1186 files changed, 401704 insertions, 0 deletions

diff --git a/lib/Atffile b/lib/Atffile
new file mode 100644
index 0000000..93bbb01
--- /dev/null
+++ b/lib/Atffile
@@ -0,0 +1,9 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: dns
+tp: irs
+tp: isc
+tp: isccfg
+tp: lwres
diff --git a/lib/Kyuafile b/lib/Kyuafile
new file mode 100644
index 0000000..ff9fc56
--- /dev/null
+++ b/lib/Kyuafile
@@ -0,0 +1,8 @@
+syntax(2)
+test_suite('bind9')
+
+include('dns/Kyuafile')
+include('irs/Kyuafile')
+include('isc/Kyuafile')
+include('isccfg/Kyuafile')
+include('lwres/Kyuafile')
diff --git a/lib/Makefile.in b/lib/Makefile.in
new file mode 100644
index 0000000..81270a0
--- /dev/null
+++ b/lib/Makefile.in
@@ -0,0 +1,21 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS =	isc isccc dns isccfg bind9 lwres irs samples
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
new file mode 100644
index 0000000..3c98330
--- /dev/null
+++ b/lib/bind9/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.14 2009/12/05 23:31:40 each Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBBIND9_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
+
+CDEFINES =	@CRYPTO@
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+ISCCFGLIBS =    ../../lib/isccfg/libisccfg.@A@
+DNSLIBS =    ../../lib/dns/libdns.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS =    ../../lib/dns/libdns.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		check.@O@ getaddresses.@O@ version.@O@
+
+# Alphabetically
+SRCS =		check.c getaddresses.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libbind9.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libbind9.la: ${OBJS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
+		${LIBS}
+
+timestamp: libbind9.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libbind9.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libbind9.@A@
+
+clean distclean::
+	rm -f libbind9.@A@ timestamp
diff --git a/lib/bind9/api b/lib/bind9/api
new file mode 100644
index 0000000..79bb9eb
--- /dev/null
+++ b/lib/bind9/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 161
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
new file mode 100644
index 0000000..d32a5a1
--- /dev/null
+++ b/lib/bind9/check.c
@@ -0,0 +1,3991 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <inttypes.h>
+
+#include <isc/aes.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/acl.h>
+#include <dns/dnstap.h>
+#include <dns/fixedname.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/rrl.h>
+#include <dns/secalg.h>
+#include <dns/ssu.h>
+
+#include <dst/dst.h>
+
+#include <isccfg/aclconf.h>
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
+static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
+static dns_name_t const dlviscorg =
+	DNS_NAME_INITABSOLUTE(dlviscorg_ndata, dlviscorg_offsets);
+
+static isc_result_t
+fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
+	  isc_log_t *logctxlogc);
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+}
+
+static isc_result_t
+check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_textregion_t r;
+	dns_fixedname_t fixed;
+	const cfg_obj_t *obj;
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t rdtype;
+	isc_buffer_t b;
+	const char *str;
+
+	dns_fixedname_init(&fixed);
+	obj = cfg_tuple_get(ent, "class");
+	if (cfg_obj_isstring(obj)) {
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdataclass_fromtext(&rdclass, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid class '%s'",
+				    r.base);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "type");
+	if (cfg_obj_isstring(obj)) {
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		tresult = dns_rdatatype_fromtext(&rdtype, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid type '%s'",
+				    r.base);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "name");
+	if (cfg_obj_isstring(obj)) {
+		str = cfg_obj_asstring(obj);
+		isc_buffer_constinit(&b, str, strlen(str));
+		isc_buffer_add(&b, strlen(str));
+		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+					    dns_rootname, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "rrset-order: invalid name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	obj = cfg_tuple_get(ent, "order");
+	if (!cfg_obj_isstring(obj) ||
+	    strcasecmp("order", cfg_obj_asstring(obj)) != 0) {
+		cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			    "rrset-order: keyword 'order' missing");
+		result = ISC_R_FAILURE;
+	}
+
+	obj = cfg_tuple_get(ent, "ordering");
+	if (!cfg_obj_isstring(obj)) {
+	    cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+			"rrset-order: missing ordering");
+		result = ISC_R_FAILURE;
+	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
+#if !DNS_RDATASET_FIXED
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "rrset-order: order 'fixed' was disabled at "
+			    "compilation time");
+#endif
+	} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
+		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "rrset-order: invalid order '%s'",
+			    cfg_obj_asstring(obj));
+		result = ISC_R_FAILURE;
+	}
+	return (result);
+}
+
+static isc_result_t
+check_order(const cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj = NULL;
+
+	if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
+		return (result);
+
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		tresult = check_orderent(cfg_listelt_value(element), logctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
+static isc_result_t
+check_dual_stack(const cfg_obj_t *options, isc_log_t *logctx) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *alternates = NULL;
+	const cfg_obj_t *value;
+	const cfg_obj_t *obj;
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t buffer;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+
+	(void)cfg_map_get(options, "dual-stack-servers", &alternates);
+
+	if (alternates == NULL)
+		return (ISC_R_SUCCESS);
+
+	obj = cfg_tuple_get(alternates, "port");
+	if (cfg_obj_isuint32(obj)) {
+		uint32_t val = cfg_obj_asuint32(obj);
+		if (val > UINT16_MAX) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "port '%u' out of range", val);
+			result = ISC_R_FAILURE;
+		}
+	}
+	obj = cfg_tuple_get(alternates, "addresses");
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		value = cfg_listelt_value(element);
+		if (cfg_obj_issockaddr(value))
+			continue;
+		obj = cfg_tuple_get(value, "name");
+		str = cfg_obj_asstring(obj);
+		isc_buffer_constinit(&buffer, str, strlen(str));
+		isc_buffer_add(&buffer, strlen(str));
+		name = dns_fixedname_initname(&fixed);
+		tresult = dns_name_fromtext(name, &buffer, dns_rootname,
+					    0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "bad name '%s'", str);
+			result = ISC_R_FAILURE;
+		}
+		obj = cfg_tuple_get(value, "port");
+		if (cfg_obj_isuint32(obj)) {
+			uint32_t val = cfg_obj_asuint32(obj);
+			if (val > UINT16_MAX) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "port '%u' out of range", val);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_forward(const cfg_obj_t *options,  const cfg_obj_t *global,
+	      isc_log_t *logctx)
+{
+	const cfg_obj_t *forward = NULL;
+	const cfg_obj_t *forwarders = NULL;
+
+	(void)cfg_map_get(options, "forward", &forward);
+	(void)cfg_map_get(options, "forwarders", &forwarders);
+
+	if (forwarders != NULL && global != NULL) {
+		const char *file = cfg_obj_file(global);
+		unsigned int line = cfg_obj_line(global);
+		cfg_obj_log(forwarders, logctx, ISC_LOG_ERROR,
+			    "forwarders declared in root zone and "
+			    "in general configuration: %s:%u",
+			    file, line);
+		return (ISC_R_FAILURE);
+	}
+	if (forward != NULL && forwarders == NULL) {
+		cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
+			    "no matching 'forwarders' statement");
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+disabled_algorithms(const cfg_obj_t *disabled, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const char *str;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	const cfg_obj_t *obj;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(disabled, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "bad domain name '%s'", str);
+		result = tresult;
+	}
+
+	obj = cfg_tuple_get(disabled, "algorithms");
+
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_secalg_t alg;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		tresult = dns_secalg_fromtext(&alg, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), logctx,
+				    ISC_LOG_ERROR, "invalid algorithm '%s'",
+				    r.base);
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+disabled_ds_digests(const cfg_obj_t *disabled, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const char *str;
+	isc_buffer_t b;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	const cfg_obj_t *obj;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(disabled, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	tresult = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "bad domain name '%s'", str);
+		result = tresult;
+	}
+
+	obj = cfg_tuple_get(disabled, "digests");
+
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		isc_textregion_t r;
+		dns_dsdigest_t digest;
+
+		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
+		r.length = strlen(r.base);
+
+		/* works with a numeric argument too */
+		tresult = dns_dsdigest_fromtext(&digest, &r);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(cfg_listelt_value(element), logctx,
+				    ISC_LOG_ERROR, "invalid digest type '%s'",
+				    r.base);
+			result = tresult;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+nameexist(const cfg_obj_t *obj, const char *name, int value,
+	  isc_symtab_t *symtab, const char *fmt, isc_log_t *logctx,
+	  isc_mem_t *mctx)
+{
+	char *key;
+	const char *file;
+	unsigned int line;
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+
+	key = isc_mem_strdup(mctx, name);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+	symvalue.as_cpointer = obj;
+	result = isc_symtab_define(symtab, key, value, symvalue,
+				   isc_symexists_reject);
+	if (result == ISC_R_EXISTS) {
+		RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
+						&symvalue) == ISC_R_SUCCESS);
+		file = cfg_obj_file(symvalue.as_cpointer);
+		line = cfg_obj_line(symvalue.as_cpointer);
+
+		if (file == NULL)
+			file = "<unknown file>";
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
+		isc_mem_free(mctx, key);
+		result = ISC_R_EXISTS;
+	} else if (result != ISC_R_SUCCESS) {
+		isc_mem_free(mctx, key);
+	}
+	return (result);
+}
+
+static isc_result_t
+mustbesecure(const cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
+	     isc_mem_t *mctx)
+{
+	const cfg_obj_t *obj;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const char *str;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(secure, "name");
+	str = cfg_obj_asstring(obj);
+	isc_buffer_constinit(&b, str, strlen(str));
+	isc_buffer_add(&b, strlen(str));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "bad domain name '%s'", str);
+	} else {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		result = nameexist(secure, namebuf, 1, symtab,
+				   "dnssec-must-be-secure '%s': already "
+				   "exists previous definition: %s:%u",
+				   logctx, mctx);
+	}
+	return (result);
+}
+
+static isc_result_t
+checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
+	 const cfg_obj_t *voptions, const cfg_obj_t *config,
+	 isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	const cfg_obj_t *aclobj = NULL;
+	const cfg_obj_t *options;
+	dns_acl_t *acl = NULL;
+
+	if (zconfig != NULL) {
+		options = cfg_tuple_get(zconfig, "options");
+		cfg_map_get(options, aclname, &aclobj);
+	}
+	if (voptions != NULL && aclobj == NULL)
+		cfg_map_get(voptions, aclname, &aclobj);
+	if (config != NULL && aclobj == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, aclname, &aclobj);
+	}
+	if (aclobj == NULL)
+		return (ISC_R_SUCCESS);
+	result = cfg_acl_fromconfig(aclobj, config, logctx,
+				    actx, mctx, 0, &acl);
+	if (acl != NULL)
+		dns_acl_detach(&acl);
+	return (result);
+}
+
+static isc_result_t
+check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	int i = 0;
+
+	static const char *acls[] = { "allow-query", "allow-query-on",
+		"allow-query-cache", "allow-query-cache-on",
+		"blackhole", "keep-response-order", "match-clients",
+		"match-destinations", "sortlist", "filter-aaaa", NULL };
+
+	while (acls[i] != NULL) {
+		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
+				   logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+	return (result);
+}
+
+static const unsigned char zeros[16];
+
+static isc_result_t
+check_dns64(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+	    const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *dns64 = NULL;
+	const cfg_obj_t *options;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *map, *obj;
+	isc_netaddr_t na, sa;
+	unsigned int prefixlen;
+	int nbytes;
+	int i;
+
+	static const char *acls[] = { "clients", "exclude", "mapped", NULL};
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "dns64", &dns64);
+	if (config != NULL && dns64 == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "dns64", &dns64);
+	}
+	if (dns64 == NULL)
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(dns64);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		map = cfg_listelt_value(element);
+		obj = cfg_map_getname(map);
+
+		cfg_obj_asnetprefix(obj, &na, &prefixlen);
+		if (na.family != AF_INET6) {
+			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+				    "dns64 requires a IPv6 prefix");
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		if (prefixlen != 32 && prefixlen != 40 && prefixlen != 48 &&
+		    prefixlen != 56 && prefixlen != 64 && prefixlen != 96) {
+			cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+				    "bad prefix length %u [32/40/48/56/64/96]",
+				    prefixlen);
+			result = ISC_R_FAILURE;
+			continue;
+		}
+
+		for (i = 0; acls[i] != NULL; i++) {
+			obj = NULL;
+			(void)cfg_map_get(map, acls[i], &obj);
+			if (obj != NULL) {
+				dns_acl_t *acl = NULL;
+				isc_result_t tresult;
+
+				tresult = cfg_acl_fromconfig(obj, config,
+							     logctx, actx,
+							     mctx, 0, &acl);
+				if (acl != NULL)
+					dns_acl_detach(&acl);
+				if (tresult != ISC_R_SUCCESS)
+					result = tresult;
+			}
+		}
+
+		obj = NULL;
+		(void)cfg_map_get(map, "suffix", &obj);
+		if (obj != NULL) {
+			isc_netaddr_fromsockaddr(&sa, cfg_obj_assockaddr(obj));
+			if (sa.family != AF_INET6) {
+				cfg_obj_log(map, logctx, ISC_LOG_ERROR,
+					    "dns64 requires a IPv6 suffix");
+				result = ISC_R_FAILURE;
+				continue;
+			}
+			nbytes = prefixlen / 8 + 4;
+			if (prefixlen >= 32 && prefixlen <= 64)
+				nbytes++;
+			if (memcmp(sa.type.in6.s6_addr, zeros, nbytes) != 0) {
+				char netaddrbuf[ISC_NETADDR_FORMATSIZE];
+				isc_netaddr_format(&sa, netaddrbuf,
+						   sizeof(netaddrbuf));
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "bad suffix '%s' leading "
+					    "%u octets not zeros",
+					    netaddrbuf, nbytes);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	return (result);
+}
+
+#define CHECK_RRL(cond, pat, val1, val2)				\
+	do {								\
+		if (!(cond)) {						\
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,		\
+				    pat, val1, val2);			\
+			if (result == ISC_R_SUCCESS)			\
+				result = ISC_R_RANGE;			\
+		    }							\
+	} while (0)
+
+#define CHECK_RRL_RATE(rate, def, max_rate, name)			\
+	do {								\
+		obj = NULL;						\
+		mresult = cfg_map_get(map, name, &obj);			\
+		if (mresult == ISC_R_SUCCESS) {				\
+			rate = cfg_obj_asuint32(obj);			\
+			CHECK_RRL(rate <= max_rate, name" %d > %d",	\
+				  rate, max_rate);			\
+		}							\
+	} while (0)
+
+static isc_result_t
+check_ratelimit(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		const cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t mresult;
+	const cfg_obj_t *map = NULL;
+	const cfg_obj_t *options;
+	const cfg_obj_t *obj;
+	int min_entries, i;
+	int all_per_second;
+	int errors_per_second;
+	int nodata_per_second;
+	int nxdomains_per_second;
+	int referrals_per_second;
+	int responses_per_second;
+	int slip;
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "rate-limit", &map);
+	if (config != NULL && map == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "rate-limit", &map);
+	}
+	if (map == NULL)
+		return (ISC_R_SUCCESS);
+
+	min_entries = 500;
+	obj = NULL;
+	mresult = cfg_map_get(map, "min-table-size", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		min_entries = cfg_obj_asuint32(obj);
+		if (min_entries < 1)
+			min_entries = 1;
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "max-table-size", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= min_entries,
+			  "max-table-size %d < min-table-size %d",
+			  i, min_entries);
+	}
+
+	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
+		       "responses-per-second");
+
+	CHECK_RRL_RATE(referrals_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "referrals-per-second");
+	CHECK_RRL_RATE(nodata_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "nodata-per-second");
+	CHECK_RRL_RATE(nxdomains_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "nxdomains-per-second");
+	CHECK_RRL_RATE(errors_per_second, responses_per_second,
+		       DNS_RRL_MAX_RATE, "errors-per-second");
+
+	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, "all-per-second");
+
+	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, "slip");
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "window", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
+			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "qps-scale", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "ipv4-prefix-length", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 8 && i <= 32,
+			  "invalid 'ipv4-prefix-length %d'%s", i, "");
+	}
+
+	obj = NULL;
+	mresult = cfg_map_get(map, "ipv6-prefix-length", &obj);
+	if (mresult == ISC_R_SUCCESS) {
+		i = cfg_obj_asuint32(obj);
+		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
+			  "ipv6-prefix-length %d < 16 or > %d",
+			  i, DNS_RRL_MAX_PREFIX);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(map, "exempt-clients", &obj);
+	if (obj != NULL) {
+		dns_acl_t *acl = NULL;
+		isc_result_t tresult;
+
+		tresult = cfg_acl_fromconfig(obj, config, logctx, actx,
+					     mctx, 0, &acl);
+		if (acl != NULL)
+			dns_acl_detach(&acl);
+		if (result == ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	return (result);
+}
+
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		    const char *viewname, const cfg_obj_t *config,
+		    isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *options, *aclobj, *obj = NULL;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	bool recursion;
+	const char *forview = " for view ";
+	int i = 0;
+
+	static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+				      NULL };
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "recursion", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "recursion", &obj);
+	}
+	if (obj == NULL)
+		recursion = true;
+	else
+		recursion = cfg_obj_asboolean(obj);
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	for (i = 0; acls[i] != NULL; i++) {
+		aclobj = options = NULL;
+		acl = NULL;
+
+		if (voptions != NULL)
+			cfg_map_get(voptions, acls[i], &aclobj);
+		if (config != NULL && aclobj == NULL) {
+			options = NULL;
+			cfg_map_get(config, "options", &options);
+			if (options != NULL)
+				cfg_map_get(options, acls[i], &aclobj);
+		}
+		if (aclobj == NULL)
+			continue;
+
+		tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+					    actx, mctx, 0, &acl);
+
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+
+		if (acl == NULL)
+			continue;
+
+		if (recursion == false && !dns_acl_isnone(acl)) {
+			cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+				    "both \"recursion no;\" and "
+				    "\"%s\" active%s%s",
+				    acls[i], forview, viewname);
+		}
+
+		if (acl != NULL)
+			dns_acl_detach(&acl);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		 const char *viewname, const cfg_obj_t *config,
+		 isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *options, *aclobj, *obj;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_aaaa_t filter4, filter6;
+	const char *forview = " for view ";
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	aclobj = options = NULL;
+	acl = NULL;
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "filter-aaaa", &aclobj);
+	if (config != NULL && aclobj == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "filter-aaaa", &aclobj);
+	}
+	if (aclobj == NULL)
+		return (result);
+
+	result = cfg_acl_fromconfig(aclobj, config, logctx,
+				    actx, mctx, 0, &acl);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	obj = NULL;
+	if (voptions != NULL)
+		cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "filter-aaaa-on-v4", &obj);
+	}
+
+	if (obj == NULL)
+		filter4 = dns_aaaa_ok;		/* default */
+	else if (cfg_obj_isboolean(obj))
+		filter4 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
+						  dns_aaaa_ok;
+	else
+		filter4 = dns_aaaa_break_dnssec; 	/* break-dnssec */
+
+	obj = NULL;
+	if (voptions != NULL)
+		cfg_map_get(voptions, "filter-aaaa-on-v6", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "filter-aaaa-on-v6", &obj);
+	}
+
+	if (obj == NULL)
+		filter6 = dns_aaaa_ok;		/* default */
+	else if (cfg_obj_isboolean(obj))
+		filter6 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
+						  dns_aaaa_ok;
+	else
+		filter6 = dns_aaaa_break_dnssec; 	/* break-dnssec */
+
+	if ((filter4 != dns_aaaa_ok || filter6 != dns_aaaa_ok) &&
+	    dns_acl_isnone(acl))
+	{
+		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+			    "\"filter-aaaa\" is 'none;' but "
+			    "either filter-aaaa-on-v4 or filter-aaaa-on-v6 "
+			    "is enabled%s%s", forview, viewname);
+		result = ISC_R_FAILURE;
+	} else if (filter4 == dns_aaaa_ok && filter6 == dns_aaaa_ok &&
+		   !dns_acl_isnone(acl))
+	{
+		cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+			    "\"filter-aaaa\" is set but "
+			    "neither filter-aaaa-on-v4 or filter-aaaa-on-v6 "
+			    "is enabled%s%s", forview, viewname);
+		result = ISC_R_FAILURE;
+	}
+
+ failure:
+	if (acl != NULL)
+		dns_acl_detach(&acl);
+
+	return (result);
+}
+
+typedef struct {
+	const char *name;
+	unsigned int scale;
+	unsigned int max;
+} intervaltable;
+
+#ifdef HAVE_DNSTAP
+typedef struct {
+	const char *name;
+	unsigned int min;
+	unsigned int max;
+} fstrmtable;
+#endif
+
+typedef enum {
+	optlevel_config,
+	optlevel_options,
+	optlevel_view,
+	optlevel_zone
+} optlevel_t;
+
+static isc_result_t
+check_dscp(const cfg_obj_t *options, isc_log_t *logctx) {
+       isc_result_t result = ISC_R_SUCCESS;
+       const cfg_obj_t *obj = NULL;
+
+       /*
+	* Check that DSCP setting is within range
+	*/
+       obj = NULL;
+       (void)cfg_map_get(options, "dscp", &obj);
+       if (obj != NULL) {
+	       uint32_t dscp = cfg_obj_asuint32(obj);
+	       if (dscp >= 64) {
+		       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				   "'dscp' out of range (0-63)");
+		       result = ISC_R_FAILURE;
+	       }
+       }
+
+       return (result);
+}
+
+static isc_result_t
+check_name(const char *str) {
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	return (dns_name_fromstring(dns_fixedname_name(&fixed), str, 0, NULL));
+}
+
+static isc_result_t
+check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
+	      optlevel_t optlevel)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *resignobj = NULL;
+	const cfg_listelt_t *element;
+	isc_symtab_t *symtab = NULL;
+	dns_fixedname_t fixed;
+	const char *str;
+	dns_name_t *name;
+	isc_buffer_t b;
+	uint32_t lifetime = 3600;
+#if defined(HAVE_OPENSSL_AES) || defined(HAVE_OPENSSL_EVP_AES)
+	const char *ccalg = "aes";
+#else
+	const char *ccalg = "sha256";
+#endif
+
+	static intervaltable intervals[] = {
+	{ "cleaning-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "heartbeat-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "interface-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-idle-in", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
+	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
+	};
+
+	static const char *server_contact[] = {
+		"empty-server", "empty-contact",
+		"dns64-server", "dns64-contact",
+		NULL
+	};
+
+#ifdef HAVE_DNSTAP
+	static fstrmtable fstrm[] = {
+		{
+			"fstrm-set-buffer-hint",
+			FSTRM_IOTHR_BUFFER_HINT_MIN,
+			FSTRM_IOTHR_BUFFER_HINT_MAX
+		},
+		{
+			"fstrm-set-flush-timeout",
+			FSTRM_IOTHR_FLUSH_TIMEOUT_MIN,
+			FSTRM_IOTHR_FLUSH_TIMEOUT_MAX
+		},
+		{
+			"fstrm-set-input-queue-size",
+			FSTRM_IOTHR_INPUT_QUEUE_SIZE_MIN,
+			FSTRM_IOTHR_INPUT_QUEUE_SIZE_MAX
+		},
+		{
+			"fstrm-set-output-notify-threshold",
+			FSTRM_IOTHR_QUEUE_NOTIFY_THRESHOLD_MIN,
+			0
+		},
+		{
+			"fstrm-set-output-queue-size",
+			FSTRM_IOTHR_OUTPUT_QUEUE_SIZE_MIN,
+			FSTRM_IOTHR_OUTPUT_QUEUE_SIZE_MAX
+		},
+		{
+			"fstrm-set-reopen-interval",
+			FSTRM_IOTHR_REOPEN_INTERVAL_MIN,
+			FSTRM_IOTHR_REOPEN_INTERVAL_MAX
+		}
+	};
+#endif
+
+	/*
+	 * Check that fields specified in units of time other than seconds
+	 * have reasonable values.
+	 */
+	for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
+		uint32_t val;
+		obj = NULL;
+		(void)cfg_map_get(options, intervals[i].name, &obj);
+		if (obj == NULL)
+			continue;
+		val = cfg_obj_asuint32(obj);
+		if (val > intervals[i].max) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (0..%u)",
+				    intervals[i].name, val,
+				    intervals[i].max);
+			result = ISC_R_RANGE;
+		} else if (val > (UINT32_MAX / intervals[i].scale)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%d' is out of range",
+				    intervals[i].name, val);
+			result = ISC_R_RANGE;
+		}
+	}
+
+	obj = NULL;
+	cfg_map_get(options, "max-rsa-exponent-size", &obj);
+	if (obj != NULL) {
+		uint32_t val;
+
+		val = cfg_obj_asuint32(obj);
+		if (val != 0 && (val < 35 || val > 4096)) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "max-rsa-exponent-size '%u' is out of "
+				    "range (35..4096)", val);
+			result = ISC_R_RANGE;
+		}
+	}
+
+	obj = NULL;
+	cfg_map_get(options, "sig-validity-interval", &obj);
+	if (obj != NULL) {
+		uint32_t validity, resign = 0;
+
+		validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
+		resignobj = cfg_tuple_get(obj, "re-sign");
+		if (!cfg_obj_isvoid(resignobj))
+			resign = cfg_obj_asuint32(resignobj);
+
+		if (validity > 3660 || validity == 0) { /* 10 years */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (1..3660)",
+				    "sig-validity-interval", validity);
+			result = ISC_R_RANGE;
+		}
+
+		if (!cfg_obj_isvoid(resignobj)) {
+			if (resign > 3660 || resign == 0) { /* 10 years */
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' is out of range (1..3660)",
+					    "sig-validity-interval (re-sign)",
+					    validity);
+				result = ISC_R_RANGE;
+			} else if ((validity > 7 && validity < resign) ||
+				   (validity <= 7 && validity * 24 < resign)) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "validity interval (%u days) "
+					    "less than re-signing interval "
+					    "(%u %s)", validity, resign,
+					    (validity > 7) ? "days" : "hours");
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "preferred-glue", &obj);
+	if (obj != NULL) {
+		str = cfg_obj_asstring(obj);
+		if (strcasecmp(str, "a") != 0 &&
+		    strcasecmp(str, "aaaa") != 0 &&
+		    strcasecmp(str, "none") != 0)
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "preferred-glue unexpected value '%s'",
+				    str);
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "root-delegation-only", &obj);
+	if (obj != NULL) {
+		if (!cfg_obj_isvoid(obj)) {
+			for (element = cfg_list_first(obj);
+			     element != NULL;
+			     element = cfg_list_next(element)) {
+				const cfg_obj_t *exclude;
+
+				exclude = cfg_listelt_value(element);
+				str = cfg_obj_asstring(exclude);
+				tresult = check_name(str);
+				if (tresult != ISC_R_SUCCESS) {
+					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+						    "bad domain name '%s'",
+						    str);
+					result = tresult;
+				}
+			}
+		}
+	}
+
+	/*
+	 * Set supported DNSSEC algorithms.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-algorithms", &obj);
+	if (obj != NULL) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = disabled_algorithms(obj, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	/*
+	 * Set supported DS/DLV digest types.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-ds-digests", &obj);
+	if (obj != NULL) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = disabled_ds_digests(obj, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	name = dns_fixedname_initname(&fixed);
+
+	/*
+	 * Check the DLV zone name.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-lookaside", &obj);
+	if (obj != NULL) {
+		tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+					    false, &symtab);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const char *dlv;
+			const cfg_obj_t *dlvobj, *anchor;
+
+			obj = cfg_listelt_value(element);
+
+			anchor = cfg_tuple_get(obj, "trust-anchor");
+			dlvobj = cfg_tuple_get(obj, "domain");
+			dlv = cfg_obj_asstring(dlvobj);
+
+			/*
+			 * If domain is "auto" or "no" and trust anchor
+			 * is missing, skip remaining tests
+			 */
+			if (cfg_obj_isvoid(anchor)) {
+				if (!strcasecmp(dlv, "no")) {
+					continue;
+				}
+				if (!strcasecmp(dlv, "auto")) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_WARNING,
+						    "dnssec-lookaside 'auto' "
+						    "is no longer supported");
+					continue;
+				}
+			}
+
+			tresult = dns_name_fromstring(name, dlv, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "bad domain name '%s'", dlv);
+				result = tresult;
+				continue;
+			}
+			if (symtab != NULL) {
+				tresult = nameexist(obj, dlv, 1, symtab,
+						    "dnssec-lookaside '%s': "
+						    "already exists; previous "
+						    "definition: %s:%u",
+						    logctx, mctx);
+				if (tresult != ISC_R_SUCCESS &&
+				    result == ISC_R_SUCCESS)
+					result = tresult;
+			}
+
+			/*
+			 * XXXMPA to be removed when multiple lookaside
+			 * namespaces are supported.
+			 */
+			if (!dns_name_equal(dns_rootname, name)) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "dnssec-lookaside '%s': "
+					    "non-root not yet supported", dlv);
+				if (result == ISC_R_SUCCESS)
+					result = ISC_R_FAILURE;
+			}
+
+			if (cfg_obj_isvoid(anchor)) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "dnssec-lookaside requires "
+					    "either or 'no' or a "
+					    "domain and trust anchor");
+				if (result == ISC_R_SUCCESS)
+					result = ISC_R_FAILURE;
+				continue;
+			}
+
+			dlv = cfg_obj_asstring(anchor);
+			tresult = dns_name_fromstring(name, dlv, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+					    "bad domain name '%s'", dlv);
+				if (result == ISC_R_SUCCESS)
+					result = tresult;
+				continue;
+			}
+			if (dns_name_equal(&dlviscorg, name)) {
+				cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
+					    "dlv.isc.org has been shut down: "
+					    "dnssec-lookaside ignored");
+				continue;
+			}
+		}
+
+		if (symtab != NULL)
+			isc_symtab_destroy(&symtab);
+	}
+
+	/*
+	 * Check auto-dnssec at the view/options level
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "auto-dnssec", &obj);
+	if (obj != NULL) {
+		const char *arg = cfg_obj_asstring(obj);
+		if (optlevel != optlevel_zone && strcasecmp(arg, "off") != 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "auto-dnssec may only be activated at the "
+				    "zone level");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Check dnssec-must-be-secure.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-must-be-secure", &obj);
+	if (obj != NULL) {
+		tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+					    false, &symtab);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			obj = cfg_listelt_value(element);
+			tresult = mustbesecure(obj, symtab, logctx, mctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+		if (symtab != NULL)
+			isc_symtab_destroy(&symtab);
+	}
+
+	/*
+	 * Check server/contacts for syntactic validity.
+	 */
+	for (i= 0; server_contact[i] != NULL; i++) {
+		obj = NULL;
+		(void)cfg_map_get(options, server_contact[i], &obj);
+		if (obj != NULL) {
+			str = cfg_obj_asstring(obj);
+			if (check_name(str) != ISC_R_SUCCESS) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s: invalid name '%s'",
+					    server_contact[i], str);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check empty zone configuration.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "disable-empty-zone", &obj);
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(obj);
+		if (check_name(str) != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "disable-empty-zone: invalid name '%s'",
+				    str);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Check that server-id is not too long.
+	 * 1024 bytes should be big enough.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "server-id", &obj);
+	if (obj != NULL && cfg_obj_isstring(obj) &&
+	    strlen(cfg_obj_asstring(obj)) > 1024U) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "'server-id' too big (>1024 bytes)");
+		result = ISC_R_FAILURE;
+	}
+
+	tresult = check_dscp(options, logctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	obj = NULL;
+	(void)cfg_map_get(options, "nta-lifetime", &obj);
+	if (obj != NULL) {
+		lifetime = cfg_obj_asuint32(obj);
+		if (lifetime > 604800) {	/* 7 days */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-lifetime' cannot exceed one week");
+			result = ISC_R_RANGE;
+		} else if (lifetime == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-lifetime' may not be zero");
+			result = ISC_R_RANGE;
+		}
+	}
+
+	obj = NULL;
+	(void)cfg_map_get(options, "nta-recheck", &obj);
+	if (obj != NULL) {
+		uint32_t recheck = cfg_obj_asuint32(obj);
+		if (recheck > 604800) {		/* 7 days */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'nta-recheck' cannot exceed one week");
+			result = ISC_R_RANGE;
+		}
+
+		if (recheck > lifetime)
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "'nta-recheck' (%d seconds) is "
+				    "greater than 'nta-lifetime' "
+				    "(%d seconds)", recheck, lifetime);
+	}
+
+	obj = NULL;
+	(void) cfg_map_get(options, "cookie-algorithm", &obj);
+	if (obj != NULL)
+		ccalg = cfg_obj_asstring(obj);
+#if !defined(HAVE_OPENSSL_AES) && !defined(HAVE_OPENSSL_EVP_AES)
+	if (strcasecmp(ccalg, "aes") == 0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "cookie-algorithm: '%s' not supported", ccalg);
+		result = ISC_R_NOTIMPLEMENTED;
+	}
+#endif
+
+	obj = NULL;
+	(void) cfg_map_get(options, "cookie-secret", &obj);
+	if (obj != NULL) {
+		unsigned char secret[32];
+
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			unsigned int usedlength;
+
+			obj = cfg_listelt_value(element);
+			str = cfg_obj_asstring(obj);
+
+			memset(secret, 0, sizeof(secret));
+			isc_buffer_init(&b, secret, sizeof(secret));
+			tresult = isc_hex_decodestring(str, &b);
+			if (tresult == ISC_R_NOSPACE) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "cookie-secret: too long");
+			} else if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "cookie-secret: invalid hex "
+					    "string");
+			}
+			if (tresult != ISC_R_SUCCESS) {
+				if (result == ISC_R_SUCCESS)
+					result = tresult;
+				continue;
+			}
+
+			usedlength = isc_buffer_usedlength(&b);
+			if (strcasecmp(ccalg, "aes") == 0 &&
+			    usedlength != ISC_AES128_KEYLENGTH) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "AES cookie-secret must be "
+					    "128 bits");
+				if (result == ISC_R_SUCCESS)
+					result = ISC_R_RANGE;
+			}
+			if (strcasecmp(ccalg, "sha1") == 0 &&
+			    usedlength != ISC_SHA1_DIGESTLENGTH) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "SHA1 cookie-secret must be "
+					    "160 bits");
+				if (result == ISC_R_SUCCESS)
+					result = ISC_R_RANGE;
+			}
+			if (strcasecmp(ccalg, "sha256") == 0 &&
+			    usedlength != ISC_SHA256_DIGESTLENGTH) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "SHA256 cookie-secret must be "
+					    "256 bits");
+				if (result == ISC_R_SUCCESS)
+					result = ISC_R_RANGE;
+			}
+		}
+	}
+
+#ifdef HAVE_DNSTAP
+	for (i = 0; i < sizeof(fstrm) / sizeof(fstrm[0]); i++) {
+		uint32_t value;
+
+		obj = NULL;
+		(void) cfg_map_get(options, fstrm[i].name, &obj);
+		if (obj == NULL)
+			continue;
+
+		value = cfg_obj_asuint32(obj);
+		if (value < fstrm[i].min ||
+		    (fstrm[i].max != 0U && value > fstrm[i].max)) {
+			if (fstrm[i].max != 0U)
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' out of range (%u..%u)",
+					    fstrm[i].name, value,
+					    fstrm[i].min, fstrm[i].max);
+			else
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s out of range (%u < %u)",
+					    fstrm[i].name, value, fstrm[i].min);
+			result = ISC_R_RANGE;
+		}
+
+		if (strcmp(fstrm[i].name, "fstrm-set-input-queue-size") == 0) {
+			int bits = 0;
+			do {
+				bits += value & 0x1;
+				value >>= 1;
+			} while (value != 0U);
+			if (bits != 1) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' not a power-of-2",
+					    fstrm[i].name,
+					    cfg_obj_asuint32(obj));
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+#endif
+
+	obj = NULL;
+	(void)cfg_map_get(options, "lmdb-mapsize", &obj);
+	if (obj != NULL) {
+		uint64_t mapsize = cfg_obj_asuint64(obj);
+
+		if (mapsize < (1ULL << 20)) { /* 1 megabyte */
+			cfg_obj_log(obj, logctx,
+				    ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too small",
+				    mapsize);
+			return (ISC_R_RANGE);
+		} else if (mapsize > (1ULL << 40)) { /* 1 terabyte */
+			cfg_obj_log(obj, logctx,
+				    ISC_LOG_ERROR,
+				    "'lmdb-mapsize "
+				    "%" PRId64 "' "
+				    "is too large",
+				    mapsize);
+			return (ISC_R_RANGE);
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+get_masters_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *masters = NULL;
+	const cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, "masters", &masters);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (elt = cfg_list_first(masters);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *list;
+		const char *listname;
+
+		list = cfg_listelt_value(elt);
+		listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
+
+		if (strcasecmp(listname, name) == 0) {
+			*ret = list;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
+		 uint32_t *countp, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	uint32_t count = 0;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t **stack = NULL;
+	uint32_t stackcount = 0, pushed = 0;
+	const cfg_obj_t *list;
+
+	REQUIRE(countp != NULL);
+	result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
+	if (result != ISC_R_SUCCESS) {
+		*countp = count;
+		return (result);
+	}
+
+ newlist:
+	list = cfg_tuple_get(obj, "addresses");
+	element = cfg_list_first(list);
+ resume:
+	for ( ;
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const char *listname;
+		const cfg_obj_t *addr;
+		const cfg_obj_t *key;
+
+		addr = cfg_tuple_get(cfg_listelt_value(element),
+				     "masterselement");
+		key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+		if (cfg_obj_issockaddr(addr)) {
+			count++;
+			continue;
+		}
+		if (!cfg_obj_isvoid(key)) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unexpected token '%s'",
+				    cfg_obj_asstring(key));
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+		listname = cfg_obj_asstring(addr);
+		symvalue.as_cpointer = addr;
+		tresult = isc_symtab_define(symtab, listname, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS)
+			continue;
+		tresult = get_masters_def(config, listname, &obj);
+		if (tresult != ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
+			cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
+				    "unable to find masters list '%s'",
+				    listname);
+			continue;
+		}
+		/* Grow stack? */
+		if (stackcount == pushed) {
+			void * newstack;
+			uint32_t newlen = stackcount + 16;
+			size_t newsize, oldsize;
+
+			newsize = newlen * sizeof(*stack);
+			oldsize = stackcount * sizeof(*stack);
+			newstack = isc_mem_get(mctx, newsize);
+			if (newstack == NULL)
+				goto cleanup;
+			if (stackcount != 0) {
+				void *ptr;
+
+				DE_CONST(stack, ptr);
+				memmove(newstack, stack, oldsize);
+				isc_mem_put(mctx, ptr, oldsize);
+			}
+			stack = newstack;
+			stackcount = newlen;
+		}
+		stack[pushed++] = cfg_list_next(element);
+		goto newlist;
+	}
+	if (pushed != 0) {
+		element = stack[--pushed];
+		goto resume;
+	}
+ cleanup:
+	if (stack != NULL) {
+		void *ptr;
+
+		DE_CONST(stack, ptr);
+		isc_mem_put(mctx, ptr, stackcount * sizeof(*stack));
+	}
+	isc_symtab_destroy(&symtab);
+	*countp = count;
+	return (result);
+}
+
+static isc_result_t
+check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *element2;
+	dns_fixedname_t fixed_id, fixed_name;
+	dns_name_t *id, *name;
+	const char *str;
+	isc_textregion_t r;
+	dns_rdatatype_t type;
+
+	/* Check for "update-policy local;" */
+	if (cfg_obj_isstring(policy) &&
+	    strcmp("local", cfg_obj_asstring(policy)) == 0)
+		return (ISC_R_SUCCESS);
+
+	/* Now check the grant policy */
+	for (element = cfg_list_first(policy);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *stmt = cfg_listelt_value(element);
+		const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		dns_ssumatchtype_t mtype;
+
+		id = dns_fixedname_initname(&fixed_id);
+		name = dns_fixedname_initname(&fixed_name);
+
+		tresult = dns_ssu_mtypefromstring(cfg_obj_asstring(matchtype),
+						  &mtype);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "has a bad match-type");
+		}
+
+		str = cfg_obj_asstring(identity);
+		tresult = dns_name_fromstring(id, str, 1, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a valid name", str);
+			result = tresult;
+		}
+
+		/*
+		 * There is no name field for subzone and dname is void
+		 */
+		if (mtype == dns_ssumatchtype_subdomain &&
+		    cfg_obj_isvoid(dname))
+		{
+			str = ".";	/* Use "." as a replacement. */
+		} else {
+			str = cfg_obj_asstring(dname);
+		}
+		if (tresult == ISC_R_SUCCESS) {
+			tresult = dns_name_fromstring(name, str, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid name", str);
+				result = tresult;
+			}
+		}
+
+		if (tresult == ISC_R_SUCCESS &&
+		    mtype == dns_ssumatchtype_wildcard &&
+		    !dns_name_iswildcard(name))
+		{
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "'%s' is not a wildcard", str);
+			result = ISC_R_FAILURE;
+		}
+
+		/*
+		 * For some match types, the name should be a placeholder
+		 * value, either "." or the same as identity.
+		 */
+		switch (mtype) {
+		case dns_ssumatchtype_self:
+		case dns_ssumatchtype_selfsub:
+		case dns_ssumatchtype_selfwild:
+			if (tresult == ISC_R_SUCCESS &&
+			    (!dns_name_equal(id, name) &&
+			     !dns_name_equal(dns_rootname, name))) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "identity and name fields are not "
+					    "the same");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
+		case dns_ssumatchtype_tcpself:
+		case dns_ssumatchtype_6to4self:
+			if (tresult == ISC_R_SUCCESS &&
+			    !dns_name_equal(dns_rootname, name)) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "name field not set to "
+					    "placeholder value '.'");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_name:
+		case dns_ssumatchtype_subdomain: /* also zonesub */
+		case dns_ssumatchtype_subdomainms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_wildcard:
+		case dns_ssumatchtype_external:
+		case dns_ssumatchtype_local:
+			if (tresult == ISC_R_SUCCESS) {
+				DE_CONST(str, r.base);
+				r.length = strlen(str);
+				tresult = dns_rdatatype_fromtext(&type, &r);
+			}
+			if (tresult == ISC_R_SUCCESS) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "missing name field type '%s' "
+					    "found", str);
+				result = ISC_R_FAILURE;
+				break;
+			}
+			break;
+		default:
+			INSIST(0);
+		}
+
+		for (element2 = cfg_list_first(typelist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			const cfg_obj_t *typeobj;
+
+			typeobj = cfg_listelt_value(element2);
+			DE_CONST(cfg_obj_asstring(typeobj), r.base);
+			r.length = strlen(r.base);
+
+			tresult = dns_rdatatype_fromtext(&type, &r);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(typeobj, logctx, ISC_LOG_ERROR,
+					    "'%s' is not a valid type", r.base);
+				result = tresult;
+			}
+		}
+	}
+	return (result);
+}
+
+typedef struct {
+	const char *name;
+	unsigned int allowed;
+} optionstable;
+
+static isc_result_t
+check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *obj = NULL;
+	unsigned int i;
+
+	static const char *nonzero[] = { "max-retry-time", "min-retry-time",
+				 "max-refresh-time", "min-refresh-time" };
+	/*
+	 * Check if value is zero.
+	 */
+	for (i = 0; i < sizeof(nonzero) / sizeof(nonzero[0]); i++) {
+		obj = NULL;
+		if (cfg_map_get(options, nonzero[i], &obj) == ISC_R_SUCCESS &&
+		    cfg_obj_asuint32(obj) == 0) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'%s' must not be zero", nonzero[i]);
+			result = ISC_R_FAILURE;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+	       const cfg_obj_t *config, isc_symtab_t *symtab,
+	       isc_symtab_t *files, isc_symtab_t *inview,
+	       const char *viewname, dns_rdataclass_t defclass,
+	       cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const char *znamestr;
+	const char *typestr = NULL;
+	const char *target = NULL;
+	unsigned int ztype;
+	const cfg_obj_t *zoptions, *goptions = NULL;
+	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *inviewobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	unsigned int i;
+	dns_rdataclass_t zclass;
+	dns_fixedname_t fixedname;
+	dns_name_t *zname = NULL;
+	isc_buffer_t b;
+	bool root = false;
+	bool rfc1918 = false;
+	bool ula = false;
+	const cfg_listelt_t *element;
+	bool dlz;
+	dns_masterformat_t masterformat;
+	bool ddns = false;
+	const void *clauses = NULL;
+	const char *option = NULL;
+	static const char *acls[] = {
+		"allow-notify",
+		"allow-transfer",
+		"allow-update",
+		"allow-update-forwarding",
+	};
+
+	static optionstable dialups[] = {
+	{ "notify", CFG_ZONE_MASTER | CFG_ZONE_SLAVE },
+	{ "notify-passive", CFG_ZONE_SLAVE },
+	{ "passive", CFG_ZONE_SLAVE | CFG_ZONE_STUB },
+	{ "refresh", CFG_ZONE_SLAVE | CFG_ZONE_STUB },
+	};
+
+	znamestr = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+	zoptions = cfg_tuple_get(zconfig, "options");
+
+	if (config != NULL)
+		cfg_map_get(config, "options", &goptions);
+
+	inviewobj = NULL;
+	(void)cfg_map_get(zoptions, "in-view", &inviewobj);
+	if (inviewobj != NULL) {
+		target = cfg_obj_asstring(inviewobj);
+		ztype = CFG_ZONE_INVIEW;
+	} else {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "type", &obj);
+		if (obj == NULL) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': type not present", znamestr);
+			return (ISC_R_FAILURE);
+		}
+
+		typestr = cfg_obj_asstring(obj);
+		if (strcasecmp(typestr, "master") == 0) {
+			ztype = CFG_ZONE_MASTER;
+		} else if (strcasecmp(typestr, "slave") == 0) {
+			ztype = CFG_ZONE_SLAVE;
+		} else if (strcasecmp(typestr, "stub") == 0) {
+			ztype = CFG_ZONE_STUB;
+		} else if (strcasecmp(typestr, "static-stub") == 0) {
+			ztype = CFG_ZONE_STATICSTUB;
+		} else if (strcasecmp(typestr, "forward") == 0) {
+			ztype = CFG_ZONE_FORWARD;
+		} else if (strcasecmp(typestr, "hint") == 0) {
+			ztype = CFG_ZONE_HINT;
+		} else if (strcasecmp(typestr, "delegation-only") == 0) {
+			ztype = CFG_ZONE_DELEGATION;
+		} else if (strcasecmp(typestr, "redirect") == 0) {
+			ztype = CFG_ZONE_REDIRECT;
+		} else {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid type %s",
+				    znamestr, typestr);
+			return (ISC_R_FAILURE);
+		}
+
+		if (ztype == CFG_ZONE_REDIRECT && strcmp(znamestr, ".") != 0) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "redirect zones must be called \".\"");
+			return (ISC_R_FAILURE);
+		}
+	}
+
+	obj = cfg_tuple_get(zconfig, "class");
+	if (cfg_obj_isstring(obj)) {
+		isc_textregion_t r;
+
+		DE_CONST(cfg_obj_asstring(obj), r.base);
+		r.length = strlen(r.base);
+		result = dns_rdataclass_fromtext(&zclass, &r);
+		if (result != ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid class %s",
+				    znamestr, r.base);
+			return (ISC_R_FAILURE);
+		}
+		if (zclass != defclass) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': class '%s' does not "
+				    "match view/default class",
+				    znamestr, r.base);
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		zclass = defclass;
+	}
+
+	/*
+	 * Look for an already existing zone.
+	 * We need to make this canonical as isc_symtab_define()
+	 * deals with strings.
+	 */
+	dns_fixedname_init(&fixedname);
+	isc_buffer_constinit(&b, znamestr, strlen(znamestr));
+	isc_buffer_add(&b, strlen(znamestr));
+	tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+				    dns_rootname, DNS_NAME_DOWNCASE, NULL);
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': is not a valid name", znamestr);
+		result = ISC_R_FAILURE;
+	} else {
+		char namebuf[DNS_NAME_FORMATSIZE + 128];
+		char *tmp = namebuf;
+		size_t len = sizeof(namebuf);
+
+		zname = dns_fixedname_name(&fixedname);
+		dns_name_format(zname, namebuf, sizeof(namebuf));
+		tresult = nameexist(zconfig, namebuf,
+				    ztype == CFG_ZONE_HINT ? 1 :
+				     ztype == CFG_ZONE_REDIRECT ? 2 : 3,
+				    symtab, "zone '%s': already exists "
+				    "previous definition: %s:%u", logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+		if (dns_name_equal(zname, dns_rootname))
+			root = true;
+		else if (dns_name_isrfc1918(zname))
+			rfc1918 = true;
+		else if (dns_name_isula(zname))
+			ula = true;
+		tmp += strlen(tmp);
+		len -= strlen(tmp);
+		(void)snprintf(tmp, len, "%u/%s", zclass,
+			       (ztype == CFG_ZONE_INVIEW) ? target :
+				(viewname != NULL) ? viewname : "_default");
+		switch (ztype) {
+		case CFG_ZONE_INVIEW:
+			tresult = isc_symtab_lookup(inview, namebuf, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(inviewobj, logctx, ISC_LOG_ERROR,
+					    "'in-view' zone '%s' "
+					    "does not exist in view '%s', "
+					    "or view '%s' is not yet defined",
+					    znamestr, target, target);
+				if (result == ISC_R_SUCCESS) {
+					result = tresult;
+				}
+			}
+			break;
+
+		case CFG_ZONE_FORWARD:
+		case CFG_ZONE_REDIRECT:
+		case CFG_ZONE_DELEGATION:
+			break;
+
+		case CFG_ZONE_MASTER:
+		case CFG_ZONE_SLAVE:
+		case CFG_ZONE_HINT:
+		case CFG_ZONE_STUB:
+		case CFG_ZONE_STATICSTUB:
+			tmp = isc_mem_strdup(mctx, namebuf);
+			if (tmp != NULL) {
+				isc_symvalue_t symvalue;
+
+				symvalue.as_cpointer = NULL;
+				tresult = isc_symtab_define(inview, tmp, 1,
+					   symvalue, isc_symexists_replace);
+				if (tresult == ISC_R_NOMEMORY) {
+					isc_mem_free(mctx, tmp);
+				}
+				if (result == ISC_R_SUCCESS &&
+				    tresult != ISC_R_SUCCESS)
+					result = tresult;
+			} else if (result != ISC_R_SUCCESS) {
+				result = ISC_R_NOMEMORY;
+			}
+			break;
+
+		default:
+			INSIST(0);
+		}
+	}
+
+	if (ztype == CFG_ZONE_INVIEW) {
+		const cfg_obj_t *fwd = NULL;
+		unsigned int maxopts = 1;
+
+		(void)cfg_map_get(zoptions, "forward", &fwd);
+		if (fwd != NULL)
+			maxopts++;
+		fwd = NULL;
+		(void)cfg_map_get(zoptions, "forwarders", &fwd);
+		if (fwd != NULL)
+			maxopts++;
+		if (cfg_map_count(zoptions) > maxopts) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'in-view' used "
+				    "with incompatible zone options",
+				    znamestr);
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+		return (result);
+	}
+
+	/*
+	 * Check if value is zero.
+	 */
+	if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check validity of the zone options.
+	 */
+	option = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &i);
+	while (option != NULL) {
+		obj = NULL;
+		if (cfg_map_get(zoptions, option, &obj) == ISC_R_SUCCESS &&
+		    obj != NULL && !cfg_clause_validforzone(option, ztype))
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "option '%s' is not allowed "
+				    "in '%s' zone '%s'",
+				    option, typestr, znamestr);
+			result = ISC_R_FAILURE;
+		}
+		option = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &i);
+	}
+
+	/*
+	 * Check that ACLs expand correctly.
+	 */
+	for (i = 0; i < (sizeof(acls) / sizeof(acls[0])); i++) {
+		tresult = checkacl(acls[i], actx, zconfig,
+				   voptions, config, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Master & slave zones may have an "also-notify" field, but
+	 * shouldn't if notify is disabled.
+	 */
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) {
+		bool donotify = true;
+
+		obj = NULL;
+		tresult = cfg_map_get(zoptions, "notify", &obj);
+		if (tresult != ISC_R_SUCCESS && voptions != NULL)
+			tresult = cfg_map_get(voptions, "notify", &obj);
+		if (tresult != ISC_R_SUCCESS && goptions != NULL)
+			tresult = cfg_map_get(goptions, "notify", &obj);
+		if (tresult == ISC_R_SUCCESS) {
+			if (cfg_obj_isboolean(obj))
+				donotify = cfg_obj_asboolean(obj);
+			else {
+				const char *notifystr = cfg_obj_asstring(obj);
+				if (ztype != CFG_ZONE_MASTER &&
+				    strcasecmp(notifystr, "master-only") == 0)
+					donotify = false;
+			}
+		}
+
+		obj = NULL;
+		tresult = cfg_map_get(zoptions, "also-notify", &obj);
+		if (tresult == ISC_R_SUCCESS && !donotify) {
+			cfg_obj_log(zoptions, logctx, ISC_LOG_WARNING,
+				    "zone '%s': 'also-notify' set but "
+				    "'notify' is disabled", znamestr);
+		}
+		if (tresult != ISC_R_SUCCESS && voptions != NULL)
+			tresult = cfg_map_get(voptions, "also-notify", &obj);
+		if (tresult != ISC_R_SUCCESS && goptions != NULL)
+			tresult = cfg_map_get(goptions, "also-notify", &obj);
+		if (tresult == ISC_R_SUCCESS && donotify) {
+			uint32_t count;
+			tresult = validate_masters(obj, config, &count,
+						   logctx, mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	/*
+	 * Slave & stub zones must have a "masters" field.
+	 */
+	if (ztype == CFG_ZONE_SLAVE || ztype == CFG_ZONE_STUB) {
+		obj = NULL;
+		if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
+			cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+				    "zone '%s': missing 'masters' entry",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		} else {
+			uint32_t count;
+			tresult = validate_masters(obj, config, &count,
+						   logctx, mctx);
+			if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+				result = tresult;
+			if (tresult == ISC_R_SUCCESS && count == 0) {
+				cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+					    "zone '%s': empty 'masters' entry",
+					    znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Master zones can't have both "allow-update" and "update-policy".
+	 */
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE) {
+		bool signing = false;
+		isc_result_t res1, res2, res3;
+		const cfg_obj_t *au = NULL;
+		const char *arg;
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "allow-update", &au);
+		obj = NULL;
+		res2 = cfg_map_get(zoptions, "update-policy", &obj);
+		if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'allow-update' is ignored "
+				    "when 'update-policy' is present",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		} else if (res2 == ISC_R_SUCCESS) {
+			res3 = check_update_policy(obj, logctx);
+			if (res3 != ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+
+		/*
+		 * To determine whether auto-dnssec is allowed,
+		 * we should also check for allow-update at the
+		 * view and options levels.
+		 */
+		if (res1 != ISC_R_SUCCESS && voptions != NULL)
+			res1 = cfg_map_get(voptions, "allow-update", &au);
+		if (res1 != ISC_R_SUCCESS && goptions != NULL)
+			res1 = cfg_map_get(goptions, "allow-update", &au);
+
+		if (res2 == ISC_R_SUCCESS)
+			ddns = true;
+		else if (res1 == ISC_R_SUCCESS) {
+			dns_acl_t *acl = NULL;
+			res1 = cfg_acl_fromconfig(au, config, logctx,
+						  actx, mctx, 0, &acl);
+			if (res1 != ISC_R_SUCCESS) {
+				cfg_obj_log(au, logctx, ISC_LOG_ERROR,
+					    "acl expansion failed: %s",
+					    isc_result_totext(result));
+				result = ISC_R_FAILURE;
+			} else if (acl != NULL) {
+				if (!dns_acl_isnone(acl))
+					ddns = true;
+				dns_acl_detach(&acl);
+			}
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
+		if (res1 == ISC_R_SUCCESS)
+			signing = cfg_obj_asboolean(obj);
+
+		obj = NULL;
+		arg = "off";
+		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
+		if (res3 == ISC_R_SUCCESS)
+			arg = cfg_obj_asstring(obj);
+		if (strcasecmp(arg, "off") != 0 && !ddns && !signing) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'auto-dnssec %s;' requires%s "
+				    "inline-signing to be configured for "
+				    "the zone", arg,
+				    (ztype == CFG_ZONE_MASTER) ?
+					 " dynamic DNS or" : "");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
+		if (res1 == ISC_R_SUCCESS) {
+			uint32_t type = cfg_obj_asuint32(obj);
+			if (type < 0xff00U || type > 0xffffU)
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "sig-signing-type: %u out of "
+					    "range [%u..%u]", type,
+					    0xff00U, 0xffffU);
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-dnskey-kskonly", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-dnskey-kskonly: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-loadkeys-interval: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "update-check-ksk", &obj);
+		if (res1 == ISC_R_SUCCESS && ztype == CFG_ZONE_SLAVE &&
+		    !signing)
+		{
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "update-check-ksk: requires "
+				    "inline-signing when used in slave zone");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Check the excessively complicated "dialup" option.
+	 */
+	if (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_SLAVE ||
+	    ztype == CFG_ZONE_STUB)
+	{
+		const cfg_obj_t *dialup = NULL;
+		(void)cfg_map_get(zoptions, "dialup", &dialup);
+		if (dialup != NULL && cfg_obj_isstring(dialup)) {
+			const char *str = cfg_obj_asstring(dialup);
+			for (i = 0;
+			     i < sizeof(dialups) / sizeof(dialups[0]);
+			     i++)
+			{
+				if (strcasecmp(dialups[i].name, str) != 0)
+					continue;
+				if ((dialups[i].allowed & ztype) == 0) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_ERROR,
+						    "dialup type '%s' is not "
+						    "allowed in '%s' "
+						    "zone '%s'",
+						    str, typestr, znamestr);
+					result = ISC_R_FAILURE;
+				}
+				break;
+			}
+			if (i == sizeof(dialups) / sizeof(dialups[0])) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "invalid dialup type '%s' in zone "
+					    "'%s'", str, znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	obj = NULL;
+	if (root) {
+		if (voptions != NULL)
+			(void)cfg_map_get(voptions, "forwarders", &obj);
+		if (obj == NULL && goptions != NULL)
+			(void)cfg_map_get(goptions, "forwarders", &obj);
+	}
+	if (check_forward(zoptions, obj, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check that a RFC 1918 / ULA reverse zone is not forward first
+	 * unless explictly configured to be so.
+	 */
+	if (ztype == CFG_ZONE_FORWARD && (rfc1918 || ula)) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "forward", &obj);
+		if (obj == NULL) {
+			/*
+			 * Forward mode not explicity configured.
+			 */
+			if (voptions != NULL)
+				cfg_map_get(voptions, "forward", &obj);
+			if (obj == NULL && goptions != NULL)
+				cfg_map_get(goptions, "forward", &obj);
+			if (obj == NULL ||
+			    strcasecmp(cfg_obj_asstring(obj), "first") == 0)
+				cfg_obj_log(zconfig, logctx, ISC_LOG_WARNING,
+					    "inherited 'forward first;' for "
+					    "%s zone '%s' - did you want "
+					    "'forward only;'?",
+					    rfc1918 ? "rfc1918" : "ula",
+					    znamestr);
+		}
+	}
+
+	/*
+	 * Check validity of static stub server addresses.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "server-addresses", &obj);
+	if (ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+			isc_netaddr_t na;
+			obj = cfg_listelt_value(element);
+			sa = *cfg_obj_assockaddr(obj);
+
+			if (isc_sockaddr_getport(&sa) != 0) {
+				result = ISC_R_FAILURE;
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "port is not configurable for "
+					    "static stub server-addresses");
+			}
+
+			isc_netaddr_fromsockaddr(&na, &sa);
+			if (isc_netaddr_getzone(&na) != 0) {
+				result = ISC_R_FAILURE;
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "scoped address is not allowed "
+					    "for static stub "
+					    "server-addresses");
+			}
+		}
+	}
+
+	/*
+	 * Check validity of static stub server names.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "server-names", &obj);
+	if (zname != NULL && ztype == CFG_ZONE_STATICSTUB && obj != NULL) {
+		for (element = cfg_list_first(obj);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			const char *snamestr;
+			dns_fixedname_t fixed_sname;
+			isc_buffer_t b2;
+			dns_name_t *sname;
+
+			obj = cfg_listelt_value(element);
+			snamestr = cfg_obj_asstring(obj);
+
+			isc_buffer_constinit(&b2, snamestr, strlen(snamestr));
+			isc_buffer_add(&b2, strlen(snamestr));
+			sname = dns_fixedname_initname(&fixed_sname);
+			tresult = dns_name_fromtext(sname, &b2, dns_rootname,
+						    0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+					    "server-name '%s' is not a valid "
+					    "name", snamestr);
+				result = ISC_R_FAILURE;
+			} else if (dns_name_issubdomain(sname, zname)) {
+				cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+					    "server-name '%s' must not be a "
+					    "subdomain of zone name '%s'",
+					    snamestr, znamestr);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
+
+	/*
+	 * Check that max-zone-ttl isn't used with masterfile-format map
+	 */
+	masterformat = dns_masterformat_text;
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "masterfile-format", &obj);
+	if (obj != NULL) {
+		const char *masterformatstr = cfg_obj_asstring(obj);
+		if (strcasecmp(masterformatstr, "text") == 0)
+			masterformat = dns_masterformat_text;
+		else if (strcasecmp(masterformatstr, "raw") == 0)
+			masterformat = dns_masterformat_raw;
+		else if (strcasecmp(masterformatstr, "map") == 0)
+			masterformat = dns_masterformat_map;
+		else
+			INSIST(0);
+	}
+
+	if (masterformat == dns_masterformat_map) {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+		if (obj == NULL && voptions != NULL)
+			(void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+		if (obj == NULL && goptions !=NULL)
+			(void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+		if (obj != NULL) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'max-zone-ttl' is not "
+				    "compatible with 'masterfile-format map'",
+				    znamestr);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	/*
+	 * Warn if key-directory doesn't exist
+	 */
+	obj = NULL;
+	tresult = cfg_map_get(zoptions, "key-directory", &obj);
+	if (tresult == ISC_R_SUCCESS) {
+		const char *dir = cfg_obj_asstring(obj);
+		tresult = isc_file_isdirectory(dir);
+		switch (tresult) {
+		case ISC_R_SUCCESS:
+			break;
+		case ISC_R_FILENOTFOUND:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' does not exist",
+				    dir);
+			break;
+		case ISC_R_INVALIDFILE:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' is not a directory",
+				    dir);
+			break;
+		default:
+			cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+				    "key-directory: '%s' %s",
+				    dir, isc_result_totext(tresult));
+			result = tresult;
+		}
+	}
+
+	/*
+	 * Check various options.
+	 */
+	tresult = check_options(zoptions, logctx, mctx, optlevel_zone);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	/*
+	 * If the zone type is rbt/rbt64 then master/hint zones
+	 * require file clauses.
+	 * If inline signing is used, then slave zones require a
+	 * file clause as well
+	 */
+	obj = NULL;
+	dlz = false;
+	tresult = cfg_map_get(zoptions, "dlz", &obj);
+	if (tresult == ISC_R_SUCCESS)
+		dlz = true;
+
+	obj = NULL;
+	tresult = cfg_map_get(zoptions, "database", &obj);
+	if (dlz && tresult == ISC_R_SUCCESS) {
+		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': cannot specify both 'dlz' "
+				    "and 'database'", znamestr);
+		result = ISC_R_FAILURE;
+	} else if (!dlz &&
+	    (tresult == ISC_R_NOTFOUND ||
+	    (tresult == ISC_R_SUCCESS &&
+	     (strcmp("rbt", cfg_obj_asstring(obj)) == 0 ||
+	      strcmp("rbt64", cfg_obj_asstring(obj)) == 0))))
+	{
+		isc_result_t res1;
+		const cfg_obj_t *fileobj = NULL;
+		tresult = cfg_map_get(zoptions, "file", &fileobj);
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "inline-signing", &obj);
+		if ((tresult != ISC_R_SUCCESS &&
+		    (ztype == CFG_ZONE_MASTER || ztype == CFG_ZONE_HINT ||
+		     (ztype == CFG_ZONE_SLAVE && res1 == ISC_R_SUCCESS &&
+		      cfg_obj_asboolean(obj)))))
+		{
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+			    "zone '%s': missing 'file' entry",
+			    znamestr);
+			result = tresult;
+		} else if (tresult == ISC_R_SUCCESS &&
+			   (ztype == CFG_ZONE_SLAVE || ddns)) {
+			tresult = fileexist(fileobj, files, true, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		} else if (tresult == ISC_R_SUCCESS &&
+			   (ztype == CFG_ZONE_MASTER ||
+			    ztype == CFG_ZONE_HINT))
+		{
+			tresult = fileexist(fileobj, files, false, logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	return (result);
+}
+
+
+typedef struct keyalgorithms {
+	const char *name;
+	uint16_t size;
+} algorithmtable;
+
+isc_result_t
+bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
+	const cfg_obj_t *algobj = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+	const char *algorithm;
+	int i;
+	size_t len = 0;
+	isc_result_t result;
+	isc_buffer_t buf;
+	unsigned char secretbuf[1024];
+	static const algorithmtable algorithms[] = {
+#ifndef PK11_MD5_DISABLE
+		{ "hmac-md5", 128 },
+		{ "hmac-md5.sig-alg.reg.int", 0 },
+		{ "hmac-md5.sig-alg.reg.int.", 0 },
+#endif
+		{ "hmac-sha1", 160 },
+		{ "hmac-sha224", 224 },
+		{ "hmac-sha256", 256 },
+		{ "hmac-sha384", 384 },
+		{ "hmac-sha512", 512 },
+		{  NULL, 0 }
+	};
+
+	(void)cfg_map_get(key, "algorithm", &algobj);
+	(void)cfg_map_get(key, "secret", &secretobj);
+	if (secretobj == NULL || algobj == NULL) {
+		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+			    "key '%s' must have both 'secret' and "
+			    "'algorithm' defined",
+			    keyname);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_init(&buf, secretbuf, sizeof(secretbuf));
+	result = isc_base64_decodestring(cfg_obj_asstring(secretobj), &buf);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(secretobj, logctx, ISC_LOG_ERROR,
+			    "bad secret '%s'", isc_result_totext(result));
+		return (result);
+	}
+
+	algorithm = cfg_obj_asstring(algobj);
+	for (i = 0; algorithms[i].name != NULL; i++) {
+		len = strlen(algorithms[i].name);
+		if (strncasecmp(algorithms[i].name, algorithm, len) == 0 &&
+		    (algorithm[len] == '\0' ||
+		     (algorithms[i].size != 0 && algorithm[len] == '-')))
+			break;
+	}
+	if (algorithms[i].name == NULL) {
+		cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+			    "unknown algorithm '%s'", algorithm);
+		return (ISC_R_NOTFOUND);
+	}
+	if (algorithm[len] == '-') {
+		uint16_t digestbits;
+		result = isc_parse_uint16(&digestbits, algorithm + len + 1, 10);
+		if (result == ISC_R_SUCCESS || result == ISC_R_RANGE) {
+			if (result == ISC_R_RANGE ||
+			    digestbits > algorithms[i].size) {
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits too large "
+					    "[%u..%u]", keyname,
+					    algorithms[i].size / 2,
+					    algorithms[i].size);
+				return (ISC_R_RANGE);
+			}
+			if ((digestbits % 8) != 0) {
+				cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+					    "key '%s' digest-bits not multiple"
+					    " of 8", keyname);
+				return (ISC_R_RANGE);
+			}
+			/*
+			 * Recommended minima for hmac algorithms.
+			 */
+			if ((digestbits < (algorithms[i].size / 2U) ||
+			     (digestbits < 80U)))
+				cfg_obj_log(algobj, logctx, ISC_LOG_WARNING,
+					    "key '%s' digest-bits too small "
+					    "[<%u]", keyname,
+					    algorithms[i].size/2);
+		} else {
+			cfg_obj_log(algobj, logctx, ISC_LOG_ERROR,
+				    "key '%s': unable to parse digest-bits",
+				    keyname);
+			return (result);
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, bool writeable,
+	  isc_log_t *logctx)
+{
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+	unsigned int line;
+	const char *file;
+
+	result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 0, &symvalue);
+	if (result == ISC_R_SUCCESS) {
+		if (writeable) {
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "writeable file '%s': already in use: "
+				    "%s:%u", cfg_obj_asstring(obj),
+				    file, line);
+			return (ISC_R_EXISTS);
+		}
+		result = isc_symtab_lookup(symtab, cfg_obj_asstring(obj), 2,
+					   &symvalue);
+		if (result == ISC_R_SUCCESS) {
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "writeable file '%s': already in use: "
+				    "%s:%u", cfg_obj_asstring(obj),
+				    file, line);
+			return (ISC_R_EXISTS);
+		}
+		return (ISC_R_SUCCESS);
+	}
+
+	symvalue.as_cpointer = obj;
+	result = isc_symtab_define(symtab, cfg_obj_asstring(obj),
+				   writeable ? 2 : 1, symvalue,
+				   isc_symexists_reject);
+	return (result);
+}
+
+/*
+ * Check key list for duplicates key names and that the key names
+ * are valid domain names as these keys are used for TSIG.
+ *
+ * Check the key contents for validity.
+ */
+static isc_result_t
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
+	      isc_mem_t *mctx, isc_log_t *logctx)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *element;
+
+	name = dns_fixedname_initname(&fname);
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *key = cfg_listelt_value(element);
+		const char *keyid = cfg_obj_asstring(cfg_map_getname(key));
+		isc_symvalue_t symvalue;
+		isc_buffer_t b;
+		char *keyname;
+
+		isc_buffer_constinit(&b, keyid, strlen(keyid));
+		isc_buffer_add(&b, strlen(keyid));
+		tresult = dns_name_fromtext(name, &b, dns_rootname,
+					    0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': bad key name", keyid);
+			result = tresult;
+			continue;
+		}
+		tresult = bind9_check_key(key, logctx);
+		if (tresult != ISC_R_SUCCESS)
+			return (tresult);
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		keyname = isc_mem_strdup(mctx, namebuf);
+		if (keyname == NULL)
+			return (ISC_R_NOMEMORY);
+		symvalue.as_cpointer = key;
+		tresult = isc_symtab_define(symtab, keyname, 1, symvalue,
+					    isc_symexists_reject);
+		if (tresult == ISC_R_EXISTS) {
+			const char *file;
+			unsigned int line;
+
+			RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
+					    1, &symvalue) == ISC_R_SUCCESS);
+			file = cfg_obj_file(symvalue.as_cpointer);
+			line = cfg_obj_line(symvalue.as_cpointer);
+
+			if (file == NULL)
+				file = "<unknown file>";
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': already exists "
+				    "previous definition: %s:%u",
+				    keyid, file, line);
+			isc_mem_free(mctx, keyname);
+			result = tresult;
+		} else if (tresult != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, keyname);
+			return (tresult);
+		}
+	}
+	return (result);
+}
+
+static struct {
+	const char *v4;
+	const char *v6;
+} sources[] = {
+	{ "transfer-source", "transfer-source-v6" },
+	{ "notify-source", "notify-source-v6" },
+	{ "query-source", "query-source-v6" },
+	{ NULL, NULL }
+};
+
+/*
+ * RNDC keys are not normalised unlike TSIG keys.
+ *
+ * 	"foo." is different to "foo".
+ */
+static bool
+rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const char *str;
+
+	if (keylist == NULL)
+		return (false);
+
+	for (element = cfg_list_first(keylist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_map_getname(obj));
+		if (!strcasecmp(str, keyname))
+			return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	      isc_symtab_t *symtab, isc_log_t *logctx)
+{
+	dns_fixedname_t fname;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	const cfg_listelt_t *e1, *e2;
+	const cfg_obj_t *v1, *v2, *keys;
+	const cfg_obj_t *servers;
+	isc_netaddr_t n1, n2;
+	unsigned int p1, p2;
+	const cfg_obj_t *obj;
+	char buf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const char *xfr;
+	const char *keyval;
+	isc_buffer_t b;
+	int source;
+	dns_name_t *keyname;
+
+	servers = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "server", &servers);
+	if (servers == NULL)
+		(void)cfg_map_get(config, "server", &servers);
+	if (servers == NULL)
+		return (ISC_R_SUCCESS);
+
+	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
+		v1 = cfg_listelt_value(e1);
+		cfg_obj_asnetprefix(cfg_map_getname(v1), &n1, &p1);
+		/*
+		 * Check that unused bits are zero.
+		 */
+		tresult = isc_netaddr_prefixok(&n1, p1);
+		if (tresult != ISC_R_SUCCESS) {
+			INSIST(tresult == ISC_R_FAILURE);
+			isc_netaddr_format(&n1, buf, sizeof(buf));
+			cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+				    "server '%s/%u': invalid prefix "
+				    "(extra bits specified)", buf, p1);
+			result = tresult;
+		}
+		source = 0;
+		do {
+			obj = NULL;
+			if (n1.family == AF_INET)
+				xfr = sources[source].v6;
+			else
+				xfr = sources[source].v4;
+			(void)cfg_map_get(v1, xfr, &obj);
+			if (obj != NULL) {
+				isc_netaddr_format(&n1, buf, sizeof(buf));
+				cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+					    "server '%s/%u': %s not legal",
+					    buf, p1, xfr);
+				result = ISC_R_FAILURE;
+			}
+		} while (sources[++source].v4 != NULL);
+		e2 = e1;
+		while ((e2 = cfg_list_next(e2)) != NULL) {
+			v2 = cfg_listelt_value(e2);
+			cfg_obj_asnetprefix(cfg_map_getname(v2), &n2, &p2);
+			if (p1 == p2 && isc_netaddr_equal(&n1, &n2)) {
+				const char *file = cfg_obj_file(v1);
+				unsigned int line = cfg_obj_line(v1);
+
+				if (file == NULL)
+					file = "<unknown file>";
+
+				isc_netaddr_format(&n2, buf, sizeof(buf));
+				cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
+					    "server '%s/%u': already exists "
+					    "previous definition: %s:%u",
+					    buf, p2, file, line);
+				result = ISC_R_FAILURE;
+			}
+		}
+		keys = NULL;
+		cfg_map_get(v1, "keys", &keys);
+		if (keys != NULL) {
+			/*
+			 * Normalize key name.
+			 */
+			keyval = cfg_obj_asstring(keys);
+			isc_buffer_constinit(&b, keyval, strlen(keyval));
+			isc_buffer_add(&b, strlen(keyval));
+			keyname = dns_fixedname_initname(&fname);
+			tresult = dns_name_fromtext(keyname, &b, dns_rootname,
+						    0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "bad key name '%s'", keyval);
+				result = ISC_R_FAILURE;
+				continue;
+			}
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			tresult = isc_symtab_lookup(symtab, namebuf, 1, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "unknown key '%s'", keyval);
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+	return (result);
+}
+
+#define ROOT_KSK_2010	0x1
+#define ROOT_KSK_2017	0x2
+#define DLV_KSK_KEY	0x4
+
+static isc_result_t
+check_trusted_key(const cfg_obj_t *key, bool managed,
+		  unsigned int *keyflags, isc_log_t *logctx)
+{
+	const char *keystr, *keynamestr;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	uint32_t flags, proto, alg;
+	unsigned char keydata[4096];
+
+	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+
+	keyname = dns_fixedname_initname(&fkeyname);
+	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+	isc_buffer_constinit(&b, keynamestr, strlen(keynamestr));
+	isc_buffer_add(&b, strlen(keynamestr));
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(key, logctx, ISC_LOG_WARNING, "bad key name: %s\n",
+			    isc_result_totext(result));
+		result = ISC_R_FAILURE;
+	}
+
+	if (flags > 0xffff) {
+		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "flags too big: %u\n", flags);
+		result = ISC_R_FAILURE;
+	}
+	if (proto > 0xff) {
+		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "protocol too big: %u\n", proto);
+		result = ISC_R_FAILURE;
+	}
+	if (alg > 0xff) {
+		cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+			    "algorithm too big: %u\n", alg);
+		result = ISC_R_FAILURE;
+	}
+
+	if (managed) {
+		const char *initmethod;
+		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
+
+		if (strcasecmp(initmethod, "initial-key") != 0) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "managed key '%s': "
+				    "invalid initialization method '%s'",
+				    keynamestr, initmethod);
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	isc_buffer_init(&b, keydata, sizeof(keydata));
+
+	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+	tresult = isc_base64_decodestring(keystr, &b);
+
+	if (tresult != ISC_R_SUCCESS) {
+		cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+			    "%s", isc_result_totext(tresult));
+		result = ISC_R_FAILURE;
+	} else {
+		isc_buffer_usedregion(&b, &r);
+
+		if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
+		    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
+			cfg_obj_log(key, logctx, ISC_LOG_WARNING,
+				    "%s key '%s' has a weak exponent",
+				    managed ? "managed" : "trusted",
+				    keynamestr);
+	}
+
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) {
+		static const unsigned char root_ksk_2010[] = {
+			0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9,
+			0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80,
+			0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd,
+			0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec,
+			0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70,
+			0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf,
+			0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82,
+			0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18,
+			0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc,
+			0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32,
+			0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51,
+			0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb,
+			0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5,
+			0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8,
+			0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4,
+			0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4,
+			0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e,
+			0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33,
+			0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9,
+			0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04,
+			0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73,
+			0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33,
+			0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9,
+			0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e,
+			0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e,
+			0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad,
+			0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9,
+			0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14,
+			0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e,
+			0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
+			0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49,
+			0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52,
+			0x4d, 0x62, 0x87, 0x3d };
+		static const unsigned char root_ksk_2017[] = {
+			0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09,
+			0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5,
+			0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53,
+			0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4,
+			0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5,
+			0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa,
+			0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59,
+			0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98,
+			0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1,
+			0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f,
+			0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35,
+			0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8,
+			0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17,
+			0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f,
+			0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb,
+			0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32,
+			0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac,
+			0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b,
+			0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6,
+			0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3,
+			0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e,
+			0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75,
+			0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7,
+			0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d,
+			0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f,
+			0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d,
+			0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a,
+			0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68,
+			0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7,
+			0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
+			0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63,
+			0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51,
+			0x35, 0x7b, 0xe1, 0xb5 };
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) &&
+		    !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) {
+			*keyflags |= ROOT_KSK_2010;
+		}
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) &&
+		    !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) {
+			*keyflags |= ROOT_KSK_2017;
+		}
+	}
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) {
+		static const unsigned char dlviscorgkey[] = {
+			0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef,
+			0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5,
+			0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e,
+			0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61,
+			0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94,
+			0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd,
+			0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8,
+			0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e,
+			0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2,
+			0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56,
+			0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b,
+			0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb,
+			0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2,
+			0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef,
+			0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9,
+			0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65,
+			0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b,
+			0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b,
+			0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01,
+			0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c,
+			0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64,
+			0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00,
+			0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6,
+			0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c,
+			0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64,
+			0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35,
+			0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57,
+			0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd,
+			0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a,
+			0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8,
+			0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f,
+			0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61,
+			0x4b, 0x96, 0xac, 0x13, 0x61 };
+		if (flags == 257 && proto == 3 && alg == 5 &&
+		    isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) &&
+		    !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) {
+			*keyflags |= DLV_KSK_KEY;
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+check_rpz_catz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
+	       const char *viewname, isc_symtab_t *symtab, isc_log_t *logctx)
+{
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj, *nameobj, *zoneobj;
+	const char *zonename, *zonetype;
+	const char *forview = " for view ";
+	isc_symvalue_t value;
+	isc_result_t result, tresult;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+	result = ISC_R_SUCCESS;
+
+	name = dns_fixedname_initname(&fixed);
+	obj = cfg_tuple_get(rpz_obj, "zone list");
+	for (element = cfg_list_first(obj);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		obj = cfg_listelt_value(element);
+		nameobj = cfg_tuple_get(obj, "zone name");
+		zonename = cfg_obj_asstring(nameobj);
+		zonetype = "";
+
+		tresult = dns_name_fromstring(name, zonename, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+				   "bad domain name '%s'", zonename);
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
+			continue;
+		}
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		tresult = isc_symtab_lookup(symtab, namebuf, 3, &value);
+		if (tresult == ISC_R_SUCCESS) {
+			obj = NULL;
+			zoneobj = value.as_cpointer;
+			if (zoneobj != NULL && cfg_obj_istuple(zoneobj))
+				zoneobj = cfg_tuple_get(zoneobj, "options");
+			if (zoneobj != NULL && cfg_obj_ismap(zoneobj))
+				(void)cfg_map_get(zoneobj, "type", &obj);
+			if (obj != NULL)
+				zonetype = cfg_obj_asstring(obj);
+		}
+		if (strcasecmp(zonetype, "master") != 0 &&
+		    strcasecmp(zonetype, "slave") != 0) {
+			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+				    "%s '%s'%s%s is not a master or slave zone",
+				    rpz_catz, zonename, forview, viewname);
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	       const char *viewname, dns_rdataclass_t vclass,
+	       isc_symtab_t *files, isc_symtab_t *inview,
+	       isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *zones = NULL;
+	const cfg_obj_t *keys = NULL;
+#ifndef HAVE_DLOPEN
+	const cfg_obj_t *dyndb = NULL;
+#endif
+	const cfg_listelt_t *element, *element2;
+	isc_symtab_t *symtab = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult = ISC_R_SUCCESS;
+	cfg_aclconfctx_t *actx = NULL;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *opts = NULL;
+	bool enablednssec, enablevalidation;
+	const char *valstr = "no";
+	unsigned int tflags, mflags;
+
+	/*
+	 * Get global options block
+	 */
+	(void)cfg_map_get(config, "options", &options);
+
+	/*
+	 * The most relevant options for this view
+	 */
+	if (voptions != NULL)
+		opts = voptions;
+	else
+		opts = options;
+
+	/*
+	 * Check that all zone statements are syntactically correct and
+	 * there are no duplicate zones.
+	 */
+	tresult = isc_symtab_create(mctx, 1000, freekey, mctx,
+				    false, &symtab);
+	if (tresult != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	cfg_aclconfctx_create(mctx, &actx);
+
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "zone", &zones);
+	else
+		(void)cfg_map_get(config, "zone", &zones);
+
+	for (element = cfg_list_first(zones);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *zone = cfg_listelt_value(element);
+
+		tresult = check_zoneconf(zone, voptions, config, symtab,
+					 files, inview, viewname, vclass,
+					 actx, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+#ifndef HAVE_DLOPEN
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dyndb", &dyndb);
+	else
+		(void)cfg_map_get(config, "dyndb", &dyndb);
+
+	if (dyndb != NULL) {
+		cfg_obj_log(dyndb, logctx, ISC_LOG_ERROR,
+			    "dynamic loading of databases is not supported");
+		if (tresult != ISC_R_SUCCESS)
+			result = ISC_R_NOTIMPLEMENTED;
+	}
+#endif
+
+	/*
+	 * Check that the response-policy and catalog-zones options
+	 * refer to zones that exist.
+	 */
+	if (opts != NULL) {
+		obj = NULL;
+		if (cfg_map_get(opts, "response-policy", &obj) == ISC_R_SUCCESS
+		    && check_rpz_catz("response-policy zone", obj,
+				 viewname, symtab, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+		obj = NULL;
+		if (cfg_map_get(opts, "catalog-zones", &obj) == ISC_R_SUCCESS
+		    && check_rpz_catz("catalog zone", obj,
+				  viewname, symtab, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Check that forwarding is reasonable.
+	 */
+	if (opts != NULL && check_forward(opts, NULL, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check non-zero options at the global and view levels.
+	 */
+	if (options != NULL && check_nonzero(options, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+	if (voptions != NULL &&check_nonzero(voptions, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check that dual-stack-servers is reasonable.
+	 */
+	if (opts != NULL && check_dual_stack(opts, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check that rrset-order is reasonable.
+	 */
+	if (opts != NULL && check_order(opts, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	/*
+	 * Check that all key statements are syntactically correct and
+	 * there are no duplicate keys.
+	 */
+	tresult = isc_symtab_create(mctx, 1000, freekey, mctx,
+				    false, &symtab);
+	if (tresult != ISC_R_SUCCESS)
+		goto cleanup;
+
+	(void)cfg_map_get(config, "key", &keys);
+	tresult = check_keylist(keys, symtab, mctx, logctx);
+	if (tresult == ISC_R_EXISTS)
+		result = ISC_R_FAILURE;
+	else if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	if (voptions != NULL) {
+		keys = NULL;
+		(void)cfg_map_get(voptions, "key", &keys);
+		tresult = check_keylist(keys, symtab, mctx, logctx);
+		if (tresult == ISC_R_EXISTS)
+			result = ISC_R_FAILURE;
+		else if (tresult != ISC_R_SUCCESS) {
+			result = tresult;
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * Global servers can refer to keys in views.
+	 */
+	if (check_servers(config, voptions, symtab, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	isc_symtab_destroy(&symtab);
+
+	/*
+	 * Check that dnssec-enable/dnssec-validation are sensible.
+	 */
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-enable", &obj);
+	if (obj == NULL && options != NULL)
+		(void)cfg_map_get(options, "dnssec-enable", &obj);
+	if (obj == NULL)
+		enablednssec = true;
+	else
+		enablednssec = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "dnssec-validation", &obj);
+	if (obj == NULL && options != NULL)
+		(void)cfg_map_get(options, "dnssec-validation", &obj);
+	if (obj == NULL) {
+		enablevalidation = enablednssec;
+		valstr = "yes";
+	} else if (cfg_obj_isboolean(obj)) {
+		enablevalidation = cfg_obj_asboolean(obj);
+		valstr = enablevalidation ? "yes" : "no";
+	} else {
+		enablevalidation = true;
+		valstr = "auto";
+	}
+
+	if (enablevalidation && !enablednssec)
+		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+			    "'dnssec-validation %s;' and 'dnssec-enable no;'",
+			    valstr);
+
+	/*
+	 * Check trusted-keys and managed-keys.
+	 */
+	keys = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "trusted-keys", &keys);
+	if (keys == NULL)
+		(void)cfg_map_get(config, "trusted-keys", &keys);
+
+	tflags = 0;
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			obj = cfg_listelt_value(element2);
+			tresult = check_trusted_key(obj, false, &tflags,
+						    logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for root from 2010 without updated "
+			    "trusted-key from 2017: THIS WILL FAIL AFTER "
+			    "KEY ROLLOVER");
+	}
+
+	if ((tflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
+	keys = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "managed-keys", &keys);
+	if (keys == NULL)
+		(void)cfg_map_get(config, "managed-keys", &keys);
+
+	mflags = 0;
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		const cfg_obj_t *keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			obj = cfg_listelt_value(element2);
+			tresult = check_trusted_key(obj, true, &mflags,
+						    logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+
+	if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for root from 2010 without updated "
+			    "managed-key from 2017");
+	}
+
+	if ((mflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
+	if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
+	    (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
+	{
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and managed-keys for the ICANN "
+			    "root are present");
+	}
+
+	/*
+	 * Check options.
+	 */
+	if (voptions != NULL)
+		tresult = check_options(voptions, logctx, mctx,
+					optlevel_view);
+	else
+		tresult = check_options(config, logctx, mctx,
+					optlevel_config);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	tresult = check_viewacls(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	tresult = check_recursionacls(actx, voptions, viewname,
+				      config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	tresult = check_filteraaaa(actx, voptions, viewname, config,
+				   logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	tresult = check_dns64(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+	tresult = check_ratelimit(actx, voptions, config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
+ cleanup:
+	if (symtab != NULL)
+		isc_symtab_destroy(&symtab);
+	if (actx != NULL)
+		cfg_aclconfctx_detach(&actx);
+
+	return (result);
+}
+
+static const char *
+default_channels[] = {
+	"default_syslog",
+	"default_stderr",
+	"default_debug",
+	"null",
+	NULL
+};
+
+static isc_result_t
+bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
+		    isc_mem_t *mctx)
+{
+	const cfg_obj_t *categories = NULL;
+	const cfg_obj_t *category;
+	const cfg_obj_t *channels = NULL;
+	const cfg_obj_t *channel;
+	const cfg_listelt_t *element;
+	const cfg_listelt_t *delement;
+	const char *channelname;
+	const char *catname;
+	const cfg_obj_t *fileobj = NULL;
+	const cfg_obj_t *syslogobj = NULL;
+	const cfg_obj_t *nullobj = NULL;
+	const cfg_obj_t *stderrobj = NULL;
+	const cfg_obj_t *logobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_symtab_t *symtab = NULL;
+	isc_symvalue_t symvalue;
+	int i;
+
+	(void)cfg_map_get(config, "logging", &logobj);
+	if (logobj == NULL)
+		return (ISC_R_SUCCESS);
+
+	result = isc_symtab_create(mctx, 100, NULL, NULL, false, &symtab);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	symvalue.as_cpointer = NULL;
+	for (i = 0; default_channels[i] != NULL; i++) {
+		tresult = isc_symtab_define(symtab, default_channels[i], 1,
+					    symvalue, isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	cfg_map_get(logobj, "channel", &channels);
+
+	for (element = cfg_list_first(channels);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		channel = cfg_listelt_value(element);
+		channelname = cfg_obj_asstring(cfg_map_getname(channel));
+		fileobj = syslogobj = nullobj = stderrobj = NULL;
+		(void)cfg_map_get(channel, "file", &fileobj);
+		(void)cfg_map_get(channel, "syslog", &syslogobj);
+		(void)cfg_map_get(channel, "null", &nullobj);
+		(void)cfg_map_get(channel, "stderr", &stderrobj);
+		i = 0;
+		if (fileobj != NULL)
+			i++;
+		if (syslogobj != NULL)
+			i++;
+		if (nullobj != NULL)
+			i++;
+		if (stderrobj != NULL)
+			i++;
+		if (i != 1) {
+			cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+				    "channel '%s': exactly one of file, syslog, "
+				    "null, and stderr must be present",
+				     channelname);
+			result = ISC_R_FAILURE;
+		}
+		tresult = isc_symtab_define(symtab, channelname, 1,
+					    symvalue, isc_symexists_replace);
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+	}
+
+	cfg_map_get(logobj, "category", &categories);
+
+	for (element = cfg_list_first(categories);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		category = cfg_listelt_value(element);
+		catname = cfg_obj_asstring(cfg_tuple_get(category, "name"));
+		if (isc_log_categorybyname(logctx, catname) == NULL) {
+			cfg_obj_log(category, logctx, ISC_LOG_ERROR,
+				    "undefined category: '%s'", catname);
+			result = ISC_R_FAILURE;
+		}
+		channels = cfg_tuple_get(category, "destinations");
+		for (delement = cfg_list_first(channels);
+		     delement != NULL;
+		     delement = cfg_list_next(delement))
+		{
+			channel = cfg_listelt_value(delement);
+			channelname = cfg_obj_asstring(channel);
+			tresult = isc_symtab_lookup(symtab, channelname, 1,
+						    &symvalue);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(channel, logctx, ISC_LOG_ERROR,
+					    "undefined channel: '%s'",
+					    channelname);
+				result = tresult;
+			}
+		}
+	}
+	isc_symtab_destroy(&symtab);
+	return (result);
+}
+
+static isc_result_t
+bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
+			 isc_log_t *logctx)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_obj_t *control_keylist;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *key;
+	const char *keyval;
+
+	control_keylist = cfg_tuple_get(control, "keys");
+	if (cfg_obj_isvoid(control_keylist))
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(control_keylist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		key = cfg_listelt_value(element);
+		keyval = cfg_obj_asstring(key);
+
+		if (!rndckey_exists(keylist, keyval)) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "unknown key '%s'", keyval);
+			result = ISC_R_NOTFOUND;
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
+		     isc_mem_t *mctx)
+{
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	cfg_aclconfctx_t *actx = NULL;
+	const cfg_listelt_t *element, *element2;
+	const cfg_obj_t *allow;
+	const cfg_obj_t *control;
+	const cfg_obj_t *controls;
+	const cfg_obj_t *controlslist = NULL;
+	const cfg_obj_t *inetcontrols;
+	const cfg_obj_t *unixcontrols;
+	const cfg_obj_t *keylist = NULL;
+	const char *path;
+	uint32_t perm, mask;
+	dns_acl_t *acl = NULL;
+	isc_sockaddr_t addr;
+	int i;
+
+	(void)cfg_map_get(config, "controls", &controlslist);
+	if (controlslist == NULL)
+		return (ISC_R_SUCCESS);
+
+	(void)cfg_map_get(config, "key", &keylist);
+
+	cfg_aclconfctx_create(mctx, &actx);
+
+	/*
+	 * INET: Check allow clause.
+	 * UNIX: Check "perm" for sanity, check path length.
+	 */
+	for (element = cfg_list_first(controlslist);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		controls = cfg_listelt_value(element);
+		unixcontrols = NULL;
+		inetcontrols = NULL;
+		(void)cfg_map_get(controls, "unix", &unixcontrols);
+		(void)cfg_map_get(controls, "inet", &inetcontrols);
+		for (element2 = cfg_list_first(inetcontrols);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			control = cfg_listelt_value(element2);
+			allow = cfg_tuple_get(control, "allow");
+			tresult = cfg_acl_fromconfig(allow, config, logctx,
+						     actx, mctx, 0, &acl);
+			if (acl != NULL)
+				dns_acl_detach(&acl);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+		for (element2 = cfg_list_first(unixcontrols);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2)) {
+			control = cfg_listelt_value(element2);
+			path = cfg_obj_asstring(cfg_tuple_get(control, "path"));
+			tresult = isc_sockaddr_frompath(&addr, path);
+			if (tresult == ISC_R_NOSPACE) {
+				cfg_obj_log(control, logctx, ISC_LOG_ERROR,
+					    "unix control '%s': path too long",
+					    path);
+				result = ISC_R_NOSPACE;
+			}
+			perm = cfg_obj_asuint32(cfg_tuple_get(control, "perm"));
+			for (i = 0; i < 3; i++) {
+#ifdef NEED_SECURE_DIRECTORY
+				mask = (0x1 << (i*3));	/* SEARCH */
+#else
+				mask = (0x6 << (i*3)); 	/* READ + WRITE */
+#endif
+				if ((perm & mask) == mask)
+					break;
+			}
+			if (i == 0) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to everyone", path);
+			} else if (i == 3) {
+				cfg_obj_log(control, logctx, ISC_LOG_WARNING,
+					    "unix control '%s' allows access "
+					    "to nobody", path);
+			}
+			tresult = bind9_check_controlskeys(control, keylist,
+							   logctx);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+	}
+	cfg_aclconfctx_detach(&actx);
+	return (result);
+}
+
+isc_result_t
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx)
+{
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *views = NULL;
+	const cfg_obj_t *acls = NULL;
+	const cfg_obj_t *kals = NULL;
+	const cfg_obj_t *obj;
+	const cfg_listelt_t *velement;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_result_t tresult;
+	isc_symtab_t *symtab = NULL;
+	isc_symtab_t *files = NULL;
+	isc_symtab_t *inview = NULL;
+
+	static const char *builtin[] = { "localhost", "localnets",
+					 "any", "none"};
+
+	(void)cfg_map_get(config, "options", &options);
+
+	if (options != NULL &&
+	    check_options(options, logctx, mctx,
+			  optlevel_options) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	if (bind9_check_controls(config, logctx, mctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	(void)cfg_map_get(config, "view", &views);
+
+	if (views != NULL && options != NULL)
+		if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+
+	/*
+	 * Use case insensitive comparision as not all file systems are
+	 * case sensitive. This will prevent people using FOO.DB and foo.db
+	 * on case sensitive file systems but that shouldn't be a major issue.
+	 */
+	tresult = isc_symtab_create(mctx, 100, NULL, NULL, false,
+				    &files);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+				    true, &inview);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+
+	if (views == NULL) {
+		tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
+					 files, inview, logctx, mctx);
+		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
+			result = ISC_R_FAILURE;
+		}
+	} else {
+		const cfg_obj_t *zones = NULL;
+
+		(void)cfg_map_get(config, "zone", &zones);
+		if (zones != NULL) {
+			cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
+				    "when using 'view' statements, "
+				    "all zones must be in views");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	tresult = isc_symtab_create(mctx, 100, NULL, NULL, true, &symtab);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
+	for (velement = cfg_list_first(views);
+	     velement != NULL;
+	     velement = cfg_list_next(velement))
+	{
+		const cfg_obj_t *view = cfg_listelt_value(velement);
+		const cfg_obj_t *vname = cfg_tuple_get(view, "name");
+		const cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+		const cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+		dns_rdataclass_t vclass = dns_rdataclass_in;
+		const char *key = cfg_obj_asstring(vname);
+		isc_symvalue_t symvalue;
+		unsigned int symtype;
+
+		tresult = ISC_R_SUCCESS;
+		if (cfg_obj_isstring(vclassobj)) {
+			isc_textregion_t r;
+
+			DE_CONST(cfg_obj_asstring(vclassobj), r.base);
+			r.length = strlen(r.base);
+			tresult = dns_rdataclass_fromtext(&vclass, &r);
+			if (tresult != ISC_R_SUCCESS)
+				cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
+					    "view '%s': invalid class %s",
+					    cfg_obj_asstring(vname), r.base);
+		}
+		symtype = vclass + 1;
+		if (tresult == ISC_R_SUCCESS && symtab != NULL) {
+			symvalue.as_cpointer = view;
+			tresult = isc_symtab_define(symtab, key, symtype,
+						    symvalue,
+						    isc_symexists_reject);
+			if (tresult == ISC_R_EXISTS) {
+				const char *file;
+				unsigned int line;
+				RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
+					 symtype, &symvalue) == ISC_R_SUCCESS);
+				file = cfg_obj_file(symvalue.as_cpointer);
+				line = cfg_obj_line(symvalue.as_cpointer);
+				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+					    "view '%s': already exists "
+					    "previous definition: %s:%u",
+					    key, file, line);
+				result = tresult;
+			} else if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+			} else if ((strcasecmp(key, "_bind") == 0 &&
+				    vclass == dns_rdataclass_ch) ||
+				   (strcasecmp(key, "_default") == 0 &&
+				    vclass == dns_rdataclass_in)) {
+				cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+					    "attempt to redefine builtin view "
+					    "'%s'", key);
+				result = ISC_R_EXISTS;
+			}
+		}
+		if (tresult == ISC_R_SUCCESS)
+			tresult = check_viewconf(config, voptions, key, vclass,
+						 files, inview, logctx, mctx);
+		if (tresult != ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+	}
+
+	if (views != NULL && options != NULL) {
+		obj = NULL;
+		tresult = cfg_map_get(options, "cache-file", &obj);
+		if (tresult == ISC_R_SUCCESS) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "'cache-file' cannot be a global "
+				    "option if views are present");
+			result = ISC_R_FAILURE;
+		}
+	}
+
+	cfg_map_get(config, "acl", &acls);
+
+	if (acls != NULL) {
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
+		const char *aclname;
+
+		for (elt = cfg_list_first(acls);
+		     elt != NULL;
+		     elt = cfg_list_next(elt)) {
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
+			unsigned int line = cfg_obj_line(acl);
+			unsigned int i;
+
+			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+			for (i = 0;
+			     i < sizeof(builtin) / sizeof(builtin[0]);
+			     i++)
+				if (strcasecmp(aclname, builtin[i]) == 0) {
+					cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "builtin acl '%s'",
+						    aclname);
+					result = ISC_R_FAILURE;
+					break;
+				}
+
+			for (elt2 = cfg_list_next(elt);
+			     elt2 != NULL;
+			     elt2 = cfg_list_next(elt2)) {
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const char *name;
+				name = cfg_obj_asstring(cfg_tuple_get(acl2,
+								      "name"));
+				if (strcasecmp(aclname, name) == 0) {
+					const char *file = cfg_obj_file(acl);
+
+					if (file == NULL)
+						file = "<unknown file>";
+
+					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "acl '%s' previous "
+						    "definition: %s:%u",
+						     name, file, line);
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+	tresult = cfg_map_get(config, "kal", &kals);
+	if (tresult == ISC_R_SUCCESS) {
+		const cfg_listelt_t *elt;
+		const cfg_listelt_t *elt2;
+		const char *aclname;
+
+		for (elt = cfg_list_first(kals);
+		     elt != NULL;
+		     elt = cfg_list_next(elt)) {
+			const cfg_obj_t *acl = cfg_listelt_value(elt);
+
+			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+
+			for (elt2 = cfg_list_next(elt);
+			     elt2 != NULL;
+			     elt2 = cfg_list_next(elt2)) {
+				const cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+				const char *name;
+				name = cfg_obj_asstring(cfg_tuple_get(acl2,
+								      "name"));
+				if (strcasecmp(aclname, name) == 0) {
+					const char *file = cfg_obj_file(acl);
+					unsigned int line = cfg_obj_line(acl);
+
+					if (file == NULL)
+						file = "<unknown file>";
+
+					cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+						    "attempt to redefine "
+						    "kal '%s' previous "
+						    "definition: %s:%u",
+						     name, file, line);
+					result = ISC_R_FAILURE;
+				}
+			}
+		}
+	}
+
+cleanup:
+	if (symtab != NULL)
+		isc_symtab_destroy(&symtab);
+	if (inview != NULL)
+		isc_symtab_destroy(&inview);
+	if (files != NULL)
+		isc_symtab_destroy(&files);
+
+	return (result);
+}
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
new file mode 100644
index 0000000..46cd4d5
--- /dev/null
+++ b/lib/bind9/getaddresses.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netdb.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <bind9/getaddresses.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
+#ifndef USE_GETADDRINFO
+#ifndef ISC_PLATFORM_NONSTDHERRNO
+extern int h_errno;
+#endif
+#endif
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+		   isc_sockaddr_t *addrs, int addrsize, int *addrcount)
+{
+	struct in_addr in4;
+	struct in6_addr in6;
+	bool have_ipv4, have_ipv6;
+	int i;
+
+#ifdef USE_GETADDRINFO
+	struct addrinfo *ai = NULL, *tmpai, hints;
+	int result;
+#else
+	struct hostent *he;
+#endif
+
+	REQUIRE(hostname != NULL);
+	REQUIRE(addrs != NULL);
+	REQUIRE(addrcount != NULL);
+	REQUIRE(addrsize > 0);
+
+	have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS);
+	have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS);
+
+	/*
+	 * Try IPv4, then IPv6.  In order to handle the extended format
+	 * for IPv6 scoped addresses (address%scope_ID), we'll use a local
+	 * working buffer of 128 bytes.  The length is an ad-hoc value, but
+	 * should be enough for this purpose; the buffer can contain a string
+	 * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
+	 * addresses (up to 46 bytes), the delimiter character and the
+	 * terminating NULL character.
+	 */
+	if (inet_pton(AF_INET, hostname, &in4) == 1) {
+		if (have_ipv4)
+			isc_sockaddr_fromin(&addrs[0], &in4, port);
+		else
+			isc_sockaddr_v6fromin(&addrs[0], &in4, port);
+		*addrcount = 1;
+		return (ISC_R_SUCCESS);
+	} else if (strlen(hostname) <= 127U) {
+		char tmpbuf[128], *d;
+		uint32_t zone = 0;
+
+		strlcpy(tmpbuf, hostname, sizeof(tmpbuf));
+		d = strchr(tmpbuf, '%');
+		if (d != NULL)
+			*d = '\0';
+
+		if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) {
+			isc_netaddr_t na;
+
+			if (!have_ipv6)
+				return (ISC_R_FAMILYNOSUPPORT);
+
+			if (d != NULL) {
+#ifdef ISC_PLATFORM_HAVESCOPEID
+				isc_result_t iresult;
+
+				iresult = isc_netscope_pton(AF_INET6, d + 1,
+							    &in6, &zone);
+
+				if (iresult != ISC_R_SUCCESS)
+					return (iresult);
+#else
+				/*
+				 * The extended format is specified while the
+				 * system does not provide the ability to use
+				 * it.	Throw an explicit error instead of
+				 * ignoring the specified value.
+				 */
+				return (ISC_R_BADADDRESSFORM);
+#endif
+			}
+
+			isc_netaddr_fromin6(&na, &in6);
+			isc_netaddr_setzone(&na, zone);
+			isc_sockaddr_fromnetaddr(&addrs[0],
+						 (const isc_netaddr_t *)&na,
+						 port);
+
+			*addrcount = 1;
+			return (ISC_R_SUCCESS);
+		}
+	}
+#ifdef USE_GETADDRINFO
+	memset(&hints, 0, sizeof(hints));
+	if (!have_ipv6)
+		hints.ai_family = PF_INET;
+	else if (!have_ipv4)
+		hints.ai_family = PF_INET6;
+	else {
+		hints.ai_family = PF_UNSPEC;
+#ifdef AI_ADDRCONFIG
+		hints.ai_flags = AI_ADDRCONFIG;
+#endif
+	}
+	hints.ai_socktype = SOCK_STREAM;
+#ifdef AI_ADDRCONFIG
+ again:
+#endif
+	result = getaddrinfo(hostname, NULL, &hints, &ai);
+	switch (result) {
+	case 0:
+		break;
+	case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+	case EAI_NODATA:
+#endif
+		return (ISC_R_NOTFOUND);
+#ifdef AI_ADDRCONFIG
+	case EAI_BADFLAGS:
+		if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
+			hints.ai_flags &= ~AI_ADDRCONFIG;
+			goto again;
+		}
+#endif
+		/* FALLTHROUGH */
+	default:
+		return (ISC_R_FAILURE);
+	}
+	for (tmpai = ai, i = 0;
+	     tmpai != NULL && i < addrsize;
+	     tmpai = tmpai->ai_next)
+	{
+		if (tmpai->ai_family != AF_INET &&
+		    tmpai->ai_family != AF_INET6)
+			continue;
+		if (tmpai->ai_family == AF_INET) {
+			struct sockaddr_in *sin;
+			sin = (struct sockaddr_in *)tmpai->ai_addr;
+			isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
+		} else {
+			struct sockaddr_in6 *sin6;
+			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
+			isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
+					     port);
+		}
+		i++;
+
+	}
+	freeaddrinfo(ai);
+	*addrcount = i;
+#else
+	he = gethostbyname(hostname);
+	if (he == NULL) {
+		switch (h_errno) {
+		case HOST_NOT_FOUND:
+#ifdef NO_DATA
+		case NO_DATA:
+#endif
+#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
+		case NO_ADDRESS:
+#endif
+			return (ISC_R_NOTFOUND);
+		default:
+			return (ISC_R_FAILURE);
+		}
+	}
+	if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
+		return (ISC_R_NOTFOUND);
+	for (i = 0; i < addrsize; i++) {
+		if (he->h_addrtype == AF_INET) {
+			struct in_addr *inp;
+			inp = (struct in_addr *)(he->h_addr_list[i]);
+			if (inp == NULL)
+				break;
+			isc_sockaddr_fromin(&addrs[i], inp, port);
+		} else {
+			struct in6_addr *in6p;
+			in6p = (struct in6_addr *)(he->h_addr_list[i]);
+			if (in6p == NULL)
+				break;
+			isc_sockaddr_fromin6(&addrs[i], in6p, port);
+		}
+	}
+	*addrcount = i;
+#endif
+	if (*addrcount == 0)
+		return (ISC_R_NOTFOUND);
+	else
+		return (ISC_R_SUCCESS);
+}
diff --git a/lib/bind9/include/Makefile.in b/lib/bind9/include/Makefile.in
new file mode 100644
index 0000000..b2b3562
--- /dev/null
+++ b/lib/bind9/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	bind9
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/bind9/include/bind9/Makefile.in b/lib/bind9/include/bind9/Makefile.in
new file mode 100644
index 0000000..247fbc5
--- /dev/null
+++ b/lib/bind9/include/bind9/Makefile.in
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	check.h getaddresses.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/bind9/$$i || exit 1; \
+	done
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
new file mode 100644
index 0000000..f796e26
--- /dev/null
+++ b/lib/bind9/include/bind9/check.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef BIND9_CHECK_H
+#define BIND9_CHECK_H 1
+
+/*! \file bind9/check.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
+		      isc_mem_t *mctx);
+/*%<
+ * Check the syntactic validity of a configuration parse tree generated from
+ * a named.conf file.
+ *
+ * Requires:
+ *\li	config is a valid parse tree
+ *
+ *\li	logctx is a valid logging context.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
+ */
+
+isc_result_t
+bind9_check_key(const cfg_obj_t *config, isc_log_t *logctx);
+/*%<
+ * Same as bind9_check_namedconf(), but for a single 'key' statement.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_CHECK_H */
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
new file mode 100644
index 0000000..2ffbf9f
--- /dev/null
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef BIND9_GETADDRESSES_H
+#define BIND9_GETADDRESSES_H 1
+
+/*! \file bind9/getaddresses.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isc/net.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+		   isc_sockaddr_t *addrs, int addrsize, int *addrcount);
+/*%<
+ * Use the system resolver to get the addresses associated with a hostname.
+ * If successful, the number of addresses found is returned in 'addrcount'.
+ * If a hostname lookup is performed and addresses of an unknown family is
+ * seen, it is ignored.  If more than 'addrsize' addresses are seen, the
+ * first 'addrsize' are returned and the remainder silently truncated.
+ *
+ * This routine may block.  If called by a program using the isc_app
+ * framework, it should be surrounded by isc_app_block()/isc_app_unblock().
+ *
+ *  Requires:
+ *\li	'hostname' is not NULL.
+ *\li	'addrs' is not NULL.
+ *\li	'addrsize' > 0
+ *\li	'addrcount' is not NULL.
+ *
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_FAMILYNOSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ *		not supported.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_GETADDRESSES_H */
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
new file mode 100644
index 0000000..fcc0879
--- /dev/null
+++ b/lib/bind9/include/bind9/version.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file bind9/version.h */
+
+#include <isc/platform.h>
+
+LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
+
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libinterface;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_librevision;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libage;
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
new file mode 100644
index 0000000..89003c7
--- /dev/null
+++ b/lib/bind9/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <bind9/version.h>
+
+const char bind9_version[] = VERSION;
+
+const unsigned int bind9_libinterface = LIBINTERFACE;
+const unsigned int bind9_librevision = LIBREVISION;
+const unsigned int bind9_libage = LIBAGE;
diff --git a/lib/bind9/win32/DLLMain.c b/lib/bind9/win32/DLLMain.c
new file mode 100644
index 0000000..8ff1017
--- /dev/null
+++ b/lib/bind9/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/bind9/win32/libbind9.def b/lib/bind9/win32/libbind9.def
new file mode 100644
index 0000000..b9a14ad
--- /dev/null
+++ b/lib/bind9/win32/libbind9.def
@@ -0,0 +1,8 @@
+LIBRARY libbind9
+
+; Exported Functions
+EXPORTS
+bind9_check_namedconf
+bind9_check_key
+bind9_getaddresses
+
diff --git a/lib/bind9/win32/libbind9.dsp.in b/lib/bind9/win32/libbind9.dsp.in
new file mode 100644
index 0000000..a1337bd
--- /dev/null
+++ b/lib/bind9/win32/libbind9.dsp.in
@@ -0,0 +1,137 @@
+# Microsoft Developer Studio Project File - Name="libbind9" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libbind9 - @PLATFORM@ Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak" CFG="libbind9 - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libbind9 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libbind9 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libbind9.dll"
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libbind9_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libbind9.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libbind9 - @PLATFORM@ Release"
+# Name "libbind9 - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\check.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getaddresses.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\bind9\check.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\bind9\getaddresses.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\bind9\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libbind9.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/bind9/win32/libbind9.dsw b/lib/bind9/win32/libbind9.dsw
new file mode 100644
index 0000000..0810982
--- /dev/null
+++ b/lib/bind9/win32/libbind9.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libbind9"=.\libbind9.dsp - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/bind9/win32/libbind9.mak.in b/lib/bind9/win32/libbind9.mak.in
new file mode 100644
index 0000000..3c27e4d
--- /dev/null
+++ b/lib/bind9/win32/libbind9.mak.in
@@ -0,0 +1,452 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libbind9.dsp
+!IF "$(CFG)" == ""
+CFG=libbind9 - @PLATFORM@ Release
+!MESSAGE No configuration specified. Defaulting to libbind9 - @PLATFORM@ Release.
+!ENDIF 
+
+!IF "$(CFG)" != "libbind9 - @PLATFORM@ Release" && "$(CFG)" != "libbind9 - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libbind9.mak" CFG="libbind9 - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libbind9 - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libbind9 - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libbind9.dll"
+
+!ELSE 
+
+ALL : "libisccfg - @PLATFORM@ Release" "libisc - @PLATFORM@ Release" "libdns - @PLATFORM@ Release" "..\..\..\Build\Release\libbind9.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - @PLATFORM@ ReleaseCLEAN" "libisc - @PLATFORM@ ReleaseCLEAN" "libisccfg - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\getaddresses.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libbind9.exp"
+	-@erase "$(OUTDIR)\libbind9.lib"
+	-@erase "..\..\..\Build\Release\libbind9.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "../../../lib/dns/win32/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libbind9.pdb" @MACHINE@ /def:".\libbind9.def" /out:"../../../Build/Release/libbind9.dll" /implib:"$(OUTDIR)\libbind9.lib" 
+DEF_FILE= \
+	".\libbind9.def"
+LINK32_OBJS= \
+	"$(INTDIR)\check.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\getaddresses.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Release\libdns.lib" \
+	"..\..\isc\win32\Release\libisc.lib" \
+	"..\..\isccfg\win32\Release\libisccfg.lib"
+
+"..\..\..\Build\Release\libbind9.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libbind9.dll" "$(OUTDIR)\libbind9.bsc"
+
+!ELSE 
+
+ALL : "libisccfg - @PLATFORM@ Debug" "libisc - @PLATFORM@ Debug" "libdns - @PLATFORM@ Debug" "..\..\..\Build\Debug\libbind9.dll" "$(OUTDIR)\libbind9.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - @PLATFORM@ DebugCLEAN" "libisc - @PLATFORM@ DebugCLEAN" "libisccfg - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\check.obj"
+	-@erase "$(INTDIR)\check.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\getaddresses.obj"
+	-@erase "$(INTDIR)\getaddresses.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libbind9.bsc"
+	-@erase "$(OUTDIR)\libbind9.exp"
+	-@erase "$(OUTDIR)\libbind9.lib"
+	-@erase "$(OUTDIR)\libbind9.pdb"
+	-@erase "..\..\..\Build\Debug\libbind9.dll"
+	-@erase "..\..\..\Build\Debug\libbind9.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "../../../lib/isccfg/include" /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBBIND9_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libbind9.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libbind9.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\check.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\getaddresses.sbr" \
+	"$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libbind9.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libbind9.pdb" /debug @MACHINE@ /def:".\libbind9.def" /out:"../../../Build/Debug/libbind9.dll" /implib:"$(OUTDIR)\libbind9.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libbind9.def"
+LINK32_OBJS= \
+	"$(INTDIR)\check.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\getaddresses.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Debug\libdns.lib" \
+	"..\..\isc\win32\Debug\libisc.lib" \
+	"..\..\isccfg\win32\Debug\libisccfg.lib"
+
+"..\..\..\Build\Debug\libbind9.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libbind9.dep")
+!INCLUDE "libbind9.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libbind9.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libbind9 - @PLATFORM@ Release" || "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+SOURCE=..\check.c
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\check.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\check.obj"	"$(INTDIR)\check.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\getaddresses.c
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getaddresses.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getaddresses.obj"	"$(INTDIR)\getaddresses.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+"libdns - @PLATFORM@ Release" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" 
+   cd "..\..\bind9\win32"
+
+"libdns - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+"libdns - @PLATFORM@ Debug" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" 
+   cd "..\..\bind9\win32"
+
+"libdns - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+"libisc - @PLATFORM@ Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" 
+   cd "..\..\bind9\win32"
+
+"libisc - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+"libisc - @PLATFORM@ Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" 
+   cd "..\..\bind9\win32"
+
+"libisc - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libbind9 - @PLATFORM@ Release"
+
+"libisccfg - @PLATFORM@ Release" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Release" 
+   cd "..\..\bind9\win32"
+
+"libisccfg - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ELSEIF  "$(CFG)" == "libbind9 - @PLATFORM@ Debug"
+
+"libisccfg - @PLATFORM@ Debug" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug" 
+   cd "..\..\bind9\win32"
+
+"libisccfg - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\bind9\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/bind9/win32/libbind9.vcxproj.filters.in b/lib/bind9/win32/libbind9.vcxproj.filters.in
new file mode 100644
index 0000000..4e28330
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.filters.in
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libbind9.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\check.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getaddresses.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\bind9\check.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\bind9\getaddresses.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\bind9\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/bind9/win32/libbind9.vcxproj.in b/lib/bind9/win32/libbind9.vcxproj.in
new file mode 100644
index 0000000..c1a815b
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.in
@@ -0,0 +1,125 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{E741C10B-B075-4206-9596-46765B665E03}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libbind9</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>../../isc/win32/$(Configuration);../../dns/win32/$(Configuration);../../isccfg/win32/$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libbind9.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBBIND9_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>./;../../../;include;../include;../../isc/win32;../../isc/win32/include;../../isc/include;../../isccfg/include;../../dns/include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>../../isc/win32/$(Configuration);../../dns/win32/$(Configuration);../../isccfg/win32/$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libbind9.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libbind9.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\check.c" />
+    <ClCompile Include="..\getaddresses.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\bind9\check.h" />
+    <ClInclude Include="..\include\bind9\getaddresses.h" />
+    <ClInclude Include="..\include\bind9\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/bind9/win32/libbind9.vcxproj.user b/lib/bind9/win32/libbind9.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/bind9/win32/libbind9.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/bind9/win32/version.c b/lib/bind9/win32/version.c
new file mode 100644
index 0000000..68ce992
--- /dev/null
+++ b/lib/bind9/win32/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <bind9/version.h>
+
+LIBBIND9_EXTERNAL_DATA const char bind9_version[] = VERSION;
+
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_libinterface = LIBINTERFACE;
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_librevision = LIBREVISION;
+LIBBIND9_EXTERNAL_DATA const unsigned int bind9_libage = LIBAGE;
diff --git a/lib/dns/Atffile b/lib/dns/Atffile
new file mode 100644
index 0000000..1edb838
--- /dev/null
+++ b/lib/dns/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: tests
diff --git a/lib/dns/Kyuafile b/lib/dns/Kyuafile
new file mode 100644
index 0000000..0739e3a
--- /dev/null
+++ b/lib/dns/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
new file mode 100644
index 0000000..4a8549e
--- /dev/null
+++ b/lib/dns/Makefile.in
@@ -0,0 +1,227 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+@BIND9_MAJOR@
+
+@LIBDNS_MAPAPI@
+
+@LIBDNS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+
+CINCLUDES =	-I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
+		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+CDEFINES =	-DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+
+LIBS =		@LIBS@
+
+# Alphabetically
+
+OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
+OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
+OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
+OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+		  @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
+		  @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
+
+PKCS11LINKOBJS	= pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
+		pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
+		pkcs11gost_link.@O@ pkcs11.@O@
+
+DSTOBJS =	@DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
+		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@
+
+GEOIPLINKOBJS = geoip.@O@
+
+DNSTAPOBJS = dnstap.@O@ dnstap.pb-c.@O@
+
+# Alphabetically
+DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
+		cache.@O@ callbacks.@O@ catz.@O@ clientinfo.@O@ compress.@O@ \
+		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
+		dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dyndb.@O@ \
+		fixedname.@O@ forward.@O@ \
+		ipkeylist.@O@ iptable.@O@ journal.@O@ keydata.@O@ \
+		keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
+		master.@O@ masterdump.@O@ message.@O@ \
+		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ nta.@O@ \
+		order.@O@ peer.@O@ portlist.@O@ private.@O@ \
+		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
+		rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \
+		request.@O@ resolver.@O@ result.@O@ rootns.@O@ \
+		rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \
+		sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \
+		stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
+		tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \
+		version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
+PORTDNSOBJS =	client.@O@ ecdb.@O@
+
+OBJS=		@DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
+		${PORTDNSOBJS} @GEOIPLINKOBJS@
+
+
+# Alphabetically
+OPENSSLGOSTLINKSRCS = opensslgost_link.c
+OPENSSLECDSALINKSRCS = opensslecdsa_link.c
+OPENSSLEDDSALINKSRCS = openssleddsa_link.c
+OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
+		  @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
+		  @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
+
+PKCS11LINKSRCS	= pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
+		pkcs11ecdsa_link.c pkcs11eddsa_link.c \
+		pkcs11gost_link.c pkcs11.c
+
+DSTSRCS =	@DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
+		dst_api.c dst_lib.c dst_parse.c \
+		dst_result.c gssapi_link.c gssapictx.c \
+		hmac_link.c key.c
+
+GEOIPLINKSRCS = geoip.c
+
+DNSTAPSRCS = dnstap.c dnstap.pb-c.c
+
+DNSSRCS =	acache.c acl.c adb.c badcache. byaddr.c \
+		cache.c callbacks.c clientinfo.c compress.c \
+		db.c dbiterator.c dbtable.c diff.c dispatch.c \
+		dlz.c dns64.c dnssec.c ds.c dyndb.c fixedname.c forward.c \
+		ipkeylist.c iptable.c journal.c keydata.c keytable.c lib.c \
+		log.c lookup.c master.c masterdump.c message.c \
+		name.c ncache.c nsec.c nsec3.c nta.c \
+		order.c peer.c portlist.c \
+		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
+		rdataset.c rdatasetiter.c rdataslab.c request.c \
+		resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
+		sdb.c sdlz.c soa.c ssu.c ssu_external.c \
+		stats.c tcpmsg.c time.c timer.c tkey.c \
+		tsec.c tsig.c ttl.c update.c validator.c \
+		version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
+PORTDNSSRCS =	client.c ecdb.c
+
+SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @DNSTAPSRCS@ @GEOIPLINKSRCS@
+
+SUBDIRS =	include
+TARGETS =	timestamp
+TESTDIRS =	@UNITTESTS@
+
+DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
+		-s ${srcdir} -d >> Makefile ;
+
+@BIND9_MAKE_RULES@
+
+PROTOC_C = @PROTOC_C@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DMAJOR=\"${MAJOR}\" \
+		-DMAPAPI=\"${MAPAPI}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libdns.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libdns.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+include: gen
+	${MAKE} include/dns/enumtype.h
+	${MAKE} include/dns/enumclass.h
+	${MAKE} include/dns/rdatastruct.h
+	${MAKE} code.h
+
+include/dns/enumtype.h: gen
+	./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/enumclass.h: gen
+	./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/rdatastruct.h: gen \
+		${srcdir}/rdata/rdatastructpre.h \
+		${srcdir}/rdata/rdatastructsuf.h
+	./gen -s ${srcdir} -i \
+		-P ${srcdir}/rdata/rdatastructpre.h \
+		-S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
+	{ rm -f $@ ; exit 1; }
+
+code.h:	gen
+	./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+
+gen: gen.c
+	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+timestamp: include libdns.@A@
+	touch timestamp
+
+testdirs: libdns.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
+
+clean distclean::
+	rm -f libdns.@A@ timestamp
+	rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+	rm -f dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h
+
+newrr::
+	rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
+	rm -f include/dns/rdatastruct.h
+
+rdata.@O@: include
+
+rbtdb64.@O@: rbtdb64.c rbtdb.c
+
+depend: include
+subdirs: include
+${OBJS}: include
+
+# dnstap
+dnstap.@O@: dnstap.c dnstap.pb-c.c
+
+dnstap.pb-c.c dnstap.pb-c.h include/dns/dnstap.pb-c.h: dnstap.proto
+	$(PROTOC_C) --c_out=. dnstap.proto
+	cp -f dnstap.pb-c.h include/dns
+
+dnstap.pb-c.@O@: dnstap.pb-c.c
+
+spnego.@O@: spnego_asn1.c spnego.h
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
new file mode 100644
index 0000000..4e5fd40
--- /dev/null
+++ b/lib/dns/acache.c
@@ -0,0 +1,1821 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: acache.c,v 1.22 2008/02/07 23:46:54 tbox Exp $ */
+
+#include <config.h>
+
+#include <isc/atomic.h>
+#include <isc/event.h>
+#include <isc/hash.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acache.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#endif
+
+#define ACACHE_MAGIC			ISC_MAGIC('A', 'C', 'H', 'E')
+#define DNS_ACACHE_VALID(acache)	ISC_MAGIC_VALID(acache, ACACHE_MAGIC)
+
+#define ACACHEENTRY_MAGIC		ISC_MAGIC('A', 'C', 'E', 'T')
+#define DNS_ACACHEENTRY_VALID(entry)	ISC_MAGIC_VALID(entry, ACACHEENTRY_MAGIC)
+
+#define DBBUCKETS	67
+
+#if 0
+#define ATRACE(m)       isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_DATABASE, \
+				      DNS_LOGMODULE_ACACHE, \
+				      ISC_LOG_DEBUG(3), \
+				      "acache %p: %s", acache, (m))
+#define AATRACE(a,m)    isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_DATABASE, \
+				      DNS_LOGMODULE_ACACHE, \
+				      ISC_LOG_DEBUG(3), \
+				      "acache %p: %s", (a), (m))
+#else
+#define ATRACE(m)
+#define AATRACE(a, m)
+#endif
+
+/*
+ * The following variables control incremental cleaning.
+ * MINSIZE is how many bytes is the floor for dns_acache_setcachesize().
+ * CLEANERINCREMENT is how many entries are examined in one pass.
+ * (XXX simply derived from definitions in cache.c  There may be better
+ *  constants here.)
+ */
+#define DNS_ACACHE_MINSIZE 		2097152U /* Bytes.  2097152 = 2 MB */
+#define DNS_ACACHE_CLEANERINCREMENT	1000	 /* Number of entries. */
+
+#define DEFAULT_ACACHE_ENTRY_LOCK_COUNT	1009	 /*%< Should be prime. */
+
+#if defined(ISC_RWLOCK_USEATOMIC) &&					\
+	((defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE)) || \
+	 defined(ISC_PLATFORM_HAVEATOMICSTORE))
+#define ACACHE_USE_RWLOCK 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE))
+#define ACACHE_HAVESTDATOMIC 1
+#endif
+#endif
+
+#ifdef ACACHE_USE_RWLOCK
+#define ACACHE_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define ACACHE_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define ACACHE_LOCK(l, t)	RWLOCK((l), (t))
+#define ACACHE_UNLOCK(l, t)	RWUNLOCK((l), (t))
+
+#ifdef ACACHE_HAVESTDATOMIC
+#define acache_storetime(entry, t) \
+	atomic_store_explicit(&(entry)->lastused, (t), \
+			      memory_order_relaxed);
+#else
+#define acache_storetime(entry, t) \
+	(isc_atomic_store((int32_t *)&(entry)->lastused, (t)))
+#endif
+
+#else
+#define ACACHE_INITLOCK(l)	isc_mutex_init(l)
+#define ACACHE_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define ACACHE_LOCK(l, t)	LOCK(l)
+#define ACACHE_UNLOCK(l, t)	UNLOCK(l)
+
+#define acache_storetime(entry, t) ((entry)->lastused = (t))
+#endif
+
+/* Locked by acache lock */
+typedef struct dbentry {
+	ISC_LINK(struct dbentry)	link;
+
+	dns_db_t			*db;
+	ISC_LIST(dns_acacheentry_t)	originlist;
+	ISC_LIST(dns_acacheentry_t)	referlist;
+} dbentry_t;
+
+typedef ISC_LIST(dbentry_t) dbentrylist_t;
+
+typedef struct acache_cleaner acache_cleaner_t;
+
+typedef enum {
+	cleaner_s_idle,	/* Waiting for cleaning-interval to expire. */
+	cleaner_s_busy,	/* Currently cleaning. */
+	cleaner_s_done  /* Freed enough memory after being overmem. */
+} cleaner_state_t;
+
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
+#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
+			 (c)->resched_event != NULL)
+#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
+			 (c)->resched_event == NULL)
+
+struct acache_cleaner {
+	isc_mutex_t		lock;
+	/*
+	 * Locks overmem_event, overmem.  (See cache.c)
+	 */
+
+	dns_acache_t		*acache;
+	unsigned int		cleaning_interval; /* The cleaning-interval
+						      from named.conf,
+						      in seconds. */
+
+	isc_stdtime_t		last_cleanup_time; /* The time when the last
+						      cleanup task completed */
+
+	isc_timer_t 		*cleaning_timer;
+	isc_event_t		*resched_event;	/* Sent by cleaner task to
+						   itself to reschedule */
+	isc_event_t		*overmem_event;
+
+	dns_acacheentry_t	*current_entry;	/* The bookmark entry to
+						   restart the cleaning.
+						   Locked by acache lock. */
+	int 		 	increment;	/* Number of entries to
+						   clean in one increment */
+
+	unsigned long		ncleaned;	/* Number of entries cleaned
+						   up (for logging purposes) */
+	cleaner_state_t  	state;		/* Idle/Busy/Done. */
+	bool	 	overmem;	/* The acache is in an overmem
+						   state. */
+};
+
+struct dns_acachestats {
+	unsigned int			hits;
+	unsigned int			queries;
+	unsigned int			misses;
+	unsigned int			adds;
+	unsigned int			deleted;
+	unsigned int			cleaned;
+	unsigned int			cleaner_runs;
+	unsigned int			overmem;
+	unsigned int			overmem_nocreates;
+	unsigned int			nomem;
+};
+
+/*
+ * The actual acache object.
+ */
+
+struct dns_acache {
+	unsigned int			magic;
+
+	isc_mem_t			*mctx;
+	isc_refcount_t			refs;
+
+#ifdef ACACHE_USE_RWLOCK
+	isc_rwlock_t 			*entrylocks;
+#else
+	isc_mutex_t 			*entrylocks;
+#endif
+
+	isc_mutex_t			lock;
+
+	int				live_cleaners;
+	acache_cleaner_t		cleaner;
+	ISC_LIST(dns_acacheentry_t)	entries;
+	unsigned int			dbentries;
+	dbentrylist_t			dbbucket[DBBUCKETS];
+
+	bool			shutting_down;
+
+	isc_task_t 			*task;
+	isc_event_t			cevent;
+	bool			cevent_sent;
+
+	dns_acachestats_t		stats;
+};
+
+struct dns_acacheentry {
+	unsigned int 		magic;
+
+	unsigned int		locknum;
+	isc_refcount_t 		references;
+
+	dns_acache_t 		*acache;
+
+	/* Data for Management of cache entries */
+	ISC_LINK(dns_acacheentry_t) link;
+	ISC_LINK(dns_acacheentry_t) olink;
+	ISC_LINK(dns_acacheentry_t) rlink;
+
+	dns_db_t 		*origdb; /* reference to the DB
+					    holding this entry */
+
+	/* Cache data */
+	dns_zone_t 		*zone;		/* zone this entry
+						   belongs to */
+	dns_db_t		*db;   		/* DB this entry belongs to */
+	dns_dbversion_t		*version;	/* the version of the DB */
+	dns_dbnode_t 		*node;		/* node this entry
+						   belongs to */
+	dns_name_t 		*foundname;	/* corresponding DNS name
+						   and rdataset */
+
+	/* Callback function and its argument */
+	void 			(*callback)(dns_acacheentry_t *, void **);
+	void 			*cbarg;
+
+	/* Timestamp of the last time this entry is referred to */
+#ifdef ACACHE_HAVESTDATOMIC
+	atomic_uint_fast32_t	lastused;
+#else
+	isc_stdtime32_t		lastused;
+#endif
+};
+
+/*
+ *	Internal functions (and prototypes).
+ */
+static inline bool check_noentry(dns_acache_t *acache);
+static void destroy(dns_acache_t *acache);
+static void shutdown_entries(dns_acache_t *acache);
+static void shutdown_buckets(dns_acache_t *acache);
+static void destroy_entry(dns_acacheentry_t *ent);
+static inline void unlink_dbentries(dns_acache_t *acache,
+				    dns_acacheentry_t *ent);
+static inline isc_result_t finddbent(dns_acache_t *acache,
+				     dns_db_t *db, dbentry_t **dbentryp);
+static inline void clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry);
+static isc_result_t acache_cleaner_init(dns_acache_t *acache,
+					isc_timermgr_t *timermgr,
+					acache_cleaner_t *cleaner);
+static void acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event);
+static void acache_incremental_cleaning_action(isc_task_t *task,
+					       isc_event_t *event);
+static void acache_overmem_cleaning_action(isc_task_t *task,
+					   isc_event_t *event);
+static void acache_cleaner_shutdown_action(isc_task_t *task,
+					   isc_event_t *event);
+
+/*
+ * acache should be locked.  If it is not, the stats can get out of whack,
+ * which is not a big deal for us since this is for debugging / stats
+ */
+static void
+reset_stats(dns_acache_t *acache) {
+	acache->stats.hits = 0;
+	acache->stats.queries = 0;
+	acache->stats.misses = 0;
+	acache->stats.adds = 0;
+	acache->stats.deleted = 0;
+	acache->stats.cleaned = 0;
+	acache->stats.overmem = 0;
+	acache->stats.overmem_nocreates = 0;
+	acache->stats.nomem = 0;
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static inline bool
+check_noentry(dns_acache_t *acache) {
+	if (ISC_LIST_EMPTY(acache->entries) && acache->dbentries == 0) {
+		return (true);
+	}
+
+	return (false);
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static void
+shutdown_entries(dns_acache_t *acache) {
+	dns_acacheentry_t *entry, *entry_next;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	INSIST(acache->shutting_down);
+
+	/*
+	 * Release the dependency of all entries, and detach them.
+	 */
+	for (entry = ISC_LIST_HEAD(acache->entries);
+	     entry != NULL;
+	     entry = entry_next) {
+		entry_next = ISC_LIST_NEXT(entry, link);
+
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		/*
+		 * If the cleaner holds this entry, it will be unlinked and
+		 * freed in the cleaner later.
+		 */
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+		if (entry->callback != NULL) {
+			(entry->callback)(entry, &entry->cbarg);
+			entry->callback = NULL;
+		}
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+}
+
+/*
+ * The acache must be locked before calling.
+ */
+static void
+shutdown_buckets(dns_acache_t *acache) {
+	int i;
+	dbentry_t *dbent;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	INSIST(acache->shutting_down);
+
+	for (i = 0; i < DBBUCKETS; i++) {
+		while ((dbent = ISC_LIST_HEAD(acache->dbbucket[i])) != NULL) {
+			INSIST(ISC_LIST_EMPTY(dbent->originlist) &&
+			       ISC_LIST_EMPTY(dbent->referlist));
+			ISC_LIST_UNLINK(acache->dbbucket[i], dbent, link);
+
+			dns_db_detach(&dbent->db);
+
+			isc_mem_put(acache->mctx, dbent, sizeof(*dbent));
+
+			acache->dbentries--;
+		}
+	}
+
+	INSIST(acache->dbentries == 0);
+}
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
+	dns_acache_t *acache;
+
+	UNUSED(task);
+
+	acache = ev->ev_arg;
+	INSIST(DNS_ACACHE_VALID(acache));
+
+	isc_event_free(&ev);
+
+	LOCK(&acache->lock);
+
+	shutdown_entries(acache);
+	shutdown_buckets(acache);
+
+	UNLOCK(&acache->lock);
+
+	dns_acache_detach(&acache);
+}
+
+/* The acache and the entry must be locked before calling. */
+static inline void
+unlink_dbentries(dns_acache_t *acache, dns_acacheentry_t *ent) {
+	isc_result_t result;
+	dbentry_t *dbent;
+
+	if (ISC_LINK_LINKED(ent, olink)) {
+		INSIST(ent->origdb != NULL);
+		dbent = NULL;
+		result = finddbent(acache, ent->origdb, &dbent);
+		INSIST(result == ISC_R_SUCCESS);
+
+		ISC_LIST_UNLINK(dbent->originlist, ent, olink);
+	}
+	if (ISC_LINK_LINKED(ent, rlink)) {
+		INSIST(ent->db != NULL);
+		dbent = NULL;
+		result = finddbent(acache, ent->db, &dbent);
+		INSIST(result == ISC_R_SUCCESS);
+
+		ISC_LIST_UNLINK(dbent->referlist, ent, rlink);
+	}
+}
+
+/* There must not be a reference to this entry. */
+static void
+destroy_entry(dns_acacheentry_t *entry) {
+	dns_acache_t *acache;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	acache = entry->acache;
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	/*
+	 * Since there is no reference to this entry, it is safe to call
+	 * clear_entry() here.
+	 */
+	clear_entry(acache, entry);
+
+	isc_mem_put(acache->mctx, entry, sizeof(*entry));
+
+	dns_acache_detach(&acache);
+}
+
+static void
+destroy(dns_acache_t *acache) {
+	int i;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	ATRACE("destroy");
+
+	isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
+
+	if (acache->cleaner.overmem_event != NULL)
+		isc_event_free(&acache->cleaner.overmem_event);
+
+	if (acache->cleaner.resched_event != NULL)
+		isc_event_free(&acache->cleaner.resched_event);
+
+	if (acache->task != NULL)
+		isc_task_detach(&acache->task);
+
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+		ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+	isc_mem_put(acache->mctx, acache->entrylocks,
+		    sizeof(*acache->entrylocks) *
+		    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+
+	DESTROYLOCK(&acache->cleaner.lock);
+
+	DESTROYLOCK(&acache->lock);
+	acache->magic = 0;
+
+	isc_mem_putanddetach(&acache->mctx, acache, sizeof(*acache));
+}
+
+static inline isc_result_t
+finddbent(dns_acache_t *acache, dns_db_t *db, dbentry_t **dbentryp) {
+	int bucket;
+	dbentry_t *dbentry;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+	REQUIRE(dbentryp != NULL && *dbentryp == NULL);
+
+	/*
+	 * The caller must be holding the acache lock.
+	 */
+
+	bucket = isc_hash_function(&db, sizeof(db), true, NULL) % DBBUCKETS;
+
+	for (dbentry = ISC_LIST_HEAD(acache->dbbucket[bucket]);
+	     dbentry != NULL;
+	     dbentry = ISC_LIST_NEXT(dbentry, link)) {
+		if (dbentry->db == db)
+			break;
+	}
+
+	*dbentryp = dbentry;
+
+	if (dbentry == NULL)
+		return (ISC_R_NOTFOUND);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static inline void
+clear_entry(dns_acache_t *acache, dns_acacheentry_t *entry) {
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	/*
+	 * The caller must be holing the entry lock.
+	 */
+
+	if (entry->foundname) {
+		dns_rdataset_t *rdataset, *rdataset_next;
+
+		for (rdataset = ISC_LIST_HEAD(entry->foundname->list);
+		     rdataset != NULL;
+		     rdataset = rdataset_next) {
+			rdataset_next = ISC_LIST_NEXT(rdataset, link);
+			ISC_LIST_UNLINK(entry->foundname->list,
+					rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(acache->mctx, rdataset, sizeof(*rdataset));
+		}
+		if (dns_name_dynamic(entry->foundname))
+			dns_name_free(entry->foundname, acache->mctx);
+		isc_mem_put(acache->mctx, entry->foundname,
+			    sizeof(*entry->foundname));
+		entry->foundname = NULL;
+	}
+
+	if (entry->node != NULL) {
+		INSIST(entry->db != NULL);
+		dns_db_detachnode(entry->db, &entry->node);
+	}
+	if (entry->version != NULL) {
+		INSIST(entry->db != NULL);
+		dns_db_closeversion(entry->db, &entry->version, false);
+	}
+	if (entry->db != NULL)
+		dns_db_detach(&entry->db);
+	if (entry->zone != NULL)
+		dns_zone_detach(&entry->zone);
+
+	if (entry->origdb != NULL)
+		dns_db_detach(&entry->origdb);
+}
+
+static isc_result_t
+acache_cleaner_init(dns_acache_t *acache, isc_timermgr_t *timermgr,
+		    acache_cleaner_t *cleaner)
+{
+	int result;
+
+	ATRACE("acache cleaner init");
+
+	result = isc_mutex_init(&cleaner->lock);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	cleaner->increment = DNS_ACACHE_CLEANERINCREMENT;
+	cleaner->state = cleaner_s_idle;
+	cleaner->acache = acache;
+	cleaner->overmem = false;
+
+	cleaner->cleaning_timer = NULL;
+	cleaner->resched_event = NULL;
+	cleaner->overmem_event = NULL;
+	cleaner->current_entry = NULL;
+
+	if (timermgr != NULL) {
+		cleaner->acache->live_cleaners++;
+
+		result = isc_task_onshutdown(acache->task,
+					     acache_cleaner_shutdown_action,
+					     acache);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "acache cleaner: "
+					 "isc_task_onshutdown() failed: %s",
+					 dns_result_totext(result));
+			goto cleanup;
+		}
+
+		cleaner->cleaning_interval = 0; /* Initially turned off. */
+		isc_stdtime_get(&cleaner->last_cleanup_time);
+		result = isc_timer_create(timermgr, isc_timertype_inactive,
+					  NULL, NULL,
+					  acache->task,
+					  acache_cleaning_timer_action,
+					  cleaner, &cleaner->cleaning_timer);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_timer_create() failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+
+		cleaner->resched_event =
+			isc_event_allocate(acache->mctx, cleaner,
+					   DNS_EVENT_ACACHECLEAN,
+					   acache_incremental_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->resched_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		cleaner->overmem_event =
+			isc_event_allocate(acache->mctx, cleaner,
+					   DNS_EVENT_ACACHEOVERMEM,
+					   acache_overmem_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->overmem_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (cleaner->overmem_event != NULL)
+		isc_event_free(&cleaner->overmem_event);
+	if (cleaner->resched_event != NULL)
+		isc_event_free(&cleaner->resched_event);
+	if (cleaner->cleaning_timer != NULL)
+		isc_timer_detach(&cleaner->cleaning_timer);
+	cleaner->acache->live_cleaners--;
+	DESTROYLOCK(&cleaner->lock);
+ fail:
+	return (result);
+}
+
+static void
+begin_cleaning(acache_cleaner_t *cleaner) {
+	dns_acacheentry_t *head;
+	dns_acache_t *acache = cleaner->acache;
+
+	/*
+	 * This function does not have to lock the cleaner, since critical
+	 * parameters (except current_entry, which is locked by acache lock,)
+	 * are only used in a single task context.
+	 */
+
+	REQUIRE(CLEANER_IDLE(cleaner));
+	INSIST(DNS_ACACHE_VALID(acache));
+	INSIST(cleaner->current_entry == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
+		      "begin acache cleaning, mem inuse %lu",
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	LOCK(&acache->lock);
+
+	head = ISC_LIST_HEAD(acache->entries);
+	if (head != NULL)
+		dns_acache_attachentry(head, &cleaner->current_entry);
+
+	UNLOCK(&acache->lock);
+
+	if (cleaner->current_entry != NULL) {
+		cleaner->ncleaned = 0;
+		cleaner->state = cleaner_s_busy;
+		isc_task_send(acache->task, &cleaner->resched_event);
+	}
+
+	return;
+}
+
+static void
+end_cleaning(acache_cleaner_t *cleaner, isc_event_t *event) {
+	dns_acache_t *acache = cleaner->acache;
+
+	REQUIRE(CLEANER_BUSY(cleaner));
+	REQUIRE(event != NULL);
+	REQUIRE(DNS_ACACHEENTRY_VALID(cleaner->current_entry));
+
+	/* No need to lock the cleaner (see begin_cleaning()). */
+
+	LOCK(&acache->lock);
+
+	/*
+	 * Even if the cleaner has the last reference to the entry, which means
+	 * the entry has been unused, it may still be linked if unlinking the
+	 * entry has been delayed due to the reference.
+	 */
+	if (isc_refcount_current(&cleaner->current_entry->references) == 1) {
+		INSIST(cleaner->current_entry->callback == NULL);
+
+		if (ISC_LINK_LINKED(cleaner->current_entry, link)) {
+			ISC_LIST_UNLINK(acache->entries,
+					cleaner->current_entry, link);
+		}
+	}
+	dns_acache_detachentry(&cleaner->current_entry);
+
+	if (cleaner->overmem)
+		acache->stats.overmem++;
+	acache->stats.cleaned += cleaner->ncleaned;
+	acache->stats.cleaner_runs++;
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_NOTICE,
+		      "acache %p stats: hits=%d misses=%d queries=%d "
+		      "adds=%d deleted=%d "
+		      "cleaned=%d cleaner_runs=%d overmem=%d "
+		      "overmem_nocreates=%d nomem=%d",
+		      acache,
+		      acache->stats.hits, acache->stats.misses,
+		      acache->stats.queries,
+		      acache->stats.adds, acache->stats.deleted,
+		      acache->stats.cleaned, acache->stats.cleaner_runs,
+		      acache->stats.overmem, acache->stats.overmem_nocreates,
+		      acache->stats.nomem);
+	reset_stats(acache);
+
+	isc_stdtime_get(&cleaner->last_cleanup_time);
+
+	UNLOCK(&acache->lock);
+
+	dns_acache_setcleaninginterval(cleaner->acache,
+				       cleaner->cleaning_interval);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "end acache cleaning, "
+		      "%lu entries cleaned, mem inuse %lu",
+		      cleaner->ncleaned,
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	if (cleaner->overmem) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache is still in overmem state "
+			      "after cleaning");
+	}
+
+	cleaner->ncleaned = 0;
+	cleaner->state = cleaner_s_idle;
+	cleaner->resched_event = event;
+}
+
+/*
+ * This is run once for every acache-cleaning-interval as defined
+ * in named.conf.
+ */
+static void
+acache_cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "acache cleaning timer fired, "
+		      "cleaner state = %d", cleaner->state);
+
+	if (cleaner->state == cleaner_s_idle)
+		begin_cleaning(cleaner);
+
+	isc_event_free(&event);
+}
+
+/* The caller must hold entry lock. */
+static inline bool
+entry_stale(acache_cleaner_t *cleaner, dns_acacheentry_t *entry,
+	    isc_stdtime32_t now32, unsigned int interval)
+{
+	/*
+	 * If the callback has been canceled, we definitely do not need the
+	 * entry.
+	 */
+	if (entry->callback == NULL)
+		return (true);
+
+	if (interval > cleaner->cleaning_interval)
+		interval = cleaner->cleaning_interval;
+
+	if (entry->lastused + interval < now32)
+		return (true);
+
+	/*
+	 * If the acache is in the overmem state, probabilistically decide if
+	 * the entry should be purged, based on the time passed from its last
+	 * use and the cleaning interval.
+	 */
+	if (cleaner->overmem) {
+		unsigned int passed;
+		uint32_t val;
+
+		if (isc_serial_ge(now32, entry->lastused))
+			passed = now32 - entry->lastused; /* <= interval */
+		else
+			passed = 0;
+
+		if (passed > interval / 2)
+			return (true);
+		isc_random_get(&val);
+		if (passed > interval / 4)
+			return (val % 4 == 0);
+		return (val % 8 == 0);
+	}
+
+	return (false);
+}
+
+/*
+ * Do incremental cleaning.
+ */
+static void
+acache_incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+	dns_acache_t *acache = cleaner->acache;
+	dns_acacheentry_t *entry, *next = NULL;
+	int n_entries;
+	isc_stdtime32_t now32, last32;
+	isc_stdtime_t now;
+	unsigned int interval;
+
+	INSIST(DNS_ACACHE_VALID(acache));
+	INSIST(task == acache->task);
+	INSIST(event->ev_type == DNS_EVENT_ACACHECLEAN);
+
+	if (cleaner->state == cleaner_s_done) {
+		cleaner->state = cleaner_s_busy;
+		end_cleaning(cleaner, event);
+		return;
+	}
+
+	INSIST(CLEANER_BUSY(cleaner));
+
+	n_entries = cleaner->increment;
+
+	isc_stdtime_get(&now);
+	isc_stdtime_convert32(now, &now32);
+
+	LOCK(&acache->lock);
+
+	entry = cleaner->current_entry;
+	isc_stdtime_convert32(cleaner->last_cleanup_time, &last32);
+	if (isc_serial_ge(now32, last32))
+		interval = now32 - last32;
+	else
+		interval = 0;
+
+	while (n_entries-- > 0) {
+		bool is_stale = false;
+
+		INSIST(entry != NULL);
+
+		next = ISC_LIST_NEXT(entry, link);
+
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		is_stale = entry_stale(cleaner, entry, now32, interval);
+		if (is_stale) {
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+			unlink_dbentries(acache, entry);
+			if (entry->callback != NULL)
+				(entry->callback)(entry, &entry->cbarg);
+			entry->callback = NULL;
+
+			cleaner->ncleaned++;
+		}
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (is_stale)
+			dns_acache_detachentry(&entry);
+
+		if (next == NULL) {
+			if (cleaner->overmem) {
+				entry = ISC_LIST_HEAD(acache->entries);
+				if (entry != NULL) {
+					/*
+					 * If we are still in the overmem
+					 * state, keep cleaning.  In case we
+					 * exit from the loop immediately after
+					 * this, reset next to the head entry
+					 * as we'll expect it will be never
+					 * NULL.
+					 */
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_ACACHE,
+						      ISC_LOG_DEBUG(1),
+						      "acache cleaner: "
+						      "still overmem, "
+						      "reset and try again");
+					next = entry;
+					continue;
+				}
+			}
+
+			UNLOCK(&acache->lock);
+			end_cleaning(cleaner, event);
+			return;
+		}
+
+		entry = next;
+	}
+
+	/*
+	 * We have successfully performed a cleaning increment but have
+	 * not gone through the entire cache.  Remember the entry that will
+	 * be the starting point in the next clean-up, and reschedule another
+	 * batch.  If it fails, just try to continue anyway.
+	 */
+	INSIST(next != NULL);
+	dns_acache_detachentry(&cleaner->current_entry);
+	dns_acache_attachentry(next, &cleaner->current_entry);
+
+	UNLOCK(&acache->lock);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "acache cleaner: checked %d entries, "
+		      "mem inuse %lu, sleeping", cleaner->increment,
+		      (unsigned long)isc_mem_inuse(cleaner->acache->mctx));
+
+	isc_task_send(task, &event);
+	INSIST(CLEANER_BUSY(cleaner));
+
+	return;
+}
+
+/*
+ * This is called when the acache either surpasses its upper limit
+ * or shrinks beyond its lower limit.
+ */
+static void
+acache_overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	acache_cleaner_t *cleaner = event->ev_arg;
+	bool want_cleaning = false;
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == DNS_EVENT_ACACHEOVERMEM);
+	INSIST(cleaner->overmem_event == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ACACHE,
+		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
+		      "overmem = %d, state = %d", cleaner->overmem,
+		      cleaner->state);
+
+	LOCK(&cleaner->lock);
+
+	if (cleaner->overmem) {
+		if (cleaner->state == cleaner_s_idle)
+			want_cleaning = true;
+	} else {
+		if (cleaner->state == cleaner_s_busy)
+			/*
+			 * end_cleaning() can't be called here because
+			 * then both cleaner->overmem_event and
+			 * cleaner->resched_event will point to this
+			 * event.  Set the state to done, and then
+			 * when the acache_incremental_cleaning_action() event
+			 * is posted, it will handle the end_cleaning.
+			 */
+			cleaner->state = cleaner_s_done;
+	}
+
+	cleaner->overmem_event = event;
+
+	UNLOCK(&cleaner->lock);
+
+	if (want_cleaning)
+		begin_cleaning(cleaner);
+}
+
+static void
+water(void *arg, int mark) {
+	dns_acache_t *acache = arg;
+	bool overmem = (mark == ISC_MEM_HIWATER);
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_ACACHE, ISC_LOG_DEBUG(1),
+		      "acache memory reaches %s watermark, mem inuse %lu",
+		      overmem ? "high" : "low",
+		      (unsigned long)isc_mem_inuse(acache->mctx));
+
+	LOCK(&acache->cleaner.lock);
+
+	if (acache->cleaner.overmem != overmem) {
+		acache->cleaner.overmem = overmem;
+
+		if (acache->cleaner.overmem_event != NULL)
+			isc_task_send(acache->task,
+				      &acache->cleaner.overmem_event);
+		isc_mem_waterack(acache->mctx, mark);
+	}
+
+	UNLOCK(&acache->cleaner.lock);
+}
+
+/*
+ * The cleaner task is shutting down; do the necessary cleanup.
+ */
+static void
+acache_cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
+	dns_acache_t *acache = event->ev_arg;
+	bool should_free = false;
+
+	INSIST(task == acache->task);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+	INSIST(DNS_ACACHE_VALID(acache));
+
+	ATRACE("acache cleaner shutdown");
+
+	if (CLEANER_BUSY(&acache->cleaner))
+		end_cleaning(&acache->cleaner, event);
+	else
+		isc_event_free(&event);
+
+	LOCK(&acache->lock);
+
+	acache->live_cleaners--;
+	INSIST(acache->live_cleaners == 0);
+
+	if (isc_refcount_current(&acache->refs) == 0) {
+		INSIST(check_noentry(acache) == true);
+		should_free = true;
+	}
+
+	/*
+	 * By detaching the timer in the context of its task,
+	 * we are guaranteed that there will be no further timer
+	 * events.
+	 */
+	if (acache->cleaner.cleaning_timer != NULL)
+		isc_timer_detach(&acache->cleaner.cleaning_timer);
+
+	/* Make sure we don't reschedule anymore. */
+	(void)isc_task_purge(task, NULL, DNS_EVENT_ACACHECLEAN, NULL);
+
+	UNLOCK(&acache->lock);
+
+	if (should_free)
+		destroy(acache);
+}
+
+/*
+ *	Public functions.
+ */
+
+isc_result_t
+dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
+		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr)
+{
+	int i;
+	isc_result_t result;
+	dns_acache_t *acache;
+
+	REQUIRE(acachep != NULL && *acachep == NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(taskmgr != NULL);
+
+	acache = isc_mem_get(mctx, sizeof(*acache));
+	if (acache == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ATRACE("create");
+
+	result = isc_refcount_init(&acache->refs, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acache, sizeof(*acache));
+		return (result);
+	}
+
+	result = isc_mutex_init(&acache->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrement(&acache->refs, NULL);
+		isc_refcount_destroy(&acache->refs);
+		isc_mem_put(mctx, acache, sizeof(*acache));
+		return (result);
+	}
+
+	acache->mctx = NULL;
+	isc_mem_attach(mctx, &acache->mctx);
+	ISC_LIST_INIT(acache->entries);
+
+	acache->shutting_down = false;
+
+	acache->task = NULL;
+	acache->entrylocks = NULL;
+
+	result = isc_task_create(taskmgr, 1, &acache->task);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_task_create() failed(): %s",
+				 dns_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+	isc_task_setname(acache->task, "acachetask", acache);
+	ISC_EVENT_INIT(&acache->cevent, sizeof(acache->cevent), 0, NULL,
+		       DNS_EVENT_ACACHECONTROL, shutdown_task, NULL,
+		       NULL, NULL, NULL);
+	acache->cevent_sent = false;
+
+	acache->dbentries = 0;
+	for (i = 0; i < DBBUCKETS; i++)
+		ISC_LIST_INIT(acache->dbbucket[i]);
+
+	acache->entrylocks = isc_mem_get(mctx, sizeof(*acache->entrylocks) *
+					 DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	if (acache->entrylocks == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++) {
+		result = ACACHE_INITLOCK(&acache->entrylocks[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (i-- > 0)
+				ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+			isc_mem_put(mctx, acache->entrylocks,
+				    sizeof(*acache->entrylocks) *
+				    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+			acache->entrylocks = NULL;
+			goto cleanup;
+		}
+	}
+
+	acache->live_cleaners = 0;
+	result = acache_cleaner_init(acache, timermgr, &acache->cleaner);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	acache->stats.cleaner_runs = 0;
+	reset_stats(acache);
+
+	acache->magic = ACACHE_MAGIC;
+
+	*acachep = acache;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (acache->task != NULL)
+		isc_task_detach(&acache->task);
+	DESTROYLOCK(&acache->lock);
+	isc_refcount_decrement(&acache->refs, NULL);
+	isc_refcount_destroy(&acache->refs);
+	if (acache->entrylocks != NULL) {
+		for (i = 0; i < DEFAULT_ACACHE_ENTRY_LOCK_COUNT; i++)
+			ACACHE_DESTROYLOCK(&acache->entrylocks[i]);
+		isc_mem_put(mctx, acache->entrylocks,
+			    sizeof(*acache->entrylocks) *
+			    DEFAULT_ACACHE_ENTRY_LOCK_COUNT);
+	}
+	isc_mem_put(mctx, acache, sizeof(*acache));
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+void
+dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp) {
+	REQUIRE(DNS_ACACHE_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	AATRACE(source, "attach");
+
+	isc_refcount_increment(&source->refs, NULL);
+
+	*targetp = source;
+}
+
+void
+dns_acache_countquerymiss(dns_acache_t *acache) {
+	acache->stats.misses++; 	/* XXXSK danger: unlocked! */
+	acache->stats.queries++;	/* XXXSK danger: unlocked! */
+}
+
+void
+dns_acache_detach(dns_acache_t **acachep) {
+	dns_acache_t *acache;
+	unsigned int refs;
+	bool should_free = false;
+
+	REQUIRE(acachep != NULL && DNS_ACACHE_VALID(*acachep));
+	acache = *acachep;
+
+	ATRACE("detach");
+
+	isc_refcount_decrement(&acache->refs, &refs);
+	if (refs == 0) {
+		INSIST(check_noentry(acache) == true);
+		should_free = true;
+	}
+
+	*acachep = NULL;
+
+	/*
+	 * If we're exiting and the cleaner task exists, let it free the cache.
+	 */
+	if (should_free && acache->live_cleaners > 0) {
+		isc_task_shutdown(acache->task);
+		should_free = false;
+	}
+
+	if (should_free)
+		destroy(acache);
+}
+
+void
+dns_acache_shutdown(dns_acache_t *acache) {
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	LOCK(&acache->lock);
+
+	ATRACE("shutdown");
+
+	if (!acache->shutting_down) {
+		isc_event_t *event;
+		dns_acache_t *acache_evarg = NULL;
+
+		INSIST(!acache->cevent_sent);
+
+		acache->shutting_down = true;
+
+		isc_mem_setwater(acache->mctx, NULL, NULL, 0, 0);
+
+		/*
+		 * Self attach the object in order to prevent it from being
+		 * destroyed while waiting for the event.
+		 */
+		dns_acache_attach(acache, &acache_evarg);
+		event = &acache->cevent;
+		event->ev_arg = acache_evarg;
+		isc_task_send(acache->task, &event);
+		acache->cevent_sent = true;
+	}
+
+	UNLOCK(&acache->lock);
+}
+
+isc_result_t
+dns_acache_setdb(dns_acache_t *acache, dns_db_t *db) {
+	int bucket;
+	dbentry_t *dbentry;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+
+	ATRACE("setdb");
+
+	LOCK(&acache->lock);
+
+	dbentry = NULL;
+	result = finddbent(acache, db, &dbentry);
+	if (result == ISC_R_SUCCESS) {
+		result = ISC_R_EXISTS;
+		goto end;
+	}
+	result = ISC_R_SUCCESS;
+
+	dbentry = isc_mem_get(acache->mctx, sizeof(*dbentry));
+	if (dbentry == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto end;
+	}
+
+	ISC_LINK_INIT(dbentry, link);
+	ISC_LIST_INIT(dbentry->originlist);
+	ISC_LIST_INIT(dbentry->referlist);
+
+	dbentry->db = NULL;
+	dns_db_attach(db, &dbentry->db);
+
+	bucket = isc_hash_function(&db, sizeof(db), true, NULL) % DBBUCKETS;
+
+	ISC_LIST_APPEND(acache->dbbucket[bucket], dbentry, link);
+
+	acache->dbentries++;
+
+ end:
+	UNLOCK(&acache->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_acache_putdb(dns_acache_t *acache, dns_db_t *db) {
+	int bucket;
+	isc_result_t result;
+	dbentry_t *dbentry;
+	dns_acacheentry_t *entry;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(db != NULL);
+
+	ATRACE("putdb");
+
+	LOCK(&acache->lock);
+
+	dbentry = NULL;
+	result = finddbent(acache, db, &dbentry);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * The entry may have not been created due to memory shortage.
+		 */
+		UNLOCK(&acache->lock);
+		return (ISC_R_NOTFOUND);
+	}
+
+	/*
+	 * Release corresponding cache entries: for each entry, release all
+	 * links the entry has, and then callback to the entry holder (if any).
+	 * If no other external references exist (this can happen if the
+	 * original holder has canceled callback,) destroy it here.
+	 */
+	while ((entry = ISC_LIST_HEAD(dbentry->originlist)) != NULL) {
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		/*
+		 * Releasing olink first would avoid finddbent() in
+		 * unlink_dbentries().
+		 */
+		ISC_LIST_UNLINK(dbentry->originlist, entry, olink);
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+
+		if (entry->callback != NULL)
+			(entry->callback)(entry, &entry->cbarg);
+		entry->callback = NULL;
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+	while ((entry = ISC_LIST_HEAD(dbentry->referlist)) != NULL) {
+		ACACHE_LOCK(&acache->entrylocks[entry->locknum],
+			    isc_rwlocktype_write);
+
+		ISC_LIST_UNLINK(dbentry->referlist, entry, rlink);
+		if (acache->cleaner.current_entry != entry)
+			ISC_LIST_UNLINK(acache->entries, entry, link);
+		unlink_dbentries(acache, entry);
+
+		if (entry->callback != NULL)
+			(entry->callback)(entry, &entry->cbarg);
+		entry->callback = NULL;
+
+		ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+			      isc_rwlocktype_write);
+
+		if (acache->cleaner.current_entry != entry)
+			dns_acache_detachentry(&entry);
+	}
+
+	INSIST(ISC_LIST_EMPTY(dbentry->originlist) &&
+	       ISC_LIST_EMPTY(dbentry->referlist));
+
+	bucket = isc_hash_function(&db, sizeof(db), true, NULL) % DBBUCKETS;
+
+	ISC_LIST_UNLINK(acache->dbbucket[bucket], dbentry, link);
+	dns_db_detach(&dbentry->db);
+
+	isc_mem_put(acache->mctx, dbentry, sizeof(*dbentry));
+
+	acache->dbentries--;
+
+	acache->stats.deleted++;
+
+	UNLOCK(&acache->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
+		       void (*callback)(dns_acacheentry_t *, void **),
+		       void *cbarg, dns_acacheentry_t **entryp)
+{
+	dns_acacheentry_t *newentry;
+	isc_result_t result;
+	uint32_t r;
+	isc_stdtime_t tmptime;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(entryp != NULL && *entryp == NULL);
+	REQUIRE(origdb != NULL);
+
+	/*
+	 * Should we exceed our memory limit for some reason (for
+	 * example, if the cleaner does not run aggressively enough),
+	 * then we will not create additional entries.
+	 *
+	 * XXXSK: It might be better to lock the acache->cleaner->lock,
+	 * but locking may be an expensive bottleneck. If we misread
+	 * the value, we will occasionally refuse to create a few
+	 * cache entries, or create a few that we should not. I do not
+	 * expect this to happen often, and it will not have very bad
+	 * effects when it does. So no lock for now.
+	 */
+	if (acache->cleaner.overmem) {
+		acache->stats.overmem_nocreates++; /* XXXSK danger: unlocked! */
+		return (ISC_R_NORESOURCES);
+	}
+
+	newentry = isc_mem_get(acache->mctx, sizeof(*newentry));
+	if (newentry == NULL) {
+		acache->stats.nomem++;  /* XXXMLG danger: unlocked! */
+		return (ISC_R_NOMEMORY);
+	}
+
+	isc_random_get(&r);
+	newentry->locknum = r % DEFAULT_ACACHE_ENTRY_LOCK_COUNT;
+
+	result = isc_refcount_init(&newentry->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(acache->mctx, newentry, sizeof(*newentry));
+		return (result);
+	};
+
+	ISC_LINK_INIT(newentry, link);
+	ISC_LINK_INIT(newentry, olink);
+	ISC_LINK_INIT(newentry, rlink);
+
+	newentry->acache = NULL;
+	dns_acache_attach(acache, &newentry->acache);
+
+	newentry->zone = NULL;
+	newentry->db = NULL;
+	newentry->version = NULL;
+	newentry->node = NULL;
+	newentry->foundname = NULL;
+
+	newentry->callback = callback;
+	newentry->cbarg = cbarg;
+	newentry->origdb = NULL;
+	dns_db_attach(origdb, &newentry->origdb);
+
+	isc_stdtime_get(&tmptime);
+	acache_storetime(newentry, tmptime);
+
+	newentry->magic = ACACHEENTRY_MAGIC;
+
+	*entryp = newentry;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
+		    dns_db_t **dbp, dns_dbversion_t **versionp,
+		    dns_dbnode_t **nodep, dns_name_t *fname,
+		    dns_message_t *msg, isc_stdtime_t now)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdataset_t *erdataset;
+	isc_stdtime32_t	now32;
+	dns_acache_t *acache;
+	int locknum;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+	REQUIRE(zonep == NULL || *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(fname != NULL);
+	REQUIRE(msg != NULL);
+	acache = entry->acache;
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	locknum = entry->locknum;
+	ACACHE_LOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
+
+	isc_stdtime_convert32(now, &now32);
+	acache_storetime(entry, now32);
+
+	if (entry->zone != NULL && zonep != NULL)
+		dns_zone_attach(entry->zone, zonep);
+
+	if (entry->db == NULL) {
+		*dbp = NULL;
+		*versionp = NULL;
+	} else {
+		dns_db_attach(entry->db, dbp);
+		dns_db_attachversion(entry->db, entry->version, versionp);
+	}
+	if (entry->node == NULL)
+		*nodep = NULL;
+	else {
+		dns_db_attachnode(entry->db, entry->node, nodep);
+
+		INSIST(entry->foundname != NULL);
+		dns_name_copy(entry->foundname, fname, NULL);
+		for (erdataset = ISC_LIST_HEAD(entry->foundname->list);
+		     erdataset != NULL;
+		     erdataset = ISC_LIST_NEXT(erdataset, link)) {
+			dns_rdataset_t *ardataset;
+
+			ardataset = NULL;
+			result = dns_message_gettemprdataset(msg, &ardataset);
+			if (result != ISC_R_SUCCESS) {
+				ACACHE_UNLOCK(&acache->entrylocks[locknum],
+					      isc_rwlocktype_read);
+				goto fail;
+			}
+
+			/*
+			 * XXXJT: if we simply clone the rdataset, we'll get
+			 * lost wrt cyclic ordering.  We'll need an additional
+			 * trick to get the latest counter from the original
+			 * header.
+			 */
+			dns_rdataset_clone(erdataset, ardataset);
+			ISC_LIST_APPEND(fname->list, ardataset, link);
+		}
+	}
+
+	entry->acache->stats.hits++; /* XXXMLG danger: unlocked! */
+	entry->acache->stats.queries++;
+
+	ACACHE_UNLOCK(&acache->entrylocks[locknum], isc_rwlocktype_read);
+
+	return (result);
+
+  fail:
+	while ((erdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
+		ISC_LIST_UNLINK(fname->list, erdataset, link);
+		dns_rdataset_disassociate(erdataset);
+		dns_message_puttemprdataset(msg, &erdataset);
+	}
+	if (*nodep != NULL)
+		dns_db_detachnode(*dbp, nodep);
+	if (*versionp != NULL)
+		dns_db_closeversion(*dbp, versionp, false);
+	if (*dbp != NULL)
+		dns_db_detach(dbp);
+	if (zonep != NULL && *zonep != NULL)
+		dns_zone_detach(zonep);
+
+	return (result);
+}
+
+isc_result_t
+dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
+		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *fname)
+{
+	isc_result_t result;
+	dbentry_t *odbent;
+	dbentry_t *rdbent = NULL;
+	bool close_version = false;
+	dns_acacheentry_t *dummy_entry = NULL;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	LOCK(&acache->lock);	/* XXX: need to lock it here for ordering */
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
+
+	/* Set zone */
+	if (zone != NULL)
+		dns_zone_attach(zone, &entry->zone);
+	/* Set DB */
+	if (db != NULL)
+		dns_db_attach(db, &entry->db);
+	/*
+	 * Set DB version.  If the version is not given by the caller,
+	 * which is the case for glue or cache DBs, use the current version.
+	 */
+	if (version == NULL) {
+		if (db != NULL) {
+			dns_db_currentversion(db, &version);
+			close_version = true;
+		}
+	}
+	if (version != NULL) {
+		INSIST(db != NULL);
+		dns_db_attachversion(db, version, &entry->version);
+	}
+	if (close_version)
+		dns_db_closeversion(db, &version, false);
+	/* Set DB node. */
+	if (node != NULL) {
+		INSIST(db != NULL);
+		dns_db_attachnode(db, node, &entry->node);
+	}
+
+	/*
+	 * Set list of the corresponding rdatasets, if given.
+	 * To minimize the overhead and memory consumption, we'll do this for
+	 * positive cache only, in which case the DB node is non NULL.
+	 * We do not want to cache incomplete information, so give up the
+	 * entire entry when a memory shortage happen during the process.
+	 */
+	if (node != NULL) {
+		dns_rdataset_t *ardataset, *crdataset;
+
+		entry->foundname = isc_mem_get(acache->mctx,
+					       sizeof(*entry->foundname));
+
+		if (entry->foundname == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		dns_name_init(entry->foundname, NULL);
+		result = dns_name_dup(fname, acache->mctx,
+				      entry->foundname);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+
+		for (ardataset = ISC_LIST_HEAD(fname->list);
+		     ardataset != NULL;
+		     ardataset = ISC_LIST_NEXT(ardataset, link)) {
+			crdataset = isc_mem_get(acache->mctx,
+						sizeof(*crdataset));
+			if (crdataset == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto fail;
+			}
+
+			dns_rdataset_init(crdataset);
+			dns_rdataset_clone(ardataset, crdataset);
+			ISC_LIST_APPEND(entry->foundname->list, crdataset,
+					link);
+		}
+	}
+
+	odbent = NULL;
+	result = finddbent(acache, entry->origdb, &odbent);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	if (db != NULL) {
+		rdbent = NULL;
+		result = finddbent(acache, db, &rdbent);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	ISC_LIST_APPEND(acache->entries, entry, link);
+	ISC_LIST_APPEND(odbent->originlist, entry, olink);
+	if (rdbent != NULL)
+		ISC_LIST_APPEND(rdbent->referlist, entry, rlink);
+
+	/*
+	 * The additional cache needs an implicit reference to entries in its
+	 * link.
+	 */
+	dns_acache_attachentry(entry, &dummy_entry);
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+
+	acache->stats.adds++;
+	UNLOCK(&acache->lock);
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	clear_entry(acache, entry);
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+	UNLOCK(&acache->lock);
+
+	return (result);
+}
+
+bool
+dns_acache_cancelentry(dns_acacheentry_t *entry) {
+	dns_acache_t *acache;
+	bool callback_active;
+
+	REQUIRE(DNS_ACACHEENTRY_VALID(entry));
+
+	acache = entry->acache;
+
+	INSIST(DNS_ACACHE_VALID(entry->acache));
+
+	LOCK(&acache->lock);
+	ACACHE_LOCK(&acache->entrylocks[entry->locknum], isc_rwlocktype_write);
+
+	callback_active = (entry->cbarg != NULL);
+
+	/*
+	 * Release dependencies stored in this entry as much as possible.
+	 * The main link cannot be released, since the acache object has
+	 * a reference to this entry; the empty entry will be released in
+	 * the next cleaning action.
+	 */
+	unlink_dbentries(acache, entry);
+	clear_entry(entry->acache, entry);
+
+	entry->callback = NULL;
+	entry->cbarg = NULL;
+
+	ACACHE_UNLOCK(&acache->entrylocks[entry->locknum],
+		      isc_rwlocktype_write);
+	UNLOCK(&acache->lock);
+
+	return (callback_active);
+}
+
+void
+dns_acache_attachentry(dns_acacheentry_t *source,
+		       dns_acacheentry_t **targetp)
+{
+	REQUIRE(DNS_ACACHEENTRY_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references, NULL);
+
+	*targetp = source;
+}
+
+void
+dns_acache_detachentry(dns_acacheentry_t **entryp) {
+	dns_acacheentry_t *entry;
+	unsigned int refs;
+
+	REQUIRE(entryp != NULL && DNS_ACACHEENTRY_VALID(*entryp));
+	entry = *entryp;
+
+	isc_refcount_decrement(&entry->references, &refs);
+
+	/*
+	 * If there are no references to the entry, the entry must have been
+	 * unlinked and can be destroyed safely.
+	 */
+	if (refs == 0) {
+		INSIST(!ISC_LINK_LINKED(entry, link));
+		(*entryp)->acache->stats.deleted++;
+		destroy_entry(entry);
+	}
+
+	*entryp = NULL;
+}
+
+void
+dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t) {
+	isc_interval_t interval;
+	isc_result_t result;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	ATRACE("dns_acache_setcleaninginterval");
+
+	LOCK(&acache->lock);
+
+	/*
+	 * It may be the case that the acache has already shut down.
+	 * If so, it has no timer.  (Not sure if this can really happen.)
+	 */
+	if (acache->cleaner.cleaning_timer == NULL)
+		goto unlock;
+
+	acache->cleaner.cleaning_interval = t;
+
+	if (t == 0) {
+		result = isc_timer_reset(acache->cleaner.cleaning_timer,
+					 isc_timertype_inactive,
+					 NULL, NULL, true);
+	} else {
+		isc_interval_set(&interval, acache->cleaner.cleaning_interval,
+				 0);
+		result = isc_timer_reset(acache->cleaner.cleaning_timer,
+					 isc_timertype_ticker,
+					 NULL, &interval, false);
+	}
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_WARNING,
+			      "could not set acache cleaning interval: %s",
+			      isc_result_totext(result));
+	else
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_ACACHE, ISC_LOG_NOTICE,
+			      "acache %p cleaning interval set to %d.",
+			      acache, t);
+
+ unlock:
+	UNLOCK(&acache->lock);
+}
+
+/*
+ * This function was derived from cache.c:dns_cache_setcachesize().  See the
+ * function for more details about the logic.
+ */
+void
+dns_acache_setcachesize(dns_acache_t *acache, size_t size) {
+	size_t hiwater, lowater;
+
+	REQUIRE(DNS_ACACHE_VALID(acache));
+
+	if (size != 0U && size < DNS_ACACHE_MINSIZE)
+		size = DNS_ACACHE_MINSIZE;
+
+	hiwater = size - (size >> 3);
+	lowater = size - (size >> 2);
+
+	if (size == 0U || hiwater == 0U || lowater == 0U)
+		isc_mem_setwater(acache->mctx, water, acache, 0, 0);
+	else
+		isc_mem_setwater(acache->mctx, water, acache,
+				 hiwater, lowater);
+}
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
new file mode 100644
index 0000000..c1108e8
--- /dev/null
+++ b/lib/dns/acl.c
@@ -0,0 +1,728 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/iptable.h>
+
+
+/*
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
+ */
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
+	isc_result_t result;
+	dns_acl_t *acl;
+
+	/*
+	 * Work around silly limitation of isc_mem_get().
+	 */
+	if (n == 0)
+		n = 1;
+
+	acl = isc_mem_get(mctx, sizeof(*acl));
+	if (acl == NULL)
+		return (ISC_R_NOMEMORY);
+
+	acl->mctx = NULL;
+	isc_mem_attach(mctx, &acl->mctx);
+
+	acl->name = NULL;
+
+	result = isc_refcount_init(&acl->refcount, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acl, sizeof(*acl));
+		return (result);
+	}
+
+	result = dns_iptable_create(mctx, &acl->iptable);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acl, sizeof(*acl));
+		return (result);
+	}
+
+	acl->elements = NULL;
+	acl->alloc = 0;
+	acl->length = 0;
+	acl->has_negatives = false;
+
+	ISC_LINK_INIT(acl, nextincache);
+	/*
+	 * Must set magic early because we use dns_acl_detach() to clean up.
+	 */
+	acl->magic = DNS_ACL_MAGIC;
+
+	acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
+	if (acl->elements == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	acl->alloc = n;
+	memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
+	*target = acl;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_acl_detach(&acl);
+	return (result);
+}
+
+/*
+ * Create a new ACL and initialize it with the value "any" or "none",
+ * depending on the value of the "neg" parameter.
+ * "any" is a positive iptable entry with bit length 0.
+ * "none" is the same as "!any".
+ */
+static isc_result_t
+dns_acl_anyornone(isc_mem_t *mctx, bool neg, dns_acl_t **target) {
+	isc_result_t result;
+	dns_acl_t *acl = NULL;
+
+	result = dns_acl_create(mctx, 0, &acl);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_iptable_addprefix(acl->iptable, NULL, 0, !neg);
+	if (result != ISC_R_SUCCESS) {
+		dns_acl_detach(&acl);
+		return (result);
+	}
+
+	*target = acl;
+	return (result);
+}
+
+/*
+ * Create a new ACL that matches everything.
+ */
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
+	return (dns_acl_anyornone(mctx, false, target));
+}
+
+/*
+ * Create a new ACL that matches nothing.
+ */
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
+	return (dns_acl_anyornone(mctx, true, target));
+}
+
+/*
+ * If pos is true, test whether acl is set to "{ any; }"
+ * If pos is false, test whether acl is set to "{ none; }"
+ */
+static bool
+dns_acl_isanyornone(dns_acl_t *acl, bool pos)
+{
+	/* Should never happen but let's be safe */
+	if (acl == NULL ||
+	    acl->iptable == NULL ||
+	    acl->iptable->radix == NULL ||
+	    acl->iptable->radix->head == NULL ||
+	    acl->iptable->radix->head->prefix == NULL)
+		return (false);
+
+	if (acl->length != 0 || acl->node_count != 1)
+		return (false);
+
+	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
+	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+		    acl->iptable->radix->head->data[1] &&
+	    *(bool *) (acl->iptable->radix->head->data[0]) == pos)
+		return (true);
+
+	return (false); /* All others */
+}
+
+/*
+ * Test whether acl is set to "{ any; }"
+ */
+bool
+dns_acl_isany(dns_acl_t *acl)
+{
+	return (dns_acl_isanyornone(acl, true));
+}
+
+/*
+ * Test whether acl is set to "{ none; }"
+ */
+bool
+dns_acl_isnone(dns_acl_t *acl)
+{
+	return (dns_acl_isanyornone(acl, false));
+}
+
+/*
+ * Determine whether a given address or signer matches a given ACL.
+ * For a match with a positive ACL element or iptable radix entry,
+ * return with a positive value in match; for a match with a negated ACL
+ * element or radix entry, return with a negative value in match.
+ */
+isc_result_t
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
+	      int *match,
+	      const dns_aclelement_t **matchelt)
+{
+	return (dns_acl_match2(reqaddr, reqsigner, NULL, 0, NULL, acl, env,
+			       match, matchelt));
+}
+
+isc_result_t
+dns_acl_match2(const isc_netaddr_t *reqaddr,
+	       const dns_name_t *reqsigner,
+	       const isc_netaddr_t *ecs,
+	       uint8_t ecslen,
+	       uint8_t *scope,
+	       const dns_acl_t *acl,
+	       const dns_aclenv_t *env,
+	       int *match,
+	       const dns_aclelement_t **matchelt)
+{
+	uint16_t bitlen;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	const isc_netaddr_t *addr = reqaddr;
+	isc_netaddr_t v4addr;
+	isc_result_t result;
+	int match_num = -1;
+	unsigned int i;
+
+	REQUIRE(reqaddr != NULL);
+	REQUIRE(matchelt == NULL || *matchelt == NULL);
+	REQUIRE(ecs != NULL || scope == NULL);
+
+	if (env != NULL && env->match_mapped &&
+	    addr->family == AF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&addr->type.in6))
+	{
+		isc_netaddr_fromv4mapped(&v4addr, addr);
+		addr = &v4addr;
+	}
+
+	/* Always match with host addresses. */
+	bitlen = (addr->family == AF_INET6) ? 128 : 32;
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen, false);
+
+	/* Assume no match. */
+	*match = 0;
+
+	/* Search radix. */
+	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
+
+	/* Found a match. */
+	if (result == ISC_R_SUCCESS && node != NULL) {
+		int fam = ISC_RADIX_FAMILY(&pfx);
+		match_num = node->node_num[fam];
+		if (*(bool *) node->data[fam]) {
+			*match = match_num;
+		} else {
+			*match = -match_num;
+		}
+	}
+
+	isc_refcount_destroy(&pfx.refcount);
+
+	/*
+	 * If ecs is not NULL, we search the radix tree again to
+	 * see if we find a better match on an ECS node
+	 */
+	if (ecs != NULL) {
+		node = NULL;
+		addr = ecs;
+
+		if (env != NULL && env->match_mapped &&
+		    addr->family == AF_INET6 &&
+		    IN6_IS_ADDR_V4MAPPED(&addr->type.in6))
+		{
+			isc_netaddr_fromv4mapped(&v4addr, addr);
+			addr = &v4addr;
+		}
+
+		NETADDR_TO_PREFIX_T(addr, pfx, ecslen, true);
+
+		result = isc_radix_search(acl->iptable->radix, &node, &pfx);
+		if (result == ISC_R_SUCCESS && node != NULL) {
+			int off = ISC_RADIX_FAMILY(&pfx);
+			if (match_num == -1 ||
+			    node->node_num[off] < match_num)
+			{
+				match_num = node->node_num[off];
+				if (scope != NULL) {
+					*scope = node->bit;
+				}
+				if (*(bool *) node->data[off]) {
+					*match = match_num;
+				} else {
+					*match = -match_num;
+				}
+			}
+		}
+
+		isc_refcount_destroy(&pfx.refcount);
+	}
+
+	/* Now search non-radix elements for a match with a lower node_num. */
+	for (i = 0; i < acl->length; i++) {
+		dns_aclelement_t *e = &acl->elements[i];
+
+		/* Already found a better match? */
+		if (match_num != -1 && match_num < e->node_num) {
+			break;
+		}
+
+		if (dns_aclelement_match2(reqaddr, reqsigner, ecs, ecslen,
+					  scope, e, env, matchelt))
+		{
+			if (match_num == -1 || e->node_num < match_num) {
+				if (e->negative)
+					*match = -e->node_num;
+				else
+					*match = e->node_num;
+			}
+			break;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos)
+{
+	isc_result_t result;
+	unsigned int newalloc, nelem, i;
+	int max_node = 0, nodes;
+
+	/* Resize the element array if needed. */
+	if (dest->length + source->length > dest->alloc) {
+		void *newmem;
+
+		newalloc = dest->alloc + source->alloc;
+		if (newalloc < 4)
+			newalloc = 4;
+
+		newmem = isc_mem_get(dest->mctx,
+				     newalloc * sizeof(dns_aclelement_t));
+		if (newmem == NULL)
+			return (ISC_R_NOMEMORY);
+
+		/* Zero. */
+		memset(newmem, 0, newalloc * sizeof(dns_aclelement_t));
+
+		/* Copy in the original elements */
+		memmove(newmem, dest->elements,
+			dest->length * sizeof(dns_aclelement_t));
+
+		/* Release the memory for the old elements array */
+		isc_mem_put(dest->mctx, dest->elements,
+			    dest->alloc * sizeof(dns_aclelement_t));
+		dest->elements = newmem;
+		dest->alloc = newalloc;
+	}
+
+	/*
+	 * Now copy in the new elements, increasing their node_num
+	 * values so as to keep the new ACL consistent.  If we're
+	 * negating, then negate positive elements, but keep negative
+	 * elements the same for security reasons.
+	 */
+	nelem = dest->length;
+	dest->length += source->length;
+	for (i = 0; i < source->length; i++) {
+		if (source->elements[i].node_num > max_node)
+			max_node = source->elements[i].node_num;
+
+		/* Copy type. */
+		dest->elements[nelem + i].type = source->elements[i].type;
+
+		/* Adjust node numbering. */
+		dest->elements[nelem + i].node_num =
+			source->elements[i].node_num + dest->node_count;
+
+		/* Duplicate nested acl. */
+		if (source->elements[i].type == dns_aclelementtype_nestedacl &&
+		   source->elements[i].nestedacl != NULL)
+			dns_acl_attach(source->elements[i].nestedacl,
+				       &dest->elements[nelem + i].nestedacl);
+
+		/* Duplicate key name. */
+		if (source->elements[i].type == dns_aclelementtype_keyname) {
+			dns_name_init(&dest->elements[nelem+i].keyname, NULL);
+			result = dns_name_dup(&source->elements[i].keyname,
+					      dest->mctx,
+					      &dest->elements[nelem+i].keyname);
+			if (result != ISC_R_SUCCESS)
+				return result;
+		}
+
+#ifdef HAVE_GEOIP
+		/* Duplicate GeoIP data */
+		if (source->elements[i].type == dns_aclelementtype_geoip) {
+			dest->elements[nelem + i].geoip_elem =
+				source->elements[i].geoip_elem;
+		}
+#endif
+
+		/* reverse sense of positives if this is a negative acl */
+		if (!pos && !source->elements[i].negative) {
+			dest->elements[nelem + i].negative = true;
+		} else {
+			dest->elements[nelem + i].negative =
+				source->elements[i].negative;
+		}
+	}
+
+	/*
+	 * Merge the iptables.  Make sure the destination ACL's
+	 * node_count value is set correctly afterward.
+	 */
+	nodes = max_node + dest->node_count;
+	result = dns_iptable_merge(dest->iptable, source->iptable, pos);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (nodes > dest->node_count)
+		dest->node_count = nodes;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns true iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative.  Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
+bool
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt)
+{
+	return (dns_aclelement_match2(reqaddr, reqsigner, NULL, 0, NULL,
+				      e, env, matchelt));
+}
+
+bool
+dns_aclelement_match2(const isc_netaddr_t *reqaddr,
+		      const dns_name_t *reqsigner,
+		      const isc_netaddr_t *ecs,
+		      uint8_t ecslen,
+		      uint8_t *scope,
+		      const dns_aclelement_t *e,
+		      const dns_aclenv_t *env,
+		      const dns_aclelement_t **matchelt)
+{
+	dns_acl_t *inner = NULL;
+	int indirectmatch;
+	isc_result_t result;
+#ifdef HAVE_GEOIP
+	const isc_netaddr_t *addr = NULL;
+#endif
+
+	REQUIRE(ecs != NULL || scope == NULL);
+
+	switch (e->type) {
+	case dns_aclelementtype_keyname:
+		if (reqsigner != NULL &&
+		    dns_name_equal(reqsigner, &e->keyname)) {
+			if (matchelt != NULL)
+				*matchelt = e;
+			return (true);
+		} else
+			return (false);
+
+	case dns_aclelementtype_nestedacl:
+		inner = e->nestedacl;
+		break;
+
+	case dns_aclelementtype_localhost:
+		if (env == NULL || env->localhost == NULL)
+			return (false);
+		inner = env->localhost;
+		break;
+
+	case dns_aclelementtype_localnets:
+		if (env == NULL || env->localnets == NULL)
+			return (false);
+		inner = env->localnets;
+		break;
+
+#ifdef HAVE_GEOIP
+	case dns_aclelementtype_geoip:
+		if (env == NULL || env->geoip == NULL)
+			return (false);
+		addr = (env->geoip_use_ecs && ecs != NULL) ? ecs : reqaddr;
+		return (dns_geoip_match(addr, scope, env->geoip,
+					&e->geoip_elem));
+#endif
+	default:
+		/* Should be impossible. */
+		INSIST(0);
+	}
+
+	result = dns_acl_match2(reqaddr, reqsigner, ecs, ecslen, scope,
+				inner, env, &indirectmatch, matchelt);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * Treat negative matches in indirect ACLs as "no match".
+	 * That way, a negated indirect ACL will never become a
+	 * surprise positive match through double negation.
+	 * XXXDCL this should be documented.
+	 */
+	if (indirectmatch > 0) {
+		if (matchelt != NULL)
+			*matchelt = e;
+		return (true);
+	}
+
+	/*
+	 * A negative indirect match may have set *matchelt, but we don't
+	 * want it set when we return.
+	 */
+	if (matchelt != NULL)
+		*matchelt = NULL;
+
+	return (false);
+}
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
+	REQUIRE(DNS_ACL_VALID(source));
+
+	isc_refcount_increment(&source->refcount, NULL);
+	*target = source;
+}
+
+static void
+destroy(dns_acl_t *dacl) {
+	unsigned int i;
+
+	INSIST(!ISC_LINK_LINKED(dacl, nextincache));
+
+	for (i = 0; i < dacl->length; i++) {
+		dns_aclelement_t *de = &dacl->elements[i];
+		if (de->type == dns_aclelementtype_keyname) {
+			dns_name_free(&de->keyname, dacl->mctx);
+		} else if (de->type == dns_aclelementtype_nestedacl) {
+			dns_acl_detach(&de->nestedacl);
+		}
+	}
+	if (dacl->elements != NULL)
+		isc_mem_put(dacl->mctx, dacl->elements,
+			    dacl->alloc * sizeof(dns_aclelement_t));
+	if (dacl->name != NULL)
+		isc_mem_free(dacl->mctx, dacl->name);
+	if (dacl->iptable != NULL)
+		dns_iptable_detach(&dacl->iptable);
+	isc_refcount_destroy(&dacl->refcount);
+	dacl->magic = 0;
+	isc_mem_putanddetach(&dacl->mctx, dacl, sizeof(*dacl));
+}
+
+void
+dns_acl_detach(dns_acl_t **aclp) {
+	dns_acl_t *acl = *aclp;
+	unsigned int refs;
+
+	REQUIRE(DNS_ACL_VALID(acl));
+
+	isc_refcount_decrement(&acl->refcount, &refs);
+	if (refs == 0)
+		destroy(acl);
+	*aclp = NULL;
+}
+
+
+static isc_once_t	insecure_prefix_once = ISC_ONCE_INIT;
+static isc_mutex_t	insecure_prefix_lock;
+static bool	insecure_prefix_found;
+
+static void
+initialize_action(void) {
+	RUNTIME_CHECK(isc_mutex_init(&insecure_prefix_lock) == ISC_R_SUCCESS);
+}
+
+/*
+ * Called via isc_radix_process() to find IP table nodes that are
+ * insecure.
+ */
+static void
+is_insecure(isc_prefix_t *prefix, void **data) {
+	/*
+	 * If all nonexistent or negative then this node is secure.
+	 */
+	if ((data[0] == NULL || !* (bool *) data[0]) &&
+	    (data[1] == NULL || !* (bool *) data[1]) &&
+	    (data[2] == NULL || !* (bool *) data[2]) &&
+	    (data[3] == NULL || !* (bool *) data[3]))
+		return;
+
+	/*
+	 * If a loopback address found and the other family and
+	 * ecs entry doesn't exist or is negative, return.
+	 */
+	if (prefix->bitlen == 32 &&
+	    htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
+	    (data[1] == NULL || !* (bool *) data[1]) &&
+	    (data[2] == NULL || !* (bool *) data[2]) &&
+	    (data[3] == NULL || !* (bool *) data[3]))
+		return;
+
+	if (prefix->bitlen == 128 &&
+	    IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
+	    (data[0] == NULL || !* (bool *) data[0]) &&
+	    (data[2] == NULL || !* (bool *) data[2]) &&
+	    (data[3] == NULL || !* (bool *) data[3]))
+		return;
+
+	/* Non-negated, non-loopback */
+	insecure_prefix_found = true;	/* LOCKED */
+	return;
+}
+
+/*
+ * Return true iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns false is safe.
+ */
+bool
+dns_acl_isinsecure(const dns_acl_t *a) {
+	unsigned int i;
+	bool insecure;
+
+	RUNTIME_CHECK(isc_once_do(&insecure_prefix_once,
+				  initialize_action) == ISC_R_SUCCESS);
+
+	/*
+	 * Walk radix tree to find out if there are any non-negated,
+	 * non-loopback prefixes.
+	 */
+	LOCK(&insecure_prefix_lock);
+	insecure_prefix_found = false;
+	isc_radix_process(a->iptable->radix, is_insecure);
+	insecure = insecure_prefix_found;
+	UNLOCK(&insecure_prefix_lock);
+	if (insecure)
+		return (true);
+
+	/* Now check non-radix elements */
+	for (i = 0; i < a->length; i++) {
+		dns_aclelement_t *e = &a->elements[i];
+
+		/* A negated match can never be insecure. */
+		if (e->negative)
+			continue;
+
+		switch (e->type) {
+		case dns_aclelementtype_keyname:
+		case dns_aclelementtype_localhost:
+			continue;
+
+		case dns_aclelementtype_nestedacl:
+			if (dns_acl_isinsecure(e->nestedacl))
+				return (true);
+			continue;
+
+#ifdef HAVE_GEOIP
+		case dns_aclelementtype_geoip:
+#endif
+		case dns_aclelementtype_localnets:
+			return (true);
+
+		default:
+			INSIST(0);
+			return (true);
+		}
+	}
+
+	/* No insecure elements were found. */
+	return (false);
+}
+
+/*
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
+	isc_result_t result;
+
+	env->localhost = NULL;
+	env->localnets = NULL;
+	result = dns_acl_create(mctx, 0, &env->localhost);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_nothing;
+	result = dns_acl_create(mctx, 0, &env->localnets);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_localhost;
+	env->match_mapped = false;
+#ifdef HAVE_GEOIP
+	env->geoip = NULL;
+	env->geoip_use_ecs = false;
+#endif
+	return (ISC_R_SUCCESS);
+
+ cleanup_localhost:
+	dns_acl_detach(&env->localhost);
+ cleanup_nothing:
+	return (result);
+}
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
+	dns_acl_detach(&t->localhost);
+	dns_acl_attach(s->localhost, &t->localhost);
+	dns_acl_detach(&t->localnets);
+	dns_acl_attach(s->localnets, &t->localnets);
+	t->match_mapped = s->match_mapped;
+#ifdef HAVE_GEOIP
+	t->geoip_use_ecs = s->geoip_use_ecs;
+#endif
+}
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env) {
+	dns_acl_detach(&env->localhost);
+	dns_acl_detach(&env->localnets);
+}
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
new file mode 100644
index 0000000..956f368
--- /dev/null
+++ b/lib/dns/adb.c
@@ -0,0 +1,4823 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ *
+ * \note
+ * In finds, if task == NULL, no events will be generated, and no events
+ * have been sent.  If task != NULL but taskaction == NULL, an event has been
+ * posted but not yet freed.  If neither are NULL, no event was posted.
+ *
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <limits.h>
+#include <inttypes.h>
+
+#include <isc/mutexblock.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/stats.h>
+#include <isc/string.h>         /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+
+#define DNS_ADB_MAGIC             ISC_MAGIC('D', 'a', 'd', 'b')
+#define DNS_ADB_VALID(x)          ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
+#define DNS_ADBNAME_MAGIC         ISC_MAGIC('a', 'd', 'b', 'N')
+#define DNS_ADBNAME_VALID(x)      ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
+#define DNS_ADBNAMEHOOK_MAGIC     ISC_MAGIC('a', 'd', 'N', 'H')
+#define DNS_ADBNAMEHOOK_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
+#define DNS_ADBLAMEINFO_MAGIC     ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBLAMEINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
+#define DNS_ADBENTRY_MAGIC        ISC_MAGIC('a', 'd', 'b', 'E')
+#define DNS_ADBENTRY_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
+#define DNS_ADBFETCH_MAGIC        ISC_MAGIC('a', 'd', 'F', '4')
+#define DNS_ADBFETCH_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
+#define DNS_ADBFETCH6_MAGIC       ISC_MAGIC('a', 'd', 'F', '6')
+#define DNS_ADBFETCH6_VALID(x)    ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
+
+/*!
+ * For type 3 negative cache entries, we will remember that the address is
+ * broken for this long.  XXXMLG This is also used for actual addresses, too.
+ * The intent is to keep us from constantly asking about A/AAAA records
+ * if the zone has extremely low TTLs.
+ */
+#define ADB_CACHE_MINIMUM       10      /*%< seconds */
+#define ADB_CACHE_MAXIMUM       86400   /*%< seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW        1800    /*%< seconds */
+
+/*%
+ * The period in seconds after which an ADB name entry is regarded as stale
+ * and forced to be cleaned up.
+ * TODO: This should probably be configurable at run-time.
+ */
+#ifndef ADB_STALE_MARGIN
+#define ADB_STALE_MARGIN        1800
+#endif
+
+#define FREE_ITEMS              64      /*%< free count for memory pools */
+#define FILL_COUNT              16      /*%< fill count for memory pools */
+
+#define DNS_ADB_INVALIDBUCKET (-1)      /*%< invalid bucket address */
+
+#define DNS_ADB_MINADBSIZE      (1024U*1024U)     /*%< 1 Megabyte */
+
+typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
+typedef struct dns_adbnamehook dns_adbnamehook_t;
+typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
+typedef struct dns_adblameinfo dns_adblameinfo_t;
+typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
+typedef struct dns_adbfetch dns_adbfetch_t;
+typedef struct dns_adbfetch6 dns_adbfetch6_t;
+
+/*% dns adb structure */
+struct dns_adb {
+	unsigned int                    magic;
+
+	isc_mutex_t                     lock;
+	isc_mutex_t                     reflock; /*%< Covers irefcnt, erefcnt */
+	isc_mutex_t                     overmemlock; /*%< Covers overmem */
+	isc_mem_t                      *mctx;
+	dns_view_t                     *view;
+
+	isc_taskmgr_t                  *taskmgr;
+	isc_task_t                     *task;
+	isc_task_t                     *excl;
+
+	isc_interval_t                  tick_interval;
+	int                             next_cleanbucket;
+
+	unsigned int                    irefcnt;
+	unsigned int                    erefcnt;
+
+	isc_mutex_t                     mplock;
+	isc_mempool_t                  *nmp;    /*%< dns_adbname_t */
+	isc_mempool_t                  *nhmp;   /*%< dns_adbnamehook_t */
+	isc_mempool_t                  *limp;   /*%< dns_adblameinfo_t */
+	isc_mempool_t                  *emp;    /*%< dns_adbentry_t */
+	isc_mempool_t                  *ahmp;   /*%< dns_adbfind_t */
+	isc_mempool_t                  *aimp;   /*%< dns_adbaddrinfo_t */
+	isc_mempool_t                  *afmp;   /*%< dns_adbfetch_t */
+
+	/*!
+	 * Bucketized locks and lists for names.
+	 *
+	 * XXXRTH  Have a per-bucket structure that contains all of these?
+	 */
+	unsigned int			nnames;
+	isc_mutex_t                     namescntlock;
+	unsigned int			namescnt;
+	dns_adbnamelist_t               *names;
+	dns_adbnamelist_t               *deadnames;
+	isc_mutex_t                     *namelocks;
+	bool                   *name_sd;
+	unsigned int                    *name_refcnt;
+
+	/*!
+	 * Bucketized locks and lists for entries.
+	 *
+	 * XXXRTH  Have a per-bucket structure that contains all of these?
+	 */
+	unsigned int			nentries;
+	isc_mutex_t                     entriescntlock;
+	unsigned int			entriescnt;
+	dns_adbentrylist_t              *entries;
+	dns_adbentrylist_t              *deadentries;
+	isc_mutex_t                     *entrylocks;
+	bool                   *entry_sd; /*%< shutting down */
+	unsigned int                    *entry_refcnt;
+
+	isc_event_t                     cevent;
+	bool                   cevent_out;
+	bool                   shutting_down;
+	isc_eventlist_t                 whenshutdown;
+	isc_event_t			growentries;
+	bool			growentries_sent;
+	isc_event_t			grownames;
+	bool			grownames_sent;
+
+	uint32_t			quota;
+	uint32_t			atr_freq;
+	double				atr_low;
+	double				atr_high;
+	double				atr_discount;
+};
+
+/*
+ * XXXMLG  Document these structures.
+ */
+
+/*% dns_adbname structure */
+struct dns_adbname {
+	unsigned int                    magic;
+	dns_name_t                      name;
+	dns_adb_t                      *adb;
+	unsigned int                    partial_result;
+	unsigned int                    flags;
+	int                             lock_bucket;
+	dns_name_t                      target;
+	isc_stdtime_t                   expire_target;
+	isc_stdtime_t                   expire_v4;
+	isc_stdtime_t                   expire_v6;
+	unsigned int                    chains;
+	dns_adbnamehooklist_t           v4;
+	dns_adbnamehooklist_t           v6;
+	dns_adbfetch_t                 *fetch_a;
+	dns_adbfetch_t                 *fetch_aaaa;
+	unsigned int                    fetch_err;
+	unsigned int                    fetch6_err;
+	dns_adbfindlist_t               finds;
+	/* for LRU-based management */
+	isc_stdtime_t                   last_used;
+
+	ISC_LINK(dns_adbname_t)         plink;
+};
+
+/*% The adbfetch structure */
+struct dns_adbfetch {
+	unsigned int                    magic;
+	dns_fetch_t                    *fetch;
+	dns_rdataset_t                  rdataset;
+	unsigned int			depth;
+};
+
+/*%
+ * This is a small widget that dangles off a dns_adbname_t.  It contains a
+ * pointer to the address information about this host, and a link to the next
+ * namehook that will contain the next address this host has.
+ */
+struct dns_adbnamehook {
+	unsigned int                    magic;
+	dns_adbentry_t                 *entry;
+	ISC_LINK(dns_adbnamehook_t)     plink;
+};
+
+/*%
+ * This is a small widget that holds qname-specific information about an
+ * address.  Currently limited to lameness, but could just as easily be
+ * extended to other types of information about zones.
+ */
+struct dns_adblameinfo {
+	unsigned int                    magic;
+
+	dns_name_t                      qname;
+	dns_rdatatype_t                 qtype;
+	isc_stdtime_t                   lame_timer;
+
+	ISC_LINK(dns_adblameinfo_t)     plink;
+};
+
+/*%
+ * An address entry.  It holds quite a bit of information about addresses,
+ * including edns state (in "flags"), rtt, and of course the address of
+ * the host.
+ */
+struct dns_adbentry {
+	unsigned int                    magic;
+
+	int                             lock_bucket;
+	unsigned int                    refcnt;
+	unsigned int                    nh;
+
+	unsigned int                    flags;
+	unsigned int                    srtt;
+	uint16_t			udpsize;
+	unsigned int			completed;
+	unsigned int			timeouts;
+	unsigned char			plain;
+	unsigned char			plainto;
+	unsigned char			edns;
+	unsigned char			to4096;		/* Our max. */
+
+	uint8_t			mode;
+	uint32_t			quota;
+	uint32_t			active;
+	double				atr;
+
+	/*
+	 * Allow for encapsulated IPv4/IPv6 UDP packet over ethernet.
+	 * Ethernet 1500 - IP(20) - IP6(40) - UDP(8) = 1432.
+	 */
+	unsigned char			to1432;		/* Ethernet */
+	unsigned char			to1232;		/* IPv6 nofrag */
+	unsigned char			to512;		/* plain DNS */
+	isc_sockaddr_t                  sockaddr;
+	unsigned char *			cookie;
+	uint16_t			cookielen;
+
+	isc_stdtime_t                   expires;
+	isc_stdtime_t			lastage;
+	/*%<
+	 * A nonzero 'expires' field indicates that the entry should
+	 * persist until that time.  This allows entries found
+	 * using dns_adb_findaddrinfo() to persist for a limited time
+	 * even though they are not necessarily associated with a
+	 * name.
+	 */
+
+	ISC_LIST(dns_adblameinfo_t)     lameinfo;
+	ISC_LINK(dns_adbentry_t)        plink;
+};
+
+/*
+ * Internal functions (and prototypes).
+ */
+static inline dns_adbname_t *new_adbname(dns_adb_t *, dns_name_t *);
+static inline void free_adbname(dns_adb_t *, dns_adbname_t **);
+static inline dns_adbnamehook_t *new_adbnamehook(dns_adb_t *,
+						 dns_adbentry_t *);
+static inline void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
+static inline dns_adblameinfo_t *new_adblameinfo(dns_adb_t *, dns_name_t *,
+						 dns_rdatatype_t);
+static inline void free_adblameinfo(dns_adb_t *, dns_adblameinfo_t **);
+static inline dns_adbentry_t *new_adbentry(dns_adb_t *);
+static inline void free_adbentry(dns_adb_t *, dns_adbentry_t **);
+static inline dns_adbfind_t *new_adbfind(dns_adb_t *);
+static inline bool free_adbfind(dns_adb_t *, dns_adbfind_t **);
+static inline dns_adbaddrinfo_t *new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *,
+						 in_port_t);
+static inline dns_adbfetch_t *new_adbfetch(dns_adb_t *);
+static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
+static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
+						unsigned int, int *);
+static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
+						  isc_sockaddr_t *, int *,
+						  isc_stdtime_t);
+static void dump_adb(dns_adb_t *, FILE *, bool debug, isc_stdtime_t);
+static void print_dns_name(FILE *, dns_name_t *);
+static void print_namehook_list(FILE *, const char *legend,
+				dns_adb_t *adb,
+				dns_adbnamehooklist_t *list,
+				bool debug,
+				isc_stdtime_t now);
+static void print_find_list(FILE *, dns_adbname_t *);
+static void print_fetch_list(FILE *, dns_adbname_t *);
+static inline bool dec_adb_irefcnt(dns_adb_t *);
+static inline void inc_adb_irefcnt(dns_adb_t *);
+static inline void inc_adb_erefcnt(dns_adb_t *);
+static inline void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
+				    bool);
+static inline bool dec_entry_refcnt(dns_adb_t *, bool,
+					     dns_adbentry_t *, bool);
+static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+static bool clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+static void clean_target(dns_adb_t *, dns_name_t *);
+static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, unsigned int);
+static bool check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static bool check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+					isc_stdtime_t);
+static void cancel_fetches_at_name(dns_adbname_t *);
+static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
+				dns_rdatatype_t);
+static isc_result_t fetch_name(dns_adbname_t *, bool,
+			       unsigned int, isc_counter_t *qc,
+			       dns_rdatatype_t);
+static inline void check_exit(dns_adb_t *);
+static void destroy(dns_adb_t *);
+static bool shutdown_names(dns_adb_t *);
+static bool shutdown_entries(dns_adb_t *);
+static inline void link_name(dns_adb_t *, int, dns_adbname_t *);
+static inline bool unlink_name(dns_adb_t *, dns_adbname_t *);
+static inline void link_entry(dns_adb_t *, int, dns_adbentry_t *);
+static inline bool unlink_entry(dns_adb_t *, dns_adbentry_t *);
+static bool kill_name(dns_adbname_t **, isc_eventtype_t);
+static void water(void *, int);
+static void dump_entry(FILE *, dns_adb_t *, dns_adbentry_t *,
+		       bool, isc_stdtime_t);
+static void adjustsrtt(dns_adbaddrinfo_t *addr, unsigned int rtt,
+		       unsigned int factor, isc_stdtime_t now);
+static void shutdown_task(isc_task_t *task, isc_event_t *ev);
+static void log_quota(dns_adbentry_t *entry, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * MUST NOT overlap DNS_ADBFIND_* flags!
+ */
+#define FIND_EVENT_SENT         0x40000000
+#define FIND_EVENT_FREED        0x80000000
+#define FIND_EVENTSENT(h)       (((h)->flags & FIND_EVENT_SENT) != 0)
+#define FIND_EVENTFREED(h)      (((h)->flags & FIND_EVENT_FREED) != 0)
+
+#define NAME_NEEDS_POKE         0x80000000
+#define NAME_IS_DEAD            0x40000000
+#define NAME_HINT_OK            DNS_ADBFIND_HINTOK
+#define NAME_GLUE_OK            DNS_ADBFIND_GLUEOK
+#define NAME_STARTATZONE        DNS_ADBFIND_STARTATZONE
+#define NAME_DEAD(n)            (((n)->flags & NAME_IS_DEAD) != 0)
+#define NAME_NEEDSPOKE(n)       (((n)->flags & NAME_NEEDS_POKE) != 0)
+#define NAME_GLUEOK(n)          (((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n)          (((n)->flags & NAME_HINT_OK) != 0)
+
+/*
+ * Private flag(s) for entries.
+ * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ */
+#define ENTRY_IS_DEAD		0x00400000
+
+/*
+ * To the name, address classes are all that really exist.  If it has a
+ * V6 address it doesn't care if it came from a AAAA query.
+ */
+#define NAME_HAS_V4(n)          (!ISC_LIST_EMPTY((n)->v4))
+#define NAME_HAS_V6(n)          (!ISC_LIST_EMPTY((n)->v6))
+#define NAME_HAS_ADDRS(n)       (NAME_HAS_V4(n) || NAME_HAS_V6(n))
+
+/*
+ * Fetches are broken out into A and AAAA types.  In some cases,
+ * however, it makes more sense to test for a particular class of fetches,
+ * like V4 or V6 above.
+ * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
+ * are now equal to FETCH_V4 and FETCH_V6, respectively.
+ */
+#define NAME_FETCH_A(n)         ((n)->fetch_a != NULL)
+#define NAME_FETCH_AAAA(n)      ((n)->fetch_aaaa != NULL)
+#define NAME_FETCH_V4(n)        (NAME_FETCH_A(n))
+#define NAME_FETCH_V6(n)        (NAME_FETCH_AAAA(n))
+#define NAME_FETCH(n)           (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
+
+/*
+ * Find options and tests to see if there are addresses on the list.
+ */
+#define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+				 != 0)
+#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+				 != 0)
+#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+
+/*
+ * These are currently used on simple unsigned ints, so they are
+ * not really associated with any particular type.
+ */
+#define WANT_INET(x)            (((x) & DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x)           (((x) & DNS_ADBFIND_INET6) != 0)
+
+#define EXPIRE_OK(exp, now)     ((exp == INT_MAX) || (exp < now))
+
+/*
+ * Find out if the flags on a name (nf) indicate if it is a hint or
+ * glue, and compare this to the appropriate bits set in o, to see if
+ * this is ok.
+ */
+#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
+#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
+#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
+#define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
+				    ((o) & DNS_ADBFIND_STARTATZONE))
+
+#define ENTER_LEVEL             ISC_LOG_DEBUG(50)
+#define EXIT_LEVEL              ENTER_LEVEL
+#define CLEAN_LEVEL             ISC_LOG_DEBUG(100)
+#define DEF_LEVEL               ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL            ISC_LOG_DEBUG(20)
+
+#define NCACHE_RESULT(r)        ((r) == DNS_R_NCACHENXDOMAIN || \
+				 (r) == DNS_R_NCACHENXRRSET)
+#define AUTH_NX(r)              ((r) == DNS_R_NXDOMAIN || \
+				 (r) == DNS_R_NXRRSET)
+#define NXDOMAIN_RESULT(r)      ((r) == DNS_R_NXDOMAIN || \
+				 (r) == DNS_R_NCACHENXDOMAIN)
+#define NXRRSET_RESULT(r)       ((r) == DNS_R_NCACHENXRRSET || \
+				 (r) == DNS_R_NXRRSET || \
+				 (r) == DNS_R_HINTNXRRSET)
+
+/*
+ * Error state rankings.
+ */
+
+#define FIND_ERR_SUCCESS                0  /* highest rank */
+#define FIND_ERR_CANCELED               1
+#define FIND_ERR_FAILURE                2
+#define FIND_ERR_NXDOMAIN               3
+#define FIND_ERR_NXRRSET                4
+#define FIND_ERR_UNEXPECTED             5
+#define FIND_ERR_NOTFOUND               6
+#define FIND_ERR_MAX                    7
+
+static const char *errnames[] = {
+	"success",
+	"canceled",
+	"failure",
+	"nxdomain",
+	"nxrrset",
+	"unexpected",
+	"not_found"
+};
+
+#define NEWERR(old, new)        (ISC_MIN((old), (new)))
+
+static isc_result_t find_err_map[FIND_ERR_MAX] = {
+	ISC_R_SUCCESS,
+	ISC_R_CANCELED,
+	ISC_R_FAILURE,
+	DNS_R_NXDOMAIN,
+	DNS_R_NXRRSET,
+	ISC_R_UNEXPECTED,
+	ISC_R_NOTFOUND          /* not YET found */
+};
+
+static void
+DP(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+
+static void
+DP(int level, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx,
+		       DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+		       level, format, args);
+	va_end(args);
+}
+
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static inline void
+inc_stats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->resstats != NULL)
+		isc_stats_increment(adb->view->resstats, counter);
+}
+
+/*%
+ * Set adb-related statistics counters.
+ */
+static inline void
+set_adbstat(dns_adb_t *adb, uint64_t val, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL)
+		isc_stats_set(adb->view->adbstats, val, counter);
+}
+
+static inline void
+dec_adbstats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL)
+		isc_stats_decrement(adb->view->adbstats, counter);
+}
+
+static inline void
+inc_adbstats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->adbstats != NULL)
+		isc_stats_increment(adb->view->adbstats, counter);
+}
+
+static inline dns_ttl_t
+ttlclamp(dns_ttl_t ttl) {
+	if (ttl < ADB_CACHE_MINIMUM)
+		ttl = ADB_CACHE_MINIMUM;
+	if (ttl > ADB_CACHE_MAXIMUM)
+		ttl = ADB_CACHE_MAXIMUM;
+
+	return (ttl);
+}
+
+/*
+ * Hashing is most efficient if the number of buckets is prime.
+ * The sequence below is the closest previous primes to 2^n and
+ * 1.5 * 2^n, for values of n from 10 to 28.  (The tables will
+ * no longer grow beyond 2^28 entries.)
+ */
+static const unsigned nbuckets[] = { 1021, 1531, 2039, 3067, 4093, 6143,
+				     8191, 12281, 16381, 24571, 32749,
+				     49193, 65521, 98299, 131071, 199603,
+				     262139, 393209, 524287, 768431, 1048573,
+				     1572853, 2097143, 3145721, 4194301,
+				     6291449, 8388593, 12582893, 16777213,
+				     25165813, 33554393, 50331599, 67108859,
+				     100663291, 134217689, 201326557,
+				     268535431, 0 };
+
+static void
+grow_entries(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+	dns_adbentry_t *e;
+	dns_adbentrylist_t *newdeadentries = NULL;
+	dns_adbentrylist_t *newentries = NULL;
+	bool *newentry_sd = NULL;
+	isc_mutex_t *newentrylocks = NULL;
+	isc_result_t result;
+	unsigned int *newentry_refcnt = NULL;
+	unsigned int i, n, bucket;
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+
+	result = isc_task_beginexclusive(task);
+	if (result != ISC_R_SUCCESS)
+		goto check_exit;
+
+	i = 0;
+	while (nbuckets[i] != 0 && adb->nentries >= nbuckets[i])
+		i++;
+	if (nbuckets[i] != 0)
+		n = nbuckets[i];
+	else
+		goto done;
+
+	DP(ISC_LOG_INFO, "adb: grow_entries to %u starting", n);
+
+	/*
+	 * Are we shutting down?
+	 */
+	for (i = 0; i < adb->nentries; i++)
+		if (adb->entry_sd[i])
+			goto cleanup;
+
+	/*
+	 * Grab all the resources we need.
+	 */
+	newentries = isc_mem_get(adb->mctx, sizeof(*newentries) * n);
+	newdeadentries = isc_mem_get(adb->mctx, sizeof(*newdeadentries) * n);
+	newentrylocks = isc_mem_get(adb->mctx, sizeof(*newentrylocks) * n);
+	newentry_sd = isc_mem_get(adb->mctx, sizeof(*newentry_sd) * n);
+	newentry_refcnt = isc_mem_get(adb->mctx, sizeof(*newentry_refcnt) * n);
+	if (newentries == NULL || newdeadentries == NULL ||
+	    newentrylocks == NULL || newentry_sd == NULL ||
+	    newentry_refcnt == NULL)
+		goto cleanup;
+
+	/*
+	 * Initialise the new resources.
+	 */
+	result = isc_mutexblock_init(newentrylocks, n);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (i = 0; i < n; i++) {
+		ISC_LIST_INIT(newentries[i]);
+		ISC_LIST_INIT(newdeadentries[i]);
+		newentry_sd[i] = false;
+		newentry_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+
+	/*
+	 * Move entries to new arrays.
+	 */
+	for (i = 0; i < adb->nentries; i++) {
+		e = ISC_LIST_HEAD(adb->entries[i]);
+		while (e != NULL) {
+			ISC_LIST_UNLINK(adb->entries[i], e, plink);
+			bucket = isc_sockaddr_hash(&e->sockaddr, true) % n;
+			e->lock_bucket = bucket;
+			ISC_LIST_APPEND(newentries[bucket], e, plink);
+			INSIST(adb->entry_refcnt[i] > 0);
+			adb->entry_refcnt[i]--;
+			newentry_refcnt[bucket]++;
+			e = ISC_LIST_HEAD(adb->entries[i]);
+		}
+		e = ISC_LIST_HEAD(adb->deadentries[i]);
+		while (e != NULL) {
+			ISC_LIST_UNLINK(adb->deadentries[i], e, plink);
+			bucket = isc_sockaddr_hash(&e->sockaddr, true) % n;
+			e->lock_bucket = bucket;
+			ISC_LIST_APPEND(newdeadentries[bucket], e, plink);
+			INSIST(adb->entry_refcnt[i] > 0);
+			adb->entry_refcnt[i]--;
+			newentry_refcnt[bucket]++;
+			e = ISC_LIST_HEAD(adb->deadentries[i]);
+		}
+		INSIST(adb->entry_refcnt[i] == 0);
+		adb->irefcnt--;
+	}
+
+	/*
+	 * Cleanup old resources.
+	 */
+	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
+	isc_mem_put(adb->mctx, adb->entries,
+		    sizeof(*adb->entries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->deadentries,
+		    sizeof(*adb->deadentries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entrylocks,
+		    sizeof(*adb->entrylocks) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_sd,
+		    sizeof(*adb->entry_sd) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_refcnt,
+		    sizeof(*adb->entry_refcnt) * adb->nentries);
+
+	/*
+	 * Install new resources.
+	 */
+	adb->entries = newentries;
+	adb->deadentries = newdeadentries;
+	adb->entrylocks = newentrylocks;
+	adb->entry_sd = newentry_sd;
+	adb->entry_refcnt = newentry_refcnt;
+	adb->nentries = n;
+
+	set_adbstat(adb, adb->nentries, dns_adbstats_nentries);
+
+	/*
+	 * Only on success do we set adb->growentries_sent to false.
+	 * This will prevent us being continuously being called on error.
+	 */
+	adb->growentries_sent = false;
+	goto done;
+
+ cleanup:
+	if (newentries != NULL)
+		isc_mem_put(adb->mctx, newentries,
+			    sizeof(*newentries) * n);
+	if (newdeadentries != NULL)
+		isc_mem_put(adb->mctx, newdeadentries,
+			    sizeof(*newdeadentries) * n);
+	if (newentrylocks != NULL)
+		isc_mem_put(adb->mctx, newentrylocks,
+			    sizeof(*newentrylocks) * n);
+	if (newentry_sd != NULL)
+		isc_mem_put(adb->mctx, newentry_sd,
+			    sizeof(*newentry_sd) * n);
+	if (newentry_refcnt != NULL)
+		isc_mem_put(adb->mctx, newentry_refcnt,
+			     sizeof(*newentry_refcnt) * n);
+ done:
+	isc_task_endexclusive(task);
+
+ check_exit:
+	LOCK(&adb->lock);
+	if (dec_adb_irefcnt(adb))
+		check_exit(adb);
+	UNLOCK(&adb->lock);
+	DP(ISC_LOG_INFO, "adb: grow_entries finished");
+}
+
+static void
+grow_names(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+	dns_adbname_t *name;
+	dns_adbnamelist_t *newdeadnames = NULL;
+	dns_adbnamelist_t *newnames = NULL;
+	bool *newname_sd = NULL;
+	isc_mutex_t *newnamelocks = NULL;
+	isc_result_t result;
+	unsigned int *newname_refcnt = NULL;
+	unsigned int i, n, bucket;
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+
+	result = isc_task_beginexclusive(task);
+	if (result != ISC_R_SUCCESS)
+		goto check_exit;
+
+	i = 0;
+	while (nbuckets[i] != 0 && adb->nnames >= nbuckets[i])
+		i++;
+	if (nbuckets[i] != 0)
+		n = nbuckets[i];
+	else
+		goto done;
+
+	DP(ISC_LOG_INFO, "adb: grow_names to %u starting", n);
+
+	/*
+	 * Are we shutting down?
+	 */
+	for (i = 0; i < adb->nnames; i++)
+		if (adb->name_sd[i])
+			goto cleanup;
+
+	/*
+	 * Grab all the resources we need.
+	 */
+	newnames = isc_mem_get(adb->mctx, sizeof(*newnames) * n);
+	newdeadnames = isc_mem_get(adb->mctx, sizeof(*newdeadnames) * n);
+	newnamelocks = isc_mem_get(adb->mctx, sizeof(*newnamelocks) * n);
+	newname_sd = isc_mem_get(adb->mctx, sizeof(*newname_sd) * n);
+	newname_refcnt = isc_mem_get(adb->mctx, sizeof(*newname_refcnt) * n);
+	if (newnames == NULL || newdeadnames == NULL ||
+	    newnamelocks == NULL || newname_sd == NULL ||
+	    newname_refcnt == NULL)
+		goto cleanup;
+
+	/*
+	 * Initialise the new resources.
+	 */
+	result = isc_mutexblock_init(newnamelocks, n);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (i = 0; i < n; i++) {
+		ISC_LIST_INIT(newnames[i]);
+		ISC_LIST_INIT(newdeadnames[i]);
+		newname_sd[i] = false;
+		newname_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+
+	/*
+	 * Move names to new arrays.
+	 */
+	for (i = 0; i < adb->nnames; i++) {
+		name = ISC_LIST_HEAD(adb->names[i]);
+		while (name != NULL) {
+			ISC_LIST_UNLINK(adb->names[i], name, plink);
+			bucket = dns_name_fullhash(&name->name, true) % n;
+			name->lock_bucket = bucket;
+			ISC_LIST_APPEND(newnames[bucket], name, plink);
+			INSIST(adb->name_refcnt[i] > 0);
+			adb->name_refcnt[i]--;
+			newname_refcnt[bucket]++;
+			name = ISC_LIST_HEAD(adb->names[i]);
+		}
+		name = ISC_LIST_HEAD(adb->deadnames[i]);
+		while (name != NULL) {
+			ISC_LIST_UNLINK(adb->deadnames[i], name, plink);
+			bucket = dns_name_fullhash(&name->name, true) % n;
+			name->lock_bucket = bucket;
+			ISC_LIST_APPEND(newdeadnames[bucket], name, plink);
+			INSIST(adb->name_refcnt[i] > 0);
+			adb->name_refcnt[i]--;
+			newname_refcnt[bucket]++;
+			name = ISC_LIST_HEAD(adb->deadnames[i]);
+		}
+		INSIST(adb->name_refcnt[i] == 0);
+		adb->irefcnt--;
+	}
+
+	/*
+	 * Cleanup old resources.
+	 */
+	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
+	isc_mem_put(adb->mctx, adb->names,
+		    sizeof(*adb->names) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->deadnames,
+		    sizeof(*adb->deadnames) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->namelocks,
+		    sizeof(*adb->namelocks) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_sd,
+		    sizeof(*adb->name_sd) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_refcnt,
+		    sizeof(*adb->name_refcnt) * adb->nnames);
+
+	/*
+	 * Install new resources.
+	 */
+	adb->names = newnames;
+	adb->deadnames = newdeadnames;
+	adb->namelocks = newnamelocks;
+	adb->name_sd = newname_sd;
+	adb->name_refcnt = newname_refcnt;
+	adb->nnames = n;
+
+	set_adbstat(adb, adb->nnames, dns_adbstats_nnames);
+
+	/*
+	 * Only on success do we set adb->grownames_sent to false.
+	 * This will prevent us being continuously being called on error.
+	 */
+	adb->grownames_sent = false;
+	goto done;
+
+ cleanup:
+	if (newnames != NULL)
+		isc_mem_put(adb->mctx, newnames, sizeof(*newnames) * n);
+	if (newdeadnames != NULL)
+		isc_mem_put(adb->mctx, newdeadnames, sizeof(*newdeadnames) * n);
+	if (newnamelocks != NULL)
+		isc_mem_put(adb->mctx, newnamelocks, sizeof(*newnamelocks) * n);
+	if (newname_sd != NULL)
+		isc_mem_put(adb->mctx, newname_sd, sizeof(*newname_sd) * n);
+	if (newname_refcnt != NULL)
+		isc_mem_put(adb->mctx, newname_refcnt,
+			     sizeof(*newname_refcnt) * n);
+ done:
+	isc_task_endexclusive(task);
+
+ check_exit:
+	LOCK(&adb->lock);
+	if (dec_adb_irefcnt(adb))
+		check_exit(adb);
+	UNLOCK(&adb->lock);
+	DP(ISC_LOG_INFO, "adb: grow_names finished");
+}
+
+/*
+ * Requires the adbname bucket be locked and that no entry buckets be locked.
+ *
+ * This code handles A and AAAA rdatasets only.
+ */
+static isc_result_t
+import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
+		isc_stdtime_t now)
+{
+	isc_result_t result;
+	dns_adb_t *adb;
+	dns_adbnamehook_t *nh;
+	dns_adbnamehook_t *anh;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_sockaddr_t sockaddr;
+	dns_adbentry_t *foundentry;  /* NO CLEAN UP! */
+	int addr_bucket;
+	bool new_addresses_added;
+	dns_rdatatype_t rdtype;
+	unsigned int findoptions;
+	dns_adbnamehooklist_t *hookhead;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	rdtype = rdataset->type;
+	INSIST((rdtype == dns_rdatatype_a) || (rdtype == dns_rdatatype_aaaa));
+	if (rdtype == dns_rdatatype_a)
+		findoptions = DNS_ADBFIND_INET;
+	else
+		findoptions = DNS_ADBFIND_INET6;
+
+	addr_bucket = DNS_ADB_INVALIDBUCKET;
+	new_addresses_added = false;
+
+	nh = NULL;
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		if (rdtype == dns_rdatatype_a) {
+			INSIST(rdata.length == 4);
+			memmove(&ina.s_addr, rdata.data, 4);
+			isc_sockaddr_fromin(&sockaddr, &ina, 0);
+			hookhead = &adbname->v4;
+		} else {
+			INSIST(rdata.length == 16);
+			memmove(in6a.s6_addr, rdata.data, 16);
+			isc_sockaddr_fromin6(&sockaddr, &in6a, 0);
+			hookhead = &adbname->v6;
+		}
+
+		INSIST(nh == NULL);
+		nh = new_adbnamehook(adb, NULL);
+		if (nh == NULL) {
+			adbname->partial_result |= findoptions;
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+
+		foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket,
+						 now);
+		if (foundentry == NULL) {
+			dns_adbentry_t *entry;
+
+			entry = new_adbentry(adb);
+			if (entry == NULL) {
+				adbname->partial_result |= findoptions;
+				result = ISC_R_NOMEMORY;
+				goto fail;
+			}
+
+			entry->sockaddr = sockaddr;
+			entry->refcnt = 1;
+			entry->nh = 1;
+
+			nh->entry = entry;
+
+			link_entry(adb, addr_bucket, entry);
+		} else {
+			for (anh = ISC_LIST_HEAD(*hookhead);
+			     anh != NULL;
+			     anh = ISC_LIST_NEXT(anh, plink))
+				if (anh->entry == foundentry)
+					break;
+			if (anh == NULL) {
+				foundentry->refcnt++;
+				foundentry->nh++;
+				nh->entry = foundentry;
+			} else
+				free_adbnamehook(adb, &nh);
+		}
+
+		new_addresses_added = true;
+		if (nh != NULL)
+			ISC_LIST_APPEND(*hookhead, nh, plink);
+		nh = NULL;
+		result = dns_rdataset_next(rdataset);
+	}
+
+ fail:
+	if (nh != NULL)
+		free_adbnamehook(adb, &nh);
+
+	if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+		UNLOCK(&adb->entrylocks[addr_bucket]);
+
+	if (rdataset->trust == dns_trust_glue ||
+	    rdataset->trust == dns_trust_additional)
+		rdataset->ttl = ADB_CACHE_MINIMUM;
+	else if (rdataset->trust == dns_trust_ultimate)
+		rdataset->ttl = 0;
+	else
+		rdataset->ttl = ttlclamp(rdataset->ttl);
+
+	if (rdtype == dns_rdatatype_a) {
+		DP(NCACHE_LEVEL, "expire_v4 set to MIN(%u,%u) import_rdataset",
+		   adbname->expire_v4, now + rdataset->ttl);
+		adbname->expire_v4 = ISC_MIN(adbname->expire_v4,
+					     ISC_MIN(now + ADB_ENTRY_WINDOW,
+						     now + rdataset->ttl));
+	} else {
+		DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) import_rdataset",
+		   adbname->expire_v6, now + rdataset->ttl);
+		adbname->expire_v6 = ISC_MIN(adbname->expire_v6,
+					     ISC_MIN(now + ADB_ENTRY_WINDOW,
+						     now + rdataset->ttl));
+	}
+
+	if (new_addresses_added) {
+		/*
+		 * Lie a little here.  This is more or less so code that cares
+		 * can find out if any new information was added or not.
+		 */
+		return (ISC_R_SUCCESS);
+	}
+
+	return (result);
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static bool
+kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
+	dns_adbname_t *name;
+	bool result = false;
+	bool result4, result6;
+	int bucket;
+	dns_adb_t *adb;
+
+	INSIST(n != NULL);
+	name = *n;
+	*n = NULL;
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	DP(DEF_LEVEL, "killing name %p", name);
+
+	/*
+	 * If we're dead already, just check to see if we should go
+	 * away now or not.
+	 */
+	if (NAME_DEAD(name) && !NAME_FETCH(name)) {
+		result = unlink_name(adb, name);
+		free_adbname(adb, &name);
+		if (result)
+			result = dec_adb_irefcnt(adb);
+		return (result);
+	}
+
+	/*
+	 * Clean up the name's various lists.  These two are destructive
+	 * in that they will always empty the list.
+	 */
+	clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
+	result4 = clean_namehooks(adb, &name->v4);
+	result6 = clean_namehooks(adb, &name->v6);
+	clean_target(adb, &name->target);
+	result = (result4 || result6);
+
+	/*
+	 * If fetches are running, cancel them.  If none are running, we can
+	 * just kill the name here.
+	 */
+	if (!NAME_FETCH(name)) {
+		INSIST(result == false);
+		result = unlink_name(adb, name);
+		free_adbname(adb, &name);
+		if (result)
+			result = dec_adb_irefcnt(adb);
+	} else {
+		cancel_fetches_at_name(name);
+		if (!NAME_DEAD(name)) {
+			bucket = name->lock_bucket;
+			ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+			ISC_LIST_APPEND(adb->deadnames[bucket], name, plink);
+			name->flags |= NAME_IS_DEAD;
+		}
+	}
+	return (result);
+}
+
+/*
+ * Requires the name's bucket be locked and no entry buckets be locked.
+ */
+static bool
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
+	dns_adb_t *adb;
+	bool result4 = false;
+	bool result6 = false;
+
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	/*
+	 * Check to see if we need to remove the v4 addresses
+	 */
+	if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
+		if (NAME_HAS_V4(name)) {
+			DP(DEF_LEVEL, "expiring v4 for name %p", name);
+			result4 = clean_namehooks(adb, &name->v4);
+			name->partial_result &= ~DNS_ADBFIND_INET;
+		}
+		name->expire_v4 = INT_MAX;
+		name->fetch_err = FIND_ERR_UNEXPECTED;
+	}
+
+	/*
+	 * Check to see if we need to remove the v6 addresses
+	 */
+	if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
+		if (NAME_HAS_V6(name)) {
+			DP(DEF_LEVEL, "expiring v6 for name %p", name);
+			result6 = clean_namehooks(adb, &name->v6);
+			name->partial_result &= ~DNS_ADBFIND_INET6;
+		}
+		name->expire_v6 = INT_MAX;
+		name->fetch6_err = FIND_ERR_UNEXPECTED;
+	}
+
+	/*
+	 * Check to see if we need to remove the alias target.
+	 */
+	if (EXPIRE_OK(name->expire_target, now)) {
+		clean_target(adb, &name->target);
+		name->expire_target = INT_MAX;
+	}
+	return (result4 || result6);
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static inline void
+link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
+	INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
+
+	ISC_LIST_PREPEND(adb->names[bucket], name, plink);
+	name->lock_bucket = bucket;
+	adb->name_refcnt[bucket]++;
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static inline bool
+unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
+	int bucket;
+	bool result = false;
+
+	bucket = name->lock_bucket;
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	if (NAME_DEAD(name))
+		ISC_LIST_UNLINK(adb->deadnames[bucket], name, plink);
+	else
+		ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	INSIST(adb->name_refcnt[bucket] > 0);
+	adb->name_refcnt[bucket]--;
+	if (adb->name_sd[bucket] && adb->name_refcnt[bucket] == 0)
+		result = true;
+	return (result);
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static inline void
+link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
+	int i;
+	dns_adbentry_t *e;
+
+	if (isc_mem_isovermem(adb->mctx)) {
+		for (i = 0; i < 2; i++) {
+			e = ISC_LIST_TAIL(adb->entries[bucket]);
+			if (e == NULL)
+				break;
+			if (e->refcnt == 0) {
+				unlink_entry(adb, e);
+				free_adbentry(adb, &e);
+				continue;
+			}
+			INSIST((e->flags & ENTRY_IS_DEAD) == 0);
+			e->flags |= ENTRY_IS_DEAD;
+			ISC_LIST_UNLINK(adb->entries[bucket], e, plink);
+			ISC_LIST_PREPEND(adb->deadentries[bucket], e, plink);
+		}
+	}
+
+	ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
+	entry->lock_bucket = bucket;
+	adb->entry_refcnt[bucket]++;
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static inline bool
+unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
+	int bucket;
+	bool result = false;
+
+	bucket = entry->lock_bucket;
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	if ((entry->flags & ENTRY_IS_DEAD) != 0)
+		ISC_LIST_UNLINK(adb->deadentries[bucket], entry, plink);
+	else
+		ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	INSIST(adb->entry_refcnt[bucket] > 0);
+	adb->entry_refcnt[bucket]--;
+	if (adb->entry_sd[bucket] && adb->entry_refcnt[bucket] == 0)
+		result = true;
+	return (result);
+}
+
+static inline void
+violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
+	if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
+		UNLOCK(have);
+		LOCK(want);
+		LOCK(have);
+	}
+}
+
+/*
+ * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
+ * checked after calling this function.
+ */
+static bool
+shutdown_names(dns_adb_t *adb) {
+	unsigned int bucket;
+	bool result = false;
+	dns_adbname_t *name;
+	dns_adbname_t *next_name;
+
+	for (bucket = 0; bucket < adb->nnames; bucket++) {
+		LOCK(&adb->namelocks[bucket]);
+		adb->name_sd[bucket] = true;
+
+		name = ISC_LIST_HEAD(adb->names[bucket]);
+		if (name == NULL) {
+			/*
+			 * This bucket has no names.  We must decrement the
+			 * irefcnt ourselves, since it will not be
+			 * automatically triggered by a name being unlinked.
+			 */
+			INSIST(result == false);
+			result = dec_adb_irefcnt(adb);
+		} else {
+			/*
+			 * Run through the list.  For each name, clean up finds
+			 * found there, and cancel any fetches running.  When
+			 * all the fetches are canceled, the name will destroy
+			 * itself.
+			 */
+			while (name != NULL) {
+				next_name = ISC_LIST_NEXT(name, plink);
+				INSIST(result == false);
+				result = kill_name(&name,
+						   DNS_EVENT_ADBSHUTDOWN);
+				name = next_name;
+			}
+		}
+
+		UNLOCK(&adb->namelocks[bucket]);
+	}
+	return (result);
+}
+
+/*
+ * The ADB _MUST_ be locked before calling.  Also, exit conditions must be
+ * checked after calling this function.
+ */
+static bool
+shutdown_entries(dns_adb_t *adb) {
+	unsigned int bucket;
+	bool result = false;
+	dns_adbentry_t *entry;
+	dns_adbentry_t *next_entry;
+
+	for (bucket = 0; bucket < adb->nentries; bucket++) {
+		LOCK(&adb->entrylocks[bucket]);
+		adb->entry_sd[bucket] = true;
+
+		entry = ISC_LIST_HEAD(adb->entries[bucket]);
+		if (adb->entry_refcnt[bucket] == 0) {
+			/*
+			 * This bucket has no entries.  We must decrement the
+			 * irefcnt ourselves, since it will not be
+			 * automatically triggered by an entry being unlinked.
+			 */
+			result = dec_adb_irefcnt(adb);
+		} else {
+			/*
+			 * Run through the list.  Cleanup any entries not
+			 * associated with names, and which are not in use.
+			 */
+			while (entry != NULL) {
+				next_entry = ISC_LIST_NEXT(entry, plink);
+				if (entry->refcnt == 0 &&
+				    entry->expires != 0) {
+					result = unlink_entry(adb, entry);
+					free_adbentry(adb, &entry);
+					if (result)
+						result = dec_adb_irefcnt(adb);
+				}
+				entry = next_entry;
+			}
+		}
+
+		UNLOCK(&adb->entrylocks[bucket]);
+	}
+	return (result);
+}
+
+/*
+ * Name bucket must be locked
+ */
+static void
+cancel_fetches_at_name(dns_adbname_t *name) {
+	if (NAME_FETCH_A(name))
+	    dns_resolver_cancelfetch(name->fetch_a->fetch);
+
+	if (NAME_FETCH_AAAA(name))
+	    dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static bool
+clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
+	dns_adbentry_t *entry;
+	dns_adbnamehook_t *namehook;
+	int addr_bucket;
+	bool result = false;
+	bool overmem = isc_mem_isovermem(adb->mctx);
+
+	addr_bucket = DNS_ADB_INVALIDBUCKET;
+	namehook = ISC_LIST_HEAD(*namehooks);
+	while (namehook != NULL) {
+		INSIST(DNS_ADBNAMEHOOK_VALID(namehook));
+
+		/*
+		 * Clean up the entry if needed.
+		 */
+		entry = namehook->entry;
+		if (entry != NULL) {
+			INSIST(DNS_ADBENTRY_VALID(entry));
+
+			if (addr_bucket != entry->lock_bucket) {
+				if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+					UNLOCK(&adb->entrylocks[addr_bucket]);
+				addr_bucket = entry->lock_bucket;
+				INSIST(addr_bucket != DNS_ADB_INVALIDBUCKET);
+				LOCK(&adb->entrylocks[addr_bucket]);
+			}
+
+			entry->nh--;
+			result = dec_entry_refcnt(adb, overmem, entry,
+						  false);
+		}
+
+		/*
+		 * Free the namehook
+		 */
+		namehook->entry = NULL;
+		ISC_LIST_UNLINK(*namehooks, namehook, plink);
+		free_adbnamehook(adb, &namehook);
+
+		namehook = ISC_LIST_HEAD(*namehooks);
+	}
+
+	if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+		UNLOCK(&adb->entrylocks[addr_bucket]);
+	return (result);
+}
+
+static void
+clean_target(dns_adb_t *adb, dns_name_t *target) {
+	if (dns_name_countlabels(target) > 0) {
+		dns_name_free(target, adb->mctx);
+		dns_name_init(target, NULL);
+	}
+}
+
+static isc_result_t
+set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
+	   dns_rdataset_t *rdataset, dns_name_t *target)
+{
+	isc_result_t result;
+	dns_namereln_t namereln;
+	unsigned int nlabels;
+	int order;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_fixedname_t fixed1, fixed2;
+	dns_name_t *prefix, *new_target;
+
+	REQUIRE(dns_name_countlabels(target) == 0);
+
+	if (rdataset->type == dns_rdatatype_cname) {
+		dns_rdata_cname_t cname;
+
+		/*
+		 * Copy the CNAME's target into the target name.
+		 */
+		result = dns_rdataset_first(rdataset);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = dns_name_dup(&cname.cname, adb->mctx, target);
+		dns_rdata_freestruct(&cname);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
+		dns_rdata_dname_t dname;
+
+		INSIST(rdataset->type == dns_rdatatype_dname);
+		namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
+		INSIST(namereln == dns_namereln_subdomain);
+		/*
+		 * Get the target name of the DNAME.
+		 */
+		result = dns_rdataset_first(rdataset);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		/*
+		 * Construct the new target name.
+		 */
+		prefix = dns_fixedname_initname(&fixed1);
+		new_target = dns_fixedname_initname(&fixed2);
+		dns_name_split(name, nlabels, prefix, NULL);
+		result = dns_name_concatenate(prefix, &dname.dname, new_target,
+					      NULL);
+		dns_rdata_freestruct(&dname);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = dns_name_dup(new_target, adb->mctx, target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Assumes nothing is locked, since this is called by the client.
+ */
+static void
+event_free(isc_event_t *event) {
+	dns_adbfind_t *find;
+
+	INSIST(event != NULL);
+	find = event->ev_destroy_arg;
+	INSIST(DNS_ADBFIND_VALID(find));
+
+	LOCK(&find->lock);
+	find->flags |= FIND_EVENT_FREED;
+	event->ev_destroy_arg = NULL;
+	UNLOCK(&find->lock);
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static void
+clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+		    unsigned int addrs)
+{
+	isc_event_t *ev;
+	isc_task_t *task;
+	dns_adbfind_t *find;
+	dns_adbfind_t *next_find;
+	bool process;
+	unsigned int wanted, notify;
+
+	DP(ENTER_LEVEL,
+	   "ENTER clean_finds_at_name, name %p, evtype %08x, addrs %08x",
+	   name, evtype, addrs);
+
+	find = ISC_LIST_HEAD(name->finds);
+	while (find != NULL) {
+		LOCK(&find->lock);
+		next_find = ISC_LIST_NEXT(find, plink);
+
+		process = false;
+		wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+		notify = wanted & addrs;
+
+		switch (evtype) {
+		case DNS_EVENT_ADBMOREADDRESSES:
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
+			if ((notify) != 0) {
+				find->flags &= ~addrs;
+				process = true;
+			}
+			break;
+		case DNS_EVENT_ADBNOMOREADDRESSES:
+			DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
+			find->flags &= ~addrs;
+			wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+			if (wanted == 0)
+				process = true;
+			break;
+		default:
+			find->flags &= ~addrs;
+			process = true;
+		}
+
+		if (process) {
+			DP(DEF_LEVEL, "cfan: processing find %p", find);
+			/*
+			 * Unlink the find from the name, letting the caller
+			 * call dns_adb_destroyfind() on it to clean it up
+			 * later.
+			 */
+			ISC_LIST_UNLINK(name->finds, find, plink);
+			find->adbname = NULL;
+			find->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+			INSIST(!FIND_EVENTSENT(find));
+
+			ev = &find->event;
+			task = ev->ev_sender;
+			ev->ev_sender = find;
+			find->result_v4 = find_err_map[name->fetch_err];
+			find->result_v6 = find_err_map[name->fetch6_err];
+			ev->ev_type = evtype;
+			ev->ev_destroy = event_free;
+			ev->ev_destroy_arg = find;
+
+			DP(DEF_LEVEL,
+			   "sending event %p to task %p for find %p",
+			   ev, task, find);
+
+			isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+			find->flags |= FIND_EVENT_SENT;
+		} else {
+			DP(DEF_LEVEL, "cfan: skipping find %p", find);
+		}
+
+		UNLOCK(&find->lock);
+		find = next_find;
+	}
+
+	DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name);
+}
+
+static inline void
+check_exit(dns_adb_t *adb) {
+	isc_event_t *event;
+	/*
+	 * The caller must be holding the adb lock.
+	 */
+	if (adb->shutting_down) {
+		/*
+		 * If there aren't any external references either, we're
+		 * done.  Send the control event to initiate shutdown.
+		 */
+		INSIST(!adb->cevent_out);      /* Sanity check. */
+		ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+			       DNS_EVENT_ADBCONTROL, shutdown_task, adb,
+			       adb, NULL, NULL);
+		event = &adb->cevent;
+		isc_task_send(adb->task, &event);
+		adb->cevent_out = true;
+	}
+}
+
+static inline bool
+dec_adb_irefcnt(dns_adb_t *adb) {
+	isc_event_t *event;
+	isc_task_t *etask;
+	bool result = false;
+
+	LOCK(&adb->reflock);
+
+	INSIST(adb->irefcnt > 0);
+	adb->irefcnt--;
+
+	if (adb->irefcnt == 0) {
+		event = ISC_LIST_HEAD(adb->whenshutdown);
+		while (event != NULL) {
+			ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
+			etask = event->ev_sender;
+			event->ev_sender = adb;
+			isc_task_sendanddetach(&etask, &event);
+			event = ISC_LIST_HEAD(adb->whenshutdown);
+		}
+	}
+
+	if (adb->irefcnt == 0 && adb->erefcnt == 0)
+		result = true;
+	UNLOCK(&adb->reflock);
+	return (result);
+}
+
+static inline void
+inc_adb_irefcnt(dns_adb_t *adb) {
+	LOCK(&adb->reflock);
+	adb->irefcnt++;
+	UNLOCK(&adb->reflock);
+}
+
+static inline void
+inc_adb_erefcnt(dns_adb_t *adb) {
+	LOCK(&adb->reflock);
+	adb->erefcnt++;
+	UNLOCK(&adb->reflock);
+}
+
+static inline void
+inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, bool lock) {
+	int bucket;
+
+	bucket = entry->lock_bucket;
+
+	if (lock)
+		LOCK(&adb->entrylocks[bucket]);
+
+	entry->refcnt++;
+
+	if (lock)
+		UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static inline bool
+dec_entry_refcnt(dns_adb_t *adb, bool overmem, dns_adbentry_t *entry,
+		 bool lock)
+{
+	int bucket;
+	bool destroy_entry;
+	bool result = false;
+
+	bucket = entry->lock_bucket;
+
+	if (lock)
+		LOCK(&adb->entrylocks[bucket]);
+
+	INSIST(entry->refcnt > 0);
+	entry->refcnt--;
+
+	destroy_entry = false;
+	if (entry->refcnt == 0 &&
+	    (adb->entry_sd[bucket] || entry->expires == 0 || overmem ||
+	     (entry->flags & ENTRY_IS_DEAD) != 0)) {
+		destroy_entry = true;
+		result = unlink_entry(adb, entry);
+	}
+
+	if (lock)
+		UNLOCK(&adb->entrylocks[bucket]);
+
+	if (!destroy_entry)
+		return (result);
+
+	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+
+	free_adbentry(adb, &entry);
+	if (result)
+		result = dec_adb_irefcnt(adb);
+
+	return (result);
+}
+
+static inline dns_adbname_t *
+new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
+	dns_adbname_t *name;
+
+	name = isc_mempool_get(adb->nmp);
+	if (name == NULL)
+		return (NULL);
+
+	dns_name_init(&name->name, NULL);
+	if (dns_name_dup(dnsname, adb->mctx, &name->name) != ISC_R_SUCCESS) {
+		isc_mempool_put(adb->nmp, name);
+		return (NULL);
+	}
+	dns_name_init(&name->target, NULL);
+	name->magic = DNS_ADBNAME_MAGIC;
+	name->adb = adb;
+	name->partial_result = 0;
+	name->flags = 0;
+	name->expire_v4 = INT_MAX;
+	name->expire_v6 = INT_MAX;
+	name->expire_target = INT_MAX;
+	name->chains = 0;
+	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	ISC_LIST_INIT(name->v4);
+	ISC_LIST_INIT(name->v6);
+	name->fetch_a = NULL;
+	name->fetch_aaaa = NULL;
+	name->fetch_err = FIND_ERR_UNEXPECTED;
+	name->fetch6_err = FIND_ERR_UNEXPECTED;
+	ISC_LIST_INIT(name->finds);
+	ISC_LINK_INIT(name, plink);
+
+	LOCK(&adb->namescntlock);
+	adb->namescnt++;
+	inc_adbstats(adb, dns_adbstats_namescnt);
+	if (!adb->grownames_sent && adb->excl != NULL &&
+	    adb->namescnt > (adb->nnames * 8))
+	{
+		isc_event_t *event = &adb->grownames;
+		inc_adb_irefcnt(adb);
+		isc_task_send(adb->excl, &event);
+		adb->grownames_sent = true;
+	}
+	UNLOCK(&adb->namescntlock);
+
+	return (name);
+}
+
+static inline void
+free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
+	dns_adbname_t *n;
+
+	INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
+	n = *name;
+	*name = NULL;
+
+	INSIST(!NAME_HAS_V4(n));
+	INSIST(!NAME_HAS_V6(n));
+	INSIST(!NAME_FETCH(n));
+	INSIST(ISC_LIST_EMPTY(n->finds));
+	INSIST(!ISC_LINK_LINKED(n, plink));
+	INSIST(n->lock_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(n->adb == adb);
+
+	n->magic = 0;
+	dns_name_free(&n->name, adb->mctx);
+
+	isc_mempool_put(adb->nmp, n);
+	LOCK(&adb->namescntlock);
+	adb->namescnt--;
+	dec_adbstats(adb, dns_adbstats_namescnt);
+	UNLOCK(&adb->namescntlock);
+}
+
+static inline dns_adbnamehook_t *
+new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
+	dns_adbnamehook_t *nh;
+
+	nh = isc_mempool_get(adb->nhmp);
+	if (nh == NULL)
+		return (NULL);
+
+	nh->magic = DNS_ADBNAMEHOOK_MAGIC;
+	nh->entry = entry;
+	ISC_LINK_INIT(nh, plink);
+
+	return (nh);
+}
+
+static inline void
+free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
+	dns_adbnamehook_t *nh;
+
+	INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
+	nh = *namehook;
+	*namehook = NULL;
+
+	INSIST(nh->entry == NULL);
+	INSIST(!ISC_LINK_LINKED(nh, plink));
+
+	nh->magic = 0;
+	isc_mempool_put(adb->nhmp, nh);
+}
+
+static inline dns_adblameinfo_t *
+new_adblameinfo(dns_adb_t *adb, dns_name_t *qname, dns_rdatatype_t qtype) {
+	dns_adblameinfo_t *li;
+
+	li = isc_mempool_get(adb->limp);
+	if (li == NULL)
+		return (NULL);
+
+	dns_name_init(&li->qname, NULL);
+	if (dns_name_dup(qname, adb->mctx, &li->qname) != ISC_R_SUCCESS) {
+		isc_mempool_put(adb->limp, li);
+		return (NULL);
+	}
+	li->magic = DNS_ADBLAMEINFO_MAGIC;
+	li->lame_timer = 0;
+	li->qtype = qtype;
+	ISC_LINK_INIT(li, plink);
+
+	return (li);
+}
+
+static inline void
+free_adblameinfo(dns_adb_t *adb, dns_adblameinfo_t **lameinfo) {
+	dns_adblameinfo_t *li;
+
+	INSIST(lameinfo != NULL && DNS_ADBLAMEINFO_VALID(*lameinfo));
+	li = *lameinfo;
+	*lameinfo = NULL;
+
+	INSIST(!ISC_LINK_LINKED(li, plink));
+
+	dns_name_free(&li->qname, adb->mctx);
+
+	li->magic = 0;
+
+	isc_mempool_put(adb->limp, li);
+}
+
+static inline dns_adbentry_t *
+new_adbentry(dns_adb_t *adb) {
+	dns_adbentry_t *e;
+	uint32_t r;
+
+	e = isc_mempool_get(adb->emp);
+	if (e == NULL)
+		return (NULL);
+
+	e->magic = DNS_ADBENTRY_MAGIC;
+	e->lock_bucket = DNS_ADB_INVALIDBUCKET;
+	e->refcnt = 0;
+	e->nh = 0;
+	e->flags = 0;
+	e->udpsize = 0;
+	e->edns = 0;
+	e->completed = 0;
+	e->timeouts = 0;
+	e->plain = 0;
+	e->plainto = 0;
+	e->to4096 = 0;
+	e->to1432 = 0;
+	e->to1232 = 0;
+	e->to512 = 0;
+	e->cookie = NULL;
+	e->cookielen = 0;
+	isc_random_get(&r);
+	e->srtt = (r & 0x1f) + 1;
+	e->lastage = 0;
+	e->expires = 0;
+	e->active = 0;
+	e->mode = 0;
+	e->quota = adb->quota;
+	e->atr = 0.0;
+	ISC_LIST_INIT(e->lameinfo);
+	ISC_LINK_INIT(e, plink);
+	LOCK(&adb->entriescntlock);
+	adb->entriescnt++;
+	inc_adbstats(adb, dns_adbstats_entriescnt);
+	if (!adb->growentries_sent && adb->excl != NULL &&
+	    adb->entriescnt > (adb->nentries * 8))
+	{
+		isc_event_t *event = &adb->growentries;
+		inc_adb_irefcnt(adb);
+		isc_task_send(adb->excl, &event);
+		adb->growentries_sent = true;
+	}
+	UNLOCK(&adb->entriescntlock);
+
+	return (e);
+}
+
+static inline void
+free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
+	dns_adbentry_t *e;
+	dns_adblameinfo_t *li;
+
+	INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
+	e = *entry;
+	*entry = NULL;
+
+	INSIST(e->lock_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(e->refcnt == 0);
+	INSIST(!ISC_LINK_LINKED(e, plink));
+
+	e->magic = 0;
+
+	if (e->cookie != NULL)
+		isc_mem_put(adb->mctx, e->cookie, e->cookielen);
+
+	li = ISC_LIST_HEAD(e->lameinfo);
+	while (li != NULL) {
+		ISC_LIST_UNLINK(e->lameinfo, li, plink);
+		free_adblameinfo(adb, &li);
+		li = ISC_LIST_HEAD(e->lameinfo);
+	}
+
+	isc_mempool_put(adb->emp, e);
+	LOCK(&adb->entriescntlock);
+	adb->entriescnt--;
+	dec_adbstats(adb, dns_adbstats_entriescnt);
+	UNLOCK(&adb->entriescntlock);
+}
+
+static inline dns_adbfind_t *
+new_adbfind(dns_adb_t *adb) {
+	dns_adbfind_t *h;
+	isc_result_t result;
+
+	h = isc_mempool_get(adb->ahmp);
+	if (h == NULL)
+		return (NULL);
+
+	/*
+	 * Public members.
+	 */
+	h->magic = 0;
+	h->adb = adb;
+	h->partial_result = 0;
+	h->options = 0;
+	h->flags = 0;
+	h->result_v4 = ISC_R_UNEXPECTED;
+	h->result_v6 = ISC_R_UNEXPECTED;
+	ISC_LINK_INIT(h, publink);
+	ISC_LINK_INIT(h, plink);
+	ISC_LIST_INIT(h->list);
+	h->adbname = NULL;
+	h->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+	/*
+	 * private members
+	 */
+	result = isc_mutex_init(&h->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mempool_put(adb->ahmp, h);
+		return (NULL);
+	}
+
+	ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
+		       NULL, NULL, h);
+
+	inc_adb_irefcnt(adb);
+	h->magic = DNS_ADBFIND_MAGIC;
+	return (h);
+}
+
+static inline dns_adbfetch_t *
+new_adbfetch(dns_adb_t *adb) {
+	dns_adbfetch_t *f;
+
+	f = isc_mempool_get(adb->afmp);
+	if (f == NULL)
+		return (NULL);
+
+	f->magic = 0;
+	f->fetch = NULL;
+
+	dns_rdataset_init(&f->rdataset);
+
+	f->magic = DNS_ADBFETCH_MAGIC;
+
+	return (f);
+}
+
+static inline void
+free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
+	dns_adbfetch_t *f;
+
+	INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
+	f = *fetch;
+	*fetch = NULL;
+
+	f->magic = 0;
+
+	if (dns_rdataset_isassociated(&f->rdataset))
+		dns_rdataset_disassociate(&f->rdataset);
+
+	isc_mempool_put(adb->afmp, f);
+}
+
+static inline bool
+free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
+	dns_adbfind_t *find;
+
+	INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
+	find = *findp;
+	*findp = NULL;
+
+	INSIST(!FIND_HAS_ADDRS(find));
+	INSIST(!ISC_LINK_LINKED(find, publink));
+	INSIST(!ISC_LINK_LINKED(find, plink));
+	INSIST(find->name_bucket == DNS_ADB_INVALIDBUCKET);
+	INSIST(find->adbname == NULL);
+
+	find->magic = 0;
+
+	DESTROYLOCK(&find->lock);
+	isc_mempool_put(adb->ahmp, find);
+	return (dec_adb_irefcnt(adb));
+}
+
+/*
+ * Copy bits from the entry into the newly allocated addrinfo.  The entry
+ * must be locked, and the reference count must be bumped up by one
+ * if this function returns a valid pointer.
+ */
+static inline dns_adbaddrinfo_t *
+new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) {
+	dns_adbaddrinfo_t *ai;
+
+	ai = isc_mempool_get(adb->aimp);
+	if (ai == NULL)
+		return (NULL);
+
+	ai->magic = DNS_ADBADDRINFO_MAGIC;
+	ai->sockaddr = entry->sockaddr;
+	isc_sockaddr_setport(&ai->sockaddr, port);
+	ai->srtt = entry->srtt;
+	ai->flags = entry->flags;
+	ai->entry = entry;
+	ai->dscp = -1;
+	ISC_LINK_INIT(ai, publink);
+
+	return (ai);
+}
+
+static inline void
+free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
+	dns_adbaddrinfo_t *ai;
+
+	INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
+	ai = *ainfo;
+	*ainfo = NULL;
+
+	INSIST(ai->entry == NULL);
+	INSIST(!ISC_LINK_LINKED(ai, publink));
+
+	ai->magic = 0;
+
+	isc_mempool_put(adb->aimp, ai);
+}
+
+/*
+ * Search for the name.  NOTE:  The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller!
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET.
+ */
+static inline dns_adbname_t *
+find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
+		   unsigned int options, int *bucketp)
+{
+	dns_adbname_t *adbname;
+	int bucket;
+
+	bucket = dns_name_fullhash(name, false) % adb->nnames;
+
+	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+		LOCK(&adb->namelocks[bucket]);
+		*bucketp = bucket;
+	} else if (*bucketp != bucket) {
+		UNLOCK(&adb->namelocks[*bucketp]);
+		LOCK(&adb->namelocks[bucket]);
+		*bucketp = bucket;
+	}
+
+	adbname = ISC_LIST_HEAD(adb->names[bucket]);
+	while (adbname != NULL) {
+		if (!NAME_DEAD(adbname)) {
+			if (dns_name_equal(name, &adbname->name)
+			    && GLUEHINT_OK(adbname, options)
+			    && STARTATZONE_MATCHES(adbname, options))
+				return (adbname);
+		}
+		adbname = ISC_LIST_NEXT(adbname, plink);
+	}
+
+	return (NULL);
+}
+
+/*
+ * Search for the address.  NOTE:  The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller.
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET.  This will cause a lock to occur.  On
+ * later calls (within the same "lock path") it can be left alone, so
+ * if this function is called multiple times locking is only done if
+ * the bucket changes.
+ */
+static inline dns_adbentry_t *
+find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp,
+	isc_stdtime_t now)
+{
+	dns_adbentry_t *entry, *entry_next;
+	int bucket;
+
+	bucket = isc_sockaddr_hash(addr, true) % adb->nentries;
+
+	if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+		LOCK(&adb->entrylocks[bucket]);
+		*bucketp = bucket;
+	} else if (*bucketp != bucket) {
+		UNLOCK(&adb->entrylocks[*bucketp]);
+		LOCK(&adb->entrylocks[bucket]);
+		*bucketp = bucket;
+	}
+
+	/* Search the list, while cleaning up expired entries. */
+	for (entry = ISC_LIST_HEAD(adb->entries[bucket]);
+	     entry != NULL;
+	     entry = entry_next) {
+		entry_next = ISC_LIST_NEXT(entry, plink);
+		(void)check_expire_entry(adb, &entry, now);
+		if (entry != NULL &&
+		    (entry->expires == 0 || entry->expires > now) &&
+		    isc_sockaddr_equal(addr, &entry->sockaddr)) {
+			ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+			ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
+			return (entry);
+		}
+	}
+
+	return (NULL);
+}
+
+/*
+ * Entry bucket MUST be locked!
+ */
+static bool
+entry_is_lame(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *qname,
+	      dns_rdatatype_t qtype, isc_stdtime_t now)
+{
+	dns_adblameinfo_t *li, *next_li;
+	bool is_bad;
+
+	is_bad = false;
+
+	li = ISC_LIST_HEAD(entry->lameinfo);
+	if (li == NULL)
+		return (false);
+	while (li != NULL) {
+		next_li = ISC_LIST_NEXT(li, plink);
+
+		/*
+		 * Has the entry expired?
+		 */
+		if (li->lame_timer < now) {
+			ISC_LIST_UNLINK(entry->lameinfo, li, plink);
+			free_adblameinfo(adb, &li);
+		}
+
+		/*
+		 * Order tests from least to most expensive.
+		 *
+		 * We do not break out of the main loop here as
+		 * we use the loop for house keeping.
+		 */
+		if (li != NULL && !is_bad && li->qtype == qtype &&
+		    dns_name_equal(qname, &li->qname))
+			is_bad = true;
+
+		li = next_li;
+	}
+
+	return (is_bad);
+}
+
+static void
+log_quota(dns_adbentry_t *entry, const char *fmt, ...) {
+	va_list ap;
+	char msgbuf[2048];
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	isc_netaddr_t netaddr;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
+	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+		      ISC_LOG_INFO, "adb: quota %s (%u/%u): %s",
+		      addrbuf, entry->active, entry->quota, msgbuf);
+}
+
+static void
+copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *qname,
+		    dns_rdatatype_t qtype, dns_adbname_t *name,
+		    isc_stdtime_t now)
+{
+	dns_adbnamehook_t *namehook;
+	dns_adbaddrinfo_t *addrinfo;
+	dns_adbentry_t *entry;
+	int bucket;
+
+	bucket = DNS_ADB_INVALIDBUCKET;
+
+	if (find->options & DNS_ADBFIND_INET) {
+		namehook = ISC_LIST_HEAD(name->v4);
+		while (namehook != NULL) {
+			entry = namehook->entry;
+			bucket = entry->lock_bucket;
+			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+			LOCK(&adb->entrylocks[bucket]);
+
+			if (entry->quota != 0 &&
+			    entry->active >= entry->quota)
+			{
+				find->options |=
+					(DNS_ADBFIND_LAMEPRUNED|
+					 DNS_ADBFIND_OVERQUOTA);
+				goto nextv4;
+			}
+
+			if (!FIND_RETURNLAME(find)
+			    && entry_is_lame(adb, entry, qname, qtype, now)) {
+				find->options |= DNS_ADBFIND_LAMEPRUNED;
+				goto nextv4;
+			}
+			addrinfo = new_adbaddrinfo(adb, entry, find->port);
+			if (addrinfo == NULL) {
+				find->partial_result |= DNS_ADBFIND_INET;
+				goto out;
+			}
+			/*
+			 * Found a valid entry.  Add it to the find's list.
+			 */
+			inc_entry_refcnt(adb, entry, false);
+			ISC_LIST_APPEND(find->list, addrinfo, publink);
+			addrinfo = NULL;
+		nextv4:
+			UNLOCK(&adb->entrylocks[bucket]);
+			bucket = DNS_ADB_INVALIDBUCKET;
+			namehook = ISC_LIST_NEXT(namehook, plink);
+		}
+	}
+
+	if (find->options & DNS_ADBFIND_INET6) {
+		namehook = ISC_LIST_HEAD(name->v6);
+		while (namehook != NULL) {
+			entry = namehook->entry;
+			bucket = entry->lock_bucket;
+			INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+			LOCK(&adb->entrylocks[bucket]);
+
+			if (entry->quota != 0 &&
+			    entry->active >= entry->quota)
+			{
+				find->options |=
+					(DNS_ADBFIND_LAMEPRUNED|
+					 DNS_ADBFIND_OVERQUOTA);
+				goto nextv6;
+			}
+
+			if (!FIND_RETURNLAME(find)
+			    && entry_is_lame(adb, entry, qname, qtype, now)) {
+				find->options |= DNS_ADBFIND_LAMEPRUNED;
+				goto nextv6;
+			}
+			addrinfo = new_adbaddrinfo(adb, entry, find->port);
+			if (addrinfo == NULL) {
+				find->partial_result |= DNS_ADBFIND_INET6;
+				goto out;
+			}
+			/*
+			 * Found a valid entry.  Add it to the find's list.
+			 */
+			inc_entry_refcnt(adb, entry, false);
+			ISC_LIST_APPEND(find->list, addrinfo, publink);
+			addrinfo = NULL;
+		nextv6:
+			UNLOCK(&adb->entrylocks[bucket]);
+			bucket = DNS_ADB_INVALIDBUCKET;
+			namehook = ISC_LIST_NEXT(namehook, plink);
+		}
+	}
+
+ out:
+	if (bucket != DNS_ADB_INVALIDBUCKET)
+		UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
+	dns_adb_t *adb;
+
+	UNUSED(task);
+
+	adb = ev->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	isc_event_free(&ev);
+	/*
+	 * Wait for lock around check_exit() call to be released.
+	 */
+	LOCK(&adb->lock);
+	UNLOCK(&adb->lock);
+	destroy(adb);
+}
+
+/*
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static bool
+check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
+	dns_adbname_t *name;
+	bool result = false;
+
+	INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
+	name = *namep;
+
+	if (NAME_HAS_V4(name) || NAME_HAS_V6(name))
+		return (result);
+	if (NAME_FETCH(name))
+		return (result);
+	if (!EXPIRE_OK(name->expire_v4, now))
+		return (result);
+	if (!EXPIRE_OK(name->expire_v6, now))
+		return (result);
+	if (!EXPIRE_OK(name->expire_target, now))
+		return (result);
+
+	/*
+	 * The name is empty.  Delete it.
+	 */
+	result = kill_name(&name, DNS_EVENT_ADBEXPIRED);
+	*namep = NULL;
+
+	/*
+	 * Our caller, or one of its callers, will be calling check_exit() at
+	 * some point, so we don't need to do it here.
+	 */
+	return (result);
+}
+
+/*%
+ * Examine the tail entry of the LRU list to see if it expires or is stale
+ * (unused for some period); if so, the name entry will be freed.  If the ADB
+ * is in the overmem condition, the tail and the next to tail entries
+ * will be unconditionally removed (unless they have an outstanding fetch).
+ * We don't care about a race on 'overmem' at the risk of causing some
+ * collateral damage or a small delay in starting cleanup, so we don't bother
+ * to lock ADB (if it's not locked).
+ *
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static void
+check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	int victims, max_victims;
+	dns_adbname_t *victim, *next_victim;
+	bool overmem = isc_mem_isovermem(adb->mctx);
+	int scans = 0;
+
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	max_victims = overmem ? 2 : 1;
+
+	/*
+	 * We limit the number of scanned entries to 10 (arbitrary choice)
+	 * in order to avoid examining too many entries when there are many
+	 * tail entries that have fetches (this should be rare, but could
+	 * happen).
+	 */
+	victim = ISC_LIST_TAIL(adb->names[bucket]);
+	for (victims = 0;
+	     victim != NULL && victims < max_victims && scans < 10;
+	     victim = next_victim) {
+		INSIST(!NAME_DEAD(victim));
+		scans++;
+		next_victim = ISC_LIST_PREV(victim, plink);
+		(void)check_expire_name(&victim, now);
+		if (victim == NULL) {
+			victims++;
+			goto next;
+		}
+
+		if (!NAME_FETCH(victim) &&
+		    (overmem || victim->last_used + ADB_STALE_MARGIN <= now)) {
+			RUNTIME_CHECK(kill_name(&victim,
+						DNS_EVENT_ADBCANCELED) ==
+				      false);
+			victims++;
+		}
+
+	next:
+		if (!overmem)
+			break;
+	}
+}
+
+/*
+ * Entry bucket must be locked; adb may be locked; no other locks held.
+ */
+static bool
+check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
+{
+	dns_adbentry_t *entry;
+	bool result = false;
+
+	INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
+	entry = *entryp;
+
+	if (entry->refcnt != 0)
+		return (result);
+
+	if (entry->expires == 0 || entry->expires > now)
+		return (result);
+
+	/*
+	 * The entry is not in use.  Delete it.
+	 */
+	DP(DEF_LEVEL, "killing entry %p", entry);
+	INSIST(ISC_LINK_LINKED(entry, plink));
+	result = unlink_entry(adb, entry);
+	free_adbentry(adb, &entry);
+	if (result)
+		dec_adb_irefcnt(adb);
+	*entryp = NULL;
+	return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static bool
+cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	dns_adbname_t *name;
+	dns_adbname_t *next_name;
+	bool result = false;
+
+	DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
+
+	LOCK(&adb->namelocks[bucket]);
+	if (adb->name_sd[bucket]) {
+		UNLOCK(&adb->namelocks[bucket]);
+		return (result);
+	}
+
+	name = ISC_LIST_HEAD(adb->names[bucket]);
+	while (name != NULL) {
+		next_name = ISC_LIST_NEXT(name, plink);
+		INSIST(result == false);
+		result = check_expire_namehooks(name, now);
+		if (!result)
+			result = check_expire_name(&name, now);
+		name = next_name;
+	}
+	UNLOCK(&adb->namelocks[bucket]);
+	return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static bool
+cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	dns_adbentry_t *entry, *next_entry;
+	bool result = false;
+
+	DP(CLEAN_LEVEL, "cleaning entry bucket %d", bucket);
+
+	LOCK(&adb->entrylocks[bucket]);
+	entry = ISC_LIST_HEAD(adb->entries[bucket]);
+	while (entry != NULL) {
+		next_entry = ISC_LIST_NEXT(entry, plink);
+		INSIST(result == false);
+		result = check_expire_entry(adb, &entry, now);
+		entry = next_entry;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+	return (result);
+}
+
+static void
+destroy(dns_adb_t *adb) {
+	adb->magic = 0;
+
+	isc_task_detach(&adb->task);
+	if (adb->excl != NULL)
+		isc_task_detach(&adb->excl);
+
+	isc_mempool_destroy(&adb->nmp);
+	isc_mempool_destroy(&adb->nhmp);
+	isc_mempool_destroy(&adb->limp);
+	isc_mempool_destroy(&adb->emp);
+	isc_mempool_destroy(&adb->ahmp);
+	isc_mempool_destroy(&adb->aimp);
+	isc_mempool_destroy(&adb->afmp);
+
+	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
+	isc_mem_put(adb->mctx, adb->entries,
+		    sizeof(*adb->entries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->deadentries,
+		    sizeof(*adb->deadentries) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entrylocks,
+		    sizeof(*adb->entrylocks) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_sd,
+		    sizeof(*adb->entry_sd) * adb->nentries);
+	isc_mem_put(adb->mctx, adb->entry_refcnt,
+		    sizeof(*adb->entry_refcnt) * adb->nentries);
+
+	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
+	isc_mem_put(adb->mctx, adb->names,
+		    sizeof(*adb->names) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->deadnames,
+		    sizeof(*adb->deadnames) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->namelocks,
+		    sizeof(*adb->namelocks) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_sd,
+		    sizeof(*adb->name_sd) * adb->nnames);
+	isc_mem_put(adb->mctx, adb->name_refcnt,
+		    sizeof(*adb->name_refcnt) * adb->nnames);
+
+	DESTROYLOCK(&adb->reflock);
+	DESTROYLOCK(&adb->lock);
+	DESTROYLOCK(&adb->mplock);
+	DESTROYLOCK(&adb->overmemlock);
+	DESTROYLOCK(&adb->entriescntlock);
+	DESTROYLOCK(&adb->namescntlock);
+
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+}
+
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
+	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb)
+{
+	dns_adb_t *adb;
+	isc_result_t result;
+	unsigned int i;
+
+	REQUIRE(mem != NULL);
+	REQUIRE(view != NULL);
+	REQUIRE(timermgr != NULL); /* this is actually unused */
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(newadb != NULL && *newadb == NULL);
+
+	UNUSED(timermgr);
+
+	adb = isc_mem_get(mem, sizeof(dns_adb_t));
+	if (adb == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * Initialize things here that cannot fail, and especially things
+	 * that must be NULL for the error return to work properly.
+	 */
+	adb->magic = 0;
+	adb->erefcnt = 1;
+	adb->irefcnt = 0;
+	adb->nmp = NULL;
+	adb->nhmp = NULL;
+	adb->limp = NULL;
+	adb->emp = NULL;
+	adb->ahmp = NULL;
+	adb->aimp = NULL;
+	adb->afmp = NULL;
+	adb->task = NULL;
+	adb->excl = NULL;
+	adb->mctx = NULL;
+	adb->view = view;
+	adb->taskmgr = taskmgr;
+	adb->next_cleanbucket = 0;
+	ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent),
+		       0, NULL, 0, NULL, NULL, NULL, NULL, NULL);
+	adb->cevent_out = false;
+	adb->shutting_down = false;
+	ISC_LIST_INIT(adb->whenshutdown);
+
+	adb->nentries = nbuckets[0];
+	adb->entriescnt = 0;
+	adb->entries = NULL;
+	adb->deadentries = NULL;
+	adb->entry_sd = NULL;
+	adb->entry_refcnt = NULL;
+	adb->entrylocks = NULL;
+	ISC_EVENT_INIT(&adb->growentries, sizeof(adb->growentries), 0, NULL,
+		       DNS_EVENT_ADBGROWENTRIES, grow_entries, adb,
+		       adb, NULL, NULL);
+	adb->growentries_sent = false;
+
+	adb->quota = 0;
+	adb->atr_freq = 0;
+	adb->atr_low = 0.0;
+	adb->atr_high = 0.0;
+	adb->atr_discount = 0.0;
+
+	adb->nnames = nbuckets[0];
+	adb->namescnt = 0;
+	adb->names = NULL;
+	adb->deadnames = NULL;
+	adb->name_sd = NULL;
+	adb->name_refcnt = NULL;
+	adb->namelocks = NULL;
+	ISC_EVENT_INIT(&adb->grownames, sizeof(adb->grownames), 0, NULL,
+		       DNS_EVENT_ADBGROWNAMES, grow_names, adb,
+		       adb, NULL, NULL);
+	adb->grownames_sent = false;
+
+	result = isc_taskmgr_excltask(adb->taskmgr, &adb->excl);
+	if (result != ISC_R_SUCCESS) {
+		DP(DEF_LEVEL, "adb: task-exclusive mode unavailable, "
+			      "intializing table sizes to %u\n",
+			      nbuckets[11]);
+		adb->nentries = nbuckets[11];
+		adb->nnames = nbuckets[11];
+	}
+
+	isc_mem_attach(mem, &adb->mctx);
+
+	result = isc_mutex_init(&adb->lock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0b;
+
+	result = isc_mutex_init(&adb->mplock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0c;
+
+	result = isc_mutex_init(&adb->reflock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0d;
+
+	result = isc_mutex_init(&adb->overmemlock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0e;
+
+	result = isc_mutex_init(&adb->entriescntlock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0f;
+
+	result = isc_mutex_init(&adb->namescntlock);
+	if (result != ISC_R_SUCCESS)
+		goto fail0g;
+
+#define ALLOCENTRY(adb, el) \
+	do { \
+		(adb)->el = isc_mem_get((adb)->mctx, \
+				     sizeof(*(adb)->el) * (adb)->nentries); \
+		if ((adb)->el == NULL) { \
+			result = ISC_R_NOMEMORY; \
+			goto fail1; \
+		}\
+	} while (0)
+	ALLOCENTRY(adb, entries);
+	ALLOCENTRY(adb, deadentries);
+	ALLOCENTRY(adb, entrylocks);
+	ALLOCENTRY(adb, entry_sd);
+	ALLOCENTRY(adb, entry_refcnt);
+#undef ALLOCENTRY
+
+#define ALLOCNAME(adb, el) \
+	do { \
+		(adb)->el = isc_mem_get((adb)->mctx, \
+				     sizeof(*(adb)->el) * (adb)->nnames); \
+		if ((adb)->el == NULL) { \
+			result = ISC_R_NOMEMORY; \
+			goto fail1; \
+		}\
+	} while (0)
+	ALLOCNAME(adb, names);
+	ALLOCNAME(adb, deadnames);
+	ALLOCNAME(adb, namelocks);
+	ALLOCNAME(adb, name_sd);
+	ALLOCNAME(adb, name_refcnt);
+#undef ALLOCNAME
+
+	/*
+	 * Initialize the bucket locks for names and elements.
+	 * May as well initialize the list heads, too.
+	 */
+	result = isc_mutexblock_init(adb->namelocks, adb->nnames);
+	if (result != ISC_R_SUCCESS)
+		goto fail1;
+	for (i = 0; i < adb->nnames; i++) {
+		ISC_LIST_INIT(adb->names[i]);
+		ISC_LIST_INIT(adb->deadnames[i]);
+		adb->name_sd[i] = false;
+		adb->name_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+	for (i = 0; i < adb->nentries; i++) {
+		ISC_LIST_INIT(adb->entries[i]);
+		ISC_LIST_INIT(adb->deadentries[i]);
+		adb->entry_sd[i] = false;
+		adb->entry_refcnt[i] = 0;
+		adb->irefcnt++;
+	}
+	result = isc_mutexblock_init(adb->entrylocks, adb->nentries);
+	if (result != ISC_R_SUCCESS)
+		goto fail2;
+
+	/*
+	 * Memory pools
+	 */
+#define MPINIT(t, p, n) do { \
+	result = isc_mempool_create(mem, sizeof(t), &(p)); \
+	if (result != ISC_R_SUCCESS) \
+		goto fail3; \
+	isc_mempool_setfreemax((p), FREE_ITEMS); \
+	isc_mempool_setfillcount((p), FILL_COUNT); \
+	isc_mempool_setname((p), n); \
+	isc_mempool_associatelock((p), &adb->mplock); \
+} while (0)
+
+	MPINIT(dns_adbname_t, adb->nmp, "adbname");
+	MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
+	MPINIT(dns_adblameinfo_t, adb->limp, "adblameinfo");
+	MPINIT(dns_adbentry_t, adb->emp, "adbentry");
+	MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
+	MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
+	MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
+
+#undef MPINIT
+
+	/*
+	 * Allocate an internal task.
+	 */
+	result = isc_task_create(adb->taskmgr, 0, &adb->task);
+	if (result != ISC_R_SUCCESS)
+		goto fail3;
+
+	isc_task_setname(adb->task, "ADB", adb);
+
+	result = isc_stats_create(adb->mctx, &view->adbstats, dns_adbstats_max);
+	if (result != ISC_R_SUCCESS)
+		goto fail3;
+
+	set_adbstat(adb, adb->nentries, dns_adbstats_nentries);
+	set_adbstat(adb, adb->nnames, dns_adbstats_nnames);
+
+	/*
+	 * Normal return.
+	 */
+	adb->magic = DNS_ADB_MAGIC;
+	*newadb = adb;
+	return (ISC_R_SUCCESS);
+
+ fail3:
+	if (adb->task != NULL)
+		isc_task_detach(&adb->task);
+
+	/* clean up entrylocks */
+	DESTROYMUTEXBLOCK(adb->entrylocks, adb->nentries);
+
+ fail2: /* clean up namelocks */
+	DESTROYMUTEXBLOCK(adb->namelocks, adb->nnames);
+
+ fail1: /* clean up only allocated memory */
+	if (adb->entries != NULL)
+		isc_mem_put(adb->mctx, adb->entries,
+			    sizeof(*adb->entries) * adb->nentries);
+	if (adb->deadentries != NULL)
+		isc_mem_put(adb->mctx, adb->deadentries,
+			    sizeof(*adb->deadentries) * adb->nentries);
+	if (adb->entrylocks != NULL)
+		isc_mem_put(adb->mctx, adb->entrylocks,
+			    sizeof(*adb->entrylocks) * adb->nentries);
+	if (adb->entry_sd != NULL)
+		isc_mem_put(adb->mctx, adb->entry_sd,
+			    sizeof(*adb->entry_sd) * adb->nentries);
+	if (adb->entry_refcnt != NULL)
+		isc_mem_put(adb->mctx, adb->entry_refcnt,
+			    sizeof(*adb->entry_refcnt) * adb->nentries);
+	if (adb->names != NULL)
+		isc_mem_put(adb->mctx, adb->names,
+			    sizeof(*adb->names) * adb->nnames);
+	if (adb->deadnames != NULL)
+		isc_mem_put(adb->mctx, adb->deadnames,
+			    sizeof(*adb->deadnames) * adb->nnames);
+	if (adb->namelocks != NULL)
+		isc_mem_put(adb->mctx, adb->namelocks,
+			    sizeof(*adb->namelocks) * adb->nnames);
+	if (adb->name_sd != NULL)
+		isc_mem_put(adb->mctx, adb->name_sd,
+			    sizeof(*adb->name_sd) * adb->nnames);
+	if (adb->name_refcnt != NULL)
+		isc_mem_put(adb->mctx, adb->name_refcnt,
+			    sizeof(*adb->name_refcnt) * adb->nnames);
+	if (adb->nmp != NULL)
+		isc_mempool_destroy(&adb->nmp);
+	if (adb->nhmp != NULL)
+		isc_mempool_destroy(&adb->nhmp);
+	if (adb->limp != NULL)
+		isc_mempool_destroy(&adb->limp);
+	if (adb->emp != NULL)
+		isc_mempool_destroy(&adb->emp);
+	if (adb->ahmp != NULL)
+		isc_mempool_destroy(&adb->ahmp);
+	if (adb->aimp != NULL)
+		isc_mempool_destroy(&adb->aimp);
+	if (adb->afmp != NULL)
+		isc_mempool_destroy(&adb->afmp);
+
+	DESTROYLOCK(&adb->namescntlock);
+ fail0g:
+	DESTROYLOCK(&adb->entriescntlock);
+ fail0f:
+	DESTROYLOCK(&adb->overmemlock);
+ fail0e:
+	DESTROYLOCK(&adb->reflock);
+ fail0d:
+	DESTROYLOCK(&adb->mplock);
+ fail0c:
+	DESTROYLOCK(&adb->lock);
+ fail0b:
+	if (adb->excl != NULL)
+		isc_task_detach(&adb->excl);
+	isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+
+	return (result);
+}
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(adbx != NULL && *adbx == NULL);
+
+	inc_adb_erefcnt(adb);
+	*adbx = adb;
+}
+
+void
+dns_adb_detach(dns_adb_t **adbx) {
+	dns_adb_t *adb;
+	bool need_exit_check;
+
+	REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
+
+	adb = *adbx;
+	*adbx = NULL;
+
+	INSIST(adb->erefcnt > 0);
+
+	LOCK(&adb->reflock);
+	adb->erefcnt--;
+	need_exit_check = (adb->erefcnt == 0 && adb->irefcnt == 0);
+	UNLOCK(&adb->reflock);
+
+	if (need_exit_check) {
+		LOCK(&adb->lock);
+		INSIST(adb->shutting_down);
+		check_exit(adb);
+		UNLOCK(&adb->lock);
+	}
+}
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
+	isc_task_t *tclone;
+	isc_event_t *event;
+	bool zeroirefcnt;
+
+	/*
+	 * Send '*eventp' to 'task' when 'adb' has shutdown.
+	 */
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&adb->lock);
+	LOCK(&adb->reflock);
+
+	zeroirefcnt = (adb->irefcnt == 0);
+
+	if (adb->shutting_down && zeroirefcnt &&
+	    isc_mempool_getallocated(adb->ahmp) == 0) {
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = adb;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
+	}
+
+	UNLOCK(&adb->reflock);
+	UNLOCK(&adb->lock);
+}
+
+static void
+shutdown_stage2(isc_task_t *task, isc_event_t *event) {
+	dns_adb_t *adb;
+
+	UNUSED(task);
+
+	adb = event->ev_arg;
+	INSIST(DNS_ADB_VALID(adb));
+
+	LOCK(&adb->lock);
+	INSIST(adb->shutting_down);
+	adb->cevent_out = false;
+	(void)shutdown_names(adb);
+	(void)shutdown_entries(adb);
+	if (dec_adb_irefcnt(adb))
+		check_exit(adb);
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_shutdown(dns_adb_t *adb) {
+	isc_event_t *event;
+
+	/*
+	 * Shutdown 'adb'.
+	 */
+
+	LOCK(&adb->lock);
+
+	if (!adb->shutting_down) {
+		adb->shutting_down = true;
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+		/*
+		 * Isolate shutdown_names and shutdown_entries calls.
+		 */
+		inc_adb_irefcnt(adb);
+		ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+			       DNS_EVENT_ADBCONTROL, shutdown_stage2, adb,
+			       adb, NULL, NULL);
+		adb->cevent_out = true;
+		event = &adb->cevent;
+		isc_task_send(adb->task, &event);
+	}
+
+	UNLOCK(&adb->lock);
+}
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		   void *arg, dns_name_t *name, dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target,
+		   in_port_t port, dns_adbfind_t **findp)
+{
+	return (dns_adb_createfind2(adb, task, action, arg, name,
+				    qname, qtype, options, now,
+				    target, port, 0, NULL, findp));
+}
+
+isc_result_t
+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		    void *arg, dns_name_t *name, dns_name_t *qname,
+		    dns_rdatatype_t qtype, unsigned int options,
+		    isc_stdtime_t now, dns_name_t *target,
+		    in_port_t port, unsigned int depth, isc_counter_t *qc,
+		    dns_adbfind_t **findp)
+{
+	dns_adbfind_t *find;
+	dns_adbname_t *adbname;
+	int bucket;
+	bool want_event, start_at_zone, alias, have_address;
+	isc_result_t result;
+	unsigned int wanted_addresses;
+	unsigned int wanted_fetches;
+	unsigned int query_pending;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	if (task != NULL) {
+		REQUIRE(action != NULL);
+	}
+	REQUIRE(name != NULL);
+	REQUIRE(qname != NULL);
+	REQUIRE(findp != NULL && *findp == NULL);
+	REQUIRE(target == NULL || dns_name_hasbuffer(target));
+
+	REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0);
+
+	result = ISC_R_UNEXPECTED;
+	POST(result);
+	wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK);
+	wanted_fetches = 0;
+	query_pending = 0;
+	want_event = false;
+	start_at_zone = false;
+	alias = false;
+
+	if (now == 0)
+		isc_stdtime_get(&now);
+
+	/*
+	 * XXXMLG  Move this comment somewhere else!
+	 *
+	 * Look up the name in our internal database.
+	 *
+	 * Possibilities:  Note that these are not always exclusive.
+	 *
+	 *      No name found.  In this case, allocate a new name header and
+	 *      an initial namehook or two.  If any of these allocations
+	 *      fail, clean up and return ISC_R_NOMEMORY.
+	 *
+	 *      Name found, valid addresses present.  Allocate one addrinfo
+	 *      structure for each found and append it to the linked list
+	 *      of addresses for this header.
+	 *
+	 *      Name found, queries pending.  In this case, if a task was
+	 *      passed in, allocate a job id, attach it to the name's job
+	 *      list and remember to tell the caller that there will be
+	 *      more info coming later.
+	 */
+
+	find = new_adbfind(adb);
+	if (find == NULL)
+		return (ISC_R_NOMEMORY);
+
+	find->port = port;
+
+	/*
+	 * Remember what types of addresses we are interested in.
+	 */
+	find->options = options;
+	find->flags |= wanted_addresses;
+	if (FIND_WANTEVENT(find)) {
+		REQUIRE(task != NULL);
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DEF_LEVEL))
+		dns_name_format(name, namebuf, sizeof(namebuf));
+	else
+		namebuf[0] = 0;
+
+	/*
+	 * Try to see if we know anything about this name at all.
+	 */
+	bucket = DNS_ADB_INVALIDBUCKET;
+	adbname = find_name_and_lock(adb, name, find->options, &bucket);
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+	if (adb->name_sd[bucket]) {
+		DP(DEF_LEVEL,
+		   "dns_adb_createfind: returning ISC_R_SHUTTINGDOWN");
+		RUNTIME_CHECK(free_adbfind(adb, &find) == false);
+		result = ISC_R_SHUTTINGDOWN;
+		goto out;
+	}
+
+	/*
+	 * Nothing found.  Allocate a new adbname structure for this name.
+	 */
+	if (adbname == NULL) {
+		/*
+		 * See if there is any stale name at the end of list, and purge
+		 * it if so.
+		 */
+		check_stale_name(adb, bucket, now);
+
+		adbname = new_adbname(adb, name);
+		if (adbname == NULL) {
+			RUNTIME_CHECK(free_adbfind(adb, &find) == false);
+			result = ISC_R_NOMEMORY;
+			goto out;
+		}
+		link_name(adb, bucket, adbname);
+		if (FIND_HINTOK(find))
+			adbname->flags |= NAME_HINT_OK;
+		if (FIND_GLUEOK(find))
+			adbname->flags |= NAME_GLUE_OK;
+		if (FIND_STARTATZONE(find))
+			adbname->flags |= NAME_STARTATZONE;
+	} else {
+		/* Move this name forward in the LRU list */
+		ISC_LIST_UNLINK(adb->names[bucket], adbname, plink);
+		ISC_LIST_PREPEND(adb->names[bucket], adbname, plink);
+	}
+	adbname->last_used = now;
+
+	/*
+	 * Expire old entries, etc.
+	 */
+	RUNTIME_CHECK(check_expire_namehooks(adbname, now) == false);
+
+	/*
+	 * Do we know that the name is an alias?
+	 */
+	if (!EXPIRE_OK(adbname->expire_target, now)) {
+		/*
+		 * Yes, it is.
+		 */
+		DP(DEF_LEVEL,
+		   "dns_adb_createfind: name %s (%p) is an alias (cached)",
+		   namebuf, adbname);
+		alias = true;
+		goto post_copy;
+	}
+
+	/*
+	 * Try to populate the name from the database and/or
+	 * start fetches.  First try looking for an A record
+	 * in the database.
+	 */
+	if (!NAME_HAS_V4(adbname) && EXPIRE_OK(adbname->expire_v4, now)
+	    && WANT_INET(wanted_addresses)) {
+		result = dbfind_name(adbname, now, dns_rdatatype_a);
+		if (result == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: found A for name %s (%p) in db",
+			   namebuf, adbname);
+			goto v6;
+		}
+
+		/*
+		 * Did we get a CNAME or DNAME?
+		 */
+		if (result == DNS_R_ALIAS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: name %s (%p) is an alias",
+			   namebuf, adbname);
+			alias = true;
+			goto post_copy;
+		}
+
+		/*
+		 * If the name doesn't exist at all, don't bother with
+		 * v6 queries; they won't work.
+		 *
+		 * If the name does exist but we didn't get our data, go
+		 * ahead and try AAAA.
+		 *
+		 * If the result is neither of these, try a fetch for A.
+		 */
+		if (NXDOMAIN_RESULT(result))
+			goto fetch;
+		else if (NXRRSET_RESULT(result))
+			goto v6;
+
+		if (!NAME_FETCH_V4(adbname))
+			wanted_fetches |= DNS_ADBFIND_INET;
+	}
+
+ v6:
+	if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now)
+	    && WANT_INET6(wanted_addresses)) {
+		result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
+		if (result == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: found AAAA for name %s (%p)",
+			   namebuf, adbname);
+			goto fetch;
+		}
+
+		/*
+		 * Did we get a CNAME or DNAME?
+		 */
+		if (result == DNS_R_ALIAS) {
+			DP(DEF_LEVEL,
+			   "dns_adb_createfind: name %s (%p) is an alias",
+			   namebuf, adbname);
+			alias = true;
+			goto post_copy;
+		}
+
+		/*
+		 * Listen to negative cache hints, and don't start
+		 * another query.
+		 */
+		if (NCACHE_RESULT(result) || AUTH_NX(result))
+			goto fetch;
+
+		if (!NAME_FETCH_V6(adbname))
+			wanted_fetches |= DNS_ADBFIND_INET6;
+	}
+
+ fetch:
+	if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
+	    (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+		have_address = true;
+	else
+		have_address = false;
+	if (wanted_fetches != 0 &&
+	    ! (FIND_AVOIDFETCHES(find) && have_address)) {
+		/*
+		 * We're missing at least one address family.  Either the
+		 * caller hasn't instructed us to avoid fetches, or we don't
+		 * know anything about any of the address families that would
+		 * be acceptable so we have to launch fetches.
+		 */
+
+		if (FIND_STARTATZONE(find))
+			start_at_zone = true;
+
+		/*
+		 * Start V4.
+		 */
+		if (WANT_INET(wanted_fetches) &&
+		    fetch_name(adbname, start_at_zone, depth, qc,
+			       dns_rdatatype_a) == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL, "dns_adb_createfind: "
+			   "started A fetch for name %s (%p)",
+			   namebuf, adbname);
+		}
+
+		/*
+		 * Start V6.
+		 */
+		if (WANT_INET6(wanted_fetches) &&
+		    fetch_name(adbname, start_at_zone, depth, qc,
+			       dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
+			DP(DEF_LEVEL, "dns_adb_createfind: "
+			   "started AAAA fetch for name %s (%p)",
+			   namebuf, adbname);
+		}
+	}
+
+	/*
+	 * Run through the name and copy out the bits we are
+	 * interested in.
+	 */
+	copy_namehook_lists(adb, find, qname, qtype, adbname, now);
+
+ post_copy:
+	if (NAME_FETCH_V4(adbname))
+		query_pending |= DNS_ADBFIND_INET;
+	if (NAME_FETCH_V6(adbname))
+		query_pending |= DNS_ADBFIND_INET6;
+
+	/*
+	 * Attach to the name's query list if there are queries
+	 * already running, and we have been asked to.
+	 */
+	want_event = true;
+	if (!FIND_WANTEVENT(find))
+		want_event = false;
+	if (FIND_WANTEMPTYEVENT(find) && FIND_HAS_ADDRS(find))
+		want_event = false;
+	if ((wanted_addresses & query_pending) == 0)
+		want_event = false;
+	if (alias)
+		want_event = false;
+	if (want_event) {
+		find->adbname = adbname;
+		find->name_bucket = bucket;
+		ISC_LIST_APPEND(adbname->finds, find, plink);
+		find->query_pending = (query_pending & wanted_addresses);
+		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+		find->flags |= (find->query_pending & DNS_ADBFIND_ADDRESSMASK);
+		DP(DEF_LEVEL, "createfind: attaching find %p to adbname %p",
+		   find, adbname);
+	} else {
+		/*
+		 * Remove the flag so the caller knows there will never
+		 * be an event, and set internal flags to fake that
+		 * the event was sent and freed, so dns_adb_destroyfind() will
+		 * do the right thing.
+		 */
+		find->query_pending = (query_pending & wanted_addresses);
+		find->options &= ~DNS_ADBFIND_WANTEVENT;
+		find->flags |= (FIND_EVENT_SENT | FIND_EVENT_FREED);
+		find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+	}
+
+	find->partial_result |= (adbname->partial_result & wanted_addresses);
+	if (alias) {
+		if (target != NULL) {
+			result = dns_name_copy(&adbname->target, target, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto out;
+		}
+		result = DNS_R_ALIAS;
+	} else
+		result = ISC_R_SUCCESS;
+
+	/*
+	 * Copy out error flags from the name structure into the find.
+	 */
+	find->result_v4 = find_err_map[adbname->fetch_err];
+	find->result_v6 = find_err_map[adbname->fetch6_err];
+
+ out:
+	if (find != NULL) {
+		*findp = find;
+
+		if (want_event) {
+			isc_task_t *taskp;
+
+			INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
+			taskp = NULL;
+			isc_task_attach(task, &taskp);
+			find->event.ev_sender = taskp;
+			find->event.ev_action = action;
+			find->event.ev_arg = arg;
+		}
+	}
+
+	UNLOCK(&adb->namelocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_destroyfind(dns_adbfind_t **findp) {
+	dns_adbfind_t *find;
+	dns_adbentry_t *entry;
+	dns_adbaddrinfo_t *ai;
+	int bucket;
+	dns_adb_t *adb;
+	bool overmem;
+
+	REQUIRE(findp != NULL && DNS_ADBFIND_VALID(*findp));
+	find = *findp;
+	*findp = NULL;
+
+	LOCK(&find->lock);
+
+	DP(DEF_LEVEL, "dns_adb_destroyfind on find %p", find);
+
+	adb = find->adb;
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	REQUIRE(FIND_EVENTFREED(find));
+
+	bucket = find->name_bucket;
+	INSIST(bucket == DNS_ADB_INVALIDBUCKET);
+
+	UNLOCK(&find->lock);
+
+	/*
+	 * The find doesn't exist on any list, and nothing is locked.
+	 * Return the find to the memory pool, and decrement the adb's
+	 * reference count.
+	 */
+	overmem = isc_mem_isovermem(adb->mctx);
+	ai = ISC_LIST_HEAD(find->list);
+	while (ai != NULL) {
+		ISC_LIST_UNLINK(find->list, ai, publink);
+		entry = ai->entry;
+		ai->entry = NULL;
+		INSIST(DNS_ADBENTRY_VALID(entry));
+		RUNTIME_CHECK(dec_entry_refcnt(adb, overmem, entry, true) ==
+			      false);
+		free_adbaddrinfo(adb, &ai);
+		ai = ISC_LIST_HEAD(find->list);
+	}
+
+	/*
+	 * WARNING:  The find is freed with the adb locked.  This is done
+	 * to avoid a race condition where we free the find, some other
+	 * thread tests to see if it should be destroyed, detects it should
+	 * be, destroys it, and then we try to lock it for our check, but the
+	 * lock is destroyed.
+	 */
+	LOCK(&adb->lock);
+	if (free_adbfind(adb, &find))
+		check_exit(adb);
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find) {
+	isc_event_t *ev;
+	isc_task_t *task;
+	dns_adb_t *adb;
+	int bucket;
+	int unlock_bucket;
+
+	LOCK(&find->lock);
+
+	DP(DEF_LEVEL, "dns_adb_cancelfind on find %p", find);
+
+	adb = find->adb;
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	REQUIRE(!FIND_EVENTFREED(find));
+	REQUIRE(FIND_WANTEVENT(find));
+
+	bucket = find->name_bucket;
+	if (bucket == DNS_ADB_INVALIDBUCKET)
+		goto cleanup;
+
+	/*
+	 * We need to get the adbname's lock to unlink the find.
+	 */
+	unlock_bucket = bucket;
+	violate_locking_hierarchy(&find->lock, &adb->namelocks[unlock_bucket]);
+	bucket = find->name_bucket;
+	if (bucket != DNS_ADB_INVALIDBUCKET) {
+		ISC_LIST_UNLINK(find->adbname->finds, find, plink);
+		find->adbname = NULL;
+		find->name_bucket = DNS_ADB_INVALIDBUCKET;
+	}
+	UNLOCK(&adb->namelocks[unlock_bucket]);
+	bucket = DNS_ADB_INVALIDBUCKET;
+	POST(bucket);
+
+ cleanup:
+
+	if (!FIND_EVENTSENT(find)) {
+		ev = &find->event;
+		task = ev->ev_sender;
+		ev->ev_sender = find;
+		ev->ev_type = DNS_EVENT_ADBCANCELED;
+		ev->ev_destroy = event_free;
+		ev->ev_destroy_arg = find;
+		find->result_v4 = ISC_R_CANCELED;
+		find->result_v6 = ISC_R_CANCELED;
+
+		DP(DEF_LEVEL, "sending event %p to task %p for find %p",
+		   ev, task, find);
+
+		isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+	}
+
+	UNLOCK(&find->lock);
+}
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f) {
+	unsigned int i;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(f != NULL);
+
+	/*
+	 * Lock the adb itself, lock all the name buckets, then lock all
+	 * the entry buckets.  This should put the adb into a state where
+	 * nothing can change, so we can iterate through everything and
+	 * print at our leisure.
+	 */
+
+	LOCK(&adb->lock);
+	isc_stdtime_get(&now);
+
+	for (i = 0; i < adb->nnames; i++)
+		RUNTIME_CHECK(cleanup_names(adb, i, now) == false);
+	for (i = 0; i < adb->nentries; i++)
+		RUNTIME_CHECK(cleanup_entries(adb, i, now) == false);
+
+	dump_adb(adb, f, false, now);
+	UNLOCK(&adb->lock);
+}
+
+static void
+dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
+	if (value == INT_MAX)
+		return;
+	fprintf(f, " [%s TTL %d]", legend, (int)(value - now));
+}
+
+static void
+dump_adb(dns_adb_t *adb, FILE *f, bool debug, isc_stdtime_t now) {
+	unsigned int i;
+	dns_adbname_t *name;
+	dns_adbentry_t *entry;
+
+	fprintf(f, ";\n; Address database dump\n;\n");
+	fprintf(f, "; [edns success/4096 timeout/1432 timeout/1232 timeout/"
+		"512 timeout]\n");
+	fprintf(f, "; [plain success/timeout]\n;\n");
+	if (debug)
+		fprintf(f, "; addr %p, erefcnt %u, irefcnt %u, finds out %u\n",
+			adb, adb->erefcnt, adb->irefcnt,
+			isc_mempool_getallocated(adb->nhmp));
+
+	for (i = 0; i < adb->nnames; i++)
+		LOCK(&adb->namelocks[i]);
+	for (i = 0; i < adb->nentries; i++)
+		LOCK(&adb->entrylocks[i]);
+
+	/*
+	 * Dump the names
+	 */
+	for (i = 0; i < adb->nnames; i++) {
+		name = ISC_LIST_HEAD(adb->names[i]);
+		if (name == NULL)
+			continue;
+		if (debug)
+			fprintf(f, "; bucket %u\n", i);
+		for (;
+		     name != NULL;
+		     name = ISC_LIST_NEXT(name, plink))
+		{
+			if (debug)
+				fprintf(f, "; name %p (flags %08x)\n",
+					name, name->flags);
+
+			fprintf(f, "; ");
+			print_dns_name(f, &name->name);
+			if (dns_name_countlabels(&name->target) > 0) {
+				fprintf(f, " alias ");
+				print_dns_name(f, &name->target);
+			}
+
+			dump_ttl(f, "v4", name->expire_v4, now);
+			dump_ttl(f, "v6", name->expire_v6, now);
+			dump_ttl(f, "target", name->expire_target, now);
+
+			fprintf(f, " [v4 %s] [v6 %s]",
+				errnames[name->fetch_err],
+				errnames[name->fetch6_err]);
+
+			fprintf(f, "\n");
+
+			print_namehook_list(f, "v4", adb,
+					    &name->v4, debug, now);
+			print_namehook_list(f, "v6", adb,
+					    &name->v6, debug, now);
+
+			if (debug) {
+				print_fetch_list(f, name);
+				print_find_list(f, name);
+			}
+		}
+	}
+
+	fprintf(f, ";\n; Unassociated entries\n;\n");
+
+	for (i = 0; i < adb->nentries; i++) {
+		entry = ISC_LIST_HEAD(adb->entries[i]);
+		while (entry != NULL) {
+			if (entry->nh == 0)
+				dump_entry(f, adb, entry, debug, now);
+			entry = ISC_LIST_NEXT(entry, plink);
+		}
+	}
+
+	/*
+	 * Unlock everything
+	 */
+	for (i = 0; i < adb->nentries; i++)
+		UNLOCK(&adb->entrylocks[i]);
+	for (i = 0; i < adb->nnames; i++)
+		UNLOCK(&adb->namelocks[i]);
+}
+
+static void
+dump_entry(FILE *f, dns_adb_t *adb, dns_adbentry_t *entry,
+	   bool debug, isc_stdtime_t now)
+{
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	isc_netaddr_t netaddr;
+	dns_adblameinfo_t *li;
+
+	isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
+	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+
+	if (debug)
+		fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
+
+	fprintf(f, ";\t%s [srtt %u] [flags %08x] [edns %u/%u/%u/%u/%u] "
+		"[plain %u/%u]", addrbuf, entry->srtt, entry->flags,
+		entry->edns, entry->to4096, entry->to1432, entry->to1232,
+		entry->to512, entry->plain, entry->plainto);
+	if (entry->udpsize != 0U)
+		fprintf(f, " [udpsize %u]", entry->udpsize);
+	if (entry->cookie != NULL) {
+		unsigned int i;
+		fprintf(f, " [cookie=");
+		for (i = 0; i < entry->cookielen; i++)
+			fprintf(f, "%02x", entry->cookie[i]);
+		fprintf(f, "]");
+	}
+	if (entry->expires != 0)
+		fprintf(f, " [ttl %d]", (int)(entry->expires - now));
+
+	if (adb != NULL && adb->quota != 0 && adb->atr_freq != 0) {
+		fprintf(f, " [atr %0.2f] [quota %u]",
+			entry->atr, entry->quota);
+	}
+
+	fprintf(f, "\n");
+	for (li = ISC_LIST_HEAD(entry->lameinfo);
+	     li != NULL;
+	     li = ISC_LIST_NEXT(li, plink))
+	{
+		fprintf(f, ";\t\t");
+		print_dns_name(f, &li->qname);
+		dns_rdatatype_format(li->qtype, typebuf, sizeof(typebuf));
+		fprintf(f, " %s [lame TTL %d]\n", typebuf,
+			(int)(li->lame_timer - now));
+	}
+}
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
+	char tmp[512];
+	const char *tmpp;
+	dns_adbaddrinfo_t *ai;
+	isc_sockaddr_t *sa;
+
+	/*
+	 * Not used currently, in the API Just In Case we
+	 * want to dump out the name and/or entries too.
+	 */
+
+	LOCK(&find->lock);
+
+	fprintf(f, ";Find %p\n", find);
+	fprintf(f, ";\tqpending %08x partial %08x options %08x flags %08x\n",
+		find->query_pending, find->partial_result,
+		find->options, find->flags);
+	fprintf(f, ";\tname_bucket %d, name %p, event sender %p\n",
+		find->name_bucket, find->adbname, find->event.ev_sender);
+
+	ai = ISC_LIST_HEAD(find->list);
+	if (ai != NULL)
+		fprintf(f, "\tAddresses:\n");
+	while (ai != NULL) {
+		sa = &ai->sockaddr;
+		switch (sa->type.sa.sa_family) {
+		case AF_INET:
+			tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr,
+					 tmp, sizeof(tmp));
+			break;
+		case AF_INET6:
+			tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
+					 tmp, sizeof(tmp));
+			break;
+		default:
+			tmpp = "UnkFamily";
+		}
+
+		if (tmpp == NULL)
+			tmpp = "BadAddress";
+
+		fprintf(f, "\t\tentry %p, flags %08x"
+			" srtt %u addr %s\n",
+			ai->entry, ai->flags, ai->srtt, tmpp);
+
+		ai = ISC_LIST_NEXT(ai, publink);
+	}
+
+	UNLOCK(&find->lock);
+}
+
+static void
+print_dns_name(FILE *f, dns_name_t *name) {
+	char buf[DNS_NAME_FORMATSIZE];
+
+	INSIST(f != NULL);
+
+	dns_name_format(name, buf, sizeof(buf));
+	fprintf(f, "%s", buf);
+}
+
+static void
+print_namehook_list(FILE *f, const char *legend,
+		    dns_adb_t *adb, dns_adbnamehooklist_t *list,
+		    bool debug, isc_stdtime_t now)
+{
+	dns_adbnamehook_t *nh;
+
+	for (nh = ISC_LIST_HEAD(*list);
+	     nh != NULL;
+	     nh = ISC_LIST_NEXT(nh, plink))
+	{
+		if (debug)
+			fprintf(f, ";\tHook(%s) %p\n", legend, nh);
+		dump_entry(f, adb, nh->entry, debug, now);
+	}
+}
+
+static inline void
+print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
+	fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n",
+		type, ft, ft->fetch);
+}
+
+static void
+print_fetch_list(FILE *f, dns_adbname_t *n) {
+	if (NAME_FETCH_A(n))
+		print_fetch(f, n->fetch_a, "A");
+	if (NAME_FETCH_AAAA(n))
+		print_fetch(f, n->fetch_aaaa, "AAAA");
+}
+
+static void
+print_find_list(FILE *f, dns_adbname_t *name) {
+	dns_adbfind_t *find;
+
+	find = ISC_LIST_HEAD(name->finds);
+	while (find != NULL) {
+		dns_adb_dumpfind(find, f);
+		find = ISC_LIST_NEXT(find, plink);
+	}
+}
+
+static isc_result_t
+dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_adb_t *adb;
+	dns_fixedname_t foundname;
+	dns_name_t *fname;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+	INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
+
+	fname = dns_fixedname_initname(&foundname);
+	dns_rdataset_init(&rdataset);
+
+	if (rdtype == dns_rdatatype_a)
+		adbname->fetch_err = FIND_ERR_UNEXPECTED;
+	else
+		adbname->fetch6_err = FIND_ERR_UNEXPECTED;
+
+	/*
+	 * We need to specify whether to search static-stub zones (if
+	 * configured) depending on whether this is a "start at zone" lookup,
+	 * i.e., whether it's a "bailiwick" glue.  If it's bailiwick (in which
+	 * case NAME_STARTATZONE is set) we need to stop the search at any
+	 * matching static-stub zone without looking into the cache to honor
+	 * the configuration on which server we should send queries to.
+	 */
+	result = dns_view_find2(adb->view, &adbname->name, rdtype, now,
+				NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
+				NAME_HINTOK(adbname),
+				(adbname->flags & NAME_STARTATZONE) != 0 ?
+				true : false,
+				NULL, NULL, fname, &rdataset, NULL);
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (result) {
+	case DNS_R_GLUE:
+	case DNS_R_HINT:
+	case ISC_R_SUCCESS:
+		/*
+		 * Found in the database.  Even if we can't copy out
+		 * any information, return success, or else a fetch
+		 * will be made, which will only make things worse.
+		 */
+		if (rdtype == dns_rdatatype_a)
+			adbname->fetch_err = FIND_ERR_SUCCESS;
+		else
+			adbname->fetch6_err = FIND_ERR_SUCCESS;
+		result = import_rdataset(adbname, &rdataset, now);
+		break;
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+		/*
+		 * We're authoritative and the data doesn't exist.
+		 * Make up a negative cache entry so we don't ask again
+		 * for a while.
+		 *
+		 * XXXRTH  What time should we use?  I'm putting in 30 seconds
+		 * for now.
+		 */
+		if (rdtype == dns_rdatatype_a) {
+			adbname->expire_v4 = now + 30;
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching auth negative entry for A",
+			   adbname);
+			if (result == DNS_R_NXDOMAIN)
+				adbname->fetch_err = FIND_ERR_NXDOMAIN;
+			else
+				adbname->fetch_err = FIND_ERR_NXRRSET;
+		} else {
+			DP(NCACHE_LEVEL,
+			   "adb name %p: Caching auth negative entry for AAAA",
+			   adbname);
+			adbname->expire_v6 = now + 30;
+			if (result == DNS_R_NXDOMAIN)
+				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+			else
+				adbname->fetch6_err = FIND_ERR_NXRRSET;
+		}
+		break;
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+		/*
+		 * We found a negative cache entry.  Pull the TTL from it
+		 * so we won't ask again for a while.
+		 */
+		rdataset.ttl = ttlclamp(rdataset.ttl);
+		if (rdtype == dns_rdatatype_a) {
+			adbname->expire_v4 = rdataset.ttl + now;
+			if (result == DNS_R_NCACHENXDOMAIN)
+				adbname->fetch_err = FIND_ERR_NXDOMAIN;
+			else
+				adbname->fetch_err = FIND_ERR_NXRRSET;
+			DP(NCACHE_LEVEL,
+			  "adb name %p: Caching negative entry for A (ttl %u)",
+			   adbname, rdataset.ttl);
+		} else {
+			DP(NCACHE_LEVEL,
+		       "adb name %p: Caching negative entry for AAAA (ttl %u)",
+			   adbname, rdataset.ttl);
+			adbname->expire_v6 = rdataset.ttl + now;
+			if (result == DNS_R_NCACHENXDOMAIN)
+				adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+			else
+				adbname->fetch6_err = FIND_ERR_NXRRSET;
+		}
+		break;
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+		/*
+		 * Clear the hint and glue flags, so this will match
+		 * more often.
+		 */
+		adbname->flags &= ~(DNS_ADBFIND_GLUEOK | DNS_ADBFIND_HINTOK);
+
+		rdataset.ttl = ttlclamp(rdataset.ttl);
+		clean_target(adb, &adbname->target);
+		adbname->expire_target = INT_MAX;
+		result = set_target(adb, &adbname->name, fname, &rdataset,
+				    &adbname->target);
+		if (result == ISC_R_SUCCESS) {
+			result = DNS_R_ALIAS;
+			DP(NCACHE_LEVEL,
+			   "adb name %p: caching alias target",
+			   adbname);
+			adbname->expire_target = rdataset.ttl + now;
+		}
+		if (rdtype == dns_rdatatype_a)
+			adbname->fetch_err = FIND_ERR_SUCCESS;
+		else
+			adbname->fetch6_err = FIND_ERR_SUCCESS;
+		break;
+	}
+
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+
+	return (result);
+}
+
+static void
+fetch_callback(isc_task_t *task, isc_event_t *ev) {
+	dns_fetchevent_t *dev;
+	dns_adbname_t *name;
+	dns_adb_t *adb;
+	dns_adbfetch_t *fetch;
+	int bucket;
+	isc_eventtype_t ev_status;
+	isc_stdtime_t now;
+	isc_result_t result;
+	unsigned int address_type;
+	bool want_check_exit = false;
+
+	UNUSED(task);
+
+	INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
+	dev = (dns_fetchevent_t *)ev;
+	name = ev->ev_arg;
+	INSIST(DNS_ADBNAME_VALID(name));
+	adb = name->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	bucket = name->lock_bucket;
+	LOCK(&adb->namelocks[bucket]);
+
+	INSIST(NAME_FETCH_A(name) || NAME_FETCH_AAAA(name));
+	address_type = 0;
+	if (NAME_FETCH_A(name) && (name->fetch_a->fetch == dev->fetch)) {
+		address_type = DNS_ADBFIND_INET;
+		fetch = name->fetch_a;
+		name->fetch_a = NULL;
+	} else if (NAME_FETCH_AAAA(name)
+		   && (name->fetch_aaaa->fetch == dev->fetch)) {
+		address_type = DNS_ADBFIND_INET6;
+		fetch = name->fetch_aaaa;
+		name->fetch_aaaa = NULL;
+	} else
+		fetch = NULL;
+
+	INSIST(address_type != 0 && fetch != NULL);
+
+	dns_resolver_destroyfetch(&fetch->fetch);
+	dev->fetch = NULL;
+
+	ev_status = DNS_EVENT_ADBNOMOREADDRESSES;
+
+	/*
+	 * Cleanup things we don't care about.
+	 */
+	if (dev->node != NULL)
+		dns_db_detachnode(dev->db, &dev->node);
+	if (dev->db != NULL)
+		dns_db_detach(&dev->db);
+
+	/*
+	 * If this name is marked as dead, clean up, throwing away
+	 * potentially good data.
+	 */
+	if (NAME_DEAD(name)) {
+		free_adbfetch(adb, &fetch);
+		isc_event_free(&ev);
+
+		want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
+
+		UNLOCK(&adb->namelocks[bucket]);
+
+		if (want_check_exit) {
+			LOCK(&adb->lock);
+			check_exit(adb);
+			UNLOCK(&adb->lock);
+		}
+
+		return;
+	}
+
+	isc_stdtime_get(&now);
+
+	/*
+	 * If we got a negative cache response, remember it.
+	 */
+	if (NCACHE_RESULT(dev->result)) {
+		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+		if (address_type == DNS_ADBFIND_INET) {
+			DP(NCACHE_LEVEL, "adb fetch name %p: "
+			   "caching negative entry for A (ttl %u)",
+			   name, dev->rdataset->ttl);
+			name->expire_v4 = ISC_MIN(name->expire_v4,
+						  dev->rdataset->ttl + now);
+			if (dev->result == DNS_R_NCACHENXDOMAIN)
+				name->fetch_err = FIND_ERR_NXDOMAIN;
+			else
+				name->fetch_err = FIND_ERR_NXRRSET;
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
+		} else {
+			DP(NCACHE_LEVEL, "adb fetch name %p: "
+			   "caching negative entry for AAAA (ttl %u)",
+			   name, dev->rdataset->ttl);
+			name->expire_v6 = ISC_MIN(name->expire_v6,
+						  dev->rdataset->ttl + now);
+			if (dev->result == DNS_R_NCACHENXDOMAIN)
+				name->fetch6_err = FIND_ERR_NXDOMAIN;
+			else
+				name->fetch6_err = FIND_ERR_NXRRSET;
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
+		}
+		goto out;
+	}
+
+	/*
+	 * Handle CNAME/DNAME.
+	 */
+	if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
+		dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+		clean_target(adb, &name->target);
+		name->expire_target = INT_MAX;
+		result = set_target(adb, &name->name,
+				    dns_fixedname_name(&dev->foundname),
+				    dev->rdataset,
+				    &name->target);
+		if (result == ISC_R_SUCCESS) {
+			DP(NCACHE_LEVEL,
+			   "adb fetch name %p: caching alias target",
+			   name);
+			name->expire_target = dev->rdataset->ttl + now;
+		}
+		goto check_result;
+	}
+
+	/*
+	 * Did we get back junk?  If so, and there are no more fetches
+	 * sitting out there, tell all the finds about it.
+	 */
+	if (dev->result != ISC_R_SUCCESS) {
+		char buf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(&name->name, buf, sizeof(buf));
+		DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+		   buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+		   dns_result_totext(dev->result));
+		/*
+		 * Don't record a failure unless this is the initial
+		 * fetch of a chain.
+		 */
+		if (fetch->depth > 1)
+			goto out;
+		/* XXXMLG Don't pound on bad servers. */
+		if (address_type == DNS_ADBFIND_INET) {
+			name->expire_v4 = ISC_MIN(name->expire_v4, now + 10);
+			name->fetch_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
+		} else {
+			name->expire_v6 = ISC_MIN(name->expire_v6, now + 10);
+			name->fetch6_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
+		}
+		goto out;
+	}
+
+	/*
+	 * We got something potentially useful.
+	 */
+	result = import_rdataset(name, &fetch->rdataset, now);
+
+ check_result:
+	if (result == ISC_R_SUCCESS) {
+		ev_status = DNS_EVENT_ADBMOREADDRESSES;
+		if (address_type == DNS_ADBFIND_INET)
+			name->fetch_err = FIND_ERR_SUCCESS;
+		else
+			name->fetch6_err = FIND_ERR_SUCCESS;
+	}
+
+ out:
+	free_adbfetch(adb, &fetch);
+	isc_event_free(&ev);
+
+	clean_finds_at_name(name, ev_status, address_type);
+
+	UNLOCK(&adb->namelocks[bucket]);
+}
+
+static isc_result_t
+fetch_name(dns_adbname_t *adbname, bool start_at_zone,
+	   unsigned int depth, isc_counter_t *qc, dns_rdatatype_t type)
+{
+	isc_result_t result;
+	dns_adbfetch_t *fetch = NULL;
+	dns_adb_t *adb;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t *nameservers;
+	unsigned int options;
+
+	INSIST(DNS_ADBNAME_VALID(adbname));
+	adb = adbname->adb;
+	INSIST(DNS_ADB_VALID(adb));
+
+	INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
+	       (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
+
+	adbname->fetch_err = FIND_ERR_NOTFOUND;
+
+	name = NULL;
+	nameservers = NULL;
+	dns_rdataset_init(&rdataset);
+
+	options = DNS_FETCHOPT_NOVALIDATE;
+	if (start_at_zone) {
+		DP(ENTER_LEVEL,
+		   "fetch_name: starting at zone for name %p",
+		   adbname);
+		name = dns_fixedname_initname(&fixed);
+		result = dns_view_findzonecut2(adb->view, &adbname->name, name,
+					       0, 0, true, false,
+					       &rdataset, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_HINT)
+			goto cleanup;
+		nameservers = &rdataset;
+		options |= DNS_FETCHOPT_UNSHARED;
+	}
+
+	fetch = new_adbfetch(adb);
+	if (fetch == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	fetch->depth = depth;
+
+	result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
+					   type, name, nameservers, NULL,
+					   NULL, 0, options, depth, qc,
+					   adb->task, fetch_callback, adbname,
+					   &fetch->rdataset, NULL,
+					   &fetch->fetch);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (type == dns_rdatatype_a) {
+		adbname->fetch_a = fetch;
+		inc_stats(adb, dns_resstatscounter_gluefetchv4);
+	} else {
+		adbname->fetch_aaaa = fetch;
+		inc_stats(adb, dns_resstatscounter_gluefetchv6);
+	}
+	fetch = NULL;  /* Keep us from cleaning this up below. */
+
+ cleanup:
+	if (fetch != NULL)
+		free_adbfetch(adb, &fetch);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+
+	return (result);
+}
+
+/*
+ * XXXMLG Needs to take a find argument and an address info, no zone or adb,
+ * since these can be extracted from the find itself.
+ */
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
+		 dns_rdatatype_t qtype, isc_stdtime_t expire_time)
+{
+	dns_adblameinfo_t *li;
+	int bucket;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	REQUIRE(qname != NULL);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	li = ISC_LIST_HEAD(addr->entry->lameinfo);
+	while (li != NULL &&
+	       (li->qtype != qtype || !dns_name_equal(qname, &li->qname)))
+		li = ISC_LIST_NEXT(li, plink);
+	if (li != NULL) {
+		if (expire_time > li->lame_timer)
+			li->lame_timer = expire_time;
+		goto unlock;
+	}
+	li = new_adblameinfo(adb, qname, qtype);
+	if (li == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto unlock;
+	}
+
+	li->lame_timer = expire_time;
+
+	ISC_LIST_PREPEND(addr->entry->lameinfo, li, plink);
+ unlock:
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		   unsigned int rtt, unsigned int factor)
+{
+	int bucket;
+	isc_stdtime_t now = 0;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	REQUIRE(factor <= 10);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->expires == 0 || factor == DNS_ADB_RTTADJAGE)
+		isc_stdtime_get(&now);
+	adjustsrtt(addr, rtt, factor, now);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_agesrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, isc_stdtime_t now) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	adjustsrtt(addr, 0, DNS_ADB_RTTADJAGE, now);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static void
+adjustsrtt(dns_adbaddrinfo_t *addr, unsigned int rtt, unsigned int factor,
+	   isc_stdtime_t now)
+{
+	uint64_t new_srtt;
+
+	if (factor == DNS_ADB_RTTADJAGE) {
+		if (addr->entry->lastage != now) {
+			new_srtt = addr->entry->srtt;
+			new_srtt <<= 9;
+			new_srtt -= addr->entry->srtt;
+			new_srtt >>= 9;
+			addr->entry->lastage = now;
+		} else
+			new_srtt = addr->entry->srtt;
+	} else
+		new_srtt = ((uint64_t)addr->entry->srtt / 10 * factor)
+			+ ((uint64_t)rtt / 10 * (10 - factor));
+
+	addr->entry->srtt = (unsigned int) new_srtt;
+	addr->srtt = (unsigned int) new_srtt;
+
+	if (addr->entry->expires == 0)
+		addr->entry->expires = now + ADB_ENTRY_WINDOW;
+}
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		    unsigned int bits, unsigned int mask)
+{
+	int bucket;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	REQUIRE((bits & ENTRY_IS_DEAD) == 0);
+	REQUIRE((mask & ENTRY_IS_DEAD) == 0);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
+	if (addr->entry->expires == 0) {
+		isc_stdtime_get(&now);
+		addr->entry->expires = now + ADB_ENTRY_WINDOW;
+	}
+
+	/*
+	 * Note that we do not update the other bits in addr->flags with
+	 * the most recent values from addr->entry->flags.
+	 */
+	addr->flags = (addr->flags & ~mask) | (bits & mask);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+/*
+ * (10000 / ((10 + n) / 10)^(3/2)) for n in 0..99.
+ * These will be used to make quota adjustments.
+ */
+static int quota_adj[] = {
+	10000, 8668, 7607, 6747, 6037, 5443, 4941, 4512, 4141,
+	3818, 3536, 3286, 3065, 2867, 2690, 2530, 2385, 2254,
+	2134, 2025, 1925, 1832, 1747, 1668, 1595, 1527, 1464,
+	1405, 1350, 1298, 1250, 1205, 1162, 1121, 1083, 1048,
+	1014, 981, 922, 894, 868, 843, 820, 797, 775, 755,
+	735, 716, 698, 680, 664, 648, 632, 618, 603, 590, 577,
+	564, 552, 540, 529, 518, 507, 497, 487, 477, 468, 459,
+	450, 442, 434, 426, 418, 411, 404, 397, 390, 383, 377,
+	370, 364, 358, 353, 347, 342, 336, 331, 326, 321, 316,
+	312, 307, 303, 298, 294, 290, 286, 282, 278
+};
+
+#define QUOTA_ADJ_SIZE (sizeof(quota_adj)/sizeof(quota_adj[0]))
+
+/*
+ * Caller must hold adbentry lock
+ */
+static void
+maybe_adjust_quota(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		   bool timeout)
+{
+	double tr;
+
+	UNUSED(adb);
+
+	if (adb->quota == 0 || adb->atr_freq == 0)
+		return;
+
+	if (timeout)
+		addr->entry->timeouts++;
+
+	if (addr->entry->completed++ <= adb->atr_freq)
+		return;
+
+	/*
+	 * Calculate an exponential rolling average of the timeout ratio
+	 *
+	 * XXX: Integer arithmetic might be better than floating point
+	 */
+	tr = (double) addr->entry->timeouts / addr->entry->completed;
+	addr->entry->timeouts = addr->entry->completed = 0;
+	INSIST(addr->entry->atr >= 0.0);
+	INSIST(addr->entry->atr <= 1.0);
+	INSIST(adb->atr_discount >= 0.0);
+	INSIST(adb->atr_discount <= 1.0);
+	addr->entry->atr *= 1.0 - adb->atr_discount;
+	addr->entry->atr += tr * adb->atr_discount;
+	addr->entry->atr = ISC_CLAMP(addr->entry->atr, 0.0, 1.0);
+
+	if (addr->entry->atr < adb->atr_low && addr->entry->mode > 0) {
+		addr->entry->quota = adb->quota *
+			quota_adj[--addr->entry->mode] / 10000;
+		log_quota(addr->entry, "atr %0.2f, quota increased to %u",
+			  addr->entry->atr, addr->entry->quota);
+	} else if (addr->entry->atr > adb->atr_high &&
+		   addr->entry->mode < (QUOTA_ADJ_SIZE - 1)) {
+		addr->entry->quota = adb->quota *
+			quota_adj[++addr->entry->mode] / 10000;
+		log_quota(addr->entry, "atr %0.2f, quota decreased to %u",
+			  addr->entry->atr, addr->entry->quota);
+	}
+
+	/* Ensure we don't drop to zero */
+	if (addr->entry->quota == 0)
+		addr->entry->quota = 1;
+}
+
+#define EDNSTOS 3U
+bool
+dns_adb_noedns(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+	bool noedns = false;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->edns == 0U &&
+	    (addr->entry->plain > EDNSTOS || addr->entry->to4096 > EDNSTOS)) {
+		if (((addr->entry->plain + addr->entry->to4096) & 0x3f) != 0) {
+			noedns = true;
+		} else {
+			/*
+			 * Increment plain so we don't get stuck.
+			 */
+			addr->entry->plain++;
+			if (addr->entry->plain == 0xff) {
+				addr->entry->edns >>= 1;
+				addr->entry->to4096 >>= 1;
+				addr->entry->to1432 >>= 1;
+				addr->entry->to1232 >>= 1;
+				addr->entry->to512 >>= 1;
+				addr->entry->plain >>= 1;
+				addr->entry->plainto >>= 1;
+			}
+		 }
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+	return (noedns);
+}
+
+void
+dns_adb_plainresponse(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, false);
+
+	addr->entry->plain++;
+	if (addr->entry->plain == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_timeout(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, true);
+
+	/*
+	 * If we have not had a successful query then clear all
+	 * edns timeout information.
+	 */
+	if (addr->entry->edns == 0 && addr->entry->plain == 0) {
+		addr->entry->to512 = 0;
+		addr->entry->to1232 = 0;
+		addr->entry->to1432 = 0;
+		addr->entry->to4096 = 0;
+	} else {
+		addr->entry->to512 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to4096 >>= 1;
+	}
+
+	addr->entry->plainto++;
+	if (addr->entry->plainto == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_ednsto(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	maybe_adjust_quota(adb, addr, true);
+
+	if (size <= 512U) {
+		if (addr->entry->to512 <= EDNSTOS) {
+			addr->entry->to512++;
+			addr->entry->to1232++;
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else if (size <= 1232U) {
+		if (addr->entry->to1232 <= EDNSTOS) {
+			addr->entry->to1232++;
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else if (size <= 1432U) {
+		if (addr->entry->to1432 <= EDNSTOS) {
+			addr->entry->to1432++;
+			addr->entry->to4096++;
+		}
+	} else {
+		if (addr->entry->to4096 <= EDNSTOS)
+			addr->entry->to4096++;
+	}
+
+	if (addr->entry->to4096 == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_setudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (size < 512U)
+		size = 512U;
+	if (size > addr->entry->udpsize)
+		addr->entry->udpsize = size;
+
+	maybe_adjust_quota(adb, addr, false);
+
+	addr->entry->edns++;
+	if (addr->entry->edns == 0xff) {
+		addr->entry->edns >>= 1;
+		addr->entry->to4096 >>= 1;
+		addr->entry->to1432 >>= 1;
+		addr->entry->to1232 >>= 1;
+		addr->entry->to512 >>= 1;
+		addr->entry->plain >>= 1;
+		addr->entry->plainto >>= 1;
+	}
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+unsigned int
+dns_adb_getudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+	unsigned int size;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	size = addr->entry->udpsize;
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (size);
+}
+
+unsigned int
+dns_adb_probesize(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	return dns_adb_probesize2(adb, addr, 0);
+}
+
+unsigned int
+dns_adb_probesize2(dns_adb_t *adb, dns_adbaddrinfo_t *addr, int lookups) {
+	int bucket;
+	unsigned int size;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (addr->entry->to1232 > EDNSTOS || lookups >= 2)
+		size = 512;
+	else if (addr->entry->to1432 > EDNSTOS || lookups >= 1)
+		size = 1232;
+	else if (addr->entry->to4096 > EDNSTOS)
+		size = 1432;
+	else
+		size = 4096;
+	/*
+	 * Don't shrink probe size below what we have seen due to multiple
+	 * lookups.
+	 */
+	if (lookups > 0 &&
+	    size < addr->entry->udpsize && addr->entry->udpsize < 4096)
+		size = addr->entry->udpsize;
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (size);
+}
+
+void
+dns_adb_setcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  const unsigned char *cookie, size_t len)
+{
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (addr->entry->cookie != NULL &&
+	    (cookie == NULL || len != addr->entry->cookielen)) {
+		isc_mem_put(adb->mctx, addr->entry->cookie,
+			    addr->entry->cookielen);
+		addr->entry->cookie = NULL;
+		addr->entry->cookielen = 0;
+	}
+
+	if (addr->entry->cookie == NULL && cookie != NULL && len != 0U) {
+		addr->entry->cookie = isc_mem_get(adb->mctx, len);
+		if (addr->entry->cookie != NULL)
+			addr->entry->cookielen = (uint16_t)len;
+	}
+
+	if (addr->entry->cookie != NULL)
+		memmove(addr->entry->cookie, cookie, len);
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+size_t
+dns_adb_getcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  unsigned char *cookie, size_t len)
+{
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+	if (cookie != NULL && addr->entry->cookie != NULL &&
+	    len >= addr->entry->cookielen)
+	{
+		memmove(cookie, addr->entry->cookie, addr->entry->cookielen);
+		len = addr->entry->cookielen;
+	} else
+		len = 0;
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (len);
+}
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
+		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now)
+{
+	int bucket;
+	dns_adbentry_t *entry;
+	dns_adbaddrinfo_t *addr;
+	isc_result_t result;
+	in_port_t port;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(addrp != NULL && *addrp == NULL);
+
+	UNUSED(now);
+
+	result = ISC_R_SUCCESS;
+	bucket = DNS_ADB_INVALIDBUCKET;
+	entry = find_entry_and_lock(adb, sa, &bucket, now);
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+	if (adb->entry_sd[bucket]) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto unlock;
+	}
+	if (entry == NULL) {
+		/*
+		 * We don't know anything about this address.
+		 */
+		entry = new_adbentry(adb);
+		if (entry == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto unlock;
+		}
+		entry->sockaddr = *sa;
+		link_entry(adb, bucket, entry);
+		DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
+	} else
+		DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
+
+	port = isc_sockaddr_getport(sa);
+	addr = new_adbaddrinfo(adb, entry, port);
+	if (addr == NULL) {
+		result = ISC_R_NOMEMORY;
+	} else {
+		inc_entry_refcnt(adb, entry, false);
+		*addrp = addr;
+	}
+
+ unlock:
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	return (result);
+}
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
+	dns_adbaddrinfo_t *addr;
+	dns_adbentry_t *entry;
+	int bucket;
+	isc_stdtime_t now;
+	bool want_check_exit = false;
+	bool overmem;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(addrp != NULL);
+	addr = *addrp;
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+	entry = addr->entry;
+	REQUIRE(DNS_ADBENTRY_VALID(entry));
+
+	*addrp = NULL;
+	overmem = isc_mem_isovermem(adb->mctx);
+
+	bucket = addr->entry->lock_bucket;
+	LOCK(&adb->entrylocks[bucket]);
+
+	if (entry->expires == 0) {
+		isc_stdtime_get(&now);
+		entry->expires = now + ADB_ENTRY_WINDOW;
+	}
+
+	want_check_exit = dec_entry_refcnt(adb, overmem, entry, false);
+
+	UNLOCK(&adb->entrylocks[bucket]);
+
+	addr->entry = NULL;
+	free_adbaddrinfo(adb, &addr);
+
+	if (want_check_exit) {
+		LOCK(&adb->lock);
+		check_exit(adb);
+		UNLOCK(&adb->lock);
+	}
+}
+
+void
+dns_adb_flush(dns_adb_t *adb) {
+	unsigned int i;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	LOCK(&adb->lock);
+
+	/*
+	 * Call our cleanup routines.
+	 */
+	for (i = 0; i < adb->nnames; i++)
+		RUNTIME_CHECK(cleanup_names(adb, i, INT_MAX) == false);
+	for (i = 0; i < adb->nentries; i++)
+		RUNTIME_CHECK(cleanup_entries(adb, i, INT_MAX) == false);
+
+#ifdef DUMP_ADB_AFTER_CLEANING
+	dump_adb(adb, stdout, true, INT_MAX);
+#endif
+
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
+	dns_adbname_t *adbname;
+	dns_adbname_t *nextname;
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(name != NULL);
+
+	LOCK(&adb->lock);
+	bucket = dns_name_hash(name, false) % adb->nnames;
+	LOCK(&adb->namelocks[bucket]);
+	adbname = ISC_LIST_HEAD(adb->names[bucket]);
+	while (adbname != NULL) {
+		nextname = ISC_LIST_NEXT(adbname, plink);
+		if (!NAME_DEAD(adbname) &&
+		    dns_name_equal(name, &adbname->name)) {
+			RUNTIME_CHECK(kill_name(&adbname,
+						DNS_EVENT_ADBCANCELED) ==
+				      false);
+		}
+		adbname = nextname;
+	}
+	UNLOCK(&adb->namelocks[bucket]);
+	UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_flushnames(dns_adb_t *adb, dns_name_t *name) {
+	dns_adbname_t *adbname, *nextname;
+	unsigned int i;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(name != NULL);
+
+	LOCK(&adb->lock);
+	for (i = 0; i < adb->nnames; i++) {
+		LOCK(&adb->namelocks[i]);
+		adbname = ISC_LIST_HEAD(adb->names[i]);
+		while (adbname != NULL) {
+			bool ret;
+			nextname = ISC_LIST_NEXT(adbname, plink);
+			if (!NAME_DEAD(adbname) &&
+			    dns_name_issubdomain(&adbname->name, name))
+			{
+				ret = kill_name(&adbname,
+						DNS_EVENT_ADBCANCELED);
+				RUNTIME_CHECK(ret == false);
+			}
+			adbname = nextname;
+		}
+		UNLOCK(&adb->namelocks[i]);
+	}
+	UNLOCK(&adb->lock);
+}
+
+static void
+water(void *arg, int mark) {
+	/*
+	 * We're going to change the way to handle overmem condition: use
+	 * isc_mem_isovermem() instead of storing the state via this callback,
+	 * since the latter way tends to cause race conditions.
+	 * To minimize the change, and in case we re-enable the callback
+	 * approach, however, keep this function at the moment.
+	 */
+
+	dns_adb_t *adb = arg;
+	bool overmem = (mark == ISC_MEM_HIWATER);
+
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	DP(ISC_LOG_DEBUG(1),
+	   "adb reached %s water mark", overmem ? "high" : "low");
+}
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, size_t size) {
+	size_t hiwater, lowater;
+
+	INSIST(DNS_ADB_VALID(adb));
+
+	if (size != 0U && size < DNS_ADB_MINADBSIZE)
+		size = DNS_ADB_MINADBSIZE;
+
+	hiwater = size - (size >> 3);   /* Approximately 7/8ths. */
+	lowater = size - (size >> 2);   /* Approximately 3/4ths. */
+
+	if (size == 0U || hiwater == 0U || lowater == 0U)
+		isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+	else
+		isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
+}
+
+void
+dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq,
+		 double low, double high, double discount)
+{
+	REQUIRE(DNS_ADB_VALID(adb));
+
+	adb->quota = quota;
+	adb->atr_freq = freq;
+	adb->atr_low = low;
+	adb->atr_high = high;
+	adb->atr_discount = discount;
+}
+
+bool
+dns_adbentry_overquota(dns_adbentry_t *entry) {
+	bool block;
+	REQUIRE(DNS_ADBENTRY_VALID(entry));
+	block = (entry->quota != 0 && entry->active >= entry->quota);
+	return (block);
+}
+
+void
+dns_adb_beginudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+
+	LOCK(&adb->entrylocks[bucket]);
+	addr->entry->active++;
+	UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_endudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr) {
+	int bucket;
+
+	REQUIRE(DNS_ADB_VALID(adb));
+	REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+	bucket = addr->entry->lock_bucket;
+
+	LOCK(&adb->entrylocks[bucket]);
+	if (addr->entry->active > 0)
+		addr->entry->active--;
+	UNLOCK(&adb->entrylocks[bucket]);
+}
diff --git a/lib/dns/api b/lib/dns/api
new file mode 100644
index 0000000..d94b0e6
--- /dev/null
+++ b/lib/dns/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 1104
+LIBREVISION = 2
+LIBAGE = 0
diff --git a/lib/dns/badcache.c b/lib/dns/badcache.c
new file mode 100644
index 0000000..5c784be
--- /dev/null
+++ b/lib/dns/badcache.c
@@ -0,0 +1,440 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/badcache.h>
+#include <dns/name.h>
+#include <dns/rdatatype.h>
+#include <dns/types.h>
+
+typedef struct dns_bcentry dns_bcentry_t;
+
+struct dns_badcache {
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	isc_mem_t		*mctx;
+
+	dns_bcentry_t 		**table;
+	unsigned int 		count;
+	unsigned int 		minsize;
+	unsigned int 		size;
+	unsigned int 		sweep;
+};
+
+#define BADCACHE_MAGIC                   ISC_MAGIC('B', 'd', 'C', 'a')
+#define VALID_BADCACHE(m)                ISC_MAGIC_VALID(m, BADCACHE_MAGIC)
+
+struct dns_bcentry {
+	dns_bcentry_t *		next;
+	dns_rdatatype_t 	type;
+	isc_time_t		expire;
+	uint32_t		flags;
+	unsigned int		hashval;
+	dns_name_t		name;
+};
+
+static isc_result_t
+badcache_resize(dns_badcache_t *bc, isc_time_t *now, bool grow);
+
+isc_result_t
+dns_badcache_init(isc_mem_t *mctx, unsigned int size, dns_badcache_t **bcp) {
+	isc_result_t result;
+	dns_badcache_t *bc = NULL;
+
+	REQUIRE(bcp != NULL && *bcp == NULL);
+	REQUIRE(mctx != NULL);
+
+	bc = isc_mem_get(mctx, sizeof(dns_badcache_t));
+	if (bc == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(bc, 0, sizeof(dns_badcache_t));
+
+	isc_mem_attach(mctx, &bc->mctx);
+	result = isc_mutex_init(&bc->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	bc->table = isc_mem_get(bc->mctx, sizeof(*bc->table) * size);
+	if (bc->table == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto destroy_lock;
+	}
+
+	bc->size = bc->minsize = size;
+	memset(bc->table, 0, bc->size * sizeof(dns_bcentry_t *));
+
+	bc->count = 0;
+	bc->sweep = 0;
+	bc->magic = BADCACHE_MAGIC;
+
+	*bcp = bc;
+	return (ISC_R_SUCCESS);
+
+ destroy_lock:
+	DESTROYLOCK(&bc->lock);
+ cleanup:
+	isc_mem_putanddetach(&bc->mctx, bc, sizeof(dns_badcache_t));
+	return (result);
+}
+
+void
+dns_badcache_destroy(dns_badcache_t **bcp) {
+	dns_badcache_t *bc;
+
+	REQUIRE(bcp != NULL && *bcp != NULL);
+	bc = *bcp;
+
+	dns_badcache_flush(bc);
+
+	bc->magic = 0;
+	DESTROYLOCK(&bc->lock);
+	isc_mem_put(bc->mctx, bc->table, sizeof(dns_bcentry_t *) * bc->size);
+	isc_mem_putanddetach(&bc->mctx, bc, sizeof(dns_badcache_t));
+	*bcp = NULL;
+}
+
+static isc_result_t
+badcache_resize(dns_badcache_t *bc, isc_time_t *now, bool grow) {
+	dns_bcentry_t **newtable, *bad, *next;
+	unsigned int newsize, i;
+
+	if (grow)
+		newsize = bc->size * 2 + 1;
+	else
+		newsize = (bc->size - 1) / 2;
+
+	newtable = isc_mem_get(bc->mctx, sizeof(dns_bcentry_t *) * newsize);
+	if (newtable == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(newtable, 0, sizeof(dns_bcentry_t *) * newsize);
+
+	for (i = 0; bc->count > 0 && i < bc->size; i++) {
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			if (isc_time_compare(&bad->expire, now) < 0) {
+				isc_mem_put(bc->mctx, bad,
+					    sizeof(*bad) + bad->name.length);
+				bc->count--;
+			} else {
+				bad->next = newtable[bad->hashval % newsize];
+				newtable[bad->hashval % newsize] = bad;
+			}
+		}
+		bc->table[i] = NULL;
+	}
+
+	isc_mem_put(bc->mctx, bc->table, sizeof(*bc->table) * bc->size);
+	bc->size = newsize;
+	bc->table = newtable;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_badcache_add(dns_badcache_t *bc, dns_name_t *name,
+		 dns_rdatatype_t type, bool update,
+		 uint32_t flags, isc_time_t *expire)
+{
+	isc_result_t result;
+	unsigned int i, hashval;
+	dns_bcentry_t *bad, *prev, *next;
+	isc_time_t now;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+	REQUIRE(expire != NULL);
+
+	LOCK(&bc->lock);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS)
+		isc_time_settoepoch(&now);
+
+	hashval = dns_name_hash(name, false);
+	i = hashval % bc->size;
+	prev = NULL;
+	for (bad = bc->table[i]; bad != NULL; bad = next) {
+		next = bad->next;
+		if (bad->type == type && dns_name_equal(name, &bad->name)) {
+			if (update) {
+				bad->expire = *expire;
+				bad->flags = flags;
+			}
+			break;
+		}
+		if (isc_time_compare(&bad->expire, &now) < 0) {
+			if (prev == NULL)
+				bc->table[i] = bad->next;
+			else
+				prev->next = bad->next;
+			isc_mem_put(bc->mctx, bad,
+				    sizeof(*bad) + bad->name.length);
+			bc->count--;
+		} else
+			prev = bad;
+	}
+
+	if (bad == NULL) {
+		isc_buffer_t buffer;
+		bad = isc_mem_get(bc->mctx, sizeof(*bad) + name->length);
+		if (bad == NULL)
+			goto cleanup;
+		bad->type = type;
+		bad->hashval = hashval;
+		bad->expire = *expire;
+		bad->flags = flags;
+		isc_buffer_init(&buffer, bad + 1, name->length);
+		dns_name_init(&bad->name, NULL);
+		dns_name_copy(name, &bad->name, &buffer);
+		bad->next = bc->table[i];
+		bc->table[i] = bad;
+		bc->count++;
+		if (bc->count > bc->size * 8)
+			badcache_resize(bc, &now, true);
+		if (bc->count < bc->size * 2 && bc->size > bc->minsize)
+			badcache_resize(bc, &now, false);
+	} else
+		bad->expire = *expire;
+
+ cleanup:
+	UNLOCK(&bc->lock);
+}
+
+bool
+dns_badcache_find(dns_badcache_t *bc, dns_name_t *name,
+		  dns_rdatatype_t type, uint32_t *flagp,
+		  isc_time_t *now)
+{
+	dns_bcentry_t *bad, *prev, *next;
+	bool answer = false;
+	unsigned int i;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+	REQUIRE(now != NULL);
+
+	LOCK(&bc->lock);
+
+	/*
+	 * XXXMUKS: dns_name_equal() is expensive as it does a
+	 * octet-by-octet comparison, and it can be made better in two
+	 * ways here. First, lowercase the names (use
+	 * dns_name_downcase() instead of dns_name_copy() in
+	 * dns_badcache_add()) so that dns_name_caseequal() can be used
+	 * which the compiler will emit as SIMD instructions. Second,
+	 * don't put multiple copies of the same name in the chain (or
+	 * multiple names will have to be matched for equality), but use
+	 * name->link to store the type specific part.
+	 */
+
+	if (bc->count == 0)
+		goto skip;
+
+	i = dns_name_hash(name, false) % bc->size;
+	prev = NULL;
+	for (bad = bc->table[i]; bad != NULL; bad = next) {
+		next = bad->next;
+		/*
+		 * Search the hash list. Clean out expired records as we go.
+		 */
+		if (isc_time_compare(&bad->expire, now) < 0) {
+			if (prev != NULL)
+				prev->next = bad->next;
+			else
+				bc->table[i] = bad->next;
+
+			isc_mem_put(bc->mctx, bad, sizeof(*bad) +
+				    bad->name.length);
+			bc->count--;
+			continue;
+		}
+		if (bad->type == type && dns_name_equal(name, &bad->name)) {
+			if (flagp != NULL)
+				*flagp = bad->flags;
+			answer = true;
+			break;
+		}
+		prev = bad;
+	}
+ skip:
+
+	/*
+	 * Slow sweep to clean out stale records.
+	 */
+	i = bc->sweep++ % bc->size;
+	bad = bc->table[i];
+	if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
+		bc->table[i] = bad->next;
+		isc_mem_put(bc->mctx, bad, sizeof(*bad) + bad->name.length);
+		bc->count--;
+	}
+
+	UNLOCK(&bc->lock);
+	return (answer);
+}
+
+void
+dns_badcache_flush(dns_badcache_t *bc) {
+	dns_bcentry_t *entry, *next;
+	unsigned int i;
+
+	REQUIRE(VALID_BADCACHE(bc));
+
+	for (i = 0; bc->count > 0 && i < bc->size; i++) {
+		for (entry = bc->table[i]; entry != NULL; entry = next) {
+			next = entry->next;
+			isc_mem_put(bc->mctx, entry, sizeof(*entry) +
+				    entry->name.length);
+			bc->count--;
+		}
+		bc->table[i] = NULL;
+	}
+}
+
+void
+dns_badcache_flushname(dns_badcache_t *bc, dns_name_t *name) {
+	dns_bcentry_t *bad, *prev, *next;
+	isc_result_t result;
+	isc_time_t now;
+	unsigned int i;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+
+	LOCK(&bc->lock);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS)
+		isc_time_settoepoch(&now);
+	i = dns_name_hash(name, false) % bc->size;
+	prev = NULL;
+	for (bad = bc->table[i]; bad != NULL; bad = next) {
+		int n;
+		next = bad->next;
+		n = isc_time_compare(&bad->expire, &now);
+		if (n < 0 || dns_name_equal(name, &bad->name)) {
+			if (prev == NULL)
+				bc->table[i] = bad->next;
+			else
+				prev->next = bad->next;
+
+			isc_mem_put(bc->mctx, bad, sizeof(*bad) +
+				    bad->name.length);
+			bc->count--;
+		} else
+			prev = bad;
+	}
+
+	UNLOCK(&bc->lock);
+}
+
+void
+dns_badcache_flushtree(dns_badcache_t *bc, dns_name_t *name) {
+	dns_bcentry_t *bad, *prev, *next;
+	unsigned int i;
+	int n;
+	isc_time_t now;
+	isc_result_t result;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(name != NULL);
+
+	LOCK(&bc->lock);
+
+	result = isc_time_now(&now);
+	if (result != ISC_R_SUCCESS)
+		isc_time_settoepoch(&now);
+
+	for (i = 0; bc->count > 0 && i < bc->size; i++) {
+		prev = NULL;
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			n = isc_time_compare(&bad->expire, &now);
+			if (n < 0 || dns_name_issubdomain(&bad->name, name)) {
+				if (prev == NULL)
+					bc->table[i] = bad->next;
+				else
+					prev->next = bad->next;
+
+				isc_mem_put(bc->mctx, bad, sizeof(*bad) +
+					    bad->name.length);
+				bc->count--;
+			} else
+				prev = bad;
+		}
+	}
+
+	UNLOCK(&bc->lock);
+}
+
+
+void
+dns_badcache_print(dns_badcache_t *bc, const char *cachename, FILE *fp) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	dns_bcentry_t *bad, *next, *prev;
+	isc_time_t now;
+	unsigned int i;
+	uint64_t t;
+
+	REQUIRE(VALID_BADCACHE(bc));
+	REQUIRE(cachename != NULL);
+	REQUIRE(fp != NULL);
+
+	LOCK(&bc->lock);
+	fprintf(fp, ";\n; %s\n;\n", cachename);
+
+	TIME_NOW(&now);
+	for (i = 0; bc->count > 0 && i < bc->size; i++) {
+		prev = NULL;
+		for (bad = bc->table[i]; bad != NULL; bad = next) {
+			next = bad->next;
+			if (isc_time_compare(&bad->expire, &now) < 0) {
+				if (prev != NULL)
+					prev->next = bad->next;
+				else
+					bc->table[i] = bad->next;
+
+				isc_mem_put(bc->mctx, bad, sizeof(*bad) +
+					    bad->name.length);
+				bc->count--;
+				continue;
+			}
+			prev = bad;
+			dns_name_format(&bad->name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(bad->type, typebuf,
+					     sizeof(typebuf));
+			t = isc_time_microdiff(&bad->expire, &now);
+			t /= 1000;
+			fprintf(fp, "; %s/%s [ttl "
+				"%" PRIu64 "]\n",
+				namebuf, typebuf, t);
+		}
+	}
+	UNLOCK(&bc->lock);
+}
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
new file mode 100644
index 0000000..9eece30
--- /dev/null
+++ b/lib/dns/byaddr.c
@@ -0,0 +1,315 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+/*
+ * XXXRTH  We could use a static event...
+ */
+
+static char hex_digits[] = {
+	'0', '1', '2', '3', '4', '5', '6', '7',
+	'8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
+};
+
+isc_result_t
+dns_byaddr_createptrname(isc_netaddr_t *address, bool nibble,
+			 dns_name_t *name)
+{
+	/*
+	 * We dropped bitstring labels, so all lookups will use nibbles.
+	 */
+	UNUSED(nibble);
+
+	return (dns_byaddr_createptrname2(address,
+					  DNS_BYADDROPT_IPV6INT, name));
+}
+
+isc_result_t
+dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
+			  dns_name_t *name)
+{
+	char textname[128];
+	unsigned char *bytes;
+	int i;
+	char *cp;
+	isc_buffer_t buffer;
+	unsigned int len;
+
+	REQUIRE(address != NULL);
+
+	/*
+	 * We create the text representation and then convert to a
+	 * dns_name_t.  This is not maximally efficient, but it keeps all
+	 * of the knowledge of wire format in the dns_name_ routines.
+	 */
+
+	bytes = (unsigned char *)(&address->type);
+	if (address->family == AF_INET) {
+		(void)snprintf(textname, sizeof(textname),
+			       "%u.%u.%u.%u.in-addr.arpa.",
+			       (bytes[3] & 0xffU),
+			       (bytes[2] & 0xffU),
+			       (bytes[1] & 0xffU),
+			       (bytes[0] & 0xffU));
+	} else if (address->family == AF_INET6) {
+		size_t remaining;
+
+		cp = textname;
+		for (i = 15; i >= 0; i--) {
+			*cp++ = hex_digits[bytes[i] & 0x0f];
+			*cp++ = '.';
+			*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
+			*cp++ = '.';
+		}
+		remaining = sizeof(textname) - (cp - textname);
+		if ((options & DNS_BYADDROPT_IPV6INT) != 0) {
+			strlcpy(cp, "ip6.int.", remaining);
+		} else {
+			strlcpy(cp, "ip6.arpa.", remaining);
+		}
+	} else
+		return (ISC_R_NOTIMPLEMENTED);
+
+	len = (unsigned int)strlen(textname);
+	isc_buffer_init(&buffer, textname, len);
+	isc_buffer_add(&buffer, len);
+	return (dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL));
+}
+
+struct dns_byaddr {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	isc_mutex_t		lock;
+	dns_fixedname_t		name;
+	/* Locked by lock. */
+	unsigned int		options;
+	dns_lookup_t *		lookup;
+	isc_task_t *		task;
+	dns_byaddrevent_t *	event;
+	bool		canceled;
+};
+
+#define BYADDR_MAGIC			ISC_MAGIC('B', 'y', 'A', 'd')
+#define VALID_BYADDR(b)			ISC_MAGIC_VALID(b, BYADDR_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static inline isc_result_t
+copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * The caller must be holding the byaddr's lock.
+	 */
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_ptr_t ptr;
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ptr, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		name = isc_mem_get(byaddr->mctx, sizeof(*name));
+		if (name == NULL) {
+			dns_rdata_freestruct(&ptr);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_name_init(name, NULL);
+		result = dns_name_dup(&ptr.ptr, byaddr->mctx, name);
+		dns_rdata_freestruct(&ptr);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(byaddr->mctx, name, sizeof(*name));
+			return (ISC_R_NOMEMORY);
+		}
+		ISC_LIST_APPEND(byaddr->event->names, name, link);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+static void
+lookup_done(isc_task_t *task, isc_event_t *event) {
+	dns_byaddr_t *byaddr = event->ev_arg;
+	dns_lookupevent_t *levent;
+	isc_result_t result;
+
+	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+	REQUIRE(VALID_BYADDR(byaddr));
+	REQUIRE(byaddr->task == task);
+
+	UNUSED(task);
+
+	levent = (dns_lookupevent_t *)event;
+
+	if (levent->result == ISC_R_SUCCESS) {
+		result = copy_ptr_targets(byaddr, levent->rdataset);
+		byaddr->event->result = result;
+	} else
+		byaddr->event->result = levent->result;
+	isc_event_free(&event);
+	isc_task_sendanddetach(&byaddr->task, (isc_event_t **)&byaddr->event);
+}
+
+static void
+bevent_destroy(isc_event_t *event) {
+	dns_byaddrevent_t *bevent;
+	dns_name_t *name, *next_name;
+	isc_mem_t *mctx;
+
+	REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
+	mctx = event->ev_destroy_arg;
+	bevent = (dns_byaddrevent_t *)event;
+
+	for (name = ISC_LIST_HEAD(bevent->names);
+	     name != NULL;
+	     name = next_name) {
+		next_name = ISC_LIST_NEXT(name, link);
+		ISC_LIST_UNLINK(bevent->names, name, link);
+		dns_name_free(name, mctx);
+		isc_mem_put(mctx, name, sizeof(*name));
+	}
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
+		  unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp)
+{
+	isc_result_t result;
+	dns_byaddr_t *byaddr;
+	isc_event_t *ievent;
+
+	byaddr = isc_mem_get(mctx, sizeof(*byaddr));
+	if (byaddr == NULL)
+		return (ISC_R_NOMEMORY);
+	byaddr->mctx = NULL;
+	isc_mem_attach(mctx, &byaddr->mctx);
+	byaddr->options = options;
+
+	byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
+	if (byaddr->event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_byaddr;
+	}
+	ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
+		       DNS_EVENT_BYADDRDONE, action, arg, byaddr,
+		       bevent_destroy, mctx);
+	byaddr->event->result = ISC_R_FAILURE;
+	ISC_LIST_INIT(byaddr->event->names);
+
+	byaddr->task = NULL;
+	isc_task_attach(task, &byaddr->task);
+
+	result = isc_mutex_init(&byaddr->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_event;
+
+	dns_fixedname_init(&byaddr->name);
+
+	result = dns_byaddr_createptrname2(address, options,
+					   dns_fixedname_name(&byaddr->name));
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	byaddr->lookup = NULL;
+	result = dns_lookup_create(mctx, dns_fixedname_name(&byaddr->name),
+				   dns_rdatatype_ptr, view, 0, task,
+				   lookup_done, byaddr, &byaddr->lookup);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	byaddr->canceled = false;
+	byaddr->magic = BYADDR_MAGIC;
+
+	*byaddrp = byaddr;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+	DESTROYLOCK(&byaddr->lock);
+
+ cleanup_event:
+	ievent = (isc_event_t *)byaddr->event;
+	isc_event_free(&ievent);
+	byaddr->event = NULL;
+
+	isc_task_detach(&byaddr->task);
+
+ cleanup_byaddr:
+	isc_mem_putanddetach(&mctx, byaddr, sizeof(*byaddr));
+
+	return (result);
+}
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr) {
+	REQUIRE(VALID_BYADDR(byaddr));
+
+	LOCK(&byaddr->lock);
+
+	if (!byaddr->canceled) {
+		byaddr->canceled = true;
+		if (byaddr->lookup != NULL)
+			dns_lookup_cancel(byaddr->lookup);
+	}
+
+	UNLOCK(&byaddr->lock);
+}
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
+	dns_byaddr_t *byaddr;
+
+	REQUIRE(byaddrp != NULL);
+	byaddr = *byaddrp;
+	REQUIRE(VALID_BYADDR(byaddr));
+	REQUIRE(byaddr->event == NULL);
+	REQUIRE(byaddr->task == NULL);
+	dns_lookup_destroy(&byaddr->lookup);
+
+	DESTROYLOCK(&byaddr->lock);
+	byaddr->magic = 0;
+	isc_mem_putanddetach(&byaddr->mctx, byaddr, sizeof(*byaddr));
+
+	*byaddrp = NULL;
+}
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
new file mode 100644
index 0000000..4701ff8
--- /dev/null
+++ b/lib/dns/cache.c
@@ -0,0 +1,1575 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/json.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/stats.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+#include <isc/xml.h>
+
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+
+#include "rbtdb.h"
+
+#define CACHE_MAGIC		ISC_MAGIC('$', '$', '$', '$')
+#define VALID_CACHE(cache)	ISC_MAGIC_VALID(cache, CACHE_MAGIC)
+
+/*!
+ * Control incremental cleaning.
+ * DNS_CACHE_MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
+ * See also DNS_CACHE_CLEANERINCREMENT
+ */
+#define DNS_CACHE_MINSIZE	2097152U /*%< Bytes.  2097152 = 2 MB */
+/*!
+ * Control incremental cleaning.
+ * CLEANERINCREMENT is how many nodes are examined in one pass.
+ * See also DNS_CACHE_MINSIZE
+ */
+#define DNS_CACHE_CLEANERINCREMENT	1000U	/*%< Number of nodes. */
+
+/***
+ ***	Types
+ ***/
+
+/*
+ * A cache_cleaner_t encapsulates the state of the periodic
+ * cache cleaning.
+ */
+
+typedef struct cache_cleaner cache_cleaner_t;
+
+typedef enum {
+	cleaner_s_idle,	/*%< Waiting for cleaning-interval to expire. */
+	cleaner_s_busy,	/*%< Currently cleaning. */
+	cleaner_s_done	/*%< Freed enough memory after being overmem. */
+} cleaner_state_t;
+
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
+#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
+			 (c)->resched_event != NULL)
+#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
+			 (c)->iterator != NULL && \
+			 (c)->resched_event == NULL)
+
+/*%
+ * Accesses to a cache cleaner object are synchronized through
+ * task/event serialization, or locked from the cache object.
+ */
+struct cache_cleaner {
+	isc_mutex_t	lock;
+	/*%<
+	 * Locks overmem_event, overmem.  Note: never allocate memory
+	 * while holding this lock - that could lead to deadlock since
+	 * the lock is take by water() which is called from the memory
+	 * allocator.
+	 */
+
+	dns_cache_t	*cache;
+	isc_task_t	*task;
+	unsigned int	cleaning_interval; /*% The cleaning-interval from
+					      named.conf, in seconds. */
+	isc_timer_t	*cleaning_timer;
+	isc_event_t	*resched_event;	/*% Sent by cleaner task to
+					   itself to reschedule */
+	isc_event_t	*overmem_event;
+
+	dns_dbiterator_t *iterator;
+	unsigned int	increment;	/*% Number of names to
+					   clean in one increment */
+	cleaner_state_t	state;		/*% Idle/Busy. */
+	bool	overmem;	/*% The cache is in an overmem state. */
+	bool	 replaceiterator;
+};
+
+/*%
+ * The actual cache object.
+ */
+
+struct dns_cache {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	isc_mutex_t		filelock;
+	isc_mem_t		*mctx;		/* Main cache memory */
+	isc_mem_t		*hmctx;		/* Heap memory */
+	char			*name;
+
+	/* Locked by 'lock'. */
+	int			references;
+	int			live_tasks;
+	dns_rdataclass_t	rdclass;
+	dns_db_t		*db;
+	cache_cleaner_t		cleaner;
+	char			*db_type;
+	int			db_argc;
+	char			**db_argv;
+	size_t			size;
+	isc_stats_t		*stats;
+
+	/* Locked by 'filelock'. */
+	char			*filename;
+	/* Access to the on-disk cache file is also locked by 'filelock'. */
+};
+
+/***
+ ***	Functions
+ ***/
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner);
+
+static void
+cleaning_timer_action(isc_task_t *task, isc_event_t *event);
+
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
+
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static inline isc_result_t
+cache_create_db(dns_cache_t *cache, dns_db_t **db) {
+	return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
+			      dns_dbtype_cache, cache->rdclass,
+			      cache->db_argc, cache->db_argv, db));
+}
+
+isc_result_t
+dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
+		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		 const char *db_type, unsigned int db_argc, char **db_argv,
+		 dns_cache_t **cachep)
+{
+	return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass, "",
+				  db_type, db_argc, db_argv, cachep));
+}
+
+isc_result_t
+dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep)
+{
+	return (dns_cache_create3(cmctx, cmctx, taskmgr, timermgr, rdclass,
+				  cachename, db_type, db_argc, db_argv,
+				  cachep));
+}
+
+isc_result_t
+dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep)
+{
+	isc_result_t result;
+	dns_cache_t *cache;
+	int i, extra = 0;
+	isc_task_t *dbtask;
+
+	REQUIRE(cachep != NULL);
+	REQUIRE(*cachep == NULL);
+	REQUIRE(cmctx != NULL);
+	REQUIRE(hmctx != NULL);
+	REQUIRE(cachename != NULL);
+
+	cache = isc_mem_get(cmctx, sizeof(*cache));
+	if (cache == NULL)
+		return (ISC_R_NOMEMORY);
+
+	cache->mctx = cache->hmctx = NULL;
+	isc_mem_attach(cmctx, &cache->mctx);
+	isc_mem_attach(hmctx, &cache->hmctx);
+
+	cache->name = NULL;
+	if (cachename != NULL) {
+		cache->name = isc_mem_strdup(cmctx, cachename);
+		if (cache->name == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_mem;
+		}
+	}
+
+	result = isc_mutex_init(&cache->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mem;
+
+	result = isc_mutex_init(&cache->filelock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	cache->references = 1;
+	cache->live_tasks = 0;
+	cache->rdclass = rdclass;
+
+	cache->stats = NULL;
+	result = isc_stats_create(cmctx, &cache->stats,
+				  dns_cachestatscounter_max);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_filelock;
+
+	cache->db_type = isc_mem_strdup(cmctx, db_type);
+	if (cache->db_type == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_stats;
+	}
+
+	/*
+	 * For databases of type "rbt" we pass hmctx to dns_db_create()
+	 * via cache->db_argv, followed by the rest of the arguments in
+	 * db_argv (of which there really shouldn't be any).
+	 */
+	if (strcmp(cache->db_type, "rbt") == 0)
+		extra = 1;
+
+	cache->db_argc = db_argc + extra;
+	cache->db_argv = NULL;
+
+	if (cache->db_argc != 0) {
+		cache->db_argv = isc_mem_get(cmctx,
+					     cache->db_argc * sizeof(char *));
+		if (cache->db_argv == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_dbtype;
+		}
+
+		for (i = 0; i < cache->db_argc; i++)
+			cache->db_argv[i] = NULL;
+
+		cache->db_argv[0] = (char *) hmctx;
+		for (i = extra; i < cache->db_argc; i++) {
+			cache->db_argv[i] = isc_mem_strdup(cmctx,
+							   db_argv[i - extra]);
+			if (cache->db_argv[i] == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup_dbargv;
+			}
+		}
+	}
+
+	/*
+	 * Create the database
+	 */
+	cache->db = NULL;
+	result = cache_create_db(cache, &cache->db);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_dbargv;
+	if (taskmgr != NULL) {
+		dbtask = NULL;
+		result = isc_task_create(taskmgr, 1, &dbtask);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_db;
+
+		isc_task_setname(dbtask, "cache_dbtask", NULL);
+		dns_db_settask(cache->db, dbtask);
+		isc_task_detach(&dbtask);
+	}
+
+	cache->filename = NULL;
+
+	cache->magic = CACHE_MAGIC;
+
+	/*
+	 * RBT-type cache DB has its own mechanism of cache cleaning and doesn't
+	 * need the control of the generic cleaner.
+	 */
+	if (strcmp(db_type, "rbt") == 0)
+		result = cache_cleaner_init(cache, NULL, NULL, &cache->cleaner);
+	else {
+		result = cache_cleaner_init(cache, taskmgr, timermgr,
+					    &cache->cleaner);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_db;
+
+	result = dns_db_setcachestats(cache->db, cache->stats);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_db;
+
+
+	*cachep = cache;
+	return (ISC_R_SUCCESS);
+
+ cleanup_db:
+	dns_db_detach(&cache->db);
+ cleanup_dbargv:
+	for (i = extra; i < cache->db_argc; i++)
+		if (cache->db_argv[i] != NULL)
+			isc_mem_free(cmctx, cache->db_argv[i]);
+	if (cache->db_argv != NULL)
+		isc_mem_put(cmctx, cache->db_argv,
+			    cache->db_argc * sizeof(char *));
+ cleanup_dbtype:
+	isc_mem_free(cmctx, cache->db_type);
+ cleanup_filelock:
+	DESTROYLOCK(&cache->filelock);
+ cleanup_stats:
+	isc_stats_detach(&cache->stats);
+ cleanup_lock:
+	DESTROYLOCK(&cache->lock);
+ cleanup_mem:
+	if (cache->name != NULL)
+		isc_mem_free(cmctx, cache->name);
+	isc_mem_detach(&cache->hmctx);
+	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
+	return (result);
+}
+
+static void
+cache_free(dns_cache_t *cache) {
+	int i;
+
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(cache->references == 0);
+
+	isc_mem_setwater(cache->mctx, NULL, NULL, 0, 0);
+
+	if (cache->cleaner.task != NULL)
+		isc_task_detach(&cache->cleaner.task);
+
+	if (cache->cleaner.overmem_event != NULL)
+		isc_event_free(&cache->cleaner.overmem_event);
+
+	if (cache->cleaner.resched_event != NULL)
+		isc_event_free(&cache->cleaner.resched_event);
+
+	if (cache->cleaner.iterator != NULL)
+		dns_dbiterator_destroy(&cache->cleaner.iterator);
+
+	DESTROYLOCK(&cache->cleaner.lock);
+
+	if (cache->filename) {
+		isc_mem_free(cache->mctx, cache->filename);
+		cache->filename = NULL;
+	}
+
+	if (cache->db != NULL)
+		dns_db_detach(&cache->db);
+
+	if (cache->db_argv != NULL) {
+		/*
+		 * We don't free db_argv[0] in "rbt" cache databases
+		 * as it's a pointer to hmctx
+		 */
+		int extra = 0;
+		if (strcmp(cache->db_type, "rbt") == 0)
+			extra = 1;
+		for (i = extra; i < cache->db_argc; i++)
+			if (cache->db_argv[i] != NULL)
+				isc_mem_free(cache->mctx, cache->db_argv[i]);
+		isc_mem_put(cache->mctx, cache->db_argv,
+			    cache->db_argc * sizeof(char *));
+	}
+
+	if (cache->db_type != NULL)
+		isc_mem_free(cache->mctx, cache->db_type);
+
+	if (cache->name != NULL)
+		isc_mem_free(cache->mctx, cache->name);
+
+	if (cache->stats != NULL)
+		isc_stats_detach(&cache->stats);
+
+	DESTROYLOCK(&cache->lock);
+	DESTROYLOCK(&cache->filelock);
+
+	cache->magic = 0;
+	isc_mem_detach(&cache->hmctx);
+	isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
+}
+
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp) {
+
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&cache->lock);
+	cache->references++;
+	UNLOCK(&cache->lock);
+
+	*targetp = cache;
+}
+
+void
+dns_cache_detach(dns_cache_t **cachep) {
+	dns_cache_t *cache;
+	bool free_cache = false;
+
+	REQUIRE(cachep != NULL);
+	cache = *cachep;
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	REQUIRE(cache->references > 0);
+	cache->references--;
+	if (cache->references == 0) {
+		cache->cleaner.overmem = false;
+		free_cache = true;
+	}
+
+	*cachep = NULL;
+
+	if (free_cache) {
+		/*
+		 * When the cache is shut down, dump it to a file if one is
+		 * specified.
+		 */
+		isc_result_t result = dns_cache_dump(cache);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "error dumping cache: %s ",
+				      isc_result_totext(result));
+
+		/*
+		 * If the cleaner task exists, let it free the cache.
+		 */
+		if (cache->live_tasks > 0) {
+			isc_task_shutdown(cache->cleaner.task);
+			free_cache = false;
+		}
+	}
+
+	UNLOCK(&cache->lock);
+
+	if (free_cache)
+		cache_free(cache);
+}
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(cache->db != NULL);
+
+	LOCK(&cache->lock);
+	dns_db_attach(cache->db, dbp);
+	UNLOCK(&cache->lock);
+
+}
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cache, const char *filename) {
+	char *newname;
+
+	REQUIRE(VALID_CACHE(cache));
+	REQUIRE(filename != NULL);
+
+	newname = isc_mem_strdup(cache->mctx, filename);
+	if (newname == NULL)
+		return (ISC_R_NOMEMORY);
+
+	LOCK(&cache->filelock);
+	if (cache->filename)
+		isc_mem_free(cache->mctx, cache->filename);
+	cache->filename = newname;
+	UNLOCK(&cache->filelock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache) {
+	isc_result_t result;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	if (cache->filename == NULL)
+		return (ISC_R_SUCCESS);
+
+	LOCK(&cache->filelock);
+	result = dns_db_load(cache->db, cache->filename);
+	UNLOCK(&cache->filelock);
+
+	return (result);
+}
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache) {
+	isc_result_t result;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	if (cache->filename == NULL)
+		return (ISC_R_SUCCESS);
+
+	LOCK(&cache->filelock);
+	result = dns_master_dump(cache->mctx, cache->db, NULL,
+				 &dns_master_style_cache, cache->filename);
+	UNLOCK(&cache->filelock);
+	return (result);
+
+}
+
+void
+dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
+	isc_interval_t interval;
+	isc_result_t result;
+
+	LOCK(&cache->lock);
+
+	/*
+	 * It may be the case that the cache has already shut down.
+	 * If so, it has no timer.
+	 */
+	if (cache->cleaner.cleaning_timer == NULL)
+		goto unlock;
+
+	cache->cleaner.cleaning_interval = t;
+
+	if (t == 0) {
+		result = isc_timer_reset(cache->cleaner.cleaning_timer,
+					 isc_timertype_inactive,
+					 NULL, NULL, true);
+	} else {
+		isc_interval_set(&interval, cache->cleaner.cleaning_interval,
+				 0);
+		result = isc_timer_reset(cache->cleaner.cleaning_timer,
+					 isc_timertype_ticker,
+					 NULL, &interval, false);
+	}
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "could not set cache cleaning interval: %s",
+			      isc_result_totext(result));
+
+ unlock:
+	UNLOCK(&cache->lock);
+}
+
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache) {
+	unsigned int t;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	t = cache->cleaner.cleaning_interval;
+	UNLOCK(&cache->lock);
+
+	return (t);
+}
+
+const char *
+dns_cache_getname(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+
+	return (cache->name);
+}
+
+/*
+ * Initialize the cache cleaner object at *cleaner.
+ * Space for the object must be allocated by the caller.
+ */
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, cache_cleaner_t *cleaner)
+{
+	isc_result_t result;
+
+	result = isc_mutex_init(&cleaner->lock);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
+	cleaner->state = cleaner_s_idle;
+	cleaner->cache = cache;
+	cleaner->iterator = NULL;
+	cleaner->overmem = false;
+	cleaner->replaceiterator = false;
+
+	cleaner->task = NULL;
+	cleaner->cleaning_timer = NULL;
+	cleaner->resched_event = NULL;
+	cleaner->overmem_event = NULL;
+	cleaner->cleaning_interval = 0; /* Initially turned off. */
+
+	result = dns_db_createiterator(cleaner->cache->db, false,
+				       &cleaner->iterator);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (taskmgr != NULL && timermgr != NULL) {
+		result = isc_task_create(taskmgr, 1, &cleaner->task);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_task_create() failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+		cleaner->cache->live_tasks++;
+		isc_task_setname(cleaner->task, "cachecleaner", cleaner);
+
+		result = isc_task_onshutdown(cleaner->task,
+					     cleaner_shutdown_action, cache);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: "
+					 "isc_task_onshutdown() failed: %s",
+					 dns_result_totext(result));
+			goto cleanup;
+		}
+
+		result = isc_timer_create(timermgr, isc_timertype_inactive,
+					   NULL, NULL, cleaner->task,
+					   cleaning_timer_action, cleaner,
+					   &cleaner->cleaning_timer);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_timer_create() failed: %s",
+					 dns_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+
+		cleaner->resched_event =
+			isc_event_allocate(cache->mctx, cleaner,
+					   DNS_EVENT_CACHECLEAN,
+					   incremental_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->resched_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		cleaner->overmem_event =
+			isc_event_allocate(cache->mctx, cleaner,
+					   DNS_EVENT_CACHEOVERMEM,
+					   overmem_cleaning_action,
+					   cleaner, sizeof(isc_event_t));
+		if (cleaner->overmem_event == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (cleaner->overmem_event != NULL)
+		isc_event_free(&cleaner->overmem_event);
+	if (cleaner->resched_event != NULL)
+		isc_event_free(&cleaner->resched_event);
+	if (cleaner->cleaning_timer != NULL)
+		isc_timer_detach(&cleaner->cleaning_timer);
+	if (cleaner->task != NULL)
+		isc_task_detach(&cleaner->task);
+	if (cleaner->iterator != NULL)
+		dns_dbiterator_destroy(&cleaner->iterator);
+	DESTROYLOCK(&cleaner->lock);
+ fail:
+	return (result);
+}
+
+static void
+begin_cleaning(cache_cleaner_t *cleaner) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(CLEANER_IDLE(cleaner));
+
+	/*
+	 * Create an iterator, if it does not already exist, and
+	 * position it at the beginning of the cache.
+	 */
+	if (cleaner->iterator == NULL)
+		result = dns_db_createiterator(cleaner->cache->db, false,
+					       &cleaner->iterator);
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+			      "cache cleaner could not create "
+			      "iterator: %s", isc_result_totext(result));
+	else {
+		dns_dbiterator_setcleanmode(cleaner->iterator, true);
+		result = dns_dbiterator_first(cleaner->iterator);
+	}
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * If the result is ISC_R_NOMORE, the database is empty,
+		 * so there is nothing to be cleaned.
+		 */
+		if (result != ISC_R_NOMORE && cleaner->iterator != NULL) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: "
+					 "dns_dbiterator_first() failed: %s",
+					 dns_result_totext(result));
+			dns_dbiterator_destroy(&cleaner->iterator);
+		} else if (cleaner->iterator != NULL) {
+			result = dns_dbiterator_pause(cleaner->iterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+	} else {
+		/*
+		 * Pause the iterator to free its lock.
+		 */
+		result = dns_dbiterator_pause(cleaner->iterator);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "begin cache cleaning, mem inuse %lu",
+			    (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+		cleaner->state = cleaner_s_busy;
+		isc_task_send(cleaner->task, &cleaner->resched_event);
+	}
+
+	return;
+}
+
+static void
+end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
+	isc_result_t result;
+
+	REQUIRE(CLEANER_BUSY(cleaner));
+	REQUIRE(event != NULL);
+
+	result = dns_dbiterator_pause(cleaner->iterator);
+	if (result != ISC_R_SUCCESS)
+		dns_dbiterator_destroy(&cleaner->iterator);
+
+	dns_cache_setcleaninginterval(cleaner->cache,
+				      cleaner->cleaning_interval);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "end cache cleaning, mem inuse %lu",
+		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+	cleaner->state = cleaner_s_idle;
+	cleaner->resched_event = event;
+}
+
+/*
+ * This is run once for every cache-cleaning-interval as defined in named.conf.
+ */
+static void
+cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
+	cache_cleaner_t *cleaner = event->ev_arg;
+
+	UNUSED(task);
+
+	INSIST(task == cleaner->task);
+	INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "cache cleaning timer fired, "
+		      "cleaner state = %d", cleaner->state);
+
+	if (cleaner->state == cleaner_s_idle)
+		begin_cleaning(cleaner);
+
+	isc_event_free(&event);
+}
+
+/*
+ * This is called when the cache either surpasses its upper limit
+ * or shrinks beyond its lower limit.
+ */
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	cache_cleaner_t *cleaner = event->ev_arg;
+	bool want_cleaning = false;
+
+	UNUSED(task);
+
+	INSIST(task == cleaner->task);
+	INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
+	INSIST(cleaner->overmem_event == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
+		      "overmem = %d, state = %d", cleaner->overmem,
+		      cleaner->state);
+
+	LOCK(&cleaner->lock);
+
+	if (cleaner->overmem) {
+		if (cleaner->state == cleaner_s_idle)
+			want_cleaning = true;
+	} else {
+		if (cleaner->state == cleaner_s_busy)
+			/*
+			 * end_cleaning() can't be called here because
+			 * then both cleaner->overmem_event and
+			 * cleaner->resched_event will point to this
+			 * event.  Set the state to done, and then
+			 * when the incremental_cleaning_action() event
+			 * is posted, it will handle the end_cleaning.
+			 */
+			cleaner->state = cleaner_s_done;
+	}
+
+	cleaner->overmem_event = event;
+
+	UNLOCK(&cleaner->lock);
+
+	if (want_cleaning)
+		begin_cleaning(cleaner);
+}
+
+/*
+ * Do incremental cleaning.
+ */
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
+	cache_cleaner_t *cleaner = event->ev_arg;
+	isc_result_t result;
+	unsigned int n_names;
+	isc_time_t start;
+
+	UNUSED(task);
+
+	INSIST(task == cleaner->task);
+	INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
+
+	if (cleaner->state == cleaner_s_done) {
+		cleaner->state = cleaner_s_busy;
+		end_cleaning(cleaner, event);
+		LOCK(&cleaner->cache->lock);
+		LOCK(&cleaner->lock);
+		if (cleaner->replaceiterator) {
+			dns_dbiterator_destroy(&cleaner->iterator);
+			(void) dns_db_createiterator(cleaner->cache->db,
+						     false,
+						     &cleaner->iterator);
+			cleaner->replaceiterator = false;
+		}
+		UNLOCK(&cleaner->lock);
+		UNLOCK(&cleaner->cache->lock);
+		return;
+	}
+
+	INSIST(CLEANER_BUSY(cleaner));
+
+	n_names = cleaner->increment;
+
+	REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
+
+	isc_time_now(&start);
+	while (n_names-- > 0) {
+		dns_dbnode_t *node = NULL;
+
+		result = dns_dbiterator_current(cleaner->iterator, &node,
+						NULL);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "cache cleaner: dns_dbiterator_current() "
+				 "failed: %s", dns_result_totext(result));
+
+			end_cleaning(cleaner, event);
+			return;
+		}
+
+		/*
+		 * The node was not needed, but was required by
+		 * dns_dbiterator_current().  Give up its reference.
+		 */
+		dns_db_detachnode(cleaner->cache->db, &node);
+
+		/*
+		 * Step to the next node.
+		 */
+		result = dns_dbiterator_next(cleaner->iterator);
+
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Either the end was reached (ISC_R_NOMORE) or
+			 * some error was signaled.  If the cache is still
+			 * overmem and no error was encountered,
+			 * keep trying to clean it, otherwise stop cleaning.
+			 */
+			if (result != ISC_R_NOMORE)
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "cache cleaner: "
+						 "dns_dbiterator_next() "
+						 "failed: %s",
+						 dns_result_totext(result));
+			else if (cleaner->overmem) {
+				result = dns_dbiterator_first(cleaner->
+							      iterator);
+				if (result == ISC_R_SUCCESS) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_DATABASE,
+						      DNS_LOGMODULE_CACHE,
+						      ISC_LOG_DEBUG(1),
+						      "cache cleaner: "
+						      "still overmem, "
+						      "reset and try again");
+					continue;
+				}
+			}
+
+			end_cleaning(cleaner, event);
+			return;
+		}
+	}
+
+	/*
+	 * We have successfully performed a cleaning increment but have
+	 * not gone through the entire cache.  Free the iterator locks
+	 * and reschedule another batch.  If it fails, just try to continue
+	 * anyway.
+	 */
+	result = dns_dbiterator_pause(cleaner->iterator);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+		      ISC_LOG_DEBUG(1), "cache cleaner: checked %u nodes, "
+		      "mem inuse %lu, sleeping", cleaner->increment,
+		      (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+	isc_task_send(task, &event);
+	INSIST(CLEANER_BUSY(cleaner));
+	return;
+}
+
+/*
+ * Do immediate cleaning.
+ */
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
+	isc_result_t result;
+	dns_dbiterator_t *iterator = NULL;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	result = dns_db_createiterator(cache->db, 0, &iterator);
+	if (result != ISC_R_SUCCESS)
+		return result;
+
+	result = dns_dbiterator_first(iterator);
+
+	while (result == ISC_R_SUCCESS) {
+		dns_dbnode_t *node = NULL;
+		result = dns_dbiterator_current(iterator, &node,
+						(dns_name_t *)NULL);
+		if (result != ISC_R_SUCCESS)
+			break;
+
+		/*
+		 * Check TTLs, mark expired rdatasets stale.
+		 */
+		result = dns_db_expirenode(cache->db, node, now);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "cache cleaner: dns_db_expirenode() "
+					 "failed: %s",
+					 dns_result_totext(result));
+			/*
+			 * Continue anyway.
+			 */
+		}
+
+		/*
+		 * This is where the actual freeing takes place.
+		 */
+		dns_db_detachnode(cache->db, &node);
+
+		result = dns_dbiterator_next(iterator);
+	}
+
+	dns_dbiterator_destroy(&iterator);
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+static void
+water(void *arg, int mark) {
+	dns_cache_t *cache = arg;
+	bool overmem = (mark == ISC_MEM_HIWATER);
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->cleaner.lock);
+
+	if (overmem != cache->cleaner.overmem) {
+		dns_db_overmem(cache->db, overmem);
+		cache->cleaner.overmem = overmem;
+		isc_mem_waterack(cache->mctx, mark);
+	}
+
+	if (cache->cleaner.overmem_event != NULL)
+		isc_task_send(cache->cleaner.task,
+			      &cache->cleaner.overmem_event);
+
+	UNLOCK(&cache->cleaner.lock);
+}
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, size_t size) {
+	size_t hiwater, lowater;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	/*
+	 * Impose a minimum cache size; pathological things happen if there
+	 * is too little room.
+	 */
+	if (size != 0U && size < DNS_CACHE_MINSIZE)
+		size = DNS_CACHE_MINSIZE;
+
+	LOCK(&cache->lock);
+	cache->size = size;
+	UNLOCK(&cache->lock);
+
+	hiwater = size - (size >> 3);	/* Approximately 7/8ths. */
+	lowater = size - (size >> 2);	/* Approximately 3/4ths. */
+
+	/*
+	 * If the cache was overmem and cleaning, but now with the new limits
+	 * it is no longer in an overmem condition, then the next
+	 * isc_mem_put for cache memory will do the right thing and trigger
+	 * water().
+	 */
+
+	if (size == 0U || hiwater == 0U || lowater == 0U)
+		/*
+		 * Disable cache memory limiting.
+		 */
+		isc_mem_setwater(cache->mctx, water, cache, 0, 0);
+	else
+		/*
+		 * Establish new cache memory limits (either for the first
+		 * time, or replacing other limits).
+		 */
+		isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
+}
+
+size_t
+dns_cache_getcachesize(dns_cache_t *cache) {
+	size_t size;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	LOCK(&cache->lock);
+	size = cache->size;
+	UNLOCK(&cache->lock);
+
+	return (size);
+}
+
+/*
+ * The cleaner task is shutting down; do the necessary cleanup.
+ */
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
+	dns_cache_t *cache = event->ev_arg;
+	bool should_free = false;
+
+	UNUSED(task);
+
+	INSIST(task == cache->cleaner.task);
+	INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+
+	if (CLEANER_BUSY(&cache->cleaner))
+		end_cleaning(&cache->cleaner, event);
+	else
+		isc_event_free(&event);
+
+	LOCK(&cache->lock);
+
+	cache->live_tasks--;
+	INSIST(cache->live_tasks == 0);
+
+	if (cache->references == 0)
+		should_free = true;
+
+	/*
+	 * By detaching the timer in the context of its task,
+	 * we are guaranteed that there will be no further timer
+	 * events.
+	 */
+	if (cache->cleaner.cleaning_timer != NULL)
+		isc_timer_detach(&cache->cleaner.cleaning_timer);
+
+	/* Make sure we don't reschedule anymore. */
+	(void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
+
+	UNLOCK(&cache->lock);
+
+	if (should_free)
+		cache_free(cache);
+}
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache) {
+	dns_db_t *db = NULL, *olddb;
+	dns_dbiterator_t *dbiterator = NULL, *olddbiterator = NULL;
+	isc_result_t result;
+
+	result = cache_create_db(cache, &db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_createiterator(db, false, &dbiterator);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detach(&db);
+		return (result);
+	}
+
+	LOCK(&cache->lock);
+	LOCK(&cache->cleaner.lock);
+	if (cache->cleaner.state == cleaner_s_idle) {
+		olddbiterator = cache->cleaner.iterator;
+		cache->cleaner.iterator = dbiterator;
+		dbiterator = NULL;
+	} else {
+		if (cache->cleaner.state == cleaner_s_busy)
+			cache->cleaner.state = cleaner_s_done;
+		cache->cleaner.replaceiterator = true;
+	}
+	olddb = cache->db;
+	cache->db = db;
+	dns_db_setcachestats(cache->db, cache->stats);
+	UNLOCK(&cache->cleaner.lock);
+	UNLOCK(&cache->lock);
+
+	if (dbiterator != NULL)
+		dns_dbiterator_destroy(&dbiterator);
+	if (olddbiterator != NULL)
+		dns_dbiterator_destroy(&olddbiterator);
+	dns_db_detach(&olddb);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+clearnode(dns_db_t *db, dns_dbnode_t *node) {
+	isc_result_t result;
+	dns_rdatasetiter_t *iter = NULL;
+
+	result = dns_db_allrdatasets(db, node, NULL, (isc_stdtime_t)0, &iter);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdatasetiter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdataset_init(&rdataset);
+
+		dns_rdatasetiter_current(iter, &rdataset);
+		result = dns_db_deleterdataset(db, node, NULL,
+					       rdataset.type, rdataset.covers);
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+			break;
+	}
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	dns_rdatasetiter_destroy(&iter);
+	return (result);
+}
+
+static isc_result_t
+cleartree(dns_db_t *db, dns_name_t *name) {
+	isc_result_t result, answer = ISC_R_SUCCESS;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL, *top = NULL;
+	dns_fixedname_t fnodename;
+	dns_name_t *nodename;
+
+	/*
+	 * Create the node if it doesn't exist so dns_dbiterator_seek()
+	 * can find it.  We will continue even if this fails.
+	 */
+	(void)dns_db_findnode(db, name, true, &top);
+
+	nodename = dns_fixedname_initname(&fnodename);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_dbiterator_seek(iter, name);
+	if (result == DNS_R_PARTIALMATCH)
+		result = dns_dbiterator_next(iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(iter, &node, nodename);
+		if (result == DNS_R_NEWORIGIN)
+			result = ISC_R_SUCCESS;
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		/*
+		 * Are we done?
+		 */
+		if (! dns_name_issubdomain(nodename, name))
+			goto cleanup;
+
+		/*
+		 * If clearnode fails record and move onto the next node.
+		 */
+		result = clearnode(db, node);
+		if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS)
+			answer = result;
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(iter);
+	}
+
+ cleanup:
+	if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND)
+		result = ISC_R_SUCCESS;
+	if (result != ISC_R_SUCCESS && answer == ISC_R_SUCCESS)
+		answer = result;
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (iter != NULL)
+		dns_dbiterator_destroy(&iter);
+	if (top != NULL)
+		dns_db_detachnode(db, &top);
+
+	return (answer);
+}
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) {
+	return (dns_cache_flushnode(cache, name, false));
+}
+
+isc_result_t
+dns_cache_flushnode(dns_cache_t *cache, dns_name_t *name,
+		    bool tree)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_db_t *db = NULL;
+
+	if (tree && dns_name_equal(name, dns_rootname))
+		return (dns_cache_flush(cache));
+
+	LOCK(&cache->lock);
+	if (cache->db != NULL)
+		dns_db_attach(cache->db, &db);
+	UNLOCK(&cache->lock);
+	if (db == NULL)
+		return (ISC_R_SUCCESS);
+
+	if (tree) {
+		result = cleartree(cache->db, name);
+	} else {
+		result = dns_db_findnode(cache->db, name, false, &node);
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			goto cleanup_db;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_db;
+		result = clearnode(cache->db, node);
+		dns_db_detachnode(cache->db, &node);
+	}
+
+ cleanup_db:
+	dns_db_detach(&db);
+	return (result);
+}
+
+isc_stats_t *
+dns_cache_getstats(dns_cache_t *cache) {
+	REQUIRE(VALID_CACHE(cache));
+	return (cache->stats);
+}
+
+void
+dns_cache_updatestats(dns_cache_t *cache, isc_result_t result) {
+	REQUIRE(VALID_CACHE(cache));
+	if (cache->stats == NULL)
+		return;
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+	case DNS_R_GLUE:
+	case DNS_R_ZONECUT:
+		isc_stats_increment(cache->stats,
+				    dns_cachestatscounter_queryhits);
+		break;
+	default:
+		isc_stats_increment(cache->stats,
+				    dns_cachestatscounter_querymisses);
+	}
+}
+
+/*
+ * XXX: Much of the following code has been copied in from statschannel.c.
+ * We should refactor this into a generic function in stats.c that can be
+ * called from both places.
+ */
+typedef struct
+cache_dumparg {
+	isc_statsformat_t	type;
+	void			*arg;		/* type dependent argument */
+	int			ncounters;	/* for general statistics */
+	int			*counterindices; /* for general statistics */
+	uint64_t		*countervalues;	 /* for general statistics */
+	isc_result_t		result;
+} cache_dumparg_t;
+
+static void
+getcounter(isc_statscounter_t counter, uint64_t val, void *arg) {
+	cache_dumparg_t *dumparg = arg;
+
+	REQUIRE(counter < dumparg->ncounters);
+	dumparg->countervalues[counter] = val;
+}
+
+static void
+getcounters(isc_stats_t *stats, isc_statsformat_t type, int ncounters,
+	    int *indices, uint64_t *values)
+{
+	cache_dumparg_t dumparg;
+
+	memset(values, 0, sizeof(values[0]) * ncounters);
+
+	dumparg.type = type;
+	dumparg.ncounters = ncounters;
+	dumparg.counterindices = indices;
+	dumparg.countervalues = values;
+
+	isc_stats_dump(stats, getcounter, &dumparg, ISC_STATSDUMP_VERBOSE);
+}
+
+void
+dns_cache_dumpstats(dns_cache_t *cache, FILE *fp) {
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_hits],
+		"cache hits");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_misses],
+		"cache misses");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_queryhits],
+		"cache hits (from query)");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_querymisses],
+		"cache misses (from query)");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_deletelru],
+		"cache records deleted due to memory exhaustion");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		values[dns_cachestatscounter_deletettl],
+		"cache records deleted due to TTL expiration");
+	fprintf(fp, "%20u %s\n", dns_db_nodecount(cache->db),
+		"cache database nodes");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) dns_db_hashsize(cache->db),
+		"cache database hash buckets");
+
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_total(cache->mctx),
+		"cache tree memory total");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_inuse(cache->mctx),
+		"cache tree memory in use");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_maxinuse(cache->mctx),
+		"cache tree highest memory in use");
+
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_total(cache->hmctx),
+		"cache heap memory total");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_inuse(cache->hmctx),
+		"cache heap memory in use");
+	fprintf(fp, "%20" PRIu64 " %s\n",
+		(uint64_t) isc_mem_maxinuse(cache->hmctx),
+		"cache heap highest memory in use");
+}
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+static int
+renderstat(const char *name, uint64_t value, xmlTextWriterPtr writer) {
+	int xmlrc;
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter"));
+	TRY0(xmlTextWriterWriteAttribute(writer,
+					 ISC_XMLCHAR "name", ISC_XMLCHAR name));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    value));
+	TRY0(xmlTextWriterEndElement(writer)); /* counter */
+
+error:
+	return (xmlrc);
+}
+
+int
+dns_cache_renderxml(dns_cache_t *cache, xmlTextWriterPtr writer) {
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+	int xmlrc;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+	TRY0(renderstat("CacheHits",
+		   values[dns_cachestatscounter_hits], writer));
+	TRY0(renderstat("CacheMisses",
+		   values[dns_cachestatscounter_misses], writer));
+	TRY0(renderstat("QueryHits",
+		   values[dns_cachestatscounter_queryhits], writer));
+	TRY0(renderstat("QueryMisses",
+		   values[dns_cachestatscounter_querymisses], writer));
+	TRY0(renderstat("DeleteLRU",
+		   values[dns_cachestatscounter_deletelru], writer));
+	TRY0(renderstat("DeleteTTL",
+		   values[dns_cachestatscounter_deletettl], writer));
+
+	TRY0(renderstat("CacheNodes", dns_db_nodecount(cache->db), writer));
+	TRY0(renderstat("CacheBuckets", dns_db_hashsize(cache->db), writer));
+
+	TRY0(renderstat("TreeMemTotal", isc_mem_total(cache->mctx), writer));
+	TRY0(renderstat("TreeMemInUse", isc_mem_inuse(cache->mctx), writer));
+	TRY0(renderstat("TreeMemMax", isc_mem_maxinuse(cache->mctx), writer));
+
+	TRY0(renderstat("HeapMemTotal", isc_mem_total(cache->hmctx), writer));
+	TRY0(renderstat("HeapMemInUse", isc_mem_inuse(cache->hmctx), writer));
+	TRY0(renderstat("HeapMemMax", isc_mem_maxinuse(cache->hmctx), writer));
+error:
+	return (xmlrc);
+}
+#endif
+
+#ifdef HAVE_JSON
+#define CHECKMEM(m) do { \
+	if (m == NULL) { \
+		result = ISC_R_NOMEMORY;\
+		goto error;\
+	} \
+} while(0)
+
+isc_result_t
+dns_cache_renderjson(dns_cache_t *cache, json_object *cstats) {
+	isc_result_t result = ISC_R_SUCCESS;
+	int indices[dns_cachestatscounter_max];
+	uint64_t values[dns_cachestatscounter_max];
+	json_object *obj;
+
+	REQUIRE(VALID_CACHE(cache));
+
+	getcounters(cache->stats, isc_statsformat_file,
+		    dns_cachestatscounter_max, indices, values);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_hits]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheHits", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_misses]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheMisses", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_queryhits]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "QueryHits", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_querymisses]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "QueryMisses", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_deletelru]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "DeleteLRU", obj);
+
+	obj = json_object_new_int64(values[dns_cachestatscounter_deletettl]);
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "DeleteTTL", obj);
+
+	obj = json_object_new_int64(dns_db_nodecount(cache->db));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheNodes", obj);
+
+	obj = json_object_new_int64(dns_db_hashsize(cache->db));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "CacheBuckets", obj);
+
+	obj = json_object_new_int64(isc_mem_total(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemTotal", obj);
+
+	obj = json_object_new_int64(isc_mem_inuse(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemInUse", obj);
+
+	obj = json_object_new_int64(isc_mem_maxinuse(cache->mctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "TreeMemMax", obj);
+
+	obj = json_object_new_int64(isc_mem_total(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemTotal", obj);
+
+	obj = json_object_new_int64(isc_mem_inuse(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemInUse", obj);
+
+	obj = json_object_new_int64(isc_mem_maxinuse(cache->hmctx));
+	CHECKMEM(obj);
+	json_object_object_add(cstats, "HeapMemMax", obj);
+
+	result = ISC_R_SUCCESS;
+error:
+	return (result);
+}
+#endif
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
new file mode 100644
index 0000000..42dae51
--- /dev/null
+++ b/lib/dns/callbacks.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/log.h>
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *, const char *, ...)
+     ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * Private
+ */
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *callbacks,
+			  const char *fmt, ...)
+{
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	fprintf(stderr, "\n");
+}
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_MASTER, /* XXX */
+		       ISC_LOG_ERROR, fmt, ap);
+	va_end(ap);
+}
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_MASTER, /* XXX */
+		       ISC_LOG_WARNING, fmt, ap);
+	va_end(ap);
+}
+
+static void
+dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
+	REQUIRE(callbacks != NULL);
+
+	callbacks->magic = DNS_CALLBACK_MAGIC;
+	callbacks->add = NULL;
+	callbacks->rawdata = NULL;
+	callbacks->zone = NULL;
+	callbacks->add_private = NULL;
+	callbacks->error_private = NULL;
+	callbacks->warn_private = NULL;
+}
+
+/*
+ * Public.
+ */
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks) {
+	dns_rdatacallbacks_initcommon(callbacks);
+	callbacks->error = isclog_error_callback;
+	callbacks->warn = isclog_warn_callback;
+}
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks) {
+	dns_rdatacallbacks_initcommon(callbacks);
+	callbacks->error = stdio_error_warn_callback;
+	callbacks->warn = stdio_error_warn_callback;
+}
+
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
new file mode 100644
index 0000000..b750d66
--- /dev/null
+++ b/lib/dns/catz.c
@@ -0,0 +1,1992 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/sha2.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/catz.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/rdatasetiter.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+
+/*%
+ * Single member zone in a catalog
+ */
+struct dns_catz_entry {
+	dns_name_t		name;
+	dns_catz_options_t	opts;
+	isc_refcount_t		refs;
+};
+
+/*%
+ * Catalog zone
+ */
+struct dns_catz_zone {
+	dns_name_t		name;
+	dns_catz_zones_t	*catzs;
+	dns_rdata_t		soa;
+	/* key in entries is 'mhash', not domain name! */
+	isc_ht_t		*entries;
+	/*
+	 * defoptions are taken from named.conf
+	 * zoneoptions are global options from zone
+	 */
+	dns_catz_options_t	defoptions;
+	dns_catz_options_t	zoneoptions;
+	isc_time_t		lastupdated;
+	bool		updatepending;
+	uint32_t		version;
+
+	dns_db_t		*db;
+	dns_dbversion_t		*dbversion;
+
+	isc_timer_t		*updatetimer;
+	isc_event_t		updateevent;
+
+	bool		active;
+	bool		db_registered;
+
+	isc_refcount_t		refs;
+};
+
+static isc_result_t
+catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			 dns_label_t *mhash);
+static isc_result_t
+catz_process_zones_suboption(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			     dns_label_t *mhash, dns_name_t *name);
+
+/*%
+ * Collection of catalog zones for a view
+ */
+struct dns_catz_zones {
+	isc_ht_t			*zones;
+	isc_mem_t			*mctx;
+	isc_refcount_t			refs;
+	isc_mutex_t			lock;
+	dns_catz_zonemodmethods_t	*zmm;
+	isc_taskmgr_t			*taskmgr;
+	isc_timermgr_t			*timermgr;
+	dns_view_t			*view;
+	isc_task_t			*updater;
+};
+
+void
+dns_catz_options_init(dns_catz_options_t *options) {
+	dns_ipkeylist_init(&options->masters);
+
+	options->allow_query = NULL;
+	options->allow_transfer = NULL;
+
+	options->allow_query = NULL;
+	options->allow_transfer = NULL;
+
+	options->in_memory = false;
+	options->min_update_interval = 5;
+	options->zonedir = NULL;
+}
+
+void
+dns_catz_options_free(dns_catz_options_t *options, isc_mem_t *mctx) {
+	if (options->masters.count != 0)
+		dns_ipkeylist_clear(mctx, &options->masters);
+	if (options->zonedir != NULL) {
+		isc_mem_free(mctx, options->zonedir);
+		options->zonedir = NULL;
+	}
+	if (options->allow_query != NULL)
+		isc_buffer_free(&options->allow_query);
+	if (options->allow_transfer != NULL)
+		isc_buffer_free(&options->allow_transfer);
+}
+
+isc_result_t
+dns_catz_options_copy(isc_mem_t *mctx, const dns_catz_options_t *src,
+		      dns_catz_options_t *dst)
+{
+	REQUIRE(src != NULL);
+	REQUIRE(dst != NULL);
+	REQUIRE(dst->masters.count == 0);
+	REQUIRE(dst->allow_query == NULL);
+	REQUIRE(dst->allow_transfer == NULL);
+
+	if (src->masters.count != 0)
+		dns_ipkeylist_copy(mctx, &src->masters, &dst->masters);
+
+	if (dst->zonedir != NULL) {
+		isc_mem_free(mctx, dst->zonedir);
+		dst->zonedir = NULL;
+	}
+
+	if (src->zonedir != NULL)
+		dst->zonedir = isc_mem_strdup(mctx, src->zonedir);
+
+	if (src->allow_query != NULL)
+		isc_buffer_dup(mctx, &dst->allow_query, src->allow_query);
+
+	if (src->allow_transfer != NULL)
+		isc_buffer_dup(mctx, &dst->allow_transfer, src->allow_transfer);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_catz_options_setdefault(isc_mem_t *mctx, const dns_catz_options_t *defaults,
+			    dns_catz_options_t *opts)
+{
+	if (opts->masters.count == 0 && defaults->masters.count != 0)
+		dns_ipkeylist_copy(mctx, &defaults->masters, &opts->masters);
+
+	if (defaults->zonedir != NULL)
+		opts->zonedir = isc_mem_strdup(mctx, defaults->zonedir);
+
+	if (opts->allow_query == NULL && defaults->allow_query != NULL)
+		isc_buffer_dup(mctx, &opts->allow_query, defaults->allow_query);
+	if (opts->allow_transfer == NULL && defaults->allow_transfer != NULL)
+		isc_buffer_dup(mctx, &opts->allow_transfer,
+			       defaults->allow_transfer);
+
+	/* This option is always taken from config, so it's always 'default' */
+	opts->in_memory = defaults->in_memory;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_catz_entry_new(isc_mem_t *mctx, const dns_name_t *domain,
+		   dns_catz_entry_t **nentryp)
+{
+	dns_catz_entry_t *nentry;
+	isc_result_t result;
+
+	REQUIRE(nentryp != NULL && *nentryp == NULL);
+
+	nentry = isc_mem_get(mctx, sizeof(dns_catz_entry_t));
+	if (nentry == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_name_init(&nentry->name, NULL);
+	if (domain != NULL) {
+		result = dns_name_dup(domain, mctx, &nentry->name);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	dns_catz_options_init(&nentry->opts);
+	isc_refcount_init(&nentry->refs, 1);
+	*nentryp = nentry;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_mem_put(mctx, nentry, sizeof(dns_catz_entry_t));
+	return (result);
+}
+
+dns_name_t *
+dns_catz_entry_getname(dns_catz_entry_t *entry) {
+	return (&entry->name);
+}
+
+isc_result_t
+dns_catz_entry_copy(dns_catz_zone_t *zone, const dns_catz_entry_t *entry,
+		    dns_catz_entry_t **nentryp)
+{
+	isc_result_t result;
+	dns_catz_entry_t *nentry = NULL;
+
+	result = dns_catz_entry_new(zone->catzs->mctx, &entry->name, &nentry);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_catz_options_copy(zone->catzs->mctx, &entry->opts,
+				       &nentry->opts);
+	if (result != ISC_R_SUCCESS)
+		dns_catz_entry_detach(zone, &nentry);
+
+	*nentryp = nentry;
+	return (result);
+}
+
+void
+dns_catz_entry_attach(dns_catz_entry_t *entry, dns_catz_entry_t **entryp) {
+	REQUIRE(entryp != NULL && *entryp == NULL);
+	isc_refcount_increment(&entry->refs, NULL);
+	*entryp = entry;
+}
+
+void
+dns_catz_entry_detach(dns_catz_zone_t *zone, dns_catz_entry_t **entryp) {
+	dns_catz_entry_t *entry;
+	isc_mem_t *mctx;
+	unsigned int refs;
+
+	REQUIRE(entryp != NULL && *entryp != NULL);
+
+	entry = *entryp;
+	*entryp = NULL;
+
+	mctx = zone->catzs->mctx;
+
+	isc_refcount_decrement(&entry->refs, &refs);
+	if (refs == 0) {
+		dns_catz_options_free(&entry->opts, mctx);
+		if (dns_name_dynamic(&entry->name))
+			dns_name_free(&entry->name, mctx);
+		isc_refcount_destroy(&entry->refs);
+		isc_mem_put(mctx, entry, sizeof(dns_catz_entry_t));
+	}
+}
+
+bool
+dns_catz_entry_validate(const dns_catz_entry_t *entry) {
+	UNUSED(entry);
+
+	return (true);
+}
+
+bool
+dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
+	isc_region_t ra, rb;
+
+	if (ea == eb)
+		return (true);
+
+	if (ea->opts.masters.count != eb->opts.masters.count)
+		return (false);
+
+	if (memcmp(ea->opts.masters.addrs, eb->opts.masters.addrs,
+		   ea->opts.masters.count * sizeof(isc_sockaddr_t)))
+		return (false);
+
+	/* If one is NULL and the other isn't, the entries don't match */
+	if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL))
+		return (false);
+
+	/* If one is non-NULL, then they both are */
+	if (ea->opts.allow_query != NULL) {
+		isc_buffer_usedregion(ea->opts.allow_query, &ra);
+		isc_buffer_usedregion(eb->opts.allow_query, &rb);
+		if (isc_region_compare(&ra, &rb))
+			return (false);
+	}
+
+	/* Repeat the above checks with allow_transfer */
+	if ((ea->opts.allow_transfer == NULL) !=
+	    (eb->opts.allow_transfer == NULL))
+		return (false);
+
+	if (ea->opts.allow_transfer != NULL) {
+		isc_buffer_usedregion(ea->opts.allow_transfer, &ra);
+		isc_buffer_usedregion(eb->opts.allow_transfer, &rb);
+		if (isc_region_compare(&ra, &rb))
+			return (false);
+	}
+
+	/* xxxwpk TODO compare dscps/keys! */
+	return (true);
+}
+
+dns_name_t *
+dns_catz_zone_getname(dns_catz_zone_t *zone) {
+	REQUIRE(zone != NULL);
+
+	return (&zone->name);
+}
+
+dns_catz_options_t *
+dns_catz_zone_getdefoptions(dns_catz_zone_t *zone) {
+	REQUIRE(zone != NULL);
+
+	return (&zone->defoptions);
+}
+
+void
+dns_catz_zone_resetdefoptions(dns_catz_zone_t *zone) {
+	REQUIRE(zone != NULL);
+
+	dns_catz_options_free(&zone->defoptions, zone->catzs->mctx);
+	dns_catz_options_init(&zone->defoptions);
+}
+
+isc_result_t
+dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
+	isc_result_t result;
+	isc_ht_iter_t *iter1 = NULL, *iter2 = NULL;
+	isc_ht_iter_t *iteradd = NULL, *itermod = NULL;
+	isc_ht_t *toadd = NULL, *tomod = NULL;
+	bool delcur = false;
+	char czname[DNS_NAME_FORMATSIZE];
+	char zname[DNS_NAME_FORMATSIZE];
+	dns_catz_zoneop_fn_t addzone, modzone, delzone;
+
+	REQUIRE(target != NULL);
+	REQUIRE(newzone != NULL);
+
+	/* TODO verify the new zone first! */
+
+	addzone = target->catzs->zmm->addzone;
+	modzone = target->catzs->zmm->modzone;
+	delzone = target->catzs->zmm->delzone;
+
+	/* Copy zoneoptions from newzone into target. */
+
+	dns_catz_options_free(&target->zoneoptions, target->catzs->mctx);
+	dns_catz_options_copy(target->catzs->mctx, &newzone->zoneoptions,
+			      &target->zoneoptions);
+	dns_catz_options_setdefault(target->catzs->mctx, &target->defoptions,
+				    &target->zoneoptions);
+
+	dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE);
+
+	result = isc_ht_init(&toadd, target->catzs->mctx, 16);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_ht_init(&tomod, target->catzs->mctx, 16);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_ht_iter_create(newzone->entries, &iter1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_ht_iter_create(target->entries, &iter2);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * We can create those iterators now, even though toadd and tomod are
+	 * empty
+	 */
+	result = isc_ht_iter_create(toadd, &iteradd);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_ht_iter_create(tomod, &itermod);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * First - walk the new zone and find all nodes that are not in the
+	 * old zone, or are in both zones and are modified.
+	 */
+	for (result = isc_ht_iter_first(iter1);
+	     result == ISC_R_SUCCESS;
+	     result = delcur ? isc_ht_iter_delcurrent_next(iter1) :
+			     isc_ht_iter_next(iter1))
+	{
+		dns_catz_entry_t *nentry;
+		dns_catz_entry_t *oentry;
+		unsigned char * key;
+		size_t keysize;
+		delcur = false;
+
+		isc_ht_iter_current(iter1, (void **) &nentry);
+		isc_ht_iter_currentkey(iter1, &key, &keysize);
+
+		/*
+		 * Spurious record that came from suboption without main
+		 * record, removed.
+		 * xxxwpk: make it a separate verification phase?
+		 */
+		if (dns_name_countlabels(&nentry->name) == 0) {
+			dns_catz_entry_detach(newzone, &nentry);
+			delcur = true;
+			continue;
+		}
+
+		dns_name_format(&nentry->name, zname, DNS_NAME_FORMATSIZE);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+			      "catz: iterating over '%s' from catalog '%s'",
+			      zname, czname);
+		dns_catz_options_setdefault(target->catzs->mctx,
+					    &target->zoneoptions,
+					    &nentry->opts);
+
+		result = isc_ht_find(target->entries, key,
+				     (uint32_t)keysize, (void **) &oentry);
+		if (result != ISC_R_SUCCESS) {
+			result = isc_ht_add(toadd, key, (uint32_t)keysize,
+					    nentry);
+			if (result != ISC_R_SUCCESS)
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_ERROR,
+					      "catz: error adding zone '%s' "
+					      "from catalog '%s' - %s",
+					      zname, czname,
+					      isc_result_totext(result));
+			continue;
+		}
+
+		if (dns_catz_entry_cmp(oentry, nentry) != true) {
+			result = isc_ht_add(tomod, key, (uint32_t)keysize,
+					    nentry);
+			if (result != ISC_R_SUCCESS)
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_ERROR,
+					      "catz: error modifying zone '%s' "
+					      "from catalog '%s' - %s",
+					      zname, czname,
+					      isc_result_totext(result));
+		}
+		dns_catz_entry_detach(target, &oentry);
+		result = isc_ht_delete(target->entries, key,
+				       (uint32_t)keysize);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter1);
+
+	/*
+	 * Then - walk the old zone; only deleted entries should remain.
+	 */
+	for (result = isc_ht_iter_first(iter2);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(iter2))
+	{
+		dns_catz_entry_t *entry;
+		isc_ht_iter_current(iter2, (void **) &entry);
+
+		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
+		result = delzone(entry, target, target->catzs->view,
+			      target->catzs->taskmgr,
+			      target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: deleting zone '%s' from catalog '%s' - %s",
+			      zname, czname, isc_result_totext(result));
+		dns_catz_entry_detach(target, &entry);
+	}
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter2);
+	/* At this moment target->entries has to be be empty. */
+	INSIST(isc_ht_count(target->entries) == 0);
+	isc_ht_destroy(&target->entries);
+
+	for (result = isc_ht_iter_first(iteradd);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(iteradd))
+	{
+		dns_catz_entry_t *entry;
+		isc_ht_iter_current(iteradd, (void **) &entry);
+
+		dns_name_format(&entry->name, zname, DNS_NAME_FORMATSIZE);
+		result = addzone(entry, target, target->catzs->view,
+			      target->catzs->taskmgr,
+			      target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: adding zone '%s' from catalog "
+			      "'%s' - %s",
+			      zname, czname,
+			      isc_result_totext(result));
+	}
+
+	for (result = isc_ht_iter_first(itermod);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_delcurrent_next(itermod))
+	{
+		dns_catz_entry_t *entry;
+		isc_ht_iter_current(itermod, (void **) &entry);
+		result = modzone(entry, target, target->catzs->view,
+				 target->catzs->taskmgr,
+				 target->catzs->zmm->udata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+			      "catz: modifying zone '%s' from catalog "
+			      "'%s' - %s",
+			      zname, czname,
+			      isc_result_totext(result));
+	}
+
+	target->entries = newzone->entries;
+	newzone->entries = NULL;
+
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (iter1 != NULL)
+		isc_ht_iter_destroy(&iter1);
+	if (iter2 != NULL)
+		isc_ht_iter_destroy(&iter2);
+	if (iteradd != NULL)
+		isc_ht_iter_destroy(&iteradd);
+	if (itermod != NULL)
+		isc_ht_iter_destroy(&itermod);
+	if (toadd != NULL)
+		isc_ht_destroy(&toadd);
+	if (tomod != NULL)
+		isc_ht_destroy(&tomod);
+	return (result);
+
+}
+
+isc_result_t
+dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
+		   isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr)
+{
+	dns_catz_zones_t *new_zones;
+	isc_result_t result;
+
+	REQUIRE(catzsp != NULL && *catzsp == NULL);
+	REQUIRE(zmm != NULL);
+
+	new_zones = isc_mem_get(mctx, sizeof(*new_zones));
+	if (new_zones == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(new_zones, 0, sizeof(*new_zones));
+
+	result = isc_mutex_init(&new_zones->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_newzones;
+
+	result = isc_refcount_init(&new_zones->refs, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutex;
+
+	result = isc_ht_init(&new_zones->zones, mctx, 4);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_refcount;
+
+	isc_mem_attach(mctx, &new_zones->mctx);
+	new_zones->zmm = zmm;
+	new_zones->timermgr = timermgr;
+	new_zones->taskmgr = taskmgr;
+
+	result = isc_task_create(taskmgr, 0, &new_zones->updater);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_ht;
+
+	*catzsp = new_zones;
+	return (ISC_R_SUCCESS);
+
+  cleanup_ht:
+	isc_ht_destroy(&new_zones->zones);
+  cleanup_refcount:
+	isc_refcount_destroy(&new_zones->refs);
+  cleanup_mutex:
+	isc_mutex_destroy(&new_zones->lock);
+  cleanup_newzones:
+	isc_mem_put(mctx, new_zones, sizeof(*new_zones));
+
+	return (result);
+}
+
+void
+dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) {
+	REQUIRE(catzs != NULL);
+	REQUIRE(view != NULL);
+	/* Either it's a new one or it's being reconfigured. */
+	REQUIRE(catzs->view == NULL || !strcmp(catzs->view->name, view->name));
+
+	catzs->view = view;
+}
+
+isc_result_t
+dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
+		  const dns_name_t *name)
+{
+	isc_result_t result;
+	dns_catz_zone_t *new_zone;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	new_zone = isc_mem_get(catzs->mctx, sizeof(*new_zone));
+	if (new_zone == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(new_zone, 0, sizeof(*new_zone));
+
+	dns_name_init(&new_zone->name, NULL);
+
+	result = dns_name_dup(name, catzs->mctx, &new_zone->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_newzone;
+
+	result = isc_ht_init(&new_zone->entries, catzs->mctx, 4);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_name;
+
+	new_zone->updatetimer = NULL;
+	result = isc_timer_create(catzs->timermgr, isc_timertype_inactive,
+				  NULL, NULL, catzs->updater,
+				  dns_catz_update_taskaction,
+				  new_zone, &new_zone->updatetimer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_ht;
+
+	isc_time_settoepoch(&new_zone->lastupdated);
+	new_zone->updatepending = false;
+	new_zone->db = NULL;
+	new_zone->dbversion = NULL;
+	new_zone->catzs = catzs;
+	dns_catz_options_init(&new_zone->defoptions);
+	dns_catz_options_init(&new_zone->zoneoptions);
+	new_zone->active = true;
+	new_zone->db_registered = false;
+	new_zone->version = (uint32_t)(-1);
+	isc_refcount_init(&new_zone->refs, 1);
+
+	*zonep = new_zone;
+
+	return (ISC_R_SUCCESS);
+
+  cleanup_ht:
+	isc_ht_destroy(&new_zone->entries);
+  cleanup_name:
+	dns_name_free(&new_zone->name, catzs->mctx);
+  cleanup_newzone:
+	isc_mem_put(catzs->mctx, new_zone, sizeof(*new_zone));
+
+	return (result);
+}
+
+isc_result_t
+dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
+		  dns_catz_zone_t **zonep)
+{
+	dns_catz_zone_t *new_zone = NULL;
+	isc_result_t result, tresult;
+	char zname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(catzs != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	dns_name_format(name, zname, DNS_NAME_FORMATSIZE);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+		      "catz: dns_catz_add_zone %s", zname);
+
+	LOCK(&catzs->lock);
+
+	result = dns_catz_new_zone(catzs, &new_zone, name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_ht_add(catzs->zones, new_zone->name.ndata,
+			    new_zone->name.length, new_zone);
+	if (result != ISC_R_SUCCESS) {
+		dns_catz_zone_detach(&new_zone);
+		if (result != ISC_R_EXISTS)
+			goto cleanup;
+	}
+
+	if (result == ISC_R_EXISTS) {
+		tresult = isc_ht_find(catzs->zones, name->ndata,
+				     name->length, (void **) &new_zone);
+		INSIST(tresult == ISC_R_SUCCESS && !new_zone->active);
+		new_zone->active = true;
+	}
+
+	*zonep = new_zone;
+
+ cleanup:
+	UNLOCK(&catzs->lock);
+
+	return (result);
+}
+
+dns_catz_zone_t *
+dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name) {
+	isc_result_t result;
+	dns_catz_zone_t *found;
+
+	result = isc_ht_find(catzs->zones, name->ndata, name->length,
+			     (void **) &found);
+	if (result != ISC_R_SUCCESS)
+		return (NULL);
+
+	return (found);
+}
+
+void
+dns_catz_catzs_attach(dns_catz_zones_t *catzs, dns_catz_zones_t **catzsp) {
+	REQUIRE(catzsp != NULL && *catzsp == NULL);
+
+	isc_refcount_increment(&catzs->refs, NULL);
+	*catzsp = catzs;
+}
+
+void
+dns_catz_zone_attach(dns_catz_zone_t *zone, dns_catz_zone_t **zonep) {
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	isc_refcount_increment(&zone->refs, NULL);
+	*zonep = zone;
+}
+
+void
+dns_catz_zone_detach(dns_catz_zone_t **zonep) {
+	isc_result_t result;
+	dns_catz_zone_t *zone;
+	isc_ht_iter_t *iter = NULL;
+	isc_mem_t *mctx;
+	unsigned int refs;
+
+	REQUIRE(zonep != NULL && *zonep != NULL);
+
+	zone = *zonep;
+	*zonep = NULL;
+	isc_refcount_decrement(&zone->refs, &refs);
+	if (refs == 0) {
+		if (zone->entries != NULL) {
+			result = isc_ht_iter_create(zone->entries, &iter);
+			INSIST(result == ISC_R_SUCCESS);
+			for (result = isc_ht_iter_first(iter);
+			     result == ISC_R_SUCCESS;
+			     result = isc_ht_iter_delcurrent_next(iter))
+			{
+				dns_catz_entry_t *entry;
+
+				isc_ht_iter_current(iter, (void **) &entry);
+				dns_catz_entry_detach(zone, &entry);
+			}
+			INSIST(result == ISC_R_NOMORE);
+			isc_ht_iter_destroy(&iter);
+
+			/* The hashtable has to be empty now. */
+			INSIST(isc_ht_count(zone->entries) == 0);
+			isc_ht_destroy(&zone->entries);
+		}
+		mctx = zone->catzs->mctx;
+		isc_timer_detach(&zone->updatetimer);
+		isc_refcount_destroy(&zone->refs);
+		if (zone->db_registered == true) {
+			result = dns_db_updatenotify_unregister(zone->db,
+						    dns_catz_dbupdate_callback,
+						    zone->catzs);
+			INSIST(result == ISC_R_SUCCESS);
+		}
+		if (zone->dbversion)
+			dns_db_closeversion(zone->db, &zone->dbversion,
+					    false);
+		if (zone->db != NULL)
+			dns_db_detach(&zone->db);
+
+		dns_name_free(&zone->name, mctx);
+		dns_catz_options_free(&zone->defoptions, mctx);
+		dns_catz_options_free(&zone->zoneoptions, mctx);
+
+		zone->catzs = NULL;
+		isc_mem_put(mctx, zone, sizeof(dns_catz_zone_t));
+	}
+}
+
+void
+dns_catz_catzs_detach(dns_catz_zones_t ** catzsp) {
+	dns_catz_zones_t *catzs;
+	isc_ht_iter_t *iter = NULL;
+	isc_result_t result;
+	unsigned int refs;
+	dns_catz_zone_t *zone;
+
+
+	REQUIRE(catzsp != NULL);
+	catzs = *catzsp;
+	REQUIRE(catzs != NULL);
+
+	*catzsp = NULL;
+	isc_refcount_decrement(&catzs->refs, &refs);
+
+	if (refs == 0) {
+		DESTROYLOCK(&catzs->lock);
+		if (catzs->zones != NULL) {
+			result = isc_ht_iter_create(catzs->zones, &iter);
+			INSIST(result == ISC_R_SUCCESS);
+			for (result = isc_ht_iter_first(iter);
+			     result == ISC_R_SUCCESS;)
+			{
+				isc_ht_iter_current(iter, (void **) &zone);
+				result = isc_ht_iter_delcurrent_next(iter);
+				dns_catz_zone_detach(&zone);
+			}
+			INSIST(result == ISC_R_NOMORE);
+			isc_ht_iter_destroy(&iter);
+			INSIST(isc_ht_count(catzs->zones) == 0);
+			isc_ht_destroy(&catzs->zones);
+		}
+		isc_refcount_destroy(&catzs->refs);
+		isc_task_destroy(&catzs->updater);
+		isc_mem_putanddetach(&catzs->mctx, catzs, sizeof(*catzs));
+	}
+}
+
+typedef enum {
+	CATZ_OPT_NONE,
+	CATZ_OPT_ZONES,
+	CATZ_OPT_MASTERS,
+	CATZ_OPT_ALLOW_QUERY,
+	CATZ_OPT_ALLOW_TRANSFER,
+	CATZ_OPT_VERSION,
+} catz_opt_t;
+
+static bool
+catz_opt_cmp(const dns_label_t *option, const char *opt) {
+	unsigned int l = strlen(opt);
+	if (option->length - 1 == l &&
+	    memcmp(opt, option->base + 1, l - 1) == 0)
+		return (true);
+	else
+		return (false);
+}
+
+static catz_opt_t
+catz_get_option(const dns_label_t *option) {
+	if (catz_opt_cmp(option, "zones"))
+		return (CATZ_OPT_ZONES);
+	else if (catz_opt_cmp(option, "masters"))
+		return (CATZ_OPT_MASTERS);
+	else if (catz_opt_cmp(option, "allow-query"))
+		return (CATZ_OPT_ALLOW_QUERY);
+	else if (catz_opt_cmp(option, "allow-transfer"))
+		return (CATZ_OPT_ALLOW_TRANSFER);
+	else if (catz_opt_cmp(option, "version"))
+		return (CATZ_OPT_VERSION);
+	else
+		return (CATZ_OPT_NONE);
+}
+
+static isc_result_t
+catz_process_zones(dns_catz_zone_t *zone, dns_rdataset_t *value,
+		   dns_name_t *name)
+{
+	dns_label_t mhash;
+	dns_name_t opt;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(name != NULL);
+
+	if (value->rdclass != dns_rdataclass_in)
+		return (ISC_R_FAILURE);
+
+	if (name->labels == 0)
+		return (ISC_R_FAILURE);
+
+	dns_name_getlabel(name, name->labels-1, &mhash);
+
+	if (name->labels == 1)
+		return (catz_process_zones_entry(zone, value, &mhash));
+	else {
+		dns_name_init(&opt, NULL);
+		dns_name_split(name, 1, &opt, NULL);
+		return (catz_process_zones_suboption(zone, value, &mhash, &opt));
+	}
+}
+
+static isc_result_t
+catz_process_zones_entry(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			 dns_label_t *mhash)
+{
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_ptr_t ptr;
+	dns_catz_entry_t *entry = NULL;
+
+	/*
+	 * We only take -first- value, as mhash must be
+	 * different.
+	 */
+	if (value->type != dns_rdatatype_ptr)
+		return (ISC_R_FAILURE);
+
+	result = dns_rdataset_first(value);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &ptr, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	result = isc_ht_find(zone->entries, mhash->base,
+			     mhash->length, (void **) &entry);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_name_countlabels(&entry->name) != 0) {
+			/* We have a duplicate. */
+			dns_rdata_freestruct(&ptr);
+			return (ISC_R_FAILURE);
+		} else {
+			result = dns_name_dup(&ptr.ptr, zone->catzs->mctx,
+					      &entry->name);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdata_freestruct(&ptr);
+				return (result);
+			}
+		}
+	} else {
+		result = dns_catz_entry_new(zone->catzs->mctx, &ptr.ptr,
+					    &entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&ptr);
+			return (result);
+		}
+
+		result = isc_ht_add(zone->entries, mhash->base,
+				    mhash->length, entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&ptr);
+			dns_catz_entry_detach(zone, &entry);
+			return (result);
+		}
+	}
+
+	dns_rdata_freestruct(&ptr);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+catz_process_version(dns_catz_zone_t *zone, dns_rdataset_t *value) {
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_txt_t rdatatxt;
+	dns_rdata_txt_string_t rdatastr;
+	uint32_t tversion;
+	char t[16];
+
+	REQUIRE(zone != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+
+	if (value->rdclass != dns_rdataclass_in ||
+	    value->type != dns_rdatatype_txt)
+		return (ISC_R_FAILURE);
+
+	result = dns_rdataset_first(value);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &rdatatxt, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	result = dns_rdata_txt_first(&rdatatxt);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_rdata_txt_current(&rdatatxt, &rdatastr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_rdata_txt_next(&rdatatxt);
+	if (result != ISC_R_NOMORE) {
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+	if (rdatastr.length > 15) {
+		result = ISC_R_BADNUMBER;
+		goto cleanup;
+	}
+	memmove(t, rdatastr.data, rdatastr.length);
+	t[rdatastr.length] = 0;
+	result = isc_parse_uint32(&tversion, t, 10);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	zone->version = tversion;
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	dns_rdata_freestruct(&rdatatxt);
+	return (result);
+}
+
+static isc_result_t
+catz_process_masters(dns_catz_zone_t *zone, dns_ipkeylist_t *ipkl,
+		     dns_rdataset_t *value, dns_name_t *name)
+{
+	isc_result_t result;
+	dns_rdata_t rdata;
+	dns_rdata_in_a_t rdata_a;
+	dns_rdata_in_aaaa_t rdata_aaaa;
+	dns_rdata_txt_t rdata_txt;
+	dns_rdata_txt_string_t rdatastr;
+	dns_name_t *keyname = NULL;
+	isc_mem_t *mctx;
+	char keycbuf[DNS_NAME_FORMATSIZE];
+	isc_buffer_t keybuf;
+	unsigned int rcount;
+	unsigned int i;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(ipkl != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(dns_rdataset_isassociated(value));
+	REQUIRE(name != NULL);
+
+	mctx = zone->catzs->mctx;
+	memset(&rdata_a, 0, sizeof(rdata_a));
+	memset(&rdata_aaaa, 0, sizeof(rdata_aaaa));
+	memset(&rdata_txt, 0, sizeof(rdata_txt));
+	isc_buffer_init(&keybuf, keycbuf, sizeof(keycbuf));
+
+	/*
+	 * We have three possibilities here:
+	 * - either empty name and IN A/IN AAAA record
+	 * - label and IN A/IN AAAA
+	 * - label and IN TXT - TSIG key name
+	 */
+	if (value->rdclass != dns_rdataclass_in)
+		return (ISC_R_FAILURE);
+
+	if (name->labels > 0) {
+		isc_sockaddr_t sockaddr;
+
+		/*
+		 * We're pre-preparing the data once, we'll put it into
+		 * the right spot in the masters array once we find it.
+		 */
+		result = dns_rdataset_first(value);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(value, &rdata);
+		switch (value->type) {
+		case dns_rdatatype_a:
+			result = dns_rdata_tostruct(&rdata, &rdata_a, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin(&sockaddr, &rdata_a.in_addr, 0);
+			break;
+		case dns_rdatatype_aaaa:
+			result = dns_rdata_tostruct(&rdata, &rdata_aaaa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin6(&sockaddr, &rdata_aaaa.in6_addr, 0);
+			break;
+		case dns_rdatatype_txt:
+			result = dns_rdata_tostruct(&rdata, &rdata_txt, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			result = dns_rdata_txt_first(&rdata_txt);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+
+			result = dns_rdata_txt_current(&rdata_txt, &rdatastr);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+
+			result = dns_rdata_txt_next(&rdata_txt);
+			if (result != ISC_R_NOMORE)
+				return (ISC_R_FAILURE);
+
+			/* rdatastr.length < DNS_NAME_MAXTEXT */
+			keyname = isc_mem_get(mctx, sizeof(dns_name_t));
+			if (keyname == NULL)
+				return (ISC_R_NOMEMORY);
+			dns_name_init(keyname, 0);
+			memmove(keycbuf, rdatastr.data, rdatastr.length);
+			keycbuf[rdatastr.length] = 0;
+			result = dns_name_fromstring(keyname, keycbuf, 0, mctx);
+			if (result != ISC_R_SUCCESS) {
+				dns_name_free(keyname, mctx);
+				isc_mem_put(mctx, keyname, sizeof(dns_name_t));
+				return (result);
+			}
+			break;
+		default:
+			return (ISC_R_FAILURE);
+		}
+
+		/*
+		 * We have to find the appropriate labeled record in masters
+		 * if it exists.
+		 * In common case we'll have no more than 3-4 records here so
+		 * no optimization.
+		 */
+		for (i = 0; i < ipkl->count; i++) {
+			if (ipkl->labels[i] != NULL &&
+			    !dns_name_compare(name, ipkl->labels[i]))
+				break;
+		}
+
+		if (i < ipkl->count) { /* we have this record already */
+			if (value->type == dns_rdatatype_txt)
+				ipkl->keys[i] = keyname;
+			else /* A/AAAA */
+				memmove(&ipkl->addrs[i], &sockaddr,
+					sizeof(isc_sockaddr_t));
+		} else {
+			result = dns_ipkeylist_resize(mctx, ipkl,
+						      i+1);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+
+			ipkl->labels[i] = isc_mem_get(mctx, sizeof(dns_name_t));
+			if (ipkl->labels[i] == NULL)  {
+				if (keyname != NULL) {
+					dns_name_free(keyname, mctx);
+					isc_mem_put(mctx, keyname,
+						    sizeof(dns_name_t));
+				}
+				return (ISC_R_NOMEMORY);
+			}
+			dns_name_init(ipkl->labels[i], NULL);
+			result = dns_name_dup(name, mctx, ipkl->labels[i]);
+			if (result != ISC_R_SUCCESS) {
+				if (keyname != NULL) {
+					dns_name_free(keyname, mctx);
+					isc_mem_put(mctx, keyname,
+						    sizeof(dns_name_t));
+				}
+				return (result);
+			}
+
+			if (value->type == dns_rdatatype_txt)
+				ipkl->keys[i] = keyname;
+			else /* A/AAAA */
+				memmove(&ipkl->addrs[i], &sockaddr,
+					sizeof(isc_sockaddr_t));
+			ipkl->count++;
+		}
+		return (ISC_R_SUCCESS);
+	}
+	/* else - 'simple' case - without labels */
+
+	if (value->type != dns_rdatatype_a &&
+	    value->type != dns_rdatatype_aaaa)
+		return (ISC_R_FAILURE);
+
+	rcount = dns_rdataset_count(value) + ipkl->count;
+
+	result = dns_ipkeylist_resize(mctx, ipkl, rcount);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(value);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(value))
+	{
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(value, &rdata);
+		/*
+		 * port 0 == take the default
+		 */
+		if (value->type == dns_rdatatype_a) {
+			result = dns_rdata_tostruct(&rdata, &rdata_a, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin(&ipkl->addrs[ipkl->count],
+					    &rdata_a.in_addr, 0);
+		} else {
+			result = dns_rdata_tostruct(&rdata, &rdata_aaaa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_sockaddr_fromin6(&ipkl->addrs[ipkl->count],
+					     &rdata_aaaa.in6_addr, 0);
+		}
+		ipkl->keys[ipkl->count] = NULL;
+		ipkl->labels[ipkl->count] = NULL;
+		ipkl->count++;
+		dns_rdata_freestruct(&rdata_a);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+catz_process_apl(dns_catz_zone_t *zone, isc_buffer_t **aclbp,
+		 dns_rdataset_t *value)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata;
+	dns_rdata_in_apl_t rdata_apl;
+	dns_rdata_apl_ent_t apl_ent;
+	isc_netaddr_t addr;
+	isc_buffer_t *aclb = NULL;
+	unsigned char buf[256]; /* larger than INET6_ADDRSTRLEN */
+
+	REQUIRE(zone != NULL);
+	REQUIRE(aclbp != NULL);
+	REQUIRE(*aclbp == NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+	REQUIRE(dns_rdataset_isassociated(value));
+
+	if (value->rdclass != dns_rdataclass_in ||
+	    value->type != dns_rdatatype_apl)
+		return (ISC_R_FAILURE);
+
+
+	if (dns_rdataset_count(value) > 1) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_WARNING,
+			      "catz: more than one APL entry for member zone, "
+			      "result is undefined");
+	}
+	result = dns_rdataset_first(value);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(value, &rdata);
+	result = dns_rdata_tostruct(&rdata, &rdata_apl, zone->catzs->mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_buffer_allocate(zone->catzs->mctx, &aclb, 16);
+	isc_buffer_setautorealloc(aclb, true);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	for (result = dns_rdata_apl_first(&rdata_apl);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdata_apl_next(&rdata_apl)) {
+		result = dns_rdata_apl_current(&rdata_apl, &apl_ent);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		memset(buf, 0, sizeof(buf));
+		if (apl_ent.data != NULL && apl_ent.length > 0)
+			memmove(buf, apl_ent.data, apl_ent.length);
+		if (apl_ent.family == 1)
+			isc_netaddr_fromin(&addr, (struct in_addr*) buf);
+		else if (apl_ent.family == 2)
+			isc_netaddr_fromin6(&addr, (struct in6_addr*) buf);
+		else
+			continue; /* xxxwpk log it or simply ignore? */
+		if (apl_ent.negative)
+			isc_buffer_putuint8(aclb, '!');
+		isc_buffer_reserve(&aclb, INET6_ADDRSTRLEN);
+		result = isc_netaddr_totext(&addr, aclb);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((apl_ent.family == 1 && apl_ent.prefix < 32) ||
+		    (apl_ent.family == 2 && apl_ent.prefix < 128)) {
+			isc_buffer_putuint8(aclb, '/');
+			isc_buffer_putdecint(aclb, apl_ent.prefix);
+		}
+		isc_buffer_putstr(aclb, "; ");
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	else
+		goto cleanup;
+	*aclbp = aclb;
+	aclb = NULL;
+cleanup:
+	if (aclb != NULL)
+		isc_buffer_free(&aclb);
+	dns_rdata_freestruct(&rdata_apl);
+	return (result);
+}
+
+static isc_result_t
+catz_process_zones_suboption(dns_catz_zone_t *zone, dns_rdataset_t *value,
+			     dns_label_t *mhash, dns_name_t *name)
+{
+	isc_result_t result;
+	dns_catz_entry_t *entry = NULL;
+	dns_label_t option;
+	dns_name_t prefix;
+	catz_opt_t opt;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(mhash != NULL);
+	REQUIRE(DNS_RDATASET_VALID(value));
+
+	if (name->labels == 0)
+		return (ISC_R_FAILURE);
+	dns_name_getlabel(name, name->labels - 1, &option);
+	opt = catz_get_option(&option);
+
+	/*
+	 * We're adding this entry now, in case the option is invalid we'll get
+	 * rid of it in verification phase.
+	 */
+	result = isc_ht_find(zone->entries, mhash->base, mhash->length,
+			     (void **) &entry);
+	if (result != ISC_R_SUCCESS) {
+		result = dns_catz_entry_new(zone->catzs->mctx, NULL, &entry);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = isc_ht_add(zone->entries, mhash->base, mhash->length,
+				    entry);
+		if (result != ISC_R_SUCCESS) {
+			dns_catz_entry_detach(zone, &entry);
+			return (result);
+		}
+	}
+
+	dns_name_init(&prefix, NULL);
+	dns_name_split(name, 1, &prefix, NULL);
+	switch (opt) {
+	case CATZ_OPT_MASTERS:
+		return (catz_process_masters(zone, &entry->opts.masters, value,
+					     &prefix));
+	case CATZ_OPT_ALLOW_QUERY:
+		if (prefix.labels != 0)
+			return (ISC_R_FAILURE);
+		return (catz_process_apl(zone, &entry->opts.allow_query,
+					 value));
+	case CATZ_OPT_ALLOW_TRANSFER:
+		if (prefix.labels != 0)
+			return (ISC_R_FAILURE);
+		return (catz_process_apl(zone, &entry->opts.allow_transfer,
+					 value));
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+catz_process_value(dns_catz_zone_t *zone, dns_name_t *name,
+		   dns_rdataset_t *rdataset)
+{
+	dns_label_t option;
+	dns_name_t prefix;
+	catz_opt_t opt;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	dns_name_getlabel(name, name->labels - 1, &option);
+	opt = catz_get_option(&option);
+	dns_name_init(&prefix, NULL);
+	dns_name_split(name, 1, &prefix, NULL);
+	switch (opt) {
+	case CATZ_OPT_ZONES:
+		return (catz_process_zones(zone, rdataset, &prefix));
+	case CATZ_OPT_MASTERS:
+		return (catz_process_masters(zone, &zone->zoneoptions.masters,
+					     rdataset, &prefix));
+	case CATZ_OPT_ALLOW_QUERY:
+		if (prefix.labels != 0)
+			return (ISC_R_FAILURE);
+		return (catz_process_apl(zone, &zone->zoneoptions.allow_query,
+					 rdataset));
+	case CATZ_OPT_ALLOW_TRANSFER:
+		if (prefix.labels != 0)
+			return (ISC_R_FAILURE);
+		return (catz_process_apl(zone,
+					 &zone->zoneoptions.allow_transfer,
+					 rdataset));
+	case CATZ_OPT_VERSION:
+		if (prefix.labels != 0)
+			return (ISC_R_FAILURE);
+		return (catz_process_version(zone, rdataset));
+	default:
+		return (ISC_R_FAILURE);
+	}
+}
+
+isc_result_t
+dns_catz_update_process(dns_catz_zones_t *catzs, dns_catz_zone_t *zone,
+			dns_name_t *src_name, dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t nrres;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_name_t prefix;
+
+	REQUIRE(catzs != NULL);
+	REQUIRE(zone != NULL);
+
+	nrres = dns_name_fullcompare(src_name, &zone->name, &order, &nlabels);
+	if (nrres == dns_namereln_equal) {
+		if (rdataset->type == dns_rdatatype_soa) {
+			result = dns_rdataset_first(rdataset);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+
+			dns_rdataset_current(rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			/*
+			 * xxxwpk TODO do we want to save something from SOA?
+			 */
+			return (result);
+
+		} else if (rdataset->type == dns_rdatatype_ns) {
+			return (ISC_R_SUCCESS);
+		} else {
+			return (ISC_R_UNEXPECTED);
+		}
+	} else if (nrres != dns_namereln_subdomain) {
+		return (ISC_R_UNEXPECTED);
+	}
+
+	dns_name_init(&prefix, NULL);
+	dns_name_split(src_name, zone->name.labels, &prefix, NULL);
+	result = catz_process_value(zone, &prefix, rdataset);
+
+	return (result);
+}
+
+isc_result_t
+dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+				 isc_buffer_t **buffer)
+{
+	isc_buffer_t *tbuf = NULL;
+	isc_sha256_t sha256;
+	isc_region_t r;
+	isc_result_t result;
+	size_t rlen;
+
+	REQUIRE(zone != NULL);
+	REQUIRE(entry != NULL);
+	REQUIRE(buffer != NULL && *buffer != NULL);
+
+	result = isc_buffer_allocate(zone->catzs->mctx, &tbuf,
+				     strlen(zone->catzs->view->name) +
+				     2 * DNS_NAME_FORMATSIZE + 2);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	INSIST(tbuf != NULL);
+
+	isc_buffer_putstr(tbuf, zone->catzs->view->name);
+	isc_buffer_putstr(tbuf, "_");
+	result = dns_name_totext(&zone->name, true, tbuf);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	isc_buffer_putstr(tbuf, "_");
+	result = dns_name_totext(&entry->name, true, tbuf);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* __catz__<digest>.db */
+	rlen = ISC_SHA256_DIGESTSTRINGLENGTH + 12;
+
+	/* optionally prepend with <zonedir>/ */
+	if (entry->opts.zonedir != NULL)
+		rlen += strlen(entry->opts.zonedir) + 1;
+
+	result = isc_buffer_reserve(buffer, (unsigned int)rlen);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (entry->opts.zonedir != NULL) {
+		isc_buffer_putstr(*buffer, entry->opts.zonedir);
+		isc_buffer_putstr(*buffer, "/");
+	}
+
+	isc_buffer_usedregion(tbuf, &r);
+	isc_buffer_putstr(*buffer, "__catz__");
+	if (tbuf->used > ISC_SHA256_DIGESTSTRINGLENGTH) {
+		isc_sha256_init(&sha256);
+		isc_sha256_update(&sha256, r.base, r.length);
+		/* we can do that because digest string < 2 * DNS_NAME */
+		isc_sha256_end(&sha256, (char *) r.base);
+		isc_buffer_putstr(*buffer, (char *) r.base);
+	} else {
+		isc_buffer_copyregion(*buffer, &r);
+	}
+
+	isc_buffer_putstr(*buffer, ".db");
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	isc_buffer_free(&tbuf);
+	return (result);
+}
+
+isc_result_t
+dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+			  isc_buffer_t **buf)
+{
+	/*
+	 * We have to generate a text buffer with regular zone config:
+	 * zone foo.bar {
+	 * 	type slave;
+	 * 	masters [ dscp X ] { ip1 port port1; ip2 port port2; };
+	 * }
+	 */
+	isc_buffer_t *buffer = NULL;
+	isc_region_t region;
+	isc_result_t result;
+	uint32_t i;
+	isc_netaddr_t netaddr;
+	char pbuf[sizeof("65535")]; /* used both for port number and DSCP */
+	char zname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(zone != NULL);
+	REQUIRE(entry != NULL);
+	REQUIRE(buf != NULL && *buf == NULL);
+
+	/*
+	 * The buffer will be reallocated if something won't fit,
+	 * ISC_BUFFER_INCR seems like a good start.
+	 */
+	result = isc_buffer_allocate(zone->catzs->mctx, &buffer,
+				     ISC_BUFFER_INCR);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+
+	isc_buffer_setautorealloc(buffer, true);
+	isc_buffer_putstr(buffer, "zone ");
+	dns_name_totext(&entry->name, true, buffer);
+	isc_buffer_putstr(buffer, " { type slave; masters");
+
+	/*
+	 * DSCP value has no default, but when it is specified, it is identical
+	 * for all masters and cannot be overriden for a specific master IP, so
+	 * use the DSCP value set for the first master
+	 */
+	if (entry->opts.masters.count > 0 &&
+	    entry->opts.masters.dscps[0] >= 0) {
+		isc_buffer_putstr(buffer, " dscp ");
+		snprintf(pbuf, sizeof(pbuf), "%hd",
+			 entry->opts.masters.dscps[0]);
+		isc_buffer_putstr(buffer, pbuf);
+	}
+
+	isc_buffer_putstr(buffer, " { ");
+	for (i = 0; i < entry->opts.masters.count; i++) {
+		/*
+		 * Every master must have an IP address assigned.
+		 */
+		switch (entry->opts.masters.addrs[i].type.sa.sa_family) {
+		case AF_INET:
+		case AF_INET6:
+			break;
+		default:
+			dns_name_format(&entry->name, zname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: zone '%s' uses an invalid master "
+				      "(no IP address assigned)",
+				      zname);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		isc_netaddr_fromsockaddr(&netaddr,
+					 &entry->opts.masters.addrs[i]);
+		isc_buffer_reserve(&buffer, INET6_ADDRSTRLEN);
+		result = isc_netaddr_totext(&netaddr, buffer);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		isc_buffer_putstr(buffer, " port ");
+		snprintf(pbuf, sizeof(pbuf), "%u",
+			 isc_sockaddr_getport(&entry->opts.masters.addrs[i]));
+		isc_buffer_putstr(buffer, pbuf);
+
+		if (entry->opts.masters.keys[i] != NULL) {
+			isc_buffer_putstr(buffer, " key ");
+			result = dns_name_totext(entry->opts.masters.keys[i],
+						 true, buffer);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+		isc_buffer_putstr(buffer, "; ");
+	}
+	isc_buffer_putstr(buffer, "}; ");
+	if (entry->opts.in_memory == false) {
+		isc_buffer_putstr(buffer, "file \"");
+		result = dns_catz_generate_masterfilename(zone, entry, &buffer);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_putstr(buffer, "\"; ");
+
+	}
+	if (entry->opts.allow_query != NULL) {
+		isc_buffer_putstr(buffer, "allow-query { ");
+		isc_buffer_usedregion(entry->opts.allow_query, &region);
+		isc_buffer_copyregion(buffer, &region);
+		isc_buffer_putstr(buffer, "}; ");
+	}
+	if (entry->opts.allow_transfer != NULL) {
+		isc_buffer_putstr(buffer, "allow-transfer { ");
+		isc_buffer_usedregion(entry->opts.allow_transfer, &region);
+		isc_buffer_copyregion(buffer, &region);
+		isc_buffer_putstr(buffer, "}; ");
+	}
+
+	isc_buffer_putstr(buffer, "};");
+	*buf = buffer;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (buffer != NULL)
+		isc_buffer_free(&buffer);
+	return (result);
+}
+
+void
+dns_catz_update_taskaction(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_catz_zone_t * zone;
+	(void) task;
+
+	REQUIRE(event != NULL);
+	zone = event->ev_arg;
+	REQUIRE(zone != NULL);
+
+	LOCK(&zone->catzs->lock);
+	zone->updatepending = false;
+	dns_catz_update_from_db(zone->db, zone->catzs);
+	result = isc_timer_reset(zone->updatetimer, isc_timertype_inactive,
+				 NULL, NULL, true);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_event_free(&event);
+	result = isc_time_now(&zone->lastupdated);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	UNLOCK(&zone->catzs->lock);
+}
+
+isc_result_t
+dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg) {
+	dns_catz_zones_t *catzs;
+	dns_catz_zone_t *zone = NULL;
+	isc_time_t now;
+	uint64_t tdiff;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_region_t r;
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(fn_arg != NULL);
+	catzs = (dns_catz_zones_t *) fn_arg;
+
+	dns_name_toregion(&db->origin, &r);
+
+	LOCK(&catzs->lock);
+	result = isc_ht_find(catzs->zones, r.base, r.length, (void **) &zone);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* New zone came as AXFR */
+	if (zone->db != NULL && zone->db != db) {
+		if (zone->dbversion != NULL)
+			dns_db_closeversion(zone->db, &zone->dbversion,
+						    false);
+		dns_db_detach(&zone->db);
+		/*
+		 * We're not registering db update callback, it will be
+		 * registered at the end of update_from_db
+		 */
+		zone->db_registered = false;
+	}
+	if (zone->db == NULL)
+		dns_db_attach(db, &zone->db);
+
+	if (zone->updatepending == false) {
+		zone->updatepending = true;
+		isc_time_now(&now);
+		tdiff = isc_time_microdiff(&now, &zone->lastupdated)/1000000;
+		if (tdiff < zone->defoptions.min_update_interval) {
+			isc_interval_t interval;
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+				      "catz: new zone version came too soon, "
+				      "deferring update");
+			isc_interval_set(&interval,
+					 zone->defoptions.min_update_interval -
+					 (unsigned int)tdiff, 0);
+			dns_db_currentversion(db, &zone->dbversion);
+			result = isc_timer_reset(zone->updatetimer,
+						 isc_timertype_once,
+						 NULL, &interval, true);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		} else {
+			isc_event_t *event;
+
+			dns_db_currentversion(db, &zone->dbversion);
+			ISC_EVENT_INIT(&zone->updateevent,
+				       sizeof(zone->updateevent), 0, NULL,
+				       DNS_EVENT_CATZUPDATED,
+				       dns_catz_update_taskaction,
+				       zone, zone, NULL, NULL);
+			event = &zone->updateevent;
+			isc_task_send(catzs->updater, &event);
+		}
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+			      "catz: update already queued");
+		if (zone->dbversion != NULL)
+			dns_db_closeversion(zone->db, &zone->dbversion,
+					    false);
+		dns_db_currentversion(zone->db, &zone->dbversion);
+	}
+
+  cleanup:
+	UNLOCK(&catzs->lock);
+
+	return (result);
+}
+
+void
+dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
+	dns_catz_zone_t *oldzone = NULL, *newzone = NULL;
+	isc_result_t result;
+	isc_region_t r;
+	dns_dbnode_t *node = NULL;
+	dns_dbiterator_t *it = NULL;
+	dns_fixedname_t fixname;
+	dns_name_t *name;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_rdataset_t rdataset;
+	char bname[DNS_NAME_FORMATSIZE];
+	isc_buffer_t ibname;
+	uint32_t vers;
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(catzs != NULL);
+
+	/*
+	 * Create a new catz in the same context as current catz.
+	 */
+	dns_name_toregion(&db->origin, &r);
+	result = isc_ht_find(catzs->zones, r.base, r.length, (void **)&oldzone);
+	if (result != ISC_R_SUCCESS) {
+		/* This can happen if we remove the zone in the meantime. */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: zone '%s' not in config",
+			      bname);
+		return;
+	}
+
+	isc_buffer_init(&ibname, bname, DNS_NAME_FORMATSIZE);
+	result = dns_name_totext(&db->origin, true, &ibname);
+	INSIST(result == ISC_R_SUCCESS);
+
+	result = dns_db_getsoaserial(db, oldzone->dbversion, &vers);
+	if (result != ISC_R_SUCCESS) {
+		/* A zone without SOA record?!? */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: zone '%s' has no SOA record (%s)",
+			      bname, isc_result_totext(result));
+		return;
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_MASTER, ISC_LOG_INFO,
+		      "catz: updating catalog zone '%s' with serial %d",
+		      bname, vers);
+
+	result = dns_catz_new_zone(catzs, &newzone, &db->origin);
+	if (result != ISC_R_SUCCESS) {
+		dns_db_closeversion(db, &oldzone->dbversion, false);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to create new zone - %s",
+			      isc_result_totext(result));
+		return;
+	}
+
+	result = dns_db_createiterator(db, DNS_DB_NONSEC3, &it);
+	if (result != ISC_R_SUCCESS) {
+		dns_catz_zone_detach(&newzone);
+		dns_db_closeversion(db, &oldzone->dbversion, false);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to create DB iterator - %s",
+			      isc_result_totext(result));
+		return;
+	}
+
+	name = dns_fixedname_initname(&fixname);
+
+	/*
+	 * Iterate over database to fill the new zone.
+	 */
+	result = dns_dbiterator_first(it);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+			      "catz: failed to get db iterator - %s",
+			      isc_result_totext(result));
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(it, &node, name);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: failed to get db iterator - %s",
+				      isc_result_totext(result));
+			break;
+		}
+
+		result = dns_db_allrdatasets(db, node, oldzone->dbversion, 0,
+					  &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
+				      "catz: failed to fetch rrdatasets - %s",
+				      isc_result_totext(result));
+			dns_db_detachnode(db, &node);
+			break;
+		}
+
+		dns_rdataset_init(&rdataset);
+		result = dns_rdatasetiter_first(rdsiter);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			result = dns_catz_update_process(catzs, newzone, name,
+							 &rdataset);
+			if (result != ISC_R_SUCCESS) {
+				char cname[DNS_NAME_FORMATSIZE];
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+				char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+				dns_name_format(name, cname,
+						DNS_NAME_FORMATSIZE);
+				dns_rdataclass_format(rdataset.rdclass,
+						      classbuf,
+						      sizeof(classbuf));
+				dns_rdatatype_format(rdataset.type, typebuf,
+						     sizeof(typebuf));
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_MASTER,
+					      ISC_LOG_WARNING,
+					      "catz: unknown record in catalog "
+					      "zone - %s %s %s(%s) - ignoring",
+					      cname, classbuf, typebuf,
+					      isc_result_totext(result));
+			}
+			dns_rdataset_disassociate(&rdataset);
+			if (result != ISC_R_SUCCESS) {
+				break;
+			}
+			result = dns_rdatasetiter_next(rdsiter);
+		}
+
+		dns_rdatasetiter_destroy(&rdsiter);
+
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(it);
+	}
+
+	dns_dbiterator_destroy(&it);
+	dns_db_closeversion(db, &oldzone->dbversion, false);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+		      "catz: update_from_db: iteration finished");
+
+	/*
+	 * Finally merge new zone into old zone.
+	 */
+	result = dns_catz_zones_merge(oldzone, newzone);
+	dns_catz_zone_detach(&newzone);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTER,
+			      ISC_LOG_ERROR,
+			      "catz: failed merging zones: %s",
+			      isc_result_totext(result));
+
+		return;
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_MASTER, ISC_LOG_DEBUG(3),
+		      "catz: update_from_db: new zone merged");
+
+	/*
+	 * When we're doing reconfig and setting a new catalog zone
+	 * from an existing zone we won't have a chance to set up
+	 * update callback in zone_startload or axfr_makedb, but we will
+	 * call onupdate() artificially so we can register the callback here.
+	 */
+	if (oldzone->db_registered == false) {
+		result = dns_db_updatenotify_register(db,
+						    dns_catz_dbupdate_callback,
+						    oldzone->catzs);
+		if (result == ISC_R_SUCCESS)
+			oldzone->db_registered = true;
+	}
+}
+
+void
+dns_catz_prereconfig(dns_catz_zones_t *catzs) {
+	isc_result_t result;
+	isc_ht_iter_t *iter = NULL;
+	dns_catz_zone_t *zone;
+
+	REQUIRE(catzs != NULL);
+
+	result = isc_ht_iter_create(catzs->zones, &iter);
+	INSIST(result == ISC_R_SUCCESS);
+	for (result = isc_ht_iter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		isc_ht_iter_current(iter, (void **) &zone);
+		zone->active = false;
+	}
+	INSIST(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter);
+}
+
+void
+dns_catz_postreconfig(dns_catz_zones_t *catzs) {
+	isc_result_t result;
+	dns_catz_zone_t *newzone = NULL;
+	isc_ht_iter_t *iter = NULL;
+	dns_catz_zone_t *zone;
+
+	LOCK(&catzs->lock);
+	result = isc_ht_iter_create(catzs->zones, &iter);
+	INSIST(result == ISC_R_SUCCESS);
+	for (result = isc_ht_iter_first(iter);
+	     result == ISC_R_SUCCESS;)
+	{
+		isc_ht_iter_current(iter, (void **) &zone);
+		if (zone->active == false) {
+			char cname[DNS_NAME_FORMATSIZE];
+			dns_name_format(&zone->name, cname,
+					DNS_NAME_FORMATSIZE);
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTER,
+				      ISC_LOG_WARNING,
+				      "catz: removing catalog zone %s", cname);
+
+			/*
+			 * Merge the old zone with an empty one to remove
+			 * all members.
+			 */
+			result = dns_catz_new_zone(catzs, &newzone,
+						   &zone->name);
+			INSIST(result == ISC_R_SUCCESS);
+			dns_catz_zones_merge(zone, newzone);
+			dns_catz_zone_detach(&newzone);
+
+			/* Make sure that we have an empty catalog zone. */
+			INSIST(isc_ht_count(zone->entries) == 0);
+			result = isc_ht_iter_delcurrent_next(iter);
+			dns_catz_zone_detach(&zone);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+	}
+	UNLOCK(&catzs->lock);
+	RUNTIME_CHECK(result == ISC_R_NOMORE);
+	isc_ht_iter_destroy(&iter);
+}
+
+isc_result_t
+dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp) {
+	return (isc_ht_iter_create(catz->entries, itp));
+}
diff --git a/lib/dns/client.c b/lib/dns/client.c
new file mode 100644
index 0000000..a6d0e21
--- /dev/null
+++ b/lib/dns/client.c
@@ -0,0 +1,3243 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/safe.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/client.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+#define DNS_CLIENT_MAGIC		ISC_MAGIC('D', 'N', 'S', 'c')
+#define DNS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, DNS_CLIENT_MAGIC)
+
+#define RCTX_MAGIC			ISC_MAGIC('R', 'c', 't', 'x')
+#define RCTX_VALID(c)			ISC_MAGIC_VALID(c, RCTX_MAGIC)
+
+#define REQCTX_MAGIC			ISC_MAGIC('R', 'q', 'c', 'x')
+#define REQCTX_VALID(c)			ISC_MAGIC_VALID(c, REQCTX_MAGIC)
+
+#define UCTX_MAGIC			ISC_MAGIC('U', 'c', 't', 'x')
+#define UCTX_VALID(c)			ISC_MAGIC_VALID(c, UCTX_MAGIC)
+
+#define MAX_RESTARTS 16
+
+#ifdef TUNE_LARGE
+#define RESOLVER_NTASKS 523
+#else
+#define RESOLVER_NTASKS 31
+#endif /* TUNE_LARGE */
+
+/*%
+ * DNS client object
+ */
+struct dns_client {
+	/* Unlocked */
+	unsigned int			magic;
+	unsigned int			attributes;
+	isc_mutex_t			lock;
+	isc_mem_t			*mctx;
+	isc_appctx_t			*actx;
+	isc_taskmgr_t			*taskmgr;
+	isc_task_t			*task;
+	isc_socketmgr_t			*socketmgr;
+	isc_timermgr_t			*timermgr;
+	dns_dispatchmgr_t		*dispatchmgr;
+	dns_dispatch_t			*dispatchv4;
+	dns_dispatch_t			*dispatchv6;
+
+	unsigned int			update_timeout;
+	unsigned int			update_udptimeout;
+	unsigned int			update_udpretries;
+	unsigned int			find_timeout;
+	unsigned int			find_udpretries;
+
+	/* Locked */
+	unsigned int			references;
+	dns_viewlist_t			viewlist;
+	ISC_LIST(struct resctx)		resctxs;
+	ISC_LIST(struct reqctx)		reqctxs;
+	ISC_LIST(struct updatectx)	updatectxs;
+};
+
+/*%
+ * Timeout/retry constants for dynamic update borrowed from nsupdate
+ */
+#define DEF_UPDATE_TIMEOUT	300
+#define MIN_UPDATE_TIMEOUT	30
+#define DEF_UPDATE_UDPTIMEOUT	3
+#define DEF_UPDATE_UDPRETRIES	3
+
+#define DEF_FIND_TIMEOUT	5
+#define DEF_FIND_UDPRETRIES	3
+
+#define DNS_CLIENTATTR_OWNCTX			0x01
+
+#define DNS_CLIENTVIEW_NAME			"dnsclient"
+
+/*%
+ * Internal state for a single name resolution procedure
+ */
+typedef struct resctx {
+	/* Unlocked */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	dns_client_t		*client;
+	bool		want_dnssec;
+	bool		want_validation;
+	bool		want_cdflag;
+	bool		want_tcp;
+
+	/* Locked */
+	ISC_LINK(struct resctx)	link;
+	isc_task_t		*task;
+	dns_view_t		*view;
+	unsigned int		restarts;
+	dns_fixedname_t		name;
+	dns_rdatatype_t		type;
+	dns_fetch_t		*fetch;
+	dns_namelist_t		namelist;
+	isc_result_t		result;
+	dns_clientresevent_t	*event;
+	bool		canceled;
+	dns_rdataset_t		*rdataset;
+	dns_rdataset_t		*sigrdataset;
+} resctx_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct resarg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	isc_result_t		vresult;
+	dns_namelist_t		*namelist;
+	dns_clientrestrans_t	*trans;
+	bool		canceled;
+} resarg_t;
+
+/*%
+ * Internal state for a single DNS request
+ */
+typedef struct reqctx {
+	/* Unlocked */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	dns_client_t		*client;
+	unsigned int		parseoptions;
+
+	/* Locked */
+	ISC_LINK(struct reqctx)	link;
+	bool		canceled;
+	dns_tsigkey_t		*tsigkey;
+	dns_request_t		*request;
+	dns_clientreqevent_t	*event;
+} reqctx_t;
+
+/*%
+ * Argument of an internal event for synchronous DNS request.
+ */
+typedef struct reqarg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	dns_clientreqtrans_t	*trans;
+	bool		canceled;
+} reqarg_t;
+
+/*%
+ * Argument of an internal event for synchronous name resolution.
+ */
+typedef struct updatearg {
+	/* Unlocked */
+	isc_appctx_t		*actx;
+	dns_client_t		*client;
+	isc_mutex_t		lock;
+
+	/* Locked */
+	isc_result_t		result;
+	dns_clientupdatetrans_t	*trans;
+	bool		canceled;
+} updatearg_t;
+
+/*%
+ * Internal state for a single dynamic update procedure
+ */
+typedef struct updatectx {
+	/* Unlocked */
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	dns_client_t			*client;
+	bool			want_tcp;
+
+	/* Locked */
+	dns_request_t			*updatereq;
+	dns_request_t			*soareq;
+	dns_clientrestrans_t		*restrans;
+	dns_clientrestrans_t		*restrans2;
+	bool			canceled;
+
+	/* Task Locked */
+	ISC_LINK(struct updatectx) 	link;
+	dns_clientupdatestate_t		state;
+	dns_rdataclass_t		rdclass;
+	dns_view_t			*view;
+	dns_message_t			*updatemsg;
+	dns_message_t			*soaquery;
+	dns_clientupdateevent_t		*event;
+	dns_tsigkey_t			*tsigkey;
+	dst_key_t			*sig0key;
+	dns_name_t			*firstname;
+	dns_name_t			soaqname;
+	dns_fixedname_t			zonefname;
+	dns_name_t			*zonename;
+	isc_sockaddrlist_t		servers;
+	unsigned int			nservers;
+	isc_sockaddr_t			*currentserver;
+	struct updatectx		*bp4;
+	struct updatectx		*bp6;
+} updatectx_t;
+
+static isc_result_t request_soa(updatectx_t *uctx);
+static void client_resfind(resctx_t *rctx, dns_fetchevent_t *event);
+static isc_result_t send_update(updatectx_t *uctx);
+
+static isc_result_t
+getudpdispatch(int family, dns_dispatchmgr_t *dispatchmgr,
+	       isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+	       bool is_shared, dns_dispatch_t **dispp,
+	       isc_sockaddr_t *localaddr)
+{
+	unsigned int attrs, attrmask;
+	dns_dispatch_t *disp;
+	unsigned buffersize, maxbuffers, maxrequests, buckets, increment;
+	isc_result_t result;
+	isc_sockaddr_t anyaddr;
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (family) {
+	case AF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+	case AF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+	default:
+		INSIST(0);
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+
+	if (localaddr == NULL) {
+		localaddr = &anyaddr;
+		isc_sockaddr_anyofpf(localaddr, family);
+	}
+
+	buffersize = 4096;
+	maxbuffers = is_shared ? 1000 : 8;
+	maxrequests = 32768;
+	buckets = is_shared ? 16411 : 3;
+	increment = is_shared ? 16433 : 5;
+
+	disp = NULL;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr,
+				     taskmgr, localaddr,
+				     buffersize, maxbuffers, maxrequests,
+				     buckets, increment,
+				     attrs, attrmask, &disp);
+	if (result == ISC_R_SUCCESS)
+		*dispp = disp;
+
+	return (result);
+}
+
+static isc_result_t
+createview(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+	   unsigned int options, isc_taskmgr_t *taskmgr,
+	   unsigned int ntasks, isc_socketmgr_t *socketmgr,
+	   isc_timermgr_t *timermgr, dns_dispatchmgr_t *dispatchmgr,
+	   dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+	   dns_view_t **viewp)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	const char *dbtype;
+
+	result = dns_view_create(mctx, rdclass, DNS_CLIENTVIEW_NAME, &view);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Initialize view security roots */
+	result = dns_view_initsecroots(view, mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	result = dns_view_createresolver(view, taskmgr, ntasks, 1,
+					 socketmgr, timermgr, 0,
+					 dispatchmgr, dispatchv4, dispatchv6);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	/*
+	 * Set cache DB.
+	 * XXX: it may be better if specific DB implementations can be
+	 * specified via some configuration knob.
+	 */
+	if ((options & DNS_CLIENTCREATEOPT_USECACHE) != 0)
+		dbtype = "rbt";
+	else
+		dbtype = "ecdb";
+	result = dns_db_create(mctx, dbtype, dns_rootname, dns_dbtype_cache,
+			       rdclass, 0, NULL, &view->cachedb);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		return (result);
+	}
+
+	*viewp = view;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	isc_appctx_t *actx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+#if 0
+	/* XXXMPA add debug logging support */
+	isc_log_t *lctx = NULL;
+	isc_logconfig_t *logconfig = NULL;
+	unsigned int logdebuglevel = 0;
+#endif
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_appctx_create(mctx, &actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_socketmgr_createinctx(mctx, actx, &socketmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_timermgr_createinctx(mctx, actx, &timermgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#if 0
+	result = isc_log_create(mctx, &lctx, &logconfig);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_log_setdebuglevel(lctx, logdebuglevel);
+#endif
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    options, clientp);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	(*clientp)->attributes |= DNS_CLIENTATTR_OWNCTX;
+
+	/* client has its own reference to mctx, so we can detach it here */
+	isc_mem_detach(&mctx);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (actx != NULL)
+		isc_appctx_destroy(&actx);
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		   unsigned int options, dns_client_t **clientp)
+{
+	isc_result_t result;
+	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
+				     options, clientp, NULL, NULL);
+	return (result);
+}
+
+isc_result_t
+dns_client_createx2(isc_mem_t *mctx, isc_appctx_t *actx,
+		    isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr,
+		    isc_timermgr_t *timermgr, unsigned int options,
+		    dns_client_t **clientp, isc_sockaddr_t *localaddr4,
+		    isc_sockaddr_t *localaddr6)
+{
+	dns_client_t *client;
+	isc_result_t result;
+	dns_dispatchmgr_t *dispatchmgr = NULL;
+	dns_dispatch_t *dispatchv4 = NULL;
+	dns_dispatch_t *dispatchv6 = NULL;
+	dns_view_t *view = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(timermgr != NULL);
+	REQUIRE(socketmgr != NULL);
+	REQUIRE(clientp != NULL && *clientp == NULL);
+
+	client = isc_mem_get(mctx, sizeof(*client));
+	if (client == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&client->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, client, sizeof(*client));
+		return (result);
+	}
+
+	client->actx = actx;
+	client->taskmgr = taskmgr;
+	client->socketmgr = socketmgr;
+	client->timermgr = timermgr;
+
+	client->task = NULL;
+	result = isc_task_create(client->taskmgr, 0, &client->task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	client->dispatchmgr = dispatchmgr;
+
+	/*
+	 * If only one address family is specified, use it.
+	 * If neither family is specified, or if both are, use both.
+	 */
+	client->dispatchv4 = NULL;
+	if (localaddr4 != NULL || localaddr6 == NULL) {
+		result = getudpdispatch(AF_INET, dispatchmgr, socketmgr,
+					taskmgr, true,
+					&dispatchv4, localaddr4);
+		if (result == ISC_R_SUCCESS)
+			client->dispatchv4 = dispatchv4;
+	}
+
+	client->dispatchv6 = NULL;
+	if (localaddr6 != NULL || localaddr4 == NULL) {
+		result = getudpdispatch(AF_INET6, dispatchmgr, socketmgr,
+					taskmgr, true,
+					&dispatchv6, localaddr6);
+		if (result == ISC_R_SUCCESS)
+			client->dispatchv6 = dispatchv6;
+	}
+
+	/* We need at least one of the dispatchers */
+	if (dispatchv4 == NULL && dispatchv6 == NULL) {
+		INSIST(result != ISC_R_SUCCESS);
+		goto cleanup;
+	}
+
+	/* Create the default view for class IN */
+	result = createview(mctx, dns_rdataclass_in, options, taskmgr,
+			    RESOLVER_NTASKS, socketmgr, timermgr,
+			    dispatchmgr, dispatchv4, dispatchv6, &view);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	ISC_LIST_INIT(client->viewlist);
+	ISC_LIST_APPEND(client->viewlist, view, link);
+
+	dns_view_freeze(view); /* too early? */
+
+	ISC_LIST_INIT(client->resctxs);
+	ISC_LIST_INIT(client->reqctxs);
+	ISC_LIST_INIT(client->updatectxs);
+
+	client->mctx = NULL;
+	isc_mem_attach(mctx, &client->mctx);
+
+	client->update_timeout = DEF_UPDATE_TIMEOUT;
+	client->update_udptimeout = DEF_UPDATE_UDPTIMEOUT;
+	client->update_udpretries = DEF_UPDATE_UDPRETRIES;
+	client->find_timeout = DEF_FIND_TIMEOUT;
+	client->find_udpretries = DEF_FIND_UDPRETRIES;
+	client->attributes = 0;
+
+	client->references = 1;
+	client->magic = DNS_CLIENT_MAGIC;
+
+	*clientp = client;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (dispatchv4 != NULL)
+		dns_dispatch_detach(&dispatchv4);
+	if (dispatchv6 != NULL)
+		dns_dispatch_detach(&dispatchv6);
+	if (dispatchmgr != NULL)
+		dns_dispatchmgr_destroy(&dispatchmgr);
+	if (client->task != NULL)
+		isc_task_detach(&client->task);
+	isc_mem_put(mctx, client, sizeof(*client));
+
+	return (result);
+}
+
+static void
+destroyclient(dns_client_t **clientp) {
+	dns_client_t *client = *clientp;
+	dns_view_t *view;
+
+	while ((view = ISC_LIST_HEAD(client->viewlist)) != NULL) {
+		ISC_LIST_UNLINK(client->viewlist, view, link);
+		dns_view_detach(&view);
+	}
+
+	if (client->dispatchv4 != NULL)
+		dns_dispatch_detach(&client->dispatchv4);
+	if (client->dispatchv6 != NULL)
+		dns_dispatch_detach(&client->dispatchv6);
+
+	dns_dispatchmgr_destroy(&client->dispatchmgr);
+
+	isc_task_detach(&client->task);
+
+	/*
+	 * If the client has created its own running environments,
+	 * destroy them.
+	 */
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) != 0) {
+		isc_taskmgr_destroy(&client->taskmgr);
+		isc_timermgr_destroy(&client->timermgr);
+		isc_socketmgr_destroy(&client->socketmgr);
+
+		isc_app_ctxfinish(client->actx);
+		isc_appctx_destroy(&client->actx);
+	}
+
+	DESTROYLOCK(&client->lock);
+	client->magic = 0;
+
+	isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
+
+	*clientp = NULL;
+}
+
+void
+dns_client_destroy(dns_client_t **clientp) {
+	dns_client_t *client;
+	bool destroyok = false;
+
+	REQUIRE(clientp != NULL);
+	client = *clientp;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	client->references--;
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs)) {
+		destroyok = true;
+	}
+	UNLOCK(&client->lock);
+
+	if (destroyok)
+		destroyclient(&client);
+
+	*clientp = NULL;
+}
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      dns_name_t *name_space, isc_sockaddrlist_t *addrs)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(addrs != NULL);
+
+	if (name_space == NULL)
+		name_space = dns_rootname;
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_add(view->fwdtable, name_space, addrs,
+				  dns_fwdpolicy_only);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			dns_name_t *name_space)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	if (name_space == NULL)
+		name_space = dns_rootname;
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&client->lock);
+		return (result);
+	}
+	UNLOCK(&client->lock);
+
+	result = dns_fwdtable_delete(view->fwdtable, name_space);
+
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+isc_result_t
+dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
+		  const char *dlvname)
+{
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_view_t *view = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (dlvname == NULL)
+		view->dlv = NULL;
+	else {
+		dns_name_t *newdlv;
+
+		isc_buffer_constinit(&b, dlvname, strlen(dlvname));
+		isc_buffer_add(&b, strlen(dlvname));
+		newdlv = dns_fixedname_name(&view->dlv_fixed);
+		result = dns_name_fromtext(newdlv, &b, dns_rootname,
+					   DNS_NAME_DOWNCASE, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		view->dlv = dns_fixedname_name(&view->dlv_fixed);
+	}
+
+ cleanup:
+	if (view != NULL)
+		dns_view_detach(&view);
+
+	return (result);
+}
+
+static isc_result_t
+getrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_rdataset_init(rdataset);
+
+	*rdatasetp = rdataset;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+putrdataset(isc_mem_t *mctx, dns_rdataset_t **rdatasetp) {
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(rdatasetp != NULL);
+	rdataset = *rdatasetp;
+	REQUIRE(rdataset != NULL);
+
+	if (dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+
+	isc_mem_put(mctx, rdataset, sizeof(*rdataset));
+
+	*rdatasetp = NULL;
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	resctx_t *rctx = event->ev_arg;
+	dns_fetchevent_t *fevent;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->task == task);
+	fevent = (dns_fetchevent_t *)event;
+
+	client_resfind(rctx, fevent);
+}
+
+static inline isc_result_t
+start_fetch(resctx_t *rctx) {
+	isc_result_t result;
+	int fopts = 0;
+
+	/*
+	 * The caller must be holding the rctx's lock.
+	 */
+
+	REQUIRE(rctx->fetch == NULL);
+
+	if (!rctx->want_cdflag)
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+	if (!rctx->want_validation)
+		fopts |= DNS_FETCHOPT_NOVALIDATE;
+	if (rctx->want_tcp)
+		fopts |= DNS_FETCHOPT_TCP;
+
+	result = dns_resolver_createfetch(rctx->view->resolver,
+					  dns_fixedname_name(&rctx->name),
+					  rctx->type,
+					  NULL, NULL, NULL, fopts,
+					  rctx->task, fetch_done, rctx,
+					  rctx->rdataset,
+					  rctx->sigrdataset,
+					  &rctx->fetch);
+
+	return (result);
+}
+
+static isc_result_t
+view_find(resctx_t *rctx, dns_db_t **dbp, dns_dbnode_t **nodep,
+	  dns_name_t *foundname)
+{
+	isc_result_t result;
+	dns_name_t *name = dns_fixedname_name(&rctx->name);
+	dns_rdatatype_t type;
+
+	if (rctx->type == dns_rdatatype_rrsig)
+		type = dns_rdatatype_any;
+	else
+		type = rctx->type;
+
+	result = dns_view_find(rctx->view, name, type, 0, 0, false,
+			       dbp, nodep, foundname, rctx->rdataset,
+			       rctx->sigrdataset);
+
+	return (result);
+}
+
+static void
+client_resfind(resctx_t *rctx, dns_fetchevent_t *event) {
+	isc_mem_t *mctx;
+	isc_result_t tresult, result = ISC_R_SUCCESS;
+	isc_result_t vresult = ISC_R_SUCCESS;
+	bool want_restart;
+	bool send_event = false;
+	dns_name_t *name, *prefix;
+	dns_fixedname_t foundname, fixed;
+	dns_rdataset_t *trdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	mctx = rctx->view->mctx;
+
+	name = dns_fixedname_name(&rctx->name);
+
+	do {
+		dns_name_t *fname = NULL;
+		dns_name_t *ansname = NULL;
+		dns_db_t *db = NULL;
+		dns_dbnode_t *node = NULL;
+
+		rctx->restarts++;
+		want_restart = false;
+
+		if (event == NULL && !rctx->canceled) {
+			fname = dns_fixedname_initname(&foundname);
+			INSIST(!dns_rdataset_isassociated(rctx->rdataset));
+			INSIST(rctx->sigrdataset == NULL ||
+			       !dns_rdataset_isassociated(rctx->sigrdataset));
+			result = view_find(rctx, &db, &node, fname);
+			if (result == ISC_R_NOTFOUND) {
+				/*
+				 * We don't know anything about the name.
+				 * Launch a fetch.
+				 */
+				if (node != NULL) {
+					INSIST(db != NULL);
+					dns_db_detachnode(db, &node);
+				}
+				if (db != NULL)
+					dns_db_detach(&db);
+				result = start_fetch(rctx);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+					if (rctx->sigrdataset != NULL)
+						putrdataset(mctx,
+							    &rctx->sigrdataset);
+					send_event = true;
+				}
+				goto done;
+			}
+		} else {
+			INSIST(event != NULL);
+			INSIST(event->fetch == rctx->fetch);
+			dns_resolver_destroyfetch(&rctx->fetch);
+			db = event->db;
+			node = event->node;
+			result = event->result;
+			vresult = event->vresult;
+			fname = dns_fixedname_name(&event->foundname);
+			INSIST(event->rdataset == rctx->rdataset);
+			INSIST(event->sigrdataset == rctx->sigrdataset);
+		}
+
+		/*
+		 * If we've been canceled, forget about the result.
+		 */
+		if (rctx->canceled)
+			result = ISC_R_CANCELED;
+		else {
+			/*
+			 * Otherwise, get some resource for copying the
+			 * result.
+			 */
+			ansname = isc_mem_get(mctx, sizeof(*ansname));
+			if (ansname == NULL)
+				tresult = ISC_R_NOMEMORY;
+			else {
+				dns_name_t *aname;
+
+				aname = dns_fixedname_name(&rctx->name);
+				dns_name_init(ansname, NULL);
+				tresult = dns_name_dup(aname, mctx, ansname);
+				if (tresult != ISC_R_SUCCESS)
+					isc_mem_put(mctx, ansname,
+						    sizeof(*ansname));
+			}
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+		}
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			send_event = true;
+			/*
+			 * This case is handled in the main line below.
+			 */
+			break;
+		case DNS_R_CNAME:
+			/*
+			 * Add the CNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			/*
+			 * Copy the CNAME's target into the lookup's
+			 * query name and start over.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS)
+				goto done;
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &cname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS)
+				goto done;
+			tresult = dns_name_copy(&cname.cname, name, NULL);
+			dns_rdata_freestruct(&cname);
+			if (tresult == ISC_R_SUCCESS)
+				want_restart = true;
+			else
+				result = tresult;
+			goto done;
+		case DNS_R_DNAME:
+			/*
+			 * Add the DNAME to the answer list.
+			 */
+			trdataset = rctx->rdataset;
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+
+			namereln = dns_name_fullcompare(name, fname, &order,
+							&nlabels);
+			INSIST(namereln == dns_namereln_subdomain);
+			/*
+			 * Get the target name of the DNAME.
+			 */
+			tresult = dns_rdataset_first(trdataset);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			dns_rdataset_current(trdataset, &rdata);
+			tresult = dns_rdata_tostruct(&rdata, &dname, NULL);
+			dns_rdata_reset(&rdata);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+			/*
+			 * Construct the new query name and start over.
+			 */
+			prefix = dns_fixedname_initname(&fixed);
+			dns_name_split(name, nlabels, prefix, NULL);
+			tresult = dns_name_concatenate(prefix, &dname.dname,
+						      name, NULL);
+			dns_rdata_freestruct(&dname);
+			if (tresult == ISC_R_SUCCESS)
+				want_restart = true;
+			else
+				result = tresult;
+			goto done;
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+			rctx->rdataset = NULL;
+			/* What about sigrdataset? */
+			if (rctx->sigrdataset != NULL)
+				putrdataset(mctx, &rctx->sigrdataset);
+			send_event = true;
+			goto done;
+		default:
+			if (rctx->rdataset != NULL)
+				putrdataset(mctx, &rctx->rdataset);
+			if (rctx->sigrdataset != NULL)
+				putrdataset(mctx, &rctx->sigrdataset);
+			send_event = true;
+			goto done;
+		}
+
+		if (rctx->type == dns_rdatatype_any) {
+			int n = 0;
+			dns_rdatasetiter_t *rdsiter = NULL;
+
+			tresult = dns_db_allrdatasets(db, node, NULL, 0,
+						      &rdsiter);
+			if (tresult != ISC_R_SUCCESS) {
+				result = tresult;
+				goto done;
+			}
+
+			tresult = dns_rdatasetiter_first(rdsiter);
+			while (tresult == ISC_R_SUCCESS) {
+				dns_rdatasetiter_current(rdsiter,
+							 rctx->rdataset);
+				if (rctx->rdataset->type != 0) {
+					ISC_LIST_APPEND(ansname->list,
+							rctx->rdataset,
+							link);
+					n++;
+					rctx->rdataset = NULL;
+				} else {
+					/*
+					 * We're not interested in this
+					 * rdataset.
+					 */
+					dns_rdataset_disassociate(
+						rctx->rdataset);
+				}
+				tresult = dns_rdatasetiter_next(rdsiter);
+
+				if (tresult == ISC_R_SUCCESS &&
+				    rctx->rdataset == NULL) {
+					tresult = getrdataset(mctx,
+							      &rctx->rdataset);
+					if (tresult != ISC_R_SUCCESS) {
+						result = tresult;
+						POST(result);
+						break;
+					}
+				}
+			}
+			if (n == 0) {
+				/*
+				 * We didn't match any rdatasets (which means
+				 * something went wrong in this
+				 * implementation).
+				 */
+				result = DNS_R_SERVFAIL; /* better code? */
+				POST(result);
+			} else {
+				ISC_LIST_APPEND(rctx->namelist, ansname, link);
+				ansname = NULL;
+			}
+			dns_rdatasetiter_destroy(&rdsiter);
+			if (tresult != ISC_R_NOMORE)
+				result = DNS_R_SERVFAIL; /* ditto */
+			else
+				result = ISC_R_SUCCESS;
+			goto done;
+		} else {
+			/*
+			 * This is the "normal" case -- an ordinary question
+			 * to which we've got the answer.
+			 */
+			ISC_LIST_APPEND(ansname->list, rctx->rdataset, link);
+			rctx->rdataset = NULL;
+			if (rctx->sigrdataset != NULL) {
+				ISC_LIST_APPEND(ansname->list,
+						rctx->sigrdataset, link);
+				rctx->sigrdataset = NULL;
+			}
+			ISC_LIST_APPEND(rctx->namelist, ansname, link);
+			ansname = NULL;
+		}
+
+	done:
+		/*
+		 * Free temporary resources
+		 */
+		if (ansname != NULL) {
+			dns_rdataset_t *rdataset;
+
+			while ((rdataset = ISC_LIST_HEAD(ansname->list))
+			       != NULL) {
+				ISC_LIST_UNLINK(ansname->list, rdataset, link);
+				putrdataset(mctx, &rdataset);
+			}
+			dns_name_free(ansname, mctx);
+			isc_mem_put(mctx, ansname, sizeof(*ansname));
+		}
+
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (db != NULL)
+			dns_db_detach(&db);
+		if (event != NULL)
+			isc_event_free(ISC_EVENT_PTR(&event));
+
+		/*
+		 * Limit the number of restarts.
+		 */
+		if (want_restart && rctx->restarts == MAX_RESTARTS) {
+			want_restart = false;
+			result = ISC_R_QUOTA;
+			send_event = true;
+		}
+
+		/*
+		 * Prepare further find with new resources
+		 */
+		if (want_restart) {
+			INSIST(rctx->rdataset == NULL &&
+			       rctx->sigrdataset == NULL);
+
+			result = getrdataset(mctx, &rctx->rdataset);
+			if (result == ISC_R_SUCCESS && rctx->want_dnssec) {
+				result = getrdataset(mctx, &rctx->sigrdataset);
+				if (result != ISC_R_SUCCESS) {
+					putrdataset(mctx, &rctx->rdataset);
+				}
+			}
+
+			if (result != ISC_R_SUCCESS) {
+				want_restart = false;
+				send_event = true;
+			}
+		}
+	} while (want_restart);
+
+	if (send_event) {
+		isc_task_t *task;
+
+		while ((name = ISC_LIST_HEAD(rctx->namelist)) != NULL) {
+			ISC_LIST_UNLINK(rctx->namelist, name, link);
+			ISC_LIST_APPEND(rctx->event->answerlist, name, link);
+		}
+
+		rctx->event->result = result;
+		rctx->event->vresult = vresult;
+		task = rctx->event->ev_sender;
+		rctx->event->ev_sender = rctx;
+		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&rctx->event));
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+static void
+suspend(isc_task_t *task, isc_event_t *event) {
+	isc_appctx_t *actx = event->ev_arg;
+
+	UNUSED(task);
+
+	isc_app_ctxsuspend(actx);
+	isc_event_free(&event);
+}
+
+static void
+resolve_done(isc_task_t *task, isc_event_t *event) {
+	resarg_t *resarg = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	isc_result_t result;
+
+	UNUSED(task);
+
+	LOCK(&resarg->lock);
+
+	resarg->result = rev->result;
+	resarg->vresult = rev->vresult;
+	while ((name = ISC_LIST_HEAD(rev->answerlist)) != NULL) {
+		ISC_LIST_UNLINK(rev->answerlist, name, link);
+		ISC_LIST_APPEND(*resarg->namelist, name, link);
+	}
+
+	dns_client_destroyrestrans(&resarg->trans);
+	isc_event_free(&event);
+
+	if (!resarg->canceled) {
+		UNLOCK(&resarg->lock);
+
+		/*
+		 * We may or may not be running.  isc__appctx_onrun will
+		 * fail if we are currently running otherwise we post a
+		 * action to call isc_app_ctxsuspend when we do start
+		 * running.
+		 */
+		result = isc_app_ctxonrun(resarg->actx, resarg->client->mctx,
+					   task, suspend, resarg->actx);
+		if (result == ISC_R_ALREADYRUNNING)
+			isc_app_ctxsuspend(resarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&resarg->lock);
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(resarg->client->mctx, resarg, sizeof(*resarg));
+	}
+}
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist)
+{
+	isc_result_t result;
+	isc_appctx_t *actx;
+	resarg_t *resarg;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(namelist != NULL && ISC_LIST_EMPTY(*namelist));
+
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTRESOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular resolution.
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	resarg = isc_mem_get(client->mctx, sizeof(*resarg));
+	if (resarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&resarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+		return (result);
+	}
+
+	resarg->actx = actx;
+	resarg->client = client;
+	resarg->result = DNS_R_SERVFAIL;
+	resarg->namelist = namelist;
+	resarg->trans = NULL;
+	resarg->canceled = false;
+	result = dns_client_startresolve(client, name, rdclass, type, options,
+					 client->task, resolve_done, resarg,
+					 &resarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&resarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = resarg->result;
+	if (result != ISC_R_SUCCESS && resarg->vresult != ISC_R_SUCCESS) {
+		/*
+		 * If this lookup failed due to some error in DNSSEC
+		 * validation, return the validation error code.
+		 * XXX: or should we pass the validation result separately?
+		 */
+		result = resarg->vresult;
+	}
+	if (resarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		resarg->canceled = true;
+		dns_client_cancelresolve(resarg->trans);
+
+		UNLOCK(&resarg->lock);
+
+		/* resarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&resarg->lock);
+
+		DESTROYLOCK(&resarg->lock);
+		isc_mem_put(client->mctx, resarg, sizeof(*resarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp)
+{
+	dns_view_t *view = NULL;
+	dns_clientresevent_t *event = NULL;
+	resctx_t *rctx = NULL;
+	isc_task_t *tclone = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	dns_rdataset_t *rdataset, *sigrdataset;
+	bool want_dnssec, want_validation, want_cdflag, want_tcp;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(transp != NULL && *transp == NULL);
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	mctx = client->mctx;
+	rdataset = NULL;
+	sigrdataset = NULL;
+	want_dnssec = !(options & DNS_CLIENTRESOPT_NODNSSEC);
+	want_validation = !(options & DNS_CLIENTRESOPT_NOVALIDATE);
+	want_cdflag = !(options & DNS_CLIENTRESOPT_NOCDFLAG);
+	want_tcp = (options & DNS_CLIENTRESOPT_TCP);
+
+	/*
+	 * Prepare some intermediate resources
+	 */
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_clientresevent_t *)
+		isc_event_allocate(mctx, tclone, DNS_EVENT_CLIENTRESDONE,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	event->result = DNS_R_SERVFAIL;
+	ISC_LIST_INIT(event->answerlist);
+
+	rctx = isc_mem_get(mctx, sizeof(*rctx));
+	if (rctx == NULL)
+		result = ISC_R_NOMEMORY;
+	else {
+		result = isc_mutex_init(&rctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, rctx, sizeof(*rctx));
+			rctx = NULL;
+		}
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = getrdataset(mctx, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	rctx->rdataset = rdataset;
+
+	if (want_dnssec) {
+		result = getrdataset(mctx, &sigrdataset);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+	rctx->sigrdataset = sigrdataset;
+
+	dns_fixedname_init(&rctx->name);
+	result = dns_name_copy(name, dns_fixedname_name(&rctx->name), NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rctx->client = client;
+	ISC_LINK_INIT(rctx, link);
+	rctx->canceled = false;
+	rctx->task = client->task;
+	rctx->type = type;
+	rctx->view = view;
+	rctx->restarts = 0;
+	rctx->fetch = NULL;
+	rctx->want_dnssec = want_dnssec;
+	rctx->want_validation = want_validation;
+	rctx->want_cdflag = want_cdflag;
+	rctx->want_tcp = want_tcp;
+	ISC_LIST_INIT(rctx->namelist);
+	rctx->event = event;
+
+	rctx->magic = RCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->resctxs, rctx, link);
+	UNLOCK(&client->lock);
+
+	*transp = (dns_clientrestrans_t *)rctx;
+	client_resfind(rctx, NULL);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (rdataset != NULL)
+		putrdataset(client->mctx, &rdataset);
+	if (sigrdataset != NULL)
+		putrdataset(client->mctx, &sigrdataset);
+	if (rctx != NULL) {
+		DESTROYLOCK(&rctx->lock);
+		isc_mem_put(mctx, rctx, sizeof(*rctx));
+	}
+	if (event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&event));
+	isc_task_detach(&tclone);
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans) {
+	resctx_t *rctx;
+
+	REQUIRE(trans != NULL);
+	rctx = (resctx_t *)trans;
+	REQUIRE(RCTX_VALID(rctx));
+
+	LOCK(&rctx->lock);
+
+	if (!rctx->canceled) {
+		rctx->canceled = true;
+		if (rctx->fetch != NULL)
+			dns_resolver_cancelfetch(rctx->fetch);
+	}
+
+	UNLOCK(&rctx->lock);
+}
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist) {
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(namelist != NULL);
+
+	while ((name = ISC_LIST_HEAD(*namelist)) != NULL) {
+		ISC_LIST_UNLINK(*namelist, name, link);
+		while ((rdataset = ISC_LIST_HEAD(name->list)) != NULL) {
+			ISC_LIST_UNLINK(name->list, rdataset, link);
+			putrdataset(client->mctx, &rdataset);
+		}
+		dns_name_free(name, client->mctx);
+		isc_mem_put(client->mctx, name, sizeof(*name));
+	}
+}
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp) {
+	resctx_t *rctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	bool need_destroyclient = false;
+
+	REQUIRE(transp != NULL);
+	rctx = (resctx_t *)*transp;
+	REQUIRE(RCTX_VALID(rctx));
+	REQUIRE(rctx->fetch == NULL);
+	REQUIRE(rctx->event == NULL);
+	client = rctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	mctx = client->mctx;
+	dns_view_detach(&rctx->view);
+
+	/*
+	 * Wait for the lock in client_resfind to be released before
+	 * destroying the lock.
+	 */
+	LOCK(&rctx->lock);
+	UNLOCK(&rctx->lock);
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(rctx, link));
+	ISC_LIST_UNLINK(client->resctxs, rctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs))
+		need_destroyclient = true;
+
+	UNLOCK(&client->lock);
+
+	INSIST(ISC_LIST_EMPTY(rctx->namelist));
+
+	DESTROYLOCK(&rctx->lock);
+	rctx->magic = 0;
+
+	isc_mem_put(mctx, rctx, sizeof(*rctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_name_t *keyname, isc_buffer_t *keydatabuf)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	dst_key_t *dstkey = NULL;
+	dns_keytable_t *secroots = NULL;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_view_getsecroots(view, &secroots);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dst_key_fromdns(keyname, rdclass, keydatabuf, client->mctx,
+				 &dstkey);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_keytable_add(secroots, false, &dstkey);
+
+ cleanup:
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	if (view != NULL)
+		dns_view_detach(&view);
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
+	return (result);
+}
+
+/*%
+ * Simple request routines
+ */
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request;
+	isc_result_t result, eresult;
+	reqctx_t *ctx;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	result = eresult = reqev->result;
+	ctx = reqev->ev_arg;
+	REQUIRE(REQCTX_VALID(ctx));
+
+	isc_event_free(&event);
+
+	LOCK(&ctx->lock);
+
+	if (eresult == ISC_R_SUCCESS) {
+		result = dns_request_getresponse(request, ctx->event->rmessage,
+						 ctx->parseoptions);
+	}
+
+	if (ctx->tsigkey != NULL)
+		dns_tsigkey_detach(&ctx->tsigkey);
+
+	if (ctx->canceled)
+		ctx->event->result = ISC_R_CANCELED;
+	else
+		ctx->event->result = result;
+	task = ctx->event->ev_sender;
+	ctx->event->ev_sender = ctx;
+	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&ctx->event));
+
+	UNLOCK(&ctx->lock);
+}
+
+static void
+localrequest_done(isc_task_t *task, isc_event_t *event) {
+	reqarg_t *reqarg = event->ev_arg;
+	dns_clientreqevent_t *rev =(dns_clientreqevent_t *)event;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_CLIENTREQDONE);
+
+	LOCK(&reqarg->lock);
+
+	reqarg->result = rev->result;
+	dns_client_destroyreqtrans(&reqarg->trans);
+	isc_event_free(&event);
+
+	if (!reqarg->canceled) {
+		UNLOCK(&reqarg->lock);
+
+		/* Exit from the internal event loop */
+		isc_app_ctxsuspend(reqarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&reqarg->lock);
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(reqarg->client->mctx, reqarg, sizeof(*reqarg));
+	}
+}
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+		   dns_message_t *rmessage, isc_sockaddr_t *server,
+		   unsigned int options, unsigned int parseoptions,
+		   dns_tsec_t *tsec, unsigned int timeout,
+		   unsigned int udptimeout, unsigned int udpretries)
+{
+	isc_appctx_t *actx;
+	reqarg_t *reqarg;
+	isc_result_t result;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(qmessage != NULL);
+	REQUIRE(rmessage != NULL);
+
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTREQOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular resolution.
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	reqarg = isc_mem_get(client->mctx, sizeof(*reqarg));
+	if (reqarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&reqarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+		return (result);
+	}
+
+	reqarg->actx = actx;
+	reqarg->client = client;
+	reqarg->trans = NULL;
+	reqarg->canceled = false;
+
+	result = dns_client_startrequest(client, qmessage, rmessage, server,
+					 options, parseoptions, tsec, timeout,
+					 udptimeout, udpretries,
+					 client->task, localrequest_done,
+					 reqarg, &reqarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&reqarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = reqarg->result;
+	if (reqarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		reqarg->canceled = true;
+		dns_client_cancelresolve(reqarg->trans);
+
+		UNLOCK(&reqarg->lock);
+
+		/* reqarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&reqarg->lock);
+
+		DESTROYLOCK(&reqarg->lock);
+		isc_mem_put(client->mctx, reqarg, sizeof(*reqarg));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+			dns_message_t *rmessage, isc_sockaddr_t *server,
+			unsigned int options, unsigned int parseoptions,
+			dns_tsec_t *tsec, unsigned int timeout,
+			unsigned int udptimeout, unsigned int udpretries,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_clientreqtrans_t **transp)
+{
+	isc_result_t result;
+	dns_view_t *view = NULL;
+	isc_task_t *tclone = NULL;
+	dns_clientreqevent_t *event = NULL;
+	reqctx_t *ctx = NULL;
+	dns_tsectype_t tsectype = dns_tsectype_none;
+	unsigned int reqoptions;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(qmessage != NULL);
+	REQUIRE(rmessage != NULL);
+	REQUIRE(transp != NULL && *transp == NULL);
+
+	if (tsec != NULL) {
+		tsectype = dns_tsec_gettype(tsec);
+		if (tsectype != dns_tsectype_tsig)
+			return (ISC_R_NOTIMPLEMENTED); /* XXX */
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   qmessage->rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	reqoptions = 0;
+	if ((options & DNS_CLIENTREQOPT_TCP) != 0)
+		reqoptions |= DNS_REQUESTOPT_TCP;
+
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_clientreqevent_t *)
+		isc_event_allocate(client->mctx, tclone,
+				   DNS_EVENT_CLIENTREQDONE,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	ctx = isc_mem_get(client->mctx, sizeof(*ctx));
+	if (ctx == NULL)
+		result = ISC_R_NOMEMORY;
+	else {
+		result = isc_mutex_init(&ctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+			ctx = NULL;
+		}
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	ctx->client = client;
+	ISC_LINK_INIT(ctx, link);
+	ctx->parseoptions = parseoptions;
+	ctx->canceled = false;
+	ctx->event = event;
+	ctx->event->rmessage = rmessage;
+	ctx->tsigkey = NULL;
+	if (tsec != NULL)
+		dns_tsec_getkey(tsec, &ctx->tsigkey);
+
+	ctx->magic = REQCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->reqctxs, ctx, link);
+	UNLOCK(&client->lock);
+
+	ctx->request = NULL;
+	result = dns_request_createvia3(view->requestmgr, qmessage, NULL,
+					server, reqoptions, ctx->tsigkey,
+					timeout, udptimeout, udpretries,
+					client->task, request_done, ctx,
+					&ctx->request);
+	if (result == ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		*transp = (dns_clientreqtrans_t *)ctx;
+		return (ISC_R_SUCCESS);
+	}
+
+ cleanup:
+	if (ctx != NULL) {
+		LOCK(&client->lock);
+		ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+		UNLOCK(&client->lock);
+		DESTROYLOCK(&ctx->lock);
+		isc_mem_put(client->mctx, ctx, sizeof(*ctx));
+	}
+	if (event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&event));
+	isc_task_detach(&tclone);
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *trans) {
+	reqctx_t *ctx;
+
+	REQUIRE(trans != NULL);
+	ctx = (reqctx_t *)trans;
+	REQUIRE(REQCTX_VALID(ctx));
+
+	LOCK(&ctx->lock);
+
+	if (!ctx->canceled) {
+		ctx->canceled = true;
+		if (ctx->request != NULL)
+			dns_request_cancel(ctx->request);
+	}
+
+	UNLOCK(&ctx->lock);
+}
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp) {
+	reqctx_t *ctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	bool need_destroyclient = false;
+
+	REQUIRE(transp != NULL);
+	ctx = (reqctx_t *)*transp;
+	REQUIRE(REQCTX_VALID(ctx));
+	client = ctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(ctx->event == NULL);
+	REQUIRE(ctx->request != NULL);
+
+	dns_request_destroy(&ctx->request);
+	mctx = client->mctx;
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(ctx, link));
+	ISC_LIST_UNLINK(client->reqctxs, ctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs)) {
+		need_destroyclient = true;
+	}
+
+	UNLOCK(&client->lock);
+
+	DESTROYLOCK(&ctx->lock);
+	ctx->magic = 0;
+
+	isc_mem_put(mctx, ctx, sizeof(*ctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+/*%
+ * Dynamic update routines
+ */
+static isc_result_t
+rcode2result(dns_rcode_t rcode) {
+	/* XXX: isn't there a similar function? */
+	switch (rcode) {
+	case dns_rcode_formerr:
+		return (DNS_R_FORMERR);
+	case dns_rcode_servfail:
+		return (DNS_R_SERVFAIL);
+	case dns_rcode_nxdomain:
+		return (DNS_R_NXDOMAIN);
+	case dns_rcode_notimp:
+		return (DNS_R_NOTIMP);
+	case dns_rcode_refused:
+		return (DNS_R_REFUSED);
+	case dns_rcode_yxdomain:
+		return (DNS_R_YXDOMAIN);
+	case dns_rcode_yxrrset:
+		return (DNS_R_YXRRSET);
+	case dns_rcode_nxrrset:
+		return (DNS_R_NXRRSET);
+	case dns_rcode_notauth:
+		return (DNS_R_NOTAUTH);
+	case dns_rcode_notzone:
+		return (DNS_R_NOTZONE);
+	case dns_rcode_badvers:
+		return (DNS_R_BADVERS);
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+static void
+update_sendevent(updatectx_t *uctx, isc_result_t result) {
+	isc_task_t *task;
+
+	dns_message_destroy(&uctx->updatemsg);
+	if (uctx->tsigkey != NULL)
+		dns_tsigkey_detach(&uctx->tsigkey);
+	if (uctx->sig0key != NULL)
+		dst_key_free(&uctx->sig0key);
+
+	if (uctx->canceled)
+		uctx->event->result = ISC_R_CANCELED;
+	else
+		uctx->event->result = result;
+	uctx->event->state = uctx->state;
+	task = uctx->event->ev_sender;
+	uctx->event->ev_sender = uctx;
+	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&uctx->event));
+}
+
+static void
+update_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request;
+	dns_message_t *answer = NULL;
+	updatectx_t *uctx = event->ev_arg;
+	dns_client_t *client;
+	unsigned int timeout, reqoptions;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	REQUIRE(UCTX_VALID(uctx));
+	client = uctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	result = reqev->result;
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTPARSE,
+				    &answer);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+	uctx->state = dns_clientupdatestate_done;
+	result = dns_request_getresponse(request, answer,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	if (result == ISC_R_SUCCESS && answer->rcode != dns_rcode_noerror)
+		result = rcode2result(answer->rcode);
+
+ out:
+	if (answer != NULL)
+		dns_message_destroy(&answer);
+	isc_event_free(&event);
+
+	LOCK(&uctx->lock);
+	uctx->currentserver = ISC_LIST_NEXT(uctx->currentserver, link);
+	dns_request_destroy(&uctx->updatereq);
+	/*
+	 * Moving on to the next server shouldn't change the result
+	 * for NXDOMAIN, YXDOMAIN, NXRRSET and YXRRSET as they
+	 * indicate a prerequisite failure.  REFUSED should also
+	 * be consistent across all servers but often isn't as that
+	 * is policy rather that zone content driven (slaves that
+	 * aren't willing to forward should return NOTIMPL).  NOTZONE
+	 * indicates that we stuffed up the request construction so
+	 * don't retry.
+	 */
+	if (result != ISC_R_SUCCESS && result != DNS_R_NXDOMAIN &&
+	    result != DNS_R_YXDOMAIN && result != DNS_R_YXRRSET &&
+	    result != DNS_R_NXRRSET && result != DNS_R_NOTZONE &&
+	    !uctx->canceled && uctx->currentserver != NULL)
+	{
+		dns_message_renderreset(uctx->updatemsg);
+		dns_message_settsigkey(uctx->updatemsg, NULL);
+
+		timeout = client->update_timeout / uctx->nservers;
+		if (timeout < MIN_UPDATE_TIMEOUT)
+			timeout = MIN_UPDATE_TIMEOUT;
+		reqoptions = 0;
+		if (uctx->want_tcp)
+			reqoptions |= DNS_REQUESTOPT_TCP;
+		result = dns_request_createvia3(uctx->view->requestmgr,
+						uctx->updatemsg,
+						NULL,
+						uctx->currentserver,
+						reqoptions,
+						uctx->tsigkey,
+						timeout,
+						client->update_udptimeout,
+						client->update_udpretries,
+						client->task,
+						update_done, uctx,
+						&uctx->updatereq);
+		UNLOCK(&uctx->lock);
+
+		if (result == ISC_R_SUCCESS) {
+			/* XXX: should we keep the 'done' state here? */
+			uctx->state = dns_clientupdatestate_sent;
+			return;
+		}
+	} else
+		UNLOCK(&uctx->lock);
+
+	update_sendevent(uctx, result);
+}
+
+static isc_result_t
+send_update(updatectx_t *uctx) {
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_client_t *client = uctx->client;
+	unsigned int timeout, reqoptions;
+
+	REQUIRE(uctx->zonename != NULL && uctx->currentserver != NULL);
+
+	result = dns_message_gettempname(uctx->updatemsg, &name);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_name_init(name, NULL);
+	dns_name_clone(uctx->zonename, name);
+	result = dns_message_gettemprdataset(uctx->updatemsg, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_message_puttempname(uctx->updatemsg, &name);
+		return (result);
+	}
+	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(uctx->updatemsg, name, DNS_SECTION_ZONE);
+	if (uctx->tsigkey == NULL && uctx->sig0key != NULL) {
+		result = dns_message_setsig0key(uctx->updatemsg,
+						uctx->sig0key);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	timeout = client->update_timeout / uctx->nservers;
+	if (timeout < MIN_UPDATE_TIMEOUT)
+		timeout = MIN_UPDATE_TIMEOUT;
+	reqoptions = 0;
+	if (uctx->want_tcp)
+		reqoptions |= DNS_REQUESTOPT_TCP;
+	result = dns_request_createvia3(uctx->view->requestmgr,
+					uctx->updatemsg,
+					NULL, uctx->currentserver,
+					reqoptions, uctx->tsigkey, timeout,
+					client->update_udptimeout,
+					client->update_udpretries,
+					client->task, update_done, uctx,
+					&uctx->updatereq);
+	if (result == ISC_R_SUCCESS &&
+	    uctx->state == dns_clientupdatestate_prepare) {
+		uctx->state = dns_clientupdatestate_sent;
+	}
+
+	return (result);
+}
+
+static void
+resolveaddr_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	int family;
+	dns_rdatatype_t qtype;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	updatectx_t *uctx;
+	bool completed = false;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_arg != NULL);
+	uctx = *(updatectx_t **)event->ev_arg;
+	REQUIRE(UCTX_VALID(uctx));
+
+	if (event->ev_arg == &uctx->bp4) {
+		family = AF_INET;
+		qtype = dns_rdatatype_a;
+		LOCK(&uctx->lock);
+		dns_client_destroyrestrans(&uctx->restrans);
+		UNLOCK(&uctx->lock);
+	} else {
+		INSIST(event->ev_arg == &uctx->bp6);
+		family = AF_INET6;
+		qtype = dns_rdatatype_aaaa;
+		LOCK(&uctx->lock);
+		dns_client_destroyrestrans(&uctx->restrans2);
+		UNLOCK(&uctx->lock);
+	}
+
+	result = rev->result;
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!dns_rdataset_isassociated(rdataset))
+				continue;
+			if (rdataset->type != qtype)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_t rdata;
+				dns_rdata_in_a_t rdata_a;
+				dns_rdata_in_aaaa_t rdata_aaaa;
+				isc_sockaddr_t *sa;
+
+				sa = isc_mem_get(uctx->client->mctx,
+						 sizeof(*sa));
+				if (sa == NULL) {
+					/*
+					 * If we fail to get a sockaddr,
+					 we simply move forward with the
+					 * addresses we've got so far.
+					 */
+					goto done;
+				}
+
+				dns_rdata_init(&rdata);
+				switch (family) {
+				case AF_INET:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(&rdata, &rdata_a,
+								    NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					isc_sockaddr_fromin(sa,
+							    &rdata_a.in_addr,
+							    53);
+					dns_rdata_freestruct(&rdata_a);
+					break;
+				case AF_INET6:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(&rdata, &rdata_aaaa,
+								    NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					isc_sockaddr_fromin6(sa,
+							     &rdata_aaaa.in6_addr,
+							     53);
+					dns_rdata_freestruct(&rdata_aaaa);
+					break;
+				}
+
+				ISC_LINK_INIT(sa, link);
+				ISC_LIST_APPEND(uctx->servers, sa, link);
+				uctx->nservers++;
+			}
+		}
+	}
+
+ done:
+	dns_client_freeresanswer(uctx->client, &rev->answerlist);
+	isc_event_free(&event);
+
+	LOCK(&uctx->lock);
+	if (uctx->restrans == NULL && uctx->restrans2 == NULL)
+		completed = true;
+	UNLOCK(&uctx->lock);
+
+	if (completed) {
+		INSIST(uctx->currentserver == NULL);
+		uctx->currentserver = ISC_LIST_HEAD(uctx->servers);
+		if (uctx->currentserver != NULL && !uctx->canceled)
+			send_update(uctx);
+		else {
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_NOTFOUND;
+			update_sendevent(uctx, result);
+		}
+	}
+}
+
+static isc_result_t
+process_soa(updatectx_t *uctx, dns_rdataset_t *soaset, dns_name_t *soaname) {
+	isc_result_t result;
+	dns_rdata_t soarr = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	dns_name_t primary;
+	unsigned int resoptions;
+
+	result = dns_rdataset_first(soaset);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_rdata_init(&soarr);
+	dns_rdataset_current(soaset, &soarr);
+	result = dns_rdata_tostruct(&soarr, &soa, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_name_init(&primary, NULL);
+	dns_name_clone(&soa.origin, &primary);
+
+	if (uctx->zonename == NULL) {
+		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+		result = dns_name_copy(soaname, uctx->zonename, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto out;
+	}
+
+	if (uctx->currentserver != NULL)
+		result = send_update(uctx);
+	else {
+		/*
+		 * Get addresses of the primary server.  We don't use the ADB
+		 * feature so that we could avoid caching data.
+		 */
+		LOCK(&uctx->lock);
+		uctx->bp4 = uctx;
+		resoptions = 0;
+		if (uctx->want_tcp)
+			resoptions |= DNS_CLIENTRESOPT_TCP;
+		result = dns_client_startresolve(uctx->client, &primary,
+						 uctx->rdclass,
+						 dns_rdatatype_a,
+						 resoptions,
+						 uctx->client->task,
+						 resolveaddr_done, &uctx->bp4,
+						 &uctx->restrans);
+		if (result == ISC_R_SUCCESS) {
+			uctx->bp6 = uctx;
+			result = dns_client_startresolve(uctx->client,
+							 &primary,
+							 uctx->rdclass,
+							 dns_rdatatype_aaaa,
+							 resoptions,
+							 uctx->client->task,
+							 resolveaddr_done,
+							 &uctx->bp6,
+							 &uctx->restrans2);
+		}
+		UNLOCK(&uctx->lock);
+	}
+
+ out:
+	dns_rdata_freestruct(&soa);
+
+	return (result);
+}
+
+static void
+receive_soa(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	updatectx_t *uctx;
+	dns_client_t *client;
+	isc_result_t result, eresult;
+	dns_request_t *request;
+	dns_message_t *rcvmsg = NULL;
+	dns_section_t section;
+	dns_rdataset_t *soaset = NULL;
+	int pass = 0;
+	dns_name_t *name;
+	dns_message_t *soaquery = NULL;
+	isc_sockaddr_t *addr;
+	bool seencname = false;
+	bool droplabel = false;
+	dns_name_t tname;
+	unsigned int nlabels, reqoptions;
+
+	UNUSED(task);
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	result = eresult = reqev->result;
+	POST(result);
+	uctx = reqev->ev_arg;
+	client = uctx->client;
+	soaquery = uctx->soaquery;
+	addr = uctx->currentserver;
+	INSIST(addr != NULL);
+
+	isc_event_free(&event);
+
+	if (eresult != ISC_R_SUCCESS) {
+		result = eresult;
+		goto out;
+	}
+
+	result = dns_message_create(uctx->client->mctx,
+				    DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+	result = dns_request_getresponse(request, rcvmsg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+
+	if (result == DNS_R_TSIGERRORSET) {
+		dns_request_t *newrequest = NULL;
+
+		/* Retry SOA request without TSIG */
+		dns_message_destroy(&rcvmsg);
+		dns_message_renderreset(uctx->soaquery);
+		reqoptions = 0;
+		if (uctx->want_tcp)
+			reqoptions |= DNS_REQUESTOPT_TCP;
+		result = dns_request_createvia3(uctx->view->requestmgr,
+						uctx->soaquery, NULL, addr,
+						reqoptions, NULL,
+						client->find_timeout * 20,
+						client->find_timeout, 3,
+						uctx->client->task,
+						receive_soa, uctx,
+						&newrequest);
+		if (result == ISC_R_SUCCESS) {
+			LOCK(&uctx->lock);
+			dns_request_destroy(&uctx->soareq);
+			uctx->soareq = newrequest;
+			UNLOCK(&uctx->lock);
+
+			return;
+		}
+		goto out;
+	}
+
+	section = DNS_SECTION_ANSWER;
+	POST(section);
+
+	if (rcvmsg->rcode != dns_rcode_noerror &&
+	    rcvmsg->rcode != dns_rcode_nxdomain) {
+		result = rcode2result(rcvmsg->rcode);
+		goto out;
+	}
+
+ lookforsoa:
+	if (pass == 0)
+		section = DNS_SECTION_ANSWER;
+	else if (pass == 1)
+		section = DNS_SECTION_AUTHORITY;
+	else {
+		droplabel = true;
+		goto out;
+	}
+
+	result = dns_message_firstname(rcvmsg, section);
+	if (result != ISC_R_SUCCESS) {
+		pass++;
+		goto lookforsoa;
+	}
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(rcvmsg, section, &name);
+		soaset = NULL;
+		result = dns_message_findtype(name, dns_rdatatype_soa, 0,
+					      &soaset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		if (section == DNS_SECTION_ANSWER) {
+			dns_rdataset_t *tset = NULL;
+			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
+						 &tset) == ISC_R_SUCCESS
+			    ||
+			    dns_message_findtype(name, dns_rdatatype_dname, 0,
+						 &tset) == ISC_R_SUCCESS
+			    )
+			{
+				seencname = true;
+				break;
+			}
+		}
+
+		result = dns_message_nextname(rcvmsg, section);
+	}
+
+	if (soaset == NULL && !seencname) {
+		pass++;
+		goto lookforsoa;
+	}
+
+	if (seencname) {
+		droplabel = true;
+		goto out;
+	}
+
+	result = process_soa(uctx, soaset, name);
+
+ out:
+	if (droplabel) {
+		result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+		INSIST(result == ISC_R_SUCCESS);
+		name = NULL;
+		dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+		nlabels = dns_name_countlabels(name);
+		if (nlabels == 1)
+			result = DNS_R_SERVFAIL; /* is there a better error? */
+		else {
+			dns_name_init(&tname, NULL);
+			dns_name_getlabelsequence(name, 1, nlabels - 1,
+						  &tname);
+			dns_name_clone(&tname, name);
+			dns_request_destroy(&request);
+			LOCK(&uctx->lock);
+			uctx->soareq = NULL;
+			UNLOCK(&uctx->lock);
+			dns_message_renderreset(soaquery);
+			dns_message_settsigkey(soaquery, NULL);
+			reqoptions = 0;
+			if (uctx->want_tcp)
+				reqoptions |= DNS_REQUESTOPT_TCP;
+			result = dns_request_createvia3(uctx->view->requestmgr,
+							soaquery, NULL,
+							uctx->currentserver,
+							reqoptions,
+							uctx->tsigkey,
+							client->find_timeout *
+							20,
+							client->find_timeout,
+							3, client->task,
+							receive_soa, uctx,
+							&uctx->soareq);
+		}
+	}
+
+	if (!droplabel || result != ISC_R_SUCCESS) {
+		dns_message_destroy(&uctx->soaquery);
+		LOCK(&uctx->lock);
+		dns_request_destroy(&uctx->soareq);
+		UNLOCK(&uctx->lock);
+	}
+
+	if (rcvmsg != NULL)
+		dns_message_destroy(&rcvmsg);
+
+	if (result != ISC_R_SUCCESS)
+		update_sendevent(uctx, result);
+}
+
+static isc_result_t
+request_soa(updatectx_t *uctx) {
+	isc_result_t result;
+	dns_message_t *soaquery = uctx->soaquery;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	unsigned int reqoptions;
+
+	if (soaquery == NULL) {
+		result = dns_message_create(uctx->client->mctx,
+					    DNS_MESSAGE_INTENTRENDER,
+					    &soaquery);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	soaquery->flags |= DNS_MESSAGEFLAG_RD;
+	result = dns_message_gettempname(soaquery, &name);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	result = dns_message_gettemprdataset(soaquery, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_rdataset_makequestion(rdataset, uctx->rdclass, dns_rdatatype_soa);
+	dns_name_clone(uctx->firstname, name);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+	dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
+	rdataset = NULL;
+	name = NULL;
+	reqoptions = 0;
+	if (uctx->want_tcp)
+		reqoptions |= DNS_REQUESTOPT_TCP;
+
+	result = dns_request_createvia3(uctx->view->requestmgr,
+					soaquery, NULL, uctx->currentserver,
+					reqoptions, uctx->tsigkey,
+					uctx->client->find_timeout * 20,
+					uctx->client->find_timeout, 3,
+					uctx->client->task, receive_soa, uctx,
+					&uctx->soareq);
+	if (result == ISC_R_SUCCESS) {
+		uctx->soaquery = soaquery;
+		return (ISC_R_SUCCESS);
+	}
+
+ fail:
+	if (rdataset != NULL) {
+		ISC_LIST_UNLINK(name->list, rdataset, link); /* for safety */
+		dns_message_puttemprdataset(soaquery, &rdataset);
+	}
+	if (name != NULL)
+		dns_message_puttempname(soaquery, &name);
+	dns_message_destroy(&soaquery);
+
+	return (result);
+}
+
+static void
+resolvesoa_done(isc_task_t *task, isc_event_t *event) {
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	updatectx_t *uctx;
+	dns_name_t *name, tname;
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result = rev->result;
+	unsigned int nlabels, resoptions;
+
+	UNUSED(task);
+
+	uctx = event->ev_arg;
+	REQUIRE(UCTX_VALID(uctx));
+
+	LOCK(&uctx->lock);
+	dns_client_destroyrestrans(&uctx->restrans);
+	UNLOCK(&uctx->lock);
+
+	uctx = event->ev_arg;
+	if (result != ISC_R_SUCCESS &&
+	    result != DNS_R_NCACHENXDOMAIN &&
+	    result != DNS_R_NCACHENXRRSET) {
+		/* XXX: what about DNSSEC failure? */
+		goto out;
+	}
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (dns_rdataset_isassociated(rdataset) &&
+			    rdataset->type == dns_rdatatype_soa)
+				break;
+		}
+	}
+
+	if (rdataset == NULL) {
+		/* Drop one label and retry resolution. */
+		nlabels = dns_name_countlabels(&uctx->soaqname);
+		if (nlabels == 1) {
+			result = DNS_R_SERVFAIL; /* is there a better error? */
+			goto out;
+		}
+		dns_name_init(&tname, NULL);
+		dns_name_getlabelsequence(&uctx->soaqname, 1, nlabels - 1,
+					  &tname);
+		dns_name_clone(&tname, &uctx->soaqname);
+		resoptions = 0;
+		if (uctx->want_tcp)
+			resoptions |= DNS_CLIENTRESOPT_TCP;
+
+		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+						 uctx->rdclass,
+						 dns_rdatatype_soa,
+						 resoptions,
+						 uctx->client->task,
+						 resolvesoa_done, uctx,
+						 &uctx->restrans);
+	} else
+		result = process_soa(uctx, rdataset, &uctx->soaqname);
+
+ out:
+	dns_client_freeresanswer(uctx->client, &rev->answerlist);
+	isc_event_free(&event);
+
+	if (result != ISC_R_SUCCESS)
+		update_sendevent(uctx, result);
+}
+
+static isc_result_t
+copy_name(isc_mem_t *mctx, dns_message_t *msg, dns_name_t *name,
+	  dns_name_t **newnamep)
+{
+	isc_result_t result;
+	dns_name_t *newname = NULL;
+	isc_region_t r;
+	isc_buffer_t *namebuf = NULL, *rdatabuf = NULL;
+	dns_rdatalist_t *rdatalist;
+	dns_rdataset_t *rdataset, *newrdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT, *newrdata;
+
+	result = dns_message_gettempname(msg, &newname);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_name_init(newname, NULL);
+	dns_name_setbuffer(newname, namebuf);
+	dns_message_takebuffer(msg, &namebuf);
+	result = dns_name_copy(name, newname, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+		rdatalist = NULL;
+		result = dns_message_gettemprdatalist(msg, &rdatalist);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_rdatalist_init(rdatalist);
+		rdatalist->type = rdataset->type;
+		rdatalist->rdclass = rdataset->rdclass;
+		rdatalist->covers = rdataset->covers;
+		rdatalist->ttl = rdataset->ttl;
+
+		result = dns_rdataset_first(rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(rdataset, &rdata);
+
+			newrdata = NULL;
+			result = dns_message_gettemprdata(msg, &newrdata);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			dns_rdata_toregion(&rdata, &r);
+			rdatabuf = NULL;
+			result = isc_buffer_allocate(mctx, &rdatabuf,
+						     r.length);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			isc_buffer_putmem(rdatabuf, r.base, r.length);
+			isc_buffer_usedregion(rdatabuf, &r);
+			dns_rdata_init(newrdata);
+			dns_rdata_fromregion(newrdata, rdata.rdclass,
+					     rdata.type, &r);
+			newrdata->flags = rdata.flags;
+
+			ISC_LIST_APPEND(rdatalist->rdata, newrdata, link);
+			dns_message_takebuffer(msg, &rdatabuf);
+
+			result = dns_rdataset_next(rdataset);
+		}
+
+		newrdataset = NULL;
+		result = dns_message_gettemprdataset(msg, &newrdataset);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_rdatalist_tordataset(rdatalist, newrdataset);
+
+		ISC_LIST_APPEND(newname->list, newrdataset, link);
+	}
+
+	*newnamep = newname;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	dns_message_puttempname(msg, &newname);
+
+	return (result);
+
+}
+
+static void
+internal_update_callback(isc_task_t *task, isc_event_t *event) {
+	updatearg_t *uarg = event->ev_arg;
+	dns_clientupdateevent_t *uev = (dns_clientupdateevent_t *)event;
+
+	UNUSED(task);
+
+	LOCK(&uarg->lock);
+
+	uarg->result = uev->result;
+
+	dns_client_destroyupdatetrans(&uarg->trans);
+	isc_event_free(&event);
+
+	if (!uarg->canceled) {
+		UNLOCK(&uarg->lock);
+
+		/* Exit from the internal event loop */
+		isc_app_ctxsuspend(uarg->actx);
+	} else {
+		/*
+		 * We have already exited from the loop (due to some
+		 * unexpected event).  Just clean the arg up.
+		 */
+		UNLOCK(&uarg->lock);
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(uarg->client->mctx, uarg, sizeof(*uarg));
+	}
+}
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+		  dns_name_t *zonename, dns_namelist_t *prerequisites,
+		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		  dns_tsec_t *tsec, unsigned int options)
+{
+	isc_result_t result;
+	isc_appctx_t *actx;
+	updatearg_t *uarg;
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+
+	if ((client->attributes & DNS_CLIENTATTR_OWNCTX) == 0 &&
+	    (options & DNS_CLIENTUPDOPT_ALLOWRUN) == 0) {
+		/*
+		 * If the client is run under application's control, we need
+		 * to create a new running (sub)environment for this
+		 * particular update.
+		 */
+		return (ISC_R_NOTIMPLEMENTED); /* XXXTBD */
+	} else
+		actx = client->actx;
+
+	uarg = isc_mem_get(client->mctx, sizeof(*uarg));
+	if (uarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&uarg->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+		return (result);
+	}
+
+	uarg->actx = actx;
+	uarg->client = client;
+	uarg->result = ISC_R_FAILURE;
+	uarg->trans = NULL;
+	uarg->canceled = false;
+
+	result = dns_client_startupdate(client, rdclass, zonename,
+					prerequisites, updates, servers,
+					tsec, options, client->task,
+					internal_update_callback, uarg,
+					&uarg->trans);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+		return (result);
+	}
+
+	/*
+	 * Start internal event loop.  It blocks until the entire process
+	 * is completed.
+	 */
+	result = isc_app_ctxrun(actx);
+
+	LOCK(&uarg->lock);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SUSPEND)
+		result = uarg->result;
+
+	if (uarg->trans != NULL) {
+		/*
+		 * Unusual termination (perhaps due to signal).  We need some
+		 * tricky cleanup process.
+		 */
+		uarg->canceled = true;
+		dns_client_cancelupdate(uarg->trans);
+
+		UNLOCK(&uarg->lock);
+
+		/* uarg will be freed in the event handler. */
+	} else {
+		UNLOCK(&uarg->lock);
+
+		DESTROYLOCK(&uarg->lock);
+		isc_mem_put(client->mctx, uarg, sizeof(*uarg));
+	}
+
+	return (result);
+}
+
+static void
+startupdate(isc_task_t *task, isc_event_t *event) {
+	updatectx_t *uctx;
+	isc_result_t result;
+	unsigned int resoptions;
+
+	REQUIRE(event != NULL);
+
+	UNUSED(task);
+
+	uctx = event->ev_arg;
+
+	if (uctx->zonename != NULL && uctx->currentserver != NULL) {
+		result = send_update(uctx);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	} else if (uctx->currentserver != NULL) {
+		result = request_soa(uctx);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	} else {
+		resoptions = 0;
+		if (uctx->want_tcp)
+			resoptions |= DNS_CLIENTRESOPT_TCP;
+		dns_name_clone(uctx->firstname, &uctx->soaqname);
+		result = dns_client_startresolve(uctx->client, &uctx->soaqname,
+						 uctx->rdclass,
+						 dns_rdatatype_soa, resoptions,
+						 uctx->client->task,
+						 resolvesoa_done, uctx,
+						 &uctx->restrans);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	isc_event_free(&event);
+
+fail:
+	if (result != ISC_R_SUCCESS)
+		update_sendevent(uctx, result);
+}
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+		       dns_name_t *zonename, dns_namelist_t *prerequisites,
+		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		       dns_tsec_t *tsec, unsigned int options,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_clientupdatetrans_t **transp)
+{
+	dns_view_t *view = NULL;
+	isc_result_t result;
+	dns_name_t *name, *newname;
+	updatectx_t *uctx;
+	isc_task_t *tclone = NULL;
+	dns_section_t section = DNS_SECTION_UPDATE;
+	isc_sockaddr_t *server, *sa = NULL;
+	dns_tsectype_t tsectype = dns_tsectype_none;
+	bool want_tcp;
+
+	UNUSED(options);
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(transp != NULL && *transp == NULL);
+	REQUIRE(updates != NULL);
+	REQUIRE(task != NULL);
+
+	if (tsec != NULL) {
+		tsectype = dns_tsec_gettype(tsec);
+		if (tsectype != dns_tsectype_tsig)
+			return (ISC_R_NOTIMPLEMENTED); /* XXX */
+	}
+
+	LOCK(&client->lock);
+	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
+				   rdclass, &view);
+	UNLOCK(&client->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	want_tcp = (options & DNS_CLIENTUPDOPT_TCP);
+
+	/*
+	 * Create a context and prepare some resources.
+	 */
+
+	uctx = isc_mem_get(client->mctx, sizeof(*uctx));
+	if (uctx == NULL) {
+		dns_view_detach(&view);
+		return (ISC_R_NOMEMORY);
+	}
+
+	result = isc_mutex_init(&uctx->lock);
+	if (result != ISC_R_SUCCESS) {
+		dns_view_detach(&view);
+		isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+		return (ISC_R_NOMEMORY);
+	}
+
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	uctx->client = client;
+	ISC_LINK_INIT(uctx, link);
+	uctx->state = dns_clientupdatestate_prepare;
+	uctx->view = view;
+	uctx->rdclass = rdclass;
+	uctx->canceled = false;
+	uctx->updatemsg = NULL;
+	uctx->soaquery = NULL;
+	uctx->updatereq = NULL;
+	uctx->restrans = NULL;
+	uctx->restrans2 = NULL;
+	uctx->bp4 = NULL;
+	uctx->bp6 = NULL;
+	uctx->soareq = NULL;
+	uctx->event = NULL;
+	uctx->tsigkey = NULL;
+	uctx->sig0key = NULL;
+	uctx->zonename = NULL;
+	uctx->want_tcp = want_tcp;
+	dns_name_init(&uctx->soaqname, NULL);
+	ISC_LIST_INIT(uctx->servers);
+	uctx->nservers = 0;
+	uctx->currentserver = NULL;
+	dns_fixedname_init(&uctx->zonefname);
+	if (tsec != NULL)
+		dns_tsec_getkey(tsec, &uctx->tsigkey);
+	uctx->event = (dns_clientupdateevent_t *)
+		isc_event_allocate(client->mctx, tclone, DNS_EVENT_UPDATEDONE,
+				   action, arg, sizeof(*uctx->event));
+	if (uctx->event == NULL)
+		goto fail;
+	if (zonename != NULL) {
+		uctx->zonename = dns_fixedname_name(&uctx->zonefname);
+		result = dns_name_copy(zonename, uctx->zonename, NULL);
+	}
+	if (servers != NULL) {
+		for (server = ISC_LIST_HEAD(*servers);
+		     server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			sa = isc_mem_get(client->mctx, sizeof(*sa));
+			if (sa == NULL)
+				goto fail;
+			sa->type = server->type;
+			sa->length = server->length;
+			ISC_LINK_INIT(sa, link);
+			ISC_LIST_APPEND(uctx->servers, sa, link);
+			if (uctx->currentserver == NULL)
+				uctx->currentserver = sa;
+			uctx->nservers++;
+		}
+	}
+
+	/* Make update message */
+	result = dns_message_create(client->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &uctx->updatemsg);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	uctx->updatemsg->opcode = dns_opcode_update;
+
+	if (prerequisites != NULL) {
+		for (name = ISC_LIST_HEAD(*prerequisites); name != NULL;
+		     name = ISC_LIST_NEXT(name, link)) {
+			newname = NULL;
+			result = copy_name(client->mctx, uctx->updatemsg,
+					   name, &newname);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			dns_message_addname(uctx->updatemsg, newname,
+					    DNS_SECTION_PREREQUISITE);
+		}
+	}
+
+	for (name = ISC_LIST_HEAD(*updates); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		newname = NULL;
+		result = copy_name(client->mctx, uctx->updatemsg, name,
+				   &newname);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+		dns_message_addname(uctx->updatemsg, newname,
+				    DNS_SECTION_UPDATE);
+	}
+
+	uctx->firstname = NULL;
+	result = dns_message_firstname(uctx->updatemsg, section);
+	if (result == ISC_R_NOMORE) {
+		section = DNS_SECTION_PREREQUISITE;
+		result = dns_message_firstname(uctx->updatemsg, section);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	dns_message_currentname(uctx->updatemsg, section, &uctx->firstname);
+
+	uctx->magic = UCTX_MAGIC;
+
+	LOCK(&client->lock);
+	ISC_LIST_APPEND(client->updatectxs, uctx, link);
+	UNLOCK(&client->lock);
+
+	*transp = (dns_clientupdatetrans_t *)uctx;
+	result = isc_app_ctxonrun(client->actx, client->mctx, client->task,
+				  startupdate, uctx);
+	if (result == ISC_R_ALREADYRUNNING) {
+		isc_event_t *event;
+		event = isc_event_allocate(client->mctx, dns_client_startupdate,
+					   DNS_EVENT_STARTUPDATE, startupdate,
+					   uctx, sizeof(*event));
+		if (event != NULL) {
+			result = ISC_R_SUCCESS;
+			isc_task_send(task, &event);
+		} else
+			result = ISC_R_NOMEMORY;
+	}
+	if (result == ISC_R_SUCCESS)
+		return (result);
+	*transp = NULL;
+
+ fail:
+	if (ISC_LINK_LINKED(uctx, link)) {
+		LOCK(&client->lock);
+		ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+		UNLOCK(&client->lock);
+	}
+	if (uctx->updatemsg != NULL)
+		dns_message_destroy(&uctx->updatemsg);
+	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+		ISC_LIST_UNLINK(uctx->servers, sa, link);
+		isc_mem_put(client->mctx, sa, sizeof(*sa));
+	}
+	if (uctx->event != NULL)
+		isc_event_free(ISC_EVENT_PTR(&uctx->event));
+	if (uctx->tsigkey != NULL)
+		dns_tsigkey_detach(&uctx->tsigkey);
+	isc_task_detach(&tclone);
+	DESTROYLOCK(&uctx->lock);
+	uctx->magic = 0;
+	isc_mem_put(client->mctx, uctx, sizeof(*uctx));
+	dns_view_detach(&view);
+
+	return (result);
+}
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans) {
+	updatectx_t *uctx;
+
+	REQUIRE(trans != NULL);
+	uctx = (updatectx_t *)trans;
+	REQUIRE(UCTX_VALID(uctx));
+
+	LOCK(&uctx->lock);
+
+	if (!uctx->canceled) {
+		uctx->canceled = true;
+		if (uctx->updatereq != NULL)
+			dns_request_cancel(uctx->updatereq);
+		if (uctx->soareq != NULL)
+			dns_request_cancel(uctx->soareq);
+		if (uctx->restrans != NULL)
+			dns_client_cancelresolve(uctx->restrans);
+		if (uctx->restrans2 != NULL)
+			dns_client_cancelresolve(uctx->restrans2);
+	}
+
+	UNLOCK(&uctx->lock);
+}
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp) {
+	updatectx_t *uctx;
+	isc_mem_t *mctx;
+	dns_client_t *client;
+	bool need_destroyclient = false;
+	isc_sockaddr_t *sa;
+
+	REQUIRE(transp != NULL);
+	uctx = (updatectx_t *)*transp;
+	REQUIRE(UCTX_VALID(uctx));
+	client = uctx->client;
+	REQUIRE(DNS_CLIENT_VALID(client));
+	REQUIRE(uctx->updatereq == NULL && uctx->updatemsg == NULL &&
+		uctx->soareq == NULL && uctx->soaquery == NULL &&
+		uctx->event == NULL && uctx->tsigkey == NULL &&
+		uctx->sig0key == NULL);
+
+	mctx = client->mctx;
+	dns_view_detach(&uctx->view);
+	while ((sa = ISC_LIST_HEAD(uctx->servers)) != NULL) {
+		ISC_LIST_UNLINK(uctx->servers, sa, link);
+		isc_mem_put(mctx, sa, sizeof(*sa));
+	}
+
+	LOCK(&client->lock);
+
+	INSIST(ISC_LINK_LINKED(uctx, link));
+	ISC_LIST_UNLINK(client->updatectxs, uctx, link);
+
+	if (client->references == 0 && ISC_LIST_EMPTY(client->resctxs) &&
+	    ISC_LIST_EMPTY(client->reqctxs) &&
+	    ISC_LIST_EMPTY(client->updatectxs))
+		need_destroyclient = true;
+
+	UNLOCK(&client->lock);
+
+	DESTROYLOCK(&uctx->lock);
+	uctx->magic = 0;
+
+	isc_mem_put(mctx, uctx, sizeof(*uctx));
+
+	if (need_destroyclient)
+		destroyclient(&client);
+
+	*transp = NULL;
+}
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client) {
+
+	REQUIRE(DNS_CLIENT_VALID(client));
+	return (client->mctx);
+}
+
+typedef struct {
+	isc_buffer_t 	buffer;
+	dns_rdataset_t	rdataset;
+	dns_rdatalist_t	rdatalist;
+	dns_rdata_t	rdata;
+	size_t		size;
+	isc_mem_t *	mctx;
+	unsigned char	data[FLEXIBLE_ARRAY_MEMBER];
+} dns_client_updaterec_t;
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+		     dns_rdatatype_t type, dns_rdata_t *source,
+		     dns_ttl_t ttl, dns_name_t *target,
+		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+		     dns_rdata_t *rdata, isc_mem_t *mctx)
+{
+	dns_client_updaterec_t *updaterec = NULL;
+	size_t size = offsetof(dns_client_updaterec_t, data);
+
+	REQUIRE(op < updateop_max);
+	REQUIRE(owner != NULL);
+	REQUIRE((rdataset != NULL && rdatalist != NULL && rdata != NULL) ||
+		(rdataset == NULL && rdatalist == NULL && rdata == NULL &&
+		 mctx != NULL));
+	if (op == updateop_add)
+		REQUIRE(source != NULL);
+	if (source != NULL) {
+		REQUIRE(source->type == type);
+		REQUIRE(op == updateop_add || op == updateop_delete ||
+			op == updateop_exist);
+	}
+
+	size += owner->length;
+	if (source != NULL)
+		size += source->length;
+
+	if (rdataset == NULL) {
+		updaterec = isc_mem_get(mctx, size);
+		if (updaterec == NULL)
+			return (ISC_R_NOMEMORY);
+		rdataset = &updaterec->rdataset;
+		rdatalist = &updaterec->rdatalist;
+		rdata = &updaterec->rdata;
+		dns_rdataset_init(rdataset);
+		dns_rdatalist_init(&updaterec->rdatalist);
+		dns_rdata_init(&updaterec->rdata);
+		isc_buffer_init(&updaterec->buffer, updaterec->data,
+				(unsigned int)
+				(size -
+				 offsetof(dns_client_updaterec_t, data)));
+		dns_name_copy(owner, target, &updaterec->buffer);
+		if (source != NULL) {
+			isc_region_t r;
+			dns_rdata_clone(source, rdata);
+			dns_rdata_toregion(rdata, &r);
+			rdata->data = isc_buffer_used(&updaterec->buffer);
+			isc_buffer_copyregion(&updaterec->buffer, &r);
+		}
+		updaterec->mctx = NULL;
+		isc_mem_attach(mctx, &updaterec->mctx);
+	} else if (source != NULL)
+		dns_rdata_clone(source, rdata);
+
+	switch (op) {
+	case updateop_add:
+		break;
+	case updateop_delete:
+		if (source != NULL) {
+			ttl = 0;
+			dns_rdata_makedelete(rdata);
+		} else
+			dns_rdata_deleterrset(rdata, type);
+		break;
+	case updateop_notexist:
+		dns_rdata_notexist(rdata, type);
+		break;
+	case updateop_exist:
+		if (source == NULL) {
+			ttl = 0;
+			dns_rdata_exists(rdata, type);
+		}
+	case updateop_none:
+		break;
+	default:
+		INSIST(0);
+	}
+
+	rdatalist->type = rdata->type;
+	rdatalist->rdclass = rdata->rdclass;
+	if (source != NULL) {
+		rdatalist->covers = dns_rdata_covers(rdata);
+		rdatalist->ttl = ttl;
+	}
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	ISC_LIST_APPEND(target->list, rdataset, link);
+	if (updaterec != NULL) {
+		target->attributes |= DNS_NAMEATTR_HASUPDATEREC;
+		dns_name_setbuffer(target, &updaterec->buffer);
+	}
+	if (op == updateop_add || op == updateop_delete)
+		target->attributes |= DNS_NAMEATTR_UPDATE;
+	else
+		target->attributes |= DNS_NAMEATTR_PREREQUISITE;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_client_freeupdate(dns_name_t **namep) {
+	dns_client_updaterec_t *updaterec;
+	dns_rdatalist_t *rdatalist;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t *rdata;
+	dns_name_t *name;
+
+	REQUIRE(namep != NULL && *namep != NULL);
+
+	name = *namep;
+	for (rdataset = ISC_LIST_HEAD(name->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_HEAD(name->list)) {
+		ISC_LIST_UNLINK(name->list, rdataset, link);
+		rdatalist = NULL;
+		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
+		if (rdatalist == NULL) {
+			dns_rdataset_disassociate(rdataset);
+			continue;
+		}
+		for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
+		     rdata != NULL;
+		     rdata = ISC_LIST_HEAD(rdatalist->rdata))
+			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+		dns_rdataset_disassociate(rdataset);
+	}
+
+	if ((name->attributes & DNS_NAMEATTR_HASUPDATEREC) != 0) {
+		updaterec = (dns_client_updaterec_t *)name->buffer;
+		INSIST(updaterec != NULL);
+		isc_mem_putanddetach(&updaterec->mctx, updaterec,
+				     updaterec->size);
+		*namep = NULL;
+	}
+}
diff --git a/lib/dns/clientinfo.c b/lib/dns/clientinfo.c
new file mode 100644
index 0000000..6d025d9
--- /dev/null
+++ b/lib/dns/clientinfo.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include "config.h"
+
+#include <dns/clientinfo.h>
+
+void
+dns_clientinfomethods_init(dns_clientinfomethods_t *methods,
+			   dns_clientinfo_sourceip_t sourceip)
+{
+	methods->version = DNS_CLIENTINFOMETHODS_VERSION;
+	methods->age = DNS_CLIENTINFOMETHODS_AGE;
+	methods->sourceip = sourceip;
+}
+
+void
+dns_clientinfo_init(dns_clientinfo_t *ci, void *data, void *versionp) {
+	ci->version = DNS_CLIENTINFO_VERSION;
+	ci->data = data;
+	ci->dbversion = versionp;
+}
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
new file mode 100644
index 0000000..ec97235
--- /dev/null
+++ b/lib/dns/compress.c
@@ -0,0 +1,400 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#define DNS_NAME_USEINLINE 1
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#define CCTX_MAGIC	ISC_MAGIC('C', 'C', 'T', 'X')
+#define VALID_CCTX(x)	ISC_MAGIC_VALID(x, CCTX_MAGIC)
+
+#define DCTX_MAGIC	ISC_MAGIC('D', 'C', 'T', 'X')
+#define VALID_DCTX(x)	ISC_MAGIC_VALID(x, DCTX_MAGIC)
+
+#define TABLE_READY							\
+	do {								\
+		unsigned int i;						\
+									\
+		if ((cctx->allowed & DNS_COMPRESS_READY) == 0) {	\
+			cctx->allowed |= DNS_COMPRESS_READY;		\
+			for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++)	\
+				cctx->table[i] = NULL;			\
+		}							\
+	} while (0)
+
+/***
+ ***	Compression
+ ***/
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
+	REQUIRE(cctx != NULL);
+	REQUIRE(mctx != NULL);	/* See: rdataset.c:towiresorted(). */
+
+	cctx->edns = edns;
+	cctx->mctx = mctx;
+	cctx->count = 0;
+	cctx->allowed = DNS_COMPRESS_ENABLED;
+	cctx->magic = CCTX_MAGIC;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_compress_invalidate(dns_compress_t *cctx) {
+	dns_compressnode_t *node;
+	unsigned int i;
+
+	REQUIRE(VALID_CCTX(cctx));
+
+	if ((cctx->allowed & DNS_COMPRESS_READY) != 0) {
+		for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+			while (cctx->table[i] != NULL) {
+				node = cctx->table[i];
+				cctx->table[i] = cctx->table[i]->next;
+				if ((node->offset & 0x8000) != 0)
+					isc_mem_put(cctx->mctx, node->r.base,
+						    node->r.length);
+				if (node->count < DNS_COMPRESS_INITIALNODES)
+					continue;
+				isc_mem_put(cctx->mctx, node, sizeof(*node));
+			}
+		}
+	}
+	cctx->magic = 0;
+	cctx->allowed = 0;
+	cctx->edns = -1;
+}
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	cctx->allowed &= ~DNS_COMPRESS_ALL;
+	cctx->allowed |= (allowed & DNS_COMPRESS_ALL);
+}
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	return (cctx->allowed & DNS_COMPRESS_ALL);
+}
+
+void
+dns_compress_disable(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	cctx->allowed &= ~DNS_COMPRESS_ENABLED;
+}
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, bool sensitive) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	if (sensitive)
+		cctx->allowed |= DNS_COMPRESS_CASESENSITIVE;
+	else
+		cctx->allowed &= ~DNS_COMPRESS_CASESENSITIVE;
+}
+
+bool
+dns_compress_getsensitive(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+
+	return (cctx->allowed & DNS_COMPRESS_CASESENSITIVE);
+}
+
+int
+dns_compress_getedns(dns_compress_t *cctx) {
+	REQUIRE(VALID_CCTX(cctx));
+	return (cctx->edns);
+}
+
+#define NODENAME(node, name) \
+do { \
+	(name)->length = (node)->r.length; \
+	(name)->labels = (node)->labels; \
+	(name)->ndata = (node)->r.base; \
+	(name)->attributes = DNS_NAMEATTR_ABSOLUTE; \
+} while (0)
+
+/*
+ * Find the longest match of name in the table.
+ * If match is found return true. prefix, suffix and offset are updated.
+ * If no match is found return false.
+ */
+bool
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+			dns_name_t *prefix, uint16_t *offset)
+{
+	dns_name_t tname, nname;
+	dns_compressnode_t *node = NULL;
+	unsigned int labels, hash, n;
+
+	REQUIRE(VALID_CCTX(cctx));
+	REQUIRE(dns_name_isabsolute(name) == true);
+	REQUIRE(offset != NULL);
+
+	if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
+		return (false);
+
+	TABLE_READY;
+
+	if (cctx->count == 0)
+		return (false);
+
+	labels = dns_name_countlabels(name);
+	INSIST(labels > 0);
+
+	dns_name_init(&tname, NULL);
+	dns_name_init(&nname, NULL);
+
+	for (n = 0; n < labels - 1; n++) {
+		dns_name_getlabelsequence(name, n, labels - n, &tname);
+		hash = dns_name_hash(&tname, false) %
+		       DNS_COMPRESS_TABLESIZE;
+		for (node = cctx->table[hash]; node != NULL; node = node->next)
+		{
+			NODENAME(node, &nname);
+			if ((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0) {
+				if (dns_name_caseequal(&nname, &tname))
+					break;
+			} else {
+				if (dns_name_equal(&nname, &tname))
+					break;
+			}
+		}
+		if (node != NULL)
+			break;
+	}
+
+	/*
+	 * If node == NULL, we found no match at all.
+	 */
+	if (node == NULL)
+		return (false);
+
+	if (n == 0)
+		dns_name_reset(prefix);
+	else
+		dns_name_getlabelsequence(name, 0, n, prefix);
+
+	*offset = (node->offset & 0x7fff);
+	return (true);
+}
+
+static inline unsigned int
+name_length(const dns_name_t *name) {
+	isc_region_t r;
+	dns_name_toregion(name, &r);
+	return (r.length);
+}
+
+void
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, uint16_t offset)
+{
+	dns_name_t tname, xname;
+	unsigned int start;
+	unsigned int n;
+	unsigned int count;
+	unsigned int hash;
+	dns_compressnode_t *node;
+	unsigned int length;
+	unsigned int tlength;
+	uint16_t toffset;
+	unsigned char *tmp;
+	isc_region_t r;
+
+	REQUIRE(VALID_CCTX(cctx));
+	REQUIRE(dns_name_isabsolute(name));
+
+	if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
+		return;
+
+	TABLE_READY;
+
+	if (offset >= 0x4000)
+		return;
+	dns_name_init(&tname, NULL);
+	dns_name_init(&xname, NULL);
+
+	n = dns_name_countlabels(name);
+	count = dns_name_countlabels(prefix);
+	if (dns_name_isabsolute(prefix))
+		count--;
+	if (count == 0)
+		return;
+	start = 0;
+	dns_name_toregion(name, &r);
+	length = r.length;
+	tmp = isc_mem_get(cctx->mctx, length);
+	if (tmp == NULL)
+		return;
+	/*
+	 * Copy name data to 'tmp' and make 'r' use 'tmp'.
+	 */
+	memmove(tmp, r.base, r.length);
+	r.base = tmp;
+	dns_name_fromregion(&xname, &r);
+
+	while (count > 0) {
+		dns_name_getlabelsequence(&xname, start, n, &tname);
+		hash = dns_name_hash(&tname, false) %
+		       DNS_COMPRESS_TABLESIZE;
+		tlength = name_length(&tname);
+		toffset = (uint16_t)(offset + (length - tlength));
+		if (toffset >= 0x4000)
+			break;
+		/*
+		 * Create a new node and add it.
+		 */
+		if (cctx->count < DNS_COMPRESS_INITIALNODES)
+			node = &cctx->initialnodes[cctx->count];
+		else {
+			node = isc_mem_get(cctx->mctx,
+					   sizeof(dns_compressnode_t));
+			if (node == NULL)
+				break;
+		}
+		node->count = cctx->count++;
+		/*
+		 * 'node->r.base' becomes 'tmp' when start == 0.
+		 * Record this by setting 0x8000 so it can be freed later.
+		 */
+		if (start == 0)
+			toffset |= 0x8000;
+		node->offset = toffset;
+		dns_name_toregion(&tname, &node->r);
+		node->labels = (uint8_t)dns_name_countlabels(&tname);
+		node->next = cctx->table[hash];
+		cctx->table[hash] = node;
+		start++;
+		n--;
+		count--;
+	}
+
+	if (start == 0)
+		isc_mem_put(cctx->mctx, tmp, length);
+}
+
+void
+dns_compress_rollback(dns_compress_t *cctx, uint16_t offset) {
+	unsigned int i;
+	dns_compressnode_t *node;
+
+	REQUIRE(VALID_CCTX(cctx));
+
+	if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
+		return;
+
+	if ((cctx->allowed & DNS_COMPRESS_READY) == 0)
+		return;
+
+	for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+		node = cctx->table[i];
+		/*
+		 * This relies on nodes with greater offsets being
+		 * closer to the beginning of the list, and the
+		 * items with the greatest offsets being at the end
+		 * of the initialnodes[] array.
+		 */
+		while (node != NULL && (node->offset & 0x7fff) >= offset) {
+			cctx->table[i] = node->next;
+			if ((node->offset & 0x8000) != 0)
+				isc_mem_put(cctx->mctx, node->r.base,
+					    node->r.length);
+			if (node->count >= DNS_COMPRESS_INITIALNODES)
+				isc_mem_put(cctx->mctx, node, sizeof(*node));
+			cctx->count--;
+			node = cctx->table[i];
+		}
+	}
+}
+
+/***
+ ***	Decompression
+ ***/
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+		    dns_decompresstype_t type) {
+
+	REQUIRE(dctx != NULL);
+	REQUIRE(edns >= -1 && edns <= 255);
+
+	dctx->allowed = DNS_COMPRESS_NONE;
+	dctx->edns = edns;
+	dctx->type = type;
+	dctx->magic = DCTX_MAGIC;
+}
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx) {
+
+	REQUIRE(VALID_DCTX(dctx));
+
+	dctx->magic = 0;
+}
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
+
+	REQUIRE(VALID_DCTX(dctx));
+
+	switch (dctx->type) {
+	case DNS_DECOMPRESS_ANY:
+		dctx->allowed = DNS_COMPRESS_ALL;
+		break;
+	case DNS_DECOMPRESS_NONE:
+		dctx->allowed = DNS_COMPRESS_NONE;
+		break;
+	case DNS_DECOMPRESS_STRICT:
+		dctx->allowed = allowed;
+		break;
+	}
+}
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx) {
+
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->allowed);
+}
+
+int
+dns_decompress_edns(dns_decompress_t *dctx) {
+
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->edns);
+}
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx) {
+
+	REQUIRE(VALID_DCTX(dctx));
+
+	return (dctx->type);
+}
diff --git a/lib/dns/db.c b/lib/dns/db.c
new file mode 100644
index 0000000..ee3e00d
--- /dev/null
+++ b/lib/dns/db.c
@@ -0,0 +1,1132 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/clientinfo.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+/***
+ *** Private Types
+ ***/
+
+struct dns_dbimplementation {
+	const char *				name;
+	dns_dbcreatefunc_t			create;
+	isc_mem_t *				mctx;
+	void *					driverarg;
+	ISC_LINK(dns_dbimplementation_t)	link;
+};
+
+/***
+ *** Supported DB Implementations Registry
+ ***/
+
+/*
+ * Built in database implementations are registered here.
+ */
+
+#include "rbtdb.h"
+#include "rbtdb64.h"
+
+static ISC_LIST(dns_dbimplementation_t) implementations;
+static isc_rwlock_t implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static dns_dbimplementation_t rbtimp;
+static dns_dbimplementation_t rbt64imp;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_rwlock_init(&implock, 0, 0) == ISC_R_SUCCESS);
+
+	rbtimp.name = "rbt";
+	rbtimp.create = dns_rbtdb_create;
+	rbtimp.mctx = NULL;
+	rbtimp.driverarg = NULL;
+	ISC_LINK_INIT(&rbtimp, link);
+
+	rbt64imp.name = "rbt64";
+	rbt64imp.create = dns_rbtdb64_create;
+	rbt64imp.mctx = NULL;
+	rbt64imp.driverarg = NULL;
+	ISC_LINK_INIT(&rbt64imp, link);
+
+	ISC_LIST_INIT(implementations);
+	ISC_LIST_APPEND(implementations, &rbtimp, link);
+	ISC_LIST_APPEND(implementations, &rbt64imp, link);
+}
+
+static inline dns_dbimplementation_t *
+impfind(const char *name) {
+	dns_dbimplementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(implementations);
+	     imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+		if (strcasecmp(name, imp->name) == 0)
+			return (imp);
+	return (NULL);
+}
+
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
+	      dns_dbtype_t type, dns_rdataclass_t rdclass,
+	      unsigned int argc, char *argv[], dns_db_t **dbp)
+{
+	dns_dbimplementation_t *impinfo;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	/*
+	 * Create a new database using implementation 'db_type'.
+	 */
+
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(dns_name_isabsolute(origin));
+
+	RWLOCK(&implock, isc_rwlocktype_read);
+	impinfo = impfind(db_type);
+	if (impinfo != NULL) {
+		isc_result_t result;
+		result = ((impinfo->create)(mctx, origin, type,
+					    rdclass, argc, argv,
+					    impinfo->driverarg, dbp));
+		RWUNLOCK(&implock, isc_rwlocktype_read);
+		return (result);
+	}
+
+	RWUNLOCK(&implock, isc_rwlocktype_read);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DB, ISC_LOG_ERROR,
+		      "unsupported database type '%s'", db_type);
+
+	return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp) {
+
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(DNS_DB_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(source->methods->attach)(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+dns_db_detach(dns_db_t **dbp) {
+
+	/*
+	 * Detach *dbp from its database.
+	 */
+
+	REQUIRE(dbp != NULL);
+	REQUIRE(DNS_DB_VALID(*dbp));
+
+	((*dbp)->methods->detach)(dbp);
+
+	ENSURE(*dbp == NULL);
+}
+
+isc_result_t
+dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp)
+{
+	REQUIRE(DNS_DB_VALID(db));
+
+	return (isc_ondestroy_register(&db->ondest, task, eventp));
+}
+
+
+bool
+dns_db_iscache(dns_db_t *db) {
+
+	/*
+	 * Does 'db' have cache semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_CACHE) != 0)
+		return (true);
+
+	return (false);
+}
+
+bool
+dns_db_iszone(dns_db_t *db) {
+
+	/*
+	 * Does 'db' have zone semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & (DNS_DBATTR_CACHE|DNS_DBATTR_STUB)) == 0)
+		return (true);
+
+	return (false);
+}
+
+bool
+dns_db_isstub(dns_db_t *db) {
+
+	/*
+	 * Does 'db' have stub semantics?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_STUB) != 0)
+		return (true);
+
+	return (false);
+}
+
+bool
+dns_db_isdnssec(dns_db_t *db) {
+
+	/*
+	 * Is 'db' secure or partially secure?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+	if (db->methods->isdnssec != NULL)
+		return ((db->methods->isdnssec)(db));
+	return ((db->methods->issecure)(db));
+}
+
+bool
+dns_db_issecure(dns_db_t *db) {
+
+	/*
+	 * Is 'db' secure?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+	return ((db->methods->issecure)(db));
+}
+
+bool
+dns_db_ispersistent(dns_db_t *db) {
+
+	/*
+	 * Is 'db' persistent?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return ((db->methods->ispersistent)(db));
+}
+
+dns_name_t *
+dns_db_origin(dns_db_t *db) {
+	/*
+	 * The origin of the database.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return (&db->origin);
+}
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db) {
+	/*
+	 * The class of the database.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return (db->rdclass);
+}
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	/*
+	 * Begin loading 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+
+	return ((db->methods->beginload)(db, callbacks));
+}
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	dns_dbonupdatelistener_t *listener;
+
+	/*
+	 * Finish loading 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	REQUIRE(callbacks->add_private != NULL);
+
+	for (listener = ISC_LIST_HEAD(db->update_listeners);
+	     listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+		listener->onupdate(db, listener->onupdate_arg);
+
+	return ((db->methods->endload)(db, callbacks));
+}
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename) {
+	return (dns_db_load3(db, filename, dns_masterformat_text, 0));
+}
+
+isc_result_t
+dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format) {
+	return (dns_db_load3(db, filename, format, 0));
+}
+
+isc_result_t
+dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
+	     unsigned int options)
+{
+	isc_result_t result, eresult;
+	dns_rdatacallbacks_t callbacks;
+
+	/*
+	 * Load master file 'filename' into 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	if ((db->attributes & DNS_DBATTR_CACHE) != 0)
+		options |= DNS_MASTER_AGETTL;
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_master_loadfile2(filename, &db->origin, &db->origin,
+				      db->rdclass, options,
+				      &callbacks, db->mctx, format);
+	eresult = dns_db_endload(db, &callbacks);
+	/*
+	 * We always call dns_db_endload(), but we only want to return its
+	 * result if dns_master_loadfile() succeeded.  If dns_master_loadfile()
+	 * failed, we want to return the result code it gave us.
+	 */
+	if (eresult != ISC_R_SUCCESS &&
+	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+		result = eresult;
+
+	return (result);
+}
+
+isc_result_t
+dns_db_serialize(dns_db_t *db, dns_dbversion_t *version, FILE *file) {
+	REQUIRE(DNS_DB_VALID(db));
+	if (db->methods->serialize == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return ((db->methods->serialize)(db, version, file));
+}
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+	return ((db->methods->dump)(db, version, filename,
+				    dns_masterformat_text));
+}
+
+isc_result_t
+dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+	     dns_masterformat_t masterformat) {
+	/*
+	 * Dump 'db' into master file 'filename' in the 'masterformat' format.
+	 * XXXJT: is it okay to modify the interface to the existing "dump"
+	 * method?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	return ((db->methods->dump)(db, version, filename, masterformat));
+}
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+
+	/*
+	 * Open the current version for reading.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	(db->methods->currentversion)(db, versionp);
+}
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+
+	/*
+	 * Open a new version for reading and writing.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	return ((db->methods->newversion)(db, versionp));
+}
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+		     dns_dbversion_t **targetp)
+{
+	/*
+	 * Attach '*targetp' to 'source'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(source != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(db->methods->attachversion)(db, source, targetp);
+
+	ENSURE(*targetp != NULL);
+}
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
+		    bool commit)
+{
+	dns_dbonupdatelistener_t *listener;
+
+	/*
+	 * Close version '*versionp'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+	REQUIRE(versionp != NULL && *versionp != NULL);
+
+	(db->methods->closeversion)(db, versionp, commit);
+
+	if (commit == true) {
+		for (listener = ISC_LIST_HEAD(db->update_listeners);
+		     listener != NULL;
+		     listener = ISC_LIST_NEXT(listener, link))
+			listener->onupdate(db, listener->onupdate_arg);
+	}
+
+	ENSURE(*versionp == NULL);
+}
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, dns_name_t *name,
+		bool create, dns_dbnode_t **nodep)
+{
+
+	/*
+	 * Find the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->findnode != NULL)
+		return ((db->methods->findnode)(db, name, create, nodep));
+	else
+		return ((db->methods->findnodeext)(db, name, create,
+						   NULL, NULL, nodep));
+}
+
+isc_result_t
+dns_db_findnodeext(dns_db_t *db, dns_name_t *name,
+		   bool create, dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep)
+{
+	/*
+	 * Find the node with name 'name', passing 'arg' to the database
+	 * implementation.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->findnodeext != NULL)
+		return ((db->methods->findnodeext)(db, name, create,
+						   methods, clientinfo, nodep));
+	else
+		return ((db->methods->findnode)(db, name, create, nodep));
+}
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+		     bool create, dns_dbnode_t **nodep)
+{
+
+	/*
+	 * Find the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	return ((db->methods->findnsec3node)(db, name, create, nodep));
+}
+
+isc_result_t
+dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	/*
+	 * Find the best match for 'name' and 'type' in version 'version'
+	 * of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(rdataset == NULL ||
+		(DNS_RDATASET_VALID(rdataset) &&
+		 ! dns_rdataset_isassociated(rdataset)));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 ! dns_rdataset_isassociated(sigrdataset)));
+
+	if (db->methods->find != NULL)
+		return ((db->methods->find)(db, name, version, type,
+					    options, now, nodep, foundname,
+					    rdataset, sigrdataset));
+	else
+		return ((db->methods->findext)(db, name, version, type,
+					       options, now, nodep, foundname,
+					       NULL, NULL,
+					       rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	       dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+
+	/*
+	 * Find the best match for 'name' and 'type' in version 'version'
+	 * of 'db', passing in 'arg'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(rdataset == NULL ||
+		(DNS_RDATASET_VALID(rdataset) &&
+		 ! dns_rdataset_isassociated(rdataset)));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 ! dns_rdataset_isassociated(sigrdataset)));
+
+	if (db->methods->findext != NULL)
+		return ((db->methods->findext)(db, name, version, type,
+					       options, now, nodep, foundname,
+					       methods, clientinfo,
+					       rdataset, sigrdataset));
+	else
+		return ((db->methods->find)(db, name, version, type,
+					    options, now, nodep, foundname,
+					    rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
+		   unsigned int options, isc_stdtime_t now,
+		   dns_dbnode_t **nodep, dns_name_t *foundname,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	/*
+	 * Find the deepest known zonecut which encloses 'name' in 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(dns_name_hasbuffer(foundname));
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 ! dns_rdataset_isassociated(sigrdataset)));
+
+	return ((db->methods->findzonecut)(db, name, options, now, nodep,
+					   foundname, rdataset, sigrdataset));
+}
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(source != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	(db->methods->attachnode)(db, source, targetp);
+}
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+
+	/*
+	 * Detach *nodep from its node.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep != NULL);
+
+	(db->methods->detachnode)(db, nodep);
+
+	ENSURE(*nodep == NULL);
+}
+
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	/*
+	 * This doesn't check the implementation magic.  If we find that
+	 * we need such checks in future then this will be done in the
+	 * method.
+	 */
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+
+	UNUSED(db);
+
+	if (db->methods->transfernode == NULL) {
+		*targetp = *sourcep;
+		*sourcep = NULL;
+	} else
+		(db->methods->transfernode)(db, sourcep, targetp);
+
+	ENSURE(*sourcep == NULL);
+}
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+
+	/*
+	 * Mark as stale all records at 'node' which expire at or before 'now'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+	REQUIRE(node != NULL);
+
+	return ((db->methods->expirenode)(db, node, now));
+}
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	/*
+	 * Print a textual representation of the contents of the node to
+	 * 'out'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+
+	(db->methods->printnode)(db, node, out);
+}
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, unsigned int flags,
+		      dns_dbiterator_t **iteratorp)
+{
+	/*
+	 * Create an iterator for version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+	return (db->methods->createiterator(db, flags, iteratorp));
+}
+
+/***
+ *** Rdataset Methods
+ ***/
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    dns_rdatatype_t type, dns_rdatatype_t covers,
+		    isc_stdtime_t now, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
+	REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
+	REQUIRE(type != dns_rdatatype_any);
+	REQUIRE(sigrdataset == NULL ||
+		(DNS_RDATASET_VALID(sigrdataset) &&
+		 ! dns_rdataset_isassociated(sigrdataset)));
+
+	return ((db->methods->findrdataset)(db, node, version, type,
+					    covers, now, rdataset,
+					    sigrdataset));
+}
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	/*
+	 * Make '*iteratorp' an rdataset iteratator for all rdatasets at
+	 * 'node' in version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+	return ((db->methods->allrdatasets)(db, node, version, now,
+					    iteratorp));
+}
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   unsigned int options, dns_rdataset_t *addedrdataset)
+{
+	/*
+	 * Add 'rdataset' to 'node' in version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
+		((db->attributes & DNS_DBATTR_CACHE) != 0 &&
+		 version == NULL && (options & DNS_DBADD_MERGE) == 0));
+	REQUIRE((options & DNS_DBADD_EXACT) == 0 ||
+		(options & DNS_DBADD_MERGE) != 0);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(dns_rdataset_isassociated(rdataset));
+	REQUIRE(rdataset->rdclass == db->rdclass);
+	REQUIRE(addedrdataset == NULL ||
+		(DNS_RDATASET_VALID(addedrdataset) &&
+		 ! dns_rdataset_isassociated(addedrdataset)));
+
+	return ((db->methods->addrdataset)(db, node, version, now, rdataset,
+					   options, addedrdataset));
+}
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, dns_rdataset_t *rdataset,
+			unsigned int options, dns_rdataset_t *newrdataset)
+{
+	/*
+	 * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+	 * 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(dns_rdataset_isassociated(rdataset));
+	REQUIRE(rdataset->rdclass == db->rdclass);
+	REQUIRE(newrdataset == NULL ||
+		(DNS_RDATASET_VALID(newrdataset) &&
+		 ! dns_rdataset_isassociated(newrdataset)));
+
+	return ((db->methods->subtractrdataset)(db, node, version, rdataset,
+						options, newrdataset));
+}
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+		      dns_dbversion_t *version, dns_rdatatype_t type,
+		      dns_rdatatype_t covers)
+{
+	/*
+	 * Make it so that no rdataset of type 'type' exists at 'node' in
+	 * version version 'version' of 'db'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(node != NULL);
+	REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
+		((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
+
+	return ((db->methods->deleterdataset)(db, node, version,
+					      type, covers));
+}
+
+void
+dns_db_overmem(dns_db_t *db, bool overmem) {
+
+	REQUIRE(DNS_DB_VALID(db));
+
+	(db->methods->overmem)(db, overmem);
+}
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, uint32_t *serialp)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+
+	REQUIRE(dns_db_iszone(db) || dns_db_isstub(db));
+
+	result = dns_db_findnode(db, dns_db_origin(db), false, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto freenode;
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto freerdataset;
+	dns_rdataset_current(&rdataset, &rdata);
+	result = dns_rdataset_next(&rdataset);
+	INSIST(result == ISC_R_NOMORE);
+
+	INSIST(rdata.length > 20);
+	isc_buffer_init(&buffer, rdata.data, rdata.length);
+	isc_buffer_add(&buffer, rdata.length);
+	isc_buffer_forward(&buffer, rdata.length - 20);
+	*serialp = isc_buffer_getuint32(&buffer);
+
+	result = ISC_R_SUCCESS;
+
+ freerdataset:
+	dns_rdataset_disassociate(&rdataset);
+
+ freenode:
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+unsigned int
+dns_db_nodecount(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	return ((db->methods->nodecount)(db));
+}
+
+size_t
+dns_db_hashsize(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->hashsize == NULL)
+		return (0);
+
+	return ((db->methods->hashsize)(db));
+}
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	(db->methods->settask)(db, task);
+}
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+		isc_mem_t *mctx, dns_dbimplementation_t **dbimp)
+{
+	dns_dbimplementation_t *imp;
+
+	REQUIRE(name != NULL);
+	REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	RWLOCK(&implock, isc_rwlocktype_write);
+	imp = impfind(name);
+	if (imp != NULL) {
+		RWUNLOCK(&implock, isc_rwlocktype_write);
+		return (ISC_R_EXISTS);
+	}
+
+	imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
+	if (imp == NULL) {
+		RWUNLOCK(&implock, isc_rwlocktype_write);
+		return (ISC_R_NOMEMORY);
+	}
+	imp->name = name;
+	imp->create = create;
+	imp->mctx = NULL;
+	imp->driverarg = driverarg;
+	isc_mem_attach(mctx, &imp->mctx);
+	ISC_LINK_INIT(imp, link);
+	ISC_LIST_APPEND(implementations, imp, link);
+	RWUNLOCK(&implock, isc_rwlocktype_write);
+
+	*dbimp = imp;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp) {
+	dns_dbimplementation_t *imp;
+	isc_mem_t *mctx;
+
+	REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	imp = *dbimp;
+	*dbimp = NULL;
+	RWLOCK(&implock, isc_rwlocktype_write);
+	ISC_LIST_UNLINK(implementations, imp, link);
+	mctx = imp->mctx;
+	isc_mem_put(mctx, imp, sizeof(dns_dbimplementation_t));
+	isc_mem_detach(&mctx);
+	RWUNLOCK(&implock, isc_rwlocktype_write);
+	ENSURE(*dbimp == NULL);
+}
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db) == true);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (db->methods->getoriginnode != NULL)
+		return ((db->methods->getoriginnode)(db, nodep));
+
+	return (ISC_R_NOTFOUND);
+}
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->getrrsetstats != NULL)
+		return ((db->methods->getrrsetstats)(db));
+
+	return (NULL);
+}
+
+isc_result_t
+dns_db_setcachestats(dns_db_t *db, isc_stats_t *stats) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->setcachestats != NULL)
+		return ((db->methods->setcachestats)(db, stats));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, uint8_t *flags,
+			  uint16_t *iterations,
+			  unsigned char *salt, size_t *salt_length)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db) == true);
+
+	if (db->methods->getnsec3parameters != NULL)
+		return ((db->methods->getnsec3parameters)(db, version, hash,
+							  flags, iterations,
+							  salt, salt_length));
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	       uint64_t *bytes)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db) == true);
+
+	if (db->methods->getsize != NULL)
+		return ((db->methods->getsize)(db, version, records, bytes));
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign)
+{
+	if (db->methods->setsigningtime != NULL)
+		return ((db->methods->setsigningtime)(db, rdataset, resign));
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
+{
+	if (db->methods->getsigningtime != NULL)
+		return ((db->methods->getsigningtime)(db, rdataset, name));
+	return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version)
+{
+	if (db->methods->resigned != NULL)
+		(db->methods->resigned)(db, rdataset, version);
+}
+
+/*
+ * Attach a database to policy zone databases.
+ * This should only happen when the caller has already ensured that
+ * it is dealing with a database that understands response policy zones.
+ */
+void
+dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
+	REQUIRE(db->methods->rpz_attach != NULL);
+	(db->methods->rpz_attach)(db, rpzs, rpz_num);
+}
+
+/*
+ * Finish loading a response policy zone.
+ */
+isc_result_t
+dns_db_rpz_ready(dns_db_t *db) {
+	if (db->methods->rpz_ready == NULL)
+		return (ISC_R_SUCCESS);
+	return ((db->methods->rpz_ready)(db));
+}
+
+/**
+ * Attach a notify-on-update function the database
+ */
+isc_result_t
+dns_db_updatenotify_register(dns_db_t *db,
+			     dns_dbupdate_callback_t fn,
+			     void *fn_arg)
+{
+	dns_dbonupdatelistener_t *listener;
+
+	REQUIRE(db != NULL);
+	REQUIRE(fn != NULL);
+
+	listener = isc_mem_get(db->mctx, sizeof(dns_dbonupdatelistener_t));
+	if (listener == NULL)
+		return (ISC_R_NOMEMORY);
+
+	listener->onupdate = fn;
+	listener->onupdate_arg = fn_arg;
+
+	ISC_LINK_INIT(listener, link);
+	ISC_LIST_APPEND(db->update_listeners, listener, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_db_updatenotify_unregister(dns_db_t *db,
+			       dns_dbupdate_callback_t fn,
+			       void *fn_arg)
+{
+	dns_dbonupdatelistener_t *listener;
+
+	REQUIRE(db != NULL);
+
+	for (listener = ISC_LIST_HEAD(db->update_listeners);
+	     listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+	{
+		if ((listener->onupdate == fn) &&
+		    (listener->onupdate_arg == fn_arg))
+		{
+			ISC_LIST_UNLINK(db->update_listeners, listener, link);
+			isc_mem_put(db->mctx, listener,
+				    sizeof(dns_dbonupdatelistener_t));
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+	REQUIRE(db != NULL);
+	REQUIRE(node != NULL);
+	REQUIRE(name != NULL);
+
+	if (db->methods->nodefullname == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return ((db->methods->nodefullname)(db, node, name));
+}
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
new file mode 100644
index 0000000..548f611
--- /dev/null
+++ b/lib/dns/dbiterator.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/util.h>
+
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	/*
+	 * Destroy '*iteratorp'.
+	 */
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_DBITERATOR_VALID(*iteratorp));
+
+	(*iteratorp)->methods->destroy(iteratorp);
+
+	ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the first node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the first node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->last(iterator));
+}
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+	/*
+	 * Move the node cursor to the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->seek(iterator, name));
+}
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the previous node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->prev(iterator));
+}
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator) {
+	/*
+	 * Move the node cursor to the next node in the database (if any).
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->next(iterator));
+}
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		       dns_name_t *name)
+{
+	/*
+	 * Return the current node.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(name == NULL || dns_name_hasbuffer(name));
+
+	return (iterator->methods->current(iterator, nodep, name));
+}
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator) {
+	/*
+	 * Pause iteration.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	return (iterator->methods->pause(iterator));
+}
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+
+	/*
+	 * Return the origin to which returned node names are relative.
+	 */
+
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+	REQUIRE(iterator->relative_names);
+	REQUIRE(dns_name_hasbuffer(name));
+
+	return (iterator->methods->origin(iterator, name));
+}
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, bool mode) {
+	REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+	iterator->cleaning = mode;
+}
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
new file mode 100644
index 0000000..3cc7cb6
--- /dev/null
+++ b/lib/dns/dbtable.c
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#include <dns/dbtable.h>
+#include <dns/db.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+struct dns_dbtable {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	dns_rdataclass_t	rdclass;
+	isc_mutex_t		lock;
+	isc_rwlock_t		tree_lock;
+	/* Locked by lock. */
+	unsigned int		references;
+	/* Locked by tree_lock. */
+	dns_rbt_t *		rbt;
+	dns_db_t *		default_db;
+};
+
+#define DBTABLE_MAGIC		ISC_MAGIC('D', 'B', '-', '-')
+#define VALID_DBTABLE(dbtable)	ISC_MAGIC_VALID(dbtable, DBTABLE_MAGIC)
+
+static void
+dbdetach(void *data, void *arg) {
+	dns_db_t *db = data;
+
+	UNUSED(arg);
+
+	dns_db_detach(&db);
+}
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		   dns_dbtable_t **dbtablep)
+{
+	dns_dbtable_t *dbtable;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(dbtablep != NULL && *dbtablep == NULL);
+
+	dbtable = (dns_dbtable_t *)isc_mem_get(mctx, sizeof(*dbtable));
+	if (dbtable == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dbtable->rbt = NULL;
+	result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
+	if (result != ISC_R_SUCCESS)
+		goto clean1;
+
+	result = isc_mutex_init(&dbtable->lock);
+	if (result != ISC_R_SUCCESS)
+		goto clean2;
+
+	result = isc_rwlock_init(&dbtable->tree_lock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto clean3;
+
+	dbtable->default_db = NULL;
+	dbtable->mctx = NULL;
+	isc_mem_attach(mctx, &dbtable->mctx);
+	dbtable->rdclass = rdclass;
+	dbtable->magic = DBTABLE_MAGIC;
+	dbtable->references = 1;
+
+	*dbtablep = dbtable;
+
+	return (ISC_R_SUCCESS);
+
+ clean3:
+	DESTROYLOCK(&dbtable->lock);
+
+ clean2:
+	dns_rbt_destroy(&dbtable->rbt);
+
+ clean1:
+	isc_mem_putanddetach(&mctx, dbtable, sizeof(*dbtable));
+
+	return (result);
+}
+
+static inline void
+dbtable_free(dns_dbtable_t *dbtable) {
+	/*
+	 * Caller must ensure that it is safe to call.
+	 */
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	if (dbtable->default_db != NULL)
+		dns_db_detach(&dbtable->default_db);
+
+	dns_rbt_destroy(&dbtable->rbt);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	isc_rwlock_destroy(&dbtable->tree_lock);
+
+	dbtable->magic = 0;
+
+	isc_mem_putanddetach(&dbtable->mctx, dbtable, sizeof(*dbtable));
+}
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp) {
+	REQUIRE(VALID_DBTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);
+
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep) {
+	dns_dbtable_t *dbtable;
+	bool free_dbtable = false;
+
+	REQUIRE(dbtablep != NULL);
+	dbtable = *dbtablep;
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	LOCK(&dbtable->lock);
+
+	INSIST(dbtable->references > 0);
+	dbtable->references--;
+	if (dbtable->references == 0)
+		free_dbtable = true;
+
+	UNLOCK(&dbtable->lock);
+
+	if (free_dbtable)
+		dbtable_free(dbtable);
+
+	*dbtablep = NULL;
+}
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db) {
+	isc_result_t result;
+	dns_db_t *dbclone;
+
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dns_db_class(db) == dbtable->rdclass);
+
+	dbclone = NULL;
+	dns_db_attach(db, &dbclone);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+	result = dns_rbt_addname(dbtable->rbt, dns_db_origin(dbclone), dbclone);
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
+	dns_db_t *stored_data = NULL;
+	isc_result_t result;
+	dns_name_t *name;
+
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	name = dns_db_origin(db);
+
+	/*
+	 * There is a requirement that the association of name with db
+	 * be verified.  With the current rbt.c this is expensive to do,
+	 * because effectively two find operations are being done, but
+	 * deletion is relatively infrequent.
+	 * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
+	 */
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
+				  (void **) (void *)&stored_data);
+
+	if (result == ISC_R_SUCCESS) {
+		INSIST(stored_data == db);
+
+		(void)dns_rbt_deletename(dbtable->rbt, name, false);
+	}
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dbtable->default_db == NULL);
+	REQUIRE(dns_name_compare(dns_db_origin(db), dns_rootname) == 0);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	dbtable->default_db = NULL;
+	dns_db_attach(db, &dbtable->default_db);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **dbp) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	dns_db_attach(dbtable->default_db, dbp);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+}
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
+	REQUIRE(VALID_DBTABLE(dbtable));
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+	dns_db_detach(&dbtable->default_db);
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp)
+{
+	dns_db_t *stored_data = NULL;
+	isc_result_t result;
+	unsigned int rbtoptions = 0;
+
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	if ((options & DNS_DBTABLEFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+	RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
+				  (void **) (void *)&stored_data);
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		dns_db_attach(stored_data, dbp);
+	else if (dbtable->default_db != NULL) {
+		dns_db_attach(dbtable->default_db, dbp);
+		result = DNS_R_PARTIALMATCH;
+	} else
+		result = ISC_R_NOTFOUND;
+
+	RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
new file mode 100644
index 0000000..d846f04
--- /dev/null
+++ b/lib/dns/diff.c
@@ -0,0 +1,673 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/log.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+#define CHECK(op) \
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+#define DIFF_COMMON_LOGARGS \
+	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DIFF
+
+static dns_rdatatype_t
+rdata_covers(dns_rdata_t *rdata) {
+	return (rdata->type == dns_rdatatype_rrsig ?
+		dns_rdata_covers(rdata) : 0);
+}
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx,
+		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+		     dns_rdata_t *rdata, dns_difftuple_t **tp)
+{
+	dns_difftuple_t *t;
+	unsigned int size;
+	unsigned char *datap;
+
+	REQUIRE(tp != NULL && *tp == NULL);
+
+	/*
+	 * Create a new tuple.  The variable-size wire-format name data and
+	 * rdata immediately follow the dns_difftuple_t structure
+	 * in memory.
+	 */
+	size = sizeof(*t) + name->length + rdata->length;
+	t = isc_mem_allocate(mctx, size);
+	if (t == NULL)
+		return (ISC_R_NOMEMORY);
+	t->mctx = NULL;
+	isc_mem_attach(mctx, &t->mctx);
+	t->op = op;
+
+	datap = (unsigned char *)(t + 1);
+
+	memmove(datap, name->ndata, name->length);
+	dns_name_init(&t->name, NULL);
+	dns_name_clone(name, &t->name);
+	t->name.ndata = datap;
+	datap += name->length;
+
+	t->ttl = ttl;
+
+	dns_rdata_init(&t->rdata);
+	dns_rdata_clone(rdata, &t->rdata);
+	if (rdata->data != NULL) {
+		memmove(datap, rdata->data, rdata->length);
+		t->rdata.data = datap;
+		datap += rdata->length;
+	} else {
+		t->rdata.data = NULL;
+		INSIST(rdata->length == 0);
+	}
+
+	ISC_LINK_INIT(&t->rdata, link);
+	ISC_LINK_INIT(t, link);
+	t->magic = DNS_DIFFTUPLE_MAGIC;
+
+	INSIST(datap == (unsigned char *)t + size);
+
+	*tp = t;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_difftuple_free(dns_difftuple_t **tp) {
+	dns_difftuple_t *t = *tp;
+	isc_mem_t *mctx;
+
+	REQUIRE(DNS_DIFFTUPLE_VALID(t));
+
+	dns_name_invalidate(&t->name);
+	t->magic = 0;
+	mctx = t->mctx;
+	isc_mem_free(mctx, t);
+	isc_mem_detach(&mctx);
+	*tp = NULL;
+}
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
+	return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
+				     orig->ttl, &orig->rdata, copyp));
+}
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
+	diff->mctx = mctx;
+	ISC_LIST_INIT(diff->tuples);
+	diff->magic = DNS_DIFF_MAGIC;
+}
+
+void
+dns_diff_clear(dns_diff_t *diff) {
+	dns_difftuple_t *t;
+	REQUIRE(DNS_DIFF_VALID(diff));
+	while ((t = ISC_LIST_HEAD(diff->tuples)) != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, t, link);
+		dns_difftuple_free(&t);
+	}
+	ENSURE(ISC_LIST_EMPTY(diff->tuples));
+}
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuplep)
+{
+	ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+	*tuplep = NULL;
+}
+
+/* XXX this is O(N) */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
+{
+	dns_difftuple_t *ot, *next_ot;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));
+
+	/*
+	 * Look for an existing tuple with the same owner name,
+	 * rdata, and TTL.   If we are doing an addition and find a
+	 * deletion or vice versa, remove both the old and the
+	 * new tuple since they cancel each other out (assuming
+	 * that we never delete nonexistent data or add existing
+	 * data).
+	 *
+	 * If we find an old update of the same kind as
+	 * the one we are doing, there must be a programming
+	 * error.  We report it but try to continue anyway.
+	 */
+	for (ot = ISC_LIST_HEAD(diff->tuples); ot != NULL;
+	     ot = next_ot)
+	{
+		next_ot = ISC_LIST_NEXT(ot, link);
+		if (dns_name_caseequal(&ot->name, &(*tuplep)->name) &&
+		    dns_rdata_compare(&ot->rdata, &(*tuplep)->rdata) == 0 &&
+		    ot->ttl == (*tuplep)->ttl)
+		{
+			ISC_LIST_UNLINK(diff->tuples, ot, link);
+			if ((*tuplep)->op == ot->op) {
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "unexpected non-minimal diff");
+			} else {
+				dns_difftuple_free(tuplep);
+			}
+			dns_difftuple_free(&ot);
+			break;
+		}
+	}
+
+	if (*tuplep != NULL) {
+		ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+		*tuplep = NULL;
+	}
+
+	ENSURE(*tuplep == NULL);
+}
+
+static isc_stdtime_t
+setresign(dns_rdataset_t *modified) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	int64_t when;
+	isc_result_t result;
+
+	result = dns_rdataset_first(modified);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(modified, &rdata);
+	(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+	if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
+		when = 0;
+	else
+		when = dns_time64_from32(sig.timeexpire);
+	dns_rdata_reset(&rdata);
+
+	result = dns_rdataset_next(modified);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(modified, &rdata);
+		(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+		if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
+			goto next_rr;
+		}
+		if (when == 0 || dns_time64_from32(sig.timeexpire) < when)
+			when = dns_time64_from32(sig.timeexpire);
+ next_rr:
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(modified);
+	}
+	INSIST(result == ISC_R_NOMORE);
+	return ((isc_stdtime_t)when);
+}
+
+static void
+getownercase(dns_rdataset_t *rdataset, dns_name_t *name) {
+	if (dns_rdataset_isassociated(rdataset))
+		dns_rdataset_getownercase(rdataset, name);
+}
+
+static void
+setownercase(dns_rdataset_t *rdataset, dns_name_t *name) {
+	if (dns_rdataset_isassociated(rdataset))
+		dns_rdataset_setownercase(rdataset, name);
+}
+
+static isc_result_t
+diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
+	   bool warn)
+{
+	dns_difftuple_t *t;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(DNS_DB_VALID(db));
+
+	t = ISC_LIST_HEAD(diff->tuples);
+	while (t != NULL) {
+		dns_name_t *name;
+
+		INSIST(node == NULL);
+		name = &t->name;
+		/*
+		 * Find the node.
+		 * We create the node if it does not exist.
+		 * This will cause an empty node to be created if the diff
+		 * contains a deletion of an RR at a nonexistent name,
+		 * but such diffs should never be created in the first
+		 * place.
+		 */
+
+		while (t != NULL && dns_name_equal(&t->name, name)) {
+			dns_rdatatype_t type, covers;
+			dns_diffop_t op;
+			dns_rdatalist_t rdl;
+			dns_rdataset_t rds;
+			dns_rdataset_t ardataset;
+			unsigned int options;
+
+			op = t->op;
+			type = t->rdata.type;
+			covers = rdata_covers(&t->rdata);
+
+			/*
+			 * Collect a contiguous set of updates with
+			 * the same operation (add/delete) and RR type
+			 * into a single rdatalist so that the
+			 * database rrset merging/subtraction code
+			 * can work more efficiently than if each
+			 * RR were merged into / subtracted from
+			 * the database separately.
+			 *
+			 * This is done by linking rdata structures from the
+			 * diff into "rdatalist".  This uses the rdata link
+			 * field, not the diff link field, so the structure
+			 * of the diff itself is not affected.
+			 */
+
+			dns_rdatalist_init(&rdl);
+			rdl.type = type;
+			rdl.covers = covers;
+			rdl.rdclass = t->rdata.rdclass;
+			rdl.ttl = t->ttl;
+
+			node = NULL;
+			if (type != dns_rdatatype_nsec3 &&
+			    covers != dns_rdatatype_nsec3)
+				CHECK(dns_db_findnode(db, name, true,
+						      &node));
+			else
+				CHECK(dns_db_findnsec3node(db, name, true,
+							   &node));
+
+			while (t != NULL &&
+			       dns_name_equal(&t->name, name) &&
+			       t->op == op &&
+			       t->rdata.type == type &&
+			       rdata_covers(&t->rdata) == covers)
+			{
+				/*
+				 * Remember the add name for
+				 * dns_rdataset_setownercase.
+				 */
+				name = &t->name;
+				if (t->ttl != rdl.ttl && warn) {
+					dns_name_format(name, namebuf,
+							sizeof(namebuf));
+					dns_rdatatype_format(t->rdata.type,
+							     typebuf,
+							     sizeof(typebuf));
+					dns_rdataclass_format(t->rdata.rdclass,
+							      classbuf,
+							      sizeof(classbuf));
+					isc_log_write(DIFF_COMMON_LOGARGS,
+						ISC_LOG_WARNING,
+						"'%s/%s/%s': TTL differs in "
+						"rdataset, adjusting "
+						"%lu -> %lu",
+						namebuf, typebuf, classbuf,
+						(unsigned long) t->ttl,
+						(unsigned long) rdl.ttl);
+				}
+				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+				t = ISC_LIST_NEXT(t, link);
+			}
+
+			/*
+			 * Convert the rdatalist into a rdataset.
+			 */
+			dns_rdataset_init(&rds);
+			dns_rdataset_init(&ardataset);
+			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			rds.trust = dns_trust_ultimate;
+
+			/*
+			 * Merge the rdataset into the database.
+			 */
+			switch (op) {
+			case DNS_DIFFOP_ADD:
+			case DNS_DIFFOP_ADDRESIGN:
+				options = DNS_DBADD_MERGE | DNS_DBADD_EXACT |
+					  DNS_DBADD_EXACTTTL;
+				result = dns_db_addrdataset(db, node, ver,
+							    0, &rds, options,
+							    &ardataset);
+				break;
+			case DNS_DIFFOP_DEL:
+			case DNS_DIFFOP_DELRESIGN:
+				options = DNS_DBSUB_EXACT | DNS_DBSUB_WANTOLD;
+				result = dns_db_subtractrdataset(db, node, ver,
+								 &rds, options,
+								 &ardataset);
+				break;
+			default:
+				INSIST(0);
+			}
+
+			if (result == ISC_R_SUCCESS) {
+				if (rds.type == dns_rdatatype_rrsig &&
+				    (op == DNS_DIFFOP_DELRESIGN ||
+				     op == DNS_DIFFOP_ADDRESIGN)) {
+					isc_stdtime_t resign;
+					resign = setresign(&ardataset);
+					dns_db_setsigningtime(db, &ardataset,
+							      resign);
+				}
+				if (op == DNS_DIFFOP_ADD ||
+				    op == DNS_DIFFOP_ADDRESIGN)
+					setownercase(&ardataset, name);
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+					getownercase(&ardataset, name);
+			} else if (result == DNS_R_UNCHANGED) {
+				/*
+				 * This will not happen when executing a
+				 * dynamic update, because that code will
+				 * generate strictly minimal diffs.
+				 * It may happen when receiving an IXFR
+				 * from a server that is not as careful.
+				 * Issue a warning and continue.
+				 */
+				if (warn) {
+					dns_name_format(dns_db_origin(db),
+							namebuf,
+							sizeof(namebuf));
+					dns_rdataclass_format(dns_db_class(db),
+							      classbuf,
+							      sizeof(classbuf));
+					isc_log_write(DIFF_COMMON_LOGARGS,
+						      ISC_LOG_WARNING,
+						      "%s/%s: dns_diff_apply: "
+						      "update with no effect",
+						      namebuf, classbuf);
+				}
+				if (op == DNS_DIFFOP_ADD ||
+				    op == DNS_DIFFOP_ADDRESIGN)
+					setownercase(&ardataset, name);
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+					getownercase(&ardataset, name);
+			} else if (result == DNS_R_NXRRSET) {
+				/*
+				 * OK.
+				 */
+				if (op == DNS_DIFFOP_DEL ||
+				    op == DNS_DIFFOP_DELRESIGN)
+					getownercase(&ardataset, name);
+				if (dns_rdataset_isassociated(&ardataset))
+					dns_rdataset_disassociate(&ardataset);
+			} else {
+				if (dns_rdataset_isassociated(&ardataset))
+					dns_rdataset_disassociate(&ardataset);
+				CHECK(result);
+			}
+			dns_db_detachnode(db, &node);
+			if (dns_rdataset_isassociated(&ardataset))
+				dns_rdataset_disassociate(&ardataset);
+		}
+	}
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, true));
+}
+
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+	return (diff_apply(diff, db, ver, false));
+}
+
+/* XXX this duplicates lots of code in diff_apply(). */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+	      void *add_private)
+{
+	dns_difftuple_t *t;
+	isc_result_t result;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	t = ISC_LIST_HEAD(diff->tuples);
+	while (t != NULL) {
+		dns_name_t *name;
+
+		name = &t->name;
+		while (t != NULL && dns_name_equal(&t->name, name)) {
+			dns_rdatatype_t type, covers;
+			dns_diffop_t op;
+			dns_rdatalist_t rdl;
+			dns_rdataset_t rds;
+
+			op = t->op;
+			type = t->rdata.type;
+			covers = rdata_covers(&t->rdata);
+
+			dns_rdatalist_init(&rdl);
+			rdl.type = type;
+			rdl.covers = covers;
+			rdl.rdclass = t->rdata.rdclass;
+			rdl.ttl = t->ttl;
+
+			while (t != NULL && dns_name_equal(&t->name, name) &&
+			       t->op == op && t->rdata.type == type &&
+			       rdata_covers(&t->rdata) == covers)
+			{
+				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+				t = ISC_LIST_NEXT(t, link);
+			}
+
+			/*
+			 * Convert the rdatalist into a rdataset.
+			 */
+			dns_rdataset_init(&rds);
+			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			rds.trust = dns_trust_ultimate;
+
+			INSIST(op == DNS_DIFFOP_ADD);
+			result = (*addfunc)(add_private, name, &rds);
+			if (result == DNS_R_UNCHANGED) {
+				isc_log_write(DIFF_COMMON_LOGARGS,
+					      ISC_LOG_WARNING,
+					      "dns_diff_load: "
+					      "update with no effect");
+			} else if (result == ISC_R_SUCCESS ||
+				   result == DNS_R_NXRRSET) {
+				/*
+				 * OK.
+				 */
+			} else {
+				CHECK(result);
+			}
+		}
+	}
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+/*
+ * XXX uses qsort(); a merge sort would be more natural for lists,
+ * and perhaps safer wrt thread stack overflow.
+ */
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
+	unsigned int length = 0;
+	unsigned int i;
+	dns_difftuple_t **v;
+	dns_difftuple_t *p;
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	for (p = ISC_LIST_HEAD(diff->tuples);
+	     p != NULL;
+	     p = ISC_LIST_NEXT(p, link))
+		length++;
+	if (length == 0)
+		return (ISC_R_SUCCESS);
+	v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
+	if (v == NULL)
+		return (ISC_R_NOMEMORY);
+	for (i = 0; i < length; i++) {
+		p = ISC_LIST_HEAD(diff->tuples);
+		v[i] = p;
+		ISC_LIST_UNLINK(diff->tuples, p, link);
+	}
+	INSIST(ISC_LIST_HEAD(diff->tuples) == NULL);
+	qsort(v, length, sizeof(v[0]), compare);
+	for (i = 0; i < length; i++) {
+		ISC_LIST_APPEND(diff->tuples, v[i], link);
+	}
+	isc_mem_put(diff->mctx, v, length * sizeof(dns_difftuple_t *));
+	return (ISC_R_SUCCESS);
+}
+
+
+/*
+ * Create an rdataset containing the single RR of the given
+ * tuple.  The caller must allocate the rdata, rdataset and
+ * an rdatalist structure for it to refer to.
+ */
+
+static isc_result_t
+diff_tuple_tordataset(dns_difftuple_t *t, dns_rdata_t *rdata,
+		      dns_rdatalist_t *rdl, dns_rdataset_t *rds)
+{
+	REQUIRE(DNS_DIFFTUPLE_VALID(t));
+	REQUIRE(rdl != NULL);
+	REQUIRE(rds != NULL);
+
+	dns_rdatalist_init(rdl);
+	rdl->type = t->rdata.type;
+	rdl->rdclass = t->rdata.rdclass;
+	rdl->ttl = t->ttl;
+	dns_rdataset_init(rds);
+	ISC_LINK_INIT(rdata, link);
+	dns_rdata_clone(&t->rdata, rdata);
+	ISC_LIST_APPEND(rdl->rdata, rdata, link);
+	return (dns_rdatalist_tordataset(rdl, rds));
+}
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file) {
+	isc_result_t result;
+	dns_difftuple_t *t;
+	char *mem = NULL;
+	unsigned int size = 2048;
+	const char *op = NULL;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+
+	mem = isc_mem_get(diff->mctx, size);
+	if (mem == NULL)
+		return (ISC_R_NOMEMORY);
+
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		isc_buffer_t buf;
+		isc_region_t r;
+
+		dns_rdatalist_t rdl;
+		dns_rdataset_t rds;
+		dns_rdata_t rd = DNS_RDATA_INIT;
+
+		result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "diff_tuple_tordataset failed: %s",
+					 dns_result_totext(result));
+			result =  ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+ again:
+		isc_buffer_init(&buf, mem, size);
+		result = dns_rdataset_totext(&rds, &t->name,
+					     false, false, &buf);
+
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(diff->mctx, mem, size);
+			size += 1024;
+			mem = isc_mem_get(diff->mctx, size);
+			if (mem == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			goto again;
+		}
+
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		/*
+		 * Get rid of final newline.
+		 */
+		INSIST(buf.used >= 1 &&
+		       ((char *) buf.base)[buf.used-1] == '\n');
+		buf.used--;
+
+		isc_buffer_usedregion(&buf, &r);
+		switch (t->op) {
+		case DNS_DIFFOP_EXISTS: op = "exists"; break;
+		case DNS_DIFFOP_ADD: op = "add"; break;
+		case DNS_DIFFOP_DEL: op = "del"; break;
+		case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
+		case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
+		}
+		if (file != NULL)
+			fprintf(file, "%s %.*s\n", op, (int) r.length,
+				(char *) r.base);
+		else
+			isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
+				      "%s %.*s", op, (int) r.length,
+				      (char *) r.base);
+	}
+	result = ISC_R_SUCCESS;
+ cleanup:
+	if (mem != NULL)
+		isc_mem_put(diff->mctx, mem, size);
+	return (result);
+}
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
new file mode 100644
index 0000000..d1e4c16
--- /dev/null
+++ b/lib/dns/dispatch.c
@@ -0,0 +1,3906 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/portset.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/portlist.h>
+#include <dns/stats.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
+
+typedef struct dispsocket		dispsocket_t;
+typedef ISC_LIST(dispsocket_t)		dispsocketlist_t;
+
+typedef struct dispportentry		dispportentry_t;
+typedef ISC_LIST(dispportentry_t)	dispportlist_t;
+
+typedef struct dns_qid {
+	unsigned int	magic;
+	unsigned int	qid_nbuckets;	/*%< hash table size */
+	unsigned int	qid_increment;	/*%< id increment on collision */
+	isc_mutex_t	lock;
+	dns_displist_t	*qid_table;	/*%< the table itself */
+	dispsocketlist_t *sock_table;	/*%< socket table */
+} dns_qid_t;
+
+struct dns_dispatchmgr {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t		       *mctx;
+	dns_acl_t		       *blackhole;
+	dns_portlist_t		       *portlist;
+	isc_stats_t		       *stats;
+	isc_entropy_t		       *entropy; /*%< entropy source */
+
+	/* Locked by "lock". */
+	isc_mutex_t			lock;
+	unsigned int			state;
+	ISC_LIST(dns_dispatch_t)	list;
+
+	/* Locked by rng_lock. */
+	isc_mutex_t			rng_lock;
+	isc_rng_t		       *rngctx; /*%< RNG context for QID */
+
+	/* locked by buffer_lock */
+	dns_qid_t			*qid;
+	isc_mutex_t			buffer_lock;
+	unsigned int			buffers;    /*%< allocated buffers */
+	unsigned int			buffersize; /*%< size of each buffer */
+	unsigned int			maxbuffers; /*%< max buffers */
+
+	/* Locked internally. */
+	isc_mutex_t			depool_lock;
+	isc_mempool_t		       *depool;	/*%< pool for dispatch events */
+	isc_mutex_t			rpool_lock;
+	isc_mempool_t		       *rpool;	/*%< pool for replies */
+	isc_mutex_t			dpool_lock;
+	isc_mempool_t		       *dpool;  /*%< dispatch allocations */
+	isc_mutex_t			bpool_lock;
+	isc_mempool_t		       *bpool;	/*%< pool for buffers */
+	isc_mutex_t			spool_lock;
+	isc_mempool_t		       *spool;	/*%< pool for dispsocks */
+
+	/*%
+	 * Locked by qid->lock if qid exists; otherwise, can be used without
+	 * being locked.
+	 * Memory footprint considerations: this is a simple implementation of
+	 * available ports, i.e., an ordered array of the actual port numbers.
+	 * This will require about 256KB of memory in the worst case (128KB for
+	 * each of IPv4 and IPv6).  We could reduce it by representing it as a
+	 * more sophisticated way such as a list (or array) of ranges that are
+	 * searched to identify a specific port.  Our decision here is the saved
+	 * memory isn't worth the implementation complexity, considering the
+	 * fact that the whole BIND9 process (which is mainly named) already
+	 * requires a pretty large memory footprint.  We may, however, have to
+	 * revisit the decision when we want to use it as a separate module for
+	 * an environment where memory requirement is severer.
+	 */
+	in_port_t	*v4ports;	/*%< available ports for IPv4 */
+	unsigned int	nv4ports;	/*%< # of available ports for IPv4 */
+	in_port_t	*v6ports;	/*%< available ports for IPv4 */
+	unsigned int	nv6ports;	/*%< # of available ports for IPv4 */
+};
+
+#define MGR_SHUTTINGDOWN		0x00000001U
+#define MGR_IS_SHUTTINGDOWN(l)	(((l)->state & MGR_SHUTTINGDOWN) != 0)
+
+#define IS_PRIVATE(d)	(((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
+
+struct dns_dispentry {
+	unsigned int			magic;
+	dns_dispatch_t		       *disp;
+	dns_messageid_t			id;
+	in_port_t			port;
+	unsigned int			bucket;
+	isc_sockaddr_t			host;
+	isc_task_t		       *task;
+	isc_taskaction_t		action;
+	void			       *arg;
+	bool			item_out;
+	dispsocket_t			*dispsocket;
+	ISC_LIST(dns_dispatchevent_t)	items;
+	ISC_LINK(dns_dispentry_t)	link;
+};
+
+/*%
+ * Maximum number of dispatch sockets that can be pooled for reuse.  The
+ * appropriate value may vary, but experiments have shown a busy caching server
+ * may need more than 1000 sockets concurrently opened.  The maximum allowable
+ * number of dispatch sockets (per manager) will be set to the double of this
+ * value.
+ */
+#ifndef DNS_DISPATCH_POOLSOCKS
+#define DNS_DISPATCH_POOLSOCKS			2048
+#endif
+
+/*%
+ * Quota to control the number of dispatch sockets.  If a dispatch has more
+ * than the quota of sockets, new queries will purge oldest ones, so that
+ * a massive number of outstanding queries won't prevent subsequent queries
+ * (especially if the older ones take longer time and result in timeout).
+ */
+#ifndef DNS_DISPATCH_SOCKSQUOTA
+#define DNS_DISPATCH_SOCKSQUOTA			3072
+#endif
+
+struct dispsocket {
+	unsigned int			magic;
+	isc_socket_t			*socket;
+	dns_dispatch_t			*disp;
+	isc_sockaddr_t			host;
+	in_port_t			localport; /* XXX: should be removed later */
+	dispportentry_t			*portentry;
+	dns_dispentry_t			*resp;
+	isc_task_t			*task;
+	ISC_LINK(dispsocket_t)		link;
+	unsigned int			bucket;
+	ISC_LINK(dispsocket_t)		blink;
+};
+
+/*%
+ * A port table entry.  We remember every port we first open in a table with a
+ * reference counter so that we can 'reuse' the same port (with different
+ * destination addresses) using the SO_REUSEADDR socket option.
+ */
+struct dispportentry {
+	in_port_t			port;
+	unsigned int			refs;
+	ISC_LINK(struct dispportentry)	link;
+};
+
+#ifndef DNS_DISPATCH_PORTTABLESIZE
+#define DNS_DISPATCH_PORTTABLESIZE	1024
+#endif
+
+#define INVALID_BUCKET		(0xffffdead)
+
+/*%
+ * Number of tasks for each dispatch that use separate sockets for different
+ * transactions.  This must be a power of 2 as it will divide 32 bit numbers
+ * to get an uniformly random tasks selection.  See get_dispsocket().
+ */
+#define MAX_INTERNAL_TASKS	64
+
+struct dns_dispatch {
+	/* Unlocked. */
+	unsigned int		magic;		/*%< magic */
+	dns_dispatchmgr_t      *mgr;		/*%< dispatch manager */
+	int			ntasks;
+	/*%
+	 * internal task buckets.  We use multiple tasks to distribute various
+	 * socket events well when using separate dispatch sockets.  We use the
+	 * 1st task (task[0]) for internal control events.
+	 */
+	isc_task_t	       *task[MAX_INTERNAL_TASKS];
+	isc_socket_t	       *socket;		/*%< isc socket attached to */
+	isc_sockaddr_t		local;		/*%< local address */
+	in_port_t		localport;	/*%< local UDP port */
+	isc_sockaddr_t		peer;		/*%< peer address (TCP) */
+	isc_dscp_t		dscp;		/*%< "listen-on" DSCP value */
+	unsigned int		maxrequests;	/*%< max requests */
+	isc_event_t	       *ctlevent;
+
+	isc_mutex_t		sepool_lock;
+	isc_mempool_t	       *sepool;		/*%< pool for socket events */
+
+	/*% Locked by mgr->lock. */
+	ISC_LINK(dns_dispatch_t) link;
+
+	/* Locked by "lock". */
+	isc_mutex_t		lock;		/*%< locks all below */
+	isc_sockettype_t	socktype;
+	unsigned int		attributes;
+	unsigned int		refcount;	/*%< number of users */
+	dns_dispatchevent_t    *failsafe_ev;	/*%< failsafe cancel event */
+	unsigned int		shutting_down : 1,
+				shutdown_out : 1,
+				connected : 1,
+				tcpmsg_valid : 1,
+				recv_pending : 1; /*%< is a recv() pending? */
+	isc_result_t		shutdown_why;
+	ISC_LIST(dispsocket_t)	activesockets;
+	ISC_LIST(dispsocket_t)	inactivesockets;
+	unsigned int		nsockets;
+	unsigned int		requests;	/*%< how many requests we have */
+	unsigned int		tcpbuffers;	/*%< allocated buffers */
+	dns_tcpmsg_t		tcpmsg;		/*%< for tcp streams */
+	dns_qid_t		*qid;
+	isc_rng_t		*rngctx;	/*%< for QID/UDP port num */
+	dispportlist_t		*port_table;	/*%< hold ports 'owned' by us */
+	isc_mempool_t		*portpool;	/*%< port table entries  */
+};
+
+#define QID_MAGIC		ISC_MAGIC('Q', 'i', 'd', ' ')
+#define VALID_QID(e)		ISC_MAGIC_VALID((e), QID_MAGIC)
+
+#define RESPONSE_MAGIC		ISC_MAGIC('D', 'r', 's', 'p')
+#define VALID_RESPONSE(e)	ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
+
+#define DISPSOCK_MAGIC		ISC_MAGIC('D', 's', 'o', 'c')
+#define VALID_DISPSOCK(e)	ISC_MAGIC_VALID((e), DISPSOCK_MAGIC)
+
+#define DISPATCH_MAGIC		ISC_MAGIC('D', 'i', 's', 'p')
+#define VALID_DISPATCH(e)	ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
+
+#define DNS_DISPATCHMGR_MAGIC	ISC_MAGIC('D', 'M', 'g', 'r')
+#define VALID_DISPATCHMGR(e)	ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
+
+#define DNS_QID(disp) ((disp)->socktype == isc_sockettype_tcp) ? \
+		       (disp)->qid : (disp)->mgr->qid
+#define DISP_RNGCTX(disp) ((disp)->socktype == isc_sockettype_udp) ? \
+			((disp)->rngctx) : ((disp)->mgr->rngctx)
+
+/*%
+ * Locking a query port buffer is a bit tricky.  We access the buffer without
+ * locking until qid is created.  Technically, there is a possibility of race
+ * between the creation of qid and access to the port buffer; in practice,
+ * however, this should be safe because qid isn't created until the first
+ * dispatch is created and there should be no contending situation until then.
+ */
+#define PORTBUFLOCK(mgr) if ((mgr)->qid != NULL) LOCK(&((mgr)->qid->lock))
+#define PORTBUFUNLOCK(mgr) if ((mgr)->qid != NULL) UNLOCK((&(mgr)->qid->lock))
+
+/*
+ * Statics.
+ */
+static dns_dispentry_t *entry_search(dns_qid_t *, isc_sockaddr_t *,
+				     dns_messageid_t, in_port_t, unsigned int);
+static bool destroy_disp_ok(dns_dispatch_t *);
+static void destroy_disp(isc_task_t *task, isc_event_t *event);
+static void destroy_dispsocket(dns_dispatch_t *, dispsocket_t **);
+static void deactivate_dispsocket(dns_dispatch_t *, dispsocket_t *);
+static void udp_exrecv(isc_task_t *, isc_event_t *);
+static void udp_shrecv(isc_task_t *, isc_event_t *);
+static void udp_recv(isc_event_t *, dns_dispatch_t *, dispsocket_t *);
+static void tcp_recv(isc_task_t *, isc_event_t *);
+static isc_result_t startrecv(dns_dispatch_t *, dispsocket_t *);
+static uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t,
+			 in_port_t);
+static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
+static void *allocate_udp_buffer(dns_dispatch_t *disp);
+static inline void free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
+static inline dns_dispatchevent_t *allocate_devent(dns_dispatch_t *disp);
+static void do_cancel(dns_dispatch_t *disp);
+static dns_dispentry_t *linear_first(dns_qid_t *disp);
+static dns_dispentry_t *linear_next(dns_qid_t *disp,
+				    dns_dispentry_t *resp);
+static void dispatch_free(dns_dispatch_t **dispp);
+static isc_result_t get_udpsocket(dns_dispatchmgr_t *mgr,
+				  dns_dispatch_t *disp,
+				  isc_socketmgr_t *sockmgr,
+				  isc_sockaddr_t *localaddr,
+				  isc_socket_t **sockp,
+				  isc_socket_t *dup_socket);
+static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
+				       isc_socketmgr_t *sockmgr,
+				       isc_taskmgr_t *taskmgr,
+				       isc_sockaddr_t *localaddr,
+				       unsigned int maxrequests,
+				       unsigned int attributes,
+				       dns_dispatch_t **dispp,
+				       isc_socket_t *dup_socket);
+static bool destroy_mgr_ok(dns_dispatchmgr_t *mgr);
+static void destroy_mgr(dns_dispatchmgr_t **mgrp);
+static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+				 unsigned int increment, dns_qid_t **qidp,
+				 bool needaddrtable);
+static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
+static isc_result_t open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
+				unsigned int options, isc_socket_t **sockp,
+				isc_socket_t *dup_socket);
+static bool portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+				   isc_sockaddr_t *sockaddrp);
+
+#define LVL(x) ISC_LOG_DEBUG(x)
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx,
+		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+		      level, "dispatchmgr %p: %s", mgr, msgbuf);
+}
+
+static inline void
+inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+	if (mgr->stats != NULL)
+		isc_stats_increment(mgr->stats, counter);
+}
+
+static inline void
+dec_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+	if (mgr->stats != NULL)
+		isc_stats_decrement(mgr->stats, counter);
+}
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list ap;
+
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(dns_lctx,
+		      DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+		      level, "dispatch %p: %s", disp, msgbuf);
+}
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
+	    int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(4, 5);
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
+	    int level, const char *fmt, ...)
+{
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (VALID_RESPONSE(resp)) {
+		isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p response %p %s: %s", disp, resp,
+			      peerbuf, msgbuf);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+			      DNS_LOGMODULE_DISPATCH, level,
+			      "dispatch %p req/resp %p: %s", disp, resp,
+			      msgbuf);
+	}
+}
+
+/*
+ * Return a hash of the destination and message id.
+ */
+static uint32_t
+dns_hash(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
+	 in_port_t port)
+{
+	uint32_t ret;
+
+	ret = isc_sockaddr_hash(dest, true);
+	ret ^= ((uint32_t)id << 16) | port;
+	ret %= qid->qid_nbuckets;
+
+	INSIST(ret < qid->qid_nbuckets);
+
+	return (ret);
+}
+
+/*
+ * Find the first entry in 'qid'.  Returns NULL if there are no entries.
+ */
+static dns_dispentry_t *
+linear_first(dns_qid_t *qid) {
+	dns_dispentry_t *ret;
+	unsigned int bucket;
+
+	bucket = 0;
+
+	while (bucket < qid->qid_nbuckets) {
+		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+		if (ret != NULL)
+			return (ret);
+		bucket++;
+	}
+
+	return (NULL);
+}
+
+/*
+ * Find the next entry after 'resp' in 'qid'.  Return NULL if there are
+ * no more entries.
+ */
+static dns_dispentry_t *
+linear_next(dns_qid_t *qid, dns_dispentry_t *resp) {
+	dns_dispentry_t *ret;
+	unsigned int bucket;
+
+	ret = ISC_LIST_NEXT(resp, link);
+	if (ret != NULL)
+		return (ret);
+
+	bucket = resp->bucket;
+	bucket++;
+	while (bucket < qid->qid_nbuckets) {
+		ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+		if (ret != NULL)
+			return (ret);
+		bucket++;
+	}
+
+	return (NULL);
+}
+
+/*
+ * The dispatch must be locked.
+ */
+static bool
+destroy_disp_ok(dns_dispatch_t *disp)
+{
+	if (disp->refcount != 0)
+		return (false);
+
+	if (disp->recv_pending != 0)
+		return (false);
+
+	if (!ISC_LIST_EMPTY(disp->activesockets))
+		return (false);
+
+	if (disp->shutting_down == 0)
+		return (false);
+
+	return (true);
+}
+
+/*
+ * Called when refcount reaches 0 (and safe to destroy).
+ *
+ * The dispatcher must be locked.
+ * The manager must not be locked.
+ */
+static void
+destroy_disp(isc_task_t *task, isc_event_t *event) {
+	dns_dispatch_t *disp;
+	dns_dispatchmgr_t *mgr;
+	bool killmgr;
+	dispsocket_t *dispsocket;
+	int i;
+
+	INSIST(event->ev_type == DNS_EVENT_DISPATCHCONTROL);
+
+	UNUSED(task);
+
+	disp = event->ev_arg;
+	mgr = disp->mgr;
+
+	LOCK(&mgr->lock);
+	ISC_LIST_UNLINK(mgr->list, disp, link);
+
+	dispatch_log(disp, LVL(90),
+		     "shutting down; detaching from sock %p, task %p",
+		     disp->socket, disp->task[0]); /* XXXX */
+
+	if (disp->sepool != NULL) {
+		isc_mempool_destroy(&disp->sepool);
+		(void)isc_mutex_destroy(&disp->sepool_lock);
+	}
+
+	if (disp->socket != NULL)
+		isc_socket_detach(&disp->socket);
+	while ((dispsocket = ISC_LIST_HEAD(disp->inactivesockets)) != NULL) {
+		ISC_LIST_UNLINK(disp->inactivesockets, dispsocket, link);
+		destroy_dispsocket(disp, &dispsocket);
+	}
+	for (i = 0; i < disp->ntasks; i++)
+		isc_task_detach(&disp->task[i]);
+	isc_event_free(&event);
+
+	dispatch_free(&disp);
+
+	killmgr = destroy_mgr_ok(mgr);
+	UNLOCK(&mgr->lock);
+	if (killmgr)
+		destroy_mgr(&mgr);
+}
+
+/*%
+ * Manipulate port table per dispatch: find an entry for a given port number,
+ * create a new entry, and decrement a given entry with possible clean-up.
+ */
+static dispportentry_t *
+port_search(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = ISC_LIST_HEAD(disp->port_table[port %
+						   DNS_DISPATCH_PORTTABLESIZE]);
+	while (portentry != NULL) {
+		if (portentry->port == port)
+			return (portentry);
+		portentry = ISC_LIST_NEXT(portentry, link);
+	}
+
+	return (NULL);
+}
+
+static dispportentry_t *
+new_portentry(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+	dns_qid_t *qid;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = isc_mempool_get(disp->portpool);
+	if (portentry == NULL)
+		return (portentry);
+
+	portentry->port = port;
+	portentry->refs = 1;
+	ISC_LINK_INIT(portentry, link);
+	qid = DNS_QID(disp);
+	LOCK(&qid->lock);
+	ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE],
+			portentry, link);
+	UNLOCK(&qid->lock);
+
+	return (portentry);
+}
+
+/*%
+ * The caller must not hold the qid->lock.
+ */
+static void
+deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
+	dispportentry_t *portentry = *portentryp;
+	dns_qid_t *qid;
+
+	REQUIRE(disp->port_table != NULL);
+	REQUIRE(portentry != NULL && portentry->refs > 0);
+
+	qid = DNS_QID(disp);
+	LOCK(&qid->lock);
+	portentry->refs--;
+
+	if (portentry->refs == 0) {
+		ISC_LIST_UNLINK(disp->port_table[portentry->port %
+						 DNS_DISPATCH_PORTTABLESIZE],
+				portentry, link);
+		isc_mempool_put(disp->portpool, portentry);
+	}
+
+	/*
+	 * Set '*portentryp' to NULL inside the lock so that
+	 * dispsock->portentry does not change in socket_search.
+	 */
+	*portentryp = NULL;
+
+	UNLOCK(&qid->lock);
+}
+
+/*%
+ * Find a dispsocket for socket address 'dest', and port number 'port'.
+ * Return NULL if no such entry exists.  Requires qid->lock to be held.
+ */
+static dispsocket_t *
+socket_search(dns_qid_t *qid, isc_sockaddr_t *dest, in_port_t port,
+	      unsigned int bucket)
+{
+	dispsocket_t *dispsock;
+
+	REQUIRE(VALID_QID(qid));
+	REQUIRE(bucket < qid->qid_nbuckets);
+
+	dispsock = ISC_LIST_HEAD(qid->sock_table[bucket]);
+
+	while (dispsock != NULL) {
+		if (dispsock->portentry != NULL &&
+		    dispsock->portentry->port == port &&
+		    isc_sockaddr_equal(dest, &dispsock->host))
+			return (dispsock);
+		dispsock = ISC_LIST_NEXT(dispsock, blink);
+	}
+
+	return (NULL);
+}
+
+/*%
+ * Make a new socket for a single dispatch with a random port number.
+ * The caller must hold the disp->lock
+ */
+static isc_result_t
+get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+	       isc_socketmgr_t *sockmgr, dispsocket_t **dispsockp,
+	       in_port_t *portp)
+{
+	int i;
+	uint32_t r;
+	dns_dispatchmgr_t *mgr = disp->mgr;
+	isc_socket_t *sock = NULL;
+	isc_result_t result = ISC_R_FAILURE;
+	in_port_t port;
+	isc_sockaddr_t localaddr;
+	unsigned int bucket = 0;
+	dispsocket_t *dispsock;
+	unsigned int nports;
+	in_port_t *ports;
+	unsigned int bindoptions;
+	dispportentry_t *portentry = NULL;
+	dns_qid_t *qid;
+
+	if (isc_sockaddr_pf(&disp->local) == AF_INET) {
+		nports = disp->mgr->nv4ports;
+		ports = disp->mgr->v4ports;
+	} else {
+		nports = disp->mgr->nv6ports;
+		ports = disp->mgr->v6ports;
+	}
+	if (nports == 0)
+		return (ISC_R_ADDRNOTAVAIL);
+
+	dispsock = ISC_LIST_HEAD(disp->inactivesockets);
+	if (dispsock != NULL) {
+		ISC_LIST_UNLINK(disp->inactivesockets, dispsock, link);
+		sock = dispsock->socket;
+		dispsock->socket = NULL;
+	} else {
+		dispsock = isc_mempool_get(mgr->spool);
+		if (dispsock == NULL)
+			return (ISC_R_NOMEMORY);
+
+		disp->nsockets++;
+		dispsock->socket = NULL;
+		dispsock->disp = disp;
+		dispsock->resp = NULL;
+		dispsock->portentry = NULL;
+		isc_random_get(&r);
+		dispsock->task = NULL;
+		isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task);
+		ISC_LINK_INIT(dispsock, link);
+		ISC_LINK_INIT(dispsock, blink);
+		dispsock->magic = DISPSOCK_MAGIC;
+	}
+
+	/*
+	 * Pick up a random UDP port and open a new socket with it.  Avoid
+	 * choosing ports that share the same destination because it will be
+	 * very likely to fail in bind(2) or connect(2).
+	 */
+	localaddr = disp->local;
+	qid = DNS_QID(disp);
+
+	for (i = 0; i < 64; i++) {
+		port = ports[isc_rng_uniformrandom(DISP_RNGCTX(disp), nports)];
+		isc_sockaddr_setport(&localaddr, port);
+
+		LOCK(&qid->lock);
+		bucket = dns_hash(qid, dest, 0, port);
+		if (socket_search(qid, dest, port, bucket) != NULL) {
+			UNLOCK(&qid->lock);
+			continue;
+		}
+		UNLOCK(&qid->lock);
+		bindoptions = 0;
+		portentry = port_search(disp, port);
+
+		if (portentry != NULL)
+			bindoptions |= ISC_SOCKET_REUSEADDRESS;
+		result = open_socket(sockmgr, &localaddr, bindoptions, &sock,
+				     NULL);
+		if (result == ISC_R_SUCCESS) {
+			if (portentry == NULL) {
+				portentry = new_portentry(disp, port);
+				if (portentry == NULL) {
+					result = ISC_R_NOMEMORY;
+					break;
+				}
+			} else {
+				LOCK(&qid->lock);
+				portentry->refs++;
+				UNLOCK(&qid->lock);
+			}
+			break;
+		} else if (result == ISC_R_NOPERM) {
+			char buf[ISC_SOCKADDR_FORMATSIZE];
+			isc_sockaddr_format(&localaddr, buf, sizeof(buf));
+			dispatch_log(disp, ISC_LOG_WARNING,
+				     "open_socket(%s) -> %s: continuing",
+				     buf, isc_result_totext(result));
+		} else if (result != ISC_R_ADDRINUSE)
+			break;
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		dispsock->socket = sock;
+		dispsock->host = *dest;
+		dispsock->portentry = portentry;
+		dispsock->bucket = bucket;
+		LOCK(&qid->lock);
+		ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
+		UNLOCK(&qid->lock);
+		*dispsockp = dispsock;
+		*portp = port;
+	} else {
+		/*
+		 * We could keep it in the inactive list, but since this should
+		 * be an exceptional case and might be resource shortage, we'd
+		 * rather destroy it.
+		 */
+		if (sock != NULL)
+			isc_socket_detach(&sock);
+		destroy_dispsocket(disp, &dispsock);
+	}
+
+	return (result);
+}
+
+/*%
+ * Destroy a dedicated dispatch socket.
+ */
+static void
+destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
+	dispsocket_t *dispsock;
+	dns_qid_t *qid;
+
+	/*
+	 * The dispatch must be locked.
+	 */
+
+	REQUIRE(dispsockp != NULL && *dispsockp != NULL);
+	dispsock = *dispsockp;
+	REQUIRE(!ISC_LINK_LINKED(dispsock, link));
+
+	disp->nsockets--;
+	dispsock->magic = 0;
+	if (dispsock->portentry != NULL)
+		deref_portentry(disp, &dispsock->portentry);
+	if (dispsock->socket != NULL)
+		isc_socket_detach(&dispsock->socket);
+	if (ISC_LINK_LINKED(dispsock, blink)) {
+		qid = DNS_QID(disp);
+		LOCK(&qid->lock);
+		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
+				blink);
+		UNLOCK(&qid->lock);
+	}
+	if (dispsock->task != NULL)
+		isc_task_detach(&dispsock->task);
+	isc_mempool_put(disp->mgr->spool, dispsock);
+
+	*dispsockp = NULL;
+}
+
+/*%
+ * Deactivate a dedicated dispatch socket.  Move it to the inactive list for
+ * future reuse unless the total number of sockets are exceeding the maximum.
+ */
+static void
+deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_result_t result;
+	dns_qid_t *qid;
+
+	/*
+	 * The dispatch must be locked.
+	 */
+	ISC_LIST_UNLINK(disp->activesockets, dispsock, link);
+	if (dispsock->resp != NULL) {
+		INSIST(dispsock->resp->dispsocket == dispsock);
+		dispsock->resp->dispsocket = NULL;
+	}
+
+	INSIST(dispsock->portentry != NULL);
+	deref_portentry(disp, &dispsock->portentry);
+
+	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
+		destroy_dispsocket(disp, &dispsock);
+	else {
+		result = isc_socket_close(dispsock->socket);
+
+		qid = DNS_QID(disp);
+		LOCK(&qid->lock);
+		ISC_LIST_UNLINK(qid->sock_table[dispsock->bucket], dispsock,
+				blink);
+		UNLOCK(&qid->lock);
+
+		if (result == ISC_R_SUCCESS)
+			ISC_LIST_APPEND(disp->inactivesockets, dispsock, link);
+		else {
+			/*
+			 * If the underlying system does not allow this
+			 * optimization, destroy this temporary structure (and
+			 * create a new one for a new transaction).
+			 */
+			INSIST(result == ISC_R_NOTIMPLEMENTED);
+			destroy_dispsocket(disp, &dispsock);
+		}
+	}
+}
+
+/*
+ * Find an entry for query ID 'id', socket address 'dest', and port number
+ * 'port'.
+ * Return NULL if no such entry exists.
+ */
+static dns_dispentry_t *
+entry_search(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
+	     in_port_t port, unsigned int bucket)
+{
+	dns_dispentry_t *res;
+
+	REQUIRE(VALID_QID(qid));
+	REQUIRE(bucket < qid->qid_nbuckets);
+
+	res = ISC_LIST_HEAD(qid->qid_table[bucket]);
+
+	while (res != NULL) {
+		if (res->id == id && isc_sockaddr_equal(dest, &res->host) &&
+		    res->port == port) {
+			return (res);
+		}
+		res = ISC_LIST_NEXT(res, link);
+	}
+
+	return (NULL);
+}
+
+static void
+free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
+	isc_mempool_t *bpool;
+	INSIST(buf != NULL && len != 0);
+
+
+	switch (disp->socktype) {
+	case isc_sockettype_tcp:
+		INSIST(disp->tcpbuffers > 0);
+		disp->tcpbuffers--;
+		isc_mem_put(disp->mgr->mctx, buf, len);
+		break;
+	case isc_sockettype_udp:
+		LOCK(&disp->mgr->buffer_lock);
+		INSIST(disp->mgr->buffers > 0);
+		INSIST(len == disp->mgr->buffersize);
+		disp->mgr->buffers--;
+		bpool = disp->mgr->bpool;
+		UNLOCK(&disp->mgr->buffer_lock);
+		isc_mempool_put(bpool, buf);
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+}
+
+static void *
+allocate_udp_buffer(dns_dispatch_t *disp) {
+	isc_mempool_t *bpool;
+	void *temp;
+
+	LOCK(&disp->mgr->buffer_lock);
+	bpool = disp->mgr->bpool;
+	disp->mgr->buffers++;
+	UNLOCK(&disp->mgr->buffer_lock);
+
+	temp = isc_mempool_get(bpool);
+
+	if (temp == NULL) {
+		LOCK(&disp->mgr->buffer_lock);
+		disp->mgr->buffers--;
+		UNLOCK(&disp->mgr->buffer_lock);
+	}
+
+	return (temp);
+}
+
+static inline void
+free_sevent(isc_event_t *ev) {
+	isc_mempool_t *pool = ev->ev_destroy_arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *) ev;
+	isc_mempool_put(pool, sev);
+}
+
+static inline isc_socketevent_t *
+allocate_sevent(dns_dispatch_t *disp, isc_socket_t *sock,
+		isc_eventtype_t type, isc_taskaction_t action, const void *arg)
+{
+	isc_socketevent_t *ev;
+	void *deconst_arg;
+
+	ev = isc_mempool_get(disp->sepool);
+	if (ev == NULL)
+		return (NULL);
+	DE_CONST(arg, deconst_arg);
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, type,
+		       action, deconst_arg, sock,
+		       free_sevent, disp->sepool);
+	ev->result = ISC_R_UNSET;
+	ISC_LINK_INIT(ev, ev_link);
+	ISC_LIST_INIT(ev->bufferlist);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+
+	return (ev);
+}
+
+
+static inline void
+free_devent(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
+	if (disp->failsafe_ev == ev) {
+		INSIST(disp->shutdown_out == 1);
+		disp->shutdown_out = 0;
+
+		return;
+	}
+
+	isc_mempool_put(disp->mgr->depool, ev);
+}
+
+static inline dns_dispatchevent_t *
+allocate_devent(dns_dispatch_t *disp) {
+	dns_dispatchevent_t *ev;
+
+	ev = isc_mempool_get(disp->mgr->depool);
+	if (ev == NULL)
+		return (NULL);
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, 0,
+		       NULL, NULL, NULL, NULL, NULL);
+
+	return (ev);
+}
+
+static void
+udp_exrecv(isc_task_t *task, isc_event_t *ev) {
+	dispsocket_t *dispsock = ev->ev_arg;
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPSOCK(dispsock));
+	udp_recv(ev, dispsock->disp, dispsock);
+}
+
+static void
+udp_shrecv(isc_task_t *task, isc_event_t *ev) {
+	dns_dispatch_t *disp = ev->ev_arg;
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPATCH(disp));
+	udp_recv(ev, disp, NULL);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED or error, free the buffer.
+ *
+ * If query, free the buffer, restart.
+ *
+ * If response:
+ *	Allocate event, fill in details.
+ *		If cannot allocate, free buffer, restart.
+ *	find target.  If not found, free buffer, restart.
+ *	if event queue is not empty, queue.  else, send.
+ *	restart.
+ */
+static void
+udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	dns_messageid_t id;
+	isc_result_t dres;
+	isc_buffer_t source;
+	unsigned int flags;
+	dns_dispentry_t *resp = NULL;
+	dns_dispatchevent_t *rev;
+	unsigned int bucket;
+	bool killit;
+	bool queue_response;
+	dns_dispatchmgr_t *mgr;
+	dns_qid_t *qid;
+	isc_netaddr_t netaddr;
+	int match;
+	int result;
+	bool qidlocked = false;
+
+	LOCK(&disp->lock);
+
+	mgr = disp->mgr;
+	qid = mgr->qid;
+
+	dispatch_log(disp, LVL(90),
+		     "got packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->mgr->buffers, disp->recv_pending);
+
+	if (dispsock == NULL && ev->ev_type == ISC_SOCKEVENT_RECVDONE) {
+		/*
+		 * Unless the receive event was imported from a listening
+		 * interface, in which case the event type is
+		 * DNS_EVENT_IMPORTRECVDONE, receive operation must be pending.
+		 */
+		INSIST(disp->recv_pending != 0);
+		disp->recv_pending = 0;
+	}
+
+	if (dispsock != NULL &&
+	    (ev->result == ISC_R_CANCELED || dispsock->resp == NULL)) {
+		/*
+		 * dispsock->resp can be NULL if this transaction was canceled
+		 * just after receiving a response.  Since this socket is
+		 * exclusively used and there should be at most one receive
+		 * event the canceled event should have been no effect.  So
+		 * we can (and should) deactivate the socket right now.
+		 */
+		deactivate_dispsocket(disp, dispsock);
+		dispsock = NULL;
+	}
+
+	if (disp->shutting_down) {
+		/*
+		 * This dispatcher is shutting down.
+		 */
+		free_buffer(disp, ev->region.base, ev->region.length);
+
+		isc_event_free(&ev_in);
+		ev = NULL;
+
+		killit = destroy_disp_ok(disp);
+		UNLOCK(&disp->lock);
+		if (killit)
+			isc_task_send(disp->task[0], &disp->ctlevent);
+
+		return;
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		if (dispsock != NULL) {
+			resp = dispsock->resp;
+			id = resp->id;
+			if (ev->result != ISC_R_SUCCESS) {
+				/*
+				 * This is most likely a network error on a
+				 * connected socket.  It makes no sense to
+				 * check the address or parse the packet, but it
+				 * will help to return the error to the caller.
+				 */
+				goto sendresponse;
+			}
+		} else {
+			free_buffer(disp, ev->region.base, ev->region.length);
+
+			isc_event_free(&ev_in);
+			UNLOCK(&disp->lock);
+			return;
+		}
+	} else if (ev->result != ISC_R_SUCCESS) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+
+		if (ev->result != ISC_R_CANCELED)
+			dispatch_log(disp, ISC_LOG_ERROR,
+				     "odd socket result in udp_recv(): %s",
+				     isc_result_totext(ev->result));
+
+		isc_event_free(&ev_in);
+		UNLOCK(&disp->lock);
+		return;
+	}
+
+	/*
+	 * If this is from a blackholed address, drop it.
+	 */
+	isc_netaddr_fromsockaddr(&netaddr, &ev->address);
+	if (disp->mgr->blackhole != NULL &&
+	    dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
+			  NULL, &match, NULL) == ISC_R_SUCCESS &&
+	    match > 0)
+	{
+		if (isc_log_wouldlog(dns_lctx, LVL(10))) {
+			char netaddrstr[ISC_NETADDR_FORMATSIZE];
+			isc_netaddr_format(&netaddr, netaddrstr,
+					   sizeof(netaddrstr));
+			dispatch_log(disp, LVL(10),
+				     "blackholed packet from %s",
+				     netaddrstr);
+		}
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto restart;
+	}
+
+	/*
+	 * Peek into the buffer to see what we can see.
+	 */
+	isc_buffer_init(&source, ev->region.base, ev->region.length);
+	isc_buffer_add(&source, ev->n);
+	dres = dns_message_peekheader(&source, &id, &flags);
+	if (dres != ISC_R_SUCCESS) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+		dispatch_log(disp, LVL(10), "got garbage packet");
+		goto restart;
+	}
+
+	dispatch_log(disp, LVL(92),
+		     "got valid DNS message header, /QR %c, id %u",
+		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
+
+	/*
+	 * Look at flags.  If query, drop it. If response,
+	 * look to see where it goes.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+		/* query */
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto restart;
+	}
+
+	/*
+	 * Search for the corresponding response.  If we are using an exclusive
+	 * socket, we've already identified it and we can skip the search; but
+	 * the ID and the address must match the expected ones.
+	 */
+	if (resp == NULL) {
+		bucket = dns_hash(qid, &ev->address, id, disp->localport);
+		LOCK(&qid->lock);
+		qidlocked = true;
+		resp = entry_search(qid, &ev->address, id, disp->localport,
+				    bucket);
+		dispatch_log(disp, LVL(90),
+			     "search for response in bucket %d: %s",
+			     bucket, (resp == NULL ? "not found" : "found"));
+
+		if (resp == NULL) {
+			inc_stats(mgr, dns_resstatscounter_mismatch);
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+	} else if (resp->id != id || !isc_sockaddr_equal(&ev->address,
+							 &resp->host)) {
+		dispatch_log(disp, LVL(90),
+			     "response to an exclusive socket doesn't match");
+		inc_stats(mgr, dns_resstatscounter_mismatch);
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
+	/*
+	 * Now that we have the original dispatch the query was sent
+	 * from check that the address and port the response was
+	 * sent to make sense.
+	 */
+	if (disp != resp->disp) {
+		isc_sockaddr_t a1;
+		isc_sockaddr_t a2;
+
+		/*
+		 * Check that the socket types and ports match.
+		 */
+		if (disp->socktype != resp->disp->socktype ||
+		    isc_sockaddr_getport(&disp->local) !=
+		    isc_sockaddr_getport(&resp->disp->local)) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+
+		/*
+		 * If each dispatch is bound to a different address
+		 * then fail.
+		 *
+		 * Note under Linux a packet can be sent out via IPv4 socket
+		 * and the response be received via a IPv6 socket.
+		 *
+		 * Requests sent out via IPv6 should always come back in
+		 * via IPv6.
+		 */
+		if (isc_sockaddr_pf(&resp->disp->local) == PF_INET6 &&
+		    isc_sockaddr_pf(&disp->local) != PF_INET6) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+		isc_sockaddr_anyofpf(&a1, isc_sockaddr_pf(&resp->disp->local));
+		isc_sockaddr_anyofpf(&a2, isc_sockaddr_pf(&disp->local));
+		if (!isc_sockaddr_eqaddr(&disp->local, &resp->disp->local) &&
+		    !isc_sockaddr_eqaddr(&a1, &resp->disp->local) &&
+		    !isc_sockaddr_eqaddr(&a2, &disp->local)) {
+			free_buffer(disp, ev->region.base, ev->region.length);
+			goto unlock;
+		}
+	}
+
+  sendresponse:
+	queue_response = resp->item_out;
+	rev = allocate_devent(resp->disp);
+	if (rev == NULL) {
+		free_buffer(disp, ev->region.base, ev->region.length);
+		goto unlock;
+	}
+
+	/*
+	 * At this point, rev contains the event we want to fill in, and
+	 * resp contains the information on the place to send it to.
+	 * Send the event off.
+	 */
+	isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
+	isc_buffer_add(&rev->buffer, ev->n);
+	rev->result = ev->result;
+	rev->id = id;
+	rev->addr = ev->address;
+	rev->pktinfo = ev->pktinfo;
+	rev->attributes = ev->attributes;
+	if (queue_response) {
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
+	} else {
+		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
+			       DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[a] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+	}
+ unlock:
+	if (qidlocked)
+		UNLOCK(&qid->lock);
+
+	/*
+	 * Restart recv() to get the next packet.
+	 */
+ restart:
+	result = startrecv(disp, dispsock);
+	if (result != ISC_R_SUCCESS && dispsock != NULL) {
+		/*
+		 * XXX: wired. There seems to be no recovery process other than
+		 * deactivate this socket anyway (since we cannot start
+		 * receiving, we won't be able to receive a cancel event
+		 * from the user).
+		 */
+		deactivate_dispsocket(disp, dispsock);
+	}
+	isc_event_free(&ev_in);
+	UNLOCK(&disp->lock);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED, EOF, or error, notify everyone as the
+ * various queues drain.
+ *
+ * If query, restart.
+ *
+ * If response:
+ *	Allocate event, fill in details.
+ *		If cannot allocate, restart.
+ *	find target.  If not found, restart.
+ *	if event queue is not empty, queue.  else, send.
+ *	restart.
+ */
+static void
+tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
+	dns_dispatch_t *disp = ev_in->ev_arg;
+	dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
+	dns_messageid_t id;
+	isc_result_t dres;
+	unsigned int flags;
+	dns_dispentry_t *resp;
+	dns_dispatchevent_t *rev;
+	unsigned int bucket;
+	bool killit;
+	bool queue_response;
+	dns_qid_t *qid;
+	int level;
+	char buf[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(task);
+
+	REQUIRE(VALID_DISPATCH(disp));
+
+	qid = disp->qid;
+
+	dispatch_log(disp, LVL(90),
+		     "got TCP packet: requests %d, buffers %d, recvs %d",
+		     disp->requests, disp->tcpbuffers, disp->recv_pending);
+
+	LOCK(&disp->lock);
+
+	INSIST(disp->recv_pending != 0);
+	disp->recv_pending = 0;
+
+	if (disp->refcount == 0) {
+		/*
+		 * This dispatcher is shutting down.  Force cancelation.
+		 */
+		tcpmsg->result = ISC_R_CANCELED;
+	}
+
+	if (tcpmsg->result != ISC_R_SUCCESS) {
+		switch (tcpmsg->result) {
+		case ISC_R_CANCELED:
+			break;
+
+		case ISC_R_EOF:
+			dispatch_log(disp, LVL(90), "shutting down on EOF");
+			do_cancel(disp);
+			break;
+
+		case ISC_R_CONNECTIONRESET:
+			level = ISC_LOG_INFO;
+			goto logit;
+
+		default:
+			level = ISC_LOG_ERROR;
+		logit:
+			isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
+			dispatch_log(disp, level, "shutting down due to TCP "
+				     "receive error: %s: %s", buf,
+				     isc_result_totext(tcpmsg->result));
+			do_cancel(disp);
+			break;
+		}
+
+		/*
+		 * The event is statically allocated in the tcpmsg
+		 * structure, and destroy_disp() frees the tcpmsg, so we must
+		 * free the event *before* calling destroy_disp().
+		 */
+		isc_event_free(&ev_in);
+
+		disp->shutting_down = 1;
+		disp->shutdown_why = tcpmsg->result;
+
+		/*
+		 * If the recv() was canceled pass the word on.
+		 */
+		killit = destroy_disp_ok(disp);
+		UNLOCK(&disp->lock);
+		if (killit)
+			isc_task_send(disp->task[0], &disp->ctlevent);
+		return;
+	}
+
+	dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
+		     tcpmsg->result,
+		     tcpmsg->buffer.length, tcpmsg->buffer.base);
+
+	/*
+	 * Peek into the buffer to see what we can see.
+	 */
+	dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
+	if (dres != ISC_R_SUCCESS) {
+		dispatch_log(disp, LVL(10), "got garbage packet");
+		goto restart;
+	}
+
+	dispatch_log(disp, LVL(92),
+		     "got valid DNS message header, /QR %c, id %u",
+		     ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
+
+	/*
+	 * Allocate an event to send to the query or response client, and
+	 * allocate a new buffer for our use.
+	 */
+
+	/*
+	 * Look at flags.  If query, drop it. If response,
+	 * look to see where it goes.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+		/*
+		 * Query.
+		 */
+		goto restart;
+	}
+
+	/*
+	 * Response.
+	 */
+	bucket = dns_hash(qid, &tcpmsg->address, id, disp->localport);
+	LOCK(&qid->lock);
+	resp = entry_search(qid, &tcpmsg->address, id, disp->localport, bucket);
+	dispatch_log(disp, LVL(90),
+		     "search for response in bucket %d: %s",
+		     bucket, (resp == NULL ? "not found" : "found"));
+
+	if (resp == NULL)
+		goto unlock;
+	queue_response = resp->item_out;
+	rev = allocate_devent(disp);
+	if (rev == NULL)
+		goto unlock;
+
+	/*
+	 * At this point, rev contains the event we want to fill in, and
+	 * resp contains the information on the place to send it to.
+	 * Send the event off.
+	 */
+	dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
+	disp->tcpbuffers++;
+	rev->result = ISC_R_SUCCESS;
+	rev->id = id;
+	rev->addr = tcpmsg->address;
+	if (queue_response) {
+		ISC_LIST_APPEND(resp->items, rev, ev_link);
+	} else {
+		ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[b] Sent event %p buffer %p len %d to task %p",
+			    rev, rev->buffer.base, rev->buffer.length,
+			    resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+	}
+ unlock:
+	UNLOCK(&qid->lock);
+
+	/*
+	 * Restart recv() to get the next packet.
+	 */
+ restart:
+	(void)startrecv(disp, NULL);
+
+	isc_event_free(&ev_in);
+	UNLOCK(&disp->lock);
+}
+
+/*
+ * disp must be locked.
+ */
+static isc_result_t
+startrecv(dns_dispatch_t *disp, dispsocket_t *dispsock) {
+	isc_result_t res;
+	isc_region_t region;
+	isc_socket_t *sock;
+
+	if (disp->shutting_down == 1)
+		return (ISC_R_SUCCESS);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+		return (ISC_R_SUCCESS);
+
+	if (disp->recv_pending != 0 && dispsock == NULL)
+		return (ISC_R_SUCCESS);
+
+	if (disp->mgr->buffers >= disp->mgr->maxbuffers)
+		return (ISC_R_NOMEMORY);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
+	    dispsock == NULL)
+		return (ISC_R_SUCCESS);
+
+	if (dispsock != NULL)
+		sock = dispsock->socket;
+	else
+		sock = disp->socket;
+	INSIST(sock != NULL);
+
+	switch (disp->socktype) {
+		/*
+		 * UDP reads are always maximal.
+		 */
+	case isc_sockettype_udp:
+		region.length = disp->mgr->buffersize;
+		region.base = allocate_udp_buffer(disp);
+		if (region.base == NULL)
+			return (ISC_R_NOMEMORY);
+		if (dispsock != NULL) {
+			isc_task_t *dt = dispsock->task;
+			isc_socketevent_t *sev =
+				allocate_sevent(disp, sock,
+						ISC_SOCKEVENT_RECVDONE,
+						udp_exrecv, dispsock);
+			if (sev == NULL) {
+				free_buffer(disp, region.base, region.length);
+				return (ISC_R_NOMEMORY);
+			}
+
+			res = isc_socket_recv2(sock, &region, 1, dt, sev, 0);
+			if (res != ISC_R_SUCCESS) {
+				free_buffer(disp, region.base, region.length);
+				return (res);
+			}
+		} else {
+			isc_task_t *dt = disp->task[0];
+			isc_socketevent_t *sev =
+				allocate_sevent(disp, sock,
+						ISC_SOCKEVENT_RECVDONE,
+						udp_shrecv, disp);
+			if (sev == NULL) {
+				free_buffer(disp, region.base, region.length);
+				return (ISC_R_NOMEMORY);
+			}
+
+			res = isc_socket_recv2(sock, &region, 1, dt, sev, 0);
+			if (res != ISC_R_SUCCESS) {
+				free_buffer(disp, region.base, region.length);
+				disp->shutdown_why = res;
+				disp->shutting_down = 1;
+				do_cancel(disp);
+				return (ISC_R_SUCCESS); /* recover by cancel */
+			}
+			INSIST(disp->recv_pending == 0);
+			disp->recv_pending = 1;
+		}
+		break;
+
+	case isc_sockettype_tcp:
+		res = dns_tcpmsg_readmessage(&disp->tcpmsg, disp->task[0],
+					     tcp_recv, disp);
+		if (res != ISC_R_SUCCESS) {
+			disp->shutdown_why = res;
+			disp->shutting_down = 1;
+			do_cancel(disp);
+			return (ISC_R_SUCCESS); /* recover by cancel */
+		}
+		INSIST(disp->recv_pending == 0);
+		disp->recv_pending = 1;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Mgr must be locked when calling this function.
+ */
+static bool
+destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
+	mgr_log(mgr, LVL(90),
+		"destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, "
+		"depool=%d, rpool=%d, dpool=%d",
+		MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list),
+		isc_mempool_getallocated(mgr->depool),
+		isc_mempool_getallocated(mgr->rpool),
+		isc_mempool_getallocated(mgr->dpool));
+	if (!MGR_IS_SHUTTINGDOWN(mgr))
+		return (false);
+	if (!ISC_LIST_EMPTY(mgr->list))
+		return (false);
+	if (isc_mempool_getallocated(mgr->depool) != 0)
+		return (false);
+	if (isc_mempool_getallocated(mgr->rpool) != 0)
+		return (false);
+	if (isc_mempool_getallocated(mgr->dpool) != 0)
+		return (false);
+
+	return (true);
+}
+
+/*
+ * Mgr must be unlocked when calling this function.
+ */
+static void
+destroy_mgr(dns_dispatchmgr_t **mgrp) {
+	isc_mem_t *mctx;
+	dns_dispatchmgr_t *mgr;
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	mctx = mgr->mctx;
+
+	mgr->magic = 0;
+	mgr->mctx = NULL;
+	DESTROYLOCK(&mgr->lock);
+	mgr->state = 0;
+
+	if (mgr->rngctx != NULL)
+		isc_rng_detach(&mgr->rngctx);
+	DESTROYLOCK(&mgr->rng_lock);
+
+	isc_mempool_destroy(&mgr->depool);
+	isc_mempool_destroy(&mgr->rpool);
+	isc_mempool_destroy(&mgr->dpool);
+	if (mgr->bpool != NULL)
+		isc_mempool_destroy(&mgr->bpool);
+	if (mgr->spool != NULL)
+		isc_mempool_destroy(&mgr->spool);
+
+	DESTROYLOCK(&mgr->spool_lock);
+	DESTROYLOCK(&mgr->bpool_lock);
+	DESTROYLOCK(&mgr->dpool_lock);
+	DESTROYLOCK(&mgr->rpool_lock);
+	DESTROYLOCK(&mgr->depool_lock);
+
+	if (mgr->entropy != NULL)
+		isc_entropy_detach(&mgr->entropy);
+	if (mgr->qid != NULL)
+		qid_destroy(mctx, &mgr->qid);
+
+	DESTROYLOCK(&mgr->buffer_lock);
+
+	if (mgr->blackhole != NULL)
+		dns_acl_detach(&mgr->blackhole);
+
+	if (mgr->stats != NULL)
+		isc_stats_detach(&mgr->stats);
+
+	if (mgr->v4ports != NULL) {
+		isc_mem_put(mctx, mgr->v4ports,
+			    mgr->nv4ports * sizeof(in_port_t));
+	}
+	if (mgr->v6ports != NULL) {
+		isc_mem_put(mctx, mgr->v6ports,
+			    mgr->nv6ports * sizeof(in_port_t));
+	}
+	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
+	    unsigned int options, isc_socket_t **sockp,
+	    isc_socket_t *dup_socket)
+{
+	isc_socket_t *sock;
+	isc_result_t result;
+
+	sock = *sockp;
+	if (sock != NULL) {
+		result = isc_socket_open(sock);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else if (dup_socket != NULL) {
+		result = isc_socket_dup(dup_socket, &sock);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		isc_socket_setname(sock, "dispatcher", NULL);
+		*sockp = sock;
+		return (ISC_R_SUCCESS);
+	} else {
+		result = isc_socket_create(mgr, isc_sockaddr_pf(local),
+					   isc_sockettype_udp, &sock);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	isc_socket_setname(sock, "dispatcher", NULL);
+
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(sock, true);
+#endif
+	result = isc_socket_bind(sock, local, options);
+	if (result != ISC_R_SUCCESS) {
+		if (*sockp == NULL)
+			isc_socket_detach(&sock);
+		else {
+			isc_socket_close(sock);
+		}
+		return (result);
+	}
+
+	*sockp = sock;
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Create a temporary port list to set the initial default set of dispatch
+ * ports: [1024, 65535].  This is almost meaningless as the application will
+ * normally set the ports explicitly, but is provided to fill some minor corner
+ * cases.
+ */
+static isc_result_t
+create_default_portset(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_result_t result;
+
+	result = isc_portset_create(mctx, portsetp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_portset_addrange(*portsetp, 1024, 65535);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Publics.
+ */
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
+		       dns_dispatchmgr_t **mgrp)
+{
+	dns_dispatchmgr_t *mgr;
+	isc_result_t result;
+	isc_portset_t *v4portset = NULL;
+	isc_portset_t *v6portset = NULL;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(mgrp != NULL && *mgrp == NULL);
+
+	mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
+	if (mgr == NULL)
+		return (ISC_R_NOMEMORY);
+
+	mgr->mctx = NULL;
+	isc_mem_attach(mctx, &mgr->mctx);
+
+	mgr->blackhole = NULL;
+	mgr->stats = NULL;
+	mgr->rngctx = NULL;
+
+	result = isc_mutex_init(&mgr->lock);
+	if (result != ISC_R_SUCCESS)
+		goto deallocate;
+
+	result = isc_mutex_init(&mgr->rng_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_lock;
+
+	result = isc_mutex_init(&mgr->buffer_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_rng_lock;
+
+	result = isc_mutex_init(&mgr->depool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_buffer_lock;
+
+	result = isc_mutex_init(&mgr->rpool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_depool_lock;
+
+	result = isc_mutex_init(&mgr->dpool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_rpool_lock;
+
+	result = isc_mutex_init(&mgr->bpool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_dpool_lock;
+
+	result = isc_mutex_init(&mgr->spool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_bpool_lock;
+
+	mgr->depool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatchevent_t),
+			       &mgr->depool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_spool_lock;
+	}
+
+	mgr->rpool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispentry_t),
+			       &mgr->rpool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_depool;
+	}
+
+	mgr->dpool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatch_t),
+			       &mgr->dpool) != ISC_R_SUCCESS) {
+		result = ISC_R_NOMEMORY;
+		goto kill_rpool;
+	}
+
+	isc_mempool_setname(mgr->depool, "dispmgr_depool");
+	isc_mempool_setmaxalloc(mgr->depool, 32768);
+	isc_mempool_setfreemax(mgr->depool, 32768);
+	isc_mempool_associatelock(mgr->depool, &mgr->depool_lock);
+	isc_mempool_setfillcount(mgr->depool, 32);
+
+	isc_mempool_setname(mgr->rpool, "dispmgr_rpool");
+	isc_mempool_setmaxalloc(mgr->rpool, 32768);
+	isc_mempool_setfreemax(mgr->rpool, 32768);
+	isc_mempool_associatelock(mgr->rpool, &mgr->rpool_lock);
+	isc_mempool_setfillcount(mgr->rpool, 32);
+
+	isc_mempool_setname(mgr->dpool, "dispmgr_dpool");
+	isc_mempool_setmaxalloc(mgr->dpool, 32768);
+	isc_mempool_setfreemax(mgr->dpool, 32768);
+	isc_mempool_associatelock(mgr->dpool, &mgr->dpool_lock);
+	isc_mempool_setfillcount(mgr->dpool, 32);
+
+	mgr->buffers = 0;
+	mgr->buffersize = 0;
+	mgr->maxbuffers = 0;
+	mgr->bpool = NULL;
+	mgr->spool = NULL;
+	mgr->entropy = NULL;
+	mgr->qid = NULL;
+	mgr->state = 0;
+	ISC_LIST_INIT(mgr->list);
+	mgr->v4ports = NULL;
+	mgr->v6ports = NULL;
+	mgr->nv4ports = 0;
+	mgr->nv6ports = 0;
+	mgr->magic = DNS_DISPATCHMGR_MAGIC;
+
+	result = create_default_portset(mctx, &v4portset);
+	if (result == ISC_R_SUCCESS) {
+		result = create_default_portset(mctx, &v6portset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_dispatchmgr_setavailports(mgr,
+							       v4portset,
+							       v6portset);
+		}
+	}
+	if (v4portset != NULL)
+		isc_portset_destroy(mctx, &v4portset);
+	if (v6portset != NULL)
+		isc_portset_destroy(mctx, &v6portset);
+	if (result != ISC_R_SUCCESS)
+		goto kill_dpool;
+
+	if (entropy != NULL)
+		isc_entropy_attach(entropy, &mgr->entropy);
+
+	result = isc_rng_create(mctx, mgr->entropy, &mgr->rngctx);
+	if (result != ISC_R_SUCCESS)
+		goto kill_dpool;
+
+	*mgrp = mgr;
+	return (ISC_R_SUCCESS);
+
+ kill_dpool:
+	isc_mempool_destroy(&mgr->dpool);
+ kill_rpool:
+	isc_mempool_destroy(&mgr->rpool);
+ kill_depool:
+	isc_mempool_destroy(&mgr->depool);
+ kill_spool_lock:
+	DESTROYLOCK(&mgr->spool_lock);
+ kill_bpool_lock:
+	DESTROYLOCK(&mgr->bpool_lock);
+ kill_dpool_lock:
+	DESTROYLOCK(&mgr->dpool_lock);
+ kill_rpool_lock:
+	DESTROYLOCK(&mgr->rpool_lock);
+ kill_depool_lock:
+	DESTROYLOCK(&mgr->depool_lock);
+ kill_buffer_lock:
+	DESTROYLOCK(&mgr->buffer_lock);
+ kill_rng_lock:
+	DESTROYLOCK(&mgr->rng_lock);
+ kill_lock:
+	DESTROYLOCK(&mgr->lock);
+ deallocate:
+	isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	if (mgr->blackhole != NULL)
+		dns_acl_detach(&mgr->blackhole);
+	dns_acl_attach(blackhole, &mgr->blackhole);
+}
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	return (mgr->blackhole);
+}
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+				 dns_portlist_t *portlist)
+{
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	UNUSED(portlist);
+
+	/* This function is deprecated: use dns_dispatchmgr_setavailports(). */
+	return;
+}
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	return (NULL);		/* this function is deprecated */
+}
+
+isc_result_t
+dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
+			      isc_portset_t *v6portset)
+{
+	in_port_t *v4ports, *v6ports, p;
+	unsigned int nv4ports, nv6ports, i4, i6;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	nv4ports = isc_portset_nports(v4portset);
+	nv6ports = isc_portset_nports(v6portset);
+
+	v4ports = NULL;
+	if (nv4ports != 0) {
+		v4ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv4ports);
+		if (v4ports == NULL)
+			return (ISC_R_NOMEMORY);
+	}
+	v6ports = NULL;
+	if (nv6ports != 0) {
+		v6ports = isc_mem_get(mgr->mctx, sizeof(in_port_t) * nv6ports);
+		if (v6ports == NULL) {
+			if (v4ports != NULL) {
+				isc_mem_put(mgr->mctx, v4ports,
+					    sizeof(in_port_t) *
+					    isc_portset_nports(v4portset));
+			}
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	p = 0;
+	i4 = 0;
+	i6 = 0;
+	do {
+		if (isc_portset_isset(v4portset, p)) {
+			INSIST(i4 < nv4ports);
+			v4ports[i4++] = p;
+		}
+		if (isc_portset_isset(v6portset, p)) {
+			INSIST(i6 < nv6ports);
+			v6ports[i6++] = p;
+		}
+	} while (p++ < 65535);
+	INSIST(i4 == nv4ports && i6 == nv6ports);
+
+	PORTBUFLOCK(mgr);
+	if (mgr->v4ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v4ports,
+			    mgr->nv4ports * sizeof(in_port_t));
+	}
+	mgr->v4ports = v4ports;
+	mgr->nv4ports = nv4ports;
+
+	if (mgr->v6ports != NULL) {
+		isc_mem_put(mgr->mctx, mgr->v6ports,
+			    mgr->nv6ports * sizeof(in_port_t));
+	}
+	mgr->v6ports = v6ports;
+	mgr->nv6ports = nv6ports;
+	PORTBUFUNLOCK(mgr);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
+		       unsigned int buffersize, unsigned int maxbuffers,
+		       unsigned int maxrequests, unsigned int buckets,
+		       unsigned int increment)
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
+	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+
+	/*
+	 * Keep some number of items around.  This should be a config
+	 * option.  For now, keep 8, but later keep at least two even
+	 * if the caller wants less.  This allows us to ensure certain
+	 * things, like an event can be "freed" and the next allocation
+	 * will always succeed.
+	 *
+	 * Note that if limits are placed on anything here, we use one
+	 * event internally, so the actual limit should be "wanted + 1."
+	 *
+	 * XXXMLG
+	 */
+
+	if (maxbuffers < 8)
+		maxbuffers = 8;
+
+	LOCK(&mgr->buffer_lock);
+
+	/* Create or adjust buffer pool */
+	if (mgr->bpool != NULL) {
+		/*
+		 * We only increase the maxbuffers to avoid accidental buffer
+		 * shortage.  Ideally we'd separate the manager-wide maximum
+		 * from per-dispatch limits and respect the latter within the
+		 * global limit.  But at this moment that's deemed to be
+		 * overkilling and isn't worth additional implementation
+		 * complexity.
+		 */
+		if (maxbuffers > mgr->maxbuffers) {
+			isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
+			isc_mempool_setfreemax(mgr->bpool, maxbuffers);
+			mgr->maxbuffers = maxbuffers;
+		}
+	} else {
+		result = isc_mempool_create(mgr->mctx, buffersize, &mgr->bpool);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&mgr->buffer_lock);
+			return (result);
+		}
+		isc_mempool_setname(mgr->bpool, "dispmgr_bpool");
+		isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
+		isc_mempool_setfreemax(mgr->bpool, maxbuffers);
+		isc_mempool_associatelock(mgr->bpool, &mgr->bpool_lock);
+		isc_mempool_setfillcount(mgr->bpool, 32);
+	}
+
+	/* Create or adjust socket pool */
+	if (mgr->spool != NULL) {
+		if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2) {
+			isc_mempool_setmaxalloc(mgr->spool,
+						DNS_DISPATCH_POOLSOCKS * 2);
+			isc_mempool_setfreemax(mgr->spool,
+					       DNS_DISPATCH_POOLSOCKS * 2);
+		}
+		UNLOCK(&mgr->buffer_lock);
+		return (ISC_R_SUCCESS);
+	}
+	result = isc_mempool_create(mgr->mctx, sizeof(dispsocket_t),
+				    &mgr->spool);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	isc_mempool_setname(mgr->spool, "dispmgr_spool");
+	isc_mempool_setmaxalloc(mgr->spool, maxrequests);
+	isc_mempool_setfreemax(mgr->spool, maxrequests);
+	isc_mempool_associatelock(mgr->spool, &mgr->spool_lock);
+	isc_mempool_setfillcount(mgr->spool, 32);
+
+	result = qid_allocate(mgr, buckets, increment, &mgr->qid, true);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	mgr->buffersize = buffersize;
+	mgr->maxbuffers = maxbuffers;
+	UNLOCK(&mgr->buffer_lock);
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mempool_destroy(&mgr->bpool);
+	if (mgr->spool != NULL)
+		isc_mempool_destroy(&mgr->spool);
+	UNLOCK(&mgr->buffer_lock);
+	return (result);
+}
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
+	dns_dispatchmgr_t *mgr;
+	bool killit;
+
+	REQUIRE(mgrp != NULL);
+	REQUIRE(VALID_DISPATCHMGR(*mgrp));
+
+	mgr = *mgrp;
+	*mgrp = NULL;
+
+	LOCK(&mgr->lock);
+	mgr->state |= MGR_SHUTTINGDOWN;
+	killit = destroy_mgr_ok(mgr);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
+
+	if (killit)
+		destroy_mgr(&mgr);
+}
+
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(ISC_LIST_EMPTY(mgr->list));
+	REQUIRE(mgr->stats == NULL);
+
+	isc_stats_attach(stats, &mgr->stats);
+}
+
+static int
+port_cmp(const void *key, const void *ent) {
+	in_port_t p1 = *(const in_port_t *)key;
+	in_port_t p2 = *(const in_port_t *)ent;
+
+	if (p1 < p2)
+		return (-1);
+	else if (p1 == p2)
+		return (0);
+	else
+		return (1);
+}
+
+static bool
+portavailable(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+	      isc_sockaddr_t *sockaddrp)
+{
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+	in_port_t *ports, port;
+	unsigned int nports;
+	bool available = false;
+
+	REQUIRE(sock != NULL || sockaddrp != NULL);
+
+	PORTBUFLOCK(mgr);
+	if (sock != NULL) {
+		sockaddrp = &sockaddr;
+		result = isc_socket_getsockname(sock, sockaddrp);
+		if (result != ISC_R_SUCCESS)
+			goto unlock;
+	}
+
+	if (isc_sockaddr_pf(sockaddrp) == AF_INET) {
+		ports = mgr->v4ports;
+		nports = mgr->nv4ports;
+	} else {
+		ports = mgr->v6ports;
+		nports = mgr->nv6ports;
+	}
+	if (ports == NULL)
+		goto unlock;
+
+	port = isc_sockaddr_getport(sockaddrp);
+	if (bsearch(&port, ports, nports, sizeof(in_port_t), port_cmp) != NULL)
+		available = true;
+
+unlock:
+	PORTBUFUNLOCK(mgr);
+	return (available);
+}
+
+#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
+
+static bool
+local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
+	isc_sockaddr_t sockaddr;
+	isc_result_t result;
+
+	REQUIRE(disp->socket != NULL);
+
+	if (addr == NULL)
+		return (true);
+
+	/*
+	 * Don't match wildcard ports unless the port is available in the
+	 * current configuration.
+	 */
+	if (isc_sockaddr_getport(addr) == 0 &&
+	    isc_sockaddr_getport(&disp->local) == 0 &&
+	    !portavailable(disp->mgr, disp->socket, NULL)) {
+		return (false);
+	}
+
+	/*
+	 * Check if we match the binding <address,port>.
+	 * Wildcard ports match/fail here.
+	 */
+	if (isc_sockaddr_equal(&disp->local, addr))
+		return (true);
+	if (isc_sockaddr_getport(addr) == 0)
+		return (false);
+
+	/*
+	 * Check if we match a bound wildcard port <address,port>.
+	 */
+	if (!isc_sockaddr_eqaddr(&disp->local, addr))
+		return (false);
+	result = isc_socket_getsockname(disp->socket, &sockaddr);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+
+	return (isc_sockaddr_equal(&sockaddr, addr));
+}
+
+/*
+ * Requires mgr be locked.
+ *
+ * No dispatcher can be locked by this thread when calling this function.
+ *
+ *
+ * NOTE:
+ *	If a matching dispatcher is found, it is locked after this function
+ *	returns, and must be unlocked by the caller.
+ */
+static isc_result_t
+dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
+	      unsigned int attributes, unsigned int mask,
+	      dns_dispatch_t **dispp)
+{
+	dns_dispatch_t *disp;
+	isc_result_t result;
+
+	/*
+	 * Make certain that we will not match a private or exclusive dispatch.
+	 */
+	attributes &= ~(DNS_DISPATCHATTR_PRIVATE|DNS_DISPATCHATTR_EXCLUSIVE);
+	mask |= (DNS_DISPATCHATTR_PRIVATE|DNS_DISPATCHATTR_EXCLUSIVE);
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0)
+		    && ATTRMATCH(disp->attributes, attributes, mask)
+		    && local_addr_match(disp, local))
+			break;
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+
+	if (disp == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto out;
+	}
+
+	*dispp = disp;
+	result = ISC_R_SUCCESS;
+ out:
+
+	return (result);
+}
+
+static isc_result_t
+qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+	     unsigned int increment, dns_qid_t **qidp,
+	     bool needsocktable)
+{
+	dns_qid_t *qid;
+	unsigned int i;
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	REQUIRE(qidp != NULL && *qidp == NULL);
+
+	qid = isc_mem_get(mgr->mctx, sizeof(*qid));
+	if (qid == NULL)
+		return (ISC_R_NOMEMORY);
+
+	qid->qid_table = isc_mem_get(mgr->mctx,
+				     buckets * sizeof(dns_displist_t));
+	if (qid->qid_table == NULL) {
+		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
+		return (ISC_R_NOMEMORY);
+	}
+
+	qid->sock_table = NULL;
+	if (needsocktable) {
+		qid->sock_table = isc_mem_get(mgr->mctx, buckets *
+					      sizeof(dispsocketlist_t));
+		if (qid->sock_table == NULL) {
+			isc_mem_put(mgr->mctx, qid->qid_table,
+				    buckets * sizeof(dns_displist_t));
+			isc_mem_put(mgr->mctx, qid, sizeof(*qid));
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	result = isc_mutex_init(&qid->lock);
+	if (result != ISC_R_SUCCESS) {
+		if (qid->sock_table != NULL) {
+			isc_mem_put(mgr->mctx, qid->sock_table,
+				    buckets * sizeof(dispsocketlist_t));
+		}
+		isc_mem_put(mgr->mctx, qid->qid_table,
+			    buckets * sizeof(dns_displist_t));
+		isc_mem_put(mgr->mctx, qid, sizeof(*qid));
+		return (result);
+	}
+
+	for (i = 0; i < buckets; i++) {
+		ISC_LIST_INIT(qid->qid_table[i]);
+		if (qid->sock_table != NULL)
+			ISC_LIST_INIT(qid->sock_table[i]);
+	}
+
+	qid->qid_nbuckets = buckets;
+	qid->qid_increment = increment;
+	qid->magic = QID_MAGIC;
+	*qidp = qid;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
+	dns_qid_t *qid;
+
+	REQUIRE(qidp != NULL);
+	qid = *qidp;
+
+	REQUIRE(VALID_QID(qid));
+
+	*qidp = NULL;
+	qid->magic = 0;
+	isc_mem_put(mctx, qid->qid_table,
+		    qid->qid_nbuckets * sizeof(dns_displist_t));
+	if (qid->sock_table != NULL) {
+		isc_mem_put(mctx, qid->sock_table,
+			    qid->qid_nbuckets * sizeof(dispsocketlist_t));
+	}
+	DESTROYLOCK(&qid->lock);
+	isc_mem_put(mctx, qid, sizeof(*qid));
+}
+
+/*
+ * Allocate and set important limits.
+ */
+static isc_result_t
+dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
+		  dns_dispatch_t **dispp)
+{
+	dns_dispatch_t *disp;
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	/*
+	 * Set up the dispatcher, mostly.  Don't bother setting some of
+	 * the options that are controlled by tcp vs. udp, etc.
+	 */
+
+	disp = isc_mempool_get(mgr->dpool);
+	if (disp == NULL)
+		return (ISC_R_NOMEMORY);
+
+	disp->magic = 0;
+	disp->mgr = mgr;
+	disp->maxrequests = maxrequests;
+	disp->attributes = 0;
+	ISC_LINK_INIT(disp, link);
+	disp->refcount = 1;
+	disp->recv_pending = 0;
+	memset(&disp->local, 0, sizeof(disp->local));
+	memset(&disp->peer, 0, sizeof(disp->peer));
+	disp->localport = 0;
+	disp->shutting_down = 0;
+	disp->shutdown_out = 0;
+	disp->connected = 0;
+	disp->tcpmsg_valid = 0;
+	disp->shutdown_why = ISC_R_UNEXPECTED;
+	disp->requests = 0;
+	disp->tcpbuffers = 0;
+	disp->qid = NULL;
+	ISC_LIST_INIT(disp->activesockets);
+	ISC_LIST_INIT(disp->inactivesockets);
+	disp->nsockets = 0;
+	disp->rngctx = NULL;
+	isc_rng_attach(mgr->rngctx, &disp->rngctx);
+	disp->port_table = NULL;
+	disp->portpool = NULL;
+	disp->dscp = -1;
+
+	result = isc_mutex_init(&disp->lock);
+	if (result != ISC_R_SUCCESS)
+		goto deallocate;
+
+	disp->failsafe_ev = allocate_devent(disp);
+	if (disp->failsafe_ev == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto kill_lock;
+	}
+
+	disp->magic = DISPATCH_MAGIC;
+
+	*dispp = disp;
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * error returns
+	 */
+ kill_lock:
+	DESTROYLOCK(&disp->lock);
+ deallocate:
+	if (disp->rngctx != NULL)
+		isc_rng_detach(&disp->rngctx);
+	isc_mempool_put(mgr->dpool, disp);
+
+	return (result);
+}
+
+
+/*
+ * MUST be unlocked, and not used by anything.
+ */
+static void
+dispatch_free(dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	dns_dispatchmgr_t *mgr;
+	int i;
+
+	REQUIRE(VALID_DISPATCH(*dispp));
+	disp = *dispp;
+	*dispp = NULL;
+
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	if (disp->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&disp->tcpmsg);
+		disp->tcpmsg_valid = 0;
+	}
+
+	INSIST(disp->tcpbuffers == 0);
+	INSIST(disp->requests == 0);
+	INSIST(disp->recv_pending == 0);
+	INSIST(ISC_LIST_EMPTY(disp->activesockets));
+	INSIST(ISC_LIST_EMPTY(disp->inactivesockets));
+
+	isc_mempool_put(mgr->depool, disp->failsafe_ev);
+	disp->failsafe_ev = NULL;
+
+	if (disp->qid != NULL)
+		qid_destroy(mgr->mctx, &disp->qid);
+
+	if (disp->port_table != NULL) {
+		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+			INSIST(ISC_LIST_EMPTY(disp->port_table[i]));
+		isc_mem_put(mgr->mctx, disp->port_table,
+			    sizeof(disp->port_table[0]) *
+			    DNS_DISPATCH_PORTTABLESIZE);
+	}
+
+	if (disp->portpool != NULL)
+		isc_mempool_destroy(&disp->portpool);
+
+	if (disp->rngctx != NULL)
+		isc_rng_detach(&disp->rngctx);
+
+	disp->mgr = NULL;
+	DESTROYLOCK(&disp->lock);
+	disp->magic = 0;
+	isc_mempool_put(mgr->dpool, disp);
+}
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp)
+{
+
+	attributes |= DNS_DISPATCHATTR_PRIVATE;  /* XXXMLG */
+
+	return (dns_dispatch_createtcp2(mgr, sock, taskmgr, NULL, NULL,
+					buffersize, maxbuffers, maxrequests,
+					buckets, increment, attributes,
+					dispp));
+}
+
+isc_result_t
+dns_dispatch_createtcp2(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+			isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+			isc_sockaddr_t *destaddr, unsigned int buffersize,
+			unsigned int maxbuffers, unsigned int maxrequests,
+			unsigned int buckets, unsigned int increment,
+			unsigned int attributes, dns_dispatch_t **dispp)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp;
+
+	UNUSED(maxbuffers);
+	UNUSED(buffersize);
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
+	REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0);
+
+	if (destaddr == NULL)
+		attributes |= DNS_DISPATCHATTR_PRIVATE;  /* XXXMLG */
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * dispatch_allocate() checks mgr for us.
+	 * qid_allocate() checks buckets and increment for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, maxrequests, &disp);
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
+	result = qid_allocate(mgr, buckets, increment, &disp->qid, false);
+	if (result != ISC_R_SUCCESS)
+		goto deallocate_dispatch;
+
+	disp->socktype = isc_sockettype_tcp;
+	disp->socket = NULL;
+	isc_socket_attach(sock, &disp->socket);
+
+	disp->sepool = NULL;
+
+	disp->ntasks = 1;
+	disp->task[0] = NULL;
+	result = isc_task_create(taskmgr, 0, &disp->task[0]);
+	if (result != ISC_R_SUCCESS)
+		goto kill_socket;
+
+	disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
+					    DNS_EVENT_DISPATCHCONTROL,
+					    destroy_disp, disp,
+					    sizeof(isc_event_t));
+	if (disp->ctlevent == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto kill_task;
+	}
+
+	isc_task_setname(disp->task[0], "tcpdispatch", disp);
+
+	dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
+	disp->tcpmsg_valid = 1;
+
+	disp->attributes = attributes;
+
+	if (localaddr == NULL) {
+		if (destaddr != NULL) {
+			switch (isc_sockaddr_pf(destaddr)) {
+			case AF_INET:
+				isc_sockaddr_any(&disp->local);
+				break;
+			case AF_INET6:
+				isc_sockaddr_any6(&disp->local);
+				break;
+			}
+		}
+	} else
+		disp->local = *localaddr;
+
+	if (destaddr != NULL)
+		disp->peer = *destaddr;
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+	UNLOCK(&mgr->lock);
+
+	mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]);
+	*dispp = disp;
+
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * Error returns.
+	 */
+ kill_task:
+	isc_task_detach(&disp->task[0]);
+ kill_socket:
+	isc_socket_detach(&disp->socket);
+ deallocate_dispatch:
+	dispatch_free(&disp);
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr,
+		    isc_sockaddr_t *localaddr, dns_dispatch_t **dispp)
+{
+	dns_dispatch_t *disp;
+	isc_result_t result;
+	isc_sockaddr_t peeraddr;
+	isc_sockaddr_t sockname;
+	unsigned int attributes, mask;
+	bool match = false;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(destaddr != NULL);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	attributes = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_CONNECTED;
+	mask = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_PRIVATE |
+	       DNS_DISPATCHATTR_EXCLUSIVE | DNS_DISPATCHATTR_CONNECTED;
+
+	LOCK(&mgr->lock);
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL && !match) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    (localaddr == NULL ||
+		     isc_sockaddr_eqaddr(localaddr, &disp->local))) {
+			result = isc_socket_getsockname(disp->socket,
+							&sockname);
+			if (result == ISC_R_SUCCESS)
+				result = isc_socket_getpeername(disp->socket,
+								&peeraddr);
+			if (result == ISC_R_SUCCESS &&
+			    isc_sockaddr_equal(destaddr, &peeraddr) &&
+			    (localaddr == NULL ||
+			     isc_sockaddr_eqaddr(localaddr, &sockname))) {
+				/* attach */
+				disp->refcount++;
+				*dispp = disp;
+				match = true;
+			}
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+	UNLOCK(&mgr->lock);
+	return (match ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_dispatch_gettcp2(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr,
+		     isc_sockaddr_t *localaddr, bool *connected,
+		     dns_dispatch_t **dispp)
+{
+	dns_dispatch_t *disp;
+	isc_result_t result;
+	isc_sockaddr_t peeraddr;
+	isc_sockaddr_t sockname;
+	unsigned int attributes, mask;
+	bool match = false;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(destaddr != NULL);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+	REQUIRE(connected != NULL);
+
+	/* First pass (same as dns_dispatch_gettcp()) */
+	attributes = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_CONNECTED;
+	mask = DNS_DISPATCHATTR_TCP | DNS_DISPATCHATTR_PRIVATE |
+	       DNS_DISPATCHATTR_EXCLUSIVE | DNS_DISPATCHATTR_CONNECTED;
+
+	LOCK(&mgr->lock);
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL && !match) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    (localaddr == NULL ||
+		     isc_sockaddr_eqaddr(localaddr, &disp->local))) {
+			result = isc_socket_getsockname(disp->socket,
+							&sockname);
+			if (result == ISC_R_SUCCESS)
+				result = isc_socket_getpeername(disp->socket,
+								&peeraddr);
+			if (result == ISC_R_SUCCESS &&
+			    isc_sockaddr_equal(destaddr, &peeraddr) &&
+			    (localaddr == NULL ||
+			     isc_sockaddr_eqaddr(localaddr, &sockname))) {
+				/* attach */
+				disp->refcount++;
+				*dispp = disp;
+				match = true;
+				*connected = true;
+			}
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+	if (match) {
+		UNLOCK(&mgr->lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Second pass */
+	attributes = DNS_DISPATCHATTR_TCP;
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL && !match) {
+		LOCK(&disp->lock);
+		if ((disp->shutting_down == 0) &&
+		    ATTRMATCH(disp->attributes, attributes, mask) &&
+		    (localaddr == NULL ||
+		     isc_sockaddr_eqaddr(localaddr, &disp->local)) &&
+		    isc_sockaddr_equal(destaddr, &disp->peer)) {
+			/* attach */
+			disp->refcount++;
+			*dispp = disp;
+			match = true;
+		}
+		UNLOCK(&disp->lock);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+	UNLOCK(&mgr->lock);
+	return (match ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    unsigned int attributes, unsigned int mask,
+		    dns_dispatch_t **dispp, dns_dispatch_t *dup_dispatch)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp = NULL;
+
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(sockmgr != NULL);
+	REQUIRE(localaddr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+	REQUIRE(maxbuffers > 0);
+	REQUIRE(buckets < 2097169);  /* next prime > 65536 * 32 */
+	REQUIRE(increment > buckets);
+	REQUIRE(dispp != NULL && *dispp == NULL);
+	REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
+
+	result = dns_dispatchmgr_setudp(mgr, buffersize, maxbuffers,
+					maxrequests, buckets, increment);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	LOCK(&mgr->lock);
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		REQUIRE(isc_sockaddr_getport(localaddr) == 0);
+		goto createudp;
+	}
+
+	/*
+	 * See if we have a dispatcher that matches.
+	 */
+	if (dup_dispatch == NULL) {
+		result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
+		if (result == ISC_R_SUCCESS) {
+			disp->refcount++;
+
+			if (disp->maxrequests < maxrequests)
+				disp->maxrequests = maxrequests;
+
+			if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0
+			    && (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+			{
+				disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+				if (disp->recv_pending != 0)
+					isc_socket_cancel(disp->socket,
+							  disp->task[0],
+							  ISC_SOCKCANCEL_RECV);
+			}
+
+			UNLOCK(&disp->lock);
+			UNLOCK(&mgr->lock);
+
+			*dispp = disp;
+
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+ createudp:
+	/*
+	 * Nope, create one.
+	 */
+	result = dispatch_createudp(mgr, sockmgr, taskmgr, localaddr,
+				    maxrequests, attributes, &disp,
+				    dup_dispatch == NULL
+					    ? NULL
+					    : dup_dispatch->socket);
+
+	if (result != ISC_R_SUCCESS) {
+		UNLOCK(&mgr->lock);
+		return (result);
+	}
+
+	UNLOCK(&mgr->lock);
+	*dispp = disp;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    unsigned int attributes, unsigned int mask,
+		    dns_dispatch_t **dispp)
+{
+	return (dns_dispatch_getudp_dup(mgr, sockmgr, taskmgr, localaddr,
+					buffersize, maxbuffers, maxrequests,
+					buckets, increment, attributes,
+					mask, dispp, NULL));
+}
+
+/*
+ * mgr should be locked.
+ */
+
+#ifndef DNS_DISPATCH_HELD
+#define DNS_DISPATCH_HELD 20U
+#endif
+
+static isc_result_t
+get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
+	      isc_socketmgr_t *sockmgr, isc_sockaddr_t *localaddr,
+	      isc_socket_t **sockp, isc_socket_t *dup_socket)
+{
+	unsigned int i, j;
+	isc_socket_t *held[DNS_DISPATCH_HELD];
+	isc_sockaddr_t localaddr_bound;
+	isc_socket_t *sock = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool anyport;
+
+	INSIST(sockp != NULL && *sockp == NULL);
+
+	localaddr_bound = *localaddr;
+	anyport = (isc_sockaddr_getport(localaddr) == 0);
+
+	if (anyport) {
+		unsigned int nports;
+		in_port_t *ports;
+
+		/*
+		 * If no port is specified, we first try to pick up a random
+		 * port by ourselves.
+		 */
+		if (isc_sockaddr_pf(localaddr) == AF_INET) {
+			nports = disp->mgr->nv4ports;
+			ports = disp->mgr->v4ports;
+		} else {
+			nports = disp->mgr->nv6ports;
+			ports = disp->mgr->v6ports;
+		}
+		if (nports == 0)
+			return (ISC_R_ADDRNOTAVAIL);
+
+		for (i = 0; i < 1024; i++) {
+			in_port_t prt;
+
+			prt = ports[isc_rng_uniformrandom(DISP_RNGCTX(disp),
+							  nports)];
+			isc_sockaddr_setport(&localaddr_bound, prt);
+			result = open_socket(sockmgr, &localaddr_bound,
+					     0, &sock, NULL);
+			/*
+			 * Continue if the port choosen is already in use
+			 * or the OS has reserved it.
+			 */
+			if (result == ISC_R_NOPERM ||
+			    result == ISC_R_ADDRINUSE)
+				continue;
+			disp->localport = prt;
+			*sockp = sock;
+			return (result);
+		}
+
+		/*
+		 * If this fails 1024 times, we then ask the kernel for
+		 * choosing one.
+		 */
+	} else {
+		/* Allow to reuse address for non-random ports. */
+		result = open_socket(sockmgr, localaddr,
+				     ISC_SOCKET_REUSEADDRESS, &sock,
+				     dup_socket);
+
+		if (result == ISC_R_SUCCESS)
+			*sockp = sock;
+
+		return (result);
+	}
+
+	memset(held, 0, sizeof(held));
+	i = 0;
+
+	for (j = 0; j < 0xffffU; j++) {
+		result = open_socket(sockmgr, localaddr, 0, &sock, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto end;
+		else if (portavailable(mgr, sock, NULL))
+			break;
+		if (held[i] != NULL)
+			isc_socket_detach(&held[i]);
+		held[i++] = sock;
+		sock = NULL;
+		if (i == DNS_DISPATCH_HELD)
+			i = 0;
+	}
+	if (j == 0xffffU) {
+		mgr_log(mgr, ISC_LOG_ERROR,
+			"avoid-v%s-udp-ports: unable to allocate "
+			"an available port",
+			isc_sockaddr_pf(localaddr) == AF_INET ? "4" : "6");
+		result = ISC_R_FAILURE;
+		goto end;
+	}
+	*sockp = sock;
+
+end:
+	for (i = 0; i < DNS_DISPATCH_HELD; i++) {
+		if (held[i] != NULL)
+			isc_socket_detach(&held[i]);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		   isc_taskmgr_t *taskmgr,
+		   isc_sockaddr_t *localaddr,
+		   unsigned int maxrequests,
+		   unsigned int attributes,
+		   dns_dispatch_t **dispp,
+		   isc_socket_t *dup_socket)
+{
+	isc_result_t result;
+	dns_dispatch_t *disp;
+	isc_socket_t *sock = NULL;
+	int i = 0;
+
+	/*
+	 * dispatch_allocate() checks mgr for us.
+	 */
+	disp = NULL;
+	result = dispatch_allocate(mgr, maxrequests, &disp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	disp->socktype = isc_sockettype_udp;
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0) {
+		result = get_udpsocket(mgr, disp, sockmgr, localaddr, &sock,
+				       dup_socket);
+		if (result != ISC_R_SUCCESS)
+			goto deallocate_dispatch;
+
+		if (isc_log_wouldlog(dns_lctx, 90)) {
+			char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+			isc_sockaddr_format(localaddr, addrbuf,
+					    ISC_SOCKADDR_FORMATSIZE);
+			mgr_log(mgr, LVL(90), "dns_dispatch_createudp: Created"
+				" UDP dispatch for %s with socket fd %d",
+				addrbuf, isc_socket_getfd(sock));
+		}
+
+	} else {
+		isc_sockaddr_t sa_any;
+
+		/*
+		 * For dispatches using exclusive sockets with a specific
+		 * source address, we only check if the specified address is
+		 * available on the system.  Query sockets will be created later
+		 * on demand.
+		 */
+		isc_sockaddr_anyofpf(&sa_any, isc_sockaddr_pf(localaddr));
+		if (!isc_sockaddr_eqaddr(&sa_any, localaddr)) {
+			result = open_socket(sockmgr, localaddr, 0, &sock, NULL);
+			if (sock != NULL)
+				isc_socket_detach(&sock);
+			if (result != ISC_R_SUCCESS)
+				goto deallocate_dispatch;
+		}
+
+		disp->port_table = isc_mem_get(mgr->mctx,
+					       sizeof(disp->port_table[0]) *
+					       DNS_DISPATCH_PORTTABLESIZE);
+		if (disp->port_table == NULL)
+			goto deallocate_dispatch;
+		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+			ISC_LIST_INIT(disp->port_table[i]);
+
+		result = isc_mempool_create(mgr->mctx, sizeof(dispportentry_t),
+					    &disp->portpool);
+		if (result != ISC_R_SUCCESS)
+			goto deallocate_dispatch;
+		isc_mempool_setname(disp->portpool, "disp_portpool");
+		isc_mempool_setfreemax(disp->portpool, 128);
+	}
+	disp->socket = sock;
+	disp->local = *localaddr;
+
+	if ((attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
+		disp->ntasks = MAX_INTERNAL_TASKS;
+	else
+		disp->ntasks = 1;
+	for (i = 0; i < disp->ntasks; i++) {
+		disp->task[i] = NULL;
+		result = isc_task_create(taskmgr, 0, &disp->task[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (--i >= 0) {
+				isc_task_shutdown(disp->task[i]);
+				isc_task_detach(&disp->task[i]);
+			}
+			goto kill_socket;
+		}
+		isc_task_setname(disp->task[i], "udpdispatch", disp);
+	}
+
+	disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
+					    DNS_EVENT_DISPATCHCONTROL,
+					    destroy_disp, disp,
+					    sizeof(isc_event_t));
+	if (disp->ctlevent == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto kill_task;
+	}
+
+	disp->sepool = NULL;
+	if (isc_mempool_create(mgr->mctx, sizeof(isc_socketevent_t),
+			       &disp->sepool) != ISC_R_SUCCESS)
+	{
+		result = ISC_R_NOMEMORY;
+		goto kill_ctlevent;
+	}
+
+	result = isc_mutex_init(&disp->sepool_lock);
+	if (result != ISC_R_SUCCESS)
+		goto kill_sepool;
+
+	isc_mempool_setname(disp->sepool, "disp_sepool");
+	isc_mempool_setmaxalloc(disp->sepool, 32768);
+	isc_mempool_setfreemax(disp->sepool, 32768);
+	isc_mempool_associatelock(disp->sepool, &disp->sepool_lock);
+	isc_mempool_setfillcount(disp->sepool, 16);
+
+	attributes &= ~DNS_DISPATCHATTR_TCP;
+	attributes |= DNS_DISPATCHATTR_UDP;
+	disp->attributes = attributes;
+
+	/*
+	 * Append it to the dispatcher list.
+	 */
+	ISC_LIST_APPEND(mgr->list, disp, link);
+
+	mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
+	dispatch_log(disp, LVL(90), "created task %p", disp->task[0]); /* XXX */
+	if (disp->socket != NULL)
+		dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
+
+	*dispp = disp;
+
+	return (result);
+
+	/*
+	 * Error returns.
+	 */
+ kill_sepool:
+	isc_mempool_destroy(&disp->sepool);
+ kill_ctlevent:
+	isc_event_free(&disp->ctlevent);
+ kill_task:
+	for (i = 0; i < disp->ntasks; i++)
+		isc_task_detach(&disp->task[i]);
+ kill_socket:
+	if (disp->socket != NULL)
+		isc_socket_detach(&disp->socket);
+ deallocate_dispatch:
+	dispatch_free(&disp);
+
+	return (result);
+}
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(dispp != NULL && *dispp == NULL);
+
+	LOCK(&disp->lock);
+	disp->refcount++;
+	UNLOCK(&disp->lock);
+
+	*dispp = disp;
+}
+
+/*
+ * It is important to lock the manager while we are deleting the dispatch,
+ * since dns_dispatch_getudp will call dispatch_find, which returns to
+ * the caller a dispatch but does not attach to it until later.  _getudp
+ * locks the manager, however, so locking it here will keep us from attaching
+ * to a dispatcher that is in the process of going away.
+ */
+void
+dns_dispatch_detach(dns_dispatch_t **dispp) {
+	dns_dispatch_t *disp;
+	dispsocket_t *dispsock;
+	bool killit;
+
+	REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
+
+	disp = *dispp;
+	*dispp = NULL;
+
+	LOCK(&disp->lock);
+
+	INSIST(disp->refcount > 0);
+	disp->refcount--;
+	if (disp->refcount == 0) {
+		if (disp->recv_pending > 0)
+			isc_socket_cancel(disp->socket, disp->task[0],
+					  ISC_SOCKCANCEL_RECV);
+		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
+		     dispsock != NULL;
+		     dispsock = ISC_LIST_NEXT(dispsock, link)) {
+			isc_socket_cancel(dispsock->socket, dispsock->task,
+					  ISC_SOCKCANCEL_RECV);
+		}
+		disp->shutting_down = 1;
+	}
+
+	dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
+
+	killit = destroy_disp_ok(disp);
+	UNLOCK(&disp->lock);
+	if (killit)
+		isc_task_send(disp->task[0], &disp->ctlevent);
+}
+
+isc_result_t
+dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+			  isc_task_t *task, isc_taskaction_t action, void *arg,
+			  dns_messageid_t *idp, dns_dispentry_t **resp,
+			  isc_socketmgr_t *sockmgr)
+{
+	return (dns_dispatch_addresponse3(disp, 0, dest, task, action, arg,
+					  idp, resp, sockmgr));
+}
+
+isc_result_t
+dns_dispatch_addresponse3(dns_dispatch_t *disp, unsigned int options,
+			  isc_sockaddr_t *dest, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_messageid_t *idp, dns_dispentry_t **resp,
+			  isc_socketmgr_t *sockmgr)
+{
+	dns_dispentry_t *res;
+	unsigned int bucket;
+	in_port_t localport = 0;
+	dns_messageid_t id;
+	int i;
+	bool ok;
+	dns_qid_t *qid;
+	dispsocket_t *dispsocket = NULL;
+	isc_result_t result;
+
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(task != NULL);
+	REQUIRE(dest != NULL);
+	REQUIRE(resp != NULL && *resp == NULL);
+	REQUIRE(idp != NULL);
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
+		REQUIRE(sockmgr != NULL);
+
+	LOCK(&disp->lock);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+
+	if (disp->requests >= disp->maxrequests) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_QUOTA);
+	}
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0 &&
+	    disp->nsockets > DNS_DISPATCH_SOCKSQUOTA) {
+		dispsocket_t *oldestsocket;
+		dns_dispentry_t *oldestresp;
+		dns_dispatchevent_t *rev;
+
+		/*
+		 * Kill oldest outstanding query if the number of sockets
+		 * exceeds the quota to keep the room for new queries.
+		 */
+		oldestsocket = ISC_LIST_HEAD(disp->activesockets);
+		oldestresp = oldestsocket->resp;
+		if (oldestresp != NULL && !oldestresp->item_out) {
+			rev = allocate_devent(oldestresp->disp);
+			if (rev != NULL) {
+				rev->buffer.base = NULL;
+				rev->result = ISC_R_CANCELED;
+				rev->id = oldestresp->id;
+				ISC_EVENT_INIT(rev, sizeof(*rev), 0,
+					       NULL, DNS_EVENT_DISPATCH,
+					       oldestresp->action,
+					       oldestresp->arg, oldestresp,
+					       NULL, NULL);
+				oldestresp->item_out = true;
+				isc_task_send(oldestresp->task,
+					      ISC_EVENT_PTR(&rev));
+				inc_stats(disp->mgr,
+					  dns_resstatscounter_dispabort);
+			}
+		}
+
+		/*
+		 * Move this entry to the tail so that it won't (easily) be
+		 * examined before actually being canceled.
+		 */
+		ISC_LIST_UNLINK(disp->activesockets, oldestsocket, link);
+		ISC_LIST_APPEND(disp->activesockets, oldestsocket, link);
+	}
+
+	qid = DNS_QID(disp);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		/*
+		 * Get a separate UDP socket with a random port number.
+		 */
+		result = get_dispsocket(disp, dest, sockmgr, &dispsocket,
+					&localport);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&disp->lock);
+			inc_stats(disp->mgr, dns_resstatscounter_dispsockfail);
+			return (result);
+		}
+	} else {
+		localport = disp->localport;
+	}
+
+	/*
+	 * Try somewhat hard to find an unique ID unless FIXEDID is set
+	 * in which case we use the id passed in via *idp.
+	 */
+	LOCK(&qid->lock);
+	if ((options & DNS_DISPATCHOPT_FIXEDID) != 0)
+		id = *idp;
+	else
+		id = (dns_messageid_t)isc_rng_random(DISP_RNGCTX(disp));
+	ok = false;
+	i = 0;
+	do {
+		bucket = dns_hash(qid, dest, id, localport);
+		if (entry_search(qid, dest, id, localport, bucket) == NULL) {
+			ok = true;
+			break;
+		}
+		if ((disp->attributes & DNS_DISPATCHATTR_FIXEDID) != 0)
+			break;
+		id += qid->qid_increment;
+		id &= 0x0000ffff;
+	} while (i++ < 64);
+	UNLOCK(&qid->lock);
+
+	if (!ok) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_NOMORE);
+	}
+
+	res = isc_mempool_get(disp->mgr->rpool);
+	if (res == NULL) {
+		if (dispsocket != NULL)
+			destroy_dispsocket(disp, &dispsocket);
+		UNLOCK(&disp->lock);
+		return (ISC_R_NOMEMORY);
+	}
+
+	disp->refcount++;
+	disp->requests++;
+	res->task = NULL;
+	isc_task_attach(task, &res->task);
+	res->disp = disp;
+	res->id = id;
+	res->port = localport;
+	res->bucket = bucket;
+	res->host = *dest;
+	res->action = action;
+	res->arg = arg;
+	res->dispsocket = dispsocket;
+	if (dispsocket != NULL)
+		dispsocket->resp = res;
+	res->item_out = false;
+	ISC_LIST_INIT(res->items);
+	ISC_LINK_INIT(res, link);
+	res->magic = RESPONSE_MAGIC;
+
+	LOCK(&qid->lock);
+	ISC_LIST_APPEND(qid->qid_table[bucket], res, link);
+	UNLOCK(&qid->lock);
+
+	inc_stats(disp->mgr, (qid == disp->mgr->qid) ?
+			     dns_resstatscounter_disprequdp :
+			     dns_resstatscounter_dispreqtcp);
+
+	request_log(disp, res, LVL(90),
+		    "attached to task %p", res->task);
+
+	if (((disp->attributes & DNS_DISPATCHATTR_UDP) != 0) ||
+	    ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) != 0)) {
+		result = startrecv(disp, dispsocket);
+		if (result != ISC_R_SUCCESS) {
+			LOCK(&qid->lock);
+			ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
+			UNLOCK(&qid->lock);
+
+			if (dispsocket != NULL)
+				destroy_dispsocket(disp, &dispsocket);
+
+			disp->refcount--;
+			disp->requests--;
+
+			dec_stats(disp->mgr, (qid == disp->mgr->qid) ?
+					     dns_resstatscounter_disprequdp :
+					     dns_resstatscounter_dispreqtcp);
+
+			UNLOCK(&disp->lock);
+			isc_task_detach(&res->task);
+			isc_mempool_put(disp->mgr->rpool, res);
+			return (result);
+		}
+	}
+
+	if (dispsocket != NULL)
+		ISC_LIST_APPEND(disp->activesockets, dispsocket, link);
+
+	UNLOCK(&disp->lock);
+
+	*idp = id;
+	*resp = res;
+
+	if ((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) != 0)
+		INSIST(res->dispsocket != NULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+			 isc_task_t *task, isc_taskaction_t action, void *arg,
+			 dns_messageid_t *idp, dns_dispentry_t **resp)
+{
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0);
+
+	return (dns_dispatch_addresponse3(disp, 0, dest, task, action, arg,
+					  idp, resp, NULL));
+}
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp) {
+
+	REQUIRE(VALID_DISPATCH(disp));
+
+	dispatch_log(disp, LVL(90), "starttcp %p", disp->task[0]);
+
+	LOCK(&disp->lock);
+	if ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) == 0) {
+		disp->attributes |= DNS_DISPATCHATTR_CONNECTED;
+		(void)startrecv(disp, NULL);
+	}
+	UNLOCK(&disp->lock);
+}
+
+isc_result_t
+dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
+	dns_dispatch_t *disp;
+	dns_dispatchevent_t *ev;
+
+	REQUIRE(VALID_RESPONSE(resp));
+	REQUIRE(sockevent != NULL && *sockevent != NULL);
+
+	disp = resp->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+
+	REQUIRE(resp->item_out == true);
+	resp->item_out = false;
+
+	ev = *sockevent;
+	*sockevent = NULL;
+
+	LOCK(&disp->lock);
+	if (ev->buffer.base != NULL)
+		free_buffer(disp, ev->buffer.base, ev->buffer.length);
+	free_devent(disp, ev);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	ev = ISC_LIST_HEAD(resp->items);
+	if (ev != NULL) {
+		ISC_LIST_UNLINK(resp->items, ev, ev_link);
+		ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
+			       resp->action, resp->arg, resp, NULL, NULL);
+		request_log(disp, resp, LVL(90),
+			    "[c] Sent event %p buffer %p len %d to task %p",
+			    ev, ev->buffer.base, ev->buffer.length,
+			    resp->task);
+		resp->item_out = true;
+		isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
+	}
+	UNLOCK(&disp->lock);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
+			    dns_dispatchevent_t **sockevent)
+{
+	dns_dispatchmgr_t *mgr;
+	dns_dispatch_t *disp;
+	dns_dispentry_t *res;
+	dispsocket_t *dispsock;
+	dns_dispatchevent_t *ev;
+	unsigned int bucket;
+	bool killit;
+	unsigned int n;
+	isc_eventlist_t events;
+	dns_qid_t *qid;
+
+	REQUIRE(resp != NULL);
+	REQUIRE(VALID_RESPONSE(*resp));
+
+	res = *resp;
+	*resp = NULL;
+
+	disp = res->disp;
+	REQUIRE(VALID_DISPATCH(disp));
+	mgr = disp->mgr;
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+
+	qid = DNS_QID(disp);
+
+	if (sockevent != NULL) {
+		REQUIRE(*sockevent != NULL);
+		ev = *sockevent;
+		*sockevent = NULL;
+	} else {
+		ev = NULL;
+	}
+
+	LOCK(&disp->lock);
+
+	INSIST(disp->requests > 0);
+	disp->requests--;
+	dec_stats(disp->mgr, (qid == disp->mgr->qid) ?
+			     dns_resstatscounter_disprequdp :
+			     dns_resstatscounter_dispreqtcp);
+	INSIST(disp->refcount > 0);
+	disp->refcount--;
+	if (disp->refcount == 0) {
+		if (disp->recv_pending > 0)
+			isc_socket_cancel(disp->socket, disp->task[0],
+					  ISC_SOCKCANCEL_RECV);
+		for (dispsock = ISC_LIST_HEAD(disp->activesockets);
+		     dispsock != NULL;
+		     dispsock = ISC_LIST_NEXT(dispsock, link)) {
+			isc_socket_cancel(dispsock->socket, dispsock->task,
+					  ISC_SOCKCANCEL_RECV);
+		}
+		disp->shutting_down = 1;
+	}
+
+	bucket = res->bucket;
+
+	LOCK(&qid->lock);
+	ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
+	UNLOCK(&qid->lock);
+
+	if (ev == NULL && res->item_out) {
+		/*
+		 * We've posted our event, but the caller hasn't gotten it
+		 * yet.  Take it back.
+		 */
+		ISC_LIST_INIT(events);
+		n = isc_task_unsend(res->task, res, DNS_EVENT_DISPATCH,
+				    NULL, &events);
+		/*
+		 * We had better have gotten it back.
+		 */
+		INSIST(n == 1);
+		ev = (dns_dispatchevent_t *)ISC_LIST_HEAD(events);
+	}
+
+	if (ev != NULL) {
+		REQUIRE(res->item_out == true);
+		res->item_out = false;
+		if (ev->buffer.base != NULL)
+			free_buffer(disp, ev->buffer.base, ev->buffer.length);
+		free_devent(disp, ev);
+	}
+
+	request_log(disp, res, LVL(90), "detaching from task %p", res->task);
+	isc_task_detach(&res->task);
+
+	if (res->dispsocket != NULL) {
+		isc_socket_cancel(res->dispsocket->socket,
+				  res->dispsocket->task, ISC_SOCKCANCEL_RECV);
+		res->dispsocket->resp = NULL;
+	}
+
+	/*
+	 * Free any buffered responses as well
+	 */
+	ev = ISC_LIST_HEAD(res->items);
+	while (ev != NULL) {
+		ISC_LIST_UNLINK(res->items, ev, ev_link);
+		if (ev->buffer.base != NULL)
+			free_buffer(disp, ev->buffer.base, ev->buffer.length);
+		free_devent(disp, ev);
+		ev = ISC_LIST_HEAD(res->items);
+	}
+	res->magic = 0;
+	isc_mempool_put(disp->mgr->rpool, res);
+	if (disp->shutting_down == 1)
+		do_cancel(disp);
+	else
+		(void)startrecv(disp, NULL);
+
+	killit = destroy_disp_ok(disp);
+	UNLOCK(&disp->lock);
+	if (killit)
+		isc_task_send(disp->task[0], &disp->ctlevent);
+}
+
+static void
+do_cancel(dns_dispatch_t *disp) {
+	dns_dispatchevent_t *ev;
+	dns_dispentry_t *resp;
+	dns_qid_t *qid;
+
+	if (disp->shutdown_out == 1)
+		return;
+
+	qid = DNS_QID(disp);
+
+	/*
+	 * Search for the first response handler without packets outstanding
+	 * unless a specific hander is given.
+	 */
+	LOCK(&qid->lock);
+	for (resp = linear_first(qid);
+	     resp != NULL && resp->item_out;
+	     /* Empty. */)
+		resp = linear_next(qid, resp);
+
+	/*
+	 * No one to send the cancel event to, so nothing to do.
+	 */
+	if (resp == NULL)
+		goto unlock;
+
+	/*
+	 * Send the shutdown failsafe event to this resp.
+	 */
+	ev = disp->failsafe_ev;
+	ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
+		       resp->action, resp->arg, resp, NULL, NULL);
+	ev->result = disp->shutdown_why;
+	ev->buffer.base = NULL;
+	ev->buffer.length = 0;
+	disp->shutdown_out = 1;
+	request_log(disp, resp, LVL(10),
+		    "cancel: failsafe event %p -> task %p",
+		    ev, resp->task);
+	resp->item_out = true;
+	isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
+ unlock:
+	UNLOCK(&qid->lock);
+}
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	return (disp->socket);
+}
+
+isc_socket_t *
+dns_dispatch_getentrysocket(dns_dispentry_t *resp) {
+	REQUIRE(VALID_RESPONSE(resp));
+
+	if (resp->dispsocket != NULL)
+		return (resp->dispsocket->socket);
+	else
+		return (NULL);
+}
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp) {
+
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(addrp != NULL);
+
+	if (disp->socktype == isc_sockettype_udp) {
+		*addrp = disp->local;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	LOCK(&disp->lock);
+
+	if (disp->shutting_down == 1) {
+		UNLOCK(&disp->lock);
+		return;
+	}
+
+	disp->shutdown_why = ISC_R_CANCELED;
+	disp->shutting_down = 1;
+	do_cancel(disp);
+
+	UNLOCK(&disp->lock);
+
+	return;
+}
+
+unsigned int
+dns_dispatch_getattributes(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+
+	/*
+	 * We don't bother locking disp here; it's the caller's responsibility
+	 * to use only non volatile flags.
+	 */
+	return (disp->attributes);
+}
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+			      unsigned int attributes, unsigned int mask)
+{
+	REQUIRE(VALID_DISPATCH(disp));
+	/* Exclusive attribute can only be set on creation */
+	REQUIRE((attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0);
+	/* Also, a dispatch with randomport specified cannot start listening */
+	REQUIRE((disp->attributes & DNS_DISPATCHATTR_EXCLUSIVE) == 0 ||
+		(attributes & DNS_DISPATCHATTR_NOLISTEN) == 0);
+
+	/* XXXMLG
+	 * Should check for valid attributes here!
+	 */
+
+	LOCK(&disp->lock);
+
+	if ((mask & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+		if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0 &&
+		    (attributes & DNS_DISPATCHATTR_NOLISTEN) == 0) {
+			disp->attributes &= ~DNS_DISPATCHATTR_NOLISTEN;
+			(void)startrecv(disp, NULL);
+		} else if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN)
+			   == 0 &&
+			   (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+			disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+			if (disp->recv_pending != 0)
+				isc_socket_cancel(disp->socket, disp->task[0],
+						  ISC_SOCKCANCEL_RECV);
+		}
+	}
+
+	disp->attributes &= ~mask;
+	disp->attributes |= (attributes & mask);
+	UNLOCK(&disp->lock);
+}
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
+	void *buf;
+	isc_socketevent_t *sevent, *newsevent;
+
+	REQUIRE(VALID_DISPATCH(disp));
+	REQUIRE(event != NULL);
+
+	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0)
+		return;
+
+	sevent = (isc_socketevent_t *)event;
+	INSIST(sevent->n <= disp->mgr->buffersize);
+
+	newsevent = (isc_socketevent_t *)
+		    isc_event_allocate(disp->mgr->mctx, NULL,
+				      DNS_EVENT_IMPORTRECVDONE, udp_shrecv,
+				      disp, sizeof(isc_socketevent_t));
+	if (newsevent == NULL)
+		return;
+
+	buf = allocate_udp_buffer(disp);
+	if (buf == NULL) {
+		isc_event_free(ISC_EVENT_PTR(&newsevent));
+		return;
+	}
+	memmove(buf, sevent->region.base, sevent->n);
+	newsevent->region.base = buf;
+	newsevent->region.length = disp->mgr->buffersize;
+	newsevent->n = sevent->n;
+	newsevent->result = sevent->result;
+	newsevent->address = sevent->address;
+	newsevent->timestamp = sevent->timestamp;
+	newsevent->pktinfo = sevent->pktinfo;
+	newsevent->attributes = sevent->attributes;
+
+	isc_task_send(disp->task[0], ISC_EVENT_PTR(&newsevent));
+}
+
+dns_dispatch_t *
+dns_dispatchset_get(dns_dispatchset_t *dset) {
+	dns_dispatch_t *disp;
+
+	/* check that dispatch set is configured */
+	if (dset == NULL || dset->ndisp == 0)
+		return (NULL);
+
+	LOCK(&dset->lock);
+	disp = dset->dispatches[dset->cur];
+	dset->cur++;
+	if (dset->cur == dset->ndisp)
+		dset->cur = 0;
+	UNLOCK(&dset->lock);
+
+	return (disp);
+}
+
+isc_result_t
+dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
+		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
+		       dns_dispatchset_t **dsetp, int n)
+{
+	isc_result_t result;
+	dns_dispatchset_t *dset;
+	dns_dispatchmgr_t *mgr;
+	int i, j;
+
+	REQUIRE(VALID_DISPATCH(source));
+	REQUIRE((source->attributes & DNS_DISPATCHATTR_UDP) != 0);
+	REQUIRE(dsetp != NULL && *dsetp == NULL);
+
+	mgr = source->mgr;
+
+	dset = isc_mem_get(mctx, sizeof(dns_dispatchset_t));
+	if (dset == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(dset, 0, sizeof(*dset));
+
+	result = isc_mutex_init(&dset->lock);
+	if (result != ISC_R_SUCCESS)
+		goto fail_alloc;
+
+	dset->dispatches = isc_mem_get(mctx, sizeof(dns_dispatch_t *) * n);
+	if (dset->dispatches == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto fail_lock;
+	}
+
+	isc_mem_attach(mctx, &dset->mctx);
+	dset->ndisp = n;
+	dset->cur = 0;
+
+	dset->dispatches[0] = NULL;
+	dns_dispatch_attach(source, &dset->dispatches[0]);
+
+	LOCK(&mgr->lock);
+	for (i = 1; i < n; i++) {
+		dset->dispatches[i] = NULL;
+		result = dispatch_createudp(mgr, sockmgr, taskmgr,
+					    &source->local,
+					    source->maxrequests,
+					    source->attributes,
+					    &dset->dispatches[i],
+					    source->socket);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	UNLOCK(&mgr->lock);
+	*dsetp = dset;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	UNLOCK(&mgr->lock);
+
+	for (j = 0; j < i; j++)
+		dns_dispatch_detach(&(dset->dispatches[j]));
+	isc_mem_put(mctx, dset->dispatches, sizeof(dns_dispatch_t *) * n);
+	if (dset->mctx == mctx)
+		isc_mem_detach(&dset->mctx);
+
+ fail_lock:
+	DESTROYLOCK(&dset->lock);
+
+ fail_alloc:
+	isc_mem_put(mctx, dset, sizeof(dns_dispatchset_t));
+	return (result);
+}
+
+void
+dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task) {
+	int i;
+
+	REQUIRE(dset != NULL);
+
+	for (i = 0; i < dset->ndisp; i++) {
+		isc_socket_t *sock;
+		sock = dns_dispatch_getsocket(dset->dispatches[i]);
+		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+	}
+}
+
+void
+dns_dispatchset_destroy(dns_dispatchset_t **dsetp) {
+	dns_dispatchset_t *dset;
+	int i;
+
+	REQUIRE(dsetp != NULL && *dsetp != NULL);
+
+	dset = *dsetp;
+	for (i = 0; i < dset->ndisp; i++)
+		dns_dispatch_detach(&(dset->dispatches[i]));
+	isc_mem_put(dset->mctx, dset->dispatches,
+		    sizeof(dns_dispatch_t *) * dset->ndisp);
+	DESTROYLOCK(&dset->lock);
+	isc_mem_putanddetach(&dset->mctx, dset, sizeof(dns_dispatchset_t));
+
+	*dsetp = NULL;
+}
+
+void
+dns_dispatch_setdscp(dns_dispatch_t *disp, isc_dscp_t dscp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	disp->dscp = dscp;
+}
+
+isc_dscp_t
+dns_dispatch_getdscp(dns_dispatch_t *disp) {
+	REQUIRE(VALID_DISPATCH(disp));
+	return (disp->dscp);
+}
+
+#if 0
+void
+dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
+	dns_dispatch_t *disp;
+	char foo[1024];
+
+	disp = ISC_LIST_HEAD(mgr->list);
+	while (disp != NULL) {
+		isc_sockaddr_format(&disp->local, foo, sizeof(foo));
+		printf("\tdispatch %p, addr %s\n", disp, foo);
+		disp = ISC_LIST_NEXT(disp, link);
+	}
+}
+#endif
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
new file mode 100644
index 0000000..6c93d97
--- /dev/null
+++ b/lib/dns/dlz.c
@@ -0,0 +1,549 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <dns/db.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/ssu.h>
+#include <dns/zone.h>
+
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/***
+ *** Supported DLZ DB Implementations Registry
+ ***/
+
+static ISC_LIST(dns_dlzimplementation_t) dlz_implementations;
+static isc_rwlock_t dlz_implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dlz_initialize(void) {
+	RUNTIME_CHECK(isc_rwlock_init(&dlz_implock, 0, 0) == ISC_R_SUCCESS);
+	ISC_LIST_INIT(dlz_implementations);
+}
+
+/*%
+ * Searches the dlz_implementations list for a driver matching name.
+ */
+static inline dns_dlzimplementation_t *
+dlz_impfind(const char *name) {
+	dns_dlzimplementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(dlz_implementations);
+	     imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+		if (strcasecmp(name, imp->name) == 0)
+			return (imp);
+	return (NULL);
+}
+
+/***
+ *** Basic DLZ Methods
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
+		    isc_sockaddr_t *clientaddr, dns_db_t **dbp)
+{
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_dlzallowzonexfr_t allowzonexfr;
+	dns_dlzdb_t *dlzdb;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/*
+	 * Find a driver in which the zone exists and transfer is supported
+	 */
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched);
+	     dlzdb != NULL;
+	     dlzdb = ISC_LIST_NEXT(dlzdb, link))
+	{
+		REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+		allowzonexfr = dlzdb->implementation->methods->allowzonexfr;
+		result = (*allowzonexfr)(dlzdb->implementation->driverarg,
+					 dlzdb->dbdata, dlzdb->mctx,
+					 view->rdclass, name, clientaddr, dbp);
+
+		/*
+		 * if ISC_R_NOPERM, we found the right database but
+		 * the zone may not transfer.
+		 */
+		if (result == ISC_R_SUCCESS || result == ISC_R_NOPERM)
+			return (result);
+	}
+
+	if (result == ISC_R_NOTIMPLEMENTED)
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname, const char *drivername,
+	      unsigned int argc, char *argv[], dns_dlzdb_t **dbp)
+{
+	dns_dlzimplementation_t *impinfo;
+	isc_result_t result;
+	dns_dlzdb_t *db = NULL;
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(drivername != NULL);
+	REQUIRE(mctx != NULL);
+
+	/* write log message */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+		      "Loading '%s' using driver %s", dlzname, drivername);
+
+	/* lock the dlz_implementations list so we can search it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_read);
+
+	/* search for the driver implementation	 */
+	impinfo = dlz_impfind(drivername);
+	if (impinfo == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "unsupported DLZ database driver '%s'."
+			      "  %s not loaded.",
+			      drivername, dlzname);
+
+		return (ISC_R_NOTFOUND);
+	}
+
+	/* Allocate memory to hold the DLZ database driver */
+	db = isc_mem_get(mctx, sizeof(dns_dlzdb_t));
+	if (db == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Make sure memory region is set to all 0's */
+	memset(db, 0, sizeof(dns_dlzdb_t));
+
+	ISC_LINK_INIT(db, link);
+	db->implementation = impinfo;
+	if (dlzname != NULL)
+		db->dlzname = isc_mem_strdup(mctx, dlzname);
+
+	/* Create a new database using implementation 'drivername'. */
+	result = ((impinfo->methods->create)(mctx, dlzname, argc, argv,
+					     impinfo->driverarg,
+					     &db->dbdata));
+
+	/* mark the DLZ driver as valid */
+	if (result == ISC_R_SUCCESS) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+		db->magic = DNS_DLZ_MAGIC;
+		isc_mem_attach(mctx, &db->mctx);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ driver loaded successfully.");
+		*dbp = db;
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_ERROR,
+			      "DLZ driver failed to load.");
+	}
+
+	/* impinfo->methods->create failed. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_read);
+	isc_mem_put(mctx, db, sizeof(dns_dlzdb_t));
+	return (result);
+}
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp) {
+	dns_dlzdestroy_t destroy;
+	dns_dlzdb_t *db;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unloading DLZ driver.");
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dbp != NULL && DNS_DLZ_VALID(*dbp));
+
+	db = *dbp;
+	*dbp = NULL;
+
+	if (db->ssutable != NULL)
+		dns_ssutable_detach(&db->ssutable);
+
+	/* call the drivers destroy method */
+	if (db->dlzname != NULL)
+		isc_mem_free(db->mctx, db->dlzname);
+	destroy = db->implementation->methods->destroy;
+	(*destroy)(db->implementation->driverarg, db->dbdata);
+	/* return memory and detach */
+	isc_mem_putanddetach(&db->mctx, db, sizeof(dns_dlzdb_t));
+}
+
+/*%
+ * Registers a DLZ driver.  This basically just adds the dlz
+ * driver to the list of available drivers in the dlz_implementations list.
+ */
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp)
+{
+
+	dns_dlzimplementation_t *dlz_imp;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Registering DLZ driver '%s'", drivername);
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->create != NULL);
+	REQUIRE(methods->destroy != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(dlzimp != NULL && *dlzimp == NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/*
+	 * check that another already registered driver isn't using
+	 * the same name
+	 */
+	dlz_imp = dlz_impfind(drivername);
+	if (dlz_imp != NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+			      "DLZ Driver '%s' already registered",
+			      drivername);
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+		return (ISC_R_EXISTS);
+	}
+
+	/*
+	 * Allocate memory for a dlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	dlz_imp = isc_mem_get(mctx, sizeof(dns_dlzimplementation_t));
+	if (dlz_imp == NULL) {
+		RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Make sure memory region is set to all 0's */
+	memset(dlz_imp, 0, sizeof(dns_dlzimplementation_t));
+
+	/* Store the data passed into this method */
+	dlz_imp->name = drivername;
+	dlz_imp->methods = methods;
+	dlz_imp->mctx = NULL;
+	dlz_imp->driverarg = driverarg;
+
+	/* attach the new dlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &dlz_imp->mctx);
+
+	/*
+	 * prepare the dlz_implementation object to be put in a list,
+	 * and append it to the list
+	 */
+	ISC_LINK_INIT(dlz_imp, link);
+	ISC_LIST_APPEND(dlz_implementations, dlz_imp, link);
+
+	/* Unlock the dlz_implementations list.	 */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* Pass back the dlz_implementation that we created. */
+	*dlzimp = dlz_imp;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Tokenize the string "s" into whitespace-separated words,
+ * return the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_put().  The string
+ * is modified in-place.
+ */
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s,
+		 unsigned int *argcp, char ***argvp)
+{
+	return(isc_commandline_strtoargv(mctx, s, argcp, argvp, 0));
+}
+
+/*%
+ * Unregisters a DLZ driver.  This basically just removes the dlz
+ * driver from the list of available drivers in the dlz_implementations list.
+ */
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp) {
+	dns_dlzimplementation_t *dlz_imp;
+	isc_mem_t *mctx;
+
+	/* Write debugging message to log */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(2),
+		      "Unregistering DLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(dlzimp != NULL && *dlzimp != NULL);
+
+	/*
+	 * initialize the dlz_implementations list, this is guaranteed
+	 * to only really happen once.
+	 */
+	RUNTIME_CHECK(isc_once_do(&once, dlz_initialize) == ISC_R_SUCCESS);
+
+	dlz_imp = *dlzimp;
+
+	/* lock the dlz_implementations list so we can modify it. */
+	RWLOCK(&dlz_implock, isc_rwlocktype_write);
+
+	/* remove the dlz_implementation object from the list */
+	ISC_LIST_UNLINK(dlz_implementations, dlz_imp, link);
+	mctx = dlz_imp->mctx;
+
+	/*
+	 * Return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, dlz_imp, sizeof(dns_dlzimplementation_t));
+	isc_mem_detach(&mctx);
+
+	/* Unlock the dlz_implementations list. */
+	RWUNLOCK(&dlz_implock, isc_rwlocktype_write);
+}
+
+/*
+ * Create a writeable DLZ zone. This can be called by DLZ drivers
+ * during configure() to create a zone that can be updated. The zone
+ * type is set to dns_zone_dlz, which is equivalent to a master zone
+ *
+ * This function uses a callback setup in dns_dlzconfigure() to call
+ * into the server zone code to setup the remaining pieces of server
+ * specific functionality on the zone
+ */
+isc_result_t
+dns_dlz_writeablezone(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		      const char *zone_name)
+{
+	dns_zone_t *zone = NULL;
+	dns_zone_t *dupzone = NULL;
+	isc_result_t result;
+	isc_buffer_t buffer;
+	dns_fixedname_t fixorigin;
+	dns_name_t *origin;
+
+	REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+	REQUIRE(dlzdb->configure_callback != NULL);
+
+	isc_buffer_constinit(&buffer, zone_name, strlen(zone_name));
+	isc_buffer_add(&buffer, strlen(zone_name));
+	dns_fixedname_init(&fixorigin);
+	result = dns_name_fromtext(dns_fixedname_name(&fixorigin),
+				   &buffer, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	origin = dns_fixedname_name(&fixorigin);
+
+	if (!dlzdb->search) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_WARNING,
+			      "DLZ %s has 'search no;', but attempted to "
+			      "register writeable zone %s.",
+			      dlzdb->dlzname, zone_name);
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/* See if the zone already exists */
+	result = dns_view_findzone(view, origin, &dupzone);
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_detach(&dupzone);
+		result = ISC_R_EXISTS;
+		goto cleanup;
+	}
+	INSIST(dupzone == NULL);
+
+	/* Create it */
+	result = dns_zone_create(&zone, view->mctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_zone_setorigin(zone, origin);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	dns_zone_setview(zone, view);
+
+	dns_zone_setadded(zone, true);
+
+	if (dlzdb->ssutable == NULL) {
+		result = dns_ssutable_createdlz(dlzdb->mctx,
+						&dlzdb->ssutable, dlzdb);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+	dns_zone_setssutable(zone, dlzdb->ssutable);
+
+	result = dlzdb->configure_callback(view, dlzdb, zone);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_view_addzone(view, zone);
+
+
+ cleanup:
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	return (result);
+}
+
+/*%
+ * Configure a DLZ driver. This is optional, and if supplied gives
+ * the backend an opportunity to configure parameters related to DLZ.
+ */
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		 dlzconfigure_callback_t callback)
+{
+	dns_dlzimplementation_t *impl;
+	isc_result_t result;
+
+	REQUIRE(DNS_DLZ_VALID(dlzdb));
+	REQUIRE(dlzdb->implementation != NULL);
+
+	impl = dlzdb->implementation;
+
+	if (impl->methods->configure == NULL)
+		return (ISC_R_SUCCESS);
+
+	dlzdb->configure_callback = callback;
+
+	result = impl->methods->configure(impl->driverarg, dlzdb->dbdata,
+					  view, dlzdb);
+	return (result);
+}
+
+bool
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase, dns_name_t *signer,
+		 dns_name_t *name, isc_netaddr_t *tcpaddr,
+		 dns_rdatatype_t type, const dst_key_t *key)
+{
+	dns_dlzimplementation_t *impl;
+	bool r;
+
+	REQUIRE(dlzdatabase != NULL);
+	REQUIRE(dlzdatabase->implementation != NULL);
+	REQUIRE(dlzdatabase->implementation->methods != NULL);
+	impl = dlzdatabase->implementation;
+
+	if (impl->methods->ssumatch == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DLZ, ISC_LOG_INFO,
+			      "No ssumatch method for DLZ database");
+		return (false);
+	}
+
+	r = impl->methods->ssumatch(signer, name, tcpaddr, type, key,
+				    impl->driverarg, dlzdatabase->dbdata);
+	return (r);
+}
diff --git a/lib/dns/dns64.c b/lib/dns/dns64.c
new file mode 100644
index 0000000..490445c
--- /dev/null
+++ b/lib/dns/dns64.c
@@ -0,0 +1,297 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dns64.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+struct dns_dns64 {
+	unsigned char		bits[16];	/*
+						 * Prefix + suffix bits.
+						 */
+	dns_acl_t *		clients;	/*
+						 * Which clients get mapped
+						 * addresses.
+						 */
+	dns_acl_t *		mapped;		/*
+						 * IPv4 addresses to be mapped.
+						 */
+	dns_acl_t *		excluded;	/*
+						 * IPv6 addresses that are
+						 * treated as not existing.
+						 */
+	unsigned int		prefixlen;	/*
+						 * Start of mapped address.
+						 */
+	unsigned int		flags;
+	isc_mem_t *		mctx;
+	ISC_LINK(dns_dns64_t)	link;
+};
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
+		 unsigned int prefixlen, isc_netaddr_t *suffix,
+		 dns_acl_t *clients, dns_acl_t *mapped, dns_acl_t *excluded,
+		 unsigned int flags, dns_dns64_t **dns64p)
+{
+	dns_dns64_t *dns64;
+	unsigned int nbytes = 16;
+
+	REQUIRE(prefix != NULL && prefix->family == AF_INET6);
+	/* Legal prefix lengths from rfc6052.txt. */
+	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
+		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
+	REQUIRE(isc_netaddr_prefixok(prefix, prefixlen) == ISC_R_SUCCESS);
+	REQUIRE(dns64p != NULL && *dns64p == NULL);
+
+	if (suffix != NULL) {
+		static const unsigned char zeros[16];
+		REQUIRE(prefix->family == AF_INET6);
+		nbytes = prefixlen / 8 + 4;
+		/* Bits 64-71 are zeros. rfc6052.txt */
+		if (prefixlen >= 32 && prefixlen <= 64)
+			nbytes++;
+		REQUIRE(memcmp(suffix->type.in6.s6_addr, zeros, nbytes) == 0);
+	}
+
+	dns64 = isc_mem_get(mctx, sizeof(dns_dns64_t));
+	if (dns64 == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(dns64->bits, 0, sizeof(dns64->bits));
+	memmove(dns64->bits, prefix->type.in6.s6_addr, prefixlen / 8);
+	if (suffix != NULL)
+		memmove(dns64->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
+			16 - nbytes);
+	dns64->clients = NULL;
+	if (clients != NULL)
+		dns_acl_attach(clients, &dns64->clients);
+	dns64->mapped = NULL;
+	if (mapped != NULL)
+		dns_acl_attach(mapped, &dns64->mapped);
+	dns64->excluded = NULL;
+	if (excluded != NULL)
+		dns_acl_attach(excluded, &dns64->excluded);
+	dns64->prefixlen = prefixlen;
+	dns64->flags = flags;
+	ISC_LINK_INIT(dns64, link);
+	dns64->mctx = NULL;
+	isc_mem_attach(mctx, &dns64->mctx);
+	*dns64p = dns64;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p) {
+	dns_dns64_t *dns64;
+
+	REQUIRE(dns64p != NULL && *dns64p != NULL);
+
+	dns64 = *dns64p;
+	*dns64p = NULL;
+
+	REQUIRE(!ISC_LINK_LINKED(dns64, link));
+
+	if (dns64->clients != NULL)
+		dns_acl_detach(&dns64->clients);
+	if (dns64->mapped != NULL)
+		dns_acl_detach(&dns64->mapped);
+	if (dns64->excluded != NULL)
+		dns_acl_detach(&dns64->excluded);
+	isc_mem_putanddetach(&dns64->mctx, dns64, sizeof(*dns64));
+}
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		    unsigned int flags, unsigned char *a, unsigned char *aaaa)
+{
+	unsigned int nbytes, i;
+	isc_result_t result;
+	int match;
+
+	if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+	    (flags & DNS_DNS64_RECURSIVE) == 0)
+		return (DNS_R_DISALLOWED);
+
+	if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+	    (flags & DNS_DNS64_DNSSEC) != 0)
+		return (DNS_R_DISALLOWED);
+
+	if (dns64->clients != NULL) {
+		result = dns_acl_match(reqaddr, reqsigner, dns64->clients, env,
+				       &match, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (match <= 0)
+			return (DNS_R_DISALLOWED);
+	}
+
+	if (dns64->mapped != NULL) {
+		struct in_addr ina;
+		isc_netaddr_t netaddr;
+
+		memmove(&ina.s_addr, a, 4);
+		isc_netaddr_fromin(&netaddr, &ina);
+		result = dns_acl_match(&netaddr, NULL, dns64->mapped, env,
+				       &match, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (match <= 0)
+			return (DNS_R_DISALLOWED);
+	}
+
+	nbytes = dns64->prefixlen / 8;
+	INSIST(nbytes <= 12);
+	/* Copy prefix. */
+	memmove(aaaa, dns64->bits, nbytes);
+	/* Bits 64-71 are zeros. rfc6052.txt */
+	if (nbytes == 8)
+		aaaa[nbytes++] = 0;
+	/* Copy mapped address. */
+	for (i = 0; i < 4U; i++) {
+		aaaa[nbytes++] = a[i];
+		/* Bits 64-71 are zeros. rfc6052.txt */
+		if (nbytes == 8)
+			aaaa[nbytes++] = 0;
+	}
+	/* Copy suffix. */
+	memmove(aaaa + nbytes, dns64->bits + nbytes, 16 - nbytes);
+	return (ISC_R_SUCCESS);
+}
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64) {
+	dns64 = ISC_LIST_NEXT(dns64, link);
+	return (dns64);
+}
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64) {
+	ISC_LIST_APPEND(*list, dns64, link);
+}
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64) {
+	ISC_LIST_UNLINK(*list, dns64, link);
+}
+
+bool
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		 unsigned int flags, dns_rdataset_t *rdataset,
+		 bool *aaaaok, size_t aaaaoklen)
+{
+	struct in6_addr in6;
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	int match;
+	bool answer = false;
+	bool found = false;
+	unsigned int i, ok;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_aaaa);
+	REQUIRE(rdataset->rdclass == dns_rdataclass_in);
+	if (aaaaok != NULL)
+		REQUIRE(aaaaoklen == dns_rdataset_count(rdataset));
+
+	for (;dns64 != NULL; dns64 = ISC_LIST_NEXT(dns64, link)) {
+		if ((dns64->flags & DNS_DNS64_RECURSIVE_ONLY) != 0 &&
+		    (flags & DNS_DNS64_RECURSIVE) == 0)
+			continue;
+
+		if ((dns64->flags & DNS_DNS64_BREAK_DNSSEC) == 0 &&
+		    (flags & DNS_DNS64_DNSSEC) != 0)
+			continue;
+		/*
+		 * Work out if this dns64 structure applies to this client.
+		 */
+		if (dns64->clients != NULL) {
+			result = dns_acl_match(reqaddr, reqsigner,
+					       dns64->clients, env,
+					       &match, NULL);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (match <= 0)
+				continue;
+		}
+
+		if (!found && aaaaok != NULL) {
+			for (i = 0; i < aaaaoklen; i++)
+				aaaaok[i] = false;
+		}
+		found = true;
+
+		/*
+		 * If we are not excluding any addresses then any AAAA
+		 * will do.
+		 */
+		if (dns64->excluded == NULL) {
+			answer = true;
+			if (aaaaok == NULL)
+				goto done;
+			for (i = 0; i < aaaaoklen; i++)
+				aaaaok[i] = true;
+			goto done;
+		}
+
+		i = 0; ok = 0;
+		for (result = dns_rdataset_first(rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(rdataset)) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			if (aaaaok == NULL || !aaaaok[i]) {
+
+				dns_rdataset_current(rdataset, &rdata);
+				memmove(&in6.s6_addr, rdata.data, 16);
+				isc_netaddr_fromin6(&netaddr, &in6);
+
+				result = dns_acl_match(&netaddr, NULL,
+						       dns64->excluded,
+						       env, &match, NULL);
+				if (result == ISC_R_SUCCESS && match <= 0) {
+					answer = true;
+					if (aaaaok == NULL)
+						goto done;
+					aaaaok[i] = true;
+					ok++;
+				}
+			} else
+				ok++;
+			i++;
+		}
+		/*
+		 * Are all addresses ok?
+		 */
+		if (aaaaok != NULL && ok == aaaaoklen)
+			goto done;
+	}
+
+ done:
+	if (!found && aaaaok != NULL) {
+		for (i = 0; i < aaaaoklen; i++)
+			aaaaok[i] = true;
+	}
+	return (found ? answer : true);
+}
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
new file mode 100644
index 0000000..7d45e3a
--- /dev/null
+++ b/lib/dns/dnssec.c
@@ -0,0 +1,2241 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>		/* for DNS_TSIG_FUDGE */
+
+#include <dst/result.h>
+
+LIBDNS_EXTERNAL_DATA isc_stats_t *dns_dnssec_stats;
+
+#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto failure; \
+	} while (0)
+
+
+#define TYPE_SIGN 0
+#define TYPE_VERIFY 1
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data);
+
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2);
+
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+			dns_rdata_t **rdata, int *nrdata);
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data) {
+	dst_context_t *ctx = arg;
+
+	return (dst_context_adddata(ctx, data));
+}
+
+static inline void
+inc_stat(isc_statscounter_t counter) {
+	if (dns_dnssec_stats != NULL)
+		isc_stats_increment(dns_dnssec_stats, counter);
+}
+
+/*
+ * Make qsort happy.
+ */
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
+	return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+				  (const dns_rdata_t *)rdata2));
+}
+
+/*
+ * Sort the rdataset into an array.
+ */
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+			dns_rdata_t **rdata, int *nrdata)
+{
+	isc_result_t ret;
+	int i = 0, n;
+	dns_rdata_t *data;
+	dns_rdataset_t rdataset;
+
+	n = dns_rdataset_count(set);
+
+	data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+	if (data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(set, &rdataset);
+	ret = dns_rdataset_first(&rdataset);
+	if (ret != ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
+		isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
+		return (ret);
+	}
+
+	/*
+	 * Put them in the array.
+	 */
+	do {
+		dns_rdata_init(&data[i]);
+		dns_rdataset_current(&rdataset, &data[i++]);
+	} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
+
+	/*
+	 * Sort the array.
+	 */
+	qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
+	*rdata = data;
+	*nrdata = n;
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+			dst_key_t **key)
+{
+	isc_buffer_t b;
+	isc_region_t r;
+
+	INSIST(name != NULL);
+	INSIST(rdata != NULL);
+	INSIST(mctx != NULL);
+	INSIST(key != NULL);
+	INSIST(*key == NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key ||
+		rdata->type == dns_rdatatype_dnskey);
+
+	dns_rdata_toregion(rdata, &r);
+	isc_buffer_init(&b, r.base, r.length);
+	isc_buffer_add(&b, r.length);
+	return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
+}
+
+static isc_result_t
+digest_sig(dst_context_t *ctx, bool downcase, dns_rdata_t *sigrdata,
+	   dns_rdata_rrsig_t *rrsig)
+{
+	isc_region_t r;
+	isc_result_t ret;
+	dns_fixedname_t fname;
+
+	dns_rdata_toregion(sigrdata, &r);
+	INSIST(r.length >= 19);
+
+	r.length = 18;
+	ret = dst_context_adddata(ctx, &r);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	if (downcase) {
+		dns_fixedname_init(&fname);
+
+		RUNTIME_CHECK(dns_name_downcase(&rrsig->signer,
+						dns_fixedname_name(&fname),
+						NULL) == ISC_R_SUCCESS);
+		dns_name_toregion(dns_fixedname_name(&fname), &r);
+	} else
+		dns_name_toregion(&rrsig->signer, &r);
+
+	return (dst_context_adddata(ctx, &r));
+}
+
+isc_result_t
+dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		isc_stdtime_t *inception, isc_stdtime_t *expire,
+		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
+{
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t tmpsigrdata;
+	dns_rdata_t *rdatas;
+	int nrdatas, i;
+	isc_buffer_t sigbuf, envbuf;
+	isc_region_t r;
+	dst_context_t *ctx = NULL;
+	isc_result_t ret;
+	isc_buffer_t *databuf = NULL;
+	char data[256 + 8];
+	uint32_t flags;
+	unsigned int sigsize;
+	dns_fixedname_t fnewname;
+	dns_fixedname_t fsigner;
+
+	REQUIRE(name != NULL);
+	REQUIRE(dns_name_countlabels(name) <= 255);
+	REQUIRE(set != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(inception != NULL);
+	REQUIRE(expire != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sigrdata != NULL);
+
+	if (*inception >= *expire)
+		return (DNS_R_INVALIDTIME);
+
+	/*
+	 * Is the key allowed to sign data?
+	 */
+	flags = dst_key_flags(key);
+	if (flags & DNS_KEYTYPE_NOAUTH)
+		return (DNS_R_KEYUNAUTHORIZED);
+	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		return (DNS_R_KEYUNAUTHORIZED);
+
+	sig.mctx = mctx;
+	sig.common.rdclass = set->rdclass;
+	sig.common.rdtype = dns_rdatatype_rrsig;
+	ISC_LINK_INIT(&sig.common, link);
+
+	/*
+	 * Downcase signer.
+	 */
+	dns_name_init(&sig.signer, NULL);
+	dns_fixedname_init(&fsigner);
+	RUNTIME_CHECK(dns_name_downcase(dst_key_name(key),
+		      dns_fixedname_name(&fsigner), NULL) == ISC_R_SUCCESS);
+	dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
+
+	sig.covered = set->type;
+	sig.algorithm = dst_key_alg(key);
+	sig.labels = dns_name_countlabels(name) - 1;
+	if (dns_name_iswildcard(name))
+		sig.labels--;
+	sig.originalttl = set->ttl;
+	sig.timesigned = *inception;
+	sig.timeexpire = *expire;
+	sig.keyid = dst_key_id(key);
+	ret = dst_key_sigsize(key, &sigsize);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	sig.siglen = sigsize;
+	/*
+	 * The actual contents of sig.signature are not important yet, since
+	 * they're not used in digest_sig().
+	 */
+	sig.signature = isc_mem_get(mctx, sig.siglen);
+	if (sig.signature == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_signature;
+
+	dns_rdata_init(&tmpsigrdata);
+	ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
+				   sig.common.rdtype, &sig, databuf);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_databuf;
+
+	ret = dst_context_create3(key, mctx,
+				  DNS_LOGCATEGORY_DNSSEC, true, &ctx);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_databuf;
+
+	/*
+	 * Digest the SIG rdata.
+	 */
+	ret = digest_sig(ctx, false, &tmpsigrdata, &sig);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+
+	dns_fixedname_init(&fnewname);
+	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+					NULL) == ISC_R_SUCCESS);
+	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
+	memmove(data, r.base, r.length);
+	isc_buffer_add(&envbuf, r.length);
+	isc_buffer_putuint16(&envbuf, set->type);
+	isc_buffer_putuint16(&envbuf, set->rdclass);
+	isc_buffer_putuint32(&envbuf, set->ttl);
+
+	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+	isc_buffer_usedregion(&envbuf, &r);
+
+	for (i = 0; i < nrdatas; i++) {
+		uint16_t len;
+		isc_buffer_t lenbuf;
+		isc_region_t lenr;
+
+		/*
+		 * Skip duplicates.
+		 */
+		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
+		    continue;
+
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+
+		/*
+		 * Digest the length of the rdata.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
+		INSIST(rdatas[i].length < 65536);
+		isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
+		isc_buffer_usedregion(&lenbuf, &lenr);
+		ret = dst_context_adddata(ctx, &lenr);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+
+		/*
+		 * Digest the rdata.
+		 */
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+	}
+
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	ret = dst_context_sign(ctx, &sigbuf);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_array;
+	isc_buffer_usedregion(&sigbuf, &r);
+	if (r.length != sig.siglen) {
+		ret = ISC_R_NOSPACE;
+		goto cleanup_array;
+	}
+
+	ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
+				   sig.common.rdtype, &sig, buffer);
+
+cleanup_array:
+	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+	dst_context_destroy(&ctx);
+cleanup_databuf:
+	isc_buffer_free(&databuf);
+cleanup_signature:
+	isc_mem_put(mctx, sig.signature, sig.siglen);
+
+	return (ret);
+}
+
+isc_result_t
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   bool ignoretime, isc_mem_t *mctx,
+		   dns_rdata_t *sigrdata, dns_name_t *wild)
+{
+	return (dns_dnssec_verify3(name, set, key, ignoretime, 0, mctx,
+				   sigrdata, wild));
+}
+
+isc_result_t
+dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   bool ignoretime, unsigned int maxbits,
+		   isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild)
+{
+	dns_rdata_rrsig_t sig;
+	dns_fixedname_t fnewname;
+	isc_region_t r;
+	isc_buffer_t envbuf;
+	dns_rdata_t *rdatas;
+	int nrdatas, i;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	unsigned char data[300];
+	dst_context_t *ctx = NULL;
+	int labels = 0;
+	uint32_t flags;
+	bool downcase = false;
+
+	REQUIRE(name != NULL);
+	REQUIRE(set != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
+
+	ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (set->type != sig.covered)
+		return (DNS_R_SIGINVALID);
+
+	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_SIGINVALID);
+	}
+
+	if (!ignoretime) {
+		isc_stdtime_get(&now);
+
+		/*
+		 * Is SIG temporally valid?
+		 */
+		if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGFUTURE);
+		} else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGEXPIRED);
+		}
+	}
+
+	/*
+	 * NS, SOA and DNSSKEY records are signed by their owner.
+	 * DS records are signed by the parent.
+	 */
+	switch (set->type) {
+	case dns_rdatatype_ns:
+	case dns_rdatatype_soa:
+	case dns_rdatatype_dnskey:
+		if (!dns_name_equal(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		break;
+	case dns_rdatatype_ds:
+		if (dns_name_equal(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		/* FALLTHROUGH */
+	default:
+		if (!dns_name_issubdomain(name, &sig.signer)) {
+			inc_stat(dns_dnssecstats_fail);
+			return (DNS_R_SIGINVALID);
+		}
+		break;
+	}
+
+	/*
+	 * Is the key allowed to sign data?
+	 */
+	flags = dst_key_flags(key);
+	if (flags & DNS_KEYTYPE_NOAUTH) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+	if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE) {
+		inc_stat(dns_dnssecstats_fail);
+		return (DNS_R_KEYUNAUTHORIZED);
+	}
+
+ again:
+	ret = dst_context_create4(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				  false, maxbits, &ctx);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_struct;
+
+	/*
+	 * Digest the SIG rdata (not including the signature).
+	 */
+	ret = digest_sig(ctx, downcase, sigrdata, &sig);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+
+	/*
+	 * If the name is an expanded wildcard, use the wildcard name.
+	 */
+	dns_fixedname_init(&fnewname);
+	labels = dns_name_countlabels(name) - 1;
+	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+					NULL) == ISC_R_SUCCESS);
+	if (labels - sig.labels > 0)
+		dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
+			       NULL, dns_fixedname_name(&fnewname));
+
+	dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+	/*
+	 * Create an envelope for each rdata: <name|type|class|ttl>.
+	 */
+	isc_buffer_init(&envbuf, data, sizeof(data));
+	if (labels - sig.labels > 0) {
+		isc_buffer_putuint8(&envbuf, 1);
+		isc_buffer_putuint8(&envbuf, '*');
+		memmove(data + 2, r.base, r.length);
+	}
+	else
+		memmove(data, r.base, r.length);
+	isc_buffer_add(&envbuf, r.length);
+	isc_buffer_putuint16(&envbuf, set->type);
+	isc_buffer_putuint16(&envbuf, set->rdclass);
+	isc_buffer_putuint32(&envbuf, sig.originalttl);
+
+	ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+
+	isc_buffer_usedregion(&envbuf, &r);
+
+	for (i = 0; i < nrdatas; i++) {
+		uint16_t len;
+		isc_buffer_t lenbuf;
+		isc_region_t lenr;
+
+		/*
+		 * Skip duplicates.
+		 */
+		if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
+		    continue;
+
+		/*
+		 * Digest the envelope.
+		 */
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+
+		/*
+		 * Digest the rdata length.
+		 */
+		isc_buffer_init(&lenbuf, &len, sizeof(len));
+		INSIST(rdatas[i].length < 65536);
+		isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
+		isc_buffer_usedregion(&lenbuf, &lenr);
+
+		/*
+		 * Digest the rdata.
+		 */
+		ret = dst_context_adddata(ctx, &lenr);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+		ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_array;
+	}
+
+	r.base = sig.signature;
+	r.length = sig.siglen;
+	ret = dst_context_verify2(ctx, maxbits, &r);
+	if (ret == ISC_R_SUCCESS && downcase) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
+			      "successfully validated after lower casing "
+			      "signer '%s'", namebuf);
+		inc_stat(dns_dnssecstats_downcase);
+	} else if (ret == ISC_R_SUCCESS)
+		inc_stat(dns_dnssecstats_asis);
+
+cleanup_array:
+	isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+	dst_context_destroy(&ctx);
+	if (ret == DST_R_VERIFYFAILURE && !downcase) {
+		downcase = true;
+		goto again;
+	}
+cleanup_struct:
+	dns_rdata_freestruct(&sig);
+
+	if (ret == DST_R_VERIFYFAILURE)
+		ret = DNS_R_SIGINVALID;
+
+	if (ret != ISC_R_SUCCESS)
+		inc_stat(dns_dnssecstats_fail);
+
+	if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
+		if (wild != NULL)
+			RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
+						 dns_fixedname_name(&fnewname),
+						 wild, NULL) == ISC_R_SUCCESS);
+		inc_stat(dns_dnssecstats_wildcard);
+		ret = DNS_R_FROMWILDCARD;
+	}
+	return (ret);
+}
+
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  bool ignoretime, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata)
+{
+	isc_result_t result;
+
+	result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
+				    sigrdata, NULL);
+	if (result == DNS_R_FROMWILDCARD)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+bool
+dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t publish, active, revoke, inactive, deltime;
+	bool pubset = false, actset = false;
+	bool revset = false, inactset = false;
+	bool delset = false;
+	int major, minor;
+
+	/* Is this an old-style key? */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Smart signing started with key format 1.3; prior to that, all
+	 * keys are assumed active
+	 */
+	if (major == 1 && minor <= 2)
+		return (true);
+
+	result = dst_key_gettime(key, DST_TIME_PUBLISH, &publish);
+	if (result == ISC_R_SUCCESS)
+		pubset = true;
+
+	result = dst_key_gettime(key, DST_TIME_ACTIVATE, &active);
+	if (result == ISC_R_SUCCESS)
+		actset = true;
+
+	result = dst_key_gettime(key, DST_TIME_REVOKE, &revoke);
+	if (result == ISC_R_SUCCESS)
+		revset = true;
+
+	result = dst_key_gettime(key, DST_TIME_INACTIVE, &inactive);
+	if (result == ISC_R_SUCCESS)
+		inactset = true;
+
+	result = dst_key_gettime(key, DST_TIME_DELETE, &deltime);
+	if (result == ISC_R_SUCCESS)
+		delset = true;
+
+	if ((inactset && inactive <= now) || (delset && deltime <= now))
+		return (false);
+
+	if (revset && revoke <= now && pubset && publish <= now)
+		return (true);
+
+	if (actset && active <= now)
+		return (true);
+
+	return (false);
+}
+
+/*%<
+ * Indicate whether a key is scheduled to to have CDS/CDNSKEY records
+ * published now.
+ *
+ * Returns true iff.
+ *  - SyncPublish is set and in the past, AND
+ *  - SyncDelete is unset or in the future
+ */
+static bool
+syncpublish(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t when;
+	int major, minor;
+
+	/*
+	 * Is this an old-style key?
+	 */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Smart signing started with key format 1.3
+	 */
+	if (major == 1 && minor <= 2)
+		return (false);
+
+	result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+
+	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
+	if (result != ISC_R_SUCCESS)
+		return (true);
+	if (when <= now)
+		return (false);
+	return (true);
+}
+
+/*%<
+ * Indicate whether a key is scheduled to to have CDS/CDNSKEY records
+ * deleted now.
+ *
+ * Returns true iff. SyncDelete is set and in the past.
+ */
+static bool
+syncdelete(dst_key_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t when;
+	int major, minor;
+
+	/*
+	 * Is this an old-style key?
+	 */
+	result = dst_key_getprivateformat(key, &major, &minor);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	/*
+	 * Smart signing started with key format 1.3.
+	 */
+	if (major == 1 && minor <= 2)
+		return (false);
+
+	result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+	if (when <= now)
+		return (true);
+	return (false);
+}
+
+#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
+			  == DNS_KEYOWNER_ZONE)
+
+isc_result_t
+dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_stdtime_t now,
+			 isc_mem_t *mctx, unsigned int maxkeys,
+			 dst_key_t **keys, unsigned int *nkeys)
+{
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dst_key_t *pubkey = NULL;
+	unsigned int count = 0;
+
+	REQUIRE(nkeys != NULL);
+	REQUIRE(keys != NULL);
+
+	*nkeys = 0;
+	memset(keys, 0, sizeof(*keys) * maxkeys);
+	dns_rdataset_init(&rdataset);
+	RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+				   &rdataset, NULL));
+	RETERR(dns_rdataset_first(&rdataset));
+	while (result == ISC_R_SUCCESS && count < maxkeys) {
+		pubkey = NULL;
+		dns_rdataset_current(&rdataset, &rdata);
+		RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, rdataset.ttl);
+
+		if (!is_zone_key(pubkey) ||
+		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			goto next;
+		/* Corrupted .key file? */
+		if (!dns_name_equal(name, dst_key_name(pubkey)))
+			goto next;
+		keys[count] = NULL;
+		result = dst_key_fromfile(dst_key_name(pubkey),
+					  dst_key_id(pubkey),
+					  dst_key_alg(pubkey),
+					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+					  directory,
+					  mctx, &keys[count]);
+
+		/*
+		 * If the key was revoked and the private file
+		 * doesn't exist, maybe it was revoked internally
+		 * by named.  Try loading the unrevoked version.
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			uint32_t flags;
+			flags = dst_key_flags(pubkey);
+			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+				dst_key_setflags(pubkey,
+						 flags & ~DNS_KEYFLAG_REVOKE);
+				result = dst_key_fromfile(dst_key_name(pubkey),
+							  dst_key_id(pubkey),
+							  dst_key_alg(pubkey),
+							  DST_TYPE_PUBLIC|
+							  DST_TYPE_PRIVATE,
+							  directory,
+							  mctx, &keys[count]);
+				if (result == ISC_R_SUCCESS &&
+				    dst_key_pubcompare(pubkey, keys[count],
+						       false)) {
+					dst_key_setflags(keys[count], flags);
+				}
+				dst_key_setflags(pubkey, flags);
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			char filename[DNS_NAME_FORMATSIZE +
+				      DNS_SECALG_FORMATSIZE +
+				      sizeof("key file for //65535")];
+			isc_result_t result2;
+			isc_buffer_t buf;
+
+			isc_buffer_init(&buf, filename, ISC_DIR_NAMEMAX);
+			result2 = dst_key_getfilename(dst_key_name(pubkey),
+						      dst_key_id(pubkey),
+						      dst_key_alg(pubkey),
+						      (DST_TYPE_PUBLIC |
+						       DST_TYPE_PRIVATE),
+						      directory, mctx,
+						      &buf);
+			if (result2 != ISC_R_SUCCESS) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char algbuf[DNS_SECALG_FORMATSIZE];
+
+				dns_name_format(dst_key_name(pubkey),
+						namebuf, sizeof(namebuf));
+				dns_secalg_format(dst_key_alg(pubkey),
+						  algbuf, sizeof(algbuf));
+				snprintf(filename, sizeof(filename) - 1,
+					 "key file for %s/%s/%d",
+					 namebuf, algbuf, dst_key_id(pubkey));
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "dns_dnssec_findzonekeys2: error "
+				      "reading %s: %s",
+				      filename, isc_result_totext(result));
+		}
+
+		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+			keys[count] = pubkey;
+			pubkey = NULL;
+			count++;
+			goto next;
+		}
+
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		/*
+		 * If a key is marked inactive, skip it
+		 */
+		if (!dns_dnssec_keyactive(keys[count], now)) {
+			dst_key_setinactive(pubkey, true);
+			dst_key_free(&keys[count]);
+			keys[count] = pubkey;
+			pubkey = NULL;
+			count++;
+			goto next;
+		}
+
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(keys[count], rdataset.ttl);
+
+		if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+			/* We should never get here. */
+			dst_key_free(&keys[count]);
+			goto next;
+		}
+		count++;
+ next:
+		if (pubkey != NULL)
+			dst_key_free(&pubkey);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rdataset);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+	if (count == 0)
+		result = ISC_R_NOTFOUND;
+	else
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
+	if (result != ISC_R_SUCCESS)
+		while (count > 0)
+			dst_key_free(&keys[--count]);
+	*nkeys = count;
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys)
+{
+	isc_stdtime_t now;
+
+	isc_stdtime_get(&now);
+	return (dns_dnssec_findzonekeys3(db, ver, node, name, directory, now,
+					 mctx, maxkeys, keys, nkeys));
+}
+
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+			dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys)
+{
+	isc_stdtime_t now;
+
+	isc_stdtime_get(&now);
+	return (dns_dnssec_findzonekeys3(db, ver, node, name, NULL, now,
+					 mctx, maxkeys, keys, nkeys));
+}
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
+	dns_rdata_sig_t sig;	/* SIG(0) */
+	unsigned char data[512];
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	isc_buffer_t headerbuf, databuf, sigbuf;
+	unsigned int sigsize;
+	isc_buffer_t *dynbuf = NULL;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t *datalist;
+	dns_rdataset_t *dataset;
+	isc_region_t r;
+	isc_stdtime_t now;
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	bool signeedsfree = true;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	if (is_response(msg))
+		REQUIRE(msg->query.base != NULL);
+
+	mctx = msg->mctx;
+
+	memset(&sig, 0, sizeof(sig));
+
+	sig.mctx = mctx;
+	sig.common.rdclass = dns_rdataclass_any;
+	sig.common.rdtype = dns_rdatatype_sig;	/* SIG(0) */
+	ISC_LINK_INIT(&sig.common, link);
+
+	sig.covered = 0;
+	sig.algorithm = dst_key_alg(key);
+	sig.labels = 0; /* the root name */
+	sig.originalttl = 0;
+
+	isc_stdtime_get(&now);
+	sig.timesigned = now - DNS_TSIG_FUDGE;
+	sig.timeexpire = now + DNS_TSIG_FUDGE;
+
+	sig.keyid = dst_key_id(key);
+
+	dns_name_init(&sig.signer, NULL);
+	dns_name_clone(dst_key_name(key), &sig.signer);
+
+	sig.siglen = 0;
+	sig.signature = NULL;
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+
+	RETERR(dst_context_create3(key, mctx,
+				   DNS_LOGCATEGORY_DNSSEC, true, &ctx));
+
+	/*
+	 * Digest the fields of the SIG - we can cheat and use
+	 * dns_rdata_fromstruct.  Since siglen is 0, the digested data
+	 * is identical to dns format.
+	 */
+	RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
+				    dns_rdatatype_sig /* SIG(0) */,
+				    &sig, &databuf));
+	isc_buffer_usedregion(&databuf, &r);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * If this is a response, digest the query.
+	 */
+	if (is_response(msg))
+		RETERR(dst_context_adddata(ctx, &msg->query));
+
+	/*
+	 * Digest the header.
+	 */
+	isc_buffer_init(&headerbuf, header, sizeof(header));
+	dns_message_renderheader(msg, &headerbuf);
+	isc_buffer_usedregion(&headerbuf, &r);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * Digest the remainder of the message.
+	 */
+	isc_buffer_usedregion(msg->buffer, &r);
+	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+	RETERR(dst_context_adddata(ctx, &r));
+
+	RETERR(dst_key_sigsize(key, &sigsize));
+	sig.siglen = sigsize;
+	sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
+	if (sig.signature == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+
+	isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+	RETERR(dst_context_sign(ctx, &sigbuf));
+	dst_context_destroy(&ctx);
+
+	rdata = NULL;
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
+	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				    dns_rdatatype_sig /* SIG(0) */,
+				    &sig, dynbuf));
+
+	isc_mem_put(mctx, sig.signature, sig.siglen);
+	signeedsfree = false;
+
+	dns_message_takebuffer(msg, &dynbuf);
+
+	datalist = NULL;
+	RETERR(dns_message_gettemprdatalist(msg, &datalist));
+	datalist->rdclass = dns_rdataclass_any;
+	datalist->type = dns_rdatatype_sig;	/* SIG(0) */
+	ISC_LIST_APPEND(datalist->rdata, rdata, link);
+	dataset = NULL;
+	RETERR(dns_message_gettemprdataset(msg, &dataset));
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
+	msg->sig0 = dataset;
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (dynbuf != NULL)
+		isc_buffer_free(&dynbuf);
+	if (signeedsfree)
+		isc_mem_put(mctx, sig.signature, sig.siglen);
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
+
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key)
+{
+	dns_rdata_sig_t sig;	/* SIG(0) */
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t r, source_r, sig_r, header_r;
+	isc_stdtime_t now;
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	isc_result_t result;
+	uint16_t addcount, addcount_n;
+	bool signeedsfree = false;
+
+	REQUIRE(source != NULL);
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	mctx = msg->mctx;
+
+	msg->verify_attempted = 1;
+	msg->verified_sig = 0;
+	msg->sig0status = dns_tsigerror_badsig;
+
+	if (is_response(msg)) {
+		if (msg->query.base == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
+	}
+
+	isc_buffer_usedregion(source, &source_r);
+
+	RETERR(dns_rdataset_first(msg->sig0));
+	dns_rdataset_current(msg->sig0, &rdata);
+
+	RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
+	signeedsfree = true;
+
+	if (sig.labels != 0) {
+		result = DNS_R_SIGINVALID;
+		goto failure;
+	}
+
+	if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
+		result = DNS_R_SIGINVALID;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+	if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
+		result = DNS_R_SIGFUTURE;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	}
+	else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
+		result = DNS_R_SIGEXPIRED;
+		msg->sig0status = dns_tsigerror_badtime;
+		goto failure;
+	}
+
+	if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
+		result = DNS_R_SIGINVALID;
+		msg->sig0status = dns_tsigerror_badkey;
+		goto failure;
+	}
+
+	RETERR(dst_context_create3(key, mctx,
+				   DNS_LOGCATEGORY_DNSSEC, false, &ctx));
+
+	/*
+	 * Digest the SIG(0) record, except for the signature.
+	 */
+	dns_rdata_toregion(&rdata, &r);
+	r.length -= sig.siglen;
+	RETERR(dst_context_adddata(ctx, &r));
+
+	/*
+	 * If this is a response, digest the query.
+	 */
+	if (is_response(msg))
+		RETERR(dst_context_adddata(ctx, &msg->query));
+
+	/*
+	 * Extract the header.
+	 */
+	memmove(header, source_r.base, DNS_MESSAGE_HEADERLEN);
+
+	/*
+	 * Decrement the additional field counter.
+	 */
+	memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+	addcount_n = ntohs(addcount);
+	addcount = htons((uint16_t)(addcount_n - 1));
+	memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+	/*
+	 * Digest the modified header.
+	 */
+	header_r.base = (unsigned char *) header;
+	header_r.length = DNS_MESSAGE_HEADERLEN;
+	RETERR(dst_context_adddata(ctx, &header_r));
+
+	/*
+	 * Digest all non-SIG(0) records.
+	 */
+	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+	r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+	RETERR(dst_context_adddata(ctx, &r));
+
+	sig_r.base = sig.signature;
+	sig_r.length = sig.siglen;
+	result = dst_context_verify(ctx, &sig_r);
+	if (result != ISC_R_SUCCESS) {
+		msg->sig0status = dns_tsigerror_badsig;
+		goto failure;
+	}
+
+	msg->verified_sig = 1;
+	msg->sig0status = dns_rcode_noerror;
+
+	dst_context_destroy(&ctx);
+	dns_rdata_freestruct(&sig);
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (signeedsfree)
+		dns_rdata_freestruct(&sig);
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
+
+	return (result);
+}
+
+/*%
+ * Does this key ('rdata') self sign the rrset ('rdataset')?
+ */
+bool
+dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     bool ignoretime, isc_mem_t *mctx)
+{
+	INSIST(rdataset->type == dns_rdatatype_key ||
+	       rdataset->type == dns_rdatatype_dnskey);
+	if (rdataset->type == dns_rdatatype_key) {
+		INSIST(sigrdataset->type == dns_rdatatype_sig);
+		INSIST(sigrdataset->covers == dns_rdatatype_key);
+	} else {
+		INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+		INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
+	}
+
+	return (dns_dnssec_signs(rdata, name, rdataset, sigrdataset,
+				 ignoretime, mctx));
+
+}
+
+bool
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     bool ignoretime, isc_mem_t *mctx)
+{
+	dst_key_t *dstkey = NULL;
+	dns_keytag_t keytag;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	isc_result_t result;
+
+	INSIST(sigrdataset->type == dns_rdatatype_rrsig);
+	if (sigrdataset->covers != rdataset->type)
+		return (false);
+
+	result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+	result = dns_rdata_tostruct(rdata, &key, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	keytag = dst_key_id(dstkey);
+	for (result = dns_rdataset_first(sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset))
+	{
+		dns_rdata_reset(&sigrdata);
+		dns_rdataset_current(sigrdataset, &sigrdata);
+		result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (sig.algorithm == key.algorithm &&
+		    sig.keyid == keytag) {
+			result = dns_dnssec_verify2(name, rdataset, dstkey,
+						    ignoretime, mctx,
+						    &sigrdata, NULL);
+			if (result == ISC_R_SUCCESS) {
+				dst_key_free(&dstkey);
+				return (true);
+			}
+		}
+	}
+	dst_key_free(&dstkey);
+	return (false);
+}
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+		     dns_dnsseckey_t **dkp)
+{
+	isc_result_t result;
+	dns_dnsseckey_t *dk;
+	int major, minor;
+
+	REQUIRE(dkp != NULL && *dkp == NULL);
+	dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
+	if (dk == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dk->key = *dstkey;
+	*dstkey = NULL;
+	dk->force_publish = false;
+	dk->force_sign = false;
+	dk->hint_publish = false;
+	dk->hint_sign = false;
+	dk->hint_remove = false;
+	dk->first_sign = false;
+	dk->is_active = false;
+	dk->prepublish = 0;
+	dk->source = dns_keysource_unknown;
+	dk->index = 0;
+
+	/* KSK or ZSK? */
+	dk->ksk = (dst_key_flags(dk->key) & DNS_KEYFLAG_KSK);
+
+	/* Is this an old-style key? */
+	result = dst_key_getprivateformat(dk->key, &major, &minor);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/* Smart signing started with key format 1.3 */
+	dk->legacy = (major == 1 && minor <= 2);
+
+	ISC_LINK_INIT(dk, link);
+	*dkp = dk;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
+	dns_dnsseckey_t *dk;
+
+	REQUIRE(dkp != NULL && *dkp != NULL);
+	dk = *dkp;
+	if (dk->key != NULL)
+		dst_key_free(&dk->key);
+	isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
+	*dkp = NULL;
+}
+
+static void
+get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
+	isc_result_t result;
+	isc_stdtime_t publish, active, revoke, inactive, deltime;
+	bool pubset = false, actset = false;
+	bool revset = false, inactset = false;
+	bool delset = false;
+
+	REQUIRE(key != NULL && key->key != NULL);
+
+	result = dst_key_gettime(key->key, DST_TIME_PUBLISH, &publish);
+	if (result == ISC_R_SUCCESS)
+		pubset = true;
+
+	result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+	if (result == ISC_R_SUCCESS)
+		actset = true;
+
+	result = dst_key_gettime(key->key, DST_TIME_REVOKE, &revoke);
+	if (result == ISC_R_SUCCESS)
+		revset = true;
+
+	result = dst_key_gettime(key->key, DST_TIME_INACTIVE, &inactive);
+	if (result == ISC_R_SUCCESS)
+		inactset = true;
+
+	result = dst_key_gettime(key->key, DST_TIME_DELETE, &deltime);
+	if (result == ISC_R_SUCCESS)
+		delset = true;
+
+	/* Metadata says publish (but possibly not activate) */
+	if (pubset && publish <= now)
+		key->hint_publish = true;
+
+	/* Metadata says activate (so we must also publish) */
+	if (actset && active <= now) {
+		key->hint_sign = true;
+
+		/* Only publish if publish time has already passed. */
+		if (pubset && publish <= now)
+			key->hint_publish = true;
+	}
+
+	/*
+	 * Activation date is set (maybe in the future), but
+	 * publication date isn't. Most likely the user wants to
+	 * publish now and activate later.
+	 */
+	if (actset && !pubset)
+		key->hint_publish = true;
+
+	/*
+	 * If activation date is in the future, make note of how far off
+	 */
+	if (key->hint_publish && actset && active > now) {
+		key->prepublish = active - now;
+	}
+
+	/*
+	 * Key has been marked inactive: we can continue publishing,
+	 * but don't sign.
+	 */
+	if (key->hint_publish && inactset && inactive <= now) {
+		key->hint_sign = false;
+	}
+
+	/*
+	 * Metadata says revoke.  If the key is published,
+	 * we *have to* sign with it per RFC5011--even if it was
+	 * not active before.
+	 *
+	 * If it hasn't already been done, we should also revoke it now.
+	 */
+	if (key->hint_publish && (revset && revoke <= now)) {
+		uint32_t flags;
+		key->hint_sign = true;
+		flags = dst_key_flags(key->key);
+		if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+			flags |= DNS_KEYFLAG_REVOKE;
+			dst_key_setflags(key->key, flags);
+		}
+	}
+
+	/*
+	 * Metadata says delete, so don't publish this key or sign with it.
+	 */
+	if (delset && deltime <= now) {
+		key->hint_publish = false;
+		key->hint_sign = false;
+		key->hint_remove = true;
+	}
+}
+
+/*%
+ * Get a list of DNSSEC keys from the key repository
+ */
+isc_result_t
+dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
+			     isc_stdtime_t now, isc_mem_t *mctx,
+			     dns_dnsseckeylist_t *keylist)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	bool dir_open = false;
+	dns_dnsseckeylist_t list;
+	isc_dir_t dir;
+	dns_dnsseckey_t *key = NULL;
+	dst_key_t *dstkey = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	isc_buffer_t b;
+	unsigned int len, i, alg;
+
+	REQUIRE(keylist != NULL);
+	ISC_LIST_INIT(list);
+	isc_dir_init(&dir);
+
+	isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
+	RETERR(dns_name_tofilenametext(origin, false, &b));
+	len = isc_buffer_usedlength(&b);
+	namebuf[len] = '\0';
+
+	if (directory == NULL)
+		directory = ".";
+	RETERR(isc_dir_open(&dir, directory));
+	dir_open = true;
+
+	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+		if (dir.entry.name[0] != 'K' ||
+		    dir.entry.length < len + 1 ||
+		    dir.entry.name[len + 1] != '+' ||
+		    strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
+			continue;
+
+		alg = 0;
+		for (i = len + 1 + 1; i < dir.entry.length ; i++) {
+			if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
+				break;
+			alg *= 10;
+			alg += dir.entry.name[i] - '0';
+		}
+
+		/*
+		 * Did we not read exactly 3 digits?
+		 * Did we overflow?
+		 * Did we correctly terminate?
+		 */
+		if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
+		    dir.entry.name[i] != '+')
+			continue;
+
+		for (i++ ; i < dir.entry.length ; i++)
+			if (dir.entry.name[i] < '0' || dir.entry.name[i] > '9')
+				break;
+
+		/*
+		 * Did we not read exactly 5 more digits?
+		 * Did we overflow?
+		 * Did we correctly terminate?
+		 */
+		if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
+		    strcmp(dir.entry.name + i, ".private") != 0)
+				continue;
+
+		dstkey = NULL;
+		result = dst_key_fromnamedfile(dir.entry.name,
+					       directory,
+					       DST_TYPE_PUBLIC |
+					       DST_TYPE_PRIVATE,
+					       mctx, &dstkey);
+
+		switch (alg) {
+#ifndef PK11_MD5_DISABLE
+		case DST_ALG_HMACMD5:
+#endif
+		case DST_ALG_HMACSHA1:
+		case DST_ALG_HMACSHA224:
+		case DST_ALG_HMACSHA256:
+		case DST_ALG_HMACSHA384:
+		case DST_ALG_HMACSHA512:
+			if (result == DST_R_BADKEYTYPE)
+				continue;
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx,
+				      DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC,
+				      ISC_LOG_WARNING,
+				      "dns_dnssec_findmatchingkeys: "
+				      "error reading key file %s: %s",
+				      dir.entry.name,
+				      isc_result_totext(result));
+			continue;
+		}
+
+		RETERR(dns_dnsseckey_create(mctx, &dstkey, &key));
+		key->source = dns_keysource_repository;
+		get_hints(key, now);
+
+		if (key->legacy) {
+			dns_dnsseckey_destroy(mctx, &key);
+		} else {
+			ISC_LIST_APPEND(list, key, link);
+			key = NULL;
+		}
+	}
+
+	if (!ISC_LIST_EMPTY(list)) {
+		result = ISC_R_SUCCESS;
+		ISC_LIST_APPENDLIST(*keylist, list, link);
+	} else
+		result = ISC_R_NOTFOUND;
+
+ failure:
+	if (dir_open)
+		isc_dir_close(&dir);
+	INSIST(key == NULL);
+	while ((key = ISC_LIST_HEAD(list)) != NULL) {
+		ISC_LIST_UNLINK(list, key, link);
+		INSIST(key->key != NULL);
+		dst_key_free(&key->key);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+
+isc_result_t
+dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
+			    isc_mem_t *mctx, dns_dnsseckeylist_t *keylist)
+{
+	isc_stdtime_t now;
+
+	isc_stdtime_get(&now);
+	return (dns_dnssec_findmatchingkeys2(origin, directory, now, mctx,
+					     keylist));
+}
+
+/*%
+ * Add 'newkey' to 'keylist' if it's not already there.
+ *
+ * If 'savekeys' is true, then we need to preserve all
+ * the keys in the keyset, regardless of whether they have
+ * metadata indicating they should be deactivated or removed.
+ */
+static isc_result_t
+addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey,
+       bool savekeys, isc_mem_t *mctx)
+{
+	dns_dnsseckey_t *key;
+	isc_result_t result;
+
+	/* Skip duplicates */
+	for (key = ISC_LIST_HEAD(*keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		if (dst_key_id(key->key) == dst_key_id(*newkey) &&
+		    dst_key_alg(key->key) == dst_key_alg(*newkey) &&
+		    dns_name_equal(dst_key_name(key->key),
+				   dst_key_name(*newkey)))
+			break;
+	}
+
+	if (key != NULL) {
+		/*
+		 * Found a match.  If the old key was only public and the
+		 * new key is private, replace the old one; otherwise
+		 * leave it.  But either way, mark the key as having
+		 * been found in the zone.
+		 */
+		if (dst_key_isprivate(key->key)) {
+			dst_key_free(newkey);
+		} else if (dst_key_isprivate(*newkey)) {
+			dst_key_free(&key->key);
+			key->key = *newkey;
+		}
+
+		key->source = dns_keysource_zoneapex;
+		return (ISC_R_SUCCESS);
+	}
+
+	result = dns_dnsseckey_create(mctx, newkey, &key);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (key->legacy || savekeys) {
+		key->force_publish = true;
+		key->force_sign = dst_key_isprivate(key->key);
+	}
+	key->source = dns_keysource_zoneapex;
+	ISC_LIST_APPEND(*keylist, key, link);
+	*newkey = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+
+/*%
+ * Mark all keys which signed the DNSKEY/SOA RRsets as "active",
+ * for future reference.
+ */
+static isc_result_t
+mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t sigs;
+	dns_dnsseckey_t *key;
+
+	REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
+
+	dns_rdataset_init(&sigs);
+	dns_rdataset_clone(rrsigs, &sigs);
+	for (key = ISC_LIST_HEAD(*keylist);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		uint16_t keyid, sigid;
+		dns_secalg_t keyalg, sigalg;
+		keyid = dst_key_id(key->key);
+		keyalg = dst_key_alg(key->key);
+
+		for (result = dns_rdataset_first(&sigs);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&sigs)) {
+			dns_rdata_rrsig_t sig;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&sigs, &rdata);
+			result = dns_rdata_tostruct(&rdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			sigalg = sig.algorithm;
+			sigid = sig.keyid;
+			if (keyid == sigid && keyalg == sigalg) {
+				key->is_active = true;
+				break;
+			}
+		}
+	}
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	if (dns_rdataset_isassociated(&sigs))
+		dns_rdataset_disassociate(&sigs);
+	return (result);
+}
+
+/*%
+ * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ */
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+			       const char *directory, isc_mem_t *mctx,
+			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+			       dns_rdataset_t *soasigs, bool savekeys,
+			       bool publickey,
+			       dns_dnsseckeylist_t *keylist)
+{
+	dns_rdataset_t keys;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *pubkey = NULL, *privkey = NULL;
+	isc_result_t result;
+
+	REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
+
+	dns_rdataset_init(&keys);
+
+	dns_rdataset_clone(keyset, &keys);
+	for (result = dns_rdataset_first(&keys);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&keys)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&keys, &rdata);
+		RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &pubkey));
+		dst_key_setttl(pubkey, keys.ttl);
+
+		if (!is_zone_key(pubkey) ||
+		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			goto skip;
+
+		/* Corrupted .key file? */
+		if (!dns_name_equal(origin, dst_key_name(pubkey)))
+			goto skip;
+
+		if (publickey) {
+			RETERR(addkey(keylist, &pubkey, savekeys, mctx));
+			goto skip;
+		}
+
+		result = dst_key_fromfile(dst_key_name(pubkey),
+					  dst_key_id(pubkey),
+					  dst_key_alg(pubkey),
+					  DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+					  directory, mctx, &privkey);
+
+		/*
+		 * If the key was revoked and the private file
+		 * doesn't exist, maybe it was revoked internally
+		 * by named.  Try loading the unrevoked version.
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			uint32_t flags;
+			flags = dst_key_flags(pubkey);
+			if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
+				dst_key_setflags(pubkey,
+						 flags & ~DNS_KEYFLAG_REVOKE);
+				result = dst_key_fromfile(dst_key_name(pubkey),
+							  dst_key_id(pubkey),
+							  dst_key_alg(pubkey),
+							  DST_TYPE_PUBLIC|
+							  DST_TYPE_PRIVATE,
+							  directory,
+							  mctx, &privkey);
+				if (result == ISC_R_SUCCESS &&
+				    dst_key_pubcompare(pubkey, privkey,
+						       false)) {
+					dst_key_setflags(privkey, flags);
+				}
+				dst_key_setflags(pubkey, flags);
+			}
+		}
+
+		if (result != ISC_R_SUCCESS) {
+			char filename[DNS_NAME_FORMATSIZE +
+				      DNS_SECALG_FORMATSIZE +
+				      sizeof("key file for //65535")];
+			isc_result_t result2;
+			isc_buffer_t buf;
+
+			isc_buffer_init(&buf, filename, ISC_DIR_NAMEMAX);
+			result2 = dst_key_getfilename(dst_key_name(pubkey),
+						      dst_key_id(pubkey),
+						      dst_key_alg(pubkey),
+						      (DST_TYPE_PUBLIC |
+						       DST_TYPE_PRIVATE),
+						      directory, mctx,
+						      &buf);
+			if (result2 != ISC_R_SUCCESS) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char algbuf[DNS_SECALG_FORMATSIZE];
+
+				dns_name_format(dst_key_name(pubkey),
+						namebuf, sizeof(namebuf));
+				dns_secalg_format(dst_key_alg(pubkey),
+						  algbuf, sizeof(algbuf));
+				snprintf(filename, sizeof(filename) - 1,
+					 "key file for %s/%s/%d",
+					 namebuf, algbuf, dst_key_id(pubkey));
+			}
+
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+				      "dns_dnssec_keylistfromrdataset: error "
+				      "reading %s: %s",
+				      filename, isc_result_totext(result));
+		}
+
+		if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
+			RETERR(addkey(keylist, &pubkey, savekeys, mctx));
+			goto skip;
+		}
+		RETERR(result);
+
+		/* This should never happen. */
+		if ((dst_key_flags(privkey) & DNS_KEYTYPE_NOAUTH) != 0)
+			goto skip;
+
+		/*
+		 * Whatever the key's default TTL may have
+		 * been, the rdataset TTL takes priority.
+		 */
+		dst_key_setttl(privkey, dst_key_getttl(pubkey));
+
+		RETERR(addkey(keylist, &privkey, savekeys, mctx));
+ skip:
+		if (pubkey != NULL)
+			dst_key_free(&pubkey);
+		if (privkey != NULL)
+			dst_key_free(&privkey);
+	}
+
+	if (result != ISC_R_NOMORE)
+		RETERR(result);
+
+	if (keysigs != NULL && dns_rdataset_isassociated(keysigs))
+		RETERR(mark_active_keys(keylist, keysigs));
+
+	if (soasigs != NULL && dns_rdataset_isassociated(soasigs))
+		RETERR(mark_active_keys(keylist, soasigs));
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&keys))
+		dns_rdataset_disassociate(&keys);
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
+	if (privkey != NULL)
+		dst_key_free(&privkey);
+	return (result);
+}
+
+static isc_result_t
+make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
+	    dns_rdata_t *target)
+{
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, buf, bufsize);
+	result = dst_key_todns(key, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdata_reset(target);
+	isc_buffer_usedregion(&b, &r);
+	dns_rdata_fromregion(target, dst_key_class(key),
+			     dns_rdatatype_dnskey, &r);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+publish(dns_rdata_t *rdata, dns_diff_t *diff, dns_name_t *origin,
+	dns_ttl_t ttl, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
+				    rdata, &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+
+ failure:
+	return (result);
+}
+
+static isc_result_t
+delrdata(dns_rdata_t *rdata, dns_diff_t *diff, dns_name_t *origin,
+	 dns_ttl_t ttl, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl,
+				    rdata, &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+
+ failure:
+	return (result);
+}
+
+static isc_result_t
+publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
+	    dns_ttl_t ttl, isc_mem_t *mctx, bool allzsk,
+	    void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	unsigned char buf[DST_KEY_MAXSIZE];
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+	char alg[80];
+
+	dns_rdata_reset(&dnskey);
+	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+
+	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+	report("Fetching %s %d/%s from key %s.",
+	       key->ksk ?  (allzsk ?  "KSK/ZSK" : "KSK") : "ZSK",
+	       dst_key_id(key->key), alg,
+	       key->source == dns_keysource_user ?  "file" : "repository");
+
+	if (key->prepublish && ttl > key->prepublish) {
+		char keystr[DST_KEY_FORMATSIZE];
+		isc_stdtime_t now;
+
+		dst_key_format(key->key, keystr, sizeof(keystr));
+		report("Key %s: Delaying activation to match the DNSKEY TTL.\n",
+		       keystr, ttl);
+
+		isc_stdtime_get(&now);
+		dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
+	}
+
+	/* publish key */
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl,
+				    &dnskey, &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+static isc_result_t
+remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, dns_name_t *origin,
+	  dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
+	  void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	unsigned char buf[DST_KEY_MAXSIZE];
+	dns_rdata_t dnskey = DNS_RDATA_INIT;
+	char alg[80];
+
+	dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
+	report("Removing %s key %d/%s from DNSKEY RRset.",
+	       reason, dst_key_id(key->key), alg);
+
+	RETERR(make_dnskey(key->key, buf, sizeof(buf), &dnskey));
+	RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, &dnskey,
+				    &tuple));
+	dns_diff_appendminimal(diff, &tuple);
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+static bool
+exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdataset_t trdataset;
+
+	dns_rdataset_init(&trdataset);
+	dns_rdataset_clone(rdataset, &trdataset);
+	for (result = dns_rdataset_first(&trdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&trdataset)) {
+		dns_rdata_t current = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&trdataset, &current);
+		if (dns_rdata_compare(rdata, &current) == 0) {
+			dns_rdataset_disassociate(&trdataset);
+			return (true);
+		}
+	}
+	dns_rdataset_disassociate(&trdataset);
+	return (false);
+}
+
+isc_result_t
+dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
+		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      isc_stdtime_t now, dns_ttl_t ttl, dns_diff_t *diff,
+		      isc_mem_t *mctx)
+{
+	unsigned char dsbuf1[DNS_DS_BUFFERSIZE];
+	unsigned char dsbuf2[DNS_DS_BUFFERSIZE];
+	unsigned char keybuf[DST_KEY_MAXSIZE];
+	isc_result_t result;
+	dns_dnsseckey_t *key;
+
+	for (key = ISC_LIST_HEAD(*keys);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
+		dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
+		dns_name_t *origin = dst_key_name(key->key);
+
+		RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
+				   &cdnskeyrdata));
+
+		/*
+		 * XXXMPA we need to be able to specify the DS algorithms
+		 * to be used here and below with rmkeys.
+		 */
+		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+					 DNS_DSDIGEST_SHA1, dsbuf1,
+					 &cdsrdata1));
+		RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+					 DNS_DSDIGEST_SHA256, dsbuf2,
+					 &cdsrdata2));
+
+		/*
+		 * Now that the we have created the DS records convert
+		 * the rdata to CDNSKEY and CDS for comparison.
+		 */
+		cdnskeyrdata.type = dns_rdatatype_cdnskey;
+		cdsrdata1.type = dns_rdatatype_cds;
+		cdsrdata2.type = dns_rdatatype_cds;
+
+		if (syncpublish(key->key, now)) {
+			if (!dns_rdataset_isassociated(cdnskey) ||
+			    !exists(cdnskey, &cdnskeyrdata))
+				RETERR(publish(&cdnskeyrdata, diff, origin,
+					       ttl, mctx));
+			if (!dns_rdataset_isassociated(cds) ||
+			    !exists(cds, &cdsrdata1))
+				RETERR(publish(&cdsrdata1, diff, origin,
+					       ttl, mctx));
+			if (!dns_rdataset_isassociated(cds) ||
+			    !exists(cds, &cdsrdata2))
+				RETERR(publish(&cdsrdata2, diff, origin,
+					       ttl, mctx));
+		}
+
+		if (dns_rdataset_isassociated(cds) &&
+		    syncdelete(key->key, now)) {
+			if (exists(cds, &cdsrdata1))
+				RETERR(delrdata(&cdsrdata1, diff, origin,
+						cds->ttl, mctx));
+			if (exists(cds, &cdsrdata2))
+				RETERR(delrdata(&cdsrdata2, diff, origin,
+						cds->ttl, mctx));
+		}
+
+		if (dns_rdataset_isassociated(cdnskey) &&
+		    syncdelete(key->key, now)) {
+			if (exists(cdnskey, &cdnskeyrdata))
+				RETERR(delrdata(&cdnskeyrdata, diff, origin,
+						cdnskey->ttl, mctx));
+		}
+	}
+
+	if (!dns_rdataset_isassociated(cds) &&
+	    !dns_rdataset_isassociated(cdnskey))
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * Unconditionaly remove CDS/DNSKEY records for removed keys.
+	 */
+	for (key = ISC_LIST_HEAD(*rmkeys);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		dns_rdata_t cdsrdata1 = DNS_RDATA_INIT;
+		dns_rdata_t cdsrdata2 = DNS_RDATA_INIT;
+		dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
+		dns_name_t *origin = dst_key_name(key->key);
+
+		RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
+				   &cdnskeyrdata));
+
+		if (dns_rdataset_isassociated(cds)) {
+			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+						 DNS_DSDIGEST_SHA1, dsbuf1,
+						 &cdsrdata1));
+			RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata,
+						 DNS_DSDIGEST_SHA256, dsbuf2,
+						 &cdsrdata2));
+			if (exists(cds, &cdsrdata1))
+				RETERR(delrdata(&cdsrdata1, diff, origin,
+						cds->ttl, mctx));
+			if (exists(cds, &cdsrdata2))
+				RETERR(delrdata(&cdsrdata2, diff, origin,
+						cds->ttl, mctx));
+		}
+
+		if (dns_rdataset_isassociated(cdnskey)) {
+			if (exists(cdnskey, &cdnskeyrdata))
+				RETERR(delrdata(&cdnskeyrdata, diff, origin,
+						cdnskey->ttl, mctx));
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+/*
+ * Update 'keys' with information from 'newkeys'.
+ *
+ * If 'removed' is not NULL, any keys that are being removed from
+ * the zone will be added to the list for post-removal processing.
+ */
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff,
+		      bool allzsk, isc_mem_t *mctx,
+		      void (*report)(const char *, ...))
+{
+	isc_result_t result;
+	dns_dnsseckey_t *key, *key1, *key2, *next;
+	bool found_ttl = false;
+	dns_ttl_t ttl = hint_ttl;
+
+	/*
+	 * First, look through the existing key list to find keys
+	 * supplied from the command line which are not in the zone.
+	 * Update the zone to include them.
+	 *
+	 * Also, if there are keys published in the zone already,
+	 * use their TTL for all subsequent published keys.
+	 */
+	for (key = ISC_LIST_HEAD(*keys);
+	     key != NULL;
+	     key = ISC_LIST_NEXT(key, link)) {
+		if (key->source == dns_keysource_user &&
+		    (key->hint_publish || key->force_publish)) {
+			RETERR(publish_key(diff, key, origin, ttl,
+					   mctx, allzsk, report));
+		}
+		if (key->source == dns_keysource_zoneapex) {
+			ttl = dst_key_getttl(key->key);
+			found_ttl = true;
+		}
+	}
+
+	/*
+	 * If there were no existing keys, use the smallest nonzero
+	 * TTL of the keys found in the repository.
+	 */
+	if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
+		dns_ttl_t shortest = 0;
+
+		for (key = ISC_LIST_HEAD(*newkeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			dns_ttl_t thisttl = dst_key_getttl(key->key);
+			if (thisttl != 0 &&
+			    (shortest == 0 || thisttl < shortest))
+				shortest = thisttl;
+		}
+
+		if (shortest != 0)
+			ttl = shortest;
+	}
+
+	/*
+	 * Second, scan the list of newly found keys looking for matches
+	 * with known keys, and update accordingly.
+	 */
+	for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
+		bool key_revoked = false;
+
+		next = ISC_LIST_NEXT(key1, link);
+
+		for (key2 = ISC_LIST_HEAD(*keys);
+		     key2 != NULL;
+		     key2 = ISC_LIST_NEXT(key2, link)) {
+			int f1 = dst_key_flags(key1->key);
+			int f2 = dst_key_flags(key2->key);
+			int nr1 = f1 & ~DNS_KEYFLAG_REVOKE;
+			int nr2 = f2 & ~DNS_KEYFLAG_REVOKE;
+			if (nr1 == nr2 &&
+			    dst_key_alg(key1->key) == dst_key_alg(key2->key) &&
+			    dst_key_pubcompare(key1->key, key2->key,
+					       true)) {
+				int r1, r2;
+				r1 = dst_key_flags(key1->key) &
+					DNS_KEYFLAG_REVOKE;
+				r2 = dst_key_flags(key2->key) &
+					DNS_KEYFLAG_REVOKE;
+				key_revoked = (r1 != r2);
+				break;
+			}
+		}
+
+		/* No match found in keys; add the new key. */
+		if (key2 == NULL) {
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			if (key1->source != dns_keysource_zoneapex &&
+			    (key1->hint_publish || key1->force_publish)) {
+				RETERR(publish_key(diff, key1, origin, ttl,
+						   mctx, allzsk, report));
+				if (key1->hint_sign || key1->force_sign)
+					key1->first_sign = true;
+			}
+
+			continue;
+		}
+
+		/* Match found: remove or update it as needed */
+		if (key1->hint_remove) {
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
+					  "expired", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+			if (removed != NULL)
+				ISC_LIST_APPEND(*removed, key2, link);
+			else
+				dns_dnsseckey_destroy(mctx, &key2);
+		} else if (key_revoked &&
+			 (dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0) {
+
+			/*
+			 * A previously valid key has been revoked.
+			 * We need to remove the old version and pull
+			 * in the new one.
+			 */
+			RETERR(remove_key(diff, key2, origin, ttl, mctx,
+					  "revoked", report));
+			ISC_LIST_UNLINK(*keys, key2, link);
+			if (removed != NULL)
+				ISC_LIST_APPEND(*removed, key2, link);
+			else
+				dns_dnsseckey_destroy(mctx, &key2);
+
+			RETERR(publish_key(diff, key1, origin, ttl,
+					   mctx, allzsk, report));
+			ISC_LIST_UNLINK(*newkeys, key1, link);
+			ISC_LIST_APPEND(*keys, key1, link);
+
+			/*
+			 * XXX: The revoke flag is only defined for trust
+			 * anchors.  Setting the flag on a non-KSK is legal,
+			 * but not defined in any RFC.  It seems reasonable
+			 * to treat it the same as a KSK: keep it in the
+			 * zone, sign the DNSKEY set with it, but not
+			 * sign other records with it.
+			 */
+			key1->ksk = true;
+			continue;
+		} else {
+			if (!key2->is_active &&
+			    (key1->hint_sign || key1->force_sign))
+				key2->first_sign = true;
+			key2->hint_sign = key1->hint_sign;
+			key2->hint_publish = key1->hint_publish;
+		}
+	}
+
+	/* Free any leftover keys in newkeys */
+	while (!ISC_LIST_EMPTY(*newkeys)) {
+		key1 = ISC_LIST_HEAD(*newkeys);
+		ISC_LIST_UNLINK(*newkeys, key1, link);
+		dns_dnsseckey_destroy(mctx, &key1);
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
new file mode 100644
index 0000000..ab3bd74
--- /dev/null
+++ b/lib/dns/dnstap.c
@@ -0,0 +1,1251 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 2013-2014, Farsight Security, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#ifndef HAVE_DNSTAP
+#error DNSTAP not configured.
+#endif /* HAVE_DNSTAP */
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dnstap.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/types.h>
+#include <dns/view.h>
+
+#include <dns/dnstap.pb-c.h>
+#include <protobuf-c/protobuf-c.h>
+
+#define DTENV_MAGIC			ISC_MAGIC('D', 't', 'n', 'v')
+#define VALID_DTENV(env)		ISC_MAGIC_VALID(env, DTENV_MAGIC)
+
+#define DNSTAP_CONTENT_TYPE	"protobuf:dnstap.Dnstap"
+#define DNSTAP_INITIAL_BUF_SIZE 256
+
+struct dns_dtmsg {
+	void *buf;
+	size_t len;
+	Dnstap__Dnstap d;
+	Dnstap__Message m;
+};
+
+struct dns_dthandle {
+	dns_dtmode_t mode;
+	struct fstrm_reader *reader;
+	isc_mem_t *mctx;
+};
+
+struct dns_dtenv {
+	unsigned int magic;
+	isc_refcount_t refcount;
+
+	isc_mem_t *mctx;
+
+	struct fstrm_iothr *iothr;
+	struct fstrm_iothr_options *fopt;
+
+	isc_region_t identity;
+	isc_region_t version;
+	char *path;
+	dns_dtmode_t mode;
+	isc_stats_t *stats;
+};
+
+#define CHECK(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto cleanup; \
+	} while (0)
+
+static isc_mutex_t dt_mutex;
+static bool dt_initialized = false;
+static isc_thread_key_t dt_key;
+static isc_once_t mutex_once = ISC_ONCE_INIT;
+static isc_mem_t *dt_mctx = NULL;
+
+/*
+ * Change under task exclusive.
+ */
+static unsigned int generation;
+
+static void
+mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&dt_mutex) == ISC_R_SUCCESS);
+}
+
+static void
+dtfree(void *arg) {
+	free(arg);
+	isc_thread_key_setspecific(dt_key, NULL);
+}
+
+static isc_result_t
+dt_init(void) {
+	isc_result_t result;
+
+	result = isc_once_do(&mutex_once, mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (dt_initialized)
+		return (ISC_R_SUCCESS);
+
+	LOCK(&dt_mutex);
+	if (!dt_initialized) {
+		int ret;
+
+		if (dt_mctx == NULL)
+			result = isc_mem_create2(0, 0, &dt_mctx, 0);
+		if (result != ISC_R_SUCCESS)
+			goto unlock;
+		isc_mem_setname(dt_mctx, "dt", NULL);
+		isc_mem_setdestroycheck(dt_mctx, false);
+
+		ret = isc_thread_key_create(&dt_key, dtfree);
+		if (ret == 0)
+			dt_initialized = true;
+		else
+			result = ISC_R_FAILURE;
+	}
+unlock:
+	UNLOCK(&dt_mutex);
+
+	return (result);
+}
+
+isc_result_t
+dns_dt_create(isc_mem_t *mctx, dns_dtmode_t mode, const char *path,
+	      struct fstrm_iothr_options **foptp, dns_dtenv_t **envp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	fstrm_res res;
+	struct fstrm_unix_writer_options *fuwopt = NULL;
+	struct fstrm_file_options *ffwopt = NULL;
+	struct fstrm_writer_options *fwopt = NULL;
+	struct fstrm_writer *fw = NULL;
+	dns_dtenv_t *env = NULL;
+
+	REQUIRE(path != NULL);
+	REQUIRE(envp != NULL && *envp == NULL);
+	REQUIRE(foptp!= NULL && *foptp != NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+		      DNS_LOGMODULE_DNSTAP, ISC_LOG_INFO,
+		      "opening dnstap destination '%s'", path);
+
+	generation++;
+
+	env = isc_mem_get(mctx, sizeof(dns_dtenv_t));
+	if (env == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	memset(env, 0, sizeof(dns_dtenv_t));
+
+	CHECK(isc_refcount_init(&env->refcount, 1));
+	CHECK(isc_stats_create(mctx, &env->stats, dns_dnstapcounter_max));
+	env->path = isc_mem_strdup(mctx, path);
+	if (env->path == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	fwopt = fstrm_writer_options_init();
+	if (fwopt == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	res = fstrm_writer_options_add_content_type(fwopt,
+					    DNSTAP_CONTENT_TYPE,
+					    sizeof(DNSTAP_CONTENT_TYPE) - 1);
+	if (res != fstrm_res_success)
+		CHECK(ISC_R_FAILURE);
+
+	if (mode == dns_dtmode_file) {
+		ffwopt = fstrm_file_options_init();
+		if (ffwopt != NULL) {
+			fstrm_file_options_set_file_path(ffwopt, env->path);
+			fw = fstrm_file_writer_init(ffwopt, fwopt);
+		}
+	} else if (mode == dns_dtmode_unix) {
+		fuwopt = fstrm_unix_writer_options_init();
+		if (fuwopt != NULL) {
+			fstrm_unix_writer_options_set_socket_path(fuwopt,
+								  env->path);
+			fw = fstrm_unix_writer_init(fuwopt, fwopt);
+		}
+	} else
+		CHECK(ISC_R_FAILURE);
+
+	if (fw == NULL)
+		CHECK(ISC_R_FAILURE);
+
+	env->iothr = fstrm_iothr_init(*foptp, &fw);
+	if (env->iothr == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_WARNING,
+			      "unable to initialize dnstap I/O thread");
+		fstrm_writer_destroy(&fw);
+		CHECK(ISC_R_FAILURE);
+	}
+	env->mode = mode;
+	env->fopt = *foptp;
+	*foptp = NULL;
+
+	isc_mem_attach(mctx, &env->mctx);
+
+	env->magic = DTENV_MAGIC;
+	*envp = env;
+
+ cleanup:
+	if (ffwopt != NULL)
+		fstrm_file_options_destroy(&ffwopt);
+
+	if (fuwopt != NULL)
+		fstrm_unix_writer_options_destroy(&fuwopt);
+
+	if (fwopt != NULL)
+		fstrm_writer_options_destroy(&fwopt);
+
+	if (result != ISC_R_SUCCESS) {
+		if (env != NULL) {
+			if (env->mctx != NULL)
+				isc_mem_detach(&env->mctx);
+			if (env->path != NULL)
+				isc_mem_free(mctx, env->path);
+			if (env->stats != NULL)
+				isc_stats_detach(&env->stats);
+			isc_mem_put(mctx, env, sizeof(dns_dtenv_t));
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_dt_reopen(dns_dtenv_t *env, int roll) {
+	isc_result_t result = ISC_R_SUCCESS;
+	fstrm_res res;
+	isc_logfile_t file;
+	struct fstrm_unix_writer_options *fuwopt = NULL;
+	struct fstrm_file_options *ffwopt = NULL;
+	struct fstrm_writer_options *fwopt = NULL;
+	struct fstrm_writer *fw = NULL;
+
+	REQUIRE(VALID_DTENV(env));
+
+	/*
+	 * Check that we can create a new fw object.
+	 */
+	fwopt = fstrm_writer_options_init();
+	if (fwopt == NULL)
+		return (ISC_R_NOMEMORY);
+
+	res = fstrm_writer_options_add_content_type(fwopt,
+					    DNSTAP_CONTENT_TYPE,
+					    sizeof(DNSTAP_CONTENT_TYPE) - 1);
+	if (res != fstrm_res_success)
+		CHECK(ISC_R_FAILURE);
+
+	if (env->mode == dns_dtmode_file) {
+		ffwopt = fstrm_file_options_init();
+		if (ffwopt != NULL) {
+			fstrm_file_options_set_file_path(ffwopt, env->path);
+			fw = fstrm_file_writer_init(ffwopt, fwopt);
+		}
+	} else if (env->mode == dns_dtmode_unix) {
+		fuwopt = fstrm_unix_writer_options_init();
+		if (fuwopt != NULL) {
+			fstrm_unix_writer_options_set_socket_path(fuwopt,
+								  env->path);
+			fw = fstrm_unix_writer_init(fuwopt, fwopt);
+		}
+	} else
+		CHECK(ISC_R_NOTIMPLEMENTED);
+
+	if (fw == NULL)
+		CHECK(ISC_R_FAILURE);
+
+	/*
+	 * We are committed here.
+	 */
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+		      DNS_LOGMODULE_DNSTAP, ISC_LOG_INFO,
+		      "%s dnstap destination '%s'",
+		      (roll < 0) ? "reopening" : "rolling",
+		      env->path);
+
+	generation++;
+
+	if (env->iothr != NULL)
+		fstrm_iothr_destroy(&env->iothr);
+
+	if (env->mode == dns_dtmode_file && roll >= 0) {
+		/*
+		 * Create a temporary isc_logfile_t structure so we can
+		 * take advantage of the logfile rolling facility.
+		 */
+		char *filename = isc_mem_strdup(env->mctx, env->path);
+		file.name = filename;
+		file.stream = NULL;
+		file.versions = roll != 0 ? roll : ISC_LOG_ROLLINFINITE;
+		file.maximum_size = 0;
+		file.maximum_reached = false;
+		result = isc_logfile_roll(&file);
+		isc_mem_free(env->mctx, filename);
+		CHECK(result);
+	}
+
+	env->iothr = fstrm_iothr_init(env->fopt, &fw);
+	if (env->iothr == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_WARNING,
+			      "unable to initialize dnstap I/O thread");
+		CHECK(ISC_R_FAILURE);
+	}
+
+ cleanup:
+	if (ffwopt != NULL)
+		fstrm_file_options_destroy(&ffwopt);
+
+	if (fw != NULL)
+		fstrm_writer_destroy(&fw);
+
+	if (fwopt != NULL)
+		fstrm_writer_options_destroy(&fwopt);
+
+	if (fuwopt != NULL)
+		fstrm_unix_writer_options_destroy(&fuwopt);
+
+	return (result);
+}
+
+static isc_result_t
+toregion(dns_dtenv_t *env, isc_region_t *r, const char *str) {
+	unsigned char *p = NULL;
+
+	REQUIRE(r != NULL);
+
+	if (str != NULL) {
+		p = (unsigned char *) isc_mem_strdup(env->mctx, str);
+		if (p == NULL)
+			return (ISC_R_NOMEMORY);
+	}
+
+	if (r->base != NULL) {
+		isc_mem_free(env->mctx, r->base);
+		r->length = 0;
+	}
+
+	if (p != NULL) {
+		r->base = p;
+		r->length = strlen((char *) p);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dt_setidentity(dns_dtenv_t *env, const char *identity) {
+	REQUIRE(VALID_DTENV(env));
+
+	return (toregion(env, &env->identity, identity));
+}
+
+isc_result_t
+dns_dt_setversion(dns_dtenv_t *env, const char *version) {
+	REQUIRE(VALID_DTENV(env));
+
+	return (toregion(env, &env->version, version));
+}
+
+static struct fstrm_iothr_queue *
+dt_queue(dns_dtenv_t *env) {
+	isc_result_t result;
+	struct ioq {
+		unsigned int generation;
+		struct fstrm_iothr_queue *ioq;
+	} *ioq;
+
+	REQUIRE(VALID_DTENV(env));
+
+	if (env->iothr == NULL)
+		return (NULL);
+
+	result = dt_init();
+	if (result != ISC_R_SUCCESS)
+		return (NULL);
+
+	ioq = (struct ioq *)isc_thread_key_getspecific(dt_key);
+	if (ioq != NULL && ioq->generation != generation) {
+		result = isc_thread_key_setspecific(dt_key, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (NULL);
+		free(ioq);
+		ioq = NULL;
+	}
+	if (ioq == NULL) {
+		ioq = malloc(sizeof(*ioq));
+		if (ioq == NULL)
+			return (NULL);
+		ioq->generation = generation;
+		ioq->ioq = fstrm_iothr_get_input_queue(env->iothr);
+		if (ioq->ioq == NULL) {
+			free(ioq);
+			return (NULL);
+		}
+		result = isc_thread_key_setspecific(dt_key, ioq);
+		if (result != ISC_R_SUCCESS) {
+			free(ioq);
+			return (NULL);
+		}
+	}
+
+	return (ioq->ioq);
+}
+
+void
+dns_dt_attach(dns_dtenv_t *source, dns_dtenv_t **destp) {
+	REQUIRE(VALID_DTENV(source));
+	REQUIRE(destp != NULL && *destp == NULL);
+
+	isc_refcount_increment(&source->refcount, NULL);
+	*destp = source;
+}
+
+isc_result_t
+dns_dt_getstats(dns_dtenv_t *env, isc_stats_t **statsp) {
+	REQUIRE(VALID_DTENV(env));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (env->stats == NULL)
+		return (ISC_R_NOTFOUND);
+	isc_stats_attach(env->stats, statsp);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroy(dns_dtenv_t *env) {
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+		      DNS_LOGMODULE_DNSTAP, ISC_LOG_INFO,
+		      "closing dnstap");
+	env->magic = 0;
+
+	generation++;
+
+	if (env->iothr != NULL)
+		fstrm_iothr_destroy(&env->iothr);
+	if (env->fopt != NULL)
+		fstrm_iothr_options_destroy(&env->fopt);
+
+	if (env->identity.base != NULL) {
+		isc_mem_free(env->mctx, env->identity.base);
+		env->identity.length = 0;
+	}
+	if (env->version.base != NULL) {
+		isc_mem_free(env->mctx, env->version.base);
+		env->version.length = 0;
+	}
+	if (env->path != NULL)
+		isc_mem_free(env->mctx, env->path);
+	if (env->stats != NULL)
+		isc_stats_detach(&env->stats);
+
+	isc_mem_putanddetach(&env->mctx, env, sizeof(*env));
+}
+
+void
+dns_dt_detach(dns_dtenv_t **envp) {
+	unsigned int refs;
+	dns_dtenv_t *env;
+
+	REQUIRE(envp != NULL && VALID_DTENV(*envp));
+
+	env = *envp;
+	*envp = NULL;
+
+	isc_refcount_decrement(&env->refcount, &refs);
+	if (refs == 0)
+		destroy(env);
+}
+
+static isc_result_t
+pack_dt(const Dnstap__Dnstap *d, void **buf, size_t *sz) {
+	ProtobufCBufferSimple sbuf;
+
+	REQUIRE(d != NULL);
+	REQUIRE(sz != NULL);
+
+	memset(&sbuf, 0, sizeof(sbuf));
+	sbuf.base.append = protobuf_c_buffer_simple_append;
+	sbuf.len = 0;
+	sbuf.alloced = DNSTAP_INITIAL_BUF_SIZE;
+
+	/* Need to use malloc() here because protobuf uses free() */
+	sbuf.data = malloc(sbuf.alloced);
+	if (sbuf.data == NULL)
+		return (ISC_R_NOMEMORY);
+	sbuf.must_free_data = 1;
+
+	*sz = dnstap__dnstap__pack_to_buffer(d, (ProtobufCBuffer *) &sbuf);
+	if (sbuf.data == NULL)
+		return (ISC_R_FAILURE);
+	*buf = sbuf.data;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+send_dt(dns_dtenv_t *env, void *buf, size_t len) {
+	struct fstrm_iothr_queue *ioq;
+	fstrm_res res;
+
+	REQUIRE(env != NULL);
+
+	if (buf == NULL)
+		return;
+
+	ioq = dt_queue(env);
+	if (ioq == NULL) {
+		free(buf);
+		return;
+	}
+
+	res = fstrm_iothr_submit(env->iothr, ioq, buf, len,
+				 fstrm_free_wrapper, NULL);
+	if (res != fstrm_res_success) {
+		if (env->stats != NULL)
+			isc_stats_increment(env->stats,
+					    dns_dnstapcounter_drop);
+		free(buf);
+	} else {
+		if (env->stats != NULL)
+			isc_stats_increment(env->stats,
+					    dns_dnstapcounter_success);
+	}
+}
+
+static void
+init_msg(dns_dtenv_t *env, dns_dtmsg_t *dm, Dnstap__Message__Type mtype) {
+	memset(dm, 0, sizeof(*dm));
+	dm->d.base.descriptor = &dnstap__dnstap__descriptor;
+	dm->m.base.descriptor = &dnstap__message__descriptor;
+	dm->d.type = DNSTAP__DNSTAP__TYPE__MESSAGE;
+	dm->d.message = &dm->m;
+	dm->m.type = mtype;
+
+	if (env->identity.length != 0) {
+		dm->d.identity.data = env->identity.base;
+		dm->d.identity.len = env->identity.length;
+		dm->d.has_identity = true;
+	}
+
+	if (env->version.length != 0) {
+		dm->d.version.data = env->version.base;
+		dm->d.version.len = env->version.length;
+		dm->d.has_version = true;
+	}
+}
+
+static Dnstap__Message__Type
+dnstap_type(dns_dtmsgtype_t msgtype) {
+	switch (msgtype) {
+	case DNS_DTTYPE_SQ:
+		return (DNSTAP__MESSAGE__TYPE__STUB_QUERY);
+	case DNS_DTTYPE_SR:
+		return (DNSTAP__MESSAGE__TYPE__STUB_RESPONSE);
+	case DNS_DTTYPE_CQ:
+		return (DNSTAP__MESSAGE__TYPE__CLIENT_QUERY);
+	case DNS_DTTYPE_CR:
+		return (DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE);
+	case DNS_DTTYPE_AQ:
+		return (DNSTAP__MESSAGE__TYPE__AUTH_QUERY);
+	case DNS_DTTYPE_AR:
+		return (DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE);
+	case DNS_DTTYPE_RQ:
+		return (DNSTAP__MESSAGE__TYPE__RESOLVER_QUERY);
+	case DNS_DTTYPE_RR:
+		return (DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE);
+	case DNS_DTTYPE_FQ:
+		return (DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY);
+	case DNS_DTTYPE_FR:
+		return (DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE);
+	case DNS_DTTYPE_TQ:
+		return (DNSTAP__MESSAGE__TYPE__TOOL_QUERY);
+	case DNS_DTTYPE_TR:
+		return (DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE);
+	default:
+		INSIST(0);
+	}
+}
+
+static void
+cpbuf(isc_buffer_t *buf, ProtobufCBinaryData *p, protobuf_c_boolean *has) {
+	p->data = isc_buffer_base(buf);
+	p->len = isc_buffer_usedlength(buf);
+	*has = 1;
+}
+
+static void
+setaddr(dns_dtmsg_t *dm, isc_sockaddr_t *sa, bool tcp,
+	ProtobufCBinaryData *addr, protobuf_c_boolean *has_addr,
+	uint32_t *port, protobuf_c_boolean *has_port)
+{
+	int family = isc_sockaddr_pf(sa);
+
+	if (family != AF_INET6 && family != AF_INET)
+		return;
+
+	if (family == AF_INET6) {
+		dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET6;
+		addr->data = sa->type.sin6.sin6_addr.s6_addr;
+		addr->len = 16;
+		*port = ntohs(sa->type.sin6.sin6_port);
+	} else {
+		dm->m.socket_family = DNSTAP__SOCKET_FAMILY__INET;
+		addr->data = (uint8_t *) &sa->type.sin.sin_addr.s_addr;
+		addr->len = 4;
+		*port = ntohs(sa->type.sin.sin_port);
+	}
+
+	if (tcp)
+		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP;
+	else
+		dm->m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP;
+
+	dm->m.has_socket_protocol = 1;
+	dm->m.has_socket_family = 1;
+	*has_addr = 1;
+	*has_port = 1;
+}
+
+void
+dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype,
+	    isc_sockaddr_t *qaddr, isc_sockaddr_t *raddr,
+	    bool tcp, isc_region_t *zone, isc_time_t *qtime,
+	    isc_time_t *rtime, isc_buffer_t *buf)
+{
+	isc_time_t now, *t;
+	dns_dtmsg_t dm;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if ((msgtype & view->dttypes) == 0)
+		return;
+
+	if (view->dtenv == NULL)
+		return;
+
+	REQUIRE(VALID_DTENV(view->dtenv));
+
+	TIME_NOW(&now);
+	t = &now;
+
+	init_msg(view->dtenv, &dm, dnstap_type(msgtype));
+
+	/* Query/response times */
+	switch (msgtype) {
+	case DNS_DTTYPE_AR:
+	case DNS_DTTYPE_CR:
+	case DNS_DTTYPE_RR:
+	case DNS_DTTYPE_FR:
+	case DNS_DTTYPE_SR:
+	case DNS_DTTYPE_TR:
+		if (rtime != NULL)
+			t = rtime;
+
+		dm.m.response_time_sec = isc_time_seconds(t);
+		dm.m.has_response_time_sec = 1;
+		dm.m.response_time_nsec = isc_time_nanoseconds(t);
+		dm.m.has_response_time_nsec = 1;
+
+		cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
+
+		/* Types RR and FR get both query and response times */
+		if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR)
+			break;
+
+		/* FALLTHROUGH */
+	case DNS_DTTYPE_AQ:
+	case DNS_DTTYPE_CQ:
+	case DNS_DTTYPE_FQ:
+	case DNS_DTTYPE_RQ:
+	case DNS_DTTYPE_SQ:
+	case DNS_DTTYPE_TQ:
+		if (qtime != NULL)
+			t = qtime;
+
+		dm.m.query_time_sec = isc_time_seconds(t);
+		dm.m.has_query_time_sec = 1;
+		dm.m.query_time_nsec = isc_time_nanoseconds(t);
+		dm.m.has_query_time_nsec = 1;
+
+		cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
+		break;
+	default:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
+			      DNS_LOGMODULE_DNSTAP, ISC_LOG_ERROR,
+			      "invalid dnstap message type %d", msgtype);
+		return;
+	}
+
+	/* Zone/bailiwick */
+	switch (msgtype) {
+	case DNS_DTTYPE_AR:
+	case DNS_DTTYPE_RQ:
+	case DNS_DTTYPE_RR:
+	case DNS_DTTYPE_FQ:
+	case DNS_DTTYPE_FR:
+		if (zone != NULL && zone->base != NULL && zone->length != 0) {
+			dm.m.query_zone.data = zone->base;
+			dm.m.query_zone.len = zone->length;
+			dm.m.has_query_zone = 1;
+		}
+		break;
+	default:
+		break;
+	}
+
+	if (qaddr != NULL) {
+		setaddr(&dm, qaddr, tcp,
+			&dm.m.query_address, &dm.m.has_query_address,
+			&dm.m.query_port, &dm.m.has_query_port);
+	}
+	if (raddr != NULL) {
+		setaddr(&dm, raddr, tcp,
+			&dm.m.response_address, &dm.m.has_response_address,
+			&dm.m.response_port, &dm.m.has_response_port);
+	}
+
+	if (pack_dt(&dm.d, &dm.buf, &dm.len) == ISC_R_SUCCESS)
+		send_dt(view->dtenv, dm.buf, dm.len);
+}
+
+void
+dns_dt_shutdown() {
+	if (dt_mctx != NULL)
+		isc_mem_detach(&dt_mctx);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_NOSPACE);
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+putaddr(isc_buffer_t **b, isc_region_t *ip) {
+	char buf[64];
+
+	if (ip->length == 4) {
+		if (!inet_ntop(AF_INET, ip->base, buf, sizeof(buf)))
+			return (ISC_R_FAILURE);
+	} else if (ip->length == 16) {
+		if (!inet_ntop(AF_INET6, ip->base, buf, sizeof(buf)))
+			return (ISC_R_FAILURE);
+	} else
+		return (ISC_R_BADADDRESSFORM);
+
+	return (putstr(b, buf));
+}
+
+static bool
+dnstap_file(struct fstrm_reader *r) {
+	fstrm_res res;
+	const struct fstrm_control *control = NULL;
+	const uint8_t *rtype = NULL;
+	size_t dlen = strlen(DNSTAP_CONTENT_TYPE), rlen = 0;
+	size_t n = 0;
+
+	res = fstrm_reader_get_control(r, FSTRM_CONTROL_START, &control);
+	if (res != fstrm_res_success)
+		return (false);
+
+	res = fstrm_control_get_num_field_content_type(control, &n);
+	if (res != fstrm_res_success)
+		return (false);
+	if (n > 0) {
+		res = fstrm_control_get_field_content_type(control, 0,
+							   &rtype, &rlen);
+		if (res != fstrm_res_success)
+			return (false);
+
+		if (rlen != dlen)
+			return (false);
+
+		if (memcmp(DNSTAP_CONTENT_TYPE, rtype, dlen) == 0)
+			return (true);
+	}
+
+	return (false);
+}
+
+isc_result_t
+dns_dt_open(const char *filename, dns_dtmode_t mode, isc_mem_t *mctx,
+	    dns_dthandle_t **handlep)
+{
+	isc_result_t result;
+	struct fstrm_file_options *fopt = NULL;
+	fstrm_res res;
+	dns_dthandle_t *handle;
+
+	REQUIRE(handlep != NULL && *handlep == NULL);
+
+	handle = isc_mem_get(mctx, sizeof(*handle));
+	if (handle == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	handle->mode = mode;
+	handle->mctx = NULL;
+
+	switch(mode) {
+	case dns_dtmode_file:
+		fopt = fstrm_file_options_init();
+		if (fopt == NULL)
+			CHECK(ISC_R_NOMEMORY);
+
+		fstrm_file_options_set_file_path(fopt, filename);
+
+		handle->reader = fstrm_file_reader_init(fopt, NULL);
+		if (handle->reader == NULL)
+			CHECK(ISC_R_NOMEMORY);
+
+		res = fstrm_reader_open(handle->reader);
+		if (res != fstrm_res_success)
+			CHECK(ISC_R_FAILURE);
+
+		if (!dnstap_file(handle->reader))
+			CHECK(DNS_R_BADDNSTAP);
+		break;
+	case dns_dtmode_unix:
+		return (ISC_R_NOTIMPLEMENTED);
+	default:
+		INSIST(0);
+	}
+
+	isc_mem_attach(mctx, &handle->mctx);
+	result = ISC_R_SUCCESS;
+	*handlep = handle;
+	handle = NULL;
+
+ cleanup:
+	if (result != ISC_R_SUCCESS && handle->reader != NULL) {
+		fstrm_reader_destroy(&handle->reader);
+		handle->reader = NULL;
+	}
+	if (fopt != NULL)
+		fstrm_file_options_destroy(&fopt);
+	if (handle != NULL)
+		isc_mem_put(mctx, handle, sizeof(*handle));
+	return (result);
+}
+
+isc_result_t
+dns_dt_getframe(dns_dthandle_t *handle, uint8_t **bufp, size_t *sizep) {
+	const uint8_t *data;
+	fstrm_res res;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(bufp != NULL);
+	REQUIRE(sizep != NULL);
+
+	data = (const uint8_t *) *bufp;
+
+	res = fstrm_reader_read(handle->reader, &data, sizep);
+	switch (res) {
+	case fstrm_res_success:
+		if (data == NULL)
+			return (ISC_R_FAILURE);
+		DE_CONST(data, *bufp);
+		return (ISC_R_SUCCESS);
+	case fstrm_res_stop:
+		return (ISC_R_NOMORE);
+	default:
+		return (ISC_R_FAILURE);
+	}
+}
+
+void
+dns_dt_close(dns_dthandle_t **handlep) {
+	dns_dthandle_t *handle;
+
+	REQUIRE(handlep != NULL && *handlep != NULL);
+
+	handle = *handlep;
+	*handlep = NULL;
+
+	if (handle->reader != NULL) {
+		fstrm_reader_destroy(&handle->reader);
+		handle->reader = NULL;
+	}
+	isc_mem_putanddetach(&handle->mctx, handle, sizeof(*handle));
+}
+
+isc_result_t
+dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp) {
+	isc_result_t result;
+	Dnstap__Message *m;
+	dns_dtdata_t *d = NULL;
+	isc_buffer_t b;
+
+	REQUIRE(src != NULL);
+	REQUIRE(destp != NULL && *destp == NULL);
+
+	d = isc_mem_get(mctx, sizeof(*d));
+	if (d == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(d, 0, sizeof(*d));
+	isc_mem_attach(mctx, &d->mctx);
+
+	d->frame = dnstap__dnstap__unpack(NULL, src->length, src->base);
+	if (d->frame == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	if (d->frame->type != DNSTAP__DNSTAP__TYPE__MESSAGE)
+		CHECK(DNS_R_BADDNSTAP);
+
+	m = d->frame->message;
+
+	/* Message type */
+	switch (m->type) {
+	case DNSTAP__MESSAGE__TYPE__AUTH_QUERY:
+		d->type = DNS_DTTYPE_AQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__AUTH_RESPONSE:
+		d->type = DNS_DTTYPE_AR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__CLIENT_QUERY:
+		d->type = DNS_DTTYPE_CQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE:
+		d->type = DNS_DTTYPE_CR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY:
+		d->type = DNS_DTTYPE_FQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE:
+		d->type = DNS_DTTYPE_FR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__RESOLVER_QUERY:
+		d->type = DNS_DTTYPE_RQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE:
+		d->type = DNS_DTTYPE_RR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__STUB_QUERY:
+		d->type = DNS_DTTYPE_SQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__STUB_RESPONSE:
+		d->type = DNS_DTTYPE_SR;
+		break;
+	case DNSTAP__MESSAGE__TYPE__TOOL_QUERY:
+		d->type = DNS_DTTYPE_TQ;
+		break;
+	case DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE:
+		d->type = DNS_DTTYPE_TR;
+		break;
+	default:
+		CHECK(DNS_R_BADDNSTAP);
+	}
+
+	/* Query? */
+	if ((d->type & DNS_DTTYPE_QUERY) != 0)
+		d->query = true;
+	else
+		d->query = false;
+
+	/* Parse DNS message */
+	if (d->query && m->has_query_message) {
+		d->msgdata.base = m->query_message.data;
+		d->msgdata.length = m->query_message.len;
+	} else if (!d->query && m->has_response_message) {
+		d->msgdata.base = m->response_message.data;
+		d->msgdata.length = m->response_message.len;
+	}
+
+	isc_buffer_init(&b, d->msgdata.base, d->msgdata.length);
+	isc_buffer_add(&b, d->msgdata.length);
+	CHECK(dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &d->msg));
+	result = dns_message_parse(d->msg, &b, 0);
+	if (result != ISC_R_SUCCESS) {
+		if (result != DNS_R_RECOVERABLE)
+			dns_message_destroy(&d->msg);
+		result = ISC_R_SUCCESS;
+	}
+
+	/* Timestamp */
+	if (d->query) {
+		if (m->has_query_time_sec && m->has_query_time_nsec)
+			isc_time_set(&d->qtime, m->query_time_sec,
+				     m->query_time_nsec);
+	} else {
+		if (m->has_response_time_sec && m->has_response_time_nsec)
+			isc_time_set(&d->rtime, m->response_time_sec,
+				     m->response_time_nsec);
+	}
+
+	/* Peer address */
+	if (m->has_query_address) {
+		d->qaddr.base = m->query_address.data;
+		d->qaddr.length = m->query_address.len;
+	}
+	if (m->has_query_port) {
+		d->qport = m->query_port;
+	}
+
+	if (m->has_response_address) {
+		d->raddr.base = m->response_address.data;
+		d->raddr.length = m->response_address.len;
+	}
+	if (m->has_response_port) {
+		d->rport = m->response_port;
+	}
+
+	/* Socket protocol */
+	if (m->has_socket_protocol) {
+		const ProtobufCEnumValue *type =
+			protobuf_c_enum_descriptor_get_value(
+				&dnstap__socket_protocol__descriptor,
+				m->socket_protocol);
+		if (type != NULL &&
+		    type->value == DNSTAP__SOCKET_PROTOCOL__TCP)
+			d->tcp = true;
+		else
+			d->tcp = false;
+	}
+
+	/* Query tuple */
+	if (d->msg != NULL) {
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset;
+
+		CHECK(dns_message_firstname(d->msg, DNS_SECTION_QUESTION));
+		dns_message_currentname(d->msg, DNS_SECTION_QUESTION, &name);
+		rdataset = ISC_LIST_HEAD(name->list);
+
+		dns_name_format(name, d->namebuf, sizeof(d->namebuf));
+		dns_rdatatype_format(rdataset->type, d->typebuf,
+				     sizeof(d->typebuf));
+		dns_rdataclass_format(rdataset->rdclass, d->classbuf,
+				      sizeof(d->classbuf));
+	}
+
+	*destp = d;
+
+ cleanup:
+	if (result != ISC_R_SUCCESS)
+		dns_dtdata_free(&d);
+
+	return (result);
+}
+
+isc_result_t
+dns_dt_datatotext(dns_dtdata_t *d, isc_buffer_t **dest) {
+	isc_result_t result;
+	char buf[100];
+
+	REQUIRE(d != NULL);
+	REQUIRE(dest != NULL && *dest != NULL);
+
+	memset(buf, 0, sizeof(buf));
+
+	/* Timestamp */
+	if (d->query && !isc_time_isepoch(&d->qtime))
+		isc_time_formattimestamp(&d->qtime, buf, sizeof(buf));
+	else if (!d->query && !isc_time_isepoch(&d->rtime))
+		isc_time_formattimestamp(&d->rtime, buf, sizeof(buf));
+
+	if (buf[0] == '\0')
+		CHECK(putstr(dest, "???\?-?\?-?? ??:??:??.??? "));
+	else {
+		CHECK(putstr(dest, buf));
+		CHECK(putstr(dest, " "));
+	}
+
+	/* Type mnemonic */
+	switch (d->type) {
+	case DNS_DTTYPE_AQ:
+		CHECK(putstr(dest, "AQ "));
+		break;
+	case DNS_DTTYPE_AR:
+		CHECK(putstr(dest, "AR "));
+		break;
+	case DNS_DTTYPE_CQ:
+		CHECK(putstr(dest, "CQ "));
+		break;
+	case DNS_DTTYPE_CR:
+		CHECK(putstr(dest, "CR "));
+		break;
+	case DNS_DTTYPE_FQ:
+		CHECK(putstr(dest, "FQ "));
+		break;
+	case DNS_DTTYPE_FR:
+		CHECK(putstr(dest, "FR "));
+		break;
+	case DNS_DTTYPE_RQ:
+		CHECK(putstr(dest, "RQ "));
+		break;
+	case DNS_DTTYPE_RR:
+		CHECK(putstr(dest, "RR "));
+		break;
+	case DNS_DTTYPE_SQ:
+		CHECK(putstr(dest, "SQ "));
+		break;
+	case DNS_DTTYPE_SR:
+		CHECK(putstr(dest, "SR "));
+		break;
+	case DNS_DTTYPE_TQ:
+		CHECK(putstr(dest, "TQ "));
+		break;
+	case DNS_DTTYPE_TR:
+		CHECK(putstr(dest, "TR "));
+		break;
+	default:
+		return (DNS_R_BADDNSTAP);
+	}
+
+	/* Query and response addresses */
+	if (d->qaddr.length != 0) {
+		CHECK(putaddr(dest, &d->qaddr));
+		snprintf(buf, sizeof(buf), ":%u", d->qport);
+		CHECK(putstr(dest, buf));
+	} else {
+		CHECK(putstr(dest, "?"));
+	}
+	if ((d->type & DNS_DTTYPE_QUERY) != 0) {
+		CHECK(putstr(dest, " -> "));
+	} else {
+		CHECK(putstr(dest, " <- "));
+	}
+	if (d->raddr.length != 0) {
+		CHECK(putaddr(dest, &d->raddr));
+		snprintf(buf, sizeof(buf), ":%u", d->rport);
+		CHECK(putstr(dest, buf));
+	} else {
+		CHECK(putstr(dest, "?"));
+	}
+
+	CHECK(putstr(dest, " "));
+
+	/* Protocol */
+	if (d->tcp)
+		CHECK(putstr(dest, "TCP "));
+	else
+		CHECK(putstr(dest, "UDP "));
+
+	/* Message size */
+	if (d->msgdata.base != NULL) {
+		snprintf(buf, sizeof(buf), "%zub ", (size_t) d->msgdata.length);
+		CHECK(putstr(dest, buf));
+	} else
+		CHECK(putstr(dest, "0b "));
+
+	/* Query tuple */
+	if (d->namebuf[0] == '\0')
+		CHECK(putstr(dest, "?/"));
+	else {
+		CHECK(putstr(dest, d->namebuf));
+		CHECK(putstr(dest, "/"));
+	}
+
+	if (d->classbuf[0] == '\0')
+		CHECK(putstr(dest, "?/"));
+	else {
+		CHECK(putstr(dest, d->classbuf));
+		CHECK(putstr(dest, "/"));
+	}
+
+	if (d->typebuf[0] == '\0')
+		CHECK(putstr(dest, "?"));
+	else
+		CHECK(putstr(dest, d->typebuf));
+
+	CHECK(isc_buffer_reserve(dest, 1));
+	isc_buffer_putuint8(*dest, 0);
+
+ cleanup:
+	return (result);
+}
+
+void
+dns_dtdata_free(dns_dtdata_t **dp) {
+	dns_dtdata_t *d;
+
+	REQUIRE(dp != NULL && *dp != NULL);
+
+	d = *dp;
+
+	if (d->msg != NULL)
+		dns_message_destroy(&d->msg);
+	if (d->frame != NULL)
+		dnstap__dnstap__free_unpacked(d->frame, NULL);
+
+	isc_mem_putanddetach(&d->mctx, d, sizeof(*d));
+
+	*dp = NULL;
+}
diff --git a/lib/dns/dnstap.proto b/lib/dns/dnstap.proto
new file mode 100644
index 0000000..1ed1bb0
--- /dev/null
+++ b/lib/dns/dnstap.proto
@@ -0,0 +1,268 @@
+// dnstap: flexible, structured event replication format for DNS software
+//
+// This file contains the protobuf schemas for the "dnstap" structured event
+// replication format for DNS software.
+
+// Written in 2013-2014 by Farsight Security, Inc.
+//
+// To the extent possible under law, the author(s) have dedicated all
+// copyright and related and neighboring rights to this file to the public
+// domain worldwide. This file is distributed without any warranty.
+//
+// You should have received a copy of the CC0 Public Domain Dedication along
+// with this file. If not, see:
+//
+// <http://creativecommons.org/publicdomain/zero/1.0/>.
+
+package dnstap;
+
+// "Dnstap": this is the top-level dnstap type, which is a "union" type that
+// contains other kinds of dnstap payloads, although currently only one type
+// of dnstap payload is defined.
+// See: https://developers.google.com/protocol-buffers/docs/techniques#union
+message Dnstap {
+    // DNS server identity.
+    // If enabled, this is the identity string of the DNS server which generated
+    // this message. Typically this would be the same string as returned by an
+    // "NSID" (RFC 5001) query.
+    optional bytes      identity = 1;
+
+    // DNS server version.
+    // If enabled, this is the version string of the DNS server which generated
+    // this message. Typically this would be the same string as returned by a
+    // "version.bind" query.
+    optional bytes      version = 2;
+
+    // Extra data for this payload.
+    // This field can be used for adding an arbitrary byte-string annotation to
+    // the payload. No encoding or interpretation is applied or enforced.
+    optional bytes      extra = 3;
+
+    // Identifies which field below is filled in.
+    enum Type {
+        MESSAGE = 1;
+    }
+    required Type       type = 15;
+
+    // One of the following will be filled in.
+    optional Message    message = 14;
+}
+
+// SocketFamily: the network protocol family of a socket. This specifies how
+// to interpret "network address" fields.
+enum SocketFamily {
+    INET = 1;   // IPv4 (RFC 791)
+    INET6 = 2;  // IPv6 (RFC 2460)
+}
+
+// SocketProtocol: the transport protocol of a socket. This specifies how to
+// interpret "transport port" fields.
+enum SocketProtocol {
+    UDP = 1;    // User Datagram Protocol (RFC 768)
+    TCP = 2;    // Transmission Control Protocol (RFC 793)
+}
+
+// Message: a wire-format (RFC 1035 section 4) DNS message and associated
+// metadata. Applications generating "Message" payloads should follow
+// certain requirements based on the MessageType, see below.
+message Message {
+
+    // There are eight types of "Message" defined that correspond to the
+    // four arrows in the following diagram, slightly modified from RFC 1035
+    // section 2:
+
+    //    +---------+               +----------+           +--------+
+    //    |         |     query     |          |   query   |        |
+    //    | Stub    |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth.  |
+    //    | Resolver|               | Server   |           | Name   |
+    //    |         |<-SR--------CR-|          |<-RR----AR-| Server |
+    //    +---------+    response   |          |  response |        |
+    //                              +----------+           +--------+
+
+    // Each arrow has two Type values each, one for each "end" of each arrow,
+    // because these are considered to be distinct events. Each end of each
+    // arrow on the diagram above has been marked with a two-letter Type
+    // mnemonic. Clockwise from upper left, these mnemonic values are:
+    //
+    //   SQ:        STUB_QUERY
+    //   CQ:      CLIENT_QUERY
+    //   RQ:    RESOLVER_QUERY
+    //   AQ:        AUTH_QUERY
+    //   AR:        AUTH_RESPONSE
+    //   RR:    RESOLVER_RESPONSE
+    //   CR:      CLIENT_RESPONSE
+    //   SR:        STUB_RESPONSE
+
+    // Two additional types of "Message" have been defined for the
+    // "forwarding" case where an upstream DNS server is responsible for
+    // further recursion. These are not shown on the diagram above, but have
+    // the following mnemonic values:
+
+    //   FQ:   FORWARDER_QUERY
+    //   FR:   FORWARDER_RESPONSE
+
+    // The "Message" Type values are defined below.
+
+    enum Type {
+        // AUTH_QUERY is a DNS query message received from a resolver by an
+        // authoritative name server, from the perspective of the authorative
+        // name server.
+        AUTH_QUERY = 1;
+
+        // AUTH_RESPONSE is a DNS response message sent from an authoritative
+        // name server to a resolver, from the perspective of the authoritative
+        // name server.
+        AUTH_RESPONSE = 2;
+
+        // RESOLVER_QUERY is a DNS query message sent from a resolver to an
+        // authoritative name server, from the perspective of the resolver.
+        // Resolvers typically clear the RD (recursion desired) bit when
+        // sending queries.
+        RESOLVER_QUERY = 3;
+
+        // RESOLVER_RESPONSE is a DNS response message received from an
+        // authoritative name server by a resolver, from the perspective of
+        // the resolver.
+        RESOLVER_RESPONSE = 4;
+
+        // CLIENT_QUERY is a DNS query message sent from a client to a DNS
+        // server which is expected to perform further recursion, from the
+        // perspective of the DNS server. The client may be a stub resolver or
+        // forwarder or some other type of software which typically sets the RD
+        // (recursion desired) bit when querying the DNS server. The DNS server
+        // may be a simple forwarding proxy or it may be a full recursive
+        // resolver.
+        CLIENT_QUERY = 5;
+
+        // CLIENT_RESPONSE is a DNS response message sent from a DNS server to
+        // a client, from the perspective of the DNS server. The DNS server
+        // typically sets the RA (recursion available) bit when responding.
+        CLIENT_RESPONSE = 6;
+
+        // FORWARDER_QUERY is a DNS query message sent from a downstream DNS
+        // server to an upstream DNS server which is expected to perform
+        // further recursion, from the perspective of the downstream DNS
+        // server.
+        FORWARDER_QUERY = 7;
+
+        // FORWARDER_RESPONSE is a DNS response message sent from an upstream
+        // DNS server performing recursion to a downstream DNS server, from the
+        // perspective of the downstream DNS server.
+        FORWARDER_RESPONSE = 8;
+
+        // STUB_QUERY is a DNS query message sent from a stub resolver to a DNS
+        // server, from the perspective of the stub resolver.
+        STUB_QUERY = 9;
+
+        // STUB_RESPONSE is a DNS response message sent from a DNS server to a
+        // stub resolver, from the perspective of the stub resolver.
+        STUB_RESPONSE = 10;
+
+        // TOOL_QUERY is a DNS query message sent from a DNS software tool to a
+        // DNS server, from the perspective of the tool.
+        TOOL_QUERY = 11;
+
+        // TOOL_RESPONSE is a DNS response message received by a DNS software
+        // tool from a DNS server, from the perspective of the tool.
+        TOOL_RESPONSE = 12;
+    }
+
+    // One of the Type values described above.
+    required Type               type = 1;
+
+    // One of the SocketFamily values described above.
+    optional SocketFamily       socket_family = 2;
+
+    // One of the SocketProtocol values described above.
+    optional SocketProtocol     socket_protocol = 3;
+
+    // The network address of the message initiator.
+    // For SocketFamily INET, this field is 4 octets (IPv4 address).
+    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
+    optional bytes              query_address = 4;
+
+    // The network address of the message responder.
+    // For SocketFamily INET, this field is 4 octets (IPv4 address).
+    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
+    optional bytes              response_address = 5;
+
+    // The transport port of the message initiator.
+    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
+    optional uint32             query_port = 6;
+
+    // The transport port of the message responder.
+    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
+    optional uint32             response_port = 7;
+
+    // The time at which the DNS query message was sent or received, depending
+    // on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY.
+    // This is the number of seconds since the UNIX epoch.
+    optional uint64             query_time_sec = 8;
+
+    // The time at which the DNS query message was sent or received.
+    // This is the seconds fraction, expressed as a count of nanoseconds.
+    optional fixed32            query_time_nsec = 9;
+
+    // The initiator's original wire-format DNS query message, verbatim.
+    optional bytes              query_message = 10;
+
+    // The "zone" or "bailiwick" pertaining to the DNS query message.
+    // This is a wire-format DNS domain name.
+    optional bytes              query_zone = 11;
+
+    // The time at which the DNS response message was sent or received,
+    // depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or
+    // CLIENT_RESPONSE.
+    // This is the number of seconds since the UNIX epoch.
+    optional uint64             response_time_sec = 12;
+
+    // The time at which the DNS response message was sent or received.
+    // This is the seconds fraction, expressed as a count of nanoseconds.
+    optional fixed32            response_time_nsec = 13;
+
+    // The responder's original wire-format DNS response message, verbatim.
+    optional bytes              response_message = 14;
+}
+
+// All fields except for 'type' in the Message schema are optional.
+// It is recommended that at least the following fields be filled in for
+// particular types of Messages.
+
+// AUTH_QUERY:
+//      socket_family, socket_protocol
+//      query_address, query_port
+//      query_message
+//      query_time_sec, query_time_nsec
+
+// AUTH_RESPONSE:
+//      socket_family, socket_protocol
+//      query_address, query_port
+//      query_time_sec, query_time_nsec
+//      response_message
+//      response_time_sec, response_time_nsec
+
+// RESOLVER_QUERY:
+//      socket_family, socket_protocol
+//      query_message
+//      query_time_sec, query_time_nsec
+//      query_zone
+//      response_address, response_port
+
+// RESOLVER_RESPONSE:
+//      socket_family, socket_protocol
+//      query_time_sec, query_time_nsec
+//      query_zone
+//      response_address, response_port
+//      response_message
+//      response_time_sec, response_time_nsec
+
+// CLIENT_QUERY:
+//      socket_family, socket_protocol
+//      query_message
+//      query_time_sec, query_time_nsec
+
+// CLIENT_RESPONSE:
+//      socket_family, socket_protocol
+//      query_time_sec, query_time_nsec
+//      response_message
+//      response_time_sec, response_time_nsec
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
new file mode 100644
index 0000000..d1a507b
--- /dev/null
+++ b/lib/dns/ds.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/util.h>
+
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#include "dst_gost.h"
+#endif
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  unsigned int digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata)
+{
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	unsigned char digest[ISC_SHA384_DIGESTLENGTH];
+	isc_region_t r;
+	isc_buffer_t b;
+	dns_rdata_ds_t ds;
+	isc_sha1_t sha1;
+	isc_sha256_t sha256;
+	isc_sha384_t sha384;
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+	isc_gost_t gost;
+#endif
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->type == dns_rdatatype_dnskey);
+
+	if (!dst_ds_digest_supported(digest_type))
+		return (ISC_R_NOTIMPLEMENTED);
+
+	name = dns_fixedname_initname(&fname);
+	(void)dns_name_downcase(owner, name, NULL);
+
+	memset(buffer, 0, DNS_DS_BUFFERSIZE);
+	isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
+
+	switch (digest_type) {
+	case DNS_DSDIGEST_SHA1:
+		isc_sha1_init(&sha1);
+		dns_name_toregion(name, &r);
+		isc_sha1_update(&sha1, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha1_update(&sha1, r.base, r.length);
+		isc_sha1_final(&sha1, digest);
+		break;
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+#define RETERR(x) do {					\
+	isc_result_t ret = (x);				\
+	if (ret != ISC_R_SUCCESS) {			\
+		isc_gost_invalidate(&gost);		\
+		return (ret);				\
+	}						\
+} while (0)
+
+	case DNS_DSDIGEST_GOST:
+		RETERR(isc_gost_init(&gost));
+		dns_name_toregion(name, &r);
+		RETERR(isc_gost_update(&gost, r.base, r.length));
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		RETERR(isc_gost_update(&gost, r.base, r.length));
+		RETERR(isc_gost_final(&gost, digest));
+		break;
+#endif
+
+	case DNS_DSDIGEST_SHA384:
+		isc_sha384_init(&sha384);
+		dns_name_toregion(name, &r);
+		isc_sha384_update(&sha384, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha384_update(&sha384, r.base, r.length);
+		isc_sha384_final(digest, &sha384);
+		break;
+
+	case DNS_DSDIGEST_SHA256:
+	default:
+		isc_sha256_init(&sha256);
+		dns_name_toregion(name, &r);
+		isc_sha256_update(&sha256, r.base, r.length);
+		dns_rdata_toregion(key, &r);
+		INSIST(r.length >= 4);
+		isc_sha256_update(&sha256, r.base, r.length);
+		isc_sha256_final(digest, &sha256);
+		break;
+	}
+
+	ds.mctx = NULL;
+	ds.common.rdclass = key->rdclass;
+	ds.common.rdtype = dns_rdatatype_ds;
+	ds.algorithm = r.base[3];
+	ds.key_tag = dst_region_computeid(&r, ds.algorithm);
+	ds.digest_type = digest_type;
+	switch (digest_type) {
+	case DNS_DSDIGEST_SHA1:
+		ds.length = ISC_SHA1_DIGESTLENGTH;
+		break;
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+	case DNS_DSDIGEST_GOST:
+		ds.length = ISC_GOST_DIGESTLENGTH;
+		break;
+#endif
+
+	case DNS_DSDIGEST_SHA384:
+		ds.length = ISC_SHA384_DIGESTLENGTH;
+		break;
+
+	case DNS_DSDIGEST_SHA256:
+	default:
+		ds.length = ISC_SHA256_DIGESTLENGTH;
+		break;
+	}
+	ds.digest = digest;
+
+	return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
+				     &ds, &b));
+}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
new file mode 100644
index 0000000..97fee68
--- /dev/null
+++ b/lib/dns/dst_api.c
@@ -0,0 +1,2029 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/fsaccess.h>
+#include <isc/hmacsha.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/random.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+#include <isc/file.h>
+
+#include <pk11/site.h>
+
+#define DST_KEY_INTERNAL
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/ttl.h>
+#include <dns/types.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+static dst_func_t *dst_t_func[DST_MAX_ALGS];
+static isc_entropy_t *dst_entropy_pool = NULL;
+static unsigned int dst_entropy_flags = 0;
+
+static bool dst_initialized = false;
+
+void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+LIBDNS_EXTERNAL_DATA isc_mem_t *dst__memory_pool = NULL;
+
+/*
+ * Static functions.
+ */
+static dst_key_t *	get_key_struct(dns_name_t *name,
+				       unsigned int alg,
+				       unsigned int flags,
+				       unsigned int protocol,
+				       unsigned int bits,
+				       dns_rdataclass_t rdclass,
+				       dns_ttl_t ttl,
+				       isc_mem_t *mctx);
+static isc_result_t	write_public_key(const dst_key_t *key, int type,
+					 const char *directory);
+static isc_result_t	buildfilename(dns_name_t *name,
+				      dns_keytag_t id,
+				      unsigned int alg,
+				      unsigned int type,
+				      const char *directory,
+				      isc_buffer_t *out);
+static isc_result_t	computeid(dst_key_t *key);
+static isc_result_t	frombuffer(dns_name_t *name,
+				   unsigned int alg,
+				   unsigned int flags,
+				   unsigned int protocol,
+				   dns_rdataclass_t rdclass,
+				   isc_buffer_t *source,
+				   isc_mem_t *mctx,
+				   dst_key_t **keyp);
+
+static isc_result_t	algorithm_status(unsigned int alg);
+
+static isc_result_t	addsuffix(char *filename, int len,
+				  const char *dirname, const char *ofilename,
+				  const char *suffix);
+
+#define RETERR(x)				\
+	do {					\
+		result = (x);			\
+		if (result != ISC_R_SUCCESS)	\
+			goto out;		\
+	} while (0)
+
+#define CHECKALG(alg)				\
+	do {					\
+		isc_result_t _r;		\
+		_r = algorithm_status(alg);	\
+		if (_r != ISC_R_SUCCESS)	\
+			return (_r);		\
+	} while (0);				\
+
+#if defined(OPENSSL)
+static void *
+default_memalloc(void *arg, size_t size) {
+	UNUSED(arg);
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+	UNUSED(arg);
+	free(ptr);
+}
+#endif
+
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+	return (dst_lib_init2(mctx, ectx, NULL, eflags));
+}
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags) {
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(dst_initialized == false);
+
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
+	UNUSED(engine);
+#endif
+
+	dst__memory_pool = NULL;
+
+#if defined(OPENSSL)
+	UNUSED(mctx);
+	/*
+	 * When using --with-openssl, there seems to be no good way of not
+	 * leaking memory due to the openssl error handling mechanism.
+	 * Avoid assertions by using a local memory context and not checking
+	 * for leaks on exit.  Note: as there are leaks we cannot use
+	 * ISC_MEMFLAG_INTERNAL as it will free up memory still being used
+	 * by libcrypto.
+	 */
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &dst__memory_pool, 0);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_mem_setname(dst__memory_pool, "dst", NULL);
+#ifndef OPENSSL_LEAKS
+	isc_mem_setdestroycheck(dst__memory_pool, false);
+#endif
+#else /* OPENSSL */
+	isc_mem_attach(mctx, &dst__memory_pool);
+#endif /* OPENSSL */
+	if (ectx != NULL) {
+		isc_entropy_attach(ectx, &dst_entropy_pool);
+		dst_entropy_flags = eflags;
+	}
+
+	dst_result_register();
+
+	memset(dst_t_func, 0, sizeof(dst_t_func));
+#ifndef PK11_MD5_DISABLE
+	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+#endif
+	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
+	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
+	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
+	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
+	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
+#ifdef OPENSSL
+	RETERR(dst__openssl_init(engine));
+#ifndef PK11_MD5_DISABLE
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
+				    DST_ALG_RSAMD5));
+#endif
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
+				    DST_ALG_RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
+				    DST_ALG_NSEC3RSASHA1));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA256],
+				    DST_ALG_RSASHA256));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
+				    DST_ALG_RSASHA512));
+#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
+	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
+	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+#endif
+#ifndef PK11_DH_DISABLE
+	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#endif
+#ifdef HAVE_OPENSSL_GOST
+	RETERR(dst__opensslgost_init(&dst_t_func[DST_ALG_ECCGOST]));
+#endif
+#ifdef HAVE_OPENSSL_ECDSA
+	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#endif
+#ifdef HAVE_OPENSSL_ED25519
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_OPENSSL_ED448
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
+#elif PKCS11CRYPTO
+	RETERR(dst__pkcs11_init(mctx, engine));
+#ifndef PK11_MD5_DISABLE
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+#endif
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
+	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
+#ifndef PK11_DSA_DISABLE
+	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
+	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
+#endif
+#ifndef PK11_DH_DISABLE
+	RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
+#endif
+#ifdef HAVE_PKCS11_ECDSA
+	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
+	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+#endif
+#ifdef HAVE_PKCS11_ED25519
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_PKCS11_ED448
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
+#ifdef HAVE_PKCS11_GOST
+	RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
+#endif
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
+#ifdef GSSAPI
+	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
+#endif
+	dst_initialized = true;
+	return (ISC_R_SUCCESS);
+
+ out:
+	/* avoid immediate crash! */
+	dst_initialized = true;
+	dst_lib_destroy();
+	return (result);
+}
+
+void
+dst_lib_destroy(void) {
+	int i;
+	RUNTIME_CHECK(dst_initialized == true);
+	dst_initialized = false;
+
+	for (i = 0; i < DST_MAX_ALGS; i++)
+		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
+			dst_t_func[i]->cleanup();
+#ifdef OPENSSL
+	dst__openssl_destroy();
+#elif PKCS11CRYPTO
+	(void) dst__pkcs11_destroy();
+#endif /* if OPENSSL, elif PKCS11CRYPTO */
+	if (dst__memory_pool != NULL)
+		isc_mem_detach(&dst__memory_pool);
+	if (dst_entropy_pool != NULL)
+		isc_entropy_detach(&dst_entropy_pool);
+}
+
+bool
+dst_algorithm_supported(unsigned int alg) {
+	REQUIRE(dst_initialized == true);
+
+	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
+		return (false);
+	return (true);
+}
+
+bool
+dst_ds_digest_supported(unsigned int digest_type) {
+	return  (digest_type == DNS_DSDIGEST_SHA1 ||
+		 digest_type == DNS_DSDIGEST_SHA256 ||
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+		 digest_type == DNS_DSDIGEST_GOST ||
+#endif
+		 digest_type == DNS_DSDIGEST_SHA384);
+}
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
+	return (dst_context_create4(key, mctx, DNS_LOGCATEGORY_GENERAL,
+				    true, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, dst_context_t **dctxp)
+{
+	return (dst_context_create4(key, mctx, category, true, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, bool useforsigning,
+		    dst_context_t **dctxp)
+{
+	return (dst_context_create4(key, mctx, category,
+				    useforsigning, 0, dctxp));
+}
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, bool useforsigning,
+		    int maxbits, dst_context_t **dctxp)
+{
+	dst_context_t *dctx;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(mctx != NULL);
+	REQUIRE(dctxp != NULL && *dctxp == NULL);
+
+	if (key->func->createctx == NULL &&
+	    key->func->createctx2 == NULL)
+		return (DST_R_UNSUPPORTEDALG);
+	if (key->keydata.generic == NULL)
+		return (DST_R_NULLKEY);
+
+	dctx = isc_mem_get(mctx, sizeof(dst_context_t));
+	if (dctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(dctx, 0, sizeof(*dctx));
+	dst_key_attach(key, &dctx->key);
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->category = category;
+	if (useforsigning)
+		dctx->use = DO_SIGN;
+	else
+		dctx->use = DO_VERIFY;
+	if (key->func->createctx2 != NULL)
+		result = key->func->createctx2(key, maxbits, dctx);
+	else
+		result = key->func->createctx(key, dctx);
+	if (result != ISC_R_SUCCESS) {
+		if (dctx->key != NULL)
+			dst_key_free(&dctx->key);
+		isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
+		return (result);
+	}
+	dctx->magic = CTX_MAGIC;
+	*dctxp = dctx;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_context_destroy(dst_context_t **dctxp) {
+	dst_context_t *dctx;
+
+	REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
+
+	dctx = *dctxp;
+	INSIST(dctx->key->func->destroyctx != NULL);
+	dctx->key->func->destroyctx(dctx);
+	if (dctx->key != NULL)
+		dst_key_free(&dctx->key);
+	dctx->magic = 0;
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
+	*dctxp = NULL;
+}
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(data != NULL);
+	INSIST(dctx->key->func->adddata != NULL);
+
+	return (dctx->key->func->adddata(dctx, data));
+}
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key;
+
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	key = dctx->key;
+	CHECKALG(key->key_alg);
+	if (key->keydata.generic == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->func->sign == NULL)
+		return (DST_R_NOTPRIVATEKEY);
+	if (key->func->isprivate == NULL ||
+	    key->func->isprivate(key) == false)
+		return (DST_R_NOTPRIVATEKEY);
+
+	return (key->func->sign(dctx, sig));
+}
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	CHECKALG(dctx->key->key_alg);
+	if (dctx->key->keydata.generic == NULL)
+		return (DST_R_NULLKEY);
+	if (dctx->key->func->verify == NULL)
+		return (DST_R_NOTPUBLICKEY);
+
+	return (dctx->key->func->verify(dctx, sig));
+}
+
+isc_result_t
+dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
+		    isc_region_t *sig)
+{
+	REQUIRE(VALID_CTX(dctx));
+	REQUIRE(sig != NULL);
+
+	CHECKALG(dctx->key->key_alg);
+	if (dctx->key->keydata.generic == NULL)
+		return (DST_R_NULLKEY);
+	if (dctx->key->func->verify == NULL &&
+	    dctx->key->func->verify2 == NULL)
+		return (DST_R_NOTPUBLICKEY);
+
+	return (dctx->key->func->verify2 != NULL ?
+		dctx->key->func->verify2(dctx, maxbits, sig) :
+		dctx->key->func->verify(dctx, sig));
+}
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		      isc_buffer_t *secret)
+{
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
+	REQUIRE(secret != NULL);
+
+	CHECKALG(pub->key_alg);
+	CHECKALG(priv->key_alg);
+
+	if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
+		return (DST_R_NULLKEY);
+
+	if (pub->key_alg != priv->key_alg ||
+	    pub->func->computesecret == NULL ||
+	    priv->func->computesecret == NULL)
+		return (DST_R_KEYCANNOTCOMPUTESECRET);
+
+	if (dst_key_isprivate(priv) == false)
+		return (DST_R_NOTPRIVATEKEY);
+
+	return (pub->func->computesecret(pub, priv, secret));
+}
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->tofile == NULL)
+		return (DST_R_UNSUPPORTEDALG);
+
+	if (type & DST_TYPE_PUBLIC) {
+		ret = write_public_key(key, type, directory);
+		if (ret != ISC_R_SUCCESS)
+			return (ret);
+	}
+
+	if ((type & DST_TYPE_PRIVATE) &&
+	    (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
+		return (key->func->tofile(key, directory));
+	else
+		return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setexternal(dst_key_t *key, bool value) {
+	key->external = value;
+}
+
+bool
+dst_key_isexternal(dst_key_t *key) {
+	return (key->external);
+}
+
+isc_result_t
+dst_key_getfilename(dns_name_t *name, dns_keytag_t id,
+		    unsigned int alg, int type, const char *directory,
+		    isc_mem_t *mctx, isc_buffer_t *buf)
+{
+	isc_result_t result;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(buf != NULL);
+
+	CHECKALG(alg);
+
+	result = buildfilename(name, id, alg, type, directory, buf);
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(buf) > 0)
+			isc_buffer_putuint8(buf, 0);
+		else
+			result = ISC_R_NOSPACE;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
+		 unsigned int alg, int type, const char *directory,
+		 isc_mem_t *mctx, dst_key_t **keyp)
+{
+	isc_result_t result;
+	char filename[ISC_DIR_NAMEMAX];
+	isc_buffer_t buf;
+	dst_key_t *key;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	CHECKALG(alg);
+
+	key = NULL;
+
+	isc_buffer_init(&buf, filename, ISC_DIR_NAMEMAX);
+	result = dst_key_getfilename(name, id, alg, type, NULL, mctx, &buf);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	result = dst_key_fromnamedfile(filename, directory, type, mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
+	    alg != key->key_alg) {
+		result = DST_R_INVALIDPRIVATEKEY;
+		goto out;
+	}
+
+	*keyp = key;
+	result = ISC_R_SUCCESS;
+
+ out:
+	if ((key != NULL) && (result != ISC_R_SUCCESS))
+		dst_key_free(&key);
+
+	return (result);
+}
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, const char *dirname,
+		      int type, isc_mem_t *mctx, dst_key_t **keyp)
+{
+	isc_result_t result;
+	dst_key_t *pubkey = NULL, *key = NULL;
+	char *newfilename = NULL;
+	int newfilenamelen = 0;
+	isc_lex_t *lex = NULL;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(filename != NULL);
+	REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	/* If an absolute path is specified, don't use the key directory */
+#ifndef WIN32
+	if (filename[0] == '/')
+		dirname = NULL;
+#else /* WIN32 */
+	if (filename[0] == '/' || filename[0] == '\\')
+		dirname = NULL;
+#endif
+
+	newfilenamelen = strlen(filename) + 5;
+	if (dirname != NULL)
+		newfilenamelen += strlen(dirname) + 1;
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	if (newfilename == NULL)
+		return (ISC_R_NOMEMORY);
+	result = addsuffix(newfilename, newfilenamelen,
+			   dirname, filename, ".key");
+	INSIST(result == ISC_R_SUCCESS);
+
+	result = dst_key_read_public(newfilename, type, mctx, &pubkey);
+	isc_mem_put(mctx, newfilename, newfilenamelen);
+	newfilename = NULL;
+	RETERR(result);
+
+	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
+	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		result = computeid(pubkey);
+		if (result != ISC_R_SUCCESS) {
+			dst_key_free(&pubkey);
+			return (result);
+		}
+
+		*keyp = pubkey;
+		return (ISC_R_SUCCESS);
+	}
+
+	result = algorithm_status(pubkey->key_alg);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&pubkey);
+		return (result);
+	}
+
+	key = get_key_struct(pubkey->key_name, pubkey->key_alg,
+			     pubkey->key_flags, pubkey->key_proto, 0,
+			     pubkey->key_class, pubkey->key_ttl, mctx);
+	if (key == NULL) {
+		dst_key_free(&pubkey);
+		return (ISC_R_NOMEMORY);
+	}
+
+	if (key->func->parse == NULL)
+		RETERR(DST_R_UNSUPPORTEDALG);
+
+	newfilenamelen = strlen(filename) + 9;
+	if (dirname != NULL)
+		newfilenamelen += strlen(dirname) + 1;
+	newfilename = isc_mem_get(mctx, newfilenamelen);
+	if (newfilename == NULL)
+		RETERR(ISC_R_NOMEMORY);
+	result = addsuffix(newfilename, newfilenamelen,
+			   dirname, filename, ".private");
+	INSIST(result == ISC_R_SUCCESS);
+
+	RETERR(isc_lex_create(mctx, 1500, &lex));
+	RETERR(isc_lex_openfile(lex, newfilename));
+	isc_mem_put(mctx, newfilename, newfilenamelen);
+
+	RETERR(key->func->parse(key, lex, pubkey));
+	isc_lex_destroy(&lex);
+
+	RETERR(computeid(key));
+
+	if (pubkey->key_id != key->key_id)
+		RETERR(DST_R_INVALIDPRIVATEKEY);
+	dst_key_free(&pubkey);
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+
+ out:
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
+	if (newfilename != NULL)
+		isc_mem_put(mctx, newfilename, newfilenamelen);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	if (key != NULL)
+		dst_key_free(&key);
+	return (result);
+}
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(target != NULL);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->todns == NULL)
+		return (DST_R_UNSUPPORTEDALG);
+
+	if (isc_buffer_availablelength(target) < 4)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putuint16(target, (uint16_t)(key->key_flags & 0xffff));
+	isc_buffer_putuint8(target, (uint8_t)key->key_proto);
+	isc_buffer_putuint8(target, (uint8_t)key->key_alg);
+
+	if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
+		if (isc_buffer_availablelength(target) < 2)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint16(target,
+				     (uint16_t)((key->key_flags >> 16)
+						    & 0xffff));
+	}
+
+	if (key->keydata.generic == NULL) /*%< NULL KEY */
+		return (ISC_R_SUCCESS);
+
+	return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
+		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+	uint8_t alg, proto;
+	uint32_t flags, extflags;
+	dst_key_t *key = NULL;
+	dns_keytag_t id, rid;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+
+	isc_buffer_remainingregion(source, &r);
+
+	if (isc_buffer_remaininglength(source) < 4)
+		return (DST_R_INVALIDPUBLICKEY);
+	flags = isc_buffer_getuint16(source);
+	proto = isc_buffer_getuint8(source);
+	alg = isc_buffer_getuint8(source);
+
+	id = dst_region_computeid(&r, alg);
+	rid = dst_region_computerid(&r, alg);
+
+	if (flags & DNS_KEYFLAG_EXTENDED) {
+		if (isc_buffer_remaininglength(source) < 2)
+			return (DST_R_INVALIDPUBLICKEY);
+		extflags = isc_buffer_getuint16(source);
+		flags |= (extflags << 16);
+	}
+
+	result = frombuffer(name, alg, flags, proto, rdclass, source,
+			    mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	key->key_id = id;
+	key->key_rid = rid;
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_frombuffer(dns_name_t *name, unsigned int alg,
+		   unsigned int flags, unsigned int protocol,
+		   dns_rdataclass_t rdclass,
+		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+	dst_key_t *key = NULL;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized);
+
+	result = frombuffer(name, alg, flags, protocol, rdclass, source,
+			    mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(target != NULL);
+
+	CHECKALG(key->key_alg);
+
+	if (key->func->todns == NULL)
+		return (DST_R_UNSUPPORTEDALG);
+
+	return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
+	isc_lex_t *lex = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(!dst_key_isprivate(key));
+	REQUIRE(buffer != NULL);
+
+	if (key->func->parse == NULL)
+		RETERR(DST_R_UNSUPPORTEDALG);
+
+	RETERR(isc_lex_create(key->mctx, 1500, &lex));
+	RETERR(isc_lex_openbuffer(lex, buffer));
+	RETERR(key->func->parse(key, lex, NULL));
+ out:
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	return (result);
+}
+
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key)
+{
+	REQUIRE(key != NULL);
+
+	return (key->keydata.gssctx);
+}
+
+isc_result_t
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
+		   dst_key_t **keyp, isc_region_t *intoken)
+{
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(gssctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
+			     0, dns_rdataclass_in, 0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (intoken != NULL) {
+		/*
+		 * Keep the token for use by external ssu rules. They may need
+		 * to examine the PAC in the kerberos ticket.
+		 */
+		RETERR(isc_buffer_allocate(key->mctx, &key->key_tkeytoken,
+		       intoken->length));
+		RETERR(isc_buffer_copyregion(key->key_tkeytoken, intoken));
+	}
+
+	key->keydata.gssctx = gssctx;
+	*keyp = key;
+	result = ISC_R_SUCCESS;
+out:
+	return result;
+}
+
+isc_result_t
+dst_key_buildinternal(dns_name_t *name, unsigned int alg,
+		      unsigned int bits, unsigned int flags,
+		      unsigned int protocol, dns_rdataclass_t rdclass,
+		      void *data, isc_mem_t *mctx, dst_key_t **keyp)
+{
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+	REQUIRE(data != NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, bits, rdclass,
+			     0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	key->keydata.generic = data;
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp)
+{
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+	REQUIRE(label != NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->func->fromlabel == NULL) {
+		dst_key_free(&key);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	result = key->func->fromlabel(key, engine, label, pin);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_generate(dns_name_t *name, unsigned int alg,
+		 unsigned int bits, unsigned int param,
+		 unsigned int flags, unsigned int protocol,
+		 dns_rdataclass_t rdclass,
+		 isc_mem_t *mctx, dst_key_t **keyp)
+{
+	return (dst_key_generate2(name, alg, bits, param, flags, protocol,
+				  rdclass, mctx, keyp, NULL));
+}
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+		  unsigned int bits, unsigned int param,
+		  unsigned int flags, unsigned int protocol,
+		  dns_rdataclass_t rdclass,
+		  isc_mem_t *mctx, dst_key_t **keyp,
+		  void (*callback)(int))
+{
+	dst_key_t *key;
+	isc_result_t ret;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, bits,
+			     rdclass, 0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (bits == 0) { /*%< NULL KEY */
+		key->key_flags |= DNS_KEYTYPE_NOKEY;
+		*keyp = key;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (key->func->generate == NULL) {
+		dst_key_free(&key);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	ret = key->func->generate(key, param, callback);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (ret);
+	}
+
+	ret = computeid(key);
+	if (ret != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (ret);
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, uint32_t *valuep)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(valuep != NULL);
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	if (!key->numset[type])
+		return (ISC_R_NOTFOUND);
+	*valuep = key->nums[type];
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setnum(dst_key_t *key, int type, uint32_t value)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->nums[type] = value;
+	key->numset[type] = true;
+}
+
+void
+dst_key_unsetnum(dst_key_t *key, int type)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->numset[type] = false;
+}
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(timep != NULL);
+	REQUIRE(type <= DST_MAX_TIMES);
+	if (!key->timeset[type])
+		return (ISC_R_NOTFOUND);
+	*timep = key->times[type];
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_TIMES);
+	key->times[type] = when;
+	key->timeset[type] = true;
+}
+
+void
+dst_key_unsettime(dst_key_t *key, int type) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_TIMES);
+	key->timeset[type] = false;
+}
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp) {
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(majorp != NULL);
+	REQUIRE(minorp != NULL);
+	*majorp = key->fmt_major;
+	*minorp = key->fmt_minor;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor) {
+	REQUIRE(VALID_KEY(key));
+	key->fmt_major = major;
+	key->fmt_minor = minor;
+}
+
+static bool
+comparekeys(const dst_key_t *key1, const dst_key_t *key2,
+	    bool match_revoked_key,
+	    bool (*compare)(const dst_key_t *key1,
+				     const dst_key_t *key2))
+{
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key1));
+	REQUIRE(VALID_KEY(key2));
+
+	if (key1 == key2)
+		return (true);
+
+	if (key1->key_alg != key2->key_alg)
+		return (false);
+
+	if (key1->key_id != key2->key_id) {
+		if (!match_revoked_key)
+			return (false);
+#ifndef PK11_MD5_DISABLE
+		if (key1->key_alg == DST_ALG_RSAMD5)
+			return (false);
+#endif
+		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
+		    (key2->key_flags & DNS_KEYFLAG_REVOKE))
+			return (false);
+		if (key1->key_id != key2->key_rid &&
+		    key1->key_rid != key2->key_id)
+			return (false);
+	}
+
+	if (compare != NULL)
+		return (compare(key1, key2));
+	else
+		return (false);
+}
+
+
+/*
+ * Compares only the public portion of two keys, by converting them
+ * both to wire format and comparing the results.
+ */
+static bool
+pub_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	isc_result_t result;
+	unsigned char buf1[DST_KEY_MAXSIZE], buf2[DST_KEY_MAXSIZE];
+	isc_buffer_t b1, b2;
+	isc_region_t r1, r2;
+
+	isc_buffer_init(&b1, buf1, sizeof(buf1));
+	result = dst_key_todns(key1, &b1);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+	/* Zero out flags. */
+	buf1[0] = buf1[1] = 0;
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b1, 2);
+
+	isc_buffer_init(&b2, buf2, sizeof(buf2));
+	result = dst_key_todns(key2, &b2);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+	/* Zero out flags. */
+	buf2[0] = buf2[1] = 0;
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0)
+		isc_buffer_subtract(&b2, 2);
+
+	isc_buffer_usedregion(&b1, &r1);
+	/* Remove extended flags. */
+	if ((key1->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf1[4], &buf1[6], r1.length - 6);
+		r1.length -= 2;
+	}
+
+	isc_buffer_usedregion(&b2, &r2);
+	/* Remove extended flags. */
+	if ((key2->key_flags & DNS_KEYFLAG_EXTENDED) != 0) {
+		memmove(&buf2[4], &buf2[6], r2.length - 6);
+		r2.length -= 2;
+	}
+	return (isc_region_compare(&r1, &r2) == 0);
+}
+
+bool
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	return (comparekeys(key1, key2, false, key1->func->compare));
+}
+
+bool
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   bool match_revoked_key)
+{
+	return (comparekeys(key1, key2, match_revoked_key, pub_compare));
+}
+
+
+bool
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key1));
+	REQUIRE(VALID_KEY(key2));
+
+	if (key1 == key2)
+		return (true);
+	if (key1->key_alg == key2->key_alg &&
+	    key1->func->paramcompare != NULL &&
+	    key1->func->paramcompare(key1, key2) == true)
+		return (true);
+	else
+		return (false);
+}
+
+void
+dst_key_attach(dst_key_t *source, dst_key_t **target) {
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(VALID_KEY(source));
+
+	isc_refcount_increment(&source->refs, NULL);
+	*target = source;
+}
+
+void
+dst_key_free(dst_key_t **keyp) {
+	isc_mem_t *mctx;
+	dst_key_t *key;
+	unsigned int refs;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(keyp != NULL && VALID_KEY(*keyp));
+
+	key = *keyp;
+	mctx = key->mctx;
+
+	isc_refcount_decrement(&key->refs, &refs);
+	if (refs != 0)
+		return;
+
+	isc_refcount_destroy(&key->refs);
+	if (key->keydata.generic != NULL) {
+		INSIST(key->func->destroy != NULL);
+		key->func->destroy(key);
+	}
+	if (key->engine != NULL)
+		isc_mem_free(mctx, key->engine);
+	if (key->label != NULL)
+		isc_mem_free(mctx, key->label);
+	dns_name_free(key->key_name, mctx);
+	isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+	if (key->key_tkeytoken) {
+		isc_buffer_free(&key->key_tkeytoken);
+	}
+	isc_safe_memwipe(key, sizeof(*key));
+	isc_mem_putanddetach(&mctx, key, sizeof(*key));
+	*keyp = NULL;
+}
+
+bool
+dst_key_isprivate(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	INSIST(key->func->isprivate != NULL);
+	return (key->func->isprivate(key));
+}
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type,
+		      const char *directory, isc_buffer_t *out) {
+
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
+		type == 0);
+
+	return (buildfilename(key->key_name, key->key_id, key->key_alg,
+			      type, directory, out));
+}
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(n != NULL);
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		*n = (key->key_size + 7) / 8;
+		break;
+#ifndef PK11_DSA_DISABLE
+	case DST_ALG_DSA:
+	case DST_ALG_NSEC3DSA:
+		*n = DNS_SIG_DSASIGSIZE;
+		break;
+#endif
+	case DST_ALG_ECCGOST:
+		*n = DNS_SIG_GOSTSIGSIZE;
+		break;
+	case DST_ALG_ECDSA256:
+		*n = DNS_SIG_ECDSA256SIZE;
+		break;
+	case DST_ALG_ECDSA384:
+		*n = DNS_SIG_ECDSA384SIZE;
+		break;
+	case DST_ALG_ED25519:
+		*n = DNS_SIG_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		*n = DNS_SIG_ED448SIZE;
+		break;
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_HMACMD5:
+		*n = 16;
+		break;
+#endif
+	case DST_ALG_HMACSHA1:
+		*n = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA224:
+		*n = ISC_SHA224_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA256:
+		*n = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA384:
+		*n = ISC_SHA384_DIGESTLENGTH;
+		break;
+	case DST_ALG_HMACSHA512:
+		*n = ISC_SHA512_DIGESTLENGTH;
+		break;
+	case DST_ALG_GSSAPI:
+		*n = 128; /*%< XXX */
+		break;
+#ifndef PK11_DH_DISABLE
+	case DST_ALG_DH:
+#endif
+	default:
+		return (DST_R_UNSUPPORTEDALG);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(n != NULL);
+
+#ifndef PK11_DH_DISABLE
+	if (key->key_alg == DST_ALG_DH)
+		*n = (key->key_size + 7) / 8;
+	else
+#endif
+		return (DST_R_UNSUPPORTEDALG);
+#ifndef PK11_DH_DISABLE
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+/*%
+ * Set the flags on a key, then recompute the key ID
+ */
+isc_result_t
+dst_key_setflags(dst_key_t *key, uint32_t flags) {
+	REQUIRE(VALID_KEY(key));
+	key->key_flags = flags;
+	return (computeid(key));
+}
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size) {
+	char namestr[DNS_NAME_FORMATSIZE];
+	char algstr[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+	dns_secalg_format((dns_secalg_t) dst_key_alg(key), algstr,
+			  sizeof(algstr));
+	snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
+}
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+
+	REQUIRE(buffer != NULL && *buffer == NULL);
+	REQUIRE(length != NULL && *length == 0);
+	REQUIRE(VALID_KEY(key));
+
+	if (key->func->dump == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return (key->func->dump(key, mctx, buffer, length));
+}
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+		unsigned int protocol, dns_rdataclass_t rdclass,
+		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp)
+{
+	isc_result_t result;
+	dst_key_t *key;
+
+	REQUIRE(dst_initialized == true);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
+		return (DST_R_UNSUPPORTEDALG);
+
+	if (dst_t_func[alg]->restore == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = (dst_t_func[alg]->restore)(key, keystr);
+	if (result == ISC_R_SUCCESS)
+		*keyp = key;
+	else
+		dst_key_free(&key);
+
+	return (result);
+}
+
+/***
+ *** Static methods
+ ***/
+
+/*%
+ * Allocates a key structure and fills in some of the fields.
+ */
+static dst_key_t *
+get_key_struct(dns_name_t *name, unsigned int alg,
+	       unsigned int flags, unsigned int protocol,
+	       unsigned int bits, dns_rdataclass_t rdclass,
+	       dns_ttl_t ttl, isc_mem_t *mctx)
+{
+	dst_key_t *key;
+	isc_result_t result;
+	int i;
+
+	key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
+	if (key == NULL)
+		return (NULL);
+
+	memset(key, 0, sizeof(dst_key_t));
+
+	key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
+	if (key->key_name == NULL) {
+		isc_mem_put(mctx, key, sizeof(dst_key_t));
+		return (NULL);
+	}
+
+	dns_name_init(key->key_name, NULL);
+	result = dns_name_dup(name, mctx, key->key_name);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+		isc_mem_put(mctx, key, sizeof(dst_key_t));
+		return (NULL);
+	}
+
+	result = isc_refcount_init(&key->refs, 1);
+	if (result != ISC_R_SUCCESS) {
+		dns_name_free(key->key_name, mctx);
+		isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+		isc_mem_put(mctx, key, sizeof(dst_key_t));
+		return (NULL);
+	}
+	isc_mem_attach(mctx, &key->mctx);
+	key->key_alg = alg;
+	key->key_flags = flags;
+	key->key_proto = protocol;
+	key->keydata.generic = NULL;
+	key->key_size = bits;
+	key->key_class = rdclass;
+	key->key_ttl = ttl;
+	key->func = dst_t_func[alg];
+	key->fmt_major = 0;
+	key->fmt_minor = 0;
+	for (i = 0; i < (DST_MAX_TIMES + 1); i++) {
+		key->times[i] = 0;
+		key->timeset[i] = false;
+	}
+	key->inactive = false;
+	key->magic = KEY_MAGIC;
+	return (key);
+}
+
+bool
+dst_key_inactive(const dst_key_t *key) {
+
+	REQUIRE(VALID_KEY(key));
+
+	return (key->inactive);
+}
+
+void
+dst_key_setinactive(dst_key_t *key, bool inactive) {
+
+	REQUIRE(VALID_KEY(key));
+
+	key->inactive = inactive;
+}
+
+/*%
+ * Reads a public key from disk
+ */
+isc_result_t
+dst_key_read_public(const char *filename, int type,
+		    isc_mem_t *mctx, dst_key_t **keyp)
+{
+	u_char rdatabuf[DST_KEY_MAXSIZE];
+	isc_buffer_t b;
+	dns_fixedname_t name;
+	isc_lex_t *lex = NULL;
+	isc_token_t token;
+	isc_result_t ret;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
+	dns_rdataclass_t rdclass = dns_rdataclass_in;
+	isc_lexspecials_t specials;
+	uint32_t ttl = 0;
+	isc_result_t result;
+	dns_rdatatype_t keytype;
+
+	/*
+	 * Open the file and read its formatted contents
+	 * File format:
+	 *    domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
+	 */
+
+	/* 1500 should be large enough for any key */
+	ret = isc_lex_create(mctx, 1500, &lex);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+
+	memset(specials, 0, sizeof(specials));
+	specials['('] = 1;
+	specials[')'] = 1;
+	specials['"'] = 1;
+	isc_lex_setspecials(lex, specials);
+	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+	ret = isc_lex_openfile(lex, filename);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+
+#define NEXTTOKEN(lex, opt, token) { \
+	ret = isc_lex_gettoken(lex, opt, token); \
+	if (ret != ISC_R_SUCCESS) \
+		goto cleanup; \
+	}
+
+#define BADTOKEN() { \
+	ret = ISC_R_UNEXPECTEDTOKEN; \
+	goto cleanup; \
+	}
+
+	/* Read the domain name */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string)
+		BADTOKEN();
+
+	/*
+	 * We don't support "@" in .key files.
+	 */
+	if (!strcmp(DST_AS_STR(token), "@"))
+		BADTOKEN();
+
+	dns_fixedname_init(&name);
+	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
+	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
+	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
+				0, NULL);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* Read the next word: either TTL, class, or 'KEY' */
+	NEXTTOKEN(lex, opt, &token);
+
+	if (token.type != isc_tokentype_string)
+		BADTOKEN();
+
+	/* If it's a TTL, read the next one */
+	result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
+	if (result == ISC_R_SUCCESS)
+		NEXTTOKEN(lex, opt, &token);
+
+	if (token.type != isc_tokentype_string)
+		BADTOKEN();
+
+	ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
+	if (ret == ISC_R_SUCCESS)
+		NEXTTOKEN(lex, opt, &token);
+
+	if (token.type != isc_tokentype_string)
+		BADTOKEN();
+
+	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
+		keytype = dns_rdatatype_dnskey;
+	else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
+		keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
+	else
+		BADTOKEN();
+
+	if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
+	    ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
+		ret = DST_R_BADKEYTYPE;
+		goto cleanup;
+	}
+
+	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
+	ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
+				 false, mctx, &b, NULL);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+
+	ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
+			      keyp);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dst_key_setttl(*keyp, ttl);
+
+ cleanup:
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	return (ret);
+}
+
+static bool
+issymmetric(const dst_key_t *key) {
+	REQUIRE(dst_initialized == true);
+	REQUIRE(VALID_KEY(key));
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+#ifndef PK11_DSA_DISABLE
+	case DST_ALG_DSA:
+	case DST_ALG_NSEC3DSA:
+#endif
+#ifndef PK11_DH_DISABLE
+	case DST_ALG_DH:
+#endif
+	case DST_ALG_ECCGOST:
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		return (false);
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_HMACMD5:
+#endif
+	case DST_ALG_HMACSHA1:
+	case DST_ALG_HMACSHA224:
+	case DST_ALG_HMACSHA256:
+	case DST_ALG_HMACSHA384:
+	case DST_ALG_HMACSHA512:
+	case DST_ALG_GSSAPI:
+		return (true);
+	default:
+		return (false);
+	}
+}
+
+/*%
+ * Write key timing metadata to a file pointer, preceded by 'tag'
+ */
+static void
+printtime(const dst_key_t *key, int type, const char *tag, FILE *stream) {
+	isc_result_t result;
+#ifdef ISC_PLATFORM_USETHREADS
+	char output[26]; /* Minimum buffer as per ctime_r() specification. */
+#else
+	const char *output;
+#endif
+	isc_stdtime_t when;
+	time_t t;
+	char utc[sizeof("YYYYMMDDHHSSMM")];
+	isc_buffer_t b;
+	isc_region_t r;
+
+	result = dst_key_gettime(key, type, &when);
+	if (result == ISC_R_NOTFOUND)
+		return;
+
+	/* time_t and isc_stdtime_t might be different sizes */
+	t = when;
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef WIN32
+	if (ctime_s(output, sizeof(output), &t) != 0)
+		goto error;
+#else
+	if (ctime_r(&t, output) == NULL)
+		goto error;
+#endif
+#else
+	output = ctime(&t);
+#endif
+
+	isc_buffer_init(&b, utc, sizeof(utc));
+	result = dns_time32_totext(when, &b);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	isc_buffer_usedregion(&b, &r);
+	fprintf(stream, "%s: %.*s (%.*s)\n", tag, (int)r.length, r.base,
+		 (int)strlen(output) - 1, output);
+	return;
+
+ error:
+	fprintf(stream, "%s: (set, unable to display)\n", tag);
+}
+
+/*%
+ * Writes a public key to disk in DNS format.
+ */
+static isc_result_t
+write_public_key(const dst_key_t *key, int type, const char *directory) {
+	FILE *fp;
+	isc_buffer_t keyb, textb, fileb, classb;
+	isc_region_t r;
+	char filename[ISC_DIR_NAMEMAX];
+	unsigned char key_array[DST_KEY_MAXSIZE];
+	char text_array[DST_KEY_MAXTEXTSIZE];
+	char class_array[10];
+	isc_result_t ret;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_fsaccess_t access;
+
+	REQUIRE(VALID_KEY(key));
+
+	isc_buffer_init(&keyb, key_array, sizeof(key_array));
+	isc_buffer_init(&textb, text_array, sizeof(text_array));
+	isc_buffer_init(&classb, class_array, sizeof(class_array));
+
+	ret = dst_key_todns(key, &keyb);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_usedregion(&keyb, &r);
+	dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
+
+	ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
+	if (ret != ISC_R_SUCCESS)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	ret = dns_rdataclass_totext(key->key_class, &classb);
+	if (ret != ISC_R_SUCCESS)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	/*
+	 * Make the filename.
+	 */
+	isc_buffer_init(&fileb, filename, sizeof(filename));
+	ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	/*
+	 * Create public key file.
+	 */
+	if ((fp = fopen(filename, "w")) == NULL)
+		return (DST_R_WRITEERROR);
+
+	if (issymmetric(key)) {
+		access = 0;
+		isc_fsaccess_add(ISC_FSACCESS_OWNER,
+				 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+				 &access);
+		(void)isc_fsaccess_set(filename, access);
+	}
+
+	/* Write key information in comments */
+	if ((type & DST_TYPE_KEY) == 0) {
+		fprintf(fp, "; This is a %s%s-signing key, keyid %d, for ",
+			(key->key_flags & DNS_KEYFLAG_REVOKE) != 0 ?
+				"revoked " :
+				"",
+			(key->key_flags & DNS_KEYFLAG_KSK) != 0 ?
+				"key" :
+				"zone",
+			key->key_id);
+		ret = dns_name_print(key->key_name, fp);
+		if (ret != ISC_R_SUCCESS) {
+			fclose(fp);
+			return (ret);
+		}
+		fputc('\n', fp);
+
+		printtime(key, DST_TIME_CREATED, "; Created", fp);
+		printtime(key, DST_TIME_PUBLISH, "; Publish", fp);
+		printtime(key, DST_TIME_ACTIVATE, "; Activate", fp);
+		printtime(key, DST_TIME_REVOKE, "; Revoke", fp);
+		printtime(key, DST_TIME_INACTIVE, "; Inactive", fp);
+		printtime(key, DST_TIME_DELETE, "; Delete", fp);
+		printtime(key, DST_TIME_SYNCPUBLISH , "; SyncPublish", fp);
+		printtime(key, DST_TIME_SYNCDELETE , "; SyncDelete", fp);
+	}
+
+	/* Now print the actual key */
+	ret = dns_name_print(key->key_name, fp);
+	fprintf(fp, " ");
+
+	if (key->key_ttl != 0)
+		fprintf(fp, "%u ", key->key_ttl);
+
+	isc_buffer_usedregion(&classb, &r);
+	if ((unsigned) fwrite(r.base, 1, r.length, fp) != r.length)
+	       ret = DST_R_WRITEERROR;
+
+	if ((type & DST_TYPE_KEY) != 0)
+		fprintf(fp, " KEY ");
+	else
+		fprintf(fp, " DNSKEY ");
+
+	isc_buffer_usedregion(&textb, &r);
+	if ((unsigned) fwrite(r.base, 1, r.length, fp) != r.length)
+	       ret = DST_R_WRITEERROR;
+
+	fputc('\n', fp);
+	fflush(fp);
+	if (ferror(fp))
+		ret = DST_R_WRITEERROR;
+	fclose(fp);
+
+	return (ret);
+}
+
+static isc_result_t
+buildfilename(dns_name_t *name, dns_keytag_t id,
+	      unsigned int alg, unsigned int type,
+	      const char *directory, isc_buffer_t *out)
+{
+	const char *suffix = "";
+	unsigned int len;
+	isc_result_t result;
+
+	REQUIRE(out != NULL);
+	if ((type & DST_TYPE_PRIVATE) != 0)
+		suffix = ".private";
+	else if (type == DST_TYPE_PUBLIC)
+		suffix = ".key";
+	if (directory != NULL) {
+		if (isc_buffer_availablelength(out) < strlen(directory))
+			return (ISC_R_NOSPACE);
+		isc_buffer_putstr(out, directory);
+		if (strlen(directory) > 0U &&
+		    directory[strlen(directory) - 1] != '/')
+			isc_buffer_putstr(out, "/");
+	}
+	if (isc_buffer_availablelength(out) < 1)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putstr(out, "K");
+	result = dns_name_tofilenametext(name, false, out);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
+	if (isc_buffer_availablelength(out) < len)
+		return (ISC_R_NOSPACE);
+	snprintf((char *) isc_buffer_used(out),
+		 (int)isc_buffer_availablelength(out),
+		 "+%03d+%05d%s", alg, id, suffix);
+	isc_buffer_add(out, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+computeid(dst_key_t *key) {
+	isc_buffer_t dnsbuf;
+	unsigned char dns_array[DST_KEY_MAXSIZE];
+	isc_region_t r;
+	isc_result_t ret;
+
+	isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
+	ret = dst_key_todns(key, &dnsbuf);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_usedregion(&dnsbuf, &r);
+	key->key_id = dst_region_computeid(&r, key->key_alg);
+	key->key_rid = dst_region_computerid(&r, key->key_alg);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
+	   unsigned int protocol, dns_rdataclass_t rdclass,
+	   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+	dst_key_t *key;
+	isc_result_t ret;
+
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(source != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, 0, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (isc_buffer_remaininglength(source) > 0) {
+		ret = algorithm_status(alg);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
+		if (key->func->fromdns == NULL) {
+			dst_key_free(&key);
+			return (DST_R_UNSUPPORTEDALG);
+		}
+
+		ret = key->func->fromdns(key, source);
+		if (ret != ISC_R_SUCCESS) {
+			dst_key_free(&key);
+			return (ret);
+		}
+	}
+
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+algorithm_status(unsigned int alg) {
+	REQUIRE(dst_initialized == true);
+
+	if (dst_algorithm_supported(alg))
+		return (ISC_R_SUCCESS);
+#if !defined(OPENSSL) && !defined(PKCS11CRYPTO)
+	if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+	    alg == DST_ALG_DSA || alg == DST_ALG_DH ||
+	    alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
+	    alg == DST_ALG_NSEC3RSASHA1 ||
+	    alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
+	    alg == DST_ALG_ECCGOST ||
+	    alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384 ||
+	    alg == DST_ALG_ED25519 || alg == DST_ALG_ED448)
+		return (DST_R_NOCRYPTO);
+#endif
+	return (DST_R_UNSUPPORTEDALG);
+}
+
+static isc_result_t
+addsuffix(char *filename, int len, const char *odirname,
+	  const char *ofilename, const char *suffix)
+{
+	int olen = strlen(ofilename);
+	int n;
+
+	if (olen > 1 && ofilename[olen - 1] == '.')
+		olen -= 1;
+	else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
+		olen -= 8;
+	else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
+		olen -= 4;
+
+	if (odirname == NULL)
+		n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
+	else
+		n = snprintf(filename, len, "%s/%.*s%s",
+			     odirname, olen, ofilename, suffix);
+	if (n < 0)
+		return (ISC_R_FAILURE);
+	if (n >= len)
+		return (ISC_R_NOSPACE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst__entropy_getdata(void *buf, unsigned int len, bool pseudo) {
+	unsigned int flags = dst_entropy_flags;
+
+	if (dst_entropy_pool == NULL)
+		return (ISC_R_FAILURE);
+
+	if (len == 0)
+		return (ISC_R_SUCCESS);
+
+#ifdef PKCS11CRYPTO
+	UNUSED(pseudo);
+	UNUSED(flags);
+	return (pk11_rand_bytes(buf, len));
+#else /* PKCS11CRYPTO */
+	if (pseudo)
+		flags &= ~ISC_ENTROPY_GOODONLY;
+	else
+		flags |= ISC_ENTROPY_BLOCKING;
+	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+#endif /* PKCS11CRYPTO */
+}
+
+unsigned int
+dst__entropy_status(void) {
+#ifndef PKCS11CRYPTO
+#ifdef GSSAPI
+	unsigned int flags = dst_entropy_flags;
+	isc_result_t ret;
+	unsigned char buf[32];
+	static bool first = true;
+
+	if (dst_entropy_pool == NULL)
+		return (0);
+
+	if (first) {
+		/* Someone believes RAND_status() initializes the PRNG */
+		flags &= ~ISC_ENTROPY_GOODONLY;
+		ret = isc_entropy_getdata(dst_entropy_pool, buf,
+					  sizeof(buf), NULL, flags);
+		INSIST(ret == ISC_R_SUCCESS);
+		isc_entropy_putdata(dst_entropy_pool, buf,
+				    sizeof(buf), 2 * sizeof(buf));
+		first = false;
+	}
+#endif
+	return (isc_entropy_status(dst_entropy_pool));
+#else
+	return (0);
+#endif
+}
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_tkeytoken);
+}
diff --git a/lib/dns/dst_gost.h b/lib/dns/dst_gost.h
new file mode 100644
index 0000000..e42c6a1
--- /dev/null
+++ b/lib/dns/dst_gost.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_GOST_H
+#define DST_GOST_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <dst/result.h>
+
+#define ISC_GOST_DIGESTLENGTH 32U
+
+#ifdef HAVE_OPENSSL_GOST
+#include <openssl/evp.h>
+
+typedef struct {
+	EVP_MD_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	EVP_MD_CTX _ctx;
+#endif
+} isc_gost_t;
+
+#endif
+#ifdef HAVE_PKCS11_GOST
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_gost_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx);
+
+void
+isc_gost_invalidate(isc_gost_t *ctx);
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data, unsigned int len);
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* HAVE_OPENSSL_GOST || HAVE_PKCS11_GOST */
+
+#endif /* DST_GOST_H */
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
new file mode 100644
index 0000000..11e5fc6
--- /dev/null
+++ b/lib/dns/dst_internal.h
@@ -0,0 +1,306 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef DST_DST_INTERNAL_H
+#define DST_DST_INTERNAL_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/region.h>
+#include <isc/types.h>
+#include <isc/md5.h>
+#include <isc/refcount.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/stdtime.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
+
+#include <pk11/site.h>
+
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#ifdef OPENSSL
+#ifndef PK11_DH_DISABLE
+#include <openssl/dh.h>
+#endif
+#ifndef PK11_DSA_DISABLE
+#include <openssl/dsa.h>
+#endif
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#endif
+
+ISC_LANG_BEGINDECLS
+
+#define KEY_MAGIC	ISC_MAGIC('D','S','T','K')
+#define CTX_MAGIC	ISC_MAGIC('D','S','T','C')
+
+#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
+#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
+
+LIBDNS_EXTERNAL_DATA extern isc_mem_t *dst__memory_pool;
+
+/***
+ *** Types
+ ***/
+
+typedef struct dst_func dst_func_t;
+
+#ifndef PK11_MD5_DISABLE
+typedef struct dst_hmacmd5_key	  dst_hmacmd5_key_t;
+#endif
+typedef struct dst_hmacsha1_key   dst_hmacsha1_key_t;
+typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
+typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
+typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
+typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
+
+/*%
+ * Indicate whether a DST context will be used for signing
+ * or for verification
+ */
+typedef enum { DO_SIGN, DO_VERIFY } dst_use_t;
+
+/*% DST Key Structure */
+struct dst_key {
+	unsigned int	magic;
+	isc_refcount_t	refs;
+	dns_name_t *	key_name;	/*%< name of the key */
+	unsigned int	key_size;	/*%< size of the key in bits */
+	unsigned int	key_proto;	/*%< protocols this key is used for */
+	unsigned int	key_alg;	/*%< algorithm of the key */
+	uint32_t	key_flags;	/*%< flags of the public key */
+	uint16_t	key_id;		/*%< identifier of the key */
+	uint16_t	key_rid;	/*%< identifier of the key when
+					     revoked */
+	uint16_t	key_bits;	/*%< hmac digest bits */
+	dns_rdataclass_t key_class;	/*%< class of the key record */
+	dns_ttl_t	key_ttl;	/*%< default/initial dnskey ttl */
+	isc_mem_t	*mctx;		/*%< memory context */
+	char		*engine;	/*%< engine name (HSM) */
+	char		*label;		/*%< engine label (HSM) */
+	union {
+		void *generic;
+		gss_ctx_id_t gssctx;
+#ifdef OPENSSL
+#if !defined(USE_EVP) || !USE_EVP
+		RSA *rsa;
+#endif
+#ifndef PK11_DSA_DISABLE
+		DSA *dsa;
+#endif
+#ifndef PK11_DH_DISABLE
+		DH *dh;
+#endif
+		EVP_PKEY *pkey;
+#elif PKCS11CRYPTO
+		pk11_object_t *pkey;
+#endif
+#ifndef PK11_MD5_DISABLE
+		dst_hmacmd5_key_t *hmacmd5;
+#endif
+		dst_hmacsha1_key_t *hmacsha1;
+		dst_hmacsha224_key_t *hmacsha224;
+		dst_hmacsha256_key_t *hmacsha256;
+		dst_hmacsha384_key_t *hmacsha384;
+		dst_hmacsha512_key_t *hmacsha512;
+
+	} keydata;			/*%< pointer to key in crypto pkg fmt */
+
+	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< timing metadata */
+	bool	timeset[DST_MAX_TIMES + 1];  /*%< data set? */
+	isc_stdtime_t	nums[DST_MAX_NUMERIC + 1];   /*%< numeric metadata */
+	bool	numset[DST_MAX_NUMERIC + 1]; /*%< data set? */
+	bool 	inactive;      /*%< private key not present as it is
+					    inactive */
+	bool 	external;      /*%< external key */
+
+	int		fmt_major;     /*%< private key format, major version */
+	int		fmt_minor;     /*%< private key format, minor version */
+
+	dst_func_t *    func;	       /*%< crypto package specific functions */
+	isc_buffer_t   *key_tkeytoken; /*%< TKEY token data */
+};
+
+struct dst_context {
+	unsigned int magic;
+	dst_use_t use;
+	dst_key_t *key;
+	isc_mem_t *mctx;
+	isc_logcategory_t *category;
+	union {
+		void *generic;
+		dst_gssapi_signverifyctx_t *gssctx;
+#ifndef PK11_MD5_DISABLE
+		isc_md5_t *md5ctx;
+#endif
+		isc_sha1_t *sha1ctx;
+		isc_sha256_t *sha256ctx;
+		isc_sha512_t *sha512ctx;
+#ifndef PK11_MD5_DISABLE
+		isc_hmacmd5_t *hmacmd5ctx;
+#endif
+		isc_hmacsha1_t *hmacsha1ctx;
+		isc_hmacsha224_t *hmacsha224ctx;
+		isc_hmacsha256_t *hmacsha256ctx;
+		isc_hmacsha384_t *hmacsha384ctx;
+		isc_hmacsha512_t *hmacsha512ctx;
+#ifdef OPENSSL
+		EVP_MD_CTX *evp_md_ctx;
+#elif PKCS11CRYPTO
+		pk11_context_t *pk11_ctx;
+#endif
+	} ctxdata;
+};
+
+struct dst_func {
+	/*
+	 * Context functions
+	 */
+	isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
+	isc_result_t (*createctx2)(dst_key_t *key, int maxbits,
+				   dst_context_t *dctx);
+	void (*destroyctx)(dst_context_t *dctx);
+	isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
+
+	/*
+	 * Key operations
+	 */
+	isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
+	isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
+	isc_result_t (*verify2)(dst_context_t *dctx, int maxbits,
+				const isc_region_t *sig);
+	isc_result_t (*computesecret)(const dst_key_t *pub,
+				      const dst_key_t *priv,
+				      isc_buffer_t *secret);
+	bool (*compare)(const dst_key_t *key1, const dst_key_t *key2);
+	bool (*paramcompare)(const dst_key_t *key1,
+				      const dst_key_t *key2);
+	isc_result_t (*generate)(dst_key_t *key, int parms,
+				 void (*callback)(int));
+	bool (*isprivate)(const dst_key_t *key);
+	void (*destroy)(dst_key_t *key);
+
+	/* conversion functions */
+	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
+	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
+	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
+	isc_result_t (*parse)(dst_key_t *key,
+			      isc_lex_t *lexer,
+			      dst_key_t *pub);
+
+	/* cleanup */
+	void (*cleanup)(void);
+
+	isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
+				  const char *label, const char *pin);
+	isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
+			     int *length);
+	isc_result_t (*restore)(dst_key_t *key, const char *keystr);
+};
+
+/*%
+ * Initializers
+ */
+isc_result_t dst__openssl_init(const char *engine);
+#define dst__pkcs11_init pk11_initialize
+
+#ifndef PK11_MD5_DISABLE
+isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
+#endif
+isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
+isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
+isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
+				  unsigned char algorithm);
+isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
+#ifndef PK11_DSA_DISABLE
+isc_result_t dst__openssldsa_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
+#endif
+#ifndef PK11_DH_DISABLE
+isc_result_t dst__openssldh_init(struct dst_func **funcp);
+isc_result_t dst__pkcs11dh_init(struct dst_func **funcp);
+#endif
+isc_result_t dst__gssapi_init(struct dst_func **funcp);
+#ifdef HAVE_OPENSSL_ECDSA
+isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
+#endif
+#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
+isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_PKCS11_ECDSA
+isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
+#endif
+#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_OPENSSL_GOST
+isc_result_t dst__opensslgost_init(struct dst_func **funcp);
+#endif
+#ifdef HAVE_PKCS11_GOST
+isc_result_t dst__pkcs11gost_init(struct dst_func **funcp);
+#endif
+
+/*%
+ * Destructors
+ */
+void dst__openssl_destroy(void);
+#define dst__pkcs11_destroy pk11_finalize
+
+/*%
+ * Memory allocators using the DST memory pool.
+ */
+void * dst__mem_alloc(size_t size);
+void   dst__mem_free(void *ptr);
+void * dst__mem_realloc(void *ptr, size_t size);
+
+/*%
+ * Entropy retriever using the DST entropy pool.
+ */
+isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
+				  bool pseudo);
+
+/*
+ * Entropy status hook.
+ */
+unsigned int dst__entropy_status(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_INTERNAL_H */
+/*! \file */
diff --git a/lib/dns/dst_lib.c b/lib/dns/dst_lib.c
new file mode 100644
index 0000000..4edf728
--- /dev/null
+++ b/lib/dns/dst_lib.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <dst/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBDNS_EXTERNAL_DATA isc_msgcat_t *		dst_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libdst.cat", &dst_msgcat);
+}
+
+void
+dst_lib_initmsgcat(void) {
+
+	/*
+	 * Initialize the DST library's message catalog, dst_msgcat, if it
+	 * has not already been initialized.
+	 */
+
+	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
new file mode 100644
index 0000000..e085f11
--- /dev/null
+++ b/lib/dns/dst_openssl.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_OPENSSL_H
+#define DST_OPENSSL_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include <openssl/conf.h>
+#include <openssl/crypto.h>
+#include <openssl/bn.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+/*
+ * These are new in OpenSSL 1.1.0.  BN_GENCB _cb needs to be declared in
+ * the function like this before the BN_GENCB_new call:
+ *
+ * #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ *     	 _cb;
+ * #endif
+ */
+#define BN_GENCB_free(x) ((void)0)
+#define BN_GENCB_new() (&_cb)
+#define BN_GENCB_get_arg(x) ((x)->arg)
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+/*
+ * EVP_dss1() is a version of EVP_sha1() that was needed prior to
+ * 1.1.0 because there was a link between digests and signing algorithms;
+ * the link has been eliminated and EVP_sha1() can be used now instead.
+ */
+#define EVP_dss1 EVP_sha1
+#endif
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback);
+
+isc_result_t
+dst__openssl_toresult2(const char *funcname, isc_result_t fallback);
+
+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category,
+		       const char *funcname, isc_result_t fallback);
+
+#if !defined(OPENSSL_NO_ENGINE)
+ENGINE *
+dst__openssl_getengine(const char *engine);
+#else
+#define dst__openssl_getengine(x) NULL
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_OPENSSL_H */
+/*! \file */
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
new file mode 100644
index 0000000..f31c33d
--- /dev/null
+++ b/lib/dns/dst_parse.c
@@ -0,0 +1,856 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/fsaccess.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/time.h>
+#include <dns/log.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst/result.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+#define PRIVATE_KEY_STR "Private-key-format:"
+#define ALGORITHM_STR "Algorithm:"
+
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timetags[TIMING_NTAGS] = {
+	"Created:",
+	"Publish:",
+	"Activate:",
+	"Revoke:",
+	"Inactive:",
+	"Delete:",
+	"DSPublish:",
+	"SyncPublish:",
+	"SyncDelete:"
+};
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+	"Predecessor:",
+	"Successor:",
+	"MaxTTL:",
+	"RollPeriod:"
+};
+
+struct parse_map {
+	const int value;
+	const char *tag;
+};
+
+static struct parse_map map[] = {
+	{TAG_RSA_MODULUS, "Modulus:"},
+	{TAG_RSA_PUBLICEXPONENT, "PublicExponent:"},
+	{TAG_RSA_PRIVATEEXPONENT, "PrivateExponent:"},
+	{TAG_RSA_PRIME1, "Prime1:"},
+	{TAG_RSA_PRIME2, "Prime2:"},
+	{TAG_RSA_EXPONENT1, "Exponent1:"},
+	{TAG_RSA_EXPONENT2, "Exponent2:"},
+	{TAG_RSA_COEFFICIENT, "Coefficient:"},
+	{TAG_RSA_ENGINE, "Engine:" },
+	{TAG_RSA_LABEL, "Label:" },
+
+#ifndef PK11_DH_DISABLE
+	{TAG_DH_PRIME, "Prime(p):"},
+	{TAG_DH_GENERATOR, "Generator(g):"},
+	{TAG_DH_PRIVATE, "Private_value(x):"},
+	{TAG_DH_PUBLIC, "Public_value(y):"},
+#endif
+
+#ifndef PK11_DSA_DISABLE
+	{TAG_DSA_PRIME, "Prime(p):"},
+	{TAG_DSA_SUBPRIME, "Subprime(q):"},
+	{TAG_DSA_BASE, "Base(g):"},
+	{TAG_DSA_PRIVATE, "Private_value(x):"},
+	{TAG_DSA_PUBLIC, "Public_value(y):"},
+#endif
+
+	{TAG_GOST_PRIVASN1, "GostAsn1:"},
+	{TAG_GOST_PRIVRAW, "PrivateKey:"},
+
+	{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
+	{TAG_ECDSA_ENGINE, "Engine:" },
+	{TAG_ECDSA_LABEL, "Label:" },
+
+	{TAG_EDDSA_PRIVATEKEY, "PrivateKey:"},
+	{TAG_EDDSA_ENGINE, "Engine:" },
+	{TAG_EDDSA_LABEL, "Label:" },
+
+#ifndef PK11_MD5_DISABLE
+	{TAG_HMACMD5_KEY, "Key:"},
+	{TAG_HMACMD5_BITS, "Bits:"},
+#endif
+
+	{TAG_HMACSHA1_KEY, "Key:"},
+	{TAG_HMACSHA1_BITS, "Bits:"},
+
+	{TAG_HMACSHA224_KEY, "Key:"},
+	{TAG_HMACSHA224_BITS, "Bits:"},
+
+	{TAG_HMACSHA256_KEY, "Key:"},
+	{TAG_HMACSHA256_BITS, "Bits:"},
+
+	{TAG_HMACSHA384_KEY, "Key:"},
+	{TAG_HMACSHA384_BITS, "Bits:"},
+
+	{TAG_HMACSHA512_KEY, "Key:"},
+	{TAG_HMACSHA512_BITS, "Bits:"},
+
+	{0, NULL}
+};
+
+static int
+find_value(const char *s, const unsigned int alg) {
+	int i;
+
+	for (i = 0; map[i].tag != NULL; i++) {
+		if (strcasecmp(s, map[i].tag) == 0 &&
+		    (TAG_ALG(map[i].value) == alg))
+			return (map[i].value);
+	}
+	return (-1);
+}
+
+static const char *
+find_tag(const int value) {
+	int i;
+
+	for (i = 0; ; i++) {
+		if (map[i].tag == NULL)
+			return (NULL);
+		else if (value == map[i].value)
+			return (map[i].tag);
+	}
+}
+
+static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+	int i;
+
+	for (i = 0; i < ntags; i++) {
+		if (tags[i] != NULL && strcasecmp(s, tags[i]) == 0)
+			return (i);
+	}
+
+	return (-1);
+}
+
+static int
+find_timedata(const char *s) {
+	return (find_metadata(s, timetags, TIMING_NTAGS));
+}
+
+static int
+find_numericdata(const char *s) {
+	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
+static int
+check_rsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[RSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external)
+		return ((priv->nelements == 0) ? 0 : -1);
+
+	for (i = 0; i < RSA_NTAGS; i++)
+		have[i] = false;
+
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < RSA_NTAGS; i++)
+			if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
+				break;
+		if (i == RSA_NTAGS)
+			return (-1);
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_RSA_ENGINE & mask])
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_LABEL & mask];
+	else
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_PRIVATEEXPONENT & mask] &&
+		     have[TAG_RSA_PRIME1 & mask] &&
+		     have[TAG_RSA_PRIME2 & mask] &&
+		     have[TAG_RSA_EXPONENT1 & mask] &&
+		     have[TAG_RSA_EXPONENT2 & mask] &&
+		     have[TAG_RSA_COEFFICIENT & mask];
+	return (ok ? 0 : -1 );
+}
+
+#ifndef PK11_DH_DISABLE
+static int
+check_dh(const dst_private_t *priv) {
+	int i, j;
+	if (priv->nelements != DH_NTAGS)
+		return (-1);
+	for (i = 0; i < DH_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(DST_ALG_DH, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
+	return (0);
+}
+#endif
+
+#ifndef PK11_DSA_DISABLE
+static int
+check_dsa(const dst_private_t *priv, bool external) {
+	int i, j;
+
+	if (external)
+		return ((priv->nelements == 0)? 0 : -1);
+
+	if (priv->nelements != DSA_NTAGS)
+		return (-1);
+
+	for (i = 0; i < DSA_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
+	return (0);
+}
+#endif
+
+static int
+check_gost(const dst_private_t *priv, bool external) {
+
+	if (external)
+		return ((priv->nelements == 0)? 0 : -1);
+
+	if (priv->nelements != GOST_NTAGS)
+		return (-1);
+	if ((priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0)) &&
+	    (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 1)))
+		return (-1);
+	return (0);
+}
+
+static int
+check_ecdsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[ECDSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external)
+		return ((priv->nelements == 0) ? 0 : -1);
+
+	for (i = 0; i < ECDSA_NTAGS; i++)
+		have[i] = false;
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < ECDSA_NTAGS; i++)
+			if (priv->elements[j].tag == TAG(DST_ALG_ECDSA256, i))
+				break;
+		if (i == ECDSA_NTAGS)
+			return (-1);
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_ECDSA_ENGINE & mask])
+		ok = have[TAG_ECDSA_LABEL & mask];
+	else
+		ok = have[TAG_ECDSA_PRIVATEKEY & mask];
+	return (ok ? 0 : -1 );
+}
+
+static int
+check_eddsa(const dst_private_t *priv, bool external) {
+	int i, j;
+	bool have[EDDSA_NTAGS];
+	bool ok;
+	unsigned int mask;
+
+	if (external)
+		return ((priv->nelements == 0) ? 0 : -1);
+
+	for (i = 0; i < EDDSA_NTAGS; i++)
+		have[i] = false;
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < EDDSA_NTAGS; i++)
+			if (priv->elements[j].tag == TAG(DST_ALG_ED25519, i))
+				break;
+		if (i == EDDSA_NTAGS)
+			return (-1);
+		have[i] = true;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_EDDSA_ENGINE & mask])
+		ok = have[TAG_EDDSA_LABEL & mask];
+	else
+		ok = have[TAG_EDDSA_PRIVATEKEY & mask];
+	return (ok ? 0 : -1 );
+}
+
+#ifndef PK11_MD5_DISABLE
+static int
+check_hmac_md5(const dst_private_t *priv, bool old) {
+	int i, j;
+
+	if (priv->nelements != HMACMD5_NTAGS) {
+		/*
+		 * If this is a good old format and we are accepting
+		 * the old format return success.
+		 */
+		if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
+		    priv->elements[0].tag == TAG_HMACMD5_KEY)
+			return (0);
+		return (-1);
+	}
+	/*
+	 * We must be new format at this point.
+	 */
+	for (i = 0; i < HMACMD5_NTAGS; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
+	return (0);
+}
+#endif
+
+static int
+check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
+	       unsigned int alg)
+{
+	unsigned int i, j;
+	if (priv->nelements != ntags)
+		return (-1);
+	for (i = 0; i < ntags; i++) {
+		for (j = 0; j < priv->nelements; j++)
+			if (priv->elements[j].tag == TAG(alg, i))
+				break;
+		if (j == priv->nelements)
+			return (-1);
+	}
+	return (0);
+}
+
+static int
+check_data(const dst_private_t *priv, const unsigned int alg,
+	   bool old, bool external)
+{
+#ifdef PK11_MD5_DISABLE
+	UNUSED(old);
+#endif
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		return (check_rsa(priv, external));
+#ifndef PK11_DH_DISABLE
+	case DST_ALG_DH:
+		return (check_dh(priv));
+#endif
+#ifndef PK11_DSA_DISABLE
+	case DST_ALG_DSA:
+	case DST_ALG_NSEC3DSA:
+		return (check_dsa(priv, external));
+#endif
+	case DST_ALG_ECCGOST:
+		return (check_gost(priv, external));
+	case DST_ALG_ECDSA256:
+	case DST_ALG_ECDSA384:
+		return (check_ecdsa(priv, external));
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		return (check_eddsa(priv, external));
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_HMACMD5:
+		return (check_hmac_md5(priv, old));
+#endif
+	case DST_ALG_HMACSHA1:
+		return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
+	case DST_ALG_HMACSHA224:
+		return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
+	case DST_ALG_HMACSHA256:
+		return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
+	case DST_ALG_HMACSHA384:
+		return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
+	case DST_ALG_HMACSHA512:
+		return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
+	default:
+		return (DST_R_UNSUPPORTEDALG);
+	}
+}
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
+	int i;
+
+	if (priv == NULL)
+		return;
+	for (i = 0; i < priv->nelements; i++) {
+		if (priv->elements[i].data == NULL)
+			continue;
+		memset(priv->elements[i].data, 0, MAXFIELDSIZE);
+		isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
+	}
+	priv->nelements = 0;
+}
+
+isc_result_t
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv)
+{
+	int n = 0, major, minor, check;
+	isc_buffer_t b;
+	isc_token_t token;
+	unsigned char *data = NULL;
+	unsigned int opt = ISC_LEXOPT_EOL;
+	isc_stdtime_t when;
+	isc_result_t ret;
+	bool external = false;
+
+	REQUIRE(priv != NULL);
+
+	priv->nelements = 0;
+	memset(priv->elements, 0, sizeof(priv->elements));
+
+#define NEXTTOKEN(lex, opt, token)				\
+	do {							\
+		ret = isc_lex_gettoken(lex, opt, token);	\
+		if (ret != ISC_R_SUCCESS)			\
+			goto fail;				\
+	} while (0)
+
+#define READLINE(lex, opt, token)				\
+	do {							\
+		ret = isc_lex_gettoken(lex, opt, token);	\
+		if (ret == ISC_R_EOF)				\
+			break;					\
+		else if (ret != ISC_R_SUCCESS)			\
+			goto fail;				\
+	} while ((*token).type != isc_tokentype_eol)
+
+	/*
+	 * Read the description line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    (DST_AS_STR(token))[0] != 'v')
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	if (major > DST_MAJOR_VERSION) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	/*
+	 * Store the private key format version number
+	 */
+	dst_key_setprivateformat(key, major, minor);
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the algorithm line.
+	 */
+	NEXTTOKEN(lex, opt, &token);
+	if (token.type != isc_tokentype_string ||
+	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+	if (token.type != isc_tokentype_number ||
+	    token.value.as_ulong != (unsigned long) dst_key_alg(key))
+	{
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+	READLINE(lex, opt, &token);
+
+	/*
+	 * Read the key data.
+	 */
+	for (n = 0; n < MAXFIELDS; n++) {
+		int tag;
+		isc_region_t r;
+		do {
+			ret = isc_lex_gettoken(lex, opt, &token);
+			if (ret == ISC_R_EOF)
+				goto done;
+			if (ret != ISC_R_SUCCESS)
+				goto fail;
+		} while (token.type == isc_tokentype_eol);
+
+		if (token.type != isc_tokentype_string) {
+			ret = DST_R_INVALIDPRIVATEKEY;
+			goto fail;
+		}
+
+		if (strcmp(DST_AS_STR(token), "External:") == 0) {
+			external = true;
+			goto next;
+		}
+
+		/* Numeric metadata */
+		tag = find_numericdata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < NUMERIC_NTAGS);
+
+			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+			if (token.type != isc_tokentype_number) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			dst_key_setnum(key, tag, token.value.as_ulong);
+			goto next;
+		}
+
+		/* Timing metadata */
+		tag = find_timedata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < TIMING_NTAGS);
+
+			NEXTTOKEN(lex, opt, &token);
+			if (token.type != isc_tokentype_string) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			ret = dns_time32_fromtext(DST_AS_STR(token), &when);
+			if (ret != ISC_R_SUCCESS)
+				goto fail;
+
+			dst_key_settime(key, tag, when);
+
+			goto next;
+		}
+
+		/* Key data */
+		tag = find_value(DST_AS_STR(token), alg);
+		if (tag < 0 && minor > DST_MINOR_VERSION)
+			goto next;
+		else if (tag < 0) {
+			ret = DST_R_INVALIDPRIVATEKEY;
+			goto fail;
+		}
+
+		priv->elements[n].tag = tag;
+
+		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
+		if (data == NULL)
+			goto fail;
+
+		isc_buffer_init(&b, data, MAXFIELDSIZE);
+		ret = isc_base64_tobuffer(lex, &b, -1);
+		if (ret != ISC_R_SUCCESS)
+			goto fail;
+
+		isc_buffer_usedregion(&b, &r);
+		priv->elements[n].length = r.length;
+		priv->elements[n].data = r.base;
+		priv->nelements++;
+
+	  next:
+		READLINE(lex, opt, &token);
+		data = NULL;
+	}
+
+ done:
+	if (external && priv->nelements != 0) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	}
+
+#ifdef PK11_MD5_DISABLE
+	check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
+			   true, external);
+#else
+	check = check_data(priv, alg, true, external);
+#endif
+	if (check < 0) {
+		ret = DST_R_INVALIDPRIVATEKEY;
+		goto fail;
+	} else if (check != ISC_R_SUCCESS) {
+		ret = check;
+		goto fail;
+	}
+
+	key->external = external;
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	dst__privstruct_free(priv, mctx);
+	if (data != NULL)
+		isc_mem_put(mctx, data, MAXFIELDSIZE);
+
+	return (ret);
+}
+
+isc_result_t
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+			  const char *directory)
+{
+	FILE *fp;
+	isc_result_t result;
+	char filename[ISC_DIR_NAMEMAX];
+	char buffer[MAXFIELDSIZE * 2];
+	isc_fsaccess_t access;
+	isc_stdtime_t when;
+	uint32_t value;
+	isc_buffer_t b;
+	isc_region_t r;
+	int major, minor;
+	mode_t mode;
+	int i, ret;
+
+	REQUIRE(priv != NULL);
+
+	ret = check_data(priv, dst_key_alg(key), false, key->external);
+	if (ret < 0)
+		return (DST_R_INVALIDPRIVATEKEY);
+	else if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, filename, sizeof(filename));
+	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_file_mode(filename, &mode);
+	if (result == ISC_R_SUCCESS && mode != 0600) {
+		/* File exists; warn that we are changing its permissions */
+		int level;
+
+#ifdef _WIN32
+		/* Windows security model is pretty different,
+		 * e.g., there is no umask... */
+		level = ISC_LOG_NOTICE;
+#else
+		level = ISC_LOG_WARNING;
+#endif
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_DNSSEC, level,
+			      "Permissions on the file %s "
+			      "have changed from 0%o to 0600 as "
+			      "a result of this operation.",
+			      filename, (unsigned int)mode);
+	}
+
+	if ((fp = fopen(filename, "w")) == NULL)
+		return (DST_R_WRITEERROR);
+
+	access = 0;
+	isc_fsaccess_add(ISC_FSACCESS_OWNER,
+			 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+			 &access);
+	(void)isc_fsaccess_set(filename, access);
+
+	dst_key_getprivateformat(key, &major, &minor);
+	if (major == 0 && minor == 0) {
+		major = DST_MAJOR_VERSION;
+		minor = DST_MINOR_VERSION;
+	}
+
+	/* XXXDCL return value should be checked for full filesystem */
+	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
+
+	fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key));
+
+	/* XXXVIX this switch statement is too sparse to gen a jump table. */
+	switch (dst_key_alg(key)) {
+	case DST_ALG_RSAMD5:
+		fprintf(fp, "(RSA)\n");
+		break;
+	case DST_ALG_DH:
+		fprintf(fp, "(DH)\n");
+		break;
+	case DST_ALG_DSA:
+		fprintf(fp, "(DSA)\n");
+		break;
+	case DST_ALG_RSASHA1:
+		fprintf(fp, "(RSASHA1)\n");
+		break;
+	case DST_ALG_NSEC3RSASHA1:
+		fprintf(fp, "(NSEC3RSASHA1)\n");
+		break;
+	case DST_ALG_NSEC3DSA:
+		fprintf(fp, "(NSEC3DSA)\n");
+		break;
+	case DST_ALG_RSASHA256:
+		fprintf(fp, "(RSASHA256)\n");
+		break;
+	case DST_ALG_RSASHA512:
+		fprintf(fp, "(RSASHA512)\n");
+		break;
+	case DST_ALG_ECCGOST:
+		fprintf(fp, "(ECC-GOST)\n");
+		break;
+	case DST_ALG_ECDSA256:
+		fprintf(fp, "(ECDSAP256SHA256)\n");
+		break;
+	case DST_ALG_ECDSA384:
+		fprintf(fp, "(ECDSAP384SHA384)\n");
+		break;
+	case DST_ALG_ED25519:
+		fprintf(fp, "(ED25519)\n");
+		break;
+	case DST_ALG_ED448:
+		fprintf(fp, "(ED448)\n");
+		break;
+	case DST_ALG_HMACMD5:
+		fprintf(fp, "(HMAC_MD5)\n");
+		break;
+	case DST_ALG_HMACSHA1:
+		fprintf(fp, "(HMAC_SHA1)\n");
+		break;
+	case DST_ALG_HMACSHA224:
+		fprintf(fp, "(HMAC_SHA224)\n");
+		break;
+	case DST_ALG_HMACSHA256:
+		fprintf(fp, "(HMAC_SHA256)\n");
+		break;
+	case DST_ALG_HMACSHA384:
+		fprintf(fp, "(HMAC_SHA384)\n");
+		break;
+	case DST_ALG_HMACSHA512:
+		fprintf(fp, "(HMAC_SHA512)\n");
+		break;
+	default:
+		fprintf(fp, "(?)\n");
+		break;
+	}
+
+	for (i = 0; i < priv->nelements; i++) {
+		const char *s;
+
+		s = find_tag(priv->elements[i].tag);
+
+		r.base = priv->elements[i].data;
+		r.length = priv->elements[i].length;
+		isc_buffer_init(&b, buffer, sizeof(buffer));
+		result = isc_base64_totext(&r, sizeof(buffer), "", &b);
+		if (result != ISC_R_SUCCESS) {
+			fclose(fp);
+			return (DST_R_INVALIDPRIVATEKEY);
+		}
+		isc_buffer_usedregion(&b, &r);
+
+	       fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
+	}
+
+	if (key->external)
+	       fprintf(fp, "External:\n");
+
+	/* Add the metadata tags */
+	if (major > 1 || (major == 1 && minor >= 3)) {
+		for (i = 0; i < NUMERIC_NTAGS; i++) {
+			result = dst_key_getnum(key, i, &value);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			fprintf(fp, "%s %u\n", numerictags[i], value);
+		}
+		for (i = 0; i < TIMING_NTAGS; i++) {
+			result = dst_key_gettime(key, i, &when);
+			if (result != ISC_R_SUCCESS)
+				continue;
+
+			isc_buffer_init(&b, buffer, sizeof(buffer));
+			result = dns_time32_totext(when, &b);
+			if (result != ISC_R_SUCCESS) {
+			       fclose(fp);
+			       return (DST_R_INVALIDPRIVATEKEY);
+			}
+
+			isc_buffer_usedregion(&b, &r);
+
+			fprintf(fp, "%s %.*s\n", timetags[i], (int)r.length,
+				r.base);
+		}
+	}
+
+	fflush(fp);
+	result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
+	fclose(fp);
+	return (result);
+}
+
+/*! \file */
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
new file mode 100644
index 0000000..a2600e1
--- /dev/null
+++ b/lib/dns/dst_parse.h
@@ -0,0 +1,142 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+#ifndef DST_DST_PARSE_H
+#define DST_DST_PARSE_H 1
+
+#include <isc/lang.h>
+
+#include <dst/dst.h>
+
+#define MAXFIELDSIZE		512
+
+/*
+ * Maximum number of fields in a private file is 18 (12 algorithm-
+ * specific fields for RSA, plus 6 generic fields).
+ */
+#define MAXFIELDS		12+6
+
+#define TAG_SHIFT		4
+#define TAG_ALG(tag)		((unsigned int)(tag) >> TAG_SHIFT)
+#define TAG(alg, off)		(((alg) << TAG_SHIFT) + (off))
+
+/* These are used by both RSA-MD5 and RSA-SHA1 */
+#define RSA_NTAGS		11
+#define TAG_RSA_MODULUS		((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
+#define TAG_RSA_PUBLICEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
+#define TAG_RSA_PRIVATEEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
+#define TAG_RSA_PRIME1		((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
+#define TAG_RSA_PRIME2		((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
+#define TAG_RSA_EXPONENT1	((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
+#define TAG_RSA_EXPONENT2	((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
+#define TAG_RSA_COEFFICIENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
+#define TAG_RSA_ENGINE		((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
+#define TAG_RSA_LABEL		((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
+
+#define DH_NTAGS		4
+#define TAG_DH_PRIME		((DST_ALG_DH << TAG_SHIFT) + 0)
+#define TAG_DH_GENERATOR	((DST_ALG_DH << TAG_SHIFT) + 1)
+#define TAG_DH_PRIVATE		((DST_ALG_DH << TAG_SHIFT) + 2)
+#define TAG_DH_PUBLIC		((DST_ALG_DH << TAG_SHIFT) + 3)
+
+#define DSA_NTAGS		5
+#define TAG_DSA_PRIME		((DST_ALG_DSA << TAG_SHIFT) + 0)
+#define TAG_DSA_SUBPRIME	((DST_ALG_DSA << TAG_SHIFT) + 1)
+#define TAG_DSA_BASE		((DST_ALG_DSA << TAG_SHIFT) + 2)
+#define TAG_DSA_PRIVATE		((DST_ALG_DSA << TAG_SHIFT) + 3)
+#define TAG_DSA_PUBLIC		((DST_ALG_DSA << TAG_SHIFT) + 4)
+
+#define GOST_NTAGS		1
+#define TAG_GOST_PRIVASN1	((DST_ALG_ECCGOST << TAG_SHIFT) + 0)
+#define TAG_GOST_PRIVRAW	((DST_ALG_ECCGOST << TAG_SHIFT) + 1)
+
+#define ECDSA_NTAGS		4
+#define TAG_ECDSA_PRIVATEKEY	((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
+#define TAG_ECDSA_ENGINE	((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
+#define TAG_ECDSA_LABEL		((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
+
+#define EDDSA_NTAGS		4
+#define TAG_EDDSA_PRIVATEKEY	((DST_ALG_ED25519 << TAG_SHIFT) + 0)
+#define TAG_EDDSA_ENGINE	((DST_ALG_ED25519 << TAG_SHIFT) + 1)
+#define TAG_EDDSA_LABEL		((DST_ALG_ED25519 << TAG_SHIFT) + 2)
+
+#define OLD_HMACMD5_NTAGS	1
+#define HMACMD5_NTAGS		2
+#define TAG_HMACMD5_KEY		((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
+#define TAG_HMACMD5_BITS	((DST_ALG_HMACMD5 << TAG_SHIFT) + 1)
+
+#define HMACSHA1_NTAGS		2
+#define TAG_HMACSHA1_KEY	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA1_BITS	((DST_ALG_HMACSHA1 << TAG_SHIFT) + 1)
+
+#define HMACSHA224_NTAGS	2
+#define TAG_HMACSHA224_KEY	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA224_BITS	((DST_ALG_HMACSHA224 << TAG_SHIFT) + 1)
+
+#define HMACSHA256_NTAGS	2
+#define TAG_HMACSHA256_KEY	((DST_ALG_HMACSHA256 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA256_BITS	((DST_ALG_HMACSHA256 << TAG_SHIFT) + 1)
+
+#define HMACSHA384_NTAGS	2
+#define TAG_HMACSHA384_KEY	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA384_BITS	((DST_ALG_HMACSHA384 << TAG_SHIFT) + 1)
+
+#define HMACSHA512_NTAGS	2
+#define TAG_HMACSHA512_KEY	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 0)
+#define TAG_HMACSHA512_BITS	((DST_ALG_HMACSHA512 << TAG_SHIFT) + 1)
+
+struct dst_private_element {
+	unsigned short tag;
+	unsigned short length;
+	unsigned char *data;
+};
+
+typedef struct dst_private_element dst_private_element_t;
+
+struct dst_private {
+	unsigned short nelements;
+	dst_private_element_t elements[MAXFIELDS];
+};
+
+typedef struct dst_private dst_private_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
+
+isc_result_t
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+		      isc_mem_t *mctx, dst_private_t *priv);
+
+isc_result_t
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+			  const char *directory);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_PARSE_H */
diff --git a/lib/dns/dst_pkcs11.h b/lib/dns/dst_pkcs11.h
new file mode 100644
index 0000000..b8011f2
--- /dev/null
+++ b/lib/dns/dst_pkcs11.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_PKCS11_H
+#define DST_PKCS11_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+		     isc_result_t fallback, CK_RV rv);
+
+#define PK11_CALL(func, args, fallback) \
+	((void) (((rv = (func) args) == CKR_OK) || \
+		 ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+					      fallback, rv)), 0)))
+
+#define PK11_RET(func, args, fallback) \
+	((void) (((rv = (func) args) == CKR_OK) || \
+		 ((ret = dst__pkcs11_toresult(#func, __FILE__, __LINE__, \
+					      fallback, rv)), 0)));	\
+	if (rv != CKR_OK) goto err;
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_PKCS11_H */
diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c
new file mode 100644
index 0000000..caee5f0
--- /dev/null
+++ b/lib/dns/dst_result.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+#include <dst/lib.h>
+
+static const char *text[DST_R_NRESULTS] = {
+	"algorithm is unsupported",		/*%< 0 */
+	"crypto failure",			/*%< 1 */
+	"built with no crypto support",		/*%< 2 */
+	"illegal operation for a null key",	/*%< 3 */
+	"public key is invalid",		/*%< 4 */
+	"private key is invalid",		/*%< 5 */
+	"external key",				/*%< 6 */
+	"error occurred writing key to disk",	/*%< 7 */
+	"invalid algorithm specific parameter",	/*%< 8 */
+	"UNUSED9",				/*%< 9 */
+	"UNUSED10",				/*%< 10 */
+	"sign failure",				/*%< 11 */
+	"UNUSED12",				/*%< 12 */
+	"UNUSED13",				/*%< 13 */
+	"verify failure",			/*%< 14 */
+	"not a public key",			/*%< 15 */
+	"not a private key",			/*%< 16 */
+	"not a key that can compute a secret",	/*%< 17 */
+	"failure computing a shared secret",	/*%< 18 */
+	"no randomness available",		/*%< 19 */
+	"bad key type",				/*%< 20 */
+	"no engine",				/*%< 21 */
+	"illegal operation for an external key",/*%< 22 */
+};
+
+static const char *ids[DST_R_NRESULTS] = {
+	"DST_R_UNSUPPORTEDALG",
+	"DST_R_CRYPTOFAILURE",
+	"DST_R_NOCRYPTO",
+	"DST_R_NULLKEY",
+	"DST_R_INVALIDPUBLICKEY",
+	"DST_R_INVALIDPRIVATEKEY",
+	"UNUSED",
+	"DST_R_WRITEERROR",
+	"DST_R_INVALIDPARAM",
+	"UNUSED",
+	"UNUSED",
+	"DST_R_SIGNFAILURE",
+	"UNUSED",
+	"UNUSED",
+	"DST_R_VERIFYFAILURE",
+	"DST_R_NOTPUBLICKEY",
+	"DST_R_NOTPRIVATEKEY",
+	"DST_R_KEYCANNOTCOMPUTESECRET",
+	"DST_R_COMPUTESECRETFAILURE",
+	"DST_R_NORANDOMNESS",
+	"DST_R_BADKEYTYPE",
+	"DST_R_NOENGINE",
+	"DST_R_EXTERNALKEY",
+};
+
+#define DST_RESULT_RESULTSET			2
+
+static isc_once_t		once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
+				     text, dst_msgcat, DST_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+	result = isc_result_registerids(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
+					ids, dst_msgcat, DST_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+}
+
+static void
+initialize(void) {
+	dst_lib_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dst_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+dst_result_register(void) {
+	initialize();
+}
+
+/*! \file */
diff --git a/lib/dns/dyndb.c b/lib/dns/dyndb.c
new file mode 100644
index 0000000..93ad795
--- /dev/null
+++ b/lib/dns/dyndb.c
@@ -0,0 +1,467 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#elif _WIN32
+#include <windows.h>
+#endif
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/result.h>
+#include <isc/region.h>
+#include <isc/task.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/dyndb.h>
+#include <dns/log.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <string.h>
+
+#define CHECK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto cleanup;	\
+	} while (0)
+
+
+typedef struct dyndb_implementation dyndb_implementation_t;
+struct dyndb_implementation {
+	isc_mem_t			*mctx;
+	void				*handle;
+	dns_dyndb_register_t		*register_func;
+	dns_dyndb_destroy_t		*destroy_func;
+	char				*name;
+	void				*inst;
+	LINK(dyndb_implementation_t)	link;
+};
+
+/*
+ * List of dyndb implementations. Locked by dyndb_lock.
+ *
+ * These are stored here so they can be cleaned up on shutdown.
+ * (The order in which they are stored is not important.)
+ */
+static LIST(dyndb_implementation_t) dyndb_implementations;
+
+/* Locks dyndb_implementations. */
+static isc_mutex_t dyndb_lock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+dyndb_initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&dyndb_lock) == ISC_R_SUCCESS);
+	INIT_LIST(dyndb_implementations);
+}
+
+static dyndb_implementation_t *
+impfind(const char *name) {
+	dyndb_implementation_t *imp;
+
+	for (imp = ISC_LIST_HEAD(dyndb_implementations);
+	     imp != NULL;
+	     imp = ISC_LIST_NEXT(imp, link))
+		if (strcasecmp(name, imp->name) == 0)
+			return (imp);
+	return (NULL);
+}
+
+#if HAVE_DLFCN_H && HAVE_DLOPEN
+static isc_result_t
+load_symbol(void *handle, const char *filename,
+	    const char *symbol_name, void **symbolp)
+{
+	const char *errmsg;
+	void *symbol;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	symbol = dlsym(handle, symbol_name);
+	if (symbol == NULL) {
+		errmsg = dlerror();
+		if (errmsg == NULL)
+			errmsg = "returned function pointer is NULL";
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to lookup symbol %s in "
+			      "dyndb module '%s': %s",
+			      symbol_name, filename, errmsg);
+		return (ISC_R_FAILURE);
+	}
+	dlerror();
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp)
+{
+	isc_result_t result;
+	void *handle = NULL;
+	dyndb_implementation_t *imp = NULL;
+	dns_dyndb_register_t *register_func = NULL;
+	dns_dyndb_destroy_t *destroy_func = NULL;
+	dns_dyndb_version_t *version_func = NULL;
+	int version, flags;
+
+	REQUIRE(impp != NULL && *impp == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DYNDB, ISC_LOG_INFO,
+		      "loading DynDB instance '%s' driver '%s'",
+		      instname, filename);
+
+	flags = RTLD_NOW|RTLD_LOCAL;
+#ifdef RTLD_DEEPBIND
+	flags |= RTLD_DEEPBIND;
+#endif
+
+	handle = dlopen(filename, flags);
+	if (handle == NULL)
+		CHECK(ISC_R_FAILURE);
+
+	/* Clear dlerror */
+	dlerror();
+
+	CHECK(load_symbol(handle, filename, "dyndb_version",
+			  (void **)&version_func));
+
+	version = version_func(NULL);
+	if (version < (DNS_DYNDB_VERSION - DNS_DYNDB_AGE) ||
+	    version > DNS_DYNDB_VERSION)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "driver API version mismatch: %d/%d",
+			      version, DNS_DYNDB_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, filename, "dyndb_init",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, filename, "dyndb_destroy",
+			  (void **)&destroy_func));
+
+	imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+	if (imp == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	imp->handle = handle;
+	imp->register_func = register_func;
+	imp->destroy_func = destroy_func;
+	imp->name = isc_mem_strdup(mctx, instname);
+	if (imp->name == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	imp->inst = NULL;
+	INIT_LINK(imp, link);
+
+	*impp = imp;
+	imp = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to dynamically load instance '%s' "
+			      "driver '%s': %s (%s)", instname, filename,
+			      dlerror(), isc_result_totext(result));
+	if (imp != NULL)
+		isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+	if (result != ISC_R_SUCCESS && handle != NULL)
+		dlclose(handle);
+
+	return (result);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp) {
+	dyndb_implementation_t *imp;
+
+	REQUIRE(impp != NULL && *impp != NULL);
+
+	imp = *impp;
+
+	isc_mem_free(imp->mctx, imp->name);
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+	*impp = NULL;
+}
+#elif _WIN32
+static isc_result_t
+load_symbol(HMODULE handle, const char *filename,
+	    const char *symbol_name, void **symbolp)
+{
+	void *symbol;
+
+	REQUIRE(handle != NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	symbol = GetProcAddress(handle, symbol_name);
+	if (symbol == NULL) {
+		int errstatus = GetLastError();
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to lookup symbol %s in "
+			      "dyndb module '%s': %d",
+			      symbol_name, filename, errstatus);
+		return (ISC_R_FAILURE);
+	}
+
+	*symbolp = symbol;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp)
+{
+	isc_result_t result;
+	HMODULE handle;
+	dyndb_implementation_t *imp = NULL;
+	dns_dyndb_register_t *register_func = NULL;
+	dns_dyndb_destroy_t *destroy_func = NULL;
+	dns_dyndb_version_t *version_func = NULL;
+	int version;
+
+	REQUIRE(impp != NULL && *impp == NULL);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		      DNS_LOGMODULE_DYNDB, ISC_LOG_INFO,
+		      "loading DynDB instance '%s' driver '%s'",
+		      instname, filename);
+
+	handle = LoadLibraryA(filename);
+	if (handle == NULL)
+		CHECK(ISC_R_FAILURE);
+
+	CHECK(load_symbol(handle, filename, "dyndb_version",
+			  (void **)&version_func));
+
+	version = version_func(NULL);
+	if (version < (DNS_DYNDB_VERSION - DNS_DYNDB_AGE) ||
+	    version > DNS_DYNDB_VERSION)
+	{
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "driver API version mismatch: %d/%d",
+			      version, DNS_DYNDB_VERSION);
+		CHECK(ISC_R_FAILURE);
+	}
+
+	CHECK(load_symbol(handle, filename, "dyndb_init",
+			  (void **)&register_func));
+	CHECK(load_symbol(handle, filename, "dyndb_destroy",
+			  (void **)&destroy_func));
+
+	imp = isc_mem_get(mctx, sizeof(dyndb_implementation_t));
+	if (imp == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	imp->handle = handle;
+	imp->register_func = register_func;
+	imp->destroy_func = destroy_func;
+	imp->name = isc_mem_strdup(mctx, instname);
+	if (imp->name == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	imp->inst = NULL;
+	INIT_LINK(imp, link);
+
+	*impp = imp;
+	imp = NULL;
+
+cleanup:
+	if (result != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_ERROR,
+			      "failed to dynamically load instance '%s' "
+			      "driver '%s': %d (%s)", instname, filename,
+			      GetLastError(), isc_result_totext(result));
+	if (imp != NULL)
+		isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+	if (result != ISC_R_SUCCESS && handle != NULL)
+		FreeLibrary(handle);
+
+	return (result);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp) {
+	dyndb_implementation_t *imp;
+
+	REQUIRE(impp != NULL && *impp != NULL);
+
+	imp = *impp;
+
+	isc_mem_free(imp->mctx, imp->name);
+	isc_mem_putanddetach(&imp->mctx, imp, sizeof(dyndb_implementation_t));
+
+	*impp = NULL;
+}
+#else	/* HAVE_DLFCN_H || _WIN32 */
+static isc_result_t
+load_library(isc_mem_t *mctx, const char *filename, const char *instname,
+	     dyndb_implementation_t **impp)
+{
+	UNUSED(mctx);
+	UNUSED(filename);
+	UNUSED(instname);
+	UNUSED(impp);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_DYNDB,
+		      ISC_LOG_ERROR,
+		      "dynamic database support is not implemented");
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+unload_library(dyndb_implementation_t **impp)
+{
+	UNUSED(impp);
+}
+#endif	/* HAVE_DLFCN_H */
+
+isc_result_t
+dns_dyndb_load(const char *libname, const char *name, const char *parameters,
+	       const char *file, unsigned long line, isc_mem_t *mctx,
+	       const dns_dyndbctx_t *dctx)
+{
+	isc_result_t result;
+	dyndb_implementation_t *implementation = NULL;
+
+	REQUIRE(DNS_DYNDBCTX_VALID(dctx));
+	REQUIRE(name != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+	LOCK(&dyndb_lock);
+
+	/* duplicate instance names are not allowed */
+	if (impfind(name) != NULL)
+		CHECK(ISC_R_EXISTS);
+
+	CHECK(load_library(mctx, libname, name, &implementation));
+	CHECK(implementation->register_func(mctx, name, parameters, file, line,
+					    dctx, &implementation->inst));
+
+	APPEND(dyndb_implementations, implementation, link);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (result != ISC_R_SUCCESS)
+		if (implementation != NULL)
+			unload_library(&implementation);
+
+	UNLOCK(&dyndb_lock);
+	return (result);
+}
+
+void
+dns_dyndb_cleanup(bool exiting) {
+	dyndb_implementation_t *elem;
+	dyndb_implementation_t *prev;
+
+	RUNTIME_CHECK(isc_once_do(&once, dyndb_initialize) == ISC_R_SUCCESS);
+
+	LOCK(&dyndb_lock);
+	elem = TAIL(dyndb_implementations);
+	while (elem != NULL) {
+		prev = PREV(elem, link);
+		UNLINK(dyndb_implementations, elem, link);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_DYNDB, ISC_LOG_INFO,
+			      "unloading DynDB instance '%s'", elem->name);
+		elem->destroy_func(&elem->inst);
+		ENSURE(elem->inst == NULL);
+		unload_library(&elem);
+		elem = prev;
+	}
+	UNLOCK(&dyndb_lock);
+
+	if (exiting == true)
+		isc_mutex_destroy(&dyndb_lock);
+}
+
+isc_result_t
+dns_dyndb_createctx(isc_mem_t *mctx, const void *hashinit, isc_log_t *lctx,
+		    dns_view_t *view, dns_zonemgr_t *zmgr, isc_task_t *task,
+		    isc_timermgr_t *tmgr, dns_dyndbctx_t **dctxp)
+{
+	dns_dyndbctx_t *dctx;
+
+	REQUIRE(dctxp != NULL && *dctxp == NULL);
+
+	dctx = isc_mem_get(mctx, sizeof(*dctx));
+	if (dctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(dctx, 0, sizeof(*dctx));
+	if (view != NULL)
+		dns_view_attach(view, &dctx->view);
+	if (zmgr != NULL)
+		dns_zonemgr_attach(zmgr, &dctx->zmgr);
+	if (task != NULL)
+		isc_task_attach(task, &dctx->task);
+	dctx->timermgr = tmgr;
+	dctx->hashinit = hashinit;
+	dctx->lctx = lctx;
+	dctx->refvar = &isc_bind9;
+
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->magic = DNS_DYNDBCTX_MAGIC;
+
+	*dctxp = dctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_dyndb_destroyctx(dns_dyndbctx_t **dctxp) {
+	dns_dyndbctx_t *dctx;
+
+	REQUIRE(dctxp != NULL && DNS_DYNDBCTX_VALID(*dctxp));
+
+	dctx = *dctxp;
+	*dctxp = NULL;
+
+	dctx->magic = 0;
+
+	if (dctx->view != NULL)
+		dns_view_detach(&dctx->view);
+	if (dctx->zmgr != NULL)
+		dns_zonemgr_detach(&dctx->zmgr);
+	if (dctx->task != NULL)
+		isc_task_detach(&dctx->task);
+	dctx->timermgr = NULL;
+	dctx->lctx = NULL;
+
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
new file mode 100644
index 0000000..cf24d73
--- /dev/null
+++ b/lib/dns/ecdb.c
@@ -0,0 +1,835 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include "config.h"
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/util.h>
+#include <isc/mutex.h>
+#include <isc/mem.h>
+
+#include <dns/db.h>
+#include <dns/ecdb.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+
+#define ECDB_MAGIC		ISC_MAGIC('E', 'C', 'D', 'B')
+#define VALID_ECDB(db)		((db) != NULL && \
+				 (db)->common.impmagic == ECDB_MAGIC)
+
+#define ECDBNODE_MAGIC		ISC_MAGIC('E', 'C', 'D', 'N')
+#define VALID_ECDBNODE(ecdbn)	ISC_MAGIC_VALID(ecdbn, ECDBNODE_MAGIC)
+
+/*%
+ * The 'ephemeral' cache DB (ecdb) implementation.  An ecdb just provides
+ * temporary storage for ongoing name resolution with the common DB interfaces.
+ * It actually doesn't cache anything.  The implementation expects any stored
+ * data is released within a short period, and does not care about the
+ * scalability in terms of the number of nodes.
+ */
+
+typedef struct dns_ecdb {
+	/* Unlocked */
+	dns_db_t			common;
+	isc_mutex_t			lock;
+
+	/* Locked */
+	unsigned int			references;
+	ISC_LIST(struct dns_ecdbnode)	nodes;
+} dns_ecdb_t;
+
+typedef struct dns_ecdbnode {
+	/* Unlocked */
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	dns_ecdb_t			*ecdb;
+	dns_name_t			name;
+	ISC_LINK(struct dns_ecdbnode)	link;
+
+	/* Locked */
+	ISC_LIST(struct rdatasetheader)	rdatasets;
+	unsigned int			references;
+} dns_ecdbnode_t;
+
+typedef struct rdatasetheader {
+	dns_rdatatype_t			type;
+	dns_ttl_t			ttl;
+	dns_trust_t			trust;
+	dns_rdatatype_t			covers;
+	unsigned int			attributes;
+
+	ISC_LINK(struct rdatasetheader)	link;
+} rdatasetheader_t;
+
+/* Copied from rbtdb.c */
+#define RDATASET_ATTR_NXDOMAIN		0x0010
+#define RDATASET_ATTR_NEGATIVE		0x0100
+#define NXDOMAIN(header) \
+	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define NEGATIVE(header) \
+	(((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
+
+static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin,
+				    dns_dbtype_t type,
+				    dns_rdataclass_t rdclass,
+				    unsigned int argc, char *argv[],
+				    void *driverarg, dns_db_t **dbp);
+
+static void rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
+static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,			/* addnoqname */
+	NULL,			/* getnoqname */
+	NULL,			/* addclosest */
+	NULL,			/* getclosest */
+	NULL,			/* getadditional */
+	NULL,			/* setadditional */
+	NULL,			/* putadditional */
+	rdataset_settrust,	/* settrust */
+	NULL,			/* expire */
+	NULL,			/* clearprefetch */
+	NULL,			/* setownercase */
+	NULL			/* getownercase */
+};
+
+typedef struct ecdb_rdatasetiter {
+	dns_rdatasetiter_t		common;
+	rdatasetheader_t	       *current;
+} ecdb_rdatasetiter_t;
+
+static void		rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t	rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t	rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void		rdatasetiter_current(dns_rdatasetiter_t *iterator,
+					     dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+	return (dns_db_register("ecdb", dns_ecdb_create, NULL, mctx, dbimp));
+}
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp) {
+	REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+	dns_db_unregister(dbimp);
+}
+
+/*%
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&ecdb->lock);
+	ecdb->references++;
+	UNLOCK(&ecdb->lock);
+
+	*targetp = source;
+}
+
+static void
+destroy_ecdb(dns_ecdb_t **ecdbp) {
+	dns_ecdb_t *ecdb = *ecdbp;
+	isc_mem_t *mctx = ecdb->common.mctx;
+
+	if (dns_name_dynamic(&ecdb->common.origin))
+		dns_name_free(&ecdb->common.origin, mctx);
+
+	DESTROYLOCK(&ecdb->lock);
+
+	ecdb->common.impmagic = 0;
+	ecdb->common.magic = 0;
+
+	isc_mem_putanddetach(&mctx, ecdb, sizeof(*ecdb));
+
+	*ecdbp = NULL;
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_ecdb_t *ecdb;
+	bool need_destroy = false;
+
+	REQUIRE(dbp != NULL);
+	ecdb = (dns_ecdb_t *)*dbp;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	LOCK(&ecdb->lock);
+	ecdb->references--;
+	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+		need_destroy = true;
+	UNLOCK(&ecdb->lock);
+
+	if (need_destroy)
+		destroy_ecdb(&ecdb);
+
+	*dbp = NULL;
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node = (dns_ecdbnode_t *)source;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(node));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references++;
+	INSIST(node->references != 0);		/* Catch overflow. */
+	UNLOCK(&node->lock);
+
+	*targetp = node;
+}
+
+static void
+destroynode(dns_ecdbnode_t *node) {
+	isc_mem_t *mctx;
+	dns_ecdb_t *ecdb = node->ecdb;
+	bool need_destroydb = false;
+	rdatasetheader_t *header;
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_UNLINK(ecdb->nodes, node, link);
+	if (ecdb->references == 0 && ISC_LIST_EMPTY(ecdb->nodes))
+		need_destroydb = true;
+	UNLOCK(&ecdb->lock);
+
+	dns_name_free(&node->name, mctx);
+
+	while ((header = ISC_LIST_HEAD(node->rdatasets)) != NULL) {
+		unsigned int headersize;
+
+		ISC_LIST_UNLINK(node->rdatasets, header, link);
+		headersize =
+			dns_rdataslab_size((unsigned char *)header,
+					   sizeof(*header));
+		isc_mem_put(mctx, header, headersize);
+	}
+
+	DESTROYLOCK(&node->lock);
+
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(*node));
+
+	if (need_destroydb)
+		destroy_ecdb(&ecdb);
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *node;
+	bool need_destroy = false;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL);
+	node = (dns_ecdbnode_t *)*nodep;
+	REQUIRE(VALID_ECDBNODE(node));
+
+	UNUSED(ecdb);		/* in case REQUIRE() is empty */
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references--;
+	if (node->references == 0)
+		need_destroy = true;
+	UNLOCK(&node->lock);
+
+	if (need_destroy)
+		destroynode(node);
+
+	*nodep = NULL;
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+    dns_dbnode_t **nodep, dns_name_t *foundname, dns_rdataset_t *rdataset,
+    dns_rdataset_t *sigrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name,
+	    unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+
+	REQUIRE(VALID_ECDB(ecdb));
+
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *node;
+	isc_result_t result;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+
+	if (create != true)	{
+		/* an 'ephemeral' node is never reused. */
+		return (ISC_R_NOTFOUND);
+	}
+
+	mctx = ecdb->common.mctx;
+	node = isc_mem_get(mctx, sizeof(*node));
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&node->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		isc_mem_put(mctx, node, sizeof(*node));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	dns_name_init(&node->name, NULL);
+	result = dns_name_dup(name, mctx, &node->name);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&node->lock);
+		isc_mem_put(mctx, node, sizeof(*node));
+		return (result);
+	}
+	node->ecdb= ecdb;
+	node->references = 1;
+	ISC_LIST_INIT(node->rdatasets);
+
+	ISC_LINK_INIT(node, link);
+
+	LOCK(&ecdb->lock);
+	ISC_LIST_APPEND(ecdb->nodes, node, link);
+	UNLOCK(&ecdb->lock);
+
+	node->magic = ECDBNODE_MAGIC;
+
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node,
+	      rdatasetheader_t *header, dns_rdataset_t *rdataset)
+{
+	unsigned char *raw;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ecdb->common.rdclass;
+	rdataset->type = header->type;
+	rdataset->covers = header->covers;
+	rdataset->ttl = header->ttl;
+	rdataset->trust = header->trust;
+	if (NXDOMAIN(header))
+		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	if (NEGATIVE(header))
+		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
+
+	rdataset->private1 = ecdb;
+	rdataset->private2 = node;
+	raw = (unsigned char *)header + sizeof(*header);
+	rdataset->private3 = raw;
+	rdataset->count = 0;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	INSIST(node->references > 0);
+	node->references++;
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_mem_t *mctx;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(options);
+
+	mctx = ecdb->common.mctx;
+
+	LOCK(&ecdbnode->lock);
+
+	/*
+	 * Sanity check: this implementation does not allow overriding an
+	 * existing rdataset of the same type.
+	 */
+	for (header = ISC_LIST_HEAD(ecdbnode->rdatasets); header != NULL;
+	     header = ISC_LIST_NEXT(header, link)) {
+		INSIST(header->type != rdataset->type ||
+		       header->covers != rdataset->covers);
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, mctx,
+					    &r, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	header = (rdatasetheader_t *)r.base;
+	header->type = rdataset->type;
+	header->ttl = rdataset->ttl;
+	header->trust = rdataset->trust;
+	header->covers = rdataset->covers;
+	header->attributes = 0;
+	if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+		header->attributes |= RDATASET_ATTR_NXDOMAIN;
+	if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+		header->attributes |= RDATASET_ATTR_NEGATIVE;
+	ISC_LINK_INIT(header, link);
+	ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
+
+	if (addedrdataset == NULL)
+		goto unlock;
+
+	bind_rdataset(ecdb, ecdbnode, header, addedrdataset);
+
+ unlock:
+	UNLOCK(&ecdbnode->lock);
+
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options,
+	       dns_dbiterator_t **iteratorp)
+{
+	UNUSED(db);
+	UNUSED(options);
+	UNUSED(iteratorp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	dns_ecdb_t *ecdb = (dns_ecdb_t *)db;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)node;
+	isc_mem_t *mctx;
+	ecdb_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_ECDB(ecdb));
+	REQUIRE(VALID_ECDBNODE(ecdbnode));
+
+	mctx = ecdb->common.mctx;
+
+	iterator = isc_mem_get(mctx, sizeof(ecdb_rdatasetiter_t));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static dns_dbmethods_t ecdb_methods = {
+	attach,
+	detach,
+	NULL,			/* beginload */
+	NULL,			/* endload */
+	NULL,			/* serialize */
+	NULL,			/* dump */
+	NULL,			/* currentversion */
+	NULL,			/* newversion */
+	NULL,			/* attachversion */
+	NULL,			/* closeversion */
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	NULL,			/* expirenode */
+	NULL,			/* printnode */
+	createiterator,		/* createiterator */
+	NULL,			/* findrdataset */
+	allrdatasets,
+	addrdataset,
+	NULL,			/* subtractrdataset */
+	deleterdataset,
+	NULL,			/* issecure */
+	NULL,			/* nodecount */
+	NULL,			/* ispersistent */
+	NULL,			/* overmem */
+	NULL,			/* settask */
+	NULL,			/* getoriginnode */
+	NULL,			/* transfernode */
+	NULL,			/* getnsec3parameters */
+	NULL,			/* findnsec3node */
+	NULL,			/* setsigningtime */
+	NULL,			/* getsigningtime */
+	NULL,			/* resigned */
+	NULL,			/* isdnssec */
+	NULL,			/* getrrsetstats */
+	NULL,			/* rpz_attach */
+	NULL,			/* rpz_ready */
+	NULL,			/* findnodeext */
+	NULL,			/* findext */
+	NULL,			/* setcachestats */
+	NULL,			/* hashsize */
+	NULL,			/* nodefullname */
+	NULL			/* getsize */
+};
+
+static isc_result_t
+dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+		dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		void *driverarg, dns_db_t **dbp)
+{
+	dns_ecdb_t *ecdb;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(origin == dns_rootname);
+	REQUIRE(type == dns_dbtype_cache);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	UNUSED(argc);
+	UNUSED(argv);
+	UNUSED(driverarg);
+
+	ecdb = isc_mem_get(mctx, sizeof(*ecdb));
+	if (ecdb == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ecdb->common.attributes = DNS_DBATTR_CACHE;
+	ecdb->common.rdclass = rdclass;
+	ecdb->common.methods = &ecdb_methods;
+	dns_name_init(&ecdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(origin, mctx, &ecdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+		return (result);
+	}
+
+	result = isc_mutex_init(&ecdb->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		if (dns_name_dynamic(&ecdb->common.origin))
+			dns_name_free(&ecdb->common.origin, mctx);
+		isc_mem_put(mctx, ecdb, sizeof(*ecdb));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	ecdb->references = 1;
+	ISC_LIST_INIT(ecdb->nodes);
+
+	ecdb->common.mctx = NULL;
+	isc_mem_attach(mctx, &ecdb->common.mctx);
+	ecdb->common.impmagic = ECDB_MAGIC;
+	ecdb->common.magic = DNS_DB_MAGIC;
+
+	*dbp = (dns_db_t *)ecdb;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+
+	dns_db_detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+#if DNS_RDATASET_FIXED
+	raw += 2 + (4 * count);
+#else
+	raw += 2;
+#endif
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += length + 4;
+#else
+	raw += length + 2;
+#endif
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+	unsigned int length;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += 4;
+#else
+	raw += 2;
+#endif
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_db_t *db = source->private1;
+	dns_dbnode_t *node = source->private2;
+	dns_dbnode_t *cloned_node = NULL;
+
+	attachnode(db, node, &cloned_node);
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	header->trust = rdataset->trust = trust;
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	isc_mem_t *mctx;
+	union {
+		dns_rdatasetiter_t *rdatasetiterator;
+		ecdb_rdatasetiter_t *ecdbiterator;
+	} u;
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
+
+	u.rdatasetiterator = *iteratorp;
+
+	mctx = u.ecdbiterator->common.db->mctx;
+	u.ecdbiterator->common.magic = 0;
+
+	dns_db_detachnode(u.ecdbiterator->common.db,
+			  &u.ecdbiterator->common.node);
+	isc_mem_put(mctx, u.ecdbiterator,
+		    sizeof(ecdb_rdatasetiter_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdbnode_t *ecdbnode = (dns_ecdbnode_t *)iterator->node;
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	if (ISC_LIST_EMPTY(ecdbnode->rdatasets))
+		return (ISC_R_NOMORE);
+	ecdbiterator->current = ISC_LIST_HEAD(ecdbnode->rdatasets);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	ecdbiterator->current = ISC_LIST_NEXT(ecdbiterator->current, link);
+	if (ecdbiterator->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	ecdb_rdatasetiter_t *ecdbiterator = (ecdb_rdatasetiter_t *)iterator;
+	dns_ecdb_t *ecdb;
+
+	ecdb = (dns_ecdb_t *)iterator->db;
+	REQUIRE(VALID_ECDB(ecdb));
+
+	bind_rdataset(ecdb, iterator->node, ecdbiterator->current, rdataset);
+}
diff --git a/lib/dns/fixedname.c b/lib/dns/fixedname.c
new file mode 100644
index 0000000..3d5de3b
--- /dev/null
+++ b/lib/dns/fixedname.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <dns/fixedname.h>
+
+void
+dns_fixedname_init(dns_fixedname_t *fixed) {
+	dns_name_init(&fixed->name, fixed->offsets);
+	isc_buffer_init(&fixed->buffer, fixed->data, DNS_NAME_MAXWIRE);
+	dns_name_setbuffer(&fixed->name, &fixed->buffer);
+}
+
+void
+dns_fixedname_invalidate(dns_fixedname_t *fixed) {
+	dns_name_invalidate(&fixed->name);
+}
+
+dns_name_t *
+dns_fixedname_name(dns_fixedname_t *fixed) {
+	return (&fixed->name);
+}
+
+dns_name_t *
+dns_fixedname_initname(dns_fixedname_t *fixed) {
+	dns_fixedname_init(fixed);
+	return (dns_fixedname_name(fixed));
+}
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
new file mode 100644
index 0000000..cf1865f
--- /dev/null
+++ b/lib/dns/forward.c
@@ -0,0 +1,257 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#include <dns/forward.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+struct dns_fwdtable {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_rwlock_t		rwlock;
+	/* Locked by lock. */
+	dns_rbt_t		*table;
+};
+
+#define FWDTABLEMAGIC		ISC_MAGIC('F', 'w', 'd', 'T')
+#define VALID_FWDTABLE(ft) 	ISC_MAGIC_VALID(ft, FWDTABLEMAGIC)
+
+static void
+auto_detach(void *, void *);
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
+	dns_fwdtable_t *fwdtable;
+	isc_result_t result;
+
+	REQUIRE(fwdtablep != NULL && *fwdtablep == NULL);
+
+	fwdtable = isc_mem_get(mctx, sizeof(dns_fwdtable_t));
+	if (fwdtable == NULL)
+		return (ISC_R_NOMEMORY);
+
+	fwdtable->table = NULL;
+	result = dns_rbt_create(mctx, auto_detach, fwdtable, &fwdtable->table);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_fwdtable;
+
+	result = isc_rwlock_init(&fwdtable->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rbt;
+
+	fwdtable->mctx = NULL;
+	isc_mem_attach(mctx, &fwdtable->mctx);
+	fwdtable->magic = FWDTABLEMAGIC;
+	*fwdtablep = fwdtable;
+
+	return (ISC_R_SUCCESS);
+
+   cleanup_rbt:
+	dns_rbt_destroy(&fwdtable->table);
+
+   cleanup_fwdtable:
+	isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
+
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		    dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t fwdpolicy)
+{
+	isc_result_t result;
+	dns_forwarders_t *forwarders;
+	dns_forwarder_t *fwd, *nfwd;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t));
+	if (forwarders == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ISC_LIST_INIT(forwarders->fwdrs);
+	for (fwd = ISC_LIST_HEAD(*fwdrs);
+	     fwd != NULL;
+	     fwd = ISC_LIST_NEXT(fwd, link))
+	{
+		nfwd = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarder_t));
+		if (nfwd == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		*nfwd = *fwd;
+		ISC_LINK_INIT(nfwd, link);
+		ISC_LIST_APPEND(forwarders->fwdrs, nfwd, link);
+	}
+	forwarders->fwdpolicy = fwdpolicy;
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_addname(fwdtable->table, name, forwarders);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(isc_sockaddr_t));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy)
+{
+	isc_result_t result;
+	dns_forwarders_t *forwarders;
+	dns_forwarder_t *fwd;
+	isc_sockaddr_t *sa;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t));
+	if (forwarders == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ISC_LIST_INIT(forwarders->fwdrs);
+	for (sa = ISC_LIST_HEAD(*addrs);
+	     sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link))
+	{
+		fwd = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarder_t));
+		if (fwd == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		fwd->addr = *sa;
+		fwd->dscp = -1;
+		ISC_LINK_INIT(fwd, link);
+		ISC_LIST_APPEND(forwarders->fwdrs, fwd, link);
+	}
+	forwarders->fwdpolicy = fwdpolicy;
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_addname(fwdtable->table, name, forwarders);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name) {
+	isc_result_t result;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_deletename(fwdtable->table, name, false);
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+	if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		  dns_forwarders_t **forwardersp)
+{
+	return (dns_fwdtable_find2(fwdtable, name, NULL, forwardersp));
+}
+
+isc_result_t
+dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		   dns_name_t *foundname, dns_forwarders_t **forwardersp)
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_FWDTABLE(fwdtable));
+
+	RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
+				  (void **)forwardersp);
+	if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_SUCCESS;
+
+	RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep) {
+	dns_fwdtable_t *fwdtable;
+	isc_mem_t *mctx;
+
+	REQUIRE(fwdtablep != NULL && VALID_FWDTABLE(*fwdtablep));
+
+	fwdtable = *fwdtablep;
+
+	dns_rbt_destroy(&fwdtable->table);
+	isc_rwlock_destroy(&fwdtable->rwlock);
+	fwdtable->magic = 0;
+	mctx = fwdtable->mctx;
+	isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
+	isc_mem_detach(&mctx);
+
+	*fwdtablep = NULL;
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+	dns_forwarders_t *forwarders = data;
+	dns_fwdtable_t *fwdtable = arg;
+	dns_forwarder_t *fwd;
+
+	UNUSED(arg);
+
+	while (!ISC_LIST_EMPTY(forwarders->fwdrs)) {
+		fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+		ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link);
+		isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t));
+	}
+	isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+}
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
new file mode 100644
index 0000000..84c3e7f
--- /dev/null
+++ b/lib/dns/gen-unix.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * This file is responsible for defining two operations that are not
+ * directly portable between Unix-like systems and Windows NT, option
+ * parsing and directory scanning.  It is here because it was decided
+ * that the "gen" build utility was not to depend on libisc.a, so
+ * the functions declared in isc/commandline.h and isc/dir.h could not
+ * be used.
+ *
+ * The commandline stuff is really just a wrapper around getopt().
+ * The dir stuff was shrunk to fit the needs of gen.c.
+ */
+
+#ifndef DNS_GEN_UNIX_H
+#define DNS_GEN_UNIX_H 1
+
+#include <sys/types.h>          /* Required on some systems for dirent.h. */
+
+#include <dirent.h>
+#include <stdbool.h>
+#include <unistd.h>		/* XXXDCL Required for ?. */
+
+#include <isc/lang.h>
+
+#ifdef NEED_OPTARG
+extern char *optarg;
+#endif
+
+#define isc_commandline_parse		getopt
+#define isc_commandline_argument 	optarg
+
+typedef struct {
+	DIR *handle;
+	char *filename;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+static bool
+start_directory(const char *path, isc_dir_t *dir) {
+	dir->handle = opendir(path);
+
+	if (dir->handle != NULL)
+		return (true);
+	else
+		return (false);
+
+}
+
+static bool
+next_file(isc_dir_t *dir) {
+	struct dirent *dirent;
+
+	dir->filename = NULL;
+
+	if (dir->handle != NULL) {
+		dirent = readdir(dir->handle);
+		if (dirent != NULL)
+			dir->filename = dirent->d_name;
+	}
+
+	if (dir->filename != NULL)
+		return (true);
+	else
+		return (false);
+}
+
+static void
+end_directory(isc_dir_t *dir) {
+	if (dir->handle != NULL)
+		(void)closedir(dir->handle);
+
+	dir->handle = NULL;
+}
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_UNIX_H */
diff --git a/lib/dns/gen-win32.h b/lib/dns/gen-win32.h
new file mode 100644
index 0000000..4791032
--- /dev/null
+++ b/lib/dns/gen-win32.h
@@ -0,0 +1,273 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1987, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * \note This file was adapted from the NetBSD project's source tree, RCS ID:
+ *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
+ *
+ * The primary change has been to rename items to the ISC namespace
+ * and format in the ISC coding style.
+ *
+ * This file is responsible for defining two operations that are not
+ * directly portable between Unix-like systems and Windows NT, option
+ * parsing and directory scanning.  It is here because it was decided
+ * that the "gen" build utility was not to depend on libisc.a, so
+ * the functions declared in isc/commandline.h and isc/dir.h could not
+ * be used.
+ *
+ * The commandline stuff is pretty much a straight copy from the initial
+ * isc/commandline.c.  The dir stuff was shrunk to fit the needs of gen.c.
+ */
+
+#ifndef DNS_GEN_WIN32_H
+#define DNS_GEN_WIN32_H 1
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+
+int isc_commandline_index = 1;		/* Index into parent argv vector. */
+int isc_commandline_option;		/* Character checked for validity. */
+
+char *isc_commandline_argument;		/* Argument associated with option. */
+char *isc_commandline_progname;		/* For printing error messages. */
+
+bool isc_commandline_errprint = true; /* Print error messages. */
+bool isc_commandline_reset = true; /* Reset processing. */
+
+#define BADOPT	'?'
+#define BADARG	':'
+#define ENDOPT	""
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * getopt --
+ *	Parse argc/argv argument vector.
+ */
+int
+isc_commandline_parse(int argc, char * const *argv, const char *options) {
+	static char *place = ENDOPT;
+	char *option;			/* Index into *options of option. */
+
+	/*
+	 * Update scanning pointer, either because a reset was requested or
+	 * the previous argv was finished.
+	 */
+	if (isc_commandline_reset || *place == '\0') {
+		isc_commandline_reset = false;
+
+		if (isc_commandline_progname == NULL)
+			isc_commandline_progname = argv[0];
+
+		if (isc_commandline_index >= argc ||
+		    *(place = argv[isc_commandline_index]) != '-') {
+			/*
+			 * Index out of range or points to non-option.
+			 */
+			place = ENDOPT;
+			return (-1);
+		}
+
+		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+			/*
+			 * Found '--' to signal end of options.	 Advance
+			 * index to next argv, the first non-option.
+			 */
+			isc_commandline_index++;
+			place = ENDOPT;
+			return (-1);
+		}
+	}
+
+	isc_commandline_option = *place++;
+	option = strchr(options, isc_commandline_option);
+
+	/*
+	 * Ensure valid option has been passed as specified by options string.
+	 * '-:' is never a valid command line option because it could not
+	 * distinguish ':' from the argument specifier in the options string.
+	 */
+	if (isc_commandline_option == ':' || option == NULL) {
+		if (*place == '\0')
+			isc_commandline_index++;
+
+		if (isc_commandline_errprint && *options != ':')
+			fprintf(stderr, "%s: illegal option -- %c\n",
+				isc_commandline_progname,
+				isc_commandline_option);
+
+		return (BADOPT);
+	}
+
+	if (*++option != ':') {
+		/*
+		 * Option does not take an argument.
+		 */
+		isc_commandline_argument = NULL;
+
+		/*
+		 * Skip to next argv if at the end of the current argv.
+		 */
+		if (*place == '\0')
+			++isc_commandline_index;
+
+	} else {
+		/*
+		 * Option needs an argument.
+		 */
+		if (*place != '\0')
+			/*
+			 * Option is in this argv, -D1 style.
+			 */
+			isc_commandline_argument = place;
+
+		else if (argc > ++isc_commandline_index)
+			/*
+			 * Option is next argv, -D 1 style.
+			 */
+			isc_commandline_argument = argv[isc_commandline_index];
+
+		else {
+			/*
+			 * Argument needed, but no more argv.
+			 */
+			place = ENDOPT;
+
+			/*
+			 * Silent failure with "missing argument" return
+			 * when ':' starts options string, per historical spec.
+			 */
+			if (*options == ':')
+				return (BADARG);
+
+			if (isc_commandline_errprint)
+				fprintf(stderr,
+				    "%s: option requires an argument -- %c\n",
+				    isc_commandline_progname,
+				    isc_commandline_option);
+
+			return (BADOPT);
+		}
+
+		place = ENDOPT;
+
+		/*
+		 * Point to argv that follows argument.
+		 */
+		isc_commandline_index++;
+	}
+
+	return (isc_commandline_option);
+}
+
+typedef struct {
+	HANDLE handle;
+	WIN32_FIND_DATA	find_data;
+	bool first_file;
+	char *filename;
+} isc_dir_t;
+
+bool
+start_directory(const char *path, isc_dir_t *dir) {
+	char pattern[_MAX_PATH], *p;
+
+	/*
+	 * Need space for slash-splat and final NUL.
+	 */
+	if (strlen(path) + 3 > sizeof(pattern))
+		return (false);
+
+	strcpy(pattern, path);
+
+	/*
+	 * Append slash (if needed) and splat.
+	 */
+	p = pattern + strlen(pattern);
+	if (p != pattern  && p[-1] != '\\' && p[-1] != ':')
+		*p++ = '\\';
+	*p++ = '*';
+	*p++ = '\0';
+
+	dir->first_file = true;
+
+	dir->handle = FindFirstFile(pattern, &dir->find_data);
+
+	if (dir->handle == INVALID_HANDLE_VALUE) {
+		dir->filename = NULL;
+		return (false);
+	} else {
+		dir->filename = dir->find_data.cFileName;
+		return (true);
+	}
+}
+
+bool
+next_file(isc_dir_t *dir) {
+	if (dir->first_file)
+		dir->first_file = false;
+
+	else if (dir->handle != INVALID_HANDLE_VALUE) {
+		if (FindNextFile(dir->handle, &dir->find_data) == TRUE)
+			dir->filename = dir->find_data.cFileName;
+		else
+			dir->filename = NULL;
+
+	} else
+		dir->filename = NULL;
+
+	if (dir->filename != NULL)
+		return (true);
+	else
+		return (false);
+}
+
+void
+end_directory(isc_dir_t *dir) {
+	if (dir->handle != INVALID_HANDLE_VALUE)
+		FindClose(dir->handle);
+}
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_WIN32_H */
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
new file mode 100644
index 0000000..2a3b94b
--- /dev/null
+++ b/lib/dns/gen.c
@@ -0,0 +1,923 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifdef WIN32
+/*
+ * Silence compiler warnings about using strcpy and friends.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+/*
+ * We use snprintf which was defined late in Windows even it is in C99.
+ */
+#if _MSC_VER < 1900
+#define snprintf _snprintf
+#endif
+#endif
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#ifdef WIN32
+#include "gen-win32.h"
+#else
+#include "gen-unix.h"
+#endif
+
+#define INSIST(cond) \
+	if (!(cond)) { \
+		fprintf(stderr, "%s:%d: INSIST(%s)\n", \
+			 __FILE__, __LINE__, #cond); \
+		abort(); \
+	}
+
+#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
+#define FROMTEXTCLASS "rdclass"
+#define FROMTEXTTYPE "type"
+#define FROMTEXTDEF "result = DNS_R_UNKNOWN"
+
+#define TOTEXTARGS "rdata, tctx, target"
+#define TOTEXTCLASS "rdata->rdclass"
+#define TOTEXTTYPE "rdata->type"
+#define TOTEXTDEF "use_default = true"
+
+#define FROMWIREARGS "rdclass, type, source, dctx, options, target"
+#define FROMWIRECLASS "rdclass"
+#define FROMWIRETYPE "type"
+#define FROMWIREDEF "use_default = true"
+
+#define TOWIREARGS "rdata, cctx, target"
+#define TOWIRECLASS "rdata->rdclass"
+#define TOWIRETYPE "rdata->type"
+#define TOWIREDEF "use_default = true"
+
+#define FROMSTRUCTARGS "rdclass, type, source, target"
+#define FROMSTRUCTCLASS "rdclass"
+#define FROMSTRUCTTYPE "type"
+#define FROMSTRUCTDEF "use_default = true"
+
+#define TOSTRUCTARGS "rdata, target, mctx"
+#define TOSTRUCTCLASS "rdata->rdclass"
+#define TOSTRUCTTYPE "rdata->type"
+#define TOSTRUCTDEF "use_default = true"
+
+#define FREESTRUCTARGS "source"
+#define FREESTRUCTCLASS "common->rdclass"
+#define FREESTRUCTTYPE "common->rdtype"
+#define FREESTRUCTDEF NULL
+
+#define COMPAREARGS "rdata1, rdata2"
+#define COMPARECLASS "rdata1->rdclass"
+#define COMPARETYPE "rdata1->type"
+#define COMPAREDEF "use_default = true"
+
+#define ADDITIONALDATAARGS "rdata, add, arg"
+#define ADDITIONALDATACLASS "rdata->rdclass"
+#define ADDITIONALDATATYPE "rdata->type"
+#define ADDITIONALDATADEF "use_default = true"
+
+#define DIGESTARGS "rdata, digest, arg"
+#define DIGESTCLASS "rdata->rdclass"
+#define DIGESTTYPE "rdata->type"
+#define DIGESTDEF "use_default = true"
+
+#define CHECKOWNERARGS "name, rdclass, type, wildcard"
+#define CHECKOWNERCLASS "rdclass"
+#define CHECKOWNERTYPE "type"
+#define CHECKOWNERDEF "result = true"
+
+#define CHECKNAMESARGS "rdata, owner, bad"
+#define CHECKNAMESCLASS "rdata->rdclass"
+#define CHECKNAMESTYPE "rdata->type"
+#define CHECKNAMESDEF "result = true"
+
+static const char copyright[] =
+"/*\n"
+" * Copyright (C) 1998%s  Internet Systems Consortium, Inc. (\"ISC\")\n"
+" *\n"
+" * This Source Code Form is subject to the terms of the Mozilla Public\n"
+" * License, v. 2.0. If a copy of the MPL was not distributed with this\n"
+" * file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
+" */\n"
+"\n"
+"/***************\n"
+" ***************\n"
+" ***************   THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.\n"
+" ***************   DO NOT EDIT!\n"
+" ***************\n"
+" ***************/\n"
+"\n"
+"/*! \\file */\n"
+"\n";
+
+#define STR_EXPAND(tok) #tok
+#define STR(tok) STR_EXPAND(tok)
+
+#define TYPENAMES 256
+#define TYPECLASSLEN 20		/* DNS mnemonic size. Must be less than 100. */
+#define TYPECLASSBUF (TYPECLASSLEN + 1)
+#define TYPECLASSFMT "%" STR(TYPECLASSLEN) "[-0-9a-z]_%d"
+#define ATTRIBUTESIZE 256
+#define DIRNAMESIZE 256
+
+static struct cc {
+	struct cc *next;
+	int rdclass;
+	char classname[TYPECLASSBUF];
+} *classes;
+
+static struct tt {
+	struct tt *next;
+	int rdclass;
+	int type;
+	char classname[TYPECLASSBUF];
+	char typename[TYPECLASSBUF];
+	char dirname[DIRNAMESIZE];	/* XXX Should be max path length */
+} *types;
+
+static struct ttnam {
+	char typename[TYPECLASSBUF];
+	char macroname[TYPECLASSBUF];
+	char attr[ATTRIBUTESIZE];
+	unsigned int sorted;
+	int type;
+} typenames[TYPENAMES];
+
+static int maxtype = -1;
+
+static char *
+upper(char *);
+static char *
+funname(const char *, char *);
+static void
+doswitch(const char *, const char *, const char *, const char *,
+	 const char *, const char *);
+static void
+add(int, const char *, int, const char *, const char *);
+static void
+sd(int, const char *, const char *, char);
+static void
+insert_into_typenames(int, const char *, const char *);
+
+/*%
+ * If you use more than 10 of these in, say, a printf(), you'll have problems.
+ */
+static char *
+upper(char *s) {
+	static int buf_to_use = 0;
+	static char buf[10][256];
+	char *b;
+	int c;
+
+	buf_to_use++;
+	if (buf_to_use > 9)
+		buf_to_use = 0;
+
+	b = buf[buf_to_use];
+	memset(b, 0, 256);
+
+	while ((c = (*s++) & 0xff))
+		*b++ = islower(c) ? toupper(c) : c;
+	*b = '\0';
+	return (buf[buf_to_use]);
+}
+
+static char *
+funname(const char *s, char *buf) {
+	char *b = buf;
+	char c;
+
+	INSIST(strlen(s) < TYPECLASSBUF);
+	while ((c = *s++)) {
+		*b++ = (c == '-') ? '_' : c;
+	}
+	*b = '\0';
+	return (buf);
+}
+
+static void
+doswitch(const char *name, const char *function, const char *args,
+	 const char *tsw, const char *csw, const char *res)
+{
+	struct tt *tt;
+	int first = 1;
+	int lasttype = 0;
+	int subswitch = 0;
+	char buf1[TYPECLASSBUF], buf2[TYPECLASSBUF];
+	const char *result = " result =";
+
+	if (res == NULL)
+		result = "";
+
+	for (tt = types; tt != NULL; tt = tt->next) {
+		if (first) {
+			fprintf(stdout, "\n#define %s \\\n", name);
+			fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
+			first = 0;
+		}
+		if (tt->type != lasttype && subswitch) {
+			if (res == NULL)
+				fprintf(stdout, "\t\tdefault: break; \\\n");
+			else
+				fprintf(stdout,
+					"\t\tdefault: %s; break; \\\n", res);
+			fputs(/*{*/ "\t\t} \\\n", stdout);
+			fputs("\t\tbreak; \\\n", stdout);
+			subswitch = 0;
+		}
+		if (tt->rdclass && tt->type != lasttype) {
+			fprintf(stdout, "\tcase %d: switch (%s) { \\\n" /*}*/,
+				tt->type, csw);
+			subswitch = 1;
+		}
+		if (tt->rdclass == 0)
+			fprintf(stdout,
+				"\tcase %d:%s %s_%s(%s); break;",
+				tt->type, result, function,
+				funname(tt->typename, buf1), args);
+		else
+			fprintf(stdout,
+				"\t\tcase %d:%s %s_%s_%s(%s); break;",
+				tt->rdclass, result, function,
+				funname(tt->classname, buf1),
+				funname(tt->typename, buf2), args);
+		fputs(" \\\n", stdout);
+		lasttype = tt->type;
+	}
+	if (subswitch) {
+		if (res == NULL)
+			fprintf(stdout, "\t\tdefault: break; \\\n");
+		else
+			fprintf(stdout, "\t\tdefault: %s; break; \\\n", res);
+		fputs(/*{*/ "\t\t} \\\n", stdout);
+		fputs("\t\tbreak; \\\n", stdout);
+	}
+	if (first) {
+		if (res == NULL)
+			fprintf(stdout, "\n#define %s\n", name);
+		else
+			fprintf(stdout, "\n#define %s %s;\n", name, res);
+	} else {
+		if (res == NULL)
+			fprintf(stdout, "\tdefault: break; \\\n");
+		else
+			fprintf(stdout, "\tdefault: %s; break; \\\n", res);
+		fputs(/*{*/ "\t}\n", stdout);
+	}
+}
+
+static struct ttnam *
+find_typename(int type) {
+	int i;
+
+	for (i = 0; i < TYPENAMES; i++) {
+		if (typenames[i].typename[0] != 0 &&
+		    typenames[i].type == type)
+			return (&typenames[i]);
+	}
+	return (NULL);
+}
+
+static void
+insert_into_typenames(int type, const char *typename, const char *attr) {
+	struct ttnam *ttn = NULL;
+	size_t c;
+	int i, n;
+	char tmp[256];
+
+	INSIST(strlen(typename) < TYPECLASSBUF);
+	for (i = 0; i < TYPENAMES; i++) {
+		if (typenames[i].typename[0] != 0 &&
+		    typenames[i].type == type &&
+		    strcmp(typename, typenames[i].typename) != 0) {
+			fprintf(stderr,
+				"Error:  type %d has two names: %s, %s\n",
+				type, typenames[i].typename, typename);
+			exit(1);
+		}
+		if (typenames[i].typename[0] == 0 && ttn == NULL)
+			ttn = &typenames[i];
+	}
+	if (ttn == NULL) {
+		fprintf(stderr, "Error: typenames array too small\n");
+		exit(1);
+	}
+
+	/* XXXMUKS: This is redundant due to the INSIST above. */
+	if (strlen(typename) > sizeof(ttn->typename) - 1) {
+		fprintf(stderr, "Error:  type name %s is too long\n",
+			typename);
+		exit(1);
+	}
+
+	strncpy(ttn->typename, typename, sizeof(ttn->typename));
+	ttn->typename[sizeof(ttn->typename) - 1] = '\0';
+
+	strncpy(ttn->macroname, ttn->typename, sizeof(ttn->macroname));
+	ttn->macroname[sizeof(ttn->macroname) - 1] = '\0';
+
+	ttn->type = type;
+	c = strlen(ttn->macroname);
+	while (c > 0) {
+		if (ttn->macroname[c - 1] == '-')
+			ttn->macroname[c - 1] = '_';
+		c--;
+	}
+
+	if (attr == NULL) {
+		n = snprintf(tmp, sizeof(tmp),
+			     "RRTYPE_%s_ATTRIBUTES", upper(ttn->macroname));
+		INSIST(n > 0 && (unsigned)n < sizeof(tmp));
+		attr = tmp;
+	}
+
+	if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
+		fprintf(stderr, "Error:  type %d has different attributes: "
+			"%s, %s\n", type, ttn->attr, attr);
+		exit(1);
+	}
+
+	if (strlen(attr) > sizeof(ttn->attr) - 1) {
+		fprintf(stderr, "Error:  attr (%s) [name %s] is too long\n",
+			attr, typename);
+		exit(1);
+	}
+
+	strncpy(ttn->attr, attr, sizeof(ttn->attr));
+	ttn->attr[sizeof(ttn->attr) - 1] = '\0';
+
+	ttn->sorted = 0;
+	if (maxtype < type)
+		maxtype = type;
+}
+
+static void
+add(int rdclass, const char *classname, int type, const char *typename,
+    const char *dirname)
+{
+	struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
+	struct tt *tt, *oldtt;
+	struct cc *newcc;
+	struct cc *cc, *oldcc;
+
+	INSIST(strlen(typename) < TYPECLASSBUF);
+	INSIST(strlen(classname) < TYPECLASSBUF);
+	INSIST(strlen(dirname) < DIRNAMESIZE);
+
+	insert_into_typenames(type, typename, NULL);
+
+	if (newtt == NULL) {
+		fprintf(stderr, "malloc() failed\n");
+		exit(1);
+	}
+
+	newtt->next = NULL;
+	newtt->rdclass = rdclass;
+	newtt->type = type;
+
+	strncpy(newtt->classname, classname, sizeof(newtt->classname));
+	newtt->classname[sizeof(newtt->classname) - 1] = '\0';
+
+	strncpy(newtt->typename, typename, sizeof(newtt->typename));
+	newtt->typename[sizeof(newtt->typename) - 1] = '\0';
+
+	if (strncmp(dirname, "./", 2) == 0)
+		dirname += 2;
+	strncpy(newtt->dirname, dirname, sizeof(newtt->dirname));
+	newtt->dirname[sizeof(newtt->dirname) - 1] = '\0';
+
+	tt = types;
+	oldtt = NULL;
+
+	while ((tt != NULL) && (tt->type < type)) {
+		oldtt = tt;
+		tt = tt->next;
+	}
+
+	while ((tt != NULL) && (tt->type == type) && (tt->rdclass < rdclass)) {
+		if (strcmp(tt->typename, typename) != 0)
+			exit(1);
+		oldtt = tt;
+		tt = tt->next;
+	}
+
+	if ((tt != NULL) && (tt->type == type) && (tt->rdclass == rdclass))
+		exit(1);
+
+	newtt->next = tt;
+	if (oldtt != NULL)
+		oldtt->next = newtt;
+	else
+		types = newtt;
+
+	/*
+	 * Do a class switch for this type.
+	 */
+	if (rdclass == 0)
+		return;
+
+	newcc = (struct cc *)malloc(sizeof(*newcc));
+	if (newcc == NULL) {
+		fprintf(stderr, "malloc() failed\n");
+		exit(1);
+	}
+	newcc->rdclass = rdclass;
+	strncpy(newcc->classname, classname, sizeof(newcc->classname));
+	newcc->classname[sizeof(newcc->classname) - 1] = '\0';
+	cc = classes;
+	oldcc = NULL;
+
+	while ((cc != NULL) && (cc->rdclass < rdclass)) {
+		oldcc = cc;
+		cc = cc->next;
+	}
+
+	if ((cc != NULL) && cc->rdclass == rdclass) {
+		free((char *)newcc);
+		return;
+	}
+
+	newcc->next = cc;
+	if (oldcc != NULL)
+		oldcc->next = newcc;
+	else
+		classes = newcc;
+}
+
+static void
+sd(int rdclass, const char *classname, const char *dirname, char filetype) {
+	char buf[TYPECLASSLEN + sizeof("_65535.h")];
+	char typename[TYPECLASSBUF];
+	int type, n;
+	isc_dir_t dir;
+
+	if (!start_directory(dirname, &dir))
+		return;
+
+	while (next_file(&dir)) {
+		if (sscanf(dir.filename, TYPECLASSFMT, typename, &type) != 2)
+			continue;
+		if ((type > 65535) || (type < 0))
+			continue;
+
+		n = snprintf(buf, sizeof(buf), "%s_%d.%c", typename,
+			     type, filetype);
+		INSIST(n > 0 && (unsigned)n < sizeof(buf));
+		if (strcmp(buf, dir.filename) != 0)
+			continue;
+		add(rdclass, classname, type, typename, dirname);
+	}
+
+	end_directory(&dir);
+}
+
+static unsigned int
+HASH(char *string) {
+	size_t n;
+	unsigned char a, b;
+
+	n = strlen(string);
+	if (n == 0) {
+		fprintf(stderr, "n == 0?\n");
+		exit(1);
+	}
+	a = tolower((unsigned char)string[0]);
+	b = tolower((unsigned char)string[n - 1]);
+
+	return ((a + n) * b) % 256;
+}
+
+int
+main(int argc, char **argv) {
+	char buf[DIRNAMESIZE];		/* XXX Should be max path length */
+	char srcdir[DIRNAMESIZE];	/* XXX Should be max path length */
+	int rdclass;
+	char classname[TYPECLASSBUF];
+	struct tt *tt;
+	struct cc *cc;
+	struct ttnam *ttn, *ttn2;
+	unsigned int hash;
+	struct tm *tm;
+	time_t now;
+	char year[11];
+	int lasttype;
+	int code = 1;
+	int class_enum = 0;
+	int type_enum = 0;
+	int structs = 0;
+	int depend = 0;
+	int c, i, j, n;
+	char buf1[TYPECLASSBUF];
+	char filetype = 'c';
+	FILE *fd;
+	char *prefix = NULL;
+	char *suffix = NULL;
+	char *file = NULL;
+	isc_dir_t dir;
+
+	for (i = 0; i < TYPENAMES; i++)
+		memset(&typenames[i], 0, sizeof(typenames[i]));
+
+	srcdir[0] = '\0';
+	while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1)
+		switch (c) {
+		case 'c':
+			code = 0;
+			depend = 0;
+			type_enum = 0;
+			class_enum = 1;
+			filetype = 'c';
+			structs = 0;
+			break;
+		case 'd':
+			code = 0;
+			depend = 1;
+			class_enum = 0;
+			type_enum = 0;
+			structs = 0;
+			filetype = 'h';
+			break;
+		case 't':
+			code = 0;
+			depend = 0;
+			class_enum = 0;
+			type_enum = 1;
+			filetype = 'c';
+			structs = 0;
+			break;
+		case 'i':
+			code = 0;
+			depend = 0;
+			class_enum = 0;
+			type_enum = 0;
+			structs = 1;
+			filetype = 'h';
+			break;
+		case 's':
+			if (strlen(isc_commandline_argument) >
+			    DIRNAMESIZE - 2 * TYPECLASSLEN  -
+			    sizeof("/rdata/_65535_65535")) {
+				fprintf(stderr, "\"%s\" too long\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			n = snprintf(srcdir, sizeof(srcdir), "%s/",
+				     isc_commandline_argument);
+			INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+			break;
+		case 'F':
+			file = isc_commandline_argument;
+			break;
+		case 'P':
+			prefix = isc_commandline_argument;
+			break;
+		case 'S':
+			suffix = isc_commandline_argument;
+			break;
+		case '?':
+			exit(1);
+		}
+
+	n = snprintf(buf, sizeof(buf), "%srdata", srcdir);
+	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+
+	if (!start_directory(buf, &dir))
+		exit(1);
+
+	while (next_file(&dir)) {
+		if (sscanf(dir.filename, TYPECLASSFMT, classname,
+			   &rdclass) != 2)
+			continue;
+		if ((rdclass > 65535) || (rdclass < 0))
+			continue;
+
+		n = snprintf(buf, sizeof(buf), "%srdata/%s_%d",
+			     srcdir, classname, rdclass);
+		INSIST(n > 0 && (unsigned)n < sizeof(buf));
+		if (strcmp(buf + 6 + strlen(srcdir), dir.filename) != 0)
+			continue;
+		sd(rdclass, classname, buf, filetype);
+	}
+	end_directory(&dir);
+	n = snprintf(buf, sizeof(buf), "%srdata/generic", srcdir);
+	INSIST(n > 0 && (unsigned)n < sizeof(srcdir));
+	sd(0, "", buf, filetype);
+
+	if (time(&now) != -1) {
+		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) {
+			n = snprintf(year, sizeof(year), "-%d",
+				     tm->tm_year + 1900);
+			INSIST(n > 0 && (unsigned)n < sizeof(year));
+		} else {
+			snprintf(year, sizeof(year), "-2016");
+		}
+	} else {
+		snprintf(year, sizeof(year), "-2016");
+	}
+
+	if (!depend)
+		fprintf(stdout, copyright, year);
+
+	if (code) {
+		fputs("#ifndef DNS_CODE_H\n", stdout);
+		fputs("#define DNS_CODE_H 1\n\n", stdout);
+
+		fputs("#include <isc/result.h>\n\n", stdout);
+		fputs("#include <dns/name.h>\n\n", stdout);
+
+		for (tt = types; tt != NULL; tt = tt->next)
+			fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
+				tt->dirname, tt->typename, tt->type);
+
+		fputs("\n\n", stdout);
+
+		doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
+			 FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
+		doswitch("TOTEXTSWITCH", "totext", TOTEXTARGS,
+			 TOTEXTTYPE, TOTEXTCLASS, TOTEXTDEF);
+		doswitch("FROMWIRESWITCH", "fromwire", FROMWIREARGS,
+			 FROMWIRETYPE, FROMWIRECLASS, FROMWIREDEF);
+		doswitch("TOWIRESWITCH", "towire", TOWIREARGS,
+			 TOWIRETYPE, TOWIRECLASS, TOWIREDEF);
+		doswitch("COMPARESWITCH", "compare", COMPAREARGS,
+			  COMPARETYPE, COMPARECLASS, COMPAREDEF);
+		doswitch("CASECOMPARESWITCH", "casecompare", COMPAREARGS,
+			  COMPARETYPE, COMPARECLASS, COMPAREDEF);
+		doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
+			  FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
+		doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
+			  TOSTRUCTTYPE, TOSTRUCTCLASS, TOSTRUCTDEF);
+		doswitch("FREESTRUCTSWITCH", "freestruct", FREESTRUCTARGS,
+			  FREESTRUCTTYPE, FREESTRUCTCLASS, FREESTRUCTDEF);
+		doswitch("ADDITIONALDATASWITCH", "additionaldata",
+			 ADDITIONALDATAARGS, ADDITIONALDATATYPE,
+			 ADDITIONALDATACLASS, ADDITIONALDATADEF);
+		doswitch("DIGESTSWITCH", "digest",
+			 DIGESTARGS, DIGESTTYPE,
+			 DIGESTCLASS, DIGESTDEF);
+		doswitch("CHECKOWNERSWITCH", "checkowner",
+			CHECKOWNERARGS, CHECKOWNERTYPE,
+			CHECKOWNERCLASS, CHECKOWNERDEF);
+		doswitch("CHECKNAMESSWITCH", "checknames",
+			CHECKNAMESARGS, CHECKNAMESTYPE,
+			CHECKNAMESCLASS, CHECKNAMESDEF);
+
+		/*
+		 * From here down, we are processing the rdata names and
+		 * attributes.
+		 */
+
+#define PRINT_COMMA(x) (x == maxtype ? "" : ",")
+
+#define METANOTQUESTION  "DNS_RDATATYPEATTR_META | " \
+			 "DNS_RDATATYPEATTR_NOTQUESTION"
+#define METAQUESTIONONLY "DNS_RDATATYPEATTR_META | " \
+			 "DNS_RDATATYPEATTR_QUESTIONONLY"
+#define RESERVED "DNS_RDATATYPEATTR_RESERVED"
+
+		/*
+		 * Add in reserved/special types.  This will let us
+		 * sort them without special cases.
+		 */
+		insert_into_typenames(0, "reserved0", RESERVED);
+		insert_into_typenames(31, "eid", RESERVED);
+		insert_into_typenames(32, "nimloc", RESERVED);
+		insert_into_typenames(34, "atma", RESERVED);
+		insert_into_typenames(100, "uinfo", RESERVED);
+		insert_into_typenames(101, "uid", RESERVED);
+		insert_into_typenames(102, "gid", RESERVED);
+		insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
+		insert_into_typenames(252, "axfr", METAQUESTIONONLY);
+		insert_into_typenames(253, "mailb", METAQUESTIONONLY);
+		insert_into_typenames(254, "maila", METAQUESTIONONLY);
+		insert_into_typenames(255, "any", METAQUESTIONONLY);
+
+		/*
+		 * Spit out a quick and dirty hash function.  Here,
+		 * we walk through the list of type names, and calculate
+		 * a hash.  This isn't perfect, but it will generate "pretty
+		 * good" estimates.  Lowercase the characters before
+		 * computing in all cases.
+		 *
+		 * Here, walk the list from top to bottom, calculating
+		 * the hash (mod 256) for each name.
+		 */
+		fprintf(stdout, "#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \\\n");
+		fprintf(stdout, "\tdo { \\\n");
+		fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
+				"\t\t    strncasecmp(_s,(_tn),"
+				"(sizeof(_s) - 1)) == 0) { \\\n");
+		fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
+				  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+		fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
+		fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
+		fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
+		fprintf(stdout, "\t\t} \\\n");
+		fprintf(stdout, "\t} while (0)\n\n");
+
+		fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
+				"_typename,_length,_typep) \\\n");
+		fprintf(stdout, "\tswitch (_hash) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL)
+				continue;
+
+			/*
+			 * Skip entries we already processed.
+			 */
+			if (ttn->sorted != 0)
+				continue;
+
+			hash = HASH(ttn->typename);
+			fprintf(stdout, "\t\tcase %u: \\\n", hash);
+
+			/*
+			 * Find all other entries that happen to match
+			 * this hash.
+			 */
+			for (j = 0; j <= maxtype; j++) {
+				ttn2 = find_typename(j);
+				if (ttn2 == NULL)
+					continue;
+				if (hash == HASH(ttn2->typename)) {
+					fprintf(stdout, "\t\t\tRDATATYPE_COMPARE"
+					       "(\"%s\", %d, "
+					       "_typename, _length, _typep); \\\n",
+					       ttn2->typename, ttn2->type);
+					ttn2->sorted = 1;
+				}
+			}
+			fprintf(stdout, "\t\t\tbreak; \\\n");
+		}
+		fprintf(stdout, "\t}\n");
+
+		fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL)
+				continue;
+			fprintf(stdout, "\tcase %d: return (%s); \\\n",
+				i, upper(ttn->attr));
+		}
+		fprintf(stdout, "\t}\n");
+
+		fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
+		fprintf(stdout, "\tswitch (type) { \\\n");
+		for (i = 0; i <= maxtype; i++) {
+			ttn = find_typename(i);
+			if (ttn == NULL)
+				continue;
+			/*
+			 * Remove KEYDATA (65533) from the type to memonic
+			 * translation as it is internal use only.  This
+			 * stops the tools from displaying KEYDATA instead
+			 * of TYPE65533.
+			 */
+			if (i == 65533U)
+				continue;
+			fprintf(stdout, "\tcase %d: return "
+				"(str_totext(\"%s\", target)); \\\n",
+				i, upper(ttn->typename));
+		}
+		fprintf(stdout, "\t}\n");
+
+		fputs("#endif /* DNS_CODE_H */\n", stdout);
+	} else if (type_enum) {
+		char *s;
+
+		fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
+		fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n\n");
+
+		fprintf(stdout, "enum {\n");
+		fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
+
+		lasttype = 0;
+		for (tt = types; tt != NULL; tt = tt->next)
+			if (tt->type != lasttype)
+				fprintf(stdout,
+					"\tdns_rdatatype_%s = %d,\n",
+					funname(tt->typename, buf1),
+					lasttype = tt->type);
+
+		fprintf(stdout, "\tdns_rdatatype_ixfr = 251,\n");
+		fprintf(stdout, "\tdns_rdatatype_axfr = 252,\n");
+		fprintf(stdout, "\tdns_rdatatype_mailb = 253,\n");
+		fprintf(stdout, "\tdns_rdatatype_maila = 254,\n");
+		fprintf(stdout, "\tdns_rdatatype_any = 255\n");
+
+		fprintf(stdout, "};\n\n");
+
+		fprintf(stdout, "#define dns_rdatatype_none\t"
+			"((dns_rdatatype_t)dns_rdatatype_none)\n");
+
+		for (tt = types; tt != NULL; tt = tt->next)
+			if (tt->type != lasttype) {
+				s = funname(tt->typename, buf1);
+				fprintf(stdout,
+					"#define dns_rdatatype_%s\t%s"
+					"((dns_rdatatype_t)dns_rdatatype_%s)"
+					"\n",
+					s, strlen(s) < 2U ? "\t" : "", s);
+				lasttype = tt->type;
+			}
+
+		fprintf(stdout, "#define dns_rdatatype_ixfr\t"
+			"((dns_rdatatype_t)dns_rdatatype_ixfr)\n");
+		fprintf(stdout, "#define dns_rdatatype_axfr\t"
+			"((dns_rdatatype_t)dns_rdatatype_axfr)\n");
+		fprintf(stdout, "#define dns_rdatatype_mailb\t"
+			"((dns_rdatatype_t)dns_rdatatype_mailb)\n");
+		fprintf(stdout, "#define dns_rdatatype_maila\t"
+			"((dns_rdatatype_t)dns_rdatatype_maila)\n");
+		fprintf(stdout, "#define dns_rdatatype_any\t"
+			"((dns_rdatatype_t)dns_rdatatype_any)\n");
+
+		fprintf(stdout, "\n#endif /* DNS_ENUMTYPE_H */\n");
+
+	} else if (class_enum) {
+		char *s;
+		int classnum;
+
+		fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
+		fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n\n");
+
+		fprintf(stdout, "enum {\n");
+
+		fprintf(stdout, "\tdns_rdataclass_reserved0 = 0,\n");
+		fprintf(stdout, "#define dns_rdataclass_reserved0 \\\n\t\t\t\t"
+			"((dns_rdataclass_t)dns_rdataclass_reserved0)\n");
+
+#define PRINTCLASS(name, num) \
+	do { \
+		s = funname(name, buf1); \
+		classnum = num; \
+		fprintf(stdout, "\tdns_rdataclass_%s = %d%s\n", s, classnum, \
+		       classnum != 255 ? "," : ""); \
+		fprintf(stdout, "#define dns_rdataclass_%s\t" \
+		       "((dns_rdataclass_t)dns_rdataclass_%s)\n", s, s); \
+	} while (0)
+
+		for (cc = classes; cc != NULL; cc = cc->next) {
+			if (cc->rdclass == 3)
+				PRINTCLASS("chaos", 3);
+			else if (cc->rdclass == 255)
+				PRINTCLASS("none", 254);
+			PRINTCLASS(cc->classname, cc->rdclass);
+		}
+
+#undef PRINTCLASS
+
+		fprintf(stdout, "};\n\n");
+		fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
+	} else if (structs) {
+		if (prefix != NULL) {
+			if ((fd = fopen(prefix,"r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL)
+					fputs(buf, stdout);
+				fclose(fd);
+			}
+		}
+		for (tt = types; tt != NULL; tt = tt->next) {
+			snprintf(buf, sizeof(buf), "%s/%s_%d.h",
+				tt->dirname, tt->typename, tt->type);
+			if ((fd = fopen(buf,"r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL)
+					fputs(buf, stdout);
+				fclose(fd);
+			}
+		}
+		if (suffix != NULL) {
+			if ((fd = fopen(suffix,"r")) != NULL) {
+				while (fgets(buf, sizeof(buf), fd) != NULL)
+					fputs(buf, stdout);
+				fclose(fd);
+			}
+		}
+	} else if (depend) {
+		for (tt = types; tt != NULL; tt = tt->next)
+			fprintf(stdout, "%s:\t%s/%s_%d.h\n", file,
+				tt->dirname, tt->typename, tt->type);
+	}
+
+	if (ferror(stdout) != 0)
+		exit(1);
+
+	return (0);
+}
diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c
new file mode 100644
index 0000000..ec20baa
--- /dev/null
+++ b/lib/dns/geoip.c
@@ -0,0 +1,881 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/util.h>
+
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/string.h>
+
+#include <dns/acl.h>
+#include <dns/geoip.h>
+
+#include <isc/thread.h>
+#include <math.h>
+#ifndef WIN32
+#include <netinet/in.h>
+#else
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
+#endif
+#include <winsock2.h>
+#endif	/* WIN32 */
+#include <dns/log.h>
+
+#ifdef HAVE_GEOIP
+#include <GeoIP.h>
+#include <GeoIPCity.h>
+
+/*
+ * This structure preserves state from the previous GeoIP lookup,
+ * so that successive lookups for the same data from the same IP
+ * address will not require repeated calls into the GeoIP library
+ * to look up data in the database. This should improve performance
+ * somewhat.
+ *
+ * For lookups in the City and Region databases, we preserve pointers
+ * to the GeoIPRecord and GeoIPregion structures; these will need to be
+ * freed by GeoIPRecord_delete() and GeoIPRegion_delete().
+ *
+ * for lookups in ISP, AS, Org and Domain we prserve a pointer to
+ * the returned name; these must be freed by free().
+ *
+ * For lookups in Country we preserve a pointer to the text of
+ * the country code, name, etc (we use a different pointer for this
+ * than for the names returned by Org, ISP, etc, because those need
+ * to be freed but country lookups do not).
+ *
+ * For lookups in Netspeed we preserve the returned ID.
+ *
+ * XXX: Currently this mechanism is only used for IPv4 lookups; the
+ * family and addr6 fields are to be used IPv6 is added.
+ */
+typedef struct geoip_state {
+	uint16_t subtype;
+	unsigned int family;
+	uint32_t ipnum;
+	geoipv6_t ipnum6;
+	uint8_t scope;
+	GeoIPRecord *record;
+	GeoIPRegion *region;
+	const char *text;
+	char *name;
+	int id;
+	isc_mem_t *mctx;
+} geoip_state_t;
+
+#ifdef ISC_PLATFORM_USETHREADS
+static isc_mutex_t key_mutex;
+static bool state_key_initialized = false;
+static isc_thread_key_t state_key;
+static isc_once_t mutex_once = ISC_ONCE_INIT;
+static isc_mem_t *state_mctx = NULL;
+
+static void
+key_mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&key_mutex) == ISC_R_SUCCESS);
+}
+
+static void
+free_state(void *arg) {
+	geoip_state_t *state = arg;
+	if (state != NULL && state->record != NULL)
+		GeoIPRecord_delete(state->record);
+	if (state != NULL)
+		isc_mem_putanddetach(&state->mctx,
+				     state, sizeof(geoip_state_t));
+	isc_thread_key_setspecific(state_key, NULL);
+}
+
+static isc_result_t
+state_key_init(void) {
+	isc_result_t result;
+
+	result = isc_once_do(&mutex_once, key_mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!state_key_initialized) {
+		LOCK(&key_mutex);
+		if (!state_key_initialized) {
+			int ret;
+
+			if (state_mctx == NULL)
+				result = isc_mem_create2(0, 0, &state_mctx, 0);
+			if (result != ISC_R_SUCCESS)
+				goto unlock;
+			isc_mem_setname(state_mctx, "geoip_state", NULL);
+			isc_mem_setdestroycheck(state_mctx, false);
+
+			ret = isc_thread_key_create(&state_key, free_state);
+			if (ret == 0)
+				state_key_initialized = true;
+			else
+				result = ISC_R_FAILURE;
+		}
+ unlock:
+		UNLOCK(&key_mutex);
+	}
+
+	return (result);
+}
+#else
+static geoip_state_t saved_state;
+#endif
+
+static void
+clean_state(geoip_state_t *state) {
+	if (state == NULL)
+		return;
+
+	if (state->record != NULL) {
+		GeoIPRecord_delete(state->record);
+		state->record = NULL;
+	}
+	if (state->region != NULL) {
+		GeoIPRegion_delete(state->region);
+		state->region = NULL;
+	}
+	if (state->name != NULL) {
+		free (state->name);
+		state->name = NULL;
+	}
+	state->ipnum = 0;
+	state->text = NULL;
+	state->id = 0;
+}
+
+static isc_result_t
+set_state(unsigned int family, uint32_t ipnum, const geoipv6_t *ipnum6,
+	  uint8_t scope, dns_geoip_subtype_t subtype, GeoIPRecord *record,
+	  GeoIPRegion *region, char *name, const char *text, int id)
+{
+	geoip_state_t *state = NULL;
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_result_t result;
+
+	result = state_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	state = (geoip_state_t *) isc_thread_key_getspecific(state_key);
+	if (state == NULL) {
+		state = (geoip_state_t *) isc_mem_get(state_mctx,
+						      sizeof(geoip_state_t));
+		if (state == NULL)
+			return (ISC_R_NOMEMORY);
+		memset(state, 0, sizeof(*state));
+
+		result = isc_thread_key_setspecific(state_key, state);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(state_mctx, state, sizeof(geoip_state_t));
+			return (result);
+		}
+
+		isc_mem_attach(state_mctx, &state->mctx);
+	} else
+		clean_state(state);
+#else
+	state = &saved_state;
+	clean_state(state);
+#endif
+
+	if (family == AF_INET) {
+		state->ipnum = ipnum;
+	} else {
+		INSIST(ipnum6 != NULL);
+		state->ipnum6 = *ipnum6;
+	}
+
+	state->family = family;
+	state->subtype = subtype;
+	state->scope = scope;
+	state->record = record;
+	state->region = region;
+	state->name = name;
+	state->text = text;
+	state->id = id;
+
+	return (ISC_R_SUCCESS);
+}
+
+static geoip_state_t *
+get_state_for(unsigned int family, uint32_t ipnum,
+	      const geoipv6_t *ipnum6)
+{
+	geoip_state_t *state;
+
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_result_t result;
+
+	result = state_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (NULL);
+
+	state = (geoip_state_t *) isc_thread_key_getspecific(state_key);
+	if (state == NULL)
+		return (NULL);
+#else
+	state = &saved_state;
+#endif
+
+	if (state->family == family &&
+	    ((state->family == AF_INET && state->ipnum == ipnum) ||
+	     (state->family == AF_INET6 && ipnum6 != NULL &&
+	      memcmp(state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0)))
+		return (state);
+
+	return (NULL);
+}
+
+/*
+ * Country lookups are performed if the previous lookup was from a
+ * different IP address than the current, or was for a search of a
+ * different subtype.
+ */
+static const char *
+country_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
+	       unsigned int family,
+	       uint32_t ipnum, const geoipv6_t *ipnum6,
+	       uint8_t *scope)
+{
+	geoip_state_t *prev_state = NULL;
+	const char *text = NULL;
+	GeoIPLookup gl;
+
+	REQUIRE(db != NULL);
+
+#ifndef HAVE_GEOIP_V6
+	/* no IPv6 support? give up now */
+	if (family == AF_INET6)
+		return (NULL);
+#endif
+
+	prev_state = get_state_for(family, ipnum, ipnum6);
+	if (prev_state != NULL && prev_state->subtype == subtype) {
+		text = prev_state->text;
+		if (scope != NULL)
+			*scope = prev_state->scope;
+	}
+
+	if (text == NULL) {
+		switch (subtype) {
+		case dns_geoip_country_code:
+			if (family == AF_INET)
+				text = GeoIP_country_code_by_ipnum_gl(db,
+								 ipnum, &gl);
+#ifdef HAVE_GEOIP_V6
+			else
+				text = GeoIP_country_code_by_ipnum_v6_gl(db,
+								 *ipnum6, &gl);
+#endif
+			break;
+		case dns_geoip_country_code3:
+			if (family == AF_INET)
+				text = GeoIP_country_code3_by_ipnum_gl(db,
+								 ipnum, &gl);
+#ifdef HAVE_GEOIP_V6
+			else
+				text = GeoIP_country_code3_by_ipnum_v6_gl(db,
+								 *ipnum6, &gl);
+#endif
+			break;
+		case dns_geoip_country_name:
+			if (family == AF_INET)
+				text = GeoIP_country_name_by_ipnum_gl(db,
+								 ipnum, &gl);
+#ifdef HAVE_GEOIP_V6
+			else
+				text = GeoIP_country_name_by_ipnum_v6_gl(db,
+								 *ipnum6, &gl);
+#endif
+			break;
+		default:
+			INSIST(0);
+		}
+
+		if (text == NULL)
+			return (NULL);
+
+		if (scope != NULL)
+			*scope = gl.netmask;
+
+		set_state(family, ipnum, ipnum6, gl.netmask, subtype,
+			  NULL, NULL, NULL, text, 0);
+	}
+
+	return (text);
+}
+
+static char *
+city_string(GeoIPRecord *record, dns_geoip_subtype_t subtype, int *maxlen) {
+	const char *s;
+	char *deconst;
+
+	REQUIRE(record != NULL);
+	REQUIRE(maxlen != NULL);
+
+	/* Set '*maxlen' to the maximum length of this subtype, if any */
+	switch (subtype) {
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_region:
+	case dns_geoip_city_continentcode:
+		*maxlen = 2;
+		break;
+
+	case dns_geoip_city_countrycode3:
+		*maxlen = 3;
+		break;
+
+	default:
+		/* No fixed length; just use strcasecmp() for comparison */
+		*maxlen = 255;
+	}
+
+	switch (subtype) {
+	case dns_geoip_city_countrycode:
+		return (record->country_code);
+	case dns_geoip_city_countrycode3:
+		return (record->country_code3);
+	case dns_geoip_city_countryname:
+		return (record->country_name);
+	case dns_geoip_city_region:
+		return (record->region);
+	case dns_geoip_city_regionname:
+		s = GeoIP_region_name_by_code(record->country_code,
+					      record->region);
+		DE_CONST(s, deconst);
+		return (deconst);
+	case dns_geoip_city_name:
+		return (record->city);
+	case dns_geoip_city_postalcode:
+		return (record->postal_code);
+	case dns_geoip_city_continentcode:
+		return (record->continent_code);
+	case dns_geoip_city_timezonecode:
+		s = GeoIP_time_zone_by_country_and_region(record->country_code,
+							  record->region);
+		DE_CONST(s, deconst);
+		return (deconst);
+	default:
+		INSIST(0);
+	}
+}
+
+static bool
+is_city(dns_geoip_subtype_t subtype) {
+	switch (subtype) {
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_countrycode3:
+	case dns_geoip_city_countryname:
+	case dns_geoip_city_region:
+	case dns_geoip_city_regionname:
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_timezonecode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+		return (true);
+	default:
+		return (false);
+	}
+}
+
+/*
+ * GeoIPRecord lookups are performed if the previous lookup was
+ * from a different IP address than the current, or was for a search
+ * outside the City database.
+ */
+static GeoIPRecord *
+city_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
+	    unsigned int family, uint32_t ipnum,
+	    const geoipv6_t *ipnum6,
+	    uint8_t *scope)
+{
+	GeoIPRecord *record = NULL;
+	geoip_state_t *prev_state = NULL;
+
+	REQUIRE(db != NULL);
+
+#ifndef HAVE_GEOIP_V6
+	/* no IPv6 support? give up now */
+	if (family == AF_INET6)
+		return (NULL);
+#endif
+
+	prev_state = get_state_for(family, ipnum, ipnum6);
+	if (prev_state != NULL && is_city(prev_state->subtype)) {
+		record = prev_state->record;
+		if (scope != NULL)
+			*scope = record->netmask;
+	}
+
+	if (record == NULL) {
+		if (family == AF_INET)
+			record = GeoIP_record_by_ipnum(db, ipnum);
+#ifdef HAVE_GEOIP_V6
+		else
+			record = GeoIP_record_by_ipnum_v6(db, *ipnum6);
+#endif
+		if (record == NULL)
+			return (NULL);
+
+		if (scope != NULL)
+			*scope = record->netmask;
+
+		set_state(family, ipnum, ipnum6, record->netmask, subtype,
+			  record, NULL, NULL, NULL, 0);
+	}
+
+	return (record);
+}
+
+static char * region_string(GeoIPRegion *region, dns_geoip_subtype_t subtype, int *maxlen) {
+	const char *s;
+	char *deconst;
+
+	REQUIRE(region != NULL);
+	REQUIRE(maxlen != NULL);
+
+	switch (subtype) {
+	case dns_geoip_region_countrycode:
+		*maxlen = 2;
+		return (region->country_code);
+	case dns_geoip_region_code:
+		*maxlen = 2;
+		return (region->region);
+	case dns_geoip_region_name:
+		*maxlen = 255;
+		s = GeoIP_region_name_by_code(region->country_code,
+					      region->region);
+		DE_CONST(s, deconst);
+		return (deconst);
+	default:
+		INSIST(0);
+	}
+}
+
+static bool
+is_region(dns_geoip_subtype_t subtype) {
+	switch (subtype) {
+	case dns_geoip_region_countrycode:
+	case dns_geoip_region_code:
+		return (true);
+	default:
+		return (false);
+	}
+}
+
+/*
+ * GeoIPRegion lookups are performed if the previous lookup was
+ * from a different IP address than the current, or was for a search
+ * outside the Region database.
+ */
+static GeoIPRegion *
+region_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
+	      uint32_t ipnum, uint8_t *scope)
+{
+	GeoIPRegion *region = NULL;
+	geoip_state_t *prev_state = NULL;
+	GeoIPLookup gl;
+
+	REQUIRE(db != NULL);
+
+	prev_state = get_state_for(AF_INET, ipnum, NULL);
+	if (prev_state != NULL && is_region(prev_state->subtype)) {
+		region = prev_state->region;
+		if (scope != NULL)
+			*scope = prev_state->scope;
+	}
+
+	if (region == NULL) {
+		region = GeoIP_region_by_ipnum_gl(db, ipnum, &gl);
+		if (region == NULL)
+			return (NULL);
+
+		if (scope != NULL)
+			*scope = gl.netmask;
+
+		set_state(AF_INET, ipnum, NULL, gl.netmask,
+			  subtype, NULL, region, NULL, NULL, 0);
+	}
+
+	return (region);
+}
+
+/*
+ * ISP, Organization, AS Number and Domain lookups are performed if
+ * the previous lookup was from a different IP address than the current,
+ * or was for a search of a different subtype.
+ */
+static char *
+name_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
+	    uint32_t ipnum, uint8_t *scope)
+{
+	char *name = NULL;
+	geoip_state_t *prev_state = NULL;
+	GeoIPLookup gl;
+
+	REQUIRE(db != NULL);
+
+	prev_state = get_state_for(AF_INET, ipnum, NULL);
+	if (prev_state != NULL && prev_state->subtype == subtype) {
+		name = prev_state->name;
+		if (scope != NULL)
+			*scope = prev_state->scope;
+	}
+
+	if (name == NULL) {
+		name = GeoIP_name_by_ipnum_gl(db, ipnum, &gl);
+		if (name == NULL)
+			return (NULL);
+
+		if (scope != NULL)
+			*scope = gl.netmask;
+
+		set_state(AF_INET, ipnum, NULL, gl.netmask,
+			  subtype, NULL, NULL, name, NULL, 0);
+	}
+
+	return (name);
+}
+
+/*
+ * Netspeed lookups are performed if the previous lookup was from a
+ * different IP address than the current, or was for a search of a
+ * different subtype.
+ */
+static int
+netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
+		uint32_t ipnum, uint8_t *scope)
+{
+	geoip_state_t *prev_state = NULL;
+	bool found = false;
+	GeoIPLookup gl;
+	int id = -1;
+
+	REQUIRE(db != NULL);
+
+	prev_state = get_state_for(AF_INET, ipnum, NULL);
+	if (prev_state != NULL && prev_state->subtype == subtype) {
+		id = prev_state->id;
+		if (scope != NULL)
+			*scope = prev_state->scope;
+		found = true;
+	}
+
+	if (!found) {
+		id = GeoIP_id_by_ipnum_gl(db, ipnum, &gl);
+		if (id == 0)
+			return (0);
+
+		if (scope != NULL)
+			*scope = gl.netmask;
+
+		set_state(AF_INET, ipnum, NULL, gl.netmask,
+			  subtype, NULL, NULL, NULL, NULL, id);
+	}
+
+	return (id);
+}
+#endif /* HAVE_GEOIP */
+
+#define DB46(addr, geoip, name) \
+	((addr->family == AF_INET) ? (geoip->name##_v4) : (geoip->name##_v6))
+
+#ifdef HAVE_GEOIP
+/*
+ * Find the best database to answer a generic subtype
+ */
+static dns_geoip_subtype_t
+fix_subtype(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip,
+	    dns_geoip_subtype_t subtype)
+{
+	dns_geoip_subtype_t ret = subtype;
+
+	switch (subtype) {
+	case dns_geoip_countrycode:
+		if (DB46(reqaddr, geoip, city) != NULL)
+			ret = dns_geoip_city_countrycode;
+		else if (reqaddr->family == AF_INET && geoip->region != NULL)
+			ret = dns_geoip_region_countrycode;
+		else if (DB46(reqaddr, geoip, country) != NULL)
+			ret = dns_geoip_country_code;
+		break;
+	case dns_geoip_countrycode3:
+		if (DB46(reqaddr, geoip, city) != NULL)
+			ret = dns_geoip_city_countrycode3;
+		else if (DB46(reqaddr, geoip, country) != NULL)
+			ret = dns_geoip_country_code3;
+		break;
+	case dns_geoip_countryname:
+		if (DB46(reqaddr, geoip, city) != NULL)
+			ret = dns_geoip_city_countryname;
+		else if (DB46(reqaddr, geoip, country) != NULL)
+			ret = dns_geoip_country_name;
+		break;
+	case dns_geoip_region:
+		if (DB46(reqaddr, geoip, city) != NULL)
+			ret = dns_geoip_city_region;
+		else if (reqaddr->family == AF_INET && geoip->region != NULL)
+			ret = dns_geoip_region_code;
+		break;
+	case dns_geoip_regionname:
+		if (DB46(reqaddr, geoip, city) != NULL)
+			ret = dns_geoip_city_regionname;
+		else if (reqaddr->family == AF_INET && geoip->region != NULL)
+			ret = dns_geoip_region_name;
+		break;
+	default:
+		break;
+	}
+
+	return (ret);
+}
+#endif /* HAVE_GEOIP */
+
+bool
+dns_geoip_match(const isc_netaddr_t *reqaddr, uint8_t *scope,
+		const dns_geoip_databases_t *geoip,
+		const dns_geoip_elem_t *elt)
+{
+#ifndef HAVE_GEOIP
+	UNUSED(reqaddr);
+	UNUSED(geoip);
+	UNUSED(elt);
+
+	return (false);
+#else
+	GeoIP *db;
+	GeoIPRecord *record;
+	GeoIPRegion *region;
+	dns_geoip_subtype_t subtype;
+	uint32_t ipnum = 0;
+	int maxlen = 0, id, family;
+	const char *cs;
+	char *s;
+#ifdef HAVE_GEOIP_V6
+	const geoipv6_t *ipnum6 = NULL;
+#else
+	const void *ipnum6 = NULL;
+#endif
+
+	INSIST(geoip != NULL);
+
+	family = reqaddr->family;
+	switch (family) {
+	case AF_INET:
+		ipnum = ntohl(reqaddr->type.in.s_addr);
+		break;
+	case AF_INET6:
+#ifdef HAVE_GEOIP_V6
+		ipnum6 = &reqaddr->type.in6;
+		break;
+#else
+		return (false);
+#endif
+	default:
+		return (false);
+	}
+
+	subtype = fix_subtype(reqaddr, geoip, elt->subtype);
+
+	switch (subtype) {
+	case dns_geoip_country_code:
+		maxlen = 2;
+		goto getcountry;
+
+	case dns_geoip_country_code3:
+		maxlen = 3;
+		goto getcountry;
+
+	case dns_geoip_country_name:
+		maxlen = 255;
+ getcountry:
+		db = DB46(reqaddr, geoip, country);
+		if (db == NULL)
+			return (false);
+
+		INSIST(elt->as_string != NULL);
+
+		cs = country_lookup(db, subtype, family, ipnum, ipnum6, scope);
+		if (cs != NULL && strncasecmp(elt->as_string, cs, maxlen) == 0)
+			return (true);
+		break;
+
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_countrycode3:
+	case dns_geoip_city_countryname:
+	case dns_geoip_city_region:
+	case dns_geoip_city_regionname:
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_timezonecode:
+		INSIST(elt->as_string != NULL);
+
+		db = DB46(reqaddr, geoip, city);
+		if (db == NULL)
+			return (false);
+
+		record = city_lookup(db, subtype, family,
+				     ipnum, ipnum6, scope);
+		if (record == NULL)
+			break;
+
+		s = city_string(record, subtype, &maxlen);
+		INSIST(maxlen != 0);
+		if (s != NULL && strncasecmp(elt->as_string, s, maxlen) == 0)
+			return (true);
+		break;
+
+	case dns_geoip_city_metrocode:
+		db = DB46(reqaddr, geoip, city);
+		if (db == NULL)
+			return (false);
+
+		record = city_lookup(db, subtype, family,
+				     ipnum, ipnum6, scope);
+		if (record == NULL)
+			break;
+
+		if (elt->as_int == record->metro_code)
+			return (true);
+		break;
+
+	case dns_geoip_city_areacode:
+		db = DB46(reqaddr, geoip, city);
+		if (db == NULL)
+			return (false);
+
+		record = city_lookup(db, subtype, family,
+				     ipnum, ipnum6, scope);
+		if (record == NULL)
+			break;
+
+		if (elt->as_int == record->area_code)
+			return (true);
+		break;
+
+	case dns_geoip_region_countrycode:
+	case dns_geoip_region_code:
+	case dns_geoip_region_name:
+	case dns_geoip_region:
+		if (geoip->region == NULL)
+			return (false);
+
+		INSIST(elt->as_string != NULL);
+
+		/* Region DB is not supported for IPv6 */
+		if (family == AF_INET6)
+			return (false);
+
+		region = region_lookup(geoip->region, subtype, ipnum, scope);
+		if (region == NULL)
+			break;
+
+		s = region_string(region, subtype, &maxlen);
+		INSIST(maxlen != 0);
+		if (s != NULL && strncasecmp(elt->as_string, s, maxlen) == 0)
+			return (true);
+		break;
+
+	case dns_geoip_isp_name:
+		db = geoip->isp;
+		goto getname;
+
+	case dns_geoip_org_name:
+		db = geoip->org;
+		goto getname;
+
+	case dns_geoip_as_asnum:
+		db = geoip->as;
+		goto getname;
+
+	case dns_geoip_domain_name:
+		db = geoip->domain;
+
+ getname:
+		if (db == NULL)
+			return (false);
+
+		INSIST(elt->as_string != NULL);
+		/* ISP, Org, AS, and Domain are not supported for IPv6 */
+		if (family == AF_INET6)
+			return (false);
+
+		s = name_lookup(db, subtype, ipnum, scope);
+		if (s != NULL) {
+			size_t l;
+			if (strcasecmp(elt->as_string, s) == 0)
+				return (true);
+			if (subtype != dns_geoip_as_asnum)
+				break;
+			/*
+			 * Just check if the ASNNNN value matches.
+			 */
+			l = strlen(elt->as_string);
+			if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+			    strncasecmp(elt->as_string, s, l) == 0 &&
+			    s[l] == ' ')
+				return (true);
+		}
+		break;
+
+	case dns_geoip_netspeed_id:
+		INSIST(geoip->netspeed != NULL);
+
+		/* Netspeed DB is not supported for IPv6 */
+		if (family == AF_INET6)
+			return (false);
+
+		id = netspeed_lookup(geoip->netspeed, subtype, ipnum, scope);
+		if (id == elt->as_int)
+			return (true);
+		break;
+
+	case dns_geoip_countrycode:
+	case dns_geoip_countrycode3:
+	case dns_geoip_countryname:
+	case dns_geoip_regionname:
+		/*
+		 * If these were not remapped by fix_subtype(),
+		 * the database was unavailable. Always return false.
+		 */
+		break;
+
+	default:
+		INSIST(0);
+	}
+
+	return (false);
+#endif
+}
+
+void
+dns_geoip_shutdown(void) {
+#ifdef HAVE_GEOIP
+	GeoIP_cleanup();
+#ifdef ISC_PLATFORM_USETHREADS
+	if (state_mctx != NULL)
+		isc_mem_detach(&state_mctx);
+#endif
+#else
+	return;
+#endif
+}
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
new file mode 100644
index 0000000..82eac95
--- /dev/null
+++ b/lib/dns/gssapi_link.c
@@ -0,0 +1,388 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#ifdef GSSAPI
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+
+#include <dst/gssapi.h>
+
+#define INITIAL_BUFFER_SIZE 1024
+#define BUFFER_EXTRA 1024
+
+#define REGION_TO_GBUFFER(r, gb) \
+	do { \
+		(gb).length = (r).length; \
+		(gb).value = (r).base; \
+	} while (0)
+
+#define GBUFFER_TO_REGION(gb, r) \
+	do { \
+	  (r).length = (unsigned int)(gb).length; \
+		(r).base = (gb).value; \
+	} while (0)
+
+
+struct dst_gssapi_signverifyctx {
+	isc_buffer_t *buffer;
+};
+
+/*%
+ * Allocate a temporary "context" for use in gathering data for signing
+ * or verifying.
+ */
+static isc_result_t
+gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx;
+	isc_result_t result;
+
+	UNUSED(key);
+
+	ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ctx->buffer = NULL;
+	result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
+				     INITIAL_BUFFER_SIZE);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
+		return (result);
+	}
+
+	dctx->ctxdata.gssctx = ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Destroy the temporary sign/verify context.
+ */
+static void
+gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+
+	if (ctx != NULL) {
+		if (ctx->buffer != NULL)
+			isc_buffer_free(&ctx->buffer);
+		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
+		dctx->ctxdata.gssctx = NULL;
+	}
+}
+
+/*%
+ * Add data to our running buffer of data we will be signing or verifying.
+ * This code will see if the new data will fit in our existing buffer, and
+ * copy it in if it will.  If not, it will attempt to allocate a larger
+ * buffer and copy old+new into it, and free the old buffer.
+ */
+static isc_result_t
+gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_buffer_t *newbuffer = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	result = isc_buffer_copyregion(ctx->buffer, data);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
+
+	result = isc_buffer_allocate(dctx->mctx, &newbuffer, length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_usedregion(ctx->buffer, &r);
+	(void)isc_buffer_copyregion(newbuffer, &r);
+	(void)isc_buffer_copyregion(newbuffer, data);
+
+	isc_buffer_free(&ctx->buffer);
+	ctx->buffer = newbuffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Sign.
+ */
+static isc_result_t
+gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_region_t message;
+	gss_buffer_desc gmessage, gsig;
+	OM_uint32 minor, gret;
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	char buf[1024];
+
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
+	isc_buffer_usedregion(ctx->buffer, &message);
+	REGION_TO_GBUFFER(message, gmessage);
+
+	/*
+	 * Generate the signature.
+	 */
+	gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
+			   &gsig);
+
+	/*
+	 * If it did not complete, we log the result and return a generic
+	 * failure code.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS sign error: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * If it will not fit in our allocated buffer, return that we need
+	 * more space.
+	 */
+	if (gsig.length > isc_buffer_availablelength(sig)) {
+		gss_release_buffer(&minor, &gsig);
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Copy the output into our buffer space, and release the gssapi
+	 * allocated space.
+	 */
+	isc_buffer_putmem(sig, gsig.value, (unsigned int)gsig.length);
+	if (gsig.length != 0U)
+		gss_release_buffer(&minor, &gsig);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Verify.
+ */
+static isc_result_t
+gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_region_t message, r;
+	gss_buffer_desc gmessage, gsig;
+	OM_uint32 minor, gret;
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	unsigned char *buf;
+	char err[1024];
+
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
+	isc_buffer_usedregion(ctx->buffer, &message);
+	REGION_TO_GBUFFER(message, gmessage);
+
+	/*
+	 * XXXMLG
+	 * It seem that gss_verify_mic() modifies the signature buffer,
+	 * at least on Heimdal's implementation.  Copy it here to an allocated
+	 * buffer.
+	 */
+	buf = isc_mem_allocate(dst__memory_pool, sig->length);
+	if (buf == NULL)
+		return (ISC_R_FAILURE);
+	memmove(buf, sig->base, sig->length);
+	r.base = buf;
+	r.length = sig->length;
+	REGION_TO_GBUFFER(r, gsig);
+
+	/*
+	 * Verify the data.
+	 */
+	gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
+
+	isc_mem_free(dst__memory_pool, buf);
+
+	/*
+	 * Convert return codes into something useful to us.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS verify error: %s",
+			gss_error_tostring(gret, minor, err, sizeof(err)));
+		if (gret == GSS_S_DEFECTIVE_TOKEN ||
+		    gret == GSS_S_BAD_SIG ||
+		    gret == GSS_S_DUPLICATE_TOKEN ||
+		    gret == GSS_S_OLD_TOKEN ||
+		    gret == GSS_S_UNSEQ_TOKEN ||
+		    gret == GSS_S_GAP_TOKEN ||
+		    gret == GSS_S_CONTEXT_EXPIRED ||
+		    gret == GSS_S_NO_CONTEXT ||
+		    gret == GSS_S_FAILURE)
+			return(DST_R_VERIFYFAILURE);
+		else
+			return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
+	gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
+
+	/* No idea */
+	return (gsskey1 == gsskey2);
+}
+
+static isc_result_t
+gssapi_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	UNUSED(key);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	/* No idea */
+	return (ISC_R_FAILURE);
+}
+
+static bool
+gssapi_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+gssapi_destroy(dst_key_t *key) {
+	REQUIRE(key != NULL);
+	dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
+	key->keydata.gssctx = NULL;
+}
+
+static isc_result_t
+gssapi_restore(dst_key_t *key, const char *keystr) {
+	OM_uint32 major, minor;
+	unsigned int len;
+	isc_buffer_t *b = NULL;
+	isc_region_t r;
+	gss_buffer_desc gssbuffer;
+	isc_result_t result;
+
+	len = strlen(keystr);
+	if ((len % 4) != 0U)
+		return (ISC_R_BADBASE64);
+
+	len = (len / 4) * 3;
+
+	result = isc_buffer_allocate(key->mctx, &b, len);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_base64_decodestring(keystr, b);
+	if (result != ISC_R_SUCCESS) {
+		isc_buffer_free(&b);
+		return (result);
+	}
+
+	isc_buffer_remainingregion(b, &r);
+	REGION_TO_GBUFFER(r, gssbuffer);
+	major = gss_import_sec_context(&minor, &gssbuffer,
+				       &key->keydata.gssctx);
+	if (major != GSS_S_COMPLETE) {
+		isc_buffer_free(&b);
+		return (ISC_R_FAILURE);
+	}
+
+	isc_buffer_free(&b);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+gssapi_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length) {
+	OM_uint32 major, minor;
+	gss_buffer_desc gssbuffer;
+	size_t len;
+	char *buf;
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	major = gss_export_sec_context(&minor, &key->keydata.gssctx,
+				       &gssbuffer);
+	if (major != GSS_S_COMPLETE) {
+		fprintf(stderr, "gss_export_sec_context -> %d, %d\n",
+			major, minor);
+		return (ISC_R_FAILURE);
+	}
+	if (gssbuffer.length == 0U)
+		return (ISC_R_FAILURE);
+	len = ((gssbuffer.length + 2)/3) * 4;
+	buf = isc_mem_get(mctx, len);
+	if (buf == NULL) {
+		gss_release_buffer(&minor, &gssbuffer);
+		return (ISC_R_NOMEMORY);
+	}
+	isc_buffer_init(&b, buf, (unsigned int)len);
+	GBUFFER_TO_REGION(gssbuffer, r);
+	result = isc_base64_totext(&r, 0, "", &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	gss_release_buffer(&minor, &gssbuffer);
+	*buffer = buf;
+	*length = (int)len;
+	return (ISC_R_SUCCESS);
+}
+
+static dst_func_t gssapi_functions = {
+	gssapi_create_signverify_ctx,
+	NULL, /*%< createctx2 */
+	gssapi_destroy_signverify_ctx,
+	gssapi_adddata,
+	gssapi_sign,
+	gssapi_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	gssapi_compare,
+	NULL, /*%< paramcompare */
+	gssapi_generate,
+	gssapi_isprivate,
+	gssapi_destroy,
+	NULL, /*%< todns */
+	NULL, /*%< fromdns */
+	NULL, /*%< tofile */
+	NULL, /*%< parse */
+	NULL, /*%< cleanup */
+	NULL,  /*%< fromlabel */
+	gssapi_dump,
+	gssapi_restore,
+};
+
+isc_result_t
+dst__gssapi_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &gssapi_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else
+int  gssapi_link_unneeded = 1;
+#endif
+
+/*! \file */
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
new file mode 100644
index 0000000..8bd99af
--- /dev/null
+++ b/lib/dns/gssapictx.c
@@ -0,0 +1,894 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/platform.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+/*
+ * If we're using our own SPNEGO implementation (see configure.in),
+ * pull it in now.  Otherwise, we just use whatever GSSAPI supplies.
+ */
+#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
+#include "spnego.h"
+#define	gss_accept_sec_context	gss_accept_sec_context_spnego
+#define	gss_init_sec_context	gss_init_sec_context_spnego
+#endif
+
+/*
+ * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
+ * one for anything but Kerberos.  Supplying an explicit OID set
+ * doesn't appear to hurt anything in other implementations, so we
+ * always use one.  If we're not using our own SPNEGO implementation,
+ * we include SPNEGO's OID.
+ */
+#ifdef GSSAPI
+#ifdef WIN32
+#include <krb5/krb5.h>
+#else
+#include ISC_PLATFORM_KRB5HEADER
+#endif
+
+static unsigned char krb5_mech_oid_bytes[] = {
+	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+#ifndef USE_ISC_SPNEGO
+static unsigned char spnego_mech_oid_bytes[] = {
+	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+#endif
+
+static gss_OID_desc mech_oid_set_array[] = {
+	{ sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
+#ifndef USE_ISC_SPNEGO
+	{ sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
+#endif
+};
+
+static gss_OID_set_desc mech_oid_set = {
+	sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
+	mech_oid_set_array
+};
+
+#endif
+
+#define REGION_TO_GBUFFER(r, gb) \
+	do { \
+		(gb).length = (r).length; \
+		(gb).value = (r).base; \
+	} while (0)
+
+#define GBUFFER_TO_REGION(gb, r) \
+	do { \
+	  (r).length = (unsigned int)(gb).length; \
+		(r).base = (gb).value; \
+	} while (0)
+
+
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto out; \
+	} while (0)
+
+#ifdef GSSAPI
+static inline void
+name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
+		gss_buffer_desc *gbuffer)
+{
+	dns_name_t tname, *namep;
+	isc_region_t r;
+	isc_result_t result;
+
+	if (!dns_name_isabsolute(name))
+		namep = name;
+	else
+	{
+		unsigned int labels;
+		dns_name_init(&tname, NULL);
+		labels = dns_name_countlabels(name);
+		dns_name_getlabelsequence(name, 0, labels - 1, &tname);
+		namep = &tname;
+	}
+
+	result = dns_name_toprincipal(namep, buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(buffer, 0);
+	isc_buffer_usedregion(buffer, &r);
+	REGION_TO_GBUFFER(r, *gbuffer);
+}
+
+static void
+log_cred(const gss_cred_id_t cred) {
+	OM_uint32 gret, minor, lifetime;
+	gss_name_t gname;
+	gss_buffer_desc gbuffer;
+	gss_cred_usage_t usage;
+	const char *usage_text;
+	char buf[1024];
+
+	gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed gss_inquire_cred: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return;
+	}
+
+	gret = gss_display_name(&minor, gname, &gbuffer, NULL);
+	if (gret != GSS_S_COMPLETE)
+		gss_log(3, "failed gss_display_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	else {
+		switch (usage) {
+		case GSS_C_BOTH:
+			usage_text = "GSS_C_BOTH";
+			break;
+		case GSS_C_INITIATE:
+			usage_text = "GSS_C_INITIATE";
+			break;
+		case GSS_C_ACCEPT:
+			usage_text = "GSS_C_ACCEPT";
+			break;
+		default:
+			usage_text = "???";
+		}
+		gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
+			usage_text, (unsigned long)lifetime);
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		if (gbuffer.length != 0U) {
+			gret = gss_release_buffer(&minor, &gbuffer);
+			if (gret != GSS_S_COMPLETE)
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+		}
+	}
+
+	gret = gss_release_name(&minor, &gname);
+	if (gret != GSS_S_COMPLETE)
+		gss_log(3, "failed gss_release_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+}
+#endif
+
+#ifdef GSSAPI
+/*
+ * check for the most common configuration errors.
+ *
+ * The errors checked for are:
+ *   - tkey-gssapi-credential doesn't start with DNS/
+ *   - the default realm in /etc/krb5.conf and the
+ *     tkey-gssapi-credential bind config option don't match
+ *
+ * Note that if tkey-gssapi-keytab is set then these configure checks
+ * are not performed, and runtime errors from gssapi are used instead
+ */
+static void
+check_config(const char *gss_name) {
+	const char *p;
+	krb5_context krb5_ctx;
+	char *krb5_realm_name = NULL;
+
+	if (strncasecmp(gss_name, "DNS/", 4) != 0) {
+		gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) "
+			"should start with 'DNS/'", gss_name);
+		return;
+	}
+
+	if (krb5_init_context(&krb5_ctx) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
+		return;
+	}
+	if (krb5_get_default_realm(krb5_ctx, &krb5_realm_name) != 0) {
+		gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	p = strchr(gss_name, '@');
+	if (p == NULL) {
+		gss_log(ISC_LOG_ERROR, "badly formatted "
+			"tkey-gssapi-credentials (%s)", gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	if (strcasecmp(p + 1, krb5_realm_name) != 0) {
+		gss_log(ISC_LOG_ERROR, "default realm from krb5.conf (%s) "
+			"does not match tkey-gssapi-credential (%s)",
+			krb5_realm_name, gss_name);
+		krb5_free_context(krb5_ctx);
+		return;
+	}
+	krb5_free_context(krb5_ctx);
+}
+#endif
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
+		       gss_cred_id_t *cred)
+{
+#ifdef GSSAPI
+	isc_result_t result;
+	isc_buffer_t namebuf;
+	gss_name_t gname;
+	gss_buffer_desc gnamebuf;
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	OM_uint32 gret, minor;
+	OM_uint32 lifetime;
+	gss_cred_usage_t usage;
+	char buf[1024];
+
+	REQUIRE(cred != NULL && *cred == NULL);
+
+	/*
+	 * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
+	 * here when we're in the acceptor role, which would let us
+	 * default the hostname and use a compiled in default service
+	 * name of "DNS", giving one less thing to configure in
+	 * named.conf.	Unfortunately, this creates a circular
+	 * dependency due to DNS-based realm lookup in at least one
+	 * GSSAPI implementation (Heimdal).  Oh well.
+	 */
+	if (name != NULL) {
+		isc_buffer_init(&namebuf, array, sizeof(array));
+		name_to_gbuffer(name, &namebuf, &gnamebuf);
+		gret = gss_import_name(&minor, &gnamebuf,
+				       GSS_C_NO_OID, &gname);
+		if (gret != GSS_S_COMPLETE) {
+			check_config((char *)array);
+
+			gss_log(3, "failed gss_import_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+			return (ISC_R_FAILURE);
+		}
+	} else
+		gname = NULL;
+
+	/* Get the credentials. */
+	if (gname != NULL)
+		gss_log(3, "acquiring credentials for %s",
+			(char *)gnamebuf.value);
+	else {
+		/* XXXDCL does this even make any sense? */
+		gss_log(3, "acquiring credentials for ?");
+	}
+
+	if (initiate)
+		usage = GSS_C_INITIATE;
+	else
+		usage = GSS_C_ACCEPT;
+
+	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
+				&mech_oid_set, usage, cred, NULL, &lifetime);
+
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed to acquire %s credentials for %s: %s",
+			initiate ? "initiate" : "accept",
+			(gname != NULL) ? (char *)gnamebuf.value : "?",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		if (gname != NULL)
+			check_config((char *)array);
+		result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	gss_log(4, "acquired %s credentials for %s",
+		initiate ? "initiate" : "accept",
+		(gname != NULL) ? (char *)gnamebuf.value : "?");
+
+	log_cred(*cred);
+	result = ISC_R_SUCCESS;
+
+cleanup:
+	if (gname != NULL) {
+		gret = gss_release_name(&minor, &gname);
+		if (gret != GSS_S_COMPLETE)
+			gss_log(3, "failed gss_release_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+	}
+
+	return (result);
+#else
+	REQUIRE(cred != NULL && *cred == NULL);
+
+	UNUSED(name);
+	UNUSED(initiate);
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm,
+				    bool subdomain)
+{
+#ifdef GSSAPI
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *rname;
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	result = dns_name_toprincipal(signer, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(&buffer, 0);
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strchr(sbuf, '@');
+	if (rname == NULL)
+		return (false);
+	*rname = '\0';
+	rname++;
+
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
+	/*
+	 * Find the host portion of the signer's name.	We do this by
+	 * searching for the first / character.  We then check to make
+	 * certain the instance name is "host"
+	 *
+	 * This will work for
+	 *    host/example.com@EXAMPLE.COM
+	 */
+	sname = strchr(sbuf, '/');
+	if (sname == NULL)
+		return (false);
+	*sname = '\0';
+	sname++;
+	if (strcmp(sbuf, "host") != 0)
+		return (false);
+
+	/*
+	 * If name is non NULL check that it matches against the
+	 * machine name as expected.
+	 */
+	if (name != NULL) {
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring(machine, sname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
+		}
+		return (dns_name_equal(name, machine));
+	}
+
+	return (true);
+#else
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+#endif
+}
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm,
+				  bool subdomain)
+{
+#ifdef GSSAPI
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *rname;
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	isc_buffer_init(&buffer, sbuf, sizeof(sbuf));
+	result = dns_name_toprincipal(signer, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_buffer_putuint8(&buffer, 0);
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strchr(sbuf, '@');
+	if (rname == NULL)
+		return (false);
+	sname = strchr(sbuf, '$');
+	if (sname == NULL)
+		return (false);
+
+	/*
+	 * Verify that the $ and @ follow one another.
+	 */
+	if (rname - sname != 1)
+		return (false);
+
+	/*
+	 * Find the host portion of the signer's name.	Zero out the $ so
+	 * it terminates the signer's name, and skip past the @ for
+	 * the realm.
+	 *
+	 * All service principals in Microsoft format seem to be in
+	 *    machinename$@EXAMPLE.COM
+	 * format.
+	 */
+	rname++;
+	*sname = '\0';
+	sname = sbuf;
+
+	if (strcmp(rname, rbuf) != 0) {
+		return (false);
+	}
+
+	/*
+	 * Now, we check that the realm matches (case sensitive) and that
+	 * 'name' matches against 'machinename' qualified with 'realm'.
+	 */
+	if (name != NULL) {
+		dns_fixedname_t fixed;
+		dns_name_t *machine;
+
+		machine = dns_fixedname_initname(&fixed);
+		result = dns_name_fromstring2(machine, sbuf, realm, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			return (false);
+		}
+		if (subdomain) {
+			return (dns_name_issubdomain(name, machine));
+		}
+		return (dns_name_equal(name, machine));
+	}
+
+	return (true);
+#else
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	UNUSED(subdomain);
+	return (false);
+#endif
+}
+
+isc_result_t
+dst_gssapi_releasecred(gss_cred_id_t *cred) {
+#ifdef GSSAPI
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	REQUIRE(cred != NULL && *cred != NULL);
+
+	gret = gss_release_cred(&minor, cred);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the credential's memory */
+		gss_log(3, "failed releasing credential: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	*cred = NULL;
+
+	return(ISC_R_SUCCESS);
+#else
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+#ifdef GSSAPI
+/*
+ * Format a gssapi error message info into a char ** on the given memory
+ * context. This is used to return gssapi error messages back up the
+ * call chain for reporting to the user.
+ */
+static void
+gss_err_message(isc_mem_t *mctx, uint32_t major, uint32_t minor,
+		char **err_message)
+{
+	char buf[1024];
+	char *estr;
+
+	if (err_message == NULL || mctx == NULL) {
+		/* the caller doesn't want any error messages */
+		return;
+	}
+
+	estr = gss_error_tostring(major, minor, buf, sizeof(buf));
+	if (estr != NULL)
+		(*err_message) = isc_mem_strdup(mctx, estr);
+}
+#endif
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message)
+{
+#ifdef GSSAPI
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	gss_name_t gname;
+	OM_uint32 gret, minor, ret_flags, flags;
+	gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
+	isc_result_t result;
+	gss_buffer_desc gnamebuf;
+	unsigned char array[DNS_NAME_MAXTEXT + 1];
+
+	/* Client must pass us a valid gss_ctx_id_t here */
+	REQUIRE(gssctx != NULL);
+	REQUIRE(mctx != NULL);
+
+	isc_buffer_init(&namebuf, array, sizeof(array));
+	name_to_gbuffer(name, &namebuf, &gnamebuf);
+
+	/* Get the name as a GSS name */
+	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+	if (gret != GSS_S_COMPLETE) {
+		gss_err_message(mctx, gret, minor, err_message);
+		result = ISC_R_FAILURE;
+		goto out;
+	}
+
+	if (intoken != NULL) {
+		/* Don't call gss_release_buffer for gintoken! */
+		REGION_TO_GBUFFER(*intoken, gintoken);
+		gintokenp = &gintoken;
+	} else {
+		gintokenp = NULL;
+	}
+
+	/*
+	 * Note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
+	 * servers don't like it.
+	 */
+	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG;
+
+	gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+				    gname, GSS_SPNEGO_MECHANISM, flags,
+				    0, NULL, gintokenp,
+				    NULL, &gouttoken, &ret_flags, NULL);
+
+	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
+		gss_err_message(mctx, gret, minor, err_message);
+		if (err_message != NULL && *err_message != NULL)
+			gss_log(3, "Failure initiating security context: %s",
+				*err_message);
+		else
+			gss_log(3, "Failure initiating security context");
+
+		result = ISC_R_FAILURE;
+		goto out;
+	}
+
+	/*
+	 * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
+	 * MUTUAL and INTEG flags, fail if either not set.
+	 */
+
+	/*
+	 * RFC 2744 states the a valid output token has a non-zero length.
+	 */
+	if (gouttoken.length != 0U) {
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(outtoken, &r));
+	}
+
+	if (gret == GSS_S_COMPLETE)
+		result = ISC_R_SUCCESS;
+	else
+		result = DNS_R_CONTINUE;
+
+ out:
+	if (gouttoken.length != 0U)
+		(void)gss_release_buffer(&minor, &gouttoken);
+	(void)gss_release_name(&minor, &gname);
+	return (result);
+#else
+	UNUSED(name);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(gssctx);
+	UNUSED(mctx);
+	UNUSED(err_message);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+		     const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     isc_mem_t *mctx)
+{
+#ifdef GSSAPI
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
+			gouttoken = GSS_C_EMPTY_BUFFER;
+	OM_uint32 gret, minor;
+	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+	gss_name_t gname = NULL;
+	isc_result_t result;
+	char buf[1024];
+
+	REQUIRE(outtoken != NULL && *outtoken == NULL);
+
+	REGION_TO_GBUFFER(*intoken, gintoken);
+
+	if (*ctxout == NULL)
+		context = GSS_C_NO_CONTEXT;
+	else
+		context = *ctxout;
+
+	if (gssapi_keytab != NULL) {
+#if defined(ISC_PLATFORM_GSSAPI_KRB5_HEADER) || defined(WIN32)
+		gret = gsskrb5_register_acceptor_identity(gssapi_keytab);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed "
+				"gsskrb5_register_acceptor_identity(%s): %s",
+				gssapi_keytab,
+				gss_error_tostring(gret, 0, buf, sizeof(buf)));
+			return (DNS_R_INVALIDTKEY);
+		}
+#else
+		/*
+		 * Minimize memory leakage by only setting KRB5_KTNAME
+		 * if it needs to change.
+		 */
+		const char *old = getenv("KRB5_KTNAME");
+		if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
+			size_t size;
+			char *kt;
+
+			size = strlen(gssapi_keytab) + 13;
+			kt = malloc(size);
+			if (kt == NULL)
+				return (ISC_R_NOMEMORY);
+			snprintf(kt, size, "KRB5_KTNAME=%s", gssapi_keytab);
+			if (putenv(kt) != 0)
+				return (ISC_R_NOMEMORY);
+		}
+#endif
+	}
+
+	log_cred(cred);
+
+	gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
+				      GSS_C_NO_CHANNEL_BINDINGS, &gname,
+				      NULL, &gouttoken, NULL, NULL, NULL);
+
+	result = ISC_R_FAILURE;
+
+	switch (gret) {
+	case GSS_S_COMPLETE:
+	case GSS_S_CONTINUE_NEEDED:
+		break;
+	case GSS_S_DEFECTIVE_TOKEN:
+	case GSS_S_DEFECTIVE_CREDENTIAL:
+	case GSS_S_BAD_SIG:
+	case GSS_S_DUPLICATE_TOKEN:
+	case GSS_S_OLD_TOKEN:
+	case GSS_S_NO_CRED:
+	case GSS_S_CREDENTIALS_EXPIRED:
+	case GSS_S_BAD_BINDINGS:
+	case GSS_S_NO_CONTEXT:
+	case GSS_S_BAD_MECH:
+	case GSS_S_FAILURE:
+		result = DNS_R_INVALIDTKEY;
+		/* fall through */
+	default:
+		gss_log(3, "failed gss_accept_sec_context: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (result);
+	}
+
+	if (gouttoken.length > 0U) {
+		RETERR(isc_buffer_allocate(mctx, outtoken,
+					   (unsigned int)gouttoken.length));
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(*outtoken, &r));
+		(void)gss_release_buffer(&minor, &gouttoken);
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_display_name: %s",
+				gss_error_tostring(gret, minor,
+						   buf, sizeof(buf)));
+			RETERR(ISC_R_FAILURE);
+		}
+
+		/*
+		 * Compensate for a bug in Solaris8's implementation
+		 * of gss_display_name().  Should be harmless in any
+		 * case, since principal names really should not
+		 * contain null characters.
+		 */
+		if (gnamebuf.length > 0U &&
+		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+			gnamebuf.length--;
+
+		gss_log(3, "gss-api source name (accept) is %.*s",
+			(int)gnamebuf.length, (char *)gnamebuf.value);
+
+		GBUFFER_TO_REGION(gnamebuf, r);
+		isc_buffer_init(&namebuf, r.base, r.length);
+		isc_buffer_add(&namebuf, r.length);
+
+		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
+					 0, NULL));
+
+		if (gnamebuf.length != 0U) {
+			gret = gss_release_buffer(&minor, &gnamebuf);
+			if (gret != GSS_S_COMPLETE)
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+		}
+	} else
+		result = DNS_R_CONTINUE;
+
+	*ctxout = context;
+
+ out:
+	if (gname != NULL) {
+		gret = gss_release_name(&minor, &gname);
+		if (gret != GSS_S_COMPLETE)
+			gss_log(3, "failed gss_release_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+	}
+
+	return (result);
+#else
+	UNUSED(cred);
+	UNUSED(gssapi_keytab);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(ctxout);
+	UNUSED(principal);
+	UNUSED(mctx);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
+{
+#ifdef GSSAPI
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	UNUSED(mctx);
+
+	REQUIRE(gssctx != NULL && *gssctx != NULL);
+
+	/* Delete the context from the GSS provider */
+	gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the context's memory */
+		gss_log(3, "Failure deleting security context %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	return(ISC_R_SUCCESS);
+#else
+	UNUSED(mctx);
+	UNUSED(gssctx);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor,
+		   char *buf, size_t buflen) {
+#ifdef GSSAPI
+	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
+			msg_major = GSS_C_EMPTY_BUFFER;
+	OM_uint32 msg_ctx, minor_stat;
+
+	/* Handle major status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_major);
+
+	/* Handle minor status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_minor);
+
+	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
+		(char *)msg_major.value, (char *)msg_minor.value);
+
+	if (msg_major.length != 0U)
+		(void)gss_release_buffer(&minor_stat, &msg_major);
+	if (msg_minor.length != 0U)
+		(void)gss_release_buffer(&minor_stat, &msg_minor);
+	return(buf);
+#else
+	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
+		 major, minor);
+
+	return (buf);
+#endif
+}
+
+void
+gss_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+/*! \file */
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
new file mode 100644
index 0000000..94e73b1
--- /dev/null
+++ b/lib/dns/hmac_link.c
@@ -0,0 +1,1811 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#ifdef HAVE_FIPS_MODE
+#include "dst_openssl.h"	/* FIPS_mode() prototype */
+#endif
+#include "dst_parse.h"
+
+#ifndef PK11_MD5_DISABLE
+static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacmd5_key {
+	unsigned char key[ISC_MD5_BLOCK_LENGTH];
+};
+#endif
+
+static isc_result_t
+getkeybits(dst_key_t *key, struct dst_private_element *element) {
+
+	if (element->length != 2)
+		return (DST_R_INVALIDPRIVATEKEY);
+
+	key->key_bits =	(element->data[0] << 8) + element->data[1];
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifndef PK11_MD5_DISABLE
+static isc_result_t
+hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacmd5_t *hmacmd5ctx;
+	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+
+	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+	if (hmacmd5ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
+	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacmd5_destroyctx(dst_context_t *dctx) {
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
+
+	if (hmacmd5ctx != NULL) {
+		isc_hmacmd5_invalidate(hmacmd5ctx);
+		isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
+		dctx->ctxdata.hmacmd5ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
+
+	isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacmd5_sign(hmacmd5ctx, digest);
+	isc_buffer_add(sig, ISC_MD5_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
+
+	if (sig->length > ISC_MD5_DIGESTLENGTH)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacmd5_verify2(hmacmd5ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacmd5_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacmd5;
+	hkey2 = key2->keydata.hmacmd5;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_MD5_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_MD5_BLOCK_LENGTH) {
+		bytes = ISC_MD5_BLOCK_LENGTH;
+		key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacmd5_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacmd5_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacmd5_destroy(dst_key_t *key) {
+	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacmd5 = NULL;
+}
+
+static isc_result_t
+hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacmd5_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacmd5 != NULL);
+
+	hkey = key->keydata.hmacmd5;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacmd5_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_md5_t md5ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_MD5_BLOCK_LENGTH) {
+		isc_md5_init(&md5ctx);
+		isc_md5_update(&md5ctx, r.base, r.length);
+		isc_md5_final(&md5ctx, hkey->key);
+		keylen = ISC_MD5_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacmd5 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacmd5_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacmd5 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacmd5;
+
+	priv.elements[cnt].tag = TAG_HMACMD5_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACMD5_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACMD5_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacmd5_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACMD5_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacmd5_functions = {
+	hmacmd5_createctx,
+	NULL, /*%< createctx2 */
+	hmacmd5_destroyctx,
+	hmacmd5_adddata,
+	hmacmd5_sign,
+	hmacmd5_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	hmacmd5_compare,
+	NULL, /*%< paramcompare */
+	hmacmd5_generate,
+	hmacmd5_isprivate,
+	hmacmd5_destroy,
+	hmacmd5_todns,
+	hmacmd5_fromdns,
+	hmacmd5_tofile,
+	hmacmd5_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__hmacmd5_init(dst_func_t **funcp) {
+#ifdef HAVE_FIPS_MODE
+	/*
+	 * Problems from OpenSSL are likely from FIPS mode
+	 */
+	int fips_mode = FIPS_mode();
+
+	if (fips_mode != 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "FIPS mode is %d: MD5 is only supported "
+				 "if the value is 0.\n"
+				 "Please disable either FIPS mode or MD5.",
+				 fips_mode);
+	}
+#endif
+
+	/*
+	 * Prevent use of incorrect crypto
+	 */
+
+	RUNTIME_CHECK(isc_md5_check(false));
+	RUNTIME_CHECK(isc_hmacmd5_check(0));
+
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacmd5_functions;
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacsha1_key {
+	unsigned char key[ISC_SHA1_BLOCK_LENGTH];
+};
+
+static isc_result_t
+hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha1_t *hmacsha1ctx;
+	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+
+	hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
+	if (hmacsha1ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+	dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha1_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
+
+	if (hmacsha1ctx != NULL) {
+		isc_hmacsha1_invalidate(hmacsha1ctx);
+		isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
+		dctx->ctxdata.hmacsha1ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
+
+	isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha1_sign(hmacsha1ctx, digest, ISC_SHA1_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
+
+	if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha1_verify(hmacsha1ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacsha1_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacsha1;
+	hkey2 = key2->keydata.hmacsha1;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_SHA1_BLOCK_LENGTH) {
+		bytes = ISC_SHA1_BLOCK_LENGTH;
+		key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha1_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacsha1_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacsha1_destroy(dst_key_t *key) {
+	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacsha1 = NULL;
+}
+
+static isc_result_t
+hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha1_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacsha1 != NULL);
+
+	hkey = key->keydata.hmacsha1;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha1_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha1_t sha1ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha1_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+		isc_sha1_init(&sha1ctx);
+		isc_sha1_update(&sha1ctx, r.base, r.length);
+		isc_sha1_final(&sha1ctx, hkey->key);
+		keylen = ISC_SHA1_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacsha1 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha1_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacsha1_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacsha1 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacsha1;
+
+	priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA1_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA1, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA1_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha1_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA1_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha1_functions = {
+	hmacsha1_createctx,
+	NULL, /*%< createctx2 */
+	hmacsha1_destroyctx,
+	hmacsha1_adddata,
+	hmacsha1_sign,
+	hmacsha1_verify,
+	NULL, /* verify2 */
+	NULL, /* computesecret */
+	hmacsha1_compare,
+	NULL, /* paramcompare */
+	hmacsha1_generate,
+	hmacsha1_isprivate,
+	hmacsha1_destroy,
+	hmacsha1_todns,
+	hmacsha1_fromdns,
+	hmacsha1_tofile,
+	hmacsha1_parse,
+	NULL, /* cleanup */
+	NULL, /* fromlabel */
+	NULL, /* dump */
+	NULL, /* restore */
+};
+
+isc_result_t
+dst__hmacsha1_init(dst_func_t **funcp) {
+	/*
+	 * Prevent use of incorrect crypto
+	 */
+	RUNTIME_CHECK(isc_sha1_check(false));
+	RUNTIME_CHECK(isc_hmacsha1_check(0));
+
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha1_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacsha224_key {
+	unsigned char key[ISC_SHA224_BLOCK_LENGTH];
+};
+
+static isc_result_t
+hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha224_t *hmacsha224ctx;
+	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+
+	hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
+	if (hmacsha224ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_BLOCK_LENGTH);
+	dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha224_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
+
+	if (hmacsha224ctx != NULL) {
+		isc_hmacsha224_invalidate(hmacsha224ctx);
+		isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
+		dctx->ctxdata.hmacsha224ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
+
+	isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha224_sign(hmacsha224ctx, digest, ISC_SHA224_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA224_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
+
+	if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha224_verify(hmacsha224ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacsha224_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacsha224;
+	hkey2 = key2->keydata.hmacsha224;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA224_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_SHA224_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_SHA224_BLOCK_LENGTH) {
+		bytes = ISC_SHA224_BLOCK_LENGTH;
+		key->key_size = ISC_SHA224_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha224_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacsha224_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacsha224_destroy(dst_key_t *key) {
+	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacsha224 = NULL;
+}
+
+static isc_result_t
+hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha224_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacsha224 != NULL);
+
+	hkey = key->keydata.hmacsha224;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha224_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha224_t sha224ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha224_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA224_BLOCK_LENGTH) {
+		isc_sha224_init(&sha224ctx);
+		isc_sha224_update(&sha224ctx, r.base, r.length);
+		isc_sha224_final(hkey->key, &sha224ctx);
+		keylen = ISC_SHA224_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacsha224 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha224_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacsha224_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacsha224 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacsha224;
+
+	priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA224_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA224, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA224_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha224_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA224_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha224_functions = {
+	hmacsha224_createctx,
+	NULL, /*%< createctx2 */
+	hmacsha224_destroyctx,
+	hmacsha224_adddata,
+	hmacsha224_sign,
+	hmacsha224_verify,
+	NULL, /* verify2 */
+	NULL, /* computesecret */
+	hmacsha224_compare,
+	NULL, /* paramcompare */
+	hmacsha224_generate,
+	hmacsha224_isprivate,
+	hmacsha224_destroy,
+	hmacsha224_todns,
+	hmacsha224_fromdns,
+	hmacsha224_tofile,
+	hmacsha224_parse,
+	NULL, /* cleanup */
+	NULL, /* fromlabel */
+	NULL, /* dump */
+	NULL, /* restore */
+};
+
+isc_result_t
+dst__hmacsha224_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha224_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacsha256_key {
+	unsigned char key[ISC_SHA256_BLOCK_LENGTH];
+};
+
+static isc_result_t
+hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha256_t *hmacsha256ctx;
+	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+
+	hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
+	if (hmacsha256ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_BLOCK_LENGTH);
+	dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha256_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
+
+	if (hmacsha256ctx != NULL) {
+		isc_hmacsha256_invalidate(hmacsha256ctx);
+		isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
+		dctx->ctxdata.hmacsha256ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
+
+	isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha256_sign(hmacsha256ctx, digest, ISC_SHA256_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA256_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
+
+	if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha256_verify(hmacsha256ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacsha256_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacsha256;
+	hkey2 = key2->keydata.hmacsha256;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA256_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_SHA256_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_SHA256_BLOCK_LENGTH) {
+		bytes = ISC_SHA256_BLOCK_LENGTH;
+		key->key_size = ISC_SHA256_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha256_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacsha256_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacsha256_destroy(dst_key_t *key) {
+	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacsha256 = NULL;
+}
+
+static isc_result_t
+hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha256_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacsha256 != NULL);
+
+	hkey = key->keydata.hmacsha256;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha256_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha256_t sha256ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha256_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA256_BLOCK_LENGTH) {
+		isc_sha256_init(&sha256ctx);
+		isc_sha256_update(&sha256ctx, r.base, r.length);
+		isc_sha256_final(hkey->key, &sha256ctx);
+		keylen = ISC_SHA256_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacsha256 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha256_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacsha256_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacsha256 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacsha256;
+
+	priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA256_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA256, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA256_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha256_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA256_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha256_functions = {
+	hmacsha256_createctx,
+	NULL, /*%< createctx2 */
+	hmacsha256_destroyctx,
+	hmacsha256_adddata,
+	hmacsha256_sign,
+	hmacsha256_verify,
+	NULL, /* verify2 */
+	NULL, /* computesecret */
+	hmacsha256_compare,
+	NULL, /* paramcompare */
+	hmacsha256_generate,
+	hmacsha256_isprivate,
+	hmacsha256_destroy,
+	hmacsha256_todns,
+	hmacsha256_fromdns,
+	hmacsha256_tofile,
+	hmacsha256_parse,
+	NULL, /* cleanup */
+	NULL, /* fromlabel */
+	NULL, /* dump */
+	NULL, /* restore */
+};
+
+isc_result_t
+dst__hmacsha256_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha256_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacsha384_key {
+	unsigned char key[ISC_SHA384_BLOCK_LENGTH];
+};
+
+static isc_result_t
+hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha384_t *hmacsha384ctx;
+	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+
+	hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
+	if (hmacsha384ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_BLOCK_LENGTH);
+	dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha384_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
+
+	if (hmacsha384ctx != NULL) {
+		isc_hmacsha384_invalidate(hmacsha384ctx);
+		isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
+		dctx->ctxdata.hmacsha384ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
+
+	isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha384_sign(hmacsha384ctx, digest, ISC_SHA384_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA384_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
+
+	if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha384_verify(hmacsha384ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacsha384_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacsha384;
+	hkey2 = key2->keydata.hmacsha384;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA384_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_SHA384_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_SHA384_BLOCK_LENGTH) {
+		bytes = ISC_SHA384_BLOCK_LENGTH;
+		key->key_size = ISC_SHA384_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha384_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacsha384_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacsha384_destroy(dst_key_t *key) {
+	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacsha384 = NULL;
+}
+
+static isc_result_t
+hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha384_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacsha384 != NULL);
+
+	hkey = key->keydata.hmacsha384;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha384_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha384_t sha384ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha384_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA384_BLOCK_LENGTH) {
+		isc_sha384_init(&sha384ctx);
+		isc_sha384_update(&sha384ctx, r.base, r.length);
+		isc_sha384_final(hkey->key, &sha384ctx);
+		keylen = ISC_SHA384_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacsha384 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha384_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacsha384_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacsha384 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacsha384;
+
+	priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA384_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA384, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA384_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha384_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA384_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha384_functions = {
+	hmacsha384_createctx,
+	NULL, /*%< createctx2 */
+	hmacsha384_destroyctx,
+	hmacsha384_adddata,
+	hmacsha384_sign,
+	hmacsha384_verify,
+	NULL, /* verify2 */
+	NULL, /* computesecret */
+	hmacsha384_compare,
+	NULL, /* paramcompare */
+	hmacsha384_generate,
+	hmacsha384_isprivate,
+	hmacsha384_destroy,
+	hmacsha384_todns,
+	hmacsha384_fromdns,
+	hmacsha384_tofile,
+	hmacsha384_parse,
+	NULL, /* cleanup */
+	NULL, /* fromlabel */
+	NULL, /* dump */
+	NULL, /* restore */
+};
+
+isc_result_t
+dst__hmacsha384_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha384_functions;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+struct dst_hmacsha512_key {
+	unsigned char key[ISC_SHA512_BLOCK_LENGTH];
+};
+
+static isc_result_t
+hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_hmacsha512_t *hmacsha512ctx;
+	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+
+	hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
+	if (hmacsha512ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_BLOCK_LENGTH);
+	dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+hmacsha512_destroyctx(dst_context_t *dctx) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
+
+	if (hmacsha512ctx != NULL) {
+		isc_hmacsha512_invalidate(hmacsha512ctx);
+		isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
+		dctx->ctxdata.hmacsha512ctx = NULL;
+	}
+}
+
+static isc_result_t
+hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
+
+	isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
+	unsigned char *digest;
+
+	if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
+		return (ISC_R_NOSPACE);
+	digest = isc_buffer_used(sig);
+	isc_hmacsha512_sign(hmacsha512ctx, digest, ISC_SHA512_DIGESTLENGTH);
+	isc_buffer_add(sig, ISC_SHA512_DIGESTLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
+
+	if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
+		return (DST_R_VERIFYFAILURE);
+
+	if (isc_hmacsha512_verify(hmacsha512ctx, sig->base, sig->length))
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_VERIFYFAILURE);
+}
+
+static bool
+hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	dst_hmacsha512_key_t *hkey1, *hkey2;
+
+	hkey1 = key1->keydata.hmacsha512;
+	hkey2 = key2->keydata.hmacsha512;
+
+	if (hkey1 == NULL && hkey2 == NULL)
+		return (true);
+	else if (hkey1 == NULL || hkey2 == NULL)
+		return (false);
+
+	if (isc_safe_memequal(hkey1->key, hkey2->key, ISC_SHA512_BLOCK_LENGTH))
+		return (true);
+	else
+		return (false);
+}
+
+static isc_result_t
+hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
+		    void (*callback)(int))
+{
+	isc_buffer_t b;
+	isc_result_t ret;
+	unsigned int bytes;
+	unsigned char data[ISC_SHA512_BLOCK_LENGTH];
+
+	UNUSED(callback);
+
+	bytes = (key->key_size + 7) / 8;
+	if (bytes > ISC_SHA512_BLOCK_LENGTH) {
+		bytes = ISC_SHA512_BLOCK_LENGTH;
+		key->key_size = ISC_SHA512_BLOCK_LENGTH * 8;
+	}
+
+	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
+	ret = dst__entropy_getdata(data, bytes, pseudorandom_ok);
+
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_init(&b, data, bytes);
+	isc_buffer_add(&b, bytes);
+	ret = hmacsha512_fromdns(key, &b);
+	isc_safe_memwipe(data, sizeof(data));
+
+	return (ret);
+}
+
+static bool
+hmacsha512_isprivate(const dst_key_t *key) {
+	UNUSED(key);
+	return (true);
+}
+
+static void
+hmacsha512_destroy(dst_key_t *key) {
+	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
+	key->keydata.hmacsha512 = NULL;
+}
+
+static isc_result_t
+hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha512_key_t *hkey;
+	unsigned int bytes;
+
+	REQUIRE(key->keydata.hmacsha512 != NULL);
+
+	hkey = key->keydata.hmacsha512;
+
+	bytes = (key->key_size + 7) / 8;
+	if (isc_buffer_availablelength(data) < bytes)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putmem(data, hkey->key, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	dst_hmacsha512_key_t *hkey;
+	int keylen;
+	isc_region_t r;
+	isc_sha512_t sha512ctx;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha512_key_t));
+	if (hkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(hkey->key, 0, sizeof(hkey->key));
+
+	if (r.length > ISC_SHA512_BLOCK_LENGTH) {
+		isc_sha512_init(&sha512ctx);
+		isc_sha512_update(&sha512ctx, r.base, r.length);
+		isc_sha512_final(hkey->key, &sha512ctx);
+		keylen = ISC_SHA512_DIGESTLENGTH;
+	} else {
+		memmove(hkey->key, r.base, r.length);
+		keylen = r.length;
+	}
+
+	key->key_size = keylen * 8;
+	key->keydata.hmacsha512 = hkey;
+
+	isc_buffer_forward(data, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacsha512_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	dst_hmacsha512_key_t *hkey;
+	dst_private_t priv;
+	int bytes = (key->key_size + 7) / 8;
+	unsigned char buf[2];
+
+	if (key->keydata.hmacsha512 == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	hkey = key->keydata.hmacsha512;
+
+	priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
+	priv.elements[cnt].length = bytes;
+	priv.elements[cnt++].data = hkey->key;
+
+	buf[0] = (key->key_bits >> 8) & 0xffU;
+	buf[1] = key->key_bits & 0xffU;
+	priv.elements[cnt].tag = TAG_HMACSHA512_BITS;
+	priv.elements[cnt].data = buf;
+	priv.elements[cnt++].length = 2;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t result, tresult;
+	isc_buffer_t b;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+
+	UNUSED(pub);
+	/* read private key file */
+	result = dst__privstruct_parse(key, DST_ALG_HMACSHA512, lexer, mctx,
+				       &priv);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (key->external)
+		result = DST_R_EXTERNALKEY;
+
+	key->key_bits = 0;
+	for (i = 0; i < priv.nelements && result == ISC_R_SUCCESS; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_HMACSHA512_KEY:
+			isc_buffer_init(&b, priv.elements[i].data,
+					priv.elements[i].length);
+			isc_buffer_add(&b, priv.elements[i].length);
+			tresult = hmacsha512_fromdns(key, &b);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		case TAG_HMACSHA512_BITS:
+			tresult = getkeybits(key, &priv.elements[i]);
+			if (tresult != ISC_R_SUCCESS)
+				result = tresult;
+			break;
+		default:
+			result = DST_R_INVALIDPRIVATEKEY;
+			break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (result);
+}
+
+static dst_func_t hmacsha512_functions = {
+	hmacsha512_createctx,
+	NULL, /*%< createctx2 */
+	hmacsha512_destroyctx,
+	hmacsha512_adddata,
+	hmacsha512_sign,
+	hmacsha512_verify,
+	NULL, /* verify2 */
+	NULL, /* computesecret */
+	hmacsha512_compare,
+	NULL, /* paramcompare */
+	hmacsha512_generate,
+	hmacsha512_isprivate,
+	hmacsha512_destroy,
+	hmacsha512_todns,
+	hmacsha512_fromdns,
+	hmacsha512_tofile,
+	hmacsha512_parse,
+	NULL, /* cleanup */
+	NULL, /* fromlabel */
+	NULL, /* dump */
+	NULL, /* restore */
+};
+
+isc_result_t
+dst__hmacsha512_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &hmacsha512_functions;
+	return (ISC_R_SUCCESS);
+}
+
+/*! \file */
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
new file mode 100644
index 0000000..5467ea1
--- /dev/null
+++ b/lib/dns/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	dns dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
new file mode 100644
index 0000000..59897fe
--- /dev/null
+++ b/lib/dns/include/dns/Makefile.in
@@ -0,0 +1,60 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	acache.h acl.h adb.h badcache.h bit.h byaddr.h \
+		cache.h callbacks.h catz.h cert.h \
+		client.h clientinfo.h compress.h \
+		db.h dbiterator.h dbtable.h diff.h dispatch.h \
+		dlz.h dlz_dlopen.h dns64.h dnssec.h ds.h dsdigest.h \
+		dnstap.h dyndb.h \
+		edns.h ecdb.h events.h fixedname.h forward.h geoip.h \
+		ipkeylist.h iptable.h \
+		journal.h keydata.h keyflags.h keytable.h keyvalues.h \
+		lib.h lookup.h log.h master.h masterdump.h message.h \
+		name.h ncache.h nsec.h nsec3.h nta.h opcode.h order.h \
+		peer.h portlist.h private.h \
+		rbt.h rcode.h rdata.h rdataclass.h rdatalist.h \
+		rdataset.h rdatasetiter.h rdataslab.h rdatatype.h request.h \
+		resolver.h result.h rootns.h rpz.h rriterator.h rrl.h \
+		sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h stats.h \
+		tcpmsg.h time.h timer.h tkey.h tsec.h tsig.h ttl.h types.h \
+		update.h validator.h version.h view.h xfrin.h \
+		zone.h zonekey.h zt.h
+
+GENHEADERS =	@DNSTAP_PB_C_H@ enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dns
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns || exit 1; \
+	done
+	for i in ${GENHEADERS}; do \
+		${INSTALL_DATA} $$i ${DESTDIR}${includedir}/dns || exit 1; \
+	done
+
+uninstall::
+	for i in ${GENHEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dns/$$i || exit 1; \
+	done
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dns/$$i || exit 1; \
+	done
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
new file mode 100644
index 0000000..7b1dcd7
--- /dev/null
+++ b/lib/dns/include/dns/acache.h
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: acache.h,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
+
+#ifndef DNS_ACACHE_H
+#define DNS_ACACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Acache
+ *
+ * The Additional Cache Object
+ *
+ *	This module manages internal caching entries that correspond to
+ *	the additional section data of a DNS DB node (an RRset header, more
+ *	accurately).  An additional cache entry is expected to be (somehow)
+ *	attached to a particular RR in a particular DB node, and contains a set
+ *	of information of an additional data for the DB node.
+ *
+ *	An additional cache object is intended to be created as a per-view
+ *	object, and manages all cache entries within the view.
+ *
+ *	The intended usage of the additional caching is to provide a short cut
+ *	to additional glue RRs of an NS RR.  For each NS RR, it is often
+ *	necessary to look for glue RRs to make a proper response.  Once the
+ *	glue RRs are known, the additional caching allows the client to
+ *	associate the information to the original NS RR so that further
+ *	expensive lookups can be avoided for the NS RR.
+ *
+ *	Each additional cache entry contains information to identify a
+ *	particular DB node and (optionally) an associated RRset.  The
+ *	information consists of its zone, database, the version of the
+ *	database, database node, and RRset.
+ *
+ *	A "negative" information can also be cached.  For example, if a glue
+ *	RR does not exist as an authoritative data in the same zone as that
+ *	of the NS RR, this fact can be cached by specifying a NULL pointer
+ *	for the database, version, and node.  (See the description for
+ *	dns_acache_getentry() below for more details.)
+ *
+ *	Since each member stored in an additional cache entry holds a reference
+ *	to a corresponding object, a stale cache entry may cause unnecessary
+ *	memory consumption.  For instance, when a zone is reloaded, additional
+ *	cache entries that have a reference to the zone (and its DB and/or
+ *	DB nodes) can delay the cleanup of the referred objects.  In order to
+ *	minimize such a bad effect, this module provides several cleanup
+ *	mechanisms.
+ *
+ *	The first one is a shutdown procedure called when the associated view
+ *	is shut down.  In this case, dns_acache_shutdown() will be called and
+ *	all cache entries will be purged.  This mechanism will help the
+ *	situation when the configuration is reloaded or the main server is
+ *	stopped.
+ *
+ *	Per-DB cleanup mechanism is also provided.  Each additional cache entry
+ *	is associated with related DB, which is expected to have been
+ *	registered when the DB was created by dns_acache_setdb().  If a
+ *	particular DB is going to be destroyed, the primary holder of the DB,
+ *	a typical example of which is a zone, will call dns_acache_putdb().
+ *	Then this module will clean-up all cache entries associated with the
+ *	DB.  This mechanism is effective when a secondary zone DB is going to
+ *	be stale after a zone transfer.
+ *
+ *	Finally, this module supports for periodic clean-up of stale entries.
+ *	Each cache entry has a timestamp field, which is updated every time
+ *	the entry is referred.  A periodically invoked cleaner checks the
+ *	timestamp of each entry, and purge entries that have not been referred
+ *	for a certain period.  The cleaner interval can be specified by
+ *	dns_acache_setcleaninginterval().  If the periodic clean-up is not
+ *	enough, it is also possible to specify the upper limit of entries
+ *	in terms of the memory consumption.  If the maximum value is
+ *	specified, the cleaner is invoked when the memory consumption reaches
+ *	the high watermark inferred from the maximum value.  In this case,
+ *	the cleaner will use more aggressive algorithm to decide the "victim"
+ *	entries.  The maximum value can be specified by
+ *	dns_acache_setcachesize().
+ *
+ *	When a cache entry is going to be purged within this module, the
+ *	callback function specified at the creation time will be called.
+ *	The callback function is expected to release all internal resources
+ *	related to the entry, which will typically be specific to DB
+ *	implementation, and to call dns_acache_detachentry().  The callback
+ *	mechanism is very important, since the holder of an additional cache
+ *	entry may not be able to initiate the clean-up of the entry, due to
+ *	the reference ordering.  For example, as long as an additional cache
+ *	entry has a reference to a DB object, the DB cannot be freed, in which
+ *	a DB node may have a reference to the cache entry.
+ *
+ *	Credits:
+ *	The basic idea of this kind of short-cut for frequently used
+ *	information is similar to the "pre-compiled answer" approach adopted
+ *	in nsd by NLnet LABS with RIPE NCC.  Our work here is an independent
+ *	effort, but the success of nsd encouraged us to pursue this path.
+ *
+ *	The design and implementation of the periodic memory management and
+ *	the upper limitation of memory consumption was derived from the cache
+ *	DB implementation of BIND9.
+ *
+ * MP:
+ *	There are two main locks in this module.  One is for each entry, and
+ *	the other is for the additional cache object.
+ *
+ * Reliability:
+ *	The callback function for a cache entry is called with holding the
+ *	entry lock.  Thus, it implicitly assumes the callback function does not
+ *	call a function that can require the lock.  Typically, the only
+ *	function that can be called from the callback function safely is
+ *	dns_acache_detachentry().  The breakage of this implicit assumption
+ *	may cause a deadlock.
+ *
+ * Resources:
+ *	In a 32-bit architecture (such as i386), the following additional
+ *	memory is required comparing to the case that disables this module.
+ *	- 76 bytes for each additional cache entry
+ *	- if the entry has a DNS name and associated RRset,
+ *	  * 44 bytes + size of the name (1-255 bytes)
+ *	  * 52 bytes x number_of_RRs
+ *	- 28 bytes for each DB related to this module
+ *
+ *	Using the additional cache also requires extra memory consumption in
+ *	the DB implementation.  In the current implementation for rbtdb, we
+ *	need:
+ *	- two additional pointers for each DB node (8 bytes for a 32-bit
+ *	  architecture
+ *	- for each RR associated to an RR in a DB node, we also need
+ *	  a pointer and management objects to support the additional cache
+ *	  function.  These are allocated on-demand.  The total size is
+ *	  32 bytes for a 32-bit architecture.
+ *
+ * Security:
+ *	Since this module does not handle any low-level data directly,
+ *	no security issue specific to this module is anticipated.
+ *
+ * Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/mutex.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+/***
+ *** Functions
+ ***/
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_acache_create(dns_acache_t **acachep, isc_mem_t *mctx,
+		  isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr);
+/*
+ * Create a new DNS additional cache object.
+ *
+ * Requires:
+ *
+ *	'mctx' is a valid memory context
+ *
+ *	'taskmgr' is a valid task manager
+ *
+ *	'timermgr' is a valid timer or NULL.  If NULL, no periodic cleaning of
+ *	the cache will take place.
+ *
+ *	'acachep' is a valid pointer, and *acachep == NULL
+ *
+ * Ensures:
+ *
+ *	'*acachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_UNEXPECTED
+ */
+
+void
+dns_acache_attach(dns_acache_t *source, dns_acache_t **targetp);
+/*
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ *	'acache' is a valid additional cache.
+ *
+ *	'targetp' points to a NULL dns_acache_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to the 'source' additional cache.
+ */
+
+void
+dns_acache_detach(dns_acache_t **acachep);
+/*
+ * Detach *acachep from its cache.
+ *
+ * Requires:
+ *
+ *	'*acachep' points to a valid additional cache.
+ *
+ * Ensures:
+ *
+ *	*acachep is NULL.
+ *
+ *	If '*acachep' is the last reference to the cache and the additional
+ *	cache does not have an outstanding task, all resources used by the
+ *	cache will be freed.
+ */
+
+void
+dns_acache_setcleaninginterval(dns_acache_t *acache, unsigned int t);
+/*
+ * Set the periodic cleaning interval of an additional cache to 'interval'
+ * seconds.
+ */
+
+void
+dns_acache_setcachesize(dns_acache_t *acache, size_t size);
+/*
+ * Set the maximum additional cache size.  0 means unlimited.
+ */
+
+isc_result_t
+dns_acache_setdb(dns_acache_t *acache, dns_db_t *db);
+/*
+ * Set 'db' in 'acache' when the db can be referred from acache, in order
+ * to provide a hint for resolving the back reference.
+ *
+ * Requires:
+ *	'acache' is a valid acache pointer.
+ *	'db' is a valid DNS DB pointer.
+ *
+ * Ensures:
+ *	'acache' will have a reference to 'db'.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_EXISTS	(which means the specified 'db' is already set)
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_putdb(dns_acache_t *acache, dns_db_t *db);
+/*
+ * Release 'db' from 'acache' if it has been set by dns_acache_setdb().
+ *
+ * Requires:
+ *	'acache' is a valid acache pointer.
+ *	'db' is a valid DNS DB pointer.
+ *
+ * Ensures:
+ *	'acache' will release the reference to 'db'.  Additionally, the content
+ *	of each cache entry that is related to the 'db' will be released via
+ *	the callback function.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND	(which means the specified 'db' is not set in 'acache')
+ *	ISC_R_NOMEMORY
+ */
+
+void
+dns_acache_shutdown(dns_acache_t *acache);
+/*
+ * Shutdown 'acache'.
+ *
+ * Requires:
+ *
+ * 	'*acache' is a valid additional cache.
+ */
+
+isc_result_t
+dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
+		       void (*callback)(dns_acacheentry_t *, void **),
+		       void *cbarg, dns_acacheentry_t **entryp);
+/*
+ * Create an additional cache entry.  A new entry is created and attached to
+ * the given additional cache object.  A callback function is also associated
+ * with the created entry, which will be called when the cache entry is purged
+ * for some reason.
+ *
+ * Requires:
+ *
+ * 	'acache' is a valid additional cache.
+ *	'entryp' is a valid pointer, and *entryp == NULL
+ *	'origdb' is a valid DNS DB pointer.
+ *	'callback' and 'cbarg' can be NULL.  In this case, however, the entry
+ *	is meaningless (and will be cleaned-up in the next periodical
+ *	cleaning).
+ *
+ * Ensures:
+ *	'*entryp' will point to a new additional cache entry.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_getentry(dns_acacheentry_t *entry, dns_zone_t **zonep,
+		    dns_db_t **dbp, dns_dbversion_t **versionp,
+		    dns_dbnode_t **nodep, dns_name_t *fname,
+		    dns_message_t *msg, isc_stdtime_t now);
+/*
+ * Get content from a particular additional cache entry.
+ *
+ * Requires:
+ *
+ * 	'entry' is a valid additional cache entry.
+ *	'zonep' is a NULL pointer or '*zonep' == NULL (this is the only
+ *	optional parameter.)
+ *	'dbp' is a valid pointer, and '*dbp' == NULL
+ *	'versionp' is a valid pointer, and '*versionp' == NULL
+ *	'nodep' is a valid pointer, and '*nodep' == NULL
+ *	'fname' is a valid DNS name.
+ *	'msg' is a valid DNS message.
+ *
+ * Ensures:
+ *	Several possible cases can happen according to the content.
+ *	1. For a positive cache entry,
+ *	'*zonep' will point to the corresponding zone (if zonep is a valid
+ *	pointer),
+ *	'*dbp' will point to a DB for the zone,
+ *	'*versionp' will point to its version, and
+ *	'*nodep' will point to the corresponding DB node.
+ *	'fname' will have the DNS name of the DB node and contain a list of
+ *	rdataset for the node (which can be an empty list).
+ *
+ * 	2. For a negative cache entry that means no corresponding zone exists,
+ *	'*zonep' == NULL (if zonep is a valid pointer)
+ *	'*dbp', '*versionp', and '*nodep' will be NULL.
+ *
+ *	3. For a negative cache entry that means no corresponding DB node
+ *	exists, '*zonep' will point to the corresponding zone (if zonep is a
+ *	valid pointer),
+ *	'*dbp' will point to a corresponding DB for zone,
+ *	'*versionp' will point to its version.
+ *	'*nodep' will be kept as NULL.
+ *	'fname' will not change.
+ *
+ *	On failure, no new references will be created.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_acache_setentry(dns_acache_t *acache, dns_acacheentry_t *entry,
+		    dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *fname);
+/*
+ * Set content to a particular additional cache entry.
+ *
+ * Requires:
+ *	'acache' is a valid additional cache.
+ *	'entry' is a valid additional cache entry.
+ *	All the others pointers are NULL or a valid pointer of the
+ *	corresponding type.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_NOTFOUND
+ */
+
+bool
+dns_acache_cancelentry(dns_acacheentry_t *entry);
+/*
+ * Cancel the use of the cache entry 'entry'.  This function is supposed to
+ * be called when the node that holds the entry finds the content is not
+ * correct any more.  This function will try to release as much dependency as
+ * possible, and will be ready to be cleaned-up.  The registered callback
+ * function will be canceled and will never called.
+ *
+ * Requires:
+ *	'entry' is a valid additional cache entry.
+ *
+ * Returns:
+ * 	true if the entry was active when canceled
+ */
+
+void
+dns_acache_attachentry(dns_acacheentry_t *source, dns_acacheentry_t **targetp);
+/*
+ * Attach *targetp to the cache entry 'source'.
+ *
+ * Requires:
+ *
+ *	'source' is a valid additional cache entry.
+ *
+ *	'targetp' points to a NULL dns_acacheentry_t *.
+ *
+ * Ensures:
+ *
+ *	*targetp is attached to 'source'.
+ */
+
+void
+dns_acache_detachentry(dns_acacheentry_t **entryp);
+/*
+ * Detach *entryp from its cache.
+ *
+ * Requires:
+ *
+ *	'*entryp' points to a valid additional cache entry.
+ *
+ * Ensures:
+ *
+ *	*entryp is NULL.
+ *
+ *	If '*entryp' is the last reference to the entry,
+ *	cache does not have an outstanding task, all resources used by the
+ *	entry (including the entry object itself) will be freed.
+ */
+
+void
+dns_acache_countquerymiss(dns_acache_t *acache);
+/*
+ * Count up a missed acache query.  XXXMLG need more docs.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACACHE_H */
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
new file mode 100644
index 0000000..c8a7833
--- /dev/null
+++ b/lib/dns/include/dns/acl.h
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */
+
+#ifndef DNS_ACL_H
+#define DNS_ACL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/acl.h
+ * \brief
+ * Address match list handling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+
+#ifdef HAVE_GEOIP
+#include <dns/geoip.h>
+#endif
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/iptable.h>
+
+#ifdef HAVE_GEOIP
+#include <GeoIP.h>
+#endif
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	dns_aclelementtype_ipprefix,
+	dns_aclelementtype_keyname,
+	dns_aclelementtype_nestedacl,
+	dns_aclelementtype_localhost,
+	dns_aclelementtype_localnets,
+#ifdef HAVE_GEOIP
+	dns_aclelementtype_geoip,
+#endif /* HAVE_GEOIP */
+	dns_aclelementtype_any
+} dns_aclelementtype_t;
+
+typedef struct dns_aclipprefix dns_aclipprefix_t;
+
+struct dns_aclipprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int prefixlen;
+};
+
+struct dns_aclelement {
+	dns_aclelementtype_t	type;
+	bool		negative;
+	dns_name_t		keyname;
+#ifdef HAVE_GEOIP
+	dns_geoip_elem_t	geoip_elem;
+#endif /* HAVE_GEOIP */
+	dns_acl_t		*nestedacl;
+	int			node_num;
+};
+
+struct dns_acl {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_refcount_t		refcount;
+	dns_iptable_t		*iptable;
+#define node_count		iptable->radix->num_added_node
+	dns_aclelement_t	*elements;
+	bool 		has_negatives;
+	unsigned int 		alloc;		/*%< Elements allocated */
+	unsigned int 		length;		/*%< Elements initialized */
+	char 			*name;		/*%< Temporary use only */
+	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
+};
+
+struct dns_aclenv {
+	dns_acl_t *localhost;
+	dns_acl_t *localnets;
+	bool match_mapped;
+#ifdef HAVE_GEOIP
+	dns_geoip_databases_t *geoip;
+	bool geoip_use_ecs;
+#endif
+};
+
+#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
+#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
+/*%<
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
+ */
+
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
+/*%<
+ * Create a new ACL that matches everything.
+ */
+
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
+/*%<
+ * Create a new ACL that matches nothing.
+ */
+
+bool
+dns_acl_isany(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ any; }"
+ */
+
+bool
+dns_acl_isnone(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ none; }"
+ */
+
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos);
+/*%<
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+/*%<
+ * Attach to acl 'source'.
+ *
+ * Requires:
+ *\li	'source' to be a valid acl.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_acl_detach(dns_acl_t **aclp);
+/*%<
+ * Detach the acl. On final detach the acl must not be linked on any
+ * list.
+ *
+ * Requires:
+ *\li	'*aclp' to be a valid acl.
+ *
+ * Insists:
+ *\li	'*aclp' is not linked on final detach.
+ */
+
+bool
+dns_acl_isinsecure(const dns_acl_t *a);
+/*%<
+ * Return #true iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns #false is safe.
+ */
+
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+/*%<
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env);
+
+isc_result_t
+dns_acl_match(const isc_netaddr_t *reqaddr,
+	      const dns_name_t *reqsigner,
+	      const dns_acl_t *acl,
+	      const dns_aclenv_t *env,
+	      int *match,
+	      const dns_aclelement_t **matchelt);
+
+isc_result_t
+dns_acl_match2(const isc_netaddr_t *reqaddr,
+	       const dns_name_t *reqsigner,
+	       const isc_netaddr_t *ecs,
+	       uint8_t ecslen,
+	       uint8_t *scope,
+	       const dns_acl_t *acl,
+	       const dns_aclenv_t *env,
+	       int *match,
+	       const dns_aclelement_t **matchelt);
+/*%<
+ * General, low-level ACL matching.  This is expected to
+ * be useful even for weird stuff like the topology and sortlist statements.
+ *
+ * Match the address 'reqaddr', and optionally the key name 'reqsigner',
+ * and optionally the client prefix 'ecs' of length 'ecslen'
+ * (reported via EDNS client subnet option) against 'acl'.
+ *
+ * 'reqsigner' and 'ecs' may be NULL.  If an ACL matches against 'ecs'
+ * and 'ecslen', then 'scope' will be set to indicate the netmask that
+ * matched.
+ *
+ * If there is a match, '*match' will be set to an integer whose absolute
+ * value corresponds to the order in which the matching value was inserted
+ * into the ACL.  For a positive match, this value will be positive; for a
+ * negative match, it will be negative.
+ *
+ * If there is no match, *match will be set to zero.
+ *
+ * If there is a match in the element list (either positive or negative)
+ * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
+ * element.
+ *
+ * 'env' points to the current ACL environment, including the
+ * current values of localhost and localnets and (if applicable)
+ * the GeoIP context.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Always succeeds.
+ */
+
+bool
+dns_aclelement_match(const isc_netaddr_t *reqaddr,
+		     const dns_name_t *reqsigner,
+		     const dns_aclelement_t *e,
+		     const dns_aclenv_t *env,
+		     const dns_aclelement_t **matchelt);
+
+bool
+dns_aclelement_match2(const isc_netaddr_t *reqaddr,
+		      const dns_name_t *reqsigner,
+		      const isc_netaddr_t *ecs,
+		      uint8_t ecslen,
+		      uint8_t *scope,
+		      const dns_aclelement_t *e,
+		      const dns_aclenv_t *env,
+		      const dns_aclelement_t **matchelt);
+/*%<
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns true iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative.  Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
new file mode 100644
index 0000000..ca35bac
--- /dev/null
+++ b/lib/dns/include/dns/adb.h
@@ -0,0 +1,841 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ADB_H
+#define DNS_ADB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/adb.h
+ *\brief
+ * DNS Address Database
+ *
+ * This module implements an address database (ADB) for mapping a name
+ * to an isc_sockaddr_t. It also provides statistical information on
+ * how good that address might be.
+ *
+ * A client will pass in a dns_name_t, and the ADB will walk through
+ * the rdataset looking up addresses associated with the name.  If it
+ * is found on the internal lists, a structure is filled in with the
+ * address information and stats for found addresses.
+ *
+ * If the name cannot be found on the internal lists, a new entry will
+ * be created for a name if all the information needed can be found
+ * in the zone table or cache.  This new address will then be returned.
+ *
+ * If a request must be made to remote servers to satisfy a name lookup,
+ * this module will start fetches to try to complete these addresses.  When
+ * at least one more completes, an event is sent to the caller.  If none of
+ * them resolve before the fetch times out, an event indicating this is
+ * sent instead.
+ *
+ * Records are stored internally until a timer expires. The timer is the
+ * smaller of the TTL or signature validity period.
+ *
+ * Lameness is stored per <qname,qtype> tuple, and this data hangs off each
+ * address field.  When an address is marked lame for a given tuple the address
+ * will not be returned to a caller.
+ *
+ *
+ * MP:
+ *
+ *\li	The ADB takes care of all necessary locking.
+ *
+ *\li	Only the task which initiated the name lookup can cancel the lookup.
+ *
+ *
+ * Security:
+ *
+ *\li	None, since all data stored is required to be pre-filtered.
+ *	(Cache needs to be sane, fetches return bounds-checked and sanity-
+ *       checked data, caller passes a good dns_name_t for the zone, etc)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Magic number checks
+ ***/
+
+#define DNS_ADBFIND_MAGIC	  ISC_MAGIC('a','d','b','H')
+#define DNS_ADBFIND_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
+#define DNS_ADBADDRINFO_MAGIC	  ISC_MAGIC('a','d','A','I')
+#define DNS_ADBADDRINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
+
+
+/***
+ *** TYPES
+ ***/
+
+typedef struct dns_adbname		dns_adbname_t;
+
+/*!
+ *\brief
+ * Represents a lookup for a single name.
+ *
+ * On return, the client can safely use "list", and can reorder the list.
+ * Items may not be _deleted_ from this list, however, or added to it
+ * other than by using the dns_adb_*() API.
+ */
+struct dns_adbfind {
+	/* Public */
+	unsigned int			magic;		/*%< RO: magic */
+	dns_adbaddrinfolist_t		list;		/*%< RO: list of addrs */
+	unsigned int			query_pending;	/*%< RO: partial list */
+	unsigned int			partial_result;	/*%< RO: addrs missing */
+	unsigned int			options;	/*%< RO: options */
+	isc_result_t			result_v4;	/*%< RO: v4 result */
+	isc_result_t			result_v6;	/*%< RO: v6 result */
+	ISC_LINK(dns_adbfind_t)		publink;	/*%< RW: client use */
+
+	/* Private */
+	isc_mutex_t			lock;		/* locks all below */
+	in_port_t			port;
+	int				name_bucket;
+	unsigned int			flags;
+	dns_adbname_t		       *adbname;
+	dns_adb_t		       *adb;
+	isc_event_t			event;
+	ISC_LINK(dns_adbfind_t)		plink;
+};
+
+/*
+ * _INET:
+ * _INET6:
+ *	return addresses of that type.
+ *
+ * _EMPTYEVENT:
+ *	Only schedule an event if no addresses are known.
+ *	Must set _WANTEVENT for this to be meaningful.
+ *
+ * _WANTEVENT:
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ *
+ * _AVOIDFETCHES:
+ *	If set, fetches will not be generated unless no addresses are
+ *	available in any of the address families requested.
+ *
+ * _STARTATZONE:
+ *	Fetches will start using the closest zone data or use the root servers.
+ *	This is useful for reestablishing glue that has expired.
+ *
+ * _GLUEOK:
+ * _HINTOK:
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ *
+ * _RETURNLAME:
+ *	Return lame servers in a find, so that all addresses are returned.
+ *
+ * _LAMEPRUNED:
+ *	At least one address was omitted from the list because it was lame.
+ *	This bit will NEVER be set if _RETURNLAME is set in the createfind().
+ */
+/*% Return addresses of type INET. */
+#define DNS_ADBFIND_INET		0x00000001
+/*% Return addresses of type INET6. */
+#define DNS_ADBFIND_INET6		0x00000002
+#define DNS_ADBFIND_ADDRESSMASK		0x00000003
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
+#define DNS_ADBFIND_EMPTYEVENT		0x00000004
+/*%
+ *	An event is desired.  Check this bit in the returned find to see
+ *	if one will actually be generated.
+ */
+#define DNS_ADBFIND_WANTEVENT		0x00000008
+/*%
+ *	If set, fetches will not be generated unless no addresses are
+ *	available in any of the address families requested.
+ */
+#define DNS_ADBFIND_AVOIDFETCHES	0x00000010
+/*%
+ *	Fetches will start using the closest zone data or use the root servers.
+ *	This is useful for reestablishing glue that has expired.
+ */
+#define DNS_ADBFIND_STARTATZONE		0x00000020
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
+#define DNS_ADBFIND_GLUEOK		0x00000040
+/*%
+ *	Glue or hints are ok.  These are used when matching names already
+ *	in the adb, and when dns databases are searched.
+ */
+#define DNS_ADBFIND_HINTOK		0x00000080
+/*%
+ *	Return lame servers in a find, so that all addresses are returned.
+ */
+#define DNS_ADBFIND_RETURNLAME		0x00000100
+/*%
+ *      Only schedule an event if no addresses are known.
+ *      Must set _WANTEVENT for this to be meaningful.
+ */
+#define DNS_ADBFIND_LAMEPRUNED		0x00000200
+/*%
+ *      The server's fetch quota is exceeded; it will be treated as
+ *      lame for this query.
+ */
+#define DNS_ADBFIND_OVERQUOTA		0x00000400
+
+/*%
+ * The answers to queries come back as a list of these.
+ */
+struct dns_adbaddrinfo {
+	unsigned int			magic;		/*%< private */
+
+	isc_sockaddr_t			sockaddr;	/*%< [rw] */
+	unsigned int			srtt;		/*%< [rw] microsecs */
+	isc_dscp_t			dscp;
+
+	unsigned int			flags;		/*%< [rw] */
+	dns_adbentry_t		       *entry;		/*%< private */
+	ISC_LINK(dns_adbaddrinfo_t)	publink;
+};
+
+/*!<
+ * The event sent to the caller task is just a plain old isc_event_t.  It
+ * contains no data other than a simple status, passed in the "type" field
+ * to indicate that another address resolved, or all partially resolved
+ * addresses have failed to resolve.
+ *
+ * "sender" is the dns_adbfind_t used to issue this query.
+ *
+ * This is simply a standard event, with the "type" set to:
+ *
+ *\li	#DNS_EVENT_ADBMOREADDRESSES   -- another address resolved.
+ *\li	#DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
+ *					were canceled, or otherwise will
+ *					not be usable.
+ *\li	#DNS_EVENT_ADBCANCELED	     -- The request was canceled by a
+ *					3rd party.
+ *\li	#DNS_EVENT_ADBNAMEDELETED     -- The name was deleted, so this request
+ *					was canceled.
+ *
+ * In each of these cases, the addresses returned by the initial call
+ * to dns_adb_createfind() can still be used until they are no longer needed.
+ */
+
+/****
+ **** FUNCTIONS
+ ****/
+
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
+	       isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
+/*%<
+ * Create a new ADB.
+ *
+ * Notes:
+ *
+ *\li	Generally, applications should not create an ADB directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *\li	'mem' must be a valid memory context.
+ *
+ *\li	'view' be a pointer to a valid view.
+ *
+ *\li	'tmgr' be a pointer to a valid timer manager.
+ *
+ *\li	'taskmgr' be a pointer to a valid task manager.
+ *
+ *\li	'newadb' != NULL && '*newadb' == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	after happiness.
+ *\li	#ISC_R_NOMEMORY	after resource allocation failure.
+ */
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
+/*%
+ * Attach to an 'adb' to 'adbp'.
+ *
+ * Requires:
+ *\li	'adb' to be a valid dns_adb_t, created via dns_adb_create().
+ *\li	'adbp' to be a valid pointer to a *dns_adb_t which is initialized
+ *	to NULL.
+ */
+
+void
+dns_adb_detach(dns_adb_t **adb);
+/*%
+ * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
+ *
+ * Requires:
+ *
+ *\li	'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
+ *	dns_adb_create().
+ */
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
+/*%
+ * Send '*eventp' to 'task' when 'adb' has shutdown.
+ *
+ * Requires:
+ *
+ *\li	'*adb' is a valid dns_adb_t.
+ *
+ *\li	eventp != NULL && *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL
+ *
+ *\li	The event's sender field is set to the value of adb when the event
+ *	is sent.
+ */
+
+void
+dns_adb_shutdown(dns_adb_t *adb);
+/*%<
+ * Shutdown 'adb'.
+ *
+ * Requires:
+ *
+ * \li	'*adb' is a valid dns_adb_t.
+ */
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		   void *arg, dns_name_t *name, dns_name_t *qname,
+		   dns_rdatatype_t qtype, unsigned int options,
+		   isc_stdtime_t now, dns_name_t *target,
+		   in_port_t port, dns_adbfind_t **find);
+isc_result_t
+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+		    void *arg, dns_name_t *name, dns_name_t *qname,
+		    dns_rdatatype_t qtype, unsigned int options,
+		    isc_stdtime_t now, dns_name_t *target, in_port_t port,
+		    unsigned int depth, isc_counter_t *qc,
+		    dns_adbfind_t **find);
+/*%<
+ * Main interface for clients. The adb will look up the name given in
+ * "name" and will build up a list of found addresses, and perhaps start
+ * internal fetches to resolve names that are unknown currently.
+ *
+ * If other addresses resolve after this call completes, an event will
+ * be sent to the <task, taskaction, arg> with the sender of that event
+ * set to a pointer to the dns_adbfind_t returned by this function.
+ *
+ * If no events will be generated, the *find->result_v4 and/or result_v6
+ * members may be examined for address lookup status.  The usual #ISC_R_SUCCESS,
+ * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
+ * #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
+ * latter case, retrying may produce more addresses.
+ *
+ * If events will be returned, the result_v[46] members are only valid
+ * when that event is actually returned.
+ *
+ * The list of addresses returned is unordered.  The caller must impose
+ * any ordering required.  The list will not contain "known bad" addresses,
+ * however.  For instance, it will not return hosts that are known to be
+ * lame for the zone in question.
+ *
+ * The caller cannot (directly) modify the contents of the address list's
+ * fields other than the "link" field.  All values can be read at any
+ * time, however.
+ *
+ * The "now" parameter is used only for determining which entries that
+ * have a specific time to live or expire time should be removed from
+ * the running database.  If specified as zero, the current time will
+ * be retrieved and used.
+ *
+ * If 'target' is not NULL and 'name' is an alias (i.e. the name is
+ * CNAME'd or DNAME'd to another name), then 'target' will be updated with
+ * the domain name that 'name' is aliased to.
+ *
+ * All addresses returned will have the sockaddr's port set to 'port.'
+ * The caller may change them directly in the dns_adbaddrinfo_t since
+ * they are copies of the internal address only.
+ *
+ * XXXMLG  Document options, especially the flags which control how
+ *         events are sent.
+ *
+ * Requires:
+ *
+ *\li	*adb be a valid isc_adb_t object.
+ *
+ *\li	If events are to be sent, *task be a valid task,
+ *	and isc_taskaction_t != NULL.
+ *
+ *\li	*name is a valid dns_name_t.
+ *
+ *\li	qname != NULL and *qname be a valid dns_name_t.
+ *
+ *\li	target == NULL or target is a valid name with a buffer.
+ *
+ *\li	find != NULL && *find == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS	Addresses might have been returned, and events will be
+ *			delivered for unresolved addresses.
+ *\li	#ISC_R_NOMORE	Addresses might have been returned, but no events
+ *			will ever be posted for this context.  This is only
+ *			returned if task != NULL.
+ *\li	#ISC_R_NOMEMORY	insufficient resources
+ *\li	#DNS_R_ALIAS	'name' is an alias for another name.
+ *
+ * Calls, and returns error codes from:
+ *
+ *\li	isc_stdtime_get()
+ *
+ * Notes:
+ *
+ *\li	No internal reference to "name" exists after this function
+ *	returns.
+ */
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find);
+/*%<
+ * Cancels the find, and sends the event off to the caller.
+ *
+ * It is an error to call dns_adb_cancelfind() on a find where
+ * no event is wanted, or will ever be sent.
+ *
+ * Note:
+ *
+ *\li	It is possible that the real completion event was posted just
+ *	before the dns_adb_cancelfind() call was made.  In this case,
+ *	dns_adb_cancelfind() will do nothing.  The event callback needs
+ *	to be prepared to find this situation (i.e. result is valid but
+ *	the caller expects it to be canceled).
+ *
+ * Requires:
+ *
+ *\li	'find' be a valid dns_adbfind_t pointer.
+ *
+ *\li	events would have been posted to the task.  This can be checked
+ *	with (find->options & DNS_ADBFIND_WANTEVENT).
+ *
+ * Ensures:
+ *
+ *\li	The event was posted to the task.
+ */
+
+void
+dns_adb_destroyfind(dns_adbfind_t **find);
+/*%<
+ * Destroys the find reference.
+ *
+ * Note:
+ *
+ *\li	This can only be called after the event was delivered for a
+ *	find.  Additionally, the event MUST have been freed via
+ *	isc_event_free() BEFORE this function is called.
+ *
+ * Requires:
+ *
+ *\li	'find' != NULL and *find be valid dns_adbfind_t pointer.
+ *
+ * Ensures:
+ *
+ *\li	No "address found" events will be posted to the originating task
+ *	after this function returns.
+ */
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f);
+/*%<
+ * This function is only used for debugging.  It will dump as much of the
+ * state of the running system as possible.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	f != NULL, and is a file open for writing.
+ */
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
+/*%<
+ * This function is only used for debugging.  Dump the data associated
+ * with a find.
+ *
+ * Requires:
+ *
+ *\li	find is valid.
+ *
+ * \li	f != NULL, and is a file open for writing.
+ */
+
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *qname,
+		 dns_rdatatype_t type, isc_stdtime_t expire_time);
+/*%<
+ * Mark the given address as lame for the <qname,qtype>.  expire_time should
+ * be set to the time when the entry should expire.  That is, if it is to
+ * expire 10 minutes in the future, it should set it to (now + 10 * 60).
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ *\li	qname be the qname used in the dns_adb_createfind() call.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- could not mark address as lame.
+ */
+
+/*
+ * Reasonable defaults for RTT adjustments
+ *
+ * (Note: these values function both as scaling factors and as
+ * indicators of the type of RTT adjustment operation taking place.
+ * Adjusting the scaling factors is fine, as long as they all remain
+ * unique values.)
+ */
+#define DNS_ADB_RTTADJDEFAULT		7	/*%< default scale */
+#define DNS_ADB_RTTADJREPLACE		0	/*%< replace with our rtt */
+#define DNS_ADB_RTTADJAGE		10	/*%< age this rtt */
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		   unsigned int rtt, unsigned int factor);
+/*%<
+ * Mix the round trip time into the existing smoothed rtt.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ *\li	0 <= factor <= 10
+ *
+ * Note:
+ *
+ *\li	The srtt in addr will be updated to reflect the new global
+ *	srtt value.  This may include changes made by others.
+ */
+
+void
+dns_adb_agesrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr, isc_stdtime_t now);
+/*
+ * dns_adb_agesrtt is equivalent to dns_adb_adjustsrtt with factor
+ * equal to DNS_ADB_RTTADJAGE and the current time passed in.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ *
+ * Note:
+ *
+ *\li	The srtt in addr will be updated to reflect the new global
+ *	srtt value.  This may include changes made by others.
+ */
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		    unsigned int bits, unsigned int mask);
+/*%
+ * Change Flags.
+ *
+ * Set the flags as given by:
+ *
+ *\li	newflags = (oldflags & ~mask) | (bits & mask);
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_setudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size);
+/*%
+ * Update seen UDP response size.  The largest seen will be returned by
+ * dns_adb_getudpsize().
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+unsigned int
+dns_adb_getudpsize(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Return the largest seen UDP response size.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+unsigned int
+dns_adb_probesize(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+unsigned int
+dns_adb_probesize2(dns_adb_t *adb, dns_adbaddrinfo_t *addr, int lookups);
+/*%
+ * Return suggested EDNS UDP size based on observed responses / failures.
+ * 'lookups' is the number of times the current lookup has been attempted.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_plainresponse(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Record a successful plain DNS response.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_timeout(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Record a plain DNS UDP query failed.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+void
+dns_adb_ednsto(dns_adb_t *adb, dns_adbaddrinfo_t *addr, unsigned int size);
+/*%
+ * Record a failed EDNS UDP response and the advertised EDNS UDP buffer size
+ * used.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+bool
+dns_adb_noedns(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Return whether EDNS should be disabled for this server.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
+		     dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
+/*%<
+ * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
+ *
+ * Requires:
+ *
+ *\li	adb is valid.
+ *
+ *\li	sa is valid.
+ *
+ *\li	addrp != NULL && *addrp == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SHUTTINGDOWN
+ */
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
+/*%<
+ * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
+ *
+ * Requires:
+ *
+ *\li	adb is valid.
+ *
+ *\li	*addrp is a valid dns_adbaddrinfo_t *.
+ */
+
+void
+dns_adb_flush(dns_adb_t *adb);
+/*%<
+ * Flushes all cached data from the adb.
+ *
+ * Requires:
+ *\li 	adb is valid.
+ */
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, size_t size);
+/*%<
+ * Set a target memory size.  If memory usage exceeds the target
+ * size entries will be removed before they would have expired on
+ * a random basis.
+ *
+ * If 'size' is 0 then memory usage is unlimited.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ */
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
+/*%<
+ * Flush 'name' from the adb cache.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'name' is valid.
+ */
+
+void
+dns_adb_flushnames(dns_adb_t *adb, dns_name_t *name);
+/*%<
+ * Flush 'name' and all subdomains from the adb cache.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'name' is valid.
+ */
+
+void
+dns_adb_setcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  const unsigned char *cookie, size_t len);
+/*%<
+ * Record the COOKIE associated with this addresss.  If
+ * cookie is NULL or len is zero the recorded COOKIE is cleared.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'addr' is valid.
+ */
+
+size_t
+dns_adb_getcookie(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+		  unsigned char *cookie, size_t len);
+/*
+ * Retieve the saved COOKIE value and store it in 'cookie' which has
+ * size 'len'.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ *\li	'addr' is valid.
+ *
+ * Returns:
+ *	The size of the cookie or zero if it doesn't fit in the buffer
+ *	or it doesn't exist.
+ */
+
+void
+dns_adb_setquota(dns_adb_t *adb, uint32_t quota, uint32_t freq,
+		 double low, double high, double discount);
+/*%<
+ * Set the baseline ADB quota, and configure parameters for the
+ * quota adjustment algorithm.
+ *
+ * If the number of fetches currently waiting for responses from this
+ * address exceeds the current quota, then additional fetches are spilled.
+ *
+ * 'quota' is the highest permissible quota; it will adjust itself
+ * downward in response to detected congestion.
+ *
+ * After every 'freq' fetches have either completed or timed out, an
+ * exponentially weighted moving average of the ratio of timeouts
+ * to responses is calculated.  If the EWMA goes above a 'high'
+ * threshold, then the quota is adjusted down one step; if it drops
+ * below a 'low' threshold, then the quota is adjusted back up one
+ * step.
+ *
+ * The quota adjustment is based on the function (1 / 1 + (n/10)^(3/2)),
+ * for values of n from 0 to 99.  It starts at 100% of the baseline
+ * quota, and descends after 100 steps to 2%.
+ *
+ * 'discount' represents the discount rate of the moving average. Higher
+ * values cause older values to be discounted sooner, providing a faster
+ * response to changes in the timeout ratio.
+ *
+ * Requires:
+ *\li	'adb' is valid.
+ */
+
+bool
+dns_adbentry_overquota(dns_adbentry_t *entry);
+/*%<
+ * Returns true if the specified ADB has too many active fetches.
+ *
+ * Requires:
+ *\li	'entry' is valid.
+ */
+
+void
+dns_adb_beginudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+void
+dns_adb_endudpfetch(dns_adb_t *adb, dns_adbaddrinfo_t *addr);
+/*%
+ * Begin/end a UDP fetch on a particular address.
+ *
+ * These functions increment or decrement the fetch counter for
+ * the ADB entry so that the fetch quota can be enforced.
+ *
+ * Requires:
+ *
+ *\li	adb be valid.
+ *
+ *\li	addr be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/badcache.h b/lib/dns/include/dns/badcache.h
new file mode 100644
index 0000000..276e3cb
--- /dev/null
+++ b/lib/dns/include/dns/badcache.h
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_BADCACHE_H
+#define DNS_BADCACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/badcache.h
+ * \brief
+ * Defines dns_badcache_t, the "bad cache" object.
+ *
+ * Notes:
+ *\li 	A bad cache object is a hash table of name/type tuples,
+ *	indicating whether a given tuple known to be "bad" in some
+ *	sense (e.g., queries for that name and type have been
+ *	returning SERVFAIL). This is used for both the "bad server
+ *	cache" in the resolver and for the "servfail cache" in
+ *	the view.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_badcache_init(isc_mem_t *mctx, unsigned int size, dns_badcache_t **bcp);
+/*%
+ * Allocate and initialize a badcache and store it in '*bcp'.
+ *
+ * Requires:
+ * \li	mctx != NULL
+ * \li	bcp != NULL
+ * \li	*bcp == NULL
+ */
+
+void
+dns_badcache_destroy(dns_badcache_t **bcp);
+/*%
+ * Flush and then free badcache in 'bcp'. '*bcp' is set to NULL on return.
+ *
+ * Requires:
+ * \li	'*bcp' to be a valid badcache
+ */
+
+void
+dns_badcache_add(dns_badcache_t *bc, dns_name_t *name,
+		 dns_rdatatype_t type, bool update,
+		 uint32_t flags, isc_time_t *expire);
+/*%
+ * Adds a badcache entry to the badcache 'bc' for name 'name' and
+ * type 'type'.  If an entry already exists, then it will be updated if
+ * 'update' is true.  The entry will be stored with flags 'flags'
+ * and expiration date 'expire'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache.
+ * \li	name != NULL
+ * \li	expire != NULL
+ */
+
+bool
+dns_badcache_find(dns_badcache_t *bc, dns_name_t *name,
+		  dns_rdatatype_t type, uint32_t *flagp,
+		  isc_time_t *now);
+/*%
+ * Returns true if a record is found in the badcache 'bc' matching
+ * 'name' and 'type', with an expiration date later than 'now'.
+ * If 'flagp' is not NULL, then '*flagp' is updated to the flags
+ * that were stored in the badcache entry.  Returns false if
+ * no matching record is found.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache.
+ * \li	name != NULL
+ * \li	now != NULL
+ */
+
+void
+dns_badcache_flush(dns_badcache_t *bc);
+/*%
+ * Flush the entire bad cache.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ */
+
+void
+dns_badcache_flushname(dns_badcache_t *bc, dns_name_t *name);
+/*%
+ * Flush the bad cache of all entries at 'name'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	name != NULL
+ */
+
+void
+dns_badcache_flushtree(dns_badcache_t *bc, dns_name_t *name);
+/*%
+ * Flush the bad cache of all entries at or below 'name'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	name != NULL
+ */
+
+void
+dns_badcache_print(dns_badcache_t *bc, const char *cachename, FILE *fp);
+/*%
+ * Print the contents of badcache 'bc' (headed by the title 'cachename')
+ * to file pointer 'fp'.
+ *
+ * Requires:
+ * \li	bc to be a valid badcache
+ * \li	cachename != NULL
+ * \li	fp != NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BADCACHE_H */
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
new file mode 100644
index 0000000..9ebb57a
--- /dev/null
+++ b/lib/dns/include/dns/bit.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_BIT_H
+#define DNS_BIT_H 1
+
+/*! \file dns/bit.h */
+
+#include <inttypes.h>
+
+typedef uint64_t dns_bitset_t;
+
+#define DNS_BIT_SET(bit, bitset) \
+	(*(bitset) |= ((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CLEAR(bit, bitset) \
+	(*(bitset) &= ~((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CHECK(bit, bitset) \
+	((*(bitset) & ((dns_bitset_t)1 << (bit)))	\
+	 == ((dns_bitset_t)1 << (bit)))
+
+#endif /* DNS_BIT_H */
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
new file mode 100644
index 0000000..9fe3009
--- /dev/null
+++ b/lib/dns/include/dns/byaddr.h
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_BYADDR_H
+#define DNS_BYADDR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/byaddr.h
+ * \brief
+ * The byaddr module provides reverse lookup services for IPv4 and IPv6
+ * addresses.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A 'dns_byaddrevent_t' is returned when a byaddr completes.
+ * The sender field will be set to the byaddr that completed.  If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address.  The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_byaddrevent {
+	ISC_EVENT_COMMON(struct dns_byaddrevent);
+	isc_result_t			result;
+	dns_namelist_t			names;
+} dns_byaddrevent_t;
+
+/*
+ * This option is deprecated since we now only consider nibbles.
+#define DNS_BYADDROPT_IPV6NIBBLE	0x0001
+ */
+/*% Note DNS_BYADDROPT_IPV6NIBBLE is now deprecated. */
+#define DNS_BYADDROPT_IPV6INT		0x0002
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
+		  unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
+/*%<
+ * Find the domain name of 'address'.
+ *
+ * Notes:
+ *
+ *\li	There is a reverse lookup format for IPv6 addresses, 'nibble'
+ *
+ *\li	The 'nibble' format for that address is
+ *
+ * \code
+ *   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
+ * \endcode
+ *
+ *\li	#DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid mctx.
+ *
+ *\li	'address' is a valid IPv4 or IPv6 address.
+ *
+ *\li	'view' is a valid view which has a resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	byaddrp != NULL && *byaddrp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Any resolver-related error (e.g. #ISC_R_SHUTTINGDOWN) may also be
+ *	returned.
+ */
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr);
+/*%<
+ * Cancel 'byaddr'.
+ *
+ * Notes:
+ *
+ *\li	If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'byaddr' is a valid byaddr.
+ */
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp);
+/*%<
+ * Destroy 'byaddr'.
+ *
+ * Requires:
+ *
+ *\li	'*byaddrp' is a valid byaddr.
+ *
+ *\li	The caller has received the #DNS_EVENT_BYADDRDONE event (either because
+ *	the byaddr completed or because dns_byaddr_cancel() was called).
+ *
+ * Ensures:
+ *
+ *\li	*byaddrp == NULL.
+ */
+
+isc_result_t
+dns_byaddr_createptrname(isc_netaddr_t *address, bool nibble,
+			 dns_name_t *name);
+
+isc_result_t
+dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
+			  dns_name_t *name);
+/*%<
+ * Creates a name that would be used in a PTR query for this address.  The
+ * nibble flag indicates that the 'nibble' format is to be used if an IPv6
+ * address is provided, instead of the 'bitstring' format.  Since we dropped
+ * the support of the bitstring labels, it is expected that the flag is always
+ * set.  'options' are the same as for dns_byaddr_create().
+ *
+ * Requires:
+ *
+ * \li	'address' is a valid address.
+ * \li	'name' is a valid name with a dedicated buffer.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BYADDR_H */
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
new file mode 100644
index 0000000..62797db
--- /dev/null
+++ b/lib/dns/include/dns/cache.h
@@ -0,0 +1,342 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CACHE_H
+#define DNS_CACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/cache.h
+ * \brief
+ * Defines dns_cache_t, the cache object.
+ *
+ * Notes:
+ *\li 	A cache object contains DNS data of a single class.
+ *	Multiple classes will be handled by creating multiple
+ *	views, each with a different class and its own cache.
+ *
+ * MP:
+ *\li	See notes at the individual functions.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/json.h>
+#include <isc/lang.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_cache_create(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
+		 isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		 const char *db_type, unsigned int db_argc, char **db_argv,
+		 dns_cache_t **cachep);
+isc_result_t
+dns_cache_create2(isc_mem_t *cmctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
+isc_result_t
+dns_cache_create3(isc_mem_t *cmctx, isc_mem_t *hmctx, isc_taskmgr_t *taskmgr,
+		  isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+		  const char *cachename, const char *db_type,
+		  unsigned int db_argc, char **db_argv, dns_cache_t **cachep);
+/*%<
+ * Create a new DNS cache.
+ *
+ * dns_cache_create2() will create a named cache.
+ *
+ * dns_cache_create3() will create a named cache using two separate memory
+ * contexts, one for cache data which can be cleaned and a separate one for
+ * memory allocated for the heap (which can grow without an upper limit and
+ * has no mechanism for shrinking).
+ *
+ * dns_cache_create() is a backward compatible version that internally
+ * specifies an empty cache name and a single memory context.
+ *
+ * Requires:
+ *
+ *\li	'cmctx' (and 'hmctx' if applicable) is a valid memory context.
+ *
+ *\li	'taskmgr' is a valid task manager and 'timermgr' is a valid timer
+ * 	manager, or both are NULL.  If NULL, no periodic cleaning of the
+ * 	cache will take place.
+ *
+ *\li	'cachename' is a valid string.  This must not be NULL.
+ *
+ *\li	'cachep' is a valid pointer, and *cachep == NULL
+ *
+ * Ensures:
+ *
+ *\li	'*cachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
+/*%<
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ *\li	'cache' is a valid cache.
+ *
+ *\li	'targetp' points to a NULL dns_cache_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to cache.
+ */
+
+void
+dns_cache_detach(dns_cache_t **cachep);
+/*%<
+ * Detach *cachep from its cache.
+ *
+ * Requires:
+ *
+ *\li	'cachep' points to a valid cache.
+ *
+ * Ensures:
+ *
+ *\li	*cachep is NULL.
+ *
+ *\li	If '*cachep' is the last reference to the cache,
+ *		all resources used by the cache will be freed
+ */
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
+/*%<
+ * Attach *dbp to the cache's database.
+ *
+ * Notes:
+ *
+ *\li	This may be used to get a reference to the database for
+ *	the purpose of cache lookups (XXX currently it is also
+ * 	the way to add data to the cache, but having a
+ * 	separate dns_cache_add() interface instead would allow
+ * 	more control over memory usage).
+ *	The caller should call dns_db_detach() on the reference
+ *	when it is no longer needed.
+ *
+ * Requires:
+ *
+ *\li	'cache' is a valid cache.
+ *
+ *\li	'dbp' points to a NULL dns_db *.
+ *
+ * Ensures:
+ *
+ *\li	*dbp is attached to the database.
+ */
+
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cache, const char *filename);
+/*%<
+ * If 'filename' is non-NULL, make the cache persistent.
+ * The cache's data will be stored in the given file.
+ * If 'filename' is NULL, make the cache non-persistent.
+ * Files that are no longer used are not unlinked automatically.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Various file-related failures
+ */
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache);
+/*%<
+ * If the cache has a file name, load the cache contents from the file.
+ * Previous cache contents are not discarded.
+ * If no file name has been set, do nothing and return success.
+ *
+ * MT:
+ *\li	Multiple simultaneous attempts to load or dump the cache
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during loading
+ *	may or may not be preserved, and reads may return
+ * 	either the old or the newly loaded data.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache);
+/*%<
+ * If the cache has a file name, write the cache contents to disk,
+ * overwriting any preexisting file.  If no file name has been set,
+ * do nothing and return success.
+ *
+ * MT:
+ *\li	Multiple simultaneous attempts to load or dump the cache
+ * 	will be serialized with respect to one another, but
+ *	the cache may be read and updated while the dump is
+ *	in progress.  Updates performed during the dump may
+ * 	or may not be reflected in the dumped file.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *  \li    Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
+/*%<
+ * Force immediate cleaning of the cache, freeing all rdatasets
+ * whose TTL has expired as of 'now' and that have no pending
+ * references.
+ */
+
+void
+dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
+/*%<
+ * Set the periodic cache cleaning interval to 'interval' seconds.
+ */
+
+unsigned int
+dns_cache_getcleaninginterval(dns_cache_t *cache);
+/*%<
+ * Get the periodic cache cleaning interval to 'interval' seconds.
+ */
+
+const char *
+dns_cache_getname(dns_cache_t *cache);
+/*%<
+ * Get the cache name.
+ */
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, size_t size);
+/*%<
+ * Set the maximum cache size.  0 means unlimited.
+ */
+
+size_t
+dns_cache_getcachesize(dns_cache_t *cache);
+/*%<
+ * Get the maximum cache size.
+ */
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache);
+/*%<
+ * Flushes all data from the cache.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_cache_flushnode(dns_cache_t *cache, dns_name_t *name,
+		    bool tree);
+/*
+ * Flush a given name from the cache.  If 'tree' is true, then
+ * also flush all names under 'name'.
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	other error returns.
+ */
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
+/*
+ * Flush a given name from the cache.  Equivalent to
+ * dns_cache_flushpartial(cache, name, false).
+ *
+ * Requires:
+ *\li	'cache' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	other error returns.
+ */
+
+isc_stats_t *
+dns_cache_getstats(dns_cache_t *cache);
+/*
+ * Return a pointer to the stats collection object for 'cache'
+ */
+
+void
+dns_cache_dumpstats(dns_cache_t *cache, FILE *fp);
+/*
+ * Dump cache statistics and status in text to 'fp'
+ */
+
+void
+dns_cache_updatestats(dns_cache_t *cache, isc_result_t result);
+/*
+ * Update cache statistics based on result code in 'result'
+ */
+
+#ifdef HAVE_LIBXML2
+int
+dns_cache_renderxml(dns_cache_t *cache, xmlTextWriterPtr writer);
+/*
+ * Render cache statistics and status in XML for 'writer'.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+isc_result_t
+dns_cache_renderjson(dns_cache_t *cache, json_object *cstats);
+/*
+ * Render cache statistics and status in JSON
+ */
+#endif /* HAVE_JSON */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CACHE_H */
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
new file mode 100644
index 0000000..9c723f3
--- /dev/null
+++ b/lib/dns/include/dns/callbacks.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CALLBACKS_H
+#define DNS_CALLBACKS_H 1
+
+/*! \file dns/callbacks.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Types
+ ***/
+
+#define DNS_CALLBACK_MAGIC	ISC_MAGIC('C','L','L','B')
+#define DNS_CALLBACK_VALID(cb)	ISC_MAGIC_VALID(cb, DNS_CALLBACK_MAGIC)
+
+struct dns_rdatacallbacks {
+	unsigned int magic;
+
+	/*%
+	 * dns_load_master calls this when it has rdatasets to commit.
+	 */
+	dns_addrdatasetfunc_t add;
+
+	/*%
+	 * This is called when reading in a database image from a 'map'
+	 * format zone file.
+	 */
+	dns_deserializefunc_t deserialize;
+
+	/*%
+	 * dns_master_load*() call this when loading a raw zonefile,
+	 * to pass back information obtained from the file header
+	 */
+	dns_rawdatafunc_t rawdata;
+	dns_zone_t *zone;
+
+	/*%
+	 * dns_load_master / dns_rdata_fromtext call this to issue a error.
+	 */
+	void	(*error)(struct dns_rdatacallbacks *, const char *, ...);
+	/*%
+	 * dns_load_master / dns_rdata_fromtext call this to issue a warning.
+	 */
+	void	(*warn)(struct dns_rdatacallbacks *, const char *, ...);
+	/*%
+	 * Private data handles for use by the above callback functions.
+	 */
+	void	*add_private;
+	void	*deserialize_private;
+	void	*error_private;
+	void	*warn_private;
+};
+
+/***
+ ***	Initialization
+ ***/
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Initialize 'callbacks'.
+ *
+ * \li	'magic' is set to DNS_CALLBACK_MAGIC
+ *
+ * \li	'error' and 'warn' are set to default callbacks that print the
+ *	error message through the DNS library log context.
+ *
+ *\li	All other elements are initialized to NULL.
+ *
+ * Requires:
+ *  \li    'callbacks' is a valid dns_rdatacallbacks_t,
+ */
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Like dns_rdatacallbacks_init, but logs to stdio.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CALLBACKS_H */
diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h
new file mode 100644
index 0000000..61426f7
--- /dev/null
+++ b/lib/dns/include/dns/catz.h
@@ -0,0 +1,469 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CATZ_H
+#define DNS_CATZ_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/ht.h>
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/ipkeylist.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_CATZ_ERROR_LEVEL	ISC_LOG_WARNING
+#define DNS_CATZ_INFO_LEVEL	ISC_LOG_INFO
+#define DNS_CATZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
+#define DNS_CATZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
+#define DNS_CATZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
+#define DNS_CATZ_DEBUG_QUIET	(DNS_CATZ_DEBUG_LEVEL3+1)
+
+/*
+ * Catalog Zones functions and structures.
+ */
+
+/*
+ * Options for a member zone in a catalog
+ */
+struct dns_catz_entry_options {
+	/*
+	 * Options that can be overriden in catalog zone
+	 */
+	/* default-masters definition */
+	dns_ipkeylist_t masters;
+
+	/* both as text in config format, NULL if none */
+	isc_buffer_t *allow_query;
+	isc_buffer_t *allow_transfer;
+
+	/*
+	 * Options that are only set in named.conf
+	 */
+	/* zone-directory definition */
+	char *zonedir;
+
+	/* zone should not be stored on disk (no 'file' statement in def */
+	bool in_memory;
+	/*
+	 * Minimal interval between catalog zone updates, if a new version
+	 * of catalog zone is received before this time the update will be
+	 * postponed. This is a global option for the whole catalog zone.
+	 */
+	uint32_t min_update_interval;
+};
+
+void
+dns_catz_options_init(dns_catz_options_t *options);
+/*%<
+ * Initialize 'options' to NULL values.
+ *
+ * Requires:
+ * \li	options to be non NULL
+ */
+
+void
+dns_catz_options_free(dns_catz_options_t *options, isc_mem_t *mctx);
+/*%<
+ * Free 'options' contents into 'mctx'. ('options' itself is not freed.)
+ *
+ * Requires:
+ * \li	options to be non NULL
+ * \li	mctx to be a valid memory context
+ */
+
+isc_result_t
+dns_catz_options_copy(isc_mem_t *mctx, const dns_catz_options_t *opts,
+		      dns_catz_options_t *nopts);
+/*%<
+ * Duplicate 'opts' into 'nopts', allocating space from 'mctx'
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context
+ * \li	'options' to be non NULL and valid options
+ * \li	'nopts' to be non NULL
+ */
+
+isc_result_t
+dns_catz_options_setdefault(isc_mem_t *mctx, const dns_catz_options_t *defaults,
+			    dns_catz_options_t *opts);
+/*%<
+ * Replace empty values in 'opts' with values from 'defaults'
+ *
+ * Requires:
+ * \li	mctx to be a valid memory context
+ * \li	defaults to be non NULL and valid options
+ * \li	opts to be non NULL
+ */
+
+dns_name_t *
+dns_catz_entry_getname(dns_catz_entry_t *entry);
+/*%<
+ * Get domain name for 'entry'
+ *
+ * Requires:
+ * \li	entry to be non NULL
+ *
+ * Returns:
+ * \li	domain name for entry
+ */
+
+isc_result_t
+dns_catz_entry_new(isc_mem_t *mctx, const dns_name_t *domain,
+		   dns_catz_entry_t **nentryp);
+/*%<
+ * Allocate a new catz_entry on 'mctx', with the name 'domain'
+ *
+ * Requires:
+ * \li	mctx to be a valid memory context
+ * \li	domain to be valid dns_name or NULL
+ * \li	nentryp to be non NULL, *nentryp to be NULL
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li	ISC_R_NOMEMORY on allocation failure
+ */
+
+isc_result_t
+dns_catz_entry_copy(dns_catz_zone_t *zone, const dns_catz_entry_t *entry,
+		    dns_catz_entry_t **nentryp);
+/*%<
+ * Allocate a new catz_entry and deep copy 'entry' into 'nentryp'.
+ *
+ * Requires:
+ * \li	mctx to be a valid memory context
+ * \li	entry to be non NULL
+ * \li	nentryp to be non NULL, *nentryp to be NULL
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li	ISC_R_NOMEMORY on allocation failure
+ */
+
+void
+dns_catz_entry_attach(dns_catz_entry_t *entry, dns_catz_entry_t **entryp);
+/*%<
+ * Attach an entry
+ *
+ * Requires:
+ * \li	entry is not NULL
+ * \li	entryp is not NULL, *entryp is NULL
+ */
+
+void
+dns_catz_entry_detach(dns_catz_zone_t *zone, dns_catz_entry_t **entryp);
+/*%<
+ * Detach an entry, free if no further references
+ *
+ * Requires:
+ * \li	zone is not NULL
+ * \li	entryp is not NULL, *entryp is not NULL
+ */
+
+bool
+dns_catz_entry_validate(const dns_catz_entry_t *entry);
+/*%<
+ * Validate whether entry is correct.
+ * (NOT YET IMPLEMENTED: always returns true)
+ */
+
+bool
+dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb);
+/*%<
+ * Deep compare two entries
+ *
+ * Requires:
+ * \li	ea is not NULL
+ * \li	eb is not NULL
+ *
+ * Returns:
+ * \li true if entries are the same
+ * \li false if the entries differ
+ */
+
+void
+dns_catz_zone_attach(dns_catz_zone_t *zone, dns_catz_zone_t **zonep);
+/*%<
+ * Attach a catzone
+ *
+ * Requires:
+ * \li	zone is not NULL
+ * \li	zonep is not NULL, *zonep is NULL
+ */
+
+void
+dns_catz_zone_detach(dns_catz_zone_t** zonep);
+/*%<
+ * Detach a zone, free if no further references
+ *
+ * Requires:
+ * \li	zonep is not NULL, *zonep is not NULL
+ */
+
+isc_result_t
+dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
+		const dns_name_t *name);
+/*%<
+ * Allocate a new catz zone on catzs mctx
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	zonep is not NULL, *zonep is NULL
+ * \li	name is not NULL
+ *
+ */
+
+dns_name_t *
+dns_catz_zone_getname(dns_catz_zone_t *zone);
+/*%<
+ * Get catalog zone name
+ *
+ * Requires:
+ * \li	zone is not NULL
+ */
+
+dns_catz_options_t *
+dns_catz_zone_getdefoptions(dns_catz_zone_t *zone);
+/*%<
+ * Get default member zone options for catalog zone 'zone'
+ *
+ * Requires:
+ * \li	zone is not NULL
+ */
+
+void
+dns_catz_zone_resetdefoptions(dns_catz_zone_t *zone);
+/*%<
+ * Reset the default member zone options for catalog zone 'zone' to
+ * the default values.
+ *
+ * Requires:
+ * \li	zone is not NULL
+ */
+
+isc_result_t
+dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone);
+/*%<
+ * Merge 'newzone' into 'target', calling addzone/delzone/modzone
+ * (from zone->catzs->zmm) for appropriate member zones.
+ *
+ * Requires:
+ * \li	orig is not NULL
+ * \li	newzone is not NULL, *newzone is not NULL
+ *
+ */
+
+isc_result_t
+dns_catz_update_process(dns_catz_zones_t *catzs, dns_catz_zone_t *zone,
+			 dns_name_t *src_name, dns_rdataset_t *rdataset);
+/*%<
+ * Process a single rdataset from a catalog zone 'zone' update, src_name is the
+ * record name.
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	zone is not NULL
+ * \li	src_name is not NULL
+ * \li	rdataset is valid
+ */
+
+isc_result_t
+dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+				 isc_buffer_t **buffer);
+/*%<
+ * Generate master file name and put it into *buffer (might be reallocated).
+ * The general format of the file name is:
+ * __catz__catalog.zone.name__member_zone_name.db
+ * But if it's too long it's shortened to:
+ * __catz__unique_hash_generated_from_the_above.db
+ *
+ * Requires:
+ * \li	zone is not NULL
+ * \li	entry is not NULL
+ * \li	buffer is not NULL and *buffer is not NULL
+ */
+
+isc_result_t
+dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
+			  isc_buffer_t **buf);
+/*%<
+ * Generate a zone config entry (in text form) from dns_catz_entry and puts
+ * it into *buf. buf might be reallocated.
+ *
+ * Requires:
+ * \li	zone is not NULL
+ * \li	entry is not NULL
+ * \li	buf is not NULL
+ * \li	*buf is NULL
+ *
+ */
+
+
+/* Methods provided by named to dynamically modify the member zones */
+/* xxxwpk TODO config! */
+typedef isc_result_t (*dns_catz_zoneop_fn_t)(dns_catz_entry_t *entry,
+		dns_catz_zone_t *origin, dns_view_t *view,
+		isc_taskmgr_t *taskmgr, void *udata);
+struct dns_catz_zonemodmethods {
+	dns_catz_zoneop_fn_t addzone;
+	dns_catz_zoneop_fn_t modzone;
+	dns_catz_zoneop_fn_t delzone;
+	void * udata;
+};
+
+
+isc_result_t
+dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
+		   isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr);
+/*%<
+ * Allocate a new catz_zones object, a collection storing all catalog zones
+ * for a view.
+ *
+ * Requires:
+ * \li catzsp is not NULL, *catzsp is NULL
+ * \li zmm is not NULL
+ *
+ */
+
+isc_result_t
+dns_catz_add_zone(dns_catz_zones_t *catzs, const dns_name_t *name,
+		  dns_catz_zone_t **catzp);
+/*%<
+ * Allocate a new catz named 'name' and put it in 'catzs' collection.
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	name is not NULL
+ * \li	zonep is not NULL, *zonep is NULL
+ *
+ */
+
+dns_catz_zone_t *
+dns_catz_get_zone(dns_catz_zones_t *catzs, const dns_name_t *name);
+/*%<
+ * Returns a zone named 'name' from collection 'catzs'
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	name is not NULL
+ */
+
+void
+dns_catz_catzs_attach(dns_catz_zones_t *catzs, dns_catz_zones_t **catzsp);
+/*%<
+ * Attach 'catzs' to 'catzsp'
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	catzsp is not NULL, *catzsp is NULL
+ */
+
+void
+dns_catz_catzs_detach(dns_catz_zones_t **catzsp);
+/*%<
+ * Detach 'catzsp', free if no further references
+ *
+ * Requires:
+ * \li	catzsp is not NULL, *catzsp is not NULL
+ */
+
+void
+dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view);
+/*%<
+ * Set a view for catzs
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ * \li	catzs->view is NULL or catzs->view == view
+ */
+
+
+isc_result_t
+dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg);
+/*%<
+ * Callback for update of catalog zone database.
+ * If there was no catalog zone update recently it launches an
+ * update_taskaction immediately.
+ * If there was an update recently it schedules update_taskaction for some time
+ * in the future.
+ * If there is an update scheduled it replaces old db version with a new one.
+ *
+ * Requires:
+ * \li	db is a valid database
+ * \li	fn_arg is not NULL (casted to dns_catz_zones_t*)
+ */
+
+void
+dns_catz_update_taskaction(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Task that launches dns_catz_update_from_db
+ *
+ * Requires:
+ * \li	event is not NULL
+ */
+
+void
+dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs);
+/*%<
+ * Process an updated database for a catalog zone.
+ * It creates a new catz, iterates over database to fill it with content, and
+ * then merges new catz into old catz.
+ *
+ * Requires:
+ * \li	db is a valid DB
+ * \li	catzs is not NULL
+ *
+ */
+
+void
+dns_catz_prereconfig(dns_catz_zones_t *catzs);
+/*%<
+ * Called before reconfig, clears 'active' flag on all the zones in set
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ *
+ */
+
+void
+dns_catz_postreconfig(dns_catz_zones_t *catzs);
+/*%<
+ * Called after reconfig, walks through all zones in set, removes those
+ * inactive and force reload of those with changed configuration.
+ *
+ * Requires:
+ * \li	catzs is not NULL
+ */
+
+isc_result_t
+dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp);
+/*%<
+ * Get the hashtable iterator on catalog zone members, point '*itp' to it.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS		-- success
+ * \li Any other value		-- failure
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CATZ_H_ */
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
new file mode 100644
index 0000000..188d283
--- /dev/null
+++ b/lib/dns/include/dns/cert.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CERT_H
+#define DNS_CERT_H 1
+
+/*! \file dns/cert.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a certificate type.
+ * The text may contain either a mnemonic type name or a decimal type number.
+ *
+ * Requires:
+ *\li	'certp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_RANGE			numeric type is out of range
+ *\li	#DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of certificate type 'cert' into 'target'.
+ *
+ * Requires:
+ *\li	'cert' is a valid cert.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CERT_H */
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
new file mode 100644
index 0000000..d3c5790
--- /dev/null
+++ b/lib/dns/include/dns/client.h
@@ -0,0 +1,674 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CLIENT_H
+#define DNS_CLIENT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The DNS client module provides convenient programming interfaces to various
+ * DNS services, such as name resolution with or without DNSSEC validation or
+ * dynamic DNS update.  This module is primarily expected to be used by other
+ * applications than BIND9-related ones that need such advanced DNS features.
+ *
+ * MP:
+ *\li	In the typical usage of this module, application threads will not share
+ *	the same data structures created and manipulated in this module.
+ *	However, the module still ensures appropriate synchronization of such
+ *	data structures.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include <isc/event.h>
+#include <isc/sockaddr.h>
+
+#include <dns/tsig.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+typedef enum {
+	updateop_none = 0,
+	updateop_add = 1,
+	updateop_delete = 2,
+	updateop_exist = 3,
+	updateop_notexist = 4,
+	updateop_max = 5
+} dns_client_updateop_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Optional flags for dns_client_create(x).
+ */
+/*%< Enable caching resolution results (experimental). */
+#define DNS_CLIENTCREATEOPT_USECACHE	0x8000
+
+/*%
+ * Optional flags for dns_client_(start)resolve.
+ */
+/*%< Do not return DNSSEC data (e.g. RRSIGS) with response. */
+#define DNS_CLIENTRESOPT_NODNSSEC	0x01
+/*%< Allow running external context. */
+#define DNS_CLIENTRESOPT_ALLOWRUN	0x02
+/*%< Don't validate responses. */
+#define DNS_CLIENTRESOPT_NOVALIDATE	0x04
+/*%< Don't set the CD flag on upstream queries. */
+#define DNS_CLIENTRESOPT_NOCDFLAG	0x08
+/*%< Use TCP transport. */
+#define DNS_CLIENTRESOPT_TCP		0x10
+
+/*%
+ * Optional flags for dns_client_(start)request.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTREQOPT_ALLOWRUN	0x01
+/*%< Use TCP transport. */
+#define DNS_CLIENTREQOPT_TCP		0x02
+
+/*%
+ * Optional flags for dns_client_(start)update.
+ */
+/*%< Allow running external context. */
+#define DNS_CLIENTUPDOPT_ALLOWRUN	0x01
+/*%< Use TCP transport. */
+#define DNS_CLIENTUPDOPT_TCP		0x02
+
+/*%
+ * A dns_clientresevent_t is sent when name resolution performed by a client
+ * completes.  'result' stores the result code of the entire resolution
+ * procedure.  'vresult' specifically stores the result code of DNSSEC
+ * validation if it is performed.  When name resolution successfully completes,
+ * 'answerlist' is typically non empty, containing answer names along with
+ * RRsets.  It is the receiver's responsibility to free this list by calling
+ * dns_client_freeresanswer() before freeing the event structure.
+ */
+typedef struct dns_clientresevent {
+	ISC_EVENT_COMMON(struct dns_clientresevent);
+	isc_result_t	result;
+	isc_result_t	vresult;
+	dns_namelist_t	answerlist;
+} dns_clientresevent_t;		/* too long? */
+
+/*%
+ * Status of a dynamic update procedure.
+ */
+typedef enum {
+	dns_clientupdatestate_prepare,	/*%< no updates have been sent */
+	dns_clientupdatestate_sent,	/*%< updates were sent, no response */
+	dns_clientupdatestate_done	/*%< update was sent and succeeded */
+} dns_clientupdatestate_t;
+
+/*%
+ * A dns_clientreqevent_t is sent when a DNS request is completed by a client.
+ * 'result' stores the result code of the entire transaction.
+ * If the transaction is successfully completed but the response packet cannot
+ * be parsed, 'result' will store the result code of dns_message_parse().
+ * If the response packet is received, 'rmessage' will contain the response
+ * message, whether it is successfully parsed or not.
+ */
+typedef struct dns_clientreqevent {
+	ISC_EVENT_COMMON(struct dns_clientreqevent);
+	isc_result_t	result;
+	dns_message_t	*rmessage;
+} dns_clientreqevent_t;		/* too long? */
+
+/*%
+ * A dns_clientupdateevent_t is sent when dynamic update performed by a client
+ * completes.  'result' stores the result code of the entire update procedure.
+ * 'state' specifies the status of the update procedure when this event is
+ * sent.  This can be used as a hint by the receiver to determine whether
+ * the update attempt was ever made.  In particular, if the state is
+ * dns_clientupdatestate_prepare, the receiver can be sure that the requested
+ * update was not applied.
+ */
+typedef struct dns_clientupdateevent {
+	ISC_EVENT_COMMON(struct dns_clientupdateevent);
+	isc_result_t		result;
+	dns_clientupdatestate_t	state;
+} dns_clientupdateevent_t;	/* too long? */
+
+isc_result_t
+dns_client_create(dns_client_t **clientp, unsigned int options);
+
+isc_result_t
+dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
+		   isc_socketmgr_t *socketmgr, isc_timermgr_t *timermgr,
+		   unsigned int options, dns_client_t **clientp);
+
+isc_result_t
+dns_client_createx2(isc_mem_t *mctx, isc_appctx_t *actx,
+	   isc_taskmgr_t *taskmgr, isc_socketmgr_t *socketmgr,
+	   isc_timermgr_t *timermgr, unsigned int options,
+	   dns_client_t **clientp,
+	   isc_sockaddr_t *localaddr4, isc_sockaddr_t *localaddr6);
+/*%<
+ * Create a DNS client.  These functions create a new client object with
+ * minimal internal resources such as the default 'view' for the IN class and
+ * IPv4/IPv6 dispatches for the view.
+ *
+ * dns_client_createx() takes 'manager' arguments so that the caller can
+ * control the behavior of the client through the underlying event framework.
+ * On the other hand, dns_client_create() simplifies the interface and creates
+ * the managers internally.  A DNS client object created via
+ * dns_client_create() is expected to be used by an application that only needs
+ * simple synchronous services or by a thread-based application.
+ *
+ * dns_client_createx2 takes two additional parameters, 'localaddr4' and
+ * 'localaddr6', to specify the local address to use for each family. If
+ * both are set to NULL, then wildcard addresses will be used for both
+ * families. If only one is NULL, then the other address will be used
+ * as the local address, and the other protocol family will not be used.
+ *
+ * If the DNS_CLIENTCREATEOPT_USECACHE flag is set in 'options',
+ * dns_client_create(x) will create a cache database with the view.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'actx' is a valid application context.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	clientp != NULL && *clientp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_destroy(dns_client_t **clientp);
+/*%<
+ * Destroy 'client'.
+ *
+ * Requires:
+ *
+ *\li	'*clientp' is a valid client.
+ *
+ * Ensures:
+ *
+ *\li	*clientp == NULL.
+ */
+
+isc_result_t
+dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
+		      dns_name_t *name_space, isc_sockaddrlist_t *addrs);
+/*%<
+ * Specify a list of addresses of recursive name servers that the client will
+ * use for name resolution.  A view for the 'rdclass' class must be created
+ * beforehand.  If 'name_space' is non NULL, the specified server will be used
+ * if and only if the query name is a subdomain of 'name_space'.  When servers
+ * for multiple 'name_space's are provided, and a query name is covered by
+ * more than one 'name_space', the servers for the best (longest) matching
+ * name_space will be used.  If 'name_space' is NULL, it works as if
+ * dns_rootname (.) were specified.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'name_space' is NULL or a valid name.
+ *
+ *\li	'addrs' != NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
+			dns_name_t *name_space);
+/*%<
+ * Remove configured recursive name servers for the 'rdclass' and 'name_space'
+ * from the client.  See the description of dns_client_setservers() for
+ * the requirements about 'rdclass' and 'name_space'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'name_space' is NULL or a valid name.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
+		  const char *dlvname);
+/*%<
+ * Specify a name to use for DNSSEC lookaside validation.
+ * If a trusted key has been added for that name, then DLV will be
+ * used during validation.  If 'dlvname' is NULL, then DLV will no
+ * longer be used for this client.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_resolve(dns_client_t *client, dns_name_t *name,
+		   dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		   unsigned int options, dns_namelist_t *namelist);
+
+isc_result_t
+dns_client_startresolve(dns_client_t *client, dns_name_t *name,
+			dns_rdataclass_t rdclass, dns_rdatatype_t type,
+			unsigned int options, isc_task_t *task,
+			isc_taskaction_t action, void *arg,
+			dns_clientrestrans_t **transp);
+/*%<
+ * Perform name resolution for 'name', 'rdclass', and 'type'.
+ *
+ * If any trusted keys are configured and the query name is considered to
+ * belong to a secure zone, these functions also validate the responses
+ * using DNSSEC by default.  If the DNS_CLIENTRESOPT_NOVALIDATE flag is set
+ * in 'options', DNSSEC validation is disabled regardless of the configured
+ * trusted keys or the query name. With DNS_CLIENTRESOPT_NODNSSEC
+ * DNSSEC data is not returned with response. DNS_CLIENTRESOPT_NOCDFLAG
+ * disables the CD flag on queries, DNS_CLIENTRESOPT_TCP switches to
+ * the TCP (vs. UDP) transport.
+ *
+ * dns_client_resolve() provides a synchronous service.  This function starts
+ * name resolution internally and blocks until it completes.  On success,
+ * 'namelist' will contain a list of answer names, each of which has
+ * corresponding RRsets.  The caller must provide a valid empty list, and
+ * is responsible for freeing the list content via dns_client_freeresanswer().
+ * If the name resolution fails due to an error in DNSSEC validation,
+ * dns_client_resolve() returns the result code indicating the validation
+ * error. Otherwise, it returns the result code of the entire resolution
+ * process, either success or failure.
+ *
+ * It is typically expected that the client object passed to
+ * dns_client_resolve() was created via dns_client_create() and has its own
+ * managers and contexts.  However, if the DNS_CLIENTRESOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startresolve() is an asynchronous version of dns_client_resolve()
+ * and does not block.  When name resolution is completed, 'action' will be
+ * called with the argument of a 'dns_clientresevent_t' object, which contains
+ * the resulting list of answer names (on success).  On return, '*transp' is
+ * set to an opaque transaction ID so that the caller can cancel this
+ * resolution process.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'addrs' != NULL.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'namelist' != NULL and is not empty.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_cancelresolve(dns_clientrestrans_t *trans);
+/*%<
+ * Cancel an ongoing resolution procedure started via
+ * dns_client_startresolve().
+ *
+ * Notes:
+ *
+ *\li	If the resolution procedure has not completed, post its CLIENTRESDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyrestrans(dns_clientrestrans_t **transp);
+/*%<
+ * Destroy name resolution transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTRESDONE event (either because the
+ *	resolution completed or because dns_client_cancelresolve() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+void
+dns_client_freeresanswer(dns_client_t *client, dns_namelist_t *namelist);
+/*%<
+ * Free resources allocated for the content of 'namelist'.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'namelist' != NULL.
+ */
+
+isc_result_t
+dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass,
+			 dns_name_t *keyname, isc_buffer_t *keydatabuf);
+/*%<
+ * Add a DNSSEC trusted key for the 'rdclass' class.  A view for the 'rdclass'
+ * class must be created beforehand.  'keyname' is the DNS name of the key,
+ * and 'keydatabuf' stores the resource data of the key.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'keyname' is a valid name.
+ *
+ *\li	'keydatabuf' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+isc_result_t
+dns_client_request(dns_client_t *client, dns_message_t *qmessage,
+		   dns_message_t *rmessage, isc_sockaddr_t *server,
+		   unsigned int options, unsigned int parseoptions,
+		   dns_tsec_t *tsec, unsigned int timeout,
+		   unsigned int udptimeout, unsigned int udpretries);
+
+isc_result_t
+dns_client_startrequest(dns_client_t *client, dns_message_t *qmessage,
+			dns_message_t *rmessage, isc_sockaddr_t *server,
+			unsigned int options, unsigned int parseoptions,
+			dns_tsec_t *tsec, unsigned int timeout,
+			unsigned int udptimeout, unsigned int udpretries,
+			isc_task_t *task, isc_taskaction_t action, void *arg,
+			dns_clientreqtrans_t **transp);
+
+/*%<
+ * Send a DNS request containig a query message 'query' to 'server'.
+ *
+ * 'parseoptions' will be used when the response packet is parsed, and will be
+ * passed to dns_message_parse() via dns_request_getresponse().  See
+ * dns_message_parse() for more details.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the request/response transaction.  This is optional and can
+ * be NULL, in which case this library performs the transaction  without any
+ * transaction authentication.
+ *
+ * 'timeout', 'udptimeout', and 'udpretries' are passed to
+ * dns_request_createvia3().  See dns_request_createvia3() for more details.
+ *
+ * dns_client_request() provides a synchronous service.  This function sends
+ * the request and blocks until a response is received.  On success,
+ * 'rmessage' will contain the response message.  The caller must provide a
+ * valid initialized message.
+ *
+ * It is usually expected that the client object passed to
+ * dns_client_request() was created via dns_client_create() and has its own
+ * managers and contexts.  However, if the DNS_CLIENTREQOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_startrequest() is an asynchronous version of dns_client_request()
+ * and does not block.  When the transaction is completed, 'action' will be
+ * called with the argument of a 'dns_clientreqevent_t' object, which contains
+ * the response message (on success).  On return, '*transp' is set to an opaque
+ * transaction ID so that the caller can cancel this request.
+ *
+ * DNS_CLIENTREQOPT_TCP switches to the TCP (vs. UDP) transport.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'qmessage' and 'rmessage' are valid initialized message.
+ *
+ *\li	'server' is a valid socket address structure.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ *
+ *\li	Any result that dns_message_parse() can return.
+ */
+
+void
+dns_client_cancelrequest(dns_clientreqtrans_t *transp);
+/*%<
+ * Cancel an ongoing DNS request procedure started via
+ * dns_client_startrequest().
+ *
+ * Notes:
+ *
+ *\li	If the request procedure has not completed, post its CLIENTREQDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyreqtrans(dns_clientreqtrans_t **transp);
+/*%
+ * Destroy DNS request transaction state identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the CLIENTREQDONE event (either because the
+ *	request completed or because dns_client_cancelrequest() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+isc_result_t
+dns_client_update(dns_client_t *client, dns_rdataclass_t rdclass,
+		  dns_name_t *zonename, dns_namelist_t *prerequisites,
+		  dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		  dns_tsec_t *tsec, unsigned int options);
+
+isc_result_t
+dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
+		       dns_name_t *zonename, dns_namelist_t *prerequisites,
+		       dns_namelist_t *updates, isc_sockaddrlist_t *servers,
+		       dns_tsec_t *tsec, unsigned int options,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_clientupdatetrans_t **transp);
+/*%<
+ * Perform DNS dynamic update for 'updates' of the 'rdclass' class with
+ * optional 'prerequisites'.
+ *
+ * 'updates' are a list of names with associated RRsets to be updated.
+ *
+ * 'prerequisites' are a list of names with associated RRsets corresponding to
+ * the prerequisites of the updates.  This is optional and can be NULL, in
+ * which case the prerequisite section of the update message will be empty.
+ *
+ * Both 'updates' and 'prerequisites' must be constructed as specified in
+ * RFC2136.
+ *
+ * 'zonename' is the name of the zone in which the updated names exist.
+ * This is optional and can be NULL.  In this case, these functions internally
+ * identify the appropriate zone through some queries for the SOA RR starting
+ * with the first name in prerequisites or updates.
+ *
+ * 'servers' is a list of authoritative servers to which the update message
+ * should be sent.  This is optional and can be NULL.  In this case, these
+ * functions internally identify the appropriate primary server name and its
+ * addresses through some queries for the SOA RR (like the case of zonename)
+ * and supplemental A/AAAA queries for the server name.
+ * Note: The client module generally assumes the given addresses are of the
+ * primary server of the corresponding zone.  It will work even if a secondary
+ * server address is specified as long as the server allows update forwarding,
+ * it is generally discouraged to include secondary server addresses unless
+ * there's strong reason to do so.
+ *
+ * 'tsec' is a transaction security object containing, e.g. a TSIG key for
+ * authenticating the update transaction (and the supplemental query/response
+ * transactions if the server is specified).  This is optional and can be
+ * NULL, in which case the library tries the update without any transaction
+ * authentication.
+ *
+ * It is typically expected that the client object passed to
+ * dns_client_update() was created via dns_client_create() and has its own
+ * managers and contexts.  However, if the DNS_CLIENTUPDOPT_ALLOWRUN flag is
+ * set in 'options', this function performs the synchronous service even if
+ * it does not have its own manager and context structures.
+ *
+ * dns_client_update() provides a synchronous service.  This function blocks
+ * until the entire update procedure completes, including the additional
+ * queries when necessary.
+ *
+ * dns_client_startupdate() is an asynchronous version of dns_client_update().
+ * It immediately returns (typically with *transp being set to a non-NULL
+ * pointer), and performs the update procedure through a set of internal
+ * events.  All transactions including the additional query exchanges are
+ * performed as a separate event, so none of these events cause blocking
+ * operation.  When the update procedure completes, the specified function
+ * 'action' will be called with the argument of a 'dns_clientupdateevent_t'
+ * structure.  On return, '*transp' is set to an opaque transaction ID so that
+ * the caller can cancel this update process.
+ *
+ * DNS_CLIENTUPDOPT_TCP switches to the TCP (vs. UDP) transport.
+ *
+ * Requires:
+ *
+ *\li	'client' is a valid client.
+ *
+ *\li	'updates' != NULL.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'transp' != NULL && *transp == NULL;
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_client_cancelupdate(dns_clientupdatetrans_t *trans);
+/*%<
+ * Cancel an ongoing dynamic update procedure started via
+ * dns_client_startupdate().
+ *
+ * Notes:
+ *
+ *\li	If the update procedure has not completed, post its UPDATEDONE
+ *	event with a result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'trans' is a valid transaction ID.
+ */
+
+void
+dns_client_destroyupdatetrans(dns_clientupdatetrans_t **transp);
+/*%<
+ * Destroy dynamic update transaction identified by '*transp'.
+ *
+ * Requires:
+ *
+ *\li	'*transp' is a valid transaction ID.
+ *
+ *\li	The caller has received the UPDATEDONE event (either because the
+ *	update completed or because dns_client_cancelupdate() was called).
+ *
+ * Ensures:
+ *
+ *\li	*transp == NULL.
+ */
+
+isc_result_t
+dns_client_updaterec(dns_client_updateop_t op, dns_name_t *owner,
+		     dns_rdatatype_t type, dns_rdata_t *source,
+		     dns_ttl_t ttl, dns_name_t *target,
+		     dns_rdataset_t *rdataset, dns_rdatalist_t *rdatalist,
+		     dns_rdata_t *rdata, isc_mem_t *mctx);
+/*%<
+ * TBD
+ */
+
+void
+dns_client_freeupdate(dns_name_t **namep);
+/*%<
+ * TBD
+ */
+
+isc_mem_t *
+dns_client_mctx(dns_client_t *client);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENT_H */
diff --git a/lib/dns/include/dns/clientinfo.h b/lib/dns/include/dns/clientinfo.h
new file mode 100644
index 0000000..30e29c8
--- /dev/null
+++ b/lib/dns/include/dns/clientinfo.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_CLIENTINFO_H
+#define DNS_CLIENTINFO_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/clientinfo.h
+ * \brief
+ * The DNS clientinfo interface allows libdns to retrieve information
+ * about the client from the caller.
+ *
+ * The clientinfo interface is used by the DNS DB and DLZ interfaces;
+ * it allows databases to modify their answers on the basis of information
+ * about the client, such as source IP address.
+ *
+ * dns_clientinfo_t contains a pointer to an opaque structure containing
+ * client information in some form.  dns_clientinfomethods_t contains a
+ * list of methods which operate on that opaque structure to return
+ * potentially useful data.  Both structures also contain versioning
+ * information.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <inttypes.h>
+
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+#define DNS_CLIENTINFO_VERSION 2
+typedef struct dns_clientinfo {
+	uint16_t version;
+	void *data;
+	void *dbversion;
+} dns_clientinfo_t;
+
+typedef isc_result_t (*dns_clientinfo_sourceip_t)(dns_clientinfo_t *client,
+						  isc_sockaddr_t **addrp);
+
+#define DNS_CLIENTINFOMETHODS_VERSION 1
+#define DNS_CLIENTINFOMETHODS_AGE 0
+
+typedef struct dns_clientinfomethods {
+	uint16_t version;
+	uint16_t age;
+	dns_clientinfo_sourceip_t sourceip;
+} dns_clientinfomethods_t;
+
+/*****
+ ***** Methods
+ *****/
+void
+dns_clientinfomethods_init(dns_clientinfomethods_t *methods,
+			   dns_clientinfo_sourceip_t sourceip);
+
+void
+dns_clientinfo_init(dns_clientinfo_t *ci, void *data, void *versionp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CLIENTINFO_H */
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
new file mode 100644
index 0000000..0c951d7
--- /dev/null
+++ b/lib/dns/include/dns/compress.h
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_COMPRESS_H
+#define DNS_COMPRESS_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/region.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*! \file dns/compress.h
+ * Direct manipulation of the structures is strongly discouraged.
+ *
+ * A name compression context handles compression of multiple DNS names
+ * in relation to a single DNS message. The context can be used to
+ * selectively turn on/off compression for specific names (depending on
+ * the RR type) by using \c dns_compress_setmethods(). Alternately,
+ * compression can be disabled completely using \c
+ * dns_compress_disable().
+ *
+ * \c dns_compress_setmethods() is intended for use by RDATA towire()
+ * implementations, whereas \c dns_compress_disable() is intended to be
+ * used by a nameserver's configuration manager.
+ */
+
+#define DNS_COMPRESS_NONE		0x00	/*%< no compression */
+#define DNS_COMPRESS_GLOBAL14		0x01	/*%< "normal" compression. */
+#define DNS_COMPRESS_ALL		0x01	/*%< all compression. */
+#define DNS_COMPRESS_CASESENSITIVE	0x02	/*%< case sensitive compression. */
+#define DNS_COMPRESS_ENABLED		0x04
+
+#define DNS_COMPRESS_READY		0x80000000
+
+#define DNS_COMPRESS_TABLESIZE 64
+#define DNS_COMPRESS_INITIALNODES 16
+
+typedef struct dns_compressnode dns_compressnode_t;
+
+struct dns_compressnode {
+	isc_region_t		r;
+	uint16_t		offset;
+	uint16_t		count;
+	uint8_t			labels;
+	dns_compressnode_t	*next;
+};
+
+struct dns_compress {
+	unsigned int		magic;		/*%< Magic number. */
+	unsigned int		allowed;	/*%< Allowed methods. */
+	int			edns;		/*%< Edns version or -1. */
+	/*% Global compression table. */
+	dns_compressnode_t	*table[DNS_COMPRESS_TABLESIZE];
+	/*% Preallocated nodes for the table. */
+	dns_compressnode_t	initialnodes[DNS_COMPRESS_INITIALNODES];
+	uint16_t		count;		/*%< Number of nodes. */
+	isc_mem_t		*mctx;		/*%< Memory context. */
+};
+
+typedef enum {
+	DNS_DECOMPRESS_ANY,			/*%< Any compression */
+	DNS_DECOMPRESS_STRICT,			/*%< Allowed compression */
+	DNS_DECOMPRESS_NONE			/*%< No compression */
+} dns_decompresstype_t;
+
+struct dns_decompress {
+	unsigned int		magic;		/*%< Magic number. */
+	unsigned int		allowed;	/*%< Allowed methods. */
+	int			edns;		/*%< Edns version or -1. */
+	dns_decompresstype_t	type;		/*%< Strict checking */
+};
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
+/*%<
+ *	Initialise the compression context structure pointed to by
+ *	'cctx'. A freshly initialized context has name compression
+ *	enabled, but no methods are set. Please use \c
+ *	dns_compress_setmethods() to set a compression method.
+ *
+ *	Requires:
+ *	\li	'cctx' is a valid dns_compress_t structure.
+ *	\li	'mctx' is an initialized memory context.
+ *	Ensures:
+ *	\li	cctx->global is initialized.
+ *
+ *	Returns:
+ *	\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_compress_invalidate(dns_compress_t *cctx);
+
+/*%<
+ *	Invalidate the compression structure pointed to by cctx.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ */
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
+
+/*%<
+ *	Sets allowed compression methods.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ */
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx);
+
+/*%<
+ *	Gets allowed compression methods.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ *	Returns:
+ *\li		allowed compression bitmap.
+ */
+
+void
+dns_compress_disable(dns_compress_t *cctx);
+/*%<
+ *	Disables all name compression in the context. Once disabled,
+ *	name compression cannot currently be re-enabled.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ */
+
+void
+dns_compress_setsensitive(dns_compress_t *cctx, bool sensitive);
+
+/*
+ *	Preserve the case of compressed domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
+ */
+
+bool
+dns_compress_getsensitive(dns_compress_t *cctx);
+/*
+ *	Return whether case is to be preserved when compressing
+ *	domain names.
+ *
+ *	Requires:
+ *		'cctx' to be initialized.
+ */
+
+int
+dns_compress_getedns(dns_compress_t *cctx);
+
+/*%<
+ *	Gets edns value.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *
+ *	Returns:
+ *\li		-1 .. 255
+ */
+
+bool
+dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
+			dns_name_t *prefix, uint16_t *offset);
+/*%<
+ *	Finds longest possible match of 'name' in the global compression table.
+ *
+ *	Requires:
+ *\li		'cctx' to be initialized.
+ *\li		'name' to be a absolute name.
+ *\li		'prefix' to be initialized.
+ *\li		'offset' to point to an uint16_t.
+ *
+ *	Ensures:
+ *\li		'prefix' and 'offset' are valid if true is 	returned.
+ *
+ *	Returns:
+ *\li		#true / #false
+ */
+
+void
+dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
+		 const dns_name_t *prefix, uint16_t offset);
+/*%<
+ *	Add compression pointers for 'name' to the compression table,
+ *	not replacing existing pointers.
+ *
+ *	Requires:
+ *\li		'cctx' initialized
+ *
+ *\li		'name' must be initialized and absolute, and must remain
+ *		valid until the message compression is complete.
+ *
+ *\li		'prefix' must be a prefix returned by
+ *		dns_compress_findglobal(), or the same as 'name'.
+ */
+
+void
+dns_compress_rollback(dns_compress_t *cctx, uint16_t offset);
+
+/*%<
+ *	Remove any compression pointers from global table >= offset.
+ *
+ *	Requires:
+ *\li		'cctx' is initialized.
+ */
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+		    dns_decompresstype_t type);
+
+/*%<
+ *	Initializes 'dctx'.
+ *	Records 'edns' and 'type' into the structure.
+ *
+ *	Requires:
+ *\li		'dctx' to be a valid pointer.
+ */
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx);
+
+/*%<
+ *	Invalidates 'dctx'.
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
+
+/*%<
+ *	Sets 'dctx->allowed' to 'allowed'.
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->allowed'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+int
+dns_decompress_edns(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->edns'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx);
+
+/*%<
+ *	Returns 'dctx->type'
+ *
+ *	Requires:
+ *\li		'dctx' to be initialized
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_COMPRESS_H */
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
new file mode 100644
index 0000000..ae6ae36
--- /dev/null
+++ b/lib/dns/include/dns/db.h
@@ -0,0 +1,1690 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef DNS_DB_H
+#define DNS_DB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/db.h
+ * \brief
+ * The DNS DB interface allows named rdatasets to be stored and retrieved.
+ *
+ * The dns_db_t type is like a "virtual class".  To actually use
+ * DBs, an implementation of the class is required.
+ *
+ * XXX more XXX
+ *
+ * MP:
+ * \li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ * \li	No anticipated impact.
+ *
+ * Resources:
+ * \li	TBS
+ *
+ * Security:
+ * \li	No anticipated impact.
+ *
+ * Standards:
+ * \li	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/deprecated.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+
+#include <dns/clientinfo.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbmethods {
+	void		(*attach)(dns_db_t *source, dns_db_t **targetp);
+	void		(*detach)(dns_db_t **dbp);
+	isc_result_t	(*beginload)(dns_db_t *db,
+				     dns_rdatacallbacks_t *callbacks);
+	isc_result_t	(*endload)(dns_db_t *db,
+				     dns_rdatacallbacks_t *callbacks);
+	isc_result_t	(*serialize)(dns_db_t *db,
+				     dns_dbversion_t *version, FILE *file);
+	isc_result_t	(*dump)(dns_db_t *db, dns_dbversion_t *version,
+				const char *filename,
+				dns_masterformat_t masterformat);
+	void		(*currentversion)(dns_db_t *db,
+					  dns_dbversion_t **versionp);
+	isc_result_t	(*newversion)(dns_db_t *db,
+				      dns_dbversion_t **versionp);
+	void		(*attachversion)(dns_db_t *db, dns_dbversion_t *source,
+					 dns_dbversion_t **targetp);
+	void		(*closeversion)(dns_db_t *db,
+					dns_dbversion_t **versionp,
+					bool commit);
+	isc_result_t	(*findnode)(dns_db_t *db, dns_name_t *name,
+				    bool create,
+				    dns_dbnode_t **nodep);
+	isc_result_t	(*find)(dns_db_t *db, dns_name_t *name,
+				dns_dbversion_t *version,
+				dns_rdatatype_t type, unsigned int options,
+				isc_stdtime_t now,
+				dns_dbnode_t **nodep, dns_name_t *foundname,
+				dns_rdataset_t *rdataset,
+				dns_rdataset_t *sigrdataset);
+	isc_result_t	(*findzonecut)(dns_db_t *db, dns_name_t *name,
+				       unsigned int options, isc_stdtime_t now,
+				       dns_dbnode_t **nodep,
+				       dns_name_t *foundname,
+				       dns_rdataset_t *rdataset,
+				       dns_rdataset_t *sigrdataset);
+	void		(*attachnode)(dns_db_t *db,
+				      dns_dbnode_t *source,
+				      dns_dbnode_t **targetp);
+	void		(*detachnode)(dns_db_t *db,
+				      dns_dbnode_t **targetp);
+	isc_result_t	(*expirenode)(dns_db_t *db, dns_dbnode_t *node,
+				      isc_stdtime_t now);
+	void		(*printnode)(dns_db_t *db, dns_dbnode_t *node,
+				     FILE *out);
+	isc_result_t 	(*createiterator)(dns_db_t *db, unsigned int options,
+					  dns_dbiterator_t **iteratorp);
+	isc_result_t	(*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
+					dns_dbversion_t *version,
+					dns_rdatatype_t type,
+					dns_rdatatype_t covers,
+					isc_stdtime_t now,
+					dns_rdataset_t *rdataset,
+					dns_rdataset_t *sigrdataset);
+	isc_result_t	(*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
+					dns_dbversion_t *version,
+					isc_stdtime_t now,
+					dns_rdatasetiter_t **iteratorp);
+	isc_result_t	(*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
+				       dns_dbversion_t *version,
+				       isc_stdtime_t now,
+				       dns_rdataset_t *rdataset,
+				       unsigned int options,
+				       dns_rdataset_t *addedrdataset);
+	isc_result_t	(*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
+					    dns_dbversion_t *version,
+					    dns_rdataset_t *rdataset,
+					    unsigned int options,
+					    dns_rdataset_t *newrdataset);
+	isc_result_t	(*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
+					  dns_dbversion_t *version,
+					  dns_rdatatype_t type,
+					  dns_rdatatype_t covers);
+	bool	(*issecure)(dns_db_t *db);
+	unsigned int	(*nodecount)(dns_db_t *db);
+	bool	(*ispersistent)(dns_db_t *db);
+	void		(*overmem)(dns_db_t *db, bool overmem);
+	void		(*settask)(dns_db_t *db, isc_task_t *);
+	isc_result_t	(*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
+	void		(*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
+					dns_dbnode_t **targetp);
+	isc_result_t    (*getnsec3parameters)(dns_db_t *db,
+					      dns_dbversion_t *version,
+					      dns_hash_t *hash,
+					      uint8_t *flags,
+					      uint16_t *iterations,
+					      unsigned char *salt,
+					      size_t *salt_len);
+	isc_result_t    (*findnsec3node)(dns_db_t *db, dns_name_t *name,
+					 bool create,
+					 dns_dbnode_t **nodep);
+	isc_result_t	(*setsigningtime)(dns_db_t *db,
+					  dns_rdataset_t *rdataset,
+					  isc_stdtime_t resign);
+	isc_result_t	(*getsigningtime)(dns_db_t *db,
+					  dns_rdataset_t *rdataset,
+					  dns_name_t *name);
+	void		(*resigned)(dns_db_t *db, dns_rdataset_t *rdataset,
+					   dns_dbversion_t *version);
+	bool	(*isdnssec)(dns_db_t *db);
+	dns_stats_t	*(*getrrsetstats)(dns_db_t *db);
+	void		(*rpz_attach)(dns_db_t *db, dns_rpz_zones_t *rpzs,
+				      dns_rpz_num_t rpz_num);
+	isc_result_t	(*rpz_ready)(dns_db_t *db);
+	isc_result_t	(*findnodeext)(dns_db_t *db, dns_name_t *name,
+				     bool create,
+				     dns_clientinfomethods_t *methods,
+				     dns_clientinfo_t *clientinfo,
+				     dns_dbnode_t **nodep);
+	isc_result_t	(*findext)(dns_db_t *db, dns_name_t *name,
+				   dns_dbversion_t *version,
+				   dns_rdatatype_t type, unsigned int options,
+				   isc_stdtime_t now,
+				   dns_dbnode_t **nodep, dns_name_t *foundname,
+				   dns_clientinfomethods_t *methods,
+				   dns_clientinfo_t *clientinfo,
+				   dns_rdataset_t *rdataset,
+				   dns_rdataset_t *sigrdataset);
+	isc_result_t	(*setcachestats)(dns_db_t *db, isc_stats_t *stats);
+	size_t		(*hashsize)(dns_db_t *db);
+	isc_result_t	(*nodefullname)(dns_db_t *db, dns_dbnode_t *node,
+					dns_name_t *name);
+	isc_result_t	(*getsize)(dns_db_t *db, dns_dbversion_t *version,
+				   uint64_t *records, uint64_t *bytes);
+} dns_dbmethods_t;
+
+typedef isc_result_t
+(*dns_dbcreatefunc_t)(isc_mem_t *mctx, dns_name_t *name,
+		      dns_dbtype_t type, dns_rdataclass_t rdclass,
+		      unsigned int argc, char *argv[], void *driverarg,
+		      dns_db_t **dbp);
+
+typedef isc_result_t
+(*dns_dbupdate_callback_t)(dns_db_t *db, void *fn_arg);
+
+#define DNS_DB_MAGIC		ISC_MAGIC('D','N','S','D')
+#define DNS_DB_VALID(db)	ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
+
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_db_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DB_MAGIC for any of the
+ * dns_db_ routines to work.  DB implementations must maintain all DB
+ * invariants.
+ */
+struct dns_db {
+	unsigned int				magic;
+	unsigned int				impmagic;
+	dns_dbmethods_t *			methods;
+	uint16_t				attributes;
+	dns_rdataclass_t			rdclass;
+	dns_name_t				origin;
+	isc_ondestroy_t				ondest;
+	isc_mem_t *				mctx;
+	ISC_LIST(dns_dbonupdatelistener_t)	update_listeners;
+};
+
+#define DNS_DBATTR_CACHE		0x01
+#define DNS_DBATTR_STUB			0x02
+
+struct dns_dbonupdatelistener {
+	dns_dbupdate_callback_t			onupdate;
+	void *					onupdate_arg;
+	ISC_LINK(dns_dbonupdatelistener_t)	link;
+};
+
+/*@{*/
+/*%
+ * Options that can be specified for dns_db_find().
+ */
+#define DNS_DBFIND_GLUEOK		0x0001
+#define DNS_DBFIND_VALIDATEGLUE		0x0002
+#define DNS_DBFIND_NOWILD		0x0004
+#define DNS_DBFIND_PENDINGOK		0x0008
+#define DNS_DBFIND_NOEXACT		0x0010
+#define DNS_DBFIND_FORCENSEC		0x0020
+#define DNS_DBFIND_COVERINGNSEC		0x0040
+#define DNS_DBFIND_FORCENSEC3		0x0080
+#define DNS_DBFIND_ADDITIONALOK		0x0100
+#define DNS_DBFIND_NOZONECUT		0x0200
+/*@}*/
+
+/*@{*/
+/*%
+ * Options that can be specified for dns_db_addrdataset().
+ */
+#define DNS_DBADD_MERGE			0x01
+#define DNS_DBADD_FORCE			0x02
+#define DNS_DBADD_EXACT			0x04
+#define DNS_DBADD_EXACTTTL		0x08
+#define DNS_DBADD_PREFETCH		0x10
+/*@}*/
+
+/*%
+ * Options that can be specified for dns_db_subtractrdataset().
+ */
+#define DNS_DBSUB_EXACT			0x01
+#define DNS_DBSUB_WANTOLD		0x02
+
+/*@{*/
+/*%
+ * Iterator options
+ */
+#define DNS_DB_RELATIVENAMES	0x1
+#define DNS_DB_NSEC3ONLY	0x2
+#define DNS_DB_NONSEC3		0x4
+/*@}*/
+
+/*****
+ ***** Methods
+ *****/
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
+	      dns_dbtype_t type, dns_rdataclass_t rdclass,
+	      unsigned int argc, char *argv[], dns_db_t **dbp);
+/*%<
+ * Create a new database using implementation 'db_type'.
+ *
+ * Notes:
+ * \li	All names in the database must be subdomains of 'origin' and in class
+ *	'rdclass'.  The database makes its own copy of the origin, so the
+ *	caller may do whatever they like with 'origin' and its storage once the
+ *	call returns.
+ *
+ * \li	DB implementation-specific parameters are passed using argc and argv.
+ *
+ * Requires:
+ *
+ * \li	dbp != NULL and *dbp == NULL
+ *
+ * \li	'origin' is a valid absolute domain name.
+ *
+ * \li	mctx is a valid memory context
+ *
+ * Ensures:
+ *
+ * \li	A copy of 'origin' has been made for the databases use, and the
+ *	caller is free to do whatever they want with the name and storage
+ *	associated with 'origin'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND				db_type not found
+ *
+ * \li	Many other errors are possible, depending on what db_type was
+ *	specified.
+ */
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * \li	'source' is a valid database.
+ *
+ * \li	'targetp' points to a NULL dns_db_t *.
+ *
+ * Ensures:
+ *
+ * \li	*targetp is attached to source.
+ */
+
+void
+dns_db_detach(dns_db_t **dbp);
+/*%<
+ * Detach *dbp from its database.
+ *
+ * Requires:
+ *
+ * \li	'dbp' points to a valid database.
+ *
+ * Ensures:
+ *
+ * \li	*dbp is NULL.
+ *
+ * \li	If '*dbp' is the last reference to the database,
+ *		all resources used by the database will be freed
+ */
+
+isc_result_t
+dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
+/*%<
+ * Causes 'eventp' to be sent to be sent to 'task' when the database is
+ * destroyed.
+ *
+ * Note; ownership of the eventp is taken from the caller (and *eventp is
+ * set to NULL). The sender field of the event is set to 'db' before it is
+ * sent to the task.
+ */
+
+bool
+dns_db_iscache(dns_db_t *db);
+/*%<
+ * Does 'db' have cache semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has cache semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_iszone(dns_db_t *db);
+/*%<
+ * Does 'db' have zone semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has zone semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_isstub(dns_db_t *db);
+/*%<
+ * Does 'db' have stub semantics?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' has zone semantics
+ * \li	#false	otherwise
+ */
+
+bool
+dns_db_issecure(dns_db_t *db);
+/*%<
+ * Is 'db' secure?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li	#true	'db' is secure.
+ * \li	#false	'db' is not secure.
+ */
+
+bool
+dns_db_isdnssec(dns_db_t *db);
+/*%<
+ * Is 'db' secure or partially secure?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li	#true	'db' is secure or is partially.
+ * \li	#false	'db' is not secure.
+ */
+
+dns_name_t *
+dns_db_origin(dns_db_t *db);
+/*%<
+ * The origin of the database.
+ *
+ * Note: caller must not try to change this name.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	The origin of the database.
+ */
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db);
+/*%<
+ * The class of the database.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	The class of the database.
+ */
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Begin loading 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	This is the first attempt to load 'db'.
+ *
+ * \li  'callbacks' is a pointer to an initialized dns_rdatacallbacks_t
+ *       structure.
+ *
+ * Ensures:
+ *
+ * \li	On success, callbacks->add will be a valid dns_addrdatasetfunc_t
+ *      suitable for loading records into 'db' from a raw or text zone
+ *      file. callbacks->add_private will be a valid DB load context
+ *      which should be used as 'arg' when callbacks->add is called.
+ *      callbacks->deserialize will be a valid dns_deserialize_func_t
+ *      suitable for loading 'db' from a map format zone file.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Finish loading 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database that is being loaded.
+ *
+ * \li	'callbacks' is a valid dns_rdatacallbacks_t structure.
+ *
+ * \li	callbacks->add_private is not NULL and is a valid database load context.
+ *
+ * Ensures:
+ *
+ * \li	'callbacks' is returned to its state prior to calling dns_db_beginload()
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename);
+
+isc_result_t
+dns_db_load2(dns_db_t *db, const char *filename, dns_masterformat_t format);
+
+isc_result_t
+dns_db_load3(dns_db_t *db, const char *filename, dns_masterformat_t format,
+	     unsigned int options);
+/*%<
+ * Load master file 'filename' into 'db'.
+ *
+ * Notes:
+ * \li	This routine is equivalent to calling
+ *
+ *\code
+ *		dns_db_beginload();
+ *		dns_master_loadfile();
+ *		dns_db_endload();
+ *\endcode
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	This is the first attempt to load 'db'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_serialize(dns_db_t *db, dns_dbversion_t *version, FILE *rbtfile);
+/*%<
+ * Dump version 'version' of 'db' to map-format file 'filename'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'version' is a valid version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, OS file errors, etc.
+ */
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
+
+isc_result_t
+dns_db_dump2(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+	     dns_masterformat_t masterformat);
+/*%<
+ * Dump version 'version' of 'db' to master file 'filename'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'version' is a valid version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used, OS file errors, etc.
+ */
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*%<
+ * Open the current version for reading.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*versionp' is attached to the current version.
+ *
+ */
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*%<
+ * Open a new version for reading and writing.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*versionp' is attached to the current version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+		     dns_dbversion_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	source is a valid open version
+ *
+ * \li	targetp != NULL && *targetp == NULL
+ *
+ * Ensures:
+ *
+ * \li	'*targetp' is attached to source.
+ */
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
+		    bool commit);
+/*%<
+ * Close version '*versionp'.
+ *
+ * Note: if '*versionp' is a read-write version and 'commit' is true,
+ * then all changes made in the version will take effect, otherwise they
+ * will be rolled back.  The value of 'commit' is ignored for read-only
+ * versions.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * \li	'*versionp' refers to a valid version.
+ *
+ * \li	If committing a writable version, then there must be no other
+ *	outstanding references to the version (e.g. an active rdataset
+ *	iterator).
+ *
+ * Ensures:
+ *
+ * \li	*versionp == NULL
+ *
+ * \li	If *versionp is a read-write version, and commit is true, then
+ *	the version will become the current version.  If !commit, then all
+ *	changes made in the version will be undone, and the version will
+ *	not become the current version.
+ */
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, dns_name_t *name, bool create,
+		dns_dbnode_t **nodep);
+
+isc_result_t
+dns_db_findnodeext(dns_db_t *db, dns_name_t *name, bool create,
+		   dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep);
+/*%<
+ * Find the node with name 'name'.
+ *
+ * dns_db_findnodeext() (findnode extended) also accepts parameters
+ * 'methods' and 'clientinfo', which, when provided, enable the database to
+ * retreive information about the client from the caller, and modify its
+ * response on the basis of that information.
+ *
+ * Notes:
+ * \li	If 'create' is true and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ * \li	This routine is for finding or creating a node with the specified
+ *	name.  There are no partial matches.  It is not suitable for use
+ *	in building responses to ordinary DNS queries; clients which wish
+ *	to do that should use dns_db_find() instead.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'name' is a valid, non-empty, absolute name.
+ *
+ * \li	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is true.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	    dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+isc_result_t
+dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	       dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	       dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the best match for 'name' and 'type' in version 'version' of 'db'.
+ *
+ * dns_db_findext() (find extended) also accepts parameters 'methods'
+ * and 'clientinfo', which when provided enable the database to retreive
+ * information about the client from the caller, and modify its response
+ * on the basis of this information.
+ *
+ * Notes:
+ *
+ * \li	If type == dns_rdataset_any, then rdataset will not be bound.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_GLUEOK set, then no glue will
+ *	be returned.  For zone databases, glue is as defined in RFC2181.
+ *	For cache databases, glue is any rdataset with a trust of
+ *	dns_trust_glue.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_ADDITIONALOK set, then no
+ *	additional records will be returned.  Only caches can have
+ *	rdataset with trust dns_trust_additional.
+ *
+ * \li	If 'options' does not have #DNS_DBFIND_PENDINGOK set, then no
+ *	pending data will be returned.  This option is only meaningful for
+ *	cache databases.
+ *
+ * \li	If the #DNS_DBFIND_NOWILD option is set, then wildcard matching will
+ *	be disabled.  This option is only meaningful for zone databases.
+ *
+ * \li  If the #DNS_DBFIND_NOZONECUT option is set, the database is
+ *	assumed to contain no zone cuts above 'name'.  An implementation
+ *	may therefore choose to search for a match beginning at 'name'
+ *	rather than walking down the tree to check check for delegations.
+ *	If #DNS_DBFIND_NOWILD is not set, wildcard matching will be
+ *	attempted at each node starting at the direct ancestor of 'name'
+ *	and working up to the zone origin.  This option is only meaningful
+ *	when querying redirect zones.
+ *
+ * \li	If the #DNS_DBFIND_FORCENSEC option is set, the database is assumed to
+ *	have NSEC records, and these will be returned when appropriate.  This
+ *	is only necessary when querying a database that was not secure
+ *	when created.
+ *
+ * \li	If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
+ *	NSEC record that potentially covers 'name' if a answer cannot
+ *	be found.  Note the returned NSEC needs to be checked to ensure
+ *	that it is correct.  This only affects answers returned from the
+ *	cache.
+ *
+ * \li	If the #DNS_DBFIND_FORCENSEC3 option is set, then we are looking
+ *	in the NSEC3 tree and not the main tree.  Without this option being
+ *	set NSEC3 records will not be found.
+ *
+ * \li	To respond to a query for SIG records, the caller should create a
+ *	rdataset iterator and extract the signatures from each rdataset.
+ *
+ * \li	Making queries of type ANY with #DNS_DBFIND_GLUEOK is not recommended,
+ *	because the burden of determining whether a given rdataset is valid
+ *	glue or not falls upon the caller.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
+ *
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * \li	'foundname' is a valid name with a dedicated buffer.
+ *
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures,
+ *	on a non-error completion:
+ *
+ *	\li	If nodep != NULL, then it is bound to the found node.
+ *
+ *	\li	If foundname != NULL, then it contains the full name of the
+ *		found node.
+ *
+ *	\li	If rdataset != NULL and type != dns_rdatatype_any, then
+ *		rdataset is bound to the found rdataset.
+ *
+ *	Non-error results are:
+ *
+ *	\li	#ISC_R_SUCCESS			The desired node and type were
+ *						found.
+ *
+ *	\li	#DNS_R_GLUE			The desired node and type were
+ *						found, but are glue.  This
+ *						result can only occur if
+ *						the DNS_DBFIND_GLUEOK option
+ *						is set.  This result can only
+ *						occur if 'db' is a zone
+ *						database.  If type ==
+ *						dns_rdatatype_any, then the
+ *						node returned may contain, or
+ *						consist entirely of invalid
+ *						glue (i.e. data occluded by a
+ *						zone cut).  The caller must
+ *						take care not to return invalid
+ *						glue to a client.
+ *
+ *	\li	#DNS_R_DELEGATION		The data requested is beneath
+ *						a zone cut.  node, foundname,
+ *						and rdataset reference the
+ *						NS RRset of the zone cut.
+ *						If 'db' is a cache database,
+ *						then this is the deepest known
+ *						delegation.
+ *
+ *	\li	#DNS_R_ZONECUT			type == dns_rdatatype_any, and
+ *						the desired node is a zonecut.
+ *						The caller must take care not
+ *						to return inappropriate glue
+ *						to a client.  This result can
+ *						only occur if 'db' is a zone
+ *						database and DNS_DBFIND_GLUEOK
+ *						is set.
+ *
+ *	\li	#DNS_R_DNAME			The data requested is beneath
+ *						a DNAME.  node, foundname,
+ *						and rdataset reference the
+ *						DNAME RRset.
+ *
+ *	\li	#DNS_R_CNAME			The rdataset requested was not
+ *						found, but there is a CNAME
+ *						at the desired name.  node,
+ *						foundname, and rdataset
+ *						reference the CNAME RRset.
+ *
+ *	\li	#DNS_R_NXDOMAIN			The desired name does not
+ *						exist.
+ *
+ *	\li	#DNS_R_NXRRSET			The desired name exists, but
+ *						the desired type does not.
+ *
+ *	\li	#ISC_R_NOTFOUND			The desired name does not
+ *						exist, and no delegation could
+ *						be found.  This result can only
+ *						occur if 'db' is a cache
+ *						database.  The caller should
+ *						use its nameserver(s) of last
+ *						resort (e.g. root hints).
+ *
+ *	\li	#DNS_R_NCACHENXDOMAIN		The desired name does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *	\li	#DNS_R_NCACHENXRRSET		The desired type does not
+ *						exist.  'node' is bound to the
+ *						cache node with the desired
+ *						name, and 'rdataset' contains
+ *						the negative caching proof.
+ *
+ *	\li	#DNS_R_EMPTYNAME		The name exists but there is
+ *						no data at the name.
+ *
+ *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
+ *						that potentially covers 'name'.
+ *
+ *	\li	#DNS_R_EMPTYWILD		The name is a wildcard without
+ *						resource records.
+ *
+ *	Error results:
+ *
+ *	\li	#ISC_R_NOMEMORY
+ *
+ *	\li	#DNS_R_BADDB			Data that is required to be
+ *						present in the DB, e.g. an NSEC
+ *						record in a secure zone, is not
+ *						present.
+ *
+ *	\li	Other results are possible, and should all be treated as
+ *		errors.
+ */
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
+		   unsigned int options, isc_stdtime_t now,
+		   dns_dbnode_t **nodep, dns_name_t *foundname,
+		   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the deepest known zonecut which encloses 'name' in 'db'.
+ *
+ * Notes:
+ *
+ * \li	If the #DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *	(if any) will be the deepest known ancestor of 'name'.
+ *
+ * \li	If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with cache semantics.
+ *
+ * \li	'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * \li	'foundname' is a valid name with a dedicated buffer.
+ *
+ * \li	'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures, on a non-error completion:
+ *
+ * \li	If nodep != NULL, then it is bound to the found node.
+ *
+ * \li	If foundname != NULL, then it contains the full name of the
+ *	found node.
+ *
+ * \li	If rdataset != NULL and type != dns_rdatatype_any, then
+ *	rdataset is bound to the found rdataset.
+ *
+ * Non-error results are:
+ *
+ * \li	#ISC_R_SUCCESS
+ *
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, and should all be treated as
+ *	errors.
+ */
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'source' is a valid node.
+ *
+ * \li	'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li	*targetp is attached to source.
+ */
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*%<
+ * Detach *nodep from its node.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'nodep' points to a valid node.
+ *
+ * Ensures:
+ *
+ * \li	*nodep is NULL.
+ */
+
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp);
+/*%<
+ * Transfer a node between pointer.
+ *
+ * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'*sourcep' is a valid node.
+ *
+ * \li	'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li	'*sourcep' is NULL.
+ */
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
+/*%<
+ * Mark as stale all records at 'node' which expire at or before 'now'.
+ *
+ * Note: if 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid cache database.
+ *
+ * \li	'node' is a valid node.
+ */
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
+/*%<
+ * Print a textual representation of the contents of the node to
+ * 'out'.
+ *
+ * Note: this function is intended for debugging, not general use.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ */
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, unsigned int options,
+		      dns_dbiterator_t **iteratorp);
+/*%<
+ * Create an iterator for version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	One or more of the following options can be set.
+ *	#DNS_DB_RELATIVENAMES
+ *	#DNS_DB_NSEC3ONLY
+ *	#DNS_DB_NONSEC3
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *iteratorp will be a valid database iterator.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+/***
+ *** Rdataset Methods
+ ***/
+
+/*
+ * XXXRTH  Should we check for glue and pending data in dns_db_findrdataset()?
+ */
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    dns_rdatatype_t type, dns_rdatatype_t covers,
+		    isc_stdtime_t now, dns_rdataset_t *rdataset,
+		    dns_rdataset_t *sigrdataset);
+
+/*%<
+ * Search for an rdataset of type 'type' at 'node' that are in version
+ * 'version' of 'db'.  If found, make 'rdataset' refer to it.
+ *
+ * Notes:
+ *
+ * \li	If 'version' is NULL, then the current version will be used.
+ *
+ * \li	Care must be used when using this routine to build a DNS response:
+ *	'node' should have been found with dns_db_find(), not
+ *	dns_db_findnode().  No glue checking is done.  No checking for
+ *	pending data is done.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * \li	'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
+ *
+ * \li	If 'covers' != 0, 'type' must be SIG.
+ *
+ * \li	'type' is not a meta-RR type such as 'ANY' or 'OPT'.
+ *
+ * Ensures:
+ *
+ * \li	On success, 'rdataset' is associated with the found rdataset.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
+/*%<
+ * Make '*iteratorp' an rdataset iterator for all rdatasets at 'node' in
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'version' is NULL, then the current version will be used.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is a
+ *	cache database, an rdataset will not be found unless it expires after
+ *	'now'.  Any ANY query will not match unless at least one rdataset at
+ *	the node expires after 'now'.  If 'now' is zero, then the current time
+ *	will be used.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*iteratorp' is a valid rdataset iterator.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   unsigned int options, dns_rdataset_t *addedrdataset);
+/*%<
+ * Add 'rdataset' to 'node' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If the database has zone semantics, the #DNS_DBADD_MERGE option is set,
+ *	and an rdataset of the same type as 'rdataset' already exists at
+ *	'node' then the contents of 'rdataset' will be merged with the existing
+ *	rdataset.  If the option is not set, then rdataset will replace any
+ *	existing rdataset of the same type.  If not merging and the
+ *	#DNS_DBADD_FORCE option is set, then the data will update the database
+ *	without regard to trust levels.  If not forcing the data, then the
+ *	rdataset will only be added if its trust level is >= the trust level of
+ *	any existing rdataset.  Forcing is only meaningful for cache databases.
+ *	If #DNS_DBADD_EXACT is set then there must be no rdata in common between
+ *	the old and new rdata sets.  If #DNS_DBADD_EXACTTTL is set then both
+ *	the old and new rdata sets must have the same ttl.
+ *
+ * \li	The 'now' field is ignored if 'db' is a zone database.  If 'db' is
+ *	a cache database, then the added rdataset will expire no later than
+ *	now + rdataset->ttl.
+ *
+ * \li	If 'addedrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, or to the existing data if
+ *	the existing data was better.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ * \li	'addedrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ * \li	If the database has cache semantics, the #DNS_DBADD_MERGE option must
+ *	not be set.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change anything.
+ * \li	#ISC_R_NOMEMORY
+ * \li	#DNS_R_NOTEXACT
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, dns_rdataset_t *rdataset,
+			unsigned int options, dns_rdataset_t *newrdataset);
+/*%<
+ * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+ * 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'newrdataset' is not NULL, then it will be attached to the
+ *	resulting new rdataset in the database, unless the rdataset has
+ *	become nonexistent.  If DNS_DBSUB_EXACT is set then all elements
+ *	of 'rdataset' must exist at 'node'.
+ *
+ *\li	If DNS_DBSUB_WANTOLD is set and the entire rdataset was deleted
+ *	then return the original rdatatset in newrdataset if that existed.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	'rdataset' is a valid, associated rdataset with the same class
+ *	as 'db'.
+ *
+ * \li	'newrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			The operation did not change anything.
+ * \li	#DNS_R_NXRRSET			All rdata of the same type as those
+ *					in 'rdataset' have been deleted.
+ * \li	#DNS_R_NOTEXACT			Some part of 'rdataset' did not
+ *					exist and DNS_DBSUB_EXACT was set.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+		      dns_dbversion_t *version, dns_rdatatype_t type,
+		      dns_rdatatype_t covers);
+/*%<
+ * Make it so that no rdataset of type 'type' exists at 'node' in version
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * \li	If 'type' is dns_rdatatype_any, then no rdatasets will exist in
+ *	'version' (provided that the dns_db_deleterdataset() isn't followed
+ *	by one or more dns_db_addrdataset() calls).
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'node' is a valid node.
+ *
+ * \li	The database has zone semantics and 'version' is a valid
+ *	read-write version, or the database has cache semantics
+ *	and version is NULL.
+ *
+ * \li	'type' is not a meta-RR type, except for dns_rdatatype_any, which is
+ *	allowed.
+ *
+ * \li	If 'covers' != 0, 'type' must be SIG.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_UNCHANGED			No rdatasets of 'type' existed before
+ *					the operation was attempted.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, uint32_t *serialp);
+/*%<
+ * Get the current SOA serial number from a zone database.
+ *
+ * Requires:
+ * \li	'db' is a valid database with zone semantics.
+ * \li	'ver' is a valid version.
+ */
+
+void
+dns_db_overmem(dns_db_t *db, bool overmem);
+/*%<
+ * Enable / disable aggressive cache cleaning.
+ */
+
+unsigned int
+dns_db_nodecount(dns_db_t *db);
+/*%<
+ * Count the number of nodes in 'db'.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	The number of nodes in the database
+ */
+
+size_t
+dns_db_hashsize(dns_db_t *db);
+/*%<
+ * For database implementations using a hash table, report the
+ * current number of buckets.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	The number of buckets in the database's hash table, or
+ *      0 if not implemented.
+ */
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task);
+/*%<
+ * If task is set then the final detach maybe performed asynchronously.
+ *
+ * Requires:
+ * \li	'db' is a valid database.
+ * \li	'task' to be valid or NULL.
+ */
+
+bool
+dns_db_ispersistent(dns_db_t *db);
+/*%<
+ * Is 'db' persistent?  A persistent database does not need to be loaded
+ * from disk or written to disk.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ * \li	#true	'db' is persistent.
+ * \li	#false	'db' is not persistent.
+ */
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+		isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+/*%<
+ * Register a new database implementation and add it to the list of
+ * supported implementations.
+ *
+ * Requires:
+ *
+ * \li 	'name' is not NULL
+ * \li	'order' is a valid function pointer
+ * \li	'mctx' is a valid memory context
+ * \li	dbimp != NULL && *dbimp == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS	The registration succeeded
+ * \li	#ISC_R_NOMEMORY	Out of memory
+ * \li	#ISC_R_EXISTS	A database implementation with the same name exists
+ *
+ * Ensures:
+ *
+ * \li	*dbimp points to an opaque structure which must be passed to
+ *	dns_db_unregister().
+ */
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp);
+/*%<
+ * Remove a database implementation from the list of supported
+ * implementations.  No databases of this type can be active when this
+ * is called.
+ *
+ * Requires:
+ * \li 	dbimp != NULL && *dbimp == NULL
+ *
+ * Ensures:
+ *
+ * \li	Any memory allocated in *dbimp will be freed.
+ */
+
+isc_result_t
+dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*%<
+ * Get the origin DB node corresponding to the DB's zone.  This function
+ * should typically succeed unless the underlying DB implementation doesn't
+ * support the feature.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid zone database.
+ * \li	'nodep' != NULL && '*nodep' == NULL
+ *
+ * Ensures:
+ * \li	On success, '*nodep' will point to the DB node of the zone's origin.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature.
+ */
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, uint8_t *flags,
+			  uint16_t *interations,
+			  unsigned char *salt, size_t *salt_length);
+/*%<
+ * Get the NSEC3 parameters that are associated with this zone.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature
+ *			  or this zone does not have NSEC3 records.
+ */
+
+isc_result_t
+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	       uint64_t *bytes);
+/*%<
+ * Get the number of records in the given version of the database as well
+ * as the number bytes used to store those records.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'version' is NULL or a valid version.
+ * \li	'records' is NULL or a pointer to return the record count in.
+ * \li	'bytes' is NULL or a pointer to return the byte count in.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+		     bool create, dns_dbnode_t **nodep);
+/*%<
+ * Find the NSEC3 node with name 'name'.
+ *
+ * Notes:
+ * \li	If 'create' is true and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'name' is a valid, non-empty, absolute name.
+ *
+ * \li	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is true.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign);
+/*%<
+ * Sets the re-signing time associated with 'rdataset' to 'resign'.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' is or is to be associated with 'db'.
+ * \li  'rdataset' is not pending removed from the heap via an
+ *       uncommitted call to dns_db_resigned().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Return the rdataset with the earliest signing time in the zone.
+ * Note: the rdataset is version agnostic.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be initialized but not associated.
+ * \li	'name' to be NULL or have a buffer associated with it.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - No dataset exists.
+ */
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version);
+/*%<
+ * Mark 'rdataset' as not being available to be returned by
+ * dns_db_getsigningtime().  If the changes associated with 'version'
+ * are committed this will be permanent.  If the version is not committed
+ * this change will be rolled back when the version is closed.  Until
+ * 'version' is either committed or rolled back, 'rdataset' can no longer
+ * be acted upon by dns_db_setsigningtime().
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be associated with 'db'.
+ * \li	'version' to be open for writing.
+ */
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db);
+/*%<
+ * Get statistics information counting RRsets stored in the DB, when available.
+ * The statistics may not be available depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (cache only).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
+isc_result_t
+dns_db_setcachestats(dns_db_t *db, isc_stats_t *stats);
+/*%<
+ * Set the location in which to collect cache statistics.
+ * This option may not exist depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (cache only).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
+void
+dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);
+/*%<
+ * Attach the response policy information for a view to a database for a
+ * zone for the view.
+ */
+
+isc_result_t
+dns_db_rpz_ready(dns_db_t *db);
+/*%<
+ * Finish loading a response policy zone.
+ */
+
+isc_result_t
+dns_db_updatenotify_register(dns_db_t *db,
+			     dns_dbupdate_callback_t fn,
+			     void *fn_arg);
+/*%<
+ * Register a notify-on-update callback function to a database.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'db' does not have an update callback registered
+ * \li	'fn' is not NULL
+ *
+ */
+
+isc_result_t
+dns_db_updatenotify_unregister(dns_db_t *db,
+			       dns_dbupdate_callback_t fn,
+			       void *fn_arg);
+/*%<
+ * Unregister a notify-on-update callback.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'db' has update callback registered
+ *
+ */
+
+isc_result_t
+dns_db_nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name);
+/*%<
+ * Get the name associated with a database node.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database
+ * \li	'node' and 'name' are not NULL
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
new file mode 100644
index 0000000..8b50c8c
--- /dev/null
+++ b/lib/dns/include/dns/dbiterator.h
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DBITERATOR_H
+#define DNS_DBITERATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/dbiterator.h
+ * \brief
+ * The DNS DB Iterator interface allows iteration of all of the nodes in a
+ * database.
+ *
+ * The dns_dbiterator_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_db_detachnode() on all
+ * nodes returned.
+ *
+ * XXX &lt;more&gt; XXX
+ *
+ * MP:
+ *\li	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *
+ *\li	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbiteratormethods {
+	void		(*destroy)(dns_dbiterator_t **iteratorp);
+	isc_result_t	(*first)(dns_dbiterator_t *iterator);
+	isc_result_t	(*last)(dns_dbiterator_t *iterator);
+	isc_result_t	(*seek)(dns_dbiterator_t *iterator, dns_name_t *name);
+	isc_result_t	(*prev)(dns_dbiterator_t *iterator);
+	isc_result_t	(*next)(dns_dbiterator_t *iterator);
+	isc_result_t	(*current)(dns_dbiterator_t *iterator,
+				   dns_dbnode_t **nodep, dns_name_t *name);
+	isc_result_t	(*pause)(dns_dbiterator_t *iterator);
+	isc_result_t	(*origin)(dns_dbiterator_t *iterator,
+				  dns_name_t *name);
+} dns_dbiteratormethods_t;
+
+#define DNS_DBITERATOR_MAGIC	     ISC_MAGIC('D','N','S','I')
+#define DNS_DBITERATOR_VALID(dbi)    ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_dbiterator_t.
+ *
+ * Clients may use the 'db' field of this structure.  Except for that field,
+ * direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be DNS_DBITERATOR_MAGIC for any of
+ * the dns_dbiterator routines to work.  DB iterator implementations must
+ * maintain all DB iterator invariants.
+ */
+struct dns_dbiterator {
+	/* Unlocked. */
+	unsigned int			magic;
+	dns_dbiteratormethods_t *	methods;
+	dns_db_t *			db;
+	bool			relative_names;
+	bool			cleaning;
+};
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
+/*%<
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *\li	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the iterator are freed.
+ *
+ *\li	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the first node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the last node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no nodes in the database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
+/*%<
+ * Move the node cursor to the node with name 'name'.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	'name' is a valid name.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ *\li	#DNS_R_PARTIALMATCH
+ *	(node is at name above requested named when name has children)
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the previous node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator);
+/*%<
+ * Move the node cursor to the next node in the database (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more nodes in the
+ *					database.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		       dns_name_t *name);
+/*%<
+ * Return the current node.
+ *
+ * Notes:
+ *\li	If 'name' is not NULL, it will be set to the name of the node.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	nodep != NULL && *nodep == NULL
+ *
+ *\li	The node cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ *\li	'name' is NULL, or is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NEWORIGIN			If this iterator was created with
+ *					'relative_names' set to true,
+ *					then #DNS_R_NEWORIGIN will be returned
+ *					when the origin the names are
+ *					relative to changes.  This result
+ *					can occur only when 'name' is not
+ *					NULL.  This is also a successful
+ *					result.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator);
+/*%<
+ * Pause iteration.
+ *
+ * Calling a cursor movement method or dns_dbiterator_current() may cause
+ * database locks to be acquired.  Rather than reacquire these locks every
+ * time one of these routines is called, the locks may simply be held.
+ * Calling dns_dbiterator_pause() releases any such locks.  Iterator clients
+ * should call this routine any time they are not going to execute another
+ * iterator method in the immediate future.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Ensures:
+ *\li	Any database locks being held for efficiency of iterator access are
+ *	released.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+/*%<
+ * Return the origin to which returned node names are relative.
+ *
+ * Requires:
+ *
+ *\li	'iterator' is a valid relative_names iterator.
+ *
+ *\li	'name' is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, bool mode);
+/*%<
+ * Indicate that the given iterator is/is not cleaning the DB.
+ *
+ * Notes:
+ *\li	When 'mode' is true,
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBITERATOR_H */
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
new file mode 100644
index 0000000..8f139b9
--- /dev/null
+++ b/lib/dns/include/dns/dbtable.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DBTABLE_H
+#define DNS_DBTABLE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/dbtable.h
+ * \brief
+ * DNS DB Tables
+ *
+ * XXX TBS XXX
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DBTABLEFIND_NOEXACT		0x01
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		   dns_dbtable_t **dbtablep);
+/*%<
+ * Make a new dbtable of class 'rdclass'
+ *
+ * Requires:
+ *\li	mctx != NULL
+ * \li	dbtablep != NULL && *dptablep == NULL
+ *\li	'rdclass' is a valid class
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid dbtable.
+ *
+ *\li	'targetp' points to a NULL dns_dbtable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep);
+/*%<
+ * Detach *dbtablep from its dbtable.
+ *
+ * Requires:
+ *
+ *\li	'*dbtablep' points to a valid dbtable.
+ *
+ * Ensures:
+ *
+ *\li	*dbtablep is NULL.
+ *
+ *\li	If '*dbtablep' is the last reference to the dbtable,
+ *		all resources used by the dbtable will be freed
+ */
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Add 'db' to 'dbtable'.
+ *
+ * Requires:
+ *\li	'dbtable' is a valid dbtable.
+ *
+ *\li	'db' is a valid database with the same class as 'dbtable'
+ */
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Remove 'db' from 'dbtable'.
+ *
+ * Requires:
+ *\li	'db' was previously added to 'dbtable'.
+ */
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
+/*%<
+ * Use 'db' as the result of a dns_dbtable_find() if no better match is
+ * available.
+ */
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
+/*%<
+ * Get the 'db' used as the result of a dns_dbtable_find()
+ * if no better match is available.
+ */
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable);
+/*%<
+ * Remove the default db from 'dbtable'.
+ */
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+		 unsigned int options, dns_db_t **dbp);
+/*%<
+ * Find the deepest match to 'name' in the dbtable, and return it
+ *
+ * Notes:
+ *\li	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
+ *	match (if any) to 'name' will be returned.
+ *
+ * Returns:
+ * \li #ISC_R_SUCCESS		on success
+ *\li	     something else:		no default and match
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBTABLE_H */
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
new file mode 100644
index 0000000..50f6e9d
--- /dev/null
+++ b/lib/dns/include/dns/diff.h
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DIFF_H
+#define DNS_DIFF_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/diff.h
+ * \brief
+ * A diff is a convenience type representing a list of changes to be
+ * made to a database.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A dns_difftuple_t represents a single RR being added or deleted.
+ * The RR type and class are in the 'rdata' member; the class is always
+ * the real one, not a DynDNS meta-class, so that the rdatas can be
+ * compared using dns_rdata_compare().  The TTL is significant
+ * even for deletions, because a deletion/addition pair cannot
+ * be canceled out if the TTL differs (it might be an explicit
+ * TTL update).
+ *
+ * Tuples are also used to represent complete RRs with owner
+ * names for a couple of other purposes, such as the
+ * individual RRs of a "RRset exists (value dependent)"
+ * prerequisite set.  In this case, op==DNS_DIFFOP_EXISTS,
+ * and the TTL is ignored.
+ *
+ * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
+ * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
+ * timeexpire.
+ */
+
+typedef enum {
+	DNS_DIFFOP_ADD = 0,		/*%< Add an RR. */
+	DNS_DIFFOP_DEL = 1,		/*%< Delete an RR. */
+	DNS_DIFFOP_EXISTS = 2,		/*%< Assert RR existence. */
+	DNS_DIFFOP_ADDRESIGN = 4,	/*%< ADD + RESIGN. */
+	DNS_DIFFOP_DELRESIGN = 5	/*%< DEL + RESIGN. */
+} dns_diffop_t;
+
+typedef struct dns_difftuple dns_difftuple_t;
+
+#define DNS_DIFFTUPLE_MAGIC	ISC_MAGIC('D','I','F','T')
+#define DNS_DIFFTUPLE_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
+
+struct dns_difftuple {
+	unsigned int			magic;
+	isc_mem_t			*mctx;
+	dns_diffop_t			op;
+	dns_name_t			name;
+	dns_ttl_t			ttl;
+	dns_rdata_t			rdata;
+	ISC_LINK(dns_difftuple_t)	link;
+	/* Variable-size name data and rdata follows. */
+};
+
+/*%
+ * A dns_diff_t represents a set of changes being applied to
+ * a zone.  Diffs are also used to represent "RRset exists
+ * (value dependent)" prerequisites.
+ */
+typedef struct dns_diff dns_diff_t;
+
+#define DNS_DIFF_MAGIC		ISC_MAGIC('D','I','F','F')
+#define DNS_DIFF_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
+
+struct dns_diff {
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	ISC_LIST(dns_difftuple_t)	tuples;
+};
+
+/* Type of comparison function for sorting diffs. */
+typedef int dns_diff_compare_func(const void *, const void *);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+/*
+ * Manipulation of diffs and tuples.
+ */
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx,
+		     dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+		     dns_rdata_t *rdata, dns_difftuple_t **tp);
+/*%<
+ * Create a tuple.  Deep copies are made of the name and rdata, so
+ * they need not remain valid after the call.
+ *
+ * Requires:
+ *\li	*tp != NULL && *tp == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *  \li    ISC_R_NOMEMORY
+ */
+
+void
+dns_difftuple_free(dns_difftuple_t **tp);
+/*%<
+ * Free a tuple.
+ *
+ * Requires:
+ *    \li   **tp is a valid tuple.
+ *
+ * Ensures:
+ *     \li  *tp == NULL
+ *      \li All memory used by the tuple is freed.
+ */
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
+/*%<
+ * Copy a tuple.
+ *
+ * Requires:
+ * \li	'orig' points to a valid tuple
+ *\li	copyp != NULL && *copyp == NULL
+ */
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
+/*%<
+ * Initialize a diff.
+ *
+ * Requires:
+ * \li   'diff' points to an uninitialized dns_diff_t
+ *  \li  allocated by the caller.
+ *
+ * Ensures:
+ * \li   '*diff' is a valid, empty diff.
+ */
+
+void
+dns_diff_clear(dns_diff_t *diff);
+/*%<
+ * Clear a diff, destroying all its tuples.
+ *
+ * Requires:
+ * \li   'diff' points to a valid dns_diff_t.
+ *
+ * Ensures:
+ * \li    Any tuples in the diff are destroyed.
+ *     The diff now empty, but it is still valid
+ *     and may be reused without calling dns_diff_init
+ *     again.  The only memory used is that of the
+ *     dns_diff_t structure itself.
+ *
+ * Notes:
+ * \li    Managing the memory of the dns_diff_t structure itself
+ *     is the caller's responsibility.
+ */
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*%<
+ * Append a single tuple to a diff.
+ *
+ *\li	'diff' is a valid diff.
+ * \li	'*tuple' is a valid tuple.
+ *
+ * Ensures:
+ *\li	*tuple is NULL.
+ *\li	The tuple has been freed, or will be freed when the diff is cleared.
+ */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*%<
+ * Append 'tuple' to 'diff', removing any duplicate
+ * or conflicting updates as needed to create a minimal diff.
+ *
+ * Requires:
+ *\li	'diff' is a minimal diff.
+ *
+ * Ensures:
+ *\li	'diff' is still a minimal diff.
+ *  \li 	*tuple is NULL.
+ *   \li	The tuple has been freed, or will be freed when the diff is cleared.
+ *
+ */
+
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
+/*%<
+ * Sort 'diff' in-place according to the comparison function 'compare'.
+ */
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+/*%<
+ * Apply 'diff' to the database 'db'.
+ *
+ * dns_diff_apply() logs warnings about updates with no effect or
+ * with inconsistent TTLs; dns_diff_applysilently() does not.
+ *
+ * For efficiency, the diff should be sorted by owner name.
+ * If it is not sorted, operation will still be correct,
+ * but less efficient.
+ *
+ * Requires:
+ *\li	*diff is a valid diff (possibly empty), containing
+ *   	tuples of type #DNS_DIFFOP_ADD and/or
+ *  	For #DNS_DIFFOP_DEL tuples, the TTL is ignored.
+ *
+ */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+	      void *add_private);
+/*%<
+ * Like dns_diff_apply, but for use when loading a new database
+ * instead of modifying an existing one.  This bypasses the
+ * database transaction mechanisms.
+ *
+ * Requires:
+ *\li 	'addfunc' is a valid dns_addradatasetfunc_t obtained from
+ * 	dns_db_beginload()
+ *
+ *\li	'add_private' points to a corresponding dns_dbload_t *
+ *      (XXX why is it a void pointer, then?)
+ */
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file);
+
+/*%<
+ * Print the differences to 'file' or if 'file' is NULL via the
+ * logging system.
+ *
+ * Require:
+ *\li	'diff' to be valid.
+ *\li	'file' to refer to a open file or NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	any error from dns_rdataset_totext()
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DIFF_H */
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
new file mode 100644
index 0000000..476863a
--- /dev/null
+++ b/lib/dns/include/dns/dispatch.h
@@ -0,0 +1,614 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DISPATCH_H
+#define DNS_DISPATCH_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/dispatch.h
+ * \brief
+ * DNS Dispatch Management
+ * 	Shared UDP and single-use TCP dispatches for queries and responses.
+ *
+ * MP:
+ *
+ *\li     	All locking is performed internally to each dispatch.
+ * 	Restrictions apply to dns_dispatch_removeresponse().
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ *\li	Depends on the isc_socket_t and dns_message_t for prevention of
+ *	buffer overruns.
+ *
+ * Standards:
+ *
+ *\li	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/socket.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * This event is sent to a task when a response comes in.
+ * No part of this structure should ever be modified by the caller,
+ * other than parts of the buffer.  The holy parts of the buffer are
+ * the base and size of the buffer.  All other parts of the buffer may
+ * be used.  On event delivery the used region contains the packet.
+ *
+ * "id" is the received message id,
+ *
+ * "addr" is the host that sent it to us,
+ *
+ * "buffer" holds state on the received data.
+ *
+ * The "free" routine for this event will clean up itself as well as
+ * any buffer space allocated from common pools.
+ */
+
+struct dns_dispatchevent {
+	ISC_EVENT_COMMON(dns_dispatchevent_t);	/*%< standard event common */
+	isc_result_t		result;		/*%< result code */
+	int32_t		id;		/*%< message id */
+	isc_sockaddr_t		addr;		/*%< address recv'd from */
+	struct in6_pktinfo	pktinfo;	/*%< reply info for v6 */
+	isc_buffer_t	        buffer;		/*%< data buffer */
+	uint32_t		attributes;	/*%< mirrored from socket.h */
+};
+
+/*%
+ * This is a set of one or more dispatches which can be retrieved
+ * round-robin fashion.
+ */
+struct dns_dispatchset {
+	isc_mem_t		*mctx;
+	dns_dispatch_t		**dispatches;
+	int			ndisp;
+	int			cur;
+	isc_mutex_t		lock;
+};
+
+/*@{*/
+/*%
+ * Attributes for added dispatchers.
+ *
+ * Values with the mask 0xffff0000 are application defined.
+ * Values with the mask 0x0000ffff are library defined.
+ *
+ * Insane values (like setting both TCP and UDP) are not caught.  Don't
+ * do that.
+ *
+ * _PRIVATE
+ *	The dispatcher cannot be shared.
+ *
+ * _TCP, _UDP
+ *	The dispatcher is a TCP or UDP socket.
+ *
+ * _IPV4, _IPV6
+ *	The dispatcher uses an IPv4 or IPv6 socket.
+ *
+ * _NOLISTEN
+ *	The dispatcher should not listen on the socket.
+ *
+ * _MAKEQUERY
+ *	The dispatcher can be used to issue queries to other servers, and
+ *	accept replies from them.
+ *
+ * _RANDOMPORT
+ *	Previously used to indicate that the port of a dispatch UDP must be
+ *	chosen randomly.  This behavior now always applies and the attribute
+ *	is obsoleted.
+ *
+ * _EXCLUSIVE
+ *	A separate socket will be used on-demand for each transaction.
+ */
+#define DNS_DISPATCHATTR_PRIVATE	0x00000001U
+#define DNS_DISPATCHATTR_TCP		0x00000002U
+#define DNS_DISPATCHATTR_UDP		0x00000004U
+#define DNS_DISPATCHATTR_IPV4		0x00000008U
+#define DNS_DISPATCHATTR_IPV6		0x00000010U
+#define DNS_DISPATCHATTR_NOLISTEN	0x00000020U
+#define DNS_DISPATCHATTR_MAKEQUERY	0x00000040U
+#define DNS_DISPATCHATTR_CONNECTED	0x00000080U
+#define DNS_DISPATCHATTR_FIXEDID	0x00000100U
+#define DNS_DISPATCHATTR_EXCLUSIVE	0x00000200U
+/*@}*/
+
+/*
+ */
+#define DNS_DISPATCHOPT_FIXEDID		0x00000001U
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
+		       dns_dispatchmgr_t **mgrp);
+/*%<
+ * Creates a new dispatchmgr object.
+ *
+ * Requires:
+ *\li	"mctx" be a valid memory context.
+ *
+ *\li	mgrp != NULL && *mgrp == NULL
+ *
+ *\li	"entropy" may be NULL, in which case an insecure random generator
+ *	will be used.  If it is non-NULL, it must be a valid entropy
+ *	source.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
+/*%<
+ * Destroys the dispatchmgr when it becomes empty.  This could be
+ * immediately.
+ *
+ * Requires:
+ *\li	mgrp != NULL && *mgrp is a valid dispatchmgr.
+ */
+
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
+/*%<
+ * Sets the dispatcher's "blackhole list," a list of addresses that will
+ * be ignored by all dispatchers created by the dispatchmgr.
+ *
+ * Requires:
+ * \li	mgrp is a valid dispatchmgr
+ * \li	blackhole is a valid acl
+ */
+
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
+/*%<
+ * Gets a pointer to the dispatcher's current blackhole list,
+ * without incrementing its reference count.
+ *
+ * Requires:
+ *\li 	mgr is a valid dispatchmgr
+ * Returns:
+ *\li	A pointer to the current blackhole list, or NULL.
+ */
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+				 dns_portlist_t *portlist);
+/*%<
+ * This function is deprecated.  Use dns_dispatchmgr_setavailports() instead.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ */
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
+/*%<
+ * This function is deprecated and always returns NULL.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ */
+
+isc_result_t
+dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
+			      isc_portset_t *v6portset);
+/*%<
+ * Sets a list of UDP ports that can be used for outgoing UDP messages.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr
+ *\li	v4portset is NULL or a valid port set
+ *\li	v6portset is NULL or a valid port set
+ */
+
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats);
+/*%<
+ * Sets statistics counter for the dispatchmgr.  This function is expected to
+ * be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr with no managed dispatch.
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    unsigned int attributes, unsigned int mask,
+		    dns_dispatch_t **dispp);
+
+isc_result_t
+dns_dispatch_getudp_dup(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+		    unsigned int buffersize,
+		    unsigned int maxbuffers, unsigned int maxrequests,
+		    unsigned int buckets, unsigned int increment,
+		    unsigned int attributes, unsigned int mask,
+		    dns_dispatch_t **dispp, dns_dispatch_t *dup);
+/*%<
+ * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
+ * otherwise create a new UDP dispatch.
+ *
+ * Requires:
+ *\li	All pointer parameters be valid for their respective types.
+ *
+ *\li	dispp != NULL && *disp == NULL
+ *
+ *\li	512 <= buffersize <= 64k
+ *
+ *\li	maxbuffers > 0
+ *
+ *\li	buckets < 2097169
+ *
+ *\li	increment > buckets
+ *
+ *\li	(attributes & DNS_DISPATCHATTR_TCP) == 0
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- success.
+ *
+ *\li	Anything else	-- failure.
+ */
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+		       isc_taskmgr_t *taskmgr, unsigned int buffersize,
+		       unsigned int maxbuffers, unsigned int maxrequests,
+		       unsigned int buckets, unsigned int increment,
+		       unsigned int attributes, dns_dispatch_t **dispp);
+isc_result_t
+dns_dispatch_createtcp2(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+			isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+			isc_sockaddr_t *destaddr, unsigned int buffersize,
+			unsigned int maxbuffers, unsigned int maxrequests,
+			unsigned int buckets, unsigned int increment,
+			unsigned int attributes, dns_dispatch_t **dispp);
+/*%<
+ * Create a new dns_dispatch and attach it to the provided isc_socket_t.
+ *
+ * For all dispatches, "buffersize" is the maximum packet size we will
+ * accept.
+ *
+ * "maxbuffers" and "maxrequests" control the number of buffers in the
+ * overall system and the number of buffers which can be allocated to
+ * requests.
+ *
+ * "buckets" is the number of buckets to use, and should be prime.
+ *
+ * "increment" is used in a collision avoidance function, and needs to be
+ * a prime > buckets, and not 2.
+ *
+ * Requires:
+ *
+ *\li	mgr is a valid dispatch manager.
+ *
+ *\li	sock is a valid.
+ *
+ *\li	task is a valid task that can be used internally to this dispatcher.
+ *
+ * \li	512 <= buffersize <= 64k
+ *
+ *\li	maxbuffers > 0.
+ *
+ *\li	maxrequests <= maxbuffers.
+ *
+ *\li	buckets < 2097169 (the next prime after 65536 * 32)
+ *
+ *\li	increment > buckets (and prime).
+ *
+ *\li	attributes includes #DNS_DISPATCHATTR_TCP and does not include
+ *	#DNS_DISPATCHATTR_UDP.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- success.
+ *
+ *\li	Anything else	-- failure.
+ */
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
+/*%<
+ * Attach to a dispatch handle.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ *\li	dispp != NULL && *dispp == NULL
+ */
+
+void
+dns_dispatch_detach(dns_dispatch_t **dispp);
+/*%<
+ * Detaches from the dispatch.
+ *
+ * Requires:
+ *\li	dispp != NULL and *dispp be a valid dispatch.
+ */
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp);
+/*%<
+ * Start processing of a TCP dispatch once the socket connects.
+ *
+ * Requires:
+ *\li	'disp' is valid.
+ */
+
+isc_result_t
+dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr,
+		    isc_sockaddr_t *localaddr, dns_dispatch_t **dispp);
+isc_result_t
+dns_dispatch_gettcp2(dns_dispatchmgr_t *mgr, isc_sockaddr_t *destaddr,
+		     isc_sockaddr_t *localaddr, bool *connected,
+		     dns_dispatch_t **dispp);
+/*
+ * Attempt to connect to a existing TCP connection (connection completed
+ * for dns_dispatch_gettcp()).
+ */
+
+
+isc_result_t
+dns_dispatch_addresponse3(dns_dispatch_t *disp, unsigned int options,
+			  isc_sockaddr_t *dest, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  uint16_t *idp, dns_dispentry_t **resp,
+			  isc_socketmgr_t *sockmgr);
+
+isc_result_t
+dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+			  isc_task_t *task, isc_taskaction_t action, void *arg,
+			  uint16_t *idp, dns_dispentry_t **resp,
+			  isc_socketmgr_t *sockmgr);
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+			 isc_task_t *task, isc_taskaction_t action, void *arg,
+			 uint16_t *idp, dns_dispentry_t **resp);
+/*%<
+ * Add a response entry for this dispatch.
+ *
+ * "*idp" is filled in with the assigned message ID, and *resp is filled in
+ * to contain the magic token used to request event flow stop.
+ *
+ * Arranges for the given task to get a callback for response packets.  When
+ * the event is delivered, it must be returned using dns_dispatch_freeevent()
+ * or through dns_dispatch_removeresponse() for another to be delivered.
+ *
+ * Requires:
+ *\li	"idp" be non-NULL.
+ *
+ *\li	"task" "action" and "arg" be set as appropriate.
+ *
+ *\li	"dest" be non-NULL and valid.
+ *
+ *\li	"resp" be non-NULL and *resp be NULL
+ *
+ *\li	"sockmgr" be NULL or a valid socket manager.  If 'disp' has
+ *	the DNS_DISPATCHATTR_EXCLUSIVE attribute, this must not be NULL,
+ *	which also means dns_dispatch_addresponse() cannot be used.
+ *
+ * Ensures:
+ *
+ *\li	&lt;id, dest> is a unique tuple.  That means incoming messages
+ *	are identifiable.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS		-- all is well.
+ *\li	ISC_R_NOMEMORY		-- memory could not be allocated.
+ *\li	ISC_R_NOMORE		-- no more message ids can be allocated
+ *				   for this destination.
+ */
+
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
+			    dns_dispatchevent_t **sockevent);
+/*%<
+ * Stops the flow of responses for the provided id and destination.
+ * If "sockevent" is non-NULL, the dispatch event and associated buffer is
+ * also returned to the system.
+ *
+ * Requires:
+ *\li	"resp" != NULL and "*resp" contain a value previously allocated
+ *	by dns_dispatch_addresponse();
+ *
+ *\li	May only be called from within the task given as the 'task'
+ * 	argument to dns_dispatch_addresponse() when allocating '*resp'.
+ */
+
+isc_socket_t *
+dns_dispatch_getentrysocket(dns_dispentry_t *resp);
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp);
+/*%<
+ * Return the socket associated with this dispatcher.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ * Returns:
+ *\li	The socket the dispatcher is using.
+ */
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
+/*%<
+ * Return the local address for this dispatch.
+ * This currently only works for dispatches using UDP sockets.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *\li	addrp to be non null.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTIMPLEMENTED
+ */
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp);
+/*%<
+ * cancel outstanding clients
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+unsigned int
+dns_dispatch_getattributes(dns_dispatch_t *disp);
+/*%<
+ * Return the attributes (DNS_DISPATCHATTR_xxx) of this dispatch.  Only the
+ * non-changeable attributes are expected to be referenced by the caller.
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+			      unsigned int attributes, unsigned int mask);
+/*%<
+ * Set the bits described by "mask" to the corresponding values in
+ * "attributes".
+ *
+ * That is:
+ *
+ * \code
+ *	new = (old & ~mask) | (attributes & mask)
+ * \endcode
+ *
+ * This function has a side effect when #DNS_DISPATCHATTR_NOLISTEN changes.
+ * When the flag becomes off, the dispatch will start receiving on the
+ * corresponding socket.  When the flag becomes on, receive events on the
+ * corresponding socket will be canceled.
+ *
+ * Requires:
+ *\li	disp is valid.
+ *
+ *\li	attributes are reasonable for the dispatch.  That is, setting the UDP
+ *	attribute on a TCP socket isn't reasonable.
+ */
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
+/*%<
+ * Inform the dispatcher of a socket receive.  This is used for sockets
+ * shared between dispatchers and clients.  If the dispatcher fails to copy
+ * or send the event, nothing happens.
+ *
+ * If the attribute DNS_DISPATCHATTR_NOLISTEN is not set, then
+ * the dispatch is already handling a recv; return immediately.
+ *
+ * Requires:
+ *\li 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
+ * 	event != NULL
+ */
+
+dns_dispatch_t *
+dns_dispatchset_get(dns_dispatchset_t *dset);
+/*%<
+ * Retrieve the next dispatch from dispatch set 'dset', and increment
+ * the round-robin counter.
+ *
+ * Requires:
+ *\li 	dset != NULL
+ */
+
+isc_result_t
+dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
+		       isc_taskmgr_t *taskmgr, dns_dispatch_t *source,
+		       dns_dispatchset_t **dsetp, int n);
+/*%<
+ * Given a valid dispatch 'source', create a dispatch set containing
+ * 'n' UDP dispatches, with the remainder filled out by clones of the
+ * source.
+ *
+ * Requires:
+ *\li 	source is a valid UDP dispatcher
+ *\li 	dsetp != NULL, *dsetp == NULL
+ */
+
+void
+dns_dispatchset_cancelall(dns_dispatchset_t *dset, isc_task_t *task);
+/*%<
+ * Cancel socket operations for the dispatches in 'dset'.
+ */
+
+void
+dns_dispatchset_destroy(dns_dispatchset_t **dsetp);
+/*%<
+ * Dereference all the dispatches in '*dsetp', free the dispatchset
+ * memory, and set *dsetp to NULL.
+ *
+ * Requires:
+ *\li 	dset is valid
+ */
+
+void
+dns_dispatch_setdscp(dns_dispatch_t *disp, isc_dscp_t dscp);
+isc_dscp_t
+dns_dispatch_getdscp(dns_dispatch_t *disp);
+/*%<
+ * Set/get the DSCP value to be used when sending responses to clients,
+ * as defined in the "listen-on" or "listen-on-v6" statements.
+ *
+ * Requires:
+ *\li	disp is valid.
+ */
+
+isc_result_t
+dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent);
+/*%<
+ * Free the sockevent and trigger the sending of the next item off the
+ * dispatch queue if present.
+ *
+ * Requires:
+ *\li	resp is valid
+ *\li	*sockevent to be valid
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DISPATCH_H */
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
new file mode 100644
index 0000000..cc43f7c
--- /dev/null
+++ b/lib/dns/include/dns/dlz.h
@@ -0,0 +1,339 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file dns/dlz.h */
+
+#ifndef DLZ_H
+#define DLZ_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DLZ Interface
+ *
+ * The DLZ interface allows zones to be looked up using a driver instead of
+ * Bind's default in memory zone table.
+ *
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <stdbool.h>
+
+#include <dns/clientinfo.h>
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/view.h>
+#include <dst/dst.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+#define DNS_DLZ_MAGIC		ISC_MAGIC('D','L','Z','D')
+#define DNS_DLZ_VALID(dlz)	ISC_MAGIC_VALID(dlz, DNS_DLZ_MAGIC)
+
+typedef isc_result_t
+(*dns_dlzallowzonexfr_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
+			 dns_rdataclass_t rdclass, dns_name_t *name,
+			 isc_sockaddr_t *clientaddr,
+			 dns_db_t **dbp);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query.  The driver's
+ * method should return ISC_R_SUCCESS and a database pointer to the
+ * name server if the zone is supported by the database, and zone
+ * transfer is allowed.  Otherwise it will return ISC_R_NOTFOUND if
+ * the zone is not supported by the database, or ISC_R_NOPERM if zone
+ * transfers are not allowed.  If an error occurs it should return a
+ * result code indicating the type of error.
+ */
+
+typedef isc_result_t
+(*dns_dlzcreate_t)(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
+		   char *argv[], void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later.
+ */
+
+typedef void
+(*dns_dlzdestroy_t)(void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a destroy method.  This method is called when the DNS server
+ * is shutting down and no longer needs the driver.
+ */
+
+typedef isc_result_t
+(*dns_dlzfindzone_t)(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		     dns_rdataclass_t rdclass, dns_name_t *name,
+		     dns_clientinfomethods_t *methods,
+		     dns_clientinfo_t *clientinfo,
+		     dns_db_t **dbp);
+
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query.  The find zone method will be called
+ * with the longest possible name first, and continue to be called
+ * with successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) a match is found, and the function returns (ISC_R_SUCCESS)
+ *
+ * \li	2) a problem occurs, and the functions returns anything other
+ *	   than (ISC_R_NOTFOUND)
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ * \li	4) the number of labels in the domain name is less than
+ *	   min_labels for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS and a
+ * database pointer to the name server if the zone is supported by the
+ * database.  Otherwise it will return ISC_R_NOTFOUND, and a null
+ * pointer if the zone is not supported.  If an error occurs it should
+ * return a result code indicating the type of error.
+ */
+
+
+typedef isc_result_t
+(*dns_dlzconfigure_t)(void *driverarg, void *dbdata,
+		      dns_view_t *view, dns_dlzdb_t *dlzdb);
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface may
+ * optionally supply a configure method. If supplied, this will be
+ * called immediately after the create method is called. The driver
+ * may call configuration functions during the configure call
+ */
+
+
+typedef bool (*dns_dlzssumatch_t)(dns_name_t *signer,
+					   dns_name_t *name,
+					   isc_netaddr_t *tcpaddr,
+					   dns_rdatatype_t type,
+					   const dst_key_t *key,
+					   void *driverarg, void *dbdata);
+/*%<
+ * Method prototype.  Drivers implementing the DLZ interface may
+ * optionally supply a ssumatch method. If supplied, this will be
+ * called to authorize update requests
+ */
+
+/*% the methods supplied by a DLZ driver */
+typedef struct dns_dlzmethods {
+	dns_dlzcreate_t		create;
+	dns_dlzdestroy_t	destroy;
+	dns_dlzfindzone_t	findzone;
+	dns_dlzallowzonexfr_t	allowzonexfr;
+	dns_dlzconfigure_t	configure;
+	dns_dlzssumatch_t	ssumatch;
+} dns_dlzmethods_t;
+
+/*% information about a DLZ driver */
+struct dns_dlzimplementation {
+	const char				*name;
+	const dns_dlzmethods_t			*methods;
+	isc_mem_t				*mctx;
+	void					*driverarg;
+	ISC_LINK(dns_dlzimplementation_t)	link;
+};
+
+typedef isc_result_t (*dlzconfigure_callback_t)(dns_view_t *, dns_dlzdb_t *,
+						dns_zone_t *);
+
+/*% An instance of a DLZ driver */
+struct dns_dlzdb {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_dlzimplementation_t	*implementation;
+	void			*dbdata;
+	dlzconfigure_callback_t configure_callback;
+	bool		search;
+	char			*dlzname;
+	ISC_LINK(dns_dlzdb_t)	link;
+	dns_ssutable_t 		*ssutable;
+};
+
+
+/***
+ *** Method declarations
+ ***/
+
+isc_result_t
+dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
+		    isc_sockaddr_t *clientaddr, dns_db_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is performing a zone
+ * transfer query.  It will call the DLZ driver's allow zone transfer
+ * method.
+ */
+
+isc_result_t
+dns_dlzcreate(isc_mem_t *mctx, const char *dlzname,
+	      const char *drivername, unsigned int argc,
+	      char *argv[], dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is starting up and
+ * creating drivers for use later.  It will search the DLZ driver list
+ * for 'drivername' and return a DLZ driver via dbp if a match is
+ * found.  If the DLZ driver supplies a create method, this function
+ * will call it.
+ */
+
+void
+dns_dlzdestroy(dns_dlzdb_t **dbp);
+
+/*%<
+ * This method is called when the DNS server is shutting down and no
+ * longer needs the driver.  If the DLZ driver supplies a destroy
+ * methods, this function will call it.
+ */
+
+isc_result_t
+dns_dlzregister(const char *drivername, const dns_dlzmethods_t *methods,
+		 void *driverarg, isc_mem_t *mctx,
+		dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Register a dynamically loadable zones (DLZ) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * dlzimp must point to a NULL dlz_implementation_t pointer.  That is,
+ * dlzimp != NULL && *dlzimp == NULL.  It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ */
+
+isc_result_t
+dns_dlzstrtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp);
+
+/*%<
+ * This method is called when the name server is starting up to parse
+ * the DLZ driver command line from named.conf.  Basically it splits
+ * up a string into and argc / argv.  The primary difference of this
+ * method is items between braces { } are considered only 1 word.  for
+ * example the command line "this is { one grouped phrase } and this
+ * isn't" would be parsed into:
+ *
+ * \li	argv[0]: "this"
+ * \li	argv[1]: "is"
+ * \li	argv{2]: " one grouped phrase "
+ * \li	argv[3]: "and"
+ * \li	argv[4]: "this"
+ * \li	argv{5}: "isn't"
+ *
+ * braces should NOT be nested, more than one grouping in the command
+ * line is allowed.  Notice, argv[2] has an extra space at the
+ * beginning and end.  Extra spaces are not stripped between a
+ * grouping.  You can do so in your driver if needed, or be sure not
+ * to put extra spaces before / after the braces.
+ */
+
+void
+dns_dlzunregister(dns_dlzimplementation_t **dlzimp);
+
+/*%<
+ * Removes the dlz driver from the list of registered dlz drivers.
+ * There must be no active dlz drivers of this type when this function
+ * is called.
+ */
+
+
+typedef isc_result_t dns_dlz_writeablezone_t(dns_view_t *view,
+					     dns_dlzdb_t *dlzdb,
+					     const char *zone_name);
+dns_dlz_writeablezone_t dns_dlz_writeablezone;
+/*%<
+ * creates a writeable DLZ zone. Must be called from within the
+ * configure() method of a DLZ driver.
+ */
+
+
+isc_result_t
+dns_dlzconfigure(dns_view_t *view, dns_dlzdb_t *dlzdb,
+		 dlzconfigure_callback_t callback);
+/*%<
+ * call a DLZ drivers configure method, if supplied
+ */
+
+bool
+dns_dlz_ssumatch(dns_dlzdb_t *dlzdatabase,
+		  dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
+		  dns_rdatatype_t type, const dst_key_t *key);
+/*%<
+ * call a DLZ drivers ssumatch method, if supplied. Otherwise return false
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DLZ_H */
diff --git a/lib/dns/include/dns/dlz_dlopen.h b/lib/dns/include/dns/dlz_dlopen.h
new file mode 100644
index 0000000..3719aa7
--- /dev/null
+++ b/lib/dns/include/dns/dlz_dlopen.h
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file dns/dlz_dlopen.h */
+
+#ifndef DLZ_DLOPEN_H
+#define DLZ_DLOPEN_H
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/sdlz.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * This header provides a minimal set of defines and typedefs needed
+ * for the entry points of an external DLZ module for bind9.
+ */
+
+#define DLZ_DLOPEN_VERSION 3
+#define DLZ_DLOPEN_AGE 0
+
+/*
+ * dlz_dlopen_version() is required for all DLZ external drivers. It
+ * should return DLZ_DLOPEN_VERSION
+ */
+typedef int dlz_dlopen_version_t(unsigned int *flags);
+
+/*
+ * dlz_dlopen_create() is required for all DLZ external drivers.
+ */
+typedef isc_result_t dlz_dlopen_create_t(const char *dlzname,
+					 unsigned int argc,
+					 char *argv[],
+					 void **dbdata,
+					 ...);
+
+/*
+ * dlz_dlopen_destroy() is optional, and will be called when the
+ * driver is unloaded if supplied
+ */
+typedef void dlz_dlopen_destroy_t(void *dbdata);
+
+/*
+ * dlz_dlopen_findzonedb() is required for all DLZ external drivers
+ */
+typedef isc_result_t dlz_dlopen_findzonedb_t(void *dbdata,
+					     const char *name,
+					     dns_clientinfomethods_t *methods,
+					     dns_clientinfo_t *clientinfo);
+
+/*
+ * dlz_dlopen_lookup() is required for all DLZ external drivers
+ */
+typedef isc_result_t dlz_dlopen_lookup_t(const char *zone,
+					 const char *name,
+					 void *dbdata,
+					 dns_sdlzlookup_t *lookup,
+					 dns_clientinfomethods_t *methods,
+					 dns_clientinfo_t *clientinfo);
+
+/*
+ * dlz_dlopen_authority is optional() if dlz_dlopen_lookup()
+ * supplies authority information for the dns record
+ */
+typedef isc_result_t dlz_dlopen_authority_t(const char *zone,
+					    void *dbdata,
+					    dns_sdlzlookup_t *lookup);
+
+/*
+ * dlz_dlopen_allowzonexfr() is optional, and should be supplied if
+ * you want to support zone transfers
+ */
+typedef isc_result_t dlz_dlopen_allowzonexfr_t(void *dbdata,
+					       const char *name,
+					       const char *client);
+
+/*
+ * dlz_dlopen_allnodes() is optional, but must be supplied if supply a
+ * dlz_dlopen_allowzonexfr() function
+ */
+typedef isc_result_t dlz_dlopen_allnodes_t(const char *zone,
+					   void *dbdata,
+					   dns_sdlzallnodes_t *allnodes);
+
+/*
+ * dlz_dlopen_newversion() is optional. It should be supplied if you
+ * want to support dynamic updates.
+ */
+typedef isc_result_t dlz_dlopen_newversion_t(const char *zone,
+					     void *dbdata,
+					     void **versionp);
+
+/*
+ * dlz_closeversion() is optional, but must be supplied if you supply
+ * a dlz_newversion() function
+ */
+typedef void dlz_dlopen_closeversion_t(const char *zone,
+				       bool commit,
+				       void *dbdata,
+				       void **versionp);
+
+/*
+ * dlz_dlopen_configure() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_configure_t(dns_view_t *view,
+					    dns_dlzdb_t *dlzdb,
+					    void *dbdata);
+
+/*
+ * dlz_dlopen_setclientcallback() is optional, but must be supplied if you
+ * want to retrieve information about the client (e.g., source address)
+ * before sending a replay.
+ */
+typedef isc_result_t dlz_dlopen_setclientcallback_t(dns_view_t *view,
+						    void *dbdata);
+
+
+/*
+ * dlz_dlopen_ssumatch() is optional, but must be supplied if you want
+ * to support dynamic updates
+ */
+typedef bool dlz_dlopen_ssumatch_t(const char *signer,
+					    const char *name,
+					    const char *tcpaddr,
+					    const char *type,
+					    const char *key,
+					    uint32_t keydatalen,
+					    unsigned char *keydata,
+					    void *dbdata);
+
+/*
+ * dlz_dlopen_addrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_addrdataset_t(const char *name,
+					      const char *rdatastr,
+					      void *dbdata,
+					      void *version);
+
+/*
+ * dlz_dlopen_subrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_subrdataset_t(const char *name,
+					      const char *rdatastr,
+					      void *dbdata,
+					      void *version);
+
+/*
+ * dlz_dlopen_delrdataset() is optional, but must be supplied if you
+ * want to support dynamic updates
+ */
+typedef isc_result_t dlz_dlopen_delrdataset_t(const char *name,
+					      const char *type,
+					      void *dbdata,
+					      void *version);
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/lib/dns/include/dns/dns64.h b/lib/dns/include/dns/dns64.h
new file mode 100644
index 0000000..34c2ad5
--- /dev/null
+++ b/lib/dns/include/dns/dns64.h
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DNS64_H
+#define DNS_DNS64_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * dns_dns64_create() flags.
+ */
+#define DNS_DNS64_RECURSIVE_ONLY	0x01	/* If set then this record
+						 * only applies to recursive
+						 * queries.
+						 */
+#define DNS_DNS64_BREAK_DNSSEC		0x02	/* If set then still perform
+						 * DNSSEC synthesis even
+						 * though the result would
+						 * fail validation.
+						 */
+
+/*
+ * dns_dns64_aaaaok() and dns_dns64_aaaafroma() flags.
+ */
+#define DNS_DNS64_RECURSIVE		0x01	/* Recursive query. */
+#define DNS_DNS64_DNSSEC		0x02	/* DNSSEC sensitive query. */
+
+isc_result_t
+dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
+		 unsigned int prefixlen, isc_netaddr_t *suffix,
+		 dns_acl_t *client, dns_acl_t *mapped, dns_acl_t *excluded,
+		 unsigned int flags, dns_dns64_t **dns64);
+/*
+ * Create a dns64 record which is used to identify the set of clients
+ * it applies to and how to perform the DNS64 synthesis.
+ *
+ * 'prefix' and 'prefixlen' defined the leading bits of the AAAA records
+ * to be synthesised.  'suffix' defines the bits after the A records bits.
+ * If suffix is NULL zeros will be used for these bits.  'client' defines
+ * for which clients this record applies.  If 'client' is NULL then all
+ * clients apply.  'mapped' defines which A records are candidated for
+ * mapping.  If 'mapped' is NULL then all A records will be mapped.
+ * 'excluded' defines which AAAA are to be treated as non-existent for the
+ * purposed of determining whether to perform syntesis.  If 'excluded' is
+ * NULL then no AAAA records prevent synthesis.
+ *
+ * If DNS_DNS64_RECURSIVE_ONLY is set then the record will only match if
+ * DNS_DNS64_RECURSIVE is set when calling  dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma().
+ *
+ * If DNS_DNS64_BREAK_DNSSEC is set then the record will still apply if
+ * DNS_DNS64_DNSSEC is set when calling  dns_dns64_aaaaok() and
+ * dns_dns64_aaaafroma() otherwise the record will be ignored.
+ *
+ * Requires:
+ *      'mctx'          to be valid.
+ *      'prefix'        to be valid and the address family to AF_INET6.
+ *      'prefixlen'     to be one of 32, 40, 48, 56, 72 and 96.
+ *                      the bits not covered by prefixlen in prefix to
+ *                      be zero.
+ *      'suffix'        to be NULL or the address family be set to AF_INET6
+ *                      and the leading 'prefixlen' + 32 bits of the 'suffix'
+ *                      to be zero.  If 'prefixlen' is 40, 48 or 56 then the
+ *                      the leading 'prefixlen' + 40 bits of 'suffix' must be
+ *                      zero.
+ *	'client'	to be NULL or a valid acl.
+ *	'mapped'	to be NULL or a valid acl.
+ *	'excluded'	to be NULL or a valid acl.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+void
+dns_dns64_destroy(dns_dns64_t **dns64p);
+/*
+ * Destroys a dns64 record.
+ *
+ * Requires the record to not be linked.
+ */
+
+isc_result_t
+dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		    const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		    unsigned int flags, unsigned char *a, unsigned char *aaaa);
+/*
+ * dns_dns64_aaaafroma() determines whether to perform a DNS64 address
+ * synthesis from 'a' based on 'dns64', 'reqaddr', 'reqsigner', 'env',
+ * 'flags' and 'aaaa'.  If synthesis is performed then the result is
+ * written to '*aaaa'.
+ *
+ * The synthesised address will be of the form:
+ *
+ *	 <prefix bits><a bits><suffix bits>
+ *
+ * If <a bits> straddle bits 64-71 of the AAAA record, then 8 zero bits will
+ * be inserted at bits 64-71.
+ *
+ * Requires:
+ *	'dns64'		to be valid.
+ *	'reqaddr'	to be valid.
+ *	'reqsigner'	to be NULL or valid.
+ *	'env'		to be valid.
+ *	'a'		to point to a IPv4 address in network order.
+ *	'aaaa'		to point to a IPv6 address buffer in network order.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS		if synthesis was performed.
+ *	DNS_R_DISALLOWED	if there is no match.
+ */
+
+dns_dns64_t *
+dns_dns64_next(dns_dns64_t *dns64);
+/*
+ * Return the next dns64 record in the list.
+ */
+
+void
+dns_dns64_append(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Append the dns64 record to the list.
+ */
+
+void
+dns_dns64_unlink(dns_dns64list_t *list, dns_dns64_t *dns64);
+/*
+ * Unlink the dns64 record from the list.
+ */
+
+bool
+dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr,
+		 const dns_name_t *reqsigner, const dns_aclenv_t *env,
+		 unsigned int flags, dns_rdataset_t *rdataset,
+		 bool *aaaaok, size_t aaaaoklen);
+/*
+ * Determine if there are any non-excluded AAAA records in from the
+ * matching dns64 records in the list starting at 'dns64'.  If there
+ * is a non-exluded address return true.  If all addresses are
+ * excluded in the matched records return false.   If no records
+ * match then return true.
+ *
+ * If aaaaok is defined then dns_dns64_aaaaok() return a array of which
+ * addresses in 'rdataset' were deemed to not be exclude by any matching
+ * record.  If there are no matching records then all entries are set
+ * to true.
+ *
+ * Requires
+ * 	'rdataset'	to be valid and to be for type AAAA and class IN.
+ *	'aaaaoklen'	must match the number of records in 'rdataset'
+ *			if 'aaaaok' in non NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNS64_H */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
new file mode 100644
index 0000000..0b6369c
--- /dev/null
+++ b/lib/dns/include/dns/dnssec.h
@@ -0,0 +1,383 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DNSSEC_H
+#define DNS_DNSSEC_H 1
+
+/*! \file dns/dnssec.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+#include <isc/stats.h>
+
+#include <dns/diff.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBDNS_EXTERNAL_DATA extern isc_stats_t *dns_dnssec_stats;
+
+/*%< Maximum number of keys supported in a zone. */
+#define DNS_MAXZONEKEYS 32
+
+/*
+ * Indicates how the signer found this key: in the key repository, at the
+ * zone apex, or specified by the user.
+ */
+typedef enum {
+	dns_keysource_unknown,
+	dns_keysource_repository,
+	dns_keysource_zoneapex,
+	dns_keysource_user
+} dns_keysource_t;
+
+/*
+ * A DNSSEC key and hints about its intended use gleaned from metadata
+ */
+struct dns_dnsseckey {
+	dst_key_t *key;
+	bool hint_publish;  /*% metadata says to publish */
+	bool force_publish; /*% publish regardless of metadata */
+	bool hint_sign;     /*% metadata says to sign with this key */
+	bool force_sign;    /*% sign with key regardless of metadata */
+	bool hint_remove;   /*% metadata says *don't* publish */
+	bool is_active;     /*% key is already active */
+	bool first_sign;    /*% key is newly becoming active */
+	unsigned int prepublish;     /*% how long until active? */
+	dns_keysource_t source;      /*% how the key was found */
+	bool ksk;           /*% this is a key-signing key */
+	bool legacy;        /*% this is old-style key with no
+					 metadata (possibly generated by
+					 an older version of BIND9) and
+					 should be ignored when searching
+					 for keys to import into the zone */
+	unsigned int index;          /*% position in list */
+	ISC_LINK(dns_dnsseckey_t) link;
+};
+
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+			dst_key_t **key);
+/*%<
+ *	Creates a DST key from a DNS record.  Basically a wrapper around
+ *	dst_key_fromdns().
+ *
+ *	Requires:
+ *\li		'name' is not NULL
+ *\li		'rdata' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'key' is not NULL
+ *\li		'*key' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_INVALIDPUBLICKEY
+ *\li		various errors from dns_name_totext
+ */
+
+isc_result_t
+dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		isc_stdtime_t *inception, isc_stdtime_t *expire,
+		isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
+/*%<
+ *	Generates a RRSIG record covering this rdataset.  This has no effect
+ *	on existing RRSIG records.
+ *
+ *	Requires:
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'inception' is not NULL
+ *\li		'expire' is not NULL
+ *\li		'mctx' is not NULL
+ *\li		'buffer' is not NULL
+ *\li		'sigrdata' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_INVALIDTIME - the expiration is before the inception
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *\li		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		  bool ignoretime, isc_mem_t *mctx,
+		  dns_rdata_t *sigrdata);
+
+isc_result_t
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   bool ignoretime, isc_mem_t *mctx,
+		   dns_rdata_t *sigrdata, dns_name_t *wild);
+
+isc_result_t
+dns_dnssec_verify3(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+		   bool ignoretime, unsigned int maxbits,
+		   isc_mem_t *mctx, dns_rdata_t *sigrdata, dns_name_t *wild);
+/*%<
+ *	Verifies the RRSIG record covering this rdataset signed by a specific
+ *	key.  This does not determine if the key's owner is authorized to sign
+ *	this record, as this requires a resolver or database.
+ *	If 'ignoretime' is true, temporal validity will not be checked.
+ *
+ *	'maxbits' specifies the maximum number of rsa exponent bits accepted.
+ *
+ *	Requires:
+ *\li		'name' (the owner name of the record) is a valid name
+ *\li		'set' is a valid rdataset
+ *\li		'key' is a valid key
+ *\li		'mctx' is not NULL
+ *\li		'sigrdata' is a valid rdata containing a SIG record
+ *\li		'wild' if non-NULL then is a valid and has a buffer.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_FROMWILDCARD - the signature is valid and is from
+ *			a wildcard expansion.  dns_dnssec_verify2() only.
+ *			'wild' contains the name of the wildcard if non-NULL.
+ *\li		#DNS_R_SIGINVALID - the signature fails to verify
+ *\li		#DNS_R_SIGEXPIRED - the signature has expired
+ *\li		#DNS_R_SIGFUTURE - the signature's validity period has not begun
+ *\li		#DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ *			it is not a zone key or its flags prevent
+ *			authentication)
+ *\li		DST_R_*
+ */
+
+/*@{*/
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+			dns_name_t *name, isc_mem_t *mctx,
+			unsigned int maxkeys, dst_key_t **keys,
+			unsigned int *nkeys);
+
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_mem_t *mctx,
+			 unsigned int maxkeys, dst_key_t **keys,
+			 unsigned int *nkeys);
+
+isc_result_t
+dns_dnssec_findzonekeys3(dns_db_t *db, dns_dbversion_t *ver,
+			 dns_dbnode_t *node, dns_name_t *name,
+			 const char *directory, isc_stdtime_t now,
+			 isc_mem_t *mctx, unsigned int maxkeys,
+			 dst_key_t **keys, unsigned int *nkeys);
+
+/*%<
+ * 	Finds a set of zone keys.
+ * 	XXX temporary - this should be handled in dns_zone_t.
+ */
+/*@}*/
+
+bool
+dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now);
+/*%<
+ *
+ * 	Returns true if 'key' is active as of the time specified
+ * 	in 'now' (i.e., if the activation date has passed, inactivation or
+ * 	deletion date has not yet been reached, and the key is not revoked
+ * 	-- or if it is a legacy key without metadata). Otherwise returns
+ * 	false.
+ *
+ *	Requires:
+ *\li		'key' is a valid key
+ */
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
+/*%<
+ *	Signs a message with a SIG(0) record.  This is implicitly called by
+ *	dns_message_renderend() if msg->sig0key is not NULL.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key that can be used for signing
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+			 dst_key_t *key);
+/*%<
+ *	Verifies a message signed by a SIG(0) record.  This is not
+ *	called implicitly by dns_message_parse().  If dns_message_signer()
+ *	is called before dns_dnssec_verifymessage(), it will return
+ *	#DNS_R_NOTVERIFIEDYET.  dns_dnssec_verifymessage() will set
+ *	the verified_sig0 flag in msg if the verify succeeds, and
+ *	the sig0status field otherwise.
+ *
+ *	Requires:
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid key
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOTFOUND - no SIG(0) was found
+ *\li		#DNS_R_SIGINVALID - the SIG record is not well-formed or
+ *				   was not generated by the key.
+ *\li		DST_R_*
+ */
+
+bool
+dns_dnssec_selfsigns(dns_rdata_t *rdata, dns_name_t *name,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     bool ignoretime, isc_mem_t *mctx);
+
+
+bool
+dns_dnssec_signs(dns_rdata_t *rdata, dns_name_t *name,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 bool ignoretime, isc_mem_t *mctx);
+/*%<
+ * Verify that 'rdataset' is validly signed in 'sigrdataset' by
+ * the key in 'rdata'.
+ *
+ * dns_dnssec_selfsigns() requires that rdataset be a DNSKEY or KEY
+ * rrset.  dns_dnssec_signs() works on any rrset.
+ */
+
+
+isc_result_t
+dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
+		     dns_dnsseckey_t **dkp);
+/*%<
+ * Create and initialize a dns_dnsseckey_t structure.
+ *
+ *	Requires:
+ *\li		'dkp' is not NULL and '*dkp' is NULL.
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ */
+
+void
+dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp);
+/*%<
+ * Reclaim a dns_dnsseckey_t structure.
+ *
+ *	Requires:
+ *\li		'dkp' is not NULL and '*dkp' is not NULL.
+ *
+ *	Ensures:
+ *\li		'*dkp' is NULL.
+ */
+
+isc_result_t
+dns_dnssec_findmatchingkeys(dns_name_t *origin, const char *directory,
+			    isc_mem_t *mctx, dns_dnsseckeylist_t *keylist);
+
+isc_result_t
+dns_dnssec_findmatchingkeys2(dns_name_t *origin, const char *directory,
+			     isc_stdtime_t now, isc_mem_t *mctx,
+			     dns_dnsseckeylist_t *keylist);
+/*%<
+ * Search 'directory' for K* key files matching the name in 'origin'.
+ * Append all such keys, along with use hints gleaned from their
+ * metadata, onto 'keylist'.
+ *
+ *	Requires:
+ *\li		'keylist' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOTFOUND
+ *\li		#ISC_R_NOMEMORY
+ *\li		any error returned by dns_name_totext(), isc_dir_open(), or
+ *              dst_key_fromnamedfile()
+ *
+ *	Ensures:
+ *\li		On error, keylist is unchanged
+ */
+
+isc_result_t
+dns_dnssec_keylistfromrdataset(dns_name_t *origin,
+			       const char *directory, isc_mem_t *mctx,
+			       dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
+			       dns_rdataset_t *soasigs, bool savekeys,
+			       bool publickey,
+			       dns_dnsseckeylist_t *keylist);
+/*%<
+ * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
+ * Omit duplicates.  If 'publickey' is false, search 'directory' for
+ * matching key files, and load the private keys that go with
+ * the public ones.  If 'savekeys' is true, mark the keys so
+ * they will not be deleted or inactivated regardless of metadata.
+ *
+ * 'keysigs' and 'soasigs', if not NULL and associated, contain the
+ * RRSIGS for the DNSKEY and SOA records respectively and are used to mark
+ * whether a key is already active in the zone.
+ */
+
+isc_result_t
+dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
+		      dns_dnsseckeylist_t *removed, dns_name_t *origin,
+		      dns_ttl_t hint_ttl, dns_diff_t *diff, bool allzsk,
+		      isc_mem_t *mctx, void (*report)(const char *, ...));
+/*%<
+ * Update the list of keys in 'keys' with new key information in 'newkeys'.
+ *
+ * For each key in 'newkeys', see if it has a match in 'keys'.
+ * - If not, and if the metadata says the key should be published:
+ *   add it to 'keys', and place a dns_difftuple into 'diff' so
+ *   the key can be added to the DNSKEY set.  If the metadata says it
+ *   should be active, set the first_sign flag.
+ * - If so, and if the metadata says it should be removed:
+ *   remove it from 'keys', and place a dns_difftuple into 'diff' so
+ *   the key can be removed from the DNSKEY set.  if 'removed' is non-NULL,
+ *   copy the key into that list; otherwise destroy it.
+ * - Otherwise, make sure keys has current metadata.
+ *
+ * If 'allzsk' is true, we are allowing KSK-flagged keys to be used as
+ * ZSKs.
+ *
+ * 'hint_ttl' is the TTL to use for the DNSKEY RRset if there is no
+ * existing RRset, and if none of the keys to be added has a default TTL
+ * (in which case we would use the shortest one).  If the TTL is longer
+ * than the time until a new key will be activated, then we have to delay
+ * the key's activation.
+ *
+ * 'report' points to a function for reporting status.
+ *
+ * On completion, any remaining keys in 'newkeys' are freed.
+ */
+
+isc_result_t
+dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
+		      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
+		      isc_stdtime_t now, dns_ttl_t hint_ttl, dns_diff_t *diff,
+		      isc_mem_t *mctx);
+/*%<
+ * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNSSEC_H */
diff --git a/lib/dns/include/dns/dnstap.h b/lib/dns/include/dns/dnstap.h
new file mode 100644
index 0000000..279f7fd
--- /dev/null
+++ b/lib/dns/include/dns/dnstap.h
@@ -0,0 +1,377 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef _DNSTAP_H
+#define _DNSTAP_H
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * The dt (dnstap) module provides fast passive logging of DNS messages.
+ * Protocol Buffers.  The protobuf schema for Dnstap messages is in the
+ * file dnstap.proto, which is compiled to dnstap.pb-c.c and dnstap.pb-c.h.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#ifdef HAVE_DNSTAP
+#include <fstrm.h>
+#include <protobuf-c/protobuf-c.h>
+#include <dns/dnstap.pb-c.h>
+#else
+struct fstrm_iothr_options;
+#endif /* HAVE_DNSTAP */
+
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/time.h>
+#include <isc/types.h>
+
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/types.h>
+
+/*%
+ * Dnstap message types:
+ *
+ * STUB QUERY: SQ
+ * STUB RESPONSE: SR
+ * CLIENT QUERY: CQ
+ * CLIENT RESPONSE: CR
+ * AUTH QUERY: AQ
+ * AUTH RESPONSE: AR
+ * RESOLVER QUERY: RQ
+ * RESOLVER RESPONSE: RR
+ * FORWARDER QUERY: FQ
+ * FORWARDER RESPONSE: FR
+ */
+
+#define DNS_DTTYPE_SQ 0x0001
+#define DNS_DTTYPE_SR 0x0002
+#define DNS_DTTYPE_CQ 0x0004
+#define DNS_DTTYPE_CR 0x0008
+#define DNS_DTTYPE_AQ 0x0010
+#define DNS_DTTYPE_AR 0x0020
+#define DNS_DTTYPE_RQ 0x0040
+#define DNS_DTTYPE_RR 0x0080
+#define DNS_DTTYPE_FQ 0x0100
+#define DNS_DTTYPE_FR 0x0200
+#define DNS_DTTYPE_TQ 0x0400
+#define DNS_DTTYPE_TR 0x0800
+
+#define DNS_DTTYPE_QUERY \
+	(DNS_DTTYPE_SQ|DNS_DTTYPE_CQ|DNS_DTTYPE_AQ|\
+	 DNS_DTTYPE_RQ|DNS_DTTYPE_FQ|DNS_DTTYPE_TQ)
+#define DNS_DTTYPE_RESPONSE \
+	(DNS_DTTYPE_SR|DNS_DTTYPE_CR|DNS_DTTYPE_AR|\
+	 DNS_DTTYPE_RR|DNS_DTTYPE_FR|DNS_DTTYPE_TR)
+#define DNS_DTTYPE_ALL \
+	(DNS_DTTYPE_QUERY|DNS_DTTYPE_RESPONSE)
+
+typedef enum {
+	dns_dtmode_none = 0,
+	dns_dtmode_file,
+	dns_dtmode_unix
+} dns_dtmode_t;
+
+typedef struct dns_dthandle dns_dthandle_t;
+
+#ifdef HAVE_DNSTAP
+struct dns_dtdata {
+	isc_mem_t *mctx;
+
+	Dnstap__Dnstap *frame;
+
+	bool query;
+	bool tcp;
+	dns_dtmsgtype_t type;
+
+	isc_time_t qtime;
+	isc_time_t rtime;
+
+	isc_region_t qaddr;
+	isc_region_t raddr;
+
+	uint32_t qport;
+	uint32_t rport;
+
+	isc_region_t msgdata;
+	dns_message_t *msg;
+
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char classbuf[DNS_RDATACLASS_FORMATSIZE];
+};
+#endif /* HAVE_DNSTAP */
+
+isc_result_t
+dns_dt_create(isc_mem_t *mctx, dns_dtmode_t mode, const char *path,
+	      struct fstrm_iothr_options **foptp, dns_dtenv_t **envp);
+/*%<
+ * Create and initialize the dnstap environment.
+ *
+ * There should be a single global dnstap environment for the server;
+ * copies of it will be attached to each view.
+ *
+ * Notes:
+ *
+ *\li	'path' refers to a UNIX domain socket by default. It may
+ *	optionally be prepended with "socket:" or "file:". If prepended
+ *	with "file:", then dnstap logs are sent to a file instead of a
+ *	socket.
+ *
+ *\li	'*foptp' set the options for fstrm_iothr_init(). '*foptp' must have
+ *	have had the number of input queues set and this should be set
+ *	to the number of worker threads.  Additionally the queue model
+ *	should also be set.  Other options may be set if desired.
+ *	If dns_dt_create succeeds the *foptp is set to NULL.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'path' is a valid C string.
+ *
+ *\li	'fopt' is non NULL.
+ *
+ *\li	envp != NULL && *envp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Other errors are possible.
+ */
+
+isc_result_t
+dns_dt_reopen(dns_dtenv_t *env, int roll);
+/*%<
+ * Reopens files established by dns_dt_create().
+ *
+ * If 'roll' is non-negative and 'env->mode' is dns_dtmode_file,
+ * then the file is automatically rolled over before reopening.
+ * The value of 'roll' indicates the number of backup log files to
+ * keep.  If 'roll' is negative, or if 'env->mode' is dns_dtmode_unix,
+ * then the channel is simply reopened.
+ *
+ * Note: dns_dt_reopen() must be called in task exclusive mode.
+ *
+ * Requires:
+ *\li	'env' is a valid dnstap environment.
+ */
+
+isc_result_t
+dns_dt_setidentity(dns_dtenv_t *env, const char *identity);
+isc_result_t
+dns_dt_setversion(dns_dtenv_t *env, const char *version);
+/*%<
+ * Set the "identity" and "version" strings to be sent in dnstap messages.
+ *
+ * Requires:
+ *
+ *\li	'env' is a valid dnstap environment.
+ */
+
+void
+dns_dt_attach(dns_dtenv_t *source, dns_dtenv_t **destp);
+/*%<
+ * Attach '*destp' to 'source', incrementing the reference counter.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid dnstap environment.
+ *
+ *\li	'destp' is not NULL and '*destp' is NULL.
+ *
+ *\li	*destp is attached to source.
+ */
+
+void
+dns_dt_detach(dns_dtenv_t **envp);
+/*%<
+ * Detach '*envp', decrementing the reference counter.
+ *
+ * Requires:
+ *
+ *\li	'*envp' is a valid dnstap environment.
+ *
+ * Ensures:
+ *
+ *\li	'*envp' will be destroyed when the number of references reaches zero.
+ *
+ *\li	'*envp' is NULL.
+ */
+
+isc_result_t
+dns_dt_getstats(dns_dtenv_t *env, isc_stats_t **statsp);
+/*%<
+ * Attach to the stats struct if it exists.
+ *
+ * Requires:
+ *
+ *\li	'env' is a valid dnstap environment.
+ *
+ *\li	'statsp' is non NULL and '*statsp' is NULL.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	ISC_R_NOTFOUND
+ */
+
+void
+dns_dt_shutdown(void);
+/*%<
+ * Shuts down dnstap and frees global resources. This function must only
+ * be called immediately before server shutdown.
+ */
+
+void
+dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype,
+	    isc_sockaddr_t *qaddr, isc_sockaddr_t *dstaddr,
+	    bool tcp, isc_region_t *zone, isc_time_t *qtime,
+	    isc_time_t *rtime, isc_buffer_t *buf);
+/*%<
+ * Sends a dnstap message to the log, if 'msgtype' is one of the message
+ * types represented in 'view->dttypes'.
+ *
+ * Parameters are: 'qaddr' (query address, i.e, the address of the
+ * query initiator); 'raddr' (response address, i.e., the address of
+ * the query responder); 'tcp' (boolean indicating whether the transaction
+ * was over TCP); 'zone' (the authoritative zone or bailiwick, in
+ * uncompressed wire format), 'qtime' and 'rtime' (query and response
+ * times; if NULL, they are set to the current time); and 'buf' (the
+ * DNS message being logged, in wire format).
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view, and 'view->dtenv' is NULL or is a
+ *	valid dnstap environment.
+ */
+
+isc_result_t
+dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp);
+/*%<
+ * Converts a raw dnstap frame in 'src' to a parsed dnstap data structure
+ * in '*destp'.
+ *
+ * Requires:
+ *\li	'src' is not NULL
+ *
+ *\li	'destp' is not NULL and '*destp' points to a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS on success
+ *
+ *\li	Other errors are possible.
+ */
+
+isc_result_t
+dns_dt_datatotext(dns_dtdata_t *d, isc_buffer_t **dest);
+/*%<
+ * Converts a parsed dnstap data structure 'd' to text, storing
+ * the result in the buffer 'dest'.  If 'dest' points to a dynamically
+ * allocated buffer, then it may be reallocated as needed.
+ *
+ * (XXX: add a 'long_form' option to generate a detailed listing of
+ * dnstap data instead * of a one-line summary.)
+ *
+ * Requires:
+ *\li	'd' is not NULL
+ *
+ *\li	'dest' is not NULL and '*dest' points to a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOSPACE if buffer is not dynamic and runs out of space
+ *\li	#ISC_R_NOMEMORY if buffer is dynamic but memory could not be allocated
+ *
+ *\li	Other errors are possible.
+ */
+
+void
+dns_dtdata_free(dns_dtdata_t **dp);
+/*%<
+ * Frees the specified dns_dtdata structure and all its members,
+ * and sets *dp to NULL.
+ */
+
+isc_result_t
+dns_dt_open(const char *filename, dns_dtmode_t mode,
+	    isc_mem_t *mctx, dns_dthandle_t **handlep);
+/*%<
+ * Opens a dnstap framestream at 'filename' and stores a pointer to the
+ * reader object in a dns_dthandle_t structure.
+ *
+ * The caller is responsible for allocating the handle structure.
+ *
+ * (XXX: Currently only file readers are supported, not unix-domain socket
+ * readers.)
+ *
+ * Requires:
+ *
+ *\li	'filename' is not NULL.
+ *
+ *\li	'handlep' is not NULL and '*handlep' is NULL.
+ *
+ *\li	'*mctx' is not a valid memory context.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOTIMPLEMENTED if 'mode' is not dns_dtmode_file. (XXX)
+ *\li	#ISC_R_NOMEMORY if the fstrm library was unable to allocate a
+ *      reader or options structure
+ *\li	#ISC_R_FAILURE if 'filename' could not be opened.
+ *\li	#DNS_R_BADDNSTAP if 'filename' does not contain a dnstap
+ *      framestream.
+ */
+
+isc_result_t
+dns_dt_getframe(dns_dthandle_t *handle, uint8_t **bufp, size_t *sizep);
+/*%<
+ * Read a dnstap frame from the framstream reader in 'handle', storing
+ * a pointer to it in '*bufp' and its size in '*sizep'.
+ *
+ * Requires:
+ *
+ *\li	'handle' is not NULL
+ *\li	'bufp' is not NULL
+ *\li	'sizep' is not NULL
+ *
+ * Ensures:
+ * \li	if returning ISC_R_SUCCESS then '*bufp' is not NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS on success
+ *\li	#ISC_R_NOMORE at the end of the frame stream
+ *\li	#ISC_R_FAILURE for any other failure
+ */
+
+void
+dns_dt_close(dns_dthandle_t **handlep);
+/*%<
+ * Closes the dnstap file referenced by 'handle'.
+ *
+ * Requires:
+ *
+ *\li	'*handlep' is not NULL
+ */
+
+#endif /* _DNSTAP_H */
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
new file mode 100644
index 0000000..4ea5a0d
--- /dev/null
+++ b/lib/dns/include/dns/ds.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DS_H
+#define DNS_DS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DSDIGEST_SHA1 (1)
+#define DNS_DSDIGEST_SHA256 (2)
+#define DNS_DSDIGEST_GOST (3)
+#define DNS_DSDIGEST_SHA384 (4)
+
+/*
+ * Assuming SHA-384 digest type.
+ */
+#define DNS_DS_BUFFERSIZE (52)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+		  unsigned int digest_type, unsigned char *buffer,
+		  dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a DS record.
+ *
+ * Requires:
+ *\li	key	Points to a valid DNS KEY record.
+ *\li	buffer	Points to a temporary buffer of at least
+ * 		#DNS_DS_BUFFERSIZE bytes.
+ *\li	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata	Contains a valid DS rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DS_H */
diff --git a/lib/dns/include/dns/dsdigest.h b/lib/dns/include/dns/dsdigest.h
new file mode 100644
index 0000000..b029ecd
--- /dev/null
+++ b/lib/dns/include/dns/dsdigest.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_DSDIGEST_H
+#define DNS_DSDIGEST_H 1
+
+/*! \file dns/dsdigest.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DS/DLV digest type value.
+ * The text may contain either a mnemonic digest name or a decimal
+ * digest number.
+ *
+ * Requires:
+ *\li	'dsdigestp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DS/DLV digest type 'dsdigest'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'dsdigest' is a valid dsdigest.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+#define DNS_DSDIGEST_FORMATSIZE 20
+void
+dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_dsdigest_totext(), writing text into 'cp'
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DSDIGEST_H */
diff --git a/lib/dns/include/dns/dyndb.h b/lib/dns/include/dns/dyndb.h
new file mode 100644
index 0000000..d5fedb5
--- /dev/null
+++ b/lib/dns/include/dns/dyndb.h
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_DYNDB_H
+#define DNS_DYNDB_H
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*!
+ * \brief
+ * Context for intializing a dyndb module.
+ *
+ * This structure passes global server data to which a dyndb
+ * module will need access -- the server memory context, hash
+ * initializer, log context, etc.  The structure doesn't persist
+ * beyond configuring the dyndb module. The module's register function
+ * should attach to all reference-counted variables and its destroy
+ * function should detach from them.
+ */
+struct dns_dyndbctx {
+	unsigned int	magic;
+	const void	*hashinit;
+	isc_mem_t	*mctx;
+	isc_log_t	*lctx;
+	dns_view_t	*view;
+	dns_zonemgr_t	*zmgr;
+	isc_task_t	*task;
+	isc_timermgr_t	*timermgr;
+	bool	*refvar;
+};
+
+#define DNS_DYNDBCTX_MAGIC	ISC_MAGIC('D', 'd', 'b', 'c')
+#define DNS_DYNDBCTX_VALID(d)	ISC_MAGIC_VALID(d, DNS_DYNDBCTX_MAGIC)
+
+/*
+ * API version
+ *
+ * When the API changes, increment DNS_DYNDB_VERSION. If the
+ * change is backward-compatible (e.g., adding a new function call
+ * but not changing or removing an old one), increment DNS_DYNDB_AGE;
+ * if not, set DNS_DYNDB_AGE to 0.
+ */
+#ifndef DNS_DYNDB_VERSION
+#define DNS_DYNDB_VERSION 1
+#define DNS_DYNDB_AGE 0
+#endif
+
+typedef isc_result_t dns_dyndb_register_t(isc_mem_t *mctx,
+					  const char *name,
+					  const char *parameters,
+					  const char *file,
+					  unsigned long line,
+					  const dns_dyndbctx_t *dctx,
+					  void **instp);
+/*%
+ * Called when registering a new driver instance. 'name' must be unique.
+ * 'parameters' contains the driver configuration text. 'dctx' is the
+ * initialization context set up in dns_dyndb_createctx().
+ *
+ * '*instp' must be set to the driver instance handle if the functino
+ * is successful.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+typedef void dns_dyndb_destroy_t(void **instp);
+/*%
+ * Destroy a driver instance. Dereference any reference-counted
+ * variables passed in 'dctx' and 'inst' in the register function.
+ *
+ * \c *instp must be set to \c NULL by the function before it returns.
+ */
+
+typedef int dns_dyndb_version_t(unsigned int *flags);
+/*%
+ * Return the API version number a dyndb module was compiled with.
+ *
+ * If the returned version number is no greater than than
+ * DNS_DYNDB_VERSION, and no less than DNS_DYNDB_VERSION - DNS_DYNDB_AGE,
+ * then the module is API-compatible with named.
+ *
+ * 'flags' is currently unused and may be NULL, but could be used in
+ * the future to pass back driver capabilities or other information.
+ */
+
+isc_result_t
+dns_dyndb_load(const char *libname, const char *name, const char *parameters,
+	       const char *file, unsigned long line, isc_mem_t *mctx,
+	       const dns_dyndbctx_t *dctx);
+/*%
+ * Load a dyndb module.
+ *
+ * This loads a dyndb module using dlopen() or equivalent, calls its register
+ * function (see dns_dyndb_register_t above), and if successful, adds
+ * the instance handle to a list of dyndb instances so it can be cleaned
+ * up later.
+ *
+ * 'file' and 'line' can be used to indicate the name of the file and
+ * the line number from which the parameters were taken, so that logged
+ * error messages, if any, will display the correct locations.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+void
+dns_dyndb_cleanup(bool exiting);
+/*%
+ * Shut down and destroy all running dyndb modules.
+ *
+ * 'exiting' indicates whether the server is shutting down,
+ * as opposed to merely being reconfigured.
+ */
+
+isc_result_t
+dns_dyndb_createctx(isc_mem_t *mctx, const void *hashinit, isc_log_t *lctx,
+		    dns_view_t *view, dns_zonemgr_t *zmgr, isc_task_t *task,
+		    isc_timermgr_t *tmgr, dns_dyndbctx_t **dctxp);
+/*%
+ * Create a dyndb initialization context structure, with
+ * pointers to structures in the server that the dyndb module will
+ * need to access (view, zone manager, memory context, hash initializer,
+ * etc). This structure is expected to last only until all dyndb
+ * modules have been loaded and initialized; after that it will be
+ * destroyed with dns_dyndb_destroyctx().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	Other errors are possible
+ */
+
+void
+dns_dyndb_destroyctx(dns_dyndbctx_t **dctxp);
+/*%
+ * Destroys a dyndb initialization context structure; all
+ * reference-counted members are detached and the structure is freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DYNDB_H */
diff --git a/lib/dns/include/dns/ecdb.h b/lib/dns/include/dns/ecdb.h
new file mode 100644
index 0000000..6d6c880
--- /dev/null
+++ b/lib/dns/include/dns/ecdb.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ECDB_H
+#define DNS_ECDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/* TBD */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/* TBD: describe those */
+
+isc_result_t
+dns_ecdb_register(isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+void
+dns_ecdb_unregister(dns_dbimplementation_t **dbimp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ECDB_H */
diff --git a/lib/dns/include/dns/edns.h b/lib/dns/include/dns/edns.h
new file mode 100644
index 0000000..018c89d
--- /dev/null
+++ b/lib/dns/include/dns/edns.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_EDNS_H
+#define DNS_EDNS_H 1
+
+/*%
+ * The maximum version on EDNS supported by this build.
+ */
+#define DNS_EDNS_VERSION 0
+#ifdef DRAFT_ANDREWS_EDNS1
+#undef DNS_EDNS_VERSION
+/*
+ * Warning: this currently disables sending COOKIE requests in resolver.c
+ */
+#define DNS_EDNS_VERSION 1 /* draft-andrews-edns1 */
+#endif
+
+#endif
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
new file mode 100644
index 0000000..bd051c1
--- /dev/null
+++ b/lib/dns/include/dns/events.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_EVENTS_H
+#define DNS_EVENTS_H 1
+
+#include <isc/eventclass.h>
+
+/*! \file dns/events.h
+ * \brief
+ * Registry of DNS event numbers.
+ */
+
+#define DNS_EVENT_FETCHCONTROL			(ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_FETCHDONE			(ISC_EVENTCLASS_DNS + 1)
+#define DNS_EVENT_VIEWRESSHUTDOWN		(ISC_EVENTCLASS_DNS + 2)
+#define DNS_EVENT_VIEWADBSHUTDOWN		(ISC_EVENTCLASS_DNS + 3)
+#define DNS_EVENT_UPDATE			(ISC_EVENTCLASS_DNS + 4)
+#define DNS_EVENT_UPDATEDONE			(ISC_EVENTCLASS_DNS + 5)
+#define DNS_EVENT_DISPATCH			(ISC_EVENTCLASS_DNS + 6)
+#define DNS_EVENT_TCPMSG			(ISC_EVENTCLASS_DNS + 7)
+#define DNS_EVENT_ADBMOREADDRESSES		(ISC_EVENTCLASS_DNS + 8)
+#define DNS_EVENT_ADBNOMOREADDRESSES		(ISC_EVENTCLASS_DNS + 9)
+#define DNS_EVENT_ADBCANCELED			(ISC_EVENTCLASS_DNS + 10)
+#define DNS_EVENT_ADBNAMEDELETED		(ISC_EVENTCLASS_DNS + 11)
+#define DNS_EVENT_ADBSHUTDOWN			(ISC_EVENTCLASS_DNS + 12)
+#define DNS_EVENT_ADBEXPIRED			(ISC_EVENTCLASS_DNS + 13)
+#define DNS_EVENT_ADBCONTROL			(ISC_EVENTCLASS_DNS + 14)
+#define DNS_EVENT_CACHECLEAN			(ISC_EVENTCLASS_DNS + 15)
+#define DNS_EVENT_BYADDRDONE			(ISC_EVENTCLASS_DNS + 16)
+#define DNS_EVENT_ZONECONTROL			(ISC_EVENTCLASS_DNS + 17)
+#define DNS_EVENT_DBDESTROYED			(ISC_EVENTCLASS_DNS + 18)
+#define DNS_EVENT_VALIDATORDONE			(ISC_EVENTCLASS_DNS + 19)
+#define DNS_EVENT_REQUESTDONE			(ISC_EVENTCLASS_DNS + 20)
+#define DNS_EVENT_VALIDATORSTART		(ISC_EVENTCLASS_DNS + 21)
+#define DNS_EVENT_VIEWREQSHUTDOWN		(ISC_EVENTCLASS_DNS + 22)
+#define DNS_EVENT_NOTIFYSENDTOADDR		(ISC_EVENTCLASS_DNS + 23)
+#define DNS_EVENT_ZONE				(ISC_EVENTCLASS_DNS + 24)
+#define DNS_EVENT_ZONESTARTXFRIN		(ISC_EVENTCLASS_DNS + 25)
+#define DNS_EVENT_MASTERQUANTUM			(ISC_EVENTCLASS_DNS + 26)
+#define DNS_EVENT_CACHEOVERMEM			(ISC_EVENTCLASS_DNS + 27)
+#define DNS_EVENT_MASTERNEXTZONE		(ISC_EVENTCLASS_DNS + 28)
+#define DNS_EVENT_IOREADY			(ISC_EVENTCLASS_DNS + 29)
+#define DNS_EVENT_LOOKUPDONE			(ISC_EVENTCLASS_DNS + 30)
+#define DNS_EVENT_RBTDEADNODES			(ISC_EVENTCLASS_DNS + 31)
+#define DNS_EVENT_DISPATCHCONTROL		(ISC_EVENTCLASS_DNS + 32)
+#define DNS_EVENT_REQUESTCONTROL		(ISC_EVENTCLASS_DNS + 33)
+#define DNS_EVENT_DUMPQUANTUM			(ISC_EVENTCLASS_DNS + 34)
+#define DNS_EVENT_IMPORTRECVDONE		(ISC_EVENTCLASS_DNS + 35)
+#define DNS_EVENT_FREESTORAGE			(ISC_EVENTCLASS_DNS + 36)
+#define DNS_EVENT_VIEWACACHESHUTDOWN		(ISC_EVENTCLASS_DNS + 37)
+#define DNS_EVENT_ACACHECONTROL			(ISC_EVENTCLASS_DNS + 38)
+#define DNS_EVENT_ACACHECLEAN			(ISC_EVENTCLASS_DNS + 39)
+#define DNS_EVENT_ACACHEOVERMEM			(ISC_EVENTCLASS_DNS + 40)
+#define DNS_EVENT_RBTPRUNE			(ISC_EVENTCLASS_DNS + 41)
+#define DNS_EVENT_MANAGEKEYS			(ISC_EVENTCLASS_DNS + 42)
+#define DNS_EVENT_CLIENTRESDONE			(ISC_EVENTCLASS_DNS + 43)
+#define DNS_EVENT_CLIENTREQDONE			(ISC_EVENTCLASS_DNS + 44)
+#define DNS_EVENT_ADBGROWENTRIES		(ISC_EVENTCLASS_DNS + 45)
+#define DNS_EVENT_ADBGROWNAMES			(ISC_EVENTCLASS_DNS + 46)
+#define DNS_EVENT_ZONESECURESERIAL		(ISC_EVENTCLASS_DNS + 47)
+#define DNS_EVENT_ZONESECUREDB			(ISC_EVENTCLASS_DNS + 48)
+#define DNS_EVENT_ZONELOAD			(ISC_EVENTCLASS_DNS + 49)
+#define DNS_EVENT_KEYDONE			(ISC_EVENTCLASS_DNS + 50)
+#define DNS_EVENT_SETNSEC3PARAM			(ISC_EVENTCLASS_DNS + 51)
+#define DNS_EVENT_SETSERIAL			(ISC_EVENTCLASS_DNS + 52)
+#define DNS_EVENT_CATZUPDATED			(ISC_EVENTCLASS_DNS + 53)
+#define DNS_EVENT_CATZADDZONE			(ISC_EVENTCLASS_DNS + 54)
+#define DNS_EVENT_CATZMODZONE			(ISC_EVENTCLASS_DNS + 55)
+#define DNS_EVENT_CATZDELZONE			(ISC_EVENTCLASS_DNS + 56)
+#define DNS_EVENT_STARTUPDATE			(ISC_EVENTCLASS_DNS + 58)
+
+#define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
+
+#endif /* DNS_EVENTS_H */
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
new file mode 100644
index 0000000..6a9b555
--- /dev/null
+++ b/lib/dns/include/dns/fixedname.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_FIXEDNAME_H
+#define DNS_FIXEDNAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/fixedname.h
+ * \brief
+ * Fixed-size Names
+ *
+ * dns_fixedname_t is a convenience type containing a name, an offsets
+ * table, and a dedicated buffer big enough for the longest possible
+ * name. This is typically used for stack-allocated names.
+ *
+ * MP:
+ *\li	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	Per dns_fixedname_t:
+ *\code
+ *		sizeof(dns_name_t) + sizeof(dns_offsets_t) +
+ *		sizeof(isc_buffer_t) + 255 bytes + structure padding
+ *\endcode
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+#include <dns/name.h>
+
+/*****
+ ***** Types
+ *****/
+
+struct dns_fixedname {
+	dns_name_t			name;
+	dns_offsets_t			offsets;
+	isc_buffer_t			buffer;
+	unsigned char			data[DNS_NAME_MAXWIRE];
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_fixedname_init(dns_fixedname_t *fixed);
+
+void
+dns_fixedname_invalidate(dns_fixedname_t *fixed);
+
+dns_name_t *
+dns_fixedname_name(dns_fixedname_t *fixed);
+
+dns_name_t *
+dns_fixedname_initname(dns_fixedname_t *fixed);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FIXEDNAME_H */
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
new file mode 100644
index 0000000..eb0e045
--- /dev/null
+++ b/lib/dns/include/dns/forward.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_FORWARD_H
+#define DNS_FORWARD_H 1
+
+/*! \file dns/forward.h */
+
+#include <isc/lang.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_forwarder {
+	isc_sockaddr_t			addr;
+	isc_dscp_t			dscp;
+	ISC_LINK(dns_forwarder_t)	link;
+};
+
+typedef ISC_LIST(struct dns_forwarder)	dns_forwarderlist_t;
+
+struct dns_forwarders {
+	dns_forwarderlist_t	fwdrs;
+	dns_fwdpolicy_t		fwdpolicy;
+};
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
+/*%<
+ * Creates a new forwarding table.
+ *
+ * Requires:
+ * \li 	mctx is a valid memory context.
+ * \li	fwdtablep != NULL && *fwdtablep == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		    dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t policy);
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		 isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
+/*%<
+ * Adds an entry to the forwarding table.  The entry associates
+ * a domain with a list of forwarders and a forwarding policy.  The
+ * addrs/fwdrs list is copied if not empty, so the caller should free
+ * its copy.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	addrs/fwdrs is a valid list of isc_sockaddr/dns_forwarder
+ *      structures, which may be empty.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_delete(dns_fwdtable_t *fwdtable, dns_name_t *name);
+/*%<
+ * Removes an entry for 'name' from the forwarding table.  If an entry
+ * that exactly matches 'name' does not exist, ISC_R_NOTFOUND will be returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		  dns_forwarders_t **forwardersp);
+/*%<
+ * Finds a domain in the forwarding table.  The closest matching parent
+ * domain is returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	forwardersp != NULL && *forwardersp == NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
+		   dns_name_t *foundname, dns_forwarders_t **forwardersp);
+/*%<
+ * Finds a domain in the forwarding table.  The closest matching parent
+ * domain is returned.
+ *
+ * Requires:
+ * \li	fwdtable is a valid forwarding table.
+ * \li	name is a valid name
+ * \li	forwardersp != NULL && *forwardersp == NULL
+ * \li	foundname to be NULL or a valid name with buffer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
+/*%<
+ * Destroys a forwarding table.
+ *
+ * Requires:
+ * \li	fwtablep != NULL && *fwtablep != NULL
+ *
+ * Ensures:
+ * \li	all memory associated with the forwarding table is freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FORWARD_H */
diff --git a/lib/dns/include/dns/geoip.h b/lib/dns/include/dns/geoip.h
new file mode 100644
index 0000000..d9028e5
--- /dev/null
+++ b/lib/dns/include/dns/geoip.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_GEOIP_H
+#define DNS_GEOIP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/acl.h
+ * \brief
+ * Address match list handling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+#include <dns/iptable.h>
+
+#ifdef HAVE_GEOIP
+#include <GeoIP.h>
+#else
+typedef void GeoIP;
+#endif
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+	dns_geoip_countrycode,
+	dns_geoip_countrycode3,
+	dns_geoip_countryname,
+	dns_geoip_region,
+	dns_geoip_regionname,
+	dns_geoip_country_code,
+	dns_geoip_country_code3,
+	dns_geoip_country_name,
+	dns_geoip_region_countrycode,
+	dns_geoip_region_code,
+	dns_geoip_region_name,
+	dns_geoip_city_countrycode,
+	dns_geoip_city_countrycode3,
+	dns_geoip_city_countryname,
+	dns_geoip_city_region,
+	dns_geoip_city_regionname,
+	dns_geoip_city_name,
+	dns_geoip_city_postalcode,
+	dns_geoip_city_metrocode,
+	dns_geoip_city_areacode,
+	dns_geoip_city_continentcode,
+	dns_geoip_city_timezonecode,
+	dns_geoip_isp_name,
+	dns_geoip_org_name,
+	dns_geoip_as_asnum,
+	dns_geoip_domain_name,
+	dns_geoip_netspeed_id
+} dns_geoip_subtype_t;
+
+typedef struct dns_geoip_elem {
+	dns_geoip_subtype_t subtype;
+	GeoIP *db;
+	union {
+		char as_string[256];
+		int as_int;
+	};
+} dns_geoip_elem_t;
+
+typedef struct dns_geoip_databases {
+	GeoIP *country_v4;			/* DB 1        */
+	GeoIP *city_v4;				/* DB 2 or 6   */
+	GeoIP *region;				/* DB 3 or 7   */
+	GeoIP *isp;				/* DB 4        */
+	GeoIP *org;				/* DB 5        */
+	GeoIP *as;				/* DB 9        */
+	GeoIP *netspeed;			/* DB 10       */
+	GeoIP *domain;				/* DB 11       */
+	GeoIP *country_v6;			/* DB 12       */
+	GeoIP *city_v6;				/* DB 30 or 31 */
+} dns_geoip_databases_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+bool
+dns_geoip_match(const isc_netaddr_t *reqaddr, uint8_t *scope,
+		const dns_geoip_databases_t *geoip,
+		const dns_geoip_elem_t *elt);
+
+void
+dns_geoip_shutdown(void);
+
+ISC_LANG_ENDDECLS
+#endif /* DNS_GEOIP_H */
diff --git a/lib/dns/include/dns/ipkeylist.h b/lib/dns/include/dns/ipkeylist.h
new file mode 100644
index 0000000..5b012b4
--- /dev/null
+++ b/lib/dns/include/dns/ipkeylist.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_IPKEYLIST_H
+#define DNS_IPKEYLIST_H 1
+
+#include <inttypes.h>
+
+#include <isc/types.h>
+#include <dns/types.h>
+
+/*%
+ * A structure holding a list of addresses, dscps and keys.  Used to
+ * store masters for a slave zone, created by parsing config options.
+ */
+struct dns_ipkeylist {
+	isc_sockaddr_t		*addrs;
+	isc_dscp_t		*dscps;
+	dns_name_t		**keys;
+	dns_name_t		**labels;
+	uint32_t		count;
+	uint32_t		allocated;
+};
+
+void
+dns_ipkeylist_init(dns_ipkeylist_t *ipkl);
+/*%<
+ * Reset ipkl to empty state
+ *
+ * Requires:
+ *\li	'ipkl' to be non NULL.
+ */
+
+void
+dns_ipkeylist_clear(isc_mem_t *mctx, dns_ipkeylist_t *ipkl);
+/*%<
+ * Free `ipkl` contents using `mctx`.
+ *
+ * After this call, `ipkl` is a freshly cleared structure with all
+ * pointers set to `NULL` and count set to 0.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'ipkl' to be non NULL.
+ */
+
+isc_result_t
+dns_ipkeylist_copy(isc_mem_t *mctx, const dns_ipkeylist_t *src,
+		   dns_ipkeylist_t *dst);
+/*%<
+ * Deep copy `src` into empty `dst`, allocating `dst`'s contents.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'src' to be non NULL
+ *\li	'dst' to be non NULL and point to an empty \ref dns_ipkeylist_t
+ *       with all pointers set to `NULL` and count set to 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- success
+ *\li	any other value -- failure
+ */
+isc_result_t
+dns_ipkeylist_resize(isc_mem_t *mctx, dns_ipkeylist_t *ipkl, unsigned int n);
+/*%<
+ * Resize ipkl to contain n elements. Size (count) is not changed, and the
+ * added space is zeroed.
+ *
+ * Requires:
+ * \li	'mctx' to be a valid memory context.
+ * \li	'ipk' to be non NULL
+ * \li	'n' >= ipkl->count
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS if successs
+ * \li	#ISC_R_NOMEMORY if there's no memory, ipkeylist is left untoched
+ */
+
+#endif
diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h
new file mode 100644
index 0000000..26a6ad5
--- /dev/null
+++ b/lib/dns/include/dns/iptable.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_IPTABLE_H
+#define DNS_IPTABLE_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/radix.h>
+
+#include <dns/types.h>
+
+struct dns_iptable {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_refcount_t		refcount;
+	isc_radix_tree_t	*radix;
+	ISC_LINK(dns_iptable_t)	nextincache;
+};
+
+#define DNS_IPTABLE_MAGIC	ISC_MAGIC('T','a','b','l')
+#define DNS_IPTABLE_VALID(a)	ISC_MAGIC_VALID(a, DNS_IPTABLE_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target);
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
+		      uint16_t bitlen, bool pos);
+isc_result_t
+dns_iptable_addprefix2(dns_iptable_t *tab, isc_netaddr_t *addr,
+		       uint16_t bitlen, bool pos,
+		       bool is_ecs);
+/*
+ * Add an IP prefix to an existing IP table
+ */
+
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, bool pos);
+/*
+ * Merge one IP table into another one.
+ */
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target);
+
+void
+dns_iptable_detach(dns_iptable_t **tabp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_IPTABLE_H */
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
new file mode 100644
index 0000000..8bcb551
--- /dev/null
+++ b/lib/dns/include/dns/journal.h
@@ -0,0 +1,298 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_JOURNAL_H
+#define DNS_JOURNAL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/journal.h
+ * \brief
+ * Database journaling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/name.h>
+#include <dns/diff.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Defines.
+ ***/
+#define DNS_JOURNALOPT_RESIGN	0x00000001
+
+#define DNS_JOURNAL_READ	0x00000000	/* false */
+#define DNS_JOURNAL_CREATE	0x00000001	/* true */
+#define DNS_JOURNAL_WRITE	0x00000002
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A dns_journal_t represents an open journal file.  This is an opaque type.
+ *
+ * A particular dns_journal_t object may be opened for writing, in which case
+ * it can be used for writing transactions to a journal file, or it can be
+ * opened for reading, in which case it can be used for reading transactions
+ * from (iterating over) a journal file.  A single dns_journal_t object may
+ * not be used for both purposes.
+ */
+typedef struct dns_journal dns_journal_t;
+
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+		      dns_diffop_t op, dns_difftuple_t **tp);
+/*!< brief
+ * Create a diff tuple for the current database SOA.
+ * XXX this probably belongs somewhere else.
+ */
+
+
+/*@{*/
+#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
+#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
+/*!< brief
+ * Compare SOA serial numbers.  DNS_SERIAL_GT(a, b) returns true iff
+ * a is "greater than" b where "greater than" is as defined in RFC1982.
+ * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
+ */
+/*@}*/
+
+/**************************************************************************/
+/*
+ * Journal object creation and destruction.
+ */
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
+		 dns_journal_t **journalp);
+/*%<
+ * Open the journal file 'filename' and create a dns_journal_t object for it.
+ *
+ * DNS_JOURNAL_CREATE open the journal for reading and writing and create
+ * the journal if it does not exist.
+ * DNS_JOURNAL_WRITE open the journal for reading and writing.
+ * DNS_JOURNAL_READ open the journal for reading only.
+ */
+
+void
+dns_journal_destroy(dns_journal_t **journalp);
+/*%<
+ * Destroy a dns_journal_t, closing any open files and freeing its memory.
+ */
+
+/**************************************************************************/
+/*
+ * Writing transactions to journals.
+ */
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j);
+/*%<
+ * Prepare to write a new transaction to the open journal file 'j'.
+ *
+ * Requires:
+ *     \li 'j' is open for writing.
+ */
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
+/*%<
+ * Write 'diff' to the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ *
+ *\li 	'diff' is a full or partial, correctly ordered IXFR
+ *      difference sequence.
+ */
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j);
+/*%<
+ * Commit the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * \li     'j' is open for writing and dns_journal_begin_transaction()
+ * 	has been called.
+ *
+ *   \li   dns_journal_writediff() has been called one or more times
+ * 	to form a complete, correctly ordered IXFR difference
+ *      sequence.
+ */
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
+/*%
+ * Write a complete transaction at once to a journal file,
+ * sorting it if necessary, and commit it.  Equivalent to calling
+ * dns_diff_sort(), dns_journal_begin_transaction(),
+ * dns_journal_writediff(), and dns_journal_commit().
+ *
+ * Requires:
+ *\li      'j' is open for writing.
+ *
+ * \li	'diff' contains exactly one SOA deletion, one SOA addition
+ *       with a greater serial number, and possibly other changes,
+ *       in arbitrary order.
+ */
+
+/**************************************************************************/
+/*
+ * Reading transactions from journals.
+ */
+
+uint32_t
+dns_journal_first_serial(dns_journal_t *j);
+uint32_t
+dns_journal_last_serial(dns_journal_t *j);
+/*%<
+ * Get the first and last addressable serial number in the journal.
+ */
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j,
+		      uint32_t begin_serial, uint32_t end_serial);
+/*%<
+ * Prepare to iterate over the transactions that will bring the database
+ * from SOA serial number 'begin_serial' to 'end_serial'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_RANGE	begin_serial is outside the addressable range.
+ *\li	ISC_R_NOTFOUND	begin_serial is within the range of addressable
+ *			serial numbers covered by the journal, but
+ *			this particular serial number does not exist.
+ */
+
+/*@{*/
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j);
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j);
+/*%<
+ * Position the iterator at the first/next RR in a journal
+ * transaction sequence established using dns_journal_iter_init().
+ *
+ * Requires:
+ *    \li  dns_journal_iter_init() has been called.
+ *
+ */
+/*@}*/
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, uint32_t *ttl,
+		       dns_rdata_t **rdata);
+/*%<
+ * Get the name, ttl, and rdata of the current journal RR.
+ *
+ * Requires:
+ * \li     The last call to dns_journal_first_rr() or dns_journal_next_rr()
+ *      returned ISC_R_SUCCESS.
+ */
+
+/**************************************************************************/
+/*
+ * Database roll-forward.
+ */
+
+isc_result_t
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
+			const char *filename);
+/*%<
+ * Roll forward (play back) the journal file "filename" into the
+ * database "db".  This should be called when the server starts
+ * after a shutdown or crash.
+ *
+ * Requires:
+ *\li   'mctx' is a valid memory context.
+ *\li	'db' is a valid database which does not have a version
+ *           open for writing.
+ *\li   'filename' is the name of the journal file belonging to 'db'.
+ *
+ * Returns:
+ *\li	DNS_R_NOJOURNAL when journal does not exist.
+ *\li	ISC_R_NOTFOUND when current serial in not in journal.
+ *\li	ISC_R_RANGE when current serial in not in journals range.
+ *\li	ISC_R_SUCCESS journal has been applied successfully to database.
+ *	others
+ */
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
+/* For debugging not general use */
+
+isc_result_t
+dns_db_diff(isc_mem_t *mctx,
+	    dns_db_t *dba, dns_dbversion_t *dbvera,
+	    dns_db_t *dbb, dns_dbversion_t *dbverb,
+	    const char *journal_filename);
+
+isc_result_t
+dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
+	     dns_db_t *dbb, dns_dbversion_t *dbverb,
+	     const char *journal_filename);
+/*%<
+ * Compare the databases 'dba' and 'dbb' and generate a diff/journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order).  This journal entry will consist of a single,
+ * possibly very large transaction.  Append the journal
+ * entry to the journal file specified by 'journal_filename' if
+ * non-NULL.
+ */
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
+		    uint32_t target_size);
+/*%<
+ * Attempt to compact the journal if it is greater that 'target_size'.
+ * Changes from 'serial' onwards will be preserved.  If the journal
+ * exists and is non-empty 'serial' must exist in the journal.
+ */
+
+bool
+dns_journal_get_sourceserial(dns_journal_t *j, uint32_t *sourceserial);
+void
+dns_journal_set_sourceserial(dns_journal_t *j, uint32_t sourceserial);
+/*%<
+ * Get and set source serial.
+ *
+ * Returns:
+ *	 true if sourceserial has previously been set.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_JOURNAL_H */
diff --git a/lib/dns/include/dns/keydata.h b/lib/dns/include/dns/keydata.h
new file mode 100644
index 0000000..f12932a
--- /dev/null
+++ b/lib/dns/include/dns/keydata.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_KEYDATA_H
+#define DNS_KEYDATA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/keydata.h
+ * \brief
+ * KEYDATA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+#include <dns/rdatastruct.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
+		     dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
+		       dns_rdata_dnskey_t *dnskey,
+		       uint32_t refresh, uint32_t addhd,
+		       uint32_t removehd, isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYDATA_H */
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
new file mode 100644
index 0000000..6d41a1c
--- /dev/null
+++ b/lib/dns/include/dns/keyflags.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_KEYFLAGS_H
+#define DNS_KEYFLAGS_H 1
+
+/*! \file dns/keyflags.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC KEY flags value.
+ * The text may contain either a set of flag mnemonics separated by
+ * vertical bars or a decimal flags value.  For compatibility with
+ * older versions of BIND and the DNSSEC signer, octal values
+ * prefixed with a zero and hexadecimal values prefixed with "0x"
+ * are also accepted.
+ *
+ * Requires:
+ *\li	'flagsp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric flag value is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic flag is unknown
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYFLAGS_H */
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
new file mode 100644
index 0000000..a94fa3e
--- /dev/null
+++ b/lib/dns/include/dns/keytable.h
@@ -0,0 +1,439 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_KEYTABLE_H
+#define DNS_KEYTABLE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * The keytable module provides services for storing and retrieving DNSSEC
+ * trusted keys, as well as the ability to find the deepest matching key
+ * for a given domain name.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
+/*%<
+ * Create a keytable.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	keytablep != NULL && *keytablep == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *keytablep is a valid, empty key table.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid keytable.
+ *
+ *\li	'targetp' points to a NULL dns_keytable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep);
+/*%<
+ * Detach *keytablep from its keytable.
+ *
+ * Requires:
+ *
+ *\li	'keytablep' points to a valid keytable.
+ *
+ * Ensures:
+ *
+ *\li	*keytablep is NULL.
+ *
+ *\li	If '*keytablep' is the last reference to the keytable,
+ *		all resources used by the keytable will be freed
+ */
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, bool managed,
+		 dst_key_t **keyp);
+/*%<
+ * Add '*keyp' to 'keytable' (using the name in '*keyp').
+ * The value of keynode->managed is set to 'managed'
+ *
+ * Notes:
+ *
+ *\li	Ownership of *keyp is transferred to the keytable.
+ *\li   If the key already exists in the table, ISC_R_EXISTS is
+ *      returned and the new key is freed.
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *
+ *\li	keyp != NULL && *keyp is a valid dst_key_t *.
+ *
+ * Ensures:
+ *
+ *\li	On success, *keyp == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_EXISTS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name);
+/*%<
+ * Add a null key to 'keytable' for name 'name'.  This marks the
+ * name as a secure domain, but doesn't supply any key data to allow the
+ * domain to be validated.  (Used when automated trust anchor management
+ * has gotten broken by a zone misconfiguration; for example, when the
+ * active key has been revoked but the stand-by key was still in its 30-day
+ * waiting period for validity.)
+ *
+ * Notes:
+ *
+ *\li   If a key already exists in the table, ISC_R_EXISTS is
+ *      returned and nothing is done.
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *
+ *\li	keyp != NULL && *keyp is a valid dst_key_t *.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_EXISTS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname);
+/*%<
+ * Delete node(s) from 'keytable' matching name 'keyname'
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *
+ *\li	'name' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey);
+/*%<
+ * Delete node(s) from 'keytable' containing copies of the key pointed
+ * to by 'dstkey'
+ *
+ * Requires:
+ *
+ *\li	'keytable' points to a valid keytable.
+ *\li	'dstkey' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
+		  dns_keynode_t **keynodep);
+/*%<
+ * Search for the first instance of a key named 'name' in 'keytable',
+ * without regard to keyid and algorithm.  Use dns_keytable_nextkeynode()
+ * to find subsequent instances.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	keynodep != NULL && *keynodep == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+			 dns_keynode_t **nextnodep);
+/*%<
+ * Return for the next key after 'keynode' in 'keytable', without regard to
+ * keyid and algorithm.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'keynode' is a valid keynode.
+ *
+ *\li	nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
+			 dns_secalg_t algorithm, dns_keytag_t tag,
+			 dns_keynode_t **keynodep);
+/*%<
+ * Search for a key named 'name', matching 'algorithm' and 'tag' in
+ * 'keytable'.  This finds the first instance which matches.  Use
+ * dns_keytable_findnextkeynode() to find other instances.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	keynodep != NULL && *keynodep == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_PARTIALMATCH	the name existed in the keytable.
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+					     dns_keynode_t **nextnodep);
+/*%<
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable' as found by dns_keytable_findkeynode().
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'keynode' is a valid keynode.
+ *
+ *\li	nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+			      dns_name_t *foundname);
+/*%<
+ * Search for the deepest match of 'name' in 'keytable'.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	'foundname' is a name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ *
+ *\li	Any other result indicates an error.
+ */
+
+void
+dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
+			   dns_keynode_t **target);
+/*%<
+ * Attach a keynode and and increment the active_nodes counter in a
+ * corresponding keytable.
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'source' is a valid keynode.
+ *
+ *\li	'target' is not null and '*target' is null.
+ */
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable,
+			   dns_keynode_t **keynodep);
+/*%<
+ * Give back a keynode found via dns_keytable_findkeynode().
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	*keynodep is a valid keynode returned by a call to
+ *	dns_keytable_findkeynode().
+ *
+ * Ensures:
+ *
+ *\li	*keynodep == NULL
+ */
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
+			    dns_name_t *foundname, bool *wantdnssecp);
+/*%<
+ * Is 'name' at or beneath a trusted key?
+ *
+ * Requires:
+ *
+ *\li	'keytable' is a valid keytable.
+ *
+ *\li	'name' is a valid absolute name.
+ *
+ *\li	'foundanme' is NULL or is a pointer to an initialized dns_name_t
+ *
+ *\li	'*wantsdnssecp' is a valid bool.
+
+ * Ensures:
+ *
+ *\li	On success, *wantsdnssecp will be true if and only if 'name'
+ *	is at or beneath a trusted key.  If 'foundname' is not NULL, then
+ *	it will be updated to contain the name of the closest enclosing
+ *	trust anchor.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result is an error.
+ */
+
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp);
+/*%<
+ * Dump the keytable on fp.
+ */
+
+isc_result_t
+dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **buf);
+/*%<
+ * Dump the keytable to buffer at 'buf'
+ */
+
+dst_key_t *
+dns_keynode_key(dns_keynode_t *keynode);
+/*%<
+ * Get the DST key associated with keynode.
+ */
+
+bool
+dns_keynode_managed(dns_keynode_t *keynode);
+/*%<
+ * Is this flagged as a managed key?
+ */
+
+isc_result_t
+dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Allocate space for a keynode
+ */
+
+void
+dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target);
+/*%<
+ * Attach keynode 'source' to '*target'
+ */
+
+void
+dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Detach a single keynode, without touching any keynodes that
+ * may be pointed to by its 'next' pointer
+ */
+
+void
+dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **target);
+/*%<
+ * Detach a keynode and all its succesors.
+ */
+
+isc_result_t
+dns_keytable_forall(dns_keytable_t *keytable,
+		    void (*func)(dns_keytable_t *, dns_keynode_t *, void *),
+		    void *arg);
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYTABLE_H */
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
new file mode 100644
index 0000000..ad17261
--- /dev/null
+++ b/lib/dns/include/dns/keyvalues.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_KEYVALUES_H
+#define DNS_KEYVALUES_H 1
+
+/*! \file dns/keyvalues.h */
+
+/*
+ * Flags field of the KEY RR rdata
+ */
+#define DNS_KEYFLAG_TYPEMASK	0xC000	/*%< Mask for "type" bits */
+#define DNS_KEYTYPE_AUTHCONF	0x0000	/*%< Key usable for both */
+#define DNS_KEYTYPE_CONFONLY	0x8000	/*%< Key usable for confidentiality */
+#define DNS_KEYTYPE_AUTHONLY	0x4000	/*%< Key usable for authentication */
+#define DNS_KEYTYPE_NOKEY	0xC000	/*%< No key usable for either; no key */
+#define DNS_KEYTYPE_NOAUTH	DNS_KEYTYPE_CONFONLY
+#define DNS_KEYTYPE_NOCONF	DNS_KEYTYPE_AUTHONLY
+
+#define DNS_KEYFLAG_RESERVED2	0x2000	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_EXTENDED	0x1000	/*%< key has extended flags */
+#define DNS_KEYFLAG_RESERVED4	0x0800	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED5	0x0400	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_OWNERMASK	0x0300	/*%< these bits determine the type */
+#define DNS_KEYOWNER_USER	0x0000	/*%< key is assoc. with user */
+#define DNS_KEYOWNER_ENTITY	0x0200	/*%< key is assoc. with entity eg host */
+#define DNS_KEYOWNER_ZONE	0x0100	/*%< key is zone key */
+#define DNS_KEYOWNER_RESERVED	0x0300	/*%< reserved meaning */
+#define DNS_KEYFLAG_REVOKE	0x0080	/*%< key revoked (per rfc5011) */
+#define DNS_KEYFLAG_RESERVED9	0x0040	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED10	0x0020	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED11	0x0010	/*%< reserved - must be zero */
+#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /*%< key can sign RR's of same name */
+
+#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
+				  DNS_KEYFLAG_RESERVED4 | \
+				  DNS_KEYFLAG_RESERVED5 | \
+				  DNS_KEYFLAG_RESERVED9 | \
+				  DNS_KEYFLAG_RESERVED10 | \
+				  DNS_KEYFLAG_RESERVED11 )
+#define DNS_KEYFLAG_KSK		0x0001	/*%< key signing key */
+
+#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF	/*%< no bits defined here */
+
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define DNS_KEYALG_RSAMD5	1       /*%< RSA with MD5 */
+#define DNS_KEYALG_RSA		DNS_KEYALG_RSAMD5
+#define DNS_KEYALG_DH		2       /*%< Diffie Hellman KEY */
+#define DNS_KEYALG_DSA		3       /*%< DSA KEY */
+#define DNS_KEYALG_NSEC3DSA	6
+#define DNS_KEYALG_DSS		DNS_ALG_DSA
+#define DNS_KEYALG_ECC		4
+#define DNS_KEYALG_RSASHA1	5
+#define DNS_KEYALG_NSEC3RSASHA1	7
+#define DNS_KEYALG_RSASHA256	8
+#define DNS_KEYALG_RSASHA512	10
+#define DNS_KEYALG_ECCGOST	12
+#define DNS_KEYALG_ECDSA256	13
+#define DNS_KEYALG_ECDSA384	14
+#define DNS_KEYALG_ED25519	15
+#define DNS_KEYALG_ED448	16
+#define DNS_KEYALG_INDIRECT	252
+#define DNS_KEYALG_PRIVATEDNS	253
+#define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
+
+/* Protocol values  */
+#define	DNS_KEYPROTO_RESERVED	0
+#define DNS_KEYPROTO_TLS	1
+#define DNS_KEYPROTO_EMAIL	2
+#define DNS_KEYPROTO_DNSSEC	3
+#define DNS_KEYPROTO_IPSEC	4
+#define DNS_KEYPROTO_ANY	255
+
+/* Signatures */
+#define DNS_SIG_RSAMINBITS	512	/*%< Size of a mod or exp in bits */
+#define DNS_SIG_RSAMAXBITS	2552
+	/* Total of binary mod and exp */
+#define DNS_SIG_RSAMAXBYTES	((DNS_SIG_RSAMAXBITS+7/8)*2+3)
+	/*%< Max length of text sig block */
+#define DNS_SIG_RSAMAXBASE64	(((DNS_SIG_RSAMAXBYTES+2)/3)*4)
+#define DNS_SIG_RSAMINSIZE	((DNS_SIG_RSAMINBITS+7)/8)
+#define DNS_SIG_RSAMAXSIZE	((DNS_SIG_RSAMAXBITS+7)/8)
+
+#define DNS_SIG_DSASIGSIZE	41
+#define DNS_SIG_DSAMINBITS	512
+#define DNS_SIG_DSAMAXBITS	1024
+#define DNS_SIG_DSAMINBYTES	213
+#define DNS_SIG_DSAMAXBYTES	405
+
+#define DNS_SIG_GOSTSIGSIZE	64
+
+#define DNS_SIG_ECDSA256SIZE	64
+#define DNS_SIG_ECDSA384SIZE	96
+
+#define DNS_KEY_ECDSA256SIZE	64
+#define DNS_KEY_ECDSA384SIZE	96
+
+#define DNS_SIG_ED25519SIZE	64
+#define DNS_SIG_ED448SIZE	114
+
+#define DNS_KEY_ED25519SIZE	32
+#define DNS_KEY_ED448SIZE	57
+
+#endif /* DNS_KEYVALUES_H */
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
new file mode 100644
index 0000000..d63efdd
--- /dev/null
+++ b/lib/dns/include/dns/lib.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_LIB_H
+#define DNS_LIB_H 1
+
+/*! \file dns/lib.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Tuning: external query load in packets per seconds.
+ */
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_pps;
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
+
+void
+dns_lib_initmsgcat(void);
+/*%<
+ * Initialize the DNS library's message catalog, dns_msgcat, if it
+ * has not already been initialized.
+ */
+
+isc_result_t
+dns_lib_init(void);
+/*%<
+ * A set of initialization procedure used in the DNS library.  This function
+ * is provided for an application that is not aware of the underlying ISC or
+ * DNS libraries much.
+ */
+
+void
+dns_lib_shutdown(void);
+/*%<
+ * Free temporary resources allocated in dns_lib_init().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LIB_H */
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
new file mode 100644
index 0000000..278ada0
--- /dev/null
+++ b/lib/dns/include/dns/log.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/log.h
+ */
+
+#ifndef DNS_LOG_H
+#define DNS_LOG_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx;
+LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[];
+LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
+
+#define DNS_LOGCATEGORY_NOTIFY		(&dns_categories[0])
+#define DNS_LOGCATEGORY_DATABASE	(&dns_categories[1])
+#define DNS_LOGCATEGORY_SECURITY	(&dns_categories[2])
+/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
+#define DNS_LOGCATEGORY_DNSSEC		(&dns_categories[4])
+#define DNS_LOGCATEGORY_RESOLVER	(&dns_categories[5])
+#define DNS_LOGCATEGORY_XFER_IN		(&dns_categories[6])
+#define DNS_LOGCATEGORY_XFER_OUT	(&dns_categories[7])
+#define DNS_LOGCATEGORY_DISPATCH	(&dns_categories[8])
+#define DNS_LOGCATEGORY_LAME_SERVERS	(&dns_categories[9])
+#define DNS_LOGCATEGORY_DELEGATION_ONLY	(&dns_categories[10])
+#define DNS_LOGCATEGORY_EDNS_DISABLED	(&dns_categories[11])
+#define DNS_LOGCATEGORY_RPZ		(&dns_categories[12])
+#define DNS_LOGCATEGORY_RRL		(&dns_categories[13])
+#define DNS_LOGCATEGORY_CNAME		(&dns_categories[14])
+#define DNS_LOGCATEGORY_SPILL		(&dns_categories[15])
+#define DNS_LOGCATEGORY_DNSTAP		(&dns_categories[16])
+
+/* Backwards compatibility. */
+#define DNS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
+
+#define DNS_LOGMODULE_DB		(&dns_modules[0])
+#define DNS_LOGMODULE_RBTDB		(&dns_modules[1])
+#define DNS_LOGMODULE_RBTDB64		(&dns_modules[2])
+#define DNS_LOGMODULE_RBT		(&dns_modules[3])
+#define DNS_LOGMODULE_RDATA		(&dns_modules[4])
+#define DNS_LOGMODULE_MASTER		(&dns_modules[5])
+#define DNS_LOGMODULE_MESSAGE		(&dns_modules[6])
+#define DNS_LOGMODULE_CACHE		(&dns_modules[7])
+#define DNS_LOGMODULE_CONFIG		(&dns_modules[8])
+#define DNS_LOGMODULE_RESOLVER		(&dns_modules[9])
+#define DNS_LOGMODULE_ZONE		(&dns_modules[10])
+#define DNS_LOGMODULE_JOURNAL		(&dns_modules[11])
+#define DNS_LOGMODULE_ADB		(&dns_modules[12])
+#define DNS_LOGMODULE_XFER_IN		(&dns_modules[13])
+#define DNS_LOGMODULE_XFER_OUT		(&dns_modules[14])
+#define DNS_LOGMODULE_ACL		(&dns_modules[15])
+#define DNS_LOGMODULE_VALIDATOR		(&dns_modules[16])
+#define DNS_LOGMODULE_DISPATCH		(&dns_modules[17])
+#define DNS_LOGMODULE_REQUEST		(&dns_modules[18])
+#define DNS_LOGMODULE_MASTERDUMP	(&dns_modules[19])
+#define DNS_LOGMODULE_TSIG		(&dns_modules[20])
+#define DNS_LOGMODULE_TKEY		(&dns_modules[21])
+#define DNS_LOGMODULE_SDB		(&dns_modules[22])
+#define DNS_LOGMODULE_DIFF		(&dns_modules[23])
+#define DNS_LOGMODULE_HINTS		(&dns_modules[24])
+#define DNS_LOGMODULE_ACACHE		(&dns_modules[25])
+#define DNS_LOGMODULE_DLZ		(&dns_modules[26])
+#define DNS_LOGMODULE_DNSSEC		(&dns_modules[27])
+#define DNS_LOGMODULE_CRYPTO		(&dns_modules[28])
+#define DNS_LOGMODULE_PACKETS		(&dns_modules[29])
+#define DNS_LOGMODULE_NTA		(&dns_modules[30])
+#define DNS_LOGMODULE_DYNDB		(&dns_modules[31])
+#define DNS_LOGMODULE_DNSTAP		(&dns_modules[32])
+#define DNS_LOGMODULE_SSU		(&dns_modules[33])
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_log_init(isc_log_t *lctx);
+/*%
+ * Make the libdns categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	dns_log_init() is called only once.
+ *
+ * Ensures:
+ * \li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+void
+dns_log_setcontext(isc_log_t *lctx);
+/*%
+ * Make the libdns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOG_H */
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
new file mode 100644
index 0000000..1af58fe
--- /dev/null
+++ b/lib/dns/include/dns/lookup.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_LOOKUP_H
+#define DNS_LOOKUP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/lookup.h
+ * \brief
+ * The lookup module performs simple DNS lookups.  It implements
+ * the full resolver algorithm, both looking for local data and
+ * resolving external names as necessary.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A 'dns_lookupevent_t' is returned when a lookup completes.
+ * The sender field will be set to the lookup that completed.  If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address.  The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_lookupevent {
+	ISC_EVENT_COMMON(struct dns_lookupevent);
+	isc_result_t			result;
+	dns_name_t			*name;
+	dns_rdataset_t			*rdataset;
+	dns_rdataset_t			*sigrdataset;
+	dns_db_t			*db;
+	dns_dbnode_t			*node;
+} dns_lookupevent_t;
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
+/*%<
+ * Finds the rrsets matching 'name' and 'type'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid mctx.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'view' is a valid view which has a resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	lookupp != NULL && *lookupp == NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *
+ *\li	Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ *	returned.
+ */
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup);
+/*%<
+ * Cancel 'lookup'.
+ *
+ * Notes:
+ *
+ *\li	If 'lookup' has not completed, post its LOOKUPDONE event with a
+ *	result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'lookup' is a valid lookup.
+ */
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp);
+/*%<
+ * Destroy 'lookup'.
+ *
+ * Requires:
+ *
+ *\li	'*lookupp' is a valid lookup.
+ *
+ *\li	The caller has received the LOOKUPDONE event (either because the
+ *	lookup completed or because dns_lookup_cancel() was called).
+ *
+ * Ensures:
+ *
+ *\li	*lookupp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOOKUP_H */
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
new file mode 100644
index 0000000..61c93b0
--- /dev/null
+++ b/lib/dns/include/dns/master.h
@@ -0,0 +1,382 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_MASTER_H
+#define DNS_MASTER_H 1
+
+/*! \file dns/master.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*
+ * Flags to be passed in the 'options' argument in the functions below.
+ */
+#define	DNS_MASTER_AGETTL 	0x00000001	/*%< Age the ttl based on $DATE. */
+#define DNS_MASTER_MANYERRORS 	0x00000002	/*%< Continue processing on errors. */
+#define DNS_MASTER_NOINCLUDE 	0x00000004	/*%< Disallow $INCLUDE directives. */
+#define DNS_MASTER_ZONE 	0x00000008	/*%< Loading a zone master file. */
+#define DNS_MASTER_HINT 	0x00000010	/*%< Loading a hint master file. */
+#define DNS_MASTER_SLAVE 	0x00000020	/*%< Loading a slave master file. */
+#define DNS_MASTER_CHECKNS 	0x00000040	/*%<
+						 * Check NS records to see
+						 * if they are an address
+						 */
+#define DNS_MASTER_FATALNS 	0x00000080	/*%<
+						 * Treat DNS_MASTER_CHECKNS
+						 * matches as fatal
+						 */
+#define DNS_MASTER_CHECKNAMES   0x00000100
+#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
+#define DNS_MASTER_CHECKWILDCARD 0x00000400	/* Check for internal wildcards. */
+#define DNS_MASTER_CHECKMX	0x00000800
+#define DNS_MASTER_CHECKMXFAIL	0x00001000
+
+#define DNS_MASTER_RESIGN	0x00002000
+#define DNS_MASTER_KEY	 	0x00004000	/*%< Loading a key zone master file. */
+#define DNS_MASTER_NOTTL	0x00008000	/*%< Don't require ttl. */
+#define DNS_MASTER_CHECKTTL	0x00010000	/*%< Check max-zone-ttl */
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Structures that implement the "raw" format for master dump.
+ * These are provided for a reference purpose only; in the actual
+ * encoding, we directly read/write each field so that the encoded data
+ * is always "packed", regardless of the hardware architecture.
+ */
+#define DNS_RAWFORMAT_VERSION 1
+
+/*
+ * Flags to indicate the status of the data in the raw file header
+ */
+#define DNS_MASTERRAW_COMPAT 		0x01
+#define DNS_MASTERRAW_SOURCESERIALSET	0x02
+#define DNS_MASTERRAW_LASTXFRINSET	0x04
+
+/* Common header */
+struct dns_masterrawheader {
+	uint32_t		format;		/* must be
+						 * dns_masterformat_raw
+						 * or
+						 * dns_masterformat_map */
+	uint32_t		version;	/* compatibility for future
+						 * extensions */
+	uint32_t		dumptime;	/* timestamp on creation
+						 * (currently unused) */
+	uint32_t		flags;		/* Flags */
+	uint32_t		sourceserial;	/* Source serial number (used
+						 * by inline-signing zones) */
+	uint32_t		lastxfrin;	/* timestamp of last transfer
+						 * (used by slave zones) */
+};
+
+/* The structure for each RRset */
+typedef struct {
+	uint32_t		totallen;	/* length of the data for this
+						 * RRset, including the
+						 * "header" part */
+	dns_rdataclass_t	rdclass;	/* 16-bit class */
+	dns_rdatatype_t		type;		/* 16-bit type */
+	dns_rdatatype_t		covers;		/* same as type */
+	dns_ttl_t		ttl;		/* 32-bit TTL */
+	uint32_t		nrdata;		/* number of RRs in this set */
+	/* followed by encoded owner name, and then rdata */
+} dns_masterrawrdataset_t;
+
+/*
+ * Method prototype: a callback to register each include file as
+ * it is encountered.
+ */
+typedef void
+(*dns_masterincludecb_t)(const char *file, void *arg);
+
+/***
+ ***	Function
+ ***/
+
+isc_result_t
+dns_master_loadfile(const char *master_file,
+		    dns_name_t *top,
+		    dns_name_t *origin,
+		    dns_rdataclass_t zclass,
+		    unsigned int options,
+		    dns_rdatacallbacks_t *callbacks,
+		    isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadfile2(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx,
+		     dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfile3(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx,
+		     dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfile4(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     dns_masterincludecb_t include_cb,
+		     void *include_arg, isc_mem_t *mctx,
+		     dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfile5(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     dns_masterincludecb_t include_cb,
+		     void *include_arg, isc_mem_t *mctx,
+		     dns_masterformat_t format,
+		     dns_ttl_t maxttl);
+
+isc_result_t
+dns_master_loadstream(FILE *stream,
+		      dns_name_t *top,
+		      dns_name_t *origin,
+		      dns_rdataclass_t zclass,
+		      unsigned int options,
+		      dns_rdatacallbacks_t *callbacks,
+		      isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer,
+		      dns_name_t *top,
+		      dns_name_t *origin,
+		      dns_rdataclass_t zclass,
+		      unsigned int options,
+		      dns_rdatacallbacks_t *callbacks,
+		      isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file,
+		       dns_name_t *top,
+		       dns_name_t *origin,
+		       dns_rdataclass_t zclass,
+		       unsigned int options,
+		       dns_rdatacallbacks_t *callbacks,
+		       isc_task_t *task,
+		       dns_loaddonefunc_t done, void *done_arg,
+		       dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadfileinc2(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx,
+			dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfileinc3(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx,
+			dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfileinc4(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp,
+			dns_masterincludecb_t include_cb, void *include_arg,
+			isc_mem_t *mctx, dns_masterformat_t format);
+
+isc_result_t
+dns_master_loadfileinc5(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp,
+			dns_masterincludecb_t include_cb, void *include_arg,
+			isc_mem_t *mctx, dns_masterformat_t format,
+			uint32_t maxttl);
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream,
+			 dns_name_t *top,
+			 dns_name_t *origin,
+			 dns_rdataclass_t zclass,
+			 unsigned int options,
+			 dns_rdatacallbacks_t *callbacks,
+			 isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer,
+			 dns_name_t *top,
+			 dns_name_t *origin,
+			 dns_rdataclass_t zclass,
+			 unsigned int options,
+			 dns_rdatacallbacks_t *callbacks,
+			 isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+/*%<
+ * Loads a RFC1305 master file from a file, stream, buffer, or existing
+ * lexer into rdatasets and then calls 'callbacks->commit' to commit the
+ * rdatasets.  Rdata memory belongs to dns_master_load and will be
+ * reused / released when the callback completes.  dns_load_master will
+ * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
+ *
+ * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
+ * $DATE directives, the TTLs of the data will be aged accordingly.
+ *
+ * 'callbacks->commit' is assumed to call 'callbacks->error' or
+ * 'callbacks->warn' to generate any error messages required.
+ *
+ * 'done' is called with 'done_arg' and a result code when the loading
+ * is completed or has failed.  If the initial setup fails 'done' is
+ * not called.
+ *
+ * 'resign' the number of seconds before a RRSIG expires that it should
+ * be re-signed.  0 is used if not provided.
+ *
+ * Requires:
+ *\li	'master_file' points to a valid string.
+ *\li	'lexer' points to a valid lexer.
+ *\li	'top' points to a valid name.
+ *\li	'origin' points to a valid name.
+ *\li	'callbacks->commit' points to a valid function.
+ *\li	'callbacks->error' points to a valid function.
+ *\li	'callbacks->warn' points to a valid function.
+ *\li	'mctx' points to a valid memory context.
+ *\li	'task' and 'done' to be valid.
+ *\li	'lmgr' to be valid.
+ *\li	'ctxp != NULL && ctxp == NULL'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS upon successfully loading the master file.
+ *\li	ISC_R_SEENINCLUDE upon successfully loading the master file with
+ *		a $INCLUDE statement.
+ *\li	ISC_R_NOMEMORY out of memory.
+ *\li	ISC_R_UNEXPECTEDEND expected to be able to read a input token and
+ *		there was not one.
+ *\li	ISC_R_UNEXPECTED
+ *\li	DNS_R_NOOWNER failed to specify a ownername.
+ *\li	DNS_R_NOTTL failed to specify a ttl.
+ *\li	DNS_R_BADCLASS record class did not match zone class.
+ *\li	DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
+ *\li	Any dns_rdata_fromtext() error code.
+ *\li	Any error code from callbacks->commit().
+ */
+
+void
+dns_loadctx_detach(dns_loadctx_t **ctxp);
+/*%<
+ * Detach from the load context.
+ *
+ * Requires:
+ *\li	'*ctxp' to be valid.
+ *
+ * Ensures:
+ *\li	'*ctxp == NULL'
+ */
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
+/*%<
+ * Attach to the load context.
+ *
+ * Requires:
+ *\li	'source' to be valid.
+ *\li	'target != NULL && *target == NULL'.
+ */
+
+void
+dns_loadctx_cancel(dns_loadctx_t *ctx);
+/*%<
+ * Cancel loading the zone file associated with this load context.
+ *
+ * Requires:
+ *\li	'ctx' to be valid
+ */
+
+void
+dns_master_initrawheader(dns_masterrawheader_t *header);
+/*%<
+ * Initializes the header for a raw master file, setting all
+ * values to zero.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTER_H */
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
new file mode 100644
index 0000000..b01ca08
--- /dev/null
+++ b/lib/dns/include/dns/masterdump.h
@@ -0,0 +1,428 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_MASTERDUMP_H
+#define DNS_MASTERDUMP_H 1
+
+/*! \file dns/masterdump.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_master_style dns_master_style_t;
+
+/***
+ *** Definitions
+ ***/
+
+/*
+ * Flags affecting master file formatting.  Flags 0x0000FFFF
+ * define the formatting of the rdata part and are defined in
+ * rdata.h.
+ */
+
+/*% Omit the owner name when possible. */
+#define	DNS_STYLEFLAG_OMIT_OWNER        0x000010000ULL
+
+/*%
+ * Omit the TTL when possible.  If DNS_STYLEFLAG_TTL is
+ * also set, this means no TTLs are ever printed
+ * because $TTL directives are generated before every
+ * change in the TTL.  In this case, no columns need to
+ * be reserved for the TTL.  Master files generated with
+ * these options will be rejected by BIND 4.x because it
+ * does not recognize the $TTL directive.
+ *
+ * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
+ * omitted when it is equal to the previous TTL.
+ * This is correct according to RFC1035, but the
+ * TTLs may be silently misinterpreted by older
+ * versions of BIND which use the SOA MINTTL as a
+ * default TTL value.
+ */
+#define	DNS_STYLEFLAG_OMIT_TTL		0x000020000ULL
+
+/*% Omit the class when possible. */
+#define	DNS_STYLEFLAG_OMIT_CLASS	0x000040000ULL
+
+/*% Output $TTL directives. */
+#define	DNS_STYLEFLAG_TTL		0x000080000ULL
+
+/*%
+ * Output $ORIGIN directives and print owner names relative to
+ * the origin when possible.
+ */
+#define	DNS_STYLEFLAG_REL_OWNER		0x000100000ULL
+
+/*% Print domain names in RR data in relative form when possible.
+   For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
+#define	DNS_STYLEFLAG_REL_DATA		0x000200000ULL
+
+/*% Print the trust level of each rdataset. */
+#define	DNS_STYLEFLAG_TRUST		0x000400000ULL
+
+/*% Print negative caching entries. */
+#define	DNS_STYLEFLAG_NCACHE		0x000800000ULL
+
+/*% Never print the TTL. */
+#define	DNS_STYLEFLAG_NO_TTL		0x001000000ULL
+
+/*% Never print the CLASS. */
+#define	DNS_STYLEFLAG_NO_CLASS		0x002000000ULL
+
+/*% Report re-signing time. */
+#define	DNS_STYLEFLAG_RESIGN		0x004000000ULL
+
+/*% Don't printout the cryptographic parts of DNSSEC records. */
+#define	DNS_STYLEFLAG_NOCRYPTO		0x008000000ULL
+
+/*% Comment out data by prepending with ";" */
+#define	DNS_STYLEFLAG_COMMENTDATA	0x010000000ULL
+
+/*% Print TTL with human-readable units. */
+#define DNS_STYLEFLAG_TTL_UNITS		0x020000000ULL
+
+/*% Indent output. */
+#define DNS_STYLEFLAG_INDENT		0x040000000ULL
+
+/*% Output in YAML style. */
+#define DNS_STYLEFLAG_YAML		0x080000000ULL
+
+/*% Print ECS cache entries as comments (reserved for future use). */
+#define DNS_STYLEFLAG_ECSCACHE		0x100000000ULL
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Constants
+ ***/
+
+/*%
+ * The default master file style.
+ *
+ * This uses $TTL directives to avoid the need to dedicate a
+ * tab stop for the TTL.  The class is only printed for the first
+ * rrset in the file and shares a tab stop with the RR type.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
+
+/*%
+ * A master file style that dumps zones to a very generic format easily
+ * imported/checked with external tools.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
+
+/*%
+ * A master file style that prints explicit TTL values on each
+ * record line, never using $TTL statements.  The TTL has a tab
+ * stop of its own, but the class and type share one.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
+					dns_master_style_explicitttl;
+
+/*%
+ * A master style format designed for cache files.  It prints explicit TTL
+ * values on each record line and never uses $ORIGIN or relative names.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
+
+/*%
+ * A master style that prints name, ttl, class, type, and value on
+ * every line.  Similar to explicitttl above, but more verbose.
+ * Intended for generating master files which can be easily parsed
+ * by perl scripts and similar applications.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
+
+/*%
+ * The style used for debugging, "dig" output, etc.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
+
+/*%
+ * Similar to dns_master_style_debug but data is prepended with ";"
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_comment;
+
+/*%
+ * Similar to dns_master_style_debug but data is indented with
+ * dns_master_indentstr (defaults to tab).
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_indent;
+
+/*%
+ * The style used for dumping "key" zones.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_keyzone;
+
+/*%
+ * YAML-compatible output
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_yaml;
+
+/*%
+ * The default indent string to prepend lines with when using
+ * styleflag DNS_STYLEFLAG_INDENT or DNS_STYLEFLAG_YAML.
+ * This is set to "\t" by default. The indent is repeated
+ * 'dns_master_indent' times. This precedes everything else
+ * on the line, including comment characters (;).
+ *
+ * XXX: Changing this value at runtime is not thread-safe.
+ */
+LIBDNS_EXTERNAL_DATA extern const char *dns_master_indentstr;
+
+/*%
+ * The number of copies of the indent string to put at the beginning
+ * of the line when using DNS_STYLEFLAG_INDENT or DNS_STYLEFLAG_YAML.
+ * This is set to 1 by default. It is increased and decreased
+ * to adjust indentation levels when producing YAML output.
+ *
+ * XXX: This is not thread-safe.
+ */
+LIBDNS_EXTERNAL_DATA extern unsigned int dns_master_indent;
+
+/***
+ ***	Functions
+ ***/
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
+/*%<
+ * Attach to a dump context.
+ *
+ * Require:
+ *\li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp);
+/*%<
+ * Detach from a dump context.
+ *
+ * Require:
+ *\li	'dctxp' to point to a valid dump context.
+ *
+ * Ensures:
+ *\li	'*dctxp' is NULL.
+ */
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx);
+/*%<
+ * Cancel a in progress dump.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx);
+/*%<
+ * Return the version handle (if any) of the database being dumped.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx);
+/*%<
+ * Return the database being dumped.
+ *
+ * Require:
+ *\li	'dctx' to be valid.
+ */
+
+
+/*@{*/
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+			   dns_dbversion_t *version,
+			   const dns_master_style_t *style, FILE *f,
+			   isc_task_t *task, dns_dumpdonefunc_t done,
+			   void *done_arg, dns_dumpctx_t **dctxp);
+
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+			dns_dbversion_t *version,
+			const dns_master_style_t *style, FILE *f);
+
+isc_result_t
+dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format, FILE *f);
+
+isc_result_t
+dns_master_dumptostream3(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format,
+			 dns_masterrawheader_t *header, FILE *f);
+/*%<
+ * Dump the database 'db' to the steam 'f' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * dns_master_dumptostream() is an old form of dns_master_dumptostream3(),
+ * which always specifies the dns_masterformat_text format.
+ * dns_master_dumptostream2() is an old form which always specifies
+ * a NULL header.
+ *
+ * If 'format' is dns_masterformat_raw, then 'header' can contain
+ * information to be written to the file header.
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Require:
+ *\li	'task' to be valid.
+ *\li	'done' to be non NULL.
+ *\li	'dctxp' to be non NULL && '*dctxp' to be NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_CONTINUE	dns_master_dumptostreaminc() only.
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
+ */
+/*@}*/
+
+/*@{*/
+isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		   const dns_master_style_t *style, const char *filename,
+		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		   dns_dumpctx_t **dctxp);
+
+isc_result_t
+dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,			    dns_dumpctx_t **dctxp, dns_masterformat_t format);
+
+isc_result_t
+dns_master_dumpinc3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void
+		    *done_arg, dns_dumpctx_t **dctxp,
+		    dns_masterformat_t format, dns_masterrawheader_t *header);
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
+		dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename);
+
+isc_result_t
+dns_master_dump2(isc_mem_t *mctx, dns_db_t *db,
+		 dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format);
+
+isc_result_t
+dns_master_dump3(isc_mem_t *mctx, dns_db_t *db,
+		 dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format, dns_masterrawheader_t *header);
+
+/*%<
+ * Dump the database 'db' to the file 'filename' in the specified format by
+ * 'format'.  If the format is dns_masterformat_text (the RFC1035 format),
+ * 'style' specifies the file style (e.g., &dns_master_style_default).
+ *
+ * dns_master_dumpinc() and dns_master_dump() are old forms of _dumpinc3()
+ * and _dump3(), respectively, which always specify the dns_masterformat_text
+ * format.  dns_master_dumpinc2() and dns_master_dump2() are old forms which
+ * always specify a NULL header.
+ *
+ * If 'format' is dns_masterformat_raw, then 'header' can contain
+ * information to be written to the file header.
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_CONTINUE	dns_master_dumpinc() only.
+ *\li	ISC_R_NOMEMORY
+ *\li	Any database or rrset iterator error.
+ *\li	Any dns_rdata_totext() error code.
+ */
+/*@}*/
+
+isc_result_t
+dns_master_rdatasettotext(dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t *target);
+/*%<
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid non-question rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_master_questiontotext(dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t *target);
+
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+			    dns_dbversion_t *version,
+			    dns_dbnode_t *node, dns_name_t *name,
+			    const dns_master_style_t *style,
+			    FILE *f);
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *name,
+		    const dns_master_style_t *style, const char *filename);
+
+dns_masterstyle_flags_t
+dns_master_styleflags(const dns_master_style_t *style);
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
+		       unsigned int ttl_column, unsigned int class_column,
+		       unsigned int type_column, unsigned int rdata_column,
+		       unsigned int line_length, unsigned int tab_width,
+		       isc_mem_t *mctx);
+
+isc_result_t
+dns_master_stylecreate2(dns_master_style_t **style, unsigned int flags,
+		       unsigned int ttl_column, unsigned int class_column,
+		       unsigned int type_column, unsigned int rdata_column,
+		       unsigned int line_length, unsigned int tab_width,
+		       unsigned int split_width, isc_mem_t *mctx);
+
+void
+dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
new file mode 100644
index 0000000..334123b
--- /dev/null
+++ b/lib/dns/include/dns/message.h
@@ -0,0 +1,1436 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_MESSAGE_H
+#define DNS_MESSAGE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/compress.h>
+#include <dns/masterdump.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+/*! \file dns/message.h
+ * \brief Message Handling Module
+ *
+ * How this beast works:
+ *
+ * When a dns message is received in a buffer, dns_message_parse() is called
+ * on the memory region.  Various items are checked including the format
+ * of the message (if counts are right, if counts consume the entire sections,
+ * and if sections consume the entire message) and known pseudo-RRs in the
+ * additional data section are analyzed and removed.
+ *
+ * TSIG checking is also done at this layer, and any DNSSEC transaction
+ * signatures should also be checked here.
+ *
+ * Notes on using the gettemp*() and puttemp*() functions:
+ *
+ * These functions return items (names, rdatasets, etc) allocated from some
+ * internal state of the dns_message_t.
+ *
+ * Names and rdatasets must be put back into the dns_message_t in
+ * one of two ways.  Assume a name was allocated via
+ * dns_message_gettempname():
+ *
+ *\li	(1) insert it into a section, using dns_message_addname().
+ *
+ *\li	(2) return it to the message using dns_message_puttempname().
+ *
+ * The same applies to rdatasets.
+ *
+ * On the other hand, offsets, rdatalists and rdatas allocated using
+ * dns_message_gettemp*() will always be freed automatically
+ * when the message is reset or destroyed; calling dns_message_puttemp*()
+ * on rdatalists and rdatas is optional and serves only to enable the item
+ * to be reused multiple times during the lifetime of the message; offsets
+ * cannot be reused.
+ *
+ * Buffers allocated using isc_buffer_allocate() can be automatically freed
+ * as well by giving the buffer to the message using dns_message_takebuffer().
+ * Doing this will cause the buffer to be freed using isc_buffer_free()
+ * when the section lists are cleared, such as in a reset or in a destroy.
+ * Since the buffer itself exists until the message is destroyed, this sort
+ * of code can be written:
+ *
+ * \code
+ *	buffer = isc_buffer_allocate(mctx, 512);
+ *	name = NULL;
+ *	name = dns_message_gettempname(message, &name);
+ *	dns_name_init(name, NULL);
+ *	result = dns_name_fromtext(name, &source, dns_rootname, 0, buffer);
+ *	dns_message_takebuffer(message, &buffer);
+ * \endcode
+ *
+ *
+ * TODO:
+ *
+ * XXX Needed:  ways to set and retrieve EDNS information, add rdata to a
+ * section, move rdata from one section to another, remove rdata, etc.
+ */
+
+#define DNS_MESSAGEFLAG_QR		0x8000U
+#define DNS_MESSAGEFLAG_AA		0x0400U
+#define DNS_MESSAGEFLAG_TC		0x0200U
+#define DNS_MESSAGEFLAG_RD		0x0100U
+#define DNS_MESSAGEFLAG_RA		0x0080U
+#define DNS_MESSAGEFLAG_AD		0x0020U
+#define DNS_MESSAGEFLAG_CD		0x0010U
+
+/*%< EDNS0 extended message flags */
+#define DNS_MESSAGEEXTFLAG_DO		0x8000U
+
+/*%< EDNS0 extended OPT codes */
+#define DNS_OPT_NSID		3		/*%< NSID opt code */
+#define DNS_OPT_CLIENT_SUBNET	8		/*%< client subnet opt code */
+#define DNS_OPT_EXPIRE		9		/*%< EXPIRE opt code */
+#define DNS_OPT_COOKIE		10		/*%< COOKIE opt code */
+#define DNS_OPT_PAD		12		/*%< PAD opt code */
+#define DNS_OPT_KEY_TAG		14		/*%< Key tag opt code */
+
+/*%< Experimental options [65001...65534] as per RFC6891 */
+
+/*%< The number of EDNS options we know about. */
+#define DNS_EDNSOPTIONS	5
+
+#define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
+#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
+
+#define DNS_MESSAGE_HEADERLEN		12 /*%< 6 uint16_t's */
+
+#define DNS_MESSAGE_MAGIC		ISC_MAGIC('M','S','G','@')
+#define DNS_MESSAGE_VALID(msg)		ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
+
+/*
+ * Ordering here matters.  DNS_SECTION_ANY must be the lowest and negative,
+ * and DNS_SECTION_MAX must be one greater than the last used section.
+ */
+typedef int dns_section_t;
+#define DNS_SECTION_ANY			(-1)
+#define DNS_SECTION_QUESTION		0
+#define DNS_SECTION_ANSWER		1
+#define DNS_SECTION_AUTHORITY		2
+#define DNS_SECTION_ADDITIONAL		3
+#define DNS_SECTION_MAX			4
+
+typedef int dns_pseudosection_t;
+#define DNS_PSEUDOSECTION_ANY		(-1)
+#define DNS_PSEUDOSECTION_OPT           0
+#define DNS_PSEUDOSECTION_TSIG          1
+#define DNS_PSEUDOSECTION_SIG0          2
+#define DNS_PSEUDOSECTION_MAX           3
+
+typedef int dns_messagetextflag_t;
+#define DNS_MESSAGETEXTFLAG_NOCOMMENTS	0x0001
+#define DNS_MESSAGETEXTFLAG_NOHEADERS	0x0002
+#define DNS_MESSAGETEXTFLAG_ONESOA	0x0004
+#define DNS_MESSAGETEXTFLAG_OMITSOA	0x0008
+
+/*
+ * Dynamic update names for these sections.
+ */
+#define DNS_SECTION_ZONE		DNS_SECTION_QUESTION
+#define DNS_SECTION_PREREQUISITE	DNS_SECTION_ANSWER
+#define DNS_SECTION_UPDATE		DNS_SECTION_AUTHORITY
+
+/*
+ * These tell the message library how the created dns_message_t will be used.
+ */
+#define DNS_MESSAGE_INTENTUNKNOWN	0 /*%< internal use only */
+#define DNS_MESSAGE_INTENTPARSE		1 /*%< parsing messages */
+#define DNS_MESSAGE_INTENTRENDER	2 /*%< rendering */
+
+/*
+ * Control behavior of parsing
+ */
+#define DNS_MESSAGEPARSE_PRESERVEORDER	0x0001	/*%< preserve rdata order */
+#define DNS_MESSAGEPARSE_BESTEFFORT	0x0002	/*%< return a message if a
+						   recoverable parse error
+						   occurs */
+#define DNS_MESSAGEPARSE_CLONEBUFFER	0x0004	/*%< save a copy of the
+						   source buffer */
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< truncation errors are
+						  * not fatal. */
+
+/*
+ * Control behavior of rendering
+ */
+#define DNS_MESSAGERENDER_ORDERED	0x0001	/*%< don't change order */
+#define DNS_MESSAGERENDER_PARTIAL	0x0002	/*%< allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/*%< omit DNSSEC records */
+#define DNS_MESSAGERENDER_PREFER_A	0x0008	/*%< prefer A records in
+						      additional section. */
+#define DNS_MESSAGERENDER_PREFER_AAAA	0x0010	/*%< prefer AAAA records in
+						  additional section. */
+#ifdef ALLOW_FILTER_AAAA
+#define DNS_MESSAGERENDER_FILTER_AAAA	0x0020	/*%< filter AAAA records */
+#endif
+
+typedef struct dns_msgblock dns_msgblock_t;
+
+struct dns_message {
+	/* public from here down */
+	unsigned int			magic;
+
+	dns_messageid_t			id;
+	unsigned int			flags;
+	dns_rcode_t			rcode;
+	dns_opcode_t			opcode;
+	dns_rdataclass_t		rdclass;
+
+	/* 4 real, 1 pseudo */
+	unsigned int			counts[DNS_SECTION_MAX];
+
+	/* private from here down */
+	dns_namelist_t			sections[DNS_SECTION_MAX];
+	dns_name_t		       *cursors[DNS_SECTION_MAX];
+	dns_rdataset_t		       *opt;
+	dns_rdataset_t		       *sig0;
+	dns_rdataset_t		       *tsig;
+
+	int				state;
+	unsigned int			from_to_wire : 2;
+	unsigned int			header_ok : 1;
+	unsigned int			question_ok : 1;
+	unsigned int			tcp_continuation : 1;
+	unsigned int			verified_sig : 1;
+	unsigned int			verify_attempted : 1;
+	unsigned int			free_query : 1;
+	unsigned int			free_saved : 1;
+	unsigned int			cc_ok : 1;
+	unsigned int			cc_bad : 1;
+	unsigned int			tkey : 1;
+	unsigned int			rdclass_set : 1;
+
+	unsigned int			opt_reserved;
+	unsigned int			sig_reserved;
+	unsigned int			reserved; /* reserved space (render) */
+
+	isc_buffer_t		       *buffer;
+	dns_compress_t		       *cctx;
+
+	isc_mem_t		       *mctx;
+	isc_mempool_t		       *namepool;
+	isc_mempool_t		       *rdspool;
+
+	isc_bufferlist_t		scratchpad;
+	isc_bufferlist_t		cleanup;
+
+	ISC_LIST(dns_msgblock_t)	rdatas;
+	ISC_LIST(dns_msgblock_t)	rdatalists;
+	ISC_LIST(dns_msgblock_t)	offsets;
+
+	ISC_LIST(dns_rdata_t)		freerdata;
+	ISC_LIST(dns_rdatalist_t)	freerdatalist;
+
+	dns_rcode_t			tsigstatus;
+	dns_rcode_t			querytsigstatus;
+	dns_name_t		       *tsigname; /* Owner name of TSIG, if any */
+	dns_rdataset_t		       *querytsig;
+	dns_tsigkey_t		       *tsigkey;
+	dst_context_t		       *tsigctx;
+	int				sigstart;
+	int				timeadjust;
+
+	dns_name_t		       *sig0name; /* Owner name of SIG0, if any */
+	dst_key_t		       *sig0key;
+	dns_rcode_t			sig0status;
+	isc_region_t			query;
+	isc_region_t			saved;
+
+	dns_rdatasetorderfunc_t		order;
+	const void *			order_arg;
+};
+
+struct dns_ednsopt {
+	uint16_t			code;
+	uint16_t			length;
+	unsigned char			*value;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
+
+/*%<
+ * Create msg structure.
+ *
+ * This function will allocate some internal blocks of memory that are
+ * expected to be needed for parsing or rendering nearly any type of message.
+ *
+ * Requires:
+ *\li	'mctx' be a valid memory context.
+ *
+ *\li	'msgp' be non-null and '*msg' be NULL.
+ *
+ *\li	'intent' must be one of DNS_MESSAGE_INTENTPARSE or
+ *	#DNS_MESSAGE_INTENTRENDER.
+ *
+ * Ensures:
+ *\li	The data in "*msg" is set to indicate an unused and empty msg
+ *	structure.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- out of memory
+ *\li	#ISC_R_SUCCESS		-- success
+ */
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent);
+/*%<
+ * Reset a message structure to default state.  All internal lists are freed
+ * or reset to a default state as well.  This is simply a more efficient
+ * way to call dns_message_destroy() followed by dns_message_allocate(),
+ * since it avoid many memory allocations.
+ *
+ * If any data loanouts (buffers, names, rdatas, etc) were requested,
+ * the caller must no longer use them after this call.
+ *
+ * The intended next use of the message will be 'intent'.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
+ */
+
+void
+dns_message_destroy(dns_message_t **msgp);
+/*%<
+ * Destroy all state in the message.
+ *
+ * Requires:
+ *
+ *\li	'msgp' be valid.
+ *
+ * Ensures:
+ *\li	'*msgp' == NULL
+ */
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  const dns_master_style_t *style,
+			  dns_messagetextflag_t flags,
+			  isc_buffer_t *target);
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+				dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t flags,
+				isc_buffer_t *target);
+/*%<
+ * Convert section 'section' or 'pseudosection' of message 'msg' to
+ * a cleartext representation
+ *
+ * Notes:
+ *     \li See dns_message_totext for meanings of flags.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ *\li	'style' is a valid master dump style.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	'section' is a valid section label.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
+ *
+ *\li	Note: On error return, *target may be partially filled with data.
+*/
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+		   dns_messagetextflag_t flags, isc_buffer_t *target);
+/*%<
+ * Convert all sections of message 'msg' to a cleartext representation
+ *
+ * Notes on flags:
+ *\li	If #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning with
+ * 	";;" will be emitted indicating section name.
+ *\li	If #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will be
+ * 	emitted.
+ *\li   If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the first
+ *	SOA record in the answer section.
+ *\li	If *#DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
+ *	in the answer section.
+ *
+ * The SOA flags are useful for suppressing the display of the second
+ * SOA record in an AXFR by setting #DNS_MESSAGETEXTFLAG_ONESOA on the
+ * first message in an AXFR stream and #DNS_MESSAGETEXTFLAG_OMITSOA on
+ * subsequent messages.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ *\li	'style' is a valid master dump style.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_NOMORE
+ *
+ *\li	Note: On error return, *target may be partially filled with data.
+ */
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+		  unsigned int options);
+/*%<
+ * Parse raw wire data in 'source' as a DNS message.
+ *
+ * OPT records are detected and stored in the pseudo-section "opt".
+ * TSIGs are detected and stored in the pseudo-section "tsig".
+ *
+ * If #DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
+ * is UPDATE, a separate dns_name_t object will be created for each RR in the
+ * message.  Each such dns_name_t will have a single rdataset containing the
+ * single RR, and the order of the RRs in the message is preserved.
+ * Otherwise, only one dns_name_t object will be created for each unique
+ * owner name in the section, and each such dns_name_t will have a list
+ * of rdatasets.  To access the names and their data, use
+ * dns_message_firstname() and dns_message_nextname().
+ *
+ * If #DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
+ * not be considered FORMERRs.  If the entire message can be parsed, it
+ * will be returned and DNS_R_RECOVERABLE will be returned.
+ *
+ * If #DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
+ * RR's as possible, DNS_R_RECOVERABLE will be returned.
+ *
+ * OPT and TSIG records are always handled specially, regardless of the
+ * 'preserve_order' setting.
+ *
+ * Requires:
+ *\li	"msg" be valid.
+ *
+ *\li	"buffer" be a wire format buffer.
+ *
+ * Ensures:
+ *\li	The buffer's data format is correct.
+ *
+ *\li	The buffer's contents verify as correct regarding header bits, buffer
+ * 	and rdata sizes, etc.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOMEMORY		-- no memory
+ *\li	#DNS_R_RECOVERABLE	-- the message parsed properly, but contained
+ *				   errors.
+ *\li	Many other errors possible XXXMLG
+ */
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+			isc_buffer_t *buffer);
+/*%<
+ * Begin rendering on a message.  Only one call can be made to this function
+ * per message.
+ *
+ * The compression context is "owned" by the message library until
+ * dns_message_renderend() is called.  It must be invalidated by the caller.
+ *
+ * The buffer is "owned" by the message library until dns_message_renderend()
+ * is called.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'cctx' be valid.
+ *
+ *\li	'buffer' is a valid buffer.
+ *
+ * Side Effects:
+ *
+ *\li	The buffer is cleared before it is used.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well
+ *\li	#ISC_R_NOSPACE		-- output buffer is too small
+ */
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
+/*%<
+ * Reset the buffer.  This can be used after growing the old buffer
+ * on a ISC_R_NOSPACE return from most of the render functions.
+ *
+ * On successful completion, the old buffer is no longer used by the
+ * library.  The new buffer is owned by the library until
+ * dns_message_renderend() is called.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ *\li	buffer != NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_NOSPACE		-- new buffer is too small
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space);
+/*%<
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Reserve "space" bytes in the given buffer.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOSPACE		-- not enough free space in the buffer.
+ */
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space);
+/*%<
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Release "space" bytes in the given buffer that was previously reserved.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'space' is less than or equal to the total amount of space reserved
+ *	via prior calls to dns_message_renderreserve().
+ *
+ *\li	dns_message_renderbegin() was called.
+ */
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t section,
+			  unsigned int options);
+/*%<
+ * Render all names, rdatalists, etc from the given section at the
+ * specified priority or higher.
+ *
+ * Requires:
+ *\li	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all records were written, and there are
+ *				   no more records for this section.
+ *\li	#ISC_R_NOSPACE		-- Not enough room in the buffer to write
+ *				   all records requested.
+ *\li	#DNS_R_MOREDATA		-- All requested records written, and there
+ *				   are records remaining for this section.
+ */
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
+/*%<
+ * Render the message header.  This is implicitly called by
+ * dns_message_renderend().
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ *\li	'target' is a valid buffer with enough space to hold a message header
+ */
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg);
+/*%<
+ * Finish rendering to the buffer.  Note that more data can be in the
+ * 'msg' structure.  Destroying the structure will free this, or in a multi-
+ * part EDNS1 message this data can be rendered to another buffer later.
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message.
+ *
+ *\li	dns_message_renderbegin() was called.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+void
+dns_message_renderreset(dns_message_t *msg);
+/*%<
+ * Reset the message so that it may be rendered again.
+ *
+ * Notes:
+ *
+ *\li	If dns_message_renderbegin() has been called, dns_message_renderend()
+ *	must be called before calling this function.
+ *
+ * Requires:
+ *
+ *\li	'msg' be a valid message with rendering intent.
+ */
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section);
+/*%<
+ * Set internal per-section name pointer to the beginning of the section.
+ *
+ * The functions dns_message_firstname() and dns_message_nextname() may
+ * be used for iterating over the owner names in a section.
+ *
+ * Requires:
+ *
+ *\li   	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No names on given section.
+ */
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section);
+/*%<
+ * Sets the internal per-section name pointer to point to the next name
+ * in that section.
+ *
+ * Requires:
+ *
+ * \li  	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_firstname() must have been called on this section,
+ *	and the result was ISC_R_SUCCESS.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMORE		-- No more names in given section.
+ */
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+			dns_name_t **name);
+/*%<
+ * Sets 'name' to point to the name where the per-section internal name
+ * pointer is currently set.
+ *
+ * This function returns the name in the database, so any data associated
+ * with it (via the name's "list" member) contains the actual rdatasets.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'name' be non-NULL, and *name be NULL.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	dns_message_firstname() must have been called on this section,
+ *	and the result of it and any dns_message_nextname() calls was
+ *	#ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+		     dns_name_t *target, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_name_t **foundname,
+		     dns_rdataset_t **rdataset);
+/*%<
+ * Search for a name in the specified section.  If it is found, *name is
+ * set to point to the name, and *rdataset is set to point to the found
+ * rdataset (if type is specified as other than dns_rdatatype_any).
+ *
+ * Requires:
+ *\li	'msg' be valid.
+ *
+ *\li	'section' be a valid section.
+ *
+ *\li	If a pointer to the name is desired, 'foundname' should be non-NULL.
+ *	If it is non-NULL, '*foundname' MUST be NULL.
+ *
+ *\li	If a type other than dns_datatype_any is searched for, 'rdataset'
+ *	may be non-NULL, '*rdataset' be NULL, and will point at the found
+ *	rdataset.  If the type is dns_datatype_any, 'rdataset' must be NULL.
+ *
+ *\li	'target' be a valid name.
+ *
+ *\li	'type' be a valid type.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#DNS_R_NXDOMAIN		-- name does not exist in that section.
+ *\li	#DNS_R_NXRRSET		-- The name does exist, but the desired
+ *				   type does not.
+ */
+
+isc_result_t
+dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_rdataset_t **rdataset);
+/*%<
+ * Search the name for the specified type.  If it is found, *rdataset is
+ * filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
+ */
+
+isc_result_t
+dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset);
+/*%<
+ * Search the name for the specified rdclass and type.  If it is found,
+ * *rdataset is filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ *\li	if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ *\li	'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ *\li	If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ *	Otherwise it should be 0.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOTFOUND		-- the desired type does not exist.
+ */
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+		     dns_section_t fromsection,
+		     dns_section_t tosection);
+/*%<
+ * Move a name from one section to another.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid.
+ *
+ *\li	'name' must be a name already in 'fromsection'.
+ *
+ *\li	'fromsection' must be a valid section.
+ *
+ *\li	'tosection' must be a valid section.
+ */
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+		    dns_section_t section);
+/*%<
+ * Adds the name to the given section.
+ *
+ * It is the caller's responsibility to enforce any unique name requirements
+ * in a section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section);
+/*%<
+ * Remove a existing name from a given section.
+ *
+ * It is the caller's responsibility to ensure the name is part of the
+ * given section.
+ *
+ * Requires:
+ *
+ *\li	'msg' be valid, and be a renderable message.
+ *
+ *\li	'name' be a valid absolute name.
+ *
+ *\li	'section' be a named section.
+ */
+
+
+/*
+ * LOANOUT FUNCTIONS
+ *
+ * Each of these functions loan a particular type of data to the caller.
+ * The storage for these will vanish when the message is destroyed or
+ * reset, and must NOT be used after these operations.
+ */
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
+/*%<
+ * Return a name that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * It is the caller's responsibility to initialize this name.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item);
+/*%<
+ * Return an offsets array that can be used for any temporary purpose,
+ * such as attaching to a temporary name.  The offsets will be freed
+ * when the message is destroyed or reset.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*%<
+ * Return a rdata that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The rdata will be freed
+ * when the message is destroyed or reset.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*%<
+ * Return a rdataset that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*%<
+ * Return a rdatalist that can be used for any temporary purpose, including
+ * inserting into the message's linked lists.  The rdatalist will be
+ * destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item == NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- All is well.
+ *\li	#ISC_R_NOMEMORY		-- No item can be allocated.
+ */
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
+/*%<
+ * Return a borrowed name to the message's name free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a name returned by
+ *	dns_message_gettempname()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*%<
+ * Return a borrowed rdata to the message's rdata free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdata returned by
+ *	dns_message_gettemprdata()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*%<
+ * Return a borrowed rdataset to the message's rdataset free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdataset returned by
+ *	dns_message_gettemprdataset()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*%<
+ * Return a borrowed rdatalist to the message's rdatalist free list.
+ *
+ * Requires:
+ *\li	msg be a valid message
+ *
+ *\li	item != NULL && *item point to a rdatalist returned by
+ *	dns_message_gettemprdatalist()
+ *
+ * Ensures:
+ *\li	*item == NULL
+ */
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+		       unsigned int *flagsp);
+/*%<
+ * Assume the remaining region of "source" is a DNS message.  Peek into
+ * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
+ *
+ * Requires:
+ *
+ *\li	source != NULL
+ *
+ * Ensures:
+ *
+ *\li	if (idp != NULL) *idp == message id.
+ *
+ *\li	if (flagsp != NULL) *flagsp == message flags.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_UNEXPECTEDEND	-- buffer doesn't contain enough for a header.
+ */
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, bool want_question_section);
+/*%<
+ * Start formatting a reply to the query in 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with parsing intent, and contains a query.
+ *
+ * Ensures:
+ *
+ *\li	The message will have a rendering intent.  If 'want_question_section'
+ *	is true, the message opcode is query or notify, and the question
+ *	section is present and properly formatted, then the question section
+ *	will be included in the reply.  All other sections will be cleared.
+ *	The QR flag will be set, the RD flag will be preserved, and all other
+ *	flags will be cleared.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#DNS_R_FORMERR		-- the header or question section of the
+ *				   message is invalid, replying is impossible.
+ *				   If DNS_R_FORMERR is returned when
+ *				   want_question_section is false, then
+ *				   it's the header section that's bad;
+ *				   otherwise either of the header or question
+ *				   sections may be bad.
+ */
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg);
+/*%<
+ * Get the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *
+ * Returns:
+ *
+ *\li	The OPT rdataset of 'msg', or NULL if there isn't one.
+ */
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
+/*%<
+ * Set the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent
+ *	and no sections have been rendered.
+ *
+ *\li	'opt' is a valid OPT record.
+ *
+ * Ensures:
+ *
+ *\li	The OPT record has either been freed or ownership of it has
+ *	been transferred to the message.
+ *
+ *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered
+ *	when dns_message_renderend() is called.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the OPT record.
+ */
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
+/*%<
+ * Get the TSIG record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ *\li	The TSIG rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * \li	If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
+/*%<
+ * Set the tsig key for 'msg'.  This is only necessary for when rendering a
+ * query or parsing a response.  The key (if non-NULL) is attached to, and
+ * will be detached when the message is destroyed.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent,
+ *	dns_message_renderbegin() has been called, and no sections have been
+ *	rendered.
+ *\li	'key' is a valid tsig key or NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the TSIG record.
+ */
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg);
+/*%<
+ * Gets the tsig key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message
+ */
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
+/*%<
+ * Indicates that 'querytsig' is the TSIG from the signed query for which
+ * 'msg' is the response.  This is also used for chained TSIGs in TCP
+ * responses.
+ *
+ * Requires:
+ *
+ *\li	'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
+ *	or NULL
+ *
+ *\li	'msg' is a valid message
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+			 isc_buffer_t **querytsig);
+/*%<
+ * Gets the tsig from the TSIG from the signed query 'msg'.  This is also used
+ * for chained TSIGs in TCP responses.  Unlike dns_message_gettsig, this makes
+ * a copy of the data, so can be used if the message is destroyed.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid signed message
+ *\li	'mctx' is a valid memory context
+ *\li	querytsig != NULL && *querytsig == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ * Ensures:
+ *\li 	'tsig' points to NULL or an allocated buffer which must be freed
+ * 	by the caller.
+ */
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, dns_name_t **owner);
+/*%<
+ * Get the SIG(0) record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message.
+ *\li	'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ *\li	The SIG(0) rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * \li	If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
+/*%<
+ * Set the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message with rendering intent,
+ *	dns_message_renderbegin() has been called, and no sections have been
+ *	rendered.
+ *\li	'key' is a valid sig key or NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *
+ *\li	#ISC_R_NOSPACE		-- there is no space for the SIG(0) record.
+ */
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg);
+/*%<
+ * Gets the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ *\li	'msg' is a valid message
+ */
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
+/*%<
+ * Give the *buffer to the message code to clean up when it is no
+ * longer needed.  This is usually when the message is reset or
+ * destroyed.
+ *
+ * Requires:
+ *
+ *\li	msg be a valid message.
+ *
+ *\li	buffer != NULL && *buffer is a valid isc_buffer_t, which was
+ *	dynamically allocated via isc_buffer_allocate().
+ */
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer);
+/*%<
+ * If this message was signed, return the identity of the signer.
+ * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
+ * key that signed the message.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	signer is a valid name
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was signed, and *signer
+ *				  contains the signing identity
+ *
+ *\li	#ISC_R_NOTFOUND		- no TSIG or SIG(0) record is present in the
+ *				  message
+ *
+ *\li	#DNS_R_TSIGVERIFYFAILURE	- the message was signed by a TSIG, but the
+ *				  signature failed to verify
+ *
+ *\li	#DNS_R_TSIGERRORSET	- the message was signed by a TSIG and
+ *				  verified, but the query was rejected by
+ *				  the server
+ *
+ *\li	#DNS_R_NOIDENTITY	- the message was signed by a TSIG and
+ *				  verified, but the key has no identity since
+ *				  it was generated by an unsigned TKEY process
+ *
+ *\li	#DNS_R_SIGINVALID	- the message was signed by a SIG(0), but
+ *				  the signature failed to verify
+ *
+ *\li	#DNS_R_NOTVERIFIEDYET	- the message was signed by a TSIG or SIG(0),
+ *				  but the signature has not been verified yet
+ */
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view);
+/*%<
+ * If this message was signed, verify the signature.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
+/*%<
+ * Reset the signature state and then if the message was signed,
+ * verify the message.
+ *
+ * Requires:
+ *
+ *\li	msg is a valid parsed message.
+ *\li	view is a valid view or NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		- the message was unsigned, or the message
+ *				  was signed correctly.
+ *
+ *\li	#DNS_R_EXPECTEDTSIG	- A TSIG was expected, but not seen
+ *\li	#DNS_R_UNEXPECTEDTSIG	- A TSIG was seen but not expected
+ *\li	#DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+void
+dns_message_resetsig(dns_message_t *msg);
+/*%<
+ * Reset the signature state.
+ *
+ * Requires:
+ *\li	'msg' is a valid parsed message.
+ */
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg);
+/*%<
+ * Retrieve the raw message in compressed wire format.  The message must
+ * have been successfully parsed for it to have been saved.
+ *
+ * Requires:
+ *\li	msg is a valid parsed message.
+ *
+ * Returns:
+ *\li	NULL	if there is no saved message.
+ *	a pointer to a region which refers the dns message.
+ */
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+			 const void *order_arg);
+/*%<
+ * Define the order in which RR sets get rendered by
+ * dns_message_rendersection() to be the ascending order
+ * defined by the integer value returned by 'order' when
+ * given each RR and 'arg' as arguments.  If 'order' and
+ * 'order_arg' are NULL, a default order is used.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ *\li	order_arg is NULL if and only if order is NULL.
+ */
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
+/*%<
+ * Adjust the time used to sign/verify a message by timeadjust.
+ * Currently only TSIG.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ */
+
+int
+dns_message_gettimeadjust(dns_message_t *msg);
+/*%<
+ * Return the current time adjustment.
+ *
+ * Requires:
+ *\li	msg be a valid message.
+ */
+
+void
+dns_message_logpacket(dns_message_t *message, const char *description,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_mem_t *mctx);
+void
+dns_message_logpacket2(dns_message_t *message,
+		       const char *description, isc_sockaddr_t *address,
+		       isc_logcategory_t *category, isc_logmodule_t *module,
+		       int level, isc_mem_t *mctx);
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx);
+void
+dns_message_logfmtpacket2(dns_message_t *message,
+			  const char *description, isc_sockaddr_t *address,
+			  isc_logcategory_t *category, isc_logmodule_t *module,
+			  const dns_master_style_t *style, int level,
+			  isc_mem_t *mctx);
+/*%<
+ * Log 'message' at the specified logging parameters.
+ *
+ * For dns_message_logpacket and dns_message_logfmtpacket expect the
+ * 'description' to end in a newline.
+ *
+ * For dns_message_logpacket2 and dns_message_logfmtpacket2
+ * 'description' will be emitted at the start of the message followed
+ * by the formatted address and a newline.
+ *
+ * Requires:
+ * \li   message be a valid.
+ * \li   description to be non NULL.
+ * \li   address to be non NULL.
+ * \li   category to be valid.
+ * \li   module to be valid.
+ * \li   style to be valid.
+ * \li   mctx to be a valid.
+ */
+
+isc_result_t
+dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
+		     unsigned int version, uint16_t udpsize,
+		     unsigned int flags, dns_ednsopt_t *ednsopts, size_t count);
+/*%<
+ * Built a opt record.
+ *
+ * Requires:
+ * \li   msg be a valid message.
+ * \li   opt to be a non NULL and *opt to be NULL.
+ *
+ * Returns:
+ * \li	 ISC_R_SUCCESS on success.
+ * \li	 ISC_R_NOMEMORY
+ * \li	 ISC_R_NOSPACE
+ * \li	 other.
+ */
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li   msg be a valid message with parsing intent.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MESSAGE_H */
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
new file mode 100644
index 0000000..bbb663b
--- /dev/null
+++ b/lib/dns/include/dns/name.h
@@ -0,0 +1,1423 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_NAME_H
+#define DNS_NAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/name.h
+ * \brief
+ * Provides facilities for manipulating DNS names and labels, including
+ * conversions to and from wire format and text format.
+ *
+ * Given the large number of names possible in a nameserver, and because
+ * names occur in rdata, it was important to come up with a very efficient
+ * way of storing name data, but at the same time allow names to be
+ * manipulated.  The decision was to store names in uncompressed wire format,
+ * and not to make them fully abstracted objects; i.e. certain parts of the
+ * server know names are stored that way.  This saves a lot of memory, and
+ * makes adding names to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of names to be manipulating such a low-level structure.  This is
+ * where the Names and Labels module comes in.  The module allows name or
+ * label handles to be created and attached to uncompressed wire format
+ * regions.  All name operations and conversions are done through these
+ * handles.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *
+ *\li	*** WARNING ***
+ *
+ *\li	dns_name_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft Binary Labels (2)
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/region.h>		/* Required for storage size of dns_label_t. */
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Labels
+ *****
+ ***** A 'label' is basically a region.  It contains one DNS wire format
+ ***** label of type 00 (ordinary).
+ *****/
+
+/*****
+ ***** Names
+ *****
+ ***** A 'name' is a handle to a binary region.  It contains a sequence of one
+ ***** or more DNS wire format labels of type 00 (ordinary).
+ ***** Note that all names are not required to end with the root label,
+ ***** as they are in the actual DNS wire protocol.
+ *****/
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Clients are strongly discouraged from using this type directly,  with
+ * the exception of the 'link' and 'list' fields which may be used directly
+ * for whatever purpose the client desires.
+ */
+struct dns_name {
+	unsigned int			magic;
+	unsigned char *			ndata;
+	unsigned int			length;
+	unsigned int			labels;
+	unsigned int			attributes;
+	unsigned char *			offsets;
+	isc_buffer_t *			buffer;
+	ISC_LINK(dns_name_t)		link;
+	ISC_LIST(dns_rdataset_t)	list;
+};
+
+#define DNS_NAME_MAGIC			ISC_MAGIC('D','N','S','n')
+
+#define DNS_NAMEATTR_ABSOLUTE		0x00000001
+#define DNS_NAMEATTR_READONLY		0x00000002
+#define DNS_NAMEATTR_DYNAMIC		0x00000004
+#define DNS_NAMEATTR_DYNOFFSETS		0x00000008
+#define DNS_NAMEATTR_NOCOMPRESS		0x00000010
+/*
+ * Attributes below 0x0100 reserved for name.c usage.
+ */
+#define DNS_NAMEATTR_CACHE		0x00000100	/*%< Used by resolver. */
+#define DNS_NAMEATTR_ANSWER		0x00000200	/*%< Used by resolver. */
+#define DNS_NAMEATTR_NCACHE		0x00000400	/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHAINING		0x00000800	/*%< Used by resolver. */
+#define DNS_NAMEATTR_CHASE		0x00001000	/*%< Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD		0x00002000	/*%< Used by server. */
+#define DNS_NAMEATTR_PREREQUISITE	0x00004000	/*%< Used by client. */
+#define DNS_NAMEATTR_UPDATE		0x00008000	/*%< Used by client. */
+#define DNS_NAMEATTR_HASUPDATEREC	0x00010000	/*%< Used by client. */
+
+/*
+ * Various flags.
+ */
+#define DNS_NAME_DOWNCASE		0x0001
+#define DNS_NAME_CHECKNAMES		0x0002		/*%< Used by rdata. */
+#define DNS_NAME_CHECKNAMESFAIL		0x0004		/*%< Used by rdata. */
+#define DNS_NAME_CHECKREVERSE		0x0008		/*%< Used by rdata. */
+#define DNS_NAME_CHECKMX		0x0010		/*%< Used by rdata. */
+#define DNS_NAME_CHECKMXFAIL		0x0020		/*%< Used by rdata. */
+
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
+
+/*%<
+ * DNS_NAME_INITNONABSOLUTE and DNS_NAME_INITABSOLUTE are macros for
+ * initializing dns_name_t structures.
+ *
+ * Note[1]: 'length' is set to (sizeof(A) - 1) in DNS_NAME_INITNONABSOLUTE
+ * and sizeof(A) in DNS_NAME_INITABSOLUTE to allow C strings to be used
+ * to initialize 'ndata'.
+ *
+ * Note[2]: The final value of offsets for DNS_NAME_INITABSOLUTE should
+ * match (sizeof(A) - 1) which is the offset of the root label.
+ *
+ * Typical usage:
+ *	unsigned char data[] = "\005value";
+ *	unsigned char offsets[] = { 0 };
+ *	dns_name_t value = DNS_NAME_INITNONABSOLUTE(data, offsets);
+ *
+ *	unsigned char data[] = "\005value";
+ *	unsigned char offsets[] = { 0, 6 };
+ *	dns_name_t value = DNS_NAME_INITABSOLUTE(data, offsets);
+ */
+#define DNS_NAME_INITNONABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, (sizeof(A) - 1), sizeof(B), \
+	DNS_NAMEATTR_READONLY, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+
+/*%
+ * Standard size of a wire format name
+ */
+#define DNS_NAME_MAXWIRE 255
+
+/*
+ * Text output filter procedure.
+ * 'target' is the buffer to be converted.  The region to be converted
+ * is from 'buffer'->base + 'used_org' to the end of the used region.
+ */
+typedef isc_result_t (*dns_name_totextfilter_t)(isc_buffer_t *target,
+						unsigned int used_org,
+						bool absolute);
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets);
+/*%<
+ * Initialize 'name'.
+ *
+ * Notes:
+ * \li	'offsets' is never required to be non-NULL, but specifying a
+ *	dns_offsets_t for 'offsets' will improve the performance of most
+ *	name operations if the name is used more than once.
+ *
+ * Requires:
+ * \li	'name' is not NULL and points to a struct dns_name.
+ *
+ * \li	offsets == NULL or offsets is a dns_offsets_t.
+ *
+ * Ensures:
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == false
+ */
+
+void
+dns_name_reset(dns_name_t *name);
+/*%<
+ * Reinitialize 'name'.
+ *
+ * Notes:
+ * \li	This function distinguishes itself from dns_name_init() in two
+ *	key ways:
+ *
+ * \li	+ If any buffer is associated with 'name' (via dns_name_setbuffer()
+ *	  or by being part of a dns_fixedname_t) the link to the buffer
+ *	  is retained but the buffer itself is cleared.
+ *
+ * \li	+ Of the attributes associated with 'name', all are retained except
+ *	  DNS_NAMEATTR_ABSOLUTE.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Ensures:
+ * \li	'name' is a valid name.
+ * \li	dns_name_countlabels(name) == 0
+ * \li	dns_name_isabsolute(name) == false
+ */
+
+void
+dns_name_invalidate(dns_name_t *name);
+/*%<
+ * Make 'name' invalid.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Ensures:
+ * \li	If assertion checking is enabled, future attempts to use 'name'
+ *	without initializing it will cause an assertion failure.
+ *
+ * \li	If the name had a dedicated buffer, that association is ended.
+ */
+
+bool
+dns_name_isvalid(const dns_name_t *name);
+/*%<
+ * Check whether 'name' points to a valid dns_name
+ */
+
+/***
+ *** Dedicated Buffers
+ ***/
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
+/*%<
+ * Dedicate a buffer for use with 'name'.
+ *
+ * Notes:
+ * \li	Specification of a target buffer in dns_name_fromwire(),
+ *	dns_name_fromtext(), and dns_name_concatenate() is optional if
+ *	'name' has a dedicated buffer.
+ *
+ * \li	The caller must not write to buffer until the name has been
+ *	invalidated or is otherwise known not to be in use.
+ *
+ * \li	If buffer is NULL and the name previously had a dedicated buffer,
+ *	than that buffer is no longer dedicated to use with this name.
+ *	The caller is responsible for ensuring that the storage used by
+ *	the name remains valid.
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * \li	'buffer' is a valid binary buffer and 'name' doesn't have a
+ *	dedicated buffer already, or 'buffer' is NULL.
+ */
+
+bool
+dns_name_hasbuffer(const dns_name_t *name);
+/*%<
+ * Does 'name' have a dedicated buffer?
+ *
+ * Requires:
+ * \li	'name' is a valid name.
+ *
+ * Returns:
+ * \li	true	'name' has a dedicated buffer.
+ * \li	false	'name' does not have a dedicated buffer.
+ */
+
+/***
+ *** Properties
+ ***/
+
+bool
+dns_name_isabsolute(const dns_name_t *name);
+/*%<
+ * Does 'name' end in the root label?
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Returns:
+ * \li	TRUE		The last label in 'name' is the root label.
+ * \li	FALSE		The last label in 'name' is not the root label.
+ */
+
+bool
+dns_name_iswildcard(const dns_name_t *name);
+/*%<
+ * Is 'name' a wildcard name?
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * Returns:
+ * \li	TRUE		The least significant label of 'name' is '*'.
+ * \li	FALSE		The least significant label of 'name' is not '*'.
+ */
+
+unsigned int
+dns_name_hash(dns_name_t *name, bool case_sensitive);
+/*%<
+ * Provide a hash value for 'name'.
+ *
+ * Note: if 'case_sensitive' is false, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Returns:
+ * \li	A hash value
+ */
+
+unsigned int
+dns_name_fullhash(dns_name_t *name, bool case_sensitive);
+/*%<
+ * Provide a hash value for 'name'.  Unlike dns_name_hash(), this function
+ * always takes into account of the entire name to calculate the hash value.
+ *
+ * Note: if 'case_sensitive' is false, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ *\li	'name' is a valid name
+ *
+ * Returns:
+ *\li	A hash value
+ */
+
+unsigned int
+dns_name_hashbylabel(dns_name_t *name, bool case_sensitive);
+/*%<
+ * Provide a hash value for 'name', where the hash value is the sum
+ * of the hash values of each label.  This function should only be used
+ * when incremental hashing is necessary, for example, during RBT
+ * traversal. It is not currently used in BIND. Generally,
+ * dns_name_fullhash() is the correct function to use for name
+ * hashing.
+ *
+ * Note: if 'case_sensitive' is false, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ *\li	'name' is a valid name
+ *
+ * Returns:
+ *\li	A hash value
+ */
+
+/*
+ *** Comparisons
+ ***/
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+		     int *orderp, unsigned int *nlabelsp);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2', and also determine the hierarchical
+ * relationship of the names.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ *\li	'name1' is a valid name
+ *
+ *\li	dns_name_countlabels(name1) > 0
+ *
+ *\li	'name2' is a valid name
+ *
+ *\li	dns_name_countlabels(name2) > 0
+ *
+ *\li	orderp and nlabelsp are valid pointers.
+ *
+ *\li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Ensures:
+ *
+ *\li	*orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
+ *	name1 > name2.
+ *
+ *\li	*nlabelsp is the number of common significant labels.
+ *
+ * Returns:
+ *\li	dns_namereln_none		There's no hierarchical relationship
+ *					between name1 and name2.
+ *\li	dns_namereln_contains		name1 properly contains name2; i.e.
+ *					name2 is a proper subdomain of name1.
+ *\li	dns_namereln_subdomain		name1 is a proper subdomain of name2.
+ *\li	dns_namereln_equal		name1 and name2 are equal.
+ *\li	dns_namereln_commonancestor	name1 and name2 share a common
+ *					ancestor.
+ */
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2'.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute.  If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
+ */
+
+bool
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Are 'name1' and 'name2' equal?
+ *
+ * Notes:
+ * \li	Because it only needs to test for equality, dns_name_equal() can be
+ *	significantly faster than dns_name_fullcompare() or dns_name_compare().
+ *
+ * \li	Offsets tables are not used in the comparision.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ * 	compared the caller must ensure that they are both relative to the
+ * 	same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	true	'name1' and 'name2' are equal
+ * \li	false	'name1' and 'name2' are not equal
+ */
+
+bool
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Case sensitive version of dns_name_equal().
+ */
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Compare two names as if they are part of rdata in DNSSEC canonical
+ * form.
+ *
+ * Requires:
+ * \li	'name1' is a valid absolute name
+ *
+ * \li	dns_name_countlabels(name1) > 0
+ *
+ * \li	'name2' is a valid absolute name
+ *
+ * \li	dns_name_countlabels(name2) > 0
+ *
+ * Returns:
+ * \li	< 0		'name1' is less than 'name2'
+ * \li	0		'name1' is equal to 'name2'
+ * \li	> 0		'name1' is greater than 'name2'
+ */
+
+bool
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
+/*%<
+ * Is 'name1' a subdomain of 'name2'?
+ *
+ * Notes:
+ * \li	name1 is a subdomain of name2 if name1 is contained in name2, or
+ *	name1 equals name2.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ * \li	'name1' is a valid name
+ *
+ * \li	'name2' is a valid name
+ *
+ * \li	Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * \li	TRUE		'name1' is a subdomain of 'name2'
+ * \li	FALSE		'name1' is not a subdomain of 'name2'
+ */
+
+bool
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
+/*%<
+ * Does 'name' match the wildcard specified in 'wname'?
+ *
+ * Notes:
+ * \li	name matches the wildcard specified in wname if all labels
+ *	following the wildcard in wname are identical to the same number
+ *	of labels at the end of name.
+ *
+ * \li	It makes no sense for one of the names to be relative and the
+ *	other absolute.  If both names are relative, then to be meaningfully
+ *	compared the caller must ensure that they are both relative to the
+ *	same domain.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * \li	'wname' is a valid name
+ *
+ * \li	dns_name_countlabels(wname) > 0
+ *
+ * \li	dns_name_iswildcard(wname) is true
+ *
+ * \li	Either name is absolute and wname is absolute, or neither is.
+ *
+ * Returns:
+ * \li	TRUE		'name' matches the wildcard specified in 'wname'
+ * \li	FALSE		'name' does not match the wildcard specified in 'wname'
+ */
+
+/***
+ *** Labels
+ ***/
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name);
+/*%<
+ * How many labels does 'name' have?
+ *
+ * Notes:
+ * \li	In this case, as in other places, a 'label' is an ordinary label.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * Ensures:
+ * \li	The result is <= 128.
+ *
+ * Returns:
+ * \li	The number of labels in 'name'.
+ */
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
+/*%<
+ * Make 'label' refer to the 'n'th least significant label of 'name'.
+ *
+ * Notes:
+ * \li	Numbering starts at 0.
+ *
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ *	root label.
+ *
+ * \li	'label' refers to the same memory as 'name', so 'name' must not
+ *	be changed while 'label' is still in use.
+ *
+ * Requires:
+ * \li	n < dns_name_countlabels(name)
+ */
+
+void
+dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
+			  unsigned int n, dns_name_t *target);
+/*%<
+ * Make 'target' refer to the 'n' labels including and following 'first'
+ * in 'source'.
+ *
+ * Notes:
+ * \li	Numbering starts at 0.
+ *
+ * \li	Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ *	root label.
+ *
+ * \li	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed while 'target' is still in use.
+ *
+ * Requires:
+ * \li	'source' and 'target' are valid names.
+ *
+ * \li	first < dns_name_countlabels(name)
+ *
+ * \li	first + n <= dns_name_countlabels(name)
+ */
+
+
+void
+dns_name_clone(const dns_name_t *source, dns_name_t *target);
+/*%<
+ * Make 'target' refer to the same name as 'source'.
+ *
+ * Notes:
+ *
+ * \li	'target' refers to the same memory as 'source', so 'source'
+ *	must not be changed while 'target' is still in use.
+ *
+ * \li	This call is functionally equivalent to:
+ *
+ * \code
+ *		dns_name_getlabelsequence(source, 0,
+ *					  dns_name_countlabels(source),
+ *					  target);
+ * \endcode
+ *
+ *	but is more efficient.  Also, dns_name_clone() works even if 'source'
+ *	is empty.
+ *
+ * Requires:
+ *
+ * \li	'source' is a valid name.
+ *
+ * \li	'target' is a valid name that is not read-only.
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
+/*%<
+ * Make 'name' refer to region 'r'.
+ *
+ * Note:
+ * \li	If the conversion encounters a root label before the end of the
+ *	region the conversion stops and the length is set to the length
+ *	so far converted.  A maximum of 255 bytes is converted.
+ *
+ * Requires:
+ * \li	The data in 'r' is a sequence of one or more type 00 or type 01000001
+ *	labels.
+ */
+
+void
+dns_name_toregion(dns_name_t *name, isc_region_t *r);
+/*%<
+ * Make 'r' refer to 'name'.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'r' is a valid region.
+ */
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+		  dns_decompress_t *dctx, unsigned int options,
+		  isc_buffer_t *target);
+/*%<
+ * Copy the possibly-compressed name at source (active region) into target,
+ * decompressing it.
+ *
+ * Notes:
+ * \li	Decompression policy is controlled by 'dctx'.
+ *
+ * \li	If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
+ *	downcased when they are copied into 'target'.
+ *
+ * Security:
+ *
+ * \li	*** WARNING ***
+ *
+ * \li	This routine will often be used when 'source' contains raw network
+ *	data.  A programming error in this routine could result in a denial
+ *	of service, or in the hijacking of the server.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'source' is a valid buffer and the first byte of the active
+ *	region should be the first byte of a DNS wire format domain name.
+ *
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ * \li	'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ * \li		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in options.
+ *
+ * \li		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ * \li	Success
+ * \li	Bad Form: Label Length
+ * \li	Bad Form: Unknown Label Type
+ * \li	Bad Form: Name Length
+ * \li	Bad Form: Compression type not allowed
+ * \li	Bad Form: Bad compression pointer
+ * \li	Bad Form: Input too short
+ * \li	Resource Limit: Too many compression pointers
+ * \li	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target);
+/*%<
+ * Convert 'name' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ * \li	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ * \li	'name' is a valid name
+ *
+ * \li	dns_name_countlabels(name) > 0
+ *
+ * \li	dns_name_isabsolute(name) == TRUE
+ *
+ * \li	target is a valid buffer.
+ *
+ * \li	Any offsets specified in a global compression table are valid
+ *	for buffer.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ * \li		The used space in target is updated.
+ *
+ * Returns:
+ * \li	Success
+ * \li	Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+		  const dns_name_t *origin, unsigned int options,
+		  isc_buffer_t *target);
+/*%<
+ * Convert the textual representation of a DNS name at source
+ * into uncompressed wire form stored in target.
+ *
+ * Notes:
+ * \li	Relative domain names will have 'origin' appended to them
+ *	unless 'origin' is NULL, in which case relative domain names
+ *	will remain relative.
+ *
+ * \li	If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
+ *	in 'source' will be downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ * \li	'name' is a valid name.
+ *
+ * \li	'source' is a valid buffer.
+ *
+ * \li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ * Ensures:
+ *
+ *	If result is success:
+ * \li	 	If 'target' is not NULL, 'name' is attached to it.
+ *
+ * \li		Uppercase letters are downcased in the copy iff
+ *		DNS_NAME_DOWNCASE is set in 'options'.
+ *
+ * \li		The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_EMPTYLABEL
+ *\li	#DNS_R_LABELTOOLONG
+ *\li	#DNS_R_BADESCAPE
+ *\li	#DNS_R_BADDOTTEDQUAD
+ *\li	#ISC_R_NOSPACE
+ *\li	#ISC_R_UNEXPECTEDEND
+ */
+
+#define DNS_NAME_OMITFINALDOT	0x01U
+#define DNS_NAME_MASTERFILE	0x02U	/* escape $ and @ */
+
+isc_result_t
+dns_name_toprincipal(const dns_name_t *name, isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext(const dns_name_t *name, bool omit_final_dot,
+		isc_buffer_t *target);
+
+isc_result_t
+dns_name_totext2(const dns_name_t *name, unsigned int options,
+		 isc_buffer_t *target);
+/*%<
+ * Convert 'name' into text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
+ *	names other than the root name will be omitted.
+ *
+ *\li	If DNS_NAME_OMITFINALDOT is set in options, then the final '.'
+ *	in absolute names other than the root name will be omitted.
+ *
+ *\li	If DNS_NAME_MASTERFILE is set in options, '$' and '@' will also
+ *	be escaped.
+ *
+ *\li	If dns_name_countlabels == 0, the name will be "@", representing the
+ *	current origin as described by RFC1035.
+ *
+ *\li	The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+#define DNS_NAME_MAXTEXT 1023
+/*%<
+ * The maximum length of the text representation of a domain
+ * name as generated by dns_name_totext().  This does not
+ * include space for a terminating NULL.
+ *
+ * This definition is conservative - the actual maximum
+ * is 1004, derived as follows:
+ *
+ *   A backslash-decimal escaped character takes 4 bytes.
+ *   A wire-encoded name can be up to 255 bytes and each
+ *   label is one length byte + at most 63 bytes of data.
+ *   Maximizing the label lengths gives us a name of
+ *   three 63-octet labels, one 61-octet label, and the
+ *   root label:
+ *
+ *      1 + 63 + 1 + 63 + 1 + 63 + 1 + 61 + 1 = 255
+ *
+ *   When printed, this is (3 * 63 + 61) * 4
+ *   bytes for the escaped label data + 4 bytes for the
+ *   dot terminating each label = 1004 bytes total.
+ */
+
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, bool omit_final_dot,
+			isc_buffer_t *target);
+/*%<
+ * Convert 'name' into an alternate text format appropriate for filenames,
+ * storing the result in 'target'.  The name data is downcased, guaranteeing
+ * that the filename does not depend on the case of the converted name.
+ *
+ * Notes:
+ *\li	If 'omit_final_dot' is true, then the final '.' in absolute
+ *	names other than the root name will be omitted.
+ *
+ *\li	The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid absolute name
+ *
+ *\li	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *\li	If the result is success:
+ *		the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_name_downcase(dns_name_t *source, dns_name_t *name,
+		  isc_buffer_t *target);
+/*%<
+ * Downcase 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' and 'name' are valid names.
+ *
+ *\li	If source == name, then
+ *		'source' must not be read-only
+ *
+ *\li	Otherwise,
+ *		'target' is a valid buffer or 'target' is NULL and
+ *		'name' has a dedicated buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ * Note: if source == name, then the result will always be ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
+		     dns_name_t *name, isc_buffer_t *target);
+/*%<
+ *	Concatenate 'prefix' and 'suffix'.
+ *
+ * Requires:
+ *
+ *\li	'prefix' is a valid name or NULL.
+ *
+ *\li	'suffix' is a valid name or NULL.
+ *
+ *\li	'name' is a valid name or NULL.
+ *
+ *\li	'target' is a valid buffer or 'target' is NULL and 'name' has
+ *	a dedicated buffer.
+ *
+ *\li	If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
+ *
+ * Ensures:
+ *
+ *\li	On success,
+ *	 	If 'target' is not NULL and 'name' is not NULL, then 'name'
+ *		is attached to it.
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *\li	#DNS_R_NAMETOOLONG
+ */
+
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
+	       dns_name_t *prefix, dns_name_t *suffix);
+/*%<
+ *
+ * Split 'name' into two pieces on a label boundary.
+ *
+ * Notes:
+ * \li     'name' is split such that 'suffix' holds the most significant
+ *      'suffixlabels' labels.  All other labels are stored in 'prefix'.
+ *
+ *\li	Copying name data is avoided as much as possible, so 'prefix'
+ *	and 'suffix' will end up pointing at the data for 'name'.
+ *
+ *\li	It is legitimate to pass a 'prefix' or 'suffix' that has
+ *	its name data stored someplace other than the dedicated buffer.
+ *	This is useful to avoid name copying in the calling function.
+ *
+ *\li	It is also legitimate to pass a 'prefix' or 'suffix' that is
+ *	the same dns_name_t as 'name'.
+ *
+ * Requires:
+ *\li	'name' is a valid name.
+ *
+ *\li	'suffixlabels' cannot exceed the number of labels in 'name'.
+ *
+ * \li	'prefix' is a valid name or NULL, and cannot be read-only.
+ *
+ *\li	'suffix' is a valid name or NULL, and cannot be read-only.
+ *
+ * Ensures:
+ *
+ *\li	On success:
+ *		If 'prefix' is not NULL it will contain the least significant
+ *		labels.
+ *		If 'suffix' is not NULL it will contain the most significant
+ *		labels.  dns_name_countlabels(suffix) will be equal to
+ *		suffixlabels.
+ *
+ *\li	On failure:
+ *		Either 'prefix' or 'suffix' is invalidated (depending
+ *		on which one the problem was encountered with).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	No worries.  (This function should always success).
+ */
+
+isc_result_t
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target);
+/*%<
+ * Make 'target' a dynamically allocated copy of 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid non-empty name.
+ *
+ *\li	'target' is a valid name that is not read-only.
+ *
+ *\li	'mctx' is a valid memory context.
+ */
+
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target);
+/*%<
+ * Make 'target' a read-only dynamically allocated copy of 'source'.
+ * 'target' will also have a dynamically allocated offsets table.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid non-empty name.
+ *
+ *\li	'target' is a valid name that is not read-only.
+ *
+ *\li	'target' has no offsets table.
+ *
+ *\li	'mctx' is a valid memory context.
+ */
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx);
+/*%<
+ * Free 'name'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name created previously in 'mctx' by dns_name_dup().
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *
+ *\li	All dynamic resources used by 'name' are freed and the name is
+ *	invalidated.
+ */
+
+isc_result_t
+dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
+/*%<
+ * Send 'name' in DNSSEC canonical form to 'digest'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, the DNSSEC canonical form of 'name' will have been
+ *	sent to 'digest'.
+ *
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_name_digest().
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ *
+ */
+
+bool
+dns_name_dynamic(dns_name_t *name);
+/*%<
+ * Returns whether there is dynamic memory associated with this name.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ * Returns:
+ *
+ *\li	'true' if the name is dynamic otherwise 'false'.
+ */
+
+isc_result_t
+dns_name_print(dns_name_t *name, FILE *stream);
+/*%<
+ * Print 'name' on 'stream'.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'stream' is a valid stream.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_totext() can return.
+ */
+
+void
+dns_name_format(const dns_name_t *name, char *cp, unsigned int size);
+/*%<
+ * Format 'name' as text appropriate for use in log messages.
+ *
+ * Store the formatted name at 'cp', writing no more than
+ * 'size' bytes.  The resulting string is guaranteed to be
+ * null terminated.
+ *
+ * The formatted name will have a terminating dot only if it is
+ * the root.
+ *
+ * This function cannot fail, instead any errors are indicated
+ * in the returned text.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'cp' points a valid character array of size 'size'.
+ *
+ *\li	'size' > 0.
+ *
+ */
+
+isc_result_t
+dns_name_tostring(dns_name_t *source, char **target, isc_mem_t *mctx);
+/*%<
+ * Convert 'name' to string format, allocating sufficient memory to
+ * hold it (free with isc_mem_free()).
+ *
+ * Differs from dns_name_format in that it allocates its own memory.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid name.
+ *\li	'target' is not NULL.
+ *\li	'*target' is NULL.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ *
+ *\li	Any error that dns_name_totext() can return.
+ */
+
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx);
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+		     const dns_name_t *origin, unsigned int options,
+		     isc_mem_t *mctx);
+/*%<
+ * Convert a string to a name and place it in target, allocating memory
+ * as necessary.  'options' has the same semantics as that of
+ * dns_name_fromtext().
+ *
+ * If 'target' has a buffer then the name will be copied into it rather than
+ * memory being allocated.
+ *
+ * Requires:
+ *
+ * \li	'target' is a valid name that is not read-only.
+ * \li	'src' is not NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_name_fromtext() can return.
+ *
+ *\li	Any error that dns_name_dup() can return.
+ */
+
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t proc);
+/*%<
+ * Set / clear a thread specific function 'proc' to be called at the
+ * end of dns_name_totext().
+ *
+ * Note: Under Windows you need to call "dns_name_settotextfilter(NULL);"
+ * prior to exiting the thread otherwise memory will be leaked.
+ * For other platforms, which are pthreads based, this is still a good
+ * idea but not required.
+ *
+ * Returns
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+#define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
+/*%<
+ * Suggested size of buffer passed to dns_name_format().
+ * Includes space for the terminating NULL.
+ */
+
+isc_result_t
+dns_name_copy(const dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
+/*%<
+ * Makes 'dest' refer to a copy of the name in 'source'.  The data are
+ * either copied to 'target' or the dedicated buffer in 'dest'.
+ *
+ * Requires:
+ * \li	'source' is a valid name.
+ *
+ * \li	'dest' is an initialized name with a dedicated buffer.
+ *
+ * \li	'target' is NULL or an initialized buffer.
+ *
+ * \li	Either dest has a dedicated buffer or target != NULL.
+ *
+ * Ensures:
+ *
+ *\li	On success, the used space in target is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ */
+
+bool
+dns_name_ishostname(const dns_name_t *name, bool wildcard);
+/*%<
+ * Return if 'name' is a valid hostname.  RFC 952 / RFC 1123.
+ * If 'wildcard' is true then allow the first label of name to
+ * be a wildcard.
+ * The root is also accepted.
+ *
+ * Requires:
+ *	'name' to be valid.
+ */
+
+
+bool
+dns_name_ismailbox(const dns_name_t *name);
+/*%<
+ * Return if 'name' is a valid mailbox.  RFC 821.
+ *
+ * Requires:
+ * \li	'name' to be valid.
+ */
+
+bool
+dns_name_internalwildcard(const dns_name_t *name);
+/*%<
+ * Return if 'name' contains a internal wildcard name.
+ *
+ * Requires:
+ * \li	'name' to be valid.
+ */
+
+void
+dns_name_destroy(void);
+/*%<
+ * Cleanup dns_name_settotextfilter() / dns_name_totext() state.
+ *
+ * This should be called as part of the final cleanup process.
+ *
+ * Note: dns_name_settotextfilter(NULL); should be called for all
+ * threads which have called dns_name_settotextfilter() with a
+ * non-NULL argument prior to calling dns_name_destroy();
+ */
+
+bool
+dns_name_isdnssd(const dns_name_t *owner);
+/*%<
+ * Determine if the 'owner' is a DNS-SD prefix.
+ */
+
+bool
+dns_name_isrfc1918(const dns_name_t *owner);
+/*%<
+ * Determine if the 'name' is in the RFC 1918 reverse namespace.
+ */
+
+bool
+dns_name_isula(const dns_name_t *owner);
+/*%<
+ * Determine if the 'name' is in the ULA reverse namespace.
+ */
+
+bool
+dns_name_istat(const dns_name_t *name);
+/*
+ * Determine if 'name' is a potential 'trust-anchor-telemetry' name.
+ */
+
+ISC_LANG_ENDDECLS
+
+/*
+ *** High Performance Macros
+ ***/
+
+/*
+ * WARNING:  Use of these macros by applications may require recompilation
+ *           of the application in some situations where calling the function
+ *           would not.
+ *
+ * WARNING:  No assertion checking is done for these macros.
+ */
+
+#define DNS_NAME_INIT(n, o) \
+do { \
+	dns_name_t *_n = (n); \
+	/* memset(_n, 0, sizeof(*_n)); */ \
+	_n->magic = DNS_NAME_MAGIC; \
+	_n->ndata = NULL; \
+	_n->length = 0; \
+	_n->labels = 0; \
+	_n->attributes = 0; \
+	_n->offsets = (o); \
+	_n->buffer = NULL; \
+	ISC_LINK_INIT(_n, link); \
+	ISC_LIST_INIT(_n->list); \
+} while (0)
+
+#define DNS_NAME_RESET(n) \
+do { \
+	(n)->ndata = NULL; \
+	(n)->length = 0; \
+	(n)->labels = 0; \
+	(n)->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+	if ((n)->buffer != NULL) \
+		isc_buffer_clear((n)->buffer); \
+} while (0)
+
+#define DNS_NAME_SETBUFFER(n, b) \
+	(n)->buffer = (b)
+
+#define DNS_NAME_ISABSOLUTE(n) \
+	(((n)->attributes & DNS_NAMEATTR_ABSOLUTE) != 0 ? true : false)
+
+#define DNS_NAME_COUNTLABELS(n) \
+	((n)->labels)
+
+#define DNS_NAME_TOREGION(n, r) \
+do { \
+	(r)->base = (n)->ndata; \
+	(r)->length = (n)->length; \
+} while (0)
+
+#define DNS_NAME_SPLIT(n, l, p, s) \
+do { \
+	dns_name_t *_n = (n); \
+	dns_name_t *_p = (p); \
+	dns_name_t *_s = (s); \
+	unsigned int _l = (l); \
+	if (_p != NULL) \
+		dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
+	if (_s != NULL) \
+		dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \
+} while (0)
+
+#ifdef DNS_NAME_USEINLINE
+
+#define dns_name_init(n, o)		DNS_NAME_INIT(n, o)
+#define dns_name_reset(n)		DNS_NAME_RESET(n)
+#define dns_name_setbuffer(n, b)	DNS_NAME_SETBUFFER(n, b)
+#define dns_name_countlabels(n)		DNS_NAME_COUNTLABELS(n)
+#define dns_name_isabsolute(n)		DNS_NAME_ISABSOLUTE(n)
+#define dns_name_toregion(n, r)		DNS_NAME_TOREGION(n, r)
+#define dns_name_split(n, l, p, s)	DNS_NAME_SPLIT(n, l, p, s)
+
+#endif /* DNS_NAME_USEINLINE */
+
+#endif /* DNS_NAME_H */
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
new file mode 100644
index 0000000..2942c26
--- /dev/null
+++ b/lib/dns/include/dns/ncache.h
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_NCACHE_H
+#define DNS_NCACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/ncache.h
+ *\brief
+ * DNS Ncache
+ *
+ * XXX TBS XXX
+ *
+ * MP:
+ *\li	The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFC2308
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * _OMITDNSSEC:
+ *      Omit DNSSEC records when rendering.
+ */
+#define DNS_NCACHETOWIRE_OMITDNSSEC   0x0001
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	       dns_rdataset_t *addedrdataset);
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     bool optout, dns_rdataset_t *addedrdataset);
+/*%<
+ * Convert the authority data from 'message' into a negative cache
+ * rdataset, and store it in 'cache' at 'node' with a TTL limited to
+ * 'maxttl'.
+ *
+ * \li dns_ncache_add produces a negative cache entry with a trust of no
+ *     more than answer
+ * \li dns_ncache_addoptout produces a negative cache entry which will have
+ *     a trust of secure if all the records that make up the entry are secure.
+ *
+ * The 'covers' argument is the RR type whose nonexistence we are caching,
+ * or dns_rdatatype_any when caching a NXDOMAIN response.
+ *
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
+ *
+ * Note:
+ *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
+ *	rdataset.  See dns_db_addrdataset() for more details.
+ *
+ * Requires:
+ *\li	'message' is a valid message with a properly formatting negative cache
+ *	authority section.
+ *
+ *\li	The requirements of dns_db_addrdataset() apply to 'cache', 'node',
+ *	'now', and 'addedrdataset'.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE
+ *
+ *\li	Any result code of dns_db_addrdataset() is a possible result code
+ *	of dns_ncache_add().
+ */
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp);
+/*%<
+ * Convert the negative caching rdataset 'rdataset' to wire format,
+ * compressing names as specified in 'cctx', and storing the result in
+ * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
+ *
+ * Notes:
+ *\li	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid negative caching rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ *
+ *\li	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *\li	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset);
+/*%<
+ * Search the negative caching rdataset for an rdataset with the
+ * specified name and type.
+ *
+ * Requires:
+ *\li	'ncacherdataset' is a valid negative caching rdataset.
+ *
+ *\li	'ncacherdataset' is not empty.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'type' is not SIG, or a meta-RR type.
+ *
+ *\li	'rdataset' is a valid disassociated rdataset.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
+ *	rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- the rdataset was found.
+ *\li	#ISC_R_NOTFOUND		- the rdataset was not found.
+ *
+ */
+
+isc_result_t
+dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+			  dns_rdatatype_t covers, dns_rdataset_t *rdataset);
+/*%<
+ * Similar to dns_ncache_getrdataset() but get the rrsig that matches.
+ */
+
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset);
+
+/*%<
+ * Extract the current rdataset and name from a ncache entry.
+ *
+ * Requires:
+ * \li	'ncacherdataset' to be valid and to be a negative cache entry
+ * \li	'found' to be valid.
+ * \li	'rdataset' to be unassociated.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
new file mode 100644
index 0000000..18cec17
--- /dev/null
+++ b/lib/dns/include/dns/nsec.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_NSEC_H
+#define DNS_NSEC_H 1
+
+/*! \file dns/nsec.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *target,
+		    unsigned char *buffer, dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC record.
+ *
+ * Requires:
+ *\li	buffer	Points to a temporary buffer of at least
+ * 		DNS_NSEC_BUFFERSIZE bytes.
+ *\li	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata	Contains a valid NSEC rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       dns_name_t *target, dns_ttl_t ttl);
+/*%<
+ * Build a NSEC record and add it to a database.
+ */
+
+bool
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC record.
+ *
+ * Requires:
+ *\li	'nsec' points to a valid rdataset of type NSEC
+ */
+
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
+		  bool *answer);
+/*
+ * Report whether the DNSKEY RRset has a NSEC only algorithm.  Unknown
+ * algorithms are assumed to support NSEC3.  If DNSKEY is not found,
+ * *answer is set to false, and ISC_R_NOTFOUND is returned.
+ *
+ * Requires:
+ * 	'answer' to be non NULL.
+ */
+
+unsigned int
+dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
+			unsigned int max_type);
+/*%<
+ * Convert a raw bitmap into a compressed windowed bit map.  'map' and 'raw'
+ * may overlap.
+ *
+ * Returns the length of the compressed windowed bit map.
+ */
+
+void
+dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit);
+/*%<
+ * Set type bit in raw 'array' to 'bit'.
+ */
+
+bool
+dns_nsec_isset(const unsigned char *array, unsigned int type);
+/*%<
+ * Test if the corresponding 'type' bit is set in 'array'.
+ */
+
+isc_result_t
+dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
+		       dns_name_t *nsecname, dns_rdataset_t *nsecset,
+		       bool *exists, bool *data,
+		       dns_name_t *wild, dns_nseclog_t log, void *arg);
+/*%
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ *
+ * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC_H */
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
new file mode 100644
index 0000000..07d2bf0
--- /dev/null
+++ b/lib/dns/include/dns/nsec3.h
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_NSEC3_H
+#define DNS_NSEC3_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/iterated_hash.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+#define DNS_NSEC3_SALTSIZE 255
+
+/*
+ * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
+ * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
+ */
+#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
+/*
+ * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
+ */
+#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
+
+/*
+ * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
+ */
+#define DNS_NSEC3_UNKNOWNALG ((dns_hash_t)245U)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		     dns_dbnode_t *node, unsigned int hashalg,
+		     unsigned int optin, unsigned int iterations,
+		     const unsigned char *salt, size_t salt_length,
+		     const unsigned char *nexthash, size_t hash_length,
+		     unsigned char *buffer, dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC3 record for the data at 'node'.
+ * Note: 'node' is not the node where the NSEC3 record will be stored.
+ *
+ * Requires:
+ *	buffer	Points to a temporary buffer of at least
+ * 		DNS_NSEC_BUFFERSIZE bytes.
+ *	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+bool
+dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC3 record.
+ *
+ * Requires:
+ *	'nsec' points to a valid rdataset of type NSEC3
+ */
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
+		   dns_hash_t hashalg, unsigned int iterations,
+		   const unsigned char *salt, size_t saltlength);
+/*%<
+ * Make a hashed domain name from an unhashed one. If rethash is not NULL
+ * the raw hash is stored there.
+ */
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash);
+/*%<
+ * Return the length of the hash produced by the specified algorithm
+ * or zero when unknown.
+ */
+
+bool
+dns_nsec3_supportedhash(dns_hash_t hash);
+/*%<
+ * Return whether we support this hash algorithm or not.
+ */
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
+		   dns_ttl_t nsecttl, bool unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    dns_name_t *name, dns_ttl_t nsecttl,
+		    bool unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     bool unsecure, dns_rdatatype_t private,
+		     dns_diff_t *diff);
+/*%<
+ * Add NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the addition.
+ * The existing NSEC3 records are removed.
+ *
+ * dns_nsec3_addnsec3() will only add records to the chain identified by
+ * 'nsec3param'.
+ *
+ * 'unsecure' should be set to reflect if this is a potentially
+ * unsecure delegation (no DS record).
+ *
+ * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
+ * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
+ * will be preferentially chosen over NSEC3PARAM records without
+ * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
+ * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
+ * is set then the new NSEC3 will have OPTOUT set to match the that in the
+ * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
+ * record in the chain.
+ *
+ * dns_nsec3_addnsec3sx() is similar to dns_nsec3_addnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		    dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t private, dns_diff_t *diff);
+/*%<
+ * Remove NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the removal.
+ *
+ * dns_nsec3_delnsec3() performs the above for the chain identified by
+ * 'nsec3param'.
+ *
+ * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
+ * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
+ * records have the OPTOUT flag preserved.
+ *
+ * dns_nsec3_delnsec3sx() is similar to dns_nsec3_delnsec3s() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
+		 bool complete, bool *answer);
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  bool complete, dns_rdatatype_t private,
+		  bool *answer);
+/*%<
+ * Check if there are any complete/to be built NSEC3 chains.
+ * If 'complete' is true only complete chains will be recognized.
+ *
+ * dns_nsec3_activex() is similar to dns_nsec3_active() but 'private'
+ * specifies the type of the private rdataset to be checked in addition to
+ * the nsec3param rdataset at the zone apex.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'answer' to be non NULL.
+ */
+
+isc_result_t
+dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+			isc_mem_t *mctx, unsigned int *iterationsp);
+/*%<
+ * Find the maximum permissible number of iterations allowed based on
+ * the key strength.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'mctx' to be valid.
+ *	'iterationsp' to be non NULL.
+ */
+
+bool
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a private rdata to a nsec3param rdata.
+ *
+ * Return true if 'src' could be successfully converted.
+ *
+ * 'buf' should be at least DNS_NSEC3PARAM_BUFFERSIZE in size.
+ */
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype,
+			 unsigned char *buf, size_t buflen);
+/*%<
+ * Convert a nsec3param rdata to a private rdata.
+ *
+ * 'buf' should be at least src->length + 1 in size.
+ */
+
+isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen);
+/*%<
+ * Convert the salt of given NSEC3PARAM RDATA into hex-encoded, NULL-terminated
+ * text stored at "dst".
+ *
+ * Requires:
+ *
+ *\li 	"dst" to have enough space (as indicated by "dstlen") to hold the
+ * 	resulting text and its NULL-terminating byte.
+ */
+
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+			    dns_zone_t *zone, bool nonsec,
+			    dns_diff_t *diff);
+
+/*%<
+ * Mark NSEC3PARAM for deletion.
+ */
+
+isc_result_t
+dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
+			dns_name_t *zonename, bool *exists,
+			bool *data, bool *optout,
+			bool *unknown, bool *setclosest,
+			bool *setnearest, dns_name_t *closest,
+			dns_name_t *nearest, dns_nseclog_t logit, void *arg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC3_H */
diff --git a/lib/dns/include/dns/nta.h b/lib/dns/include/dns/nta.h
new file mode 100644
index 0000000..edbaa77
--- /dev/null
+++ b/lib/dns/include/dns/nta.h
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_NTA_H
+#define DNS_NTA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * The NTA module provides services for storing and retrieving negative
+ * trust anchors, and determine whether a given domain is subject to
+ * DNSSEC validation.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/types.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_ntatable {
+	/* Unlocked. */
+	unsigned int		magic;
+	dns_view_t		*view;
+	isc_rwlock_t		rwlock;
+	isc_taskmgr_t		*taskmgr;
+	isc_timermgr_t		*timermgr;
+	isc_task_t		*task;
+	/* Locked by rwlock. */
+	uint32_t		references;
+	dns_rbt_t		*table;
+};
+
+#define NTATABLE_MAGIC		ISC_MAGIC('N', 'T', 'A', 't')
+#define VALID_NTATABLE(nt) 	ISC_MAGIC_VALID(nt, NTATABLE_MAGIC)
+
+isc_result_t
+dns_ntatable_create(dns_view_t *view,
+		    isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr,
+		    dns_ntatable_t **ntatablep);
+/*%<
+ * Create an NTA table in view 'view'.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *
+ *\li	'tmgr' is a valid timer manager.
+ *
+ *\li	ntatablep != NULL && *ntatablep == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *ntatablep is a valid, empty NTA table.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure.
+ */
+
+void
+dns_ntatable_attach(dns_ntatable_t *source, dns_ntatable_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid ntatable.
+ *
+ *\li	'targetp' points to a NULL dns_ntatable_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+dns_ntatable_detach(dns_ntatable_t **ntatablep);
+/*%<
+ * Detach *ntatablep from its ntatable.
+ *
+ * Requires:
+ *
+ *\li	'ntatablep' points to a valid ntatable.
+ *
+ * Ensures:
+ *
+ *\li	*ntatablep is NULL.
+ *
+ *\li	If '*ntatablep' is the last reference to the ntatable,
+ *		all resources used by the ntatable will be freed
+ */
+
+isc_result_t
+dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name,
+		 bool force, isc_stdtime_t now,
+		 uint32_t lifetime);
+/*%<
+ * Add a negative trust anchor to 'ntatable' for name 'name',
+ * which will expire at time 'now' + 'lifetime'.  If 'force' is false,
+ * then the name will be checked periodically to see if it's bogus;
+ * if not, then the NTA will be allowed to expire early.
+ *
+ * Notes:
+ *
+ *\li   If an NTA already exists in the table, its expiry time
+ *      is updated.
+ *
+ * Requires:
+ *
+ *\li	'ntatable' points to a valid ntatable.
+ *
+ *\li	'name' points to a valid name.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+isc_result_t
+dns_ntatable_delete(dns_ntatable_t *ntatable, dns_name_t *keyname);
+/*%<
+ * Delete node(s) from 'ntatable' matching name 'keyname'
+ *
+ * Requires:
+ *
+ *\li	'ntatable' points to a valid ntatable.
+ *
+ *\li	'name' is not NULL
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+bool
+dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
+		     dns_name_t *name, dns_name_t *anchor);
+/*%<
+ * Return true if 'name' is below a non-expired negative trust
+ * anchor which in turn is at or below 'anchor'.
+ *
+ * If 'ntatable' has not been initialized, return false.
+ *
+ * Requires:
+ *
+ *\li	'ntatable' is NULL or is a valid ntatable.
+ *
+ *\li	'name' is a valid absolute name.
+ */
+
+isc_result_t
+dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf);
+/*%<
+ * Dump the NTA table to buffer at 'buf'
+ *
+ * Requires:
+ * \li   "ntatable" is a valid table.
+ *
+ * \li   "*buf" is a valid buffer.
+ */
+
+isc_result_t
+dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp);
+/*%<
+ * Dump the NTA table to the file opened as 'fp'.
+ */
+
+isc_result_t
+dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp);
+/*%<
+ * Save the NTA table to the file opened as 'fp', for later loading.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NTA_H */
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
new file mode 100644
index 0000000..ff9e82e
--- /dev/null
+++ b/lib/dns/include/dns/opcode.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_OPCODE_H
+#define DNS_OPCODE_H 1
+
+/*! \file dns/opcode.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of error 'opcode' into 'target'.
+ *
+ * Requires:
+ *\li	'opcode' is a valid opcode.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_OPCODE_H */
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
new file mode 100644
index 0000000..e7c0516
--- /dev/null
+++ b/lib/dns/include/dns/order.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ORDER_H
+#define DNS_ORDER_H 1
+
+/*! \file dns/order.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
+/*%<
+ * Create a order object.
+ *
+ * Requires:
+ * \li	'orderp' to be non NULL and '*orderp == NULL'.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode);
+/*%<
+ * Add a entry to the end of the order list.
+ *
+ * Requires:
+ * \li	'order' to be valid.
+ *\li	'name' to be valid.
+ *\li	'mode' to be one of #DNS_RDATASETATTR_RANDOMIZE,
+ *		#DNS_RDATASETATTR_FIXEDORDER or zero (#DNS_RDATASETATTR_CYCLIC).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
+/*%<
+ * Find the first matching entry on the list.
+ *
+ * Requires:
+ *\li	'order' to be valid.
+ *\li	'name' to be valid.
+ *
+ * Returns the mode set by dns_order_add() or zero.
+ */
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target);
+/*%<
+ * Attach to the 'source' object.
+ *
+ * Requires:
+ * \li	'source' to be valid.
+ *\li	'target' to be non NULL and '*target == NULL'.
+ */
+
+void
+dns_order_detach(dns_order_t **orderp);
+/*%<
+ * Detach from the object.  Clean up if last this was the last
+ * reference.
+ *
+ * Requires:
+ *\li	'*orderp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ORDER_H */
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
new file mode 100644
index 0000000..58a1354
--- /dev/null
+++ b/lib/dns/include/dns/peer.h
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_PEER_H
+#define DNS_PEER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/peer.h
+ * \brief
+ * Data structures for peers (e.g. a 'server' config file statement)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+
+#include <dns/types.h>
+
+#define DNS_PEERLIST_MAGIC	ISC_MAGIC('s','e','R','L')
+#define DNS_PEER_MAGIC		ISC_MAGIC('S','E','r','v')
+
+#define DNS_PEERLIST_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
+#define DNS_PEER_VALID(ptr)	ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
+
+/***
+ *** Types
+ ***/
+
+struct dns_peerlist {
+	unsigned int		magic;
+	uint32_t		refs;
+
+	isc_mem_t	       *mem;
+
+	ISC_LIST(dns_peer_t) elements;
+};
+
+struct dns_peer {
+	unsigned int		magic;
+	uint32_t		refs;
+
+	isc_mem_t	       *mem;
+
+	isc_netaddr_t		address;
+	unsigned int		prefixlen;
+	bool		bogus;
+	dns_transfer_format_t	transfer_format;
+	uint32_t		transfers;
+	bool		support_ixfr;
+	bool		provide_ixfr;
+	bool		request_ixfr;
+	bool		support_edns;
+	bool		request_nsid;
+	bool		send_cookie;
+	bool		request_expire;
+	bool		force_tcp;
+	dns_name_t	       *key;
+	isc_sockaddr_t	       *transfer_source;
+	isc_dscp_t		transfer_dscp;
+	isc_sockaddr_t	       *notify_source;
+	isc_dscp_t		notify_dscp;
+	isc_sockaddr_t	       *query_source;
+	isc_dscp_t		query_dscp;
+	uint16_t		udpsize;		/* receive size */
+	uint16_t		maxudp;			/* transmit size */
+	uint8_t			ednsversion;		/* edns version */
+
+	uint32_t		bitflags;
+
+	ISC_LINK(dns_peer_t)	next;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
+
+void
+dns_peerlist_detach(dns_peerlist_t **list);
+
+/*
+ * After return caller still holds a reference to peer.
+ */
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
+
+/*
+ * Ditto. */
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *peers, isc_netaddr_t *addr,
+			dns_peer_t **retval);
+
+/*
+ * What he said.
+ */
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
+
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *ipaddr,
+		   unsigned int prefixlen, dns_peer_t **peer);
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
+
+void
+dns_peer_detach(dns_peer_t **list);
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setsendcookie(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getsendcookie(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setrequestexpire(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getrequestexpire(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getforcetcp(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_setforcetcp(dns_peer_t *peer, bool newval);
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, bool *retval);
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, uint32_t newval);
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, uint32_t *retval);
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, uint16_t udpsize);
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, uint16_t *udpsize);
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, uint16_t maxudp);
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, uint16_t *maxudp);
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer, const isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source);
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source);
+
+isc_result_t
+dns_peer_setnotifydscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_getnotifydscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_settransferdscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_gettransferdscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_setquerydscp(dns_peer_t *peer, isc_dscp_t dscp);
+
+isc_result_t
+dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp);
+
+isc_result_t
+dns_peer_setednsversion(dns_peer_t *peer, uint8_t ednsversion);
+
+isc_result_t
+dns_peer_getednsversion(dns_peer_t *peer, uint8_t *ednsversion);
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PEER_H */
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
new file mode 100644
index 0000000..471db97
--- /dev/null
+++ b/lib/dns/include/dns/portlist.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/portlist.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+#ifndef DNS_PORTLIST_H
+#define DNS_PORTLIST_H 1
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
+/*%<
+ * Create a port list.
+ *
+ * Requires:
+ *\li	'mctx' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Add the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Remove the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ */
+
+bool
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
+/*%<
+ * Find the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'af' to be AF_INET or AF_INET6
+ *
+ * Returns
+ * \li	#true if the tuple is found, false otherwise.
+ */
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
+/*%<
+ * Attach to a port list.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
+ */
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp);
+/*%<
+ * Detach from a port list.
+ *
+ * Requires:
+ *\li	'*portlistp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PORTLIST_H */
diff --git a/lib/dns/include/dns/private.h b/lib/dns/include/dns/private.h
new file mode 100644
index 0000000..8604746
--- /dev/null
+++ b/lib/dns/include/dns/private.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+#include <dns/db.h>
+
+#ifndef DNS_PRIVATE_H
+#define DNS_PRIVATE_H
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_rdatatype_t privatetype,
+		   bool *build_nsec, bool *build_nsec3);
+/*%<
+ * Examine the NSEC, NSEC3PARAM and privatetype RRsets at the apex of the
+ * database to determine which of NSEC or NSEC3 chains we are currently
+ * maintaining.  In normal operations only one of NSEC or NSEC3 is being
+ * maintained but when we are transitiong between NSEC and NSEC3 we need
+ * to update both sets of chains.  If 'privatetype' is zero then the
+ * privatetype RRset will not be examined.
+ *
+ * Requires:
+ * \li	'db' is valid.
+ * \li	'version' is valid or NULL.
+ * \li	'build_nsec' is a pointer to a bool or NULL.
+ * \li	'build_nsec3' is a pointer to a bool or NULL.
+ *
+ * Returns:
+ * \li 	ISC_R_SUCCESS, 'build_nsec' and 'build_nsec3' will be valid.
+ * \li	other on error
+ */
+
+isc_result_t
+dns_private_totext(dns_rdata_t *privaterdata, isc_buffer_t *buffer);
+/*%<
+ * Convert a private-type RR 'privaterdata' to human-readable form,
+ * and place the result in 'buffer'.  The text should indicate
+ * which action the private-type record specifies and whether the
+ * action has been completed.
+ *
+ * Requires:
+ * \li	'privaterdata' is a valid rdata containing at least five bytes
+ * \li	'buffer' is a valid buffer
+ *
+ * Returns:
+ * \li 	ISC_R_SUCCESS
+ * \li	other on error
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
new file mode 100644
index 0000000..67ac3e4
--- /dev/null
+++ b/lib/dns/include/dns/rbt.h
@@ -0,0 +1,1144 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RBT_H
+#define DNS_RBT_H 1
+
+/*! \file dns/rbt.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/crc64.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/refcount.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RBT_USEHASH 1
+
+/*@{*/
+/*%
+ * Option values for dns_rbt_findnode() and dns_rbt_findname().
+ * These are used to form a bitmask.
+ */
+#define DNS_RBTFIND_NOOPTIONS                   0x00
+#define DNS_RBTFIND_EMPTYDATA                   0x01
+#define DNS_RBTFIND_NOEXACT                     0x02
+#define DNS_RBTFIND_NOPREDECESSOR               0x04
+/*@}*/
+
+#ifndef DNS_RBT_USEISCREFCOUNT
+#ifdef ISC_REFCOUNT_HAVEATOMIC
+#define DNS_RBT_USEISCREFCOUNT 1
+#endif
+#endif
+
+#define DNS_RBT_USEMAGIC 1
+
+/*
+ * These should add up to 30.
+ */
+#define DNS_RBT_LOCKLENGTH                      10
+#define DNS_RBT_REFLENGTH                       20
+
+#define DNS_RBTNODE_MAGIC               ISC_MAGIC('R','B','N','O')
+#if DNS_RBT_USEMAGIC
+#define DNS_RBTNODE_VALID(n)            ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#else
+#define DNS_RBTNODE_VALID(n)            true
+#endif
+
+/*%
+ * This is the structure that is used for each node in the red/black
+ * tree of trees.  NOTE WELL:  the implementation manages this as a variable
+ * length structure, with the actual wire-format name and other data
+ * appended to this structure.  Allocating a contiguous block of memory for
+ * multiple dns_rbtnode structures will not work.
+ */
+typedef struct dns_rbtnode dns_rbtnode_t;
+enum {
+	DNS_RBT_NSEC_NORMAL=0,      /* in main tree */
+	DNS_RBT_NSEC_HAS_NSEC=1,    /* also has node in nsec tree */
+	DNS_RBT_NSEC_NSEC=2,        /* in nsec tree */
+	DNS_RBT_NSEC_NSEC3=3        /* in nsec3 tree */
+};
+struct dns_rbtnode {
+#if DNS_RBT_USEMAGIC
+	unsigned int magic;
+#endif
+	/*@{*/
+	/*!
+	 * The following bitfields add up to a total bitwidth of 32.
+	 * The range of values necessary for each item is indicated,
+	 * but in the case of "attributes" the field is wider to accommodate
+	 * possible future expansion.
+	 *
+	 * In each case below the "range" indicated is what's _necessary_ for
+	 * the bitfield to hold, not what it actually _can_ hold.
+	 *
+	 * Note: Tree lock must be held before modifying these
+	 * bit-fields.
+	 *
+	 * Note: The two "unsigned int :0;" unnamed bitfields on either
+	 * side of the bitfields below are scaffolding that border the
+	 * set of bitfields which are accessed after acquiring the tree
+	 * lock. Please don't insert any other bitfield members between
+	 * the unnamed bitfields unless they should also be accessed
+	 * after acquiring the tree lock.
+	 */
+	unsigned int :0;                /* start of bitfields c/o tree lock */
+	unsigned int is_root : 1;       /*%< range is 0..1 */
+	unsigned int color : 1;         /*%< range is 0..1 */
+	unsigned int find_callback : 1; /*%< range is 0..1 */
+	unsigned int attributes : 3;    /*%< range is 0..2 */
+	unsigned int nsec : 2;          /*%< range is 0..3 */
+	unsigned int namelen : 8;       /*%< range is 1..255 */
+	unsigned int offsetlen : 8;     /*%< range is 1..128 */
+	unsigned int oldnamelen : 8;    /*%< range is 1..255 */
+	/*@}*/
+
+	/* flags needed for serialization to file*/
+	unsigned int is_mmapped : 1;
+	unsigned int parent_is_relative : 1;
+	unsigned int left_is_relative : 1;
+	unsigned int right_is_relative : 1;
+	unsigned int down_is_relative : 1;
+	unsigned int data_is_relative : 1;
+
+	/* node needs to be cleaned from rpz */
+	unsigned int rpz : 1;
+	unsigned int :0;                /* end of bitfields c/o tree lock */
+
+#ifdef DNS_RBT_USEHASH
+	unsigned int hashval;
+	dns_rbtnode_t *uppernode;
+	dns_rbtnode_t *hashnext;
+#endif
+	dns_rbtnode_t *parent;
+	dns_rbtnode_t *left;
+	dns_rbtnode_t *right;
+	dns_rbtnode_t *down;
+
+	/*%
+	 * Used for LRU cache.  This linked list is used to mark nodes which
+	 * have no data any longer, but we cannot unlink at that exact moment
+	 * because we did not or could not obtain a write lock on the tree.
+	 */
+	ISC_LINK(dns_rbtnode_t) deadlink;
+
+	/*@{*/
+	/*!
+	 * These values are used in the RBT DB implementation.  The appropriate
+	 * node lock must be held before accessing them.
+	 *
+	 * Note: The two "unsigned int :0;" unnamed bitfields on either
+	 * side of the bitfields below are scaffolding that border the
+	 * set of bitfields which are accessed after acquiring the node
+	 * lock. Please don't insert any other bitfield members between
+	 * the unnamed bitfields unless they should also be accessed
+	 * after acquiring the node lock.
+	 *
+	 * NOTE: Do not merge these fields into bitfields above, as
+	 * they'll all be put in the same qword that could be accessed
+	 * without the node lock as it shares the qword with other
+	 * members. Leave these members here so that they occupy a
+	 * separate region of memory.
+	 */
+	void *data;
+	unsigned int :0;                /* start of bitfields c/o node lock */
+	unsigned int dirty:1;
+	unsigned int wild:1;
+	unsigned int locknum:DNS_RBT_LOCKLENGTH;
+#ifndef DNS_RBT_USEISCREFCOUNT
+	unsigned int references:DNS_RBT_REFLENGTH;
+#endif
+	unsigned int :0;                /* end of bitfields c/o node lock */
+#ifdef DNS_RBT_USEISCREFCOUNT
+	isc_refcount_t references; /* note that this is not in the bitfield */
+#endif
+	/*@}*/
+};
+
+typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
+					      dns_name_t *name,
+					      void *callback_arg);
+
+typedef isc_result_t (*dns_rbtdatawriter_t)(FILE *file,
+					    unsigned char *data,
+					    void *arg,
+					    uint64_t *crc);
+
+typedef isc_result_t (*dns_rbtdatafixer_t)(dns_rbtnode_t *rbtnode,
+					   void *base, size_t offset,
+					   void *arg, uint64_t *crc);
+
+typedef void (*dns_rbtdeleter_t)(void *, void *);
+
+/*****
+ *****  Chain Info
+ *****/
+
+/*!
+ * A chain is used to keep track of the sequence of nodes to reach any given
+ * node from the root of the tree.  Originally nodes did not have parent
+ * pointers in them (for memory usage reasons) so there was no way to find
+ * the path back to the root from any given node.  Now that nodes have parent
+ * pointers, chains might be going away in a future release, though the
+ * movement functionality would remain.
+ *
+ * Chains may be used to iterate over a tree of trees.  After setting up the
+ * chain's structure using dns_rbtnodechain_init(), it needs to be initialized
+ * to point to the lexically first or lexically last node in the tree of trees
+ * using dns_rbtnodechain_first() or dns_rbtnodechain_last(), respectively.
+ * Calling dns_rbtnodechain_next() or dns_rbtnodechain_prev() then moves the
+ * chain over to the next or previous node, respectively.
+ *
+ * In any event, parent information, whether via parent pointers or chains, is
+ * necessary information for iterating through the tree or for basic internal
+ * tree maintenance issues (ie, the rotations that are done to rebalance the
+ * tree when a node is added).  The obvious implication of this is that for a
+ * chain to remain valid, the tree has to be locked down against writes for the
+ * duration of the useful life of the chain, because additions or removals can
+ * change the path from the root to the node the chain has targeted.
+ *
+ * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
+ * dns_name_t parameters for the name and the origin, which can be NULL.  If
+ * non-NULL, 'name' will end up pointing to the name data and offsets that are
+ * stored at the node (and thus it will be read-only), so it should be a
+ * regular dns_name_t that has been initialized with dns_name_init.  When
+ * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
+ * needs to have its own buffer space and offsets, which is most easily
+ * accomplished with a dns_fixedname_t.  It is _not_ necessary to reinitialize
+ * either 'name' or 'origin' between calls to the chain functions.
+ *
+ * NOTE WELL: even though the name data at the root of the tree of trees will
+ * be absolute (typically just "."), it will will be made into a relative name
+ * with an origin of "." -- an empty name when the node is ".".  This is
+ * because a common on operation on 'name' and 'origin' is to use
+ * dns_name_concatenate() on them to generate the complete name.  An empty name
+ * can be detected when dns_name_countlabels == 0, and is printed by
+ * dns_name_totext()/dns_name_format() as "@", consistent with RFC1035's
+ * definition of "@" as the current origin.
+ *
+ * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
+ * functions but additionally can provide the node to which the chain points.
+ */
+
+/*%
+ * The number of level blocks to allocate at a time.  Currently the maximum
+ * number of levels is allocated directly in the structure, but future
+ * revisions of this code might have a static initial block with dynamic
+ * growth.  Allocating space for 256 levels when the tree is almost never that
+ * deep is wasteful, but it's not clear that it matters, since the waste is
+ * only 2MB for 1000 concurrently active chains on a system with 64-bit
+ * pointers.
+ */
+#define DNS_RBT_LEVELBLOCK 254
+
+typedef struct dns_rbtnodechain {
+	unsigned int            magic;
+	isc_mem_t *             mctx;
+	/*%
+	 * The terminal node of the chain.  It is not in levels[].
+	 * This is ostensibly private ... but in a pinch it could be
+	 * used tell that the chain points nowhere without needing to
+	 * call dns_rbtnodechain_current().
+	 */
+	dns_rbtnode_t *         end;
+	/*%
+	 * The maximum number of labels in a name is 128; bitstrings mean
+	 * a conceptually very large number (which I have not bothered to
+	 * compute) of logical levels because splitting can potentially occur
+	 * at each bit.  However, DNSSEC restricts the number of "logical"
+	 * labels in a name to 255, meaning only 254 pointers are needed
+	 * in the worst case.
+	 */
+	dns_rbtnode_t *         levels[DNS_RBT_LEVELBLOCK];
+	/*%
+	 * level_count indicates how deep the chain points into the
+	 * tree of trees, and is the index into the levels[] array.
+	 * Thus, levels[level_count - 1] is the last level node stored.
+	 * A chain that points to the top level of the tree of trees has
+	 * a level_count of 0, the first level has a level_count of 1, and
+	 * so on.
+	 */
+	unsigned int            level_count;
+	/*%
+	 * level_matches tells how many levels matched above the node
+	 * returned by dns_rbt_findnode().  A match (partial or exact) found
+	 * in the first level thus results in level_matches being set to 1.
+	 * This is used by the rbtdb to set the start point for a recursive
+	 * search of superdomains until the RR it is looking for is found.
+	 */
+	unsigned int            level_matches;
+} dns_rbtnodechain_t;
+
+/*****
+ ***** Public interfaces.
+ *****/
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter,
+	       void *deleter_arg, dns_rbt_t **rbtp);
+/*%<
+ * Initialize a red-black tree of trees.
+ *
+ * Notes:
+ *\li   The deleter argument, if non-null, points to a function that is
+ *      responsible for cleaning up any memory associated with the data
+ *      pointer of a node when the node is deleted.  It is passed the
+ *      deleted node's data pointer as its first argument and deleter_arg
+ *      as its second argument.
+ *
+ * Requires:
+ * \li  mctx is a pointer to a valid memory context.
+ *\li   rbtp != NULL && *rbtp == NULL
+ *\li   arg == NULL iff deleter == NULL
+ *
+ * Ensures:
+ *\li   If result is ISC_R_SUCCESS:
+ *              *rbtp points to a valid red-black tree manager
+ *
+ *\li   If result is failure:
+ *              *rbtp does not point to a valid red-black tree manager.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
+/*%<
+ * Add 'name' to the tree of trees, associated with 'data'.
+ *
+ * Notes:
+ *\li   'data' is never required to be non-NULL, but specifying it
+ *      when the name is added is faster than searching for 'name'
+ *      again and then setting the data pointer.  The lack of a data pointer
+ *      for a node also has other ramifications regarding whether
+ *      dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ *      joins nodes.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
+ *
+ *\li   If result is #ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              The data pointer of the node for 'name' is set to 'data'.
+ *
+ *\li   If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
+ *              The tree of trees is unaltered.
+ *
+ *\li   If result is #ISC_R_NOMEMORY:
+ *              No guarantees.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists with associated data.
+ *\li   #ISC_R_NOSPACE  The name had more logical labels than are allowed.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
+
+/*%<
+ * Just like dns_rbt_addname, but returns the address of the node.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt structure.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              *nodep is the node that was added for 'name'.
+ *
+ *\li   If result is ISC_R_EXISTS:
+ *              The tree of trees is unaltered.
+ *              *nodep is the existing node for 'name'.
+ *
+ *\li   If result is ISC_R_NOMEMORY:
+ *              No guarantees.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists, possibly without data.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, const dns_name_t *name, unsigned int options,
+		 dns_name_t *foundname, void **data);
+/*%<
+ * Get the data pointer associated with 'name'.
+ *
+ * Notes:
+ *\li   When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
+ *      an exact match in the tree.
+ *
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the #DNS_RBTFIND_EMPTYDATA option is set.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   data != NULL && *data == NULL
+ *
+ * Ensures:
+ *\li   'name' and the tree are not altered in any way.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              *data is the data associated with 'name'.
+ *
+ *\li   If result is DNS_R_PARTIALMATCH:
+ *              *data is the data associated with the deepest superdomain
+ *              of 'name' which has data.
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *              Neither the name nor a superdomain was found with data.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match
+ *\li   #ISC_R_NOSPACE          Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
+		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+		 unsigned int options, dns_rbtfindcallback_t callback,
+		 void *callback_arg);
+/*%<
+ * Find the node for 'name'.
+ *
+ * Notes:
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
+ *      exact matches and partial matches.
+ *
+ *\li   If the chain parameter is non-NULL, then the path through the tree
+ *      to the DNSSEC predecessor of the searched for name is maintained,
+ *      unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
+ *      is used. (For more details on those options, see below.)
+ *
+ *\li   If there is no predecessor, then the chain will point to nowhere, as
+ *      indicated by chain->end being NULL or dns_rbtnodechain_current
+ *      returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
+ *      there will always be a predecessor for all names except the root
+ *      name, because '.' will exist and '.' is the predecessor of
+ *      everything.  But you can certainly construct a trivial tree and a
+ *      search for it that has no predecessor.
+ *
+ *\li   Within the chain structure, the 'levels' member of the structure holds
+ *      the root node of each level except the first.
+ *
+ *\li   The 'level_count' of the chain indicates how deep the chain to the
+ *      predecessor name is, as an index into the 'levels[]' array.  It does
+ *      not count name elements, per se, but only levels of the tree of trees,
+ *      the distinction arising because multiple labels from a name can be
+ *      stored on only one level.  It is also does not include the level
+ *      that has the node, since that level is not stored in levels[].
+ *
+ *\li   The chain's 'level_matches' is not directly related to the predecessor.
+ *      It is the number of levels above the level of the found 'node',
+ *      regardless of whether it was a partial match or exact match.  When
+ *      the node is found in the top level tree, or no node is found at all,
+ *      level_matches is 0.
+ *
+ *\li   When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
+ *      there is an exact match in the tree.  In this case, the chain
+ *      will not point to the DNSSEC predecessor, but will instead point
+ *      to the exact match, if there was any.  Thus the preceding paragraphs
+ *      should have "exact match" substituted for "predecessor" to describe
+ *      how the various elements of the chain are set.  This was done to
+ *      ensure that the chain's state was sane, and to prevent problems that
+ *      occurred when running the predecessor location code under conditions
+ *      it was not designed for.  It is not clear *where* the chain should
+ *      point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ *      with this option because you want a particular node, let us know
+ *      where you want the chain pointed, so this can be made more firm.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE.
+ *\li   node != NULL && *node == NULL.
+ *\li   #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutually
+ *              exclusive.
+ *
+ * Ensures:
+ *\li   'name' and the tree are not altered in any way.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *\verbatim
+ *              *node is the terminal node for 'name'.
+
+ *              'foundname' and 'name' represent the same name (though not
+ *              the same memory).
+
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *              chain->level_matches and chain->level_count are equal.
+ *\endverbatim
+ *
+ *      If result is DNS_R_PARTIALMATCH:
+ *\verbatim
+ *              *node is the data associated with the deepest superdomain
+ *              of 'name' which has data.
+ *
+ *              'foundname' is the name of deepest superdomain (which has
+ *              data, unless the DNS_RBTFIND_EMPTYDATA option is set).
+ *
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *\endverbatim
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *\verbatim
+ *              Neither the name nor a superdomain was found.  *node is NULL.
+ *
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ *              chain->level_matches is 0.
+ *\endverbatim
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match, or superdomain with no data
+ *\li   #ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, bool recurse);
+/*%<
+ * Delete 'name' from the tree of trees.
+ *
+ * Notes:
+ *\li   When 'name' is removed, if recurse is true then all of its
+ *      subnames are removed too.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ *\li   'name' is not altered in any way.
+ *
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' does not appear in the tree with data; however,
+ *              the node for the name might still exist which can be
+ *              found with dns_rbt_findnode (but not dns_rbt_findname).
+ *
+ *\li   If result is ISC_R_NOTFOUND:
+ *              'name' does not appear in the tree with data, because
+ *              it did not appear in the tree before the function was called.
+ *
+ *\li   If result is something else:
+ *              See result codes for dns_rbt_findnode (if it fails, the
+ *              node is not deleted) or dns_rbt_deletenode (if it fails,
+ *              the node is deleted, but the tree is not optimized when
+ *              it could have been).
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOTFOUND No match
+ *\li   something_else  Any return code from dns_rbt_findnode except
+ *                      DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ *                      to be returned instead), and any code from
+ *                      dns_rbt_deletenode.
+ */
+
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, bool recurse);
+/*%<
+ * Delete 'node' from the tree of trees.
+ *
+ * Notes:
+ *\li   When 'node' is removed, if recurse is true then all nodes
+ *      in levels down from it are removed too.
+ *
+ * Requires:
+ *\li   rbt is a valid rbt manager.
+ *\li   node != NULL.
+ *
+ * Ensures:
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
+ *
+ *\li   If result is ISC_R_SUCCESS:
+ *              'node' does not appear in the tree with data; however,
+ *              the node might still exist if it serves as a pointer to
+ *              a lower tree level as long as 'recurse' was false, hence
+ *              the node could can be found with dns_rbt_findnode when
+ *              that function's empty_data_ok parameter is true.
+ *
+ *\li   If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ *              The node was deleted, but the tree structure was not
+ *              optimized.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
+ *\li   #ISC_R_NOSPACE  dns_name_concatenate failed when joining nodes.
+ */
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*%<
+ * Convert the sequence of labels stored at 'node' into a 'name'.
+ *
+ * Notes:
+ *\li   This function does not return the full name, from the root, but
+ *      just the labels at the indicated node.
+ *
+ *\li   The name data pointed to by 'name' is the information stored
+ *      in the node, not a copy.  Altering the data at this pointer
+ *      will likely cause grief.
+ *
+ * Requires:
+ * \li  name->offsets == NULL
+ *
+ * Ensures:
+ * \li  'name' is DNS_NAMEATTR_READONLY.
+ *
+ * \li  'name' will point directly to the labels stored after the
+ *      dns_rbtnode_t struct.
+ *
+ * \li  'name' will have offsets that also point to the information stored
+ *      as part of the node.
+ */
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*%<
+ * Like dns_rbt_namefromnode, but returns the full name from the root.
+ *
+ * Notes:
+ * \li  Unlike dns_rbt_namefromnode, the name will not point directly
+ *      to node data.  Rather, dns_name_concatenate will be used to copy
+ *      the name data from each node into the 'name' argument.
+ *
+ * Requires:
+ * \li  name != NULL
+ * \li  name has a dedicated buffer.
+ *
+ * Returns:
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_NOSPACE           (possible via dns_name_concatenate)
+ * \li  DNS_R_NAMETOOLONG       (possible via dns_name_concatenate)
+ */
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
+		       unsigned int size);
+/*%<
+ * Format the full name of a node for printing, using dns_name_format().
+ *
+ * Notes:
+ * \li  'size' is the length of the printname buffer.  This should be
+ *      DNS_NAME_FORMATSIZE or larger.
+ *
+ * Requires:
+ * \li  node and printname are not NULL.
+ *
+ * Returns:
+ * \li  The 'printname' pointer.
+ */
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt);
+/*%<
+ * Obtain the number of nodes in the tree of trees.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+size_t
+dns_rbt_hashsize(dns_rbt_t *rbt);
+/*%<
+ * Obtain the current number of buckets in the 'rbt' hash table.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+void
+dns_rbt_destroy(dns_rbt_t **rbtp);
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
+/*%<
+ * Stop working with a red-black tree of trees.
+ * If 'quantum' is zero then the entire tree will be destroyed.
+ * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
+ * allowing the rbt to be incrementally destroyed by repeated calls to
+ * dns_rbt_destroy2().  Once dns_rbt_destroy2() has been called no other
+ * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
+ * performed on the tree of trees.
+ *
+ * Requires:
+ * \li  *rbt is a valid rbt manager.
+ *
+ * Ensures on ISC_R_SUCCESS:
+ * \li  All space allocated by the RBT library has been returned.
+ *
+ * \li  *rbt is invalidated as an rbt manager.
+ *
+ * Returns:
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ */
+
+off_t
+dns_rbt_serialize_align(off_t target);
+/*%<
+ * Align the provided integer to a pointer-size boundary.
+ * This should be used if, during serialization of data to a will-be
+ * mmap()ed file, a pointer alignment is needed for some data.
+ */
+
+isc_result_t
+dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
+		       dns_rbtdatawriter_t datawriter,
+		       void *writer_arg, off_t *offset);
+/*%<
+ * Write out the RBT structure and its data to a file.
+ *
+ * Notes:
+ * \li  The file must be an actual file which allows seek() calls, so it cannot
+ *      be a stream.  Returns ISC_R_INVALIDFILE if not.
+ */
+
+isc_result_t
+dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+			 off_t header_offset, isc_mem_t *mctx,
+			 dns_rbtdeleter_t deleter, void *deleter_arg,
+			 dns_rbtdatafixer_t datafixer, void *fixer_arg,
+			 dns_rbtnode_t **originp, dns_rbt_t **rbtp);
+/*%<
+ * Read a RBT structure and its data from a file.
+ *
+ * If 'originp' is not NULL, then it is pointed to the root node of the RBT.
+ *
+ * Notes:
+ * \li  The file must be an actual file which allows seek() calls, so it cannot
+ *      be a stream.  This condition is not checked in the code.
+ */
+
+void
+dns_rbt_printtext(dns_rbt_t *rbt,
+		  void (*data_printer)(FILE *, void *), FILE *f);
+/*%<
+ * Print an ASCII representation of the internal structure of the red-black
+ * tree of trees to the passed stream.
+ *
+ * data_printer is a callback function that is called to print the data
+ * in a node. It should print it to the passed FILE stream.
+ *
+ * Notes:
+ * \li  The name stored at each node, along with the node's color, is printed.
+ *      Then the down pointer, left and right pointers are displayed
+ *      recursively in turn.  NULL down pointers are silently omitted;
+ *      NULL left and right pointers are printed.
+ */
+
+void
+dns_rbt_printdot(dns_rbt_t *rbt, bool show_pointers, FILE *f);
+/*%<
+ * Print a GraphViz dot representation of the internal structure of the
+ * red-black tree of trees to the passed stream.
+ *
+ * If show_pointers is TRUE, pointers are also included in the generated
+ * graph.
+ *
+ * Notes:
+ * \li	The name stored at each node, along with the node's color is displayed.
+ *	Then the down pointer, left and right pointers are displayed
+ *	recursively in turn.  NULL left, right and down pointers are
+ *	silently omitted.
+ */
+
+void
+dns_rbt_printnodeinfo(dns_rbtnode_t *n, FILE *f);
+/*%<
+ * Print out various information about a node
+ *
+ * Requires:
+ *\li	'n' is a valid pointer.
+ *
+ *\li	'f' points to a valid open FILE structure that allows writing.
+ */
+
+
+size_t
+dns__rbt_getheight(dns_rbt_t *rbt);
+/*%<
+ * Return the maximum height of sub-root nodes found in the red-black
+ * forest.
+ *
+ * The height of a node is defined as the number of nodes in the longest
+ * path from the node to a leaf. For each subtree in the forest, this
+ * function determines the height of its root node. Then it returns the
+ * maximum such height in the forest.
+ *
+ * Note: This function exists for testing purposes. Non-test code must
+ * not use it.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+bool
+dns__rbt_checkproperties(dns_rbt_t *rbt);
+/*%<
+ * Check red-black properties of the forest.
+ *
+ * Note: This function exists for testing purposes. Non-test code must
+ * not use it.
+ *
+ * Requires:
+ * \li  rbt is a valid rbt manager.
+ */
+
+size_t
+dns__rbtnode_getdistance(dns_rbtnode_t *node);
+/*%<
+ * Return the distance (in nodes) from the node to its upper node of its
+ * subtree. The root node has a distance of 1. A child of the root node
+ * has a distance of 2.
+ */
+
+/*****
+ ***** Chain Functions
+ *****/
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
+/*%<
+ * Initialize 'chain'.
+ *
+ * Requires:
+ *\li   'chain' is a valid pointer.
+ *
+ *\li   'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *\li   'chain' is suitable for use.
+ */
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
+/*%<
+ * Free any dynamic storage associated with 'chain', and then reinitialize
+ * 'chain'.
+ *
+ * Requires:
+ *\li   'chain' is a valid pointer.
+ *
+ * Ensures:
+ *\li   'chain' is suitable for use, and uses no dynamic storage.
+ */
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
+/*%<
+ * Free any dynamic storage associated with 'chain', and then invalidates it.
+ *
+ * Notes:
+ *\li   Future calls to any dns_rbtnodechain_ function will need to call
+ *      dns_rbtnodechain_init on the chain first (except, of course,
+ *      dns_rbtnodechain_init itself).
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *
+ * Ensures:
+ *\li   'chain' is no longer suitable for use, and uses no dynamic storage.
+ */
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+			 dns_name_t *origin, dns_rbtnode_t **node);
+/*%<
+ * Provide the name, origin and node to which the chain is currently pointed.
+ *
+ * Notes:
+ *\li   The tree need not have be locked against additions for the chain
+ *      to remain valid, however there are no guarantees if any deletion
+ *      has been made since the chain was established.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *
+ * Ensures:
+ *\li   'node', if non-NULL, is the node to which the chain was pointed
+ *      by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ *      If none were called for the chain since it was initialized or reset,
+ *      or if the was no predecessor to the name searched for with
+ *      dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
+ *
+ *\li   'name', if non-NULL, is the name stored at the terminal level of
+ *      the chain.  This is typically a single label, like the "www" of
+ *      "www.isc.org", but need not be so.  At the root of the tree of trees,
+ *      if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ *      (Minimalist and atypical case:  if the tree has just the name
+ *      "isc.org." then the root node's stored name is "isc.org." but 'name'
+ *      will be "isc.org".)
+ *
+ *\li   'origin', if non-NULL, is the sequence of labels in the levels
+ *      above the terminal level, such as "isc.org." in the above example.
+ *      'origin' is always "." for the root node.
+ *
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          name, origin & node were successfully set.
+ *\li   #ISC_R_NOTFOUND         The chain does not point to any node.
+ *\li   &lt;something_else>     Any error return from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin);
+/*%<
+ * Set the chain to the lexically first node in the tree of trees.
+ *
+ * Notes:
+ *\li   By the definition of ordering for DNS names, the root of the tree of
+ *      trees is the very first node, since everything else in the megatree
+ *      uses it as a common suffix.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *\li   The chain points to the very first node of the tree.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.  Thus 'origin' will always be ".".
+ *
+ * Returns:
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin);
+/*%<
+ * Set the chain to the lexically last node in the tree of trees.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ *\li   The chain points to the very last node of the tree.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ * Returns:
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   #ISC_R_NOMEMORY         Resource Limit: Out of Memory building chain.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Adjusts chain to point the DNSSEC predecessor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *\li   The chain is pointed to the predecessor of its current target.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ *\li   'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          The predecessor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The predecessor was found with a different
+ *                              origin and 'name' and 'origin' were set.
+ *\li   #ISC_R_NOMORE           There was no predecessor.
+ *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Adjusts chain to point the DNSSEC successor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ *\li   The chain is pointed to the successor of its current target.
+ *
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
+ *
+ *\li   'origin' is only if a new origin was found.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS          The successor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The successor was found with a different
+ *                              origin and 'name' and 'origin' were set.
+ *\li   #ISC_R_NOMORE           There was no successor.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Descend down if possible.
+ */
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
+/*%<
+ * Find the next node at the current depth in DNSSEC order.
+ */
+
+/*
+ * Wrapper macros for manipulating the rbtnode reference counter:
+ *   Since we selectively use isc_refcount_t for the reference counter of
+ *   a rbtnode, operations on the counter depend on the actual type of it.
+ *   The following macros provide a common interface to these operations,
+ *   hiding the back-end.  The usage is the same as that of isc_refcount_xxx().
+ */
+#ifdef DNS_RBT_USEISCREFCOUNT
+#define dns_rbtnode_refinit(node, n)                            \
+	do {                                                    \
+		isc_refcount_init(&(node)->references, (n));    \
+	} while (0)
+#define dns_rbtnode_refdestroy(node)                            \
+	do {                                                    \
+		isc_refcount_destroy(&(node)->references);      \
+	} while (0)
+#define dns_rbtnode_refcurrent(node)                            \
+	isc_refcount_current(&(node)->references)
+#define dns_rbtnode_refincrement0(node, refs)                   \
+	do {                                                    \
+		isc_refcount_increment0(&(node)->references, (refs)); \
+	} while (0)
+#define dns_rbtnode_refincrement(node, refs)                    \
+	do {                                                    \
+		isc_refcount_increment(&(node)->references, (refs)); \
+	} while (0)
+#define dns_rbtnode_refdecrement(node, refs)                    \
+	do {                                                    \
+		isc_refcount_decrement(&(node)->references, (refs)); \
+	} while (0)
+#else  /* DNS_RBT_USEISCREFCOUNT */
+#define dns_rbtnode_refinit(node, n)    ((node)->references = (n))
+#define dns_rbtnode_refdestroy(node)    ISC_REQUIRE((node)->references == 0)
+#define dns_rbtnode_refcurrent(node)    ((node)->references)
+
+#if (__STDC_VERSION__ + 0) >= 199901L || defined __GNUC__
+static inline void
+dns_rbtnode_refincrement0(dns_rbtnode_t *node, unsigned int *refs) {
+	node->references++;
+	if (refs != NULL)
+		*refs = node->references;
+}
+
+static inline void
+dns_rbtnode_refincrement(dns_rbtnode_t *node, unsigned int *refs) {
+	ISC_REQUIRE(node->references > 0);
+	node->references++;
+	if (refs != NULL)
+		*refs = node->references;
+}
+
+static inline void
+dns_rbtnode_refdecrement(dns_rbtnode_t *node, unsigned int *refs) {
+	ISC_REQUIRE(node->references > 0);
+	node->references--;
+	if (refs != NULL)
+		*refs = node->references;
+}
+#else
+#define dns_rbtnode_refincrement0(node, refs)                   \
+	do {                                                    \
+		unsigned int *_tmp = (unsigned int *)(refs);    \
+		(node)->references++;                           \
+		if ((_tmp) != NULL)                             \
+			(*_tmp) = (node)->references;           \
+	} while (0)
+#define dns_rbtnode_refincrement(node, refs)                    \
+	do {                                                    \
+		ISC_REQUIRE((node)->references > 0);                \
+		(node)->references++;                           \
+		if ((refs) != NULL)                             \
+			(*refs) = (node)->references;           \
+	} while (0)
+#define dns_rbtnode_refdecrement(node, refs)                    \
+	do {                                                    \
+		ISC_REQUIRE((node)->references > 0);                \
+		(node)->references--;                           \
+		if ((refs) != NULL)                             \
+			(*refs) = (node)->references;           \
+	} while (0)
+#endif
+#endif /* DNS_RBT_USEISCREFCOUNT */
+
+void
+dns_rbtnode_nodename(dns_rbtnode_t *node, dns_name_t *name);
+
+dns_rbtnode_t *
+dns_rbt_root(dns_rbt_t *rbt);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBT_H */
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
new file mode 100644
index 0000000..59146af
--- /dev/null
+++ b/lib/dns/include/dns/rcode.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RCODE_H
+#define DNS_RCODE_H 1
+
+/*! \file dns/rcode.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS error value.
+ *
+ * Requires:
+ *\li	'rcodep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of error 'rcode' into 'target'.
+ *
+ * Requires:
+ *\li	'rcode' is a valid rcode.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t dns_tsigrcode_fromtext(dns_rcode_t *rcodep,
+				    isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a TSIG/TKEY error value.
+ *
+ * Requires:
+ *\li	'rcodep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
+ *
+ * Requires:
+ *\li	'rcode' is a valid TSIG/TKEY error code.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures:
+ *\li	If the result is success:
+ *		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a has algorithm value.
+ *
+ * Requires:
+ *\li	'hashalg' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RCODE_H */
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
new file mode 100644
index 0000000..25220ce
--- /dev/null
+++ b/lib/dns/include/dns/rdata.h
@@ -0,0 +1,774 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATA_H
+#define DNS_RDATA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rdata.h
+ * \brief
+ * Provides facilities for manipulating DNS rdata, including conversions to
+ * and from wire format and text format.
+ *
+ * Given the large amount of rdata possible in a nameserver, it was important
+ * to come up with a very efficient way of storing rdata, but at the same
+ * time allow it to be manipulated.
+ *
+ * The decision was to store rdata in uncompressed wire format,
+ * and not to make it a fully abstracted object; i.e. certain parts of the
+ * server know rdata is stored that way.  This saves a lot of memory, and
+ * makes adding rdata to messages easy.  Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of rdata to be manipulating such a low-level structure.  This is
+ * where the rdata module comes in.  The module allows rdata handles to be
+ * created and attached to uncompressed wire format regions.  All rdata
+ * operations and conversions are done through these handles.
+ *
+ * Implementation Notes:
+ *
+ *\li	The routines in this module are expected to be synthesized by the
+ *	build process from a set of source files, one per rdata type.  For
+ *	portability, it's probably best that the building be done by a C
+ *	program.  Adding a new rdata type will be a simple matter of adding
+ *	a file to a directory and rebuilding the server.  *All* knowledge of
+ *	the format of a particular rdata type is in this file.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *\li	Rdata is typed, and the caller must know what type of rdata it has.
+ *	A caller that gets this wrong could crash the server.
+ *
+ *\li	The fromstruct() and tostruct() routines use a void * pointer to
+ *	represent the structure.  The caller must ensure that it passes a
+ *	pointer to the appropriate type, or the server could crash or memory
+ *	could be corrupted.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *
+ *\li	*** WARNING ***
+ *	dns_rdata_fromwire() deals with raw network data.  An error in
+ *	this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ *\li	RFC1035
+ *\li	Draft EDNS0 (0)
+ *\li	Draft EDNS1 (0)
+ *\li	Draft Binary Labels (2)
+ *\li	Draft Local Compression (1)
+ *\li	Various RFCs for particular types; these will be documented in the
+ *	 sources files of the types.
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+#include <dns/message.h>
+
+ISC_LANG_BEGINDECLS
+
+
+/***
+ *** Types
+ ***/
+
+/*%
+ ***** An 'rdata' is a handle to a binary region.  The handle has an RR
+ ***** class and type, and the data in the binary region is in the format
+ ***** of the given class and type.
+ *****/
+/*%
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field which may be used directly for whatever
+ * purpose the client desires.
+ */
+struct dns_rdata {
+	unsigned char *			data;
+	unsigned int			length;
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	unsigned int			flags;
+	ISC_LINK(dns_rdata_t)		link;
+};
+
+#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
+
+#define DNS_RDATA_CHECKINITIALIZED
+#ifdef DNS_RDATA_CHECKINITIALIZED
+#define DNS_RDATA_INITIALIZED(rdata) \
+	((rdata)->data == NULL && (rdata)->length == 0 && \
+	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+	 !ISC_LINK_LINKED((rdata), link))
+#else
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) \
+	(!ISC_LINK_LINKED((rdata), link))
+#else
+#define DNS_RDATA_INITIALIZED(rdata) true
+#endif
+#endif
+
+#define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
+#define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
+
+#define DNS_RDATA_VALIDFLAGS(rdata) \
+	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
+/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
+/*
+ * Flags affecting rdata formatting style.  Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+ */
+
+/*% Split the rdata into multiple lines to try to keep it
+ within the "width". */
+#define DNS_STYLEFLAG_MULTILINE		0x00000001ULL
+
+/*% Output explanatory comments. */
+#define DNS_STYLEFLAG_COMMENT		0x00000002ULL
+#define DNS_STYLEFLAG_RRCOMMENT		0x00000004ULL
+
+/*% Output KEYDATA in human readable format. */
+#define DNS_STYLEFLAG_KEYDATA		0x00000008ULL
+
+/*% Output textual RR type and RDATA in RFC 3597 unknown format */
+#define DNS_STYLEFLAG_UNKNOWNFORMAT	0x00000010ULL
+
+#define DNS_RDATA_DOWNCASE		DNS_NAME_DOWNCASE
+#define DNS_RDATA_CHECKNAMES		DNS_NAME_CHECKNAMES
+#define DNS_RDATA_CHECKNAMESFAIL	DNS_NAME_CHECKNAMESFAIL
+#define DNS_RDATA_CHECKREVERSE		DNS_NAME_CHECKREVERSE
+#define DNS_RDATA_CHECKMX		DNS_NAME_CHECKMX
+#define DNS_RDATA_CHECKMXFAIL		DNS_NAME_CHECKMXFAIL
+#define DNS_RDATA_UNKNOWNESCAPE		0x80000000
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ *	'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
+ */
+
+void
+dns_rdata_reset(dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ *\li	'rdata' is a previously initialized rdata and is not linked.
+ */
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
+/*%<
+ * Clone 'target' from 'src'.
+ *
+ * Requires:
+ *\li	'src' to be initialized.
+ *\li	'target' to be initialized.
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*%<
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'rdata1' and 'rdata2'.
+ *
+ * Requires:
+ *
+ *\li	'rdata1' is a valid, non-empty rdata
+ *
+ *\li	'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *\li	< 0		'rdata1' is less than 'rdata2'
+ *\li	0		'rdata1' is equal to 'rdata2'
+ *\li	> 0		'rdata1' is greater than 'rdata2'
+ */
+
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*%<
+ * dns_rdata_casecompare() is similar to dns_rdata_compare() but also
+ * compares domain names case insensitively in known rdata types that
+ * are treated as opaque data by dns_rdata_compare().
+ *
+ * Requires:
+ *
+ *\li	'rdata1' is a valid, non-empty rdata
+ *
+ *\li	'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ *\li	< 0		'rdata1' is less than 'rdata2'
+ *\li	0		'rdata1' is equal to 'rdata2'
+ *\li	> 0		'rdata1' is greater than 'rdata2'
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_region_t *r);
+/*%<
+ * Make 'rdata' refer to region 'r'.
+ *
+ * Requires:
+ *
+ *\li	The data in 'r' is properly formatted for whatever type it is.
+ */
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
+/*%<
+ * Make 'r' refer to 'rdata'.
+ */
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_buffer_t *source,
+		   dns_decompress_t *dctx, unsigned int options,
+		   isc_buffer_t *target);
+/*%<
+ * Copy the possibly-compressed rdata at source into the target region.
+ *
+ * Notes:
+ *\li	Name decompression policy is controlled by 'dctx'.
+ *
+ *	'options'
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'source' is a valid buffer, and the active region of 'source'
+ *	references the rdata to be processed.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	'dctx' is a valid decompression context.
+ *
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
+ *	\li	The conditions dns_name_fromwire() ensures for names hold
+ *		for all names in the rdata.
+ *	\li	The current location in source is advanced, and the used space
+ *		in target is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Any non-success status from dns_name_fromwire()
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+		 isc_buffer_t *target);
+/*%<
+ * Convert 'rdata' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ *\li	If the compression context allows global compression, then the
+ *	global compression table may be updated.
+ *
+ * Requires:
+ *\li	'rdata' is a valid, non-empty rdata
+ *
+ *\li	target is a valid buffer
+ *
+ *\li	Any offsets specified in a global compression table are valid
+ *	for target.
+ *
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in target is updated.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Any non-success status from dns_name_towire()
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
+		   unsigned int options, isc_mem_t *mctx,
+		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
+/*%<
+ * Convert the textual representation of a DNS rdata into uncompressed wire
+ * form stored in the target region.  Tokens constituting the text of the rdata
+ * are taken from 'lexer'.
+ *
+ * Notes:
+ *\li	Relative domain names in the rdata will have 'origin' appended to them.
+ *	A NULL origin implies "origin == dns_rootname".
+ *
+ *
+ *	'options'
+ *\li	DNS_RDATA_DOWNCASE	downcase domain names when they are copied
+ *				into target.
+ *\li	DNS_RDATA_CHECKNAMES 	perform checknames checks.
+ *\li	DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail.  If
+ *				not set a warning will be issued.
+ *\li	DNS_RDATA_CHECKREVERSE  this should set if the owner name ends
+ *				in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'lexer' is a valid isc_lex_t.
+ *
+ *\li	'mctx' is a valid isc_mem_t.
+ *
+ *\li	'target' is a valid region.
+ *
+ *\li	'origin' if non NULL it must be absolute.
+ *
+ *\li	'callbacks' to be NULL or callbacks->warn and callbacks->error be
+ *	initialized.
+ *
+ * Ensures,
+ *	if result is success:
+ *\li	 	If 'rdata' is not NULL, it is attached to the target.
+
+ *\li		The conditions dns_name_fromtext() ensures for names hold
+ *		for all names in the rdata.
+
+ *\li		The used space in target is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Translated result codes from isc_lex_gettoken
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Bad Form: Input too short
+ *\li	Resource Limit: Not enough space
+ *\li	Resource Limit: Not enough memory
+ */
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
+/*%<
+ * Convert 'rdata' into text format, storing the result in 'target'.
+ * The text will consist of a single line, with fields separated by
+ * single spaces.
+ *
+ * Notes:
+ *\li	If 'origin' is not NULL, then any names in the rdata that are
+ *	subdomains of 'origin' will be made relative it.
+ *
+ *\li	XXX Do we *really* want to support 'origin'?  I'm inclined towards "no"
+ *	at the moment.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata
+ *
+ *\li	'origin' is NULL, or is a valid name
+ *
+ *\li	'target' is a valid text buffer
+ *
+ * Ensures,
+ *	if the result is success:
+ *
+ *	\li	The used space in target is updated.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Any non-success status from dns_name_totext()
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
+		    unsigned int width, unsigned int split_width,
+		    const char *linebreak, isc_buffer_t *target);
+/*%<
+ * Like dns_rdata_totext, but do formatted output suitable for
+ * database dumps.  This is intended for use by dns_db_dump();
+ * library users are discouraged from calling it directly.
+ *
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
+ * within 'width' by breaking the text into multiple lines.
+ * The string 'linebreak' is inserted between lines, and parentheses
+ * are added when necessary.  Because RRs contain unbreakable elements
+ * such as domain names whose length is variable, unpredictable, and
+ * potentially large, there is no guarantee that the lines will
+ * not exceed 'width' anyway.
+ *
+ * If (flags & #DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
+ * printed as a single line, and no parentheses are used.
+ * The 'width' and 'linebreak' arguments are ignored.
+ *
+ * If (flags & #DNS_STYLEFLAG_COMMENT) != 0, output explanatory
+ * comments next to things like the SOA timer fields.  Some
+ * comments (e.g., the SOA ones) are only printed when multiline
+ * output is selected.
+ *
+ * base64 rdata text (e.g., DNSKEY records) will be split into chunks
+ * of 'split_width' characters.  If split_width == 0, the text will
+ * not be split at all.  If split_width == UINT_MAX (0xffffffff), then
+ * it is undefined and falls back to the default value of 'width'
+ */
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, void *source, isc_buffer_t *target);
+/*%<
+ * Convert the C structure representation of an rdata into uncompressed wire
+ * format in 'target'.
+ *
+ * XXX  Should we have a 'size' parameter as a sanity check on target?
+ *
+ * Requires:
+ *
+ *\li	'rdclass' and 'type' are valid.
+ *
+ *\li	'source' points to a valid C struct for the class and type.
+ *
+ *\li	'target' is a valid buffer.
+ *
+ *\li	All structure pointers to memory blocks should be NULL if their
+ *	corresponding length values are zero.
+ *
+ * Ensures,
+ *	if result is success:
+ *	\li 	If 'rdata' is not NULL, it is attached to the target.
+ *
+ *	\li	The used space in 'target' is updated.
+ *
+ * Result:
+ *\li	Success
+ *\li	Various 'Bad Form' class failures depending on class and type
+ *\li	Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
+/*%<
+ * Convert an rdata into its C structure representation.
+ *
+ * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
+ *
+ * If 'mctx' is non NULL then memory will be allocated if required.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'target' to point to a valid pointer for the type and class.
+ *
+ * Result:
+ *\li	Success
+ *\li	Resource Limit: Not enough memory
+ */
+
+void
+dns_rdata_freestruct(void *source);
+/*%<
+ * Free dynamic memory attached to 'source' (if any).
+ *
+ * Requires:
+ *
+ *\li	'source' to point to the structure previously filled in by
+ *	dns_rdata_tostruct().
+ */
+
+bool
+dns_rdatatype_ismeta(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is a meta-type
+ * like ANY or AXFR.
+ */
+
+bool
+dns_rdatatype_issingleton(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is a singleton type,
+ * like CNAME or SOA.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
+/*%<
+ * Return true iff the rdata class 'rdclass' is a meta-class
+ * like ANY or NONE.
+ */
+
+bool
+dns_rdatatype_isdnssec(dns_rdatatype_t type);
+/*%<
+ * Return true iff 'type' is one of the DNSSEC
+ * rdata types that may exist alongside a CNAME record.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ */
+
+bool
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' is considered authoritative
+ * data (not glue) in the NSEC chain when it occurs in the parent zone
+ * at a zone cut.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_isknown(dns_rdatatype_t type);
+/*%<
+ * Return true iff the rdata type 'type' is known.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+			 void *arg);
+/*%<
+ * Call 'add' for each name and type from 'rdata' which is subject to
+ * additional section processing.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'add' is a valid dns_additionalfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, then add() will have been called for each name
+ *	and type subject to additional section processing.
+ *
+ *\li	If add() returns something other than #ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_additionaldata().
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ */
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
+/*%<
+ * Send 'rdata' in DNSSEC canonical form to 'digest'.
+ *
+ * Note:
+ *\li	'digest' may be called more than once by dns_rdata_digest().  The
+ *	concatenation of all the regions, in the order they were given
+ *	to 'digest', will be the DNSSEC canonical form of 'rdata'.
+ *
+ * Requires:
+ *
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ *\li	If successful, then all of the rdata's data has been sent, in
+ *	DNSSEC canonical form, to 'digest'.
+ *
+ *\li	If digest() returns something other than ISC_R_SUCCESS, that result
+ *	will be returned as the result of dns_rdata_digest().
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Many other results are possible if not successful.
+ */
+
+bool
+dns_rdatatype_questiononly(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can only appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_notquestion(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can not appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+bool
+dns_rdatatype_atparent(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' should appear at the parent of
+ * a zone cut.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t rdtype);
+/*%<
+ * Return attributes for the given type.
+ *
+ * Requires:
+ *\li	'rdtype' are known.
+ *
+ * Returns:
+ *\li	a bitmask consisting of the following flags.
+ */
+
+/*% only one may exist for a name */
+#define DNS_RDATATYPEATTR_SINGLETON		0x00000001U
+/*% requires no other data be present */
+#define DNS_RDATATYPEATTR_EXCLUSIVE		0x00000002U
+/*% Is a meta type */
+#define DNS_RDATATYPEATTR_META			0x00000004U
+/*% Is a DNSSEC type, like RRSIG or NSEC */
+#define DNS_RDATATYPEATTR_DNSSEC		0x00000008U
+/*% Is a zone cut authority type */
+#define DNS_RDATATYPEATTR_ZONECUTAUTH		0x00000010U
+/*% Is reserved (unusable) */
+#define DNS_RDATATYPEATTR_RESERVED		0x00000020U
+/*% Is an unknown type */
+#define DNS_RDATATYPEATTR_UNKNOWN		0x00000040U
+/*% Is META, and can only be in a question section */
+#define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
+/*% is META, and can NOT be in a question section */
+#define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
+/*% Is present at zone cuts in the parent, not the child */
+#define DNS_RDATATYPEATTR_ATPARENT		0x00000200U
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata);
+/*%<
+ * Return the rdatatype that this type covers.
+ *
+ * Requires:
+ *\li	'rdata' is a valid, non-empty rdata.
+ *
+ *\li	'rdata' is a type that covers other rdata types.
+ *
+ * Returns:
+ *\li	The type covered.
+ */
+
+bool
+dns_rdata_checkowner(dns_name_t* name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, bool wildcard);
+/*
+ * Returns whether this is a valid ownername for this <type,class>.
+ * If wildcard is true allow the first label to be a wildcard if
+ * appropriate.
+ *
+ * Requires:
+ *	'name' is a valid name.
+ */
+
+bool
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
+/*
+ * Returns whether 'rdata' contains valid domain names.  The checks are
+ * sensitive to the owner name.
+ *
+ * If 'bad' is non-NULL and a domain name fails the check the
+ * the offending name will be return in 'bad' by cloning from
+ * the 'rdata' contents.
+ *
+ * Requires:
+ *	'rdata' to be valid.
+ *	'owner' to be valid.
+ *	'bad'	to be NULL or valid.
+ */
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type);
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata);
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATA_H */
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
new file mode 100644
index 0000000..67fe1c7
--- /dev/null
+++ b/lib/dns/include/dns/rdataclass.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATACLASS_H
+#define DNS_RDATACLASS_H 1
+
+/*! \file dns/rdataclass.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS class.
+ *
+ * Requires:
+ *\li	'classp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			class is unknown
+ */
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of class 'rdclass' into 'target'.
+ *
+ * Requires:
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+/*%<
+ * Put textual RFC3597 CLASSXXXX representation of class 'rdclass' into
+ * 'target'.
+ *
+ * Requires:
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass,
+		      char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the class 'rdclass'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
+/*%<
+ * Minimum size of array to pass to dns_rdataclass_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATACLASS_H */
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
new file mode 100644
index 0000000..63015e1
--- /dev/null
+++ b/lib/dns/include/dns/rdatalist.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATALIST_H
+#define DNS_RDATALIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rdatalist.h
+ * \brief
+ * A DNS rdatalist is a list of rdata of a common type and class.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*%
+ * Clients may use this type directly.
+ */
+struct dns_rdatalist {
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	dns_rdatatype_t			covers;
+	dns_ttl_t			ttl;
+	ISC_LIST(dns_rdata_t)		rdata;
+	ISC_LINK(dns_rdatalist_t)	link;
+	/*%<
+	 * Case vector.  If the bit is set then the corresponding
+	 * character in the owner name needs to be AND'd with 0x20,
+	 * rendering that character upper case.
+	 */
+	unsigned char			upper[32];
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist);
+/*%<
+ * Initialize rdatalist.
+ *
+ * Ensures:
+ *\li	All fields of rdatalist have been initialized to their default
+ *	values.
+ */
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
+			 dns_rdataset_t *rdataset);
+/*%<
+ * Make 'rdataset' refer to the rdata in 'rdatalist'.
+ *
+ * Note:
+ *\li	The caller must ensure that 'rdatalist' remains valid and unchanged
+ *	while 'rdataset' is associated with it.
+ *
+ * Requires:
+ *
+ *\li	'rdatalist' is a valid rdatalist.
+ *
+ *\li	'rdataset' is a valid rdataset that is not currently associated with
+ *	any rdata.
+ *
+ * Ensures,
+ *	on success,
+ *
+ *\li		'rdataset' is associated with the rdata in rdatalist.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+			   dns_rdatalist_t **rdatalist);
+/*%<
+ * Point 'rdatalist' to the rdatalist in 'rdataset'.
+ *
+ * Requires:
+ *
+ *\li	'rdatalist' is a pointer to a NULL dns_rdatalist_t pointer.
+ *
+ *\li	'rdataset' is a valid rdataset associated with an rdatalist.
+ *
+ * Ensures,
+ *	on success,
+ *
+ *\li		'rdatalist' is pointed to the rdatalist in rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_H */
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
new file mode 100644
index 0000000..5295d8e
--- /dev/null
+++ b/lib/dns/include/dns/rdataset.h
@@ -0,0 +1,710 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RDATASET_H
+#define DNS_RDATASET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rdataset.h
+ * \brief
+ * A DNS rdataset is a handle that can be associated with a collection of
+ * rdata all having a common owner name, class, and type.
+ *
+ * The dns_rdataset_t type is like a "virtual class".  To actually use
+ * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
+ * required.
+ *
+ * XXX &lt;more&gt; XXX
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/rdatastruct.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	dns_rdatasetadditional_fromauth,
+	dns_rdatasetadditional_fromcache,
+	dns_rdatasetadditional_fromglue
+} dns_rdatasetadditional_t;
+
+typedef struct dns_rdatasetmethods {
+	void			(*disassociate)(dns_rdataset_t *rdataset);
+	isc_result_t		(*first)(dns_rdataset_t *rdataset);
+	isc_result_t		(*next)(dns_rdataset_t *rdataset);
+	void			(*current)(dns_rdataset_t *rdataset,
+					   dns_rdata_t *rdata);
+	void			(*clone)(dns_rdataset_t *source,
+					 dns_rdataset_t *target);
+	unsigned int		(*count)(dns_rdataset_t *rdataset);
+	isc_result_t		(*addnoqname)(dns_rdataset_t *rdataset,
+					      dns_name_t *name);
+	isc_result_t		(*getnoqname)(dns_rdataset_t *rdataset,
+					      dns_name_t *name,
+					      dns_rdataset_t *neg,
+					      dns_rdataset_t *negsig);
+	isc_result_t		(*addclosest)(dns_rdataset_t *rdataset,
+					      dns_name_t *name);
+	isc_result_t		(*getclosest)(dns_rdataset_t *rdataset,
+					      dns_name_t *name,
+					      dns_rdataset_t *neg,
+					      dns_rdataset_t *negsig);
+	isc_result_t		(*getadditional)(dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype,
+						 dns_acache_t *acache,
+						 dns_zone_t **zonep,
+						 dns_db_t **dbp,
+						 dns_dbversion_t **versionp,
+						 dns_dbnode_t **nodep,
+						 dns_name_t *fname,
+						 dns_message_t *msg,
+						 isc_stdtime_t now);
+	isc_result_t		(*setadditional)(dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype,
+						 dns_acache_t *acache,
+						 dns_zone_t *zone,
+						 dns_db_t *db,
+						 dns_dbversion_t *version,
+						 dns_dbnode_t *node,
+						 dns_name_t *fname);
+	isc_result_t		(*putadditional)(dns_acache_t *acache,
+						 dns_rdataset_t *rdataset,
+						 dns_rdatasetadditional_t type,
+						 dns_rdatatype_t qtype);
+	void			(*settrust)(dns_rdataset_t *rdataset,
+					    dns_trust_t trust);
+	void			(*expire)(dns_rdataset_t *rdataset);
+	void			(*clearprefetch)(dns_rdataset_t *rdataset);
+	void			(*setownercase)(dns_rdataset_t *rdataset,
+						const dns_name_t *name);
+	void			(*getownercase)(const dns_rdataset_t *rdataset,							dns_name_t *name);
+} dns_rdatasetmethods_t;
+
+#define DNS_RDATASET_MAGIC	       ISC_MAGIC('D','N','S','R')
+#define DNS_RDATASET_VALID(set)	       ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
+
+/*%
+ * Direct use of this structure by clients is strongly discouraged, except
+ * for the 'link' field which may be used however the client wishes.  The
+ * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
+ * rdataset implementations may change any of the fields.
+ */
+struct dns_rdataset {
+	unsigned int			magic;		/* XXX ? */
+	dns_rdatasetmethods_t *		methods;
+	ISC_LINK(dns_rdataset_t)	link;
+	/*
+	 * XXX do we need these, or should they be retrieved by methods?
+	 * Leaning towards the latter, since they are not frequently required
+	 * once you have the rdataset.
+	 */
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			type;
+	dns_ttl_t			ttl;
+	dns_trust_t			trust;
+	dns_rdatatype_t			covers;
+	/*
+	 * attributes
+	 */
+	unsigned int			attributes;
+	/*%
+	 * the counter provides the starting point in the "cyclic" order.
+	 * The value UINT32_MAX has a special meaning of "picking up a
+	 * random value." in order to take care of databases that do not
+	 * increment the counter.
+	 */
+	uint32_t			count;
+	/*
+	 * This RRSIG RRset should be re-generated around this time.
+	 * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes.
+	 */
+	isc_stdtime_t			resign;
+	/*@{*/
+	/*%
+	 * These are for use by the rdataset implementation, and MUST NOT
+	 * be changed by clients.
+	 */
+	void *				private1;
+	void *				private2;
+	void *				private3;
+	unsigned int			privateuint4;
+	void *				private5;
+	void *				private6;
+	void *				private7;
+	/*@}*/
+
+};
+
+/*!
+ * \def DNS_RDATASETATTR_RENDERED
+ *	Used by message.c to indicate that the rdataset was rendered.
+ *
+ * \def DNS_RDATASETATTR_TTLADJUSTED
+ *	Used by message.c to indicate that the rdataset's rdata had differing
+ *	TTL values, and the rdataset->ttl holds the smallest.
+ *
+ * \def DNS_RDATASETATTR_LOADORDER
+ *	Output the RRset in load order.
+ */
+
+#define DNS_RDATASETATTR_QUESTION	0x00000001
+#define DNS_RDATASETATTR_RENDERED	0x00000002	/*%< Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED	0x00000004	/*%< Used by server. */
+#define DNS_RDATASETATTR_CACHE		0x00000008	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER		0x00000010	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG	0x00000020	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL	0x00000040	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE		0x00000080	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING	0x00000100	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED	0x00000200	/*%< Used by message.c */
+#define DNS_RDATASETATTR_FIXEDORDER	0x00000400
+#define DNS_RDATASETATTR_RANDOMIZE	0x00000800
+#define DNS_RDATASETATTR_CHASE		0x00001000	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_NXDOMAIN	0x00002000
+#define DNS_RDATASETATTR_NOQNAME	0x00004000
+#define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/*%< Used by resolver. */
+#define DNS_RDATASETATTR_REQUIRED	0x00010000
+#define DNS_RDATASETATTR_REQUIREDGLUE	DNS_RDATASETATTR_REQUIRED
+#define DNS_RDATASETATTR_LOADORDER	0x00020000
+#define DNS_RDATASETATTR_RESIGN		0x00040000
+#define DNS_RDATASETATTR_CLOSEST	0x00080000
+#define DNS_RDATASETATTR_OPTOUT		0x00100000	/*%< OPTOUT proof */
+#define DNS_RDATASETATTR_NEGATIVE	0x00200000
+#define DNS_RDATASETATTR_PREFETCH	0x00400000
+
+/*%
+ * _OMITDNSSEC:
+ * 	Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC	0x0001
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset);
+/*%<
+ * Make 'rdataset' a valid, disassociated rdataset.
+ *
+ * Requires:
+ *\li	'rdataset' is not NULL.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ */
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset);
+/*%<
+ * Invalidate 'rdataset'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *\li	If assertion checking is enabled, future attempts to use 'rdataset'
+ *	without initializing it will cause an assertion failure.
+ */
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset);
+/*%<
+ * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+ *
+ * Notes:
+ *\li	The client must ensure it has no references to rdata in the rdataset
+ *	before disassociating.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ */
+
+bool
+dns_rdataset_isassociated(dns_rdataset_t *rdataset);
+/*%<
+ * Is 'rdataset' associated?
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ * Returns:
+ *\li	#true			'rdataset' is associated.
+ *\li	#false			'rdataset' is not associated.
+ */
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+			  dns_rdatatype_t type);
+/*%<
+ * Make 'rdataset' a valid, associated, question rdataset, with a
+ * question class of 'rdclass' and type 'type'.
+ *
+ * Notes:
+ *\li	Question rdatasets have a class and type, but no rdata.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *\li	'rdataset' is a valid, associated, question rdataset.
+ */
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+/*%<
+ * Make 'target' refer to the same rdataset as 'source'.
+ *
+ * Requires:
+ *\li	'source' is a valid, associated rdataset.
+ *
+ *\li	'target' is a valid, dissociated rdataset.
+ *
+ * Ensures:
+ *\li	'target' references the same rdataset as 'source'.
+ */
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset);
+/*%<
+ * Return the number of records in 'rdataset'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	The number of records in 'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset);
+/*%<
+ * Move the rdata cursor to the first rdata in the rdataset (if any).
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset);
+/*%<
+ * Move the rdata cursor to the next rdata in the rdataset (if any).
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no more rdata in the set.
+ */
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+/*%<
+ * Make 'rdata' refer to the current rdata.
+ *
+ * Notes:
+ *
+ *\li	The data returned in 'rdata' is valid for the life of the
+ *	rdataset; in particular, subsequent changes in the cursor position
+ *	do not invalidate 'rdata'.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid, associated rdataset.
+ *
+ *\li	The rdata cursor of 'rdataset' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ * Ensures:
+ *\li	'rdata' refers to the rdata at the rdata cursor location of
+ *\li	'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    bool omit_final_dot,
+		    bool question,
+		    isc_buffer_t *target);
+/*%<
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ *\li	The 'question' flag should normally be #false.  If it is
+ *	#true, the TTL and rdata fields are not printed.  This is
+ *	for use when printing an rdata representing a question section.
+ *
+ *\li	This interface is deprecated; use dns_master_rdatasettottext()
+ * 	and/or dns_master_questiontotext() instead.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    dns_compress_t *cctx,
+		    isc_buffer_t *target,
+		    unsigned int options,
+		    unsigned int *countp);
+/*%<
+ * Convert 'rdataset' to wire format, compressing names as specified
+ * in 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ *\li	The rdata cursor position will be changed.
+ *
+ *\li	The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ *\li	'rdataset' is a valid rdataset.
+ *
+ *\li	'rdataset' is not empty.
+ *
+ *\li	'countp' is a valid pointer.
+ *
+ * Ensures:
+ *\li	On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ *	for the data contained in 'rdataset'.  Any error return leaves
+ *	the buffer unchanged.
+ *
+ *\li	*countp has been incremented by the number of RRs added to
+ *	target.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		- all ok
+ *\li	#ISC_R_NOSPACE		- 'target' doesn't have enough room
+ *
+ *\li	Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ *	dns_name_towire().
+ */
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
+			  const dns_name_t *owner_name,
+			  dns_compress_t *cctx,
+			  isc_buffer_t *target,
+			  dns_rdatasetorderfunc_t order,
+			  const void *order_arg,
+			  unsigned int options,
+			  unsigned int *countp);
+/*%<
+ * Like dns_rdataset_towire(), but sorting the rdatasets according to
+ * the integer value returned by 'order' when called with the rdataset
+ * and 'order_arg' as arguments.
+ *
+ * Requires:
+ *\li	All the requirements of dns_rdataset_towire(), and
+ *	that order_arg is NULL if and only if order is NULL.
+ */
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+			   const dns_name_t *owner_name,
+			   dns_compress_t *cctx,
+			   isc_buffer_t *target,
+			   dns_rdatasetorderfunc_t order,
+			   const void *order_arg,
+			   unsigned int options,
+			   unsigned int *countp,
+			   void **state);
+/*%<
+ * Like dns_rdataset_towiresorted() except that a partial rdataset
+ * may be written.
+ *
+ * Requires:
+ *\li	All the requirements of dns_rdataset_towiresorted().
+ *	If 'state' is non NULL then the current position in the
+ *	rdataset will be remembered if the rdataset in not
+ *	completely written and should be passed on on subsequent
+ *	calls (NOT CURRENTLY IMPLEMENTED).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS if all of the records were written.
+ *\li	#ISC_R_NOSPACE if unable to fit in all of the records. *countp
+ *		      will be updated to reflect the number of records
+ *		      written.
+ */
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+			    dns_additionaldatafunc_t add, void *arg);
+/*%<
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+ *
+ * Requires:
+ *
+ *\li	'rdataset' is a valid, non-question rdataset.
+ *
+ *\li	'add' is a valid dns_additionaldatafunc_t
+ *
+ * Ensures:
+ *
+ *\li	If successful, dns_rdata_additionaldata() will have been called for
+ *	each rdata in 'rdataset'.
+ *
+ *\li	If a call to dns_rdata_additionaldata() is not successful, the
+ *	result returned will be the result of dns_rdataset_additionaldata().
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_rdata_additionaldata() can return.
+ */
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig);
+/*%<
+ * Return the noqname proof for this record.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid.
+ *\li	'neg' and 'negsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Associate a noqname proof with this record.
+ * Sets #DNS_RDATASETATTR_NOQNAME if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
+ *\li	'name' to be valid and have NSEC or NSEC3 and associated RRSIG
+ *	 rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*%<
+ * Return the closest encloser for this record.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid.
+ *\li	'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Associate a closest encloset proof with this record.
+ * Sets #DNS_RDATASETATTR_CLOSEST if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t **zonep,
+			   dns_db_t **dbp,
+			   dns_dbversion_t **versionp,
+			   dns_dbnode_t **nodep,
+			   dns_name_t *fname,
+			   dns_message_t *msg,
+			   isc_stdtime_t now);
+/*%<
+ * Get cached additional information from the DB node for a particular
+ * 'rdataset.'  'type' is one of dns_rdatasetadditional_fromauth,
+ * dns_rdatasetadditional_fromcache, and dns_rdatasetadditional_fromglue,
+ * which specifies the origin of the information.  'qtype' is intended to
+ * be used for specifying a particular rdata type in the cached information.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ * 	ISC_R_FAILURE.
+ * \li	For the other pointers, see dns_acache_getentry().
+ *
+ * Ensures:
+ * \li	See dns_acache_getentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
+ *			  information for 'rdataset.'
+ * \li	Any error that dns_acache_getentry() can return.
+ */
+
+isc_result_t
+dns_rdataset_setadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t *zone,
+			   dns_db_t *db,
+			   dns_dbversion_t *version,
+			   dns_dbnode_t *node,
+			   dns_name_t *fname);
+/*%<
+ * Set cached additional information to the DB node for a particular
+ * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
+ * and 'qtype'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ *	ISC_R_FAILURE.
+ * \li	For the other pointers, see dns_acache_setentry().
+ *
+ * Ensures:
+ * \li	See dns_acache_setentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOMEMORY
+ * \li	Any error that dns_acache_setentry() can return.
+ */
+
+isc_result_t
+dns_rdataset_putadditional(dns_acache_t *acache,
+			   dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype);
+/*%<
+ * Discard cached additional information stored in the DB node for a particular
+ * 'rdataset.'  See dns_rdataset_getadditional for the semantics of 'type'
+ * and 'qtype'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'acache' can be NULL, in which case this function will simply return
+ *	ISC_R_FAILURE.
+ *
+ * Ensures:
+ * \li	See dns_acache_cancelentry().
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE	- additional information caching is not supported.
+ * \li	#ISC_R_NOTFOUND	- the corresponding DB node has not cached additional
+ *			  information for 'rdataset.'
+ */
+
+void
+dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+/*%<
+ * Set the trust of the 'rdataset' to trust in any in the backing database.
+ * The local trust level of 'rdataset' is also set.
+ */
+
+void
+dns_rdataset_expire(dns_rdataset_t *rdataset);
+/*%<
+ * Mark the rdataset to be expired in the backing database.
+ */
+
+void
+dns_rdataset_clearprefetch(dns_rdataset_t *rdataset);
+/*%<
+ * Clear the PREFETCH attribute for the given rdataset in the
+ * underlying database.
+ *
+ * In the cache database, this signals that the rdataset is not
+ * eligible to be prefetched when the TTL is close to expiring.
+ * It has no function in other databases.
+ */
+
+void
+dns_rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name);
+/*%<
+ * Store the casing of 'name', the owner name of 'rdataset', into
+ * a bitfield so that the name can be capitalized the same when when
+ * the rdataset is used later. This sets the CASESET attribute.
+ */
+
+void
+dns_rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * If the CASESET attribute is set, retrieve the case bitfield that was
+ * previously stored by dns_rdataset_getownername(), and capitalize 'name'
+ * according to it. If CASESET is not set, do nothing.
+ */
+
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+		     bool acceptexpired);
+/*%<
+ * Trim the ttl of 'rdataset' and 'sigrdataset' so that they will expire
+ * at or before 'rrsig->expiretime'.  If 'acceptexpired' is true and the
+ * signature has expired or will expire in the next 120 seconds, limit
+ * the ttl to be no more than 120 seconds.
+ *
+ * The ttl is further limited by the original ttl as stored in 'rrsig'
+ * and the original ttl values of 'rdataset' and 'sigrdataset'.
+ *
+ * Requires:
+ * \li	'rdataset' is a valid rdataset.
+ * \li	'sigrdataset' is a valid rdataset.
+ * \li	'rrsig' is non NULL.
+ */
+
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*%<
+ * Display trust in textual form.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASET_H */
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
new file mode 100644
index 0000000..54b3e90
--- /dev/null
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATASETITER_H
+#define DNS_RDATASETITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rdatasetiter.h
+ * \brief
+ * The DNS Rdataset Iterator interface allows iteration of all of the
+ * rdatasets at a node.
+ *
+ * The dns_rdatasetiter_t type is like a "virtual class".  To actually use
+ * it, an implementation of the class is required.  This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_rdataset_disassociate()
+ * on all rdatasets returned.
+ *
+ * XXX more XXX
+ *
+ * MP:
+ *\li	The iterator itself is not locked.  The caller must ensure
+ *	synchronization.
+ *
+ *\li	The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_rdatasetitermethods {
+	void		(*destroy)(dns_rdatasetiter_t **iteratorp);
+	isc_result_t	(*first)(dns_rdatasetiter_t *iterator);
+	isc_result_t	(*next)(dns_rdatasetiter_t *iterator);
+	void		(*current)(dns_rdatasetiter_t *iterator,
+				   dns_rdataset_t *rdataset);
+} dns_rdatasetitermethods_t;
+
+#define DNS_RDATASETITER_MAGIC	     ISC_MAGIC('D','N','S','i')
+#define DNS_RDATASETITER_VALID(i)    ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
+
+/*%
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_rdatasetiter_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  DB implementations
+ * may change the structure.  'magic' must be #DNS_RDATASETITER_MAGIC for
+ * any of the dns_rdatasetiter routines to work.  DB implementations must
+ * maintain all DB rdataset iterator invariants.
+ */
+struct dns_rdatasetiter {
+	/* Unlocked. */
+	unsigned int			magic;
+	dns_rdatasetitermethods_t *	methods;
+	dns_db_t *			db;
+	dns_dbnode_t *			node;
+	dns_dbversion_t *		version;
+	isc_stdtime_t			now;
+};
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+/*%<
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ *\li	'*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the iterator are freed.
+ *
+ *\li	*iteratorp == NULL.
+ */
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
+/*%<
+ * Move the rdataset cursor to the first rdataset at the node (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no rdatasets at the node.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
+/*%<
+ * Move the rdataset cursor to the next rdataset at the node (if any).
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOMORE			There are no more rdatasets at the
+ *					node.
+ *
+ *\li	Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			 dns_rdataset_t *rdataset);
+/*%<
+ * Return the current rdataset.
+ *
+ * Requires:
+ *\li	'iterator' is a valid iterator.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	The rdataset cursor of 'iterator' is at a valid location (i.e. the
+ *	result of last call to a cursor movement command was #ISC_R_SUCCESS).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASETITER_H */
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
new file mode 100644
index 0000000..2e0d0e1
--- /dev/null
+++ b/lib/dns/include/dns/rdataslab.h
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATASLAB_H
+#define DNS_RDATASLAB_H 1
+
+/*! \file dns/rdataslab.h
+ * \brief
+ * Implements storage of rdatasets into slabs of memory.
+ *
+ * MP:
+ *\li	Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ *\li	This module deals with low-level byte streams.  Errors in any of
+ *	the functions are likely to crash the server or corrupt memory.
+ *
+ *\li	If the caller passes invalid memory references, these functions are
+ *	likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ *\li	None.
+ *
+ * Security:
+ *\li	None.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RDATASLAB_FORCE 0x1
+#define DNS_RDATASLAB_EXACT 0x2
+
+#define DNS_RDATASLAB_OFFLINE 0x01 	/* RRSIG is for offline DNSKEY */
+#define DNS_RDATASLAB_WARNMASK 0x0E	/*%< RRSIG(DNSKEY) expired
+					 * warnings number mask. */
+#define DNS_RDATASLAB_WARNSHIFT 1	/*%< How many bits to shift to find
+					 * remaining expired warning number. */
+
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+			   isc_region_t *region, unsigned int reservelen);
+/*%<
+ * Slabify a rdataset.  The slab area will be allocated and returned
+ * in 'region'.
+ *
+ * Requires:
+ *\li	'rdataset' is valid.
+ *
+ * Ensures:
+ *\li	'region' will have base pointing to the start of allocated memory,
+ *	with the slabified region beginning at region->base + reservelen.
+ *	region->length contains the total length allocated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- successful completion
+ *\li	ISC_R_NOMEMORY		- no memory.
+ *\li	XXX others
+ */
+
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+			 dns_rdatatype_t covers, dns_ttl_t ttl,
+			 dns_rdataset_t *rdataset);
+/*%<
+ * Construct an rdataset from a slab.
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ *\li	'rdataset' is disassociated.
+ *
+ * Ensures:
+ *\li	'rdataset' is associated and points to a valid rdataest.
+ */
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+/*%<
+ * Return the total size of an rdataslab.
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ *
+ * Returns:
+ *\li	The number of bytes in the slab, including the reservelen.
+ */
+
+unsigned int
+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen);
+/*%<
+ * Return the number of records in the rdataslab
+ *
+ * Requires:
+ *\li	'slab' points to a slab.
+ *
+ * Returns:
+ *\li	The number of records in the slab.
+ */
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+		    unsigned int reservelen, isc_mem_t *mctx,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		    unsigned int flags, unsigned char **tslabp);
+/*%<
+ * Merge 'oslab' and 'nslab'.
+ */
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+		       unsigned int reservelen, isc_mem_t *mctx,
+		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		       unsigned int flags, unsigned char **tslabp);
+/*%<
+ * Subtract 'sslab' from 'mslab'.  If 'exact' is true then all elements
+ * of 'sslab' must exist in 'mslab'.
+ *
+ * XXX
+ * valid flags are DNS_RDATASLAB_EXACT
+ */
+
+bool
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+		    unsigned int reservelen);
+/*%<
+ * Compare two rdataslabs for equality.  This does _not_ do a full
+ * DNSSEC comparison.
+ *
+ * Requires:
+ *\li	'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ *\li	true if the slabs are equal, false otherwise.
+ */
+bool
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+		     unsigned int reservelen, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type);
+/*%<
+ * Compare two rdataslabs for DNSSEC equality.
+ *
+ * Requires:
+ *\li	'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ *\li	true if the slabs are equal, #false otherwise.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASLAB_H */
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
new file mode 100644
index 0000000..0e79232
--- /dev/null
+++ b/lib/dns/include/dns/rdatatype.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATATYPE_H
+#define DNS_RDATATYPE_H 1
+
+/*! \file dns/rdatatype.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNS rdata type.
+ *
+ * Requires:
+ *\li	'typep' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	DNS_R_UNKNOWN			type is unknown
+ */
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of type 'type' into 'target'.
+ *
+ * Requires:
+ *\li	'type' is a valid type.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+isc_result_t
+dns_rdatatype_tounknowntext(dns_rdatatype_t type, isc_buffer_t *target);
+/*%<
+ * Put textual RFC3597 TYPEXXXX representation of type 'type' into
+ * 'target'.
+ *
+ * Requires:
+ *\li	'type' is a valid type.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#ISC_R_NOSPACE			target buffer is too small
+ */
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype,
+		     char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the type 'rdtype'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATATYPE_FORMATSIZE sizeof("NSEC3PARAM")
+
+/*%<
+ * Minimum size of array to pass to dns_rdatatype_format().
+ * May need to be adjusted if a new RR type with a very long
+ * name is defined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATATYPE_H */
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
new file mode 100644
index 0000000..672d3e9
--- /dev/null
+++ b/lib/dns/include/dns/request.h
@@ -0,0 +1,403 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_REQUEST_H
+#define DNS_REQUEST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/request.h
+ *
+ * \brief
+ * The request module provides simple request/response services useful for
+ * sending SOA queries, DNS Notify messages, and dynamic update requests.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ */
+
+#include <stdbool.h>
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+#define DNS_REQUESTOPT_TCP 0x00000001U
+#define DNS_REQUESTOPT_CASE 0x00000002U
+#define DNS_REQUESTOPT_FIXEDID 0x00000004U
+#define DNS_REQUESTOPT_SHARE 0x00000008U
+
+typedef struct dns_requestevent {
+	ISC_EVENT_COMMON(struct dns_requestevent);
+	isc_result_t result;
+	dns_request_t *request;
+} dns_requestevent_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		      isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
+		      dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+		      dns_requestmgr_t **requestmgrp);
+/*%<
+ * Create a request manager.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *
+ *\li	'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *
+ *\li	requestmgrp != NULL && *requestmgrp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, *requestmgrp is a valid request manager.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any other result indicates failure.
+ */
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+			    isc_event_t **eventp);
+/*%<
+ * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
+ *
+ * Notes:
+ *
+ *\li	It is not safe to detach the last reference to 'requestmgr' until
+ *	shutdown is complete.
+ *
+ * Requires:
+ *
+ *\li	'requestmgr' is a valid request manager.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	*eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
+/*%<
+ * Start the shutdown process for 'requestmgr'.
+ *
+ * Notes:
+ *
+ *\li	This call has no effect if the request manager is already shutting
+ *	down.
+ *
+ * Requires:
+ *
+ *\li	'requestmgr' is a valid requestmgr.
+ */
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
+/*%<
+ *	Attach to the request manager.  dns_requestmgr_shutdown() must not
+ *	have been called on 'source' prior to calling dns_requestmgr_attach().
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid requestmgr.
+ *
+ *\li	'targetp' to be non NULL and '*targetp' to be NULL.
+ */
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
+/*%<
+ *	Detach from the given requestmgr.  If this is the final detach
+ *	requestmgr will be destroyed.  dns_requestmgr_shutdown() must
+ *	be called before the final detach.
+ *
+ * Requires:
+ *
+ *\li	'*requestmgrp' is a valid requestmgr.
+ *
+ * Ensures:
+ *\li	'*requestmgrp' is NULL.
+ */
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		   isc_sockaddr_t *address, unsigned int options,
+		   dns_tsigkey_t *key,
+		   unsigned int timeout, isc_task_t *task,
+		   isc_taskaction_t action, void *arg,
+		   dns_request_t **requestp);
+/*%<
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.
+ *
+ *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ *	compression.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'message' is a valid DNS message.
+ *
+ *\li	'address' is a valid sockaddr.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+/*% See dns_request_createvia4() */
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		      unsigned int options, dns_tsigkey_t *key,
+		      unsigned int timeout, isc_task_t *task,
+		      isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp);
+
+/*% See dns_request_createvia4() */
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+/*% See dns_request_createvia4() */
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+isc_result_t
+dns_request_createvia4(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       isc_dscp_t dscp, unsigned int options,
+		       dns_tsigkey_t *key, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+/*%<
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'message' will be rendered and sent to 'address'.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.  UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
+ *
+ *\li	If the #DNS_REQUESTOPT_CASE option is set, use case sensitive
+ *	compression.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'message' is a valid DNS message.
+ *
+ *\li	'dstaddr' is a valid sockaddr.
+ *
+ *\li	'srcaddr' is a valid sockaddr or NULL.
+ *
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+/*% See dns_request_createraw4() */
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		      unsigned int options, unsigned int timeout,
+		      isc_task_t *task, isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp);
+
+/*% See dns_request_createraw4() */
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+/*% See dns_request_createraw4() */
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+
+isc_result_t
+dns_request_createraw4(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       isc_dscp_t dscp, unsigned int options,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp);
+/*!<
+ * \brief Create and send a request.
+ *
+ * Notes:
+ *
+ *\li	'msgbuf' will be sent to 'destaddr' after setting the id.  If the
+ *	#DNS_REQUESTOPT_TCP option is set, TCP will be used,
+ *	#DNS_REQUESTOPT_SHARE option is set too, connecting TCP
+ *	(vs. connected) will be shared too.  The request
+ *	will timeout after 'timeout' seconds.   UDP requests will be resent
+ *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
+ *
+ *\li	When the request completes, successfully, due to a timeout, or
+ *	because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'msgbuf' is a valid DNS message in compressed wire format.
+ *
+ *\li	'destaddr' is a valid sockaddr.
+ *
+ *\li	'srcaddr' is a valid sockaddr or NULL.
+ *
+ *\li	'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ *\li	'timeout' > 0
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	requestp != NULL && *requestp == NULL
+ */
+
+void
+dns_request_cancel(dns_request_t *request);
+/*%<
+ * Cancel 'request'.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request.
+ *
+ * Ensures:
+ *
+ *\li	If the completion event for 'request' has not yet been sent, it
+ *	will be sent, and the result code will be ISC_R_CANCELED.
+ */
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			unsigned int options);
+/*%<
+ * Get the response to 'request' by filling in 'message'.
+ *
+ * 'options' is passed to dns_message_parse().  See dns_message_parse()
+ * for more details.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request for which the caller has received the
+ *	completion event.
+ *
+ *\li	The result code of the completion event was #ISC_R_SUCCESS.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *
+ *\li	Any result that dns_message_parse() can return.
+ */
+
+bool
+dns_request_usedtcp(dns_request_t *request);
+/*%<
+ * Return whether this query used TCP or not.  Setting #DNS_REQUESTOPT_TCP
+ * in the call to dns_request_create() will cause the function to return
+ * #true, otherwise the result is based on the query message size.
+ *
+ * Requires:
+ *\li	'request' is a valid request.
+ *
+ * Returns:
+ *\li	true	if TCP was used.
+ *\li	false	if UDP was used.
+ */
+
+void
+dns_request_destroy(dns_request_t **requestp);
+/*%<
+ * Destroy 'request'.
+ *
+ * Requires:
+ *
+ *\li	'request' is a valid request for which the caller has received the
+ *	completion event.
+ *
+ * Ensures:
+ *
+ *\li	*requestp == NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_REQUEST_H */
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
new file mode 100644
index 0000000..c09107f
--- /dev/null
+++ b/lib/dns/include/dns/resolver.h
@@ -0,0 +1,714 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RESOLVER_H
+#define DNS_RESOLVER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/resolver.h
+ *
+ * \brief
+ * This is the BIND 9 resolver, the module responsible for resolving DNS
+ * requests by iteratively querying authoritative servers and following
+ * referrals.  This is a "full resolver", not to be confused with
+ * the stub resolvers most people associate with the word "resolver".
+ * The full resolver is part of the caching name server or resolver
+ * daemon the stub resolver talks to.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, TBS
+ *\li	Drafts:	TBS
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+
+#include <dns/types.h>
+#include <dns/fixedname.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * A dns_fetchevent_t is sent when a 'fetch' completes.  Any of 'db',
+ * 'node', 'rdataset', and 'sigrdataset' may be bound.  It is the
+ * receiver's responsibility to detach before freeing the event.
+ * \brief
+ * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were
+ * supplied when dns_resolver_createfetch() was called.  They are returned
+ *  to the caller so that they may be freed.
+ */
+typedef struct dns_fetchevent {
+	ISC_EVENT_COMMON(struct dns_fetchevent);
+	dns_fetch_t *			fetch;
+	isc_result_t			result;
+	dns_rdatatype_t			qtype;
+	dns_db_t *			db;
+	dns_dbnode_t *			node;
+	dns_rdataset_t *		rdataset;
+	dns_rdataset_t *		sigrdataset;
+	dns_fixedname_t			foundname;
+	isc_sockaddr_t *		client;
+	dns_messageid_t			id;
+	isc_result_t			vresult;
+} dns_fetchevent_t;
+
+/*%
+ * The two quota types (fetches-per-zone and fetches-per-server)
+ */
+typedef enum {
+	dns_quotatype_zone = 0,
+	dns_quotatype_server
+} dns_quotatype_t;
+
+/*
+ * Options that modify how a 'fetch' is done.
+ */
+#define DNS_FETCHOPT_TCP		0x0001	     /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x0002	     /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x0004	     /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x0008	     /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY	0x0010	     /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE		0x0020	     /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512		0x0040	     /*%< Advertise a 512 byte
+							  UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID		0x0080	     /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH		0x0100	     /*%< Do prefetch */
+#define DNS_FETCHOPT_NOCDFLAG		0x0200	     /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_NONTA		0x0400	     /*%< Ignore NTA table. */
+/* RESERVED ECS				0x0000 */
+/* RESERVED ECS				0x1000 */
+/* RESERVED ECS				0x2000 */
+/* RESERVED TCPCLIENT			0x4000 */
+#define DNS_FETCHOPT_NOCACHED		0x8000	     /*%< Force cache update. */
+
+/* Reserved in use by adb.c		0x00400000 */
+#define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
+#define	DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
+#define	DNS_FETCHOPT_EDNSVERSIONSHIFT	24
+
+/*
+ * Upper bounds of class of query RTT (ms).  Corresponds to
+ * dns_resstatscounter_queryrttX statistics counters.
+ */
+#define DNS_RESOLVER_QRYRTTCLASS0	10
+#define DNS_RESOLVER_QRYRTTCLASS0STR	"10"
+#define DNS_RESOLVER_QRYRTTCLASS1	100
+#define DNS_RESOLVER_QRYRTTCLASS1STR	"100"
+#define DNS_RESOLVER_QRYRTTCLASS2	500
+#define DNS_RESOLVER_QRYRTTCLASS2STR	"500"
+#define DNS_RESOLVER_QRYRTTCLASS3	800
+#define DNS_RESOLVER_QRYRTTCLASS3STR	"800"
+#define DNS_RESOLVER_QRYRTTCLASS4	1600
+#define DNS_RESOLVER_QRYRTTCLASS4STR	"1600"
+
+/*
+ * XXXRTH  Should this API be made semi-private?  (I.e.
+ * _dns_resolver_create()).
+ */
+
+#define DNS_RESOLVER_CHECKNAMES		0x01
+#define DNS_RESOLVER_CHECKNAMESFAIL	0x02
+
+isc_result_t
+dns_resolver_create(dns_view_t *view,
+		    isc_taskmgr_t *taskmgr,
+		    unsigned int ntasks, unsigned int ndisp,
+		    isc_socketmgr_t *socketmgr,
+		    isc_timermgr_t *timermgr,
+		    unsigned int options,
+		    dns_dispatchmgr_t *dispatchmgr,
+		    dns_dispatch_t *dispatchv4,
+		    dns_dispatch_t *dispatchv6,
+		    dns_resolver_t **resp);
+
+/*%<
+ * Create a resolver.
+ *
+ * Notes:
+ *
+ *\li	Generally, applications should not create a resolver directly, but
+ *	should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *
+ *\li	'taskmgr' is a valid task manager.
+ *
+ *\li	'ntasks' > 0.
+ *
+ *\li	'socketmgr' is a valid socket manager.
+ *
+ *\li	'timermgr' is a valid timer manager.
+ *
+ *\li	'dispatchv4' is a dispatch with an IPv4 UDP socket, or is NULL.
+ *	If not NULL, 'ndisp' clones of it will be created by the resolver.
+ *
+ *\li	'dispatchv6' is a dispatch with an IPv6 UDP socket, or is NULL.
+ *	If not NULL, 'ndisp' clones of it will be created by the resolver.
+ *
+ *\li	resp != NULL && *resp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_resolver_freeze(dns_resolver_t *res);
+/*%<
+ * Freeze resolver.
+ *
+ * Notes:
+ *
+ *\li	Certain configuration changes cannot be made after the resolver
+ *	is frozen.  Fetches cannot be created until the resolver is frozen.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ *
+ * Ensures:
+ *
+ *\li	'res' is frozen.
+ */
+
+void
+dns_resolver_prime(dns_resolver_t *res);
+/*%<
+ * Prime resolver.
+ *
+ * Notes:
+ *
+ *\li	Resolvers which have a forwarding policy other than dns_fwdpolicy_only
+ *	need to be primed with the root nameservers, otherwise the root
+ *	nameserver hints data may be used indefinitely.  This function requests
+ *	that the resolver start a priming fetch, if it isn't already priming.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid, frozen resolver.
+ */
+
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+			  isc_event_t **eventp);
+/*%<
+ * Send '*eventp' to 'task' when 'res' has completed shutdown.
+ *
+ * Notes:
+ *
+ *\li	It is not safe to detach the last reference to 'res' until
+ *	shutdown is complete.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	*eventp is a valid event.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+dns_resolver_shutdown(dns_resolver_t *res);
+/*%<
+ * Start the shutdown process for 'res'.
+ *
+ * Notes:
+ *
+ *\li	This call has no effect if the resolver is already shutting down.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver.
+ */
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
+
+void
+dns_resolver_detach(dns_resolver_t **resp);
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+			 dns_rdatatype_t type,
+			 dns_name_t *domain, dns_rdataset_t *nameservers,
+			 dns_forwarders_t *forwarders,
+			 unsigned int options, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_rdataset_t *rdataset,
+			 dns_rdataset_t *sigrdataset,
+			 dns_fetch_t **fetchp);
+
+isc_result_t
+dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, uint16_t id,
+			  unsigned int options, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp);
+isc_result_t
+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, uint16_t id,
+			  unsigned int options, unsigned int depth,
+			  isc_counter_t *qc, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp);
+/*%<
+ * Recurse to answer a question.
+ *
+ * Notes:
+ *
+ *\li	This call starts a query for 'name', type 'type'.
+ *
+ *\li	The 'domain' is a parent domain of 'name' for which
+ *	a set of name servers 'nameservers' is known.  If no
+ *	such name server information is available, set
+ * 	'domain' and 'nameservers' to NULL.
+ *
+ *\li	'forwarders' is unimplemented, and subject to change when
+ *	we figure out how selective forwarding will work.
+ *
+ *\li	When the fetch completes (successfully or otherwise), a
+ *	#DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
+ *	posted to 'task'.
+ *
+ *\li	The values of 'rdataset' and 'sigrdataset' will be returned in
+ *	the FETCHDONE event.
+ *
+ *\li	'client' and 'id' are used for duplicate query detection.  '*client'
+ *	must remain stable until after 'action' has been called or
+ *	dns_resolver_cancelfetch() is called.
+ *
+ * Requires:
+ *
+ *\li	'res' is a valid resolver that has been frozen.
+ *
+ *\li	'name' is a valid name.
+ *
+ *\li	'type' is not a meta type other than ANY.
+ *
+ *\li	'domain' is a valid name or NULL.
+ *
+ *\li	'nameservers' is a valid NS rdataset (whose owner name is 'domain')
+ *	iff. 'domain' is not NULL.
+ *
+ *\li	'forwarders' is NULL.
+ *
+ *\li	'client' is a valid sockaddr or NULL.
+ *
+ *\li	'options' contains valid options.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ *\li	fetchp != NULL && *fetchp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS					Success
+ *\li	#DNS_R_DUPLICATE
+ *\li	#DNS_R_DROP
+ *
+ *\li	Many other values are possible, all of which indicate failure.
+ */
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch);
+/*%<
+ * Cancel 'fetch'.
+ *
+ * Notes:
+ *
+ *\li	If 'fetch' has not completed, post its FETCHDONE event with a
+ *	result code of #ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ *\li	'fetch' is a valid fetch.
+ */
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp);
+/*%<
+ * Destroy 'fetch'.
+ *
+ * Requires:
+ *
+ *\li	'*fetchp' is a valid fetch.
+ *
+ *\li	The caller has received the FETCHDONE event (either because the
+ *	fetch completed or because dns_resolver_cancelfetch() was called).
+ *
+ * Ensures:
+ *
+ *\li	*fetchp == NULL.
+ */
+
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, bool duplicateok);
+/*%<
+ * Dump a log message on internal state at the completion of given 'fetch'.
+ * 'lctx', 'category', 'module', and 'level' are used to write the log message.
+ * By default, only one log message is written even if the corresponding fetch
+ * context serves multiple clients; if 'duplicateok' is true the suppression
+ * is disabled and the message can be written every time this function is
+ * called.
+ *
+ * Requires:
+ *
+ *\li	'fetch' is a valid fetch, and has completed.
+ */
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver);
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver);
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver);
+
+uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver);
+/*%<
+ * Get the resolver's lame-ttl.  zero => no lame processing.
+ *
+ * Requires:
+ *\li	'resolver' to be valid.
+ */
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, uint32_t lame_ttl);
+/*%<
+ * Set the resolver's lame-ttl.  zero => no lame processing.
+ *
+ * Requires:
+ *\li	'resolver' to be valid.
+ */
+
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver);
+/*%<
+ * Return the number of currently running resolutions in this
+ * resolver.  This is may be less than the number of outstanding
+ * fetches due to multiple identical fetches, or more than the
+ * number of of outstanding fetches due to the fact that resolution
+ * can continue even though a fetch has been canceled.
+ */
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+			  dns_name_t *name, in_port_t port);
+/*%<
+ * Add alternate addresses to be tried in the event that the nameservers
+ * for a zone are not available in the address families supported by the
+ * operating system.
+ *
+ * Require:
+ * \li	only one of 'name' or 'alt' to be valid.
+ */
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, uint16_t udpsize);
+/*%<
+ * Set the EDNS UDP buffer size advertised by the server.
+ */
+
+uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver);
+/*%<
+ * Get the current EDNS UDP buffer size.
+ */
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver);
+/*%<
+ * Clear the disabled DNSSEC algorithms.
+ */
+
+void
+dns_resolver_reset_ds_digests(dns_resolver_t *resolver);
+/*%<
+ * Clear the disabled DS/DLV digest types.
+ */
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int alg);
+/*%<
+ * Mark the given DNSSEC algorithm as disabled and below 'name'.
+ * Valid algorithms are less than 256.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int digest_type);
+/*%<
+ * Mark the given DS/DLV digest type as disabled and below 'name'.
+ * Valid types are less than 256.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int alg);
+/*%<
+ * Check if the given algorithm is supported by this resolver.
+ * This checks whether the algorithm has been disabled via
+ * dns_resolver_disable_algorithm(), then checks the underlying
+ * crypto libraries if it was not specifically disabled.
+ */
+
+bool
+dns_resolver_ds_digest_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int digest_type);
+/*%<
+ * Check if the given digest type is supported by this resolver.
+ * This checks whether the digest type has been disabled via
+ * dns_resolver_disable_ds_digest(), then checks the underlying
+ * crypto libraries if it was not specifically disabled.
+ */
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
+			     bool value);
+
+bool
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
+
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds);
+/*%<
+ * Set the length of time the resolver will work on a query, in seconds.
+ *
+ * If timeout is 0, the default timeout will be applied.
+ *
+ * Requires:
+ * \li  resolver to be valid.
+ */
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver);
+/*%<
+ * Get the current length of time the resolver will work on a query, in seconds.
+ *
+ * Requires:
+ * \li  resolver to be valid.
+ */
+
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver,
+				uint32_t min, uint32_t max);
+void
+dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients);
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur,
+				uint32_t *min, uint32_t *max);
+
+bool
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
+
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state);
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver);
+
+void
+dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *expire);
+/*%<
+ * Add a entry to the bad cache for <name,type> that will expire at 'expire'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li	name to be valid.
+ */
+
+bool
+dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *now);
+/*%<
+ * Check to see if there is a unexpired entry in the bad cache for
+ * <name,type>.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li	name to be valid.
+ */
+
+void
+dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name);
+/*%<
+ * Flush the bad cache of all entries at 'name' if 'name' is non NULL.
+ * Flush the entire bad cache if 'name' is NULL.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_flushbadnames(dns_resolver_t *resolver, dns_name_t *name);
+/*%<
+ * Flush the bad cache of all entries at or below 'name'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ * \li  name != NULL
+ */
+
+void
+dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
+/*%
+ * Print out the contents of the bad cache to 'fp'.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setquerydscp4(dns_resolver_t *resolver, isc_dscp_t dscp);
+isc_dscp_t
+dns_resolver_getquerydscp4(dns_resolver_t *resolver);
+
+void
+dns_resolver_setquerydscp6(dns_resolver_t *resolver, isc_dscp_t dscp);
+isc_dscp_t
+dns_resolver_getquerydscp6(dns_resolver_t *resolver);
+/*%
+ * Get and set the DSCP values for the resolver's IPv4 and IPV6 query
+ * sources.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
+unsigned int
+dns_resolver_getmaxdepth(dns_resolver_t *resolver);
+/*%
+ * Get and set how many NS indirections will be followed when looking for
+ * nameserver addresses.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries);
+unsigned int
+dns_resolver_getmaxqueries(dns_resolver_t *resolver);
+/*%
+ * Get and set how many iterative queries will be allowed before
+ * terminating a recursive query.
+ *
+ * Requires:
+ * \li	resolver to be valid.
+ */
+
+void
+dns_resolver_setquotaresponse(dns_resolver_t *resolver,
+			     dns_quotatype_t which, isc_result_t resp);
+isc_result_t
+dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which);
+/*%
+ * Get and set the result code that will be used when quotas
+ * are exceeded. If 'which' is set to quotatype "zone", then the
+ * result specified in 'resp' will be used when the fetches-per-zone
+ * quota is exceeded by a fetch.  If 'which' is set to quotatype "server",
+ * then the reuslt specified in 'resp' will be used when the
+ * fetches-per-server quota has been exceeded for all the
+ * authoritative servers for a zone.  Valid choices are
+ * DNS_R_DROP or DNS_R_SERVFAIL.
+ *
+ * Requires:
+ * \li	'resolver' to be valid.
+ * \li	'which' to be dns_quotatype_zone or dns_quotatype_server
+ * \li	'resp' to be DNS_R_DROP or DNS_R_SERVFAIL.
+ */
+
+void
+dns_resolver_dumpfetches(dns_resolver_t *resolver,
+			 isc_statsformat_t format, FILE *fp);
+
+
+#ifdef ENABLE_AFL
+/*%
+ * Enable fuzzing of resolver, changes behaviour and eliminates retries
+ */
+void dns_resolver_setfuzzing(void);
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
new file mode 100644
index 0000000..92fa5e1
--- /dev/null
+++ b/lib/dns/include/dns/result.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_RESULT_H
+#define DNS_RESULT_H 1
+
+/*! \file dns/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+#include <dns/types.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DNS result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h>		/* Contractual promise. */
+
+/*
+ * DNS library result codes
+ */
+#define DNS_R_LABELTOOLONG		(ISC_RESULTCLASS_DNS + 0)
+#define DNS_R_BADESCAPE			(ISC_RESULTCLASS_DNS + 1)
+/*
+ * Since we dropped the support of bitstring labels, deprecate the related
+ * result codes too.
+
+#define DNS_R_BADBITSTRING		(ISC_RESULTCLASS_DNS + 2)
+#define DNS_R_BITSTRINGTOOLONG		(ISC_RESULTCLASS_DNS + 3)
+*/
+#define DNS_R_EMPTYLABEL		(ISC_RESULTCLASS_DNS + 4)
+#define DNS_R_BADDOTTEDQUAD		(ISC_RESULTCLASS_DNS + 5)
+#define DNS_R_INVALIDNS			(ISC_RESULTCLASS_DNS + 6)
+#define DNS_R_UNKNOWN			(ISC_RESULTCLASS_DNS + 7)
+#define DNS_R_BADLABELTYPE		(ISC_RESULTCLASS_DNS + 8)
+#define DNS_R_BADPOINTER		(ISC_RESULTCLASS_DNS + 9)
+#define DNS_R_TOOMANYHOPS		(ISC_RESULTCLASS_DNS + 10)
+#define DNS_R_DISALLOWED		(ISC_RESULTCLASS_DNS + 11)
+#define DNS_R_EXTRATOKEN		(ISC_RESULTCLASS_DNS + 12)
+#define DNS_R_EXTRADATA			(ISC_RESULTCLASS_DNS + 13)
+#define DNS_R_TEXTTOOLONG		(ISC_RESULTCLASS_DNS + 14)
+#define DNS_R_NOTZONETOP		(ISC_RESULTCLASS_DNS + 15)
+#define DNS_R_SYNTAX			(ISC_RESULTCLASS_DNS + 16)
+#define DNS_R_BADCKSUM			(ISC_RESULTCLASS_DNS + 17)
+#define DNS_R_BADAAAA			(ISC_RESULTCLASS_DNS + 18)
+#define DNS_R_NOOWNER			(ISC_RESULTCLASS_DNS + 19)
+#define DNS_R_NOTTL			(ISC_RESULTCLASS_DNS + 20)
+#define DNS_R_BADCLASS			(ISC_RESULTCLASS_DNS + 21)
+#define DNS_R_NAMETOOLONG		(ISC_RESULTCLASS_DNS + 22)
+#define DNS_R_PARTIALMATCH		(ISC_RESULTCLASS_DNS + 23)
+#define DNS_R_NEWORIGIN			(ISC_RESULTCLASS_DNS + 24)
+#define DNS_R_UNCHANGED			(ISC_RESULTCLASS_DNS + 25)
+#define DNS_R_BADTTL			(ISC_RESULTCLASS_DNS + 26)
+#define DNS_R_NOREDATA			(ISC_RESULTCLASS_DNS + 27)
+#define DNS_R_CONTINUE			(ISC_RESULTCLASS_DNS + 28)
+#define DNS_R_DELEGATION		(ISC_RESULTCLASS_DNS + 29)
+#define DNS_R_GLUE			(ISC_RESULTCLASS_DNS + 30)
+#define DNS_R_DNAME			(ISC_RESULTCLASS_DNS + 31)
+#define DNS_R_CNAME			(ISC_RESULTCLASS_DNS + 32)
+#define DNS_R_BADDB			(ISC_RESULTCLASS_DNS + 33)
+#define DNS_R_ZONECUT			(ISC_RESULTCLASS_DNS + 34)
+#define DNS_R_BADZONE			(ISC_RESULTCLASS_DNS + 35)
+#define DNS_R_MOREDATA			(ISC_RESULTCLASS_DNS + 36)
+#define DNS_R_UPTODATE			(ISC_RESULTCLASS_DNS + 37)
+#define DNS_R_TSIGVERIFYFAILURE		(ISC_RESULTCLASS_DNS + 38)
+#define DNS_R_TSIGERRORSET		(ISC_RESULTCLASS_DNS + 39)
+#define DNS_R_SIGINVALID		(ISC_RESULTCLASS_DNS + 40)
+#define DNS_R_SIGEXPIRED		(ISC_RESULTCLASS_DNS + 41)
+#define DNS_R_SIGFUTURE			(ISC_RESULTCLASS_DNS + 42)
+#define DNS_R_KEYUNAUTHORIZED		(ISC_RESULTCLASS_DNS + 43)
+#define DNS_R_INVALIDTIME		(ISC_RESULTCLASS_DNS + 44)
+#define DNS_R_EXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 45)
+#define DNS_R_UNEXPECTEDTSIG		(ISC_RESULTCLASS_DNS + 46)
+#define DNS_R_INVALIDTKEY		(ISC_RESULTCLASS_DNS + 47)
+#define DNS_R_HINT			(ISC_RESULTCLASS_DNS + 48)
+#define DNS_R_DROP			(ISC_RESULTCLASS_DNS + 49)
+#define DNS_R_NOTLOADED			(ISC_RESULTCLASS_DNS + 50)
+#define DNS_R_NCACHENXDOMAIN		(ISC_RESULTCLASS_DNS + 51)
+#define DNS_R_NCACHENXRRSET		(ISC_RESULTCLASS_DNS + 52)
+#define DNS_R_WAIT			(ISC_RESULTCLASS_DNS + 53)
+#define DNS_R_NOTVERIFIEDYET		(ISC_RESULTCLASS_DNS + 54)
+#define DNS_R_NOIDENTITY		(ISC_RESULTCLASS_DNS + 55)
+#define DNS_R_NOJOURNAL			(ISC_RESULTCLASS_DNS + 56)
+#define DNS_R_ALIAS			(ISC_RESULTCLASS_DNS + 57)
+#define DNS_R_USETCP			(ISC_RESULTCLASS_DNS + 58)
+#define DNS_R_NOVALIDSIG		(ISC_RESULTCLASS_DNS + 59)
+#define DNS_R_NOVALIDNSEC		(ISC_RESULTCLASS_DNS + 60)
+#define DNS_R_NOTINSECURE		(ISC_RESULTCLASS_DNS + 61)
+#define DNS_R_UNKNOWNSERVICE		(ISC_RESULTCLASS_DNS + 62)
+#define DNS_R_RECOVERABLE		(ISC_RESULTCLASS_DNS + 63)
+#define DNS_R_UNKNOWNOPT		(ISC_RESULTCLASS_DNS + 64)
+#define DNS_R_UNEXPECTEDID		(ISC_RESULTCLASS_DNS + 65)
+#define DNS_R_SEENINCLUDE		(ISC_RESULTCLASS_DNS + 66)
+#define DNS_R_NOTEXACT			(ISC_RESULTCLASS_DNS + 67)
+#define DNS_R_BLACKHOLED		(ISC_RESULTCLASS_DNS + 68)
+#define DNS_R_BADALG			(ISC_RESULTCLASS_DNS + 69)
+#define DNS_R_METATYPE			(ISC_RESULTCLASS_DNS + 70)
+#define DNS_R_CNAMEANDOTHER		(ISC_RESULTCLASS_DNS + 71)
+#define DNS_R_SINGLETON			(ISC_RESULTCLASS_DNS + 72)
+#define DNS_R_HINTNXRRSET		(ISC_RESULTCLASS_DNS + 73)
+#define DNS_R_NOMASTERFILE		(ISC_RESULTCLASS_DNS + 74)
+#define DNS_R_UNKNOWNPROTO		(ISC_RESULTCLASS_DNS + 75)
+#define DNS_R_CLOCKSKEW			(ISC_RESULTCLASS_DNS + 76)
+#define DNS_R_BADIXFR			(ISC_RESULTCLASS_DNS + 77)
+#define DNS_R_NOTAUTHORITATIVE		(ISC_RESULTCLASS_DNS + 78)
+#define DNS_R_NOVALIDKEY		(ISC_RESULTCLASS_DNS + 79)
+#define DNS_R_OBSOLETE			(ISC_RESULTCLASS_DNS + 80)
+#define DNS_R_FROZEN			(ISC_RESULTCLASS_DNS + 81)
+#define DNS_R_UNKNOWNFLAG		(ISC_RESULTCLASS_DNS + 82)
+#define DNS_R_EXPECTEDRESPONSE		(ISC_RESULTCLASS_DNS + 83)
+#define DNS_R_NOVALIDDS			(ISC_RESULTCLASS_DNS + 84)
+#define DNS_R_NSISADDRESS		(ISC_RESULTCLASS_DNS + 85)
+#define DNS_R_REMOTEFORMERR		(ISC_RESULTCLASS_DNS + 86)
+#define DNS_R_TRUNCATEDTCP		(ISC_RESULTCLASS_DNS + 87)
+#define DNS_R_LAME			(ISC_RESULTCLASS_DNS + 88)
+#define DNS_R_UNEXPECTEDRCODE		(ISC_RESULTCLASS_DNS + 89)
+#define DNS_R_UNEXPECTEDOPCODE		(ISC_RESULTCLASS_DNS + 90)
+#define DNS_R_CHASEDSSERVERS		(ISC_RESULTCLASS_DNS + 91)
+#define DNS_R_EMPTYNAME			(ISC_RESULTCLASS_DNS + 92)
+#define DNS_R_EMPTYWILD			(ISC_RESULTCLASS_DNS + 93)
+#define DNS_R_BADBITMAP			(ISC_RESULTCLASS_DNS + 94)
+#define DNS_R_FROMWILDCARD		(ISC_RESULTCLASS_DNS + 95)
+#define DNS_R_BADOWNERNAME		(ISC_RESULTCLASS_DNS + 96)
+#define DNS_R_BADNAME			(ISC_RESULTCLASS_DNS + 97)
+#define DNS_R_DYNAMIC			(ISC_RESULTCLASS_DNS + 98)
+#define DNS_R_UNKNOWNCOMMAND		(ISC_RESULTCLASS_DNS + 99)
+#define DNS_R_MUSTBESECURE		(ISC_RESULTCLASS_DNS + 100)
+#define DNS_R_COVERINGNSEC		(ISC_RESULTCLASS_DNS + 101)
+#define DNS_R_MXISADDRESS		(ISC_RESULTCLASS_DNS + 102)
+#define DNS_R_DUPLICATE			(ISC_RESULTCLASS_DNS + 103)
+#define DNS_R_INVALIDNSEC3		(ISC_RESULTCLASS_DNS + 104)
+#define DNS_R_NOTMASTER 		(ISC_RESULTCLASS_DNS + 105)
+#define DNS_R_BROKENCHAIN		(ISC_RESULTCLASS_DNS + 106)
+#define DNS_R_EXPIRED			(ISC_RESULTCLASS_DNS + 107)
+#define DNS_R_NOTDYNAMIC 		(ISC_RESULTCLASS_DNS + 108)
+#define DNS_R_BADEUI	 		(ISC_RESULTCLASS_DNS + 109)
+#define DNS_R_NTACOVERED		(ISC_RESULTCLASS_DNS + 110)
+#define DNS_R_BADCDS			(ISC_RESULTCLASS_DNS + 111)
+#define DNS_R_BADCDNSKEY		(ISC_RESULTCLASS_DNS + 112)
+#define DNS_R_OPTERR			(ISC_RESULTCLASS_DNS + 113)
+#define DNS_R_BADDNSTAP			(ISC_RESULTCLASS_DNS + 114)
+#define DNS_R_BADTSIG			(ISC_RESULTCLASS_DNS + 115)
+#define DNS_R_BADSIG0			(ISC_RESULTCLASS_DNS + 116)
+#define DNS_R_TOOMANYRECORDS		(ISC_RESULTCLASS_DNS + 117)
+
+#define DNS_R_NRESULTS			118	/*%< Number of results */
+
+/*
+ * DNS wire format rcodes.
+ *
+ * By making these their own class we can easily convert them into the
+ * wire-format rcode value simply by masking off the resultclass.
+ */
+#define DNS_R_NOERROR			(ISC_RESULTCLASS_DNSRCODE + 0)
+#define DNS_R_FORMERR			(ISC_RESULTCLASS_DNSRCODE + 1)
+#define DNS_R_SERVFAIL			(ISC_RESULTCLASS_DNSRCODE + 2)
+#define DNS_R_NXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 3)
+#define DNS_R_NOTIMP			(ISC_RESULTCLASS_DNSRCODE + 4)
+#define DNS_R_REFUSED			(ISC_RESULTCLASS_DNSRCODE + 5)
+#define DNS_R_YXDOMAIN			(ISC_RESULTCLASS_DNSRCODE + 6)
+#define DNS_R_YXRRSET			(ISC_RESULTCLASS_DNSRCODE + 7)
+#define DNS_R_NXRRSET			(ISC_RESULTCLASS_DNSRCODE + 8)
+#define DNS_R_NOTAUTH			(ISC_RESULTCLASS_DNSRCODE + 9)
+#define DNS_R_NOTZONE			(ISC_RESULTCLASS_DNSRCODE + 10)
+#define DNS_R_RCODE11			(ISC_RESULTCLASS_DNSRCODE + 11)
+#define DNS_R_RCODE12			(ISC_RESULTCLASS_DNSRCODE + 12)
+#define DNS_R_RCODE13			(ISC_RESULTCLASS_DNSRCODE + 13)
+#define DNS_R_RCODE14			(ISC_RESULTCLASS_DNSRCODE + 14)
+#define DNS_R_RCODE15			(ISC_RESULTCLASS_DNSRCODE + 15)
+#define DNS_R_BADVERS			(ISC_RESULTCLASS_DNSRCODE + 16)
+
+#define DNS_R_NRCODERESULTS		17	/*%< Number of rcode results */
+
+#define DNS_RESULT_ISRCODE(result) \
+	(ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
+
+ISC_LANG_BEGINDECLS
+
+const char *
+dns_result_totext(isc_result_t);
+
+void
+dns_result_register(void);
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESULT_H */
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
new file mode 100644
index 0000000..f6a1819
--- /dev/null
+++ b/lib/dns/include/dns/rootns.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ROOTNS_H
+#define DNS_ROOTNS_H 1
+
+/*! \file dns/rootns.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		  const char *filename, dns_db_t **target);
+
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db);
+/*
+ * Reports differences between hints and the real roots.
+ *
+ * Requires view, hints and (cache) db to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ROOTNS_H */
diff --git a/lib/dns/include/dns/rpz.h b/lib/dns/include/dns/rpz.h
new file mode 100644
index 0000000..78f3443
--- /dev/null
+++ b/lib/dns/include/dns/rpz.h
@@ -0,0 +1,380 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+
+#ifndef DNS_RPZ_H
+#define DNS_RPZ_H 1
+
+#include <stdbool.h>
+
+#include <isc/deprecated.h>
+#include <isc/event.h>
+#include <isc/ht.h>
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RPZ_PREFIX		"rpz-"
+/*
+ * Sub-zones of various trigger types.
+ */
+#define DNS_RPZ_CLIENT_IP_ZONE	DNS_RPZ_PREFIX"client-ip"
+#define DNS_RPZ_IP_ZONE		DNS_RPZ_PREFIX"ip"
+#define DNS_RPZ_NSIP_ZONE	DNS_RPZ_PREFIX"nsip"
+#define DNS_RPZ_NSDNAME_ZONE	DNS_RPZ_PREFIX"nsdname"
+/*
+ * Special policies.
+ */
+#define DNS_RPZ_PASSTHRU_NAME	DNS_RPZ_PREFIX"passthru"
+#define DNS_RPZ_DROP_NAME	DNS_RPZ_PREFIX"drop"
+#define DNS_RPZ_TCP_ONLY_NAME	DNS_RPZ_PREFIX"tcp-only"
+
+
+typedef uint8_t		dns_rpz_prefix_t;
+
+typedef enum {
+	DNS_RPZ_TYPE_BAD,
+	DNS_RPZ_TYPE_CLIENT_IP,
+	DNS_RPZ_TYPE_QNAME,
+	DNS_RPZ_TYPE_IP,
+	DNS_RPZ_TYPE_NSDNAME,
+	DNS_RPZ_TYPE_NSIP
+} dns_rpz_type_t;
+
+/*
+ * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP
+ * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA
+ * < DNS_RPZ_POLICY_CNAME to choose among competing policies.
+ */
+typedef enum {
+	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
+	DNS_RPZ_POLICY_DISABLED = 1,	/* log what would have happened */
+	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
+	DNS_RPZ_POLICY_DROP = 3,	/* 'drop': do not respond */
+	DNS_RPZ_POLICY_TCP_ONLY = 4,	/* 'tcp-only': answer UDP with TC=1 */
+	DNS_RPZ_POLICY_NXDOMAIN = 5,	/* 'nxdomain': answer with NXDOMAIN */
+	DNS_RPZ_POLICY_NODATA = 6,	/* 'nodata': answer with ANCOUNT=0 */
+	DNS_RPZ_POLICY_CNAME = 7,	/* 'cname x': answer with x's rrsets */
+	DNS_RPZ_POLICY_RECORD,
+	DNS_RPZ_POLICY_WILDCNAME,
+	DNS_RPZ_POLICY_MISS,
+	DNS_RPZ_POLICY_ERROR
+} dns_rpz_policy_t;
+
+typedef uint8_t	    dns_rpz_num_t;
+
+#define DNS_RPZ_MAX_ZONES   32
+#if DNS_RPZ_MAX_ZONES > 32
+# if DNS_RPZ_MAX_ZONES > 64
+#  error "rpz zone bit masks must fit in a word"
+# endif
+typedef uint64_t	    dns_rpz_zbits_t;
+#else
+typedef uint32_t	    dns_rpz_zbits_t;
+#endif
+
+#define DNS_RPZ_ALL_ZBITS   ((dns_rpz_zbits_t)-1)
+
+#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES
+
+#define DNS_RPZ_ZBIT(n)	    (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
+
+/*
+ * Mask of the specified and higher numbered policy zones
+ * Avoid hassles with (1<<33) or (1<<65)
+ */
+#define DNS_RPZ_ZMASK(n)    ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \
+						0 : (1<<((n)+1))) -1))
+
+/*
+ * The trigger counter type.
+ */
+typedef size_t dns_rpz_trigger_counter_t;
+
+/*
+ * The number of triggers of each type in a response policy zone.
+ */
+typedef struct dns_rpz_triggers dns_rpz_triggers_t;
+struct dns_rpz_triggers {
+	dns_rpz_trigger_counter_t	client_ipv4;
+	dns_rpz_trigger_counter_t	client_ipv6;
+	dns_rpz_trigger_counter_t	qname;
+	dns_rpz_trigger_counter_t	ipv4;
+	dns_rpz_trigger_counter_t	ipv6;
+	dns_rpz_trigger_counter_t	nsdname;
+	dns_rpz_trigger_counter_t	nsipv4;
+	dns_rpz_trigger_counter_t	nsipv6;
+};
+
+/*
+ * A single response policy zone.
+ */
+typedef struct dns_rpz_zone dns_rpz_zone_t;
+struct dns_rpz_zone {
+	isc_refcount_t	refs;
+	dns_rpz_num_t	num;		/* ordinal in list of policy zones */
+	dns_name_t	origin;		/* Policy zone name */
+	dns_name_t	client_ip;	/* DNS_RPZ_CLIENT_IP_ZONE.origin. */
+	dns_name_t	ip;		/* DNS_RPZ_IP_ZONE.origin. */
+	dns_name_t	nsdname;	/* DNS_RPZ_NSDNAME_ZONE.origin */
+	dns_name_t	nsip;		/* DNS_RPZ_NSIP_ZONE.origin. */
+	dns_name_t	passthru;	/* DNS_RPZ_PASSTHRU_NAME. */
+	dns_name_t	drop;		/* DNS_RPZ_DROP_NAME. */
+	dns_name_t	tcp_only;	/* DNS_RPZ_TCP_ONLY_NAME. */
+	dns_name_t	cname;		/* override value for ..._CNAME */
+	dns_ttl_t	max_policy_ttl;
+	dns_rpz_policy_t policy;	/* DNS_RPZ_POLICY_GIVEN or override */
+};
+
+/*
+ * Radix tree node for response policy IP addresses
+ */
+typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
+
+/*
+ * Bitfields indicating which policy zones have policies of
+ * which type.
+ */
+typedef struct dns_rpz_have dns_rpz_have_t;
+struct dns_rpz_have {
+	dns_rpz_zbits_t	    client_ipv4;
+	dns_rpz_zbits_t	    client_ipv6;
+	dns_rpz_zbits_t	    client_ip;
+	dns_rpz_zbits_t	    qname;
+	dns_rpz_zbits_t	    ipv4;
+	dns_rpz_zbits_t	    ipv6;
+	dns_rpz_zbits_t	    ip;
+	dns_rpz_zbits_t	    nsdname;
+	dns_rpz_zbits_t	    nsipv4;
+	dns_rpz_zbits_t	    nsipv6;
+	dns_rpz_zbits_t	    nsip;
+	dns_rpz_zbits_t	    qname_skip_recurse;
+};
+
+/*
+ * Policy options
+ */
+typedef struct dns_rpz_popt dns_rpz_popt_t;
+struct dns_rpz_popt {
+	dns_rpz_zbits_t	    no_rd_ok;
+	dns_rpz_zbits_t	    no_log;
+	bool	    break_dnssec;
+	bool	    qname_wait_recurse;
+	bool	    nsip_wait_recurse;
+	unsigned int	    min_ns_labels;
+	dns_rpz_num_t	    num_zones;
+};
+
+/*
+ * Response policy zones known to a view.
+ */
+typedef struct dns_rpz_zones dns_rpz_zones_t;
+struct dns_rpz_zones {
+	dns_rpz_popt_t		p;
+	dns_rpz_zone_t		*zones[DNS_RPZ_MAX_ZONES];
+	dns_rpz_triggers_t	triggers[DNS_RPZ_MAX_ZONES];
+
+	/*
+	 * RPZ policy version number (initially 0, increases whenever
+	 * the server is reconfigured with new zones or policy)
+	 */
+	int			rpz_ver;
+
+	dns_rpz_zbits_t		defined;
+
+	/*
+	 * The set of records for a policy zone are in one of these states:
+	 *	never loaded		    load_begun=0  have=0
+	 *	during initial loading	    load_begun=1  have=0
+	 *				and rbtdb->rpzsp == rbtdb->load_rpzsp
+	 *	after good load		    load_begun=1  have!=0
+	 *	after failed initial load   load_begun=1  have=0
+	 *				and rbtdb->load_rpzsp == NULL
+	 *	reloading after failure	    load_begun=1  have=0
+	 *	reloading after success
+	 *		main rpzs	    load_begun=1  have!=0
+	 *		load rpzs	    load_begun=1  have=0
+	 */
+	dns_rpz_zbits_t		load_begun;
+	dns_rpz_have_t		have;
+
+	/*
+	 * total_triggers maintains the total number of triggers in all
+	 * policy zones in the view. It is only used to print summary
+	 * statistics after a zone load of how the trigger counts
+	 * changed.
+	 */
+	dns_rpz_triggers_t	total_triggers;
+
+	isc_mem_t		*mctx;
+	isc_refcount_t		refs;
+	/*
+	 * One lock for short term read-only search that guarantees the
+	 * consistency of the pointers.
+	 * A second lock for maintenance that guarantees no other thread
+	 * is adding or deleting nodes.
+	 */
+	isc_rwlock_t		search_lock;
+	isc_mutex_t		maint_lock;
+
+	dns_rpz_cidr_node_t	*cidr;
+	dns_rbt_t		*rbt;
+};
+
+
+/*
+ * context for finding the best policy
+ */
+typedef struct {
+	unsigned int		state;
+# define DNS_RPZ_REWRITTEN	0x0001
+# define DNS_RPZ_DONE_CLIENT_IP	0x0002	/* client IP address checked */
+# define DNS_RPZ_DONE_QNAME	0x0004	/* qname checked */
+# define DNS_RPZ_DONE_QNAME_IP	0x0008	/* IP addresses of qname checked */
+# define DNS_RPZ_DONE_NSDNAME	0x0010	/* NS name missed; checking addresses */
+# define DNS_RPZ_DONE_IPv4	0x0020
+# define DNS_RPZ_RECURSING	0x0040
+# define DNS_RPZ_ACTIVE		0x0080
+	/*
+	 * Best match so far.
+	 */
+	struct {
+		dns_rpz_type_t		type;
+		dns_rpz_zone_t		*rpz;
+		dns_rpz_prefix_t	prefix;
+		dns_rpz_policy_t	policy;
+		dns_ttl_t		ttl;
+		isc_result_t		result;
+		dns_zone_t		*zone;
+		dns_db_t		*db;
+		dns_dbversion_t		*version;
+		dns_dbnode_t		*node;
+		dns_rdataset_t		*rdataset;
+	} m;
+	/*
+	 * State for chasing IP addresses and NS names including recursion.
+	 */
+	struct {
+		unsigned int		label;
+		dns_db_t		*db;
+		dns_rdataset_t		*ns_rdataset;
+		dns_rdatatype_t		r_type;
+		isc_result_t		r_result;
+		dns_rdataset_t		*r_rdataset;
+	} r;
+
+	/*
+	 * State of real query while recursing for NSIP or NSDNAME.
+	 */
+	struct {
+		isc_result_t		result;
+		bool		is_zone;
+		bool		authoritative;
+		dns_zone_t		*zone;
+		dns_db_t		*db;
+		dns_dbnode_t		*node;
+		dns_rdataset_t		*rdataset;
+		dns_rdataset_t		*sigrdataset;
+		dns_rdatatype_t		qtype;
+	} q;
+
+	/*
+	 * A copy of the 'have' and 'p' structures and the RPZ
+	 * policy version as of the beginning of RPZ processing,
+	 * used to avoid problems when policy is updated while
+	 * RPZ recursion is ongoing.
+	 */
+	dns_rpz_have_t		have;
+	dns_rpz_popt_t		popt;
+	int			rpz_ver;
+
+	/*
+	 * p_name: current policy owner name
+	 * r_name: recursing for this name to possible policy triggers
+	 * f_name: saved found name from before recursion
+	 */
+	dns_name_t		*p_name;
+	dns_name_t		*r_name;
+	dns_name_t		*fname;
+	dns_fixedname_t		_p_namef;
+	dns_fixedname_t		_r_namef;
+	dns_fixedname_t		_fnamef;
+} dns_rpz_st_t;
+
+#define DNS_RPZ_TTL_DEFAULT		5
+#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT
+
+/*
+ * So various response policy zone messages can be turned up or down.
+ */
+#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
+#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
+#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
+#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
+#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
+#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type);
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str);
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy);
+
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+		     dns_name_t *selfname);
+
+isc_result_t
+dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx);
+
+void
+dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);
+
+void
+dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp);
+
+isc_result_t
+dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
+		  dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num);
+
+isc_result_t
+dns_rpz_ready(dns_rpz_zones_t *rpzs,
+	      dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num);
+
+isc_result_t
+dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);
+
+void
+dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);
+
+dns_rpz_num_t
+dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
+		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);
+
+dns_rpz_zbits_t
+dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		  dns_rpz_zbits_t zbits, dns_name_t *trig_name);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RPZ_H */
diff --git a/lib/dns/include/dns/rriterator.h b/lib/dns/include/dns/rriterator.h
new file mode 100644
index 0000000..8c0c076
--- /dev/null
+++ b/lib/dns/include/dns/rriterator.h
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: rriterator.h,v 1.4 2011/11/01 23:47:00 tbox Exp $ */
+
+#ifndef DNS_RRITERATOR_H
+#define DNS_RRITERATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/rriterator.h
+ * \brief
+ * Functions for "walking" a zone database, visiting each RR or RRset in turn.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/stdtime.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+/*%
+ * A dns_rriterator_t is an iterator that iterates over an entire database,
+ * returning one RR at a time, in some arbitrary order.
+ */
+
+typedef struct dns_rriterator {
+	unsigned int		magic;
+	isc_result_t		result;
+	dns_db_t		*db;
+	dns_dbiterator_t 	*dbit;
+	dns_dbversion_t 	*ver;
+	isc_stdtime_t		now;
+	dns_dbnode_t		*node;
+	dns_fixedname_t		fixedname;
+	dns_rdatasetiter_t 	*rdatasetit;
+	dns_rdataset_t 		rdataset;
+	dns_rdata_t		rdata;
+} dns_rriterator_t;
+
+#define RRITERATOR_MAGIC		ISC_MAGIC('R', 'R', 'I', 't')
+#define VALID_RRITERATOR(m)		ISC_MAGIC_VALID(m, RRITERATOR_MAGIC)
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db,
+		       dns_dbversion_t *ver, isc_stdtime_t now);
+/*%
+ * Initialize an rriterator; sets the cursor to the origin node
+ * of the database.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the first rdata in the database.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more rrsets in the database
+ */
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it);
+/*%<
+ * Move the rriterator cursor to the next rrset in the database,
+ * skipping over any remaining records that have the same rdatatype
+ * as the current one.
+ *
+ * Requires:
+ *\li	'it' is a valid, initialized rriterator
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more records in the database
+ */
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
+			  uint32_t *ttl, dns_rdataset_t **rdataset,
+			  dns_rdata_t **rdata);
+/*%<
+ * Make '*name' refer to the current name.  If 'rdataset' is not NULL,
+ * make '*rdataset' refer to the current * rdataset.  If '*rdata' is not
+ * NULL, make '*rdata' refer to the current record.
+ *
+ * Requires:
+ *\li	'*name' is a valid name object
+ *\li	'rdataset' is NULL or '*rdataset' is NULL
+ *\li	'rdata' is NULL or '*rdata' is NULL
+ *
+ * Ensures:
+ *\li	'rdata' refers to the rdata at the rdata cursor location of
+ *\li	'rdataset'.
+ */
+
+void
+dns_rriterator_pause(dns_rriterator_t *it);
+/*%<
+ * Pause rriterator.  Frees any locks held by the database iterator.
+ * Callers should use this routine any time they are not going to
+ * execute another rriterator method in the immediate future.
+ *
+ * Requires:
+ *\li	'it' is a valid iterator.
+ *
+ * Ensures:
+ *\li	Any database locks being held for efficiency of iterator access are
+ *	released.
+ */
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it);
+/*%<
+ * Shut down and free resources in rriterator 'it'.
+ *
+ * Requires:
+ *
+ *\li	'it' is a valid iterator.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the rriterator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRITERATOR_H */
diff --git a/lib/dns/include/dns/rrl.h b/lib/dns/include/dns/rrl.h
new file mode 100644
index 0000000..0301ed8
--- /dev/null
+++ b/lib/dns/include/dns/rrl.h
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RRL_H
+#define DNS_RRL_H 1
+
+/*
+ * Rate limit DNS responses.
+ */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+
+/*
+ * Memory allocation or other failures.
+ */
+#define DNS_RRL_LOG_FAIL	ISC_LOG_WARNING
+/*
+ * dropped or slipped responses.
+ */
+#define DNS_RRL_LOG_DROP	ISC_LOG_INFO
+/*
+ * Major events in dropping or slipping.
+ */
+#define DNS_RRL_LOG_DEBUG1	ISC_LOG_DEBUG(3)
+/*
+ * Limit computations.
+ */
+#define DNS_RRL_LOG_DEBUG2	ISC_LOG_DEBUG(4)
+/*
+ * Even less interesting.
+ */
+#define DNS_RRL_LOG_DEBUG3	ISC_LOG_DEBUG(9)
+
+
+#define DNS_RRL_LOG_ERR_LEN	64
+#define DNS_RRL_LOG_BUF_LEN	(sizeof("would continue limiting") +	\
+				 DNS_RRL_LOG_ERR_LEN +			\
+				 sizeof(" responses to ") +		\
+				 ISC_NETADDR_FORMATSIZE +		\
+				 sizeof("/128 for IN ") +		\
+				 DNS_RDATATYPE_FORMATSIZE +		\
+				 DNS_NAME_FORMATSIZE)
+
+
+typedef struct dns_rrl_hash dns_rrl_hash_t;
+
+/*
+ * Response types.
+ */
+typedef enum {
+	DNS_RRL_RTYPE_FREE = 0,
+	DNS_RRL_RTYPE_QUERY,
+	DNS_RRL_RTYPE_REFERRAL,
+	DNS_RRL_RTYPE_NODATA,
+	DNS_RRL_RTYPE_NXDOMAIN,
+	DNS_RRL_RTYPE_ERROR,
+	DNS_RRL_RTYPE_ALL,
+	DNS_RRL_RTYPE_TCP,
+} dns_rrl_rtype_t;
+
+/*
+ * A rate limit bucket key.
+ * This should be small to limit the total size of the database.
+ * The hash of the qname should be wide enough to make the probability
+ * of collisions among requests from a single IP address block less than 50%.
+ * We need a 32-bit hash value for 10000 qps (e.g. random qnames forged
+ * by attacker) to collide with legitimate qnames from the target with
+ * probability at most 1%.
+ */
+#define DNS_RRL_MAX_PREFIX  64
+typedef union dns_rrl_key dns_rrl_key_t;
+struct dns__rrl_key {
+	uint32_t	    ip[DNS_RRL_MAX_PREFIX/32];
+	uint32_t	    qname_hash;
+	dns_rdatatype_t	    qtype;
+	uint8_t         qclass;
+	unsigned int	    rtype   :4; /* dns_rrl_rtype_t */
+	unsigned int	    ipv6    :1;
+};
+union dns_rrl_key {
+	struct dns__rrl_key s;
+	uint16_t	w[sizeof(struct dns__rrl_key)/sizeof(uint16_t)];
+};
+
+/*
+ * A rate-limit entry.
+ * This should be small to limit the total size of the table of entries.
+ */
+typedef struct dns_rrl_entry dns_rrl_entry_t;
+typedef ISC_LIST(dns_rrl_entry_t) dns_rrl_bin_t;
+struct dns_rrl_entry {
+	ISC_LINK(dns_rrl_entry_t) lru;
+	ISC_LINK(dns_rrl_entry_t) hlink;
+	dns_rrl_key_t	key;
+# define DNS_RRL_RESPONSE_BITS	24
+	signed int	responses   :DNS_RRL_RESPONSE_BITS;
+# define DNS_RRL_QNAMES_BITS	8
+	unsigned int	log_qname   :DNS_RRL_QNAMES_BITS;
+
+# define DNS_RRL_TS_GEN_BITS	2
+	unsigned int	ts_gen	    :DNS_RRL_TS_GEN_BITS;
+	unsigned int	ts_valid    :1;
+# define DNS_RRL_HASH_GEN_BITS	1
+	unsigned int	hash_gen    :DNS_RRL_HASH_GEN_BITS;
+	unsigned int	logged	    :1;
+# define DNS_RRL_LOG_BITS	11
+	unsigned int	log_secs    :DNS_RRL_LOG_BITS;
+
+# define DNS_RRL_TS_BITS	12
+	unsigned int	ts	    :DNS_RRL_TS_BITS;
+
+# define DNS_RRL_MAX_SLIP	10
+	unsigned int	slip_cnt    :4;
+};
+
+#define DNS_RRL_MAX_TIME_TRAVEL	5
+#define DNS_RRL_FOREVER		(1<<DNS_RRL_TS_BITS)
+#define DNS_RRL_MAX_TS		(DNS_RRL_FOREVER - 1)
+
+#define DNS_RRL_MAX_RESPONSES	((1<<(DNS_RRL_RESPONSE_BITS-1))-1)
+#define DNS_RRL_MAX_WINDOW	3600
+#if DNS_RRL_MAX_WINDOW >= DNS_RRL_MAX_TS
+#error "DNS_RRL_MAX_WINDOW is too large"
+#endif
+#define DNS_RRL_MAX_RATE	1000
+#if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW)
+#error "DNS_RRL_MAX_rate is too large"
+#endif
+
+#if (1<<DNS_RRL_LOG_BITS) >= DNS_RRL_FOREVER
+#error DNS_RRL_LOG_BITS is too big
+#endif
+#define DNS_RRL_MAX_LOG_SECS	1800
+#if DNS_RRL_MAX_LOG_SECS >= (1<<DNS_RRL_LOG_BITS)
+#error "DNS_RRL_MAX_LOG_SECS is too large"
+#endif
+#define DNS_RRL_STOP_LOG_SECS	60
+#if DNS_RRL_STOP_LOG_SECS >= (1<<DNS_RRL_LOG_BITS)
+#error "DNS_RRL_STOP_LOG_SECS is too large"
+#endif
+
+
+/*
+ * A hash table of rate-limit entries.
+ */
+struct dns_rrl_hash {
+	isc_stdtime_t	check_time;
+	unsigned int	gen	    :DNS_RRL_HASH_GEN_BITS;
+	int		length;
+	dns_rrl_bin_t	bins[1];
+};
+
+/*
+ * A block of rate-limit entries.
+ */
+typedef struct dns_rrl_block dns_rrl_block_t;
+struct dns_rrl_block {
+	ISC_LINK(dns_rrl_block_t) link;
+	int		size;
+	dns_rrl_entry_t	entries[1];
+};
+
+/*
+ * A rate limited qname buffer.
+ */
+typedef struct dns_rrl_qname_buf dns_rrl_qname_buf_t;
+struct dns_rrl_qname_buf {
+	ISC_LINK(dns_rrl_qname_buf_t) link;
+	const dns_rrl_entry_t *e;
+	unsigned int	    index;
+	dns_fixedname_t	    qname;
+};
+
+typedef struct dns_rrl_rate dns_rrl_rate_t;
+struct dns_rrl_rate {
+	int	    r;
+	int	    scaled;
+	const char  *str;
+};
+
+/*
+ * Per-view query rate limit parameters and a pointer to database.
+ */
+typedef struct dns_rrl dns_rrl_t;
+struct dns_rrl {
+	isc_mutex_t	lock;
+	isc_mem_t	*mctx;
+
+	bool	log_only;
+	dns_rrl_rate_t	responses_per_second;
+	dns_rrl_rate_t	referrals_per_second;
+	dns_rrl_rate_t	nodata_per_second;
+	dns_rrl_rate_t	nxdomains_per_second;
+	dns_rrl_rate_t	errors_per_second;
+	dns_rrl_rate_t	all_per_second;
+	dns_rrl_rate_t	slip;
+	int		window;
+	double		qps_scale;
+	int		max_entries;
+
+	dns_acl_t	*exempt;
+
+	int		num_entries;
+
+	int		qps_responses;
+	isc_stdtime_t	qps_time;
+	double		qps;
+
+	unsigned int	probes;
+	unsigned int	searches;
+
+	ISC_LIST(dns_rrl_block_t) blocks;
+	ISC_LIST(dns_rrl_entry_t) lru;
+
+	dns_rrl_hash_t	*hash;
+	dns_rrl_hash_t	*old_hash;
+	unsigned int	hash_gen;
+
+	unsigned int	ts_gen;
+# define DNS_RRL_TS_BASES   (1<<DNS_RRL_TS_GEN_BITS)
+	isc_stdtime_t	ts_bases[DNS_RRL_TS_BASES];
+
+	int		ipv4_prefixlen;
+	uint32_t	ipv4_mask;
+	int		ipv6_prefixlen;
+	uint32_t	ipv6_mask[4];
+
+	isc_stdtime_t	log_stops_time;
+	dns_rrl_entry_t	*last_logged;
+	int		num_logged;
+	int		num_qnames;
+	ISC_LIST(dns_rrl_qname_buf_t) qname_free;
+# define DNS_RRL_QNAMES	    (1<<DNS_RRL_QNAMES_BITS)
+	dns_rrl_qname_buf_t *qnames[DNS_RRL_QNAMES];
+};
+
+typedef enum {
+	DNS_RRL_RESULT_OK,
+	DNS_RRL_RESULT_DROP,
+	DNS_RRL_RESULT_SLIP,
+} dns_rrl_result_t;
+
+dns_rrl_result_t
+dns_rrl(dns_view_t *view,
+	const isc_sockaddr_t *client_addr, bool is_tcp,
+	dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
+	dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now,
+	bool wouldlog, char *log_buf, unsigned int log_buf_len);
+
+void
+dns_rrl_view_destroy(dns_view_t *view);
+
+isc_result_t
+dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRL_H */
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
new file mode 100644
index 0000000..c033b60
--- /dev/null
+++ b/lib/dns/include/dns/sdb.h
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_SDB_H
+#define DNS_SDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/sdb.h
+ * \brief
+ * Simple database API.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+
+#include <dns/clientinfo.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A simple database.  This is an opaque type.
+ */
+typedef struct dns_sdb dns_sdb_t;
+
+/*%
+ * A simple database lookup in progress.  This is an opaque type.
+ */
+typedef struct dns_sdblookup dns_sdblookup_t;
+
+/*%
+ * A simple database traversal in progress.  This is an opaque type.
+ */
+typedef struct dns_sdballnodes dns_sdballnodes_t;
+
+typedef isc_result_t
+(*dns_sdblookupfunc_t)(const char *zone, const char *name, void *dbdata,
+		       dns_sdblookup_t *lookup,
+		       dns_clientinfomethods_t *methods,
+		       dns_clientinfo_t *clientinfo);
+typedef isc_result_t
+(*dns_sdblookup2func_t)(const dns_name_t *zone, const dns_name_t *name,
+			void *dbdata, dns_sdblookup_t *lookup,
+			dns_clientinfomethods_t *methods,
+			dns_clientinfo_t *clientinfo);
+
+typedef isc_result_t
+(*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata, dns_sdblookup_t *);
+
+typedef isc_result_t
+(*dns_sdballnodesfunc_t)(const char *zone, void *dbdata,
+			 dns_sdballnodes_t *allnodes);
+
+typedef isc_result_t
+(*dns_sdbcreatefunc_t)(const char *zone, int argc, char **argv,
+		       void *driverdata, void **dbdata);
+
+typedef void
+(*dns_sdbdestroyfunc_t)(const char *zone, void *driverdata, void **dbdata);
+
+
+typedef struct dns_sdbmethods {
+	dns_sdblookupfunc_t	lookup;
+	dns_sdbauthorityfunc_t	authority;
+	dns_sdballnodesfunc_t	allnodes;
+	dns_sdbcreatefunc_t	create;
+	dns_sdbdestroyfunc_t	destroy;
+	dns_sdblookup2func_t	lookup2;
+} dns_sdbmethods_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
+#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
+#define DNS_SDBFLAG_THREADSAFE 0x00000004U
+#define DNS_SDBFLAG_DNS64 0x00000008U
+
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdbimplementation_t **sdbimp);
+/*%<
+ * Register a simple database driver for the database type 'drivername',
+ * implemented by the functions in '*methods'.
+ *
+ * sdbimp must point to a NULL dns_sdbimplementation_t pointer.  That is,
+ * sdbimp != NULL && *sdbimp == NULL.  It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ *
+ * The name server will perform lookups in the database by calling the
+ * function 'lookup', passing it a printable zone name 'zone', a printable
+ * domain name 'name', and a copy of the argument 'dbdata' that
+ * was potentially returned by the create function.  The 'dns_sdblookup_t'
+ * argument to 'lookup' and 'authority' is an opaque pointer to be passed to
+ * ns_sdb_putrr().
+ *
+ * The lookup function returns the lookup results to the name server
+ * by calling ns_sdb_putrr() once for each record found.  On success,
+ * the return value of the lookup function should be ISC_R_SUCCESS.
+ * If the domain name 'name' does not exist, the lookup function should
+ * ISC_R_NOTFOUND.  Any other return value is treated as an error.
+ *
+ * Lookups at the zone apex will cause the server to also call the
+ * function 'authority' (if non-NULL), which must provide an SOA record
+ * and NS records for the zone by calling ns_sdb_putrr() once for each of
+ * these records.  The 'authority' function may be NULL if invoking
+ * the 'lookup' function on the zone apex will return SOA and NS records.
+ *
+ * The allnodes function, if non-NULL, fills in an opaque structure to be
+ * used by a database iterator.  This allows the zone to be transferred.
+ * This may use a considerable amount of memory for large zones, and the
+ * zone transfer may not be fully RFC1035 compliant if the zone is
+ * frequently changed.
+ *
+ * The create function will be called for each zone configured
+ * into the name server using this database type.  It can be used
+ * to create a "database object" containing zone specific data,
+ * which can make use of the database arguments specified in the
+ * name server configuration.
+ *
+ * The destroy function will be called to free the database object
+ * when its zone is destroyed.
+ *
+ * The create and destroy functions may be NULL.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVEOWNER, the lookup and authority
+ * functions will be called with relative names rather than absolute names.
+ * The string "@" represents the zone apex in this case.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVERDATA, the rdata strings may
+ * include relative names.  Otherwise, all names in the rdata string must
+ * be absolute.  Be aware that if relative names are allowed, any
+ * absolute names must contain a trailing dot.
+ *
+ * If flags includes DNS_SDBFLAG_THREADSAFE, the driver must be able to
+ * handle multiple lookups in parallel.  Otherwise, calls into the driver
+ * are serialized.
+ */
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
+/*%<
+ * Removes the simple database driver from the list of registered database
+ * types.  There must be no active databases of this type when this function
+ * is called.
+ */
+
+/*% See dns_sdb_putradata() */
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data);
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
+		 const unsigned char *rdata, unsigned int rdlen);
+/*%<
+ * Add a single resource record to the lookup structure to be
+ * returned in the query response.  dns_sdb_putrr() takes the
+ * resource record in master file text format as a null-terminated
+ * string, and dns_sdb_putrdata() takes the raw RDATA in
+ * uncompressed wire format.
+ */
+
+/*% See dns_sdb_putnamerdata() */
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data);
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl,
+		      const void *rdata, unsigned int rdlen);
+/*%<
+ * Add a single resource record to the allnodes structure to be
+ * included in a zone transfer response, in text or wire
+ * format as above.
+ */
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+	       uint32_t serial);
+/*%<
+ * This function may optionally be called from the 'authority' callback
+ * to simplify construction of the SOA record for 'zone'.  It will
+ * provide a SOA listing 'mname' as as the master server and 'rname' as
+ * the responsible person mailbox.  It is the responsibility of the
+ * driver to increment the serial number between responses if necessary.
+ * All other SOA fields will have reasonable default values.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SDB_H */
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
new file mode 100644
index 0000000..5b6bc3e
--- /dev/null
+++ b/lib/dns/include/dns/sdlz.h
@@ -0,0 +1,374 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file dns/sdlz.h */
+
+#ifndef SDLZ_H
+#define SDLZ_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <dns/clientinfo.h>
+#include <dns/dlz.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDLZFLAG_THREADSAFE		0x00000001U
+#define DNS_SDLZFLAG_RELATIVEOWNER	0x00000002U
+#define DNS_SDLZFLAG_RELATIVERDATA	0x00000004U
+
+ /* A simple DLZ database. */
+typedef struct dns_sdlz_db dns_sdlz_db_t;
+
+ /* A simple DLZ database lookup in progress. */
+typedef struct dns_sdlzlookup dns_sdlzlookup_t;
+
+ /* A simple DLZ database traversal in progress. */
+typedef struct dns_sdlzallnodes dns_sdlzallnodes_t;
+
+typedef isc_result_t (*dns_sdlzallnodesfunc_t)(const char *zone,
+					       void *driverarg,
+					       void *dbdata,
+					       dns_sdlzallnodes_t *allnodes);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an all nodes method.  This method is called when the DNS
+ * server is performing a zone transfer query, after the allow zone
+ * transfer method has been called.  This method is only called if the
+ * allow zone transfer method returned ISC_R_SUCCESS.  This method and
+ * the allow zone transfer method are both required for zone transfers
+ * to be supported.  If the driver generates data dynamically (instead
+ * of searching in a database for it) it should not implement this
+ * function as a zone transfer would be meaningless.  A SDLZ driver
+ * does not have to implement an all nodes method.
+ */
+
+typedef isc_result_t (*dns_sdlzallowzonexfr_t)(void *driverarg,
+					       void *dbdata, const char *name,
+					       const char *client);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an allow zone transfer method.  This method is called when
+ * the DNS server is performing a zone transfer query, before the all
+ * nodes method can be called.  This method and the all node method
+ * are both required for zone transfers to be supported.  If the
+ * driver generates data dynamically (instead of searching in a
+ * database for it) it should not implement this function as a zone
+ * transfer would be meaningless.  A SDLZ driver does not have to
+ * implement an allow zone transfer method.
+ *
+ * This method should return ISC_R_SUCCESS if the zone is supported by
+ * the database and a zone transfer is allowed for the specified
+ * client.  If the zone is supported by the database, but zone
+ * transfers are not allowed for the specified client this method
+ * should return ISC_R_NOPERM..  Lastly the method should return
+ * ISC_R_NOTFOUND if the zone is not supported by the database.  If an
+ * error occurs it should return a result code indicating the type of
+ * error.
+ */
+
+typedef isc_result_t (*dns_sdlzauthorityfunc_t)(const char *zone,
+						void *driverarg, void *dbdata,
+						dns_sdlzlookup_t *lookup);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply an authority method.  This method is called when the DNS
+ * server is performing a query, after both the find zone and lookup
+ * methods have been called.  This method is required if the lookup
+ * function does not supply authority information for the dns
+ * record. A SDLZ driver does not have to implement an authority
+ * method.
+ */
+
+typedef isc_result_t (*dns_sdlzcreate_t)(const char *dlzname,
+					 unsigned int argc, char *argv[],
+					 void *driverarg, void **dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a create method.  This method is called when the DNS server
+ * is starting up and creating drivers for use later. A SDLZ driver
+ * does not have to implement a create method.
+ */
+
+typedef void (*dns_sdlzdestroy_t)(void *driverarg, void *dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a destroy method.  This method is called when the DNS server
+ * is shutting down and no longer needs the driver.  A SDLZ driver does
+ * not have to implement a destroy method.
+ */
+
+typedef isc_result_t
+(*dns_sdlzfindzone_t)(void *driverarg, void *dbdata, const char *name,
+		      dns_clientinfomethods_t *methods,
+		      dns_clientinfo_t *clientinfo);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a find zone method.  This method is called when the DNS
+ * server is performing a query to to determine if 'name' is a
+ * supported dns zone.  The find zone method will be called with the
+ * longest possible name first, and continue to be called with
+ * successively shorter domain names, until any of the following
+ * occur:
+ *
+ * \li	1) the function returns (ISC_R_SUCCESS) indicating a zone name
+ *	   match.
+ *
+ * \li	2) a problem occurs, and the functions returns anything other than
+ *	   (ISC_R_NOTFOUND)
+ *
+ * \li	3) we run out of domain name labels. I.E. we have tried the
+ *	   shortest domain name
+ *
+ * \li	4) the number of labels in the domain name is less than min_labels
+ *	   for dns_dlzfindzone
+ *
+ * The driver's find zone method should return ISC_R_SUCCESS if the
+ * zone is supported by the database.  Otherwise it should return
+ * ISC_R_NOTFOUND, if the zone is not supported.  If an error occurs
+ * it should return a result code indicating the type of error.
+ */
+
+typedef isc_result_t
+(*dns_sdlzlookupfunc_t)(const char *zone, const char *name, void *driverarg,
+			void *dbdata, dns_sdlzlookup_t *lookup,
+			dns_clientinfomethods_t *methods,
+			dns_clientinfo_t *clientinfo);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface MUST
+ * supply a lookup method.  This method is called when the
+ * DNS server is performing a query, after the find zone and before any
+ * other methods have been called.  This function returns DNS record
+ * information using the dns_sdlz_putrr and dns_sdlz_putsoa functions.
+ * If this function supplies authority information for the DNS record
+ * the authority method is not required.  If it does not, the
+ * authority function is required.
+ *
+ * The 'methods' and 'clientinfo' args allow an SDLZ driver to retrieve
+ * information about the querying client (such as source IP address)
+ * from the caller.
+ */
+
+typedef isc_result_t (*dns_sdlznewversion_t)(const char *zone,
+					     void *driverarg, void *dbdata,
+					     void **versionp);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a newversion method.  This method is called to start a
+ * write transaction on a zone and should only be implemented by
+ * writeable backends.
+ * When implemented, the driver should create a new transaction, and
+ * fill *versionp with a pointer to the transaction state. The
+ * closeversion function will be called to close the transaction.
+ */
+
+typedef void (*dns_sdlzcloseversion_t)(const char *zone, bool commit,
+				       void *driverarg, void *dbdata,
+				       void **versionp);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface must
+ * supply a closeversion method if they supply a newversion method.
+ * When implemented, the driver should close the given transaction,
+ * committing changes if 'commit' is true. If 'commit' is not true
+ * then all changes should be discarded and the database rolled back.
+ * If the call is successful then *versionp should be set to NULL
+ */
+
+typedef isc_result_t (*dns_sdlzconfigure_t)(dns_view_t *view,
+					    dns_dlzdb_t *dlzdb,
+					    void *driverarg, void *dbdata);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a configure method. When supplied, it will be called
+ * immediately after the create method to give the driver a chance
+ * to configure writeable zones
+ */
+
+
+typedef bool (*dns_sdlzssumatch_t)(const char *signer,
+					    const char *name,
+					    const char *tcpaddr,
+					    const char *type,
+					    const char *key,
+					    uint32_t keydatalen,
+					    unsigned char *keydata,
+					    void *driverarg,
+					    void *dbdata);
+
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a ssumatch method. If supplied, then ssumatch will be
+ * called to authorize any zone updates. The driver should return
+ * true to allow the update, and false to deny it. For a DLZ
+ * controlled zone, this is the only access control on updates.
+ */
+
+
+typedef isc_result_t (*dns_sdlzmodrdataset_t)(const char *name,
+					      const char *rdatastr,
+					      void *driverarg, void *dbdata,
+					      void *version);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply addrdataset and subtractrdataset methods. If supplied, then these
+ * will be called when rdatasets are added/subtracted during
+ * updates. The version parameter comes from a call to the sdlz
+ * newversion() method from the driver. The rdataset parameter is a
+ * linearise string representation of the rdataset change. The format
+ * is the same as used by dig when displaying records. The fields are
+ * tab delimited.
+ */
+
+typedef isc_result_t (*dns_sdlzdelrdataset_t)(const char *name,
+					      const char *type,
+					      void *driverarg, void *dbdata,
+					      void *version);
+/*%<
+ * Method prototype.  Drivers implementing the SDLZ interface may
+ * supply a delrdataset method. If supplied, then this
+ * function will be called when rdatasets are deleted during
+ * updates. The call should remove all rdatasets of the given type for
+ * the specified name.
+ */
+
+typedef struct dns_sdlzmethods {
+	dns_sdlzcreate_t	create;
+	dns_sdlzdestroy_t	destroy;
+	dns_sdlzfindzone_t	findzone;
+	dns_sdlzlookupfunc_t	lookup;
+	dns_sdlzauthorityfunc_t	authority;
+	dns_sdlzallnodesfunc_t	allnodes;
+	dns_sdlzallowzonexfr_t	allowzonexfr;
+	dns_sdlznewversion_t    newversion;
+	dns_sdlzcloseversion_t  closeversion;
+	dns_sdlzconfigure_t	configure;
+	dns_sdlzssumatch_t	ssumatch;
+	dns_sdlzmodrdataset_t	addrdataset;
+	dns_sdlzmodrdataset_t	subtractrdataset;
+	dns_sdlzdelrdataset_t	delrdataset;
+} dns_sdlzmethods_t;
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp);
+/*%<
+ * Register a dynamically loadable zones (dlz) driver for the database
+ * type 'drivername', implemented by the functions in '*methods'.
+ *
+ * sdlzimp must point to a NULL dns_sdlzimplementation_t pointer.
+ * That is, sdlzimp != NULL && *sdlzimp == NULL.  It will be assigned
+ * a value that will later be used to identify the driver when
+ * deregistering it.
+ */
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp);
+
+/*%<
+ * Removes the sdlz driver from the list of registered sdlz drivers.
+ * There must be no active sdlz drivers of this type when this
+ * function is called.
+ */
+
+typedef isc_result_t dns_sdlz_putnamedrr_t(dns_sdlzallnodes_t *allnodes,
+					   const char *name,
+					   const char *type,
+					   dns_ttl_t ttl,
+					   const char *data);
+dns_sdlz_putnamedrr_t dns_sdlz_putnamedrr;
+
+/*%<
+ * Add a single resource record to the allnodes structure to be later
+ * parsed into a zone transfer response.
+ */
+
+typedef isc_result_t dns_sdlz_putrr_t(dns_sdlzlookup_t *lookup,
+				      const char *type,
+				      dns_ttl_t ttl,
+				      const char *data);
+dns_sdlz_putrr_t dns_sdlz_putrr;
+/*%<
+ * Add a single resource record to the lookup structure to be later
+ * parsed into a query response.
+ */
+
+typedef isc_result_t dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup,
+				       const char *mname,
+				       const char *rname,
+				       uint32_t serial);
+dns_sdlz_putsoa_t dns_sdlz_putsoa;
+/*%<
+ * This function may optionally be called from the 'authority'
+ * callback to simplify construction of the SOA record for 'zone'.  It
+ * will provide a SOA listing 'mname' as as the master server and
+ * 'rname' as the responsible person mailbox.  It is the
+ * responsibility of the driver to increment the serial number between
+ * responses if necessary.  All other SOA fields will have reasonable
+ * default values.
+ */
+
+
+typedef isc_result_t dns_sdlz_setdb_t(dns_dlzdb_t *dlzdatabase,
+				      dns_rdataclass_t rdclass,
+				      dns_name_t *name,
+				      dns_db_t **dbp);
+dns_sdlz_setdb_t dns_sdlz_setdb;
+/*%<
+ * Create the database pointers for a writeable SDLZ zone
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* SDLZ_H */
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
new file mode 100644
index 0000000..e27d6b4
--- /dev/null
+++ b/lib/dns/include/dns/secalg.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_SECALG_H
+#define DNS_SECALG_H 1
+
+/*! \file dns/secalg.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC security algorithm value.
+ * The text may contain either a mnemonic algorithm name or a decimal algorithm
+ * number.
+ *
+ * Requires:
+ *\li	'secalgp' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DNSSEC security algorithm 'secalg'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'secalg' is a valid secalg.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *\li		The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+#define DNS_SECALG_FORMATSIZE 20
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size);
+/*%<
+ * Wrapper for dns_secalg_totext(), writing text into 'cp'
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECALG_H */
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
new file mode 100644
index 0000000..7ee8958
--- /dev/null
+++ b/lib/dns/include/dns/secproto.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_SECPROTO_H
+#define DNS_SECPROTO_H 1
+
+/*! \file dns/secproto.h */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a DNSSEC security protocol value.
+ * The text may contain either a mnemonic protocol name or a decimal protocol
+ * number.
+ *
+ * Requires:
+ *\li	'secprotop' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_RANGE			numeric type is out of range
+ *\li	DNS_R_UNKNOWN			mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
+/*%<
+ * Put a textual representation of the DNSSEC security protocol 'secproto'
+ * into 'target'.
+ *
+ * Requires:
+ *\li	'secproto' is a valid secproto.
+ *
+ *\li	'target' is a valid text buffer.
+ *
+ * Ensures,
+ *	if the result is success:
+ *	\li	The used space in 'target' is updated.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			on success
+ *\li	ISC_R_NOSPACE			target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECPROTO_H */
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
new file mode 100644
index 0000000..1e97e7a
--- /dev/null
+++ b/lib/dns/include/dns/soa.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_SOA_H
+#define DNS_SOA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/soa.h
+ * \brief
+ * SOA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SOA_BUFFERSIZE      ((2 * DNS_NAME_MAXWIRE) + (4 * 5))
+
+isc_result_t
+dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
+		   dns_rdataclass_t rdclass,
+		   uint32_t serial, uint32_t refresh,
+		   uint32_t retry, uint32_t expire,
+		   uint32_t minimum, unsigned char *buffer,
+		   dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of an SOA record.
+ *
+ * Requires:
+ *\li   buffer  Points to a temporary buffer of at least
+ *              DNS_SOA_BUFFERSIZE bytes.
+ *\li   rdata   Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *  \li    *rdata       Contains a valid SOA rdata.  The 'data' member
+ *  			refers to 'buffer'.
+ */
+
+uint32_t
+dns_soa_getserial(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getretry(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata);
+uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata);
+/*
+ * Extract an integer field from the rdata of a SOA record.
+ *
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+void
+dns_soa_setserial(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setrefresh(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setretry(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setexpire(uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setminimum(uint32_t val, dns_rdata_t *rdata);
+/*
+ * Change an integer field of a SOA record by modifying the
+ * rdata in-place.
+ *
+ * Requires:
+ *	rdata refers to the rdata of a well-formed SOA record.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SOA_H */
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
new file mode 100644
index 0000000..402583c
--- /dev/null
+++ b/lib/dns/include/dns/ssu.h
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_SSU_H
+#define DNS_SSU_H 1
+
+/*! \file dns/ssu.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/acl.h>
+#include <dns/types.h>
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	dns_ssumatchtype_name = 0,
+	dns_ssumatchtype_subdomain = 1,
+	dns_ssumatchtype_wildcard = 2,
+	dns_ssumatchtype_self    = 3,
+	dns_ssumatchtype_selfsub = 4,
+	dns_ssumatchtype_selfwild = 5,
+	dns_ssumatchtype_selfkrb5 = 6,
+	dns_ssumatchtype_selfms  = 7,
+	dns_ssumatchtype_subdomainms = 8,
+	dns_ssumatchtype_subdomainkrb5 = 9,
+	dns_ssumatchtype_tcpself = 10,
+	dns_ssumatchtype_6to4self = 11,
+	dns_ssumatchtype_external = 12,
+	dns_ssumatchtype_local = 13,
+	dns_ssumatchtype_selfsubms = 14,
+	dns_ssumatchtype_selfsubkrb5 = 15,
+	dns_ssumatchtype_max = 15,	/* max value */
+
+	dns_ssumatchtype_dlz = 16	/* intentionally higher than _max */
+} dns_ssumatchtype_t;
+
+#define DNS_SSUMATCHTYPE_NAME		dns_ssumatchtype_name
+#define DNS_SSUMATCHTYPE_SUBDOMAIN	dns_ssumatchtype_subdomain
+#define DNS_SSUMATCHTYPE_WILDCARD	dns_ssumatchtype_wildcard
+#define DNS_SSUMATCHTYPE_SELF		dns_ssumatchtype_self
+#define DNS_SSUMATCHTYPE_SELFSUB	dns_ssumatchtype_selfsub
+#define DNS_SSUMATCHTYPE_SELFWILD	dns_ssumatchtype_selfwild
+#define DNS_SSUMATCHTYPE_SELFKRB5	dns_ssumatchtype_selfkrb5
+#define DNS_SSUMATCHTYPE_SELFMS		dns_ssumatchtype_selfms
+#define DNS_SSUMATCHTYPE_SUBDOMAINMS	dns_ssumatchtype_subdomainms
+#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	dns_ssumatchtype_subdomainkrb5
+#define DNS_SSUMATCHTYPE_TCPSELF	dns_ssumatchtype_tcpself
+#define DNS_SSUMATCHTYPE_6TO4SELF	dns_ssumatchtype_6to4self
+#define DNS_SSUMATCHTYPE_EXTERNAL	dns_ssumatchtype_external
+#define DNS_SSUMATCHTYPE_LOCAL		dns_ssumatchtype_local
+#define DNS_SSUMATCHTYPE_MAX 		dns_ssumatchtype_max  /* max value */
+
+#define DNS_SSUMATCHTYPE_DLZ		dns_ssumatchtype_dlz  /* intentionally higher than _MAX */
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
+/*%<
+ *	Creates a table that will be used to store simple-secure-update rules.
+ *	Note: all locking must be provided by the client.
+ *
+ *	Requires:
+ *\li		'mctx' is a valid memory context
+ *\li		'table' is not NULL, and '*table' is NULL
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+		       dns_dlzdb_t *dlzdatabase);
+/*%<
+ * Create an SSU table that contains a dlzdatabase pointer, and a
+ * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU
+ * table is used by writeable DLZ drivers to offload authorization for
+ * updates to the driver.
+ */
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
+/*%<
+ *	Attach '*targetp' to 'source'.
+ *
+ *	Requires:
+ *\li		'source' is a valid SSU table
+ *\li		'targetp' points to a NULL dns_ssutable_t *.
+ *
+ *	Ensures:
+ *\li		*targetp is attached to source.
+ */
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep);
+/*%<
+ *	Detach '*tablep' from its simple-secure-update rule table.
+ *
+ *	Requires:
+ *\li		'tablep' points to a valid dns_ssutable_t
+ *
+ *	Ensures:
+ *\li		*tablep is NULL
+ *\li		If '*tablep' is the last reference to the SSU table, all
+ *			resources used by the table will be freed.
+ */
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
+		     dns_name_t *identity, unsigned int matchtype,
+		     dns_name_t *name, unsigned int ntypes,
+		     dns_rdatatype_t *types);
+/*%<
+ *	Adds a new rule to a simple-secure-update rule table.  The rule
+ *	either grants or denies update privileges of an identity (or set of
+ *	identities) to modify a name (or set of names) or certain types present
+ *	at that name.
+ *
+ *	Notes:
+ *\li		If 'matchtype' is of SELF type, this rule only matches if the
+ *              name to be updated matches the signing identity.
+ *
+ *\li		If 'ntypes' is 0, this rule applies to all types except
+ *		NS, SOA, RRSIG, and NSEC.
+ *
+ *\li		If 'types' includes ANY, this rule applies to all types
+ *		except NSEC.
+ *
+ *	Requires:
+ *\li		'table' is a valid SSU table
+ *\li		'identity' is a valid absolute name
+ *\li		'matchtype' must be one of the defined constants.
+ *\li		'name' is a valid absolute name
+ *\li		If 'ntypes' > 0, 'types' must not be NULL
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS
+ *\li		ISC_R_NOMEMORY
+ */
+
+bool
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, isc_netaddr_t *addr,
+			dns_rdatatype_t type, const dst_key_t *key);
+bool
+dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, isc_netaddr_t *addr,
+			bool tcp, const dns_aclenv_t *env,
+			dns_rdatatype_t type, const dst_key_t *key);
+/*%<
+ *	Checks that the attempted update of (name, type) is allowed according
+ *	to the rules specified in the simple-secure-update rule table.  If
+ *	no rules are matched, access is denied.
+ *
+ *	Notes:
+ *		In dns_ssutable_checkrules(), 'addr' should only be
+ *		set if the request received via TCP.  This provides a
+ *		weak assurance that the request was not spoofed.
+ *		'addr' is to to validate DNS_SSUMATCHTYPE_TCPSELF
+ *		and DNS_SSUMATCHTYPE_6TO4SELF rules.
+ *
+ *		In dns_ssutable_checkrules2(), 'addr' can also be passed for
+ *		UDP requests and TCP is specified via the 'tcp' parameter.
+ *		In addition to DNS_SSUMATCHTYPE_TCPSELF and
+ *		tcp_ssumatchtype_6to4self  rules, the address
+ *		also be used to check DNS_SSUMATCHTYPE_LOCAL rules.
+ *		If 'addr' is set then 'env' must also be set so that
+ *		requests from non-localhost addresses can be rejected.
+ *
+ *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
+ *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
+ *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
+ *		Section 2.5, "IP6.ARPA Domain".
+ *
+ *		For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
+ *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
+ *		the top	48 bits of the IPv6 address are mapped to the reverse
+ *		name. This is independent of whether the most significant 16
+ *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
+ *
+ *	Requires:
+ *\li		'table' is a valid SSU table
+ *\li		'signer' is NULL or a valid absolute name
+ *\li		'addr' is NULL or a valid network address.
+ *\li		'aclenv' is NULL or a valid ACL environment.
+ *\li		'name' is a valid absolute name
+ *\li		if 'addr' is not NULL, 'env' is not NULL.
+ */
+
+
+/*% Accessor functions to extract rule components */
+bool	dns_ssurule_isgrant(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+dns_name_t *	dns_ssurule_identity(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+unsigned int	dns_ssurule_matchtype(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+dns_name_t *	dns_ssurule_name(const dns_ssurule_t *rule);
+/*% Accessor functions to extract rule components */
+unsigned int	dns_ssurule_types(const dns_ssurule_t *rule,
+				  dns_rdatatype_t **types);
+
+isc_result_t	dns_ssutable_firstrule(const dns_ssutable_t *table,
+				       dns_ssurule_t **rule);
+/*%<
+ * Initiates a rule iterator.  There is no need to maintain any state.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
+ */
+
+isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
+				      dns_ssurule_t **nextrule);
+/*%<
+ * Returns the next rule in the table.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE
+ */
+
+bool
+dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
+		       dns_name_t *name, isc_netaddr_t *tcpaddr,
+		       dns_rdatatype_t type, const dst_key_t *key,
+		       isc_mem_t *mctx);
+/*%<
+ * Check a policy rule via an external application
+ */
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
+/*%<
+ * Set 'mtype' from 'str'
+ *
+ * Requires:
+ *\li		'str' is not NULL.
+ *\li		'mtype' is not NULL,
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SSU_H */
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
new file mode 100644
index 0000000..9ef47af
--- /dev/null
+++ b/lib/dns/include/dns/stats.h
@@ -0,0 +1,466 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef DNS_STATS_H
+#define DNS_STATS_H 1
+
+/*! \file dns/stats.h */
+
+#include <inttypes.h>
+
+#include <dns/types.h>
+
+/*%
+ * Statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	/*%
+	 * Resolver statistics counters.
+	 */
+	dns_resstatscounter_queryv4 = 0,
+	dns_resstatscounter_queryv6 = 1,
+	dns_resstatscounter_responsev4 = 2,
+	dns_resstatscounter_responsev6 = 3,
+	dns_resstatscounter_nxdomain = 4,
+	dns_resstatscounter_servfail = 5,
+	dns_resstatscounter_formerr = 6,
+	dns_resstatscounter_othererror = 7,
+	dns_resstatscounter_edns0fail = 8,
+	dns_resstatscounter_mismatch = 9,
+	dns_resstatscounter_truncated = 10,
+	dns_resstatscounter_lame = 11,
+	dns_resstatscounter_retry = 12,
+	dns_resstatscounter_gluefetchv4 = 13,
+	dns_resstatscounter_gluefetchv6 = 14,
+	dns_resstatscounter_gluefetchv4fail = 15,
+	dns_resstatscounter_gluefetchv6fail = 16,
+	dns_resstatscounter_val = 17,
+	dns_resstatscounter_valsuccess = 18,
+	dns_resstatscounter_valnegsuccess = 19,
+	dns_resstatscounter_valfail = 20,
+	dns_resstatscounter_dispabort = 21,
+	dns_resstatscounter_dispsockfail = 22,
+	dns_resstatscounter_querytimeout = 23,
+	dns_resstatscounter_queryrtt0 = 24,
+	dns_resstatscounter_queryrtt1 = 25,
+	dns_resstatscounter_queryrtt2 = 26,
+	dns_resstatscounter_queryrtt3 = 27,
+	dns_resstatscounter_queryrtt4 = 28,
+	dns_resstatscounter_queryrtt5 = 29,
+	dns_resstatscounter_nfetch = 30,
+	dns_resstatscounter_disprequdp = 31,
+	dns_resstatscounter_dispreqtcp = 32,
+	dns_resstatscounter_buckets = 33,
+	dns_resstatscounter_refused = 34,
+	dns_resstatscounter_cookienew = 35,
+	dns_resstatscounter_cookieout = 36,
+	dns_resstatscounter_cookiein = 37,
+	dns_resstatscounter_cookieok = 38,
+	dns_resstatscounter_badvers = 39,
+	dns_resstatscounter_badcookie = 40,
+	dns_resstatscounter_zonequota = 41,
+	dns_resstatscounter_serverquota = 42,
+	dns_resstatscounter_nextitem = 43,
+	dns_resstatscounter_max = 44,
+
+	/*
+	 * DNSSEC stats.
+	 */
+	dns_dnssecstats_asis = 0,
+	dns_dnssecstats_downcase = 1,
+	dns_dnssecstats_wildcard = 2,
+	dns_dnssecstats_fail = 3,
+
+	dns_dnssecstats_max = 4,
+
+	/*%
+	 * Zone statistics counters.
+	 */
+	dns_zonestatscounter_notifyoutv4 = 0,
+	dns_zonestatscounter_notifyoutv6 = 1,
+	dns_zonestatscounter_notifyinv4 = 2,
+	dns_zonestatscounter_notifyinv6 = 3,
+	dns_zonestatscounter_notifyrej = 4,
+	dns_zonestatscounter_soaoutv4 = 5,
+	dns_zonestatscounter_soaoutv6 = 6,
+	dns_zonestatscounter_axfrreqv4 = 7,
+	dns_zonestatscounter_axfrreqv6 = 8,
+	dns_zonestatscounter_ixfrreqv4 = 9,
+	dns_zonestatscounter_ixfrreqv6 = 10,
+	dns_zonestatscounter_xfrsuccess = 11,
+	dns_zonestatscounter_xfrfail = 12,
+
+	dns_zonestatscounter_max = 13,
+
+	/*
+	 * Adb statistics values.
+	 */
+	dns_adbstats_nentries = 0,
+	dns_adbstats_entriescnt = 1,
+	dns_adbstats_nnames = 2,
+	dns_adbstats_namescnt = 3,
+
+	dns_adbstats_max = 4,
+
+	/*
+	 * Cache statistics values.
+	 */
+	dns_cachestatscounter_hits = 1,
+	dns_cachestatscounter_misses = 2,
+	dns_cachestatscounter_queryhits = 3,
+	dns_cachestatscounter_querymisses = 4,
+	dns_cachestatscounter_deletelru = 5,
+	dns_cachestatscounter_deletettl = 6,
+
+	dns_cachestatscounter_max = 7,
+
+	/*%
+	 * Query statistics counters (obsolete).
+	 */
+	dns_statscounter_success = 0,    /*%< Successful lookup */
+	dns_statscounter_referral = 1,   /*%< Referral result */
+	dns_statscounter_nxrrset = 2,    /*%< NXRRSET result */
+	dns_statscounter_nxdomain = 3,   /*%< NXDOMAIN result */
+	dns_statscounter_recursion = 4,  /*%< Recursion was used */
+	dns_statscounter_failure = 5,    /*%< Some other failure */
+	dns_statscounter_duplicate = 6,  /*%< Duplicate query */
+	dns_statscounter_dropped = 7,	 /*%< Duplicate query (dropped) */
+
+	/*%
+	 * DNSTAP statistics counters.
+	 */
+	dns_dnstapcounter_success = 0,
+	dns_dnstapcounter_drop =  1,
+	dns_dnstapcounter_max = 2
+};
+
+#define DNS_STATS_NCOUNTERS 8
+
+#if 0
+/*%<
+ * Flag(s) for dns_xxxstats_dump().  DNS_STATSDUMP_VERBOSE is obsolete.
+ * ISC_STATSDUMP_VERBOSE should be used instead.  These two values are
+ * intentionally defined to be the same value to ensure binary compatibility.
+ */
+#define DNS_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
+#endif
+
+/*%<
+ * (Obsoleted)
+ */
+LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
+
+/*%
+ * Attributes for statistics counters of RRset and Rdatatype types.
+ *
+ * _OTHERTYPE
+ *	The rdata type is not explicitly supported and the corresponding counter
+ *	is counted for other such types, too.  When this attribute is set,
+ *	the base type is of no use.
+ *
+ * _NXRRSET
+ * 	RRset type counters only.  Indicates the RRset is non existent.
+ *
+ * _NXDOMAIN
+ *	RRset type counters only.  Indicates a non existent name.  When this
+ *	attribute is set, the base type is of no use.
+ *
+ * _STALE
+ *	RRset type counters only.  This indicates a record that marked for
+ *	removal.
+ *
+ *	Note: incrementing _STALE will decrement the corresponding non-stale
+ *	counter.
+ */
+#define DNS_RDATASTATSTYPE_ATTR_OTHERTYPE	0x0001
+#define DNS_RDATASTATSTYPE_ATTR_NXRRSET		0x0002
+#define DNS_RDATASTATSTYPE_ATTR_NXDOMAIN	0x0004
+#define DNS_RDATASTATSTYPE_ATTR_STALE		0x0008
+
+/*%<
+ * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t.
+ */
+#define DNS_RDATASTATSTYPE_BASE(type)	((dns_rdatatype_t)((type) & 0xFFFF))
+#define DNS_RDATASTATSTYPE_ATTR(type)	((type) >> 16)
+#define DNS_RDATASTATSTYPE_VALUE(b, a)	(((a) << 16) | (b))
+
+/*%<
+ * Types of dump callbacks.
+ */
+typedef void (*dns_generalstats_dumper_t)(isc_statscounter_t, uint64_t,
+					  void *);
+typedef void (*dns_rdatatypestats_dumper_t)(dns_rdatastatstype_t, uint64_t,
+					    void *);
+typedef void (*dns_opcodestats_dumper_t)(dns_opcode_t, uint64_t, void *);
+
+typedef void (*dns_rcodestats_dumper_t)(dns_rcode_t, uint64_t, void *);
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ * This function is obsolete.  A more general function, isc_stats_create(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per rdatatype.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per RRset.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per opcode.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per assigned rcode.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+dns_stats_detach(dns_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid dns_stats_t.
+ */
+
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.  This function is obsolete.
+ * A more general function, isc_stats_increment(), should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type);
+/*%<
+ * Increment the statistics counter for 'type'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatatypestats_create().
+ */
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Increment the statistics counter for 'rrsettype'.
+ *
+ * Note: if 'rrsettype' has the _STALE attribute set the corresponding
+ * non-stale counter will be decremented.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Decrement the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_opcodestats_create().
+ */
+
+void
+dns_rcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rcodestats_create().
+ */
+
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * This function is obsolete.  A more general function, isc_stats_dump(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding opcode, the current
+ * counter value and the given argument arg.  By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rcodestats_dump(dns_stats_t *stats, dns_rcodestats_dumper_t dump_fn,
+		    void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding rcode, the current
+ * counter value and the given argument arg.  By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, uint64_t **ctrp);
+/*%<
+ * Allocate an array of query statistics counters from the memory
+ * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_xxxstats_create() instead.
+ */
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, uint64_t **ctrp);
+/*%<
+ * Free an array of query statistics counters allocated from the memory
+ * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_stats_destroy() instead.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_STATS_H */
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
new file mode 100644
index 0000000..1e8f29b
--- /dev/null
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TCPMSG_H
+#define DNS_TCPMSG_H 1
+
+/*! \file dns/tcpmsg.h */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+typedef struct dns_tcpmsg {
+	/* private (don't touch!) */
+	unsigned int		magic;
+	uint16_t		size;
+	isc_buffer_t		buffer;
+	unsigned int		maxsize;
+	isc_mem_t	       *mctx;
+	isc_socket_t	       *sock;
+	isc_task_t	       *task;
+	isc_taskaction_t	action;
+	void		       *arg;
+	isc_event_t		event;
+	/* public (read-only) */
+	isc_result_t		result;
+	isc_sockaddr_t		address;
+} dns_tcpmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Associate a tcp message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ *\li	"mctx" and "sock" be non-NULL and valid types.
+ *
+ *\li	"sock" be a read/write TCP socket.
+ *
+ *\li	"tcpmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ *\li	"tcpmsg" is a valid structure.
+ */
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
+/*%<
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	512 <= "maxsize" <= 65536
+ */
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
+		       isc_task_t *task, isc_taskaction_t action, void *arg);
+/*%<
+ * Schedule an event to be delivered when a DNS message is readable, or
+ * when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	"task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *
+ * Notes:
+ *
+ *\li	The event delivered is a fully generic event.  It will contain no
+ *	actual data.  The sender will be a pointer to the dns_tcpmsg_t.
+ *	The result code inside that structure should be checked to see
+ *	what the final result was.
+ */
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Cancel a readmessage() call.  The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ */
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
+/*%<
+ * If a dns buffer is to be kept between calls, this function marks the
+ * internal state-machine buffer as invalid, and copies all the contents
+ * of the state into "buffer".
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ *\li	"buffer" be non-NULL.
+ */
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
+/*%<
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ *\li	"tcpmsg" be valid.
+ *
+ * Ensures:
+ *
+ *\li	"tcpmsg" is invalidated and disassociated with all memory contexts,
+ *	sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TCPMSG_H */
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
new file mode 100644
index 0000000..012b733
--- /dev/null
+++ b/lib/dns/include/dns/time.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TIME_H
+#define DNS_TIME_H 1
+
+/*! \file dns/time.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_time64_fromtext(const char *source, int64_t *target);
+/*%<
+ * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
+ * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
+ * Store the count at 'target'.
+ */
+
+isc_result_t
+dns_time32_fromtext(const char *source, uint32_t *target);
+/*%<
+ * Like dns_time64_fromtext, but returns the second count modulo 2^32
+ * as per RFC2535.
+ */
+
+
+isc_result_t
+dns_time64_totext(int64_t value, isc_buffer_t *target);
+/*%<
+ * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
+ * a YYYYMMDDHHMMSS text representation and append it to 'target'.
+ */
+
+isc_result_t
+dns_time32_totext(uint32_t value, isc_buffer_t *target);
+/*%<
+ * Like dns_time64_totext, but for a 32-bit cyclic time value.
+ * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
+ * are congruent with 'value' modulo 2^32, the one closest to the
+ * current date is chosen.
+ */
+
+int64_t
+dns_time64_from32(uint32_t value);
+/*%<
+ * Covert a 32-bit cyclic time value into a 64 bit time stamp.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIME_H */
diff --git a/lib/dns/include/dns/timer.h b/lib/dns/include/dns/timer.h
new file mode 100644
index 0000000..845cf6c
--- /dev/null
+++ b/lib/dns/include/dns/timer.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TIMER_H
+#define DNS_TIMER_H 1
+
+/*! \file dns/timer.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+		  unsigned int idletime, bool purge);
+/*%<
+ * Convenience function for setting up simple, one-second-granularity
+ * idle timers as used by zone transfers.
+ * \brief
+ * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
+ * or after 'maxtime' at the very latest.  Events are purged iff
+ * 'purge' is true.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIMER_H */
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
new file mode 100644
index 0000000..f2500fa
--- /dev/null
+++ b/lib/dns/include/dns/tkey.h
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TKEY_H
+#define DNS_TKEY_H 1
+
+/*! \file dns/tkey.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Key agreement modes */
+#define DNS_TKEYMODE_SERVERASSIGNED		1
+#define DNS_TKEYMODE_DIFFIEHELLMAN		2
+#define DNS_TKEYMODE_GSSAPI			3
+#define DNS_TKEYMODE_RESOLVERASSIGNED		4
+#define DNS_TKEYMODE_DELETE			5
+
+struct dns_tkeyctx {
+	dst_key_t *dhkey;
+	dns_name_t *domain;
+	gss_cred_id_t gsscred;
+	isc_mem_t *mctx;
+	isc_entropy_t *ectx;
+	char *gssapi_keytab;
+};
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx,
+		   dns_tkeyctx_t **tctxp);
+/*%<
+ *	Create an empty TKEY context.
+ *
+ * 	Requires:
+ *\li		'mctx' is not NULL
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is NULL
+ *
+ *	Returns
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		return codes from dns_name_fromtext()
+ */
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
+/*%<
+ *      Frees all data associated with the TKEY context
+ *
+ * 	Requires:
+ *\li		'tctx' is not NULL
+ *\li		'*tctx' is not NULL
+ */
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+		      dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a query containing a TKEY record, adding or deleting TSIG
+ *	keys if necessary, and modifies the message to contain the response.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'tctx' is a valid TKEY context
+ *\li		'ring' is a valid TSIG keyring
+ *
+ *	Returns
+ *\li		#ISC_R_SUCCESS	msg was updated (the TKEY operation succeeded,
+ *				or msg now includes a TKEY with an error set)
+ *		DNS_R_FORMERR	the packet was malformed (missing a TKEY
+ *				or KEY).
+ *\li		other		An error occurred while processing the message
+ */
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
+		      dns_name_t *algorithm, isc_buffer_t *nonce,
+		      uint32_t lifetime);
+/*%<
+ *	Builds a query containing a TKEY that will generate a shared
+ *	secret using a Diffie-Hellman key exchange.  The shared key
+ *	will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
+ *	is supported), and will be named either 'name',
+ *	'name' + server chosen domain, or random data + server chosen domain
+ *	if 'name' == dns_rootname.  If nonce is not NULL, it supplies
+ *	random data used in the shared secret computation.  The key is
+ *	requested to have the specified lifetime (in seconds)
+ *
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'name' is a valid name
+ *\li		'algorithm' is a valid name
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+		       isc_buffer_t *intoken, uint32_t lifetime,
+		       gss_ctx_id_t *context, bool win2k,
+		       isc_mem_t *mctx, char **err_message);
+/*%<
+ *	Builds a query containing a TKEY that will generate a GSSAPI context.
+ *	The key is requested to have the specified lifetime (in seconds).
+ *
+ *	Requires:
+ *\li		'msg'	  is a valid message
+ *\li		'name'	  is a valid name
+ *\li		'gname'	  is a valid name
+ *\li		'context' is a pointer to a valid gss_ctx_id_t
+ *			  (which may have the value GSS_C_NO_CONTEXT)
+ *\li		'win2k'   when true says to turn on some hacks to work
+ *			  with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ *\li		*err_message	optional error message
+ */
+
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
+/*%<
+ *	Builds a query containing a TKEY record that will delete the
+ *	specified shared secret from the server.
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'key' is a valid TSIG key
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			   dst_key_t *key, isc_buffer_t *nonce,
+			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to generate a shared secret using a Diffie-Hellman key
+ *	exchange.  If the query was successful, a new shared key
+ *	is created and added to the list of shared keys.
+ *
+ *	Requires:
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'key' is a valid Diffie Hellman dst key
+ *\li		'outkey' is either NULL or a pointer to NULL
+ *\li		'ring' is a valid keyring or NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	the shared key was successfully added
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			    dns_name_t *gname, gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring, char **err_message);
+/*%<
+ * XXX
+ */
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			       dns_tsig_keyring_t *ring);
+/*%<
+ *	Processes a response to a query containing a TKEY that was
+ *	designed to delete a shared secret.  If the query was successful,
+ *	the shared key is deleted from the list of shared keys.
+ *
+ *	Requires:
+ *\li		'qmsg' is a valid message (the query)
+ *\li		'rmsg' is a valid message (the response)
+ *\li		'ring' is not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS	the shared key was successfully deleted
+ *\li		#ISC_R_NOTFOUND	an error occurred while looking for a
+ *				component of the query or response
+ */
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      dns_name_t *server, gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      bool win2k, char **err_message);
+
+/*
+ *	Client side negotiation of GSS-TSIG.  Process the response
+ *	to a TKEY, and establish a TSIG key if negotiation was successful.
+ *	Build a response to the input TKEY message.  Can take multiple
+ *	calls to successfully establish the context.
+ *
+ *	Requires:
+ *		'qmsg'    is a valid message, the original TKEY request;
+ *			     it will be filled with the new message to send
+ *		'rmsg'    is a valid message, the incoming TKEY message
+ *		'server'  is the server name
+ *		'context' is the input context handle
+ *		'outkey'  receives the established key, if non-NULL;
+ *			      if non-NULL must point to NULL
+ *		'ring'	  is the keyring in which to establish the key,
+ *			      or NULL
+ *		'win2k'   when true says to turn on some hacks to work
+ *			      with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	context was successfully established
+ *		ISC_R_NOTFOUND  couldn't find a needed part of the query
+ *					or response
+ *		DNS_R_CONTINUE  additional context negotiation is required;
+ *					send the new qmsg to the server
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TKEY_H */
diff --git a/lib/dns/include/dns/tsec.h b/lib/dns/include/dns/tsec.h
new file mode 100644
index 0000000..95e16c8
--- /dev/null
+++ b/lib/dns/include/dns/tsec.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TSEC_H
+#define DNS_TSEC_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ *
+ * \brief
+ * The TSEC (Transaction Security) module is an abstraction layer for managing
+ * DNS transaction mechanisms such as TSIG or SIG(0).  A TSEC structure is a
+ * mechanism-independent object containing key information specific to the
+ * mechanism, and is expected to be used as an argument to other modules
+ * that use transaction security in a mechanism-independent manner.
+ *
+ * MP:
+ *\li	A TSEC structure is expected to be thread-specific.  No inter-thread
+ *	synchronization is ensured in multiple access to a single TSEC
+ *	structure.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	This module does not handle any low-level data directly, and so no
+ *	security issue specific to this module is anticipated.
+ */
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * Transaction security types.
+ */
+typedef enum {
+	dns_tsectype_none,
+	dns_tsectype_tsig,
+	dns_tsectype_sig0
+} dns_tsectype_t;
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp);
+/*%<
+ * Create a TSEC structure and stores a type-dependent key structure in it.
+ * For a TSIG key (type is dns_tsectype_tsig), dns_tsec_create() creates a
+ * TSIG key structure from '*key' and keeps it in the structure.  For other
+ * types, this function simply retains '*key' in the structure.  In either
+ * case, the ownership of '*key' is transferred to the TSEC module; the caller
+ * must not modify or destroy it after the call to dns_tsec_create().
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'type' is a valid value of dns_tsectype_t (see above).
+ *
+ *\li	'key' is a valid key.
+ *
+ *\li	tsecp != NULL && *tsecp == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				On success.
+ *
+ *\li	Anything else				Failure.
+ */
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp);
+/*%<
+ * Destroy the TSEC structure.  The stored key is also detached or destroyed.
+ *
+ * Requires
+ *
+ *\li	'*tsecp' is a valid TSEC structure.
+ *
+ * Ensures
+ *
+ *\li	*tsecp == NULL.
+ *
+ */
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec);
+/*%<
+ * Return the TSEC type of '*tsec'.
+ *
+ * Requires
+ *
+ *\li	'tsec' is a valid TSEC structure.
+ *
+ */
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp);
+/*%<
+ * Return the TSEC key of '*tsec' in '*keyp'.
+ *
+ * Requires
+ *
+ *\li	keyp != NULL
+ *
+ * Ensures
+ *
+ *\li	*tsecp points to a valid key structure depending on the TSEC type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSEC_H */
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
new file mode 100644
index 0000000..a7b7bc2
--- /dev/null
+++ b/lib/dns/include/dns/tsig.h
@@ -0,0 +1,293 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TSIG_H
+#define DNS_TSIG_H 1
+
+/*! \file dns/tsig.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdio.h>
+#include <isc/stdtime.h>
+
+#include <pk11/site.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+/*
+ * Algorithms.
+ */
+#ifndef PK11_MD5_DISABLE
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
+#define DNS_TSIG_HMACMD5_NAME		dns_tsig_hmacmd5_name
+#endif
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
+#define DNS_TSIG_GSSAPI_NAME		dns_tsig_gssapi_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
+#define DNS_TSIG_GSSAPIMS_NAME		dns_tsig_gssapims_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha1_name;
+#define DNS_TSIG_HMACSHA1_NAME		dns_tsig_hmacsha1_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha224_name;
+#define DNS_TSIG_HMACSHA224_NAME	dns_tsig_hmacsha224_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha256_name;
+#define DNS_TSIG_HMACSHA256_NAME	dns_tsig_hmacsha256_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha384_name;
+#define DNS_TSIG_HMACSHA384_NAME	dns_tsig_hmacsha384_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha512_name;
+#define DNS_TSIG_HMACSHA512_NAME	dns_tsig_hmacsha512_name
+
+/*%
+ * Default fudge value.
+ */
+#define DNS_TSIG_FUDGE			300
+
+struct dns_tsig_keyring {
+	dns_rbt_t *keys;
+	unsigned int writecount;
+	isc_rwlock_t lock;
+	isc_mem_t *mctx;
+	/*
+	 * LRU list of generated key along with a count of the keys on the
+	 * list and a maximum size.
+	 */
+	unsigned int generated;
+	unsigned int maxgenerated;
+	ISC_LIST(dns_tsigkey_t) lru;
+	unsigned int references;
+};
+
+struct dns_tsigkey {
+	/* Unlocked */
+	unsigned int		magic;		/*%< Magic number. */
+	isc_mem_t		*mctx;
+	dst_key_t		*key;		/*%< Key */
+	dns_name_t		name;		/*%< Key name */
+	dns_name_t		*algorithm;	/*%< Algorithm name */
+	dns_name_t		*creator;	/*%< name that created secret */
+	bool		generated;	/*%< was this generated? */
+	isc_stdtime_t		inception;	/*%< start of validity period */
+	isc_stdtime_t		expire;		/*%< end of validity period */
+	dns_tsig_keyring_t	*ring;		/*%< the enclosing keyring */
+	isc_refcount_t		refs;		/*%< reference counter */
+	ISC_LINK(dns_tsigkey_t) link;
+};
+
+#define dns_tsigkey_identity(tsigkey) \
+	((tsigkey) == NULL ? NULL : \
+	 (tsigkey)->generated ? ((tsigkey)->creator) : \
+	 (&((tsigkey)->name)))
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+		   unsigned char *secret, int length, bool generated,
+		   dns_name_t *creator, isc_stdtime_t inception,
+		   isc_stdtime_t expire, isc_mem_t *mctx,
+		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+
+isc_result_t
+dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+			  dst_key_t *dstkey, bool generated,
+			  dns_name_t *creator, isc_stdtime_t inception,
+			  isc_stdtime_t expire, isc_mem_t *mctx,
+			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+/*%<
+ *	Creates a tsig key structure and saves it in the keyring.  If key is
+ *	not NULL, *key will contain a copy of the key.  The keys validity
+ *	period is specified by (inception, expire), and will not expire if
+ *	inception == expire.  If the key was generated, the creating identity,
+ *	if there is one, should be in the creator parameter.  Specifying an
+ *	unimplemented algorithm will cause failure only if dstkey != NULL; this
+ *	allows a transient key with an invalid algorithm to exist long enough
+ *	to generate a BADKEY response.
+ *
+ *	If dns_tsigkey_createfromkey is successful a new reference to 'dstkey'
+ *	will have been made.
+ *
+ *	Requires:
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t
+ *\li		'secret' is a valid pointer
+ *\li		'length' is an integer >= 0
+ *\li		'dstkey' is a valid dst key or NULL
+ *\li		'creator' points to a valid dns_name_t or is NULL
+ *\li		'mctx' is a valid memory context
+ *\li		'ring' is a valid TSIG keyring or NULL
+ *\li		'key' or '*key' must be NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_EXISTS - a key with this name already exists
+ *\li		#ISC_R_NOTIMPLEMENTED - algorithm is not implemented
+ *\li		#ISC_R_NOMEMORY
+ */
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
+/*%<
+ *	Attach '*targetp' to 'source'.
+ *
+ *	Requires:
+ *\li		'key' is a valid TSIG key
+ *
+ *	Ensures:
+ *\li		*targetp is attached to source.
+ */
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp);
+/*%<
+ *	Detaches from the tsig key structure pointed to by '*key'.
+ *
+ *	Requires:
+ *\li		'keyp' is not NULL and '*keyp' is a valid TSIG key
+ *
+ *	Ensures:
+ *\li		'keyp' points to NULL
+ */
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key);
+/*%<
+ *	Prevents this key from being used again.  It will be deleted when
+ *	no references exist.
+ *
+ *	Requires:
+ *\li		'key' is a valid TSIG key on a keyring
+ */
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg);
+/*%<
+ *	Generates a TSIG record for this message
+ *
+ *	Requires:
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key
+ *\li		'msg->tsig' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#ISC_R_NOSPACE
+ *\li		#DNS_R_EXPECTEDTSIG
+ *			- this is a response & msg->querytsig is NULL
+ */
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
+/*%<
+ *	Verifies the TSIG record in this message
+ *
+ *	Requires:
+ *\li		'source' is a valid buffer containing the unparsed message
+ *\li		'msg' is a valid message
+ *\li		'msg->tsigkey' is a valid TSIG key if this is a response
+ *\li		'msg->tsig' is NULL
+ *\li		'msg->querytsig' is not NULL if this is a response
+ *\li		'ring1' and 'ring2' are each either a valid keyring or NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ *\li		#DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
+ *\li		#DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ *\li		#DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
+ *				     and this is a query
+ *\li		#DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ *				  the time was out of the allowed range.
+ *\li		#DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
+ *\li		#DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
+ *					 should have been a response,
+ *					 but was not.
+ */
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
+		 dns_name_t *algorithm, dns_tsig_keyring_t *ring);
+/*%<
+ *	Returns the TSIG key corresponding to this name and (possibly)
+ *	algorithm.  Also increments the key's reference counter.
+ *
+ *	Requires:
+ *\li		'tsigkey' is not NULL
+ *\li		'*tsigkey' is NULL
+ *\li		'name' is a valid dns_name_t
+ *\li		'algorithm' is a valid dns_name_t or NULL
+ *\li		'ring' is a valid keyring
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOTFOUND
+ */
+
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
+/*%<
+ *	Create an empty TSIG key ring.
+ *
+ *	Requires:
+ *\li		'mctx' is not NULL
+ *\li		'ringp' is not NULL, and '*ringp' is NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+		    dns_tsigkey_t *tkey);
+/*%<
+ *      Place a TSIG key onto a key ring.
+ *
+ *	Requires:
+ *\li		'ring', 'name' and 'tkey' are not NULL
+ *
+ *	Returns:
+ *\li		#ISC_R_SUCCESS
+ *\li		Any other value indicates failure.
+ */
+
+
+void
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target);
+
+void
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp);
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp);
+
+/*%<
+ *	Destroy a TSIG key ring.
+ *
+ *	Requires:
+ *\li		'ringp' is not NULL
+ */
+
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIG_H */
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
new file mode 100644
index 0000000..9241f10
--- /dev/null
+++ b/lib/dns/include/dns/ttl.h
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_TTL_H
+#define DNS_TTL_H 1
+
+/*! \file dns/ttl.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_ttl_totext(uint32_t src, bool verbose,
+	       isc_buffer_t *target);
+isc_result_t
+dns_ttl_totext2(uint32_t src, bool verbose,
+		bool upcase, isc_buffer_t *target);
+/*%<
+ * Output a TTL or other time interval in a human-readable form.
+ * The time interval is given as a count of seconds in 'src'.
+ * The text representation is appended to 'target'.
+ *
+ * If 'verbose' is false, use the terse BIND 8 style, like "1w2d3h4m5s".
+ *
+ * If 'verbose' is true, use a verbose style like the SOA comments
+ * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
+ *
+ * If 'upcase' is true, we conform to the BIND 8 style in which
+ * the unit letter is capitalized if there is only a single unit
+ * letter to print (for example, "1m30s", but "2M")
+ *
+ * If 'upcase' is false, unit letters are always in lower case.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, uint32_t *ttl);
+/*%<
+ * Converts a counter from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_SYNTAX
+ */
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, uint32_t *ttl);
+/*%<
+ * Converts a ttl from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	DNS_R_BADTTL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TTL_H */
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
new file mode 100644
index 0000000..6754d16
--- /dev/null
+++ b/lib/dns/include/dns/types.h
@@ -0,0 +1,437 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_TYPES_H
+#define DNS_TYPES_H 1
+
+/*! \file dns/types.h
+ * \brief
+ * Including this file gives you type declarations suitable for use in
+ * .h files, which lets us avoid circular type reference problems.
+ * \brief
+ * To actually use a type or get declarations of its methods, you must
+ * include the appropriate .h file too.
+ */
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/types.h>
+
+typedef struct dns_acache			dns_acache_t;
+typedef struct dns_acacheentry			dns_acacheentry_t;
+typedef struct dns_acachestats			dns_acachestats_t;
+typedef struct dns_acl 				dns_acl_t;
+typedef struct dns_aclelement 			dns_aclelement_t;
+typedef struct dns_aclenv			dns_aclenv_t;
+typedef struct dns_adb				dns_adb_t;
+typedef struct dns_adbaddrinfo			dns_adbaddrinfo_t;
+typedef ISC_LIST(dns_adbaddrinfo_t)		dns_adbaddrinfolist_t;
+typedef struct dns_adbentry			dns_adbentry_t;
+typedef struct dns_adbfind			dns_adbfind_t;
+typedef ISC_LIST(dns_adbfind_t)			dns_adbfindlist_t;
+typedef struct dns_badcache 			dns_badcache_t;
+typedef struct dns_byaddr			dns_byaddr_t;
+typedef struct dns_catz_zonemodmethods		dns_catz_zonemodmethods_t;
+typedef struct dns_catz_entry_options		dns_catz_options_t;
+typedef struct dns_catz_entry			dns_catz_entry_t;
+typedef struct dns_catz_zone			dns_catz_zone_t;
+typedef struct dns_catz_changed			dns_catz_changed_t;
+typedef struct dns_catz_zones			dns_catz_zones_t;
+typedef struct dns_client			dns_client_t;
+typedef void					dns_clientrestrans_t;
+typedef void					dns_clientreqtrans_t;
+typedef void					dns_clientupdatetrans_t;
+typedef struct dns_cache			dns_cache_t;
+typedef uint16_t				dns_cert_t;
+typedef struct dns_compress			dns_compress_t;
+typedef struct dns_db				dns_db_t;
+typedef struct dns_dbimplementation		dns_dbimplementation_t;
+typedef struct dns_dbiterator			dns_dbiterator_t;
+typedef void					dns_dbload_t;
+typedef void					dns_dbnode_t;
+typedef struct dns_dbonupdatelistener		dns_dbonupdatelistener_t;
+typedef struct dns_dbtable			dns_dbtable_t;
+typedef void					dns_dbversion_t;
+typedef struct dns_dlzimplementation		dns_dlzimplementation_t;
+typedef struct dns_dlzdb			dns_dlzdb_t;
+typedef ISC_LIST(dns_dlzdb_t)			dns_dlzdblist_t;
+typedef struct dns_dyndbctx			dns_dyndbctx_t;
+typedef struct dns_sdlzimplementation		dns_sdlzimplementation_t;
+typedef struct dns_decompress			dns_decompress_t;
+typedef struct dns_dispatch			dns_dispatch_t;
+typedef struct dns_dispatchevent		dns_dispatchevent_t;
+typedef struct dns_dispatchlist			dns_dispatchlist_t;
+typedef struct dns_dispatchset			dns_dispatchset_t;
+typedef struct dns_dispatchmgr			dns_dispatchmgr_t;
+typedef struct dns_dispentry			dns_dispentry_t;
+typedef struct dns_dns64			dns_dns64_t;
+typedef ISC_LIST(dns_dns64_t)			dns_dns64list_t;
+typedef struct dns_dnsseckey			dns_dnsseckey_t;
+typedef ISC_LIST(dns_dnsseckey_t)		dns_dnsseckeylist_t;
+typedef uint8_t					dns_dsdigest_t;
+typedef struct dns_dtdata			dns_dtdata_t;
+typedef struct dns_dtenv			dns_dtenv_t;
+typedef struct dns_dtmsg			dns_dtmsg_t;
+typedef uint16_t 				dns_dtmsgtype_t;
+typedef struct dns_dumpctx			dns_dumpctx_t;
+typedef struct dns_ednsopt			dns_ednsopt_t;
+typedef struct dns_fetch			dns_fetch_t;
+typedef struct dns_fixedname			dns_fixedname_t;
+typedef struct dns_forwarders			dns_forwarders_t;
+typedef struct dns_forwarder			dns_forwarder_t;
+typedef struct dns_fwdtable			dns_fwdtable_t;
+typedef struct dns_iptable			dns_iptable_t;
+typedef uint32_t				dns_iterations_t;
+typedef uint16_t				dns_keyflags_t;
+typedef struct dns_keynode			dns_keynode_t;
+typedef ISC_LIST(dns_keynode_t)			dns_keynodelist_t;
+typedef struct dns_keytable			dns_keytable_t;
+typedef uint16_t				dns_keytag_t;
+typedef struct dns_loadctx			dns_loadctx_t;
+typedef struct dns_loadmgr			dns_loadmgr_t;
+typedef struct dns_masterrawheader		dns_masterrawheader_t;
+typedef uint64_t				dns_masterstyle_flags_t;
+typedef struct dns_message			dns_message_t;
+typedef uint16_t				dns_messageid_t;
+typedef isc_region_t				dns_label_t;
+typedef struct dns_lookup			dns_lookup_t;
+typedef struct dns_name				dns_name_t;
+typedef ISC_LIST(dns_name_t)			dns_namelist_t;
+typedef struct dns_nta				dns_nta_t;
+typedef struct dns_ntatable			dns_ntatable_t;
+typedef uint16_t				dns_opcode_t;
+typedef unsigned char				dns_offsets_t[128];
+typedef struct dns_order			dns_order_t;
+typedef struct dns_peer				dns_peer_t;
+typedef struct dns_peerlist			dns_peerlist_t;
+typedef struct dns_portlist			dns_portlist_t;
+typedef struct dns_rbt				dns_rbt_t;
+typedef uint16_t				dns_rcode_t;
+typedef struct dns_rdata			dns_rdata_t;
+typedef struct dns_rdatacallbacks		dns_rdatacallbacks_t;
+typedef uint16_t				dns_rdataclass_t;
+typedef struct dns_rdatalist			dns_rdatalist_t;
+typedef struct dns_rdataset			dns_rdataset_t;
+typedef ISC_LIST(dns_rdataset_t)		dns_rdatasetlist_t;
+typedef struct dns_rdatasetiter			dns_rdatasetiter_t;
+typedef uint16_t				dns_rdatatype_t;
+typedef struct dns_request			dns_request_t;
+typedef struct dns_requestmgr			dns_requestmgr_t;
+typedef struct dns_resolver			dns_resolver_t;
+typedef struct dns_sdbimplementation		dns_sdbimplementation_t;
+typedef uint8_t					dns_secalg_t;
+typedef uint8_t					dns_secproto_t;
+typedef struct dns_signature			dns_signature_t;
+typedef struct dns_ssurule			dns_ssurule_t;
+typedef struct dns_ssutable			dns_ssutable_t;
+typedef struct dns_stats			dns_stats_t;
+typedef uint32_t				dns_rdatastatstype_t;
+typedef struct dns_tkeyctx			dns_tkeyctx_t;
+typedef uint16_t				dns_trust_t;
+typedef struct dns_tsec				dns_tsec_t;
+typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
+typedef struct dns_tsigkey			dns_tsigkey_t;
+typedef uint32_t				dns_ttl_t;
+typedef struct dns_update_state			dns_update_state_t;
+typedef struct dns_validator			dns_validator_t;
+typedef struct dns_view				dns_view_t;
+typedef ISC_LIST(dns_view_t)			dns_viewlist_t;
+typedef struct dns_zone				dns_zone_t;
+typedef ISC_LIST(dns_zone_t)			dns_zonelist_t;
+typedef struct dns_zonemgr			dns_zonemgr_t;
+typedef struct dns_zt				dns_zt_t;
+typedef struct dns_ipkeylist 			dns_ipkeylist_t;
+
+/*
+ * If we are not using GSSAPI, define the types we use as opaque types here.
+ */
+#ifndef GSSAPI
+typedef struct not_defined_gss_cred_id *gss_cred_id_t;
+typedef struct not_defined_gss_ctx *gss_ctx_id_t;
+#endif
+typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t;
+
+typedef enum {
+	dns_hash_sha1 = 1
+} dns_hash_t;
+
+typedef enum {
+	dns_fwdpolicy_none = 0,
+	dns_fwdpolicy_first = 1,
+	dns_fwdpolicy_only = 2
+} dns_fwdpolicy_t;
+
+typedef enum {
+	dns_namereln_none = 0,
+	dns_namereln_contains = 1,
+	dns_namereln_subdomain = 2,
+	dns_namereln_equal = 3,
+	dns_namereln_commonancestor = 4
+} dns_namereln_t;
+
+typedef enum {
+	dns_one_answer, dns_many_answers
+} dns_transfer_format_t;
+
+typedef enum {
+	dns_dbtype_zone = 0, dns_dbtype_cache = 1, dns_dbtype_stub = 3
+} dns_dbtype_t;
+
+typedef enum {
+	dns_notifytype_no = 0,
+	dns_notifytype_yes = 1,
+	dns_notifytype_explicit = 2,
+	dns_notifytype_masteronly = 3
+} dns_notifytype_t;
+
+typedef enum {
+	dns_minimal_no = 0,
+	dns_minimal_yes = 1,
+	dns_minimal_noauth = 2,
+	dns_minimal_noauthrec = 3
+} dns_minimaltype_t;
+
+typedef enum {
+	dns_dialuptype_no = 0,
+	dns_dialuptype_yes = 1,
+	dns_dialuptype_notify = 2,
+	dns_dialuptype_notifypassive = 3,
+	dns_dialuptype_refresh = 4,
+	dns_dialuptype_passive = 5
+} dns_dialuptype_t;
+
+typedef enum {
+	dns_masterformat_none = 0,
+	dns_masterformat_text = 1,
+	dns_masterformat_raw  = 2,
+	dns_masterformat_map = 3
+} dns_masterformat_t;
+
+typedef enum {
+	dns_aaaa_ok = 0,
+	dns_aaaa_filter = 1,
+	dns_aaaa_break_dnssec = 2
+} dns_aaaa_t;
+
+/*
+ * These are generated by gen.c.
+ */
+#include <dns/enumtype.h>	/* Provides dns_rdatatype_t. */
+#include <dns/enumclass.h>	/* Provides dns_rdataclass_t. */
+
+/*%
+ * rcodes.
+ */
+enum {
+	/*
+	 * Standard rcodes.
+	 */
+	dns_rcode_noerror = 0,
+#define dns_rcode_noerror		((dns_rcode_t)dns_rcode_noerror)
+	dns_rcode_formerr = 1,
+#define dns_rcode_formerr		((dns_rcode_t)dns_rcode_formerr)
+	dns_rcode_servfail = 2,
+#define dns_rcode_servfail		((dns_rcode_t)dns_rcode_servfail)
+	dns_rcode_nxdomain = 3,
+#define dns_rcode_nxdomain		((dns_rcode_t)dns_rcode_nxdomain)
+	dns_rcode_notimp = 4,
+#define dns_rcode_notimp		((dns_rcode_t)dns_rcode_notimp)
+	dns_rcode_refused = 5,
+#define dns_rcode_refused		((dns_rcode_t)dns_rcode_refused)
+	dns_rcode_yxdomain = 6,
+#define dns_rcode_yxdomain		((dns_rcode_t)dns_rcode_yxdomain)
+	dns_rcode_yxrrset = 7,
+#define dns_rcode_yxrrset		((dns_rcode_t)dns_rcode_yxrrset)
+	dns_rcode_nxrrset = 8,
+#define dns_rcode_nxrrset		((dns_rcode_t)dns_rcode_nxrrset)
+	dns_rcode_notauth = 9,
+#define dns_rcode_notauth		((dns_rcode_t)dns_rcode_notauth)
+	dns_rcode_notzone = 10,
+#define dns_rcode_notzone		((dns_rcode_t)dns_rcode_notzone)
+	/*
+	 * Extended rcodes.
+	 */
+	dns_rcode_badvers = 16,
+#define dns_rcode_badvers		((dns_rcode_t)dns_rcode_badvers)
+	dns_rcode_badcookie = 23
+#define dns_rcode_badcookie		((dns_rcode_t)dns_rcode_badcookie)
+	/*
+	 * Update dns_rcodestats_create() and dns_rcodestats_increment()
+	 * and this comment if a rcode > dns_rcode_badcookie is assigned.
+	 */
+	/* Private space [3841..4095] */
+};
+
+/*%
+ * TSIG errors.
+ */
+enum {
+	dns_tsigerror_badsig = 16,
+	dns_tsigerror_badkey = 17,
+	dns_tsigerror_badtime = 18,
+	dns_tsigerror_badmode = 19,
+	dns_tsigerror_badname = 20,
+	dns_tsigerror_badalg = 21,
+	dns_tsigerror_badtrunc = 22
+};
+
+/*%
+ * Opcodes.
+ */
+enum {
+	dns_opcode_query = 0,
+#define dns_opcode_query		((dns_opcode_t)dns_opcode_query)
+	dns_opcode_iquery = 1,
+#define dns_opcode_iquery		((dns_opcode_t)dns_opcode_iquery)
+	dns_opcode_status = 2,
+#define dns_opcode_status		((dns_opcode_t)dns_opcode_status)
+	dns_opcode_notify = 4,
+#define dns_opcode_notify		((dns_opcode_t)dns_opcode_notify)
+	dns_opcode_update = 5		/* dynamic update */
+#define dns_opcode_update		((dns_opcode_t)dns_opcode_update)
+};
+
+/*%
+ * Trust levels.  Must be kept in sync with trustnames[] in masterdump.c.
+ */
+enum {
+	/* Sentinel value; no data should have this trust level. */
+	dns_trust_none = 0,
+#define dns_trust_none			((dns_trust_t)dns_trust_none)
+
+	/*%
+	 * Subject to DNSSEC validation but has not yet been validated
+	 * dns_trust_pending_additional (from the additional section).
+	 */
+	dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional \
+		 ((dns_trust_t)dns_trust_pending_additional)
+
+	dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer	((dns_trust_t)dns_trust_pending_answer)
+
+	/*% Received in the additional section of a response. */
+	dns_trust_additional = 3,
+#define dns_trust_additional		((dns_trust_t)dns_trust_additional)
+
+	/* Received in a referral response. */
+	dns_trust_glue = 4,
+#define dns_trust_glue			((dns_trust_t)dns_trust_glue)
+
+	/* Answer from a non-authoritative server */
+	dns_trust_answer = 5,
+#define dns_trust_answer		((dns_trust_t)dns_trust_answer)
+
+	/*  Received in the authority section as part of an
+	    authoritative response */
+	dns_trust_authauthority = 6,
+#define dns_trust_authauthority		((dns_trust_t)dns_trust_authauthority)
+
+	/* Answer from an authoritative server */
+	dns_trust_authanswer = 7,
+#define dns_trust_authanswer		((dns_trust_t)dns_trust_authanswer)
+
+	/* Successfully DNSSEC validated */
+	dns_trust_secure = 8,
+#define dns_trust_secure		((dns_trust_t)dns_trust_secure)
+
+	/* This server is authoritative */
+	dns_trust_ultimate = 9
+#define dns_trust_ultimate		((dns_trust_t)dns_trust_ultimate)
+};
+
+#define DNS_TRUST_PENDING(x)		((x) == dns_trust_pending_answer || \
+					 (x) == dns_trust_pending_additional)
+#define DNS_TRUST_ADDITIONAL(x)		((x) == dns_trust_additional || \
+					 (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x)		((x) == dns_trust_glue)
+#define DNS_TRUST_ANSWER(x)		((x) == dns_trust_answer)
+
+
+/*%
+ * Name checking severities.
+ */
+typedef enum {
+	dns_severity_ignore,
+	dns_severity_warn,
+	dns_severity_fail
+} dns_severity_t;
+
+/*%
+ * DNS Serial Number Update Method.
+ *
+ * \li	_none:		Keep the current serial.
+ * \li	_increment:	Add one to the current serial, skipping 0.
+ * \li	_unixtime:	Set to the seconds since 00:00 Jan 1, 1970,
+ *			if possible.
+ * \li	_date:		Set to today's date in YYYYMMDDVV format:
+ *                      (Year, Month, Day, Version)
+ */
+typedef enum {
+	dns_updatemethod_none = 0,
+	dns_updatemethod_increment,
+	dns_updatemethod_unixtime,
+	dns_updatemethod_date
+} dns_updatemethod_t;
+
+/*
+ * Functions.
+ */
+typedef void
+(*dns_dumpdonefunc_t)(void *, isc_result_t);
+
+typedef void
+(*dns_loaddonefunc_t)(void *, isc_result_t);
+
+typedef void
+(*dns_rawdatafunc_t)(dns_zone_t *, dns_masterrawheader_t *);
+
+typedef isc_result_t
+(*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
+
+typedef isc_result_t
+(*dns_additionaldatafunc_t)(void *, dns_name_t *, dns_rdatatype_t);
+
+typedef isc_result_t
+(*dns_digestfunc_t)(void *, isc_region_t *);
+
+typedef void
+(*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
+
+typedef void
+(*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
+
+typedef int
+(*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
+
+typedef bool
+(*dns_checkmxfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
+
+typedef bool
+(*dns_checksrvfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *);
+
+typedef bool
+(*dns_checknsfunc_t)(dns_zone_t *, dns_name_t *, dns_name_t *,
+		     dns_rdataset_t *, dns_rdataset_t *);
+
+typedef bool
+(*dns_isselffunc_t)(dns_view_t *, dns_tsigkey_t *, isc_sockaddr_t *,
+		    isc_sockaddr_t *, dns_rdataclass_t, void *);
+
+typedef isc_result_t
+(*dns_deserializefunc_t)(void *, FILE *, off_t);
+
+typedef void
+(*dns_nseclog_t)(void *val, int , const char *, ...);
+
+#endif /* DNS_TYPES_H */
diff --git a/lib/dns/include/dns/update.h b/lib/dns/include/dns/update.h
new file mode 100644
index 0000000..6700c8f
--- /dev/null
+++ b/lib/dns/include/dns/update.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_UPDATE_H
+#define DNS_UPDATE_H 1
+
+/*! \file dns/update.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/diff.h>
+
+typedef struct {
+	void (*func)(void *arg, dns_zone_t *zone, int level,
+		     const char *message);
+	void *arg;
+} dns_update_log_t;
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+uint32_t
+dns_update_soaserial(uint32_t serial, dns_updatemethod_t method);
+/*%<
+ * Return the next serial number after 'serial', depending on the
+ * update method 'method':
+ *
+ *\li	* dns_updatemethod_increment increments the serial number by one
+ *\li	* dns_updatemethod_unixtime sets the serial number to the current
+ *	  time (seconds since UNIX epoch) if possible, or increments by one
+ *	  if not.
+ */
+
+isc_result_t
+dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
+		      dns_diff_t *diff, uint32_t sigvalidityinterval);
+
+isc_result_t
+dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+			 dns_dbversion_t *oldver, dns_dbversion_t *newver,
+			 dns_diff_t *diff, uint32_t sigvalidityinterval,
+			 dns_update_state_t **state);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_UPDATE_H */
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
new file mode 100644
index 0000000..81e46d8
--- /dev/null
+++ b/lib/dns/include/dns/validator.h
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_VALIDATOR_H
+#define DNS_VALIDATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/validator.h
+ *
+ * \brief
+ * DNS Validator
+ * This is the BIND 9 validator, the module responsible for validating the
+ * rdatasets and negative responses (messages).  It makes use of zones in
+ * the view and may fetch RRset to complete trust chains.  It implements
+ * DNSSEC as specified in RFC 4033, 4034 and 4035.
+ *
+ * It can also optionally implement ISC's DNSSEC look-aside validation.
+ *
+ * Correct operation is critical to preventing spoofed answers from secure
+ * zones being accepted.
+ *
+ * MP:
+ *\li	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/event.h>
+#include <isc/mutex.h>
+
+#include <dns/fixedname.h>
+#include <dns/types.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
+
+#include <dst/dst.h>
+
+/*%
+ * A dns_validatorevent_t is sent when a 'validation' completes.
+ * \brief
+ * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
+ * supplied when dns_validator_create() was called.  They are returned to the
+ * caller so that they may be freed.
+ *
+ * If the RESULT is ISC_R_SUCCESS and the answer is secure then
+ * proofs[] will contain the names of the NSEC records that hold the
+ * various proofs.  Note the same name may appear multiple times.
+ */
+typedef struct dns_validatorevent {
+	ISC_EVENT_COMMON(struct dns_validatorevent);
+	dns_validator_t *		validator;
+	isc_result_t			result;
+	/*
+	 * Name and type of the response to be validated.
+	 */
+	dns_name_t *			name;
+	dns_rdatatype_t			type;
+	/*
+	 * Rdata and RRSIG (if any) for positive responses.
+	 */
+	dns_rdataset_t *		rdataset;
+	dns_rdataset_t *		sigrdataset;
+	/*
+	 * The full response.  Required for negative responses.
+	 * Also required for positive wildcard responses.
+	 */
+	dns_message_t *			message;
+	/*
+	 * Proofs to be cached.
+	 */
+	dns_name_t *			proofs[4];
+	/*
+	 * Optout proof seen.
+	 */
+	bool			optout;
+	/*
+	 * Answer is secure.
+	 */
+	bool			secure;
+} dns_validatorevent_t;
+
+#define DNS_VALIDATOR_NOQNAMEPROOF 0
+#define DNS_VALIDATOR_NODATAPROOF 1
+#define DNS_VALIDATOR_NOWILDCARDPROOF 2
+#define DNS_VALIDATOR_CLOSESTENCLOSER 3
+
+/*%
+ * A validator object represents a validation in progress.
+ * \brief
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field, which may be used directly for
+ * whatever purpose the client desires.
+ */
+struct dns_validator {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	dns_view_t *			view;
+	/* Locked by lock. */
+	unsigned int			options;
+	unsigned int			attributes;
+	dns_validatorevent_t *		event;
+	dns_fetch_t *			fetch;
+	dns_validator_t *		subvalidator;
+	dns_validator_t *		parent;
+	dns_keytable_t *		keytable;
+	dns_keynode_t *			keynode;
+	dst_key_t *			key;
+	dns_rdata_rrsig_t *		siginfo;
+	isc_task_t *			task;
+	isc_taskaction_t		action;
+	void *				arg;
+	unsigned int			labels;
+	dns_rdataset_t *		currentset;
+	bool			seensig;
+	dns_rdataset_t *		keyset;
+	dns_rdataset_t *		dsset;
+	dns_rdataset_t *		soaset;
+	dns_rdataset_t *		nsecset;
+	dns_rdataset_t *		nsec3set;
+	dns_name_t *			soaname;
+	dns_rdataset_t			frdataset;
+	dns_rdataset_t			fsigrdataset;
+	dns_fixedname_t			fname;
+	dns_fixedname_t			wild;
+	dns_fixedname_t			nearest;
+	dns_fixedname_t			closest;
+	ISC_LINK(dns_validator_t)	link;
+	dns_rdataset_t 			dlv;
+	dns_fixedname_t			dlvsep;
+	bool			havedlvsep;
+	bool			mustbesecure;
+	unsigned int			dlvlabels;
+	unsigned int			depth;
+	unsigned int			authcount;
+	unsigned int			authfail;
+	isc_stdtime_t			start;
+};
+
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DLV		0x0001U
+#define DNS_VALIDATOR_DEFER		0x0002U
+#define DNS_VALIDATOR_NOCDFLAG		0x0004U
+#define DNS_VALIDATOR_NONTA		0x0008U  /*% Ignore NTA table */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_message_t *message, unsigned int options,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     dns_validator_t **validatorp);
+/*%<
+ * Start a DNSSEC validation.
+ *
+ * This validates a response to the question given by
+ * 'name' and 'type'.
+ *
+ * To validate a positive response, the response data is
+ * given by 'rdataset' and 'sigrdataset'.  If 'sigrdataset'
+ * is NULL, the data is presumed insecure and an attempt
+ * is made to prove its insecurity by finding the appropriate
+ * null key.
+ *
+ * The complete response message may be given in 'message',
+ * to make available any authority section NSECs that may be
+ * needed for validation of a response resulting from a
+ * wildcard expansion (though no such wildcard validation
+ * is implemented yet).  If the complete response message
+ * is not available, 'message' is NULL.
+ *
+ * To validate a negative response, the complete negative response
+ * message is given in 'message'.  The 'rdataset', and
+ * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
+ * arguments must be provided.
+ *
+ * The validation is performed in the context of 'view'.
+ *
+ * When the validation finishes, a dns_validatorevent_t with
+ * the given 'action' and 'arg' are sent to 'task'.
+ * Its 'result' field will be ISC_R_SUCCESS iff the
+ * response was successfully proven to be either secure or
+ * part of a known insecure domain.
+ *
+ * options:
+ * If DNS_VALIDATOR_DLV is set the caller knows there is not a
+ * trusted key and the validator should immediately attempt to validate
+ * the answer by looking for an appropriate DLV RRset.
+ */
+
+void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ *	'validator' to points to a valid DNSSEC validator.
+ */
+
+void
+dns_validator_cancel(dns_validator_t *validator);
+/*%<
+ * Cancel a DNSSEC validation in progress.
+ *
+ * Requires:
+ *\li	'validator' points to a valid DNSSEC validator, which
+ *	may or may not already have completed.
+ *
+ * Ensures:
+ *\li	It the validator has not already sent its completion
+ *	event, it will send it with result code ISC_R_CANCELED.
+ */
+
+void
+dns_validator_destroy(dns_validator_t **validatorp);
+/*%<
+ * Destroy a DNSSEC validator.
+ *
+ * Requires:
+ *\li	'*validatorp' points to a valid DNSSEC validator.
+ * \li	The validator must have completed and sent its completion
+ * 	event.
+ *
+ * Ensures:
+ *\li	All resources used by the validator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VALIDATOR_H */
diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h
new file mode 100644
index 0000000..0552e81
--- /dev/null
+++ b/lib/dns/include/dns/version.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file dns/version.h */
+
+#ifndef DNS_VERSION_H
+#define DNS_VERSION_H 1
+
+#include <isc/platform.h>
+
+LIBDNS_EXTERNAL_DATA extern const char dns_version[];
+LIBDNS_EXTERNAL_DATA extern const char dns_major[];
+LIBDNS_EXTERNAL_DATA extern const char dns_mapapi[];
+
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
+
+#endif /* DNS_VERSION_H */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
new file mode 100644
index 0000000..8e21298
--- /dev/null
+++ b/lib/dns/include/dns/view.h
@@ -0,0 +1,1353 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_VIEW_H
+#define DNS_VIEW_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/view.h
+ * \brief
+ * DNS View
+ *
+ * A "view" is a DNS namespace, together with an optional resolver and a
+ * forwarding policy.  A "DNS namespace" is a (possibly empty) set of
+ * authoritative zones together with an optional cache and optional
+ * "hints" information.
+ *
+ * Views start out "unfrozen".  In this state, core attributes like
+ * the cache, set of zones, and forwarding policy may be set.  While
+ * "unfrozen", the caller (e.g. nameserver configuration loading
+ * code), must ensure exclusive access to the view.  When the view is
+ * "frozen", the core attributes become immutable, and the view module
+ * will ensure synchronization.  Freezing allows the view's core attributes
+ * to be accessed without locking.
+ *
+ * MP:
+ *\li	Before the view is frozen, the caller must ensure synchronization.
+ *
+ *\li	After the view is frozen, the module guarantees appropriate
+ *	synchronization of any data structures it creates and manipulates.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	None.
+ */
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/event.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/acl.h>
+#include <dns/catz.h>
+#include <dns/clientinfo.h>
+#include <dns/dnstap.h>
+#include <dns/fixedname.h>
+#include <dns/rrl.h>
+#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+#include <dns/zt.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_view {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	dns_rdataclass_t		rdclass;
+	char *				name;
+	dns_zt_t *			zonetable;
+	dns_resolver_t *		resolver;
+	dns_adb_t *			adb;
+	dns_requestmgr_t *		requestmgr;
+	dns_acache_t *			acache;
+	dns_cache_t *			cache;
+	dns_db_t *			cachedb;
+	dns_db_t *			hints;
+
+	/*
+	 * security roots and negative trust anchors.
+	 * internal use only; access via * dns_view_getsecroots()
+	 */
+	dns_keytable_t *		secroots_priv;
+	dns_ntatable_t *		ntatable_priv;
+
+	isc_mutex_t			lock;
+	bool			frozen;
+	isc_task_t *			task;
+	isc_event_t			resevent;
+	isc_event_t			adbevent;
+	isc_event_t			reqevent;
+	isc_stats_t *			adbstats;
+	isc_stats_t *			resstats;
+	dns_stats_t *			resquerystats;
+	bool			cacheshared;
+
+	/* Configurable data. */
+	dns_tsig_keyring_t *		statickeys;
+	dns_tsig_keyring_t *		dynamickeys;
+	dns_peerlist_t *		peers;
+	dns_order_t *			order;
+	dns_fwdtable_t *		fwdtable;
+	bool			recursion;
+	bool			auth_nxdomain;
+	bool			additionalfromcache;
+	bool			additionalfromauth;
+	bool			minimal_any;
+	dns_minimaltype_t		minimalresponses;
+	bool			enablednssec;
+	bool			enablevalidation;
+	bool			acceptexpired;
+	bool			requireservercookie;
+	bool			trust_anchor_telemetry;
+	bool			root_key_sentinel;
+	dns_transfer_format_t		transfer_format;
+	dns_acl_t *			cacheacl;
+	dns_acl_t *			cacheonacl;
+	dns_acl_t *			queryacl;
+	dns_acl_t *			queryonacl;
+	dns_acl_t *			recursionacl;
+	dns_acl_t *			recursiononacl;
+	dns_acl_t *			sortlist;
+	dns_acl_t *			notifyacl;
+	dns_acl_t *			transferacl;
+	dns_acl_t *			updateacl;
+	dns_acl_t *			upfwdacl;
+	dns_acl_t *			denyansweracl;
+	dns_acl_t *			nocasecompress;
+	bool			msgcompression;
+	dns_rbt_t *			answeracl_exclude;
+	dns_rbt_t *			denyanswernames;
+	dns_rbt_t *			answernames_exclude;
+	dns_rrl_t *			rrl;
+	bool			provideixfr;
+	bool			requestnsid;
+	bool			sendcookie;
+	dns_ttl_t			maxcachettl;
+	dns_ttl_t			maxncachettl;
+	uint32_t			nta_lifetime;
+	uint32_t			nta_recheck;
+	char				*nta_file;
+	dns_ttl_t			prefetch_trigger;
+	dns_ttl_t			prefetch_eligible;
+	in_port_t			dstport;
+	dns_aclenv_t			aclenv;
+	dns_rdatatype_t			preferred_glue;
+	bool			flush;
+	dns_namelist_t *		delonly;
+	bool			rootdelonly;
+	dns_namelist_t *		rootexclude;
+	bool			checknames;
+	dns_name_t *			dlv;
+	dns_fixedname_t			dlv_fixed;
+	uint16_t			maxudp;
+	uint16_t			nocookieudp;
+	unsigned int			maxbits;
+	dns_aaaa_t			v4_aaaa;
+	dns_aaaa_t			v6_aaaa;
+	dns_acl_t *			aaaa_acl;
+	dns_dns64list_t 		dns64;
+	unsigned int 			dns64cnt;
+	dns_rpz_zones_t			*rpzs;
+	dns_catz_zones_t		*catzs;
+	dns_dlzdblist_t 		dlz_searched;
+	dns_dlzdblist_t 		dlz_unsearched;
+	uint32_t			fail_ttl;
+	dns_badcache_t			*failcache;
+
+	/*
+	 * Configurable data for server use only,
+	 * locked by server configuration lock.
+	 */
+	dns_acl_t *			matchclients;
+	dns_acl_t *			matchdestinations;
+	bool			matchrecursiveonly;
+
+	/* Locked by themselves. */
+	isc_refcount_t			references;
+
+	/* Locked by lock. */
+	unsigned int			weakrefs;
+	unsigned int			attributes;
+	/* Under owner's locking control. */
+	ISC_LINK(struct dns_view)	link;
+	dns_viewlist_t *		viewlist;
+
+	dns_zone_t *			managed_keys;
+	dns_zone_t *			redirect;
+	dns_name_t *			redirectzone;	/* points to
+							 * redirectfixed
+							 * when valid */
+	dns_fixedname_t 		redirectfixed;
+
+	/*
+	 * File and configuration data for zones added at runtime
+	 * (only used in BIND9).
+	 *
+	 * XXX: This should be a pointer to an opaque type that
+	 * named implements.
+	 */
+	char *				new_zone_file;
+	char *			        new_zone_db;
+	void *				new_zone_dbenv;
+	uint64_t			new_zone_mapsize;
+	void *				new_zone_config;
+	void				(*cfg_destroy)(void **);
+	isc_mutex_t			new_zone_lock;
+
+	unsigned char			secret[32];	/* Client secret */
+	unsigned int			v6bias;
+
+	dns_dtenv_t			*dtenv;		/* Dnstap environment */
+	dns_dtmsgtype_t			dttypes;	/* Dnstap message types
+							   to log */
+};
+
+#define DNS_VIEW_MAGIC			ISC_MAGIC('V','i','e','w')
+#define DNS_VIEW_VALID(view)		ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
+
+#define DNS_VIEWATTR_RESSHUTDOWN	0x01
+#define DNS_VIEWATTR_ADBSHUTDOWN	0x02
+#define DNS_VIEWATTR_REQSHUTDOWN	0x04
+
+#ifdef HAVE_LMDB
+#include <lmdb.h>
+/*
+ * MDB_NOTLS is used to prevent problems after configuration is reloaded, due
+ * to the way LMDB's use of thread-local storage (TLS) interacts with the BIND9
+ * thread model.
+ */
+#define DNS_LMDB_COMMON_FLAGS		(MDB_CREATE | MDB_NOSUBDIR | MDB_NOTLS)
+#ifndef __OpenBSD__
+#define DNS_LMDB_FLAGS			(DNS_LMDB_COMMON_FLAGS)
+#else /* __OpenBSD__ */
+/*
+ * OpenBSD does not have a unified buffer cache, which requires both reads and
+ * writes to be performed using mmap().
+ */
+#define DNS_LMDB_FLAGS			(DNS_LMDB_COMMON_FLAGS | MDB_WRITEMAP)
+#endif /* __OpenBSD__ */
+#endif /* HAVE_LMDB */
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		const char *name, dns_view_t **viewp);
+/*%<
+ * Create a view.
+ *
+ * Notes:
+ *
+ *\li	The newly created view has no cache, no resolver, and an empty
+ *	zone table.  The view is not frozen.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'rdclass' is a valid class.
+ *
+ *\li	'name' is a valid C string.
+ *
+ *\li	viewp != NULL && *viewp == NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *
+ *\li	Other errors are possible.
+ */
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp);
+/*%<
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid, frozen view.
+ *
+ *\li	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ *
+ *\li	While *targetp is attached, the view will not shut down.
+ */
+
+void
+dns_view_detach(dns_view_t **viewp);
+/*%<
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+void
+dns_view_flushanddetach(dns_view_t **viewp);
+/*%<
+ * Detach '*viewp' from its view.  If this was the last reference
+ * uncommitted changed in zones will be flushed to disk.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
+/*%<
+ * Weakly attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid, frozen view.
+ *
+ *\li	'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ *
+ * \li	While *targetp is attached, the view will not be freed.
+ */
+
+void
+dns_view_weakdetach(dns_view_t **targetp);
+/*%<
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a valid dns_view_t *.
+ *
+ * Ensures:
+ *
+ *\li	*viewp is NULL.
+ */
+
+isc_result_t
+dns_view_createzonetable(dns_view_t *view);
+/*%<
+ * Create a zonetable for the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'view' does not have a zonetable already.
+ *
+ * Returns:
+ *
+ *\li   	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_zt_create() can return.
+ */
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view,
+			isc_taskmgr_t *taskmgr,
+			unsigned int ntasks, unsigned int ndisp,
+			isc_socketmgr_t *socketmgr,
+			isc_timermgr_t *timermgr,
+			unsigned int options,
+			dns_dispatchmgr_t *dispatchmgr,
+			dns_dispatch_t *dispatchv4,
+			dns_dispatch_t *dispatchv6);
+/*%<
+ * Create a resolver and address database for the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'view' does not have a resolver already.
+ *
+ *\li	The requirements of dns_resolver_create() apply to 'taskmgr',
+ *	'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
+ *	'dispatchv6'.
+ *
+ * Returns:
+ *
+ *\li   	#ISC_R_SUCCESS
+ *
+ *\li	Any error that dns_resolver_create() can return.
+ */
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, bool shared);
+/*%<
+ * Set the view's cache database.  If 'shared' is true, this means the cache
+ * is created by another view and is shared with that view.  dns_view_setcache()
+ * is a backward compatible version equivalent to setcache2(..., false).
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'cache' is a valid cache.
+ *
+ * Ensures:
+ *
+ * \li    	The cache of 'view' is 'cached.
+ *
+ *\li	If this is not the first call to dns_view_setcache() for this
+ *	view, then previously set cache is detached.
+ */
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints);
+/*%<
+ * Set the view's hints database.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view, whose hints database has not been
+ *	set.
+ *
+ *\li	'hints' is a valid zone database.
+ *
+ * Ensures:
+ *
+ * \li    	The hints database of 'view' is 'hints'.
+ */
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+void
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+/*%<
+ * Set the view's static TSIG keys
+ *
+ * Requires:
+ *
+ *   \li   'view' is a valid, unfrozen view, whose static TSIG keyring has not
+ *	been set.
+ *
+ *\li      'ring' is a valid TSIG keyring
+ *
+ * Ensures:
+ *
+ *\li      The static TSIG keyring of 'view' is 'ring'.
+ */
+
+void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp);
+/*%<
+ * Return the views dynamic keys.
+ *
+ *   \li  'view' is a valid, unfrozen view.
+ *   \li  'ringp' != NULL && ringp == NULL.
+ */
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport);
+/*%<
+ * Set the view's destination port.  This is the port to
+ * which outgoing queries are sent.  The default is 53,
+ * the standard DNS port.
+ *
+ * Requires:
+ *
+ *\li      'view' is a valid view.
+ *
+ *\li      'dstport' is a valid TCP/UDP port number.
+ *
+ * Ensures:
+ *\li	External name servers will be assumed to be listening
+ *	on 'dstport'.  For servers whose address has already
+ *	obtained obtained at the time of the call, the view may
+ *	continue to use the previously set port until the address
+ *	times out from the view's address database.
+ */
+
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
+/*%<
+ * Add zone 'zone' to 'view'.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ *\li	'zone' is a valid zone.
+ */
+
+void
+dns_view_freeze(dns_view_t *view);
+/*%<
+ * Freeze view.  No changes can be made to view configuration while frozen.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, unfrozen view.
+ *
+ * Ensures:
+ *
+ *\li	'view' is frozen.
+ */
+
+void
+dns_view_thaw(dns_view_t *view);
+/*%<
+ * Thaw view.  This allows zones to be added or removed at runtime.  This is
+ * NOT thread-safe; the caller MUST have run isc_task_exclusive() prior to
+ * thawing the view.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ * Ensures:
+ *
+ *\li	'view' is no longer frozen.
+ */
+isc_result_t
+dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	      isc_stdtime_t now, unsigned int options, bool use_hints,
+	      dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+isc_result_t
+dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	       isc_stdtime_t now, unsigned int options,
+	       bool use_hints, bool use_static_stub,
+	       dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ * In general, this function first searches view's zone and cache DBs for the
+ * best match data against 'name'.  If nothing found there, and if 'use_hints'
+ * is true, the view's hint DB (if configured) is searched.
+ * If the view is configured with a static-stub zone which gives the longest
+ * match for 'name' among the zones, however, the cache DB is not consulted
+ * unless 'use_static_stub' is false (see below about this argument).
+ *
+ * dns_view_find() is a backward compatible version equivalent to
+ * dns_view_find2() with use_static_stub argument being false.
+ *
+ * Notes:
+ *
+ *\li	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets #DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.  If the name is found
+ *	in the hints database but not the type, the result code will be
+ *	#DNS_R_HINTNXRRSET.
+ *
+ *\li	If 'use_static_stub' is false and the longest match zone for 'name'
+ *	is a static-stub zone, it's ignored and the cache and/or hints will be
+ *	searched.  In the majority of the cases this argument should be
+ *	false.  The only known usage of this argument being true is
+ *	if this search is for a "bailiwick" glue A or AAAA RRset that may
+ *	best match a static-stub zone.  Consider the following example:
+ *	this view is configured with a static-stub zone "example.com",
+ *	and an attempt of recursive resolution needs to send a query for the
+ *	zone.  In this case it's quite likely that the resolver is trying to
+ *	find A/AAAA RRs for the apex name "example.com".  And, to honor the
+ *	static-stub configuration it needs to return the glue RRs in the
+ *	static-stub zone even if that exact RRs coming from the authoritative
+ *	zone has been cached.
+ *	In other general cases, the requested data is better to be
+ *	authoritative, either locally configured or retrieved from an external
+ *	server, and the data in the static-stub zone should better be ignored.
+ *
+ *\li	'foundname' must meet the requirements of dns_db_find().
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	except dns_rdatatype_any.
+ *
+ *\li	dbp == NULL || *dbp == NULL
+ *
+ *\li	nodep == NULL || *nodep == NULL.  If nodep != NULL, dbp != NULL.
+ *
+ *\li	'foundname' is a valid name with a dedicated buffer or NULL.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ *\li	If dbp != NULL, it points to the database containing the data.
+ *
+ *\li	If nodep != NULL, it points to the database node containing the data.
+ *
+ *\li	If foundname != NULL, it contains the full name of the found data.
+ *
+ * Returns:
+ *
+ *\li	Any result that dns_db_find() can return, with the exception of
+ *	#DNS_R_DELEGATION.
+ */
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		    isc_stdtime_t now, unsigned int options,
+		    bool use_hints,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ *\li	This routine is appropriate for simple, exact-match queries of the
+ *	view.  'name' must be a canonical name; there is no DNAME or CNAME
+ *	processing.
+ *
+ *\li	See the description of dns_db_find() for information about 'options'.
+ *	If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ *	and 'type' are appropriate for glue retrieval.
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.  If the answer is found in the hints
+ *	database, the result code will be DNS_R_HINT.  If the name is found
+ *	in the hints database but not the type, the result code will be
+ *	DNS_R_HINTNXRRSET.
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'type' is a valid dns_rdatatype_t, and is not a meta query type
+ *	(e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ *\li	In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ *	bound to the found data.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS			Success; result is desired type.
+ *\li	DNS_R_GLUE			Success; result is glue.
+ *\li	DNS_R_HINT			Success; result is a hint.
+ *\li	DNS_R_NCACHENXDOMAIN		Success; result is a ncache entry.
+ *\li	DNS_R_NCACHENXRRSET		Success; result is a ncache entry.
+ *\li	DNS_R_NXDOMAIN			The name does not exist.
+ *\li	DNS_R_NXRRSET			The rrset does not exist.
+ *\li	#ISC_R_NOTFOUND			No matching data found,
+ *					or an error occurred.
+ */
+
+/*% See dns_view_findzonecut2() */
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+		     isc_stdtime_t now, unsigned int options,
+		     bool use_hints,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+isc_result_t
+dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+		      isc_stdtime_t now, unsigned int options,
+		      bool use_hints, bool use_cache,
+		      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*%<
+ * Find the best known zonecut containing 'name'.
+ *
+ * This uses local authority, cache, and optionally hints data.
+ * No external queries are performed.
+ *
+ * Notes:
+ *
+ *\li	If 'now' is zero, then the current time will be used.
+ *
+ *\li	If 'use_hints' is true, and the view has a hints database, then
+ *	it will be searched last.
+ *
+ *\li	If 'use_cache' is true, and the view has a cache, then it will be
+ *	searched.
+ *
+ *\li	If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ *	covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ *\li	If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ *	(if any) will be the deepest known ancestor of 'name'.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid, frozen view.
+ *
+ *\li	'name' is valid name.
+ *
+ *\li	'rdataset' is a valid, disassociated rdataset.
+ *
+ *\li	'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS				Success.
+ *
+ *\li	Many other results are possible.
+ */
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+		  dns_rdataclass_t rdclass, dns_view_t **viewp);
+/*%<
+ * Search for a view with name 'name' and class 'rdclass' in 'list'.
+ * If found, '*viewp' is (strongly) attached to it.
+ *
+ * Requires:
+ *
+ *\li	'viewp' points to a NULL dns_view_t *.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		A matching view was found.
+ *\li	#ISC_R_NOTFOUND		No matching view was found.
+ */
+
+isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, bool allclasses,
+		      dns_rdataclass_t rdclass, dns_zone_t **zonep);
+
+/*%<
+ * Search zone with 'name' in view with 'rdclass' in viewlist 'list'
+ * If found, zone is returned in *zonep. If allclasses is set rdclass is ignored
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS          A matching zone was found.
+ *\li	#ISC_R_NOTFOUND         No matching zone was found.
+ *\li	#ISC_R_MULTIPLE         Multiple zones with the same name were found.
+ */
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
+/*%<
+ * Search for the zone 'name' in the zone table of 'view'.
+ * If found, 'zonep' is (strongly) attached to it.  There
+ * are no partial matches.
+ *
+ * Requires:
+ *
+ *\li	'zonep' points to a NULL dns_zone_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		A matching zone was found.
+ *\li	#ISC_R_NOTFOUND		No matching zone was found.
+ *\li	others			An error occurred.
+ */
+
+isc_result_t
+dns_view_load(dns_view_t *view, bool stop);
+
+isc_result_t
+dns_view_loadnew(dns_view_t *view, bool stop);
+
+isc_result_t
+dns_view_asyncload(dns_view_t *view, dns_zt_allloaded_t callback, void *arg);
+
+isc_result_t
+dns_view_asyncload2(dns_view_t *view, dns_zt_allloaded_t callback, void *arg,
+		    bool newonly);
+/*%<
+ * Load zones attached to this view.  dns_view_load() loads
+ * all zones whose master file has changed since the last
+ * load; dns_view_loadnew() loads only zones that have never
+ * been loaded.
+ *
+ * dns_view_asyncload() loads zones asynchronously.  When all zones
+ * in the view have finished loading, 'callback' is called with argument
+ * 'arg' to inform the caller.
+ *
+ * If 'stop' is true, stop on the first error and return it.
+ * If 'stop' is false (or we are loading asynchronously), ignore errors.
+ *
+ * Requires:
+ *
+ *\li	'view' is valid.
+ */
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
+		 dns_tsigkey_t **keyp);
+/*%<
+ * Find the TSIG key configured in 'view' with name 'keyname',
+ * if any.
+ *
+ * Requires:
+ *\li	keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
+ */
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
+		     dns_tsigkey_t **keyp);
+/*%<
+ * Find the TSIG key configured in 'view' for the server whose
+ * address is 'peeraddr', if any.
+ *
+ * Requires:
+ *	keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	A key was found and '*keyp' now points to it.
+ *\li	#ISC_R_NOTFOUND	No key was found.
+ *\li	others		An error occurred.
+ */
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
+/*%<
+ * Verifies the signature of a message.
+ *
+ * Requires:
+ *
+ *\li	'view' is a valid view.
+ *\li	'source' is a valid buffer containing the message
+ *\li	'msg' is a valid message
+ *
+ * Returns:
+ *\li	see dns_tsig_verify()
+ */
+
+void
+dns_view_dialup(dns_view_t *view);
+/*%<
+ * Perform dialup-time maintenance on the zones of 'view'.
+ */
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
+/*%<
+ * Dump the current state of the view 'view' to the stream 'fp'
+ * for purposes of analysis or debugging.
+ *
+ * Currently the dumped state includes the view's cache; in the future
+ * it may also include other state such as the address database.
+ * It will not not include authoritative data since it is voluminous and
+ * easily obtainable by other means.
+ *
+ * Requires:
+ *
+ *\li	'view' is valid.
+ *
+ *\li	'fp' refers to a file open for writing.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	The cache was successfully dumped.
+ * \li	others		An error occurred (see dns_master_dump)
+ */
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view);
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, bool fixuponly);
+/*%<
+ * Flush the view's cache (and ADB).  If 'fixuponly' is true, it only updates
+ * the internal reference to the cache DB with omitting actual flush operation.
+ * 'fixuponly' is intended to be used for a view that shares a cache with
+ * a different view.  dns_view_flushcache() is a backward compatible version
+ * that always sets fixuponly to false.
+ *
+ * Requires:
+ * 	'view' is valid.
+ *
+ * 	No other tasks are executing.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_flushnode(dns_view_t *view, dns_name_t *name, bool tree);
+/*%<
+ * Flush the given name from the view's cache (and optionally ADB/badcache).
+ *
+ * Flush the given name from the cache, ADB, and bad cache.  If 'tree'
+ * is true, also flush all subdomains of 'name'.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *	other returns are failures.
+ */
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *name);
+/*%<
+ * Flush the given name from the view's cache, ADB and badcache.
+ * Equivalent to dns_view_flushnode(view, name, false).
+ *
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *	other returns are failures.
+ */
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
+/*%<
+ * Add the given name to the delegation only table.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
+/*%<
+ * Add the given name to be excluded from the root-delegation-only.
+ *
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
+/*%<
+ * Check if 'name' is in the delegation only table or if
+ * rootdelonly is set that name is not being excluded.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ *\li	'name' is valid.
+ *
+ * Returns:
+ *\li	#true if the name is the table.
+ *\li	#false otherwise.
+ */
+
+void
+dns_view_setrootdelonly(dns_view_t *view, bool value);
+/*%<
+ * Set the root delegation only flag.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ */
+
+bool
+dns_view_getrootdelonly(dns_view_t *view);
+/*%<
+ * Get the root delegation only flag.
+ *
+ * Requires:
+ *\li	'view' is valid.
+ */
+
+isc_result_t
+dns_view_freezezones(dns_view_t *view, bool freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ */
+
+void
+dns_view_setadbstats(dns_view_t *view, isc_stats_t *stats);
+/*%<
+ * Set a adb statistics set 'stats' for 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics supporting adb statistics
+ *	(see dns/stats.h).
+ */
+
+void
+dns_view_getadbstats(dns_view_t *view, isc_stats_t **statsp);
+/*%<
+ * Get the adb statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats);
+/*%<
+ * Set a general resolver statistics counter set 'stats' for 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp);
+/*%<
+ * Get the general statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats);
+/*%<
+ * Set a statistics counter set of rdata type, 'stats', for 'view'.  Once the
+ * statistic set is installed, view's resolver will count outgoing queries
+ * per rdata type.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics created by dns_rdatatypestats_create().
+ */
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
+/*%<
+ * Get the rdatatype statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+bool
+dns_view_iscacheshared(dns_view_t *view);
+/*%<
+ * Check if the view shares the cache created by another view.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	#true if the cache is shared.
+ *\li	#false otherwise.
+ */
+
+isc_result_t
+dns_view_initntatable(dns_view_t *view,
+		      isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr);
+/*%<
+ * Initialize the negative trust anchor table for the view.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getntatable(dns_view_t *view, dns_ntatable_t **ntp);
+/*%<
+ * Get the negative trust anchor table for this view.  Returns
+ * ISC_R_NOTFOUND if the table not been initialized for the view.
+ *
+ * '*ntp' is attached on success; the caller is responsible for
+ * detaching it with dns_ntatable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'nta' is not NULL and '*nta' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx);
+/*%<
+ * Initialize security roots for the view, detaching any previously
+ * existing security roots first.  (Note that secroots_priv is
+ * NULL until this function is called, so any function using
+ * security roots must check that they have been initialized first.
+ * One way to do this is use dns_view_getsecroots() and check its
+ * return value.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other result indicates failure
+ */
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp);
+/*%<
+ * Get the security roots for this view.  Returns ISC_R_NOTFOUND if
+ * the security roots keytable has not been initialized for the view.
+ *
+ * '*ktp' is attached on success; the caller is responsible for
+ * detaching it with dns_keytable_detach().
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'ktp' is not NULL and '*ktp' is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOTFOUND
+ */
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			isc_stdtime_t now, bool checknta,
+			bool *secure_domain);
+/*%<
+ * Is 'name' at or beneath a trusted key, and not covered by a valid
+ * negative trust anchor?  Put answer in '*secure_domain'.
+ *
+ * If 'checknta' is false, ignore the NTA table in determining
+ * whether this is a secure domain.
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	Any other value indicates failure
+ */
+
+bool
+dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now,
+		   dns_name_t *name, dns_name_t *anchor);
+/*%<
+ * Is there a current negative trust anchor above 'name' and below 'anchor'?
+ *
+ * Requires:
+ * \li	'view' is valid.
+ *
+ * Returns:
+ *\li	ISC_R_TRUE
+ *\li	ISC_R_FALSE
+ */
+
+void
+dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
+		 dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx);
+/*%<
+ * Remove keys that match 'keyname' and 'dnskey' from the views trust
+ * anchors.
+ *
+ * (NOTE: If the configuration specifies that there should be a
+ * trust anchor at 'keyname', but no keys are left after this
+ * operation, that is an error.  We fail closed, inserting a NULL
+ * key so as to prevent validation until a legimitate key has been
+ * provided.)
+ *
+ * Requires:
+ * \li	'view' is valid.
+ * \li	'keyname' is valid.
+ * \li	'mctx' is valid.
+ * \li	'dnskey' is valid.
+ */
+
+isc_result_t
+dns_view_setnewzones(dns_view_t *view, bool allow, void *cfgctx,
+		     void (*cfg_destroy)(void **), uint64_t mapsize);
+/*%<
+ * Set whether or not to allow zones to be created or deleted at runtime.
+ *
+ * If 'allow' is true, determines the filename into which new zone
+ * configuration will be written.  Preserves the configuration context
+ * (a pointer to which is passed in 'cfgctx') for use when parsing new
+ * zone configuration.  'cfg_destroy' points to a callback routine to
+ * destroy the configuration context when the view is destroyed.  (This
+ * roundabout method is used in order to avoid libdns having a dependency
+ * on libisccfg and libbind9.)
+ *
+ * If 'allow' is false, removes any existing references to
+ * configuration context and frees any memory.
+ *
+ * Requires:
+ * \li 'view' is valid.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOSPACE
+ */
+
+void
+dns_view_restorekeyring(dns_view_t *view);
+
+isc_result_t
+dns_view_searchdlz(dns_view_t *view, dns_name_t *name,
+		   unsigned int minlabels,
+		   dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo,
+		   dns_db_t **dbp);
+
+/*%<
+ * Search through the DLZ database(s) in view->dlz_searched to find
+ * one that can answer a query for 'name', using the DLZ driver's
+ * findzone method.  If successful, '*dbp' is set to point to the
+ * DLZ database.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOTFOUND
+ *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'name' is not NULL.
+ * \li 'dbp' is not NULL and *dbp is NULL.
+ */
+
+uint32_t
+dns_view_getfailttl(dns_view_t *view);
+/*%<
+ * Get the view's servfail-ttl.  zero => no servfail caching.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setfailttl(dns_view_t *view, uint32_t failttl);
+/*%<
+ * Set the view's servfail-ttl.  zero => no servfail caching.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+isc_result_t
+dns_view_saventa(dns_view_t *view);
+/*%<
+ * Save NTA for names in this view to a file.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+isc_result_t
+dns_view_loadnta(dns_view_t *view);
+/*%<
+ * Loads NTA for names in this view from a file.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setviewcommit(dns_view_t *view);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setviewrevert(dns_view_t *view);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
new file mode 100644
index 0000000..123ba56
--- /dev/null
+++ b/lib/dns/include/dns/xfrin.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_XFRIN_H
+#define DNS_XFRIN_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file dns/xfrin.h
+ * \brief
+ * Incoming zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A transfer in progress.  This is an opaque type.
+ */
+typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/*% see dns_xfrin_create2() */
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
+		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		 isc_socketmgr_t *socketmgr, isc_task_t *task,
+		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done,
+		  dns_xfrin_ctx_t **xfrp);
+
+isc_result_t
+dns_xfrin_create3(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  isc_dscp_t dscp, dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done,
+		  dns_xfrin_ctx_t **xfrp);
+/*%<
+ * Attempt to start an incoming zone transfer of 'zone'
+ * from 'masteraddr', creating a dns_xfrin_ctx_t object to
+ * manage it.  Attach '*xfrp' to the newly created object.
+ *
+ * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
+ * called in the context of 'task', with 'zone' and a result
+ * code as arguments when the transfer finishes.
+ *
+ * Requires:
+ *\li	'xfrtype' is dns_rdatatype_axfr, dns_rdatatype_ixfr
+ *	or dns_rdatatype_soa (soa query followed by axfr if
+ *	serial is greater than current serial).
+ *
+ *\li	If 'xfrtype' is dns_rdatatype_ixfr or dns_rdatatype_soa,
+ *	the zone has a database.
+ */
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
+/*%<
+ * If the zone transfer 'xfr' has already finished,
+ * do nothing.  Otherwise, abort it and cause it to call
+ * its done callback with a status of ISC_R_CANCELED.
+ */
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
+/*%<
+ * Detach a reference to a zone transfer object.
+ * Caller to maintain external locking if required.
+ */
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
+/*%<
+ * Caller to maintain external locking if required.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_XFRIN_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
new file mode 100644
index 0000000..c059ce2
--- /dev/null
+++ b/lib/dns/include/dns/zone.h
@@ -0,0 +1,2515 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZONE_H
+#define DNS_ZONE_H 1
+
+/*! \file dns/zone.h */
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdio.h>
+#include <stdbool.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+
+#include <dns/catz.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/rdatastruct.h>
+#include <dns/rpz.h>
+#include <dns/types.h>
+#include <dns/zt.h>
+
+typedef enum {
+	dns_zone_none,
+	dns_zone_master,
+	dns_zone_slave,
+	dns_zone_stub,
+	dns_zone_staticstub,
+	dns_zone_key,
+	dns_zone_dlz,
+	dns_zone_redirect
+} dns_zonetype_t;
+
+typedef enum {
+	dns_zonestat_none = 0,
+	dns_zonestat_terse,
+	dns_zonestat_full
+} dns_zonestat_level_t;
+
+#define DNS_ZONEOPT_SERVERS	  0x00000001U	/*%< perform server checks */
+#define DNS_ZONEOPT_PARENTS	  0x00000002U	/*%< perform parent checks */
+#define DNS_ZONEOPT_CHILDREN	  0x00000004U	/*%< perform child checks */
+#define DNS_ZONEOPT_NOTIFY	  0x00000008U	/*%< perform NOTIFY */
+#define DNS_ZONEOPT_MANYERRORS	  0x00000010U	/*%< return many errors on load */
+#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U	/*%< calculate differences */
+#define DNS_ZONEOPT_NOMERGE	  0x00000040U	/*%< don't merge journal */
+#define DNS_ZONEOPT_CHECKNS	  0x00000080U	/*%< check if NS's are addresses */
+#define DNS_ZONEOPT_FATALNS	  0x00000100U	/*%< DNS_ZONEOPT_CHECKNS is fatal */
+#define DNS_ZONEOPT_MULTIMASTER	  0x00000200U	/*%< this zone has multiple masters */
+#define DNS_ZONEOPT_USEALTXFRSRC  0x00000400U	/*%< use alternate transfer sources */
+#define DNS_ZONEOPT_CHECKNAMES	  0x00000800U	/*%< check-names */
+#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U	/*%< fatal check-name failures */
+#define DNS_ZONEOPT_CHECKWILDCARD 0x00002000U	/*%< check for internal wildcards */
+#define DNS_ZONEOPT_CHECKMX	  0x00004000U	/*%< check-mx */
+#define DNS_ZONEOPT_CHECKMXFAIL   0x00008000U	/*%< fatal check-mx failures */
+#define DNS_ZONEOPT_CHECKINTEGRITY 0x00010000U	/*%< perform integrity checks */
+#define DNS_ZONEOPT_CHECKSIBLING  0x00020000U	/*%< perform sibling glue checks */
+#define DNS_ZONEOPT_NOCHECKNS	  0x00040000U	/*%< disable IN NS address checks */
+#define DNS_ZONEOPT_WARNMXCNAME	  0x00080000U	/*%< warn on MX CNAME check */
+#define DNS_ZONEOPT_IGNOREMXCNAME 0x00100000U	/*%< ignore MX CNAME check */
+#define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
+#define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
+#define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
+#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
+#define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
+#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
+#define DNS_ZONEOPT_SECURETOINSECURE 0x08000000U /*%< dnssec-secure-to-insecure */
+#define DNS_ZONEOPT_DNSKEYKSKONLY 0x10000000U	/*%< dnssec-dnskey-kskonly */
+#define DNS_ZONEOPT_CHECKDUPRR	  0x20000000U   /*%< check-dup-records */
+#define DNS_ZONEOPT_CHECKDUPRRFAIL 0x40000000U	/*%< fatal check-dup-records failures */
+#define DNS_ZONEOPT_CHECKSPF	  0x80000000U	/*%< check SPF records */
+
+/*
+ * The following zone options are shifted left into the
+ * higher-order 32 bits of the options.
+ */
+#define DNS_ZONEOPT2_CHECKTTL	  0x00000001U	/*%< check max-zone-ttl */
+#define DNS_ZONEOPT2_AUTOEMPTY	  0x00000002U	/*%< automatic empty zone */
+
+#ifndef NOMINUM_PUBLIC
+/*
+ * Nominum specific options build down.
+ */
+#define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U	/* forward notify to master */
+#endif /* NOMINUM_PUBLIC */
+
+/*
+ * Zone key maintenance options
+ */
+#define DNS_ZONEKEY_ALLOW	0x00000001U	/*%< fetch keys on command */
+#define DNS_ZONEKEY_MAINTAIN	0x00000002U	/*%< publish/sign on schedule */
+#define DNS_ZONEKEY_CREATE	0x00000004U	/*%< make keys when needed */
+#define DNS_ZONEKEY_FULLSIGN    0x00000008U     /*%< roll to new keys immediately */
+#define DNS_ZONEKEY_NORESIGN	0x00000010U	/*%< no automatic resigning */
+
+#ifndef DNS_ZONE_MINREFRESH
+#define DNS_ZONE_MINREFRESH		    300	/*%< 5 minutes */
+#endif
+#ifndef DNS_ZONE_MAXREFRESH
+#define DNS_ZONE_MAXREFRESH		2419200	/*%< 4 weeks */
+#endif
+#ifndef DNS_ZONE_DEFAULTREFRESH
+#define DNS_ZONE_DEFAULTREFRESH		   3600	/*%< 1 hour */
+#endif
+#ifndef DNS_ZONE_MINRETRY
+#define DNS_ZONE_MINRETRY		    300	/*%< 5 minutes */
+#endif
+#ifndef DNS_ZONE_MAXRETRY
+#define DNS_ZONE_MAXRETRY		1209600	/*%< 2 weeks */
+#endif
+#ifndef DNS_ZONE_DEFAULTRETRY
+#define DNS_ZONE_DEFAULTRETRY		     60	/*%< 1 minute, subject to
+						   exponential backoff */
+#endif
+
+#define DNS_ZONESTATE_XFERRUNNING	1
+#define DNS_ZONESTATE_XFERDEFERRED	2
+#define DNS_ZONESTATE_SOAQUERY		3
+#define DNS_ZONESTATE_ANY		4
+#define DNS_ZONESTATE_AUTOMATIC		5
+
+ISC_LANG_BEGINDECLS
+
+/***
+ ***	Functions
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
+/*%<
+ *	Creates a new empty zone and attach '*zonep' to it.
+ *
+ * Requires:
+ *\li	'zonep' to point to a NULL pointer.
+ *\li	'mctx' to be a valid memory context.
+ *
+ * Ensures:
+ *\li	'*zonep' refers to a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
+/*%<
+ *	Sets the class of a zone.  This operation can only be performed
+ *	once on a zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_setclass() not to have been called since the zone was
+ *	created.
+ *\li	'rdclass' != dns_rdataclass_none.
+ */
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone class.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_getserial2(dns_zone_t *zone, uint32_t *serialp);
+
+uint32_t
+dns_zone_getserial(dns_zone_t *zone);
+/*%<
+ *	Returns the current serial number of the zone.  On success, the SOA
+ *	serial of the zone will be copied into '*serialp'.
+ *	dns_zone_getserial() cannot catch failure cases and is deprecated by
+ *	dns_zone_getserial2().
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	'serialp' to be non NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_NOTLOADED	zone DB is not loaded
+ */
+
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
+/*%<
+ *	Sets the zone type. This operation can only be performed once on
+ *	a zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	dns_zone_settype() not to have been called since the zone was
+ *	created.
+ *\li	'type' != dns_zone_none
+ */
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
+/*%<
+ *	Associate the zone with a view.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone);
+/*%<
+ *	Returns the zone's associated view.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setviewcommit(dns_zone_t *zone);
+/*%<
+ *	Commit the previous view saved internally via dns_zone_setview().
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone);
+/*%<
+ *	Revert the most recent dns_zone_setview() on this zone,
+ *	restoring the previous view.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
+/*%<
+ *	Sets the zones origin to 'origin'.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'origin' to be non NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li 	#ISC_R_NOMEMORY
+ */
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone);
+/*%<
+ *	Returns the value of the origin.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file);
+
+isc_result_t
+dns_zone_setfile2(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format);
+isc_result_t
+dns_zone_setfile3(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format, const dns_master_style_t *style);
+/*%<
+ *    Sets the name of the master file in the format of 'format' from which
+ *    the zone loads its database to 'file'.
+ *
+ *    For zones that have no associated master file, 'file' will be NULL.
+ *
+ *	For zones with persistent databases, the file name
+ *	setting is ignored.
+ *
+ *    dns_zone_setfile() is a backward-compatible form of
+ *    dns_zone_setfile2(), which always specifies the
+ *    dns_masterformat_text (RFC1035) format.
+ *
+ *    dns_zone_setfile2() is a backward-compatible form of
+ *    dns_zone_setfile3(), which also specifies the style
+ *    that should be used if a zone using the 'text'
+ *    masterformat is ever dumped.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getfile(dns_zone_t *zone);
+/*%<
+ * 	Gets the name of the zone's master file, if any.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	Pointer to null-terminated file name, or NULL.
+ */
+
+void
+dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t records);
+/*%<
+ * 	Sets the maximim number of records permitted in a zone.
+ *	0 implies unlimited.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	void
+ */
+
+uint32_t
+dns_zone_getmaxrecords(dns_zone_t *zone);
+/*%<
+ * 	Gets the maximim number of records permitted in a zone.
+ *	0 implies unlimited.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	uint32_t maxrecords.
+ */
+
+void
+dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl);
+/*%<
+ * 	Sets the max ttl of the zone.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	void
+ */
+
+dns_ttl_t
+dns_zone_getmaxttl(dns_zone_t *zone);
+/*%<
+ * 	Gets the max ttl of the zone.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li	dns_ttl_t maxttl.
+ */
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone);
+
+isc_result_t
+dns_zone_loadnew(dns_zone_t *zone);
+
+isc_result_t
+dns_zone_loadandthaw(dns_zone_t *zone);
+
+/*%<
+ *	Cause the database to be loaded from its backing store.
+ *	Confirm that the minimum requirements for the zone type are
+ *	met, otherwise DNS_R_BADZONE is returned.
+ *
+ *	dns_zone_loadnew() only loads zones that are not yet loaded.
+ *	dns_zone_load() also loads zones that are already loaded and
+ *	and whose master file has changed since the last load.
+ *	dns_zone_loadandthaw() is similar to dns_zone_load() but will
+ *	also re-enable DNS UPDATEs when the load completes.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_CONTINUE	  Incremental load has been queued.
+ *\li	DNS_R_UPTODATE	  The zone has already been loaded based on
+ *			  file system timestamps.
+ *\li	DNS_R_BADZONE
+ *\li	Any result value from dns_db_load().
+ */
+
+isc_result_t
+dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg);
+
+isc_result_t
+dns_zone_asyncload2(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg,
+		    bool newonly);
+/*%<
+ * Cause the database to be loaded from its backing store asynchronously.
+ * Other zone maintenance functions are suspended until this is complete.
+ * When finished, 'done' is called to inform the caller, with 'arg' as
+ * its first argument and 'zone' as its second.  (Normally, 'arg' is
+ * expected to point to the zone table but is left undefined for testing
+ * purposes.)
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_ALREADYRUNNING
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOMEMORY
+ */
+
+bool
+dns__zone_loadpending(dns_zone_t *zone);
+/*%<
+ * Indicates whether the zone is waiting to be loaded asynchronously.
+ * (Not currently intended for use outside of this module and associated
+ * tests.)
+ */
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its external
+ * 	reference count.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_detach(dns_zone_t **zonep);
+/*%<
+ *	Detach from a zone decrementing its external reference count.
+ *	If this was the last external reference to the zone it will be
+ * 	shut down and eventually freed.
+ *
+ * Require:
+ *\li	'zonep' to point to a valid zone.
+ */
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its internal
+ * 	reference count.  This is intended for use by operations
+ * 	such as zone transfers that need to prevent the zone
+ * 	object from being freed but not from shutting down.
+ *
+ * Require:
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_idetach(dns_zone_t **zonep);
+/*%<
+ *	Detach from a zone decrementing its internal reference count.
+ *	If there are no more internal or external references to the
+ * 	zone, it will be freed.
+ *
+ * Require:
+ *\li	The caller is running in the context of the zone's task.
+ *\li	'zonep' to point to a valid zone.
+ */
+
+void
+dns_zone_setflag(dns_zone_t *zone, unsigned int flags, bool value);
+/*%<
+ *	Sets ('value' == 'true') / clears ('value' == 'IS_FALSE')
+ *	zone flags.  Valid flag bits are DNS_ZONE_F_*.
+ *
+ * Requires
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
+/*%<
+ * 	Attach '*dbp' to the database to if it exists otherwise
+ *	return DNS_R_NOTLOADED.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'dbp' to be != NULL && '*dbp' == NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DNS_R_NOTLOADED
+ */
+
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db);
+/*%<
+ *	Sets the zone database to 'db'.
+ *
+ *	This function is expected to be used to configure a zone with a
+ *	database which is not loaded from a file or zone transfer.
+ *	It can be used for a general purpose zone, but right now its use
+ *	is limited to static-stub zones to avoid possible undiscovered
+ *	problems in the general cases.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone of static-stub.
+ *\li	zone doesn't have a database.
+ */
+
+isc_result_t
+dns_zone_setdbtype(dns_zone_t *zone,
+		   unsigned int dbargc, const char * const *dbargv);
+/*%<
+ *	Sets the database type to dbargv[0] and database arguments
+ *	to subsequent dbargv elements.
+ *	'db_type' is not checked to see if it is a valid database type.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'database' to be non NULL.
+ *\li	'dbargc' to be >= 1
+ *\li	'dbargv' to point to dbargc NULL-terminated strings
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx);
+/*%<
+ *	Returns the current dbtype.  isc_mem_free() should be used
+ * 	to free 'argv' after use.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'argv' to be non NULL and *argv to be NULL.
+ *\li	'mctx' to be valid.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_zone_markdirty(dns_zone_t *zone);
+/*%<
+ *	Mark a zone as 'dirty'.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_expire(dns_zone_t *zone);
+/*%<
+ *	Mark the zone as expired.  If the zone requires dumping cause it to
+ *	be initiated.  Set the refresh and retry intervals to there default
+ *	values and unload the zone.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_refresh(dns_zone_t *zone);
+/*%<
+ *	Initiate zone up to date checks.  The zone must already be being
+ *	managed.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone);
+/*%<
+ *	Write the zone to database if there are uncommitted changes.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone);
+/*%<
+ *	Write the zone to database.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
+
+isc_result_t
+dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style);
+isc_result_t
+dns_zone_dumptostream3(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style,
+		       const uint32_t rawversion);
+/*%<
+ *    Write the zone to stream 'fd' in the specified 'format'.
+ *    If the 'format' is dns_masterformat_text (RFC1035), 'style' also
+ *    specifies the file style (e.g., &dns_master_style_default).
+ *
+ *    dns_zone_dumptostream() is a backward-compatible form of
+ *    dns_zone_dumptostream2(), which always uses the dns_masterformat_text
+ *    format and the dns_master_style_default style.
+ *
+ *    dns_zone_dumptostream2() is a backward-compatible form of
+ *    dns_zone_dumptostream3(), which always uses the current
+ *    default raw file format version.
+ *
+ *    Note that dns_zone_dumptostream3() is the most flexible form.  It
+ *    can also provide the functionality of dns_zone_fulldumptostream().
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'fd' to be a stream open for writing.
+ */
+
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
+/*%<
+ *	The same as dns_zone_dumptostream, but dumps the zone with
+ *	different dump settings (dns_master_style_full).
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'fd' to be a stream open for writing.
+ */
+
+void
+dns_zone_maintenance(dns_zone_t *zone);
+/*%<
+ *	Perform regular maintenance on the zone.  This is called as a
+ *	result of a zone being managed.
+ *
+ * Require
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
+		    uint32_t count);
+isc_result_t
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    uint32_t count);
+/*%<
+ *	Set the list of master servers for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'masters' array of isc_sockaddr_t with port set or NULL.
+ *\li	'count' the number of masters.
+ *\li      'keynames' array of dns_name_t's for tsig keys or NULL.
+ *
+ *  \li    dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
+ *      passing NULL in the keynames field.
+ *
+ * \li	If 'masters' is NULL then 'count' must be zero.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li      Any result dns_name_dup() can return, if keynames!=NULL
+ */
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+		       uint32_t count);
+isc_result_t
+dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       dns_name_t **keynames, uint32_t count);
+isc_result_t
+dns_zone_setalsonotifydscpkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       const isc_dscp_t *dscps, dns_name_t **keynames,
+			       uint32_t count);
+/*%<
+ *	Set the list of additional servers to be notified when
+ *	a zone changes.	 To clear the list use 'count = 0'.
+ *
+ *	dns_zone_alsonotifywithkeys() allows each notify address to
+ *	be associated with a TSIG key.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notify' to be non-NULL if count != 0.
+ *\li	'count' to be the number of notifiees.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+dns_zone_unload(dns_zone_t *zone);
+/*%<
+ *	detach the database from the zone structure.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setoption(dns_zone_t *zone, unsigned int option,
+		   bool value);
+void
+dns_zone_setoption2(dns_zone_t *zone, unsigned int option,
+		    bool value);
+/*%<
+ *	Set the given options on ('value' == true) or off
+ *	('value' == #false).
+ *
+ *	dns_zone_setoption2() has been introduced because the number
+ *	of options needed now exceeds the 32 bits in the zone->options
+ *	field; it should be used set options with names beginning
+ *	with DNS_ZONEOPT2_.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone);
+unsigned int
+dns_zone_getoptions2(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone options.
+ *
+ *	Callers should be aware there is now more than one set of zone
+ *	options.  dns_zone_getoptions2() has been introduced because the
+ *	number of options needed now exceeds the 32 bits in the
+ *	zone->options field. It returns the options whose names begin
+ *	with DNS_ZONEOPT2_.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int option, bool value);
+/*%<
+ *	Set key options on ('value' == true) or off ('value' ==
+ *	#false).
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone);
+/*%<
+ *	Returns the current zone key options.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the minimum refresh time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the maximum refresh time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the minimum retry time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *\li	val > 0.
+ */
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val);
+/*%<
+ *	Set the maximum retry time.
+ *
+ * Requires:
+ *\li	'zone' is valid.
+ *	val > 0.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *xfrsource);
+/*%<
+ * 	Set the source address to be used in IPv4 zone transfers.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setxfrsource4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+isc_result_t
+dns_zone_setaltxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_dscp_t
+dns_zone_getxfrsource4dscp(dns_zone_t *zone);
+isc_dscp_t
+dns_zone_getaltxfrsource4dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *xfrsource);
+/*%<
+ * 	Set the source address to be used in IPv6 zone transfers.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'xfrsource' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setxfrsource6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getxfrsource6dscp(dns_zone_t *zone);
+isc_dscp_t
+dns_zone_getaltxfrsource6dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+isc_result_t
+dns_zone_setaltxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the transfer/alt-transfer source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+/*%<
+ * 	Set the source address to be used with IPv4 NOTIFY messages.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setnotifysrc4
+ *	call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getnotifysrc4dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv4 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc4dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv4 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc);
+/*%<
+ * 	Set the source address to be used with IPv6 NOTIFY messages.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'notifysrc' to contain the address.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone);
+/*%<
+ *	Returns the source address set by a previous dns_zone_setnotifysrc6
+ *	call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_dscp_t
+dns_zone_getnotifysrc6dscp(dns_zone_t *zone);
+/*%/
+ * Get the DSCP value associated with the IPv6 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp);
+/*%<
+ * Set the DSCP value associated with the IPv6 notify source.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the notify acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query-on acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the update acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the forward unsigned updates acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the transfer acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be valid acl.
+ */
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current notify acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query-on acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current update acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current forward unsigned updates acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current transfer acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current update acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current forward unsigned updates acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current notify acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query-on acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone);
+/*%<
+ *	Clear the current transfer acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+bool
+dns_zone_getupdatedisabled(dns_zone_t *zone);
+/*%<
+ * Return update disabled.
+ * Transient unless called when running in isc_task_exclusive() mode.
+ */
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, bool state);
+/*%<
+ * Set update disabled.
+ * Should only be called only when running in isc_task_exclusive() mode.
+ * Failure to do so may result in updates being committed after the
+ * call has been made.
+ */
+
+bool
+dns_zone_getzeronosoattl(dns_zone_t *zone);
+/*%<
+ * Return zero-no-soa-ttl status.
+ */
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, bool state);
+/*%<
+ * Set zero-no-soa-ttl status.
+ */
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
+/*%<
+ * 	Set the severity of name checking when loading a zone.
+ *
+ * Require:
+ * \li     'zone' to be a valid zone.
+ */
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone);
+/*%<
+ *	Return the current severity of name checking.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, int32_t size);
+/*%<
+ *	Sets the journal size for the zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+int32_t
+dns_zone_getjournalsize(dns_zone_t *zone);
+/*%<
+ *	Return the journal size as set with a previous call to
+ *	dns_zone_setjournalsize().
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+		       dns_message_t *msg);
+isc_result_t
+dns_zone_notifyreceive2(dns_zone_t *zone, isc_sockaddr_t *from,
+			isc_sockaddr_t *to, dns_message_t *msg);
+/*%<
+ *	Tell the zone that it has received a NOTIFY message from another
+ *	server.  This may cause some zone maintenance activity to occur.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *\li	'*from' to contain the address of the server from which 'msg'
+ *		was received.
+ *\li	'msg' a message with opcode NOTIFY and qr clear.
+ *
+ * Returns:
+ *\li	DNS_R_REFUSED
+ *\li	DNS_R_NOTIMP
+ *\li	DNS_R_FORMERR
+ *\li	DNS_R_SUCCESS
+ */
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin);
+/*%<
+ * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ */
+
+uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone);
+/*%<
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrin() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout);
+/*%<
+ * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ */
+
+uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone);
+/*%<
+ * Returns the maximum transfer time for this zone.  This will be
+ * either the value set by the last call to dns_zone_setmaxxfrout() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *myjournal);
+/*%<
+ * Sets the filename used for journaling updates / IXFR transfers.
+ * The default journal name is set by dns_zone_setfile() to be
+ * "file.jnl".  If 'myjournal' is NULL, the zone will have no
+ * journal name.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+char *
+dns_zone_getjournal(dns_zone_t *zone);
+/*%<
+ * Returns the journal name associated with this zone.
+ * If no journal has been set this will be NULL.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone);
+/*%<
+ * Returns the type of the zone (master/slave/etc.)
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
+/*%<
+ * Give a zone a task to work with.  Any current task will be detached.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'task' to be valid.
+ */
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
+/*%<
+ * Attach '*target' to the zone's task.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *\li	'zone' to have a task.
+ *\li	'target' to be != NULL && '*target' == NULL.
+ */
+
+void
+dns_zone_notify(dns_zone_t *zone);
+/*%<
+ * Generate notify events for this zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump);
+/*%<
+ * Replace the database of "zone" with a new database "db".
+ *
+ * If "dump" is true, then the new zone contents are dumped
+ * into to the zone's master file for persistence.  When replacing
+ * a zone database by one just loaded from a master file, set
+ * "dump" to false to avoid a redundant redump of the data just
+ * loaded.  Otherwise, it should be set to true.
+ *
+ * If the "diff-on-reload" option is enabled in the configuration file,
+ * the differences between the old and the new database are added to the
+ * journal file, and the master file dump is postponed.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	DNS_R_SUCCESS
+ * \li	DNS_R_BADZONE	zone failed basic consistency checks:
+ *			* a single SOA must exist
+ *			* some NS records must exist.
+ *	Others
+ */
+
+uint32_t
+dns_zone_getidlein(dns_zone_t *zone);
+/*%<
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	number of seconds of idle time before we abort the transfer in.
+ */
+
+void
+dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein);
+/*%<
+ * \li	Set the idle timeout for transfer the.
+ * \li	Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getidleout(dns_zone_t *zone);
+/*%<
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	number of seconds of idle time before we abort a transfer out.
+ */
+
+void
+dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout);
+/*%<
+ * \li	Set the idle timeout for transfers out.
+ * \li	Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
+/*%<
+ * Get the simple-secure-update policy table.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
+/*%<
+ * Set / clear the simple-secure-update policy table.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone);
+/*%<
+ * Get the memory context of a zone.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone);
+/*%<
+ *	If 'zone' is managed return the zone manager otherwise NULL.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval);
+/*%<
+ * Set the zone's RRSIG validity interval.  This is the length of time
+ * for which DNSSEC signatures created as a result of dynamic updates
+ * to secure zones will remain valid, in seconds.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's RRSIG validity interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval);
+/*%<
+ * Set the zone's RRSIG re-signing interval.  A dynamic zone's RRSIG's
+ * will be re-signed 'interval' amount of time before they expire.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's RRSIG re-signing interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
+/*%<
+ * Sets zone notify method to "notifytype"
+ */
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+		       dns_updatecallback_t callback, void *callback_arg);
+/*%<
+ * Forward 'msg' to each master in turn until we get an answer or we
+ * have exhausted the list of masters. 'callback' will be called with
+ * ISC_R_SUCCESS if we get an answer and the returned message will be
+ * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
+ * will be passed and answer_message will be NULL.  The callback function
+ * is responsible for destroying 'answer_message'.
+ *		(callback)(callback_arg, result, answer_message);
+ *
+ * Require:
+ *\li	'zone' to be valid
+ *\li	'msg' to be valid.
+ *\li	'callback' to be non NULL.
+ * Returns:
+ *\li	#ISC_R_SUCCESS if the message has been forwarded,
+ *\li	#ISC_R_NOMEMORY
+ *\li	Others
+ */
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
+/*%<
+ * Find the next zone in the list of managed zones.
+ *
+ * Requires:
+ *\li	'zone' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
+ *	by the caller.  This is not checked.
+ *\li	'next' be non-NULL, and '*next' be NULL.
+ *
+ * Ensures:
+ *\li	'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *	(result ISC_R_NOMORE).
+ */
+
+
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
+/*%<
+ * Find the first zone in the list of managed zones.
+ *
+ * Requires:
+ *\li	'zonemgr' to be valid
+ *\li	The zone manager for the indicated zone MUST be locked
+ *	by the caller.  This is not checked.
+ *\li	'first' be non-NULL, and '*first' be NULL
+ *
+ * Ensures:
+ *\li	'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ *	(result ISC_R_NOMORE).
+ */
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
+/*%<
+ *	Sets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone);
+/*%<
+ * 	Gets the name of the directory where private keys used for
+ *	online signing of dynamic zones are found.
+ *
+ * Requires:
+ *\li	'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *	Pointer to null-terminated file name, or NULL.
+ */
+
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		   dns_zonemgr_t **zmgrp);
+/*%<
+ * Create a zone manager.  Note: the zone manager will not be able to
+ * manage any zones until dns_zonemgr_setsize() has been run.
+ *
+ * Requires:
+ *\li	'mctx' to be a valid memory context.
+ *\li	'taskmgr' to be a valid task manager.
+ *\li	'timermgr' to be a valid timer manager.
+ *\li	'zmgrp'	to point to a NULL pointer.
+ */
+
+isc_result_t
+dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones);
+/*%<
+ *	Set the size of the zone manager task pool.  This must be run
+ *	before zmgr can be used for managing zones.  Currently, it can only
+ *	be run once; the task pool cannot be resized.
+ *
+ * Requires:
+ *\li	zmgr is a valid zone manager.
+ *\li	zmgr->zonetasks has been initialized.
+ */
+
+isc_result_t
+dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep);
+/*%<
+ *	Allocate a new zone using a memory context from the
+ *	zone manager's memory context pool.
+ *
+ * Require:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zonep' != NULL and '*zonep' == NULL.
+ */
+
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*%<
+ *	Bring the zone under control of a zone manager.
+ *
+ * Require:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
+/*%<
+ * Force zone maintenance of all loaded zones managed by 'zmgr'
+ * to take place at the system's earliest convenience.
+ */
+
+void
+dns__zonemgr_run(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Event handler to call dns_zonemgr_forcemaint(); used to start
+ * zone operations from a unit test.  Not intended for use outside
+ * libdns or related tests.
+ */
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
+/*%<
+ * Attempt to start any stalled zone transfers.
+ */
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
+/*%<
+ *	Shut down the zone manager.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
+/*%<
+ *	Attach '*target' to 'source' incrementing its external
+ * 	reference count.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
+/*%<
+ *	 Detach from a zone manager.
+ *
+ * Requires:
+ *\li	'*zmgrp' is a valid, non-NULL zone manager pointer.
+ *
+ * Ensures:
+ *\li	'*zmgrp' is NULL.
+ */
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*%<
+ *	Release 'zone' from the managed by 'zmgr'.  'zmgr' is implicitly
+ *	detached from 'zone'.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'zone' to be a valid zone.
+ *\li	'zmgr' == 'zone->zmgr'
+ *
+ * Ensures:
+ *\li	'zone->zmgr' == NULL;
+ */
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value);
+/*%<
+ *	Set the maximum number of simultaneous transfers in allowed by
+ *	the zone manager.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the maximum number of simultaneous transfers in allowed.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value);
+/*%<
+ *	Set the number of zone transfers allowed per nameserver.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of transfers allowed per nameserver.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, uint32_t iolimit);
+/*%<
+ *	Set the number of simultaneous file descriptors available for
+ *	reading and writing masterfiles.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'iolimit' to be positive.
+ */
+
+uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
+/*%<
+ *	Get the number of simultaneous file descriptors available for
+ *	reading and writing masterfiles.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+void
+dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of startup NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*%<
+ *	Set the number of SOA queries sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager
+ */
+
+unsigned int
+dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of startup NOTIFY requests sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
+/*%<
+ *	Return the number of SOA queries sent per second.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
+/*%<
+ *	Returns the number of zones in the specified state.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'state' to be a valid DNS_ZONESTATE_ constant.
+ */
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ *	Add the pair of addresses to the unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ */
+
+bool
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ *	Returns true if the given local/remote address pair
+ *	is found in the zone maanger's unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ *\li	'now' != NULL
+ */
+
+void
+dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local);
+/*%<
+ *	Remove the pair of addresses from the unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ */
+
+void
+dns_zone_forcereload(dns_zone_t *zone);
+/*%<
+ *      Force a reload of specified zone.
+ *
+ * Requires:
+ *\li      'zone' to be a valid zone.
+ */
+
+bool
+dns_zone_isforced(dns_zone_t *zone);
+/*%<
+ *      Check if the zone is waiting a forced reload.
+ *
+ * Requires:
+ * \li     'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, bool on);
+/*%<
+ * This function is obsoleted by dns_zone_setrequeststats().
+ */
+
+uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone);
+/*%<
+ * This function is obsoleted by dns_zone_getrequeststats().
+ */
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats);
+/*%<
+ * Set a general zone-maintenance statistics set 'stats' for 'zone'.  This
+ * function is expected to be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone and does not have a statistics set already
+ *	installed.
+ *
+ *\li	stats is a valid statistics supporting zone statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats);
+
+void
+dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats);
+/*%<
+ * Set additional statistics sets to zone.  These are attached to the zone
+ * but are not counted in the zone module; only the caller updates the
+ * counters.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ *\li	stats is a valid statistics.
+ */
+
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone);
+
+dns_stats_t *
+dns_zone_getrcvquerystats(dns_zone_t *zone);
+/*%<
+ * Get the additional statistics for zone, if one is installed.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ * Returns:
+ * \li	when available, a pointer to the statistics set installed in zone;
+ *	otherwise NULL.
+ */
+
+void
+dns_zone_dialup(dns_zone_t *zone);
+/*%<
+ * Perform dialup-time maintenance on 'zone'.
+ */
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
+/*%<
+ * Set the dialup type of 'zone' to 'dialup'.
+ *
+ * Requires:
+ * \li	'zone' to be valid initialised zone.
+ *\li	'dialup' to be a valid dialup type.
+ */
+
+void
+dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *prefix, const char *msg, va_list ap);
+/*%<
+ * Log the message 'msg...' at 'level' using log category 'category', including
+ * text that identifies the message as applying to 'zone'.  If the (optional)
+ * 'prefix' is not NULL, it will be placed at the start of the entire log line.
+ */
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*%<
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+/*%<
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
+/*%<
+ * Return the name of the zone with class and view.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'buf' to be non NULL.
+ */
+
+void
+dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t len);
+/*%<
+ * Return the name of the zone only.
+ *
+ * Requires:
+ *\li	'zone' to be valid.
+ *\li	'buf' to be non NULL.
+ */
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
+/*%<
+ * Check if this record meets the check-names policy.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ *	'name' to be valid.
+ *	'rdata' to be valid.
+ *
+ * Returns:
+ *	DNS_R_SUCCESS		passed checks.
+ *	DNS_R_BADOWNERNAME	failed ownername checks.
+ *	DNS_R_BADNAME		failed rdata checks.
+ */
+
+void
+dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache);
+/*%<
+ *	Associate the zone with an additional cache.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ *	'acache' to be a non NULL pointer.
+ *
+ * Ensures:
+ *	'zone' will have a reference to 'acache'
+ */
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
+/*%<
+ *	Set the post load integrity callback function 'checkmx'.
+ *	'checkmx' will be called if the MX TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
+/*%<
+ *	Set the post load integrity callback function 'checksrv'.
+ *	'checksrv' will be called if the SRV TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
+/*%<
+ *	Set the post load integrity callback function 'checkns'.
+ *	'checkns' will be called if the NS TARGET is not within the zone.
+ *
+ * Require:
+ *	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay);
+/*%<
+ * Set the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone);
+/*%<
+ * Get the minimum delay between sets of notify messages.
+ *
+ * Requires:
+ *	'zone' to be valid.
+ */
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
+/*%<
+ * Set the isself callback function and argument.
+ *
+ * bool
+ * isself(dns_view_t *myview, dns_tsigkey_t *mykey, isc_netaddr_t *srcaddr,
+ *	  isc_netaddr_t *destaddr, dns_rdataclass_t rdclass, void *arg);
+ *
+ * 'isself' returns true if a non-recursive query from 'srcaddr' to
+ * 'destaddr' with optional key 'mykey' for class 'rdclass' would be
+ * delivered to 'myview'.
+ */
+
+void
+dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes);
+/*%<
+ * Set the number of nodes that will be checked per quantum.
+ */
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures);
+/*%<
+ * Set the number of signatures that will be generated per quantum.
+ */
+
+uint32_t
+dns_zone_getsignatures(dns_zone_t *zone);
+/*%<
+ * Get the number of signatures that will be generated per quantum.
+ */
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+		     uint16_t keyid, bool deleteit);
+/*%<
+ * Initiate/resume signing of the entire zone with the zone DNSKEY(s)
+ * that match the given algorithm and keyid.
+ */
+
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param);
+/*%<
+ * Incrementally add a NSEC3 chain that corresponds to 'nsec3param'.
+ */
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone);
+/*
+ * Get/Set the private record type.  It is expected that these interfaces
+ * will not be permanent.
+ */
+
+void
+dns_zone_rekey(dns_zone_t *zone, bool fullsign);
+/*%<
+ * Update the zone's DNSKEY set from the key repository.
+ *
+ * If 'fullsign' is true, trigger an immediate full signing of
+ * the zone with the new key.  Otherwise, if there are no keys or
+ * if the new keys are for algorithms that have already signed the
+ * zone, then the zone can be re-signed incrementally.
+ */
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		 unsigned int *errors);
+/*%
+ * Check if the name servers for the zone are sane (have address, don't
+ * refer to CNAMEs/DNAMEs.  The number of constiancy errors detected in
+ * returned in '*errors'
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ * \li	'db' to be valid.
+ * \li	'version' to be valid or NULL.
+ * \li	'errors' to be non NULL.
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS if there were no errors examining the zone contents.
+ */
+
+isc_result_t
+dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version);
+/*%
+ * Check if CSD, CDNSKEY and DNSKEY are consistent.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ * \li	'db' to be valid.
+ * \li	'version' to be valid or NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#DNS_R_BADCDS
+ *\li	#DNS_R_BADCDNSKEY
+ *	Others
+ */
+
+void
+dns_zone_setadded(dns_zone_t *zone, bool added);
+/*%
+ * Sets the value of zone->added, which should be true for
+ * zones that were originally added by "rndc addzone".
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getadded(dns_zone_t *zone);
+/*%
+ * Returns true if the zone was originally added at runtime
+ * using "rndc addzone".
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setautomatic(dns_zone_t *zone, bool automatic);
+/*%
+ * Sets the value of zone->automatic, which should be true for
+ * zones that were automatically added by named.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getautomatic(dns_zone_t *zone);
+/*%
+ * Returns true if the zone was added automatically by named.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * Load the origin names for a writeable DLZ database.
+ */
+
+bool
+dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze);
+/*%
+ * Return true iff the zone is "dynamic", in the sense that the zone's
+ * master file (if any) is written by the server, rather than being
+ * updated manually and read by the server.
+ *
+ * This is true for slave zones, stub zones, key zones, and zones that
+ * allow dynamic updates either by having an update policy ("ssutable")
+ * or an "allow-update" ACL with a value other than exactly "{ none; }".
+ *
+ * If 'ignore_freeze' is true, then the zone which has had updates disabled
+ * will still report itself to be dynamic.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval);
+/*%
+ * Sets the frequency, in minutes, with which the key repository will be
+ * checked to see if the keys for this zone have been updated.  Any value
+ * higher than 1440 minutes (24 hours) will be silently reduced.  A
+ * value of zero will return an out-of-range error.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+bool
+dns_zone_getrequestexpire(dns_zone_t *zone);
+/*%
+ * Returns the true/false value of the request-expire option in the zone.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrequestexpire(dns_zone_t *zone, bool flag);
+/*%
+ * Sets the request-expire option for the zone. Either true or false. The
+ * default value is determined by the setting of this option in the view.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+
+bool
+dns_zone_getrequestixfr(dns_zone_t *zone);
+/*%
+ * Returns the true/false value of the request-ixfr option in the zone.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrequestixfr(dns_zone_t *zone, bool flag);
+/*%
+ * Sets the request-ixfr option for the zone. Either true or false. The
+ * default value is determined by the setting of this option in the view.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method);
+/*%
+ * Sets the update method to use when incrementing the zone serial number
+ * due to a DDNS update.  Valid options are dns_updatemethod_increment
+ * and dns_updatemethod_unixtime.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+dns_updatemethod_t
+dns_zone_getserialupdatemethod(dns_zone_t *zone);
+/*%
+ * Returns the update method to be used when incrementing the zone serial
+ * number due to a DDNS update.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+isc_result_t
+dns_zone_link(dns_zone_t *zone, dns_zone_t *raw);
+
+void
+dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw);
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *data);
+
+isc_result_t
+dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+		       uint16_t iter, uint8_t saltlen,
+		       unsigned char *salt, bool replace);
+/*%
+ * Set the NSEC3 parameters for the zone.
+ *
+ * If 'replace' is true, then the existing NSEC3 chain, if any, will
+ * be replaced with the new one.  If 'hash' is zero, then the replacement
+ * chain will be NSEC rather than NSEC3.
+ *
+ * Requires:
+ * \li	'zone' to be valid.
+ */
+
+void
+dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header);
+/*%
+ * Set the data to be included in the header when the zone is dumped in
+ * binary format.
+ */
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone);
+/*%
+ * Force the managed key zone to synchronize, and start the key
+ * maintenance timer.
+ */
+
+isc_result_t
+dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime);
+/*%
+ * Return the time when the zone was last loaded.
+ */
+
+isc_result_t
+dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime);
+/*%
+ * Return the time when the (slave) zone will need to be refreshed.
+ */
+
+isc_result_t
+dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime);
+/*%
+ * Return the time when the (slave) zone will expire.
+ */
+
+isc_result_t
+dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime);
+/*%
+ * Return the time of the next scheduled DNSSEC key event.
+ */
+
+unsigned int
+dns_zone_getincludes(dns_zone_t *zone, char ***includesp);
+/*%
+ * Return the number include files that were encountered
+ * during load.  If the number is greater than zero, 'includesp'
+ * will point to an array containing the filenames.
+ *
+ * The array and its contents need to be freed using isc_mem_free.
+ */
+
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
+		    dns_rpz_num_t rpz_num);
+/*%
+ * Set the response policy associated with a zone.
+ */
+
+void
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%
+ * If a zone is a response policy zone, mark its new database.
+ */
+
+dns_rpz_num_t
+dns_zone_get_rpz_num(dns_zone_t *zone);
+
+void
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
+/*%<
+ * Enable zone as catalog zone.
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'catzs' is not NULL
+ * \li	prior to calling, zone->catzs is NULL or is equal to 'catzs'
+ */
+
+void
+dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db);
+/*%<
+ * If 'zone' is a catalog zone, then set up a notify-on-update trigger
+ * in its database. (If not a catalog zone, this function has no effect.)
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'db' is not NULL
+ */
+void
+dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz);
+/*%<
+ * Set parent catalog zone for this zone
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ * \li	'catz' is not NULL
+ */
+
+dns_catz_zone_t *
+dns_zone_get_parentcatz(const dns_zone_t *zone);
+/*%<
+ * Get parent catalog zone for this zone
+ *
+ * Requires:
+ *
+ * \li	'zone' is a valid zone object
+ */
+
+
+void
+dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level);
+
+dns_zonestat_level_t
+dns_zone_getstatlevel(dns_zone_t *zone);
+/*%
+ * Set and get the statistics reporting level for the zone;
+ * full, terse, or none.
+ */
+
+isc_result_t
+dns_zone_setserial(dns_zone_t *zone, uint32_t serial);
+/*%
+ * Set the zone's serial to 'serial'.
+ */
+ISC_LANG_ENDDECLS
+
+
+#endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
new file mode 100644
index 0000000..01a0369
--- /dev/null
+++ b/lib/dns/include/dns/zonekey.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ZONEKEY_H
+#define DNS_ZONEKEY_H 1
+
+/*! \file dns/zonekey.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+bool
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
+/*%<
+ *	Determines if the key record contained in the rdata is a zone key.
+ *
+ *	Requires:
+ *		'keyrdata' is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONEKEY_H */
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
new file mode 100644
index 0000000..84ca8ea
--- /dev/null
+++ b/lib/dns/include/dns/zt.h
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_ZT_H
+#define DNS_ZT_H 1
+
+/*! \file dns/zt.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_ZTFIND_NOEXACT		0x01
+
+ISC_LANG_BEGINDECLS
+
+typedef isc_result_t
+(*dns_zt_allloaded_t)(void *arg);
+/*%<
+ * Method prototype: when all pending zone loads are complete,
+ * the zone table can inform the caller via a callback function with
+ * this signature.
+ */
+
+typedef isc_result_t
+(*dns_zt_zoneloaded_t)(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task);
+/*%<
+ * Method prototype: when a zone finishes loading, the zt object
+ * can be informed via a callback function with this signature.
+ */
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
+/*%<
+ * Creates a new zone table.
+ *
+ * Requires:
+ * \li	'mctx' to be initialized.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS on success.
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
+/*%<
+ * Mounts the zone on the zone table.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'zone' to be valid
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_EXISTS
+ * \li	#ISC_R_NOSPACE
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
+/*%<
+ * Unmount the given zone from the table.
+ *
+ * Requires:
+ * 	'zt' to be valid
+ * \li	'zone' to be valid
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zone);
+/*%<
+ * Find the best match for 'name' in 'zt'.  If foundname is non NULL
+ * then the name of the zone found is returned.
+ *
+ * Notes:
+ * \li	If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
+ *	to 'name' will be returned.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'name' to be valid
+ * \li	'foundname' to be initialized and associated with a fixedname or NULL
+ * \li	'zone' to be non NULL and '*zone' to be NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#DNS_R_PARTIALMATCH
+ * \li	#ISC_R_NOTFOUND
+ * \li	#ISC_R_NOSPACE
+ */
+
+void
+dns_zt_detach(dns_zt_t **ztp);
+/*%<
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be freed.  In either case 'ztp' is set to NULL.
+ *
+ * Requires:
+ * \li	'*ztp' to be valid
+ */
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp);
+/*%<
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be flushed and then freed.  In either case 'ztp' is
+ * set to NULL.
+ *
+ * Requires:
+ * \li	'*ztp' to be valid
+ */
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
+/*%<
+ * Attach 'zt' to '*ztp'.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ * \li	'*ztp' to be NULL
+ */
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, bool stop);
+
+isc_result_t
+dns_zt_loadnew(dns_zt_t *zt, bool stop);
+
+isc_result_t
+dns_zt_asyncload(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg);
+
+isc_result_t
+dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+		  bool newonly);
+/*%<
+ * Load all zones in the table.  If 'stop' is true,
+ * stop on the first error and return it.  If 'stop'
+ * is false, ignore errors.
+ *
+ * dns_zt_loadnew() only loads zones that are not yet loaded.
+ * dns_zt_load() also loads zones that are already loaded and
+ * and whose master file has changed since the last load.
+ * dns_zt_asyncload() loads zones asynchronously; when all
+ * zones in the zone table have finished loaded (or failed due
+ * to errors), the caller is informed by calling 'alldone'
+ * with an argument of 'arg'.
+ *
+ * Requires:
+ * \li	'zt' to be valid
+ */
+
+isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, bool freeze);
+/*%<
+ * Freeze/thaw updates to master zones.
+ * Any pending updates will be flushed.
+ * Zones will be reloaded on thaw.
+ */
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, bool stop,
+	     isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+
+isc_result_t
+dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+	      isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+/*%<
+ * Apply a given 'action' to all zone zones in the table.
+ * If 'stop' is 'true' then walking the zone tree will stop if
+ * 'action' does not return ISC_R_SUCCESS.
+ *
+ * Requires:
+ * \li	'zt' to be valid.
+ * \li	'action' to be non NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS if action was applied to all nodes.  If 'stop' is
+ *	false and 'sub' is non NULL then the first error (if any)
+ *	reported by 'action' is returned in '*sub';
+ *	any error code from 'action'.
+ */
+
+bool
+dns_zt_loadspending(dns_zt_t *zt);
+/*%<
+ * Returns true if and only if there are zones still waiting to
+ * be loaded in zone table 'zt'.
+ *
+ * Requires:
+ * \li	'zt' to be valid.
+ */
+
+void
+dns_zt_setviewcommit(dns_zt_t *zt);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZT_H */
diff --git a/lib/dns/include/dst/Makefile.in b/lib/dns/include/dst/Makefile.in
new file mode 100644
index 0000000..04727f7
--- /dev/null
+++ b/lib/dns/include/dst/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	dst.h gssapi.h lib.h result.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dst
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/dst/$$i || exit 1; \
+	done
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
new file mode 100644
index 0000000..1924e74
--- /dev/null
+++ b/lib/dns/include/dst/dst.h
@@ -0,0 +1,995 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DST_DST_H
+#define DST_DST_H 1
+
+/*! \file dst/dst.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/secalg.h>
+#include <dns/ds.h>
+#include <dns/dsdigest.h>
+
+#include <dst/gssapi.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * The dst_key structure is opaque.  Applications should use the accessor
+ * functions provided to retrieve key attributes.  If an application needs
+ * to set attributes, new accessor functions will be written.
+ */
+
+typedef struct dst_key		dst_key_t;
+typedef struct dst_context 	dst_context_t;
+
+/* DST algorithm codes */
+#define DST_ALG_UNKNOWN		0
+#define DST_ALG_RSAMD5		1
+#define DST_ALG_RSA		DST_ALG_RSAMD5	/*%< backwards compatibility */
+#define DST_ALG_DH		2
+#define DST_ALG_DSA		3
+#define DST_ALG_ECC		4
+#define DST_ALG_RSASHA1		5
+#define DST_ALG_NSEC3DSA	6
+#define DST_ALG_NSEC3RSASHA1	7
+#define DST_ALG_RSASHA256	8
+#define DST_ALG_RSASHA512	10
+#define DST_ALG_ECCGOST		12
+#define DST_ALG_ECDSA256	13
+#define DST_ALG_ECDSA384	14
+#define DST_ALG_ED25519		15
+#define DST_ALG_ED448		16
+#define DST_ALG_HMACMD5		157
+#define DST_ALG_GSSAPI		160
+#define DST_ALG_HMACSHA1	161	/* XXXMPA */
+#define DST_ALG_HMACSHA224	162	/* XXXMPA */
+#define DST_ALG_HMACSHA256	163	/* XXXMPA */
+#define DST_ALG_HMACSHA384	164	/* XXXMPA */
+#define DST_ALG_HMACSHA512	165	/* XXXMPA */
+#define DST_ALG_INDIRECT	252
+#define DST_ALG_PRIVATE		254
+#define DST_MAX_ALGS		256
+
+/*% A buffer of this size is large enough to hold any key */
+#define DST_KEY_MAXSIZE		1280
+
+/*%
+ * A buffer of this size is large enough to hold the textual representation
+ * of any key
+ */
+#define DST_KEY_MAXTEXTSIZE	2048
+
+/*% 'Type' for dst_read_key() */
+#define DST_TYPE_KEY		0x1000000	/* KEY key */
+#define DST_TYPE_PRIVATE	0x2000000
+#define DST_TYPE_PUBLIC		0x4000000
+
+/* Key timing metadata definitions */
+#define DST_TIME_CREATED	0
+#define DST_TIME_PUBLISH	1
+#define DST_TIME_ACTIVATE	2
+#define DST_TIME_REVOKE 	3
+#define DST_TIME_INACTIVE	4
+#define DST_TIME_DELETE 	5
+#define DST_TIME_DSPUBLISH 	6
+#define DST_TIME_SYNCPUBLISH 	7
+#define DST_TIME_SYNCDELETE 	8
+#define DST_MAX_TIMES		8
+
+/* Numeric metadata definitions */
+#define DST_NUM_PREDECESSOR	0
+#define DST_NUM_SUCCESSOR	1
+#define DST_NUM_MAXTTL		2
+#define DST_NUM_ROLLPERIOD	3
+#define DST_MAX_NUMERIC		3
+
+/*
+ * Current format version number of the private key parser.
+ *
+ * When parsing a key file with the same major number but a higher minor
+ * number, the key parser will ignore any fields it does not recognize.
+ * Thus, DST_MINOR_VERSION should be incremented whenever new
+ * fields are added to the private key file (such as new metadata).
+ *
+ * When rewriting these keys, those fields will be dropped, and the
+ * format version set back to the current one..
+ *
+ * When a key is seen with a higher major number, the key parser will
+ * reject it as invalid.  Thus, DST_MAJOR_VERSION should be incremented
+ * and DST_MINOR_VERSION set to zero whenever there is a format change
+ * which is not backward compatible to previous versions of the dst_key
+ * parser, such as change in the syntax of an existing field, the removal
+ * of a currently mandatory field, or a new field added which would
+ * alter the functioning of the key if it were absent.
+ */
+#define DST_MAJOR_VERSION	1
+#define DST_MINOR_VERSION	3
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags);
+/*%<
+ * Initializes the DST subsystem.
+ *
+ * Requires:
+ * \li 	"mctx" is a valid memory context
+ * \li	"ectx" is a valid entropy context
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	DST_R_NOENGINE
+ *
+ * Ensures:
+ * \li	DST is properly initialized.
+ */
+
+void
+dst_lib_destroy(void);
+/*%<
+ * Releases all resources allocated by DST.
+ */
+
+bool
+dst_algorithm_supported(unsigned int alg);
+/*%<
+ * Checks that a given algorithm is supported by DST.
+ *
+ * Returns:
+ * \li	true
+ * \li	false
+ */
+
+bool
+dst_ds_digest_supported(unsigned int digest_type);
+/*%<
+ * Checks that a given digest algorithm is supported by DST.
+ *
+ * Returns:
+ * \li	true
+ * \li	false
+ */
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create3(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, bool useforsigning,
+		    dst_context_t **dctxp);
+
+isc_result_t
+dst_context_create4(dst_key_t *key, isc_mem_t *mctx,
+		    isc_logcategory_t *category, bool useforsigning,
+		    int maxbits, dst_context_t **dctxp);
+/*%<
+ * Creates a context to be used for a sign or verify operation.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"mctx" is a valid memory context.
+ * \li	dctxp != NULL && *dctxp == NULL
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ *
+ * Ensures:
+ * \li	*dctxp will contain a usable context.
+ */
+
+void
+dst_context_destroy(dst_context_t **dctxp);
+/*%<
+ * Destroys all memory associated with a context.
+ *
+ * Requires:
+ * \li	*dctxp != NULL && *dctxp == NULL
+ *
+ * Ensures:
+ * \li	*dctxp == NULL
+ */
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
+/*%<
+ * Incrementally adds data to the context to be used in a sign or verify
+ * operation.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context
+ * \li	"data" is a valid region
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_SIGNFAILURE
+ * \li	all other errors indicate failure
+ */
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
+/*%<
+ * Computes a signature using the data and key stored in the context.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid buffer.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_VERIFYFAILURE
+ * \li	all other errors indicate failure
+ *
+ * Ensures:
+ * \li	"sig" will contain the signature
+ */
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
+
+isc_result_t
+dst_context_verify2(dst_context_t *dctx, unsigned int maxbits,
+		    isc_region_t *sig);
+/*%<
+ * Verifies the signature using the data and key stored in the context.
+ *
+ * 'maxbits' specifies the maximum number of bits permitted in the RSA
+ * exponent.
+ *
+ * Requires:
+ * \li	"dctx" is a valid context.
+ * \li	"sig" is a valid region.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	all other errors indicate failure
+ *
+ * Ensures:
+ * \li	"sig" will contain the signature
+ */
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		      isc_buffer_t *secret);
+/*%<
+ * Computes a shared secret from two (Diffie-Hellman) keys.
+ *
+ * Requires:
+ * \li	"pub" is a valid key that can be used to derive a shared secret
+ * \li	"priv" is a valid private key that can be used to derive a shared secret
+ * \li	"secret" is a valid buffer
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, secret will contain the derived shared secret.
+ */
+
+isc_result_t
+dst_key_getfilename(dns_name_t *name, dns_keytag_t id, unsigned int alg,
+		    int type, const char *directory,
+		    isc_mem_t *mctx, isc_buffer_t *buf);
+/*%<
+ * Generates a key filename for the name, algorithm, and
+ * id, and places it in the buffer 'buf'. If directory is NULL, the
+ * current directory is assumed.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"id" is a valid key tag identifier.
+ * \li	"alg" is a supported key algorithm.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context.
+ * \li	"buf" is not NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ */
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
+		 const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a key from permanent storage.  The key can either be a public or
+ * private key, and is specified by name, algorithm, and id.  If a private key
+ * is specified, the public key must also be present.  If directory is NULL,
+ * the current directory is assumed.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"id" is a valid key tag identifier.
+ * \li	"alg" is a supported key algorithm.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, const char *dirname,
+		      int type, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a key from permanent storage.  The key can either be a public or
+ * key, and is specified by filename.  If a private key is specified, the
+ * public key must also be present.
+ *
+ * If 'dirname' is not NULL, and 'filename' is a relative path,
+ * then the file is looked up relative to the given directory.
+ * If 'filename' is an absolute path, 'dirname' is ignored.
+ *
+ * Requires:
+ * \li	"filename" is not NULL
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ *		  DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+
+isc_result_t
+dst_key_read_public(const char *filename, int type,
+		    isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Reads a public key from permanent storage.  The key must be a public key.
+ *
+ * Requires:
+ * \li	"filename" is not NULL
+ * \li	"type" is DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * \li	"mctx" is a valid memory context
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	DST_R_BADKEYTYPE if the key type is not the expected one
+ * \li	ISC_R_UNEXPECTEDTOKEN if the file can not be parsed as a public key
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory);
+/*%<
+ * Writes a key to permanent storage.  The key can either be a public or
+ * private key.  Public keys are written in DNS format and private keys
+ * are written as a set of base64 encoded values.  If directory is NULL,
+ * the current directory is assumed.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ */
+
+isc_result_t
+dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
+		isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Converts a DNS KEY record into a DST key.
+ *
+ * Requires:
+ * \li	"name" is a valid absolute dns name.
+ * \li	"source" is a valid buffer.  There must be at least 4 bytes available.
+ * \li	"mctx" is a valid memory context.
+ * \li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, *keyp will contain a valid key, and the consumed
+ *	pointer in data will be advanced.
+ */
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
+/*%<
+ * Converts a DST key into a DNS KEY record.
+ *
+ * Requires:
+ * \li	"key" is a valid key.
+ * \li	"target" is a valid buffer.  There must be at least 4 bytes unused.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ * \li	If successful, the used pointer in 'target' is advanced by at least 4.
+ */
+
+isc_result_t
+dst_key_frombuffer(dns_name_t *name, unsigned int alg,
+		   unsigned int flags, unsigned int protocol,
+		   dns_rdataclass_t rdclass,
+		   isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*%<
+ * Converts a buffer containing DNS KEY RDATA into a DST key.
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"alg" is a supported key algorithm.
+ *\li	"source" is a valid buffer.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key, and the consumed
+ *	pointer in source will be advanced.
+ */
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
+/*%<
+ * Converts a DST key into DNS KEY RDATA format.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"target" is a valid buffer.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, the used pointer in 'target' is advanced.
+ */
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
+/*%<
+ * Converts a public key into a private key, reading the private key
+ * information from the buffer.  The buffer should contain the same data
+ * as the .private key file would.
+ *
+ * Requires:
+ *\li	"key" is a valid public key.
+ *\li	"buffer" is not NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, key will contain a valid private key.
+ */
+
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key);
+/*%<
+ * Returns the opaque key data.
+ * Be cautions when using this value unless you know what you are doing.
+ *
+ * Requires:
+ *\li	"key" is not NULL.
+ *
+ * Returns:
+ *\li	gssctx key data, possibly NULL.
+ */
+
+isc_result_t
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
+		   dst_key_t **keyp, isc_region_t *intoken);
+/*%<
+ * Converts a GSSAPI opaque context id into a DST key.
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"gssctx" is a GSSAPI context id.
+ *\li	"mctx" is a valid memory context.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key and be responsible for
+ *	the context id.
+ */
+
+#ifdef DST_KEY_INTERNAL
+isc_result_t
+dst_key_buildinternal(dns_name_t *name, unsigned int alg,
+		      unsigned int bits, unsigned int flags,
+		      unsigned int protocol, dns_rdataclass_t rdclass,
+		      void *data, isc_mem_t *mctx, dst_key_t **keyp);
+#endif
+
+isc_result_t
+dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
+dst_key_generate(dns_name_t *name, unsigned int alg,
+		 unsigned int bits, unsigned int param,
+		 unsigned int flags, unsigned int protocol,
+		 dns_rdataclass_t rdclass,
+		 isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
+dst_key_generate2(dns_name_t *name, unsigned int alg,
+		  unsigned int bits, unsigned int param,
+		  unsigned int flags, unsigned int protocol,
+		  dns_rdataclass_t rdclass,
+		  isc_mem_t *mctx, dst_key_t **keyp,
+		  void (*callback)(int));
+
+/*%<
+ * Generate a DST key (or keypair) with the supplied parameters.  The
+ * interpretation of the "param" field depends on the algorithm:
+ * \code
+ * 	RSA:	exponent
+ * 		0	use exponent 3
+ * 		!0	use Fermat4 (2^16 + 1)
+ * 	DH:	generator
+ * 		0	default - use well known prime if bits == 768 or 1024,
+ * 			otherwise use 2 as the generator.
+ * 		!0	use this value as the generator.
+ * 	DSA:	unused
+ * 	HMACMD5: entropy
+ *		0	default - require good entropy
+ *		!0	lack of good entropy is ok
+ *\endcode
+ *
+ * Requires:
+ *\li	"name" is a valid absolute dns name.
+ *\li	"keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ *\li 	ISC_R_SUCCESS
+ * \li	any other result indicates failure
+ *
+ * Ensures:
+ *\li	If successful, *keyp will contain a valid key.
+ */
+
+bool
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
+/*%<
+ * Compares two DST keys.  Returns true if they match, false otherwise.
+ *
+ * Keys ARE NOT considered to match if one of them is the revoked version
+ * of the other.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+bool
+dst_key_pubcompare(const dst_key_t *key1, const dst_key_t *key2,
+		   bool match_revoked_key);
+/*%<
+ * Compares only the public portions of two DST keys.  Returns true
+ * if they match, false otherwise.  This allows us, for example, to
+ * determine whether a public key found in a zone matches up with a
+ * key pair found on disk.
+ *
+ * If match_revoked_key is TRUE, then keys ARE considered to match if one
+ * of them is the revoked version of the other. Otherwise, they are not.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+bool
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
+/*%<
+ * Compares the parameters of two DST keys.  This is used to determine if
+ * two (Diffie-Hellman) keys can be used to derive a shared secret.
+ *
+ * Requires:
+ *\li	"key1" is a valid key.
+ *\li	"key2" is a valid key.
+ *
+ * Returns:
+ *\li 	true
+ * \li	false
+ */
+
+void
+dst_key_attach(dst_key_t *source, dst_key_t **target);
+/*
+ * Attach to a existing key increasing the reference count.
+ *
+ * Requires:
+ *\li 'source' to be a valid key.
+ *\li 'target' to be non-NULL and '*target' to be NULL.
+ */
+
+void
+dst_key_free(dst_key_t **keyp);
+/*%<
+ * Decrement the key's reference counter and, when it reaches zero,
+ * release all memory associated with the key.
+ *
+ * Requires:
+ *\li	"keyp" is not NULL and "*keyp" is a valid key.
+ *\li	reference counter greater than zero.
+ *
+ * Ensures:
+ *\li	All memory associated with "*keyp" will be freed.
+ *\li	*keyp == NULL
+ */
+
+/*%<
+ * Accessor functions to obtain key fields.
+ *
+ * Require:
+ *\li	"key" is a valid key.
+ */
+dns_name_t *
+dst_key_name(const dst_key_t *key);
+
+unsigned int
+dst_key_size(const dst_key_t *key);
+
+unsigned int
+dst_key_proto(const dst_key_t *key);
+
+unsigned int
+dst_key_alg(const dst_key_t *key);
+
+uint32_t
+dst_key_flags(const dst_key_t *key);
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key);
+
+dns_keytag_t
+dst_key_rid(const dst_key_t *key);
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key);
+
+bool
+dst_key_isprivate(const dst_key_t *key);
+
+bool
+dst_key_iszonekey(const dst_key_t *key);
+
+bool
+dst_key_isnullkey(const dst_key_t *key);
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type,
+		      const char *directory, isc_buffer_t *out);
+/*%<
+ * Generates the filename used by dst to store the specified key.
+ * If directory is NULL, the current directory is assumed.
+ *
+ * Requires:
+ *\li	"key" is a valid key
+ *\li	"type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
+ *\li	"out" is a valid buffer
+ *
+ * Ensures:
+ *\li	the file name will be written to "out", and the used pointer will
+ *		be advanced.
+ */
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n);
+/*%<
+ * Computes the size of a signature generated by the given key.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ *\li	"n" stores the size of a generated signature
+ */
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n);
+/*%<
+ * Computes the size of a shared secret generated by the given key.
+ *
+ * Requires:
+ *\li	"key" is a valid key.
+ *\li	"n" is not NULL
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ *\li	"n" stores the size of a generated shared secret
+ */
+
+uint16_t
+dst_region_computeid(const isc_region_t *source, unsigned int alg);
+uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg);
+/*%<
+ * Computes the (revoked) key id of the key stored in the provided
+ * region with the given algorithm.
+ *
+ * Requires:
+ *\li	"source" contains a valid, non-NULL region.
+ *
+ * Returns:
+ *\li 	the key id
+ */
+
+uint16_t
+dst_key_getbits(const dst_key_t *key);
+/*%<
+ * Get the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+void
+dst_key_setbits(dst_key_t *key, uint16_t bits);
+/*%<
+ * Set the number of digest bits required (0 == MAX).
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl);
+/*%<
+ * Set the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key);
+/*%<
+ * Get the default TTL to use when converting the key
+ * to a KEY or DNSKEY RR.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+isc_result_t
+dst_key_setflags(dst_key_t *key, uint32_t flags);
+/*
+ * Set the key flags, and recompute the key ID.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, uint32_t *valuep);
+/*%<
+ * Get a member of the numeric metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ *	"timep" is not null.
+ */
+
+void
+dst_key_setnum(dst_key_t *key, int type, uint32_t value);
+/*%<
+ * Set a member of the numeric metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+void
+dst_key_unsetnum(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the numeric metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+isc_result_t
+dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
+/*%<
+ * Get a member of the timing metadata array and place it in '*timep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ *	"timep" is not null.
+ */
+
+void
+dst_key_settime(dst_key_t *key, int type, isc_stdtime_t when);
+/*%<
+ * Set a member of the timing metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ */
+
+void
+dst_key_unsettime(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the timing metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_TIMES
+ */
+
+isc_result_t
+dst_key_getprivateformat(const dst_key_t *key, int *majorp, int *minorp);
+/*%<
+ * Get the private key format version number.  (If the key does not have
+ * a private key associated with it, the version will be 0.0.)  The major
+ * version number is placed in '*majorp', and the minor version number in
+ * '*minorp'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"majorp" is not NULL.
+ *	"minorp" is not NULL.
+ */
+
+void
+dst_key_setprivateformat(dst_key_t *key, int major, int minor);
+/*%<
+ * Set the private key format version number.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+#define DST_KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + 7)
+
+void
+dst_key_format(const dst_key_t *key, char *cp, unsigned int size);
+/*%<
+ * Write the uniquely identifying information about the key (name,
+ * algorithm, key ID) into a string 'cp' of size 'size'.
+ */
+
+
+isc_buffer_t *
+dst_key_tkeytoken(const dst_key_t *key);
+/*%<
+ * Return the token from the TKEY request, if any.  If this key was
+ * not negotiated via TKEY, return NULL.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ */
+
+
+isc_result_t
+dst_key_dump(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length);
+/*%<
+ * Allocate 'buffer' and dump the key into it in base64 format. The buffer
+ * is not NUL terminated. The length of the buffer is returned in *length.
+ *
+ * 'buffer' needs to be freed using isc_mem_put(mctx, buffer, length);
+ *
+ * Requires:
+ *	'buffer' to be non NULL and *buffer to be NULL.
+ *	'length' to be non NULL and *length to be zero.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ *	ISC_R_NOTIMPLEMENTED
+ *	others.
+ */
+
+isc_result_t
+dst_key_restore(dns_name_t *name, unsigned int alg, unsigned int flags,
+		unsigned int protocol, dns_rdataclass_t rdclass,
+		isc_mem_t *mctx, const char *keystr, dst_key_t **keyp);
+
+bool
+dst_key_inactive(const dst_key_t *key);
+/*%<
+ * Determines if the private key is missing due the key being deemed inactive.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setinactive(dst_key_t *key, bool inactive);
+/*%<
+ * Set key inactive state.
+ *
+ * Requires:
+ *	'key' to be valid.
+ */
+
+void
+dst_key_setexternal(dst_key_t *key, bool value);
+
+bool
+dst_key_isexternal(dst_key_t *key);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_H */
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
new file mode 100644
index 0000000..17a9f54
--- /dev/null
+++ b/lib/dns/include/dst/gssapi.h
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DST_GSSAPI_H
+#define DST_GSSAPI_H 1
+
+/*! \file dst/gssapi.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+#include <dns/types.h>
+
+#ifdef GSSAPI
+#ifdef WIN32
+/*
+ * MSVC does not like macros in #include lines.
+ */
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+#else
+#include ISC_PLATFORM_GSSAPIHEADER
+#ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#include ISC_PLATFORM_GSSAPI_KRB5_HEADER
+#endif
+#endif
+#ifndef GSS_SPNEGO_MECHANISM
+#define GSS_SPNEGO_MECHANISM ((void*)0)
+#endif
+#endif
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, bool initiate,
+		       gss_cred_id_t *cred);
+/*
+ *	Acquires GSS credentials.
+ *
+ *	Requires:
+ * 	'name' 	    is a valid name, preferably one known by the GSS provider
+ * 	'initiate'  indicates whether the credentials are for initiating or
+ *		    accepting contexts
+ *      'cred'      is a pointer to NULL, which will be allocated with the
+ *		    credential handle.  Call dst_gssapi_releasecred to free
+ *		    the memory.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS msg was successfully updated to include the
+ *				      query to be sent
+ *		other		  an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_releasecred(gss_cred_id_t *cred);
+/*
+ *	Releases GSS credentials.  Calling this function does release the
+ *  memory allocated for the credential in dst_gssapi_acquirecred()
+ *
+ *	Requires:
+ *      'mctx'  is a valid memory context
+ *      'cred'  is a pointer to the credential to be released
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS 	credential was released successfully
+ *		other		an error occurred while releaseing
+ *				the credential
+ */
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
+		   isc_mem_t *mctx, char **err_message);
+/*
+ *	Initiates a GSS context.
+ *
+ *	Requires:
+ * 	'name'     is a valid name, preferably one known by the GSS
+ * 	provider
+ * 	'intoken'  is a token received from the acceptor, or NULL if
+ *		   there isn't one
+ * 	'outtoken' is a buffer to receive the token generated by
+ *		   gss_init_sec_context() to be sent to the acceptor
+ *      'context'  is a pointer to a valid gss_ctx_id_t
+ *                 (which may have the value GSS_C_NO_CONTEXT)
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		other		an error occurred while building the message
+ *		*err_message	optional error message
+ */
+
+isc_result_t
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+		     const char *gssapi_keytab,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     gss_ctx_id_t *context, dns_name_t *principal,
+		     isc_mem_t *mctx);
+/*
+ *	Accepts a GSS context.
+ *
+ *	Requires:
+ * 	'mctx'     is a valid memory context
+ *      'cred'     is the acceptor's valid GSS credential handle
+ * 	'intoken'  is a token received from the initiator
+ * 	'outtoken' is a pointer a buffer pointer used to return the token
+ *		   generated by gss_accept_sec_context() to be sent to the
+ *		   initiator
+ *      'context'  is a valid pointer to receive the generated context handle.
+ *                 On the initial call, it should be a pointer to NULL, which
+ *		   will be allocated as a gss_ctx_id_t.  Subsequent calls
+ *		   should pass in the handle generated on the first call.
+ *		   Call dst_gssapi_releasecred to delete the context and free
+ *		   the memory.
+ *
+ *	Requires:
+ *		'outtoken' to != NULL && *outtoken == NULL.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		DNS_R_CONTINUE	transaction still in progress
+ *		other 		an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+/*
+ *	Destroys a GSS context.  This function deletes the context from the GSS
+ *  	provider and then frees the memory used by the context pointer.
+ *
+ *	Requires:
+ *      'mctx'    is a valid memory context
+ *	'context' is a valid GSS context
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ */
+
+
+void
+gss_log(int level, const char *fmt, ...)
+ISC_FORMAT_PRINTF(2, 3);
+/*
+ * Logging function for GSS.
+ *
+ *  Requires
+ *      'level' is the log level to be used, as an integer
+ *      'fmt'   is a printf format specifier
+ */
+
+char *
+gss_error_tostring(uint32_t major, uint32_t minor,
+		   char *buf, size_t buflen);
+/*
+ *	Render a GSS major status/minor status pair into a string
+ *
+ *	Requires:
+ *      'major' is a GSS major status code
+ * 	'minor' is a GSS minor status code
+ *
+ *	Returns:
+ *		A string containing the text representation of the error codes.
+ *      	Users should copy the string if they wish to keep it.
+ */
+
+bool
+dst_gssapi_identitymatchesrealmkrb5(const dns_name_t *signer,
+				    const dns_name_t *name,
+				    const dns_name_t *realm,
+				    bool subdomain);
+/*
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
+ */
+
+bool
+dst_gssapi_identitymatchesrealmms(const dns_name_t *signer,
+				  const dns_name_t *name,
+				  const dns_name_t *realm,
+				  bool subdomain);
+/*
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_GSSAPI_H */
diff --git a/lib/dns/include/dst/lib.h b/lib/dns/include/dst/lib.h
new file mode 100644
index 0000000..508439f
--- /dev/null
+++ b/lib/dns/include/dst/lib.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DST_LIB_H
+#define DST_LIB_H 1
+
+/*! \file dst/lib.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dst_msgcat;
+
+void
+dst_lib_initmsgcat(void);
+/*
+ * Initialize the DST library's message catalog, dst_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_LIB_H */
diff --git a/lib/dns/include/dst/result.h b/lib/dns/include/dst/result.h
new file mode 100644
index 0000000..0855d80
--- /dev/null
+++ b/lib/dns/include/dst/result.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DST_RESULT_H
+#define DST_RESULT_H 1
+
+/*! \file dst/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DST result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h>		/* Contractual promise. */
+
+#define DST_R_UNSUPPORTEDALG		(ISC_RESULTCLASS_DST + 0)
+#define DST_R_CRYPTOFAILURE		(ISC_RESULTCLASS_DST + 1)
+/* compat */
+#define DST_R_OPENSSLFAILURE		DST_R_CRYPTOFAILURE
+#define DST_R_NOCRYPTO			(ISC_RESULTCLASS_DST + 2)
+#define DST_R_NULLKEY			(ISC_RESULTCLASS_DST + 3)
+#define DST_R_INVALIDPUBLICKEY		(ISC_RESULTCLASS_DST + 4)
+#define DST_R_INVALIDPRIVATEKEY		(ISC_RESULTCLASS_DST + 5)
+/* 6 is unused */
+#define DST_R_WRITEERROR		(ISC_RESULTCLASS_DST + 7)
+#define DST_R_INVALIDPARAM		(ISC_RESULTCLASS_DST + 8)
+/* 9 is unused */
+/* 10 is unused */
+#define DST_R_SIGNFAILURE		(ISC_RESULTCLASS_DST + 11)
+/* 12 is unused */
+/* 13 is unused */
+#define DST_R_VERIFYFAILURE		(ISC_RESULTCLASS_DST + 14)
+#define DST_R_NOTPUBLICKEY		(ISC_RESULTCLASS_DST + 15)
+#define DST_R_NOTPRIVATEKEY		(ISC_RESULTCLASS_DST + 16)
+#define DST_R_KEYCANNOTCOMPUTESECRET	(ISC_RESULTCLASS_DST + 17)
+#define DST_R_COMPUTESECRETFAILURE	(ISC_RESULTCLASS_DST + 18)
+#define DST_R_NORANDOMNESS		(ISC_RESULTCLASS_DST + 19)
+#define DST_R_BADKEYTYPE		(ISC_RESULTCLASS_DST + 20)
+#define DST_R_NOENGINE			(ISC_RESULTCLASS_DST + 21)
+#define DST_R_EXTERNALKEY		(ISC_RESULTCLASS_DST + 22)
+
+#define DST_R_NRESULTS			23	/* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *
+dst_result_totext(isc_result_t);
+
+void
+dst_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_RESULT_H */
diff --git a/lib/dns/ipkeylist.c b/lib/dns/ipkeylist.c
new file mode 100644
index 0000000..4f114e5
--- /dev/null
+++ b/lib/dns/ipkeylist.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/ipkeylist.h>
+#include <dns/name.h>
+
+void
+dns_ipkeylist_init(dns_ipkeylist_t *ipkl) {
+	ipkl->count = 0;
+	ipkl->allocated = 0;
+	ipkl->addrs = NULL;
+	ipkl->dscps = NULL;
+	ipkl->keys = NULL;
+	ipkl->labels = NULL;
+}
+
+void
+dns_ipkeylist_clear(isc_mem_t *mctx, dns_ipkeylist_t *ipkl) {
+	uint32_t i;
+
+	REQUIRE(ipkl != NULL);
+
+	if (ipkl->allocated == 0)
+		return;
+
+	if (ipkl->addrs != NULL)
+		isc_mem_put(mctx, ipkl->addrs,
+			    ipkl->allocated * sizeof(isc_sockaddr_t));
+
+	if (ipkl->dscps != NULL)
+		isc_mem_put(mctx, ipkl->dscps,
+			    ipkl->allocated * sizeof(isc_dscp_t));
+
+	if (ipkl->keys != NULL) {
+		for (i = 0; i < ipkl->allocated; i++) {
+			if (ipkl->keys[i] == NULL)
+				continue;
+			if (dns_name_dynamic(ipkl->keys[i]))
+				dns_name_free(ipkl->keys[i], mctx);
+			isc_mem_put(mctx, ipkl->keys[i], sizeof(dns_name_t));
+		}
+		isc_mem_put(mctx, ipkl->keys,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+
+	if (ipkl->labels != NULL) {
+		for (i = 0; i < ipkl->allocated; i++) {
+			if (ipkl->labels[i] == NULL)
+				continue;
+			if (dns_name_dynamic(ipkl->labels[i]))
+				dns_name_free(ipkl->labels[i], mctx);
+			isc_mem_put(mctx, ipkl->labels[i], sizeof(dns_name_t));
+		}
+		isc_mem_put(mctx, ipkl->labels,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+
+	dns_ipkeylist_init(ipkl);
+}
+
+isc_result_t
+dns_ipkeylist_copy(isc_mem_t *mctx, const dns_ipkeylist_t *src,
+		   dns_ipkeylist_t *dst)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	uint32_t i;
+
+	REQUIRE(dst != NULL);
+	/* dst might be preallocated, we don't care, but it must be empty */
+	REQUIRE(dst->count == 0);
+
+	if (src->count == 0)
+		return (ISC_R_SUCCESS);
+
+	result = dns_ipkeylist_resize(mctx, dst, src->count);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	memmove(dst->addrs, src->addrs, src->count * sizeof(isc_sockaddr_t));
+
+	if (src->dscps != NULL) {
+		memmove(dst->dscps, src->dscps,
+			src->count * sizeof(isc_dscp_t));
+	}
+
+	if (src->keys != NULL) {
+		for (i = 0; i < src->count; i++) {
+			if (src->keys[i] != NULL) {
+				dst->keys[i] = isc_mem_get(mctx,
+							   sizeof(dns_name_t));
+				if (dst->keys[i] == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto cleanup_keys;
+				}
+				dns_name_init(dst->keys[i], NULL);
+				result = dns_name_dup(src->keys[i], mctx,
+						      dst->keys[i]);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup_keys;
+			} else {
+				dst->keys[i] = NULL;
+			}
+		}
+	}
+
+	if (src->labels != NULL) {
+		for (i = 0; i < src->count; i++) {
+			if (src->labels[i] != NULL) {
+				dst->labels[i] = isc_mem_get(mctx,
+							   sizeof(dns_name_t));
+				if (dst->labels[i] == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto cleanup_labels;
+				}
+				dns_name_init(dst->labels[i], NULL);
+				result = dns_name_dup(src->labels[i], mctx,
+						      dst->labels[i]);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup_labels;
+			} else {
+				dst->labels[i] = NULL;
+			}
+		}
+	}
+	dst->count = src->count;
+	return (ISC_R_SUCCESS);
+
+  cleanup_labels:
+	do {
+		if (dst->labels[i] != NULL) {
+			if (dns_name_dynamic(dst->labels[i]))
+				dns_name_free(dst->labels[i], mctx);
+			isc_mem_put(mctx, dst->labels[i], sizeof(dns_name_t));
+			dst->labels[i] = NULL;
+		}
+	} while (i-- > 0);
+
+  cleanup_keys:
+	do {
+		if (dst->keys[i] != NULL) {
+			if (dns_name_dynamic(dst->keys[i]))
+				dns_name_free(dst->keys[i], mctx);
+			isc_mem_put(mctx, dst->keys[i], sizeof(dns_name_t));
+			dst->keys[i] = NULL;
+		}
+	} while (i-- > 0);
+
+	return (result);
+}
+
+isc_result_t
+dns_ipkeylist_resize(isc_mem_t *mctx, dns_ipkeylist_t *ipkl, unsigned int n) {
+	isc_sockaddr_t *addrs = NULL;
+	isc_dscp_t *dscps = NULL;
+	dns_name_t **keys = NULL;
+	dns_name_t **labels = NULL;
+
+	REQUIRE(ipkl != NULL);
+	REQUIRE(n > ipkl->count);
+
+	if (n <= ipkl->allocated)
+		return (ISC_R_SUCCESS);
+
+	addrs = isc_mem_get(mctx, n * sizeof(isc_sockaddr_t));
+	if (addrs == NULL)
+		goto nomemory;
+	dscps = isc_mem_get(mctx, n * sizeof(isc_dscp_t));
+	if (dscps == NULL)
+		goto nomemory;
+	keys = isc_mem_get(mctx, n * sizeof(dns_name_t *));
+	if (keys == NULL)
+		goto nomemory;
+	labels = isc_mem_get(mctx, n * sizeof(dns_name_t *));
+	if (labels == NULL)
+		goto nomemory;
+
+	if (ipkl->addrs != NULL) {
+		memmove(addrs, ipkl->addrs,
+			ipkl->allocated * sizeof(isc_sockaddr_t));
+		isc_mem_put(mctx, ipkl->addrs,
+			    ipkl->allocated * sizeof(isc_sockaddr_t));
+	}
+	ipkl->addrs = addrs;
+	memset(&ipkl->addrs[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(isc_sockaddr_t));
+
+	if (ipkl->dscps != NULL) {
+		memmove(dscps, ipkl->dscps,
+			ipkl->allocated * sizeof(isc_dscp_t));
+		isc_mem_put(mctx, ipkl->dscps,
+			    ipkl->allocated * sizeof(isc_dscp_t));
+	}
+	ipkl->dscps = dscps;
+	memset(&ipkl->dscps[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(isc_dscp_t));
+
+	if (ipkl->keys) {
+		memmove(keys, ipkl->keys,
+			ipkl->allocated * sizeof(dns_name_t *));
+		isc_mem_put(mctx, ipkl->keys,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+	ipkl->keys = keys;
+	memset(&ipkl->keys[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(dns_name_t *));
+
+	if (ipkl->labels != NULL) {
+		memmove(labels, ipkl->labels,
+			ipkl->allocated * sizeof(dns_name_t *));
+		isc_mem_put(mctx, ipkl->labels,
+			    ipkl->allocated * sizeof(dns_name_t *));
+	}
+	ipkl->labels = labels;
+	memset(&ipkl->labels[ipkl->allocated], 0,
+	       (n - ipkl->allocated) * sizeof(dns_name_t *));
+
+	ipkl->allocated = n;
+	return (ISC_R_SUCCESS);
+
+nomemory:
+	if (addrs != NULL)
+		isc_mem_put(mctx, addrs, n * sizeof(isc_sockaddr_t));
+	if (dscps != NULL)
+		isc_mem_put(mctx, dscps, n * sizeof(isc_dscp_t));
+	if (keys != NULL)
+		isc_mem_put(mctx, keys, n * sizeof(dns_name_t *));
+	if (labels != NULL)
+		isc_mem_put(mctx, labels, n * sizeof(dns_name_t *));
+
+	return (ISC_R_NOMEMORY);
+}
diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c
new file mode 100644
index 0000000..10713a0
--- /dev/null
+++ b/lib/dns/iptable.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/radix.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+static void destroy_iptable(dns_iptable_t *dtab);
+
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
+	isc_result_t result;
+	dns_iptable_t *tab;
+
+	tab = isc_mem_get(mctx, sizeof(*tab));
+	if (tab == NULL)
+		return (ISC_R_NOMEMORY);
+	tab->mctx = NULL;
+	isc_mem_attach(mctx, &tab->mctx);
+	isc_refcount_init(&tab->refcount, 1);
+	tab->radix = NULL;
+	tab->magic = DNS_IPTABLE_MAGIC;
+
+	result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	*target = tab;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_iptable_detach(&tab);
+	return (result);
+}
+
+static bool dns_iptable_neg = false;
+static bool dns_iptable_pos = true;
+
+/*
+ * Add an IP prefix to an existing IP table
+ */
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
+		      uint16_t bitlen, bool pos)
+{
+	return(dns_iptable_addprefix2(tab, addr, bitlen, pos, false));
+}
+
+isc_result_t
+dns_iptable_addprefix2(dns_iptable_t *tab, isc_netaddr_t *addr,
+		       uint16_t bitlen, bool pos,
+		       bool is_ecs)
+{
+	isc_result_t result;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	int i;
+
+	INSIST(DNS_IPTABLE_VALID(tab));
+	INSIST(tab->radix != NULL);
+
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen, is_ecs);
+
+	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
+		return(result);
+	}
+
+	/* If a node already contains data, don't overwrite it */
+	if (pfx.family == AF_UNSPEC) {
+		/* "any" or "none" */
+		INSIST(pfx.bitlen == 0);
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			if (node->data[i] == NULL) {
+				node->data[i] = pos ? &dns_iptable_pos
+						    : &dns_iptable_neg;
+			}
+		}
+	} else {
+		/* any other prefix */
+		int fam = ISC_RADIX_FAMILY(&pfx);
+		if (node->data[fam] == NULL) {
+			node->data[fam] = pos ? &dns_iptable_pos
+						 : &dns_iptable_neg;
+		}
+	}
+
+	isc_refcount_destroy(&pfx.refcount);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Merge one IP table into another one.
+ */
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, bool pos)
+{
+	isc_result_t result;
+	isc_radix_node_t *node, *new_node;
+	int i, max_node = 0;
+
+	RADIX_WALK (source->radix->head, node) {
+		new_node = NULL;
+		result = isc_radix_insert (tab->radix, &new_node, node, NULL);
+
+		if (result != ISC_R_SUCCESS)
+			return(result);
+
+		/*
+		 * If we're negating a nested ACL, then we should
+		 * reverse the sense of every node.  However, this
+		 * could lead to a negative node in a nested ACL
+		 * becoming a positive match in the parent, which
+		 * could be a security risk.  To prevent this, we
+		 * just leave the negative nodes negative.
+		 */
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			if (!pos) {
+				if (node->data[i] &&
+				    *(bool *) node->data[i])
+					new_node->data[i] = &dns_iptable_neg;
+			}
+			if (node->node_num[i] > max_node)
+				max_node = node->node_num[i];
+		}
+	} RADIX_WALK_END;
+
+	tab->radix->num_added_node += max_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
+	REQUIRE(DNS_IPTABLE_VALID(source));
+	isc_refcount_increment(&source->refcount, NULL);
+	*target = source;
+}
+
+void
+dns_iptable_detach(dns_iptable_t **tabp) {
+	dns_iptable_t *tab = *tabp;
+	unsigned int refs;
+	REQUIRE(DNS_IPTABLE_VALID(tab));
+	isc_refcount_decrement(&tab->refcount, &refs);
+	if (refs == 0)
+		destroy_iptable(tab);
+	*tabp = NULL;
+}
+
+static void
+destroy_iptable(dns_iptable_t *dtab) {
+
+	REQUIRE(DNS_IPTABLE_VALID(dtab));
+
+	if (dtab->radix != NULL) {
+		isc_radix_destroy(dtab->radix, NULL);
+		dtab->radix = NULL;
+	}
+
+	isc_refcount_destroy(&dtab->refcount);
+	dtab->magic = 0;
+	isc_mem_putanddetach(&dtab->mctx, dtab, sizeof(*dtab));
+}
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
new file mode 100644
index 0000000..bdbc459
--- /dev/null
+++ b/lib/dns/journal.c
@@ -0,0 +1,2364 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+
+/*! \file
+ * \brief Journaling.
+ *
+ * A journal file consists of
+ *
+ *   \li A fixed-size header of type journal_rawheader_t.
+ *
+ *   \li The index.  This is an unordered array of index entries
+ *     of type journal_rawpos_t giving the locations
+ *     of some arbitrary subset of the journal's addressable
+ *     transactions.  The index entries are used as hints to
+ *     speed up the process of locating a transaction with a given
+ *     serial number.  Unused index entries have an "offset"
+ *     field of zero.  The size of the index can vary between
+ *     journal files, but does not change during the lifetime
+ *     of a file.  The size can be zero.
+ *
+ *   \li The journal data.  This  consists of one or more transactions.
+ *     Each transaction begins with a transaction header of type
+ *     journal_rawxhdr_t.  The transaction header is followed by a
+ *     sequence of RRs, similar in structure to an IXFR difference
+ *     sequence (RFC1995).  That is, the pre-transaction SOA,
+ *     zero or more other deleted RRs, the post-transaction SOA,
+ *     and zero or more other added RRs.  Unlike in IXFR, each RR
+ *     is prefixed with a 32-bit length.
+ *
+ *     The journal data part grows as new transactions are
+ *     appended to the file.  Only those transactions
+ *     whose serial number is current-(2^31-1) to current
+ *     are considered "addressable" and may be pointed
+ *     to from the header or index.  They may be preceded
+ *     by old transactions that are no longer addressable,
+ *     and they may be followed by transactions that were
+ *     appended to the journal but never committed by updating
+ *     the "end" position in the header.  The latter will
+ *     be overwritten when new transactions are added.
+ */
+/*%
+ * When true, accept IXFR difference sequences where the
+ * SOA serial number does not change (BIND 8 sends such
+ * sequences).
+ */
+static bool bind8_compat = true; /* XXX config */
+
+/**************************************************************************/
+/*
+ * Miscellaneous utilities.
+ */
+
+#define JOURNAL_COMMON_LOGARGS \
+	dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_JOURNAL
+
+#define JOURNAL_DEBUG_LOGARGS(n) \
+	JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
+
+/*%
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+	do { result = (code);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+#define CHECK(op) \
+	do { result = (op); 					\
+		if (result != ISC_R_SUCCESS) goto failure; 	\
+	} while (0)
+
+#define JOURNAL_SERIALSET	0x01U
+
+static isc_result_t index_to_disk(dns_journal_t *);
+
+static inline uint32_t
+decode_uint32(unsigned char *p) {
+	return ((p[0] << 24) +
+		(p[1] << 16) +
+		(p[2] <<  8) +
+		(p[3] <<  0));
+}
+
+static inline void
+encode_uint32(uint32_t val, unsigned char *p) {
+	p[0] = (uint8_t)(val >> 24);
+	p[1] = (uint8_t)(val >> 16);
+	p[2] = (uint8_t)(val >>  8);
+	p[3] = (uint8_t)(val >>  0);
+}
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+		      dns_diffop_t op, dns_difftuple_t **tp)
+{
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_fixedname_t fixed;
+	dns_name_t *zonename;
+
+	zonename = dns_fixedname_initname(&fixed);
+	dns_name_copy(dns_db_origin(db), zonename, NULL);
+
+	node = NULL;
+	result = dns_db_findnode(db, zonename, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto nonode;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+				     (isc_stdtime_t)0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto freenode;
+
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto freenode;
+
+	dns_rdataset_current(&rdataset, &rdata);
+	dns_rdataset_getownercase(&rdataset, zonename);
+
+	result = dns_difftuple_create(mctx, op, zonename, rdataset.ttl,
+				      &rdata, tp);
+
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+
+ freenode:
+	dns_db_detachnode(db, &node);
+ nonode:
+	UNEXPECTED_ERROR(__FILE__, __LINE__, "missing SOA");
+	return (result);
+}
+
+/* Journaling */
+
+/*%
+ * On-disk representation of a "pointer" to a journal entry.
+ * These are used in the journal header to locate the beginning
+ * and end of the journal, and in the journal index to locate
+ * other transactions.
+ */
+typedef struct {
+	unsigned char	serial[4];  /*%< SOA serial before update. */
+	/*
+	 * XXXRTH  Should offset be 8 bytes?
+	 * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
+	 * XXXAG  ... but we will not be able to seek >2G anyway on many
+	 *            platforms as long as we are using fseek() rather
+	 *            than lseek().
+	 */
+	unsigned char	offset[4];  /*%< Offset from beginning of file. */
+} journal_rawpos_t;
+
+
+/*%
+ * The header is of a fixed size, with some spare room for future
+ * extensions.
+ */
+#define JOURNAL_HEADER_SIZE 64 /* Bytes. */
+
+/*%
+ * The on-disk representation of the journal header.
+ * All numbers are stored in big-endian order.
+ */
+typedef union {
+	struct {
+		/*% File format version ID. */
+		unsigned char 		format[16];
+		/*% Position of the first addressable transaction */
+		journal_rawpos_t 	begin;
+		/*% Position of the next (yet nonexistent) transaction. */
+		journal_rawpos_t 	end;
+		/*% Number of index entries following the header. */
+		unsigned char 		index_size[4];
+		/*% Source serial number. */
+		unsigned char           sourceserial[4];
+		unsigned char           flags;
+	} h;
+	/* Pad the header to a fixed size. */
+	unsigned char pad[JOURNAL_HEADER_SIZE];
+} journal_rawheader_t;
+
+/*%
+ * The on-disk representation of the transaction header.
+ * There is one of these at the beginning of each transaction.
+ */
+typedef struct {
+	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
+	unsigned char	serial0[4];	/*%< SOA serial before update. */
+	unsigned char	serial1[4];	/*%< SOA serial after update. */
+} journal_rawxhdr_t;
+
+/*%
+ * The on-disk representation of the RR header.
+ * There is one of these at the beginning of each RR.
+ */
+typedef struct {
+	unsigned char	size[4]; 	/*%< In bytes, excluding header. */
+} journal_rawrrhdr_t;
+
+/*%
+ * The in-core representation of the journal header.
+ */
+typedef struct {
+	uint32_t	serial;
+	isc_offset_t	offset;
+} journal_pos_t;
+
+#define POS_VALID(pos) 		((pos).offset != 0)
+#define POS_INVALIDATE(pos) 	((pos).offset = 0, (pos).serial = 0)
+
+typedef struct {
+	unsigned char 	format[16];
+	journal_pos_t 	begin;
+	journal_pos_t 	end;
+	uint32_t	index_size;
+	uint32_t	sourceserial;
+	bool	serialset;
+} journal_header_t;
+
+/*%
+ * The in-core representation of the transaction header.
+ */
+
+typedef struct {
+	uint32_t	size;
+	uint32_t	serial0;
+	uint32_t	serial1;
+} journal_xhdr_t;
+
+/*%
+ * The in-core representation of the RR header.
+ */
+typedef struct {
+	uint32_t	size;
+} journal_rrhdr_t;
+
+
+/*%
+ * Initial contents to store in the header of a newly created
+ * journal file.
+ *
+ * The header starts with the magic string ";BIND LOG V9\n"
+ * to identify the file as a BIND 9 journal file.  An ASCII
+ * identification string is used rather than a binary magic
+ * number to be consistent with BIND 8 (BIND 8 journal files
+ * are ASCII text files).
+ */
+
+static journal_header_t
+initial_journal_header = { ";BIND LOG V9\n", { 0, 0 }, { 0, 0 }, 0, 0, 0 };
+
+#define JOURNAL_EMPTY(h) ((h)->begin.offset == (h)->end.offset)
+
+typedef enum {
+	JOURNAL_STATE_INVALID,
+	JOURNAL_STATE_READ,
+	JOURNAL_STATE_WRITE,
+	JOURNAL_STATE_TRANSACTION,
+	JOURNAL_STATE_INLINE
+} journal_state_t;
+
+struct dns_journal {
+	unsigned int		magic;		/*%< JOUR */
+	isc_mem_t		*mctx;		/*%< Memory context */
+	journal_state_t		state;
+	char 			*filename;	/*%< Journal file name */
+	FILE *			fp;		/*%< File handle */
+	isc_offset_t		offset;		/*%< Current file offset */
+	journal_header_t 	header;		/*%< In-core journal header */
+	unsigned char		*rawindex;	/*%< In-core buffer for journal index in on-disk format */
+	journal_pos_t		*index;		/*%< In-core journal index */
+
+	/*% Current transaction state (when writing). */
+	struct {
+		unsigned int	n_soa;		/*%< Number of SOAs seen */
+		journal_pos_t	pos[2];		/*%< Begin/end position */
+	} x;
+
+	/*% Iteration state (when reading). */
+	struct {
+		/* These define the part of the journal we iterate over. */
+		journal_pos_t bpos;		/*%< Position before first, */
+		journal_pos_t epos;		/*%< and after last transaction */
+		/* The rest is iterator state. */
+		uint32_t current_serial;	/*%< Current SOA serial */
+		isc_buffer_t source;		/*%< Data from disk */
+		isc_buffer_t target;		/*%< Data from _fromwire check */
+		dns_decompress_t dctx;		/*%< Dummy decompression ctx */
+		dns_name_t name;		/*%< Current domain name */
+		dns_rdata_t rdata;		/*%< Current rdata */
+		uint32_t ttl;		/*%< Current TTL */
+		unsigned int xsize;		/*%< Size of transaction data */
+		unsigned int xpos;		/*%< Current position in it */
+		isc_result_t result;		/*%< Result of last call */
+	} it;
+};
+
+#define DNS_JOURNAL_MAGIC	ISC_MAGIC('J', 'O', 'U', 'R')
+#define DNS_JOURNAL_VALID(t)	ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
+
+static void
+journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+	cooked->serial = decode_uint32(raw->serial);
+	cooked->offset = decode_uint32(raw->offset);
+}
+
+static void
+journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+	encode_uint32(cooked->serial, raw->serial);
+	encode_uint32(cooked->offset, raw->offset);
+}
+
+static void
+journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
+	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+	memmove(cooked->format, raw->h.format, sizeof(cooked->format));
+	journal_pos_decode(&raw->h.begin, &cooked->begin);
+	journal_pos_decode(&raw->h.end, &cooked->end);
+	cooked->index_size = decode_uint32(raw->h.index_size);
+	cooked->sourceserial = decode_uint32(raw->h.sourceserial);
+	cooked->serialset = (raw->h.flags & JOURNAL_SERIALSET);
+}
+
+static void
+journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
+	unsigned char flags = 0;
+
+	INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+	memset(raw->pad, 0, sizeof(raw->pad));
+	memmove(raw->h.format, cooked->format, sizeof(raw->h.format));
+	journal_pos_encode(&raw->h.begin, &cooked->begin);
+	journal_pos_encode(&raw->h.end, &cooked->end);
+	encode_uint32(cooked->index_size, raw->h.index_size);
+	encode_uint32(cooked->sourceserial, raw->h.sourceserial);
+	if (cooked->serialset)
+		flags |= JOURNAL_SERIALSET;
+	raw->h.flags = flags;
+}
+
+/*
+ * Journal file I/O subroutines, with error checking and reporting.
+ */
+static isc_result_t
+journal_seek(dns_journal_t *j, uint32_t offset) {
+	isc_result_t result;
+
+	result = isc_stdio_seek(j->fp, (off_t)offset, SEEK_SET);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: seek: %s", j->filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset = offset;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
+	isc_result_t result;
+
+	result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_EOF)
+			return (ISC_R_NOMORE);
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: read: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset += (isc_offset_t)nbytes;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
+	isc_result_t result;
+
+	result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: write: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	j->offset += (isc_offset_t)nbytes;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_fsync(dns_journal_t *j) {
+	isc_result_t result;
+	result = isc_stdio_flush(j->fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: flush: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	result = isc_stdio_sync(j->fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: fsync: %s",
+			      j->filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Read/write a transaction header at the current file position.
+ */
+
+static isc_result_t
+journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
+	journal_rawxhdr_t raw;
+	isc_result_t result;
+	result = journal_read(j, &raw, sizeof(raw));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	xhdr->size = decode_uint32(raw.size);
+	xhdr->serial0 = decode_uint32(raw.serial0);
+	xhdr->serial1 = decode_uint32(raw.serial1);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_write_xhdr(dns_journal_t *j, uint32_t size,
+		   uint32_t serial0, uint32_t serial1)
+{
+	journal_rawxhdr_t raw;
+	encode_uint32(size, raw.size);
+	encode_uint32(serial0, raw.serial0);
+	encode_uint32(serial1, raw.serial1);
+	return (journal_write(j, &raw, sizeof(raw)));
+}
+
+
+/*
+ * Read an RR header at the current file position.
+ */
+
+static isc_result_t
+journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
+	journal_rawrrhdr_t raw;
+	isc_result_t result;
+	result = journal_read(j, &raw, sizeof(raw));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	rrhdr->size = decode_uint32(raw.size);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_file_create(isc_mem_t *mctx, const char *filename) {
+	FILE *fp = NULL;
+	isc_result_t result;
+	journal_header_t header;
+	journal_rawheader_t rawheader;
+	int index_size = 56; /* XXX configurable */
+	int size;
+	void *mem; /* Memory for temporary index image. */
+
+	INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
+
+	result = isc_stdio_open(filename, "wb", &fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: create: %s",
+			      filename, isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	header = initial_journal_header;
+	header.index_size = index_size;
+	journal_header_encode(&header, &rawheader);
+
+	size = sizeof(journal_rawheader_t) +
+		index_size * sizeof(journal_rawpos_t);
+
+	mem = isc_mem_get(mctx, size);
+	if (mem == NULL) {
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(mem, 0, size);
+	memmove(mem, &rawheader, sizeof(rawheader));
+
+	result = isc_stdio_write(mem, 1, (size_t) size, fp, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				 "%s: write: %s",
+				 filename, isc_result_totext(result));
+		(void)isc_stdio_close(fp);
+		(void)isc_file_remove(filename);
+		isc_mem_put(mctx, mem, size);
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_mem_put(mctx, mem, size);
+
+	result = isc_stdio_close(fp);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				 "%s: close: %s",
+				 filename, isc_result_totext(result));
+		(void)isc_file_remove(filename);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_open(isc_mem_t *mctx, const char *filename, bool writable,
+	     bool create, dns_journal_t **journalp)
+{
+	FILE *fp = NULL;
+	isc_result_t result;
+	journal_rawheader_t rawheader;
+	dns_journal_t *j;
+
+	INSIST(journalp != NULL && *journalp == NULL);
+	j = isc_mem_get(mctx, sizeof(*j));
+	if (j == NULL)
+		return (ISC_R_NOMEMORY);
+
+	j->mctx = NULL;
+	isc_mem_attach(mctx, &j->mctx);
+	j->state = JOURNAL_STATE_INVALID;
+	j->fp = NULL;
+	j->filename = isc_mem_strdup(mctx, filename);
+	j->index = NULL;
+	j->rawindex = NULL;
+
+	if (j->filename == NULL)
+		FAIL(ISC_R_NOMEMORY);
+
+	result = isc_stdio_open(j->filename, writable ? "rb+" : "rb", &fp);
+
+	if (result == ISC_R_FILENOTFOUND) {
+		if (create) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(1),
+				      "journal file %s does not exist, "
+				      "creating it", j->filename);
+			CHECK(journal_file_create(mctx, filename));
+			/*
+			 * Retry.
+			 */
+			result = isc_stdio_open(j->filename, "rb+", &fp);
+		} else {
+			FAIL(ISC_R_NOTFOUND);
+		}
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: open: %s",
+			      j->filename, isc_result_totext(result));
+		FAIL(ISC_R_UNEXPECTED);
+	}
+
+	j->fp = fp;
+
+	/*
+	 * Set magic early so that seek/read can succeed.
+	 */
+	j->magic = DNS_JOURNAL_MAGIC;
+
+	CHECK(journal_seek(j, 0));
+	CHECK(journal_read(j, &rawheader, sizeof(rawheader)));
+
+	if (memcmp(rawheader.h.format, initial_journal_header.format,
+		   sizeof(initial_journal_header.format)) != 0) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				 "%s: journal format not recognized",
+				 j->filename);
+		FAIL(ISC_R_UNEXPECTED);
+	}
+	journal_header_decode(&rawheader, &j->header);
+
+	/*
+	 * If there is an index, read the raw index into a dynamically
+	 * allocated buffer and then convert it into a cooked index.
+	 */
+	if (j->header.index_size != 0) {
+		unsigned int i;
+		unsigned int rawbytes;
+		unsigned char *p;
+
+		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+		j->rawindex = isc_mem_get(mctx, rawbytes);
+		if (j->rawindex == NULL)
+			FAIL(ISC_R_NOMEMORY);
+
+		CHECK(journal_read(j, j->rawindex, rawbytes));
+
+		j->index = isc_mem_get(mctx, j->header.index_size *
+				       sizeof(journal_pos_t));
+		if (j->index == NULL)
+			FAIL(ISC_R_NOMEMORY);
+
+		p = j->rawindex;
+		for (i = 0; i < j->header.index_size; i++) {
+			j->index[i].serial = decode_uint32(p);
+			p += 4;
+			j->index[i].offset = decode_uint32(p);
+			p += 4;
+		}
+		INSIST(p == j->rawindex + rawbytes);
+	}
+	j->offset = -1; /* Invalid, must seek explicitly. */
+
+	/*
+	 * Initialize the iterator.
+	 */
+	dns_name_init(&j->it.name, NULL);
+	dns_rdata_init(&j->it.rdata);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format RR data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&j->it.source, NULL, 0);
+	isc_buffer_init(&j->it.target, NULL, 0);
+	dns_decompress_init(&j->it.dctx, -1, DNS_DECOMPRESS_NONE);
+
+	j->state =
+		writable ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
+
+	*journalp = j;
+	return (ISC_R_SUCCESS);
+
+ failure:
+	j->magic = 0;
+	if (j->rawindex != NULL)
+		isc_mem_put(j->mctx, j->rawindex, j->header.index_size *
+			    sizeof(journal_rawpos_t));
+	if (j->index != NULL)
+		isc_mem_put(j->mctx, j->index, j->header.index_size *
+			    sizeof(journal_pos_t));
+	if (j->filename != NULL)
+		isc_mem_free(j->mctx, j->filename);
+	if (j->fp != NULL)
+		(void)isc_stdio_close(j->fp);
+	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+	return (result);
+}
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, unsigned int mode,
+		 dns_journal_t **journalp)
+{
+	isc_result_t result;
+	size_t namelen;
+	char backup[1024];
+	bool writable, create;
+
+	create = (mode & DNS_JOURNAL_CREATE);
+	writable = (mode & (DNS_JOURNAL_WRITE|DNS_JOURNAL_CREATE));
+
+	result = journal_open(mctx, filename, writable, create, journalp);
+	if (result == ISC_R_NOTFOUND) {
+		namelen = strlen(filename);
+		if (namelen > 4U && strcmp(filename + namelen - 4, ".jnl") == 0)
+			namelen -= 4;
+
+		result = isc_string_printf(backup, sizeof(backup), "%.*s.jbk",
+					   (int)namelen, filename);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = journal_open(mctx, backup, writable, writable,
+				      journalp);
+	}
+	return (result);
+}
+
+/*
+ * A comparison function defining the sorting order for
+ * entries in the IXFR-style journal file.
+ *
+ * The IXFR format requires that deletions are sorted before
+ * additions, and within either one, SOA records are sorted
+ * before others.
+ *
+ * Also sort the non-SOA records by type as a courtesy to the
+ * server receiving the IXFR - it may help reduce the amount of
+ * rdataset merging it has to do.
+ */
+static int
+ixfr_order(const void *av, const void *bv) {
+	dns_difftuple_t const * const *ap = av;
+	dns_difftuple_t const * const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	int bop = 0, aop = 0;
+
+	switch (a->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		aop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		aop = 0;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	switch (b->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		bop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		bop = 0;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	r = bop - aop;
+	if (r != 0)
+		return (r);
+
+	r = (b->rdata.type == dns_rdatatype_soa) -
+		(a->rdata.type == dns_rdatatype_soa);
+	if (r != 0)
+		return (r);
+
+	r = (a->rdata.type - b->rdata.type);
+	return (r);
+}
+
+/*
+ * Advance '*pos' to the next journal transaction.
+ *
+ * Requires:
+ *	*pos refers to a valid journal transaction.
+ *
+ * Ensures:
+ *	When ISC_R_SUCCESS is returned,
+ *	*pos refers to the next journal transaction.
+ *
+ * Returns one of:
+ *
+ *    ISC_R_SUCCESS
+ *    ISC_R_NOMORE 	*pos pointed at the last transaction
+ *    Other results due to file errors are possible.
+ */
+static isc_result_t
+journal_next(dns_journal_t *j, journal_pos_t *pos) {
+	isc_result_t result;
+	journal_xhdr_t xhdr;
+	REQUIRE(DNS_JOURNAL_VALID(j));
+
+	result = journal_seek(j, pos->offset);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (pos->serial == j->header.end.serial)
+		return (ISC_R_NOMORE);
+	/*
+	 * Read the header of the current transaction.
+	 * This will return ISC_R_NOMORE if we are at EOF.
+	 */
+	result = journal_read_xhdr(j, &xhdr);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Check serial number consistency.
+	 */
+	if (xhdr.serial0 != pos->serial) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal file corrupt: "
+			      "expected serial %u, got %u",
+			      j->filename, pos->serial, xhdr.serial0);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Check for offset wraparound.
+	 */
+	if ((isc_offset_t)(pos->offset + sizeof(journal_rawxhdr_t) + xhdr.size)
+	    < pos->offset) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: offset too large", j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	pos->offset += sizeof(journal_rawxhdr_t) + xhdr.size;
+	pos->serial = xhdr.serial1;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * If the index of the journal 'j' contains an entry "better"
+ * than '*best_guess', replace '*best_guess' with it.
+ *
+ * "Better" means having a serial number closer to 'serial'
+ * but not greater than 'serial'.
+ */
+static void
+index_find(dns_journal_t *j, uint32_t serial, journal_pos_t *best_guess) {
+	unsigned int i;
+	if (j->index == NULL)
+		return;
+	for (i = 0; i < j->header.index_size; i++) {
+		if (POS_VALID(j->index[i]) &&
+		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
+		    DNS_SERIAL_GT(j->index[i].serial, best_guess->serial))
+			*best_guess = j->index[i];
+	}
+}
+
+/*
+ * Add a new index entry.  If there is no room, make room by removing
+ * the odd-numbered entries and compacting the others into the first
+ * half of the index.  This decimates old index entries exponentially
+ * over time, so that the index always contains a much larger fraction
+ * of recent serial numbers than of old ones.  This is deliberate -
+ * most index searches are for outgoing IXFR, and IXFR tends to request
+ * recent versions more often than old ones.
+ */
+static void
+index_add(dns_journal_t *j, journal_pos_t *pos) {
+	unsigned int i;
+	if (j->index == NULL)
+		return;
+	/*
+	 * Search for a vacant position.
+	 */
+	for (i = 0; i < j->header.index_size; i++) {
+		if (! POS_VALID(j->index[i]))
+			break;
+	}
+	if (i == j->header.index_size) {
+		unsigned int k = 0;
+		/*
+		 * Found no vacant position.  Make some room.
+		 */
+		for (i = 0; i < j->header.index_size; i += 2) {
+			j->index[k++] = j->index[i];
+		}
+		i = k; /* 'i' identifies the first vacant position. */
+		while (k < j->header.index_size) {
+			POS_INVALIDATE(j->index[k]);
+			k++;
+		}
+	}
+	INSIST(i < j->header.index_size);
+	INSIST(! POS_VALID(j->index[i]));
+
+	/*
+	 * Store the new index entry.
+	 */
+	j->index[i] = *pos;
+}
+
+/*
+ * Invalidate any existing index entries that could become
+ * ambiguous when a new transaction with number 'serial' is added.
+ */
+static void
+index_invalidate(dns_journal_t *j, uint32_t serial) {
+	unsigned int i;
+	if (j->index == NULL)
+		return;
+	for (i = 0; i < j->header.index_size; i++) {
+		if (! DNS_SERIAL_GT(serial, j->index[i].serial))
+			POS_INVALIDATE(j->index[i]);
+	}
+}
+
+/*
+ * Try to find a transaction with initial serial number 'serial'
+ * in the journal 'j'.
+ *
+ * If found, store its position at '*pos' and return ISC_R_SUCCESS.
+ *
+ * If 'serial' is current (= the ending serial number of the
+ * last transaction in the journal), set '*pos' to
+ * the position immediately following the last transaction and
+ * return ISC_R_SUCCESS.
+ *
+ * If 'serial' is within the range of addressable serial numbers
+ * covered by the journal but that particular serial number is missing
+ * (from the journal, not just from the index), return ISC_R_NOTFOUND.
+ *
+ * If 'serial' is outside the range of addressable serial numbers
+ * covered by the journal, return ISC_R_RANGE.
+ *
+ */
+static isc_result_t
+journal_find(dns_journal_t *j, uint32_t serial, journal_pos_t *pos) {
+	isc_result_t result;
+	journal_pos_t current_pos;
+	REQUIRE(DNS_JOURNAL_VALID(j));
+
+	if (DNS_SERIAL_GT(j->header.begin.serial, serial))
+		return (ISC_R_RANGE);
+	if (DNS_SERIAL_GT(serial, j->header.end.serial))
+		return (ISC_R_RANGE);
+	if (serial == j->header.end.serial) {
+		*pos = j->header.end;
+		return (ISC_R_SUCCESS);
+	}
+
+	current_pos = j->header.begin;
+	index_find(j, serial, &current_pos);
+
+	while (current_pos.serial != serial) {
+		if (DNS_SERIAL_GT(current_pos.serial, serial))
+			return (ISC_R_NOTFOUND);
+		result = journal_next(j, &current_pos);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	*pos = current_pos;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j) {
+	uint32_t offset;
+	isc_result_t result;
+	journal_rawxhdr_t hdr;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
+		j->state == JOURNAL_STATE_INLINE);
+
+	/*
+	 * Find the file offset where the new transaction should
+	 * be written, and seek there.
+	 */
+	if (JOURNAL_EMPTY(&j->header)) {
+		offset = sizeof(journal_rawheader_t) +
+			j->header.index_size * sizeof(journal_rawpos_t);
+	} else {
+		offset = j->header.end.offset;
+	}
+	j->x.pos[0].offset = offset;
+	j->x.pos[1].offset = offset; /* Initial value, will be incremented. */
+	j->x.n_soa = 0;
+
+	CHECK(journal_seek(j, offset));
+
+	/*
+	 * Write a dummy transaction header of all zeroes to reserve
+	 * space.  It will be filled in when the transaction is
+	 * finished.
+	 */
+	memset(&hdr, 0, sizeof(hdr));
+	CHECK(journal_write(j, &hdr, sizeof(hdr)));
+	j->x.pos[1].offset = j->offset;
+
+	j->state = JOURNAL_STATE_TRANSACTION;
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
+	dns_difftuple_t *t;
+	isc_buffer_t buffer;
+	void *mem = NULL;
+	uint64_t size;
+	isc_result_t result;
+	isc_region_t used;
+
+	REQUIRE(DNS_DIFF_VALID(diff));
+	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
+
+	isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
+	(void)dns_diff_print(diff, NULL);
+
+	/*
+	 * Pass 1: determine the buffer size needed, and
+	 * keep track of SOA serial numbers.
+	 */
+	size = 0;
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		if (t->rdata.type == dns_rdatatype_soa) {
+			if (j->x.n_soa < 2)
+				j->x.pos[j->x.n_soa].serial =
+					dns_soa_getserial(&t->rdata);
+			j->x.n_soa++;
+		}
+		size += sizeof(journal_rawrrhdr_t);
+		size += t->name.length; /* XXX should have access macro? */
+		size += 10;
+		size += t->rdata.length;
+	}
+
+	if (size >= INT32_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "dns_journal_writediff: %s: journal entry "
+			      "too big to be stored: %" PRIu64 " bytes",
+			      j->filename, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	mem = isc_mem_get(j->mctx, size);
+	if (mem == NULL)
+		return (ISC_R_NOMEMORY);
+
+	isc_buffer_init(&buffer, mem, size);
+
+	/*
+	 * Pass 2.  Write RRs to buffer.
+	 */
+	for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		/*
+		 * Write the RR header.
+		 */
+		isc_buffer_putuint32(&buffer, t->name.length + 10 +
+				     t->rdata.length);
+		/*
+		 * Write the owner name, RR header, and RR data.
+		 */
+		isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
+		isc_buffer_putuint16(&buffer, t->rdata.type);
+		isc_buffer_putuint16(&buffer, t->rdata.rdclass);
+		isc_buffer_putuint32(&buffer, t->ttl);
+		INSIST(t->rdata.length < 65536);
+		isc_buffer_putuint16(&buffer, (uint16_t)t->rdata.length);
+		INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
+		isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
+	}
+
+	isc_buffer_usedregion(&buffer, &used);
+	INSIST(used.length == size);
+
+	j->x.pos[1].offset += used.length;
+
+	/*
+	 * Write the buffer contents to the journal file.
+	 */
+	CHECK(journal_write(j, used.base, used.length));
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (mem != NULL)
+		isc_mem_put(j->mctx, mem, size);
+	return (result);
+
+}
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j) {
+	isc_result_t result;
+	journal_rawheader_t rawheader;
+	uint64_t total;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION ||
+		j->state == JOURNAL_STATE_INLINE);
+
+	/*
+	 * Just write out a updated header.
+	 */
+	if (j->state == JOURNAL_STATE_INLINE) {
+		CHECK(journal_fsync(j));
+		journal_header_encode(&j->header, &rawheader);
+		CHECK(journal_seek(j, 0));
+		CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j));
+		j->state = JOURNAL_STATE_WRITE;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Perform some basic consistency checks.
+	 */
+	if (j->x.n_soa != 2) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: malformed transaction: %d SOAs",
+			      j->filename, j->x.n_soa);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) ||
+	       (bind8_compat &&
+		j->x.pos[1].serial == j->x.pos[0].serial)))
+	{
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: malformed transaction: serial number "
+			      "would decrease", j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (! JOURNAL_EMPTY(&j->header)) {
+		if (j->x.pos[0].serial != j->header.end.serial) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+					 "malformed transaction: "
+					 "%s last serial %u != "
+					 "transaction first serial %u",
+					 j->filename,
+					 j->header.end.serial,
+					 j->x.pos[0].serial);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	/*
+	 * We currently don't support huge journal entries.
+	 */
+	total = j->x.pos[1].offset - j->x.pos[0].offset;
+	if (total >= INT32_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			     "transaction too big to be stored in journal: "
+			     "%" PRIu64 "b (max is %" PRIu64 "b)", total,
+			     (uint64_t)INT32_MAX);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Some old journal entries may become non-addressable
+	 * when we increment the current serial number.  Purge them
+	 * by stepping header.begin forward to the first addressable
+	 * transaction.  Also purge them from the index.
+	 */
+	if (! JOURNAL_EMPTY(&j->header)) {
+		while (! DNS_SERIAL_GT(j->x.pos[1].serial,
+				       j->header.begin.serial)) {
+			CHECK(journal_next(j, &j->header.begin));
+		}
+		index_invalidate(j, j->x.pos[1].serial);
+	}
+#ifdef notyet
+	if (DNS_SERIAL_GT(last_dumped_serial, j->x.pos[1].serial)) {
+		force_dump(...);
+	}
+#endif
+
+	/*
+	 * Commit the transaction data to stable storage.
+	 */
+	CHECK(journal_fsync(j));
+
+	if (j->state == JOURNAL_STATE_TRANSACTION) {
+		isc_offset_t offset;
+		offset = (j->x.pos[1].offset - j->x.pos[0].offset) -
+				 sizeof(journal_rawxhdr_t);
+		/*
+		 * Update the transaction header.
+		 */
+		CHECK(journal_seek(j, j->x.pos[0].offset));
+		CHECK(journal_write_xhdr(j, offset, j->x.pos[0].serial,
+					 j->x.pos[1].serial));
+	}
+
+	/*
+	 * Update the journal header.
+	 */
+	if (JOURNAL_EMPTY(&j->header))
+		j->header.begin = j->x.pos[0];
+	j->header.end = j->x.pos[1];
+	journal_header_encode(&j->header, &rawheader);
+	CHECK(journal_seek(j, 0));
+	CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+
+	/*
+	 * Update the index.
+	 */
+	index_add(j, &j->x.pos[0]);
+
+	/*
+	 * Convert the index into on-disk format and write
+	 * it to disk.
+	 */
+	CHECK(index_to_disk(j));
+
+	/*
+	 * Commit the header to stable storage.
+	 */
+	CHECK(journal_fsync(j));
+
+	/*
+	 * We no longer have a transaction open.
+	 */
+	j->state = JOURNAL_STATE_WRITE;
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
+	isc_result_t result;
+	CHECK(dns_diff_sort(diff, ixfr_order));
+	CHECK(dns_journal_begin_transaction(j));
+	CHECK(dns_journal_writediff(j, diff));
+	CHECK(dns_journal_commit(j));
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+void
+dns_journal_destroy(dns_journal_t **journalp) {
+	dns_journal_t *j = *journalp;
+	REQUIRE(DNS_JOURNAL_VALID(j));
+
+	j->it.result = ISC_R_FAILURE;
+	dns_name_invalidate(&j->it.name);
+	dns_decompress_invalidate(&j->it.dctx);
+	if (j->rawindex != NULL)
+		isc_mem_put(j->mctx, j->rawindex, j->header.index_size *
+			    sizeof(journal_rawpos_t));
+	if (j->index != NULL)
+		isc_mem_put(j->mctx, j->index, j->header.index_size *
+			    sizeof(journal_pos_t));
+	if (j->it.target.base != NULL)
+		isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
+	if (j->it.source.base != NULL)
+		isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
+	if (j->filename != NULL)
+		isc_mem_free(j->mctx, j->filename);
+	if (j->fp != NULL)
+		(void)isc_stdio_close(j->fp);
+	j->magic = 0;
+	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+	*journalp = NULL;
+}
+
+/*
+ * Roll the open journal 'j' into the database 'db'.
+ * A new database version will be created.
+ */
+
+/* XXX Share code with incoming IXFR? */
+
+static isc_result_t
+roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options) {
+	isc_buffer_t source;		/* Transaction data from disk */
+	isc_buffer_t target;		/* Ditto after _fromwire check */
+	uint32_t db_serial;		/* Database SOA serial */
+	uint32_t end_serial;	/* Last journal SOA serial */
+	isc_result_t result;
+	dns_dbversion_t *ver = NULL;
+	journal_pos_t pos;
+	dns_diff_t diff;
+	unsigned int n_soa = 0;
+	unsigned int n_put = 0;
+	dns_diffop_t op;
+
+	REQUIRE(DNS_JOURNAL_VALID(j));
+	REQUIRE(DNS_DB_VALID(db));
+
+	dns_diff_init(j->mctx, &diff);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format transaction data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
+
+	/*
+	 * Create the new database version.
+	 */
+	CHECK(dns_db_newversion(db, &ver));
+
+	/*
+	 * Get the current database SOA serial number.
+	 */
+	CHECK(dns_db_getsoaserial(db, ver, &db_serial));
+
+	/*
+	 * Locate a journal entry for the current database serial.
+	 */
+	CHECK(journal_find(j, db_serial, &pos));
+	/*
+	 * XXX do more drastic things, like marking zone stale,
+	 * if this fails?
+	 */
+	/*
+	 * XXXRTH  The zone code should probably mark the zone as bad and
+	 *         scream loudly into the log if this is a dynamic update
+	 *	   log reply that failed.
+	 */
+
+	end_serial = dns_journal_last_serial(j);
+	if (db_serial == end_serial)
+		CHECK(DNS_R_UPTODATE);
+
+	CHECK(dns_journal_iter_init(j, db_serial, end_serial));
+
+	for (result = dns_journal_first_rr(j);
+	     result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(j))
+	{
+		dns_name_t *name;
+		uint32_t ttl;
+		dns_rdata_t *rdata;
+		dns_difftuple_t *tuple = NULL;
+
+		name = NULL;
+		rdata = NULL;
+		dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa) {
+			n_soa++;
+			if (n_soa == 2)
+				db_serial = j->it.current_serial;
+		}
+
+		if (n_soa == 3)
+			n_soa = 1;
+		if (n_soa == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+					 "%s: journal file corrupt: missing "
+					 "initial SOA", j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+		if ((options & DNS_JOURNALOPT_RESIGN) != 0)
+			op = (n_soa == 1) ? DNS_DIFFOP_DELRESIGN :
+					    DNS_DIFFOP_ADDRESIGN;
+		else
+			op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
+
+		CHECK(dns_difftuple_create(diff.mctx, op, name, ttl, rdata,
+					   &tuple));
+		dns_diff_append(&diff, &tuple);
+
+		if (++n_put > 100)  {
+			isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+				      "%s: applying diff to database (%u)",
+				      j->filename, db_serial);
+			(void)dns_diff_print(&diff, NULL);
+			CHECK(dns_diff_apply(&diff, db, ver));
+			dns_diff_clear(&diff);
+			n_put = 0;
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	CHECK(result);
+
+	if (n_put != 0) {
+		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+			      "%s: applying final diff to database (%u)",
+			      j->filename, db_serial);
+		(void)dns_diff_print(&diff, NULL);
+		CHECK(dns_diff_apply(&diff, db, ver));
+		dns_diff_clear(&diff);
+	}
+
+ failure:
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, result == ISC_R_SUCCESS ?
+				    true : false);
+
+	if (source.base != NULL)
+		isc_mem_put(j->mctx, source.base, source.length);
+	if (target.base != NULL)
+		isc_mem_put(j->mctx, target.base, target.length);
+
+	dns_diff_clear(&diff);
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+isc_result_t
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
+			const char *filename)
+{
+	dns_journal_t *j;
+	isc_result_t result;
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(filename != NULL);
+
+	j = NULL;
+	result = dns_journal_open(mctx, filename, DNS_JOURNAL_READ, &j);
+	if (result == ISC_R_NOTFOUND) {
+		isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+			      "no journal file, but that's OK");
+		return (DNS_R_NOJOURNAL);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (JOURNAL_EMPTY(&j->header))
+		result = DNS_R_UPTODATE;
+	else
+		result = roll_forward(j, db, options);
+
+	dns_journal_destroy(&j);
+
+	return (result);
+}
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
+	dns_journal_t *j;
+	isc_buffer_t source;		/* Transaction data from disk */
+	isc_buffer_t target;		/* Ditto after _fromwire check */
+	uint32_t start_serial;		/* Database SOA serial */
+	uint32_t end_serial;	/* Last journal SOA serial */
+	isc_result_t result;
+	dns_diff_t diff;
+	unsigned int n_soa = 0;
+	unsigned int n_put = 0;
+
+	REQUIRE(filename != NULL);
+
+	j = NULL;
+	result = dns_journal_open(mctx, filename, DNS_JOURNAL_READ, &j);
+	if (result == ISC_R_NOTFOUND) {
+		isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
+		return (DNS_R_NOJOURNAL);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "journal open failure: %s: %s",
+			      isc_result_totext(result), filename);
+		return (result);
+	}
+
+	if (j->header.serialset)
+		fprintf(file, "Source serial = %u\n", j->header.sourceserial);
+	dns_diff_init(j->mctx, &diff);
+
+	/*
+	 * Set up empty initial buffers for unchecked and checked
+	 * wire format transaction data.  They will be reallocated
+	 * later.
+	 */
+	isc_buffer_init(&source, NULL, 0);
+	isc_buffer_init(&target, NULL, 0);
+
+	start_serial = dns_journal_first_serial(j);
+	end_serial = dns_journal_last_serial(j);
+
+	CHECK(dns_journal_iter_init(j, start_serial, end_serial));
+
+	for (result = dns_journal_first_rr(j);
+	     result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(j))
+	{
+		dns_name_t *name;
+		uint32_t ttl;
+		dns_rdata_t *rdata;
+		dns_difftuple_t *tuple = NULL;
+
+		name = NULL;
+		rdata = NULL;
+		dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa)
+			n_soa++;
+
+		if (n_soa == 3)
+			n_soa = 1;
+		if (n_soa == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal file corrupt: missing "
+				      "initial SOA", j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+		CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
+					   DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
+					   name, ttl, rdata, &tuple));
+		dns_diff_append(&diff, &tuple);
+
+		if (++n_put > 100)  {
+			result = dns_diff_print(&diff, file);
+			dns_diff_clear(&diff);
+			n_put = 0;
+			if (result != ISC_R_SUCCESS)
+				break;
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	CHECK(result);
+
+	if (n_put != 0) {
+		result = dns_diff_print(&diff, file);
+		dns_diff_clear(&diff);
+	}
+	goto cleanup;
+
+ failure:
+	isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+		      "%s: cannot print: journal file corrupt", j->filename);
+
+ cleanup:
+	if (source.base != NULL)
+		isc_mem_put(j->mctx, source.base, source.length);
+	if (target.base != NULL)
+		isc_mem_put(j->mctx, target.base, target.length);
+
+	dns_diff_clear(&diff);
+	dns_journal_destroy(&j);
+
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Miscellaneous accessors.
+ */
+uint32_t
+dns_journal_first_serial(dns_journal_t *j) {
+	return (j->header.begin.serial);
+}
+
+uint32_t
+dns_journal_last_serial(dns_journal_t *j) {
+	return (j->header.end.serial);
+}
+
+void
+dns_journal_set_sourceserial(dns_journal_t *j, uint32_t sourceserial) {
+
+	REQUIRE(j->state == JOURNAL_STATE_WRITE ||
+		j->state == JOURNAL_STATE_INLINE ||
+		j->state == JOURNAL_STATE_TRANSACTION);
+
+	j->header.sourceserial = sourceserial;
+	j->header.serialset = true;
+	if (j->state == JOURNAL_STATE_WRITE)
+		j->state = JOURNAL_STATE_INLINE;
+}
+
+bool
+dns_journal_get_sourceserial(dns_journal_t *j, uint32_t *sourceserial) {
+	REQUIRE(sourceserial != NULL);
+
+	if (!j->header.serialset)
+		return (false);
+	*sourceserial = j->header.sourceserial;
+	return (true);
+}
+
+/**************************************************************************/
+/*
+ * Iteration support.
+ *
+ * When serving an outgoing IXFR, we transmit a part the journal starting
+ * at the serial number in the IXFR request and ending at the serial
+ * number that is current when the IXFR request arrives.  The ending
+ * serial number is not necessarily at the end of the journal:
+ * the journal may grow while the IXFR is in progress, but we stop
+ * when we reach the serial number that was current when the IXFR started.
+ */
+
+static isc_result_t read_one_rr(dns_journal_t *j);
+
+/*
+ * Make sure the buffer 'b' is has at least 'size' bytes
+ * allocated, and clear it.
+ *
+ * Requires:
+ *	Either b->base is NULL, or it points to b->length bytes of memory
+ *	previously allocated by isc_mem_get().
+ */
+
+static isc_result_t
+size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
+	if (b->length < size) {
+		void *mem = isc_mem_get(mctx, size);
+		if (mem == NULL)
+			return (ISC_R_NOMEMORY);
+		if (b->base != NULL)
+			isc_mem_put(mctx, b->base, b->length);
+		b->base = mem;
+		b->length = size;
+	}
+	isc_buffer_clear(b);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j,
+		      uint32_t begin_serial, uint32_t end_serial)
+{
+	isc_result_t result;
+
+	CHECK(journal_find(j, begin_serial, &j->it.bpos));
+	INSIST(j->it.bpos.serial == begin_serial);
+
+	CHECK(journal_find(j, end_serial, &j->it.epos));
+	INSIST(j->it.epos.serial == end_serial);
+
+	result = ISC_R_SUCCESS;
+ failure:
+	j->it.result = result;
+	return (j->it.result);
+}
+
+
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j) {
+	isc_result_t result;
+
+	/*
+	 * Seek to the beginning of the first transaction we are
+	 * interested in.
+	 */
+	CHECK(journal_seek(j, j->it.bpos.offset));
+	j->it.current_serial = j->it.bpos.serial;
+
+	j->it.xsize = 0;  /* We have no transaction data yet... */
+	j->it.xpos = 0;	  /* ...and haven't used any of it. */
+
+	return (read_one_rr(j));
+
+ failure:
+	return (result);
+}
+
+static isc_result_t
+read_one_rr(dns_journal_t *j) {
+	isc_result_t result;
+
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	unsigned int rdlen;
+	uint32_t ttl;
+	journal_xhdr_t xhdr;
+	journal_rrhdr_t rrhdr;
+
+	if (j->offset > j->it.epos.offset) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: possible integer overflow",
+			      j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
+	if (j->offset == j->it.epos.offset)
+		return (ISC_R_NOMORE);
+	if (j->it.xpos == j->it.xsize) {
+		/*
+		 * We are at a transaction boundary.
+		 * Read another transaction header.
+		 */
+		CHECK(journal_read_xhdr(j, &xhdr));
+		if (xhdr.size == 0) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				      "%s: journal corrupt: empty transaction",
+				      j->filename);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+		if (xhdr.serial0 != j->it.current_serial) {
+			isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+					 "%s: journal file corrupt: "
+					 "expected serial %u, got %u",
+					 j->filename,
+					 j->it.current_serial, xhdr.serial0);
+			FAIL(ISC_R_UNEXPECTED);
+		}
+		j->it.xsize = xhdr.size;
+		j->it.xpos = 0;
+	}
+	/*
+	 * Read an RR.
+	 */
+	CHECK(journal_read_rrhdr(j, &rrhdr));
+	/*
+	 * Perform a sanity check on the journal RR size.
+	 * The smallest possible RR has a 1-byte owner name
+	 * and a 10-byte header.  The largest possible
+	 * RR has 65535 bytes of data, a header, and a maximum-
+	 * size owner name, well below 70 k total.
+	 */
+	if (rrhdr.size < 1+10 || rrhdr.size > 70000) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+				 "%s: journal corrupt: impossible RR size "
+				 "(%d bytes)", j->filename, rrhdr.size);
+		FAIL(ISC_R_UNEXPECTED);
+	}
+
+	CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
+	CHECK(journal_read(j, j->it.source.base, rrhdr.size));
+	isc_buffer_add(&j->it.source, rrhdr.size);
+
+	/*
+	 * The target buffer is made the same size
+	 * as the source buffer, with the assumption that when
+	 * no compression in present, the output of dns_*_fromwire()
+	 * is no larger than the input.
+	 */
+	CHECK(size_buffer(j->mctx, &j->it.target, rrhdr.size));
+
+	/*
+	 * Parse the owner name.  We don't know where it
+	 * ends yet, so we make the entire "remaining"
+	 * part of the buffer "active".
+	 */
+	isc_buffer_setactive(&j->it.source,
+			     j->it.source.used - j->it.source.current);
+	CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
+				&j->it.dctx, 0, &j->it.target));
+
+	/*
+	 * Check that the RR header is there, and parse it.
+	 */
+	if (isc_buffer_remaininglength(&j->it.source) < 10)
+		FAIL(DNS_R_FORMERR);
+
+	rdtype = isc_buffer_getuint16(&j->it.source);
+	rdclass = isc_buffer_getuint16(&j->it.source);
+	ttl = isc_buffer_getuint32(&j->it.source);
+	rdlen = isc_buffer_getuint16(&j->it.source);
+
+	/*
+	 * Parse the rdata.
+	 */
+	if (isc_buffer_remaininglength(&j->it.source) != rdlen)
+		FAIL(DNS_R_FORMERR);
+	isc_buffer_setactive(&j->it.source, rdlen);
+	dns_rdata_reset(&j->it.rdata);
+	CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
+				 rdtype, &j->it.source, &j->it.dctx,
+				 0, &j->it.target));
+	j->it.ttl = ttl;
+
+	j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
+	if (rdtype == dns_rdatatype_soa) {
+		/* XXX could do additional consistency checks here */
+		j->it.current_serial = dns_soa_getserial(&j->it.rdata);
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	j->it.result = result;
+	return (result);
+}
+
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j) {
+	j->it.result = read_one_rr(j);
+	return (j->it.result);
+}
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, uint32_t *ttl,
+		   dns_rdata_t **rdata)
+{
+	REQUIRE(j->it.result == ISC_R_SUCCESS);
+	*name = &j->it.name;
+	*ttl = j->it.ttl;
+	*rdata = &j->it.rdata;
+}
+
+/**************************************************************************/
+/*
+ * Generating diffs from databases
+ */
+
+/*
+ * Construct a diff containing all the RRs at the current name of the
+ * database iterator 'dbit' in database 'db', version 'ver'.
+ * Set '*name' to the current name, and append the diff to 'diff'.
+ * All new tuples will have the operation 'op'.
+ *
+ * Requires: 'name' must have buffer large enough to hold the name.
+ * Typically, a dns_fixedname_t would be used.
+ */
+static isc_result_t
+get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
+	      dns_dbiterator_t *dbit, dns_name_t *name, dns_diffop_t op,
+	      dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *rdsiter = NULL;
+	dns_difftuple_t *tuple = NULL;
+
+	result = dns_dbiterator_current(dbit, &node, name);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_allrdatasets(db, node, ver, now, &rdsiter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdataset_t rdataset;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_difftuple_create(diff->mctx, op, name,
+						      rdataset.ttl, &rdata,
+						      &tuple);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdataset_disassociate(&rdataset);
+				goto cleanup_iterator;
+			}
+			dns_diff_append(diff, &tuple);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE)
+			goto cleanup_iterator;
+	}
+	if (result != ISC_R_NOMORE)
+		goto cleanup_iterator;
+
+	result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+	dns_rdatasetiter_destroy(&rdsiter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*
+ * Comparison function for use by dns_diff_subtract when sorting
+ * the diffs to be subtracted.  The sort keys are the rdata type
+ * and the rdata itself.  The owner name is ignored, because
+ * it is known to be the same for all tuples.
+ */
+static int
+rdata_order(const void *av, const void *bv) {
+	dns_difftuple_t const * const *ap = av;
+	dns_difftuple_t const * const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	r = (b->rdata.type - a->rdata.type);
+	if (r != 0)
+		return (r);
+	r = dns_rdata_compare(&a->rdata, &b->rdata);
+	return (r);
+}
+
+static isc_result_t
+dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
+	isc_result_t result;
+	dns_difftuple_t *p[2];
+	int i, t;
+	bool append;
+
+	CHECK(dns_diff_sort(&diff[0], rdata_order));
+	CHECK(dns_diff_sort(&diff[1], rdata_order));
+
+	for (;;) {
+		p[0] = ISC_LIST_HEAD(diff[0].tuples);
+		p[1] = ISC_LIST_HEAD(diff[1].tuples);
+		if (p[0] == NULL && p[1] == NULL)
+			break;
+
+		for (i = 0; i < 2; i++)
+			if (p[!i] == NULL) {
+				ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+				ISC_LIST_APPEND(r->tuples, p[i], link);
+				goto next;
+			}
+		t = rdata_order(&p[0], &p[1]);
+		if (t < 0) {
+			ISC_LIST_UNLINK(diff[0].tuples, p[0], link);
+			ISC_LIST_APPEND(r->tuples, p[0], link);
+			goto next;
+		}
+		if (t > 0) {
+			ISC_LIST_UNLINK(diff[1].tuples, p[1], link);
+			ISC_LIST_APPEND(r->tuples, p[1], link);
+			goto next;
+		}
+		INSIST(t == 0);
+		/*
+		 * Identical RRs in both databases; skip them both
+		 * if the ttl differs.
+		 */
+		append = (p[0]->ttl != p[1]->ttl);
+		for (i = 0; i < 2; i++) {
+			ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+			if (append) {
+				ISC_LIST_APPEND(r->tuples, p[i], link);
+			} else {
+				dns_difftuple_free(&p[i]);
+			}
+		}
+	next: ;
+	}
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+diff_namespace(dns_db_t *dba, dns_dbversion_t *dbvera,
+	       dns_db_t *dbb, dns_dbversion_t *dbverb,
+	       unsigned int options, dns_diff_t *resultdiff)
+{
+	dns_db_t *db[2];
+	dns_dbversion_t *ver[2];
+	dns_dbiterator_t *dbit[2] = { NULL, NULL };
+	bool have[2] = { false, false };
+	dns_fixedname_t fixname[2];
+	isc_result_t result, itresult[2];
+	dns_diff_t diff[2];
+	int i, t;
+
+	db[0] = dba, db[1] = dbb;
+	ver[0] = dbvera, ver[1] = dbverb;
+
+	dns_diff_init(resultdiff->mctx, &diff[0]);
+	dns_diff_init(resultdiff->mctx, &diff[1]);
+
+	dns_fixedname_init(&fixname[0]);
+	dns_fixedname_init(&fixname[1]);
+
+	result = dns_db_createiterator(db[0], options, &dbit[0]);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_db_createiterator(db[1], options, &dbit[1]);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_iterator;
+
+	itresult[0] = dns_dbiterator_first(dbit[0]);
+	itresult[1] = dns_dbiterator_first(dbit[1]);
+
+	for (;;) {
+		for (i = 0; i < 2; i++) {
+			if (! have[i] && itresult[i] == ISC_R_SUCCESS) {
+				CHECK(get_name_diff(db[i], ver[i], 0, dbit[i],
+					    dns_fixedname_name(&fixname[i]),
+					    i == 0 ?
+					    DNS_DIFFOP_ADD :
+					    DNS_DIFFOP_DEL,
+					    &diff[i]));
+				itresult[i] = dns_dbiterator_next(dbit[i]);
+				have[i] = true;
+			}
+		}
+
+		if (! have[0] && ! have[1]) {
+			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+			break;
+		}
+
+		for (i = 0; i < 2; i++) {
+			if (! have[!i]) {
+				ISC_LIST_APPENDLIST(resultdiff->tuples,
+						    diff[i].tuples, link);
+				INSIST(ISC_LIST_EMPTY(diff[i].tuples));
+				have[i] = false;
+				goto next;
+			}
+		}
+
+		t = dns_name_compare(dns_fixedname_name(&fixname[0]),
+				     dns_fixedname_name(&fixname[1]));
+		if (t < 0) {
+			ISC_LIST_APPENDLIST(resultdiff->tuples,
+					    diff[0].tuples, link);
+			INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+			have[0] = false;
+			continue;
+		}
+		if (t > 0) {
+			ISC_LIST_APPENDLIST(resultdiff->tuples,
+					    diff[1].tuples, link);
+			INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+			have[1] = false;
+			continue;
+		}
+		INSIST(t == 0);
+		CHECK(dns_diff_subtract(diff, resultdiff));
+		INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+		INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+		have[0] = have[1] = false;
+	next: ;
+	}
+	if (itresult[0] != ISC_R_NOMORE)
+		FAIL(itresult[0]);
+	if (itresult[1] != ISC_R_NOMORE)
+		FAIL(itresult[1]);
+
+	INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+	INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+
+ failure:
+	dns_dbiterator_destroy(&dbit[1]);
+
+ cleanup_iterator:
+	dns_dbiterator_destroy(&dbit[0]);
+	dns_diff_clear(&diff[0]);
+	dns_diff_clear(&diff[1]);
+	return (result);
+}
+
+/*
+ * Compare the databases 'dba' and 'dbb' and generate a journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order).  This journal entry will consist of a single,
+ * possibly very large transaction.
+ */
+isc_result_t
+dns_db_diff(isc_mem_t *mctx, dns_db_t *dba, dns_dbversion_t *dbvera,
+	    dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename)
+{
+	isc_result_t result;
+	dns_diff_t diff;
+
+	dns_diff_init(mctx, &diff);
+
+	result = dns_db_diffx(&diff, dba, dbvera, dbb, dbverb, filename);
+
+	dns_diff_clear(&diff);
+
+	return (result);
+}
+
+isc_result_t
+dns_db_diffx(dns_diff_t *diff, dns_db_t *dba, dns_dbversion_t *dbvera,
+	     dns_db_t *dbb, dns_dbversion_t *dbverb, const char *filename)
+{
+	isc_result_t result;
+	dns_journal_t *journal = NULL;
+
+	if (filename != NULL) {
+		result = dns_journal_open(diff->mctx, filename,
+					  DNS_JOURNAL_CREATE, &journal);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NONSEC3, diff));
+	CHECK(diff_namespace(dba, dbvera, dbb, dbverb, DNS_DB_NSEC3ONLY, diff));
+
+	if (journal != NULL) {
+		if (ISC_LIST_EMPTY(diff->tuples))
+			isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no changes");
+		else
+			CHECK(dns_journal_write_transaction(journal, diff));
+	}
+
+ failure:
+	if (journal != NULL)
+		dns_journal_destroy(&journal);
+	return (result);
+}
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, uint32_t serial,
+		    uint32_t target_size)
+{
+	unsigned int i;
+	journal_pos_t best_guess;
+	journal_pos_t current_pos;
+	dns_journal_t *j1 = NULL;
+	dns_journal_t *j2 = NULL;
+	journal_rawheader_t rawheader;
+	unsigned int copy_length;
+	size_t namelen;
+	char *buf = NULL;
+	unsigned int size = 0;
+	isc_result_t result;
+	unsigned int indexend;
+	char newname[1024];
+	char backup[1024];
+	bool is_backup = false;
+
+	REQUIRE(filename != NULL);
+
+	namelen = strlen(filename);
+	if (namelen > 4U && strcmp(filename + namelen - 4, ".jnl") == 0)
+		namelen -= 4;
+
+	result = isc_string_printf(newname, sizeof(newname), "%.*s.jnw",
+				   (int)namelen, filename);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_string_printf(backup, sizeof(backup), "%.*s.jbk",
+				   (int)namelen, filename);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = journal_open(mctx, filename, false, false, &j1);
+	if (result == ISC_R_NOTFOUND) {
+		is_backup = true;
+		result = journal_open(mctx, backup, false, false, &j1);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (JOURNAL_EMPTY(&j1->header)) {
+		dns_journal_destroy(&j1);
+		return (ISC_R_SUCCESS);
+	}
+
+	if (DNS_SERIAL_GT(j1->header.begin.serial, serial) ||
+	    DNS_SERIAL_GT(serial, j1->header.end.serial)) {
+		dns_journal_destroy(&j1);
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * Cope with very small target sizes.
+	 */
+	indexend = sizeof(journal_rawheader_t) +
+		   j1->header.index_size * sizeof(journal_rawpos_t);
+	if (target_size < indexend * 2)
+		target_size = target_size/2 + indexend;
+
+	/*
+	 * See if there is any work to do.
+	 */
+	if ((uint32_t) j1->header.end.offset < target_size) {
+		dns_journal_destroy(&j1);
+		return (ISC_R_SUCCESS);
+	}
+
+	CHECK(journal_open(mctx, newname, true, true, &j2));
+
+	/*
+	 * Remove overhead so space test below can succeed.
+	 */
+	if (target_size >= indexend)
+		target_size -= indexend;
+
+	/*
+	 * Find if we can create enough free space.
+	 */
+	best_guess = j1->header.begin;
+	for (i = 0; i < j1->header.index_size; i++) {
+		if (POS_VALID(j1->index[i]) &&
+		    DNS_SERIAL_GE(serial, j1->index[i].serial) &&
+		    ((uint32_t)(j1->header.end.offset - j1->index[i].offset)
+		     >= target_size / 2) &&
+		    j1->index[i].offset > best_guess.offset)
+			best_guess = j1->index[i];
+	}
+
+	current_pos = best_guess;
+	while (current_pos.serial != serial) {
+		CHECK(journal_next(j1, &current_pos));
+		if (current_pos.serial == j1->header.end.serial)
+			break;
+
+		if (DNS_SERIAL_GE(serial, current_pos.serial) &&
+		   ((uint32_t)(j1->header.end.offset - current_pos.offset)
+		     >= (target_size / 2)) &&
+		    current_pos.offset > best_guess.offset)
+			best_guess = current_pos;
+		else
+			break;
+	}
+
+	INSIST(best_guess.serial != j1->header.end.serial);
+	if (best_guess.serial != serial)
+		CHECK(journal_next(j1, &best_guess));
+
+	/*
+	 * We should now be roughly half target_size provided
+	 * we did not reach 'serial'.  If not we will just copy
+	 * all uncommitted deltas regardless of the size.
+	 */
+	copy_length = j1->header.end.offset - best_guess.offset;
+
+	if (copy_length != 0) {
+		/*
+		 * Copy best_guess to end into space just freed.
+		 */
+		size = 64*1024;
+		if (copy_length < size)
+			size = copy_length;
+		buf = isc_mem_get(mctx, size);
+		if (buf == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+
+		CHECK(journal_seek(j1, best_guess.offset));
+		CHECK(journal_seek(j2, indexend));
+		for (i = 0; i < copy_length; i += size) {
+			unsigned int len = (copy_length - i) > size ? size :
+							 (copy_length - i);
+			CHECK(journal_read(j1, buf, len));
+			CHECK(journal_write(j2, buf, len));
+		}
+
+		CHECK(journal_fsync(j2));
+
+		/*
+		 * Compute new header.
+		 */
+		j2->header.begin.serial = best_guess.serial;
+		j2->header.begin.offset = indexend;
+		j2->header.end.serial = j1->header.end.serial;
+		j2->header.end.offset = indexend + copy_length;
+		j2->header.sourceserial = j1->header.sourceserial;
+		j2->header.serialset = j1->header.serialset;
+
+		/*
+		 * Update the journal header.
+		 */
+		journal_header_encode(&j2->header, &rawheader);
+		CHECK(journal_seek(j2, 0));
+		CHECK(journal_write(j2, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j2));
+
+		/*
+		 * Build new index.
+		 */
+		current_pos = j2->header.begin;
+		while (current_pos.serial != j2->header.end.serial) {
+			index_add(j2, &current_pos);
+			CHECK(journal_next(j2, &current_pos));
+		}
+
+		/*
+		 * Write index.
+		 */
+		CHECK(index_to_disk(j2));
+		CHECK(journal_fsync(j2));
+
+		indexend = j2->header.end.offset;
+		POST(indexend);
+	}
+
+	/*
+	 * Close both journals before trying to rename files (this is
+	 * necessary on WIN32).
+	 */
+	dns_journal_destroy(&j1);
+	dns_journal_destroy(&j2);
+
+	/*
+	 * With a UFS file system this should just succeed and be atomic.
+	 * Any IXFR outs will just continue and the old journal will be
+	 * removed on final close.
+	 *
+	 * With MSDOS / NTFS we need to do a two stage rename, triggered
+	 * by EEXIST.  (If any IXFR's are running in other threads, however,
+	 * this will fail, and the journal will not be compacted.  But
+	 * if so, hopefully they'll be finished by the next time we
+	 * compact.)
+	 */
+	if (rename(newname, filename) == -1) {
+		if (errno == EEXIST && !is_backup) {
+			result = isc_file_remove(backup);
+			if (result != ISC_R_SUCCESS &&
+			    result != ISC_R_FILENOTFOUND)
+				goto failure;
+			if (rename(filename, backup) == -1)
+				goto maperrno;
+			if (rename(newname, filename) == -1)
+				goto maperrno;
+			(void)isc_file_remove(backup);
+		} else {
+ maperrno:
+			result = ISC_R_FAILURE;
+			goto failure;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	(void)isc_file_remove(newname);
+	if (buf != NULL)
+		isc_mem_put(mctx, buf, size);
+	if (j1 != NULL)
+		dns_journal_destroy(&j1);
+	if (j2 != NULL)
+		dns_journal_destroy(&j2);
+	return (result);
+}
+
+static isc_result_t
+index_to_disk(dns_journal_t *j) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (j->header.index_size != 0) {
+		unsigned int i;
+		unsigned char *p;
+		unsigned int rawbytes;
+
+		rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+
+		p = j->rawindex;
+		for (i = 0; i < j->header.index_size; i++) {
+			encode_uint32(j->index[i].serial, p);
+			p += 4;
+			encode_uint32(j->index[i].offset, p);
+			p += 4;
+		}
+		INSIST(p == j->rawindex + rawbytes);
+
+		CHECK(journal_seek(j, sizeof(journal_rawheader_t)));
+		CHECK(journal_write(j, j->rawindex, rawbytes));
+	}
+failure:
+	return (result);
+}
diff --git a/lib/dns/key.c b/lib/dns/key.c
new file mode 100644
index 0000000..16dadf8
--- /dev/null
+++ b/lib/dns/key.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stddef.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/dst.h>
+
+#include "dst_internal.h"
+
+uint16_t
+dst_region_computeid(const isc_region_t *source, unsigned int alg) {
+	uint32_t ac;
+	const unsigned char *p;
+	int size;
+
+	REQUIRE(source != NULL);
+	REQUIRE(source->length >= 4);
+
+	p = source->base;
+	size = source->length;
+
+	if (alg == DST_ALG_RSAMD5)
+		return ((p[size - 3] << 8) + p[size - 2]);
+
+	for (ac = 0; size > 1; size -= 2, p += 2)
+		ac += ((*p) << 8) + *(p + 1);
+
+	if (size > 0)
+		ac += ((*p) << 8);
+	ac += (ac >> 16) & 0xffff;
+
+	return ((uint16_t)(ac & 0xffff));
+}
+
+uint16_t
+dst_region_computerid(const isc_region_t *source, unsigned int alg) {
+	uint32_t ac;
+	const unsigned char *p;
+	int size;
+
+	REQUIRE(source != NULL);
+	REQUIRE(source->length >= 4);
+
+	p = source->base;
+	size = source->length;
+
+	if (alg == DST_ALG_RSAMD5)
+		return ((p[size - 3] << 8) + p[size - 2]);
+
+	ac = ((*p) << 8) + *(p + 1);
+	ac |= DNS_KEYFLAG_REVOKE;
+	for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
+		ac += ((*p) << 8) + *(p + 1);
+
+	if (size > 0)
+		ac += ((*p) << 8);
+	ac += (ac >> 16) & 0xffff;
+
+	return ((uint16_t)(ac & 0xffff));
+}
+
+dns_name_t *
+dst_key_name(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_name);
+}
+
+unsigned int
+dst_key_size(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_size);
+}
+
+unsigned int
+dst_key_proto(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_proto);
+}
+
+unsigned int
+dst_key_alg(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_alg);
+}
+
+uint32_t
+dst_key_flags(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_flags);
+}
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_id);
+}
+
+dns_keytag_t
+dst_key_rid(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_rid);
+}
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_class);
+}
+
+bool
+dst_key_iszonekey(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0)
+		return (false);
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		return (false);
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+		return (false);
+	return (true);
+}
+
+bool
+dst_key_isnullkey(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+
+	if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
+		return (false);
+	if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		return (false);
+	if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+	    key->key_proto != DNS_KEYPROTO_ANY)
+		return (false);
+	return (true);
+}
+
+void
+dst_key_setbits(dst_key_t *key, uint16_t bits) {
+	unsigned int maxbits;
+	REQUIRE(VALID_KEY(key));
+	if (bits != 0) {
+		RUNTIME_CHECK(dst_key_sigsize(key, &maxbits) == ISC_R_SUCCESS);
+		maxbits *= 8;
+		REQUIRE(bits <= maxbits);
+	}
+	key->key_bits = bits;
+}
+
+uint16_t
+dst_key_getbits(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_bits);
+}
+
+void
+dst_key_setttl(dst_key_t *key, dns_ttl_t ttl) {
+	REQUIRE(VALID_KEY(key));
+	key->key_ttl = ttl;
+}
+
+dns_ttl_t
+dst_key_getttl(const dst_key_t *key) {
+	REQUIRE(VALID_KEY(key));
+	return (key->key_ttl);
+}
+
+/*! \file */
diff --git a/lib/dns/keydata.c b/lib/dns/keydata.c
new file mode 100644
index 0000000..135d968
--- /dev/null
+++ b/lib/dns/keydata.c
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/keydata.h>
+
+isc_result_t
+dns_keydata_todnskey(dns_rdata_keydata_t *keydata,
+		     dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
+{
+	REQUIRE(keydata != NULL && dnskey != NULL);
+
+	dnskey->common.rdtype = dns_rdatatype_dnskey;
+	dnskey->common.rdclass = keydata->common.rdclass;
+	dnskey->mctx = mctx;
+	dnskey->flags = keydata->flags;
+	dnskey->protocol = keydata->protocol;
+	dnskey->algorithm = keydata->algorithm;
+
+	dnskey->datalen = keydata->datalen;
+
+	if (mctx == NULL)
+		dnskey->data = keydata->data;
+	else {
+		dnskey->data = isc_mem_allocate(mctx, dnskey->datalen);
+		if (dnskey->data == NULL)
+			return (ISC_R_NOMEMORY);
+		memmove(dnskey->data, keydata->data, dnskey->datalen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keydata_fromdnskey(dns_rdata_keydata_t *keydata,
+		       dns_rdata_dnskey_t *dnskey,
+		       uint32_t refresh, uint32_t addhd,
+		       uint32_t removehd, isc_mem_t *mctx)
+{
+	REQUIRE(keydata != NULL && dnskey != NULL);
+
+	keydata->common.rdtype = dns_rdatatype_keydata;
+	keydata->common.rdclass = dnskey->common.rdclass;
+	keydata->mctx = mctx;
+	keydata->refresh = refresh;
+	keydata->addhd = addhd;
+	keydata->removehd = removehd;
+	keydata->flags = dnskey->flags;
+	keydata->protocol = dnskey->protocol;
+	keydata->algorithm = dnskey->algorithm;
+
+	keydata->datalen = dnskey->datalen;
+	if (mctx == NULL)
+		keydata->data = dnskey->data;
+	else {
+		keydata->data = isc_mem_allocate(mctx, keydata->datalen);
+		if (keydata->data == NULL)
+			return (ISC_R_NOMEMORY);
+		memmove(keydata->data, dnskey->data, keydata->datalen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
new file mode 100644
index 0000000..57b8608
--- /dev/null
+++ b/lib/dns/keytable.c
@@ -0,0 +1,768 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/keytable.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#define KEYTABLE_MAGIC                  ISC_MAGIC('K', 'T', 'b', 'l')
+#define VALID_KEYTABLE(kt)              ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
+
+#define KEYNODE_MAGIC                   ISC_MAGIC('K', 'N', 'o', 'd')
+#define VALID_KEYNODE(kn)               ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
+
+struct dns_keytable {
+	/* Unlocked. */
+	unsigned int            magic;
+	isc_mem_t               *mctx;
+	isc_refcount_t          active_nodes;
+	isc_refcount_t          references;
+	isc_rwlock_t            rwlock;
+	/* Locked by rwlock. */
+	dns_rbt_t               *table;
+};
+
+struct dns_keynode {
+	unsigned int            magic;
+	isc_refcount_t          refcount;
+	dst_key_t *             key;
+	bool           managed;
+	struct dns_keynode *    next;
+};
+
+static void
+free_keynode(void *node, void *arg) {
+	dns_keynode_t *keynode = node;
+	isc_mem_t *mctx = arg;
+
+	dns_keynode_detachall(mctx, &keynode);
+}
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
+	dns_keytable_t *keytable;
+	isc_result_t result;
+
+	/*
+	 * Create a keytable.
+	 */
+
+	REQUIRE(keytablep != NULL && *keytablep == NULL);
+
+	keytable = isc_mem_get(mctx, sizeof(*keytable));
+	if (keytable == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	keytable->table = NULL;
+	result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_keytable;
+	}
+
+	result = isc_rwlock_init(&keytable->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_rbt;
+	}
+
+	result = isc_refcount_init(&keytable->active_nodes, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_rwlock;
+	}
+
+	result = isc_refcount_init(&keytable->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_active_nodes;
+	}
+
+	keytable->mctx = NULL;
+	isc_mem_attach(mctx, &keytable->mctx);
+	keytable->magic = KEYTABLE_MAGIC;
+	*keytablep = keytable;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_active_nodes:
+	isc_refcount_destroy(&keytable->active_nodes);
+
+ cleanup_rwlock:
+	isc_rwlock_destroy(&keytable->rwlock);
+
+ cleanup_rbt:
+	dns_rbt_destroy(&keytable->table);
+
+ cleanup_keytable:
+	isc_mem_putanddetach(&mctx, keytable, sizeof(*keytable));
+
+	return (result);
+}
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
+
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references, NULL);
+
+	*targetp = source;
+}
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep) {
+	dns_keytable_t *keytable;
+	unsigned int refs;
+
+	/*
+	 * Detach *keytablep from its keytable.
+	 */
+
+	REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
+
+	keytable = *keytablep;
+	*keytablep = NULL;
+
+	isc_refcount_decrement(&keytable->references, &refs);
+	if (refs == 0) {
+		INSIST(isc_refcount_current(&keytable->active_nodes) == 0);
+		isc_refcount_destroy(&keytable->active_nodes);
+		isc_refcount_destroy(&keytable->references);
+		dns_rbt_destroy(&keytable->table);
+		isc_rwlock_destroy(&keytable->rwlock);
+		keytable->magic = 0;
+		isc_mem_putanddetach(&keytable->mctx,
+				     keytable, sizeof(*keytable));
+	}
+}
+
+static isc_result_t
+insert(dns_keytable_t *keytable, bool managed,
+       dns_name_t *keyname, dst_key_t **keyp)
+{
+	isc_result_t result;
+	dns_keynode_t *knode = NULL;
+	dns_rbtnode_t *node;
+
+	REQUIRE(keyp == NULL || *keyp != NULL);
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	result = dns_keynode_create(keytable->mctx, &knode);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	knode->managed = managed;
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	node = NULL;
+	result = dns_rbt_addnode(keytable->table, keyname, &node);
+
+	if (keyp != NULL) {
+		if (result == ISC_R_EXISTS) {
+			/* Key already in table? */
+			dns_keynode_t *k;
+			for (k = node->data; k != NULL; k = k->next) {
+				if (k->key == NULL) {
+					k->key = *keyp;
+					*keyp = NULL; /* transfer ownership */
+					break;
+				}
+				if (dst_key_compare(k->key, *keyp) == true)
+					break;
+			}
+
+			if (k == NULL)
+				result = ISC_R_SUCCESS;
+			else if (*keyp != NULL)
+				dst_key_free(keyp);
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			knode->key = *keyp;
+			knode->next = node->data;
+			*keyp = NULL;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		node->data = knode;
+		knode = NULL;
+	}
+
+	/* Key was already there?  That's the same as a success */
+	if (result == ISC_R_EXISTS)
+		result = ISC_R_SUCCESS;
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	if (knode != NULL)
+		dns_keynode_detach(keytable->mctx, &knode);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, bool managed,
+		 dst_key_t **keyp)
+{
+	REQUIRE(keyp != NULL && *keyp != NULL);
+	return (insert(keytable, managed, dst_key_name(*keyp), keyp));
+}
+
+isc_result_t
+dns_keytable_marksecure(dns_keytable_t *keytable, dns_name_t *name) {
+	return (insert(keytable, true, name, NULL));
+}
+
+isc_result_t
+dns_keytable_delete(dns_keytable_t *keytable, dns_name_t *keyname) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keyname != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL)
+			result = dns_rbt_deletenode(keytable->table,
+						    node, false);
+		else
+			result = ISC_R_NOTFOUND;
+	} else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_deletekeynode(dns_keytable_t *keytable, dst_key_t *dstkey) {
+	isc_result_t result;
+	dns_name_t *keyname;
+	dns_rbtnode_t *node = NULL;
+	dns_keynode_t *knode = NULL, **kprev = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dstkey != NULL);
+
+	keyname = dst_key_name(dstkey);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+	if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+	if (result != ISC_R_SUCCESS)
+		goto finish;
+
+	if (node->data == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto finish;
+	}
+
+	knode = node->data;
+	if (knode->next == NULL && knode->key != NULL &&
+	    dst_key_compare(knode->key, dstkey) == true)
+	{
+		result = dns_rbt_deletenode(keytable->table, node, false);
+		goto finish;
+	}
+
+	kprev = (dns_keynode_t **) &node->data;
+	while (knode != NULL) {
+		if (knode->key != NULL &&
+		    dst_key_compare(knode->key, dstkey) == true)
+			break;
+		kprev = &knode->next;
+		knode = knode->next;
+	}
+
+	if (knode != NULL) {
+		if (knode->key != NULL)
+			dst_key_free(&knode->key);
+		/*
+		 * This is equivalent to:
+		 * dns_keynode_attach(knode->next, &tmp);
+		 * dns_keynode_detach(kprev);
+		 * dns_keynode_attach(tmp, &kprev);
+		 * dns_keynode_detach(&tmp);
+		 */
+		*kprev = knode->next;
+		knode->next = NULL;
+		dns_keynode_detach(keytable->mctx, &knode);
+	} else
+		result = DNS_R_PARTIALMATCH;
+  finish:
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+isc_result_t
+dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
+		  dns_keynode_t **keynodep)
+{
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keyname != NULL);
+	REQUIRE(keynodep != NULL && *keynodep == NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	result = dns_rbt_findnode(keytable->table, keyname, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL) {
+			isc_refcount_increment0(&keytable->active_nodes, NULL);
+			dns_keynode_attach(node->data, keynodep);
+		} else
+			result = ISC_R_NOTFOUND;
+	} else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+			 dns_keynode_t **nextnodep)
+{
+	/*
+	 * Return the next key after 'keynode', regardless of
+	 * properties.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(VALID_KEYNODE(keynode));
+	REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+	if (keynode->next == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_keynode_attach(keynode->next, nextnodep);
+	isc_refcount_increment(&keytable->active_nodes, NULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
+			 dns_secalg_t algorithm, dns_keytag_t tag,
+			 dns_keynode_t **keynodep)
+{
+	isc_result_t result;
+	dns_keynode_t *knode;
+	void *data;
+
+	/*
+	 * Search for a key named 'name', matching 'algorithm' and 'tag' in
+	 * 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(keynodep != NULL && *keynodep == NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	/*
+	 * Note we don't want the DNS_R_PARTIALMATCH from dns_rbt_findname()
+	 * as that indicates that 'name' was not found.
+	 *
+	 * DNS_R_PARTIALMATCH indicates that the name was found but we
+	 * didn't get a match on algorithm and key id arguments.
+	 */
+	knode = NULL;
+	data = NULL;
+	result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
+
+	if (result == ISC_R_SUCCESS) {
+		INSIST(data != NULL);
+		for (knode = data; knode != NULL; knode = knode->next) {
+			if (knode->key == NULL) {
+				knode = NULL;
+				break;
+			}
+			if (algorithm == dst_key_alg(knode->key)
+			    && tag == dst_key_id(knode->key))
+				break;
+		}
+		if (knode != NULL) {
+			isc_refcount_increment0(&keytable->active_nodes, NULL);
+			dns_keynode_attach(knode, keynodep);
+		} else
+			result = DNS_R_PARTIALMATCH;
+	} else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+			     dns_keynode_t **nextnodep)
+{
+	isc_result_t result;
+	dns_keynode_t *knode;
+
+	/*
+	 * Search for the next key with the same properties as 'keynode' in
+	 * 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(VALID_KEYNODE(keynode));
+	REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+	for (knode = keynode->next; knode != NULL; knode = knode->next) {
+		if (knode->key == NULL) {
+			knode = NULL;
+			break;
+		}
+		if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
+		    dst_key_id(keynode->key) == dst_key_id(knode->key))
+			break;
+	}
+	if (knode != NULL) {
+		isc_refcount_increment(&keytable->active_nodes, NULL);
+		result = ISC_R_SUCCESS;
+		dns_keynode_attach(knode, nextnodep);
+	} else
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+			      dns_name_t *foundname)
+{
+	isc_result_t result;
+	void *data;
+
+	/*
+	 * Search for the deepest match in 'keytable'.
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(foundname != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	data = NULL;
+	result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		result = ISC_R_SUCCESS;
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
+			   dns_keynode_t **target)
+{
+	/*
+	 * Give back a keynode found via dns_keytable_findkeynode().
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(VALID_KEYNODE(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_refcount_increment(&keytable->active_nodes, NULL);
+
+	dns_keynode_attach(source, target);
+}
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
+{
+	/*
+	 * Give back a keynode found via dns_keytable_findkeynode().
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
+
+	isc_refcount_decrement(&keytable->active_nodes, NULL);
+	dns_keynode_detach(keytable->mctx, keynodep);
+}
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
+			    dns_name_t *foundname, bool *wantdnssecp)
+{
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Is 'name' at or beneath a trusted key?
+	 */
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(wantdnssecp != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findnode(keytable->table, name, foundname, &node,
+				  NULL, DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		INSIST(node->data != NULL);
+		*wantdnssecp = true;
+		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_NOTFOUND) {
+		*wantdnssecp = false;
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keytable_dump(dns_keytable_t *keytable, FILE *fp) {
+	isc_result_t result;
+	isc_buffer_t *text = NULL;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(fp != NULL);
+
+	result = isc_buffer_allocate(keytable->mctx, &text, 4096);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_keytable_totext(keytable, &text);
+
+	if (isc_buffer_usedlength(text) != 0) {
+		(void) putstr(&text, "\n");
+	} else if (result == ISC_R_SUCCESS)
+		(void) putstr(&text, "none");
+	else {
+		(void) putstr(&text, "could not dump key table: ");
+		(void) putstr(&text, isc_result_totext(result));
+	}
+
+	fprintf(fp, "%.*s", (int) isc_buffer_usedlength(text),
+		(char *) isc_buffer_base(text));
+
+	isc_buffer_free(&text);
+	return (result);
+}
+
+isc_result_t
+dns_keytable_totext(dns_keytable_t *keytable, isc_buffer_t **text) {
+	isc_result_t result;
+	dns_keynode_t *knode;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+	REQUIRE(text != NULL && *text != NULL);
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, keytable->mctx);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	for (;;) {
+		char pbuf[DST_KEY_FORMATSIZE];
+
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		for (knode = node->data; knode != NULL; knode = knode->next) {
+			char obuf[DNS_NAME_FORMATSIZE + 200];
+			if (knode->key == NULL)
+				continue;
+			dst_key_format(knode->key, pbuf, sizeof(pbuf));
+			snprintf(obuf, sizeof(obuf), "%s ; %s\n", pbuf,
+				knode->managed ? "managed" : "trusted");
+			result = putstr(text, obuf);
+			if (result != ISC_R_SUCCESS)
+				break;
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+isc_result_t
+dns_keytable_forall(dns_keytable_t *keytable,
+		    void (*func)(dns_keytable_t *, dns_keynode_t *, void *),
+		    void *arg)
+{
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+
+	REQUIRE(VALID_KEYTABLE(keytable));
+
+	RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, keytable->mctx);
+	result = dns_rbtnodechain_first(&chain, keytable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	isc_refcount_increment0(&keytable->active_nodes, NULL);
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL)
+			(*func)(keytable, node->data, arg);
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+	isc_refcount_decrement(&keytable->active_nodes, NULL);
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+dst_key_t *
+dns_keynode_key(dns_keynode_t *keynode) {
+
+	/*
+	 * Get the DST key associated with keynode.
+	 */
+
+	REQUIRE(VALID_KEYNODE(keynode));
+
+	return (keynode->key);
+}
+
+bool
+dns_keynode_managed(dns_keynode_t *keynode) {
+	/*
+	 * Is this a managed key?
+	 */
+	REQUIRE(VALID_KEYNODE(keynode));
+
+	return (keynode->managed);
+}
+
+isc_result_t
+dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
+	isc_result_t result;
+	dns_keynode_t *knode;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	knode = isc_mem_get(mctx, sizeof(dns_keynode_t));
+	if (knode == NULL)
+		return (ISC_R_NOMEMORY);
+
+	knode->magic = KEYNODE_MAGIC;
+	knode->managed = false;
+	knode->key = NULL;
+	knode->next = NULL;
+
+	result = isc_refcount_init(&knode->refcount, 1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	*target = knode;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_keynode_attach(dns_keynode_t *source, dns_keynode_t **target) {
+	REQUIRE(VALID_KEYNODE(source));
+	isc_refcount_increment(&source->refcount, NULL);
+	*target = source;
+}
+
+void
+dns_keynode_detach(isc_mem_t *mctx, dns_keynode_t **keynode) {
+	unsigned int refs;
+	dns_keynode_t *node = *keynode;
+	REQUIRE(VALID_KEYNODE(node));
+	isc_refcount_decrement(&node->refcount, &refs);
+	if (refs == 0) {
+		if (node->key != NULL)
+			dst_key_free(&node->key);
+		isc_refcount_destroy(&node->refcount);
+		isc_mem_put(mctx, node, sizeof(dns_keynode_t));
+	}
+	*keynode = NULL;
+}
+
+void
+dns_keynode_detachall(isc_mem_t *mctx, dns_keynode_t **keynode) {
+	dns_keynode_t *next = NULL, *node = *keynode;
+	REQUIRE(VALID_KEYNODE(node));
+	while (node != NULL) {
+		next = node->next;
+		dns_keynode_detach(mctx, &node);
+		node = next;
+	}
+	*keynode = NULL;
+}
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
new file mode 100644
index 0000000..304814b
--- /dev/null
+++ b/lib/dns/lib.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lib.c,v 1.19 2009/09/03 00:12:23 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/msgcat.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/ecdb.h>
+#include <dns/lib.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+
+/***
+ *** Globals
+ ***/
+
+LIBDNS_EXTERNAL_DATA unsigned int			dns_pps = 0U;
+LIBDNS_EXTERNAL_DATA isc_msgcat_t *			dns_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libdns.cat", &dns_msgcat);
+}
+
+void
+dns_lib_initmsgcat(void) {
+
+	/*
+	 * Initialize the DNS library's message catalog, dns_msgcat, if it
+	 * has not already been initialized.
+	 */
+
+	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
+
+static isc_once_t init_once = ISC_ONCE_INIT;
+static isc_mem_t *dns_g_mctx = NULL;
+static dns_dbimplementation_t *dbimp = NULL;
+static bool initialize_done = false;
+static isc_mutex_t reflock;
+static unsigned int references = 0;
+
+static void
+initialize(void) {
+	isc_result_t result;
+
+	REQUIRE(initialize_done == false);
+
+	result = isc_mem_create(0, 0, &dns_g_mctx);
+	if (result != ISC_R_SUCCESS)
+		return;
+	dns_result_register();
+	result = dns_ecdb_register(dns_g_mctx, &dbimp);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mctx;
+	result = isc_hash_create(dns_g_mctx, NULL, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_db;
+
+	result = dst_lib_init(dns_g_mctx, NULL, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_hash;
+
+	result = isc_mutex_init(&reflock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_dst;
+
+	initialize_done = true;
+	return;
+
+  cleanup_dst:
+	dst_lib_destroy();
+  cleanup_hash:
+	isc_hash_destroy();
+  cleanup_db:
+	if (dbimp != NULL)
+		dns_ecdb_unregister(&dbimp);
+  cleanup_mctx:
+	if (dns_g_mctx != NULL)
+		isc_mem_detach(&dns_g_mctx);
+}
+
+isc_result_t
+dns_lib_init(void) {
+	isc_result_t result;
+
+	/*
+	 * Since this routine is expected to be used by a normal application,
+	 * it should be better to return an error, instead of an emergency
+	 * abort, on any failure.
+	 */
+	result = isc_once_do(&init_once, initialize);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!initialize_done)
+		return (ISC_R_FAILURE);
+
+	LOCK(&reflock);
+	references++;
+	UNLOCK(&reflock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_lib_shutdown(void) {
+	bool cleanup_ok = false;
+
+	LOCK(&reflock);
+	if (--references == 0)
+		cleanup_ok = true;
+	UNLOCK(&reflock);
+
+	if (!cleanup_ok)
+		return;
+
+	dst_lib_destroy();
+
+	if (isc_hashctx != NULL)
+		isc_hash_destroy();
+	if (dbimp != NULL)
+		dns_ecdb_unregister(&dbimp);
+	if (dns_g_mctx != NULL)
+		isc_mem_detach(&dns_g_mctx);
+}
diff --git a/lib/dns/log.c b/lib/dns/log.c
new file mode 100644
index 0000000..fb1da41
--- /dev/null
+++ b/lib/dns/log.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
+	{ "notify", 	0 },
+	{ "database", 	0 },
+	{ "security", 	0 },
+	{ "_placeholder", 0 },
+	{ "dnssec",	0 },
+	{ "resolver",	0 },
+	{ "xfer-in",	0 },
+	{ "xfer-out",	0 },
+	{ "dispatch",	0 },
+	{ "lame-servers", 0 },
+	{ "delegation-only", 0 },
+	{ "edns-disabled", 0 },
+	{ "rpz",	0 },
+	{ "rate-limit",	0 },
+	{ "cname",	0 },
+	{ "spill",	0 },
+	{ "dnstap",	0 },
+	{ NULL, 	0 }
+};
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
+	{ "dns/db",	 	0 },
+	{ "dns/rbtdb", 		0 },
+	{ "dns/rbtdb64", 	0 },
+	{ "dns/rbt", 		0 },
+	{ "dns/rdata", 		0 },
+	{ "dns/master", 	0 },
+	{ "dns/message", 	0 },
+	{ "dns/cache", 		0 },
+	{ "dns/config",		0 },
+	{ "dns/resolver",	0 },
+	{ "dns/zone",		0 },
+	{ "dns/journal",	0 },
+	{ "dns/adb",		0 },
+	{ "dns/xfrin",		0 },
+	{ "dns/xfrout",		0 },
+	{ "dns/acl",		0 },
+	{ "dns/validator",	0 },
+	{ "dns/dispatch",	0 },
+	{ "dns/request",	0 },
+	{ "dns/masterdump",	0 },
+	{ "dns/tsig",		0 },
+	{ "dns/tkey",		0 },
+	{ "dns/sdb",		0 },
+	{ "dns/diff",		0 },
+	{ "dns/hints",		0 },
+	{ "dns/acache",		0 },
+	{ "dns/dlz",		0 },
+	{ "dns/dnssec",		0 },
+	{ "dns/crypto",		0 },
+	{ "dns/packets",	0 },
+	{ "dns/nta",		0 },
+	{ "dns/dyndb",		0 },
+	{ "dns/dnstap",		0 },
+	{ "dns/ssu",		0 },
+	{ NULL, 		0 }
+};
+
+LIBDNS_EXTERNAL_DATA isc_log_t *dns_lctx = NULL;
+
+void
+dns_log_init(isc_log_t *lctx) {
+	REQUIRE(lctx != NULL);
+
+	isc_log_registercategories(lctx, dns_categories);
+	isc_log_registermodules(lctx, dns_modules);
+}
+
+void
+dns_log_setcontext(isc_log_t *lctx) {
+	dns_lctx = lctx;
+}
diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c
new file mode 100644
index 0000000..acd9c34
--- /dev/null
+++ b/lib/dns/lookup.c
@@ -0,0 +1,491 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+struct dns_lookup {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	isc_mutex_t		lock;
+	dns_rdatatype_t		type;
+	dns_fixedname_t		name;
+	/* Locked by lock. */
+	unsigned int		options;
+	isc_task_t *		task;
+	dns_view_t *		view;
+	dns_lookupevent_t *	event;
+	dns_fetch_t *		fetch;
+	unsigned int		restarts;
+	bool		canceled;
+	dns_rdataset_t		rdataset;
+	dns_rdataset_t		sigrdataset;
+};
+
+#define LOOKUP_MAGIC			ISC_MAGIC('l', 'o', 'o', 'k')
+#define VALID_LOOKUP(l)			ISC_MAGIC_VALID((l), LOOKUP_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static void lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event);
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	dns_lookup_t *lookup = event->ev_arg;
+	dns_fetchevent_t *fevent;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	REQUIRE(VALID_LOOKUP(lookup));
+	REQUIRE(lookup->task == task);
+	fevent = (dns_fetchevent_t *)event;
+	REQUIRE(fevent->fetch == lookup->fetch);
+
+	lookup_find(lookup, fevent);
+}
+
+static inline isc_result_t
+start_fetch(dns_lookup_t *lookup) {
+	isc_result_t result;
+
+	/*
+	 * The caller must be holding the lookup's lock.
+	 */
+
+	REQUIRE(lookup->fetch == NULL);
+
+	result = dns_resolver_createfetch(lookup->view->resolver,
+					  dns_fixedname_name(&lookup->name),
+					  lookup->type,
+					  NULL, NULL, NULL, 0,
+					  lookup->task, fetch_done, lookup,
+					  &lookup->rdataset,
+					  &lookup->sigrdataset,
+					  &lookup->fetch);
+
+	return (result);
+}
+
+static isc_result_t
+build_event(dns_lookup_t *lookup) {
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdataset_t *sigrdataset = NULL;
+	isc_result_t result;
+
+	name = isc_mem_get(lookup->mctx, sizeof(dns_name_t));
+	if (name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto fail;
+	}
+	dns_name_init(name, NULL);
+	result = dns_name_dup(dns_fixedname_name(&lookup->name),
+			      lookup->mctx, name);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	if (dns_rdataset_isassociated(&lookup->rdataset)) {
+		rdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
+		if (rdataset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		dns_rdataset_init(rdataset);
+		dns_rdataset_clone(&lookup->rdataset, rdataset);
+	}
+
+	if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
+		sigrdataset = isc_mem_get(lookup->mctx,
+					  sizeof(dns_rdataset_t));
+		if (sigrdataset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		dns_rdataset_init(sigrdataset);
+		dns_rdataset_clone(&lookup->sigrdataset, sigrdataset);
+	}
+
+	lookup->event->name = name;
+	lookup->event->rdataset = rdataset;
+	lookup->event->sigrdataset = sigrdataset;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	if (name != NULL) {
+		if (dns_name_dynamic(name))
+			dns_name_free(name, lookup->mctx);
+		isc_mem_put(lookup->mctx, name, sizeof(dns_name_t));
+	}
+	if (rdataset != NULL) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
+	}
+	return (result);
+}
+
+static isc_result_t
+view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
+	isc_result_t result;
+	dns_name_t *name = dns_fixedname_name(&lookup->name);
+	dns_rdatatype_t type;
+
+	if (lookup->type == dns_rdatatype_rrsig)
+		type = dns_rdatatype_any;
+	else
+		type = lookup->type;
+
+	result = dns_view_find(lookup->view, name, type, 0, 0, false,
+			       &lookup->event->db, &lookup->event->node,
+			       foundname, &lookup->rdataset,
+			       &lookup->sigrdataset);
+	return (result);
+}
+
+static void
+lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
+	isc_result_t result;
+	bool want_restart;
+	bool send_event;
+	dns_name_t *name, *fname, *prefix;
+	dns_fixedname_t foundname, fixed;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+
+	REQUIRE(VALID_LOOKUP(lookup));
+
+	LOCK(&lookup->lock);
+
+	result = ISC_R_SUCCESS;
+	name = dns_fixedname_name(&lookup->name);
+
+	do {
+		lookup->restarts++;
+		want_restart = false;
+		send_event = true;
+
+		if (event == NULL && !lookup->canceled) {
+			fname = dns_fixedname_initname(&foundname);
+			INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
+			INSIST(!dns_rdataset_isassociated
+						(&lookup->sigrdataset));
+			/*
+			 * If we have restarted then clear the old node.				 */
+			if  (lookup->event->node != NULL) {
+				INSIST(lookup->event->db != NULL);
+				dns_db_detachnode(lookup->event->db,
+						 &lookup->event->node);
+			}
+			if (lookup->event->db != NULL)
+				dns_db_detach(&lookup->event->db);
+			result = view_find(lookup, fname);
+			if (result == ISC_R_NOTFOUND) {
+				/*
+				 * We don't know anything about the name.
+				 * Launch a fetch.
+				 */
+				if  (lookup->event->node != NULL) {
+					INSIST(lookup->event->db != NULL);
+					dns_db_detachnode(lookup->event->db,
+							 &lookup->event->node);
+				}
+				if (lookup->event->db != NULL)
+					dns_db_detach(&lookup->event->db);
+				result = start_fetch(lookup);
+				if (result == ISC_R_SUCCESS)
+					send_event = false;
+				goto done;
+			}
+		} else if (event != NULL) {
+			result = event->result;
+			fname = dns_fixedname_name(&event->foundname);
+			dns_resolver_destroyfetch(&lookup->fetch);
+			INSIST(event->rdataset == &lookup->rdataset);
+			INSIST(event->sigrdataset == &lookup->sigrdataset);
+		} else
+			fname = NULL;	/* Silence compiler warning. */
+
+		/*
+		 * If we've been canceled, forget about the result.
+		 */
+		if (lookup->canceled)
+			result = ISC_R_CANCELED;
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			result = build_event(lookup);
+			if (event == NULL)
+				break;
+			if (event->db != NULL)
+				dns_db_attach(event->db, &lookup->event->db);
+			if (event->node != NULL)
+				dns_db_attachnode(lookup->event->db,
+						  event->node,
+						  &lookup->event->node);
+			break;
+		case DNS_R_CNAME:
+			/*
+			 * Copy the CNAME's target into the lookup's
+			 * query name and start over.
+			 */
+			result = dns_rdataset_first(&lookup->rdataset);
+			if (result != ISC_R_SUCCESS)
+				break;
+			dns_rdataset_current(&lookup->rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &cname, NULL);
+			dns_rdata_reset(&rdata);
+			if (result != ISC_R_SUCCESS)
+				break;
+			result = dns_name_copy(&cname.cname, name, NULL);
+			dns_rdata_freestruct(&cname);
+			if (result == ISC_R_SUCCESS) {
+				want_restart = true;
+				send_event = false;
+			}
+			break;
+		case DNS_R_DNAME:
+			namereln = dns_name_fullcompare(name, fname, &order,
+							&nlabels);
+			INSIST(namereln == dns_namereln_subdomain);
+			/*
+			 * Get the target name of the DNAME.
+			 */
+			result = dns_rdataset_first(&lookup->rdataset);
+			if (result != ISC_R_SUCCESS)
+				break;
+			dns_rdataset_current(&lookup->rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &dname, NULL);
+			dns_rdata_reset(&rdata);
+			if (result != ISC_R_SUCCESS)
+				break;
+			/*
+			 * Construct the new query name and start over.
+			 */
+			prefix = dns_fixedname_initname(&fixed);
+			dns_name_split(name, nlabels, prefix, NULL);
+			result = dns_name_concatenate(prefix, &dname.dname,
+						      name, NULL);
+			dns_rdata_freestruct(&dname);
+			if (result == ISC_R_SUCCESS) {
+				want_restart = true;
+				send_event = false;
+			}
+			break;
+		default:
+			send_event = true;
+		}
+
+		if (dns_rdataset_isassociated(&lookup->rdataset))
+			dns_rdataset_disassociate(&lookup->rdataset);
+		if (dns_rdataset_isassociated(&lookup->sigrdataset))
+			dns_rdataset_disassociate(&lookup->sigrdataset);
+
+	done:
+		if (event != NULL) {
+			if (event->node != NULL)
+				dns_db_detachnode(event->db, &event->node);
+			if (event->db != NULL)
+				dns_db_detach(&event->db);
+			isc_event_free(ISC_EVENT_PTR(&event));
+		}
+
+		/*
+		 * Limit the number of restarts.
+		 */
+		if (want_restart && lookup->restarts == MAX_RESTARTS) {
+			want_restart = false;
+			result = ISC_R_QUOTA;
+			send_event = true;
+		}
+
+	} while (want_restart);
+
+	if (send_event) {
+		lookup->event->result = result;
+		lookup->event->ev_sender = lookup;
+		isc_task_sendanddetach(&lookup->task,
+				       (isc_event_t **)&lookup->event);
+		dns_view_detach(&lookup->view);
+	}
+
+	UNLOCK(&lookup->lock);
+}
+
+static void
+levent_destroy(isc_event_t *event) {
+	dns_lookupevent_t *levent;
+	isc_mem_t *mctx;
+
+	REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+	mctx = event->ev_destroy_arg;
+	levent = (dns_lookupevent_t *)event;
+
+	if (levent->name != NULL) {
+		if (dns_name_dynamic(levent->name))
+			dns_name_free(levent->name, mctx);
+		isc_mem_put(mctx, levent->name, sizeof(dns_name_t));
+	}
+	if (levent->rdataset != NULL) {
+		dns_rdataset_disassociate(levent->rdataset);
+		isc_mem_put(mctx, levent->rdataset, sizeof(dns_rdataset_t));
+	}
+	if (levent->sigrdataset != NULL) {
+		dns_rdataset_disassociate(levent->sigrdataset);
+		isc_mem_put(mctx, levent->sigrdataset, sizeof(dns_rdataset_t));
+	}
+	if (levent->node != NULL)
+		dns_db_detachnode(levent->db, &levent->node);
+	if (levent->db != NULL)
+		dns_db_detach(&levent->db);
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
+		  dns_view_t *view, unsigned int options, isc_task_t *task,
+		  isc_taskaction_t action, void *arg, dns_lookup_t **lookupp)
+{
+	isc_result_t result;
+	dns_lookup_t *lookup;
+	isc_event_t *ievent;
+
+	lookup = isc_mem_get(mctx, sizeof(*lookup));
+	if (lookup == NULL)
+		return (ISC_R_NOMEMORY);
+	lookup->mctx = NULL;
+	isc_mem_attach(mctx, &lookup->mctx);
+	lookup->options = options;
+
+	ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE,
+				    action, arg, sizeof(*lookup->event));
+	if (ievent == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_lookup;
+	}
+	lookup->event = (dns_lookupevent_t *)ievent;
+	lookup->event->ev_destroy = levent_destroy;
+	lookup->event->ev_destroy_arg = mctx;
+	lookup->event->result = ISC_R_FAILURE;
+	lookup->event->name = NULL;
+	lookup->event->rdataset = NULL;
+	lookup->event->sigrdataset = NULL;
+	lookup->event->db = NULL;
+	lookup->event->node = NULL;
+
+	lookup->task = NULL;
+	isc_task_attach(task, &lookup->task);
+
+	result = isc_mutex_init(&lookup->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_event;
+
+	dns_fixedname_init(&lookup->name);
+
+	result = dns_name_copy(name, dns_fixedname_name(&lookup->name), NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	lookup->type = type;
+	lookup->view = NULL;
+	dns_view_attach(view, &lookup->view);
+	lookup->fetch = NULL;
+	lookup->restarts = 0;
+	lookup->canceled = false;
+	dns_rdataset_init(&lookup->rdataset);
+	dns_rdataset_init(&lookup->sigrdataset);
+	lookup->magic = LOOKUP_MAGIC;
+
+	*lookupp = lookup;
+
+	lookup_find(lookup, NULL);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+	DESTROYLOCK(&lookup->lock);
+
+ cleanup_event:
+	ievent = (isc_event_t *)lookup->event;
+	isc_event_free(&ievent);
+	lookup->event = NULL;
+
+	isc_task_detach(&lookup->task);
+
+ cleanup_lookup:
+	isc_mem_putanddetach(&mctx, lookup, sizeof(*lookup));
+
+	return (result);
+}
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup) {
+	REQUIRE(VALID_LOOKUP(lookup));
+
+	LOCK(&lookup->lock);
+
+	if (!lookup->canceled) {
+		lookup->canceled = true;
+		if (lookup->fetch != NULL) {
+			INSIST(lookup->view != NULL);
+			dns_resolver_cancelfetch(lookup->fetch);
+		}
+	}
+
+	UNLOCK(&lookup->lock);
+}
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp) {
+	dns_lookup_t *lookup;
+
+	REQUIRE(lookupp != NULL);
+	lookup = *lookupp;
+	REQUIRE(VALID_LOOKUP(lookup));
+	REQUIRE(lookup->event == NULL);
+	REQUIRE(lookup->task == NULL);
+	REQUIRE(lookup->view == NULL);
+	if (dns_rdataset_isassociated(&lookup->rdataset))
+		dns_rdataset_disassociate(&lookup->rdataset);
+	if (dns_rdataset_isassociated(&lookup->sigrdataset))
+		dns_rdataset_disassociate(&lookup->sigrdataset);
+
+	DESTROYLOCK(&lookup->lock);
+	lookup->magic = 0;
+	isc_mem_putanddetach(&lookup->mctx, lookup, sizeof(*lookup));
+
+	*lookupp = NULL;
+}
diff --git a/lib/dns/mapapi b/lib/dns/mapapi
new file mode 100644
index 0000000..90bf250
--- /dev/null
+++ b/lib/dns/mapapi
@@ -0,0 +1,16 @@
+# This value should be increased whenever changing the structure of
+# any object that will appear in a type 'map' master file (which
+# contains a working memory image of an RBT database), as loading 
+# an incorrect memory image produces an inconsistent and probably
+# nonfunctional database.  These structures include but are not
+# necessarily limited to dns_masterrawheader, rbtdb_file_header,
+# rbt_file_header, dns_rbtdb, dns_rbt, dns_rbtnode, rdatasetheader.
+#
+# Err on the side of caution: if anything in the RBTDB is changed,
+# bump the value.  Making map files unreadable protects the system
+# from instability; it's a feature not a bug.
+#
+# Whenever releasing a new major release of BIND9, set this value
+# back to 1.0 when releasing the first alpha.  Fast files are *never*
+# compatible across major releases.
+MAPAPI=1.0
diff --git a/lib/dns/master.c b/lib/dns/master.c
new file mode 100644
index 0000000..082e63f
--- /dev/null
+++ b/lib/dns/master.c
@@ -0,0 +1,3242 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/lex.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+/*!
+ * Grow the number of dns_rdatalist_t (#RDLSZ) and dns_rdata_t (#RDSZ) structures
+ * by these sizes when we need to.
+ *
+ */
+/*% RDLSZ reflects the number of different types with the same name expected. */
+#define RDLSZ 32
+/*%
+ * RDSZ reflects the number of rdata expected at a give name that can fit into
+ * 64k.
+ */
+#define RDSZ 512
+
+#define NBUFS 4
+#define MAXWIRESZ 255
+
+/*%
+ * Target buffer size and minimum target size.
+ * MINTSIZ must be big enough to hold the largest rdata record.
+ * \brief
+ * TSIZ >= MINTSIZ
+ */
+#define TSIZ (128*1024)
+/*%
+ * max message size - header - root - type - class - ttl - rdlen
+ */
+#define MINTSIZ DNS_RDATA_MAXLENGTH
+/*%
+ * Size for tokens in the presentation format,
+ * The largest tokens are the base64 blocks in KEY and CERT records,
+ * Largest key allowed is about 1372 bytes but
+ * there is no fixed upper bound on CERT records.
+ * 2K is too small for some X.509s, 8K is overkill.
+ */
+#define TOKENSIZ (8*1024)
+
+/*%
+ * Buffers sizes for $GENERATE.
+ */
+#define DNS_MASTER_LHS 2048
+#define DNS_MASTER_RHS MINTSIZ
+
+#define CHECKNAMESFAIL(x) (((x) & DNS_MASTER_CHECKNAMESFAIL) != 0)
+
+typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
+
+typedef struct dns_incctx dns_incctx_t;
+
+/*%
+ * Master file load state.
+ */
+
+struct dns_loadctx {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_masterformat_t	format;
+
+	dns_rdatacallbacks_t	*callbacks;
+	isc_task_t		*task;
+	dns_loaddonefunc_t	done;
+	void			*done_arg;
+
+	/* Common methods */
+	isc_result_t		(*openfile)(dns_loadctx_t *lctx,
+					    const char *filename);
+	isc_result_t		(*load)(dns_loadctx_t *lctx);
+
+	/* Members used by all formats */
+	uint32_t		maxttl;
+
+	/* Members specific to the text format: */
+	isc_lex_t		*lex;
+	bool		keep_lex;
+	unsigned int		options;
+	bool		ttl_known;
+	bool		default_ttl_known;
+	bool		warn_1035;
+	bool		warn_tcr;
+	bool		warn_sigexpired;
+	bool		seen_include;
+	uint32_t		ttl;
+	uint32_t		default_ttl;
+	dns_rdataclass_t	zclass;
+	dns_fixedname_t		fixed_top;
+	dns_name_t		*top;			/*%< top of zone */
+
+	/* Members specific to the raw format: */
+	FILE			*f;
+	bool		first;
+	dns_masterrawheader_t	header;
+
+	/* Which fixed buffers we are using? */
+	unsigned int		loop_cnt;		/*% records per quantum,
+							 * 0 => all. */
+	bool		canceled;
+	isc_mutex_t		lock;
+	isc_result_t		result;
+	/* locked by lock */
+	uint32_t		references;
+	dns_incctx_t		*inc;
+	uint32_t		resign;
+	isc_stdtime_t		now;
+
+	dns_masterincludecb_t	include_cb;
+	void			*include_arg;
+};
+
+struct dns_incctx {
+	dns_incctx_t		*parent;
+	dns_name_t		*origin;
+	dns_name_t		*current;
+	dns_name_t		*glue;
+	dns_fixedname_t		fixed[NBUFS];		/* working buffers */
+	unsigned int		in_use[NBUFS];		/* covert to bitmap? */
+	int			glue_in_use;
+	int			current_in_use;
+	int			origin_in_use;
+	bool		origin_changed;
+	bool		drop;
+	unsigned int		glue_line;
+	unsigned int		current_line;
+};
+
+#define DNS_LCTX_MAGIC ISC_MAGIC('L','c','t','x')
+#define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_text(dns_loadctx_t *lctx);
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx);
+
+static isc_result_t
+openfile_map(dns_loadctx_t *lctx, const char *master_file);
+
+static isc_result_t
+load_map(dns_loadctx_t *lctx);
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *, dns_loadctx_t *, rdatalist_head_t *,
+       dns_name_t *, const char *, unsigned int);
+
+static bool
+is_glue(rdatalist_head_t *, dns_name_t *);
+
+static dns_rdatalist_t *
+grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
+		rdatalist_head_t *, isc_mem_t *mctx);
+
+static dns_rdata_t *
+grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
+	   isc_mem_t *);
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx);
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx);
+
+#define GETTOKENERR(lexer, options, token, eol, err) \
+	do { \
+		result = gettoken(lexer, options, token, eol, callbacks); \
+		switch (result) { \
+		case ISC_R_SUCCESS: \
+			break; \
+		case ISC_R_UNEXPECTED: \
+			goto insist_and_cleanup; \
+		default: \
+			if (MANYERRS(lctx, result)) { \
+				SETRESULT(lctx, result); \
+				LOGIT(result); \
+				read_till_eol = true; \
+				err \
+				goto next_line; \
+			} else \
+				goto log_and_cleanup; \
+		} \
+		if ((token)->type == isc_tokentype_special) { \
+			result = DNS_R_SYNTAX; \
+			if (MANYERRS(lctx, result)) { \
+				SETRESULT(lctx, result); \
+				LOGIT(result); \
+				read_till_eol = true; \
+				goto next_line; \
+			} else \
+				goto log_and_cleanup; \
+		} \
+	} while (0)
+#define GETTOKEN(lexer, options, token, eol) \
+	GETTOKENERR(lexer, options, token, eol, {} )
+
+#define COMMITALL \
+	do { \
+		result = commit(callbacks, lctx, &current_list, \
+				ictx->current, source, ictx->current_line); \
+		if (MANYERRS(lctx, result)) { \
+			SETRESULT(lctx, result); \
+		} else if (result != ISC_R_SUCCESS) \
+			goto insist_and_cleanup; \
+		result = commit(callbacks, lctx, &glue_list, \
+				ictx->glue, source, ictx->glue_line); \
+		if (MANYERRS(lctx, result)) { \
+			SETRESULT(lctx, result); \
+		} else if (result != ISC_R_SUCCESS) \
+			goto insist_and_cleanup; \
+		rdcount = 0; \
+		rdlcount = 0; \
+		isc_buffer_init(&target, target_mem, target_size); \
+		rdcount_save = rdcount; \
+		rdlcount_save = rdlcount; \
+	} while (0)
+
+#define WARNUNEXPECTEDEOF(lexer) \
+	do { \
+		if (isc_lex_isfile(lexer)) \
+			(*callbacks->warn)(callbacks, \
+				"%s: file does not end with newline", \
+				source); \
+	} while (0)
+
+#define EXPECTEOL \
+	do { \
+		GETTOKEN(lctx->lex, 0, &token, true); \
+		if (token.type != isc_tokentype_eol) { \
+			isc_lex_ungettoken(lctx->lex, &token); \
+			result = DNS_R_EXTRATOKEN; \
+			if (MANYERRS(lctx, result)) { \
+				SETRESULT(lctx, result); \
+				LOGIT(result); \
+				read_till_eol = true; \
+				break; \
+			} else if (result != ISC_R_SUCCESS) \
+				goto log_and_cleanup; \
+		} \
+	} while (0)
+
+#define MANYERRS(lctx, result) \
+		((result != ISC_R_SUCCESS) && \
+		 (result != ISC_R_IOERROR) && \
+		 ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
+
+#define SETRESULT(lctx, r) \
+		do { \
+			if ((lctx)->result == ISC_R_SUCCESS) \
+				(lctx)->result = r; \
+		} while (0)
+
+#define LOGITFILE(result, filename) \
+	if (result == ISC_R_INVALIDFILE || result == ISC_R_FILENOTFOUND || \
+	    result == ISC_R_IOERROR || result == ISC_R_TOOMANYOPENFILES || \
+	    result == ISC_R_NOPERM) \
+		(*callbacks->error)(callbacks, "%s: %s:%lu: %s: %s", \
+				    "dns_master_load", source, line, \
+				    filename, dns_result_totext(result)); \
+	else LOGIT(result)
+
+#define LOGIT(result) \
+	if (result == ISC_R_NOMEMORY) \
+		(*callbacks->error)(callbacks, "dns_master_load: %s", \
+				    dns_result_totext(result)); \
+	else \
+		(*callbacks->error)(callbacks, "%s: %s:%lu: %s", \
+				    "dns_master_load", \
+				    source, line, dns_result_totext(result))
+
+
+static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static dns_name_t const in_addr_arpa =
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
+
+static unsigned char ip6_int_data[]  = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static dns_name_t const ip6_int =
+	DNS_NAME_INITABSOLUTE(ip6_int_data, ip6_int_offsets);
+
+static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static dns_name_t const ip6_arpa =
+	DNS_NAME_INITABSOLUTE(ip6_arpa_data, ip6_arpa_offsets);
+
+static inline isc_result_t
+gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
+	 bool eol, dns_rdatacallbacks_t *callbacks)
+{
+	isc_result_t result;
+
+	options |= ISC_LEXOPT_EOL | ISC_LEXOPT_EOF | ISC_LEXOPT_DNSMULTILINE |
+		ISC_LEXOPT_ESCAPE;
+	result = isc_lex_gettoken(lex, options, token);
+	if (result != ISC_R_SUCCESS) {
+		switch (result) {
+		case ISC_R_NOMEMORY:
+			return (ISC_R_NOMEMORY);
+		default:
+			(*callbacks->error)(callbacks,
+					    "dns_master_load: %s:%lu:"
+					    " isc_lex_gettoken() failed: %s",
+					    isc_lex_getsourcename(lex),
+					    isc_lex_getsourceline(lex),
+					    isc_result_totext(result));
+			return (result);
+		}
+		/*NOTREACHED*/
+	}
+	if (eol != true)
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof) {
+			unsigned long int line;
+			const char *what;
+			const char *file;
+			file = isc_lex_getsourcename(lex);
+			line = isc_lex_getsourceline(lex);
+			if (token->type == isc_tokentype_eol) {
+				line--;
+				what = "line";
+			} else
+				what = "file";
+			(*callbacks->error)(callbacks,
+			    "dns_master_load: %s:%lu: unexpected end of %s",
+					    file, line, what);
+			return (ISC_R_UNEXPECTEDEND);
+		}
+	return (ISC_R_SUCCESS);
+}
+
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target) {
+
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(DNS_LCTX_VALID(source));
+
+	LOCK(&source->lock);
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);	/* Overflow? */
+	UNLOCK(&source->lock);
+
+	*target = source;
+}
+
+void
+dns_loadctx_detach(dns_loadctx_t **lctxp) {
+	dns_loadctx_t *lctx;
+	bool need_destroy = false;
+
+	REQUIRE(lctxp != NULL);
+	lctx = *lctxp;
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	LOCK(&lctx->lock);
+	INSIST(lctx->references > 0);
+	lctx->references--;
+	if (lctx->references == 0)
+		need_destroy = true;
+	UNLOCK(&lctx->lock);
+
+	if (need_destroy)
+		loadctx_destroy(lctx);
+	*lctxp = NULL;
+}
+
+static void
+incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
+	dns_incctx_t *parent;
+
+ again:
+	parent = ictx->parent;
+	ictx->parent = NULL;
+
+	isc_mem_put(mctx, ictx, sizeof(*ictx));
+
+	if (parent != NULL) {
+		ictx = parent;
+		goto again;
+	}
+}
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx) {
+	isc_mem_t *mctx;
+	isc_result_t result;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	lctx->magic = 0;
+	if (lctx->inc != NULL)
+		incctx_destroy(lctx->mctx, lctx->inc);
+
+	if (lctx->f != NULL) {
+		result = isc_stdio_close(lctx->f);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "isc_stdio_close() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+
+	/* isc_lex_destroy() will close all open streams */
+	if (lctx->lex != NULL && !lctx->keep_lex)
+		isc_lex_destroy(&lctx->lex);
+
+	if (lctx->task != NULL)
+		isc_task_detach(&lctx->task);
+	DESTROYLOCK(&lctx->lock);
+	mctx = NULL;
+	isc_mem_attach(lctx->mctx, &mctx);
+	isc_mem_detach(&lctx->mctx);
+	isc_mem_put(mctx, lctx, sizeof(*lctx));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
+	dns_incctx_t *ictx;
+	isc_region_t r;
+	int i;
+
+	ictx = isc_mem_get(mctx, sizeof(*ictx));
+	if (ictx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	for (i = 0; i < NBUFS; i++) {
+		dns_fixedname_init(&ictx->fixed[i]);
+		ictx->in_use[i] = false;
+	}
+
+	ictx->origin_in_use = 0;
+	ictx->origin = dns_fixedname_name(&ictx->fixed[ictx->origin_in_use]);
+	ictx->in_use[ictx->origin_in_use] = true;
+	dns_name_toregion(origin, &r);
+	dns_name_fromregion(ictx->origin, &r);
+
+	ictx->glue = NULL;
+	ictx->current = NULL;
+	ictx->glue_in_use = -1;
+	ictx->current_in_use = -1;
+	ictx->parent = NULL;
+	ictx->drop = false;
+	ictx->glue_line = 0;
+	ictx->current_line = 0;
+	ictx->origin_changed = true;
+
+	*ictxp = ictx;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
+	       unsigned int options, uint32_t resign, dns_name_t *top,
+	       dns_rdataclass_t zclass, dns_name_t *origin,
+	       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+	       dns_loaddonefunc_t done, void *done_arg,
+	       dns_masterincludecb_t include_cb, void *include_arg,
+	       isc_lex_t *lex, dns_loadctx_t **lctxp)
+{
+	dns_loadctx_t *lctx;
+	isc_result_t result;
+	isc_region_t r;
+	isc_lexspecials_t specials;
+
+	REQUIRE(lctxp != NULL && *lctxp == NULL);
+	REQUIRE(callbacks != NULL);
+	REQUIRE(callbacks->add != NULL);
+	REQUIRE(callbacks->error != NULL);
+	REQUIRE(callbacks->warn != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(dns_name_isabsolute(top));
+	REQUIRE(dns_name_isabsolute(origin));
+	REQUIRE((task == NULL && done == NULL) ||
+		(task != NULL && done != NULL));
+
+	lctx = isc_mem_get(mctx, sizeof(*lctx));
+	if (lctx == NULL)
+		return (ISC_R_NOMEMORY);
+	result = isc_mutex_init(&lctx->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, lctx, sizeof(*lctx));
+		return (result);
+	}
+
+	lctx->inc = NULL;
+	result = incctx_create(mctx, origin, &lctx->inc);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_ctx;
+
+	lctx->maxttl = 0;
+
+	lctx->format = format;
+	switch (format) {
+	default:
+		INSIST(0);
+	case dns_masterformat_text:
+		lctx->openfile = openfile_text;
+		lctx->load = load_text;
+		break;
+	case dns_masterformat_raw:
+		lctx->openfile = openfile_raw;
+		lctx->load = load_raw;
+		break;
+	case dns_masterformat_map:
+		lctx->openfile = openfile_map;
+		lctx->load = load_map;
+		break;
+	}
+
+	if (lex != NULL) {
+		lctx->lex = lex;
+		lctx->keep_lex = true;
+	} else {
+		lctx->lex = NULL;
+		result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_inc;
+		lctx->keep_lex = false;
+		memset(specials, 0, sizeof(specials));
+		specials[0] = 1;
+		specials['('] = 1;
+		specials[')'] = 1;
+		specials['"'] = 1;
+		isc_lex_setspecials(lctx->lex, specials);
+		isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+	}
+
+	lctx->ttl_known = (options & DNS_MASTER_NOTTL);
+	lctx->ttl = 0;
+	lctx->default_ttl_known = lctx->ttl_known;
+	lctx->default_ttl = 0;
+	lctx->warn_1035 = true;	/* XXX Argument? */
+	lctx->warn_tcr = true;	/* XXX Argument? */
+	lctx->warn_sigexpired = true;	/* XXX Argument? */
+	lctx->options = options;
+	lctx->seen_include = false;
+	lctx->zclass = zclass;
+	lctx->resign = resign;
+	lctx->result = ISC_R_SUCCESS;
+	lctx->include_cb = include_cb;
+	lctx->include_arg = include_arg;
+	isc_stdtime_get(&lctx->now);
+
+	lctx->top = dns_fixedname_initname(&lctx->fixed_top);
+	dns_name_toregion(top, &r);
+	dns_name_fromregion(lctx->top, &r);
+
+	lctx->f = NULL;
+	lctx->first = true;
+	dns_master_initrawheader(&lctx->header);
+
+	lctx->loop_cnt = (done != NULL) ? 100 : 0;
+	lctx->callbacks = callbacks;
+	lctx->task = NULL;
+	if (task != NULL)
+		isc_task_attach(task, &lctx->task);
+	lctx->done = done;
+	lctx->done_arg = done_arg;
+	lctx->canceled = false;
+	lctx->mctx = NULL;
+	isc_mem_attach(mctx, &lctx->mctx);
+	lctx->references = 1;			/* Implicit attach. */
+	lctx->magic = DNS_LCTX_MAGIC;
+	*lctxp = lctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup_inc:
+	incctx_destroy(mctx, lctx->inc);
+ cleanup_ctx:
+	isc_mem_put(mctx, lctx, sizeof(*lctx));
+	return (result);
+}
+
+static const char *hex = "0123456789abcdef0123456789ABCDEF";
+
+/*%
+ * Convert value into a nibble sequence from least significant to most
+ * significant nibble.  Zero fill upper most significant nibbles if
+ * required to make the width.
+ *
+ * Returns the number of characters that should have been written without
+ * counting the terminating NUL.
+ */
+static unsigned int
+nibbles(char *numbuf, size_t length, unsigned int width, char mode, int value) {
+	unsigned int count = 0;
+
+	/*
+	 * This reserve space for the NUL string terminator.
+	 */
+	if (length > 0U) {
+		*numbuf = '\0';
+		length--;
+	}
+	do {
+		char val = hex[(value & 0x0f) + ((mode == 'n') ? 0 : 16)];
+		value >>= 4;
+		if (length > 0U) {
+			*numbuf++ = val;
+			*numbuf = '\0';
+			length--;
+		}
+		if (width > 0)
+			width--;
+		count++;
+		/*
+		 * If width is non zero then we need to add a label seperator.
+		 * If value is non zero then we need to add another label and
+		 * that requires a label seperator.
+		 */
+		if (width > 0 || value != 0) {
+			if (length > 0U) {
+				*numbuf++ = '.';
+				*numbuf = '\0';
+				length--;
+			}
+			if (width > 0)
+				width--;
+			count++;
+		}
+	} while (value != 0 || width > 0);
+	return (count);
+}
+
+static isc_result_t
+genname(char *name, int it, char *buffer, size_t length) {
+	char fmt[sizeof("%04000000000d")];
+	char numbuf[128];
+	char *cp;
+	char mode[2];
+	int delta = 0;
+	isc_textregion_t r;
+	unsigned int n;
+	unsigned int width;
+	bool nibblemode;
+
+	r.base = buffer;
+	r.length = (unsigned int)length;
+
+	while (*name != '\0') {
+		if (*name == '$') {
+			name++;
+			if (*name == '$') {
+				if (r.length == 0)
+					return (ISC_R_NOSPACE);
+				r.base[0] = *name++;
+				isc_textregion_consume(&r, 1);
+				continue;
+			}
+			nibblemode = false;
+			strlcpy(fmt, "%d", sizeof(fmt));
+			/* Get format specifier. */
+			if (*name == '{' ) {
+				n = sscanf(name, "{%d,%u,%1[doxXnN]}",
+					   &delta, &width, mode);
+				switch (n) {
+				case 1:
+					break;
+				case 2:
+					n = snprintf(fmt, sizeof(fmt),
+						     "%%0%ud", width);
+					break;
+				case 3:
+					if (mode[0] == 'n' || mode[0] == 'N')
+						nibblemode = true;
+					n = snprintf(fmt, sizeof(fmt),
+						     "%%0%u%c", width, mode[0]);
+					break;
+				default:
+					return (DNS_R_SYNTAX);
+				}
+				if (n >= sizeof(fmt))
+					return (ISC_R_NOSPACE);
+				/* Skip past closing brace. */
+				while (*name != '\0' && *name++ != '}')
+					continue;
+			}
+			if (nibblemode)
+				n = nibbles(numbuf, sizeof(numbuf), width,
+					    mode[0], it + delta);
+			else
+				n = snprintf(numbuf, sizeof(numbuf), fmt,
+					     it + delta);
+			if (n >= sizeof(numbuf))
+				return (ISC_R_NOSPACE);
+			cp = numbuf;
+			while (*cp != '\0') {
+				if (r.length == 0)
+					return (ISC_R_NOSPACE);
+				r.base[0] = *cp++;
+				isc_textregion_consume(&r, 1);
+			}
+		} else if (*name == '\\') {
+			if (r.length == 0)
+				return (ISC_R_NOSPACE);
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+			if (*name == '\0')
+				continue;
+			if (r.length == 0)
+				return (ISC_R_NOSPACE);
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+		} else {
+			if (r.length == 0)
+				return (ISC_R_NOSPACE);
+			r.base[0] = *name++;
+			isc_textregion_consume(&r, 1);
+		}
+	}
+	if (r.length == 0)
+		return (ISC_R_NOSPACE);
+	r.base[0] = '\0';
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
+	 const char *source, unsigned int line)
+{
+	char *target_mem = NULL;
+	char *lhsbuf = NULL;
+	char *rhsbuf = NULL;
+	dns_fixedname_t ownerfixed;
+	dns_name_t *owner;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatacallbacks_t *callbacks;
+	dns_rdatalist_t rdatalist;
+	dns_rdatatype_t type;
+	rdatalist_head_t head;
+	int target_size = MINTSIZ;	/* only one rdata at a time */
+	isc_buffer_t buffer;
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_textregion_t r;
+	int i, n, start, stop, step = 0;
+	dns_incctx_t *ictx;
+	char dummy[2];
+
+	ictx = lctx->inc;
+	callbacks = lctx->callbacks;
+	owner = dns_fixedname_initname(&ownerfixed);
+	ISC_LIST_INIT(head);
+
+	target_mem = isc_mem_get(lctx->mctx, target_size);
+	rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_RHS);
+	lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_LHS);
+	if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto error_cleanup;
+	}
+	isc_buffer_init(&target, target_mem, target_size);
+
+	n = sscanf(range, "%d-%d%1[/]%d", &start, &stop, dummy, &step);
+	if ((n != 2 && n != 4) || (start < 0) || (stop < 0) ||
+	     (n == 4 && step < 1) || (stop < start))
+	{
+	       (*callbacks->error)(callbacks,
+				  "%s: %s:%lu: invalid range '%s'",
+				  "$GENERATE", source, line, range);
+		result = DNS_R_SYNTAX;
+		goto insist_cleanup;
+	}
+	if (n == 2)
+		step = 1;
+
+	/*
+	 * Get type.
+	 */
+	r.base = gtype;
+	r.length = strlen(gtype);
+	result = dns_rdatatype_fromtext(&type, &r);
+	if (result != ISC_R_SUCCESS) {
+		(*callbacks->error)(callbacks,
+				   "%s: %s:%lu: unknown RR type '%s'",
+				   "$GENERATE", source, line, gtype);
+		goto insist_cleanup;
+	}
+
+	/*
+	 * RFC2930: TKEY and TSIG are not allowed to be loaded
+	 * from master files.
+	 */
+	if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+	    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+	    dns_rdatatype_ismeta(type))
+	{
+		(*callbacks->error)(callbacks,
+				   "%s: %s:%lu: meta RR type '%s'",
+				   "$GENERATE",
+				   source, line, gtype);
+		result = DNS_R_METATYPE;
+		goto insist_cleanup;
+	}
+
+	for (i = start; i <= stop; i += step) {
+		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+		result = genname(rhs, i, rhsbuf, DNS_MASTER_RHS);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+
+		isc_buffer_init(&buffer, lhsbuf, strlen(lhsbuf));
+		isc_buffer_add(&buffer, strlen(lhsbuf));
+		isc_buffer_setactive(&buffer, strlen(lhsbuf));
+		result = dns_name_fromtext(owner, &buffer, ictx->origin,
+					   0, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+
+		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		    (lctx->options & DNS_MASTER_KEY) == 0 &&
+		    !dns_name_issubdomain(owner, lctx->top))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(owner, namebuf, sizeof(namebuf));
+			/*
+			 * Ignore out-of-zone data.
+			 */
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "ignoring out-of-zone data (%s)",
+					   source, line, namebuf);
+			continue;
+		}
+
+		isc_buffer_init(&buffer, rhsbuf, strlen(rhsbuf));
+		isc_buffer_add(&buffer, strlen(rhsbuf));
+		isc_buffer_setactive(&buffer, strlen(rhsbuf));
+
+		result = isc_lex_openbuffer(lctx->lex, &buffer);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+
+		isc_buffer_init(&target, target_mem, target_size);
+		result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
+					    lctx->lex, ictx->origin, 0,
+					    lctx->mctx, &target, callbacks);
+		RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.type = type;
+		rdatalist.rdclass = lctx->zclass;
+		rdatalist.ttl = lctx->ttl;
+		ISC_LIST_PREPEND(head, &rdatalist, link);
+		ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+		result = commit(callbacks, lctx, &head, owner, source, line);
+		ISC_LIST_UNLINK(rdatalist.rdata, &rdata, link);
+		if (result != ISC_R_SUCCESS)
+			goto error_cleanup;
+		dns_rdata_reset(&rdata);
+	}
+	result = ISC_R_SUCCESS;
+	goto cleanup;
+
+ error_cleanup:
+	if (result == ISC_R_NOMEMORY)
+		(*callbacks->error)(callbacks, "$GENERATE: %s",
+				    dns_result_totext(result));
+	else
+		(*callbacks->error)(callbacks, "$GENERATE: %s:%lu: %s",
+				    source, line, dns_result_totext(result));
+
+ insist_cleanup:
+	INSIST(result != ISC_R_SUCCESS);
+
+ cleanup:
+	if (target_mem != NULL)
+		isc_mem_put(lctx->mctx, target_mem, target_size);
+	if (lhsbuf != NULL)
+		isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_LHS);
+	if (rhsbuf != NULL)
+		isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_RHS);
+	return (result);
+}
+
+static void
+limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source,
+	  unsigned int line, uint32_t *ttlp)
+{
+	if (*ttlp > 0x7fffffffUL) {
+		(callbacks->warn)(callbacks,
+				  "%s: %s:%lu: "
+				  "$TTL %lu > MAXTTL, "
+				  "setting $TTL to 0",
+				  "dns_master_load",
+				  source, line,
+				  *ttlp);
+		*ttlp = 0;
+	}
+}
+
+static isc_result_t
+check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
+	 unsigned long line)
+{
+	char *tmp = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
+
+	if ((lctx->options & DNS_MASTER_FATALNS) != 0)
+		callback = lctx->callbacks->error;
+	else
+		callback = lctx->callbacks->warn;
+
+	if (token->type == isc_tokentype_string) {
+		struct in_addr addr;
+		struct in6_addr addr6;
+
+		tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
+		if (tmp == NULL)
+			return (ISC_R_NOMEMORY);
+		/*
+		 * Catch both "1.2.3.4" and "1.2.3.4."
+		 */
+		if (tmp[strlen(tmp) - 1] == '.')
+			tmp[strlen(tmp) - 1] = '\0';
+		if (inet_aton(tmp, &addr) == 1 ||
+		    inet_pton(AF_INET6, tmp, &addr6) == 1)
+			result = DNS_R_NSISADDRESS;
+	}
+	if (result != ISC_R_SUCCESS)
+		(*callback)(lctx->callbacks, "%s:%lu: NS record '%s' "
+			    "appears to be an address",
+			    source, line, DNS_AS_STR(*token));
+	if (tmp != NULL)
+		isc_mem_free(lctx->mctx, tmp);
+	return (result);
+}
+
+static void
+check_wildcard(dns_incctx_t *ictx, const char *source, unsigned long line,
+	       dns_rdatacallbacks_t *callbacks)
+{
+	dns_name_t *name;
+
+	name = (ictx->glue != NULL) ? ictx->glue : ictx->current;
+	if (dns_name_internalwildcard(name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%lu: warning: ownername "
+				   "'%s' contains an non-terminal wildcard",
+				   source, line, namebuf);
+	}
+}
+
+static isc_result_t
+openfile_text(dns_loadctx_t *lctx, const char *master_file) {
+	return (isc_lex_openfile(lctx->lex, master_file));
+}
+
+static int
+find_free_name(dns_incctx_t *incctx) {
+	int i;
+
+	for (i = 0; i < (NBUFS - 1); i++) {
+		if (!incctx->in_use[i]) {
+			break;
+		}
+	}
+	INSIST(!incctx->in_use[i]);
+	return (i);
+}
+
+static isc_result_t
+load_text(dns_loadctx_t *lctx) {
+	dns_rdataclass_t rdclass;
+	dns_rdatatype_t type, covers;
+	uint32_t ttl_offset = 0;
+	dns_name_t *new_name;
+	bool current_has_delegation = false;
+	bool done = false;
+	bool finish_origin = false;
+	bool finish_include = false;
+	bool read_till_eol = false;
+	bool initialws;
+	char *include_file = NULL;
+	isc_token_t token;
+	isc_result_t result = ISC_R_UNEXPECTED;
+	rdatalist_head_t glue_list;
+	rdatalist_head_t current_list;
+	dns_rdatalist_t *this;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdatalist_t *new_rdatalist;
+	int rdlcount = 0;
+	int rdlcount_save = 0;
+	int rdatalist_size = 0;
+	isc_buffer_t buffer;
+	isc_buffer_t target;
+	isc_buffer_t target_ft;
+	isc_buffer_t target_save;
+	dns_rdata_t *rdata = NULL;
+	dns_rdata_t *new_rdata;
+	int rdcount = 0;
+	int rdcount_save = 0;
+	int rdata_size = 0;
+	unsigned char *target_mem = NULL;
+	int target_size = TSIZ;
+	int new_in_use;
+	unsigned int loop_cnt = 0;
+	isc_mem_t *mctx;
+	dns_rdatacallbacks_t *callbacks;
+	dns_incctx_t *ictx;
+	char *range = NULL;
+	char *lhs = NULL;
+	char *gtype = NULL;
+	char *rhs = NULL;
+	const char *source = "";
+	unsigned long line = 0;
+	bool explicit_ttl;
+	char classname1[DNS_RDATACLASS_FORMATSIZE];
+	char classname2[DNS_RDATACLASS_FORMATSIZE];
+	unsigned int options = 0;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+	callbacks = lctx->callbacks;
+	mctx = lctx->mctx;
+	ictx = lctx->inc;
+
+	ISC_LIST_INIT(glue_list);
+	ISC_LIST_INIT(current_list);
+
+
+	/*
+	 * Allocate target_size of buffer space.  This is greater than twice
+	 * the maximum individual RR data size.
+	 */
+	target_mem = isc_mem_get(mctx, target_size);
+	if (target_mem == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto log_and_cleanup;
+	}
+	isc_buffer_init(&target, target_mem, target_size);
+	target_save = target;
+
+	if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0)
+		options |= DNS_RDATA_CHECKNAMES;
+	if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
+		options |= DNS_RDATA_CHECKNAMESFAIL;
+	if ((lctx->options & DNS_MASTER_CHECKMX) != 0)
+		options |= DNS_RDATA_CHECKMX;
+	if ((lctx->options & DNS_MASTER_CHECKMXFAIL) != 0)
+		options |= DNS_RDATA_CHECKMXFAIL;
+	source = isc_lex_getsourcename(lctx->lex);
+	do {
+		initialws = false;
+		line = isc_lex_getsourceline(lctx->lex);
+		GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS | ISC_LEXOPT_QSTRING,
+			 &token, true);
+		line = isc_lex_getsourceline(lctx->lex);
+
+		if (token.type == isc_tokentype_eof) {
+			if (read_till_eol)
+				WARNUNEXPECTEDEOF(lctx->lex);
+			/* Pop the include stack? */
+			if (ictx->parent != NULL) {
+				COMMITALL;
+				lctx->inc = ictx->parent;
+				ictx->parent = NULL;
+				incctx_destroy(lctx->mctx, ictx);
+				RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
+				line = isc_lex_getsourceline(lctx->lex);
+				POST(line);
+				source = isc_lex_getsourcename(lctx->lex);
+				ictx = lctx->inc;
+				continue;
+			}
+			done = true;
+			continue;
+		}
+
+		if (token.type == isc_tokentype_eol) {
+			read_till_eol = false;
+			continue;		/* blank line */
+		}
+
+		if (read_till_eol)
+			continue;
+
+		if (token.type == isc_tokentype_initialws) {
+			/*
+			 * Still working on the same name.
+			 */
+			initialws = true;
+		} else if (token.type == isc_tokentype_string ||
+			   token.type == isc_tokentype_qstring) {
+
+			/*
+			 * "$" Support.
+			 *
+			 * "$ORIGIN" and "$INCLUDE" can both take domain names.
+			 * The processing of "$ORIGIN" and "$INCLUDE" extends
+			 * across the normal domain name processing.
+			 */
+
+			if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
+				GETTOKEN(lctx->lex, 0, &token, false);
+				finish_origin = true;
+			} else if (strcasecmp(DNS_AS_STR(token),
+					      "$TTL") == 0) {
+				GETTOKENERR(lctx->lex, 0, &token, false,
+					    lctx->ttl = 0;
+					    lctx->default_ttl_known = true;);
+				result =
+				   dns_ttl_fromtext(&token.value.as_textregion,
+						    &lctx->ttl);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					lctx->ttl = 0;
+				} else if (result != ISC_R_SUCCESS)
+					goto insist_and_cleanup;
+				limit_ttl(callbacks, source, line, &lctx->ttl);
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+				EXPECTEOL;
+				continue;
+			} else if (strcasecmp(DNS_AS_STR(token),
+					      "$INCLUDE") == 0) {
+				COMMITALL;
+				if ((lctx->options & DNS_MASTER_NOINCLUDE)
+				    != 0)
+				{
+					(callbacks->error)(callbacks,
+					   "%s: %s:%lu: $INCLUDE not allowed",
+					   "dns_master_load",
+					   source, line);
+					result = DNS_R_REFUSED;
+					goto insist_and_cleanup;
+				}
+				if (ttl_offset != 0) {
+					(callbacks->error)(callbacks,
+					   "%s: %s:%lu: $INCLUDE "
+					   "may not be used with $DATE",
+					   "dns_master_load",
+					   source, line);
+					result = DNS_R_SYNTAX;
+					goto insist_and_cleanup;
+				}
+				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
+					 false);
+				if (include_file != NULL)
+					isc_mem_free(mctx, include_file);
+				include_file = isc_mem_strdup(mctx,
+							   DNS_AS_STR(token));
+				if (include_file == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				GETTOKEN(lctx->lex, 0, &token, true);
+
+				if (token.type == isc_tokentype_eol ||
+				    token.type == isc_tokentype_eof) {
+					if (token.type == isc_tokentype_eof)
+						WARNUNEXPECTEDEOF(lctx->lex);
+					/*
+					 * No origin field.
+					 */
+					result = pushfile(include_file,
+							  ictx->origin, lctx);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+						LOGITFILE(result, include_file);
+						continue;
+					} else if (result != ISC_R_SUCCESS) {
+						LOGITFILE(result, include_file);
+						goto insist_and_cleanup;
+					}
+					ictx = lctx->inc;
+					source =
+					       isc_lex_getsourcename(lctx->lex);
+					line = isc_lex_getsourceline(lctx->lex);
+					POST(line);
+					continue;
+				}
+				/*
+				 * There is an origin field.  Fall through
+				 * to domain name processing code and do
+				 * the actual inclusion later.
+				 */
+				finish_include = true;
+			} else if (strcasecmp(DNS_AS_STR(token),
+					      "$DATE") == 0) {
+				int64_t dump_time64;
+				isc_stdtime_t dump_time, current_time;
+				GETTOKEN(lctx->lex, 0, &token, false);
+				isc_stdtime_get(&current_time);
+				result = dns_time64_fromtext(DNS_AS_STR(token),
+							     &dump_time64);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					LOGIT(result);
+					dump_time64 = 0;
+				} else if (result != ISC_R_SUCCESS)
+					goto log_and_cleanup;
+				dump_time = (isc_stdtime_t)dump_time64;
+				if (dump_time != dump_time64) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "%s: %s:%lu: $DATE outside epoch",
+					 "dns_master_load", source, line);
+					result = ISC_R_UNEXPECTED;
+					goto insist_and_cleanup;
+				}
+				if (dump_time > current_time) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+					"%s: %s:%lu: "
+					"$DATE in future, using current date",
+					"dns_master_load", source, line);
+					dump_time = current_time;
+				}
+				ttl_offset = current_time - dump_time;
+				EXPECTEOL;
+				continue;
+			} else if (strcasecmp(DNS_AS_STR(token),
+					      "$GENERATE") == 0) {
+				/*
+				 * Lazy cleanup.
+				 */
+				if (range != NULL)
+					isc_mem_free(mctx, range);
+				if (lhs != NULL)
+					isc_mem_free(mctx, lhs);
+				if (gtype != NULL)
+					isc_mem_free(mctx, gtype);
+				if (rhs != NULL)
+					isc_mem_free(mctx, rhs);
+				range = lhs = gtype = rhs = NULL;
+				/* RANGE */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				range = isc_mem_strdup(mctx,
+						     DNS_AS_STR(token));
+				if (range == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				/* LHS */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				if (lhs == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				rdclass = 0;
+				explicit_ttl = false;
+				/* CLASS? */
+				GETTOKEN(lctx->lex, 0, &token, false);
+				if (dns_rdataclass_fromtext(&rdclass,
+					    &token.value.as_textregion)
+						== ISC_R_SUCCESS) {
+					GETTOKEN(lctx->lex, 0, &token,
+						 false);
+				}
+				/* TTL? */
+				if (dns_ttl_fromtext(&token.value.as_textregion,
+						     &lctx->ttl)
+						== ISC_R_SUCCESS) {
+					limit_ttl(callbacks, source, line,
+						  &lctx->ttl);
+					lctx->ttl_known = true;
+					explicit_ttl = true;
+					GETTOKEN(lctx->lex, 0, &token,
+						 false);
+				}
+				/* CLASS? */
+				if (rdclass == 0 &&
+				    dns_rdataclass_fromtext(&rdclass,
+						    &token.value.as_textregion)
+						== ISC_R_SUCCESS)
+					GETTOKEN(lctx->lex, 0, &token,
+						 false);
+				/* TYPE */
+				gtype = isc_mem_strdup(mctx,
+						       DNS_AS_STR(token));
+				if (gtype == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				/* RHS */
+				GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING,
+					 &token, false);
+				rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+				if (rhs == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				if (!lctx->ttl_known &&
+				    !lctx->default_ttl_known) {
+					(*callbacks->error)(callbacks,
+					    "%s: %s:%lu: no TTL specified",
+					    "dns_master_load", source, line);
+					result = DNS_R_NOTTL;
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+						lctx->ttl = 0;
+					} else {
+						goto insist_and_cleanup;
+					}
+				} else if (!explicit_ttl &&
+					   lctx->default_ttl_known) {
+					lctx->ttl = lctx->default_ttl;
+				}
+				/*
+				 * If the class specified does not match the
+				 * zone's class print out a error message and
+				 * exit.
+				 */
+				if (rdclass != 0 && rdclass != lctx->zclass) {
+					goto bad_class;
+				}
+				result = generate(lctx, range, lhs, gtype, rhs,
+						  source, line);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS)
+					goto insist_and_cleanup;
+				EXPECTEOL;
+				continue;
+			} else if (strncasecmp(DNS_AS_STR(token),
+					       "$", 1) == 0) {
+				(callbacks->error)(callbacks,
+					   "%s: %s:%lu: "
+					   "unknown $ directive '%s'",
+					   "dns_master_load", source, line,
+					   DNS_AS_STR(token));
+				result = DNS_R_SYNTAX;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+
+			/*
+			 * Normal processing resumes.
+			 */
+			new_in_use = find_free_name(ictx);
+			new_name =
+			      dns_fixedname_initname(&ictx->fixed[new_in_use]);
+			isc_buffer_init(&buffer, token.value.as_region.base,
+					token.value.as_region.length);
+			isc_buffer_add(&buffer, token.value.as_region.length);
+			isc_buffer_setactive(&buffer,
+					     token.value.as_region.length);
+			result = dns_name_fromtext(new_name, &buffer,
+					  ictx->origin, 0, NULL);
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				LOGIT(result);
+				read_till_eol = true;
+				continue;
+			} else if (result != ISC_R_SUCCESS)
+				goto log_and_cleanup;
+
+			/*
+			 * Finish $ORIGIN / $INCLUDE processing if required.
+			 */
+			if (finish_origin) {
+				if (ictx->origin_in_use != -1)
+					ictx->in_use[ictx->origin_in_use] =
+						false;
+				ictx->origin_in_use = new_in_use;
+				ictx->in_use[ictx->origin_in_use] = true;
+				ictx->origin = new_name;
+				ictx->origin_changed = true;
+				finish_origin = false;
+				EXPECTEOL;
+				continue;
+			}
+			if (finish_include) {
+				finish_include = false;
+				EXPECTEOL;
+				result = pushfile(include_file, new_name, lctx);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					LOGITFILE(result, include_file);
+					continue;
+				} else if (result != ISC_R_SUCCESS) {
+					LOGITFILE(result, include_file);
+					goto insist_and_cleanup;
+				}
+				ictx = lctx->inc;
+				ictx->origin_changed = true;
+				source = isc_lex_getsourcename(lctx->lex);
+				line = isc_lex_getsourceline(lctx->lex);
+				POST(line);
+				continue;
+			}
+
+			/*
+			 * "$" Processing Finished
+			 */
+
+			/*
+			 * If we are processing glue and the new name does
+			 * not match the current glue name, commit the glue
+			 * and pop stacks leaving us in 'normal' processing
+			 * state.  Linked lists are undone by commit().
+			 */
+			if (ictx->glue != NULL &&
+			    dns_name_compare(ictx->glue, new_name) != 0) {
+				result = commit(callbacks, lctx, &glue_list,
+						ictx->glue, source,
+						ictx->glue_line);
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS)
+					goto insist_and_cleanup;
+				if (ictx->glue_in_use != -1)
+					ictx->in_use[ictx->glue_in_use] =
+						false;
+				ictx->glue_in_use = -1;
+				ictx->glue = NULL;
+				rdcount = rdcount_save;
+				rdlcount = rdlcount_save;
+				target = target_save;
+			}
+
+			/*
+			 * If we are in 'normal' processing state and the new
+			 * name does not match the current name, see if the
+			 * new name is for glue and treat it as such,
+			 * otherwise we have a new name so commit what we
+			 * have.
+			 */
+			if ((ictx->glue == NULL) && (ictx->current == NULL ||
+			    dns_name_compare(ictx->current, new_name) != 0)) {
+				if (current_has_delegation &&
+					is_glue(&current_list, new_name)) {
+					rdcount_save = rdcount;
+					rdlcount_save = rdlcount;
+					target_save = target;
+					ictx->glue = new_name;
+					ictx->glue_in_use = new_in_use;
+					ictx->in_use[ictx->glue_in_use] =
+						true;
+				} else {
+					result = commit(callbacks, lctx,
+							&current_list,
+							ictx->current,
+							source,
+							ictx->current_line);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+					} else if (result != ISC_R_SUCCESS)
+						goto insist_and_cleanup;
+					rdcount = 0;
+					rdlcount = 0;
+					if (ictx->current_in_use != -1)
+					    ictx->in_use[ictx->current_in_use] =
+						false;
+					ictx->current_in_use = new_in_use;
+					ictx->in_use[ictx->current_in_use] =
+						true;
+					ictx->current = new_name;
+					current_has_delegation = false;
+					isc_buffer_init(&target, target_mem,
+							target_size);
+				}
+				/*
+				 * Check for internal wildcards.
+				 */
+				if ((lctx->options & DNS_MASTER_CHECKWILDCARD)
+						 != 0)
+					check_wildcard(ictx, source, line,
+						       callbacks);
+
+			}
+			if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+			    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+			    (lctx->options & DNS_MASTER_KEY) == 0 &&
+			    !dns_name_issubdomain(new_name, lctx->top))
+			{
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(new_name, namebuf,
+						sizeof(namebuf));
+				/*
+				 * Ignore out-of-zone data.
+				 */
+				(*callbacks->warn)(callbacks,
+				       "%s:%lu: "
+				       "ignoring out-of-zone data (%s)",
+				       source, line, namebuf);
+				ictx->drop = true;
+			} else
+				ictx->drop = false;
+		} else {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "%s:%lu: isc_lex_gettoken() returned "
+					 "unexpected token type (%d)",
+					 source, line, token.type);
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				LOGIT(result);
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * Find TTL, class and type.  Both TTL and class are optional
+		 * and may occur in any order if they exist. TTL and class
+		 * come before type which must exist.
+		 *
+		 * [<TTL>] [<class>] <type> <RDATA>
+		 * [<class>] [<TTL>] <type> <RDATA>
+		 */
+
+		type = 0;
+		rdclass = 0;
+
+		GETTOKEN(lctx->lex, 0, &token, initialws);
+
+		if (initialws) {
+			if (token.type == isc_tokentype_eol) {
+				read_till_eol = false;
+				continue;		/* blank line */
+			}
+
+			if (token.type == isc_tokentype_eof) {
+				WARNUNEXPECTEDEOF(lctx->lex);
+				read_till_eol = false;
+				isc_lex_ungettoken(lctx->lex, &token);
+				continue;
+			}
+
+			if (ictx->current == NULL) {
+				(*callbacks->error)(callbacks,
+					"%s:%lu: no current owner name",
+					source, line);
+				result = DNS_R_NOOWNER;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					read_till_eol = true;
+					continue;
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+
+			if (ictx->origin_changed) {
+				char cbuf[DNS_NAME_FORMATSIZE];
+				char obuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(ictx->current, cbuf,
+						sizeof(cbuf));
+				dns_name_format(ictx->origin, obuf,
+						sizeof(obuf));
+				(*callbacks->warn)(callbacks,
+					"%s:%lu: record with inherited "
+					"owner (%s) immediately after "
+					"$ORIGIN (%s)", source, line,
+					cbuf, obuf);
+			}
+		}
+
+		ictx->origin_changed = false;
+
+		if (dns_rdataclass_fromtext(&rdclass,
+					    &token.value.as_textregion)
+				== ISC_R_SUCCESS)
+			GETTOKEN(lctx->lex, 0, &token, false);
+
+		explicit_ttl = false;
+		result = dns_ttl_fromtext(&token.value.as_textregion,
+					  &lctx->ttl);
+		if (result == ISC_R_SUCCESS) {
+			limit_ttl(callbacks, source, line, &lctx->ttl);
+			explicit_ttl = true;
+			lctx->ttl_known = true;
+			GETTOKEN(lctx->lex, 0, &token, false);
+		}
+
+		if (token.type != isc_tokentype_string) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+			"isc_lex_gettoken() returned unexpected token type");
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (rdclass == 0 &&
+		    dns_rdataclass_fromtext(&rdclass,
+					    &token.value.as_textregion)
+				== ISC_R_SUCCESS)
+			GETTOKEN(lctx->lex, 0, &token, false);
+
+		if (token.type != isc_tokentype_string) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+			"isc_lex_gettoken() returned unexpected token type");
+			result = ISC_R_UNEXPECTED;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		result = dns_rdatatype_fromtext(&type,
+						&token.value.as_textregion);
+		if (result != ISC_R_SUCCESS) {
+			(*callbacks->warn)(callbacks,
+				   "%s:%lu: unknown RR type '%.*s'",
+				   source, line,
+				   token.value.as_textregion.length,
+				   token.value.as_textregion.base);
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else if (result != ISC_R_SUCCESS)
+				goto insist_and_cleanup;
+		}
+
+		/*
+		 * If the class specified does not match the zone's class
+		 * print out a error message and exit.
+		 */
+		if (rdclass != 0 && rdclass != lctx->zclass) {
+  bad_class:
+
+			dns_rdataclass_format(rdclass, classname1,
+					      sizeof(classname1));
+			dns_rdataclass_format(lctx->zclass, classname2,
+					      sizeof(classname2));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: class '%s' != "
+					    "zone class '%s'",
+					    source, line,
+					    classname1, classname2);
+			result = DNS_R_BADCLASS;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (type == dns_rdatatype_ns && ictx->glue == NULL)
+			current_has_delegation = true;
+
+		/*
+		 * RFC1123: MD and MF are not allowed to be loaded from
+		 * master files.
+		 */
+		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		    (type == dns_rdatatype_md || type == dns_rdatatype_mf)) {
+			char typename[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_OBSOLETE;
+
+			dns_rdatatype_format(type, typename, sizeof(typename));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: %s '%s': %s",
+					    source, line,
+					    "type", typename,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else
+				goto insist_and_cleanup;
+		}
+
+		/*
+		 * RFC2930: TKEY and TSIG are not allowed to be loaded
+		 * from master files.
+		 */
+		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		    dns_rdatatype_ismeta(type))
+		{
+			char typename[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_METATYPE;
+
+			dns_rdatatype_format(type, typename, sizeof(typename));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: %s '%s': %s",
+					    source, line,
+					    "type", typename,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else
+				goto insist_and_cleanup;
+		}
+
+		/*
+		 * Find a rdata structure.
+		 */
+		if (rdcount == rdata_size) {
+			new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
+					       rdata_size, &current_list,
+					       &glue_list, mctx);
+			if (new_rdata == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto log_and_cleanup;
+			}
+			rdata_size += RDSZ;
+			rdata = new_rdata;
+		}
+
+		/*
+		 * Peek at the NS record.
+		 */
+		if (type == dns_rdatatype_ns &&
+		    lctx->zclass == dns_rdataclass_in &&
+		    (lctx->options & DNS_MASTER_CHECKNS) != 0) {
+
+			GETTOKEN(lctx->lex, 0, &token, false);
+			result = check_ns(lctx, &token, source, line);
+			isc_lex_ungettoken(lctx->lex, &token);
+			if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+				} else if (result != ISC_R_SUCCESS)
+					goto insist_and_cleanup;
+			}
+		}
+
+		/*
+		 * Check owner name.
+		 */
+		options &= ~DNS_RDATA_CHECKREVERSE;
+		if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
+			bool ok;
+			dns_name_t *name;
+
+			name = (ictx->glue != NULL) ? ictx->glue :
+						      ictx->current;
+			ok = dns_rdata_checkowner(name, lctx->zclass, type,
+						  true);
+			if (!ok) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				const char *desc;
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				result = DNS_R_BADOWNERNAME;
+				desc = dns_result_totext(result);
+				if (CHECKNAMESFAIL(lctx->options) ||
+				    type == dns_rdatatype_nsec3) {
+					(*callbacks->error)(callbacks,
+							    "%s:%lu: %s: %s",
+							    source, line,
+							    namebuf, desc);
+					if (MANYERRS(lctx, result)) {
+						SETRESULT(lctx, result);
+					} else {
+						goto cleanup;
+					}
+				} else {
+					(*callbacks->warn)(callbacks,
+							   "%s:%lu: %s: %s",
+							   source, line,
+							   namebuf, desc);
+				}
+			}
+			if (type == dns_rdatatype_ptr &&
+			    !dns_name_isdnssd(name) &&
+			    (dns_name_issubdomain(name, &in_addr_arpa) ||
+			     dns_name_issubdomain(name, &ip6_arpa) ||
+			     dns_name_issubdomain(name, &ip6_int)))
+				options |= DNS_RDATA_CHECKREVERSE;
+		}
+
+		/*
+		 * Read rdata contents.
+		 */
+		dns_rdata_init(&rdata[rdcount]);
+		target_ft = target;
+		result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass,
+					    type, lctx->lex, ictx->origin,
+					    options, lctx->mctx, &target,
+					    callbacks);
+		if (MANYERRS(lctx, result)) {
+			SETRESULT(lctx, result);
+			continue;
+		} else if (result != ISC_R_SUCCESS)
+			goto insist_and_cleanup;
+
+		if (ictx->drop) {
+			target = target_ft;
+			continue;
+		}
+
+		if (type == dns_rdatatype_soa &&
+		    (lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    dns_name_compare(ictx->current, lctx->top) != 0) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(ictx->current, namebuf,
+					sizeof(namebuf));
+			(*callbacks->error)(callbacks, "%s:%lu: SOA "
+					    "record not at top of zone (%s)",
+					    source, line, namebuf);
+			result = DNS_R_NOTZONETOP;
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+				read_till_eol = true;
+				target = target_ft;
+				continue;
+			} else {
+				goto insist_and_cleanup;
+			}
+		}
+
+		if (type == dns_rdatatype_rrsig ||
+		    type == dns_rdatatype_sig)
+			covers = dns_rdata_covers(&rdata[rdcount]);
+		else
+			covers = 0;
+
+		if (!lctx->ttl_known && !lctx->default_ttl_known) {
+			if (type == dns_rdatatype_soa) {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: no TTL specified; "
+						   "using SOA MINTTL instead",
+						   source, line);
+				lctx->ttl = dns_soa_getminimum(&rdata[rdcount]);
+				limit_ttl(callbacks, source, line, &lctx->ttl);
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+			} else if ((lctx->options & DNS_MASTER_HINT) != 0) {
+				/*
+				 * Zero TTL's are fine for hints.
+				 */
+				lctx->ttl = 0;
+				lctx->default_ttl = lctx->ttl;
+				lctx->default_ttl_known = true;
+			} else {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: no TTL specified; "
+						   "zone rejected",
+						   source, line);
+				result = DNS_R_NOTTL;
+				if (MANYERRS(lctx, result)) {
+					SETRESULT(lctx, result);
+					lctx->ttl = 0;
+				} else {
+					goto insist_and_cleanup;
+				}
+			}
+		} else if (!explicit_ttl && lctx->default_ttl_known) {
+			lctx->ttl = lctx->default_ttl;
+		} else if (!explicit_ttl && lctx->warn_1035) {
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "using RFC1035 TTL semantics",
+					   source, line);
+			lctx->warn_1035 = false;
+		}
+
+		if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
+			dns_rdata_rrsig_t sig;
+			result = dns_rdata_tostruct(&rdata[rdcount], &sig,
+						    NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (isc_serial_lt(sig.timeexpire, lctx->now)) {
+				(*callbacks->warn)(callbacks,
+						   "%s:%lu: "
+						   "signature has expired",
+						   source, line);
+				lctx->warn_sigexpired = false;
+			}
+		}
+
+		if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
+		    lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0) {
+			(*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC "
+					   " zone detected", source, line);
+			lctx->warn_tcr = false;
+		}
+
+		if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
+			/*
+			 * Adjust the TTL for $DATE.  If the RR has already
+			 * expired, ignore it.
+			 */
+			if (lctx->ttl < ttl_offset)
+				continue;
+			lctx->ttl -= ttl_offset;
+		}
+
+		/*
+		 * Find type in rdatalist.
+		 * If it does not exist create new one and prepend to list
+		 * as this will minimise list traversal.
+		 */
+		if (ictx->glue != NULL)
+			this = ISC_LIST_HEAD(glue_list);
+		else
+			this = ISC_LIST_HEAD(current_list);
+
+		while (this != NULL) {
+			if (this->type == type && this->covers == covers)
+				break;
+			this = ISC_LIST_NEXT(this, link);
+		}
+
+		if (this == NULL) {
+			if (rdlcount == rdatalist_size) {
+				new_rdatalist =
+					grow_rdatalist(rdatalist_size + RDLSZ,
+						       rdatalist,
+						       rdatalist_size,
+						       &current_list,
+						       &glue_list,
+						       mctx);
+				if (new_rdatalist == NULL) {
+					result = ISC_R_NOMEMORY;
+					goto log_and_cleanup;
+				}
+				rdatalist = new_rdatalist;
+				rdatalist_size += RDLSZ;
+			}
+			this = &rdatalist[rdlcount++];
+			dns_rdatalist_init(this);
+			this->type = type;
+			this->covers = covers;
+			this->rdclass = lctx->zclass;
+			this->ttl = lctx->ttl;
+			if (ictx->glue != NULL)
+				ISC_LIST_INITANDPREPEND(glue_list, this, link);
+			else
+				ISC_LIST_INITANDPREPEND(current_list, this,
+							link);
+		} else if (this->ttl != lctx->ttl) {
+			(*callbacks->warn)(callbacks,
+					   "%s:%lu: "
+					   "TTL set to prior TTL (%lu)",
+					   source, line, this->ttl);
+			lctx->ttl = this->ttl;
+		}
+
+		if ((lctx->options & DNS_MASTER_CHECKTTL) != 0 &&
+		    lctx->ttl > lctx->maxttl)
+		{
+			(callbacks->error)(callbacks,
+				   "dns_master_load: %s:%lu: "
+				   "TTL %d exceeds configured max-zone-ttl %d",
+				   source, line, lctx->ttl, lctx->maxttl);
+			result = ISC_R_RANGE;
+			goto log_and_cleanup;
+		}
+
+		ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link);
+		if (ictx->glue != NULL)
+			ictx->glue_line = line;
+		else
+			ictx->current_line = line;
+		rdcount++;
+
+		/*
+		 * We must have at least 64k as rdlen is 16 bits.
+		 * If we don't commit everything we have so far.
+		 */
+		if ((target.length - target.used) < MINTSIZ)
+			COMMITALL;
+ next_line:
+		;
+	} while (!done && (lctx->loop_cnt == 0 || loop_cnt++ < lctx->loop_cnt));
+
+	/*
+	 * Commit what has not yet been committed.
+	 */
+	result = commit(callbacks, lctx, &current_list, ictx->current,
+			source, ictx->current_line);
+	if (MANYERRS(lctx, result)) {
+		SETRESULT(lctx, result);
+	} else if (result != ISC_R_SUCCESS)
+		goto insist_and_cleanup;
+	result = commit(callbacks, lctx, &glue_list, ictx->glue,
+			source, ictx->glue_line);
+	if (MANYERRS(lctx, result)) {
+		SETRESULT(lctx, result);
+	} else if (result != ISC_R_SUCCESS)
+		goto insist_and_cleanup;
+
+	if (!done) {
+		INSIST(lctx->done != NULL && lctx->task != NULL);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
+		result = lctx->result;
+	} else if (result == ISC_R_SUCCESS && lctx->seen_include)
+		result = DNS_R_SEENINCLUDE;
+	goto cleanup;
+
+ log_and_cleanup:
+	LOGIT(result);
+
+ insist_and_cleanup:
+	INSIST(result != ISC_R_SUCCESS);
+
+ cleanup:
+	while ((this = ISC_LIST_HEAD(current_list)) != NULL)
+		ISC_LIST_UNLINK(current_list, this, link);
+	while ((this = ISC_LIST_HEAD(glue_list)) != NULL)
+		ISC_LIST_UNLINK(glue_list, this, link);
+	if (rdatalist != NULL)
+		isc_mem_put(mctx, rdatalist,
+			    rdatalist_size * sizeof(*rdatalist));
+	if (rdata != NULL)
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+	if (target_mem != NULL)
+		isc_mem_put(mctx, target_mem, target_size);
+	if (include_file != NULL)
+		isc_mem_free(mctx, include_file);
+	if (range != NULL)
+		isc_mem_free(mctx, range);
+	if (lhs != NULL)
+		isc_mem_free(mctx, lhs);
+	if (gtype != NULL)
+		isc_mem_free(mctx, gtype);
+	if (rhs != NULL)
+		isc_mem_free(mctx, rhs);
+	return (result);
+}
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
+	isc_result_t result;
+	dns_incctx_t *ictx;
+	dns_incctx_t *newctx = NULL;
+	isc_region_t r;
+
+	REQUIRE(master_file != NULL);
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	ictx = lctx->inc;
+	lctx->seen_include = true;
+
+	result = incctx_create(lctx->mctx, origin, &newctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Push origin_changed.
+	 */
+	newctx->origin_changed = ictx->origin_changed;
+
+	/* Set current domain. */
+	if (ictx->glue != NULL || ictx->current != NULL) {
+		newctx->current_in_use = find_free_name(newctx);
+		newctx->current =
+			dns_fixedname_name(&newctx->fixed[newctx->current_in_use]);
+		newctx->in_use[newctx->current_in_use] = true;
+		dns_name_toregion((ictx->glue != NULL) ?
+				   ictx->glue : ictx->current, &r);
+		dns_name_fromregion(newctx->current, &r);
+		newctx->drop = ictx->drop;
+	}
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	newctx->parent = ictx;
+	lctx->inc = newctx;
+
+	if (lctx->include_cb != NULL)
+		lctx->include_cb(master_file, lctx->include_arg);
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	incctx_destroy(lctx->mctx, newctx);
+	return (result);
+}
+
+/*
+ * Fill/check exists buffer with 'len' bytes.  Track remaining bytes to be
+ * read when incrementally filling the buffer.
+ */
+static inline isc_result_t
+read_and_check(bool do_read, isc_buffer_t *buffer,
+	       size_t len, FILE *f, uint32_t *totallen)
+{
+	isc_result_t result;
+
+	REQUIRE(totallen != NULL);
+
+	if (do_read) {
+		INSIST(isc_buffer_availablelength(buffer) >= len);
+		result = isc_stdio_read(isc_buffer_used(buffer), 1, len,
+					f, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		isc_buffer_add(buffer, (unsigned int)len);
+		if (*totallen < len)
+			return (ISC_R_RANGE);
+		*totallen -= (uint32_t)len;
+	} else if (isc_buffer_remaininglength(buffer) < len)
+		return (ISC_R_RANGE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_header(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_masterrawheader_t header;
+	dns_rdatacallbacks_t *callbacks;
+	size_t commonlen = sizeof(header.format) + sizeof(header.version);
+	size_t remainder;
+	unsigned char data[sizeof(header)];
+	isc_buffer_t target;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	if (lctx->format != dns_masterformat_raw &&
+	    lctx->format != dns_masterformat_map)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	callbacks = lctx->callbacks;
+	dns_master_initrawheader(&header);
+
+	INSIST(commonlen <= sizeof(header));
+	isc_buffer_init(&target, data, sizeof(data));
+
+	result = isc_stdio_read(data, 1, commonlen, lctx->f, NULL);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_read failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	isc_buffer_add(&target, (unsigned int)commonlen);
+	header.format = isc_buffer_getuint32(&target);
+	if (header.format != lctx->format) {
+		(*callbacks->error)(callbacks, "dns_master_load: "
+				    "file format mismatch (not %s)",
+				    lctx->format == dns_masterformat_map
+					    ? "map"
+					    : "raw");
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	header.version = isc_buffer_getuint32(&target);
+
+	switch (header.version) {
+	case 0:
+		remainder = sizeof(header.dumptime);
+		break;
+	case DNS_RAWFORMAT_VERSION:
+		remainder = sizeof(header) - commonlen;
+		break;
+	default:
+		(*callbacks->error)(callbacks,
+				    "dns_master_load: "
+				    "unsupported file format version");
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = isc_stdio_read(data + commonlen, 1, remainder, lctx->f, NULL);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_read failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	isc_buffer_add(&target, (unsigned int)remainder);
+	header.dumptime = isc_buffer_getuint32(&target);
+	if (header.version == DNS_RAWFORMAT_VERSION) {
+		header.flags = isc_buffer_getuint32(&target);
+		header.sourceserial = isc_buffer_getuint32(&target);
+		header.lastxfrin = isc_buffer_getuint32(&target);
+	}
+
+	lctx->first = false;
+	lctx->header = header;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openfile_map(dns_loadctx_t *lctx, const char *master_file) {
+	isc_result_t result;
+
+	result = isc_stdio_open(master_file, "rb", &lctx->f);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_open() failed: %s",
+				 isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+/*
+ * Load a map format file, using mmap() to access RBT trees directly
+ */
+static isc_result_t
+load_map(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdatacallbacks_t *callbacks;
+
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	callbacks = lctx->callbacks;
+
+	if (lctx->first) {
+		result = load_header(lctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		result = (*callbacks->deserialize)
+			  (callbacks->deserialize_private,
+			   lctx->f, sizeof(dns_masterrawheader_t));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+openfile_raw(dns_loadctx_t *lctx, const char *master_file) {
+	isc_result_t result;
+
+	result = isc_stdio_open(master_file, "rb", &lctx->f);
+	if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_stdio_open() failed: %s",
+				 isc_result_totext(result));
+	}
+
+	return (result);
+}
+
+static isc_result_t
+load_raw(dns_loadctx_t *lctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool done = false;
+	unsigned int loop_cnt = 0;
+	dns_rdatacallbacks_t *callbacks;
+	unsigned char namebuf[DNS_NAME_MAXWIRE];
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	rdatalist_head_t head, dummy;
+	dns_rdatalist_t rdatalist;
+	isc_mem_t *mctx = lctx->mctx;
+	dns_rdata_t *rdata = NULL;
+	unsigned int rdata_size = 0;
+	int target_size = TSIZ;
+	isc_buffer_t target, buf;
+	unsigned char *target_mem = NULL;
+	dns_decompress_t dctx;
+
+	callbacks = lctx->callbacks;
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+
+	if (lctx->first) {
+		result = load_header(lctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	ISC_LIST_INIT(head);
+	ISC_LIST_INIT(dummy);
+
+	/*
+	 * Allocate target_size of buffer space.  This is greater than twice
+	 * the maximum individual RR data size.
+	 */
+	target_mem = isc_mem_get(mctx, target_size);
+	if (target_mem == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	isc_buffer_init(&target, target_mem, target_size);
+
+	name = dns_fixedname_initname(&fixed);
+
+	/*
+	 * In the following loop, we regard any error fatal regardless of
+	 * whether "MANYERRORS" is set in the context option.  This is because
+	 * normal errors should already have been checked at creation time.
+	 * Besides, it is very unlikely that we can recover from an error
+	 * in this format, and so trying to continue parsing erroneous data
+	 * does not really make sense.
+	 */
+	for (loop_cnt = 0;
+	     (lctx->loop_cnt == 0 || loop_cnt < lctx->loop_cnt);
+	     loop_cnt++) {
+		unsigned int i, rdcount;
+		uint16_t namelen;
+		uint32_t totallen;
+		size_t minlen, readlen;
+		bool sequential_read = false;
+
+		/* Read the data length */
+		isc_buffer_clear(&target);
+		INSIST(isc_buffer_availablelength(&target) >=
+		       sizeof(totallen));
+		result = isc_stdio_read(target.base, 1, sizeof(totallen),
+					lctx->f, NULL);
+		if (result == ISC_R_EOF) {
+			result = ISC_R_SUCCESS;
+			done = true;
+			break;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_add(&target, sizeof(totallen));
+		totallen = isc_buffer_getuint32(&target);
+
+		/*
+		 * Validation: the input data must at least contain the common
+		 * header.
+		 */
+		minlen = sizeof(totallen) + sizeof(uint16_t) +
+			sizeof(uint16_t) + sizeof(uint16_t) +
+			sizeof(uint32_t) + sizeof(uint32_t);
+		if (totallen < minlen) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		totallen -= sizeof(totallen);
+
+		isc_buffer_clear(&target);
+		if (totallen > isc_buffer_availablelength(&target)) {
+			/*
+			 * The default buffer size should typically be large
+			 * enough to store the entire RRset.  We could try to
+			 * allocate enough space if this is not the case, but
+			 * it might cause a hazardous result when "totallen"
+			 * is forged.  Thus, we'd rather take an inefficient
+			 * but robust approach in this atypical case: read
+			 * data step by step, and commit partial data when
+			 * necessary.  Note that the buffer must be large
+			 * enough to store the "header part", owner name, and
+			 * at least one rdata (however large it is).
+			 */
+			sequential_read = true;
+			readlen = minlen - sizeof(totallen);
+		} else {
+			/*
+			 * Typical case.  We can read the whole RRset at once
+			 * with the default buffer.
+			 */
+			readlen = totallen;
+		}
+		result = isc_stdio_read(target.base, 1, readlen,
+					lctx->f, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		isc_buffer_add(&target, (unsigned int)readlen);
+		totallen -= (uint32_t)readlen;
+
+		/* Construct RRset headers */
+		dns_rdatalist_init(&rdatalist);
+		rdatalist.rdclass = isc_buffer_getuint16(&target);
+		if (lctx->zclass != rdatalist.rdclass) {
+			result = DNS_R_BADCLASS;
+			goto cleanup;
+		}
+		rdatalist.type = isc_buffer_getuint16(&target);
+		rdatalist.covers = isc_buffer_getuint16(&target);
+		rdatalist.ttl =  isc_buffer_getuint32(&target);
+		rdcount = isc_buffer_getuint32(&target);
+		if (rdcount == 0 || rdcount > 0xffff) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		INSIST(isc_buffer_consumedlength(&target) <= readlen);
+
+		/* Owner name: length followed by name */
+		result = read_and_check(sequential_read, &target,
+					sizeof(namelen), lctx->f, &totallen);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		namelen = isc_buffer_getuint16(&target);
+		if (namelen > sizeof(namebuf)) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		result = read_and_check(sequential_read, &target, namelen,
+					lctx->f, &totallen);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		isc_buffer_setactive(&target, (unsigned int)namelen);
+		result = dns_name_fromwire(name, &target, &dctx, 0, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		if ((lctx->options & DNS_MASTER_CHECKTTL) != 0 &&
+		    rdatalist.ttl > lctx->maxttl)
+		{
+			(callbacks->error)(callbacks,
+					   "dns_master_load: "
+					   "TTL %d exceeds configured "
+					   "max-zone-ttl %d",
+					   rdatalist.ttl, lctx->maxttl);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		/* Rdata contents. */
+		if (rdcount > rdata_size) {
+			dns_rdata_t *new_rdata = NULL;
+
+			new_rdata = grow_rdata(rdcount + RDSZ, rdata,
+					       rdata_size, &head,
+					       &dummy, mctx);
+			if (new_rdata == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			rdata_size = rdcount + RDSZ;
+			rdata = new_rdata;
+		}
+
+	continue_read:
+		for (i = 0; i < rdcount; i++) {
+			uint16_t rdlen;
+
+			dns_rdata_init(&rdata[i]);
+
+			if (sequential_read &&
+			    isc_buffer_availablelength(&target) < MINTSIZ) {
+				unsigned int j;
+
+				INSIST(i > 0); /* detect an infinite loop */
+
+				/* Partial Commit. */
+				ISC_LIST_APPEND(head, &rdatalist, link);
+				result = commit(callbacks, lctx, &head, name,
+						NULL, 0);
+				for (j = 0; j < i; j++) {
+					ISC_LIST_UNLINK(rdatalist.rdata,
+							&rdata[j], link);
+					dns_rdata_reset(&rdata[j]);
+				}
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				/* Rewind the buffer and continue */
+				isc_buffer_clear(&target);
+
+				rdcount -= i;
+
+				goto continue_read;
+			}
+
+			/* rdata length */
+			result = read_and_check(sequential_read, &target,
+						sizeof(rdlen), lctx->f,
+						&totallen);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			rdlen = isc_buffer_getuint16(&target);
+
+			/* rdata */
+			result = read_and_check(sequential_read, &target,
+						rdlen, lctx->f, &totallen);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			isc_buffer_setactive(&target, (unsigned int)rdlen);
+			/*
+			 * It is safe to have the source active region and
+			 * the target available region be the same if
+			 * decompression is disabled (see dctx above) and we
+			 * are not downcasing names (options == 0).
+			 */
+			isc_buffer_init(&buf, isc_buffer_current(&target),
+					(unsigned int)rdlen);
+			result = dns_rdata_fromwire(&rdata[i],
+						    rdatalist.rdclass,
+						    rdatalist.type, &target,
+						    &dctx, 0, &buf);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			ISC_LIST_APPEND(rdatalist.rdata, &rdata[i], link);
+		}
+
+		/*
+		 * Sanity check.  Still having remaining space is not
+		 * necessarily critical, but it very likely indicates broken
+		 * or malformed data.
+		 */
+		if (isc_buffer_remaininglength(&target) != 0 || totallen != 0) {
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+
+		ISC_LIST_APPEND(head, &rdatalist, link);
+
+		/* Commit this RRset.  rdatalist will be unlinked. */
+		result = commit(callbacks, lctx, &head, name, NULL, 0);
+
+		for (i = 0; i < rdcount; i++) {
+			ISC_LIST_UNLINK(rdatalist.rdata, &rdata[i], link);
+			dns_rdata_reset(&rdata[i]);
+		}
+
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	if (!done) {
+		INSIST(lctx->done != NULL && lctx->task != NULL);
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS)
+		result = lctx->result;
+
+	if (result == ISC_R_SUCCESS && callbacks->rawdata != NULL)
+		(*callbacks->rawdata)(callbacks->zone, &lctx->header);
+
+ cleanup:
+	if (rdata != NULL)
+		isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+	if (target_mem != NULL)
+		isc_mem_put(mctx, target_mem, target_size);
+	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE) {
+		(*callbacks->error)(callbacks, "dns_master_load: %s",
+				    dns_result_totext(result));
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_master_loadfile(const char *master_file, dns_name_t *top,
+		    dns_name_t *origin,
+		    dns_rdataclass_t zclass, unsigned int options,
+		    dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+	return (dns_master_loadfile5(master_file, top, origin, zclass,
+				     options, 0, callbacks, NULL, NULL,
+				     mctx, dns_masterformat_text, 0));
+}
+
+isc_result_t
+dns_master_loadfile2(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass, unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
+		     dns_masterformat_t format)
+{
+	return (dns_master_loadfile5(master_file, top, origin, zclass,
+				     options, 0, callbacks, NULL, NULL,
+				     mctx, format, 0));
+}
+
+isc_result_t
+dns_master_loadfile3(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options, uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
+		     dns_masterformat_t format)
+{
+	return (dns_master_loadfile5(master_file, top, origin, zclass,
+				     options, resign, callbacks, NULL, NULL,
+				     mctx, format, 0));
+}
+
+isc_result_t
+dns_master_loadfile4(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options, uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     dns_masterincludecb_t include_cb, void *include_arg,
+		     isc_mem_t *mctx, dns_masterformat_t format)
+{
+	return (dns_master_loadfile5(master_file, top, origin, zclass,
+				     options, resign, callbacks,
+				     include_cb, include_arg,
+				     mctx, format, 0));
+}
+
+isc_result_t
+dns_master_loadfile5(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options, uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     dns_masterincludecb_t include_cb, void *include_arg,
+		     isc_mem_t *mctx, dns_masterformat_t format,
+		     dns_ttl_t maxttl)
+{
+	dns_loadctx_t *lctx = NULL;
+	isc_result_t result;
+
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, NULL, NULL, NULL,
+				include_cb, include_arg, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	lctx->maxttl = maxttl;
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file, dns_name_t *top,
+		       dns_name_t *origin, dns_rdataclass_t zclass,
+		       unsigned int options, dns_rdatacallbacks_t *callbacks,
+		       isc_task_t *task, dns_loaddonefunc_t done,
+		       void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+	return (dns_master_loadfileinc4(master_file, top, origin, zclass,
+					options, 0, callbacks, task, done,
+					done_arg, lctxp, NULL, NULL, mctx,
+					dns_masterformat_text));
+}
+
+isc_result_t
+dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task, dns_loaddonefunc_t done,
+			void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx,
+			dns_masterformat_t format)
+{
+	return (dns_master_loadfileinc4(master_file, top, origin, zclass,
+					options, 0, callbacks, task, done,
+					done_arg, lctxp, NULL, NULL, mctx,
+					format));
+}
+
+isc_result_t
+dns_master_loadfileinc3(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, uint32_t resign,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **lctxp, isc_mem_t *mctx,
+			dns_masterformat_t format)
+{
+	return (dns_master_loadfileinc4(master_file, top, origin, zclass,
+					options, resign, callbacks, task,
+					done, done_arg, lctxp, NULL, NULL,
+					mctx, format));
+}
+
+isc_result_t
+dns_master_loadfileinc4(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task, dns_loaddonefunc_t done,
+			void *done_arg, dns_loadctx_t **lctxp,
+			dns_masterincludecb_t include_cb, void *include_arg,
+			isc_mem_t *mctx, dns_masterformat_t format)
+{
+	options &= ~DNS_MASTER_CHECKTTL;
+	return (dns_master_loadfileinc5(master_file, top, origin, zclass,
+					options, resign, callbacks, task,
+					done, done_arg, lctxp, include_cb,
+					include_arg, mctx, format, 0));
+}
+
+isc_result_t
+dns_master_loadfileinc5(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task, dns_loaddonefunc_t done,
+			void *done_arg, dns_loadctx_t **lctxp,
+			dns_masterincludecb_t include_cb, void *include_arg,
+			isc_mem_t *mctx, dns_masterformat_t format,
+			uint32_t maxttl)
+{
+	dns_loadctx_t *lctx = NULL;
+	isc_result_t result;
+
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, task, done, done_arg,
+				include_cb, include_arg, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	lctx->maxttl = maxttl;
+
+	result = (lctx->openfile)(lctx, master_file);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+ cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
+		      dns_rdataclass_t zclass, unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(stream != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_lex_openstream(lctx->lex, stream);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+	if (lctx != NULL)
+		dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
+			 dns_rdataclass_t zclass, unsigned int options,
+			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(stream != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_lex_openstream(lctx->lex, stream);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+ cleanup:
+	if (lctx != NULL)
+		dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
+		      dns_name_t *origin, dns_rdataclass_t zclass,
+		      unsigned int options,
+		      dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(buffer != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_lex_openbuffer(lctx->lex, buffer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
+			 dns_name_t *origin, dns_rdataclass_t zclass,
+			 unsigned int options,
+			 dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			 dns_loaddonefunc_t done, void *done_arg,
+			 dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, NULL, NULL, NULL, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_lex_openbuffer(lctx->lex, buffer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+ cleanup:
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, NULL, NULL, NULL,
+				NULL, NULL, lex, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = (lctx->load)(lctx);
+	INSIST(result != DNS_R_CONTINUE);
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_loadctx_t *lctx = NULL;
+
+	REQUIRE(lex != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(done != NULL);
+
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
+				zclass, origin, callbacks, task, done,
+				done_arg, NULL, NULL, lex, &lctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = task_send(lctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_loadctx_attach(lctx, lctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+	dns_loadctx_detach(&lctx);
+	return (result);
+}
+
+/*
+ * Grow the slab of dns_rdatalist_t structures.
+ * Re-link glue and current list.
+ */
+static dns_rdatalist_t *
+grow_rdatalist(int new_len, dns_rdatalist_t *oldlist, int old_len,
+	       rdatalist_head_t *current, rdatalist_head_t *glue,
+	       isc_mem_t *mctx)
+{
+	dns_rdatalist_t *newlist;
+	int rdlcount = 0;
+	ISC_LIST(dns_rdatalist_t) save;
+	dns_rdatalist_t *this;
+
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL)
+		return (NULL);
+
+	ISC_LIST_INIT(save);
+	while ((this = ISC_LIST_HEAD(*current)) != NULL) {
+		ISC_LIST_UNLINK(*current, this, link);
+		ISC_LIST_APPEND(save, this, link);
+	}
+	while ((this = ISC_LIST_HEAD(save)) != NULL) {
+		ISC_LIST_UNLINK(save, this, link);
+		INSIST(rdlcount < new_len);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*current, &newlist[rdlcount], link);
+		rdlcount++;
+	}
+
+	ISC_LIST_INIT(save);
+	while ((this = ISC_LIST_HEAD(*glue)) != NULL) {
+		ISC_LIST_UNLINK(*glue, this, link);
+		ISC_LIST_APPEND(save, this, link);
+	}
+	while ((this = ISC_LIST_HEAD(save)) != NULL) {
+		ISC_LIST_UNLINK(save, this, link);
+		INSIST(rdlcount < new_len);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*glue, &newlist[rdlcount], link);
+		rdlcount++;
+	}
+
+	INSIST(rdlcount == old_len);
+	if (oldlist != NULL)
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	return (newlist);
+}
+
+/*
+ * Grow the slab of rdata structs.
+ * Re-link the current and glue chains.
+ */
+static dns_rdata_t *
+grow_rdata(int new_len, dns_rdata_t *oldlist, int old_len,
+	   rdatalist_head_t *current, rdatalist_head_t *glue,
+	   isc_mem_t *mctx)
+{
+	dns_rdata_t *newlist;
+	int rdcount = 0;
+	ISC_LIST(dns_rdata_t) save;
+	dns_rdatalist_t *this;
+	dns_rdata_t *rdata;
+
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL)
+		return (NULL);
+	memset(newlist, 0, new_len * sizeof(*newlist));
+
+	/*
+	 * Copy current relinking.
+	 */
+	this = ISC_LIST_HEAD(*current);
+	while (this != NULL) {
+		ISC_LIST_INIT(save);
+		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+			ISC_LIST_UNLINK(this->rdata, rdata, link);
+			ISC_LIST_APPEND(save, rdata, link);
+		}
+		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+			ISC_LIST_UNLINK(save, rdata, link);
+			INSIST(rdcount < new_len);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
+			rdcount++;
+		}
+		this = ISC_LIST_NEXT(this, link);
+	}
+
+	/*
+	 * Copy glue relinking.
+	 */
+	this = ISC_LIST_HEAD(*glue);
+	while (this != NULL) {
+		ISC_LIST_INIT(save);
+		while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+			ISC_LIST_UNLINK(this->rdata, rdata, link);
+			ISC_LIST_APPEND(save, rdata, link);
+		}
+		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+			ISC_LIST_UNLINK(save, rdata, link);
+			INSIST(rdcount < new_len);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
+			rdcount++;
+		}
+		this = ISC_LIST_NEXT(this, link);
+	}
+	INSIST(rdcount == old_len || rdcount == 0);
+	if (oldlist != NULL)
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	return (newlist);
+}
+
+static uint32_t
+resign_fromlist(dns_rdatalist_t *this, dns_loadctx_t *lctx) {
+	dns_rdata_t *rdata;
+	dns_rdata_rrsig_t sig;
+	uint32_t when;
+
+	rdata = ISC_LIST_HEAD(this->rdata);
+	INSIST(rdata != NULL);
+	(void)dns_rdata_tostruct(rdata, &sig, NULL);
+	if (isc_serial_gt(sig.timesigned, lctx->now))
+		when = lctx->now;
+	else
+		when = sig.timeexpire - lctx->resign;
+
+	rdata = ISC_LIST_NEXT(rdata, link);
+	while (rdata != NULL) {
+		(void)dns_rdata_tostruct(rdata, &sig, NULL);
+		if (isc_serial_gt(sig.timesigned, lctx->now))
+			when = lctx->now;
+		else if (sig.timeexpire - lctx->resign < when)
+			when = sig.timeexpire - lctx->resign;
+		rdata = ISC_LIST_NEXT(rdata, link);
+	}
+	return (when);
+}
+
+/*
+ * Convert each element from a rdatalist_t to rdataset then call commit.
+ * Unlink each element as we go.
+ */
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
+       rdatalist_head_t *head, dns_name_t *owner,
+       const char *source, unsigned int line)
+{
+	dns_rdatalist_t *this;
+	dns_rdataset_t dataset;
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	void    (*error)(struct dns_rdatacallbacks *, const char *, ...);
+
+	this = ISC_LIST_HEAD(*head);
+	error = callbacks->error;
+
+	if (this == NULL)
+		return (ISC_R_SUCCESS);
+	do {
+		dns_rdataset_init(&dataset);
+		RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
+			      == ISC_R_SUCCESS);
+		dataset.trust = dns_trust_ultimate;
+		/*
+		 * If this is a secure dynamic zone set the re-signing time.
+		 */
+		if (dataset.type == dns_rdatatype_rrsig &&
+		    (lctx->options & DNS_MASTER_RESIGN) != 0) {
+			dataset.attributes |= DNS_RDATASETATTR_RESIGN;
+			dataset.resign = resign_fromlist(this, lctx);
+		}
+		result = ((*callbacks->add)(callbacks->add_private, owner,
+					    &dataset));
+		if (result == ISC_R_NOMEMORY) {
+			(*error)(callbacks, "dns_master_load: %s",
+				 dns_result_totext(result));
+		} else if (result != ISC_R_SUCCESS) {
+			dns_name_format(owner, namebuf, sizeof(namebuf));
+			if (source != NULL) {
+				(*error)(callbacks, "%s: %s:%lu: %s: %s",
+					 "dns_master_load", source, line,
+					 namebuf, dns_result_totext(result));
+			} else {
+				(*error)(callbacks, "%s: %s: %s",
+					 "dns_master_load", namebuf,
+					 dns_result_totext(result));
+			}
+		}
+		if (MANYERRS(lctx, result))
+			SETRESULT(lctx, result);
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+		ISC_LIST_UNLINK(*head, this, link);
+		this = ISC_LIST_HEAD(*head);
+	} while (this != NULL);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Returns true if one of the NS rdata's contains 'owner'.
+ */
+
+static bool
+is_glue(rdatalist_head_t *head, dns_name_t *owner) {
+	dns_rdatalist_t *this;
+	dns_rdata_t *rdata;
+	isc_region_t region;
+	dns_name_t name;
+
+	/*
+	 * Find NS rrset.
+	 */
+	this = ISC_LIST_HEAD(*head);
+	while (this != NULL) {
+		if (this->type == dns_rdatatype_ns)
+			break;
+		this = ISC_LIST_NEXT(this, link);
+	}
+	if (this == NULL)
+		return (false);
+
+	rdata = ISC_LIST_HEAD(this->rdata);
+	while (rdata != NULL) {
+		dns_name_init(&name, NULL);
+		dns_rdata_toregion(rdata, &region);
+		dns_name_fromregion(&name, &region);
+		if (dns_name_compare(&name, owner) == 0)
+			return (true);
+		rdata = ISC_LIST_NEXT(rdata, link);
+	}
+	return (false);
+}
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_loadctx_t *lctx;
+
+	REQUIRE(event != NULL);
+	lctx = event->ev_arg;
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	if (lctx->canceled)
+		result = ISC_R_CANCELED;
+	else
+		result = (lctx->load)(lctx);
+	if (result == DNS_R_CONTINUE) {
+		event->ev_arg = lctx;
+		isc_task_send(task, &event);
+	} else {
+		(lctx->done)(lctx->done_arg, result);
+		isc_event_free(&event);
+		dns_loadctx_detach(&lctx);
+	}
+}
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(lctx->mctx, NULL,
+				   DNS_EVENT_MASTERQUANTUM,
+				   load_quantum, lctx, sizeof(*event));
+	if (event == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_task_send(lctx->task, &event);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_loadctx_cancel(dns_loadctx_t *lctx) {
+	REQUIRE(DNS_LCTX_VALID(lctx));
+
+	LOCK(&lctx->lock);
+	lctx->canceled = true;
+	UNLOCK(&lctx->lock);
+}
+
+void
+dns_master_initrawheader(dns_masterrawheader_t *header) {
+	memset(header, 0, sizeof(dns_masterrawheader_t));
+}
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
new file mode 100644
index 0000000..4d09d16
--- /dev/null
+++ b/lib/dns/masterdump.c
@@ -0,0 +1,2127 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define DNS_DCTX_MAGIC		ISC_MAGIC('D', 'c', 't', 'x')
+#define DNS_DCTX_VALID(d)	ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+#define CHECK(x) do { \
+	if ((x) != ISC_R_SUCCESS) \
+		goto cleanup; \
+	} while (0)
+
+struct dns_master_style {
+	dns_masterstyle_flags_t flags;		/* DNS_STYLEFLAG_* */
+	unsigned int ttl_column;
+	unsigned int class_column;
+	unsigned int type_column;
+	unsigned int rdata_column;
+	unsigned int line_length;
+	unsigned int tab_width;
+	unsigned int split_width;
+};
+
+/*%
+ * The maximum length of the newline+indentation that is output
+ * when inserting a line break in an RR.  This effectively puts an
+ * upper limits on the value of "rdata_column", because if it is
+ * very large, the tabs and spaces needed to reach it will not fit.
+ */
+#define DNS_TOTEXT_LINEBREAK_MAXLEN 100
+
+/*%
+ * Context structure for a masterfile dump in progress.
+ */
+typedef struct dns_totext_ctx {
+	dns_master_style_t	style;
+	bool 		class_printed;
+	char *			linebreak;
+	char 			linebreak_buf[DNS_TOTEXT_LINEBREAK_MAXLEN];
+	dns_name_t *		origin;
+	dns_name_t *		neworigin;
+	dns_fixedname_t		origin_fixname;
+	uint32_t 		current_ttl;
+	bool 		current_ttl_valid;
+} dns_totext_ctx_t;
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_keyzone = {
+	DNS_STYLEFLAG_OMIT_OWNER |
+	DNS_STYLEFLAG_OMIT_CLASS |
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_REL_DATA |
+	DNS_STYLEFLAG_OMIT_TTL |
+	DNS_STYLEFLAG_TTL |
+	DNS_STYLEFLAG_COMMENT |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_MULTILINE |
+	DNS_STYLEFLAG_KEYDATA,
+	24, 24, 24, 32, 80, 8, UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_default = {
+	DNS_STYLEFLAG_OMIT_OWNER |
+	DNS_STYLEFLAG_OMIT_CLASS |
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_REL_DATA |
+	DNS_STYLEFLAG_OMIT_TTL |
+	DNS_STYLEFLAG_TTL |
+	DNS_STYLEFLAG_COMMENT |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_MULTILINE,
+	24, 24, 24, 32, 80, 8, UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_full = {
+	DNS_STYLEFLAG_COMMENT |
+	DNS_STYLEFLAG_RESIGN,
+	46, 46, 46, 64, 120, 8, UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_explicitttl = {
+	DNS_STYLEFLAG_OMIT_OWNER |
+	DNS_STYLEFLAG_OMIT_CLASS |
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_REL_DATA |
+	DNS_STYLEFLAG_COMMENT |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_MULTILINE,
+	24, 32, 32, 40, 80, 8, UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_cache = {
+	DNS_STYLEFLAG_OMIT_OWNER |
+	DNS_STYLEFLAG_OMIT_CLASS |
+	DNS_STYLEFLAG_MULTILINE |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_TRUST |
+	DNS_STYLEFLAG_NCACHE,
+	24, 32, 32, 40, 80, 8, UINT_MAX
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_simple = {
+	0,
+	24, 32, 32, 40, 80, 8, UINT_MAX
+};
+
+/*%
+ * A style suitable for dns_rdataset_totext().
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_debug = {
+	DNS_STYLEFLAG_REL_OWNER,
+	24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
+/*%
+ * Similar, but indented (i.e., prepended with dns_master_indentstr).
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_indent = {
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_INDENT,
+	24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
+/*%
+ * Similar, but with each line commented out.
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_comment = {
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_MULTILINE |
+	DNS_STYLEFLAG_RRCOMMENT |
+	DNS_STYLEFLAG_COMMENTDATA,
+	24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
+/*%
+ * YAML style
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_yaml = {
+	DNS_STYLEFLAG_YAML |
+	DNS_STYLEFLAG_REL_OWNER |
+	DNS_STYLEFLAG_INDENT,
+	24, 32, 40, 48, 80, 8, UINT_MAX
+};
+
+/*%
+ * Default indent string.
+ */
+LIBDNS_EXTERNAL_DATA const char *dns_master_indentstr = "\t";
+LIBDNS_EXTERNAL_DATA unsigned int dns_master_indent = 1;
+
+#define N_SPACES 10
+static char spaces[N_SPACES+1] = "          ";
+
+#define N_TABS 10
+static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
+
+struct dns_dumpctx {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_mutex_t		lock;
+	unsigned int		references;
+	bool		canceled;
+	bool		first;
+	bool		do_date;
+	isc_stdtime_t		now;
+	FILE			*f;
+	dns_db_t		*db;
+	dns_dbversion_t		*version;
+	dns_dbiterator_t	*dbiter;
+	dns_totext_ctx_t	tctx;
+	isc_task_t		*task;
+	dns_dumpdonefunc_t	done;
+	void			*done_arg;
+	unsigned int		nodes;
+	/* dns_master_dumpinc() */
+	char			*file;
+	char 			*tmpfile;
+	dns_masterformat_t	format;
+	dns_masterrawheader_t	header;
+	isc_result_t		(*dumpsets)(isc_mem_t *mctx, dns_name_t *name,
+					    dns_rdatasetiter_t *rdsiter,
+					    dns_totext_ctx_t *ctx,
+					    isc_buffer_t *buffer, FILE *f);
+};
+
+#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+
+/*%
+ * Output tabs and spaces to go from column '*current' to
+ * column 'to', and update '*current' to reflect the new
+ * current column.
+ */
+static isc_result_t
+indent(unsigned int *current, unsigned int to, int tabwidth,
+       isc_buffer_t *target)
+{
+	isc_region_t r;
+	unsigned char *p;
+	unsigned int from;
+	int ntabs, nspaces, t;
+
+	from = *current;
+
+	if (to < from + 1)
+		to = from + 1;
+
+	ntabs = to / tabwidth - from / tabwidth;
+	if (ntabs < 0)
+		ntabs = 0;
+
+	if (ntabs > 0) {
+		isc_buffer_availableregion(target, &r);
+		if (r.length < (unsigned) ntabs)
+			return (ISC_R_NOSPACE);
+		p = r.base;
+
+		t = ntabs;
+		while (t) {
+			int n = t;
+			if (n > N_TABS)
+				n = N_TABS;
+			memmove(p, tabs, n);
+			p += n;
+			t -= n;
+		}
+		isc_buffer_add(target, ntabs);
+		from = (to / tabwidth) * tabwidth;
+	}
+
+	nspaces = to - from;
+	INSIST(nspaces >= 0);
+
+	isc_buffer_availableregion(target, &r);
+	if (r.length < (unsigned) nspaces)
+		return (ISC_R_NOSPACE);
+	p = r.base;
+
+	t = nspaces;
+	while (t) {
+		int n = t;
+		if (n > N_SPACES)
+			n = N_SPACES;
+		memmove(p, spaces, n);
+		p += n;
+		t -= n;
+	}
+	isc_buffer_add(target, nspaces);
+
+	*current = to;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
+	isc_result_t result;
+
+	REQUIRE(style->tab_width != 0);
+
+	ctx->style = *style;
+	ctx->class_printed = false;
+
+	dns_fixedname_init(&ctx->origin_fixname);
+
+	/*
+	 * Set up the line break string if needed.
+	 */
+	if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		isc_buffer_t buf;
+		isc_region_t r;
+		unsigned int col = 0;
+
+		isc_buffer_init(&buf, ctx->linebreak_buf,
+				sizeof(ctx->linebreak_buf));
+
+		isc_buffer_availableregion(&buf, &r);
+		if (r.length < 1)
+			return (DNS_R_TEXTTOOLONG);
+		r.base[0] = '\n';
+		isc_buffer_add(&buf, 1);
+
+		if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+		    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+		{
+			unsigned int i, len = strlen(dns_master_indentstr);
+			for (i = 0; i < dns_master_indent; i++) {
+				if (isc_buffer_availablelength(&buf) < len)
+					return (DNS_R_TEXTTOOLONG);
+				isc_buffer_putstr(&buf, dns_master_indentstr);
+			}
+		}
+
+		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0) {
+			isc_buffer_availableregion(&buf, &r);
+			if (r.length < 1)
+				return (DNS_R_TEXTTOOLONG);
+			r.base[0] = ';';
+			isc_buffer_add(&buf, 1);
+		}
+
+		result = indent(&col, ctx->style.rdata_column,
+				ctx->style.tab_width, &buf);
+		/*
+		 * Do not return ISC_R_NOSPACE if the line break string
+		 * buffer is too small, because that would just make
+		 * dump_rdataset() retry indefinitely with ever
+		 * bigger target buffers.  That's a different buffer,
+		 * so it won't help.  Use DNS_R_TEXTTOOLONG as a substitute.
+		 */
+		if (result == ISC_R_NOSPACE)
+			return (DNS_R_TEXTTOOLONG);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		isc_buffer_availableregion(&buf, &r);
+		if (r.length < 1)
+			return (DNS_R_TEXTTOOLONG);
+		r.base[0] = '\0';
+		isc_buffer_add(&buf, 1);
+		ctx->linebreak = ctx->linebreak_buf;
+	} else {
+		ctx->linebreak = NULL;
+	}
+
+	ctx->origin = NULL;
+	ctx->neworigin = NULL;
+	ctx->current_ttl = 0;
+	ctx->current_ttl_valid = false;
+
+	return (ISC_R_SUCCESS);
+}
+
+#define INDENT_TO(col) \
+	do { \
+		 if ((ctx->style.flags & DNS_STYLEFLAG_YAML) != 0) { \
+			if ((result = str_totext(" ", target)) \
+			    != ISC_R_SUCCESS) \
+				return (result); \
+		 } else if ((result = indent(&column, ctx->style.col, \
+				      ctx->style.tab_width, target)) \
+		     != ISC_R_SUCCESS) \
+			    return (result); \
+	} while (0)
+
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+ncache_summary(dns_rdataset_t *rdataset, bool omit_final_dot,
+	       isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdataset_t rds;
+	dns_name_t name;
+
+	dns_rdataset_init(&rds);
+	dns_name_init(&name, NULL);
+
+	do {
+		dns_ncache_current(rdataset, &name, &rds);
+		for (result = dns_rdataset_first(&rds);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rds)) {
+			CHECK(str_totext("; ", target));
+			CHECK(dns_name_totext(&name, omit_final_dot, target));
+			CHECK(str_totext(" ", target));
+			CHECK(dns_rdatatype_totext(rds.type, target));
+			if (rds.type == dns_rdatatype_rrsig) {
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdatatype_totext(rds.covers, target));
+				CHECK(str_totext(" ...\n", target));
+			} else {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rds, &rdata);
+				CHECK(str_totext(" ", target));
+				CHECK(dns_rdata_tofmttext(&rdata, dns_rootname,
+							  0, 0, 0, " ", target));
+				CHECK(str_totext("\n", target));
+			}
+		}
+		dns_rdataset_disassociate(&rds);
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ cleanup:
+	if (dns_rdataset_isassociated(&rds))
+		dns_rdataset_disassociate(&rds);
+
+	return (result);
+}
+
+/*
+ * Convert 'rdataset' to master file text format according to 'ctx',
+ * storing the result in 'target'.  If 'owner_name' is NULL, it
+ * is omitted; otherwise 'owner_name' must be valid and have at least
+ * one label.
+ */
+
+static isc_result_t
+rdataset_totext(dns_rdataset_t *rdataset,
+		dns_name_t *owner_name,
+		dns_totext_ctx_t *ctx,
+		bool omit_final_dot,
+		isc_buffer_t *target)
+{
+	isc_result_t result;
+	unsigned int column;
+	bool first = true;
+	uint32_t current_ttl;
+	bool current_ttl_valid;
+	dns_rdatatype_t type;
+	unsigned int type_start;
+	dns_fixedname_t fixed;
+	dns_name_t *name = NULL;
+	unsigned int i;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+	result = dns_rdataset_first(rdataset);
+
+	current_ttl = ctx->current_ttl;
+	current_ttl_valid = ctx->current_ttl_valid;
+
+	if (owner_name != NULL) {
+		name = dns_fixedname_initname(&fixed);
+		dns_name_copy(owner_name, name, NULL);
+		dns_rdataset_getownercase(rdataset, name);
+	}
+
+	while (result == ISC_R_SUCCESS) {
+		column = 0;
+
+		/*
+		 * Indent?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+		    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			for (i = 0; i < dns_master_indent; i++)
+				RETERR(str_totext(dns_master_indentstr,
+						  target));
+
+		/*
+		 * YAML enumerator?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_YAML) != 0) {
+			RETERR(str_totext("- ", target));
+		}
+
+		/*
+		 * Comment?
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_COMMENTDATA) != 0)
+			RETERR(str_totext(";", target));
+
+		/*
+		 * Owner name.
+		 */
+		if (name != NULL &&
+		    ! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
+		       !first))
+		{
+			unsigned int name_start = target->used;
+			RETERR(dns_name_totext(name, omit_final_dot, target));
+			column += target->used - name_start;
+		}
+
+		/*
+		 * TTL.
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
+		    !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
+		      current_ttl_valid &&
+		      rdataset->ttl == current_ttl))
+		{
+			char ttlbuf[64];
+			isc_region_t r;
+			unsigned int length;
+
+			INDENT_TO(ttl_column);
+			if ((ctx->style.flags & DNS_STYLEFLAG_TTL_UNITS) != 0) {
+				length = target->used;
+				result = dns_ttl_totext2(rdataset->ttl,
+							false, false,
+							target);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				column += target->used - length;
+			} else {
+				length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
+						  rdataset->ttl);
+				INSIST(length <= sizeof(ttlbuf));
+				isc_buffer_availableregion(target, &r);
+				if (r.length < length)
+					return (ISC_R_NOSPACE);
+				memmove(r.base, ttlbuf, length);
+				isc_buffer_add(target, length);
+				column += length;
+			}
+
+			/*
+			 * If the $TTL directive is not in use, the TTL we
+			 * just printed becomes the default for subsequent RRs.
+			 */
+			if ((ctx->style.flags & DNS_STYLEFLAG_TTL) == 0) {
+				current_ttl = rdataset->ttl;
+				current_ttl_valid = true;
+			}
+		}
+
+		/*
+		 * Class.
+		 */
+		if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
+		    ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
+		     ctx->class_printed == false))
+		{
+			unsigned int class_start;
+			INDENT_TO(class_column);
+			class_start = target->used;
+			if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0)
+				result = dns_rdataclass_tounknowntext
+					(rdataset->rdclass, target);
+			else
+				result = dns_rdataclass_totext
+					(rdataset->rdclass, target);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			column += (target->used - class_start);
+		}
+
+		/*
+		 * Type.
+		 */
+
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			type = rdataset->covers;
+		} else {
+			type = rdataset->type;
+		}
+
+		INDENT_TO(type_column);
+		type_start = target->used;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+			RETERR(str_totext("\\-", target));
+		switch (type) {
+		case dns_rdatatype_keydata:
+#define KEYDATA "KEYDATA"
+			if ((ctx->style.flags & DNS_STYLEFLAG_KEYDATA) != 0) {
+				if (isc_buffer_availablelength(target) <
+				    (sizeof(KEYDATA) - 1))
+					return (ISC_R_NOSPACE);
+				isc_buffer_putstr(target, KEYDATA);
+				break;
+			}
+			/* FALLTHROUGH */
+		default:
+			if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0)
+				result = dns_rdatatype_tounknowntext(type, target);
+			else
+				result = dns_rdatatype_totext(type, target);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		column += (target->used - type_start);
+
+		/*
+		 * Rdata.
+		 */
+		INDENT_TO(rdata_column);
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				for (i = 0; i < dns_master_indent; i++)
+					RETERR(str_totext(dns_master_indentstr,
+							  target));
+			}
+			if (NXDOMAIN(rdataset))
+				RETERR(str_totext(";-$NXDOMAIN\n", target));
+			else
+				RETERR(str_totext(";-$NXRRSET\n", target));
+			/*
+			 * Print a summary of the cached records which make
+			 * up the negative response.
+			 */
+			RETERR(ncache_summary(rdataset, omit_final_dot,
+					      target));
+			break;
+		} else {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			isc_region_t r;
+
+			dns_rdataset_current(rdataset, &rdata);
+
+			RETERR(dns_rdata_tofmttext(&rdata,
+						   ctx->origin,
+						   (unsigned int)
+						   ctx->style.flags,
+						   ctx->style.line_length -
+						       ctx->style.rdata_column,
+						   ctx->style.split_width,
+						   ctx->linebreak,
+						   target));
+
+			isc_buffer_availableregion(target, &r);
+			if (r.length < 1)
+				return (ISC_R_NOSPACE);
+			r.base[0] = '\n';
+			isc_buffer_add(target, 1);
+		}
+
+		first = false;
+		result = dns_rdataset_next(rdataset);
+	}
+
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	/*
+	 * Update the ctx state to reflect what we just printed.
+	 * This is done last, only when we are sure we will return
+	 * success, because this function may be called multiple
+	 * times with increasing buffer sizes until it succeeds,
+	 * and failed attempts must not update the state prematurely.
+	 */
+	ctx->class_printed = true;
+	ctx->current_ttl= current_ttl;
+	ctx->current_ttl_valid = current_ttl_valid;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Print the name, type, and class of an empty rdataset,
+ * such as those used to represent the question section
+ * of a DNS message.
+ */
+static isc_result_t
+question_totext(dns_rdataset_t *rdataset,
+		dns_name_t *owner_name,
+		dns_totext_ctx_t *ctx,
+		bool omit_final_dot,
+		isc_buffer_t *target)
+{
+	unsigned int column;
+	isc_result_t result;
+	isc_region_t r;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	result = dns_rdataset_first(rdataset);
+	REQUIRE(result == ISC_R_NOMORE);
+
+	column = 0;
+
+	/* Owner name */
+	{
+		unsigned int name_start = target->used;
+		RETERR(dns_name_totext(owner_name,
+				       omit_final_dot,
+				       target));
+		column += target->used - name_start;
+	}
+
+	/* Class */
+	{
+		unsigned int class_start;
+		INDENT_TO(class_column);
+		class_start = target->used;
+		if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0)
+			result = dns_rdataclass_tounknowntext(rdataset->rdclass,
+							      target);
+		else
+			result = dns_rdataclass_totext(rdataset->rdclass,
+						       target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		column += (target->used - class_start);
+	}
+
+	/* Type */
+	{
+		unsigned int type_start;
+		INDENT_TO(type_column);
+		type_start = target->used;
+		if ((ctx->style.flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0)
+			result = dns_rdatatype_tounknowntext(rdataset->type,
+							     target);
+		else
+			result = dns_rdatatype_totext(rdataset->type,
+						      target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		column += (target->used - type_start);
+	}
+
+	isc_buffer_availableregion(target, &r);
+	if (r.length < 1)
+		return (ISC_R_NOSPACE);
+	r.base[0] = '\n';
+	isc_buffer_add(target, 1);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    bool omit_final_dot,
+		    bool question,
+		    isc_buffer_t *target)
+{
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(&dns_master_style_debug, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * The caller might want to give us an empty owner
+	 * name (e.g. if they are outputting into a master
+	 * file and this rdataset has the same name as the
+	 * previous one.)
+	 */
+	if (dns_name_countlabels(owner_name) == 0)
+		owner_name = NULL;
+
+	if (question)
+		return (question_totext(rdataset, owner_name, &ctx,
+					omit_final_dot, target));
+	else
+		return (rdataset_totext(rdataset, owner_name, &ctx,
+					omit_final_dot, target));
+}
+
+isc_result_t
+dns_master_rdatasettotext(dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t *target)
+{
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(style, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (rdataset_totext(rdataset, owner_name, &ctx,
+				false, target));
+}
+
+isc_result_t
+dns_master_questiontotext(dns_name_t *owner_name,
+			  dns_rdataset_t *rdataset,
+			  const dns_master_style_t *style,
+			  isc_buffer_t *target)
+{
+	dns_totext_ctx_t ctx;
+	isc_result_t result;
+	result = totext_ctx_init(style, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (question_totext(rdataset, owner_name, &ctx,
+				false, target));
+}
+
+/*
+ * Print an rdataset.  'buffer' is a scratch buffer, which must have been
+ * dynamically allocated by the caller.  It must be large enough to
+ * hold the result from dns_ttl_totext().  If more than that is needed,
+ * the buffer will be grown automatically.
+ */
+
+static isc_result_t
+dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
+	      dns_totext_ctx_t *ctx,
+	      isc_buffer_t *buffer, FILE *f)
+{
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(buffer->length > 0);
+
+	/*
+	 * Output a $TTL directive if needed.
+	 */
+
+	if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
+		if (ctx->current_ttl_valid == false ||
+		    ctx->current_ttl != rdataset->ttl)
+		{
+			if ((ctx->style.flags & DNS_STYLEFLAG_COMMENT) != 0)
+			{
+				isc_buffer_clear(buffer);
+				result = dns_ttl_totext(rdataset->ttl,
+							true, buffer);
+				INSIST(result == ISC_R_SUCCESS);
+				isc_buffer_usedregion(buffer, &r);
+				fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
+					(int) r.length, (char *) r.base);
+			} else {
+				fprintf(f, "$TTL %u\n", rdataset->ttl);
+			}
+			ctx->current_ttl = rdataset->ttl;
+			ctx->current_ttl_valid = true;
+		}
+	}
+
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Generate the text representation of the rdataset into
+	 * the buffer.  If the buffer is too small, grow it.
+	 */
+	for (;;) {
+		int newlength;
+		void *newmem;
+		result = rdataset_totext(rdataset, name, ctx,
+					 false, buffer);
+		if (result != ISC_R_NOSPACE)
+			break;
+
+		newlength = buffer->length * 2;
+		newmem = isc_mem_get(mctx, newlength);
+		if (newmem == NULL)
+			return (ISC_R_NOMEMORY);
+		isc_mem_put(mctx, buffer->base, buffer->length);
+		isc_buffer_init(buffer, newmem, newlength);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Write the buffer contents to the master file.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "master file write failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Define the order in which rdatasets should be printed in zone
+ * files.  We will print SOA and NS records before others, SIGs
+ * immediately following the things they sign, and order everything
+ * else by RR number.  This is all just for aesthetics and
+ * compatibility with buggy software that expects the SOA to be first;
+ * the DNS specifications allow any order.
+ */
+
+static int
+dump_order(const dns_rdataset_t *rds) {
+	int t;
+	int sig;
+	if (rds->type == dns_rdatatype_rrsig) {
+		t = rds->covers;
+		sig = 1;
+	} else {
+		t = rds->type;
+		sig = 0;
+	}
+	switch (t) {
+	case dns_rdatatype_soa:
+		t = 0;
+		break;
+	case dns_rdatatype_ns:
+		t = 1;
+		break;
+	default:
+		t += 2;
+		break;
+	}
+	return (t << 1) + sig;
+}
+
+static int
+dump_order_compare(const void *a, const void *b) {
+	return (dump_order(*((const dns_rdataset_t * const *) a)) -
+		dump_order(*((const dns_rdataset_t * const *) b)));
+}
+
+/*
+ * Dump all the rdatasets of a domain name to a master file.  We make
+ * a "best effort" attempt to sort the RRsets in a nice order, but if
+ * there are more than MAXSORT RRsets, we punt and only sort them in
+ * groups of MAXSORT.  This is not expected to ever happen in practice
+ * since much less than 64 RR types have been registered with the
+ * IANA, so far, and the output will be correct (though not
+ * aesthetically pleasing) even if it does happen.
+ */
+
+#define MAXSORT 64
+
+static isc_result_t
+dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
+		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		    isc_buffer_t *buffer, FILE *f)
+{
+	isc_result_t itresult, dumpresult;
+	isc_region_t r;
+	dns_rdataset_t rdatasets[MAXSORT];
+	dns_rdataset_t *sorted[MAXSORT];
+	int i, n;
+
+	itresult = dns_rdatasetiter_first(rdsiter);
+	dumpresult = ISC_R_SUCCESS;
+
+	if (itresult == ISC_R_SUCCESS && ctx->neworigin != NULL) {
+		isc_buffer_clear(buffer);
+		itresult = dns_name_totext(ctx->neworigin, false, buffer);
+		RUNTIME_CHECK(itresult == ISC_R_SUCCESS);
+		isc_buffer_usedregion(buffer, &r);
+		fprintf(f, "$ORIGIN %.*s\n", (int) r.length, (char *) r.base);
+		ctx->neworigin = NULL;
+	}
+
+ again:
+	for (i = 0;
+	     itresult == ISC_R_SUCCESS && i < MAXSORT;
+	     itresult = dns_rdatasetiter_next(rdsiter), i++) {
+		dns_rdataset_init(&rdatasets[i]);
+		dns_rdatasetiter_current(rdsiter, &rdatasets[i]);
+		sorted[i] = &rdatasets[i];
+	}
+	n = i;
+	INSIST(n <= MAXSORT);
+
+	qsort(sorted, n, sizeof(sorted[0]), dump_order_compare);
+
+	for (i = 0; i < n; i++) {
+		dns_rdataset_t *rds = sorted[i];
+		if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				unsigned int j;
+				for (j = 0; j < dns_master_indent; j++)
+					fprintf(f, "%s", dns_master_indentstr);
+			}
+			fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
+		}
+		if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+			/* Omit negative cache entries */
+		} else {
+			isc_result_t result =
+				dump_rdataset(mctx, name, rds, ctx,
+					       buffer, f);
+			if (result != ISC_R_SUCCESS)
+				dumpresult = result;
+			if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
+				name = NULL;
+		}
+		if (ctx->style.flags & DNS_STYLEFLAG_RESIGN &&
+		    rds->attributes & DNS_RDATASETATTR_RESIGN) {
+			isc_buffer_t b;
+			char buf[sizeof("YYYYMMDDHHMMSS")];
+			memset(buf, 0, sizeof(buf));
+			isc_buffer_init(&b, buf, sizeof(buf) - 1);
+			dns_time64_totext((uint64_t)rds->resign, &b);
+			if ((ctx->style.flags & DNS_STYLEFLAG_INDENT) != 0 ||
+			    (ctx->style.flags & DNS_STYLEFLAG_YAML) != 0)
+			{
+				unsigned int j;
+				for (j = 0; j < dns_master_indent; j++)
+					fprintf(f, "%s", dns_master_indentstr);
+			}
+			fprintf(f, "; resign=%s\n", buf);
+		}
+		dns_rdataset_disassociate(rds);
+	}
+
+	if (dumpresult != ISC_R_SUCCESS)
+		return (dumpresult);
+
+	/*
+	 * If we got more data than could be sorted at once,
+	 * go handle the rest.
+	 */
+	if (itresult == ISC_R_SUCCESS)
+		goto again;
+
+	if (itresult == ISC_R_NOMORE)
+		itresult = ISC_R_SUCCESS;
+
+	return (itresult);
+}
+
+/*
+ * Dump given RRsets in the "raw" format.
+ */
+static isc_result_t
+dump_rdataset_raw(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
+		  isc_buffer_t *buffer, FILE *f)
+{
+	isc_result_t result;
+	uint32_t totallen;
+	uint16_t dlen;
+	isc_region_t r, r_hdr;
+
+	REQUIRE(buffer->length > 0);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
+ restart:
+	totallen = 0;
+	result = dns_rdataset_first(rdataset);
+	REQUIRE(result == ISC_R_SUCCESS);
+
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Common header and owner name (length followed by name)
+	 * These fields should be in a moderate length, so we assume we
+	 * can store all of them in the initial buffer.
+	 */
+	isc_buffer_availableregion(buffer, &r_hdr);
+	INSIST(r_hdr.length >= sizeof(dns_masterrawrdataset_t));
+	isc_buffer_putuint32(buffer, totallen);	/* XXX: leave space */
+	isc_buffer_putuint16(buffer, rdataset->rdclass); /* 16-bit class */
+	isc_buffer_putuint16(buffer, rdataset->type); /* 16-bit type */
+	isc_buffer_putuint16(buffer, rdataset->covers);	/* same as type */
+	isc_buffer_putuint32(buffer, rdataset->ttl); /* 32-bit TTL */
+	isc_buffer_putuint32(buffer, dns_rdataset_count(rdataset));
+	totallen = isc_buffer_usedlength(buffer);
+	INSIST(totallen <= sizeof(dns_masterrawrdataset_t));
+
+	dns_name_toregion(name, &r);
+	INSIST(isc_buffer_availablelength(buffer) >=
+	       (sizeof(dlen) + r.length));
+	dlen = (uint16_t)r.length;
+	isc_buffer_putuint16(buffer, dlen);
+	isc_buffer_copyregion(buffer, &r);
+	totallen += sizeof(dlen) + r.length;
+
+	do {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_toregion(&rdata, &r);
+		INSIST(r.length <= 0xffffU);
+		dlen = (uint16_t)r.length;
+
+		/*
+		 * Copy the rdata into the buffer.  If the buffer is too small,
+		 * grow it.  This should be rare, so we'll simply restart the
+		 * entire procedure (or should we copy the old data and
+		 * continue?).
+		 */
+		if (isc_buffer_availablelength(buffer) <
+						 sizeof(dlen) + r.length) {
+			int newlength;
+			void *newmem;
+
+			newlength = buffer->length * 2;
+			newmem = isc_mem_get(mctx, newlength);
+			if (newmem == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_mem_put(mctx, buffer->base, buffer->length);
+			isc_buffer_init(buffer, newmem, newlength);
+			goto restart;
+		}
+		isc_buffer_putuint16(buffer, dlen);
+		isc_buffer_copyregion(buffer, &r);
+		totallen += sizeof(dlen) + r.length;
+
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	/*
+	 * Fill in the total length field.
+	 * XXX: this is a bit tricky.  Since we have already "used" the space
+	 * for the total length in the buffer, we first remember the entire
+	 * buffer length in the region, "rewind", and then write the value.
+	 */
+	isc_buffer_usedregion(buffer, &r);
+	isc_buffer_clear(buffer);
+	isc_buffer_putuint32(buffer, totallen);
+	INSIST(isc_buffer_usedlength(buffer) < totallen);
+
+	/*
+	 * Write the buffer contents to the raw master file.
+	 */
+	result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "raw master file write failed: %s",
+				 isc_result_totext(result));
+		return (result);
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
+		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		   isc_buffer_t *buffer, FILE *f)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter)) {
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
+		    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+			/* Omit negative cache entries */
+		} else {
+			result = dump_rdataset_raw(mctx, name, &rdataset,
+						   buffer, f);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+static isc_result_t
+dump_rdatasets_map(isc_mem_t *mctx, dns_name_t *name,
+		   dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
+		   isc_buffer_t *buffer, FILE *f)
+{
+	UNUSED(mctx);
+	UNUSED(name);
+	UNUSED(rdsiter);
+	UNUSED(ctx);
+	UNUSED(buffer);
+	UNUSED(f);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Initial size of text conversion buffer.  The buffer is used
+ * for several purposes: converting origin names, rdatasets,
+ * $DATE timestamps, and comment strings for $TTL directives.
+ *
+ * When converting rdatasets, it is dynamically resized, but
+ * when converting origins, timestamps, etc it is not.  Therefore,
+ * the initial size must large enough to hold the longest possible
+ * text representation of any domain name (for $ORIGIN).
+ */
+static const int initial_buffer_length = 1200;
+
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx);
+
+static void
+dumpctx_destroy(dns_dumpctx_t *dctx) {
+
+	dctx->magic = 0;
+	DESTROYLOCK(&dctx->lock);
+	dns_dbiterator_destroy(&dctx->dbiter);
+	if (dctx->version != NULL)
+		dns_db_closeversion(dctx->db, &dctx->version, false);
+	dns_db_detach(&dctx->db);
+	if (dctx->task != NULL)
+		isc_task_detach(&dctx->task);
+	if (dctx->file != NULL)
+		isc_mem_free(dctx->mctx, dctx->file);
+	if (dctx->tmpfile != NULL)
+		isc_mem_free(dctx->mctx, dctx->tmpfile);
+	isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
+
+	REQUIRE(DNS_DCTX_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	LOCK(&source->lock);
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);	/* Overflow? */
+	UNLOCK(&source->lock);
+
+	*target = source;
+}
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
+	dns_dumpctx_t *dctx;
+	bool need_destroy = false;
+
+	REQUIRE(dctxp != NULL);
+	dctx = *dctxp;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	*dctxp = NULL;
+
+	LOCK(&dctx->lock);
+	INSIST(dctx->references != 0);
+	dctx->references--;
+	if (dctx->references == 0)
+		need_destroy = true;
+	UNLOCK(&dctx->lock);
+	if (need_destroy)
+		dumpctx_destroy(dctx);
+}
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->version);
+}
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	return (dctx->db);
+}
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
+	REQUIRE(DNS_DCTX_VALID(dctx));
+
+	LOCK(&dctx->lock);
+	dctx->canceled = true;
+	UNLOCK(&dctx->lock);
+}
+
+static isc_result_t
+flushandsync(FILE *f, isc_result_t result, const char *temp) {
+	bool logit = (result == ISC_R_SUCCESS);
+
+	if (result == ISC_R_SUCCESS)
+		result = isc_stdio_flush(f);
+	if (result != ISC_R_SUCCESS && logit) {
+		if (temp != NULL)
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to master file: %s: flush: %s",
+				      temp, isc_result_totext(result));
+		else
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to stream: flush: %s",
+				      isc_result_totext(result));
+		logit = false;
+	}
+
+	if (result == ISC_R_SUCCESS)
+		result = isc_stdio_sync(f);
+	if (result != ISC_R_SUCCESS && logit) {
+		if (temp != NULL)
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to master file: %s: fsync: %s",
+				      temp, isc_result_totext(result));
+		else
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+				      "dumping to stream: fsync: %s",
+				      isc_result_totext(result));
+	}
+	return (result);
+}
+
+static isc_result_t
+closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file)
+{
+	isc_result_t tresult;
+	bool logit = (result == ISC_R_SUCCESS);
+
+	result = flushandsync(f, result, temp);
+	if (result != ISC_R_SUCCESS)
+		logit = false;
+
+	tresult = isc_stdio_close(f);
+	if (result == ISC_R_SUCCESS)
+		result = tresult;
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: fclose: %s",
+			      temp, isc_result_totext(result));
+		logit = false;
+	}
+	if (result == ISC_R_SUCCESS)
+		result = isc_file_rename(temp, file);
+	else
+		(void)isc_file_remove(temp);
+	if (result != ISC_R_SUCCESS && logit) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: rename: %s: %s",
+			      file, isc_result_totext(result));
+	}
+	return (result);
+}
+
+static void
+dump_quantum(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_result_t tresult;
+	dns_dumpctx_t *dctx;
+
+	REQUIRE(event != NULL);
+	dctx = event->ev_arg;
+	REQUIRE(DNS_DCTX_VALID(dctx));
+	if (dctx->canceled)
+		result = ISC_R_CANCELED;
+	else
+		result = dumptostreaminc(dctx);
+	if (result == DNS_R_CONTINUE) {
+		event->ev_arg = dctx;
+		isc_task_send(task, &event);
+		return;
+	}
+
+	if (dctx->file != NULL) {
+		tresult = closeandrename(dctx->f, result,
+					 dctx->tmpfile, dctx->file);
+		if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+			result = tresult;
+	} else
+		result = flushandsync(dctx->f, result, NULL);
+	(dctx->done)(dctx->done_arg, result);
+	isc_event_free(&event);
+	dns_dumpctx_detach(&dctx);
+}
+
+static isc_result_t
+task_send(dns_dumpctx_t *dctx) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
+				   dump_quantum, dctx, sizeof(*event));
+	if (event == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_task_send(dctx->task, &event);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+	       const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp,
+	       dns_masterformat_t format, dns_masterrawheader_t *header)
+{
+	dns_dumpctx_t *dctx;
+	isc_result_t result;
+	unsigned int options;
+
+	dctx = isc_mem_get(mctx, sizeof(*dctx));
+	if (dctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dctx->mctx = NULL;
+	dctx->f = f;
+	dctx->dbiter = NULL;
+	dctx->db = NULL;
+	dctx->version = NULL;
+	dctx->done = NULL;
+	dctx->done_arg = NULL;
+	dctx->task = NULL;
+	dctx->nodes = 0;
+	dctx->first = true;
+	dctx->canceled = false;
+	dctx->file = NULL;
+	dctx->tmpfile = NULL;
+	dctx->format = format;
+	if (header == NULL)
+		dns_master_initrawheader(&dctx->header);
+	else
+		dctx->header = *header;
+
+	switch (format) {
+	case dns_masterformat_text:
+		dctx->dumpsets = dump_rdatasets_text;
+		break;
+	case dns_masterformat_raw:
+		dctx->dumpsets = dump_rdatasets_raw;
+		break;
+	case dns_masterformat_map:
+		dctx->dumpsets = dump_rdatasets_map;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+
+	result = totext_ctx_init(style, &dctx->tctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		goto cleanup;
+	}
+
+	isc_stdtime_get(&dctx->now);
+	dns_db_attach(db, &dctx->db);
+
+	dctx->do_date = dns_db_iscache(dctx->db);
+
+	if (dctx->format == dns_masterformat_text &&
+	    (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) {
+		options = DNS_DB_RELATIVENAMES;
+	} else
+		options = 0;
+	result = dns_db_createiterator(dctx->db, options, &dctx->dbiter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_mutex_init(&dctx->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (version != NULL)
+		dns_db_attachversion(dctx->db, version, &dctx->version);
+	else if (!dns_db_iscache(db))
+		dns_db_currentversion(dctx->db, &dctx->version);
+	isc_mem_attach(mctx, &dctx->mctx);
+	dctx->references = 1;
+	dctx->magic = DNS_DCTX_MAGIC;
+	*dctxp = dctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (dctx->dbiter != NULL)
+		dns_dbiterator_destroy(&dctx->dbiter);
+	if (dctx->db != NULL)
+		dns_db_detach(&dctx->db);
+	if (dctx != NULL)
+		isc_mem_put(mctx, dctx, sizeof(*dctx));
+	return (result);
+}
+
+static isc_result_t
+writeheader(dns_dumpctx_t *dctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t buffer;
+	char *bufmem;
+	isc_region_t r;
+	dns_masterrawheader_t rawheader;
+	uint32_t rawversion, now32;
+
+	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
+	if (bufmem == NULL)
+		return (ISC_R_NOMEMORY);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	switch (dctx->format) {
+	case dns_masterformat_text:
+		/*
+		 * If the database has cache semantics, output an
+		 * RFC2540 $DATE directive so that the TTLs can be
+		 * adjusted when it is reloaded.  For zones it is not
+		 * really needed, and it would make the file
+		 * incompatible with pre-RFC2540 software, so we omit
+		 * it in the zone case.
+		 */
+		if (dctx->do_date) {
+			result = dns_time32_totext(dctx->now, &buffer);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			isc_buffer_usedregion(&buffer, &r);
+			fprintf(dctx->f, "$DATE %.*s\n",
+				(int) r.length, (char *) r.base);
+		}
+		break;
+	case dns_masterformat_raw:
+	case dns_masterformat_map:
+		r.base = (unsigned char *)&rawheader;
+		r.length = sizeof(rawheader);
+		isc_buffer_region(&buffer, &r);
+#if !defined(STDTIME_ON_32BITS) || (STDTIME_ON_32BITS + 0) != 1
+		/*
+		 * We assume isc_stdtime_t is a 32-bit integer,
+		 * which should be the case on most platforms.
+		 * If it turns out to be uncommon, we'll need
+		 * to bump the version number and revise the
+		 * header format.
+		 */
+		isc_log_write(dns_lctx,
+			      ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP,
+			      ISC_LOG_INFO,
+			      "dumping master file in raw "
+			      "format: stdtime is not 32bits");
+		now32 = 0;
+#else
+		now32 = dctx->now;
+#endif
+		rawversion = 1;
+		if ((dctx->header.flags & DNS_MASTERRAW_COMPAT) != 0)
+			rawversion = 0;
+
+		isc_buffer_putuint32(&buffer, dctx->format);
+		isc_buffer_putuint32(&buffer, rawversion);
+		isc_buffer_putuint32(&buffer, now32);
+
+		if (rawversion == 1) {
+			isc_buffer_putuint32(&buffer, dctx->header.flags);
+			isc_buffer_putuint32(&buffer,
+					     dctx->header.sourceserial);
+			isc_buffer_putuint32(&buffer, dctx->header.lastxfrin);
+		}
+
+		INSIST(isc_buffer_usedlength(&buffer) <= sizeof(rawheader));
+		result = isc_stdio_write(buffer.base, 1,
+					 isc_buffer_usedlength(&buffer),
+					 dctx->f, NULL);
+		if (result != ISC_R_SUCCESS)
+			break;
+
+		break;
+	default:
+		INSIST(0);
+	}
+
+	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t buffer;
+	char *bufmem;
+	dns_name_t *name;
+	dns_fixedname_t fixname;
+	unsigned int nodes;
+	isc_time_t start;
+
+	bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
+	if (bufmem == NULL)
+		return (ISC_R_NOMEMORY);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	name = dns_fixedname_initname(&fixname);
+
+	if (dctx->first) {
+		CHECK(writeheader(dctx));
+
+		/*
+		 * Fast format is not currently written incrementally,
+		 * so we make the call to dns_db_serialize() here.
+		 * If the database is anything other than an rbtdb,
+		 * this should result in not implemented
+		 */
+		if (dctx->format == dns_masterformat_map) {
+			result = dns_db_serialize(dctx->db, dctx->version,
+						  dctx->f);
+			goto cleanup;
+		}
+
+		result = dns_dbiterator_first(dctx->dbiter);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
+			goto cleanup;
+
+		dctx->first = false;
+	} else
+		result = ISC_R_SUCCESS;
+
+	nodes = dctx->nodes;
+	isc_time_now(&start);
+	while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
+		dns_rdatasetiter_t *rdsiter = NULL;
+		dns_dbnode_t *node = NULL;
+
+		result = dns_dbiterator_current(dctx->dbiter, &node, name);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+			break;
+		if (result == DNS_R_NEWORIGIN) {
+			dns_name_t *origin =
+				dns_fixedname_name(&dctx->tctx.origin_fixname);
+			result = dns_dbiterator_origin(dctx->dbiter, origin);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if ((dctx->tctx.style.flags &
+			     DNS_STYLEFLAG_REL_DATA) != 0)
+				dctx->tctx.origin = origin;
+			dctx->tctx.neworigin = origin;
+		}
+		result = dns_db_allrdatasets(dctx->db, node, dctx->version,
+					     dctx->now, &rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(dctx->db, &node);
+			goto cleanup;
+		}
+		result = (dctx->dumpsets)(dctx->mctx, name, rdsiter,
+					  &dctx->tctx, &buffer, dctx->f);
+		dns_rdatasetiter_destroy(&rdsiter);
+		if (result != ISC_R_SUCCESS) {
+			dns_db_detachnode(dctx->db, &node);
+			goto cleanup;
+		}
+		dns_db_detachnode(dctx->db, &node);
+		result = dns_dbiterator_next(dctx->dbiter);
+	}
+
+	/*
+	 * Work out how many nodes can be written in the time between
+	 * two requests to the nameserver.  Smooth the resulting number and
+	 * use it as a estimate for the number of nodes to be written in the
+	 * next iteration.
+	 */
+	if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
+		unsigned int pps = dns_pps;	/* packets per second */
+		unsigned int interval;
+		uint64_t usecs;
+		isc_time_t end;
+
+		isc_time_now(&end);
+		if (pps < 100)
+			pps = 100;
+		interval = 1000000 / pps;	/* interval in usecs */
+		if (interval == 0)
+			interval = 1;
+		usecs = isc_time_microdiff(&end, &start);
+		if (usecs == 0) {
+			dctx->nodes = dctx->nodes * 2;
+			if (dctx->nodes > 1000)
+				dctx->nodes = 1000;
+		} else {
+			nodes = dctx->nodes * interval;
+			nodes /= (unsigned int)usecs;
+			if (nodes == 0)
+				nodes = 1;
+			else if (nodes > 1000)
+				nodes = 1000;
+
+			/* Smooth and assign. */
+			dctx->nodes = (nodes + dctx->nodes * 7) / 8;
+
+			isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_MASTERDUMP,
+				      ISC_LOG_DEBUG(1),
+				      "dumptostreaminc(%p) new nodes -> %d",
+				      dctx, dctx->nodes);
+		}
+		result = DNS_R_CONTINUE;
+	} else if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ cleanup:
+	RUNTIME_CHECK(dns_dbiterator_pause(dctx->dbiter) == ISC_R_SUCCESS);
+	isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+			   dns_dbversion_t *version,
+			   const dns_master_style_t *style,
+			   FILE *f, isc_task_t *task,
+			   dns_dumpdonefunc_t done, void *done_arg,
+			   dns_dumpctx_t **dctxp)
+{
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
+
+	REQUIRE(task != NULL);
+	REQUIRE(f != NULL);
+	REQUIRE(done != NULL);
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				dns_masterformat_text, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+	dctx->nodes = 100;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+	dns_dumpctx_detach(&dctx);
+	return (result);
+}
+
+/*
+ * Dump an entire database into a master file.
+ */
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+			dns_dbversion_t *version,
+			const dns_master_style_t *style,
+			FILE *f)
+{
+	return (dns_master_dumptostream3(mctx, db, version, style,
+					 dns_masterformat_text, NULL, f));
+}
+
+isc_result_t
+dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format, FILE *f)
+{
+	return (dns_master_dumptostream3(mctx, db, version, style,
+					 format, NULL, f));
+}
+
+isc_result_t
+dns_master_dumptostream3(isc_mem_t *mctx, dns_db_t *db,
+			 dns_dbversion_t *version,
+			 const dns_master_style_t *style,
+			 dns_masterformat_t format,
+			 dns_masterrawheader_t *header, FILE *f)
+{
+	dns_dumpctx_t *dctx = NULL;
+	isc_result_t result;
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				format, header);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dumptostreaminc(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+
+	result = flushandsync(f, result, NULL);
+	return (result);
+}
+
+static isc_result_t
+opentmp(isc_mem_t *mctx, dns_masterformat_t format, const char *file,
+	char **tempp, FILE **fp) {
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname = NULL;
+	int tempnamelen;
+
+	tempnamelen = strlen(file) + 20;
+	tempname = isc_mem_allocate(mctx, tempnamelen);
+	if (tempname == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_file_mktemplate(file, tempname, tempnamelen);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (format == dns_masterformat_text)
+		result = isc_file_openunique(tempname, &f);
+	else
+		result = isc_file_bopenunique(tempname, &f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: open: %s",
+			      tempname, isc_result_totext(result));
+		goto cleanup;
+	}
+	*tempp = tempname;
+	*fp = f;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		   const dns_master_style_t *style, const char *filename,
+		   isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		   dns_dumpctx_t **dctxp)
+{
+	return (dns_master_dumpinc3(mctx, db, version, style, filename, task,
+				    done, done_arg, dctxp,
+				    dns_masterformat_text, NULL));
+}
+
+isc_result_t
+dns_master_dumpinc2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		    dns_dumpctx_t **dctxp, dns_masterformat_t format)
+{
+	return (dns_master_dumpinc3(mctx, db, version, style, filename, task,
+				    done, done_arg, dctxp, format, NULL));
+}
+
+isc_result_t
+dns_master_dumpinc3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    const dns_master_style_t *style, const char *filename,
+		    isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+		    dns_dumpctx_t **dctxp, dns_masterformat_t format,
+		    dns_masterrawheader_t *header)
+{
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname = NULL;
+	char *file = NULL;
+	dns_dumpctx_t *dctx = NULL;
+
+	file = isc_mem_strdup(mctx, filename);
+	if (file == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = opentmp(mctx, format, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				format, header);
+	if (result != ISC_R_SUCCESS) {
+		(void)isc_stdio_close(f);
+		(void)isc_file_remove(tempname);
+		goto cleanup;
+	}
+
+	isc_task_attach(task, &dctx->task);
+	dctx->done = done;
+	dctx->done_arg = done_arg;
+	dctx->nodes = 100;
+	dctx->file = file;
+	file = NULL;
+	dctx->tmpfile = tempname;
+	tempname = NULL;
+
+	result = task_send(dctx);
+	if (result == ISC_R_SUCCESS) {
+		dns_dumpctx_attach(dctx, dctxp);
+		return (DNS_R_CONTINUE);
+	}
+
+ cleanup:
+	if (dctx != NULL)
+		dns_dumpctx_detach(&dctx);
+	if (file != NULL)
+		isc_mem_free(mctx, file);
+	if (tempname != NULL)
+		isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		const dns_master_style_t *style, const char *filename)
+{
+	return (dns_master_dump3(mctx, db, version, style, filename,
+				 dns_masterformat_text, NULL));
+}
+
+isc_result_t
+dns_master_dump2(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format)
+{
+	return (dns_master_dump3(mctx, db, version, style, filename,
+				 format, NULL));
+}
+
+isc_result_t
+dns_master_dump3(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		 const dns_master_style_t *style, const char *filename,
+		 dns_masterformat_t format, dns_masterrawheader_t *header)
+{
+	FILE *f = NULL;
+	isc_result_t result;
+	char *tempname;
+	dns_dumpctx_t *dctx = NULL;
+
+	result = opentmp(mctx, format, filename, &tempname, &f);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dumpctx_create(mctx, db, version, style, f, &dctx,
+				format, header);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dumptostreaminc(dctx);
+	INSIST(result != DNS_R_CONTINUE);
+	dns_dumpctx_detach(&dctx);
+
+	result = closeandrename(f, result, tempname, filename);
+
+ cleanup:
+	isc_mem_free(mctx, tempname);
+	return (result);
+}
+
+/*
+ * Dump a database node into a master file.
+ * XXX: this function assumes the text format.
+ */
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+			    dns_dbversion_t *version,
+			    dns_dbnode_t *node, dns_name_t *name,
+			    const dns_master_style_t *style,
+			    FILE *f)
+{
+	isc_result_t result;
+	isc_buffer_t buffer;
+	char *bufmem;
+	isc_stdtime_t now;
+	dns_totext_ctx_t ctx;
+	dns_rdatasetiter_t *rdsiter = NULL;
+
+	result = totext_ctx_init(style, &ctx);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "could not set master file style");
+		return (ISC_R_UNEXPECTED);
+	}
+
+	isc_stdtime_get(&now);
+
+	bufmem = isc_mem_get(mctx, initial_buffer_length);
+	if (bufmem == NULL)
+		return (ISC_R_NOMEMORY);
+
+	isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+	result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dump_rdatasets_text(mctx, name, rdsiter, &ctx, &buffer, f);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	result = ISC_R_SUCCESS;
+
+ failure:
+	isc_mem_put(mctx, buffer.base, buffer.length);
+	return (result);
+}
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *name,
+		    const dns_master_style_t *style, const char *filename)
+{
+	FILE *f = NULL;
+	isc_result_t result;
+
+	result = isc_stdio_open(filename, "w", &f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping node to file: %s: open: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = dns_master_dumpnodetostream(mctx, db, version, node, name,
+					     style, f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: dump: %s", filename,
+			      isc_result_totext(result));
+		(void)isc_stdio_close(f);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	result = isc_stdio_close(f);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+			      "dumping master file: %s: close: %s", filename,
+			      isc_result_totext(result));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (result);
+}
+
+dns_masterstyle_flags_t
+dns_master_styleflags(const dns_master_style_t *style) {
+	REQUIRE(style != NULL);
+	return (style->flags);
+}
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
+		       unsigned int ttl_column, unsigned int class_column,
+		       unsigned int type_column, unsigned int rdata_column,
+		       unsigned int line_length, unsigned int tab_width,
+		       isc_mem_t *mctx)
+{
+	return (dns_master_stylecreate2(stylep, flags, ttl_column,
+					class_column, type_column,
+					rdata_column, line_length,
+					tab_width, 0xffffffff, mctx));
+}
+
+isc_result_t
+dns_master_stylecreate2(dns_master_style_t **stylep, unsigned int flags,
+			unsigned int ttl_column, unsigned int class_column,
+			unsigned int type_column, unsigned int rdata_column,
+			unsigned int line_length, unsigned int tab_width,
+			unsigned int split_width, isc_mem_t *mctx)
+{
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep == NULL);
+	style = isc_mem_get(mctx, sizeof(*style));
+	if (style == NULL)
+		return (ISC_R_NOMEMORY);
+
+	style->flags = flags;
+	style->ttl_column = ttl_column;
+	style->class_column = class_column;
+	style->type_column = type_column;
+	style->rdata_column = rdata_column;
+	style->line_length = line_length;
+	style->tab_width = tab_width;
+	style->split_width = split_width;
+	*stylep = style;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
+	dns_master_style_t *style;
+
+	REQUIRE(stylep != NULL && *stylep != NULL);
+	style = *stylep;
+	*stylep = NULL;
+	isc_mem_put(mctx, style, sizeof(*style));
+}
diff --git a/lib/dns/message.c b/lib/dns/message.c
new file mode 100644
index 0000000..ac637a2
--- /dev/null
+++ b/lib/dns/message.c
@@ -0,0 +1,4362 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/opcode.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/ttl.h>
+#include <dns/view.h>
+
+#ifdef SKAN_MSG_DEBUG
+static void
+hexdump(const char *msg, const char *msg2, void *base, size_t len) {
+	unsigned char *p;
+	unsigned int cnt;
+
+	p = base;
+	cnt = 0;
+
+	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, (unsigned)len, base);
+
+	while (cnt < len) {
+		if (cnt % 16 == 0)
+			printf("%p: ", p);
+		else if (cnt % 8 == 0)
+			printf(" |");
+		printf(" %02x %c", *p, (isprint(*p) ? *p : ' '));
+		p++;
+		cnt++;
+
+		if (cnt % 16 == 0)
+			printf("\n");
+	}
+
+	if (cnt % 16 != 0)
+		printf("\n");
+}
+#endif
+
+#define DNS_MESSAGE_OPCODE_MASK		0x7800U
+#define DNS_MESSAGE_OPCODE_SHIFT	11
+#define DNS_MESSAGE_RCODE_MASK		0x000fU
+#define DNS_MESSAGE_FLAG_MASK		0x8ff0U
+#define DNS_MESSAGE_EDNSRCODE_MASK	0xff000000U
+#define DNS_MESSAGE_EDNSRCODE_SHIFT	24
+#define DNS_MESSAGE_EDNSVERSION_MASK	0x00ff0000U
+#define DNS_MESSAGE_EDNSVERSION_SHIFT	16
+
+#define VALID_NAMED_SECTION(s)  (((s) > DNS_SECTION_ANY) \
+				 && ((s) < DNS_SECTION_MAX))
+#define VALID_SECTION(s)	(((s) >= DNS_SECTION_ANY) \
+				 && ((s) < DNS_SECTION_MAX))
+#define ADD_STRING(b, s)	{if (strlen(s) >= \
+				   isc_buffer_availablelength(b)) { \
+				       result = ISC_R_NOSPACE; \
+				       goto cleanup; \
+				 } else \
+				       isc_buffer_putstr(b, s);}
+#define VALID_PSEUDOSECTION(s)	(((s) >= DNS_PSEUDOSECTION_ANY) \
+				 && ((s) < DNS_PSEUDOSECTION_MAX))
+
+#define OPTOUT(x) (((x)->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+
+/*%
+ * This is the size of each individual scratchpad buffer, and the numbers
+ * of various block allocations used within the server.
+ * XXXMLG These should come from a config setting.
+ */
+#define SCRATCHPAD_SIZE		512
+#define NAME_COUNT		 64
+#define OFFSET_COUNT		  4
+#define RDATA_COUNT		  8
+#define RDATALIST_COUNT		  8
+#define RDATASET_COUNT	         64
+
+/*%
+ * Text representation of the different items, for message_totext
+ * functions.
+ */
+static const char *sectiontext[] = {
+	"QUESTION",
+	"ANSWER",
+	"AUTHORITY",
+	"ADDITIONAL"
+};
+
+static const char *updsectiontext[] = {
+	"ZONE",
+	"PREREQUISITE",
+	"UPDATE",
+	"ADDITIONAL"
+};
+
+static const char *opcodetext[] = {
+	"QUERY",
+	"IQUERY",
+	"STATUS",
+	"RESERVED3",
+	"NOTIFY",
+	"UPDATE",
+	"RESERVED6",
+	"RESERVED7",
+	"RESERVED8",
+	"RESERVED9",
+	"RESERVED10",
+	"RESERVED11",
+	"RESERVED12",
+	"RESERVED13",
+	"RESERVED14",
+	"RESERVED15"
+};
+
+/*%
+ * "helper" type, which consists of a block of some type, and is linkable.
+ * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
+ * size, or the allocated elements will not be aligned correctly.
+ */
+struct dns_msgblock {
+	unsigned int			count;
+	unsigned int			remaining;
+	ISC_LINK(dns_msgblock_t)	link;
+}; /* dynamically sized */
+
+static inline dns_msgblock_t *
+msgblock_allocate(isc_mem_t *, unsigned int, unsigned int);
+
+#define msgblock_get(block, type) \
+	((type *)msgblock_internalget(block, sizeof(type)))
+
+static inline void *
+msgblock_internalget(dns_msgblock_t *, unsigned int);
+
+static inline void
+msgblock_reset(dns_msgblock_t *);
+
+static inline void
+msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int);
+
+static void
+logfmtpacket(dns_message_t *message, const char *description,
+	     isc_sockaddr_t *address, isc_logcategory_t *category,
+	     isc_logmodule_t *module, const dns_master_style_t *style,
+	     int level, isc_mem_t *mctx);
+
+/*
+ * Allocate a new dns_msgblock_t, and return a pointer to it.  If no memory
+ * is free, return NULL.
+ */
+static inline dns_msgblock_t *
+msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
+		  unsigned int count)
+{
+	dns_msgblock_t *block;
+	unsigned int length;
+
+	length = sizeof(dns_msgblock_t) + (sizeof_type * count);
+
+	block = isc_mem_get(mctx, length);
+	if (block == NULL)
+		return (NULL);
+
+	block->count = count;
+	block->remaining = count;
+
+	ISC_LINK_INIT(block, link);
+
+	return (block);
+}
+
+/*
+ * Return an element from the msgblock.  If no more are available, return
+ * NULL.
+ */
+static inline void *
+msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
+	void *ptr;
+
+	if (block == NULL || block->remaining == 0)
+		return (NULL);
+
+	block->remaining--;
+
+	ptr = (((unsigned char *)block)
+	       + sizeof(dns_msgblock_t)
+	       + (sizeof_type * block->remaining));
+
+	return (ptr);
+}
+
+static inline void
+msgblock_reset(dns_msgblock_t *block) {
+	block->remaining = block->count;
+}
+
+/*
+ * Release memory associated with a message block.
+ */
+static inline void
+msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type)
+{
+	unsigned int length;
+
+	length = sizeof(dns_msgblock_t) + (sizeof_type * block->count);
+
+	isc_mem_put(mctx, block, length);
+}
+
+/*
+ * Allocate a new dynamic buffer, and attach it to this message as the
+ * "current" buffer.  (which is always the last on the list, for our
+ * uses)
+ */
+static inline isc_result_t
+newbuffer(dns_message_t *msg, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t *dynbuf;
+
+	dynbuf = NULL;
+	result = isc_buffer_allocate(msg->mctx, &dynbuf, size);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_buffer_t *
+currentbuffer(dns_message_t *msg) {
+	isc_buffer_t *dynbuf;
+
+	dynbuf = ISC_LIST_TAIL(msg->scratchpad);
+	INSIST(dynbuf != NULL);
+
+	return (dynbuf);
+}
+
+static inline void
+releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
+	ISC_LIST_PREPEND(msg->freerdata, rdata, link);
+}
+
+static inline dns_rdata_t *
+newrdata(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_rdata_t *rdata;
+
+	rdata = ISC_LIST_HEAD(msg->freerdata);
+	if (rdata != NULL) {
+		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+		return (rdata);
+	}
+
+	msgblock = ISC_LIST_TAIL(msg->rdatas);
+	rdata = msgblock_get(msgblock, dns_rdata_t);
+	if (rdata == NULL) {
+		msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdata_t),
+					     RDATA_COUNT);
+		if (msgblock == NULL)
+			return (NULL);
+
+		ISC_LIST_APPEND(msg->rdatas, msgblock, link);
+
+		rdata = msgblock_get(msgblock, dns_rdata_t);
+	}
+
+	dns_rdata_init(rdata);
+	return (rdata);
+}
+
+static inline void
+releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
+	ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
+}
+
+static inline dns_rdatalist_t *
+newrdatalist(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_rdatalist_t *rdatalist;
+
+	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	if (rdatalist != NULL) {
+		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+		goto out;
+	}
+
+	msgblock = ISC_LIST_TAIL(msg->rdatalists);
+	rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+	if (rdatalist == NULL) {
+		msgblock = msgblock_allocate(msg->mctx,
+					     sizeof(dns_rdatalist_t),
+					     RDATALIST_COUNT);
+		if (msgblock == NULL)
+			return (NULL);
+
+		ISC_LIST_APPEND(msg->rdatalists, msgblock, link);
+
+		rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+	}
+ out:
+	if (rdatalist != NULL)
+		dns_rdatalist_init(rdatalist);
+
+	return (rdatalist);
+}
+
+static inline dns_offsets_t *
+newoffsets(dns_message_t *msg) {
+	dns_msgblock_t *msgblock;
+	dns_offsets_t *offsets;
+
+	msgblock = ISC_LIST_TAIL(msg->offsets);
+	offsets = msgblock_get(msgblock, dns_offsets_t);
+	if (offsets == NULL) {
+		msgblock = msgblock_allocate(msg->mctx,
+					     sizeof(dns_offsets_t),
+					     OFFSET_COUNT);
+		if (msgblock == NULL)
+			return (NULL);
+
+		ISC_LIST_APPEND(msg->offsets, msgblock, link);
+
+		offsets = msgblock_get(msgblock, dns_offsets_t);
+	}
+
+	return (offsets);
+}
+
+static inline void
+msginitheader(dns_message_t *m) {
+	m->id = 0;
+	m->flags = 0;
+	m->rcode = 0;
+	m->opcode = 0;
+	m->rdclass = 0;
+}
+
+static inline void
+msginitprivate(dns_message_t *m) {
+	unsigned int i;
+
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		m->cursors[i] = NULL;
+		m->counts[i] = 0;
+	}
+	m->opt = NULL;
+	m->sig0 = NULL;
+	m->sig0name = NULL;
+	m->tsig = NULL;
+	m->tsigname = NULL;
+	m->state = DNS_SECTION_ANY;  /* indicate nothing parsed or rendered */
+	m->opt_reserved = 0;
+	m->sig_reserved = 0;
+	m->reserved = 0;
+	m->buffer = NULL;
+}
+
+static inline void
+msginittsig(dns_message_t *m) {
+	m->tsigstatus = dns_rcode_noerror;
+	m->querytsigstatus = dns_rcode_noerror;
+	m->tsigkey = NULL;
+	m->tsigctx = NULL;
+	m->sigstart = -1;
+	m->sig0key = NULL;
+	m->sig0status = dns_rcode_noerror;
+	m->timeadjust = 0;
+}
+
+/*
+ * Init elements to default state.  Used both when allocating a new element
+ * and when resetting one.
+ */
+static inline void
+msginit(dns_message_t *m) {
+	msginitheader(m);
+	msginitprivate(m);
+	msginittsig(m);
+	m->header_ok = 0;
+	m->question_ok = 0;
+	m->tcp_continuation = 0;
+	m->verified_sig = 0;
+	m->verify_attempted = 0;
+	m->order = NULL;
+	m->order_arg = NULL;
+	m->query.base = NULL;
+	m->query.length = 0;
+	m->free_query = 0;
+	m->saved.base = NULL;
+	m->saved.length = 0;
+	m->free_saved = 0;
+	m->cc_ok = 0;
+	m->cc_bad = 0;
+	m->tkey = 0;
+	m->rdclass_set = 0;
+	m->querytsig = NULL;
+}
+
+static inline void
+msgresetnames(dns_message_t *msg, unsigned int first_section) {
+	unsigned int i;
+	dns_name_t *name, *next_name;
+	dns_rdataset_t *rds, *next_rds;
+
+	/*
+	 * Clean up name lists by calling the rdataset disassociate function.
+	 */
+	for (i = first_section; i < DNS_SECTION_MAX; i++) {
+		name = ISC_LIST_HEAD(msg->sections[i]);
+		while (name != NULL) {
+			next_name = ISC_LIST_NEXT(name, link);
+			ISC_LIST_UNLINK(msg->sections[i], name, link);
+
+			rds = ISC_LIST_HEAD(name->list);
+			while (rds != NULL) {
+				next_rds = ISC_LIST_NEXT(rds, link);
+				ISC_LIST_UNLINK(name->list, rds, link);
+
+				INSIST(dns_rdataset_isassociated(rds));
+				dns_rdataset_disassociate(rds);
+				isc_mempool_put(msg->rdspool, rds);
+				rds = next_rds;
+			}
+			if (dns_name_dynamic(name))
+				dns_name_free(name, msg->mctx);
+			isc_mempool_put(msg->namepool, name);
+			name = next_name;
+		}
+	}
+}
+
+static void
+msgresetopt(dns_message_t *msg)
+{
+	if (msg->opt != NULL) {
+		if (msg->opt_reserved > 0) {
+			dns_message_renderrelease(msg, msg->opt_reserved);
+			msg->opt_reserved = 0;
+		}
+		INSIST(dns_rdataset_isassociated(msg->opt));
+		dns_rdataset_disassociate(msg->opt);
+		isc_mempool_put(msg->rdspool, msg->opt);
+		msg->opt = NULL;
+		msg->cc_ok = 0;
+		msg->cc_bad = 0;
+	}
+}
+
+static void
+msgresetsigs(dns_message_t *msg, bool replying) {
+	if (msg->sig_reserved > 0) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+	}
+	if (msg->tsig != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->tsig));
+		INSIST(msg->namepool != NULL);
+		if (replying) {
+			INSIST(msg->querytsig == NULL);
+			msg->querytsig = msg->tsig;
+		} else {
+			dns_rdataset_disassociate(msg->tsig);
+			isc_mempool_put(msg->rdspool, msg->tsig);
+			if (msg->querytsig != NULL) {
+				dns_rdataset_disassociate(msg->querytsig);
+				isc_mempool_put(msg->rdspool, msg->querytsig);
+			}
+		}
+		if (dns_name_dynamic(msg->tsigname))
+			dns_name_free(msg->tsigname, msg->mctx);
+		isc_mempool_put(msg->namepool, msg->tsigname);
+		msg->tsig = NULL;
+		msg->tsigname = NULL;
+	} else if (msg->querytsig != NULL && !replying) {
+		dns_rdataset_disassociate(msg->querytsig);
+		isc_mempool_put(msg->rdspool, msg->querytsig);
+		msg->querytsig = NULL;
+	}
+	if (msg->sig0 != NULL) {
+		INSIST(dns_rdataset_isassociated(msg->sig0));
+		dns_rdataset_disassociate(msg->sig0);
+		isc_mempool_put(msg->rdspool, msg->sig0);
+		if (msg->sig0name != NULL) {
+			if (dns_name_dynamic(msg->sig0name))
+				dns_name_free(msg->sig0name, msg->mctx);
+			isc_mempool_put(msg->namepool, msg->sig0name);
+		}
+		msg->sig0 = NULL;
+		msg->sig0name = NULL;
+	}
+}
+
+/*
+ * Free all but one (or everything) for this message.  This is used by
+ * both dns_message_reset() and dns_message_destroy().
+ */
+static void
+msgreset(dns_message_t *msg, bool everything) {
+	dns_msgblock_t *msgblock, *next_msgblock;
+	isc_buffer_t *dynbuf, *next_dynbuf;
+	dns_rdata_t *rdata;
+	dns_rdatalist_t *rdatalist;
+
+	msgresetnames(msg, 0);
+	msgresetopt(msg);
+	msgresetsigs(msg, false);
+
+	/*
+	 * Clean up linked lists.
+	 */
+
+	/*
+	 * Run through the free lists, and just unlink anything found there.
+	 * The memory isn't lost since these are part of message blocks we
+	 * have allocated.
+	 */
+	rdata = ISC_LIST_HEAD(msg->freerdata);
+	while (rdata != NULL) {
+		ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+		rdata = ISC_LIST_HEAD(msg->freerdata);
+	}
+	rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	while (rdatalist != NULL) {
+		ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+		rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+	}
+
+	dynbuf = ISC_LIST_HEAD(msg->scratchpad);
+	INSIST(dynbuf != NULL);
+	if (!everything) {
+		isc_buffer_clear(dynbuf);
+		dynbuf = ISC_LIST_NEXT(dynbuf, link);
+	}
+	while (dynbuf != NULL) {
+		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+		ISC_LIST_UNLINK(msg->scratchpad, dynbuf, link);
+		isc_buffer_free(&dynbuf);
+		dynbuf = next_dynbuf;
+	}
+
+	msgblock = ISC_LIST_HEAD(msg->rdatas);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->rdatas, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdata_t));
+		msgblock = next_msgblock;
+	}
+
+	/*
+	 * rdatalists could be empty.
+	 */
+
+	msgblock = ISC_LIST_HEAD(msg->rdatalists);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->rdatalists, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_rdatalist_t));
+		msgblock = next_msgblock;
+	}
+
+	msgblock = ISC_LIST_HEAD(msg->offsets);
+	if (!everything && msgblock != NULL) {
+		msgblock_reset(msgblock);
+		msgblock = ISC_LIST_NEXT(msgblock, link);
+	}
+	while (msgblock != NULL) {
+		next_msgblock = ISC_LIST_NEXT(msgblock, link);
+		ISC_LIST_UNLINK(msg->offsets, msgblock, link);
+		msgblock_free(msg->mctx, msgblock, sizeof(dns_offsets_t));
+		msgblock = next_msgblock;
+	}
+
+	if (msg->tsigkey != NULL) {
+		dns_tsigkey_detach(&msg->tsigkey);
+		msg->tsigkey = NULL;
+	}
+
+	if (msg->tsigctx != NULL)
+		dst_context_destroy(&msg->tsigctx);
+
+	if (msg->query.base != NULL) {
+		if (msg->free_query != 0)
+			isc_mem_put(msg->mctx, msg->query.base,
+				    msg->query.length);
+		msg->query.base = NULL;
+		msg->query.length = 0;
+	}
+
+	if (msg->saved.base != NULL) {
+		if (msg->free_saved != 0)
+			isc_mem_put(msg->mctx, msg->saved.base,
+				    msg->saved.length);
+		msg->saved.base = NULL;
+		msg->saved.length = 0;
+	}
+
+	/*
+	 * cleanup the buffer cleanup list
+	 */
+	dynbuf = ISC_LIST_HEAD(msg->cleanup);
+	while (dynbuf != NULL) {
+		next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+		ISC_LIST_UNLINK(msg->cleanup, dynbuf, link);
+		isc_buffer_free(&dynbuf);
+		dynbuf = next_dynbuf;
+	}
+
+	/*
+	 * Set other bits to normal default values.
+	 */
+	if (!everything)
+		msginit(msg);
+
+	ENSURE(isc_mempool_getallocated(msg->namepool) == 0);
+	ENSURE(isc_mempool_getallocated(msg->rdspool) == 0);
+}
+
+static unsigned int
+spacefortsig(dns_tsigkey_t *key, int otherlen) {
+	isc_region_t r1, r2;
+	unsigned int x;
+	isc_result_t result;
+
+	/*
+	 * The space required for an TSIG record is:
+	 *
+	 *	n1 bytes for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the rdlength
+	 *	n2 bytes for the algorithm name
+	 *	6 bytes for the time signed
+	 *	2 bytes for the fudge
+	 *	2 bytes for the MAC size
+	 *	x bytes for the MAC
+	 *	2 bytes for the original id
+	 *	2 bytes for the error
+	 *	2 bytes for the other data length
+	 *	y bytes for the other data (at most)
+	 * ---------------------------------
+	 *     26 + n1 + n2 + x + y bytes
+	 */
+
+	dns_name_toregion(&key->name, &r1);
+	dns_name_toregion(key->algorithm, &r2);
+	if (key->key == NULL)
+		x = 0;
+	else {
+		result = dst_key_sigsize(key->key, &x);
+		if (result != ISC_R_SUCCESS)
+			x = 0;
+	}
+	return (26 + r1.length + r2.length + x + otherlen);
+}
+
+isc_result_t
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
+{
+	dns_message_t *m;
+	isc_result_t result;
+	isc_buffer_t *dynbuf;
+	unsigned int i;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(msgp != NULL);
+	REQUIRE(*msgp == NULL);
+	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
+		|| intent == DNS_MESSAGE_INTENTRENDER);
+
+	m = isc_mem_get(mctx, sizeof(dns_message_t));
+	if (m == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * No allocations until further notice.  Just initialize all lists
+	 * and other members that are freed in the cleanup phase here.
+	 */
+
+	m->magic = DNS_MESSAGE_MAGIC;
+	m->from_to_wire = intent;
+	msginit(m);
+
+	for (i = 0; i < DNS_SECTION_MAX; i++)
+		ISC_LIST_INIT(m->sections[i]);
+
+	m->mctx = NULL;
+	isc_mem_attach(mctx, &m->mctx);
+
+	ISC_LIST_INIT(m->scratchpad);
+	ISC_LIST_INIT(m->cleanup);
+	m->namepool = NULL;
+	m->rdspool = NULL;
+	ISC_LIST_INIT(m->rdatas);
+	ISC_LIST_INIT(m->rdatalists);
+	ISC_LIST_INIT(m->offsets);
+	ISC_LIST_INIT(m->freerdata);
+	ISC_LIST_INIT(m->freerdatalist);
+
+	/*
+	 * Ok, it is safe to allocate (and then "goto cleanup" if failure)
+	 */
+
+	result = isc_mempool_create(m->mctx, sizeof(dns_name_t), &m->namepool);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_mempool_setfillcount(m->namepool, NAME_COUNT);
+	isc_mempool_setfreemax(m->namepool, NAME_COUNT);
+	isc_mempool_setname(m->namepool, "msg:names");
+
+	result = isc_mempool_create(m->mctx, sizeof(dns_rdataset_t),
+				    &m->rdspool);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_mempool_setfillcount(m->rdspool, RDATASET_COUNT);
+	isc_mempool_setfreemax(m->rdspool, RDATASET_COUNT);
+	isc_mempool_setname(m->rdspool, "msg:rdataset");
+
+	dynbuf = NULL;
+	result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
+
+	m->cctx = NULL;
+
+	*msgp = m;
+	return (ISC_R_SUCCESS);
+
+	/*
+	 * Cleanup for error returns.
+	 */
+ cleanup:
+	dynbuf = ISC_LIST_HEAD(m->scratchpad);
+	if (dynbuf != NULL) {
+		ISC_LIST_UNLINK(m->scratchpad, dynbuf, link);
+		isc_buffer_free(&dynbuf);
+	}
+	if (m->namepool != NULL)
+		isc_mempool_destroy(&m->namepool);
+	if (m->rdspool != NULL)
+		isc_mempool_destroy(&m->rdspool);
+	m->magic = 0;
+	isc_mem_putanddetach(&mctx, m, sizeof(dns_message_t));
+
+	return (ISC_R_NOMEMORY);
+}
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
+		|| intent == DNS_MESSAGE_INTENTRENDER);
+
+	msgreset(msg, false);
+	msg->from_to_wire = intent;
+}
+
+void
+dns_message_destroy(dns_message_t **msgp) {
+	dns_message_t *msg;
+
+	REQUIRE(msgp != NULL);
+	REQUIRE(DNS_MESSAGE_VALID(*msgp));
+
+	msg = *msgp;
+	*msgp = NULL;
+
+	msgreset(msg, true);
+	isc_mempool_destroy(&msg->namepool);
+	isc_mempool_destroy(&msg->rdspool);
+	msg->magic = 0;
+	isc_mem_putanddetach(&msg->mctx, msg, sizeof(dns_message_t));
+}
+
+static isc_result_t
+findname(dns_name_t **foundname, dns_name_t *target,
+	 dns_namelist_t *section)
+{
+	dns_name_t *curr;
+
+	for (curr = ISC_LIST_TAIL(*section);
+	     curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link)) {
+		if (dns_name_equal(curr, target)) {
+			if (foundname != NULL)
+				*foundname = curr;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_message_find(dns_name_t *name, dns_rdataclass_t rdclass,
+		 dns_rdatatype_t type, dns_rdatatype_t covers,
+		 dns_rdataset_t **rdataset)
+{
+	dns_rdataset_t *curr;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+
+	for (curr = ISC_LIST_TAIL(name->list);
+	     curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link)) {
+		if (curr->rdclass == rdclass &&
+		    curr->type == type && curr->covers == covers) {
+			if (rdataset != NULL)
+				*rdataset = curr;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_rdataset_t **rdataset)
+{
+	dns_rdataset_t *curr;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+
+	for (curr = ISC_LIST_TAIL(name->list);
+	     curr != NULL;
+	     curr = ISC_LIST_PREV(curr, link)) {
+		if (curr->type == type && curr->covers == covers) {
+			if (ISC_UNLIKELY(rdataset != NULL))
+				*rdataset = curr;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Read a name from buffer "source".
+ */
+static isc_result_t
+getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
+	dns_decompress_t *dctx)
+{
+	isc_buffer_t *scratch;
+	isc_result_t result;
+	unsigned int tries;
+
+	scratch = currentbuffer(msg);
+
+	/*
+	 * First try:  use current buffer.
+	 * Second try:  allocate a new buffer and use that.
+	 */
+	tries = 0;
+	while (tries < 2) {
+		result = dns_name_fromwire(name, source, dctx, false,
+					   scratch);
+
+		if (result == ISC_R_NOSPACE) {
+			tries++;
+
+			result = newbuffer(msg, SCRATCHPAD_SIZE);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+
+			scratch = currentbuffer(msg);
+			dns_name_reset(name);
+		} else {
+			return (result);
+		}
+	}
+
+	INSIST(0);  /* Cannot get here... */
+	return (ISC_R_UNEXPECTED);
+}
+
+static isc_result_t
+getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+	 unsigned int rdatalen, dns_rdata_t *rdata)
+{
+	isc_buffer_t *scratch;
+	isc_result_t result;
+	unsigned int tries;
+	unsigned int trysize;
+
+	scratch = currentbuffer(msg);
+
+	isc_buffer_setactive(source, rdatalen);
+
+	/*
+	 * First try:  use current buffer.
+	 * Second try:  allocate a new buffer of size
+	 *     max(SCRATCHPAD_SIZE, 2 * compressed_rdatalen)
+	 *     (the data will fit if it was not more than 50% compressed)
+	 * Subsequent tries: double buffer size on each try.
+	 */
+	tries = 0;
+	trysize = 0;
+	/* XXX possibly change this to a while (tries < 2) loop */
+	for (;;) {
+		result = dns_rdata_fromwire(rdata, rdclass, rdtype,
+					    source, dctx, 0,
+					    scratch);
+
+		if (result == ISC_R_NOSPACE) {
+			if (tries == 0) {
+				trysize = 2 * rdatalen;
+				if (trysize < SCRATCHPAD_SIZE)
+					trysize = SCRATCHPAD_SIZE;
+			} else {
+				INSIST(trysize != 0);
+				if (trysize >= 65535)
+					return (ISC_R_NOSPACE);
+					/* XXX DNS_R_RRTOOLONG? */
+				trysize *= 2;
+			}
+			tries++;
+			result = newbuffer(msg, trysize);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+
+			scratch = currentbuffer(msg);
+		} else {
+			return (result);
+		}
+	}
+}
+
+#define DO_ERROR(r)					\
+	do {						\
+		if (best_effort)			\
+			seen_problem = true;	\
+		else {					\
+			result = r;			\
+			goto cleanup;			\
+		}					\
+	} while (0)
+
+static isc_result_t
+getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	     unsigned int options)
+{
+	isc_region_t r;
+	unsigned int count;
+	dns_name_t *name;
+	dns_name_t *name2;
+	dns_offsets_t *offsets;
+	dns_rdataset_t *rdataset;
+	dns_rdatalist_t *rdatalist;
+	isc_result_t result;
+	dns_rdatatype_t rdtype;
+	dns_rdataclass_t rdclass;
+	dns_namelist_t *section;
+	bool free_name;
+	bool best_effort;
+	bool seen_problem;
+
+	section = &msg->sections[DNS_SECTION_QUESTION];
+
+	best_effort = (options & DNS_MESSAGEPARSE_BESTEFFORT);
+	seen_problem = false;
+
+	name = NULL;
+	rdataset = NULL;
+	rdatalist = NULL;
+
+	for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
+		name = isc_mempool_get(msg->namepool);
+		if (name == NULL)
+			return (ISC_R_NOMEMORY);
+		free_name = true;
+
+		offsets = newoffsets(msg);
+		if (offsets == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		dns_name_init(name, *offsets);
+
+		/*
+		 * Parse the name out of this packet.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		isc_buffer_setactive(source, r.length);
+		result = getname(name, source, msg, dctx);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		/*
+		 * Run through the section, looking to see if this name
+		 * is already there.  If it is found, put back the allocated
+		 * name since we no longer need it, and set our name pointer
+		 * to point to the name we found.
+		 */
+		result = findname(&name2, name, section);
+
+		/*
+		 * If it is the first name in the section, accept it.
+		 *
+		 * If it is not, but is not the same as the name already
+		 * in the question section, append to the section.  Note that
+		 * here in the question section this is illegal, so return
+		 * FORMERR.  In the future, check the opcode to see if
+		 * this should be legal or not.  In either case we no longer
+		 * need this name pointer.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			if (!ISC_LIST_EMPTY(*section))
+				DO_ERROR(DNS_R_FORMERR);
+			ISC_LIST_APPEND(*section, name, link);
+			free_name = false;
+		} else {
+			isc_mempool_put(msg->namepool, name);
+			name = name2;
+			name2 = NULL;
+			free_name = false;
+		}
+
+		/*
+		 * Get type and class.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		if (r.length < 4) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+		rdtype = isc_buffer_getuint16(source);
+		rdclass = isc_buffer_getuint16(source);
+
+		/*
+		 * If this class is different than the one we already read,
+		 * this is an error.
+		 */
+		if (msg->rdclass_set == 0) {
+			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
+		} else if (msg->rdclass != rdclass)
+			DO_ERROR(DNS_R_FORMERR);
+
+		/*
+		 * Is this a TKEY query?
+		 */
+		if (rdtype == dns_rdatatype_tkey)
+			msg->tkey = 1;
+
+		/*
+		 * Can't ask the same question twice.
+		 */
+		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+		if (result == ISC_R_SUCCESS)
+			DO_ERROR(DNS_R_FORMERR);
+
+		/*
+		 * Allocate a new rdatalist.
+		 */
+		rdatalist = newrdatalist(msg);
+		if (rdatalist == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		rdataset =  isc_mempool_get(msg->rdspool);
+		if (rdataset == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+
+		/*
+		 * Convert rdatalist to rdataset, and attach the latter to
+		 * the name.
+		 */
+		rdatalist->type = rdtype;
+		rdatalist->rdclass = rdclass;
+
+		dns_rdataset_init(rdataset);
+		result = dns_rdatalist_tordataset(rdatalist, rdataset);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+
+		ISC_LIST_APPEND(name->list, rdataset, link);
+		rdataset = NULL;
+	}
+
+	if (seen_problem)
+		return (DNS_R_RECOVERABLE);
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (rdataset != NULL) {
+		INSIST(!dns_rdataset_isassociated(rdataset));
+		isc_mempool_put(msg->rdspool, rdataset);
+	}
+#if 0
+	if (rdatalist != NULL)
+		isc_mempool_put(msg->rdlpool, rdatalist);
+#endif
+	if (free_name)
+		isc_mempool_put(msg->namepool, name);
+
+	return (result);
+}
+
+static bool
+update(dns_section_t section, dns_rdataclass_t rdclass) {
+	if (section == DNS_SECTION_PREREQUISITE)
+		return (rdclass == dns_rdataclass_any ||
+			 rdclass == dns_rdataclass_none);
+	if (section == DNS_SECTION_UPDATE)
+		return (rdclass == dns_rdataclass_any);
+	return (false);
+}
+
+/*
+ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
+ * covering RRSIGs.
+ */
+static bool
+auth_signed(dns_namelist_t *section) {
+	dns_name_t *name;
+
+	for (name = ISC_LIST_HEAD(*section);
+	     name != NULL;
+	     name = ISC_LIST_NEXT(name, link))
+	{
+		int auth_dnssec = 0, auth_rrsig = 0;
+		dns_rdataset_t *rds;
+
+		for (rds = ISC_LIST_HEAD(name->list);
+		     rds != NULL;
+		     rds = ISC_LIST_NEXT(rds, link))
+		{
+			switch (rds->type) {
+			case dns_rdatatype_ds:
+				auth_dnssec |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_dnssec |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_dnssec |= 0x4;
+				break;
+			case dns_rdatatype_rrsig:
+				break;
+			default:
+				continue;
+			}
+
+			switch (rds->covers) {
+			case dns_rdatatype_ds:
+				auth_rrsig |= 0x1;
+				break;
+			case dns_rdatatype_nsec:
+				auth_rrsig |= 0x2;
+				break;
+			case dns_rdatatype_nsec3:
+				auth_rrsig |= 0x4;
+				break;
+			default:
+				break;
+			}
+		}
+
+		if (auth_dnssec != auth_rrsig)
+			return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+	   dns_section_t sectionid, unsigned int options)
+{
+	isc_region_t r;
+	unsigned int count, rdatalen;
+	dns_name_t *name = NULL;
+	dns_name_t *name2 = NULL;
+	dns_offsets_t *offsets;
+	dns_rdataset_t *rdataset;
+	dns_rdatalist_t *rdatalist;
+	isc_result_t result;
+	dns_rdatatype_t rdtype, covers;
+	dns_rdataclass_t rdclass;
+	dns_rdata_t *rdata;
+	dns_ttl_t ttl;
+	dns_namelist_t *section;
+	bool free_name = false, free_rdataset = false;
+	bool preserve_order, best_effort, seen_problem;
+	bool issigzero;
+
+	preserve_order = (options & DNS_MESSAGEPARSE_PRESERVEORDER);
+	best_effort = (options & DNS_MESSAGEPARSE_BESTEFFORT);
+	seen_problem = false;
+
+	section = &msg->sections[sectionid];
+
+	for (count = 0; count < msg->counts[sectionid]; count++) {
+		int recstart = source->current;
+		bool skip_name_search, skip_type_search;
+
+		skip_name_search = false;
+		skip_type_search = false;
+		free_rdataset = false;
+
+		name = isc_mempool_get(msg->namepool);
+		if (name == NULL)
+			return (ISC_R_NOMEMORY);
+		free_name = true;
+
+		offsets = newoffsets(msg);
+		if (offsets == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		dns_name_init(name, *offsets);
+
+		/*
+		 * Parse the name out of this packet.
+		 */
+		isc_buffer_remainingregion(source, &r);
+		isc_buffer_setactive(source, r.length);
+		result = getname(name, source, msg, dctx);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		/*
+		 * Get type, class, ttl, and rdatalen.  Verify that at least
+		 * rdatalen bytes remain.  (Some of this is deferred to
+		 * later.)
+		 */
+		isc_buffer_remainingregion(source, &r);
+		if (r.length < 2 + 2 + 4 + 2) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+		rdtype = isc_buffer_getuint16(source);
+		rdclass = isc_buffer_getuint16(source);
+
+		/*
+		 * If there was no question section, we may not yet have
+		 * established a class.  Do so now.
+		 */
+		if (msg->rdclass_set == 0 &&
+		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
+		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
+		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
+			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
+		}
+
+		/*
+		 * If this class is different than the one in the question
+		 * section, bail.
+		 */
+		if (msg->opcode != dns_opcode_update
+		    && rdtype != dns_rdatatype_tsig
+		    && rdtype != dns_rdatatype_opt
+		    && rdtype != dns_rdatatype_key /* in a TKEY query */
+		    && rdtype != dns_rdatatype_sig /* SIG(0) */
+		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+		    && msg->rdclass != dns_rdataclass_any
+		    && msg->rdclass != rdclass)
+			DO_ERROR(DNS_R_FORMERR);
+
+		/*
+		 * If this is not a TKEY query/response then the KEY
+		 * record's class needs to match.
+		 */
+		if (msg->opcode != dns_opcode_update && !msg->tkey &&
+		    rdtype == dns_rdatatype_key &&
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+			DO_ERROR(DNS_R_FORMERR);
+
+		/*
+		 * Special type handling for TSIG, OPT, and TKEY.
+		 */
+		if (rdtype == dns_rdatatype_tsig) {
+			/*
+			 * If it is a tsig, verify that it is in the
+			 * additional data section.
+			 */
+			if (sectionid != DNS_SECTION_ADDITIONAL ||
+			    rdclass != dns_rdataclass_any ||
+			    count != msg->counts[sectionid]  - 1)
+				DO_ERROR(DNS_R_BADTSIG);
+			msg->sigstart = recstart;
+			skip_name_search = true;
+			skip_type_search = true;
+		} else if (rdtype == dns_rdatatype_opt) {
+			/*
+			 * The name of an OPT record must be ".", it
+			 * must be in the additional data section, and
+			 * it must be the first OPT we've seen.
+			 */
+			if (!dns_name_equal(dns_rootname, name) ||
+			    sectionid != DNS_SECTION_ADDITIONAL ||
+			    msg->opt != NULL)
+				DO_ERROR(DNS_R_FORMERR);
+			skip_name_search = true;
+			skip_type_search = true;
+		} else if (rdtype == dns_rdatatype_tkey) {
+			/*
+			 * A TKEY must be in the additional section if this
+			 * is a query, and the answer section if this is a
+			 * response.  Unless it's a Win2000 client.
+			 *
+			 * Its class is ignored.
+			 */
+			dns_section_t tkeysection;
+
+			if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
+				tkeysection = DNS_SECTION_ADDITIONAL;
+			else
+				tkeysection = DNS_SECTION_ANSWER;
+			if (sectionid != tkeysection &&
+			    sectionid != DNS_SECTION_ANSWER)
+				DO_ERROR(DNS_R_FORMERR);
+		}
+
+		/*
+		 * ... now get ttl and rdatalen, and check buffer.
+		 */
+		ttl = isc_buffer_getuint32(source);
+		rdatalen = isc_buffer_getuint16(source);
+		r.length -= (2 + 2 + 4 + 2);
+		if (r.length < rdatalen) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto cleanup;
+		}
+
+		/*
+		 * Read the rdata from the wire format.  Interpret the
+		 * rdata according to its actual class, even if it had a
+		 * DynDNS meta-class in the packet (unless this is a TSIG).
+		 * Then put the meta-class back into the finished rdata.
+		 */
+		rdata = newrdata(msg);
+		if (rdata == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup;
+		}
+		if (msg->opcode == dns_opcode_update &&
+		    update(sectionid, rdclass)) {
+			if (rdatalen != 0) {
+				result = DNS_R_FORMERR;
+				goto cleanup;
+			}
+			/*
+			 * When the rdata is empty, the data pointer is
+			 * never dereferenced, but it must still be non-NULL.
+			 * Casting 1 rather than "" avoids warnings about
+			 * discarding the const attribute of a string,
+			 * for compilers that would warn about such things.
+			 */
+			rdata->data = (unsigned char *)1;
+			rdata->length = 0;
+			rdata->rdclass = rdclass;
+			rdata->type = rdtype;
+			rdata->flags = DNS_RDATA_UPDATE;
+			result = ISC_R_SUCCESS;
+		} else if (rdclass == dns_rdataclass_none &&
+			   msg->opcode == dns_opcode_update &&
+			   sectionid == DNS_SECTION_UPDATE) {
+			result = getrdata(source, msg, dctx, msg->rdclass,
+					  rdtype, rdatalen, rdata);
+		} else
+			result = getrdata(source, msg, dctx, rdclass,
+					  rdtype, rdatalen, rdata);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		rdata->rdclass = rdclass;
+		issigzero = false;
+		if (rdtype == dns_rdatatype_rrsig &&
+		    rdata->flags == 0) {
+			covers = dns_rdata_covers(rdata);
+			if (covers == 0)
+				DO_ERROR(DNS_R_FORMERR);
+		} else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
+			   rdata->flags == 0) {
+			covers = dns_rdata_covers(rdata);
+			if (covers == 0) {
+				if (sectionid != DNS_SECTION_ADDITIONAL ||
+				    count != msg->counts[sectionid]  - 1)
+					DO_ERROR(DNS_R_BADSIG0);
+				msg->sigstart = recstart;
+				skip_name_search = true;
+				skip_type_search = true;
+				issigzero = true;
+			} else {
+				if (msg->rdclass != dns_rdataclass_any &&
+				    msg->rdclass != rdclass)
+					DO_ERROR(DNS_R_FORMERR);
+			}
+		} else
+			covers = 0;
+
+		/*
+		 * Check the ownername of NSEC3 records
+		 */
+		if (rdtype == dns_rdatatype_nsec3 &&
+		    !dns_rdata_checkowner(name, msg->rdclass, rdtype,
+					  false)) {
+			result = DNS_R_BADOWNERNAME;
+			goto cleanup;
+		}
+
+		/*
+		 * If we are doing a dynamic update or this is a meta-type,
+		 * don't bother searching for a name, just append this one
+		 * to the end of the message.
+		 */
+		if (preserve_order || msg->opcode == dns_opcode_update ||
+		    skip_name_search) {
+			if (rdtype != dns_rdatatype_opt &&
+			    rdtype != dns_rdatatype_tsig &&
+			    !issigzero)
+			{
+				ISC_LIST_APPEND(*section, name, link);
+				free_name = false;
+			}
+		} else {
+			/*
+			 * Run through the section, looking to see if this name
+			 * is already there.  If it is found, put back the
+			 * allocated name since we no longer need it, and set
+			 * our name pointer to point to the name we found.
+			 */
+			result = findname(&name2, name, section);
+
+			/*
+			 * If it is a new name, append to the section.
+			 */
+			if (result == ISC_R_SUCCESS) {
+				isc_mempool_put(msg->namepool, name);
+				name = name2;
+			} else {
+				ISC_LIST_APPEND(*section, name, link);
+			}
+			free_name = false;
+		}
+
+		/*
+		 * Search name for the particular type and class.
+		 * Skip this stage if in update mode or this is a meta-type.
+		 */
+		if (preserve_order || msg->opcode == dns_opcode_update ||
+		    skip_type_search)
+			result = ISC_R_NOTFOUND;
+		else {
+			/*
+			 * If this is a type that can only occur in
+			 * the question section, fail.
+			 */
+			if (dns_rdatatype_questiononly(rdtype))
+				DO_ERROR(DNS_R_FORMERR);
+
+			rdataset = NULL;
+			result = dns_message_find(name, rdclass, rdtype,
+						   covers, &rdataset);
+		}
+
+		/*
+		 * If we found an rdataset that matches, we need to
+		 * append this rdata to that set.  If we did not, we need
+		 * to create a new rdatalist, store the important bits there,
+		 * convert it to an rdataset, and link the latter to the name.
+		 * Yuck.  When appending, make certain that the type isn't
+		 * a singleton type, such as SOA or CNAME.
+		 *
+		 * Note that this check will be bypassed when preserving order,
+		 * the opcode is an update, or the type search is skipped.
+		 */
+		if (result == ISC_R_SUCCESS) {
+			if (dns_rdatatype_issingleton(rdtype)) {
+				dns_rdata_t *first;
+				dns_rdatalist_fromrdataset(rdataset,
+							   &rdatalist);
+				first = ISC_LIST_HEAD(rdatalist->rdata);
+				INSIST(first != NULL);
+				if (dns_rdata_compare(rdata, first) != 0)
+					DO_ERROR(DNS_R_FORMERR);
+			}
+		}
+
+		if (result == ISC_R_NOTFOUND) {
+			rdataset = isc_mempool_get(msg->rdspool);
+			if (rdataset == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			free_rdataset = true;
+
+			rdatalist = newrdatalist(msg);
+			if (rdatalist == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+
+			rdatalist->type = rdtype;
+			rdatalist->covers = covers;
+			rdatalist->rdclass = rdclass;
+			rdatalist->ttl = ttl;
+
+			dns_rdataset_init(rdataset);
+			RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist,
+							       rdataset)
+				      == ISC_R_SUCCESS);
+			dns_rdataset_setownercase(rdataset, name);
+
+			if (rdtype != dns_rdatatype_opt &&
+			    rdtype != dns_rdatatype_tsig &&
+			    !issigzero)
+			{
+				ISC_LIST_APPEND(name->list, rdataset, link);
+				free_rdataset = false;
+			}
+		}
+
+		/*
+		 * Minimize TTLs.
+		 *
+		 * Section 5.2 of RFC2181 says we should drop
+		 * nonauthoritative rrsets where the TTLs differ, but we
+		 * currently treat them the as if they were authoritative and
+		 * minimize them.
+		 */
+		if (ttl != rdataset->ttl) {
+			rdataset->attributes |= DNS_RDATASETATTR_TTLADJUSTED;
+			if (ttl < rdataset->ttl)
+				rdataset->ttl = ttl;
+		}
+
+		/* Append this rdata to the rdataset. */
+		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
+		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+
+		/*
+		 * If this is an OPT, SIG(0) or TSIG record, remember it.
+		 * Also, set the extended rcode for TSIG.
+		 *
+		 * Note msg->opt, msg->sig0 and msg->tsig will only be
+		 * already set if best-effort parsing is enabled otherwise
+		 * there will only be at most one of each.
+		 */
+		if (rdtype == dns_rdatatype_opt && msg->opt == NULL) {
+			dns_rcode_t ercode;
+
+			msg->opt = rdataset;
+			rdataset = NULL;
+			free_rdataset = false;
+			ercode = (dns_rcode_t)
+				((msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK)
+				 >> 20);
+			msg->rcode |= ercode;
+			isc_mempool_put(msg->namepool, name);
+			free_name = false;
+		} else if (issigzero && msg->sig0 == NULL) {
+			msg->sig0 = rdataset;
+			msg->sig0name = name;
+			rdataset = NULL;
+			free_rdataset = false;
+			free_name = false;
+		} else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
+			msg->tsig = rdataset;
+			msg->tsigname = name;
+			/* Windows doesn't like TSIG names to be compressed. */
+			msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+			rdataset = NULL;
+			free_rdataset = false;
+			free_name = false;
+		}
+
+		if (seen_problem) {
+			if (free_name)
+				isc_mempool_put(msg->namepool, name);
+			if (free_rdataset)
+				isc_mempool_put(msg->rdspool, rdataset);
+			free_name = free_rdataset = false;
+		}
+		INSIST(free_name == false);
+		INSIST(free_rdataset == false);
+	}
+
+	/*
+	 * If any of DS, NSEC or NSEC3 appeared in the
+	 * authority section of a query response without
+	 * a covering RRSIG, FORMERR
+	 */
+	if (sectionid == DNS_SECTION_AUTHORITY &&
+	    msg->opcode == dns_opcode_query &&
+	    ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
+	    ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
+	    !preserve_order &&
+	    !auth_signed(section))
+		DO_ERROR(DNS_R_FORMERR);
+
+	if (seen_problem)
+		return (DNS_R_RECOVERABLE);
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (free_name)
+		isc_mempool_put(msg->namepool, name);
+	if (free_rdataset)
+		isc_mempool_put(msg->rdspool, rdataset);
+
+	return (result);
+}
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+		  unsigned int options)
+{
+	isc_region_t r;
+	dns_decompress_t dctx;
+	isc_result_t ret;
+	uint16_t tmpflags;
+	isc_buffer_t origsource;
+	bool seen_problem;
+	bool ignore_tc;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(source != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+	seen_problem = false;
+	ignore_tc = (options & DNS_MESSAGEPARSE_IGNORETRUNCATION);
+
+	origsource = *source;
+
+	msg->header_ok = 0;
+	msg->question_ok = 0;
+
+	isc_buffer_remainingregion(source, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN)
+		return (ISC_R_UNEXPECTEDEND);
+
+	msg->id = isc_buffer_getuint16(source);
+	tmpflags = isc_buffer_getuint16(source);
+	msg->opcode = ((tmpflags & DNS_MESSAGE_OPCODE_MASK)
+		       >> DNS_MESSAGE_OPCODE_SHIFT);
+	msg->rcode = (dns_rcode_t)(tmpflags & DNS_MESSAGE_RCODE_MASK);
+	msg->flags = (tmpflags & DNS_MESSAGE_FLAG_MASK);
+	msg->counts[DNS_SECTION_QUESTION] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_ANSWER] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_AUTHORITY] = isc_buffer_getuint16(source);
+	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+	msg->header_ok = 1;
+	msg->state = DNS_SECTION_QUESTION;
+
+	/*
+	 * -1 means no EDNS.
+	 */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+
+	dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
+
+	ret = getquestions(source, msg, &dctx, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+		goto truncated;
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	msg->question_ok = 1;
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+		goto truncated;
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+		goto truncated;
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL, options);
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+		goto truncated;
+	if (ret == DNS_R_RECOVERABLE) {
+		seen_problem = true;
+		ret = ISC_R_SUCCESS;
+	}
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	isc_buffer_remainingregion(source, &r);
+	if (r.length != 0) {
+		isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
+			      "message has %u byte(s) of trailing garbage",
+			      r.length);
+	}
+
+ truncated:
+	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+		isc_buffer_usedregion(&origsource, &msg->saved);
+	else {
+		msg->saved.length = isc_buffer_usedlength(&origsource);
+		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+		if (msg->saved.base == NULL)
+			return (ISC_R_NOMEMORY);
+		memmove(msg->saved.base, isc_buffer_base(&origsource),
+			msg->saved.length);
+		msg->free_saved = 1;
+	}
+
+	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+		return (DNS_R_RECOVERABLE);
+	if (seen_problem == true)
+		return (DNS_R_RECOVERABLE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+			isc_buffer_t *buffer)
+{
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(msg->buffer == NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+	msg->cctx = cctx;
+
+	/*
+	 * Erase the contents of this buffer.
+	 */
+	isc_buffer_clear(buffer);
+
+	/*
+	 * Make certain there is enough for at least the header in this
+	 * buffer.
+	 */
+	isc_buffer_availableregion(buffer, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN)
+		return (ISC_R_NOSPACE);
+
+	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Reserve enough space for the header in this buffer.
+	 */
+	isc_buffer_add(buffer, DNS_MESSAGE_HEADERLEN);
+
+	msg->buffer = buffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
+	isc_region_t r, rn;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(msg->buffer != NULL);
+
+	/*
+	 * Ensure that the new buffer is empty, and has enough space to
+	 * hold the current contents.
+	 */
+	isc_buffer_clear(buffer);
+
+	isc_buffer_availableregion(buffer, &rn);
+	isc_buffer_usedregion(msg->buffer, &r);
+	REQUIRE(rn.length > r.length);
+
+	/*
+	 * Copy the contents from the old to the new buffer.
+	 */
+	isc_buffer_add(buffer, r.length);
+	memmove(rn.base, r.base, r.length);
+
+	msg->buffer = buffer;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(space <= msg->reserved);
+
+	msg->reserved -= space;
+}
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (msg->buffer != NULL) {
+		isc_buffer_availableregion(msg->buffer, &r);
+		if (r.length < (space + msg->reserved))
+			return (ISC_R_NOSPACE);
+	}
+
+	msg->reserved += space;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline bool
+wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
+	int pass_needed;
+
+	/*
+	 * If we are not rendering class IN, this ordering is bogus.
+	 */
+	if (rds->rdclass != dns_rdataclass_in)
+		return (false);
+
+	switch (rds->type) {
+	case dns_rdatatype_a:
+	case dns_rdatatype_aaaa:
+		if (preferred_glue == rds->type)
+			pass_needed = 4;
+		else
+			pass_needed = 3;
+		break;
+	case dns_rdatatype_rrsig:
+	case dns_rdatatype_dnskey:
+		pass_needed = 2;
+		break;
+	default:
+		pass_needed = 1;
+	}
+
+	if (pass_needed >= pass)
+		return (false);
+
+	return (true);
+}
+
+#ifdef ALLOW_FILTER_AAAA
+/*
+ * Decide whether to not answer with an AAAA record and its RRSIG
+ */
+static inline bool
+norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
+		  dns_section_t sectionid)
+{
+	if (sectionid == DNS_SECTION_QUESTION)
+		return (false);
+
+	switch (rdataset->type) {
+	case dns_rdatatype_ns:
+		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0 ||
+		    sectionid != DNS_SECTION_AUTHORITY)
+			return (false);
+		break;
+
+	case dns_rdatatype_aaaa:
+		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0)
+			return (false);
+		break;
+
+	case dns_rdatatype_rrsig:
+		if ((options & DNS_MESSAGERENDER_FILTER_AAAA) == 0 ||
+		    (rdataset->covers != dns_rdatatype_ns &&
+		     rdataset->covers != dns_rdatatype_aaaa))
+			return (false);
+		if ((rdataset->covers == dns_rdatatype_ns) &&
+		    (sectionid != DNS_SECTION_AUTHORITY))
+			return (false);
+		break;
+
+	default:
+		return (false);
+	}
+
+	if (rdataset->rdclass != dns_rdataclass_in)
+		return (false);
+
+	return (true);
+}
+#endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+	  dns_compress_t *cctx, isc_buffer_t *target,
+	  unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+	isc_result_t result;
+
+	/*
+	 * Shrink the space in the buffer by the reserved amount.
+	 */
+	if (target->length - target->used < reserved)
+		return (ISC_R_NOSPACE);
+
+	target->length -= reserved;
+	result = dns_rdataset_towire(rdataset, owner_name,
+				     cctx, target, options, countp);
+	target->length += reserved;
+
+	return (result);
+}
+
+static void
+maybe_clear_ad(dns_message_t *msg, dns_section_t sectionid) {
+	if (msg->counts[sectionid] == 0 &&
+	    (sectionid == DNS_SECTION_ANSWER ||
+	     (sectionid == DNS_SECTION_AUTHORITY &&
+	      msg->counts[DNS_SECTION_ANSWER] == 0)))
+		msg->flags &= ~DNS_MESSAGEFLAG_AD;
+}
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+			  unsigned int options)
+{
+	dns_namelist_t *section;
+	dns_name_t *name, *next_name;
+	dns_rdataset_t *rdataset, *next_rdataset;
+	unsigned int count, total;
+	isc_result_t result;
+	isc_buffer_t st; /* for rollbacks */
+	int pass;
+	bool partial = false;
+	unsigned int rd_options;
+	dns_rdatatype_t preferred_glue = 0;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->buffer != NULL);
+	REQUIRE(VALID_NAMED_SECTION(sectionid));
+
+	section = &msg->sections[sectionid];
+
+	if ((sectionid == DNS_SECTION_ADDITIONAL)
+	    && (options & DNS_MESSAGERENDER_ORDERED) == 0) {
+		if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
+			preferred_glue = dns_rdatatype_a;
+			pass = 4;
+		} else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
+			preferred_glue = dns_rdatatype_aaaa;
+			pass = 4;
+		} else
+			pass = 3;
+	} else
+		pass = 1;
+
+	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
+		rd_options = 0;
+	else
+		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+
+	/*
+	 * Shrink the space in the buffer by the reserved amount.
+	 */
+	if (msg->buffer->length - msg->buffer->used < msg->reserved)
+		return (ISC_R_NOSPACE);
+	msg->buffer->length -= msg->reserved;
+
+	total = 0;
+	if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0)
+		partial = true;
+
+	/*
+	 * Render required glue first.  Set TC if it won't fit.
+	 */
+	name = ISC_LIST_HEAD(*section);
+	if (name != NULL) {
+		rdataset = ISC_LIST_HEAD(name->list);
+		if (rdataset != NULL &&
+		    (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
+		    (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
+			const void *order_arg = msg->order_arg;
+			st = *(msg->buffer);
+			count = 0;
+			if (partial)
+				result = dns_rdataset_towirepartial(rdataset,
+								    name,
+								    msg->cctx,
+								    msg->buffer,
+								    msg->order,
+								    order_arg,
+								    rd_options,
+								    &count,
+								    NULL);
+			else
+				result = dns_rdataset_towiresorted(rdataset,
+								   name,
+								   msg->cctx,
+								   msg->buffer,
+								   msg->order,
+								   order_arg,
+								   rd_options,
+								   &count);
+			total += count;
+			if (partial && result == ISC_R_NOSPACE) {
+				msg->flags |= DNS_MESSAGEFLAG_TC;
+				msg->buffer->length += msg->reserved;
+				msg->counts[sectionid] += total;
+				return (result);
+			}
+			if (result == ISC_R_NOSPACE)
+				msg->flags |= DNS_MESSAGEFLAG_TC;
+			if (result != ISC_R_SUCCESS) {
+				INSIST(st.used < 65536);
+				dns_compress_rollback(msg->cctx,
+						      (uint16_t)st.used);
+				*(msg->buffer) = st;  /* rollback */
+				msg->buffer->length += msg->reserved;
+				msg->counts[sectionid] += total;
+				return (result);
+			}
+			rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
+		}
+	}
+
+	do {
+		name = ISC_LIST_HEAD(*section);
+		if (name == NULL) {
+			msg->buffer->length += msg->reserved;
+			msg->counts[sectionid] += total;
+			return (ISC_R_SUCCESS);
+		}
+
+		while (name != NULL) {
+			next_name = ISC_LIST_NEXT(name, link);
+
+			rdataset = ISC_LIST_HEAD(name->list);
+			while (rdataset != NULL) {
+				next_rdataset = ISC_LIST_NEXT(rdataset, link);
+
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_RENDERED) != 0)
+					goto next;
+
+				if (((options & DNS_MESSAGERENDER_ORDERED)
+				     == 0)
+				    && (sectionid == DNS_SECTION_ADDITIONAL)
+				    && wrong_priority(rdataset, pass,
+						      preferred_glue))
+					goto next;
+
+#ifdef ALLOW_FILTER_AAAA
+				/*
+				 * Suppress AAAAs if asked and we are
+				 * not doing DNSSEC or are breaking DNSSEC.
+				 * Say so in the AD bit if we break DNSSEC.
+				 */
+				if (norender_rdataset(rdataset, options, sectionid)) {
+					if (sectionid == DNS_SECTION_ANSWER ||
+					    sectionid == DNS_SECTION_AUTHORITY)
+					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
+					if (OPTOUT(rdataset))
+					    msg->flags &= ~DNS_MESSAGEFLAG_AD;
+					goto next;
+				}
+
+#endif
+				st = *(msg->buffer);
+
+				count = 0;
+				if (partial)
+					result = dns_rdataset_towirepartial(
+							  rdataset,
+							  name,
+							  msg->cctx,
+							  msg->buffer,
+							  msg->order,
+							  msg->order_arg,
+							  rd_options,
+							  &count,
+							  NULL);
+				else
+					result = dns_rdataset_towiresorted(
+							  rdataset,
+							  name,
+							  msg->cctx,
+							  msg->buffer,
+							  msg->order,
+							  msg->order_arg,
+							  rd_options,
+							  &count);
+
+				total += count;
+
+				/*
+				 * If out of space, record stats on what we
+				 * rendered so far, and return that status.
+				 *
+				 * XXXMLG Need to change this when
+				 * dns_rdataset_towire() can render partial
+				 * sets starting at some arbitrary point in the
+				 * set.  This will include setting a bit in the
+				 * rdataset to indicate that a partial
+				 * rendering was done, and some state saved
+				 * somewhere (probably in the message struct)
+				 * to indicate where to continue from.
+				 */
+				if (partial && result == ISC_R_NOSPACE) {
+					msg->buffer->length += msg->reserved;
+					msg->counts[sectionid] += total;
+					return (result);
+				}
+				if (result != ISC_R_SUCCESS) {
+					INSIST(st.used < 65536);
+					dns_compress_rollback(msg->cctx,
+							(uint16_t)st.used);
+					*(msg->buffer) = st;  /* rollback */
+					msg->buffer->length += msg->reserved;
+					msg->counts[sectionid] += total;
+					maybe_clear_ad(msg, sectionid);
+					return (result);
+				}
+
+				/*
+				 * If we have rendered non-validated data,
+				 * ensure that the AD bit is not set.
+				 */
+				if (rdataset->trust != dns_trust_secure &&
+				    (sectionid == DNS_SECTION_ANSWER ||
+				     sectionid == DNS_SECTION_AUTHORITY))
+					msg->flags &= ~DNS_MESSAGEFLAG_AD;
+				if (OPTOUT(rdataset))
+					msg->flags &= ~DNS_MESSAGEFLAG_AD;
+
+				rdataset->attributes |=
+					DNS_RDATASETATTR_RENDERED;
+
+			next:
+				rdataset = next_rdataset;
+			}
+
+			name = next_name;
+		}
+	} while (--pass != 0);
+
+	msg->buffer->length += msg->reserved;
+	msg->counts[sectionid] += total;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
+	uint16_t tmp;
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	isc_buffer_availableregion(target, &r);
+	REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
+
+	isc_buffer_putuint16(target, msg->id);
+
+	tmp = ((msg->opcode << DNS_MESSAGE_OPCODE_SHIFT)
+	       & DNS_MESSAGE_OPCODE_MASK);
+	tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK);
+	tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK);
+
+	INSIST(msg->counts[DNS_SECTION_QUESTION]  < 65536 &&
+	       msg->counts[DNS_SECTION_ANSWER]    < 65536 &&
+	       msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
+	       msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
+
+	isc_buffer_putuint16(target, tmp);
+	isc_buffer_putuint16(target,
+			    (uint16_t)msg->counts[DNS_SECTION_QUESTION]);
+	isc_buffer_putuint16(target,
+			    (uint16_t)msg->counts[DNS_SECTION_ANSWER]);
+	isc_buffer_putuint16(target,
+			    (uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
+	isc_buffer_putuint16(target,
+			    (uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
+}
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg) {
+	isc_buffer_t tmpbuf;
+	isc_region_t r;
+	int result;
+	unsigned int count;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->buffer != NULL);
+
+	if ((msg->rcode & ~DNS_MESSAGE_RCODE_MASK) != 0 && msg->opt == NULL) {
+		/*
+		 * We have an extended rcode but are not using EDNS.
+		 */
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * If we're adding a OPT, TSIG or SIG(0) to a truncated message,
+	 * clear all rdatasets from the message except for the question
+	 * before adding the OPT, TSIG or SIG(0).  If the question doesn't
+	 * fit, don't include it.
+	 */
+	if ((msg->tsigkey != NULL || msg->sig0key != NULL || msg->opt) &&
+	    (msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+	{
+		isc_buffer_t *buf;
+
+		msgresetnames(msg, DNS_SECTION_ANSWER);
+		buf = msg->buffer;
+		dns_message_renderreset(msg);
+		msg->buffer = buf;
+		isc_buffer_clear(msg->buffer);
+		isc_buffer_add(msg->buffer, DNS_MESSAGE_HEADERLEN);
+		dns_compress_rollback(msg->cctx, 0);
+		result = dns_message_rendersection(msg, DNS_SECTION_QUESTION,
+						   0);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
+			return (result);
+	}
+
+	/*
+	 * If we've got an OPT record, render it.
+	 */
+	if (msg->opt != NULL) {
+		dns_message_renderrelease(msg, msg->opt_reserved);
+		msg->opt_reserved = 0;
+		/*
+		 * Set the extended rcode.
+		 */
+		msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
+		msg->opt->ttl |= ((msg->rcode << 20) &
+				  DNS_MESSAGE_EDNSRCODE_MASK);
+		/*
+		 * Render.
+		 */
+		count = 0;
+		result = renderset(msg->opt, dns_rootname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	/*
+	 * If we're adding a TSIG record, generate and render it.
+	 */
+	if (msg->tsigkey != NULL) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+		result = dns_tsig_sign(msg);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		count = 0;
+		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	/*
+	 * If we're adding a SIG(0) record, generate and render it.
+	 */
+	if (msg->sig0key != NULL) {
+		dns_message_renderrelease(msg, msg->sig_reserved);
+		msg->sig_reserved = 0;
+		result = dns_dnssec_signmessage(msg, msg->sig0key);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		count = 0;
+		/*
+		 * Note: dns_rootname is used here, not msg->sig0name, since
+		 * the owner name of a SIG(0) is irrelevant, and will not
+		 * be set in a message being rendered.
+		 */
+		result = renderset(msg->sig0, dns_rootname, msg->cctx,
+				   msg->buffer, msg->reserved, 0, &count);
+		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	isc_buffer_usedregion(msg->buffer, &r);
+	isc_buffer_init(&tmpbuf, r.base, r.length);
+
+	dns_message_renderheader(msg, &tmpbuf);
+
+	msg->buffer = NULL;  /* forget about this buffer only on success XXX */
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderreset(dns_message_t *msg) {
+	unsigned int i;
+	dns_name_t *name;
+	dns_rdataset_t *rds;
+
+	/*
+	 * Reset the message so that it may be rendered again.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+	msg->buffer = NULL;
+
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		msg->cursors[i] = NULL;
+		msg->counts[i] = 0;
+		for (name = ISC_LIST_HEAD(msg->sections[i]);
+		     name != NULL;
+		     name = ISC_LIST_NEXT(name, link)) {
+			for (rds = ISC_LIST_HEAD(name->list);
+			     rds != NULL;
+			     rds = ISC_LIST_NEXT(rds, link)) {
+				rds->attributes &= ~DNS_RDATASETATTR_RENDERED;
+			}
+		}
+	}
+	if (msg->tsigname != NULL)
+		dns_message_puttempname(msg, &msg->tsigname);
+	if (msg->tsig != NULL) {
+		dns_rdataset_disassociate(msg->tsig);
+		dns_message_puttemprdataset(msg, &msg->tsig);
+	}
+	if (msg->sig0 != NULL) {
+		dns_rdataset_disassociate(msg->sig0);
+		dns_message_puttemprdataset(msg, &msg->sig0);
+	}
+}
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
+
+	if (msg->cursors[section] == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+	REQUIRE(msg->cursors[section] != NULL);
+
+	msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
+
+	if (msg->cursors[section] == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+			dns_name_t **name)
+{
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(VALID_NAMED_SECTION(section));
+	REQUIRE(name != NULL && *name == NULL);
+	REQUIRE(msg->cursors[section] != NULL);
+
+	*name = msg->cursors[section];
+}
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+		     dns_name_t *target, dns_rdatatype_t type,
+		     dns_rdatatype_t covers, dns_name_t **name,
+		     dns_rdataset_t **rdataset)
+{
+	dns_name_t *foundname;
+	isc_result_t result;
+
+	/*
+	 * XXX These requirements are probably too intensive, especially
+	 * where things can be NULL, but as they are they ensure that if
+	 * something is NON-NULL, indicating that the caller expects it
+	 * to be filled in, that we can in fact fill it in.
+	 */
+	REQUIRE(msg != NULL);
+	REQUIRE(VALID_SECTION(section));
+	REQUIRE(target != NULL);
+	REQUIRE(name == NULL || *name == NULL);
+
+	if (type == dns_rdatatype_any) {
+		REQUIRE(rdataset == NULL);
+	} else {
+		REQUIRE(rdataset == NULL || *rdataset == NULL);
+	}
+
+	result = findname(&foundname, target,
+			  &msg->sections[section]);
+
+	if (result == ISC_R_NOTFOUND)
+		return (DNS_R_NXDOMAIN);
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (name != NULL)
+		*name = foundname;
+
+	/*
+	 * And now look for the type.
+	 */
+	if (ISC_UNLIKELY(type == dns_rdatatype_any))
+		return (ISC_R_SUCCESS);
+
+	result = dns_message_findtype(foundname, type, covers, rdataset);
+	if (result == ISC_R_NOTFOUND)
+		return (DNS_R_NXRRSET);
+
+	return (result);
+}
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+		     dns_section_t fromsection,
+		     dns_section_t tosection)
+{
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(fromsection));
+	REQUIRE(VALID_NAMED_SECTION(tosection));
+
+	/*
+	 * Unlink the name from the old section
+	 */
+	ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
+	ISC_LIST_APPEND(msg->sections[tosection], name, link);
+}
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+		    dns_section_t section)
+{
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_APPEND(msg->sections[section], name, link);
+}
+
+void
+dns_message_removename(dns_message_t *msg, dns_name_t *name,
+		       dns_section_t section)
+{
+	REQUIRE(msg != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_NAMED_SECTION(section));
+
+	ISC_LIST_UNLINK(msg->sections[section], name, link);
+}
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = isc_mempool_get(msg->namepool);
+	if (*item == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_name_init(*item, NULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = newoffsets(msg);
+	if (*item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = newrdata(msg);
+	if (*item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = isc_mempool_get(msg->rdspool);
+	if (*item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_rdataset_init(*item);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item == NULL);
+
+	*item = newrdatalist(msg);
+	if (*item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	if (dns_name_dynamic(*item))
+		dns_name_free(*item, msg->mctx);
+	isc_mempool_put(msg->namepool, *item);
+	*item = NULL;
+}
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	releaserdata(msg, *item);
+	*item = NULL;
+}
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	REQUIRE(!dns_rdataset_isassociated(*item));
+	isc_mempool_put(msg->rdspool, *item);
+	*item = NULL;
+}
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(item != NULL && *item != NULL);
+
+	releaserdatalist(msg, *item);
+	*item = NULL;
+}
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+		       unsigned int *flagsp)
+{
+	isc_region_t r;
+	isc_buffer_t buffer;
+	dns_messageid_t id;
+	unsigned int flags;
+
+	REQUIRE(source != NULL);
+
+	buffer = *source;
+
+	isc_buffer_remainingregion(&buffer, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN)
+		return (ISC_R_UNEXPECTEDEND);
+
+	id = isc_buffer_getuint16(&buffer);
+	flags = isc_buffer_getuint16(&buffer);
+	flags &= DNS_MESSAGE_FLAG_MASK;
+
+	if (flagsp != NULL)
+		*flagsp = flags;
+	if (idp != NULL)
+		*idp = id;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, bool want_question_section) {
+	unsigned int clear_from;
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
+
+	if (!msg->header_ok)
+		return (DNS_R_FORMERR);
+	if (msg->opcode != dns_opcode_query &&
+	    msg->opcode != dns_opcode_notify)
+		want_question_section = false;
+	if (msg->opcode == dns_opcode_update)
+		clear_from = DNS_SECTION_PREREQUISITE;
+	else if (want_question_section) {
+		if (!msg->question_ok)
+			return (DNS_R_FORMERR);
+		clear_from = DNS_SECTION_ANSWER;
+	} else
+		clear_from = DNS_SECTION_QUESTION;
+	msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
+	msgresetnames(msg, clear_from);
+	msgresetopt(msg);
+	msgresetsigs(msg, true);
+	msginitprivate(msg);
+	/*
+	 * We now clear most flags and then set QR, ensuring that the
+	 * reply's flags will be in a reasonable state.
+	 */
+	if (msg->opcode == dns_opcode_query)
+		msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
+	else
+		msg->flags = 0;
+	msg->flags |= DNS_MESSAGEFLAG_QR;
+
+	/*
+	 * This saves the query TSIG status, if the query was signed, and
+	 * reserves space in the reply for the TSIG.
+	 */
+	if (msg->tsigkey != NULL) {
+		unsigned int otherlen = 0;
+		msg->querytsigstatus = msg->tsigstatus;
+		msg->tsigstatus = dns_rcode_noerror;
+		if (msg->querytsigstatus == dns_tsigerror_badtime)
+			otherlen = 6;
+		msg->sig_reserved = spacefortsig(msg->tsigkey, otherlen);
+		result = dns_message_renderreserve(msg, msg->sig_reserved);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+	}
+	if (msg->saved.base != NULL) {
+		msg->query.base = msg->saved.base;
+		msg->query.length = msg->saved.length;
+		msg->free_query = msg->free_saved;
+		msg->saved.base = NULL;
+		msg->saved.length = 0;
+		msg->free_saved = 0;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg) {
+
+	/*
+	 * Get the OPT record for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->opt);
+}
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Set the OPT record for 'msg'.
+	 */
+
+	/*
+	 * The space required for an OPT record is:
+	 *
+	 *	1 byte for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the rdata length
+	 * ---------------------------------
+	 *     11 bytes
+	 *
+	 * plus the length of the rdata.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(opt->type == dns_rdatatype_opt);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+
+	msgresetopt(msg);
+
+	result = dns_rdataset_first(opt);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	dns_rdataset_current(opt, &rdata);
+	msg->opt_reserved = 11 + rdata.length;
+	result = dns_message_renderreserve(msg, msg->opt_reserved);
+	if (result != ISC_R_SUCCESS) {
+		msg->opt_reserved = 0;
+		goto cleanup;
+	}
+
+	msg->opt = opt;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_rdataset_disassociate(opt);
+	dns_message_puttemprdataset(msg, &opt);
+	return (result);
+}
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
+
+	/*
+	 * Get the TSIG record and owner for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(owner == NULL || *owner == NULL);
+
+	if (owner != NULL)
+		*owner = msg->tsigname;
+	return (msg->tsig);
+}
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
+	isc_result_t result;
+
+	/*
+	 * Set the TSIG key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+
+	if (key == NULL && msg->tsigkey != NULL) {
+		if (msg->sig_reserved != 0) {
+			dns_message_renderrelease(msg, msg->sig_reserved);
+			msg->sig_reserved = 0;
+		}
+		dns_tsigkey_detach(&msg->tsigkey);
+	}
+	if (key != NULL) {
+		REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
+		dns_tsigkey_attach(key, &msg->tsigkey);
+		if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
+			msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
+			result = dns_message_renderreserve(msg,
+							   msg->sig_reserved);
+			if (result != ISC_R_SUCCESS) {
+				dns_tsigkey_detach(&msg->tsigkey);
+				msg->sig_reserved = 0;
+				return (result);
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg) {
+
+	/*
+	 * Get the TSIG key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->tsigkey);
+}
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig) {
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *list = NULL;
+	dns_rdataset_t *set = NULL;
+	isc_buffer_t *buf = NULL;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->querytsig == NULL);
+
+	if (querytsig == NULL)
+		return (ISC_R_SUCCESS);
+
+	result = dns_message_gettemprdata(msg, &rdata);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdatalist(msg, &list);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_gettemprdataset(msg, &set);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	isc_buffer_usedregion(querytsig, &r);
+	result = isc_buffer_allocate(msg->mctx, &buf, r.length);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_buffer_putmem(buf, r.base, r.length);
+	isc_buffer_usedregion(buf, &r);
+	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_tsig, &r);
+	dns_message_takebuffer(msg, &buf);
+	ISC_LIST_APPEND(list->rdata, rdata, link);
+	result = dns_rdatalist_tordataset(list, set);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	msg->querytsig = set;
+
+	return (result);
+
+ cleanup:
+	if (rdata != NULL)
+		dns_message_puttemprdata(msg, &rdata);
+	if (list != NULL)
+		dns_message_puttemprdatalist(msg, &list);
+	if (set != NULL)
+		dns_message_puttemprdataset(msg, &set);
+	return (ISC_R_NOMEMORY);
+}
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+			 isc_buffer_t **querytsig) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t r;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(mctx != NULL);
+	REQUIRE(querytsig != NULL && *querytsig == NULL);
+
+	if (msg->tsig == NULL)
+		return (ISC_R_SUCCESS);
+
+	result = dns_rdataset_first(msg->tsig);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_rdataset_current(msg->tsig, &rdata);
+	dns_rdata_toregion(&rdata, &r);
+
+	result = isc_buffer_allocate(mctx, querytsig, r.length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putmem(*querytsig, r.base, r.length);
+	return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, dns_name_t **owner) {
+
+	/*
+	 * Get the SIG(0) record for 'msg'.
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(owner == NULL || *owner == NULL);
+
+	if (msg->sig0 != NULL && owner != NULL) {
+		/* If dns_message_getsig0 is called on a rendered message
+		 * after the SIG(0) has been applied, we need to return the
+		 * root name, not NULL.
+		 */
+		if (msg->sig0name == NULL)
+			*owner = dns_rootname;
+		else
+			*owner = msg->sig0name;
+	}
+	return (msg->sig0);
+}
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
+	isc_region_t r;
+	unsigned int x;
+	isc_result_t result;
+
+	/*
+	 * Set the SIG(0) key for 'msg'
+	 */
+
+	/*
+	 * The space required for an SIG(0) record is:
+	 *
+	 *	1 byte for the name
+	 *	2 bytes for the type
+	 *	2 bytes for the class
+	 *	4 bytes for the ttl
+	 *	2 bytes for the type covered
+	 *	1 byte for the algorithm
+	 *	1 bytes for the labels
+	 *	4 bytes for the original ttl
+	 *	4 bytes for the signature expiration
+	 *	4 bytes for the signature inception
+	 *	2 bytes for the key tag
+	 *	n bytes for the signer's name
+	 *	x bytes for the signature
+	 * ---------------------------------
+	 *     27 + n + x bytes
+	 */
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+
+	if (key != NULL) {
+		REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
+		dns_name_toregion(dst_key_name(key), &r);
+		result = dst_key_sigsize(key, &x);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+		msg->sig_reserved = 27 + r.length + x;
+		result = dns_message_renderreserve(msg, msg->sig_reserved);
+		if (result != ISC_R_SUCCESS) {
+			msg->sig_reserved = 0;
+			return (result);
+		}
+		msg->sig0key = key;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg) {
+
+	/*
+	 * Get the SIG(0) key for 'msg'
+	 */
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	return (msg->sig0key);
+}
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(buffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*buffer));
+
+	ISC_LIST_APPEND(msg->cleanup, *buffer, link);
+	*buffer = NULL;
+}
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(signer != NULL);
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+	if (msg->tsig == NULL && msg->sig0 == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (msg->verify_attempted == 0)
+		return (DNS_R_NOTVERIFIEDYET);
+
+	if (!dns_name_hasbuffer(signer)) {
+		isc_buffer_t *dynbuf = NULL;
+		result = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_name_setbuffer(signer, dynbuf);
+		dns_message_takebuffer(msg, &dynbuf);
+	}
+
+	if (msg->sig0 != NULL) {
+		dns_rdata_sig_t sig;
+
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
+
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
+			result = ISC_R_SUCCESS;
+		else
+			result = DNS_R_SIGINVALID;
+		dns_name_clone(&sig.signer, signer);
+		dns_rdata_freestruct(&sig);
+	} else {
+		dns_name_t *identity;
+		dns_rdata_any_tsig_t tsig;
+
+		result = dns_rdataset_first(msg->tsig);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->tsig, &rdata);
+
+		result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (msg->verified_sig &&
+		    msg->tsigstatus == dns_rcode_noerror &&
+		    tsig.error == dns_rcode_noerror)
+		{
+			result = ISC_R_SUCCESS;
+		} else if ((!msg->verified_sig) ||
+			   (msg->tsigstatus != dns_rcode_noerror))
+		{
+			result = DNS_R_TSIGVERIFYFAILURE;
+		} else {
+			INSIST(tsig.error != dns_rcode_noerror);
+			result = DNS_R_TSIGERRORSET;
+		}
+		dns_rdata_freestruct(&tsig);
+
+		if (msg->tsigkey == NULL) {
+			/*
+			 * If msg->tsigstatus & tsig.error are both
+			 * dns_rcode_noerror, the message must have been
+			 * verified, which means msg->tsigkey will be
+			 * non-NULL.
+			 */
+			INSIST(result != ISC_R_SUCCESS);
+		} else {
+			identity = dns_tsigkey_identity(msg->tsigkey);
+			if (identity == NULL) {
+				if (result == ISC_R_SUCCESS)
+					result = DNS_R_NOIDENTITY;
+				identity = &msg->tsigkey->name;
+			}
+			dns_name_clone(identity, signer);
+		}
+	}
+
+	return (result);
+}
+
+void
+dns_message_resetsig(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->verified_sig = 0;
+	msg->verify_attempted = 0;
+	msg->tsigstatus = dns_rcode_noerror;
+	msg->sig0status = dns_rcode_noerror;
+	msg->timeadjust = 0;
+	if (msg->tsigkey != NULL) {
+		dns_tsigkey_detach(&msg->tsigkey);
+		msg->tsigkey = NULL;
+	}
+}
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
+	dns_message_resetsig(msg);
+	return (dns_message_checksig(msg, view));
+}
+
+#ifdef SKAN_MSG_DEBUG
+void
+dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+	dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+	dns_rdata_any_tsig_t querytsig;
+	isc_result_t result;
+
+	if (msg->tsig != NULL) {
+		result = dns_rdataset_first(msg->tsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->tsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "TSIG", querytsig.signature,
+			querytsig.siglen);
+	}
+
+	if (msg->querytsig != NULL) {
+		result = dns_rdataset_first(msg->querytsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->querytsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "QUERYTSIG", querytsig.signature,
+			querytsig.siglen);
+	}
+}
+#endif
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+	isc_buffer_t b, msgb;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+
+	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
+		return (ISC_R_SUCCESS);
+
+	INSIST(msg->saved.base != NULL);
+	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+	isc_buffer_add(&msgb, msg->saved.length);
+	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+#ifdef SKAN_MSG_DEBUG
+		dns_message_dumpsig(msg, "dns_message_checksig#1");
+#endif
+		if (view != NULL)
+			return (dns_view_checksig(view, &msgb, msg));
+		else
+			return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+	} else {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_sig_t sig;
+		dns_rdataset_t keyset;
+		isc_result_t result;
+
+		result = dns_rdataset_first(msg->sig0);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->sig0, &rdata);
+
+		/*
+		 * This can occur when the message is a dynamic update, since
+		 * the rdata length checking is relaxed.  This should not
+		 * happen in a well-formed message, since the SIG(0) is only
+		 * looked for in the additional section, and the dynamic update
+		 * meta-records are in the prerequisite and update sections.
+		 */
+		if (rdata.length == 0)
+			return (ISC_R_UNEXPECTEDEND);
+
+		result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		dns_rdataset_init(&keyset);
+		if (view == NULL)
+			return (DNS_R_KEYUNAUTHORIZED);
+		result = dns_view_simplefind(view, &sig.signer,
+					     dns_rdatatype_key /* SIG(0) */,
+					     0, 0, false, &keyset, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			/* XXXBEW Should possibly create a fetch here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		} else if (keyset.trust < dns_trust_secure) {
+			/* XXXBEW Should call a validator here */
+			result = DNS_R_KEYUNAUTHORIZED;
+			goto freesig;
+		}
+		result = dns_rdataset_first(&keyset);
+		INSIST(result == ISC_R_SUCCESS);
+		for (;
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&keyset))
+		{
+			dst_key_t *key = NULL;
+
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&keyset, &rdata);
+			isc_buffer_init(&b, rdata.data, rdata.length);
+			isc_buffer_add(&b, rdata.length);
+
+			result = dst_key_fromdns(&sig.signer, rdata.rdclass,
+						 &b, view->mctx, &key);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (dst_key_alg(key) != sig.algorithm ||
+			    dst_key_id(key) != sig.keyid ||
+			    !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+			      dst_key_proto(key) == DNS_KEYPROTO_ANY))
+			{
+				dst_key_free(&key);
+				continue;
+			}
+			result = dns_dnssec_verifymessage(&msgb, msg, key);
+			dst_key_free(&key);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+		if (result == ISC_R_NOMORE)
+			result = DNS_R_KEYUNAUTHORIZED;
+
+ freesig:
+		if (dns_rdataset_isassociated(&keyset))
+			dns_rdataset_disassociate(&keyset);
+		dns_rdata_freestruct(&sig);
+		return (result);
+	}
+}
+
+#define INDENT(sp) \
+	do { \
+		unsigned int __i; \
+		dns_masterstyle_flags_t  __flags = dns_master_styleflags(sp); \
+		if ((__flags & DNS_STYLEFLAG_INDENT) == 0ULL && \
+		    (__flags & DNS_STYLEFLAG_YAML) == 0ULL) \
+			break; \
+		for (__i = 0; __i < dns_master_indent; __i++) { \
+			ADD_STRING(target, dns_master_indentstr); \
+		} \
+	} while (0)
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+			  const dns_master_style_t *style,
+			  dns_messagetextflag_t flags,
+			  isc_buffer_t *target) {
+	dns_name_t *name, empty_name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool seensoa = false;
+	unsigned int saveindent;
+	dns_masterstyle_flags_t sflags;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_SECTION(section));
+
+	saveindent = dns_master_indent;
+	sflags = dns_master_styleflags(style);
+	if (ISC_LIST_EMPTY(msg->sections[section]))
+		goto cleanup;
+
+
+	INDENT(style);
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, sectiontext[section]);
+		} else {
+			ADD_STRING(target, updsectiontext[section]);
+		}
+		ADD_STRING(target, "_SECTION:\n");
+	} else if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+		ADD_STRING(target, ";; ");
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, sectiontext[section]);
+		} else {
+			ADD_STRING(target, updsectiontext[section]);
+		}
+		ADD_STRING(target, " SECTION:\n");
+	}
+
+	dns_name_init(&empty_name, NULL);
+	result = dns_message_firstname(msg, section);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup;
+	}
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		dns_master_indent++;
+	}
+	do {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (section == DNS_SECTION_ANSWER &&
+			    rdataset->type == dns_rdatatype_soa) {
+				if ((flags & DNS_MESSAGETEXTFLAG_OMITSOA) != 0)
+					continue;
+				if (seensoa &&
+				    (flags & DNS_MESSAGETEXTFLAG_ONESOA) != 0)
+					continue;
+				seensoa = true;
+			}
+			if (section == DNS_SECTION_QUESTION) {
+				INDENT(style);
+				if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+					ADD_STRING(target, "- ");
+				} else {
+					ADD_STRING(target, ";");
+				}
+				result = dns_master_questiontotext(name,
+								   rdataset,
+								   style,
+								   target);
+			} else {
+				result = dns_master_rdatasettotext(name,
+								   rdataset,
+								   style,
+								   target);
+			}
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+		result = dns_message_nextname(msg, section);
+	} while (result == ISC_R_SUCCESS);
+	if ((sflags & DNS_STYLEFLAG_YAML) != 0) {
+		dns_master_indent--;
+	}
+	if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+	    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0 &&
+	    (sflags & DNS_STYLEFLAG_YAML) == 0)
+	{
+		INDENT(style);
+		ADD_STRING(target, "\n");
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup:
+	dns_master_indent = saveindent;
+	return (result);
+}
+
+static isc_result_t
+render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) {
+	int i;
+	char addr[16], addr_text[64];
+	uint16_t family;
+	uint8_t addrlen, addrbytes, scopelen;
+	isc_result_t result;
+
+	/*
+	 * Note: This routine needs to handle malformed ECS options.
+	 */
+
+	if (isc_buffer_remaininglength(ecsbuf) < 4)
+		return (DNS_R_OPTERR);
+	family = isc_buffer_getuint16(ecsbuf);
+	addrlen = isc_buffer_getuint8(ecsbuf);
+	scopelen = isc_buffer_getuint8(ecsbuf);
+
+	addrbytes = (addrlen + 7) / 8;
+	if (isc_buffer_remaininglength(ecsbuf) < addrbytes)
+		return (DNS_R_OPTERR);
+
+	if (addrbytes > sizeof(addr))
+		return (DNS_R_OPTERR);
+
+	memset(addr, 0, sizeof(addr));
+	for (i = 0; i < addrbytes; i ++)
+		addr[i] = isc_buffer_getuint8(ecsbuf);
+
+	switch (family) {
+	case 0:
+		if (addrlen != 0U || scopelen != 0U)
+			return (DNS_R_OPTERR);
+		strlcpy(addr_text, "0", sizeof(addr_text));
+		break;
+	case 1:
+		if (addrlen > 32 || scopelen > 32)
+			return (DNS_R_OPTERR);
+		inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
+		break;
+	case 2:
+		if (addrlen > 128 || scopelen > 128)
+			return (DNS_R_OPTERR);
+		inet_ntop(AF_INET6, addr, addr_text, sizeof(addr_text));
+		break;
+	default:
+		return (DNS_R_OPTERR);
+	}
+
+	ADD_STRING(target, ": ");
+	ADD_STRING(target, addr_text);
+	snprintf(addr_text, sizeof(addr_text), "/%d/%d", addrlen, scopelen);
+	ADD_STRING(target, addr_text);
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	return (result);
+}
+
+
+static isc_result_t
+dns_message_pseudosectiontoyaml(dns_message_t *msg,
+				dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t flags,
+				isc_buffer_t *target)
+{
+	dns_rdataset_t *ps = NULL;
+	dns_name_t *name = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	char buf[sizeof("1234567890")];
+	uint32_t mbz;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	uint16_t optcode, optlen;
+	unsigned char *optdata;
+	unsigned int saveindent = dns_master_indent;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_PSEUDOSECTION(section));
+
+	switch (section) {
+	case DNS_PSEUDOSECTION_OPT:
+		ps = dns_message_getopt(msg);
+		if (ps == NULL) {
+			goto cleanup;
+		}
+
+		INDENT(style);
+		ADD_STRING(target, "OPT_PSEUDOSECTION:\n");
+		dns_master_indent++;
+
+		INDENT(style);
+		ADD_STRING(target, "EDNS:\n");
+		dns_master_indent++;
+
+		INDENT(style);
+		ADD_STRING(target, "version: ");
+		snprintf(buf, sizeof(buf), "%u",
+			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "flags:");
+		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
+			ADD_STRING(target, " do");
+		ADD_STRING(target, "\n");
+		mbz = ps->ttl & 0xffff;
+		mbz &= ~DNS_MESSAGEEXTFLAG_DO;		/* Known Flags. */
+		if (mbz != 0) {
+			INDENT(style);
+			ADD_STRING(target, "MBZ: ");
+			snprintf(buf, sizeof(buf), "0x%.4x", mbz);
+			ADD_STRING(target, buf);
+			ADD_STRING(target, "\n");
+		}
+		INDENT(style);
+		ADD_STRING(target, "udp: ");
+		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
+		ADD_STRING(target, buf);
+		result = dns_rdataset_first(ps);
+		if (result != ISC_R_SUCCESS) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+
+		/*
+		 * Print EDNS info, if any.
+		 *
+		 * WARNING: The option contents may be malformed as
+		 * dig +ednsopt=value:<content> does not validity
+		 * checking.
+		 */
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(ps, &rdata);
+
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) != 0) {
+			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
+
+			if (optcode == DNS_OPT_NSID) {
+				INDENT(style);
+				ADD_STRING(target, "NSID");
+			} else if (optcode == DNS_OPT_COOKIE) {
+				INDENT(style);
+				ADD_STRING(target, "COOKIE");
+			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+				isc_buffer_t ecsbuf;
+				INDENT(style);
+				ADD_STRING(target, "CLIENT-SUBNET");
+				isc_buffer_init(&ecsbuf,
+						isc_buffer_current(&optbuf),
+						optlen);
+				isc_buffer_add(&ecsbuf, optlen);
+				result = render_ecs(&ecsbuf, target);
+				if (result == ISC_R_NOSPACE)
+					goto cleanup;
+				if (result == ISC_R_SUCCESS) {
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, "\n");
+					continue;
+				}
+				ADD_STRING(target, "\n");
+			} else if (optcode == DNS_OPT_EXPIRE) {
+				if (optlen == 4) {
+					uint32_t secs;
+					secs = isc_buffer_getuint32(&optbuf);
+					INDENT(style);
+					ADD_STRING(target, "EXPIRE: ");
+					snprintf(buf, sizeof(buf), "%u", secs);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " (");
+					result = dns_ttl_totext(secs,
+								true,
+								target);
+					if (result != ISC_R_SUCCESS)
+						goto cleanup;
+					ADD_STRING(target, ")\n");
+					continue;
+				}
+				INDENT(style);
+				ADD_STRING(target, "EXPIRE");
+			} else if (optcode == DNS_OPT_PAD) {
+				INDENT(style);
+				ADD_STRING(target, "PAD");
+			} else if (optcode == DNS_OPT_KEY_TAG) {
+				INDENT(style);
+				ADD_STRING(target, "KEY-TAG");
+				if (optlen > 0U && (optlen % 2U) == 0U) {
+					const char *sep = ": ";
+					uint16_t id;
+					while (optlen > 0U) {
+					    id = isc_buffer_getuint16(&optbuf);
+					    snprintf(buf, sizeof(buf), "%s%u",
+						     sep, id);
+					    ADD_STRING(target, buf);
+					    sep = ", ";
+					    optlen -= 2;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else {
+				INDENT(style);
+				ADD_STRING(target, "OPT: ");
+				snprintf(buf, sizeof(buf), "%u", optcode);
+				ADD_STRING(target, buf);
+				ADD_STRING(target, "\n");
+			}
+
+			if (optlen != 0) {
+				int i;
+				ADD_STRING(target, ": ");
+
+				optdata = isc_buffer_current(&optbuf);
+				for (i = 0; i < optlen; i++) {
+					const char *sep;
+					switch (optcode) {
+					case DNS_OPT_COOKIE:
+						sep = "";
+						break;
+					default:
+						sep = " ";
+						break;
+					}
+					snprintf(buf, sizeof(buf), "%02x%s",
+						 optdata[i], sep);
+					ADD_STRING(target, buf);
+				}
+
+				isc_buffer_forward(&optbuf, optlen);
+
+				if (optcode == DNS_OPT_COOKIE) {
+					/*
+					 * Valid server cookie?
+					 */
+					if (msg->cc_ok && optlen >= 16)
+						ADD_STRING(target, " (good)");
+					/*
+					 * Server cookie is not valid but
+					 * we had our cookie echoed back.
+					 */
+					if (msg->cc_ok && optlen < 16)
+						ADD_STRING(target, " (echoed)");
+					/*
+					 * We didn't get our cookie echoed
+					 * back.
+					 */
+					if (msg->cc_bad)
+						ADD_STRING(target, " (bad)");
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				if (optcode == DNS_OPT_CLIENT_SUBNET) {
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				/*
+				 * For non-COOKIE options, add a printable
+				 * version
+				 */
+				ADD_STRING(target, "(\"");
+				if (isc_buffer_availablelength(target) < optlen)
+				{
+					result = ISC_R_NOSPACE;
+					goto cleanup;
+				}
+				for (i = 0; i < optlen; i++) {
+					if (isprint(optdata[i]))
+						isc_buffer_putmem(target,
+								  &optdata[i],
+								  1);
+					else
+						isc_buffer_putstr(target, ".");
+				}
+				ADD_STRING(target, "\")");
+			}
+			ADD_STRING(target, "\n");
+		}
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	case DNS_PSEUDOSECTION_TSIG:
+		ps = dns_message_gettsig(msg, &name);
+		if (ps == NULL) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+		INDENT(style);
+		ADD_STRING(target, "TSIG_PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style, target);
+		ADD_STRING(target, "\n");
+		goto cleanup;
+	case DNS_PSEUDOSECTION_SIG0:
+		ps = dns_message_getsig0(msg, &name);
+		if (ps == NULL) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+		INDENT(style);
+		ADD_STRING(target, "SIG0_PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+			ADD_STRING(target, "\n");
+		goto cleanup;
+	}
+
+	result = ISC_R_UNEXPECTED;
+
+ cleanup:
+	dns_master_indent = saveindent;
+	return (result);
+}
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+				dns_pseudosection_t section,
+				const dns_master_style_t *style,
+				dns_messagetextflag_t flags,
+				isc_buffer_t *target)
+{
+	dns_rdataset_t *ps = NULL;
+	dns_name_t *name = NULL;
+	isc_result_t result;
+	char buf[sizeof("1234567890")];
+	uint32_t mbz;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	uint16_t optcode, optlen;
+	unsigned char *optdata;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+	REQUIRE(VALID_PSEUDOSECTION(section));
+
+	if ((dns_master_styleflags(style) & DNS_STYLEFLAG_YAML) != 0)
+		return (dns_message_pseudosectiontoyaml(msg, section, style,
+							flags, target));
+	switch (section) {
+	case DNS_PSEUDOSECTION_OPT:
+		ps = dns_message_getopt(msg);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+			INDENT(style);
+			ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
+		}
+
+		INDENT(style);
+		ADD_STRING(target, "; EDNS: version: ");
+		snprintf(buf, sizeof(buf), "%u",
+			 (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", flags:");
+		if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
+			ADD_STRING(target, " do");
+		mbz = ps->ttl & 0xffff;
+		mbz &= ~DNS_MESSAGEEXTFLAG_DO;		/* Known Flags. */
+		if (mbz != 0) {
+			ADD_STRING(target, "; MBZ: ");
+			snprintf(buf, sizeof(buf), "0x%.4x", mbz);
+			ADD_STRING(target, buf);
+			ADD_STRING(target, ", udp: ");
+		} else
+			ADD_STRING(target, "; udp: ");
+		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
+		ADD_STRING(target, buf);
+
+		result = dns_rdataset_first(ps);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+
+		/*
+		 * Print EDNS info, if any.
+		 *
+		 * WARNING: The option contents may be malformed as
+		 * dig +ednsopt=value:<content> does not validity
+		 * checking.
+		 */
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(ps, &rdata);
+
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) != 0) {
+			INSIST(isc_buffer_remaininglength(&optbuf) >= 4U);
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(isc_buffer_remaininglength(&optbuf) >= optlen);
+
+			INDENT(style);
+
+			if (optcode == DNS_OPT_NSID) {
+				ADD_STRING(target, "; NSID");
+			} else if (optcode == DNS_OPT_COOKIE) {
+				ADD_STRING(target, "; COOKIE");
+			} else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+				isc_buffer_t ecsbuf;
+
+				ADD_STRING(target, "; CLIENT-SUBNET");
+				isc_buffer_init(&ecsbuf,
+						isc_buffer_current(&optbuf),
+						optlen);
+				isc_buffer_add(&ecsbuf, optlen);
+				result = render_ecs(&ecsbuf, target);
+				if (result == ISC_R_NOSPACE)
+					return (result);
+				if (result == ISC_R_SUCCESS) {
+					isc_buffer_forward(&optbuf, optlen);
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else if (optcode == DNS_OPT_EXPIRE) {
+				if (optlen == 4) {
+					uint32_t secs;
+					secs = isc_buffer_getuint32(&optbuf);
+					ADD_STRING(target, "; EXPIRE: ");
+					snprintf(buf, sizeof(buf), "%u", secs);
+					ADD_STRING(target, buf);
+					ADD_STRING(target, " (");
+					result = dns_ttl_totext(secs,
+								true,
+								target);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+					ADD_STRING(target, ")\n");
+					continue;
+				}
+				ADD_STRING(target, "; EXPIRE");
+			} else if (optcode == DNS_OPT_PAD) {
+				ADD_STRING(target, "; PAD");
+			} else if (optcode == DNS_OPT_KEY_TAG) {
+				ADD_STRING(target, "; KEY-TAG");
+				if (optlen > 0U && (optlen % 2U) == 0U) {
+					const char *sep = ": ";
+					uint16_t id;
+					while (optlen > 0U) {
+					    id = isc_buffer_getuint16(&optbuf);
+					    snprintf(buf, sizeof(buf), "%s%u",
+						     sep, id);
+					    ADD_STRING(target, buf);
+					    sep = ", ";
+					    optlen -= 2;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
+			} else {
+				ADD_STRING(target, "; OPT=");
+				snprintf(buf, sizeof(buf), "%u", optcode);
+				ADD_STRING(target, buf);
+			}
+
+			if (optlen != 0) {
+				int i;
+				ADD_STRING(target, ": ");
+
+				optdata = isc_buffer_current(&optbuf);
+				for (i = 0; i < optlen; i++) {
+					const char *sep;
+					switch (optcode) {
+					case DNS_OPT_COOKIE:
+						sep = "";
+						break;
+					default:
+						sep = " ";
+						break;
+					}
+					snprintf(buf, sizeof(buf), "%02x%s",
+						 optdata[i], sep);
+					ADD_STRING(target, buf);
+				}
+
+				isc_buffer_forward(&optbuf, optlen);
+
+				if (optcode == DNS_OPT_COOKIE) {
+					/*
+					 * Valid server cookie?
+					 */
+					if (msg->cc_ok && optlen >= 16)
+						ADD_STRING(target, " (good)");
+					/*
+					 * Server cookie is not valid but
+					 * we had our cookie echoed back.
+					 */
+					if (msg->cc_ok && optlen < 16)
+						ADD_STRING(target, " (echoed)");
+					/*
+					 * We didn't get our cookie echoed
+					 * back.
+					 */
+					if (msg->cc_bad)
+						ADD_STRING(target, " (bad)");
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				if (optcode == DNS_OPT_CLIENT_SUBNET) {
+					ADD_STRING(target, "\n");
+					continue;
+				}
+
+				/*
+				 * For non-COOKIE options, add a printable
+				 * version
+				 */
+				ADD_STRING(target, "(\"");
+				if (isc_buffer_availablelength(target) < optlen)
+					return (ISC_R_NOSPACE);
+				for (i = 0; i < optlen; i++) {
+					if (isprint(optdata[i]))
+						isc_buffer_putmem(target,
+								  &optdata[i],
+								  1);
+					else
+						isc_buffer_putstr(target, ".");
+				}
+				ADD_STRING(target, "\")");
+			}
+			ADD_STRING(target, "\n");
+		}
+		return (ISC_R_SUCCESS);
+	case DNS_PSEUDOSECTION_TSIG:
+		ps = dns_message_gettsig(msg, &name);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		INDENT(style);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+			ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+			ADD_STRING(target, "\n");
+		return (result);
+	case DNS_PSEUDOSECTION_SIG0:
+		ps = dns_message_getsig0(msg, &name);
+		if (ps == NULL)
+			return (ISC_R_SUCCESS);
+		INDENT(style);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+			ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
+		result = dns_master_rdatasettotext(name, ps, style, target);
+		if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+		    (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+			ADD_STRING(target, "\n");
+		return (result);
+	}
+	result = ISC_R_UNEXPECTED;
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+		   dns_messagetextflag_t flags, isc_buffer_t *target)
+{
+	char buf[sizeof("1234567890")];
+	isc_result_t result;
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(target != NULL);
+
+	if (((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) &&
+	     (dns_master_styleflags(style) & DNS_STYLEFLAG_YAML))
+	{
+		INDENT(style);
+		ADD_STRING(target, "opcode: ");
+		ADD_STRING(target, opcodetext[msg->opcode]);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "status: ");
+		result = dns_rcode_totext(msg->rcode, target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "id: ");
+		snprintf(buf, sizeof(buf), "%6u", msg->id);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "flags:");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+			ADD_STRING(target, " qr");
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+			ADD_STRING(target, " aa");
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+			ADD_STRING(target, " tc");
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+			ADD_STRING(target, " rd");
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+			ADD_STRING(target, " ra");
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+			ADD_STRING(target, " ad");
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+			ADD_STRING(target, " cd");
+		ADD_STRING(target, "\n");
+		/*
+		 * The final unnamed flag must be zero.
+		 */
+		if ((msg->flags & 0x0040U) != 0) {
+			INDENT(style);
+			ADD_STRING(target, "MBZ: 0x4");
+			ADD_STRING(target, "\n");
+		}
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "QUESTION: ");
+		} else {
+			ADD_STRING(target, "ZONE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_QUESTION]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "ANSWER: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "PREREQ: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ANSWER]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "AUTHORITY: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "UPDATE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_AUTHORITY]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, "ADDITIONAL: ");
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_ADDITIONAL]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+	} else if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) {
+		INDENT(style);
+		ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
+		ADD_STRING(target, opcodetext[msg->opcode]);
+		ADD_STRING(target, ", status: ");
+		result = dns_rcode_totext(msg->rcode, target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		ADD_STRING(target, ", id: ");
+		snprintf(buf, sizeof(buf), "%6u", msg->id);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+		INDENT(style);
+		ADD_STRING(target, ";; flags:");
+		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+			ADD_STRING(target, " qr");
+		if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+			ADD_STRING(target, " aa");
+		if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+			ADD_STRING(target, " tc");
+		if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+			ADD_STRING(target, " rd");
+		if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+			ADD_STRING(target, " ra");
+		if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+			ADD_STRING(target, " ad");
+		if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+			ADD_STRING(target, " cd");
+		/*
+		 * The final unnamed flag must be zero.
+		 */
+		if ((msg->flags & 0x0040U) != 0) {
+			INDENT(style);
+			ADD_STRING(target, "; MBZ: 0x4");
+		}
+		if (msg->opcode != dns_opcode_update) {
+			INDENT(style);
+			ADD_STRING(target, "; QUESTION: ");
+		} else {
+			INDENT(style);
+			ADD_STRING(target, "; ZONE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_QUESTION]);
+		ADD_STRING(target, buf);
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, ", ANSWER: ");
+		} else {
+			ADD_STRING(target, ", PREREQ: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			 msg->counts[DNS_SECTION_ANSWER]);
+		ADD_STRING(target, buf);
+		if (msg->opcode != dns_opcode_update) {
+			ADD_STRING(target, ", AUTHORITY: ");
+		} else {
+			ADD_STRING(target, ", UPDATE: ");
+		}
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_AUTHORITY]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, ", ADDITIONAL: ");
+		snprintf(buf, sizeof(buf), "%1u",
+			msg->counts[DNS_SECTION_ADDITIONAL]);
+		ADD_STRING(target, buf);
+		ADD_STRING(target, "\n");
+	}
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_OPT,
+						 style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION,
+					   style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER,
+					   style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY,
+					   style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL,
+					   style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_TSIG,
+						 style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_message_pseudosectiontotext(msg,
+						 DNS_PSEUDOSECTION_SIG0,
+						 style, flags, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+ cleanup:
+	return (result);
+}
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	return (&msg->saved);
+}
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+			 const void *order_arg)
+{
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->order = order;
+	msg->order_arg = order_arg;
+}
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	msg->timeadjust = timeadjust;
+}
+
+int
+dns_message_gettimeadjust(dns_message_t *msg) {
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	return (msg->timeadjust);
+}
+
+isc_result_t
+dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
+
+	REQUIRE(opcode < 16);
+
+	if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode]))
+		return (ISC_R_NOSPACE);
+	isc_buffer_putstr(target, opcodetext[opcode]);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_logpacket(dns_message_t *message, const char *description,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_mem_t *mctx)
+{
+	logfmtpacket(message, description, NULL, category, module,
+		     &dns_master_style_debug, level, mctx);
+}
+
+void
+dns_message_logpacket2(dns_message_t *message,
+		       const char *description, isc_sockaddr_t *address,
+		       isc_logcategory_t *category, isc_logmodule_t *module,
+		       int level, isc_mem_t *mctx)
+{
+	REQUIRE(address != NULL);
+
+	logfmtpacket(message, description, address, category, module,
+		     &dns_master_style_debug, level, mctx);
+}
+
+void
+dns_message_logfmtpacket(dns_message_t *message, const char *description,
+			 isc_logcategory_t *category, isc_logmodule_t *module,
+			 const dns_master_style_t *style, int level,
+			 isc_mem_t *mctx)
+{
+	logfmtpacket(message, description, NULL, category, module, style,
+		     level, mctx);
+}
+
+void
+dns_message_logfmtpacket2(dns_message_t *message,
+			  const char *description, isc_sockaddr_t *address,
+			  isc_logcategory_t *category, isc_logmodule_t *module,
+			  const dns_master_style_t *style, int level,
+			  isc_mem_t *mctx)
+{
+	REQUIRE(address != NULL);
+
+	logfmtpacket(message, description, address, category, module, style,
+		     level, mctx);
+}
+
+static void
+logfmtpacket(dns_message_t *message, const char *description,
+	     isc_sockaddr_t *address, isc_logcategory_t *category,
+	     isc_logmodule_t *module, const dns_master_style_t *style,
+	     int level, isc_mem_t *mctx)
+{
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE] = { 0 };
+	const char *newline = "\n";
+	const char *space = " ";
+	isc_buffer_t buffer;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result;
+
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	/*
+	 * Note that these are multiline debug messages.  We want a newline
+	 * to appear in the log after each message.
+	 */
+
+	if (address != NULL)
+		isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+	else
+		newline = space = "";
+
+	do {
+		buf = isc_mem_get(mctx, len);
+		if (buf == NULL)
+			break;
+		isc_buffer_init(&buffer, buf, len);
+		result = dns_message_totext(message, style, 0, &buffer);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, buf, len);
+			len += 1024;
+		} else if (result == ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, category, module, level,
+				      "%s%s%s%s%.*s", description, space,
+				      addrbuf, newline,
+				      (int)isc_buffer_usedlength(&buffer),
+				      buf);
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL)
+		isc_mem_put(mctx, buf, len);
+}
+
+isc_result_t
+dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
+		     unsigned int version, uint16_t udpsize,
+		     unsigned int flags, dns_ednsopt_t *ednsopts, size_t count)
+{
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_result_t result;
+	unsigned int len = 0, i;
+
+	REQUIRE(DNS_MESSAGE_VALID(message));
+	REQUIRE(rdatasetp != NULL && *rdatasetp == NULL);
+
+	result = dns_message_gettemprdatalist(message, &rdatalist);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_gettemprdata(message, &rdata);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_gettemprdataset(message, &rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rdatalist->type = dns_rdatatype_opt;
+
+	/*
+	 * Set Maximum UDP buffer size.
+	 */
+	rdatalist->rdclass = udpsize;
+
+	/*
+	 * Set EXTENDED-RCODE and Z to 0.
+	 */
+	rdatalist->ttl = (version << 16);
+	rdatalist->ttl |= (flags & 0xffff);
+
+	/*
+	 * Set EDNS options if applicable
+	 */
+	if (count != 0U) {
+		isc_buffer_t *buf = NULL;
+		for (i = 0; i < count; i++)
+			len += ednsopts[i].length + 4;
+
+		if (len > 0xffffU) {
+			result = ISC_R_NOSPACE;
+			goto cleanup;
+		}
+
+		result = isc_buffer_allocate(message->mctx, &buf, len);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		for (i = 0; i < count; i++)  {
+			isc_buffer_putuint16(buf, ednsopts[i].code);
+			isc_buffer_putuint16(buf, ednsopts[i].length);
+			if (ednsopts[i].length != 0) {
+				isc_buffer_putmem(buf, ednsopts[i].value,
+						  ednsopts[i].length);
+			}
+		}
+		rdata->data = isc_buffer_base(buf);
+		rdata->length = len;
+		dns_message_takebuffer(message, &buf);
+	} else {
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
+
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatalist->type;
+	rdata->flags = 0;
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	result = dns_rdatalist_tordataset(rdatalist, rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	*rdatasetp = rdataset;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (rdata != NULL)
+		dns_message_puttemprdata(message, &rdata);
+	if (rdataset != NULL)
+		dns_message_puttemprdataset(message, &rdataset);
+	if (rdatalist != NULL)
+		dns_message_puttemprdatalist(message, &rdatalist);
+	return (result);
+}
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+	REQUIRE(msg->rdclass_set == 0);
+
+	msg->rdclass = rdclass;
+	msg->rdclass_set = 1;
+}
diff --git a/lib/dns/name.c b/lib/dns/name.c
new file mode 100644
index 0000000..66040fb
--- /dev/null
+++ b/lib/dns/name.c
@@ -0,0 +1,2734 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#define VALID_NAME(n)	ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
+
+typedef enum {
+	ft_init = 0,
+	ft_start,
+	ft_ordinary,
+	ft_initialescape,
+	ft_escape,
+	ft_escdecimal,
+	ft_at
+} ft_state;
+
+typedef enum {
+	fw_start = 0,
+	fw_ordinary,
+	fw_newcurrent
+} fw_state;
+
+static char digitvalue[256] = {
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,	/*16*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
+	 0,  1,  2,  3,  4,  5,  6,  7,  8,  9, -1, -1, -1, -1, -1, -1, /*64*/
+	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
+	-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+	-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
+};
+
+static unsigned char maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+#define CONVERTTOASCII(c)
+#define CONVERTFROMASCII(c)
+
+#define INIT_OFFSETS(name, var, default_offsets) \
+	if ((name)->offsets != NULL)		 \
+		var = (name)->offsets;		 \
+	else \
+		var = (default_offsets);
+
+#define SETUP_OFFSETS(name, var, default_offsets) \
+	if ((name)->offsets != NULL)		  \
+		var = (name)->offsets;		  \
+	else { \
+		var = (default_offsets);      \
+		set_offsets(name, var, NULL); \
+	}
+
+/*%
+ * Note:  If additional attributes are added that should not be set for
+ *	  empty names, MAKE_EMPTY() must be changed so it clears them.
+ */
+#define MAKE_EMPTY(name) \
+do { \
+	name->ndata = NULL; \
+	name->length = 0; \
+	name->labels = 0; \
+	name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+} while (0);
+
+/*%
+ * A name is "bindable" if it can be set to point to a new value, i.e.
+ * name->ndata and name->length may be changed.
+ */
+#define BINDABLE(name) \
+	((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
+	 == 0)
+
+/*%
+ * Note that the name data must be a char array, not a string
+ * literal, to avoid compiler warnings about discarding
+ * the const attribute of a string.
+ */
+static unsigned char root_ndata[] = { "" };
+static unsigned char root_offsets[] = { 0 };
+
+static dns_name_t root = DNS_NAME_INITABSOLUTE(root_ndata, root_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
+
+static unsigned char wild_ndata[] = { "\001*" };
+static unsigned char wild_offsets[] = { 0 };
+
+static dns_name_t wild =
+	DNS_NAME_INITNONABSOLUTE(wild_ndata, wild_offsets);
+
+/* XXXDCL make const? */
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
+
+unsigned int
+dns_fullname_hash(dns_name_t *name, bool case_sensitive);
+
+/*
+ * dns_name_t to text post-conversion procedure.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+static int thread_key_initialized = 0;
+static isc_mutex_t thread_key_mutex;
+static isc_mem_t *thread_key_mctx = NULL;
+static isc_thread_key_t totext_filter_proc_key;
+static isc_once_t once = ISC_ONCE_INIT;
+#else
+static dns_name_totextfilter_t totext_filter_proc = NULL;
+#endif
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+	    dns_name_t *set_name);
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets) {
+	/*
+	 * Initialize 'name'.
+	 */
+	DNS_NAME_INIT(name, offsets);
+}
+
+void
+dns_name_reset(dns_name_t *name) {
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(BINDABLE(name));
+
+	DNS_NAME_RESET(name);
+}
+
+void
+dns_name_invalidate(dns_name_t *name) {
+	/*
+	 * Make 'name' invalid.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	name->magic = 0;
+	name->ndata = NULL;
+	name->length = 0;
+	name->labels = 0;
+	name->attributes = 0;
+	name->offsets = NULL;
+	name->buffer = NULL;
+	ISC_LINK_INIT(name, link);
+}
+
+bool
+dns_name_isvalid(const dns_name_t *name) {
+	unsigned char *ndata, *offsets;
+	unsigned int offset, count, length, nlabels;
+
+	if (!VALID_NAME(name))
+		return (false);
+
+	if (name->length > 255U || name->labels > 127U)
+		return (false);
+
+	ndata = name->ndata;
+	length = name->length;
+	offsets = name->offsets;
+	offset = 0;
+	nlabels = 0;
+
+	while (offset != length) {
+		count = *ndata;
+		if (count > 63U)
+			return (false);
+		if (offsets != NULL && offsets[nlabels] != offset)
+			return (false);
+
+		nlabels++;
+		offset += count + 1;
+		ndata += count + 1;
+		if (offset > length)
+			return (false);
+
+		if (count == 0)
+			break;
+	}
+
+	if (nlabels != name->labels || offset != name->length)
+		return (false);
+
+	return (true);
+}
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
+	/*
+	 * Dedicate a buffer for use with 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((buffer != NULL && name->buffer == NULL) ||
+		(buffer == NULL));
+
+	name->buffer = buffer;
+}
+
+bool
+dns_name_hasbuffer(const dns_name_t *name) {
+	/*
+	 * Does 'name' have a dedicated buffer?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	if (name->buffer != NULL)
+		return (true);
+
+	return (false);
+}
+
+bool
+dns_name_isabsolute(const dns_name_t *name) {
+
+	/*
+	 * Does 'name' end in the root label?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	if ((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		return (true);
+	return (false);
+}
+
+#define hyphenchar(c) ((c) == 0x2d)
+#define asterchar(c) ((c) == 0x2a)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
+		      || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
+bool
+dns_name_ismailbox(const dns_name_t *name) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	bool first;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+	/*
+	 * Root label.
+	 */
+	if (name->length == 1)
+		return (true);
+
+	ndata = name->ndata;
+	n = *ndata++;
+	INSIST(n <= 63);
+	while (n--) {
+		ch = *ndata++;
+		if (!domainchar(ch))
+			return (false);
+	}
+
+	if (ndata == name->ndata + name->length)
+		return (false);
+
+	/*
+	 * RFC292/RFC1123 hostname.
+	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n <= 63);
+		first = true;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch))
+					return (false);
+			} else {
+				if (!middlechar(ch))
+					return (false);
+			}
+			first = false;
+		}
+	}
+	return (true);
+}
+
+bool
+dns_name_ishostname(const dns_name_t *name, bool wildcard) {
+	unsigned char *ndata, ch;
+	unsigned int n;
+	bool first;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+	/*
+	 * Root label.
+	 */
+	if (name->length == 1)
+		return (true);
+
+	/*
+	 * Skip wildcard if this is a ownername.
+	 */
+	ndata = name->ndata;
+	if (wildcard && ndata[0] == 1 && ndata[1] == '*')
+		ndata += 2;
+
+	/*
+	 * RFC292/RFC1123 hostname.
+	 */
+	while (ndata < (name->ndata + name->length)) {
+		n = *ndata++;
+		INSIST(n <= 63);
+		first = true;
+		while (n--) {
+			ch = *ndata++;
+			if (first || n == 0) {
+				if (!borderchar(ch))
+					return (false);
+			} else {
+				if (!middlechar(ch))
+					return (false);
+			}
+			first = false;
+		}
+	}
+	return (true);
+}
+
+bool
+dns_name_iswildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+
+	/*
+	 * Is 'name' a wildcard name?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	if (name->length >= 2) {
+		ndata = name->ndata;
+		if (ndata[0] == 1 && ndata[1] == '*')
+			return (true);
+	}
+
+	return (false);
+}
+
+bool
+dns_name_internalwildcard(const dns_name_t *name) {
+	unsigned char *ndata;
+	unsigned int count;
+	unsigned int label;
+
+	/*
+	 * Does 'name' contain a internal wildcard?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+
+	/*
+	 * Skip first label.
+	 */
+	ndata = name->ndata;
+	count = *ndata++;
+	INSIST(count <= 63);
+	ndata += count;
+	label = 1;
+	/*
+	 * Check all but the last of the remaining labels.
+	 */
+	while (label + 1 < name->labels) {
+		count = *ndata++;
+		INSIST(count <= 63);
+		if (count == 1 && *ndata == '*')
+			return (true);
+		ndata += count;
+		label++;
+	}
+	return (false);
+}
+
+unsigned int
+dns_name_hash(dns_name_t *name, bool case_sensitive) {
+	unsigned int length;
+
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0)
+		return (0);
+
+	length = name->length;
+	if (length > 16)
+		length = 16;
+
+	return (isc_hash_function_reverse(name->ndata, length,
+					  case_sensitive, NULL));
+}
+
+unsigned int
+dns_name_fullhash(dns_name_t *name, bool case_sensitive) {
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0)
+		return (0);
+
+	return (isc_hash_function_reverse(name->ndata, name->length,
+					  case_sensitive, NULL));
+}
+
+unsigned int
+dns_fullname_hash(dns_name_t *name, bool case_sensitive) {
+	/*
+	 * This function was deprecated due to the breakage of the name space
+	 * convention.	We only keep this internally to provide binary backward
+	 * compatibility.
+	 */
+	return (dns_name_fullhash(name, case_sensitive));
+}
+
+unsigned int
+dns_name_hashbylabel(dns_name_t *name, bool case_sensitive) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	dns_name_t tname;
+	unsigned int h = 0;
+	unsigned int i;
+
+	/*
+	 * Provide a hash value for 'name'.
+	 */
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels == 0)
+		return (0);
+	else if (name->labels == 1)
+		return (isc_hash_function_reverse(name->ndata, name->length,
+						  case_sensitive, NULL));
+
+	SETUP_OFFSETS(name, offsets, odata);
+	DNS_NAME_INIT(&tname, NULL);
+	tname.labels = 1;
+	h = 0;
+	for (i = 0; i < name->labels; i++) {
+		tname.ndata = name->ndata + offsets[i];
+		if (i == name->labels - 1)
+			tname.length = name->length - offsets[i];
+		else
+			tname.length = offsets[i + 1] - offsets[i];
+		h += isc_hash_function_reverse(tname.ndata, tname.length,
+					       case_sensitive, NULL);
+	}
+
+	return (h);
+}
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+		     int *orderp, unsigned int *nlabelsp)
+{
+	unsigned int l1, l2, l, count1, count2, count, nlabels;
+	int cdiff, ldiff, chdiff;
+	unsigned char *label1, *label2;
+	unsigned char *offsets1, *offsets2;
+	dns_offsets_t odata1, odata2;
+	dns_namereln_t namereln = dns_namereln_none;
+
+	/*
+	 * Determine the relative ordering under the DNSSEC order relation of
+	 * 'name1' and 'name2', and also determine the hierarchical
+	 * relationship of the names.
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	REQUIRE(orderp != NULL);
+	REQUIRE(nlabelsp != NULL);
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (ISC_UNLIKELY(name1 == name2)) {
+		*orderp = 0;
+		*nlabelsp = name1->labels;
+		return (dns_namereln_equal);
+	}
+
+	SETUP_OFFSETS(name1, offsets1, odata1);
+	SETUP_OFFSETS(name2, offsets2, odata2);
+
+	nlabels = 0;
+	l1 = name1->labels;
+	l2 = name2->labels;
+	if (l2 > l1) {
+		l = l1;
+		ldiff = 0 - (l2 - l1);
+	} else {
+		l = l2;
+		ldiff = l1 - l2;
+	}
+
+	offsets1 += l1;
+	offsets2 += l2;
+
+	while (ISC_LIKELY(l > 0)) {
+		l--;
+		offsets1--;
+		offsets2--;
+		label1 = &name1->ndata[*offsets1];
+		label2 = &name2->ndata[*offsets2];
+		count1 = *label1++;
+		count2 = *label2++;
+
+		/*
+		 * We dropped bitstring labels, and we don't support any
+		 * other extended label types.
+		 */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		cdiff = (int)count1 - (int)count2;
+		if (cdiff < 0)
+			count = count1;
+		else
+			count = count2;
+
+		/* Loop unrolled for performance */
+		while (ISC_LIKELY(count > 3)) {
+			chdiff = (int)maptolower[label1[0]] -
+				 (int)maptolower[label2[0]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[1]] -
+				 (int)maptolower[label2[1]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[2]] -
+				 (int)maptolower[label2[2]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			chdiff = (int)maptolower[label1[3]] -
+				 (int)maptolower[label2[3]];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+			count -= 4;
+			label1 += 4;
+			label2 += 4;
+		}
+		while (ISC_LIKELY(count-- > 0)) {
+			chdiff = (int)maptolower[*label1++] -
+				 (int)maptolower[*label2++];
+			if (chdiff != 0) {
+				*orderp = chdiff;
+				goto done;
+			}
+		}
+		if (cdiff != 0) {
+			*orderp = cdiff;
+			goto done;
+		}
+		nlabels++;
+	}
+
+	*orderp = ldiff;
+	if (ldiff < 0)
+		namereln = dns_namereln_contains;
+	else if (ldiff > 0)
+		namereln = dns_namereln_subdomain;
+	else
+		namereln = dns_namereln_equal;
+	*nlabelsp = nlabels;
+	return (namereln);
+
+ done:
+	*nlabelsp = nlabels;
+	if (nlabels > 0)
+		namereln = dns_namereln_commonancestor;
+
+	return (namereln);
+}
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+
+	/*
+	 * Determine the relative ordering under the DNSSEC order relation of
+	 * 'name1' and 'name2'.
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	(void)dns_name_fullcompare(name1, name2, &order, &nlabels);
+
+	return (order);
+}
+
+bool
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
+	unsigned int l, count;
+	unsigned char c;
+	unsigned char *label1, *label2;
+
+	/*
+	 * Are 'name1' and 'name2' equal?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (ISC_UNLIKELY(name1 == name2))
+		return (true);
+
+	if (name1->length != name2->length)
+		return (false);
+
+	l = name1->labels;
+
+	if (l != name2->labels)
+		return (false);
+
+	label1 = name1->ndata;
+	label2 = name2->ndata;
+	while (ISC_LIKELY(l-- > 0)) {
+		count = *label1++;
+		if (count != *label2++)
+			return (false);
+
+		INSIST(count <= 63); /* no bitstring support */
+
+		/* Loop unrolled for performance */
+		while (ISC_LIKELY(count > 3)) {
+			c = maptolower[label1[0]];
+			if (c != maptolower[label2[0]])
+				return (false);
+			c = maptolower[label1[1]];
+			if (c != maptolower[label2[1]])
+				return (false);
+			c = maptolower[label1[2]];
+			if (c != maptolower[label2[2]])
+				return (false);
+			c = maptolower[label1[3]];
+			if (c != maptolower[label2[3]])
+				return (false);
+			count -= 4;
+			label1 += 4;
+			label2 += 4;
+		}
+		while (ISC_LIKELY(count-- > 0)) {
+			c = maptolower[*label1++];
+			if (c != maptolower[*label2++])
+				return (false);
+		}
+	}
+
+	return (true);
+}
+
+bool
+dns_name_caseequal(const dns_name_t *name1, const dns_name_t *name2) {
+
+	/*
+	 * Are 'name1' and 'name2' equal?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(VALID_NAME(name2));
+	/*
+	 * Either name1 is absolute and name2 is absolute, or neither is.
+	 */
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+		(name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+	if (name1->length != name2->length)
+		return (false);
+
+	if (memcmp(name1->ndata, name2->ndata, name1->length) != 0)
+		return (false);
+
+	return (true);
+}
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
+	unsigned int l1, l2, l, count1, count2, count;
+	unsigned char c1, c2;
+	unsigned char *label1, *label2;
+
+	/*
+	 * Compare two absolute names as rdata.
+	 */
+
+	REQUIRE(VALID_NAME(name1));
+	REQUIRE(name1->labels > 0);
+	REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+	REQUIRE(VALID_NAME(name2));
+	REQUIRE(name2->labels > 0);
+	REQUIRE((name2->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+
+	l1 = name1->labels;
+	l2 = name2->labels;
+
+	l = (l1 < l2) ? l1 : l2;
+
+	label1 = name1->ndata;
+	label2 = name2->ndata;
+	while (l > 0) {
+		l--;
+		count1 = *label1++;
+		count2 = *label2++;
+
+		/* no bitstring support */
+		INSIST(count1 <= 63 && count2 <= 63);
+
+		if (count1 != count2)
+			return ((count1 < count2) ? -1 : 1);
+		count = count1;
+		while (count > 0) {
+			count--;
+			c1 = maptolower[*label1++];
+			c2 = maptolower[*label2++];
+			if (c1 < c2)
+				return (-1);
+			else if (c1 > c2)
+				return (1);
+		}
+	}
+
+	/*
+	 * If one name had more labels than the other, their common
+	 * prefix must have been different because the shorter name
+	 * ended with the root label and the longer one can't have
+	 * a root label in the middle of it.  Therefore, if we get
+	 * to this point, the lengths must be equal.
+	 */
+	INSIST(l1 == l2);
+
+	return (0);
+}
+
+bool
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t namereln;
+
+	/*
+	 * Is 'name1' a subdomain of 'name2'?
+	 *
+	 * Note: It makes no sense for one of the names to be relative and the
+	 * other absolute.  If both names are relative, then to be meaningfully
+	 * compared the caller must ensure that they are both relative to the
+	 * same domain.
+	 */
+
+	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
+	if (namereln == dns_namereln_subdomain ||
+	    namereln == dns_namereln_equal)
+		return (true);
+
+	return (false);
+}
+
+bool
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
+	int order;
+	unsigned int nlabels, labels;
+	dns_name_t tname;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(VALID_NAME(wname));
+	labels = wname->labels;
+	REQUIRE(labels > 0);
+	REQUIRE(dns_name_iswildcard(wname));
+
+#if defined(__clang__)  && \
+       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
+	memset(&tname, 0, sizeof(tname));
+#endif
+	DNS_NAME_INIT(&tname, NULL);
+	dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
+	if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
+	    dns_namereln_subdomain)
+		return (true);
+	return (false);
+}
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name) {
+	/*
+	 * How many labels does 'name' have?
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	ENSURE(name->labels <= 128);
+
+	return (name->labels);
+}
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+
+	/*
+	 * Make 'label' refer to the 'n'th least significant label of 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(name->labels > 0);
+	REQUIRE(n < name->labels);
+	REQUIRE(label != NULL);
+
+	SETUP_OFFSETS(name, offsets, odata);
+
+	label->base = &name->ndata[offsets[n]];
+	if (n == name->labels - 1)
+		label->length = name->length - offsets[n];
+	else
+		label->length = offsets[n + 1] - offsets[n];
+}
+
+void
+dns_name_getlabelsequence(const dns_name_t *source,
+			  unsigned int first, unsigned int n,
+			  dns_name_t *target)
+{
+	unsigned char *p, l;
+	unsigned int firstoffset, endoffset;
+	unsigned int i;
+
+	/*
+	 * Make 'target' refer to the 'n' labels including and following
+	 * 'first' in 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(first <= source->labels);
+	REQUIRE(n <= source->labels - first); /* note first+n could overflow */
+	REQUIRE(BINDABLE(target));
+
+	p = source->ndata;
+	if (ISC_UNLIKELY(first == source->labels)) {
+		firstoffset = source->length;
+	} else {
+		for (i = 0; i < first; i++) {
+			l = *p;
+			p += l + 1;
+		}
+		firstoffset = p - source->ndata;
+	}
+
+	if (ISC_LIKELY(first + n == source->labels))
+		endoffset = source->length;
+	else {
+		for (i = 0; i < n; i++) {
+			l = *p;
+			p += l + 1;
+		}
+		endoffset = p - source->ndata;
+	}
+
+	target->ndata = &source->ndata[firstoffset];
+	target->length = endoffset - firstoffset;
+
+	if (first + n == source->labels && n > 0 &&
+	    (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	else
+		target->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+
+	target->labels = n;
+
+	/*
+	 * If source and target are the same, and we're making target
+	 * a prefix of source, the offsets table is correct already
+	 * so we don't need to call set_offsets().
+	 */
+	if (target->offsets != NULL &&
+	    (target != source || first != 0))
+		set_offsets(target, target->offsets, NULL);
+}
+
+void
+dns_name_clone(const dns_name_t *source, dns_name_t *target) {
+
+	/*
+	 * Make 'target' refer to the same name as 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+
+	target->ndata = source->ndata;
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = source->attributes &
+		(unsigned int)~(DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC |
+				DNS_NAMEATTR_DYNOFFSETS);
+	if (target->offsets != NULL && source->labels > 0) {
+		if (source->offsets != NULL)
+			memmove(target->offsets, source->offsets,
+				source->labels);
+		else
+			set_offsets(target, target->offsets, NULL);
+	}
+}
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	unsigned int len;
+	isc_region_t r2;
+
+	/*
+	 * Make 'name' refer to region 'r'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(r != NULL);
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+
+	if (name->buffer != NULL) {
+		isc_buffer_clear(name->buffer);
+		isc_buffer_availableregion(name->buffer, &r2);
+		len = (r->length < r2.length) ? r->length : r2.length;
+		if (len > DNS_NAME_MAXWIRE)
+			len = DNS_NAME_MAXWIRE;
+		if (len != 0)
+			memmove(r2.base, r->base, len);
+		name->ndata = r2.base;
+		name->length = len;
+	} else {
+		name->ndata = r->base;
+		name->length = (r->length <= DNS_NAME_MAXWIRE) ?
+			r->length : DNS_NAME_MAXWIRE;
+	}
+
+	if (r->length > 0)
+		set_offsets(name, offsets, name);
+	else {
+		name->labels = 0;
+		name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+	}
+
+	if (name->buffer != NULL)
+		isc_buffer_add(name->buffer, name->length);
+}
+
+void
+dns_name_toregion(dns_name_t *name, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(r != NULL);
+
+	DNS_NAME_TOREGION(name, r);
+}
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+		  const dns_name_t *origin, unsigned int options,
+		  isc_buffer_t *target)
+{
+	unsigned char *ndata, *label = NULL;
+	char *tdata;
+	char c;
+	ft_state state;
+	unsigned int value = 0, count = 0;
+	unsigned int n1 = 0, n2 = 0;
+	unsigned int tlen, nrem, nused, digits = 0, labels, tused;
+	bool done;
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	bool downcase;
+
+	/*
+	 * Convert the textual representation of a DNS name at source
+	 * into uncompressed wire form stored in target.
+	 *
+	 * Notes:
+	 *	Relative domain names will have 'origin' appended to them
+	 *	unless 'origin' is NULL, in which case relative domain names
+	 *	will remain relative.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(ISC_BUFFER_VALID(source));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+	downcase = (options & DNS_NAME_DOWNCASE);
+
+	if (target == NULL && name->buffer != NULL) {
+		target = name->buffer;
+		isc_buffer_clear(target);
+	}
+
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+	offsets[0] = 0;
+
+	/*
+	 * Make 'name' empty in case of failure.
+	 */
+	MAKE_EMPTY(name);
+
+	/*
+	 * Set up the state machine.
+	 */
+	tdata = (char *)source->base + source->current;
+	tlen = isc_buffer_remaininglength(source);
+	tused = 0;
+	ndata = isc_buffer_used(target);
+	nrem = isc_buffer_availablelength(target);
+	if (nrem > 255)
+		nrem = 255;
+	nused = 0;
+	labels = 0;
+	done = false;
+	state = ft_init;
+
+	while (nrem > 0 && tlen > 0 && !done) {
+		c = *tdata++;
+		tlen--;
+		tused++;
+
+		switch (state) {
+		case ft_init:
+			/*
+			 * Is this the root name?
+			 */
+			if (c == '.') {
+				if (tlen != 0)
+					return (DNS_R_EMPTYLABEL);
+				labels++;
+				*ndata++ = 0;
+				nrem--;
+				nused++;
+				done = true;
+				break;
+			}
+			if (c == '@' && tlen == 0) {
+				state = ft_at;
+				break;
+			}
+
+			/* FALLTHROUGH */
+		case ft_start:
+			label = ndata;
+			ndata++;
+			nrem--;
+			nused++;
+			count = 0;
+			if (c == '\\') {
+				state = ft_initialescape;
+				break;
+			}
+			state = ft_ordinary;
+			if (nrem == 0)
+				return (ISC_R_NOSPACE);
+			/* FALLTHROUGH */
+		case ft_ordinary:
+			if (c == '.') {
+				if (count == 0)
+					return (DNS_R_EMPTYLABEL);
+				*label = count;
+				labels++;
+				INSIST(labels <= 127);
+				offsets[labels] = nused;
+				if (tlen == 0) {
+					labels++;
+					*ndata++ = 0;
+					nrem--;
+					nused++;
+					done = true;
+				}
+				state = ft_start;
+			} else if (c == '\\') {
+				state = ft_escape;
+			} else {
+				if (count >= 63)
+					return (DNS_R_LABELTOOLONG);
+				count++;
+				CONVERTTOASCII(c);
+				if (downcase)
+					c = maptolower[c & 0xff];
+				*ndata++ = c;
+				nrem--;
+				nused++;
+			}
+			break;
+		case ft_initialescape:
+			if (c == '[') {
+				/*
+				 * This looks like a bitstring label, which
+				 * was deprecated.  Intentionally drop it.
+				 */
+				return (DNS_R_BADLABELTYPE);
+			}
+			state = ft_escape;
+			POST(state);
+			/* FALLTHROUGH */
+		case ft_escape:
+			if (!isdigit(c & 0xff)) {
+				if (count >= 63)
+					return (DNS_R_LABELTOOLONG);
+				count++;
+				CONVERTTOASCII(c);
+				if (downcase)
+					c = maptolower[c & 0xff];
+				*ndata++ = c;
+				nrem--;
+				nused++;
+				state = ft_ordinary;
+				break;
+			}
+			digits = 0;
+			value = 0;
+			state = ft_escdecimal;
+			/* FALLTHROUGH */
+		case ft_escdecimal:
+			if (!isdigit(c & 0xff))
+				return (DNS_R_BADESCAPE);
+			value *= 10;
+			value += digitvalue[c & 0xff];
+			digits++;
+			if (digits == 3) {
+				if (value > 255)
+					return (DNS_R_BADESCAPE);
+				if (count >= 63)
+					return (DNS_R_LABELTOOLONG);
+				count++;
+				if (downcase)
+					value = maptolower[value];
+				*ndata++ = value;
+				nrem--;
+				nused++;
+				state = ft_ordinary;
+			}
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected state %d", state);
+			/* Does not return. */
+		}
+	}
+
+	if (!done) {
+		if (nrem == 0)
+			return (ISC_R_NOSPACE);
+		INSIST(tlen == 0);
+		if (state != ft_ordinary && state != ft_at)
+			return (ISC_R_UNEXPECTEDEND);
+		if (state == ft_ordinary) {
+			INSIST(count != 0);
+			*label = count;
+			labels++;
+			INSIST(labels <= 127);
+			offsets[labels] = nused;
+		}
+		if (origin != NULL) {
+			if (nrem < origin->length)
+				return (ISC_R_NOSPACE);
+			label = origin->ndata;
+			n1 = origin->length;
+			nrem -= n1;
+			POST(nrem);
+			while (n1 > 0) {
+				n2 = *label++;
+				INSIST(n2 <= 63); /* no bitstring support */
+				*ndata++ = n2;
+				n1 -= n2 + 1;
+				nused += n2 + 1;
+				while (n2 > 0) {
+					c = *label++;
+					if (downcase)
+						c = maptolower[c & 0xff];
+					*ndata++ = c;
+					n2--;
+				}
+				labels++;
+				if (n1 > 0) {
+					INSIST(labels <= 127);
+					offsets[labels] = nused;
+				}
+			}
+			if ((origin->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+				name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+		}
+	} else
+		name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+
+	name->ndata = (unsigned char *)target->base + target->used;
+	name->labels = labels;
+	name->length = nused;
+
+	isc_buffer_forward(source, tused);
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static void
+free_specific(void *arg) {
+	dns_name_totextfilter_t *mem = arg;
+	isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+	/* Stop use being called again. */
+	(void)isc_thread_key_setspecific(totext_filter_proc_key, NULL);
+}
+
+static void
+thread_key_mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_filter_proc_key_init(void) {
+	isc_result_t result;
+
+	/*
+	 * We need the call to isc_once_do() to support profiled mutex
+	 * otherwise thread_key_mutex could be initialized at compile time.
+	 */
+	result = isc_once_do(&once, thread_key_mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!thread_key_initialized) {
+		LOCK(&thread_key_mutex);
+		if (thread_key_mctx == NULL)
+			result = isc_mem_create2(0, 0, &thread_key_mctx, 0);
+		if (result != ISC_R_SUCCESS)
+			goto unlock;
+		isc_mem_setname(thread_key_mctx, "threadkey", NULL);
+		isc_mem_setdestroycheck(thread_key_mctx, false);
+
+		if (!thread_key_initialized &&
+		     isc_thread_key_create(&totext_filter_proc_key,
+					   free_specific) != 0) {
+			result = ISC_R_FAILURE;
+			isc_mem_detach(&thread_key_mctx);
+		} else
+			thread_key_initialized = 1;
+ unlock:
+		UNLOCK(&thread_key_mutex);
+	}
+	return (result);
+}
+#endif
+
+isc_result_t
+dns_name_totext(const dns_name_t *name, bool omit_final_dot,
+		isc_buffer_t *target)
+{
+	unsigned int options = DNS_NAME_MASTERFILE;
+
+	if (omit_final_dot)
+		options |= DNS_NAME_OMITFINALDOT;
+	return (dns_name_totext2(name, options, target));
+}
+
+isc_result_t
+dns_name_toprincipal(const dns_name_t *name, isc_buffer_t *target) {
+	return (dns_name_totext2(name, DNS_NAME_OMITFINALDOT, target));
+}
+
+isc_result_t
+dns_name_totext2(const dns_name_t *name, unsigned int options,
+		 isc_buffer_t *target)
+{
+	unsigned char *ndata;
+	char *tdata;
+	unsigned int nlen, tlen;
+	unsigned char c;
+	unsigned int trem, count;
+	unsigned int labels;
+	bool saw_root = false;
+	unsigned int oused = target->used;
+#ifdef ISC_PLATFORM_USETHREADS
+	dns_name_totextfilter_t *mem;
+	dns_name_totextfilter_t totext_filter_proc = NULL;
+	isc_result_t result;
+#endif
+	bool omit_final_dot = (options & DNS_NAME_OMITFINALDOT);
+
+	/*
+	 * This function assumes the name is in proper uncompressed
+	 * wire format.
+	 */
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+#ifdef ISC_PLATFORM_USETHREADS
+	result = totext_filter_proc_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+#endif
+	ndata = name->ndata;
+	nlen = name->length;
+	labels = name->labels;
+	tdata = isc_buffer_used(target);
+	tlen = isc_buffer_availablelength(target);
+
+	trem = tlen;
+
+	if (labels == 0 && nlen == 0) {
+		/*
+		 * Special handling for an empty name.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+
+		/*
+		 * The names of these booleans are misleading in this case.
+		 * This empty name is not necessarily from the root node of
+		 * the DNS root zone, nor is a final dot going to be included.
+		 * They need to be set this way, though, to keep the "@"
+		 * from being trounced.
+		 */
+		saw_root = true;
+		omit_final_dot = false;
+		*tdata++ = '@';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	} else if (nlen == 1 && labels == 1 && *ndata == '\0') {
+		/*
+		 * Special handling for the root label.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+
+		saw_root = true;
+		omit_final_dot = false;
+		*tdata++ = '.';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	}
+
+	while (labels > 0 && nlen > 0 && trem > 0) {
+		labels--;
+		count = *ndata++;
+		nlen--;
+		if (count == 0) {
+			saw_root = true;
+			break;
+		}
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				c = *ndata;
+				switch (c) {
+				/* Special modifiers in zone files. */
+				case 0x40: /* '@' */
+				case 0x24: /* '$' */
+					if ((options & DNS_NAME_MASTERFILE) == 0)
+						goto no_escape;
+					/* FALLTHROUGH */
+				case 0x22: /* '"' */
+				case 0x28: /* '(' */
+				case 0x29: /* ')' */
+				case 0x2E: /* '.' */
+				case 0x3B: /* ';' */
+				case 0x5C: /* '\\' */
+					if (trem < 2)
+						return (ISC_R_NOSPACE);
+					*tdata++ = '\\';
+					CONVERTFROMASCII(c);
+					*tdata++ = c;
+					ndata++;
+					trem -= 2;
+					nlen--;
+					break;
+				no_escape:
+				default:
+					if (c > 0x20 && c < 0x7f) {
+						if (trem == 0)
+							return (ISC_R_NOSPACE);
+						CONVERTFROMASCII(c);
+						*tdata++ = c;
+						ndata++;
+						trem--;
+						nlen--;
+					} else {
+						if (trem < 4)
+							return (ISC_R_NOSPACE);
+						*tdata++ = 0x5c;
+						*tdata++ = 0x30 +
+							   ((c / 100) % 10);
+						*tdata++ = 0x30 +
+							   ((c / 10) % 10);
+						*tdata++ = 0x30 + (c % 10);
+						trem -= 4;
+						ndata++;
+						nlen--;
+					}
+				}
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			/* NOTREACHED */
+		}
+
+		/*
+		 * The following assumes names are absolute.  If not, we
+		 * fix things up later.  Note that this means that in some
+		 * cases one more byte of text buffer is required than is
+		 * needed in the final output.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+		*tdata++ = '.';
+		trem--;
+	}
+
+	if (nlen != 0 && trem == 0)
+		return (ISC_R_NOSPACE);
+
+	if (!saw_root || omit_final_dot) {
+		trem++;
+		tdata--;
+	}
+	if (trem > 0) {
+		*tdata = 0;
+	}
+	isc_buffer_add(target, tlen - trem);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	mem = isc_thread_key_getspecific(totext_filter_proc_key);
+	if (mem != NULL)
+		totext_filter_proc = *mem;
+#endif
+	if (totext_filter_proc != NULL)
+		return ((*totext_filter_proc)(target, oused, saw_root));
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, bool omit_final_dot,
+			isc_buffer_t *target)
+{
+	unsigned char *ndata;
+	char *tdata;
+	unsigned int nlen, tlen;
+	unsigned char c;
+	unsigned int trem, count;
+	unsigned int labels;
+
+	/*
+	 * This function assumes the name is in proper uncompressed
+	 * wire format.
+	 */
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	ndata = name->ndata;
+	nlen = name->length;
+	labels = name->labels;
+	tdata = isc_buffer_used(target);
+	tlen = isc_buffer_availablelength(target);
+
+	trem = tlen;
+
+	if (nlen == 1 && labels == 1 && *ndata == '\0') {
+		/*
+		 * Special handling for the root label.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+
+		omit_final_dot = false;
+		*tdata++ = '.';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	}
+
+	while (labels > 0 && nlen > 0 && trem > 0) {
+		labels--;
+		count = *ndata++;
+		nlen--;
+		if (count == 0)
+			break;
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				c = *ndata;
+				if ((c >= 0x30 && c <= 0x39) || /* digit */
+				    (c >= 0x41 && c <= 0x5A) ||	/* uppercase */
+				    (c >= 0x61 && c <= 0x7A) || /* lowercase */
+				    c == 0x2D ||		/* hyphen */
+				    c == 0x5F)			/* underscore */
+				{
+					if (trem == 0)
+						return (ISC_R_NOSPACE);
+					/* downcase */
+					if (c >= 0x41 && c <= 0x5A)
+						c += 0x20;
+					CONVERTFROMASCII(c);
+					*tdata++ = c;
+					ndata++;
+					trem--;
+					nlen--;
+				} else {
+					if (trem < 4)
+						return (ISC_R_NOSPACE);
+					snprintf(tdata, trem, "%%%02X", c);
+					tdata += 3;
+					trem -= 3;
+					ndata++;
+					nlen--;
+				}
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			/* NOTREACHED */
+		}
+
+		/*
+		 * The following assumes names are absolute.  If not, we
+		 * fix things up later.  Note that this means that in some
+		 * cases one more byte of text buffer is required than is
+		 * needed in the final output.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+		*tdata++ = '.';
+		trem--;
+	}
+
+	if (nlen != 0 && trem == 0)
+		return (ISC_R_NOSPACE);
+
+	if (omit_final_dot)
+		trem++;
+
+	isc_buffer_add(target, tlen - trem);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
+	unsigned char *sndata, *ndata;
+	unsigned int nlen, count, labels;
+	isc_buffer_t buffer;
+
+	/*
+	 * Downcase 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(name));
+	if (source == name) {
+		REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
+		isc_buffer_init(&buffer, source->ndata, source->length);
+		target = &buffer;
+		ndata = source->ndata;
+	} else {
+		REQUIRE(BINDABLE(name));
+		REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+			(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+		if (target == NULL) {
+			target = name->buffer;
+			isc_buffer_clear(name->buffer);
+		}
+		ndata = (unsigned char *)target->base + target->used;
+		name->ndata = ndata;
+	}
+
+	sndata = source->ndata;
+	nlen = source->length;
+	labels = source->labels;
+
+	if (nlen > (target->length - target->used)) {
+		MAKE_EMPTY(name);
+		return (ISC_R_NOSPACE);
+	}
+
+	while (labels > 0 && nlen > 0) {
+		labels--;
+		count = *sndata++;
+		*ndata++ = count;
+		nlen--;
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				*ndata++ = maptolower[(*sndata++)];
+				nlen--;
+				count--;
+			}
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			/* Does not return. */
+		}
+	}
+
+	if (source != name) {
+		name->labels = source->labels;
+		name->length = source->length;
+		if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+			name->attributes = DNS_NAMEATTR_ABSOLUTE;
+		else
+			name->attributes = 0;
+		if (name->labels > 0 && name->offsets != NULL)
+			set_offsets(name, name->offsets, NULL);
+	}
+
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+	    dns_name_t *set_name)
+{
+	unsigned int offset, count, length, nlabels;
+	unsigned char *ndata;
+	bool absolute;
+
+	ndata = name->ndata;
+	length = name->length;
+	offset = 0;
+	nlabels = 0;
+	absolute = false;
+	while (ISC_LIKELY(offset != length)) {
+		INSIST(nlabels < 128);
+		offsets[nlabels++] = offset;
+		count = *ndata;
+		INSIST(count <= 63);
+		offset += count + 1;
+		ndata += count + 1;
+		INSIST(offset <= length);
+		if (ISC_UNLIKELY(count == 0)) {
+			absolute = true;
+			break;
+		}
+	}
+	if (set_name != NULL) {
+		INSIST(set_name == name);
+
+		set_name->labels = nlabels;
+		set_name->length = offset;
+		if (absolute)
+			set_name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+		else
+			set_name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+	}
+	INSIST(nlabels == name->labels);
+	INSIST(offset == name->length);
+}
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+		  dns_decompress_t *dctx, unsigned int options,
+		  isc_buffer_t *target)
+{
+	unsigned char *cdata, *ndata;
+	unsigned int cused; /* Bytes of compressed name data used */
+	unsigned int nused, labels, n, nmax;
+	unsigned int current, new_current, biggest_pointer;
+	bool done;
+	fw_state state = fw_start;
+	unsigned int c;
+	unsigned char *offsets;
+	dns_offsets_t odata;
+	bool downcase;
+	bool seen_pointer;
+
+	/*
+	 * Copy the possibly-compressed name at source into target,
+	 * decompressing it.  Loop prevention is performed by checking
+	 * the new pointer against biggest_pointer.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+	downcase = (options & DNS_NAME_DOWNCASE);
+
+	if (target == NULL && name->buffer != NULL) {
+		target = name->buffer;
+		isc_buffer_clear(target);
+	}
+
+	REQUIRE(dctx != NULL);
+	REQUIRE(BINDABLE(name));
+
+	INIT_OFFSETS(name, offsets, odata);
+
+	/*
+	 * Make 'name' empty in case of failure.
+	 */
+	MAKE_EMPTY(name);
+
+	/*
+	 * Initialize things to make the compiler happy; they're not required.
+	 */
+	n = 0;
+	new_current = 0;
+
+	/*
+	 * Set up.
+	 */
+	labels = 0;
+	done = false;
+
+	ndata = isc_buffer_used(target);
+	nused = 0;
+	seen_pointer = false;
+
+	/*
+	 * Find the maximum number of uncompressed target name
+	 * bytes we are willing to generate.  This is the smaller
+	 * of the available target buffer length and the
+	 * maximum legal domain name length (255).
+	 */
+	nmax = isc_buffer_availablelength(target);
+	if (nmax > DNS_NAME_MAXWIRE)
+		nmax = DNS_NAME_MAXWIRE;
+
+	cdata = isc_buffer_current(source);
+	cused = 0;
+
+	current = source->current;
+	biggest_pointer = current;
+
+	/*
+	 * Note:  The following code is not optimized for speed, but
+	 * rather for correctness.  Speed will be addressed in the future.
+	 */
+
+	while (current < source->active && !done) {
+		c = *cdata++;
+		current++;
+		if (!seen_pointer)
+			cused++;
+
+		switch (state) {
+		case fw_start:
+			if (c < 64) {
+				offsets[labels] = nused;
+				labels++;
+				if (nused + c + 1 > nmax)
+					goto full;
+				nused += c + 1;
+				*ndata++ = c;
+				if (c == 0)
+					done = true;
+				n = c;
+				state = fw_ordinary;
+			} else if (c >= 128 && c < 192) {
+				/*
+				 * 14 bit local compression pointer.
+				 * Local compression is no longer an
+				 * IETF draft.
+				 */
+				return (DNS_R_BADLABELTYPE);
+			} else if (c >= 192) {
+				/*
+				 * Ordinary 14-bit pointer.
+				 */
+				if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
+				    0)
+					return (DNS_R_DISALLOWED);
+				new_current = c & 0x3F;
+				state = fw_newcurrent;
+			} else
+				return (DNS_R_BADLABELTYPE);
+			break;
+		case fw_ordinary:
+			if (downcase)
+				c = maptolower[c];
+			*ndata++ = c;
+			n--;
+			if (n == 0)
+				state = fw_start;
+			break;
+		case fw_newcurrent:
+			new_current *= 256;
+			new_current += c;
+			if (new_current >= biggest_pointer)
+				return (DNS_R_BADPOINTER);
+			biggest_pointer = new_current;
+			current = new_current;
+			cdata = (unsigned char *)source->base + current;
+			seen_pointer = true;
+			state = fw_start;
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unknown state %d", state);
+			/* Does not return. */
+		}
+	}
+
+	if (!done)
+		return (ISC_R_UNEXPECTEDEND);
+
+	name->ndata = (unsigned char *)target->base + target->used;
+	name->labels = labels;
+	name->length = nused;
+	name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+
+	isc_buffer_forward(source, cused);
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+
+ full:
+	if (nmax == DNS_NAME_MAXWIRE)
+		/*
+		 * The name did not fit even though we had a buffer
+		 * big enough to fit a maximum-length name.
+		 */
+		return (DNS_R_NAMETOOLONG);
+	else
+		/*
+		 * The name might fit if only the caller could give us a
+		 * big enough buffer.
+		 */
+		return (ISC_R_NOSPACE);
+}
+
+isc_result_t
+dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
+		isc_buffer_t *target)
+{
+	unsigned int methods;
+	uint16_t offset;
+	dns_name_t gp;	/* Global compression prefix */
+	bool gf;	/* Global compression target found */
+	uint16_t go;	/* Global compression offset */
+	dns_offsets_t clo;
+	dns_name_t clname;
+
+	/*
+	 * Convert 'name' into wire format, compressing it as specified by the
+	 * compression context 'cctx', and storing the result in 'target'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(cctx != NULL);
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	/*
+	 * If 'name' doesn't have an offsets table, make a clone which
+	 * has one.
+	 */
+	if (name->offsets == NULL) {
+#if defined(__clang__)  && \
+       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
+		memset(&clname, 0, sizeof(clname));
+#endif
+		DNS_NAME_INIT(&clname, clo);
+		dns_name_clone(name, &clname);
+		name = &clname;
+	}
+	DNS_NAME_INIT(&gp, NULL);
+
+	offset = target->used;	/*XXX*/
+
+	methods = dns_compress_getmethods(cctx);
+
+	if ((name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
+	    (methods & DNS_COMPRESS_GLOBAL14) != 0)
+		gf = dns_compress_findglobal(cctx, name, &gp, &go);
+	else
+		gf = false;
+
+	/*
+	 * If the offset is too high for 14 bit global compression, we're
+	 * out of luck.
+	 */
+	if (gf && go >= 0x4000)
+		gf = false;
+
+	/*
+	 * Will the compression pointer reduce the message size?
+	 */
+	if (gf && (gp.length + 2) >= name->length)
+		gf = false;
+
+	if (gf) {
+		if (target->length - target->used < gp.length)
+			return (ISC_R_NOSPACE);
+		if (gp.length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, gp.ndata,
+				      (size_t)gp.length);
+		}
+		isc_buffer_add(target, gp.length);
+		go |= 0xc000;
+		if (target->length - target->used < 2)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint16(target, go);
+		if (gp.length != 0)
+			dns_compress_add(cctx, name, &gp, offset);
+	} else {
+		if (target->length - target->used < name->length)
+			return (ISC_R_NOSPACE);
+		if (name->length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, name->ndata,
+				      (size_t)name->length);
+		}
+		isc_buffer_add(target, name->length);
+		dns_compress_add(cctx, name, name, offset);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
+		     isc_buffer_t *target)
+{
+	unsigned char *ndata, *offsets;
+	unsigned int nrem, labels, prefix_length, length;
+	bool copy_prefix = true;
+	bool copy_suffix = true;
+	bool absolute = false;
+	dns_name_t tmp_name;
+	dns_offsets_t odata;
+
+	/*
+	 * Concatenate 'prefix' and 'suffix'.
+	 */
+
+	REQUIRE(prefix == NULL || VALID_NAME(prefix));
+	REQUIRE(suffix == NULL || VALID_NAME(suffix));
+	REQUIRE(name == NULL || VALID_NAME(name));
+	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+		(target == NULL && name != NULL && ISC_BUFFER_VALID(name->buffer)));
+	if (prefix == NULL || prefix->labels == 0)
+		copy_prefix = false;
+	if (suffix == NULL || suffix->labels == 0)
+		copy_suffix = false;
+	if (copy_prefix &&
+	    (prefix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+		absolute = true;
+		REQUIRE(!copy_suffix);
+	}
+	if (name == NULL) {
+		DNS_NAME_INIT(&tmp_name, odata);
+		name = &tmp_name;
+	}
+	if (target == NULL) {
+		INSIST(name->buffer != NULL);
+		target = name->buffer;
+		isc_buffer_clear(name->buffer);
+	}
+
+	REQUIRE(BINDABLE(name));
+
+	/*
+	 * Set up.
+	 */
+	nrem = target->length - target->used;
+	ndata = (unsigned char *)target->base + target->used;
+	if (nrem > DNS_NAME_MAXWIRE)
+		nrem = DNS_NAME_MAXWIRE;
+	length = 0;
+	prefix_length = 0;
+	labels = 0;
+	if (copy_prefix) {
+		prefix_length = prefix->length;
+		length += prefix_length;
+		labels += prefix->labels;
+	}
+	if (copy_suffix) {
+		length += suffix->length;
+		labels += suffix->labels;
+	}
+	if (length > DNS_NAME_MAXWIRE) {
+		MAKE_EMPTY(name);
+		return (DNS_R_NAMETOOLONG);
+	}
+	if (length > nrem) {
+		MAKE_EMPTY(name);
+		return (ISC_R_NOSPACE);
+	}
+
+	if (copy_suffix) {
+		if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+			absolute = true;
+		memmove(ndata + prefix_length, suffix->ndata, suffix->length);
+	}
+
+	/*
+	 * If 'prefix' and 'name' are the same object, and the object has
+	 * a dedicated buffer, and we're using it, then we don't have to
+	 * copy anything.
+	 */
+	if (copy_prefix && (prefix != name || prefix->buffer != target))
+		memmove(ndata, prefix->ndata, prefix_length);
+
+	name->ndata = ndata;
+	name->labels = labels;
+	name->length = length;
+	if (absolute)
+		name->attributes = DNS_NAMEATTR_ABSOLUTE;
+	else
+		name->attributes = 0;
+
+	if (name->labels > 0 && name->offsets != NULL) {
+		INIT_OFFSETS(name, offsets, odata);
+		set_offsets(name, offsets, NULL);
+	}
+
+	isc_buffer_add(target, name->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
+	       dns_name_t *prefix, dns_name_t *suffix)
+
+{
+	unsigned int splitlabel;
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(suffixlabels > 0);
+	REQUIRE(suffixlabels <= name->labels);
+	REQUIRE(prefix != NULL || suffix != NULL);
+	REQUIRE(prefix == NULL ||
+		(VALID_NAME(prefix) &&
+		 BINDABLE(prefix)));
+	REQUIRE(suffix == NULL ||
+		(VALID_NAME(suffix) &&
+		 BINDABLE(suffix)));
+
+	splitlabel = name->labels - suffixlabels;
+
+	if (prefix != NULL)
+		dns_name_getlabelsequence(name, 0, splitlabel, prefix);
+
+	if (suffix != NULL)
+		dns_name_getlabelsequence(name, splitlabel,
+					  suffixlabels, suffix);
+
+	return;
+}
+
+isc_result_t
+dns_name_dup(const dns_name_t *source, isc_mem_t *mctx,
+	     dns_name_t *target)
+{
+	/*
+	 * Make 'target' a dynamically allocated copy of 'source'.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(source->length > 0);
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+
+	/*
+	 * Make 'target' empty in case of failure.
+	 */
+	MAKE_EMPTY(target);
+
+	target->ndata = isc_mem_get(mctx, source->length);
+	if (target->ndata == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memmove(target->ndata, source->ndata, source->length);
+
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = DNS_NAMEATTR_DYNAMIC;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	if (target->offsets != NULL) {
+		if (source->offsets != NULL)
+			memmove(target->offsets, source->offsets,
+				source->labels);
+		else
+			set_offsets(target, target->offsets, NULL);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+			dns_name_t *target)
+{
+	/*
+	 * Make 'target' a read-only dynamically allocated copy of 'source'.
+	 * 'target' will also have a dynamically allocated offsets table.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(source->length > 0);
+	REQUIRE(VALID_NAME(target));
+	REQUIRE(BINDABLE(target));
+	REQUIRE(target->offsets == NULL);
+
+	/*
+	 * Make 'target' empty in case of failure.
+	 */
+	MAKE_EMPTY(target);
+
+	target->ndata = isc_mem_get(mctx, source->length + source->labels);
+	if (target->ndata == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memmove(target->ndata, source->ndata, source->length);
+
+	target->length = source->length;
+	target->labels = source->labels;
+	target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
+		DNS_NAMEATTR_READONLY;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+	target->offsets = target->ndata + source->length;
+	if (source->offsets != NULL)
+		memmove(target->offsets, source->offsets, source->labels);
+	else
+		set_offsets(target, target->offsets, NULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
+	size_t size;
+
+	/*
+	 * Free 'name'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
+
+	size = name->length;
+	if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0)
+		size += name->labels;
+	isc_mem_put(mctx, name->ndata, size);
+	dns_name_invalidate(name);
+}
+
+isc_result_t
+dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg) {
+	dns_name_t downname;
+	unsigned char data[256];
+	isc_buffer_t buffer;
+	isc_result_t result;
+	isc_region_t r;
+
+	/*
+	 * Send 'name' in DNSSEC canonical form to 'digest'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(digest != NULL);
+
+#if defined(__clang__)  && \
+       ( __clang_major__ < 3 || (__clang_major__ == 3 && __clang_minor__ < 2))
+	memset(&downname, 0, sizeof(downname));
+#endif
+	DNS_NAME_INIT(&downname, NULL);
+
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	result = dns_name_downcase(name, &downname, &buffer);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_usedregion(&buffer, &r);
+
+	return ((digest)(arg, &r));
+}
+
+bool
+dns_name_dynamic(dns_name_t *name) {
+	REQUIRE(VALID_NAME(name));
+
+	/*
+	 * Returns whether there is dynamic memory associated with this name.
+	 */
+
+	return ((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0 ?
+		true : false);
+}
+
+isc_result_t
+dns_name_print(dns_name_t *name, FILE *stream) {
+	isc_result_t result;
+	isc_buffer_t b;
+	isc_region_t r;
+	char t[1024];
+
+	/*
+	 * Print 'name' on 'stream'.
+	 */
+
+	REQUIRE(VALID_NAME(name));
+
+	isc_buffer_init(&b, t, sizeof(t));
+	result = dns_name_totext(name, false, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&b, &r);
+	fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_settotextfilter(dns_name_totextfilter_t proc) {
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_result_t result;
+	dns_name_totextfilter_t *mem;
+	int res;
+
+	result = totext_filter_proc_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * If we already have been here set / clear as appropriate.
+	 * Otherwise allocate memory.
+	 */
+	mem = isc_thread_key_getspecific(totext_filter_proc_key);
+	if (mem != NULL && proc != NULL) {
+		*mem = proc;
+		return (ISC_R_SUCCESS);
+	}
+	if (proc == NULL) {
+		if (mem != NULL)
+			isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+		res = isc_thread_key_setspecific(totext_filter_proc_key, NULL);
+		if (res != 0)
+			result = ISC_R_UNEXPECTED;
+		return (result);
+	}
+
+	mem = isc_mem_get(thread_key_mctx, sizeof(*mem));
+	if (mem == NULL)
+		return (ISC_R_NOMEMORY);
+	*mem = proc;
+	if (isc_thread_key_setspecific(totext_filter_proc_key, mem) != 0) {
+		isc_mem_put(thread_key_mctx, mem, sizeof(*mem));
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+#else
+	totext_filter_proc = proc;
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+void
+dns_name_format(const dns_name_t *name, char *cp, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	REQUIRE(size > 0);
+
+	/*
+	 * Leave room for null termination after buffer.
+	 */
+	isc_buffer_init(&buf, cp, size - 1);
+	result = dns_name_totext(name, true, &buf);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Null terminate.
+		 */
+		isc_region_t r;
+		isc_buffer_usedregion(&buf, &r);
+		((char *) r.base)[r.length] = '\0';
+
+	} else
+		snprintf(cp, size, "<unknown>");
+}
+
+/*
+ * dns_name_tostring() -- similar to dns_name_format() but allocates its own
+ * memory.
+ */
+isc_result_t
+dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
+	isc_result_t result;
+	isc_buffer_t buf;
+	isc_region_t reg;
+	char *p, txt[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(VALID_NAME(name));
+	REQUIRE(target != NULL && *target == NULL);
+
+	isc_buffer_init(&buf, txt, sizeof(txt));
+	result = dns_name_totext(name, false, &buf);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_usedregion(&buf, &reg);
+	p = isc_mem_allocate(mctx, reg.length + 1);
+	if (p == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(p, (char *) reg.base, (int) reg.length);
+	p[reg.length] = '\0';
+
+	*target = p;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * dns_name_fromstring() -- convert directly from a string to a name,
+ * allocating memory as needed
+ */
+isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src, unsigned int options,
+		    isc_mem_t *mctx)
+{
+	return (dns_name_fromstring2(target, src, dns_rootname, options, mctx));
+}
+
+isc_result_t
+dns_name_fromstring2(dns_name_t *target, const char *src,
+		     const dns_name_t *origin, unsigned int options,
+		     isc_mem_t *mctx)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fn;
+	dns_name_t *name;
+
+	REQUIRE(src != NULL);
+
+	isc_buffer_constinit(&buf, src, strlen(src));
+	isc_buffer_add(&buf, strlen(src));
+	if (BINDABLE(target) && target->buffer != NULL)
+		name = target;
+	else {
+		name = dns_fixedname_initname(&fn);
+	}
+
+	result = dns_name_fromtext(name, &buf, origin, options, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (name != target)
+		result = dns_name_dupwithoffsets(name, mctx, target);
+	return (result);
+}
+
+isc_result_t
+dns_name_copy(const dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
+	unsigned char *ndata;
+
+	/*
+	 * Make dest a copy of source.
+	 */
+
+	REQUIRE(VALID_NAME(source));
+	REQUIRE(VALID_NAME(dest));
+	REQUIRE(target != NULL || dest->buffer != NULL);
+
+	if (target == NULL) {
+		target = dest->buffer;
+		isc_buffer_clear(dest->buffer);
+	}
+
+	REQUIRE(BINDABLE(dest));
+
+	/*
+	 * Set up.
+	 */
+	if (target->length - target->used < source->length)
+		return (ISC_R_NOSPACE);
+
+	ndata = (unsigned char *)target->base + target->used;
+	dest->ndata = target->base;
+
+	if (source->length != 0)
+		memmove(ndata, source->ndata, source->length);
+
+	dest->ndata = ndata;
+	dest->labels = source->labels;
+	dest->length = source->length;
+	if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+		dest->attributes = DNS_NAMEATTR_ABSOLUTE;
+	else
+		dest->attributes = 0;
+
+	if (dest->labels > 0 && dest->offsets != NULL) {
+		if (source->offsets != NULL)
+			memmove(dest->offsets, source->offsets, source->labels);
+		else
+			set_offsets(dest, dest->offsets, NULL);
+	}
+
+	isc_buffer_add(target, dest->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_destroy(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+	RUNTIME_CHECK(isc_once_do(&once, thread_key_mutex_init)
+				  == ISC_R_SUCCESS);
+
+	LOCK(&thread_key_mutex);
+	if (thread_key_initialized) {
+		isc_mem_detach(&thread_key_mctx);
+		isc_thread_key_delete(totext_filter_proc_key);
+		thread_key_initialized = 0;
+	}
+	UNLOCK(&thread_key_mutex);
+
+#endif
+}
+
+/*
+ * Service Discovery Prefixes RFC 6763.
+ */
+static unsigned char b_dns_sd_udp_data[]  = "\001b\007_dns-sd\004_udp";
+static unsigned char b_dns_sd_udp_offsets[] = { 0, 2, 10 };
+static unsigned char db_dns_sd_udp_data[]  = "\002db\007_dns-sd\004_udp";
+static unsigned char db_dns_sd_udp_offsets[] = { 0, 3, 11 };
+static unsigned char r_dns_sd_udp_data[]  = "\001r\007_dns-sd\004_udp";
+static unsigned char r_dns_sd_udp_offsets[] = { 0, 2, 10 };
+static unsigned char dr_dns_sd_udp_data[]  = "\002dr\007_dns-sd\004_udp";
+static unsigned char dr_dns_sd_udp_offsets[] = { 0, 3, 11 };
+static unsigned char lb_dns_sd_udp_data[]  = "\002lb\007_dns-sd\004_udp";
+static unsigned char lb_dns_sd_udp_offsets[] = { 0, 3, 11 };
+
+static dns_name_t const dns_sd[] = {
+	DNS_NAME_INITNONABSOLUTE(b_dns_sd_udp_data, b_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(db_dns_sd_udp_data, db_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(r_dns_sd_udp_data, r_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(dr_dns_sd_udp_data, dr_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(lb_dns_sd_udp_data, lb_dns_sd_udp_offsets)
+};
+
+bool
+dns_name_isdnssd(const dns_name_t *name) {
+	size_t i;
+	dns_name_t prefix;
+
+	if (dns_name_countlabels(name) > 3U) {
+		dns_name_init(&prefix, NULL);
+		dns_name_getlabelsequence(name, 0, 3, &prefix);
+		for (i = 0; i < (sizeof(dns_sd)/sizeof(dns_sd[0])); i++)
+			if (dns_name_equal(&prefix, &dns_sd[i]))
+				return (true);
+	}
+
+	return (false);
+}
+
+static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
+static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
+static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
+
+static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
+static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
+
+static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
+
+static dns_name_t const rfc1918names[] = {
+	DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets)
+};
+
+bool
+dns_name_isrfc1918(const dns_name_t *name) {
+	size_t i;
+
+	for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++)
+		if (dns_name_issubdomain(name, &rfc1918names[i]))
+			return (true);
+	return (false);
+}
+
+static unsigned char ulaoffsets[] = { 0, 2, 4, 8, 13 };
+static unsigned char ip6fc[] = "\001c\001f\003ip6\004ARPA";
+static unsigned char ip6fd[] = "\001d\001f\003ip6\004ARPA";
+
+static dns_name_t const ulanames[] = {
+	DNS_NAME_INITABSOLUTE(ip6fc, ulaoffsets),
+	DNS_NAME_INITABSOLUTE(ip6fd, ulaoffsets)
+};
+
+bool
+dns_name_isula(const dns_name_t *name) {
+	size_t i;
+
+	for (i = 0; i < (sizeof(ulanames)/sizeof(*ulanames)); i++)
+		if (dns_name_issubdomain(name, &ulanames[i]))
+			return (true);
+	return (false);
+}
+
+/*
+ * Use a simple table as we don't want all the locale stuff
+ * associated with ishexdigit().
+ */
+const char
+ishex[256] = {
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
+     0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+bool
+dns_name_istat(const dns_name_t *name) {
+	unsigned char len;
+	const unsigned char *ndata;
+
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels < 1)
+		return (false);
+
+	ndata = name->ndata;
+	len = ndata[0];
+	INSIST(len <= name->length);
+	ndata++;
+
+	/*
+	 * Is there at least one trust anchor reported and is the
+	 * label length consistent with a trust-anchor-telemetry label.
+	 */
+	if ((len < 8) || (len - 3) % 5 != 0) {
+		return (false);
+	}
+
+	if (ndata[0] != '_' ||
+	    maptolower[ndata[1]] != 't' ||
+	    maptolower[ndata[2]] != 'a') {
+		return (false);
+	}
+	ndata += 3;
+	len -= 3;
+
+	while (len > 0) {
+		INSIST(len >= 5);
+		if (ndata[0] != '-' || !ishex[ndata[1]] || !ishex[ndata[2]] ||
+		    !ishex[ndata[3]] || !ishex[ndata[4]]) {
+			return (false);
+		}
+		ndata += 5;
+		len -= 5;
+	}
+	return (true);
+}
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
new file mode 100644
index 0000000..c5078de
--- /dev/null
+++ b/lib/dns/ncache.c
@@ -0,0 +1,750 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#define DNS_NCACHE_RDATA 20U
+
+/*
+ * The format of an ncache rdata is a sequence of zero or more records of
+ * the following format:
+ *
+ *	owner name
+ *	type
+ *	trust
+ *	rdata count
+ *		rdata length			These two occur 'rdata count'
+ *		rdata				times.
+ *
+ */
+
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  bool optout, bool secure,
+	  dns_rdataset_t *addedrdataset);
+
+static inline isc_result_t
+copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
+	isc_result_t result;
+	unsigned int count;
+	isc_region_t ar, r;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Copy the rdataset count to the buffer.
+	 */
+	isc_buffer_availableregion(buffer, &ar);
+	if (ar.length < 2)
+		return (ISC_R_NOSPACE);
+	count = dns_rdataset_count(rdataset);
+	INSIST(count <= 65535);
+	isc_buffer_putuint16(buffer, (uint16_t)count);
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_toregion(&rdata, &r);
+		INSIST(r.length <= 65535);
+		isc_buffer_availableregion(buffer, &ar);
+		if (ar.length < 2)
+			return (ISC_R_NOSPACE);
+		/*
+		 * Copy the rdata length to the buffer.
+		 */
+		isc_buffer_putuint16(buffer, (uint16_t)r.length);
+		/*
+		 * Copy the rdata to the buffer.
+		 */
+		result = isc_buffer_copyregion(buffer, &r);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	}
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	       dns_rdataset_t *addedrdataset)
+{
+	return (addoptout(message, cache, node, covers, now, maxttl,
+			  false, false, addedrdataset));
+}
+
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     bool optout, dns_rdataset_t *addedrdataset)
+{
+	return (addoptout(message, cache, node, covers, now, maxttl,
+			  optout, true, addedrdataset));
+}
+
+static isc_result_t
+addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+	  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+	  bool optout, bool secure,
+	  dns_rdataset_t *addedrdataset)
+{
+	isc_result_t result;
+	isc_buffer_t buffer;
+	isc_region_t r;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+	dns_name_t *name;
+	dns_ttl_t ttl;
+	dns_trust_t trust;
+	dns_rdata_t rdata[DNS_NCACHE_RDATA];
+	dns_rdataset_t ncrdataset;
+	dns_rdatalist_t ncrdatalist;
+	unsigned char data[4096];
+	unsigned int next = 0;
+
+	/*
+	 * Convert the authority data from 'message' into a negative cache
+	 * rdataset, and store it in 'cache' at 'node'.
+	 */
+
+	REQUIRE(message != NULL);
+
+	/*
+	 * We assume that all data in the authority section has been
+	 * validated by the caller.
+	 */
+
+	/*
+	 * Initialize the list.
+	 */
+	dns_rdatalist_init(&ncrdatalist);
+	ncrdatalist.rdclass = dns_db_class(cache);
+	ncrdatalist.covers = covers;
+	ncrdatalist.ttl = maxttl;
+
+	/*
+	 * Build an ncache rdatas into buffer.
+	 */
+	ttl = maxttl;
+	trust = 0xffff;
+	isc_buffer_init(&buffer, data, sizeof(data));
+	if (message->counts[DNS_SECTION_AUTHORITY])
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	else
+		result = ISC_R_NOMORE;
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY,
+					&name);
+		if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if ((rdataset->attributes &
+				     DNS_RDATASETATTR_NCACHE) == 0)
+					continue;
+				type = rdataset->type;
+				if (type == dns_rdatatype_rrsig)
+					type = rdataset->covers;
+				if (type == dns_rdatatype_soa ||
+				    type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3) {
+					if (ttl > rdataset->ttl)
+						ttl = rdataset->ttl;
+					if (trust > rdataset->trust)
+						trust = rdataset->trust;
+					/*
+					 * Copy the owner name to the buffer.
+					 */
+					dns_name_toregion(name, &r);
+					result = isc_buffer_copyregion(&buffer,
+								       &r);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+					/*
+					 * Copy the type to the buffer.
+					 */
+					isc_buffer_availableregion(&buffer,
+								   &r);
+					if (r.length < 3)
+						return (ISC_R_NOSPACE);
+					isc_buffer_putuint16(&buffer,
+							     rdataset->type);
+					isc_buffer_putuint8(&buffer,
+					       (unsigned char)rdataset->trust);
+					/*
+					 * Copy the rdataset into the buffer.
+					 */
+					result = copy_rdataset(rdataset,
+							       &buffer);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+
+					if (next >= DNS_NCACHE_RDATA)
+						return (ISC_R_NOSPACE);
+					dns_rdata_init(&rdata[next]);
+					isc_buffer_remainingregion(&buffer, &r);
+					rdata[next].data = r.base;
+					rdata[next].length = r.length;
+					rdata[next].rdclass =
+						ncrdatalist.rdclass;
+					rdata[next].type = 0;
+					rdata[next].flags = 0;
+					ISC_LIST_APPEND(ncrdatalist.rdata,
+							&rdata[next], link);
+					isc_buffer_forward(&buffer, r.length);
+					next++;
+				}
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	if (trust == 0xffff) {
+		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
+		    message->counts[DNS_SECTION_ANSWER] == 0) {
+			/*
+			 * The response has aa set and we haven't followed
+			 * any CNAME or DNAME chains.
+			 */
+			trust = dns_trust_authauthority;
+		} else
+			trust = dns_trust_additional;
+		ttl = 0;
+	}
+
+	INSIST(trust != 0xffff);
+
+	ncrdatalist.ttl = ttl;
+
+	dns_rdataset_init(&ncrdataset);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
+		      == ISC_R_SUCCESS);
+	if (!secure && trust > dns_trust_answer)
+		trust = dns_trust_answer;
+	ncrdataset.trust = trust;
+	ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
+	if (message->rcode == dns_rcode_nxdomain)
+		ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	if (optout)
+		ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
+
+	return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
+				   0, addedrdataset));
+}
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+		  isc_buffer_t *target, unsigned int options,
+		  unsigned int *countp)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	isc_region_t remaining, tavailable;
+	isc_buffer_t source, savedbuffer, rdlen;
+	dns_name_t name;
+	dns_rdatatype_t type;
+	unsigned int i, rcount, count;
+
+	/*
+	 * Convert the negative caching rdataset 'rdataset' to wire format,
+	 * compressing names as specified in 'cctx', and storing the result in
+	 * 'target'.
+	 */
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == 0);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+
+	savedbuffer = *target;
+	count = 0;
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rdataset, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&name, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&name, &remaining);
+		INSIST(remaining.length >= name.length);
+		isc_buffer_forward(&source, name.length);
+		remaining.length -= name.length;
+
+		INSIST(remaining.length >= 5);
+		type = isc_buffer_getuint16(&source);
+		isc_buffer_forward(&source, 1);
+		rcount = isc_buffer_getuint16(&source);
+
+		for (i = 0; i < rcount; i++) {
+			/*
+			 * Get the length of this rdata and set up an
+			 * rdata structure for it.
+			 */
+			isc_buffer_remainingregion(&source, &remaining);
+			INSIST(remaining.length >= 2);
+			dns_rdata_reset(&rdata);
+			rdata.length = isc_buffer_getuint16(&source);
+			isc_buffer_remainingregion(&source, &remaining);
+			rdata.data = remaining.base;
+			rdata.type = type;
+			rdata.rdclass = rdataset->rdclass;
+			INSIST(remaining.length >= rdata.length);
+			isc_buffer_forward(&source, rdata.length);
+
+			if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
+			    dns_rdatatype_isdnssec(type))
+				continue;
+
+			/*
+			 * Write the name.
+			 */
+			dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+			result = dns_name_towire(&name, cctx, target);
+			if (result != ISC_R_SUCCESS)
+				goto rollback;
+
+			/*
+			 * See if we have space for type, class, ttl, and
+			 * rdata length.  Write the type, class, and ttl.
+			 */
+			isc_buffer_availableregion(target, &tavailable);
+			if (tavailable.length < 10) {
+				result = ISC_R_NOSPACE;
+				goto rollback;
+			}
+			isc_buffer_putuint16(target, type);
+			isc_buffer_putuint16(target, rdataset->rdclass);
+			isc_buffer_putuint32(target, rdataset->ttl);
+
+			/*
+			 * Save space for rdata length.
+			 */
+			rdlen = *target;
+			isc_buffer_add(target, 2);
+
+			/*
+			 * Write the rdata.
+			 */
+			result = dns_rdata_towire(&rdata, cctx, target);
+			if (result != ISC_R_SUCCESS)
+				goto rollback;
+
+			/*
+			 * Set the rdata length field to the compressed
+			 * length.
+			 */
+			INSIST((target->used >= rdlen.used + 2) &&
+			       (target->used - rdlen.used - 2 < 65536));
+			isc_buffer_putuint16(&rdlen,
+					     (uint16_t)(target->used -
+							    rdlen.used - 2));
+
+			count++;
+		}
+		INSIST(isc_buffer_remaininglength(&source) == 0);
+		result = dns_rdataset_next(rdataset);
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto rollback;
+
+	*countp = count;
+
+	return (ISC_R_SUCCESS);
+
+ rollback:
+	INSIST(savedbuffer.used < 65536);
+	dns_compress_rollback(cctx, (uint16_t)savedbuffer.used);
+	*countp = 0;
+	*target = savedbuffer;
+
+	return (result);
+}
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+	raw += 2;
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+	raw += length + 2;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+
+	REQUIRE(raw != NULL);
+
+	r.length = raw[0] * 256 + raw[1];
+	raw += 2;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	unsigned char *raw = rdataset->private3;
+
+	raw[-1] = (unsigned char)trust;
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	rdataset_settrust,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+		       dns_rdatatype_t type, dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t remaining;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t ttype;
+	dns_trust_t trust = dns_trust_none;
+	dns_rdataset_t rclone;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(name != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(type != dns_rdatatype_rrsig);
+
+	dns_rdataset_init(&rclone);
+	dns_rdataset_clone(ncacherdataset, &rclone);
+	result = dns_rdataset_first(&rclone);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rclone, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&tname, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&tname, &remaining);
+		INSIST(remaining.length >= tname.length);
+		isc_buffer_forward(&source, tname.length);
+		remaining.length -= tname.length;
+
+		INSIST(remaining.length >= 3);
+		ttype = isc_buffer_getuint16(&source);
+
+		if (ttype == type && dns_name_equal(&tname, name)) {
+			trust = isc_buffer_getuint8(&source);
+			INSIST(trust <= dns_trust_ultimate);
+			isc_buffer_remainingregion(&source, &remaining);
+			break;
+		}
+		result = dns_rdataset_next(&rclone);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rclone);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_NOTFOUND);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	INSIST(remaining.length != 0);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	rdataset->covers = 0;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+			  dns_rdatatype_t covers, dns_rdataset_t *rdataset)
+{
+	dns_name_t tname;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rclone;
+	dns_rdatatype_t type;
+	dns_trust_t trust = dns_trust_none;
+	isc_buffer_t source;
+	isc_region_t remaining, sigregion;
+	isc_result_t result;
+	unsigned char *raw;
+	unsigned int count;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(name != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	dns_rdataset_init(&rclone);
+	dns_rdataset_clone(ncacherdataset, &rclone);
+	result = dns_rdataset_first(&rclone);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rclone, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
+		dns_name_init(&tname, NULL);
+		isc_buffer_remainingregion(&source, &remaining);
+		dns_name_fromregion(&tname, &remaining);
+		INSIST(remaining.length >= tname.length);
+		isc_buffer_forward(&source, tname.length);
+		isc_region_consume(&remaining, tname.length);
+
+		INSIST(remaining.length >= 2);
+		type = isc_buffer_getuint16(&source);
+		isc_region_consume(&remaining, 2);
+
+		if (type != dns_rdatatype_rrsig ||
+		    !dns_name_equal(&tname, name)) {
+			result = dns_rdataset_next(&rclone);
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		INSIST(remaining.length >= 1);
+		trust = isc_buffer_getuint8(&source);
+		INSIST(trust <= dns_trust_ultimate);
+		isc_region_consume(&remaining, 1);
+
+		raw = remaining.base;
+		count = raw[0] * 256 + raw[1];
+		INSIST(count > 0);
+		raw += 2;
+		sigregion.length = raw[0] * 256 + raw[1];
+		raw += 2;
+		sigregion.base = raw;
+		dns_rdata_reset(&rdata);
+		dns_rdata_fromregion(&rdata, rdataset->rdclass,
+				     dns_rdatatype_rrsig, &sigregion);
+		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		if (rrsig.covered == covers) {
+			isc_buffer_remainingregion(&source, &remaining);
+			break;
+		}
+
+		result = dns_rdataset_next(&rclone);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rclone);
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_NOTFOUND);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	INSIST(remaining.length != 0);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = dns_rdatatype_rrsig;
+	rdataset->covers = covers;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_trust_t trust;
+	isc_region_t remaining, sigregion;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t type;
+	unsigned int count;
+	dns_rdata_rrsig_t rrsig;
+	unsigned char *raw;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
+	REQUIRE(found != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	dns_rdataset_current(ncacherdataset, &rdata);
+	isc_buffer_init(&source, rdata.data, rdata.length);
+	isc_buffer_add(&source, rdata.length);
+
+	dns_name_init(&tname, NULL);
+	isc_buffer_remainingregion(&source, &remaining);
+	dns_name_fromregion(found, &remaining);
+	INSIST(remaining.length >= found->length);
+	isc_buffer_forward(&source, found->length);
+	remaining.length -= found->length;
+
+	INSIST(remaining.length >= 5);
+	type = isc_buffer_getuint16(&source);
+	trust = isc_buffer_getuint8(&source);
+	INSIST(trust <= dns_trust_ultimate);
+	isc_buffer_remainingregion(&source, &remaining);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	if (type == dns_rdatatype_rrsig) {
+		/*
+		 * Extract covers from RRSIG.
+		 */
+		raw = remaining.base;
+		count = raw[0] * 256 + raw[1];
+		INSIST(count > 0);
+		raw += 2;
+		sigregion.length = raw[0] * 256 + raw[1];
+		raw += 2;
+		sigregion.base = raw;
+		dns_rdata_reset(&rdata);
+		dns_rdata_fromregion(&rdata, rdataset->rdclass,
+				     rdataset->type, &sigregion);
+		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		rdataset->covers = rrsig.covered;
+	} else
+		rdataset->covers = 0;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+}
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
new file mode 100644
index 0000000..d0f0705
--- /dev/null
+++ b/lib/dns/nsec.c
@@ -0,0 +1,445 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/log.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto failure; \
+	} while (0)
+
+void
+dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
+	unsigned int shift, mask;
+
+	shift = 7 - (type % 8);
+	mask = 1 << shift;
+
+	if (bit != 0)
+		array[type / 8] |= mask;
+	else
+		array[type / 8] &= (~mask & 0xFF);
+}
+
+bool
+dns_nsec_isset(const unsigned char *array, unsigned int type) {
+	unsigned int byte, shift, mask;
+
+	byte = array[type / 8];
+	shift = 7 - (type % 8);
+	mask = 1 << shift;
+
+	return (byte & mask);
+}
+
+unsigned int
+dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
+			unsigned int max_type)
+{
+	unsigned char *start = map;
+	unsigned int window;
+	int octet;
+
+	if (raw == NULL)
+		return (0);
+
+	for (window = 0; window < 256; window++) {
+		if (window * 256 > max_type)
+			break;
+		for (octet = 31; octet >= 0; octet--)
+			if (*(raw + octet) != 0)
+				break;
+		if (octet < 0) {
+			raw += 32;
+			continue;
+		}
+		*map++ = window;
+		*map++ = octet + 1;
+		/*
+		 * Note: potential overlapping move.
+		 */
+		memmove(map, raw, octet + 1);
+		map += octet + 1;
+		raw += 32;
+	}
+	return (unsigned int)(map - start);
+}
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		    dns_dbnode_t *node, dns_name_t *target,
+		    unsigned char *buffer, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_region_t r;
+	unsigned int i;
+
+	unsigned char *nsec_bits, *bm;
+	unsigned int max_type;
+	dns_rdatasetiter_t *rdsiter;
+
+	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
+	dns_name_toregion(target, &r);
+	memmove(buffer, r.base, r.length);
+	r.base = buffer;
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
+	dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
+	max_type = dns_rdatatype_nsec;
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig) {
+			if (rdataset.type > max_type)
+				max_type = rdataset.type;
+			dns_nsec_setbit(bm, rdataset.type, 1);
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
+	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
+	    ! dns_nsec_isset(bm, dns_rdatatype_soa)) {
+		for (i = 0; i <= max_type; i++) {
+			if (dns_nsec_isset(bm, i) &&
+			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+				dns_nsec_setbit(bm, i, 0);
+		}
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
+
+	r.length = (unsigned int)(nsec_bits - r.base);
+	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
+	dns_rdata_fromregion(rdata,
+			     dns_db_class(db),
+			     dns_rdatatype_nsec,
+			     &r);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+	       dns_name_t *target, dns_ttl_t ttl)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[DNS_NSEC_BUFFERSIZE];
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdata_init(&rdata);
+
+	RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
+
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_db_class(db);
+	rdatalist.type = dns_rdatatype_nsec;
+	rdatalist.ttl = ttl;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	result = dns_db_addrdataset(db, node, version, 0, &rdataset,
+				    0, NULL);
+	if (result == DNS_R_UNCHANGED)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+bool
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
+	dns_rdata_nsec_t nsecstruct;
+	isc_result_t result;
+	bool present;
+	unsigned int i, len, window;
+
+	REQUIRE(nsec != NULL);
+	REQUIRE(nsec->type == dns_rdatatype_nsec);
+
+	/* This should never fail */
+	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
+	present = false;
+	for (i = 0; i < nsecstruct.len; i += len) {
+		INSIST(i + 2 <= nsecstruct.len);
+		window = nsecstruct.typebits[i];
+		len = nsecstruct.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsecstruct.len);
+		if (window * 256 > type)
+			break;
+		if ((window + 1) * 256 <= type)
+			continue;
+		if (type < (window * 256) + len * 8)
+			present = dns_nsec_isset(&nsecstruct.typebits[i],
+						 type % 256);
+		break;
+	}
+	dns_rdata_freestruct(&nsecstruct);
+	return (present);
+}
+
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
+		  bool *answer)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_dnskey_t dnskey;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     0, 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND)
+		*answer = false;
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
+		    dnskey.algorithm == DST_ALG_RSASHA1 ||
+		    dnskey.algorithm == DST_ALG_DSA ||
+		    dnskey.algorithm == DST_ALG_ECC)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS)
+		*answer = true;
+	if (result == ISC_R_NOMORE) {
+		*answer = false;
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ *
+ * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
+ */
+isc_result_t
+dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
+		       dns_name_t *nsecname, dns_rdataset_t *nsecset,
+		       bool *exists, bool *data,
+		       dns_name_t *wild, dns_nseclog_t logit, void *arg)
+{
+	int order;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_namereln_t relation;
+	unsigned int olabels, nlabels, labels;
+	dns_rdata_nsec_t nsec;
+	bool atparent;
+	bool ns;
+	bool soa;
+
+	REQUIRE(exists != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(nsecset != NULL &&
+		nsecset->type == dns_rdatatype_nsec);
+
+	result = dns_rdataset_first(nsecset);
+	if (result != ISC_R_SUCCESS) {
+		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
+		return (result);
+	}
+	dns_rdataset_current(nsecset, &rdata);
+
+	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
+	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
+
+	if (order < 0) {
+		/*
+		 * The name is not within the NSEC range.
+		 */
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			      "NSEC does not cover name, before NSEC");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order == 0) {
+		/*
+		 * The names are the same.   If we are validating "."
+		 * then atparent should not be set as there is no parent.
+		 */
+		atparent = (olabels != 1) && dns_rdatatype_atparent(type);
+		ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
+		if (ns && !soa) {
+			if (!atparent) {
+				/*
+				 * This NSEC record is from somewhere higher in
+				 * the DNS, and at the parent of a delegation.
+				 * It can not be legitimately used here.
+				 */
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					      "ignoring parent nsec");
+				return (ISC_R_IGNORE);
+			}
+		} else if (atparent && ns && soa) {
+			/*
+			 * This NSEC record is from the child.
+			 * It can not be legitimately used here.
+			 */
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				      "ignoring child nsec");
+			return (ISC_R_IGNORE);
+		}
+		if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
+		    type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
+		    !dns_nsec_typepresent(&rdata, dns_rdatatype_cname)) {
+			*exists = true;
+			*data = dns_nsec_typepresent(&rdata, type);
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				      "nsec proves name exists (owner) data=%d",
+				      *data);
+			return (ISC_R_SUCCESS);
+		}
+		(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
+		return (ISC_R_IGNORE);
+	}
+
+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+	    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+	{
+		/*
+		 * This NSEC record is from somewhere higher in
+		 * the DNS, and at the parent of a delegation.
+		 * It can not be legitimately used here.
+		 */
+		(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
+		return (ISC_R_IGNORE);
+	}
+
+	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
+	if (order == 0) {
+		dns_rdata_freestruct(&nsec);
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			      "ignoring nsec matches next name");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
+		/*
+		 * The name is not within the NSEC range.
+		 */
+		dns_rdata_freestruct(&nsec);
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			    "ignoring nsec because name is past end of range");
+		return (ISC_R_IGNORE);
+	}
+
+	if (order > 0 && relation == dns_namereln_subdomain) {
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			      "nsec proves name exist (empty)");
+		dns_rdata_freestruct(&nsec);
+		*exists = true;
+		*data = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (wild != NULL) {
+		dns_name_t common;
+		dns_name_init(&common, NULL);
+		if (olabels > nlabels) {
+			labels = dns_name_countlabels(nsecname);
+			dns_name_getlabelsequence(nsecname, labels - olabels,
+						  olabels, &common);
+		} else {
+			labels = dns_name_countlabels(&nsec.next);
+			dns_name_getlabelsequence(&nsec.next, labels - nlabels,
+						  nlabels, &common);
+		}
+		result = dns_name_concatenate(dns_wildcardname, &common,
+					      wild, NULL);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdata_freestruct(&nsec);
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				    "failure generating wildcard name");
+			return (result);
+		}
+	}
+	dns_rdata_freestruct(&nsec);
+	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
+	*exists = false;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
new file mode 100644
index 0000000..e127893
--- /dev/null
+++ b/lib/dns/nsec3.c
@@ -0,0 +1,2113 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/log.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/safe.h>
+
+#include <dst/dst.h>
+
+#include <dns/db.h>
+#include <dns/zone.h>
+#include <dns/compress.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#define CHECK(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto failure; \
+	} while (0)
+
+#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
+#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		     dns_dbnode_t *node, unsigned int hashalg,
+		     unsigned int flags, unsigned int iterations,
+		     const unsigned char *salt, size_t salt_length,
+		     const unsigned char *nexthash, size_t hash_length,
+		     unsigned char *buffer, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_region_t r;
+	unsigned int i;
+	bool found;
+	bool found_ns;
+	bool need_rrsig;
+
+	unsigned char *nsec_bits, *bm;
+	unsigned int max_type;
+	dns_rdatasetiter_t *rdsiter;
+	unsigned char *p;
+
+	REQUIRE(salt_length < 256U);
+	REQUIRE(hash_length < 256U);
+	REQUIRE(flags <= 0xffU);
+	REQUIRE(hashalg <= 0xffU);
+	REQUIRE(iterations <= 0xffffU);
+
+	switch (hashalg) {
+	case dns_hash_sha1:
+		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
+		break;
+	}
+
+	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);
+
+	p = buffer;
+
+	*p++ = hashalg;
+	*p++ = flags;
+
+	*p++ = iterations >> 8;
+	*p++ = iterations;
+
+	*p++ = (unsigned char)salt_length;
+	memmove(p, salt, salt_length);
+	p += salt_length;
+
+	*p++ = (unsigned char)hash_length;
+	memmove(p, nexthash, hash_length);
+	p += hash_length;
+
+	r.length = (unsigned int)(p - buffer);
+	r.base = buffer;
+
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	max_type = 0;
+	if (node == NULL)
+		goto collapse_bitmap;
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	found = found_ns = need_rrsig = false;
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig) {
+			if (rdataset.type > max_type)
+				max_type = rdataset.type;
+			dns_nsec_setbit(bm, rdataset.type, 1);
+			/*
+			 * Work out if we need to set the RRSIG bit for
+			 * this node.  We set the RRSIG bit if either of
+			 * the following conditions are met:
+			 * 1) We have a SOA or DS then we need to set
+			 *    the RRSIG bit as both always will be signed.
+			 * 2) We set the RRSIG bit if we don't have
+			 *    a NS record but do have other data.
+			 */
+			if (rdataset.type == dns_rdatatype_soa ||
+			    rdataset.type == dns_rdatatype_ds)
+				need_rrsig = true;
+			else if (rdataset.type == dns_rdatatype_ns)
+				found_ns = true;
+			else
+				found = true;
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if ((found && !found_ns) || need_rrsig) {
+		if (dns_rdatatype_rrsig > max_type)
+			max_type = dns_rdatatype_rrsig;
+		dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
+	}
+
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
+	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
+	    ! dns_nsec_isset(bm, dns_rdatatype_soa)) {
+		for (i = 0; i <= max_type; i++) {
+			if (dns_nsec_isset(bm, i) &&
+			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+				dns_nsec_setbit(bm, i, 0);
+		}
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+ collapse_bitmap:
+	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
+	r.length = (unsigned int)(nsec_bits - r.base);
+	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
+	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+	bool present;
+	unsigned int i, len, window;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	/* This should never fail */
+	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
+	present = false;
+	for (i = 0; i < nsec3.len; i += len) {
+		INSIST(i + 2 <= nsec3.len);
+		window = nsec3.typebits[i];
+		len = nsec3.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsec3.len);
+		if (window * 256 > type)
+			break;
+		if ((window + 1) * 256 <= type)
+			continue;
+		if (type < (window * 256) + len * 8)
+			present = dns_nsec_isset(&nsec3.typebits[i],
+						 type % 256);
+		break;
+	}
+	dns_rdata_freestruct(&nsec3);
+	return (present);
+}
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
+		   dns_hash_t hashalg, unsigned int iterations,
+		   const unsigned char *salt, size_t saltlength)
+{
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nametext[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *downcased;
+	isc_buffer_t namebuffer;
+	isc_region_t region;
+	size_t len;
+
+	if (rethash == NULL)
+		rethash = hash;
+
+	memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);
+
+	downcased = dns_fixedname_initname(&fixed);
+	dns_name_downcase(name, downcased, NULL);
+
+	/* hash the node name */
+	len = isc_iterated_hash(rethash, hashalg, iterations,
+				salt, (int)saltlength,
+				downcased->ndata, downcased->length);
+	if (len == 0U)
+		return (DNS_R_BADALG);
+
+	if (hash_length != NULL)
+		*hash_length = len;
+
+	/* convert the hash to base32hex non-padded */
+	region.base = rethash;
+	region.length = (unsigned int)len;
+	isc_buffer_init(&namebuffer, nametext, sizeof nametext);
+	isc_base32hexnp_totext(&region, 1, "", &namebuffer);
+
+	/* convert the hex to a domain name */
+	dns_fixedname_init(result);
+	return (dns_name_fromtext(dns_fixedname_name(result), &namebuffer,
+				  origin, 0, NULL));
+}
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash) {
+
+	switch (hash) {
+	case dns_hash_sha1:
+		return(ISC_SHA1_DIGESTLENGTH);
+	}
+	return (0);
+}
+
+bool
+dns_nsec3_supportedhash(dns_hash_t hash) {
+	switch (hash) {
+	case dns_hash_sha1:
+		return (true);
+	}
+	return (false);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li  '*tuple' == NULL.  Either the tuple is freed, or its
+ *      ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	    bool *exists)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *iter = NULL;
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*exists = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_allrdatasets(db, node, version,
+				     (isc_stdtime_t) 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	result = dns_rdatasetiter_first(iter);
+	if (result == ISC_R_SUCCESS) {
+		*exists = true;
+	} else if (result == ISC_R_NOMORE) {
+		*exists = false;
+		result = ISC_R_SUCCESS;
+	} else
+		*exists = false;
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static bool
+match_nsec3param(const dns_rdata_nsec3_t *nsec3,
+		 const dns_rdata_nsec3param_t *nsec3param)
+{
+	if (nsec3->hash == nsec3param->hash &&
+	    nsec3->iterations == nsec3param->iterations &&
+	    nsec3->salt_length == nsec3param->salt_length &&
+	    !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
+		return (true);
+	return (false);
+}
+
+/*%
+ * Delete NSEC3 records at "name" which match "param", recording the
+ * change in "diff".
+ */
+static isc_result_t
+delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL ;
+	dns_difftuple_t *tuple = NULL;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	result = dns_db_findnsec3node(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+
+		if (!match_nsec3param(&nsec3, nsec3param))
+			continue;
+
+		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
+					      rdataset.ttl, &rdata, &tuple);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+		result = do_one_tuple(&tuple, db, version, diff);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+	result = ISC_R_SUCCESS;
+
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+static bool
+better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	if (REMOVE(param->data[1]))
+		return (true);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(nsec3paramset, &rdataset);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata =  DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		if (rdataset.type != dns_rdatatype_nsec3param) {
+			dns_rdata_t tmprdata =  DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &tmprdata);
+			if (!dns_nsec3param_fromprivate(&tmprdata, &rdata,
+							buf, sizeof(buf)))
+				continue;
+		} else
+			dns_rdataset_current(&rdataset, &rdata);
+
+		if (rdata.length != param->length)
+			continue;
+		if (rdata.data[0] != param->data[0] ||
+		    REMOVE(rdata.data[1]) ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+			continue;
+		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
+			dns_rdataset_disassociate(&rdataset);
+			return (true);
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (false);
+}
+
+static isc_result_t
+find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
+	   const dns_rdata_nsec3param_t *nsec3param)
+{
+	isc_result_t result;
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
+		dns_rdata_reset(&rdata);
+		if (match_nsec3param(nsec3, nsec3param))
+			break;
+	}
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
+		   dns_ttl_t nsecttl, bool unsecure, dns_diff_t *diff)
+{
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *newnode = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	bool exists = false;
+	bool maybe_remove_unsecure = false;
+	uint8_t flags;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *old_next;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int old_length;
+	unsigned int salt_length;
+
+	hashname = dns_fixedname_initname(&fixed);
+	prev = dns_fixedname_initname(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * Default flags for a new chain.
+	 */
+	flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+				 name, origin, hash, iterations,
+				 salt, salt_length));
+	INSIST(next_length <= sizeof(nexthash));
+
+	/*
+	 * Create the node if it doesn't exist and hold
+	 * a reference to it until we have added the NSEC3.
+	 */
+	CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+
+	/*
+	 * Seek the iterator to the 'newnode'.
+	 */
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, hashname));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	/*
+	 * If we updating a existing NSEC3 then find its
+	 * next field.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			if (!CREATE(nsec3param->flags))
+				flags = nsec3.flags;
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memmove(nexthash, nsec3.next, next_length);
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * If the NSEC3 is not for a unsecure delegation then
+			 * we are just updating it.  If it is for a unsecure
+			 * delegation then we need find out if we need to
+			 * remove the NSEC3 record or not by examining the
+			 * previous NSEC3 record.
+			 */
+			if (!unsecure)
+				goto addnsec3;
+			else if (CREATE(nsec3param->flags) && OPTOUT(flags)) {
+				result = dns_nsec3_delnsec3(db, version, name,
+							    nsec3param, diff);
+				goto failure;
+			} else
+				maybe_remove_unsecure = true;
+		} else {
+			dns_rdataset_disassociate(&rdataset);
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+	}
+
+	/*
+	 * Find the previous NSEC3 (if any) and update it if required.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		if (maybe_remove_unsecure) {
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * If we have OPTOUT set in the previous NSEC3 record
+			 * we actually need to delete the NSEC3 record.
+			 * Otherwise we just need to replace the NSEC3 record.
+			 */
+			if (OPTOUT(nsec3.flags)) {
+				result = dns_nsec3_delnsec3(db, version, name,
+							    nsec3param, diff);
+				goto failure;
+			}
+			goto addnsec3;
+		} else {
+			/*
+			 * Is this is a unsecure delegation we are adding?
+			 * If so no change is required.
+			 */
+			if (OPTOUT(nsec3.flags) && unsecure) {
+				dns_rdataset_disassociate(&rdataset);
+				goto failure;
+			}
+		}
+
+		old_next = nsec3.next;
+		old_length = nsec3.next_length;
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = (unsigned char)next_length;
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(old_length <= sizeof(nexthash));
+		memmove(nexthash, old_next, old_length);
+		if (!CREATE(nsec3param->flags))
+			flags = nsec3.flags;
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+ addnsec3:
+	/*
+	 * Create the NSEC3 RDATA.
+	 */
+	CHECK(dns_db_findnode(db, name, false, &node));
+	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
+				   salt, salt_length, nexthash, next_length,
+				   nsec3buf, &rdata));
+	dns_db_detachnode(db, &node);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+	/*
+	 * Add the new NSEC3 and record the change.
+	 */
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+				   hashname, nsecttl, &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, version, diff));
+	INSIST(tuple == NULL);
+	dns_rdata_reset(&rdata);
+	dns_db_detachnode(db, &newnode);
+
+	/*
+	 * Add missing NSEC3 records for empty nodes
+	 */
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin))
+			break;
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(name_exists(db, version, &empty, &exists));
+		if (exists)
+			break;
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+					 &empty, origin, hash, iterations,
+					 salt, salt_length));
+
+		/*
+		 * Create the node if it doesn't exist and hold
+		 * a reference to it until we have added the NSEC3
+		 * or we discover we don't need to add make a change.
+		 */
+		CHECK(dns_db_findnsec3node(db, hashname, true, &newnode));
+		result = dns_db_findrdataset(db, newnode, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		if (result == ISC_R_SUCCESS) {
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			dns_rdataset_disassociate(&rdataset);
+			if (result == ISC_R_SUCCESS) {
+				dns_db_detachnode(db, &newnode);
+				break;
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+
+		/*
+		 * Find the previous NSEC3 and update it.
+		 */
+		CHECK(dns_dbiterator_seek(dbit, hashname));
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(db, node, version,
+						     dns_rdatatype_nsec3, 0,
+						     (isc_stdtime_t) 0,
+						     &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			old_next = nsec3.next;
+			old_length = nsec3.next_length;
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = (unsigned char)next_length;
+			isc_buffer_init(&buffer, nsec3buf,
+					sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			INSIST(old_length <= sizeof(nexthash));
+			memmove(nexthash, old_next, old_length);
+			if (!CREATE(nsec3param->flags))
+				flags = nsec3.flags;
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Create the NSEC3 RDATA for the empty node.
+		 */
+		CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
+					   iterations, salt, salt_length,
+					   nexthash, next_length, nsec3buf,
+					   &rdata));
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+
+		/*
+		 * Add the new NSEC3 and record the change.
+		 */
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+					   hashname, nsecttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(tuple == NULL);
+		dns_rdata_reset(&rdata);
+		dns_db_detachnode(db, &newnode);
+	} while (1);
+
+	/* result cannot be ISC_R_NOMORE here */
+	INSIST(result != ISC_R_NOMORE);
+
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (newnode != NULL)
+		dns_db_detachnode(db, &newnode);
+	return (result);
+}
+
+/*%
+ * Add NSEC3 records for "name", recording the change in "diff".
+ * The existing NSEC3 records are removed.
+ */
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    dns_name_t *name, dns_ttl_t nsecttl,
+		    bool unsecure, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0)
+			continue;
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+bool
+dns_nsec3param_fromprivate(dns_rdata_t *src, dns_rdata_t *target,
+			   unsigned char *buf, size_t buflen)
+{
+	dns_decompress_t dctx;
+	isc_result_t result;
+	isc_buffer_t buf1;
+	isc_buffer_t buf2;
+
+	/*
+	 * Algorithm 0 (reserved by RFC 4034) is used to identify
+	 * NSEC3PARAM records from DNSKEY pointers.
+	 */
+	if (src->length < 1 || src->data[0] != 0)
+		return (false);
+
+	isc_buffer_init(&buf1, src->data + 1, src->length - 1);
+	isc_buffer_add(&buf1, src->length - 1);
+	isc_buffer_setactive(&buf1, src->length - 1);
+	isc_buffer_init(&buf2, buf, (unsigned int)buflen);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	result = dns_rdata_fromwire(target, src->rdclass,
+				    dns_rdatatype_nsec3param,
+				    &buf1, &dctx, 0, &buf2);
+	dns_decompress_invalidate(&dctx);
+
+	return (result == ISC_R_SUCCESS);
+}
+
+void
+dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
+			 dns_rdatatype_t privatetype,
+			 unsigned char *buf, size_t buflen)
+{
+	REQUIRE(buflen >= src->length + 1);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	memmove(buf + 1, src->data, src->length);
+	buf[0] = 0;
+	target->data = buf;
+	target->length = src->length + 1;
+	target->type = privatetype;
+	target->rdclass = src->rdclass;
+	target->flags = 0;
+	ISC_LINK_INIT(target, link);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag)
+{
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3)
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	else
+		CHECK(dns_db_findnode(db, name, false, &node));
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_casecompare(&myrdata, rdata))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = true;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen)
+{
+	isc_result_t result;
+	isc_region_t r;
+	isc_buffer_t b;
+
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(dst != NULL);
+
+	if (nsec3param->salt_length == 0) {
+		if (dstlen < 2U) {
+			return (ISC_R_NOSPACE);
+		}
+		strlcpy(dst, "-", dstlen);
+		return (ISC_R_SUCCESS);
+	}
+
+	r.base = nsec3param->salt;
+	r.length = nsec3param->salt_length;
+	isc_buffer_init(&b, dst, (unsigned int)dstlen);
+
+	result = isc_hex_totext(&r, 2, "", &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (isc_buffer_availablelength(&b) < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
+			    dns_zone_t *zone, bool nonsec,
+			    dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_name_t next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	bool flag;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	dns_name_t *origin = dns_zone_getorigin(zone);
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+	dns_name_init(&next, NULL);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Cause all NSEC3 chains to be deleted.
+	 */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		dns_nsec3param_toprivate(&rdata, &private, privatetype,
+					 buf, sizeof(buf));
+		buf[2] = DNS_NSEC3FLAG_REMOVE;
+		if (nonsec)
+			buf[2] |= DNS_NSEC3FLAG_NONSEC;
+
+		CHECK(rr_exists(db, ver, origin, &private, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &private,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, ver, privatetype, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		INSIST(rdata.length <= sizeof(buf));
+		memmove(buf, rdata.data, rdata.length);
+
+		/*
+		 * Private NSEC3 record length >= 6.
+		 * <0(1), hash(1), flags(1), iterations(2), saltlen(1)>
+		 */
+		if (rdata.length < 6 || buf[0] != 0 ||
+		    (buf[2] & DNS_NSEC3FLAG_REMOVE) != 0 ||
+		    (nonsec && (buf[2] & DNS_NSEC3FLAG_NONSEC) != 0))
+			continue;
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, origin,
+					   0, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		rdata.data = buf;
+		buf[2] = DNS_NSEC3FLAG_REMOVE;
+		if (nonsec)
+			buf[2] |= DNS_NSEC3FLAG_NONSEC;
+
+		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &rdata, &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+ success:
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_addnsec3sx(dns_db_t *db, dns_dbversion_t *version,
+		     dns_name_t *name, dns_ttl_t nsecttl,
+		     bool unsecure, dns_rdatatype_t type,
+		     dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	dns_rdataset_t prdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version, type, 0, 0,
+				     &prdataset, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0)
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (!dns_rdataset_isassociated(&prdataset))
+		goto success;
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&prdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&prdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&prdataset, &rdata2))
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE)
+ success:
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * Determine whether any NSEC3 records that were associated with
+ * 'name' should be deleted or if they should continue to exist.
+ * true indicates they should be deleted.
+ * false indicates they should be retained.
+ */
+static isc_result_t
+deleteit(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 bool *yesno)
+{
+	isc_result_t result;
+	dns_fixedname_t foundname;
+	dns_fixedname_init(&foundname);
+
+	result = dns_db_find(db, name, ver, dns_rdatatype_any,
+			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t) 0, NULL,
+			     dns_fixedname_name(&foundname),
+			     NULL, NULL);
+	if (result == DNS_R_EMPTYNAME || result == ISC_R_SUCCESS ||
+	    result ==  DNS_R_ZONECUT) {
+		*yesno = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+	    result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+		*yesno = true;
+		return (ISC_R_SUCCESS);
+	}
+	/*
+	 * Silence compiler.
+	 */
+	*yesno = true;
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
+{
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	bool yesno;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int salt_length;
+
+	hashname = dns_fixedname_initname(&fixed);
+	prev = dns_fixedname_initname(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+				 name, origin, hash, iterations,
+				 salt, salt_length));
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+
+	result = dns_dbiterator_seek(dbit, hashname);
+	if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	CHECK(dns_dbiterator_current(dbit, &node, NULL));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * If we find a existing NSEC3 for this chain then save the
+	 * next field.
+	 */
+	result = find_nsec3(&nsec3, &rdataset, nsec3param);
+	if (result == ISC_R_SUCCESS) {
+		next_length = nsec3.next_length;
+		INSIST(next_length <= sizeof(nexthash));
+		memmove(nexthash, nsec3.next, next_length);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Find the previous NSEC3 and update it.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = (unsigned char)next_length;
+		if (CREATE(nsec3param->flags))
+			nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+
+	/*
+	 *  Delete NSEC3 records for now non active nodes.
+	 */
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin))
+			break;
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(deleteit(db, version, &empty, &yesno));
+		if (!yesno)
+			break;
+
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+					 &empty, origin, hash, iterations,
+					 salt, salt_length));
+		result = dns_dbiterator_seek(dbit, hashname);
+		if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		CHECK(dns_dbiterator_current(dbit, &node, NULL));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result == ISC_R_NOTFOUND)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memmove(nexthash, nsec3.next, next_length);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result == ISC_R_NOMORE)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(db, node, version,
+						     dns_rdatatype_nsec3, 0,
+						     (isc_stdtime_t) 0,
+						     &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = (unsigned char)next_length;
+			isc_buffer_init(&buffer, nsec3buf,
+					sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
+	} while (1);
+
+ success:
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		    dns_diff_t *diff)
+{
+	return (dns_nsec3_delnsec3sx(db, version, name, 0, diff));
+}
+
+isc_result_t
+dns_nsec3_delnsec3sx(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		     dns_rdatatype_t privatetype, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.flags != 0)
+			continue;
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+	if (privatetype == 0)
+		goto success;
+	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+				     &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Update each NSEC3 chain being built.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1,  &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata2, &nsec3param, NULL));
+
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&rdataset, &rdata2))
+			continue;
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+	if (result == ISC_R_NOMORE)
+ success:
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
+		 bool complete, bool *answer)
+{
+	return (dns_nsec3_activex(db, version, complete, 0, answer));
+}
+
+isc_result_t
+dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version,
+		  bool complete, dns_rdatatype_t privatetype,
+		  bool *answer)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (nsec3param.flags == 0)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		*answer = true;
+		return (ISC_R_SUCCESS);
+	}
+	if (result == ISC_R_NOMORE)
+		*answer = false;
+
+ try_private:
+	if (privatetype == 0 || complete) {
+		*answer = false;
+		return (ISC_R_SUCCESS);
+	}
+	result = dns_db_findrdataset(db, node, version, privatetype, 0, 0,
+				     &rdataset, NULL);
+
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = false;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		dns_rdata_t rdata2 = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &rdata1);
+		if (!dns_nsec3param_fromprivate(&rdata1, &rdata2,
+						buf, sizeof(buf)))
+			continue;
+		result = dns_rdata_tostruct(&rdata2, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!complete && CREATE(nsec3param.flags))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*answer = true;
+		result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = false;
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+			isc_mem_t *mctx, unsigned int *iterationsp)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dst_key_t *key = NULL;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned int bits, minbits = 4096;
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     0, 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*iterationsp = 0;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		isc_buffer_init(&buffer, rdata.data, rdata.length);
+		isc_buffer_add(&buffer, rdata.length);
+		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
+				      &buffer, mctx, &key));
+		bits = dst_key_size(key);
+		dst_key_free(&key);
+		if (minbits > bits)
+			minbits = bits;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	if (minbits <= 1024)
+		*iterationsp = 150;
+	else if (minbits <= 2048)
+		*iterationsp = 500;
+	else
+		*iterationsp = 2500;
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
+			dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
+			dns_name_t *zonename, bool *exists,
+			bool *data, bool *optout,
+			bool *unknown, bool *setclosest,
+			bool *setnearest, dns_name_t *closest,
+			dns_name_t *nearest, dns_nseclog_t logit, void *arg)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fzone;
+	dns_fixedname_t qfixed;
+	dns_label_t hashlabel;
+	dns_name_t *qname;
+	dns_name_t *zone;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	int order;
+	int scope;
+	bool atparent;
+	bool first;
+	bool ns;
+	bool soa;
+	isc_buffer_t buffer;
+	isc_result_t answer = ISC_R_IGNORE;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
+	unsigned int qlabels;
+	unsigned int zlabels;
+
+	REQUIRE((exists == NULL && data == NULL) ||
+		(exists != NULL && data != NULL));
+	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
+	REQUIRE((setclosest == NULL && closest == NULL) ||
+		(setclosest != NULL && closest != NULL));
+	REQUIRE((setnearest == NULL && nearest == NULL) ||
+		(setnearest != NULL && nearest != NULL));
+
+	result = dns_rdataset_first(nsec3set);
+	if (result != ISC_R_SUCCESS) {
+		(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC3 set");
+		return (result);
+	}
+
+	dns_rdataset_current(nsec3set, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
+
+	zone = dns_fixedname_initname(&fzone);
+	zlabels = dns_name_countlabels(nsec3name);
+
+	/*
+	 * NSEC3 records must have two or more labels to be valid.
+	 */
+	if (zlabels < 2)
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Strip off the NSEC3 hash to get the zone.
+	 */
+	zlabels--;
+	dns_name_split(nsec3name, zlabels, NULL, zone);
+
+	/*
+	 * If not below the zone name we can ignore this record.
+	 */
+	if (!dns_name_issubdomain(name, zone))
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Is this zone the same or deeper than the current zone?
+	 */
+	if (dns_name_countlabels(zonename) == 0 ||
+	    dns_name_issubdomain(zone, zonename))
+		dns_name_copy(zone, zonename, NULL);
+
+	if (!dns_name_equal(zone, zonename))
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Are we only looking for the most enclosing zone?
+	 */
+	if (exists == NULL || data == NULL)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * Only set unknown once we are sure that this NSEC3 is from
+	 * the deepest covering zone.
+	 */
+	if (!dns_nsec3_supportedhash(nsec3.hash)) {
+		if (unknown != NULL)
+			*unknown = true;
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Recover the hash from the first label.
+	 */
+	dns_name_getlabel(nsec3name, 0, &hashlabel);
+	isc_region_consume(&hashlabel, 1);
+	isc_buffer_init(&buffer, owner, sizeof(owner));
+	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * The hash lengths should match.  If not ignore the record.
+	 */
+	if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Work out what this NSEC3 covers.
+	 * Inside (<0) or outside (>=0).
+	 */
+	scope = isc_safe_memcompare(owner, nsec3.next, nsec3.next_length);
+
+	/*
+	 * Prepare to compute all the hashes.
+	 */
+	qname = dns_fixedname_initname(&qfixed);
+	dns_name_downcase(name, qname, NULL);
+	qlabels = dns_name_countlabels(qname);
+	first = true;
+
+	while (qlabels >= zlabels) {
+		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
+					   nsec3.salt, nsec3.salt_length,
+					   qname->ndata, qname->length);
+		/*
+		 * The computed hash length should match.
+		 */
+		if (length != nsec3.next_length) {
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "ignoring NSEC bad length %u vs %u",
+				 length, nsec3.next_length);
+			return (ISC_R_IGNORE);
+		}
+
+		order = isc_safe_memcompare(hash, owner, length);
+		if (first && order == 0) {
+			/*
+			 * The hashes are the same.
+			 */
+			atparent = dns_rdatatype_atparent(type);
+			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
+			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
+			if (ns && !soa) {
+				if (!atparent) {
+					/*
+					 * This NSEC3 record is from somewhere
+					 * higher in the DNS, and at the
+					 * parent of a delegation. It can not
+					 * be legitimately used here.
+					 */
+					(*logit)(arg, ISC_LOG_DEBUG(3),
+						 "ignoring parent NSEC3");
+					return (ISC_R_IGNORE);
+				}
+			} else if (atparent && ns && soa) {
+				/*
+				 * This NSEC3 record is from the child.
+				 * It can not be legitimately used here.
+				 */
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "ignoring child NSEC3");
+				return (ISC_R_IGNORE);
+			}
+			if (type == dns_rdatatype_cname ||
+			    type == dns_rdatatype_nxt ||
+			    type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_key ||
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
+				*exists = true;
+				*data = dns_nsec3_typepresent(&rdata, type);
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "NSEC3 proves name exists (owner) "
+					 "data=%d", *data);
+				return (ISC_R_SUCCESS);
+			}
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "NSEC3 proves CNAME exists");
+			return (ISC_R_IGNORE);
+		}
+
+		if (order == 0 &&
+		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
+		{
+			/*
+			 * This NSEC3 record is from somewhere higher in
+			 * the DNS, and at the parent of a delegation.
+			 * It can not be legitimately used here.
+			 */
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "ignoring parent NSEC3");
+			return (ISC_R_IGNORE);
+		}
+
+		/*
+		 * Potential closest encloser.
+		 */
+		if (order == 0) {
+			if (closest != NULL &&
+			    (dns_name_countlabels(closest) == 0 ||
+			     dns_name_issubdomain(qname, closest)) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
+			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
+			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
+			{
+
+				dns_name_format(qname, namebuf,
+						sizeof(namebuf));
+				(*logit)(arg, ISC_LOG_DEBUG(3),
+					 "NSEC3 indicates potential closest "
+					 "encloser: '%s'", namebuf);
+				dns_name_copy(qname, closest, NULL);
+				*setclosest = true;
+			}
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			(*logit)(arg, ISC_LOG_DEBUG(3),
+				 "NSEC3 at super-domain %s", namebuf);
+			return (answer);
+		}
+
+		/*
+		 * Find if the name does not exist.
+		 *
+		 * We continue as we need to find the name closest to the
+		 * closest encloser that doesn't exist.
+		 *
+		 * We also need to continue to ensure that we are not
+		 * proving the non-existence of a record in a sub-zone.
+		 * If that would be the case we will return ISC_R_IGNORE
+		 * above.
+		 */
+		if ((scope < 0 && order > 0 &&
+		     memcmp(hash, nsec3.next, length) < 0) ||
+		    (scope >= 0 && (order > 0 ||
+				    memcmp(hash, nsec3.next, length) < 0)))
+		{
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC3 proves "
+				 "name does not exist: '%s'", namebuf);
+			if (nearest != NULL &&
+			    (dns_name_countlabels(nearest) == 0 ||
+			     dns_name_issubdomain(nearest, qname))) {
+				dns_name_copy(qname, nearest, NULL);
+				*setnearest = true;
+			}
+
+			*exists = false;
+			*data = false;
+			if (optout != NULL) {
+				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
+					(*logit)(arg, ISC_LOG_DEBUG(3),
+						 "NSEC3 indicates optout");
+				else
+					(*logit)(arg, ISC_LOG_DEBUG(3),
+						 "NSEC3 indicates secure range");
+				*optout = (nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
+			}
+			answer = ISC_R_SUCCESS;
+		}
+
+		qlabels--;
+		if (qlabels > 0)
+			dns_name_split(qname, qlabels, NULL, qname);
+		first = false;
+	}
+	return (answer);
+}
diff --git a/lib/dns/nta.c b/lib/dns/nta.c
new file mode 100644
index 0000000..41e219b
--- /dev/null
+++ b/lib/dns/nta.c
@@ -0,0 +1,722 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/log.h>
+#include <dns/nta.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rbt.h>
+#include <dns/rdataset.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+struct dns_nta {
+	unsigned int		magic;
+	isc_refcount_t		refcount;
+	dns_ntatable_t		*ntatable;
+	bool		forced;
+	isc_timer_t		*timer;
+	dns_fetch_t		*fetch;
+	dns_rdataset_t		rdataset;
+	dns_rdataset_t		sigrdataset;
+	dns_fixedname_t		fn;
+	dns_name_t		*name;
+	isc_stdtime_t		expiry;
+};
+
+#define NTA_MAGIC		ISC_MAGIC('N', 'T', 'A', 'n')
+#define VALID_NTA(nn)	 	ISC_MAGIC_VALID(nn, NTA_MAGIC)
+
+/*
+ * Obtain a reference to the nta object.  Released by
+ * nta_detach.
+ */
+static void
+nta_ref(dns_nta_t *nta) {
+	isc_refcount_increment(&nta->refcount, NULL);
+}
+
+static void
+nta_detach(isc_mem_t *mctx, dns_nta_t **ntap) {
+	unsigned int refs;
+	dns_nta_t *nta = *ntap;
+
+	REQUIRE(VALID_NTA(nta));
+
+	*ntap = NULL;
+	isc_refcount_decrement(&nta->refcount, &refs);
+	if (refs == 0) {
+		nta->magic = 0;
+		if (nta->timer != NULL) {
+			(void) isc_timer_reset(nta->timer,
+					       isc_timertype_inactive,
+					       NULL, NULL, true);
+			isc_timer_detach(&nta->timer);
+		}
+		isc_refcount_destroy(&nta->refcount);
+		if (dns_rdataset_isassociated(&nta->rdataset))
+			dns_rdataset_disassociate(&nta->rdataset);
+		if (dns_rdataset_isassociated(&nta->sigrdataset))
+			dns_rdataset_disassociate(&nta->sigrdataset);
+		if (nta->fetch != NULL) {
+			dns_resolver_cancelfetch(nta->fetch);
+			dns_resolver_destroyfetch(&nta->fetch);
+		}
+		isc_mem_put(mctx, nta, sizeof(dns_nta_t));
+	}
+}
+
+static void
+free_nta(void *data, void *arg) {
+	dns_nta_t *nta = (dns_nta_t *) data;
+	isc_mem_t *mctx = (isc_mem_t *) arg;
+
+	nta_detach(mctx, &nta);
+}
+
+isc_result_t
+dns_ntatable_create(dns_view_t *view,
+		    isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr,
+		    dns_ntatable_t **ntatablep)
+{
+	dns_ntatable_t *ntatable;
+	isc_result_t result;
+
+	REQUIRE(ntatablep != NULL && *ntatablep == NULL);
+
+	ntatable = isc_mem_get(view->mctx, sizeof(*ntatable));
+	if (ntatable == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ntatable->task = NULL;
+	result = isc_task_create(taskmgr, 0, &ntatable->task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_ntatable;
+	isc_task_setname(ntatable->task, "ntatable", ntatable);
+
+	ntatable->table = NULL;
+	result = dns_rbt_create(view->mctx, free_nta, view->mctx,
+				&ntatable->table);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_task;
+
+	result = isc_rwlock_init(&ntatable->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rbt;
+
+	ntatable->timermgr = timermgr;
+	ntatable->taskmgr = taskmgr;
+
+	ntatable->view = view;
+	ntatable->references = 1;
+
+	ntatable->magic = NTATABLE_MAGIC;
+	*ntatablep = ntatable;
+
+	return (ISC_R_SUCCESS);
+
+   cleanup_rbt:
+	dns_rbt_destroy(&ntatable->table);
+
+   cleanup_task:
+	isc_task_detach(&ntatable->task);
+
+   cleanup_ntatable:
+	isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+
+	return (result);
+}
+
+void
+dns_ntatable_attach(dns_ntatable_t *source, dns_ntatable_t **targetp) {
+	REQUIRE(VALID_NTATABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	RWLOCK(&source->rwlock, isc_rwlocktype_write);
+
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);
+
+	RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
+
+	*targetp = source;
+}
+
+void
+dns_ntatable_detach(dns_ntatable_t **ntatablep) {
+	bool destroy = false;
+	dns_ntatable_t *ntatable;
+
+	REQUIRE(ntatablep != NULL && VALID_NTATABLE(*ntatablep));
+
+	ntatable = *ntatablep;
+	*ntatablep = NULL;
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+	INSIST(ntatable->references > 0);
+	ntatable->references--;
+	if (ntatable->references == 0)
+		destroy = true;
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	if (destroy) {
+		dns_rbt_destroy(&ntatable->table);
+		isc_rwlock_destroy(&ntatable->rwlock);
+		if (ntatable->task != NULL)
+			isc_task_detach(&ntatable->task);
+		ntatable->timermgr = NULL;
+		ntatable->taskmgr = NULL;
+		ntatable->magic = 0;
+		isc_mem_put(ntatable->view->mctx, ntatable, sizeof(*ntatable));
+	}
+}
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	dns_nta_t *nta = devent->ev_arg;
+	isc_result_t eresult = devent->result;
+	dns_ntatable_t *ntatable = nta->ntatable;
+	dns_view_t *view = ntatable->view;
+	isc_stdtime_t now;
+
+	UNUSED(task);
+
+	if (dns_rdataset_isassociated(&nta->rdataset))
+		dns_rdataset_disassociate(&nta->rdataset);
+	if (dns_rdataset_isassociated(&nta->sigrdataset))
+		dns_rdataset_disassociate(&nta->sigrdataset);
+	if (nta->fetch == devent->fetch)
+		nta->fetch = NULL;
+	dns_resolver_destroyfetch(&devent->fetch);
+
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+
+	isc_event_free(&event);
+	isc_stdtime_get(&now);
+
+	switch (eresult) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+	case DNS_R_NXRRSET:
+		if (nta->expiry > now)
+			nta->expiry = now;
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * If we're expiring before the next recheck, we might
+	 * as well stop the timer now.
+	 */
+	if (nta->timer != NULL && nta->expiry - now < view->nta_recheck)
+		(void) isc_timer_reset(nta->timer, isc_timertype_inactive,
+				       NULL, NULL, true);
+	nta_detach(view->mctx, &nta);
+}
+
+static void
+checkbogus(isc_task_t *task, isc_event_t *event) {
+	dns_nta_t *nta = event->ev_arg;
+	dns_ntatable_t *ntatable = nta->ntatable;
+	dns_view_t *view = ntatable->view;
+	isc_result_t result;
+
+	if (nta->fetch != NULL) {
+		dns_resolver_cancelfetch(nta->fetch);
+		nta->fetch = NULL;
+	}
+	if (dns_rdataset_isassociated(&nta->rdataset))
+		dns_rdataset_disassociate(&nta->rdataset);
+	if (dns_rdataset_isassociated(&nta->sigrdataset))
+		dns_rdataset_disassociate(&nta->sigrdataset);
+
+	isc_event_free(&event);
+
+	nta_ref(nta);
+	result = dns_resolver_createfetch(view->resolver, nta->name,
+					  dns_rdatatype_nsec,
+					  NULL, NULL, NULL,
+					  DNS_FETCHOPT_NONTA,
+					  task, fetch_done, nta,
+					  &nta->rdataset,
+					  &nta->sigrdataset,
+					  &nta->fetch);
+	if (result != ISC_R_SUCCESS)
+		nta_detach(view->mctx, &nta);
+}
+
+static isc_result_t
+settimer(dns_ntatable_t *ntatable, dns_nta_t *nta, uint32_t lifetime) {
+	isc_result_t result;
+	isc_interval_t interval;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(VALID_NTA(nta));
+
+	if (ntatable->timermgr == NULL)
+		return (ISC_R_SUCCESS);
+
+	view = ntatable->view;
+	if (view->nta_recheck == 0 || lifetime <= view->nta_recheck)
+		return (ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, view->nta_recheck, 0);
+	result = isc_timer_create(ntatable->timermgr, isc_timertype_ticker,
+				  NULL, &interval, ntatable->task,
+				  checkbogus, nta, &nta->timer);
+	return (result);
+}
+
+static isc_result_t
+nta_create(dns_ntatable_t *ntatable, dns_name_t *name, dns_nta_t **target) {
+	isc_result_t result;
+	dns_nta_t *nta = NULL;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(target != NULL && *target == NULL);
+
+	view = ntatable->view;
+
+	nta = isc_mem_get(view->mctx, sizeof(dns_nta_t));
+	if (nta == NULL)
+		return (ISC_R_NOMEMORY);
+
+	nta->ntatable = ntatable;
+	nta->expiry = 0;
+	nta->timer = NULL;
+	nta->fetch = NULL;
+	dns_rdataset_init(&nta->rdataset);
+	dns_rdataset_init(&nta->sigrdataset);
+
+	result = isc_refcount_init(&nta->refcount, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(view->mctx, nta, sizeof(dns_nta_t));
+		return (result);
+	}
+
+	nta->name = dns_fixedname_initname(&nta->fn);
+	dns_name_copy(name, nta->name, NULL);
+
+	nta->magic = NTA_MAGIC;
+
+	*target = nta;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ntatable_add(dns_ntatable_t *ntatable, dns_name_t *name,
+		 bool force, isc_stdtime_t now,
+		 uint32_t lifetime)
+{
+	isc_result_t result;
+	dns_nta_t *nta = NULL;
+	dns_rbtnode_t *node;
+	dns_view_t *view;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	view = ntatable->view;
+
+	result = nta_create(ntatable, name, &nta);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	nta->expiry = now + lifetime;
+	nta->forced = force;
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	node = NULL;
+	result = dns_rbt_addnode(ntatable->table, name, &node);
+	if (result == ISC_R_SUCCESS) {
+		if (!force)
+			(void)settimer(ntatable, nta, lifetime);
+		node->data = nta;
+		nta = NULL;
+	} else if (result == ISC_R_EXISTS) {
+		dns_nta_t *n = node->data;
+		if (n == NULL) {
+			if (!force)
+				(void)settimer(ntatable, nta, lifetime);
+			node->data = nta;
+			nta = NULL;
+		} else {
+			n->expiry = nta->expiry;
+			nta_detach(view->mctx, &nta);
+		}
+		result = ISC_R_SUCCESS;
+	}
+
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	if (nta != NULL)
+		nta_detach(view->mctx, &nta);
+
+	return (result);
+}
+
+/*
+ * Caller must hold a write lock on rwlock.
+ */
+static isc_result_t
+deletenode(dns_ntatable_t *ntatable, const dns_name_t *name) {
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+	REQUIRE(name != NULL);
+
+	result = dns_rbt_findnode(ntatable->table, name, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (node->data != NULL)
+			result = dns_rbt_deletenode(ntatable->table,
+						    node, false);
+		else
+			result = ISC_R_NOTFOUND;
+	} else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+isc_result_t
+dns_ntatable_delete(dns_ntatable_t *ntatable, dns_name_t *name) {
+	isc_result_t result;
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+	result = deletenode(ntatable, name);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+bool
+dns_ntatable_covered(dns_ntatable_t *ntatable, isc_stdtime_t now,
+		     dns_name_t *name, dns_name_t *anchor)
+{
+	isc_result_t result;
+	dns_fixedname_t fn;
+	dns_rbtnode_t *node;
+	dns_name_t *foundname;
+	dns_nta_t *nta = NULL;
+	bool answer = false;
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+	REQUIRE(ntatable == NULL || VALID_NTATABLE(ntatable));
+	REQUIRE(dns_name_isabsolute(name));
+
+	if (ntatable == NULL)
+		return (false);
+
+	foundname = dns_fixedname_initname(&fn);
+
+ relock:
+	RWLOCK(&ntatable->rwlock, locktype);
+ again:
+	node = NULL;
+	result = dns_rbt_findnode(ntatable->table, name, foundname, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+	if (result == DNS_R_PARTIALMATCH) {
+		if (dns_name_issubdomain(foundname, anchor))
+			result = ISC_R_SUCCESS;
+	}
+	if (result == ISC_R_SUCCESS) {
+		nta = (dns_nta_t *) node->data;
+		answer = (nta->expiry > now);
+	}
+
+	/* Deal with expired NTA */
+	if (result == ISC_R_SUCCESS && !answer) {
+		char nb[DNS_NAME_FORMATSIZE];
+
+		if (locktype == isc_rwlocktype_read) {
+			RWUNLOCK(&ntatable->rwlock, locktype);
+			locktype = isc_rwlocktype_write;
+			goto relock;
+		}
+
+		dns_name_format(foundname, nb, sizeof(nb));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+			      "deleting expired NTA at %s", nb);
+
+		if (nta->timer != NULL) {
+			(void) isc_timer_reset(nta->timer,
+					       isc_timertype_inactive,
+					       NULL, NULL, true);
+			isc_timer_detach(&nta->timer);
+		}
+
+		result = deletenode(ntatable, foundname);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+				      "deleting NTA failed: %s",
+				      isc_result_totext(result));
+		}
+		goto again;
+	}
+	RWUNLOCK(&ntatable->rwlock, locktype);
+
+	return (answer);
+}
+
+static isc_result_t
+putstr(isc_buffer_t **b, const char *str) {
+	isc_result_t result;
+
+	result = isc_buffer_reserve(b, strlen(str));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_buffer_putstr(*b, str);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ntatable_totext(dns_ntatable_t *ntatable, isc_buffer_t **buf) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	bool first = true;
+	isc_stdtime_t now;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	isc_stdtime_get(&now);
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *n = (dns_nta_t *) node->data;
+			char nbuf[DNS_NAME_FORMATSIZE];
+			char tbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+			char obuf[DNS_NAME_FORMATSIZE +
+				  ISC_FORMATHTTPTIMESTAMP_SIZE +
+				  sizeof("expired:  \n")];
+			dns_fixedname_t fn;
+			dns_name_t *name;
+			isc_time_t t;
+
+			name = dns_fixedname_initname(&fn);
+			dns_rbt_fullnamefromnode(node, name);
+			dns_name_format(name, nbuf, sizeof(nbuf));
+			isc_time_set(&t, n->expiry, 0);
+			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
+
+			snprintf(obuf, sizeof(obuf), "%s%s: %s %s",
+				 first ? "" : "\n", nbuf,
+				 n->expiry <= now ? "expired" : "expiry",
+				 tbuf);
+			first = false;
+			result = putstr(buf, obuf);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+#if 0
+isc_result_t
+dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_stdtime_t now;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	isc_stdtime_get(&now);
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		goto cleanup;
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *n = (dns_nta_t *) node->data;
+			char nbuf[DNS_NAME_FORMATSIZE], tbuf[80];
+			dns_fixedname_t fn;
+			dns_name_t *name;
+			isc_time_t t;
+
+			name = dns_fixedname_initname(&fn);
+			dns_rbt_fullnamefromnode(node, name);
+			dns_name_format(name, nbuf, sizeof(nbuf));
+			isc_time_set(&t, n->expiry, 0);
+			isc_time_formattimestamp(&t, tbuf, sizeof(tbuf));
+			fprintf(fp, "%s: %s %s\n", nbuf,
+				n->expiry <= now ? "expired" : "expiry",
+				tbuf);
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+#endif
+
+isc_result_t
+dns_ntatable_dump(dns_ntatable_t *ntatable, FILE *fp) {
+	isc_result_t result;
+	isc_buffer_t *text = NULL;
+	int len = 4096;
+
+	result = isc_buffer_allocate(ntatable->view->mctx, &text, len);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_ntatable_totext(ntatable, &text);
+
+	if (isc_buffer_usedlength(text) != 0) {
+		(void) putstr(&text, "\n");
+	} else if (result == ISC_R_SUCCESS) {
+		(void) putstr(&text, "none");
+	} else {
+		(void) putstr(&text, "could not dump NTA table: ");
+		(void) putstr(&text, isc_result_totext(result));
+	}
+
+	fprintf(fp, "%.*s", (int) isc_buffer_usedlength(text),
+		(char *) isc_buffer_base(text));
+	isc_buffer_free(&text);
+	return (result);
+}
+
+isc_result_t
+dns_ntatable_save(dns_ntatable_t *ntatable, FILE *fp) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_stdtime_t now;
+	bool written = false;
+
+	REQUIRE(VALID_NTATABLE(ntatable));
+
+	isc_stdtime_get(&now);
+
+	RWLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+	dns_rbtnodechain_init(&chain, ntatable->view->mctx);
+	result = dns_rbtnodechain_first(&chain, ntatable->table, NULL, NULL);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+		goto cleanup;
+
+	for (;;) {
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+		if (node->data != NULL) {
+			dns_nta_t *n = (dns_nta_t *) node->data;
+			if (n->expiry > now) {
+				isc_buffer_t b;
+				char nbuf[DNS_NAME_FORMATSIZE + 1], tbuf[80];
+				dns_fixedname_t fn;
+				dns_name_t *name;
+
+				name = dns_fixedname_initname(&fn);
+				dns_rbt_fullnamefromnode(node, name);
+
+				isc_buffer_init(&b, nbuf, sizeof(nbuf));
+				result = dns_name_totext(name, false, &b);
+				if (result != ISC_R_SUCCESS)
+					goto skip;
+
+				/* Zero terminate. */
+				isc_buffer_putuint8(&b, 0);
+
+				isc_buffer_init(&b, tbuf, sizeof(tbuf));
+				dns_time32_totext(n->expiry, &b);
+
+				/* Zero terminate. */
+				isc_buffer_putuint8(&b, 0);
+
+				fprintf(fp, "%s %s %s\n", nbuf,
+					n->forced ? "forced" : "regular",
+					tbuf);
+				written = true;
+			}
+		}
+	skip:
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			break;
+		}
+	}
+
+   cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_read);
+
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	else
+		return (written ? ISC_R_SUCCESS : ISC_R_NOTFOUND);
+}
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
new file mode 100644
index 0000000..a30a2ab
--- /dev/null
+++ b/lib/dns/openssl_link.c
@@ -0,0 +1,464 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/mutexblock.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif
+
+static RAND_METHOD *rm = NULL;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+static isc_mutex_t *locks = NULL;
+static int nlocks;
+#endif
+
+#if !defined(OPENSSL_NO_ENGINE)
+static ENGINE *e = NULL;
+#endif
+
+static int
+entropy_get(unsigned char *buf, int num) {
+	isc_result_t result;
+	if (num < 0)
+		return (-1);
+	result = dst__entropy_getdata(buf, (unsigned int) num, false);
+	return (result == ISC_R_SUCCESS ? 1 : -1);
+}
+
+static int
+entropy_status(void) {
+	return (dst__entropy_status() > 32);
+}
+
+static int
+entropy_getpseudo(unsigned char *buf, int num) {
+	isc_result_t result;
+	if (num < 0)
+		return (-1);
+	result = dst__entropy_getdata(buf, (unsigned int) num, true);
+	return (result == ISC_R_SUCCESS ? 1 : -1);
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+static void
+entropy_add(const void *buf, int num, double entropy) {
+	/*
+	 * Do nothing.  The only call to this provides no useful data anyway.
+	 */
+	UNUSED(buf);
+	UNUSED(num);
+	UNUSED(entropy);
+}
+#else
+static int
+entropy_add(const void *buf, int num, double entropy) {
+	/*
+	 * Do nothing.  The only call to this provides no useful data anyway.
+	 */
+	UNUSED(buf);
+	UNUSED(num);
+	UNUSED(entropy);
+	return (1);
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+static void
+lock_callback(int mode, int type, const char *file, int line) {
+	UNUSED(file);
+	UNUSED(line);
+	if ((mode & CRYPTO_LOCK) != 0)
+		LOCK(&locks[type]);
+	else
+		UNLOCK(&locks[type]);
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+static unsigned long
+id_callback(void) {
+	return ((unsigned long)isc_thread_self());
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+
+#define FLARG
+#define FILELINE
+#if ISC_MEM_TRACKLINES
+#define FLARG_PASS      , __FILE__, __LINE__
+#else
+#define FLARG_PASS
+#endif
+
+#else
+
+#define FLARG           , const char *file, int line
+#define FILELINE	, __FILE__, __LINE__
+#if ISC_MEM_TRACKLINES
+#define FLARG_PASS      , file, line
+#else
+#define FLARG_PASS
+#endif
+
+#endif
+
+static void *
+mem_alloc(size_t size FLARG) {
+#ifdef OPENSSL_LEAKS
+	void *ptr;
+
+	INSIST(dst__memory_pool != NULL);
+	ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS);
+	return (ptr);
+#else
+	INSIST(dst__memory_pool != NULL);
+	return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS));
+#endif
+}
+
+static void
+mem_free(void *ptr FLARG) {
+	INSIST(dst__memory_pool != NULL);
+	if (ptr != NULL)
+		isc__mem_free(dst__memory_pool, ptr FLARG_PASS);
+}
+
+static void *
+mem_realloc(void *ptr, size_t size FLARG) {
+#ifdef OPENSSL_LEAKS
+	void *rptr;
+
+	INSIST(dst__memory_pool != NULL);
+	rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS);
+	return (rptr);
+#else
+	INSIST(dst__memory_pool != NULL);
+	return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS));
+#endif
+}
+
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+static void
+_set_thread_id(CRYPTO_THREADID *id)
+{
+	CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
+}
+#endif
+
+isc_result_t
+dst__openssl_init(const char *engine) {
+	isc_result_t result;
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE *re;
+#else
+	UNUSED(engine);
+#endif
+
+#ifdef  DNS_CRYPTO_LEAKS
+	CRYPTO_malloc_debug_init();
+	CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+#endif
+	CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	nlocks = CRYPTO_num_locks();
+	locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE);
+	if (locks == NULL)
+		return (ISC_R_NOMEMORY);
+	result = isc_mutexblock_init(locks, nlocks);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutexalloc;
+	CRYPTO_set_locking_callback(lock_callback);
+# if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+	CRYPTO_THREADID_set_callback(_set_thread_id);
+# else
+	CRYPTO_set_id_callback(id_callback);
+# endif
+
+	ERR_load_crypto_strings();
+#endif
+
+	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
+	if (rm == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_mutexinit;
+	}
+	rm->seed = NULL;
+	rm->bytes = entropy_get;
+	rm->cleanup = NULL;
+	rm->add = entropy_add;
+	rm->pseudorand = entropy_getpseudo;
+	rm->status = entropy_status;
+
+#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(CONF_MFLAGS_DEFAULT_SECTION)
+	OPENSSL_config(NULL);
+#else
+	/*
+	 * OPENSSL_config() can only be called a single time as of
+	 * 1.0.2e so do the steps individually.
+	 */
+	OPENSSL_load_builtin_modules();
+	ENGINE_load_builtin_engines();
+	ERR_clear_error();
+	CONF_modules_load_file(NULL, NULL,
+			       CONF_MFLAGS_DEFAULT_SECTION |
+			       CONF_MFLAGS_IGNORE_MISSING_FILE);
+#endif
+
+	if (engine != NULL && *engine == '\0')
+		engine = NULL;
+
+	if (engine != NULL) {
+		e = ENGINE_by_id(engine);
+		if (e == NULL) {
+			result = DST_R_NOENGINE;
+			goto cleanup_rm;
+		}
+		/* This will init the engine. */
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+			result = DST_R_NOENGINE;
+			goto cleanup_rm;
+		}
+	}
+
+	re = ENGINE_get_default_RAND();
+	if (re == NULL) {
+		re = ENGINE_new();
+		if (re == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_rm;
+		}
+		ENGINE_set_RAND(re, rm);
+		ENGINE_set_default_RAND(re);
+		ENGINE_free(re);
+	} else
+		ENGINE_finish(re);
+#else
+	RAND_set_rand_method(rm);
+#endif /* !defined(OPENSSL_NO_ENGINE) */
+	return (ISC_R_SUCCESS);
+
+#if !defined(OPENSSL_NO_ENGINE)
+ cleanup_rm:
+	if (e != NULL)
+		ENGINE_free(e);
+	e = NULL;
+	mem_free(rm FILELINE);
+	rm = NULL;
+#endif
+ cleanup_mutexinit:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	CRYPTO_set_locking_callback(NULL);
+	DESTROYMUTEXBLOCK(locks, nlocks);
+ cleanup_mutexalloc:
+	mem_free(locks FILELINE);
+	locks = NULL;
+#endif
+	return (result);
+}
+
+void
+dst__openssl_destroy(void) {
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+	OPENSSL_cleanup();
+	if (rm != NULL) {
+		mem_free(rm FILELINE);
+		rm = NULL;
+	}
+#else
+	/*
+	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
+	 */
+	if (rm != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		RAND_cleanup();
+#endif
+		mem_free(rm FILELINE);
+		rm = NULL;
+	}
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CONF_modules_free();
+#endif
+	OBJ_cleanup();
+	EVP_cleanup();
+#if !defined(OPENSSL_NO_ENGINE)
+	if (e != NULL)
+		ENGINE_free(e);
+	e = NULL;
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
+	ENGINE_cleanup();
+#endif
+#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CRYPTO_cleanup_all_ex_data();
+#endif
+	ERR_clear_error();
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+	ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+	ERR_remove_state(0);
+#endif
+	ERR_free_strings();
+
+#ifdef  DNS_CRYPTO_LEAKS
+	CRYPTO_mem_leaks_fp(stderr);
+#endif
+
+	if (locks != NULL) {
+		CRYPTO_set_locking_callback(NULL);
+		DESTROYMUTEXBLOCK(locks, nlocks);
+		mem_free(locks FILELINE);
+		locks = NULL;
+	}
+#endif
+}
+
+static isc_result_t
+toresult(isc_result_t fallback) {
+	isc_result_t result = fallback;
+	unsigned long err = ERR_peek_error();
+#if defined(HAVE_OPENSSL_ECDSA) && \
+    defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+	int lib = ERR_GET_LIB(err);
+#endif
+	int reason = ERR_GET_REASON(err);
+
+	switch (reason) {
+	/*
+	 * ERR_* errors are globally unique; others
+	 * are unique per sublibrary
+	 */
+	case ERR_R_MALLOC_FAILURE:
+		result = ISC_R_NOMEMORY;
+		break;
+	default:
+#if defined(HAVE_OPENSSL_ECDSA) && \
+    defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
+		if (lib == ERR_R_ECDSA_LIB &&
+		    reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
+			result = ISC_R_NOENTROPY;
+			break;
+		}
+#endif
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback) {
+	isc_result_t result;
+
+	result = toresult(fallback);
+
+	ERR_clear_error();
+	return (result);
+}
+
+isc_result_t
+dst__openssl_toresult2(const char *funcname, isc_result_t fallback) {
+	return (dst__openssl_toresult3(DNS_LOGCATEGORY_GENERAL,
+				       funcname, fallback));
+}
+
+isc_result_t
+dst__openssl_toresult3(isc_logcategory_t *category,
+		       const char *funcname, isc_result_t fallback) {
+	isc_result_t result;
+	unsigned long err;
+	const char *file, *data;
+	int line, flags;
+	char buf[256];
+
+	result = toresult(fallback);
+
+	isc_log_write(dns_lctx, category,
+		      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+		      "%s failed (%s)", funcname,
+		      isc_result_totext(result));
+
+	if (result == ISC_R_NOMEMORY)
+		goto done;
+
+	for (;;) {
+		err = ERR_get_error_line_data(&file, &line, &data, &flags);
+		if (err == 0U)
+			goto done;
+		ERR_error_string_n(err, buf, sizeof(buf));
+		isc_log_write(dns_lctx, category,
+			      DNS_LOGMODULE_CRYPTO, ISC_LOG_INFO,
+			      "%s:%s:%d:%s", buf, file, line,
+			      (flags & ERR_TXT_STRING) ? data : "");
+	}
+
+    done:
+	ERR_clear_error();
+	return (result);
+}
+
+#if !defined(OPENSSL_NO_ENGINE)
+ENGINE *
+dst__openssl_getengine(const char *engine) {
+
+	if (engine == NULL)
+		return (NULL);
+	if (e == NULL)
+		return (NULL);
+	if (strcmp(engine, ENGINE_get_id(e)) == 0)
+		return (e);
+	return (NULL);
+}
+#endif
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
+/*! \file */
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
new file mode 100644
index 0000000..e8a3f7e
--- /dev/null
+++ b/lib/dns/openssldh_link.c
@@ -0,0 +1,793 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <openssl/opensslv.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#define PRIME2 "02"
+
+#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
+	"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
+	"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
+
+#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
+	"8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
+	"5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
+	"B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+
+#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+
+
+static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
+
+#if !defined(HAVE_DH_GET0_KEY)
+/*
+ * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
+ * are from OpenSSL 1.1.0.
+ */
+static void
+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
+	if (pub_key != NULL) {
+		*pub_key = dh->pub_key;
+	}
+	if (priv_key != NULL) {
+		*priv_key = dh->priv_key;
+	}
+}
+
+static int
+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
+	if (pub_key != NULL) {
+		BN_free(dh->pub_key);
+		dh->pub_key = pub_key;
+	}
+
+	if (priv_key != NULL) {
+		BN_free(dh->priv_key);
+		dh->priv_key = priv_key;
+	}
+
+	return (1);
+}
+
+static void
+DH_get0_pqg(const DH *dh,
+	    const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+	if (p != NULL) {
+		*p = dh->p;
+	}
+	if (q != NULL) {
+		*q = dh->q;
+	}
+	if (g != NULL) {
+		*g = dh->g;
+	}
+}
+
+static int
+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	/* If the fields p and g in d are NULL, the corresponding input
+	 * parameters MUST be non-NULL.  q may remain NULL.
+	 */
+	if ((dh->p == NULL && p == NULL)
+	    || (dh->g == NULL && g == NULL))
+	{
+		return 0;
+	}
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
+	}
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	if (q != NULL) {
+		dh->length = BN_num_bits(q);
+	}
+
+	return (1);
+}
+
+#define DH_clear_flags(d, f) (d)->flags &= ~(f)
+
+#endif
+
+static isc_result_t
+openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+			isc_buffer_t *secret)
+{
+	DH *dhpub, *dhpriv;
+	const BIGNUM *pub_key = NULL;
+	int ret;
+	isc_region_t r;
+	unsigned int len;
+
+	REQUIRE(pub->keydata.dh != NULL);
+	REQUIRE(priv->keydata.dh != NULL);
+
+	dhpub = pub->keydata.dh;
+	dhpriv = priv->keydata.dh;
+
+	len = DH_size(dhpriv);
+	isc_buffer_availableregion(secret, &r);
+	if (r.length < len)
+		return (ISC_R_NOSPACE);
+
+	DH_get0_key(dhpub, &pub_key, NULL);
+	ret = DH_compute_key(r.base, pub_key, dhpriv);
+	if (ret <= 0)
+		return (dst__openssl_toresult2("DH_compute_key",
+					       DST_R_COMPUTESECRETFAILURE));
+	isc_buffer_add(secret, len);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	DH *dh1, *dh2;
+	const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
+	const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
+	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
+
+	if (dh1 == NULL && dh2 == NULL)
+		return (true);
+	else if (dh1 == NULL || dh2 == NULL)
+		return (false);
+
+	DH_get0_key(dh1, &pub_key1, &priv_key1);
+	DH_get0_key(dh2, &pub_key2, &priv_key2);
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+
+	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
+	    BN_cmp(pub_key1, pub_key2) != 0)
+		return (false);
+
+	if (priv_key1 != NULL || priv_key2 != NULL) {
+		if (priv_key1 == NULL || priv_key2 == NULL)
+			return (false);
+		if (BN_cmp(priv_key1, priv_key2) != 0)
+			return (false);
+	}
+	return (true);
+}
+
+static bool
+openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+	DH *dh1, *dh2;
+	const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
+
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
+
+	if (dh1 == NULL && dh2 == NULL)
+		return (true);
+	else if (dh1 == NULL || dh2 == NULL)
+		return (false);
+
+	DH_get0_pqg(dh1, &p1, NULL, &g1);
+	DH_get0_pqg(dh2, &p2, NULL, &g2);
+
+	if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0)
+		return (false);
+	return (true);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb) {
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	UNUSED(n);
+
+	u.dptr = BN_GENCB_get_arg(cb);
+	if (u.fptr != NULL)
+		u.fptr(p);
+	return (1);
+}
+#endif
+
+static isc_result_t
+openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+	DH *dh = NULL;
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	BN_GENCB *cb;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	BN_GENCB _cb;
+#endif
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+#else
+
+	UNUSED(callback);
+#endif
+
+	if (generator == 0) {
+		if (key->key_size == 768 ||
+		    key->key_size == 1024 ||
+		    key->key_size == 1536)
+		{
+			BIGNUM *p, *g;
+			dh = DH_new();
+			if (key->key_size == 768)
+				p = BN_dup(bn768);
+			else if (key->key_size == 1024)
+				p = BN_dup(bn1024);
+			else
+				p = BN_dup(bn1536);
+			g = BN_dup(bn2);
+			if (dh == NULL || p == NULL || g == NULL) {
+				if (dh != NULL)
+					DH_free(dh);
+				if (p != NULL)
+					BN_free(p);
+				if (g != NULL)
+					BN_free(g);
+				return (dst__openssl_toresult(ISC_R_NOMEMORY));
+			}
+			DH_set0_pqg(dh, p, NULL, g);
+		} else
+			generator = 2;
+	}
+
+	if (generator != 0) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+		dh = DH_new();
+		if (dh == NULL)
+			return (dst__openssl_toresult(ISC_R_NOMEMORY));
+		cb = BN_GENCB_new();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+		if (cb == NULL) {
+			DH_free(dh);
+			return (dst__openssl_toresult(ISC_R_NOMEMORY));
+		}
+#endif
+		if (callback == NULL) {
+			BN_GENCB_set_old(cb, NULL, NULL);
+		} else {
+			u.fptr = callback;
+			BN_GENCB_set(cb, &progress_cb, u.dptr);
+		}
+
+		if (!DH_generate_parameters_ex(dh, key->key_size, generator,
+					       cb)) {
+			DH_free(dh);
+			BN_GENCB_free(cb);
+			return (dst__openssl_toresult2(
+					"DH_generate_parameters_ex",
+					DST_R_OPENSSLFAILURE));
+		}
+		BN_GENCB_free(cb);
+		cb = NULL;
+#else
+		dh = DH_generate_parameters(key->key_size, generator,
+					    NULL, NULL);
+		if (dh == NULL)
+			return (dst__openssl_toresult2(
+					"DH_generate_parameters",
+					DST_R_OPENSSLFAILURE));
+#endif
+	}
+
+	if (DH_generate_key(dh) == 0) {
+		DH_free(dh);
+		return (dst__openssl_toresult2("DH_generate_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+	key->keydata.dh = dh;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+openssldh_isprivate(const dst_key_t *key) {
+	DH *dh = key->keydata.dh;
+	const BIGNUM *priv_key = NULL;
+
+	DH_get0_key(dh, NULL, &priv_key);
+	return (dh != NULL && priv_key != NULL);
+}
+
+static void
+openssldh_destroy(dst_key_t *key) {
+	DH *dh = key->keydata.dh;
+
+	if (dh == NULL)
+		return;
+
+	DH_free(dh);
+	key->keydata.dh = NULL;
+}
+
+static void
+uint16_toregion(uint16_t val, isc_region_t *region) {
+	*region->base = (val & 0xff00) >> 8;
+	isc_region_consume(region, 1);
+	*region->base = (val & 0x00ff);
+	isc_region_consume(region, 1);
+}
+
+static uint16_t
+uint16_fromregion(isc_region_t *region) {
+	uint16_t val;
+	unsigned char *cp = region->base;
+
+	val = ((unsigned int)(cp[0])) << 8;
+	val |= ((unsigned int)(cp[1]));
+
+	isc_region_consume(region, 2);
+
+	return (val);
+}
+
+static isc_result_t
+openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+	DH *dh;
+	const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+	isc_region_t r;
+	uint16_t dnslen, plen, glen, publen;
+
+	REQUIRE(key->keydata.dh != NULL);
+
+	dh = key->keydata.dh;
+
+	isc_buffer_availableregion(data, &r);
+
+	DH_get0_pqg(dh, &p, NULL, &g);
+	if (BN_cmp(g, bn2) == 0 &&
+	    (BN_cmp(p, bn768) == 0 ||
+	     BN_cmp(p, bn1024) == 0 ||
+	     BN_cmp(p, bn1536) == 0)) {
+		plen = 1;
+		glen = 0;
+	}
+	else {
+		plen = BN_num_bytes(p);
+		glen = BN_num_bytes(g);
+	}
+	DH_get0_key(dh, &pub_key, NULL);
+	publen = BN_num_bytes(pub_key);
+	dnslen = plen + glen + publen + 6;
+	if (r.length < (unsigned int) dnslen)
+		return (ISC_R_NOSPACE);
+
+	uint16_toregion(plen, &r);
+	if (plen == 1) {
+		if (BN_cmp(p, bn768) == 0)
+			*r.base = 1;
+		else if (BN_cmp(p, bn1024) == 0)
+			*r.base = 2;
+		else
+			*r.base = 3;
+	} else
+		BN_bn2bin(p, r.base);
+	isc_region_consume(&r, plen);
+
+	uint16_toregion(glen, &r);
+	if (glen > 0)
+		BN_bn2bin(g, r.base);
+	isc_region_consume(&r, glen);
+
+	uint16_toregion(publen, &r);
+	BN_bn2bin(pub_key, r.base);
+	isc_region_consume(&r, publen);
+
+	isc_buffer_add(data, dnslen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	DH *dh;
+	BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
+	isc_region_t r;
+	uint16_t plen, glen, publen;
+	int special = 0;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	dh = DH_new();
+	if (dh == NULL)
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+
+	/*
+	 * Read the prime length.  1 & 2 are table entries, > 16 means a
+	 * prime follows, otherwise an error.
+	 */
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	plen = uint16_fromregion(&r);
+	if (plen < 16 && plen != 1 && plen != 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (r.length < plen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (plen == 1 || plen == 2) {
+		if (plen == 1) {
+			special = *r.base;
+			isc_region_consume(&r, 1);
+		} else {
+			special = uint16_fromregion(&r);
+		}
+		switch (special) {
+			case 1:
+				p = BN_dup(bn768);
+				break;
+			case 2:
+				p = BN_dup(bn1024);
+				break;
+			case 3:
+				p = BN_dup(bn1536);
+				break;
+			default:
+				DH_free(dh);
+				return (DST_R_INVALIDPUBLICKEY);
+		}
+	} else {
+		p = BN_bin2bn(r.base, plen, NULL);
+		isc_region_consume(&r, plen);
+	}
+
+	/*
+	 * Read the generator length.  This should be 0 if the prime was
+	 * special, but it might not be.  If it's 0 and the prime is not
+	 * special, we have a problem.
+	 */
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	glen = uint16_fromregion(&r);
+	if (r.length < glen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	if (special != 0) {
+		if (glen == 0)
+			g = BN_dup(bn2);
+		else {
+			g = BN_bin2bn(r.base, glen, NULL);
+			if (g != NULL && BN_cmp(g, bn2) != 0) {
+				DH_free(dh);
+				BN_free(g);
+				return (DST_R_INVALIDPUBLICKEY);
+			}
+		}
+	} else {
+		if (glen == 0) {
+			DH_free(dh);
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		g = BN_bin2bn(r.base, glen, NULL);
+	}
+	isc_region_consume(&r, glen);
+
+	if (p == NULL || g == NULL) {
+		DH_free(dh);
+		if (p != NULL)
+			BN_free(p);
+		if (g != NULL)
+			BN_free(g);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+	DH_set0_pqg(dh, p, NULL, g);
+
+	if (r.length < 2) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	publen = uint16_fromregion(&r);
+	if (r.length < publen) {
+		DH_free(dh);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	pub_key = BN_bin2bn(r.base, publen, NULL);
+	if (pub_key == NULL) {
+		DH_free(dh);
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	}
+#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && (LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
+	/*
+	 * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when
+	 * DH structure is empty, hence we cannot use DH_get0_key().
+	 */
+	dh->pub_key = pub_key;
+#else /* LIBRESSL_VERSION_NUMBER */
+	DH_set0_key(dh, pub_key, NULL);
+#endif /* LIBRESSL_VERSION_NUMBER */
+	isc_region_consume(&r, publen);
+
+	key->key_size = BN_num_bits(p);
+
+	isc_buffer_forward(data, plen + glen + publen + 6);
+
+	key->keydata.dh = dh;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	DH *dh;
+	const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+	dst_private_t priv;
+	unsigned char *bufs[4];
+	isc_result_t result;
+
+	if (key->keydata.dh == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	dh = key->keydata.dh;
+	DH_get0_key(dh, &pub_key, &priv_key);
+	DH_get0_pqg(dh, &p, NULL, &g);
+
+	memset(bufs, 0, sizeof(bufs));
+	for (i = 0; i < 4; i++) {
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(p));
+		if (bufs[i] == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_DH_PRIME;
+	priv.elements[i].length = BN_num_bytes(p);
+	BN_bn2bin(p, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_GENERATOR;
+	priv.elements[i].length = BN_num_bytes(g);
+	BN_bn2bin(g, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PRIVATE;
+	priv.elements[i].length = BN_num_bytes(priv_key);
+	BN_bn2bin(priv_key, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PUBLIC;
+	priv.elements[i].length = BN_num_bytes(pub_key);
+	BN_bn2bin(pub_key, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+	for (i = 0; i < 4; i++) {
+		if (bufs[i] == NULL)
+			break;
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(p));
+	}
+	return (result);
+}
+
+static isc_result_t
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	DH *dh = NULL;
+	BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
+	isc_mem_t *mctx;
+#define DST_RET(a) {ret = a; goto err;}
+
+	UNUSED(pub);
+	mctx = key->mctx;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external)
+		DST_RET(DST_R_EXTERNALKEY);
+
+	dh = DH_new();
+	if (dh == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
+	key->keydata.dh = dh;
+
+	for (i = 0; i < priv.nelements; i++) {
+		BIGNUM *bn;
+		bn = BN_bin2bn(priv.elements[i].data,
+			       priv.elements[i].length, NULL);
+		if (bn == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+
+		switch (priv.elements[i].tag) {
+			case TAG_DH_PRIME:
+				p = bn;
+				break;
+			case TAG_DH_GENERATOR:
+				g = bn;
+				break;
+			case TAG_DH_PRIVATE:
+				priv_key = bn;
+				break;
+			case TAG_DH_PUBLIC:
+				pub_key = bn;
+				break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	DH_set0_key(dh, pub_key, priv_key);
+	DH_set0_pqg(dh, p, NULL, g);
+
+	key->key_size = BN_num_bits(p);
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (p != NULL)
+		BN_free(p);
+	if (g != NULL)
+		BN_free(g);
+	if (pub_key != NULL)
+		BN_free(pub_key);
+	if (priv_key != NULL)
+		BN_free(priv_key);
+	openssldh_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static void
+openssldh_cleanup(void) {
+	BN_free(bn2);
+	BN_free(bn768);
+	BN_free(bn1024);
+	BN_free(bn1536);
+}
+
+static dst_func_t openssldh_functions = {
+	NULL, /*%< createctx */
+	NULL, /*%< createctx2 */
+	NULL, /*%< destroyctx */
+	NULL, /*%< adddata */
+	NULL, /*%< openssldh_sign */
+	NULL, /*%< openssldh_verify */
+	NULL, /*%< openssldh_verify2 */
+	openssldh_computesecret,
+	openssldh_compare,
+	openssldh_paramcompare,
+	openssldh_generate,
+	openssldh_isprivate,
+	openssldh_destroy,
+	openssldh_todns,
+	openssldh_fromdns,
+	openssldh_tofile,
+	openssldh_parse,
+	openssldh_cleanup,
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssldh_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL) {
+		if (BN_hex2bn(&bn2, PRIME2) == 0 || bn2 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn768, PRIME768) == 0 || bn768 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn1024, PRIME1024) == 0 || bn1024 == NULL) {
+			goto cleanup;
+		}
+		if (BN_hex2bn(&bn1536, PRIME1536) == 0 || bn1536 == NULL) {
+			goto cleanup;
+		}
+		*funcp = &openssldh_functions;
+	}
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (bn2 != NULL) BN_free(bn2);
+	if (bn768 != NULL) BN_free(bn768);
+	if (bn1024 != NULL) BN_free(bn1024);
+	if (bn1536 != NULL) BN_free(bn1536);
+	return (ISC_R_NOMEMORY);
+}
+#endif /* !PK11_DH_DISABLE */
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
+/*! \file */
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
new file mode 100644
index 0000000..8abf4bb
--- /dev/null
+++ b/lib/dns/openssldsa_link.c
@@ -0,0 +1,815 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef OPENSSL
+#ifndef USE_EVP
+#define USE_EVP 1
+#endif
+
+#include <config.h>
+
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/dsa.h>
+
+static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
+
+#if !defined(HAVE_DSA_GET0_PQG)
+static void
+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
+	     const BIGNUM **g)
+{
+	if (p != NULL)
+		*p = d->p;
+	if (q != NULL)
+		*q = d->q;
+	if (g != NULL)
+		*g = d->g;
+}
+
+static int
+DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
+	if (p == NULL || q == NULL || g == NULL)
+		return 0;
+	BN_free(d->p);
+	BN_free(d->q);
+	BN_free(d->g);
+	d->p = p;
+	d->q = q;
+	d->g = g;
+
+	return 1;
+}
+
+static void
+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) {
+	if (pub_key != NULL)
+		*pub_key = d->pub_key;
+	if (priv_key != NULL)
+		*priv_key = d->priv_key;
+}
+
+static int
+DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) {
+	/* Note that it is valid for priv_key to be NULL */
+	if (pub_key == NULL)
+		return 0;
+
+	BN_free(d->pub_key);
+	BN_free(d->priv_key);
+	d->pub_key = pub_key;
+	d->priv_key = priv_key;
+
+	return 1;
+}
+
+static void
+DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
+	*pr = sig->r;
+	*ps = sig->s;
+}
+
+static int
+DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+	if (r == NULL || s == NULL)
+		return 0;
+
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+
+	return 1;
+}
+
+
+#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
+
+#endif
+
+static isc_result_t
+openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx;
+
+	UNUSED(key);
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+			return (ISC_R_FAILURE);
+	}
+
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+#else
+	isc_sha1_t *sha1ctx;
+
+	UNUSED(key);
+
+	sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+	if (sha1ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_sha1_init(sha1ctx);
+	dctx->ctxdata.sha1ctx = sha1ctx;
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+static void
+openssldsa_destroyctx(dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+	if (sha1ctx != NULL) {
+		isc_sha1_invalidate(sha1ctx);
+		isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
+		dctx->ctxdata.sha1ctx = NULL;
+	}
+#endif
+}
+
+static isc_result_t
+openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (ISC_R_FAILURE);
+	}
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+	isc_sha1_update(sha1ctx, data->base, data->length);
+#endif
+	return (ISC_R_SUCCESS);
+}
+
+static int
+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
+	int bytes = size - BN_num_bytes(bn);
+	while (bytes-- > 0)
+		*buf++ = 0;
+	BN_bn2bin(bn, buf);
+	return (size);
+}
+
+static isc_result_t
+openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key = dctx->key;
+	DSA *dsa = key->keydata.dsa;
+	isc_region_t region;
+	DSA_SIG *dsasig;
+	const BIGNUM *r = 0, *s = NULL;
+	unsigned int klen;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey;
+	unsigned char *sigbuf;
+	const unsigned char *sb;
+	unsigned int siglen;
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+#endif
+
+	isc_buffer_availableregion(sig, &region);
+	if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+		return (ISC_R_NOSPACE);
+
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_FAILURE);
+	}
+	sigbuf = malloc(EVP_PKEY_size(pkey));
+	if (sigbuf == NULL) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
+		EVP_PKEY_free(pkey);
+		free(sigbuf);
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_SignFinal",
+					       ISC_R_FAILURE));
+	}
+	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
+	EVP_PKEY_free(pkey);
+	/* Convert from Dss-Sig-Value (RFC2459). */
+	dsasig = DSA_SIG_new();
+	if (dsasig == NULL) {
+		free(sigbuf);
+		return (ISC_R_NOMEMORY);
+	}
+	sb = sigbuf;
+	if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
+		free(sigbuf);
+		return (dst__openssl_toresult3(dctx->category,
+					       "d2i_DSA_SIG",
+					       ISC_R_FAILURE));
+	}
+	free(sigbuf);
+
+#elif 0
+	/* Only use EVP for the Digest */
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestFinal_ex",
+					       ISC_R_FAILURE));
+	}
+	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
+	if (dsasig == NULL)
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_sign",
+					       DST_R_SIGNFAILURE));
+#else
+	isc_sha1_final(sha1ctx, digest);
+
+	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
+	if (dsasig == NULL)
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_sign",
+					       DST_R_SIGNFAILURE));
+#endif
+
+	klen = (key->key_size - 512)/64;
+	if (klen > 255)
+		return (ISC_R_FAILURE);
+	*region.base = klen;
+	isc_region_consume(&region, 1);
+
+	DSA_SIG_get0(dsasig, &r, &s);
+	BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH);
+	isc_region_consume(&region, ISC_SHA1_DIGESTLENGTH);
+	BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH);
+	isc_region_consume(&region, ISC_SHA1_DIGESTLENGTH);
+	DSA_SIG_free(dsasig);
+	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	dst_key_t *key = dctx->key;
+	DSA *dsa = key->keydata.dsa;
+	BIGNUM *r = NULL, *s = NULL;
+	int status = 0;
+	unsigned char *cp = sig->base;
+	DSA_SIG *dsasig;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#if 0
+	EVP_PKEY *pkey;
+	unsigned char *sigbuf;
+#endif
+	unsigned int siglen;
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+#endif
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+
+
+#if USE_EVP
+#if 1
+	/* Only use EVP for the digest */
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+		return (ISC_R_FAILURE);
+	}
+#endif
+#else
+	isc_sha1_final(sha1ctx, digest);
+#endif
+
+	if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
+		return (DST_R_VERIFYFAILURE);
+	}
+
+	cp++;	/*%< Skip T */
+	dsasig = DSA_SIG_new();
+	if (dsasig == NULL)
+		return (ISC_R_NOMEMORY);
+	r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+	cp += ISC_SHA1_DIGESTLENGTH;
+	s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+	DSA_SIG_set0(dsasig, r, s);
+
+#if 0
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_FAILURE);
+	}
+	/* Convert to Dss-Sig-Value (RFC2459). */
+	sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
+	if (sigbuf == NULL) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_NOMEMORY);
+	}
+	siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
+	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
+	status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
+	EVP_PKEY_free(pkey);
+	free(sigbuf);
+#else
+	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
+#endif
+	DSA_SIG_free(dsasig);
+	switch (status) {
+	case 1:
+		return (ISC_R_SUCCESS);
+	case 0:
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	default:
+		return (dst__openssl_toresult3(dctx->category,
+					       "DSA_do_verify",
+					       DST_R_VERIFYFAILURE));
+	}
+}
+
+static bool
+openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	DSA *dsa1, *dsa2;
+	const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL;
+	const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL;
+	const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL;
+	const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL;
+
+	dsa1 = key1->keydata.dsa;
+	dsa2 = key2->keydata.dsa;
+
+	if (dsa1 == NULL && dsa2 == NULL)
+		return (true);
+	else if (dsa1 == NULL || dsa2 == NULL)
+		return (false);
+
+	DSA_get0_key(dsa1, &pub_key1, &priv_key1);
+	DSA_get0_key(dsa2, &pub_key2, &priv_key2);
+	DSA_get0_pqg(dsa1, &p1, &q1, &g1);
+	DSA_get0_pqg(dsa2, &p2, &q2, &g2);
+
+	if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 ||
+	    BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0)
+		return (false);
+
+	if (priv_key1 != NULL || priv_key2 != NULL) {
+		if (priv_key1 == NULL || priv_key2 == NULL)
+			return (false);
+		if (BN_cmp(priv_key1, priv_key2))
+			return (false);
+	}
+	return (true);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb) {
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	UNUSED(n);
+
+	u.dptr = BN_GENCB_get_arg(cb);
+	if (u.fptr != NULL)
+		u.fptr(p);
+	return (1);
+}
+#endif
+
+static isc_result_t
+openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	DSA *dsa;
+	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
+	isc_result_t result;
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	BN_GENCB *cb;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	BN_GENCB _cb;
+#endif
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+#else
+
+	UNUSED(callback);
+#endif
+	UNUSED(unused);
+
+	result = dst__entropy_getdata(rand_array, sizeof(rand_array),
+				      false);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	dsa = DSA_new();
+	if (dsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	cb = BN_GENCB_new();
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+	if (cb == NULL) {
+		DSA_free(dsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+#endif
+	if (callback == NULL) {
+		BN_GENCB_set_old(cb, NULL, NULL);
+	} else {
+		u.fptr = callback;
+		BN_GENCB_set(cb, &progress_cb, u.dptr);
+	}
+
+	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
+					ISC_SHA1_DIGESTLENGTH,  NULL, NULL,
+					cb))
+	{
+		DSA_free(dsa);
+		BN_GENCB_free(cb);
+		return (dst__openssl_toresult2("DSA_generate_parameters_ex",
+					       DST_R_OPENSSLFAILURE));
+	}
+	BN_GENCB_free(cb);
+	cb = NULL;
+#else
+	dsa = DSA_generate_parameters(key->key_size, rand_array,
+				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
+				      NULL, NULL);
+	if (dsa == NULL)
+		return (dst__openssl_toresult2("DSA_generate_parameters",
+					       DST_R_OPENSSLFAILURE));
+#endif
+
+	if (DSA_generate_key(dsa) == 0) {
+		DSA_free(dsa);
+		return (dst__openssl_toresult2("DSA_generate_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
+
+	key->keydata.dsa = dsa;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+openssldsa_isprivate(const dst_key_t *key) {
+	DSA *dsa = key->keydata.dsa;
+	const BIGNUM *priv_key = NULL;
+
+	DSA_get0_key(dsa, NULL, &priv_key);
+	return (dsa != NULL && priv_key != NULL);
+}
+
+static void
+openssldsa_destroy(dst_key_t *key) {
+	DSA *dsa = key->keydata.dsa;
+	DSA_free(dsa);
+	key->keydata.dsa = NULL;
+}
+
+
+static isc_result_t
+openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	DSA *dsa;
+	const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL;
+	isc_region_t r;
+	int dnslen;
+	unsigned int t, p_bytes;
+
+	REQUIRE(key->keydata.dsa != NULL);
+
+	dsa = key->keydata.dsa;
+
+	isc_buffer_availableregion(data, &r);
+
+	DSA_get0_key(dsa, &pub_key, NULL);
+	DSA_get0_pqg(dsa, &p, &q, &g);
+
+	t = (BN_num_bytes(p) - 64) / 8;
+	if (t > 8)
+		return (DST_R_INVALIDPUBLICKEY);
+	p_bytes = 64 + 8 * t;
+
+	dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
+	if (r.length < (unsigned int) dnslen)
+		return (ISC_R_NOSPACE);
+
+	*r.base = t;
+	isc_region_consume(&r, 1);
+
+	BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH);
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+	BN_bn2bin_fixed(p, r.base, key->key_size/8);
+	isc_region_consume(&r, p_bytes);
+	BN_bn2bin_fixed(g, r.base, key->key_size/8);
+	isc_region_consume(&r, p_bytes);
+	BN_bn2bin_fixed(pub_key, r.base, key->key_size/8);
+	isc_region_consume(&r, p_bytes);
+
+	isc_buffer_add(data, dnslen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	DSA *dsa;
+	BIGNUM *pub_key, *p, *q, *g;
+	isc_region_t r;
+	unsigned int t, p_bytes;
+	isc_mem_t *mctx = key->mctx;
+
+	UNUSED(mctx);
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	dsa = DSA_new();
+	if (dsa == NULL)
+		return (ISC_R_NOMEMORY);
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
+
+	t = (unsigned int) *r.base;
+	isc_region_consume(&r, 1);
+	if (t > 8) {
+		DSA_free(dsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	p_bytes = 64 + 8 * t;
+
+	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+		DSA_free(dsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+
+	p = BN_bin2bn(r.base, p_bytes, NULL);
+	isc_region_consume(&r, p_bytes);
+
+	g = BN_bin2bn(r.base, p_bytes, NULL);
+	isc_region_consume(&r, p_bytes);
+
+	pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+	isc_region_consume(&r, p_bytes);
+
+	if (pub_key == NULL || p == NULL || q == NULL || g == NULL) {
+		DSA_free(dsa);
+		if (p != NULL) BN_free(p);
+		if (q != NULL) BN_free(q);
+		if (g != NULL) BN_free(g);
+		return (ISC_R_NOMEMORY);
+	}
+
+	DSA_set0_key(dsa, pub_key, NULL);
+	DSA_set0_pqg(dsa, p, q, g);
+
+	key->key_size = p_bytes * 8;
+
+	isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
+
+	key->keydata.dsa = dsa;
+
+	return (ISC_R_SUCCESS);
+}
+
+
+static isc_result_t
+openssldsa_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	DSA *dsa;
+	const BIGNUM *pub_key = NULL, *priv_key = NULL;
+	const BIGNUM *p = NULL, *q = NULL, *g = NULL;
+	dst_private_t priv;
+	unsigned char bufs[5][128];
+
+	if (key->keydata.dsa == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	dsa = key->keydata.dsa;
+
+	DSA_get0_key(dsa, &pub_key, &priv_key);
+	DSA_get0_pqg(dsa, &p, &q, &g);
+
+	priv.elements[cnt].tag = TAG_DSA_PRIME;
+	priv.elements[cnt].length = BN_num_bytes(p);
+	BN_bn2bin(p, bufs[cnt]);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
+	priv.elements[cnt].length = BN_num_bytes(q);
+	BN_bn2bin(q, bufs[cnt]);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_BASE;
+	priv.elements[cnt].length = BN_num_bytes(g);
+	BN_bn2bin(g, bufs[cnt]);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_PRIVATE;
+	priv.elements[cnt].length = BN_num_bytes(priv_key);
+	BN_bn2bin(priv_key, bufs[cnt]);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_PUBLIC;
+	priv.elements[cnt].length = BN_num_bytes(pub_key);
+	BN_bn2bin(pub_key, bufs[cnt]);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	DSA *dsa = NULL;
+	BIGNUM *pub_key = NULL, *priv_key = NULL;
+	BIGNUM *p = NULL, *q = NULL, *g = NULL;
+	isc_mem_t *mctx = key->mctx;
+#define DST_RET(a) {ret = a; goto err;}
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	dsa = DSA_new();
+	if (dsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
+	key->keydata.dsa = dsa;
+
+	for (i = 0; i < priv.nelements; i++) {
+		BIGNUM *bn;
+		bn = BN_bin2bn(priv.elements[i].data,
+			       priv.elements[i].length, NULL);
+		if (bn == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+
+		switch (priv.elements[i].tag) {
+			case TAG_DSA_PRIME:
+				p = bn;
+				break;
+			case TAG_DSA_SUBPRIME:
+				q = bn;
+				break;
+			case TAG_DSA_BASE:
+				g = bn;
+				break;
+			case TAG_DSA_PRIVATE:
+				priv_key = bn;
+				break;
+			case TAG_DSA_PUBLIC:
+				pub_key = bn;
+				break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	DSA_set0_key(dsa, pub_key, priv_key);
+	DSA_set0_pqg(dsa, p, q, g);
+	key->key_size = BN_num_bits(p);
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (p != NULL)
+		BN_free(p);
+	if (q != NULL)
+		BN_free(q);
+	if (g != NULL)
+		BN_free(g);
+	openssldsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t openssldsa_functions = {
+	openssldsa_createctx,
+	NULL, /*%< createctx2 */
+	openssldsa_destroyctx,
+	openssldsa_adddata,
+	openssldsa_sign,
+	openssldsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	openssldsa_compare,
+	NULL, /*%< paramcompare */
+	openssldsa_generate,
+	openssldsa_isprivate,
+	openssldsa_destroy,
+	openssldsa_todns,
+	openssldsa_fromdns,
+	openssldsa_tofile,
+	openssldsa_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssldsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &openssldsa_functions;
+	return (ISC_R_SUCCESS);
+}
+#endif /* !PK11_DSA_DISABLE */
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
+/*! \file */
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
new file mode 100644
index 0000000..e9ea5ea
--- /dev/null
+++ b/lib/dns/opensslecdsa_link.c
@@ -0,0 +1,657 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(OPENSSL) && defined(HAVE_OPENSSL_ECDSA)
+
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
+#error "ECDSA without EVP for SHA2?"
+#endif
+
+#include <stdbool.h>
+
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/ecdsa.h>
+#include <openssl/bn.h>
+
+#ifndef NID_X9_62_prime256v1
+#error "P-256 group is not known (NID_X9_62_prime256v1)"
+#endif
+#ifndef NID_secp384r1
+#error "P-384 group is not known (NID_secp384r1)"
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+#if !defined(HAVE_ECDSA_SIG_GET0)
+/* From OpenSSL 1.1 */
+static void
+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
+	if (pr != NULL) {
+		*pr = sig->r;
+	}
+	if (ps != NULL) {
+		*ps = sig->s;
+	}
+}
+
+static int
+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+	if (r == NULL || s == NULL) {
+		return 0;
+	}
+
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+
+	return 1;
+}
+#endif
+
+static isc_result_t opensslecdsa_todns(const dst_key_t *key,
+				       isc_buffer_t *data);
+
+static isc_result_t
+opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *type = NULL;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	if (dctx->key->key_alg == DST_ALG_ECDSA256)
+		type = EVP_sha256();
+	else
+		type = EVP_sha384();
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestInit_ex",
+					       ISC_R_FAILURE));
+	}
+
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+opensslecdsa_destroyctx(dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+}
+
+static isc_result_t
+opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestUpdate",
+					       ISC_R_FAILURE));
+
+	return (ISC_R_SUCCESS);
+}
+
+static int
+BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
+	int bytes = size - BN_num_bytes(bn);
+
+	while (bytes-- > 0)
+		*buf++ = 0;
+	BN_bn2bin(bn, buf);
+	return (size);
+}
+
+static isc_result_t
+opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	isc_region_t region;
+	ECDSA_SIG *ecdsasig;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	unsigned int dgstlen, siglen;
+	unsigned char digest[EVP_MAX_MD_SIZE];
+	const BIGNUM *r, *s;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (eckey == NULL)
+		return (ISC_R_FAILURE);
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		siglen = DNS_SIG_ECDSA256SIZE;
+	else
+		siglen = DNS_SIG_ECDSA384SIZE;
+
+	isc_buffer_availableregion(sig, &region);
+	if (region.length < siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestFinal",
+					       ISC_R_FAILURE));
+
+	ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
+	if (ecdsasig == NULL)
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "ECDSA_do_sign",
+					       DST_R_SIGNFAILURE));
+	ECDSA_SIG_get0(ecdsasig, &r, &s);
+	BN_bn2bin_fixed(r, region.base, siglen / 2);
+	isc_region_consume(&region, siglen / 2);
+	BN_bn2bin_fixed(s, region.base, siglen / 2);
+	isc_region_consume(&region, siglen / 2);
+	ECDSA_SIG_free(ecdsasig);
+	isc_buffer_add(sig, siglen);
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	int status;
+	unsigned char *cp = sig->base;
+	ECDSA_SIG *ecdsasig = NULL;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	unsigned int dgstlen, siglen;
+	unsigned char digest[EVP_MAX_MD_SIZE];
+	BIGNUM *r = NULL, *s = NULL ;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (eckey == NULL)
+		return (ISC_R_FAILURE);
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		siglen = DNS_SIG_ECDSA256SIZE;
+	else
+		siglen = DNS_SIG_ECDSA384SIZE;
+
+	if (sig->length != siglen)
+		return (DST_R_VERIFYFAILURE);
+
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen))
+		DST_RET (dst__openssl_toresult3(dctx->category,
+						"EVP_DigestFinal_ex",
+						ISC_R_FAILURE));
+
+	ecdsasig = ECDSA_SIG_new();
+	if (ecdsasig == NULL)
+		DST_RET (ISC_R_NOMEMORY);
+	r = BN_bin2bn(cp, siglen / 2, NULL);
+	cp += siglen / 2;
+	s = BN_bin2bn(cp, siglen / 2, NULL);
+	ECDSA_SIG_set0(ecdsasig, r, s);
+	/* cp += siglen / 2; */
+
+	status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
+	switch (status) {
+	case 1:
+		ret = ISC_R_SUCCESS;
+		break;
+	case 0:
+		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+		break;
+	default:
+		ret = dst__openssl_toresult3(dctx->category,
+					     "ECDSA_do_verify",
+					     DST_R_VERIFYFAILURE);
+		break;
+	}
+
+ err:
+	if (ecdsasig != NULL)
+		ECDSA_SIG_free(ecdsasig);
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static bool
+opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	bool ret;
+	int status;
+	EVP_PKEY *pkey1 = key1->keydata.pkey;
+	EVP_PKEY *pkey2 = key2->keydata.pkey;
+	EC_KEY *eckey1 = NULL;
+	EC_KEY *eckey2 = NULL;
+	const BIGNUM *priv1, *priv2;
+
+	if (pkey1 == NULL && pkey2 == NULL)
+		return (true);
+	else if (pkey1 == NULL || pkey2 == NULL)
+		return (false);
+
+	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
+	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
+	if (eckey1 == NULL && eckey2 == NULL) {
+		DST_RET (true);
+	} else if (eckey1 == NULL || eckey2 == NULL)
+		DST_RET (false);
+
+	status = EVP_PKEY_cmp(pkey1, pkey2);
+	if (status != 1)
+		DST_RET (false);
+
+	priv1 = EC_KEY_get0_private_key(eckey1);
+	priv2 = EC_KEY_get0_private_key(eckey2);
+	if (priv1 != NULL || priv2 != NULL) {
+		if (priv1 == NULL || priv2 == NULL)
+			DST_RET (false);
+		if (BN_cmp(priv1, priv2) != 0)
+			DST_RET (false);
+	}
+	ret = true;
+
+ err:
+	if (eckey1 != NULL)
+		EC_KEY_free(eckey1);
+	if (eckey2 != NULL)
+		EC_KEY_free(eckey2);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	int group_nid;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		group_nid = NID_X9_62_prime256v1;
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	} else {
+		group_nid = NID_secp384r1;
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+	}
+
+	eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (eckey == NULL)
+		return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
+					       DST_R_OPENSSLFAILURE));
+
+	if (EC_KEY_generate_key(eckey) != 1)
+		DST_RET (dst__openssl_toresult2("EC_KEY_generate_key",
+						DST_R_OPENSSLFAILURE));
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		DST_RET (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+		EVP_PKEY_free(pkey);
+		DST_RET (ISC_R_FAILURE);
+	}
+	key->keydata.pkey = pkey;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static bool
+opensslecdsa_isprivate(const dst_key_t *key) {
+	bool ret;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
+
+	ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static void
+opensslecdsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	isc_region_t r;
+	int len;
+	unsigned char *cp;
+	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	pkey = key->keydata.pkey;
+	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (eckey == NULL)
+		return (dst__openssl_toresult(ISC_R_FAILURE));
+	len = i2o_ECPublicKey(eckey, NULL);
+	/* skip form */
+	len--;
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < (unsigned int) len)
+		DST_RET (ISC_R_NOSPACE);
+	cp = buf;
+	if (!i2o_ECPublicKey(eckey, &cp))
+		DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
+	memmove(r.base, buf + 1, len);
+	isc_buffer_add(data, len);
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	isc_region_t r;
+	int group_nid;
+	unsigned int len;
+	const unsigned char *cp;
+	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		len = DNS_KEY_ECDSA256SIZE;
+		group_nid = NID_X9_62_prime256v1;
+	} else {
+		len = DNS_KEY_ECDSA384SIZE;
+		group_nid = NID_secp384r1;
+	}
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (r.length < len)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (eckey == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
+	memmove(buf + 1, r.base, len);
+	cp = buf;
+	if (o2i_ECPublicKey(&eckey,
+			    (const unsigned char **) &cp,
+			    (long) len + 1) == NULL)
+		DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+	if (EC_KEY_check_key(eckey) != 1)
+		DST_RET (dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		DST_RET (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+		EVP_PKEY_free(pkey);
+		DST_RET (dst__openssl_toresult(ISC_R_FAILURE));
+	}
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = pkey;
+	key->key_size = len * 4;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	const BIGNUM *privkey;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+	eckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (eckey == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	privkey = EC_KEY_get0_private_key(eckey);
+	if (privkey == NULL)
+		DST_RET (ISC_R_FAILURE);
+
+	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+	if (buf == NULL)
+		DST_RET (ISC_R_NOMEMORY);
+
+	priv.elements[0].tag = TAG_ECDSA_PRIVATEKEY;
+	priv.elements[0].length = BN_num_bytes(privkey);
+	BN_bn2bin(privkey, buf);
+	priv.elements[0].data = buf;
+	priv.nelements = 1;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+ err:
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	if (buf != NULL)
+		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+	return (ret);
+}
+
+static isc_result_t
+ecdsa_check(EC_KEY *eckey, dst_key_t *pub)
+{
+	isc_result_t ret = ISC_R_FAILURE;
+	EVP_PKEY *pkey;
+	EC_KEY *pubeckey = NULL;
+	const EC_POINT *pubkey;
+
+	if (pub == NULL)
+		return (ISC_R_SUCCESS);
+	pkey = pub->keydata.pkey;
+	if (pkey == NULL)
+		return (ISC_R_SUCCESS);
+	pubeckey = EVP_PKEY_get1_EC_KEY(pkey);
+	if (pubeckey == NULL)
+		return (ISC_R_SUCCESS);
+	pubkey = EC_KEY_get0_public_key(pubeckey);
+	if (pubkey == NULL)
+		DST_RET (ISC_R_SUCCESS);
+	if (EC_KEY_set_public_key(eckey, pubkey) != 1)
+		DST_RET (ISC_R_SUCCESS);
+	if (EC_KEY_check_key(eckey) == 1)
+		DST_RET (ISC_R_SUCCESS);
+
+ err:
+	if (pubeckey != NULL)
+		EC_KEY_free(pubeckey);
+	return (ret);
+}
+
+static isc_result_t
+opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	EC_KEY *eckey = NULL;
+	BIGNUM *privkey = NULL;
+	int group_nid;
+	isc_mem_t *mctx = key->mctx;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		group_nid = NID_X9_62_prime256v1;
+	else
+		group_nid = NID_secp384r1;
+
+	eckey = EC_KEY_new_by_curve_name(group_nid);
+	if (eckey == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+	privkey = BN_bin2bn(priv.elements[0].data,
+			    priv.elements[0].length, NULL);
+	if (privkey == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (!EC_KEY_set_private_key(eckey, privkey))
+		DST_RET(ISC_R_NOMEMORY);
+	if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		DST_RET (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
+		EVP_PKEY_free(pkey);
+		DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	if (key->key_alg == DST_ALG_ECDSA256)
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	else
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (privkey != NULL)
+		BN_clear_free(privkey);
+	if (eckey != NULL)
+		EC_KEY_free(eckey);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t opensslecdsa_functions = {
+	opensslecdsa_createctx,
+	NULL, /*%< createctx2 */
+	opensslecdsa_destroyctx,
+	opensslecdsa_adddata,
+	opensslecdsa_sign,
+	opensslecdsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	opensslecdsa_compare,
+	NULL, /*%< paramcompare */
+	opensslecdsa_generate,
+	opensslecdsa_isprivate,
+	opensslecdsa_destroy,
+	opensslecdsa_todns,
+	opensslecdsa_fromdns,
+	opensslecdsa_tofile,
+	opensslecdsa_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__opensslecdsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &opensslecdsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* HAVE_OPENSSL_ECDSA */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_ECDSA */
+/*! \file */
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
new file mode 100644
index 0000000..b76fac9
--- /dev/null
+++ b/lib/dns/openssleddsa_link.c
@@ -0,0 +1,676 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(OPENSSL) && \
+    (defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448))
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#ifndef NID_ED25519
+#error "Ed25519 group is not known (NID_ED25519)"
+#endif
+#ifndef NID_ED448
+#error "Ed448 group is not known (NID_ED448)"
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+/* OpenSSL doesn't provide direct access to key values */
+
+#define PUBPREFIXLEN	12
+
+static const unsigned char ed25519_pub_prefix[] = {
+	0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+	0x70, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed25519_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed25519_pub_prefix, PUBPREFIXLEN);
+	memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+	p = buf;
+	return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t pub_ed25519_from_ossl(EVP_PKEY *pkey,
+					  unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PUBKEY(pkey, NULL);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PUBKEY(pkey, &p);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_pub_prefix[] = {
+	0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+	0x71, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
+	memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
+	p = buf;
+	return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
+					unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PUBKEY(pkey, NULL);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PUBKEY(pkey, &p);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+#define PRIVPREFIXLEN	16
+
+static const unsigned char ed25519_priv_prefix[] = {
+	0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+	0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed25519_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed25519_priv_prefix, PRIVPREFIXLEN);
+	memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+	p = buf;
+	return (d2i_PrivateKey(NID_ED25519, NULL, &p,
+			       PRIVPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t priv_ed25519_from_ossl(EVP_PKEY *pkey,
+					  unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PrivateKey(pkey, &p);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_priv_prefix[] = {
+	0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+	0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed448_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed448_priv_prefix, PRIVPREFIXLEN);
+	memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED448SIZE);
+	p = buf;
+	return (d2i_PrivateKey(NID_ED448, NULL, &p,
+			       PRIVPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t priv_ed448_from_ossl(EVP_PKEY *pkey,
+					unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PrivateKey(pkey, &p);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t openssleddsa_todns(const dst_key_t *key,
+				       isc_buffer_t *data);
+
+static isc_result_t
+openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+	isc_result_t result;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_allocate(dctx->mctx, &buf, 64);
+	dctx->ctxdata.generic = buf;
+
+	return (result);
+}
+
+static void
+openssleddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL)
+		isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+openssleddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	isc_buffer_t *nbuf = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	length = isc_buffer_length(buf) + data->length + 64;
+	result = isc_buffer_allocate(dctx->mctx, &nbuf, length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(buf, &r);
+	(void) isc_buffer_copyregion(nbuf, &r);
+	(void) isc_buffer_copyregion(nbuf, data);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = nbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	isc_region_t tbsreg;
+	isc_region_t sigreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	size_t siglen;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	isc_buffer_availableregion(sig, &sigreg);
+	if (sigreg.length < (unsigned int) siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestSignInit",
+					       ISC_R_FAILURE));
+	if (!EVP_DigestSign(ctx, sigreg.base, &siglen,
+			    tbsreg.base, tbsreg.length))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestSign",
+					       DST_R_SIGNFAILURE));
+	isc_buffer_add(sig, (unsigned int) siglen);
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (ctx != NULL)
+		EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	int status;
+	isc_region_t tbsreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	unsigned int siglen;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	if (sig->length != siglen)
+		return (DST_R_VERIFYFAILURE);
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestVerifyInit",
+					       ISC_R_FAILURE));
+
+	status = EVP_DigestVerify(ctx, sig->base, siglen,
+				  tbsreg.base, tbsreg.length);
+
+	switch (status) {
+	case 1:
+		ret = ISC_R_SUCCESS;
+		break;
+	case 0:
+		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+		break;
+	default:
+		ret = dst__openssl_toresult3(dctx->category,
+					     "EVP_DigestVerify",
+					     DST_R_VERIFYFAILURE);
+		break;
+	}
+
+ err:
+	if (ctx != NULL)
+		EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static bool
+openssleddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	int status;
+	EVP_PKEY *pkey1 = key1->keydata.pkey;
+	EVP_PKEY *pkey2 = key2->keydata.pkey;
+
+	if (pkey1 == NULL && pkey2 == NULL)
+		return (true);
+	else if (pkey1 == NULL || pkey2 == NULL)
+		return (false);
+
+	status = EVP_PKEY_cmp(pkey1, pkey2);
+	if (status == 1)
+		return (true);
+	return (false);
+}
+
+static isc_result_t
+openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
+	int nid, status;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		nid = NID_ED25519;
+		key->key_size = DNS_KEY_ED25519SIZE;
+	} else {
+		nid = NID_ED448;
+		key->key_size = DNS_KEY_ED448SIZE;
+	}
+
+	ctx = EVP_PKEY_CTX_new_id(nid, NULL);
+	if (ctx == NULL)
+		return (dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+					       DST_R_OPENSSLFAILURE));
+
+	status = EVP_PKEY_keygen_init(ctx);
+	if (status != 1)
+		DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen_init",
+						DST_R_OPENSSLFAILURE));
+
+	status = EVP_PKEY_keygen(ctx, &pkey);
+	if (status != 1)
+		DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen",
+						DST_R_OPENSSLFAILURE));
+
+	key->keydata.pkey = pkey;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (ctx != NULL)
+		EVP_PKEY_CTX_free(ctx);
+	return (ret);
+}
+
+static bool
+openssleddsa_isprivate(const dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	int len;
+	unsigned long err;
+
+	if (pkey == NULL)
+		return (false);
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if (len > 0)
+		return (true);
+	/* can check if first error is EC_R_INVALID_PRIVATE_KEY */
+	while ((err = ERR_get_error()) != 0)
+		/**/;
+
+	return (false);
+}
+
+static void
+openssleddsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(pkey != NULL);
+
+	pkey = key->keydata.pkey;
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		isc_buffer_availableregion(data, &r);
+		if (r.length < DNS_KEY_ED25519SIZE)
+			return (ISC_R_NOSPACE);
+		result = pub_ed25519_from_ossl(pkey, r.base);
+		if (result == ISC_R_SUCCESS)
+			isc_buffer_add(data, DNS_KEY_ED25519SIZE);
+		return (result);
+	case DST_ALG_ED448:
+		isc_buffer_availableregion(data, &r);
+		if (r.length < DNS_KEY_ED448SIZE)
+			return (ISC_R_NOSPACE);
+		result = pub_ed448_from_ossl(pkey, r.base);
+		if (result == ISC_R_SUCCESS)
+			isc_buffer_add(data, DNS_KEY_ED448SIZE);
+		return (result);
+	default:
+		INSIST(0);
+	}
+}
+
+static isc_result_t
+openssleddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey;
+	isc_region_t r;
+	unsigned int len;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		if (r.length < len)
+			return (DST_R_INVALIDPUBLICKEY);
+		pkey = pub_ed25519_to_ossl(r.base);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		if (r.length < len)
+			return (DST_R_INVALIDPUBLICKEY);
+		pkey = pub_ed448_to_ossl(r.base);
+	}
+	if (pkey == NULL)
+		return (dst__openssl_toresult(ISC_R_FAILURE));
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = pkey;
+	key->key_size = len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int len;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		buf = isc_mem_get(key->mctx, len);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[0].length = len;
+		ret = priv_ed25519_from_ossl(pkey, buf);
+		if (ret != ISC_R_SUCCESS)
+			DST_RET (dst__openssl_toresult(ret));
+		priv.elements[0].data = buf;
+		priv.nelements = 1;
+		ret = dst__privstruct_writefile(key, &priv, directory);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		buf = isc_mem_get(key->mctx, len);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[0].length = len;
+		ret = priv_ed448_from_ossl(pkey, buf);
+		if (ret != ISC_R_SUCCESS)
+			DST_RET (dst__openssl_toresult(ret));
+		priv.elements[0].data = buf;
+		priv.nelements = 1;
+		ret = dst__privstruct_writefile(key, &priv, directory);
+	}
+
+ err:
+	if (buf != NULL)
+		isc_mem_put(key->mctx, buf, len);
+	return (ret);
+}
+
+static isc_result_t
+eddsa_check(EVP_PKEY *privkey, dst_key_t *pub)
+{
+	EVP_PKEY *pkey;
+
+	if (pub == NULL)
+		return (ISC_R_SUCCESS);
+	pkey = pub->keydata.pkey;
+	if (pkey == NULL)
+		return (ISC_R_SUCCESS);
+	if (EVP_PKEY_cmp(privkey, pkey) == 1)
+		return (ISC_R_SUCCESS);
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	unsigned int len;
+	isc_mem_t *mctx = key->mctx;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		if (priv.elements[0].length < len)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		pkey = priv_ed25519_to_ossl(priv.elements[0].data);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		if (priv.elements[0].length < len)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		pkey = priv_ed448_to_ossl(priv.elements[0].data);
+	}
+	if (pkey == NULL)
+		DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	if (eddsa_check(pkey, pub) != ISC_R_SUCCESS) {
+		EVP_PKEY_free(pkey);
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	key->keydata.pkey = pkey;
+	key->key_size = len;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t openssleddsa_functions = {
+	openssleddsa_createctx,
+	NULL, /*%< createctx2 */
+	openssleddsa_destroyctx,
+	openssleddsa_adddata,
+	openssleddsa_sign,
+	openssleddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	openssleddsa_compare,
+	NULL, /*%< paramcompare */
+	openssleddsa_generate,
+	openssleddsa_isprivate,
+	openssleddsa_destroy,
+	openssleddsa_todns,
+	openssleddsa_fromdns,
+	openssleddsa_tofile,
+	openssleddsa_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssleddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &openssleddsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* HAVE_OPENSSL_EDxxx */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_EDxxx */
+/*! \file */
diff --git a/lib/dns/opensslgost_link.c b/lib/dns/opensslgost_link.c
new file mode 100644
index 0000000..481b91c
--- /dev/null
+++ b/lib/dns/opensslgost_link.c
@@ -0,0 +1,630 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(OPENSSL) && defined(HAVE_OPENSSL_GOST)
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+#include "dst_gost.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include <openssl/engine.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define EVP_MD_CTX_new() &(ctx->_ctx), EVP_MD_CTX_init(&(ctx->_ctx))
+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
+#endif
+
+static ENGINE *e = NULL;
+static const EVP_MD *opensslgost_digest;
+extern const EVP_MD *EVP_gost(void);
+
+const EVP_MD *EVP_gost(void) {
+	return (opensslgost_digest);
+}
+
+/* ISC methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+	const EVP_MD *md;
+	int ret;
+
+	INSIST(ctx != NULL);
+
+	md = EVP_gost();
+	if (md == NULL)
+		return (DST_R_CRYPTOFAILURE);
+	ctx->ctx = EVP_MD_CTX_new();
+	if (ctx->ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = EVP_DigestInit(ctx->ctx, md);
+	if (ret != 1)
+		return (DST_R_CRYPTOFAILURE);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+	EVP_MD_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *data,
+		unsigned int len)
+{
+	int ret;
+
+	INSIST(ctx != NULL);
+	INSIST(ctx->ctx != NULL);
+	INSIST(data != NULL);
+
+	ret = EVP_DigestUpdate(ctx->ctx, (const void *) data, (size_t) len);
+	if (ret != 1)
+		return (DST_R_CRYPTOFAILURE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+	int ret;
+
+	INSIST(ctx != NULL);
+	INSIST(ctx->ctx != NULL);
+	INSIST(digest != NULL);
+
+	ret = EVP_DigestFinal(ctx->ctx, digest, NULL);
+	EVP_MD_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	if (ret != 1)
+		return (DST_R_CRYPTOFAILURE);
+	return (ISC_R_SUCCESS);
+}
+
+/* DST methods */
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t opensslgost_todns(const dst_key_t *key,
+				      isc_buffer_t *data);
+
+static isc_result_t
+opensslgost_createctx(dst_key_t *key, dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *md = EVP_gost();
+
+	UNUSED(key);
+
+	if (md == NULL)
+		return (DST_R_OPENSSLFAILURE);
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, md, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (ISC_R_FAILURE);
+	}
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+opensslgost_destroyctx(dst_context_t *dctx) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+}
+
+static isc_result_t
+opensslgost_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length))
+		return (ISC_R_FAILURE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key = dctx->key;
+	isc_region_t r;
+	unsigned int siglen = 0;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	isc_buffer_availableregion(sig, &r);
+
+	if (r.length < (unsigned int) EVP_PKEY_size(pkey))
+		return (ISC_R_NOSPACE);
+
+	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey))
+		return (ISC_R_FAILURE);
+
+	isc_buffer_add(sig, siglen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	dst_key_t *key = dctx->key;
+	int status = 0;
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+	switch (status) {
+	case 1:
+		return (ISC_R_SUCCESS);
+	case 0:
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	default:
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_VerifyFinal",
+					       DST_R_VERIFYFAILURE));
+	}
+}
+
+static bool
+opensslgost_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	EVP_PKEY *pkey1, *pkey2;
+
+	pkey1 = key1->keydata.pkey;
+	pkey2 = key2->keydata.pkey;
+
+	if (pkey1 == NULL && pkey2 == NULL)
+		return (true);
+	else if (pkey1 == NULL || pkey2 == NULL)
+		return (false);
+
+	if (EVP_PKEY_cmp(pkey1, pkey2) != 1)
+		return (false);
+	return (true);
+}
+
+static int
+progress_cb(EVP_PKEY_CTX *ctx)
+{
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+	int p;
+
+	u.dptr = EVP_PKEY_CTX_get_app_data(ctx);
+	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+	if (u.fptr != NULL)
+		u.fptr(p);
+	return (1);
+}
+
+static isc_result_t
+opensslgost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	EVP_PKEY_CTX *ctx;
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+	EVP_PKEY *pkey = NULL;
+	isc_result_t ret;
+
+	UNUSED(unused);
+	ctx = EVP_PKEY_CTX_new_id(NID_id_GostR3410_2001, NULL);
+	if (ctx == NULL)
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+					       DST_R_OPENSSLFAILURE));
+	if (callback != NULL) {
+		u.fptr = callback;
+		EVP_PKEY_CTX_set_app_data(ctx, u.dptr);
+		EVP_PKEY_CTX_set_cb(ctx, &progress_cb);
+	}
+	if (EVP_PKEY_keygen_init(ctx) <= 0)
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
+					       DST_R_OPENSSLFAILURE));
+	if (EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0)
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_CTX_ctrl_str",
+					       DST_R_OPENSSLFAILURE));
+	if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
+		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
+					       DST_R_OPENSSLFAILURE));
+	key->keydata.pkey = pkey;
+	key->key_size = EVP_PKEY_bits(pkey);
+	EVP_PKEY_CTX_free(ctx);
+	return (ISC_R_SUCCESS);
+
+err:
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+	if (ctx != NULL)
+		EVP_PKEY_CTX_free(ctx);
+	return (ret);
+}
+
+static bool
+opensslgost_isprivate(const dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EC_KEY *ec;
+
+	INSIST(pkey != NULL);
+
+	ec = EVP_PKEY_get0(pkey);
+	return (ec != NULL && EC_KEY_get0_private_key(ec) != NULL);
+}
+
+static void
+opensslgost_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static const unsigned char gost_prefix[37] = {
+	0x30, 0x63, 0x30, 0x1c, 0x06, 0x06, 0x2a, 0x85,
+	0x03, 0x02, 0x02, 0x13, 0x30, 0x12, 0x06, 0x07,
+	0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01, 0x06,
+	0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01,
+	0x03, 0x43, 0x00, 0x04, 0x40
+};
+
+static isc_result_t
+opensslgost_todns(const dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey;
+	isc_region_t r;
+	unsigned char der[37 + 64], *p;
+	int len;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	pkey = key->keydata.pkey;
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < 64)
+		return (ISC_R_NOSPACE);
+
+	p = der;
+	len = i2d_PUBKEY(pkey, &p);
+	INSIST(len == sizeof(der));
+	INSIST(isc_safe_memequal(gost_prefix, der, 37));
+	memmove(r.base, der + 37, 64);
+	isc_buffer_add(data, 64);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslgost_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	isc_region_t r;
+	EVP_PKEY *pkey = NULL;
+	unsigned char der[37 + 64];
+	const unsigned char *p;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	if (r.length != 64)
+		return (DST_R_INVALIDPUBLICKEY);
+	memmove(der, gost_prefix, 37);
+	memmove(der + 37, r.base, 64);
+	isc_buffer_forward(data, 64);
+
+	p = der;
+	if (d2i_PUBKEY(&pkey, &p, (long) sizeof(der)) == NULL)
+		return (dst__openssl_toresult2("d2i_PUBKEY",
+					       DST_R_OPENSSLFAILURE));
+	key->keydata.pkey = pkey;
+	key->key_size = EVP_PKEY_bits(pkey);
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef PREFER_GOSTASN1
+
+static isc_result_t
+opensslgost_tofile(const dst_key_t *key, const char *directory) {
+	EVP_PKEY *pkey;
+	dst_private_t priv;
+	isc_result_t result;
+	unsigned char *der, *p;
+	int len;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+
+	len = i2d_PrivateKey(pkey, NULL);
+	der = isc_mem_get(key->mctx, (size_t) len);
+	if (der == NULL)
+		return (ISC_R_NOMEMORY);
+
+	p = der;
+	if (i2d_PrivateKey(pkey, &p) != len) {
+		result = dst__openssl_toresult2("i2d_PrivateKey",
+						DST_R_OPENSSLFAILURE);
+		goto fail;
+	}
+
+	priv.elements[0].tag = TAG_GOST_PRIVASN1;
+	priv.elements[0].length = len;
+	priv.elements[0].data = der;
+	priv.nelements = 1;
+
+	result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+	if (der != NULL)
+		isc_mem_put(key->mctx, der, (size_t) len);
+	return (result);
+}
+
+#else
+
+static isc_result_t
+opensslgost_tofile(const dst_key_t *key, const char *directory) {
+	EVP_PKEY *pkey;
+	EC_KEY *eckey;
+	const BIGNUM *privkey;
+	dst_private_t priv;
+	isc_result_t ret;
+	unsigned char *buf = NULL;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+	eckey = EVP_PKEY_get0(pkey);
+	if (eckey == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	privkey = EC_KEY_get0_private_key(eckey);
+	if (privkey == NULL)
+		return (ISC_R_FAILURE);
+
+	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
+	if (buf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	priv.elements[0].tag = TAG_GOST_PRIVRAW;
+	priv.elements[0].length = BN_num_bytes(privkey);
+	BN_bn2bin(privkey, buf);
+	priv.elements[0].data = buf;
+	priv.nelements = 1;
+
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL)
+		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
+	return (ret);
+}
+#endif
+
+static unsigned char gost_dummy_key[71] = {
+	0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+	0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+	0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+	0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+	0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
+	0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
+	0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
+	0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
+	0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
+};
+
+static isc_result_t
+opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	isc_mem_t *mctx = key->mctx;
+	EVP_PKEY *pkey = NULL;
+	EC_KEY *eckey;
+	const EC_POINT *pubkey = NULL;
+	BIGNUM *privkey = NULL;
+	const unsigned char *p;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ECCGOST, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	INSIST((priv.elements[0].tag == TAG_GOST_PRIVASN1) ||
+	       (priv.elements[0].tag == TAG_GOST_PRIVRAW));
+
+	if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+		p = priv.elements[0].data;
+		if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+				   (long) priv.elements[0].length) == NULL)
+			DST_RET(dst__openssl_toresult2(
+					    "d2i_PrivateKey",
+					    DST_R_INVALIDPRIVATEKEY));
+	} else {
+		if ((pub != NULL) && (pub->keydata.pkey != NULL)) {
+			eckey = EVP_PKEY_get0(pub->keydata.pkey);
+			pubkey = EC_KEY_get0_public_key(eckey);
+		}
+
+		privkey = BN_bin2bn(priv.elements[0].data,
+				    priv.elements[0].length, NULL);
+		if (privkey == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+
+		/* can't create directly the whole key */
+		p = gost_dummy_key;
+		if (d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+				   (long) sizeof(gost_dummy_key)) == NULL)
+			DST_RET(dst__openssl_toresult2(
+					    "d2i_PrivateKey",
+					    DST_R_INVALIDPRIVATEKEY));
+
+		eckey = EVP_PKEY_get0(pkey);
+		if (eckey == NULL)
+			return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		if (!EC_KEY_set_private_key(eckey, privkey))
+			DST_RET(ISC_R_NOMEMORY);
+
+		/* have to (re)set the public key */
+#ifdef notyet
+		(void) gost2001_compute_public(eckey);
+#else
+		if ((pubkey != NULL) && !EC_KEY_set_public_key(eckey, pubkey))
+			DST_RET(ISC_R_NOMEMORY);
+#endif
+		BN_clear_free(privkey);
+		privkey = NULL;
+	}
+	key->keydata.pkey = pkey;
+	key->key_size = EVP_PKEY_bits(pkey);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (privkey != NULL)
+		BN_clear_free(privkey);
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+	opensslgost_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static void
+opensslgost_cleanup(void) {
+	if (e != NULL) {
+		ENGINE_finish(e);
+		ENGINE_free(e);
+		e = NULL;
+	}
+}
+
+static dst_func_t opensslgost_functions = {
+	opensslgost_createctx,
+	NULL, /*%< createctx2 */
+	opensslgost_destroyctx,
+	opensslgost_adddata,
+	opensslgost_sign,
+	opensslgost_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	opensslgost_compare,
+	NULL, /*%< paramcompare */
+	opensslgost_generate,
+	opensslgost_isprivate,
+	opensslgost_destroy,
+	opensslgost_todns,
+	opensslgost_fromdns,
+	opensslgost_tofile,
+	opensslgost_parse,
+	opensslgost_cleanup,
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL  /*%< restore */
+};
+
+isc_result_t
+dst__opensslgost_init(dst_func_t **funcp) {
+	isc_result_t ret;
+
+	REQUIRE(funcp != NULL);
+
+	/* check if the gost engine works properly */
+	e = ENGINE_by_id("gost");
+	if (e == NULL)
+		return (dst__openssl_toresult2("ENGINE_by_id",
+					       DST_R_OPENSSLFAILURE));
+	if (ENGINE_init(e) <= 0) {
+		ENGINE_free(e);
+		e = NULL;
+		return (dst__openssl_toresult2("ENGINE_init",
+					       DST_R_OPENSSLFAILURE));
+	}
+	/* better than to rely on digest_gost symbol */
+	opensslgost_digest = ENGINE_get_digest(e, NID_id_GostR3411_94);
+	if (opensslgost_digest == NULL)
+		DST_RET(dst__openssl_toresult2("ENGINE_get_digest",
+					       DST_R_OPENSSLFAILURE));
+	/* from openssl.cnf */
+	if (ENGINE_register_pkey_asn1_meths(e) <= 0)
+		DST_RET(dst__openssl_toresult2(
+				"ENGINE_register_pkey_asn1_meths",
+				DST_R_OPENSSLFAILURE));
+	if (ENGINE_ctrl_cmd_string(e,
+				   "CRYPT_PARAMS",
+				   "id-Gost28147-89-CryptoPro-A-ParamSet",
+				   0) <= 0)
+		DST_RET(dst__openssl_toresult2("ENGINE_ctrl_cmd_string",
+					       DST_R_OPENSSLFAILURE));
+
+	if (*funcp == NULL)
+		*funcp = &opensslgost_functions;
+	return (ISC_R_SUCCESS);
+
+ err:
+	ENGINE_finish(e);
+	ENGINE_free(e);
+	e = NULL;
+	return (ret);
+}
+
+#else /* HAVE_OPENSSL_GOST */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_GOST */
+/*! \file */
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
new file mode 100644
index 0000000..c03fd72
--- /dev/null
+++ b/lib/dns/opensslrsa_link.c
@@ -0,0 +1,1830 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef OPENSSL
+#include <config.h>
+
+#ifndef USE_EVP
+#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
+#define USE_EVP 0
+#else
+#define USE_EVP 1
+#endif
+#endif
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+#include <openssl/bn.h>
+#endif
+#if !defined(OPENSSL_NO_ENGINE)
+#include <openssl/engine.h>
+#endif
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS    35
+#endif
+
+/*
+ * We don't use configure for windows so enforce the OpenSSL version
+ * here.  Unlike with configure we don't support overriding this test.
+ */
+#ifdef WIN32
+#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
+       OPENSSL_VERSION_NUMBER < 0x00908000L) || \
+      (OPENSSL_VERSION_NUMBER >= 0x0090804fL && \
+       OPENSSL_VERSION_NUMBER < 0x10002000L) || \
+      OPENSSL_VERSION_NUMBER >= 0x1000205fL)
+#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
+#endif
+#endif
+
+
+	/*
+	 * XXXMPA  Temporarily disable RSA_BLINDING as it requires
+	 * good quality random data that cannot currently be guaranteed.
+	 * XXXMPA  Find which versions of openssl use pseudo random data
+	 * and set RSA_FLAG_BLINDING for those.
+	 */
+
+#if 0
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+	do { \
+	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+	(rsa)->flags |= RSA_FLAG_BLINDING; \
+	} while (0)
+#else
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags |= RSA_FLAG_BLINDING; \
+	} while (0)
+#endif
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+	do { \
+	(rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+	(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+	} while (0)
+#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(RSA_FLAG_NO_BLINDING)
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+		(rsa)->flags |= RSA_FLAG_NO_BLINDING; \
+	} while (0)
+#else
+#define SET_FLAGS(rsa) \
+	do { \
+		(rsa)->flags &= ~RSA_FLAG_BLINDING; \
+	} while (0)
+#endif
+#else
+#define SET_FLAGS(rsa) \
+	do { \
+		RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \
+		RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \
+	} while (0)
+#endif
+#define DST_RET(a) {ret = a; goto err;}
+
+#if !defined(HAVE_RSA_SET0_KEY)
+/* From OpenSSL 1.1.0 */
+static int
+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+
+	/*
+	 * If the fields n and e in r are NULL, the corresponding input
+	 * parameters MUST be non-NULL for n and e.  d may be
+	 * left NULL (in case only the public key is used).
+	 */
+	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
+		return 0;
+	}
+
+	if (n != NULL) {
+		BN_free(r->n);
+		r->n = n;
+	}
+	if (e != NULL) {
+		BN_free(r->e);
+		r->e = e;
+	}
+	if (d != NULL) {
+		BN_free(r->d);
+		r->d = d;
+	}
+
+	return 1;
+}
+
+static int
+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
+
+	/*
+	 * If the fields p and q in r are NULL, the corresponding input
+	 * parameters MUST be non-NULL.
+	 */
+	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
+		return 0;
+	}
+
+	if (p != NULL) {
+		BN_free(r->p);
+		r->p = p;
+	}
+	if (q != NULL) {
+		BN_free(r->q);
+		r->q = q;
+	}
+
+	return 1;
+}
+
+static int
+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
+	/*
+	 * If the fields dmp1, dmq1 and iqmp in r are NULL, the
+	 * corresponding input parameters MUST be non-NULL.
+	 */
+	if ((r->dmp1 == NULL && dmp1 == NULL) ||
+	    (r->dmq1 == NULL && dmq1 == NULL) ||
+	    (r->iqmp == NULL && iqmp == NULL))
+	{
+		return 0;
+	}
+
+	if (dmp1 != NULL) {
+		BN_free(r->dmp1);
+		r->dmp1 = dmp1;
+	}
+	if (dmq1 != NULL) {
+		BN_free(r->dmq1);
+		r->dmq1 = dmq1;
+	}
+	if (iqmp != NULL) {
+		BN_free(r->iqmp);
+		r->iqmp = iqmp;
+	}
+
+	return 1;
+}
+
+static void
+RSA_get0_key(const RSA *r,
+	     const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+	if (n != NULL) {
+		*n = r->n;
+	}
+	if (e != NULL) {
+		*e = r->e;
+	}
+	if (d != NULL) {
+		*d = r->d;
+	}
+}
+
+static void
+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
+	if (p != NULL) {
+		*p = r->p;
+	}
+	if (q != NULL) {
+		*q = r->q;
+	}
+}
+
+static void
+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+		    const BIGNUM **iqmp)
+{
+	if (dmp1 != NULL) {
+		*dmp1 = r->dmp1;
+	}
+	if (dmq1 != NULL) {
+		*dmq1 = r->dmq1;
+	}
+	if (iqmp != NULL) {
+		*iqmp = r->iqmp;
+	}
+}
+
+static int
+RSA_test_flags(const RSA *r, int flags) {
+	return (r->flags & flags);
+}
+
+#endif
+
+static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *type = NULL;
+#endif
+
+	UNUSED(key);
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+#if USE_EVP
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		type = EVP_md5();	/* MD5 + RSA */
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		type = EVP_sha1();	/* SHA1 + RSA */
+		break;
+#ifdef HAVE_EVP_SHA256
+	case DST_ALG_RSASHA256:
+		type = EVP_sha256();	/* SHA256 + RSA */
+		break;
+#endif
+#ifdef HAVE_EVP_SHA512
+	case DST_ALG_RSASHA512:
+		type = EVP_sha512();
+		break;
+#endif
+	default:
+		INSIST(0);
+	}
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestInit_ex",
+					       ISC_R_FAILURE));
+	}
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+#else
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx;
+
+			md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
+			if (md5ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_md5_init(md5ctx);
+			dctx->ctxdata.md5ctx = md5ctx;
+		}
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx;
+
+			sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+			if (sha1ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha1_init(sha1ctx);
+			dctx->ctxdata.sha1ctx = sha1ctx;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx;
+
+			sha256ctx = isc_mem_get(dctx->mctx,
+						sizeof(isc_sha256_t));
+			if (sha256ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha256_init(sha256ctx);
+			dctx->ctxdata.sha256ctx = sha256ctx;
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx;
+
+			sha512ctx = isc_mem_get(dctx->mctx,
+						sizeof(isc_sha512_t));
+			if (sha512ctx == NULL)
+				return (ISC_R_NOMEMORY);
+			isc_sha512_init(sha512ctx);
+			dctx->ctxdata.sha512ctx = sha512ctx;
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+opensslrsa_destroyctx(dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#endif
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+#if USE_EVP
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+#else
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			if (md5ctx != NULL) {
+				isc_md5_invalidate(md5ctx);
+				isc_mem_put(dctx->mctx, md5ctx,
+					    sizeof(isc_md5_t));
+				dctx->ctxdata.md5ctx = NULL;
+			}
+		}
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			if (sha1ctx != NULL) {
+				isc_sha1_invalidate(sha1ctx);
+				isc_mem_put(dctx->mctx, sha1ctx,
+					    sizeof(isc_sha1_t));
+				dctx->ctxdata.sha1ctx = NULL;
+			}
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			if (sha256ctx != NULL) {
+				isc_sha256_invalidate(sha256ctx);
+				isc_mem_put(dctx->mctx, sha256ctx,
+					    sizeof(isc_sha256_t));
+				dctx->ctxdata.sha256ctx = NULL;
+			}
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			if (sha512ctx != NULL) {
+				isc_sha512_invalidate(sha512ctx);
+				isc_mem_put(dctx->mctx, sha512ctx,
+					    sizeof(isc_sha512_t));
+				dctx->ctxdata.sha512ctx = NULL;
+			}
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+#endif
+}
+
+static isc_result_t
+opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#endif
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+#if USE_EVP
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestUpdate",
+					       ISC_R_FAILURE));
+	}
+#else
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_update(md5ctx, data->base, data->length);
+		}
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_update(sha1ctx, data->base, data->length);
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_update(sha256ctx, data->base, data->length);
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_update(sha512ctx, data->base, data->length);
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+#endif
+	return (ISC_R_SUCCESS);
+}
+
+#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
+/*
+ * Digest prefixes from RFC 5702.
+ */
+static unsigned char sha256_prefix[] =
+	 { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+	   0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
+static unsigned char sha512_prefix[] =
+	 { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+	   0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
+#define PREFIXLEN sizeof(sha512_prefix)
+#else
+#define PREFIXLEN 0
+#endif
+
+static isc_result_t
+opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	dst_key_t *key = dctx->key;
+	isc_region_t r;
+	unsigned int siglen = 0;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+#else
+	RSA *rsa = key->keydata.rsa;
+	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+	unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
+	int status;
+	int type = 0;
+	unsigned int digestlen = 0;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	unsigned int prefixlen = 0;
+	const unsigned char *prefix = NULL;
+#endif
+#endif
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+	isc_buffer_availableregion(sig, &r);
+
+#if USE_EVP
+	if (r.length < (unsigned int) EVP_PKEY_size(pkey))
+		return (ISC_R_NOSPACE);
+
+	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_SignFinal",
+					       ISC_R_FAILURE));
+	}
+#else
+	if (r.length < (unsigned int) RSA_size(rsa))
+		return (ISC_R_NOSPACE);
+
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_final(md5ctx, digest);
+			type = NID_md5;
+			digestlen = ISC_MD5_DIGESTLENGTH;
+		}
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_final(sha1ctx, digest);
+			type = NID_sha1;
+			digestlen = ISC_SHA1_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_final(digest, sha256ctx);
+			digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha256_prefix;
+			prefixlen = sizeof(sha256_prefix);
+#else
+			type = NID_sha256;
+#endif
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_final(digest, sha512ctx);
+			digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha512_prefix;
+			prefixlen = sizeof(sha512_prefix);
+#else
+			type = NID_sha512;
+#endif
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		INSIST(type != 0);
+		status = RSA_sign(type, digest, digestlen, r.base,
+				  &siglen, rsa);
+		break;
+
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		INSIST(prefix != NULL);
+		INSIST(prefixlen != 0);
+		INSIST(prefixlen + digestlen <= sizeof(digest));
+
+		memmove(digest + prefixlen, digest, digestlen);
+		memmove(digest, prefix, prefixlen);
+		status = RSA_private_encrypt(digestlen + prefixlen,
+					     digest, r.base, rsa,
+					     RSA_PKCS1_PADDING);
+		if (status < 0)
+			status = 0;
+		else
+			siglen = status;
+		break;
+
+	default:
+		INSIST(0);
+	}
+#else
+	INSIST(type != 0);
+	status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
+#endif
+	if (status == 0)
+		return (dst__openssl_toresult3(dctx->category,
+					       "RSA_sign",
+					       DST_R_OPENSSLFAILURE));
+#endif
+
+	isc_buffer_add(sig, siglen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
+	dst_key_t *key = dctx->key;
+	int status = 0;
+	const BIGNUM *e = NULL;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	RSA *rsa;
+	int bits;
+#else
+	/* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	int type = 0;
+	unsigned int digestlen = 0;
+	RSA *rsa = key->keydata.rsa;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	unsigned int prefixlen = 0;
+	const unsigned char *prefix = NULL;
+#endif
+#endif
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_RSASHA256 ||
+		dctx->key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+#if USE_EVP
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	RSA_get0_key(rsa, NULL, &e, NULL);
+	bits = BN_num_bits(e);
+	RSA_free(rsa);
+	if (bits > maxbits && maxbits != 0)
+		return (DST_R_VERIFYFAILURE);
+
+	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+	switch (status) {
+	case 1:
+		return (ISC_R_SUCCESS);
+	case 0:
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	default:
+		return (dst__openssl_toresult3(dctx->category,
+					       "EVP_VerifyFinal",
+					       DST_R_VERIFYFAILURE));
+	}
+#else
+	RSA_get0_key(rsa, NULL, &e, NULL);
+	if (BN_num_bits(e) > maxbits && maxbits != 0)
+		return (DST_R_VERIFYFAILURE);
+
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		{
+			isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
+
+			isc_md5_final(md5ctx, digest);
+			type = NID_md5;
+			digestlen = ISC_MD5_DIGESTLENGTH;
+		}
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		{
+			isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+
+			isc_sha1_final(sha1ctx, digest);
+			type = NID_sha1;
+			digestlen = ISC_SHA1_DIGESTLENGTH;
+		}
+		break;
+	case DST_ALG_RSASHA256:
+		{
+			isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
+
+			isc_sha256_final(digest, sha256ctx);
+			digestlen = ISC_SHA256_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha256_prefix;
+			prefixlen = sizeof(sha256_prefix);
+#else
+			type = NID_sha256;
+#endif
+		}
+		break;
+	case DST_ALG_RSASHA512:
+		{
+			isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
+
+			isc_sha512_final(digest, sha512ctx);
+			digestlen = ISC_SHA512_DIGESTLENGTH;
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+			prefix = sha512_prefix;
+			prefixlen = sizeof(sha512_prefix);
+#else
+			type = NID_sha512;
+#endif
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (sig->length != (unsigned int) RSA_size(rsa))
+		return (DST_R_VERIFYFAILURE);
+
+#if OPENSSL_VERSION_NUMBER < 0x00908000L
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		INSIST(type != 0);
+		status = RSA_verify(type, digest, digestlen, sig->base,
+				    RSA_size(rsa), rsa);
+		break;
+
+	case DST_ALG_RSASHA256:
+	case DST_ALG_RSASHA512:
+		{
+			/*
+			 * 1024 is big enough for all valid RSA bit sizes
+			 * for use with DNSSEC.
+			 */
+			unsigned char original[PREFIXLEN + 1024];
+
+			INSIST(prefix != NULL);
+			INSIST(prefixlen != 0U);
+
+			if (RSA_size(rsa) > (int)sizeof(original))
+				return (DST_R_VERIFYFAILURE);
+
+			status = RSA_public_decrypt(sig->length, sig->base,
+						    original, rsa,
+						    RSA_PKCS1_PADDING);
+			if (status <= 0)
+				return (dst__openssl_toresult3(
+						dctx->category,
+						"RSA_public_decrypt",
+						DST_R_VERIFYFAILURE));
+			if (status != (int)(prefixlen + digestlen))
+				return (DST_R_VERIFYFAILURE);
+			if (!isc_safe_memequal(original, prefix, prefixlen))
+				return (DST_R_VERIFYFAILURE);
+			if (!isc_safe_memequal(original + prefixlen,
+					    digest, digestlen))
+				return (DST_R_VERIFYFAILURE);
+			status = 1;
+		}
+		break;
+
+	default:
+		INSIST(0);
+	}
+#else
+	INSIST(type != 0);
+	status = RSA_verify(type, digest, digestlen, sig->base,
+			     RSA_size(rsa), rsa);
+#endif
+	if (status != 1)
+		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+static isc_result_t
+opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	return (opensslrsa_verify2(dctx, 0, sig));
+}
+
+static bool
+opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	int status;
+	RSA *rsa1 = NULL, *rsa2 = NULL;
+	const BIGNUM *n1 = NULL, *n2 = NULL;
+	const BIGNUM *e1 = NULL, *e2 = NULL;
+	const BIGNUM *d1 = NULL, *d2 = NULL;
+	const BIGNUM *p1 = NULL, *p2 = NULL;
+	const BIGNUM *q1 = NULL, *q2 = NULL;
+#if USE_EVP
+	EVP_PKEY *pkey1, *pkey2;
+#endif
+
+#if USE_EVP
+	pkey1 = key1->keydata.pkey;
+	pkey2 = key2->keydata.pkey;
+	/*
+	 * The pkey reference will keep these around after
+	 * the RSA_free() call.
+	 */
+	if (pkey1 != NULL) {
+		rsa1 = EVP_PKEY_get1_RSA(pkey1);
+		RSA_free(rsa1);
+	}
+	if (pkey2 != NULL) {
+		rsa2 = EVP_PKEY_get1_RSA(pkey2);
+		RSA_free(rsa2);
+	}
+#else
+	rsa1 = key1->keydata.rsa;
+	rsa2 = key2->keydata.rsa;
+#endif
+
+	if (rsa1 == NULL && rsa2 == NULL)
+		return (true);
+	else if (rsa1 == NULL || rsa2 == NULL)
+		return (false);
+
+	RSA_get0_key(rsa1, &n1, &e1, &d1);
+	RSA_get0_key(rsa2, &n2, &e2, &d2);
+	status = BN_cmp(n1, n2) || BN_cmp(e1, e2);
+
+	if (status != 0)
+		return (false);
+
+#if USE_EVP
+	if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
+	    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) {
+		if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
+		    RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) == 0)
+			return (false);
+		/*
+		 * Can't compare private parameters, BTW does it make sense?
+		 */
+		return (true);
+	}
+#endif
+
+	if (d1 != NULL || d2 != NULL) {
+		if (d1 == NULL || d2 == NULL)
+			return (false);
+		RSA_get0_factors(rsa1, &p1, &q1);
+		RSA_get0_factors(rsa2, &p2, &q2);
+		status = BN_cmp(d1, d2) || BN_cmp(p1, p1) || BN_cmp(q1, q2);
+
+		if (status != 0)
+			return (false);
+	}
+	return (true);
+}
+
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+static int
+progress_cb(int p, int n, BN_GENCB *cb) {
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+
+	UNUSED(n);
+
+	u.dptr = BN_GENCB_get_arg(cb);
+	if (u.fptr != NULL)
+		u.fptr(p);
+	return (1);
+}
+#endif
+
+static isc_result_t
+opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+#if OPENSSL_VERSION_NUMBER > 0x00908000L
+	isc_result_t ret = DST_R_OPENSSLFAILURE;
+	union {
+		void *dptr;
+		void (*fptr)(int);
+	} u;
+	RSA *rsa = RSA_new();
+	BIGNUM *e = BN_new();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	BN_GENCB _cb;
+#endif
+	BN_GENCB *cb = BN_GENCB_new();
+#if USE_EVP
+	EVP_PKEY *pkey = EVP_PKEY_new();
+#endif
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096)
+			goto err;
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (rsa == NULL || e == NULL || cb == NULL)
+		goto err;
+#if USE_EVP
+	if (pkey == NULL)
+		goto err;
+	if (!EVP_PKEY_set1_RSA(pkey, rsa))
+		goto err;
+#endif
+
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 16);
+	} else {
+		/* (phased-out) F5 0x100000001 */
+		BN_set_bit(e, 0);
+		BN_set_bit(e, 32);
+	}
+
+	if (callback == NULL) {
+		BN_GENCB_set_old(cb, NULL, NULL);
+	} else {
+		u.fptr = callback;
+		BN_GENCB_set(cb, &progress_cb, u.dptr);
+	}
+
+	if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
+		BN_free(e);
+		BN_GENCB_free(cb);
+		cb = NULL;
+		SET_FLAGS(rsa);
+#if USE_EVP
+		key->keydata.pkey = pkey;
+
+		RSA_free(rsa);
+#else
+		key->keydata.rsa = rsa;
+#endif
+		return (ISC_R_SUCCESS);
+	}
+	ret = dst__openssl_toresult2("RSA_generate_key_ex",
+				     DST_R_OPENSSLFAILURE);
+
+ err:
+#if USE_EVP
+	if (pkey != NULL) {
+		EVP_PKEY_free(pkey);
+		pkey = NULL;
+	}
+#endif
+	if (e != NULL) {
+		BN_free(e);
+		e = NULL;
+	}
+	if (rsa != NULL) {
+		RSA_free(rsa);
+		rsa = NULL;
+	}
+	if (cb != NULL) {
+		BN_GENCB_free(cb);
+		cb = NULL;
+	}
+	return (dst__openssl_toresult(ret));
+#else
+	RSA *rsa;
+	unsigned long e;
+#if USE_EVP
+	EVP_PKEY *pkey = EVP_PKEY_new();
+
+	UNUSED(callback);
+
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+#else
+	UNUSED(callback);
+#endif
+
+	if (exp == 0)
+	       e = RSA_F4;
+	else
+	       e = 0x40000003;
+	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
+	if (rsa == NULL) {
+#if USE_EVP
+		EVP_PKEY_free(pkey);
+#endif
+		return (dst__openssl_toresult2("RSA_generate_key",
+					       DST_R_OPENSSLFAILURE));
+	}
+	SET_FLAGS(rsa);
+#if USE_EVP
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		EVP_PKEY_free(pkey);
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+#else
+	key->keydata.rsa = rsa;
+#endif
+
+	return (ISC_R_SUCCESS);
+#endif
+}
+
+static bool
+opensslrsa_isprivate(const dst_key_t *key) {
+	const BIGNUM *d = NULL;
+#if USE_EVP
+	RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	INSIST(rsa != NULL);
+	RSA_free(rsa);
+	/* key->keydata.pkey still has a reference so rsa is still valid. */
+#else
+	RSA *rsa = key->keydata.rsa;
+#endif
+	if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)
+		return (true);
+	RSA_get0_key(rsa, NULL, NULL, &d);
+	return (rsa != NULL && d != NULL);
+}
+
+static void
+opensslrsa_destroy(dst_key_t *key) {
+#if USE_EVP
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+#else
+	RSA *rsa = key->keydata.rsa;
+	RSA_free(rsa);
+	key->keydata.rsa = NULL;
+#endif
+}
+
+static isc_result_t
+opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	isc_region_t r;
+	unsigned int e_bytes;
+	unsigned int mod_bytes;
+	isc_result_t ret;
+	RSA *rsa;
+#if USE_EVP
+	EVP_PKEY *pkey;
+#endif
+	const BIGNUM *e = NULL, *n = NULL;
+
+#if USE_EVP
+	REQUIRE(key->keydata.pkey != NULL);
+#else
+	REQUIRE(key->keydata.rsa != NULL);
+#endif
+
+#if USE_EVP
+	pkey = key->keydata.pkey;
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
+	rsa = key->keydata.rsa;
+#endif
+
+	isc_buffer_availableregion(data, &r);
+
+	RSA_get0_key(rsa, &n, &e, NULL);
+	mod_bytes = BN_num_bytes(n);
+	e_bytes = BN_num_bytes(e);
+
+	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
+		if (r.length < 1)
+			DST_RET(ISC_R_NOSPACE);
+		isc_buffer_putuint8(data, (uint8_t) e_bytes);
+		isc_region_consume(&r, 1);
+	} else {
+		if (r.length < 3)
+			DST_RET(ISC_R_NOSPACE);
+		isc_buffer_putuint8(data, 0);
+		isc_buffer_putuint16(data, (uint16_t) e_bytes);
+		isc_region_consume(&r, 3);
+	}
+
+	if (r.length < e_bytes + mod_bytes)
+		DST_RET(ISC_R_NOSPACE);
+
+	RSA_get0_key(rsa, &n, &e, NULL);
+	BN_bn2bin(e, r.base);
+	isc_region_consume(&r, e_bytes);
+	BN_bn2bin(n, r.base);
+
+	isc_buffer_add(data, e_bytes + mod_bytes);
+
+	ret = ISC_R_SUCCESS;
+ err:
+#if USE_EVP
+	if (rsa != NULL)
+		RSA_free(rsa);
+#endif
+	return (ret);
+}
+
+static isc_result_t
+opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	RSA *rsa;
+	isc_region_t r;
+	unsigned int e_bytes;
+	unsigned int length;
+#if USE_EVP
+	EVP_PKEY *pkey;
+#endif
+	BIGNUM *e = NULL, *n = NULL;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	length = r.length;
+
+	rsa = RSA_new();
+	if (rsa == NULL)
+		return (dst__openssl_toresult(ISC_R_NOMEMORY));
+	SET_FLAGS(rsa);
+
+	if (r.length < 1) {
+		RSA_free(rsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	e_bytes = *r.base;
+	isc_region_consume(&r, 1);
+
+	if (e_bytes == 0) {
+		if (r.length < 2) {
+			RSA_free(rsa);
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		e_bytes = (*r.base) << 8;
+		isc_region_consume(&r, 1);
+		e_bytes += *r.base;
+		isc_region_consume(&r, 1);
+	}
+
+	if (r.length < e_bytes) {
+		RSA_free(rsa);
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	e = BN_bin2bn(r.base, e_bytes, NULL);
+	isc_region_consume(&r, e_bytes);
+	n = BN_bin2bn(r.base, r.length, NULL);
+	if (RSA_set0_key(rsa, n, e, NULL) == 0) {
+		if (n != NULL) BN_free(n);
+		if (e != NULL) BN_free(e);
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+	key->key_size = BN_num_bits(n);
+
+	isc_buffer_forward(data, length);
+
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		EVP_PKEY_free(pkey);
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+#else
+	key->keydata.rsa = rsa;
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	RSA *rsa;
+	dst_private_t priv;
+	unsigned char *bufs[8];
+	isc_result_t result;
+	const BIGNUM *n = NULL, *e = NULL, *d = NULL;
+	const BIGNUM *p = NULL, *q = NULL;
+	const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+#if USE_EVP
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+	rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
+	if (key->keydata.rsa == NULL)
+		return (DST_R_NULLKEY);
+	rsa = key->keydata.rsa;
+#endif
+	memset(bufs, 0, sizeof(bufs));
+
+	RSA_get0_key(rsa, &n, &e, &d);
+	RSA_get0_factors(rsa, &p, &q);
+	RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+
+	if (key->external) {
+		priv.nelements = 0;
+		result = dst__privstruct_writefile(key, &priv, directory);
+		goto fail;
+	}
+
+	for (i = 0; i < 8; i++) {
+		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(n));
+		if (bufs[i] == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_RSA_MODULUS;
+	priv.elements[i].length = BN_num_bytes(n);
+	BN_bn2bin(n, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+	priv.elements[i].length = BN_num_bytes(e);
+	BN_bn2bin(e, bufs[i]);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	if (d != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+		priv.elements[i].length = BN_num_bytes(d);
+		BN_bn2bin(d, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (p != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME1;
+		priv.elements[i].length = BN_num_bytes(p);
+		BN_bn2bin(p, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (q != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME2;
+		priv.elements[i].length = BN_num_bytes(q);
+		BN_bn2bin(q, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmp1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT1;
+		priv.elements[i].length = BN_num_bytes(dmp1);
+		BN_bn2bin(dmp1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmq1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT2;
+		priv.elements[i].length = BN_num_bytes(dmq1);
+		BN_bn2bin(dmq1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (iqmp != NULL) {
+		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+		priv.elements[i].length = BN_num_bytes(iqmp);
+		BN_bn2bin(iqmp, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_RSA_ENGINE;
+		priv.elements[i].length =
+			(unsigned short)strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_RSA_LABEL;
+		priv.elements[i].length =
+			(unsigned short)strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+#if USE_EVP
+	RSA_free(rsa);
+#endif
+	for (i = 0; i < 8; i++) {
+		if (bufs[i] == NULL)
+			break;
+		isc_mem_put(key->mctx, bufs[i], BN_num_bytes(n));
+	}
+	return (result);
+}
+
+static isc_result_t
+rsa_check(RSA *rsa, RSA *pub) {
+	const BIGNUM *n1 = NULL, *n2 = NULL;
+	const BIGNUM *e1 = NULL, *e2 = NULL;
+	BIGNUM *n = NULL, *e = NULL;
+
+	/*
+	 * Public parameters should be the same but if they are not set
+	 * copy them from the public key.
+	 */
+	RSA_get0_key(rsa, &n1, &e1, NULL);
+	if (pub != NULL) {
+		RSA_get0_key(pub, &n2, &e2, NULL);
+		if (n1 != NULL) {
+			if (BN_cmp(n1, n2) != 0)
+				return (DST_R_INVALIDPRIVATEKEY);
+		} else {
+			n = BN_dup(n2);
+		}
+		if (e1 != NULL) {
+			if (BN_cmp(e1, e2) != 0)
+				return (DST_R_INVALIDPRIVATEKEY);
+		} else {
+			e = BN_dup(e2);
+		}
+		if (RSA_set0_key(rsa, n, e, NULL) == 0) {
+			if (n != NULL)
+				BN_free(n);
+			if (e != NULL)
+				BN_free(e);
+		}
+	}
+	RSA_get0_key(rsa, &n1, &e1, NULL);
+	if (n1 == NULL || e1 == NULL)
+		return (DST_R_INVALIDPRIVATEKEY);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	RSA *rsa = NULL, *pubrsa = NULL;
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE *ep = NULL;
+	const BIGNUM *ex = NULL;
+#endif
+	isc_mem_t *mctx = key->mctx;
+	const char *engine = NULL, *label = NULL;
+#if !defined(OPENSSL_NO_ENGINE) || USE_EVP
+	EVP_PKEY *pkey = NULL;
+#endif
+	BIGNUM *n = NULL, *e = NULL, *d = NULL;
+	BIGNUM *p = NULL, *q = NULL;
+	BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+#if USE_EVP
+	if (pub != NULL && pub->keydata.pkey != NULL)
+		pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
+#else
+	if (pub != NULL && pub->keydata.rsa != NULL) {
+		pubrsa = pub->keydata.rsa;
+		pub->keydata.rsa = NULL;
+	}
+#endif
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_RSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+
+	/*
+	 * Is this key is stored in a HSM?
+	 * See if we can fetch it.
+	 */
+	if (label != NULL) {
+#if !defined(OPENSSL_NO_ENGINE)
+		if (engine == NULL)
+			DST_RET(DST_R_NOENGINE);
+		ep = dst__openssl_getengine(engine);
+		if (ep == NULL)
+			DST_RET(DST_R_NOENGINE);
+		pkey = ENGINE_load_private_key(ep, label, NULL, NULL);
+		if (pkey == NULL)
+			DST_RET(dst__openssl_toresult2(
+					"ENGINE_load_private_key",
+					ISC_R_NOTFOUND));
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		key->label = isc_mem_strdup(key->mctx, label);
+		if (key->label == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		rsa = EVP_PKEY_get1_RSA(pkey);
+		if (rsa == NULL)
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		RSA_get0_key(rsa, NULL, &ex, NULL);
+		if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
+			DST_RET(ISC_R_RANGE);
+		if (pubrsa != NULL)
+			RSA_free(pubrsa);
+		key->key_size = EVP_PKEY_bits(pkey);
+#if USE_EVP
+		key->keydata.pkey = pkey;
+		RSA_free(rsa);
+#else
+		key->keydata.rsa = rsa;
+		EVP_PKEY_free(pkey);
+#endif
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+#else
+		DST_RET(DST_R_NOENGINE);
+#endif
+	}
+
+	rsa = RSA_new();
+	if (rsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	SET_FLAGS(rsa);
+
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_RSA(pkey, rsa))
+		DST_RET(ISC_R_FAILURE);
+	key->keydata.pkey = pkey;
+#else
+	key->keydata.rsa = rsa;
+#endif
+
+	for (i = 0; i < priv.nelements; i++) {
+		BIGNUM *bn;
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			continue;
+		case TAG_RSA_LABEL:
+			continue;
+		default:
+			bn = BN_bin2bn(priv.elements[i].data,
+				       priv.elements[i].length, NULL);
+			if (bn == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			switch (priv.elements[i].tag) {
+			case TAG_RSA_MODULUS:
+				n = bn;
+				break;
+			case TAG_RSA_PUBLICEXPONENT:
+				e = bn;
+				break;
+			case TAG_RSA_PRIVATEEXPONENT:
+				d = bn;
+				break;
+			case TAG_RSA_PRIME1:
+				p = bn;
+				break;
+			case TAG_RSA_PRIME2:
+				q = bn;
+				break;
+			case TAG_RSA_EXPONENT1:
+				dmp1 = bn;
+				break;
+			case TAG_RSA_EXPONENT2:
+				dmq1 = bn;
+				break;
+			case TAG_RSA_COEFFICIENT:
+				iqmp = bn;
+				break;
+			}
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+
+	if (RSA_set0_key(rsa, n, e, d) == 0) {
+		if (n != NULL) BN_free(n);
+		if (e != NULL) BN_free(e);
+		if (d != NULL) BN_free(d);
+	}
+	if (RSA_set0_factors(rsa, p, q) == 0) {
+		if (p != NULL) BN_free(p);
+		if (q != NULL) BN_free(q);
+	}
+	if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) {
+		if (dmp1 != NULL) BN_free(dmp1);
+		if (dmq1 != NULL) BN_free(dmq1);
+		if (iqmp != NULL) BN_free(iqmp);
+	}
+
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS)
+		DST_RET(ISC_R_RANGE);
+	key->key_size = BN_num_bits(n);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
+#if USE_EVP
+	RSA_free(rsa);
+#endif
+
+	return (ISC_R_SUCCESS);
+
+ err:
+#if USE_EVP
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+#endif
+	if (rsa != NULL)
+		RSA_free(rsa);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
+	key->keydata.generic = NULL;
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		     const char *pin)
+{
+#if !defined(OPENSSL_NO_ENGINE)
+	ENGINE *e = NULL;
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	RSA *rsa = NULL, *pubrsa = NULL;
+	char *colon, *tmpengine = NULL;
+	const BIGNUM *ex = NULL;
+
+	UNUSED(pin);
+
+	if (engine == NULL) {
+		if (strchr(label, ':') == NULL)
+			DST_RET(DST_R_NOENGINE);
+		tmpengine = isc_mem_strdup(key->mctx, label);
+		if (tmpengine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		colon = strchr(tmpengine, ':');
+		INSIST(colon != NULL);
+		*colon = '\0';
+	}
+	e = dst__openssl_getengine(engine);
+	if (e == NULL)
+		DST_RET(DST_R_NOENGINE);
+	pkey = ENGINE_load_public_key(e, label, NULL, NULL);
+	if (pkey != NULL) {
+		pubrsa = EVP_PKEY_get1_RSA(pkey);
+		EVP_PKEY_free(pkey);
+		if (pubrsa == NULL)
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+	if (pkey == NULL)
+		DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
+					       ISC_R_NOTFOUND));
+	if (tmpengine != NULL) {
+		key->engine = tmpengine;
+		tmpengine = NULL;
+	} else {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL)
+		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	RSA_get0_key(rsa, NULL, &ex, NULL);
+	if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
+		DST_RET(ISC_R_RANGE);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
+	key->key_size = EVP_PKEY_bits(pkey);
+#if USE_EVP
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+#else
+	key->keydata.rsa = rsa;
+	EVP_PKEY_free(pkey);
+#endif
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (tmpengine != NULL)
+		isc_mem_free(key->mctx, tmpengine);
+	if (rsa != NULL)
+		RSA_free(rsa);
+	if (pubrsa != NULL)
+		RSA_free(pubrsa);
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+	return (ret);
+#else
+	UNUSED(key);
+	UNUSED(engine);
+	UNUSED(label);
+	UNUSED(pin);
+	return(DST_R_NOENGINE);
+#endif
+}
+
+static dst_func_t opensslrsa_functions = {
+	opensslrsa_createctx,
+	NULL, /*%< createctx2 */
+	opensslrsa_destroyctx,
+	opensslrsa_adddata,
+	opensslrsa_sign,
+	opensslrsa_verify,
+	opensslrsa_verify2,
+	NULL, /*%< computesecret */
+	opensslrsa_compare,
+	NULL, /*%< paramcompare */
+	opensslrsa_generate,
+	opensslrsa_isprivate,
+	opensslrsa_destroy,
+	opensslrsa_todns,
+	opensslrsa_fromdns,
+	opensslrsa_tofile,
+	opensslrsa_parse,
+	NULL, /*%< cleanup */
+	opensslrsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
+	REQUIRE(funcp != NULL);
+
+	if (*funcp == NULL) {
+		switch (algorithm) {
+		case DST_ALG_RSASHA256:
+#if defined(HAVE_EVP_SHA256) || !USE_EVP
+			*funcp = &opensslrsa_functions;
+#endif
+			break;
+		case DST_ALG_RSASHA512:
+#if defined(HAVE_EVP_SHA512) || !USE_EVP
+			*funcp = &opensslrsa_functions;
+#endif
+			break;
+		default:
+			*funcp = &opensslrsa_functions;
+			break;
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
+/*! \file */
diff --git a/lib/dns/order.c b/lib/dns/order.c
new file mode 100644
index 0000000..6ffc4a0
--- /dev/null
+++ b/lib/dns/order.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: order.c,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#include <isc/refcount.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/order.h>
+#include <dns/rdataset.h>
+#include <dns/types.h>
+
+typedef struct dns_order_ent dns_order_ent_t;
+struct dns_order_ent {
+	dns_fixedname_t			name;
+	dns_rdataclass_t		rdclass;
+	dns_rdatatype_t			rdtype;
+	unsigned int			mode;
+	ISC_LINK(dns_order_ent_t)	link;
+};
+
+struct dns_order {
+	unsigned int			magic;
+	isc_refcount_t          	references;
+	ISC_LIST(dns_order_ent_t)	ents;
+	isc_mem_t			*mctx;
+};
+
+#define DNS_ORDER_MAGIC ISC_MAGIC('O','r','d','r')
+#define DNS_ORDER_VALID(order)	ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
+	dns_order_t *order;
+	isc_result_t result;
+
+	REQUIRE(orderp != NULL && *orderp == NULL);
+
+	order = isc_mem_get(mctx, sizeof(*order));
+	if (order == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ISC_LIST_INIT(order->ents);
+
+	/* Implicit attach. */
+	result = isc_refcount_init(&order->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, order, sizeof(*order));
+		return (result);
+	}
+
+	order->mctx = NULL;
+	isc_mem_attach(mctx, &order->mctx);
+	order->magic = DNS_ORDER_MAGIC;
+	*orderp = order;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+	      dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+	      unsigned int mode)
+{
+	dns_order_ent_t *ent;
+
+	REQUIRE(DNS_ORDER_VALID(order));
+	REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
+		mode == DNS_RDATASETATTR_FIXEDORDER ||
+		mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
+
+	ent = isc_mem_get(order->mctx, sizeof(*ent));
+	if (ent == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_fixedname_init(&ent->name);
+	RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
+		      == ISC_R_SUCCESS);
+	ent->rdtype = rdtype;
+	ent->rdclass = rdclass;
+	ent->mode = mode;
+	ISC_LINK_INIT(ent, link);
+	ISC_LIST_INITANDAPPEND(order->ents, ent, link);
+	return (ISC_R_SUCCESS);
+}
+
+static inline bool
+match(dns_name_t *name1, dns_name_t *name2) {
+
+	if (dns_name_iswildcard(name2))
+		return(dns_name_matcheswildcard(name1, name2));
+	return (dns_name_equal(name1, name2));
+}
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+	       dns_rdatatype_t rdtype, dns_rdataclass_t rdclass)
+{
+	dns_order_ent_t *ent;
+	REQUIRE(DNS_ORDER_VALID(order));
+
+	for (ent = ISC_LIST_HEAD(order->ents);
+	     ent != NULL;
+	     ent = ISC_LIST_NEXT(ent, link)) {
+		if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any)
+			continue;
+		if (ent->rdclass != rdclass &&
+		    ent->rdclass != dns_rdataclass_any)
+			continue;
+		if (match(name, dns_fixedname_name(&ent->name)))
+			return (ent->mode);
+	}
+	return (DNS_RDATASETATTR_RANDOMIZE);
+}
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target) {
+	REQUIRE(DNS_ORDER_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	isc_refcount_increment(&source->references, NULL);
+	*target = source;
+}
+
+void
+dns_order_detach(dns_order_t **orderp) {
+	dns_order_t *order;
+	dns_order_ent_t *ent;
+	unsigned int references;
+
+	REQUIRE(orderp != NULL);
+	order = *orderp;
+	REQUIRE(DNS_ORDER_VALID(order));
+	isc_refcount_decrement(&order->references, &references);
+	*orderp = NULL;
+	if (references != 0)
+		return;
+
+	order->magic = 0;
+	while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
+		ISC_LIST_UNLINK(order->ents, ent, link);
+		isc_mem_put(order->mctx, ent, sizeof(*ent));
+	}
+	isc_refcount_destroy(&order->references);
+	isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
+}
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
new file mode 100644
index 0000000..3a781d2
--- /dev/null
+++ b/lib/dns/peer.c
@@ -0,0 +1,887 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: peer.c,v 1.33 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/sockaddr.h>
+
+#include <dns/bit.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/peer.h>
+
+/*%
+ * Bit positions in the dns_peer_t structure flags field
+ */
+#define BOGUS_BIT			 0
+#define SERVER_TRANSFER_FORMAT_BIT	 1
+#define TRANSFERS_BIT			 2
+#define PROVIDE_IXFR_BIT		 3
+#define REQUEST_IXFR_BIT		 4
+#define SUPPORT_EDNS_BIT		 5
+#define SERVER_UDPSIZE_BIT		 6
+#define SERVER_MAXUDP_BIT		 7
+#define REQUEST_NSID_BIT                 8
+#define SEND_COOKIE_BIT                  9
+#define NOTIFY_DSCP_BIT                 10
+#define TRANSFER_DSCP_BIT               11
+#define QUERY_DSCP_BIT                 	12
+#define REQUEST_EXPIRE_BIT              13
+#define EDNS_VERSION_BIT	        14
+#define FORCE_TCP_BIT			15
+
+static void
+peerlist_delete(dns_peerlist_t **list);
+
+static void
+peer_delete(dns_peer_t **peer);
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
+	dns_peerlist_t *l;
+
+	REQUIRE(list != NULL);
+
+	l = isc_mem_get(mem, sizeof(*l));
+	if (l == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ISC_LIST_INIT(l->elements);
+	l->mem = mem;
+	l->refs = 1;
+	l->magic = DNS_PEERLIST_MAGIC;
+
+	*list = l;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
+	REQUIRE(DNS_PEERLIST_VALID(source));
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL);
+
+	source->refs++;
+
+	ENSURE(source->refs != 0xffffffffU);
+
+	*target = source;
+}
+
+void
+dns_peerlist_detach(dns_peerlist_t **list) {
+	dns_peerlist_t *plist;
+
+	REQUIRE(list != NULL);
+	REQUIRE(*list != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(*list));
+
+	plist = *list;
+	*list = NULL;
+
+	REQUIRE(plist->refs > 0);
+
+	plist->refs--;
+
+	if (plist->refs == 0)
+		peerlist_delete(&plist);
+}
+
+static void
+peerlist_delete(dns_peerlist_t **list) {
+	dns_peerlist_t *l;
+	dns_peer_t *server, *stmp;
+
+	REQUIRE(list != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(*list));
+
+	l = *list;
+
+	REQUIRE(l->refs == 0);
+
+	server = ISC_LIST_HEAD(l->elements);
+	while (server != NULL) {
+		stmp = ISC_LIST_NEXT(server, next);
+		ISC_LIST_UNLINK(l->elements, server, next);
+		dns_peer_detach(&server);
+		server = stmp;
+	}
+
+	l->magic = 0;
+	isc_mem_put(l->mem, l, sizeof(*l));
+
+	*list = NULL;
+}
+
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
+	dns_peer_t *p = NULL;
+
+	dns_peer_attach(peer, &p);
+
+	/*
+	 * More specifics to front of list.
+	 */
+	for (p = ISC_LIST_HEAD(peers->elements);
+	     p != NULL;
+	     p = ISC_LIST_NEXT(p, next))
+		if (p->prefixlen < peer->prefixlen)
+			break;
+
+	if (p != NULL)
+		ISC_LIST_INSERTBEFORE(peers->elements, p, peer, next);
+	else
+		ISC_LIST_APPEND(peers->elements, peer, next);
+
+}
+
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
+			isc_netaddr_t *addr, dns_peer_t **retval)
+{
+	dns_peer_t *server;
+	isc_result_t res;
+
+	REQUIRE(retval != NULL);
+	REQUIRE(DNS_PEERLIST_VALID(servers));
+
+	server = ISC_LIST_HEAD(servers->elements);
+	while (server != NULL) {
+		if (isc_netaddr_eqprefix(addr, &server->address,
+					 server->prefixlen))
+			break;
+
+		server = ISC_LIST_NEXT(server, next);
+	}
+
+	if (server != NULL) {
+		*retval = server;
+		res = ISC_R_SUCCESS;
+	} else {
+		res = ISC_R_NOTFOUND;
+	}
+
+	return (res);
+}
+
+
+
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
+	dns_peer_t *p = NULL;
+
+	p = ISC_LIST_TAIL(peers->elements);
+
+	dns_peer_attach(p, retval);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
+	unsigned int prefixlen = 0;
+
+	REQUIRE(peerptr != NULL);
+	switch(addr->family) {
+	case AF_INET:
+		prefixlen = 32;
+		break;
+	case AF_INET6:
+		 prefixlen = 128;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	return (dns_peer_newprefix(mem, addr, prefixlen, peerptr));
+}
+
+isc_result_t
+dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *addr, unsigned int prefixlen,
+		   dns_peer_t **peerptr)
+{
+	dns_peer_t *peer;
+
+	REQUIRE(peerptr != NULL);
+
+	peer = isc_mem_get(mem, sizeof(*peer));
+	if (peer == NULL)
+		return (ISC_R_NOMEMORY);
+
+	peer->magic = DNS_PEER_MAGIC;
+	peer->address = *addr;
+	peer->prefixlen = prefixlen;
+	peer->mem = mem;
+	peer->bogus = false;
+	peer->transfer_format = dns_one_answer;
+	peer->transfers = 0;
+	peer->request_ixfr = false;
+	peer->provide_ixfr = false;
+	peer->key = NULL;
+	peer->refs = 1;
+	peer->transfer_source = NULL;
+	peer->notify_source = NULL;
+	peer->query_source = NULL;
+
+	memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
+
+	ISC_LINK_INIT(peer, next);
+
+	*peerptr = peer;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
+	REQUIRE(DNS_PEER_VALID(source));
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL);
+
+	source->refs++;
+
+	ENSURE(source->refs != 0xffffffffU);
+
+	*target = source;
+}
+
+void
+dns_peer_detach(dns_peer_t **peer) {
+	dns_peer_t *p;
+
+	REQUIRE(peer != NULL);
+	REQUIRE(*peer != NULL);
+	REQUIRE(DNS_PEER_VALID(*peer));
+
+	p = *peer;
+
+	REQUIRE(p->refs > 0);
+
+	*peer = NULL;
+	p->refs--;
+
+	if (p->refs == 0)
+		peer_delete(&p);
+}
+
+static void
+peer_delete(dns_peer_t **peer) {
+	dns_peer_t *p;
+	isc_mem_t *mem;
+
+	REQUIRE(peer != NULL);
+	REQUIRE(DNS_PEER_VALID(*peer));
+
+	p = *peer;
+
+	REQUIRE(p->refs == 0);
+
+	mem = p->mem;
+	p->mem = NULL;
+	p->magic = 0;
+
+	if (p->key != NULL) {
+		dns_name_free(p->key, mem);
+		isc_mem_put(mem, p->key, sizeof(dns_name_t));
+	}
+
+	if (p->query_source != NULL)
+		isc_mem_put(mem, p->query_source, sizeof(*p->query_source));
+
+	if (p->notify_source != NULL)
+		isc_mem_put(mem, p->notify_source, sizeof(*p->notify_source));
+
+	if (p->transfer_source != NULL)
+		isc_mem_put(mem, p->transfer_source,
+			    sizeof(*p->transfer_source));
+
+	isc_mem_put(mem, p, sizeof(*p));
+
+	*peer = NULL;
+}
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
+
+	peer->bogus = newval;
+	DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
+		*retval = peer->bogus;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+	peer->provide_ixfr = newval;
+	DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
+		*retval = peer->provide_ixfr;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
+
+	peer->request_ixfr = newval;
+	DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
+		*retval = peer->request_ixfr;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+	peer->support_edns = newval;
+	DNS_BIT_SET(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) {
+		*retval = peer->support_edns;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags);
+
+	peer->request_nsid = newval;
+	DNS_BIT_SET(REQUEST_NSID_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags)) {
+		*retval = peer->request_nsid;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setsendcookie(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SEND_COOKIE_BIT, &peer->bitflags);
+
+	peer->send_cookie = newval;
+	DNS_BIT_SET(SEND_COOKIE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getsendcookie(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SEND_COOKIE_BIT, &peer->bitflags)) {
+		*retval = peer->send_cookie;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setrequestexpire(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_EXPIRE_BIT, &peer->bitflags);
+
+	peer->request_expire = newval;
+	DNS_BIT_SET(REQUEST_EXPIRE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestexpire(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_EXPIRE_BIT, &peer->bitflags)) {
+		*retval = peer->request_expire;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setforcetcp(dns_peer_t *peer, bool newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(FORCE_TCP_BIT, &peer->bitflags);
+
+	peer->force_tcp = newval;
+	DNS_BIT_SET(FORCE_TCP_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getforcetcp(dns_peer_t *peer, bool *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(FORCE_TCP_BIT, &peer->bitflags)) {
+		*retval = peer->force_tcp;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, uint32_t newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
+
+	peer->transfers = newval;
+	DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, uint32_t *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
+		*retval = peer->transfers;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT,
+				 &peer->bitflags);
+
+	peer->transfer_format = newval;
+	DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
+		*retval = peer->transfer_format;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (peer->key != NULL) {
+		*retval = peer->key;
+	}
+
+	return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
+	bool exists = false;
+
+	if (peer->key != NULL) {
+		dns_name_free(peer->key, peer->mem);
+		isc_mem_put(peer->mem, peer->key, sizeof(dns_name_t));
+		exists = true;
+	}
+
+	peer->key = *keyval;
+	*keyval = NULL;
+
+	return (exists ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
+	isc_buffer_t b;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	dns_fixedname_init(&fname);
+	isc_buffer_constinit(&b, keyval, strlen(keyval));
+	isc_buffer_add(&b, strlen(keyval));
+	result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
+				   dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	name = isc_mem_get(peer->mem, sizeof(dns_name_t));
+	if (name == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_name_init(name, NULL);
+	result = dns_name_dup(dns_fixedname_name(&fname), peer->mem, name);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(peer->mem, name, sizeof(dns_name_t));
+		return (result);
+	}
+
+	result = dns_peer_setkey(peer, &name);
+	if (result != ISC_R_SUCCESS)
+		isc_mem_put(peer->mem, name, sizeof(dns_name_t));
+
+	return (result);
+}
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer,
+			   const isc_sockaddr_t *transfer_source)
+{
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->transfer_source != NULL) {
+		isc_mem_put(peer->mem, peer->transfer_source,
+			    sizeof(*peer->transfer_source));
+		peer->transfer_source = NULL;
+	}
+	if (transfer_source != NULL) {
+		peer->transfer_source = isc_mem_get(peer->mem,
+						sizeof(*peer->transfer_source));
+		if (peer->transfer_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->transfer_source = *transfer_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(transfer_source != NULL);
+
+	if (peer->transfer_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*transfer_source = *peer->transfer_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setnotifysource(dns_peer_t *peer,
+			 const isc_sockaddr_t *notify_source)
+{
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->notify_source != NULL) {
+		isc_mem_put(peer->mem, peer->notify_source,
+			    sizeof(*peer->notify_source));
+		peer->notify_source = NULL;
+	}
+	if (notify_source != NULL) {
+		peer->notify_source = isc_mem_get(peer->mem,
+						sizeof(*peer->notify_source));
+		if (peer->notify_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->notify_source = *notify_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getnotifysource(dns_peer_t *peer, isc_sockaddr_t *notify_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(notify_source != NULL);
+
+	if (peer->notify_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*notify_source = *peer->notify_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	if (peer->query_source != NULL) {
+		isc_mem_put(peer->mem, peer->query_source,
+			    sizeof(*peer->query_source));
+		peer->query_source = NULL;
+	}
+	if (query_source != NULL) {
+		peer->query_source = isc_mem_get(peer->mem,
+						sizeof(*peer->query_source));
+		if (peer->query_source == NULL)
+			return (ISC_R_NOMEMORY);
+
+		*peer->query_source = *query_source;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getquerysource(dns_peer_t *peer, isc_sockaddr_t *query_source) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(query_source != NULL);
+
+	if (peer->query_source == NULL)
+		return (ISC_R_NOTFOUND);
+	*query_source = *peer->query_source;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setudpsize(dns_peer_t *peer, uint16_t udpsize) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	peer->udpsize = udpsize;
+	DNS_BIT_SET(SERVER_UDPSIZE_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getudpsize(dns_peer_t *peer, uint16_t *udpsize) {
+
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(udpsize != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags)) {
+		*udpsize = peer->udpsize;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setmaxudp(dns_peer_t *peer, uint16_t maxudp) {
+	bool existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	peer->maxudp = maxudp;
+	DNS_BIT_SET(SERVER_MAXUDP_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getmaxudp(dns_peer_t *peer, uint16_t *maxudp) {
+
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(maxudp != NULL);
+
+	if (DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags)) {
+		*maxudp = peer->maxudp;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+}
+
+isc_result_t
+dns_peer_setnotifydscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->notify_dscp = dscp;
+	DNS_BIT_SET(NOTIFY_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getnotifydscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(NOTIFY_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->notify_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_settransferdscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->transfer_dscp = dscp;
+	DNS_BIT_SET(TRANSFER_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransferdscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(TRANSFER_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->transfer_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setquerydscp(dns_peer_t *peer, isc_dscp_t dscp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscp < 64);
+
+	peer->query_dscp = dscp;
+	DNS_BIT_SET(QUERY_DSCP_BIT, &peer->bitflags);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getquerydscp(dns_peer_t *peer, isc_dscp_t *dscpp) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(dscpp != NULL);
+
+	if (DNS_BIT_CHECK(QUERY_DSCP_BIT, &peer->bitflags)) {
+		*dscpp = peer->query_dscp;
+		return (ISC_R_SUCCESS);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setednsversion(dns_peer_t *peer, uint8_t ednsversion) {
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	peer->ednsversion = ednsversion;
+	DNS_BIT_SET(EDNS_VERSION_BIT, &peer->bitflags);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getednsversion(dns_peer_t *peer, uint8_t *ednsversion) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(ednsversion != NULL);
+
+	if (DNS_BIT_CHECK(EDNS_VERSION_BIT, &peer->bitflags)) {
+		*ednsversion = peer->ednsversion;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
diff --git a/lib/dns/pkcs11.c b/lib/dns/pkcs11.c
new file mode 100644
index 0000000..5a2c502
--- /dev/null
+++ b/lib/dns/pkcs11.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+
+#include "dst_pkcs11.h"
+
+isc_result_t
+dst__pkcs11_toresult(const char *funcname, const char *file, int line,
+		     isc_result_t fallback, CK_RV rv)
+{
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_CRYPTO, ISC_LOG_WARNING,
+		      "%s:%d: %s: Error = 0x%.8lX\n",
+		      file, line, funcname, rv);
+	if (rv == CKR_HOST_MEMORY)
+		return (ISC_R_NOMEMORY);
+	return (fallback);
+}
+
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
new file mode 100644
index 0000000..e2b60ea
--- /dev/null
+++ b/lib/dns/pkcs11dh_link.c
@@ -0,0 +1,1136 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <pk11/site.h>
+
+#ifndef PK11_DH_DISABLE
+
+#include <ctype.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#define WANT_DH_PRIMES
+#include <pk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * PKCS#3 DH keys:
+ *  mechanisms:
+ *    CKM_DH_PKCS_PARAMETER_GEN,
+ *    CKM_DH_PKCS_KEY_PAIR_GEN,
+ *    CKM_DH_PKCS_DERIVE
+ *  domain parameters:
+ *    object class CKO_DOMAIN_PARAMETERS
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    optional attribute CKA_PRIME_BITS (p length in bits)
+ *  public key:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (public value y)
+ *  private key:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_DH
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (private value x)
+ *    optional attribute CKA_VALUE_BITS (x length in bits)
+ *  reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2	CKA_PRIVATE_EXPONENT
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static void pkcs11dh_destroy(dst_key_t *key);
+static isc_result_t pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+pkcs11dh_loadpriv(const dst_key_t *key,
+		  CK_SESSION_HANDLE session,
+		  CK_OBJECT_HANDLE *hKey)
+{
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_DH;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	const pk11_object_t *priv;
+	isc_result_t ret;
+	unsigned int i;
+
+	priv = key->keydata.pkey;
+	if ((priv->object != CK_INVALID_HANDLE) && priv->ontoken) {
+		*hKey = priv->object;
+		return (ISC_R_SUCCESS);
+	}
+
+	attr = pk11_attribute_bytype(priv, CKA_PRIME);
+	if (attr == NULL)
+		return (DST_R_INVALIDPRIVATEKEY);
+	keyTemplate[6].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (keyTemplate[6].pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(keyTemplate[6].pValue, attr->pValue, attr->ulValueLen);
+	keyTemplate[6].ulValueLen = attr->ulValueLen;
+
+	attr = pk11_attribute_bytype(priv, CKA_BASE);
+	if (attr == NULL)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	keyTemplate[7].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (keyTemplate[7].pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(keyTemplate[7].pValue, attr->pValue, attr->ulValueLen);
+	keyTemplate[7].ulValueLen = attr->ulValueLen;
+
+	attr = pk11_attribute_bytype(priv, CKA_VALUE2);
+	if (attr == NULL)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	keyTemplate[8].pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (keyTemplate[8].pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(keyTemplate[8].pValue, attr->pValue, attr->ulValueLen);
+	keyTemplate[8].ulValueLen = attr->ulValueLen;
+
+	PK11_CALL(pkcs_C_CreateObject,
+		  (session, keyTemplate, (CK_ULONG) 9, hKey),
+		  DST_R_COMPUTESECRETFAILURE);
+	if (rv == CKR_OK)
+		ret = ISC_R_SUCCESS;
+
+    err:
+	for (i = 6; i <= 8; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(key->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+		       isc_buffer_t *secret)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_DH_PKCS_DERIVE, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+	CK_OBJECT_HANDLE hDerived = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_ATTRIBUTE *attr;
+	CK_ULONG secLen;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE_LEN, &secLen, (CK_ULONG) sizeof(secLen) }
+	};
+	CK_ATTRIBUTE valTemplate[] =
+	{
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_BYTE *secValue;
+	pk11_context_t ctx;
+	isc_result_t ret;
+	unsigned int i;
+	isc_region_t r;
+
+	REQUIRE(pub->keydata.pkey != NULL);
+	REQUIRE(priv->keydata.pkey != NULL);
+	REQUIRE(priv->keydata.pkey->repr != NULL);
+	attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_PRIME);
+	if (attr == NULL)
+		return (DST_R_INVALIDPUBLICKEY);
+	REQUIRE(attr != NULL);
+	secLen = attr->ulValueLen;
+	attr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+	if (attr == NULL)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	ret = pk11_get_session(&ctx, OP_DH, true, false,
+			       priv->keydata.pkey->reqlogon, NULL,
+			       pk11_get_best_token(OP_DH));
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	mech.ulParameterLen = attr->ulValueLen;
+	mech.pParameter = isc_mem_get(pub->mctx, mech.ulParameterLen);
+	if (mech.pParameter == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(mech.pParameter, attr->pValue, mech.ulParameterLen);
+
+	ret = pkcs11dh_loadpriv(priv, ctx.session, &hKey);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	PK11_RET(pkcs_C_DeriveKey,
+		 (ctx.session, &mech, hKey,
+		  keyTemplate, (CK_ULONG) 6, &hDerived),
+		 DST_R_COMPUTESECRETFAILURE);
+
+	attr = valTemplate;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (ctx.session, hDerived, attr, (CK_ULONG) 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(pub->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (ctx.session, hDerived, attr, (CK_ULONG) 1),
+		 DST_R_CRYPTOFAILURE);
+
+	/* strip leading zeros */
+	secValue = (CK_BYTE_PTR) attr->pValue;
+	for (i = 0; i < attr->ulValueLen; i++)
+		if (secValue[i] != 0)
+			break;
+	isc_buffer_availableregion(secret, &r);
+	if (r.length < attr->ulValueLen - i)
+		DST_RET(ISC_R_NOSPACE);
+	memmove(r.base, secValue + i, attr->ulValueLen - i);
+	isc_buffer_add(secret, attr->ulValueLen - i);
+	ret = ISC_R_SUCCESS;
+
+    err:
+	if (hDerived != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx.session, hDerived);
+	if (valTemplate[0].pValue != NULL) {
+		isc_safe_memwipe(valTemplate[0].pValue,
+				 valTemplate[0].ulValueLen);
+		isc_mem_put(pub->mctx,
+			    valTemplate[0].pValue,
+			    valTemplate[0].ulValueLen);
+	}
+	if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken)
+		(void) pkcs_C_DestroyObject(ctx.session, hKey);
+	if (mech.pParameter != NULL) {
+		isc_safe_memwipe(mech.pParameter, mech.ulParameterLen);
+		isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen);
+	}
+	pk11_return_session(&ctx);
+	return (ret);
+}
+
+static bool
+pkcs11dh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *dh1, *dh2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	dh1 = key1->keydata.pkey;
+	dh2 = key2->keydata.pkey;
+
+	if ((dh1 == NULL) && (dh2 == NULL))
+		return (true);
+	else if ((dh1 == NULL) || (dh2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+	attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+	attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(dh2, CKA_VALUE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_VALUE2);
+	attr2 = pk11_attribute_bytype(dh2, CKA_VALUE2);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!dh1->ontoken && !dh2->ontoken)
+		return (true);
+	else if (dh1->ontoken || dh2->ontoken ||
+		 (dh1->object != dh2->object))
+		return (false);
+
+	return (true);
+}
+
+static bool
+pkcs11dh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *dh1, *dh2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	dh1 = key1->keydata.pkey;
+	dh2 = key2->keydata.pkey;
+
+	if ((dh1 == NULL) && (dh2 == NULL))
+		return (true);
+	else if ((dh1 == NULL) || (dh2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_PRIME);
+	attr2 = pk11_attribute_bytype(dh2, CKA_PRIME);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dh1, CKA_BASE);
+	attr2 = pk11_attribute_bytype(dh2, CKA_BASE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	return (true);
+}
+
+static isc_result_t
+pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_DH_PKCS_PARAMETER_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE domainparams = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS dClass = CKO_DOMAIN_PARAMETERS;
+	CK_KEY_TYPE keyType = CKK_DH;
+	CK_ULONG bits = 0;
+	CK_ATTRIBUTE dTemplate[] =
+	{
+		{ CKA_CLASS, &dClass, (CK_ULONG) sizeof(dClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) }
+	};
+	CK_ATTRIBUTE pTemplate[] =
+	{
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE,&keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 },
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_DERIVE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *dh = NULL;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_DH, true, false,
+			       false, NULL, pk11_get_best_token(OP_DH));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	bits = key->key_size;
+	if ((generator == 0) &&
+	    ((bits == 768) || (bits == 1024) || (bits == 1536))) {
+		if (bits == 768) {
+			pubTemplate[4].pValue =
+				isc_mem_get(key->mctx, sizeof(pk11_dh_bn768));
+			if (pubTemplate[4].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(pubTemplate[4].pValue,
+				pk11_dh_bn768, sizeof(pk11_dh_bn768));
+			pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn768);
+		} else if (bits == 1024) {
+			pubTemplate[4].pValue =
+				isc_mem_get(key->mctx, sizeof(pk11_dh_bn1024));
+			if (pubTemplate[4].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(pubTemplate[4].pValue,
+				pk11_dh_bn1024, sizeof(pk11_dh_bn1024));
+			pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1024);
+		} else {
+			pubTemplate[4].pValue =
+				isc_mem_get(key->mctx, sizeof(pk11_dh_bn1536));
+			if (pubTemplate[4].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(pubTemplate[4].pValue,
+				pk11_dh_bn1536, sizeof(pk11_dh_bn1536));
+			pubTemplate[4].ulValueLen = sizeof(pk11_dh_bn1536);
+		}
+		pubTemplate[5].pValue = isc_mem_get(key->mctx,
+						    sizeof(pk11_dh_bn2));
+		if (pubTemplate[5].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memmove(pubTemplate[5].pValue, pk11_dh_bn2,
+			sizeof(pk11_dh_bn2));
+		pubTemplate[5].ulValueLen = sizeof(pk11_dh_bn2);
+	} else {
+		PK11_RET(pkcs_C_GenerateKey,
+			 (pk11_ctx->session, &mech,
+			  dTemplate, (CK_ULONG) 5, &domainparams),
+			 DST_R_CRYPTOFAILURE);
+		PK11_RET(pkcs_C_GetAttributeValue,
+			 (pk11_ctx->session, domainparams,
+			  pTemplate, (CK_ULONG) 2),
+			 DST_R_CRYPTOFAILURE);
+		pTemplate[0].pValue = isc_mem_get(key->mctx,
+						  pTemplate[0].ulValueLen);
+		if (pTemplate[0].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+		pTemplate[1].pValue = isc_mem_get(key->mctx,
+						  pTemplate[1].ulValueLen);
+		if (pTemplate[1].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+		PK11_RET(pkcs_C_GetAttributeValue,
+			 (pk11_ctx->session, domainparams,
+			  pTemplate, (CK_ULONG) 2),
+			 DST_R_CRYPTOFAILURE);
+
+		pubTemplate[4].pValue = pTemplate[0].pValue;
+		pubTemplate[4].ulValueLen = pTemplate[0].ulValueLen;
+		pTemplate[0].pValue = NULL;
+		pubTemplate[5].pValue = pTemplate[1].pValue;
+		pubTemplate[5].ulValueLen = pTemplate[1].ulValueLen;
+		pTemplate[1].pValue = NULL;
+	}
+
+	mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 6,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+	if (dh == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dh, 0,  sizeof(*dh));
+	key->keydata.pkey = dh;
+	dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+	if (dh->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dh->repr, 0, sizeof(*attr) * 4);
+	dh->attrcnt = 4;
+
+	attr = dh->repr;
+	attr[0].type = CKA_PRIME;
+	attr[0].pValue = pubTemplate[4].pValue;
+	attr[0].ulValueLen = pubTemplate[4].ulValueLen;
+	pubTemplate[4].pValue = NULL;
+
+	attr[1].type = CKA_BASE;
+	attr[1].pValue = pubTemplate[5].pValue;
+	attr[1].ulValueLen = pubTemplate[5].ulValueLen;
+	pubTemplate[5].pValue =NULL;
+
+	attr += 2;
+	attr->type = CKA_VALUE;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	attr->type = CKA_VALUE;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->type = CKA_VALUE2;
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	pkcs11dh_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	if (domainparams != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
+
+	if (pubTemplate[4].pValue != NULL) {
+		isc_safe_memwipe(pubTemplate[4].pValue,
+				 pubTemplate[4].ulValueLen);
+		isc_mem_put(key->mctx,
+			    pubTemplate[4].pValue,
+			    pubTemplate[4].ulValueLen);
+	}
+	if (pubTemplate[5].pValue != NULL) {
+		isc_safe_memwipe(pubTemplate[5].pValue,
+				 pubTemplate[5].ulValueLen);
+		isc_mem_put(key->mctx,
+			    pubTemplate[5].pValue,
+			    pubTemplate[5].ulValueLen);
+	}
+	if (pTemplate[0].pValue != NULL) {
+		isc_safe_memwipe(pTemplate[0].pValue,
+				 pTemplate[0].ulValueLen);
+		isc_mem_put(key->mctx,
+			    pTemplate[0].pValue,
+			    pTemplate[0].ulValueLen);
+	}
+	if (pTemplate[1].pValue != NULL) {
+		isc_safe_memwipe(pTemplate[1].pValue,
+				 pTemplate[1].ulValueLen);
+		isc_mem_put(key->mctx,
+			    pTemplate[1].pValue,
+			    pTemplate[1].ulValueLen);
+	}
+
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11dh_isprivate(const dst_key_t *key) {
+	pk11_object_t *dh = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (dh == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+	return (attr != NULL || dh->ontoken);
+}
+
+static void
+pkcs11dh_destroy(dst_key_t *key) {
+	pk11_object_t *dh = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (dh == NULL)
+		return;
+
+	INSIST((dh->object == CK_INVALID_HANDLE) || dh->ontoken);
+
+	for (attr = pk11_attribute_first(dh);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dh, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+		case CKA_VALUE2:
+		case CKA_PRIME:
+		case CKA_BASE:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (dh->repr != NULL) {
+		isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(dh, sizeof(*dh));
+	isc_mem_put(key->mctx, dh, sizeof(*dh));
+	key->keydata.pkey = NULL;
+}
+
+static void
+uint16_toregion(uint16_t val, isc_region_t *region) {
+	*region->base = (val & 0xff00) >> 8;
+	isc_region_consume(region, 1);
+	*region->base = (val & 0x00ff);
+	isc_region_consume(region, 1);
+}
+
+static uint16_t
+uint16_fromregion(isc_region_t *region) {
+	uint16_t val;
+	unsigned char *cp = region->base;
+
+	val = ((unsigned int)(cp[0])) << 8;
+	val |= ((unsigned int)(cp[1]));
+
+	isc_region_consume(region, 2);
+
+	return (val);
+}
+
+static isc_result_t
+pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *dh;
+	CK_ATTRIBUTE *attr;
+	isc_region_t r;
+	uint16_t dnslen, plen = 0, glen = 0, publen = 0;
+	CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	dh = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(dh);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dh, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+			pub = (CK_BYTE *) attr->pValue;
+			publen = (uint16_t) attr->ulValueLen;
+			break;
+		case CKA_PRIME:
+			prime = (CK_BYTE *) attr->pValue;
+			plen = (uint16_t) attr->ulValueLen;
+			break;
+		case CKA_BASE:
+			base = (CK_BYTE *) attr->pValue;
+			glen = (uint16_t) attr->ulValueLen;
+			break;
+		}
+	REQUIRE((prime != NULL) && (base != NULL) && (pub != NULL));
+
+	isc_buffer_availableregion(data, &r);
+
+	if ((glen == 1) && isc_safe_memequal(pk11_dh_bn2, base, glen) &&
+	    (((plen == sizeof(pk11_dh_bn768)) &&
+	      isc_safe_memequal(pk11_dh_bn768, prime, plen)) ||
+	     ((plen == sizeof(pk11_dh_bn1024)) &&
+	      isc_safe_memequal(pk11_dh_bn1024, prime, plen)) ||
+	     ((plen == sizeof(pk11_dh_bn1536)) &&
+	      isc_safe_memequal(pk11_dh_bn1536, prime, plen)))) {
+		plen = 1;
+		glen = 0;
+	}
+
+	dnslen = plen + glen + publen + 6;
+	if (r.length < (unsigned int) dnslen)
+		return (ISC_R_NOSPACE);
+
+	uint16_toregion(plen, &r);
+	if (plen == 1) {
+		if (isc_safe_memequal(pk11_dh_bn768, prime,
+				      sizeof(pk11_dh_bn768)))
+			*r.base = 1;
+		else if (isc_safe_memequal(pk11_dh_bn1024, prime,
+					   sizeof(pk11_dh_bn1024)))
+			*r.base = 2;
+		else
+			*r.base = 3;
+	}
+	else
+		memmove(r.base, prime, plen);
+	isc_region_consume(&r, plen);
+
+	uint16_toregion(glen, &r);
+	if (glen > 0)
+		memmove(r.base, base, glen);
+	isc_region_consume(&r, glen);
+
+	uint16_toregion(publen, &r);
+	memmove(r.base, pub, publen);
+	isc_region_consume(&r, publen);
+
+	isc_buffer_add(data, dnslen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *dh = NULL;
+	isc_region_t r;
+	uint16_t plen, glen, plen_, glen_, publen;
+	CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+	CK_ATTRIBUTE *attr;
+	int special = 0;
+	isc_result_t result;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+	if (dh == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	memset(dh, 0, sizeof(*dh));
+	result = DST_R_INVALIDPUBLICKEY;
+
+	/*
+	 * Read the prime length.  1 & 2 are table entries, > 16 means a
+	 * prime follows, otherwise an error.
+	 */
+	if (r.length < 2)
+		goto cleanup;
+
+	plen = uint16_fromregion(&r);
+	if (plen < 16 && plen != 1 && plen != 2)
+		goto cleanup;
+
+	if (r.length < plen)
+		goto cleanup;
+
+	plen_ = plen;
+	if (plen == 1 || plen == 2) {
+		if (plen == 1) {
+			special = *r.base;
+			isc_region_consume(&r, 1);
+		} else {
+			special = uint16_fromregion(&r);
+		}
+		switch (special) {
+			case 1:
+				prime = pk11_dh_bn768;
+				plen_ = sizeof(pk11_dh_bn768);
+				break;
+			case 2:
+				prime = pk11_dh_bn1024;
+				plen_ = sizeof(pk11_dh_bn1024);
+				break;
+			case 3:
+				prime = pk11_dh_bn1536;
+				plen_ = sizeof(pk11_dh_bn1536);
+				break;
+			default:
+				goto cleanup;
+		}
+	}
+	else {
+		prime = r.base;
+		isc_region_consume(&r, plen);
+	}
+
+	/*
+	 * Read the generator length.  This should be 0 if the prime was
+	 * special, but it might not be.  If it's 0 and the prime is not
+	 * special, we have a problem.
+	 */
+	if (r.length < 2)
+		goto cleanup;
+
+	glen = uint16_fromregion(&r);
+	if (r.length < glen)
+		goto cleanup;
+
+	glen_ = glen;
+	if (special != 0) {
+		if (glen == 0) {
+			base = pk11_dh_bn2;
+			glen_ = sizeof(pk11_dh_bn2);
+		}
+		else {
+			base = r.base;
+			if (!isc_safe_memequal(base, pk11_dh_bn2, glen))
+				goto cleanup;
+			base = pk11_dh_bn2;
+			glen_ = sizeof(pk11_dh_bn2);
+		}
+	}
+	else {
+		if (glen == 0)
+			goto cleanup;
+		base = r.base;
+	}
+	isc_region_consume(&r, glen);
+
+	if (r.length < 2)
+		goto cleanup;
+
+	publen = uint16_fromregion(&r);
+	if (r.length < publen)
+		goto cleanup;
+
+	pub = r.base;
+	isc_region_consume(&r, publen);
+
+	key->key_size = pk11_numbits(prime, plen_);
+
+	dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (dh->repr == NULL)
+		goto nomemory;
+	memset(dh->repr, 0, sizeof(*attr) * 3);
+	dh->attrcnt = 3;
+
+	attr = dh->repr;
+	attr[0].type = CKA_PRIME;
+	attr[0].pValue = isc_mem_get(key->mctx, plen_);
+	if (attr[0].pValue == NULL)
+		goto nomemory;
+	memmove(attr[0].pValue, prime, plen_);
+	attr[0].ulValueLen = (CK_ULONG) plen_;
+
+	attr[1].type = CKA_BASE;
+	attr[1].pValue = isc_mem_get(key->mctx, glen_);
+	if (attr[1].pValue == NULL)
+		goto nomemory;
+	memmove(attr[1].pValue, base, glen_);
+	attr[1].ulValueLen = (CK_ULONG) glen_;
+
+	attr[2].type = CKA_VALUE;
+	attr[2].pValue = isc_mem_get(key->mctx, publen);
+	if (attr[2].pValue == NULL)
+		goto nomemory;
+	memmove(attr[2].pValue, pub, publen);
+	attr[2].ulValueLen = (CK_ULONG) publen;
+
+	isc_buffer_forward(data, plen + glen + publen + 6);
+
+	key->keydata.pkey = dh;
+
+	return (ISC_R_SUCCESS);
+
+ nomemory:
+	for (attr = pk11_attribute_first(dh);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dh, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+		case CKA_PRIME:
+		case CKA_BASE:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (dh->repr != NULL) {
+		isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
+	}
+
+	result = ISC_R_NOMEMORY;
+
+ cleanup:
+	if (dh != NULL) {
+		isc_safe_memwipe(dh, sizeof(*dh));
+		isc_mem_put(key->mctx, dh, sizeof(*dh));
+	}
+	return (result);
+}
+
+static isc_result_t
+pkcs11dh_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	pk11_object_t *dh;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *prime = NULL, *base = NULL, *pub = NULL, *prv = NULL;
+	dst_private_t priv;
+	unsigned char *bufs[4];
+	isc_result_t result;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external)
+		return (DST_R_EXTERNALKEY);
+
+	dh = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(dh);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dh, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+			pub = attr;
+			break;
+		case CKA_VALUE2:
+			prv = attr;
+			break;
+		case CKA_PRIME:
+			prime = attr;
+			break;
+		case CKA_BASE:
+			base = attr;
+			break;
+		}
+	if ((prime == NULL) || (base == NULL) ||
+	    (pub == NULL) || (prv == NULL))
+		return (DST_R_NULLKEY);
+
+	memset(bufs, 0, sizeof(bufs));
+	for (i = 0; i < 4; i++) {
+		bufs[i] = isc_mem_get(key->mctx, prime->ulValueLen);
+		if (bufs[i] == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		memset(bufs[i], 0, prime->ulValueLen);
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_DH_PRIME;
+	priv.elements[i].length = (unsigned short) prime->ulValueLen;
+	memmove(bufs[i], prime->pValue, prime->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_GENERATOR;
+	priv.elements[i].length = (unsigned short) base->ulValueLen;
+	memmove(bufs[i], base->pValue, base->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PRIVATE;
+	priv.elements[i].length = (unsigned short) prv->ulValueLen;
+	memmove(bufs[i], prv->pValue, prv->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_DH_PUBLIC;
+	priv.elements[i].length = (unsigned short) pub->ulValueLen;
+	memmove(bufs[i], pub->pValue, pub->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+	for (i = 0; i < 4; i++) {
+		if (bufs[i] == NULL)
+			break;
+		isc_safe_memwipe(bufs[i], prime->ulValueLen);
+		isc_mem_put(key->mctx, bufs[i], prime->ulValueLen);
+	}
+	return (result);
+}
+
+static isc_result_t
+pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	pk11_object_t *dh = NULL;
+	CK_ATTRIBUTE *attr;
+	isc_mem_t *mctx;
+
+	UNUSED(pub);
+	mctx = key->mctx;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external)
+		DST_RET(DST_R_EXTERNALKEY);
+
+	dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
+	if (dh == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dh, 0, sizeof(*dh));
+	key->keydata.pkey = dh;
+	dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+	if (dh->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dh->repr, 0, sizeof(*attr) * 4);
+	dh->attrcnt = 4;
+	attr = dh->repr;
+	attr[0].type = CKA_PRIME;
+	attr[1].type = CKA_BASE;
+	attr[2].type = CKA_VALUE;
+	attr[3].type = CKA_VALUE2;
+
+	for (i = 0; i < priv.nelements; i++) {
+		CK_BYTE *bn;
+
+		bn = isc_mem_get(key->mctx, priv.elements[i].length);
+		if (bn == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memmove(bn, priv.elements[i].data, priv.elements[i].length);
+
+		switch (priv.elements[i].tag) {
+			case TAG_DH_PRIME:
+				attr = pk11_attribute_bytype(dh, CKA_PRIME);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DH_GENERATOR:
+				attr = pk11_attribute_bytype(dh, CKA_BASE);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DH_PRIVATE:
+				attr = pk11_attribute_bytype(dh, CKA_VALUE2);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DH_PUBLIC:
+				attr = pk11_attribute_bytype(dh, CKA_VALUE);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+
+	attr = pk11_attribute_bytype(dh, CKA_PRIME);
+	INSIST(attr != NULL);
+	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11dh_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t pkcs11dh_functions = {
+	NULL, /*%< createctx */
+	NULL, /*%< createctx2 */
+	NULL, /*%< destroyctx */
+	NULL, /*%< adddata */
+	NULL, /*%< sign */
+	NULL, /*%< verify */
+	NULL, /*%< verify2 */
+	pkcs11dh_computesecret,
+	pkcs11dh_compare,
+	pkcs11dh_paramcompare,
+	pkcs11dh_generate,
+	pkcs11dh_isprivate,
+	pkcs11dh_destroy,
+	pkcs11dh_todns,
+	pkcs11dh_fromdns,
+	pkcs11dh_tofile,
+	pkcs11dh_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dh_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11dh_functions;
+	return (ISC_R_SUCCESS);
+}
+#endif /* !PK11_DH_DISABLE */
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
new file mode 100644
index 0000000..12d707a
--- /dev/null
+++ b/lib/dns/pkcs11dsa_link.c
@@ -0,0 +1,1126 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <pk11/site.h>
+
+#ifndef PK11_DSA_DISABLE
+
+#include <string.h>
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/internal.h>
+
+/*
+ * FIPS 186-2 DSA keys:
+ *  mechanisms:
+ *    CKM_DSA_SHA1,
+ *    CKM_DSA_KEY_PAIR_GEN,
+ *    CKM_DSA_PARAMETER_GEN
+ *  domain parameters:
+ *    object class CKO_DOMAIN_PARAMETERS
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    optional attribute CKA_PRIME_BITS (p length in bits)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (public value y)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_DSA
+ *    attribute CKA_PRIME (prime p)
+ *    attribute CKA_SUBPRIME (subprime q)
+ *    attribute CKA_BASE (base g)
+ *    attribute CKA_VALUE (private value x)
+ *  reuse CKA_PRIVATE_EXPONENT for key pair private value
+ */
+
+#define CKA_VALUE2	CKA_PRIVATE_EXPONENT
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11dsa_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_DSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_SUBPRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *dsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	REQUIRE(key != NULL);
+	dsa = key->keydata.pkey;
+	REQUIRE(dsa != NULL);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
+			       dsa->reqlogon, NULL,
+			       pk11_get_best_token(OP_DSA));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = dsa->ontoken;
+		pk11_ctx->object = dsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_SUBPRIME:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[7].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_BASE:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[8].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE2:
+			INSIST(keyTemplate[9].type == CKA_VALUE);
+			keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[9].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[9].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[9].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 10,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 6; i <= 9; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	for (i = 6; i <= 9; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_DSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_SUBPRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *dsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	dsa = key->keydata.pkey;
+	REQUIRE(dsa != NULL);
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
+			       dsa->reqlogon, NULL,
+			       pk11_get_best_token(OP_DSA));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = dsa->ontoken;
+		pk11_ctx->object = dsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_SUBPRIME:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_BASE:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[7].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[8].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 9,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 5; i <= 8; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	for (i = 5; i <= 8; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN)
+		return (pkcs11dsa_createctx_sign(key, dctx));
+	else
+		return (pkcs11dsa_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11dsa_destroyctx(dst_context_t *dctx) {
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		if (!pk11_ctx->ontoken &&
+		    (pk11_ctx->object != CK_INVALID_HANDLE))
+			(void) pkcs_C_DestroyObject(pk11_ctx->session,
+					       pk11_ctx->object);
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	if (dctx->use == DO_SIGN)
+		PK11_CALL(pkcs_C_SignUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	else
+		PK11_CALL(pkcs_C_VerifyUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2;
+	isc_region_t r;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int klen;
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+		return (ISC_R_NOSPACE);
+
+	PK11_RET(pkcs_C_SignFinal,
+		 (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen),
+		 DST_R_SIGNFAILURE);
+	if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
+		return (DST_R_SIGNFAILURE);
+
+	klen = (dctx->key->key_size - 512)/64;
+	if (klen > 255)
+		return (ISC_R_FAILURE);
+	*r.base = klen;
+	isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+    err:
+	return (ret);
+}
+
+static isc_result_t
+pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_VerifyFinal,
+		  (pk11_ctx->session,
+		   (CK_BYTE_PTR) sig->base + 1,
+		   (CK_ULONG) sig->length - 1),
+		  DST_R_VERIFYFAILURE);
+	return (ret);
+}
+
+static bool
+pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *dsa1, *dsa2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	dsa1 = key1->keydata.pkey;
+	dsa2 = key2->keydata.pkey;
+
+	if ((dsa1 == NULL) && (dsa2 == NULL))
+		return (true);
+	else if ((dsa1 == NULL) || (dsa2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME);
+	attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME);
+	attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dsa1, CKA_BASE);
+	attr2 = pk11_attribute_bytype(dsa2, CKA_BASE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2);
+	attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!dsa1->ontoken && !dsa2->ontoken)
+		return (true);
+	else if (dsa1->ontoken || dsa2->ontoken ||
+		 (dsa1->object != dsa2->object))
+		return (false);
+
+	return (true);
+}
+
+static isc_result_t
+pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS;
+	CK_KEY_TYPE  keyType = CKK_DSA;
+	CK_ULONG bits = 0;
+	CK_ATTRIBUTE dpTemplate[] =
+	{
+		{ CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) },
+	};
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_PRIME, NULL, 0 },
+		{ CKA_SUBPRIME, NULL, 0 },
+		{ CKA_BASE, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *dsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
+			       false, NULL, pk11_get_best_token(OP_DSA));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	bits = key->key_size;
+	PK11_RET(pkcs_C_GenerateKey,
+		 (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp),
+		 DST_R_CRYPTOFAILURE);
+
+	dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+	if (dsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dsa, 0, sizeof(*dsa));
+	key->keydata.pkey = dsa;
+	dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+	if (dsa->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dsa->repr, 0, sizeof(*attr) * 5);
+	dsa->attrcnt = 5;
+
+	attr = dsa->repr;
+	attr[0].type = CKA_PRIME;
+	attr[1].type = CKA_SUBPRIME;
+	attr[2].type = CKA_BASE;
+	attr[3].type = CKA_VALUE;
+	attr[4].type = CKA_VALUE2;
+
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, dp, attr, 3),
+		 DST_R_CRYPTOFAILURE);
+
+	for (i = 0; i <= 2; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, dp, attr, 3),
+		 DST_R_CRYPTOFAILURE);
+	pubTemplate[5].pValue = attr[0].pValue;
+	pubTemplate[5].ulValueLen = attr[0].ulValueLen;
+	pubTemplate[6].pValue = attr[1].pValue;
+	pubTemplate[6].ulValueLen = attr[1].ulValueLen;
+	pubTemplate[7].pValue = attr[2].pValue;
+	pubTemplate[7].ulValueLen = attr[2].ulValueLen;
+
+	mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 8,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = dsa->repr;
+	attr += 3;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	attr->type = CKA_VALUE;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->type = CKA_VALUE2;
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	pkcs11dsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	if (dp != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11dsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *dsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (dsa == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+	return (attr != NULL || dsa->ontoken);
+}
+
+static void
+pkcs11dsa_destroy(dst_key_t *key) {
+	pk11_object_t *dsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (dsa == NULL)
+		return;
+
+	INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken);
+
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+		case CKA_SUBPRIME:
+		case CKA_BASE:
+		case CKA_VALUE:
+		case CKA_VALUE2:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (dsa->repr != NULL) {
+		isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    dsa->repr,
+			    dsa->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(dsa, sizeof(*dsa));
+	isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+	key->keydata.pkey = NULL;
+}
+
+
+static isc_result_t
+pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *dsa;
+	CK_ATTRIBUTE *attr;
+	isc_region_t r;
+	int dnslen;
+	unsigned int t, p_bytes;
+	CK_ATTRIBUTE *prime = NULL, *subprime = NULL;
+	CK_ATTRIBUTE *base = NULL, *pub_key = NULL;
+	CK_BYTE *cp;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	dsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+			prime = attr;
+			break;
+		case CKA_SUBPRIME:
+			subprime = attr;
+			break;
+		case CKA_BASE:
+			base = attr;
+			break;
+		case CKA_VALUE:
+			pub_key = attr;
+			break;
+		}
+	REQUIRE((prime != NULL) && (subprime != NULL) &&
+		(base != NULL) && (pub_key != NULL));
+
+	isc_buffer_availableregion(data, &r);
+
+	t = (prime->ulValueLen - 64) / 8;
+	if (t > 8)
+		return (DST_R_INVALIDPUBLICKEY);
+	p_bytes = 64 + 8 * t;
+
+	dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
+	if (r.length < (unsigned int) dnslen)
+		return (ISC_R_NOSPACE);
+
+	memset(r.base, 0, dnslen);
+	*r.base = t;
+	isc_region_consume(&r, 1);
+
+	cp = (CK_BYTE *) subprime->pValue;
+	memmove(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
+		cp, subprime->ulValueLen);
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+	cp = (CK_BYTE *) prime->pValue;
+	memmove(r.base + key->key_size/8 - prime->ulValueLen,
+		cp, prime->ulValueLen);
+	isc_region_consume(&r, p_bytes);
+	cp = (CK_BYTE *) base->pValue;
+	memmove(r.base + key->key_size/8 - base->ulValueLen,
+		cp, base->ulValueLen);
+	isc_region_consume(&r, p_bytes);
+	cp = (CK_BYTE *) pub_key->pValue;
+	memmove(r.base + key->key_size/8 - pub_key->ulValueLen,
+		cp, pub_key->ulValueLen);
+	isc_region_consume(&r, p_bytes);
+
+	isc_buffer_add(data, dnslen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *dsa;
+	isc_region_t r;
+	unsigned int t, p_bytes;
+	CK_BYTE *prime, *subprime, *base, *pub_key;
+	CK_ATTRIBUTE *attr;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+
+	dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+	if (dsa == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(dsa, 0, sizeof(*dsa));
+
+	t = (unsigned int) *r.base;
+	isc_region_consume(&r, 1);
+	if (t > 8) {
+		isc_safe_memwipe(dsa, sizeof(*dsa));
+		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	p_bytes = 64 + 8 * t;
+
+	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+		isc_safe_memwipe(dsa, sizeof(*dsa));
+		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+
+	subprime = r.base;
+	isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
+
+	prime = r.base;
+	isc_region_consume(&r, p_bytes);
+
+	base = r.base;
+	isc_region_consume(&r, p_bytes);
+
+	pub_key = r.base;
+	isc_region_consume(&r, p_bytes);
+
+	key->key_size = p_bytes * 8;
+
+	isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
+
+	dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
+	if (dsa->repr == NULL)
+		goto nomemory;
+	memset(dsa->repr, 0, sizeof(*attr) * 4);
+	dsa->attrcnt = 4;
+
+	attr = dsa->repr;
+	attr[0].type = CKA_PRIME;
+	attr[0].pValue = isc_mem_get(key->mctx, p_bytes);
+	if (attr[0].pValue == NULL)
+		goto nomemory;
+	memmove(attr[0].pValue, prime, p_bytes);
+	attr[0].ulValueLen = p_bytes;
+
+	attr[1].type = CKA_SUBPRIME;
+	attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH);
+	if (attr[1].pValue == NULL)
+		goto nomemory;
+	memmove(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH);
+	attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+
+	attr[2].type = CKA_BASE;
+	attr[2].pValue = isc_mem_get(key->mctx, p_bytes);
+	if (attr[2].pValue == NULL)
+		goto nomemory;
+	memmove(attr[2].pValue, base, p_bytes);
+	attr[2].ulValueLen = p_bytes;
+
+	attr[3].type = CKA_VALUE;
+	attr[3].pValue = isc_mem_get(key->mctx, p_bytes);
+	if (attr[3].pValue == NULL)
+		goto nomemory;
+	memmove(attr[3].pValue, pub_key, p_bytes);
+	attr[3].ulValueLen = p_bytes;
+
+	key->keydata.pkey = dsa;
+
+	return (ISC_R_SUCCESS);
+
+    nomemory:
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+		case CKA_SUBPRIME:
+		case CKA_BASE:
+		case CKA_VALUE:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (dsa->repr != NULL) {
+		isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    dsa->repr,
+			    dsa->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(dsa, sizeof(*dsa));
+	isc_mem_put(key->mctx, dsa, sizeof(*dsa));
+	return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
+	int cnt = 0;
+	pk11_object_t *dsa;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL;
+	CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL;
+	dst_private_t priv;
+	unsigned char bufs[5][128];
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	dsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(dsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(dsa, attr))
+		switch (attr->type) {
+		case CKA_PRIME:
+			prime = attr;
+			break;
+		case CKA_SUBPRIME:
+			subprime = attr;
+			break;
+		case CKA_BASE:
+			base = attr;
+			break;
+		case CKA_VALUE:
+			pub_key = attr;
+			break;
+		case CKA_VALUE2:
+			priv_key = attr;
+			break;
+		}
+	if ((prime == NULL) || (subprime == NULL) || (base == NULL) ||
+	    (pub_key == NULL) || (priv_key ==NULL))
+		return (DST_R_NULLKEY);
+
+	priv.elements[cnt].tag = TAG_DSA_PRIME;
+	priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
+	memmove(bufs[cnt], prime->pValue, prime->ulValueLen);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
+	priv.elements[cnt].length = (unsigned short) subprime->ulValueLen;
+	memmove(bufs[cnt], subprime->pValue, subprime->ulValueLen);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_BASE;
+	priv.elements[cnt].length = (unsigned short) base->ulValueLen;
+	memmove(bufs[cnt], base->pValue, base->ulValueLen);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_PRIVATE;
+	priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen;
+	memmove(bufs[cnt], priv_key->pValue, priv_key->ulValueLen);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.elements[cnt].tag = TAG_DSA_PUBLIC;
+	priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen;
+	memmove(bufs[cnt], pub_key->pValue, pub_key->ulValueLen);
+	priv.elements[cnt].data = bufs[cnt];
+	cnt++;
+
+	priv.nelements = cnt;
+	return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	pk11_object_t *dsa = NULL;
+	CK_ATTRIBUTE *attr;
+	isc_mem_t *mctx = key->mctx;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
+	if (dsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dsa, 0, sizeof(*dsa));
+	key->keydata.pkey = dsa;
+
+	dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
+	if (dsa->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(dsa->repr, 0, sizeof(*attr) * 5);
+	dsa->attrcnt = 5;
+	attr = dsa->repr;
+	attr[0].type = CKA_PRIME;
+	attr[1].type = CKA_SUBPRIME;
+	attr[2].type = CKA_BASE;
+	attr[3].type = CKA_VALUE;
+	attr[4].type = CKA_VALUE2;
+
+	for (i = 0; i < priv.nelements; i++) {
+		CK_BYTE *bn;
+
+		bn = isc_mem_get(key->mctx, priv.elements[i].length);
+		if (bn == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memmove(bn, priv.elements[i].data, priv.elements[i].length);
+
+		switch (priv.elements[i].tag) {
+			case TAG_DSA_PRIME:
+				attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DSA_SUBPRIME:
+				attr = pk11_attribute_bytype(dsa,
+							     CKA_SUBPRIME);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DSA_BASE:
+				attr = pk11_attribute_bytype(dsa, CKA_BASE);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DSA_PRIVATE:
+				attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_DSA_PUBLIC:
+				attr = pk11_attribute_bytype(dsa, CKA_VALUE);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+		}
+	}
+	dst__privstruct_free(&priv, mctx);
+
+	attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+	INSIST(attr != NULL);
+	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11dsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t pkcs11dsa_functions = {
+	pkcs11dsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11dsa_destroyctx,
+	pkcs11dsa_adddata,
+	pkcs11dsa_sign,
+	pkcs11dsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11dsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11dsa_generate,
+	pkcs11dsa_isprivate,
+	pkcs11dsa_destroy,
+	pkcs11dsa_todns,
+	pkcs11dsa_fromdns,
+	pkcs11dsa_tofile,
+	pkcs11dsa_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11dsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11dsa_functions;
+	return (ISC_R_SUCCESS);
+}
+#endif /* !PK11_DSA_DISABLE */
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/pkcs11ecdsa_link.c b/lib/dns/pkcs11ecdsa_link.c
new file mode 100644
index 0000000..4a39cc4
--- /dev/null
+++ b/lib/dns/pkcs11ecdsa_link.c
@@ -0,0 +1,1198 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_ECDSA)
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#define WANT_ECC_CURVES
+#include <pk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * FIPS 186-3 ECDSA keys:
+ *  mechanisms:
+ *    CKM_ECDSA,
+ *    CKM_EC_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (point Q)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_EC
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int d)
+ *  point format: 0x04 (octet-string) <2*size+1> 0x4 (uncompressed) <x> <y>
+ */
+
+#define TAG_OCTECT_STRING	0x04
+#define UNCOMPRESSED		0x04
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11ecdsa_todns(const dst_key_t *key,
+				      isc_buffer_t *data);
+static void pkcs11ecdsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11ecdsa_fetch(dst_key_t *key, const char *engine,
+				      const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = {0, NULL, 0 };
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_result_t ret;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	if (dctx->key->key_alg == DST_ALG_ECDSA256)
+		mech.mechanism = CKM_SHA256;
+	else
+		mech.mechanism = CKM_SHA384;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN))
+		slotid = ec->slot;
+	else
+		slotid = pk11_get_best_token(OP_EC);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+	return (ISC_R_SUCCESS);
+
+ err:
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static void
+pkcs11ecdsa_destroyctx(dst_context_t *dctx) {
+	CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	if (pk11_ctx != NULL) {
+		(void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+		memset(garbage, 0, sizeof(garbage));
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11ecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
+		dctx->key->key_alg == DST_ALG_ECDSA384);
+
+	PK11_CALL(pkcs_C_DigestUpdate,
+		  (pk11_ctx->session,
+		   (CK_BYTE_PTR) data->base,
+		   (CK_ULONG) data->length),
+		  ISC_R_FAILURE);
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG dgstlen;
+	CK_ULONG siglen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		dgstlen = ISC_SHA256_DIGESTLENGTH;
+		siglen = DNS_SIG_ECDSA256SIZE;
+	} else {
+		siglen = DNS_SIG_ECDSA384SIZE;
+		dgstlen = ISC_SHA384_DIGESTLENGTH;
+	}
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest, &dgstlen),
+		 ISC_R_FAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = ec->ontoken;
+		pk11_ctx->object = ec->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+ token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session,
+		  digest, dgstlen,
+		  (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_ECDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_EC_POINT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG dgstlen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	REQUIRE(ec != NULL);
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		dgstlen = ISC_SHA256_DIGESTLENGTH;
+	else
+		dgstlen = ISC_SHA384_DIGESTLENGTH;
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest, &dgstlen),
+		 ISC_R_FAILURE);
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EC_POINT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session,
+		  digest, dgstlen,
+		  (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+		 DST_R_VERIFYFAILURE);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static bool
+pkcs11ecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *ec1, *ec2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	ec1 = key1->keydata.pkey;
+	ec2 = key2->keydata.pkey;
+
+	if ((ec1 == NULL) && (ec2 == NULL))
+		return (true);
+	else if ((ec1 == NULL) || (ec2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!ec1->ontoken && !ec2->ontoken)
+		return (true);
+	else if (ec1->ontoken || ec2->ontoken ||
+		 (ec1->object != ec2->object))
+		return (false);
+
+	return (true);
+}
+
+#define SETCURVE() \
+	if (key->key_alg == DST_ALG_ECDSA256) { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_prime256v1)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1)); \
+		attr->ulValueLen = sizeof(pk11_ecc_prime256v1); \
+	} else { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_secp384r1)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1)); \
+		attr->ulValueLen = sizeof(pk11_ecc_secp384r1); \
+	}
+
+#define FREECURVE() \
+	if (attr->pValue != NULL) { \
+		memset(attr->pValue, 0, attr->ulValueLen); \
+		isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+		attr->pValue = NULL; \
+	}
+
+static isc_result_t
+pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EC_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE  keyType = CKK_EC;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       false, NULL, pk11_get_best_token(OP_EC));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+	attr[2].type = CKA_VALUE;
+
+	attr = &pubTemplate[5];
+	SETCURVE();
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 6,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = &pubTemplate[5];
+	FREECURVE();
+
+	attr = ec->repr;
+	SETCURVE();
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	else
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11ecdsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11ecdsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	return (attr != NULL || ec->ontoken);
+}
+
+static void
+pkcs11ecdsa_destroy(dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return;
+
+	INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+		case CKA_VALUE:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11ecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		len = DNS_KEY_ECDSA256SIZE;
+	else
+		len = DNS_KEY_ECDSA384SIZE;
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+	if ((attr == NULL) ||
+	    (attr->ulValueLen != len + 3) ||
+	    (((CK_BYTE_PTR) attr->pValue)[0] != TAG_OCTECT_STRING) ||
+	    (((CK_BYTE_PTR) attr->pValue)[1] != len + 1) ||
+	    (((CK_BYTE_PTR) attr->pValue)[2] != UNCOMPRESSED))
+		return (ISC_R_FAILURE);
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len)
+		return (ISC_R_NOSPACE);
+	memmove(r.base, (CK_BYTE_PTR) attr->pValue + 3, len);
+	isc_buffer_add(data, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if (key->key_alg == DST_ALG_ECDSA256)
+		len = DNS_KEY_ECDSA256SIZE;
+	else
+		len = DNS_KEY_ECDSA384SIZE;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (r.length != len)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		goto nomemory;
+	ec->attrcnt = 2;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	if (key->key_alg == DST_ALG_ECDSA256) {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_prime256v1));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_prime256v1, sizeof(pk11_ecc_prime256v1));
+		attr->ulValueLen = sizeof(pk11_ecc_prime256v1);
+	} else {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_secp384r1));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_secp384r1, sizeof(pk11_ecc_secp384r1));
+		attr->ulValueLen = sizeof(pk11_ecc_secp384r1);
+	}
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	attr->pValue = isc_mem_get(key->mctx, len + 3);
+	if (attr->pValue == NULL)
+		goto nomemory;
+	((CK_BYTE_PTR) attr->pValue)[0] = TAG_OCTECT_STRING;
+	((CK_BYTE_PTR) attr->pValue)[1] = len + 1;
+	((CK_BYTE_PTR) attr->pValue)[2] = UNCOMPRESSED;
+	memmove((CK_BYTE_PTR) attr->pValue + 3, r.base, len);
+	attr->ulValueLen = len + 3;
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = ec;
+	key->key_size = len * 4;
+	return (ISC_R_SUCCESS);
+
+ nomemory:
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11ecdsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *ec;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
+		priv.elements[i].length = (unsigned short) attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_ECDSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		memset(buf, 0, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		  dst_key_t *pub)
+{
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *ec;
+	pk11_object_t *pubec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL)
+		return (DST_R_NOENGINE);
+
+	ec = key->keydata.pkey;
+	pubec = pub->keydata.pkey;
+
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+
+	attr->type = CKA_EC_PARAMS;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_EC_POINT;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *ec = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+	const char *engine = NULL, *label = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
+		key->key_alg == DST_ALG_ECDSA384);
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL))
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_ECDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_ECDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11ecdsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS)
+			goto err;
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+		return (ret);
+	}
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	if (key->key_alg == DST_ALG_ECDSA256)
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	else
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11ecdsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		      const char *pin)
+{
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EC;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	key->keydata.pkey = ec;
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_EC_POINT;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	attr = ec->repr;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (key->key_alg == DST_ALG_ECDSA256)
+		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
+	else
+		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11ecdsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static dst_func_t pkcs11ecdsa_functions = {
+	pkcs11ecdsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11ecdsa_destroyctx,
+	pkcs11ecdsa_adddata,
+	pkcs11ecdsa_sign,
+	pkcs11ecdsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11ecdsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11ecdsa_generate,
+	pkcs11ecdsa_isprivate,
+	pkcs11ecdsa_destroy,
+	pkcs11ecdsa_todns,
+	pkcs11ecdsa_fromdns,
+	pkcs11ecdsa_tofile,
+	pkcs11ecdsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11ecdsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11ecdsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11ecdsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_ECDSA */
+/*! \file */
diff --git a/lib/dns/pkcs11eddsa_link.c b/lib/dns/pkcs11eddsa_link.c
new file mode 100644
index 0000000..015d0e8
--- /dev/null
+++ b/lib/dns/pkcs11eddsa_link.c
@@ -0,0 +1,1185 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && \
+    defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#define WANT_ECC_CURVES
+#include <pk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+#include <pkcs11/eddsa.h>
+
+/*
+ * FIPS 186-3 EDDSA keys:
+ *  mechanisms:
+ *    CKM_EDDSA,
+ *    CKM_EDDSA_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EDDSA
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (big int A, CKA_VALUE on the token)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_EDDSA
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int k)
+ */
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11eddsa_todns(const dst_key_t *key,
+				      isc_buffer_t *data);
+static void pkcs11eddsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11eddsa_fetch(dst_key_t *key, const char *engine,
+				      const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+	isc_result_t result;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_allocate(dctx->mctx, &buf, 16);
+	isc_buffer_setautorealloc(buf, true);
+	dctx->ctxdata.generic = buf;
+
+	return (result);
+}
+
+static void
+pkcs11eddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL)
+		isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	isc_buffer_t *nbuf = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	length = isc_buffer_length(buf) + data->length + 64;
+	result = isc_buffer_allocate(dctx->mctx, &nbuf, length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(buf, &r);
+	(void) isc_buffer_copyregion(nbuf, &r);
+	(void) isc_buffer_copyregion(nbuf, data);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = nbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_ULONG siglen;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN))
+		slotid = ec->slot;
+	else
+		slotid = pk11_get_best_token(OP_EC);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = ec->ontoken;
+		pk11_ctx->object = ec->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+ token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session,
+		  (CK_BYTE_PTR) t.base, (CK_ULONG) t.length,
+		  (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN))
+		slotid = ec->slot;
+	else
+		slotid = pk11_get_best_token(OP_EC);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EC_POINT:
+			/* keyTemplate[6].type is CKA_VALUE */
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session,
+		  (CK_BYTE_PTR) t.base, (CK_ULONG) t.length,
+		  (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+		 DST_R_VERIFYFAILURE);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static bool
+pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *ec1, *ec2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	ec1 = key1->keydata.pkey;
+	ec2 = key2->keydata.pkey;
+
+	if ((ec1 == NULL) && (ec2 == NULL))
+		return (true);
+	else if ((ec1 == NULL) || (ec2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!ec1->ontoken && !ec2->ontoken)
+		return (true);
+	else if (ec1->ontoken || ec2->ontoken ||
+		 (ec1->object != ec2->object))
+		return (false);
+
+	return (true);
+}
+
+#define SETCURVE() \
+	if (key->key_alg == DST_ALG_ED25519) { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_ed25519)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519)); \
+		attr->ulValueLen = sizeof(pk11_ecc_ed25519); \
+	} else { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_ed448)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \
+		attr->ulValueLen = sizeof(pk11_ecc_ed448); \
+	}
+
+#define FREECURVE() \
+	if (attr->pValue != NULL) { \
+		memset(attr->pValue, 0, attr->ulValueLen); \
+		isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+		attr->pValue = NULL; \
+	}
+
+static isc_result_t
+pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE  keyType = CKK_EDDSA;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       false, NULL, pk11_get_best_token(OP_EC));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_VALUE;
+	attr[2].type = CKA_VALUE;
+
+	attr = &pubTemplate[5];
+	SETCURVE();
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 6,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = &pubTemplate[5];
+	FREECURVE();
+
+	attr = ec->repr;
+	SETCURVE();
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->type = CKA_EC_POINT;
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11eddsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	return (attr != NULL || ec->ontoken);
+}
+
+static void
+pkcs11eddsa_destroy(dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return;
+
+	INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+		case CKA_VALUE:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		len = DNS_KEY_ED25519SIZE;
+	else
+		len = DNS_KEY_ED448SIZE;
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+	if ((attr == NULL) || (attr->ulValueLen != len))
+		return (ISC_R_FAILURE);
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len)
+		return (ISC_R_NOSPACE);
+	memmove(r.base, (CK_BYTE_PTR) attr->pValue, len);
+	isc_buffer_add(data, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		len = DNS_KEY_ED25519SIZE;
+	else
+		len = DNS_KEY_ED448SIZE;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (r.length != len)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		goto nomemory;
+	ec->attrcnt = 2;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	if (key->key_alg == DST_ALG_ED25519) {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519));
+		attr->ulValueLen = sizeof(pk11_ecc_ed25519);
+	} else {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_ed448, sizeof(pk11_ecc_ed448));
+		attr->ulValueLen = sizeof(pk11_ecc_ed448);
+	}
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	attr->pValue = isc_mem_get(key->mctx, len);
+	if (attr->pValue == NULL)
+		goto nomemory;
+	memmove((CK_BYTE_PTR) attr->pValue, r.base, len);
+	attr->ulValueLen = len;
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = ec;
+	key->key_size = len;
+	return (ISC_R_SUCCESS);
+
+ nomemory:
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *ec;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[i].length = (unsigned short) attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		memset(buf, 0, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		  dst_key_t *pub)
+{
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *ec;
+	pk11_object_t *pubec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL)
+		return (DST_R_NOENGINE);
+
+	ec = key->keydata.pkey;
+	pubec = pub->keydata.pkey;
+
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+
+	attr->type = CKA_EC_PARAMS;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_EC_POINT;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *ec = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+	const char *engine = NULL, *label = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL))
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_EDDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_EDDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11eddsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS)
+			goto err;
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+		return (ret);
+	}
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		      const char *pin)
+{
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = true;
+	ec->reqlogon = true;
+	key->keydata.pkey = ec;
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_VALUE;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, true, false,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	attr = ec->repr;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	attr[1].type = CKA_EC_POINT;
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static dst_func_t pkcs11eddsa_functions = {
+	pkcs11eddsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11eddsa_destroyctx,
+	pkcs11eddsa_adddata,
+	pkcs11eddsa_sign,
+	pkcs11eddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11eddsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11eddsa_generate,
+	pkcs11eddsa_isprivate,
+	pkcs11eddsa_destroy,
+	pkcs11eddsa_todns,
+	pkcs11eddsa_fromdns,
+	pkcs11eddsa_tofile,
+	pkcs11eddsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11eddsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11eddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11eddsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */
+/*! \file */
diff --git a/lib/dns/pkcs11gost_link.c b/lib/dns/pkcs11gost_link.c
new file mode 100644
index 0000000..b5c98f4
--- /dev/null
+++ b/lib/dns/pkcs11gost_link.c
@@ -0,0 +1,957 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && defined(HAVE_PKCS11_GOST)
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+#include "dst_gost.h"
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#define WANT_GOST_PARAMS
+#include <pk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+
+/*
+ * RU CryptoPro GOST keys:
+ *  mechanisms:
+ *    CKM_GOSTR3411
+ *    CKM_GOSTR3410_WITH_GOSTR3411
+ *    CKM_GOSTR3410_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_GOSTR3410_PARAMS (fixed BER OID 1.2.643.2.2.35.1)
+ *    CKA_GOSTR3411_PARAMS (fixed BER OID 1.2.643.2.2.30.1)
+ *    CKA_GOST28147_PARAMS (optional, don't use)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_GOSTR3410
+ *    attribute CKA_VALUE (point Q)
+ *    attribute CKA_GOSTR3410_PARAMS
+ *    attribute CKA_GOSTR3411_PARAMS
+ *    attribute CKA_GOST28147_PARAMS
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_GOSTR3410
+ *    attribute CKA_VALUE (big int d)
+ *    attribute CKA_GOSTR3410_PARAMS
+ *    attribute CKA_GOSTR3411_PARAMS
+ *    attribute CKA_GOST28147_PARAMS
+ *  point format: <x> <y> (little endian)
+ */
+
+#define CKA_VALUE2			CKA_PRIVATE_EXPONENT
+
+#define ISC_GOST_SIGNATURELENGTH	64
+#define ISC_GOST_PUBKEYLENGTH		64
+#define ISC_GOST_KEYSIZE		256
+
+/* HASH methods */
+
+isc_result_t
+isc_gost_init(isc_gost_t *ctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_GOSTR3411, NULL, 0 };
+	int ret = ISC_R_SUCCESS;
+
+	ret = pk11_get_session(ctx, OP_GOST, true, false,
+			       false, NULL, 0);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	PK11_CALL(pkcs_C_DigestInit, (ctx->session, &mech), ISC_R_FAILURE);
+	return (ret);
+}
+
+void
+isc_gost_invalidate(isc_gost_t *ctx) {
+	CK_BYTE garbage[ISC_GOST_DIGESTLENGTH];
+	CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(ctx);
+}
+
+isc_result_t
+isc_gost_update(isc_gost_t *ctx, const unsigned char *buf, unsigned int len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+	int ret = ISC_R_SUCCESS;
+
+	DE_CONST(buf, pPart);
+	PK11_CALL(pkcs_C_DigestUpdate,
+		  (ctx->session, pPart, (CK_ULONG) len),
+		  ISC_R_FAILURE);
+	return (ret);
+}
+
+isc_result_t
+isc_gost_final(isc_gost_t *ctx, unsigned char *digest) {
+	CK_RV rv;
+	CK_ULONG len = ISC_GOST_DIGESTLENGTH;
+	int ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_DigestFinal,
+		  (ctx->session, (CK_BYTE_PTR) digest, &len),
+		  ISC_R_FAILURE);
+	pk11_return_session(ctx);
+	return (ret);
+}
+
+/* DST methods */
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static isc_result_t pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11gost_destroy(dst_key_t *key);
+
+static isc_result_t
+pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_GOSTR3410;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, 0 },
+		{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+		{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_paramset) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *gost;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	REQUIRE(key != NULL);
+	gost = key->keydata.pkey;
+	REQUIRE(gost != NULL);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_GOST, true, false,
+			       gost->reqlogon, NULL,
+			       pk11_get_best_token(OP_GOST));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = gost->ontoken;
+		pk11_ctx->object = gost->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(gost);
+	     attr != NULL;
+	     attr = pk11_attribute_next(gost, attr))
+		switch (attr->type) {
+		case CKA_VALUE2:
+			INSIST(keyTemplate[6].type == CKA_VALUE);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 9,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 6; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	for (i = 6; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_GOSTR3410;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, 0 },
+		{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+		{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_paramset) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *gost;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	REQUIRE(key != NULL);
+	gost = key->keydata.pkey;
+	REQUIRE(gost != NULL);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_GOST, true, false,
+			       gost->reqlogon, NULL,
+			       pk11_get_best_token(OP_GOST));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (gost->ontoken && (gost->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = gost->ontoken;
+		pk11_ctx->object = gost->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(gost);
+	     attr != NULL;
+	     attr = pk11_attribute_next(gost, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 8,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 5; i <= 5; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
+	for (i = 5; i <= 5; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11gost_createctx(dst_key_t *key, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN)
+		return (pkcs11gost_createctx_sign(key, dctx));
+	else
+		return (pkcs11gost_createctx_verify(key, dctx));
+}
+
+static void
+pkcs11gost_destroyctx(dst_context_t *dctx) {
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		if (!pk11_ctx->ontoken &&
+		    (pk11_ctx->object != CK_INVALID_HANDLE))
+			(void) pkcs_C_DestroyObject(pk11_ctx->session,
+					       pk11_ctx->object);
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11gost_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	if (dctx->use == DO_SIGN)
+		PK11_CALL(pkcs_C_SignUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	else
+		PK11_CALL(pkcs_C_VerifyUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	return (ret);
+}
+
+static isc_result_t
+pkcs11gost_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_ULONG siglen = ISC_GOST_SIGNATURELENGTH;
+	isc_region_t r;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < ISC_GOST_SIGNATURELENGTH)
+		return (ISC_R_NOSPACE);
+
+	PK11_RET(pkcs_C_SignFinal,
+		 (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+	if (siglen != ISC_GOST_SIGNATURELENGTH)
+		return (DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, ISC_GOST_SIGNATURELENGTH);
+
+    err:
+	return (ret);
+}
+
+static isc_result_t
+pkcs11gost_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_VerifyFinal,
+		  (pk11_ctx->session,
+		   (CK_BYTE_PTR) sig->base,
+		   (CK_ULONG) sig->length),
+		  DST_R_VERIFYFAILURE);
+	return (ret);
+}
+
+static bool
+pkcs11gost_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *gost1, *gost2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	gost1 = key1->keydata.pkey;
+	gost2 = key2->keydata.pkey;
+
+	if ((gost1 == NULL) && (gost2 == NULL))
+		return (true);
+	else if ((gost1 == NULL) || (gost2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(gost1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(gost2, CKA_VALUE);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(gost1, CKA_VALUE2);
+	attr2 = pk11_attribute_bytype(gost2, CKA_VALUE2);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!gost1->ontoken && !gost2->ontoken)
+		return (true);
+	else if (gost1->ontoken || gost2->ontoken ||
+		 (gost1->object != gost2->object))
+		return (false);
+
+	return (true);
+}
+
+static isc_result_t
+pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_GOSTR3410_KEY_PAIR_GEN, NULL, 0 };
+	CK_KEY_TYPE  keyType = CKK_GOSTR3410;
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+		{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_paramset) }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *gost;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_GOST, true, false,
+			       false, NULL, pk11_get_best_token(OP_GOST));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 7,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+	if (gost == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(gost, 0, sizeof(*gost));
+	key->keydata.pkey = gost;
+	key->key_size = ISC_GOST_KEYSIZE;
+	gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+						  sizeof(*attr) * 2);
+	if (gost->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(gost->repr, 0, sizeof(*attr) * 2);
+	gost->attrcnt = 2;
+
+	attr = gost->repr;
+	attr[0].type = CKA_VALUE;
+	attr[1].type = CKA_VALUE2;
+
+	attr = gost->repr;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	attr++;
+	attr->type = CKA_VALUE;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->type = CKA_VALUE2;
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	pkcs11gost_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11gost_isprivate(const dst_key_t *key) {
+	pk11_object_t *gost = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (gost == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+	return (attr != NULL || gost->ontoken);
+}
+
+static void
+pkcs11gost_destroy(dst_key_t *key) {
+	pk11_object_t *gost = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (gost == NULL)
+		return;
+
+	INSIST((gost->object == CK_INVALID_HANDLE) || gost->ontoken);
+
+	for (attr = pk11_attribute_first(gost);
+	     attr != NULL;
+	     attr = pk11_attribute_next(gost, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+		case CKA_VALUE2:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (gost->repr != NULL) {
+		isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    gost->repr, gost->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(gost, sizeof(*gost));
+	isc_mem_put(key->mctx, gost, sizeof(*gost));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11gost_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *gost;
+	isc_region_t r;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	gost = key->keydata.pkey;
+	attr = pk11_attribute_bytype(gost, CKA_VALUE);
+	if ((attr == NULL) || (attr->ulValueLen != ISC_GOST_PUBKEYLENGTH))
+		return (ISC_R_FAILURE);
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < ISC_GOST_PUBKEYLENGTH)
+		return (ISC_R_NOSPACE);
+	memmove(r.base, (CK_BYTE_PTR) attr->pValue, ISC_GOST_PUBKEYLENGTH);
+	isc_buffer_add(data, ISC_GOST_PUBKEYLENGTH);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *gost;
+	isc_region_t r;
+	CK_ATTRIBUTE *attr;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (r.length != ISC_GOST_PUBKEYLENGTH)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+	if (gost == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(gost, 0, sizeof(*gost));
+	gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr));
+	if (gost->repr == NULL)
+		goto nomemory;
+	gost->attrcnt = 1;
+
+	attr = gost->repr;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, ISC_GOST_PUBKEYLENGTH);
+	if (attr->pValue == NULL)
+		goto nomemory;
+	memmove((CK_BYTE_PTR) attr->pValue, r.base, ISC_GOST_PUBKEYLENGTH);
+	attr->ulValueLen = ISC_GOST_PUBKEYLENGTH;
+
+	isc_buffer_forward(data, ISC_GOST_PUBKEYLENGTH);
+	key->keydata.pkey = gost;
+	key->key_size = ISC_GOST_KEYSIZE;
+	return (ISC_R_SUCCESS);
+
+ nomemory:
+	for (attr = pk11_attribute_first(gost);
+	     attr != NULL;
+	     attr = pk11_attribute_next(gost, attr))
+		switch (attr->type) {
+		case CKA_VALUE:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (gost->repr != NULL) {
+		isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    gost->repr, gost->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(gost, sizeof(*gost));
+	isc_mem_put(key->mctx, gost, sizeof(*gost));
+	return (ISC_R_NOMEMORY);
+}
+
+static unsigned char gost_private_der[39] = {
+	0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+	0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+	0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+	0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+	0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20
+};
+
+#ifdef PREFER_GOSTASN1
+
+static isc_result_t
+pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *gost;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+	int adj;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	gost = key->keydata.pkey;
+	attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen + 39);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[i].tag = TAG_GOST_PRIVASN1;
+		priv.elements[i].length =
+			(unsigned short) attr->ulValueLen + 39;
+		memmove(buf, gost_private_der, 39);
+		memmove(buf + 39, attr->pValue, attr->ulValueLen);
+		adj = (int) attr->ulValueLen - 32;
+		if (adj != 0) {
+			buf[1] += adj;
+			buf[36] += adj;
+			buf[38] += adj;
+		}
+		priv.elements[i].data = buf;
+		i++;
+	} else
+		return (DST_R_CRYPTOFAILURE);
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		isc_safe_memwipe(buf, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+#else
+
+static isc_result_t
+pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *gost;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	gost = key->keydata.pkey;
+	attr = pk11_attribute_bytype(gost, CKA_VALUE2);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[i].tag = TAG_GOST_PRIVRAW;
+		priv.elements[i].length = (unsigned short) attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	} else
+		return (DST_R_CRYPTOFAILURE);
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		isc_safe_memwipe(buf, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+#endif
+
+static isc_result_t
+pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *gost = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL))
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	if (priv.elements[0].tag == TAG_GOST_PRIVASN1) {
+		int adj = (int) priv.elements[0].length - (39 + 32);
+		unsigned char buf[39];
+
+		if ((adj > 0) || (adj < -31))
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		memmove(buf, gost_private_der, 39);
+		if (adj != 0) {
+			buf[1] += adj;
+			buf[36] += adj;
+			buf[38] += adj;
+		}
+		if (!isc_safe_memequal(priv.elements[0].data, buf, 39))
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		priv.elements[0].tag = TAG_GOST_PRIVRAW;
+		priv.elements[0].length -= 39;
+		memmove(priv.elements[0].data,
+			priv.elements[0].data + 39,
+			32 + adj);
+	}
+
+	gost = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*gost));
+	if (gost == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(gost, 0, sizeof(*gost));
+	key->keydata.pkey = gost;
+	key->key_size = ISC_GOST_KEYSIZE;
+
+	gost->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx,
+						  sizeof(*attr) * 2);
+	if (gost->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(gost->repr, 0, sizeof(*attr) * 2);
+	gost->attrcnt = 2;
+
+	attr = gost->repr;
+	attr->type = CKA_VALUE;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_VALUE);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE2;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11gost_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t pkcs11gost_functions = {
+	pkcs11gost_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11gost_destroyctx,
+	pkcs11gost_adddata,
+	pkcs11gost_sign,
+	pkcs11gost_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11gost_compare,
+	NULL, /*%< paramcompare */
+	pkcs11gost_generate,
+	pkcs11gost_isprivate,
+	pkcs11gost_destroy,
+	pkcs11gost_todns,
+	pkcs11gost_fromdns,
+	pkcs11gost_tofile,
+	pkcs11gost_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11gost_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11gost_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_GOST */
+/*! \file */
diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
new file mode 100644
index 0000000..eb782c8
--- /dev/null
+++ b/lib/dns/pkcs11rsa_link.c
@@ -0,0 +1,2237 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifdef PKCS11CRYPTO
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/internal.h>
+#include <pk11/site.h>
+
+/*
+ * Limit the size of public exponents.
+ */
+#ifndef RSA_MAX_PUBEXP_BITS
+#define RSA_MAX_PUBEXP_BITS    35
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data);
+static void pkcs11rsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11rsa_fetch(dst_key_t *key, const char *engine,
+				    const char *label, dst_key_t *pub);
+
+#ifndef PK11_RSA_PKCS_REPLACE
+
+static isc_result_t
+pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+		{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+		{ CKA_PRIME_1, NULL, 0 },
+		{ CKA_PRIME_2, NULL, 0 },
+		{ CKA_EXPONENT_1, NULL, 0 },
+		{ CKA_EXPONENT_2, NULL, 0 },
+		{ CKA_COEFFICIENT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_SLOT_ID slotid;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+		key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	rsa = key->keydata.pkey;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (rsa->ontoken)
+		slotid = rsa->slot;
+	else
+		slotid = pk11_get_best_token(OP_RSA);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       rsa->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = rsa->ontoken;
+		pk11_ctx->object = rsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[7].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[8].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_1:
+			INSIST(keyTemplate[9].type == attr->type);
+			keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[9].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[9].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[9].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_2:
+			INSIST(keyTemplate[10].type == attr->type);
+			keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[10].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[10].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[10].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_1:
+			INSIST(keyTemplate[11].type == attr->type);
+			keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[11].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[11].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[11].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_2:
+			INSIST(keyTemplate[12].type == attr->type);
+			keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[12].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[12].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[12].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_COEFFICIENT:
+			INSIST(keyTemplate[13].type == attr->type);
+			keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[13].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[13].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[13].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 14,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		mech.mechanism = CKM_MD5_RSA_PKCS;
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA1_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512_RSA_PKCS;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 6; i <= 13; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session,
+					    pk11_ctx->object);
+	for (i = 6; i <= 13; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+			   dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+		key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#endif
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	rsa = key->keydata.pkey;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       rsa->reqlogon, NULL,
+			       pk11_get_best_token(OP_RSA));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			if (pk11_numbits(attr->pValue,
+					 attr->ulValueLen) > maxbits &&
+			    maxbits != 0)
+				DST_RET(DST_R_VERIFYFAILURE);
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	switch (dctx->key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		mech.mechanism = CKM_MD5_RSA_PKCS;
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA1_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256_RSA_PKCS;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512_RSA_PKCS;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, pk11_ctx->object),
+		 ISC_R_FAILURE);
+
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
+		(void) pkcs_C_DestroyObject(pk11_ctx->session,
+					    pk11_ctx->object);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN)
+		return (pkcs11rsa_createctx_sign(key, dctx));
+	else
+		return (pkcs11rsa_createctx_verify(key, 0U, dctx));
+}
+
+static isc_result_t
+pkcs11rsa_createctx2(dst_key_t *key, int maxbits, dst_context_t *dctx) {
+	if (dctx->use == DO_SIGN)
+		return (pkcs11rsa_createctx_sign(key, dctx));
+	else
+		return (pkcs11rsa_createctx_verify(key,
+						   (unsigned) maxbits, dctx));
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		if (!pk11_ctx->ontoken &&
+		    (pk11_ctx->object != CK_INVALID_HANDLE))
+			(void) pkcs_C_DestroyObject(pk11_ctx->session,
+						    pk11_ctx->object);
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	if (dctx->use == DO_SIGN)
+		PK11_CALL(pkcs_C_SignUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	else
+		PK11_CALL(pkcs_C_VerifyUpdate,
+			  (pk11_ctx->session,
+			   (CK_BYTE_PTR) data->base,
+			   (CK_ULONG) data->length),
+			  ISC_R_FAILURE);
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_ULONG siglen = 0;
+	isc_region_t r;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_RET(pkcs_C_SignFinal,
+		 (pk11_ctx->session, NULL, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+
+	if (r.length < (unsigned int) siglen)
+		return (ISC_R_NOSPACE);
+
+	PK11_RET(pkcs_C_SignFinal,
+		 (pk11_ctx->session, (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int) siglen);
+
+    err:
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_VerifyFinal,
+		  (pk11_ctx->session,
+		   (CK_BYTE_PTR) sig->base,
+		   (CK_ULONG) sig->length),
+		  DST_R_VERIFYFAILURE);
+	return (ret);
+}
+
+#else
+
+/*
+ * CKM_<hash>_RSA_PKCS mechanisms are not available so fall back
+ * to CKM_RSA_PKCS and do the EMSA-PKCS#1-v1.5 encapsulation by hand.
+ */
+
+CK_BYTE md5_der[] =
+	{ 0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86,
+	  0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00,
+	  0x04, 0x10 };
+CK_BYTE sha1_der[] =
+	{ 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
+	  0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+CK_BYTE sha256_der[] =
+	{ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+	  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+	  0x00, 0x04, 0x20 };
+CK_BYTE sha512_der[] =
+	{ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+	  0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+	  0x00, 0x04, 0x40 };
+#define MAX_DER_SIZE 19
+#define MIN_PKCS1_PADLEN 11
+
+static isc_result_t
+pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { 0, NULL, 0 };
+	CK_SLOT_ID slotid;
+	pk11_object_t *rsa = key->keydata.pkey;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+		key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#endif
+	REQUIRE(rsa != NULL);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		mech.mechanism = CKM_MD5;
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		mech.mechanism = CKM_SHA_1;
+		break;
+	case DST_ALG_RSASHA256:
+		mech.mechanism = CKM_SHA256;
+		break;
+	case DST_ALG_RSASHA512:
+		mech.mechanism = CKM_SHA512;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (rsa->ontoken)
+		slotid = rsa->slot;
+	else
+		slotid = pk11_get_best_token(OP_RSA);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       rsa->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	PK11_RET(pkcs_C_DigestInit, (pk11_ctx->session, &mech), ISC_R_FAILURE);
+	dctx->ctxdata.pk11_ctx = pk11_ctx;
+	return (ISC_R_SUCCESS);
+
+    err:
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static void
+pkcs11rsa_destroyctx(dst_context_t *dctx) {
+	CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+
+	if (pk11_ctx != NULL) {
+		(void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+		dctx->ctxdata.pk11_ctx = NULL;
+	}
+}
+
+static isc_result_t
+pkcs11rsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	CK_RV rv;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	PK11_CALL(pkcs_C_DigestUpdate,
+		  (pk11_ctx->session,
+		   (CK_BYTE_PTR) data->base,
+		   (CK_ULONG) data->length),
+		  ISC_R_FAILURE);
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+		{ CKA_PRIVATE_EXPONENT, NULL, 0 },
+		{ CKA_PRIME_1, NULL, 0 },
+		{ CKA_PRIME_2, NULL, 0 },
+		{ CKA_EXPONENT_1, NULL, 0 },
+		{ CKA_EXPONENT_2, NULL, 0 },
+		{ CKA_COEFFICIENT, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
+	CK_BYTE *der;
+	CK_ULONG derlen;
+	CK_ULONG hashlen;
+	CK_ULONG dgstlen;
+	CK_ULONG siglen = 0;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *rsa = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+		key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#endif
+	REQUIRE(rsa != NULL);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		der = md5_der;
+		derlen = sizeof(md5_der);
+		hashlen = ISC_MD5_DIGESTLENGTH;
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		der = sha1_der;
+		derlen = sizeof(sha1_der);
+		hashlen = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA256:
+		der = sha256_der;
+		derlen = sizeof(sha256_der);
+		hashlen = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA512:
+		der = sha512_der;
+		derlen = sizeof(sha512_der);
+		hashlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		INSIST(0);
+	}
+	dgstlen = derlen + hashlen;
+	INSIST(dgstlen <= sizeof(digest));
+	memmove(digest, der, derlen);
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest + derlen, &hashlen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < (unsigned int) dgstlen + MIN_PKCS1_PADLEN)
+		return (ISC_R_NOSPACE);
+
+	if (rsa->ontoken && (rsa->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = rsa->ontoken;
+		pk11_ctx->object = rsa->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[7].type == attr->type);
+			keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[7].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[7].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[7].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			INSIST(keyTemplate[8].type == attr->type);
+			keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[8].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[8].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[8].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_1:
+			INSIST(keyTemplate[9].type == attr->type);
+			keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[9].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[9].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[9].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PRIME_2:
+			INSIST(keyTemplate[10].type == attr->type);
+			keyTemplate[10].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[10].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[10].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[10].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_1:
+			INSIST(keyTemplate[11].type == attr->type);
+			keyTemplate[11].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[11].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[11].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[11].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EXPONENT_2:
+			INSIST(keyTemplate[12].type == attr->type);
+			keyTemplate[12].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[12].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[12].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[12].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_COEFFICIENT:
+			INSIST(keyTemplate[13].type == attr->type);
+			keyTemplate[13].pValue = isc_mem_get(dctx->mctx,
+							     attr->ulValueLen);
+			if (keyTemplate[13].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[13].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[13].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 14,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+    token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session,
+		  digest, dgstlen,
+		  NULL, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	if (r.length < (unsigned int) siglen)
+		return (ISC_R_NOSPACE);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session,
+		  digest, dgstlen,
+		  (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int) siglen);
+
+    err:
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 6; i <= 13; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 },
+	};
+	CK_ATTRIBUTE *attr;
+	CK_BYTE digest[MAX_DER_SIZE + ISC_SHA512_DIGESTLENGTH];
+	CK_BYTE *der;
+	CK_ULONG derlen;
+	CK_ULONG hashlen;
+	CK_ULONG dgstlen;
+	pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *rsa = key->keydata.pkey;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+#ifndef PK11_MD5_DISABLE
+	REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
+		key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#else
+	REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
+		key->key_alg == DST_ALG_NSEC3RSASHA1 ||
+		key->key_alg == DST_ALG_RSASHA256 ||
+		key->key_alg == DST_ALG_RSASHA512);
+#endif
+	REQUIRE(rsa != NULL);
+
+	switch (key->key_alg) {
+#ifndef PK11_MD5_DISABLE
+	case DST_ALG_RSAMD5:
+		der = md5_der;
+		derlen = sizeof(md5_der);
+		hashlen = ISC_MD5_DIGESTLENGTH;
+		break;
+#endif
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		der = sha1_der;
+		derlen = sizeof(sha1_der);
+		hashlen = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA256:
+		der = sha256_der;
+		derlen = sizeof(sha256_der);
+		hashlen = ISC_SHA256_DIGESTLENGTH;
+		break;
+	case DST_ALG_RSASHA512:
+		der = sha512_der;
+		derlen = sizeof(sha512_der);
+		hashlen = ISC_SHA512_DIGESTLENGTH;
+		break;
+	default:
+		INSIST(0);
+	}
+	dgstlen = derlen + hashlen;
+	INSIST(dgstlen <= sizeof(digest));
+	memmove(digest, der, derlen);
+
+	PK11_RET(pkcs_C_DigestFinal,
+		 (pk11_ctx->session, digest + derlen, &hashlen),
+		 DST_R_SIGNFAILURE);
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			if (pk11_numbits(attr->pValue,
+					 attr->ulValueLen)
+				> RSA_MAX_PUBEXP_BITS)
+				DST_RET(DST_R_VERIFYFAILURE);
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = false;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session,
+		  digest, dgstlen,
+		  (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+		 DST_R_VERIFYFAILURE);
+
+    err:
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	dctx->ctxdata.pk11_ctx = NULL;
+
+	return (ret);
+}
+#endif
+
+static bool
+pkcs11rsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *rsa1, *rsa2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	rsa1 = key1->keydata.pkey;
+	rsa2 = key2->keydata.pkey;
+
+	if ((rsa1 == NULL) && (rsa2 == NULL))
+		return (true);
+	else if ((rsa1 == NULL) || (rsa2 == NULL))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_MODULUS);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_MODULUS);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_PUBLIC_EXPONENT);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_PUBLIC_EXPONENT);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (true);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (false);
+
+	attr1 = pk11_attribute_bytype(rsa1, CKA_PRIVATE_EXPONENT);
+	attr2 = pk11_attribute_bytype(rsa2, CKA_PRIVATE_EXPONENT);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (false);
+
+	if (!rsa1->ontoken && !rsa2->ontoken)
+		return (true);
+	else if (rsa1->ontoken || rsa2->ontoken ||
+		 (rsa1->object != rsa2->object))
+		return (false);
+
+	return (true);
+}
+
+static isc_result_t
+pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_RSA_PKCS_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_ULONG bits = 0;
+	CK_BYTE pubexp[5];
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE  keyType = CKK_RSA;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_MODULUS_BITS, &bits, (CK_ULONG) sizeof(bits) },
+		{ CKA_PUBLIC_EXPONENT, &pubexp, (CK_ULONG) sizeof(pubexp) }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(callback);
+
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) ||
+		    (key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) ||
+		    (key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       false, NULL, pk11_get_best_token(OP_RSA));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	bits = key->key_size;
+	if (exp == 0) {
+		/* RSA_F4 0x10001 */
+		pubexp[0] = 1;
+		pubexp[1] = 0;
+		pubexp[2] = 1;
+		pubTemplate[6].ulValueLen = 3;
+	} else {
+		/* F5 0x100000001 */
+		pubexp[0] = 1;
+		pubexp[1] = 0;
+		pubexp[2] = 0;
+		pubexp[3] = 0;
+		pubexp[4] = 1;
+		pubTemplate[6].ulValueLen = 5;
+	}
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 7,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+	if (rsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(rsa, 0, sizeof(*rsa));
+	key->keydata.pkey = rsa;
+	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+	if (rsa->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(rsa->repr, 0, sizeof(*attr) * 8);
+	rsa->attrcnt = 8;
+
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[2].type = CKA_PRIVATE_EXPONENT;
+	attr[3].type = CKA_PRIME_1;
+	attr[4].type = CKA_PRIME_2;
+	attr[5].type = CKA_EXPONENT_1;
+	attr[6].type = CKA_EXPONENT_2;
+	attr[7].type = CKA_COEFFICIENT;
+
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	attr += 2;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 6),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 5; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 6),
+		 DST_R_CRYPTOFAILURE);
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	pkcs11rsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static bool
+pkcs11rsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *rsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (rsa == NULL)
+		return (false);
+	attr = pk11_attribute_bytype(rsa, CKA_PRIVATE_EXPONENT);
+	return (attr != NULL || rsa->ontoken);
+}
+
+static void
+pkcs11rsa_destroy(dst_key_t *key) {
+	pk11_object_t *rsa = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (rsa == NULL)
+		return;
+
+	INSIST((rsa->object == CK_INVALID_HANDLE) || rsa->ontoken);
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_MODULUS:
+		case CKA_PUBLIC_EXPONENT:
+		case CKA_PRIVATE_EXPONENT:
+		case CKA_PRIME_1:
+		case CKA_PRIME_2:
+		case CKA_EXPONENT_1:
+		case CKA_EXPONENT_2:
+		case CKA_COEFFICIENT:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (rsa->repr != NULL) {
+		isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    rsa->repr,
+			    rsa->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(rsa, sizeof(*rsa));
+	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11rsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	isc_region_t r;
+	unsigned int e_bytes = 0, mod_bytes = 0;
+	CK_BYTE *exponent = NULL, *modulus = NULL;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	rsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_PUBLIC_EXPONENT:
+			exponent = (CK_BYTE *) attr->pValue;
+			e_bytes = (unsigned int) attr->ulValueLen;
+			break;
+		case CKA_MODULUS:
+			modulus = (CK_BYTE *) attr->pValue;
+			mod_bytes = (unsigned int) attr->ulValueLen;
+			break;
+		}
+	REQUIRE((exponent != NULL) && (modulus != NULL));
+
+	isc_buffer_availableregion(data, &r);
+
+	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
+		if (r.length < 1)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(data, (uint8_t) e_bytes);
+		isc_region_consume(&r, 1);
+	} else {
+		if (r.length < 3)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(data, 0);
+		isc_buffer_putuint16(data, (uint16_t) e_bytes);
+		isc_region_consume(&r, 3);
+	}
+
+	if (r.length < e_bytes + mod_bytes)
+		return (ISC_R_NOSPACE);
+
+	memmove(r.base, exponent, e_bytes);
+	isc_region_consume(&r, e_bytes);
+	memmove(r.base, modulus, mod_bytes);
+
+	isc_buffer_add(data, e_bytes + mod_bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *rsa;
+	isc_region_t r;
+	unsigned int e_bytes, mod_bytes;
+	CK_BYTE *exponent = NULL, *modulus = NULL;
+	CK_ATTRIBUTE *attr;
+	unsigned int length;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	length = r.length;
+
+	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+	if (rsa == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(rsa, 0, sizeof(*rsa));
+
+	e_bytes = *r.base;
+	isc_region_consume(&r, 1);
+
+	if (e_bytes == 0) {
+		if (r.length < 2) {
+			isc_safe_memwipe(rsa, sizeof(*rsa));
+			isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+			return (DST_R_INVALIDPUBLICKEY);
+		}
+		e_bytes = (*r.base) << 8;
+		isc_region_consume(&r, 1);
+		e_bytes += *r.base;
+		isc_region_consume(&r, 1);
+	}
+
+	if (r.length < e_bytes) {
+		isc_safe_memwipe(rsa, sizeof(*rsa));
+		isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+		return (DST_R_INVALIDPUBLICKEY);
+	}
+	exponent = r.base;
+	isc_region_consume(&r, e_bytes);
+	modulus = r.base;
+	mod_bytes = r.length;
+
+	key->key_size = pk11_numbits(modulus, mod_bytes);
+
+	isc_buffer_forward(data, length);
+
+	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (rsa->repr == NULL)
+		goto nomemory;
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[0].pValue = isc_mem_get(key->mctx, mod_bytes);
+	if (attr[0].pValue == NULL)
+		goto nomemory;
+	memmove(attr[0].pValue, modulus, mod_bytes);
+	attr[0].ulValueLen = (CK_ULONG) mod_bytes;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[1].pValue = isc_mem_get(key->mctx, e_bytes);
+	if (attr[1].pValue == NULL)
+		goto nomemory;
+	memmove(attr[1].pValue, exponent, e_bytes);
+	attr[1].ulValueLen = (CK_ULONG) e_bytes;
+
+	key->keydata.pkey = rsa;
+
+	return (ISC_R_SUCCESS);
+
+    nomemory:
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+		case CKA_PUBLIC_EXPONENT:
+			if (attr->pValue != NULL) {
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
+				isc_mem_put(key->mctx,
+					    attr->pValue,
+					    attr->ulValueLen);
+			}
+			break;
+		}
+	if (rsa->repr != NULL) {
+		isc_safe_memwipe(rsa->repr,
+				 rsa->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    rsa->repr,
+			    rsa->attrcnt * sizeof(*attr));
+	}
+	isc_safe_memwipe(rsa, sizeof(*rsa));
+	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+	return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
+	int i;
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *modulus = NULL, *exponent = NULL;
+	CK_ATTRIBUTE  *d = NULL, *p = NULL, *q = NULL;
+	CK_ATTRIBUTE *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+	dst_private_t priv;
+	unsigned char *bufs[10];
+	isc_result_t result;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	rsa = key->keydata.pkey;
+
+	for (attr = pk11_attribute_first(rsa);
+	     attr != NULL;
+	     attr = pk11_attribute_next(rsa, attr))
+		switch (attr->type) {
+		case CKA_MODULUS:
+			modulus = attr;
+			break;
+		case CKA_PUBLIC_EXPONENT:
+			exponent = attr;
+			break;
+		case CKA_PRIVATE_EXPONENT:
+			d = attr;
+			break;
+		case CKA_PRIME_1:
+			p = attr;
+			break;
+		case CKA_PRIME_2:
+			q = attr;
+			break;
+		case CKA_EXPONENT_1:
+			dmp1 = attr;
+			break;
+		case CKA_EXPONENT_2:
+			dmq1 = attr;
+			break;
+		case CKA_COEFFICIENT:
+			iqmp = attr;
+			break;
+		}
+	if ((modulus == NULL) || (exponent == NULL))
+		return (DST_R_NULLKEY);
+
+	memset(bufs, 0, sizeof(bufs));
+
+	for (i = 0; i < 10; i++) {
+		bufs[i] = isc_mem_get(key->mctx, modulus->ulValueLen);
+		if (bufs[i] == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto fail;
+		}
+		memset(bufs[i], 0, modulus->ulValueLen);
+	}
+
+	i = 0;
+
+	priv.elements[i].tag = TAG_RSA_MODULUS;
+	priv.elements[i].length = (unsigned short) modulus->ulValueLen;
+	memmove(bufs[i], modulus->pValue, modulus->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+	priv.elements[i].length = (unsigned short) exponent->ulValueLen;
+	memmove(bufs[i], exponent->pValue, exponent->ulValueLen);
+	priv.elements[i].data = bufs[i];
+	i++;
+
+	if (d != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+		priv.elements[i].length = (unsigned short) d->ulValueLen;
+		memmove(bufs[i], d->pValue, d->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (p != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME1;
+		priv.elements[i].length = (unsigned short) p->ulValueLen;
+		memmove(bufs[i], p->pValue, p->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (q != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME2;
+		priv.elements[i].length = (unsigned short) q->ulValueLen;
+		memmove(bufs[i], q->pValue, q->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmp1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT1;
+		priv.elements[i].length = (unsigned short) dmp1->ulValueLen;
+		memmove(bufs[i], dmp1->pValue, dmp1->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (dmq1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT2;
+		priv.elements[i].length = (unsigned short) dmq1->ulValueLen;
+		memmove(bufs[i], dmq1->pValue, dmq1->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (iqmp != NULL) {
+		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+		priv.elements[i].length = (unsigned short) iqmp->ulValueLen;
+		memmove(bufs[i], iqmp->pValue, iqmp->ulValueLen);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_RSA_ENGINE;
+		priv.elements[i].length =
+			(unsigned short)strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_RSA_LABEL;
+		priv.elements[i].length =
+			(unsigned short)strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+	for (i = 0; i < 10; i++) {
+		if (bufs[i] == NULL)
+			break;
+		isc_safe_memwipe(bufs[i], modulus->ulValueLen);
+		isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
+	}
+	return (result);
+}
+
+static isc_result_t
+pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		dst_key_t *pub)
+{
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *rsa;
+	pk11_object_t *pubrsa;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL)
+		return (DST_R_NOENGINE);
+
+	rsa = key->keydata.pkey;
+	pubrsa = pub->keydata.pkey;
+
+	rsa->object = CK_INVALID_HANDLE;
+	rsa->ontoken = true;
+	rsa->reqlogon = true;
+	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (rsa->repr == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+
+	attr->type = CKA_MODULUS;
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_PUBLIC_EXPONENT;
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       rsa->reqlogon, NULL, rsa->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(rsa, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+
+	return (ret);
+}
+
+static isc_result_t
+rsa_check(pk11_object_t *rsa, pk11_object_t *pubrsa) {
+	CK_ATTRIBUTE *pubattr, *privattr;
+	CK_BYTE *priv_exp = NULL, *priv_mod = NULL;
+	CK_BYTE *pub_exp = NULL, *pub_mod = NULL;
+	unsigned int priv_explen = 0, priv_modlen = 0;
+	unsigned int pub_explen = 0, pub_modlen = 0;
+
+	REQUIRE(rsa != NULL && pubrsa != NULL);
+
+	privattr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(privattr != NULL);
+	priv_exp = privattr->pValue;
+	priv_explen = privattr->ulValueLen;
+
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_PUBLIC_EXPONENT);
+	INSIST(pubattr != NULL);
+	pub_exp = pubattr->pValue;
+	pub_explen = pubattr->ulValueLen;
+
+	if (priv_exp != NULL) {
+		if (priv_explen != pub_explen)
+			return (DST_R_INVALIDPRIVATEKEY);
+		if (!isc_safe_memequal(priv_exp, pub_exp, pub_explen))
+			return (DST_R_INVALIDPRIVATEKEY);
+	} else {
+		privattr->pValue = pub_exp;
+		privattr->ulValueLen = pub_explen;
+		pubattr->pValue = NULL;
+		pubattr->ulValueLen = 0;
+	}
+
+	if (privattr->pValue == NULL)
+		return (DST_R_INVALIDPRIVATEKEY);
+
+	privattr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(privattr != NULL);
+	priv_mod = privattr->pValue;
+	priv_modlen = privattr->ulValueLen;
+
+	pubattr = pk11_attribute_bytype(pubrsa, CKA_MODULUS);
+	INSIST(pubattr != NULL);
+	pub_mod = pubattr->pValue;
+	pub_modlen = pubattr->ulValueLen;
+
+	if (priv_mod != NULL) {
+		if (priv_modlen != pub_modlen)
+			return (DST_R_INVALIDPRIVATEKEY);
+		if (!isc_safe_memequal(priv_mod, pub_mod, pub_modlen))
+			return (DST_R_INVALIDPRIVATEKEY);
+	} else {
+		privattr->pValue = pub_mod;
+		privattr->ulValueLen = pub_modlen;
+		pubattr->pValue = NULL;
+		pubattr->ulValueLen = 0;
+	}
+
+	if (privattr->pValue == NULL)
+		return (DST_R_INVALIDPRIVATEKEY);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	int i;
+	pk11_object_t *rsa;
+	CK_ATTRIBUTE *attr;
+	isc_mem_t *mctx = key->mctx;
+	const char *engine = NULL, *label = NULL;
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_RSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+	if (rsa == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(rsa, 0, sizeof(*rsa));
+	key->keydata.pkey = rsa;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11rsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS)
+			goto err;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ret);
+	}
+
+	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 8);
+	if (rsa->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(rsa->repr, 0, sizeof(*attr) * 8);
+	rsa->attrcnt = 8;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+	attr[2].type = CKA_PRIVATE_EXPONENT;
+	attr[3].type = CKA_PRIME_1;
+	attr[4].type = CKA_PRIME_2;
+	attr[5].type = CKA_EXPONENT_1;
+	attr[6].type = CKA_EXPONENT_2;
+	attr[7].type = CKA_COEFFICIENT;
+
+	for (i = 0; i < priv.nelements; i++) {
+		CK_BYTE *bn;
+
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			continue;
+		case TAG_RSA_LABEL:
+			continue;
+		default:
+			bn = isc_mem_get(key->mctx, priv.elements[i].length);
+			if (bn == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(bn, priv.elements[i].data,
+				priv.elements[i].length);
+		}
+
+		switch (priv.elements[i].tag) {
+			case TAG_RSA_MODULUS:
+				attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_PUBLICEXPONENT:
+				attr = pk11_attribute_bytype(rsa,
+						CKA_PUBLIC_EXPONENT);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_PRIVATEEXPONENT:
+				attr = pk11_attribute_bytype(rsa,
+						CKA_PRIVATE_EXPONENT);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_PRIME1:
+				attr = pk11_attribute_bytype(rsa, CKA_PRIME_1);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_PRIME2:
+				attr = pk11_attribute_bytype(rsa, CKA_PRIME_2);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_EXPONENT1:
+				attr = pk11_attribute_bytype(rsa,
+							     CKA_EXPONENT_1);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_EXPONENT2:
+				attr = pk11_attribute_bytype(rsa,
+							     CKA_EXPONENT_2);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+			case TAG_RSA_COEFFICIENT:
+				attr = pk11_attribute_bytype(rsa,
+							     CKA_COEFFICIENT);
+				INSIST(attr != NULL);
+				attr->pValue = bn;
+				attr->ulValueLen = priv.elements[i].length;
+				break;
+		}
+	}
+
+	if (rsa_check(rsa, pub->keydata.pkey) != ISC_R_SUCCESS)
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(attr != NULL);
+	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+		DST_RET(ISC_R_RANGE);
+
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11rsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		    const char *pin)
+{
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_RSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *rsa;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	rsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*rsa));
+	if (rsa == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(rsa, 0, sizeof(*rsa));
+	rsa->object = CK_INVALID_HANDLE;
+	rsa->ontoken = true;
+	rsa->reqlogon = true;
+	key->keydata.pkey = rsa;
+
+	rsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (rsa->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(rsa->repr, 0, sizeof(*attr) * 2);
+	rsa->attrcnt = 2;
+	attr = rsa->repr;
+	attr[0].type = CKA_MODULUS;
+	attr[1].type = CKA_PUBLIC_EXPONENT;
+
+	ret = pk11_parse_uri(rsa, label, key->mctx, OP_RSA);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_RSA, true, false,
+			       rsa->reqlogon, NULL, rsa->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(rsa, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(rsa, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	attr = rsa->repr;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &rsa->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+
+	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+	INSIST(attr != NULL);
+	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
+		DST_RET(ISC_R_RANGE);
+
+	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+	INSIST(attr != NULL);
+	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
+
+	pk11_return_session(pk11_ctx);
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ISC_R_SUCCESS);
+
+    err:
+	pkcs11rsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+
+	return (ret);
+}
+
+static dst_func_t pkcs11rsa_functions = {
+	pkcs11rsa_createctx,
+#ifndef PK11_RSA_PKCS_REPLACE
+	pkcs11rsa_createctx2,
+#else
+	NULL, /*%< createctx2 */
+#endif
+	pkcs11rsa_destroyctx,
+	pkcs11rsa_adddata,
+	pkcs11rsa_sign,
+	pkcs11rsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11rsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11rsa_generate,
+	pkcs11rsa_isprivate,
+	pkcs11rsa_destroy,
+	pkcs11rsa_todns,
+	pkcs11rsa_fromdns,
+	pkcs11rsa_tofile,
+	pkcs11rsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11rsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11rsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+
+	if (*funcp == NULL)
+		*funcp = &pkcs11rsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO */
+/*! \file */
diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c
new file mode 100644
index 0000000..7de7178
--- /dev/null
+++ b/lib/dns/portlist.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/types.h>
+#include <dns/portlist.h>
+
+#define DNS_PORTLIST_MAGIC	ISC_MAGIC('P','L','S','T')
+#define DNS_VALID_PORTLIST(p)	ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
+
+typedef struct dns_element {
+	in_port_t	port;
+	uint16_t	flags;
+} dns_element_t;
+
+struct dns_portlist {
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	isc_refcount_t	refcount;
+	isc_mutex_t	lock;
+	dns_element_t 	*list;
+	unsigned int	allocated;
+	unsigned int	active;
+};
+
+#define DNS_PL_INET	0x0001
+#define DNS_PL_INET6	0x0002
+#define DNS_PL_ALLOCATE	16
+
+static int
+compare(const void *arg1, const void *arg2) {
+	const dns_element_t *e1 = (const dns_element_t *)arg1;
+	const dns_element_t *e2 = (const dns_element_t *)arg2;
+
+	if (e1->port < e2->port)
+		return (-1);
+	if (e1->port > e2->port)
+		return (1);
+	return (0);
+}
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
+	dns_portlist_t *portlist;
+	isc_result_t result;
+
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	portlist = isc_mem_get(mctx, sizeof(*portlist));
+	if (portlist == NULL)
+		return (ISC_R_NOMEMORY);
+	result = isc_mutex_init(&portlist->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, portlist, sizeof(*portlist));
+		return (result);
+	}
+	result = isc_refcount_init(&portlist->refcount, 1);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&portlist->lock);
+		isc_mem_put(mctx, portlist, sizeof(*portlist));
+		return (result);
+	}
+	portlist->list = NULL;
+	portlist->allocated = 0;
+	portlist->active = 0;
+	portlist->mctx = NULL;
+	isc_mem_attach(mctx, &portlist->mctx);
+	portlist->magic = DNS_PORTLIST_MAGIC;
+	*portlistp = portlist;
+	return (ISC_R_SUCCESS);
+}
+
+static dns_element_t *
+find_port(dns_element_t *list, unsigned int len, in_port_t port) {
+	unsigned int xtry = len / 2;
+	unsigned int min = 0;
+	unsigned int max = len - 1;
+	unsigned int last = len;
+
+	for (;;) {
+		if (list[xtry].port == port)
+			return (&list[xtry]);
+		if (port > list[xtry].port) {
+			if (xtry == max)
+				break;
+			min = xtry;
+			xtry = xtry + (max - xtry + 1) / 2;
+			INSIST(xtry <= max);
+			if (xtry == last)
+				break;
+			last = min;
+		} else {
+			if (xtry == min)
+				break;
+			max = xtry;
+			xtry = xtry - (xtry - min + 1) / 2;
+			INSIST(xtry >= min);
+			if (xtry == last)
+				break;
+			last = max;
+		}
+	}
+	return (NULL);
+}
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	isc_result_t result;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET)
+				el->flags |= DNS_PL_INET;
+			else
+				el->flags |= DNS_PL_INET6;
+			result = ISC_R_SUCCESS;
+			goto unlock;
+		}
+	}
+
+	if (portlist->allocated <= portlist->active) {
+		unsigned int allocated;
+		allocated = portlist->allocated + DNS_PL_ALLOCATE;
+		el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
+		if (el == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto unlock;
+		}
+		if (portlist->list != NULL) {
+			memmove(el, portlist->list,
+				portlist->allocated * sizeof(*el));
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated * sizeof(*el));
+		}
+		portlist->list = el;
+		portlist->allocated = allocated;
+	}
+	portlist->list[portlist->active].port = port;
+	if (af == AF_INET)
+		portlist->list[portlist->active].flags = DNS_PL_INET;
+	else
+		portlist->list[portlist->active].flags = DNS_PL_INET6;
+	portlist->active++;
+	qsort(portlist->list, portlist->active, sizeof(*el), compare);
+	result = ISC_R_SUCCESS;
+ unlock:
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET)
+				el->flags &= ~DNS_PL_INET;
+			else
+				el->flags &= ~DNS_PL_INET6;
+			if (el->flags == 0) {
+				*el = portlist->list[portlist->active];
+				portlist->active--;
+				qsort(portlist->list, portlist->active,
+				      sizeof(*el), compare);
+			}
+		}
+	}
+	UNLOCK(&portlist->lock);
+}
+
+bool
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
+	dns_element_t *el;
+	bool result = false;
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(af == AF_INET || af == AF_INET6);
+	LOCK(&portlist->lock);
+	if (portlist->active != 0) {
+		el = find_port(portlist->list, portlist->active, port);
+		if (el != NULL) {
+			if (af == AF_INET && (el->flags & DNS_PL_INET) != 0)
+				result = true;
+			if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0)
+				result = true;
+		}
+	}
+	UNLOCK(&portlist->lock);
+	return (result);
+}
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
+
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+	isc_refcount_increment(&portlist->refcount, NULL);
+	*portlistp = portlist;
+}
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp) {
+	dns_portlist_t *portlist;
+	unsigned int count;
+
+	REQUIRE(portlistp != NULL);
+	portlist = *portlistp;
+	REQUIRE(DNS_VALID_PORTLIST(portlist));
+	*portlistp = NULL;
+	isc_refcount_decrement(&portlist->refcount, &count);
+	if (count == 0) {
+		portlist->magic = 0;
+		isc_refcount_destroy(&portlist->refcount);
+		if (portlist->list != NULL)
+			isc_mem_put(portlist->mctx, portlist->list,
+				    portlist->allocated *
+				    sizeof(*portlist->list));
+		DESTROYLOCK(&portlist->lock);
+		isc_mem_putanddetach(&portlist->mctx, portlist,
+				     sizeof(*portlist));
+	}
+}
diff --git a/lib/dns/private.c b/lib/dns/private.c
new file mode 100644
index 0000000..b694f8c
--- /dev/null
+++ b/lib/dns/private.c
@@ -0,0 +1,367 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include "config.h"
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/nsec3.h>
+#include <dns/private.h>
+
+/*
+ * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
+ * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
+ *
+ * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
+ * if all the NSEC3PARAM records (and associated chains) are slated for
+ * destruction and we have not been told to NOT build the NSEC chain.
+ *
+ * If the NSEC set exist then check to see if there is a request to create
+ * a NSEC3 chain.
+ *
+ * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
+ * type exists then we need to examine it to determine if NSEC3 chain has
+ * been requested to be built otherwise a NSEC chain needs to be built.
+ */
+
+#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
+#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
+
+#define CHECK(x) do {					\
+			 result = (x);			\
+			 if (result != ISC_R_SUCCESS)	\
+				goto failure;		\
+		 } while (0)
+
+/*
+ * Work out if 'param' should be ignored or not (i.e. it is in the process
+ * of being removed).
+ *
+ * Note: we 'belt-and-braces' here by also checking for a CREATE private
+ * record and keep the param record in this case.
+ */
+
+static bool
+ignore(dns_rdata_t *param, dns_rdataset_t *privateset) {
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(privateset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(privateset)) {
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t private = DNS_RDATA_INIT;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		/*
+		 * We are going to create a new NSEC3 chain so it
+		 * doesn't matter if we are removing this one.
+		 */
+		if (CREATE(rdata.data[1]))
+			return (false);
+		if (rdata.data[0] != param->data[0] ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+			continue;
+		/*
+		 * The removal of this NSEC3 chain does NOT cause a
+		 * NSEC chain to be created so we don't need to tell
+		 * the caller that it will be removed.
+		 */
+		if (NONSEC(rdata.data[1]))
+			return (false);
+		return (true);
+	}
+	return (false);
+}
+
+isc_result_t
+dns_private_chains(dns_db_t *db, dns_dbversion_t *ver,
+		   dns_rdatatype_t privatetype,
+		   bool *build_nsec, bool *build_nsec3)
+{
+	dns_dbnode_t *node;
+	dns_rdataset_t nsecset, nsec3paramset, privateset;
+	bool nsec3chain;
+	bool signing;
+	isc_result_t result;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	unsigned int count;
+
+	node = NULL;
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&nsec3paramset);
+	dns_rdataset_init(&privateset);
+
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, (isc_stdtime_t) 0, &nsecset, NULL);
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, (isc_stdtime_t) 0, &nsec3paramset,
+				     NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	if (dns_rdataset_isassociated(&nsecset) &&
+	    dns_rdataset_isassociated(&nsec3paramset)) {
+		if (build_nsec != NULL)
+			*build_nsec = true;
+		if (build_nsec3 != NULL)
+			*build_nsec3 = true;
+		goto success;
+	}
+
+	if (privatetype != (dns_rdatatype_t)0) {
+		result = dns_db_findrdataset(db, node, ver, privatetype,
+					     0, (isc_stdtime_t) 0,
+					     &privateset, NULL);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+			goto failure;
+	}
+
+	/*
+	 * Look to see if we also need to be creating a NSEC3 chain.
+	 */
+	if (dns_rdataset_isassociated(&nsecset)) {
+		if (build_nsec != NULL)
+			*build_nsec = true;
+		if (build_nsec3 != NULL)
+			*build_nsec3 = false;
+		if (!dns_rdataset_isassociated(&privateset))
+			goto success;
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset)) {
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata,
+							buf, sizeof(buf)))
+				continue;
+			if (REMOVE(rdata.data[1]))
+				continue;
+			if (build_nsec3 != NULL)
+				*build_nsec3 = true;
+			break;
+		}
+		goto success;
+	}
+
+	if (dns_rdataset_isassociated(&nsec3paramset)) {
+		if (build_nsec3 != NULL)
+			*build_nsec3 = true;
+		if (build_nsec != NULL)
+			*build_nsec = false;
+		if (!dns_rdataset_isassociated(&privateset))
+			goto success;
+		/*
+		 * If we are in the process of building a new NSEC3 chain
+		 * then we don't need to build a NSEC chain.
+		 */
+		for (result = dns_rdataset_first(&privateset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&privateset)) {
+			dns_rdata_t private = DNS_RDATA_INIT;
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			dns_rdataset_current(&privateset, &private);
+			if (!dns_nsec3param_fromprivate(&private, &rdata,
+							buf, sizeof(buf)))
+				continue;
+			if (CREATE(rdata.data[1]))
+				goto success;
+		}
+
+		/*
+		 * Check to see if there will be a active NSEC3CHAIN once
+		 * the changes queued complete.
+		 */
+		count = 0;
+		for (result = dns_rdataset_first(&nsec3paramset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&nsec3paramset)) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+
+			/*
+			 * If there is more that one NSEC3 chain present then
+			 * we don't need to construct a NSEC chain.
+			 */
+			if (++count > 1)
+				goto success;
+			dns_rdataset_current(&nsec3paramset, &rdata);
+			if (ignore(&rdata, &privateset))
+				continue;
+			/*
+			 * We still have a good NSEC3 chain or we are
+			 * not creating a NSEC chain as NONSEC is set.
+			 */
+			goto success;
+		}
+
+		/*
+		 * The last NSEC3 chain is being removed and does not have
+		 * have NONSEC set.
+		 */
+		if (build_nsec != NULL)
+			*build_nsec = true;
+		goto success;
+	}
+
+	if (build_nsec != NULL)
+		*build_nsec = false;
+	if (build_nsec3 != NULL)
+		*build_nsec3 = false;
+	if (!dns_rdataset_isassociated(&privateset))
+		goto success;
+
+	signing = false;
+	nsec3chain = false;
+
+	for (result = dns_rdataset_first(&privateset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&privateset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&privateset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf))) {
+			/*
+			 * Look for record that says we are signing the
+			 * zone with a key.
+			 */
+			if (private.length == 5 && private.data[0] != 0 &&
+			    private.data[3] == 0 && private.data[4] == 0)
+				signing = true;
+		} else {
+			if (CREATE(rdata.data[1]))
+				nsec3chain = true;
+		}
+	}
+
+	if (signing) {
+		if (nsec3chain) {
+			if (build_nsec3 != NULL)
+				*build_nsec3 = true;
+		} else {
+			if (build_nsec != NULL)
+				*build_nsec = true;
+		}
+	}
+
+ success:
+	result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&nsecset))
+		dns_rdataset_disassociate(&nsecset);
+	if (dns_rdataset_isassociated(&nsec3paramset))
+		dns_rdataset_disassociate(&nsec3paramset);
+	if (dns_rdataset_isassociated(&privateset))
+		dns_rdataset_disassociate(&privateset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
+	isc_result_t result;
+
+	if (private->length < 5)
+		return (ISC_R_NOTFOUND);
+
+	if (private->data[0] == 0) {
+		unsigned char nsec3buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_nsec3param_t nsec3param;
+		bool del, init, nonsec;
+		isc_buffer_t b;
+
+		if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
+						sizeof(nsec3buf)))
+			CHECK(ISC_R_FAILURE);
+
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		del = (nsec3param.flags & DNS_NSEC3FLAG_REMOVE);
+		init = (nsec3param.flags & DNS_NSEC3FLAG_INITIAL);
+		nonsec = (nsec3param.flags & DNS_NSEC3FLAG_NONSEC);
+
+		nsec3param.flags &= ~(DNS_NSEC3FLAG_CREATE|
+				      DNS_NSEC3FLAG_REMOVE|
+				      DNS_NSEC3FLAG_INITIAL|
+				      DNS_NSEC3FLAG_NONSEC);
+
+		if (init)
+			isc_buffer_putstr(buf, "Pending NSEC3 chain ");
+		else if (del)
+			isc_buffer_putstr(buf, "Removing NSEC3 chain ");
+		else
+			isc_buffer_putstr(buf, "Creating NSEC3 chain ");
+
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&b, newbuf, sizeof(newbuf));
+		CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
+					   dns_rdatatype_nsec3param,
+					   &nsec3param, &b));
+
+		CHECK(dns_rdata_totext(&rdata, NULL, buf));
+
+		if (del && !nonsec)
+			isc_buffer_putstr(buf, " / creating NSEC chain");
+	} else if (private->length == 5) {
+		unsigned char alg = private->data[0];
+		dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
+		char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
+		bool del = (private->data[3] != 0);
+		bool complete = (private->data[4] != 0);
+
+		if (del && complete)
+			isc_buffer_putstr(buf, "Done removing signatures for ");
+		else if (del)
+			isc_buffer_putstr(buf, "Removing signatures for ");
+		else if (complete)
+			isc_buffer_putstr(buf, "Done signing with ");
+		else
+			isc_buffer_putstr(buf, "Signing with ");
+
+		dns_secalg_format(alg, algbuf, sizeof(algbuf));
+		snprintf(keybuf, sizeof(keybuf), "key %d/%s", keyid, algbuf);
+		isc_buffer_putstr(buf, keybuf);
+	} else
+		return (ISC_R_NOTFOUND);
+
+	isc_buffer_putuint8(buf, 0);
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
new file mode 100644
index 0000000..62d0826
--- /dev/null
+++ b/lib/dns/rbt.c
@@ -0,0 +1,3672 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <sys/stat.h>
+#include <inttypes.h> /* uintptr_t */
+#include <stdbool.h>
+
+#include <isc/crc64.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*%
+ * This define is so dns/name.h (included by dns/fixedname.h) uses more
+ * efficient macro calls instead of functions for a few operations.
+ */
+#define DNS_NAME_USEINLINE 1
+
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/version.h>
+
+#include <unistd.h>
+
+#define CHECK(x) \
+	do { \
+		result = (x); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
+#define RBT_MAGIC               ISC_MAGIC('R', 'B', 'T', '+')
+#define VALID_RBT(rbt)          ISC_MAGIC_VALID(rbt, RBT_MAGIC)
+
+/*
+ * XXXDCL Since parent pointers were added in again, I could remove all of the
+ * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
+ * _lastnode.  This would involve pretty major change to the API.
+ */
+#define CHAIN_MAGIC             ISC_MAGIC('0', '-', '0', '-')
+#define VALID_CHAIN(chain)      ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
+
+#define RBT_HASH_SIZE           64
+
+#ifdef RBT_MEM_TEST
+#undef RBT_HASH_SIZE
+#define RBT_HASH_SIZE 2 /*%< To give the reallocation code a workout. */
+#endif
+
+struct dns_rbt {
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	dns_rbtnode_t *		root;
+	void			(*data_deleter)(void *, void *);
+	void *			deleter_arg;
+	unsigned int		nodecount;
+	size_t			hashsize;
+	dns_rbtnode_t **	hashtable;
+	void *			mmap_location;
+};
+
+#define RED 0
+#define BLACK 1
+
+/*
+ * This is the header for map-format RBT images.  It is populated,
+ * and then written, as the LAST thing done to the file before returning.
+ * Writing this last (with zeros in the header area initially) will ensure
+ * that the header is only valid when the RBT image is also valid.
+ */
+typedef struct file_header file_header_t;
+
+/* Pad to 32 bytes */
+static char FILE_VERSION[32] = "\0";
+
+/* Header length, always the same size regardless of structure size */
+#define HEADER_LENGTH		1024
+
+struct file_header {
+	char version1[32];
+	uint64_t first_node_offset;	/* usually 1024 */
+	/*
+	 * information about the system on which the map file was generated
+	 * will be used to tell if we can load the map file or not
+	 */
+	uint32_t ptrsize;
+	unsigned int bigendian:1;	/* big or little endian system */
+	unsigned int rdataset_fixed:1;	/* compiled with --enable-rrset-fixed */
+	unsigned int nodecount;		/* shadow from rbt structure */
+	uint64_t crc;
+	char version2[32];  		/* repeated; must match version1 */
+};
+
+/*
+ * The following declarations are for the serialization of an RBT:
+ *
+ * step one: write out a zeroed header of 1024 bytes
+ * step two: walk the tree in a depth-first, left-right-down order, writing
+ * out the nodes, reserving space as we go, correcting addresses to point
+ * at the proper offset in the file, and setting a flag for each pointer to
+ * indicate that it is a reference to a location in the file, rather than in
+ * memory.
+ * step three: write out the header, adding the information that will be
+ * needed to re-create the tree object itself.
+ *
+ * The RBTDB object will do this three times, once for each of the three
+ * RBT objects it contains.
+ *
+ * Note: 'file' must point an actual open file that can be mmapped
+ * and fseeked, not to a pipe or stream
+ */
+
+static isc_result_t
+dns_rbt_zero_header(FILE *file);
+
+static isc_result_t
+write_header(FILE *file, dns_rbt_t *rbt, uint64_t first_node_offset,
+	     uint64_t crc);
+
+static bool
+match_header_version(file_header_t *header);
+
+static isc_result_t
+serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left,
+	       uintptr_t right, uintptr_t down, uintptr_t parent,
+	       uintptr_t data, uint64_t *crc);
+
+static isc_result_t
+serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+		dns_rbtdatawriter_t datawriter, void *writer_arg,
+		uintptr_t *where, uint64_t *crc);
+/*
+ * The following functions allow you to get the actual address of a pointer
+ * without having to use an if statement to check to see if that address is
+ * relative or not
+ */
+static inline dns_rbtnode_t *
+getparent(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->parent);
+	adjusted_address += node->parent_is_relative * (uintptr_t)header;
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static inline dns_rbtnode_t *
+getleft(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->left);
+	adjusted_address += node->left_is_relative * (uintptr_t)header;
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static inline dns_rbtnode_t *
+getright(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->right);
+	adjusted_address += node->right_is_relative * (uintptr_t)header;
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static inline dns_rbtnode_t *
+getdown(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->down);
+	adjusted_address += node->down_is_relative * (uintptr_t)header;
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+static inline dns_rbtnode_t *
+getdata(dns_rbtnode_t *node, file_header_t *header) {
+	char *adjusted_address = (char *)(node->data);
+	adjusted_address += node->data_is_relative * (uintptr_t)header;
+
+	return ((dns_rbtnode_t *)adjusted_address);
+}
+
+/*%
+ * Elements of the rbtnode structure.
+ */
+#define PARENT(node)            ((node)->parent)
+#define LEFT(node)              ((node)->left)
+#define RIGHT(node)             ((node)->right)
+#define DOWN(node)              ((node)->down)
+#ifdef DNS_RBT_USEHASH
+#define UPPERNODE(node)         ((node)->uppernode)
+#endif /* DNS_RBT_USEHASH */
+#define DATA(node)              ((node)->data)
+#define IS_EMPTY(node)          ((node)->data == NULL)
+#define HASHNEXT(node)          ((node)->hashnext)
+#define HASHVAL(node)           ((node)->hashval)
+#define COLOR(node)             ((node)->color)
+#define NAMELEN(node)           ((node)->namelen)
+#define OLDNAMELEN(node)        ((node)->oldnamelen)
+#define OFFSETLEN(node)         ((node)->offsetlen)
+#define ATTRS(node)             ((node)->attributes)
+#define IS_ROOT(node)           ((node)->is_root == 1)
+#define FINDCALLBACK(node)      ((node)->find_callback == 1)
+
+/*%
+ * Structure elements from the rbtdb.c, not
+ * used as part of the rbt.c algorithms.
+ */
+#define DIRTY(node)     ((node)->dirty)
+#define WILD(node)      ((node)->wild)
+#define LOCKNUM(node)   ((node)->locknum)
+
+/*%
+ * The variable length stuff stored after the node has the following
+ * structure.
+ *
+ *	&lt;name_data&gt;{1..255}&lt;oldoffsetlen&gt;{1}&lt;offsets&gt;{1..128}
+ *
+ * &lt;name_data&gt; contains the name of the node when it was created.
+ * &lt;oldoffsetlen&gt; contains the length of &lt;offsets&gt; when the node was created.
+ * &lt;offsets&gt; contains the offets into name for each label when the node was
+ * created.
+ */
+
+#define NAME(node)      ((unsigned char *)((node) + 1))
+#define OFFSETS(node)   (NAME(node) + OLDNAMELEN(node) + 1)
+#define OLDOFFSETLEN(node) (OFFSETS(node)[-1])
+
+#define NODE_SIZE(node) (sizeof(*node) + \
+			 OLDNAMELEN(node) + OLDOFFSETLEN(node) + 1)
+
+/*%
+ * Color management.
+ */
+#define IS_RED(node)            ((node) != NULL && (node)->color == RED)
+#define IS_BLACK(node)          ((node) == NULL || (node)->color == BLACK)
+#define MAKE_RED(node)          ((node)->color = RED)
+#define MAKE_BLACK(node)        ((node)->color = BLACK)
+
+/*%
+ * Chain management.
+ *
+ * The "ancestors" member of chains were removed, with their job now
+ * being wholly handled by parent pointers (which didn't exist, because
+ * of memory concerns, when chains were first implemented).
+ */
+#define ADD_LEVEL(chain, node) \
+	do { \
+		INSIST((chain)->level_count < DNS_RBT_LEVELBLOCK); \
+		(chain)->levels[(chain)->level_count++] = (node); \
+	} while (0)
+
+/*%
+ * The following macros directly access normally private name variables.
+ * These macros are used to avoid a lot of function calls in the critical
+ * path of the tree traversal code.
+ */
+
+static inline void
+NODENAME(dns_rbtnode_t *node, dns_name_t *name) {
+	name->length = NAMELEN(node);
+	name->labels = OFFSETLEN(node);
+	name->ndata = NAME(node);
+	name->offsets = OFFSETS(node);
+	name->attributes = ATTRS(node);
+	name->attributes |= DNS_NAMEATTR_READONLY;
+}
+
+void
+dns_rbtnode_nodename(dns_rbtnode_t *node, dns_name_t *name) {
+	name->length = NAMELEN(node);
+	name->labels = OFFSETLEN(node);
+	name->ndata = NAME(node);
+	name->offsets = OFFSETS(node);
+	name->attributes = ATTRS(node);
+	name->attributes |= DNS_NAMEATTR_READONLY;
+}
+
+dns_rbtnode_t *
+dns_rbt_root(dns_rbt_t *rbt) {
+  return rbt->root;
+}
+
+#ifdef DNS_RBT_USEHASH
+static isc_result_t
+inithash(dns_rbt_t *rbt);
+#endif
+
+#ifdef DEBUG
+#define inline
+/*
+ * A little something to help out in GDB.
+ */
+dns_name_t Name(dns_rbtnode_t *node);
+dns_name_t
+Name(dns_rbtnode_t *node) {
+	dns_name_t name;
+
+	dns_name_init(&name, NULL);
+	if (node != NULL)
+		NODENAME(node, &name);
+
+	return (name);
+}
+
+static void
+hexdump(const char *desc, unsigned char *data, size_t size) {
+	char hexdump[BUFSIZ * 2 + 1];
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	size_t bytes;
+
+	fprintf(stderr, "%s: ", desc);
+	do {
+		isc_buffer_init(&b, hexdump, sizeof(hexdump));
+		r.base = data;
+		r.length = bytes = (size > BUFSIZ) ? BUFSIZ : size;
+		result = isc_hex_totext(&r, 0, "", &b);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		isc_buffer_putuint8(&b, 0);
+		fprintf(stderr, "%s", hexdump);
+		data += bytes;
+		size -= bytes;
+	} while (size > 0);
+	fprintf(stderr, "\n");
+}
+#endif /* DEBUG */
+
+#ifdef DNS_RBT_USEHASH
+
+/*
+ * Upper node is the parent of the root of the passed node's
+ * subtree. The passed node must not be NULL.
+ */
+static inline dns_rbtnode_t *
+get_upper_node(dns_rbtnode_t *node) {
+	return (UPPERNODE(node));
+}
+
+static void
+fixup_uppernodes_helper(dns_rbtnode_t *node, dns_rbtnode_t *uppernode) {
+	if (node == NULL)
+		return;
+
+	UPPERNODE(node) = uppernode;
+
+	fixup_uppernodes_helper(LEFT(node), uppernode);
+	fixup_uppernodes_helper(RIGHT(node), uppernode);
+	fixup_uppernodes_helper(DOWN(node), node);
+}
+
+/*
+ * This function is used to fixup uppernode members of all dns_rbtnodes
+ * after deserialization.
+ */
+static void
+fixup_uppernodes(dns_rbt_t *rbt) {
+	fixup_uppernodes_helper(rbt->root, NULL);
+}
+
+#else
+
+/* The passed node must not be NULL. */
+static inline dns_rbtnode_t *
+get_subtree_root(dns_rbtnode_t *node) {
+	while (!IS_ROOT(node)) {
+		node = PARENT(node);
+	}
+
+	return (node);
+}
+
+/* Upper node is the parent of the root of the passed node's
+ * subtree. The passed node must not be NULL.
+ */
+static inline dns_rbtnode_t *
+get_upper_node(dns_rbtnode_t *node) {
+	dns_rbtnode_t *root = get_subtree_root(node);
+
+	/*
+	 * Return the node in the level above the argument node that points
+	 * to the level the argument node is in.  If the argument node is in
+	 * the top level, the return value is NULL.
+	 */
+	return (PARENT(root));
+}
+
+#endif /* DNS_RBT_USEHASH */
+
+size_t
+dns__rbtnode_getdistance(dns_rbtnode_t *node) {
+	size_t nodes = 1;
+
+	while (node != NULL) {
+		if (IS_ROOT(node))
+			break;
+		nodes++;
+		node = PARENT(node);
+	}
+
+	return (nodes);
+}
+
+/*
+ * Forward declarations.
+ */
+static isc_result_t
+create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
+
+#ifdef DNS_RBT_USEHASH
+static inline void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name);
+static inline void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
+static void
+rehash(dns_rbt_t *rbt, unsigned int newcount);
+#else
+#define hash_node(rbt, node, name)
+#define unhash_node(rbt, node)
+#define rehash(rbt, newcount)
+#endif
+
+static inline void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+static inline void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+
+static void
+addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+	   dns_rbtnode_t **rootp);
+
+static void
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp);
+
+static isc_result_t
+treefix(dns_rbt_t *rbt, void *base, size_t size,
+	dns_rbtnode_t *n, dns_name_t *name,
+	dns_rbtdatafixer_t datafixer, void *fixer_arg,
+	uint64_t *crc);
+
+static void
+deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, bool unhash,
+	       dns_rbtnode_t **nodep);
+
+static void
+printnodename(dns_rbtnode_t *node, bool quoted, FILE *f);
+
+static void
+freenode(dns_rbt_t *rbt, dns_rbtnode_t **nodep);
+
+static isc_result_t
+dns_rbt_zero_header(FILE *file) {
+	/*
+	 * Write out a zeroed header as a placeholder.  Doing this ensures
+	 * that the file will not read while it is partially written, should
+	 * writing fail or be interrupted.
+	 */
+	char buffer[HEADER_LENGTH];
+	isc_result_t result;
+
+	memset(buffer, 0, HEADER_LENGTH);
+	result = isc_stdio_write(buffer, 1, HEADER_LENGTH, file, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = fflush(file);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_file_version(void) {
+	int n;
+
+	memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
+	n = snprintf(FILE_VERSION, sizeof(FILE_VERSION),
+		 "RBT Image %s %s", dns_major, dns_mapapi);
+	INSIST(n > 0 && (unsigned int)n < sizeof(FILE_VERSION));
+}
+
+/*
+ * Write out the real header, including NodeDump version information
+ * and the offset of the first node.
+ *
+ * Any information stored in the rbt object itself should be stored
+ * here.
+ */
+static isc_result_t
+write_header(FILE *file, dns_rbt_t *rbt, uint64_t first_node_offset,
+	     uint64_t crc)
+{
+	file_header_t header;
+	isc_result_t result;
+	off_t location;
+
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	memset(&header, 0, sizeof(file_header_t));
+	memmove(header.version1, FILE_VERSION, sizeof(header.version1));
+	memmove(header.version2, FILE_VERSION, sizeof(header.version2));
+	header.first_node_offset = first_node_offset;
+	header.ptrsize = (uint32_t) sizeof(void *);
+	header.bigendian = (1 == htonl(1)) ? 1 : 0;
+
+#ifdef DNS_RDATASET_FIXED
+	header.rdataset_fixed = 1;
+#else
+	header.rdataset_fixed = 0;
+#endif
+
+	header.nodecount = rbt->nodecount;
+
+	header.crc = crc;
+
+	CHECK(isc_stdio_tell(file, &location));
+	location = dns_rbt_serialize_align(location);
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+	CHECK(isc_stdio_write(&header, 1, sizeof(file_header_t), file, NULL));
+	CHECK(fflush(file));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+
+ cleanup:
+	return (result);
+}
+
+static bool
+match_header_version(file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION,
+		   sizeof(header->version1)) != 0 ||
+	    memcmp(header->version2, FILE_VERSION,
+		   sizeof(header->version1)) != 0)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left,
+	       uintptr_t right, uintptr_t down, uintptr_t parent,
+	       uintptr_t data, uint64_t *crc)
+{
+	dns_rbtnode_t temp_node;
+	off_t file_position;
+	unsigned char *node_data;
+	size_t datasize;
+	isc_result_t result;
+#ifdef DEBUG
+	dns_name_t nodename;
+#endif
+
+	INSIST(node != NULL);
+
+	CHECK(isc_stdio_tell(file, &file_position));
+	file_position = dns_rbt_serialize_align(file_position);
+	CHECK(isc_stdio_seek(file, file_position, SEEK_SET));
+
+	temp_node = *node;
+	temp_node.down_is_relative = 0;
+	temp_node.left_is_relative = 0;
+	temp_node.right_is_relative = 0;
+	temp_node.parent_is_relative = 0;
+	temp_node.data_is_relative = 0;
+	temp_node.is_mmapped = 1;
+
+	/*
+	 * If the next node is not NULL, calculate the next node's location
+	 * in the file.  Note that this will have to change when the data
+	 * structure changes, and it also assumes that we always write the
+	 * nodes out in list order (which we currently do.)
+	*/
+	if (temp_node.parent != NULL) {
+		temp_node.parent = (dns_rbtnode_t *)(parent);
+		temp_node.parent_is_relative = 1;
+	}
+	if (temp_node.left != NULL) {
+		temp_node.left = (dns_rbtnode_t *)(left);
+		temp_node.left_is_relative = 1;
+	}
+	if (temp_node.right != NULL) {
+		temp_node.right = (dns_rbtnode_t *)(right);
+		temp_node.right_is_relative = 1;
+	}
+	if (temp_node.down != NULL) {
+		temp_node.down = (dns_rbtnode_t *)(down);
+		temp_node.down_is_relative = 1;
+	}
+	if (temp_node.data != NULL) {
+		temp_node.data = (dns_rbtnode_t *)(data);
+		temp_node.data_is_relative = 1;
+	}
+
+	node_data = (unsigned char *) node + sizeof(dns_rbtnode_t);
+	datasize = NODE_SIZE(node) - sizeof(dns_rbtnode_t);
+
+	CHECK(isc_stdio_write(&temp_node, 1, sizeof(dns_rbtnode_t),
+			      file, NULL));
+	CHECK(isc_stdio_write(node_data, 1, datasize, file, NULL));
+
+#ifdef DEBUG
+	dns_name_init(&nodename, NULL);
+	NODENAME(node, &nodename);
+	fprintf(stderr, "serialize ");
+	dns_name_print(&nodename, stderr);
+	fprintf(stderr, "\n");
+	hexdump("node header", (unsigned char*) &temp_node,
+		sizeof(dns_rbtnode_t));
+	hexdump("node data", node_data, datasize);
+#endif
+
+	isc_crc64_update(crc, (const uint8_t *) &temp_node,
+			 sizeof(dns_rbtnode_t));
+	isc_crc64_update(crc, (const uint8_t *) node_data, datasize);
+
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+serialize_nodes(FILE *file, dns_rbtnode_t *node, uintptr_t parent,
+		dns_rbtdatawriter_t datawriter, void *writer_arg,
+		uintptr_t *where, uint64_t *crc)
+{
+	uintptr_t left = 0, right = 0, down = 0, data = 0;
+	off_t location = 0, offset_adjust;
+	isc_result_t result;
+
+	if (node == NULL) {
+		if (where != NULL)
+			*where = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Reserve space for current node. */
+	CHECK(isc_stdio_tell(file, &location));
+	location = dns_rbt_serialize_align(location);
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+
+	offset_adjust = dns_rbt_serialize_align(location + NODE_SIZE(node));
+	CHECK(isc_stdio_seek(file, offset_adjust, SEEK_SET));
+
+	/*
+	 * Serialize the rest of the tree.
+	 *
+	 * WARNING: A change in the order (from left, right, down)
+	 * will break the way the crc hash is computed.
+	 */
+	CHECK(serialize_nodes(file, getleft(node, NULL), location,
+			      datawriter, writer_arg, &left, crc));
+	CHECK(serialize_nodes(file, getright(node, NULL), location,
+			      datawriter, writer_arg, &right, crc));
+	CHECK(serialize_nodes(file, getdown(node, NULL), location,
+			      datawriter, writer_arg, &down, crc));
+
+	if (node->data != NULL) {
+		off_t ret;
+
+		CHECK(isc_stdio_tell(file, &ret));
+		ret = dns_rbt_serialize_align(ret);
+		CHECK(isc_stdio_seek(file, ret, SEEK_SET));
+		data = ret;
+
+		datawriter(file, node->data, writer_arg, crc);
+	}
+
+	/* Seek back to reserved space. */
+	CHECK(isc_stdio_seek(file, location, SEEK_SET));
+
+	/* Serialize the current node. */
+	CHECK(serialize_node(file, node, left, right, down, parent, data, crc));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+
+	if (where != NULL)
+		*where = (uintptr_t) location;
+
+ cleanup:
+	return (result);
+}
+
+off_t
+dns_rbt_serialize_align(off_t target) {
+	off_t offset = target % 8;
+
+	if (offset == 0)
+		return (target);
+	else
+		return (target + 8 - offset);
+}
+
+isc_result_t
+dns_rbt_serialize_tree(FILE *file, dns_rbt_t *rbt,
+		       dns_rbtdatawriter_t datawriter,
+		       void *writer_arg, off_t *offset)
+{
+	isc_result_t result;
+	off_t header_position, node_position, end_position;
+	uint64_t crc;
+
+	REQUIRE(file != NULL);
+
+	CHECK(isc_file_isplainfilefd(fileno(file)));
+
+	isc_crc64_init(&crc);
+
+	CHECK(isc_stdio_tell(file, &header_position));
+
+	/* Write dummy header */
+	CHECK(dns_rbt_zero_header(file));
+
+	/* Serialize nodes */
+	CHECK(isc_stdio_tell(file, &node_position));
+	CHECK(serialize_nodes(file, rbt->root, 0, datawriter,
+			      writer_arg, NULL, &crc));
+
+	CHECK(isc_stdio_tell(file, &end_position));
+	if (node_position == end_position) {
+		CHECK(isc_stdio_seek(file, header_position, SEEK_SET));
+		*offset = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_crc64_final(&crc);
+#ifdef DEBUG
+	hexdump("serializing CRC", (unsigned char *)&crc, sizeof(crc));
+#endif
+
+	/* Serialize header */
+	CHECK(isc_stdio_seek(file, header_position, SEEK_SET));
+	CHECK(write_header(file, rbt, HEADER_LENGTH, crc));
+
+	/* Ensure we are always at the end of the file. */
+	CHECK(isc_stdio_seek(file, 0, SEEK_END));
+	*offset = dns_rbt_serialize_align(header_position);
+
+ cleanup:
+	return (result);
+}
+
+#define CONFIRM(a) do { \
+	if (! (a)) { \
+		result = ISC_R_INVALIDFILE; \
+		goto cleanup; \
+	} \
+} while(0);
+
+static isc_result_t
+treefix(dns_rbt_t *rbt, void *base, size_t filesize, dns_rbtnode_t *n,
+	dns_name_t *name, dns_rbtdatafixer_t datafixer,
+	void *fixer_arg, uint64_t *crc)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_fixedname_t fixed;
+	dns_name_t nodename, *fullname;
+	unsigned char *node_data;
+	dns_rbtnode_t header;
+	size_t datasize, nodemax = filesize - sizeof(dns_rbtnode_t);
+
+	if (n == NULL)
+		return (ISC_R_SUCCESS);
+
+	CONFIRM((void *) n >= base);
+	CONFIRM((char *) n - (char *) base <= (int) nodemax);
+	CONFIRM(DNS_RBTNODE_VALID(n));
+
+	dns_name_init(&nodename, NULL);
+	NODENAME(n, &nodename);
+
+	fullname = &nodename;
+	CONFIRM(dns_name_isvalid(fullname));
+
+	if (!dns_name_isabsolute(&nodename)) {
+		fullname = dns_fixedname_initname(&fixed);
+		CHECK(dns_name_concatenate(&nodename, name, fullname, NULL));
+	}
+
+	/* memorize header contents prior to fixup */
+	memmove(&header, n, sizeof(header));
+
+	if (n->left_is_relative) {
+		CONFIRM(n->left <= (dns_rbtnode_t *) nodemax);
+		n->left = getleft(n, rbt->mmap_location);
+		n->left_is_relative = 0;
+		CONFIRM(DNS_RBTNODE_VALID(n->left));
+	} else
+		CONFIRM(n->left == NULL);
+
+	if (n->right_is_relative) {
+		CONFIRM(n->right <= (dns_rbtnode_t *) nodemax);
+		n->right = getright(n, rbt->mmap_location);
+		n->right_is_relative = 0;
+		CONFIRM(DNS_RBTNODE_VALID(n->right));
+	} else
+		CONFIRM(n->right == NULL);
+
+	if (n->down_is_relative) {
+		CONFIRM(n->down <= (dns_rbtnode_t *) nodemax);
+		n->down = getdown(n, rbt->mmap_location);
+		n->down_is_relative = 0;
+		CONFIRM(n->down > (dns_rbtnode_t *) n);
+		CONFIRM(DNS_RBTNODE_VALID(n->down));
+	} else
+		CONFIRM(n->down == NULL);
+
+	if (n->parent_is_relative) {
+		CONFIRM(n->parent <= (dns_rbtnode_t *) nodemax);
+		n->parent = getparent(n, rbt->mmap_location);
+		n->parent_is_relative = 0;
+		CONFIRM(n->parent < (dns_rbtnode_t *) n);
+		CONFIRM(DNS_RBTNODE_VALID(n->parent));
+	} else
+		CONFIRM(n->parent == NULL);
+
+	if (n->data_is_relative) {
+		CONFIRM(n->data <= (void *) filesize);
+		n->data = getdata(n, rbt->mmap_location);
+		n->data_is_relative = 0;
+		CONFIRM(n->data > (void *) n);
+	} else
+		CONFIRM(n->data == NULL);
+
+	hash_node(rbt, n, fullname);
+
+	/* a change in the order (from left, right, down) will break hashing*/
+	if (n->left != NULL)
+		CHECK(treefix(rbt, base, filesize, n->left, name,
+			      datafixer, fixer_arg, crc));
+	if (n->right != NULL)
+		CHECK(treefix(rbt, base, filesize, n->right, name,
+			      datafixer, fixer_arg, crc));
+	if (n->down != NULL)
+		CHECK(treefix(rbt, base, filesize, n->down, fullname,
+			      datafixer, fixer_arg, crc));
+
+	if (datafixer != NULL && n->data != NULL)
+		CHECK(datafixer(n, base, filesize, fixer_arg, crc));
+
+	rbt->nodecount++;
+	node_data = (unsigned char *) n + sizeof(dns_rbtnode_t);
+	datasize = NODE_SIZE(n) - sizeof(dns_rbtnode_t);
+
+#ifdef DEBUG
+	fprintf(stderr, "deserialize ");
+	dns_name_print(&nodename, stderr);
+	fprintf(stderr, "\n");
+	hexdump("node header", (unsigned char *) &header,
+		sizeof(dns_rbtnode_t));
+	hexdump("node data", node_data, datasize);
+#endif
+	isc_crc64_update(crc, (const uint8_t *) &header,
+			sizeof(dns_rbtnode_t));
+	isc_crc64_update(crc, (const uint8_t *) node_data,
+			datasize);
+
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+dns_rbt_deserialize_tree(void *base_address, size_t filesize,
+			 off_t header_offset, isc_mem_t *mctx,
+			 dns_rbtdeleter_t deleter, void *deleter_arg,
+			 dns_rbtdatafixer_t datafixer, void *fixer_arg,
+			 dns_rbtnode_t **originp, dns_rbt_t **rbtp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	file_header_t *header;
+	dns_rbt_t *rbt = NULL;
+	uint64_t crc;
+	unsigned int host_big_endian;
+
+	REQUIRE(originp == NULL || *originp == NULL);
+	REQUIRE(rbtp != NULL && *rbtp == NULL);
+
+	isc_crc64_init(&crc);
+
+	CHECK(dns_rbt_create(mctx, deleter, deleter_arg, &rbt));
+
+	rbt->mmap_location = base_address;
+
+	header = (file_header_t *)((char *)base_address + header_offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+#ifdef DNS_RDATASET_FIXED
+	if (header->rdataset_fixed != 1) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+#else
+	if (header->rdataset_fixed != 0) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+#endif
+
+	if (header->ptrsize != (uint32_t) sizeof(void *)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	host_big_endian = (1 == htonl(1));
+	if (header->bigendian != host_big_endian) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	/* Copy other data items from the header into our rbt. */
+	rbt->root = (dns_rbtnode_t *)((char *)base_address +
+				header_offset + header->first_node_offset);
+
+	if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+	rehash(rbt, header->nodecount);
+
+	CHECK(treefix(rbt, base_address, filesize, rbt->root,
+		      dns_rootname, datafixer, fixer_arg, &crc));
+
+	isc_crc64_final(&crc);
+#ifdef DEBUG
+	hexdump("deserializing CRC", (unsigned char *)&crc, sizeof(crc));
+#endif
+
+	/* Check file hash */
+	if (header->crc != crc) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	if (header->nodecount != rbt->nodecount) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+#ifdef DNS_RBT_USEHASH
+	fixup_uppernodes(rbt);
+#endif /* DNS_RBT_USEHASH */
+
+	*rbtp = rbt;
+	if (originp != NULL)
+		*originp = rbt->root;
+
+ cleanup:
+	if (result != ISC_R_SUCCESS && rbt != NULL) {
+		rbt->root = NULL;
+		rbt->nodecount = 0;
+		dns_rbt_destroy(&rbt);
+	}
+
+	return (result);
+}
+
+/*
+ * Initialize a red/black tree of trees.
+ */
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, dns_rbtdeleter_t deleter,
+	       void *deleter_arg, dns_rbt_t **rbtp)
+{
+#ifdef DNS_RBT_USEHASH
+	isc_result_t result;
+#endif
+	dns_rbt_t *rbt;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rbtp != NULL && *rbtp == NULL);
+	REQUIRE(deleter == NULL ? deleter_arg == NULL : 1);
+
+	rbt = (dns_rbt_t *)isc_mem_get(mctx, sizeof(*rbt));
+	if (rbt == NULL)
+		return (ISC_R_NOMEMORY);
+
+	rbt->mctx = NULL;
+	isc_mem_attach(mctx, &rbt->mctx);
+	rbt->data_deleter = deleter;
+	rbt->deleter_arg = deleter_arg;
+	rbt->root = NULL;
+	rbt->nodecount = 0;
+	rbt->hashtable = NULL;
+	rbt->hashsize = 0;
+	rbt->mmap_location = NULL;
+
+#ifdef DNS_RBT_USEHASH
+	result = inithash(rbt);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
+		return (result);
+	}
+#endif
+
+	rbt->magic = RBT_MAGIC;
+
+	*rbtp = rbt;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Deallocate a red/black tree of trees.
+ */
+void
+dns_rbt_destroy(dns_rbt_t **rbtp) {
+	RUNTIME_CHECK(dns_rbt_destroy2(rbtp, 0) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
+	dns_rbt_t *rbt;
+
+	REQUIRE(rbtp != NULL && VALID_RBT(*rbtp));
+
+	rbt = *rbtp;
+
+	deletetreeflat(rbt, quantum, false, &rbt->root);
+	if (rbt->root != NULL)
+		return (ISC_R_QUOTA);
+
+	INSIST(rbt->nodecount == 0);
+
+	rbt->mmap_location = NULL;
+
+	if (rbt->hashtable != NULL)
+		isc_mem_put(rbt->mctx, rbt->hashtable,
+			    rbt->hashsize * sizeof(dns_rbtnode_t *));
+
+	rbt->magic = 0;
+
+	isc_mem_putanddetach(&rbt->mctx, rbt, sizeof(*rbt));
+	*rbtp = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt) {
+
+	REQUIRE(VALID_RBT(rbt));
+
+	return (rbt->nodecount);
+}
+
+size_t
+dns_rbt_hashsize(dns_rbt_t *rbt) {
+
+	REQUIRE(VALID_RBT(rbt));
+
+	return (rbt->hashsize);
+}
+
+static inline isc_result_t
+chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
+	   bool include_chain_end)
+{
+	dns_name_t nodename;
+	isc_result_t result = ISC_R_SUCCESS;
+	int i;
+
+	dns_name_init(&nodename, NULL);
+
+	if (include_chain_end && chain->end != NULL) {
+		NODENAME(chain->end, &nodename);
+		result = dns_name_copy(&nodename, name, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else
+		dns_name_reset(name);
+
+	for (i = (int)chain->level_count - 1; i >= 0; i--) {
+		NODENAME(chain->levels[i], &nodename);
+		result = dns_name_concatenate(name, &nodename, name, NULL);
+
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	return (result);
+}
+
+static inline isc_result_t
+move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
+	do {
+		/*
+		 * Go as far right and then down as much as possible,
+		 * as long as the rightmost node has a down pointer.
+		 */
+		while (RIGHT(node) != NULL)
+			node = RIGHT(node);
+
+		if (DOWN(node) == NULL)
+			break;
+
+		ADD_LEVEL(chain, node);
+		node = DOWN(node);
+	} while (1);
+
+	chain->end = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add 'name' to tree, initializing its data pointer with 'data'.
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
+	/*
+	 * Does this thing have too many variables or what?
+	 */
+	dns_rbtnode_t **root, *parent, *child, *current, *new_current;
+	dns_name_t *add_name, *new_name, current_name, *prefix, *suffix;
+	dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix, fnewname;
+	dns_offsets_t current_offsets;
+	dns_namereln_t compared;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int level_count;
+	unsigned int common_labels;
+	unsigned int nlabels, hlabels;
+	int order;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	/*
+	 * Dear future BIND developer,
+	 *
+	 * After you have tried attempting to optimize this routine by
+	 * using the hashtable and have realized your folly, please
+	 * append another cross ("X") below as a warning to the next
+	 * future BIND developer:
+	 *
+	 * Number of victim developers: X
+	 *
+	 * I wish the past developer had included such a notice.
+	 *
+	 * Long form: Unlike dns_rbt_findnode(), this function does not
+	 * lend itself to be optimized using the hashtable:
+	 *
+	 * 1. In the subtree where the insertion occurs, this function
+	 * needs to have the insertion point and the order where the
+	 * lookup terminated (i.e., at the insertion point where left or
+	 * right child is NULL). This cannot be determined from the
+	 * hashtable, so at least in that subtree, a BST O(log N) lookup
+	 * is necessary.
+	 *
+	 * 2. Our RBT nodes contain not only single labels but label
+	 * sequences to optimize space usage. So at every level, we have
+	 * to look for a match in the hashtable for all superdomains in
+	 * the rest of the name we're searching. This is an O(N)
+	 * operation at least, here N being the label size of name, each
+	 * of which is a hashtable lookup involving dns_name_equal()
+	 * comparisons.
+	 */
+
+	/*
+	 * Create a copy of the name so the original name structure is
+	 * not modified.
+	 */
+	add_name = dns_fixedname_initname(&fixedcopy);
+	dns_name_clone(name, add_name);
+
+	if (ISC_UNLIKELY(rbt->root == NULL)) {
+		result = create_node(rbt->mctx, add_name, &new_current);
+		if (result == ISC_R_SUCCESS) {
+			rbt->nodecount++;
+			new_current->is_root = 1;
+#ifdef DNS_RBT_USEHASH
+			UPPERNODE(new_current) = NULL;
+#endif /* DNS_RBT_USEHASH */
+			rbt->root = new_current;
+			*nodep = new_current;
+			hash_node(rbt, new_current, name);
+		}
+		return (result);
+	}
+
+	level_count = 0;
+
+	prefix = dns_fixedname_initname(&fixedprefix);
+	suffix = dns_fixedname_initname(&fixedsuffix);
+
+	root = &rbt->root;
+	INSIST(IS_ROOT(*root));
+	parent = NULL;
+	current = NULL;
+	child = *root;
+	dns_name_init(&current_name, current_offsets);
+	new_name = dns_fixedname_initname(&fnewname);
+	nlabels = dns_name_countlabels(name);
+	hlabels = 0;
+
+	do {
+		current = child;
+
+		NODENAME(current, &current_name);
+		compared = dns_name_fullcompare(add_name, &current_name,
+						&order, &common_labels);
+
+		if (compared == dns_namereln_equal) {
+			*nodep = current;
+			result = ISC_R_EXISTS;
+			break;
+
+		}
+
+		if (compared == dns_namereln_none) {
+
+			if (order < 0) {
+				parent = current;
+				child = LEFT(current);
+
+			} else if (order > 0) {
+				parent = current;
+				child = RIGHT(current);
+
+			}
+
+		} else {
+			/*
+			 * This name has some suffix in common with the
+			 * name at the current node.  If the name at
+			 * the current node is shorter, that means the
+			 * new name should be in a subtree.  If the
+			 * name at the current node is longer, that means
+			 * the down pointer to this tree should point
+			 * to a new tree that has the common suffix, and
+			 * the non-common parts of these two names should
+			 * start a new tree.
+			 */
+			hlabels += common_labels;
+			if (compared == dns_namereln_subdomain) {
+				/*
+				 * All of the existing labels are in common,
+				 * so the new name is in a subtree.
+				 * Whack off the common labels for the
+				 * not-in-common part to be searched for
+				 * in the next level.
+				 */
+				dns_name_split(add_name, common_labels,
+					       add_name, NULL);
+
+				/*
+				 * Follow the down pointer (possibly NULL).
+				 */
+				root = &DOWN(current);
+
+				INSIST(*root == NULL ||
+				       (IS_ROOT(*root) &&
+					PARENT(*root) == current));
+
+				parent = NULL;
+				child = DOWN(current);
+
+				INSIST(level_count < DNS_RBT_LEVELBLOCK);
+				level_count++;
+			} else {
+				/*
+				 * The number of labels in common is fewer
+				 * than the number of labels at the current
+				 * node, so the current node must be adjusted
+				 * to have just the common suffix, and a down
+				 * pointer made to a new tree.
+				 */
+
+				INSIST(compared == dns_namereln_commonancestor
+				       || compared == dns_namereln_contains);
+
+				/*
+				 * Ensure the number of levels in the tree
+				 * does not exceed the number of logical
+				 * levels allowed by DNSSEC.
+				 *
+				 * XXXDCL need a better error result?
+				 */
+				if (level_count >= DNS_RBT_LEVELBLOCK) {
+					result = ISC_R_NOSPACE;
+					break;
+				}
+
+				/*
+				 * Split the name into two parts, a prefix
+				 * which is the not-in-common parts of the
+				 * two names and a suffix that is the common
+				 * parts of them.
+				 */
+				dns_name_split(&current_name, common_labels,
+					       prefix, suffix);
+				result = create_node(rbt->mctx, suffix,
+						     &new_current);
+
+				if (result != ISC_R_SUCCESS)
+					break;
+
+				/*
+				 * Reproduce the tree attributes of the
+				 * current node.
+				 */
+				new_current->is_root = current->is_root;
+				if (current->nsec == DNS_RBT_NSEC_HAS_NSEC)
+					new_current->nsec = DNS_RBT_NSEC_NORMAL;
+				else
+					new_current->nsec = current->nsec;
+				PARENT(new_current)  = PARENT(current);
+				LEFT(new_current)    = LEFT(current);
+				RIGHT(new_current)   = RIGHT(current);
+				COLOR(new_current)   = COLOR(current);
+
+				/*
+				 * Fix pointers that were to the current node.
+				 */
+				if (parent != NULL) {
+					if (LEFT(parent) == current)
+						LEFT(parent) = new_current;
+					else
+						RIGHT(parent) = new_current;
+				}
+				if (LEFT(new_current) != NULL)
+					PARENT(LEFT(new_current)) =
+						new_current;
+				if (RIGHT(new_current) != NULL)
+					PARENT(RIGHT(new_current)) =
+						new_current;
+				if (*root == current)
+					*root = new_current;
+
+				NAMELEN(current) = prefix->length;
+				OFFSETLEN(current) = prefix->labels;
+
+				/*
+				 * Set up the new root of the next level.
+				 * By definition it will not be the top
+				 * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
+				 */
+				current->is_root = 1;
+				PARENT(current) = new_current;
+				DOWN(new_current) = current;
+				root = &DOWN(new_current);
+#ifdef DNS_RBT_USEHASH
+				UPPERNODE(new_current) = UPPERNODE(current);
+				UPPERNODE(current) = new_current;
+#endif /* DNS_RBT_USEHASH */
+
+				INSIST(level_count < DNS_RBT_LEVELBLOCK);
+				level_count++;
+
+				LEFT(current) = NULL;
+				RIGHT(current) = NULL;
+
+				MAKE_BLACK(current);
+				ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
+
+				rbt->nodecount++;
+				dns_name_getlabelsequence(name,
+							  nlabels - hlabels,
+							  hlabels, new_name);
+				hash_node(rbt, new_current, new_name);
+
+				if (common_labels ==
+				    dns_name_countlabels(add_name)) {
+					/*
+					 * The name has been added by pushing
+					 * the not-in-common parts down to
+					 * a new level.
+					 */
+					*nodep = new_current;
+					return (ISC_R_SUCCESS);
+
+				} else {
+					/*
+					 * The current node has no data,
+					 * because it is just a placeholder.
+					 * Its data pointer is already NULL
+					 * from create_node()), so there's
+					 * nothing more to do to it.
+					 */
+
+					/*
+					 * The not-in-common parts of the new
+					 * name will be inserted into the new
+					 * level following this loop (unless
+					 * result != ISC_R_SUCCESS, which
+					 * is tested after the loop ends).
+					 */
+					dns_name_split(add_name, common_labels,
+						       add_name, NULL);
+
+					break;
+				}
+
+			}
+
+		}
+
+	} while (ISC_LIKELY(child != NULL));
+
+	if (ISC_LIKELY(result == ISC_R_SUCCESS))
+		result = create_node(rbt->mctx, add_name, &new_current);
+
+	if (ISC_LIKELY(result == ISC_R_SUCCESS)) {
+#ifdef DNS_RBT_USEHASH
+		if (*root == NULL)
+			UPPERNODE(new_current) = current;
+		else
+			UPPERNODE(new_current) = PARENT(*root);
+#endif /* DNS_RBT_USEHASH */
+		addonlevel(new_current, current, order, root);
+		rbt->nodecount++;
+		*nodep = new_current;
+		hash_node(rbt, new_current, name);
+	}
+
+	return (result);
+}
+
+/*
+ * Add a name to the tree of trees, associating it with some data.
+ */
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
+	isc_result_t result;
+	dns_rbtnode_t *node;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+
+	node = NULL;
+
+	result = dns_rbt_addnode(rbt, name, &node);
+
+	/*
+	 * dns_rbt_addnode will report the node exists even when
+	 * it does not have data associated with it, but the
+	 * dns_rbt_*name functions all behave depending on whether
+	 * there is data associated with a node.
+	 */
+	if (result == ISC_R_SUCCESS ||
+	    (result == ISC_R_EXISTS && DATA(node) == NULL)) {
+		DATA(node) = data;
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+/*
+ * Find the node for "name" in the tree of trees.
+ */
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, const dns_name_t *name, dns_name_t *foundname,
+		 dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+		 unsigned int options, dns_rbtfindcallback_t callback,
+		 void *callback_arg)
+{
+	dns_rbtnode_t *current, *last_compared;
+	dns_rbtnodechain_t localchain;
+	dns_name_t *search_name, current_name, *callback_name;
+	dns_fixedname_t fixedcallbackname, fixedsearchname;
+	dns_namereln_t compared;
+	isc_result_t result, saved_result;
+	unsigned int common_labels;
+	unsigned int hlabels = 0;
+	int order;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(node != NULL && *node == NULL);
+	REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR))
+		!=         (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
+
+	/*
+	 * If there is a chain it needs to appear to be in a sane state,
+	 * otherwise a chain is still needed to generate foundname and
+	 * callback_name.
+	 */
+	if (chain == NULL) {
+		options |= DNS_RBTFIND_NOPREDECESSOR;
+		chain = &localchain;
+		dns_rbtnodechain_init(chain, rbt->mctx);
+	} else
+		dns_rbtnodechain_reset(chain);
+
+	if (ISC_UNLIKELY(rbt->root == NULL))
+		return (ISC_R_NOTFOUND);
+
+	/*
+	 * Appease GCC about variables it incorrectly thinks are
+	 * possibly used uninitialized.
+	 */
+	compared = dns_namereln_none;
+	last_compared = NULL;
+	order = 0;
+
+	callback_name = dns_fixedname_initname(&fixedcallbackname);
+
+	/*
+	 * search_name is the name segment being sought in each tree level.
+	 * By using a fixedname, the search_name will definitely have offsets
+	 * for use by any splitting.
+	 * By using dns_name_clone, no name data should be copied thanks to
+	 * the lack of bitstring labels.
+	 */
+	search_name = dns_fixedname_initname(&fixedsearchname);
+	dns_name_clone(name, search_name);
+
+	dns_name_init(&current_name, NULL);
+
+	saved_result = ISC_R_SUCCESS;
+	current = rbt->root;
+
+	while (ISC_LIKELY(current != NULL)) {
+		NODENAME(current, &current_name);
+		compared = dns_name_fullcompare(search_name, &current_name,
+						&order, &common_labels);
+		/*
+		 * last_compared is used as a shortcut to start (or
+		 * continue rather) finding the stop-node of the search
+		 * when hashing was used (see much below in this
+		 * function).
+		 */
+		last_compared = current;
+
+		if (compared == dns_namereln_equal)
+			break;
+
+		if (compared == dns_namereln_none) {
+#ifdef DNS_RBT_USEHASH
+			/*
+			 * Here, current is pointing at a subtree root
+			 * node. We try to find a matching node using
+			 * the hashtable. We can get one of 3 results
+			 * here: (a) we locate the matching node, (b) we
+			 * find a node to which the current node has a
+			 * subdomain relation, (c) we fail to find (a)
+			 * or (b).
+			 */
+
+			dns_name_t hash_name;
+			dns_rbtnode_t *hnode;
+			dns_rbtnode_t *up_current;
+			unsigned int nlabels;
+			unsigned int tlabels = 1;
+			unsigned int hash;
+
+			/*
+			 * The case of current not being a subtree root,
+			 * that means a left or right pointer was
+			 * followed, only happens when the algorithm
+			 * fell through to the traditional binary search
+			 * because of a bitstring label.  Since we
+			 * dropped the bitstring support, this should
+			 * not happen.
+			 */
+			INSIST(IS_ROOT(current));
+
+			nlabels = dns_name_countlabels(search_name);
+
+			/*
+			 * current is the root of the current level, so
+			 * its parent is the same as its "up" pointer.
+			 */
+			up_current = PARENT(current);
+			dns_name_init(&hash_name, NULL);
+
+		hashagain:
+			/*
+			 * Compute the hash over the full absolute
+			 * name. Look for the smallest suffix match at
+			 * this tree level (hlevel), and then at every
+			 * iteration, look for the next smallest suffix
+			 * match (add another subdomain label to the
+			 * absolute name being hashed).
+			 */
+			dns_name_getlabelsequence(name,
+						  nlabels - tlabels,
+						  hlabels + tlabels,
+						  &hash_name);
+			hash = dns_name_fullhash(&hash_name, false);
+			dns_name_getlabelsequence(search_name,
+						  nlabels - tlabels,
+						  tlabels, &hash_name);
+
+			/*
+			 * Walk all the nodes in the hash bucket pointed
+			 * by the computed hash value.
+			 */
+			for (hnode = rbt->hashtable[hash % rbt->hashsize];
+			     hnode != NULL;
+			     hnode = hnode->hashnext)
+			{
+				dns_name_t hnode_name;
+
+				if (ISC_LIKELY(hash != HASHVAL(hnode)))
+					continue;
+				/*
+				 * This checks that the hashed label
+				 * sequence being looked up is at the
+				 * same tree level, so that we don't
+				 * match a labelsequence from some other
+				 * subdomain.
+				 */
+				if (ISC_LIKELY(get_upper_node(hnode) != up_current))
+					continue;
+
+				dns_name_init(&hnode_name, NULL);
+				NODENAME(hnode, &hnode_name);
+				if (ISC_LIKELY(dns_name_equal(&hnode_name, &hash_name)))
+					break;
+			}
+
+			if (hnode != NULL) {
+				current = hnode;
+				/*
+				 * This is an optimization.  If hashing found
+				 * the right node, the next call to
+				 * dns_name_fullcompare() would obviously
+				 * return _equal or _subdomain.  Determine
+				 * which of those would be the case by
+				 * checking if the full name was hashed.  Then
+				 * make it look like dns_name_fullcompare
+				 * was called and jump to the right place.
+				 */
+				if (tlabels == nlabels) {
+					compared = dns_namereln_equal;
+					break;
+				} else {
+					common_labels = tlabels;
+					compared = dns_namereln_subdomain;
+					goto subdomain;
+				}
+			}
+
+			if (tlabels++ < nlabels)
+				goto hashagain;
+
+			/*
+			 * All of the labels have been tried against the hash
+			 * table.  Since we dropped the support of bitstring
+			 * labels, the name isn't in the table.
+			 */
+			current = NULL;
+			continue;
+
+#else /* DNS_RBT_USEHASH */
+
+			/*
+			 * Standard binary search tree movement.
+			 */
+			if (order < 0)
+				current = LEFT(current);
+			else
+				current = RIGHT(current);
+
+#endif /* DNS_RBT_USEHASH */
+
+		} else {
+			/*
+			 * The names have some common suffix labels.
+			 *
+			 * If the number in common are equal in length to
+			 * the current node's name length, then follow the
+			 * down pointer and search in the new tree.
+			 */
+			if (compared == dns_namereln_subdomain) {
+#ifdef DNS_RBT_USEHASH
+		subdomain:
+#endif
+				/*
+				 * Whack off the current node's common parts
+				 * for the name to search in the next level.
+				 */
+				dns_name_split(search_name, common_labels,
+					       search_name, NULL);
+				hlabels += common_labels;
+				/*
+				 * This might be the closest enclosing name.
+				 */
+				if (DATA(current) != NULL ||
+				    (options & DNS_RBTFIND_EMPTYDATA) != 0)
+					*node = current;
+
+				/*
+				 * Point the chain to the next level.   This
+				 * needs to be done before 'current' is pointed
+				 * there because the callback in the next
+				 * block of code needs the current 'current',
+				 * but in the event the callback requests that
+				 * the search be stopped then the
+				 * DNS_R_PARTIALMATCH code at the end of this
+				 * function needs the chain pointed to the
+				 * next level.
+				 */
+				ADD_LEVEL(chain, current);
+
+				/*
+				 * The caller may want to interrupt the
+				 * downward search when certain special nodes
+				 * are traversed.  If this is a special node,
+				 * the callback is used to learn what the
+				 * caller wants to do.
+				 */
+				if (callback != NULL &&
+				    FINDCALLBACK(current)) {
+					result = chain_name(chain,
+							    callback_name,
+							    false);
+					if (result != ISC_R_SUCCESS) {
+						dns_rbtnodechain_reset(chain);
+						return (result);
+					}
+
+					result = (callback)(current,
+							    callback_name,
+							    callback_arg);
+					if (result != DNS_R_CONTINUE) {
+						saved_result = result;
+						/*
+						 * Treat this node as if it
+						 * had no down pointer.
+						 */
+						current = NULL;
+						break;
+					}
+				}
+
+				/*
+				 * Finally, head to the next tree level.
+				 */
+				current = DOWN(current);
+			} else {
+				/*
+				 * Though there are labels in common, the
+				 * entire name at this node is not common
+				 * with the search name so the search
+				 * name does not exist in the tree.
+				 */
+				INSIST(compared == dns_namereln_commonancestor
+				       || compared == dns_namereln_contains);
+
+				current = NULL;
+			}
+		}
+	}
+
+	/*
+	 * If current is not NULL, NOEXACT is not disallowing exact matches,
+	 * and either the node has data or an empty node is ok, return
+	 * ISC_R_SUCCESS to indicate an exact match.
+	 */
+	if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
+	    (DATA(current) != NULL ||
+	     (options & DNS_RBTFIND_EMPTYDATA) != 0)) {
+		/*
+		 * Found an exact match.
+		 */
+		chain->end = current;
+		chain->level_matches = chain->level_count;
+
+		if (foundname != NULL)
+			result = chain_name(chain, foundname, true);
+		else
+			result = ISC_R_SUCCESS;
+
+		if (result == ISC_R_SUCCESS) {
+			*node = current;
+			result = saved_result;
+		} else
+			*node = NULL;
+	} else {
+		/*
+		 * Did not find an exact match (or did not want one).
+		 */
+		if (*node != NULL) {
+			/*
+			 * ... but found a partially matching superdomain.
+			 * Unwind the chain to the partial match node
+			 * to set level_matches to the level above the node,
+			 * and then to derive the name.
+			 *
+			 * chain->level_count is guaranteed to be at least 1
+			 * here because by definition of finding a superdomain,
+			 * the chain is pointed to at least the first subtree.
+			 */
+			chain->level_matches = chain->level_count - 1;
+
+			while (chain->levels[chain->level_matches] != *node) {
+				INSIST(chain->level_matches > 0);
+				chain->level_matches--;
+			}
+
+			if (foundname != NULL) {
+				unsigned int saved_count = chain->level_count;
+
+				chain->level_count = chain->level_matches + 1;
+
+				result = chain_name(chain, foundname,
+						    false);
+
+				chain->level_count = saved_count;
+			} else
+				result = ISC_R_SUCCESS;
+
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_PARTIALMATCH;
+
+		} else
+			result = ISC_R_NOTFOUND;
+
+		if (current != NULL) {
+			/*
+			 * There was an exact match but either
+			 * DNS_RBTFIND_NOEXACT was set, or
+			 * DNS_RBTFIND_EMPTYDATA was set and the node had no
+			 * data.  A policy decision was made to set the
+			 * chain to the exact match, but this is subject
+			 * to change if it becomes apparent that something
+			 * else would be more useful.  It is important that
+			 * this case is handled here, because the predecessor
+			 * setting code below assumes the match was not exact.
+			 */
+			INSIST(((options & DNS_RBTFIND_NOEXACT) != 0) ||
+			       ((options & DNS_RBTFIND_EMPTYDATA) == 0 &&
+				DATA(current) == NULL));
+			chain->end = current;
+
+		} else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
+			/*
+			 * Ensure the chain points nowhere.
+			 */
+			chain->end = NULL;
+
+		} else {
+			/*
+			 * Since there was no exact match, the chain argument
+			 * needs to be pointed at the DNSSEC predecessor of
+			 * the search name.
+			 */
+			if (compared == dns_namereln_subdomain) {
+				/*
+				 * Attempted to follow a down pointer that was
+				 * NULL, which means the searched for name was
+				 * a subdomain of a terminal name in the tree.
+				 * Since there are no existing subdomains to
+				 * order against, the terminal name is the
+				 * predecessor.
+				 */
+				INSIST(chain->level_count > 0);
+				INSIST(chain->level_matches <
+				       chain->level_count);
+				chain->end =
+					chain->levels[--chain->level_count];
+
+			} else {
+				isc_result_t result2;
+
+				/*
+				 * Point current to the node that stopped
+				 * the search.
+				 *
+				 * With the hashing modification that has been
+				 * added to the algorithm, the stop node of a
+				 * standard binary search is not known.  So it
+				 * has to be found.  There is probably a more
+				 * clever way of doing this.
+				 *
+				 * The assignment of current to NULL when
+				 * the relationship is *not* dns_namereln_none,
+				 * even though it later gets set to the same
+				 * last_compared anyway, is simply to not push
+				 * the while loop in one more level of
+				 * indentation.
+				 */
+				if (compared == dns_namereln_none)
+					current = last_compared;
+				else
+					current = NULL;
+
+				while (current != NULL) {
+					NODENAME(current, &current_name);
+					compared = dns_name_fullcompare(
+								search_name,
+								&current_name,
+								&order,
+								&common_labels);
+					POST(compared);
+
+					last_compared = current;
+
+					/*
+					 * Standard binary search movement.
+					 */
+					if (order < 0)
+						current = LEFT(current);
+					else
+						current = RIGHT(current);
+
+				}
+
+				current = last_compared;
+
+				/*
+				 * Reached a point within a level tree that
+				 * positively indicates the name is not
+				 * present, but the stop node could be either
+				 * less than the desired name (order > 0) or
+				 * greater than the desired name (order < 0).
+				 *
+				 * If the stop node is less, it is not
+				 * necessarily the predecessor.  If the stop
+				 * node has a down pointer, then the real
+				 * predecessor is at the end of a level below
+				 * (not necessarily the next level).
+				 * Move down levels until the rightmost node
+				 * does not have a down pointer.
+				 *
+				 * When the stop node is greater, it is
+				 * the successor.  All the logic for finding
+				 * the predecessor is handily encapsulated
+				 * in dns_rbtnodechain_prev.  In the event
+				 * that the search name is less than anything
+				 * else in the tree, the chain is reset.
+				 * XXX DCL What is the best way for the caller
+				 *         to know that the search name has
+				 *         no predecessor?
+				 */
+
+
+				if (order > 0) {
+					if (DOWN(current) != NULL) {
+						ADD_LEVEL(chain, current);
+
+						result2 =
+						      move_chain_to_last(chain,
+								DOWN(current));
+
+						if (result2 != ISC_R_SUCCESS)
+							result = result2;
+					} else
+						/*
+						 * Ah, the pure and simple
+						 * case.  The stop node is the
+						 * predecessor.
+						 */
+						chain->end = current;
+
+				} else {
+					INSIST(order < 0);
+
+					chain->end = current;
+
+					result2 = dns_rbtnodechain_prev(chain,
+									NULL,
+									NULL);
+					if (result2 == ISC_R_SUCCESS ||
+					    result2 == DNS_R_NEWORIGIN)
+						;       /* Nothing. */
+					else if (result2 == ISC_R_NOMORE)
+						/*
+						 * There is no predecessor.
+						 */
+						dns_rbtnodechain_reset(chain);
+					else
+						result = result2;
+				}
+
+			}
+		}
+	}
+
+	ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
+
+	return (result);
+}
+
+/*
+ * Get the data pointer associated with 'name'.
+ */
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, const dns_name_t *name, unsigned int options,
+		 dns_name_t *foundname, void **data) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+
+	REQUIRE(data != NULL && *data == NULL);
+
+	result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
+				  options, NULL, NULL);
+
+	if (node != NULL &&
+	    (DATA(node) != NULL || (options & DNS_RBTFIND_EMPTYDATA) != 0))
+		*data = DATA(node);
+	else
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+/*
+ * Delete a name from the tree of trees.
+ */
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, bool recurse) {
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(dns_name_isabsolute(name));
+
+	/*
+	 * First, find the node.
+	 *
+	 * When searching, the name might not have an exact match:
+	 * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
+	 * elements of a tree, which would make layer 1 a single
+	 * node tree of "b.a.com" and layer 2 a three node tree of
+	 * a, b, and c.  Deleting a.com would find only a partial depth
+	 * match in the first layer.  Should it be a requirement that
+	 * that the name to be deleted have data?  For now, it is.
+	 *
+	 * ->dirty, ->locknum and ->references are ignored; they are
+	 * solely the province of rbtdb.c.
+	 */
+	result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
+				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+	if (result == ISC_R_SUCCESS) {
+		if (DATA(node) != NULL)
+			result = dns_rbt_deletenode(rbt, node, recurse);
+		else
+			result = ISC_R_NOTFOUND;
+
+	} else if (result == DNS_R_PARTIALMATCH)
+		result = ISC_R_NOTFOUND;
+
+	return (result);
+}
+
+/*
+ * Remove a node from the tree of trees.
+ *
+ * NOTE WELL: deletion is *not* symmetric with addition; that is, reversing
+ * a sequence of additions to be deletions will not generally get the
+ * tree back to the state it started in.  For example, if the addition
+ * of "b.c" caused the node "a.b.c" to be split, pushing "a" to its own level,
+ * then the subsequent deletion of "b.c" will not cause "a" to be pulled up,
+ * restoring "a.b.c".  The RBT *used* to do this kind of rejoining, but it
+ * turned out to be a bad idea because it could corrupt an active nodechain
+ * that had "b.c" as one of its levels -- and the RBT has no idea what
+ * nodechains are in use by callers, so it can't even *try* to helpfully
+ * fix them up (which would probably be doomed to failure anyway).
+ *
+ * Similarly, it is possible to leave the tree in a state where a supposedly
+ * deleted node still exists.  The first case of this is obvious; take
+ * the tree which has "b.c" on one level, pointing to "a".  Now deleted "b.c".
+ * It was just established in the previous paragraph why we can't pull "a"
+ * back up to its parent level.  But what happens when "a" then gets deleted?
+ * "b.c" is left hanging around without data or children.  This condition
+ * is actually pretty easy to detect, but ... should it really be removed?
+ * Is a chain pointing to it?  An iterator?  Who knows!  (Note that the
+ * references structure member cannot be looked at because it is private to
+ * rbtdb.)  This is ugly and makes me unhappy, but after hours of trying to
+ * make it more aesthetically proper and getting nowhere, this is the way it
+ * is going to stay until such time as it proves to be a *real* problem.
+ *
+ * Finally, for reference, note that the original routine that did node
+ * joining was called join_nodes().  It has been excised, living now only
+ * in the CVS history, but comments have been left behind that point to it just
+ * in case someone wants to muck with this some more.
+ *
+ * The one positive aspect of all of this is that joining used to have a
+ * case where it might fail.  Without trying to join, now this function always
+ * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
+ */
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, bool recurse)
+{
+	dns_rbtnode_t *parent;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	INSIST(rbt->nodecount != 0);
+
+	if (DOWN(node) != NULL) {
+		if (recurse) {
+			PARENT(DOWN(node)) = NULL;
+			deletetreeflat(rbt, 0, true, &DOWN(node));
+		} else {
+			if (DATA(node) != NULL && rbt->data_deleter != NULL)
+				rbt->data_deleter(DATA(node), rbt->deleter_arg);
+			DATA(node) = NULL;
+
+			/*
+			 * Since there is at least one node below this one and
+			 * no recursion was requested, the deletion is
+			 * complete.  The down node from this node might be all
+			 * by itself on a single level, so join_nodes() could
+			 * be used to collapse the tree (with all the caveats
+			 * of the comment at the start of this function).
+			 * But join_nodes() function has now been removed.
+			 */
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Note the node that points to the level of the node
+	 * that is being deleted.  If the deleted node is the
+	 * top level, parent will be set to NULL.
+	 */
+	parent = get_upper_node(node);
+
+	/*
+	 * This node now has no down pointer, so now it needs
+	 * to be removed from this level.
+	 */
+	deletefromlevel(node, parent == NULL ? &rbt->root : &DOWN(parent));
+
+	if (DATA(node) != NULL && rbt->data_deleter != NULL)
+		rbt->data_deleter(DATA(node), rbt->deleter_arg);
+
+	unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+	node->magic = 0;
+#endif
+	dns_rbtnode_refdestroy(node);
+
+	freenode(rbt, &node);
+
+	/*
+	 * This function never fails.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(name != NULL);
+	REQUIRE(name->offsets == NULL);
+
+	NODENAME(node, name);
+}
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+	dns_name_t current;
+	isc_result_t result;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(name != NULL);
+	REQUIRE(name->buffer != NULL);
+
+	dns_name_init(&current, NULL);
+	dns_name_reset(name);
+
+	do {
+		INSIST(node != NULL);
+
+		NODENAME(node, &current);
+
+		result = dns_name_concatenate(name, &current, name, NULL);
+		if (result != ISC_R_SUCCESS)
+			break;
+
+		node = get_upper_node(node);
+	} while (! dns_name_isabsolute(name));
+
+	return (result);
+}
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size)
+{
+	dns_fixedname_t fixedname;
+	dns_name_t *name;
+	isc_result_t result;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(printname != NULL);
+
+	name = dns_fixedname_initname(&fixedname);
+	result = dns_rbt_fullnamefromnode(node, name);
+	if (result == ISC_R_SUCCESS)
+		dns_name_format(name, printname, size);
+	else
+		snprintf(printname, size, "<error building name: %s>",
+			 dns_result_totext(result));
+
+	return (printname);
+}
+
+static isc_result_t
+create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
+	dns_rbtnode_t *node;
+	isc_region_t region;
+	unsigned int labels;
+	size_t nodelen;
+
+	REQUIRE(name->offsets != NULL);
+
+	dns_name_toregion(name, &region);
+	labels = dns_name_countlabels(name);
+	ENSURE(labels > 0);
+
+	/*
+	 * Allocate space for the node structure, the name, and the offsets.
+	 */
+	nodelen = sizeof(dns_rbtnode_t) + region.length + labels + 1;
+	node = (dns_rbtnode_t *)isc_mem_get(mctx, nodelen);
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(node, 0, nodelen);
+
+	node->is_root = 0;
+	PARENT(node) = NULL;
+	RIGHT(node) = NULL;
+	LEFT(node) = NULL;
+	DOWN(node) = NULL;
+	DATA(node) = NULL;
+	node->is_mmapped = 0;
+	node->down_is_relative = 0;
+	node->left_is_relative = 0;
+	node->right_is_relative = 0;
+	node->parent_is_relative = 0;
+	node->data_is_relative = 0;
+	node->rpz = 0;
+
+#ifdef DNS_RBT_USEHASH
+	HASHNEXT(node) = NULL;
+	HASHVAL(node) = 0;
+#endif
+
+	ISC_LINK_INIT(node, deadlink);
+
+	LOCKNUM(node) = 0;
+	WILD(node) = 0;
+	DIRTY(node) = 0;
+	dns_rbtnode_refinit(node, 0);
+	node->find_callback = 0;
+	node->nsec = DNS_RBT_NSEC_NORMAL;
+
+	MAKE_BLACK(node);
+
+	/*
+	 * The following is stored to make reconstructing a name from the
+	 * stored value in the node easy:  the length of the name, the number
+	 * of labels, whether the name is absolute or not, the name itself,
+	 * and the name's offsets table.
+	 *
+	 * XXX RTH
+	 *      The offsets table could be made smaller by eliminating the
+	 *      first offset, which is always 0.  This requires changes to
+	 *      lib/dns/name.c.
+	 *
+	 * Note: OLDOFFSETLEN *must* be assigned *after* OLDNAMELEN is assigned
+	 * 	 as it uses OLDNAMELEN.
+	 */
+	OLDNAMELEN(node) = NAMELEN(node) = region.length;
+	OLDOFFSETLEN(node) = OFFSETLEN(node) = labels;
+	ATTRS(node) = name->attributes;
+
+	memmove(NAME(node), region.base, region.length);
+	memmove(OFFSETS(node), name->offsets, labels);
+
+#if DNS_RBT_USEMAGIC
+	node->magic = DNS_RBTNODE_MAGIC;
+#endif
+	*nodep = node;
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef DNS_RBT_USEHASH
+static inline void
+hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
+	unsigned int hash;
+
+	REQUIRE(name != NULL);
+
+	HASHVAL(node) = dns_name_fullhash(name, false);
+
+	hash = HASHVAL(node) % rbt->hashsize;
+	HASHNEXT(node) = rbt->hashtable[hash];
+
+	rbt->hashtable[hash] = node;
+}
+
+static isc_result_t
+inithash(dns_rbt_t *rbt) {
+	unsigned int bytes;
+
+	rbt->hashsize = RBT_HASH_SIZE;
+	bytes = (unsigned int)rbt->hashsize * sizeof(dns_rbtnode_t *);
+	rbt->hashtable = isc_mem_get(rbt->mctx, bytes);
+
+	if (rbt->hashtable == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(rbt->hashtable, 0, bytes);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rehash(dns_rbt_t *rbt, unsigned int newcount) {
+	unsigned int oldsize;
+	dns_rbtnode_t **oldtable;
+	dns_rbtnode_t *node;
+	dns_rbtnode_t *nextnode;
+	unsigned int hash;
+	unsigned int i;
+
+	oldsize = (unsigned int)rbt->hashsize;
+	oldtable = rbt->hashtable;
+	do {
+		INSIST((rbt->hashsize * 2 + 1) > rbt->hashsize);
+		rbt->hashsize = rbt->hashsize * 2 + 1;
+	} while (newcount >= (rbt->hashsize * 3));
+	rbt->hashtable = isc_mem_get(rbt->mctx,
+				     rbt->hashsize * sizeof(dns_rbtnode_t *));
+	if (rbt->hashtable == NULL) {
+		rbt->hashtable = oldtable;
+		rbt->hashsize = oldsize;
+		return;
+	}
+
+	for (i = 0; i < rbt->hashsize; i++)
+		rbt->hashtable[i] = NULL;
+
+	for (i = 0; i < oldsize; i++) {
+		for (node = oldtable[i]; node != NULL; node = nextnode) {
+			hash = HASHVAL(node) % rbt->hashsize;
+			nextnode = HASHNEXT(node);
+			HASHNEXT(node) = rbt->hashtable[hash];
+			rbt->hashtable[hash] = node;
+		}
+	}
+
+	isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
+}
+
+static inline void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
+	if (rbt->nodecount >= (rbt->hashsize * 3))
+		rehash(rbt, rbt->nodecount);
+
+	hash_add_node(rbt, node, name);
+}
+
+static inline void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+	unsigned int bucket;
+	dns_rbtnode_t *bucket_node;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+
+	bucket = HASHVAL(node) % rbt->hashsize;
+	bucket_node = rbt->hashtable[bucket];
+
+	if (bucket_node == node) {
+		rbt->hashtable[bucket] = HASHNEXT(node);
+	} else {
+		while (HASHNEXT(bucket_node) != node) {
+			INSIST(HASHNEXT(bucket_node) != NULL);
+			bucket_node = HASHNEXT(bucket_node);
+		}
+		HASHNEXT(bucket_node) = HASHNEXT(node);
+	}
+}
+#endif /* DNS_RBT_USEHASH */
+
+static inline void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(rootp != NULL);
+
+	child = RIGHT(node);
+	INSIST(child != NULL);
+
+	RIGHT(node) = LEFT(child);
+	if (LEFT(child) != NULL)
+		PARENT(LEFT(child)) = node;
+	LEFT(child) = node;
+
+	PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
+		*rootp = child;
+		child->is_root = 1;
+		node->is_root = 0;
+
+	} else {
+		if (LEFT(PARENT(node)) == node)
+			LEFT(PARENT(node)) = child;
+		else
+			RIGHT(PARENT(node)) = child;
+	}
+
+	PARENT(node) = child;
+}
+
+static inline void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child;
+
+	REQUIRE(DNS_RBTNODE_VALID(node));
+	REQUIRE(rootp != NULL);
+
+	child = LEFT(node);
+	INSIST(child != NULL);
+
+	LEFT(node) = RIGHT(child);
+	if (RIGHT(child) != NULL)
+		PARENT(RIGHT(child)) = node;
+	RIGHT(child) = node;
+
+	PARENT(child) = PARENT(node);
+
+	if (IS_ROOT(node)) {
+		*rootp = child;
+		child->is_root = 1;
+		node->is_root = 0;
+
+	} else {
+		if (LEFT(PARENT(node)) == node)
+			LEFT(PARENT(node)) = child;
+		else
+			RIGHT(PARENT(node)) = child;
+	}
+
+	PARENT(node) = child;
+}
+
+/*
+ * This is the real workhorse of the insertion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+	   dns_rbtnode_t **rootp)
+{
+	dns_rbtnode_t *child, *root, *parent, *grandparent;
+	dns_name_t add_name, current_name;
+	dns_offsets_t add_offsets, current_offsets;
+
+	REQUIRE(rootp != NULL);
+	REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
+		RIGHT(node) == NULL);
+	REQUIRE(current != NULL);
+
+	root = *rootp;
+	if (root == NULL) {
+		/*
+		 * First node of a level.
+		 */
+		MAKE_BLACK(node);
+		node->is_root = 1;
+		PARENT(node) = current;
+		*rootp = node;
+		return;
+	}
+
+	child = root;
+	POST(child);
+
+	dns_name_init(&add_name, add_offsets);
+	NODENAME(node, &add_name);
+
+	dns_name_init(&current_name, current_offsets);
+	NODENAME(current, &current_name);
+
+	if (order < 0) {
+		INSIST(LEFT(current) == NULL);
+		LEFT(current) = node;
+	} else {
+		INSIST(RIGHT(current) == NULL);
+		RIGHT(current) = node;
+	}
+
+	INSIST(PARENT(node) == NULL);
+	PARENT(node) = current;
+
+	MAKE_RED(node);
+
+	while (node != root && IS_RED(PARENT(node))) {
+		/*
+		 * XXXDCL could do away with separate parent and grandparent
+		 * variables.  They are vestiges of the days before parent
+		 * pointers.  However, they make the code a little clearer.
+		 */
+
+		parent = PARENT(node);
+		grandparent = PARENT(parent);
+
+		if (parent == LEFT(grandparent)) {
+			child = RIGHT(grandparent);
+			if (child != NULL && IS_RED(child)) {
+				MAKE_BLACK(parent);
+				MAKE_BLACK(child);
+				MAKE_RED(grandparent);
+				node = grandparent;
+			} else {
+				if (node == RIGHT(parent)) {
+					rotate_left(parent, &root);
+					node = parent;
+					parent = PARENT(node);
+					grandparent = PARENT(parent);
+				}
+				MAKE_BLACK(parent);
+				MAKE_RED(grandparent);
+				rotate_right(grandparent, &root);
+			}
+		} else {
+			child = LEFT(grandparent);
+			if (child != NULL && IS_RED(child)) {
+				MAKE_BLACK(parent);
+				MAKE_BLACK(child);
+				MAKE_RED(grandparent);
+				node = grandparent;
+			} else {
+				if (node == LEFT(parent)) {
+					rotate_right(parent, &root);
+					node = parent;
+					parent = PARENT(node);
+					grandparent = PARENT(parent);
+				}
+				MAKE_BLACK(parent);
+				MAKE_RED(grandparent);
+				rotate_left(grandparent, &root);
+			}
+		}
+	}
+
+	MAKE_BLACK(root);
+	ENSURE(IS_ROOT(root));
+	*rootp = root;
+
+	return;
+}
+
+/*
+ * This is the real workhorse of the deletion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp) {
+	dns_rbtnode_t *child, *sibling, *parent;
+	dns_rbtnode_t *successor;
+
+	REQUIRE(item != NULL);
+
+	/*
+	 * Verify that the parent history is (apparently) correct.
+	 */
+	INSIST((IS_ROOT(item) && *rootp == item) ||
+	       (! IS_ROOT(item) &&
+		(LEFT(PARENT(item)) == item ||
+		 RIGHT(PARENT(item)) == item)));
+
+	child = NULL;
+
+	if (LEFT(item) == NULL) {
+		if (RIGHT(item) == NULL) {
+			if (IS_ROOT(item)) {
+				/*
+				 * This is the only item in the tree.
+				 */
+				*rootp = NULL;
+				return;
+			}
+		} else
+			/*
+			 * This node has one child, on the right.
+			 */
+			child = RIGHT(item);
+
+	} else if (RIGHT(item) == NULL)
+		/*
+		 * This node has one child, on the left.
+		 */
+		child = LEFT(item);
+	else {
+		dns_rbtnode_t holder, *tmp = &holder;
+
+		/*
+		 * This node has two children, so it cannot be directly
+		 * deleted.  Find its immediate in-order successor and
+		 * move it to this location, then do the deletion at the
+		 * old site of the successor.
+		 */
+		successor = RIGHT(item);
+		while (LEFT(successor) != NULL)
+			successor = LEFT(successor);
+
+		/*
+		 * The successor cannot possibly have a left child;
+		 * if there is any child, it is on the right.
+		 */
+		if (RIGHT(successor) != NULL)
+			child = RIGHT(successor);
+
+		/*
+		 * Swap the two nodes; it would be simpler to just replace
+		 * the value being deleted with that of the successor,
+		 * but this rigamarole is done so the caller has complete
+		 * control over the pointers (and memory allocation) of
+		 * all of nodes.  If just the key value were removed from
+		 * the tree, the pointer to the node would be unchanged.
+		 */
+
+		/*
+		 * First, put the successor in the tree location of the
+		 * node to be deleted.  Save its existing tree pointer
+		 * information, which will be needed when linking up
+		 * delete to the successor's old location.
+		 */
+		memmove(tmp, successor, sizeof(dns_rbtnode_t));
+
+		if (IS_ROOT(item)) {
+			*rootp = successor;
+			successor->is_root = true;
+			item->is_root = false;
+
+		} else
+			if (LEFT(PARENT(item)) == item)
+				LEFT(PARENT(item)) = successor;
+			else
+				RIGHT(PARENT(item)) = successor;
+
+		PARENT(successor) = PARENT(item);
+		LEFT(successor)   = LEFT(item);
+		RIGHT(successor)  = RIGHT(item);
+		COLOR(successor)  = COLOR(item);
+
+		if (LEFT(successor) != NULL)
+			PARENT(LEFT(successor)) = successor;
+		if (RIGHT(successor) != successor)
+			PARENT(RIGHT(successor)) = successor;
+
+		/*
+		 * Now relink the node to be deleted into the
+		 * successor's previous tree location.  PARENT(tmp)
+		 * is the successor's original parent.
+		 */
+		INSIST(! IS_ROOT(item));
+
+		if (PARENT(tmp) == item) {
+			/*
+			 * Node being deleted was successor's parent.
+			 */
+			RIGHT(successor) = item;
+			PARENT(item) = successor;
+
+		} else {
+			LEFT(PARENT(tmp)) = item;
+			PARENT(item) = PARENT(tmp);
+		}
+
+		/*
+		 * Original location of successor node has no left.
+		 */
+		LEFT(item)   = NULL;
+		RIGHT(item)  = RIGHT(tmp);
+		COLOR(item)  = COLOR(tmp);
+	}
+
+	/*
+	 * Remove the node by removing the links from its parent.
+	 */
+	if (! IS_ROOT(item)) {
+		if (LEFT(PARENT(item)) == item)
+			LEFT(PARENT(item)) = child;
+		else
+			RIGHT(PARENT(item)) = child;
+
+		if (child != NULL)
+			PARENT(child) = PARENT(item);
+
+	} else {
+		/*
+		 * This is the root being deleted, and at this point
+		 * it is known to have just one child.
+		 */
+		*rootp = child;
+		child->is_root = 1;
+		PARENT(child) = PARENT(item);
+	}
+
+	/*
+	 * Fix color violations.
+	 */
+	if (IS_BLACK(item)) {
+		parent = PARENT(item);
+
+		while (child != *rootp && IS_BLACK(child)) {
+			INSIST(child == NULL || ! IS_ROOT(child));
+
+			if (LEFT(parent) == child) {
+				sibling = RIGHT(parent);
+
+				if (IS_RED(sibling)) {
+					MAKE_BLACK(sibling);
+					MAKE_RED(parent);
+					rotate_left(parent, rootp);
+					sibling = RIGHT(parent);
+				}
+
+				INSIST(sibling != NULL);
+
+				if (IS_BLACK(LEFT(sibling)) &&
+				    IS_BLACK(RIGHT(sibling))) {
+					MAKE_RED(sibling);
+					child = parent;
+
+				} else {
+
+					if (IS_BLACK(RIGHT(sibling))) {
+						MAKE_BLACK(LEFT(sibling));
+						MAKE_RED(sibling);
+						rotate_right(sibling, rootp);
+						sibling = RIGHT(parent);
+					}
+
+					COLOR(sibling) = COLOR(parent);
+					MAKE_BLACK(parent);
+					INSIST(RIGHT(sibling) != NULL);
+					MAKE_BLACK(RIGHT(sibling));
+					rotate_left(parent, rootp);
+					child = *rootp;
+				}
+
+			} else {
+				/*
+				 * Child is parent's right child.
+				 * Everything is done the same as above,
+				 * except mirrored.
+				 */
+				sibling = LEFT(parent);
+
+				if (IS_RED(sibling)) {
+					MAKE_BLACK(sibling);
+					MAKE_RED(parent);
+					rotate_right(parent, rootp);
+					sibling = LEFT(parent);
+				}
+
+				INSIST(sibling != NULL);
+
+				if (IS_BLACK(LEFT(sibling)) &&
+				    IS_BLACK(RIGHT(sibling))) {
+					MAKE_RED(sibling);
+					child = parent;
+
+				} else {
+					if (IS_BLACK(LEFT(sibling))) {
+						MAKE_BLACK(RIGHT(sibling));
+						MAKE_RED(sibling);
+						rotate_left(sibling, rootp);
+						sibling = LEFT(parent);
+					}
+
+					COLOR(sibling) = COLOR(parent);
+					MAKE_BLACK(parent);
+					INSIST(LEFT(sibling) != NULL);
+					MAKE_BLACK(LEFT(sibling));
+					rotate_right(parent, rootp);
+					child = *rootp;
+				}
+			}
+
+			parent = PARENT(child);
+		}
+
+		if (IS_RED(child))
+			MAKE_BLACK(child);
+	}
+}
+
+static void
+freenode(dns_rbt_t *rbt, dns_rbtnode_t **nodep) {
+	dns_rbtnode_t *node = *nodep;
+
+	if (node->is_mmapped == 0) {
+		isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
+	}
+	*nodep = NULL;
+
+	rbt->nodecount--;
+}
+
+static void
+deletetreeflat(dns_rbt_t *rbt, unsigned int quantum, bool unhash,
+	       dns_rbtnode_t **nodep)
+{
+	dns_rbtnode_t *root = *nodep;
+
+	while (root != NULL) {
+		/*
+		 * If there is a left, right or down node, walk into it
+		 * and iterate.
+		 */
+		if (LEFT(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = LEFT(root);
+			LEFT(node) = NULL;
+		} else if (RIGHT(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = RIGHT(root);
+			RIGHT(node) = NULL;
+		} else if (DOWN(root) != NULL) {
+			dns_rbtnode_t *node = root;
+			root = DOWN(root);
+			DOWN(node) = NULL;
+		} else {
+			/*
+			 * There are no left, right or down nodes, so we
+			 * can free this one and go back to its parent.
+			 */
+			dns_rbtnode_t *node = root;
+			root = PARENT(root);
+
+			if (DATA(node) != NULL && rbt->data_deleter != NULL)
+				rbt->data_deleter(DATA(node),
+						  rbt->deleter_arg);
+			if (unhash)
+				unhash_node(rbt, node);
+			/*
+			 * Note: we don't call unhash_node() here as we
+			 * are destroying the complete RBT tree.
+			 */
+#if DNS_RBT_USEMAGIC
+			node->magic = 0;
+#endif
+			freenode(rbt, &node);
+			if (quantum != 0 && --quantum == 0)
+				break;
+		}
+	}
+
+	*nodep = root;
+}
+
+static size_t
+getheight_helper(dns_rbtnode_t *node) {
+	size_t dl, dr;
+	size_t this_height, down_height;
+
+	if (node == NULL)
+		return (0);
+
+	dl = getheight_helper(LEFT(node));
+	dr = getheight_helper(RIGHT(node));
+
+	this_height = ISC_MAX(dl + 1, dr + 1);
+	down_height = getheight_helper(DOWN(node));
+
+	return (ISC_MAX(this_height, down_height));
+}
+
+size_t
+dns__rbt_getheight(dns_rbt_t *rbt) {
+	return (getheight_helper(rbt->root));
+}
+
+static bool
+check_properties_helper(dns_rbtnode_t *node) {
+	if (node == NULL)
+		return (true);
+
+	if (IS_RED(node)) {
+		/* Root nodes must be BLACK. */
+		if (IS_ROOT(node))
+			return (false);
+
+		/* Both children of RED nodes must be BLACK. */
+		if (IS_RED(LEFT(node)) || IS_RED(RIGHT(node)))
+			return (false);
+	}
+
+	if ((DOWN(node) != NULL) && (!IS_ROOT(DOWN(node))))
+		return (false);
+
+	if (IS_ROOT(node)) {
+		if ((PARENT(node) != NULL) &&
+		    (DOWN(PARENT(node)) != node))
+			return (false);
+
+		if (get_upper_node(node) != PARENT(node))
+			return (false);
+	}
+
+	/* If node is assigned to the down_ pointer of its parent, it is
+	 * a subtree root and must have the flag set.
+	 */
+	if (((!PARENT(node)) ||
+	     (DOWN(PARENT(node)) == node)) &&
+	    (!IS_ROOT(node)))
+	{
+		return (false);
+	}
+
+	/* Repeat tests with this node's children. */
+	return (check_properties_helper(LEFT(node)) &&
+		check_properties_helper(RIGHT(node)) &&
+		check_properties_helper(DOWN(node)));
+}
+
+static bool
+check_black_distance_helper(dns_rbtnode_t *node, size_t *distance) {
+	size_t dl, dr, dd;
+
+	if (node == NULL) {
+		*distance = 1;
+		return (true);
+	}
+
+	if (!check_black_distance_helper(LEFT(node), &dl))
+		return (false);
+
+	if (!check_black_distance_helper(RIGHT(node), &dr))
+		return (false);
+
+	if (!check_black_distance_helper(DOWN(node), &dd))
+		return (false);
+
+	/* Left and right side black node counts must match. */
+	if (dl != dr)
+		return (false);
+
+	if (IS_BLACK(node))
+		dl++;
+
+	*distance = dl;
+
+	return (true);
+}
+
+bool
+dns__rbt_checkproperties(dns_rbt_t *rbt) {
+	size_t dd;
+
+	if (!check_properties_helper(rbt->root))
+		return (false);
+
+	/* Path from a given node to all its leaves must contain the
+	 * same number of BLACK child nodes. This is done separately
+	 * here instead of inside check_properties_helper() as
+	 * it would take (n log n) complexity otherwise.
+	 */
+	return (check_black_distance_helper(rbt->root, &dd));
+}
+
+static void
+dns_rbt_indent(FILE *f, int depth) {
+	int i;
+
+	fprintf(f, "%4d ", depth);
+
+	for (i = 0; i < depth; i++)
+		fprintf(f, "- ");
+}
+
+void
+dns_rbt_printnodeinfo(dns_rbtnode_t *n, FILE *f) {
+	fprintf(f, "Node info for nodename: ");
+	printnodename(n, true, f);
+	fprintf(f, "\n");
+
+	fprintf(f, "n = %p\n", n);
+
+	fprintf(f, "Relative pointers: %s%s%s%s%s\n",
+			(n->parent_is_relative == 1 ? " P" : ""),
+			(n->right_is_relative == 1 ? " R" : ""),
+			(n->left_is_relative == 1 ? " L" : ""),
+			(n->down_is_relative == 1 ? " D" : ""),
+			(n->data_is_relative == 1 ? " T" : ""));
+
+	fprintf(f, "node lock address = %u\n", n->locknum);
+
+	fprintf(f, "Parent: %p\n", n->parent);
+	fprintf(f, "Right: %p\n", n->right);
+	fprintf(f, "Left: %p\n", n->left);
+	fprintf(f, "Down: %p\n", n->down);
+	fprintf(f, "daTa: %p\n", n->data);
+}
+
+static void
+printnodename(dns_rbtnode_t *node, bool quoted, FILE *f) {
+	isc_region_t r;
+	dns_name_t name;
+	char buffer[DNS_NAME_FORMATSIZE];
+	dns_offsets_t offsets;
+
+	r.length = NAMELEN(node);
+	r.base = NAME(node);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &r);
+
+	dns_name_format(&name, buffer, sizeof(buffer));
+
+	if (quoted)
+		fprintf(f, "\"%s\"", buffer);
+	else
+		fprintf(f, "%s", buffer);
+}
+
+static void
+print_text_helper(dns_rbtnode_t *root, dns_rbtnode_t *parent,
+		  int depth, const char *direction,
+		  void (*data_printer)(FILE *, void *), FILE *f)
+{
+	dns_rbt_indent(f, depth);
+
+	if (root != NULL) {
+		printnodename(root, true, f);
+		fprintf(f, " (%s, %s", direction,
+			IS_RED(root) ? "RED" : "BLACK");
+
+		if ((! IS_ROOT(root) && PARENT(root) != parent) ||
+		    (  IS_ROOT(root) && depth > 0 &&
+		       DOWN(PARENT(root)) != root)) {
+
+			fprintf(f, " (BAD parent pointer! -> ");
+			if (PARENT(root) != NULL)
+				printnodename(PARENT(root), true, f);
+			else
+				fprintf(f, "NULL");
+			fprintf(f, ")");
+		}
+
+		fprintf(f, ")");
+
+		if (root->data != NULL && data_printer != NULL) {
+			fprintf(f, " data@%p: ", root->data);
+			data_printer(f, root->data);
+		}
+		fprintf(f, "\n");
+
+		depth++;
+
+		if (IS_RED(root) && IS_RED(LEFT(root)))
+			fprintf(f, "** Red/Red color violation on left\n");
+		print_text_helper(LEFT(root), root, depth, "left",
+					  data_printer, f);
+
+		if (IS_RED(root) && IS_RED(RIGHT(root)))
+			fprintf(f, "** Red/Red color violation on right\n");
+		print_text_helper(RIGHT(root), root, depth, "right",
+					  data_printer, f);
+
+		print_text_helper(DOWN(root), NULL, depth, "down",
+					  data_printer, f);
+	} else {
+		fprintf(f, "NULL (%s)\n", direction);
+	}
+}
+
+void
+dns_rbt_printtext(dns_rbt_t *rbt,
+		  void (*data_printer)(FILE *, void *), FILE *f)
+{
+	REQUIRE(VALID_RBT(rbt));
+
+	print_text_helper(rbt->root, NULL, 0, "root", data_printer, f);
+}
+
+static int
+print_dot_helper(dns_rbtnode_t *node, unsigned int *nodecount,
+		 bool show_pointers, FILE *f)
+{
+	unsigned int l, r, d;
+
+	if (node == NULL)
+		return (0);
+
+	l = print_dot_helper(LEFT(node), nodecount, show_pointers, f);
+	r = print_dot_helper(RIGHT(node), nodecount, show_pointers, f);
+	d = print_dot_helper(DOWN(node), nodecount, show_pointers, f);
+
+	*nodecount += 1;
+
+	fprintf(f, "node%u[label = \"<f0> |<f1> ", *nodecount);
+	printnodename(node, false, f);
+	fprintf(f, "|<f2>");
+
+	if (show_pointers)
+		fprintf(f, "|<f3> n=%p|<f4> p=%p", node, PARENT(node));
+
+	fprintf(f, "\"] [");
+
+	if (IS_RED(node))
+		fprintf(f, "color=red");
+	else
+		fprintf(f, "color=black");
+
+	/* XXXMUKS: verify that IS_ROOT() indicates subtree root and not
+	 * forest root.
+	 */
+	if (IS_ROOT(node))
+		fprintf(f, ",penwidth=3");
+
+	if (IS_EMPTY(node))
+		fprintf(f, ",style=filled,fillcolor=lightgrey");
+
+	fprintf(f, "];\n");
+
+	if (LEFT(node) != NULL)
+		fprintf(f, "\"node%u\":f0 -> \"node%u\":f1;\n", *nodecount, l);
+
+	if (DOWN(node) != NULL)
+		fprintf(f, "\"node%u\":f1 -> \"node%u\":f1 [penwidth=5];\n",
+			*nodecount, d);
+
+	if (RIGHT(node) != NULL)
+		fprintf(f, "\"node%u\":f2 -> \"node%u\":f1;\n", *nodecount, r);
+
+	return (*nodecount);
+}
+
+void
+dns_rbt_printdot(dns_rbt_t *rbt, bool show_pointers, FILE *f) {
+	unsigned int nodecount = 0;
+
+	REQUIRE(VALID_RBT(rbt));
+
+	fprintf(f, "digraph g {\n");
+	fprintf(f, "node [shape = record,height=.1];\n");
+	print_dot_helper(rbt->root, &nodecount, show_pointers, f);
+	fprintf(f, "}\n");
+}
+
+/*
+ * Chain Functions
+ */
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) {
+
+	REQUIRE(chain != NULL);
+
+	/*
+	 * Initialize 'chain'.
+	 */
+	chain->mctx = mctx;
+	chain->end = NULL;
+	chain->level_count = 0;
+	chain->level_matches = 0;
+	memset(chain->levels, 0, sizeof(chain->levels));
+
+	chain->magic = CHAIN_MAGIC;
+}
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+			 dns_name_t *origin, dns_rbtnode_t **node)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_CHAIN(chain));
+
+	if (node != NULL)
+		*node = chain->end;
+
+	if (chain->end == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (name != NULL) {
+		NODENAME(chain->end, name);
+
+		if (chain->level_count == 0) {
+			/*
+			 * Names in the top level tree are all absolute.
+			 * Always make 'name' relative.
+			 */
+			INSIST(dns_name_isabsolute(name));
+
+			/*
+			 * This is cheaper than dns_name_getlabelsequence().
+			 */
+			name->labels--;
+			name->length--;
+			name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+		}
+	}
+
+	if (origin != NULL) {
+		if (chain->level_count > 0)
+			result = chain_name(chain, origin, false);
+		else
+			result = dns_name_copy(dns_rootname, origin, NULL);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin)
+{
+	dns_rbtnode_t *current, *previous, *predecessor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	predecessor = NULL;
+
+	current = chain->end;
+
+	if (LEFT(current) != NULL) {
+		/*
+		 * Moving left one then right as far as possible is the
+		 * previous node, at least for this level.
+		 */
+		current = LEFT(current);
+
+		while (RIGHT(current) != NULL)
+			current = RIGHT(current);
+
+		predecessor = current;
+
+	} else {
+		/*
+		 * No left links, so move toward the root.  If at any point on
+		 * the way there the link from parent to child is a right
+		 * link, then the parent is the previous node, at least
+		 * for this level.
+		 */
+		while (! IS_ROOT(current)) {
+			previous = current;
+			current = PARENT(current);
+
+			if (RIGHT(current) == previous) {
+				predecessor = current;
+				break;
+			}
+		}
+	}
+
+	if (predecessor != NULL) {
+		/*
+		 * Found a predecessor node in this level.  It might not
+		 * really be the predecessor, however.
+		 */
+		if (DOWN(predecessor) != NULL) {
+			/*
+			 * The predecessor is really down at least one level.
+			 * Go down and as far right as possible, and repeat
+			 * as long as the rightmost node has a down pointer.
+			 */
+			do {
+				/*
+				 * XXX DCL Need to do something about origins
+				 * here. See whether to go down, and if so
+				 * whether it is truly what Bob calls a
+				 * new origin.
+				 */
+				ADD_LEVEL(chain, predecessor);
+				predecessor = DOWN(predecessor);
+
+				/* XXX DCL duplicated from above; clever
+				 * way to unduplicate? */
+
+				while (RIGHT(predecessor) != NULL)
+					predecessor = RIGHT(predecessor);
+			} while (DOWN(predecessor) != NULL);
+
+			/* XXX DCL probably needs work on the concept */
+			if (origin != NULL)
+				new_origin = true;
+		}
+
+	} else if (chain->level_count > 0) {
+		/*
+		 * Dang, didn't find a predecessor in this level.
+		 * Got to the root of this level without having traversed
+		 * any right links.  Ascend the tree one level; the
+		 * node that points to this tree is the predecessor.
+		 */
+		INSIST(chain->level_count > 0 && IS_ROOT(current));
+		predecessor = chain->levels[--chain->level_count];
+
+		/* XXX DCL probably needs work on the concept */
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the top level tree, because "." is declared as the origin
+		 * for the second level tree.
+		 */
+		if (origin != NULL &&
+		    (chain->level_count > 0 || OFFSETLEN(predecessor) > 1))
+			new_origin = true;
+	}
+
+	if (predecessor != NULL) {
+		chain->end = predecessor;
+
+		if (new_origin) {
+			result = dns_rbtnodechain_current(chain, name, origin,
+							  NULL);
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_NEWORIGIN;
+
+		} else
+			result = dns_rbtnodechain_current(chain, name, NULL,
+							  NULL);
+
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin)
+{
+	dns_rbtnode_t *current, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (DOWN(current) != NULL) {
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the second level tree, because "." is already declared
+		 * as the origin for the top level tree.
+		 */
+		if (chain->level_count > 0 ||
+		    OFFSETLEN(current) > 1)
+			new_origin = true;
+
+		ADD_LEVEL(chain, current);
+		current = DOWN(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		/*
+		 * It is not necessary to use dns_rbtnodechain_current like
+		 * the other functions because this function will never
+		 * find a node in the topmost level.  This is because the
+		 * root level will never be more than one name, and everything
+		 * in the megatree is a successor to that node, down at
+		 * the second level or below.
+		 */
+
+		if (name != NULL)
+			NODENAME(chain->end, name);
+
+		if (new_origin) {
+			if (origin != NULL)
+				result = chain_name(chain, origin, false);
+
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_NEWORIGIN;
+
+		} else
+			result = ISC_R_SUCCESS;
+
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name) {
+	dns_rbtnode_t *current, *previous, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (RIGHT(current) == NULL) {
+		while (! IS_ROOT(current)) {
+			previous = current;
+			current = PARENT(current);
+
+			if (LEFT(current) == previous) {
+				successor = current;
+				break;
+			}
+		}
+	} else {
+		current = RIGHT(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		if (name != NULL)
+			NODENAME(chain->end, name);
+
+		result = ISC_R_SUCCESS;
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin)
+{
+	dns_rbtnode_t *current, *previous, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+	bool new_origin = false;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	/*
+	 * If there is a level below this node, the next node is the leftmost
+	 * node of the next level.
+	 */
+	if (DOWN(current) != NULL) {
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the second level tree, because "." is already declared
+		 * as the origin for the top level tree.
+		 */
+		if (chain->level_count > 0 ||
+		    OFFSETLEN(current) > 1)
+			new_origin = true;
+
+		ADD_LEVEL(chain, current);
+		current = DOWN(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+
+	} else if (RIGHT(current) == NULL) {
+		/*
+		 * The successor is up, either in this level or a previous one.
+		 * Head back toward the root of the tree, looking for any path
+		 * that was via a left link; the successor is the node that has
+		 * that left link.  In the event the root of the level is
+		 * reached without having traversed any left links, ascend one
+		 * level and look for either a right link off the point of
+		 * ascent, or search for a left link upward again, repeating
+		 * ascends until either case is true.
+		 */
+		do {
+			while (! IS_ROOT(current)) {
+				previous = current;
+				current = PARENT(current);
+
+				if (LEFT(current) == previous) {
+					successor = current;
+					break;
+				}
+			}
+
+			if (successor == NULL) {
+				/*
+				 * Reached the root without having traversed
+				 * any left pointers, so this level is done.
+				 */
+				if (chain->level_count == 0) {
+					/*
+					 * If the tree we are iterating over
+					 * was modified since this chain was
+					 * initialized in a way that caused
+					 * node splits to occur, "current" may
+					 * now be pointing to a root node which
+					 * appears to be at level 0, but still
+					 * has a parent.  If that happens,
+					 * abort.  Otherwise, we are done
+					 * looking for a successor as we really
+					 * reached the root node on level 0.
+					 */
+					INSIST(PARENT(current) == NULL);
+					break;
+				}
+
+				current = chain->levels[--chain->level_count];
+				new_origin = true;
+
+				if (RIGHT(current) != NULL)
+					break;
+			}
+		} while (successor == NULL);
+	}
+
+	if (successor == NULL && RIGHT(current) != NULL) {
+		current = RIGHT(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		/*
+		 * If we determine that the current node is the successor to
+		 * itself, we will run into an infinite loop, so abort instead.
+		 */
+		INSIST(chain->end != successor);
+
+		chain->end = successor;
+
+		/*
+		 * It is not necessary to use dns_rbtnodechain_current like
+		 * the other functions because this function will never
+		 * find a node in the topmost level.  This is because the
+		 * root level will never be more than one name, and everything
+		 * in the megatree is a successor to that node, down at
+		 * the second level or below.
+		 */
+
+		if (name != NULL)
+			NODENAME(chain->end, name);
+
+		if (new_origin) {
+			if (origin != NULL)
+				result = chain_name(chain, origin, false);
+
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_NEWORIGIN;
+
+		} else
+			result = ISC_R_SUCCESS;
+
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin)
+
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(VALID_CHAIN(chain));
+
+	dns_rbtnodechain_reset(chain);
+
+	chain->end = rbt->root;
+
+	result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+	if (result == ISC_R_SUCCESS)
+		result = DNS_R_NEWORIGIN;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+		       dns_name_t *name, dns_name_t *origin)
+
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_RBT(rbt));
+	REQUIRE(VALID_CHAIN(chain));
+
+	dns_rbtnodechain_reset(chain);
+
+	result = move_chain_to_last(chain, rbt->root);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+	if (result == ISC_R_SUCCESS)
+		result = DNS_R_NEWORIGIN;
+
+	return (result);
+}
+
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain) {
+
+	REQUIRE(VALID_CHAIN(chain));
+
+	/*
+	 * Free any dynamic storage associated with 'chain', and then
+	 * reinitialize 'chain'.
+	 */
+	chain->end = NULL;
+	chain->level_count = 0;
+	chain->level_matches = 0;
+}
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain) {
+	/*
+	 * Free any dynamic storage associated with 'chain', and then
+	 * invalidate 'chain'.
+	 */
+
+	dns_rbtnodechain_reset(chain);
+
+	chain->magic = 0;
+}
+
+/* XXXMUKS:
+ *
+ * - worth removing inline as static functions are inlined automatically
+ *   where suitable by modern compilers.
+ * - bump the size of dns_rbt.nodecount to size_t.
+ * - the dumpfile header also contains a nodecount that is unsigned
+ *   int. If large files (> 2^32 nodes) are to be supported, the
+ *   allocation for this field should be increased.
+ */
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
new file mode 100644
index 0000000..0861139
--- /dev/null
+++ b/lib/dns/rbtdb.c
@@ -0,0 +1,10431 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+/* #define inline */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/crc64.h>
+#include <isc/event.h>
+#include <isc/heap.h>
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/acache.h>
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rbt.h>
+#include <dns/rpz.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/version.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zonekey.h>
+
+#ifndef WIN32
+#include <sys/mman.h>
+#else
+#define PROT_READ	0x01
+#define PROT_WRITE	0x02
+#define MAP_PRIVATE	0x0002
+#define MAP_FAILED	((void *)-1)
+#endif
+
+#ifdef DNS_RBTDB_VERSION64
+#include "rbtdb64.h"
+#else
+#include "rbtdb.h"
+#endif
+
+#ifdef DNS_RBTDB_VERSION64
+#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '8')
+#else
+#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '4')
+#endif
+
+#define CHECK(op) \
+	do { result = (op); \
+		if (result != ISC_R_SUCCESS) goto failure; \
+	} while (0)
+
+/*
+ * This is the map file header for RBTDB images.  It is populated, and then
+ * written, as the LAST thing done to the file.  Writing this last (with
+ * zeros in the header area initially) will ensure that the header is only
+ * valid when the RBTDB image is also valid.
+ */
+typedef struct rbtdb_file_header rbtdb_file_header_t;
+
+/* Header length, always the same size regardless of structure size */
+#define RBTDB_HEADER_LENGTH	1024
+
+struct rbtdb_file_header {
+	char version1[32];
+	uint32_t ptrsize;
+	unsigned int bigendian:1;
+	uint64_t tree;
+	uint64_t nsec;
+	uint64_t nsec3;
+
+	char version2[32];  		/* repeated; must match version1 */
+};
+
+
+/*%
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_RBTDB(rbtdb)      ((rbtdb) != NULL && \
+				 (rbtdb)->common.impmagic == RBTDB_MAGIC)
+
+#ifdef DNS_RBTDB_VERSION64
+typedef uint64_t                    rbtdb_serial_t;
+/*%
+ * Make casting easier in symbolic debuggers by using different names
+ * for the 64 bit version.
+ */
+#define dns_rbtdb_t dns_rbtdb64_t
+#define rdatasetheader_t rdatasetheader64_t
+#define rbtdb_version_t rbtdb_version64_t
+
+#define once once64
+#define FILE_VERSION FILE_VERSION64
+#define init_count init_count64
+
+#define cache_methods cache_methods64
+#define dbiterator_methods dbiterator_methods64
+#define rdataset_methods rdataset_methods64
+#define rdatasetiter_methods rdatasetiter_methods64
+#define slab_methods slab_methods64
+#define zone_methods zone_methods64
+
+#define acache_callback acache_callback64
+#define acache_cancelentry acache_cancelentry64
+#define activeempty activeempty64
+#define activeemtpynode activeemtpynode64
+#define add32 add64
+#define add_changed add_changed64
+#define add_empty_wildcards add_empty_wildcards64
+#define add_wildcard_magic add_wildcard_magic64
+#define addclosest addclosest64
+#define addnoqname addnoqname64
+#define addrdataset addrdataset64
+#define adjust_quantum adjust_quantum64
+#define allocate_version allocate_version64
+#define allrdatasets allrdatasets64
+#define attach attach64
+#define attachnode attachnode64
+#define attachversion attachversion64
+#define beginload beginload64
+#define bind_rdataset bind_rdataset64
+#define cache_find cache_find64
+#define cache_findrdataset cache_findrdataset64
+#define cache_findzonecut cache_findzonecut64
+#define cache_zonecut_callback cache_zonecut_callback64
+#define check_stale_header check_stale_header64
+#define clean_cache_node clean_cache_node64
+#define clean_stale_headers clean_stale_headers64
+#define clean_zone_node clean_zone_node64
+#define cleanup_dead_nodes cleanup_dead_nodes64
+#define cleanup_dead_nodes_callback cleanup_dead_nodes_callback64
+#define cleanup_nondirty cleanup_nondirty64
+#define closeversion closeversion64
+#define cname_and_other_data cname_and_other_data64
+#define createiterator createiterator64
+#define currentversion currentversion64
+#define dbiterator_current dbiterator_current64
+#define dbiterator_destroy dbiterator_destroy64
+#define dbiterator_first dbiterator_first64
+#define dbiterator_last dbiterator_last64
+#define dbiterator_next dbiterator_next64
+#define dbiterator_origin dbiterator_origin64
+#define dbiterator_pause dbiterator_pause64
+#define dbiterator_prev dbiterator_prev64
+#define dbiterator_seek dbiterator_seek64
+#define decrement_reference decrement_reference64
+#define delegating_type delegating_type64
+#define delete_callback delete_callback64
+#define delete_node delete_node64
+#define deleterdataset deleterdataset64
+#define dereference_iter_node dereference_iter_node64
+#define deserialize32 deserialize64
+#define detach detach64
+#define detachnode detachnode64
+#define dump dump64
+#define endload endload64
+#define expire_header expire_header64
+#define expirenode expirenode64
+#define find_closest_nsec find_closest_nsec64
+#define find_coveringnsec find_coveringnsec64
+#define find_deepest_zonecut find_deepest_zonecut64
+#define find_wildcard find_wildcard64
+#define findnode findnode64
+#define findnodeintree findnodeintree64
+#define findnsec3node findnsec3node64
+#define flush_deletions flush_deletions64
+#define free_acachearray free_acachearray64
+#define free_noqname free_noqname64
+#define free_rbtdb free_rbtdb64
+#define free_rbtdb_callback free_rbtdb_callback64
+#define free_rdataset free_rdataset64
+#define getnsec3parameters getnsec3parameters64
+#define getoriginnode getoriginnode64
+#define getrrsetstats getrrsetstats64
+#define getsigningtime getsigningtime64
+#define getsize getsize64
+#define hashsize hashsize64
+#define init_file_version init_file_version64
+#define init_rdataset init_rdataset64
+#define isdnssec isdnssec64
+#define ispersistent ispersistent64
+#define issecure issecure64
+#define iszonesecure iszonesecure64
+#define loading_addrdataset loading_addrdataset64
+#define loadnode loadnode64
+#define make_least_version make_least_version64
+#define mark_stale_header mark_stale_header64
+#define match_header_version match_header_version64
+#define matchparams matchparams64
+#define maybe_free_rbtdb maybe_free_rbtdb64
+#define need_headerupdate need_headerupdate64
+#define new_rdataset new_rdataset64
+#define new_reference new_reference64
+#define newversion newversion64
+#define nodecount nodecount64
+#define nodefullname nodefullname64
+#define overmem overmem64
+#define overmem_purge overmem_purge64
+#define previous_closest_nsec previous_closest_nsec64
+#define printnode printnode64
+#define prune_tree prune_tree64
+#define rbt_datafixer rbt_datafixer64
+#define rbt_datawriter rbt_datawriter64
+#define rbtdb_write_header rbtdb_write_header64
+#define rbtdb_zero_header rbtdb_zero_header64
+#define rdataset_clearprefetch rdataset_clearprefetch64
+#define rdataset_clone rdataset_clone64
+#define rdataset_count rdataset_count64
+#define rdataset_current rdataset_current64
+#define rdataset_disassociate rdataset_disassociate64
+#define rdataset_expire rdataset_expire64
+#define rdataset_first rdataset_first64
+#define rdataset_getadditional rdataset_getadditional64
+#define rdataset_getclosest rdataset_getclosest64
+#define rdataset_getnoqname rdataset_getnoqname64
+#define rdataset_getownercase rdataset_getownercase64
+#define rdataset_next rdataset_next64
+#define rdataset_putadditional rdataset_putadditional64
+#define rdataset_setadditional rdataset_setadditional64
+#define rdataset_setownercase rdataset_setownercase64
+#define rdataset_settrust rdataset_settrust64
+#define rdatasetiter_current rdatasetiter_current64
+#define rdatasetiter_destroy rdatasetiter_destroy64
+#define rdatasetiter_first rdatasetiter_first64
+#define rdatasetiter_next rdatasetiter_next64
+#define reactivate_node reactivate_node64
+#define reference_iter_node reference_iter_node64
+#define resign_delete resign_delete64
+#define resign_insert resign_insert64
+#define resign_sooner resign_sooner64
+#define resigned resigned64
+#define resume_iteration resume_iteration64
+#define rollback_node rollback_node64
+#define rpz_attach rpz_attach64
+#define rpz_ready rpz_ready64
+#define serialize serialize64
+#define set_index set_index64
+#define set_ttl set_ttl64
+#define setcachestats setcachestats64
+#define setnsec3parameters setnsec3parameters64
+#define setownercase setownercase64
+#define setsigningtime setsigningtime64
+#define settask settask64
+#define setup_delegation setup_delegation64
+#define subtractrdataset subtractrdataset64
+#define ttl_sooner ttl_sooner64
+#define update_cachestats update_cachestats64
+#define update_header update_header64
+#define update_newheader update_newheader64
+#define update_recordsandbytes  update_recordsandbytes64
+#define update_rrsetstats update_rrsetstats64
+#define valid_glue valid_glue64
+#define zone_find zone_find64
+#define zone_findrdataset zone_findrdataset64
+#define zone_findzonecut zone_findzonecut64
+#define zone_zonecut_callback zone_zonecut_callback64
+
+#else
+typedef uint32_t                    rbtdb_serial_t;
+#endif
+
+typedef uint32_t                    rbtdb_rdatatype_t;
+
+#define RBTDB_RDATATYPE_BASE(type)      ((dns_rdatatype_t)((type) & 0xFFFF))
+#define RBTDB_RDATATYPE_EXT(type)       ((dns_rdatatype_t)((type) >> 16))
+#define RBTDB_RDATATYPE_VALUE(base, ext) ((rbtdb_rdatatype_t)(((uint32_t)ext) << 16) | (((uint32_t)base) & 0xffff))
+
+#define RBTDB_RDATATYPE_SIGNSEC \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
+#define RBTDB_RDATATYPE_SIGNSEC3 \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3)
+#define RBTDB_RDATATYPE_SIGNS \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
+#define RBTDB_RDATATYPE_SIGCNAME \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
+#define RBTDB_RDATATYPE_SIGDNAME \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
+#define RBTDB_RDATATYPE_SIGDDS \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds)
+#define RBTDB_RDATATYPE_NCACHEANY \
+		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
+
+/*
+ * We use rwlock for DB lock only when ISC_RWLOCK_USEATOMIC is non 0.
+ * Using rwlock is effective with regard to lookup performance only when
+ * it is implemented in an efficient way.
+ * Otherwise, it is generally wise to stick to the simple locking since rwlock
+ * would require more memory or can even make lookups slower due to its own
+ * overhead (when it internally calls mutex locks).
+ */
+#ifdef ISC_RWLOCK_USEATOMIC
+#define DNS_RBTDB_USERWLOCK 1
+#else
+#define DNS_RBTDB_USERWLOCK 0
+#endif
+
+#if DNS_RBTDB_USERWLOCK
+#define RBTDB_INITLOCK(l)       isc_rwlock_init((l), 0, 0)
+#define RBTDB_DESTROYLOCK(l)    isc_rwlock_destroy(l)
+#define RBTDB_LOCK(l, t)        RWLOCK((l), (t))
+#define RBTDB_UNLOCK(l, t)      RWUNLOCK((l), (t))
+#else
+#define RBTDB_INITLOCK(l)       isc_mutex_init(l)
+#define RBTDB_DESTROYLOCK(l)    DESTROYLOCK(l)
+#define RBTDB_LOCK(l, t)        LOCK(l)
+#define RBTDB_UNLOCK(l, t)      UNLOCK(l)
+#endif
+
+/*
+ * Since node locking is sensitive to both performance and memory footprint,
+ * we need some trick here.  If we have both high-performance rwlock and
+ * high performance and small-memory reference counters, we use rwlock for
+ * node lock and isc_refcount for node references.  In this case, we don't have
+ * to protect the access to the counters by locks.
+ * Otherwise, we simply use ordinary mutex lock for node locking, and use
+ * simple integers as reference counters which is protected by the lock.
+ * In most cases, we can simply use wrapper macros such as NODE_LOCK and
+ * NODE_UNLOCK.  In some other cases, however, we need to protect reference
+ * counters first and then protect other parts of a node as read-only data.
+ * Special additional macros, NODE_STRONGLOCK(), NODE_WEAKLOCK(), etc, are also
+ * provided for these special cases.  When we can use the efficient backend
+ * routines, we should only protect the "other members" by NODE_WEAKLOCK(read).
+ * Otherwise, we should use NODE_STRONGLOCK() to protect the entire critical
+ * section including the access to the reference counter.
+ * Note that we cannot use NODE_LOCK()/NODE_UNLOCK() wherever the protected
+ * section is also protected by NODE_STRONGLOCK().
+ */
+#if defined(ISC_RWLOCK_USEATOMIC) && defined(DNS_RBT_USEISCREFCOUNT)
+typedef isc_rwlock_t nodelock_t;
+
+#define NODE_INITLOCK(l)        isc_rwlock_init((l), 0, 0)
+#define NODE_DESTROYLOCK(l)     isc_rwlock_destroy(l)
+#define NODE_LOCK(l, t)         RWLOCK((l), (t))
+#define NODE_UNLOCK(l, t)       RWUNLOCK((l), (t))
+#define NODE_TRYUPGRADE(l)      isc_rwlock_tryupgrade(l)
+
+#define NODE_STRONGLOCK(l)      ((void)0)
+#define NODE_STRONGUNLOCK(l)    ((void)0)
+#define NODE_WEAKLOCK(l, t)     NODE_LOCK(l, t)
+#define NODE_WEAKUNLOCK(l, t)   NODE_UNLOCK(l, t)
+#define NODE_WEAKDOWNGRADE(l)   isc_rwlock_downgrade(l)
+#else
+typedef isc_mutex_t nodelock_t;
+
+#define NODE_INITLOCK(l)        isc_mutex_init(l)
+#define NODE_DESTROYLOCK(l)     DESTROYLOCK(l)
+#define NODE_LOCK(l, t)         LOCK(l)
+#define NODE_UNLOCK(l, t)       UNLOCK(l)
+#define NODE_TRYUPGRADE(l)      ISC_R_SUCCESS
+
+#define NODE_STRONGLOCK(l)      LOCK(l)
+#define NODE_STRONGUNLOCK(l)    UNLOCK(l)
+#define NODE_WEAKLOCK(l, t)     ((void)0)
+#define NODE_WEAKUNLOCK(l, t)   ((void)0)
+#define NODE_WEAKDOWNGRADE(l)   ((void)0)
+#endif
+
+/*%
+ * Whether to rate-limit updating the LRU to avoid possible thread contention.
+ * Our performance measurement has shown the cost is marginal, so it's defined
+ * to be 0 by default either with or without threads.
+ */
+#ifndef DNS_RBTDB_LIMITLRUUPDATE
+#define DNS_RBTDB_LIMITLRUUPDATE 0
+#endif
+
+/*
+ * Allow clients with a virtual time of up to 5 minutes in the past to see
+ * records that would have otherwise have expired.
+ */
+#define RBTDB_VIRTUAL 300
+
+struct noqname {
+	dns_name_t 	name;
+	void *     	neg;
+	void *     	negsig;
+	dns_rdatatype_t	type;
+};
+
+typedef struct acachectl acachectl_t;
+
+typedef struct rdatasetheader {
+	/*%
+	 * Locked by the owning node's lock.
+	 */
+	rbtdb_serial_t                  serial;
+	dns_ttl_t                       rdh_ttl;
+	rbtdb_rdatatype_t               type;
+	uint16_t                    attributes;
+	dns_trust_t                     trust;
+	struct noqname                  *noqname;
+	struct noqname                  *closest;
+	unsigned int 			is_mmapped : 1;
+	unsigned int 			next_is_relative : 1;
+	unsigned int 			node_is_relative : 1;
+	unsigned int 			resign_lsb : 1;
+	/*%<
+	 * We don't use the LIST macros, because the LIST structure has
+	 * both head and tail pointers, and is doubly linked.
+	 */
+
+	struct rdatasetheader           *next;
+	/*%<
+	 * If this is the top header for an rdataset, 'next' points
+	 * to the top header for the next rdataset (i.e., the next type).
+	 * Otherwise, it points up to the header whose down pointer points
+	 * at this header.
+	 */
+
+	struct rdatasetheader           *down;
+	/*%<
+	 * Points to the header for the next older version of
+	 * this rdataset.
+	 */
+
+	uint32_t                    count;
+	/*%<
+	 * Monotonously increased every time this rdataset is bound so that
+	 * it is used as the base of the starting point in DNS responses
+	 * when the "cyclic" rrset-order is required.  Since the ordering
+	 * should not be so crucial, no lock is set for the counter for
+	 * performance reasons.
+	 */
+
+	acachectl_t                     *additional_auth;
+	acachectl_t                     *additional_glue;
+
+	dns_rbtnode_t                   *node;
+	isc_stdtime_t                   last_used;
+	ISC_LINK(struct rdatasetheader) link;
+
+	unsigned int                    heap_index;
+	/*%<
+	 * Used for TTL-based cache cleaning.
+	 */
+	isc_stdtime_t                   resign;
+	/*%<
+	 * Case vector.  If the bit is set then the corresponding
+	 * character in the owner name needs to be AND'd with 0x20,
+	 * rendering that character upper case.
+	 */
+	unsigned char			upper[32];
+} rdatasetheader_t;
+
+typedef ISC_LIST(rdatasetheader_t)      rdatasetheaderlist_t;
+typedef ISC_LIST(dns_rbtnode_t)         rbtnodelist_t;
+
+#define RDATASET_ATTR_NONEXISTENT       0x0001
+#define RDATASET_ATTR_STALE             0x0002
+#define RDATASET_ATTR_IGNORE            0x0004
+#define RDATASET_ATTR_RETAIN            0x0008
+#define RDATASET_ATTR_NXDOMAIN          0x0010
+#define RDATASET_ATTR_RESIGN            0x0020
+#define RDATASET_ATTR_STATCOUNT         0x0040
+#define RDATASET_ATTR_OPTOUT            0x0080
+#define RDATASET_ATTR_NEGATIVE          0x0100
+#define RDATASET_ATTR_PREFETCH          0x0200
+#define RDATASET_ATTR_CASESET           0x0400
+#define RDATASET_ATTR_ZEROTTL           0x0800
+#define RDATASET_ATTR_CASEFULLYLOWER    0x1000
+
+typedef struct acache_cbarg {
+	dns_rdatasetadditional_t        type;
+	unsigned int                    count;
+	dns_db_t                        *db;
+	dns_dbnode_t                    *node;
+	rdatasetheader_t                *header;
+} acache_cbarg_t;
+
+struct acachectl {
+	dns_acacheentry_t               *entry;
+	acache_cbarg_t                  *cbarg;
+};
+
+/*
+ * XXX
+ * When the cache will pre-expire data (due to memory low or other
+ * situations) before the rdataset's TTL has expired, it MUST
+ * respect the RETAIN bit and not expire the data until its TTL is
+ * expired.
+ */
+
+#undef IGNORE                   /* WIN32 winbase.h defines this. */
+
+#define EXISTS(header) \
+	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0)
+#define NONEXISTENT(header) \
+	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
+#define IGNORE(header) \
+	(((header)->attributes & RDATASET_ATTR_IGNORE) != 0)
+#define RETAIN(header) \
+	(((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
+#define NXDOMAIN(header) \
+	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define STALE(header) \
+	(((header)->attributes & RDATASET_ATTR_STALE) != 0)
+#define RESIGN(header) \
+	(((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
+#define OPTOUT(header) \
+	(((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
+#define NEGATIVE(header) \
+	(((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
+#define PREFETCH(header) \
+	(((header)->attributes & RDATASET_ATTR_PREFETCH) != 0)
+#define CASESET(header) \
+	(((header)->attributes & RDATASET_ATTR_CASESET) != 0)
+#define ZEROTTL(header) \
+	(((header)->attributes & RDATASET_ATTR_ZEROTTL) != 0)
+#define CASEFULLYLOWER(header) \
+	(((header)->attributes & RDATASET_ATTR_CASEFULLYLOWER) != 0)
+
+
+#define ACTIVE(header, now) \
+	(((header)->rdh_ttl > (now)) || \
+	 ((header)->rdh_ttl == (now) && ZEROTTL(header)))
+
+#define DEFAULT_NODE_LOCK_COUNT         7       /*%< Should be prime. */
+
+/*%
+ * Number of buckets for cache DB entries (locks, LRU lists, TTL heaps).
+ * There is a tradeoff issue about configuring this value: if this is too
+ * small, it may cause heavier contention between threads; if this is too large,
+ * LRU purge algorithm won't work well (entries tend to be purged prematurely).
+ * The default value should work well for most environments, but this can
+ * also be configurable at compilation time via the
+ * DNS_RBTDB_CACHE_NODE_LOCK_COUNT variable.  This value must be larger than
+ * 1 due to the assumption of overmem_purge().
+ */
+#ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1
+#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1"
+#else
+#define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#endif
+#else
+#define DEFAULT_CACHE_NODE_LOCK_COUNT   16
+#endif	/* DNS_RBTDB_CACHE_NODE_LOCK_COUNT */
+
+typedef struct {
+	nodelock_t                      lock;
+	/* Protected in the refcount routines. */
+	isc_refcount_t                  references;
+	/* Locked by lock. */
+	bool                   exiting;
+} rbtdb_nodelock_t;
+
+typedef struct rbtdb_changed {
+	dns_rbtnode_t *                 node;
+	bool                   dirty;
+	ISC_LINK(struct rbtdb_changed)  link;
+} rbtdb_changed_t;
+
+typedef ISC_LIST(rbtdb_changed_t)       rbtdb_changedlist_t;
+
+typedef enum {
+	dns_db_insecure,
+	dns_db_partial,
+	dns_db_secure
+} dns_db_secure_t;
+
+typedef struct dns_rbtdb dns_rbtdb_t;
+
+/* Reason for expiring a record from cache */
+typedef enum {
+	expire_lru,
+	expire_ttl,
+	expire_flush
+} expire_t;
+
+typedef struct rbtdb_version {
+	/* Not locked */
+	rbtdb_serial_t                  serial;
+	dns_rbtdb_t *			rbtdb;
+	/*
+	 * Protected in the refcount routines.
+	 * XXXJT: should we change the lock policy based on the refcount
+	 * performance?
+	 */
+	isc_refcount_t                  references;
+	/* Locked by database lock. */
+	bool                   writer;
+	bool                   commit_ok;
+	rbtdb_changedlist_t             changed_list;
+	rdatasetheaderlist_t		resigned_list;
+	ISC_LINK(struct rbtdb_version)  link;
+	dns_db_secure_t			secure;
+	bool			havensec3;
+	/* NSEC3 parameters */
+	dns_hash_t			hash;
+	uint8_t			flags;
+	uint16_t			iterations;
+	uint8_t			salt_length;
+	unsigned char			salt[DNS_NSEC3_SALTSIZE];
+
+	/*
+	 * records and bytes are covered by rwlock.
+	 */
+	isc_rwlock_t                    rwlock;
+	uint64_t			records;
+	uint64_t			bytes;
+} rbtdb_version_t;
+
+typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
+
+struct dns_rbtdb {
+	/* Unlocked. */
+	dns_db_t                        common;
+	/* Locks the data in this struct */
+#if DNS_RBTDB_USERWLOCK
+	isc_rwlock_t                    lock;
+#else
+	isc_mutex_t                     lock;
+#endif
+	/* Locks the tree structure (prevents nodes appearing/disappearing) */
+	isc_rwlock_t                    tree_lock;
+	/* Locks for individual tree nodes */
+	unsigned int                    node_lock_count;
+	rbtdb_nodelock_t *              node_locks;
+	dns_rbtnode_t *                 origin_node;
+	dns_rbtnode_t *			nsec3_origin_node;
+	dns_stats_t *			rrsetstats; /* cache DB only */
+	isc_stats_t *			cachestats; /* cache DB only */
+	/* Locked by lock. */
+	unsigned int                    active;
+	isc_refcount_t                  references;
+	unsigned int                    attributes;
+	rbtdb_serial_t                  current_serial;
+	rbtdb_serial_t                  least_serial;
+	rbtdb_serial_t                  next_serial;
+	rbtdb_version_t *               current_version;
+	rbtdb_version_t *               future_version;
+	rbtdb_versionlist_t             open_versions;
+	isc_task_t *                    task;
+	dns_dbnode_t                    *soanode;
+	dns_dbnode_t                    *nsnode;
+
+	/*
+	 * This is a linked list used to implement the LRU cache.  There will
+	 * be node_lock_count linked lists here.  Nodes in bucket 1 will be
+	 * placed on the linked list rdatasets[1].
+	 */
+	rdatasetheaderlist_t            *rdatasets;
+
+	/*%
+	 * Temporary storage for stale cache nodes and dynamically deleted
+	 * nodes that await being cleaned up.
+	 */
+	rbtnodelist_t                   *deadnodes;
+
+	/*
+	 * Heaps.  These are used for TTL based expiry in a cache,
+	 * or for zone resigning in a zone DB.  hmctx is the memory
+	 * context to use for the heap (which differs from the main
+	 * database memory context in the case of a cache).
+	 */
+	isc_mem_t			*hmctx;
+	isc_heap_t                      **heaps;
+
+	/*
+	 * Base values for the mmap() code.
+	 */
+	void *				mmap_location;
+	size_t				mmap_size;
+
+	/* Locked by tree_lock. */
+	dns_rbt_t *                     tree;
+	dns_rbt_t *			nsec;
+	dns_rbt_t *			nsec3;
+	dns_rpz_zones_t			*rpzs;
+	dns_rpz_num_t			rpz_num;
+	dns_rpz_zones_t			*load_rpzs;
+
+	/* Unlocked */
+	unsigned int                    quantum;
+};
+
+#define RBTDB_ATTR_LOADED               0x01
+#define RBTDB_ATTR_LOADING              0x02
+
+/*%
+ * Search Context
+ */
+typedef struct {
+	dns_rbtdb_t *           rbtdb;
+	rbtdb_version_t *       rbtversion;
+	rbtdb_serial_t          serial;
+	unsigned int            options;
+	dns_rbtnodechain_t      chain;
+	bool           copy_name;
+	bool           need_cleanup;
+	bool           wild;
+	dns_rbtnode_t *         zonecut;
+	rdatasetheader_t *      zonecut_rdataset;
+	rdatasetheader_t *      zonecut_sigrdataset;
+	dns_fixedname_t         zonecut_name;
+	isc_stdtime_t           now;
+} rbtdb_search_t;
+
+/*%
+ * Load Context
+ */
+typedef struct {
+	dns_rbtdb_t *           rbtdb;
+	isc_stdtime_t           now;
+} rbtdb_load_t;
+
+static void delete_callback(void *data, void *arg);
+static void rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
+static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
+					dns_name_t *name,
+					dns_rdataset_t *neg,
+					dns_rdataset_t *negsig);
+static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset,
+					dns_name_t *name,
+					dns_rdataset_t *neg,
+					dns_rdataset_t *negsig);
+static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype,
+					   dns_acache_t *acache,
+					   dns_zone_t **zonep,
+					   dns_db_t **dbp,
+					   dns_dbversion_t **versionp,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *fname,
+					   dns_message_t *msg,
+					   isc_stdtime_t now);
+static isc_result_t rdataset_setadditional(dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype,
+					   dns_acache_t *acache,
+					   dns_zone_t *zone,
+					   dns_db_t *db,
+					   dns_dbversion_t *version,
+					   dns_dbnode_t *node,
+					   dns_name_t *fname);
+static isc_result_t rdataset_putadditional(dns_acache_t *acache,
+					   dns_rdataset_t *rdataset,
+					   dns_rdatasetadditional_t type,
+					   dns_rdatatype_t qtype);
+static inline bool need_headerupdate(rdatasetheader_t *header,
+					      isc_stdtime_t now);
+static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+			  isc_stdtime_t now);
+static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+			  bool tree_locked, expire_t reason);
+static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+			  isc_stdtime_t now, bool tree_locked);
+static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+				  rdatasetheader_t *newheader);
+static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+			  rdatasetheader_t *header);
+static void prune_tree(isc_task_t *task, isc_event_t *event);
+static void rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust);
+static void rdataset_expire(dns_rdataset_t *rdataset);
+static void rdataset_clearprefetch(dns_rdataset_t *rdataset);
+static void rdataset_setownercase(dns_rdataset_t *rdataset,
+				  const dns_name_t *name);
+static void rdataset_getownercase(const dns_rdataset_t *rdataset,
+				  dns_name_t *name);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	rdataset_getnoqname,
+	NULL,
+	rdataset_getclosest,
+	rdataset_getadditional,
+	rdataset_setadditional,
+	rdataset_putadditional,
+	rdataset_settrust,
+	rdataset_expire,
+	rdataset_clearprefetch,
+	rdataset_setownercase,
+	rdataset_getownercase
+};
+
+static dns_rdatasetmethods_t slab_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
+				 dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+typedef struct rbtdb_rdatasetiter {
+	dns_rdatasetiter_t              common;
+	rdatasetheader_t *              current;
+} rbtdb_rdatasetiter_t;
+
+/*
+ * Note that these iterators, unless created with either DNS_DB_NSEC3ONLY or
+ * DNS_DB_NONSEC3, will transparently move between the last node of the
+ * "regular" RBT ("chain" field) and the root node of the NSEC3 RBT
+ * ("nsec3chain" field) of the database in question, as if the latter was a
+ * successor to the former in lexical order.  The "current" field always holds
+ * the address of either "chain" or "nsec3chain", depending on which RBT is
+ * being traversed at given time.
+ */
+static void             dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t     dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_seek(dns_dbiterator_t *iterator,
+					dns_name_t *name);
+static isc_result_t     dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_current(dns_dbiterator_t *iterator,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *name);
+static isc_result_t     dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_origin(dns_dbiterator_t *iterator,
+					  dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy,
+	dbiterator_first,
+	dbiterator_last,
+	dbiterator_seek,
+	dbiterator_prev,
+	dbiterator_next,
+	dbiterator_current,
+	dbiterator_pause,
+	dbiterator_origin
+};
+
+#define DELETION_BATCH_MAX 64
+
+/*
+ * If 'paused' is true, then the tree lock is not being held.
+ */
+typedef struct rbtdb_dbiterator {
+	dns_dbiterator_t                common;
+	bool                   paused;
+	bool                   new_origin;
+	isc_rwlocktype_t                tree_locked;
+	isc_result_t                    result;
+	dns_fixedname_t                 name;
+	dns_fixedname_t                 origin;
+	dns_rbtnodechain_t              chain;
+	dns_rbtnodechain_t		nsec3chain;
+	dns_rbtnodechain_t		*current;
+	dns_rbtnode_t                   *node;
+	dns_rbtnode_t                   *deletions[DELETION_BATCH_MAX];
+	int                             delcnt;
+	bool			nsec3only;
+	bool			nonsec3;
+} rbtdb_dbiterator_t;
+
+
+#define IS_STUB(rbtdb)  (((rbtdb)->common.attributes & DNS_DBATTR_STUB)  != 0)
+#define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0)
+
+static void free_rbtdb(dns_rbtdb_t *rbtdb, bool log,
+		       isc_event_t *event);
+static void overmem(dns_db_t *db, bool over);
+static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
+static void setownercase(rdatasetheader_t *header, const dns_name_t *name);
+
+static bool match_header_version(rbtdb_file_header_t *header);
+
+/* Pad to 32 bytes */
+static char FILE_VERSION[32] = "\0";
+
+/*%
+ * 'init_count' is used to initialize 'newheader->count' which inturn
+ * is used to determine where in the cycle rrset-order cyclic starts.
+ * We don't lock this as we don't care about simultaneous updates.
+ *
+ * Note:
+ *      Both init_count and header->count can be UINT32_MAX.
+ *      The count on the returned rdataset however can't be as
+ *      that indicates that the database does not implement cyclic
+ *      processing.
+ */
+static unsigned int init_count;
+
+/*
+ * Locking
+ *
+ * If a routine is going to lock more than one lock in this module, then
+ * the locking must be done in the following order:
+ *
+ *      Tree Lock
+ *
+ *      Node Lock       (Only one from the set may be locked at one time by
+ *                       any caller)
+ *
+ *      Database Lock
+ *
+ * Failure to follow this hierarchy can result in deadlock.
+ */
+
+/*
+ * Deleting Nodes
+ *
+ * For zone databases the node for the origin of the zone MUST NOT be deleted.
+ */
+
+/*
+ * Debugging routines
+ */
+#ifdef DEBUG
+static void
+hexdump(const char *desc, unsigned char *data, size_t size) {
+	char hexdump[BUFSIZ * 2 + 1];
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+	size_t bytes;
+
+	fprintf(stderr, "%s: ", desc);
+	do {
+		isc_buffer_init(&b, hexdump, sizeof(hexdump));
+		r.base = data;
+		r.length = bytes = (size > BUFSIZ) ? BUFSIZ : size;
+		result = isc_hex_totext(&r, 0, "", &b);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		isc_buffer_putuint8(&b, 0);
+		fprintf(stderr, "%s", hexdump);
+		data += bytes;
+		size -= bytes;
+	} while (size > 0);
+	fprintf(stderr, "\n");
+}
+#endif
+
+
+/*
+ * DB Routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	isc_refcount_increment(&rbtdb->references, NULL);
+
+	*targetp = source;
+}
+
+static void
+free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_arg;
+
+	UNUSED(task);
+
+	free_rbtdb(rbtdb, true, event);
+}
+
+static void
+update_cachestats(dns_rbtdb_t *rbtdb, isc_result_t result) {
+	INSIST(IS_CACHE(rbtdb));
+
+	if (rbtdb->cachestats == NULL)
+		return;
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_CNAME:
+	case DNS_R_DNAME:
+	case DNS_R_DELEGATION:
+	case DNS_R_NCACHENXDOMAIN:
+	case DNS_R_NCACHENXRRSET:
+		isc_stats_increment(rbtdb->cachestats,
+				    dns_cachestatscounter_hits);
+		break;
+	default:
+		isc_stats_increment(rbtdb->cachestats,
+				    dns_cachestatscounter_misses);
+	}
+}
+
+static void
+update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+		  bool increment)
+{
+	dns_rdatastatstype_t statattributes = 0;
+	dns_rdatastatstype_t base = 0;
+	dns_rdatastatstype_t type;
+
+	/* At the moment we count statistics only for cache DB */
+	INSIST(IS_CACHE(rbtdb));
+
+	if (NEGATIVE(header)) {
+		if (NXDOMAIN(header))
+			statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+		else {
+			statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+			base = RBTDB_RDATATYPE_EXT(header->type);
+		}
+	} else
+		base = RBTDB_RDATATYPE_BASE(header->type);
+
+	if (STALE(header))
+		statattributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+
+	type = DNS_RDATASTATSTYPE_VALUE(base, statattributes);
+	if (increment)
+		dns_rdatasetstats_increment(rbtdb->rrsetstats, type);
+	else
+		dns_rdatasetstats_decrement(rbtdb->rrsetstats, type);
+}
+
+static void
+set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+	int idx;
+	isc_heap_t *heap;
+	dns_ttl_t oldttl;
+
+
+	if (!IS_CACHE(rbtdb)) {
+		header->rdh_ttl = newttl;
+		return;
+	}
+
+	oldttl = header->rdh_ttl;
+	header->rdh_ttl = newttl;
+
+	/*
+	 * It's possible the rbtdb is not a cache.  If this is the case,
+	 * we will not have a heap, and we move on.  If we do, though,
+	 * we might need to adjust things.
+	 */
+	if (header->heap_index == 0 || newttl == oldttl)
+		return;
+	idx = header->node->locknum;
+	if (rbtdb->heaps == NULL || rbtdb->heaps[idx] == NULL)
+	    return;
+	heap = rbtdb->heaps[idx];
+
+	if (newttl < oldttl)
+		isc_heap_increased(heap, header->heap_index);
+	else
+		isc_heap_decreased(heap, header->heap_index);
+}
+
+/*%
+ * These functions allow the heap code to rank the priority of each
+ * element.  It returns true if v1 happens "sooner" than v2.
+ */
+static bool
+ttl_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	return (h1->rdh_ttl < h2->rdh_ttl);
+}
+
+static bool
+resign_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	return (h1->resign < h2->resign ||
+		(h1->resign == h2->resign &&
+		 h1->resign_lsb < h2->resign_lsb));
+}
+
+/*%
+ * This function sets the heap index into the header.
+ */
+static void
+set_index(void *what, unsigned int idx) {
+	rdatasetheader_t *h = what;
+
+	h->heap_index = idx;
+}
+
+/*%
+ * Work out how many nodes can be deleted in the time between two
+ * requests to the nameserver.  Smooth the resulting number and use it
+ * as a estimate for the number of nodes to be deleted in the next
+ * iteration.
+ */
+static unsigned int
+adjust_quantum(unsigned int old, isc_time_t *start) {
+	unsigned int pps = dns_pps;     /* packets per second */
+	unsigned int interval;
+	uint64_t usecs;
+	isc_time_t end;
+	unsigned int nodes;
+
+	if (pps < 100)
+		pps = 100;
+	isc_time_now(&end);
+
+	interval = 1000000 / pps;       /* interval in usec */
+	if (interval == 0)
+		interval = 1;
+	usecs = isc_time_microdiff(&end, start);
+	if (usecs == 0) {
+		/*
+		 * We were unable to measure the amount of time taken.
+		 * Double the nodes deleted next time.
+		 */
+		old *= 2;
+		if (old > 1000)
+			old = 1000;
+		return (old);
+	}
+	nodes = old * interval;
+	nodes /= (unsigned int)usecs;
+	if (nodes == 0)
+		nodes = 1;
+	else if (nodes > 1000)
+		nodes = 1000;
+
+	/* Smooth */
+	nodes = (nodes + old * 3) / 4;
+
+	if (nodes != old)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "adjust_quantum: old=%d, new=%d", old, nodes);
+
+	return (nodes);
+}
+
+static void
+free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
+	unsigned int i;
+	isc_ondestroy_t ondest;
+	isc_result_t result;
+	char buf[DNS_NAME_FORMATSIZE];
+	dns_rbt_t **treep;
+	isc_time_t start;
+	dns_dbonupdatelistener_t *listener, *listener_next;
+
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		overmem((dns_db_t *)rbtdb, (bool)-1);
+
+	REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions));
+	REQUIRE(rbtdb->future_version == NULL);
+
+	if (rbtdb->current_version != NULL) {
+		unsigned int refs;
+
+		isc_refcount_decrement(&rbtdb->current_version->references,
+				       &refs);
+		INSIST(refs == 0);
+		UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
+		isc_refcount_destroy(&rbtdb->current_version->references);
+		isc_rwlock_destroy(&rbtdb->current_version->rwlock);
+		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
+			    sizeof(rbtdb_version_t));
+	}
+
+	/*
+	 * We assume the number of remaining dead nodes is reasonably small;
+	 * the overhead of unlinking all nodes here should be negligible.
+	 */
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		dns_rbtnode_t *node;
+
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		while (node != NULL) {
+			ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
+			node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		}
+	}
+
+	if (event == NULL)
+		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
+
+	for (;;) {
+		/*
+		 * pick the next tree to (start to) destroy
+		 */
+		treep = &rbtdb->tree;
+		if (*treep == NULL) {
+			treep = &rbtdb->nsec;
+			if (*treep == NULL) {
+				treep = &rbtdb->nsec3;
+				/*
+				 * we're finished after clear cutting
+				 */
+				if (*treep == NULL)
+					break;
+			}
+		}
+
+		isc_time_now(&start);
+		result = dns_rbt_destroy2(treep, rbtdb->quantum);
+		if (result == ISC_R_QUOTA) {
+			INSIST(rbtdb->task != NULL);
+			if (rbtdb->quantum != 0)
+				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
+								&start);
+			if (event == NULL)
+				event = isc_event_allocate(rbtdb->common.mctx,
+							   NULL,
+							 DNS_EVENT_FREESTORAGE,
+							   free_rbtdb_callback,
+							   rbtdb,
+							   sizeof(isc_event_t));
+			if (event == NULL)
+				continue;
+			isc_task_send(rbtdb->task, &event);
+			return;
+		}
+		INSIST(result == ISC_R_SUCCESS && *treep == NULL);
+	}
+
+	if (event != NULL)
+		isc_event_free(&event);
+	if (log) {
+		if (dns_name_dynamic(&rbtdb->common.origin))
+			dns_name_format(&rbtdb->common.origin, buf,
+					sizeof(buf));
+		else
+			strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "done free_rbtdb(%s)", buf);
+	}
+	if (dns_name_dynamic(&rbtdb->common.origin))
+		dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		isc_refcount_destroy(&rbtdb->node_locks[i].references);
+		NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+	}
+
+	/*
+	 * Clean up LRU / re-signing order lists.
+	 */
+	if (rbtdb->rdatasets != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			INSIST(ISC_LIST_EMPTY(rbtdb->rdatasets[i]));
+		isc_mem_put(rbtdb->common.mctx, rbtdb->rdatasets,
+			    rbtdb->node_lock_count *
+			    sizeof(rdatasetheaderlist_t));
+	}
+	/*
+	 * Clean up dead node buckets.
+	 */
+	if (rbtdb->deadnodes != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			INSIST(ISC_LIST_EMPTY(rbtdb->deadnodes[i]));
+		isc_mem_put(rbtdb->common.mctx, rbtdb->deadnodes,
+		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
+	}
+	/*
+	 * Clean up heap objects.
+	 */
+	if (rbtdb->heaps != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			isc_heap_destroy(&rbtdb->heaps[i]);
+		isc_mem_put(rbtdb->hmctx, rbtdb->heaps,
+			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
+	}
+
+	if (rbtdb->rrsetstats != NULL)
+		dns_stats_detach(&rbtdb->rrsetstats);
+	if (rbtdb->cachestats != NULL)
+		isc_stats_detach(&rbtdb->cachestats);
+
+	if (rbtdb->load_rpzs != NULL) {
+		/*
+		 * We must be cleaning up after a failed zone loading.
+		 */
+		REQUIRE(rbtdb->rpzs != NULL &&
+			rbtdb->rpz_num < rbtdb->rpzs->p.num_zones);
+		dns_rpz_detach_rpzs(&rbtdb->load_rpzs);
+	}
+	if (rbtdb->rpzs != NULL) {
+		REQUIRE(rbtdb->rpz_num < rbtdb->rpzs->p.num_zones);
+		dns_rpz_detach_rpzs(&rbtdb->rpzs);
+	}
+
+	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+	isc_rwlock_destroy(&rbtdb->tree_lock);
+	isc_refcount_destroy(&rbtdb->references);
+	if (rbtdb->task != NULL)
+		isc_task_detach(&rbtdb->task);
+
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
+	rbtdb->common.magic = 0;
+	rbtdb->common.impmagic = 0;
+	ondest = rbtdb->common.ondest;
+	isc_mem_detach(&rbtdb->hmctx);
+
+	if (rbtdb->mmap_location != NULL)
+		isc_file_munmap(rbtdb->mmap_location,
+				(size_t) rbtdb->mmap_size);
+
+	for (listener = ISC_LIST_HEAD(rbtdb->common.update_listeners);
+	     listener != NULL;
+	     listener = listener_next)
+	{
+		listener_next = ISC_LIST_NEXT(listener, link);
+		ISC_LIST_UNLINK(rbtdb->common.update_listeners, listener, link);
+		isc_mem_put(rbtdb->common.mctx, listener,
+			    sizeof(dns_dbonupdatelistener_t));
+	}
+
+	isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
+	isc_ondestroy_notify(&ondest, rbtdb);
+}
+
+static inline void
+maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
+	bool want_free = false;
+	unsigned int i;
+	unsigned int inactive = 0;
+
+	/* XXX check for open versions here */
+
+	if (rbtdb->soanode != NULL)
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->soanode);
+	if (rbtdb->nsnode != NULL)
+		dns_db_detachnode((dns_db_t *)rbtdb, &rbtdb->nsnode);
+
+	/*
+	 * Even though there are no external direct references, there still
+	 * may be nodes in use.
+	 */
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+		rbtdb->node_locks[i].exiting = true;
+		NODE_UNLOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_write);
+		if (isc_refcount_current(&rbtdb->node_locks[i].references)
+		    == 0) {
+			inactive++;
+		}
+	}
+
+	if (inactive != 0) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+		rbtdb->active -= inactive;
+		if (rbtdb->active == 0)
+			want_free = true;
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+		if (want_free) {
+			char buf[DNS_NAME_FORMATSIZE];
+			if (dns_name_dynamic(&rbtdb->common.origin)) {
+				dns_name_format(&rbtdb->common.origin, buf,
+						sizeof(buf));
+			} else {
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+			}
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+				      "calling free_rbtdb(%s)", buf);
+			free_rbtdb(rbtdb, true, NULL);
+		}
+	}
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp);
+	unsigned int refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	isc_refcount_decrement(&rbtdb->references, &refs);
+
+	if (refs == 0)
+		maybe_free_rbtdb(rbtdb);
+
+	*dbp = NULL;
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version;
+	unsigned int refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	version = rbtdb->current_version;
+	isc_refcount_increment(&version->references, &refs);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	*versionp = (dns_dbversion_t *)version;
+}
+
+static inline rbtdb_version_t *
+allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
+		 unsigned int references, bool writer)
+{
+	isc_result_t result;
+	rbtdb_version_t *version;
+
+	version = isc_mem_get(mctx, sizeof(*version));
+	if (version == NULL)
+		return (NULL);
+	version->serial = serial;
+	result = isc_refcount_init(&version->references, references);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, version, sizeof(*version));
+		return (NULL);
+	}
+	version->writer = writer;
+	version->commit_ok = false;
+	ISC_LIST_INIT(version->changed_list);
+	ISC_LIST_INIT(version->resigned_list);
+	ISC_LINK_INIT(version, link);
+
+	return (version);
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	isc_result_t result;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(rbtdb->future_version == NULL);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	RUNTIME_CHECK(rbtdb->next_serial != 0);         /* XXX Error? */
+	version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
+				   true);
+	if (version != NULL) {
+		version->rbtdb = rbtdb;
+		version->commit_ok = true;
+		version->secure = rbtdb->current_version->secure;
+		version->havensec3 = rbtdb->current_version->havensec3;
+		if (version->havensec3) {
+			version->flags = rbtdb->current_version->flags;
+			version->iterations =
+				rbtdb->current_version->iterations;
+			version->hash = rbtdb->current_version->hash;
+			version->salt_length =
+				rbtdb->current_version->salt_length;
+			memmove(version->salt, rbtdb->current_version->salt,
+				version->salt_length);
+		} else {
+			version->flags = 0;
+			version->iterations = 0;
+			version->hash = 0;
+			version->salt_length = 0;
+			memset(version->salt, 0, sizeof(version->salt));
+		}
+		result = isc_rwlock_init(&version->rwlock, 0, 0);
+		if (result != ISC_R_SUCCESS) {
+			isc_refcount_destroy(&version->references);
+			isc_mem_put(rbtdb->common.mctx, version,
+				    sizeof(*version));
+			version = NULL;
+		} else {
+			RWLOCK(&rbtdb->current_version->rwlock,
+			       isc_rwlocktype_read);
+			version->records = rbtdb->current_version->records;
+			version->bytes = rbtdb->current_version->bytes;
+			RWUNLOCK(&rbtdb->current_version->rwlock,
+				 isc_rwlocktype_read);
+			rbtdb->next_serial++;
+			rbtdb->future_version = version;
+		}
+	} else
+		result = ISC_R_NOMEMORY;
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	if (version == NULL)
+		return (result);
+
+	*versionp = version;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *rbtversion = source;
+	unsigned int refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
+
+	isc_refcount_increment(&rbtversion->references, &refs);
+	INSIST(refs > 1);
+
+	*targetp = rbtversion;
+}
+
+static rbtdb_changed_t *
+add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+	    dns_rbtnode_t *node)
+{
+	rbtdb_changed_t *changed;
+	unsigned int refs;
+
+	/*
+	 * Caller must be holding the node lock if its reference must be
+	 * protected by the lock.
+	 */
+
+	changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	REQUIRE(version->writer);
+
+	if (changed != NULL) {
+		dns_rbtnode_refincrement(node, &refs);
+		INSIST(refs != 0);
+		changed->node = node;
+		changed->dirty = false;
+		ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
+	} else
+		version->commit_ok = false;
+
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	return (changed);
+}
+
+static void
+free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header,
+		 acachectl_t *array)
+{
+	unsigned int count;
+	unsigned int i;
+	unsigned char *raw;     /* RDATASLAB */
+
+	/*
+	 * The caller must be holding the corresponding node lock.
+	 */
+
+	if (array == NULL)
+		return;
+
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1];
+
+	/*
+	 * Sanity check: since an additional cache entry has a reference to
+	 * the original DB node (in the callback arg), there should be no
+	 * acache entries when the node can be freed.
+	 */
+	for (i = 0; i < count; i++)
+		INSIST(array[i].entry == NULL && array[i].cbarg == NULL);
+
+	isc_mem_put(mctx, array, count * sizeof(acachectl_t));
+}
+
+static inline void
+free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
+
+	if (dns_name_dynamic(&(*noqname)->name))
+		dns_name_free(&(*noqname)->name, mctx);
+	if ((*noqname)->neg != NULL)
+		isc_mem_put(mctx, (*noqname)->neg,
+			    dns_rdataslab_size((*noqname)->neg, 0));
+	if ((*noqname)->negsig != NULL)
+		isc_mem_put(mctx, (*noqname)->negsig,
+			    dns_rdataslab_size((*noqname)->negsig, 0));
+	isc_mem_put(mctx, *noqname, sizeof(**noqname));
+	*noqname = NULL;
+}
+
+static inline void
+init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) {
+	ISC_LINK_INIT(h, link);
+	h->heap_index = 0;
+	h->is_mmapped = 0;
+	h->next_is_relative = 0;
+	h->node_is_relative = 0;
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		fprintf(stderr, "initialized header: %p\n", h);
+#else
+	UNUSED(rbtdb);
+#endif
+}
+
+/*
+ * Update the copied values of 'next' and 'node' if they are relative.
+ */
+static void
+update_newheader(rdatasetheader_t *newh, rdatasetheader_t *old) {
+	char *p;
+
+	if (old->next_is_relative) {
+		p = (char *) old;
+		p += (uintptr_t)old->next;
+		newh->next = (rdatasetheader_t *)p;
+	}
+	if (old->node_is_relative) {
+		p = (char *) old;
+		p += (uintptr_t)old->node;
+		newh->node = (dns_rbtnode_t *)p;
+	}
+	if (CASESET(old)) {
+		uint16_t attr;
+
+		memmove(newh->upper, old->upper, sizeof(old->upper));
+		attr = old->attributes & (RDATASET_ATTR_CASESET |
+					  RDATASET_ATTR_CASEFULLYLOWER);
+		newh->attributes |= attr;
+	}
+}
+
+static inline rdatasetheader_t *
+new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx) {
+	rdatasetheader_t *h;
+
+	h = isc_mem_get(mctx, sizeof(*h));
+	if (h == NULL)
+		return (NULL);
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		fprintf(stderr, "allocated header: %p\n", h);
+#endif
+	memset(h->upper, 0xeb, sizeof(h->upper));
+	init_rdataset(rbtdb, h);
+	h->rdh_ttl = 0;
+	return (h);
+}
+
+static inline void
+free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset) {
+	unsigned int size;
+	int idx;
+
+	if (EXISTS(rdataset) &&
+	    (rdataset->attributes & RDATASET_ATTR_STATCOUNT) != 0) {
+		update_rrsetstats(rbtdb, rdataset, false);
+	}
+
+	idx = rdataset->node->locknum;
+	if (ISC_LINK_LINKED(rdataset, link)) {
+		INSIST(IS_CACHE(rbtdb));
+		ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, link);
+	}
+
+	if (rdataset->heap_index != 0)
+		isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index);
+	rdataset->heap_index = 0;
+
+	if (rdataset->noqname != NULL)
+		free_noqname(mctx, &rdataset->noqname);
+	if (rdataset->closest != NULL)
+		free_noqname(mctx, &rdataset->closest);
+
+	free_acachearray(mctx, rdataset, rdataset->additional_auth);
+	free_acachearray(mctx, rdataset, rdataset->additional_glue);
+
+	if (NONEXISTENT(rdataset))
+		size = sizeof(*rdataset);
+	else
+		size = dns_rdataslab_size((unsigned char *)rdataset,
+					  sizeof(*rdataset));
+
+	if (rdataset->is_mmapped == 1)
+		return;
+
+	isc_mem_put(mctx, rdataset, size);
+}
+
+static inline void
+rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+	rdatasetheader_t *header, *dcurrent;
+	bool make_dirty = false;
+
+	/*
+	 * Caller must hold the node lock.
+	 */
+
+	/*
+	 * We set the IGNORE attribute on rdatasets with serial number
+	 * 'serial'.  When the reference count goes to zero, these rdatasets
+	 * will be cleaned up; until that time, they will be ignored.
+	 */
+	for (header = node->data; header != NULL; header = header->next) {
+		if (header->serial == serial) {
+			header->attributes |= RDATASET_ATTR_IGNORE;
+			make_dirty = true;
+		}
+		for (dcurrent = header->down;
+		     dcurrent != NULL;
+		     dcurrent = dcurrent->down) {
+			if (dcurrent->serial == serial) {
+				dcurrent->attributes |= RDATASET_ATTR_IGNORE;
+				make_dirty = true;
+			}
+		}
+	}
+	if (make_dirty)
+		node->dirty = 1;
+}
+
+static inline void
+mark_stale_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header) {
+
+	/*
+	 * If we are already stale there is nothing to do.
+	 */
+	if ((header->attributes & RDATASET_ATTR_STALE) != 0)
+		return;
+
+	header->attributes |= RDATASET_ATTR_STALE;
+	header->node->dirty = 1;
+
+	/*
+	 * If we have not been counted then there is nothing to do.
+	 */
+	if ((header->attributes & RDATASET_ATTR_STATCOUNT) == 0)
+		return;
+
+	if (EXISTS(header))
+		update_rrsetstats(rbtdb, header, true);
+}
+
+static inline void
+clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *top)
+{
+	rdatasetheader_t *d, *down_next;
+
+	for (d = top->down; d != NULL; d = down_next) {
+		down_next = d->down;
+		free_rdataset(rbtdb, mctx, d);
+	}
+	top->down = NULL;
+}
+
+static inline void
+clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+	rdatasetheader_t *current, *top_prev, *top_next;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	top_prev = NULL;
+	for (current = node->data; current != NULL; current = top_next) {
+		top_next = current->next;
+		clean_stale_headers(rbtdb, mctx, current);
+		/*
+		 * If current is nonexistent or stale, we can clean it up.
+		 */
+		if ((current->attributes &
+		     (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) {
+			if (top_prev != NULL)
+				top_prev->next = current->next;
+			else
+				node->data = current->next;
+			free_rdataset(rbtdb, mctx, current);
+		} else
+			top_prev = current;
+	}
+	node->dirty = 0;
+}
+
+static inline void
+clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		rbtdb_serial_t least_serial)
+{
+	rdatasetheader_t *current, *dcurrent, *down_next, *dparent;
+	rdatasetheader_t *top_prev, *top_next;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	bool still_dirty = false;
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+	REQUIRE(least_serial != 0);
+
+	top_prev = NULL;
+	for (current = node->data; current != NULL; current = top_next) {
+		top_next = current->next;
+
+		/*
+		 * First, we clean up any instances of multiple rdatasets
+		 * with the same serial number, or that have the IGNORE
+		 * attribute.
+		 */
+		dparent = current;
+		for (dcurrent = current->down;
+		     dcurrent != NULL;
+		     dcurrent = down_next) {
+			down_next = dcurrent->down;
+			INSIST(dcurrent->serial <= dparent->serial);
+			if (dcurrent->serial == dparent->serial ||
+			    IGNORE(dcurrent)) {
+				if (down_next != NULL)
+					down_next->next = dparent;
+				dparent->down = down_next;
+				free_rdataset(rbtdb, mctx, dcurrent);
+			} else
+				dparent = dcurrent;
+		}
+
+		/*
+		 * We've now eliminated all IGNORE datasets with the possible
+		 * exception of current, which we now check.
+		 */
+		if (IGNORE(current)) {
+			down_next = current->down;
+			if (down_next == NULL) {
+				if (top_prev != NULL)
+					top_prev->next = current->next;
+				else
+					node->data = current->next;
+				free_rdataset(rbtdb, mctx, current);
+				/*
+				 * current no longer exists, so we can
+				 * just continue with the loop.
+				 */
+				continue;
+			} else {
+				/*
+				 * Pull up current->down, making it the new
+				 * current.
+				 */
+				if (top_prev != NULL)
+					top_prev->next = down_next;
+				else
+					node->data = down_next;
+				down_next->next = top_next;
+				free_rdataset(rbtdb, mctx, current);
+				current = down_next;
+			}
+		}
+
+		/*
+		 * We now try to find the first down node less than the
+		 * least serial.
+		 */
+		dparent = current;
+		for (dcurrent = current->down;
+		     dcurrent != NULL;
+		     dcurrent = down_next) {
+			down_next = dcurrent->down;
+			if (dcurrent->serial < least_serial)
+				break;
+			dparent = dcurrent;
+		}
+
+		/*
+		 * If there is a such an rdataset, delete it and any older
+		 * versions.
+		 */
+		if (dcurrent != NULL) {
+			do {
+				down_next = dcurrent->down;
+				INSIST(dcurrent->serial <= least_serial);
+				free_rdataset(rbtdb, mctx, dcurrent);
+				dcurrent = down_next;
+			} while (dcurrent != NULL);
+			dparent->down = NULL;
+		}
+
+		/*
+		 * Note.  The serial number of 'current' might be less than
+		 * least_serial too, but we cannot delete it because it is
+		 * the most recent version, unless it is a NONEXISTENT
+		 * rdataset.
+		 */
+		if (current->down != NULL) {
+			still_dirty = true;
+			top_prev = current;
+		} else {
+			/*
+			 * If this is a NONEXISTENT rdataset, we can delete it.
+			 */
+			if (NONEXISTENT(current)) {
+				if (top_prev != NULL)
+					top_prev->next = current->next;
+				else
+					node->data = current->next;
+				free_rdataset(rbtdb, mctx, current);
+			} else
+				top_prev = current;
+		}
+	}
+	if (!still_dirty)
+		node->dirty = 0;
+}
+
+static void
+delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+	dns_rbtnode_t *nsecnode;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	isc_result_t result = ISC_R_UNEXPECTED;
+	unsigned int node_has_rpz;
+
+	INSIST(!ISC_LINK_LINKED(node, deadlink));
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+		char printname[DNS_NAME_FORMATSIZE];
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_DEBUG(1),
+			      "delete_node(): %p %s (bucket %d)",
+			      node,
+			      dns_rbt_formatnodename(node,
+					printname, sizeof(printname)),
+			      node->locknum);
+	}
+
+	switch (node->nsec) {
+	case DNS_RBT_NSEC_NORMAL:
+		/*
+		 * Though this may be wasteful, it has to be done before
+		 * node is deleted.
+		 */
+		name = dns_fixedname_initname(&fname);
+		dns_rbt_fullnamefromnode(node, name);
+
+		/*
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
+		 */
+		node_has_rpz = node->rpz;
+		node->rpz = 0;
+		result = dns_rbt_deletenode(rbtdb->tree, node, false);
+		if (result == ISC_R_SUCCESS &&
+		    rbtdb->rpzs != NULL && node_has_rpz)
+			dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name);
+		break;
+	case DNS_RBT_NSEC_HAS_NSEC:
+		name = dns_fixedname_initname(&fname);
+		dns_rbt_fullnamefromnode(node, name);
+		/*
+		 * Delete the corresponding node from the auxiliary NSEC
+		 * tree before deleting from the main tree.
+		 */
+		nsecnode = NULL;
+		result = dns_rbt_findnode(rbtdb->nsec, name, NULL, &nsecnode,
+					  NULL, DNS_RBTFIND_EMPTYDATA,
+					  NULL, NULL);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "delete_node: "
+				      "dns_rbt_findnode(nsec): %s",
+				      isc_result_totext(result));
+		} else {
+			result = dns_rbt_deletenode(rbtdb->nsec, nsecnode,
+						    false);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_WARNING,
+					      "delete_node(): "
+					      "dns_rbt_deletenode(nsecnode): %s",
+					      isc_result_totext(result));
+			}
+		}
+		/*
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
+		 */
+		node_has_rpz = node->rpz;
+		node->rpz = 0;
+		result = dns_rbt_deletenode(rbtdb->tree, node, false);
+		if (result == ISC_R_SUCCESS &&
+		    rbtdb->rpzs != NULL && node_has_rpz)
+			dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name);
+		break;
+	case DNS_RBT_NSEC_NSEC:
+		result = dns_rbt_deletenode(rbtdb->nsec, node, false);
+		break;
+	case DNS_RBT_NSEC_NSEC3:
+		result = dns_rbt_deletenode(rbtdb->nsec3, node, false);
+		break;
+	}
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_WARNING,
+			      "delete_node(): "
+			      "dns_rbt_deletenode: %s",
+			      isc_result_totext(result));
+	}
+}
+
+/*
+ * Caller must be holding the node lock.
+ */
+static inline void
+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+	unsigned int lockrefs, noderefs;
+	isc_refcount_t *lockref;
+
+	INSIST(!ISC_LINK_LINKED(node, deadlink));
+	dns_rbtnode_refincrement0(node, &noderefs);
+	if (noderefs == 1) {    /* this is the first reference to the node */
+		lockref = &rbtdb->node_locks[node->locknum].references;
+		isc_refcount_increment0(lockref, &lockrefs);
+		INSIST(lockrefs != 0);
+	}
+	INSIST(noderefs != 0);
+}
+
+/*%
+ * Clean up dead nodes.  These are nodes which have no references, and
+ * have no data.  They are dead but we could not or chose not to delete
+ * them when we deleted all the data at that node because we did not want
+ * to wait for the tree write lock.
+ *
+ * The caller must hold a tree write lock and bucketnum'th node (write) lock.
+ */
+static void
+cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
+	dns_rbtnode_t *node;
+	int count = 10;         /* XXXJT: should be adjustable */
+
+	node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+	while (node != NULL && count > 0) {
+		ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
+
+		/*
+		 * Since we're holding a tree write lock, it should be
+		 * impossible for this node to be referenced by others.
+		 */
+		INSIST(dns_rbtnode_refcurrent(node) == 0 &&
+		       node->data == NULL);
+
+		if (node->parent != NULL &&
+		    node->parent->down == node && node->left == NULL &&
+		    node->right == NULL && rbtdb->task != NULL)
+		{
+			isc_event_t *ev;
+			dns_db_t *db;
+
+			ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+						DNS_EVENT_RBTPRUNE,
+						prune_tree, node,
+						sizeof(isc_event_t));
+			if (ev != NULL) {
+				new_reference(rbtdb, node);
+				db = NULL;
+				attach((dns_db_t *)rbtdb, &db);
+				ev->ev_sender = db;
+				isc_task_send(rbtdb->task, &ev);
+			} else {
+				ISC_LIST_APPEND(rbtdb->deadnodes[bucketnum],
+						node, deadlink);
+			}
+		} else {
+			delete_node(rbtdb, node);
+		}
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+		count--;
+	}
+}
+
+/*
+ * This function is assumed to be called when a node is newly referenced
+ * and can be in the deadnode list.  In that case the node must be retrieved
+ * from the list because it is going to be used.  In addition, if the caller
+ * happens to hold a write lock on the tree, it's a good chance to purge dead
+ * nodes.
+ * Note: while a new reference is gained in multiple places, there are only very
+ * few cases where the node can be in the deadnode list (only empty nodes can
+ * have been added to the list).
+ */
+static inline void
+reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		isc_rwlocktype_t treelocktype)
+{
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+	nodelock_t *nodelock = &rbtdb->node_locks[node->locknum].lock;
+	bool maybe_cleanup = false;
+
+	POST(locktype);
+
+	NODE_STRONGLOCK(nodelock);
+	NODE_WEAKLOCK(nodelock, locktype);
+
+	/*
+	 * Check if we can possibly cleanup the dead node.  If so, upgrade
+	 * the node lock below to perform the cleanup.
+	 */
+	if (!ISC_LIST_EMPTY(rbtdb->deadnodes[node->locknum]) &&
+	    treelocktype == isc_rwlocktype_write) {
+		maybe_cleanup = true;
+	}
+
+	if (ISC_LINK_LINKED(node, deadlink) || maybe_cleanup) {
+		/*
+		 * Upgrade the lock and test if we still need to unlink.
+		 */
+		NODE_WEAKUNLOCK(nodelock, locktype);
+		locktype = isc_rwlocktype_write;
+		POST(locktype);
+		NODE_WEAKLOCK(nodelock, locktype);
+		if (ISC_LINK_LINKED(node, deadlink))
+			ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum],
+					node, deadlink);
+		if (maybe_cleanup)
+			cleanup_dead_nodes(rbtdb, node->locknum);
+	}
+
+	new_reference(rbtdb, node);
+
+	NODE_WEAKUNLOCK(nodelock, locktype);
+	NODE_STRONGUNLOCK(nodelock);
+}
+
+/*
+ * Caller must be holding the node lock; either the "strong", read or write
+ * lock.  Note that the lock must be held even when node references are
+ * atomically modified; in that case the decrement operation itself does not
+ * have to be protected, but we must avoid a race condition where multiple
+ * threads are decreasing the reference to zero simultaneously and at least
+ * one of them is going to free the node.
+ *
+ * This function returns true if and only if the node reference decreases
+ * to zero.
+ *
+ * NOTE: Decrementing the reference count of a node to zero does not mean it
+ * will be immediately freed.
+ */
+static bool
+decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		    rbtdb_serial_t least_serial,
+		    isc_rwlocktype_t nlock, isc_rwlocktype_t tlock,
+		    bool pruning)
+{
+	isc_result_t result;
+	bool write_locked;
+	rbtdb_nodelock_t *nodelock;
+	unsigned int refs, nrefs;
+	int bucket = node->locknum;
+	bool no_reference = true;
+
+	nodelock = &rbtdb->node_locks[bucket];
+
+#define KEEP_NODE(n, r) \
+	((n)->data != NULL || (n)->down != NULL || \
+	 (n) == (r)->origin_node || (n) == (r)->nsec3_origin_node)
+
+	/* Handle easy and typical case first. */
+	if (!node->dirty && KEEP_NODE(node, rbtdb)) {
+		dns_rbtnode_refdecrement(node, &nrefs);
+		INSIST((int)nrefs >= 0);
+		if (nrefs == 0) {
+			isc_refcount_decrement(&nodelock->references, &refs);
+			INSIST((int)refs >= 0);
+		}
+		return ((nrefs == 0) ? true : false);
+	}
+
+	/* Upgrade the lock? */
+	if (nlock == isc_rwlocktype_read) {
+		NODE_WEAKUNLOCK(&nodelock->lock, isc_rwlocktype_read);
+		NODE_WEAKLOCK(&nodelock->lock, isc_rwlocktype_write);
+	}
+
+	dns_rbtnode_refdecrement(node, &nrefs);
+	INSIST((int)nrefs >= 0);
+	if (nrefs > 0) {
+		/* Restore the lock? */
+		if (nlock == isc_rwlocktype_read)
+			NODE_WEAKDOWNGRADE(&nodelock->lock);
+		return (false);
+	}
+
+	if (node->dirty) {
+		if (IS_CACHE(rbtdb))
+			clean_cache_node(rbtdb, node);
+		else {
+			if (least_serial == 0) {
+				/*
+				 * Caller doesn't know the least serial.
+				 * Get it.
+				 */
+				RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+				least_serial = rbtdb->least_serial;
+				RBTDB_UNLOCK(&rbtdb->lock,
+					     isc_rwlocktype_read);
+			}
+			clean_zone_node(rbtdb, node, least_serial);
+		}
+	}
+
+	/*
+	 * Attempt to switch to a write lock on the tree.  If this fails,
+	 * we will add this node to a linked list of nodes in this locking
+	 * bucket which we will free later.
+	 */
+	if (tlock != isc_rwlocktype_write) {
+		/*
+		 * Locking hierarchy notwithstanding, we don't need to free
+		 * the node lock before acquiring the tree write lock because
+		 * we only do a trylock.
+		 */
+		if (tlock == isc_rwlocktype_read)
+			result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
+		else
+			result = isc_rwlock_trylock(&rbtdb->tree_lock,
+						    isc_rwlocktype_write);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS ||
+			      result == ISC_R_LOCKBUSY);
+
+		write_locked = (result == ISC_R_SUCCESS);
+	} else
+		write_locked = true;
+
+	isc_refcount_decrement(&nodelock->references, &refs);
+	INSIST((int)refs >= 0);
+
+	if (KEEP_NODE(node, rbtdb))
+		goto restore_locks;
+
+#undef KEEP_NODE
+
+	if (write_locked) {
+		/*
+		 * We can now delete the node.
+		 */
+
+		/*
+		 * If this node is the only one in the level it's in, deleting
+		 * this node may recursively make its parent the only node in
+		 * the parent level; if so, and if no one is currently using
+		 * the parent node, this is almost the only opportunity to
+		 * clean it up.  But the recursive cleanup is not that trivial
+		 * since the child and parent may be in different lock buckets,
+		 * which would cause a lock order reversal problem.  To avoid
+		 * the trouble, we'll dispatch a separate event for batch
+		 * cleaning.  We need to check whether we're deleting the node
+		 * as a result of pruning to avoid infinite dispatching.
+		 * Note: pruning happens only when a task has been set for the
+		 * rbtdb.  If the user of the rbtdb chooses not to set a task,
+		 * it's their responsibility to purge stale leaves (e.g. by
+		 * periodic walk-through).
+		 */
+		if (!pruning && node->parent != NULL &&
+		    node->parent->down == node && node->left == NULL &&
+		    node->right == NULL && rbtdb->task != NULL) {
+			isc_event_t *ev;
+			dns_db_t *db;
+
+			ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+						DNS_EVENT_RBTPRUNE,
+						prune_tree, node,
+						sizeof(isc_event_t));
+			if (ev != NULL) {
+				new_reference(rbtdb, node);
+				db = NULL;
+				attach((dns_db_t *)rbtdb, &db);
+				ev->ev_sender = db;
+				isc_task_send(rbtdb->task, &ev);
+				no_reference = false;
+			} else {
+				/*
+				 * XXX: this is a weird situation.  We could
+				 * ignore this error case, but then the stale
+				 * node will unlikely be purged except via a
+				 * rare condition such as manual cleanup.  So
+				 * we queue it in the deadnodes list, hoping
+				 * the memory shortage is temporary and the node
+				 * will be deleted later.
+				 */
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_INFO,
+					      "decrement_reference: failed to "
+					      "allocate pruning event");
+				INSIST(node->data == NULL);
+				INSIST(!ISC_LINK_LINKED(node, deadlink));
+				ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+						deadlink);
+			}
+		} else {
+			delete_node(rbtdb, node);
+		}
+	} else {
+		INSIST(node->data == NULL);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
+	}
+
+ restore_locks:
+	/* Restore the lock? */
+	if (nlock == isc_rwlocktype_read)
+		NODE_WEAKDOWNGRADE(&nodelock->lock);
+
+	/*
+	 * Relock a read lock, or unlock the write lock if no lock was held.
+	 */
+	if (tlock == isc_rwlocktype_none)
+		if (write_locked)
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	if (tlock == isc_rwlocktype_read)
+		if (write_locked)
+			isc_rwlock_downgrade(&rbtdb->tree_lock);
+
+	return (no_reference);
+}
+
+/*
+ * Prune the tree by recursively cleaning-up single leaves.  In the worst
+ * case, the number of iteration is the number of tree levels, which is at
+ * most the maximum number of domain name labels, i.e, 127.  In practice, this
+ * should be much smaller (only a few times), and even the worst case would be
+ * acceptable for a single event.
+ */
+static void
+prune_tree(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_sender;
+	dns_rbtnode_t *node = event->ev_arg;
+	dns_rbtnode_t *parent;
+	unsigned int locknum;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	locknum = node->locknum;
+	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	do {
+		parent = node->parent;
+		decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
+				    isc_rwlocktype_write, true);
+
+		if (parent != NULL && parent->down == NULL) {
+			/*
+			 * node was the only down child of the parent and has
+			 * just been removed.  We'll then need to examine the
+			 * parent.  Keep the lock if possible; otherwise,
+			 * release the old lock and acquire one for the parent.
+			 */
+			if (parent->locknum != locknum) {
+				NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+					    isc_rwlocktype_write);
+				locknum = parent->locknum;
+				NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+					  isc_rwlocktype_write);
+			}
+
+			/*
+			 * We need to gain a reference to the node before
+			 * decrementing it in the next iteration.  In addition,
+			 * if the node is in the dead-nodes list, extract it
+			 * from the list beforehand as we do in
+			 * reactivate_node().
+			 */
+			if (ISC_LINK_LINKED(parent, deadlink))
+				ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+						parent, deadlink);
+			new_reference(rbtdb, parent);
+		} else
+			parent = NULL;
+
+		node = parent;
+	} while (node != NULL);
+	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	detach((dns_db_t **)&rbtdb);
+}
+
+static inline void
+make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+		   rbtdb_changedlist_t *cleanup_list)
+{
+	/*
+	 * Caller must be holding the database lock.
+	 */
+
+	rbtdb->least_serial = version->serial;
+	*cleanup_list = version->changed_list;
+	ISC_LIST_INIT(version->changed_list);
+}
+
+static inline void
+cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
+	rbtdb_changed_t *changed, *next_changed;
+
+	/*
+	 * If the changed record is dirty, then
+	 * an update created multiple versions of
+	 * a given rdataset.  We keep this list
+	 * until we're the least open version, at
+	 * which point it's safe to get rid of any
+	 * older versions.
+	 *
+	 * If the changed record isn't dirty, then
+	 * we don't need it anymore since we're
+	 * committing and not rolling back.
+	 *
+	 * The caller must be holding the database lock.
+	 */
+	for (changed = HEAD(version->changed_list);
+	     changed != NULL;
+	     changed = next_changed) {
+		next_changed = NEXT(changed, link);
+		if (!changed->dirty) {
+			UNLINK(version->changed_list,
+			       changed, link);
+			APPEND(*cleanup_list,
+			       changed, link);
+		}
+	}
+}
+
+static void
+iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
+	dns_rdataset_t keyset;
+	dns_rdataset_t nsecset, signsecset;
+	bool haszonekey = false;
+	bool hasnsec = false;
+	isc_result_t result;
+
+	dns_rdataset_init(&keyset);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_dnskey,
+				     0, 0, &keyset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_rdataset_first(&keyset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_t keyrdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&keyset, &keyrdata);
+			if (dns_zonekey_iszonekey(&keyrdata)) {
+				haszonekey = true;
+				break;
+			}
+			result = dns_rdataset_next(&keyset);
+		}
+		dns_rdataset_disassociate(&keyset);
+	}
+	if (!haszonekey) {
+		version->secure = dns_db_insecure;
+		version->havensec3 = false;
+		return;
+	}
+
+	dns_rdataset_init(&nsecset);
+	dns_rdataset_init(&signsecset);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_nsec,
+				     0, 0, &nsecset, &signsecset);
+	if (result == ISC_R_SUCCESS) {
+		if (dns_rdataset_isassociated(&signsecset)) {
+			hasnsec = true;
+			dns_rdataset_disassociate(&signsecset);
+		}
+		dns_rdataset_disassociate(&nsecset);
+	}
+
+	setnsec3parameters(db, version);
+
+	/*
+	 * Do we have a valid NSEC/NSEC3 chain?
+	 */
+	if (version->havensec3 || hasnsec)
+		version->secure = dns_db_secure;
+	else
+		version->secure = dns_db_insecure;
+}
+
+/*%<
+ * Walk the origin node looking for NSEC3PARAM records.
+ * Cache the nsec3 parameters.
+ */
+static void
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
+	dns_rbtnode_t *node;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t region;
+	isc_result_t result;
+	rdatasetheader_t *header, *header_next;
+	unsigned char *raw;             /* RDATASLAB */
+	unsigned int count, length;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	version->havensec3 = false;
+	node = rbtdb->origin_node;
+	NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
+	for (header = node->data;
+	     header != NULL;
+	     header = header_next) {
+		header_next = header->next;
+		do {
+			if (header->serial <= version->serial &&
+			    !IGNORE(header)) {
+				if (NONEXISTENT(header))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+
+		if (header != NULL &&
+		    (header->type == dns_rdatatype_nsec3param)) {
+			/*
+			 * Find A NSEC3PARAM with a supported algorithm.
+			 */
+			raw = (unsigned char *)header + sizeof(*header);
+			count = raw[0] * 256 + raw[1]; /* count */
+#if DNS_RDATASET_FIXED
+			raw += count * 4 + 2;
+#else
+			raw += 2;
+#endif
+			while (count-- > 0U) {
+				length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+				raw += 4;
+#else
+				raw += 2;
+#endif
+				region.base = raw;
+				region.length = length;
+				raw += length;
+				dns_rdata_fromregion(&rdata,
+						     rbtdb->common.rdclass,
+						     dns_rdatatype_nsec3param,
+						     &region);
+				result = dns_rdata_tostruct(&rdata,
+							    &nsec3param,
+							    NULL);
+				INSIST(result == ISC_R_SUCCESS);
+				dns_rdata_reset(&rdata);
+
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG &&
+				    !dns_nsec3_supportedhash(nsec3param.hash))
+					continue;
+
+				if (nsec3param.flags != 0)
+					continue;
+
+				memmove(version->salt, nsec3param.salt,
+					nsec3param.salt_length);
+				version->hash = nsec3param.hash;
+				version->salt_length = nsec3param.salt_length;
+				version->iterations = nsec3param.iterations;
+				version->flags = nsec3param.flags;
+				version->havensec3 = true;
+				/*
+				 * Look for a better algorithm than the
+				 * unknown test algorithm.
+				 */
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG)
+					goto unlock;
+			}
+		}
+	}
+ unlock:
+	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+}
+
+static void
+cleanup_dead_nodes_callback(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_arg;
+	bool again = false;
+	unsigned int locknum;
+	unsigned int refs;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
+		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+			  isc_rwlocktype_write);
+		cleanup_dead_nodes(rbtdb, locknum);
+		if (ISC_LIST_HEAD(rbtdb->deadnodes[locknum]) != NULL)
+			again = true;
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+			    isc_rwlocktype_write);
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	if (again)
+		isc_task_send(task, &event);
+	else {
+		isc_event_free(&event);
+		isc_refcount_decrement(&rbtdb->references, &refs);
+		if (refs == 0)
+			maybe_free_rbtdb(rbtdb);
+	}
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_version_t *version, *cleanup_version, *least_greater;
+	bool rollback = false;
+	rbtdb_changedlist_t cleanup_list;
+	rdatasetheaderlist_t resigned_list;
+	rbtdb_changed_t *changed, *next_changed;
+	rbtdb_serial_t serial, least_serial;
+	dns_rbtnode_t *rbtnode;
+	unsigned int refs;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	version = (rbtdb_version_t *)*versionp;
+	INSIST(version->rbtdb == rbtdb);
+
+	cleanup_version = NULL;
+	ISC_LIST_INIT(cleanup_list);
+	ISC_LIST_INIT(resigned_list);
+
+	isc_refcount_decrement(&version->references, &refs);
+	if (refs > 0) {         /* typical and easy case first */
+		if (commit) {
+			RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+			INSIST(!version->writer);
+			RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+		}
+		goto end;
+	}
+
+	/*
+	 * Update the zone's secure status in version before making
+	 * it the current version.
+	 */
+	if (version->writer && commit && !IS_CACHE(rbtdb))
+		iszonesecure(db, version, rbtdb->origin_node);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	serial = version->serial;
+	if (version->writer) {
+		if (commit) {
+			unsigned cur_ref;
+			rbtdb_version_t *cur_version;
+
+			INSIST(version->commit_ok);
+			INSIST(version == rbtdb->future_version);
+			/*
+			 * The current version is going to be replaced.
+			 * Release the (likely last) reference to it from the
+			 * DB itself and unlink it from the open list.
+			 */
+			cur_version = rbtdb->current_version;
+			isc_refcount_decrement(&cur_version->references,
+					       &cur_ref);
+			if (cur_ref == 0) {
+				if (cur_version->serial == rbtdb->least_serial)
+					INSIST(EMPTY(cur_version->changed_list));
+				UNLINK(rbtdb->open_versions,
+				       cur_version, link);
+			}
+			if (EMPTY(rbtdb->open_versions)) {
+				/*
+				 * We're going to become the least open
+				 * version.
+				 */
+				make_least_version(rbtdb, version,
+						   &cleanup_list);
+			} else {
+				/*
+				 * Some other open version is the
+				 * least version.  We can't cleanup
+				 * records that were changed in this
+				 * version because the older versions
+				 * may still be in use by an open
+				 * version.
+				 *
+				 * We can, however, discard the
+				 * changed records for things that
+				 * we've added that didn't exist in
+				 * prior versions.
+				 */
+				cleanup_nondirty(version, &cleanup_list);
+			}
+			/*
+			 * If the (soon to be former) current version
+			 * isn't being used by anyone, we can clean
+			 * it up.
+			 */
+			if (cur_ref == 0) {
+				cleanup_version = cur_version;
+				APPENDLIST(version->changed_list,
+					   cleanup_version->changed_list,
+					   link);
+			}
+			/*
+			 * Become the current version.
+			 */
+			version->writer = false;
+			rbtdb->current_version = version;
+			rbtdb->current_serial = version->serial;
+			rbtdb->future_version = NULL;
+
+			/*
+			 * Keep the current version in the open list, and
+			 * gain a reference for the DB itself (see the DB
+			 * creation function below).  This must be the only
+			 * case where we need to increment the counter from
+			 * zero and need to use isc_refcount_increment0().
+			 */
+			isc_refcount_increment0(&version->references,
+						&cur_ref);
+			INSIST(cur_ref == 1);
+			PREPEND(rbtdb->open_versions,
+				rbtdb->current_version, link);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
+		} else {
+			/*
+			 * We're rolling back this transaction.
+			 */
+			cleanup_list = version->changed_list;
+			ISC_LIST_INIT(version->changed_list);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
+			rollback = true;
+			cleanup_version = version;
+			rbtdb->future_version = NULL;
+		}
+	} else {
+		if (version != rbtdb->current_version) {
+			/*
+			 * There are no external or internal references
+			 * to this version and it can be cleaned up.
+			 */
+			cleanup_version = version;
+
+			/*
+			 * Find the version with the least serial
+			 * number greater than ours.
+			 */
+			least_greater = PREV(version, link);
+			if (least_greater == NULL)
+				least_greater = rbtdb->current_version;
+
+			INSIST(version->serial < least_greater->serial);
+			/*
+			 * Is this the least open version?
+			 */
+			if (version->serial == rbtdb->least_serial) {
+				/*
+				 * Yes.  Install the new least open
+				 * version.
+				 */
+				make_least_version(rbtdb,
+						   least_greater,
+						   &cleanup_list);
+			} else {
+				/*
+				 * Add any unexecuted cleanups to
+				 * those of the least greater version.
+				 */
+				APPENDLIST(least_greater->changed_list,
+					   version->changed_list,
+					   link);
+			}
+		} else if (version->serial == rbtdb->least_serial)
+			INSIST(EMPTY(version->changed_list));
+		UNLINK(rbtdb->open_versions, version, link);
+	}
+	least_serial = rbtdb->least_serial;
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	if (cleanup_version != NULL) {
+		INSIST(EMPTY(cleanup_version->changed_list));
+		isc_rwlock_destroy(&cleanup_version->rwlock);
+		isc_mem_put(rbtdb->common.mctx, cleanup_version,
+			    sizeof(*cleanup_version));
+	}
+
+	/*
+	 * Commit/rollback re-signed headers.
+	 */
+	for (header = HEAD(resigned_list);
+	     header != NULL;
+	     header = HEAD(resigned_list)) {
+		nodelock_t *lock;
+
+		ISC_LIST_UNLINK(resigned_list, header, link);
+
+		lock = &rbtdb->node_locks[header->node->locknum].lock;
+		NODE_LOCK(lock, isc_rwlocktype_write);
+		if (rollback && !IGNORE(header)) {
+			isc_result_t result;
+			result = resign_insert(rbtdb, header->node->locknum,
+					       header);
+			if (result != ISC_R_SUCCESS)
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_ZONE, ISC_LOG_ERROR,
+					      "Unable to reinsert header to "
+					      "re-signing heap: %s\n",
+				dns_result_totext(result));
+		}
+		decrement_reference(rbtdb, header->node, least_serial,
+				    isc_rwlocktype_write, isc_rwlocktype_none,
+				    false);
+		NODE_UNLOCK(lock, isc_rwlocktype_write);
+	}
+
+	if (!EMPTY(cleanup_list)) {
+		isc_event_t *event = NULL;
+		isc_rwlocktype_t tlock = isc_rwlocktype_none;
+
+		if (rbtdb->task != NULL)
+			event = isc_event_allocate(rbtdb->common.mctx, NULL,
+						   DNS_EVENT_RBTDEADNODES,
+						   cleanup_dead_nodes_callback,
+						   rbtdb, sizeof(isc_event_t));
+		if (event == NULL) {
+			/*
+			 * We acquire a tree write lock here in order to make
+			 * sure that stale nodes will be removed in
+			 * decrement_reference().  If we didn't have the lock,
+			 * those nodes could miss the chance to be removed
+			 * until the server stops.  The write lock is
+			 * expensive, but this event should be rare enough
+			 * to justify the cost.
+			 */
+			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+			tlock = isc_rwlocktype_write;
+		}
+
+		for (changed = HEAD(cleanup_list);
+		     changed != NULL;
+		     changed = next_changed) {
+			nodelock_t *lock;
+
+			next_changed = NEXT(changed, link);
+			rbtnode = changed->node;
+			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			/*
+			 * This is a good opportunity to purge any dead nodes,
+			 * so use it.
+			 */
+			if (event == NULL)
+				cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+			if (rollback)
+				rollback_node(rbtnode, serial);
+			decrement_reference(rbtdb, rbtnode, least_serial,
+					    isc_rwlocktype_write, tlock,
+					    false);
+
+			NODE_UNLOCK(lock, isc_rwlocktype_write);
+
+			isc_mem_put(rbtdb->common.mctx, changed,
+				    sizeof(*changed));
+		}
+		if (event != NULL) {
+			isc_refcount_increment(&rbtdb->references, NULL);
+			isc_task_send(rbtdb->task, &event);
+		} else
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
+
+ end:
+	*versionp = NULL;
+}
+
+/*
+ * Add the necessary magic for the wildcard name 'name'
+ * to be found in 'rbtdb'.
+ *
+ * In order for wildcard matching to work correctly in
+ * zone_find(), we must ensure that a node for the wildcarding
+ * level exists in the database, and has its 'find_callback'
+ * and 'wild' bits set.
+ *
+ * E.g. if the wildcard name is "*.sub.example." then we
+ * must ensure that "sub.example." exists and is marked as
+ * a wildcard level.
+ */
+static isc_result_t
+add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
+	isc_result_t result;
+	dns_name_t foundname;
+	dns_offsets_t offsets;
+	unsigned int n;
+	dns_rbtnode_t *node = NULL;
+
+	dns_name_init(&foundname, offsets);
+	n = dns_name_countlabels(name);
+	INSIST(n >= 2);
+	n--;
+	dns_name_getlabelsequence(name, 1, n, &foundname);
+	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+		return (result);
+	if (result == ISC_R_SUCCESS)
+		node->nsec = DNS_RBT_NSEC_NORMAL;
+	node->find_callback = 1;
+	node->wild = 1;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
+	isc_result_t result;
+	dns_name_t foundname;
+	dns_offsets_t offsets;
+	unsigned int n, l, i;
+
+	dns_name_init(&foundname, offsets);
+	n = dns_name_countlabels(name);
+	l = dns_name_countlabels(&rbtdb->common.origin);
+	i = l + 1;
+	while (i < n) {
+		dns_rbtnode_t *node = NULL;     /* dummy */
+		dns_name_getlabelsequence(name, n - i, i, &foundname);
+		if (dns_name_iswildcard(&foundname)) {
+			result = add_wildcard_magic(rbtdb, &foundname);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			result = dns_rbt_addnode(rbtdb->tree, &foundname,
+						 &node);
+			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+				return (result);
+			if (result == ISC_R_SUCCESS)
+				node->nsec = DNS_RBT_NSEC_NORMAL;
+		}
+		i++;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
+	       bool create, dns_dbnode_t **nodep)
+{
+	dns_rbtnode_t *node = NULL;
+	dns_name_t nodename;
+	isc_result_t result;
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+	INSIST(tree == rbtdb->tree || tree == rbtdb->nsec3);
+
+	dns_name_init(&nodename, NULL);
+	RWLOCK(&rbtdb->tree_lock, locktype);
+	result = dns_rbt_findnode(tree, name, NULL, &node, NULL,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		RWUNLOCK(&rbtdb->tree_lock, locktype);
+		if (!create) {
+			if (result == DNS_R_PARTIALMATCH)
+				result = ISC_R_NOTFOUND;
+			return (result);
+		}
+		/*
+		 * It would be nice to try to upgrade the lock instead of
+		 * unlocking then relocking.
+		 */
+		locktype = isc_rwlocktype_write;
+		RWLOCK(&rbtdb->tree_lock, locktype);
+		node = NULL;
+		result = dns_rbt_addnode(tree, name, &node);
+		if (result == ISC_R_SUCCESS) {
+			dns_rbt_namefromnode(node, &nodename);
+#ifdef DNS_RBT_USEHASH
+			node->locknum = node->hashval % rbtdb->node_lock_count;
+#else
+			node->locknum = dns_name_hash(&nodename, true) %
+				rbtdb->node_lock_count;
+#endif
+			if (tree == rbtdb->tree) {
+				add_empty_wildcards(rbtdb, name);
+
+				if (dns_name_iswildcard(name)) {
+					result = add_wildcard_magic(rbtdb, name);
+					if (result != ISC_R_SUCCESS) {
+						RWUNLOCK(&rbtdb->tree_lock, locktype);
+						return (result);
+					}
+				}
+			}
+			if (tree == rbtdb->nsec3)
+				node->nsec = DNS_RBT_NSEC_NSEC3;
+		} else if (result != ISC_R_EXISTS) {
+			RWUNLOCK(&rbtdb->tree_lock, locktype);
+			return (result);
+		}
+	}
+
+	if (tree == rbtdb->nsec3)
+		INSIST(node->nsec == DNS_RBT_NSEC_NSEC3);
+
+	reactivate_node(rbtdb, node, locktype);
+
+	/*
+	 * Always try to add the policy zone data, because this node might
+	 * already have been implicitly created by the previous addition of
+	 * a longer domain.  A common example is adding *.example.com
+	 * (implicitly creating example.com) followed by explicitly adding
+	 * example.com.
+	 */
+	if (create && rbtdb->rpzs != NULL && tree == rbtdb->tree) {
+		dns_fixedname_t fnamef;
+		dns_name_t *fname;
+
+		dns_fixedname_init(&fnamef);
+		fname = dns_fixedname_name(&fnamef);
+		dns_rbt_fullnamefromnode(node, fname);
+		result = dns_rpz_add(rbtdb->rpzs, rbtdb->rpz_num, fname);
+		if (result == ISC_R_SUCCESS)
+			node->rpz = 1;
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+			/*
+			 * It is too late to give up, so merely complain.
+			 */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+				      "dns_rpz_add(): %s",
+				      isc_result_totext(result));
+		}
+	}
+
+	RWUNLOCK(&rbtdb->tree_lock, locktype);
+
+	*nodep = (dns_dbnode_t *)node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	return (findnodeintree(rbtdb, rbtdb->tree, name, create, nodep));
+}
+
+static isc_result_t
+findnsec3node(dns_db_t *db, dns_name_t *name, bool create,
+	      dns_dbnode_t **nodep)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	return (findnodeintree(rbtdb, rbtdb->nsec3, name, create, nodep));
+}
+
+static isc_result_t
+zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+	rbtdb_search_t *search = arg;
+	rdatasetheader_t *header, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
+	rdatasetheader_t *found;
+	isc_result_t result;
+	dns_rbtnode_t *onode;
+
+	/*
+	 * We only want to remember the topmost zone cut, since it's the one
+	 * that counts, so we'll just continue if we've already found a
+	 * zonecut.
+	 */
+	if (search->zonecut != NULL)
+		return (DNS_R_CONTINUE);
+
+	found = NULL;
+	result = DNS_R_CONTINUE;
+	onode = search->rbtdb->origin_node;
+
+	NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
+
+	/*
+	 * Look for an NS or DNAME rdataset active in our version.
+	 */
+	ns_header = NULL;
+	dname_header = NULL;
+	sigdname_header = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (header->type == dns_rdatatype_ns ||
+		    header->type == dns_rdatatype_dname ||
+		    header->type == RBTDB_RDATATYPE_SIGDNAME) {
+			do {
+				if (header->serial <= search->serial &&
+				    !IGNORE(header)) {
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header))
+						header = NULL;
+					break;
+				} else
+					header = header->down;
+			} while (header != NULL);
+			if (header != NULL) {
+				if (header->type == dns_rdatatype_dname)
+					dname_header = header;
+				else if (header->type ==
+					   RBTDB_RDATATYPE_SIGDNAME)
+					sigdname_header = header;
+				else if (node != onode ||
+					 IS_STUB(search->rbtdb)) {
+					/*
+					 * We've found an NS rdataset that
+					 * isn't at the origin node.  We check
+					 * that they're not at the origin node,
+					 * because otherwise we'd erroneously
+					 * treat the zone top as if it were
+					 * a delegation.
+					 */
+					ns_header = header;
+				}
+			}
+		}
+	}
+
+	/*
+	 * Did we find anything?
+	 */
+	if (!IS_CACHE(search->rbtdb) && !IS_STUB(search->rbtdb) &&
+	    ns_header != NULL) {
+		/*
+		 * Note that NS has precedence over DNAME if both exist
+		 * in a zone.  Otherwise DNAME take precedence over NS.
+		 */
+		found = ns_header;
+		search->zonecut_sigrdataset = NULL;
+	} else if (dname_header != NULL) {
+		found = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
+	} else if (ns_header != NULL) {
+		found = ns_header;
+		search->zonecut_sigrdataset = NULL;
+	}
+
+	if (found != NULL) {
+		/*
+		 * We increment the reference count on node to ensure that
+		 * search->zonecut_rdataset will still be valid later.
+		 */
+		new_reference(search->rbtdb, node);
+		search->zonecut = node;
+		search->zonecut_rdataset = found;
+		search->need_cleanup = true;
+		/*
+		 * Since we've found a zonecut, anything beneath it is
+		 * glue and is not subject to wildcard matching, so we
+		 * may clear search->wild.
+		 */
+		search->wild = false;
+		if ((search->options & DNS_DBFIND_GLUEOK) == 0) {
+			/*
+			 * If the caller does not want to find glue, then
+			 * this is the best answer and the search should
+			 * stop now.
+			 */
+			result = DNS_R_PARTIALMATCH;
+		} else {
+			dns_name_t *zcname;
+
+			/*
+			 * The search will continue beneath the zone cut.
+			 * This may or may not be the best match.  In case it
+			 * is, we need to remember the node name.
+			 */
+			zcname = dns_fixedname_name(&search->zonecut_name);
+			RUNTIME_CHECK(dns_name_copy(name, zcname, NULL) ==
+				      ISC_R_SUCCESS);
+			search->copy_name = true;
+		}
+	} else {
+		/*
+		 * There is no zonecut at this node which is active in this
+		 * version.
+		 *
+		 * If this is a "wild" node and the caller hasn't disabled
+		 * wildcard matching, remember that we've seen a wild node
+		 * in case we need to go searching for wildcard matches
+		 * later on.
+		 */
+		if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0)
+			search->wild = true;
+	}
+
+	NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
+
+	return (result);
+}
+
+static inline void
+bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+	      rdatasetheader_t *header, isc_stdtime_t now,
+	      dns_rdataset_t *rdataset)
+{
+	unsigned char *raw;     /* RDATASLAB */
+
+	/*
+	 * Caller must be holding the node reader lock.
+	 * XXXJT: technically, we need a writer lock, since we'll increment
+	 * the header count below.  However, since the actual counter value
+	 * doesn't matter, we prioritize performance here.  (We may want to
+	 * use atomic increment when available).
+	 */
+
+	if (rdataset == NULL)
+		return;
+
+	new_reference(rbtdb, node);
+
+	INSIST(rdataset->methods == NULL);      /* We must be disassociated. */
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = rbtdb->common.rdclass;
+	rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
+	rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
+	rdataset->ttl = header->rdh_ttl - now;
+	rdataset->trust = header->trust;
+	if (NEGATIVE(header))
+		rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
+	if (NXDOMAIN(header))
+		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	if (OPTOUT(header))
+		rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
+	if (PREFETCH(header))
+		rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
+	rdataset->private1 = rbtdb;
+	rdataset->private2 = node;
+	raw = (unsigned char *)header + sizeof(*header);
+	rdataset->private3 = raw;
+	rdataset->count = header->count++;
+	if (rdataset->count == UINT32_MAX)
+		rdataset->count = 0;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	/*
+	 * Add noqname proof.
+	 */
+	rdataset->private6 = header->noqname;
+	if (rdataset->private6 != NULL)
+		rdataset->attributes |=  DNS_RDATASETATTR_NOQNAME;
+	rdataset->private7 = header->closest;
+	if (rdataset->private7 != NULL)
+		rdataset->attributes |=  DNS_RDATASETATTR_CLOSEST;
+
+	/*
+	 * Copy out re-signing information.
+	 */
+	if (RESIGN(header)) {
+		rdataset->attributes |=  DNS_RDATASETATTR_RESIGN;
+		rdataset->resign = (header->resign << 1) | header->resign_lsb;
+	} else
+		rdataset->resign = 0;
+}
+
+static inline isc_result_t
+setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		 dns_name_t *foundname, dns_rdataset_t *rdataset,
+		 dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_name_t *zcname;
+	rbtdb_rdatatype_t type;
+	dns_rbtnode_t *node;
+
+	/*
+	 * The caller MUST NOT be holding any node locks.
+	 */
+
+	node = search->zonecut;
+	type = search->zonecut_rdataset->type;
+
+	/*
+	 * If we have to set foundname, we do it before anything else.
+	 * If we were to set foundname after we had set nodep or bound the
+	 * rdataset, then we'd have to undo that work if dns_name_copy()
+	 * failed.  By setting foundname first, there's nothing to undo if
+	 * we have trouble.
+	 */
+	if (foundname != NULL && search->copy_name) {
+		zcname = dns_fixedname_name(&search->zonecut_name);
+		result = dns_name_copy(zcname, foundname, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (nodep != NULL) {
+		/*
+		 * Note that we don't have to increment the node's reference
+		 * count here because we're going to use the reference we
+		 * already have in the search block.
+		 */
+		*nodep = node;
+		search->need_cleanup = false;
+	}
+	if (rdataset != NULL) {
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
+			      search->now, rdataset);
+		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+			bind_rdataset(search->rbtdb, node,
+				      search->zonecut_sigrdataset,
+				      search->now, sigrdataset);
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+	}
+
+	if (type == dns_rdatatype_dname)
+		return (DNS_R_DNAME);
+	return (DNS_R_DELEGATION);
+}
+
+static inline bool
+valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
+	   dns_rbtnode_t *node)
+{
+	unsigned char *raw;     /* RDATASLAB */
+	unsigned int count, size;
+	dns_name_t ns_name;
+	bool valid = false;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	rdatasetheader_t *header;
+
+	/*
+	 * No additional locking is required.
+	 */
+
+	/*
+	 * Valid glue types are A, AAAA, A6.  NS is also a valid glue type
+	 * if it occurs at a zone cut, but is not valid below it.
+	 */
+	if (type == dns_rdatatype_ns) {
+		if (node != search->zonecut) {
+			return (false);
+		}
+	} else if (type != dns_rdatatype_a &&
+		   type != dns_rdatatype_aaaa &&
+		   type != dns_rdatatype_a6) {
+		return (false);
+	}
+
+	header = search->zonecut_rdataset;
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += 2 + (4 * count);
+#else
+	raw += 2;
+#endif
+
+	while (count > 0) {
+		count--;
+		size = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+		raw += 4;
+#else
+		raw += 2;
+#endif
+		region.base = raw;
+		region.length = size;
+		raw += size;
+		/*
+		 * XXX Until we have rdata structures, we have no choice but
+		 * to directly access the rdata format.
+		 */
+		dns_name_init(&ns_name, offsets);
+		dns_name_fromregion(&ns_name, &region);
+		if (dns_name_compare(&ns_name, name) == 0) {
+			valid = true;
+			break;
+		}
+	}
+
+	return (valid);
+}
+
+static inline bool
+activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
+	    dns_name_t *name)
+{
+	dns_fixedname_t fnext;
+	dns_fixedname_t forigin;
+	dns_name_t *next;
+	dns_name_t *origin;
+	dns_name_t prefix;
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *node;
+	isc_result_t result;
+	bool answer = false;
+	rdatasetheader_t *header;
+
+	rbtdb = search->rbtdb;
+
+	dns_name_init(&prefix, NULL);
+	next = dns_fixedname_initname(&fnext);
+	origin = dns_fixedname_initname(&forigin);
+
+	result = dns_rbtnodechain_next(chain, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		node = NULL;
+		result = dns_rbtnodechain_current(chain, &prefix,
+						  origin, &node);
+		if (result != ISC_R_SUCCESS)
+			break;
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data;
+		     header != NULL;
+		     header = header->next) {
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+				break;
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL)
+			break;
+		result = dns_rbtnodechain_next(chain, NULL, NULL);
+	}
+	if (result == ISC_R_SUCCESS)
+		result = dns_name_concatenate(&prefix, origin, next, NULL);
+	if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name))
+		answer = true;
+	return (answer);
+}
+
+static inline bool
+activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
+	dns_fixedname_t fnext;
+	dns_fixedname_t forigin;
+	dns_fixedname_t fprev;
+	dns_name_t *next;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t name;
+	dns_name_t rname;
+	dns_name_t tname;
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	bool check_next = true;
+	bool check_prev = true;
+	bool answer = false;
+	isc_result_t result;
+	rdatasetheader_t *header;
+	unsigned int n;
+
+	rbtdb = search->rbtdb;
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&tname, NULL);
+	dns_name_init(&rname, NULL);
+	next = dns_fixedname_initname(&fnext);
+	prev = dns_fixedname_initname(&fprev);
+	origin = dns_fixedname_initname(&forigin);
+
+	/*
+	 * Find if qname is at or below a empty node.
+	 * Use our own copy of the chain.
+	 */
+
+	chain = search->chain;
+	do {
+		node = NULL;
+		result = dns_rbtnodechain_current(&chain, &name,
+						  origin, &node);
+		if (result != ISC_R_SUCCESS)
+			break;
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data;
+		     header != NULL;
+		     header = header->next) {
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+				break;
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL)
+			break;
+		result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	} while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN);
+	if (result == ISC_R_SUCCESS)
+		result = dns_name_concatenate(&name, origin, prev, NULL);
+	if (result != ISC_R_SUCCESS)
+		check_prev = false;
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		node = NULL;
+		result = dns_rbtnodechain_current(&chain, &name,
+						  origin, &node);
+		if (result != ISC_R_SUCCESS)
+			break;
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		for (header = node->data;
+		     header != NULL;
+		     header = header->next) {
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+				break;
+		}
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		if (header != NULL)
+			break;
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+	if (result == ISC_R_SUCCESS)
+		result = dns_name_concatenate(&name, origin, next, NULL);
+	if (result != ISC_R_SUCCESS)
+		check_next = false;
+
+	dns_name_clone(qname, &rname);
+
+	/*
+	 * Remove the wildcard label to find the terminal name.
+	 */
+	n = dns_name_countlabels(wname);
+	dns_name_getlabelsequence(wname, 1, n - 1, &tname);
+
+	do {
+		if ((check_prev && dns_name_issubdomain(prev, &rname)) ||
+		    (check_next && dns_name_issubdomain(next, &rname))) {
+			answer = true;
+			break;
+		}
+		/*
+		 * Remove the left hand label.
+		 */
+		n = dns_name_countlabels(&rname);
+		dns_name_getlabelsequence(&rname, 1, n - 1, &rname);
+	} while (!dns_name_equal(&rname, &tname));
+	return (answer);
+}
+
+static inline isc_result_t
+find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
+	      dns_name_t *qname)
+{
+	unsigned int i, j;
+	dns_rbtnode_t *node, *level_node, *wnode;
+	rdatasetheader_t *header;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_name_t name;
+	dns_name_t *wname;
+	dns_fixedname_t fwname;
+	dns_rbtdb_t *rbtdb;
+	bool done, wild, active;
+	dns_rbtnodechain_t wchain;
+
+	/*
+	 * Caller must be holding the tree lock and MUST NOT be holding
+	 * any node locks.
+	 */
+
+	/*
+	 * Examine each ancestor level.  If the level's wild bit
+	 * is set, then construct the corresponding wildcard name and
+	 * search for it.  If the wildcard node exists, and is active in
+	 * this version, we're done.  If not, then we next check to see
+	 * if the ancestor is active in this version.  If so, then there
+	 * can be no possible wildcard match and again we're done.  If not,
+	 * continue the search.
+	 */
+
+	rbtdb = search->rbtdb;
+	i = search->chain.level_matches;
+	done = false;
+	node = *nodep;
+	do {
+		NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+
+		/*
+		 * First we try to figure out if this node is active in
+		 * the search's version.  We do this now, even though we
+		 * may not need the information, because it simplifies the
+		 * locking and code flow.
+		 */
+		for (header = node->data;
+		     header != NULL;
+		     header = header->next) {
+			if (header->serial <= search->serial &&
+			    !IGNORE(header) && EXISTS(header))
+				break;
+		}
+		if (header != NULL)
+			active = true;
+		else
+			active = false;
+
+		if (node->wild)
+			wild = true;
+		else
+			wild = false;
+
+		NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+
+		if (wild) {
+			/*
+			 * Construct the wildcard name for this level.
+			 */
+			dns_name_init(&name, NULL);
+			dns_rbt_namefromnode(node, &name);
+			wname = dns_fixedname_initname(&fwname);
+			result = dns_name_concatenate(dns_wildcardname, &name,
+						      wname, NULL);
+			j = i;
+			while (result == ISC_R_SUCCESS && j != 0) {
+				j--;
+				level_node = search->chain.levels[j];
+				dns_name_init(&name, NULL);
+				dns_rbt_namefromnode(level_node, &name);
+				result = dns_name_concatenate(wname,
+							      &name,
+							      wname,
+							      NULL);
+			}
+			if (result != ISC_R_SUCCESS)
+				break;
+
+			wnode = NULL;
+			dns_rbtnodechain_init(&wchain, NULL);
+			result = dns_rbt_findnode(rbtdb->tree, wname,
+						  NULL, &wnode, &wchain,
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				nodelock_t *lock;
+
+				/*
+				 * We have found the wildcard node.  If it
+				 * is active in the search's version, we're
+				 * done.
+				 */
+				lock = &rbtdb->node_locks[wnode->locknum].lock;
+				NODE_LOCK(lock, isc_rwlocktype_read);
+				for (header = wnode->data;
+				     header != NULL;
+				     header = header->next) {
+					if (header->serial <= search->serial &&
+					    !IGNORE(header) && EXISTS(header))
+						break;
+				}
+				NODE_UNLOCK(lock, isc_rwlocktype_read);
+				if (header != NULL ||
+				    activeempty(search, &wchain, wname)) {
+					if (activeemtpynode(search, qname,
+							    wname)) {
+						return (ISC_R_NOTFOUND);
+					}
+					/*
+					 * The wildcard node is active!
+					 *
+					 * Note: result is still ISC_R_SUCCESS
+					 * so we don't have to set it.
+					 */
+					*nodep = wnode;
+					break;
+				}
+			} else if (result != ISC_R_NOTFOUND &&
+				   result != DNS_R_PARTIALMATCH) {
+				/*
+				 * An error has occurred.  Bail out.
+				 */
+				break;
+			}
+		}
+
+		if (active) {
+			/*
+			 * The level node is active.  Any wildcarding
+			 * present at higher levels has no
+			 * effect and we're done.
+			 */
+			result = ISC_R_NOTFOUND;
+			break;
+		}
+
+		if (i > 0) {
+			i--;
+			node = search->chain.levels[i];
+		} else
+			done = true;
+	} while (!done);
+
+	return (result);
+}
+
+static bool
+matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	unsigned char *raw;                     /* RDATASLAB */
+	unsigned int rdlen, count;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(header->type == dns_rdatatype_nsec3);
+
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1]; /* count */
+#if DNS_RDATASET_FIXED
+	raw += count * 4 + 2;
+#else
+	raw += 2;
+#endif
+	while (count-- > 0) {
+		rdlen = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+		raw += 4;
+#else
+		raw += 2;
+#endif
+		region.base = raw;
+		region.length = rdlen;
+		dns_rdata_fromregion(&rdata, search->rbtdb->common.rdclass,
+				     dns_rdatatype_nsec3, &region);
+		raw += rdlen;
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (nsec3.hash == search->rbtversion->hash &&
+		    nsec3.iterations == search->rbtversion->iterations &&
+		    nsec3.salt_length == search->rbtversion->salt_length &&
+		    memcmp(nsec3.salt, search->rbtversion->salt,
+			   nsec3.salt_length) == 0)
+			return (true);
+		dns_rdata_reset(&rdata);
+	}
+	return (false);
+}
+
+/*
+ * Find node of the NSEC/NSEC3 record that is 'name'.
+ */
+static inline isc_result_t
+previous_closest_nsec(dns_rdatatype_t type, rbtdb_search_t *search,
+		    dns_name_t *name, dns_name_t *origin,
+		    dns_rbtnode_t **nodep, dns_rbtnodechain_t *nsecchain,
+		    bool *firstp)
+{
+	dns_fixedname_t ftarget;
+	dns_name_t *target;
+	dns_rbtnode_t *nsecnode;
+	isc_result_t result;
+
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (type == dns_rdatatype_nsec3) {
+		result = dns_rbtnodechain_prev(&search->chain, NULL, NULL);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+			return (result);
+		result = dns_rbtnodechain_current(&search->chain, name, origin,
+						  nodep);
+		return (result);
+	}
+
+	target = dns_fixedname_initname(&ftarget);
+
+	for (;;) {
+		if (*firstp) {
+			/*
+			 * Construct the name of the second node to check.
+			 * It is the first node sought in the NSEC tree.
+			 */
+			*firstp = false;
+			dns_rbtnodechain_init(nsecchain, NULL);
+			result = dns_name_concatenate(name, origin,
+						      target, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			nsecnode = NULL;
+			result = dns_rbt_findnode(search->rbtdb->nsec,
+						  target, NULL,
+						  &nsecnode, nsecchain,
+						  DNS_RBTFIND_NOOPTIONS,
+						  NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * Since this was the first loop, finding the
+				 * name in the NSEC tree implies that the first
+				 * node checked in the main tree had an
+				 * unacceptable NSEC record.
+				 * Try the previous node in the NSEC tree.
+				 */
+				result = dns_rbtnodechain_prev(nsecchain,
+							       name, origin);
+				if (result == DNS_R_NEWORIGIN)
+					result = ISC_R_SUCCESS;
+			} else if (result == ISC_R_NOTFOUND ||
+				   result == DNS_R_PARTIALMATCH) {
+				result = dns_rbtnodechain_current(nsecchain,
+							name, origin, NULL);
+				if (result == ISC_R_NOTFOUND)
+					result = ISC_R_NOMORE;
+			}
+		} else {
+			/*
+			 * This is a second or later trip through the auxiliary
+			 * tree for the name of a third or earlier NSEC node in
+			 * the main tree.  Previous trips through the NSEC tree
+			 * must have found nodes in the main tree with NSEC
+			 * records.  Perhaps they lacked signature records.
+			 */
+			result = dns_rbtnodechain_prev(nsecchain, name, origin);
+			if (result == DNS_R_NEWORIGIN)
+				result = ISC_R_SUCCESS;
+		}
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * Construct the name to seek in the main tree.
+		 */
+		result = dns_name_concatenate(name, origin, target, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		*nodep = NULL;
+		result = dns_rbt_findnode(search->rbtdb->tree, target, NULL,
+					  nodep, &search->chain,
+					  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * There should always be a node in the main tree with the
+		 * same name as the node in the auxiliary NSEC tree, except for
+		 * nodes in the auxiliary tree that are awaiting deletion.
+		 */
+		if (result != DNS_R_PARTIALMATCH && result != ISC_R_NOTFOUND) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_ERROR,
+				      "previous_closest_nsec(): %s",
+				      isc_result_totext(result));
+			return (DNS_R_BADDB);
+		}
+	}
+}
+
+/*
+ * Find the NSEC/NSEC3 which is or before the current point on the
+ * search chain.  For NSEC3 records only NSEC3 records that match the
+ * current NSEC3PARAM record are considered.
+ */
+static inline isc_result_t
+find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		  dns_name_t *foundname, dns_rdataset_t *rdataset,
+		  dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
+		  dns_db_secure_t secure)
+{
+	dns_rbtnode_t *node, *prevnode;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	dns_rbtnodechain_t nsecchain;
+	bool empty_node;
+	isc_result_t result;
+	dns_fixedname_t fname, forigin;
+	dns_name_t *name, *origin;
+	dns_rdatatype_t type;
+	rbtdb_rdatatype_t sigtype;
+	bool wraps;
+	bool first = true;
+	bool need_sig = (secure == dns_db_secure);
+
+	if (tree == search->rbtdb->nsec3) {
+		type = dns_rdatatype_nsec3;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC3;
+		wraps = true;
+	} else {
+		type = dns_rdatatype_nsec;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC;
+		wraps = false;
+	}
+
+	/*
+	 * Use the auxiliary tree only starting with the second node in the
+	 * hope that the original node will be right much of the time.
+	 */
+	name = dns_fixedname_initname(&fname);
+	origin = dns_fixedname_initname(&forigin);
+ again:
+	node = NULL;
+	prevnode = NULL;
+	result = dns_rbtnodechain_current(&search->chain, name, origin, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	do {
+		NODE_LOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			  isc_rwlocktype_read);
+		found = NULL;
+		foundsig = NULL;
+		empty_node = true;
+		for (header = node->data;
+		     header != NULL;
+		     header = header_next) {
+			header_next = header->next;
+			/*
+			 * Look for an active, extant NSEC or RRSIG NSEC.
+			 */
+			do {
+				if (header->serial <= search->serial &&
+				    !IGNORE(header)) {
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header))
+						header = NULL;
+					break;
+				} else
+					header = header->down;
+			} while (header != NULL);
+			if (header != NULL) {
+				/*
+				 * We now know that there is at least one
+				 * active rdataset at this node.
+				 */
+				empty_node = false;
+				if (header->type == type) {
+					found = header;
+					if (foundsig != NULL)
+						break;
+				} else if (header->type == sigtype) {
+					foundsig = header;
+					if (found != NULL)
+						break;
+				}
+			}
+		}
+		if (!empty_node) {
+			if (found != NULL && search->rbtversion->havensec3 &&
+			    found->type == dns_rdatatype_nsec3 &&
+			    !matchparams(found, search)) {
+				empty_node = true;
+				found = NULL;
+				foundsig = NULL;
+				result = previous_closest_nsec(type, search,
+							       name, origin,
+							       &prevnode, NULL,
+							       NULL);
+			} else if (found != NULL &&
+				   (foundsig != NULL || !need_sig)) {
+				/*
+				 * We've found the right NSEC/NSEC3 record.
+				 *
+				 * Note: for this to really be the right
+				 * NSEC record, it's essential that the NSEC
+				 * records of any nodes obscured by a zone
+				 * cut have been removed; we assume this is
+				 * the case.
+				 */
+				result = dns_name_concatenate(name, origin,
+							      foundname, NULL);
+				if (result == ISC_R_SUCCESS) {
+					if (nodep != NULL) {
+						new_reference(search->rbtdb,
+							      node);
+						*nodep = node;
+					}
+					bind_rdataset(search->rbtdb, node,
+						      found, search->now,
+						      rdataset);
+					if (foundsig != NULL)
+						bind_rdataset(search->rbtdb,
+							      node,
+							      foundsig,
+							      search->now,
+							      sigrdataset);
+				}
+			} else if (found == NULL && foundsig == NULL) {
+				/*
+				 * This node is active, but has no NSEC or
+				 * RRSIG NSEC.  That means it's glue or
+				 * other obscured zone data that isn't
+				 * relevant for our search.  Treat the
+				 * node as if it were empty and keep looking.
+				 */
+				empty_node = true;
+				result = previous_closest_nsec(type, search,
+							       name, origin,
+							       &prevnode,
+							       &nsecchain,
+							       &first);
+			} else {
+				/*
+				 * We found an active node, but either the
+				 * NSEC or the RRSIG NSEC is missing.  This
+				 * shouldn't happen.
+				 */
+				result = DNS_R_BADDB;
+			}
+		} else {
+			/*
+			 * This node isn't active.  We've got to keep
+			 * looking.
+			 */
+			result = previous_closest_nsec(type, search,
+						       name, origin, &prevnode,
+						       &nsecchain, &first);
+		}
+		NODE_UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock),
+			    isc_rwlocktype_read);
+		node = prevnode;
+		prevnode = NULL;
+	} while (empty_node && result == ISC_R_SUCCESS);
+
+	if (!first)
+		dns_rbtnodechain_invalidate(&nsecchain);
+
+	if (result == ISC_R_NOMORE && wraps) {
+		result = dns_rbtnodechain_last(&search->chain, tree,
+					       NULL, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+			wraps = false;
+			goto again;
+		}
+	}
+
+	/*
+	 * If the result is ISC_R_NOMORE, then we got to the beginning of
+	 * the database and didn't find a NSEC record.  This shouldn't
+	 * happen.
+	 */
+	if (result == ISC_R_NOMORE)
+		result = DNS_R_BADDB;
+
+	return (result);
+}
+
+static isc_result_t
+zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	  dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	  dns_dbnode_t **nodep, dns_name_t *foundname,
+	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+	rbtdb_search_t search;
+	bool cname_ok = true;
+	bool close_version = false;
+	bool maybe_zonecut = false;
+	bool at_zonecut = false;
+	bool wild;
+	bool empty_node;
+	rdatasetheader_t *header, *header_next, *found, *nsecheader;
+	rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
+	rbtdb_rdatatype_t sigtype;
+	bool active;
+	dns_rbtnodechain_t chain;
+	nodelock_t *lock;
+	dns_rbt_t *tree;
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+	INSIST(version == NULL ||
+	       ((rbtdb_version_t *)version)->rbtdb == (dns_rbtdb_t *)db);
+
+	/*
+	 * We don't care about 'now'.
+	 */
+	UNUSED(now);
+
+	/*
+	 * If the caller didn't supply a version, attach to the current
+	 * version.
+	 */
+	if (version == NULL) {
+		currentversion(db, &version);
+		close_version = true;
+	}
+
+	search.rbtversion = version;
+	search.serial = search.rbtversion->serial;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+	search.now = 0;
+
+	/*
+	 * 'wild' will be true iff. we've matched a wildcard.
+	 */
+	wild = false;
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.  If, while going down, we
+	 * encounter a callback node, zone_zonecut_callback() will search the
+	 * rdatasets at the zone cut for active DNAME or NS rdatasets.
+	 */
+	tree =  (options & DNS_DBFIND_FORCENSEC3) != 0 ? search.rbtdb->nsec3 :
+							 search.rbtdb->tree;
+	result = dns_rbt_findnode(tree, name, foundname, &node,
+				  &search.chain, DNS_RBTFIND_EMPTYDATA,
+				  zone_zonecut_callback, &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+	partial_match:
+		if (search.zonecut != NULL) {
+		    result = setup_delegation(&search, nodep, foundname,
+					      rdataset, sigrdataset);
+		    goto tree_exit;
+		}
+
+		if (search.wild) {
+			/*
+			 * At least one of the levels in the search chain
+			 * potentially has a wildcard.  For each such level,
+			 * we must see if there's a matching wildcard active
+			 * in the current version.
+			 */
+			result = find_wildcard(&search, &node, name);
+			if (result == ISC_R_SUCCESS) {
+				result = dns_name_copy(name, foundname, NULL);
+				if (result != ISC_R_SUCCESS)
+					goto tree_exit;
+				wild = true;
+				goto found;
+			}
+			else if (result != ISC_R_NOTFOUND)
+				goto tree_exit;
+		}
+
+		chain = search.chain;
+		active = activeempty(&search, &chain, name);
+
+		/*
+		 * If we're here, then the name does not exist, is not
+		 * beneath a zonecut, and there's no matching wildcard.
+		 */
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0 ||
+		    (search.options & DNS_DBFIND_FORCENSEC3) != 0)
+		{
+			result = find_closest_nsec(&search, nodep, foundname,
+						   rdataset, sigrdataset, tree,
+						   search.rbtversion->secure);
+			if (result == ISC_R_SUCCESS)
+				result = active ? DNS_R_EMPTYNAME :
+						  DNS_R_NXDOMAIN;
+		} else
+			result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN;
+		goto tree_exit;
+	} else if (result != ISC_R_SUCCESS)
+		goto tree_exit;
+
+ found:
+	/*
+	 * We have found a node whose name is the desired name, or we
+	 * have matched a wildcard.
+	 */
+
+	if (search.zonecut != NULL) {
+		/*
+		 * If we're beneath a zone cut, we don't want to look for
+		 * CNAMEs because they're not legitimate zone glue.
+		 */
+		cname_ok = false;
+	} else {
+		/*
+		 * The node may be a zone cut itself.  If it might be one,
+		 * make sure we check for it later.
+		 *
+		 * DS records live above the zone cut in ordinary zone so
+		 * we want to ignore any referral.
+		 *
+		 * Stub zones don't have anything "above" the delgation so
+		 * we always return a referral.
+		 */
+		if (node->find_callback &&
+		    ((node != search.rbtdb->origin_node &&
+		      !dns_rdatatype_atparent(type)) ||
+		     IS_STUB(search.rbtdb)))
+			maybe_zonecut = true;
+	}
+
+	/*
+	 * Certain DNSSEC types are not subject to CNAME matching
+	 * (RFC4035, section 2.5 and RFC3007).
+	 *
+	 * We don't check for RRSIG, because we don't store RRSIG records
+	 * directly.
+	 */
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
+		cname_ok = false;
+
+	/*
+	 * We now go looking for rdata...
+	 */
+
+	lock = &search.rbtdb->node_locks[node->locknum].lock;
+	NODE_LOCK(lock, isc_rwlocktype_read);
+
+	found = NULL;
+	foundsig = NULL;
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	nsecheader = NULL;
+	nsecsig = NULL;
+	cnamesig = NULL;
+	empty_node = true;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		/*
+		 * Look for an active, extant rdataset.
+		 */
+		do {
+			if (header->serial <= search.serial &&
+			    !IGNORE(header)) {
+				/*
+				 * Is this a "this rdataset doesn't
+				 * exist" record?
+				 */
+				if (NONEXISTENT(header))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+		if (header != NULL) {
+			/*
+			 * We now know that there is at least one active
+			 * rdataset at this node.
+			 */
+			empty_node = false;
+
+			/*
+			 * Do special zone cut handling, if requested.
+			 */
+			if (maybe_zonecut &&
+			    header->type == dns_rdatatype_ns) {
+				/*
+				 * We increment the reference count on node to
+				 * ensure that search->zonecut_rdataset will
+				 * still be valid later.
+				 */
+				new_reference(search.rbtdb, node);
+				search.zonecut = node;
+				search.zonecut_rdataset = header;
+				search.zonecut_sigrdataset = NULL;
+				search.need_cleanup = true;
+				maybe_zonecut = false;
+				at_zonecut = true;
+				/*
+				 * It is not clear if KEY should still be
+				 * allowed at the parent side of the zone
+				 * cut or not.  It is needed for RFC3007
+				 * validated updates.
+				 */
+				if ((search.options & DNS_DBFIND_GLUEOK) == 0
+				    && type != dns_rdatatype_nsec
+				    && type != dns_rdatatype_key) {
+					/*
+					 * Glue is not OK, but any answer we
+					 * could return would be glue.  Return
+					 * the delegation.
+					 */
+					found = NULL;
+					break;
+				}
+				if (found != NULL && foundsig != NULL)
+					break;
+			}
+
+
+			/*
+			 * If the NSEC3 record doesn't match the chain
+			 * we are using behave as if it isn't here.
+			 */
+			if (header->type == dns_rdatatype_nsec3 &&
+			   !matchparams(header, &search)) {
+				NODE_UNLOCK(lock, isc_rwlocktype_read);
+				goto partial_match;
+			}
+			/*
+			 * If we found a type we were looking for,
+			 * remember it.
+			 */
+			if (header->type == type ||
+			    type == dns_rdatatype_any ||
+			    (header->type == dns_rdatatype_cname &&
+			     cname_ok)) {
+				/*
+				 * We've found the answer!
+				 */
+				found = header;
+				if (header->type == dns_rdatatype_cname &&
+				    cname_ok) {
+					/*
+					 * We may be finding a CNAME instead
+					 * of the desired type.
+					 *
+					 * If we've already got the CNAME RRSIG,
+					 * use it, otherwise change sigtype
+					 * so that we find it.
+					 */
+					if (cnamesig != NULL)
+						foundsig = cnamesig;
+					else
+						sigtype =
+						    RBTDB_RDATATYPE_SIGCNAME;
+				}
+				/*
+				 * If we've got all we need, end the search.
+				 */
+				if (!maybe_zonecut && foundsig != NULL)
+					break;
+			} else if (header->type == sigtype) {
+				/*
+				 * We've found the RRSIG rdataset for our
+				 * target type.  Remember it.
+				 */
+				foundsig = header;
+				/*
+				 * If we've got all we need, end the search.
+				 */
+				if (!maybe_zonecut && found != NULL)
+					break;
+			} else if (header->type == dns_rdatatype_nsec &&
+				   !search.rbtversion->havensec3) {
+				/*
+				 * Remember a NSEC rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				nsecheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC &&
+				   !search.rbtversion->havensec3) {
+				/*
+				 * If we need the NSEC rdataset, we'll also
+				 * need its signature.
+				 */
+				nsecsig = header;
+			} else if (cname_ok &&
+				   header->type == RBTDB_RDATATYPE_SIGCNAME) {
+				/*
+				 * If we get a CNAME match, we'll also need
+				 * its signature.
+				 */
+				cnamesig = header;
+			}
+		}
+	}
+
+	if (empty_node) {
+		/*
+		 * We have an exact match for the name, but there are no
+		 * active rdatasets in the desired version.  That means that
+		 * this node doesn't exist in the desired version, and that
+		 * we really have a partial match.
+		 */
+		if (!wild) {
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			goto partial_match;
+		}
+	}
+
+	/*
+	 * If we didn't find what we were looking for...
+	 */
+	if (found == NULL) {
+		if (search.zonecut != NULL) {
+			/*
+			 * We were trying to find glue at a node beneath a
+			 * zone cut, but didn't.
+			 *
+			 * Return the delegation.
+			 */
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+			goto tree_exit;
+		}
+		/*
+		 * The desired type doesn't exist.
+		 */
+		result = DNS_R_NXRRSET;
+		if (search.rbtversion->secure == dns_db_secure &&
+		    !search.rbtversion->havensec3 &&
+		    (nsecheader == NULL || nsecsig == NULL)) {
+			/*
+			 * The zone is secure but there's no NSEC,
+			 * or the NSEC has no signature!
+			 */
+			if (!wild) {
+				result = DNS_R_BADDB;
+				goto node_exit;
+			}
+
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = find_closest_nsec(&search, nodep, foundname,
+						   rdataset, sigrdataset,
+						   search.rbtdb->tree,
+						   search.rbtversion->secure);
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_EMPTYWILD;
+			goto tree_exit;
+		}
+		if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
+		    nsecheader == NULL)
+		{
+			/*
+			 * There's no NSEC record, and we were told
+			 * to find one.
+			 */
+			result = DNS_R_BADDB;
+			goto node_exit;
+		}
+		if (nodep != NULL) {
+			new_reference(search.rbtdb, node);
+			*nodep = node;
+		}
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		{
+			bind_rdataset(search.rbtdb, node, nsecheader,
+				      0, rdataset);
+			if (nsecsig != NULL)
+				bind_rdataset(search.rbtdb, node,
+					      nsecsig, 0, sigrdataset);
+		}
+		if (wild)
+			foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+		goto node_exit;
+	}
+
+	/*
+	 * We found what we were looking for, or we found a CNAME.
+	 */
+
+	if (type != found->type &&
+	    type != dns_rdatatype_any &&
+	    found->type == dns_rdatatype_cname) {
+		/*
+		 * We weren't doing an ANY query and we found a CNAME instead
+		 * of the type we were looking for, so we need to indicate
+		 * that result to the caller.
+		 */
+		result = DNS_R_CNAME;
+	} else if (search.zonecut != NULL) {
+		/*
+		 * If we're beneath a zone cut, we must indicate that the
+		 * result is glue, unless we're actually at the zone cut
+		 * and the type is NSEC or KEY.
+		 */
+		if (search.zonecut == node) {
+			/*
+			 * It is not clear if KEY should still be
+			 * allowed at the parent side of the zone
+			 * cut or not.  It is needed for RFC3007
+			 * validated updates.
+			 */
+			if (type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_nsec3 ||
+			    type == dns_rdatatype_key)
+				result = ISC_R_SUCCESS;
+			else if (type == dns_rdatatype_any)
+				result = DNS_R_ZONECUT;
+			else
+				result = DNS_R_GLUE;
+		} else
+			result = DNS_R_GLUE;
+		/*
+		 * We might have found data that isn't glue, but was occluded
+		 * by a dynamic update.  If the caller cares about this, they
+		 * will have told us to validate glue.
+		 *
+		 * XXX We should cache the glue validity state!
+		 */
+		if (result == DNS_R_GLUE &&
+		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
+		    !valid_glue(&search, foundname, type, node)) {
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+			result = setup_delegation(&search, nodep, foundname,
+						  rdataset, sigrdataset);
+		    goto tree_exit;
+		}
+	} else {
+		/*
+		 * An ordinary successful query!
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (nodep != NULL) {
+		if (!at_zonecut)
+			new_reference(search.rbtdb, node);
+		else
+			search.need_cleanup = false;
+		*nodep = node;
+	}
+
+	if (type != dns_rdatatype_any) {
+		bind_rdataset(search.rbtdb, node, found, 0, rdataset);
+		if (foundsig != NULL)
+			bind_rdataset(search.rbtdb, node, foundsig, 0,
+				      sigrdataset);
+	}
+
+	if (wild)
+		foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+
+ node_exit:
+	NODE_UNLOCK(lock, isc_rwlocktype_read);
+
+ tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * If we found a zonecut but aren't going to use it, we have to
+	 * let go of it.
+	 */
+	if (search.need_cleanup) {
+		node = search.zonecut;
+		INSIST(node != NULL);
+		lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0,
+				    isc_rwlocktype_read, isc_rwlocktype_none,
+				    false);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
+	}
+
+	if (close_version)
+		closeversion(db, &version, false);
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	return (result);
+}
+
+static isc_result_t
+zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+		 isc_stdtime_t now, dns_dbnode_t **nodep,
+		 dns_name_t *foundname,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
+
+	/* NOTREACHED */
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+check_stale_header(dns_rbtnode_t *node, rdatasetheader_t *header,
+		   isc_rwlocktype_t *locktype, nodelock_t *lock,
+		   rbtdb_search_t *search, rdatasetheader_t **header_prev)
+{
+
+#if !defined(ISC_RWLOCK_USEATOMIC) || !defined(DNS_RBT_USEISCREFCOUNT)
+	UNUSED(lock);
+#endif
+
+	if (!ACTIVE(header, search->now)) {
+		/*
+		 * This rdataset is stale.  If no one else is using the
+		 * node, we can clean it up right now, otherwise we mark
+		 * it as stale, and the node as dirty, so it will get
+		 * cleaned up later.
+		 */
+		if ((header->rdh_ttl < search->now - RBTDB_VIRTUAL) &&
+		    (*locktype == isc_rwlocktype_write ||
+		     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS))
+		{
+			/*
+			 * We update the node's status only when we can
+			 * get write access; otherwise, we leave others
+			 * to this work.  Periodical cleaning will
+			 * eventually take the job as the last resort.
+			 * We won't downgrade the lock, since other
+			 * rdatasets are probably stale, too.
+			 */
+			*locktype = isc_rwlocktype_write;
+
+			if (dns_rbtnode_refcurrent(node) == 0) {
+				isc_mem_t *mctx;
+
+				/*
+				 * header->down can be non-NULL if the
+				 * refcount has just decremented to 0
+				 * but decrement_reference() has not
+				 * performed clean_cache_node(), in
+				 * which case we need to purge the stale
+				 * headers first.
+				 */
+				mctx = search->rbtdb->common.mctx;
+				clean_stale_headers(search->rbtdb, mctx, header);
+				if (*header_prev != NULL)
+					(*header_prev)->next = header->next;
+				else
+					node->data = header->next;
+				free_rdataset(search->rbtdb, mctx, header);
+			} else {
+				mark_stale_header(search->rbtdb, header);
+				*header_prev = header;
+			}
+		} else
+			*header_prev = header;
+		return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+	rbtdb_search_t *search = arg;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header;
+	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	/* XXX comment */
+
+	REQUIRE(search->zonecut == NULL);
+
+	/*
+	 * Keep compiler silent.
+	 */
+	UNUSED(name);
+
+	lock = &(search->rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	/*
+	 * Look for a DNAME or RRSIG DNAME rdataset.
+	 */
+	dname_header = NULL;
+	sigdname_header = NULL;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header,
+				       &locktype, lock, search,
+				       &header_prev)) {
+			/* Do nothing. */
+		} else if (header->type == dns_rdatatype_dname &&
+			   EXISTS(header)) {
+			dname_header = header;
+			header_prev = header;
+		} else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
+			 EXISTS(header)) {
+			sigdname_header = header;
+			header_prev = header;
+		} else
+			header_prev = header;
+	}
+
+	if (dname_header != NULL &&
+	    (!DNS_TRUST_PENDING(dname_header->trust) ||
+	     (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
+		/*
+		 * We increment the reference count on node to ensure that
+		 * search->zonecut_rdataset will still be valid later.
+		 */
+		new_reference(search->rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		search->zonecut = node;
+		search->zonecut_rdataset = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
+		search->need_cleanup = true;
+		result = DNS_R_PARTIALMATCH;
+	} else
+		result = DNS_R_CONTINUE;
+
+	NODE_UNLOCK(lock, locktype);
+
+	return (result);
+}
+
+static inline isc_result_t
+find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
+		     dns_dbnode_t **nodep, dns_name_t *foundname,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	unsigned int i;
+	dns_rbtnode_t *level_node;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *foundsig;
+	isc_result_t result = ISC_R_NOTFOUND;
+	dns_name_t name;
+	dns_rbtdb_t *rbtdb;
+	bool done;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	/*
+	 * Caller must be holding the tree lock.
+	 */
+
+	rbtdb = search->rbtdb;
+	i = search->chain.level_matches;
+	done = false;
+	do {
+		locktype = isc_rwlocktype_read;
+		lock = &rbtdb->node_locks[node->locknum].lock;
+		NODE_LOCK(lock, locktype);
+
+		/*
+		 * Look for NS and RRSIG NS rdatasets.
+		 */
+		found = NULL;
+		foundsig = NULL;
+		header_prev = NULL;
+		for (header = node->data; header != NULL; header = header_next) {
+			header_next = header->next;
+			if (check_stale_header(node, header,
+					       &locktype, lock, search,
+					       &header_prev)) {
+				/* Do nothing. */
+			} else if (EXISTS(header)) {
+				/*
+				 * We've found an extant rdataset.  See if
+				 * we're interested in it.
+				 */
+				if (header->type == dns_rdatatype_ns) {
+					found = header;
+					if (foundsig != NULL)
+						break;
+				} else if (header->type ==
+					   RBTDB_RDATATYPE_SIGNS) {
+					foundsig = header;
+					if (found != NULL)
+						break;
+				}
+				header_prev = header;
+			} else
+				header_prev = header;
+		}
+
+		if (found != NULL) {
+			/*
+			 * If we have to set foundname, we do it before
+			 * anything else.  If we were to set foundname after
+			 * we had set nodep or bound the rdataset, then we'd
+			 * have to undo that work if dns_name_concatenate()
+			 * failed.  By setting foundname first, there's
+			 * nothing to undo if we have trouble.
+			 */
+			if (foundname != NULL) {
+				dns_name_init(&name, NULL);
+				dns_rbt_namefromnode(node, &name);
+				result = dns_name_copy(&name, foundname, NULL);
+				while (result == ISC_R_SUCCESS && i > 0) {
+					i--;
+					level_node = search->chain.levels[i];
+					dns_name_init(&name, NULL);
+					dns_rbt_namefromnode(level_node,
+							     &name);
+					result =
+						dns_name_concatenate(foundname,
+								     &name,
+								     foundname,
+								     NULL);
+				}
+				if (result != ISC_R_SUCCESS) {
+					*nodep = NULL;
+					goto node_exit;
+				}
+			}
+			result = DNS_R_DELEGATION;
+			if (nodep != NULL) {
+				new_reference(search->rbtdb, node);
+				*nodep = node;
+			}
+			bind_rdataset(search->rbtdb, node, found, search->now,
+				      rdataset);
+			if (foundsig != NULL)
+				bind_rdataset(search->rbtdb, node, foundsig,
+					      search->now, sigrdataset);
+			if (need_headerupdate(found, search->now) ||
+			    (foundsig != NULL &&
+			     need_headerupdate(foundsig, search->now))) {
+				if (locktype != isc_rwlocktype_write) {
+					NODE_UNLOCK(lock, locktype);
+					NODE_LOCK(lock, isc_rwlocktype_write);
+					locktype = isc_rwlocktype_write;
+					POST(locktype);
+				}
+				if (need_headerupdate(found, search->now))
+					update_header(search->rbtdb, found,
+						      search->now);
+				if (foundsig != NULL &&
+				    need_headerupdate(foundsig, search->now)) {
+					update_header(search->rbtdb, foundsig,
+						      search->now);
+				}
+			}
+		}
+
+	node_exit:
+		NODE_UNLOCK(lock, locktype);
+
+		if (found == NULL && i > 0) {
+			i--;
+			node = search->chain.levels[i];
+		} else
+			done = true;
+
+	} while (!done);
+
+	return (result);
+}
+
+static isc_result_t
+find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+		  isc_stdtime_t now, dns_name_t *foundname,
+		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_rbtnode_t *node;
+	rdatasetheader_t *header, *header_next, *header_prev;
+	rdatasetheader_t *found, *foundsig;
+	bool empty_node;
+	isc_result_t result;
+	dns_fixedname_t fname, forigin;
+	dns_name_t *name, *origin;
+	rbtdb_rdatatype_t matchtype, sigmatchtype;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
+	sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+					     dns_rdatatype_nsec);
+
+	do {
+		node = NULL;
+		name = dns_fixedname_initname(&fname);
+		origin = dns_fixedname_initname(&forigin);
+		result = dns_rbtnodechain_current(&search->chain, name,
+						  origin, &node);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		locktype = isc_rwlocktype_read;
+		lock = &(search->rbtdb->node_locks[node->locknum].lock);
+		NODE_LOCK(lock, locktype);
+		found = NULL;
+		foundsig = NULL;
+		empty_node = true;
+		header_prev = NULL;
+		for (header = node->data; header != NULL; header = header_next) {
+			header_next = header->next;
+			if (check_stale_header(node, header,
+					       &locktype, lock, search,
+					       &header_prev)) {
+				continue;
+			}
+			if (NONEXISTENT(header) ||
+			    RBTDB_RDATATYPE_BASE(header->type) == 0) {
+				header_prev = header;
+				continue;
+			}
+			empty_node = false;
+			if (header->type == matchtype)
+				found = header;
+			else if (header->type == sigmatchtype)
+				foundsig = header;
+			header_prev = header;
+		}
+		if (found != NULL) {
+			result = dns_name_concatenate(name, origin,
+						      foundname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto unlock_node;
+			bind_rdataset(search->rbtdb, node, found,
+				      now, rdataset);
+			if (foundsig != NULL)
+				bind_rdataset(search->rbtdb, node, foundsig,
+					      now, sigrdataset);
+			new_reference(search->rbtdb, node);
+			*nodep = node;
+			result = DNS_R_COVERINGNSEC;
+		} else if (!empty_node) {
+			result = ISC_R_NOTFOUND;
+		} else
+			result = dns_rbtnodechain_prev(&search->chain, NULL,
+						       NULL);
+ unlock_node:
+		NODE_UNLOCK(lock, locktype);
+	} while (empty_node && result == ISC_R_SUCCESS);
+	return (result);
+}
+
+/*
+ * Connect this RBTDB to the response policy zone summary data for the view.
+ */
+static void
+rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
+	dns_rbtdb_t * rbtdb;
+
+	rbtdb = (dns_rbtdb_t *)db;
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	REQUIRE(rbtdb->rpzs == NULL && rbtdb->rpz_num == DNS_RPZ_INVALID_NUM);
+	dns_rpz_attach_rpzs(rpzs, &rbtdb->rpzs);
+	rbtdb->rpz_num = rpz_num;
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+}
+
+/*
+ * Enable this RBTDB as a response policy zone.
+ */
+static isc_result_t
+rpz_ready(dns_db_t *db) {
+	dns_rbtdb_t * rbtdb;
+	isc_result_t result;
+
+	rbtdb = (dns_rbtdb_t *)db;
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	if (rbtdb->rpzs == NULL) {
+		INSIST(rbtdb->rpz_num == DNS_RPZ_INVALID_NUM);
+		result = ISC_R_SUCCESS;
+	} else {
+		result = dns_rpz_ready(rbtdb->rpzs, &rbtdb->load_rpzs,
+				       rbtdb->rpz_num);
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	return (result);
+}
+
+static isc_result_t
+cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	   dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	   dns_dbnode_t **nodep, dns_name_t *foundname,
+	   dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_rbtnode_t *node = NULL;
+	isc_result_t result;
+	rbtdb_search_t search;
+	bool cname_ok = true;
+	bool empty_node;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *nsheader;
+	rdatasetheader_t *foundsig, *nssig, *cnamesig;
+	rdatasetheader_t *update, *updatesig;
+	rbtdb_rdatatype_t sigtype, negtype;
+
+	UNUSED(version);
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+	REQUIRE(version == NULL);
+
+	if (now == 0)
+		isc_stdtime_get(&now);
+
+	search.rbtversion = NULL;
+	search.serial = 1;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+	search.now = now;
+	update = NULL;
+	updatesig = NULL;
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.  If, while going down, we
+	 * encounter a callback node, cache_zonecut_callback() will search the
+	 * rdatasets at the zone cut for a DNAME rdataset.
+	 */
+	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+				  &search.chain, DNS_RBTFIND_EMPTYDATA,
+				  cache_zonecut_callback, &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+		if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
+			result = find_coveringnsec(&search, nodep, now,
+						   foundname, rdataset,
+						   sigrdataset);
+			if (result == DNS_R_COVERINGNSEC)
+				goto tree_exit;
+		}
+		if (search.zonecut != NULL) {
+		    result = setup_delegation(&search, nodep, foundname,
+					      rdataset, sigrdataset);
+		    goto tree_exit;
+		} else {
+		find_ns:
+			result = find_deepest_zonecut(&search, node, nodep,
+						      foundname, rdataset,
+						      sigrdataset);
+			goto tree_exit;
+		}
+	} else if (result != ISC_R_SUCCESS)
+		goto tree_exit;
+
+	/*
+	 * Certain DNSSEC types are not subject to CNAME matching
+	 * (RFC4035, section 2.5 and RFC3007).
+	 *
+	 * We don't check for RRSIG, because we don't store RRSIG records
+	 * directly.
+	 */
+	if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
+		cname_ok = false;
+
+	/*
+	 * We now go looking for rdata...
+	 */
+
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	nsheader = NULL;
+	nssig = NULL;
+	cnamesig = NULL;
+	empty_node = true;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header,
+				       &locktype, lock, &search,
+				       &header_prev)) {
+			/* Do nothing. */
+		} else if (EXISTS(header) && (!STALE(header))) {
+			/*
+			 * We now know that there is at least one active
+			 * non-stale rdataset at this node.
+			 */
+			empty_node = false;
+
+			/*
+			 * If we found a type we were looking for, remember
+			 * it.
+			 */
+			if (header->type == type ||
+			    (type == dns_rdatatype_any &&
+			     RBTDB_RDATATYPE_BASE(header->type) != 0) ||
+			    (cname_ok && header->type ==
+			     dns_rdatatype_cname)) {
+				/*
+				 * We've found the answer.
+				 */
+				found = header;
+				if (header->type == dns_rdatatype_cname &&
+				    cname_ok &&
+				    cnamesig != NULL) {
+					/*
+					 * If we've already got the
+					 * CNAME RRSIG, use it.
+					 */
+					foundsig = cnamesig;
+				}
+			} else if (header->type == sigtype) {
+				/*
+				 * We've found the RRSIG rdataset for our
+				 * target type.  Remember it.
+				 */
+				foundsig = header;
+			} else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+				   header->type == negtype) {
+				/*
+				 * We've found a negative cache entry.
+				 */
+				found = header;
+			} else if (header->type == dns_rdatatype_ns) {
+				/*
+				 * Remember a NS rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				nsheader = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+				/*
+				 * If we need the NS rdataset, we'll also
+				 * need its signature.
+				 */
+				nssig = header;
+			} else if (cname_ok &&
+				   header->type == RBTDB_RDATATYPE_SIGCNAME) {
+				/*
+				 * If we get a CNAME match, we'll also need
+				 * its signature.
+				 */
+				cnamesig = header;
+			}
+			header_prev = header;
+		} else
+			header_prev = header;
+	}
+
+	if (empty_node) {
+		/*
+		 * We have an exact match for the name, but there are no
+		 * extant rdatasets.  That means that this node doesn't
+		 * meaningfully exist, and that we really have a partial match.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		goto find_ns;
+	}
+
+	/*
+	 * If we didn't find what we were looking for...
+	 */
+	if (found == NULL ||
+	    (DNS_TRUST_ADDITIONAL(found->trust) &&
+	     ((options & DNS_DBFIND_ADDITIONALOK) == 0)) ||
+	    (found->trust == dns_trust_glue &&
+	     ((options & DNS_DBFIND_GLUEOK) == 0)) ||
+	    (DNS_TRUST_PENDING(found->trust) &&
+	     ((options & DNS_DBFIND_PENDINGOK) == 0))) {
+		/*
+		 * If there is an NS rdataset at this node, then this is the
+		 * deepest zone cut.
+		 */
+		if (nsheader != NULL) {
+			if (nodep != NULL) {
+				new_reference(search.rbtdb, node);
+				INSIST(!ISC_LINK_LINKED(node, deadlink));
+				*nodep = node;
+			}
+			bind_rdataset(search.rbtdb, node, nsheader, search.now,
+				      rdataset);
+			if (need_headerupdate(nsheader, search.now))
+				update = nsheader;
+			if (nssig != NULL) {
+				bind_rdataset(search.rbtdb, node, nssig,
+					      search.now, sigrdataset);
+				if (need_headerupdate(nssig, search.now))
+					updatesig = nssig;
+			}
+			result = DNS_R_DELEGATION;
+			goto node_exit;
+		}
+
+		/*
+		 * Go find the deepest zone cut.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		goto find_ns;
+	}
+
+	/*
+	 * We found what we were looking for, or we found a CNAME.
+	 */
+
+	if (nodep != NULL) {
+		new_reference(search.rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		*nodep = node;
+	}
+
+	if (NEGATIVE(found)) {
+		/*
+		 * We found a negative cache entry.
+		 */
+		if (NXDOMAIN(found))
+			result = DNS_R_NCACHENXDOMAIN;
+		else
+			result = DNS_R_NCACHENXRRSET;
+	} else if (type != found->type &&
+		   type != dns_rdatatype_any &&
+		   found->type == dns_rdatatype_cname) {
+		/*
+		 * We weren't doing an ANY query and we found a CNAME instead
+		 * of the type we were looking for, so we need to indicate
+		 * that result to the caller.
+		 */
+		result = DNS_R_CNAME;
+	} else {
+		/*
+		 * An ordinary successful query!
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
+	    result == DNS_R_NCACHENXRRSET) {
+		bind_rdataset(search.rbtdb, node, found, search.now,
+			      rdataset);
+		if (need_headerupdate(found, search.now))
+			update = found;
+		if (!NEGATIVE(found) && foundsig != NULL) {
+			bind_rdataset(search.rbtdb, node, foundsig, search.now,
+				      sigrdataset);
+			if (need_headerupdate(foundsig, search.now))
+				updatesig = foundsig;
+		}
+	}
+
+ node_exit:
+	if ((update != NULL || updatesig != NULL) &&
+	    locktype != isc_rwlocktype_write) {
+		NODE_UNLOCK(lock, locktype);
+		NODE_LOCK(lock, isc_rwlocktype_write);
+		locktype = isc_rwlocktype_write;
+		POST(locktype);
+	}
+	if (update != NULL && need_headerupdate(update, search.now))
+		update_header(search.rbtdb, update, search.now);
+	if (updatesig != NULL && need_headerupdate(updatesig, search.now))
+		update_header(search.rbtdb, updatesig, search.now);
+
+	NODE_UNLOCK(lock, locktype);
+
+ tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * If we found a zonecut but aren't going to use it, we have to
+	 * let go of it.
+	 */
+	if (search.need_cleanup) {
+		node = search.zonecut;
+		INSIST(node != NULL);
+		lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+		NODE_LOCK(lock, isc_rwlocktype_read);
+		decrement_reference(search.rbtdb, node, 0,
+				    isc_rwlocktype_read, isc_rwlocktype_none,
+				    false);
+		NODE_UNLOCK(lock, isc_rwlocktype_read);
+	}
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	update_cachestats(search.rbtdb, result);
+	return (result);
+}
+
+static isc_result_t
+cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+		  isc_stdtime_t now, dns_dbnode_t **nodep,
+		  dns_name_t *foundname,
+		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_rbtnode_t *node = NULL;
+	nodelock_t *lock;
+	isc_result_t result;
+	rbtdb_search_t search;
+	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *found, *foundsig;
+	unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
+	isc_rwlocktype_t locktype;
+
+	search.rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(search.rbtdb));
+
+	if (now == 0)
+		isc_stdtime_get(&now);
+
+	search.rbtversion = NULL;
+	search.serial = 1;
+	search.options = options;
+	search.copy_name = false;
+	search.need_cleanup = false;
+	search.wild = false;
+	search.zonecut = NULL;
+	dns_fixedname_init(&search.zonecut_name);
+	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+	search.now = now;
+
+	if ((options & DNS_DBFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	/*
+	 * Search down from the root of the tree.
+	 */
+	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+				  &search.chain, rbtoptions, NULL, &search);
+
+	if (result == DNS_R_PARTIALMATCH) {
+	find_ns:
+		result = find_deepest_zonecut(&search, node, nodep, foundname,
+					      rdataset, sigrdataset);
+		goto tree_exit;
+	} else if (result != ISC_R_SUCCESS)
+		goto tree_exit;
+
+	/*
+	 * We now go looking for an NS rdataset at the node.
+	 */
+
+	lock = &(search.rbtdb->node_locks[node->locknum].lock);
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	header_prev = NULL;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (check_stale_header(node, header,
+				       &locktype, lock, &search,
+				       &header_prev)) {
+			/* Do nothing. */
+		} else if (EXISTS(header)) {
+			/*
+			 * If we found a type we were looking for, remember
+			 * it.
+			 */
+			if (header->type == dns_rdatatype_ns) {
+				/*
+				 * Remember a NS rdataset even if we're
+				 * not specifically looking for it, because
+				 * we might need it later.
+				 */
+				found = header;
+			} else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+				/*
+				 * If we need the NS rdataset, we'll also
+				 * need its signature.
+				 */
+				foundsig = header;
+			}
+			header_prev = header;
+		} else
+			header_prev = header;
+	}
+
+	if (found == NULL) {
+		/*
+		 * No NS records here.
+		 */
+		NODE_UNLOCK(lock, locktype);
+		goto find_ns;
+	}
+
+	if (nodep != NULL) {
+		new_reference(search.rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		*nodep = node;
+	}
+
+	bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
+	if (foundsig != NULL)
+		bind_rdataset(search.rbtdb, node, foundsig, search.now,
+			      sigrdataset);
+
+	if (need_headerupdate(found, search.now) ||
+	    (foundsig != NULL &&  need_headerupdate(foundsig, search.now))) {
+		if (locktype != isc_rwlocktype_write) {
+			NODE_UNLOCK(lock, locktype);
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			locktype = isc_rwlocktype_write;
+			POST(locktype);
+		}
+		if (need_headerupdate(found, search.now))
+			update_header(search.rbtdb, found, search.now);
+		if (foundsig != NULL &&
+		    need_headerupdate(foundsig, search.now)) {
+			update_header(search.rbtdb, foundsig, search.now);
+		}
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+ tree_exit:
+	RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+	INSIST(!search.need_cleanup);
+
+	dns_rbtnodechain_reset(&search.chain);
+
+	if (result == DNS_R_DELEGATION)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node = (dns_rbtnode_t *)source;
+	unsigned int refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+	dns_rbtnode_refincrement(node, &refs);
+	INSIST(refs != 0);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node;
+	bool want_free = false;
+	bool inactive = false;
+	rbtdb_nodelock_t *nodelock;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	node = (dns_rbtnode_t *)(*targetp);
+	nodelock = &rbtdb->node_locks[node->locknum];
+
+	NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
+
+	if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+				isc_rwlocktype_none, false)) {
+		if (isc_refcount_current(&nodelock->references) == 0 &&
+		    nodelock->exiting) {
+			inactive = true;
+		}
+	}
+
+	NODE_UNLOCK(&nodelock->lock, isc_rwlocktype_read);
+
+	*targetp = NULL;
+
+	if (inactive) {
+		RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+		rbtdb->active--;
+		if (rbtdb->active == 0)
+			want_free = true;
+		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+		if (want_free) {
+			char buf[DNS_NAME_FORMATSIZE];
+			if (dns_name_dynamic(&rbtdb->common.origin))
+				dns_name_format(&rbtdb->common.origin, buf,
+						sizeof(buf));
+			else
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+				      "calling free_rbtdb(%s)", buf);
+			free_rbtdb(rbtdb, true, NULL);
+		}
+	}
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = node;
+	rdatasetheader_t *header;
+	bool force_expire = false;
+	/*
+	 * These are the category and module used by the cache cleaner.
+	 */
+	bool log = false;
+	isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE;
+	isc_logmodule_t *module = DNS_LOGMODULE_CACHE;
+	int level = ISC_LOG_DEBUG(2);
+	char printname[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	/*
+	 * Caller must hold a tree lock.
+	 */
+
+	if (now == 0)
+		isc_stdtime_get(&now);
+
+	if (isc_mem_isovermem(rbtdb->common.mctx)) {
+		uint32_t val;
+
+		isc_random_get(&val);
+		/*
+		 * XXXDCL Could stand to have a better policy, like LRU.
+		 */
+		force_expire = (rbtnode->down == NULL && val % 4 == 0);
+
+		/*
+		 * Note that 'log' can be true IFF overmem is also true.
+		 * overmem can currently only be true for cache
+		 * databases -- hence all of the "overmem cache" log strings.
+		 */
+		log = isc_log_wouldlog(dns_lctx, level);
+		if (log)
+			isc_log_write(dns_lctx, category, module, level,
+				      "overmem cache: %s %s",
+				      force_expire ? "FORCE" : "check",
+				      dns_rbt_formatnodename(rbtnode,
+							   printname,
+							   sizeof(printname)));
+	}
+
+	/*
+	 * We may not need write access, but this code path is not performance
+	 * sensitive, so it should be okay to always lock as a writer.
+	 */
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	for (header = rbtnode->data; header != NULL; header = header->next)
+		if (header->rdh_ttl <= now - RBTDB_VIRTUAL) {
+			/*
+			 * We don't check if refcurrent(rbtnode) == 0 and try
+			 * to free like we do in cache_find(), because
+			 * refcurrent(rbtnode) must be non-zero.  This is so
+			 * because 'node' is an argument to the function.
+			 */
+			mark_stale_header(rbtdb, header);
+			if (log)
+				isc_log_write(dns_lctx, category, module,
+					      level, "overmem cache: stale %s",
+					      printname);
+		} else if (force_expire) {
+			if (! RETAIN(header)) {
+				set_ttl(rbtdb, header, 0);
+				mark_stale_header(rbtdb, header);
+			} else if (log) {
+				isc_log_write(dns_lctx, category, module,
+					      level, "overmem cache: "
+					      "reprieve by RETAIN() %s",
+					      printname);
+			}
+		} else if (isc_mem_isovermem(rbtdb->common.mctx) && log)
+			isc_log_write(dns_lctx, category, module, level,
+				      "overmem cache: saved %s", printname);
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	/* This is an empty callback.  See adb.c:water() */
+
+	UNUSED(db);
+	UNUSED(over);
+
+	return;
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = node;
+	bool first;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	fprintf(out, "node %p, %u references, locknum = %u\n",
+		rbtnode, dns_rbtnode_refcurrent(rbtnode),
+		rbtnode->locknum);
+	if (rbtnode->data != NULL) {
+		rdatasetheader_t *current, *top_next;
+
+		for (current = rbtnode->data; current != NULL;
+		     current = top_next) {
+			top_next = current->next;
+			first = true;
+			fprintf(out, "\ttype %u", current->type);
+			do {
+				if (!first)
+					fprintf(out, "\t");
+				first = false;
+				fprintf(out,
+					"\tserial = %lu, ttl = %u, "
+					"trust = %u, attributes = %u, "
+					"resign = %u\n",
+					(unsigned long)current->serial,
+					current->rdh_ttl,
+					current->trust,
+					current->attributes,
+					(current->resign << 1) |
+					current->resign_lsb);
+				current = current->down;
+			} while (current != NULL);
+		}
+	} else
+		fprintf(out, "(empty)\n");
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rbtdb_dbiterator_t *rbtdbiter;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
+	if (rbtdbiter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	rbtdbiter->common.methods = &dbiterator_methods;
+	rbtdbiter->common.db = NULL;
+	dns_db_attach(db, &rbtdbiter->common.db);
+	rbtdbiter->common.relative_names = (options & DNS_DB_RELATIVENAMES);
+	rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+	rbtdbiter->common.cleaning = false;
+	rbtdbiter->paused = true;
+	rbtdbiter->tree_locked = isc_rwlocktype_none;
+	rbtdbiter->result = ISC_R_SUCCESS;
+	dns_fixedname_init(&rbtdbiter->name);
+	dns_fixedname_init(&rbtdbiter->origin);
+	rbtdbiter->node = NULL;
+	rbtdbiter->delcnt = 0;
+	rbtdbiter->nsec3only = (options & DNS_DB_NSEC3ONLY);
+	rbtdbiter->nonsec3 = (options & DNS_DB_NONSEC3);
+	memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
+	dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx);
+	dns_rbtnodechain_init(&rbtdbiter->nsec3chain, db->mctx);
+	if (rbtdbiter->nsec3only)
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+	else
+		rbtdbiter->current = &rbtdbiter->chain;
+
+	*iteratorp = (dns_dbiterator_t *)rbtdbiter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		  dns_rdatatype_t type, dns_rdatatype_t covers,
+		  isc_stdtime_t now, dns_rdataset_t *rdataset,
+		  dns_rdataset_t *sigrdataset)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	rbtdb_serial_t serial;
+	rbtdb_version_t *rbtversion = version;
+	bool close_version = false;
+	rbtdb_rdatatype_t matchtype, sigmatchtype;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(type != dns_rdatatype_any);
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (rbtversion == NULL) {
+		currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion));
+		close_version = true;
+	}
+	serial = rbtversion->serial;
+	now = 0;
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	found = NULL;
+	foundsig = NULL;
+	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+	if (covers == 0)
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	else
+		sigmatchtype = 0;
+
+	for (header = rbtnode->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		do {
+			if (header->serial <= serial &&
+			    !IGNORE(header)) {
+				/*
+				 * Is this a "this rdataset doesn't
+				 * exist" record?
+				 */
+				if (NONEXISTENT(header))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+		if (header != NULL) {
+			/*
+			 * We have an active, extant rdataset.  If it's a
+			 * type we're looking for, remember it.
+			 */
+			if (header->type == matchtype) {
+				found = header;
+				if (foundsig != NULL)
+					break;
+			} else if (header->type == sigmatchtype) {
+				foundsig = header;
+				if (found != NULL)
+					break;
+			}
+		}
+	}
+	if (found != NULL) {
+		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+		if (foundsig != NULL)
+			bind_rdataset(rbtdb, rbtnode, foundsig, now,
+				      sigrdataset);
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	if (close_version)
+		closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion),
+			     false);
+
+	if (found == NULL)
+		return (ISC_R_NOTFOUND);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		   dns_rdatatype_t type, dns_rdatatype_t covers,
+		   isc_stdtime_t now, dns_rdataset_t *rdataset,
+		   dns_rdataset_t *sigrdataset)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rdatasetheader_t *header, *header_next, *found, *foundsig;
+	rbtdb_rdatatype_t matchtype, sigmatchtype, negtype;
+	isc_result_t result;
+	nodelock_t *lock;
+	isc_rwlocktype_t locktype;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(type != dns_rdatatype_any);
+
+	UNUSED(version);
+
+	result = ISC_R_SUCCESS;
+
+	if (now == 0)
+		isc_stdtime_get(&now);
+
+	lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	locktype = isc_rwlocktype_read;
+	NODE_LOCK(lock, locktype);
+
+	found = NULL;
+	foundsig = NULL;
+	matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+	negtype = RBTDB_RDATATYPE_VALUE(0, type);
+	if (covers == 0)
+		sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+	else
+		sigmatchtype = 0;
+
+	for (header = rbtnode->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (!ACTIVE(header, now)) {
+			if ((header->rdh_ttl < now - RBTDB_VIRTUAL) &&
+			    (locktype == isc_rwlocktype_write ||
+			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
+				/*
+				 * We update the node's status only when we
+				 * can get write access.
+				 */
+				locktype = isc_rwlocktype_write;
+
+				/*
+				 * We don't check if refcurrent(rbtnode) == 0
+				 * and try to free like we do in cache_find(),
+				 * because refcurrent(rbtnode) must be
+				 * non-zero.  This is so because 'node' is an
+				 * argument to the function.
+				 */
+				mark_stale_header(rbtdb, header);
+			}
+		} else if (EXISTS(header) && (!STALE(header))) {
+			if (header->type == matchtype)
+				found = header;
+			else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+				 header->type == negtype)
+				found = header;
+			else if (header->type == sigmatchtype)
+				foundsig = header;
+		}
+	}
+	if (found != NULL) {
+		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+		if (!NEGATIVE(found) && foundsig != NULL)
+			bind_rdataset(rbtdb, rbtnode, foundsig, now,
+				      sigrdataset);
+	}
+
+	NODE_UNLOCK(lock, locktype);
+
+	if (found == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (NEGATIVE(found)) {
+		/*
+		 * We found a negative cache entry.
+		 */
+		if (NXDOMAIN(found))
+			result = DNS_R_NCACHENXDOMAIN;
+		else
+			result = DNS_R_NCACHENXRRSET;
+	}
+
+	update_cachestats(rbtdb, result);
+
+	return (result);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	rbtdb_rdatasetiter_t *iterator;
+	unsigned int refs;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
+		now = 0;
+		if (rbtversion == NULL)
+			currentversion(db,
+				 (dns_dbversion_t **) (void *)(&rbtversion));
+		else {
+			INSIST(rbtversion->rbtdb == rbtdb);
+
+			isc_refcount_increment(&rbtversion->references,
+					       &refs);
+			INSIST(refs > 1);
+		}
+	} else {
+		if (now == 0)
+			isc_stdtime_get(&now);
+		rbtversion = NULL;
+	}
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = node;
+	iterator->common.version = (dns_dbversion_t *)rbtversion;
+	iterator->common.now = now;
+
+	NODE_STRONGLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+	dns_rbtnode_refincrement(rbtnode, &refs);
+	INSIST(refs != 0);
+
+	iterator->current = NULL;
+
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+	rdatasetheader_t *header, *header_next;
+	bool cname, other_data;
+	dns_rdatatype_t rdtype;
+
+	/*
+	 * The caller must hold the node lock.
+	 */
+
+	/*
+	 * Look for CNAME and "other data" rdatasets active in our version.
+	 */
+	cname = false;
+	other_data = false;
+	for (header = node->data; header != NULL; header = header_next) {
+		header_next = header->next;
+		if (header->type == dns_rdatatype_cname) {
+			/*
+			 * Look for an active extant CNAME.
+			 */
+			do {
+				if (header->serial <= serial &&
+				    !IGNORE(header)) {
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 */
+					if (NONEXISTENT(header))
+						header = NULL;
+					break;
+				} else
+					header = header->down;
+			} while (header != NULL);
+			if (header != NULL)
+				cname = true;
+		} else {
+			/*
+			 * Look for active extant "other data".
+			 *
+			 * "Other data" is any rdataset whose type is not
+			 * KEY, NSEC, SIG or RRSIG.
+			 */
+			rdtype = RBTDB_RDATATYPE_BASE(header->type);
+			if (rdtype != dns_rdatatype_key &&
+			    rdtype != dns_rdatatype_sig &&
+			    rdtype != dns_rdatatype_nsec &&
+			    rdtype != dns_rdatatype_rrsig) {
+				/*
+				 * Is it active and extant?
+				 */
+				do {
+					if (header->serial <= serial &&
+					    !IGNORE(header)) {
+						/*
+						 * Is this a "this rdataset
+						 * doesn't exist" record?
+						 */
+						if (NONEXISTENT(header))
+							header = NULL;
+						break;
+					} else
+						header = header->down;
+				} while (header != NULL);
+				if (header != NULL)
+					other_data = true;
+			}
+		}
+	}
+
+	if (cname && other_data)
+		return (true);
+
+	return (false);
+}
+
+static isc_result_t
+resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
+	isc_result_t result;
+
+	INSIST(!IS_CACHE(rbtdb));
+	INSIST(newheader->heap_index == 0);
+	INSIST(!ISC_LINK_LINKED(newheader, link));
+
+	result = isc_heap_insert(rbtdb->heaps[idx], newheader);
+	return (result);
+}
+
+static void
+resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+	      rdatasetheader_t *header)
+{
+	/*
+	 * Remove the old header from the heap
+	 */
+	if (header != NULL && header->heap_index != 0) {
+		isc_heap_delete(rbtdb->heaps[header->node->locknum],
+				header->heap_index);
+		header->heap_index = 0;
+		if (version != NULL) {
+			new_reference(rbtdb, header->node);
+			ISC_LIST_APPEND(version->resigned_list, header, link);
+		}
+	}
+}
+
+static void
+update_recordsandbytes(bool add, rbtdb_version_t *rbtversion,
+		       rdatasetheader_t *header)
+{
+	unsigned char *hdr = (unsigned char *)header;
+	size_t hdrsize = sizeof (*header);
+
+	if (add) {
+		rbtversion->records += dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->bytes += dns_rdataslab_size(hdr, hdrsize);
+	} else {
+		rbtversion->records -= dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->bytes -= dns_rdataslab_size(hdr, hdrsize);
+	}
+}
+
+static isc_result_t
+add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+      rdatasetheader_t *newheader, unsigned int options, bool loading,
+      dns_rdataset_t *addedrdataset, isc_stdtime_t now)
+{
+	rbtdb_changed_t *changed = NULL;
+	rdatasetheader_t *topheader, *topheader_prev, *header, *sigheader;
+	unsigned char *merged;
+	isc_result_t result;
+	bool header_nx;
+	bool newheader_nx;
+	bool merge;
+	dns_rdatatype_t rdtype, covers;
+	rbtdb_rdatatype_t negtype, sigtype;
+	dns_trust_t trust;
+	int idx;
+
+	/*
+	 * Add an rdatasetheader_t to a node.
+	 */
+
+	/*
+	 * Caller must be holding the node lock.
+	 */
+
+	if ((options & DNS_DBADD_MERGE) != 0) {
+		REQUIRE(rbtversion != NULL);
+		merge = true;
+	} else
+		merge = false;
+
+	if ((options & DNS_DBADD_FORCE) != 0)
+		trust = dns_trust_ultimate;
+	else
+		trust = newheader->trust;
+
+	if (rbtversion != NULL && !loading) {
+		/*
+		 * We always add a changed record, even if no changes end up
+		 * being made to this node, because it's harmless and
+		 * simplifies the code.
+		 */
+		changed = add_changed(rbtdb, rbtversion, rbtnode);
+		if (changed == NULL) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	newheader_nx = NONEXISTENT(newheader) ? true : false;
+	topheader_prev = NULL;
+	sigheader = NULL;
+	negtype = 0;
+	if (rbtversion == NULL && !newheader_nx) {
+		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+		covers = RBTDB_RDATATYPE_EXT(newheader->type);
+		sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
+		if (NEGATIVE(newheader)) {
+			/*
+			 * We're adding a negative cache entry.
+			 */
+			if (covers == dns_rdatatype_any) {
+				/*
+				 * If we're adding an negative cache entry
+				 * which covers all types (NXDOMAIN,
+				 * NODATA(QTYPE=ANY)),
+				 *
+				 * We make all other data stale so that the
+				 * only rdataset that can be found at this
+				 * node is the negative cache entry.
+				 */
+				for (topheader = rbtnode->data;
+				     topheader != NULL;
+				     topheader = topheader->next)
+				{
+					set_ttl(rbtdb, topheader, 0);
+					mark_stale_header(rbtdb, topheader);
+				}
+				goto find_header;
+			}
+			/*
+			 * Otherwise look for any RRSIGs of the given
+			 * type so they can be marked stale later.
+			 */
+			for (topheader = rbtnode->data;
+			     topheader != NULL;
+			     topheader = topheader->next)
+				if (topheader->type == sigtype)
+					sigheader = topheader;
+			negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+		} else {
+			/*
+			 * We're adding something that isn't a
+			 * negative cache entry.  Look for an extant
+			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
+			 * cache entry.  If we're adding an RRSIG, also
+			 * check for an extant non-stale NODATA ncache
+			 * entry which covers the same type as the RRSIG.
+			 */
+			for (topheader = rbtnode->data;
+			     topheader != NULL;
+			     topheader = topheader->next) {
+				if ((topheader->type ==
+					RBTDB_RDATATYPE_NCACHEANY) ||
+					(newheader->type == sigtype &&
+					topheader->type ==
+					RBTDB_RDATATYPE_VALUE(0, covers))) {
+						break;
+					}
+			}
+			if (topheader != NULL && EXISTS(topheader) &&
+			    ACTIVE(topheader, now)) {
+				/*
+				 * Found one.
+				 */
+				if (trust < topheader->trust) {
+					/*
+					 * The NXDOMAIN/NODATA(QTYPE=ANY)
+					 * is more trusted.
+					 */
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					if (addedrdataset != NULL)
+						bind_rdataset(rbtdb, rbtnode,
+							      topheader, now,
+							      addedrdataset);
+					return (DNS_R_UNCHANGED);
+				}
+				/*
+				 * The new rdataset is better.  Expire the
+				 * ncache entry.
+				 */
+				set_ttl(rbtdb, topheader, 0);
+				mark_stale_header(rbtdb, topheader);
+				topheader = NULL;
+				goto find_header;
+			}
+			negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+		}
+	}
+
+	for (topheader = rbtnode->data;
+	     topheader != NULL;
+	     topheader = topheader->next) {
+		if (topheader->type == newheader->type ||
+		    topheader->type == negtype)
+			break;
+		topheader_prev = topheader;
+	}
+
+ find_header:
+	/*
+	 * If header isn't NULL, we've found the right type.  There may be
+	 * IGNORE rdatasets between the top of the chain and the first real
+	 * data.  We skip over them.
+	 */
+	header = topheader;
+	while (header != NULL && IGNORE(header))
+		header = header->down;
+	if (header != NULL) {
+		header_nx = NONEXISTENT(header) ? true : false;
+
+		/*
+		 * Deleting an already non-existent rdataset has no effect.
+		 */
+		if (header_nx && newheader_nx) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (DNS_R_UNCHANGED);
+		}
+
+		/*
+		 * Trying to add an rdataset with lower trust to a cache DB
+		 * has no effect, provided that the cache data isn't stale.
+		 */
+		if (rbtversion == NULL && trust < header->trust &&
+		    (ACTIVE(header, now) || header_nx)) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL)
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      addedrdataset);
+			return (DNS_R_UNCHANGED);
+		}
+
+		/*
+		 * Don't merge if a nonexistent rdataset is involved.
+		 */
+		if (merge && (header_nx || newheader_nx))
+			merge = false;
+
+		/*
+		 * If 'merge' is true, we'll try to create a new rdataset
+		 * that is the union of 'newheader' and 'header'.
+		 */
+		if (merge) {
+			unsigned int flags = 0;
+			INSIST(rbtversion->serial >= header->serial);
+			merged = NULL;
+			result = ISC_R_SUCCESS;
+
+			if ((options & DNS_DBADD_EXACT) != 0)
+				flags |= DNS_RDATASLAB_EXACT;
+			if ((options & DNS_DBADD_EXACTTTL) != 0 &&
+			     newheader->rdh_ttl != header->rdh_ttl)
+					result = DNS_R_NOTEXACT;
+			else if (newheader->rdh_ttl != header->rdh_ttl)
+				flags |= DNS_RDATASLAB_FORCE;
+			if (result == ISC_R_SUCCESS)
+				result = dns_rdataslab_merge(
+					     (unsigned char *)header,
+					     (unsigned char *)newheader,
+					     (unsigned int)(sizeof(*newheader)),
+					     rbtdb->common.mctx,
+					     rbtdb->common.rdclass,
+					     (dns_rdatatype_t)header->type,
+					     flags, &merged);
+			if (result == ISC_R_SUCCESS) {
+				/*
+				 * If 'header' has the same serial number as
+				 * we do, we could clean it up now if we knew
+				 * that our caller had no references to it.
+				 * We don't know this, however, so we leave it
+				 * alone.  It will get cleaned up when
+				 * clean_zone_node() runs.
+				 */
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				newheader = (rdatasetheader_t *)merged;
+				init_rdataset(rbtdb, newheader);
+				update_newheader(newheader, header);
+				if (loading && RESIGN(newheader) &&
+				    RESIGN(header) &&
+				    resign_sooner(header, newheader))
+				{
+					newheader->resign = header->resign;
+					newheader->resign_lsb =
+							header->resign_lsb;
+				}
+			} else {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+		/*
+		 * Don't replace existing NS, A and AAAA RRsets
+		 * in the cache if they are already exist.  This
+		 * prevents named being locked to old servers.
+		 * Don't lower trust of existing record if the
+		 * update is forced.
+		 */
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    header->type == dns_rdatatype_ns &&
+		    !header_nx && !newheader_nx &&
+		    header->trust >= newheader->trust &&
+		    dns_rdataslab_equalx((unsigned char *)header,
+					 (unsigned char *)newheader,
+					 (unsigned int)(sizeof(*newheader)),
+					 rbtdb->common.rdclass,
+					 (dns_rdatatype_t)header->type)) {
+			/*
+			 * Honour the new ttl if it is less than the
+			 * older one.
+			 */
+			if (header->rdh_ttl > newheader->rdh_ttl)
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL) {
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
+			if (header->closest == NULL &&
+			    newheader->closest != NULL) {
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL)
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      addedrdataset);
+			return (ISC_R_SUCCESS);
+		}
+		/*
+		 * If we have will be replacing a NS RRset force its TTL
+		 * to be no more than the current NS RRset's TTL.  This
+		 * ensures the delegations that are withdrawn are honoured.
+		 */
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    header->type == dns_rdatatype_ns &&
+		    !header_nx && !newheader_nx &&
+		    header->trust <= newheader->trust) {
+			if (newheader->rdh_ttl > header->rdh_ttl) {
+				newheader->rdh_ttl = header->rdh_ttl;
+			}
+		}
+		if (IS_CACHE(rbtdb) && ACTIVE(header, now) &&
+		    (options & DNS_DBADD_PREFETCH) == 0 &&
+		    (header->type == dns_rdatatype_a ||
+		     header->type == dns_rdatatype_aaaa ||
+		     header->type == dns_rdatatype_ds ||
+		     header->type == RBTDB_RDATATYPE_SIGDDS) &&
+		    !header_nx && !newheader_nx &&
+		    header->trust >= newheader->trust &&
+		    dns_rdataslab_equal((unsigned char *)header,
+					(unsigned char *)newheader,
+					(unsigned int)(sizeof(*newheader)))) {
+			/*
+			 * Honour the new ttl if it is less than the
+			 * older one.
+			 */
+			if (header->rdh_ttl > newheader->rdh_ttl)
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
+			if (header->noqname == NULL &&
+			    newheader->noqname != NULL) {
+				header->noqname = newheader->noqname;
+				newheader->noqname = NULL;
+			}
+			if (header->closest == NULL &&
+			    newheader->closest != NULL) {
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			if (addedrdataset != NULL)
+				bind_rdataset(rbtdb, rbtnode, header, now,
+					      addedrdataset);
+			return (ISC_R_SUCCESS);
+		}
+		INSIST(rbtversion == NULL ||
+		       rbtversion->serial >= topheader->serial);
+		if (loading) {
+			newheader->down = NULL;
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				if (ZEROTTL(newheader))
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				else
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
+				INSIST(rbtdb->heaps != NULL);
+				result = isc_heap_insert(rbtdb->heaps[idx],
+							 newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+			} else if (RESIGN(newheader)) {
+				result = resign_insert(rbtdb, idx, newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+				/*
+				 * Don't call resign_delete as we don't need
+				 * to reverse the delete.  The free_rdataset
+				 * call below will clean up the heap entry.
+				 */
+			}
+
+			/*
+			 * There are no other references to 'header' when
+			 * loading, so we MAY clean up 'header' now.
+			 * Since we don't generate changed records when
+			 * loading, we MUST clean up 'header' now.
+			 */
+			if (topheader_prev != NULL)
+				topheader_prev->next = newheader;
+			else
+				rbtnode->data = newheader;
+			newheader->next = topheader->next;
+			if (rbtversion != NULL && !header_nx) {
+				RWLOCK(&rbtversion->rwlock,
+				       isc_rwlocktype_write);
+				update_recordsandbytes(false, rbtversion,
+						       header);
+				RWUNLOCK(&rbtversion->rwlock,
+					 isc_rwlocktype_write);
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, header);
+		} else {
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				INSIST(rbtdb->heaps != NULL);
+				result = isc_heap_insert(rbtdb->heaps[idx],
+							 newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+				if (ZEROTTL(newheader))
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				else
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
+			} else if (RESIGN(newheader)) {
+				result = resign_insert(rbtdb, idx, newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+				resign_delete(rbtdb, rbtversion, header);
+			}
+			if (topheader_prev != NULL)
+				topheader_prev->next = newheader;
+			else
+				rbtnode->data = newheader;
+			newheader->next = topheader->next;
+			newheader->down = topheader;
+			topheader->next = newheader;
+			rbtnode->dirty = 1;
+			if (changed != NULL)
+				changed->dirty = true;
+			if (rbtversion == NULL) {
+				set_ttl(rbtdb, header, 0);
+				mark_stale_header(rbtdb, header);
+				if (sigheader != NULL) {
+					set_ttl(rbtdb, sigheader, 0);
+					mark_stale_header(rbtdb, sigheader);
+				}
+			}
+			if (rbtversion != NULL && !header_nx) {
+				RWLOCK(&rbtversion->rwlock,
+				       isc_rwlocktype_write);
+				update_recordsandbytes(false, rbtversion,
+						       header);
+				RWUNLOCK(&rbtversion->rwlock,
+					 isc_rwlocktype_write);
+			}
+		}
+	} else {
+		/*
+		 * No non-IGNORED rdatasets of the given type exist at
+		 * this node.
+		 */
+
+		/*
+		 * If we're trying to delete the type, don't bother.
+		 */
+		if (newheader_nx) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			return (DNS_R_UNCHANGED);
+		}
+
+		idx = newheader->node->locknum;
+		if (IS_CACHE(rbtdb)) {
+			result = isc_heap_insert(rbtdb->heaps[idx], newheader);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+			if (ZEROTTL(newheader))
+				ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+						newheader, link);
+			else
+				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+						 newheader, link);
+		} else if (RESIGN(newheader)) {
+			result = resign_insert(rbtdb, idx, newheader);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+			resign_delete(rbtdb, rbtversion, header);
+		}
+
+		if (topheader != NULL) {
+			/*
+			 * We have an list of rdatasets of the given type,
+			 * but they're all marked IGNORE.  We simply insert
+			 * the new rdataset at the head of the list.
+			 *
+			 * Ignored rdatasets cannot occur during loading, so
+			 * we INSIST on it.
+			 */
+			INSIST(!loading);
+			INSIST(rbtversion == NULL ||
+			       rbtversion->serial >= topheader->serial);
+			if (topheader_prev != NULL)
+				topheader_prev->next = newheader;
+			else
+				rbtnode->data = newheader;
+			newheader->next = topheader->next;
+			newheader->down = topheader;
+			topheader->next = newheader;
+			rbtnode->dirty = 1;
+			if (changed != NULL)
+				changed->dirty = true;
+		} else {
+			/*
+			 * No rdatasets of the given type exist at the node.
+			 */
+			newheader->next = rbtnode->data;
+			newheader->down = NULL;
+			rbtnode->data = newheader;
+		}
+	}
+
+	if (rbtversion != NULL && !newheader_nx) {
+		RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+		update_recordsandbytes(true, rbtversion, newheader);
+		RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+	}
+
+	/*
+	 * Check if the node now contains CNAME and other data.
+	 */
+	if (rbtversion != NULL &&
+	    cname_and_other_data(rbtnode, rbtversion->serial))
+		return (DNS_R_CNAMEANDOTHER);
+
+	if (addedrdataset != NULL)
+		bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline bool
+delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		rbtdb_rdatatype_t type)
+{
+	if (IS_CACHE(rbtdb)) {
+		if (type == dns_rdatatype_dname)
+			return (true);
+		else
+			return (false);
+	} else if (type == dns_rdatatype_dname ||
+		   (type == dns_rdatatype_ns &&
+		    (node != rbtdb->origin_node || IS_STUB(rbtdb))))
+		return (true);
+	return (false);
+}
+
+static inline isc_result_t
+addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset)
+{
+	struct noqname *noqname;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t neg, negsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
+
+	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	noqname = isc_mem_get(mctx, sizeof(*noqname));
+	if (noqname == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	dns_name_init(&noqname->name, NULL);
+	noqname->neg = NULL;
+	noqname->negsig = NULL;
+	noqname->type = neg.type;
+	result = dns_name_dup(&name, mctx, &noqname->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	noqname->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	noqname->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	newheader->noqname = noqname;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	if (noqname != NULL)
+		free_noqname(mctx, &noqname);
+	return(result);
+}
+
+static inline isc_result_t
+addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset)
+{
+	struct noqname *closest;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t neg, negsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
+
+	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	closest = isc_mem_get(mctx, sizeof(*closest));
+	if (closest == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	dns_name_init(&closest->name, NULL);
+	closest->neg = NULL;
+	closest->negsig = NULL;
+	closest->type = neg.type;
+	result = dns_name_dup(&name, mctx, &closest->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	closest->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	closest->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	newheader->closest = closest;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	if (closest != NULL)
+		free_noqname(mctx, &closest);
+	return(result);
+}
+
+static dns_dbmethods_t zone_methods;
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	isc_region_t region;
+	rdatasetheader_t *newheader;
+	rdatasetheader_t *header;
+	isc_result_t result;
+	bool delegating;
+	bool newnsec;
+	bool tree_locked = false;
+	bool cache_is_overmem = false;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (rbtdb->common.methods == &zone_methods)
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
+			   rdataset->type != dns_rdatatype_nsec3 &&
+			   rdataset->covers != dns_rdatatype_nsec3)));
+
+	if (rbtversion == NULL) {
+		if (now == 0)
+			isc_stdtime_get(&now);
+	} else
+		now = 0;
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	name = dns_fixedname_initname(&fixed);
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	dns_rbt_fullnamefromnode(node, name);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	dns_rdataset_getownercase(rdataset, name);
+
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	setownercase(newheader, name);
+	set_ttl(rbtdb, newheader, rdataset->ttl + now);
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	newheader->attributes = 0;
+	if (rdataset->ttl == 0U)
+		newheader->attributes |= RDATASET_ATTR_ZEROTTL;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	newheader->count = init_count++;
+	newheader->trust = rdataset->trust;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
+	newheader->last_used = now;
+	newheader->node = rbtnode;
+	if (rbtversion != NULL) {
+		newheader->serial = rbtversion->serial;
+		now = 0;
+
+		if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+			newheader->attributes |= RDATASET_ATTR_RESIGN;
+			newheader->resign = (isc_stdtime_t)
+				(dns_time64_from32(rdataset->resign) >> 1);
+			newheader->resign_lsb = rdataset->resign & 0x1;
+		} else {
+			newheader->resign = 0;
+			newheader->resign_lsb = 0;
+		}
+	} else {
+		newheader->serial = 1;
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+		if ((rdataset->attributes & DNS_RDATASETATTR_PREFETCH) != 0)
+			newheader->attributes |= RDATASET_ATTR_PREFETCH;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+			newheader->attributes |= RDATASET_ATTR_NEGATIVE;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+			newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
+		if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+			newheader->attributes |= RDATASET_ATTR_OPTOUT;
+		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
+			result = addnoqname(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) {
+			result = addclosest(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+	}
+
+	/*
+	 * If we're adding a delegation type (e.g. NS or DNAME for a zone,
+	 * just DNAME for the cache), then we need to set the callback bit
+	 * on the node.
+	 */
+	if (delegating_type(rbtdb, rbtnode, rdataset->type))
+		delegating = true;
+	else
+		delegating = false;
+
+	/*
+	 * Add to the auxiliary NSEC tree if we're adding an NSEC record.
+	 */
+	if (rbtnode->nsec != DNS_RBT_NSEC_HAS_NSEC &&
+	    rdataset->type == dns_rdatatype_nsec)
+		newnsec = true;
+	else
+		newnsec = false;
+
+	/*
+	 * If we're adding a delegation type, adding to the auxiliary NSEC tree,
+	 * or the DB is a cache in an overmem state, hold an exclusive lock on
+	 * the tree.  In the latter case the lock does not necessarily have to
+	 * be acquired but it will help purge stale entries more effectively.
+	 */
+	if (IS_CACHE(rbtdb) && isc_mem_isovermem(rbtdb->common.mctx))
+		cache_is_overmem = true;
+	if (delegating || newnsec || cache_is_overmem) {
+		tree_locked = true;
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
+
+	if (cache_is_overmem)
+		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	if (rbtdb->rrsetstats != NULL) {
+		newheader->attributes |= RDATASET_ATTR_STATCOUNT;
+		update_rrsetstats(rbtdb, newheader, true);
+	}
+
+	if (IS_CACHE(rbtdb)) {
+		if (tree_locked)
+			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+			expire_header(rbtdb, header, tree_locked,
+				      expire_ttl);
+
+		/*
+		 * If we've been holding a write lock on the tree just for
+		 * cleaning, we can release it now.  However, we still need the
+		 * node lock.
+		 */
+		if (tree_locked && !delegating && !newnsec) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+			tree_locked = false;
+		}
+	}
+
+	result = ISC_R_SUCCESS;
+	if (newnsec) {
+		dns_rbtnode_t *nsecnode;
+
+		dns_rbt_fullnamefromnode(rbtnode, name);
+		nsecnode = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+		if (result == ISC_R_SUCCESS) {
+			nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		} else if (result == ISC_R_EXISTS) {
+			rbtnode->nsec = DNS_RBT_NSEC_HAS_NSEC;
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+	if (result == ISC_R_SUCCESS)
+		result = add32(rbtdb, rbtnode, rbtversion, newheader, options,
+			       false, addedrdataset, now);
+	if (result == ISC_R_SUCCESS && delegating)
+		rbtnode->find_callback = 1;
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	if (tree_locked)
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		iszonesecure(db, version, rbtdb->origin_node);
+
+	return (result);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	rdatasetheader_t *topheader, *topheader_prev, *header, *newheader;
+	unsigned char *subresult;
+	isc_region_t region;
+	isc_result_t result;
+	rbtdb_changed_t *changed;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rbtversion != NULL && rbtversion->rbtdb == rbtdb);
+
+	if (rbtdb->common.methods == &zone_methods)
+		REQUIRE(((rbtnode->nsec == DNS_RBT_NSEC_NSEC3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (rbtnode->nsec != DNS_RBT_NSEC_NSEC3 &&
+			   rdataset->type != dns_rdatatype_nsec3 &&
+			   rdataset->covers != dns_rdatatype_nsec3)));
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region, sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, rdataset->ttl);
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	newheader->attributes = 0;
+	newheader->serial = rbtversion->serial;
+	newheader->trust = 0;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	newheader->count = init_count++;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		newheader->attributes |= RDATASET_ATTR_RESIGN;
+		newheader->resign = (isc_stdtime_t)
+			(dns_time64_from32(rdataset->resign) >> 1);
+		newheader->resign_lsb = rdataset->resign & 0x1;
+	} else {
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	changed = add_changed(rbtdb, rbtversion, rbtnode);
+	if (changed == NULL) {
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+		NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+			    isc_rwlocktype_write);
+		return (ISC_R_NOMEMORY);
+	}
+
+	topheader_prev = NULL;
+	for (topheader = rbtnode->data;
+	     topheader != NULL;
+	     topheader = topheader->next) {
+		if (topheader->type == newheader->type)
+			break;
+		topheader_prev = topheader;
+	}
+	/*
+	 * If header isn't NULL, we've found the right type.  There may be
+	 * IGNORE rdatasets between the top of the chain and the first real
+	 * data.  We skip over them.
+	 */
+	header = topheader;
+	while (header != NULL && IGNORE(header))
+		header = header->down;
+	if (header != NULL && EXISTS(header)) {
+		unsigned int flags = 0;
+		subresult = NULL;
+		result = ISC_R_SUCCESS;
+		if ((options & DNS_DBSUB_EXACT) != 0) {
+			flags |= DNS_RDATASLAB_EXACT;
+			if (newheader->rdh_ttl != header->rdh_ttl)
+				result = DNS_R_NOTEXACT;
+		}
+		if (result == ISC_R_SUCCESS)
+			result = dns_rdataslab_subtract(
+					(unsigned char *)header,
+					(unsigned char *)newheader,
+					(unsigned int)(sizeof(*newheader)),
+					rbtdb->common.mctx,
+					rbtdb->common.rdclass,
+					(dns_rdatatype_t)header->type,
+					flags, &subresult);
+		if (result == ISC_R_SUCCESS) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			newheader = (rdatasetheader_t *)subresult;
+			init_rdataset(rbtdb, newheader);
+			update_newheader(newheader, header);
+			if (RESIGN(header)) {
+				newheader->attributes |= RDATASET_ATTR_RESIGN;
+				newheader->resign = header->resign;
+				newheader->resign_lsb = header->resign_lsb;
+				result = resign_insert(rbtdb, rbtnode->locknum,
+						       newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					goto unlock;
+				}
+			}
+			/*
+			 * We have to set the serial since the rdataslab
+			 * subtraction routine copies the reserved portion of
+			 * header, not newheader.
+			 */
+			newheader->serial = rbtversion->serial;
+			/*
+			 * XXXJT: dns_rdataslab_subtract() copied the pointers
+			 * to additional info.  We need to clear these fields
+			 * to avoid having duplicated references.
+			 */
+			newheader->additional_auth = NULL;
+			newheader->additional_glue = NULL;
+			update_recordsandbytes(true, rbtversion, newheader);
+		} else if (result == DNS_R_NXRRSET) {
+			/*
+			 * This subtraction would remove all of the rdata;
+			 * add a nonexistent header instead.
+			 */
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
+			if (newheader == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto unlock;
+			}
+			init_rdataset(rbtdb, newheader);
+			set_ttl(rbtdb, newheader, 0);
+			newheader->type = topheader->type;
+			newheader->attributes = RDATASET_ATTR_NONEXISTENT;
+			newheader->trust = 0;
+			newheader->serial = rbtversion->serial;
+			newheader->noqname = NULL;
+			newheader->closest = NULL;
+			newheader->count = 0;
+			newheader->additional_auth = NULL;
+			newheader->additional_glue = NULL;
+			newheader->node = rbtnode;
+			newheader->resign = 0;
+			newheader->resign_lsb = 0;
+			newheader->last_used = 0;
+		} else {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			goto unlock;
+		}
+
+		/*
+		 * If we're here, we want to link newheader in front of
+		 * topheader.
+		 */
+		INSIST(rbtversion->serial >= topheader->serial);
+		update_recordsandbytes(false, rbtversion, header);
+		if (topheader_prev != NULL)
+			topheader_prev->next = newheader;
+		else
+			rbtnode->data = newheader;
+		newheader->next = topheader->next;
+		newheader->down = topheader;
+		topheader->next = newheader;
+		rbtnode->dirty = 1;
+		changed->dirty = true;
+		resign_delete(rbtdb, rbtversion, header);
+	} else {
+		/*
+		 * The rdataset doesn't exist, so we don't need to do anything
+		 * to satisfy the deletion request.
+		 */
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+		if ((options & DNS_DBSUB_EXACT) != 0)
+			result = DNS_R_NOTEXACT;
+		else
+			result = DNS_R_UNCHANGED;
+	}
+
+	if (result == ISC_R_SUCCESS && newrdataset != NULL)
+		bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
+
+	if (result == DNS_R_NXRRSET && newrdataset != NULL &&
+	    (options & DNS_DBSUB_WANTOLD) != 0)
+		bind_rdataset(rbtdb, rbtnode, header, 0, newrdataset);
+
+ unlock:
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
+
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	rbtdb_version_t *rbtversion = version;
+	isc_result_t result;
+	rdatasetheader_t *newheader;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (type == dns_rdatatype_any)
+		return (ISC_R_NOTIMPLEMENTED);
+	if (type == dns_rdatatype_rrsig && covers == 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
+	if (newheader == NULL)
+		return (ISC_R_NOMEMORY);
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, 0);
+	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
+	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
+	newheader->trust = 0;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
+	if (rbtversion != NULL)
+		newheader->serial = rbtversion->serial;
+	else
+		newheader->serial = 0;
+	newheader->count = 0;
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+
+	result = add32(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE,
+		       false, NULL, 0);
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_write);
+
+	/*
+	 * Update the zone's secure status.  If version is non-NULL
+	 * this is deferred until closeversion() is called.
+	 */
+	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
+
+	return (result);
+}
+
+/*
+ * load a non-NSEC3 node in the main tree and optionally to the auxiliary NSEC
+ */
+static isc_result_t
+loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
+	 bool hasnsec)
+{
+	isc_result_t noderesult, rpzresult, nsecresult, tmpresult;
+	dns_rbtnode_t *nsecnode = NULL, *node = NULL;
+
+	noderesult = dns_rbt_addnode(rbtdb->tree, name, &node);
+	if (rbtdb->rpzs != NULL &&
+	    (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)) {
+		rpzresult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num,
+					name);
+		if (rpzresult == ISC_R_SUCCESS) {
+			node->rpz = 1;
+		} else if (noderesult != ISC_R_EXISTS) {
+			/*
+			 * Remove the node we just added above.
+			 */
+			tmpresult = dns_rbt_deletenode(rbtdb->tree, node,
+						       false);
+			if (tmpresult != ISC_R_SUCCESS)
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_WARNING,
+					      "loading_addrdataset: "
+					      "dns_rbt_deletenode: %s after "
+					      "dns_rbt_addnode(NSEC): %s",
+					      isc_result_totext(tmpresult),
+					      isc_result_totext(ISC_R_SUCCESS));
+			noderesult = rpzresult;
+		}
+	}
+	if (!hasnsec)
+		goto done;
+	if (noderesult == ISC_R_EXISTS) {
+		/*
+		 * Add a node to the auxiliary NSEC tree for an old node
+		 * just now getting an NSEC record.
+		 */
+		if (node->nsec == DNS_RBT_NSEC_HAS_NSEC)
+			goto done;
+	} else if (noderesult != ISC_R_SUCCESS)
+		goto done;
+
+	/*
+	 * Build the auxiliary tree for NSECs as we go.
+	 * This tree speeds searches for closest NSECs that would otherwise
+	 * need to examine many irrelevant nodes in large TLDs.
+	 *
+	 * Add nodes to the auxiliary tree after corresponding nodes have
+	 * been added to the main tree.
+	 */
+	nsecresult = dns_rbt_addnode(rbtdb->nsec, name, &nsecnode);
+	if (nsecresult == ISC_R_SUCCESS) {
+		nsecnode->nsec = DNS_RBT_NSEC_NSEC;
+		node->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		goto done;
+	}
+
+	if (nsecresult == ISC_R_EXISTS) {
+#if 1 /* 0 */
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE,
+			      ISC_LOG_WARNING,
+			      "addnode: NSEC node already exists");
+#endif
+		node->nsec = DNS_RBT_NSEC_HAS_NSEC;
+		goto done;
+	}
+
+	if (noderesult == ISC_R_SUCCESS) {
+		unsigned int node_has_rpz;
+
+		/*
+		 * Remove the node we just added above.
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
+		 */
+		node_has_rpz = node->rpz;
+		node->rpz = 0;
+		tmpresult = dns_rbt_deletenode(rbtdb->tree, node, false);
+		if (tmpresult == ISC_R_SUCCESS) {
+			/*
+			 * Clean rpz entries added above.
+			 */
+			if (rbtdb->rpzs != NULL && node_has_rpz)
+				dns_rpz_delete(rbtdb->load_rpzs,
+					       rbtdb->rpz_num, name);
+		} else {
+			isc_log_write(dns_lctx,
+				      DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE,
+				      ISC_LOG_WARNING,
+				      "loading_addrdataset: "
+				      "dns_rbt_deletenode: %s after "
+				      "dns_rbt_addnode(NSEC): %s",
+				      isc_result_totext(tmpresult),
+				      isc_result_totext(noderesult));
+		}
+	}
+
+	/*
+	 * Set the error condition to be returned.
+	 */
+	noderesult = nsecresult;
+
+ done:
+	if (noderesult == ISC_R_SUCCESS || noderesult == ISC_R_EXISTS)
+		*nodep = node;
+
+	return (noderesult);
+}
+
+static isc_result_t
+loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
+	rbtdb_load_t *loadctx = arg;
+	dns_rbtdb_t *rbtdb = loadctx->rbtdb;
+	dns_rbtnode_t *node;
+	isc_result_t result;
+	isc_region_t region;
+	rdatasetheader_t *newheader;
+
+	REQUIRE(rdataset->rdclass == rbtdb->common.rdclass);
+
+	/*
+	 * This routine does no node locking.  See comments in
+	 * 'load' below for more information on loading and
+	 * locking.
+	 */
+
+	/*
+	 * SOA records are only allowed at top of zone.
+	 */
+	if (rdataset->type == dns_rdatatype_soa &&
+	    !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin))
+		return (DNS_R_NOTZONETOP);
+
+	if (rdataset->type != dns_rdatatype_nsec3 &&
+	    rdataset->covers != dns_rdatatype_nsec3)
+		add_empty_wildcards(rbtdb, name);
+
+	if (dns_name_iswildcard(name)) {
+		/*
+		 * NS record owners cannot legally be wild cards.
+		 */
+		if (rdataset->type == dns_rdatatype_ns)
+			return (DNS_R_INVALIDNS);
+		/*
+		 * NSEC3 record owners cannot legally be wild cards.
+		 */
+		if (rdataset->type == dns_rdatatype_nsec3)
+			return (DNS_R_INVALIDNSEC3);
+		result = add_wildcard_magic(rbtdb, name);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	node = NULL;
+	if (rdataset->type == dns_rdatatype_nsec3 ||
+	    rdataset->covers == dns_rdatatype_nsec3) {
+		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
+		if (result == ISC_R_SUCCESS)
+			node->nsec = DNS_RBT_NSEC_NSEC3;
+	} else if (rdataset->type == dns_rdatatype_nsec) {
+		result = loadnode(rbtdb, name, &node, true);
+	} else {
+		result = loadnode(rbtdb, name, &node, false);
+	}
+	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+		return (result);
+	if (result == ISC_R_SUCCESS) {
+		dns_name_t foundname;
+		dns_name_init(&foundname, NULL);
+		dns_rbt_namefromnode(node, &foundname);
+#ifdef DNS_RBT_USEHASH
+		node->locknum = node->hashval % rbtdb->node_lock_count;
+#else
+		node->locknum = dns_name_hash(&foundname, true) %
+			rbtdb->node_lock_count;
+#endif
+	}
+
+	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+					    &region,
+					    sizeof(rdatasetheader_t));
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	newheader = (rdatasetheader_t *)region.base;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader,
+		rdataset->ttl + loadctx->now); /* XXX overflow check */
+	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+						rdataset->covers);
+	newheader->attributes = 0;
+	newheader->trust = rdataset->trust;
+	newheader->serial = 1;
+	newheader->noqname = NULL;
+	newheader->closest = NULL;
+	newheader->count = init_count++;
+	newheader->additional_auth = NULL;
+	newheader->additional_glue = NULL;
+	newheader->last_used = 0;
+	newheader->node = node;
+	setownercase(newheader, name);
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		newheader->attributes |= RDATASET_ATTR_RESIGN;
+		newheader->resign = (isc_stdtime_t)
+			(dns_time64_from32(rdataset->resign) >> 1);
+		newheader->resign_lsb = rdataset->resign & 0x1;
+	} else {
+		newheader->resign = 0;
+		newheader->resign_lsb = 0;
+	}
+
+	result = add32(rbtdb, node, rbtdb->current_version, newheader,
+		       DNS_DBADD_MERGE, true, NULL, 0);
+	if (result == ISC_R_SUCCESS &&
+	    delegating_type(rbtdb, node, rdataset->type))
+		node->find_callback = 1;
+	else if (result == DNS_R_UNCHANGED)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+static isc_result_t
+rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
+	      void *arg, uint64_t *crc)
+{
+	isc_result_t result;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *) arg;
+	rdatasetheader_t *header;
+	unsigned char *limit = ((unsigned char *) base) + filesize;
+	unsigned char *p;
+	size_t size;
+	unsigned int count;
+
+	REQUIRE(rbtnode != NULL);
+
+	for (header = rbtnode->data; header != NULL; header = header->next) {
+		p = (unsigned char *) header;
+
+		size = dns_rdataslab_size(p, sizeof(*header));
+		count = dns_rdataslab_count(p, sizeof(*header));;
+		rbtdb->current_version->records += count;
+		rbtdb->current_version->bytes += size;
+		isc_crc64_update(crc, p, size);
+#ifdef DEBUG
+		hexdump("hashing header", p, sizeof(rdatasetheader_t));
+		hexdump("hashing slab", p + sizeof(rdatasetheader_t),
+			size - sizeof(rdatasetheader_t));
+#endif
+		header->serial = 1;
+		header->is_mmapped = 1;
+		header->node = rbtnode;
+		header->node_is_relative = 0;
+
+		if (rbtdb != NULL && RESIGN(header) &&
+		    (header->resign != 0 || header->resign_lsb != 0))
+		{
+			int idx = header->node->locknum;
+			result = isc_heap_insert(rbtdb->heaps[idx], header);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+
+		if (header->next != NULL) {
+			size_t cooked = dns_rbt_serialize_align(size);
+			if ((uintptr_t)header->next !=
+				    (p - (unsigned char *)base) + cooked)
+				return (ISC_R_INVALIDFILE);
+			header->next = (rdatasetheader_t *)(p + cooked);
+			header->next_is_relative = 0;
+			if ((header->next < (rdatasetheader_t *) base) ||
+			    (header->next > (rdatasetheader_t *) limit))
+				return (ISC_R_INVALIDFILE);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Load the RBT database from the image in 'f'
+ */
+static isc_result_t
+deserialize32(void *arg, FILE *f, off_t offset) {
+	isc_result_t result;
+	rbtdb_load_t *loadctx = arg;
+	dns_rbtdb_t *rbtdb = loadctx->rbtdb;
+	rbtdb_file_header_t *header;
+	int fd;
+	off_t filesize = 0;
+	char *base;
+	dns_rbt_t *tree = NULL, *nsec = NULL, *nsec3 = NULL;
+	int protect, flags;
+	dns_rbtnode_t *origin_node = NULL;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	/*
+	 * TODO CKB: since this is read-write (had to be to add nodes later)
+	 * we will need to lock the file or the nodes in it before modifying
+	 * the nodes in the file.
+	 */
+
+	/* Map in the whole file in one go */
+	fd = fileno(f);
+	isc_file_getsizefd(fd, &filesize);
+	protect = PROT_READ|PROT_WRITE;
+	flags = MAP_PRIVATE;
+#ifdef MAP_FILE
+	flags |= MAP_FILE;
+#endif
+
+	base = isc_file_mmap(NULL, filesize, protect, flags, fd, 0);
+	if (base == NULL || base == MAP_FAILED) {
+		return (ISC_R_FAILURE);
+	}
+
+	header = (rbtdb_file_header_t *)(base + offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
+
+	if (header->tree != 0) {
+		result = dns_rbt_deserialize_tree(base, filesize,
+						  (off_t) header->tree,
+						  rbtdb->common.mctx,
+						  delete_callback, rbtdb,
+						  rbt_datafixer, rbtdb,
+						  NULL, &tree);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		result = dns_rbt_findnode(tree, &rbtdb->common.origin, NULL,
+					  &origin_node, NULL,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	if (header->nsec != 0) {
+		result = dns_rbt_deserialize_tree(base, filesize,
+						  (off_t) header->nsec,
+						  rbtdb->common.mctx,
+						  delete_callback, rbtdb,
+						  rbt_datafixer, rbtdb,
+						  NULL, &nsec);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	if (header->nsec3 != 0) {
+		result = dns_rbt_deserialize_tree(base, filesize,
+						  (off_t) header->nsec3,
+						  rbtdb->common.mctx,
+						  delete_callback, rbtdb,
+						  rbt_datafixer, rbtdb,
+						  NULL, &nsec3);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	/*
+	 * We have a successfully loaded all the rbt trees now update
+	 * rbtdb to use them.
+	 */
+
+	rbtdb->mmap_location = base;
+	rbtdb->mmap_size = (size_t) filesize;
+
+	if (tree != NULL) {
+		dns_rbt_destroy(&rbtdb->tree);
+		rbtdb->tree = tree;
+		rbtdb->origin_node = origin_node;
+	}
+
+	if (nsec != NULL) {
+		dns_rbt_destroy(&rbtdb->nsec);
+		rbtdb->nsec = nsec;
+	}
+
+	if (nsec3 != NULL) {
+		dns_rbt_destroy(&rbtdb->nsec3);
+		rbtdb->nsec3 = nsec3;
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (tree != NULL)
+		dns_rbt_destroy(&tree);
+	if (nsec != NULL)
+		dns_rbt_destroy(&nsec);
+	if (nsec3 != NULL)
+		dns_rbt_destroy(&nsec3);
+	isc_file_munmap(base, (size_t) filesize);
+	return (result);
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	rbtdb_load_t *loadctx;
+	dns_rbtdb_t *rbtdb;
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
+	if (loadctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	loadctx->rbtdb = rbtdb;
+	if (IS_CACHE(rbtdb))
+		isc_stdtime_get(&loadctx->now);
+	else
+		loadctx->now = 0;
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	if (rbtdb->rpzs != NULL) {
+		isc_result_t result;
+
+		result = dns_rpz_beginload(&rbtdb->load_rpzs,
+					   rbtdb->rpzs, rbtdb->rpz_num);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(rbtdb->common.mctx, loadctx,
+				    sizeof(*loadctx));
+			return (result);
+		}
+	}
+
+	REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
+		== 0);
+	rbtdb->attributes |= RBTDB_ATTR_LOADING;
+
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	callbacks->add = loading_addrdataset;
+	callbacks->add_private = loadctx;
+	callbacks->deserialize = deserialize32;
+	callbacks->deserialize_private = loadctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	rbtdb_load_t *loadctx;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(DNS_CALLBACK_VALID(callbacks));
+	loadctx = callbacks->add_private;
+	REQUIRE(loadctx != NULL);
+	REQUIRE(loadctx->rbtdb == rbtdb);
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
+	REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
+
+	rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
+	rbtdb->attributes |= RBTDB_ATTR_LOADED;
+
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+	/*
+	 * If there's a KEY rdataset at the zone origin containing a
+	 * zone key, we consider the zone secure.
+	 */
+	if (! IS_CACHE(rbtdb) && rbtdb->origin_node != NULL)
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
+
+	callbacks->add = NULL;
+	callbacks->add_private = NULL;
+	callbacks->deserialize = NULL;
+	callbacks->deserialize_private = NULL;
+
+	isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * helper function to handle writing out the rdataset data pointed to
+ * by the void *data pointer in the dns_rbtnode
+ */
+static isc_result_t
+rbt_datawriter(FILE *rbtfile, unsigned char *data, void *arg,
+	       uint64_t *crc)
+{
+	rbtdb_version_t *version = (rbtdb_version_t *) arg;
+	rbtdb_serial_t serial;
+	rdatasetheader_t newheader;
+	rdatasetheader_t *header = (rdatasetheader_t *) data, *next;
+	off_t where;
+	size_t cooked, size;
+	unsigned char *p;
+	isc_result_t result = ISC_R_SUCCESS;
+	char pad[sizeof(char *)];
+	uintptr_t off;
+
+	REQUIRE(rbtfile != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE(version != NULL);
+
+	serial = version->serial;
+
+	for (; header != NULL; header = next) {
+		next = header->next;
+		do {
+			if (header->serial <= serial && !IGNORE(header)) {
+				if (NONEXISTENT(header))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+
+		if (header == NULL)
+			continue;
+
+		CHECK(isc_stdio_tell(rbtfile, &where));
+		size = dns_rdataslab_size((unsigned char *) header,
+					  sizeof(rdatasetheader_t));
+
+		p = (unsigned char *) header;
+		memmove(&newheader, p, sizeof(rdatasetheader_t));
+		newheader.down = NULL;
+		newheader.next = NULL;
+		off = where;
+		if ((off_t)off != where)
+			return (ISC_R_RANGE);
+		newheader.node = (dns_rbtnode_t *) off;
+		newheader.node_is_relative = 1;
+		newheader.serial = 1;
+
+		/*
+		 * Round size up to the next pointer sized offset so it
+		 * will be properly aligned when read back in.
+		 */
+		cooked = dns_rbt_serialize_align(size);
+		if (next != NULL) {
+			newheader.next = (rdatasetheader_t *) (off + cooked);
+			newheader.next_is_relative = 1;
+		}
+
+#ifdef DEBUG
+		hexdump("writing header", (unsigned char *) &newheader,
+			sizeof(rdatasetheader_t));
+		hexdump("writing slab", p + sizeof(rdatasetheader_t),
+			size - sizeof(rdatasetheader_t));
+#endif
+		isc_crc64_update(crc, (unsigned char *) &newheader,
+				 sizeof(rdatasetheader_t));
+		CHECK(isc_stdio_write(&newheader, sizeof(rdatasetheader_t), 1,
+				      rbtfile, NULL));
+
+		isc_crc64_update(crc, p + sizeof(rdatasetheader_t),
+				 size - sizeof(rdatasetheader_t));
+		CHECK(isc_stdio_write(p + sizeof(rdatasetheader_t),
+				      size - sizeof(rdatasetheader_t), 1,
+				      rbtfile, NULL));
+		/*
+		 * Pad to force alignment.
+		 */
+		if (size != (size_t) cooked) {
+			memset(pad, 0, sizeof(pad));
+			CHECK(isc_stdio_write(pad, cooked - size, 1,
+					      rbtfile, NULL));
+		}
+	}
+
+ failure:
+	return (result);
+}
+
+/*
+ * Write out a zeroed header as a placeholder.  Doing this ensures
+ * that the file will not read while it is partially written, should
+ * writing fail or be interrupted.
+ */
+static isc_result_t
+rbtdb_zero_header(FILE *rbtfile) {
+	char buffer[RBTDB_HEADER_LENGTH];
+	isc_result_t result;
+
+	memset(buffer, 0, RBTDB_HEADER_LENGTH);
+	result = isc_stdio_write(buffer, 1, RBTDB_HEADER_LENGTH, rbtfile, NULL);
+	fflush(rbtfile);
+
+	return (result);
+}
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_file_version(void) {
+	int n;
+
+	memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
+	n = snprintf(FILE_VERSION, sizeof(FILE_VERSION),
+		 "RBTDB Image %s %s", dns_major, dns_mapapi);
+	INSIST(n > 0 && (unsigned int)n < sizeof(FILE_VERSION));
+}
+
+/*
+ * Write the file header out, recording the locations of the three
+ * RBT's used in the rbtdb: tree, nsec, and nsec3, and including NodeDump
+ * version information and any information stored in the rbtdb object
+ * itself that should be stored here.
+ */
+static isc_result_t
+rbtdb_write_header(FILE *rbtfile, off_t tree_location, off_t nsec_location,
+		   off_t nsec3_location)
+{
+	rbtdb_file_header_t header;
+	isc_result_t result;
+
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	memset(&header, 0, sizeof(rbtdb_file_header_t));
+	memmove(header.version1, FILE_VERSION, sizeof(header.version1));
+	memmove(header.version2, FILE_VERSION, sizeof(header.version2));
+	header.ptrsize = (uint32_t) sizeof(void *);
+	header.bigendian = (1 == htonl(1)) ? 1 : 0;
+	header.tree = (uint64_t) tree_location;
+	header.nsec = (uint64_t) nsec_location;
+	header.nsec3 = (uint64_t) nsec3_location;
+	result = isc_stdio_write(&header, 1, sizeof(rbtdb_file_header_t),
+			      rbtfile, NULL);
+	fflush(rbtfile);
+
+	return (result);
+}
+
+static bool
+match_header_version(rbtdb_file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION,
+		   sizeof(header->version1)) != 0 ||
+	    memcmp(header->version2, FILE_VERSION,
+		   sizeof(header->version1)) != 0)
+	{
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+serialize(dns_db_t *db, dns_dbversion_t *ver, FILE *rbtfile) {
+	rbtdb_version_t *version = (rbtdb_version_t *) ver;
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result;
+	off_t tree_location, nsec_location, nsec3_location, header_location;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rbtfile != NULL);
+
+	/* Ensure we're writing to a plain file */
+	CHECK(isc_file_isplainfilefd(fileno(rbtfile)));
+
+	/*
+	 * first, write out a zeroed header to store rbtdb information
+	 *
+	 * then for each of the three trees, store the current position
+	 * in the file and call dns_rbt_serialize_tree
+	 *
+	 * finally, write out the rbtdb header, storing the locations of the
+	 * rbtheaders
+	 *
+	 * NOTE: need to do something better with the return codes, &= will
+	 * not work.
+	 */
+	CHECK(isc_stdio_tell(rbtfile, &header_location));
+	CHECK(rbtdb_zero_header(rbtfile));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->tree, rbt_datawriter,
+				     version, &tree_location));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->nsec, rbt_datawriter,
+				     version, &nsec_location));
+	CHECK(dns_rbt_serialize_tree(rbtfile, rbtdb->nsec3, rbt_datawriter,
+				     version, &nsec3_location));
+
+	CHECK(isc_stdio_seek(rbtfile, header_location, SEEK_SET));
+	CHECK(rbtdb_write_header(rbtfile, tree_location, nsec_location,
+				 nsec3_location));
+ failure:
+	return (result);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat)
+{
+	dns_rbtdb_t *rbtdb;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	return (dns_master_dump2(rbtdb->common.mctx, db, version,
+				 &dns_master_style_default,
+				 filename, masterformat));
+}
+
+static void
+delete_callback(void *data, void *arg) {
+	dns_rbtdb_t *rbtdb = arg;
+	rdatasetheader_t *current, *next;
+	unsigned int locknum;
+
+	current = data;
+	locknum = current->node->locknum;
+	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	while (current != NULL) {
+		next = current->next;
+		free_rdataset(rbtdb, rbtdb->common.mctx, current);
+		current = next;
+	}
+	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	bool secure;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	secure = (rbtdb->current_version->secure == dns_db_secure);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (secure);
+}
+
+static bool
+isdnssec(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	bool dnssec;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	dnssec = (rbtdb->current_version->secure != dns_db_insecure);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (dnssec);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	unsigned int count;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	count = dns_rbt_nodecount(rbtdb->tree);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (count);
+}
+
+static size_t
+hashsize(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	size_t size;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	size = dns_rbt_hashsize(rbtdb->tree);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (size);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	dns_rbtdb_t *rbtdb;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
+	if (rbtdb->task != NULL)
+		isc_task_detach(&rbtdb->task);
+	if (task != NULL)
+		isc_task_attach(task, &rbtdb->task);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (false);
+}
+
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *onode;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	/* Note that the access to origin_node doesn't require a DB lock */
+	onode = (dns_rbtnode_t *)rbtdb->origin_node;
+	if (onode != NULL) {
+		NODE_STRONGLOCK(&rbtdb->node_locks[onode->locknum].lock);
+		new_reference(rbtdb, onode);
+		NODE_STRONGUNLOCK(&rbtdb->node_locks[onode->locknum].lock);
+
+		*nodep = rbtdb->origin_node;
+	} else {
+		INSIST(IS_CACHE(rbtdb));
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+static isc_result_t
+getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
+		   uint8_t *flags, uint16_t *iterations,
+		   unsigned char *salt, size_t *salt_length)
+{
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result = ISC_R_NOTFOUND;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	if (rbtversion == NULL)
+		rbtversion = rbtdb->current_version;
+
+	if (rbtversion->havensec3) {
+		if (hash != NULL)
+			*hash = rbtversion->hash;
+		if (salt != NULL && salt_length != NULL) {
+			REQUIRE(*salt_length >= rbtversion->salt_length);
+			memmove(salt, rbtversion->salt,
+				rbtversion->salt_length);
+		}
+		if (salt_length != NULL)
+			*salt_length = rbtversion->salt_length;
+		if (iterations != NULL)
+			*iterations = rbtversion->iterations;
+		if (flags != NULL)
+			*flags = rbtversion->flags;
+		result = ISC_R_SUCCESS;
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+getsize(dns_db_t *db, dns_dbversion_t *version, uint64_t *records,
+	uint64_t *bytes)
+{
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result = ISC_R_SUCCESS;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
+
+	if (rbtversion == NULL)
+		rbtversion = rbtdb->current_version;
+
+	RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
+	if (records != NULL)
+		*records = rbtversion->records;
+
+	if (bytes != NULL)
+		*bytes = rbtversion->bytes;
+	RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	isc_result_t result = ISC_R_SUCCESS;
+	rdatasetheader_t *header, oldheader;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(!IS_CACHE(rbtdb));
+	REQUIRE(rdataset != NULL);
+
+	header = rdataset->private3;
+	header--;
+
+	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		  isc_rwlocktype_write);
+
+	oldheader = *header;
+	/*
+	 * Only break the heap invariant (by adjusting resign and resign_lsb)
+	 * if we are going to be restoring it by calling isc_heap_increased
+	 * or isc_heap_decreased.
+	 */
+	if (resign != 0) {
+		header->resign =
+			 (isc_stdtime_t)(dns_time64_from32(resign) >> 1);
+		header->resign_lsb = resign & 0x1;
+	}
+	if (header->heap_index != 0) {
+		INSIST(RESIGN(header));
+		if (resign == 0) {
+			isc_heap_delete(rbtdb->heaps[header->node->locknum],
+					header->heap_index);
+			header->heap_index = 0;
+		} else if (resign_sooner(header, &oldheader)) {
+			isc_heap_increased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+		} else if (resign_sooner(&oldheader, header)) {
+			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+		}
+	} else if (resign != 0) {
+		header->attributes |= RDATASET_ATTR_RESIGN;
+		result = resign_insert(rbtdb, header->node->locknum, header);
+	}
+	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		    isc_rwlocktype_write);
+	return (result);
+}
+
+static isc_result_t
+getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+	       dns_name_t *foundname)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rdatasetheader_t *header = NULL, *this;
+	unsigned int i;
+	isc_result_t result = ISC_R_NOTFOUND;
+	unsigned int locknum;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read);
+		this = isc_heap_element(rbtdb->heaps[i], 1);
+		if (this == NULL) {
+			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+				    isc_rwlocktype_read);
+			continue;
+		}
+		if (header == NULL)
+			header = this;
+		else if (resign_sooner(this, header)) {
+			locknum = header->node->locknum;
+			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+				    isc_rwlocktype_read);
+			header = this;
+		} else
+			NODE_UNLOCK(&rbtdb->node_locks[i].lock,
+				    isc_rwlocktype_read);
+	}
+
+	if (header == NULL)
+		goto unlock;
+
+	bind_rdataset(rbtdb, header->node, header, 0, rdataset);
+
+	if (foundname != NULL)
+		dns_rbt_fullnamefromnode(header->node, foundname);
+
+	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		    isc_rwlocktype_read);
+
+	result = ISC_R_SUCCESS;
+
+ unlock:
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static void
+resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+{
+	rbtdb_version_t *rbtversion = (rbtdb_version_t *)version;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->methods == &rdataset_methods);
+	REQUIRE(rbtdb->future_version == rbtversion);
+	REQUIRE(rbtversion != NULL);
+	REQUIRE(rbtversion->writer);
+	REQUIRE(rbtversion->rbtdb == rbtdb);
+
+	node = rdataset->private2;
+	INSIST(node != NULL);
+	header = rdataset->private3;
+	INSIST(header != NULL);
+	header--;
+
+	if (header->heap_index == 0)
+		return;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	NODE_LOCK(&rbtdb->node_locks[node->locknum].lock,
+		  isc_rwlocktype_write);
+	/*
+	 * Delete from heap and save to re-signed list so that it can
+	 * be restored if we backout of this change.
+	 */
+	resign_delete(rbtdb, rbtversion, header);
+	NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
+		    isc_rwlocktype_write);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+}
+
+static isc_result_t
+setcachestats(dns_db_t *db, isc_stats_t *stats) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
+	REQUIRE(stats != NULL);
+
+	isc_stats_attach(stats, &rbtdb->cachestats);
+	return (ISC_R_SUCCESS);
+}
+
+static dns_stats_t *
+getrrsetstats(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
+
+	return (rbtdb->rrsetstats);
+}
+
+static isc_result_t
+nodefullname(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+	isc_result_t result;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(node != NULL);
+	REQUIRE(name != NULL);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	result = dns_rbt_fullnamefromnode(rbtnode, name);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static dns_dbmethods_t zone_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	serialize,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	zone_find,
+	zone_findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	zone_findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode,
+	NULL,
+	getnsec3parameters,
+	findnsec3node,
+	setsigningtime,
+	getsigningtime,
+	resigned,
+	isdnssec,
+	NULL,
+	rpz_attach,
+	rpz_ready,
+	NULL,
+	NULL,
+	NULL,
+	hashsize,
+	nodefullname,
+	getsize
+};
+
+static dns_dbmethods_t cache_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	NULL,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	cache_find,
+	cache_findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	cache_findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	isdnssec,
+	getrrsetstats,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	setcachestats,
+	hashsize,
+	nodefullname,
+	NULL
+};
+
+isc_result_t
+#ifdef DNS_RBTDB_VERSION64
+dns_rbtdb64_create
+#else
+dns_rbtdb_create
+#endif
+		(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp)
+{
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result;
+	int i;
+	dns_name_t name;
+	bool (*sooner)(void *, void *);
+	isc_mem_t *hmctx = mctx;
+
+	/* Keep the compiler happy. */
+	UNUSED(driverarg);
+
+	rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+	if (rbtdb == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * If argv[0] exists, it points to a memory context to use for heap
+	 */
+	if (argc != 0)
+		hmctx = (isc_mem_t *) argv[0];
+
+	memset(rbtdb, '\0', sizeof(*rbtdb));
+	dns_name_init(&rbtdb->common.origin, NULL);
+	rbtdb->common.attributes = 0;
+	if (type == dns_dbtype_cache) {
+		rbtdb->common.methods = &cache_methods;
+		rbtdb->common.attributes |= DNS_DBATTR_CACHE;
+	} else if (type == dns_dbtype_stub) {
+		rbtdb->common.methods = &zone_methods;
+		rbtdb->common.attributes |= DNS_DBATTR_STUB;
+	} else
+		rbtdb->common.methods = &zone_methods;
+	rbtdb->common.rdclass = rdclass;
+	rbtdb->common.mctx = NULL;
+
+	ISC_LIST_INIT(rbtdb->common.update_listeners);
+
+	result = RBTDB_INITLOCK(&rbtdb->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rbtdb;
+
+	result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	/*
+	 * Initialize node_lock_count in a generic way to support future
+	 * extension which allows the user to specify this value on creation.
+	 * Note that when specified for a cache DB it must be larger than 1
+	 * as commented with the definition of DEFAULT_CACHE_NODE_LOCK_COUNT.
+	 */
+	if (rbtdb->node_lock_count == 0) {
+		if (IS_CACHE(rbtdb))
+			rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT;
+		else
+			rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
+	} else if (rbtdb->node_lock_count < 2 && IS_CACHE(rbtdb)) {
+		result = ISC_R_RANGE;
+		goto cleanup_tree_lock;
+	}
+	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
+	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
+					sizeof(rbtdb_nodelock_t));
+	if (rbtdb->node_locks == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_tree_lock;
+	}
+
+	rbtdb->cachestats = NULL;
+	rbtdb->rrsetstats = NULL;
+	if (IS_CACHE(rbtdb)) {
+		result = dns_rdatasetstats_create(mctx, &rbtdb->rrsetstats);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_node_locks;
+		rbtdb->rdatasets = isc_mem_get(mctx, rbtdb->node_lock_count *
+					       sizeof(rdatasetheaderlist_t));
+		if (rbtdb->rdatasets == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_rrsetstats;
+		}
+		for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+			ISC_LIST_INIT(rbtdb->rdatasets[i]);
+	} else
+		rbtdb->rdatasets = NULL;
+
+	/*
+	 * Create the heaps.
+	 */
+	rbtdb->heaps = isc_mem_get(hmctx, rbtdb->node_lock_count *
+				   sizeof(isc_heap_t *));
+	if (rbtdb->heaps == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_rdatasets;
+	}
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+		rbtdb->heaps[i] = NULL;
+	sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner;
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+		result = isc_heap_create(hmctx, sooner, set_index, 0,
+					 &rbtdb->heaps[i]);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_heaps;
+	}
+
+	/*
+	 * Create deadnode lists.
+	 */
+	rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count *
+				       sizeof(rbtnodelist_t));
+	if (rbtdb->deadnodes == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_heaps;
+	}
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+		ISC_LIST_INIT(rbtdb->deadnodes[i]);
+
+	rbtdb->active = rbtdb->node_lock_count;
+
+	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
+		result = NODE_INITLOCK(&rbtdb->node_locks[i].lock);
+		if (result == ISC_R_SUCCESS) {
+			result = isc_refcount_init(&rbtdb->node_locks[i].references, 0);
+			if (result != ISC_R_SUCCESS)
+				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+		}
+		if (result != ISC_R_SUCCESS) {
+			while (i-- > 0) {
+				NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
+				isc_refcount_destroy(&rbtdb->node_locks[i].references);
+			}
+			goto cleanup_deadnodes;
+		}
+		rbtdb->node_locks[i].exiting = false;
+	}
+
+	/*
+	 * Attach to the mctx.  The database will persist so long as there
+	 * are references to it, and attaching to the mctx ensures that our
+	 * mctx won't disappear out from under us.
+	 */
+	isc_mem_attach(mctx, &rbtdb->common.mctx);
+	isc_mem_attach(hmctx, &rbtdb->hmctx);
+
+	/*
+	 * Must be initialized before free_rbtdb() is called.
+	 */
+	isc_ondestroy_init(&rbtdb->common.ondest);
+
+	/*
+	 * Make a copy of the origin name.
+	 */
+	result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	/*
+	 * Make the Red-Black Trees.
+	 */
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	/*
+	 * In order to set the node callback bit correctly in zone databases,
+	 * we need to know if the node has the origin name of the zone.
+	 * In loading_addrdataset() we could simply compare the new name
+	 * to the origin name, but this is expensive.  Also, we don't know the
+	 * node name in addrdataset(), so we need another way of knowing the
+	 * zone's top.
+	 *
+	 * We now explicitly create a node for the zone's origin, and then
+	 * we simply remember the node's address.  This is safe, because
+	 * the top-of-zone node can never be deleted, nor can its address
+	 * change.
+	 */
+	if (!IS_CACHE(rbtdb)) {
+		rbtdb->origin_node = NULL;
+		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
+					 &rbtdb->origin_node);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result != ISC_R_EXISTS);
+			free_rbtdb(rbtdb, false, NULL);
+			return (result);
+		}
+		INSIST(rbtdb->origin_node != NULL);
+		rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
+		/*
+		 * We need to give the origin node the right locknum.
+		 */
+		dns_name_init(&name, NULL);
+		dns_rbt_namefromnode(rbtdb->origin_node, &name);
+#ifdef DNS_RBT_USEHASH
+		rbtdb->origin_node->locknum =
+			rbtdb->origin_node->hashval %
+			rbtdb->node_lock_count;
+#else
+		rbtdb->origin_node->locknum =
+			dns_name_hash(&name, true) %
+			rbtdb->node_lock_count;
+#endif
+		/*
+		 * Add an apex node to the NSEC3 tree so that NSEC3 searches
+		 * return partial matches when there is only a single NSEC3
+		 * record in the tree.
+		 */
+		rbtdb->nsec3_origin_node = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
+					 &rbtdb->nsec3_origin_node);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result != ISC_R_EXISTS);
+			free_rbtdb(rbtdb, false, NULL);
+			return (result);
+		}
+		rbtdb->nsec3_origin_node->nsec = DNS_RBT_NSEC_NSEC3;
+		/*
+		 * We need to give the nsec3 origin node the right locknum.
+		 */
+		dns_name_init(&name, NULL);
+		dns_rbt_namefromnode(rbtdb->nsec3_origin_node, &name);
+#ifdef DNS_RBT_USEHASH
+		rbtdb->nsec3_origin_node->locknum =
+			rbtdb->nsec3_origin_node->hashval %
+			rbtdb->node_lock_count;
+#else
+		rbtdb->nsec3_origin_node->locknum =
+			dns_name_hash(&name, true) %
+			rbtdb->node_lock_count;
+#endif
+	}
+
+	/*
+	 * Misc. Initialization.
+	 */
+	result = isc_refcount_init(&rbtdb->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+	rbtdb->attributes = 0;
+	rbtdb->task = NULL;
+	rbtdb->rpzs = NULL;
+	rbtdb->load_rpzs = NULL;
+	rbtdb->rpz_num = DNS_RPZ_INVALID_NUM;
+
+	/*
+	 * Version Initialization.
+	 */
+	rbtdb->current_serial = 1;
+	rbtdb->least_serial = 1;
+	rbtdb->next_serial = 2;
+	rbtdb->current_version = allocate_version(mctx, 1, 1, false);
+	if (rbtdb->current_version == NULL) {
+		isc_refcount_decrement(&rbtdb->references, NULL);
+		free_rbtdb(rbtdb, false, NULL);
+		return (ISC_R_NOMEMORY);
+	}
+	rbtdb->current_version->rbtdb = rbtdb;
+	rbtdb->current_version->secure = dns_db_insecure;
+	rbtdb->current_version->havensec3 = false;
+	rbtdb->current_version->flags = 0;
+	rbtdb->current_version->iterations = 0;
+	rbtdb->current_version->hash = 0;
+	rbtdb->current_version->salt_length = 0;
+	memset(rbtdb->current_version->salt, 0,
+	       sizeof(rbtdb->current_version->salt));
+	result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&rbtdb->current_version->references);
+		isc_mem_put(mctx, rbtdb->current_version,
+			    sizeof(*rbtdb->current_version));
+		rbtdb->current_version = NULL;
+		isc_refcount_decrement(&rbtdb->references, NULL);
+		free_rbtdb(rbtdb, false, NULL);
+		return (result);
+	}
+
+	rbtdb->current_version->records = 0;
+	rbtdb->current_version->bytes = 0;
+	rbtdb->future_version = NULL;
+	ISC_LIST_INIT(rbtdb->open_versions);
+	/*
+	 * Keep the current version in the open list so that list operation
+	 * won't happen in normal lookup operations.
+	 */
+	PREPEND(rbtdb->open_versions, rbtdb->current_version, link);
+
+	rbtdb->common.magic = DNS_DB_MAGIC;
+	rbtdb->common.impmagic = RBTDB_MAGIC;
+
+	*dbp = (dns_db_t *)rbtdb;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_deadnodes:
+	isc_mem_put(mctx, rbtdb->deadnodes,
+		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
+
+ cleanup_heaps:
+	if (rbtdb->heaps != NULL) {
+		for (i = 0 ; i < (int)rbtdb->node_lock_count ; i++)
+			if (rbtdb->heaps[i] != NULL)
+				isc_heap_destroy(&rbtdb->heaps[i]);
+		isc_mem_put(hmctx, rbtdb->heaps,
+			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
+	}
+
+ cleanup_rdatasets:
+	if (rbtdb->rdatasets != NULL)
+		isc_mem_put(mctx, rbtdb->rdatasets, rbtdb->node_lock_count *
+			    sizeof(rdatasetheaderlist_t));
+ cleanup_rrsetstats:
+	if (rbtdb->rrsetstats != NULL)
+		dns_stats_detach(&rbtdb->rrsetstats);
+
+ cleanup_node_locks:
+	isc_mem_put(mctx, rbtdb->node_locks,
+		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+
+ cleanup_tree_lock:
+	isc_rwlock_destroy(&rbtdb->tree_lock);
+
+ cleanup_lock:
+	RBTDB_DESTROYLOCK(&rbtdb->lock);
+
+ cleanup_rbtdb:
+	isc_mem_put(mctx, rbtdb,  sizeof(*rbtdb));
+	return (result);
+}
+
+
+/*
+ * Slabbed Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+
+	detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+
+#if DNS_RDATASET_FIXED
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0)
+		raw += 2 + (4 * count);
+	else
+#endif
+		raw += 2;
+
+	/*
+	 * The privateuint4 field is the number of rdata beyond the
+	 * cursor position, so we decrement the total count by one
+	 * before storing it.
+	 *
+	 * If DNS_RDATASETATTR_LOADORDER is not set 'raw' points to the
+	 * first record.  If DNS_RDATASETATTR_LOADORDER is set 'raw' points
+	 * to the first entry in the offset table.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;     /* RDATASLAB */
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+
+	/*
+	 * Skip forward one record (length + 4) or one offset (4).
+	 */
+	raw = rdataset->private5;
+#if DNS_RDATASET_FIXED
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) == 0) {
+#endif
+		length = raw[0] * 256 + raw[1];
+		raw += length;
+#if DNS_RDATASET_FIXED
+	}
+	rdataset->private5 = raw + 4;           /* length(2) + order(2) */
+#else
+	rdataset->private5 = raw + 2;           /* length(2) */
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;        /* RDATASLAB */
+#if DNS_RDATASET_FIXED
+	unsigned int offset;
+#endif
+	unsigned int length;
+	isc_region_t r;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	/*
+	 * Find the start of the record if not already in private5
+	 * then skip the length and order fields.
+	 */
+#if DNS_RDATASET_FIXED
+	if ((rdataset->attributes & DNS_RDATASETATTR_LOADORDER) != 0) {
+		offset = (raw[0] << 24) + (raw[1] << 16) +
+			 (raw[2] << 8) + raw[3];
+		raw = rdataset->private3;
+		raw += offset;
+	}
+#endif
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += 4;
+#else
+	raw += 2;
+#endif
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_db_t *db = source->private1;
+	dns_dbnode_t *node = source->private2;
+	dns_dbnode_t *cloned_node = NULL;
+
+	attachnode(db, node, &cloned_node);
+	INSIST(!ISC_LINK_LINKED(target, link));
+	*target = *source;
+	ISC_LINK_INIT(target, link);
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static isc_result_t
+rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	struct noqname *noqname = rdataset->private6;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsec->methods = &slab_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = noqname->type;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = noqname->neg;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsecsig->methods = &slab_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = noqname->type;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = noqname->negsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	dns_name_clone(&noqname->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	struct noqname *closest = rdataset->private7;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsec->methods = &slab_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = closest->type;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = closest->neg;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsecsig->methods = &slab_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = closest->type;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = closest->negsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	dns_name_clone(&closest->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	header->trust = rdataset->trust = trust;
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+}
+
+static void
+rdataset_expire(dns_rdataset_t *rdataset) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	expire_header(rbtdb, header, false, expire_flush);
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+}
+
+static void
+rdataset_clearprefetch(dns_rdataset_t *rdataset) {
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	rdatasetheader_t *header = rdataset->private3;
+
+	header--;
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+	header->attributes &= ~RDATASET_ATTR_PREFETCH;
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_write);
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	rbtdb_rdatasetiter_t *rbtiterator;
+
+	rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
+
+	if (rbtiterator->common.version != NULL)
+		closeversion(rbtiterator->common.db,
+			     &rbtiterator->common.version, false);
+	detachnode(rbtiterator->common.db, &rbtiterator->common.node);
+	isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
+		    sizeof(*rbtiterator));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+	rdatasetheader_t *header, *top_next;
+	rbtdb_serial_t serial;
+	isc_stdtime_t now;
+
+	if (IS_CACHE(rbtdb)) {
+		serial = 1;
+		now = rbtiterator->common.now;
+	} else {
+		serial = rbtversion->serial;
+		now = 0;
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	for (header = rbtnode->data; header != NULL; header = top_next) {
+		top_next = header->next;
+		do {
+			if (header->serial <= serial && !IGNORE(header)) {
+				/*
+				 * Is this a "this rdataset doesn't exist"
+				 * record?  Or is it too old in the cache?
+				 *
+				 * Note: unlike everywhere else, we
+				 * check for now > header->rdh_ttl instead
+				 * of now >= header->rdh_ttl.  This allows
+				 * ANY and RRSIG queries for 0 TTL
+				 * rdatasets to work.
+				 */
+				if (NONEXISTENT(header) ||
+				    (now != 0 && now > header->rdh_ttl))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+		if (header != NULL)
+			break;
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	rbtiterator->current = header;
+
+	if (header == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rbtdb_version_t *rbtversion = rbtiterator->common.version;
+	rdatasetheader_t *header, *top_next;
+	rbtdb_serial_t serial;
+	isc_stdtime_t now;
+	rbtdb_rdatatype_t type, negtype;
+	dns_rdatatype_t rdtype, covers;
+
+	header = rbtiterator->current;
+	if (header == NULL)
+		return (ISC_R_NOMORE);
+
+	if (IS_CACHE(rbtdb)) {
+		serial = 1;
+		now = rbtiterator->common.now;
+	} else {
+		serial = rbtversion->serial;
+		now = 0;
+	}
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	type = header->type;
+	rdtype = RBTDB_RDATATYPE_BASE(header->type);
+	if (NEGATIVE(header)) {
+		covers = RBTDB_RDATATYPE_EXT(header->type);
+		negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
+	} else
+		negtype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+	for (header = header->next; header != NULL; header = top_next) {
+		top_next = header->next;
+		/*
+		 * If not walking back up the down list.
+		 */
+		if (header->type != type && header->type != negtype) {
+			do {
+				if (header->serial <= serial &&
+				    !IGNORE(header)) {
+					/*
+					 * Is this a "this rdataset doesn't
+					 * exist" record?
+					 *
+					 * Note: unlike everywhere else, we
+					 * check for now > header->ttl instead
+					 * of now >= header->ttl.  This allows
+					 * ANY and RRSIG queries for 0 TTL
+					 * rdatasets to work.
+					 */
+					if (NONEXISTENT(header) ||
+					    (now != 0 && now > header->rdh_ttl))
+						header = NULL;
+					break;
+				} else
+					header = header->down;
+			} while (header != NULL);
+			if (header != NULL)
+				break;
+		}
+	}
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+
+	rbtiterator->current = header;
+
+	if (header == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+	rdatasetheader_t *header;
+
+	header = rbtiterator->current;
+	REQUIRE(header != NULL);
+
+	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		  isc_rwlocktype_read);
+
+	bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
+		      rdataset);
+
+	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+		    isc_rwlocktype_read);
+}
+
+
+/*
+ * Database Iterator Methods
+ */
+
+static inline void
+reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_rbtnode_t *node = rbtdbiter->node;
+
+	if (node == NULL)
+		return;
+
+	INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
+	reactivate_node(rbtdb, node, rbtdbiter->tree_locked);
+}
+
+static inline void
+dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_rbtnode_t *node = rbtdbiter->node;
+	nodelock_t *lock;
+
+	if (node == NULL)
+		return;
+
+	lock = &rbtdb->node_locks[node->locknum].lock;
+	NODE_LOCK(lock, isc_rwlocktype_read);
+	decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
+			    rbtdbiter->tree_locked, false);
+	NODE_UNLOCK(lock, isc_rwlocktype_read);
+
+	rbtdbiter->node = NULL;
+}
+
+static void
+flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtnode_t *node;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	bool was_read_locked = false;
+	nodelock_t *lock;
+	int i;
+
+	if (rbtdbiter->delcnt != 0) {
+		/*
+		 * Note that "%d node of %d in tree" can report things like
+		 * "flush_deletions: 59 nodes of 41 in tree".  This means
+		 * That some nodes appear on the deletions list more than
+		 * once.  Only the last occurence will actually be deleted.
+		 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+			      "flush_deletions: %d nodes of %d in tree",
+			      rbtdbiter->delcnt,
+			      dns_rbt_nodecount(rbtdb->tree));
+
+		if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+			was_read_locked = true;
+		}
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		rbtdbiter->tree_locked = isc_rwlocktype_write;
+
+		for (i = 0; i < rbtdbiter->delcnt; i++) {
+			node = rbtdbiter->deletions[i];
+			lock = &rbtdb->node_locks[node->locknum].lock;
+
+			NODE_LOCK(lock, isc_rwlocktype_read);
+			decrement_reference(rbtdb, node, 0,
+					    isc_rwlocktype_read,
+					    rbtdbiter->tree_locked, false);
+			NODE_UNLOCK(lock, isc_rwlocktype_read);
+		}
+
+		rbtdbiter->delcnt = 0;
+
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+		if (was_read_locked) {
+			RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+			rbtdbiter->tree_locked = isc_rwlocktype_read;
+
+		} else {
+			rbtdbiter->tree_locked = isc_rwlocktype_none;
+		}
+	}
+}
+
+static inline void
+resume_iteration(rbtdb_dbiterator_t *rbtdbiter) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+
+	REQUIRE(rbtdbiter->paused);
+	REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	rbtdbiter->tree_locked = isc_rwlocktype_read;
+
+	rbtdbiter->paused = false;
+}
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp);
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+	dns_db_t *db = NULL;
+
+	if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		rbtdbiter->tree_locked = isc_rwlocktype_none;
+	} else
+		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none);
+
+	dereference_iter_node(rbtdbiter);
+
+	flush_deletions(rbtdbiter);
+
+	dns_db_attach(rbtdbiter->common.db, &db);
+	dns_db_detach(&rbtdbiter->common.db);
+
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+	isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
+	dns_db_detach(&db);
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *name, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	dereference_iter_node(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+	} else {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->tree, name, origin);
+		if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) {
+			rbtdbiter->current = &rbtdbiter->nsec3chain;
+			result = dns_rbtnodechain_first(rbtdbiter->current,
+							rbtdb->nsec3, name,
+							origin);
+		}
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+		if (result == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		}
+	} else {
+		INSIST(result == ISC_R_NOTFOUND);
+		result = ISC_R_NOMORE; /* The tree is empty. */
+	}
+
+	rbtdbiter->result = result;
+
+	if (result != ISC_R_SUCCESS)
+		ENSURE(!rbtdbiter->paused);
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *name, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	dereference_iter_node(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	result = ISC_R_NOTFOUND;
+	if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current,
+					       rbtdb->nsec3, name, origin);
+	}
+	if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+	}
+	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+		if (result == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		}
+	} else {
+		INSIST(result == ISC_R_NOTFOUND);
+		result = ISC_R_NOMORE; /* The tree is empty. */
+	}
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+	isc_result_t result, tresult;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	dns_name_t *iname, *origin;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	dereference_iter_node(rbtdbiter);
+
+	iname = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else if (rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else {
+		/*
+		 * Stay on main chain if not found on either chain.
+		 */
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_rbtnode_t *node = NULL;
+			tresult = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
+						  &node, &rbtdbiter->nsec3chain,
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			if (tresult == ISC_R_SUCCESS) {
+				rbtdbiter->node = node;
+				rbtdbiter->current = &rbtdbiter->nsec3chain;
+				result = tresult;
+			}
+		}
+	}
+
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		tresult = dns_rbtnodechain_current(rbtdbiter->current, iname,
+						   origin, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = true;
+			reference_iter_node(rbtdbiter);
+		} else {
+			result = tresult;
+			rbtdbiter->node = NULL;
+		}
+	} else
+		rbtdbiter->node = NULL;
+
+	rbtdbiter->result = (result == DNS_R_PARTIALMATCH) ?
+			    ISC_R_SUCCESS : result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 &&
+	    &rbtdbiter->nsec3chain == rbtdbiter->current) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_NOMORE;
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+	}
+
+	if (result == ISC_R_SUCCESS)
+		reference_iter_node(rbtdbiter);
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	isc_result_t result;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	name = dns_fixedname_name(&rbtdbiter->name);
+	origin = dns_fixedname_name(&rbtdbiter->origin);
+	result = dns_rbtnodechain_next(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_NOMORE;
+	}
+
+	dereference_iter_node(rbtdbiter);
+
+	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
+						  NULL, &rbtdbiter->node);
+	}
+	if (result == ISC_R_SUCCESS)
+		reference_iter_node(rbtdbiter);
+
+	rbtdbiter->result = result;
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_rbtnode_t *node = rbtdbiter->node;
+	isc_result_t result;
+	dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
+	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+	REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
+	REQUIRE(rbtdbiter->node != NULL);
+
+	if (rbtdbiter->paused)
+		resume_iteration(rbtdbiter);
+
+	if (name != NULL) {
+		if (rbtdbiter->common.relative_names)
+			origin = NULL;
+		result = dns_name_concatenate(nodename, origin, name, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (rbtdbiter->common.relative_names && rbtdbiter->new_origin)
+			result = DNS_R_NEWORIGIN;
+	} else
+		result = ISC_R_SUCCESS;
+
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+	new_reference(rbtdb, node);
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
+
+	*nodep = rbtdbiter->node;
+
+	if (iterator->cleaning && result == ISC_R_SUCCESS) {
+		isc_result_t expire_result;
+
+		/*
+		 * If the deletion array is full, flush it before trying
+		 * to expire the current node.  The current node can't
+		 * fully deleted while the iteration cursor is still on it.
+		 */
+		if (rbtdbiter->delcnt == DELETION_BATCH_MAX)
+			flush_deletions(rbtdbiter);
+
+		expire_result = expirenode(iterator->db, *nodep, 0);
+
+		/*
+		 * expirenode() currently always returns success.
+		 */
+		if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
+			unsigned int refs;
+
+			rbtdbiter->deletions[rbtdbiter->delcnt++] = node;
+			NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+			dns_rbtnode_refincrement(node, &refs);
+			INSIST(refs != 0);
+			NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+
+	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
+	    rbtdbiter->result != DNS_R_PARTIALMATCH &&
+	    rbtdbiter->result != ISC_R_NOMORE)
+		return (rbtdbiter->result);
+
+	if (rbtdbiter->paused)
+		return (ISC_R_SUCCESS);
+
+	rbtdbiter->paused = true;
+
+	if (rbtdbiter->tree_locked != isc_rwlocktype_none) {
+		INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read);
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+		rbtdbiter->tree_locked = isc_rwlocktype_none;
+	}
+
+	flush_deletions(rbtdbiter);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+	dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+	if (rbtdbiter->result != ISC_R_SUCCESS)
+		return (rbtdbiter->result);
+
+	return (dns_name_copy(origin, name, NULL));
+}
+
+/*%
+ * Additional cache routines.
+ */
+static isc_result_t
+rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
+		       dns_rdatatype_t qtype, dns_acache_t *acache,
+		       dns_zone_t **zonep, dns_db_t **dbp,
+		       dns_dbversion_t **versionp, dns_dbnode_t **nodep,
+		       dns_name_t *fname, dns_message_t *msg,
+		       isc_stdtime_t now)
+{
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	unsigned int count;
+	rdatasetheader_t *header;
+	nodelock_t *nodelock;
+	unsigned int total_count;
+	acachectl_t *acarray;
+	dns_acacheentry_t *entry;
+	isc_result_t result;
+
+	UNUSED(qtype); /* we do not use this value at least for now */
+	UNUSED(acache);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1;
+
+	acarray = NULL;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_read);
+
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromcache:
+		acarray = NULL;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		if (type != dns_rdatasetadditional_fromcache)
+			dns_acache_countquerymiss(acache);
+		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+
+	if (acarray[count].entry == NULL) {
+		dns_acache_countquerymiss(acache);
+		NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+
+	entry = NULL;
+	dns_acache_attachentry(acarray[count].entry, &entry);
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_read);
+
+	result = dns_acache_getentry(entry, zonep, dbp, versionp,
+				     nodep, fname, msg, now);
+
+	dns_acache_detachentry(&entry);
+
+	return (result);
+}
+
+static void
+acache_callback(dns_acacheentry_t *entry, void **arg) {
+	dns_rbtdb_t *rbtdb;
+	dns_rbtnode_t *rbtnode;
+	nodelock_t *nodelock;
+	acachectl_t *acarray = NULL;
+	acache_cbarg_t *cbarg;
+	unsigned int count;
+
+	REQUIRE(arg != NULL);
+	cbarg = *arg;
+
+	/*
+	 * The caller must hold the entry lock.
+	 */
+
+	rbtdb = (dns_rbtdb_t *)cbarg->db;
+	rbtnode = (dns_rbtnode_t *)cbarg->node;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	switch (cbarg->type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = cbarg->header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = cbarg->header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	count = cbarg->count;
+	if (acarray != NULL && acarray[count].entry == entry) {
+		acarray[count].entry = NULL;
+		INSIST(acarray[count].cbarg == cbarg);
+		acarray[count].cbarg = NULL;
+		isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t));
+		dns_acache_detachentry(&entry);
+	}
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	dns_db_detachnode((dns_db_t *)rbtdb, (dns_dbnode_t **)(void*)&rbtnode);
+	dns_db_detach((dns_db_t **)(void*)&rbtdb);
+
+	*arg = NULL;
+}
+
+static void
+acache_cancelentry(isc_mem_t *mctx, dns_acacheentry_t *entry,
+		      acache_cbarg_t **cbargp)
+{
+	acache_cbarg_t *cbarg;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(entry != NULL);
+	REQUIRE(cbargp != NULL && *cbargp != NULL);
+
+	cbarg = *cbargp;
+
+	if (dns_acache_cancelentry(entry)) {
+		dns_db_detachnode(cbarg->db, &cbarg->node);
+		dns_db_detach(&cbarg->db);
+	}
+
+	isc_mem_put(mctx, cbarg, sizeof(acache_cbarg_t));
+
+	*cbargp = NULL;
+}
+
+static isc_result_t
+rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
+		       dns_rdatatype_t qtype, dns_acache_t *acache,
+		       dns_zone_t *zone, dns_db_t *db,
+		       dns_dbversion_t *version, dns_dbnode_t *node,
+		       dns_name_t *fname)
+{
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	rdatasetheader_t *header;
+	unsigned int total_count, count;
+	nodelock_t *nodelock;
+	isc_result_t result;
+	acachectl_t *acarray;
+	dns_acacheentry_t *newentry, *oldentry = NULL;
+	acache_cbarg_t *newcbarg, *oldcbarg = NULL;
+
+	UNUSED(qtype);
+
+	if (type == dns_rdatasetadditional_fromcache)
+		return (ISC_R_SUCCESS);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1; /* should be private data */
+
+	newcbarg = isc_mem_get(rbtdb->common.mctx, sizeof(*newcbarg));
+	if (newcbarg == NULL)
+		return (ISC_R_NOMEMORY);
+	newcbarg->type = type;
+	newcbarg->count = count;
+	newcbarg->header = header;
+	newcbarg->db = NULL;
+	dns_db_attach((dns_db_t *)rbtdb, &newcbarg->db);
+	newcbarg->node = NULL;
+	dns_db_attachnode((dns_db_t *)rbtdb, (dns_dbnode_t *)rbtnode,
+			  &newcbarg->node);
+	newentry = NULL;
+	result = dns_acache_createentry(acache, (dns_db_t *)rbtdb,
+					acache_callback, newcbarg, &newentry);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/* Set cache data in the new entry. */
+	result = dns_acache_setentry(acache, newentry, zone, db,
+				     version, node, fname);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	acarray = NULL;
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		unsigned int i;
+
+		acarray = isc_mem_get(rbtdb->common.mctx, total_count *
+				      sizeof(acachectl_t));
+
+		if (acarray == NULL) {
+			NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+			goto fail;
+		}
+
+		for (i = 0; i < total_count; i++) {
+			acarray[i].entry = NULL;
+			acarray[i].cbarg = NULL;
+		}
+	}
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		header->additional_auth = acarray;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		header->additional_glue = acarray;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray[count].entry != NULL) {
+		/*
+		 * Swap the entry.  Delay cleaning-up the old entry since
+		 * it would require a node lock.
+		 */
+		oldentry = acarray[count].entry;
+		INSIST(acarray[count].cbarg != NULL);
+		oldcbarg = acarray[count].cbarg;
+	}
+	acarray[count].entry = newentry;
+	acarray[count].cbarg = newcbarg;
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	if (oldentry != NULL) {
+		acache_cancelentry(rbtdb->common.mctx, oldentry, &oldcbarg);
+		dns_acache_detachentry(&oldentry);
+	}
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	if (newcbarg != NULL) {
+		if (newentry != NULL) {
+			acache_cancelentry(rbtdb->common.mctx, newentry,
+					   &newcbarg);
+			dns_acache_detachentry(&newentry);
+		} else {
+			dns_db_detachnode((dns_db_t *)rbtdb, &newcbarg->node);
+			dns_db_detach(&newcbarg->db);
+			isc_mem_put(rbtdb->common.mctx, newcbarg,
+			    sizeof(*newcbarg));
+		}
+	}
+
+	return (result);
+}
+
+static isc_result_t
+rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
+		       dns_rdatasetadditional_t type, dns_rdatatype_t qtype)
+{
+	dns_rbtdb_t *rbtdb = rdataset->private1;
+	dns_rbtnode_t *rbtnode = rdataset->private2;
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	unsigned int current_count = rdataset->privateuint4;
+	rdatasetheader_t *header;
+	nodelock_t *nodelock;
+	unsigned int total_count, count;
+	acachectl_t *acarray;
+	dns_acacheentry_t *entry;
+	acache_cbarg_t *cbarg;
+
+	UNUSED(qtype);          /* we do not use this value at least for now */
+	UNUSED(acache);
+
+	if (type == dns_rdatasetadditional_fromcache)
+		return (ISC_R_SUCCESS);
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+
+	total_count = raw[0] * 256 + raw[1];
+	INSIST(total_count > current_count);
+	count = total_count - current_count - 1;
+
+	acarray = NULL;
+	entry = NULL;
+
+	nodelock = &rbtdb->node_locks[rbtnode->locknum].lock;
+	NODE_LOCK(nodelock, isc_rwlocktype_write);
+
+	switch (type) {
+	case dns_rdatasetadditional_fromauth:
+		acarray = header->additional_auth;
+		break;
+	case dns_rdatasetadditional_fromglue:
+		acarray = header->additional_glue;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (acarray == NULL) {
+		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+
+	entry = acarray[count].entry;
+	if (entry == NULL) {
+		NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+
+	acarray[count].entry = NULL;
+	cbarg = acarray[count].cbarg;
+	acarray[count].cbarg = NULL;
+
+	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
+
+	if (entry != NULL) {
+		if (cbarg != NULL)
+			acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
+		dns_acache_detachentry(&entry);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+setownercase(rdatasetheader_t *header, const dns_name_t *name) {
+	unsigned int i;
+	bool fully_lower;
+
+	/*
+	 * We do not need to worry about label lengths as they are all
+	 * less than or equal to 63.
+	 */
+	memset(header->upper, 0, sizeof(header->upper));
+	fully_lower = true;
+	for (i = 0; i < name->length; i++)
+		if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a) {
+			header->upper[i/8] |= 1 << (i%8);
+			fully_lower = false;
+		}
+	header->attributes |= RDATASET_ATTR_CASESET;
+	if (ISC_LIKELY(fully_lower))
+		header->attributes |= RDATASET_ATTR_CASEFULLYLOWER;
+}
+
+static void
+rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	rdatasetheader_t *header;
+
+	header = (struct rdatasetheader *)(raw - sizeof(*header));
+	setownercase(header, name);
+}
+
+static const unsigned char charmask[] = {
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+	0x20, 0x20, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+static unsigned char maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+static void
+rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	const unsigned char *raw = rdataset->private3;        /* RDATASLAB */
+	const rdatasetheader_t *header;
+	unsigned int i, j;
+	unsigned char bits;
+	unsigned char c, flip;
+
+	header = (const struct rdatasetheader *)(raw - sizeof(*header));
+
+	if (!CASESET(header))
+		return;
+
+#if 0
+	/*
+	 * This was the original code, and is implemented differently in
+	 * the #else block that follows.
+	 */
+	for (i = 0; i < name->length; i++) {
+		/*
+		 * Set the case bit if it does not match the recorded bit.
+		 */
+		if (name->ndata[i] >= 0x61 && name->ndata[i] <= 0x7a &&
+		    (header->upper[i/8] & (1 << (i%8))) != 0)
+			name->ndata[i] &= ~0x20; /* clear the lower case bit */
+		else if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a &&
+			 (header->upper[i/8] & (1 << (i%8))) == 0)
+			name->ndata[i] |= 0x20; /* set the lower case bit */
+	}
+#else
+	if (ISC_LIKELY(CASEFULLYLOWER(header))) {
+		unsigned char *bp, *be;
+		bp = name->ndata;
+		be = bp + name->length;
+
+		while (bp <= be - 4) {
+			c = bp[0];
+			bp[0] = maptolower[c];
+			c = bp[1];
+			bp[1] = maptolower[c];
+			c = bp[2];
+			bp[2] = maptolower[c];
+			c = bp[3];
+			bp[3] = maptolower[c];
+			bp += 4;
+		}
+		while (bp < be) {
+			c = *bp;
+			*bp++ = maptolower[c];
+		}
+		return;
+	}
+
+	i = 0;
+	for (j = 0; j < (name->length >> 3); j++) {
+		unsigned int k;
+
+		bits = ~(header->upper[j]);
+
+		for (k = 0; k < 8; k++) {
+			c = name->ndata[i];
+			flip = (bits & 1) << 5;
+			flip ^= c;
+			flip &= charmask[c];
+			name->ndata[i] ^= flip;
+
+			i++;
+			bits >>= 1;
+		}
+	}
+
+	if (ISC_UNLIKELY(i == name->length))
+		return;
+
+	bits = ~(header->upper[j]);
+
+	for (; i < name->length; i++) {
+		c = name->ndata[i];
+		flip = (bits & 1) << 5;
+		flip ^= c;
+		flip &= charmask[c];
+		name->ndata[i] ^= flip;
+
+		bits >>= 1;
+	}
+#endif
+}
+
+/*%
+ * Routines for LRU-based cache management.
+ */
+
+/*%
+ * See if a given cache entry that is being reused needs to be updated
+ * in the LRU-list.  From the LRU management point of view, this function is
+ * expected to return true for almost all cases.  When used with threads,
+ * however, this may cause a non-negligible performance penalty because a
+ * writer lock will have to be acquired before updating the list.
+ * If DNS_RBTDB_LIMITLRUUPDATE is defined to be non 0 at compilation time, this
+ * function returns true if the entry has not been updated for some period of
+ * time.  We differentiate the NS or glue address case and the others since
+ * experiments have shown that the former tends to be accessed relatively
+ * infrequently and the cost of cache miss is higher (e.g., a missing NS records
+ * may cause external queries at a higher level zone, involving more
+ * transactions).
+ *
+ * Caller must hold the node (read or write) lock.
+ */
+static inline bool
+need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
+	if ((header->attributes &
+	     (RDATASET_ATTR_NONEXISTENT |
+	      RDATASET_ATTR_STALE |
+	      RDATASET_ATTR_ZEROTTL)) != 0)
+		return (false);
+
+#if DNS_RBTDB_LIMITLRUUPDATE
+	if (header->type == dns_rdatatype_ns ||
+	    (header->trust == dns_trust_glue &&
+	     (header->type == dns_rdatatype_a ||
+	      header->type == dns_rdatatype_aaaa))) {
+		/*
+		 * Glue records are updated if at least 60 seconds have passed
+		 * since the previous update time.
+		 */
+		return (header->last_used + 60 <= now);
+	}
+
+	/* Other records are updated if 5 minutes have passed. */
+	return (header->last_used + 300 <= now);
+#else
+	UNUSED(now);
+
+	return (true);
+#endif
+}
+
+/*%
+ * Update the timestamp of a given cache entry and move it to the head
+ * of the corresponding LRU list.
+ *
+ * Caller must hold the node (write) lock.
+ *
+ * Note that the we do NOT touch the heap here, as the TTL has not changed.
+ */
+static void
+update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+	      isc_stdtime_t now)
+{
+	INSIST(IS_CACHE(rbtdb));
+
+	/* To be checked: can we really assume this? XXXMLG */
+	INSIST(ISC_LINK_LINKED(header, link));
+
+	ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum], header, link);
+	header->last_used = now;
+	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+}
+
+/*%
+ * Purge some expired and/or stale (i.e. unused for some period) cache entries
+ * under an overmem condition.  To recover from this condition quickly, up to
+ * 2 entries will be purged.  This process is triggered while adding a new
+ * entry, and we specifically avoid purging entries in the same LRU bucket as
+ * the one to which the new entry will belong.  Otherwise, we might purge
+ * entries of the same name of different RR types while adding RRsets from a
+ * single response (consider the case where we're adding A and AAAA glue records
+ * of the same NS name).
+ */
+static void
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+	      isc_stdtime_t now, bool tree_locked)
+{
+	rdatasetheader_t *header, *header_prev;
+	unsigned int locknum;
+	int purgecount = 2;
+
+	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+	     locknum != locknum_start && purgecount > 0;
+	     locknum = (locknum + 1) % rbtdb->node_lock_count) {
+		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+			  isc_rwlocktype_write);
+
+		header = isc_heap_element(rbtdb->heaps[locknum], 1);
+		if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
+			expire_header(rbtdb, header, tree_locked,
+				      expire_ttl);
+			purgecount--;
+		}
+
+		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+		     header != NULL && purgecount > 0;
+		     header = header_prev) {
+			header_prev = ISC_LIST_PREV(header, link);
+			/*
+			 * Unlink the entry at this point to avoid checking it
+			 * again even if it's currently used someone else and
+			 * cannot be purged at this moment.  This entry won't be
+			 * referenced any more (so unlinking is safe) since the
+			 * TTL was reset to 0.
+			 */
+			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+					link);
+			expire_header(rbtdb, header, tree_locked,
+				      expire_lru);
+			purgecount--;
+		}
+
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+				    isc_rwlocktype_write);
+	}
+}
+
+static void
+expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+	      bool tree_locked, expire_t reason)
+{
+	set_ttl(rbtdb, header, 0);
+	mark_stale_header(rbtdb, header);
+
+	/*
+	 * Caller must hold the node (write) lock.
+	 */
+
+	if (dns_rbtnode_refcurrent(header->node) == 0) {
+		/*
+		 * If no one else is using the node, we can clean it up now.
+		 * We first need to gain a new reference to the node to meet a
+		 * requirement of decrement_reference().
+		 */
+		new_reference(rbtdb, header->node);
+		decrement_reference(rbtdb, header->node, 0,
+				    isc_rwlocktype_write,
+				    tree_locked ? isc_rwlocktype_write :
+				    isc_rwlocktype_none, false);
+
+		if (rbtdb->cachestats == NULL)
+			return;
+
+		switch (reason) {
+		case expire_ttl:
+			isc_stats_increment(rbtdb->cachestats,
+					    dns_cachestatscounter_deletettl);
+			break;
+		case expire_lru:
+			isc_stats_increment(rbtdb->cachestats,
+					    dns_cachestatscounter_deletelru);
+			break;
+		default:
+			break;
+		}
+
+	}
+}
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
new file mode 100644
index 0000000..a7cb42b
--- /dev/null
+++ b/lib/dns/rbtdb.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RBTDB_H
+#define DNS_RBTDB_H 1
+
+#include <isc/lang.h>
+#include <dns/types.h>
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * DNS Red-Black Tree DB Implementation
+ */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+		 dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		 void *driverarg, dns_db_t **dbp);
+
+/*%<
+ * Create a new database of type "rbt" (or "rbt64").  Called via
+ * dns_db_create(); see documentation for that function for more details.
+ *
+ * If argv[0] is set, it points to a valid memory context to be used for
+ * allocation of heap memory.  Generally this is used for cache databases
+ * only.
+ *
+ * Requires:
+ *
+ * \li argc == 0 or argv[0] is a valid memory context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB_H */
diff --git a/lib/dns/rbtdb64.c b/lib/dns/rbtdb64.c
new file mode 100644
index 0000000..6f4a659
--- /dev/null
+++ b/lib/dns/rbtdb64.c
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: rbtdb64.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file */
+
+#define DNS_RBTDB_VERSION64 1
+#include "rbtdb.c"
diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
new file mode 100644
index 0000000..faf85e5
--- /dev/null
+++ b/lib/dns/rbtdb64.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: rbtdb64.h,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
+
+#ifndef DNS_RBTDB64_H
+#define DNS_RBTDB64_H 1
+
+#include <isc/lang.h>
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * DNS Red-Black Tree DB Implementation with 64-bit version numbers
+ */
+
+#include <dns/db.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+		   dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+		   void *driverarg, dns_db_t **dbp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB64_H */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
new file mode 100644
index 0000000..6a5948e
--- /dev/null
+++ b/lib/dns/rcode.c
@@ -0,0 +1,593 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/cert.h>
+#include <dns/ds.h>
+#include <dns/dsdigest.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+
+#define RETERR(x) \
+	do { \
+		isc_result_t _r = (x); \
+		if (_r != ISC_R_SUCCESS) \
+			return (_r); \
+	} while (0)
+
+#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
+
+#define TOTEXTONLY 0x01
+
+#define RCODENAMES \
+	/* standard rcodes */ \
+	{ dns_rcode_noerror, "NOERROR", 0}, \
+	{ dns_rcode_formerr, "FORMERR", 0}, \
+	{ dns_rcode_servfail, "SERVFAIL", 0}, \
+	{ dns_rcode_nxdomain, "NXDOMAIN", 0}, \
+	{ dns_rcode_notimp, "NOTIMP", 0}, \
+	{ dns_rcode_refused, "REFUSED", 0}, \
+	{ dns_rcode_yxdomain, "YXDOMAIN", 0}, \
+	{ dns_rcode_yxrrset, "YXRRSET", 0}, \
+	{ dns_rcode_nxrrset, "NXRRSET", 0}, \
+	{ dns_rcode_notauth, "NOTAUTH", 0}, \
+	{ dns_rcode_notzone, "NOTZONE", 0}, \
+	{ 11, "RESERVED11", TOTEXTONLY}, \
+	{ 12, "RESERVED12", TOTEXTONLY}, \
+	{ 13, "RESERVED13", TOTEXTONLY}, \
+	{ 14, "RESERVED14", TOTEXTONLY}, \
+	{ 15, "RESERVED15", TOTEXTONLY},
+
+#define ERCODENAMES \
+	/* extended rcodes */ \
+	{ dns_rcode_badvers, "BADVERS", 0}, \
+	{ dns_rcode_badcookie, "BADCOOKIE", 0}, \
+	{ 0, NULL, 0 }
+
+#define TSIGRCODENAMES \
+	/* extended rcodes */ \
+	{ dns_tsigerror_badsig, "BADSIG", 0}, \
+	{ dns_tsigerror_badkey, "BADKEY", 0}, \
+	{ dns_tsigerror_badtime, "BADTIME", 0}, \
+	{ dns_tsigerror_badmode, "BADMODE", 0}, \
+	{ dns_tsigerror_badname, "BADNAME", 0}, \
+	{ dns_tsigerror_badalg, "BADALG", 0}, \
+	{ dns_tsigerror_badtrunc, "BADTRUNC", 0}, \
+	{ 0, NULL, 0 }
+
+/* RFC4398 section 2.1 */
+
+#define CERTNAMES \
+	{ 1, "PKIX", 0}, \
+	{ 2, "SPKI", 0}, \
+	{ 3, "PGP", 0}, \
+	{ 4, "IPKIX", 0}, \
+	{ 5, "ISPKI", 0}, \
+	{ 6, "IPGP", 0}, \
+	{ 7, "ACPKIX", 0}, \
+	{ 8, "IACPKIX", 0}, \
+	{ 253, "URI", 0}, \
+	{ 254, "OID", 0}, \
+	{ 0, NULL, 0}
+
+/* RFC2535 section 7, RFC3110 */
+
+#ifndef PK11_MD5_DISABLE
+#define MD5_SECALGNAMES \
+	{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+	{ DNS_KEYALG_RSAMD5, "RSA", 0 },
+#else
+#define MD5_SECALGNAMES
+#endif
+#ifndef PK11_DH_DISABLE
+#define DH_SECALGNAMES \
+	{ DNS_KEYALG_DH, "DH", 0 },
+#else
+#define DH_SECALGNAMES
+#endif
+#ifndef PK11_DSA_DISABLE
+#define DSA_SECALGNAMES \
+	{ DNS_KEYALG_DSA, "DSA", 0 }, \
+	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 },
+#else
+#define DSA_SECALGNAMES
+#endif
+
+#define SECALGNAMES \
+	MD5_SECALGNAMES \
+	DH_SECALGNAMES \
+	DSA_SECALGNAMES \
+	{ DNS_KEYALG_ECC, "ECC", 0 }, \
+	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
+	{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
+	{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
+	{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
+	{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
+	{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+	{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
+	{ DNS_KEYALG_ED448, "ED448", 0 }, \
+	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
+	{ 0, NULL, 0}
+
+/* RFC2535 section 7.1 */
+
+#define SECPROTONAMES \
+	{   0,    "NONE", 0 }, \
+	{   1,    "TLS", 0 }, \
+	{   2,    "EMAIL", 0 }, \
+	{   3,    "DNSSEC", 0 }, \
+	{   4,    "IPSEC", 0 }, \
+	{ 255,    "ALL", 0 }, \
+	{ 0, NULL, 0}
+
+#define HASHALGNAMES \
+	{ 1, "SHA-1", 0 }, \
+	{ 0, NULL, 0 }
+
+/* RFC3658, RFC4509, RFC5933, RFC6605 */
+
+#define DSDIGESTNAMES \
+	{ DNS_DSDIGEST_SHA1, "SHA-1", 0 }, \
+	{ DNS_DSDIGEST_SHA256, "SHA-256", 0 }, \
+	{ DNS_DSDIGEST_GOST, "GOST", 0 }, \
+	{ DNS_DSDIGEST_SHA384, "SHA-384", 0 }, \
+	{ 0, NULL, 0}
+
+struct tbl {
+	unsigned int    value;
+	const char      *name;
+	int             flags;
+};
+
+static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+static struct tbl certs[] = { CERTNAMES };
+static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl secprotos[] = { SECPROTONAMES };
+static struct tbl hashalgs[] = { HASHALGNAMES };
+static struct tbl dsdigests[] = { DSDIGESTNAMES };
+
+static struct keyflag {
+	const char *name;
+	unsigned int value;
+	unsigned int mask;
+} keyflags[] = {
+	{ "NOCONF", 0x4000, 0xC000 },
+	{ "NOAUTH", 0x8000, 0xC000 },
+	{ "NOKEY",  0xC000, 0xC000 },
+	{ "FLAG2",  0x2000, 0x2000 },
+	{ "EXTEND", 0x1000, 0x1000 },
+	{ "FLAG4",  0x0800, 0x0800 },
+	{ "FLAG5",  0x0400, 0x0400 },
+	{ "USER",   0x0000, 0x0300 },
+	{ "ZONE",   0x0100, 0x0300 },
+	{ "HOST",   0x0200, 0x0300 },
+	{ "NTYP3",  0x0300, 0x0300 },
+	{ "FLAG8",  0x0080, 0x0080 },
+	{ "FLAG9",  0x0040, 0x0040 },
+	{ "FLAG10", 0x0020, 0x0020 },
+	{ "FLAG11", 0x0010, 0x0010 },
+	{ "SIG0",   0x0000, 0x000F },
+	{ "SIG1",   0x0001, 0x000F },
+	{ "SIG2",   0x0002, 0x000F },
+	{ "SIG3",   0x0003, 0x000F },
+	{ "SIG4",   0x0004, 0x000F },
+	{ "SIG5",   0x0005, 0x000F },
+	{ "SIG6",   0x0006, 0x000F },
+	{ "SIG7",   0x0007, 0x000F },
+	{ "SIG8",   0x0008, 0x000F },
+	{ "SIG9",   0x0009, 0x000F },
+	{ "SIG10",  0x000A, 0x000F },
+	{ "SIG11",  0x000B, 0x000F },
+	{ "SIG12",  0x000C, 0x000F },
+	{ "SIG13",  0x000D, 0x000F },
+	{ "SIG14",  0x000E, 0x000F },
+	{ "SIG15",  0x000F, 0x000F },
+	{ "KSK",  DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
+	{ NULL,     0, 0 }
+};
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
+	      unsigned int max, bool hex_allowed)
+{
+	isc_result_t result;
+	uint32_t n;
+	char buffer[NUMBERSIZE];
+
+	if (! isdigit(source->base[0] & 0xff) ||
+	    source->length > NUMBERSIZE - 1)
+		return (ISC_R_BADNUMBER);
+
+	/*
+	 * We have a potential number.	Try to parse it with
+	 * isc_parse_uint32().	isc_parse_uint32() requires
+	 * null termination, so we must make a copy.
+	 */
+	snprintf(buffer, sizeof(buffer), "%.*s",
+		 (int)source->length, source->base);
+
+	INSIST(buffer[source->length] == '\0');
+
+	result = isc_parse_uint32(&n, buffer, 10);
+	if (result == ISC_R_BADNUMBER && hex_allowed)
+		result = isc_parse_uint32(&n, buffer, 16);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (n > max)
+		return (ISC_R_RANGE);
+	*valuep = n;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
+		      struct tbl *table, unsigned int max)
+{
+	isc_result_t result;
+	int i;
+
+	result = maybe_numeric(valuep, source, max, false);
+	if (result != ISC_R_BADNUMBER)
+		return (result);
+
+	for (i = 0; table[i].name != NULL; i++) {
+		unsigned int n;
+		n = strlen(table[i].name);
+		if (n == source->length &&
+		    (table[i].flags & TOTEXTONLY) == 0 &&
+		    strncasecmp(source->base, table[i].name, n) == 0) {
+			*valuep = table[i].value;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (DNS_R_UNKNOWN);
+}
+
+static isc_result_t
+dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
+		    struct tbl *table)
+{
+	int i = 0;
+	char buf[sizeof("4294967296")];
+	while (table[i].name != NULL) {
+		if (table[i].value == value) {
+			return (str_totext(table[i].name, target));
+		}
+		i++;
+	}
+	snprintf(buf, sizeof(buf), "%u", value);
+	return (str_totext(buf, target));
+}
+
+isc_result_t
+dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, rcodes));
+}
+
+isc_result_t
+dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
+	*rcodep = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(rcode, target, tsigrcodes));
+}
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
+	*certp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(cert, target, certs));
+}
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
+	*secalgp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secalg, target, secalgs));
+}
+
+void
+dns_secalg_format(dns_secalg_t alg, char *cp, unsigned int size) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(cp != NULL && size > 0);
+	isc_buffer_init(&b, cp, size - 1);
+	result = dns_secalg_totext(alg, &b);
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	if (result != ISC_R_SUCCESS)
+		r.base[0] = 0;
+}
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
+	*secprotop = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(secproto, target, secprotos));
+}
+
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
+	*hashalg = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
+{
+	isc_result_t result;
+	char *text, *end;
+	unsigned int value, mask;
+
+	result = maybe_numeric(&value, source, 0xffff, true);
+	if (result == ISC_R_SUCCESS) {
+		*flagsp = value;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_BADNUMBER)
+		return (result);
+
+	text = source->base;
+	end = source->base + source->length;
+	value = mask = 0;
+
+	while (text < end) {
+		struct keyflag *p;
+		unsigned int len;
+		char *delim = memchr(text, '|', end - text);
+		if (delim != NULL)
+			len = (unsigned int)(delim - text);
+		else
+			len = (unsigned int)(end - text);
+		for (p = keyflags; p->name != NULL; p++) {
+			if (strncasecmp(p->name, text, len) == 0)
+				break;
+		}
+		if (p->name == NULL)
+			return (DNS_R_UNKNOWNFLAG);
+		value |= p->value;
+#ifdef notyet
+		if ((mask & p->mask) != 0)
+			warn("overlapping key flags");
+#endif
+		mask |= p->mask;
+		text += len;
+		if (delim != NULL)
+			text++; /* Skip "|" */
+	}
+	*flagsp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dsdigest_fromtext(dns_dsdigest_t *dsdigestp, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, dsdigests, 0xff));
+	*dsdigestp = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dsdigest_totext(dns_dsdigest_t dsdigest, isc_buffer_t *target) {
+	return (dns_mnemonic_totext(dsdigest, target, dsdigests));
+}
+
+void
+dns_dsdigest_format(dns_dsdigest_t typ, char *cp, unsigned int size) {
+	isc_buffer_t b;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(cp != NULL && size > 0);
+	isc_buffer_init(&b, cp, size - 1);
+	result = dns_dsdigest_totext(typ, &b);
+	isc_buffer_usedregion(&b, &r);
+	r.base[r.length] = 0;
+	if (result != ISC_R_SUCCESS)
+		r.base[0] = 0;
+}
+
+/*
+ * This uses lots of hard coded values, but how often do we actually
+ * add classes?
+ */
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
+#define COMPARE(string, rdclass) \
+	if (((sizeof(string) - 1) == source->length) \
+	    && (strncasecmp(source->base, string, source->length) == 0)) { \
+		*classp = rdclass; \
+		return (ISC_R_SUCCESS); \
+	}
+
+	switch (tolower((unsigned char)source->base[0])) {
+	case 'a':
+		COMPARE("any", dns_rdataclass_any);
+		break;
+	case 'c':
+		/*
+		 * RFC1035 says the mnemonic for the CHAOS class is CH,
+		 * but historical BIND practice is to call it CHAOS.
+		 * We will accept both forms, but only generate CH.
+		 */
+		COMPARE("ch", dns_rdataclass_chaos);
+		COMPARE("chaos", dns_rdataclass_chaos);
+
+		if (source->length > 5 &&
+		    source->length < (5 + sizeof("65000")) &&
+		    strncasecmp("class", source->base, 5) == 0) {
+			char buf[sizeof("65000")];
+			char *endp;
+			unsigned int val;
+
+			/*
+			 * source->base is not required to be NUL terminated.
+			 * Copy up to remaining bytes and NUL terminate.
+			 */
+			snprintf(buf, sizeof(buf), "%.*s",
+				 (int)(source->length - 5), source->base + 5);
+			val = strtoul(buf, &endp, 10);
+			if (*endp == '\0' && val <= 0xffff) {
+				*classp = (dns_rdataclass_t)val;
+				return (ISC_R_SUCCESS);
+			}
+		}
+		break;
+	case 'h':
+		COMPARE("hs", dns_rdataclass_hs);
+		COMPARE("hesiod", dns_rdataclass_hs);
+		break;
+	case 'i':
+		COMPARE("in", dns_rdataclass_in);
+		break;
+	case 'n':
+		COMPARE("none", dns_rdataclass_none);
+		break;
+	case 'r':
+		COMPARE("reserved0", dns_rdataclass_reserved0);
+		break;
+	}
+
+#undef COMPARE
+
+	return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+	switch (rdclass) {
+	case dns_rdataclass_any:
+		return (str_totext("ANY", target));
+	case dns_rdataclass_chaos:
+		return (str_totext("CH", target));
+	case dns_rdataclass_hs:
+		return (str_totext("HS", target));
+	case dns_rdataclass_in:
+		return (str_totext("IN", target));
+	case dns_rdataclass_none:
+		return (str_totext("NONE", target));
+	case dns_rdataclass_reserved0:
+		return (str_totext("RESERVED0", target));
+	default:
+		return (dns_rdataclass_tounknowntext(rdclass, target));
+	}
+}
+
+isc_result_t
+dns_rdataclass_tounknowntext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+	char buf[sizeof("CLASS65535")];
+
+	snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
+	return (str_totext(buf, target));
+}
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass,
+		      char *array, unsigned int size)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U)
+		return;
+
+	isc_buffer_init(&buf, array, size);
+	result = dns_rdataclass_totext(rdclass, &buf);
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1)
+			isc_buffer_putuint8(&buf, 0);
+		else
+			result = ISC_R_NOSPACE;
+	}
+	if (result != ISC_R_SUCCESS)
+		strlcpy(array, "<unknown>", size);
+}
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
new file mode 100644
index 0000000..93f5559
--- /dev/null
+++ b/lib/dns/rdata.c
@@ -0,0 +1,2432 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+
+#include <isc/base64.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/cert.h>
+#include <dns/compress.h>
+#include <dns/dsdigest.h>
+#include <dns/enumtype.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define RETERR(x) \
+	do { \
+		isc_result_t _r = (x); \
+		if (_r != ISC_R_SUCCESS) \
+			return (_r); \
+	} while (0)
+
+#define RETTOK(x) \
+	do { \
+		isc_result_t _r = (x); \
+		if (_r != ISC_R_SUCCESS) { \
+			isc_lex_ungettoken(lexer, &token); \
+			return (_r); \
+		} \
+	} while (0)
+
+#define CHECK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto cleanup;	\
+	} while (0)
+
+#define CHECKTOK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) {			\
+			isc_lex_ungettoken(lexer, &token);	\
+			goto cleanup;				\
+		}						\
+	} while (0)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+#define ARGS_FROMTEXT	int rdclass, dns_rdatatype_t type, \
+			isc_lex_t *lexer, dns_name_t *origin, \
+			unsigned int options, isc_buffer_t *target, \
+			dns_rdatacallbacks_t *callbacks
+
+#define ARGS_TOTEXT	dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
+			isc_buffer_t *target
+
+#define ARGS_FROMWIRE	int rdclass, dns_rdatatype_t type, \
+			isc_buffer_t *source, dns_decompress_t *dctx, \
+			unsigned int options, isc_buffer_t *target
+
+#define ARGS_TOWIRE	dns_rdata_t *rdata, dns_compress_t *cctx, \
+			isc_buffer_t *target
+
+#define ARGS_COMPARE	const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
+
+#define ARGS_FROMSTRUCT	int rdclass, dns_rdatatype_t type, \
+			void *source, isc_buffer_t *target
+
+#define ARGS_TOSTRUCT	const dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+
+#define ARGS_FREESTRUCT void *source
+
+#define ARGS_ADDLDATA	dns_rdata_t *rdata, dns_additionaldatafunc_t add, \
+			void *arg
+
+#define ARGS_DIGEST	dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
+
+#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
+			dns_rdatatype_t type, bool wildcard
+
+#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
+
+
+/*%
+ * Context structure for the totext_ functions.
+ * Contains formatting options for rdata-to-text
+ * conversion.
+ */
+typedef struct dns_rdata_textctx {
+	dns_name_t *origin;	/*%< Current origin, or NULL. */
+	unsigned int flags;	/*%< DNS_STYLEFLAG_*  */
+	unsigned int width;	/*%< Width of rdata column. */
+	const char *linebreak;	/*%< Line break string. */
+} dns_rdata_textctx_t;
+
+static isc_result_t
+txt_totext(isc_region_t *source, bool quote, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
+
+static isc_result_t
+multitxt_totext(isc_region_t *source, isc_buffer_t *target);
+
+static isc_result_t
+multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static bool
+name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
+
+static unsigned int
+name_length(dns_name_t *name);
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+inet_totext(int af, isc_region_t *src, isc_buffer_t *target);
+
+static bool
+buffer_empty(isc_buffer_t *source);
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
+
+static isc_result_t
+uint32_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint16_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint8_tobuffer(uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target);
+
+static uint32_t
+uint32_fromregion(isc_region_t *region);
+
+static uint16_t
+uint16_fromregion(isc_region_t *region);
+
+static uint8_t
+uint8_fromregion(isc_region_t *region);
+
+static uint8_t
+uint8_consume_fromregion(isc_region_t *region);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static int
+hexvalue(char value);
+
+static int
+decvalue(char value);
+
+static isc_result_t
+btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target);
+
+static isc_result_t
+atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *, ...)
+     ISC_FORMAT_PRINTF(2, 3);
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+	       dns_rdatacallbacks_t *callbacks, const char *name,
+	       unsigned long line, isc_token_t *token, isc_result_t result);
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks);
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	     isc_buffer_t *target);
+
+static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks);
+
+static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks);
+
+static uint16_t
+uint16_consume_fromregion(isc_region_t *region);
+
+static isc_result_t
+unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target);
+
+static inline isc_result_t
+generic_fromtext_key(ARGS_FROMTEXT);
+
+static inline isc_result_t
+generic_totext_key(ARGS_TOTEXT);
+
+static inline isc_result_t
+generic_fromwire_key(ARGS_FROMWIRE);
+
+static inline isc_result_t
+generic_fromstruct_key(ARGS_FROMSTRUCT);
+
+static inline isc_result_t
+generic_tostruct_key(ARGS_TOSTRUCT);
+
+static inline void
+generic_freestruct_key(ARGS_FREESTRUCT);
+
+static isc_result_t
+generic_fromtext_txt(ARGS_FROMTEXT);
+
+static isc_result_t
+generic_totext_txt(ARGS_TOTEXT);
+
+static isc_result_t
+generic_fromwire_txt(ARGS_FROMWIRE);
+
+static isc_result_t
+generic_fromstruct_txt(ARGS_FROMSTRUCT);
+
+static isc_result_t
+generic_tostruct_txt(ARGS_TOSTRUCT);
+
+static void
+generic_freestruct_txt(ARGS_FREESTRUCT);
+
+static isc_result_t
+generic_txt_first(dns_rdata_txt_t *txt);
+
+static isc_result_t
+generic_txt_next(dns_rdata_txt_t *txt);
+
+static isc_result_t
+generic_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string);
+
+static isc_result_t
+generic_totext_ds(ARGS_TOTEXT);
+
+static isc_result_t
+generic_tostruct_ds(ARGS_TOSTRUCT);
+
+static isc_result_t
+generic_fromtext_ds(ARGS_FROMTEXT);
+
+static isc_result_t
+generic_fromwire_ds(ARGS_FROMWIRE);
+
+static isc_result_t
+generic_fromstruct_ds(ARGS_FROMSTRUCT);
+
+static isc_result_t
+generic_fromtext_tlsa(ARGS_FROMTEXT);
+
+static isc_result_t
+generic_totext_tlsa(ARGS_TOTEXT);
+
+static isc_result_t
+generic_fromwire_tlsa(ARGS_FROMWIRE);
+
+static isc_result_t
+generic_fromstruct_tlsa(ARGS_FROMSTRUCT);
+
+static isc_result_t
+generic_tostruct_tlsa(ARGS_TOSTRUCT);
+
+static void
+generic_freestruct_tlsa(ARGS_FREESTRUCT);
+
+/*% INT16 Size */
+#define NS_INT16SZ	2
+/*% IPv6 Address Size */
+#define NS_LOCATORSZ	8
+
+/*
+ * Active Diretory gc._msdcs.<forest> prefix.
+ */
+static unsigned char gc_msdcs_data[]  = "\002gc\006_msdcs";
+static unsigned char gc_msdcs_offset [] = { 0, 3 };
+
+static dns_name_t const gc_msdcs =
+	DNS_NAME_INITNONABSOLUTE(gc_msdcs_data, gc_msdcs_offset);
+
+/*%
+ *	convert presentation level address to network order binary form.
+ * \return
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * \note
+ *	(1) does not touch `dst' unless it's returning 1.
+ */
+static inline int
+locator_pton(const char *src, unsigned char *dst) {
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	unsigned char tmp[NS_LOCATORSZ];
+	unsigned char *tp = tmp, *endp;
+	const char *xdigits;
+	int ch, seen_xdigits;
+	unsigned int val;
+
+	memset(tp, '\0', NS_LOCATORSZ);
+	endp = tp + NS_LOCATORSZ;
+	seen_xdigits = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		pch = strchr((xdigits = xdigits_l), ch);
+		if (pch == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (++seen_xdigits > 4)
+				return (0);
+			continue;
+		}
+		if (ch == ':') {
+			if (!seen_xdigits)
+				return (0);
+			if (tp + NS_INT16SZ > endp)
+				return (0);
+			*tp++ = (unsigned char) (val >> 8) & 0xff;
+			*tp++ = (unsigned char) val & 0xff;
+			seen_xdigits = 0;
+			val = 0;
+			continue;
+		}
+		return (0);
+	}
+	if (seen_xdigits) {
+		if (tp + NS_INT16SZ > endp)
+			return (0);
+		*tp++ = (unsigned char) (val >> 8) & 0xff;
+		*tp++ = (unsigned char) val & 0xff;
+	}
+	if (tp != endp)
+		return (0);
+	memmove(dst, tmp, NS_LOCATORSZ);
+	return (1);
+}
+
+static inline int
+getquad(const void *src, struct in_addr *dst,
+	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
+{
+	int result;
+	struct in_addr tmp;
+
+	result = inet_aton(src, dst);
+	if (result == 1 && callbacks != NULL &&
+	    inet_pton(AF_INET, src, &tmp) != 1) {
+		const char *name = isc_lex_getsourcename(lexer);
+		if (name == NULL)
+			name = "UNKNOWN";
+		(*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
+				   "is not a decimal dotted quad", name,
+				   isc_lex_getsourceline(lexer), src);
+	}
+	return (result);
+}
+
+static inline isc_result_t
+name_duporclone(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+
+	if (mctx != NULL)
+		return (dns_name_dup(source, mctx, target));
+	dns_name_clone(source, target);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void *
+mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
+	void *copy;
+
+	if (mctx == NULL)
+		return (source);
+	copy = isc_mem_allocate(mctx, length);
+	if (copy != NULL)
+		memmove(copy, source, length);
+
+	return (copy);
+}
+
+static inline isc_result_t
+typemap_fromtext(isc_lex_t *lexer, isc_buffer_t *target,
+		 bool allow_empty)
+{
+	isc_token_t token;
+	unsigned char bm[8*1024]; /* 64k bits */
+	dns_rdatatype_t covered, max_used;
+	int octet;
+	unsigned int max_octet, newend, end;
+	int window;
+	bool first = true;
+
+	max_used = 0;
+	bm[0] = 0;
+	end = 0;
+
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string)
+			break;
+		RETTOK(dns_rdatatype_fromtext(&covered,
+					      &token.value.as_textregion));
+		if (covered > max_used) {
+			newend = covered / 8;
+			if (newend > end) {
+				memset(&bm[end + 1], 0, newend - end);
+				end = newend;
+			}
+			max_used = covered;
+		}
+		bm[covered/8] |= (0x80>>(covered%8));
+		first = false;
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	if (!allow_empty && first)
+		return (DNS_R_FORMERR);
+
+	for (window = 0; window < 256 ; window++) {
+		if (max_used < window * 256)
+			break;
+
+		max_octet = max_used - (window * 256);
+		if (max_octet >= 256)
+			max_octet = 31;
+		else
+			max_octet /= 8;
+
+		/*
+		 * Find if we have a type in this window.
+		 */
+		for (octet = max_octet; octet >= 0; octet--) {
+			if (bm[window * 32 + octet] != 0)
+				break;
+		}
+		if (octet < 0)
+			continue;
+		RETERR(uint8_tobuffer(window, target));
+		RETERR(uint8_tobuffer(octet + 1, target));
+		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target)
+{
+	unsigned int i, j, k;
+	unsigned int window, len;
+	bool first = true;
+
+	for (i = 0; i < sr->length; i += len) {
+		if (tctx != NULL &&
+		    (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			RETERR(str_totext(tctx->linebreak, target));
+			first = true;
+		}
+		INSIST(i + 2 <= sr->length);
+		window = sr->base[i];
+		len = sr->base[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= sr->length);
+		for (j = 0; j < len; j++) {
+			dns_rdatatype_t t;
+			if (sr->base[i + j] == 0)
+				continue;
+			for (k = 0; k < 8; k++) {
+				if ((sr->base[i + j] & (0x80 >> k)) == 0)
+					continue;
+				t = window * 256 + j * 8 + k;
+				if (!first)
+					RETERR(str_totext(" ", target));
+				first = false;
+				if (dns_rdatatype_isknown(t)) {
+					RETERR(dns_rdatatype_totext(t, target));
+				} else {
+					char buf[sizeof("TYPE65535")];
+					snprintf(buf, sizeof(buf), "TYPE%u", t);
+					RETERR(str_totext(buf, target));
+				}
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+typemap_test(isc_region_t *sr, bool allow_empty) {
+	unsigned int window, lastwindow = 0;
+	unsigned int len;
+	bool first = true;
+	unsigned int i;
+
+	for (i = 0; i < sr->length; i += len) {
+		/*
+		 * Check for overflow.
+		 */
+		if (i + 2 > sr->length)
+			RETERR(DNS_R_FORMERR);
+		window = sr->base[i];
+		len = sr->base[i + 1];
+		i += 2;
+		/*
+		 * Check that bitmap windows are in the correct order.
+		 */
+		if (!first && window <= lastwindow)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for legal lengths.
+		 */
+		if (len < 1 || len > 32)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for overflow.
+		 */
+		if (i + len > sr->length)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * The last octet of the bitmap must be non zero.
+		 */
+		if (sr->base[i + len - 1] == 0)
+			RETERR(DNS_R_FORMERR);
+		lastwindow = window;
+		first = false;
+	}
+	if (i != sr->length)
+		return (DNS_R_EXTRADATA);
+	if (!allow_empty && first)
+		RETERR(DNS_R_FORMERR);
+	return (ISC_R_SUCCESS);
+}
+
+static const char hexdigits[] = "0123456789abcdef";
+static const char decdigits[] = "0123456789";
+
+#include "code.h"
+
+#define META 0x0001
+#define RESERVED 0x0002
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata) {
+
+	REQUIRE(rdata != NULL);
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->rdclass = 0;
+	rdata->type = 0;
+	rdata->flags = 0;
+	ISC_LINK_INIT(rdata, link);
+	/* ISC_LIST_INIT(rdata->list); */
+}
+
+void
+dns_rdata_reset(dns_rdata_t *rdata) {
+
+	REQUIRE(rdata != NULL);
+
+	REQUIRE(!ISC_LINK_LINKED(rdata, link));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->rdclass = 0;
+	rdata->type = 0;
+	rdata->flags = 0;
+}
+
+/***
+ ***
+ ***/
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target) {
+
+	REQUIRE(src != NULL);
+	REQUIRE(target != NULL);
+
+	REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(src));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(target));
+
+	target->data = src->data;
+	target->length = src->length;
+	target->rdclass = src->rdclass;
+	target->type = src->type;
+	target->flags = src->flags;
+}
+
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+	int result = 0;
+	bool use_default = false;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+	if (rdata1->rdclass != rdata2->rdclass)
+		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+
+	if (rdata1->type != rdata2->type)
+		return (rdata1->type < rdata2->type ? -1 : 1);
+
+	COMPARESWITCH
+
+	if (use_default) {
+		isc_region_t r1;
+		isc_region_t r2;
+
+		dns_rdata_toregion(rdata1, &r1);
+		dns_rdata_toregion(rdata2, &r2);
+		result = isc_region_compare(&r1, &r2);
+	}
+	return (result);
+}
+
+int
+dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+	int result = 0;
+	bool use_default = false;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+	if (rdata1->rdclass != rdata2->rdclass)
+		return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+
+	if (rdata1->type != rdata2->type)
+		return (rdata1->type < rdata2->type ? -1 : 1);
+
+	CASECOMPARESWITCH
+
+	if (use_default) {
+		isc_region_t r1;
+		isc_region_t r2;
+
+		dns_rdata_toregion(rdata1, &r1);
+		dns_rdata_toregion(rdata2, &r2);
+		result = isc_region_compare(&r1, &r2);
+	}
+	return (result);
+}
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, isc_region_t *r)
+{
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+	REQUIRE(r != NULL);
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	rdata->data = r->base;
+	rdata->length = r->length;
+	rdata->rdclass = rdclass;
+	rdata->type = type;
+	rdata->flags = 0;
+}
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(r != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	r->base = rdata->data;
+	r->length = rdata->length;
+}
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_buffer_t *source,
+		   dns_decompress_t *dctx, unsigned int options,
+		   isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_region_t region;
+	isc_buffer_t ss;
+	isc_buffer_t st;
+	bool use_default = false;
+	uint32_t activelength;
+	unsigned int length;
+
+	REQUIRE(dctx != NULL);
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL);
+
+	if (type == 0)
+		return (DNS_R_FORMERR);
+
+	ss = *source;
+	st = *target;
+
+	activelength = isc_buffer_activelength(source);
+	INSIST(activelength < 65536);
+
+	FROMWIRESWITCH
+
+	if (use_default) {
+		if (activelength > isc_buffer_availablelength(target))
+			result = ISC_R_NOSPACE;
+		else {
+			isc_buffer_putmem(target, isc_buffer_current(source),
+					  activelength);
+			isc_buffer_forward(source, activelength);
+			result = ISC_R_SUCCESS;
+		}
+	}
+
+	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
+	 * We should have consumed all of our buffer.
+	 */
+	if (result == ISC_R_SUCCESS && !buffer_empty(source))
+		result = DNS_R_EXTRADATA;
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		*source = ss;
+		*target = st;
+	}
+	return (result);
+}
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+		 isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	isc_region_t tr;
+	isc_buffer_t st;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Some DynDNS meta-RRs have empty rdata.
+	 */
+	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+		INSIST(rdata->length == 0);
+		return (ISC_R_SUCCESS);
+	}
+
+	st = *target;
+
+	TOWIRESWITCH
+
+	if (use_default) {
+		isc_buffer_availableregion(target, &tr);
+		if (tr.length < rdata->length)
+			return (ISC_R_NOSPACE);
+		memmove(tr.base, rdata->data, rdata->length);
+		isc_buffer_add(target, rdata->length);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*target = st;
+		INSIST(target->used < 65536);
+		dns_compress_rollback(cctx, (uint16_t)target->used);
+	}
+	return (result);
+}
+
+/*
+ * If the binary data in 'src' is valid uncompressed wire format
+ * rdata of class 'rdclass' and type 'type', return ISC_R_SUCCESS
+ * and copy the validated rdata to 'dest'.  Otherwise return an error.
+ */
+static isc_result_t
+rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
+	    dns_rdatatype_t type)
+{
+	dns_decompress_t dctx;
+	isc_result_t result;
+
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+	isc_buffer_setactive(src, isc_buffer_usedlength(src));
+	result = dns_rdata_fromwire(NULL, rdclass, type, src, &dctx, 0, dest);
+	dns_decompress_invalidate(&dctx);
+
+	return (result);
+}
+
+static isc_result_t
+unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		 isc_lex_t *lexer, isc_mem_t *mctx, isc_buffer_t *target)
+{
+	isc_result_t result;
+	isc_buffer_t *buf = NULL;
+	isc_token_t token;
+
+	if (type == 0 || dns_rdatatype_ismeta(type))
+		return (DNS_R_METATYPE);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+					false));
+	if (token.value.as_ulong > 65535U)
+		return (ISC_R_RANGE);
+	result = isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_hex_tobuffer(lexer, buf,
+				  (unsigned int)token.value.as_ulong);
+	if (result != ISC_R_SUCCESS)
+	       goto failure;
+	if (isc_buffer_usedlength(buf) != token.value.as_ulong) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto failure;
+	}
+
+	if (dns_rdatatype_isknown(type)) {
+		result = rdata_validate(buf, target, rdclass, type);
+	} else {
+		isc_region_t r;
+		isc_buffer_usedregion(buf, &r);
+		result = isc_buffer_copyregion(target, &r);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	isc_buffer_free(&buf);
+	return (ISC_R_SUCCESS);
+
+ failure:
+	isc_buffer_free(&buf);
+	return (result);
+}
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		   dns_rdatatype_t type, isc_lex_t *lexer,
+		   dns_name_t *origin, unsigned int options, isc_mem_t *mctx,
+		   isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_region_t region;
+	isc_buffer_t st;
+	isc_token_t token;
+	unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+				  ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+	char *name;
+	unsigned long line;
+	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+	isc_result_t tresult;
+	unsigned int length;
+	bool unknown;
+
+	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == true);
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+	if (callbacks != NULL) {
+		REQUIRE(callbacks->warn != NULL);
+		REQUIRE(callbacks->error != NULL);
+	}
+
+	st = *target;
+
+	if (callbacks != NULL)
+		callback = callbacks->error;
+	else
+		callback = default_fromtext_callback;
+
+	result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+					false);
+	if (result != ISC_R_SUCCESS) {
+		name = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		fromtext_error(callback, callbacks, name, line, NULL, result);
+		return (result);
+	}
+
+	unknown = false;
+	if (token.type == isc_tokentype_string &&
+	    strcmp(DNS_AS_STR(token), "\\#") == 0) {
+		/*
+		 * If this is a TXT record '\#' could be a escaped '#'.
+		 * Look to see if the next token is a number and if so
+		 * treat it as a unknown record format.
+		 */
+		if (type == dns_rdatatype_txt) {
+			result = isc_lex_getmastertoken(lexer, &token,
+							isc_tokentype_number,
+							false);
+			if (result == ISC_R_SUCCESS)
+				isc_lex_ungettoken(lexer, &token);
+		}
+
+		if (result == ISC_R_SUCCESS) {
+			unknown = true;
+			result = unknown_fromtext(rdclass, type, lexer,
+						  mctx, target);
+		} else
+			options |= DNS_RDATA_UNKNOWNESCAPE;
+	} else
+		isc_lex_ungettoken(lexer, &token);
+
+	if (!unknown)
+		FROMTEXTSWITCH
+
+	/*
+	 * Consume to end of line / file.
+	 * If not at end of line initially set error code.
+	 * Call callback via fromtext_error once if there was an error.
+	 */
+	do {
+		name = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		tresult = isc_lex_gettoken(lexer, lexoptions, &token);
+		if (tresult != ISC_R_SUCCESS) {
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
+			if (callback != NULL)
+				fromtext_error(callback, callbacks, name,
+					       line, NULL, result);
+			break;
+		} else if (token.type != isc_tokentype_eol &&
+			   token.type != isc_tokentype_eof) {
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_EXTRATOKEN;
+			if (callback != NULL) {
+				fromtext_error(callback, callbacks, name,
+					       line, &token, result);
+				callback = NULL;
+			}
+		} else if (result != ISC_R_SUCCESS && callback != NULL) {
+			fromtext_error(callback, callbacks, name, line,
+				       &token, result);
+			break;
+		} else {
+			if (token.type == isc_tokentype_eof)
+				fromtext_warneof(lexer, callbacks);
+			break;
+		}
+	} while (1);
+
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+	if (result != ISC_R_SUCCESS) {
+		*target = st;
+	}
+	return (result);
+}
+
+static isc_result_t
+unknown_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	       isc_buffer_t *target)
+{
+	isc_result_t result;
+	char buf[sizeof("65535")];
+	isc_region_t sr;
+
+	strlcpy(buf, "\\# ", sizeof(buf));
+	result = str_totext(buf, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdata_toregion(rdata, &sr);
+	INSIST(sr.length < 65536);
+	snprintf(buf, sizeof(buf), "%u", sr.length);
+	result = str_totext(buf, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (sr.length != 0U) {
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+			result = str_totext(" ( ", target);
+		else
+			result = str_totext(" ", target);
+
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		if (tctx->width == 0) /* No splitting */
+			result = isc_hex_totext(&sr, 0, "", target);
+		else
+			result = isc_hex_totext(&sr, tctx->width - 2,
+						tctx->linebreak,
+						target);
+		if (result == ISC_R_SUCCESS &&
+		    (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+			result = str_totext(" )", target);
+	}
+	return (result);
+}
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+	     isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	unsigned int cur;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(tctx->origin == NULL ||
+		dns_name_isabsolute(tctx->origin) == true);
+
+	/*
+	 * Some DynDNS meta-RRs have empty rdata.
+	 */
+	if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+		INSIST(rdata->length == 0);
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_UNKNOWNFORMAT) != 0)
+		return (unknown_totext(rdata, tctx, target));
+
+	cur = isc_buffer_usedlength(target);
+
+	TOTEXTSWITCH
+
+	if (use_default || (result == ISC_R_NOTIMPLEMENTED)) {
+		unsigned int u = isc_buffer_usedlength(target);
+
+		INSIST(u >= cur);
+		isc_buffer_subtract(target, u - cur);
+		result = unknown_totext(rdata, tctx, target);
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
+{
+	dns_rdata_textctx_t tctx;
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Set up formatting options for single-line output.
+	 */
+	tctx.origin = origin;
+	tctx.flags = 0;
+	tctx.width = 60;
+	tctx.linebreak = " ";
+	return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
+		    unsigned int flags, unsigned int width,
+		    unsigned int split_width, const char *linebreak,
+		    isc_buffer_t *target)
+{
+	dns_rdata_textctx_t tctx;
+
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	/*
+	 * Set up formatting options for formatted output.
+	 */
+	tctx.origin = origin;
+	tctx.flags = flags;
+	if (split_width == 0xffffffff)
+		tctx.width = width;
+	else
+		tctx.width = split_width;
+
+	if ((flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		tctx.linebreak = linebreak;
+	else {
+		if (split_width == 0xffffffff)
+			tctx.width = 60; /* Used for hex word length only. */
+		tctx.linebreak = " ";
+	}
+	return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, void *source,
+		     isc_buffer_t *target)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	isc_buffer_t st;
+	isc_region_t region;
+	bool use_default = false;
+	unsigned int length;
+
+	REQUIRE(source != NULL);
+	if (rdata != NULL) {
+		REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+		REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+	}
+
+	st = *target;
+
+	FROMSTRUCTSWITCH
+
+	if (use_default)
+		(void)NULL;
+
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
+	if (rdata != NULL && result == ISC_R_SUCCESS) {
+		region.base = isc_buffer_used(&st);
+		region.length = length;
+		dns_rdata_fromregion(rdata, rdclass, type, &region);
+	}
+	if (result != ISC_R_SUCCESS)
+		*target = st;
+	return (result);
+}
+
+isc_result_t
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	TOSTRUCTSWITCH
+
+	if (use_default)
+		(void)NULL;
+
+	return (result);
+}
+
+void
+dns_rdata_freestruct(void *source) {
+	dns_rdatacommon_t *common = source;
+	REQUIRE(source != NULL);
+
+	FREESTRUCTSWITCH
+}
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+			 void *arg)
+{
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+
+	/*
+	 * Call 'add' for each name and type from 'rdata' which is subject to
+	 * additional section processing.
+	 */
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(add != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	ADDITIONALDATASWITCH
+
+	/* No additional processing for unknown types */
+	if (use_default)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
+	isc_result_t result = ISC_R_NOTIMPLEMENTED;
+	bool use_default = false;
+	isc_region_t r;
+
+	/*
+	 * Send 'rdata' in DNSSEC canonical form to 'digest'.
+	 */
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(digest != NULL);
+	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+	DIGESTSWITCH
+
+	if (use_default) {
+		dns_rdata_toregion(rdata, &r);
+		result = (digest)(arg, &r);
+	}
+
+	return (result);
+}
+
+bool
+dns_rdata_checkowner(dns_name_t *name, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, bool wildcard)
+{
+	bool result;
+
+	CHECKOWNERSWITCH
+	return (result);
+}
+
+bool
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad)
+{
+	bool result;
+
+	CHECKNAMESSWITCH
+	return (result);
+}
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t type)
+{
+	RDATATYPE_ATTRIBUTE_SW
+	if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
+		return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
+	return (DNS_RDATATYPEATTR_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
+	unsigned int hash;
+	unsigned int n;
+	unsigned char a, b;
+
+	n = source->length;
+
+	if (n == 0)
+		return (DNS_R_UNKNOWN);
+
+	a = tolower((unsigned char)source->base[0]);
+	b = tolower((unsigned char)source->base[n - 1]);
+
+	hash = ((a + n) * b) % 256;
+
+	/*
+	 * This switch block is inlined via \#define, and will use "return"
+	 * to return a result to the caller if it is a valid (known)
+	 * rdatatype name.
+	 */
+	RDATATYPE_FROMTEXT_SW(hash, source->base, n, typep);
+
+	if (source->length > 4 && source->length < (4 + sizeof("65000")) &&
+	    strncasecmp("type", source->base, 4) == 0) {
+		char buf[sizeof("65000")];
+		char *endp;
+		unsigned int val;
+
+		/*
+		 * source->base is not required to be NUL terminated.
+		 * Copy up to remaining bytes and NUL terminate.
+		 */
+		snprintf(buf, sizeof(buf), "%.*s",
+			 (int)(source->length - 4), source->base + 4);
+		val = strtoul(buf, &endp, 10);
+		if (*endp == '\0' && val <= 0xffff) {
+			*typep = (dns_rdatatype_t)val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
+	RDATATYPE_TOTEXT_SW
+
+	return (dns_rdatatype_tounknowntext(type, target));
+}
+
+isc_result_t
+dns_rdatatype_tounknowntext(dns_rdatatype_t type, isc_buffer_t *target) {
+	char buf[sizeof("TYPE65535")];
+
+	snprintf(buf, sizeof(buf), "TYPE%u", type);
+	return (str_totext(buf, target));
+}
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype,
+		     char *array, unsigned int size)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U)
+		return;
+
+	isc_buffer_init(&buf, array, size);
+	result = dns_rdatatype_totext(rdtype, &buf);
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1)
+			isc_buffer_putuint8(&buf, 0);
+		else
+			result = ISC_R_NOSPACE;
+	}
+	if (result != ISC_R_SUCCESS)
+		strlcpy(array, "<unknown>", size);
+}
+
+/*
+ * Private function.
+ */
+
+static unsigned int
+name_length(dns_name_t *name) {
+	return (name->length);
+}
+
+static isc_result_t
+txt_totext(isc_region_t *source, bool quote, isc_buffer_t *target) {
+	unsigned int tl;
+	unsigned int n;
+	unsigned char *sp;
+	char *tp;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	sp = source->base;
+	tp = (char *)region.base;
+	tl = region.length;
+
+	n = *sp++;
+
+	REQUIRE(n + 1 <= source->length);
+	if (n == 0U)
+		REQUIRE(quote == true);
+
+	if (quote) {
+		if (tl < 1)
+			return (ISC_R_NOSPACE);
+		*tp++ = '"';
+		tl--;
+	}
+	while (n--) {
+		/*
+		 * \DDD space (0x20) if not quoting.
+		 */
+		if (*sp < (quote ? 0x20 : 0x21) || *sp >= 0x7f) {
+			if (tl < 4)
+				return (ISC_R_NOSPACE);
+			*tp++ = 0x5c;
+			*tp++ = 0x30 + ((*sp / 100) % 10);
+			*tp++ = 0x30 + ((*sp / 10) % 10);
+			*tp++ = 0x30 + (*sp % 10);
+			sp++;
+			tl -= 4;
+			continue;
+		}
+		/*
+		 * Escape double quote and backslash.  If we are not
+		 * enclosing the string in double quotes also escape
+		 * at sign and semicolon.
+		 */
+		if (*sp == 0x22 || *sp == 0x5c ||
+		    (!quote && (*sp == 0x40 || *sp == 0x3b))) {
+			if (tl < 2)
+				return (ISC_R_NOSPACE);
+			*tp++ = '\\';
+			tl--;
+		}
+		if (tl < 1)
+			return (ISC_R_NOSPACE);
+		*tp++ = *sp++;
+		tl--;
+	}
+	if (quote) {
+		if (tl < 1)
+			return (ISC_R_NOSPACE);
+		*tp++ = '"';
+		tl--;
+		POST(tl);
+	}
+	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
+	isc_region_consume(source, *source->base + 1);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
+	isc_region_t tregion;
+	bool escape;
+	unsigned int n, nrem;
+	char *s;
+	unsigned char *t;
+	int d;
+	int c;
+
+	isc_buffer_availableregion(target, &tregion);
+	s = source->base;
+	n = source->length;
+	t = tregion.base;
+	nrem = tregion.length;
+	escape = false;
+	if (nrem < 1)
+		return (ISC_R_NOSPACE);
+	/*
+	 * Length byte.
+	 */
+	nrem--;
+	t++;
+	/*
+	 * Maximum text string length.
+	 */
+	if (nrem > 255)
+		nrem = 255;
+	while (n-- != 0) {
+		c = (*s++) & 0xff;
+		if (escape && (d = decvalue((char)c)) != -1) {
+			c = d;
+			if (n == 0)
+				return (DNS_R_SYNTAX);
+			n--;
+			if ((d = decvalue(*s++)) != -1)
+				c = c * 10 + d;
+			else
+				return (DNS_R_SYNTAX);
+			if (n == 0)
+				return (DNS_R_SYNTAX);
+			n--;
+			if ((d = decvalue(*s++)) != -1)
+				c = c * 10 + d;
+			else
+				return (DNS_R_SYNTAX);
+			if (c > 255)
+				return (DNS_R_SYNTAX);
+		} else if (!escape && c == '\\') {
+			escape = true;
+			continue;
+		}
+		escape = false;
+		if (nrem == 0)
+			return ((tregion.length <= 256U) ?
+				ISC_R_NOSPACE : DNS_R_SYNTAX);
+		*t++ = c;
+		nrem--;
+	}
+	if (escape)
+		return (DNS_R_SYNTAX);
+	*tregion.base = (unsigned char)(t - tregion.base - 1);
+	isc_buffer_add(target, *tregion.base + 1);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
+	unsigned int n;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length == 0)
+		return (ISC_R_UNEXPECTEDEND);
+	n = *sregion.base + 1;
+	if (n > sregion.length)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_availableregion(target, &tregion);
+	if (n > tregion.length)
+		return (ISC_R_NOSPACE);
+
+	if (tregion.base != sregion.base)
+		memmove(tregion.base, sregion.base, n);
+	isc_buffer_forward(source, n);
+	isc_buffer_add(target, n);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Conversion of TXT-like rdata fields without length limits.
+ */
+static isc_result_t
+multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
+	unsigned int tl;
+	unsigned int n0, n;
+	unsigned char *sp;
+	char *tp;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	sp = source->base;
+	tp = (char *)region.base;
+	tl = region.length;
+
+	if (tl < 1)
+		return (ISC_R_NOSPACE);
+	*tp++ = '"';
+	tl--;
+	do {
+		n = source->length;
+		n0 = source->length - 1;
+
+		while (n--) {
+			if (*sp < 0x20 || *sp >= 0x7f) {
+				if (tl < 4)
+					return (ISC_R_NOSPACE);
+				*tp++ = 0x5c;
+				*tp++ = 0x30 + ((*sp / 100) % 10);
+				*tp++ = 0x30 + ((*sp / 10) % 10);
+				*tp++ = 0x30 + (*sp % 10);
+				sp++;
+				tl -= 4;
+				continue;
+			}
+			/* double quote, backslash */
+			if (*sp == 0x22 || *sp == 0x5c) {
+				if (tl < 2)
+					return (ISC_R_NOSPACE);
+				*tp++ = '\\';
+				tl--;
+			}
+			if (tl < 1)
+				return (ISC_R_NOSPACE);
+			*tp++ = *sp++;
+			tl--;
+		}
+		isc_region_consume(source, n0 + 1);
+	} while (source->length != 0);
+	if (tl < 1)
+		return (ISC_R_NOSPACE);
+	*tp++ = '"';
+	tl--;
+	POST(tl);
+	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
+	isc_region_t tregion;
+	bool escape;
+	unsigned int n, nrem;
+	char *s;
+	unsigned char *t0, *t;
+	int d;
+	int c;
+
+	s = source->base;
+	n = source->length;
+	escape = false;
+
+	do {
+		isc_buffer_availableregion(target, &tregion);
+		t0 = t = tregion.base;
+		nrem = tregion.length;
+		if (nrem < 1)
+			return (ISC_R_NOSPACE);
+
+		while (n != 0) {
+			--n;
+			c = (*s++) & 0xff;
+			if (escape && (d = decvalue((char)c)) != -1) {
+				c = d;
+				if (n == 0)
+					return (DNS_R_SYNTAX);
+				n--;
+				if ((d = decvalue(*s++)) != -1)
+					c = c * 10 + d;
+				else
+					return (DNS_R_SYNTAX);
+				if (n == 0)
+					return (DNS_R_SYNTAX);
+				n--;
+				if ((d = decvalue(*s++)) != -1)
+					c = c * 10 + d;
+				else
+					return (DNS_R_SYNTAX);
+				if (c > 255)
+					return (DNS_R_SYNTAX);
+			} else if (!escape && c == '\\') {
+				escape = true;
+				continue;
+			}
+			escape = false;
+			*t++ = c;
+			nrem--;
+			if (nrem == 0)
+				break;
+		}
+		if (escape)
+			return (DNS_R_SYNTAX);
+
+		isc_buffer_add(target, (unsigned int)(t - t0));
+	} while (n != 0);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target) {
+	int l1, l2;
+
+	if (origin == NULL)
+		goto return_false;
+
+	if (dns_name_compare(origin, dns_rootname) == 0)
+		goto return_false;
+
+	if (!dns_name_issubdomain(name, origin))
+		goto return_false;
+
+	l1 = dns_name_countlabels(name);
+	l2 = dns_name_countlabels(origin);
+
+	if (l1 == l2)
+		goto return_false;
+
+	/* Master files should be case preserving. */
+	dns_name_getlabelsequence(name, l1 - l2, l2, target);
+	if (!dns_name_caseequal(origin, target))
+		goto return_false;
+
+	dns_name_getlabelsequence(name, 0, l1 - l2, target);
+	return (true);
+
+return_false:
+	*target = *name;
+	return (false);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
+	char tmpbuf[64];
+
+	/* Note - inet_ntop doesn't do size checking on its input. */
+	if (inet_ntop(af, src->base, tmpbuf, sizeof(tmpbuf)) == NULL)
+		return (ISC_R_NOSPACE);
+	if (strlen(tmpbuf) > isc_buffer_availablelength(target))
+		return (ISC_R_NOSPACE);
+	isc_buffer_putstr(target, tmpbuf);
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+buffer_empty(isc_buffer_t *source) {
+	return((source->current == source->active) ? true : false);
+}
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
+	isc_buffer_init(buffer, region->base, region->length);
+	isc_buffer_add(buffer, region->length);
+	isc_buffer_setactive(buffer, region->length);
+}
+
+static isc_result_t
+uint32_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putuint32(target, value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint16_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	if (value > 0xffff)
+		return (ISC_R_RANGE);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 2)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putuint16(target, (uint16_t)value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint8_tobuffer(uint32_t value, isc_buffer_t *target) {
+	isc_region_t region;
+
+	if (value > 0xff)
+		return (ISC_R_RANGE);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 1)
+		return (ISC_R_NOSPACE);
+	isc_buffer_putuint8(target, (uint8_t)value);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
+	isc_region_t r;
+	dns_name_toregion(name, &r);
+	return (isc_buffer_copyregion(target, &r));
+}
+
+static uint32_t
+uint32_fromregion(isc_region_t *region) {
+	uint32_t value;
+
+	REQUIRE(region->length >= 4);
+	value = (uint32_t)region->base[0] << 24;
+	value |= (uint32_t)region->base[1] << 16;
+	value |= (uint32_t)region->base[2] << 8;
+	value |= (uint32_t)region->base[3];
+	return(value);
+}
+
+static uint16_t
+uint16_consume_fromregion(isc_region_t *region) {
+	uint16_t r = uint16_fromregion(region);
+
+	isc_region_consume(region, 2);
+	return r;
+}
+
+static uint16_t
+uint16_fromregion(isc_region_t *region) {
+
+	REQUIRE(region->length >= 2);
+
+	return ((region->base[0] << 8) | region->base[1]);
+}
+
+static uint8_t
+uint8_fromregion(isc_region_t *region) {
+
+	REQUIRE(region->length >= 1);
+
+	return (region->base[0]);
+}
+
+static uint8_t
+uint8_consume_fromregion(isc_region_t *region) {
+	uint8_t r = uint8_fromregion(region);
+
+	isc_region_consume(region, 1);
+	return r;
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	if (length == 0U)
+		return (ISC_R_SUCCESS);
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length)
+		return (ISC_R_NOSPACE);
+	if (tr.base != base)
+		memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
+
+static int
+hexvalue(char value) {
+	const char *s;
+	unsigned char c;
+
+	c = (unsigned char)value;
+
+	if (!isascii(c))
+		return (-1);
+	if (isupper(c))
+		c = tolower(c);
+	if ((s = strchr(hexdigits, c)) == NULL)
+		return (-1);
+	return (int)(s - hexdigits);
+}
+
+static int
+decvalue(char value) {
+	const char *s;
+
+	/*
+	 * isascii() is valid for full range of int values, no need to
+	 * mask or cast.
+	 */
+	if (!isascii(value))
+		return (-1);
+	if ((s = strchr(decdigits, value)) == NULL)
+		return (-1);
+	return (int)(s - decdigits);
+}
+
+static const char atob_digits[86] =
+	"!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" \
+	"abcdefghijklmnopqrstu";
+/*
+ * Subroutines to convert between 8 bit binary bytes and printable ASCII.
+ * Computes the number of bytes, and three kinds of simple checksums.
+ * Incoming bytes are collected into 32-bit words, then printed in base 85:
+ *	exp(85,5) > exp(2,32)
+ * The ASCII characters used are between '!' and 'u';
+ * 'z' encodes 32-bit zero; 'x' is used to mark the end of encoded data.
+ *
+ * Originally by Paul Rutter (philabs!per) and Joe Orost (petsd!joe) for
+ * the atob/btoa programs, released with the compress program, in mod.sources.
+ * Modified by Mike Schwartz 8/19/86 for use in BIND.
+ * Modified to be re-entrant 3/2/99.
+ */
+
+
+struct state {
+	int32_t Ceor;
+	int32_t Csum;
+	int32_t Crot;
+	int32_t word;
+	int32_t bcount;
+};
+
+#define Ceor state->Ceor
+#define Csum state->Csum
+#define Crot state->Crot
+#define word state->word
+#define bcount state->bcount
+
+#define times85(x)	((((((x<<2)+x)<<2)+x)<<2)+x)
+
+static isc_result_t	byte_atob(int c, isc_buffer_t *target,
+				  struct state *state);
+static isc_result_t	putbyte(int c, isc_buffer_t *, struct state *state);
+static isc_result_t	byte_btoa(int c, isc_buffer_t *, struct state *state);
+
+/*
+ * Decode ASCII-encoded byte c into binary representation and
+ * place into *bufp, advancing bufp.
+ */
+static isc_result_t
+byte_atob(int c, isc_buffer_t *target, struct state *state) {
+	const char *s;
+	if (c == 'z') {
+		if (bcount != 0)
+			return(DNS_R_SYNTAX);
+		else {
+			RETERR(putbyte(0, target, state));
+			RETERR(putbyte(0, target, state));
+			RETERR(putbyte(0, target, state));
+			RETERR(putbyte(0, target, state));
+		}
+	} else if ((s = strchr(atob_digits, c)) != NULL) {
+		if (bcount == 0) {
+			word = (int32_t)(s - atob_digits);
+			++bcount;
+		} else if (bcount < 4) {
+			word = times85(word);
+			word += (int32_t)(s - atob_digits);
+			++bcount;
+		} else {
+			word = times85(word);
+			word += (int32_t)(s - atob_digits);
+			RETERR(putbyte((word >> 24) & 0xff, target, state));
+			RETERR(putbyte((word >> 16) & 0xff, target, state));
+			RETERR(putbyte((word >> 8) & 0xff, target, state));
+			RETERR(putbyte(word & 0xff, target, state));
+			word = 0;
+			bcount = 0;
+		}
+	} else
+		return(DNS_R_SYNTAX);
+	return(ISC_R_SUCCESS);
+}
+
+/*
+ * Compute checksum info and place c into target.
+ */
+static isc_result_t
+putbyte(int c, isc_buffer_t *target, struct state *state) {
+	isc_region_t tr;
+
+	Ceor ^= c;
+	Csum += c;
+	Csum += 1;
+	if ((Crot & 0x80000000)) {
+		Crot <<= 1;
+		Crot += 1;
+	} else {
+		Crot <<= 1;
+	}
+	Crot += c;
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 1)
+		return (ISC_R_NOSPACE);
+	tr.base[0] = c;
+	isc_buffer_add(target, 1);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
+ * it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
+ * outbuflen must be divisible by 4.  (Note: this is because outbuf is filled
+ * in 4 bytes at a time.  If the actual data doesn't end on an even 4-byte
+ * boundary, there will be no problem...it will be padded with 0 bytes, and
+ * numbytes will indicate the correct number of bytes.  The main point is
+ * that since the buffer is filled in 4 bytes at a time, even if there is
+ * not a full 4 bytes of data at the end, there has to be room to 0-pad the
+ * data, so the buffer must be of size divisible by 4).  Place the number of
+ * output bytes in numbytes, and return a failure/success status.
+ */
+
+static isc_result_t
+atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
+	long oeor, osum, orot;
+	struct state statebuf, *state= &statebuf;
+	isc_token_t token;
+	char c;
+	char *e;
+
+	Ceor = Csum = Crot = word = bcount = 0;
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	while (token.value.as_textregion.length != 0) {
+		if ((c = token.value.as_textregion.base[0]) == 'x') {
+			break;
+		} else
+			RETERR(byte_atob(c, target, state));
+		isc_textregion_consume(&token.value.as_textregion, 1);
+	}
+
+	/*
+	 * Number of bytes.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if ((token.value.as_ulong % 4) != 0U) {
+		unsigned long padding = 4 - (token.value.as_ulong % 4);
+		if (isc_buffer_usedlength(target) < padding)
+			return (DNS_R_SYNTAX);
+		isc_buffer_subtract(target, padding);
+	}
+
+	/*
+	 * Checksum.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	oeor = strtol(DNS_AS_STR(token), &e, 16);
+	if (*e != 0)
+		return (DNS_R_SYNTAX);
+
+	/*
+	 * Checksum.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	osum = strtol(DNS_AS_STR(token), &e, 16);
+	if (*e != 0)
+		return (DNS_R_SYNTAX);
+
+	/*
+	 * Checksum.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	orot = strtol(DNS_AS_STR(token), &e, 16);
+	if (*e != 0)
+		return (DNS_R_SYNTAX);
+
+	if ((oeor != Ceor) || (osum != Csum) || (orot != Crot))
+		return(DNS_R_BADCKSUM);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Encode binary byte c into ASCII representation and place into *bufp,
+ * advancing bufp.
+ */
+static isc_result_t
+byte_btoa(int c, isc_buffer_t *target, struct state *state) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	Ceor ^= c;
+	Csum += c;
+	Csum += 1;
+	if ((Crot & 0x80000000)) {
+		Crot <<= 1;
+		Crot += 1;
+	} else {
+		Crot <<= 1;
+	}
+	Crot += c;
+
+	word <<= 8;
+	word |= c;
+	if (bcount == 3) {
+		if (word == 0) {
+			if (tr.length < 1)
+				return (ISC_R_NOSPACE);
+			tr.base[0] = 'z';
+			isc_buffer_add(target, 1);
+		} else {
+		    register int tmp = 0;
+		    register int32_t tmpword = word;
+
+		    if (tmpword < 0) {
+			   /*
+			    * Because some don't support u_long.
+			    */
+			tmp = 32;
+			tmpword -= (int32_t)(85 * 85 * 85 * 85 * 32);
+		    }
+		    if (tmpword < 0) {
+			tmp = 64;
+			tmpword -= (int32_t)(85 * 85 * 85 * 85 * 32);
+		    }
+			if (tr.length < 5)
+				return (ISC_R_NOSPACE);
+			tr.base[0] = atob_digits[(tmpword /
+					      (int32_t)(85 * 85 * 85 * 85))
+						+ tmp];
+			tmpword %= (int32_t)(85 * 85 * 85 * 85);
+			tr.base[1] = atob_digits[tmpword / (85 * 85 * 85)];
+			tmpword %= (85 * 85 * 85);
+			tr.base[2] = atob_digits[tmpword / (85 * 85)];
+			tmpword %= (85 * 85);
+			tr.base[3] = atob_digits[tmpword / 85];
+			tmpword %= 85;
+			tr.base[4] = atob_digits[tmpword];
+			isc_buffer_add(target, 5);
+		}
+		bcount = 0;
+	} else {
+		bcount += 1;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+
+/*
+ * Encode the binary data from inbuf, of length inbuflen, into a
+ * target.  Return success/failure status
+ */
+static isc_result_t
+btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
+	int inc;
+	struct state statebuf, *state = &statebuf;
+	char buf[sizeof("x 2000000000 ffffffff ffffffff ffffffff")];
+
+	Ceor = Csum = Crot = word = bcount = 0;
+	for (inc = 0; inc < inbuflen; inbuf++, inc++)
+		RETERR(byte_btoa(*inbuf, target, state));
+
+	while (bcount != 0)
+		RETERR(byte_btoa(0, target, state));
+
+	/*
+	 * Put byte count and checksum information at end of buffer,
+	 * delimited by 'x'
+	 */
+	snprintf(buf, sizeof(buf), "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
+	return (str_totext(buf, target));
+}
+
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
+			  ...)
+{
+	va_list ap;
+
+	UNUSED(callbacks);
+
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+	fprintf(stderr, "\n");
+}
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
+	if (isc_lex_isfile(lexer) && callbacks != NULL) {
+		const char *name = isc_lex_getsourcename(lexer);
+		if (name == NULL)
+			name = "UNKNOWN";
+		(*callbacks->warn)(callbacks,
+				   "%s:%lu: file does not end with newline",
+				   name, isc_lex_getsourceline(lexer));
+	}
+}
+
+static void
+warn_badmx(isc_token_t *token, isc_lex_t *lexer,
+	   dns_rdatacallbacks_t *callbacks)
+{
+	const char *file;
+	unsigned long line;
+
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s",
+				   file, line, DNS_AS_STR(*token),
+				   dns_result_totext(DNS_R_MXISADDRESS));
+	}
+}
+
+static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+	     dns_rdatacallbacks_t *callbacks)
+{
+	const char *file;
+	unsigned long line;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	if (lexer != NULL) {
+		file = isc_lex_getsourcename(lexer);
+		line = isc_lex_getsourceline(lexer);
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		(*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s",
+				   file, line, namebuf,
+				   dns_result_totext(DNS_R_BADNAME));
+	}
+}
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+	       dns_rdatacallbacks_t *callbacks, const char *name,
+	       unsigned long line, isc_token_t *token, isc_result_t result)
+{
+	if (name == NULL)
+		name = "UNKNOWN";
+
+	if (token != NULL) {
+		switch (token->type) {
+		case isc_tokentype_eol:
+			(*callback)(callbacks, "%s: %s:%lu: near eol: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_eof:
+			(*callback)(callbacks, "%s: %s:%lu: near eof: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_number:
+			(*callback)(callbacks, "%s: %s:%lu: near %lu: %s",
+				    "dns_rdata_fromtext", name, line,
+				    token->value.as_ulong,
+				    dns_result_totext(result));
+			break;
+		case isc_tokentype_string:
+		case isc_tokentype_qstring:
+			(*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
+				    "dns_rdata_fromtext", name, line,
+				    DNS_AS_STR(*token),
+				    dns_result_totext(result));
+			break;
+		default:
+			(*callback)(callbacks, "%s: %s:%lu: %s",
+				    "dns_rdata_fromtext", name, line,
+				    dns_result_totext(result));
+			break;
+		}
+	} else {
+		(*callback)(callbacks, "dns_rdata_fromtext: %s:%lu: %s",
+			    name, line, dns_result_totext(result));
+	}
+}
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata) {
+	if (rdata->type == dns_rdatatype_rrsig)
+		return (covers_rrsig(rdata));
+	return (covers_sig(rdata));
+}
+
+bool
+dns_rdatatype_ismeta(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_issingleton(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON)
+	    != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_notquestion(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION)
+	    != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_questiononly(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY)
+	    != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_atparent(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
+
+	if (rdclass == dns_rdataclass_reserved0
+	    || rdclass == dns_rdataclass_none
+	    || rdclass == dns_rdataclass_any)
+		return (true);
+
+	return (false);  /* Assume it is not a meta class. */
+}
+
+bool
+dns_rdatatype_isdnssec(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type)
+	     & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
+	    != 0)
+		return (true);
+	return (false);
+}
+
+bool
+dns_rdatatype_isknown(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN)
+	    == 0)
+		return (true);
+	return (false);
+}
+
+void
+dns_rdata_exists(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_notexist(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+void
+dns_rdata_deleterrset(dns_rdata_t *rdata, dns_rdatatype_t type) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	rdata->data = NULL;
+	rdata->length = 0;
+	rdata->flags = DNS_RDATA_UPDATE;
+	rdata->type = type;
+	rdata->rdclass = dns_rdataclass_any;
+}
+
+void
+dns_rdata_makedelete(dns_rdata_t *rdata) {
+	REQUIRE(rdata != NULL);
+
+	rdata->rdclass = dns_rdataclass_none;
+}
+
+const char *
+dns_rdata_updateop(dns_rdata_t *rdata, dns_section_t section) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+
+	switch (section) {
+	case DNS_SECTION_PREREQUISITE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain doesn't exist");
+			default:
+				return ("rrset doesn't exist");
+			}
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("domain exists");
+			default:
+				return ("rrset exists (value independent)");
+			}
+		default:
+			return ("rrset exists (value dependent)");
+		}
+	case DNS_SECTION_UPDATE:
+		switch (rdata->rdclass) {
+		case dns_rdataclass_none:
+			return ("delete");
+		case dns_rdataclass_any:
+			switch (rdata->type) {
+			case dns_rdatatype_any:
+				return ("delete all rrsets");
+			default:
+				return ("delete rrset");
+			}
+		default:
+			return ("add");
+		}
+	}
+	return ("invalid");
+}
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
new file mode 100644
index 0000000..5cb24b2
--- /dev/null
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -0,0 +1,598 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_ANY_255_TSIG_250_C
+#define RDATA_ANY_255_TSIG_250_C
+
+#define RRTYPE_TSIG_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
+
+static inline isc_result_t
+fromtext_any_tsig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	uint64_t sigtime;
+	isc_buffer_t buffer;
+	dns_rcode_t rcode;
+	long i;
+	char *e;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Time Signed: 48 bits.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	sigtime = isc_string_touint64(DNS_AS_STR(token), &e, 10);
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	if ((sigtime >> 48) != 0)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer((uint16_t)(sigtime >> 32), target));
+	RETERR(uint32_tobuffer((uint32_t)(sigtime & 0xffffffffU), target));
+
+	/*
+	 * Fudge.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+	/*
+	 * Original ID.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
+				!= ISC_R_SUCCESS)
+	{
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e != 0)
+			RETTOK(DNS_R_UNKNOWN);
+		if (i < 0 || i > 0xffff)
+			RETTOK(ISC_R_RANGE);
+		rcode = (dns_rcode_t)i;
+	}
+	RETERR(uint16_tobuffer(rcode, target));
+
+	/*
+	 * Other Len.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static inline isc_result_t
+totext_any_tsig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	isc_region_t sigr;
+	char buf[sizeof(" 281474976710655 ")];
+	char *bufp;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	uint64_t sigtime;
+	unsigned short n;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+	isc_region_consume(&sr, name_length(&name));
+
+	/*
+	 * Time Signed.
+	 */
+	sigtime = ((uint64_t)sr.base[0] << 40) |
+		  ((uint64_t)sr.base[1] << 32) |
+		  ((uint64_t)sr.base[2] << 24) |
+		  ((uint64_t)sr.base[3] << 16) |
+		  ((uint64_t)sr.base[4] << 8) |
+		  (uint64_t)sr.base[5];
+	isc_region_consume(&sr, 6);
+	bufp = &buf[sizeof(buf) - 1];
+	*bufp-- = 0;
+	*bufp-- = ' ';
+	do {
+		*bufp-- = decdigits[sigtime % 10];
+		sigtime /= 10;
+	} while (sigtime != 0);
+	bufp++;
+	RETERR(str_totext(bufp, target));
+
+	/*
+	 * Fudge.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Signature Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Signature.
+	 */
+	if (n != 0U) {
+		REQUIRE(n <= sr.length);
+		sigr = sr;
+		sigr.length = n;
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+			RETERR(str_totext(" (", target));
+		RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&sigr, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&sigr, tctx->width - 2,
+						 tctx->linebreak, target));
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+			RETERR(str_totext(" ) ", target));
+		else
+			RETERR(str_totext(" ", target));
+		isc_region_consume(&sr, n);
+	} else {
+		RETERR(str_totext(" ", target));
+	}
+
+	/*
+	 * Original ID.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Error.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	RETERR(dns_tsigrcode_totext((dns_rcode_t)n, target));
+
+	/*
+	 * Other Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), " %u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Other.
+	 */
+	if (tctx->width == 0)   /* No splitting */
+		return (isc_base64_totext(&sr, 60, "", target));
+	else
+		return (isc_base64_totext(&sr, 60, " ", target));
+}
+
+static inline isc_result_t
+fromwire_any_tsig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	unsigned long n;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Time Signed + Fudge.
+	 */
+	if (sr.length < 8)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, 8));
+	isc_region_consume(&sr, 8);
+	isc_buffer_forward(source, 8);
+
+	/*
+	 * Signature Length + Signature.
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, n + 2));
+	isc_region_consume(&sr, n + 2);
+	isc_buffer_forward(source, n + 2);
+
+	/*
+	 * Original ID + Error.
+	 */
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base,  4));
+	isc_region_consume(&sr, 4);
+	isc_buffer_forward(source, 4);
+
+	/*
+	 * Other Length + Other.
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2)
+		return (ISC_R_UNEXPECTEDEND);
+	isc_buffer_forward(source, n + 2);
+	return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static inline isc_result_t
+towire_any_tsig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&sr, name_length(&name));
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_any_tsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tsig);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_any_tsig(ARGS_FROMSTRUCT) {
+	dns_rdata_any_tsig_t *tsig = source;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+	REQUIRE(source != NULL);
+	REQUIRE(tsig->common.rdclass == rdclass);
+	REQUIRE(tsig->common.rdtype == type);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tsig->algorithm, target));
+
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 6 + 2 + 2)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Time Signed: 48 bits.
+	 */
+	RETERR(uint16_tobuffer((uint16_t)(tsig->timesigned >> 32),
+			       target));
+	RETERR(uint32_tobuffer((uint32_t)(tsig->timesigned & 0xffffffffU),
+			       target));
+
+	/*
+	 * Fudge.
+	 */
+	RETERR(uint16_tobuffer(tsig->fudge, target));
+
+	/*
+	 * Signature Size.
+	 */
+	RETERR(uint16_tobuffer(tsig->siglen, target));
+
+	/*
+	 * Signature.
+	 */
+	RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
+
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 2 + 2 + 2)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Original ID.
+	 */
+	RETERR(uint16_tobuffer(tsig->originalid, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(uint16_tobuffer(tsig->error, target));
+
+	/*
+	 * Other Len.
+	 */
+	RETERR(uint16_tobuffer(tsig->otherlen, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (mem_tobuffer(target, tsig->other, tsig->otherlen));
+}
+
+static inline isc_result_t
+tostruct_any_tsig(ARGS_TOSTRUCT) {
+	dns_rdata_any_tsig_t *tsig;
+	dns_name_t alg;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+	REQUIRE(rdata->length != 0);
+
+	tsig = (dns_rdata_any_tsig_t *) target;
+	tsig->common.rdclass = rdata->rdclass;
+	tsig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tsig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&alg, NULL);
+	dns_name_fromregion(&alg, &sr);
+	dns_name_init(&tsig->algorithm, NULL);
+	RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
+
+	isc_region_consume(&sr, name_length(&tsig->algorithm));
+
+	/*
+	 * Time Signed.
+	 */
+	INSIST(sr.length >= 6);
+	tsig->timesigned = ((uint64_t)sr.base[0] << 40) |
+			   ((uint64_t)sr.base[1] << 32) |
+			   ((uint64_t)sr.base[2] << 24) |
+			   ((uint64_t)sr.base[3] << 16) |
+			   ((uint64_t)sr.base[4] << 8) |
+			   (uint64_t)sr.base[5];
+	isc_region_consume(&sr, 6);
+
+	/*
+	 * Fudge.
+	 */
+	tsig->fudge = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Signature Size.
+	 */
+	tsig->siglen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Signature.
+	 */
+	INSIST(sr.length >= tsig->siglen);
+	tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
+	if (tsig->signature == NULL)
+		goto cleanup;
+	isc_region_consume(&sr, tsig->siglen);
+
+	/*
+	 * Original ID.
+	 */
+	tsig->originalid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Error.
+	 */
+	tsig->error = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other Size.
+	 */
+	tsig->otherlen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other.
+	 */
+	INSIST(sr.length == tsig->otherlen);
+	tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
+	if (tsig->other == NULL)
+		goto cleanup;
+
+	tsig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&tsig->algorithm, tsig->mctx);
+	if (mctx != NULL && tsig->signature != NULL)
+		isc_mem_free(mctx, tsig->signature);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_any_tsig(ARGS_FREESTRUCT) {
+	dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(tsig->common.rdtype == dns_rdatatype_tsig);
+	REQUIRE(tsig->common.rdclass == dns_rdataclass_any);
+
+	if (tsig->mctx == NULL)
+		return;
+
+	dns_name_free(&tsig->algorithm, tsig->mctx);
+	if (tsig->signature != NULL)
+		isc_mem_free(tsig->mctx, tsig->signature);
+	if (tsig->other != NULL)
+		isc_mem_free(tsig->mctx, tsig->other);
+	tsig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_any_tsig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_any_tsig(ARGS_DIGEST) {
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline bool
+checkowner_any_tsig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_tsig);
+	REQUIRE(rdclass == dns_rdataclass_any);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_any_tsig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_tsig);
+	REQUIRE(rdata->rdclass == dns_rdataclass_any);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_any_tsig(ARGS_COMPARE) {
+	return (compare_any_tsig(rdata1, rdata2));
+}
+
+#endif	/* RDATA_ANY_255_TSIG_250_C */
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
new file mode 100644
index 0000000..6ace1d2
--- /dev/null
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ANY_255_TSIG_250_H
+#define ANY_255_TSIG_250_H 1
+
+/*% RFC2845 */
+typedef struct dns_rdata_any_tsig {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_name_t		algorithm;
+	uint64_t		timesigned;
+	uint16_t		fudge;
+	uint16_t		siglen;
+	unsigned char *		signature;
+	uint16_t		originalid;
+	uint16_t		error;
+	uint16_t		otherlen;
+	unsigned char *		other;
+} dns_rdata_any_tsig_t;
+
+#endif /* ANY_255_TSIG_250_H */
diff --git a/lib/dns/rdata/ch_3/a_1.c b/lib/dns/rdata/ch_3/a_1.c
new file mode 100644
index 0000000..94cae92
--- /dev/null
+++ b/lib/dns/rdata/ch_3/a_1.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/soa_6.c and generic/mx_15.c */
+
+#ifndef RDATA_CH_3_A_1_C
+#define RDATA_CH_3_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ch_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch); /* 3 */
+
+	UNUSED(type);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	/* get domain name */
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if ((options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
+		bool ok;
+		ok = dns_name_ishostname(&name, false);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+
+	/* 16-bit octal address */
+	RETERR(isc_lex_getoctaltoken(lexer, &token, false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	return (uint16_tobuffer(token.value.as_ulong, target));
+}
+
+static inline isc_result_t
+totext_ch_a(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("0177777")];
+	uint16_t addr;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch); /* 3 */
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	addr = uint16_fromregion(&region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	snprintf(buf, sizeof(buf), "%o", addr); /* note octal */
+	RETERR(str_totext(" ", target));
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_ch_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 2)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_ch_a(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&name, &sregion);
+	isc_region_consume(&sregion, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 2)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_add(target, 2);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_ch_a(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	order = memcmp(region1.base, region2.base, 2);
+	if (order != 0)
+		order = (order < 0) ? -1 : 1;
+	return (order);
+}
+
+static inline isc_result_t
+fromstruct_ch_a(ARGS_FROMSTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&a->ch_addr_dom, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	return (uint16_tobuffer(ntohs(a->ch_addr), target));
+}
+
+static inline isc_result_t
+tostruct_ch_a(ARGS_TOSTRUCT) {
+	dns_rdata_ch_a_t *a = target;
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+	REQUIRE(rdata->length != 0);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_init(&a->ch_addr_dom, NULL);
+	RETERR(name_duporclone(&name, mctx, &a->ch_addr_dom));
+	a->ch_addr = htons(uint16_fromregion(&region));
+	a->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ch_a(ARGS_FREESTRUCT) {
+	dns_rdata_ch_a_t *a = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == dns_rdatatype_a);
+
+	if (a->mctx == NULL)
+		return;
+
+	dns_name_free(&a->ch_addr_dom, a->mctx);
+	a->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ch_a(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ch_a(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	isc_region_consume(&r, name_length(&name));
+	RETERR(dns_name_digest(&name, digest, arg));
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_ch_a(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_ch);
+
+	UNUSED(type);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_ch_a(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_ch);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+
+	return (true);
+}
+
+static inline int
+casecompare_ch_a(ARGS_COMPARE) {
+	return (compare_ch_a(rdata1, rdata2));
+}
+#endif	/* RDATA_CH_3_A_1_C */
diff --git a/lib/dns/rdata/ch_3/a_1.h b/lib/dns/rdata/ch_3/a_1.h
new file mode 100644
index 0000000..a969534
--- /dev/null
+++ b/lib/dns/rdata/ch_3/a_1.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* by Bjorn.Victor@it.uu.se, 2005-05-07 */
+/* Based on generic/mx_15.h */
+
+#ifndef CH_3_A_1_H
+#define CH_3_A_1_H 1
+
+typedef uint16_t ch_addr_t;
+
+typedef struct dns_rdata_ch_a {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
+	ch_addr_t		ch_addr; /* chaos address (16 bit) network order */
+} dns_rdata_ch_a_t;
+
+#endif /* CH_3_A_1_H */
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
new file mode 100644
index 0000000..812dfa6
--- /dev/null
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_AFSDB_18_C
+#define RDATA_GENERIC_AFSDB_18_C
+
+#define RRTYPE_AFSDB_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_afsdb(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_buffer_t buffer;
+	dns_name_t name;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Subtype.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Hostname.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_afsdb(ARGS_TOTEXT) {
+	dns_name_t name;
+	dns_name_t prefix;
+	isc_region_t region;
+	char buf[sizeof("64000 ")];
+	bool sub;
+	unsigned int num;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_afsdb(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+	if (tr.length < 2)
+		return (ISC_R_NOSPACE);
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	memmove(tr.base, sr.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_afsdb(ARGS_TOWIRE) {
+	isc_region_t tr;
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
+	dns_rdata_toregion(rdata, &sr);
+	if (tr.length < 2)
+		return (ISC_R_NOSPACE);
+	memmove(tr.base, sr.base, 2);
+	isc_region_consume(&sr, 2);
+	isc_buffer_add(target, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_afsdb(ARGS_COMPARE) {
+	int result;
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_afsdb);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	result = memcmp(rdata1->data, rdata2->data, 2);
+	if (result != 0)
+		return (result < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_afsdb(ARGS_FROMSTRUCT) {
+	dns_rdata_afsdb_t *afsdb = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+	REQUIRE(source != NULL);
+	REQUIRE(afsdb->common.rdclass == rdclass);
+	REQUIRE(afsdb->common.rdtype == type);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(afsdb->subtype, target));
+	dns_name_toregion(&afsdb->server, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_afsdb(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_afsdb_t *afsdb = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	afsdb->common.rdclass = rdata->rdclass;
+	afsdb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&afsdb->common, link);
+
+	dns_name_init(&afsdb->server, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	afsdb->subtype = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+
+	RETERR(name_duporclone(&name, mctx, &afsdb->server));
+	afsdb->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_afsdb(ARGS_FREESTRUCT) {
+	dns_rdata_afsdb_t *afsdb = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(afsdb->common.rdtype == dns_rdatatype_afsdb);
+
+	if (afsdb->mctx == NULL)
+		return;
+
+	dns_name_free(&afsdb->server, afsdb->mctx);
+	afsdb->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_afsdb(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_afsdb(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_afsdb(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_afsdb);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_afsdb(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_afsdb);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_afsdb(ARGS_COMPARE) {
+	return (compare_afsdb(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_AFSDB_18_C */
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
new file mode 100644
index 0000000..24da1aa
--- /dev/null
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_AFSDB_18_H
+#define GENERIC_AFSDB_18_H 1
+
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_afsdb {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		subtype;
+	dns_name_t		server;
+} dns_rdata_afsdb_t;
+
+#endif /* GENERIC_AFSDB_18_H */
+
diff --git a/lib/dns/rdata/generic/avc_258.c b/lib/dns/rdata/generic/avc_258.c
new file mode 100644
index 0000000..31bbaff
--- /dev/null
+++ b/lib/dns/rdata/generic/avc_258.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_AVC_258_C
+#define RDATA_GENERIC_AVC_258_C
+
+#define RRTYPE_AVC_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_avc(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_avc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
+				     target, callbacks));
+}
+
+static inline isc_result_t
+totext_avc(ARGS_TOTEXT) {
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	return (generic_totext_txt(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_avc(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_avc);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
+				     target));
+}
+
+static inline isc_result_t
+towire_avc(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_avc(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_avc);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_avc(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_avc);
+
+	return (generic_fromstruct_txt(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_avc(ARGS_TOSTRUCT) {
+	dns_rdata_avc_t *avc = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+	REQUIRE(target != NULL);
+
+	avc->common.rdclass = rdata->rdclass;
+	avc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&avc->common, link);
+
+	return (generic_tostruct_txt(rdata, target, mctx));
+}
+
+static inline void
+freestruct_avc(ARGS_FREESTRUCT) {
+	dns_rdata_avc_t *txt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_avc);
+
+	generic_freestruct_txt(source);
+}
+
+static inline isc_result_t
+additionaldata_avc(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_avc(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_avc(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_avc);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_avc(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_avc);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_avc(ARGS_COMPARE) {
+	return (compare_avc(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_AVC_258_C */
diff --git a/lib/dns/rdata/generic/avc_258.h b/lib/dns/rdata/generic/avc_258.h
new file mode 100644
index 0000000..88abadd
--- /dev/null
+++ b/lib/dns/rdata/generic/avc_258.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_AVC_258_H
+#define GENERIC_AVC_258_H 1
+
+typedef dns_rdata_txt_string_t dns_rdata_avc_string_t;
+
+typedef struct dns_rdata_avc {
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	unsigned char           *data;
+	uint16_t            length;
+	/* private */
+	uint16_t            offset;
+} dns_rdata_avc_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+#endif /* GENERIC_AVC_258_H */
diff --git a/lib/dns/rdata/generic/caa_257.c b/lib/dns/rdata/generic/caa_257.c
new file mode 100644
index 0000000..4dc3639
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CAA_257_C
+#define GENERIC_CAA_257_C 1
+
+#define RRTYPE_CAA_ATTRIBUTES (0)
+
+static unsigned char const alphanumeric[256] = {
+	/* 0x00-0x0f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0x10-0x1f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0x20-0x2f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0x30-0x3f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 0, 0, 0, 0, 0, 0,
+	/* 0x40-0x4f */ 0, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 1, 1, 1, 1, 1,
+	/* 0x50-0x5f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 0, 0, 0, 0, 0,
+	/* 0x60-0x6f */ 0, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 1, 1, 1, 1, 1,
+	/* 0x70-0x7f */ 1, 1, 1, 1, 1, 1, 1, 1,  1, 1, 1, 0, 0, 0, 0, 0,
+	/* 0x80-0x8f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0x90-0x9f */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xa0-0xaf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xb0-0xbf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xc0-0xcf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xd0-0xdf */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xe0-0xef */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+	/* 0xf0-0xff */ 0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static inline isc_result_t
+fromtext_caa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_textregion_t tr;
+	uint8_t flags;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 255U)
+		RETTOK(ISC_R_RANGE);
+	flags = (uint8_t)(token.value.as_ulong & 255U);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/*
+	 * Tag
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	tr = token.value.as_textregion;
+	for (i = 0; i < tr.length; i++)
+		if (!alphanumeric[(unsigned char) tr.base[i]])
+			RETTOK(DNS_R_SYNTAX);
+	RETERR(uint8_tobuffer(tr.length, target));
+	RETERR(mem_tobuffer(target, tr.base, tr.length));
+
+	/*
+	 * Value
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token,
+				      isc_tokentype_qstring, false));
+	if (token.type != isc_tokentype_qstring &&
+	    token.type != isc_tokentype_string)
+		RETERR(DNS_R_SYNTAX);
+	RETERR(multitxt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_caa(ARGS_TOTEXT) {
+	isc_region_t region;
+	uint8_t flags;
+	char buf[256];
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Flags
+	 */
+	flags = uint8_consume_fromregion(&region);
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Tag
+	 */
+	RETERR(txt_totext(&region, false, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Value
+	 */
+	RETERR(multitxt_totext(&region, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_caa(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned int len, i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Flags
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/*
+	 * Flags, tag length
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 2));
+	len = sr.base[1];
+	isc_region_consume(&sr, 2);
+	isc_buffer_forward(source, 2);
+
+	/*
+	 * Zero length tag fields are illegal.
+	 */
+	if (sr.length < len || len == 0)
+		RETERR(DNS_R_FORMERR);
+
+	/* Check the Tag's value */
+	for (i = 0; i < len; i++)
+		if (!alphanumeric[sr.base[i]])
+			RETERR(DNS_R_FORMERR);
+	/*
+	 * Tag + Value
+	 */
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_caa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_caa(ARGS_COMPARE) {
+	isc_region_t r1, r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_caa);
+	REQUIRE(rdata1->length >= 3U);
+	REQUIRE(rdata2->length >= 3U);
+	REQUIRE(rdata1->data != NULL);
+	REQUIRE(rdata2->data != NULL);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_caa(ARGS_FROMSTRUCT) {
+	dns_rdata_caa_t *caa = source;
+	isc_region_t region;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_caa);
+	REQUIRE(source != NULL);
+	REQUIRE(caa->common.rdtype == type);
+	REQUIRE(caa->common.rdclass == rdclass);
+	REQUIRE(caa->tag != NULL && caa->tag_len != 0);
+	REQUIRE(caa->value != NULL);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Flags
+	 */
+	RETERR(uint8_tobuffer(caa->flags, target));
+
+	/*
+	 * Tag length
+	 */
+	RETERR(uint8_tobuffer(caa->tag_len, target));
+
+	/*
+	 * Tag
+	 */
+	region.base = caa->tag;
+	region.length = caa->tag_len;
+	for (i = 0; i < region.length; i++)
+		if (!alphanumeric[region.base[i]])
+			RETERR(DNS_R_SYNTAX);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	/*
+	 * Value
+	 */
+	region.base = caa->value;
+	region.length = caa->value_len;
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_caa(ARGS_TOSTRUCT) {
+	dns_rdata_caa_t *caa = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length >= 3U);
+	REQUIRE(rdata->data != NULL);
+
+	caa->common.rdclass = rdata->rdclass;
+	caa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&caa->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Flags
+	 */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	caa->flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Tag length
+	 */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	caa->tag_len = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Tag
+	 */
+	if (sr.length < caa->tag_len)
+		return (ISC_R_UNEXPECTEDEND);
+	caa->tag = mem_maybedup(mctx, sr.base, caa->tag_len);
+	if (caa->tag == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&sr, caa->tag_len);
+
+	/*
+	 * Value
+	 */
+	caa->value_len = sr.length;
+	caa->value = mem_maybedup(mctx, sr.base, sr.length);
+	if (caa->value == NULL)
+		return (ISC_R_NOMEMORY);
+
+	caa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_caa(ARGS_FREESTRUCT) {
+	dns_rdata_caa_t *caa = (dns_rdata_caa_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(caa->common.rdtype == dns_rdatatype_caa);
+
+	if (caa->mctx == NULL)
+		return;
+
+	if (caa->tag != NULL)
+		isc_mem_free(caa->mctx, caa->tag);
+	if (caa->value != NULL)
+		isc_mem_free(caa->mctx, caa->value);
+	caa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_caa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_caa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_caa(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_caa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_caa(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_caa);
+	REQUIRE(rdata->data != NULL);
+	REQUIRE(rdata->length >= 3U);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_caa(ARGS_COMPARE) {
+	return (compare_caa(rdata1, rdata2));
+}
+
+#endif /* GENERIC_CAA_257_C */
diff --git a/lib/dns/rdata/generic/caa_257.h b/lib/dns/rdata/generic/caa_257.h
new file mode 100644
index 0000000..c16e427
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CAA_257_H
+#define GENERIC_CAA_257_H 1
+
+
+typedef struct dns_rdata_caa {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint8_t		flags;
+	unsigned char *		tag;
+	uint8_t		tag_len;
+	unsigned char		*value;
+	uint16_t		value_len;
+} dns_rdata_caa_t;
+
+#endif /* GENERIC_CAA_257_H */
diff --git a/lib/dns/rdata/generic/cdnskey_60.c b/lib/dns/rdata/generic/cdnskey_60.c
new file mode 100644
index 0000000..afcdbc2
--- /dev/null
+++ b/lib/dns/rdata/generic/cdnskey_60.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-delegation-trust-maintainance-14 */
+
+#ifndef RDATA_GENERIC_CDNSKEY_60_C
+#define RDATA_GENERIC_CDNSKEY_60_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_CDNSKEY_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_cdnskey(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromtext_key(rdclass, type, lexer, origin,
+				     options, target, callbacks));
+}
+
+static inline isc_result_t
+totext_cdnskey(ARGS_TOTEXT) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	return (generic_totext_key(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_cdnskey(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromwire_key(rdclass, type, source, dctx,
+				     options, target));
+}
+
+static inline isc_result_t
+towire_cdnskey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_cdnskey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cdnskey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_cdnskey(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	return (generic_fromstruct_key(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_cdnskey(ARGS_TOSTRUCT) {
+	dns_rdata_cdnskey_t *dnskey = target;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	dnskey->common.rdclass = rdata->rdclass;
+	dnskey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dnskey->common, link);
+
+	return (generic_tostruct_key(rdata, target, mctx));
+}
+
+static inline void
+freestruct_cdnskey(ARGS_FREESTRUCT) {
+	dns_rdata_cdnskey_t *dnskey = (dns_rdata_cdnskey_t *) source;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(dnskey->common.rdtype == dns_rdatatype_cdnskey);
+
+	generic_freestruct_key(source);
+}
+
+static inline isc_result_t
+additionaldata_cdnskey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cdnskey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_cdnskey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_cdnskey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_cdnskey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_cdnskey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_cdnskey(ARGS_COMPARE) {
+
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 */
+	return (compare_cdnskey(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_CDNSKEY_60_C */
diff --git a/lib/dns/rdata/generic/cdnskey_60.h b/lib/dns/rdata/generic/cdnskey_60.h
new file mode 100644
index 0000000..541a4c2
--- /dev/null
+++ b/lib/dns/rdata/generic/cdnskey_60.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CDNSKEY_60_H
+#define GENERIC_CDNSKEY_60_H 1
+
+/* CDNSKEY records have the same RDATA fields as DNSKEY records. */
+typedef struct dns_rdata_key dns_rdata_cdnskey_t;
+
+#endif /* GENERIC_CDNSKEY_60_H */
diff --git a/lib/dns/rdata/generic/cds_59.c b/lib/dns/rdata/generic/cds_59.c
new file mode 100644
index 0000000..e1ea7ce
--- /dev/null
+++ b/lib/dns/rdata/generic/cds_59.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsop-delegation-trust-maintainance-14 */
+
+#ifndef RDATA_GENERIC_CDS_59_C
+#define RDATA_GENERIC_CDS_59_C
+
+#define RRTYPE_CDS_ATTRIBUTES 0
+
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+
+#include <dns/ds.h>
+
+#include "dst_gost.h"
+
+static inline isc_result_t
+fromtext_cds(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
+				    target, callbacks));
+}
+
+static inline isc_result_t
+totext_cds(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	return (generic_totext_ds(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_cds(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
+				    target));
+}
+
+static inline isc_result_t
+towire_cds(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_cds(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cds);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_cds(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_cds);
+
+	return (generic_fromstruct_ds(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_cds(ARGS_TOSTRUCT) {
+	dns_rdata_cds_t *cds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	/*
+	 * Checked by generic_tostruct_ds().
+	 */
+	cds->common.rdclass = rdata->rdclass;
+	cds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cds->common, link);
+
+	return (generic_tostruct_ds(rdata, target, mctx));
+}
+
+static inline void
+freestruct_cds(ARGS_FREESTRUCT) {
+	dns_rdata_cds_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == dns_rdatatype_cds);
+
+	if (ds->mctx == NULL)
+		return;
+
+	if (ds->digest != NULL)
+		isc_mem_free(ds->mctx, ds->digest);
+	ds->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_cds(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cds(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_cds(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_cds);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_cds(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_cds);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_cds(ARGS_COMPARE) {
+	return (compare_cds(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_CDS_59_C */
diff --git a/lib/dns/rdata/generic/cds_59.h b/lib/dns/rdata/generic/cds_59.h
new file mode 100644
index 0000000..0797bca
--- /dev/null
+++ b/lib/dns/rdata/generic/cds_59.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CDS_59_H
+#define GENERIC_CDS_59_H 1
+
+/* CDS records have the same RDATA fields as DS records. */
+typedef struct dns_rdata_ds dns_rdata_cds_t;
+
+#endif /* GENERIC_CDS_59_H */
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
new file mode 100644
index 0000000..237a806
--- /dev/null
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2538 */
+
+#ifndef RDATA_GENERIC_CERT_37_C
+#define RDATA_GENERIC_CERT_37_C
+
+#define RRTYPE_CERT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_cert(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_secalg_t secalg;
+	dns_cert_t cert;
+
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Cert type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(cert, target));
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &secalg, 1));
+
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_cert(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	RETERR(dns_cert_totext((dns_cert_t)n, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(dns_secalg_totext(sr.base[0], target));
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Cert.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&sr, tctx->width - 2,
+					 tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_cert(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 5)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_cert(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_cert(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cert);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_cert(ARGS_FROMSTRUCT) {
+	dns_rdata_cert_t *cert = source;
+
+	REQUIRE(type == dns_rdatatype_cert);
+	REQUIRE(source != NULL);
+	REQUIRE(cert->common.rdtype == type);
+	REQUIRE(cert->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(cert->type, target));
+	RETERR(uint16_tobuffer(cert->key_tag, target));
+	RETERR(uint8_tobuffer(cert->algorithm, target));
+
+	return (mem_tobuffer(target, cert->certificate, cert->length));
+}
+
+static inline isc_result_t
+tostruct_cert(ARGS_TOSTRUCT) {
+	dns_rdata_cert_t *cert = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	cert->common.rdclass = rdata->rdclass;
+	cert->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cert->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	cert->type = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	cert->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	cert->length = region.length;
+
+	cert->certificate = mem_maybedup(mctx, region.base, region.length);
+	if (cert->certificate == NULL)
+		return (ISC_R_NOMEMORY);
+
+	cert->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_cert(ARGS_FREESTRUCT) {
+	dns_rdata_cert_t *cert = source;
+
+	REQUIRE(cert != NULL);
+	REQUIRE(cert->common.rdtype == dns_rdatatype_cert);
+
+	if (cert->mctx == NULL)
+		return;
+
+	if (cert->certificate != NULL)
+		isc_mem_free(cert->mctx, cert->certificate);
+	cert->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_cert(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cert(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_cert(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_cert);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_cert(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_cert);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+
+static inline int
+casecompare_cert(ARGS_COMPARE) {
+	return (compare_cert(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_CERT_37_C */
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
new file mode 100644
index 0000000..db760e1
--- /dev/null
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_CERT_37_H
+#define GENERIC_CERT_37_H 1
+
+/*% RFC2538 */
+typedef struct dns_rdata_cert {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		type;
+	uint16_t		key_tag;
+	uint8_t		algorithm;
+	uint16_t		length;
+	unsigned char		*certificate;
+} dns_rdata_cert_t;
+
+#endif /* GENERIC_CERT_37_H */
diff --git a/lib/dns/rdata/generic/cname_5.c b/lib/dns/rdata/generic/cname_5.c
new file mode 100644
index 0000000..3da82eb
--- /dev/null
+++ b/lib/dns/rdata/generic/cname_5.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_CNAME_5_C
+#define RDATA_GENERIC_CNAME_5_C
+
+#define RRTYPE_CNAME_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_cname(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_cname(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_cname(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_cname(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_cname(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_cname);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_cname(ARGS_FROMSTRUCT) {
+	dns_rdata_cname_t *cname = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_cname);
+	REQUIRE(source != NULL);
+	REQUIRE(cname->common.rdtype == type);
+	REQUIRE(cname->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&cname->cname, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_cname(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_cname_t *cname = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	cname->common.rdclass = rdata->rdclass;
+	cname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&cname->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&cname->cname, NULL);
+	RETERR(name_duporclone(&name, mctx, &cname->cname));
+	cname->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_cname(ARGS_FREESTRUCT) {
+	dns_rdata_cname_t *cname = source;
+
+	REQUIRE(source != NULL);
+
+	if (cname->mctx == NULL)
+		return;
+
+	dns_name_free(&cname->cname, cname->mctx);
+	cname->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_cname(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cname(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_cname(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_cname);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_cname(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_cname);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_cname(ARGS_COMPARE) {
+	return (compare_cname(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_CNAME_5_C */
diff --git a/lib/dns/rdata/generic/cname_5.h b/lib/dns/rdata/generic/cname_5.h
new file mode 100644
index 0000000..6a5b645
--- /dev/null
+++ b/lib/dns/rdata/generic/cname_5.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_CNAME_5_H
+#define GENERIC_CNAME_5_H 1
+
+typedef struct dns_rdata_cname {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		cname;
+} dns_rdata_cname_t;
+
+#endif /* GENERIC_CNAME_5_H */
diff --git a/lib/dns/rdata/generic/csync_62.c b/lib/dns/rdata/generic/csync_62.c
new file mode 100644
index 0000000..c639128
--- /dev/null
+++ b/lib/dns/rdata/generic/csync_62.c
@@ -0,0 +1,269 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 7477 */
+
+#ifndef RDATA_GENERIC_CSYNC_62_C
+#define RDATA_GENERIC_CSYNC_62_C
+
+#define RRTYPE_CSYNC_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_csync(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_csync);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* Serial. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* Type Map */
+	return (typemap_fromtext(lexer, target, true));
+}
+
+static inline isc_result_t
+totext_csync(ARGS_TOTEXT) {
+	unsigned long num;
+	char buf[sizeof("0123456789")];	/* Also TYPE65535 */
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(rdata->length >= 6);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	num = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	num = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
+	return (typemap_totext(&sr, NULL, target));
+}
+
+static /* inline */ isc_result_t
+fromwire_csync(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_csync);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	/*
+	 * Serial + Flags
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 6)
+		return (ISC_R_UNEXPECTEDEND);
+
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_buffer_forward(source, 6);
+	isc_region_consume(&sr, 6);
+
+	RETERR(typemap_test(&sr, true));
+
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_csync(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(rdata->length >= 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_csync(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_csync);
+	REQUIRE(rdata1->length >= 6);
+	REQUIRE(rdata2->length >= 6);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_csync(ARGS_FROMSTRUCT) {
+	dns_rdata_csync_t *csync = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_csync);
+	REQUIRE(source != NULL);
+	REQUIRE(csync->common.rdtype == type);
+	REQUIRE(csync->common.rdclass == rdclass);
+	REQUIRE(csync->typebits != NULL || csync->len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint32_tobuffer(csync->serial, target));
+	RETERR(uint16_tobuffer(csync->flags, target));
+
+	region.base = csync->typebits;
+	region.length = csync->len;
+	RETERR(typemap_test(&region, true));
+	return (mem_tobuffer(target, csync->typebits, csync->len));
+}
+
+static inline isc_result_t
+tostruct_csync(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_csync_t *csync = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	csync->common.rdclass = rdata->rdclass;
+	csync->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&csync->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	csync->serial = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	csync->flags = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	csync->len = region.length;
+	csync->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (csync->typebits == NULL)
+		goto cleanup;
+
+	csync->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_csync(ARGS_FREESTRUCT) {
+	dns_rdata_csync_t *csync = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(csync->common.rdtype == dns_rdatatype_csync);
+
+	if (csync->mctx == NULL)
+		return;
+
+	if (csync->typebits != NULL)
+		isc_mem_free(csync->mctx, csync->typebits);
+	csync->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_csync(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_csync(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_csync(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == dns_rdatatype_csync);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (true);
+}
+
+static inline bool
+checknames_csync(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_csync);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_csync(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_csync);
+	REQUIRE(rdata1->length >= 6);
+	REQUIRE(rdata2->length >= 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+#endif	/* RDATA_GENERIC_CSYNC_62_C */
diff --git a/lib/dns/rdata/generic/csync_62.h b/lib/dns/rdata/generic/csync_62.h
new file mode 100644
index 0000000..a1f63d5
--- /dev/null
+++ b/lib/dns/rdata/generic/csync_62.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_CSYNC_62_H
+#define GENERIC_CSYNC_62_H 1
+
+/*!
+ * \brief Per RFC 7477
+ */
+
+typedef struct dns_rdata_csync {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint32_t		serial;
+	uint16_t		flags;
+	unsigned char		*typebits;
+	uint16_t		len;
+} dns_rdata_csync_t;
+
+#endif /* GENERIC_CSYNC_62_H */
diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
new file mode 100644
index 0000000..0f05ba8
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC3658 */
+
+#ifndef RDATA_GENERIC_DLV_32769_C
+#define RDATA_GENERIC_DLV_32769_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+
+#include <dns/ds.h>
+
+#include "dst_gost.h"
+
+static inline isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
+				    target, callbacks));
+}
+
+static inline isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	return (generic_totext_ds(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
+				    target));
+}
+
+static inline isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dlv(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dlv);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	return (generic_fromstruct_ds(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+	dns_rdata_dlv_t *dlv = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	dlv->common.rdclass = rdata->rdclass;
+	dlv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dlv->common, link);
+
+	return (generic_tostruct_ds(rdata, target, mctx));
+}
+
+static inline void
+freestruct_dlv(ARGS_FREESTRUCT) {
+	dns_rdata_dlv_t *dlv = source;
+
+	REQUIRE(dlv != NULL);
+	REQUIRE(dlv->common.rdtype == dns_rdatatype_dlv);
+
+	if (dlv->mctx == NULL)
+		return;
+
+	if (dlv->digest != NULL)
+		isc_mem_free(dlv->mctx, dlv->digest);
+	dlv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dlv(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_dlv(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_dlv);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_dlv(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_dlv);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_dlv(ARGS_COMPARE) {
+	return (compare_dlv(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_DLV_32769_C */
diff --git a/lib/dns/rdata/generic/dlv_32769.h b/lib/dns/rdata/generic/dlv_32769.h
new file mode 100644
index 0000000..b94df71
--- /dev/null
+++ b/lib/dns/rdata/generic/dlv_32769.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_32769_H
+#define GENERIC_DLV_32769_H 1
+
+typedef struct dns_rdata_ds dns_rdata_dlv_t;
+
+#endif /* GENERIC_DLV_32769_H */
diff --git a/lib/dns/rdata/generic/dname_39.c b/lib/dns/rdata/generic/dname_39.c
new file mode 100644
index 0000000..50c5838
--- /dev/null
+++ b/lib/dns/rdata/generic/dname_39.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2672 */
+
+#ifndef RDATA_GENERIC_DNAME_39_C
+#define RDATA_GENERIC_DNAME_39_C
+
+#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_dname(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_dname(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_dname(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	return(dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_dname(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_dname(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dname);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_dname(ARGS_FROMSTRUCT) {
+	dns_rdata_dname_t *dname = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_dname);
+	REQUIRE(source != NULL);
+	REQUIRE(dname->common.rdtype == type);
+	REQUIRE(dname->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&dname->dname, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_dname(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_dname_t *dname = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dname->common.rdclass = rdata->rdclass;
+	dname->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dname->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&dname->dname, NULL);
+	RETERR(name_duporclone(&name, mctx, &dname->dname));
+	dname->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dname(ARGS_FREESTRUCT) {
+	dns_rdata_dname_t *dname = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(dname->common.rdtype == dns_rdatatype_dname);
+
+	if (dname->mctx == NULL)
+		return;
+
+	dns_name_free(&dname->dname, dname->mctx);
+	dname->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dname(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dname(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_dname(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_dname);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_dname(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_dname);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_dname(ARGS_COMPARE) {
+	return (compare_dname(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_DNAME_39_C */
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
new file mode 100644
index 0000000..12b02e2
--- /dev/null
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNAME_39_H
+#define GENERIC_DNAME_39_H 1
+
+
+/*!
+ *  \brief per RFC2672 */
+
+typedef struct dns_rdata_dname {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		dname;
+} dns_rdata_dname_t;
+
+#endif /* GENERIC_DNAME_39_H */
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
new file mode 100644
index 0000000..f20a8f6
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_DNSKEY_48_C
+#define RDATA_GENERIC_DNSKEY_48_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_dnskey(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromtext_key(rdclass, type, lexer, origin,
+				     options, target, callbacks));
+}
+
+static inline isc_result_t
+totext_dnskey(ARGS_TOTEXT) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	return (generic_totext_key(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_dnskey(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromwire_key(rdclass, type, source, dctx,
+				     options, target));
+}
+
+static inline isc_result_t
+towire_dnskey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dnskey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dnskey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dnskey(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	return (generic_fromstruct_key(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_dnskey(ARGS_TOSTRUCT) {
+	dns_rdata_dnskey_t *dnskey = target;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	dnskey->common.rdclass = rdata->rdclass;
+	dnskey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dnskey->common, link);
+
+	return (generic_tostruct_key(rdata, target, mctx));
+}
+
+static inline void
+freestruct_dnskey(ARGS_FREESTRUCT) {
+	dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
+
+	REQUIRE(dnskey != NULL);
+	REQUIRE(dnskey->common.rdtype == dns_rdatatype_dnskey);
+
+	generic_freestruct_key(source);
+}
+
+static inline isc_result_t
+additionaldata_dnskey(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dnskey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_dnskey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_dnskey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_dnskey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_dnskey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_dnskey(ARGS_COMPARE) {
+
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 */
+	return (compare_dnskey(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_DNSKEY_48_C */
diff --git a/lib/dns/rdata/generic/dnskey_48.h b/lib/dns/rdata/generic/dnskey_48.h
new file mode 100644
index 0000000..ac4a6de
--- /dev/null
+++ b/lib/dns/rdata/generic/dnskey_48.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNSKEY_48_H
+#define GENERIC_DNSKEY_48_H 1
+
+/*!
+ *  \brief per RFC2535
+ */
+
+typedef struct dns_rdata_key dns_rdata_dnskey_t;
+
+#endif /* GENERIC_DNSKEY_48_H */
diff --git a/lib/dns/rdata/generic/doa_259.c b/lib/dns/rdata/generic/doa_259.c
new file mode 100644
index 0000000..16c0703
--- /dev/null
+++ b/lib/dns/rdata/generic/doa_259.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_DOA_259_C
+#define RDATA_GENERIC_DOA_259_C
+
+#define RRTYPE_DOA_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_doa(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * DOA-DATA
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_lex_ungettoken(lexer, &token);
+		return (isc_base64_tobuffer(lexer, target, -1));
+	}
+}
+
+static inline isc_result_t
+totext_doa(ARGS_TOTEXT) {
+	char buf[sizeof("4294967295 ")];
+	isc_region_t region;
+	uint32_t n;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	n = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * DOA-DATA
+	 */
+	if (region.length == 0) {
+		return (str_totext("-", target));
+	} else {
+		return (isc_base64_totext(&region, 60, "", target));
+	}
+}
+
+static inline isc_result_t
+fromwire_doa(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	isc_buffer_activeregion(source, &region);
+	/*
+	 * DOA-MEDIA-TYPE may be an empty <character-string> (i.e.,
+	 * comprising of just the length octet) and DOA-DATA can have
+	 * zero length.
+	 */
+	if (region.length < 4 + 4 + 1 + 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Check whether DOA-MEDIA-TYPE length is not malformed.
+	 */
+	if (region.base[9] > region.length - 10) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, region.length);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline isc_result_t
+towire_doa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_doa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->type == dns_rdatatype_doa);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_doa(ARGS_FROMSTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(type == dns_rdatatype_doa);
+	REQUIRE(source != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+	REQUIRE(doa->common.rdclass == rdclass);
+
+	RETERR(uint32_tobuffer(doa->enterprise, target));
+	RETERR(uint32_tobuffer(doa->type, target));
+	RETERR(uint8_tobuffer(doa->location, target));
+	RETERR(uint8_tobuffer(doa->mediatype_len, target));
+	RETERR(mem_tobuffer(target, doa->mediatype, doa->mediatype_len));
+	return (mem_tobuffer(target, doa->data, doa->data_len));
+}
+
+static inline isc_result_t
+tostruct_doa(ARGS_TOSTRUCT) {
+	dns_rdata_doa_t *doa = target;
+	isc_region_t region;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	doa->common.rdclass = rdata->rdclass;
+	doa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&doa->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->enterprise = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-TYPE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->type = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-LOCATION
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->location = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->mediatype_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	INSIST(doa->mediatype_len <= region.length);
+	doa->mediatype = mem_maybedup(mctx, region.base, doa->mediatype_len);
+	if (doa->mediatype == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, doa->mediatype_len);
+
+	/*
+	 * DOA-DATA
+	 */
+	doa->data_len = region.length;
+	doa->data = NULL;
+	if (doa->data_len > 0) {
+		doa->data = mem_maybedup(mctx, region.base, doa->data_len);
+		if (doa->data == NULL) {
+			goto cleanup;
+		}
+		isc_region_consume(&region, doa->data_len);
+	}
+
+	doa->mctx = mctx;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && doa->mediatype != NULL) {
+		isc_mem_free(mctx, doa->mediatype);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_doa(ARGS_FREESTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+
+	if (doa->mctx == NULL) {
+		return;
+	}
+
+	if (doa->mediatype != NULL) {
+		isc_mem_free(doa->mctx, doa->mediatype);
+	}
+	if (doa->data != NULL) {
+		isc_mem_free(doa->mctx, doa->data);
+	}
+
+	doa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_doa(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_doa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_doa(ARGS_CHECKOWNER) {
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	return (true);
+}
+
+static inline bool
+checknames_doa(ARGS_CHECKNAMES) {
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (true);
+}
+
+static inline int
+casecompare_doa(ARGS_COMPARE) {
+	return (compare_doa(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_DOA_259_C */
diff --git a/lib/dns/rdata/generic/doa_259.h b/lib/dns/rdata/generic/doa_259.h
new file mode 100644
index 0000000..5ac5fbb
--- /dev/null
+++ b/lib/dns/rdata/generic/doa_259.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DOA_259_H
+#define GENERIC_DOA_259_H 1
+
+typedef struct dns_rdata_doa {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	unsigned char *		mediatype;
+	unsigned char *		data;
+	uint32_t		enterprise;
+	uint32_t		type;
+	uint16_t		data_len;
+	uint8_t		location;
+	uint8_t		mediatype_len;
+} dns_rdata_doa_t;
+
+#endif /* GENERIC_DOA_259_H */
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
new file mode 100644
index 0000000..d25c1a6
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -0,0 +1,400 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC3658 */
+
+#ifndef RDATA_GENERIC_DS_43_C
+#define RDATA_GENERIC_DS_43_C
+
+#define RRTYPE_DS_ATTRIBUTES \
+	(DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
+
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+
+#include <dns/ds.h>
+
+#include "dst_gost.h"
+
+static inline isc_result_t
+generic_fromtext_ds(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	int length;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Key tag.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_dsdigest_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Digest.
+	 */
+	switch (c) {
+	case DNS_DSDIGEST_SHA1:
+		length = ISC_SHA1_DIGESTLENGTH;
+		break;
+	case DNS_DSDIGEST_SHA256:
+		length = ISC_SHA256_DIGESTLENGTH;
+		break;
+#ifdef ISC_GOST_DIGESTLENGTH
+	case DNS_DSDIGEST_GOST:
+		length = ISC_GOST_DIGESTLENGTH;
+		break;
+#endif
+	case DNS_DSDIGEST_SHA384:
+		length = ISC_SHA384_DIGESTLENGTH;
+		break;
+	default:
+		length = -1;
+		break;
+	}
+	return (isc_hex_tobuffer(lexer, target, length));
+}
+
+static inline isc_result_t
+fromtext_ds(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
+				    target, callbacks));
+}
+
+static inline isc_result_t
+generic_totext_ds(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Key tag.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0) /* No splitting */
+			RETERR(isc_hex_totext(&sr, 0, "", target));
+		else
+			RETERR(isc_hex_totext(&sr, tctx->width - 2,
+					      tctx->linebreak, target));
+	} else
+		RETERR(str_totext("[omitted]", target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_ds(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	return (generic_totext_ds(rdata, tctx, target));
+}
+
+static inline isc_result_t
+generic_fromwire_ds(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+
+	/*
+	 * Check digest lengths if we know them.
+	 */
+	if (sr.length < 4 ||
+	    (sr.base[3] == DNS_DSDIGEST_SHA1 &&
+	     sr.length < 4 + ISC_SHA1_DIGESTLENGTH) ||
+	    (sr.base[3] == DNS_DSDIGEST_SHA256 &&
+	     sr.length < 4 + ISC_SHA256_DIGESTLENGTH) ||
+#ifdef ISC_GOST_DIGESTLENGTH
+	    (sr.base[3] == DNS_DSDIGEST_GOST &&
+	     sr.length < 4 + ISC_GOST_DIGESTLENGTH) ||
+#endif
+	    (sr.base[3] == DNS_DSDIGEST_SHA384 &&
+	     sr.length < 4 + ISC_SHA384_DIGESTLENGTH))
+		return (ISC_R_UNEXPECTEDEND);
+
+	/*
+	 * Only copy digest lengths if we know them.
+	 * If there is extra data dns_rdata_fromwire() will
+	 * detect that.
+	 */
+	if (sr.base[3] == DNS_DSDIGEST_SHA1)
+		sr.length = 4 + ISC_SHA1_DIGESTLENGTH;
+	else if (sr.base[3] == DNS_DSDIGEST_SHA256)
+		sr.length = 4 + ISC_SHA256_DIGESTLENGTH;
+#ifdef ISC_GOST_DIGESTLENGTH
+	else if (sr.base[3] == DNS_DSDIGEST_GOST)
+		sr.length = 4 + ISC_GOST_DIGESTLENGTH;
+#endif
+	else if (sr.base[3] == DNS_DSDIGEST_SHA384)
+		sr.length = 4 + ISC_SHA384_DIGESTLENGTH;
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+fromwire_ds(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
+				    target));
+}
+
+static inline isc_result_t
+towire_ds(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_ds(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ds);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+generic_fromstruct_ds(ARGS_FROMSTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(ds->common.rdtype == type);
+	REQUIRE(ds->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	switch (ds->digest_type) {
+	case DNS_DSDIGEST_SHA1:
+		REQUIRE(ds->length == ISC_SHA1_DIGESTLENGTH);
+		break;
+	case DNS_DSDIGEST_SHA256:
+		REQUIRE(ds->length == ISC_SHA256_DIGESTLENGTH);
+		break;
+#ifdef ISC_GOST_DIGESTLENGTH
+	case DNS_DSDIGEST_GOST:
+		REQUIRE(ds->length == ISC_GOST_DIGESTLENGTH);
+		break;
+#endif
+	case DNS_DSDIGEST_SHA384:
+		REQUIRE(ds->length == ISC_SHA384_DIGESTLENGTH);
+		break;
+	}
+
+	RETERR(uint16_tobuffer(ds->key_tag, target));
+	RETERR(uint8_tobuffer(ds->algorithm, target));
+	RETERR(uint8_tobuffer(ds->digest_type, target));
+
+	return (mem_tobuffer(target, ds->digest, ds->length));
+}
+
+static inline isc_result_t
+fromstruct_ds(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_ds);
+
+	return (generic_fromstruct_ds(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+generic_tostruct_ds(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+	isc_region_t region;
+
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+	REQUIRE(ds->common.rdtype == rdata->type);
+	REQUIRE(ds->common.rdclass == rdata->rdclass);
+	REQUIRE(!ISC_LINK_LINKED(&ds->common, link));
+
+	dns_rdata_toregion(rdata, &region);
+
+	ds->key_tag = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	ds->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	ds->length = region.length;
+
+	ds->digest = mem_maybedup(mctx, region.base, region.length);
+	if (ds->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ds->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+tostruct_ds(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+	REQUIRE(target != NULL);
+
+	ds->common.rdclass = rdata->rdclass;
+	ds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ds->common, link);
+
+	return (generic_tostruct_ds(rdata, target, mctx));
+}
+
+static inline void
+freestruct_ds(ARGS_FREESTRUCT) {
+	dns_rdata_ds_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == dns_rdatatype_ds);
+
+	if (ds->mctx == NULL)
+		return;
+
+	if (ds->digest != NULL)
+		isc_mem_free(ds->mctx, ds->digest);
+	ds->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ds(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ds(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_ds(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ds);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_ds(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ds);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_ds(ARGS_COMPARE) {
+	return (compare_ds(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_DS_43_C */
diff --git a/lib/dns/rdata/generic/ds_43.h b/lib/dns/rdata/generic/ds_43.h
new file mode 100644
index 0000000..0d373ec
--- /dev/null
+++ b/lib/dns/rdata/generic/ds_43.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_DS_43_H
+#define GENERIC_DS_43_H 1
+
+/*!
+ *  \brief per draft-ietf-dnsext-delegation-signer-05.txt */
+typedef struct dns_rdata_ds {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		key_tag;
+	uint8_t		algorithm;
+	uint8_t		digest_type;
+	uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_ds_t;
+
+#endif /* GENERIC_DS_43_H */
diff --git a/lib/dns/rdata/generic/eui48_108.c b/lib/dns/rdata/generic/eui48_108.c
new file mode 100644
index 0000000..686f23f
--- /dev/null
+++ b/lib/dns/rdata/generic/eui48_108.c
@@ -0,0 +1,210 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_EUI48_108_C
+#define RDATA_GENERIC_EUI48_108_C
+
+#include <string.h>
+
+#define RRTYPE_EUI48_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_eui48(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char eui48[6];
+	unsigned int l0, l1, l2, l3, l4, l5;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x",
+		   &l0, &l1, &l2, &l3, &l4, &l5);
+	if (n != 6 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
+	    l4 > 255U || l5 > 255U)
+		return (DNS_R_BADEUI);
+
+	eui48[0] = l0;
+	eui48[1] = l1;
+	eui48[2] = l2;
+	eui48[3] = l3;
+	eui48[4] = l4;
+	eui48[5] = l5;
+	return (mem_tobuffer(target, eui48, sizeof(eui48)));
+}
+
+static inline isc_result_t
+totext_eui48(ARGS_TOTEXT) {
+	char buf[sizeof("xx-xx-xx-xx-xx-xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(tctx);
+
+	(void)snprintf(buf, sizeof(buf), "%02x-%02x-%02x-%02x-%02x-%02x",
+		       rdata->data[0], rdata->data[1], rdata->data[2],
+		       rdata->data[3], rdata->data[4], rdata->data[5]);
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_eui48(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 6)
+		return (DNS_R_FORMERR);
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static inline isc_result_t
+towire_eui48(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_eui48(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_eui48);
+	REQUIRE(rdata1->length == 6);
+	REQUIRE(rdata2->length == 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_eui48(ARGS_FROMSTRUCT) {
+	dns_rdata_eui48_t *eui48 = source;
+
+	REQUIRE(type == dns_rdatatype_eui48);
+	REQUIRE(source != NULL);
+	REQUIRE(eui48->common.rdtype == type);
+	REQUIRE(eui48->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, eui48->eui48, sizeof(eui48->eui48)));
+}
+
+static inline isc_result_t
+tostruct_eui48(ARGS_TOSTRUCT) {
+	dns_rdata_eui48_t *eui48 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(mctx);
+
+	eui48->common.rdclass = rdata->rdclass;
+	eui48->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&eui48->common, link);
+
+	memmove(eui48->eui48, rdata->data, rdata->length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_eui48(ARGS_FREESTRUCT) {
+	dns_rdata_eui48_t *eui48 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(eui48->common.rdtype == dns_rdatatype_eui48);
+
+	return;
+}
+
+static inline isc_result_t
+additionaldata_eui48(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_eui48(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_eui48(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_eui48);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_eui48(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui48);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_eui48(ARGS_COMPARE) {
+	return (compare_eui48(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_EUI48_108_C */
diff --git a/lib/dns/rdata/generic/eui48_108.h b/lib/dns/rdata/generic/eui48_108.h
new file mode 100644
index 0000000..1bb168a
--- /dev/null
+++ b/lib/dns/rdata/generic/eui48_108.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_EUI48_108_H
+#define GENERIC_EUI48_108_H 1
+
+typedef struct dns_rdata_eui48 {
+	dns_rdatacommon_t	common;
+	unsigned char		eui48[6];
+} dns_rdata_eui48_t;
+
+#endif /* GENERIC_EUI48_10k_H */
diff --git a/lib/dns/rdata/generic/eui64_109.c b/lib/dns/rdata/generic/eui64_109.c
new file mode 100644
index 0000000..0a37326
--- /dev/null
+++ b/lib/dns/rdata/generic/eui64_109.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_EUI64_109_C
+#define RDATA_GENERIC_EUI64_109_C
+
+#include <string.h>
+
+#define RRTYPE_EUI64_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_eui64(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char eui64[8];
+	unsigned int l0, l1, l2, l3, l4, l5, l6, l7;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	n = sscanf(DNS_AS_STR(token), "%2x-%2x-%2x-%2x-%2x-%2x-%2x-%2x",
+		   &l0, &l1, &l2, &l3, &l4, &l5, &l6, &l7);
+	if (n != 8 || l0 > 255U || l1 > 255U || l2 > 255U || l3 > 255U ||
+	    l4 > 255U || l5 > 255U || l6 > 255U || l7 > 255U)
+		return (DNS_R_BADEUI);
+
+	eui64[0] = l0;
+	eui64[1] = l1;
+	eui64[2] = l2;
+	eui64[3] = l3;
+	eui64[4] = l4;
+	eui64[5] = l5;
+	eui64[6] = l6;
+	eui64[7] = l7;
+	return (mem_tobuffer(target, eui64, sizeof(eui64)));
+}
+
+static inline isc_result_t
+totext_eui64(ARGS_TOTEXT) {
+	char buf[sizeof("xx-xx-xx-xx-xx-xx-xx-xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(tctx);
+
+	(void)snprintf(buf, sizeof(buf),
+		       "%02x-%02x-%02x-%02x-%02x-%02x-%02x-%02x",
+		       rdata->data[0], rdata->data[1],
+		       rdata->data[2], rdata->data[3],
+		       rdata->data[4], rdata->data[5],
+		       rdata->data[6], rdata->data[7]);
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_eui64(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 8)
+		return (DNS_R_FORMERR);
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static inline isc_result_t
+towire_eui64(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_eui64(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_eui64);
+	REQUIRE(rdata1->length == 8);
+	REQUIRE(rdata2->length == 8);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_eui64(ARGS_FROMSTRUCT) {
+	dns_rdata_eui64_t *eui64 = source;
+
+	REQUIRE(type == dns_rdatatype_eui64);
+	REQUIRE(source != NULL);
+	REQUIRE(eui64->common.rdtype == type);
+	REQUIRE(eui64->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, eui64->eui64, sizeof(eui64->eui64)));
+}
+
+static inline isc_result_t
+tostruct_eui64(ARGS_TOSTRUCT) {
+	dns_rdata_eui64_t *eui64 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(mctx);
+
+	eui64->common.rdclass = rdata->rdclass;
+	eui64->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&eui64->common, link);
+
+	memmove(eui64->eui64, rdata->data, rdata->length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_eui64(ARGS_FREESTRUCT) {
+	dns_rdata_eui64_t *eui64 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(eui64->common.rdtype == dns_rdatatype_eui64);
+
+	return;
+}
+
+static inline isc_result_t
+additionaldata_eui64(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_eui64(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_eui64(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_eui64);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_eui64(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_eui64);
+	REQUIRE(rdata->length == 8);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_eui64(ARGS_COMPARE) {
+	return (compare_eui64(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_EUI64_109_C */
diff --git a/lib/dns/rdata/generic/eui64_109.h b/lib/dns/rdata/generic/eui64_109.h
new file mode 100644
index 0000000..638c72e
--- /dev/null
+++ b/lib/dns/rdata/generic/eui64_109.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_EUI64_109_H
+#define GENERIC_EUI64_109_H 1
+
+typedef struct dns_rdata_eui64 {
+	dns_rdatacommon_t	common;
+	unsigned char		eui64[8];
+} dns_rdata_eui64_t;
+
+#endif /* GENERIC_EUI64_10k_H */
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
new file mode 100644
index 0000000..6242932
--- /dev/null
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1712 */
+
+#ifndef RDATA_GENERIC_GPOS_27_C
+#define RDATA_GENERIC_GPOS_27_C
+
+#define RRTYPE_GPOS_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_gpos(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int i;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	for (i = 0; i < 3; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring,
+					      false));
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_gpos(ARGS_TOTEXT) {
+	isc_region_t region;
+	int i;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	for (i = 0; i < 3; i++) {
+		RETERR(txt_totext(&region, true, target));
+		if (i != 2)
+			RETERR(str_totext(" ", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_gpos(ARGS_FROMWIRE) {
+	int i;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	for (i = 0; i < 3; i++)
+		RETERR(txt_fromwire(source, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_gpos(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_gpos(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_gpos);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_gpos(ARGS_FROMSTRUCT) {
+	dns_rdata_gpos_t *gpos = source;
+
+	REQUIRE(type == dns_rdatatype_gpos);
+	REQUIRE(source != NULL);
+	REQUIRE(gpos->common.rdtype == type);
+	REQUIRE(gpos->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(gpos->long_len, target));
+	RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
+	RETERR(uint8_tobuffer(gpos->lat_len, target));
+	RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
+	RETERR(uint8_tobuffer(gpos->alt_len, target));
+	return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
+}
+
+static inline isc_result_t
+tostruct_gpos(ARGS_TOSTRUCT) {
+	dns_rdata_gpos_t *gpos = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	gpos->common.rdclass = rdata->rdclass;
+	gpos->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&gpos->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	gpos->long_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	gpos->longitude = mem_maybedup(mctx, region.base, gpos->long_len);
+	if (gpos->longitude == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, gpos->long_len);
+
+	gpos->lat_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
+	if (gpos->latitude == NULL)
+		goto cleanup_longitude;
+	isc_region_consume(&region, gpos->lat_len);
+
+	gpos->alt_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	if (gpos->lat_len > 0) {
+		gpos->altitude =
+			mem_maybedup(mctx, region.base, gpos->alt_len);
+		if (gpos->altitude == NULL)
+			goto cleanup_latitude;
+	} else
+		gpos->altitude = NULL;
+
+	gpos->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup_latitude:
+	if (mctx != NULL && gpos->longitude != NULL)
+		isc_mem_free(mctx, gpos->longitude);
+
+ cleanup_longitude:
+	if (mctx != NULL && gpos->latitude != NULL)
+		isc_mem_free(mctx, gpos->latitude);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_gpos(ARGS_FREESTRUCT) {
+	dns_rdata_gpos_t *gpos = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(gpos->common.rdtype == dns_rdatatype_gpos);
+
+	if (gpos->mctx == NULL)
+		return;
+
+	if (gpos->longitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->longitude);
+	if (gpos->latitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->latitude);
+	if (gpos->altitude != NULL)
+		isc_mem_free(gpos->mctx, gpos->altitude);
+	gpos->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_gpos(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_gpos(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_gpos(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_gpos);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_gpos(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_gpos);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_gpos(ARGS_COMPARE) {
+	return (compare_gpos(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_GPOS_27_C */
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
new file mode 100644
index 0000000..fac72cd
--- /dev/null
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_GPOS_27_H
+#define GENERIC_GPOS_27_H 1
+
+
+/*!
+ *  \brief per RFC1712 */
+
+typedef struct dns_rdata_gpos {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*longitude;
+	char			*latitude;
+	char			*altitude;
+	uint8_t		long_len;
+	uint8_t		lat_len;
+	uint8_t		alt_len;
+} dns_rdata_gpos_t;
+
+#endif /* GENERIC_GPOS_27_H */
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
new file mode 100644
index 0000000..528be5e
--- /dev/null
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_HINFO_13_C
+#define RDATA_GENERIC_HINFO_13_C
+
+#define RRTYPE_HINFO_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hinfo(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int i;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring,
+					      false));
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hinfo(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+	return (txt_totext(&region, true, target));
+}
+
+static inline isc_result_t
+fromwire_hinfo(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	RETERR(txt_fromwire(source, target));
+	return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_hinfo(ARGS_TOWIRE) {
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_hinfo(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hinfo);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_hinfo(ARGS_FROMSTRUCT) {
+	dns_rdata_hinfo_t *hinfo = source;
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+	REQUIRE(source != NULL);
+	REQUIRE(hinfo->common.rdtype == type);
+	REQUIRE(hinfo->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(hinfo->cpu_len, target));
+	RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
+	RETERR(uint8_tobuffer(hinfo->os_len, target));
+	return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
+}
+
+static inline isc_result_t
+tostruct_hinfo(ARGS_TOSTRUCT) {
+	dns_rdata_hinfo_t *hinfo = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	hinfo->common.rdclass = rdata->rdclass;
+	hinfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hinfo->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	hinfo->cpu_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
+	if (hinfo->cpu == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, hinfo->cpu_len);
+
+	hinfo->os_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
+	if (hinfo->os == NULL)
+		goto cleanup;
+
+	hinfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && hinfo->cpu != NULL)
+		isc_mem_free(mctx, hinfo->cpu);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_hinfo(ARGS_FREESTRUCT) {
+	dns_rdata_hinfo_t *hinfo = source;
+
+	REQUIRE(source != NULL);
+
+	if (hinfo->mctx == NULL)
+		return;
+
+	if (hinfo->cpu != NULL)
+		isc_mem_free(hinfo->mctx, hinfo->cpu);
+	if (hinfo->os != NULL)
+		isc_mem_free(hinfo->mctx, hinfo->os);
+	hinfo->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_hinfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	UNUSED(add);
+	UNUSED(arg);
+	UNUSED(rdata);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hinfo(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_hinfo(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_hinfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_hinfo(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_hinfo);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_hinfo(ARGS_COMPARE) {
+	return (compare_hinfo(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_HINFO_13_C */
diff --git a/lib/dns/rdata/generic/hinfo_13.h b/lib/dns/rdata/generic/hinfo_13.h
new file mode 100644
index 0000000..323be22
--- /dev/null
+++ b/lib/dns/rdata/generic/hinfo_13.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_HINFO_13_H
+#define GENERIC_HINFO_13_H 1
+
+
+typedef struct dns_rdata_hinfo {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*cpu;
+	char			*os;
+	uint8_t		cpu_len;
+	uint8_t		os_len;
+} dns_rdata_hinfo_t;
+
+#endif /* GENERIC_HINFO_13_H */
diff --git a/lib/dns/rdata/generic/hip_55.c b/lib/dns/rdata/generic/hip_55.c
new file mode 100644
index 0000000..36c9273
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 5205 */
+
+#ifndef RDATA_GENERIC_HIP_5_C
+#define RDATA_GENERIC_HIP_5_C
+
+#define RRTYPE_HIP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hip(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	isc_buffer_t hit_len;
+	isc_buffer_t key_len;
+	unsigned char *start;
+	size_t len;
+
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Dummy HIT len.
+	 */
+	hit_len = *target;
+	RETERR(uint8_tobuffer(0, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Dummy KEY len.
+	 */
+	key_len = *target;
+	RETERR(uint16_tobuffer(0, target));
+
+	/*
+	 * HIT (base16).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(isc_hex_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in HIT len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer((uint32_t)len, &hit_len));
+
+	/*
+	 * Public key (base64).
+	 */
+	start = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(isc_base64_decodestring(DNS_AS_STR(token), target));
+
+	/*
+	 * Fill in KEY len.
+	 */
+	len = (unsigned char *)isc_buffer_used(target) - start;
+	if (len > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer((uint32_t)len, &key_len));
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      true));
+		if (token.type != isc_tokentype_string)
+			break;
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin, options,
+					 target));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hip(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	unsigned int length, key_len, hit_len;
+	unsigned char algorithm;
+	char buf[sizeof("225 ")];
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( ", target));
+
+	/*
+	 * Algorithm
+	 */
+	snprintf(buf, sizeof(buf), "%u ", algorithm);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * HIT.
+	 */
+	INSIST(hit_len < region.length);
+	length = region.length;
+	region.length = hit_len;
+	RETERR(isc_hex_totext(&region, 1, "", target));
+	region.length = length - hit_len;
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Public KEY.
+	 */
+	INSIST(key_len <= region.length);
+	length = region.length;
+	region.length = key_len;
+	RETERR(isc_base64_totext(&region, 1, "", target));
+	region.length = length - key_len;
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Rendezvous Servers.
+	 */
+	dns_name_init(&name, NULL);
+	while (region.length > 0) {
+		dns_name_fromregion(&name, &region);
+
+		RETERR(dns_name_totext(&name, false, target));
+		isc_region_consume(&region, name.length);
+		if (region.length > 0)
+			RETERR(str_totext(tctx->linebreak, target));
+	}
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_hip(ARGS_FROMWIRE) {
+	isc_region_t region, rr;
+	dns_name_t name;
+	uint8_t hit_len;
+	uint16_t key_len;
+
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 4U)
+		RETERR(DNS_R_FORMERR);
+
+	rr = region;
+	hit_len = uint8_fromregion(&region);
+	if (hit_len == 0)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&region, 2);  	/* hit length + algorithm */
+	key_len = uint16_fromregion(&region);
+	if (key_len == 0)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&region, 2);
+	if (region.length < (unsigned) (hit_len + key_len))
+		RETERR(DNS_R_FORMERR);
+
+	RETERR(mem_tobuffer(target, rr.base, 4 + hit_len + key_len));
+	isc_buffer_forward(source, 4 + hit_len + key_len);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+	while (isc_buffer_activelength(source) > 0) {
+		dns_name_init(&name, NULL);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_hip(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_hip(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hip);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_hip(ARGS_FROMSTRUCT) {
+	dns_rdata_hip_t *hip = source;
+	dns_rdata_hip_t myhip;
+	isc_result_t result;
+
+	REQUIRE(type == dns_rdatatype_hip);
+	REQUIRE(source != NULL);
+	REQUIRE(hip->common.rdtype == type);
+	REQUIRE(hip->common.rdclass == rdclass);
+	REQUIRE(hip->hit_len > 0 && hip->hit != NULL);
+	REQUIRE(hip->key_len > 0 && hip->key != NULL);
+	REQUIRE((hip->servers == NULL && hip->servers_len == 0) ||
+		 (hip->servers != NULL && hip->servers_len != 0));
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(hip->hit_len, target));
+	RETERR(uint8_tobuffer(hip->algorithm, target));
+	RETERR(uint16_tobuffer(hip->key_len, target));
+	RETERR(mem_tobuffer(target, hip->hit, hip->hit_len));
+	RETERR(mem_tobuffer(target, hip->key, hip->key_len));
+
+	myhip = *hip;
+	for (result = dns_rdata_hip_first(&myhip);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdata_hip_next(&myhip))
+		/* empty */;
+
+	return(mem_tobuffer(target, hip->servers, hip->servers_len));
+}
+
+static inline isc_result_t
+tostruct_hip(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_hip_t *hip = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	hip->common.rdclass = rdata->rdclass;
+	hip->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&hip->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	hip->hit_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	hip->key_len = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	hip->hit = hip->key = hip->servers = NULL;
+
+	hip->hit = mem_maybedup(mctx, region.base, hip->hit_len);
+	if (hip->hit == NULL)
+		goto cleanup;
+	isc_region_consume(&region, hip->hit_len);
+
+	INSIST(hip->key_len <= region.length);
+
+	hip->key = mem_maybedup(mctx, region.base, hip->key_len);
+	if (hip->key == NULL)
+		goto cleanup;
+	isc_region_consume(&region, hip->key_len);
+
+	hip->servers_len = region.length;
+	if (hip->servers_len != 0) {
+		hip->servers = mem_maybedup(mctx, region.base, region.length);
+		if (hip->servers == NULL)
+			goto cleanup;
+	}
+
+	hip->offset = hip->servers_len;
+	hip->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (hip->hit != NULL)
+		isc_mem_free(mctx, hip->hit);
+	if (hip->key != NULL)
+		isc_mem_free(mctx, hip->key);
+	if (hip->servers != NULL)
+		isc_mem_free(mctx, hip->servers);
+	return (ISC_R_NOMEMORY);
+
+}
+
+static inline void
+freestruct_hip(ARGS_FREESTRUCT) {
+	dns_rdata_hip_t *hip = source;
+
+	REQUIRE(source != NULL);
+
+	if (hip->mctx == NULL)
+		return;
+
+	isc_mem_free(hip->mctx, hip->hit);
+	isc_mem_free(hip->mctx, hip->key);
+	if (hip->servers != NULL)
+		isc_mem_free(hip->mctx, hip->servers);
+	hip->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_hip(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hip(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_hip(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_hip);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_hip(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_hip);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *hip) {
+	if (hip->servers_len == 0)
+		return (ISC_R_NOMORE);
+	hip->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *hip) {
+	isc_region_t region;
+	dns_name_t name;
+
+	if (hip->offset >= hip->servers_len)
+		return (ISC_R_NOMORE);
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	hip->offset += name.length;
+	INSIST(hip->offset <= hip->servers_len);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *hip, dns_name_t *name) {
+	isc_region_t region;
+
+	REQUIRE(hip->offset < hip->servers_len);
+
+	region.base = hip->servers + hip->offset;
+	region.length = hip->servers_len - hip->offset;
+	dns_name_fromregion(name, &region);
+
+	INSIST(name->length + hip->offset <= hip->servers_len);
+}
+
+static inline int
+casecompare_hip(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+	uint8_t hit_len;
+	uint16_t key_len;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_hip);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 4);
+	INSIST(r2.length > 4);
+	order = memcmp(r1.base, r2.base, 4);
+	if (order != 0)
+		return (order);
+
+	hit_len = uint8_fromregion(&r1);
+	isc_region_consume(&r1, 2);         /* hit length + algorithm */
+	key_len = uint16_fromregion(&r1);
+	isc_region_consume(&r1, 2);         /* key length */
+	isc_region_consume(&r2, 4);
+
+	INSIST(r1.length >= (unsigned) (hit_len + key_len));
+	INSIST(r2.length >= (unsigned) (hit_len + key_len));
+	order = memcmp(r1.base, r2.base, hit_len + key_len);
+	if (order != 0)
+		return (order);
+	isc_region_consume(&r1, hit_len + key_len);
+	isc_region_consume(&r2, hit_len + key_len);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	while (r1.length != 0 && r2.length != 0) {
+		dns_name_fromregion(&name1, &r1);
+		dns_name_fromregion(&name2, &r2);
+		order = dns_name_rdatacompare(&name1, &name2);
+		if (order != 0)
+			return (order);
+
+		isc_region_consume(&r1, name_length(&name1));
+		isc_region_consume(&r2, name_length(&name2));
+	}
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif	/* RDATA_GENERIC_HIP_5_C */
diff --git a/lib/dns/rdata/generic/hip_55.h b/lib/dns/rdata/generic/hip_55.h
new file mode 100644
index 0000000..12c195c
--- /dev/null
+++ b/lib/dns/rdata/generic/hip_55.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_HIP_5_H
+#define GENERIC_HIP_5_H 1
+
+/* RFC 5205 */
+
+typedef struct dns_rdata_hip {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	unsigned char *		hit;
+	unsigned char *		key;
+	unsigned char *		servers;
+	uint8_t		algorithm;
+	uint8_t		hit_len;
+	uint16_t		key_len;
+	uint16_t		servers_len;
+	/* Private */
+	uint16_t		offset;
+} dns_rdata_hip_t;
+
+isc_result_t
+dns_rdata_hip_first(dns_rdata_hip_t *);
+
+isc_result_t
+dns_rdata_hip_next(dns_rdata_hip_t *);
+
+void
+dns_rdata_hip_current(dns_rdata_hip_t *, dns_name_t *);
+
+#endif /* GENERIC_HIP_5_H */
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
new file mode 100644
index 0000000..f68f0b8
--- /dev/null
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -0,0 +1,496 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef RDATA_GENERIC_IPSECKEY_45_C
+#define RDATA_GENERIC_IPSECKEY_45_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_IPSECKEY_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ipseckey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned int gateway;
+	struct in_addr addr;
+	unsigned char addr6[16];
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Precedence.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0x3U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+	gateway = token.value.as_ulong;
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Gateway.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	switch (gateway) {
+	case 0:
+		if (strcmp(DNS_AS_STR(token), ".") != 0)
+			RETTOK(DNS_R_SYNTAX);
+		break;
+
+	case 1:
+		if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+			RETTOK(DNS_R_BADDOTTEDQUAD);
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 4)
+			return (ISC_R_NOSPACE);
+		memmove(region.base, &addr, 4);
+		isc_buffer_add(target, 4);
+		break;
+
+	case 2:
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr6) != 1)
+			RETTOK(DNS_R_BADAAAA);
+		isc_buffer_availableregion(target, &region);
+		if (region.length < 16)
+			return (ISC_R_NOSPACE);
+		memmove(region.base, addr6, 16);
+		isc_buffer_add(target, 16);
+		break;
+
+	case 3:
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		if (origin == NULL)
+			origin = dns_rootname;
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+		break;
+	}
+
+	/*
+	 * Public key.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_ipseckey(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	char buf[sizeof("255 ")];
+	unsigned short num;
+	unsigned short gateway;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata->length >= 3);
+
+	dns_name_init(&name, NULL);
+
+	if (rdata->data[1] > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( ", target));
+
+	/*
+	 * Precedence.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway type.
+	 */
+	gateway = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", gateway);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Algorithm.
+	 */
+	num = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", num);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Gateway.
+	 */
+	switch (gateway) {
+	case 0:
+		RETERR(str_totext(".", target));
+		break;
+
+	case 1:
+		RETERR(inet_totext(AF_INET, &region, target));
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		RETERR(inet_totext(AF_INET6, &region, target));
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_fromregion(&name, &region);
+		RETERR(dns_name_totext(&name, false, target));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	/*
+	 * Key.
+	 */
+	if (region.length > 0U) {
+		RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&region, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&region, tctx->width - 2,
+						 tctx->linebreak, target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_ipseckey(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
+	switch (region.base[1]) {
+	case 0:
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 1:
+		if (region.length < 7)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 2:
+		if (region.length < 19)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_buffer_forward(source, region.length);
+		return (mem_tobuffer(target, region.base, region.length));
+
+	case 3:
+		RETERR(mem_tobuffer(target, region.base, 3));
+		isc_buffer_forward(source, 3);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+		isc_buffer_activeregion(source, &region);
+		isc_buffer_forward(source, region.length);
+		return(mem_tobuffer(target, region.base, region.length));
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+}
+
+static inline isc_result_t
+towire_ipseckey(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_ipseckey(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_ipseckey(ARGS_FROMSTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+	isc_region_t region;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+	REQUIRE(source != NULL);
+	REQUIRE(ipseckey->common.rdtype == type);
+	REQUIRE(ipseckey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (ipseckey->gateway_type > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	RETERR(uint8_tobuffer(ipseckey->precedence, target));
+	RETERR(uint8_tobuffer(ipseckey->gateway_type, target));
+	RETERR(uint8_tobuffer(ipseckey->algorithm, target));
+
+	switch  (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = ntohl(ipseckey->in_addr.s_addr);
+		RETERR(uint32_tobuffer(n, target));
+		break;
+
+	case 2:
+		RETERR(mem_tobuffer(target, ipseckey->in6_addr.s6_addr, 16));
+		break;
+
+	case 3:
+		dns_name_toregion(&ipseckey->gateway, &region);
+		RETERR(isc_buffer_copyregion(target, &region));
+		break;
+	}
+
+	return (mem_tobuffer(target, ipseckey->key, ipseckey->keylength));
+}
+
+static inline isc_result_t
+tostruct_ipseckey(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ipseckey_t *ipseckey = target;
+	dns_name_t name;
+	uint32_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length >= 3);
+
+	if (rdata->data[1] > 3U)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	ipseckey->common.rdclass = rdata->rdclass;
+	ipseckey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ipseckey->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	ipseckey->precedence = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->gateway_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	ipseckey->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	switch (ipseckey->gateway_type) {
+	case 0:
+		break;
+
+	case 1:
+		n = uint32_fromregion(&region);
+		ipseckey->in_addr.s_addr = htonl(n);
+		isc_region_consume(&region, 4);
+		break;
+
+	case 2:
+		memmove(ipseckey->in6_addr.s6_addr, region.base, 16);
+		isc_region_consume(&region, 16);
+		break;
+
+	case 3:
+		dns_name_init(&ipseckey->gateway, NULL);
+		dns_name_fromregion(&name, &region);
+		RETERR(name_duporclone(&name, mctx, &ipseckey->gateway));
+		isc_region_consume(&region, name_length(&name));
+		break;
+	}
+
+	ipseckey->keylength = region.length;
+	if (ipseckey->keylength != 0U) {
+		ipseckey->key = mem_maybedup(mctx, region.base,
+					     ipseckey->keylength);
+		if (ipseckey->key == NULL) {
+			if (ipseckey->gateway_type == 3)
+				dns_name_free(&ipseckey->gateway,
+					      ipseckey->mctx);
+			return (ISC_R_NOMEMORY);
+		}
+	} else
+		ipseckey->key = NULL;
+
+	ipseckey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ipseckey(ARGS_FREESTRUCT) {
+	dns_rdata_ipseckey_t *ipseckey = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(ipseckey->common.rdtype == dns_rdatatype_ipseckey);
+
+	if (ipseckey->mctx == NULL)
+		return;
+
+	if (ipseckey->gateway_type == 3)
+		dns_name_free(&ipseckey->gateway, ipseckey->mctx);
+
+	if (ipseckey->key != NULL)
+		isc_mem_free(ipseckey->mctx, ipseckey->key);
+
+	ipseckey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ipseckey(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ipseckey(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static inline bool
+checkowner_ipseckey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ipseckey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_ipseckey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ipseckey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_ipseckey(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ipseckey);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	if (memcmp(region1.base, region2.base, 3) != 0 || region1.base[1] != 3)
+		return (isc_region_compare(&region1, &region2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	isc_region_consume(&region1, 3);
+	isc_region_consume(&region2, 3);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+#endif	/* RDATA_GENERIC_IPSECKEY_45_C */
diff --git a/lib/dns/rdata/generic/ipseckey_45.h b/lib/dns/rdata/generic/ipseckey_45.h
new file mode 100644
index 0000000..e3f5804
--- /dev/null
+++ b/lib/dns/rdata/generic/ipseckey_45.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_IPSECKEY_45_H
+#define GENERIC_IPSECKEY_45_H 1
+
+typedef struct dns_rdata_ipseckey {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint8_t		precedence;
+	uint8_t		gateway_type;
+	uint8_t		algorithm;
+	struct in_addr		in_addr;	/* gateway type 1 */
+	struct in6_addr		in6_addr;	/* gateway type 2 */
+	dns_name_t		gateway;	/* gateway type 3 */
+	unsigned char		*key;
+	uint16_t		keylength;
+} dns_rdata_ipseckey_t;
+
+#endif /* GENERIC_IPSECKEY_45_H */
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
new file mode 100644
index 0000000..a73cd1f
--- /dev/null
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_ISDN_20_C
+#define RDATA_GENERIC_ISDN_20_C
+
+#define RRTYPE_ISDN_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_isdn(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* ISDN-address */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/* sa: optional */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      true));
+	if (token.type != isc_tokentype_string &&
+	    token.type != isc_tokentype_qstring) {
+		isc_lex_ungettoken(lexer, &token);
+		return (ISC_R_SUCCESS);
+	}
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_isdn(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(txt_totext(&region, true, target));
+	if (region.length == 0)
+		return (ISC_R_SUCCESS);
+	RETERR(str_totext(" ", target));
+	return (txt_totext(&region, true, target));
+}
+
+static inline isc_result_t
+fromwire_isdn(ARGS_FROMWIRE) {
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	RETERR(txt_fromwire(source, target));
+	if (buffer_empty(source))
+		return (ISC_R_SUCCESS);
+	return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_isdn(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_isdn(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_isdn);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_isdn(ARGS_FROMSTRUCT) {
+	dns_rdata_isdn_t *isdn = source;
+
+	REQUIRE(type == dns_rdatatype_isdn);
+	REQUIRE(source != NULL);
+	REQUIRE(isdn->common.rdtype == type);
+	REQUIRE(isdn->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(isdn->isdn_len, target));
+	RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
+	if (isdn->subaddress == NULL)
+		return (ISC_R_SUCCESS);
+	RETERR(uint8_tobuffer(isdn->subaddress_len, target));
+	return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
+}
+
+static inline isc_result_t
+tostruct_isdn(ARGS_TOSTRUCT) {
+	dns_rdata_isdn_t *isdn = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	isdn->common.rdclass = rdata->rdclass;
+	isdn->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&isdn->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+
+	isdn->isdn_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
+	if (isdn->isdn == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&r, isdn->isdn_len);
+
+	if (r.length == 0) {
+		isdn->subaddress_len = 0;
+		isdn->subaddress = NULL;
+	} else {
+		isdn->subaddress_len = uint8_fromregion(&r);
+		isc_region_consume(&r, 1);
+		isdn->subaddress = mem_maybedup(mctx, r.base,
+						isdn->subaddress_len);
+		if (isdn->subaddress == NULL)
+			goto cleanup;
+	}
+
+	isdn->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && isdn->isdn != NULL)
+		isc_mem_free(mctx, isdn->isdn);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_isdn(ARGS_FREESTRUCT) {
+	dns_rdata_isdn_t *isdn = source;
+
+	REQUIRE(source != NULL);
+
+	if (isdn->mctx == NULL)
+		return;
+
+	if (isdn->isdn != NULL)
+		isc_mem_free(isdn->mctx, isdn->isdn);
+	if (isdn->subaddress != NULL)
+		isc_mem_free(isdn->mctx, isdn->subaddress);
+	isdn->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_isdn(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_isdn(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_isdn(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_isdn);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_isdn(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_isdn);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_isdn(ARGS_COMPARE) {
+	return (compare_isdn(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_ISDN_20_C */
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
new file mode 100644
index 0000000..48758bb
--- /dev/null
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_ISDN_20_H
+#define GENERIC_ISDN_20_H 1
+
+
+/*!
+ * \brief Per RFC1183 */
+
+typedef struct dns_rdata_isdn {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	char			*isdn;
+	char			*subaddress;
+	uint8_t		isdn_len;
+	uint8_t		subaddress_len;
+} dns_rdata_isdn_t;
+
+#endif /* GENERIC_ISDN_20_H */
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
new file mode 100644
index 0000000..6dd2eab
--- /dev/null
+++ b/lib/dns/rdata/generic/key_25.c
@@ -0,0 +1,436 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_KEY_25_C
+#define RDATA_GENERIC_KEY_25_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEY_ATTRIBUTES (0)
+
+static inline isc_result_t
+generic_fromtext_key(ARGS_FROMTEXT) {
+	isc_result_t result;
+	isc_token_t token;
+	dns_secalg_t alg;
+	dns_secproto_t proto;
+	dns_keyflags_t flags;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* flags */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(flags, target));
+
+	/* protocol */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &proto, 1));
+
+	/* algorithm */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &alg, 1));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+generic_totext_key(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("[key id = 64000]")];
+	unsigned int flags;
+	unsigned char algorithm;
+	char algbuf[DNS_NAME_FORMATSIZE];
+	const char *keyinfo;
+	isc_region_t tmpr;
+
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* flags */
+	flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", flags);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	if ((flags & DNS_KEYFLAG_KSK) != 0) {
+		if (flags & DNS_KEYFLAG_REVOKE)
+			keyinfo = "revoked KSK";
+		else
+			keyinfo = "KSK";
+	} else
+		keyinfo = "ZSK";
+
+
+	/* protocol */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* algorithm */
+	algorithm = sr.base[0];
+	snprintf(buf, sizeof(buf), "%u", algorithm);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0 &&
+	     algorithm == DNS_KEYALG_PRIVATEDNS) {
+		dns_name_t name;
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &sr);
+		dns_name_format(&name, algbuf, sizeof(algbuf));
+	} else {
+		dns_secalg_format((dns_secalg_t) algorithm, algbuf,
+				  sizeof(algbuf));
+	}
+
+	/* key */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+	} else {
+		dns_rdata_toregion(rdata, &tmpr);
+		snprintf(buf, sizeof(buf), "[key id = %u]",
+			 dst_region_computeid(&tmpr, algorithm));
+		RETERR(str_totext(buf, target));
+	}
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
+		RETERR(str_totext(tctx->linebreak, target));
+	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" ", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(")", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+
+		if (rdata->type == dns_rdatatype_dnskey ||
+		    rdata->type == dns_rdatatype_cdnskey) {
+			RETERR(str_totext(" ; ", target));
+			RETERR(str_totext(keyinfo, target));
+		}
+		RETERR(str_totext("; alg = ", target));
+		RETERR(str_totext(algbuf, target));
+		RETERR(str_totext(" ; key id = ", target));
+		dns_rdata_toregion(rdata, &tmpr);
+		snprintf(buf, sizeof(buf), "%u",
+			 dst_region_computeid(&tmpr, algorithm));
+		RETERR(str_totext(buf, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+generic_fromwire_key(ARGS_FROMWIRE) {
+	unsigned char algorithm;
+	isc_region_t sr;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	algorithm = sr.base[3];
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_region_consume(&sr, 4);
+	isc_buffer_forward(source, 4);
+
+	if (algorithm == DNS_KEYALG_PRIVATEDNS) {
+		dns_name_t name;
+		dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+		dns_name_init(&name, NULL);
+		RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+	}
+
+	/*
+	 * RSAMD5 computes key ID differently from other
+	 * algorithms: we need to ensure there's enough data
+	 * present for the computation
+	 */
+	if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+fromtext_key(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromtext_key(rdclass, type, lexer, origin,
+				     options, target, callbacks));
+}
+
+static inline isc_result_t
+totext_key(ARGS_TOTEXT) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	return (generic_totext_key(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_key(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromwire_key(rdclass, type, source, dctx,
+				     options, target));
+}
+
+static inline isc_result_t
+towire_key(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_key(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_key);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+generic_fromstruct_key(ARGS_FROMSTRUCT) {
+	dns_rdata_key_t *key = source;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdtype == type);
+	REQUIRE(key->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Flags */
+	RETERR(uint16_tobuffer(key->flags, target));
+
+	/* Protocol */
+	RETERR(uint8_tobuffer(key->protocol, target));
+
+	/* Algorithm */
+	RETERR(uint8_tobuffer(key->algorithm, target));
+
+	/* Data */
+	return (mem_tobuffer(target, key->data, key->datalen));
+}
+
+static inline isc_result_t
+generic_tostruct_key(ARGS_TOSTRUCT) {
+	dns_rdata_key_t *key = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->length != 0);
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdclass == rdata->rdclass);
+	REQUIRE(key->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&key->common, link));
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Flags */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	key->flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/* Protocol */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	key->protocol = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Algorithm */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	key->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	key->datalen = sr.length;
+	key->data = mem_maybedup(mctx, sr.base, key->datalen);
+	if (key->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	key->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+generic_freestruct_key(ARGS_FREESTRUCT) {
+	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
+
+	REQUIRE(key != NULL);
+
+	if (key->mctx == NULL)
+		return;
+
+	if (key->data != NULL)
+		isc_mem_free(key->mctx, key->data);
+	key->mctx = NULL;
+}
+
+static inline isc_result_t
+fromstruct_key(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_key);
+
+	return (generic_fromstruct_key(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_key(ARGS_TOSTRUCT) {
+	dns_rdata_key_t *key = target;
+
+	REQUIRE(key != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	key->common.rdclass = rdata->rdclass;
+	key->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&key->common, link);
+
+	return (generic_tostruct_key(rdata, target, mctx));
+}
+
+static inline void
+freestruct_key(ARGS_FREESTRUCT) {
+	dns_rdata_key_t *key = (dns_rdata_key_t *) source;
+
+	REQUIRE(key != NULL);
+	REQUIRE(key->common.rdtype == dns_rdatatype_key);
+
+	generic_freestruct_key(source);
+}
+
+static inline isc_result_t
+additionaldata_key(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_key(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_key(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_key);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_key(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_key);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_key(ARGS_COMPARE) {
+	return (compare_key(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_KEY_25_C */
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
new file mode 100644
index 0000000..330363b
--- /dev/null
+++ b/lib/dns/rdata/generic/key_25.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEY_25_H
+#define GENERIC_KEY_25_H 1
+
+
+/*!
+ * \brief Per RFC2535 */
+
+typedef struct dns_rdata_key {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint16_t		flags;
+	uint8_t		protocol;
+	uint8_t		algorithm;
+	uint16_t		datalen;
+	unsigned char *		data;
+} dns_rdata_key_t;
+
+
+#endif /* GENERIC_KEY_25_H */
diff --git a/lib/dns/rdata/generic/keydata_65533.c b/lib/dns/rdata/generic/keydata_65533.c
new file mode 100644
index 0000000..06b56c1
--- /dev/null
+++ b/lib/dns/rdata/generic/keydata_65533.c
@@ -0,0 +1,441 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_C
+#define GENERIC_KEYDATA_65533_C 1
+
+#include <isc/time.h>
+#include <isc/stdtime.h>
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEYDATA_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_keydata(ARGS_FROMTEXT) {
+	isc_result_t result;
+	isc_token_t token;
+	dns_secalg_t alg;
+	dns_secproto_t proto;
+	dns_keyflags_t flags;
+	uint32_t refresh, addhd, removehd;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* refresh timer */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
+	RETERR(uint32_tobuffer(refresh, target));
+
+	/* add hold-down */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
+	RETERR(uint32_tobuffer(addhd, target));
+
+	/* remove hold-down */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
+	RETERR(uint32_tobuffer(removehd, target));
+
+	/* flags */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+	RETERR(uint16_tobuffer(flags, target));
+
+	/* protocol */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &proto, 1));
+
+	/* algorithm */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &alg, 1));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_keydata(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000")];
+	unsigned int flags;
+	unsigned char algorithm;
+	unsigned long refresh, add, deltime;
+	char algbuf[DNS_NAME_FORMATSIZE];
+	const char *keyinfo;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	if ((tctx->flags & DNS_STYLEFLAG_KEYDATA) == 0 || rdata->length < 16)
+		return (unknown_totext(rdata, tctx, target));
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* refresh timer */
+	refresh = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(refresh, target));
+	RETERR(str_totext(" ", target));
+
+	/* add hold-down */
+	add = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(add, target));
+	RETERR(str_totext(" ", target));
+
+	/* remove hold-down */
+	deltime = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(deltime, target));
+	RETERR(str_totext(" ", target));
+
+	/* flags */
+	flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u", flags);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	if ((flags & DNS_KEYFLAG_KSK) != 0) {
+		if (flags & DNS_KEYFLAG_REVOKE)
+			keyinfo = "revoked KSK";
+		else
+			keyinfo = "KSK";
+	} else
+		keyinfo = "ZSK";
+
+	/* protocol */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/* algorithm */
+	algorithm = sr.base[0];
+	snprintf(buf, sizeof(buf), "%u", algorithm);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+
+	/* No Key? */
+	if ((flags & 0xc000) == 0xc000)
+		return (ISC_R_SUCCESS);
+
+	/* key */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&sr, tctx->width - 2,
+					 tctx->linebreak, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
+		RETERR(str_totext(tctx->linebreak, target));
+	else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" ", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(")", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
+		isc_region_t tmpr;
+		char rbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		char abuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		char dbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		isc_time_t t;
+
+		RETERR(str_totext(" ; ", target));
+		RETERR(str_totext(keyinfo, target));
+		dns_secalg_format((dns_secalg_t) algorithm, algbuf,
+				  sizeof(algbuf));
+		RETERR(str_totext("; alg = ", target));
+		RETERR(str_totext(algbuf, target));
+		RETERR(str_totext("; key id = ", target));
+		dns_rdata_toregion(rdata, &tmpr);
+		/* Skip over refresh, addhd, and removehd */
+		isc_region_consume(&tmpr, 12);
+		snprintf(buf, sizeof(buf), "%u",
+			 dst_region_computeid(&tmpr, algorithm));
+		RETERR(str_totext(buf, target));
+
+		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+			isc_stdtime_t now;
+
+			isc_stdtime_get(&now);
+
+			RETERR(str_totext(tctx->linebreak, target));
+			RETERR(str_totext("; next refresh: ", target));
+			isc_time_set(&t, refresh, 0);
+			isc_time_formathttptimestamp(&t, rbuf, sizeof(rbuf));
+			RETERR(str_totext(rbuf, target));
+
+			if (add == 0U) {
+				RETERR(str_totext(tctx->linebreak, target));
+				RETERR(str_totext("; no trust", target));
+			} else {
+				RETERR(str_totext(tctx->linebreak, target));
+				if (add < now) {
+					RETERR(str_totext("; trusted since: ",
+							  target));
+				} else {
+					RETERR(str_totext("; trust pending: ",
+							  target));
+				}
+				isc_time_set(&t, add, 0);
+				isc_time_formathttptimestamp(&t, abuf,
+							     sizeof(abuf));
+				RETERR(str_totext(abuf, target));
+			}
+
+			if (deltime != 0U) {
+				RETERR(str_totext(tctx->linebreak, target));
+				RETERR(str_totext("; removal pending: ",
+						  target));
+				isc_time_set(&t, deltime, 0);
+				isc_time_formathttptimestamp(&t, dbuf,
+							     sizeof(dbuf));
+				RETERR(str_totext(dbuf, target));
+			}
+		}
+
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_keydata(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_keydata(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_keydata(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_keydata);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_keydata(ARGS_FROMSTRUCT) {
+	dns_rdata_keydata_t *keydata = source;
+
+	REQUIRE(type == dns_rdatatype_keydata);
+	REQUIRE(source != NULL);
+	REQUIRE(keydata->common.rdtype == type);
+	REQUIRE(keydata->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Refresh timer */
+	RETERR(uint32_tobuffer(keydata->refresh, target));
+
+	/* Add hold-down */
+	RETERR(uint32_tobuffer(keydata->addhd, target));
+
+	/* Remove hold-down */
+	RETERR(uint32_tobuffer(keydata->removehd, target));
+
+	/* Flags */
+	RETERR(uint16_tobuffer(keydata->flags, target));
+
+	/* Protocol */
+	RETERR(uint8_tobuffer(keydata->protocol, target));
+
+	/* Algorithm */
+	RETERR(uint8_tobuffer(keydata->algorithm, target));
+
+	/* Data */
+	return (mem_tobuffer(target, keydata->data, keydata->datalen));
+}
+
+static inline isc_result_t
+tostruct_keydata(ARGS_TOSTRUCT) {
+	dns_rdata_keydata_t *keydata = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+	REQUIRE(target != NULL);
+
+	keydata->common.rdclass = rdata->rdclass;
+	keydata->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&keydata->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Refresh timer */
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->refresh = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Add hold-down */
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->addhd = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Remove hold-down */
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->removehd = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/* Flags */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->flags = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/* Protocol */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->protocol = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Algorithm */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	keydata->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	keydata->datalen = sr.length;
+	keydata->data = mem_maybedup(mctx, sr.base, keydata->datalen);
+	if (keydata->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	keydata->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_keydata(ARGS_FREESTRUCT) {
+	dns_rdata_keydata_t *keydata = (dns_rdata_keydata_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(keydata->common.rdtype == dns_rdatatype_keydata);
+
+	if (keydata->mctx == NULL)
+		return;
+
+	if (keydata->data != NULL)
+		isc_mem_free(keydata->mctx, keydata->data);
+	keydata->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_keydata(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_keydata(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_keydata(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_keydata);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_keydata(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_keydata);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_keydata(ARGS_COMPARE) {
+	return (compare_keydata(rdata1, rdata2));
+}
+
+#endif /* GENERIC_KEYDATA_65533_C */
diff --git a/lib/dns/rdata/generic/keydata_65533.h b/lib/dns/rdata/generic/keydata_65533.h
new file mode 100644
index 0000000..40061e1
--- /dev/null
+++ b/lib/dns/rdata/generic/keydata_65533.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_KEYDATA_65533_H
+#define GENERIC_KEYDATA_65533_H 1
+
+
+typedef struct dns_rdata_keydata {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint32_t		refresh;      /* Timer for refreshing data */
+	uint32_t		addhd;	      /* Hold-down timer for adding */
+	uint32_t		removehd;     /* Hold-down timer for removing */
+	uint16_t		flags;	      /* Copy of DNSKEY_48 */
+	uint8_t		protocol;
+	uint8_t		algorithm;
+	uint16_t		datalen;
+	unsigned char *		data;
+} dns_rdata_keydata_t;
+
+#endif /* GENERIC_KEYDATA_65533_H */
diff --git a/lib/dns/rdata/generic/l32_105.c b/lib/dns/rdata/generic/l32_105.c
new file mode 100644
index 0000000..7d92cc2
--- /dev/null
+++ b/lib/dns/rdata/generic/l32_105.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_L32_105_C
+#define RDATA_GENERIC_L32_105_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_L32_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_l32(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_l32(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("65000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	return (inet_totext(AF_INET, &region, target));
+}
+
+static inline isc_result_t
+fromwire_l32(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 6)
+		return (DNS_R_FORMERR);
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static inline isc_result_t
+towire_l32(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_l32(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_l32);
+	REQUIRE(rdata1->length == 6);
+	REQUIRE(rdata2->length == 6);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_l32(ARGS_FROMSTRUCT) {
+	dns_rdata_l32_t *l32 = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_l32);
+	REQUIRE(source != NULL);
+	REQUIRE(l32->common.rdtype == type);
+	REQUIRE(l32->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(l32->pref, target));
+	n = ntohl(l32->l32.s_addr);
+	return (uint32_tobuffer(n, target));
+}
+
+static inline isc_result_t
+tostruct_l32(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_l32_t *l32 = target;
+	uint32_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(mctx);
+
+	l32->common.rdclass = rdata->rdclass;
+	l32->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&l32->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	l32->pref = uint16_fromregion(&region);
+	n = uint32_fromregion(&region);
+	l32->l32.s_addr = htonl(n);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_l32(ARGS_FREESTRUCT) {
+	dns_rdata_l32_t *l32 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(l32->common.rdtype == dns_rdatatype_l32);
+
+	return;
+}
+
+static inline isc_result_t
+additionaldata_l32(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_l32(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_l32(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_l32);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_l32(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l32);
+	REQUIRE(rdata->length == 6);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_l32(ARGS_COMPARE) {
+	return (compare_l32(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_L32_105_C */
diff --git a/lib/dns/rdata/generic/l32_105.h b/lib/dns/rdata/generic/l32_105.h
new file mode 100644
index 0000000..3fca0f2
--- /dev/null
+++ b/lib/dns/rdata/generic/l32_105.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_L32_105_H
+#define GENERIC_L32_105_H 1
+
+typedef struct dns_rdata_l32 {
+	dns_rdatacommon_t	common;
+	uint16_t		pref;
+	struct in_addr		l32;
+} dns_rdata_l32_t;
+
+#endif /* GENERIC_L32_105_H */
diff --git a/lib/dns/rdata/generic/l64_106.c b/lib/dns/rdata/generic/l64_106.c
new file mode 100644
index 0000000..277c6a9
--- /dev/null
+++ b/lib/dns/rdata/generic/l64_106.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_L64_106_C
+#define RDATA_GENERIC_L64_106_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_L64_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_l64(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char locator[NS_LOCATORSZ];
+
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (locator_pton(DNS_AS_STR(token), locator) != 1)
+		RETTOK(DNS_R_SYNTAX);
+	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
+}
+
+static inline isc_result_t
+totext_l64(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0]<<8 | region.base[1],
+		 region.base[2]<<8 | region.base[3],
+		 region.base[4]<<8 | region.base[5],
+		 region.base[6]<<8 | region.base[7]);
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_l64(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 10)
+		return (DNS_R_FORMERR);
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static inline isc_result_t
+towire_l64(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_l64(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_l64);
+	REQUIRE(rdata1->length == 10);
+	REQUIRE(rdata2->length == 10);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_l64(ARGS_FROMSTRUCT) {
+	dns_rdata_l64_t *l64 = source;
+
+	REQUIRE(type == dns_rdatatype_l64);
+	REQUIRE(source != NULL);
+	REQUIRE(l64->common.rdtype == type);
+	REQUIRE(l64->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(l64->pref, target));
+	return (mem_tobuffer(target, l64->l64, sizeof(l64->l64)));
+}
+
+static inline isc_result_t
+tostruct_l64(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_l64_t *l64 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(mctx);
+
+	l64->common.rdclass = rdata->rdclass;
+	l64->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&l64->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	l64->pref = uint16_fromregion(&region);
+	memmove(l64->l64, region.base, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_l64(ARGS_FREESTRUCT) {
+	dns_rdata_l64_t *l64 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(l64->common.rdtype == dns_rdatatype_l64);
+
+	return;
+}
+
+static inline isc_result_t
+additionaldata_l64(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_l64(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_l64(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_l64);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_l64(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_l64);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_l64(ARGS_COMPARE) {
+	return (compare_l64(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_L64_106_C */
diff --git a/lib/dns/rdata/generic/l64_106.h b/lib/dns/rdata/generic/l64_106.h
new file mode 100644
index 0000000..968a138
--- /dev/null
+++ b/lib/dns/rdata/generic/l64_106.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_L64_106_H
+#define GENERIC_L64_106_H 1
+
+typedef struct dns_rdata_l64 {
+	dns_rdatacommon_t	common;
+	uint16_t		pref;
+	unsigned char		l64[8];
+} dns_rdata_l64_t;
+
+#endif /* GENERIC_L64_106_H */
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
new file mode 100644
index 0000000..50c00ff
--- /dev/null
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -0,0 +1,811 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1876 */
+
+#ifndef RDATA_GENERIC_LOC_29_C
+#define RDATA_GENERIC_LOC_29_C
+
+#define RRTYPE_LOC_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_loc(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int d1, m1, s1;
+	int d2, m2, s2;
+	unsigned char size;
+	unsigned char hp;
+	unsigned char vp;
+	unsigned char version;
+	bool east = false;
+	bool north = false;
+	long tmp;
+	long m;
+	long cm;
+	long poweroften[8] = { 1, 10, 100, 1000,
+			       10000, 100000, 1000000, 10000000 };
+	int man;
+	int exp;
+	char *e;
+	int i;
+	unsigned long latitude;
+	unsigned long longitude;
+	unsigned long altitude;
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/*
+	 * Defaults.
+	 */
+	m1 = s1 = 0;
+	m2 = s2 = 0;
+	size = 0x12;	/* 1.00m */
+	hp = 0x16;	/* 10000.00 m */
+	vp = 0x13;	/* 10.00 m */
+	version = 0;
+
+	/*
+	 * Degrees.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 90U)
+		RETTOK(ISC_R_RANGE);
+	d1 = (int)token.value.as_ulong;
+	/*
+	 * Minutes.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+		north = true;
+	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
+		goto getlong;
+	m1 = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	if (m1 < 0 || m1 > 59)
+		RETTOK(ISC_R_RANGE);
+	if (d1 == 90 && m1 != 0)
+		RETTOK(ISC_R_RANGE);
+
+	/*
+	 * Seconds.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+		north = true;
+	if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
+		goto getlong;
+	s1 = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.')
+		RETTOK(DNS_R_SYNTAX);
+	if (s1 < 0 || s1 > 59)
+		RETTOK(ISC_R_RANGE);
+	if (*e == '.') {
+		const char *l;
+		e++;
+		for (i = 0; i < 3; i++) {
+			if (*e == 0)
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				RETTOK(DNS_R_SYNTAX);
+			s1 *= 10;
+			s1 += tmp;
+		}
+		for (; i < 3; i++)
+			s1 *= 10;
+		l = e;
+		while (*e != 0) {
+			if (decvalue(*e++) < 0)
+				RETTOK(DNS_R_SYNTAX);
+		}
+		if (*l != '\0' && callbacks != NULL) {
+			const char *file = isc_lex_getsourcename(lexer);
+			unsigned long line = isc_lex_getsourceline(lexer);
+
+			if (file == NULL)
+				file = "UNKNOWN";
+			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+					   "precision digits ignored",
+					   "dns_rdata_fromtext", file, line,
+					   DNS_AS_STR(token));
+		}
+	} else
+		s1 *= 1000;
+	if (d1 == 90 && s1 != 0)
+		RETTOK(ISC_R_RANGE);
+
+	/*
+	 * Direction.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+		north = true;
+	if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
+		RETTOK(DNS_R_SYNTAX);
+
+ getlong:
+	/*
+	 * Degrees.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 180U)
+		RETTOK(ISC_R_RANGE);
+	d2 = (int)token.value.as_ulong;
+
+	/*
+	 * Minutes.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+		east = true;
+	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
+		goto getalt;
+	m2 = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	if (m2 < 0 || m2 > 59)
+		RETTOK(ISC_R_RANGE);
+	if (d2 == 180 && m2 != 0)
+		RETTOK(ISC_R_RANGE);
+
+	/*
+	 * Seconds.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+		east = true;
+	if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
+		goto getalt;
+	s2 = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.')
+		RETTOK(DNS_R_SYNTAX);
+	if (s2 < 0 || s2 > 59)
+		RETTOK(ISC_R_RANGE);
+	if (*e == '.') {
+		const char *l;
+		e++;
+		for (i = 0; i < 3; i++) {
+			if (*e == 0)
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				RETTOK(DNS_R_SYNTAX);
+			s2 *= 10;
+			s2 += tmp;
+		}
+		for (; i < 3; i++)
+			s2 *= 10;
+		l = e;
+		while (*e != 0) {
+			if (decvalue(*e++) < 0)
+				RETTOK(DNS_R_SYNTAX);
+		}
+		if (*l != '\0' && callbacks != NULL) {
+			const char *file = isc_lex_getsourcename(lexer);
+			unsigned long line = isc_lex_getsourceline(lexer);
+
+			if (file == NULL)
+				file = "UNKNOWN";
+			(*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+					   "precision digits ignored",
+					   "dns_rdata_fromtext",
+					   file, line, DNS_AS_STR(token));
+		}
+	} else
+		s2 *= 1000;
+	if (d2 == 180 && s2 != 0)
+		RETTOK(ISC_R_RANGE);
+
+	/*
+	 * Direction.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+		east = true;
+	if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
+		RETTOK(DNS_R_SYNTAX);
+
+ getalt:
+	/*
+	 * Altitude.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	m = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm')
+		RETTOK(DNS_R_SYNTAX);
+	if (m < -100000 || m > 42849672)
+		RETTOK(ISC_R_RANGE);
+	cm = 0;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < 2; i++) {
+			if (*e == 0 || *e == 'm')
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				return (DNS_R_SYNTAX);
+			cm *= 10;
+			if (m < 0)
+				cm -= tmp;
+			else
+				cm += tmp;
+		}
+		for (; i < 2; i++)
+			cm *= 10;
+	}
+	if (*e == 'm')
+		e++;
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	if (m == -100000 && cm != 0)
+		RETTOK(ISC_R_RANGE);
+	if (m == 42849672 && cm > 95)
+		RETTOK(ISC_R_RANGE);
+	/*
+	 * Adjust base.
+	 */
+	altitude = m + 100000;
+	altitude *= 100;
+	altitude += cm;
+
+	/*
+	 * Size: optional.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      true));
+	if (token.type == isc_tokentype_eol ||
+	    token.type == isc_tokentype_eof) {
+		isc_lex_ungettoken(lexer, &token);
+		goto encode;
+	}
+	m = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm')
+		RETTOK(DNS_R_SYNTAX);
+	if (m < 0 || m > 90000000)
+		RETTOK(ISC_R_RANGE);
+	cm = 0;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < 2; i++) {
+			if (*e == 0 || *e == 'm')
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				RETTOK(DNS_R_SYNTAX);
+			cm *= 10;
+			cm += tmp;
+		}
+		for (; i < 2; i++)
+			cm *= 10;
+	}
+	if (*e == 'm')
+		e++;
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
+	if (m > 0) {
+		for (exp = 0; exp < 7; exp++)
+			if (m < poweroften[exp+1])
+				break;
+		man = m / poweroften[exp];
+		exp += 2;
+	} else {
+		if (cm >= 10) {
+			man = cm / 10;
+			exp = 1;
+		} else {
+			man = cm;
+			exp = 0;
+		}
+	}
+	size = (man << 4) + exp;
+
+	/*
+	 * Horizontal precision: optional.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      true));
+	if (token.type == isc_tokentype_eol ||
+	    token.type == isc_tokentype_eof) {
+		isc_lex_ungettoken(lexer, &token);
+		goto encode;
+	}
+	m = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm')
+		RETTOK(DNS_R_SYNTAX);
+	if (m < 0 || m > 90000000)
+		RETTOK(ISC_R_RANGE);
+	cm = 0;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < 2; i++) {
+			if (*e == 0 || *e == 'm')
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				RETTOK(DNS_R_SYNTAX);
+			cm *= 10;
+			cm += tmp;
+		}
+		for (; i < 2; i++)
+			cm *= 10;
+	}
+	if (*e == 'm')
+		e++;
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
+	if (m > 0) {
+		for (exp = 0; exp < 7; exp++)
+			if (m < poweroften[exp+1])
+				break;
+		man = m / poweroften[exp];
+		exp += 2;
+	} else if (cm >= 10) {
+		man = cm / 10;
+		exp = 1;
+	} else  {
+		man = cm;
+		exp = 0;
+	}
+	hp = (man << 4) + exp;
+
+	/*
+	 * Vertical precision: optional.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      true));
+	if (token.type == isc_tokentype_eol ||
+	    token.type == isc_tokentype_eof) {
+		isc_lex_ungettoken(lexer, &token);
+		goto encode;
+	}
+	m = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e != 0 && *e != '.' && *e != 'm')
+		RETTOK(DNS_R_SYNTAX);
+	if (m < 0 || m > 90000000)
+		RETTOK(ISC_R_RANGE);
+	cm = 0;
+	if (*e == '.') {
+		e++;
+		for (i = 0; i < 2; i++) {
+			if (*e == 0 || *e == 'm')
+				break;
+			if ((tmp = decvalue(*e++)) < 0)
+				RETTOK(DNS_R_SYNTAX);
+			cm *= 10;
+			cm += tmp;
+		}
+		for (; i < 2; i++)
+			cm *= 10;
+	}
+	if (*e == 'm')
+		e++;
+	if (*e != 0)
+		RETTOK(DNS_R_SYNTAX);
+	/*
+	 * We don't just multiply out as we will overflow.
+	 */
+	if (m > 0) {
+		for (exp = 0; exp < 7; exp++)
+			if (m < poweroften[exp+1])
+				break;
+		man = m / poweroften[exp];
+		exp += 2;
+	} else if (cm >= 10) {
+		man = cm / 10;
+		exp = 1;
+	} else {
+		man = cm;
+		exp = 0;
+	}
+	vp = (man << 4) + exp;
+
+ encode:
+	RETERR(mem_tobuffer(target, &version, 1));
+	RETERR(mem_tobuffer(target, &size, 1));
+	RETERR(mem_tobuffer(target, &hp, 1));
+	RETERR(mem_tobuffer(target, &vp, 1));
+	if (north)
+		latitude = 0x80000000 + ( d1 * 3600 + m1 * 60 ) * 1000 + s1;
+	else
+		latitude = 0x80000000 - ( d1 * 3600 + m1 * 60 ) * 1000 - s1;
+	RETERR(uint32_tobuffer(latitude, target));
+
+	if (east)
+		longitude = 0x80000000 + ( d2 * 3600 + m2 * 60 ) * 1000 + s2;
+	else
+		longitude = 0x80000000 - ( d2 * 3600 + m2 * 60 ) * 1000 - s2;
+	RETERR(uint32_tobuffer(longitude, target));
+
+	return (uint32_tobuffer(altitude, target));
+}
+
+static inline isc_result_t
+totext_loc(ARGS_TOTEXT) {
+	int d1, m1, s1, fs1;
+	int d2, m2, s2, fs2;
+	unsigned long latitude;
+	unsigned long longitude;
+	unsigned long altitude;
+	bool north;
+	bool east;
+	bool below;
+	isc_region_t sr;
+	char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
+			"-42849672.95m 90000000m 90000000m 90000000m")];
+	char sbuf[sizeof("90000000m")];
+	char hbuf[sizeof("90000000m")];
+	char vbuf[sizeof("90000000m")];
+	unsigned char size, hp, vp;
+	unsigned long poweroften[8] = { 1, 10, 100, 1000,
+					10000, 100000, 1000000, 10000000 };
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	if (sr.base[0] != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	REQUIRE(rdata->length == 16);
+
+	size = sr.base[1];
+	INSIST((size&0x0f) < 10 && (size>>4) < 10);
+	if ((size&0x0f)> 1) {
+		snprintf(sbuf, sizeof(sbuf),
+			 "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
+	} else {
+		snprintf(sbuf, sizeof(sbuf),
+			 "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
+	}
+	hp = sr.base[2];
+	INSIST((hp&0x0f) < 10 && (hp>>4) < 10);
+	if ((hp&0x0f)> 1) {
+		snprintf(hbuf, sizeof(hbuf),
+			"%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
+	} else {
+		snprintf(hbuf, sizeof(hbuf),
+			 "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
+	}
+	vp = sr.base[3];
+	INSIST((vp&0x0f) < 10 && (vp>>4) < 10);
+	if ((vp&0x0f)> 1) {
+		snprintf(vbuf, sizeof(vbuf),
+			 "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
+	} else {
+		snprintf(vbuf, sizeof(vbuf),
+			 "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
+	}
+	isc_region_consume(&sr, 4);
+
+	latitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (latitude >= 0x80000000) {
+		north = true;
+		latitude -= 0x80000000;
+	} else {
+		north = false;
+		latitude = 0x80000000 - latitude;
+	}
+	fs1 = (int)(latitude % 1000);
+	latitude /= 1000;
+	s1 = (int)(latitude % 60);
+	latitude /= 60;
+	m1 = (int)(latitude % 60);
+	latitude /= 60;
+	d1 = (int)latitude;
+	INSIST(latitude <= 90U);
+
+	longitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (longitude >= 0x80000000) {
+		east = true;
+		longitude -= 0x80000000;
+	} else {
+		east = false;
+		longitude = 0x80000000 - longitude;
+	}
+	fs2 = (int)(longitude % 1000);
+	longitude /= 1000;
+	s2 = (int)(longitude % 60);
+	longitude /= 60;
+	m2 = (int)(longitude % 60);
+	longitude /= 60;
+	d2 = (int)longitude;
+	INSIST(longitude <= 180U);
+
+	altitude = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	if (altitude < 10000000U) {
+		below = true;
+		altitude = 10000000 - altitude;
+	} else {
+		below =false;
+		altitude -= 10000000;
+	}
+
+	snprintf(buf, sizeof(buf),
+		 "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
+		 d1, m1, s1, fs1, north ? "N" : "S",
+		 d2, m2, s2, fs2, east ? "E" : "W",
+		 below ? "-" : "", altitude/100, altitude % 100,
+		 sbuf, hbuf, vbuf);
+
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_loc(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned char c;
+	unsigned long latitude;
+	unsigned long longitude;
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	if (sr.base[0] != 0) {
+		/* Treat as unknown. */
+		isc_buffer_forward(source, sr.length);
+		return (mem_tobuffer(target, sr.base, sr.length));
+	}
+	if (sr.length < 16)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/*
+	 * Size.
+	 */
+	c = sr.base[1];
+	if (c != 0)
+		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+			return (ISC_R_RANGE);
+
+	/*
+	 * Horizontal precision.
+	 */
+	c = sr.base[2];
+	if (c != 0)
+		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+			return (ISC_R_RANGE);
+
+	/*
+	 * Vertical precision.
+	 */
+	c = sr.base[3];
+	if (c != 0)
+		if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+			return (ISC_R_RANGE);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Latitude.
+	 */
+	latitude = uint32_fromregion(&sr);
+	if (latitude < (0x80000000UL - 90 * 3600000) ||
+	    latitude > (0x80000000UL + 90 * 3600000))
+		return (ISC_R_RANGE);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Longitude.
+	 */
+	longitude = uint32_fromregion(&sr);
+	if (longitude < (0x80000000UL - 180 * 3600000) ||
+	    longitude > (0x80000000UL + 180 * 3600000))
+		return (ISC_R_RANGE);
+
+	/*
+	 * Altitude.
+	 * All values possible.
+	 */
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, 16);
+	return (mem_tobuffer(target, sr.base, 16));
+}
+
+static inline isc_result_t
+towire_loc(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_loc(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_loc);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_loc(ARGS_FROMSTRUCT) {
+	dns_rdata_loc_t *loc = source;
+	uint8_t c;
+
+	REQUIRE(type == dns_rdatatype_loc);
+	REQUIRE(source != NULL);
+	REQUIRE(loc->common.rdtype == type);
+	REQUIRE(loc->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (loc->v.v0.version != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+	RETERR(uint8_tobuffer(loc->v.v0.version, target));
+
+	c = loc->v.v0.size;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.size, target));
+
+	c = loc->v.v0.horizontal;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
+
+	c = loc->v.v0.vertical;
+	if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+		return (ISC_R_RANGE);
+	RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
+
+	if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
+	    loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
+		return (ISC_R_RANGE);
+	RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
+
+	if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
+	    loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
+		return (ISC_R_RANGE);
+	RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
+	return (uint32_tobuffer(loc->v.v0.altitude, target));
+}
+
+static inline isc_result_t
+tostruct_loc(ARGS_TOSTRUCT) {
+	dns_rdata_loc_t *loc = target;
+	isc_region_t r;
+	uint8_t version;
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(mctx);
+
+	dns_rdata_toregion(rdata, &r);
+	version = uint8_fromregion(&r);
+	if (version != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	loc->common.rdclass = rdata->rdclass;
+	loc->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&loc->common, link);
+
+	loc->v.v0.version = version;
+	isc_region_consume(&r, 1);
+	loc->v.v0.size = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.horizontal = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.vertical = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	loc->v.v0.latitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.longitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	loc->v.v0.altitude = uint32_fromregion(&r);
+	isc_region_consume(&r, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_loc(ARGS_FREESTRUCT) {
+	dns_rdata_loc_t *loc = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(loc->common.rdtype == dns_rdatatype_loc);
+
+	UNUSED(source);
+	UNUSED(loc);
+}
+
+static inline isc_result_t
+additionaldata_loc(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_loc(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_loc(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_loc);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_loc(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_loc);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_loc(ARGS_COMPARE) {
+	return (compare_loc(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_LOC_29_C */
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
new file mode 100644
index 0000000..c879581
--- /dev/null
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_LOC_29_H
+#define GENERIC_LOC_29_H 1
+
+
+/*!
+ * \brief Per RFC1876 */
+
+typedef struct dns_rdata_loc_0 {
+	uint8_t	version;	/* must be first and zero */
+	uint8_t	size;
+	uint8_t	horizontal;
+	uint8_t	vertical;
+	uint32_t	latitude;
+	uint32_t	longitude;
+	uint32_t	altitude;
+} dns_rdata_loc_0_t;
+
+typedef struct dns_rdata_loc {
+	dns_rdatacommon_t	common;
+	union {
+		dns_rdata_loc_0_t v0;
+	} v;
+} dns_rdata_loc_t;
+
+#endif /* GENERIC_LOC_29_H */
diff --git a/lib/dns/rdata/generic/lp_107.c b/lib/dns/rdata/generic/lp_107.c
new file mode 100644
index 0000000..49bc799
--- /dev/null
+++ b/lib/dns/rdata/generic/lp_107.c
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_LP_107_C
+#define RDATA_GENERIC_LP_107_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_LP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_lp(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	return (dns_name_fromtext(&name, &buffer, origin, options, target));
+}
+
+static inline isc_result_t
+totext_lp(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_lp(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_lp(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_lp(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_lp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_lp(ARGS_FROMSTRUCT) {
+	dns_rdata_lp_t *lp = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_lp);
+	REQUIRE(source != NULL);
+	REQUIRE(lp->common.rdtype == type);
+	REQUIRE(lp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(lp->pref, target));
+	dns_name_toregion(&lp->lp, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_lp(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_lp_t *lp = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	lp->common.rdclass = rdata->rdclass;
+	lp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&lp->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	lp->pref = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&lp->lp, NULL);
+	RETERR(name_duporclone(&name, mctx, &lp->lp));
+	lp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_lp(ARGS_FREESTRUCT) {
+	dns_rdata_lp_t *lp = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(lp->common.rdtype == dns_rdatatype_lp);
+
+	if (lp->mctx == NULL)
+		return;
+
+	dns_name_free(&lp->lp, lp->mctx);
+	lp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_lp(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	result = (add)(arg, &name, dns_rdatatype_l32);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return ((add)(arg, &name, dns_rdatatype_l64));
+}
+
+static inline isc_result_t
+digest_lp(ARGS_DIGEST) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	dns_rdata_toregion(rdata, &region);
+	return ((digest)(arg, &region));
+}
+
+static inline bool
+checkowner_lp(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_lp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(name);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_lp(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_lp);
+
+	UNUSED(bad);
+	UNUSED(owner);
+
+	return (true);
+}
+
+static inline int
+casecompare_lp(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_lp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+#endif	/* RDATA_GENERIC_LP_107_C */
diff --git a/lib/dns/rdata/generic/lp_107.h b/lib/dns/rdata/generic/lp_107.h
new file mode 100644
index 0000000..4ccffac
--- /dev/null
+++ b/lib/dns/rdata/generic/lp_107.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_LP_107_H
+#define GENERIC_LP_107_H 1
+
+typedef struct dns_rdata_lp {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		pref;
+	dns_name_t		lp;
+} dns_rdata_lp_t;
+
+#endif /* GENERIC_LP_107_H */
diff --git a/lib/dns/rdata/generic/mb_7.c b/lib/dns/rdata/generic/mb_7.c
new file mode 100644
index 0000000..299f89d
--- /dev/null
+++ b/lib/dns/rdata/generic/mb_7.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MB_7_C
+#define RDATA_GENERIC_MB_7_C
+
+#define RRTYPE_MB_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mb(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mb(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mb(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mb(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mb(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mb);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mb(ARGS_FROMSTRUCT) {
+	dns_rdata_mb_t *mb = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mb);
+	REQUIRE(source != NULL);
+	REQUIRE(mb->common.rdtype == type);
+	REQUIRE(mb->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mb->mb, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mb(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mb_t *mb = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mb->common.rdclass = rdata->rdclass;
+	mb->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mb->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mb->mb, NULL);
+	RETERR(name_duporclone(&name, mctx, &mb->mb));
+	mb->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mb(ARGS_FREESTRUCT) {
+	dns_rdata_mb_t *mb = source;
+
+	REQUIRE(source != NULL);
+
+	if (mb->mctx == NULL)
+		return;
+
+	dns_name_free(&mb->mb, mb->mctx);
+	mb->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mb(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_mb(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_mb(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_mb);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static inline bool
+checknames_mb(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_mb);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_mb(ARGS_COMPARE) {
+	return (compare_mb(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MB_7_C */
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
new file mode 100644
index 0000000..59f4115
--- /dev/null
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MB_7_H
+#define GENERIC_MB_7_H 1
+
+
+typedef struct dns_rdata_mb {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mb;
+} dns_rdata_mb_t;
+
+#endif /* GENERIC_MB_7_H */
diff --git a/lib/dns/rdata/generic/md_3.c b/lib/dns/rdata/generic/md_3.c
new file mode 100644
index 0000000..9eefe69
--- /dev/null
+++ b/lib/dns/rdata/generic/md_3.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MD_3_C
+#define RDATA_GENERIC_MD_3_C
+
+#define RRTYPE_MD_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_md(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_md(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_md(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_md(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_md(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_md);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_md(ARGS_FROMSTRUCT) {
+	dns_rdata_md_t *md = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_md);
+	REQUIRE(source != NULL);
+	REQUIRE(md->common.rdtype == type);
+	REQUIRE(md->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&md->md, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_md(ARGS_TOSTRUCT) {
+	dns_rdata_md_t *md = target;
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	md->common.rdclass = rdata->rdclass;
+	md->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&md->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&md->md, NULL);
+	RETERR(name_duporclone(&name, mctx, &md->md));
+	md->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_md(ARGS_FREESTRUCT) {
+	dns_rdata_md_t *md = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(md->common.rdtype == dns_rdatatype_md);
+
+	if (md->mctx == NULL)
+		return;
+
+	dns_name_free(&md->md, md->mctx);
+	md->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_md(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_md(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_md(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_md);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_md(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_md);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_md(ARGS_COMPARE) {
+	return (compare_md(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MD_3_C */
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
new file mode 100644
index 0000000..396c3c9
--- /dev/null
+++ b/lib/dns/rdata/generic/md_3.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MD_3_H
+#define GENERIC_MD_3_H 1
+
+
+typedef struct dns_rdata_md {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		md;
+} dns_rdata_md_t;
+
+
+#endif /* GENERIC_MD_3_H */
diff --git a/lib/dns/rdata/generic/mf_4.c b/lib/dns/rdata/generic/mf_4.c
new file mode 100644
index 0000000..5965981
--- /dev/null
+++ b/lib/dns/rdata/generic/mf_4.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MF_4_C
+#define RDATA_GENERIC_MF_4_C
+
+#define RRTYPE_MF_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mf(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mf(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mf(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mf(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mf(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mf);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mf(ARGS_FROMSTRUCT) {
+	dns_rdata_mf_t *mf = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mf);
+	REQUIRE(source != NULL);
+	REQUIRE(mf->common.rdtype == type);
+	REQUIRE(mf->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mf->mf, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mf(ARGS_TOSTRUCT) {
+	dns_rdata_mf_t *mf = target;
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mf->common.rdclass = rdata->rdclass;
+	mf->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mf->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &r);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&mf->mf, NULL);
+	RETERR(name_duporclone(&name, mctx, &mf->mf));
+	mf->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mf(ARGS_FREESTRUCT) {
+	dns_rdata_mf_t *mf = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(mf->common.rdtype == dns_rdatatype_mf);
+
+	if (mf->mctx == NULL)
+		return;
+	dns_name_free(&mf->mf, mf->mctx);
+	mf->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mf(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_mf(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_mf(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_mf);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_mf(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_mf);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_mf(ARGS_COMPARE) {
+	return (compare_mf(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MF_4_C */
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
new file mode 100644
index 0000000..d882155
--- /dev/null
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MF_4_H
+#define GENERIC_MF_4_H 1
+
+
+typedef struct dns_rdata_mf {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mf;
+} dns_rdata_mf_t;
+
+#endif /* GENERIC_MF_4_H */
diff --git a/lib/dns/rdata/generic/mg_8.c b/lib/dns/rdata/generic/mg_8.c
new file mode 100644
index 0000000..45a38ce
--- /dev/null
+++ b/lib/dns/rdata/generic/mg_8.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MG_8_C
+#define RDATA_GENERIC_MG_8_C
+
+#define RRTYPE_MG_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mg(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mg(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mg(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mg(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mg(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mg);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mg(ARGS_FROMSTRUCT) {
+	dns_rdata_mg_t *mg = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mg);
+	REQUIRE(source != NULL);
+	REQUIRE(mg->common.rdtype == type);
+	REQUIRE(mg->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mg->mg, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mg(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mg_t *mg = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mg->common.rdclass = rdata->rdclass;
+	mg->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mg->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mg->mg, NULL);
+	RETERR(name_duporclone(&name, mctx, &mg->mg));
+	mg->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mg(ARGS_FREESTRUCT) {
+	dns_rdata_mg_t *mg = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(mg->common.rdtype == dns_rdatatype_mg);
+
+	if (mg->mctx == NULL)
+		return;
+	dns_name_free(&mg->mg, mg->mctx);
+	mg->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mg(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	UNUSED(add);
+	UNUSED(arg);
+	UNUSED(rdata);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_mg(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_mg(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_mg);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_ismailbox(name));
+}
+
+static inline bool
+checknames_mg(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_mg);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_mg(ARGS_COMPARE) {
+	return (compare_mg(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MG_8_C */
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
new file mode 100644
index 0000000..0e0380e
--- /dev/null
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MG_8_H
+#define GENERIC_MG_8_H 1
+
+
+typedef struct dns_rdata_mg {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mg;
+} dns_rdata_mg_t;
+
+#endif /* GENERIC_MG_8_H */
diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c
new file mode 100644
index 0000000..23506e2
--- /dev/null
+++ b/lib/dns/rdata/generic/minfo_14.c
@@ -0,0 +1,321 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MINFO_14_C
+#define RDATA_GENERIC_MINFO_14_C
+
+#define RRTYPE_MINFO_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_minfo(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0)
+			ok = dns_name_ismailbox(&name);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_minfo(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	dns_name_fromregion(&email, &region);
+	isc_region_consume(&region, email.length);
+
+	sub = name_prefix(&rmail, tctx->origin, &prefix);
+
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&email, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_minfo(ARGS_FROMWIRE) {
+	dns_name_t rmail;
+	dns_name_t email;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+
+	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+	return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_minfo(ARGS_TOWIRE) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_offsets_t roffsets;
+	dns_offsets_t eoffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&rmail, roffsets);
+	dns_name_init(&email, eoffsets);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, name_length(&rmail));
+
+	RETERR(dns_name_towire(&rmail, cctx, target));
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	return (dns_name_towire(&rmail, cctx, target));
+}
+
+static inline int
+compare_minfo(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_minfo);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	return (order);
+}
+
+static inline isc_result_t
+fromstruct_minfo(ARGS_FROMSTRUCT) {
+	dns_rdata_minfo_t *minfo = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_minfo);
+	REQUIRE(source != NULL);
+	REQUIRE(minfo->common.rdtype == type);
+	REQUIRE(minfo->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&minfo->rmailbox, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&minfo->emailbox, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_minfo(ARGS_TOSTRUCT) {
+	dns_rdata_minfo_t *minfo = target;
+	isc_region_t region;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	minfo->common.rdclass = rdata->rdclass;
+	minfo->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&minfo->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->rmailbox, NULL);
+	RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
+	isc_region_consume(&region, name_length(&name));
+
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&minfo->emailbox, NULL);
+	result = name_duporclone(&name, mctx, &minfo->emailbox);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	minfo->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&minfo->rmailbox, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_minfo(ARGS_FREESTRUCT) {
+	dns_rdata_minfo_t *minfo = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(minfo->common.rdtype == dns_rdatatype_minfo);
+
+	if (minfo->mctx == NULL)
+		return;
+
+	dns_name_free(&minfo->rmailbox, minfo->mctx);
+	dns_name_free(&minfo->emailbox, minfo->mctx);
+	minfo->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_minfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_minfo(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_region_consume(&r, name_length(&name));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_minfo(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_minfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_minfo(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_minfo);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_minfo(ARGS_COMPARE) {
+	return (compare_minfo(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MINFO_14_C */
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
new file mode 100644
index 0000000..10080fb
--- /dev/null
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MINFO_14_H
+#define GENERIC_MINFO_14_H 1
+
+
+typedef struct dns_rdata_minfo {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		rmailbox;
+	dns_name_t		emailbox;
+} dns_rdata_minfo_t;
+
+#endif /* GENERIC_MINFO_14_H */
diff --git a/lib/dns/rdata/generic/mr_9.c b/lib/dns/rdata/generic/mr_9.c
new file mode 100644
index 0000000..edea7b1
--- /dev/null
+++ b/lib/dns/rdata/generic/mr_9.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MR_9_C
+#define RDATA_GENERIC_MR_9_C
+
+#define RRTYPE_MR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mr(ARGS_FROMSTRUCT) {
+	dns_rdata_mr_t *mr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mr);
+	REQUIRE(source != NULL);
+	REQUIRE(mr->common.rdtype == type);
+	REQUIRE(mr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&mr->mr, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mr_t *mr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mr->common.rdclass = rdata->rdclass;
+	mr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mr->mr, NULL);
+	RETERR(name_duporclone(&name, mctx, &mr->mr));
+	mr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mr(ARGS_FREESTRUCT) {
+	dns_rdata_mr_t *mr = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(mr->common.rdtype == dns_rdatatype_mr);
+
+	if (mr->mctx == NULL)
+		return;
+	dns_name_free(&mr->mr, mr->mctx);
+	mr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_mr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_mr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_mr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_mr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_mr);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_mr(ARGS_COMPARE) {
+	return (compare_mr(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MR_9_C */
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
new file mode 100644
index 0000000..888a82f
--- /dev/null
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MR_9_H
+#define GENERIC_MR_9_H 1
+
+
+typedef struct dns_rdata_mr {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		mr;
+} dns_rdata_mr_t;
+
+#endif /* GENERIC_MR_9_H */
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
new file mode 100644
index 0000000..c333740
--- /dev/null
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -0,0 +1,336 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_MX_15_C
+#define RDATA_GENERIC_MX_15_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#include <dns/fixedname.h>
+
+#define RRTYPE_MX_ATTRIBUTES (0)
+
+static bool
+check_mx(isc_token_t *token) {
+	char tmp[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123.")];
+	struct in_addr addr;
+	struct in6_addr addr6;
+
+	if (strlcpy(tmp, DNS_AS_STR(*token), sizeof(tmp)) >= sizeof(tmp))
+		return (true);
+
+	if (tmp[strlen(tmp) - 1] == '.')
+		tmp[strlen(tmp) - 1] = '\0';
+	if (inet_aton(tmp, &addr) == 1 ||
+	    inet_pton(AF_INET6, tmp, &addr6) == 1)
+		return (false);
+
+	return (true);
+}
+
+static inline isc_result_t
+fromtext_mx(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	ok = true;
+	if ((options & DNS_RDATA_CHECKMX) != 0)
+		ok = check_mx(&token);
+	if (!ok && (options & DNS_RDATA_CHECKMXFAIL) != 0)
+		RETTOK(DNS_R_MXISADDRESS);
+	if (!ok && callbacks != NULL)
+		warn_badmx(&token, lexer, callbacks);
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mx(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mx(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mx(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mx(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_mx);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mx(ARGS_FROMSTRUCT) {
+	dns_rdata_mx_t *mx = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_mx);
+	REQUIRE(source != NULL);
+	REQUIRE(mx->common.rdtype == type);
+	REQUIRE(mx->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(mx->pref, target));
+	dns_name_toregion(&mx->mx, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mx(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_mx_t *mx = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	mx->common.rdclass = rdata->rdclass;
+	mx->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&mx->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	mx->pref = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&mx->mx, NULL);
+	RETERR(name_duporclone(&name, mctx, &mx->mx));
+	mx->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mx(ARGS_FREESTRUCT) {
+	dns_rdata_mx_t *mx = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(mx->common.rdtype == dns_rdatatype_mx);
+
+	if (mx->mctx == NULL)
+		return;
+
+	dns_name_free(&mx->mx, mx->mctx);
+	mx->mctx = NULL;
+}
+
+static unsigned char port25_offset[] = { 0, 3 };
+static unsigned char port25_ndata[] = "\003_25\004_tcp";
+static dns_name_t port25 =
+	 DNS_NAME_INITNONABSOLUTE(port25_ndata, port25_offset);
+
+static inline isc_result_t
+additionaldata_mx(ARGS_ADDLDATA) {
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	if (dns_name_equal(&name, dns_rootname))
+		return (ISC_R_SUCCESS);
+
+	result = (add)(arg, &name, dns_rdatatype_a);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_fixedname_init(&fixed);
+	result = dns_name_concatenate(&port25, &name,
+				      dns_fixedname_name(&fixed), NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa));
+}
+
+static inline isc_result_t
+digest_mx(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_mx(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_mx);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_mx(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_mx);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_mx(ARGS_COMPARE) {
+	return (compare_mx(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_MX_15_C */
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
new file mode 100644
index 0000000..ed96beb
--- /dev/null
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_MX_15_H
+#define GENERIC_MX_15_H 1
+
+
+typedef struct dns_rdata_mx {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		pref;
+	dns_name_t		mx;
+} dns_rdata_mx_t;
+
+#endif /* GENERIC_MX_15_H */
diff --git a/lib/dns/rdata/generic/naptr_35.c b/lib/dns/rdata/generic/naptr_35.c
new file mode 100644
index 0000000..80c8f16
--- /dev/null
+++ b/lib/dns/rdata/generic/naptr_35.c
@@ -0,0 +1,662 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2915 */
+
+#ifndef RDATA_GENERIC_NAPTR_35_C
+#define RDATA_GENERIC_NAPTR_35_C
+
+#define RRTYPE_NAPTR_ATTRIBUTES (0)
+
+#include <isc/regex.h>
+
+/*
+ * Check the wire format of the Regexp field.
+ * Don't allow embeded NUL's.
+ */
+static inline isc_result_t
+txt_valid_regex(const unsigned char *txt) {
+	unsigned int nsub = 0;
+	char regex[256];
+	char *cp;
+	bool flags = false;
+	bool replace = false;
+	unsigned char c;
+	unsigned char delim;
+	unsigned int len;
+	int n;
+
+	len = *txt++;
+	if (len == 0U)
+		return (ISC_R_SUCCESS);
+
+	delim = *txt++;
+	len--;
+
+	/*
+	 * Digits, backslash and flags can't be delimiters.
+	 */
+	switch (delim) {
+	case '0': case '1': case '2': case '3': case '4':
+	case '5': case '6': case '7': case '8': case '9':
+	case '\\': case 'i': case 0:
+		return (DNS_R_SYNTAX);
+	}
+
+	cp = regex;
+	while (len-- > 0) {
+		c = *txt++;
+		if (c == 0)
+			return (DNS_R_SYNTAX);
+		if (c == delim && !replace) {
+			replace = true;
+			continue;
+		} else if (c == delim && !flags) {
+			flags = true;
+			continue;
+		} else if (c == delim)
+			return (DNS_R_SYNTAX);
+		/*
+		 * Flags are not escaped.
+		 */
+		if (flags) {
+			switch (c) {
+			case 'i':
+				continue;
+			default:
+				return (DNS_R_SYNTAX);
+			}
+		}
+		if (!replace)
+			*cp++ = c;
+		if (c == '\\') {
+			if (len == 0)
+				return (DNS_R_SYNTAX);
+			c = *txt++;
+			if (c == 0)
+				return (DNS_R_SYNTAX);
+			len--;
+			if (replace)
+				switch (c) {
+				case '0': return (DNS_R_SYNTAX);
+				case '1': if (nsub < 1) nsub = 1; break;
+				case '2': if (nsub < 2) nsub = 2; break;
+				case '3': if (nsub < 3) nsub = 3; break;
+				case '4': if (nsub < 4) nsub = 4; break;
+				case '5': if (nsub < 5) nsub = 5; break;
+				case '6': if (nsub < 6) nsub = 6; break;
+				case '7': if (nsub < 7) nsub = 7; break;
+				case '8': if (nsub < 8) nsub = 8; break;
+				case '9': if (nsub < 9) nsub = 9; break;
+				}
+			if (!replace)
+				*cp++ = c;
+		}
+	}
+	if (!flags)
+		return (DNS_R_SYNTAX);
+	*cp = '\0';
+	n = isc_regex_validate(regex);
+	if (n < 0 || nsub > (unsigned int)n)
+		return (DNS_R_SYNTAX);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromtext_naptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	unsigned char *regex;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Order.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Preference.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Flags.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * Regexp.
+	 */
+	regex = isc_buffer_used(target);
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	RETTOK(txt_valid_regex(regex));
+
+	/*
+	 * Replacement.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_naptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Order.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Preference.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Flags.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Regexp.
+	 */
+	RETERR(txt_totext(&region, true, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_naptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+	unsigned char *regex;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Order, preference.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_buffer_forward(source, 4);
+
+	/*
+	 * Flags.
+	 */
+	RETERR(txt_fromwire(source, target));
+
+	/*
+	 * Service.
+	 */
+	RETERR(txt_fromwire(source, target));
+
+	/*
+	 * Regexp.
+	 */
+	regex = isc_buffer_used(target);
+	RETERR(txt_fromwire(source, target));
+	RETERR(txt_valid_regex(regex));
+
+	/*
+	 * Replacement.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_naptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Order, preference.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(mem_tobuffer(target, sr.base, 4));
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Flags.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Service.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_naptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order, len;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_naptr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	/*
+	 * Order, preference.
+	 */
+	order = memcmp(region1.base, region2.base, 4);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&region1, 4);
+	isc_region_consume(&region2, 4);
+
+	/*
+	 * Flags.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Service.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	len = ISC_MIN(region1.base[0], region2.base[0]);
+	order = memcmp(region1.base, region2.base, len + 1);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&region1, region1.base[0] + 1);
+	isc_region_consume(&region2, region2.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_naptr(ARGS_FROMSTRUCT) {
+	dns_rdata_naptr_t *naptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_naptr);
+	REQUIRE(source != NULL);
+	REQUIRE(naptr->common.rdtype == type);
+	REQUIRE(naptr->common.rdclass == rdclass);
+	REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
+	REQUIRE(naptr->service != NULL || naptr->service_len == 0);
+	REQUIRE(naptr->regexp != NULL || naptr->regexp_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(naptr->order, target));
+	RETERR(uint16_tobuffer(naptr->preference, target));
+	RETERR(uint8_tobuffer(naptr->flags_len, target));
+	RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
+	RETERR(uint8_tobuffer(naptr->service_len, target));
+	RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
+	RETERR(uint8_tobuffer(naptr->regexp_len, target));
+	RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
+	dns_name_toregion(&naptr->replacement, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_naptr(ARGS_TOSTRUCT) {
+	dns_rdata_naptr_t *naptr = target;
+	isc_region_t r;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	naptr->common.rdclass = rdata->rdclass;
+	naptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&naptr->common, link);
+
+	naptr->flags = NULL;
+	naptr->service = NULL;
+	naptr->regexp = NULL;
+
+	dns_rdata_toregion(rdata, &r);
+
+	naptr->order = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+
+	naptr->preference = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+
+	naptr->flags_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->flags_len <= r.length);
+	naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
+	if (naptr->flags == NULL)
+		goto cleanup;
+	isc_region_consume(&r, naptr->flags_len);
+
+	naptr->service_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->service_len <= r.length);
+	naptr->service = mem_maybedup(mctx, r.base, naptr->service_len);
+	if (naptr->service == NULL)
+		goto cleanup;
+	isc_region_consume(&r, naptr->service_len);
+
+	naptr->regexp_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	INSIST(naptr->regexp_len <= r.length);
+	naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
+	if (naptr->regexp == NULL)
+		goto cleanup;
+	isc_region_consume(&r, naptr->regexp_len);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	dns_name_init(&naptr->replacement, NULL);
+	result = name_duporclone(&name, mctx, &naptr->replacement);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	naptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL && naptr->flags != NULL)
+		isc_mem_free(mctx, naptr->flags);
+	if (mctx != NULL && naptr->service != NULL)
+		isc_mem_free(mctx, naptr->service);
+	if (mctx != NULL && naptr->regexp != NULL)
+		isc_mem_free(mctx, naptr->regexp);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_naptr(ARGS_FREESTRUCT) {
+	dns_rdata_naptr_t *naptr = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(naptr->common.rdtype == dns_rdatatype_naptr);
+
+	if (naptr->mctx == NULL)
+		return;
+
+	if (naptr->flags != NULL)
+		isc_mem_free(naptr->mctx, naptr->flags);
+	if (naptr->service != NULL)
+		isc_mem_free(naptr->mctx, naptr->service);
+	if (naptr->regexp != NULL)
+		isc_mem_free(naptr->mctx, naptr->regexp);
+	dns_name_free(&naptr->replacement, naptr->mctx);
+	naptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_naptr(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+	dns_rdatatype_t atype;
+	unsigned int i, flagslen;
+	char *cp;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	/*
+	 * Order, preference.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Flags.
+	 */
+	atype = 0;
+	flagslen = sr.base[0];
+	cp = (char *)&sr.base[1];
+	for (i = 0; i < flagslen; i++, cp++) {
+		if (*cp == 'S' || *cp == 's') {
+			atype = dns_rdatatype_srv;
+			break;
+		}
+		if (*cp == 'A' || *cp == 'a') {
+			atype = dns_rdatatype_a;
+			break;
+		}
+	}
+	isc_region_consume(&sr, flagslen + 1);
+
+	/*
+	 * Service.
+	 */
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Regexp.
+	 */
+	isc_region_consume(&sr, sr.base[0] + 1);
+
+	/*
+	 * Replacement.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+
+	if (atype != 0)
+		return ((add)(arg, &name, atype));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_naptr(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	unsigned int length, n;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	length = 0;
+
+	/*
+	 * Order, preference.
+	 */
+	length += 4;
+	isc_region_consume(&r2, 4);
+
+	/*
+	 * Flags.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Service.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Regexp.
+	 */
+	n = r2.base[0] + 1;
+	length += n;
+	isc_region_consume(&r2, n);
+
+	/*
+	 * Digest the RR up to the replacement name.
+	 */
+	r1.length = length;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Replacement.
+	 */
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_naptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_naptr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_naptr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_naptr);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_naptr(ARGS_COMPARE) {
+	return (compare_naptr(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NAPTR_35_C */
diff --git a/lib/dns/rdata/generic/naptr_35.h b/lib/dns/rdata/generic/naptr_35.h
new file mode 100644
index 0000000..e72b609
--- /dev/null
+++ b/lib/dns/rdata/generic/naptr_35.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NAPTR_35_H
+#define GENERIC_NAPTR_35_H 1
+
+
+/*!
+ *  \brief Per RFC2915 */
+
+typedef struct dns_rdata_naptr {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		order;
+	uint16_t		preference;
+	char			*flags;
+	uint8_t		flags_len;
+	char			*service;
+	uint8_t		service_len;
+	char			*regexp;
+	uint8_t		regexp_len;
+	dns_name_t		replacement;
+} dns_rdata_naptr_t;
+
+#endif /* GENERIC_NAPTR_35_H */
diff --git a/lib/dns/rdata/generic/nid_104.c b/lib/dns/rdata/generic/nid_104.c
new file mode 100644
index 0000000..fee61fd
--- /dev/null
+++ b/lib/dns/rdata/generic/nid_104.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NID_104_C
+#define RDATA_GENERIC_NID_104_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_NID_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_nid(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char locator[NS_LOCATORSZ];
+
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (locator_pton(DNS_AS_STR(token), locator) != 1)
+		RETTOK(DNS_R_SYNTAX);
+	return (mem_tobuffer(target, locator, NS_LOCATORSZ));
+}
+
+static inline isc_result_t
+totext_nid(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xxxx:xxxx:xxxx:xxxx")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0]<<8 | region.base[1],
+		 region.base[2]<<8 | region.base[3],
+		 region.base[4]<<8 | region.base[5],
+		 region.base[6]<<8 | region.base[7]);
+	return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_nid(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(type);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length != 10)
+		return (DNS_R_FORMERR);
+	isc_buffer_forward(source, sregion.length);
+	return (mem_tobuffer(target, sregion.base, sregion.length));
+}
+
+static inline isc_result_t
+towire_nid(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_nid(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nid);
+	REQUIRE(rdata1->length == 10);
+	REQUIRE(rdata2->length == 10);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_nid(ARGS_FROMSTRUCT) {
+	dns_rdata_nid_t *nid = source;
+
+	REQUIRE(type == dns_rdatatype_nid);
+	REQUIRE(source != NULL);
+	REQUIRE(nid->common.rdtype == type);
+	REQUIRE(nid->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(nid->pref, target));
+	return (mem_tobuffer(target, nid->nid, sizeof(nid->nid)));
+}
+
+static inline isc_result_t
+tostruct_nid(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nid_t *nid = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(mctx);
+
+	nid->common.rdclass = rdata->rdclass;
+	nid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nid->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	nid->pref = uint16_fromregion(&region);
+	memmove(nid->nid, region.base, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_nid(ARGS_FREESTRUCT) {
+	dns_rdata_nid_t *nid = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nid->common.rdtype == dns_rdatatype_nid);
+
+	return;
+}
+
+static inline isc_result_t
+additionaldata_nid(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_nid(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_nid);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_nid(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nid);
+	REQUIRE(rdata->length == 10);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_nid(ARGS_COMPARE) {
+	return (compare_nid(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NID_104_C */
diff --git a/lib/dns/rdata/generic/nid_104.h b/lib/dns/rdata/generic/nid_104.h
new file mode 100644
index 0000000..9362e2b
--- /dev/null
+++ b/lib/dns/rdata/generic/nid_104.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NID_104_H
+#define GENERIC_NID_104_H 1
+
+typedef struct dns_rdata_nid {
+	dns_rdatacommon_t	common;
+	uint16_t		pref;
+	unsigned char		nid[8];
+} dns_rdata_nid_t;
+
+#endif /* GENERIC_NID_104_H */
diff --git a/lib/dns/rdata/generic/ninfo_56.c b/lib/dns/rdata/generic/ninfo_56.c
new file mode 100644
index 0000000..fe8957a
--- /dev/null
+++ b/lib/dns/rdata/generic/ninfo_56.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NINFO_56_C
+#define RDATA_GENERIC_NINFO_56_C
+
+#define RRTYPE_NINFO_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ninfo(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
+				     target, callbacks));
+}
+
+static inline isc_result_t
+totext_ninfo(ARGS_TOTEXT) {
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	return (generic_totext_txt(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_ninfo(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
+				     target));
+}
+
+static inline isc_result_t
+towire_ninfo(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_ninfo(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ninfo);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_ninfo(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	return (generic_fromstruct_txt(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_ninfo(ARGS_TOSTRUCT) {
+	dns_rdata_ninfo_t *txt = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	txt->common.rdclass = rdata->rdclass;
+	txt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&txt->common, link);
+
+	return (generic_tostruct_txt(rdata, target, mctx));
+}
+
+static inline void
+freestruct_ninfo(ARGS_FREESTRUCT) {
+	dns_rdata_ninfo_t *ninfo = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	generic_freestruct_txt(source);
+}
+
+static inline isc_result_t
+additionaldata_ninfo(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ninfo(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_ninfo(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ninfo);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_ninfo(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ninfo);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_ninfo(ARGS_COMPARE) {
+	return (compare_ninfo(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdata_ninfo_first(dns_rdata_ninfo_t *ninfo) {
+
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_first(ninfo));
+}
+
+isc_result_t
+dns_rdata_ninfo_next(dns_rdata_ninfo_t *ninfo) {
+
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_next(ninfo));
+}
+
+isc_result_t
+dns_rdata_ninfo_current(dns_rdata_ninfo_t *ninfo,
+			dns_rdata_ninfo_string_t *string)
+{
+
+	REQUIRE(ninfo != NULL);
+	REQUIRE(ninfo->common.rdtype == dns_rdatatype_ninfo);
+
+	return (generic_txt_current(ninfo, string));
+}
+#endif	/* RDATA_GENERIC_NINFO_56_C */
diff --git a/lib/dns/rdata/generic/ninfo_56.h b/lib/dns/rdata/generic/ninfo_56.h
new file mode 100644
index 0000000..68e9212
--- /dev/null
+++ b/lib/dns/rdata/generic/ninfo_56.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NINFO_56_H
+#define GENERIC_NINFO_56_H 1
+
+typedef struct dns_rdata_txt_string dns_rdata_ninfo_string_t;
+
+typedef struct dns_rdata_txt dns_rdata_ninfo_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_ninfo_first(dns_rdata_ninfo_t *);
+
+isc_result_t
+dns_rdata_ninfo_next(dns_rdata_ninfo_t *);
+
+isc_result_t
+dns_rdata_ninfo_current(dns_rdata_ninfo_t *, dns_rdata_ninfo_string_t *);
+
+#endif /* GENERIC_NINFO_16_H */
diff --git a/lib/dns/rdata/generic/ns_2.c b/lib/dns/rdata/generic/ns_2.c
new file mode 100644
index 0000000..7f3979f
--- /dev/null
+++ b/lib/dns/rdata/generic/ns_2.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NS_2_C
+#define RDATA_GENERIC_NS_2_C
+
+#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
+
+static inline isc_result_t
+fromtext_ns(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token,isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_ns(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_ns(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_ns(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_ns(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ns);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_ns(ARGS_FROMSTRUCT) {
+	dns_rdata_ns_t *ns = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ns);
+	REQUIRE(source != NULL);
+	REQUIRE(ns->common.rdtype == type);
+	REQUIRE(ns->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&ns->name, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_ns(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ns_t *ns = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	ns->common.rdclass = rdata->rdclass;
+	ns->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ns->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&ns->name, NULL);
+	RETERR(name_duporclone(&name, mctx, &ns->name));
+	ns->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ns(ARGS_FREESTRUCT) {
+	dns_rdata_ns_t *ns = source;
+
+	REQUIRE(source != NULL);
+
+	if (ns->mctx == NULL)
+		return;
+
+	dns_name_free(&ns->name, ns->mctx);
+	ns->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ns(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_ns(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_ns(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ns);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_ns(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ns);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_ns(ARGS_COMPARE) {
+	return (compare_ns(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NS_2_C */
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
new file mode 100644
index 0000000..db9b6c0
--- /dev/null
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NS_2_H
+#define GENERIC_NS_2_H 1
+
+
+typedef struct dns_rdata_ns {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		name;
+} dns_rdata_ns_t;
+
+
+#endif /* GENERIC_NS_2_H */
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
new file mode 100644
index 0000000..1aedf22
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3_50_C
+#define RDATA_GENERIC_NSEC3_50_C
+
+#include <isc/iterated_hash.h>
+#include <isc/base32.h>
+
+#define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
+
+static inline isc_result_t
+fromtext_nsec3(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int flags;
+	unsigned char hashalg;
+	isc_buffer_t b;
+	unsigned char buf[256];
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	flags = token.value.as_ulong;
+	if (flags > 255U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* salt */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (token.value.as_textregion.length > (255*2))
+		RETTOK(DNS_R_TEXTTOOLONG);
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	/*
+	 * Next hash a single base32hex word.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	isc_buffer_init(&b, buf, sizeof(buf));
+	RETTOK(isc_base32hexnp_decodestring(DNS_AS_STR(token), &b));
+	if (isc_buffer_usedlength(&b) > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(isc_buffer_usedlength(&b), target));
+	RETERR(mem_tobuffer(target, &buf, isc_buffer_usedlength(&b)));
+
+	return (typemap_fromtext(lexer, target, true));
+}
+
+static inline isc_result_t
+totext_nsec3(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("TYPE65535")];
+	uint32_t iterations;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Hash */
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	/* Flags */
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	/* Iterations */
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	/* Salt */
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+	} else
+		RETERR(str_totext("-", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/* Next hash */
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	i = sr.length;
+	sr.length = j;
+	RETERR(isc_base32hexnp_totext(&sr, 1, "", target));
+	sr.length = i - j;
+
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0) && (sr.length > 0)) {
+		RETERR(str_totext(" ", target));
+	}
+	RETERR(typemap_totext(&sr, tctx, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nsec3(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int saltlen, hashlen;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iteration(2), saltlen(1) */
+	if (sr.length < 5U)
+		RETERR(DNS_R_FORMERR);
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length < saltlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, saltlen);
+
+	if (sr.length < 1U)
+		RETERR(DNS_R_FORMERR);
+	hashlen = sr.base[0];
+	isc_region_consume(&sr, 1);
+
+	if (sr.length < hashlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, hashlen);
+
+	RETERR(typemap_test(&sr, true));
+
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec3(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec3(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec3);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec3(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3->common.rdtype == type);
+	REQUIRE(nsec3->common.rdclass == rdclass);
+	REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
+	REQUIRE(nsec3->hash == dns_hash_sha1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3->hash, target));
+	RETERR(uint8_tobuffer(nsec3->flags, target));
+	RETERR(uint16_tobuffer(nsec3->iterations, target));
+	RETERR(uint8_tobuffer(nsec3->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3->salt, nsec3->salt_length));
+	RETERR(uint8_tobuffer(nsec3->next_length, target));
+	RETERR(mem_tobuffer(target, nsec3->next, nsec3->next_length));
+
+	region.base = nsec3->typebits;
+	region.length = nsec3->len;
+	RETERR(typemap_test(&region, true));
+	return (mem_tobuffer(target, nsec3->typebits, nsec3->len));
+}
+
+static inline isc_result_t
+tostruct_nsec3(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3_t *nsec3 = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3->common.rdclass = rdata->rdclass;
+	nsec3->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3->hash = uint8_consume_fromregion(&region);
+	nsec3->flags = uint8_consume_fromregion(&region);
+	nsec3->iterations = uint16_consume_fromregion(&region);
+
+	nsec3->salt_length = uint8_consume_fromregion(&region);
+	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
+	if (nsec3->salt == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, nsec3->salt_length);
+
+	nsec3->next_length = uint8_consume_fromregion(&region);
+	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
+	if (nsec3->next == NULL)
+		goto cleanup;
+	isc_region_consume(&region, nsec3->next_length);
+
+	nsec3->len = region.length;
+	nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec3->typebits == NULL)
+		goto cleanup;
+
+	nsec3->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	if (nsec3->next != NULL)
+		isc_mem_free(mctx, nsec3->next);
+	isc_mem_free(mctx, nsec3->salt);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nsec3(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3->common.rdtype == dns_rdatatype_nsec3);
+
+	if (nsec3->mctx == NULL)
+		return;
+
+	if (nsec3->salt != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->salt);
+	if (nsec3->next != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->next);
+	if (nsec3->typebits != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->typebits);
+	nsec3->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec3(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec3(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_nsec3(ARGS_CHECKOWNER) {
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	isc_buffer_t buffer;
+	dns_label_t label;
+
+	REQUIRE(type == dns_rdatatype_nsec3);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	/*
+	 * First label is a base32hex string without padding.
+	 */
+	dns_name_getlabel(name, 0, &label);
+	isc_region_consume(&label, 1);
+	isc_buffer_init(&buffer, owner, sizeof(owner));
+	if (isc_base32hexnp_decoderegion(&label, &buffer) == ISC_R_SUCCESS)
+		return (true);
+
+	return (false);
+}
+
+static inline bool
+checknames_nsec3(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_nsec3(ARGS_COMPARE) {
+	return (compare_nsec3(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NSEC3_50_C */
diff --git a/lib/dns/rdata/generic/nsec3_50.h b/lib/dns/rdata/generic/nsec3_50.h
new file mode 100644
index 0000000..36b9695
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_NSEC3_50_H
+#define GENERIC_NSEC3_50_H 1
+
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3 {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_hash_t		hash;
+	unsigned char		flags;
+	dns_iterations_t	iterations;
+	unsigned char		salt_length;
+	unsigned char		next_length;
+	uint16_t		len;
+	unsigned char		*salt;
+	unsigned char		*next;
+	unsigned char		*typebits;
+} dns_rdata_nsec3_t;
+
+/*
+ * The corresponding NSEC3 interval is OPTOUT indicating possible
+ * insecure delegations.
+ */
+#define DNS_NSEC3FLAG_OPTOUT 0x01U
+
+/*%
+ * The following flags are used in the private-type record (implemented in
+ * lib/dns/private.c) which is used to store NSEC3PARAM data during the
+ * time when it is not legal to have an actual NSEC3PARAM record in the
+ * zone.  They are defined here because the private-type record uses the
+ * same flags field for the OPTOUT flag above and for the private flags
+ * below.  XXX: This should be considered for refactoring.
+ */
+
+/*%
+ * Non-standard, private type only.
+ *
+ * Create a corresponding NSEC3 chain.
+ * Once the NSEC3 chain is complete this flag will be removed to signal
+ * that there is a complete chain.
+ *
+ * This flag is automatically set when a NSEC3PARAM record is added to
+ * the zone via UPDATE.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_CREATE 0x80U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * The corresponding NSEC3 set is to be removed once the NSEC chain
+ * has been generated.
+ *
+ * This flag is automatically set when the last active NSEC3PARAM record
+ * is removed from the zone via UPDATE.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_REMOVE 0x40U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * When set with the CREATE flag, a corresponding NSEC3 chain will be
+ * created when the zone becomes capable of supporting one (i.e., when it
+ * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
+ * Without this flag, NSEC3 chain creation would be attempted immediately,
+ * fail, and the private type record would be removed.  With it, the NSEC3
+ * parameters are stored until they can be used.  When the zone has the
+ * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
+ * and the record will be cleaned up normally.
+ *
+ * NSEC3PARAM records containing this flag should never be published, but
+ * if they are, they should be ignored by RFC 5155 compliant nameservers.
+ */
+#define DNS_NSEC3FLAG_INITIAL 0x20U
+
+/*%
+ * Non-standard, private type only.
+ *
+ * Prevent the creation of a NSEC chain before the last NSEC3 chain
+ * is removed.  This will normally only be set when the zone is
+ * transitioning from secure with NSEC3 chains to insecure.
+ *
+ * NSEC3PARAM records containing this flag should never be published,
+ * but if they are, they should be ignored by RFC 5155 compliant
+ * nameservers.
+ */
+#define DNS_NSEC3FLAG_NONSEC 0x10U
+
+#endif /* GENERIC_NSEC3_50_H */
diff --git a/lib/dns/rdata/generic/nsec3param_51.c b/lib/dns/rdata/generic/nsec3param_51.c
new file mode 100644
index 0000000..8a24dee
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3PARAM_51_C
+#define RDATA_GENERIC_NSEC3PARAM_51_C
+
+#include <isc/iterated_hash.h>
+#include <isc/base32.h>
+
+#define RRTYPE_NSEC3PARAM_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_nsec3param(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int flags = 0;
+	unsigned char hashalg;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	flags = token.value.as_ulong;
+	if (flags > 255U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* Salt. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (token.value.as_textregion.length > (255*2))
+		RETTOK(DNS_R_TEXTTOOLONG);
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_nsec3param(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("65535 ")];
+	uint32_t iterations;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	snprintf(buf, sizeof(buf), "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	snprintf(buf, sizeof(buf), "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	snprintf(buf, sizeof(buf), "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+	} else
+		RETERR(str_totext("-", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nsec3param(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int saltlen;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iterations(2), saltlen(1) */
+	if (sr.length < 5U)
+		RETERR(DNS_R_FORMERR);
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length < saltlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, saltlen);
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec3param(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec3param(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec3param);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec3param(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(type == dns_rdatatype_nsec3param);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3param->common.rdtype == type);
+	REQUIRE(nsec3param->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3param->hash, target));
+	RETERR(uint8_tobuffer(nsec3param->flags, target));
+	RETERR(uint16_tobuffer(nsec3param->iterations, target));
+	RETERR(uint8_tobuffer(nsec3param->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3param->salt,
+			    nsec3param->salt_length));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+tostruct_nsec3param(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3param_t *nsec3param = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3param->common.rdclass = rdata->rdclass;
+	nsec3param->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3param->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3param->hash = uint8_consume_fromregion(&region);
+	nsec3param->flags = uint8_consume_fromregion(&region);
+	nsec3param->iterations = uint16_consume_fromregion(&region);
+
+	nsec3param->salt_length = uint8_consume_fromregion(&region);
+	nsec3param->salt = mem_maybedup(mctx, region.base,
+					nsec3param->salt_length);
+	if (nsec3param->salt == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, nsec3param->salt_length);
+
+	nsec3param->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_nsec3param(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3param->common.rdtype == dns_rdatatype_nsec3param);
+
+	if (nsec3param->mctx == NULL)
+		return;
+
+	if (nsec3param->salt != NULL)
+		isc_mem_free(nsec3param->mctx, nsec3param->salt);
+	nsec3param->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec3param(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec3param(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_nsec3param(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == dns_rdatatype_nsec3param);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (true);
+}
+
+static inline bool
+checknames_nsec3param(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec3param);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_nsec3param(ARGS_COMPARE) {
+	return (compare_nsec3param(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NSEC3PARAM_51_C */
diff --git a/lib/dns/rdata/generic/nsec3param_51.h b/lib/dns/rdata/generic/nsec3param_51.h
new file mode 100644
index 0000000..b8bc375
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_NSEC3PARAM_51_H
+#define GENERIC_NSEC3PARAM_51_H 1
+
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3param {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_hash_t		hash;
+	unsigned char		flags;		/* DNS_NSEC3FLAG_* */
+	dns_iterations_t	iterations;
+	unsigned char		salt_length;
+	unsigned char		*salt;
+} dns_rdata_nsec3param_t;
+
+#endif /* GENERIC_NSEC3PARAM_51_H */
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
new file mode 100644
index 0000000..05e575b
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -0,0 +1,282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC 3845 */
+
+#ifndef RDATA_GENERIC_NSEC_47_C
+#define RDATA_GENERIC_NSEC_47_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NSEC pair.
+ */
+#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_nsec(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Next domain.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	return (typemap_fromtext(lexer, target, false));
+}
+
+static inline isc_result_t
+totext_nsec(ARGS_TOTEXT) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_totext(&name, false, target));
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
+	return (typemap_totext(&sr, NULL, target));
+}
+
+static /* inline */ isc_result_t
+fromwire_nsec(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	RETERR(typemap_test(&sr, false));
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsec);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec->common.rdtype == type);
+	REQUIRE(nsec->common.rdclass == rdclass);
+	REQUIRE(nsec->typebits != NULL || nsec->len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nsec->next, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	region.base = nsec->typebits;
+	region.length = nsec->len;
+	RETERR(typemap_test(&region, false));
+	return (mem_tobuffer(target, nsec->typebits, nsec->len));
+}
+
+static inline isc_result_t
+tostruct_nsec(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec_t *nsec = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec->common.rdclass = rdata->rdclass;
+	nsec->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&nsec->next, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsec->next));
+
+	nsec->len = region.length;
+	nsec->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec->typebits == NULL)
+		goto cleanup;
+
+	nsec->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&nsec->next, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nsec(ARGS_FREESTRUCT) {
+	dns_rdata_nsec_t *nsec = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec->common.rdtype == dns_rdatatype_nsec);
+
+	if (nsec->mctx == NULL)
+		return;
+
+	dns_name_free(&nsec->next, nsec->mctx);
+	if (nsec->typebits != NULL)
+		isc_mem_free(nsec->mctx, nsec->typebits);
+	nsec->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_nsec(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == dns_rdatatype_nsec);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (true);
+}
+
+static inline bool
+checknames_nsec(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nsec);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_nsec(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsec);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+#endif	/* RDATA_GENERIC_NSEC_47_C */
diff --git a/lib/dns/rdata/generic/nsec_47.h b/lib/dns/rdata/generic/nsec_47.h
new file mode 100644
index 0000000..b597864
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NSEC_47_H
+#define GENERIC_NSEC_47_H 1
+
+
+/*!
+ * \brief Per RFC 3845 */
+
+typedef struct dns_rdata_nsec {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		next;
+	unsigned char		*typebits;
+	uint16_t		len;
+} dns_rdata_nsec_t;
+
+#endif /* GENERIC_NSEC_47_H */
diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c
new file mode 100644
index 0000000..624adad
--- /dev/null
+++ b/lib/dns/rdata/generic/null_10.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_NULL_10_C
+#define RDATA_GENERIC_NULL_10_C
+
+#define RRTYPE_NULL_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_null(ARGS_FROMTEXT) {
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(rdclass);
+	UNUSED(type);
+	UNUSED(lexer);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(target);
+	UNUSED(callbacks);
+
+	return (DNS_R_SYNTAX);
+}
+
+static inline isc_result_t
+totext_null(ARGS_TOTEXT) {
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	return (unknown_totext(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_null(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_null(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_null(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_null);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_null(ARGS_FROMSTRUCT) {
+	dns_rdata_null_t *null = source;
+
+	REQUIRE(type == dns_rdatatype_null);
+	REQUIRE(source != NULL);
+	REQUIRE(null->common.rdtype == type);
+	REQUIRE(null->common.rdclass == rdclass);
+	REQUIRE(null->data != NULL || null->length == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, null->data, null->length));
+}
+
+static inline isc_result_t
+tostruct_null(ARGS_TOSTRUCT) {
+	dns_rdata_null_t *null = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+	REQUIRE(target != NULL);
+
+	null->common.rdclass = rdata->rdclass;
+	null->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&null->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	null->length = r.length;
+	null->data = mem_maybedup(mctx, r.base, r.length);
+	if (null->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	null->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_null(ARGS_FREESTRUCT) {
+	dns_rdata_null_t *null = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(null->common.rdtype == dns_rdatatype_null);
+
+	if (null->mctx == NULL)
+		return;
+
+	if (null->data != NULL)
+		isc_mem_free(null->mctx, null->data);
+	null->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_null(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_null(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_null(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_null);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_null(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_null);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_null(ARGS_COMPARE) {
+	return (compare_null(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_NULL_10_C */
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
new file mode 100644
index 0000000..0b01dd8
--- /dev/null
+++ b/lib/dns/rdata/generic/null_10.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_NULL_10_H
+#define GENERIC_NULL_10_H 1
+
+
+typedef struct dns_rdata_null {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		length;
+	unsigned char		*data;
+} dns_rdata_null_t;
+
+
+#endif /* GENERIC_NULL_10_H */
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
new file mode 100644
index 0000000..91a95b7
--- /dev/null
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_NXT_30_C
+#define RDATA_GENERIC_NXT_30_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NXT pair.
+ */
+#define RRTYPE_NXT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_nxt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	char *e;
+	unsigned char bm[8*1024]; /* 64k bits */
+	dns_rdatatype_t covered;
+	dns_rdatatype_t maxcovered = 0;
+	bool first = true;
+	long n;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Next domain.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string)
+			break;
+		n = strtol(DNS_AS_STR(token), &e, 10);
+		if (e != DNS_AS_STR(token) && *e == '\0') {
+			covered = (dns_rdatatype_t)n;
+		} else if (dns_rdatatype_fromtext(&covered,
+				&token.value.as_textregion) == DNS_R_UNKNOWN)
+			RETTOK(DNS_R_UNKNOWN);
+		/*
+		 * NXT is only specified for types 1..127.
+		 */
+		if (covered < 1 || covered > 127)
+			return (ISC_R_RANGE);
+		if (first || covered > maxcovered)
+			maxcovered = covered;
+		first = false;
+		bm[covered/8] |= (0x80>>(covered%8));
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	if (first)
+		return (ISC_R_SUCCESS);
+	n = (maxcovered + 8) / 8;
+	return (mem_tobuffer(target, bm, n));
+}
+
+static inline isc_result_t
+totext_nxt(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	for (i = 0; i < sr.length; i++) {
+		if (sr.base[i] != 0)
+			for (j = 0; j < 8; j++)
+				if ((sr.base[i] & (0x80 >> j)) != 0) {
+					dns_rdatatype_t t = i * 8 + j;
+					RETERR(str_totext(" ", target));
+					if (dns_rdatatype_isknown(t)) {
+						RETERR(dns_rdatatype_totext(t,
+								      target));
+					} else {
+						char buf[sizeof("65535")];
+						snprintf(buf, sizeof(buf),
+							 "%u", t);
+						RETERR(str_totext(buf,
+								  target));
+					}
+				}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nxt(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
+	    ((sr.length > 16) || sr.base[sr.length - 1] == 0))
+		return (DNS_R_BADBITMAP);
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nxt(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nxt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nxt);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nxt(ARGS_FROMSTRUCT) {
+	dns_rdata_nxt_t *nxt = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nxt);
+	REQUIRE(source != NULL);
+	REQUIRE(nxt->common.rdtype == type);
+	REQUIRE(nxt->common.rdclass == rdclass);
+	REQUIRE(nxt->typebits != NULL || nxt->len == 0);
+	if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
+		REQUIRE(nxt->len <= 16);
+		REQUIRE(nxt->typebits[nxt->len - 1] != 0);
+	}
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nxt->next, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+
+	return (mem_tobuffer(target, nxt->typebits, nxt->len));
+}
+
+static inline isc_result_t
+tostruct_nxt(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nxt_t *nxt = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nxt->common.rdclass = rdata->rdclass;
+	nxt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nxt->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&nxt->next, NULL);
+	RETERR(name_duporclone(&name, mctx, &nxt->next));
+
+	nxt->len = region.length;
+	nxt->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nxt->typebits == NULL)
+		goto cleanup;
+
+	nxt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&nxt->next, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nxt(ARGS_FREESTRUCT) {
+	dns_rdata_nxt_t *nxt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nxt->common.rdtype == dns_rdatatype_nxt);
+
+	if (nxt->mctx == NULL)
+		return;
+
+	dns_name_free(&nxt->next, nxt->mctx);
+	if (nxt->typebits != NULL)
+		isc_mem_free(nxt->mctx, nxt->typebits);
+	nxt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nxt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nxt(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_region_consume(&r, name_length(&name));
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_nxt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_nxt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_nxt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nxt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_nxt(ARGS_COMPARE) {
+	return (compare_nxt(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_NXT_30_C */
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
new file mode 100644
index 0000000..63bbc0f
--- /dev/null
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_NXT_30_H
+#define GENERIC_NXT_30_H 1
+
+
+/*!
+ *  \brief RFC2535 */
+
+typedef struct dns_rdata_nxt {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		next;
+	unsigned char		*typebits;
+	uint16_t		len;
+} dns_rdata_nxt_t;
+
+#endif /* GENERIC_NXT_30_H */
diff --git a/lib/dns/rdata/generic/openpgpkey_61.c b/lib/dns/rdata/generic/openpgpkey_61.c
new file mode 100644
index 0000000..52c87d4
--- /dev/null
+++ b/lib/dns/rdata/generic/openpgpkey_61.c
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_OPENPGPKEY_61_C
+#define RDATA_GENERIC_OPENPGPKEY_61_C
+
+#define RRTYPE_OPENPGPKEY_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_openpgpkey(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(options);
+	UNUSED(origin);
+
+	/*
+	 * Keyring.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_openpgpkey(ARGS_TOTEXT) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Keyring
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( ", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+	} else
+		RETERR(str_totext("[omitted]", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_openpgpkey(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Keyring.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_openpgpkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_openpgpkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_openpgpkey(ARGS_FROMSTRUCT) {
+	dns_rdata_openpgpkey_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->keyring != NULL && sig->length != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Keyring.
+	 */
+	return (mem_tobuffer(target, sig->keyring, sig->length));
+}
+
+static inline isc_result_t
+tostruct_openpgpkey(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_openpgpkey_t *sig = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Keyring.
+	 */
+	sig->length = sr.length;
+	sig->keyring = mem_maybedup(mctx, sr.base, sig->length);
+	if (sig->keyring == NULL)
+		goto cleanup;
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_openpgpkey(ARGS_FREESTRUCT) {
+	dns_rdata_openpgpkey_t *sig = (dns_rdata_openpgpkey_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_openpgpkey);
+
+	if (sig->mctx == NULL)
+		return;
+
+	if (sig->keyring != NULL)
+		isc_mem_free(sig->mctx, sig->keyring);
+	sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_openpgpkey(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_openpgpkey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_openpgpkey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_openpgpkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_openpgpkey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_openpgpkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_openpgpkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_openpgpkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif	/* RDATA_GENERIC_OPENPGPKEY_61_C */
diff --git a/lib/dns/rdata/generic/openpgpkey_61.h b/lib/dns/rdata/generic/openpgpkey_61.h
new file mode 100644
index 0000000..7c68e7f
--- /dev/null
+++ b/lib/dns/rdata/generic/openpgpkey_61.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_OPENPGPKEY_61_H
+#define GENERIC_OPENPGPKEY_61_H 1
+
+typedef struct dns_rdata_openpgpkey {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint16_t		length;
+	unsigned char *		keyring;
+} dns_rdata_openpgpkey_t;
+
+#endif /* GENERIC_OPENPGPKEY_61_H */
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
new file mode 100644
index 0000000..b102cf2
--- /dev/null
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -0,0 +1,413 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2671 */
+
+#ifndef RDATA_GENERIC_OPT_41_C
+#define RDATA_GENERIC_OPT_41_C
+
+#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
+			       DNS_RDATATYPEATTR_META | \
+			       DNS_RDATATYPEATTR_NOTQUESTION)
+
+static inline isc_result_t
+fromtext_opt(ARGS_FROMTEXT) {
+	/*
+	 * OPT records do not have a text format.
+	 */
+
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(lexer);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(target);
+	UNUSED(callbacks);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+totext_opt(ARGS_TOTEXT) {
+	isc_region_t r;
+	isc_region_t or;
+	uint16_t option;
+	uint16_t length;
+	char buf[sizeof("64000 64000")];
+
+	/*
+	 * OPT records do not have a text format.
+	 */
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	dns_rdata_toregion(rdata, &r);
+	while (r.length > 0) {
+		option = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		length = uint16_fromregion(&r);
+		isc_region_consume(&r, 2);
+		snprintf(buf, sizeof(buf), "%u %u", option, length);
+		RETERR(str_totext(buf, target));
+		INSIST(r.length >= length);
+		if (length > 0) {
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+				RETERR(str_totext(" (", target));
+			RETERR(str_totext(tctx->linebreak, target));
+			or = r;
+			or.length = length;
+			if (tctx->width == 0)   /* No splitting */
+				RETERR(isc_base64_totext(&or, 60, "", target));
+			else
+				RETERR(isc_base64_totext(&or, tctx->width - 2,
+							 tctx->linebreak,
+							 target));
+			isc_region_consume(&r, length);
+			if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+				RETERR(str_totext(" )", target));
+		}
+		if (r.length > 0)
+			RETERR(str_totext(" ", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_opt(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	uint16_t opt;
+	uint16_t length;
+	unsigned int total;
+
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length == 0)
+		return (ISC_R_SUCCESS);
+	total = 0;
+	while (sregion.length != 0) {
+		if (sregion.length < 4)
+			return (ISC_R_UNEXPECTEDEND);
+		opt = uint16_fromregion(&sregion);
+		isc_region_consume(&sregion, 2);
+		length = uint16_fromregion(&sregion);
+		isc_region_consume(&sregion, 2);
+		total += 4;
+		if (sregion.length < length)
+			return (ISC_R_UNEXPECTEDEND);
+		switch (opt) {
+		case DNS_OPT_CLIENT_SUBNET: {
+			uint16_t family;
+			uint8_t addrlen;
+			uint8_t scope;
+			uint8_t addrbytes;
+
+			if (length < 4)
+				return (DNS_R_OPTERR);
+			family = uint16_fromregion(&sregion);
+			isc_region_consume(&sregion, 2);
+			addrlen = uint8_fromregion(&sregion);
+			isc_region_consume(&sregion, 1);
+			scope = uint8_fromregion(&sregion);
+			isc_region_consume(&sregion, 1);
+
+			switch (family) {
+			case 0:
+				/*
+				 * XXXMUKS: In queries and replies, if
+				 * FAMILY is set to 0, SOURCE
+				 * PREFIX-LENGTH and SCOPE PREFIX-LENGTH
+				 * must be 0 and ADDRESS should not be
+				 * present as the address and prefix
+				 * lengths don't make sense because the
+				 * family is unknown.
+				 */
+				if (addrlen != 0U || scope != 0U)
+					return (DNS_R_OPTERR);
+				break;
+			case 1:
+				if (addrlen > 32U || scope > 32U)
+					return (DNS_R_OPTERR);
+				break;
+			case 2:
+				if (addrlen > 128U || scope > 128U)
+					return (DNS_R_OPTERR);
+				break;
+			default:
+				return (DNS_R_OPTERR);
+			}
+			addrbytes = (addrlen + 7) / 8;
+			if (addrbytes + 4 != length)
+				return (DNS_R_OPTERR);
+
+			if (addrbytes != 0U && (addrlen % 8) != 0) {
+				uint8_t bits = ~0U << (8 - (addrlen % 8));
+				bits &= sregion.base[addrbytes - 1];
+				if (bits != sregion.base[addrbytes - 1])
+					return (DNS_R_OPTERR);
+			}
+			isc_region_consume(&sregion, addrbytes);
+			break;
+		}
+		case DNS_OPT_EXPIRE:
+			/*
+			 * Request has zero length.  Response is 32 bits.
+			 */
+			if (length != 0 && length != 4)
+				return (DNS_R_OPTERR);
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_COOKIE:
+			if (length != 8 && (length < 16 || length > 40))
+				return (DNS_R_OPTERR);
+			isc_region_consume(&sregion, length);
+			break;
+		case DNS_OPT_KEY_TAG:
+			if (length == 0 || (length % 2) != 0)
+				return (DNS_R_OPTERR);
+			isc_region_consume(&sregion, length);
+			break;
+		default:
+			isc_region_consume(&sregion, length);
+			break;
+		}
+		total += length;
+	}
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < total)
+		return (ISC_R_NOSPACE);
+	memmove(tregion.base, sregion.base, total);
+	isc_buffer_forward(source, total);
+	isc_buffer_add(target, total);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_opt(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_opt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_opt);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_opt(ARGS_FROMSTRUCT) {
+	dns_rdata_opt_t *opt = source;
+	isc_region_t region;
+	uint16_t length;
+
+	REQUIRE(type == dns_rdatatype_opt);
+	REQUIRE(source != NULL);
+	REQUIRE(opt->common.rdtype == type);
+	REQUIRE(opt->common.rdclass == rdclass);
+	REQUIRE(opt->options != NULL || opt->length == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	region.base = opt->options;
+	region.length = opt->length;
+	while (region.length >= 4) {
+		isc_region_consume(&region, 2);	/* opt */
+		length = uint16_fromregion(&region);
+		isc_region_consume(&region, 2);
+		if (region.length < length)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_region_consume(&region, length);
+	}
+	if (region.length != 0)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (mem_tobuffer(target, opt->options, opt->length));
+}
+
+static inline isc_result_t
+tostruct_opt(ARGS_TOSTRUCT) {
+	dns_rdata_opt_t *opt = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+	REQUIRE(target != NULL);
+
+	opt->common.rdclass = rdata->rdclass;
+	opt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&opt->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	opt->length = r.length;
+	opt->options = mem_maybedup(mctx, r.base, r.length);
+	if (opt->options == NULL)
+		return (ISC_R_NOMEMORY);
+
+	opt->offset = 0;
+	opt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_opt(ARGS_FREESTRUCT) {
+	dns_rdata_opt_t *opt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+
+	if (opt->mctx == NULL)
+		return;
+
+	if (opt->options != NULL)
+		isc_mem_free(opt->mctx, opt->options);
+	opt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_opt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_opt(ARGS_DIGEST) {
+
+	/*
+	 * OPT records are not digested.
+	 */
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline bool
+checkowner_opt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_opt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (dns_name_equal(name, dns_rootname));
+}
+
+static inline bool
+checknames_opt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_opt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_opt(ARGS_COMPARE) {
+	return (compare_opt(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdata_opt_first(dns_rdata_opt_t *opt) {
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL || opt->length == 0);
+
+	if (opt->length == 0)
+		return (ISC_R_NOMORE);
+
+	opt->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_opt_next(dns_rdata_opt_t *opt) {
+	isc_region_t r;
+	uint16_t length;
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL && opt->length != 0);
+	REQUIRE(opt->offset < opt->length);
+
+	INSIST(opt->offset + 4 <= opt->length);
+	r.base = opt->options + opt->offset + 2;
+	r.length = opt->length - opt->offset - 2;
+	length = uint16_fromregion(&r);
+	INSIST(opt->offset + 4 + length <= opt->length);
+	opt->offset = opt->offset + 4 + length;
+	if (opt->offset == opt->length)
+		return (ISC_R_NOMORE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_opt_current(dns_rdata_opt_t *opt, dns_rdata_opt_opcode_t *opcode) {
+	isc_region_t r;
+
+	REQUIRE(opt != NULL);
+	REQUIRE(opcode != NULL);
+	REQUIRE(opt->common.rdtype == dns_rdatatype_opt);
+	REQUIRE(opt->options != NULL);
+	REQUIRE(opt->offset < opt->length);
+
+	INSIST(opt->offset + 4 <= opt->length);
+	r.base = opt->options + opt->offset;
+	r.length = opt->length - opt->offset;
+
+	opcode->opcode = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+	opcode->length = uint16_fromregion(&r);
+	isc_region_consume(&r, 2);
+	opcode->data = r.base;
+	INSIST(opt->offset + 4 + opcode->length <= opt->length);
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif	/* RDATA_GENERIC_OPT_41_C */
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
new file mode 100644
index 0000000..5b31f4d
--- /dev/null
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_OPT_41_H
+#define GENERIC_OPT_41_H 1
+
+
+/*!
+ *  \brief Per RFC2671 */
+
+typedef struct dns_rdata_opt_opcode {
+		uint16_t	opcode;
+		uint16_t	length;
+		unsigned char	*data;
+} dns_rdata_opt_opcode_t;
+
+typedef struct dns_rdata_opt {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*options;
+	uint16_t		length;
+	/* private */
+	uint16_t		offset;
+} dns_rdata_opt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_opt_first(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_next(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
+
+#endif /* GENERIC_OPT_41_H */
diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c
new file mode 100644
index 0000000..c31b29f
--- /dev/null
+++ b/lib/dns/rdata/generic/proforma.c
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef RDATA_GENERIC_#_#_C
+#define RDATA_GENERIC_#_#_C
+
+#define RRTYPE_#_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_#(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdclass == #);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+totext_#(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0);	/* XXX */
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+fromwire_#(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdclass == #);
+
+	/* NONE or GLOBAL14 */
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+towire_#(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0);	/* XXX */
+
+	/* NONE or GLOBAL14 */
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline int
+compare_#(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.crdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata1->rdclass == #);
+	REQUIRE(rdata1->length != 0);	/* XXX */
+	REQUIRE(rdata2->length != 0);	/* XXX */
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_#(ARGS_FROMSTRUCT) {
+	dns_rdata_#_t *# = source;
+
+	REQUIRE(type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdclass == #);
+	REQUIRE(source != NULL);
+	REQUIRE(#->common.rdtype == dns_rdatatype_proforma.ctype);
+	REQUIRE(#->common.rdclass == rdclass);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+tostruct_#(ARGS_TOSTRUCT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+	REQUIRE(rdata->length != 0);	/* XXX */
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline void
+freestruct_#(ARGS_FREESTRUCT) {
+	dns_rdata_#_t *# = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(#->common.rdtype == dns_rdatatype_proforma.c#);
+	REQUIRE(#->common.rdclass == #);
+
+}
+
+static inline isc_result_t
+additionaldata_#(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+
+	(void)add;
+	(void)arg;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_#(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_#(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdclass == #);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_#(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata->rdclass == #);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_#(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.crdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_proforma.c#);
+	REQUIRE(rdata1->rdclass == #);
+	REQUIRE(rdata1->length != 0);	/* XXX */
+	REQUIRE(rdata2->length != 0);	/* XXX */
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif	/* RDATA_GENERIC_#_#_C */
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
new file mode 100644
index 0000000..cb49ee4
--- /dev/null
+++ b/lib/dns/rdata/generic/proforma.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_PROFORMA_H
+#define GENERIC_PROFORMA_H 1
+
+
+typedef struct dns_rdata_# {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;	/* if required */
+	/* type & class specific elements */
+} dns_rdata_#_t;
+
+#endif /* GENERIC_PROFORMA_H */
diff --git a/lib/dns/rdata/generic/ptr_12.c b/lib/dns/rdata/generic/ptr_12.c
new file mode 100644
index 0000000..a2f5ef1
--- /dev/null
+++ b/lib/dns/rdata/generic/ptr_12.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_PTR_12_C
+#define RDATA_GENERIC_PTR_12_C
+
+#define RRTYPE_PTR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	if (rdclass == dns_rdataclass_in &&
+	    (options & DNS_RDATA_CHECKNAMES) != 0 &&
+	    (options & DNS_RDATA_CHECKREVERSE) != 0) {
+		bool ok;
+		ok = dns_name_ishostname(&name, false);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_ptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_ptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_ptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_ptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ptr);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_ptr(ARGS_FROMSTRUCT) {
+	dns_rdata_ptr_t *ptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_ptr);
+	REQUIRE(source != NULL);
+	REQUIRE(ptr->common.rdtype == type);
+	REQUIRE(ptr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&ptr->ptr, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_ptr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_ptr_t *ptr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	ptr->common.rdclass = rdata->rdclass;
+	ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ptr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&ptr->ptr, NULL);
+	RETERR(name_duporclone(&name, mctx, &ptr->ptr));
+	ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ptr(ARGS_FREESTRUCT) {
+	dns_rdata_ptr_t *ptr = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(ptr->common.rdtype == dns_rdatatype_ptr);
+
+	if (ptr->mctx == NULL)
+		return;
+
+	dns_name_free(&ptr->ptr, ptr->mctx);
+	ptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ptr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ptr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_ptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ptr);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa =
+	DNS_NAME_INITABSOLUTE(ip6_arpa_data, ip6_arpa_offsets);
+
+static unsigned char ip6_int_data[]  = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int =
+	DNS_NAME_INITABSOLUTE(ip6_int_data, ip6_int_offsets);
+
+static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
+
+static inline bool
+checknames_ptr(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_ptr);
+
+	if (rdata->rdclass != dns_rdataclass_in)
+	    return (true);
+
+	if (dns_name_isdnssd(owner))
+		return (true);
+
+	if (dns_name_issubdomain(owner, &in_addr_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_arpa) ||
+	    dns_name_issubdomain(owner, &ip6_int)) {
+		dns_rdata_toregion(rdata, &region);
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &region);
+		if (!dns_name_ishostname(&name, false)) {
+			if (bad != NULL)
+				dns_name_clone(&name, bad);
+			return (false);
+		}
+	}
+	return (true);
+}
+
+static inline int
+casecompare_ptr(ARGS_COMPARE) {
+	return (compare_ptr(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_PTR_12_C */
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
new file mode 100644
index 0000000..d71ebd9
--- /dev/null
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_PTR_12_H
+#define GENERIC_PTR_12_H 1
+
+
+typedef struct dns_rdata_ptr {
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	dns_name_t              ptr;
+} dns_rdata_ptr_t;
+
+#endif /* GENERIC_PTR_12_H */
diff --git a/lib/dns/rdata/generic/rkey_57.c b/lib/dns/rdata/generic/rkey_57.c
new file mode 100644
index 0000000..2475a48
--- /dev/null
+++ b/lib/dns/rdata/generic/rkey_57.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_RKEY_57_C
+#define RDATA_GENERIC_RKEY_57_C
+
+#define RRTYPE_RKEY_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_rkey(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromtext_key(rdclass, type, lexer, origin,
+				     options, target, callbacks));
+}
+
+static inline isc_result_t
+totext_rkey(ARGS_TOTEXT) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	return (generic_totext_key(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_rkey(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromwire_key(rdclass, type, source, dctx,
+				     options, target));
+}
+
+static inline isc_result_t
+towire_rkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_rkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_rkey(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	return (generic_fromstruct_key(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_rkey(ARGS_TOSTRUCT) {
+	dns_rdata_rkey_t *rkey = target;
+
+	REQUIRE(rkey != NULL);
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	rkey->common.rdclass = rdata->rdclass;
+	rkey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rkey->common, link);
+
+	return (generic_tostruct_key(rdata, target, mctx));
+}
+
+static inline void
+freestruct_rkey(ARGS_FREESTRUCT) {
+	dns_rdata_rkey_t *rkey = (dns_rdata_rkey_t *) source;
+
+	REQUIRE(rkey != NULL);
+	REQUIRE(rkey->common.rdtype == dns_rdatatype_rkey);
+
+	generic_freestruct_key(source);
+}
+
+static inline isc_result_t
+additionaldata_rkey(ARGS_ADDLDATA) {
+
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rkey(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_rkey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_rkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_rkey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_rkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_rkey(ARGS_COMPARE) {
+
+	/*
+	 * Treat ALG 253 (private DNS) subtype name case sensistively.
+	 */
+	return (compare_rkey(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_RKEY_57_C */
diff --git a/lib/dns/rdata/generic/rkey_57.h b/lib/dns/rdata/generic/rkey_57.h
new file mode 100644
index 0000000..000a725
--- /dev/null
+++ b/lib/dns/rdata/generic/rkey_57.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RKEY_57_H
+#define GENERIC_RKEY_57_H 1
+
+typedef struct dns_rdata_key dns_rdata_rkey_t;
+
+#endif /* GENERIC_RKEY_57_H */
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
new file mode 100644
index 0000000..2e91565
--- /dev/null
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_RP_17_C
+#define RDATA_GENERIC_RP_17_C
+
+#define RRTYPE_RP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_rp(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0)
+			ok = dns_name_ismailbox(&name);
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_rp(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	dns_name_fromregion(&email, &region);
+	isc_region_consume(&region, email.length);
+
+	sub = name_prefix(&rmail, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&email, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_rp(ARGS_FROMWIRE) {
+	dns_name_t rmail;
+	dns_name_t email;
+
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&rmail, NULL);
+	dns_name_init(&email, NULL);
+
+	RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+	return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_rp(ARGS_TOWIRE) {
+	isc_region_t region;
+	dns_name_t rmail;
+	dns_name_t email;
+	dns_offsets_t roffsets;
+	dns_offsets_t eoffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&rmail, roffsets);
+	dns_name_init(&email, eoffsets);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	RETERR(dns_name_towire(&rmail, cctx, target));
+
+	dns_name_fromregion(&rmail, &region);
+	isc_region_consume(&region, rmail.length);
+
+	return (dns_name_towire(&rmail, cctx, target));
+}
+
+static inline int
+compare_rp(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_rp(ARGS_FROMSTRUCT) {
+	dns_rdata_rp_t *rp = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_rp);
+	REQUIRE(source != NULL);
+	REQUIRE(rp->common.rdtype == type);
+	REQUIRE(rp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&rp->mail, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&rp->text, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_rp(ARGS_TOSTRUCT) {
+	isc_result_t result;
+	isc_region_t region;
+	dns_rdata_rp_t *rp = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	rp->common.rdclass = rdata->rdclass;
+	rp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rp->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->mail, NULL);
+	RETERR(name_duporclone(&name, mctx, &rp->mail));
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rp->text, NULL);
+	result = name_duporclone(&name, mctx, &rp->text);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	rp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&rp->mail, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_rp(ARGS_FREESTRUCT) {
+	dns_rdata_rp_t *rp = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(rp->common.rdtype == dns_rdatatype_rp);
+
+	if (rp->mctx == NULL)
+		return;
+
+	dns_name_free(&rp->mail, rp->mctx);
+	dns_name_free(&rp->text, rp->mctx);
+	rp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rp(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rp(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_rp(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_rp);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_rp(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rp);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+				dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_rp(ARGS_COMPARE) {
+	return (compare_rp(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_RP_17_C */
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
new file mode 100644
index 0000000..31b5768
--- /dev/null
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RP_17_H
+#define GENERIC_RP_17_H 1
+
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_rp {
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	dns_name_t              mail;
+	dns_name_t              text;
+} dns_rdata_rp_t;
+
+
+#endif /* GENERIC_RP_17_H */
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
new file mode 100644
index 0000000..fb945ff
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_RRSIG_46_C
+#define RDATA_GENERIC_RRSIG_46_C
+
+#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_rrsig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	long i;
+	dns_rdatatype_t covered;
+	char *e;
+	isc_result_t result;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	uint32_t time_signed, time_expire;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (i < 0 || i > 65535)
+			RETTOK(ISC_R_RANGE);
+		if (*e != 0)
+			RETTOK(result);
+		covered = (dns_rdatatype_t)i;
+	}
+	RETERR(uint16_tobuffer(covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	c = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Original ttl.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strlen(DNS_AS_STR(token)) <= 10U &&
+	    *DNS_AS_STR(token) != '-' && *DNS_AS_STR(token) != '+') {
+		char *end;
+		unsigned long u;
+		uint64_t u64;
+
+		u64 = u = strtoul(DNS_AS_STR(token), &end, 10);
+		if (u == ULONG_MAX || *end != 0)
+			RETTOK(DNS_R_SYNTAX);
+		if (u64 > 0xffffffffUL)
+			RETTOK(ISC_R_RANGE);
+		time_expire = u;
+	} else
+		RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+	RETERR(uint32_tobuffer(time_expire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (strlen(DNS_AS_STR(token)) <= 10U &&
+	    *DNS_AS_STR(token) != '-' && *DNS_AS_STR(token) != '+') {
+		char *end;
+		unsigned long u;
+		uint64_t u64;
+
+		u64 = u = strtoul(DNS_AS_STR(token), &end, 10);
+		if (u == ULONG_MAX || *end != 0)
+			RETTOK(DNS_R_SYNTAX);
+		if (u64 > 0xffffffffUL)
+			RETTOK(ISC_R_RANGE);
+		time_signed = u;
+	} else
+		RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+	RETERR(uint32_tobuffer(time_signed, target));
+
+	/*
+	 * Key footprint.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signer.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Sig.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_rrsig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("4294967295")];	/* Also TYPE65000. */
+	dns_rdatatype_t covered;
+	unsigned long ttl;
+	unsigned long when;
+	unsigned long exp;
+	unsigned long foot;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		snprintf(buf, sizeof(buf), "TYPE%u", covered);
+		RETERR(str_totext(buf, target));
+	}
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Algorithm.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Labels.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Ttl.
+	 */
+	ttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
+	RETERR(str_totext(buf, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Sig exp.
+	 */
+	exp = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(exp, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Time signed.
+	 */
+	when = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(when, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Footprint.
+	 */
+	foot = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", foot);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_totext(&name, false, target));
+
+	/*
+	 * Sig.
+	 */
+	RETERR(str_totext(tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&sr, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&sr, tctx->width - 2,
+						 tctx->linebreak, target));
+	} else
+		RETERR(str_totext("[omitted]", target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_rrsig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	if (sr.length < 18)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, 18);
+	RETERR(mem_tobuffer(target, sr.base, 18));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_rrsig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 18));
+	isc_region_consume(&sr, 18);
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_rrsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_rrsig(ARGS_FROMSTRUCT) {
+	dns_rdata_rrsig_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(uint16_tobuffer(sig->covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(uint8_tobuffer(sig->algorithm, target));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(uint8_tobuffer(sig->labels, target));
+
+	/*
+	 * Original TTL.
+	 */
+	RETERR(uint32_tobuffer(sig->originalttl, target));
+
+	/*
+	 * Expire time.
+	 */
+	RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(uint32_tobuffer(sig->timesigned, target));
+
+	/*
+	 * Key ID.
+	 */
+	RETERR(uint16_tobuffer(sig->keyid, target));
+
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static inline isc_result_t
+tostruct_rrsig(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_rrsig_t *sig = target;
+	dns_name_t signer;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	sig->covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Algorithm.
+	 */
+	sig->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Labels.
+	 */
+	sig->labels = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Original TTL.
+	 */
+	sig->originalttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire time.
+	 */
+	sig->timeexpire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Time signed.
+	 */
+	sig->timesigned = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Key ID.
+	 */
+	sig->keyid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	dns_name_init(&signer, NULL);
+	dns_name_fromregion(&signer, &sr);
+	dns_name_init(&sig->signer, NULL);
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
+	isc_region_consume(&sr, name_length(&sig->signer));
+
+	/*
+	 * Signature.
+	 */
+	sig->siglen = sr.length;
+	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+	if (sig->signature == NULL)
+		goto cleanup;
+
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&sig->signer, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_rrsig(ARGS_FREESTRUCT) {
+	dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_rrsig);
+
+	if (sig->mctx == NULL)
+		return;
+
+	dns_name_free(&sig->signer, sig->mctx);
+	if (sig->signature != NULL)
+		isc_mem_free(sig->mctx, sig->signature);
+	sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rrsig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rrsig(ARGS_DIGEST) {
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline dns_rdatatype_t
+covers_rrsig(dns_rdata_t *rdata) {
+	dns_rdatatype_t type;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	dns_rdata_toregion(rdata, &r);
+	type = uint16_fromregion(&r);
+
+	return (type);
+}
+
+static inline bool
+checkowner_rrsig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_rrsig);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_rrsig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_rrsig);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_rrsig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rrsig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 18);
+	INSIST(r2.length > 18);
+	r1.length = 18;
+	r2.length = 18;
+	order = isc_region_compare(&r1, &r2);
+	if (order != 0)
+		return (order);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	isc_region_consume(&r1, 18);
+	isc_region_consume(&r2, 18);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+#endif	/* RDATA_GENERIC_RRSIG_46_C */
diff --git a/lib/dns/rdata/generic/rrsig_46.h b/lib/dns/rdata/generic/rrsig_46.h
new file mode 100644
index 0000000..6dfbd42
--- /dev/null
+++ b/lib/dns/rdata/generic/rrsig_46.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_DNSSIG_46_H
+#define GENERIC_DNSSIG_46_H 1
+
+
+/*!
+ *  \brief Per RFC2535 */
+typedef struct dns_rdata_rrsig {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_rdatatype_t		covered;
+	dns_secalg_t		algorithm;
+	uint8_t		labels;
+	uint32_t		originalttl;
+	uint32_t		timeexpire;
+	uint32_t		timesigned;
+	uint16_t		keyid;
+	dns_name_t		signer;
+	uint16_t		siglen;
+	unsigned char *		signature;
+} dns_rdata_rrsig_t;
+
+
+#endif /* GENERIC_DNSSIG_46_H */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
new file mode 100644
index 0000000..e6450cb
--- /dev/null
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_RT_21_C
+#define RDATA_GENERIC_RT_21_C
+
+#define RRTYPE_RT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_rt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_rt(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_rt(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 2)
+		return (ISC_R_NOSPACE);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	memmove(tregion.base, sregion.base, 2);
+	isc_buffer_forward(source, 2);
+	isc_buffer_add(target, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_rt(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_region_t tr;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	isc_buffer_availableregion(target, &tr);
+	dns_rdata_toregion(rdata, &region);
+	if (tr.length < 2)
+		return (ISC_R_NOSPACE);
+	memmove(tr.base, region.base, 2);
+	isc_region_consume(&region, 2);
+	isc_buffer_add(target, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_rt(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_rt);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_rt(ARGS_FROMSTRUCT) {
+	dns_rdata_rt_t *rt = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_rt);
+	REQUIRE(source != NULL);
+	REQUIRE(rt->common.rdtype == type);
+	REQUIRE(rt->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(rt->preference, target));
+	dns_name_toregion(&rt->host, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_rt(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_rt_t *rt = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	rt->common.rdclass = rdata->rdclass;
+	rt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&rt->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	rt->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&rt->host, NULL);
+	RETERR(name_duporclone(&name, mctx, &rt->host));
+
+	rt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_rt(ARGS_FREESTRUCT) {
+	dns_rdata_rt_t *rt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(rt->common.rdtype == dns_rdatatype_rt);
+
+	if (rt->mctx == NULL)
+		return;
+
+	dns_name_free(&rt->host, rt->mctx);
+	rt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rt(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	result = (add)(arg, &name, dns_rdatatype_x25);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = (add)(arg, &name, dns_rdatatype_isdn);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_rt(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_rt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_rt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_rt(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_rt);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_rt(ARGS_COMPARE) {
+	return (compare_rt(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_RT_21_C */
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
new file mode 100644
index 0000000..a9082c7
--- /dev/null
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_RT_21_H
+#define GENERIC_RT_21_H 1
+
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_rt {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		preference;
+	dns_name_t		host;
+} dns_rdata_rt_t;
+
+#endif /* GENERIC_RT_21_H */
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
new file mode 100644
index 0000000..ca0ce4e
--- /dev/null
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -0,0 +1,575 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2535 */
+
+#ifndef RDATA_GENERIC_SIG_24_C
+#define RDATA_GENERIC_SIG_24_C
+
+#define RRTYPE_SIG_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sig(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char c;
+	long i;
+	dns_rdatatype_t covered;
+	char *e;
+	isc_result_t result;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	uint32_t time_signed, time_expire;
+
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (i < 0 || i > 65535)
+			RETTOK(ISC_R_RANGE);
+		if (*e != 0)
+			RETTOK(result);
+		covered = (dns_rdatatype_t)i;
+	}
+	RETERR(uint16_tobuffer(covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	c = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &c, 1));
+
+	/*
+	 * Original ttl.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signature expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+	RETERR(uint32_tobuffer(time_expire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+	RETERR(uint32_tobuffer(time_signed, target));
+
+	/*
+	 * Key footprint.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Signer.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * Sig.
+	 */
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sig(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("4294967295")];
+	dns_rdatatype_t covered;
+	unsigned long ttl;
+	unsigned long when;
+	unsigned long exp;
+	unsigned long foot;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	/*
+	 * XXXAG We should have something like dns_rdatatype_isknown()
+	 * that does the right thing with type 0.
+	 */
+	if (dns_rdatatype_isknown(covered) && covered != 0) {
+		RETERR(dns_rdatatype_totext(covered, target));
+	} else {
+		snprintf(buf, sizeof(buf), "%u", covered);
+		RETERR(str_totext(buf, target));
+	}
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Algorithm.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Labels.
+	 */
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
+	isc_region_consume(&sr, 1);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Ttl.
+	 */
+	ttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Sig exp.
+	 */
+	exp = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(exp, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	/*
+	 * Time signed.
+	 */
+	when = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	RETERR(dns_time32_totext(when, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Footprint.
+	 */
+	foot = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", foot);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	/*
+	 * Sig.
+	 */
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&sr, tctx->width - 2,
+					 tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sig(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	if (sr.length < 18)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, 18);
+	RETERR(mem_tobuffer(target, sr.base, 18));
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Sig.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_sig(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	/*
+	 * type covered: 2
+	 * algorithm: 1
+	 * labels: 1
+	 * original ttl: 4
+	 * signature expiration: 4
+	 * time signed: 4
+	 * key footprint: 2
+	 */
+	RETERR(mem_tobuffer(target, sr.base, 18));
+	isc_region_consume(&sr, 18);
+
+	/*
+	 * Signer.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	isc_region_consume(&sr, name_length(&name));
+	RETERR(dns_name_towire(&name, cctx, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_sig(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sig);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	INSIST(r1.length > 18);
+	INSIST(r2.length > 18);
+	r1.length = 18;
+	r2.length = 18;
+	order = isc_region_compare(&r1, &r2);
+	if (order != 0)
+		return (order);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	isc_region_consume(&r1, 18);
+	isc_region_consume(&r2, 18);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sig(ARGS_FROMSTRUCT) {
+	dns_rdata_sig_t *sig = source;
+
+	REQUIRE(type == dns_rdatatype_sig);
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == type);
+	REQUIRE(sig->common.rdclass == rdclass);
+	REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Type covered.
+	 */
+	RETERR(uint16_tobuffer(sig->covered, target));
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(uint8_tobuffer(sig->algorithm, target));
+
+	/*
+	 * Labels.
+	 */
+	RETERR(uint8_tobuffer(sig->labels, target));
+
+	/*
+	 * Original TTL.
+	 */
+	RETERR(uint32_tobuffer(sig->originalttl, target));
+
+	/*
+	 * Expire time.
+	 */
+	RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+	/*
+	 * Time signed.
+	 */
+	RETERR(uint32_tobuffer(sig->timesigned, target));
+
+	/*
+	 * Key ID.
+	 */
+	RETERR(uint16_tobuffer(sig->keyid, target));
+
+	/*
+	 * Signer name.
+	 */
+	RETERR(name_tobuffer(&sig->signer, target));
+
+	/*
+	 * Signature.
+	 */
+	return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static inline isc_result_t
+tostruct_sig(ARGS_TOSTRUCT) {
+	isc_region_t sr;
+	dns_rdata_sig_t *sig = target;
+	dns_name_t signer;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sig->common.rdclass = rdata->rdclass;
+	sig->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sig->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Type covered.
+	 */
+	sig->covered = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Algorithm.
+	 */
+	sig->algorithm = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Labels.
+	 */
+	sig->labels = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/*
+	 * Original TTL.
+	 */
+	sig->originalttl = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire time.
+	 */
+	sig->timeexpire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Time signed.
+	 */
+	sig->timesigned = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Key ID.
+	 */
+	sig->keyid = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	dns_name_init(&signer, NULL);
+	dns_name_fromregion(&signer, &sr);
+	dns_name_init(&sig->signer, NULL);
+	RETERR(name_duporclone(&signer, mctx, &sig->signer));
+	isc_region_consume(&sr, name_length(&sig->signer));
+
+	/*
+	 * Signature.
+	 */
+	sig->siglen = sr.length;
+	sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+	if (sig->signature == NULL)
+		goto cleanup;
+
+
+	sig->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&sig->signer, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_sig(ARGS_FREESTRUCT) {
+	dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(sig->common.rdtype == dns_rdatatype_sig);
+
+	if (sig->mctx == NULL)
+		return;
+
+	dns_name_free(&sig->signer, sig->mctx);
+	if (sig->signature != NULL)
+		isc_mem_free(sig->mctx, sig->signature);
+	sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sig(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sig(ARGS_DIGEST) {
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline dns_rdatatype_t
+covers_sig(dns_rdata_t *rdata) {
+	dns_rdatatype_t type;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	dns_rdata_toregion(rdata, &r);
+	type = uint16_fromregion(&r);
+
+	return (type);
+}
+
+static inline bool
+checkowner_sig(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_sig);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_sig(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_sig);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_sig(ARGS_COMPARE) {
+	return (compare_sig(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_SIG_24_C */
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
new file mode 100644
index 0000000..a3882d9
--- /dev/null
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SIG_24_H
+#define GENERIC_SIG_24_H 1
+
+
+/*!
+ *  \brief Per RFC2535 */
+
+typedef struct dns_rdata_sig_t {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_rdatatype_t		covered;
+	dns_secalg_t		algorithm;
+	uint8_t		labels;
+	uint32_t		originalttl;
+	uint32_t		timeexpire;
+	uint32_t		timesigned;
+	uint16_t		keyid;
+	dns_name_t		signer;
+	uint16_t		siglen;
+	unsigned char *		signature;
+} dns_rdata_sig_t;
+
+
+#endif /* GENERIC_SIG_24_H */
diff --git a/lib/dns/rdata/generic/sink_40.c b/lib/dns/rdata/generic/sink_40.c
new file mode 100644
index 0000000..1289414
--- /dev/null
+++ b/lib/dns/rdata/generic/sink_40.c
@@ -0,0 +1,278 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SINK_40_C
+#define RDATA_GENERIC_SINK_40_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_SINK_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sink(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/* meaning */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/* coding */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/* subcoding */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	return(isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sink(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("255 255 255")];
+	uint8_t meaning, coding, subcoding;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(rdata->length >= 3);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Meaning, Coding and Subcoding */
+	meaning = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	coding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	subcoding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u %u %u", meaning, coding, subcoding);
+	RETERR(str_totext(buf, target));
+
+	if (sr.length == 0U)
+		return (ISC_R_SUCCESS);
+
+	/* data */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+
+	RETERR(str_totext(tctx->linebreak, target));
+
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&sr, tctx->width - 2,
+					 tctx->linebreak, target));
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sink(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
+	RETERR(mem_tobuffer(target, sr.base, sr.length));
+	isc_buffer_forward(source, sr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_sink(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(rdata->length >= 3);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_sink(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sink);
+	REQUIRE(rdata1->length >= 3);
+	REQUIRE(rdata2->length >= 3);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sink(ARGS_FROMSTRUCT) {
+	dns_rdata_sink_t *sink = source;
+
+	REQUIRE(type == dns_rdatatype_sink);
+	REQUIRE(source != NULL);
+	REQUIRE(sink->common.rdtype == type);
+	REQUIRE(sink->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/* Meaning */
+	RETERR(uint8_tobuffer(sink->meaning, target));
+
+	/* Coding */
+	RETERR(uint8_tobuffer(sink->coding, target));
+
+	/* Subcoding */
+	RETERR(uint8_tobuffer(sink->subcoding, target));
+
+	/* Data */
+	return (mem_tobuffer(target, sink->data, sink->datalen));
+}
+
+static inline isc_result_t
+tostruct_sink(ARGS_TOSTRUCT) {
+	dns_rdata_sink_t *sink = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length >= 3);
+
+	sink->common.rdclass = rdata->rdclass;
+	sink->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sink->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/* Meaning */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	sink->meaning = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Coding */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	sink->coding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Subcoding */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	sink->subcoding = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	/* Data */
+	sink->datalen = sr.length;
+	sink->data = mem_maybedup(mctx, sr.base, sink->datalen);
+	if (sink->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sink->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_sink(ARGS_FREESTRUCT) {
+	dns_rdata_sink_t *sink = (dns_rdata_sink_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(sink->common.rdtype == dns_rdatatype_sink);
+
+	if (sink->mctx == NULL)
+		return;
+
+	if (sink->data != NULL)
+		isc_mem_free(sink->mctx, sink->data);
+	sink->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sink(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sink(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_sink(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_sink);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_sink(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_sink);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_sink(ARGS_COMPARE) {
+	return (compare_sink(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_SINK_40_C */
diff --git a/lib/dns/rdata/generic/sink_40.h b/lib/dns/rdata/generic/sink_40.h
new file mode 100644
index 0000000..4e6e01e
--- /dev/null
+++ b/lib/dns/rdata/generic/sink_40.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SINK_40_H
+#define GENERIC_SINK_40_H 1
+
+typedef struct dns_rdata_sink_t {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint8_t		meaning;
+	uint8_t		coding;
+	uint8_t		subcoding;
+	uint16_t		datalen;
+	unsigned char *		data;
+} dns_rdata_sink_t;
+
+#endif /* GENERIC_SINK_40_H */
diff --git a/lib/dns/rdata/generic/smimea_53.c b/lib/dns/rdata/generic/smimea_53.c
new file mode 100644
index 0000000..efd7f01
--- /dev/null
+++ b/lib/dns/rdata/generic/smimea_53.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SMIMEA_53_C
+#define RDATA_GENERIC_SMIMEA_53_C
+
+#define RRTYPE_SMIMEA_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_smimea(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromtext_tlsa(rdclass, type, lexer, origin, options,
+				      target, callbacks));
+}
+
+static inline isc_result_t
+totext_smimea(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	return (generic_totext_tlsa(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_smimea(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromwire_tlsa(rdclass, type, source, dctx, options,
+				      target));
+}
+
+static inline isc_result_t
+towire_smimea(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_smimea(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_smimea);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_smimea(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	return (generic_fromstruct_tlsa(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_smimea(ARGS_TOSTRUCT) {
+	dns_rdata_smimea_t *smimea = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+	REQUIRE(target != NULL);
+
+	smimea->common.rdclass = rdata->rdclass;
+	smimea->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&smimea->common, link);
+
+	return (generic_tostruct_tlsa(rdata, target, mctx));
+}
+
+static inline void
+freestruct_smimea(ARGS_FREESTRUCT) {
+	dns_rdata_smimea_t *smimea = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(smimea->common.rdtype == dns_rdatatype_smimea);
+
+	generic_freestruct_tlsa(source);
+}
+
+static inline isc_result_t
+additionaldata_smimea(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_smimea(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_smimea(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_smimea);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_smimea(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_smimea);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_smimea(ARGS_COMPARE) {
+	return (compare_smimea(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_SMIMEA_53_C */
diff --git a/lib/dns/rdata/generic/smimea_53.h b/lib/dns/rdata/generic/smimea_53.h
new file mode 100644
index 0000000..cabec2b
--- /dev/null
+++ b/lib/dns/rdata/generic/smimea_53.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SMIMEA_53_H
+#define GENERIC_SMIMEA_53_H 1
+
+typedef struct dns_rdata_tlsa dns_rdata_smimea_t;
+
+#endif /* GENERIC_SMIMEA_53_H */
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
new file mode 100644
index 0000000..c21d64b
--- /dev/null
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -0,0 +1,438 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SOA_6_C
+#define RDATA_GENERIC_SOA_6_C
+
+#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_soa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+	uint32_t n;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+		ok = true;
+		if ((options & DNS_RDATA_CHECKNAMES) != 0)
+			switch (i) {
+			case 0:
+				ok = dns_name_ishostname(&name, false);
+				break;
+			case 1:
+				ok = dns_name_ismailbox(&name);
+				break;
+
+			}
+		if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+			RETTOK(DNS_R_BADNAME);
+		if (!ok && callbacks != NULL)
+			warn_badname(&name, lexer, callbacks);
+	}
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	for (i = 0; i < 4; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+		RETTOK(dns_counter_fromtext(&token.value.as_textregion, &n));
+		RETERR(uint32_tobuffer(n, target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static const char *soa_fieldnames[5] = {
+	"serial", "refresh", "retry", "expire", "minimum"
+};
+
+static inline isc_result_t
+totext_soa(ARGS_TOTEXT) {
+	isc_region_t dregion;
+	dns_name_t mname;
+	dns_name_t rname;
+	dns_name_t prefix;
+	bool sub;
+	int i;
+	bool multiline;
+	bool comm;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(rdata->length != 0);
+
+	multiline = (tctx->flags & DNS_STYLEFLAG_MULTILINE);
+	comm = (multiline) ?
+		(tctx->flags & DNS_STYLEFLAG_RRCOMMENT) :
+		false;
+
+	dns_name_init(&mname, NULL);
+	dns_name_init(&rname, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &dregion);
+
+	dns_name_fromregion(&mname, &dregion);
+	isc_region_consume(&dregion, name_length(&mname));
+
+	dns_name_fromregion(&rname, &dregion);
+	isc_region_consume(&dregion, name_length(&rname));
+
+	sub = name_prefix(&mname, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&rname, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	if (multiline)
+		RETERR(str_totext(" (" , target));
+	RETERR(str_totext(tctx->linebreak, target));
+
+	for (i = 0; i < 5; i++) {
+		char buf[sizeof("0123456789 ; ")];
+		unsigned long num;
+		num = uint32_fromregion(&dregion);
+		isc_region_consume(&dregion, 4);
+		snprintf(buf, sizeof(buf), comm ? "%-10lu ; " : "%lu", num);
+		RETERR(str_totext(buf, target));
+		if (comm) {
+			RETERR(str_totext(soa_fieldnames[i], target));
+			/* Print times in week/day/hour/minute/second form */
+			if (i >= 1) {
+				RETERR(str_totext(" (", target));
+				RETERR(dns_ttl_totext(num, true, target));
+				RETERR(str_totext(")", target));
+			}
+			RETERR(str_totext(tctx->linebreak, target));
+		} else if (i < 4) {
+			RETERR(str_totext(tctx->linebreak, target));
+		}
+	}
+
+	if (multiline)
+		RETERR(str_totext(")", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_soa(ARGS_FROMWIRE) {
+	dns_name_t mname;
+	dns_name_t rname;
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&mname, NULL);
+	dns_name_init(&rname, NULL);
+
+	RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
+	RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+
+	if (sregion.length < 20)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 20)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 20);
+	isc_buffer_forward(source, 20);
+	isc_buffer_add(target, 20);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_soa(ARGS_TOWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+	dns_name_t mname;
+	dns_name_t rname;
+	dns_offsets_t moffsets;
+	dns_offsets_t roffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+	dns_name_init(&mname, moffsets);
+	dns_name_init(&rname, roffsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&mname, &sregion);
+	isc_region_consume(&sregion, name_length(&mname));
+	RETERR(dns_name_towire(&mname, cctx, target));
+
+	dns_name_fromregion(&rname, &sregion);
+	isc_region_consume(&sregion, name_length(&rname));
+	RETERR(dns_name_towire(&rname, cctx, target));
+
+	isc_buffer_availableregion(target, &tregion);
+	if (tregion.length < 20)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 20);
+	isc_buffer_add(target, 20);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_soa(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_soa);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_soa(ARGS_FROMSTRUCT) {
+	dns_rdata_soa_t *soa = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_soa);
+	REQUIRE(source != NULL);
+	REQUIRE(soa->common.rdtype == type);
+	REQUIRE(soa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&soa->origin, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&soa->contact, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	RETERR(uint32_tobuffer(soa->serial, target));
+	RETERR(uint32_tobuffer(soa->refresh, target));
+	RETERR(uint32_tobuffer(soa->retry, target));
+	RETERR(uint32_tobuffer(soa->expire, target));
+	return (uint32_tobuffer(soa->minimum, target));
+}
+
+static inline isc_result_t
+tostruct_soa(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_soa_t *soa = target;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	soa->common.rdclass = rdata->rdclass;
+	soa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&soa->common, link);
+
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&soa->origin, NULL);
+	RETERR(name_duporclone(&name, mctx, &soa->origin));
+
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&soa->contact, NULL);
+	result = name_duporclone(&name, mctx, &soa->contact);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	soa->serial = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->refresh = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->retry = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->expire = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	soa->minimum = uint32_fromregion(&region);
+
+	soa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&soa->origin, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_soa(ARGS_FREESTRUCT) {
+	dns_rdata_soa_t *soa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(soa->common.rdtype == dns_rdatatype_soa);
+
+	if (soa->mctx == NULL)
+		return;
+
+	dns_name_free(&soa->origin, soa->mctx);
+	dns_name_free(&soa->contact, soa->mctx);
+	soa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_soa(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_soa(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+	RETERR(dns_name_digest(&name, digest, arg));
+	isc_region_consume(&r, name_length(&name));
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_soa(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_soa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_soa(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_soa);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	isc_region_consume(&region, name_length(&name));
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ismailbox(&name)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_soa(ARGS_COMPARE) {
+	return (compare_soa(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_SOA_6_C */
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
new file mode 100644
index 0000000..c9be985
--- /dev/null
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_SOA_6_H
+#define GENERIC_SOA_6_H 1
+
+
+typedef struct dns_rdata_soa {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		origin;
+	dns_name_t		contact;
+	uint32_t		serial;		/*%< host order */
+	uint32_t		refresh;	/*%< host order */
+	uint32_t		retry;		/*%< host order */
+	uint32_t		expire;		/*%< host order */
+	uint32_t		minimum;	/*%< host order */
+} dns_rdata_soa_t;
+
+
+#endif /* GENERIC_SOA_6_H */
diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
new file mode 100644
index 0000000..c41edf6
--- /dev/null
+++ b/lib/dns/rdata/generic/spf_99.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_SPF_99_C
+#define RDATA_GENERIC_SPF_99_C
+
+#define RRTYPE_SPF_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_spf(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_spf);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
+				     target, callbacks));
+}
+
+static inline isc_result_t
+totext_spf(ARGS_TOTEXT) {
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	return (generic_totext_txt(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_spf(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_spf);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
+				     target));
+}
+
+static inline isc_result_t
+towire_spf(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_spf(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_spf);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_spf(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_spf);
+
+	return (generic_fromstruct_txt(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_spf(ARGS_TOSTRUCT) {
+	dns_rdata_spf_t *spf = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+	REQUIRE(target != NULL);
+
+	spf->common.rdclass = rdata->rdclass;
+	spf->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&spf->common, link);
+
+	return (generic_tostruct_txt(rdata, target, mctx));
+}
+
+static inline void
+freestruct_spf(ARGS_FREESTRUCT) {
+	dns_rdata_spf_t *txt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_spf);
+
+	generic_freestruct_txt(source);
+}
+
+static inline isc_result_t
+additionaldata_spf(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_spf(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_spf(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_spf);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_spf(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_spf);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_spf(ARGS_COMPARE) {
+	return (compare_spf(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_SPF_99_C */
diff --git a/lib/dns/rdata/generic/spf_99.h b/lib/dns/rdata/generic/spf_99.h
new file mode 100644
index 0000000..f10b790
--- /dev/null
+++ b/lib/dns/rdata/generic/spf_99.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_SPF_99_H
+#define GENERIC_SPF_99_H 1
+
+
+typedef struct dns_rdata_spf_string {
+		uint8_t    length;
+		unsigned char   *data;
+} dns_rdata_spf_string_t;
+
+typedef struct dns_rdata_spf {
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	unsigned char           *txt;
+	uint16_t            txt_len;
+	/* private */
+	uint16_t            offset;
+} dns_rdata_spf_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+#endif /* GENERIC_SPF_99_H */
diff --git a/lib/dns/rdata/generic/sshfp_44.c b/lib/dns/rdata/generic/sshfp_44.c
new file mode 100644
index 0000000..1b5d7ca
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC 4255 */
+
+#ifndef RDATA_GENERIC_SSHFP_44_C
+#define RDATA_GENERIC_SSHFP_44_C
+
+#define RRTYPE_SSHFP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sshfp(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Digest.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sshfp(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Digest.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) /* No splitting */
+		RETERR(isc_hex_totext(&sr, 0, "", target));
+	else
+		RETERR(isc_hex_totext(&sr, tctx->width - 2,
+				      tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sshfp(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_sshfp(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_sshfp(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_sshfp);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sshfp(ARGS_FROMSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+	REQUIRE(source != NULL);
+	REQUIRE(sshfp->common.rdtype == type);
+	REQUIRE(sshfp->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(sshfp->algorithm, target));
+	RETERR(uint8_tobuffer(sshfp->digest_type, target));
+
+	return (mem_tobuffer(target, sshfp->digest, sshfp->length));
+}
+
+static inline isc_result_t
+tostruct_sshfp(ARGS_TOSTRUCT) {
+	dns_rdata_sshfp_t *sshfp = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	sshfp->common.rdclass = rdata->rdclass;
+	sshfp->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&sshfp->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	sshfp->algorithm = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->digest_type = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	sshfp->length = region.length;
+
+	sshfp->digest = mem_maybedup(mctx, region.base, region.length);
+	if (sshfp->digest == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sshfp->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_sshfp(ARGS_FREESTRUCT) {
+	dns_rdata_sshfp_t *sshfp = source;
+
+	REQUIRE(sshfp != NULL);
+	REQUIRE(sshfp->common.rdtype == dns_rdatatype_sshfp);
+
+	if (sshfp->mctx == NULL)
+		return;
+
+	if (sshfp->digest != NULL)
+		isc_mem_free(sshfp->mctx, sshfp->digest);
+	sshfp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sshfp(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sshfp(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_sshfp(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_sshfp);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_sshfp(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_sshfp);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_sshfp(ARGS_COMPARE) {
+	return (compare_sshfp(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_SSHFP_44_C */
diff --git a/lib/dns/rdata/generic/sshfp_44.h b/lib/dns/rdata/generic/sshfp_44.h
new file mode 100644
index 0000000..ba1129a
--- /dev/null
+++ b/lib/dns/rdata/generic/sshfp_44.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*!
+ *  \brief Per RFC 4255 */
+
+#ifndef GENERIC_SSHFP_44_H
+#define GENERIC_SSHFP_44_H 1
+
+typedef struct dns_rdata_sshfp {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint8_t		algorithm;
+	uint8_t		digest_type;
+	uint16_t		length;
+	unsigned char		*digest;
+} dns_rdata_sshfp_t;
+
+#endif /* GENERIC_SSHFP_44_H */
diff --git a/lib/dns/rdata/generic/ta_32768.c b/lib/dns/rdata/generic/ta_32768.c
new file mode 100644
index 0000000..12ec6e7
--- /dev/null
+++ b/lib/dns/rdata/generic/ta_32768.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://www.watson.org/~weiler/INI1999-19.pdf */
+
+#ifndef RDATA_GENERIC_TA_32768_C
+#define RDATA_GENERIC_TA_32768_C
+
+#define RRTYPE_TA_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_ta(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromtext_ds(rdclass, type, lexer, origin, options,
+				    target, callbacks));
+}
+
+static inline isc_result_t
+totext_ta(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	return (generic_totext_ds(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_ta(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromwire_ds(rdclass, type, source, dctx, options,
+				    target));
+}
+
+static inline isc_result_t
+towire_ta(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_ta(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_ta);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_ta(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_ta);
+
+	return (generic_fromstruct_ds(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_ta(ARGS_TOSTRUCT) {
+	dns_rdata_ds_t *ds = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	/*
+	 * Checked by generic_tostruct_ds().
+	 */
+	ds->common.rdclass = rdata->rdclass;
+	ds->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&ds->common, link);
+
+	return (generic_tostruct_ds(rdata, target, mctx));
+}
+
+static inline void
+freestruct_ta(ARGS_FREESTRUCT) {
+	dns_rdata_ta_t *ds = source;
+
+	REQUIRE(ds != NULL);
+	REQUIRE(ds->common.rdtype == dns_rdatatype_ta);
+
+	if (ds->mctx == NULL)
+		return;
+
+	if (ds->digest != NULL)
+		isc_mem_free(ds->mctx, ds->digest);
+	ds->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ta(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ta(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_ta(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_ta);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_ta(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_ta);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_ta(ARGS_COMPARE) {
+	return (compare_ta(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_TA_32768_C */
diff --git a/lib/dns/rdata/generic/ta_32768.h b/lib/dns/rdata/generic/ta_32768.h
new file mode 100644
index 0000000..1bd7a28
--- /dev/null
+++ b/lib/dns/rdata/generic/ta_32768.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_TA_32768_H
+#define GENERIC_TA_32768_H 1
+
+/*
+ * TA records are identical to DS records.
+ */
+typedef struct dns_rdata_ds dns_rdata_ta_t;
+
+#endif /* GENERIC_TA_32768_H */
diff --git a/lib/dns/rdata/generic/talink_58.c b/lib/dns/rdata/generic/talink_58.c
new file mode 100644
index 0000000..7f6bacb
--- /dev/null
+++ b/lib/dns/rdata/generic/talink_58.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_TALINK_58_C
+#define RDATA_GENERIC_TALINK_58_C
+
+#define RRTYPE_TALINK_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_talink(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	int i;
+
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	for (i = 0; i < 2; i++) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+
+		dns_name_init(&name, NULL);
+		buffer_fromregion(&buffer, &token.value.as_region);
+		RETTOK(dns_name_fromtext(&name, &buffer, origin,
+					 options, target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_talink(ARGS_TOTEXT) {
+	isc_region_t dregion;
+	dns_name_t prev;
+	dns_name_t next;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&prev, NULL);
+	dns_name_init(&next, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &dregion);
+
+	dns_name_fromregion(&prev, &dregion);
+	isc_region_consume(&dregion, name_length(&prev));
+
+	dns_name_fromregion(&next, &dregion);
+	isc_region_consume(&dregion, name_length(&next));
+
+	sub = name_prefix(&prev, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+
+	RETERR(str_totext(" ", target));
+
+	sub = name_prefix(&next, tctx->origin, &prefix);
+	return(dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_talink(ARGS_FROMWIRE) {
+	dns_name_t prev;
+	dns_name_t next;
+
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&prev, NULL);
+	dns_name_init(&next, NULL);
+
+	RETERR(dns_name_fromwire(&prev, source, dctx, options, target));
+	return(dns_name_fromwire(&next, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_talink(ARGS_TOWIRE) {
+	isc_region_t sregion;
+	dns_name_t prev;
+	dns_name_t next;
+	dns_offsets_t moffsets;
+	dns_offsets_t roffsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&prev, moffsets);
+	dns_name_init(&next, roffsets);
+
+	dns_rdata_toregion(rdata, &sregion);
+
+	dns_name_fromregion(&prev, &sregion);
+	isc_region_consume(&sregion, name_length(&prev));
+	RETERR(dns_name_towire(&prev, cctx, target));
+
+	dns_name_fromregion(&next, &sregion);
+	isc_region_consume(&sregion, name_length(&next));
+	return(dns_name_towire(&next, cctx, target));
+}
+
+static inline int
+compare_talink(ARGS_COMPARE) {
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_talink);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_talink(ARGS_FROMSTRUCT) {
+	dns_rdata_talink_t *talink = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_talink);
+	REQUIRE(source != NULL);
+	REQUIRE(talink->common.rdtype == type);
+	REQUIRE(talink->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&talink->prev, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&talink->next, &region);
+	return(isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_talink(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_talink_t *talink = target;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	talink->common.rdclass = rdata->rdclass;
+	talink->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&talink->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&talink->prev, NULL);
+	RETERR(name_duporclone(&name, mctx, &talink->prev));
+
+	dns_name_fromregion(&name, &region);
+	isc_region_consume(&region, name_length(&name));
+	dns_name_init(&talink->next, NULL);
+	result = name_duporclone(&name, mctx, &talink->next);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	talink->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&talink->prev, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_talink(ARGS_FREESTRUCT) {
+	dns_rdata_talink_t *talink = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(talink->common.rdtype == dns_rdatatype_talink);
+
+	if (talink->mctx == NULL)
+		return;
+
+	dns_name_free(&talink->prev, talink->mctx);
+	dns_name_free(&talink->next, talink->mctx);
+	talink->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_talink(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_talink(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_talink(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_talink);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_talink(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_talink);
+
+	UNUSED(bad);
+	UNUSED(owner);
+
+	return (true);
+}
+
+static inline int
+casecompare_talink(ARGS_COMPARE) {
+	return (compare_talink(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_TALINK_58_C */
diff --git a/lib/dns/rdata/generic/talink_58.h b/lib/dns/rdata/generic/talink_58.h
new file mode 100644
index 0000000..03166a2
--- /dev/null
+++ b/lib/dns/rdata/generic/talink_58.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* http://www.iana.org/assignments/dns-parameters/TALINK/talink-completed-template */
+
+#ifndef GENERIC_TALINK_58_H
+#define GENERIC_TALINK_58_H 1
+
+typedef struct dns_rdata_talink {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		prev;
+	dns_name_t		next;
+} dns_rdata_talink_t;
+
+#endif /* GENERIC_TALINK_58_H */
diff --git a/lib/dns/rdata/generic/tkey_249.c b/lib/dns/rdata/generic/tkey_249.c
new file mode 100644
index 0000000..7bbd1d3
--- /dev/null
+++ b/lib/dns/rdata/generic/tkey_249.c
@@ -0,0 +1,556 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* draft-ietf-dnsext-tkey-01.txt */
+
+#ifndef RDATA_GENERIC_TKEY_249_C
+#define RDATA_GENERIC_TKEY_249_C
+
+#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
+
+static inline isc_result_t
+fromtext_tkey(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_rcode_t rcode;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	long i;
+	char *e;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Algorithm.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+
+	/*
+	 * Inception.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Expiration.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Mode.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Error.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
+				!= ISC_R_SUCCESS)
+	{
+		i = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e != 0)
+			RETTOK(DNS_R_UNKNOWN);
+		if (i < 0 || i > 0xffff)
+			RETTOK(ISC_R_RANGE);
+		rcode = (dns_rcode_t)i;
+	}
+	RETERR(uint16_tobuffer(rcode, target));
+
+	/*
+	 * Key Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Key Data.
+	 */
+	RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+	/*
+	 * Other Size.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Other Data.
+	 */
+	return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static inline isc_result_t
+totext_tkey(ARGS_TOTEXT) {
+	isc_region_t sr, dr;
+	char buf[sizeof("4294967295 ")];
+	unsigned long n;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+	isc_region_consume(&sr, name_length(&name));
+
+	/*
+	 * Inception.
+	 */
+	n = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Expiration.
+	 */
+	n = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Mode.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Error.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
+		RETERR(str_totext(" ", target));
+	else {
+		snprintf(buf, sizeof(buf), "%lu ", n);
+		RETERR(str_totext(buf, target));
+	}
+
+	/*
+	 * Key Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Key Data.
+	 */
+	REQUIRE(n <= sr.length);
+	dr = sr;
+	dr.length = n;
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&dr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&dr, tctx->width - 2,
+					 tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" ) ", target));
+	else
+		RETERR(str_totext(" ", target));
+	isc_region_consume(&sr, n);
+
+	/*
+	 * Other Size.
+	 */
+	n = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+	snprintf(buf, sizeof(buf), "%lu", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Other Data.
+	 */
+	REQUIRE(n <= sr.length);
+	if (n != 0U) {
+	    dr = sr;
+	    dr.length = n;
+	    if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		    RETERR(str_totext(" (", target));
+	    RETERR(str_totext(tctx->linebreak, target));
+		if (tctx->width == 0)   /* No splitting */
+			RETERR(isc_base64_totext(&dr, 60, "", target));
+		else
+			RETERR(isc_base64_totext(&dr, tctx->width - 2,
+						 tctx->linebreak, target));
+	    if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		    RETERR(str_totext(" )", target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_tkey(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned long n;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_name_init(&name, NULL);
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * Inception: 4
+	 * Expiration: 4
+	 * Mode: 2
+	 * Error: 2
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 12)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, 12));
+	isc_region_consume(&sr, 12);
+	isc_buffer_forward(source, 12);
+
+	/*
+	 * Key Length + Key Data.
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, n + 2));
+	isc_region_consume(&sr, n + 2);
+	isc_buffer_forward(source, n + 2);
+
+	/*
+	 * Other Length + Other Data.
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	n = uint16_fromregion(&sr);
+	if (sr.length < n + 2)
+		return (ISC_R_UNEXPECTEDEND);
+	isc_buffer_forward(source, n + 2);
+	return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static inline isc_result_t
+towire_tkey(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Algorithm.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&sr, name_length(&name));
+
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_tkey(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	dns_name_t name1;
+	dns_name_t name2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tkey);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	/*
+	 * Algorithm.
+	 */
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &r1);
+	dns_name_fromregion(&name2, &r2);
+	if ((order = dns_name_rdatacompare(&name1, &name2)) != 0)
+		return (order);
+	isc_region_consume(&r1, name_length(&name1));
+	isc_region_consume(&r2, name_length(&name2));
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_tkey(ARGS_FROMSTRUCT) {
+	dns_rdata_tkey_t *tkey = source;
+
+	REQUIRE(type == dns_rdatatype_tkey);
+	REQUIRE(source != NULL);
+	REQUIRE(tkey->common.rdtype == type);
+	REQUIRE(tkey->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Algorithm Name.
+	 */
+	RETERR(name_tobuffer(&tkey->algorithm, target));
+
+	/*
+	 * Inception: 32 bits.
+	 */
+	RETERR(uint32_tobuffer(tkey->inception, target));
+
+	/*
+	 * Expire: 32 bits.
+	 */
+	RETERR(uint32_tobuffer(tkey->expire, target));
+
+	/*
+	 * Mode: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->mode, target));
+
+	/*
+	 * Error: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->error, target));
+
+	/*
+	 * Key size: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->keylen, target));
+
+	/*
+	 * Key.
+	 */
+	RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
+
+	/*
+	 * Other size: 16 bits.
+	 */
+	RETERR(uint16_tobuffer(tkey->otherlen, target));
+
+	/*
+	 * Other data.
+	 */
+	return (mem_tobuffer(target, tkey->other, tkey->otherlen));
+}
+
+static inline isc_result_t
+tostruct_tkey(ARGS_TOSTRUCT) {
+	dns_rdata_tkey_t *tkey = target;
+	dns_name_t alg;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	tkey->common.rdclass = rdata->rdclass;
+	tkey->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tkey->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Algorithm Name.
+	 */
+	dns_name_init(&alg, NULL);
+	dns_name_fromregion(&alg, &sr);
+	dns_name_init(&tkey->algorithm, NULL);
+	RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
+	isc_region_consume(&sr, name_length(&tkey->algorithm));
+
+	/*
+	 * Inception.
+	 */
+	tkey->inception = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Expire.
+	 */
+	tkey->expire = uint32_fromregion(&sr);
+	isc_region_consume(&sr, 4);
+
+	/*
+	 * Mode.
+	 */
+	tkey->mode = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Error.
+	 */
+	tkey->error = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Key size.
+	 */
+	tkey->keylen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Key.
+	 */
+	INSIST(tkey->keylen + 2U <= sr.length);
+	tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
+	if (tkey->key == NULL)
+		goto cleanup;
+	isc_region_consume(&sr, tkey->keylen);
+
+	/*
+	 * Other size.
+	 */
+	tkey->otherlen = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Other.
+	 */
+	INSIST(tkey->otherlen <= sr.length);
+	tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
+	if (tkey->other == NULL)
+		goto cleanup;
+
+	tkey->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (mctx != NULL)
+		dns_name_free(&tkey->algorithm, mctx);
+	if (mctx != NULL && tkey->key != NULL)
+		isc_mem_free(mctx, tkey->key);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_tkey(ARGS_FREESTRUCT) {
+	dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
+
+	REQUIRE(source != NULL);
+
+	if (tkey->mctx == NULL)
+		return;
+
+	dns_name_free(&tkey->algorithm, tkey->mctx);
+	if (tkey->key != NULL)
+		isc_mem_free(tkey->mctx, tkey->key);
+	if (tkey->other != NULL)
+		isc_mem_free(tkey->mctx, tkey->other);
+	tkey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_tkey(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_tkey(ARGS_DIGEST) {
+	UNUSED(rdata);
+	UNUSED(digest);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline bool
+checkowner_tkey(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_tkey);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_tkey(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_tkey);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_tkey(ARGS_COMPARE) {
+	return (compare_tkey(rdata1, rdata2));
+}
+#endif	/* RDATA_GENERIC_TKEY_249_C */
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
new file mode 100644
index 0000000..2fab087
--- /dev/null
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_TKEY_249_H
+#define GENERIC_TKEY_249_H 1
+
+
+/*!
+ *  \brief Per draft-ietf-dnsind-tkey-00.txt */
+
+typedef struct dns_rdata_tkey {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_name_t		algorithm;
+	uint32_t		inception;
+	uint32_t		expire;
+	uint16_t		mode;
+	uint16_t		error;
+	uint16_t		keylen;
+	unsigned char *		key;
+	uint16_t		otherlen;
+	unsigned char *		other;
+} dns_rdata_tkey_t;
+
+
+#endif /* GENERIC_TKEY_249_H */
diff --git a/lib/dns/rdata/generic/tlsa_52.c b/lib/dns/rdata/generic/tlsa_52.c
new file mode 100644
index 0000000..1224dc1
--- /dev/null
+++ b/lib/dns/rdata/generic/tlsa_52.c
@@ -0,0 +1,334 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* rfc6698.txt */
+
+#ifndef RDATA_GENERIC_TLSA_52_C
+#define RDATA_GENERIC_TLSA_52_C
+
+#define RRTYPE_TLSA_ATTRIBUTES 0
+
+static inline isc_result_t
+generic_fromtext_tlsa(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Certificate Usage.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Selector.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Matching type.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Certificate Association Data.
+	 */
+	return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+generic_totext_tlsa(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof("64000 ")];
+	unsigned int n;
+
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Certificate Usage.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Selector.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Matching type.
+	 */
+	n = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Certificate Association Data.
+	 */
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" (", target));
+	RETERR(str_totext(tctx->linebreak, target));
+	if (tctx->width == 0) /* No splitting */
+		RETERR(isc_hex_totext(&sr, 0, "", target));
+	else
+		RETERR(isc_hex_totext(&sr, tctx->width - 2,
+				      tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+generic_fromwire_tlsa(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+
+	if (sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+fromtext_tlsa(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromtext_tlsa(rdclass, type, lexer, origin, options,
+				      target, callbacks));
+}
+
+static inline isc_result_t
+totext_tlsa(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	return (generic_totext_tlsa(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_tlsa(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromwire_tlsa(rdclass, type, source, dctx, options,
+				      target));
+}
+
+static inline isc_result_t
+towire_tlsa(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_tlsa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_tlsa);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+generic_fromstruct_tlsa(ARGS_FROMSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(tlsa->common.rdtype == type);
+	REQUIRE(tlsa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(tlsa->usage, target));
+	RETERR(uint8_tobuffer(tlsa->selector, target));
+	RETERR(uint8_tobuffer(tlsa->match, target));
+
+	return (mem_tobuffer(target, tlsa->data, tlsa->length));
+}
+
+static inline isc_result_t
+generic_tostruct_tlsa(ARGS_TOSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = target;
+	isc_region_t region;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->length != 0);
+
+	REQUIRE(tlsa != NULL);
+	REQUIRE(tlsa->common.rdclass == rdata->rdclass);
+	REQUIRE(tlsa->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&tlsa->common, link));
+
+	dns_rdata_toregion(rdata, &region);
+
+	tlsa->usage = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->selector = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->match = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	tlsa->length = region.length;
+
+	tlsa->data = mem_maybedup(mctx, region.base, region.length);
+	if (tlsa->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	tlsa->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+generic_freestruct_tlsa(ARGS_FREESTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(tlsa != NULL);
+
+	if (tlsa->mctx == NULL)
+		return;
+
+	if (tlsa->data != NULL)
+		isc_mem_free(tlsa->mctx, tlsa->data);
+	tlsa->mctx = NULL;
+}
+
+static inline isc_result_t
+fromstruct_tlsa(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	return (generic_fromstruct_tlsa(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_tlsa(ARGS_TOSTRUCT) {
+	dns_rdata_tlsa_t *tlsa = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+	REQUIRE(target != NULL);
+
+	tlsa->common.rdclass = rdata->rdclass;
+	tlsa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&tlsa->common, link);
+
+	return (generic_tostruct_tlsa(rdata, target, mctx));
+}
+
+static inline void
+freestruct_tlsa(ARGS_FREESTRUCT) {
+	dns_rdata_tlsa_t *tlsa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(tlsa->common.rdtype == dns_rdatatype_tlsa);
+
+	generic_freestruct_tlsa(source);
+}
+
+static inline isc_result_t
+additionaldata_tlsa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_tlsa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_tlsa(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_tlsa);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_tlsa(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_tlsa);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_tlsa(ARGS_COMPARE) {
+	return (compare_tlsa(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_TLSA_52_C */
diff --git a/lib/dns/rdata/generic/tlsa_52.h b/lib/dns/rdata/generic/tlsa_52.h
new file mode 100644
index 0000000..422fd8b
--- /dev/null
+++ b/lib/dns/rdata/generic/tlsa_52.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_TLSA_52_H
+#define GENERIC_TLSA_52_H 1
+
+/*!
+ *  \brief per rfc6698.txt
+ */
+typedef struct dns_rdata_tlsa {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint8_t		usage;
+	uint8_t		selector;
+	uint8_t		match;
+	uint16_t		length;
+	unsigned char		*data;
+} dns_rdata_tlsa_t;
+
+#endif /* GENERIC_TLSA_52_H */
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
new file mode 100644
index 0000000..3f3842e
--- /dev/null
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -0,0 +1,360 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_GENERIC_TXT_16_C
+#define RDATA_GENERIC_TXT_16_C
+
+#define RRTYPE_TXT_ATTRIBUTES (0)
+
+static inline isc_result_t
+generic_fromtext_txt(ARGS_FROMTEXT) {
+	isc_token_t token;
+	int strings;
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	strings = 0;
+	if ((options & DNS_RDATA_UNKNOWNESCAPE) != 0) {
+		isc_textregion_t r;
+		DE_CONST("#", r.base);
+		r.length = 1;
+		RETERR(txt_fromtext(&r, target));
+		strings++;
+	}
+	for (;;) {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_qstring,
+					      true));
+		if (token.type != isc_tokentype_qstring &&
+		    token.type != isc_tokentype_string)
+			break;
+		RETTOK(txt_fromtext(&token.value.as_textregion, target));
+		strings++;
+	}
+	/* Let upper layer handle eol/eof. */
+	isc_lex_ungettoken(lexer, &token);
+	return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+generic_totext_txt(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	while (region.length > 0) {
+		RETERR(txt_totext(&region, true, target));
+		if (region.length > 0)
+			RETERR(str_totext(" ", target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+generic_fromwire_txt(ARGS_FROMWIRE) {
+	isc_result_t result;
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	do {
+		result = txt_fromwire(source, target);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} while (!buffer_empty(source));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromtext_txt(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromtext_txt(rdclass, type, lexer, origin, options,
+				     target, callbacks));
+}
+
+static inline isc_result_t
+totext_txt(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	return (generic_totext_txt(rdata, tctx, target));
+}
+
+static inline isc_result_t
+fromwire_txt(ARGS_FROMWIRE) {
+
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromwire_txt(rdclass, type, source, dctx, options,
+				     target));
+}
+
+static inline isc_result_t
+towire_txt(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_txt(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_txt);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+generic_fromstruct_txt(ARGS_FROMSTRUCT) {
+	dns_rdata_txt_t *txt = source;
+	isc_region_t region;
+	uint8_t length;
+
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == type);
+	REQUIRE(txt->common.rdclass == rdclass);
+	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	region.base = txt->txt;
+	region.length = txt->txt_len;
+	while (region.length > 0) {
+		length = uint8_fromregion(&region);
+		isc_region_consume(&region, 1);
+		if (region.length < length)
+			return (ISC_R_UNEXPECTEDEND);
+		isc_region_consume(&region, length);
+	}
+
+	return (mem_tobuffer(target, txt->txt, txt->txt_len));
+}
+
+static inline isc_result_t
+generic_tostruct_txt(ARGS_TOSTRUCT) {
+	dns_rdata_txt_t *txt = target;
+	isc_region_t r;
+
+	REQUIRE(target != NULL);
+	REQUIRE(txt->common.rdclass == rdata->rdclass);
+	REQUIRE(txt->common.rdtype == rdata->type);
+	REQUIRE(!ISC_LINK_LINKED(&txt->common, link));
+
+	dns_rdata_toregion(rdata, &r);
+	txt->txt_len = r.length;
+	txt->txt = mem_maybedup(mctx, r.base, r.length);
+	if (txt->txt == NULL)
+		return (ISC_R_NOMEMORY);
+
+	txt->offset = 0;
+	txt->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+generic_freestruct_txt(ARGS_FREESTRUCT) {
+	dns_rdata_txt_t *txt = source;
+
+	REQUIRE(source != NULL);
+
+	if (txt->mctx == NULL)
+		return;
+
+	if (txt->txt != NULL)
+		isc_mem_free(txt->mctx, txt->txt);
+	txt->mctx = NULL;
+}
+
+static inline isc_result_t
+fromstruct_txt(ARGS_FROMSTRUCT) {
+
+	REQUIRE(type == dns_rdatatype_txt);
+
+	return (generic_fromstruct_txt(rdclass, type, source, target));
+}
+
+static inline isc_result_t
+tostruct_txt(ARGS_TOSTRUCT) {
+	dns_rdata_txt_t *txt = target;
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+	REQUIRE(target != NULL);
+
+	txt->common.rdclass = rdata->rdclass;
+	txt->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&txt->common, link);
+
+	return (generic_tostruct_txt(rdata, target, mctx));
+}
+
+static inline void
+freestruct_txt(ARGS_FREESTRUCT) {
+	dns_rdata_txt_t *txt = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	generic_freestruct_txt(source);
+}
+
+static inline isc_result_t
+additionaldata_txt(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_txt(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_txt(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_txt);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_txt(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_txt);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_txt(ARGS_COMPARE) {
+	return (compare_txt(rdata1, rdata2));
+}
+
+static isc_result_t
+generic_txt_first(dns_rdata_txt_t *txt) {
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->txt != NULL || txt->txt_len == 0);
+
+	if (txt->txt_len == 0)
+		return (ISC_R_NOMORE);
+
+	txt->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_txt_next(dns_rdata_txt_t *txt) {
+	isc_region_t r;
+	uint8_t length;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+	INSIST(txt->offset + 1 <= txt->txt_len);
+	r.base = txt->txt + txt->offset;
+	r.length = txt->txt_len - txt->offset;
+	length = uint8_fromregion(&r);
+	INSIST(txt->offset + 1 + length <= txt->txt_len);
+	txt->offset = txt->offset + 1 + length;
+	if (txt->offset == txt->txt_len)
+		return (ISC_R_NOMORE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generic_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string) {
+	isc_region_t r;
+
+	REQUIRE(txt != NULL);
+	REQUIRE(string != NULL);
+	REQUIRE(txt->txt != NULL);
+	REQUIRE(txt->offset < txt->txt_len);
+
+	INSIST(txt->offset + 1 <= txt->txt_len);
+	r.base = txt->txt + txt->offset;
+	r.length = txt->txt_len - txt->offset;
+
+	string->length = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	string->data = r.base;
+	INSIST(txt->offset + 1 + string->length <= txt->txt_len);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_txt_first(dns_rdata_txt_t *txt) {
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_first(txt));
+}
+
+isc_result_t
+dns_rdata_txt_next(dns_rdata_txt_t *txt) {
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_next(txt));
+}
+
+isc_result_t
+dns_rdata_txt_current(dns_rdata_txt_t *txt, dns_rdata_txt_string_t *string) {
+
+	REQUIRE(txt != NULL);
+	REQUIRE(txt->common.rdtype == dns_rdatatype_txt);
+
+	return (generic_txt_current(txt, string));
+}
+#endif	/* RDATA_GENERIC_TXT_16_C */
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
new file mode 100644
index 0000000..aaf94bf
--- /dev/null
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_TXT_16_H
+#define GENERIC_TXT_16_H 1
+
+
+typedef struct dns_rdata_txt_string {
+		uint8_t    length;
+		unsigned char   *data;
+} dns_rdata_txt_string_t;
+
+typedef struct dns_rdata_txt {
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	unsigned char           *txt;
+	uint16_t            txt_len;
+	/* private */
+	uint16_t            offset;
+} dns_rdata_txt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_txt_first(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_next(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
+
+#endif /* GENERIC_TXT_16_H */
diff --git a/lib/dns/rdata/generic/unspec_103.c b/lib/dns/rdata/generic/unspec_103.c
new file mode 100644
index 0000000..1c4654f
--- /dev/null
+++ b/lib/dns/rdata/generic/unspec_103.c
@@ -0,0 +1,187 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef RDATA_GENERIC_UNSPEC_103_C
+#define RDATA_GENERIC_UNSPEC_103_C
+
+#define RRTYPE_UNSPEC_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_unspec(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_unspec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (atob_tobuffer(lexer, target));
+}
+
+static inline isc_result_t
+totext_unspec(ARGS_TOTEXT) {
+
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+
+	UNUSED(tctx);
+
+	return (btoa_totext(rdata->data, rdata->length, target));
+}
+
+static inline isc_result_t
+fromwire_unspec(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_unspec);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_unspec(ARGS_TOWIRE) {
+
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_unspec(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_unspec);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_unspec(ARGS_FROMSTRUCT) {
+	dns_rdata_unspec_t *unspec = source;
+
+	REQUIRE(type == dns_rdatatype_unspec);
+	REQUIRE(source != NULL);
+	REQUIRE(unspec->common.rdtype == type);
+	REQUIRE(unspec->common.rdclass == rdclass);
+	REQUIRE(unspec->data != NULL || unspec->datalen == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, unspec->data, unspec->datalen));
+}
+
+static inline isc_result_t
+tostruct_unspec(ARGS_TOSTRUCT) {
+	dns_rdata_unspec_t *unspec = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+	REQUIRE(target != NULL);
+
+	unspec->common.rdclass = rdata->rdclass;
+	unspec->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&unspec->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	unspec->datalen = r.length;
+	unspec->data = mem_maybedup(mctx, r.base, r.length);
+	if (unspec->data == NULL)
+		return (ISC_R_NOMEMORY);
+
+	unspec->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_unspec(ARGS_FREESTRUCT) {
+	dns_rdata_unspec_t *unspec = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(unspec->common.rdtype == dns_rdatatype_unspec);
+
+	if (unspec->mctx == NULL)
+		return;
+
+	if (unspec->data != NULL)
+		isc_mem_free(unspec->mctx, unspec->data);
+	unspec->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_unspec(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_unspec(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_unspec(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_unspec);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_unspec(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_unspec);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_unspec(ARGS_COMPARE) {
+	return (compare_unspec(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/lib/dns/rdata/generic/unspec_103.h b/lib/dns/rdata/generic/unspec_103.h
new file mode 100644
index 0000000..9afb1bd
--- /dev/null
+++ b/lib/dns/rdata/generic/unspec_103.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef GENERIC_UNSPEC_103_H
+#define GENERIC_UNSPEC_103_H 1
+
+
+typedef struct dns_rdata_unspec_t {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*data;
+	uint16_t		datalen;
+} dns_rdata_unspec_t;
+
+#endif /* GENERIC_UNSPEC_103_H */
diff --git a/lib/dns/rdata/generic/uri_256.c b/lib/dns/rdata/generic/uri_256.c
new file mode 100644
index 0000000..8fb0307
--- /dev/null
+++ b/lib/dns/rdata/generic/uri_256.c
@@ -0,0 +1,308 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef GENERIC_URI_256_C
+#define GENERIC_URI_256_C 1
+
+#define RRTYPE_URI_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_uri(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * Priority
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Weight
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Target URI
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token,
+				      isc_tokentype_qstring, false));
+	if (token.type != isc_tokentype_qstring)
+		RETTOK(DNS_R_SYNTAX);
+	RETTOK(multitxt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_uri(ARGS_TOTEXT) {
+	isc_region_t region;
+	unsigned short priority, weight;
+	char buf[sizeof("65000 ")];
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * Priority
+	 */
+	priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", priority);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Weight
+	 */
+	weight = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u ", weight);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * Target URI
+	 */
+	RETERR(multitxt_totext(&region, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_uri(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	/*
+	 * Priority, weight
+	 */
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+
+	/*
+	 * Priority, weight and target URI
+	 */
+	isc_buffer_forward(source, region.length);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline isc_result_t
+towire_uri(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_uri(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_uri);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+
+	/*
+	 * Priority
+	 */
+	order = memcmp(r1.base, r2.base, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&r1, 2);
+	isc_region_consume(&r2, 2);
+
+	/*
+	 * Weight
+	 */
+	order = memcmp(r1.base, r2.base, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+	isc_region_consume(&r1, 2);
+	isc_region_consume(&r2, 2);
+
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_uri(ARGS_FROMSTRUCT) {
+	dns_rdata_uri_t *uri = source;
+
+	REQUIRE(type == dns_rdatatype_uri);
+	REQUIRE(source != NULL);
+	REQUIRE(uri->common.rdtype == type);
+	REQUIRE(uri->common.rdclass == rdclass);
+	REQUIRE(uri->target != NULL && uri->tgt_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Priority
+	 */
+	RETERR(uint16_tobuffer(uri->priority, target));
+
+	/*
+	 * Weight
+	 */
+	RETERR(uint16_tobuffer(uri->weight, target));
+
+	/*
+	 * Target URI
+	 */
+	return (mem_tobuffer(target, uri->target, uri->tgt_len));
+}
+
+static inline isc_result_t
+tostruct_uri(ARGS_TOSTRUCT) {
+	dns_rdata_uri_t *uri = target;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	uri->common.rdclass = rdata->rdclass;
+	uri->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&uri->common, link);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	/*
+	 * Priority
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	uri->priority = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Weight
+	 */
+	if (sr.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	uri->weight = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	/*
+	 * Target URI
+	 */
+	uri->tgt_len = sr.length;
+	uri->target = mem_maybedup(mctx, sr.base, sr.length);
+	if (uri->target == NULL)
+		return (ISC_R_NOMEMORY);
+
+	uri->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_uri(ARGS_FREESTRUCT) {
+	dns_rdata_uri_t *uri = (dns_rdata_uri_t *) source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(uri->common.rdtype == dns_rdatatype_uri);
+
+	if (uri->mctx == NULL)
+		return;
+
+	if (uri->target != NULL)
+		isc_mem_free(uri->mctx, uri->target);
+	uri->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_uri(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_uri(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_uri(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_uri);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_uri(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_uri);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_uri(ARGS_COMPARE) {
+	return (compare_uri(rdata1, rdata2));
+}
+
+#endif /* GENERIC_URI_256_C */
diff --git a/lib/dns/rdata/generic/uri_256.h b/lib/dns/rdata/generic/uri_256.h
new file mode 100644
index 0000000..cea1d22
--- /dev/null
+++ b/lib/dns/rdata/generic/uri_256.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_URI_256_H
+#define GENERIC_URI_256_H 1
+
+
+typedef struct dns_rdata_uri {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	uint16_t		priority;
+	uint16_t		weight;
+	unsigned char *		target;
+	uint16_t		tgt_len;
+} dns_rdata_uri_t;
+
+#endif /* GENERIC_URI_256_H */
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
new file mode 100644
index 0000000..d267f65
--- /dev/null
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1183 */
+
+#ifndef RDATA_GENERIC_X25_19_C
+#define RDATA_GENERIC_X25_19_C
+
+#define RRTYPE_X25_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_x25(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int i;
+
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      false));
+	if (token.value.as_textregion.length < 4)
+		RETTOK(DNS_R_SYNTAX);
+	for (i = 0; i < token.value.as_textregion.length; i++)
+		if (!isdigit(token.value.as_textregion.base[i] & 0xff))
+			RETTOK(ISC_R_RANGE);
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_x25(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	return (txt_totext(&region, true, target));
+}
+
+static inline isc_result_t
+fromwire_x25(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 5)
+		return (DNS_R_FORMERR);
+	return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_x25(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(rdata->length != 0);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_x25(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_x25);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_x25(ARGS_FROMSTRUCT) {
+	dns_rdata_x25_t *x25 = source;
+	uint8_t i;
+
+	REQUIRE(type == dns_rdatatype_x25);
+	REQUIRE(source != NULL);
+	REQUIRE(x25->common.rdtype == type);
+	REQUIRE(x25->common.rdclass == rdclass);
+	REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (x25->x25_len < 4)
+		return (ISC_R_RANGE);
+
+	for (i = 0; i < x25->x25_len; i++)
+		if (!isdigit(x25->x25[i] & 0xff))
+			return (ISC_R_RANGE);
+
+	RETERR(uint8_tobuffer(x25->x25_len, target));
+	return (mem_tobuffer(target, x25->x25, x25->x25_len));
+}
+
+static inline isc_result_t
+tostruct_x25(ARGS_TOSTRUCT) {
+	dns_rdata_x25_t *x25 = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	x25->common.rdclass = rdata->rdclass;
+	x25->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&x25->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	x25->x25_len = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
+	if (x25->x25 == NULL)
+		return (ISC_R_NOMEMORY);
+
+	x25->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_x25(ARGS_FREESTRUCT) {
+	dns_rdata_x25_t *x25 = source;
+	REQUIRE(source != NULL);
+	REQUIRE(x25->common.rdtype == dns_rdatatype_x25);
+
+	if (x25->mctx == NULL)
+		return;
+
+	if (x25->x25 != NULL)
+		isc_mem_free(x25->mctx, x25->x25);
+	x25->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_x25(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_x25(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_x25(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_x25);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_x25(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_x25);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_x25(ARGS_COMPARE) {
+	return (compare_x25(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_X25_19_C */
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
new file mode 100644
index 0000000..b10063c
--- /dev/null
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef GENERIC_X25_19_H
+#define GENERIC_X25_19_H 1
+
+
+/*!
+ *  \brief Per RFC1183 */
+
+typedef struct dns_rdata_x25 {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*x25;
+	uint8_t		x25_len;
+} dns_rdata_x25_t;
+
+#endif /* GENERIC_X25_19_H */
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
new file mode 100644
index 0000000..973465e
--- /dev/null
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_HS_4_A_1_C
+#define RDATA_HS_4_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hs_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hs_a(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET, &region, target));
+}
+
+static inline isc_result_t
+fromwire_hs_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 4)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 4);
+	isc_buffer_forward(source, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_hs_a(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(cctx);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_hs_a(ARGS_COMPARE) {
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata1->length == 4);
+	REQUIRE(rdata2->length == 4);
+
+	order = memcmp(rdata1->data, rdata2->data, 4);
+	if (order != 0)
+		order = (order < 0) ? -1 : 1;
+
+	return (order);
+}
+
+static inline isc_result_t
+fromstruct_hs_a(ARGS_FROMSTRUCT) {
+	dns_rdata_hs_a_t *a = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	n = ntohl(a->in_addr.s_addr);
+
+	return (uint32_tobuffer(n, target));
+}
+
+static inline isc_result_t
+tostruct_hs_a(ARGS_TOSTRUCT) {
+	dns_rdata_hs_a_t *a = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(mctx);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	a->in_addr.s_addr = htonl(n);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_hs_a(ARGS_FREESTRUCT) {
+	UNUSED(source);
+
+	REQUIRE(source != NULL);
+}
+
+static inline isc_result_t
+additionaldata_hs_a(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hs_a(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_hs_a(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_hs);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_hs_a(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_hs);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_hs_a(ARGS_COMPARE) {
+	return (compare_hs_a(rdata1, rdata2));
+}
+
+#endif	/* RDATA_HS_4_A_1_C */
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
new file mode 100644
index 0000000..c5f6996
--- /dev/null
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef HS_4_A_1_H
+#define HS_4_A_1_H 1
+
+
+typedef struct dns_rdata_hs_a {
+	dns_rdatacommon_t	common;
+	struct in_addr          in_addr;
+} dns_rdata_hs_a_t;
+
+#endif /* HS_4_A_1_H */
diff --git a/lib/dns/rdata/in_1/a6_38.c b/lib/dns/rdata/in_1/a6_38.c
new file mode 100644
index 0000000..9d7d431
--- /dev/null
+++ b/lib/dns/rdata/in_1/a6_38.c
@@ -0,0 +1,460 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC2874 */
+
+#ifndef RDATA_IN_1_A6_28_C
+#define RDATA_IN_1_A6_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A6_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_a6(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Prefix length.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 128U)
+		RETTOK(ISC_R_RANGE);
+
+	prefixlen = (unsigned char)token.value.as_ulong;
+	RETERR(mem_tobuffer(target, &prefixlen, 1));
+
+	/*
+	 * Suffix.
+	 */
+	if (prefixlen != 128) {
+		/*
+		 * Prefix 0..127.
+		 */
+		octets = prefixlen/8;
+		/*
+		 * Octets 0..15.
+		 */
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string,
+					      false));
+		if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
+			RETTOK(DNS_R_BADAAAA);
+		mask = 0xff >> (prefixlen % 8);
+		addr[octets] &= mask;
+		RETERR(mem_tobuffer(target, &addr[octets], 16 - octets));
+	}
+
+	if (prefixlen == 0)
+		return (ISC_R_SUCCESS);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_a6(ARGS_TOTEXT) {
+	isc_region_t sr, ar;
+	unsigned char addr[16];
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	char buf[sizeof("128")];
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	prefixlen = sr.base[0];
+	INSIST(prefixlen <= 128);
+	isc_region_consume(&sr, 1);
+	snprintf(buf, sizeof(buf), "%u", prefixlen);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	if (prefixlen != 128) {
+		octets = prefixlen/8;
+		memset(addr, 0, sizeof(addr));
+		memmove(&addr[octets], sr.base, 16 - octets);
+		mask = 0xff >> (prefixlen % 8);
+		addr[octets] &= mask;
+		ar.base = addr;
+		ar.length = sizeof(addr);
+		RETERR(inet_totext(AF_INET6, &ar, target));
+		isc_region_consume(&sr, 16 - octets);
+	}
+
+	if (prefixlen == 0)
+		return (ISC_R_SUCCESS);
+
+	RETERR(str_totext(" ", target));
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+	dns_name_fromregion(&name, &sr);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_a6(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	unsigned char prefixlen;
+	unsigned char octets;
+	unsigned char mask;
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_activeregion(source, &sr);
+	/*
+	 * Prefix length.
+	 */
+	if (sr.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+	prefixlen = sr.base[0];
+	if (prefixlen > 128)
+		return (ISC_R_RANGE);
+	isc_region_consume(&sr, 1);
+	RETERR(mem_tobuffer(target, &prefixlen, 1));
+	isc_buffer_forward(source, 1);
+
+	/*
+	 * Suffix.
+	 */
+	if (prefixlen != 128) {
+		octets = 16 - prefixlen / 8;
+		if (sr.length < octets)
+			return (ISC_R_UNEXPECTEDEND);
+		mask = 0xff >> (prefixlen % 8);
+		sr.base[0] &= mask;	/* Ensure pad bits are zero. */
+		RETERR(mem_tobuffer(target, sr.base, octets));
+		isc_buffer_forward(source, octets);
+	}
+
+	if (prefixlen == 0)
+		return (ISC_R_SUCCESS);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_a6(ARGS_TOWIRE) {
+	isc_region_t sr;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	unsigned char prefixlen;
+	unsigned char octets;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &sr);
+	prefixlen = sr.base[0];
+	INSIST(prefixlen <= 128);
+
+	octets = 1 + 16 - prefixlen / 8;
+	RETERR(mem_tobuffer(target, sr.base, octets));
+	isc_region_consume(&sr, octets);
+
+	if (prefixlen == 0)
+		return (ISC_R_SUCCESS);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_a6(ARGS_COMPARE) {
+	int order;
+	unsigned char prefixlen1, prefixlen2;
+	unsigned char octets;
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a6);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+	prefixlen1 = region1.base[0];
+	prefixlen2 = region2.base[0];
+	isc_region_consume(&region1, 1);
+	isc_region_consume(&region2, 1);
+	if (prefixlen1 < prefixlen2)
+		return (-1);
+	else if (prefixlen1 > prefixlen2)
+		return (1);
+	/*
+	 * Prefix lengths are equal.
+	 */
+	octets = 16 - prefixlen1 / 8;
+
+	if (octets > 0) {
+		order = memcmp(region1.base, region2.base, octets);
+		if (order < 0)
+			return (-1);
+		else if (order > 0)
+			return (1);
+		/*
+		 * Address suffixes are equal.
+		 */
+		if (prefixlen1 == 0)
+			return (order);
+		isc_region_consume(&region1, octets);
+		isc_region_consume(&region2, octets);
+	}
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_a6(ARGS_FROMSTRUCT) {
+	dns_rdata_in_a6_t *a6 = source;
+	isc_region_t region;
+	int octets;
+	uint8_t bits;
+	uint8_t first;
+	uint8_t mask;
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(a6->common.rdtype == type);
+	REQUIRE(a6->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	if (a6->prefixlen > 128)
+		return (ISC_R_RANGE);
+
+	RETERR(uint8_tobuffer(a6->prefixlen, target));
+
+	/* Suffix */
+	if (a6->prefixlen != 128) {
+		octets = 16 - a6->prefixlen / 8;
+		bits = a6->prefixlen % 8;
+		if (bits != 0) {
+			mask = 0xffU >> bits;
+			first = a6->in6_addr.s6_addr[16 - octets] & mask;
+			RETERR(uint8_tobuffer(first, target));
+			octets--;
+		}
+		if (octets > 0)
+			RETERR(mem_tobuffer(target,
+					    a6->in6_addr.s6_addr + 16 - octets,
+					    octets));
+	}
+
+	if (a6->prefixlen == 0)
+		return (ISC_R_SUCCESS);
+	dns_name_toregion(&a6->prefix, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_a6(ARGS_TOSTRUCT) {
+	dns_rdata_in_a6_t *a6 = target;
+	unsigned char octets;
+	dns_name_t name;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	a6->common.rdclass = rdata->rdclass;
+	a6->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a6->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+
+	a6->prefixlen = uint8_fromregion(&r);
+	isc_region_consume(&r, 1);
+	memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
+
+	/*
+	 * Suffix.
+	 */
+	if (a6->prefixlen != 128) {
+		octets = 16 - a6->prefixlen / 8;
+		INSIST(r.length >= octets);
+		memmove(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
+		isc_region_consume(&r, octets);
+	}
+
+	/*
+	 * Prefix.
+	 */
+	dns_name_init(&a6->prefix, NULL);
+	if (a6->prefixlen != 0) {
+		dns_name_init(&name, NULL);
+		dns_name_fromregion(&name, &r);
+		RETERR(name_duporclone(&name, mctx, &a6->prefix));
+	}
+	a6->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_a6(ARGS_FREESTRUCT) {
+	dns_rdata_in_a6_t *a6 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(a6->common.rdclass == dns_rdataclass_in);
+	REQUIRE(a6->common.rdtype == dns_rdatatype_a6);
+
+	if (a6->mctx == NULL)
+		return;
+
+	if (dns_name_dynamic(&a6->prefix))
+		dns_name_free(&a6->prefix, a6->mctx);
+	a6->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_a6(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_a6(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	unsigned char prefixlen, octets;
+	isc_result_t result;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	prefixlen = r1.base[0];
+	octets = 1 + 16 - prefixlen / 8;
+
+	r1.length = octets;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (prefixlen == 0)
+		return (ISC_R_SUCCESS);
+
+	isc_region_consume(&r2, octets);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_in_a6(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_a6);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_in_a6(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+	unsigned int prefixlen;
+
+	REQUIRE(rdata->type == dns_rdatatype_a6);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	prefixlen = uint8_fromregion(&region);
+	if (prefixlen == 0)
+		return (true);
+	isc_region_consume(&region, 1 + 16 - prefixlen / 8);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_in_a6(ARGS_COMPARE) {
+	return (compare_in_a6(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_A6_38_C */
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
new file mode 100644
index 0000000..9811640
--- /dev/null
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_A6_38_H
+#define IN_1_A6_38_H 1
+
+
+/*!
+ *  \brief Per RFC2874 */
+
+typedef struct dns_rdata_in_a6 {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		prefix;
+	uint8_t		prefixlen;
+	struct in6_addr		in6_addr;
+} dns_rdata_in_a6_t;
+
+#endif /* IN_1_A6_38_H */
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
new file mode 100644
index 0000000..d277699
--- /dev/null
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_IN_1_A_1_C
+#define RDATA_IN_1_A_1_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_a(ARGS_FROMTEXT) {
+	isc_token_t token;
+	struct in_addr addr;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+		RETTOK(DNS_R_BADDOTTEDQUAD);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 4)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_a(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET, &region, target));
+}
+
+static inline isc_result_t
+fromwire_in_a(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 4)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 4);
+	isc_buffer_forward(source, 4);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_a(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(cctx);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 4);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_in_a(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_a);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length == 4);
+	REQUIRE(rdata2->length == 4);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_a(ARGS_FROMSTRUCT) {
+	dns_rdata_in_a_t *a = source;
+	uint32_t n;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == type);
+	REQUIRE(a->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	n = ntohl(a->in_addr.s_addr);
+
+	return (uint32_tobuffer(n, target));
+}
+
+
+static inline isc_result_t
+tostruct_in_a(ARGS_TOSTRUCT) {
+	dns_rdata_in_a_t *a = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 4);
+
+	UNUSED(mctx);
+
+	a->common.rdclass = rdata->rdclass;
+	a->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&a->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	a->in_addr.s_addr = htonl(n);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_a(ARGS_FREESTRUCT) {
+	dns_rdata_in_a_t *a = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(a->common.rdtype == dns_rdatatype_a);
+	REQUIRE(a->common.rdclass == dns_rdataclass_in);
+
+	UNUSED(a);
+}
+
+static inline isc_result_t
+additionaldata_in_a(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_a(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_a(ARGS_CHECKOWNER) {
+	dns_name_t prefix, suffix;
+
+	REQUIRE(type == dns_rdatatype_a);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Handle Active Diretory gc._msdcs.<forest> name.
+	 */
+	if (dns_name_countlabels(name) > 2U) {
+		dns_name_init(&prefix, NULL);
+		dns_name_init(&suffix, NULL);
+		dns_name_split(name, dns_name_countlabels(name) - 2,
+			       &prefix, &suffix);
+		if (dns_name_equal(&gc_msdcs, &prefix) &&
+		    dns_name_ishostname(&suffix, false))
+			return (true);
+	}
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_in_a(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_a);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_a(ARGS_COMPARE) {
+	return (compare_in_a(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_A_1_C */
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
new file mode 100644
index 0000000..f44809d
--- /dev/null
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_A_1_H
+#define IN_1_A_1_H 1
+
+
+typedef struct dns_rdata_in_a {
+	dns_rdatacommon_t	common;
+	struct in_addr          in_addr;
+} dns_rdata_in_a_t;
+
+#endif /* IN_1_A_1_H */
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
new file mode 100644
index 0000000..655c5ed
--- /dev/null
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1886 */
+
+#ifndef RDATA_IN_1_AAAA_28_C
+#define RDATA_IN_1_AAAA_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_AAAA_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_aaaa(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
+		RETTOK(DNS_R_BADAAAA);
+	isc_buffer_availableregion(target, &region);
+	if (region.length < 16)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, addr, 16);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_aaaa(ARGS_TOTEXT) {
+	isc_region_t region;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 16);
+
+	dns_rdata_toregion(rdata, &region);
+	return (inet_totext(AF_INET6, &region, target));
+}
+
+static inline isc_result_t
+fromwire_in_aaaa(ARGS_FROMWIRE) {
+	isc_region_t sregion;
+	isc_region_t tregion;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sregion);
+	isc_buffer_availableregion(target, &tregion);
+	if (sregion.length < 16)
+		return (ISC_R_UNEXPECTEDEND);
+	if (tregion.length < 16)
+		return (ISC_R_NOSPACE);
+
+	memmove(tregion.base, sregion.base, 16);
+	isc_buffer_forward(source, 16);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_aaaa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length == 16);
+
+	isc_buffer_availableregion(target, &region);
+	if (region.length < rdata->length)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, rdata->data, rdata->length);
+	isc_buffer_add(target, 16);
+	return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_in_aaaa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length == 16);
+	REQUIRE(rdata2->length == 16);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = source;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(aaaa->common.rdtype == type);
+	REQUIRE(aaaa->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
+}
+
+static inline isc_result_t
+tostruct_in_aaaa(ARGS_TOSTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length == 16);
+
+	UNUSED(mctx);
+
+	aaaa->common.rdclass = rdata->rdclass;
+	aaaa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&aaaa->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	INSIST(r.length == 16);
+	memmove(aaaa->in6_addr.s6_addr, r.base, 16);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_aaaa(ARGS_FREESTRUCT) {
+	dns_rdata_in_aaaa_t *aaaa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(aaaa->common.rdclass == dns_rdataclass_in);
+	REQUIRE(aaaa->common.rdtype == dns_rdatatype_aaaa);
+
+	UNUSED(aaaa);
+}
+
+static inline isc_result_t
+additionaldata_in_aaaa(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_aaaa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_aaaa(ARGS_CHECKOWNER) {
+	dns_name_t prefix, suffix;
+
+	REQUIRE(type == dns_rdatatype_aaaa);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	/*
+	 * Handle Active Diretory gc._msdcs.<forest> name.
+	 */
+	if (dns_name_countlabels(name) > 2U) {
+		dns_name_init(&prefix, NULL);
+		dns_name_init(&suffix, NULL);
+		dns_name_split(name, dns_name_countlabels(name) - 2,
+			       &prefix, &suffix);
+		if (dns_name_equal(&gc_msdcs, &prefix) &&
+		    dns_name_ishostname(&suffix, false))
+			return (true);
+	}
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_in_aaaa(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_aaaa);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_aaaa(ARGS_COMPARE) {
+	return (compare_in_aaaa(rdata1, rdata2));
+}
+#endif	/* RDATA_IN_1_AAAA_28_C */
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
new file mode 100644
index 0000000..caabf7e
--- /dev/null
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_AAAA_28_H
+#define IN_1_AAAA_28_H 1
+
+
+/*!
+ *  \brief Per RFC1886 */
+
+typedef struct dns_rdata_in_aaaa {
+	dns_rdatacommon_t	common;
+	struct in6_addr		in6_addr;
+} dns_rdata_in_aaaa_t;
+
+#endif /* IN_1_AAAA_28_H */
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
new file mode 100644
index 0000000..ae35db9
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -0,0 +1,456 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC3123 */
+
+#ifndef RDATA_IN_1_APL_42_C
+#define RDATA_IN_1_APL_42_C
+
+#define RRTYPE_APL_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_apl(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char addr[16];
+	unsigned long afi;
+	uint8_t prefix;
+	uint8_t len;
+	bool neg;
+	char *cp, *ap, *slash;
+	int n;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string)
+			break;
+
+		cp = DNS_AS_STR(token);
+		neg = (*cp == '!');
+		if (neg)
+			cp++;
+		afi = strtoul(cp, &ap, 10);
+		if (*ap++ != ':' || cp == ap)
+			RETTOK(DNS_R_SYNTAX);
+		if (afi > 0xffffU)
+			RETTOK(ISC_R_RANGE);
+		slash = strchr(ap, '/');
+		if (slash == NULL || slash == ap)
+			RETTOK(DNS_R_SYNTAX);
+		RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
+		switch (afi) {
+		case 1:
+			*slash = '\0';
+			n = inet_pton(AF_INET, ap, addr);
+			*slash = '/';
+			if (n != 1)
+				RETTOK(DNS_R_BADDOTTEDQUAD);
+			if (prefix > 32)
+				RETTOK(ISC_R_RANGE);
+			for (len = 4; len > 0; len--)
+				if (addr[len - 1] != 0)
+					break;
+			break;
+
+		case 2:
+			*slash = '\0';
+			n = inet_pton(AF_INET6, ap, addr);
+			*slash = '/';
+			if (n != 1)
+				RETTOK(DNS_R_BADAAAA);
+			if (prefix > 128)
+				RETTOK(ISC_R_RANGE);
+			for (len = 16; len > 0; len--)
+				if (addr[len - 1] != 0)
+					break;
+			break;
+
+		default:
+			RETTOK(ISC_R_NOTIMPLEMENTED);
+		}
+		RETERR(uint16_tobuffer(afi, target));
+		RETERR(uint8_tobuffer(prefix, target));
+		RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
+		RETERR(mem_tobuffer(target, addr, len));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_apl(ARGS_TOTEXT) {
+	isc_region_t sr;
+	isc_region_t ir;
+	uint16_t afi;
+	uint8_t prefix;
+	uint8_t len;
+	bool neg;
+	unsigned char buf[16];
+	char txt[sizeof(" !64000:")];
+	const char *sep = "";
+	int n;
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	ir.base = buf;
+	ir.length = sizeof(buf);
+
+	while (sr.length > 0) {
+		INSIST(sr.length >= 4);
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		neg = (*sr.base & 0x80);
+		isc_region_consume(&sr, 1);
+		INSIST(len <= sr.length);
+		n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
+			     neg ? "!" : "", afi);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		switch (afi) {
+		case 1:
+			INSIST(len <= 4);
+			INSIST(prefix <= 32);
+			memset(buf, 0, sizeof(buf));
+			memmove(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET, &ir, target));
+			break;
+
+		case 2:
+			INSIST(len <= 16);
+			INSIST(prefix <= 128);
+			memset(buf, 0, sizeof(buf));
+			memmove(buf, sr.base, len);
+			RETERR(inet_totext(AF_INET6, &ir, target));
+			break;
+
+		default:
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+		n = snprintf(txt, sizeof(txt), "/%u", prefix);
+		INSIST(n < (int)sizeof(txt));
+		RETERR(str_totext(txt, target));
+		isc_region_consume(&sr, len);
+		sep = " ";
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_apl(ARGS_FROMWIRE) {
+	isc_region_t sr, sr2;
+	isc_region_t tr;
+	uint16_t afi;
+	uint8_t prefix;
+	uint8_t len;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(rdclass);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+	if (sr.length > tr.length)
+		return (ISC_R_NOSPACE);
+	sr2 = sr;
+
+	/* Zero or more items */
+	while (sr.length > 0) {
+		if (sr.length < 4)
+			return (ISC_R_UNEXPECTEDEND);
+		afi = uint16_fromregion(&sr);
+		isc_region_consume(&sr, 2);
+		prefix = *sr.base;
+		isc_region_consume(&sr, 1);
+		len = (*sr.base & 0x7f);
+		isc_region_consume(&sr, 1);
+		if (len > sr.length)
+			return (ISC_R_UNEXPECTEDEND);
+		switch (afi) {
+		case 1:
+			if (prefix > 32 || len > 4)
+				return (ISC_R_RANGE);
+			break;
+		case 2:
+			if (prefix > 128 || len > 16)
+				return (ISC_R_RANGE);
+		}
+		if (len > 0 && sr.base[len - 1] == 0)
+			return (DNS_R_FORMERR);
+		isc_region_consume(&sr, len);
+	}
+	isc_buffer_forward(source, sr2.length);
+	return (mem_tobuffer(target, sr2.base, sr2.length));
+}
+
+static inline isc_result_t
+towire_in_apl(ARGS_TOWIRE) {
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_in_apl(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_apl);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_apl(ARGS_FROMSTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+	isc_buffer_t b;
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(apl->common.rdtype == type);
+	REQUIRE(apl->common.rdclass == rdclass);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	isc_buffer_init(&b, apl->apl, apl->apl_len);
+	isc_buffer_add(&b, apl->apl_len);
+	isc_buffer_setactive(&b, apl->apl_len);
+	return(fromwire_in_apl(rdclass, type, &b, NULL, false, target));
+}
+
+static inline isc_result_t
+tostruct_in_apl(ARGS_TOSTRUCT) {
+	dns_rdata_in_apl_t *apl = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	apl->common.rdclass = rdata->rdclass;
+	apl->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&apl->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	apl->apl_len = r.length;
+	apl->apl = mem_maybedup(mctx, r.base, r.length);
+	if (apl->apl == NULL)
+		return (ISC_R_NOMEMORY);
+
+	apl->offset = 0;
+	apl->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_apl(ARGS_FREESTRUCT) {
+	dns_rdata_in_apl_t *apl = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+
+	if (apl->mctx == NULL)
+		return;
+	if (apl->apl != NULL)
+		isc_mem_free(apl->mctx, apl->apl);
+	apl->mctx = NULL;
+}
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	/*
+	 * If no APL return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	INSIST(4 + length <= apl->apl_len);
+
+	apl->offset = 0;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+	/*
+	 * No APL or have already reached the end return ISC_R_NOMORE.
+	 */
+	if (apl->apl == NULL || apl->offset == apl->apl_len)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->offset < apl->apl_len);
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = apl->apl[apl->offset + 3] & 0x7f;
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(4 + length + apl->offset <= apl->apl_len);
+
+	apl->offset += 4 + length;
+	return ((apl->offset < apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
+	uint32_t length;
+
+	REQUIRE(apl != NULL);
+	REQUIRE(apl->common.rdtype == dns_rdatatype_apl);
+	REQUIRE(apl->common.rdclass == dns_rdataclass_in);
+	REQUIRE(ent != NULL);
+	REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+	REQUIRE(apl->offset <= apl->apl_len);
+
+	if (apl->offset == apl->apl_len)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * Sanity check data.
+	 */
+	INSIST(apl->apl_len > 3U);
+	INSIST(apl->offset <= apl->apl_len - 4U);
+	length = (apl->apl[apl->offset + 3] & 0x7f);
+	/*
+	 * 16 to 32 bits promotion as 'length' is 32 bits so there is
+	 * no overflow problems.
+	 */
+	INSIST(4 + length + apl->offset <= apl->apl_len);
+
+	ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
+	ent->prefix = apl->apl[apl->offset + 2];
+	ent->length = length;
+	ent->negative = (apl->apl[apl->offset + 3] & 0x80);
+	if (ent->length != 0)
+		ent->data = &apl->apl[apl->offset + 4];
+	else
+		ent->data = NULL;
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_rdata_apl_count(const dns_rdata_in_apl_t *apl) {
+	return (apl->apl_len);
+}
+
+static inline isc_result_t
+additionaldata_in_apl(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	(void)add;
+	(void)arg;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_apl(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_apl(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_apl);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+
+static inline bool
+checknames_in_apl(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_apl);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_apl(ARGS_COMPARE) {
+	return (compare_in_apl(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_APL_42_C */
diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h
new file mode 100644
index 0000000..8c17a53
--- /dev/null
+++ b/lib/dns/rdata/in_1/apl_42.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_APL_42_H
+#define IN_1_APL_42_H 1
+
+
+typedef struct dns_rdata_apl_ent {
+	bool	negative;
+	uint16_t	family;
+	uint8_t	prefix;
+	uint8_t	length;
+	unsigned char	*data;
+} dns_rdata_apl_ent_t;
+
+typedef struct dns_rdata_in_apl {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	/* type & class specific elements */
+	unsigned char           *apl;
+	uint16_t            apl_len;
+	/* private */
+	uint16_t            offset;
+} dns_rdata_in_apl_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
+
+unsigned int
+dns_rdata_apl_count(const dns_rdata_in_apl_t *apl);
+
+#endif /* IN_1_APL_42_H */
diff --git a/lib/dns/rdata/in_1/dhcid_49.c b/lib/dns/rdata/in_1/dhcid_49.c
new file mode 100644
index 0000000..90971b7
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* RFC 4701 */
+
+#ifndef RDATA_IN_1_DHCID_49_C
+#define RDATA_IN_1_DHCID_49_C 1
+
+#define RRTYPE_DHCID_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_in_dhcid(ARGS_FROMTEXT) {
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_in_dhcid(ARGS_TOTEXT) {
+	isc_region_t sr, sr2;
+	char buf[sizeof(" ; 64000 255 64000")];
+	size_t n;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	sr2 = sr;
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( " /*)*/, target));
+	if (tctx->width == 0)   /* No splitting */
+		RETERR(isc_base64_totext(&sr, 60, "", target));
+	else
+		RETERR(isc_base64_totext(&sr, tctx->width - 2,
+					 tctx->linebreak, target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(/* ( */ " )", target));
+		if (rdata->length > 2) {
+			n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+				     sr2.base[0] * 256U + sr2.base[1],
+				     sr2.base[2], rdata->length - 3U);
+			INSIST(n < sizeof(buf));
+			RETERR(str_totext(buf, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_dhcid(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length == 0)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_in_dhcid(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_in_dhcid(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(dhcid->common.rdtype == type);
+	REQUIRE(dhcid->common.rdclass == rdclass);
+	REQUIRE(dhcid->length != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
+}
+
+static inline isc_result_t
+tostruct_in_dhcid(ARGS_TOSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dhcid->common.rdclass = rdata->rdclass;
+	dhcid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dhcid->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dhcid->dhcid = mem_maybedup(mctx, region.base, region.length);
+	if (dhcid->dhcid == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dhcid->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_dhcid(ARGS_FREESTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(dhcid != NULL);
+	REQUIRE(dhcid->common.rdtype == dns_rdatatype_dhcid);
+	REQUIRE(dhcid->common.rdclass == dns_rdataclass_in);
+
+	if (dhcid->mctx == NULL)
+		return;
+
+	if (dhcid->dhcid != NULL)
+		isc_mem_free(dhcid->mctx, dhcid->dhcid);
+	dhcid->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_dhcid(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_dhcid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_dhcid(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_dhcid);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_dhcid(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_dhcid);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_dhcid(ARGS_COMPARE) {
+	return (compare_in_dhcid(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_DHCID_49_C */
diff --git a/lib/dns/rdata/in_1/dhcid_49.h b/lib/dns/rdata/in_1/dhcid_49.h
new file mode 100644
index 0000000..455eaed
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* */
+#ifndef IN_1_DHCID_49_H
+#define IN_1_DHCID_49_H 1
+
+
+typedef struct dns_rdata_in_dhcid {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*dhcid;
+	unsigned int		length;
+} dns_rdata_in_dhcid_t;
+
+#endif /* IN_1_DHCID_49_H */
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
new file mode 100644
index 0000000..2786951
--- /dev/null
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2230 */
+
+#ifndef RDATA_IN_1_KX_36_C
+#define RDATA_IN_1_KX_36_C
+
+#define RRTYPE_KX_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_kx(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_kx(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+
+	RETERR(str_totext(" ", target));
+
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_kx(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_kx(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_kx(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_kx);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_kx(ARGS_FROMSTRUCT) {
+	dns_rdata_in_kx_t *kx = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(kx->common.rdtype == type);
+	REQUIRE(kx->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(kx->preference, target));
+	dns_name_toregion(&kx->exchange, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_kx(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_kx_t *kx = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	kx->common.rdclass = rdata->rdclass;
+	kx->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&kx->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	kx->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&kx->exchange, NULL);
+	RETERR(name_duporclone(&name, mctx, &kx->exchange));
+	kx->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_kx(ARGS_FREESTRUCT) {
+	dns_rdata_in_kx_t *kx = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(kx->common.rdclass == dns_rdataclass_in);
+	REQUIRE(kx->common.rdtype == dns_rdatatype_kx);
+
+	if (kx->mctx == NULL)
+		return;
+
+	dns_name_free(&kx->exchange, kx->mctx);
+	kx->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_kx(ARGS_ADDLDATA) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_in_kx(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_in_kx(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_kx);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_kx(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_kx);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_kx(ARGS_COMPARE) {
+	return (compare_in_kx(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_KX_36_C */
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
new file mode 100644
index 0000000..577a4c4
--- /dev/null
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_KX_36_H
+#define IN_1_KX_36_H 1
+
+
+/*!
+ *  \brief Per RFC2230 */
+
+typedef struct dns_rdata_in_kx {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		preference;
+	dns_name_t		exchange;
+} dns_rdata_in_kx_t;
+
+#endif /* IN_1_KX_36_H */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
new file mode 100644
index 0000000..3217300
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
+
+#ifndef RDATA_IN_1_NSAP_PTR_23_C
+#define RDATA_IN_1_NSAP_PTR_23_C
+
+#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_nsap_ptr(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	sub = name_prefix(&name, tctx->origin, &prefix);
+
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
+	dns_name_t name;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_nsap_ptr(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_nsap_ptr(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(nsap_ptr->common.rdtype == type);
+	REQUIRE(nsap_ptr->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_name_toregion(&nsap_ptr->owner, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsap_ptr->common.rdclass = rdata->rdclass;
+	nsap_ptr->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap_ptr->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&nsap_ptr->owner, NULL);
+	RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
+	nsap_ptr->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
+	dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsap_ptr->common.rdclass == dns_rdataclass_in);
+	REQUIRE(nsap_ptr->common.rdtype == dns_rdatatype_nsap_ptr);
+
+	if (nsap_ptr->mctx == NULL)
+		return;
+
+	dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
+	nsap_ptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_nsap_ptr(ARGS_DIGEST) {
+	isc_region_t r;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap_ptr);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_nsap_ptr(ARGS_COMPARE) {
+	return (compare_in_nsap_ptr(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
new file mode 100644
index 0000000..4880a09
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_NSAP_PTR_23_H
+#define IN_1_NSAP_PTR_23_H 1
+
+
+/*!
+ *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
+
+typedef struct dns_rdata_in_nsap_ptr {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_name_t		owner;
+} dns_rdata_in_nsap_ptr_t;
+
+#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
new file mode 100644
index 0000000..ba3e69c
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC1706 */
+
+#ifndef RDATA_IN_1_NSAP_22_C
+#define RDATA_IN_1_NSAP_22_C
+
+#define RRTYPE_NSAP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_nsap(ARGS_FROMTEXT) {
+	isc_token_t token;
+	isc_textregion_t *sr;
+	int n;
+	bool valid = false;
+	int digits = 0;
+	unsigned char c = 0;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/* 0x<hex.string.with.periods> */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	sr = &token.value.as_textregion;
+	if (sr->length < 2)
+		RETTOK(ISC_R_UNEXPECTEDEND);
+	if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X'))
+		RETTOK(DNS_R_SYNTAX);
+	isc_textregion_consume(sr, 2);
+	while (sr->length > 0) {
+		if (sr->base[0] == '.') {
+			isc_textregion_consume(sr, 1);
+			continue;
+		}
+		if ((n = hexvalue(sr->base[0])) == -1)
+			RETTOK(DNS_R_SYNTAX);
+		c <<= 4;
+		c += n;
+		if (++digits == 2) {
+			RETERR(mem_tobuffer(target, &c, 1));
+			valid = true;
+			digits = 0;
+			c = 0;
+		}
+		isc_textregion_consume(sr, 1);
+	}
+	if (digits != 0 || !valid)
+		RETTOK(ISC_R_UNEXPECTEDEND);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_nsap(ARGS_TOTEXT) {
+	isc_region_t region;
+	char buf[sizeof("xx")];
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+	RETERR(str_totext("0x", target));
+	while (region.length != 0) {
+		snprintf(buf, sizeof(buf), "%02x", region.base[0]);
+		isc_region_consume(&region, 1);
+		RETERR(str_totext(buf, target));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_nsap(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &region);
+	if (region.length < 1)
+		return (ISC_R_UNEXPECTEDEND);
+
+	RETERR(mem_tobuffer(target, region.base, region.length));
+	isc_buffer_forward(source, region.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_nsap(ARGS_TOWIRE) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_in_nsap(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_nsap);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_nsap(ARGS_FROMSTRUCT) {
+	dns_rdata_in_nsap_t *nsap = source;
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(nsap->common.rdtype == type);
+	REQUIRE(nsap->common.rdclass == rdclass);
+	REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
+}
+
+static inline isc_result_t
+tostruct_in_nsap(ARGS_TOSTRUCT) {
+	dns_rdata_in_nsap_t *nsap = target;
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsap->common.rdclass = rdata->rdclass;
+	nsap->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsap->common, link);
+
+	dns_rdata_toregion(rdata, &r);
+	nsap->nsap_len = r.length;
+	nsap->nsap = mem_maybedup(mctx, r.base, r.length);
+	if (nsap->nsap == NULL)
+		return (ISC_R_NOMEMORY);
+
+	nsap->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_nsap(ARGS_FREESTRUCT) {
+	dns_rdata_in_nsap_t *nsap = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsap->common.rdclass == dns_rdataclass_in);
+	REQUIRE(nsap->common.rdtype == dns_rdatatype_nsap);
+
+	if (nsap->mctx == NULL)
+		return;
+
+	if (nsap->nsap != NULL)
+		isc_mem_free(nsap->mctx, nsap->nsap);
+	nsap->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_nsap(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_nsap(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_nsap(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_nsap);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_nsap(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_nsap);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_nsap(ARGS_COMPARE) {
+	return (compare_in_nsap(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_NSAP_22_C */
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
new file mode 100644
index 0000000..79599ef
--- /dev/null
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_NSAP_22_H
+#define IN_1_NSAP_22_H 1
+
+
+/*!
+ *  \brief Per RFC1706 */
+
+typedef struct dns_rdata_in_nsap {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*nsap;
+	uint16_t		nsap_len;
+} dns_rdata_in_nsap_t;
+
+#endif /* IN_1_NSAP_22_H */
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
new file mode 100644
index 0000000..a94b9df
--- /dev/null
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2163 */
+
+#ifndef RDATA_IN_1_PX_26_C
+#define RDATA_IN_1_PX_26_C
+
+#define RRTYPE_PX_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_px(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	if (origin == NULL)
+		origin = dns_rootname;
+
+	/*
+	 * Preference.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * MAP822.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+	/*
+	 * MAPX400.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_px(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	/*
+	 * Preference.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * MAP822.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	isc_region_consume(&region, name_length(&name));
+	RETERR(dns_name_totext(&prefix, sub, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * MAPX400.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return(dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_px(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sregion;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Preference.
+	 */
+	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length < 2)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sregion.base, 2));
+	isc_buffer_forward(source, 2);
+
+	/*
+	 * MAP822.
+	 */
+	RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+	/*
+	 * MAPX400.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_px(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Preference.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	RETERR(mem_tobuffer(target, region.base, 2));
+	isc_region_consume(&region, 2);
+
+	/*
+	 * MAP822.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+	RETERR(dns_name_towire(&name, cctx, target));
+	isc_region_consume(&region, name_length(&name));
+
+	/*
+	 * MAPX400.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &region);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_px(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_px);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	order = memcmp(rdata1->data, rdata2->data, 2);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 2);
+	isc_region_consume(&region2, 2);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	order = dns_name_rdatacompare(&name1, &name2);
+	if (order != 0)
+		return (order);
+
+	isc_region_consume(&region1, name_length(&name1));
+	isc_region_consume(&region2, name_length(&name2));
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_px(ARGS_FROMSTRUCT) {
+	dns_rdata_in_px_t *px = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(px->common.rdtype == type);
+	REQUIRE(px->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(px->preference, target));
+	dns_name_toregion(&px->map822, &region);
+	RETERR(isc_buffer_copyregion(target, &region));
+	dns_name_toregion(&px->mapx400, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_px(ARGS_TOSTRUCT) {
+	dns_rdata_in_px_t *px = target;
+	dns_name_t name;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	px->common.rdclass = rdata->rdclass;
+	px->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&px->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+
+	px->preference = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+
+	dns_name_fromregion(&name, &region);
+
+	dns_name_init(&px->map822, NULL);
+	RETERR(name_duporclone(&name, mctx, &px->map822));
+	isc_region_consume(&region, name_length(&px->map822));
+
+	dns_name_init(&px->mapx400, NULL);
+	result = name_duporclone(&name, mctx, &px->mapx400);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	px->mctx = mctx;
+	return (result);
+
+ cleanup:
+	dns_name_free(&px->map822, mctx);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_in_px(ARGS_FREESTRUCT) {
+	dns_rdata_in_px_t *px = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(px->common.rdclass == dns_rdataclass_in);
+	REQUIRE(px->common.rdtype == dns_rdatatype_px);
+
+	if (px->mctx == NULL)
+		return;
+
+	dns_name_free(&px->map822, px->mctx);
+	dns_name_free(&px->mapx400, px->mctx);
+	px->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_px(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_px(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 2);
+	r1.length = 2;
+	result = (digest)(arg, &r1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	result = dns_name_digest(&name, digest, arg);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_region_consume(&r2, name_length(&name));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_in_px(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_px);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_px(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_px);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_px(ARGS_COMPARE) {
+	return (compare_in_px(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_PX_26_C */
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
new file mode 100644
index 0000000..3cab1f1
--- /dev/null
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_PX_26_H
+#define IN_1_PX_26_H 1
+
+
+/*!
+ *  \brief Per RFC2163 */
+
+typedef struct dns_rdata_in_px {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		preference;
+	dns_name_t		map822;
+	dns_name_t		mapx400;
+} dns_rdata_in_px_t;
+
+#endif /* IN_1_PX_26_H */
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
new file mode 100644
index 0000000..63a4e80
--- /dev/null
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -0,0 +1,394 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* RFC2782 */
+
+#ifndef RDATA_IN_1_SRV_33_C
+#define RDATA_IN_1_SRV_33_C
+
+#define RRTYPE_SRV_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_srv(ARGS_FROMTEXT) {
+	isc_token_t token;
+	dns_name_t name;
+	isc_buffer_t buffer;
+	bool ok;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+
+	/*
+	 * Priority.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Weight.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Port.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      false));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * Target.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+	dns_name_init(&name, NULL);
+	buffer_fromregion(&buffer, &token.value.as_region);
+	if (origin == NULL)
+		origin = dns_rootname;
+	RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+	ok = true;
+	if ((options & DNS_RDATA_CHECKNAMES) != 0)
+		ok = dns_name_ishostname(&name, false);
+	if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+		RETTOK(DNS_R_BADNAME);
+	if (!ok && callbacks != NULL)
+		warn_badname(&name, lexer, callbacks);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_srv(ARGS_TOTEXT) {
+	isc_region_t region;
+	dns_name_t name;
+	dns_name_t prefix;
+	bool sub;
+	char buf[sizeof("64000")];
+	unsigned short num;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_name_init(&name, NULL);
+	dns_name_init(&prefix, NULL);
+
+	/*
+	 * Priority.
+	 */
+	dns_rdata_toregion(rdata, &region);
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Weight.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Port.
+	 */
+	num = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	snprintf(buf, sizeof(buf), "%u", num);
+	RETERR(str_totext(buf, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * Target.
+	 */
+	dns_name_fromregion(&name, &region);
+	sub = name_prefix(&name, tctx->origin, &prefix);
+	return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_srv(ARGS_FROMWIRE) {
+	dns_name_t name;
+	isc_region_t sr;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+	dns_name_init(&name, NULL);
+
+	/*
+	 * Priority, weight, port.
+	 */
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length < 6)
+		return (ISC_R_UNEXPECTEDEND);
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_buffer_forward(source, 6);
+
+	/*
+	 * Target.
+	 */
+	return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_srv(ARGS_TOWIRE) {
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->length != 0);
+
+	dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+	/*
+	 * Priority, weight, port.
+	 */
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(mem_tobuffer(target, sr.base, 6));
+	isc_region_consume(&sr, 6);
+
+	/*
+	 * Target.
+	 */
+	dns_name_init(&name, offsets);
+	dns_name_fromregion(&name, &sr);
+	return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_srv(ARGS_COMPARE) {
+	dns_name_t name1;
+	dns_name_t name2;
+	isc_region_t region1;
+	isc_region_t region2;
+	int order;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_srv);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	/*
+	 * Priority, weight, port.
+	 */
+	order = memcmp(rdata1->data, rdata2->data, 6);
+	if (order != 0)
+		return (order < 0 ? -1 : 1);
+
+	/*
+	 * Target.
+	 */
+	dns_name_init(&name1, NULL);
+	dns_name_init(&name2, NULL);
+
+	dns_rdata_toregion(rdata1, &region1);
+	dns_rdata_toregion(rdata2, &region2);
+
+	isc_region_consume(&region1, 6);
+	isc_region_consume(&region2, 6);
+
+	dns_name_fromregion(&name1, &region1);
+	dns_name_fromregion(&name2, &region2);
+
+	return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_srv(ARGS_FROMSTRUCT) {
+	dns_rdata_in_srv_t *srv = source;
+	isc_region_t region;
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(srv->common.rdtype == type);
+	REQUIRE(srv->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint16_tobuffer(srv->priority, target));
+	RETERR(uint16_tobuffer(srv->weight, target));
+	RETERR(uint16_tobuffer(srv->port, target));
+	dns_name_toregion(&srv->target, &region);
+	return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_srv(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_in_srv_t *srv = target;
+	dns_name_t name;
+
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	srv->common.rdclass = rdata->rdclass;
+	srv->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&srv->common, link);
+
+	dns_name_init(&name, NULL);
+	dns_rdata_toregion(rdata, &region);
+	srv->priority = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->weight = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	srv->port = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+	dns_name_init(&srv->target, NULL);
+	RETERR(name_duporclone(&name, mctx, &srv->target));
+	srv->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_srv(ARGS_FREESTRUCT) {
+	dns_rdata_in_srv_t *srv = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(srv->common.rdclass == dns_rdataclass_in);
+	REQUIRE(srv->common.rdtype == dns_rdatatype_srv);
+
+	if (srv->mctx == NULL)
+		return;
+
+	dns_name_free(&srv->target, srv->mctx);
+	srv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_srv(ARGS_ADDLDATA) {
+	char buf[sizeof("_65000._tcp")];
+	dns_fixedname_t fixed;
+	dns_name_t name;
+	dns_offsets_t offsets;
+	isc_region_t region;
+	uint16_t port;
+	isc_result_t result;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_name_init(&name, offsets);
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 4);
+	port = uint16_fromregion(&region);
+	isc_region_consume(&region, 2);
+	dns_name_fromregion(&name, &region);
+
+	if (dns_name_equal(&name, dns_rootname))
+		return (ISC_R_SUCCESS);
+
+	result = (add)(arg, &name, dns_rdatatype_a);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_fixedname_init(&fixed);
+	snprintf(buf, sizeof(buf), "_%u._tcp", port);
+	result = dns_name_fromstring2(dns_fixedname_name(&fixed), buf, NULL,
+				      0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	result = dns_name_concatenate(dns_fixedname_name(&fixed), &name,
+				      dns_fixedname_name(&fixed), NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	return ((add)(arg, dns_fixedname_name(&fixed), dns_rdatatype_tlsa));
+}
+
+static inline isc_result_t
+digest_in_srv(ARGS_DIGEST) {
+	isc_region_t r1, r2;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r1);
+	r2 = r1;
+	isc_region_consume(&r2, 6);
+	r1.length = 6;
+	RETERR((digest)(arg, &r1));
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &r2);
+	return (dns_name_digest(&name, digest, arg));
+}
+
+static inline bool
+checkowner_in_srv(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_srv);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (true);
+}
+
+static inline bool
+checknames_in_srv(ARGS_CHECKNAMES) {
+	isc_region_t region;
+	dns_name_t name;
+
+	REQUIRE(rdata->type == dns_rdatatype_srv);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(owner);
+
+	dns_rdata_toregion(rdata, &region);
+	isc_region_consume(&region, 6);
+	dns_name_init(&name, NULL);
+	dns_name_fromregion(&name, &region);
+	if (!dns_name_ishostname(&name, false)) {
+		if (bad != NULL)
+			dns_name_clone(&name, bad);
+		return (false);
+	}
+	return (true);
+}
+
+static inline int
+casecompare_in_srv(ARGS_COMPARE) {
+	return (compare_in_srv(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_SRV_33_C */
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
new file mode 100644
index 0000000..78d5ba9
--- /dev/null
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_SRV_33_H
+#define IN_1_SRV_33_H 1
+
+/*!
+ *  \brief Per RFC2782 */
+
+typedef struct dns_rdata_in_srv {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	uint16_t		priority;
+	uint16_t		weight;
+	uint16_t		port;
+	dns_name_t		target;
+} dns_rdata_in_srv_t;
+
+#endif /* IN_1_SRV_33_H */
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
new file mode 100644
index 0000000..0dc5804
--- /dev/null
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef RDATA_IN_1_WKS_11_C
+#define RDATA_IN_1_WKS_11_C
+
+#include <limits.h>
+#include <stdlib.h>
+
+#include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/once.h>
+
+/*
+ * Redefine CHECK here so cppcheck "sees" the define.
+ */
+#ifndef CHECK
+#define CHECK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto cleanup;	\
+	} while (0)
+#endif
+
+#define RRTYPE_WKS_ATTRIBUTES (0)
+
+static isc_mutex_t wks_lock;
+
+static void init_lock(void) {
+	RUNTIME_CHECK(isc_mutex_init(&wks_lock) == ISC_R_SUCCESS);
+}
+
+static bool
+mygetprotobyname(const char *name, long *proto) {
+	struct protoent *pe;
+
+	LOCK(&wks_lock);
+	pe = getprotobyname(name);
+	if (pe != NULL)
+		*proto = pe->p_proto;
+	UNLOCK(&wks_lock);
+	return (pe != NULL);
+}
+
+static bool
+mygetservbyname(const char *name, const char *proto, long *port) {
+	struct servent *se;
+
+	LOCK(&wks_lock);
+	se = getservbyname(name, proto);
+	if (se != NULL)
+		*port = ntohs(se->s_port);
+	UNLOCK(&wks_lock);
+	return (se != NULL);
+}
+
+#ifdef _WIN32
+#include <windows.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#endif
+
+static inline isc_result_t
+fromtext_in_wks(ARGS_FROMTEXT) {
+	static isc_once_t once = ISC_ONCE_INIT;
+	isc_token_t token;
+	isc_region_t region;
+	struct in_addr addr;
+	char *e;
+	long proto;
+	unsigned char bm[8*1024]; /* 64k bits */
+	long port;
+	long maxport = -1;
+	const char *ps = NULL;
+	unsigned int n;
+	char service[32];
+	int i;
+	isc_result_t result;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
+
+#ifdef _WIN32
+	{
+		WORD wVersionRequested;
+		WSADATA wsaData;
+		int err;
+
+		wVersionRequested = MAKEWORD(2, 0);
+
+		err = WSAStartup(wVersionRequested, &wsaData );
+		if (err != 0)
+			return (ISC_R_FAILURE);
+	}
+#endif
+
+	/*
+	 * IPv4 dotted quad.
+	 */
+	CHECK(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	isc_buffer_availableregion(target, &region);
+	if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+		CHECKTOK(DNS_R_BADDOTTEDQUAD);
+	if (region.length < 4)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, &addr, 4);
+	isc_buffer_add(target, 4);
+
+	/*
+	 * Protocol.
+	 */
+	CHECK(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      false));
+
+	proto = strtol(DNS_AS_STR(token), &e, 10);
+	if (*e == 0)
+		;
+	else if (!mygetprotobyname(DNS_AS_STR(token), &proto))
+		CHECKTOK(DNS_R_UNKNOWNPROTO);
+
+	if (proto < 0 || proto > 0xff)
+		CHECKTOK(ISC_R_RANGE);
+
+	if (proto == IPPROTO_TCP)
+		ps = "tcp";
+	else if (proto == IPPROTO_UDP)
+		ps = "udp";
+
+	CHECK(uint8_tobuffer(proto, target));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		CHECK(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, true));
+		if (token.type != isc_tokentype_string)
+			break;
+
+		/*
+		 * Lowercase the service string as some getservbyname() are
+		 * case sensitive and the database is usually in lowercase.
+		 */
+		strncpy(service, DNS_AS_STR(token), sizeof(service));
+		service[sizeof(service)-1] = '\0';
+		for (i = strlen(service) - 1; i >= 0; i--)
+			if (isupper(service[i]&0xff))
+				service[i] = tolower(service[i]&0xff);
+
+		port = strtol(DNS_AS_STR(token), &e, 10);
+		if (*e == 0)
+			;
+		else if (!mygetservbyname(service, ps, &port) &&
+			 !mygetservbyname(DNS_AS_STR(token), ps, &port))
+			CHECKTOK(DNS_R_UNKNOWNSERVICE);
+		if (port < 0 || port > 0xffff)
+			CHECKTOK(ISC_R_RANGE);
+		if (port > maxport)
+			maxport = port;
+		bm[port / 8] |= (0x80 >> (port % 8));
+	} while (1);
+
+	/*
+	 * Let upper layer handle eol/eof.
+	 */
+	isc_lex_ungettoken(lexer, &token);
+
+	n = (maxport + 8) / 8;
+	result = mem_tobuffer(target, bm, n);
+
+ cleanup:
+#ifdef _WIN32
+	WSACleanup();
+#endif
+
+	return (result);
+}
+
+static inline isc_result_t
+totext_in_wks(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned short proto;
+	char buf[sizeof("65535")];
+	unsigned int i, j;
+
+	UNUSED(tctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length >= 5);
+
+	dns_rdata_toregion(rdata, &sr);
+	RETERR(inet_totext(AF_INET, &sr, target));
+	isc_region_consume(&sr, 4);
+
+	proto = uint8_fromregion(&sr);
+	snprintf(buf, sizeof(buf), "%u", proto);
+	RETERR(str_totext(" ", target));
+	RETERR(str_totext(buf, target));
+	isc_region_consume(&sr, 1);
+
+	INSIST(sr.length <= 8*1024);
+	for (i = 0; i < sr.length; i++) {
+		if (sr.base[i] != 0)
+			for (j = 0; j < 8; j++)
+				if ((sr.base[i] & (0x80 >> j)) != 0) {
+					snprintf(buf, sizeof(buf),
+						 "%u", i * 8 + j);
+					RETERR(str_totext(" ", target));
+					RETERR(str_totext(buf, target));
+				}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_wks(ARGS_FROMWIRE) {
+	isc_region_t sr;
+	isc_region_t tr;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(dctx);
+	UNUSED(options);
+	UNUSED(rdclass);
+
+	isc_buffer_activeregion(source, &sr);
+	isc_buffer_availableregion(target, &tr);
+
+	if (sr.length < 5)
+		return (ISC_R_UNEXPECTEDEND);
+	if (sr.length > 8 * 1024 + 5)
+		return (DNS_R_EXTRADATA);
+	if (tr.length < sr.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(tr.base, sr.base, sr.length);
+	isc_buffer_add(target, sr.length);
+	isc_buffer_forward(source, sr.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_wks(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_in_wks(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == dns_rdatatype_wks);
+	REQUIRE(rdata1->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_wks(ARGS_FROMSTRUCT) {
+	dns_rdata_in_wks_t *wks = source;
+	uint32_t a;
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+	REQUIRE(source != NULL);
+	REQUIRE(wks->common.rdtype == type);
+	REQUIRE(wks->common.rdclass == rdclass);
+	REQUIRE((wks->map != NULL && wks->map_len <= 8*1024) ||
+		 wks->map_len == 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	a = ntohl(wks->in_addr.s_addr);
+	RETERR(uint32_tobuffer(a, target));
+	RETERR(uint8_tobuffer(wks->protocol, target));
+	return (mem_tobuffer(target, wks->map, wks->map_len));
+}
+
+static inline isc_result_t
+tostruct_in_wks(ARGS_TOSTRUCT) {
+	dns_rdata_in_wks_t *wks = target;
+	uint32_t n;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+	REQUIRE(rdata->length != 0);
+
+	wks->common.rdclass = rdata->rdclass;
+	wks->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&wks->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+	n = uint32_fromregion(&region);
+	wks->in_addr.s_addr = htonl(n);
+	isc_region_consume(&region, 4);
+	wks->protocol = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	wks->map_len = region.length;
+	wks->map = mem_maybedup(mctx, region.base, region.length);
+	if (wks->map == NULL)
+		return (ISC_R_NOMEMORY);
+	wks->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_wks(ARGS_FREESTRUCT) {
+	dns_rdata_in_wks_t *wks = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(wks->common.rdtype == dns_rdatatype_wks);
+	REQUIRE(wks->common.rdclass == dns_rdataclass_in);
+
+	if (wks->mctx == NULL)
+		return;
+
+	if (wks->map != NULL)
+		isc_mem_free(wks->mctx, wks->map);
+	wks->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_wks(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_wks(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline bool
+checkowner_in_wks(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == dns_rdatatype_wks);
+	REQUIRE(rdclass == dns_rdataclass_in);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (dns_name_ishostname(name, wildcard));
+}
+
+static inline bool
+checknames_in_wks(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == dns_rdatatype_wks);
+	REQUIRE(rdata->rdclass == dns_rdataclass_in);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (true);
+}
+
+static inline int
+casecompare_in_wks(ARGS_COMPARE) {
+	return (compare_in_wks(rdata1, rdata2));
+}
+
+#endif	/* RDATA_IN_1_WKS_11_C */
diff --git a/lib/dns/rdata/in_1/wks_11.h b/lib/dns/rdata/in_1/wks_11.h
new file mode 100644
index 0000000..d7883dd
--- /dev/null
+++ b/lib/dns/rdata/in_1/wks_11.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef IN_1_WKS_11_H
+#define IN_1_WKS_11_H 1
+
+
+typedef	struct dns_rdata_in_wks {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	struct in_addr		in_addr;
+	uint16_t		protocol;
+	unsigned char		*map;
+	uint16_t		map_len;
+} dns_rdata_in_wks_t;
+
+#endif /* IN_1_WKS_11_H */
diff --git a/lib/dns/rdata/rdatastructpre.h b/lib/dns/rdata/rdatastructpre.h
new file mode 100644
index 0000000..d09cb27
--- /dev/null
+++ b/lib/dns/rdata/rdatastructpre.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATASTRUCT_H
+#define DNS_RDATASTRUCT_H 1
+
+#include <isc/lang.h>
+#include <isc/sockaddr.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dns_rdatacommon {
+	dns_rdataclass_t			rdclass;
+	dns_rdatatype_t				rdtype;
+	ISC_LINK(struct dns_rdatacommon)	link;
+} dns_rdatacommon_t;
+
+#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
+	do { \
+		(_data)->common.rdtype = (_rdtype); \
+		(_data)->common.rdclass = (_rdclass); \
+		ISC_LINK_INIT(&(_data)->common, link); \
+	} while (0)
diff --git a/lib/dns/rdata/rdatastructsuf.h b/lib/dns/rdata/rdatastructsuf.h
new file mode 100644
index 0000000..d3a8e46
--- /dev/null
+++ b/lib/dns/rdata/rdatastructsuf.h
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASTRUCT_H */
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
new file mode 100644
index 0000000..59b3a74
--- /dev/null
+++ b/lib/dns/rdatalist.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+#include <string.h>
+
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+#include "rdatalist_p.h"
+
+static dns_rdatasetmethods_t methods = {
+	isc__rdatalist_disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	isc__rdatalist_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	isc__rdatalist_addclosest,
+	isc__rdatalist_getclosest,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	isc__rdatalist_setownercase,
+	isc__rdatalist_getownercase
+};
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
+
+	REQUIRE(rdatalist != NULL);
+
+	/*
+	 * Initialize rdatalist.
+	 */
+
+	rdatalist->rdclass = 0;
+	rdatalist->type = 0;
+	rdatalist->covers = 0;
+	rdatalist->ttl = 0;
+	ISC_LIST_INIT(rdatalist->rdata);
+	ISC_LINK_INIT(rdatalist, link);
+	memset(rdatalist->upper, 0xeb, sizeof(rdatalist->upper));
+	/*
+	 * Clear upper set bit.
+	 */
+	rdatalist->upper[0] &= ~0x01;
+}
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
+			 dns_rdataset_t *rdataset)
+{
+	/*
+	 * Make 'rdataset' refer to the rdata in 'rdatalist'.
+	 */
+
+	REQUIRE(rdatalist != NULL);
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
+
+	/* Check if dns_rdatalist_init has was called. */
+	REQUIRE(rdatalist->upper[0] == 0xea);
+
+	rdataset->methods = &methods;
+	rdataset->rdclass = rdatalist->rdclass;
+	rdataset->type = rdatalist->type;
+	rdataset->covers = rdatalist->covers;
+	rdataset->ttl = rdatalist->ttl;
+	rdataset->trust = 0;
+	rdataset->private1 = rdatalist;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+			   dns_rdatalist_t **rdatalist)
+{
+	REQUIRE(rdatalist != NULL && rdataset != NULL);
+	*rdatalist = rdataset->private1;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset) {
+	dns_rdatalist_t *rdatalist;
+
+	rdatalist = rdataset->private1;
+	rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
+
+	if (rdataset->private2 == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset) {
+	dns_rdata_t *rdata;
+
+	REQUIRE(rdataset != NULL);
+
+	rdata = rdataset->private2;
+	if (rdata == NULL)
+		return (ISC_R_NOMORE);
+
+	rdataset->private2 = ISC_LIST_NEXT(rdata, link);
+
+	if (rdataset->private2 == NULL)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	dns_rdata_t *list_rdata;
+
+	REQUIRE(rdataset != NULL);
+
+	list_rdata = rdataset->private2;
+	INSIST(list_rdata != NULL);
+
+	dns_rdata_clone(list_rdata, rdata);
+}
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL);
+
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->private2 = NULL;
+}
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset) {
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	unsigned int count;
+
+	REQUIRE(rdataset != NULL);
+
+	rdatalist = rdataset->private1;
+
+	count = 0;
+	for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
+	     rdata != NULL;
+	     rdata = ISC_LIST_NEXT(rdata, link))
+		count++;
+
+	return (count);
+}
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	REQUIRE(rdataset != NULL);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass)
+			continue;
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+			neg = rdset;
+	}
+	if (neg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == neg->type)
+			negsig = rdset;
+	}
+
+	if (negsig == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (neg->ttl < ttl)
+		ttl = neg->ttl;
+	if (negsig->ttl < ttl)
+		ttl = negsig->ttl;
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+	rdataset->private6 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	dns_rdataclass_t rdclass = rdataset->rdclass;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
+	dns_name_t *noqname = rdataset->private6;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
+
+	(void)dns_name_dynamic(noqname);	/* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass)
+			continue;
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+			tneg = rdataset;
+	}
+	if (tneg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == tneg->type)
+			tnegsig = rdataset;
+	}
+	if (tnegsig == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_name_clone(noqname, name);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	REQUIRE(rdataset != NULL);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass)
+			continue;
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+			neg = rdset;
+	}
+	if (neg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == neg->type)
+			negsig = rdset;
+	}
+
+	if (negsig == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (neg->ttl < ttl)
+		ttl = neg->ttl;
+	if (negsig->ttl < ttl)
+		ttl = negsig->ttl;
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_CLOSEST;
+	rdataset->private7 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	dns_rdataclass_t rdclass = rdataset->rdclass;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
+	dns_name_t *closest = rdataset->private7;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0);
+
+	(void)dns_name_dynamic(closest);	/* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(closest->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass)
+			continue;
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+			tneg = rdataset;
+	}
+	if (tneg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdataset = ISC_LIST_HEAD(closest->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == tneg->type)
+			tnegsig = rdataset;
+	}
+	if (tnegsig == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_name_clone(closest, name);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	dns_rdatalist_t *rdatalist;
+	unsigned int i;
+
+	/*
+	 * We do not need to worry about label lengths as they are all
+	 * less than or equal to 63.
+	 */
+	rdatalist = rdataset->private1;
+	memset(rdatalist->upper, 0, sizeof(rdatalist->upper));
+	for (i = 1; i < name->length; i++)
+		if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a)
+			rdatalist->upper[i/8] |= 1 << (i%8);
+	/*
+	 * Record that upper has been set.
+	 */
+	rdatalist->upper[0] |= 0x01;
+}
+
+void
+isc__rdatalist_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdatalist_t *rdatalist;
+	unsigned int i;
+
+	rdatalist = rdataset->private1;
+	if ((rdatalist->upper[0] & 0x01) == 0)
+		return;
+	for (i = 0; i < name->length; i++) {
+		/*
+		 * Set the case bit if it does not match the recorded bit.
+		 */
+		if (name->ndata[i] >= 0x61 && name->ndata[i] <= 0x7a &&
+		    (rdatalist->upper[i/8] & (1 << (i%8))) != 0)
+			name->ndata[i] &= ~0x20; /* clear the lower case bit */
+		else if (name->ndata[i] >= 0x41 && name->ndata[i] <= 0x5a &&
+		    (rdatalist->upper[i/8] & (1 << (i%8))) == 0)
+			name->ndata[i] |= 0x20; /* set the lower case bit */
+	}
+}
diff --git a/lib/dns/rdatalist_p.h b/lib/dns/rdatalist_p.h
new file mode 100644
index 0000000..5a599fe
--- /dev/null
+++ b/lib/dns/rdatalist_p.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef DNS_RDATALIST_P_H
+#define DNS_RDATALIST_P_H
+
+/*! \file */
+
+#include <isc/result.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdatasetp);
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset);
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
+
+void
+isc__rdatalist_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name);
+
+void
+isc__rdatalist_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_P_H */
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
new file mode 100644
index 0000000..a2ac36f
--- /dev/null
+++ b/lib/dns/rdataset.c
@@ -0,0 +1,834 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/serial.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+
+static const char *trustnames[] = {
+	"none",
+	"pending-additional",
+	"pending-answer",
+	"additional",
+	"glue",
+	"answer",
+	"authauthority",
+	"authanswer",
+	"secure",
+	"local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+		return ("bad");
+	return (trustnames[trust]);
+}
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Make 'rdataset' a valid, disassociated rdataset.
+	 */
+
+	REQUIRE(rdataset != NULL);
+
+	rdataset->magic = DNS_RDATASET_MAGIC;
+	rdataset->methods = NULL;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = UINT32_MAX;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+	rdataset->private7 = NULL;
+	rdataset->resign = 0;
+}
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Invalidate 'rdataset'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods == NULL);
+
+	rdataset->magic = 0;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = UINT32_MAX;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+}
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	(rdataset->methods->disassociate)(rdataset);
+	rdataset->methods = NULL;
+	ISC_LINK_INIT(rdataset, link);
+	rdataset->rdclass = 0;
+	rdataset->type = 0;
+	rdataset->ttl = 0;
+	rdataset->trust = 0;
+	rdataset->covers = 0;
+	rdataset->attributes = 0;
+	rdataset->count = UINT32_MAX;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = NULL;
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+}
+
+bool
+dns_rdataset_isassociated(dns_rdataset_t *rdataset) {
+	/*
+	 * Is 'rdataset' associated?
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+	if (rdataset->methods != NULL)
+		return (true);
+
+	return (false);
+}
+
+static void
+question_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+question_cursor(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+
+	return (ISC_R_NOMORE);
+}
+
+static void
+question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	/*
+	 * This routine should never be called.
+	 */
+	UNUSED(rdataset);
+	UNUSED(rdata);
+
+	REQUIRE(0);
+}
+
+static void
+question_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+}
+
+static unsigned int
+question_count(dns_rdataset_t *rdataset) {
+	/*
+	 * This routine should never be called.
+	 */
+	UNUSED(rdataset);
+	REQUIRE(0);
+
+	return (0);
+}
+
+static dns_rdatasetmethods_t question_methods = {
+	question_disassociate,
+	question_cursor,
+	question_cursor,
+	question_current,
+	question_clone,
+	question_count,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+			  dns_rdatatype_t type)
+{
+
+	/*
+	 * Make 'rdataset' a valid, associated, question rdataset, with a
+	 * question class of 'rdclass' and type 'type'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods == NULL);
+
+	rdataset->methods = &question_methods;
+	rdataset->rdclass = rdclass;
+	rdataset->type = type;
+	rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+}
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Return the number of records in 'rdataset'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->count)(rdataset));
+}
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+
+	/*
+	 * Make 'target' refer to the same rdataset as 'source'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(source));
+	REQUIRE(source->methods != NULL);
+	REQUIRE(DNS_RDATASET_VALID(target));
+	REQUIRE(target->methods == NULL);
+
+	(source->methods->clone)(source, target);
+}
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Move the rdata cursor to the first rdata in the rdataset (if any).
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->first)(rdataset));
+}
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset) {
+
+	/*
+	 * Move the rdata cursor to the next rdata in the rdataset (if any).
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	return ((rdataset->methods->next)(rdataset));
+}
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+
+	/*
+	 * Make 'rdata' refer to the current rdata.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	(rdataset->methods->current)(rdataset, rdata);
+}
+
+#define MAX_SHUFFLE	32
+#define WANT_FIXED(r)	(((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
+#define WANT_RANDOM(r)	(((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
+
+struct towire_sort {
+	int key;
+	dns_rdata_t *rdata;
+};
+
+static int
+towire_compare(const void *av, const void *bv) {
+	const struct towire_sort *a = (const struct towire_sort *) av;
+	const struct towire_sort *b = (const struct towire_sort *) bv;
+	return (a->key - b->key);
+}
+
+static isc_result_t
+towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+	     dns_compress_t *cctx, isc_buffer_t *target,
+	     dns_rdatasetorderfunc_t order, const void *order_arg,
+	     bool partial, unsigned int options,
+	     unsigned int *countp, void **state)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t r;
+	isc_result_t result;
+	unsigned int i, count = 0, added, choice;
+	isc_buffer_t savedbuffer, rdlen, rrbuffer;
+	unsigned int headlen;
+	bool question = false;
+	bool shuffle = false;
+	dns_rdata_t *in = NULL, in_fixed[MAX_SHUFFLE];
+	struct towire_sort *out = NULL, out_fixed[MAX_SHUFFLE];
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	UNUSED(state);
+
+	/*
+	 * Convert 'rdataset' to wire format, compressing names as specified
+	 * in cctx, and storing the result in 'target'.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(countp != NULL);
+	REQUIRE((order == NULL) == (order_arg == NULL));
+	REQUIRE(cctx != NULL && cctx->mctx != NULL);
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
+		question = true;
+		count = 1;
+		result = dns_rdataset_first(rdataset);
+		INSIST(result == ISC_R_NOMORE);
+	} else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
+		/*
+		 * This is a negative caching rdataset.
+		 */
+		unsigned int ncache_opts = 0;
+		if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
+			ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
+		return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
+					  countp));
+	} else {
+		count = (rdataset->methods->count)(rdataset);
+		result = dns_rdataset_first(rdataset);
+		if (result == ISC_R_NOMORE)
+			return (ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	/*
+	 * Do we want to shuffle this answer?
+	 */
+	if (!question && count > 1 &&
+	    (!WANT_FIXED(rdataset) || order != NULL) &&
+	    rdataset->type != dns_rdatatype_rrsig)
+		shuffle = true;
+
+	if (shuffle && count > MAX_SHUFFLE) {
+		in = isc_mem_get(cctx->mctx, count * sizeof(*in));
+		out = isc_mem_get(cctx->mctx, count * sizeof(*out));
+		if (in == NULL || out == NULL)
+			shuffle = false;
+	} else {
+		in = in_fixed;
+		out = out_fixed;
+	}
+
+	if (shuffle) {
+		/*
+		 * First we get handles to all of the rdata.
+		 */
+		i = 0;
+		do {
+			INSIST(i < count);
+			dns_rdata_init(&in[i]);
+			dns_rdataset_current(rdataset, &in[i]);
+			i++;
+			result = dns_rdataset_next(rdataset);
+		} while (result == ISC_R_SUCCESS);
+		if (result != ISC_R_NOMORE)
+			goto cleanup;
+		INSIST(i == count);
+
+		/*
+		 * Now we shuffle.
+		 */
+		if (WANT_FIXED(rdataset)) {
+			/*
+			 * 'Fixed' order.
+			 */
+			INSIST(order != NULL);
+			for (i = 0; i < count; i++) {
+				out[i].key = (*order)(&in[i], order_arg);
+				out[i].rdata = &in[i];
+			}
+		} else if (WANT_RANDOM(rdataset)) {
+			/*
+			 * 'Random' order.
+			 */
+			for (i = 0; i < count; i++) {
+				uint32_t val;
+
+				isc_random_get(&val);
+				choice = i + (val % (count - i));
+				rdata = in[i];
+				in[i] = in[choice];
+				in[choice] = rdata;
+				if (order != NULL)
+					out[i].key = (*order)(&in[i],
+							      order_arg);
+				else
+					out[i].key = 0; /* Unused */
+				out[i].rdata = &in[i];
+			}
+		} else {
+			/*
+			 * "Cyclic" order.
+			 */
+			uint32_t val;
+			unsigned int j;
+
+			val = rdataset->count;
+			if (val == UINT32_MAX)
+				isc_random_get(&val);
+			j = val % count;
+			for (i = 0; i < count; i++) {
+				if (order != NULL)
+					out[i].key = (*order)(&in[j],
+							      order_arg);
+				else
+					out[i].key = 0; /* Unused */
+				out[i].rdata = &in[j];
+				j++;
+				if (j == count)
+					j = 0; /* Wrap around. */
+			}
+		}
+
+		/*
+		 * Sorted order.
+		 */
+		if (order != NULL)
+			qsort(out, count, sizeof(out[0]), towire_compare);
+	}
+
+	savedbuffer = *target;
+	i = 0;
+	added = 0;
+
+	name = dns_fixedname_initname(&fixed);
+	dns_name_copy(owner_name, name, NULL);
+	dns_rdataset_getownercase(rdataset, name);
+
+	name->attributes |= owner_name->attributes &
+		DNS_NAMEATTR_NOCOMPRESS;
+
+	do {
+		/*
+		 * Copy out the name, type, class, ttl.
+		 */
+
+		rrbuffer = *target;
+		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+		result = dns_name_towire(name, cctx, target);
+		if (result != ISC_R_SUCCESS)
+			goto rollback;
+		headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
+		if (!question)
+			headlen += sizeof(dns_ttl_t)
+				+ 2;  /* XXX 2 for rdata len */
+		isc_buffer_availableregion(target, &r);
+		if (r.length < headlen) {
+			result = ISC_R_NOSPACE;
+			goto rollback;
+		}
+		isc_buffer_putuint16(target, rdataset->type);
+		isc_buffer_putuint16(target, rdataset->rdclass);
+		if (!question) {
+			isc_buffer_putuint32(target, rdataset->ttl);
+
+			/*
+			 * Save space for rdlen.
+			 */
+			rdlen = *target;
+			isc_buffer_add(target, 2);
+
+			/*
+			 * Copy out the rdata
+			 */
+			if (shuffle)
+				rdata = *(out[i].rdata);
+			else {
+				dns_rdata_reset(&rdata);
+				dns_rdataset_current(rdataset, &rdata);
+			}
+			result = dns_rdata_towire(&rdata, cctx, target);
+			if (result != ISC_R_SUCCESS)
+				goto rollback;
+			INSIST((target->used >= rdlen.used + 2) &&
+			       (target->used - rdlen.used - 2 < 65536));
+			isc_buffer_putuint16(&rdlen,
+					     (uint16_t)(target->used -
+							    rdlen.used - 2));
+			added++;
+		}
+
+		if (shuffle) {
+			i++;
+			if (i == count)
+				result = ISC_R_NOMORE;
+			else
+				result = ISC_R_SUCCESS;
+		} else {
+			result = dns_rdataset_next(rdataset);
+		}
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE)
+		goto rollback;
+
+	*countp += count;
+
+	result = ISC_R_SUCCESS;
+	goto cleanup;
+
+ rollback:
+	if (partial && result == ISC_R_NOSPACE) {
+		INSIST(rrbuffer.used < 65536);
+		dns_compress_rollback(cctx, (uint16_t)rrbuffer.used);
+		*countp += added;
+		*target = rrbuffer;
+		goto cleanup;
+	}
+	INSIST(savedbuffer.used < 65536);
+	dns_compress_rollback(cctx, (uint16_t)savedbuffer.used);
+	*countp = 0;
+	*target = savedbuffer;
+
+ cleanup:
+	if (out != NULL && out != out_fixed)
+		isc_mem_put(cctx->mctx, out, count * sizeof(*out));
+	if (in != NULL && in != in_fixed)
+		isc_mem_put(cctx->mctx, in, count * sizeof(*in));
+	return (result);
+}
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
+			  const dns_name_t *owner_name,
+			  dns_compress_t *cctx,
+			  isc_buffer_t *target,
+			  dns_rdatasetorderfunc_t order,
+			  const void *order_arg,
+			  unsigned int options,
+			  unsigned int *countp)
+{
+	return (towiresorted(rdataset, owner_name, cctx, target,
+			     order, order_arg, false, options,
+			     countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+			   const dns_name_t *owner_name,
+			   dns_compress_t *cctx,
+			   isc_buffer_t *target,
+			   dns_rdatasetorderfunc_t order,
+			   const void *order_arg,
+			   unsigned int options,
+			   unsigned int *countp,
+			   void **state)
+{
+	REQUIRE(state == NULL);	/* XXX remove when implemented */
+	return (towiresorted(rdataset, owner_name, cctx, target,
+			     order, order_arg, true, options,
+			     countp, state));
+}
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset,
+		    dns_name_t *owner_name,
+		    dns_compress_t *cctx,
+		    isc_buffer_t *target,
+		    unsigned int options,
+		    unsigned int *countp)
+{
+	return (towiresorted(rdataset, owner_name, cctx, target,
+			     NULL, NULL, false, options, countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+			    dns_additionaldatafunc_t add, void *arg)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+
+	/*
+	 * For each rdata in rdataset, call 'add' for each name and type in the
+	 * rdata which is subject to additional section processing.
+	 */
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	do {
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_additionaldata(&rdata, add, arg);
+		if (result == ISC_R_SUCCESS)
+			result = dns_rdataset_next(rdataset);
+		dns_rdata_reset(&rdata);
+	} while (result == ISC_R_SUCCESS);
+
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addnoqname == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->addnoqname)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getnoqname == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->getnoqname)(rdataset, name, neg, negsig));
+}
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addclosest == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->addclosest)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getclosest == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->getclosest)(rdataset, name, neg, negsig));
+}
+
+/*
+ * Additional cache stuff
+ */
+isc_result_t
+dns_rdataset_getadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t **zonep,
+			   dns_db_t **dbp,
+			   dns_dbversion_t **versionp,
+			   dns_dbnode_t **nodep,
+			   dns_name_t *fname,
+			   dns_message_t *msg,
+			   isc_stdtime_t now)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	REQUIRE(zonep == NULL || *zonep == NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(versionp != NULL && *versionp == NULL);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+	REQUIRE(fname != NULL);
+	REQUIRE(msg != NULL);
+
+	if (acache != NULL && rdataset->methods->getadditional != NULL) {
+		return ((rdataset->methods->getadditional)(rdataset, type,
+							   qtype, acache,
+							   zonep, dbp,
+							   versionp, nodep,
+							   fname, msg, now));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dns_rdataset_setadditional(dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype,
+			   dns_acache_t *acache,
+			   dns_zone_t *zone,
+			   dns_db_t *db,
+			   dns_dbversion_t *version,
+			   dns_dbnode_t *node,
+			   dns_name_t *fname)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (acache != NULL && rdataset->methods->setadditional != NULL) {
+		return ((rdataset->methods->setadditional)(rdataset, type,
+							   qtype, acache, zone,
+							   db, version,
+							   node, fname));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+isc_result_t
+dns_rdataset_putadditional(dns_acache_t *acache,
+			   dns_rdataset_t *rdataset,
+			   dns_rdatasetadditional_t type,
+			   dns_rdatatype_t qtype)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (acache != NULL && rdataset->methods->putadditional != NULL) {
+		return ((rdataset->methods->putadditional)(acache, rdataset,
+							   type, qtype));
+	}
+
+	return (ISC_R_FAILURE);
+}
+
+void
+dns_rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->settrust != NULL)
+		(rdataset->methods->settrust)(rdataset, trust);
+	else
+		rdataset->trust = trust;
+}
+
+void
+dns_rdataset_expire(dns_rdataset_t *rdataset) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->expire != NULL)
+		(rdataset->methods->expire)(rdataset);
+}
+
+void
+dns_rdataset_clearprefetch(dns_rdataset_t *rdataset) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->clearprefetch != NULL)
+		(rdataset->methods->clearprefetch)(rdataset);
+}
+
+void
+dns_rdataset_setownercase(dns_rdataset_t *rdataset, const dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->setownercase != NULL)
+		(rdataset->methods->setownercase)(rdataset, name);
+}
+
+void
+dns_rdataset_getownercase(const dns_rdataset_t *rdataset, dns_name_t *name) {
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getownercase != NULL)
+		(rdataset->methods->getownercase)(rdataset, name);
+}
+
+void
+dns_rdataset_trimttl(dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_rdata_rrsig_t *rrsig, isc_stdtime_t now,
+		     bool acceptexpired)
+{
+	uint32_t ttl = 0;
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(DNS_RDATASET_VALID(sigrdataset));
+	REQUIRE(rrsig != NULL);
+
+	/*
+	 * If we accept expired RRsets keep them for no more than 120 seconds.
+	 */
+	if (acceptexpired &&
+	    (isc_serial_le(rrsig->timeexpire, ((now + 120) & 0xffffffff)) ||
+	     isc_serial_le(rrsig->timeexpire, now)))
+		ttl = 120;
+	else if (isc_serial_ge(rrsig->timeexpire, now))
+		ttl = rrsig->timeexpire - now;
+
+	ttl = ISC_MIN(ISC_MIN(rdataset->ttl, sigrdataset->ttl),
+		      ISC_MIN(rrsig->originalttl, ttl));
+	rdataset->ttl = ttl;
+	sigrdataset->ttl = ttl;
+}
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
new file mode 100644
index 0000000..c292ef2
--- /dev/null
+++ b/lib/dns/rdatasetiter.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/util.h>
+
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	/*
+	 * Destroy '*iteratorp'.
+	 */
+
+	REQUIRE(iteratorp != NULL);
+	REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
+
+	(*iteratorp)->methods->destroy(iteratorp);
+
+	ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	/*
+	 * Move the rdataset cursor to the first rdataset at the node (if any).
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	/*
+	 * Move the rdataset cursor to the next rdataset at the node (if any).
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+	return (iterator->methods->next(iterator));
+}
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+			 dns_rdataset_t *rdataset)
+{
+	/*
+	 * Return the current rdataset.
+	 */
+
+	REQUIRE(DNS_RDATASETITER_VALID(iterator));
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(! dns_rdataset_isassociated(rdataset));
+
+	iterator->methods->current(iterator, rdataset);
+}
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
new file mode 100644
index 0000000..930a822
--- /dev/null
+++ b/lib/dns/rdataslab.c
@@ -0,0 +1,1134 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdataslab.h>
+
+/*
+ * The rdataslab structure allows iteration to occur in both load order
+ * and DNSSEC order.  The structure is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	offset table	(4 x record count bytes in load order)
+ *	data records
+ *		data length	(2 bytes)
+ *		order		(2 bytes)
+ *		meta data	(1 byte for RRSIG's)
+ *		data		(data length bytes)
+ *
+ * If DNS_RDATASET_FIXED is defined to be zero (0) the format of a
+ * rdataslab is as follows:
+ *
+ *	header		(reservelen bytes)
+ *	record count	(2 bytes)
+ *	data records
+ *		data length	(2 bytes)
+ *		meta data	(1 byte for RRSIG's)
+ *		data		(data length bytes)
+ *
+ * Offsets are from the end of the header.
+ *
+ * Load order traversal is performed by walking the offset table to find
+ * the start of the record (DNS_RDATASET_FIXED = 1).
+ *
+ * DNSSEC order traversal is performed by walking the data records.
+ *
+ * The order is stored with record to allow for efficient reconstruction
+ * of the offset table following a merge or subtraction.
+ *
+ * The iterator methods here currently only support DNSSEC order iteration.
+ *
+ * The iterator methods in rbtdb support both load order and DNSSEC order
+ * iteration.
+ *
+ * WARNING:
+ *	rbtdb.c directly interacts with the slab's raw structures.  If the
+ *	structure changes then rbtdb.c also needs to be updated to reflect
+ *	the changes.  See the areas tagged with "RDATASLAB".
+ */
+
+struct xrdata {
+	dns_rdata_t	rdata;
+	unsigned int	order;
+};
+
+/*% Note: the "const void *" are just to make qsort happy.  */
+static int
+compare_rdata(const void *p1, const void *p2) {
+	const struct xrdata *x1 = p1;
+	const struct xrdata *x2 = p2;
+	return (dns_rdata_compare(&x1->rdata, &x2->rdata));
+}
+
+#if DNS_RDATASET_FIXED
+static void
+fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+	       unsigned length)
+{
+	unsigned int i, j;
+	unsigned char *raw;
+
+	for (i = 0, j = 0; i < length; i++) {
+
+		if (offsettable[i] == 0)
+			continue;
+
+		/*
+		 * Fill in offset table.
+		 */
+		raw = &offsetbase[j*4 + 2];
+		*raw++ = (offsettable[i] & 0xff000000) >> 24;
+		*raw++ = (offsettable[i] & 0xff0000) >> 16;
+		*raw++ = (offsettable[i] & 0xff00) >> 8;
+		*raw = offsettable[i] & 0xff;
+
+		/*
+		 * Fill in table index.
+		 */
+		raw = offsetbase + offsettable[i] + 2;
+		*raw++ = (j & 0xff00) >> 8;
+		*raw = j++ & 0xff;
+	}
+}
+#endif
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+			   isc_region_t *region, unsigned int reservelen)
+{
+	/*
+	 * Use &removed as a sentinal pointer for duplicate
+	 * rdata as rdata.data == NULL is valid.
+	 */
+	static unsigned char removed;
+	struct xrdata  *x;
+	unsigned char  *rawbuf;
+#if DNS_RDATASET_FIXED
+	unsigned char  *offsetbase;
+#endif
+	unsigned int	buflen;
+	isc_result_t	result;
+	unsigned int	nitems;
+	unsigned int	nalloc;
+	unsigned int	i;
+#if DNS_RDATASET_FIXED
+	unsigned int   *offsettable;
+#endif
+	unsigned int	length;
+
+	buflen = reservelen + 2;
+
+	nitems = dns_rdataset_count(rdataset);
+
+	/*
+	 * If there are no rdata then we can just need to allocate a header
+	 * with zero a record count.
+	 */
+	if (nitems == 0) {
+		if (rdataset->type != 0)
+			return (ISC_R_FAILURE);
+		rawbuf = isc_mem_get(mctx, buflen);
+		if (rawbuf == NULL)
+			return (ISC_R_NOMEMORY);
+		region->base = rawbuf;
+		region->length = buflen;
+		rawbuf += reservelen;
+		*rawbuf++ = 0;
+		*rawbuf = 0;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (nitems > 0xffff)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Remember the original number of items.
+	 */
+	nalloc = nitems;
+	x = isc_mem_get(mctx, nalloc * sizeof(struct xrdata));
+	if (x == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * Save all of the rdata members into an array.
+	 */
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
+		goto free_rdatas;
+	for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdata_init(&x[i].rdata);
+		dns_rdataset_current(rdataset, &x[i].rdata);
+		INSIST(x[i].rdata.data != &removed);
+#if DNS_RDATASET_FIXED
+		x[i].order = i;
+#endif
+		result = dns_rdataset_next(rdataset);
+	}
+	if (i != nalloc || result != ISC_R_NOMORE) {
+		/*
+		 * Somehow we iterated over fewer rdatas than
+		 * dns_rdataset_count() said there were or there
+		 * were more items than dns_rdataset_count said
+		 * there were.
+		 */
+		result = ISC_R_FAILURE;
+		goto free_rdatas;
+	}
+
+	/*
+	 * Put into DNSSEC order.
+	 */
+	if (nalloc > 1U)
+		qsort(x, nalloc, sizeof(struct xrdata), compare_rdata);
+
+	/*
+	 * Remove duplicates and compute the total storage required.
+	 *
+	 * If an rdata is not a duplicate, accumulate the storage size
+	 * required for the rdata.  We do not store the class, type, etc,
+	 * just the rdata, so our overhead is 2 bytes for the number of
+	 * records, and 8 for each rdata, (length(2), offset(4) and order(2))
+	 * and then the rdata itself.
+	 */
+	for (i = 1; i < nalloc; i++) {
+		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+			x[i-1].rdata.data = &removed;
+#if DNS_RDATASET_FIXED
+			/*
+			 * Preserve the least order so A, B, A -> A, B
+			 * after duplicate removal.
+			 */
+			if (x[i-1].order < x[i].order)
+				x[i].order = x[i-1].order;
+#endif
+			nitems--;
+		} else {
+#if DNS_RDATASET_FIXED
+			buflen += (8 + x[i-1].rdata.length);
+#else
+			buflen += (2 + x[i-1].rdata.length);
+#endif
+			/*
+			 * Provide space to store the per RR meta data.
+			 */
+			if (rdataset->type == dns_rdatatype_rrsig)
+				buflen++;
+		}
+	}
+
+	/*
+	 * Don't forget the last item!
+	 */
+#if DNS_RDATASET_FIXED
+	buflen += (8 + x[i-1].rdata.length);
+#else
+	buflen += (2 + x[i-1].rdata.length);
+#endif
+	/*
+	 * Provide space to store the per RR meta data.
+	 */
+	if (rdataset->type == dns_rdatatype_rrsig)
+		buflen++;
+
+	/*
+	 * Ensure that singleton types are actually singletons.
+	 */
+	if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
+		/*
+		 * We have a singleton type, but there's more than one
+		 * RR in the rdataset.
+		 */
+		result = DNS_R_SINGLETON;
+		goto free_rdatas;
+	}
+
+	/*
+	 * Allocate the memory, set up a buffer, start copying in
+	 * data.
+	 */
+	rawbuf = isc_mem_get(mctx, buflen);
+	if (rawbuf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto free_rdatas;
+	}
+
+#if DNS_RDATASET_FIXED
+	/* Allocate temporary offset table. */
+	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, rawbuf, buflen);
+		result = ISC_R_NOMEMORY;
+		goto free_rdatas;
+	}
+	memset(offsettable, 0, nalloc * sizeof(unsigned int));
+#endif
+
+	region->base = rawbuf;
+	region->length = buflen;
+
+	memset(rawbuf, 0, buflen);
+	rawbuf += reservelen;
+
+#if DNS_RDATASET_FIXED
+	offsetbase = rawbuf;
+#endif
+
+	*rawbuf++ = (nitems & 0xff00) >> 8;
+	*rawbuf++ = (nitems & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	/* Skip load order table.  Filled in later. */
+	rawbuf += nitems * 4;
+#endif
+
+	for (i = 0; i < nalloc; i++) {
+		if (x[i].rdata.data == &removed)
+			continue;
+#if DNS_RDATASET_FIXED
+		offsettable[x[i].order] = rawbuf - offsetbase;
+#endif
+		length = x[i].rdata.length;
+		if (rdataset->type == dns_rdatatype_rrsig)
+			length++;
+		INSIST(length <= 0xffff);
+		*rawbuf++ = (length & 0xff00) >> 8;
+		*rawbuf++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+		rawbuf += 2;	/* filled in later */
+#endif
+		/*
+		 * Store the per RR meta data.
+		 */
+		if (rdataset->type == dns_rdatatype_rrsig) {
+			*rawbuf++ = (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
+					    DNS_RDATASLAB_OFFLINE : 0;
+		}
+		memmove(rawbuf, x[i].rdata.data, x[i].rdata.length);
+		rawbuf += x[i].rdata.length;
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, nalloc);
+	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
+#endif
+
+	result = ISC_R_SUCCESS;
+
+ free_rdatas:
+	isc_mem_put(mctx, x, nalloc * sizeof(struct xrdata));
+	return (result);
+}
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+	UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+	if (count == 0) {
+		rdataset->private5 = NULL;
+		return (ISC_R_NOMORE);
+	}
+#if DNS_RDATASET_FIXED
+	raw += 2 + (4 * count);
+#else
+	raw += 2;
+#endif
+	/*
+	 * The privateuint4 field is the number of rdata beyond the cursor
+	 * position, so we decrement the total count by one before storing
+	 * it.
+	 */
+	count--;
+	rdataset->privateuint4 = count;
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+	unsigned int count;
+	unsigned int length;
+	unsigned char *raw;
+
+	count = rdataset->privateuint4;
+	if (count == 0)
+		return (ISC_R_NOMORE);
+	count--;
+	rdataset->privateuint4 = count;
+	raw = rdataset->private5;
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += length + 4;
+#else
+	raw += length + 2;
+#endif
+	rdataset->private5 = raw;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+	unsigned char *raw = rdataset->private5;
+	isc_region_t r;
+	unsigned int length;
+	unsigned int flags = 0;
+
+	REQUIRE(raw != NULL);
+
+	length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+	raw += 4;
+#else
+	raw += 2;
+#endif
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
+	r.base = raw;
+	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	*target = *source;
+
+	/*
+	 * Reset iterator state.
+	 */
+	target->privateuint4 = 0;
+	target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+	unsigned char *raw = rdataset->private3;
+	unsigned int count;
+
+	count = raw[0] * 256 + raw[1];
+
+	return (count);
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	rdataset_disassociate,
+	rdataset_first,
+	rdataset_next,
+	rdataset_current,
+	rdataset_clone,
+	rdataset_count,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+			 dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+			 dns_rdatatype_t covers, dns_ttl_t ttl,
+			 dns_rdataset_t *rdataset)
+{
+	REQUIRE(slab != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = rdclass;
+	rdataset->type = rdtype;
+	rdataset->covers = covers;
+	rdataset->ttl = ttl;
+	rdataset->trust = 0;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+	rdataset->private3 = slab + reservelen;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+}
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
+	unsigned int count, length;
+	unsigned char *current;
+
+	REQUIRE(slab != NULL);
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+#if DNS_RDATASET_FIXED
+	current += (4 * count);
+#endif
+	while (count > 0) {
+		count--;
+		length = *current++ * 256;
+		length += *current++;
+#if DNS_RDATASET_FIXED
+		current += length + 2;
+#else
+		current += length;
+#endif
+	}
+
+	return ((unsigned int)(current - slab));
+}
+
+unsigned int
+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) {
+	unsigned int count;
+	unsigned char *current;
+
+	REQUIRE(slab != NULL);
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+	return (count);
+}
+
+/*
+ * Make the dns_rdata_t 'rdata' refer to the slab item
+ * beginning at '*current', which is part of a slab of type
+ * 'type' and class 'rdclass', and advance '*current' to
+ * point to the next item in the slab.
+ */
+static inline void
+rdata_from_slab(unsigned char **current,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
+	      dns_rdata_t *rdata)
+{
+	unsigned char *tcurrent = *current;
+	isc_region_t region;
+	unsigned int length;
+	bool offline = false;
+
+	length = *tcurrent++ * 256;
+	length += *tcurrent++;
+
+	if (type == dns_rdatatype_rrsig) {
+		if ((*tcurrent & DNS_RDATASLAB_OFFLINE) != 0)
+			offline = true;
+		length--;
+		tcurrent++;
+	}
+	region.length = length;
+#if DNS_RDATASET_FIXED
+	tcurrent += 2;
+#endif
+	region.base = tcurrent;
+	tcurrent += region.length;
+	dns_rdata_fromregion(rdata, rdclass, type, &region);
+	if (offline)
+		rdata->flags |= DNS_RDATA_OFFLINE;
+	*current = tcurrent;
+}
+
+/*
+ * Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
+ * contains an rdata identical to 'rdata'.  This does case insensitive
+ * comparisons per DNSSEC.
+ */
+static inline bool
+rdata_in_slab(unsigned char *slab, unsigned int reservelen,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
+	      dns_rdata_t *rdata)
+{
+	unsigned int count, i;
+	unsigned char *current;
+	dns_rdata_t trdata = DNS_RDATA_INIT;
+	int n;
+
+	current = slab + reservelen;
+	count = *current++ * 256;
+	count += *current++;
+
+#if DNS_RDATASET_FIXED
+	current += (4 * count);
+#endif
+
+	for (i = 0; i < count; i++) {
+		rdata_from_slab(&current, rdclass, type, &trdata);
+
+		n = dns_rdata_compare(&trdata, rdata);
+		if (n == 0)
+			return (true);
+		if (n > 0)	/* In DNSSEC order. */
+			break;
+		dns_rdata_reset(&trdata);
+	}
+	return (false);
+}
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+		    unsigned int reservelen, isc_mem_t *mctx,
+		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		    unsigned int flags, unsigned char **tslabp)
+{
+	unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data;
+	unsigned int ocount, ncount, count, olength, tlength, tcount, length;
+	dns_rdata_t ordata = DNS_RDATA_INIT;
+	dns_rdata_t nrdata = DNS_RDATA_INIT;
+	bool added_something = false;
+	unsigned int oadded = 0;
+	unsigned int nadded = 0;
+	unsigned int nncount = 0;
+#if DNS_RDATASET_FIXED
+	unsigned int oncount;
+	unsigned int norder = 0;
+	unsigned int oorder = 0;
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+#endif
+
+	/*
+	 * XXX  Need parameter to allow "delete rdatasets in nslab" merge,
+	 * or perhaps another merge routine for this purpose.
+	 */
+
+	REQUIRE(tslabp != NULL && *tslabp == NULL);
+	REQUIRE(oslab != NULL && nslab != NULL);
+
+	ocurrent = oslab + reservelen;
+	ocount = *ocurrent++ * 256;
+	ocount += *ocurrent++;
+#if DNS_RDATASET_FIXED
+	ocurrent += (4 * ocount);
+#endif
+	ostart = ocurrent;
+	ncurrent = nslab + reservelen;
+	ncount = *ncurrent++ * 256;
+	ncount += *ncurrent++;
+#if DNS_RDATASET_FIXED
+	ncurrent += (4 * ncount);
+#endif
+	INSIST(ocount > 0 && ncount > 0);
+
+#if DNS_RDATASET_FIXED
+	oncount = ncount;
+#endif
+
+	/*
+	 * Yes, this is inefficient!
+	 */
+
+	/*
+	 * Figure out the length of the old slab's data.
+	 */
+	olength = 0;
+	for (count = 0; count < ocount; count++) {
+		length = *ocurrent++ * 256;
+		length += *ocurrent++;
+#if DNS_RDATASET_FIXED
+		olength += length + 8;
+		ocurrent += length + 2;
+#else
+		olength += length + 2;
+		ocurrent += length;
+#endif
+	}
+
+	/*
+	 * Start figuring out the target length and count.
+	 */
+	tlength = reservelen + 2 + olength;
+	tcount = ocount;
+
+	/*
+	 * Add in the length of rdata in the new slab that aren't in
+	 * the old slab.
+	 */
+	do {
+		dns_rdata_init(&nrdata);
+		rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
+		if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
+		{
+			/*
+			 * This rdata isn't in the old slab.
+			 */
+#if DNS_RDATASET_FIXED
+			tlength += nrdata.length + 8;
+#else
+			tlength += nrdata.length + 2;
+#endif
+			if (type == dns_rdatatype_rrsig)
+				tlength++;
+			tcount++;
+			nncount++;
+			added_something = true;
+		}
+		ncount--;
+	} while (ncount > 0);
+	ncount = nncount;
+
+	if (((flags & DNS_RDATASLAB_EXACT) != 0) &&
+	    (tcount != ncount + ocount))
+		return (DNS_R_NOTEXACT);
+
+	if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0)
+		return (DNS_R_UNCHANGED);
+
+	/*
+	 * Ensure that singleton types are actually singletons.
+	 */
+	if (tcount > 1 && dns_rdatatype_issingleton(type)) {
+		/*
+		 * We have a singleton type, but there's more than one
+		 * RR in the rdataset.
+		 */
+		return (DNS_R_SINGLETON);
+	}
+
+	if (tcount > 0xffff)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Copy the reserved area from the new slab.
+	 */
+	tstart = isc_mem_get(mctx, tlength);
+	if (tstart == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(tstart, nslab, reservelen);
+	tcurrent = tstart + reservelen;
+#if DNS_RDATASET_FIXED
+	offsetbase = tcurrent;
+#endif
+
+	/*
+	 * Write the new count.
+	 */
+	*tcurrent++ = (tcount & 0xff00) >> 8;
+	*tcurrent++ = (tcount & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	/*
+	 * Skip offset table.
+	 */
+	tcurrent += (tcount * 4);
+
+	offsettable = isc_mem_get(mctx,
+				  (ocount + oncount) * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, (ocount + oncount) * sizeof(unsigned int));
+#endif
+
+	/*
+	 * Merge the two slabs.
+	 */
+	ocurrent = ostart;
+	INSIST(ocount != 0);
+#if DNS_RDATASET_FIXED
+	oorder = ocurrent[2] * 256 + ocurrent[3];
+	INSIST(oorder < ocount);
+#endif
+	rdata_from_slab(&ocurrent, rdclass, type, &ordata);
+
+	ncurrent = nslab + reservelen + 2;
+#if DNS_RDATASET_FIXED
+	ncurrent += (4 * oncount);
+#endif
+
+	if (ncount > 0) {
+		do {
+			dns_rdata_reset(&nrdata);
+#if DNS_RDATASET_FIXED
+			norder = ncurrent[2] * 256 + ncurrent[3];
+
+			INSIST(norder < oncount);
+#endif
+			rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
+		} while (rdata_in_slab(oslab, reservelen, rdclass,
+				       type, &nrdata));
+	}
+
+	while (oadded < ocount || nadded < ncount) {
+		bool fromold;
+		if (oadded == ocount)
+			fromold = false;
+		else if (nadded == ncount)
+			fromold = true;
+		else
+			fromold = dns_rdata_compare(&ordata, &nrdata) < 0;
+		if (fromold) {
+#if DNS_RDATASET_FIXED
+			offsettable[oorder] = tcurrent - offsetbase;
+#endif
+			length = ordata.length;
+			data = ordata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
+			*tcurrent++ = (length & 0xff00) >> 8;
+			*tcurrent++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+			tcurrent += 2;	/* fill in later */
+#endif
+			memmove(tcurrent, data, length);
+			tcurrent += length;
+			oadded++;
+			if (oadded < ocount) {
+				dns_rdata_reset(&ordata);
+#if DNS_RDATASET_FIXED
+				oorder = ocurrent[2] * 256 + ocurrent[3];
+				INSIST(oorder < ocount);
+#endif
+				rdata_from_slab(&ocurrent, rdclass, type,
+						&ordata);
+			}
+		} else {
+#if DNS_RDATASET_FIXED
+			offsettable[ocount + norder] = tcurrent - offsetbase;
+#endif
+			length = nrdata.length;
+			data = nrdata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
+			*tcurrent++ = (length & 0xff00) >> 8;
+			*tcurrent++ = (length & 0x00ff);
+#if DNS_RDATASET_FIXED
+			tcurrent += 2;	/* fill in later */
+#endif
+			memmove(tcurrent, data, length);
+			tcurrent += length;
+			nadded++;
+			if (nadded < ncount) {
+				do {
+					dns_rdata_reset(&nrdata);
+#if DNS_RDATASET_FIXED
+					norder = ncurrent[2] * 256 + ncurrent[3];
+					INSIST(norder < oncount);
+#endif
+					rdata_from_slab(&ncurrent, rdclass,
+							type, &nrdata);
+				} while (rdata_in_slab(oslab, reservelen,
+						       rdclass, type,
+						       &nrdata));
+			}
+		}
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, ocount + oncount);
+
+	isc_mem_put(mctx, offsettable,
+		    (ocount + oncount) * sizeof(unsigned int));
+#endif
+
+	INSIST(tcurrent == tstart + tlength);
+
+	*tslabp = tstart;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+		       unsigned int reservelen, isc_mem_t *mctx,
+		       dns_rdataclass_t rdclass, dns_rdatatype_t type,
+		       unsigned int flags, unsigned char **tslabp)
+{
+	unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
+	unsigned int mcount, scount, rcount ,count, tlength, tcount, i;
+	dns_rdata_t srdata = DNS_RDATA_INIT;
+	dns_rdata_t mrdata = DNS_RDATA_INIT;
+#if DNS_RDATASET_FIXED
+	unsigned char *offsetbase;
+	unsigned int *offsettable;
+	unsigned int order;
+#endif
+
+	REQUIRE(tslabp != NULL && *tslabp == NULL);
+	REQUIRE(mslab != NULL && sslab != NULL);
+
+	mcurrent = mslab + reservelen;
+	mcount = *mcurrent++ * 256;
+	mcount += *mcurrent++;
+	scurrent = sslab + reservelen;
+	scount = *scurrent++ * 256;
+	scount += *scurrent++;
+	INSIST(mcount > 0 && scount > 0);
+
+	/*
+	 * Yes, this is inefficient!
+	 */
+
+	/*
+	 * Start figuring out the target length and count.
+	 */
+	tlength = reservelen + 2;
+	tcount = 0;
+	rcount = 0;
+
+#if DNS_RDATASET_FIXED
+	mcurrent += 4 * mcount;
+	scurrent += 4 * scount;
+#endif
+	sstart = scurrent;
+
+	/*
+	 * Add in the length of rdata in the mslab that aren't in
+	 * the sslab.
+	 */
+	for (i = 0; i < mcount; i++) {
+		unsigned char *mrdatabegin = mcurrent;
+		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+		scurrent = sstart;
+		for (count = 0; count < scount; count++) {
+			dns_rdata_reset(&srdata);
+			rdata_from_slab(&scurrent, rdclass, type, &srdata);
+			if (dns_rdata_compare(&mrdata, &srdata) == 0)
+				break;
+		}
+		if (count == scount) {
+			/*
+			 * This rdata isn't in the sslab, and thus isn't
+			 * being subtracted.
+			 */
+			tlength += (unsigned int)(mcurrent - mrdatabegin);
+			tcount++;
+		} else
+			rcount++;
+		dns_rdata_reset(&mrdata);
+	}
+
+#if DNS_RDATASET_FIXED
+	tlength += (4 * tcount);
+#endif
+
+	/*
+	 * Check that all the records originally existed.  The numeric
+	 * check only works as rdataslabs do not contain duplicates.
+	 */
+	if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount))
+		return (DNS_R_NOTEXACT);
+
+	/*
+	 * Don't continue if the new rdataslab would be empty.
+	 */
+	if (tcount == 0)
+		return (DNS_R_NXRRSET);
+
+	/*
+	 * If nothing is going to change, we can stop.
+	 */
+	if (rcount == 0)
+		return (DNS_R_UNCHANGED);
+
+	/*
+	 * Copy the reserved area from the mslab.
+	 */
+	tstart = isc_mem_get(mctx, tlength);
+	if (tstart == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(tstart, mslab, reservelen);
+	tcurrent = tstart + reservelen;
+#if DNS_RDATASET_FIXED
+	offsetbase = tcurrent;
+
+	offsettable = isc_mem_get(mctx, mcount * sizeof(unsigned int));
+	if (offsettable == NULL) {
+		isc_mem_put(mctx, tstart, tlength);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(offsettable, 0, mcount * sizeof(unsigned int));
+#endif
+
+	/*
+	 * Write the new count.
+	 */
+	*tcurrent++ = (tcount & 0xff00) >> 8;
+	*tcurrent++ = (tcount & 0x00ff);
+
+#if DNS_RDATASET_FIXED
+	tcurrent += (4 * tcount);
+#endif
+
+	/*
+	 * Copy the parts of mslab not in sslab.
+	 */
+	mcurrent = mslab + reservelen;
+	mcount = *mcurrent++ * 256;
+	mcount += *mcurrent++;
+#if DNS_RDATASET_FIXED
+	mcurrent += (4 * mcount);
+#endif
+	for (i = 0; i < mcount; i++) {
+		unsigned char *mrdatabegin = mcurrent;
+#if DNS_RDATASET_FIXED
+		order = mcurrent[2] * 256 + mcurrent[3];
+		INSIST(order < mcount);
+#endif
+		rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+		scurrent = sstart;
+		for (count = 0; count < scount; count++) {
+			dns_rdata_reset(&srdata);
+			rdata_from_slab(&scurrent, rdclass, type, &srdata);
+			if (dns_rdata_compare(&mrdata, &srdata) == 0)
+				break;
+		}
+		if (count == scount) {
+			/*
+			 * This rdata isn't in the sslab, and thus should be
+			 * copied to the tslab.
+			 */
+			unsigned int length;
+			length = (unsigned int)(mcurrent - mrdatabegin);
+#if DNS_RDATASET_FIXED
+			offsettable[order] = tcurrent - offsetbase;
+#endif
+			memmove(tcurrent, mrdatabegin, length);
+			tcurrent += length;
+		}
+		dns_rdata_reset(&mrdata);
+	}
+
+#if DNS_RDATASET_FIXED
+	fillin_offsets(offsetbase, offsettable, mcount);
+
+	isc_mem_put(mctx, offsettable, mcount * sizeof(unsigned int));
+#endif
+
+	INSIST(tcurrent == tstart + tlength);
+
+	*tslabp = tstart;
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+		    unsigned int reservelen)
+{
+	unsigned char *current1, *current2;
+	unsigned int count1, count2;
+	unsigned int length1, length2;
+
+	current1 = slab1 + reservelen;
+	count1 = *current1++ * 256;
+	count1 += *current1++;
+
+	current2 = slab2 + reservelen;
+	count2 = *current2++ * 256;
+	count2 += *current2++;
+
+	if (count1 != count2)
+		return (false);
+
+#if DNS_RDATASET_FIXED
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+#endif
+
+	while (count1 > 0) {
+		length1 = *current1++ * 256;
+		length1 += *current1++;
+
+		length2 = *current2++ * 256;
+		length2 += *current2++;
+
+#if DNS_RDATASET_FIXED
+		current1 += 2;
+		current2 += 2;
+#endif
+
+		if (length1 != length2 ||
+		    memcmp(current1, current2, length1) != 0)
+			return (false);
+
+		current1 += length1;
+		current2 += length1;
+
+		count1--;
+	}
+	return (true);
+}
+
+bool
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+		     unsigned int reservelen, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type)
+{
+	unsigned char *current1, *current2;
+	unsigned int count1, count2;
+	dns_rdata_t rdata1 = DNS_RDATA_INIT;
+	dns_rdata_t rdata2 = DNS_RDATA_INIT;
+
+	current1 = slab1 + reservelen;
+	count1 = *current1++ * 256;
+	count1 += *current1++;
+
+	current2 = slab2 + reservelen;
+	count2 = *current2++ * 256;
+	count2 += *current2++;
+
+	if (count1 != count2)
+		return (false);
+
+#if DNS_RDATASET_FIXED
+	current1 += (4 * count1);
+	current2 += (4 * count2);
+#endif
+
+	while (count1-- > 0) {
+		rdata_from_slab(&current1, rdclass, type, &rdata1);
+		rdata_from_slab(&current2, rdclass, type, &rdata2);
+		if (dns_rdata_compare(&rdata1, &rdata2) != 0)
+			return (false);
+		dns_rdata_reset(&rdata1);
+		dns_rdata_reset(&rdata2);
+	}
+	return (true);
+}
diff --git a/lib/dns/request.c b/lib/dns/request.c
new file mode 100644
index 0000000..a235387
--- /dev/null
+++ b/lib/dns/request.c
@@ -0,0 +1,1604 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/compress.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#define REQUESTMGR_MAGIC	ISC_MAGIC('R', 'q', 'u', 'M')
+#define VALID_REQUESTMGR(mgr)	ISC_MAGIC_VALID(mgr, REQUESTMGR_MAGIC)
+
+#define REQUEST_MAGIC		ISC_MAGIC('R', 'q', 'u', '!')
+#define VALID_REQUEST(request)	ISC_MAGIC_VALID(request, REQUEST_MAGIC)
+
+typedef ISC_LIST(dns_request_t) dns_requestlist_t;
+
+#define DNS_REQUEST_NLOCKS 7
+
+struct dns_requestmgr {
+	unsigned int			magic;
+	isc_mutex_t			lock;
+	isc_mem_t		       *mctx;
+
+	/* locked */
+	int32_t			eref;
+	int32_t			iref;
+	isc_timermgr_t		       *timermgr;
+	isc_socketmgr_t		       *socketmgr;
+	isc_taskmgr_t		       *taskmgr;
+	dns_dispatchmgr_t	       *dispatchmgr;
+	dns_dispatch_t		       *dispatchv4;
+	dns_dispatch_t		       *dispatchv6;
+	bool			exiting;
+	isc_eventlist_t			whenshutdown;
+	unsigned int			hash;
+	isc_mutex_t			locks[DNS_REQUEST_NLOCKS];
+	dns_requestlist_t 		requests;
+};
+
+struct dns_request {
+	unsigned int			magic;
+	unsigned int			hash;
+	isc_mem_t		       *mctx;
+	int32_t			flags;
+	ISC_LINK(dns_request_t) 	link;
+	isc_buffer_t		       *query;
+	isc_buffer_t		       *answer;
+	dns_requestevent_t	       *event;
+	dns_dispatch_t		       *dispatch;
+	dns_dispentry_t		       *dispentry;
+	isc_timer_t		       *timer;
+	dns_requestmgr_t	       *requestmgr;
+	isc_buffer_t		       *tsig;
+	dns_tsigkey_t		       *tsigkey;
+	isc_event_t			ctlevent;
+	bool			canceling; /* ctlevent outstanding */
+	isc_sockaddr_t			destaddr;
+	unsigned int			udpcount;
+	isc_dscp_t			dscp;
+};
+
+#define DNS_REQUEST_F_CONNECTING 0x0001
+#define DNS_REQUEST_F_SENDING 0x0002
+#define DNS_REQUEST_F_CANCELED 0x0004	/*%< ctlevent received, or otherwise
+					   synchronously canceled */
+#define DNS_REQUEST_F_TIMEDOUT 0x0008	/*%< canceled due to a timeout */
+#define DNS_REQUEST_F_TCP 0x0010	/*%< This request used TCP */
+#define DNS_REQUEST_CANCELED(r) \
+	(((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
+#define DNS_REQUEST_CONNECTING(r) \
+	(((r)->flags & DNS_REQUEST_F_CONNECTING) != 0)
+#define DNS_REQUEST_SENDING(r) \
+	(((r)->flags & DNS_REQUEST_F_SENDING) != 0)
+#define DNS_REQUEST_TIMEDOUT(r) \
+	(((r)->flags & DNS_REQUEST_F_TIMEDOUT) != 0)
+
+
+/***
+ *** Forward
+ ***/
+
+static void mgr_destroy(dns_requestmgr_t *requestmgr);
+static void mgr_shutdown(dns_requestmgr_t *requestmgr);
+static unsigned int mgr_gethash(dns_requestmgr_t *requestmgr);
+static void send_shutdown_events(dns_requestmgr_t *requestmgr);
+
+static isc_result_t req_render(dns_message_t *message, isc_buffer_t **buffer,
+			       unsigned int options, isc_mem_t *mctx);
+static void req_senddone(isc_task_t *task, isc_event_t *event);
+static void req_response(isc_task_t *task, isc_event_t *event);
+static void req_timeout(isc_task_t *task, isc_event_t *event);
+static isc_socket_t * req_getsocket(dns_request_t *request);
+static void req_connected(isc_task_t *task, isc_event_t *event);
+static void req_sendevent(dns_request_t *request, isc_result_t result);
+static void req_cancel(dns_request_t *request);
+static void req_destroy(dns_request_t *request);
+static void req_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+static void do_cancel(isc_task_t *task, isc_event_t *event);
+
+/***
+ *** Public
+ ***/
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx,
+		      isc_timermgr_t *timermgr,
+		      isc_socketmgr_t *socketmgr,
+		      isc_taskmgr_t *taskmgr,
+		      dns_dispatchmgr_t *dispatchmgr,
+		      dns_dispatch_t *dispatchv4,
+		      dns_dispatch_t *dispatchv6,
+		      dns_requestmgr_t **requestmgrp)
+{
+	dns_requestmgr_t *requestmgr;
+	isc_socket_t *sock;
+	isc_result_t result;
+	int i;
+	unsigned int dispattr;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
+
+	REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
+	REQUIRE(timermgr != NULL);
+	REQUIRE(socketmgr != NULL);
+	REQUIRE(taskmgr != NULL);
+	REQUIRE(dispatchmgr != NULL);
+	UNUSED(sock);
+	if (dispatchv4 != NULL) {
+		dispattr = dns_dispatch_getattributes(dispatchv4);
+		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
+	}
+	if (dispatchv6 != NULL) {
+		dispattr = dns_dispatch_getattributes(dispatchv6);
+		REQUIRE((dispattr & DNS_DISPATCHATTR_UDP) != 0);
+	}
+
+	requestmgr = isc_mem_get(mctx, sizeof(*requestmgr));
+	if (requestmgr == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&requestmgr->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+		return (result);
+	}
+	for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
+		result = isc_mutex_init(&requestmgr->locks[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (--i >= 0)
+				DESTROYLOCK(&requestmgr->locks[i]);
+			DESTROYLOCK(&requestmgr->lock);
+			isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+			return (result);
+		}
+	}
+	requestmgr->timermgr = timermgr;
+	requestmgr->socketmgr = socketmgr;
+	requestmgr->taskmgr = taskmgr;
+	requestmgr->dispatchmgr = dispatchmgr;
+	requestmgr->dispatchv4 = NULL;
+	if (dispatchv4 != NULL)
+		dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
+	requestmgr->dispatchv6 = NULL;
+	if (dispatchv6 != NULL)
+		dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
+	requestmgr->mctx = NULL;
+	isc_mem_attach(mctx, &requestmgr->mctx);
+	requestmgr->eref = 1;	/* implicit attach */
+	requestmgr->iref = 0;
+	ISC_LIST_INIT(requestmgr->whenshutdown);
+	ISC_LIST_INIT(requestmgr->requests);
+	requestmgr->exiting = false;
+	requestmgr->hash = 0;
+	requestmgr->magic = REQUESTMGR_MAGIC;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
+
+	*requestmgrp = requestmgr;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+			    isc_event_t **eventp)
+{
+	isc_task_t *tclone;
+	isc_event_t *event;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&requestmgr->lock);
+
+	if (requestmgr->exiting) {
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = requestmgr;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
+	}
+	UNLOCK(&requestmgr->lock);
+}
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
+
+	LOCK(&requestmgr->lock);
+	mgr_shutdown(requestmgr);
+	UNLOCK(&requestmgr->lock);
+}
+
+static void
+mgr_shutdown(dns_requestmgr_t *requestmgr) {
+	dns_request_t *request;
+
+	/*
+	 * Caller holds lock.
+	 */
+	if (!requestmgr->exiting) {
+		requestmgr->exiting = true;
+		for (request = ISC_LIST_HEAD(requestmgr->requests);
+		     request != NULL;
+		     request = ISC_LIST_NEXT(request, link)) {
+			dns_request_cancel(request);
+		}
+		if (requestmgr->iref == 0) {
+			INSIST(ISC_LIST_EMPTY(requestmgr->requests));
+			send_shutdown_events(requestmgr);
+		}
+	}
+}
+
+static void
+requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+
+	/*
+	 * Locked by caller.
+	 */
+
+	REQUIRE(VALID_REQUESTMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	REQUIRE(!source->exiting);
+
+	source->iref++;
+	*targetp = source;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
+}
+
+static void
+requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	bool need_destroy = false;
+
+	REQUIRE(requestmgrp != NULL);
+	requestmgr = *requestmgrp;
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	*requestmgrp = NULL;
+	LOCK(&requestmgr->lock);
+	INSIST(requestmgr->iref > 0);
+	requestmgr->iref--;
+
+	req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->iref == 0 && requestmgr->exiting) {
+		INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
+		send_shutdown_events(requestmgr);
+		if (requestmgr->eref == 0)
+			need_destroy = true;
+	}
+	UNLOCK(&requestmgr->lock);
+
+	if (need_destroy)
+		mgr_destroy(requestmgr);
+}
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+
+	REQUIRE(VALID_REQUESTMGR(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	REQUIRE(!source->exiting);
+
+	LOCK(&source->lock);
+	source->eref++;
+	*targetp = source;
+	UNLOCK(&source->lock);
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
+		source, source->eref, source->iref);
+}
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+	dns_requestmgr_t *requestmgr;
+	bool need_destroy = false;
+
+	REQUIRE(requestmgrp != NULL);
+	requestmgr = *requestmgrp;
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+	LOCK(&requestmgr->lock);
+	INSIST(requestmgr->eref > 0);
+	requestmgr->eref--;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
+		requestmgr, requestmgr->eref, requestmgr->iref);
+
+	if (requestmgr->eref == 0 && requestmgr->iref == 0) {
+		INSIST(requestmgr->exiting &&
+		       ISC_LIST_HEAD(requestmgr->requests) == NULL);
+		need_destroy = true;
+	}
+	UNLOCK(&requestmgr->lock);
+
+	if (need_destroy)
+		mgr_destroy(requestmgr);
+
+	*requestmgrp = NULL;
+}
+
+static void
+send_shutdown_events(dns_requestmgr_t *requestmgr) {
+	isc_event_t *event, *next_event;
+	isc_task_t *etask;
+
+	req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
+
+	/*
+	 * Caller must be holding the manager lock.
+	 */
+	for (event = ISC_LIST_HEAD(requestmgr->whenshutdown);
+	     event != NULL;
+	     event = next_event) {
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = requestmgr;
+		isc_task_sendanddetach(&etask, &event);
+	}
+}
+
+static void
+mgr_destroy(dns_requestmgr_t *requestmgr) {
+	int i;
+	isc_mem_t *mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
+
+	REQUIRE(requestmgr->eref == 0);
+	REQUIRE(requestmgr->iref == 0);
+
+	DESTROYLOCK(&requestmgr->lock);
+	for (i = 0; i < DNS_REQUEST_NLOCKS; i++)
+		DESTROYLOCK(&requestmgr->locks[i]);
+	if (requestmgr->dispatchv4 != NULL)
+		dns_dispatch_detach(&requestmgr->dispatchv4);
+	if (requestmgr->dispatchv6 != NULL)
+		dns_dispatch_detach(&requestmgr->dispatchv6);
+	requestmgr->magic = 0;
+	mctx = requestmgr->mctx;
+	isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+	isc_mem_detach(&mctx);
+}
+
+static unsigned int
+mgr_gethash(dns_requestmgr_t *requestmgr) {
+	req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
+	/*
+	 * Locked by caller.
+	 */
+	requestmgr->hash++;
+	return (requestmgr->hash % DNS_REQUEST_NLOCKS);
+}
+
+static inline isc_result_t
+req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
+	isc_region_t r;
+	isc_socket_t *sock;
+	isc_socketevent_t *sendevent;
+	isc_result_t result;
+
+	req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
+	sock = req_getsocket(request);
+	isc_buffer_usedregion(request->query, &r);
+	/*
+	 * We could connect the socket when we are using an exclusive dispatch
+	 * as we do in resolver.c, but we prefer implementation simplicity
+	 * at this moment.
+	 */
+	sendevent = isc_socket_socketevent(request->mctx, sock,
+					   ISC_SOCKEVENT_SENDDONE,
+					   req_senddone, request);
+	if (sendevent == NULL)
+		return (ISC_R_NOMEMORY);
+	if (request->dscp == -1) {
+		sendevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+		sendevent->dscp = 0;
+	} else {
+		sendevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
+		sendevent->dscp = request->dscp;
+	}
+
+	request->flags |= DNS_REQUEST_F_SENDING;
+	result = isc_socket_sendto2(sock, &r, task, address, NULL,
+				    sendevent, 0);
+	if (result != ISC_R_SUCCESS)
+		request->flags &= ~DNS_REQUEST_F_SENDING;
+	return (result);
+}
+
+static isc_result_t
+new_request(isc_mem_t *mctx, dns_request_t **requestp)
+{
+	dns_request_t *request;
+
+	request = isc_mem_get(mctx, sizeof(*request));
+	if (request == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * Zero structure.
+	 */
+	request->magic = 0;
+	request->mctx = NULL;
+	request->flags = 0;
+	ISC_LINK_INIT(request, link);
+	request->query = NULL;
+	request->answer = NULL;
+	request->event = NULL;
+	request->dispatch = NULL;
+	request->dispentry = NULL;
+	request->timer = NULL;
+	request->requestmgr = NULL;
+	request->tsig = NULL;
+	request->tsigkey = NULL;
+	request->dscp = -1;
+	ISC_EVENT_INIT(&request->ctlevent, sizeof(request->ctlevent), 0, NULL,
+		       DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL,
+		       NULL, NULL);
+	request->canceling = false;
+	request->udpcount = 0;
+
+	isc_mem_attach(mctx, &request->mctx);
+
+	request->magic = REQUEST_MAGIC;
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+}
+
+
+static bool
+isblackholed(dns_dispatchmgr_t *dispatchmgr, isc_sockaddr_t *destaddr) {
+	dns_acl_t *blackhole;
+	isc_netaddr_t netaddr;
+	int match;
+	bool drop = false;
+	char netaddrstr[ISC_NETADDR_FORMATSIZE];
+
+	blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
+	if (blackhole != NULL) {
+		isc_netaddr_fromsockaddr(&netaddr, destaddr);
+		if (dns_acl_match(&netaddr, NULL, blackhole,
+				  NULL, &match, NULL) == ISC_R_SUCCESS &&
+		    match > 0)
+			drop = true;
+	}
+	if (drop) {
+		isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
+		req_log(ISC_LOG_DEBUG(10), "blackholed address %s", netaddrstr);
+	}
+	return (drop);
+}
+
+static isc_result_t
+create_tcp_dispatch(bool newtcp, bool share,
+		    dns_requestmgr_t *requestmgr,
+		    isc_sockaddr_t *srcaddr,
+		    isc_sockaddr_t *destaddr, isc_dscp_t dscp,
+		    bool *connected, dns_dispatch_t **dispatchp)
+{
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+	isc_sockaddr_t src;
+	unsigned int attrs;
+	isc_sockaddr_t bind_any;
+
+	if (!newtcp && share) {
+		result = dns_dispatch_gettcp2(requestmgr->dispatchmgr,
+					      destaddr, srcaddr,
+					      connected, dispatchp);
+		if (result == ISC_R_SUCCESS) {
+			char peer[ISC_SOCKADDR_FORMATSIZE];
+
+			isc_sockaddr_format(destaddr, peer, sizeof(peer));
+			req_log(ISC_LOG_DEBUG(1), "attached to %s TCP "
+				"connection to %s",
+				*connected ? "existing" : "pending", peer);
+			return (result);
+		}
+	} else if (!newtcp) {
+		result = dns_dispatch_gettcp(requestmgr->dispatchmgr, destaddr,
+					     srcaddr, dispatchp);
+		if (result == ISC_R_SUCCESS) {
+			char peer[ISC_SOCKADDR_FORMATSIZE];
+
+			*connected = true;
+			isc_sockaddr_format(destaddr, peer, sizeof(peer));
+			req_log(ISC_LOG_DEBUG(1), "attached to existing TCP "
+				"connection to %s", peer);
+			return (result);
+		}
+	}
+
+	result = isc_socket_create(requestmgr->socketmgr,
+				   isc_sockaddr_pf(destaddr),
+				   isc_sockettype_tcp, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+	if (srcaddr == NULL) {
+		isc_sockaddr_anyofpf(&bind_any,
+				     isc_sockaddr_pf(destaddr));
+		result = isc_socket_bind(sock, &bind_any, 0);
+	} else {
+		src = *srcaddr;
+		isc_sockaddr_setport(&src, 0);
+		result = isc_socket_bind(sock, &src, 0);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#endif
+
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_TCP;
+	if (isc_sockaddr_pf(destaddr) == AF_INET)
+		attrs |= DNS_DISPATCHATTR_IPV4;
+	else
+		attrs |= DNS_DISPATCHATTR_IPV6;
+	attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+	isc_socket_dscp(sock, dscp);
+	result = dns_dispatch_createtcp2(requestmgr->dispatchmgr,
+					 sock, requestmgr->taskmgr,
+					 srcaddr, destaddr,
+					 4096, 32768, 32768, 16411, 16433,
+					 attrs, dispatchp);
+cleanup:
+	isc_socket_detach(&sock);
+	return (result);
+}
+
+static isc_result_t
+find_udp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
+		  isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
+{
+	dns_dispatch_t *disp = NULL;
+	unsigned int attrs, attrmask;
+
+	if (srcaddr == NULL) {
+		switch (isc_sockaddr_pf(destaddr)) {
+		case PF_INET:
+			disp = requestmgr->dispatchv4;
+			break;
+
+		case PF_INET6:
+			disp = requestmgr->dispatchv6;
+			break;
+
+		default:
+			return (ISC_R_NOTIMPLEMENTED);
+		}
+		if (disp == NULL)
+			return (ISC_R_FAMILYNOSUPPORT);
+		dns_dispatch_attach(disp, dispatchp);
+		return (ISC_R_SUCCESS);
+	}
+	attrs = 0;
+	attrs |= DNS_DISPATCHATTR_UDP;
+	switch (isc_sockaddr_pf(srcaddr)) {
+	case PF_INET:
+		attrs |= DNS_DISPATCHATTR_IPV4;
+		break;
+
+	case PF_INET6:
+		attrs |= DNS_DISPATCHATTR_IPV6;
+		break;
+
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	attrmask = 0;
+	attrmask |= DNS_DISPATCHATTR_UDP;
+	attrmask |= DNS_DISPATCHATTR_TCP;
+	attrmask |= DNS_DISPATCHATTR_IPV4;
+	attrmask |= DNS_DISPATCHATTR_IPV6;
+	return (dns_dispatch_getudp(requestmgr->dispatchmgr,
+				    requestmgr->socketmgr,
+				    requestmgr->taskmgr,
+				    srcaddr, 4096,
+				    32768, 32768, 16411, 16433,
+				    attrs, attrmask,
+				    dispatchp));
+}
+
+static isc_result_t
+get_dispatch(bool tcp, bool newtcp, bool share,
+	     dns_requestmgr_t *requestmgr,
+	     isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+	     isc_dscp_t dscp, bool *connected,
+	     dns_dispatch_t **dispatchp)
+{
+	isc_result_t result;
+
+	if (tcp)
+		result = create_tcp_dispatch(newtcp, share, requestmgr,
+					     srcaddr, destaddr, dscp,
+					     connected, dispatchp);
+	else
+		result = find_udp_dispatch(requestmgr, srcaddr,
+					   destaddr, dispatchp);
+	return (result);
+}
+
+static isc_result_t
+set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
+	isc_time_t expires;
+	isc_interval_t interval;
+	isc_result_t result;
+	isc_timertype_t timertype;
+
+	isc_interval_set(&interval, timeout, 0);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	isc_interval_set(&interval, udpresend, 0);
+
+	timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
+	if (result == ISC_R_SUCCESS)
+		result = isc_timer_reset(timer, timertype, &expires,
+					 &interval, false);
+	return (result);
+}
+
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		      unsigned int options, unsigned int timeout,
+		      isc_task_t *task, isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp)
+{
+	return(dns_request_createraw4(requestmgr, msgbuf, srcaddr, destaddr,
+				      -1, options, timeout, 0, 0, task, action,
+				      arg, requestp));
+}
+
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	unsigned int udpretries = 0;
+
+	if (udptimeout != 0)
+		udpretries = timeout / udptimeout;
+
+	return (dns_request_createraw4(requestmgr, msgbuf, srcaddr, destaddr,
+				       -1, options, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	return (dns_request_createraw4(requestmgr, msgbuf, srcaddr, destaddr,
+				       -1, options, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+
+isc_result_t
+dns_request_createraw4(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       isc_dscp_t dscp, unsigned int options,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	dns_request_t *request = NULL;
+	isc_task_t *tclone = NULL;
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx;
+	dns_messageid_t	id;
+	bool tcp = false;
+	bool newtcp = false;
+	bool share = false;
+	isc_region_t r;
+	bool connected = false;
+	unsigned int dispopt = 0;
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(msgbuf != NULL);
+	REQUIRE(destaddr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+	REQUIRE(requestp != NULL && *requestp == NULL);
+	REQUIRE(timeout > 0);
+	if (srcaddr != NULL)
+		REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
+
+	mctx = requestmgr->mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw");
+
+	if (isblackholed(requestmgr->dispatchmgr, destaddr))
+		return (DNS_R_BLACKHOLED);
+
+	request = NULL;
+	result = new_request(mctx, &request);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0)
+			udptimeout = 1;
+	}
+	request->udpcount = udpretries;
+	request->dscp = dscp;
+
+	/*
+	 * Create timer now.  We will set it below once.
+	 */
+	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL, task, req_timeout, request,
+				  &request->timer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	request->event = (dns_requestevent_t *)
+		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
+				   action, arg, sizeof(dns_requestevent_t));
+	if (request->event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	isc_task_attach(task, &tclone);
+	request->event->ev_sender = task;
+	request->event->request = request;
+	request->event->result = ISC_R_FAILURE;
+
+	isc_buffer_usedregion(msgbuf, &r);
+	if (r.length < DNS_MESSAGE_HEADERLEN || r.length > 65535) {
+		result = DNS_R_FORMERR;
+		goto cleanup;
+	}
+
+	if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512)
+		tcp = true;
+	share = (options & DNS_REQUESTOPT_SHARE);
+
+ again:
+	result = get_dispatch(tcp, newtcp, share, requestmgr,
+			      srcaddr, destaddr, dscp,
+			      &connected, &request->dispatch);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if ((options & DNS_REQUESTOPT_FIXEDID) != 0) {
+		id = (r.base[0] << 8) | r.base[1];
+		dispopt |= DNS_DISPATCHOPT_FIXEDID;
+	}
+
+	result = dns_dispatch_addresponse3(request->dispatch, dispopt,
+					   destaddr, task, req_response,
+					   request, &id, &request->dispentry,
+					   requestmgr->socketmgr);
+	if (result != ISC_R_SUCCESS) {
+		if ((options & DNS_REQUESTOPT_FIXEDID) != 0 && !newtcp) {
+			newtcp = true;
+			connected = false;
+			dns_dispatch_detach(&request->dispatch);
+			goto again;
+		}
+		goto cleanup;
+	}
+
+	sock = req_getsocket(request);
+	INSIST(sock != NULL);
+
+	result = isc_buffer_allocate(mctx, &request->query,
+				     r.length + (tcp ? 2 : 0));
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (tcp)
+		isc_buffer_putuint16(request->query, (uint16_t)r.length);
+	result = isc_buffer_copyregion(request->query, &r);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* Add message ID. */
+	isc_buffer_usedregion(request->query, &r);
+	if (tcp)
+		isc_region_consume(&r, 2);
+	r.base[0] = (id>>8) & 0xff;
+	r.base[1] = id & 0xff;
+
+	LOCK(&requestmgr->lock);
+	if (requestmgr->exiting) {
+		UNLOCK(&requestmgr->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto cleanup;
+	}
+	requestmgr_attach(requestmgr, &request->requestmgr);
+	request->hash = mgr_gethash(requestmgr);
+	ISC_LIST_APPEND(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+	if (result != ISC_R_SUCCESS)
+		goto unlink;
+
+	request->destaddr = *destaddr;
+	if (tcp && !connected) {
+		result = isc_socket_connect(sock, destaddr, task,
+					    req_connected, request);
+		if (result != ISC_R_SUCCESS)
+			goto unlink;
+		request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
+	} else {
+		result = req_send(request, task, connected ? NULL : destaddr);
+		if (result != ISC_R_SUCCESS)
+			goto unlink;
+	}
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: request %p",
+		request);
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+
+ unlink:
+	LOCK(&requestmgr->lock);
+	ISC_LIST_UNLINK(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+ cleanup:
+	if (tclone != NULL)
+		isc_task_detach(&tclone);
+	req_destroy(request);
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: failed %s",
+		dns_result_totext(result));
+	return (result);
+}
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		   isc_sockaddr_t *address, unsigned int options,
+		   dns_tsigkey_t *key,
+		   unsigned int timeout, isc_task_t *task,
+		   isc_taskaction_t action, void *arg,
+		   dns_request_t **requestp)
+{
+	return (dns_request_createvia4(requestmgr, message, NULL, address,
+				       -1, options, key, timeout, 0, 0, task,
+				       action, arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		      isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		      unsigned int options, dns_tsigkey_t *key,
+		      unsigned int timeout, isc_task_t *task,
+		      isc_taskaction_t action, void *arg,
+		      dns_request_t **requestp)
+{
+	return(dns_request_createvia4(requestmgr, message, srcaddr, destaddr,
+				      -1, options, key, timeout, 0, 0, task,
+				      action, arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	unsigned int udpretries = 0;
+
+	if (udptimeout != 0)
+		udpretries = timeout / udptimeout;
+	return (dns_request_createvia4(requestmgr, message, srcaddr, destaddr,
+				       -1, options, key, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       unsigned int options, dns_tsigkey_t *key,
+		       unsigned int timeout, unsigned int udptimeout,
+		       unsigned int udpretries, isc_task_t *task,
+		       isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	return (dns_request_createvia4(requestmgr, message, srcaddr, destaddr,
+				       -1, options, key, timeout, udptimeout,
+				       udpretries, task, action, arg,
+				       requestp));
+}
+
+isc_result_t
+dns_request_createvia4(dns_requestmgr_t *requestmgr, dns_message_t *message,
+		       isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		       isc_dscp_t dscp, unsigned int options,
+		       dns_tsigkey_t *key, unsigned int timeout,
+		       unsigned int udptimeout, unsigned int udpretries,
+		       isc_task_t *task, isc_taskaction_t action, void *arg,
+		       dns_request_t **requestp)
+{
+	dns_request_t *request = NULL;
+	isc_task_t *tclone = NULL;
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx;
+	dns_messageid_t	id;
+	bool tcp;
+	bool share;
+	bool settsigkey = true;
+	bool connected = false;
+
+	REQUIRE(VALID_REQUESTMGR(requestmgr));
+	REQUIRE(message != NULL);
+	REQUIRE(destaddr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+	REQUIRE(requestp != NULL && *requestp == NULL);
+	REQUIRE(timeout > 0);
+
+	mctx = requestmgr->mctx;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia");
+
+	if (srcaddr != NULL &&
+	    isc_sockaddr_pf(srcaddr) != isc_sockaddr_pf(destaddr))
+		return (ISC_R_FAMILYMISMATCH);
+
+	if (isblackholed(requestmgr->dispatchmgr, destaddr))
+		return (DNS_R_BLACKHOLED);
+
+	request = NULL;
+	result = new_request(mctx, &request);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (udptimeout == 0 && udpretries != 0) {
+		udptimeout = timeout / (udpretries + 1);
+		if (udptimeout == 0)
+			udptimeout = 1;
+	}
+	request->udpcount = udpretries;
+	request->dscp = dscp;
+
+	/*
+	 * Create timer now.  We will set it below once.
+	 */
+	result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL, task, req_timeout, request,
+				  &request->timer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	request->event = (dns_requestevent_t *)
+		isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
+				   action, arg, sizeof(dns_requestevent_t));
+	if (request->event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	isc_task_attach(task, &tclone);
+	request->event->ev_sender = task;
+	request->event->request = request;
+	request->event->result = ISC_R_FAILURE;
+	if (key != NULL)
+		dns_tsigkey_attach(key, &request->tsigkey);
+
+ use_tcp:
+	tcp = (options & DNS_REQUESTOPT_TCP);
+	share = (options & DNS_REQUESTOPT_SHARE);
+	result = get_dispatch(tcp, false, share,
+			      requestmgr, srcaddr, destaddr,
+			      dscp, &connected, &request->dispatch);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_dispatch_addresponse2(request->dispatch, destaddr, task,
+					   req_response, request, &id,
+					   &request->dispentry,
+					   requestmgr->socketmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	sock = req_getsocket(request);
+	INSIST(sock != NULL);
+
+	message->id = id;
+	if (settsigkey) {
+		result = dns_message_settsigkey(message, request->tsigkey);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+	result = req_render(message, &request->query, options, mctx);
+	if (result == DNS_R_USETCP &&
+	    (options & DNS_REQUESTOPT_TCP) == 0) {
+		/*
+		 * Try again using TCP.
+		 */
+		dns_message_renderreset(message);
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+		dns_dispatch_detach(&request->dispatch);
+		sock = NULL;
+		options |= DNS_REQUESTOPT_TCP;
+		settsigkey = false;
+		goto use_tcp;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_getquerytsig(message, mctx, &request->tsig);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	LOCK(&requestmgr->lock);
+	if (requestmgr->exiting) {
+		UNLOCK(&requestmgr->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto cleanup;
+	}
+	requestmgr_attach(requestmgr, &request->requestmgr);
+	request->hash = mgr_gethash(requestmgr);
+	ISC_LIST_APPEND(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+	result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+	if (result != ISC_R_SUCCESS)
+		goto unlink;
+
+	request->destaddr = *destaddr;
+	if (tcp && !connected) {
+		result = isc_socket_connect(sock, destaddr, task,
+					    req_connected, request);
+		if (result != ISC_R_SUCCESS)
+			goto unlink;
+		request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
+	} else {
+		result = req_send(request, task, connected ? NULL : destaddr);
+		if (result != ISC_R_SUCCESS)
+			goto unlink;
+	}
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: request %p",
+		request);
+	*requestp = request;
+	return (ISC_R_SUCCESS);
+
+ unlink:
+	LOCK(&requestmgr->lock);
+	ISC_LIST_UNLINK(requestmgr->requests, request, link);
+	UNLOCK(&requestmgr->lock);
+
+ cleanup:
+	if (tclone != NULL)
+		isc_task_detach(&tclone);
+	req_destroy(request);
+	req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: failed %s",
+		dns_result_totext(result));
+	return (result);
+}
+
+static isc_result_t
+req_render(dns_message_t *message, isc_buffer_t **bufferp,
+	   unsigned int options, isc_mem_t *mctx)
+{
+	isc_buffer_t *buf1 = NULL;
+	isc_buffer_t *buf2 = NULL;
+	isc_result_t result;
+	isc_region_t r;
+	bool tcp = false;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+
+	REQUIRE(bufferp != NULL && *bufferp == NULL);
+
+	req_log(ISC_LOG_DEBUG(3), "request_render");
+
+	/*
+	 * Create buffer able to hold largest possible message.
+	 */
+	result = isc_buffer_allocate(mctx, &buf1, 65535);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_compress_init(&cctx, -1, mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	cleanup_cctx = true;
+
+	if ((options & DNS_REQUESTOPT_CASE) != 0)
+		dns_compress_setsensitive(&cctx, true);
+
+	/*
+	 * Render message.
+	 */
+	result = dns_message_renderbegin(message, &cctx, buf1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_message_renderend(message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_compress_invalidate(&cctx);
+	cleanup_cctx = false;
+
+	/*
+	 * Copy rendered message to exact sized buffer.
+	 */
+	isc_buffer_usedregion(buf1, &r);
+	if ((options & DNS_REQUESTOPT_TCP) != 0) {
+		tcp = true;
+	} else if (r.length > 512) {
+		result = DNS_R_USETCP;
+		goto cleanup;
+	}
+	result = isc_buffer_allocate(mctx, &buf2, r.length + (tcp ? 2 : 0));
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	if (tcp)
+		isc_buffer_putuint16(buf2, (uint16_t)r.length);
+	result = isc_buffer_copyregion(buf2, &r);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * Cleanup and return.
+	 */
+	isc_buffer_free(&buf1);
+	*bufferp = buf2;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_message_renderreset(message);
+	if (buf1 != NULL)
+		isc_buffer_free(&buf1);
+	if (buf2 != NULL)
+		isc_buffer_free(&buf2);
+	if (cleanup_cctx)
+		dns_compress_invalidate(&cctx);
+	return (result);
+}
+
+
+/*
+ * If this request is no longer waiting for events,
+ * send the completion event.  This will ultimately
+ * cause the request to be destroyed.
+ *
+ * Requires:
+ *	'request' is locked by the caller.
+ */
+static void
+send_if_done(dns_request_t *request, isc_result_t result) {
+	if (request->event != NULL && !request->canceling)
+		req_sendevent(request, result);
+}
+
+/*
+ * Handle the control event.
+ */
+static void
+do_cancel(isc_task_t *task, isc_event_t *event) {
+	dns_request_t *request = event->ev_arg;
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_REQUESTCONTROL);
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->canceling = false;
+	if (!DNS_REQUEST_CANCELED(request))
+		req_cancel(request);
+	send_if_done(request, ISC_R_CANCELED);
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+void
+dns_request_cancel(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
+
+	REQUIRE(VALID_REQUEST(request));
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	if (!request->canceling && !DNS_REQUEST_CANCELED(request)) {
+		isc_event_t *ev =  &request->ctlevent;
+		isc_task_send(request->event->ev_sender, &ev);
+		request->canceling = true;
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+			unsigned int options)
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(request->answer != NULL);
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
+		request);
+
+	result = dns_message_setquerytsig(message, request->tsig);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_settsigkey(message, request->tsigkey);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_message_parse(message, request->answer, options);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (request->tsigkey != NULL)
+		result = dns_tsig_verify(request->answer, message, NULL, NULL);
+	return (result);
+}
+
+bool
+dns_request_usedtcp(dns_request_t *request) {
+	REQUIRE(VALID_REQUEST(request));
+
+	return (request->flags & DNS_REQUEST_F_TCP);
+}
+
+void
+dns_request_destroy(dns_request_t **requestp) {
+	dns_request_t *request;
+
+	REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
+
+	request = *requestp;
+
+	req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
+
+	LOCK(&request->requestmgr->lock);
+	LOCK(&request->requestmgr->locks[request->hash]);
+	ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
+	INSIST(!DNS_REQUEST_CONNECTING(request));
+	INSIST(!DNS_REQUEST_SENDING(request));
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+	UNLOCK(&request->requestmgr->lock);
+
+	/*
+	 * These should have been cleaned up by req_cancel() before
+	 * the completion event was sent.
+	 */
+	INSIST(!ISC_LINK_LINKED(request, link));
+	INSIST(request->dispentry == NULL);
+	INSIST(request->dispatch == NULL);
+	INSIST(request->timer == NULL);
+
+	req_destroy(request);
+
+	*requestp = NULL;
+}
+
+/***
+ *** Private: request.
+ ***/
+
+static isc_socket_t *
+req_getsocket(dns_request_t *request) {
+	unsigned int dispattr;
+	isc_socket_t *sock;
+
+	dispattr = dns_dispatch_getattributes(request->dispatch);
+	if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+		INSIST(request->dispentry != NULL);
+		sock = dns_dispatch_getentrysocket(request->dispentry);
+	} else
+		sock = dns_dispatch_getsocket(request->dispatch);
+
+	return (sock);
+}
+
+static void
+req_connected(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_result_t result;
+	dns_request_t *request = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(DNS_REQUEST_CONNECTING(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->flags &= ~DNS_REQUEST_F_CONNECTING;
+
+	if (DNS_REQUEST_CANCELED(request)) {
+		/*
+		 * Send delayed event.
+		 */
+		if (DNS_REQUEST_TIMEDOUT(request))
+			send_if_done(request, ISC_R_TIMEDOUT);
+		else
+			send_if_done(request, ISC_R_CANCELED);
+	} else {
+		dns_dispatch_starttcp(request->dispatch);
+		result = sevent->result;
+		if (result == ISC_R_SUCCESS)
+			result = req_send(request, task, NULL);
+
+		if (result != ISC_R_SUCCESS) {
+			req_cancel(request);
+			send_if_done(request, ISC_R_CANCELED);
+		}
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+	isc_event_free(&event);
+}
+
+static void
+req_senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	dns_request_t *request = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(DNS_REQUEST_SENDING(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
+
+	UNUSED(task);
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	request->flags &= ~DNS_REQUEST_F_SENDING;
+
+	if (DNS_REQUEST_CANCELED(request)) {
+		/*
+		 * Send delayed event.
+		 */
+		if (DNS_REQUEST_TIMEDOUT(request))
+			send_if_done(request, ISC_R_TIMEDOUT);
+		else
+			send_if_done(request, ISC_R_CANCELED);
+	} else if (sevent->result != ISC_R_SUCCESS) {
+		req_cancel(request);
+		send_if_done(request, ISC_R_CANCELED);
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+
+	isc_event_free(&event);
+}
+
+static void
+req_response(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_request_t *request = event->ev_arg;
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	isc_region_t r;
+
+	REQUIRE(VALID_REQUEST(request));
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+	UNUSED(task);
+
+	req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
+		dns_result_totext(devent->result));
+
+	LOCK(&request->requestmgr->locks[request->hash]);
+	result = devent->result;
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	/*
+	 * Copy buffer to request.
+	 */
+	isc_buffer_usedregion(&devent->buffer, &r);
+	result = isc_buffer_allocate(request->mctx, &request->answer,
+				     r.length);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+	result = isc_buffer_copyregion(request->answer, &r);
+	if (result != ISC_R_SUCCESS)
+		isc_buffer_free(&request->answer);
+ done:
+	/*
+	 * Cleanup.
+	 */
+	dns_dispatch_removeresponse(&request->dispentry, &devent);
+	req_cancel(request);
+	/*
+	 * Send completion event.
+	 */
+	send_if_done(request, result);
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_timeout(isc_task_t *task, isc_event_t *event) {
+	dns_request_t *request = event->ev_arg;
+	isc_result_t result;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
+
+	UNUSED(task);
+	LOCK(&request->requestmgr->locks[request->hash]);
+	if (event->ev_type == ISC_TIMEREVENT_TICK &&
+	    request->udpcount-- != 0) {
+		if (! DNS_REQUEST_SENDING(request)) {
+			result = req_send(request, task, &request->destaddr);
+			if (result != ISC_R_SUCCESS) {
+				req_cancel(request);
+				send_if_done(request, result);
+			}
+		}
+	} else {
+		request->flags |= DNS_REQUEST_F_TIMEDOUT;
+		req_cancel(request);
+		send_if_done(request, ISC_R_TIMEDOUT);
+	}
+	UNLOCK(&request->requestmgr->locks[request->hash]);
+	isc_event_free(&event);
+}
+
+static void
+req_sendevent(dns_request_t *request, isc_result_t result) {
+	isc_task_t *task;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
+
+	/*
+	 * Lock held by caller.
+	 */
+	task = request->event->ev_sender;
+	request->event->ev_sender = request;
+	request->event->result = result;
+	isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
+}
+
+static void
+req_destroy(dns_request_t *request) {
+	isc_mem_t *mctx;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
+
+	request->magic = 0;
+	if (request->query != NULL)
+		isc_buffer_free(&request->query);
+	if (request->answer != NULL)
+		isc_buffer_free(&request->answer);
+	if (request->event != NULL)
+		isc_event_free((isc_event_t **)&request->event);
+	if (request->dispentry != NULL)
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+	if (request->dispatch != NULL)
+		dns_dispatch_detach(&request->dispatch);
+	if (request->timer != NULL)
+		isc_timer_detach(&request->timer);
+	if (request->tsig != NULL)
+		isc_buffer_free(&request->tsig);
+	if (request->tsigkey != NULL)
+		dns_tsigkey_detach(&request->tsigkey);
+	if (request->requestmgr != NULL)
+		requestmgr_detach(&request->requestmgr);
+	mctx = request->mctx;
+	isc_mem_put(mctx, request, sizeof(*request));
+	isc_mem_detach(&mctx);
+}
+
+/*
+ * Stop the current request.  Must be called from the request's task.
+ */
+static void
+req_cancel(dns_request_t *request) {
+	isc_socket_t *sock;
+	unsigned int dispattr;
+
+	REQUIRE(VALID_REQUEST(request));
+
+	req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
+
+	/*
+	 * Lock held by caller.
+	 */
+	request->flags |= DNS_REQUEST_F_CANCELED;
+
+	if (request->timer != NULL)
+		isc_timer_detach(&request->timer);
+	dispattr = dns_dispatch_getattributes(request->dispatch);
+	sock = NULL;
+	if (DNS_REQUEST_CONNECTING(request) || DNS_REQUEST_SENDING(request)) {
+		if ((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0) {
+			if (request->dispentry != NULL) {
+				sock = dns_dispatch_getentrysocket(
+					request->dispentry);
+			}
+		} else
+			sock = dns_dispatch_getsocket(request->dispatch);
+		if (DNS_REQUEST_CONNECTING(request) && sock != NULL)
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_CONNECT);
+		if (DNS_REQUEST_SENDING(request) && sock != NULL)
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_SEND);
+	}
+	if (request->dispentry != NULL)
+		dns_dispatch_removeresponse(&request->dispentry, NULL);
+	dns_dispatch_detach(&request->dispatch);
+}
+
+static void
+req_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_REQUEST, level, fmt, ap);
+	va_end(ap);
+}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
new file mode 100644
index 0000000..0abf4de
--- /dev/null
+++ b/lib/dns/resolver.c
@@ -0,0 +1,10327 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/counter.h>
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#ifdef AES_CC
+#include <isc/aes.h>
+#else
+#include <isc/hmacsha.h>
+#endif
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dnstap.h>
+#include <dns/ds.h>
+#include <dns/edns.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/opcode.h>
+#include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+#include <dns/stats.h>
+#include <dns/tsig.h>
+#include <dns/validator.h>
+
+#ifdef WANT_QUERYTRACE
+#define RTRACE(m)       isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "res %p: %s", res, (m))
+#define RRTRACE(r, m)   isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "res %p: %s", (r), (m))
+#define FCTXTRACE(m) \
+			isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fctx %p(%s): %s", \
+				      fctx, fctx->info, (m))
+#define FCTXTRACE2(m1, m2) \
+			isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fctx %p(%s): %s %s", \
+				      fctx, fctx->info, (m1), (m2))
+#define FCTXTRACE3(m, res) \
+			isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fctx %p(%s): [result: %s] %s", \
+				      fctx, fctx->info, \
+				      isc_result_totext(res), (m))
+#define FCTXTRACE4(m1, m2, res) \
+			isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fctx %p(%s): [result: %s] %s %s", \
+				      fctx, fctx->info, \
+				      isc_result_totext(res), (m1), (m2))
+#define FCTXTRACE5(m1, m2, v) \
+			isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fctx %p(%s): %s %s%u", \
+				      fctx, fctx->info, (m1), (m2), (v))
+#define FTRACE(m)       isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "fetch %p (fctx %p(%s)): %s", \
+				      fetch, fetch->private, \
+				      fetch->private->info, (m))
+#define QTRACE(m)       isc_log_write(dns_lctx, \
+				      DNS_LOGCATEGORY_RESOLVER, \
+				      DNS_LOGMODULE_RESOLVER, \
+				      ISC_LOG_DEBUG(3), \
+				      "resquery %p (fctx %p(%s)): %s", \
+				      query, query->fctx, \
+				      query->fctx->info, (m))
+#else
+#define RTRACE(m) do { UNUSED(m); } while (0)
+#define RRTRACE(r, m) do { UNUSED(r); UNUSED(m); } while (0)
+#define FCTXTRACE(m) do { UNUSED(m); } while (0)
+#define FCTXTRACE2(m1, m2) do { UNUSED(m1); UNUSED(m2); } while (0)
+#define FCTXTRACE3(m1, res) do { UNUSED(m1); UNUSED(res); } while (0)
+#define FCTXTRACE4(m1, m2, res) \
+	do { UNUSED(m1); UNUSED(m2); UNUSED(res); } while (0)
+#define FCTXTRACE5(m1, m2, v) \
+	do { UNUSED(m1); UNUSED(m2); UNUSED(v); } while (0)
+#define FTRACE(m) do { UNUSED(m); } while (0)
+#define QTRACE(m) do { UNUSED(m); } while (0)
+#endif /* WANT_QUERYTRACE */
+
+#define US_PER_SEC 1000000U
+/*
+ * The maximum time we will wait for a single query.
+ */
+#define MAX_SINGLE_QUERY_TIMEOUT 9U
+#define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC)
+
+/*
+ * We need to allow a individual query time to complete / timeout.
+ */
+#define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
+
+/* The default time in seconds for the whole query to live. */
+#ifndef DEFAULT_QUERY_TIMEOUT
+#define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
+#endif
+
+/* The maximum time in seconds for the whole query to live. */
+#ifndef MAXIMUM_QUERY_TIMEOUT
+#define MAXIMUM_QUERY_TIMEOUT 30
+#endif
+
+/* The default maximum number of recursions to follow before giving up. */
+#ifndef DEFAULT_RECURSION_DEPTH
+#define DEFAULT_RECURSION_DEPTH 7
+#endif
+
+/* The default maximum number of iterative queries to allow before giving up. */
+#ifndef DEFAULT_MAX_QUERIES
+#define DEFAULT_MAX_QUERIES 75
+#endif
+
+/* Number of hash buckets for zone counters */
+#ifndef RES_DOMAIN_BUCKETS
+#define RES_DOMAIN_BUCKETS	523
+#endif
+#define RES_NOBUCKET		0xffffffff
+
+/*%
+ * Maximum EDNS0 input packet size.
+ */
+#define RECV_BUFFER_SIZE                4096            /* XXXRTH  Constant. */
+
+/*%
+ * This defines the maximum number of timeouts we will permit before we
+ * disable EDNS0 on the query.
+ */
+#define MAX_EDNS0_TIMEOUTS      3
+
+#define DNS_RESOLVER_BADCACHESIZE 1021
+#define DNS_RESOLVER_BADCACHETTL(fctx) \
+	(((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30)
+
+typedef struct fetchctx fetchctx_t;
+
+typedef struct query {
+	/* Locked by task event serialization. */
+	unsigned int			magic;
+	fetchctx_t *			fctx;
+	isc_mem_t *			mctx;
+	dns_dispatchmgr_t *		dispatchmgr;
+	dns_dispatch_t *		dispatch;
+	bool			exclusivesocket;
+	dns_adbaddrinfo_t *		addrinfo;
+	isc_socket_t *			tcpsocket;
+	isc_time_t			start;
+	dns_messageid_t			id;
+	dns_dispentry_t *		dispentry;
+	ISC_LINK(struct query)		link;
+	isc_buffer_t			buffer;
+	isc_buffer_t			*tsig;
+	dns_tsigkey_t			*tsigkey;
+	isc_socketevent_t		sendevent;
+	isc_dscp_t			dscp;
+	int 				ednsversion;
+	unsigned int			options;
+	unsigned int			attributes;
+	unsigned int			sends;
+	unsigned int			connects;
+	unsigned int			udpsize;
+	unsigned char			data[512];
+} resquery_t;
+
+struct tried {
+	isc_sockaddr_t			addr;
+	unsigned int			count;
+	ISC_LINK(struct tried)		link;
+};
+
+#define QUERY_MAGIC			ISC_MAGIC('Q', '!', '!', '!')
+#define VALID_QUERY(query)		ISC_MAGIC_VALID(query, QUERY_MAGIC)
+
+#define RESQUERY_ATTR_CANCELED          0x02
+
+#define RESQUERY_CONNECTING(q)          ((q)->connects > 0)
+#define RESQUERY_CANCELED(q)            (((q)->attributes & \
+					  RESQUERY_ATTR_CANCELED) != 0)
+#define RESQUERY_SENDING(q)             ((q)->sends > 0)
+
+typedef enum {
+	fetchstate_init = 0,            /*%< Start event has not run yet. */
+	fetchstate_active,
+	fetchstate_done                 /*%< FETCHDONE events posted. */
+} fetchstate;
+
+typedef enum {
+	badns_unreachable = 0,
+	badns_response,
+	badns_validation
+} badnstype_t;
+
+struct fetchctx {
+	/*% Not locked. */
+	unsigned int			magic;
+	dns_resolver_t *		res;
+	dns_name_t			name;
+	dns_rdatatype_t			type;
+	unsigned int			options;
+	unsigned int			bucketnum;
+	unsigned int			dbucketnum;
+	char *				info;
+	isc_mem_t *			mctx;
+
+	/*% Locked by appropriate bucket lock. */
+	fetchstate			state;
+	bool			want_shutdown;
+	bool			cloned;
+	bool			spilled;
+	unsigned int			references;
+	isc_event_t			control_event;
+	ISC_LINK(struct fetchctx)       link;
+	ISC_LIST(dns_fetchevent_t)      events;
+	/*% Locked by task event serialization. */
+	dns_name_t			domain;
+	dns_rdataset_t			nameservers;
+	unsigned int			attributes;
+	isc_timer_t *			timer;
+	isc_time_t			expires;
+	isc_interval_t			interval;
+	dns_message_t *			qmessage;
+	dns_message_t *			rmessage;
+	ISC_LIST(resquery_t)		queries;
+	dns_adbfindlist_t		finds;
+	dns_adbfind_t *			find;
+	dns_adbfindlist_t		altfinds;
+	dns_adbfind_t *			altfind;
+	dns_adbaddrinfolist_t		forwaddrs;
+	dns_adbaddrinfolist_t		altaddrs;
+	dns_forwarderlist_t		forwarders;
+	dns_fwdpolicy_t			fwdpolicy;
+	isc_sockaddrlist_t		bad;
+	ISC_LIST(struct tried)		edns;
+	ISC_LIST(struct tried)		edns512;
+	isc_sockaddrlist_t		bad_edns;
+	dns_validator_t *		validator;
+	ISC_LIST(dns_validator_t)       validators;
+	dns_db_t *			cache;
+	dns_adb_t *			adb;
+	bool			ns_ttl_ok;
+	uint32_t			ns_ttl;
+	isc_counter_t *			qc;
+
+	/*%
+	 * The number of events we're waiting for.
+	 */
+	unsigned int			pending;
+
+	/*%
+	 * The number of times we've "restarted" the current
+	 * nameserver set.  This acts as a failsafe to prevent
+	 * us from pounding constantly on a particular set of
+	 * servers that, for whatever reason, are not giving
+	 * us useful responses, but are responding in such a
+	 * way that they are not marked "bad".
+	 */
+	unsigned int			restarts;
+
+	/*%
+	 * The number of timeouts that have occurred since we
+	 * last successfully received a response packet.  This
+	 * is used for EDNS0 black hole detection.
+	 */
+	unsigned int			timeouts;
+
+	/*%
+	 * Look aside state for DS lookups.
+	 */
+	dns_name_t 			nsname;
+	dns_fetch_t *			nsfetch;
+	dns_rdataset_t			nsrrset;
+
+	/*%
+	 * Number of queries that reference this context.
+	 */
+	unsigned int			nqueries;
+
+	/*%
+	 * The reason to print when logging a successful
+	 * response to a query.
+	 */
+	const char *			reason;
+
+	/*%
+	 * Random numbers to use for mixing up server addresses.
+	 */
+	uint32_t                    rand_buf;
+	uint32_t                    rand_bits;
+
+	/*%
+	 * Fetch-local statistics for detailed logging.
+	 */
+	isc_result_t			result; /*%< fetch result  */
+	isc_result_t			vresult; /*%< validation result  */
+	int				exitline;
+	isc_time_t			start;
+	uint64_t			duration;
+	bool			logged;
+	unsigned int			querysent;
+	unsigned int			referrals;
+	unsigned int			lamecount;
+	unsigned int			quotacount;
+	unsigned int			neterr;
+	unsigned int			badresp;
+	unsigned int			adberr;
+	unsigned int			findfail;
+	unsigned int			valfail;
+	bool			timeout;
+	dns_adbaddrinfo_t 		*addrinfo;
+	isc_sockaddr_t			*client;
+	unsigned int			depth;
+};
+
+#define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
+#define VALID_FCTX(fctx)		ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
+
+#define FCTX_ATTR_HAVEANSWER            0x0001
+#define FCTX_ATTR_GLUING                0x0002
+#define FCTX_ATTR_ADDRWAIT              0x0004
+#define FCTX_ATTR_SHUTTINGDOWN          0x0008
+#define FCTX_ATTR_WANTCACHE             0x0010
+#define FCTX_ATTR_WANTNCACHE            0x0020
+#define FCTX_ATTR_NEEDEDNS0             0x0040
+#define FCTX_ATTR_TRIEDFIND             0x0080
+#define FCTX_ATTR_TRIEDALT              0x0100
+
+#define HAVE_ANSWER(f)          (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
+				 0)
+#define GLUING(f)               (((f)->attributes & FCTX_ATTR_GLUING) != \
+				 0)
+#define ADDRWAIT(f)             (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
+				 0)
+#define SHUTTINGDOWN(f)         (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
+				 != 0)
+#define WANTCACHE(f)            (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
+#define WANTNCACHE(f)           (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
+#define NEEDEDNS0(f)            (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
+#define TRIEDFIND(f)            (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
+#define TRIEDALT(f)             (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
+
+typedef struct {
+	dns_adbaddrinfo_t *		addrinfo;
+	fetchctx_t *			fctx;
+} dns_valarg_t;
+
+struct dns_fetch {
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	fetchctx_t *			private;
+};
+
+#define DNS_FETCH_MAGIC			ISC_MAGIC('F', 't', 'c', 'h')
+#define DNS_FETCH_VALID(fetch)		ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
+
+typedef struct fctxbucket {
+	isc_task_t *			task;
+	isc_mutex_t			lock;
+	ISC_LIST(fetchctx_t)		fctxs;
+	bool			exiting;
+	isc_mem_t *			mctx;
+} fctxbucket_t;
+
+typedef struct fctxcount fctxcount_t;
+struct fctxcount {
+	dns_fixedname_t			fdname;
+	dns_name_t			*domain;
+	uint32_t			count;
+	uint32_t			allowed;
+	uint32_t			dropped;
+	isc_stdtime_t			logged;
+	ISC_LINK(fctxcount_t)		link;
+};
+
+typedef struct zonebucket {
+	isc_mutex_t			lock;
+	isc_mem_t 			*mctx;
+	ISC_LIST(fctxcount_t)		list;
+} zonebucket_t;
+
+typedef struct alternate {
+	bool			isaddress;
+	union   {
+		isc_sockaddr_t		addr;
+		struct {
+			dns_name_t      name;
+			in_port_t       port;
+		} _n;
+	} _u;
+	ISC_LINK(struct alternate)      link;
+} alternate_t;
+
+struct dns_resolver {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	isc_mutex_t			lock;
+	isc_mutex_t			nlock;
+	isc_mutex_t			primelock;
+	dns_rdataclass_t		rdclass;
+	isc_socketmgr_t *		socketmgr;
+	isc_timermgr_t *		timermgr;
+	isc_taskmgr_t *			taskmgr;
+	dns_view_t *			view;
+	bool			frozen;
+	unsigned int			options;
+	dns_dispatchmgr_t *		dispatchmgr;
+	dns_dispatchset_t *		dispatches4;
+	bool			exclusivev4;
+	dns_dispatchset_t *		dispatches6;
+	isc_dscp_t			querydscp4;
+	isc_dscp_t			querydscp6;
+	bool			exclusivev6;
+	unsigned int			nbuckets;
+	fctxbucket_t *			buckets;
+	zonebucket_t *			dbuckets;
+	uint32_t			lame_ttl;
+	ISC_LIST(alternate_t)		alternates;
+	uint16_t			udpsize;
+#if USE_ALGLOCK
+	isc_rwlock_t			alglock;
+#endif
+	dns_rbt_t *			algorithms;
+	dns_rbt_t *			digests;
+#if USE_MBSLOCK
+	isc_rwlock_t			mbslock;
+#endif
+	dns_rbt_t *			mustbesecure;
+	unsigned int			spillatmax;
+	unsigned int			spillatmin;
+	isc_timer_t *			spillattimer;
+	bool			zero_no_soa_ttl;
+	unsigned int			query_timeout;
+	unsigned int			maxdepth;
+	unsigned int			maxqueries;
+	isc_result_t			quotaresp[2];
+
+	/* Locked by lock. */
+	unsigned int			references;
+	bool			exiting;
+	isc_eventlist_t			whenshutdown;
+	unsigned int			activebuckets;
+	bool			priming;
+	unsigned int			spillat;	/* clients-per-query */
+	unsigned int			zspill;		/* fetches-per-zone */
+
+	dns_badcache_t  * 		badcache;	 /* Bad cache. */
+
+	/* Locked by primelock. */
+	dns_fetch_t *			primefetch;
+	/* Locked by nlock. */
+	unsigned int			nfctx;
+};
+
+#define RES_MAGIC			ISC_MAGIC('R', 'e', 's', '!')
+#define VALID_RESOLVER(res)		ISC_MAGIC_VALID(res, RES_MAGIC)
+
+/*%
+ * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0
+ * (0x008) which we also use as an addrinfo flag.
+ */
+#define FCTX_ADDRINFO_MARK              0x00001
+#define FCTX_ADDRINFO_FORWARDER         0x01000
+#define FCTX_ADDRINFO_EDNSOK            0x04000
+#define FCTX_ADDRINFO_NOCOOKIE          0x08000
+#define FCTX_ADDRINFO_BADCOOKIE         0x10000
+
+#define UNMARKED(a)                     (((a)->flags & FCTX_ADDRINFO_MARK) \
+					 == 0)
+#define ISFORWARDER(a)                  (((a)->flags & \
+					 FCTX_ADDRINFO_FORWARDER) != 0)
+#define NOCOOKIE(a)                        (((a)->flags & \
+					 FCTX_ADDRINFO_NOCOOKIE) != 0)
+#define EDNSOK(a)                       (((a)->flags & \
+					 FCTX_ADDRINFO_EDNSOK) != 0)
+#define BADCOOKIE(a)                    (((a)->flags & \
+					 FCTX_ADDRINFO_BADCOOKIE) != 0)
+
+
+#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
+#ifdef ENABLE_AFL
+bool dns_fuzzing_resolver = false;
+void dns_resolver_setfuzzing() {
+	dns_fuzzing_resolver = true;
+}
+#endif
+
+static void destroy(dns_resolver_t *res);
+static void empty_bucket(dns_resolver_t *res);
+static isc_result_t resquery_send(resquery_t *query);
+static void resquery_response(isc_task_t *task, isc_event_t *event);
+static void resquery_connected(isc_task_t *task, isc_event_t *event);
+static void fctx_try(fetchctx_t *fctx, bool retrying,
+		     bool badcache);
+static void fctx_destroy(fetchctx_t *fctx);
+static bool fctx_unlink(fetchctx_t *fctx);
+static isc_result_t ncache_adderesult(dns_message_t *message,
+				      dns_db_t *cache, dns_dbnode_t *node,
+				      dns_rdatatype_t covers,
+				      isc_stdtime_t now, dns_ttl_t maxttl,
+				      bool optout,
+				      bool secure,
+				      dns_rdataset_t *ardataset,
+				      isc_result_t *eresultp);
+static void validated(isc_task_t *task, isc_event_t *event);
+static bool maybe_destroy(fetchctx_t *fctx, bool locked);
+static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+		    isc_result_t reason, badnstype_t badtype);
+static inline isc_result_t findnoqname(fetchctx_t *fctx, dns_name_t *name,
+				       dns_rdatatype_t type,
+				       dns_name_t **noqname);
+static void fctx_increference(fetchctx_t *fctx);
+static bool fctx_decreference(fetchctx_t *fctx);
+
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static inline void
+inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
+	if (res->view->resstats != NULL)
+		isc_stats_increment(res->view->resstats, counter);
+}
+
+static inline void
+dec_stats(dns_resolver_t *res, isc_statscounter_t counter) {
+	if (res->view->resstats != NULL)
+		isc_stats_decrement(res->view->resstats, counter);
+}
+
+static isc_result_t
+valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+	  dns_rdatatype_t type, dns_rdataset_t *rdataset,
+	  dns_rdataset_t *sigrdataset, unsigned int valoptions,
+	  isc_task_t *task)
+{
+	dns_validator_t *validator = NULL;
+	dns_valarg_t *valarg;
+	isc_result_t result;
+
+	valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
+	if (valarg == NULL)
+		return (ISC_R_NOMEMORY);
+
+	valarg->fctx = fctx;
+	valarg->addrinfo = addrinfo;
+
+	if (!ISC_LIST_EMPTY(fctx->validators))
+		valoptions |= DNS_VALIDATOR_DEFER;
+	else
+		valoptions &= ~DNS_VALIDATOR_DEFER;
+
+	result = dns_validator_create(fctx->res->view, name, type, rdataset,
+				      sigrdataset, fctx->rmessage,
+				      valoptions, task, validated, valarg,
+				      &validator);
+	if (result == ISC_R_SUCCESS) {
+		inc_stats(fctx->res, dns_resstatscounter_val);
+		if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
+			INSIST(fctx->validator == NULL);
+			fctx->validator = validator;
+		}
+		ISC_LIST_APPEND(fctx->validators, validator, link);
+	} else
+		isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
+	return (result);
+}
+
+static bool
+rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
+	dns_namereln_t namereln;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	int order;
+	isc_result_t result;
+	unsigned int labels;
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
+						&order, &labels);
+		if (namereln == dns_namereln_subdomain)
+			return (true);
+		dns_rdata_reset(&rdata);
+	}
+	return (false);
+}
+
+static bool
+fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
+	dns_name_t *name;
+	dns_name_t *domain = &fctx->domain;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+	isc_result_t result;
+	bool keep_auth = false;
+
+	if (message->rcode == dns_rcode_nxdomain)
+		return (false);
+
+	/*
+	 * A DS RRset can appear anywhere in a zone, even for a delegation-only
+	 * zone.  So a response to an explicit query for this type should be
+	 * excluded from delegation-only fixup.
+	 *
+	 * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
+	 * response to a query for these types can never violate the
+	 * delegation-only assumption: if the query name is below a
+	 * zone cut, the response should normally be a referral, which should
+	 * be accepted; if the query name is below a zone cut but the server
+	 * happens to have authority for the zone of the query name, the
+	 * response is a (non-referral) answer.  But this does not violate
+	 * delegation-only because the query name must be in a different zone
+	 * due to the "apex-only" nature of these types.  Note that if the
+	 * remote server happens to have authority for a child zone of a
+	 * delegation-only zone, we may still incorrectly "fix" the response
+	 * with NXDOMAIN for queries for other types.  Unfortunately it's
+	 * generally impossible to differentiate this case from violation of
+	 * the delegation-only assumption.  Once the resolver learns the
+	 * correct zone cut, possibly via a separate query for an "apex-only"
+	 * type, queries for other types will be resolved correctly.
+	 *
+	 * A query for type ANY will be accepted if it hits an exceptional
+	 * type above in the answer section as it should be from a child
+	 * zone.
+	 *
+	 * Also accept answers with RRSIG records from the child zone.
+	 * Direct queries for RRSIG records should not be answered from
+	 * the parent zone.
+	 */
+
+	if (message->counts[DNS_SECTION_ANSWER] != 0 &&
+	    (fctx->type == dns_rdatatype_ns ||
+	     fctx->type == dns_rdatatype_ds ||
+	     fctx->type == dns_rdatatype_soa ||
+	     fctx->type == dns_rdatatype_any ||
+	     fctx->type == dns_rdatatype_rrsig ||
+	     fctx->type == dns_rdatatype_dnskey)) {
+		result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(message, DNS_SECTION_ANSWER,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (!dns_name_equal(name, &fctx->name))
+					continue;
+				type = rdataset->type;
+				/*
+				 * RRsig from child?
+				 */
+				if (type == dns_rdatatype_rrsig &&
+				    rrsig_fromchildzone(fctx, rdataset))
+					return (false);
+				/*
+				 * Direct query for apex records or DS.
+				 */
+				if (fctx->type == type &&
+				    (type == dns_rdatatype_ds ||
+				     type == dns_rdatatype_ns ||
+				     type == dns_rdatatype_soa ||
+				     type == dns_rdatatype_dnskey))
+					return (false);
+				/*
+				 * Indirect query for apex records or DS.
+				 */
+				if (fctx->type == dns_rdatatype_any &&
+				    (type == dns_rdatatype_ns ||
+				     type == dns_rdatatype_ds ||
+				     type == dns_rdatatype_soa ||
+				     type == dns_rdatatype_dnskey))
+					return (false);
+			}
+			result = dns_message_nextname(message,
+						      DNS_SECTION_ANSWER);
+		}
+	}
+
+	/*
+	 * A NODATA response to a DS query?
+	 */
+	if (fctx->type == dns_rdatatype_ds &&
+	    message->counts[DNS_SECTION_ANSWER] == 0)
+		return (false);
+
+	/* Look for referral or indication of answer from child zone? */
+	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
+		goto munge;
+
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			type = rdataset->type;
+			if (type == dns_rdatatype_soa &&
+			    dns_name_equal(name, domain))
+				keep_auth = true;
+
+			if (type != dns_rdatatype_ns &&
+			    type != dns_rdatatype_soa &&
+			    type != dns_rdatatype_rrsig)
+				continue;
+
+			if (type == dns_rdatatype_rrsig) {
+				if (rrsig_fromchildzone(fctx, rdataset))
+					return (false);
+				else
+					continue;
+			}
+
+			/* NS or SOA records. */
+			if (dns_name_equal(name, domain)) {
+				/*
+				 * If a query for ANY causes a negative
+				 * response, we can be sure that this is
+				 * an empty node.  For other type of queries
+				 * we cannot differentiate an empty node
+				 * from a node that just doesn't have that
+				 * type of record.  We only accept the former
+				 * case.
+				 */
+				if (message->counts[DNS_SECTION_ANSWER] == 0 &&
+				    fctx->type == dns_rdatatype_any)
+					return (false);
+			} else if (dns_name_issubdomain(name, domain)) {
+				/* Referral or answer from child zone. */
+				return (false);
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+
+ munge:
+	message->rcode = dns_rcode_nxdomain;
+	message->counts[DNS_SECTION_ANSWER] = 0;
+	if (!keep_auth)
+		message->counts[DNS_SECTION_AUTHORITY] = 0;
+	message->counts[DNS_SECTION_ADDITIONAL] = 0;
+	return (true);
+}
+
+static inline isc_result_t
+fctx_starttimer(fetchctx_t *fctx) {
+	/*
+	 * Start the lifetime timer for fctx.
+	 *
+	 * This is also used for stopping the idle timer; in that
+	 * case we must purge events already posted to ensure that
+	 * no further idle events are delivered.
+	 */
+	return (isc_timer_reset(fctx->timer, isc_timertype_once,
+				&fctx->expires, NULL, true));
+}
+
+static inline void
+fctx_stoptimer(fetchctx_t *fctx) {
+	isc_result_t result;
+
+	/*
+	 * We don't return a result if resetting the timer to inactive fails
+	 * since there's nothing to be done about it.  Resetting to inactive
+	 * should never fail anyway, since the code as currently written
+	 * cannot fail in that case.
+	 */
+	result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
+				 NULL, NULL, true);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_timer_reset(): %s",
+				 isc_result_totext(result));
+	}
+}
+
+static inline isc_result_t
+fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
+	/*
+	 * Start the idle timer for fctx.  The lifetime timer continues
+	 * to be in effect.
+	 */
+	return (isc_timer_reset(fctx->timer, isc_timertype_once,
+				&fctx->expires, interval, false));
+}
+
+/*
+ * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
+ * we use fctx_stopidletimer for readability in the code below.
+ */
+#define fctx_stopidletimer      fctx_starttimer
+
+static inline void
+resquery_destroy(resquery_t **queryp) {
+	dns_resolver_t *res;
+	bool empty;
+	resquery_t *query;
+	fetchctx_t *fctx;
+	unsigned int bucket;
+
+	REQUIRE(queryp != NULL);
+	query = *queryp;
+	REQUIRE(!ISC_LINK_LINKED(query, link));
+
+	INSIST(query->tcpsocket == NULL);
+
+	fctx = query->fctx;
+	res = fctx->res;
+	bucket = fctx->bucketnum;
+
+	fctx->nqueries--;
+
+	LOCK(&res->buckets[bucket].lock);
+	empty = fctx_decreference(query->fctx);
+	UNLOCK(&res->buckets[bucket].lock);
+
+	query->magic = 0;
+	isc_mem_put(query->mctx, query, sizeof(*query));
+	*queryp = NULL;
+
+	if (empty)
+		empty_bucket(res);
+}
+
+static void
+fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
+		 isc_time_t *finish, bool no_response,
+		 bool age_untried)
+{
+	fetchctx_t *fctx;
+	resquery_t *query;
+	unsigned int rtt, rttms;
+	unsigned int factor;
+	dns_adbfind_t *find;
+	dns_adbaddrinfo_t *addrinfo;
+	isc_socket_t *sock;
+	isc_stdtime_t now;
+
+	query = *queryp;
+	fctx = query->fctx;
+
+	FCTXTRACE("cancelquery");
+
+	REQUIRE(!RESQUERY_CANCELED(query));
+
+	query->attributes |= RESQUERY_ATTR_CANCELED;
+
+	/*
+	 * Should we update the RTT?
+	 */
+	if (finish != NULL || no_response) {
+		if (finish != NULL) {
+			/*
+			 * We have both the start and finish times for this
+			 * packet, so we can compute a real RTT.
+			 */
+			rtt = (unsigned int)isc_time_microdiff(finish,
+							       &query->start);
+			factor = DNS_ADB_RTTADJDEFAULT;
+
+			rttms = rtt / 1000;
+			if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt0);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt1);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt2);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt3);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt4);
+			} else {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt5);
+			}
+		} else {
+			uint32_t value;
+			uint32_t mask;
+
+			if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
+				dns_adb_ednsto(fctx->adb, query->addrinfo,
+					       query->udpsize);
+			else
+				dns_adb_timeout(fctx->adb, query->addrinfo);
+
+			/*
+			 * We don't have an RTT for this query.  Maybe the
+			 * packet was lost, or maybe this server is very
+			 * slow.  We don't know.  Increase the RTT.
+			 */
+			INSIST(no_response);
+			isc_random_get(&value);
+			if (query->addrinfo->srtt > 800000)
+				mask = 0x3fff;
+			else if (query->addrinfo->srtt > 400000)
+				mask = 0x7fff;
+			else if (query->addrinfo->srtt > 200000)
+				mask = 0xffff;
+			else if (query->addrinfo->srtt > 100000)
+				mask = 0x1ffff;
+			else if (query->addrinfo->srtt > 50000)
+				mask = 0x3ffff;
+			else if (query->addrinfo->srtt > 25000)
+				mask = 0x7ffff;
+			else
+				mask = 0xfffff;
+
+			/*
+			 * Don't adjust timeout on EDNS queries unless we have
+			 * seen a EDNS response.
+			 */
+			if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
+			    !EDNSOK(query->addrinfo)) {
+				mask >>= 2;
+			}
+
+			rtt = query->addrinfo->srtt + (value & mask);
+			if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US)
+				rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
+
+			/*
+			 * Replace the current RTT with our value.
+			 */
+			factor = DNS_ADB_RTTADJREPLACE;
+		}
+
+		dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
+	}
+	dns_adb_endudpfetch(fctx->adb, query->addrinfo);
+
+	/*
+	 * Age RTTs of servers not tried.
+	 */
+	isc_stdtime_get(&now);
+	if (finish != NULL || age_untried)
+		for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			if (UNMARKED(addrinfo))
+				dns_adb_agesrtt(fctx->adb, addrinfo, now);
+
+	if ((finish != NULL || age_untried) && TRIEDFIND(fctx))
+		for (find = ISC_LIST_HEAD(fctx->finds);
+		     find != NULL;
+		     find = ISC_LIST_NEXT(find, publink))
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+				if (UNMARKED(addrinfo))
+					dns_adb_agesrtt(fctx->adb, addrinfo,
+							now);
+
+	if ((finish != NULL || age_untried) && TRIEDALT(fctx)) {
+		for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+			if (UNMARKED(addrinfo))
+				dns_adb_agesrtt(fctx->adb, addrinfo, now);
+		for (find = ISC_LIST_HEAD(fctx->altfinds);
+		     find != NULL;
+		     find = ISC_LIST_NEXT(find, publink))
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+				if (UNMARKED(addrinfo))
+					dns_adb_agesrtt(fctx->adb, addrinfo,
+							now);
+	}
+
+	/*
+	 * Check for any outstanding socket events.  If they exist, cancel
+	 * them and let the event handlers finish the cleanup.  The resolver
+	 * only needs to worry about managing the connect and send events;
+	 * the dispatcher manages the recv events.
+	 */
+	if (RESQUERY_CONNECTING(query)) {
+		/*
+		 * Cancel the connect.
+		 */
+		if (query->tcpsocket != NULL) {
+			isc_socket_cancel(query->tcpsocket, NULL,
+					  ISC_SOCKCANCEL_CONNECT);
+		} else if (query->dispentry != NULL) {
+			INSIST(query->exclusivesocket);
+			sock = dns_dispatch_getentrysocket(query->dispentry);
+			if (sock != NULL)
+				isc_socket_cancel(sock, NULL,
+						  ISC_SOCKCANCEL_CONNECT);
+		}
+	} else if (RESQUERY_SENDING(query)) {
+		/*
+		 * Cancel the pending send.
+		 */
+		if (query->exclusivesocket && query->dispentry != NULL)
+			sock = dns_dispatch_getentrysocket(query->dispentry);
+		else
+			sock = dns_dispatch_getsocket(query->dispatch);
+		if (sock != NULL)
+			isc_socket_cancel(sock, NULL, ISC_SOCKCANCEL_SEND);
+	}
+
+	if (query->dispentry != NULL)
+		dns_dispatch_removeresponse(&query->dispentry, deventp);
+
+	ISC_LIST_UNLINK(fctx->queries, query, link);
+
+	if (query->tsig != NULL)
+		isc_buffer_free(&query->tsig);
+
+	if (query->tsigkey != NULL)
+		dns_tsigkey_detach(&query->tsigkey);
+
+	if (query->dispatch != NULL)
+		dns_dispatch_detach(&query->dispatch);
+
+	if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
+		/*
+		 * It's safe to destroy the query now.
+		 */
+		resquery_destroy(&query);
+}
+
+static void
+fctx_cancelqueries(fetchctx_t *fctx, bool no_response,
+		   bool age_untried)
+{
+	resquery_t *query, *next_query;
+
+	FCTXTRACE("cancelqueries");
+
+	for (query = ISC_LIST_HEAD(fctx->queries);
+	     query != NULL;
+	     query = next_query) {
+		next_query = ISC_LIST_NEXT(query, link);
+		fctx_cancelquery(&query, NULL, NULL, no_response,
+				 age_untried);
+	}
+}
+
+static void
+fctx_cleanupfinds(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *next_find;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (find = ISC_LIST_HEAD(fctx->finds);
+	     find != NULL;
+	     find = next_find)
+	{
+		next_find = ISC_LIST_NEXT(find, publink);
+		ISC_LIST_UNLINK(fctx->finds, find, publink);
+		dns_adb_destroyfind(&find);
+	}
+	fctx->find = NULL;
+}
+
+static void
+fctx_cleanupaltfinds(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *next_find;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (find = ISC_LIST_HEAD(fctx->altfinds);
+	     find != NULL;
+	     find = next_find)
+	{
+		next_find = ISC_LIST_NEXT(find, publink);
+		ISC_LIST_UNLINK(fctx->altfinds, find, publink);
+		dns_adb_destroyfind(&find);
+	}
+	fctx->altfind = NULL;
+}
+
+static void
+fctx_cleanupforwaddrs(fetchctx_t *fctx) {
+	dns_adbaddrinfo_t *addr, *next_addr;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
+	     addr != NULL;
+	     addr = next_addr)
+	{
+		next_addr = ISC_LIST_NEXT(addr, publink);
+		ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
+		dns_adb_freeaddrinfo(fctx->adb, &addr);
+	}
+}
+
+static void
+fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+	dns_adbaddrinfo_t *addr, *next_addr;
+
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+	for (addr = ISC_LIST_HEAD(fctx->altaddrs);
+	     addr != NULL;
+	     addr = next_addr)
+	{
+		next_addr = ISC_LIST_NEXT(addr, publink);
+		ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
+		dns_adb_freeaddrinfo(fctx->adb, &addr);
+	}
+}
+
+static inline void
+fctx_stopqueries(fetchctx_t *fctx, bool no_response,
+		 bool age_untried)
+{
+	FCTXTRACE("stopqueries");
+	fctx_cancelqueries(fctx, no_response, age_untried);
+	fctx_stoptimer(fctx);
+}
+
+static inline void
+fctx_cleanupall(fetchctx_t *fctx) {
+	fctx_cleanupfinds(fctx);
+	fctx_cleanupaltfinds(fctx);
+	fctx_cleanupforwaddrs(fctx);
+	fctx_cleanupaltaddrs(fctx);
+}
+
+static void
+fcount_logspill(fetchctx_t *fctx, fctxcount_t *counter) {
+	char dbuf[DNS_NAME_FORMATSIZE];
+	isc_stdtime_t now;
+
+	if (! isc_log_wouldlog(dns_lctx, ISC_LOG_INFO))
+		return;
+
+	isc_stdtime_get(&now);
+	if (counter->logged > now - 60)
+		return;
+
+	dns_name_format(&fctx->domain, dbuf, sizeof(dbuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_SPILL,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "too many simultaneous fetches for %s "
+		      "(allowed %d spilled %d)",
+		      dbuf, counter->allowed, counter->dropped);
+
+	counter->logged = now;
+}
+
+static isc_result_t
+fcount_incr(fetchctx_t *fctx, bool force) {
+	isc_result_t result = ISC_R_SUCCESS;
+	zonebucket_t *dbucket;
+	fctxcount_t *counter;
+	unsigned int bucketnum, spill;
+
+	REQUIRE(fctx != NULL);
+	REQUIRE(fctx->res != NULL);
+
+	INSIST(fctx->dbucketnum == RES_NOBUCKET);
+	bucketnum = dns_name_fullhash(&fctx->domain, false)
+			% RES_DOMAIN_BUCKETS;
+
+	LOCK(&fctx->res->lock);
+	spill = fctx->res->zspill;
+	UNLOCK(&fctx->res->lock);
+
+	dbucket = &fctx->res->dbuckets[bucketnum];
+
+	LOCK(&dbucket->lock);
+	for (counter = ISC_LIST_HEAD(dbucket->list);
+	     counter != NULL;
+	     counter = ISC_LIST_NEXT(counter, link))
+	{
+		if (dns_name_equal(counter->domain, &fctx->domain))
+			break;
+	}
+
+	if (counter == NULL) {
+		counter = isc_mem_get(dbucket->mctx, sizeof(fctxcount_t));
+		if (counter == NULL)
+			result = ISC_R_NOMEMORY;
+		else {
+			ISC_LINK_INIT(counter, link);
+			counter->count = 1;
+			counter->logged = 0;
+			counter->allowed = 1;
+			counter->dropped = 0;
+			counter->domain =
+				dns_fixedname_initname(&counter->fdname);
+			dns_name_copy(&fctx->domain, counter->domain, NULL);
+			ISC_LIST_APPEND(dbucket->list, counter, link);
+		}
+	} else {
+		if (!force && spill != 0 && counter->count >= spill) {
+			counter->dropped++;
+			fcount_logspill(fctx, counter);
+			result = ISC_R_QUOTA;
+		} else {
+			counter->count++;
+			counter->allowed++;
+		}
+	}
+	UNLOCK(&dbucket->lock);
+
+	if (result == ISC_R_SUCCESS)
+		fctx->dbucketnum = bucketnum;
+
+	return (result);
+}
+
+static void
+fcount_decr(fetchctx_t *fctx) {
+	zonebucket_t *dbucket;
+	fctxcount_t *counter;
+
+	REQUIRE(fctx != NULL);
+
+	if (fctx->dbucketnum == RES_NOBUCKET)
+		return;
+
+	dbucket = &fctx->res->dbuckets[fctx->dbucketnum];
+
+	LOCK(&dbucket->lock);
+	for (counter = ISC_LIST_HEAD(dbucket->list);
+	     counter != NULL;
+	     counter = ISC_LIST_NEXT(counter, link))
+	{
+		if (dns_name_equal(counter->domain, &fctx->domain))
+			break;
+	}
+
+	if (counter != NULL) {
+		INSIST(counter->count != 0);
+		counter->count--;
+		fctx->dbucketnum = RES_NOBUCKET;
+
+		if (counter->count == 0) {
+			ISC_LIST_UNLINK(dbucket->list, counter, link);
+			isc_mem_put(dbucket->mctx, counter, sizeof(*counter));
+		}
+	}
+
+	UNLOCK(&dbucket->lock);
+}
+
+static inline void
+fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
+	dns_fetchevent_t *event, *next_event;
+	isc_task_t *task;
+	unsigned int count = 0;
+	isc_interval_t i;
+	bool logit = false;
+	isc_time_t now;
+	unsigned int old_spillat;
+	unsigned int new_spillat = 0;	/* initialized to silence
+					   compiler warnings */
+
+	/*
+	 * Caller must be holding the appropriate bucket lock.
+	 */
+	REQUIRE(fctx->state == fetchstate_done);
+
+	FCTXTRACE("sendevents");
+
+	/*
+	 * Keep some record of fetch result for logging later (if required).
+	 */
+	fctx->result = result;
+	fctx->exitline = line;
+	TIME_NOW(&now);
+	fctx->duration = isc_time_microdiff(&now, &fctx->start);
+
+	for (event = ISC_LIST_HEAD(fctx->events);
+	     event != NULL;
+	     event = next_event) {
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(fctx->events, event, ev_link);
+		task = event->ev_sender;
+		event->ev_sender = fctx;
+		event->vresult = fctx->vresult;
+		if (!HAVE_ANSWER(fctx))
+			event->result = result;
+
+		INSIST(event->result != ISC_R_SUCCESS ||
+		       dns_rdataset_isassociated(event->rdataset) ||
+		       fctx->type == dns_rdatatype_any ||
+		       fctx->type == dns_rdatatype_rrsig ||
+		       fctx->type == dns_rdatatype_sig);
+
+		/*
+		 * Negative results must be indicated in event->result.
+		 */
+		if (dns_rdataset_isassociated(event->rdataset) &&
+		    NEGATIVE(event->rdataset)) {
+			INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
+			       event->result == DNS_R_NCACHENXRRSET);
+		}
+
+		isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+		count++;
+	}
+
+	if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
+	    fctx->spilled &&
+	    (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
+		LOCK(&fctx->res->lock);
+		if (count == fctx->res->spillat && !fctx->res->exiting) {
+			old_spillat = fctx->res->spillat;
+			fctx->res->spillat += 5;
+			if (fctx->res->spillat > fctx->res->spillatmax &&
+			    fctx->res->spillatmax != 0)
+				fctx->res->spillat = fctx->res->spillatmax;
+			new_spillat = fctx->res->spillat;
+			if (new_spillat != old_spillat) {
+				logit = true;
+			}
+			isc_interval_set(&i, 20 * 60, 0);
+			result = isc_timer_reset(fctx->res->spillattimer,
+						 isc_timertype_ticker, NULL,
+						 &i, true);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+		UNLOCK(&fctx->res->lock);
+		if (logit)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "clients-per-query increased to %u",
+				      new_spillat);
+	}
+}
+
+static inline void
+log_edns(fetchctx_t *fctx) {
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	if (fctx->reason == NULL)
+		return;
+
+	/*
+	 * We do not know if fctx->domain is the actual domain the record
+	 * lives in or a parent domain so we have a '?' after it.
+	 */
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "success resolving '%s' (in '%s'?) after %s",
+		      fctx->info, domainbuf, fctx->reason);
+
+	fctx->reason = NULL;
+}
+
+static void
+fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
+	dns_resolver_t *res;
+	bool no_response = false;
+	bool age_untried = false;
+
+	REQUIRE(line >= 0);
+
+	FCTXTRACE("done");
+
+	res = fctx->res;
+
+	if (result == ISC_R_SUCCESS) {
+		/*%
+		 * Log any deferred EDNS timeout messages.
+		 */
+		log_edns(fctx);
+		no_response = true;
+	} else if (result == ISC_R_TIMEDOUT)
+		age_untried = true;
+
+	fctx->reason = NULL;
+
+	fctx_stopqueries(fctx, no_response, age_untried);
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	fctx->state = fetchstate_done;
+	fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+	fctx_sendevents(fctx, result, line);
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+static void
+process_sendevent(resquery_t *query, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	bool destroy_query = false;
+	bool retry = false;
+	isc_result_t result;
+	fetchctx_t *fctx;
+
+	fctx = query->fctx;
+
+	if (RESQUERY_CANCELED(query)) {
+		if (query->sends == 0 && query->connects == 0) {
+			/*
+			 * This query was canceled while the
+			 * isc_socket_sendto/connect() was in progress.
+			 */
+			if (query->tcpsocket != NULL)
+				isc_socket_detach(&query->tcpsocket);
+			destroy_query = true;
+		}
+	} else {
+		switch (sevent->result) {
+		case ISC_R_SUCCESS:
+			break;
+
+		case ISC_R_HOSTUNREACH:
+		case ISC_R_NETUNREACH:
+		case ISC_R_NOPERM:
+		case ISC_R_ADDRNOTAVAIL:
+		case ISC_R_CONNREFUSED:
+			FCTXTRACE3("query canceled in sendevent(): "
+				   "no route to host; no response",
+				   sevent->result);
+
+			/*
+			 * No route to remote.
+			 */
+			add_bad(fctx, query->addrinfo, sevent->result,
+				badns_unreachable);
+			fctx_cancelquery(&query, NULL, NULL, true,
+					 false);
+			retry = true;
+			break;
+
+		default:
+			FCTXTRACE3("query canceled in sendevent() due to "
+				   "unexpected event result; responding",
+				   sevent->result);
+
+			fctx_cancelquery(&query, NULL, NULL, false,
+					 false);
+			break;
+		}
+	}
+
+	if (event->ev_type == ISC_SOCKEVENT_CONNECT)
+		isc_event_free(&event);
+
+	if (retry) {
+		/*
+		 * Behave as if the idle timer has expired.  For TCP
+		 * this may not actually reflect the latest timer.
+		 */
+		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+		else
+			fctx_try(fctx, true, false);
+	}
+
+	if (destroy_query)
+		resquery_destroy(&query);
+}
+
+static void
+resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
+	resquery_t *query = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+
+	QTRACE("udpconnected");
+
+	UNUSED(task);
+
+	INSIST(RESQUERY_CONNECTING(query));
+
+	query->connects--;
+
+	process_sendevent(query, event);
+}
+
+static void
+resquery_senddone(isc_task_t *task, isc_event_t *event) {
+	resquery_t *query = event->ev_arg;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+	QTRACE("senddone");
+
+	/*
+	 * XXXRTH
+	 *
+	 * Currently we don't wait for the senddone event before retrying
+	 * a query.  This means that if we get really behind, we may end
+	 * up doing extra work!
+	 */
+
+	UNUSED(task);
+
+	INSIST(RESQUERY_SENDING(query));
+
+	query->sends--;
+
+	process_sendevent(query, event);
+}
+
+static inline isc_result_t
+fctx_addopt(dns_message_t *message, unsigned int version,
+	    uint16_t udpsize, dns_ednsopt_t *ednsopts, size_t count)
+{
+	dns_rdataset_t *rdataset = NULL;
+	isc_result_t result;
+
+	result = dns_message_buildopt(message, &rdataset, version, udpsize,
+				      DNS_MESSAGEEXTFLAG_DO, ednsopts, count);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (dns_message_setopt(message, rdataset));
+}
+
+static inline void
+fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
+	unsigned int seconds;
+	unsigned int us;
+
+	/*
+	 * We retry every .8 seconds the first two times through the address
+	 * list, and then we do exponential back-off.
+	 */
+	if (fctx->restarts < 3)
+		us = 800000;
+	else
+		us = (800000 << (fctx->restarts - 2));
+
+	/*
+	 * Add a fudge factor to the expected rtt based on the current
+	 * estimate.
+	 */
+	if (rtt < 50000)
+		rtt += 50000;
+	else if (rtt < 100000)
+		rtt += 100000;
+	else
+		rtt += 200000;
+
+	/*
+	 * Always wait for at least the expected rtt.
+	 */
+	if (us < rtt)
+		us = rtt;
+
+	/*
+	 * But don't ever wait for more than 10 seconds.
+	 */
+	if (us > MAX_SINGLE_QUERY_TIMEOUT_US)
+		us = MAX_SINGLE_QUERY_TIMEOUT_US;
+
+	seconds = us / US_PER_SEC;
+	us -= seconds * US_PER_SEC;
+	isc_interval_set(&fctx->interval, seconds, us * 1000);
+}
+
+static isc_result_t
+fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+	   unsigned int options)
+{
+	dns_resolver_t *res;
+	isc_task_t *task;
+	isc_result_t result;
+	resquery_t *query;
+	isc_sockaddr_t addr;
+	bool have_addr = false;
+	unsigned int srtt;
+	isc_dscp_t dscp = -1;
+
+	FCTXTRACE("query");
+
+	res = fctx->res;
+	task = res->buckets[fctx->bucketnum].task;
+
+	srtt = addrinfo->srtt;
+
+	/*
+	 * A forwarder needs to make multiple queries. Give it at least
+	 * a second to do these in.
+	 */
+	if (ISFORWARDER(addrinfo) && srtt < 1000000)
+		srtt = 1000000;
+
+	fctx_setretryinterval(fctx, srtt);
+	result = fctx_startidletimer(fctx, &fctx->interval);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	INSIST(ISC_LIST_EMPTY(fctx->validators));
+
+	dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+	query = isc_mem_get(fctx->mctx, sizeof(*query));
+	if (query == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto stop_idle_timer;
+	}
+	query->mctx = fctx->mctx;
+	query->options = options;
+	query->attributes = 0;
+	query->sends = 0;
+	query->connects = 0;
+	query->dscp = addrinfo->dscp;
+	query->udpsize = 0;
+	/*
+	 * Note that the caller MUST guarantee that 'addrinfo' will remain
+	 * valid until this query is canceled.
+	 */
+	query->addrinfo = addrinfo;
+	TIME_NOW(&query->start);
+
+	/*
+	 * If this is a TCP query, then we need to make a socket and
+	 * a dispatch for it here.  Otherwise we use the resolver's
+	 * shared dispatch.
+	 */
+	query->dispatchmgr = res->dispatchmgr;
+	query->dispatch = NULL;
+	query->exclusivesocket = false;
+	query->tcpsocket = NULL;
+	if (res->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		isc_netaddr_t dstip;
+		bool usetcp = false;
+		isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
+		result = dns_peerlist_peerbyaddr(res->view->peers,
+						 &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getquerysource(peer, &addr);
+			if (result == ISC_R_SUCCESS)
+				have_addr = true;
+			result = dns_peer_getquerydscp(peer, &dscp);
+			if (result == ISC_R_SUCCESS)
+				query->dscp = dscp;
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp)
+				query->options |= DNS_FETCHOPT_TCP;
+		}
+	}
+
+	dscp = -1;
+	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+		int pf;
+
+		pf = isc_sockaddr_pf(&addrinfo->sockaddr);
+		if (!have_addr) {
+			switch (pf) {
+			case PF_INET:
+				result = dns_dispatch_getlocaladdress(
+					      res->dispatches4->dispatches[0],
+					      &addr);
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case PF_INET6:
+				result = dns_dispatch_getlocaladdress(
+					      res->dispatches6->dispatches[0],
+					      &addr);
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				break;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_query;
+		}
+		isc_sockaddr_setport(&addr, 0);
+		if (query->dscp == -1)
+			query->dscp = dscp;
+
+		result = isc_socket_create(res->socketmgr, pf,
+					   isc_sockettype_tcp,
+					   &query->tcpsocket);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_query;
+
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+		result = isc_socket_bind(query->tcpsocket, &addr, 0);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_socket;
+#endif
+		/*
+		 * A dispatch will be created once the connect succeeds.
+		 */
+	} else {
+		if (have_addr) {
+			unsigned int attrs, attrmask;
+			attrs = DNS_DISPATCHATTR_UDP;
+			switch (isc_sockaddr_pf(&addr)) {
+			case AF_INET:
+				attrs |= DNS_DISPATCHATTR_IPV4;
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case AF_INET6:
+				attrs |= DNS_DISPATCHATTR_IPV6;
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
+			attrmask = DNS_DISPATCHATTR_UDP;
+			attrmask |= DNS_DISPATCHATTR_TCP;
+			attrmask |= DNS_DISPATCHATTR_IPV4;
+			attrmask |= DNS_DISPATCHATTR_IPV6;
+			result = dns_dispatch_getudp(res->dispatchmgr,
+						     res->socketmgr,
+						     res->taskmgr, &addr,
+						     4096, 20000, 32768, 16411,
+						     16433, attrs, attrmask,
+						     &query->dispatch);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_query;
+		} else {
+			switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
+			case PF_INET:
+				dns_dispatch_attach(
+				    dns_resolver_dispatchv4(res),
+				    &query->dispatch);
+				query->exclusivesocket = res->exclusivev4;
+				dscp = dns_resolver_getquerydscp4(fctx->res);
+				break;
+			case PF_INET6:
+				dns_dispatch_attach(
+				    dns_resolver_dispatchv6(res),
+				    &query->dispatch);
+				query->exclusivesocket = res->exclusivev6;
+				dscp = dns_resolver_getquerydscp6(fctx->res);
+				break;
+			default:
+				result = ISC_R_NOTIMPLEMENTED;
+				goto cleanup_query;
+			}
+		}
+
+		if (query->dscp == -1)
+			query->dscp = dscp;
+		/*
+		 * We should always have a valid dispatcher here.  If we
+		 * don't support a protocol family, then its dispatcher
+		 * will be NULL, but we shouldn't be finding addresses for
+		 * protocol types we don't support, so the dispatcher
+		 * we found should never be NULL.
+		 */
+		INSIST(query->dispatch != NULL);
+	}
+
+	query->dispentry = NULL;
+	query->fctx = fctx;	/* reference added by caller */
+	query->tsig = NULL;
+	query->tsigkey = NULL;
+	ISC_LINK_INIT(query, link);
+	query->magic = QUERY_MAGIC;
+
+	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+		/*
+		 * Connect to the remote server.
+		 *
+		 * XXXRTH  Should we attach to the socket?
+		 */
+		if (query->dscp != -1)
+			isc_socket_dscp(query->tcpsocket, query->dscp);
+		result = isc_socket_connect(query->tcpsocket,
+					    &addrinfo->sockaddr, task,
+					    resquery_connected, query);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_socket;
+		query->connects++;
+		QTRACE("connecting via TCP");
+	} else {
+		if (dns_adbentry_overquota(addrinfo->entry))
+			goto cleanup_dispatch;
+
+		/* Inform the ADB that we're starting a fetch */
+		dns_adb_beginudpfetch(fctx->adb, addrinfo);
+
+		result = resquery_send(query);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_dispatch;
+	}
+
+	fctx->querysent++;
+
+	ISC_LIST_APPEND(fctx->queries, query, link);
+	query->fctx->nqueries++;
+	if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET)
+		inc_stats(res, dns_resstatscounter_queryv4);
+	else
+		inc_stats(res, dns_resstatscounter_queryv6);
+	if (res->view->resquerystats != NULL)
+		dns_rdatatypestats_increment(res->view->resquerystats,
+					     fctx->type);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_socket:
+	isc_socket_detach(&query->tcpsocket);
+
+ cleanup_dispatch:
+	if (query->dispatch != NULL)
+		dns_dispatch_detach(&query->dispatch);
+
+ cleanup_query:
+	if (query->connects == 0) {
+		query->magic = 0;
+		isc_mem_put(fctx->mctx, query, sizeof(*query));
+	}
+
+ stop_idle_timer:
+	RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
+
+	return (result);
+}
+
+static bool
+bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
+	     sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link)) {
+		if (isc_sockaddr_equal(sa, address))
+			return (true);
+	}
+
+	return (false);
+}
+
+static void
+add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver)
+		return;
+#endif
+	if (bad_edns(fctx, address))
+		return;
+
+	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
+	if (sa == NULL)
+		return;
+
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
+}
+
+static struct tried *
+triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	for (tried = ISC_LIST_HEAD(fctx->edns);
+	     tried != NULL;
+	     tried = ISC_LIST_NEXT(tried, link)) {
+		if (isc_sockaddr_equal(&tried->addr, address))
+			return (tried);
+	}
+
+	return (NULL);
+}
+
+static void
+add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	tried = triededns(fctx, address);
+	if (tried != NULL) {
+		tried->count++;
+		return;
+	}
+
+	tried = isc_mem_get(fctx->mctx, sizeof(*tried));
+	if (tried == NULL)
+		return;
+
+	tried->addr = *address;
+	tried->count = 1;
+	ISC_LIST_INITANDAPPEND(fctx->edns, tried, link);
+}
+
+static struct tried *
+triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	for (tried = ISC_LIST_HEAD(fctx->edns512);
+	     tried != NULL;
+	     tried = ISC_LIST_NEXT(tried, link)) {
+		if (isc_sockaddr_equal(&tried->addr, address))
+			return (tried);
+	}
+
+	return (NULL);
+}
+
+static void
+add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	struct tried *tried;
+
+	tried = triededns512(fctx, address);
+	if (tried != NULL) {
+		tried->count++;
+		return;
+	}
+
+	tried = isc_mem_get(fctx->mctx, sizeof(*tried));
+	if (tried == NULL)
+		return;
+
+	tried->addr = *address;
+	tried->count = 1;
+	ISC_LIST_INITANDAPPEND(fctx->edns512, tried, link);
+}
+
+static void
+compute_cc(resquery_t *query, unsigned char *cookie, size_t len) {
+#ifdef AES_CC
+	unsigned char digest[ISC_AES_BLOCK_LENGTH];
+	unsigned char input[16];
+	isc_netaddr_t netaddr;
+	unsigned int i;
+
+	INSIST(len >= 8U);
+
+	isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
+	switch (netaddr.family) {
+	case AF_INET:
+		memmove(input, (unsigned char *)&netaddr.type.in, 4);
+		memset(input + 4, 0, 12);
+		break;
+	case AF_INET6:
+		memmove(input, (unsigned char *)&netaddr.type.in6, 16);
+		break;
+	}
+	isc_aes128_crypt(query->fctx->res->view->secret, input, digest);
+	for (i = 0; i < 8; i++)
+		digest[i] ^= digest[i + 8];
+	memmove(cookie, digest, 8);
+#endif
+#ifdef HMAC_SHA1_CC
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	isc_netaddr_t netaddr;
+	isc_hmacsha1_t hmacsha1;
+
+	INSIST(len >= 8U);
+
+	isc_hmacsha1_init(&hmacsha1, query->fctx->res->view->secret,
+			  ISC_SHA1_DIGESTLENGTH);
+	isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
+	switch (netaddr.family) {
+	case AF_INET:
+		isc_hmacsha1_update(&hmacsha1,
+				    (unsigned char *)&netaddr.type.in, 4);
+		break;
+	case AF_INET6:
+		isc_hmacsha1_update(&hmacsha1,
+				    (unsigned char *)&netaddr.type.in6, 16);
+		break;
+	}
+	isc_hmacsha1_sign(&hmacsha1, digest, sizeof(digest));
+	memmove(cookie, digest, 8);
+	isc_hmacsha1_invalidate(&hmacsha1);
+#endif
+#ifdef HMAC_SHA256_CC
+	unsigned char digest[ISC_SHA256_DIGESTLENGTH];
+	isc_netaddr_t netaddr;
+	isc_hmacsha256_t hmacsha256;
+
+	INSIST(len >= 8U);
+
+	isc_hmacsha256_init(&hmacsha256, query->fctx->res->view->secret,
+			    ISC_SHA256_DIGESTLENGTH);
+	isc_netaddr_fromsockaddr(&netaddr, &query->addrinfo->sockaddr);
+	switch (netaddr.family) {
+	case AF_INET:
+		isc_hmacsha256_update(&hmacsha256,
+				      (unsigned char *)&netaddr.type.in, 4);
+		break;
+	case AF_INET6:
+		isc_hmacsha256_update(&hmacsha256,
+				      (unsigned char *)&netaddr.type.in6, 16);
+		break;
+	}
+	isc_hmacsha256_sign(&hmacsha256, digest, sizeof(digest));
+	memmove(cookie, digest, 8);
+	isc_hmacsha256_invalidate(&hmacsha256);
+#endif
+}
+
+static isc_result_t
+issecuredomain(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	       isc_stdtime_t now, bool checknta,
+	       bool *issecure)
+{
+	dns_name_t suffix;
+	unsigned int labels;
+
+	/*
+	 * For DS variants we need to check fom the parent domain,
+	 * since there may be a negative trust anchor for the name,
+	 * while the enclosing domain where the DS record lives is
+	 * under a secure entry point.
+	 */
+	labels = dns_name_countlabels(name);
+	if (dns_rdatatype_atparent(type) && labels > 1) {
+		dns_name_init(&suffix, NULL);
+		dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+		name = &suffix;
+	}
+
+	return (dns_view_issecuredomain(view, name, now, checknta, issecure));
+}
+
+static bool
+wouldvalidate(fetchctx_t *fctx) {
+	bool secure_domain;
+	isc_result_t result;
+	isc_stdtime_t now;
+
+	if (!fctx->res->view->enablevalidation)
+		return (false);
+
+	if (fctx->res->view->dlv != NULL)
+		return (true);
+
+	isc_stdtime_get(&now);
+	result = dns_view_issecuredomain(fctx->res->view, &fctx->name,
+					 now, true, &secure_domain);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+	return (secure_domain);
+}
+
+static isc_result_t
+resquery_send(resquery_t *query) {
+	fetchctx_t *fctx;
+	isc_result_t result;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_region_t r;
+	dns_resolver_t *res;
+	isc_task_t *task;
+	isc_socket_t *sock;
+	isc_buffer_t tcpbuffer;
+	isc_sockaddr_t *address;
+	isc_buffer_t *buffer;
+	isc_netaddr_t ipaddr;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_peer_t *peer = NULL;
+	bool useedns;
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	bool secure_domain;
+	bool connecting = false;
+	bool tcp = (query->options & DNS_FETCHOPT_TCP);
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	unsigned ednsopt = 0;
+	uint16_t hint = 0, udpsize = 0;	/* No EDNS */
+#ifdef HAVE_DNSTAP
+	isc_sockaddr_t localaddr, *la = NULL;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	dns_dtmsgtype_t dtmsgtype;
+	isc_region_t zr;
+	isc_buffer_t zb;
+#endif /* HAVE_DNSTAP */
+
+	fctx = query->fctx;
+	QTRACE("send");
+
+	res = fctx->res;
+	task = res->buckets[fctx->bucketnum].task;
+	address = NULL;
+
+	if (tcp) {
+		/*
+		 * Reserve space for the TCP message length.
+		 */
+		isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
+		isc_buffer_init(&query->buffer, query->data + 2,
+				sizeof(query->data) - 2);
+		buffer = &tcpbuffer;
+	} else {
+		isc_buffer_init(&query->buffer, query->data,
+				sizeof(query->data));
+		buffer = &query->buffer;
+	}
+
+	result = dns_message_gettempname(fctx->qmessage, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_temps;
+	result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_temps;
+
+	/*
+	 * Get a query id from the dispatch.
+	 */
+	result = dns_dispatch_addresponse2(query->dispatch,
+					   &query->addrinfo->sockaddr,
+					   task,
+					   resquery_response,
+					   query,
+					   &query->id,
+					   &query->dispentry,
+					   res->socketmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_temps;
+
+	fctx->qmessage->opcode = dns_opcode_query;
+
+	/*
+	 * Set up question.
+	 */
+	dns_name_init(qname, NULL);
+	dns_name_clone(&fctx->name, qname);
+	dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
+	qname = NULL;
+	qrdataset = NULL;
+
+	/*
+	 * Set RD if the client has requested that we do a recursive query,
+	 * or if we're sending to a forwarder.
+	 */
+	if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
+	    ISFORWARDER(query->addrinfo))
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
+
+	/*
+	 * Set CD if the client says not to validate, or if the
+	 * question is under a secure entry point and this is a
+	 * recursive/forward query -- unless the client said not to.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+		/* Do nothing */
+		;
+	else if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0)
+		fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	else if (res->view->enablevalidation &&
+		 ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0))
+	{
+		bool checknta = !(query->options & DNS_FETCHOPT_NONTA);
+		result = issecuredomain(res->view, &fctx->name, fctx->type,
+					isc_time_seconds(&query->start),
+					checknta, &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			secure_domain = false;
+		if (res->view->dlv != NULL)
+			secure_domain = true;
+		if (secure_domain)
+			fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+	}
+
+	/*
+	 * We don't have to set opcode because it defaults to query.
+	 */
+	fctx->qmessage->id = query->id;
+
+	/*
+	 * Convert the question to wire format.
+	 */
+	result = dns_compress_init(&cctx, -1, fctx->res->mctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_message;
+	cleanup_cctx = true;
+
+	result = dns_message_renderbegin(fctx->qmessage, &cctx,
+					 &query->buffer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_message;
+
+	result = dns_message_rendersection(fctx->qmessage,
+					   DNS_SECTION_QUESTION, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_message;
+
+	peer = NULL;
+	isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
+	(void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
+
+	/*
+	 * The ADB does not know about servers with "edns no".  Check this,
+	 * and then inform the ADB for future use.
+	 */
+	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	    peer != NULL &&
+	    dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
+	    !useedns)
+	{
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0,
+				    DNS_FETCHOPT_NOEDNS0);
+	}
+
+	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
+	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+
+	/* See if response history indicates that EDNS is not supported. */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	    dns_adb_noedns(fctx->adb, query->addrinfo))
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+
+	if (fctx->timeout && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		isc_sockaddr_t *sockaddr = &query->addrinfo->sockaddr;
+		struct tried *tried;
+
+		if (fctx->timeouts > (MAX_EDNS0_TIMEOUTS * 2) &&
+		    (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			fctx->reason = "disabling EDNS";
+		} else if ((tried = triededns512(fctx, sockaddr)) != NULL &&
+		    tried->count >= 2U &&
+		    (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			fctx->reason = "disabling EDNS";
+		} else if ((tried = triededns(fctx, sockaddr)) != NULL) {
+			if (tried->count == 1U) {
+				hint = dns_adb_getudpsize(fctx->adb,
+							  query->addrinfo);
+			} else if (tried->count >= 2U) {
+				query->options |= DNS_FETCHOPT_EDNS512;
+				fctx->reason = "reducing the advertised EDNS "
+					       "UDP packet size to 512 octets";
+			}
+		}
+	}
+	fctx->timeout = false;
+
+	/*
+	 * Use EDNS0, unless the caller doesn't want it, or we know that
+	 * the remote server doesn't like it.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+			unsigned int version = DNS_EDNS_VERSION;
+			unsigned int flags = query->addrinfo->flags;
+			bool reqnsid = res->view->requestnsid;
+			bool sendcookie = res->view->sendcookie;
+			unsigned char cookie[64];
+
+			if ((flags & FCTX_ADDRINFO_EDNSOK) != 0 &&
+			    (query->options & DNS_FETCHOPT_EDNS512) == 0) {
+				udpsize = dns_adb_probesize2(fctx->adb,
+							     query->addrinfo,
+							     fctx->timeouts);
+				if (udpsize > res->udpsize)
+					udpsize = res->udpsize;
+			}
+
+			if (peer != NULL)
+				(void)dns_peer_getudpsize(peer, &udpsize);
+
+			if (udpsize == 0U && res->udpsize == 512U)
+				udpsize = 512;
+
+			/*
+			 * Was the size forced to 512 in the configuration?
+			 */
+			if (udpsize == 512U)
+			    query->options |= DNS_FETCHOPT_EDNS512;
+
+			/*
+			 * We have talked to this server before.
+			 */
+			if (hint != 0U)
+				udpsize = hint;
+
+			/*
+			 * We know nothing about the peer's capabilities
+			 * so start with minimal EDNS UDP size.
+			 */
+			if (udpsize == 0U)
+				udpsize = 512;
+
+			if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
+				version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
+				version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
+			}
+
+			/* Request NSID/COOKIE/VERSION for current peer? */
+			if (peer != NULL) {
+				uint8_t ednsversion;
+				(void) dns_peer_getrequestnsid(peer, &reqnsid);
+				(void) dns_peer_getsendcookie(peer,
+							      &sendcookie);
+				result = dns_peer_getednsversion(peer,
+								 &ednsversion);
+				if (result == ISC_R_SUCCESS &&
+				    ednsversion < version)
+					version = ednsversion;
+			}
+			if (NOCOOKIE(query->addrinfo))
+				sendcookie = false;
+			if (reqnsid) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_NSID;
+				ednsopts[ednsopt].length = 0;
+				ednsopts[ednsopt].value = NULL;
+				ednsopt++;
+			}
+#if DNS_EDNS_VERSION > 0
+			/*
+			 * Some EDNS(0) servers don't ignore unknown options
+			 * as it was not a explict requirement of RFC 2671.
+			 * Only send COOKIE to EDNS(1) servers.
+			 */
+			if (version < 1)
+				sendcookie = false;
+#endif
+			if (sendcookie) {
+				INSIST(ednsopt < DNS_EDNSOPTIONS);
+				ednsopts[ednsopt].code = DNS_OPT_COOKIE;
+				ednsopts[ednsopt].length = (uint16_t)
+					dns_adb_getcookie(fctx->adb,
+							  query->addrinfo,
+							  cookie,
+							  sizeof(cookie));
+				if (ednsopts[ednsopt].length != 0) {
+					ednsopts[ednsopt].value = cookie;
+					inc_stats(fctx->res,
+						dns_resstatscounter_cookieout);
+				} else {
+					compute_cc(query, cookie, 8);
+					ednsopts[ednsopt].value = cookie;
+					ednsopts[ednsopt].length = 8;
+					inc_stats(fctx->res,
+						dns_resstatscounter_cookienew);
+				}
+				ednsopt++;
+			}
+			query->ednsversion = version;
+			result = fctx_addopt(fctx->qmessage, version,
+					     udpsize, ednsopts, ednsopt);
+			if (reqnsid && result == ISC_R_SUCCESS) {
+				query->options |= DNS_FETCHOPT_WANTNSID;
+			} else if (result != ISC_R_SUCCESS) {
+				/*
+				 * We couldn't add the OPT, but we'll press on.
+				 * We're not using EDNS0, so set the NOEDNS0
+				 * bit.
+				 */
+				query->options |= DNS_FETCHOPT_NOEDNS0;
+				query->ednsversion = -1;
+				udpsize = 0;
+			}
+		} else {
+			/*
+			 * We know this server doesn't like EDNS0, so we
+			 * won't use it.  Set the NOEDNS0 bit since we're
+			 * not using EDNS0.
+			 */
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			query->ednsversion = -1;
+		}
+	} else
+		query->ednsversion = -1;
+
+	/*
+	 * Record the UDP EDNS size choosen.
+	 */
+	query->udpsize = udpsize;
+
+	/*
+	 * If we need EDNS0 to do this query and aren't using it, we lose.
+	 */
+	if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
+		result = DNS_R_SERVFAIL;
+		goto cleanup_message;
+	}
+
+	if (udpsize > 512U)
+		add_triededns(fctx, &query->addrinfo->sockaddr);
+
+	if (udpsize == 512U)
+		add_triededns512(fctx, &query->addrinfo->sockaddr);
+
+	/*
+	 * Clear CD if EDNS is not in use.
+	 */
+	if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
+		fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
+
+	/*
+	 * Add TSIG record tailored to the current recipient.
+	 */
+	result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto cleanup_message;
+
+	if (tsigkey != NULL) {
+		result = dns_message_settsigkey(fctx->qmessage, tsigkey);
+		dns_tsigkey_detach(&tsigkey);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_message;
+	}
+
+	result = dns_message_rendersection(fctx->qmessage,
+					   DNS_SECTION_ADDITIONAL, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_message;
+
+	result = dns_message_renderend(fctx->qmessage);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_message;
+
+#ifdef HAVE_DNSTAP
+	memset(&zr, 0, sizeof(zr));
+	isc_buffer_init(&zb, zone, sizeof(zone));
+	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+	result = dns_name_towire(&fctx->domain, &cctx, &zb);
+	if (result == ISC_R_SUCCESS)
+		isc_buffer_usedregion(&zb, &zr);
+#endif /* HAVE_DNSTAP */
+
+	dns_compress_invalidate(&cctx);
+	cleanup_cctx = false;
+
+	if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
+		dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
+				   &query->tsigkey);
+		result = dns_message_getquerytsig(fctx->qmessage,
+						  fctx->res->mctx,
+						  &query->tsig);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_message;
+	}
+
+	/*
+	 * If using TCP, write the length of the message at the beginning
+	 * of the buffer.
+	 */
+	if (tcp) {
+		isc_buffer_usedregion(&query->buffer, &r);
+		isc_buffer_putuint16(&tcpbuffer, (uint16_t)r.length);
+		isc_buffer_add(&tcpbuffer, r.length);
+	}
+
+	/*
+	 * Log the outgoing packet.
+	 */
+	dns_message_logfmtpacket2(fctx->qmessage, "sending packet to",
+				  &query->addrinfo->sockaddr,
+				  DNS_LOGCATEGORY_RESOLVER,
+				  DNS_LOGMODULE_PACKETS,
+				  &dns_master_style_comment,
+				  ISC_LOG_DEBUG(11),
+				  fctx->res->mctx);
+
+	/*
+	 * We're now done with the query message.
+	 */
+	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+	if (query->exclusivesocket)
+		sock = dns_dispatch_getentrysocket(query->dispentry);
+	else
+		sock = dns_dispatch_getsocket(query->dispatch);
+	/*
+	 * Send the query!
+	 */
+	if (!tcp) {
+		address = &query->addrinfo->sockaddr;
+		if (query->exclusivesocket) {
+			result = isc_socket_connect(sock, address, task,
+						    resquery_udpconnected,
+						    query);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_message;
+			connecting = true;
+			query->connects++;
+		}
+	}
+	isc_buffer_usedregion(buffer, &r);
+
+	/*
+	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
+	 *		prune out these addresses when we get them from the ADB.
+	 */
+	memset(&query->sendevent, 0, sizeof(query->sendevent));
+	ISC_EVENT_INIT(&query->sendevent, sizeof(query->sendevent), 0, NULL,
+		       ISC_SOCKEVENT_SENDDONE, resquery_senddone, query,
+		       NULL, NULL, NULL);
+
+	if (query->dscp == -1) {
+		query->sendevent.attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+		query->sendevent.dscp = 0;
+	} else {
+		query->sendevent.attributes |= ISC_SOCKEVENTATTR_DSCP;
+		query->sendevent.dscp = query->dscp;
+		if (tcp)
+			isc_socket_dscp(sock, query->dscp);
+	}
+
+	result = isc_socket_sendto2(sock, &r, task, address, NULL,
+				    &query->sendevent, 0);
+	if (result != ISC_R_SUCCESS) {
+		if (connecting) {
+			/*
+			 * This query is still connecting.
+			 * Mark it as canceled so that it will just be
+			 * cleaned up when the connected event is received.
+			 * Keep fctx around until the event is processed.
+			 */
+			query->fctx->nqueries++;
+			query->attributes |= RESQUERY_ATTR_CANCELED;
+		}
+		goto cleanup_message;
+	}
+
+	query->sends++;
+
+	QTRACE("sent");
+
+#ifdef HAVE_DNSTAP
+	/*
+	 * Log the outgoing query via dnstap.
+	 */
+	if ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0)
+		dtmsgtype = DNS_DTTYPE_FQ;
+	else
+		dtmsgtype = DNS_DTTYPE_RQ;
+
+	result = isc_socket_getsockname(sock, &localaddr);
+	if (result == ISC_R_SUCCESS)
+		la = &localaddr;
+
+	dns_dt_send(fctx->res->view, dtmsgtype, la, &query->addrinfo->sockaddr,
+		    tcp, &zr, &query->start, NULL, &query->buffer);
+#endif /* HAVE_DNSTAP */
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_message:
+	if (cleanup_cctx)
+		dns_compress_invalidate(&cctx);
+
+	dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+	/*
+	 * Stop the dispatcher from listening.
+	 */
+	dns_dispatch_removeresponse(&query->dispentry, NULL);
+
+ cleanup_temps:
+	if (qname != NULL)
+		dns_message_puttempname(fctx->qmessage, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
+
+	return (result);
+}
+
+static void
+resquery_connected(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	resquery_t *query = event->ev_arg;
+	bool retry = false;
+	isc_interval_t interval;
+	isc_result_t result;
+	unsigned int attrs;
+	fetchctx_t *fctx;
+
+	REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	REQUIRE(VALID_QUERY(query));
+
+	QTRACE("connected");
+
+	UNUSED(task);
+
+	/*
+	 * XXXRTH
+	 *
+	 * Currently we don't wait for the connect event before retrying
+	 * a query.  This means that if we get really behind, we may end
+	 * up doing extra work!
+	 */
+
+	query->connects--;
+	fctx = query->fctx;
+
+	if (RESQUERY_CANCELED(query)) {
+		/*
+		 * This query was canceled while the connect() was in
+		 * progress.
+		 */
+		isc_socket_detach(&query->tcpsocket);
+		resquery_destroy(&query);
+	} else {
+		switch (sevent->result) {
+		case ISC_R_SUCCESS:
+
+			/*
+			 * Extend the idle timer for TCP.  20 seconds
+			 * should be long enough for a TCP connection to be
+			 * established, a single DNS request to be sent,
+			 * and the response received.
+			 */
+			isc_interval_set(&interval, 20, 0);
+			result = fctx_startidletimer(query->fctx, &interval);
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE("query canceled: idle timer failed; "
+					  "responding");
+
+				fctx_cancelquery(&query, NULL, NULL, false,
+						 false);
+				fctx_done(fctx, result, __LINE__);
+				break;
+			}
+			/*
+			 * We are connected.  Create a dispatcher and
+			 * send the query.
+			 */
+			attrs = 0;
+			attrs |= DNS_DISPATCHATTR_TCP;
+			attrs |= DNS_DISPATCHATTR_PRIVATE;
+			attrs |= DNS_DISPATCHATTR_CONNECTED;
+			if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
+			    AF_INET)
+				attrs |= DNS_DISPATCHATTR_IPV4;
+			else
+				attrs |= DNS_DISPATCHATTR_IPV6;
+			attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+			result = dns_dispatch_createtcp(query->dispatchmgr,
+						     query->tcpsocket,
+						     query->fctx->res->taskmgr,
+						     4096, 2, 1, 1, 3, attrs,
+						     &query->dispatch);
+
+			/*
+			 * Regardless of whether dns_dispatch_create()
+			 * succeeded or not, we don't need our reference
+			 * to the socket anymore.
+			 */
+			isc_socket_detach(&query->tcpsocket);
+
+			if (result == ISC_R_SUCCESS)
+				result = resquery_send(query);
+
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE("query canceled: "
+					  "resquery_send() failed; responding");
+
+				fctx_cancelquery(&query, NULL, NULL, false, false);
+				fctx_done(fctx, result, __LINE__);
+			}
+			break;
+
+		case ISC_R_NETUNREACH:
+		case ISC_R_HOSTUNREACH:
+		case ISC_R_CONNREFUSED:
+		case ISC_R_NOPERM:
+		case ISC_R_ADDRNOTAVAIL:
+		case ISC_R_CONNECTIONRESET:
+			FCTXTRACE3("query canceled in connected(): "
+				   "no route to host; no response",
+				   sevent->result);
+
+			/*
+			 * No route to remote.
+			 */
+			isc_socket_detach(&query->tcpsocket);
+			fctx_cancelquery(&query, NULL, NULL, true, false);
+			retry = true;
+			break;
+
+		default:
+			FCTXTRACE3("query canceled in connected() due to "
+				   "unexpected event result; responding",
+				   sevent->result);
+
+			isc_socket_detach(&query->tcpsocket);
+			fctx_cancelquery(&query, NULL, NULL, false, false);
+			break;
+		}
+	}
+
+	isc_event_free(&event);
+
+	if (retry) {
+		/*
+		 * Behave as if the idle timer has expired.  For TCP
+		 * connections this may not actually reflect the latest timer.
+		 */
+		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+		else
+			fctx_try(fctx, true, false);
+	}
+}
+
+static void
+fctx_finddone(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx;
+	dns_adbfind_t *find;
+	dns_resolver_t *res;
+	bool want_try = false;
+	bool want_done = false;
+	bool bucket_empty = false;
+	unsigned int bucketnum;
+	bool dodestroy = false;
+
+	find = event->ev_sender;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	UNUSED(task);
+
+	FCTXTRACE("finddone");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	INSIST(fctx->pending > 0);
+	fctx->pending--;
+
+	if (ADDRWAIT(fctx)) {
+		/*
+		 * The fetch is waiting for a name to be found.
+		 */
+		INSIST(!SHUTTINGDOWN(fctx));
+		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+			fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+			want_try = true;
+		} else {
+			fctx->findfail++;
+			if (fctx->pending == 0) {
+				/*
+				 * We've got nothing else to wait for and don't
+				 * know the answer.  There's nothing to do but
+				 * fail the fctx.
+				 */
+				fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+				want_done = true;
+			}
+		}
+	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
+		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
+
+		if (fctx->references == 0) {
+			bucket_empty = fctx_unlink(fctx);
+			dodestroy = true;
+		}
+	}
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	isc_event_free(&event);
+	dns_adb_destroyfind(&find);
+
+	if (want_try) {
+		fctx_try(fctx, true, false);
+	} else if (want_done) {
+		FCTXTRACE("fetch failed in finddone(); return ISC_R_FAILURE");
+		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
+	} else if (dodestroy) {
+		fctx_destroy(fctx);
+		if (bucket_empty)
+			empty_bucket(res);
+	}
+}
+
+
+static inline bool
+bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
+	isc_sockaddr_t *sa;
+
+	for (sa = ISC_LIST_HEAD(fctx->bad);
+	     sa != NULL;
+	     sa = ISC_LIST_NEXT(sa, link)) {
+		if (isc_sockaddr_equal(sa, address))
+			return (true);
+	}
+
+	return (false);
+}
+
+static inline bool
+mark_bad(fetchctx_t *fctx) {
+	dns_adbfind_t *curr;
+	dns_adbaddrinfo_t *addrinfo;
+	bool all_bad = true;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver)
+		return false;
+#endif
+
+	/*
+	 * Mark all known bad servers, so we don't try to talk to them
+	 * again.
+	 */
+
+	/*
+	 * Mark any bad nameservers.
+	 */
+	for (curr = ISC_LIST_HEAD(fctx->finds);
+	     curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink)) {
+		for (addrinfo = ISC_LIST_HEAD(curr->list);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+			if (bad_server(fctx, &addrinfo->sockaddr))
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			else
+				all_bad = false;
+		}
+	}
+
+	/*
+	 * Mark any bad forwarders.
+	 */
+	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (bad_server(fctx, &addrinfo->sockaddr))
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+		else
+			all_bad = false;
+	}
+
+	/*
+	 * Mark any bad alternates.
+	 */
+	for (curr = ISC_LIST_HEAD(fctx->altfinds);
+	     curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink)) {
+		for (addrinfo = ISC_LIST_HEAD(curr->list);
+		     addrinfo != NULL;
+		     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+			if (bad_server(fctx, &addrinfo->sockaddr))
+				addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			else
+				all_bad = false;
+		}
+	}
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (bad_server(fctx, &addrinfo->sockaddr))
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+		else
+			all_bad = false;
+	}
+
+	return (all_bad);
+}
+
+static void
+add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
+	badnstype_t badtype)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	char code[64];
+	isc_buffer_t b;
+	isc_sockaddr_t *sa;
+	const char *spc = "";
+	isc_sockaddr_t *address = &addrinfo->sockaddr;
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver)
+		return;
+#endif
+
+	if (reason == DNS_R_LAME)
+		fctx->lamecount++;
+	else {
+		switch (badtype) {
+		case badns_unreachable:
+			fctx->neterr++;
+			break;
+		case badns_response:
+			fctx->badresp++;
+			break;
+		case badns_validation:
+			break;	/* counted as 'valfail' */
+		}
+	}
+
+	if (bad_server(fctx, address)) {
+		/*
+		 * We already know this server is bad.
+		 */
+		return;
+	}
+
+	FCTXTRACE("add_bad");
+
+	sa = isc_mem_get(fctx->mctx, sizeof(*sa));
+	if (sa == NULL)
+		return;
+	*sa = *address;
+	ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
+
+	if (reason == DNS_R_LAME)       /* already logged */
+		return;
+
+	if (reason == DNS_R_UNEXPECTEDRCODE &&
+	    fctx->rmessage->rcode == dns_rcode_servfail &&
+	    ISFORWARDER(addrinfo))
+		return;
+
+	if (reason == DNS_R_UNEXPECTEDRCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_rcode_totext(fctx->rmessage->rcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		spc = " ";
+	} else if (reason == DNS_R_UNEXPECTEDOPCODE) {
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		spc = " ";
+	} else {
+		code[0] = '\0';
+	}
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+	dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
+	isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "%s%s%s resolving '%s/%s/%s': %s",
+		      code, spc, dns_result_totext(reason),
+		      namebuf, typebuf, classbuf, addrbuf);
+}
+
+/*
+ * Sort addrinfo list by RTT.
+ */
+static void
+sort_adbfind(dns_adbfind_t *find, unsigned int bias) {
+	dns_adbaddrinfo_t *best, *curr;
+	dns_adbaddrinfolist_t sorted;
+	unsigned int best_srtt, curr_srtt;
+
+	/* Lame N^2 bubble sort. */
+	ISC_LIST_INIT(sorted);
+	while (!ISC_LIST_EMPTY(find->list)) {
+		best = ISC_LIST_HEAD(find->list);
+		best_srtt = best->srtt;
+		if (isc_sockaddr_pf(&best->sockaddr) != AF_INET6)
+			best_srtt += bias;
+		curr = ISC_LIST_NEXT(best, publink);
+		while (curr != NULL) {
+			curr_srtt = curr->srtt;
+			if (isc_sockaddr_pf(&curr->sockaddr) != AF_INET6)
+				curr_srtt += bias;
+			if (curr_srtt < best_srtt) {
+				best = curr;
+				best_srtt = curr_srtt;
+			}
+			curr = ISC_LIST_NEXT(curr, publink);
+		}
+		ISC_LIST_UNLINK(find->list, best, publink);
+		ISC_LIST_APPEND(sorted, best, publink);
+	}
+	find->list = sorted;
+}
+
+/*
+ * Sort a list of finds by server RTT.
+ */
+static void
+sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) {
+	dns_adbfind_t *best, *curr;
+	dns_adbfindlist_t sorted;
+	dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
+	unsigned int best_srtt, curr_srtt;
+
+	/* Sort each find's addrinfo list by SRTT. */
+	for (curr = ISC_LIST_HEAD(*findlist);
+	     curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink))
+		sort_adbfind(curr, bias);
+
+	/* Lame N^2 bubble sort. */
+	ISC_LIST_INIT(sorted);
+	while (!ISC_LIST_EMPTY(*findlist)) {
+		best = ISC_LIST_HEAD(*findlist);
+		bestaddrinfo = ISC_LIST_HEAD(best->list);
+		INSIST(bestaddrinfo != NULL);
+		best_srtt = bestaddrinfo->srtt;
+		if (isc_sockaddr_pf(&bestaddrinfo->sockaddr) != AF_INET6)
+			best_srtt += bias;
+		curr = ISC_LIST_NEXT(best, publink);
+		while (curr != NULL) {
+			addrinfo = ISC_LIST_HEAD(curr->list);
+			INSIST(addrinfo != NULL);
+			curr_srtt = addrinfo->srtt;
+			if (isc_sockaddr_pf(&addrinfo->sockaddr) != AF_INET6)
+				curr_srtt += bias;
+			if (curr_srtt < best_srtt) {
+				best = curr;
+				best_srtt = curr_srtt;
+			}
+			curr = ISC_LIST_NEXT(curr, publink);
+		}
+		ISC_LIST_UNLINK(*findlist, best, publink);
+		ISC_LIST_APPEND(sorted, best, publink);
+	}
+	*findlist = sorted;
+}
+
+static void
+findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+	 unsigned int options, unsigned int flags, isc_stdtime_t now,
+	 bool *overquota, bool *need_alternate)
+{
+	dns_adbaddrinfo_t *ai;
+	dns_adbfind_t *find;
+	dns_resolver_t *res;
+	bool unshared;
+	isc_result_t result;
+
+	res = fctx->res;
+	unshared = (fctx->options & DNS_FETCHOPT_UNSHARED);
+	/*
+	 * If this name is a subdomain of the query domain, tell
+	 * the ADB to start looking using zone/hint data. This keeps us
+	 * from getting stuck if the nameserver is beneath the zone cut
+	 * and we don't know its address (e.g. because the A record has
+	 * expired).
+	 */
+	if (dns_name_issubdomain(name, &fctx->domain))
+		options |= DNS_ADBFIND_STARTATZONE;
+	options |= DNS_ADBFIND_GLUEOK;
+	options |= DNS_ADBFIND_HINTOK;
+
+	/*
+	 * See what we know about this address.
+	 */
+	find = NULL;
+	result = dns_adb_createfind2(fctx->adb,
+				     res->buckets[fctx->bucketnum].task,
+				     fctx_finddone, fctx, name,
+				     &fctx->name, fctx->type,
+				     options, now, NULL,
+				     res->view->dstport,
+				     fctx->depth + 1, fctx->qc, &find);
+	if (result != ISC_R_SUCCESS) {
+		if (result == DNS_R_ALIAS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			/*
+			 * XXXRTH  Follow the CNAME/DNAME chain?
+			 */
+			dns_adb_destroyfind(&find);
+			fctx->adberr++;
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_CNAME,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+				      "skipping nameserver '%s' because it "
+				      "is a CNAME, while resolving '%s'",
+				      namebuf, fctx->info);
+		}
+	} else if (!ISC_LIST_EMPTY(find->list)) {
+		/*
+		 * We have at least some of the addresses for the
+		 * name.
+		 */
+		INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
+		if (flags != 0 || port != 0) {
+			for (ai = ISC_LIST_HEAD(find->list);
+			     ai != NULL;
+			     ai = ISC_LIST_NEXT(ai, publink)) {
+				ai->flags |= flags;
+				if (port != 0)
+					isc_sockaddr_setport(&ai->sockaddr,
+							     port);
+			}
+		}
+		if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
+			ISC_LIST_APPEND(fctx->altfinds, find, publink);
+		else
+			ISC_LIST_APPEND(fctx->finds, find, publink);
+	} else {
+		/*
+		 * We don't know any of the addresses for this
+		 * name.
+		 */
+		if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+			/*
+			 * We're looking for them and will get an
+			 * event about it later.
+			 */
+			fctx->pending++;
+			/*
+			 * Bootstrap.
+			 */
+			if (need_alternate != NULL &&
+			    !*need_alternate && unshared &&
+			    ((res->dispatches4 == NULL &&
+			      find->result_v6 != DNS_R_NXDOMAIN) ||
+			     (res->dispatches6 == NULL &&
+			      find->result_v4 != DNS_R_NXDOMAIN)))
+				*need_alternate = true;
+		} else {
+			if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) {
+				if (overquota != NULL)
+					*overquota = true;
+				fctx->quotacount++; /* quota exceeded */
+			}
+			else if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
+				fctx->lamecount++; /* cached lame server */
+			else
+				fctx->adberr++; /* unreachable server, etc. */
+
+			/*
+			 * If we know there are no addresses for
+			 * the family we are using then try to add
+			 * an alternative server.
+			 */
+			if (need_alternate != NULL && !*need_alternate &&
+			    ((res->dispatches4 == NULL &&
+			      find->result_v6 == DNS_R_NXRRSET) ||
+			     (res->dispatches6 == NULL &&
+			      find->result_v4 == DNS_R_NXRRSET)))
+				*need_alternate = true;
+			dns_adb_destroyfind(&find);
+		}
+	}
+}
+
+static bool
+isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) {
+	int order;
+	unsigned int nlabels;
+	dns_namereln_t namereln;
+
+	namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
+	return (namereln == dns_namereln_subdomain);
+}
+
+static isc_result_t
+fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_resolver_t *res;
+	isc_stdtime_t now;
+	unsigned int stdoptions = 0;
+	dns_forwarder_t *fwd;
+	dns_adbaddrinfo_t *ai;
+	bool all_bad;
+	dns_rdata_ns_t ns;
+	bool need_alternate = false;
+	bool all_spilled = true;
+
+	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+
+	/*
+	 * Don't pound on remote servers.  (Failsafe!)
+	 */
+	fctx->restarts++;
+	if (fctx->restarts > 100) {
+		FCTXTRACE("too many restarts");
+		return (DNS_R_SERVFAIL);
+	}
+
+	res = fctx->res;
+
+	if (fctx->depth > res->maxdepth) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "too much NS indirection resolving '%s' "
+			      "(depth=%u, maxdepth=%u)",
+			      fctx->info, fctx->depth, res->maxdepth);
+		return (DNS_R_SERVFAIL);
+	}
+
+	/*
+	 * Forwarders.
+	 */
+
+	INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
+	INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+
+	/*
+	 * If this fctx has forwarders, use them; otherwise use any
+	 * selective forwarders specified in the view; otherwise use the
+	 * resolver's forwarders (if any).
+	 */
+	fwd = ISC_LIST_HEAD(fctx->forwarders);
+	if (fwd == NULL) {
+		dns_forwarders_t *forwarders = NULL;
+		dns_name_t *name = &fctx->name;
+		dns_name_t suffix;
+		unsigned int labels;
+		dns_fixedname_t fixed;
+		dns_name_t *domain;
+
+		/*
+		 * DS records are found in the parent server.
+		 * Strip label to get the correct forwarder (if any).
+		 */
+		if (dns_rdatatype_atparent(fctx->type) &&
+		    dns_name_countlabels(name) > 1) {
+			dns_name_init(&suffix, NULL);
+			labels = dns_name_countlabels(name);
+			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+			name = &suffix;
+		}
+
+		domain = dns_fixedname_initname(&fixed);
+		result = dns_fwdtable_find2(res->view->fwdtable, name,
+					    domain, &forwarders);
+		if (result == ISC_R_SUCCESS) {
+			fwd = ISC_LIST_HEAD(forwarders->fwdrs);
+			fctx->fwdpolicy = forwarders->fwdpolicy;
+			if (fctx->fwdpolicy == dns_fwdpolicy_only &&
+			    isstrictsubdomain(domain, &fctx->domain)) {
+				fcount_decr(fctx);
+				dns_name_free(&fctx->domain, fctx->mctx);
+				dns_name_init(&fctx->domain, NULL);
+				result = dns_name_dup(domain, fctx->mctx,
+						      &fctx->domain);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				result = fcount_incr(fctx, true);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+			}
+		}
+	}
+
+	while (fwd != NULL) {
+		if ((isc_sockaddr_pf(&fwd->addr) == AF_INET &&
+		     res->dispatches4 == NULL) ||
+		    (isc_sockaddr_pf(&fwd->addr) == AF_INET6 &&
+		     res->dispatches6 == NULL))
+		{
+				fwd = ISC_LIST_NEXT(fwd, link);
+				continue;
+		}
+		ai = NULL;
+		result = dns_adb_findaddrinfo(fctx->adb, &fwd->addr, &ai, 0);
+		if (result == ISC_R_SUCCESS) {
+			dns_adbaddrinfo_t *cur;
+			ai->flags |= FCTX_ADDRINFO_FORWARDER;
+			ai->dscp = fwd->dscp;
+			cur = ISC_LIST_HEAD(fctx->forwaddrs);
+			while (cur != NULL && cur->srtt < ai->srtt)
+				cur = ISC_LIST_NEXT(cur, publink);
+			if (cur != NULL)
+				ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
+						      ai, publink);
+			else
+				ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
+		}
+		fwd = ISC_LIST_NEXT(fwd, link);
+	}
+
+	/*
+	 * If the forwarding policy is "only", we don't need the addresses
+	 * of the nameservers.
+	 */
+	if (fctx->fwdpolicy == dns_fwdpolicy_only)
+		goto out;
+
+	/*
+	 * Normal nameservers.
+	 */
+
+	stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
+	if (fctx->restarts == 1) {
+		/*
+		 * To avoid sending out a flood of queries likely to
+		 * result in NXRRSET, we suppress fetches for address
+		 * families we don't have the first time through,
+		 * provided that we have addresses in some family we
+		 * can use.
+		 *
+		 * We don't want to set this option all the time, since
+		 * if fctx->restarts > 1, we've clearly been having trouble
+		 * with the addresses we had, so getting more could help.
+		 */
+		stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
+	}
+	if (res->dispatches4 != NULL)
+		stdoptions |= DNS_ADBFIND_INET;
+	if (res->dispatches6 != NULL)
+		stdoptions |= DNS_ADBFIND_INET6;
+
+	if ((stdoptions & DNS_ADBFIND_ADDRESSMASK) == 0)
+		return (DNS_R_SERVFAIL);
+
+	isc_stdtime_get(&now);
+
+	INSIST(ISC_LIST_EMPTY(fctx->finds));
+	INSIST(ISC_LIST_EMPTY(fctx->altfinds));
+
+	for (result = dns_rdataset_first(&fctx->nameservers);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&fctx->nameservers))
+	{
+		bool overquota = false;
+
+		dns_rdataset_current(&fctx->nameservers, &rdata);
+		/*
+		 * Extract the name from the NS record.
+		 */
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		findname(fctx, &ns.name, 0, stdoptions, 0, now,
+			 &overquota, &need_alternate);
+
+		if (!overquota)
+			all_spilled = false;
+
+		dns_rdata_reset(&rdata);
+		dns_rdata_freestruct(&ns);
+	}
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+	/*
+	 * Do we need to use 6 to 4?
+	 */
+	if (need_alternate) {
+		int family;
+		alternate_t *a;
+		family = (res->dispatches6 != NULL) ? AF_INET6 : AF_INET;
+		for (a = ISC_LIST_HEAD(res->alternates);
+		     a != NULL;
+		     a = ISC_LIST_NEXT(a, link)) {
+			if (!a->isaddress) {
+				findname(fctx, &a->_u._n.name, a->_u._n.port,
+					 stdoptions, FCTX_ADDRINFO_FORWARDER,
+					 now, NULL, NULL);
+				continue;
+			}
+			if (isc_sockaddr_pf(&a->_u.addr) != family)
+				continue;
+			ai = NULL;
+			result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
+						      &ai, 0);
+			if (result == ISC_R_SUCCESS) {
+				dns_adbaddrinfo_t *cur;
+				ai->flags |= FCTX_ADDRINFO_FORWARDER;
+				cur = ISC_LIST_HEAD(fctx->altaddrs);
+				while (cur != NULL && cur->srtt < ai->srtt)
+					cur = ISC_LIST_NEXT(cur, publink);
+				if (cur != NULL)
+					ISC_LIST_INSERTBEFORE(fctx->altaddrs,
+							      cur, ai, publink);
+				else
+					ISC_LIST_APPEND(fctx->altaddrs, ai,
+							publink);
+			}
+		}
+	}
+
+ out:
+	/*
+	 * Mark all known bad servers.
+	 */
+	all_bad = mark_bad(fctx);
+
+	/*
+	 * How are we doing?
+	 */
+	if (all_bad) {
+		/*
+		 * We've got no addresses.
+		 */
+		if (fctx->pending > 0) {
+			/*
+			 * We're fetching the addresses, but don't have any
+			 * yet.   Tell the caller to wait for an answer.
+			 */
+			result = DNS_R_WAIT;
+		} else {
+			isc_time_t expire;
+			isc_interval_t i;
+			/*
+			 * We've lost completely.  We don't know any
+			 * addresses, and the ADB has told us it can't get
+			 * them.
+			 */
+			FCTXTRACE("no addresses");
+			isc_interval_set(&i, DNS_RESOLVER_BADCACHETTL(fctx), 0);
+			result = isc_time_nowplusinterval(&expire, &i);
+			if (badcache &&
+			    (fctx->type == dns_rdatatype_dnskey ||
+			     fctx->type == dns_rdatatype_dlv ||
+			     fctx->type == dns_rdatatype_ds) &&
+			     result == ISC_R_SUCCESS)
+				dns_resolver_addbadcache(res, &fctx->name,
+							 fctx->type, &expire);
+
+			result = ISC_R_FAILURE;
+
+			/*
+			 * If all of the addresses found were over the
+			 * fetches-per-server quota, return the configured
+			 * response.
+			 */
+			if (all_spilled) {
+				result = res->quotaresp[dns_quotatype_server];
+				inc_stats(res, dns_resstatscounter_serverquota);
+			}
+		}
+	} else {
+		/*
+		 * We've found some addresses.  We might still be looking
+		 * for more addresses.
+		 */
+		sort_finds(&fctx->finds, res->view->v6bias);
+		sort_finds(&fctx->altfinds, 0);
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static inline void
+possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) {
+	isc_netaddr_t na;
+	char buf[ISC_NETADDR_FORMATSIZE];
+	isc_sockaddr_t *sa;
+	bool aborted = false;
+	bool bogus;
+	dns_acl_t *blackhole;
+	isc_netaddr_t ipaddr;
+	dns_peer_t *peer = NULL;
+	dns_resolver_t *res;
+	const char *msg = NULL;
+
+	sa = &addr->sockaddr;
+
+	res = fctx->res;
+	isc_netaddr_fromsockaddr(&ipaddr, sa);
+	blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
+	(void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
+
+	if (blackhole != NULL) {
+		int match;
+
+		if (dns_acl_match(&ipaddr, NULL, blackhole,
+				  &res->view->aclenv,
+				  &match, NULL) == ISC_R_SUCCESS &&
+		    match > 0)
+			aborted = true;
+	}
+
+	if (peer != NULL &&
+	    dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
+	    bogus)
+		aborted = true;
+
+	if (aborted) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring blackholed / bogus server: ";
+	} else if (isc_sockaddr_isnetzero(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring net zero address: ";
+	} else if (isc_sockaddr_ismulticast(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring multicast address: ";
+	} else if (isc_sockaddr_isexperimental(sa)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring experimental address: ";
+	} else if (sa->type.sa.sa_family != AF_INET6) {
+		return;
+	} else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring IPv6 mapped IPV4 address: ";
+	} else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
+		addr->flags |= FCTX_ADDRINFO_MARK;
+		msg = "ignoring IPv6 compatibility IPV4 address: ";
+	} else
+		return;
+
+	if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+		isc_netaddr_fromsockaddr(&na, sa);
+		isc_netaddr_format(&na, buf, sizeof(buf));
+		FCTXTRACE2(msg, buf);
+	}
+}
+
+static inline dns_adbaddrinfo_t *
+fctx_nextaddress(fetchctx_t *fctx) {
+	dns_adbfind_t *find, *start;
+	dns_adbaddrinfo_t *addrinfo;
+	dns_adbaddrinfo_t *faddrinfo;
+
+	/*
+	 * Return the next untried address, if any.
+	 */
+
+	/*
+	 * Find the first unmarked forwarder (if any).
+	 */
+	for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (!UNMARKED(addrinfo))
+			continue;
+		possibly_mark(fctx, addrinfo);
+		if (UNMARKED(addrinfo)) {
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			fctx->find = NULL;
+			return (addrinfo);
+		}
+	}
+
+	/*
+	 * No forwarders.  Move to the next find.
+	 */
+
+	fctx->attributes |= FCTX_ATTR_TRIEDFIND;
+
+	find = fctx->find;
+	if (find == NULL)
+		find = ISC_LIST_HEAD(fctx->finds);
+	else {
+		find = ISC_LIST_NEXT(find, publink);
+		if (find == NULL)
+			find = ISC_LIST_HEAD(fctx->finds);
+	}
+
+	/*
+	 * Find the first unmarked addrinfo.
+	 */
+	addrinfo = NULL;
+	if (find != NULL) {
+		start = find;
+		do {
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+				if (!UNMARKED(addrinfo))
+					continue;
+				possibly_mark(fctx, addrinfo);
+				if (UNMARKED(addrinfo)) {
+					addrinfo->flags |= FCTX_ADDRINFO_MARK;
+					break;
+				}
+			}
+			if (addrinfo != NULL)
+				break;
+			find = ISC_LIST_NEXT(find, publink);
+			if (find == NULL)
+				find = ISC_LIST_HEAD(fctx->finds);
+		} while (find != start);
+	}
+
+	fctx->find = find;
+	if (addrinfo != NULL)
+		return (addrinfo);
+
+	/*
+	 * No nameservers left.  Try alternates.
+	 */
+
+	fctx->attributes |= FCTX_ATTR_TRIEDALT;
+
+	find = fctx->altfind;
+	if (find == NULL)
+		find = ISC_LIST_HEAD(fctx->altfinds);
+	else {
+		find = ISC_LIST_NEXT(find, publink);
+		if (find == NULL)
+			find = ISC_LIST_HEAD(fctx->altfinds);
+	}
+
+	/*
+	 * Find the first unmarked addrinfo.
+	 */
+	addrinfo = NULL;
+	if (find != NULL) {
+		start = find;
+		do {
+			for (addrinfo = ISC_LIST_HEAD(find->list);
+			     addrinfo != NULL;
+			     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+				if (!UNMARKED(addrinfo))
+					continue;
+				possibly_mark(fctx, addrinfo);
+				if (UNMARKED(addrinfo)) {
+					addrinfo->flags |= FCTX_ADDRINFO_MARK;
+					break;
+				}
+			}
+			if (addrinfo != NULL)
+				break;
+			find = ISC_LIST_NEXT(find, publink);
+			if (find == NULL)
+				find = ISC_LIST_HEAD(fctx->altfinds);
+		} while (find != start);
+	}
+
+	faddrinfo = addrinfo;
+
+	/*
+	 * See if we have a better alternate server by address.
+	 */
+
+	for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+	     addrinfo != NULL;
+	     addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+		if (!UNMARKED(addrinfo))
+			continue;
+		possibly_mark(fctx, addrinfo);
+		if (UNMARKED(addrinfo) &&
+		    (faddrinfo == NULL ||
+		     addrinfo->srtt < faddrinfo->srtt)) {
+			if (faddrinfo != NULL)
+				faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
+			addrinfo->flags |= FCTX_ADDRINFO_MARK;
+			break;
+		}
+	}
+
+	if (addrinfo == NULL) {
+		addrinfo = faddrinfo;
+		fctx->altfind = find;
+	}
+
+	return (addrinfo);
+}
+
+static void
+fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) {
+	isc_result_t result;
+	dns_adbaddrinfo_t *addrinfo = NULL;
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+	bool bucket_empty;
+
+	FCTXTRACE5("try", "fctx->qc=", isc_counter_used(fctx->qc));
+
+	REQUIRE(!ADDRWAIT(fctx));
+
+	res = fctx->res;
+
+	/* We've already exceeded maximum query count */
+	if (isc_counter_used(fctx->qc) > res->maxqueries) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+			      "exceeded max queries resolving '%s' "
+			      "(querycount=%u, maxqueries=%u)",
+			      fctx->info,
+			      isc_counter_used(fctx->qc), res->maxqueries);
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
+	}
+
+	addrinfo = fctx_nextaddress(fctx);
+
+	/* Try to find an address that isn't over quota */
+	while (addrinfo != NULL && dns_adbentry_overquota(addrinfo->entry))
+		addrinfo = fctx_nextaddress(fctx);
+
+	if (addrinfo == NULL) {
+		/* We have no more addresses.  Start over. */
+		fctx_cancelqueries(fctx, true, false);
+		fctx_cleanupall(fctx);
+		result = fctx_getaddresses(fctx, badcache);
+		if (result == DNS_R_WAIT) {
+			/*
+			 * Sleep waiting for addresses.
+			 */
+			FCTXTRACE("addrwait");
+			fctx->attributes |= FCTX_ATTR_ADDRWAIT;
+			return;
+		} else if (result != ISC_R_SUCCESS) {
+			/*
+			 * Something bad happened.
+			 */
+			fctx_done(fctx, result, __LINE__);
+			return;
+		}
+
+		addrinfo = fctx_nextaddress(fctx);
+
+		while (addrinfo != NULL &&
+		       dns_adbentry_overquota(addrinfo->entry))
+			addrinfo = fctx_nextaddress(fctx);
+
+		/*
+		 * While we may have addresses from the ADB, they
+		 * might be bad ones.  In this case, return SERVFAIL.
+		 */
+		if (addrinfo == NULL) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+	}
+
+	if (dns_name_countlabels(&fctx->domain) > 2) {
+		result = isc_counter_increment(fctx->qc);
+		if (result != ISC_R_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+				      "exceeded max queries resolving '%s'",
+				      fctx->info);
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			return;
+		}
+	}
+
+	bucketnum = fctx->bucketnum;
+	fctx_increference(fctx);
+	result = fctx_query(fctx, addrinfo, fctx->options);
+	if (result != ISC_R_SUCCESS) {
+		fctx_done(fctx, result, __LINE__);
+		LOCK(&res->buckets[bucketnum].lock);
+		bucket_empty = fctx_decreference(fctx);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		if (bucket_empty)
+			empty_bucket(res);
+	} else if (retrying)
+		inc_stats(res, dns_resstatscounter_retry);
+}
+
+static bool
+fctx_unlink(fetchctx_t *fctx) {
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+
+	/*
+	 * Caller must be holding the bucket lock.
+	 */
+
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(fctx->state == fetchstate_done ||
+		fctx->state == fetchstate_init);
+	REQUIRE(ISC_LIST_EMPTY(fctx->events));
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
+	REQUIRE(fctx->pending == 0);
+	REQUIRE(fctx->references == 0);
+	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
+
+	FCTXTRACE("unlink");
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
+
+	LOCK(&res->nlock);
+	res->nfctx--;
+	UNLOCK(&res->nlock);
+	dec_stats(res, dns_resstatscounter_nfetch);
+
+	if (res->buckets[bucketnum].exiting &&
+	    ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
+		return (true);
+
+	return (false);
+}
+
+static void
+fctx_destroy(fetchctx_t *fctx) {
+	isc_sockaddr_t *sa, *next_sa;
+	struct tried *tried;
+
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(fctx->state == fetchstate_done ||
+		fctx->state == fetchstate_init);
+	REQUIRE(ISC_LIST_EMPTY(fctx->events));
+	REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+	REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+	REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
+	REQUIRE(fctx->pending == 0);
+	REQUIRE(fctx->references == 0);
+	REQUIRE(ISC_LIST_EMPTY(fctx->validators));
+	REQUIRE(!ISC_LINK_LINKED(fctx, link));
+
+	FCTXTRACE("destroy");
+
+	/*
+	 * Free bad.
+	 */
+	for (sa = ISC_LIST_HEAD(fctx->bad);
+	     sa != NULL;
+	     sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->bad, sa, link);
+		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
+	}
+
+	for (tried = ISC_LIST_HEAD(fctx->edns);
+	     tried != NULL;
+	     tried = ISC_LIST_HEAD(fctx->edns)) {
+		ISC_LIST_UNLINK(fctx->edns, tried, link);
+		isc_mem_put(fctx->mctx, tried, sizeof(*tried));
+	}
+
+	for (tried = ISC_LIST_HEAD(fctx->edns512);
+	     tried != NULL;
+	     tried = ISC_LIST_HEAD(fctx->edns512)) {
+		ISC_LIST_UNLINK(fctx->edns512, tried, link);
+		isc_mem_put(fctx->mctx, tried, sizeof(*tried));
+	}
+
+	for (sa = ISC_LIST_HEAD(fctx->bad_edns);
+	     sa != NULL;
+	     sa = next_sa) {
+		next_sa = ISC_LIST_NEXT(sa, link);
+		ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
+		isc_mem_put(fctx->mctx, sa, sizeof(*sa));
+	}
+
+	isc_counter_detach(&fctx->qc);
+	fcount_decr(fctx);
+	isc_timer_detach(&fctx->timer);
+	dns_message_destroy(&fctx->rmessage);
+	dns_message_destroy(&fctx->qmessage);
+	if (dns_name_countlabels(&fctx->domain) > 0)
+		dns_name_free(&fctx->domain, fctx->mctx);
+	if (dns_rdataset_isassociated(&fctx->nameservers))
+		dns_rdataset_disassociate(&fctx->nameservers);
+	dns_name_free(&fctx->name, fctx->mctx);
+	dns_db_detach(&fctx->cache);
+	dns_adb_detach(&fctx->adb);
+	isc_mem_free(fctx->mctx, fctx->info);
+	isc_mem_putanddetach(&fctx->mctx, fctx, sizeof(*fctx));
+}
+
+/*
+ * Fetch event handlers.
+ */
+
+static void
+fctx_timeout(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	isc_timerevent_t *tevent = (isc_timerevent_t *)event;
+	resquery_t *query;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	FCTXTRACE("timeout");
+
+	inc_stats(fctx->res, dns_resstatscounter_querytimeout);
+
+	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
+		fctx->reason = NULL;
+		fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
+	} else {
+		isc_result_t result;
+
+		fctx->timeouts++;
+		fctx->timeout = true;
+
+		/*
+		 * We could cancel the running queries here, or we could let
+		 * them keep going.  Since we normally use separate sockets for
+		 * different queries, we adopt the former approach to reduce
+		 * the number of open sockets: cancel the oldest query if it
+		 * expired after the query had started (this is usually the
+		 * case but is not always so, depending on the task schedule
+		 * timing).
+		 */
+		query = ISC_LIST_HEAD(fctx->queries);
+		if (query != NULL &&
+		    isc_time_compare(&tevent->due, &query->start) >= 0)
+		{
+			FCTXTRACE("query timed out; no response");
+			fctx_cancelquery(&query, NULL, NULL, true, false);
+		}
+		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+
+		/*
+		 * Our timer has triggered.  Reestablish the fctx lifetime
+		 * timer.
+		 */
+		result = fctx_starttimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+		else
+			/*
+			 * Keep trying.
+			 */
+			fctx_try(fctx, true, false);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+fctx_shutdown(fetchctx_t *fctx) {
+	isc_event_t *cevent;
+
+	/*
+	 * Start the shutdown process for fctx, if it isn't already underway.
+	 */
+
+	FCTXTRACE("shutdown");
+
+	/*
+	 * The caller must be holding the appropriate bucket lock.
+	 */
+
+	if (fctx->want_shutdown)
+		return;
+
+	fctx->want_shutdown = true;
+
+	/*
+	 * Unless we're still initializing (in which case the
+	 * control event is still outstanding), we need to post
+	 * the control event to tell the fetch we want it to
+	 * exit.
+	 */
+	if (fctx->state != fetchstate_init) {
+		cevent = &fctx->control_event;
+		isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
+			      &cevent);
+	}
+}
+
+static void
+fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	bool bucket_empty = false;
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+	dns_validator_t *validator;
+	bool dodestroy = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	FCTXTRACE("doshutdown");
+
+	/*
+	 * An fctx that is shutting down is no longer in ADDRWAIT mode.
+	 */
+	fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+
+	/*
+	 * Cancel all pending validators.  Note that this must be done
+	 * without the bucket lock held, since that could cause deadlock.
+	 */
+	validator = ISC_LIST_HEAD(fctx->validators);
+	while (validator != NULL) {
+		dns_validator_cancel(validator);
+		validator = ISC_LIST_NEXT(validator, link);
+	}
+
+	if (fctx->nsfetch != NULL)
+		dns_resolver_cancelfetch(fctx->nsfetch);
+
+	/*
+	 * Shut down anything still running on behalf of this
+	 * fetch, and clean up finds and addresses.  To avoid deadlock
+	 * with the ADB, we must do this before we lock the bucket lock.
+	 */
+	fctx_stopqueries(fctx, false, false);
+	fctx_cleanupall(fctx);
+
+	LOCK(&res->buckets[bucketnum].lock);
+
+	fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
+
+	INSIST(fctx->state == fetchstate_active ||
+	       fctx->state == fetchstate_done);
+	INSIST(fctx->want_shutdown);
+
+	if (fctx->state != fetchstate_done) {
+		fctx->state = fetchstate_done;
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
+	}
+
+	if (fctx->references == 0 && fctx->pending == 0 &&
+	    fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
+		bucket_empty = fctx_unlink(fctx);
+		dodestroy = true;
+	}
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (dodestroy) {
+		fctx_destroy(fctx);
+		if (bucket_empty)
+			empty_bucket(res);
+	}
+}
+
+static void
+fctx_start(isc_task_t *task, isc_event_t *event) {
+	fetchctx_t *fctx = event->ev_arg;
+	bool done = false, bucket_empty = false;
+	dns_resolver_t *res;
+	unsigned int bucketnum;
+	bool dodestroy = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	UNUSED(task);
+
+	res = fctx->res;
+	bucketnum = fctx->bucketnum;
+
+	FCTXTRACE("start");
+
+	LOCK(&res->buckets[bucketnum].lock);
+
+	INSIST(fctx->state == fetchstate_init);
+	if (fctx->want_shutdown) {
+		/*
+		 * We haven't started this fctx yet, and we've been requested
+		 * to shut it down.
+		 */
+		fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
+		fctx->state = fetchstate_done;
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
+		/*
+		 * Since we haven't started, we INSIST that we have no
+		 * pending ADB finds and no pending validations.
+		 */
+		INSIST(fctx->pending == 0);
+		INSIST(fctx->nqueries == 0);
+		INSIST(ISC_LIST_EMPTY(fctx->validators));
+		if (fctx->references == 0) {
+			/*
+			 * It's now safe to destroy this fctx.
+			 */
+			bucket_empty = fctx_unlink(fctx);
+			dodestroy = true;
+		}
+		done = true;
+	} else {
+		/*
+		 * Normal fctx startup.
+		 */
+		fctx->state = fetchstate_active;
+		/*
+		 * Reset the control event for later use in shutting down
+		 * the fctx.
+		 */
+		ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+			       DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
+			       NULL, NULL, NULL);
+	}
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (!done) {
+		isc_result_t result;
+
+		INSIST(!dodestroy);
+
+		/*
+		 * All is well.  Start working on the fetch.
+		 */
+		result = fctx_starttimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+		else
+			fctx_try(fctx, false, false);
+	} else if (dodestroy) {
+			fctx_destroy(fctx);
+		if (bucket_empty)
+			empty_bucket(res);
+	}
+}
+
+/*
+ * Fetch Creation, Joining, and Cancelation.
+ */
+
+static inline isc_result_t
+fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
+	  dns_messageid_t id, isc_taskaction_t action, void *arg,
+	  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+	  dns_fetch_t *fetch)
+{
+	isc_task_t *tclone;
+	dns_fetchevent_t *event;
+
+	FCTXTRACE("join");
+
+	/*
+	 * We store the task we're going to send this event to in the
+	 * sender field.  We'll make the fetch the sender when we actually
+	 * send the event.
+	 */
+	tclone = NULL;
+	isc_task_attach(task, &tclone);
+	event = (dns_fetchevent_t *)
+		isc_event_allocate(fctx->res->mctx, tclone, DNS_EVENT_FETCHDONE,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		isc_task_detach(&tclone);
+		return (ISC_R_NOMEMORY);
+	}
+	event->result = DNS_R_SERVFAIL;
+	event->qtype = fctx->type;
+	event->db = NULL;
+	event->node = NULL;
+	event->rdataset = rdataset;
+	event->sigrdataset = sigrdataset;
+	event->fetch = fetch;
+	event->client = client;
+	event->id = id;
+	dns_fixedname_init(&event->foundname);
+
+	/*
+	 * Make sure that we can store the sigrdataset in the
+	 * first event if it is needed by any of the events.
+	 */
+	if (event->sigrdataset != NULL)
+		ISC_LIST_PREPEND(fctx->events, event, ev_link);
+	else
+		ISC_LIST_APPEND(fctx->events, event, ev_link);
+	fctx->references++;
+	fctx->client = client;
+
+	fetch->magic = DNS_FETCH_MAGIC;
+	fetch->private = fctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+log_ns_ttl(fetchctx_t *fctx, const char *where) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
+		      "log_ns_ttl: fctx %p: %s: %s (in '%s'?): %u %u",
+		      fctx, where, namebuf, domainbuf,
+		      fctx->ns_ttl_ok, fctx->ns_ttl);
+}
+
+static isc_result_t
+fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+	    dns_name_t *domain, dns_rdataset_t *nameservers,
+	    unsigned int options, unsigned int bucketnum, unsigned int depth,
+	    isc_counter_t *qc, fetchctx_t **fctxp)
+{
+	fetchctx_t *fctx;
+	isc_result_t result;
+	isc_result_t iresult;
+	isc_interval_t interval;
+	dns_fixedname_t fixed;
+	unsigned int findoptions = 0;
+	char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	isc_mem_t *mctx;
+
+	/*
+	 * Caller must be holding the lock for bucket number 'bucketnum'.
+	 */
+	REQUIRE(fctxp != NULL && *fctxp == NULL);
+
+	mctx = res->buckets[bucketnum].mctx;
+	fctx = isc_mem_get(mctx, sizeof(*fctx));
+	if (fctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	fctx->qc = NULL;
+	if (qc != NULL) {
+		isc_counter_attach(qc, &fctx->qc);
+	} else {
+		result = isc_counter_create(res->mctx,
+					    res->maxqueries, &fctx->qc);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_fetch;
+	}
+
+	/*
+	 * Make fctx->info point to a copy of a formatted string
+	 * "name/type".
+	 */
+	dns_name_format(name, buf, sizeof(buf));
+	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+	strlcat(buf, "/", sizeof(buf));
+	strlcat(buf, typebuf, sizeof(buf));
+	fctx->info = isc_mem_strdup(mctx, buf);
+	if (fctx->info == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_counter;
+	}
+
+	FCTXTRACE("create");
+	dns_name_init(&fctx->name, NULL);
+	result = dns_name_dup(name, mctx, &fctx->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_info;
+	dns_name_init(&fctx->domain, NULL);
+	dns_rdataset_init(&fctx->nameservers);
+
+	fctx->type = type;
+	fctx->options = options;
+	/*
+	 * Note!  We do not attach to the task.  We are relying on the
+	 * resolver to ensure that this task doesn't go away while we are
+	 * using it.
+	 */
+	fctx->res = res;
+	fctx->references = 0;
+	fctx->bucketnum = bucketnum;
+	fctx->dbucketnum = RES_NOBUCKET;
+	fctx->state = fetchstate_init;
+	fctx->want_shutdown = false;
+	fctx->cloned = false;
+	fctx->depth = depth;
+	ISC_LIST_INIT(fctx->queries);
+	ISC_LIST_INIT(fctx->finds);
+	ISC_LIST_INIT(fctx->altfinds);
+	ISC_LIST_INIT(fctx->forwaddrs);
+	ISC_LIST_INIT(fctx->altaddrs);
+	ISC_LIST_INIT(fctx->forwarders);
+	fctx->fwdpolicy = dns_fwdpolicy_none;
+	ISC_LIST_INIT(fctx->bad);
+	ISC_LIST_INIT(fctx->edns);
+	ISC_LIST_INIT(fctx->edns512);
+	ISC_LIST_INIT(fctx->bad_edns);
+	ISC_LIST_INIT(fctx->validators);
+	fctx->validator = NULL;
+	fctx->find = NULL;
+	fctx->altfind = NULL;
+	fctx->pending = 0;
+	fctx->restarts = 0;
+	fctx->querysent = 0;
+	fctx->referrals = 0;
+	TIME_NOW(&fctx->start);
+	fctx->timeouts = 0;
+	fctx->lamecount = 0;
+	fctx->quotacount = 0;
+	fctx->adberr = 0;
+	fctx->neterr = 0;
+	fctx->badresp = 0;
+	fctx->findfail = 0;
+	fctx->valfail = 0;
+	fctx->result = ISC_R_FAILURE;
+	fctx->vresult = ISC_R_SUCCESS;
+	fctx->exitline = -1;	/* sentinel */
+	fctx->logged = false;
+	fctx->attributes = 0;
+	fctx->spilled = false;
+	fctx->nqueries = 0;
+	fctx->reason = NULL;
+	fctx->rand_buf = 0;
+	fctx->rand_bits = 0;
+	fctx->timeout = false;
+	fctx->addrinfo = NULL;
+	fctx->client = NULL;
+	fctx->ns_ttl = 0;
+	fctx->ns_ttl_ok = false;
+
+	dns_name_init(&fctx->nsname, NULL);
+	fctx->nsfetch = NULL;
+	dns_rdataset_init(&fctx->nsrrset);
+
+	if (domain == NULL) {
+		dns_forwarders_t *forwarders = NULL;
+		unsigned int labels;
+		dns_name_t *fwdname = name;
+		dns_name_t suffix;
+
+		/*
+		 * DS records are found in the parent server. Strip one
+		 * leading label from the name (to be used in finding
+		 * the forwarder).
+		 */
+		if (dns_rdatatype_atparent(fctx->type) &&
+		    dns_name_countlabels(name) > 1) {
+			dns_name_init(&suffix, NULL);
+			labels = dns_name_countlabels(name);
+			dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+			fwdname = &suffix;
+		}
+
+		/* Find the forwarder for this name. */
+		domain = dns_fixedname_initname(&fixed);
+		result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
+					    domain, &forwarders);
+		if (result == ISC_R_SUCCESS)
+			fctx->fwdpolicy = forwarders->fwdpolicy;
+
+		if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+			/*
+			 * The caller didn't supply a query domain and
+			 * nameservers, and we're not in forward-only mode,
+			 * so find the best nameservers to use.
+			 */
+			if (dns_rdatatype_atparent(fctx->type))
+				findoptions |= DNS_DBFIND_NOEXACT;
+			result = dns_view_findzonecut(res->view, name,
+						      domain, 0, findoptions,
+						      true,
+						      &fctx->nameservers,
+						      NULL);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_nameservers;
+
+			result = dns_name_dup(domain, mctx, &fctx->domain);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_nameservers;
+
+			fctx->ns_ttl = fctx->nameservers.ttl;
+			fctx->ns_ttl_ok = true;
+		} else {
+			/*
+			 * We're in forward-only mode.  Set the query domain.
+			 */
+			result = dns_name_dup(domain, mctx, &fctx->domain);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup_name;
+		}
+	} else {
+		result = dns_name_dup(domain, mctx, &fctx->domain);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_name;
+		dns_rdataset_clone(nameservers, &fctx->nameservers);
+		fctx->ns_ttl = fctx->nameservers.ttl;
+		fctx->ns_ttl_ok = true;
+	}
+
+	/*
+	 * Are there too many simultaneous queries for this domain?
+	 */
+	result = fcount_incr(fctx, false);
+	if (result != ISC_R_SUCCESS) {
+		result = fctx->res->quotaresp[dns_quotatype_zone];
+		inc_stats(res, dns_resstatscounter_zonequota);
+		goto cleanup_domain;
+	}
+
+	log_ns_ttl(fctx, "fctx_create");
+
+	INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
+
+	fctx->qmessage = NULL;
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+				    &fctx->qmessage);
+
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_fcount;
+
+	fctx->rmessage = NULL;
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+				    &fctx->rmessage);
+
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_qmessage;
+
+	/*
+	 * Compute an expiration time for the entire fetch.
+	 */
+	isc_interval_set(&interval, res->query_timeout, 0);
+	iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
+	if (iresult != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_time_nowplusinterval: %s",
+				 isc_result_totext(iresult));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_rmessage;
+	}
+
+	/*
+	 * Default retry interval initialization.  We set the interval now
+	 * mostly so it won't be uninitialized.  It will be set to the
+	 * correct value before a query is issued.
+	 */
+	isc_interval_set(&fctx->interval, 2, 0);
+
+	/*
+	 * Create an inactive timer.  It will be made active when the fetch
+	 * is actually started.
+	 */
+	fctx->timer = NULL;
+	iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
+				   NULL, NULL,
+				   res->buckets[bucketnum].task, fctx_timeout,
+				   fctx, &fctx->timer);
+	if (iresult != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_timer_create: %s",
+				 isc_result_totext(iresult));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_rmessage;
+	}
+
+	/*
+	 * Attach to the view's cache and adb.
+	 */
+	fctx->cache = NULL;
+	dns_db_attach(res->view->cachedb, &fctx->cache);
+	fctx->adb = NULL;
+	dns_adb_attach(res->view->adb, &fctx->adb);
+	fctx->mctx = NULL;
+	isc_mem_attach(mctx, &fctx->mctx);
+
+	ISC_LIST_INIT(fctx->events);
+	ISC_LINK_INIT(fctx, link);
+	fctx->magic = FCTX_MAGIC;
+
+	ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
+
+	LOCK(&res->nlock);
+	res->nfctx++;
+	UNLOCK(&res->nlock);
+	inc_stats(res, dns_resstatscounter_nfetch);
+
+	*fctxp = fctx;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_rmessage:
+	dns_message_destroy(&fctx->rmessage);
+
+ cleanup_qmessage:
+	dns_message_destroy(&fctx->qmessage);
+
+ cleanup_fcount:
+	fcount_decr(fctx);
+
+ cleanup_domain:
+	if (dns_name_countlabels(&fctx->domain) > 0)
+		dns_name_free(&fctx->domain, mctx);
+
+ cleanup_nameservers:
+	if (dns_rdataset_isassociated(&fctx->nameservers))
+		dns_rdataset_disassociate(&fctx->nameservers);
+
+ cleanup_name:
+	dns_name_free(&fctx->name, mctx);
+
+ cleanup_info:
+	isc_mem_free(mctx, fctx->info);
+
+ cleanup_counter:
+	isc_counter_detach(&fctx->qc);
+
+ cleanup_fetch:
+	isc_mem_put(mctx, fctx, sizeof(*fctx));
+
+	return (result);
+}
+
+/*
+ * Handle Responses
+ */
+static inline bool
+is_lame(fetchctx_t *fctx) {
+	dns_message_t *message = fctx->rmessage;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	if (message->rcode != dns_rcode_noerror &&
+	    message->rcode != dns_rcode_yxdomain &&
+	    message->rcode != dns_rcode_nxdomain)
+		return (false);
+
+	if (message->counts[DNS_SECTION_ANSWER] != 0)
+		return (false);
+
+	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
+		return (false);
+
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			dns_namereln_t namereln;
+			int order;
+			unsigned int labels;
+			if (rdataset->type != dns_rdatatype_ns)
+				continue;
+			namereln = dns_name_fullcompare(name, &fctx->domain,
+							&order, &labels);
+			if (namereln == dns_namereln_equal &&
+			    (message->flags & DNS_MESSAGEFLAG_AA) != 0)
+				return (false);
+			if (namereln == dns_namereln_subdomain)
+				return (false);
+			return (true);
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+
+	return (false);
+}
+
+static inline void
+log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char domainbuf[DNS_NAME_FORMATSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "lame server resolving '%s' (in '%s'?): %s",
+		      namebuf, domainbuf, addrbuf);
+}
+
+static inline void
+log_formerr(fetchctx_t *fctx, const char *format, ...) {
+	char nsbuf[ISC_SOCKADDR_FORMATSIZE];
+	char clbuf[ISC_SOCKADDR_FORMATSIZE];
+	const char *clmsg = "";
+	char msgbuf[2048];
+	va_list args;
+
+	va_start(args, format);
+	vsnprintf(msgbuf, sizeof(msgbuf), format, args);
+	va_end(args);
+
+	isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
+
+	if (fctx->client != NULL) {
+		clmsg = " for client ";
+		isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
+	} else {
+		clbuf[0] = '\0';
+	}
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+		      "DNS format error from %s resolving %s%s%s: %s",
+		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
+}
+
+static isc_result_t
+same_question(fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_message_t *message = fctx->rmessage;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+
+	/*
+	 * Caller must be holding the fctx lock.
+	 */
+
+	/*
+	 * XXXRTH  Currently we support only one question.
+	 */
+	if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] == 0)) {
+		if ((message->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			/*
+			 * If TC=1 and the question section is empty, we
+			 * accept the reply message as a truncated
+			 * answer, to be retried over TCP.
+			 *
+			 * It is really a FORMERR condition, but this is
+			 * a workaround to accept replies from some
+			 * implementations.
+			 *
+			 * Because the question section matching is not
+			 * performed, the worst that could happen is
+			 * that an attacker who gets past the ID and
+			 * source port checks can force the use of
+			 * TCP. This is considered an acceptable risk.
+			 */
+			log_formerr(fctx,
+				    "empty question section, "
+				    "accepting it anyway as TC=1");
+			return (ISC_R_SUCCESS);
+		} else {
+			log_formerr(fctx, "empty question section");
+			return (DNS_R_FORMERR);
+		}
+	} else if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] > 1)) {
+		log_formerr(fctx, "too many questions");
+		return (DNS_R_FORMERR);
+	}
+
+	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	name = NULL;
+	dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
+	rdataset = ISC_LIST_HEAD(name->list);
+	INSIST(rdataset != NULL);
+	INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+
+	if (fctx->type != rdataset->type ||
+	    fctx->res->rdclass != rdataset->rdclass ||
+	    !dns_name_equal(&fctx->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char classbuf[DNS_RDATACLASS_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdataclass_format(rdataset->rdclass, classbuf,
+				      sizeof(classbuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		log_formerr(fctx, "question section mismatch: got %s/%s/%s",
+			    namebuf, classbuf, typebuf);
+		return (DNS_R_FORMERR);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+clone_results(fetchctx_t *fctx) {
+	dns_fetchevent_t *event, *hevent;
+	isc_result_t result;
+	dns_name_t *name, *hname;
+
+	FCTXTRACE("clone_results");
+
+	/*
+	 * Set up any other events to have the same data as the first
+	 * event.
+	 *
+	 * Caller must be holding the appropriate lock.
+	 */
+
+	fctx->cloned = true;
+	hevent = ISC_LIST_HEAD(fctx->events);
+	if (hevent == NULL)
+		return;
+	hname = dns_fixedname_name(&hevent->foundname);
+	for (event = ISC_LIST_NEXT(hevent, ev_link);
+	     event != NULL;
+	     event = ISC_LIST_NEXT(event, ev_link)) {
+		name = dns_fixedname_name(&event->foundname);
+		result = dns_name_copy(hname, name, NULL);
+		if (result != ISC_R_SUCCESS)
+			event->result = result;
+		else
+			event->result = hevent->result;
+		dns_db_attach(hevent->db, &event->db);
+		dns_db_attachnode(hevent->db, hevent->node, &event->node);
+		INSIST(hevent->rdataset != NULL);
+		INSIST(event->rdataset != NULL);
+		if (dns_rdataset_isassociated(hevent->rdataset))
+			dns_rdataset_clone(hevent->rdataset, event->rdataset);
+		INSIST(! (hevent->sigrdataset == NULL &&
+			  event->sigrdataset != NULL));
+		if (hevent->sigrdataset != NULL &&
+		    dns_rdataset_isassociated(hevent->sigrdataset) &&
+		    event->sigrdataset != NULL)
+			dns_rdataset_clone(hevent->sigrdataset,
+					   event->sigrdataset);
+	}
+}
+
+#define CACHE(r)        (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
+#define ANSWER(r)       (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
+#define ANSWERSIG(r)    (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
+#define EXTERNAL(r)     (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
+#define CHAINING(r)     (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
+#define CHASE(r)        (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
+#define CHECKNAMES(r)   (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
+
+/*
+ * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
+ * no references and is no longer waiting for any events).
+ *
+ * Requires:
+ *      '*fctx' is shutting down.
+ *
+ * Returns:
+ *	true if the resolver is exiting and this is the last fctx in the bucket.
+ */
+static bool
+maybe_destroy(fetchctx_t *fctx, bool locked) {
+	unsigned int bucketnum;
+	bool bucket_empty = false;
+	dns_resolver_t *res = fctx->res;
+	dns_validator_t *validator, *next_validator;
+	bool dodestroy = false;
+
+	REQUIRE(SHUTTINGDOWN(fctx));
+
+	bucketnum = fctx->bucketnum;
+	if (!locked)
+		LOCK(&res->buckets[bucketnum].lock);
+	if (fctx->pending != 0 || fctx->nqueries != 0)
+		goto unlock;
+
+	for (validator = ISC_LIST_HEAD(fctx->validators);
+	     validator != NULL; validator = next_validator) {
+		next_validator = ISC_LIST_NEXT(validator, link);
+		dns_validator_cancel(validator);
+	}
+
+	if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) {
+		bucket_empty = fctx_unlink(fctx);
+		dodestroy = true;
+	}
+ unlock:
+	if (!locked)
+		UNLOCK(&res->buckets[bucketnum].lock);
+	if (dodestroy)
+		fctx_destroy(fctx);
+	return (bucket_empty);
+}
+
+/*
+ * The validator has finished.
+ */
+static void
+validated(isc_task_t *task, isc_event_t *event) {
+	dns_adbaddrinfo_t *addrinfo;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *nsnode = NULL;
+	dns_fetchevent_t *hevent;
+	dns_name_t *name;
+	dns_rdataset_t *ardataset = NULL;
+	dns_rdataset_t *asigrdataset = NULL;
+	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
+	dns_resolver_t *res;
+	dns_valarg_t *valarg;
+	dns_validatorevent_t *vevent;
+	fetchctx_t *fctx;
+	bool chaining;
+	bool negative;
+	bool sentresponse;
+	isc_result_t eresult = ISC_R_SUCCESS;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_stdtime_t now;
+	uint32_t ttl;
+	unsigned options;
+	uint32_t bucketnum;
+
+	UNUSED(task); /* for now */
+
+	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
+	valarg = event->ev_arg;
+	fctx = valarg->fctx;
+	res = fctx->res;
+	addrinfo = valarg->addrinfo;
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
+
+	vevent = (dns_validatorevent_t *)event;
+	fctx->vresult = vevent->result;
+
+	FCTXTRACE("received validation completion event");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
+	fctx->validator = NULL;
+
+	/*
+	 * Destroy the validator early so that we can
+	 * destroy the fctx if necessary.
+	 */
+	dns_validator_destroy(&vevent->validator);
+	isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
+
+	negative = (vevent->rdataset == NULL);
+
+	sentresponse = (fctx->options & DNS_FETCHOPT_NOVALIDATE);
+
+	/*
+	 * If shutting down, ignore the results.  Check to see if we're
+	 * done waiting for validator completions and ADB pending events; if
+	 * so, destroy the fctx.
+	 */
+	if (SHUTTINGDOWN(fctx) && !sentresponse) {
+		bool bucket_empty;
+		bucket_empty = maybe_destroy(fctx, true);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		if (bucket_empty)
+			empty_bucket(res);
+		goto cleanup_event;
+	}
+
+	isc_stdtime_get(&now);
+
+	/*
+	 * If chaining, we need to make sure that the right result code is
+	 * returned, and that the rdatasets are bound.
+	 */
+	if (vevent->result == ISC_R_SUCCESS &&
+	    !negative &&
+	    vevent->rdataset != NULL &&
+	    CHAINING(vevent->rdataset))
+	{
+		if (vevent->rdataset->type == dns_rdatatype_cname)
+			eresult = DNS_R_CNAME;
+		else {
+			INSIST(vevent->rdataset->type == dns_rdatatype_dname);
+			eresult = DNS_R_DNAME;
+		}
+		chaining = true;
+	} else
+		chaining = false;
+
+	/*
+	 * Either we're not shutting down, or we are shutting down but want
+	 * to cache the result anyway (if this was a validation started by
+	 * a query with cd set)
+	 */
+
+	hevent = ISC_LIST_HEAD(fctx->events);
+	if (hevent != NULL) {
+		if (!negative && !chaining &&
+		    (fctx->type == dns_rdatatype_any ||
+		     fctx->type == dns_rdatatype_rrsig ||
+		     fctx->type == dns_rdatatype_sig)) {
+			/*
+			 * Don't bind rdatasets; the caller
+			 * will iterate the node.
+			 */
+		} else {
+			ardataset = hevent->rdataset;
+			asigrdataset = hevent->sigrdataset;
+		}
+	}
+
+	if (vevent->result != ISC_R_SUCCESS) {
+		FCTXTRACE("validation failed");
+		inc_stats(res, dns_resstatscounter_valfail);
+		fctx->valfail++;
+		fctx->vresult = vevent->result;
+		if (fctx->vresult != DNS_R_BROKENCHAIN) {
+			result = ISC_R_NOTFOUND;
+			if (vevent->rdataset != NULL)
+				result = dns_db_findnode(fctx->cache,
+							 vevent->name,
+							 true, &node);
+			if (result == ISC_R_SUCCESS)
+				(void)dns_db_deleterdataset(fctx->cache, node,
+							     NULL,
+							    vevent->type, 0);
+			if (result == ISC_R_SUCCESS &&
+			     vevent->sigrdataset != NULL)
+				(void)dns_db_deleterdataset(fctx->cache, node,
+							    NULL,
+							    dns_rdatatype_rrsig,
+							    vevent->type);
+			if (result == ISC_R_SUCCESS)
+				dns_db_detachnode(fctx->cache, &node);
+		}
+		if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
+			/*
+			 * Cache the data as pending for later validation.
+			 */
+			result = ISC_R_NOTFOUND;
+			if (vevent->rdataset != NULL)
+				result = dns_db_findnode(fctx->cache,
+							 vevent->name,
+							 true, &node);
+			if (result == ISC_R_SUCCESS) {
+				(void)dns_db_addrdataset(fctx->cache, node,
+							 NULL, now,
+							 vevent->rdataset, 0,
+							 NULL);
+			}
+			if (result == ISC_R_SUCCESS &&
+			    vevent->sigrdataset != NULL)
+				(void)dns_db_addrdataset(fctx->cache, node,
+							 NULL, now,
+							 vevent->sigrdataset,
+							 0, NULL);
+			if (result == ISC_R_SUCCESS)
+				dns_db_detachnode(fctx->cache, &node);
+		}
+		result = fctx->vresult;
+		add_bad(fctx, addrinfo, result, badns_validation);
+		isc_event_free(&event);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		INSIST(fctx->validator == NULL);
+		fctx->validator = ISC_LIST_HEAD(fctx->validators);
+		if (fctx->validator != NULL)
+			dns_validator_send(fctx->validator);
+		else if (sentresponse)
+			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+		else if (result == DNS_R_BROKENCHAIN) {
+			isc_result_t tresult;
+			isc_time_t expire;
+			isc_interval_t i;
+
+			isc_interval_set(&i, DNS_RESOLVER_BADCACHETTL(fctx), 0);
+			tresult = isc_time_nowplusinterval(&expire, &i);
+			if (negative &&
+			    (fctx->type == dns_rdatatype_dnskey ||
+			     fctx->type == dns_rdatatype_dlv ||
+			     fctx->type == dns_rdatatype_ds) &&
+			     tresult == ISC_R_SUCCESS)
+				dns_resolver_addbadcache(res, &fctx->name,
+							 fctx->type, &expire);
+			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+		} else
+			fctx_try(fctx, true, true); /* Locks bucket. */
+		return;
+	}
+
+
+	if (negative) {
+		dns_rdatatype_t covers;
+		FCTXTRACE("nonexistence validation OK");
+
+		inc_stats(res, dns_resstatscounter_valnegsuccess);
+
+		/*
+		 * Cache DS NXDOMAIN seperately to other types.
+		 */
+		if (fctx->rmessage->rcode == dns_rcode_nxdomain &&
+		    fctx->type != dns_rdatatype_ds)
+			covers = dns_rdatatype_any;
+		else
+			covers = fctx->type;
+
+		result = dns_db_findnode(fctx->cache, vevent->name, true,
+					 &node);
+		if (result != ISC_R_SUCCESS)
+			goto noanswer_response;
+
+		/*
+		 * If we are asking for a SOA record set the cache time
+		 * to zero to facilitate locating the containing zone of
+		 * a arbitrary zone.
+		 */
+		ttl = res->view->maxncachettl;
+		if (fctx->type == dns_rdatatype_soa &&
+		    covers == dns_rdatatype_any && res->zero_no_soa_ttl)
+			ttl = 0;
+
+		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+					   covers, now, ttl, vevent->optout,
+					   vevent->secure, ardataset, &eresult);
+		if (result != ISC_R_SUCCESS)
+			goto noanswer_response;
+		goto answer_response;
+	} else
+		inc_stats(res, dns_resstatscounter_valsuccess);
+
+	FCTXTRACE("validation OK");
+
+	if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
+		result = dns_rdataset_addnoqname(vevent->rdataset,
+				   vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		INSIST(vevent->sigrdataset != NULL);
+		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
+		if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
+			result = dns_rdataset_addclosest(vevent->rdataset,
+				 vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+	} else if (vevent->rdataset->trust == dns_trust_answer &&
+		   vevent->rdataset->type != dns_rdatatype_rrsig)
+	{
+		isc_result_t tresult;
+		dns_name_t *noqname = NULL;
+		tresult = findnoqname(fctx, vevent->name,
+				      vevent->rdataset->type, &noqname);
+		if (tresult == ISC_R_SUCCESS && noqname != NULL) {
+			tresult = dns_rdataset_addnoqname(vevent->rdataset,
+							  noqname);
+			RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * The data was already cached as pending data.
+	 * Re-cache it as secure and bind the cached
+	 * rdatasets to the first event on the fetch
+	 * event list.
+	 */
+	result = dns_db_findnode(fctx->cache, vevent->name, true, &node);
+	if (result != ISC_R_SUCCESS)
+		goto noanswer_response;
+
+	options = 0;
+	if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
+		options = DNS_DBADD_PREFETCH;
+	result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+				    vevent->rdataset, options, ardataset);
+	if (result != ISC_R_SUCCESS &&
+	    result != DNS_R_UNCHANGED)
+		goto noanswer_response;
+	if (ardataset != NULL && NEGATIVE(ardataset)) {
+		if (NXDOMAIN(ardataset))
+			eresult = DNS_R_NCACHENXDOMAIN;
+		else
+			eresult = DNS_R_NCACHENXRRSET;
+	} else if (vevent->sigrdataset != NULL) {
+		result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+					    vevent->sigrdataset, options,
+					    asigrdataset);
+		if (result != ISC_R_SUCCESS &&
+		    result != DNS_R_UNCHANGED)
+			goto noanswer_response;
+	}
+
+	if (sentresponse) {
+		bool bucket_empty = false;
+		/*
+		 * If we only deferred the destroy because we wanted to cache
+		 * the data, destroy now.
+		 */
+		dns_db_detachnode(fctx->cache, &node);
+		if (SHUTTINGDOWN(fctx))
+			bucket_empty = maybe_destroy(fctx, true);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		if (bucket_empty)
+			empty_bucket(res);
+		goto cleanup_event;
+	}
+
+	if (!ISC_LIST_EMPTY(fctx->validators)) {
+		INSIST(!negative);
+		INSIST(fctx->type == dns_rdatatype_any ||
+		       fctx->type == dns_rdatatype_rrsig ||
+		       fctx->type == dns_rdatatype_sig);
+		/*
+		 * Don't send a response yet - we have
+		 * more rdatasets that still need to
+		 * be validated.
+		 */
+		dns_db_detachnode(fctx->cache, &node);
+		UNLOCK(&res->buckets[bucketnum].lock);
+		dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+		goto cleanup_event;
+	}
+
+ answer_response:
+	/*
+	 * Cache any NS/NSEC records that happened to be validated.
+	 */
+	result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+					&name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if ((rdataset->type != dns_rdatatype_ns &&
+			     rdataset->type != dns_rdatatype_nsec) ||
+			    rdataset->trust != dns_trust_secure)
+				continue;
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+				if (sigrdataset->type != dns_rdatatype_rrsig ||
+				    sigrdataset->covers != rdataset->type)
+					continue;
+				break;
+			}
+			if (sigrdataset == NULL ||
+			    sigrdataset->trust != dns_trust_secure)
+				continue;
+			result = dns_db_findnode(fctx->cache, name, true,
+						 &nsnode);
+			if (result != ISC_R_SUCCESS)
+				continue;
+
+			result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
+						    now, rdataset, 0, NULL);
+			if (result == ISC_R_SUCCESS)
+				result = dns_db_addrdataset(fctx->cache, nsnode,
+							    NULL, now,
+							    sigrdataset, 0,
+							    NULL);
+			dns_db_detachnode(fctx->cache, &nsnode);
+			if (result != ISC_R_SUCCESS)
+				continue;
+		}
+		result = dns_message_nextname(fctx->rmessage,
+					      DNS_SECTION_AUTHORITY);
+	}
+
+	result = ISC_R_SUCCESS;
+
+	/*
+	 * Respond with an answer, positive or negative,
+	 * as opposed to an error.  'node' must be non-NULL.
+	 */
+
+	fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+
+	if (hevent != NULL) {
+		/*
+		 * Negative results must be indicated in event->result.
+		 */
+		if (dns_rdataset_isassociated(hevent->rdataset) &&
+		    NEGATIVE(hevent->rdataset)) {
+			INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+			       eresult == DNS_R_NCACHENXRRSET);
+		}
+		hevent->result = eresult;
+		RUNTIME_CHECK(dns_name_copy(vevent->name,
+			      dns_fixedname_name(&hevent->foundname), NULL)
+			      == ISC_R_SUCCESS);
+		dns_db_attach(fctx->cache, &hevent->db);
+		dns_db_transfernode(fctx->cache, &node, &hevent->node);
+		clone_results(fctx);
+	}
+
+ noanswer_response:
+	if (node != NULL)
+		dns_db_detachnode(fctx->cache, &node);
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+	fctx_done(fctx, result, __LINE__); /* Locks bucket. */
+
+ cleanup_event:
+	INSIST(node == NULL);
+	isc_event_free(&event);
+}
+
+static void
+fctx_log(void *arg, int level, const char *fmt, ...) {
+	char msgbuf[2048];
+	va_list args;
+	fetchctx_t *fctx = arg;
+
+	va_start(args, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
+	va_end(args);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level,
+		      "fctx %p(%s): %s", fctx, fctx->info, msgbuf);
+}
+
+static inline isc_result_t
+findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
+	    dns_name_t **noqnamep)
+{
+	dns_rdataset_t *nrdataset, *next, *sigrdataset;
+	dns_rdata_rrsig_t rrsig;
+	isc_result_t result;
+	unsigned int labels;
+	dns_section_t section;
+	dns_name_t *zonename;
+	dns_fixedname_t fzonename;
+	dns_name_t *closest;
+	dns_fixedname_t fclosest;
+	dns_name_t *nearest;
+	dns_fixedname_t fnearest;
+	dns_rdatatype_t found = dns_rdatatype_none;
+	dns_name_t *noqname = NULL;
+
+	FCTXTRACE("findnoqname");
+
+	REQUIRE(noqnamep != NULL && *noqnamep == NULL);
+
+	/*
+	 * Find the SIG for this rdataset, if we have it.
+	 */
+	for (sigrdataset = ISC_LIST_HEAD(name->list);
+	     sigrdataset != NULL;
+	     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+		if (sigrdataset->type == dns_rdatatype_rrsig &&
+		    sigrdataset->covers == type)
+			break;
+	}
+
+	if (sigrdataset == NULL)
+		return (ISC_R_NOTFOUND);
+
+	labels = dns_name_countlabels(name);
+
+	for (result = dns_rdataset_first(sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(sigrdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/* Wildcard has rrsig.labels < labels - 1. */
+		if (rrsig.labels + 1U >= labels)
+			continue;
+		break;
+	}
+
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_NOTFOUND);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	zonename = dns_fixedname_initname(&fzonename);
+	closest = dns_fixedname_initname(&fclosest);
+	nearest = dns_fixedname_initname(&fnearest);
+
+#define NXND(x) ((x) == ISC_R_SUCCESS)
+
+	section = DNS_SECTION_AUTHORITY;
+	for (result = dns_message_firstname(fctx->rmessage, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(fctx->rmessage, section)) {
+		dns_name_t *nsec = NULL;
+		dns_message_currentname(fctx->rmessage, section, &nsec);
+		for (nrdataset = ISC_LIST_HEAD(nsec->list);
+		      nrdataset != NULL; nrdataset = next) {
+			bool data = false, exists = false;
+			bool optout = false, unknown = false;
+			bool setclosest = false;
+			bool setnearest = false;
+
+			next = ISC_LIST_NEXT(nrdataset, link);
+			if (nrdataset->type != dns_rdatatype_nsec &&
+			    nrdataset->type != dns_rdatatype_nsec3)
+				continue;
+
+			if (nrdataset->type == dns_rdatatype_nsec &&
+			    NXND(dns_nsec_noexistnodata(type, name, nsec,
+							nrdataset, &exists,
+							&data, NULL, fctx_log,
+							fctx)))
+			{
+				if (!exists) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec;
+				}
+			}
+
+			if (nrdataset->type == dns_rdatatype_nsec3 &&
+			    NXND(dns_nsec3_noexistnodata(type, name, nsec,
+							 nrdataset, zonename,
+							 &exists, &data,
+							 &optout, &unknown,
+							 &setclosest,
+							 &setnearest,
+							 closest, nearest,
+							 fctx_log, fctx)))
+			{
+				if (!exists && setnearest) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec3;
+				}
+			}
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (noqname != NULL) {
+		for (sigrdataset = ISC_LIST_HEAD(noqname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+			if (sigrdataset->type == dns_rdatatype_rrsig &&
+			    sigrdataset->covers == found)
+				break;
+		}
+		if (sigrdataset != NULL)
+			*noqnamep = noqname;
+	}
+	return (result);
+}
+
+static inline isc_result_t
+cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+	   isc_stdtime_t now)
+{
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *addedrdataset = NULL;
+	dns_rdataset_t *ardataset = NULL, *asigrdataset = NULL;
+	dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
+	dns_dbnode_t *node = NULL, **anodep = NULL;
+	dns_db_t **adbp = NULL;
+	dns_name_t *aname = NULL;
+	dns_resolver_t *res = fctx->res;
+	bool need_validation = false;
+	bool secure_domain = false;
+	bool have_answer = false;
+	isc_result_t result, eresult = ISC_R_SUCCESS;
+	dns_fetchevent_t *event = NULL;
+	unsigned int options;
+	isc_task_t *task;
+	bool fail;
+	unsigned int valoptions = 0;
+	bool checknta = true;
+
+	/*
+	 * The appropriate bucket lock must be held.
+	 */
+	task = res->buckets[fctx->bucketnum].task;
+
+	/*
+	 * Is DNSSEC validation required for this name?
+	 */
+	if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+		valoptions |= DNS_VALIDATOR_NONTA;
+		checknta = false;
+	}
+
+	if (res->view->enablevalidation) {
+		result = issecuredomain(res->view, name, fctx->type,
+					now, checknta, &secure_domain);
+		if (result != ISC_R_SUCCESS) {
+			return (result);
+		}
+
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions |= DNS_VALIDATOR_DLV;
+			secure_domain = true;
+		}
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
+		need_validation = false;
+	} else {
+		need_validation = secure_domain;
+	}
+
+	if (((name->attributes & DNS_NAMEATTR_ANSWER) != 0) &&
+	    (!need_validation))
+	{
+		have_answer = true;
+		event = ISC_LIST_HEAD(fctx->events);
+		if (event != NULL) {
+			adbp = &event->db;
+			aname = dns_fixedname_name(&event->foundname);
+			result = dns_name_copy(name, aname, NULL);
+			if (result != ISC_R_SUCCESS) {
+				return (result);
+			}
+			anodep = &event->node;
+			/*
+			 * If this is an ANY, SIG or RRSIG query, we're not
+			 * going to return any rdatasets, unless we encountered
+			 * a CNAME or DNAME as "the answer".  In this case,
+			 * we're going to return DNS_R_CNAME or DNS_R_DNAME
+			 * and we must set up the rdatasets.
+			 */
+			if ((fctx->type != dns_rdatatype_any &&
+			     fctx->type != dns_rdatatype_rrsig &&
+			     fctx->type != dns_rdatatype_sig) ||
+			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0)
+			{
+				ardataset = event->rdataset;
+				asigrdataset = event->sigrdataset;
+			}
+		}
+	}
+
+	/*
+	 * Find or create the cache node.
+	 */
+	node = NULL;
+	result = dns_db_findnode(fctx->cache, name, true, &node);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Cache or validate each cacheable rdataset.
+	 */
+	fail = (fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL);
+	for (rdataset = ISC_LIST_HEAD(name->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (!CACHE(rdataset)) {
+			continue;
+		}
+		if (CHECKNAMES(rdataset)) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			char typebuf[DNS_RDATATYPE_FORMATSIZE];
+			char classbuf[DNS_RDATATYPE_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "check-names %s %s/%s/%s",
+				      fail ? "failure" : "warning",
+				      namebuf, typebuf, classbuf);
+			if (fail) {
+				if (ANSWER(rdataset)) {
+					dns_db_detachnode(fctx->cache, &node);
+					return (DNS_R_BADNAME);
+				}
+				continue;
+			}
+		}
+
+		/*
+		 * Enforce the configure maximum cache TTL.
+		 */
+		if (rdataset->ttl > res->view->maxcachettl) {
+			rdataset->ttl = res->view->maxcachettl;
+		}
+
+		/*
+		 * Mark the rdataset as being prefetch eligible.
+		 */
+		if (rdataset->ttl > fctx->res->view->prefetch_eligible) {
+			rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
+		}
+
+		/*
+		 * Find the SIG for this rdataset, if we have it.
+		 */
+		for (sigrdataset = ISC_LIST_HEAD(name->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (sigrdataset->type == dns_rdatatype_rrsig &&
+			    sigrdataset->covers == rdataset->type)
+			{
+				break;
+			}
+		}
+
+		/*
+		 * If this RRset is in a secure domain, is in bailiwick,
+		 * and is not glue, attempt DNSSEC validation.	(We do not
+		 * attempt to validate glue or out-of-bailiwick data--even
+		 * though there might be some performance benefit to doing
+		 * so--because it makes it simpler and safer to ensure that
+		 * records from a secure domain are only cached if validated
+		 * within the context of a query to the domain that owns
+		 * them.)
+		 */
+		if (secure_domain && rdataset->trust != dns_trust_glue &&
+		    !EXTERNAL(rdataset))
+		{
+			dns_trust_t trust;
+
+			/*
+			 * RRSIGs are validated as part of validating the
+			 * type they cover.
+			 */
+			if (rdataset->type == dns_rdatatype_rrsig) {
+				continue;
+			}
+
+			if (sigrdataset == NULL && need_validation &&
+			    !ANSWER(rdataset))
+			{
+				/*
+				 * Ignore unrelated non-answer
+				 * rdatasets that are missing signatures.
+				 */
+				continue;
+			}
+
+			/*
+			 * Normalize the rdataset and sigrdataset TTLs.
+			 */
+			if (sigrdataset != NULL) {
+				rdataset->ttl = ISC_MIN(rdataset->ttl,
+							sigrdataset->ttl);
+				sigrdataset->ttl = rdataset->ttl;
+			}
+
+			/*
+			 * Mark the rdataset as being prefetch eligible.
+			 */
+			if (rdataset->ttl > fctx->res->view->prefetch_eligible)
+			{
+				rdataset->attributes |=
+					DNS_RDATASETATTR_PREFETCH;
+			}
+
+			/*
+			 * Cache this rdataset/sigrdataset pair as
+			 * pending data.  Track whether it was additional
+			 * or not. If this was a priming query, additional
+			 * should be cached as glue.
+			 */
+			if (rdataset->trust == dns_trust_additional) {
+				trust = dns_trust_pending_additional;
+			} else {
+				trust = dns_trust_pending_answer;
+			}
+
+			rdataset->trust = trust;
+			if (sigrdataset != NULL) {
+				sigrdataset->trust = trust;
+			}
+			if (!need_validation || !ANSWER(rdataset)) {
+				options = 0;
+				if (ANSWER(rdataset) &&
+				   rdataset->type != dns_rdatatype_rrsig)
+				{
+					isc_result_t tresult;
+					dns_name_t *noqname = NULL;
+					tresult = findnoqname(fctx, name,
+							      rdataset->type,
+							      &noqname);
+					if (tresult == ISC_R_SUCCESS &&
+					    noqname != NULL)
+					{
+						(void) dns_rdataset_addnoqname(
+							    rdataset, noqname);
+					}
+				}
+				if ((fctx->options &
+				     DNS_FETCHOPT_PREFETCH) != 0)
+				{
+					options = DNS_DBADD_PREFETCH;
+				}
+				if ((fctx->options &
+				     DNS_FETCHOPT_NOCACHED) != 0)
+				{
+					options |= DNS_DBADD_FORCE;
+				}
+				addedrdataset = ardataset;
+				result = dns_db_addrdataset(fctx->cache, node,
+							    NULL, now, rdataset,
+							    options,
+							    addedrdataset);
+				if (result == DNS_R_UNCHANGED) {
+					result = ISC_R_SUCCESS;
+					if (!need_validation &&
+					    ardataset != NULL &&
+					    NEGATIVE(ardataset))
+					{
+						/*
+						 * The answer in the cache is
+						 * better than the answer we
+						 * found, and is a negative
+						 * cache entry, so we must set
+						 * eresult appropriately.
+						 */
+						if (NXDOMAIN(ardataset)) {
+							eresult =
+							   DNS_R_NCACHENXDOMAIN;
+						} else {
+							eresult =
+							   DNS_R_NCACHENXRRSET;
+						}
+						/*
+						 * We have a negative response
+						 * from the cache so don't
+						 * attempt to add the RRSIG
+						 * rrset.
+						 */
+						continue;
+					}
+				}
+				if (result != ISC_R_SUCCESS) {
+					break;
+				}
+				if (sigrdataset != NULL) {
+					addedrdataset = asigrdataset;
+					result = dns_db_addrdataset(fctx->cache,
+								node, NULL, now,
+								sigrdataset,
+								options,
+								addedrdataset);
+					if (result == DNS_R_UNCHANGED) {
+						result = ISC_R_SUCCESS;
+					}
+					if (result != ISC_R_SUCCESS) {
+						break;
+					}
+				} else if (!ANSWER(rdataset)) {
+					continue;
+				}
+			}
+
+			if (ANSWER(rdataset) && need_validation) {
+				if (fctx->type != dns_rdatatype_any &&
+				    fctx->type != dns_rdatatype_rrsig &&
+				    fctx->type != dns_rdatatype_sig)
+				{
+					/*
+					 * This is The Answer.  We will
+					 * validate it, but first we cache
+					 * the rest of the response - it may
+					 * contain useful keys.
+					 */
+					INSIST(valrdataset == NULL &&
+					       valsigrdataset == NULL);
+					valrdataset = rdataset;
+					valsigrdataset = sigrdataset;
+				} else {
+					/*
+					 * This is one of (potentially)
+					 * multiple answers to an ANY
+					 * or SIG query.  To keep things
+					 * simple, we just start the
+					 * validator right away rather
+					 * than caching first and
+					 * having to remember which
+					 * rdatasets needed validation.
+					 */
+					result = valcreate(fctx, addrinfo,
+							   name, rdataset->type,
+							   rdataset,
+							   sigrdataset,
+							   valoptions, task);
+				}
+			} else if (CHAINING(rdataset)) {
+				if (rdataset->type == dns_rdatatype_cname) {
+					eresult = DNS_R_CNAME;
+				} else {
+					INSIST(rdataset->type ==
+					       dns_rdatatype_dname);
+					eresult = DNS_R_DNAME;
+				}
+			}
+		} else if (!EXTERNAL(rdataset)) {
+			/*
+			 * It's OK to cache this rdataset now.
+			 */
+			if (ANSWER(rdataset)) {
+				addedrdataset = ardataset;
+			} else if (ANSWERSIG(rdataset)) {
+				addedrdataset = asigrdataset;
+			} else {
+				addedrdataset = NULL;
+			}
+			if (CHAINING(rdataset)) {
+				if (rdataset->type == dns_rdatatype_cname) {
+					eresult = DNS_R_CNAME;
+				} else {
+					INSIST(rdataset->type ==
+					       dns_rdatatype_dname);
+					eresult = DNS_R_DNAME;
+				}
+			}
+			if (rdataset->trust == dns_trust_glue &&
+			    (rdataset->type == dns_rdatatype_ns ||
+			     (rdataset->type == dns_rdatatype_rrsig &&
+			      rdataset->covers == dns_rdatatype_ns)))
+			{
+				/*
+				 * If the trust level is 'dns_trust_glue'
+				 * then we are adding data from a referral
+				 * we got while executing the search algorithm.
+				 * New referral data always takes precedence
+				 * over the existing cache contents.
+				 */
+				options = DNS_DBADD_FORCE;
+			} else if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
+			{
+				options = DNS_DBADD_PREFETCH;
+			} else {
+				options = 0;
+			}
+
+			if (ANSWER(rdataset) &&
+			   rdataset->type != dns_rdatatype_rrsig)
+			{
+				isc_result_t tresult;
+				dns_name_t *noqname = NULL;
+				tresult = findnoqname(fctx, name,
+						      rdataset->type, &noqname);
+				if (tresult == ISC_R_SUCCESS &&
+				    noqname != NULL)
+				{
+					(void) dns_rdataset_addnoqname(
+						       rdataset, noqname);
+				}
+			}
+
+			/*
+			 * Now we can add the rdataset.
+			 */
+			result = dns_db_addrdataset(fctx->cache,
+						    node, NULL, now,
+						    rdataset,
+						    options,
+						    addedrdataset);
+
+			if (result == DNS_R_UNCHANGED) {
+				if (ANSWER(rdataset) &&
+				    ardataset != NULL &&
+				    NEGATIVE(ardataset))
+				{
+					/*
+					 * The answer in the cache is better
+					 * than the answer we found, and is
+					 * a negative cache entry, so we
+					 * must set eresult appropriately.
+					 */
+					if (NXDOMAIN(ardataset)) {
+						eresult = DNS_R_NCACHENXDOMAIN;
+					} else {
+						eresult = DNS_R_NCACHENXRRSET;
+					}
+				}
+				result = ISC_R_SUCCESS;
+			} else if (result != ISC_R_SUCCESS) {
+				break;
+			}
+		}
+	}
+
+	if (valrdataset != NULL) {
+		dns_rdatatype_t vtype = fctx->type;
+		if (CHAINING(valrdataset)) {
+			if (valrdataset->type == dns_rdatatype_cname) {
+				vtype = dns_rdatatype_cname;
+			} else {
+				vtype = dns_rdatatype_dname;
+			}
+		}
+		result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+				   valsigrdataset, valoptions, task);
+	}
+
+	if (result == ISC_R_SUCCESS && have_answer) {
+		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+		if (event != NULL) {
+			/*
+			 * Negative results must be indicated in event->result.
+			 */
+			if (dns_rdataset_isassociated(event->rdataset) &&
+			    NEGATIVE(event->rdataset))
+			{
+				INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+				       eresult == DNS_R_NCACHENXRRSET);
+			}
+			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL) {
+					dns_db_detachnode(*adbp, anodep);
+				}
+				dns_db_detach(adbp);
+			}
+			dns_db_attach(fctx->cache, adbp);
+			dns_db_transfernode(fctx->cache, &node, anodep);
+			clone_results(fctx);
+		}
+	}
+
+	if (node != NULL) {
+		dns_db_detachnode(fctx->cache, &node);
+	}
+
+	return (result);
+}
+
+static inline isc_result_t
+cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
+{
+	isc_result_t result;
+	dns_section_t section;
+	dns_name_t *name;
+
+	FCTXTRACE("cache_message");
+
+	fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
+
+	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	for (section = DNS_SECTION_ANSWER;
+	     section <= DNS_SECTION_ADDITIONAL;
+	     section++) {
+		result = dns_message_firstname(fctx->rmessage, section);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(fctx->rmessage, section,
+						&name);
+			if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
+				result = cache_name(fctx, name, addrinfo, now);
+				if (result != ISC_R_SUCCESS)
+					break;
+			}
+			result = dns_message_nextname(fctx->rmessage, section);
+		}
+		if (result != ISC_R_NOMORE)
+			break;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+	return (result);
+}
+
+/*
+ * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
+ */
+static isc_result_t
+ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+		  bool optout, bool secure,
+		  dns_rdataset_t *ardataset, isc_result_t *eresultp)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	if (ardataset == NULL) {
+		dns_rdataset_init(&rdataset);
+		ardataset = &rdataset;
+	}
+	if (secure)
+		result = dns_ncache_addoptout(message, cache, node, covers,
+					      now, maxttl, optout, ardataset);
+	else
+		result = dns_ncache_add(message, cache, node, covers, now,
+					maxttl, ardataset);
+	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
+		/*
+		 * If the cache now contains a negative entry and we
+		 * care about whether it is DNS_R_NCACHENXDOMAIN or
+		 * DNS_R_NCACHENXRRSET then extract it.
+		 */
+		if (NEGATIVE(ardataset)) {
+			/*
+			 * The cache data is a negative cache entry.
+			 */
+			if (NXDOMAIN(ardataset))
+				*eresultp = DNS_R_NCACHENXDOMAIN;
+			else
+				*eresultp = DNS_R_NCACHENXRRSET;
+		} else {
+			/*
+			 * Either we don't care about the nature of the
+			 * cache rdataset (because no fetch is interested
+			 * in the outcome), or the cache rdataset is not
+			 * a negative cache entry.  Whichever case it is,
+			 * we can return success.
+			 *
+			 * XXXRTH  There's a CNAME/DNAME problem here.
+			 */
+			*eresultp = ISC_R_SUCCESS;
+		}
+		result = ISC_R_SUCCESS;
+	}
+	if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
+		dns_rdataset_disassociate(ardataset);
+
+	return (result);
+}
+
+static inline isc_result_t
+ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+	       dns_rdatatype_t covers, isc_stdtime_t now)
+{
+	isc_result_t result, eresult;
+	dns_name_t *name;
+	dns_resolver_t *res;
+	dns_db_t **adbp;
+	dns_dbnode_t *node, **anodep;
+	dns_rdataset_t *ardataset;
+	bool need_validation, secure_domain;
+	dns_name_t *aname;
+	dns_fetchevent_t *event;
+	uint32_t ttl;
+	unsigned int valoptions = 0;
+	bool checknta = true;
+
+	FCTXTRACE("ncache_message");
+
+	fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
+
+	res = fctx->res;
+	need_validation = false;
+	POST(need_validation);
+	secure_domain = false;
+	eresult = ISC_R_SUCCESS;
+	name = &fctx->name;
+	node = NULL;
+
+	/*
+	 * XXXMPA remove when we follow cnames and adjust the setting
+	 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
+	 */
+	INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
+
+	/*
+	 * Is DNSSEC validation required for this name?
+	 */
+	if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
+		valoptions |= DNS_VALIDATOR_NONTA;
+		checknta = false;
+	}
+
+	if (fctx->res->view->enablevalidation) {
+		result = issecuredomain(res->view, name, fctx->type,
+					now, checknta, &secure_domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		if (!secure_domain && res->view->dlv != NULL) {
+			valoptions |= DNS_VALIDATOR_DLV;
+			secure_domain = true;
+		}
+	}
+
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+
+	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
+		need_validation = false;
+	else
+		need_validation = secure_domain;
+
+	if (secure_domain) {
+		/*
+		 * Mark all rdatasets as pending.
+		 */
+		dns_rdataset_t *trdataset;
+		dns_name_t *tname;
+
+		result = dns_message_firstname(fctx->rmessage,
+					       DNS_SECTION_AUTHORITY);
+		while (result == ISC_R_SUCCESS) {
+			tname = NULL;
+			dns_message_currentname(fctx->rmessage,
+						DNS_SECTION_AUTHORITY,
+						&tname);
+			for (trdataset = ISC_LIST_HEAD(tname->list);
+			     trdataset != NULL;
+			     trdataset = ISC_LIST_NEXT(trdataset, link))
+				trdataset->trust = dns_trust_pending_answer;
+			result = dns_message_nextname(fctx->rmessage,
+						      DNS_SECTION_AUTHORITY);
+		}
+		if (result != ISC_R_NOMORE)
+			return (result);
+
+	}
+
+	if (need_validation) {
+		/*
+		 * Do negative response validation.
+		 */
+		result = valcreate(fctx, addrinfo, name, fctx->type,
+				   NULL, NULL, valoptions,
+				   res->buckets[fctx->bucketnum].task);
+		/*
+		 * If validation is necessary, return now.  Otherwise continue
+		 * to process the message, letting the validation complete
+		 * in its own good time.
+		 */
+		return (result);
+	}
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	adbp = NULL;
+	aname = NULL;
+	anodep = NULL;
+	ardataset = NULL;
+	if (!HAVE_ANSWER(fctx)) {
+		event = ISC_LIST_HEAD(fctx->events);
+		if (event != NULL) {
+			adbp = &event->db;
+			aname = dns_fixedname_name(&event->foundname);
+			result = dns_name_copy(name, aname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto unlock;
+			anodep = &event->node;
+			ardataset = event->rdataset;
+		}
+	} else
+		event = NULL;
+
+	result = dns_db_findnode(fctx->cache, name, true, &node);
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	/*
+	 * If we are asking for a SOA record set the cache time
+	 * to zero to facilitate locating the containing zone of
+	 * a arbitrary zone.
+	 */
+	ttl = fctx->res->view->maxncachettl;
+	if (fctx->type == dns_rdatatype_soa &&
+	    covers == dns_rdatatype_any &&
+	    fctx->res->zero_no_soa_ttl)
+		ttl = 0;
+
+	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+				   covers, now, ttl, false,
+				   false, ardataset, &eresult);
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	if (!HAVE_ANSWER(fctx)) {
+		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+		if (event != NULL) {
+			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL)
+					dns_db_detachnode(*adbp, anodep);
+				dns_db_detach(adbp);
+			}
+			dns_db_attach(fctx->cache, adbp);
+			dns_db_transfernode(fctx->cache, &node, anodep);
+			clone_results(fctx);
+		}
+	}
+
+ unlock:
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
+	if (node != NULL)
+		dns_db_detachnode(fctx->cache, &node);
+
+	return (result);
+}
+
+static inline void
+mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
+	     bool external, bool gluing)
+{
+	name->attributes |= DNS_NAMEATTR_CACHE;
+	if (gluing) {
+		rdataset->trust = dns_trust_glue;
+		/*
+		 * Glue with 0 TTL causes problems.  We force the TTL to
+		 * 1 second to prevent this.
+		 */
+		if (rdataset->ttl == 0)
+			rdataset->ttl = 1;
+	} else
+		rdataset->trust = dns_trust_additional;
+	/*
+	 * Avoid infinite loops by only marking new rdatasets.
+	 */
+	if (!CACHE(rdataset)) {
+		name->attributes |= DNS_NAMEATTR_CHASE;
+		rdataset->attributes |= DNS_RDATASETATTR_CHASE;
+	}
+	rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+	if (external)
+		rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+}
+
+static isc_result_t
+check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
+	      dns_section_t section)
+{
+	fetchctx_t *fctx = arg;
+	isc_result_t result;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	bool external;
+	dns_rdatatype_t rtype;
+	bool gluing;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+#if CHECK_FOR_GLUE_IN_ANSWER
+	if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
+		return (ISC_R_SUCCESS);
+#endif
+
+	gluing = (GLUING(fctx) ||
+		  (fctx->type == dns_rdatatype_ns &&
+		   dns_name_equal(&fctx->name, dns_rootname)));
+
+	result = dns_message_findname(fctx->rmessage, section, addname,
+				      dns_rdatatype_any, 0, &name, NULL);
+	if (result == ISC_R_SUCCESS) {
+		external = !dns_name_issubdomain(name, &fctx->domain);
+		if (type == dns_rdatatype_a) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (rdataset->type == dns_rdatatype_rrsig)
+					rtype = rdataset->covers;
+				else
+					rtype = rdataset->type;
+				if (rtype == dns_rdatatype_a ||
+				    rtype == dns_rdatatype_aaaa)
+					mark_related(name, rdataset, external,
+						     gluing);
+			}
+		} else {
+			result = dns_message_findtype(name, type, 0,
+						      &rdataset);
+			if (result == ISC_R_SUCCESS) {
+				mark_related(name, rdataset, external, gluing);
+				/*
+				 * Do we have its SIG too?
+				 */
+				rdataset = NULL;
+				result = dns_message_findtype(name,
+						      dns_rdatatype_rrsig,
+						      type, &rdataset);
+				if (result == ISC_R_SUCCESS)
+					mark_related(name, rdataset, external,
+						     gluing);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
+}
+
+#ifndef CHECK_FOR_GLUE_IN_ANSWER
+#define CHECK_FOR_GLUE_IN_ANSWER 0
+#endif
+#if CHECK_FOR_GLUE_IN_ANSWER
+static isc_result_t
+check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+	return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
+}
+#endif
+
+static void
+chase_additional(fetchctx_t *fctx) {
+	bool rescan;
+	dns_section_t section = DNS_SECTION_ADDITIONAL;
+	isc_result_t result;
+
+ again:
+	rescan = false;
+
+	for (result = dns_message_firstname(fctx->rmessage, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(fctx->rmessage, section)) {
+		dns_name_t *name = NULL;
+		dns_rdataset_t *rdataset;
+		dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
+					&name);
+		if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
+			continue;
+		name->attributes &= ~DNS_NAMEATTR_CHASE;
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (CHASE(rdataset)) {
+				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+				(void)dns_rdataset_additionaldata(rdataset,
+								  check_related,
+								  fctx);
+				rescan = true;
+			}
+		}
+	}
+	if (rescan)
+		goto again;
+}
+
+static bool
+is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
+			 dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct in_addr ina;
+	struct in6_addr in6a;
+	isc_netaddr_t netaddr;
+	char addrbuf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	int match;
+
+	/* By default, we allow any addresses. */
+	if (view->denyansweracl == NULL)
+		return (true);
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answeracl_exclude != NULL) {
+		dns_rbtnode_t *node = NULL;
+
+		result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
+					  &node, NULL, 0, NULL, NULL);
+
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+			return (true);
+	}
+
+	/*
+	 * Otherwise, search the filter list for a match for each address
+	 * record.  If a match is found, the address should be filtered,
+	 * so should the entire answer.
+	 */
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		if (rdataset->type == dns_rdatatype_a) {
+			INSIST(rdata.length == sizeof(ina.s_addr));
+			memmove(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
+			isc_netaddr_fromin(&netaddr, &ina);
+		} else {
+			INSIST(rdata.length == sizeof(in6a.s6_addr));
+			memmove(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
+			isc_netaddr_fromin6(&netaddr, &in6a);
+		}
+
+		result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
+				       &view->aclenv, &match, NULL);
+
+		if (result == ISC_R_SUCCESS && match > 0) {
+			isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_rdatatype_format(rdataset->type, typebuf,
+					     sizeof(typebuf));
+			dns_rdataclass_format(rdataset->rdclass, classbuf,
+					      sizeof(classbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+				      "answer address %s denied for %s/%s/%s",
+				      addrbuf, namebuf, typebuf, classbuf);
+			return (false);
+		}
+	}
+
+	return (true);
+}
+
+static bool
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
+			dns_rdataset_t *rdataset, bool *chainingp)
+{
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+	char qnamebuf[DNS_NAME_FORMATSIZE];
+	char tnamebuf[DNS_NAME_FORMATSIZE];
+	char classbuf[64];
+	char typebuf[64];
+	dns_name_t *tname = NULL;
+	dns_rdata_cname_t cname;
+	dns_rdata_dname_t dname;
+	dns_view_t *view = fctx->res->view;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int nlabels;
+	dns_fixedname_t fixed;
+	dns_name_t prefix;
+	int order;
+
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rdataset->type == dns_rdatatype_cname ||
+		rdataset->type == dns_rdatatype_dname);
+
+	/*
+	 * By default, we allow any target name.
+	 * If newqname != NULL we also need to extract the newqname.
+	 */
+	if (chainingp == NULL && view->denyanswernames == NULL)
+		return (true);
+
+	result = dns_rdataset_first(rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	switch (rdataset->type) {
+	case dns_rdatatype_cname:
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		tname = &cname.cname;
+		break;
+	case dns_rdatatype_dname:
+		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+		    dns_namereln_subdomain)
+		{
+			return (true);
+		}
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_name_init(&prefix, NULL);
+		tname = dns_fixedname_initname(&fixed);
+		nlabels = dns_name_countlabels(rname);
+		dns_name_split(qname, nlabels, &prefix, NULL);
+		result = dns_name_concatenate(&prefix, &dname.dname, tname,
+					      NULL);
+		if (result == DNS_R_NAMETOOLONG) {
+			if (chainingp != NULL) {
+				*chainingp = true;
+			}
+			return (true);
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (chainingp != NULL)
+		*chainingp = true;
+
+	if (view->denyanswernames == NULL)
+		return (true);
+
+	/*
+	 * If the owner name matches one in the exclusion list, either exactly
+	 * or partially, allow it.
+	 */
+	if (view->answernames_exclude != NULL) {
+		result = dns_rbt_findnode(view->answernames_exclude, qname,
+					  NULL, &node, NULL, 0, NULL, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+			return (true);
+	}
+
+	/*
+	 * If the target name is a subdomain of the search domain, allow it.
+	 */
+	if (dns_name_issubdomain(tname, &fctx->domain))
+		return (true);
+
+	/*
+	 * Otherwise, apply filters.
+	 */
+	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
+				  NULL, 0, NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
+		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(view->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "%s target %s denied for %s/%s",
+			      typebuf, tnamebuf, qnamebuf, classbuf);
+		return (false);
+	}
+
+	return (true);
+}
+
+static void
+trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
+	char ns_namebuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char tbuf[DNS_RDATATYPE_FORMATSIZE];
+
+	if (fctx->ns_ttl_ok && rdataset->ttl > fctx->ns_ttl) {
+		dns_name_format(name, ns_namebuf, sizeof(ns_namebuf));
+		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(fctx->type, tbuf, sizeof(tbuf));
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
+			      "fctx %p: trimming ttl of %s/NS for %s/%s: "
+			      "%u -> %u", fctx, ns_namebuf, namebuf, tbuf,
+			      rdataset->ttl, fctx->ns_ttl);
+		rdataset->ttl = fctx->ns_ttl;
+	}
+}
+
+/*
+ * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
+ * If look_in_options has LOOK_FOR_NS_IN_ANSWER then we look in the answer
+ * section for the NS RRset if the query type is NS; if it has
+ * LOOK_FOR_GLUE_IN_ANSWER we look for glue incorrectly returned in the answer
+ * section for A and AAAA queries.
+ */
+#define LOOK_FOR_NS_IN_ANSWER 0x1
+#define LOOK_FOR_GLUE_IN_ANSWER 0x2
+
+static isc_result_t
+noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
+		  unsigned int look_in_options)
+{
+	isc_result_t result;
+	dns_message_t *message;
+	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
+	dns_rdataset_t *rdataset, *ns_rdataset;
+	bool aa, negative_response;
+	dns_rdatatype_t type, save_type;
+	dns_section_t section;
+
+	FCTXTRACE("noanswer_response");
+
+	if ((look_in_options & LOOK_FOR_NS_IN_ANSWER) != 0) {
+		INSIST(fctx->type == dns_rdatatype_ns);
+		section = DNS_SECTION_ANSWER;
+	} else
+		section = DNS_SECTION_AUTHORITY;
+
+	message = fctx->rmessage;
+
+	/*
+	 * Setup qname.
+	 */
+	if (oqname == NULL) {
+		/*
+		 * We have a normal, non-chained negative response or
+		 * referral.
+		 */
+		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
+			aa = true;
+		else
+			aa = false;
+		qname = &fctx->name;
+	} else {
+		/*
+		 * We're being invoked by answer_response() after it has
+		 * followed a CNAME/DNAME chain.
+		 */
+		qname = oqname;
+		aa = false;
+		/*
+		 * If the current qname is not a subdomain of the query
+		 * domain, there's no point in looking at the authority
+		 * section without doing DNSSEC validation.
+		 *
+		 * Until we do that validation, we'll just return success
+		 * in this case.
+		 */
+		if (!dns_name_issubdomain(qname, &fctx->domain))
+			return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * We have to figure out if this is a negative response, or a
+	 * referral.
+	 */
+
+	/*
+	 * Sometimes we can tell if its a negative response by looking at
+	 * the message header.
+	 */
+	negative_response = false;
+	if (message->rcode == dns_rcode_nxdomain ||
+	    (message->counts[DNS_SECTION_ANSWER] == 0 &&
+	     message->counts[DNS_SECTION_AUTHORITY] == 0))
+		negative_response = true;
+
+	/*
+	 * Process the authority section.
+	 */
+	ns_name = NULL;
+	ns_rdataset = NULL;
+	soa_name = NULL;
+	ds_name = NULL;
+	save_name = NULL;
+	save_type = dns_rdatatype_none;
+	result = dns_message_firstname(message, section);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		if (dns_name_issubdomain(name, &fctx->domain)) {
+			/*
+			 * Look for NS/SOA RRsets first.
+			 */
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				type = rdataset->type;
+				if (type == dns_rdatatype_rrsig)
+					type = rdataset->covers;
+				if (((type == dns_rdatatype_ns ||
+				      type == dns_rdatatype_soa) &&
+				     !dns_name_issubdomain(qname, name))) {
+					char qbuf[DNS_NAME_FORMATSIZE];
+					char nbuf[DNS_NAME_FORMATSIZE];
+					char tbuf[DNS_RDATATYPE_FORMATSIZE];
+					dns_rdatatype_format(type, tbuf,
+							     sizeof(tbuf));
+					dns_name_format(name, nbuf,
+							     sizeof(nbuf));
+					dns_name_format(qname, qbuf,
+							     sizeof(qbuf));
+					log_formerr(fctx,
+						    "unrelated %s %s in "
+						    "%s authority section",
+						    tbuf, nbuf, qbuf);
+					goto nextname;
+				}
+				if (type == dns_rdatatype_ns) {
+					/*
+					 * NS or RRSIG NS.
+					 *
+					 * Only one set of NS RRs is allowed.
+					 */
+					if (rdataset->type ==
+					    dns_rdatatype_ns) {
+						if (ns_name != NULL &&
+						    name != ns_name) {
+							log_formerr(fctx,
+								"multiple NS "
+								"RRsets in "
+								"authority "
+								"section");
+							return (DNS_R_FORMERR);
+						}
+						ns_name = name;
+						ns_rdataset = rdataset;
+					}
+					name->attributes |=
+						DNS_NAMEATTR_CACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CACHE;
+					rdataset->trust = dns_trust_glue;
+				}
+				if (type == dns_rdatatype_soa) {
+					/*
+					 * SOA, or RRSIG SOA.
+					 *
+					 * Only one SOA is allowed.
+					 */
+					if (rdataset->type ==
+					    dns_rdatatype_soa) {
+						if (soa_name != NULL &&
+						    name != soa_name) {
+							log_formerr(fctx,
+								"multiple SOA "
+								"RRs in "
+								"authority "
+								"section");
+							return (DNS_R_FORMERR);
+						}
+						soa_name = name;
+					}
+					name->attributes |=
+						DNS_NAMEATTR_NCACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_NCACHE;
+					if (aa)
+						rdataset->trust =
+						    dns_trust_authauthority;
+					else if (ISFORWARDER(fctx->addrinfo))
+						rdataset->trust =
+							dns_trust_answer;
+					else
+						rdataset->trust =
+							dns_trust_additional;
+				}
+			}
+		}
+ nextname:
+		result = dns_message_nextname(message, section);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	log_ns_ttl(fctx, "noanswer_response");
+
+	if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
+	    !dns_name_equal(ns_name, dns_rootname))
+		trim_ns_ttl(fctx, ns_name, ns_rdataset);
+
+	/*
+	 * A negative response has a SOA record (Type 2)
+	 * and a optional NS RRset (Type 1) or it has neither
+	 * a SOA or a NS RRset (Type 3, handled above) or
+	 * rcode is NXDOMAIN (handled above) in which case
+	 * the NS RRset is allowed (Type 4).
+	 */
+	if (soa_name != NULL)
+		negative_response = true;
+
+	result = dns_message_firstname(message, section);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		if (dns_name_issubdomain(name, &fctx->domain)) {
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				type = rdataset->type;
+				if (type == dns_rdatatype_rrsig)
+					type = rdataset->covers;
+				if (type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3) {
+					/*
+					 * NSEC or RRSIG NSEC.
+					 */
+					if (negative_response) {
+						name->attributes |=
+							DNS_NAMEATTR_NCACHE;
+						rdataset->attributes |=
+							DNS_RDATASETATTR_NCACHE;
+					} else if (type == dns_rdatatype_nsec) {
+						name->attributes |=
+							DNS_NAMEATTR_CACHE;
+						rdataset->attributes |=
+							DNS_RDATASETATTR_CACHE;
+					}
+					if (aa)
+						rdataset->trust =
+						    dns_trust_authauthority;
+					else if (ISFORWARDER(fctx->addrinfo))
+						rdataset->trust =
+							dns_trust_answer;
+					else
+						rdataset->trust =
+							dns_trust_additional;
+					/*
+					 * No additional data needs to be
+					 * marked.
+					 */
+				} else if (type == dns_rdatatype_ds) {
+					/*
+					 * DS or SIG DS.
+					 *
+					 * These should only be here if
+					 * this is a referral, and there
+					 * should only be one DS RRset.
+					 */
+					if (ns_name == NULL) {
+						log_formerr(fctx,
+							    "DS with no "
+							    "referral");
+						return (DNS_R_FORMERR);
+					}
+					if (rdataset->type ==
+					    dns_rdatatype_ds) {
+						if (ds_name != NULL &&
+						    name != ds_name) {
+							log_formerr(fctx,
+								"DS doesn't "
+								"match "
+								"referral "
+								"(NS)");
+							return (DNS_R_FORMERR);
+						}
+						ds_name = name;
+					}
+					name->attributes |=
+						DNS_NAMEATTR_CACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CACHE;
+					if (aa)
+						rdataset->trust =
+						    dns_trust_authauthority;
+					else if (ISFORWARDER(fctx->addrinfo))
+						rdataset->trust =
+							dns_trust_answer;
+					else
+						rdataset->trust =
+							dns_trust_additional;
+				}
+			}
+		} else {
+			save_name = name;
+			save_type = ISC_LIST_HEAD(name->list)->type;
+		}
+		result = dns_message_nextname(message, section);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	/*
+	 * Trigger lookups for DNS nameservers.
+	 */
+	if (negative_response && message->rcode == dns_rcode_noerror &&
+	    fctx->type == dns_rdatatype_ds && soa_name != NULL &&
+	    dns_name_equal(soa_name, qname) &&
+	    !dns_name_equal(qname, dns_rootname))
+		return (DNS_R_CHASEDSSERVERS);
+
+	/*
+	 * Did we find anything?
+	 */
+	if (!negative_response && ns_name == NULL) {
+		/*
+		 * Nope.
+		 */
+		if (oqname != NULL) {
+			/*
+			 * We've already got a partial CNAME/DNAME chain,
+			 * and haven't found else anything useful here, but
+			 * no error has occurred since we have an answer.
+			 */
+			return (ISC_R_SUCCESS);
+		} else {
+			/*
+			 * The responder is insane.
+			 */
+			if (save_name == NULL) {
+				log_formerr(fctx, "invalid response");
+				return (DNS_R_FORMERR);
+			}
+			if (!dns_name_issubdomain(save_name, &fctx->domain)) {
+				char nbuf[DNS_NAME_FORMATSIZE];
+				char dbuf[DNS_NAME_FORMATSIZE];
+				char tbuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(save_type, tbuf,
+					sizeof(tbuf));
+				dns_name_format(save_name, nbuf, sizeof(nbuf));
+				dns_name_format(&fctx->domain, dbuf,
+					sizeof(dbuf));
+
+				log_formerr(fctx, "Name %s (%s) not subdomain"
+					" of zone %s -- invalid response",
+					nbuf, tbuf, dbuf);
+			} else {
+				log_formerr(fctx, "invalid response");
+			}
+			return (DNS_R_FORMERR);
+		}
+	}
+
+	/*
+	 * If we found both NS and SOA, they should be the same name.
+	 */
+	if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) {
+		log_formerr(fctx, "NS/SOA mismatch");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * Do we have a referral?  (We only want to follow a referral if
+	 * we're not following a chain.)
+	 */
+	if (!negative_response && ns_name != NULL && oqname == NULL) {
+		/*
+		 * We already know ns_name is a subdomain of fctx->domain.
+		 * If ns_name is equal to fctx->domain, we're not making
+		 * progress.  We return DNS_R_FORMERR so that we'll keep
+		 * trying other servers.
+		 */
+		if (dns_name_equal(ns_name, &fctx->domain)) {
+			log_formerr(fctx, "non-improving referral");
+			return (DNS_R_FORMERR);
+		}
+
+		/*
+		 * If the referral name is not a parent of the query
+		 * name, consider the responder insane.
+		 */
+		if (! dns_name_issubdomain(&fctx->name, ns_name)) {
+			/* Logged twice */
+			log_formerr(fctx, "referral to non-parent");
+			FCTXTRACE("referral to non-parent");
+			return (DNS_R_FORMERR);
+		}
+
+		/*
+		 * Mark any additional data related to this rdataset.
+		 * It's important that we do this before we change the
+		 * query domain.
+		 */
+		INSIST(ns_rdataset != NULL);
+		fctx->attributes |= FCTX_ATTR_GLUING;
+		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
+						  fctx);
+#if CHECK_FOR_GLUE_IN_ANSWER
+		/*
+		 * Look in the answer section for "glue" that is incorrectly
+		 * returned as a answer.  This is needed if the server also
+		 * minimizes the response size by not adding records to the
+		 * additional section that are in the answer section or if
+		 * the record gets dropped due to message size constraints.
+		 */
+		if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
+		    (fctx->type == dns_rdatatype_aaaa ||
+		     fctx->type == dns_rdatatype_a))
+			(void)dns_rdataset_additionaldata(ns_rdataset,
+							  check_answer, fctx);
+#endif
+		fctx->attributes &= ~FCTX_ATTR_GLUING;
+		/*
+		 * NS rdatasets with 0 TTL cause problems.
+		 * dns_view_findzonecut() will not find them when we
+		 * try to follow the referral, and we'll SERVFAIL
+		 * because the best nameservers are now above QDOMAIN.
+		 * We force the TTL to 1 second to prevent this.
+		 */
+		if (ns_rdataset->ttl == 0)
+			ns_rdataset->ttl = 1;
+		/*
+		 * Set the current query domain to the referral name.
+		 *
+		 * XXXRTH  We should check if we're in forward-only mode, and
+		 *		if so we should bail out.
+		 */
+		INSIST(dns_name_countlabels(&fctx->domain) > 0);
+		fcount_decr(fctx);
+		dns_name_free(&fctx->domain, fctx->mctx);
+		if (dns_rdataset_isassociated(&fctx->nameservers))
+			dns_rdataset_disassociate(&fctx->nameservers);
+		dns_name_init(&fctx->domain, NULL);
+		result = dns_name_dup(ns_name, fctx->mctx, &fctx->domain);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = fcount_incr(fctx, true);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		fctx->attributes |= FCTX_ATTR_WANTCACHE;
+		fctx->ns_ttl_ok = false;
+		log_ns_ttl(fctx, "DELEGATION");
+		return (DNS_R_DELEGATION);
+	}
+
+	/*
+	 * Since we're not doing a referral, we don't want to cache any
+	 * NS RRs we may have found.
+	 */
+	if (ns_name != NULL)
+		ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
+
+	if (negative_response && oqname == NULL)
+		fctx->attributes |= FCTX_ATTR_WANTNCACHE;
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
+	if (rdataset->type == dns_rdatatype_nsec3) {
+		/*
+		 * NSEC3 records are not allowed to
+		 * appear in the answer section.
+		 */
+		log_formerr(fctx, "NSEC3 in answer");
+		return (false);
+	}
+	if (rdataset->type == dns_rdatatype_tkey) {
+		/*
+		 * TKEY is not a valid record in a
+		 * response to any query we can make.
+		 */
+		log_formerr(fctx, "TKEY in answer");
+		return (false);
+	}
+	if (rdataset->rdclass != fctx->res->rdclass) {
+		log_formerr(fctx, "Mismatched class in answer");
+		return (false);
+	}
+	return (true);
+}
+
+static isc_result_t
+answer_response(fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
+	dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *ardataset = NULL, *crdataset = NULL;
+	dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL;
+	bool done = false, aa;
+	unsigned int dname_labels, domain_labels;
+	bool chaining = false;
+	dns_rdatatype_t type;
+	dns_view_t *view = NULL;
+	dns_trust_t trust;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	FCTXTRACE("answer_response");
+
+	message = fctx->rmessage;
+	qname = &fctx->name;
+	view = fctx->res->view;
+	type = fctx->type;
+
+	/*
+	 * There can be multiple RRSIG and SIG records at a name so
+	 * we treat these types as a subset of ANY.
+	 */
+	if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
+		type = dns_rdatatype_any;
+	}
+
+	/*
+	 * Bigger than any valid DNAME label count.
+	 */
+	dname_labels = dns_name_countlabels(qname);
+	domain_labels = dns_name_countlabels(&fctx->domain);
+
+	/*
+	 * Perform a single pass looking for the answer, cname or covering
+	 * dname.
+	 */
+	for (result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_ANSWER))
+	{
+		int order;
+		unsigned int nlabels;
+		dns_namereln_t namereln;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+		switch (namereln) {
+		case dns_namereln_equal:
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type == type ||
+				    type == dns_rdatatype_any)
+				{
+					aname = name;
+					if (type != dns_rdatatype_any) {
+						ardataset = rdataset;
+					}
+					break;
+				}
+				if (rdataset->type == dns_rdatatype_cname) {
+					cname = name;
+					crdataset = rdataset;
+					break;
+				}
+			}
+			break;
+
+		case dns_namereln_subdomain:
+			/*
+			 * In-scope DNAME records must have at least
+			 * as many labels as the domain being queried.
+			 * They also must be less that qname's labels
+			 * and any previously found dname.
+			 */
+			if (nlabels >= dname_labels || nlabels < domain_labels)
+			{
+				continue;
+			}
+
+			/*
+			 * We are looking for the shortest DNAME if there
+			 * are multiple ones (which there shouldn't be).
+			 */
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
+			{
+				if (rdataset->type != dns_rdatatype_dname) {
+					continue;
+				}
+				dname = name;
+				drdataset = rdataset;
+				dname_labels = nlabels;
+				break;
+			}
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (dname != NULL) {
+		aname = NULL;
+		ardataset = NULL;
+		cname = NULL;
+		crdataset = NULL;
+	} else if (aname != NULL) {
+		cname = NULL;
+		crdataset = NULL;
+	}
+
+	aa = (message->flags & DNS_MESSAGEFLAG_AA);
+	trust = aa ? dns_trust_authanswer : dns_trust_answer;
+
+	if (aname != NULL && type == dns_rdatatype_any) {
+		for (rdataset = ISC_LIST_HEAD(aname->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (!validinanswer(rdataset, fctx)) {
+				return (DNS_R_FORMERR);
+			}
+			if ((fctx->type == dns_rdatatype_sig ||
+			     fctx->type == dns_rdatatype_rrsig) &&
+			     rdataset->type != fctx->type)
+			{
+				continue;
+			}
+			if ((rdataset->type == dns_rdatatype_a ||
+			     rdataset->type == dns_rdatatype_aaaa) &&
+			    !is_answeraddress_allowed(view, aname, rdataset))
+			{
+				return (DNS_R_SERVFAIL);
+			}
+			if ((rdataset->type == dns_rdatatype_cname ||
+			     rdataset->type == dns_rdatatype_dname) &&
+			     !is_answertarget_allowed(fctx, qname, aname,
+						      rdataset, NULL))
+			{
+				return (DNS_R_SERVFAIL);
+			}
+			aname->attributes |= DNS_NAMEATTR_CACHE;
+			aname->attributes |= DNS_NAMEATTR_ANSWER;
+			rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+			rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			rdataset->trust = trust;
+			(void)dns_rdataset_additionaldata(rdataset,
+							  check_related,
+							  fctx);
+		}
+	} else if (aname != NULL) {
+		if (!validinanswer(ardataset, fctx))
+			return (DNS_R_FORMERR);
+		if ((ardataset->type == dns_rdatatype_a ||
+		     ardataset->type == dns_rdatatype_aaaa) &&
+		    !is_answeraddress_allowed(view, aname, ardataset)) {
+			return (DNS_R_SERVFAIL);
+		}
+		if ((ardataset->type == dns_rdatatype_cname ||
+		     ardataset->type == dns_rdatatype_dname) &&
+		    type != ardataset->type &&
+		    type != dns_rdatatype_any &&
+		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+					      NULL))
+		{
+			return (DNS_R_SERVFAIL);
+		}
+		aname->attributes |= DNS_NAMEATTR_CACHE;
+		aname->attributes |= DNS_NAMEATTR_ANSWER;
+		ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		ardataset->attributes |= DNS_RDATASETATTR_CACHE;
+		ardataset->trust = trust;
+		(void)dns_rdataset_additionaldata(ardataset, check_related,
+						  fctx);
+		for (sigrdataset = ISC_LIST_HEAD(aname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+			if (!validinanswer(sigrdataset, fctx))
+				return (DNS_R_FORMERR);
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != type)
+				continue;
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+	} else if (cname != NULL) {
+		if (!validinanswer(crdataset, fctx)) {
+			return (DNS_R_FORMERR);
+		}
+		if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key ||
+		    type == dns_rdatatype_nsec)
+		{
+			char buf[DNS_RDATATYPE_FORMATSIZE];
+			dns_rdatatype_format(type, buf, sizeof(buf));
+			log_formerr(fctx, "CNAME response for %s RR", buf);
+			return (DNS_R_FORMERR);
+		}
+		if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+					     NULL))
+		{
+			return (DNS_R_SERVFAIL);
+		}
+		cname->attributes |= DNS_NAMEATTR_CACHE;
+		cname->attributes |= DNS_NAMEATTR_ANSWER;
+		cname->attributes |= DNS_NAMEATTR_CHAINING;
+		crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		crdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+		crdataset->trust = trust;
+		for (sigrdataset = ISC_LIST_HEAD(cname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (!validinanswer(sigrdataset, fctx)) {
+				return (DNS_R_FORMERR);
+			}
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != dns_rdatatype_cname)
+			{
+				continue;
+			}
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+		chaining = true;
+	} else if (dname != NULL) {
+		if (!validinanswer(drdataset, fctx)) {
+			return (DNS_R_FORMERR);
+		}
+		if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+					     &chaining)) {
+			return (DNS_R_SERVFAIL);
+		}
+		dname->attributes |= DNS_NAMEATTR_CACHE;
+		dname->attributes |= DNS_NAMEATTR_ANSWER;
+		dname->attributes |= DNS_NAMEATTR_CHAINING;
+		drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
+		drdataset->attributes |= DNS_RDATASETATTR_CACHE;
+		drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
+		drdataset->trust = trust;
+		for (sigrdataset = ISC_LIST_HEAD(dname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
+			if (!validinanswer(sigrdataset, fctx)) {
+				return (DNS_R_FORMERR);
+			}
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
+			    sigrdataset->covers != dns_rdatatype_dname)
+			{
+				continue;
+			}
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
+			sigrdataset->trust = trust;
+			break;
+		}
+	} else {
+		log_formerr(fctx, "reply has no answer");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * This response is now potentially cacheable.
+	 */
+	fctx->attributes |= FCTX_ATTR_WANTCACHE;
+
+	/*
+	 * Did chaining end before we got the final answer?
+	 */
+	if (chaining) {
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * We didn't end with an incomplete chain, so the rcode should be
+	 * "no error".
+	 */
+	if (message->rcode != dns_rcode_noerror) {
+		log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
+				  "indicates error");
+		return (DNS_R_FORMERR);
+	}
+
+	/*
+	 * Examine the authority section (if there is one).
+	 *
+	 * We expect there to be only one owner name for all the rdatasets
+	 * in this section, and we expect that it is not external.
+	 */
+	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	while (!done && result == ISC_R_SUCCESS) {
+		bool external;
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		external = !dns_name_issubdomain(name, &fctx->domain);
+		if (!external) {
+			/*
+			 * We expect to find NS or SIG NS rdatasets, and
+			 * nothing else.
+			 */
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (rdataset->type == dns_rdatatype_ns ||
+				    (rdataset->type == dns_rdatatype_rrsig &&
+				     rdataset->covers == dns_rdatatype_ns)) {
+					name->attributes |=
+						DNS_NAMEATTR_CACHE;
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CACHE;
+					if (aa && !chaining) {
+						rdataset->trust =
+						    dns_trust_authauthority;
+					} else {
+						rdataset->trust =
+						    dns_trust_additional;
+					}
+
+					if (rdataset->type == dns_rdatatype_ns)
+					{
+						ns_name = name;
+						ns_rdataset = rdataset;
+					}
+					/*
+					 * Mark any additional data related
+					 * to this rdataset.
+					 */
+					(void)dns_rdataset_additionaldata(
+							rdataset,
+							check_related,
+							fctx);
+					done = true;
+				}
+			}
+		}
+		result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	log_ns_ttl(fctx, "answer_response");
+
+	if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
+	    !dns_name_equal(ns_name, dns_rootname))
+		trim_ns_ttl(fctx, ns_name, ns_rdataset);
+
+	return (result);
+}
+
+static void
+fctx_increference(fetchctx_t *fctx) {
+	REQUIRE(VALID_FCTX(fctx));
+
+	LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+	fctx->references++;
+	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+}
+
+static bool
+fctx_decreference(fetchctx_t *fctx) {
+	bool bucket_empty = false;
+
+	REQUIRE(VALID_FCTX(fctx));
+
+	INSIST(fctx->references > 0);
+	fctx->references--;
+	if (fctx->references == 0) {
+		/*
+		 * No one cares about the result of this fetch anymore.
+		 */
+		if (fctx->pending == 0 && fctx->nqueries == 0 &&
+		    ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
+			/*
+			 * This fctx is already shutdown; we were just
+			 * waiting for the last reference to go away.
+			 */
+			bucket_empty = fctx_unlink(fctx);
+			fctx_destroy(fctx);
+		} else {
+			/*
+			 * Initiate shutdown.
+			 */
+			fctx_shutdown(fctx);
+		}
+	}
+	return (bucket_empty);
+}
+
+static void
+resume_dslookup(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *fevent;
+	dns_resolver_t *res;
+	fetchctx_t *fctx;
+	isc_result_t result;
+	bool bucket_empty;
+	bool locked = false;
+	unsigned int bucketnum;
+	dns_rdataset_t nameservers;
+	dns_fixedname_t fixed;
+	dns_name_t *domain;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	fctx = event->ev_arg;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	UNUSED(task);
+	FCTXTRACE("resume_dslookup");
+
+	if (fevent->node != NULL)
+		dns_db_detachnode(fevent->db, &fevent->node);
+	if (fevent->db != NULL)
+		dns_db_detach(&fevent->db);
+
+	dns_rdataset_init(&nameservers);
+
+	bucketnum = fctx->bucketnum;
+
+	/*
+	 * Note: fevent->rdataset must be disassociated and
+	 * isc_event_free(&event) be called before resuming
+	 * processing of the 'fctx' to prevent use-after-free.
+	 * 'fevent' is set to NULL so as to not have a dangling
+	 * pointer.
+	 */
+	if (fevent->result == ISC_R_CANCELED) {
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		fctx_done(fctx, ISC_R_CANCELED, __LINE__);
+	} else if (fevent->result == ISC_R_SUCCESS) {
+		FCTXTRACE("resuming DS lookup");
+
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		if (dns_rdataset_isassociated(&fctx->nameservers)) {
+			dns_rdataset_disassociate(&fctx->nameservers);
+		}
+		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
+		fctx->ns_ttl = fctx->nameservers.ttl;
+		fctx->ns_ttl_ok = true;
+		log_ns_ttl(fctx, "resume_dslookup");
+
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
+		fcount_decr(fctx);
+		dns_name_free(&fctx->domain, fctx->mctx);
+		dns_name_init(&fctx->domain, NULL);
+		result = dns_name_dup(&fctx->nsname, fctx->mctx, &fctx->domain);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			goto cleanup;
+		}
+		result = fcount_incr(fctx, true);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			goto cleanup;
+		}
+		/*
+		 * Try again.
+		 */
+		fctx_try(fctx, true, false);
+	} else {
+		unsigned int n;
+		dns_rdataset_t *nsrdataset = NULL;
+
+		/*
+		 * Retrieve state from fctx->nsfetch before we destroy it.
+		 */
+		dns_fixedname_init(&fixed);
+		domain = dns_fixedname_name(&fixed);
+		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
+		if (dns_name_equal(&fctx->nsname, domain)) {
+			if (dns_rdataset_isassociated(fevent->rdataset)) {
+				dns_rdataset_disassociate(fevent->rdataset);
+			}
+			fevent = NULL;
+			isc_event_free(&event);
+
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+			dns_resolver_destroyfetch(&fctx->nsfetch);
+			goto cleanup;
+		}
+		if (dns_rdataset_isassociated(
+		    &fctx->nsfetch->private->nameservers)) {
+			dns_rdataset_clone(
+			    &fctx->nsfetch->private->nameservers,
+			    &nameservers);
+			nsrdataset = &nameservers;
+		} else
+			domain = NULL;
+		dns_resolver_destroyfetch(&fctx->nsfetch);
+		n = dns_name_countlabels(&fctx->nsname);
+		dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
+					  &fctx->nsname);
+
+		if (dns_rdataset_isassociated(fevent->rdataset))
+			dns_rdataset_disassociate(fevent->rdataset);
+		fevent = NULL;
+		isc_event_free(&event);
+
+		FCTXTRACE("continuing to look for parent's NS records");
+
+		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
+						  dns_rdatatype_ns, domain,
+						  nsrdataset, NULL,
+						  fctx->options, task,
+						  resume_dslookup, fctx,
+						  &fctx->nsrrset, NULL,
+						  &fctx->nsfetch);
+		/*
+		 * fevent->rdataset (a.k.a. fctx->nsrrset) must not be
+		 * accessed below this point to prevent races with
+		 * another thread concurrently processing the fetch.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+		} else {
+			LOCK(&res->buckets[bucketnum].lock);
+			locked = true;
+			fctx->references++;
+		}
+	}
+
+ cleanup:
+	INSIST(event == NULL);
+	INSIST(fevent == NULL);
+	if (dns_rdataset_isassociated(&nameservers))
+		dns_rdataset_disassociate(&nameservers);
+	if (!locked)
+		LOCK(&res->buckets[bucketnum].lock);
+	bucket_empty = fctx_decreference(fctx);
+	UNLOCK(&res->buckets[bucketnum].lock);
+	if (bucket_empty)
+		empty_bucket(res);
+}
+
+static inline void
+checknamessection(dns_message_t *message, dns_section_t section) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t *rdataset;
+
+	for (result = dns_message_firstname(message, section);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, section))
+	{
+		name = NULL;
+		dns_message_currentname(message, section, &name);
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdataset_current(rdataset, &rdata);
+				if (!dns_rdata_checkowner(name, rdata.rdclass,
+							  rdata.type,
+							  false) ||
+				    !dns_rdata_checknames(&rdata, name, NULL))
+				{
+					rdataset->attributes |=
+						DNS_RDATASETATTR_CHECKNAMES;
+				}
+				dns_rdata_reset(&rdata);
+			}
+		}
+	}
+}
+
+static void
+checknames(dns_message_t *message) {
+
+	checknamessection(message, DNS_SECTION_ANSWER);
+	checknamessection(message, DNS_SECTION_AUTHORITY);
+	checknamessection(message, DNS_SECTION_ADDITIONAL);
+}
+
+/*
+ * Log server NSID at log level 'level'
+ */
+static void
+log_nsid(isc_buffer_t *opt, size_t nsid_len, resquery_t *query,
+	 int level, isc_mem_t *mctx)
+{
+	static const char hex[17] = "0123456789abcdef";
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	uint16_t buflen, i;
+	unsigned char *p, *nsid;
+	unsigned char *buf = NULL, *pbuf = NULL;
+
+	/* Allocate buffer for storing hex version of the NSID */
+	buflen = (uint16_t)nsid_len * 2 + 1;
+	buf = isc_mem_get(mctx, buflen);
+	if (buf == NULL)
+		goto cleanup;
+	pbuf = isc_mem_get(mctx, nsid_len + 1);
+	if (pbuf == NULL)
+		goto cleanup;
+
+	/* Convert to hex */
+	p = buf;
+	nsid = isc_buffer_current(opt);
+	for (i = 0; i < nsid_len; i++) {
+		*p++ = hex[(nsid[i] >> 4) & 0xf];
+		*p++ = hex[nsid[i] & 0xf];
+	}
+	*p = '\0';
+
+	/* Make printable version */
+	p = pbuf;
+	for (i = 0; i < nsid_len; i++) {
+		if (isprint(nsid[i]))
+			*p++ = nsid[i];
+		else
+			*p++ = '.';
+	}
+	*p = '\0';
+
+	isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+			    sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level,
+		      "received NSID %s (\"%s\") from %s", buf, pbuf, addrbuf);
+ cleanup:
+	if (pbuf != NULL)
+		isc_mem_put(mctx, pbuf, nsid_len + 1);
+	if (buf != NULL)
+		isc_mem_put(mctx, buf, buflen);
+}
+
+static bool
+iscname(fetchctx_t *fctx) {
+	isc_result_t result;
+
+	result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
+				      &fctx->name, dns_rdatatype_cname, 0,
+				      NULL, NULL);
+	return (result == ISC_R_SUCCESS ? true : false);
+}
+
+static bool
+betterreferral(fetchctx_t *fctx) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_message_t *message = fctx->rmessage;
+
+	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		if (!isstrictsubdomain(name, &fctx->domain))
+			continue;
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+			if (rdataset->type == dns_rdatatype_ns)
+				return (true);
+	}
+	return (false);
+}
+
+static void
+process_opt(resquery_t *query, dns_rdataset_t *opt) {
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	isc_result_t result;
+	uint16_t optcode;
+	uint16_t optlen;
+	unsigned char *optvalue;
+	dns_adbaddrinfo_t *addrinfo;
+	unsigned char cookie[8];
+	bool seen_cookie = false;
+	bool seen_nsid = false;
+
+	result = dns_rdataset_first(opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+			switch (optcode) {
+			case DNS_OPT_NSID:
+				if (!seen_nsid &&
+				    query->options & DNS_FETCHOPT_WANTNSID)
+					log_nsid(&optbuf, optlen, query,
+						 ISC_LOG_DEBUG(3),
+						 query->fctx->res->mctx);
+				isc_buffer_forward(&optbuf, optlen);
+				seen_nsid = true;
+				break;
+			case DNS_OPT_COOKIE:
+				/*
+				 * Only process the first cookie option.
+				 */
+				if (seen_cookie) {
+					isc_buffer_forward(&optbuf, optlen);
+					break;
+				}
+				optvalue = isc_buffer_current(&optbuf);
+				compute_cc(query, cookie, sizeof(cookie));
+				INSIST(query->fctx->rmessage->cc_bad == 0 &&
+				       query->fctx->rmessage->cc_ok == 0);
+				if (optlen >= 8U &&
+				    memcmp(cookie, optvalue, 8) == 0) {
+					query->fctx->rmessage->cc_ok = 1;
+					inc_stats(query->fctx->res,
+						  dns_resstatscounter_cookieok);
+					addrinfo = query->addrinfo;
+					dns_adb_setcookie(query->fctx->adb,
+							  addrinfo, optvalue,
+							  optlen);
+				} else
+					query->fctx->rmessage->cc_bad = 1;
+				isc_buffer_forward(&optbuf, optlen);
+				inc_stats(query->fctx->res,
+					  dns_resstatscounter_cookiein);
+				seen_cookie = true;
+				break;
+			default:
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			}
+		}
+		INSIST(isc_buffer_remaininglength(&optbuf) == 0U);
+	}
+}
+
+static void
+resquery_response(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	resquery_t *query = event->ev_arg;
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	bool keep_trying, get_nameservers, resend, nextitem;
+	bool truncated;
+	dns_message_t *message;
+	dns_rdataset_t *opt;
+	fetchctx_t *fctx;
+	dns_name_t *fname;
+	dns_fixedname_t foundname;
+	isc_stdtime_t now;
+	isc_time_t tnow, *finish;
+	dns_adbaddrinfo_t *addrinfo;
+	unsigned int options;
+	unsigned int findoptions;
+	isc_result_t broken_server;
+	badnstype_t broken_type = badns_response;
+	bool no_response;
+	unsigned int bucketnum;
+	dns_resolver_t *res;
+	bool bucket_empty;
+#ifdef HAVE_DNSTAP
+	isc_socket_t *sock = NULL;
+	isc_sockaddr_t localaddr, *la = NULL;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	dns_dtmsgtype_t dtmsgtype;
+	dns_compress_t cctx;
+	isc_region_t zr;
+	isc_buffer_t zb;
+#endif /* HAVE_DNSTAP */
+
+	REQUIRE(VALID_QUERY(query));
+	fctx = query->fctx;
+	options = query->options;
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+	QTRACE("response");
+
+	res = fctx->res;
+	if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
+		inc_stats(res, dns_resstatscounter_responsev4);
+	else
+		inc_stats(res, dns_resstatscounter_responsev6);
+
+	(void)isc_timer_touch(fctx->timer);
+
+	keep_trying = false;
+	broken_server = ISC_R_SUCCESS;
+	get_nameservers = false;
+	resend = false;
+	nextitem = false;
+	truncated = false;
+	finish = NULL;
+	no_response = false;
+
+	if (res->exiting) {
+		result = ISC_R_SHUTTINGDOWN;
+		FCTXTRACE("resolver shutting down");
+		goto done;
+	}
+
+	fctx->timeouts = 0;
+	fctx->timeout = false;
+	fctx->addrinfo = query->addrinfo;
+
+	/*
+	 * XXXRTH  We should really get the current time just once.  We
+	 *		need a routine to convert from an isc_time_t to an
+	 *		isc_stdtime_t.
+	 */
+	TIME_NOW(&tnow);
+	finish = &tnow;
+	isc_stdtime_get(&now);
+
+	/*
+	 * Did the dispatcher have a problem?
+	 */
+	if (devent->result != ISC_R_SUCCESS) {
+		if (devent->result == ISC_R_EOF &&
+		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			/*
+			 * The problem might be that they
+			 * don't understand EDNS0.  Turn it
+			 * off and try again.
+			 */
+			options |= DNS_FETCHOPT_NOEDNS0;
+			resend = true;
+			add_bad_edns(fctx, &query->addrinfo->sockaddr);
+		} else {
+			/*
+			 * There's no hope for this query.
+			 */
+			keep_trying = true;
+
+			/*
+			 * If this is a network error on an exclusive query
+			 * socket, mark the server as bad so that we won't try
+			 * it for this fetch again.  Also adjust finish and
+			 * no_response so that we penalize this address in SRTT
+			 * adjustment later.
+			 */
+			if (query->exclusivesocket &&
+			    (devent->result == ISC_R_HOSTUNREACH ||
+			     devent->result == ISC_R_NETUNREACH ||
+			     devent->result == ISC_R_CONNREFUSED ||
+			     devent->result == ISC_R_CANCELED)) {
+				    broken_server = devent->result;
+				    broken_type = badns_unreachable;
+				    finish = NULL;
+				    no_response = true;
+			}
+		}
+		FCTXTRACE3("dispatcher failure", devent->result);
+		goto done;
+	}
+
+	message = fctx->rmessage;
+
+	if (query->tsig != NULL) {
+		result = dns_message_setquerytsig(message, query->tsig);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("unable to set query tsig", result);
+			goto done;
+		}
+	}
+
+	if (query->tsigkey) {
+		result = dns_message_settsigkey(message, query->tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("unable to set tsig key", result);
+			goto done;
+		}
+	}
+
+	dns_message_setclass(message, res->rdclass);
+
+	if ((options & DNS_FETCHOPT_TCP) == 0) {
+		if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
+			dns_adb_setudpsize(fctx->adb, query->addrinfo,
+				   isc_buffer_usedlength(&devent->buffer));
+		else
+			dns_adb_plainresponse(fctx->adb, query->addrinfo);
+	}
+	result = dns_message_parse(message, &devent->buffer, 0);
+	if (result != ISC_R_SUCCESS) {
+		FCTXTRACE3("message failed to parse", result);
+		switch (result) {
+		case ISC_R_UNEXPECTEDEND:
+			if (!message->question_ok ||
+			    (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
+			    (options & DNS_FETCHOPT_TCP) != 0) {
+				/*
+				 * Either the message ended prematurely,
+				 * and/or wasn't marked as being truncated,
+				 * and/or this is a response to a query we
+				 * sent over TCP.  In all of these cases,
+				 * something is wrong with the remote
+				 * server and we don't want to retry using
+				 * TCP.
+				 */
+				if ((query->options & DNS_FETCHOPT_NOEDNS0)
+				    == 0) {
+					/*
+					 * The problem might be that they
+					 * don't understand EDNS0.  Turn it
+					 * off and try again.
+					 */
+					options |= DNS_FETCHOPT_NOEDNS0;
+					resend = true;
+					add_bad_edns(fctx,
+						    &query->addrinfo->sockaddr);
+					inc_stats(res,
+						 dns_resstatscounter_edns0fail);
+				} else {
+					broken_server = result;
+					keep_trying = true;
+				}
+				goto done;
+			}
+			/*
+			 * We defer retrying via TCP for a bit so we can
+			 * check out this message further.
+			 */
+			truncated = true;
+			break;
+		case DNS_R_FORMERR:
+			if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+				/*
+				 * The problem might be that they
+				 * don't understand EDNS0.  Turn it
+				 * off and try again.
+				 */
+				options |= DNS_FETCHOPT_NOEDNS0;
+				resend = true;
+				add_bad_edns(fctx, &query->addrinfo->sockaddr);
+				inc_stats(res, dns_resstatscounter_edns0fail);
+			} else {
+				broken_server = DNS_R_UNEXPECTEDRCODE;
+				keep_trying = true;
+			}
+			goto done;
+		default:
+			/*
+			 * Something bad has happened.
+			 */
+			goto done;
+		}
+	}
+
+	/*
+	 * Log the incoming packet.
+	 */
+	dns_message_logfmtpacket2(message, "received packet from",
+				  &query->addrinfo->sockaddr,
+				  DNS_LOGCATEGORY_RESOLVER,
+				  DNS_LOGMODULE_PACKETS,
+				  &dns_master_style_comment,
+				  ISC_LOG_DEBUG(10), res->mctx);
+
+#ifdef HAVE_DNSTAP
+	/*
+	 * Log the response via dnstap.
+	 */
+	memset(&zr, 0, sizeof(zr));
+	result = dns_compress_init(&cctx, -1, res->mctx);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_init(&zb, zone, sizeof(zone));
+		dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+		result = dns_name_towire(&fctx->domain, &cctx, &zb);
+		if (result == ISC_R_SUCCESS)
+			isc_buffer_usedregion(&zb, &zr);
+		dns_compress_invalidate(&cctx);
+	}
+
+	if ((fctx->qmessage->flags & DNS_MESSAGEFLAG_RD) != 0) {
+		dtmsgtype = DNS_DTTYPE_FR;
+	} else {
+		dtmsgtype = DNS_DTTYPE_RR;
+	}
+
+	if (query->exclusivesocket) {
+		sock = dns_dispatch_getentrysocket(query->dispentry);
+	} else {
+		sock = dns_dispatch_getsocket(query->dispatch);
+	}
+
+	if (sock != NULL) {
+		result = isc_socket_getsockname(sock, &localaddr);
+		if (result == ISC_R_SUCCESS) {
+			la = &localaddr;
+		}
+	}
+
+	dns_dt_send(res->view, dtmsgtype, la, &query->addrinfo->sockaddr,
+		    (query->options & DNS_FETCHOPT_TCP),
+		    &zr, &query->start, NULL, &devent->buffer);
+#endif /* HAVE_DNSTAP */
+
+	if (message->rdclass != res->rdclass) {
+		resend = true;
+		FCTXTRACE("bad class");
+		goto done;
+	}
+
+	/*
+	 * Process receive opt record.
+	 */
+	opt = dns_message_getopt(message);
+	if (opt != NULL)
+		process_opt(query, opt);
+
+	if (message->cc_bad && (options & DNS_FETCHOPT_TCP) == 0) {
+		/*
+		 * If the COOKIE is bad, assume it is an attack and
+		 * keep listening for a good answer.
+		 */
+		nextitem = true;
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_INFO)) {
+			char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+			isc_sockaddr_format(&query->addrinfo->sockaddr,
+					    addrbuf, sizeof(addrbuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+				      "bad cookie from %s", addrbuf);
+		}
+		goto done;
+	}
+
+	/*
+	 * Is the question the same as the one we asked?
+	 * NOERROR/NXDOMAIN/YXDOMAIN/REFUSED/SERVFAIL/BADCOOKIE must have
+	 * the same question.
+	 * FORMERR/NOTIMP if they have a question section then it must match.
+	 */
+	switch (message->rcode) {
+	case dns_rcode_notimp:
+	case dns_rcode_formerr:
+		if (message->counts[DNS_SECTION_QUESTION] == 0)
+			break;
+		/* FALLTHROUGH */
+	case dns_rcode_nxrrset:	/* Not expected. */
+	case dns_rcode_badcookie:
+	case dns_rcode_noerror:
+	case dns_rcode_nxdomain:
+	case dns_rcode_yxdomain:
+	case dns_rcode_refused:
+	case dns_rcode_servfail:
+	default:
+		result = same_question(fctx);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("response did not match question", result);
+			nextitem = true;
+			goto done;
+		}
+		break;
+	}
+
+	/*
+	 * If the message is signed, check the signature.  If not, this
+	 * returns success anyway.
+	 */
+	result = dns_message_checksig(message, res->view);
+	if (result != ISC_R_SUCCESS) {
+		FCTXTRACE3("signature check failed", result);
+		goto done;
+	}
+
+	/*
+	 * The dispatcher should ensure we only get responses with QR set.
+	 */
+	INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
+	/*
+	 * INSIST() that the message comes from the place we sent it to,
+	 * since the dispatch code should ensure this.
+	 *
+	 * INSIST() that the message id is correct (this should also be
+	 * ensured by the dispatch code).
+	 */
+
+	/*
+	 * We have an affirmative response to the query and we have
+	 * previously got a response from this server which indicated
+	 * EDNS may not be supported so we can now cache the lack of
+	 * EDNS support.
+	 */
+	if (opt == NULL && !EDNSOK(query->addrinfo) &&
+	    (message->rcode == dns_rcode_noerror ||
+	     message->rcode == dns_rcode_nxdomain ||
+	     message->rcode == dns_rcode_refused ||
+	     message->rcode == dns_rcode_yxdomain) &&
+	     bad_edns(fctx, &query->addrinfo->sockaddr)) {
+		dns_message_logpacket2(message,
+				       "received packet (bad edns) from",
+				       &query->addrinfo->sockaddr,
+				       DNS_LOGCATEGORY_RESOLVER,
+				       DNS_LOGMODULE_RESOLVER,
+				       ISC_LOG_DEBUG(3),
+				       res->mctx);
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0,
+				    DNS_FETCHOPT_NOEDNS0);
+	} else if (opt == NULL && (message->flags & DNS_MESSAGEFLAG_TC) == 0 &&
+		   !EDNSOK(query->addrinfo) &&
+		   (message->rcode == dns_rcode_noerror ||
+		    message->rcode == dns_rcode_nxdomain) &&
+		   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+		/*
+		 * We didn't get a OPT record in response to a EDNS query.
+		 *
+		 * Old versions of named incorrectly drop the OPT record
+		 * when there is a signed, truncated response so we check
+		 * that TC is not set.
+		 *
+		 * Record that the server is not talking EDNS.  While this
+		 * should be safe to do for any rcode we limit it to NOERROR
+		 * and NXDOMAIN.
+		 */
+		dns_message_logpacket2(message, "received packet (no opt) from",
+				       &query->addrinfo->sockaddr,
+				       DNS_LOGCATEGORY_RESOLVER,
+				       DNS_LOGMODULE_RESOLVER,
+				       ISC_LOG_DEBUG(3), res->mctx);
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    DNS_FETCHOPT_NOEDNS0,
+				    DNS_FETCHOPT_NOEDNS0);
+	}
+
+	/*
+	 * If we get a non error EDNS response record the fact so we
+	 * won't fallback to plain DNS in the future for this server.
+	 */
+	if (opt != NULL && !EDNSOK(query->addrinfo) &&
+	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	    (message->rcode == dns_rcode_noerror ||
+	     message->rcode == dns_rcode_nxdomain ||
+	     message->rcode == dns_rcode_refused ||
+	     message->rcode == dns_rcode_yxdomain)) {
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    FCTX_ADDRINFO_EDNSOK,
+				    FCTX_ADDRINFO_EDNSOK);
+	}
+
+	/*
+	 * Deal with truncated responses by retrying using TCP.
+	 */
+	if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
+		truncated = true;
+
+	if (truncated) {
+		inc_stats(res, dns_resstatscounter_truncated);
+		if ((options & DNS_FETCHOPT_TCP) != 0) {
+			broken_server = DNS_R_TRUNCATEDTCP;
+			keep_trying = true;
+		} else {
+			options |= DNS_FETCHOPT_TCP;
+			resend = true;
+		}
+		FCTXTRACE3("message truncated", result);
+		goto done;
+	}
+
+	/*
+	 * Is it a query response?
+	 */
+	if (message->opcode != dns_opcode_query) {
+		/* XXXRTH Log */
+		broken_server = DNS_R_UNEXPECTEDOPCODE;
+		keep_trying = true;
+		FCTXTRACE("invalid message opcode");
+		goto done;
+	}
+
+	/*
+	 * Update statistics about erroneous responses.
+	 */
+	if (message->rcode != dns_rcode_noerror) {
+		switch (message->rcode) {
+		case dns_rcode_nxdomain:
+			inc_stats(res, dns_resstatscounter_nxdomain);
+			break;
+		case dns_rcode_servfail:
+			inc_stats(res, dns_resstatscounter_servfail);
+			break;
+		case dns_rcode_formerr:
+			inc_stats(res, dns_resstatscounter_formerr);
+			break;
+		case dns_rcode_refused:
+			inc_stats(res, dns_resstatscounter_refused);
+			break;
+		case dns_rcode_badvers:
+			inc_stats(res, dns_resstatscounter_badvers);
+			break;
+		case dns_rcode_badcookie:
+			inc_stats(res, dns_resstatscounter_badcookie);
+			break;
+		default:
+			inc_stats(res, dns_resstatscounter_othererror);
+			break;
+		}
+	}
+
+	/*
+	 * Is the remote server broken, or does it dislike us?
+	 */
+	if (message->rcode != dns_rcode_noerror &&
+	    message->rcode != dns_rcode_yxdomain &&
+	    message->rcode != dns_rcode_nxdomain) {
+		isc_buffer_t b;
+		char code[64];
+		unsigned char cookie[64];
+
+		/*
+		 * Some servers do not ignore unknown EDNS options.
+		 */
+		if (!NOCOOKIE(query->addrinfo) &&
+		    (message->rcode == dns_rcode_formerr ||
+		     message->rcode == dns_rcode_notimp ||
+		     message->rcode == dns_rcode_refused) &&
+		     dns_adb_getcookie(fctx->adb, query->addrinfo,
+				       cookie, sizeof(cookie)) == 0U) {
+			dns_adb_changeflags(fctx->adb, query->addrinfo,
+					    FCTX_ADDRINFO_NOCOOKIE,
+					    FCTX_ADDRINFO_NOCOOKIE);
+			resend = true;
+		} else if ((message->rcode == dns_rcode_formerr ||
+			    message->rcode == dns_rcode_notimp ||
+			    (message->rcode == dns_rcode_servfail &&
+			     dns_message_getopt(message) == NULL)) &&
+			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			/*
+			 * It's very likely they don't like EDNS0.
+			 * If the response code is SERVFAIL, also check if the
+			 * response contains an OPT RR and don't cache the
+			 * failure since it can be returned for various other
+			 * reasons.
+			 *
+			 * XXXRTH  We should check if the question
+			 *		we're asking requires EDNS0, and
+			 *		if so, we should bail out.
+			 */
+			options |= DNS_FETCHOPT_NOEDNS0;
+			resend = true;
+			/*
+			 * Remember that they may not like EDNS0.
+			 */
+			add_bad_edns(fctx, &query->addrinfo->sockaddr);
+			inc_stats(res, dns_resstatscounter_edns0fail);
+		} else if (message->rcode == dns_rcode_formerr) {
+			if (ISFORWARDER(query->addrinfo)) {
+				/*
+				 * This forwarder doesn't understand us,
+				 * but other forwarders might.  Keep trying.
+				 */
+				broken_server = DNS_R_REMOTEFORMERR;
+				keep_trying = true;
+			} else {
+				/*
+				 * The server doesn't understand us.  Since
+				 * all servers for a zone need similar
+				 * capabilities, we assume that we will get
+				 * FORMERR from all servers, and thus we
+				 * cannot make any more progress with this
+				 * fetch.
+				 */
+				log_formerr(fctx, "server sent FORMERR");
+				result = DNS_R_FORMERR;
+			}
+		} else if (message->rcode == dns_rcode_badvers) {
+			unsigned int version;
+			bool setnocookie = false;
+#if DNS_EDNS_VERSION > 0
+			unsigned int flags, mask;
+#endif
+
+			/*
+			 * Some servers return BADVERS to unknown
+			 * EDNS options.  This cannot be long term
+			 * strategy.  Do not disable COOKIE if we have
+			 * already have received a COOKIE from this
+			 * server.
+			 */
+			if (dns_adb_getcookie(fctx->adb, query->addrinfo,
+					      cookie, sizeof(cookie)) == 0U) {
+				if (!NOCOOKIE(query->addrinfo))
+					setnocookie = true;
+				dns_adb_changeflags(fctx->adb, query->addrinfo,
+						    FCTX_ADDRINFO_NOCOOKIE,
+						    FCTX_ADDRINFO_NOCOOKIE);
+			}
+
+			INSIST(opt != NULL);
+			version = (opt->ttl >> 16) & 0xff;
+#if DNS_EDNS_VERSION > 0
+			flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
+				DNS_FETCHOPT_EDNSVERSIONSET;
+			mask = DNS_FETCHOPT_EDNSVERSIONMASK |
+			       DNS_FETCHOPT_EDNSVERSIONSET;
+#endif
+
+			/*
+			 * Record that we got a good EDNS response.
+			 */
+			if (query->ednsversion > (int)version &&
+			    !EDNSOK(query->addrinfo)) {
+				dns_adb_changeflags(fctx->adb, query->addrinfo,
+						    FCTX_ADDRINFO_EDNSOK,
+						    FCTX_ADDRINFO_EDNSOK);
+			}
+
+			/*
+			 * RFC 2671 was not clear that unknown options should
+			 * be ignored.  RFC 6891 is clear that that they
+			 * should be ignored. If we are supporting the
+			 * experimental EDNS > 0 then perform strict
+			 * version checking of badvers responses.  We won't
+			 * be sending COOKIE etc. in that case.
+			 */
+#if DNS_EDNS_VERSION > 0
+			if ((int)version < query->ednsversion) {
+				dns_adb_changeflags(fctx->adb, query->addrinfo,
+						    flags, mask);
+				resend = true;
+			} else {
+				broken_server = DNS_R_BADVERS;
+				keep_trying = true;
+			}
+#else
+			if (version == 0U && setnocookie) {
+				resend = true;
+			} else {
+				broken_server = DNS_R_BADVERS;
+				keep_trying = true;
+			}
+#endif
+		} else if (message->rcode == dns_rcode_badcookie &&
+			   message->cc_ok) {
+			/*
+			 * We have recorded the new cookie.
+			 */
+			if (BADCOOKIE(query->addrinfo))
+				query->options |= DNS_FETCHOPT_TCP;
+			query->addrinfo->flags |= FCTX_ADDRINFO_BADCOOKIE;
+			resend = true;
+		} else {
+			/*
+			 * XXXRTH log.
+			 */
+			broken_server = DNS_R_UNEXPECTEDRCODE;
+			INSIST(broken_server != ISC_R_SUCCESS);
+			keep_trying = true;
+		}
+
+		isc_buffer_init(&b, code, sizeof(code) - 1);
+		dns_rcode_totext(fctx->rmessage->rcode, &b);
+		code[isc_buffer_usedlength(&b)] = '\0';
+		FCTXTRACE2("remote server broken: returned ", code);
+		goto done;
+	}
+
+	/*
+	 * Is the server lame?
+	 */
+	if (res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
+	    is_lame(fctx)) {
+		inc_stats(res, dns_resstatscounter_lame);
+		log_lame(fctx, query->addrinfo);
+		result = dns_adb_marklame(fctx->adb, query->addrinfo,
+					  &fctx->name, fctx->type,
+					  now + res->lame_ttl);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+				      DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+				      "could not mark server as lame: %s",
+				      isc_result_totext(result));
+		broken_server = DNS_R_LAME;
+		keep_trying = true;
+		FCTXTRACE("lame server");
+		goto done;
+	}
+
+	/*
+	 * Enforce delegations only zones like NET and COM.
+	 */
+	if (!ISFORWARDER(query->addrinfo) &&
+	    dns_view_isdelegationonly(res->view, &fctx->domain) &&
+	    !dns_name_equal(&fctx->domain, &fctx->name) &&
+	    fix_mustbedelegationornxdomain(message, fctx)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char domainbuf[DNS_NAME_FORMATSIZE];
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+		char classbuf[64];
+		char typebuf[64];
+
+		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(res->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+				    sizeof(addrbuf));
+
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
+			     DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			     "enforced delegation-only for '%s' (%s/%s/%s) "
+			     "from %s",
+			     domainbuf, namebuf, typebuf, classbuf, addrbuf);
+	}
+
+	if ((res->options & DNS_RESOLVER_CHECKNAMES) != 0)
+		checknames(message);
+
+	/*
+	 * Clear cache bits.
+	 */
+	fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
+
+	/*
+	 * Did we get any answers?
+	 */
+	if (message->counts[DNS_SECTION_ANSWER] > 0 &&
+	    (message->rcode == dns_rcode_noerror ||
+	     message->rcode == dns_rcode_yxdomain ||
+	     message->rcode == dns_rcode_nxdomain)) {
+		/*
+		 * [normal case]
+		 * We've got answers.  If it has an authoritative answer or an
+		 * answer from a forwarder, we're done.
+		 */
+		if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
+		    ISFORWARDER(query->addrinfo))
+		{
+			result = answer_response(fctx);
+			if (result != ISC_R_SUCCESS)
+				FCTXTRACE3("answer_response (AA/fwd)", result);
+		} else if (iscname(fctx) &&
+			 fctx->type != dns_rdatatype_any &&
+			 fctx->type != dns_rdatatype_cname)
+		{
+			/*
+			 * A BIND8 server could return a non-authoritative
+			 * answer when a CNAME is followed.  We should treat
+			 * it as a valid answer.
+			 */
+			result = answer_response(fctx);
+			if (result != ISC_R_SUCCESS)
+				FCTXTRACE3("answer_response (!ANY/!CNAME)",
+					   result);
+		} else if (fctx->type != dns_rdatatype_ns &&
+			   !betterreferral(fctx)) {
+			/*
+			 * Lame response !!!.
+			 */
+			result = answer_response(fctx);
+			if (result != ISC_R_SUCCESS)
+				FCTXTRACE3("answer_response (!NS)", result);
+		} else {
+			if (fctx->type == dns_rdatatype_ns) {
+				/*
+				 * A BIND 8 server could incorrectly return a
+				 * non-authoritative answer to an NS query
+				 * instead of a referral. Since this answer
+				 * lacks the SIGs necessary to do DNSSEC
+				 * validation, we must invoke the following
+				 * special kludge to treat it as a referral.
+				 */
+				result = noanswer_response(fctx, NULL,
+						   LOOK_FOR_NS_IN_ANSWER);
+				if (result != ISC_R_SUCCESS)
+					FCTXTRACE3("noanswer_response (NS)",
+						   result);
+			} else {
+				/*
+				 * Some other servers may still somehow include
+				 * an answer when it should return a referral
+				 * with an empty answer.  Check to see if we can
+				 * treat this as a referral by ignoring the
+				 * answer.  Further more, there may be an
+				 * implementation that moves A/AAAA glue records
+				 * to the answer section for that type of
+				 * delegation when the query is for that glue
+				 * record.  LOOK_FOR_GLUE_IN_ANSWER will handle
+				 * such a corner case.
+				 */
+				result = noanswer_response(fctx, NULL,
+						   LOOK_FOR_GLUE_IN_ANSWER);
+				if (result != ISC_R_SUCCESS)
+					FCTXTRACE3("noanswer_response", result);
+			}
+			if (result != DNS_R_DELEGATION) {
+				/*
+				 * At this point, AA is not set, the response
+				 * is not a referral, and the server is not a
+				 * forwarder.  It is technically lame and it's
+				 * easier to treat it as such than to figure out
+				 * some more elaborate course of action.
+				 */
+				broken_server = DNS_R_LAME;
+				keep_trying = true;
+				goto done;
+			}
+			goto force_referral;
+		}
+		if (result != ISC_R_SUCCESS) {
+			if (result == DNS_R_FORMERR)
+				keep_trying = true;
+			goto done;
+		}
+	} else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
+		   message->rcode == dns_rcode_noerror ||
+		   message->rcode == dns_rcode_nxdomain) {
+		/*
+		 * NXDOMAIN, NXRDATASET, or referral.
+		 */
+		result = noanswer_response(fctx, NULL, 0);
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case DNS_R_CHASEDSSERVERS:
+			break;
+		case DNS_R_DELEGATION:
+ force_referral:
+			/*
+			 * We don't have the answer, but we know a better
+			 * place to look.
+			 */
+			get_nameservers = true;
+			keep_trying = true;
+			/*
+			 * We have a new set of name servers, and it
+			 * has not experienced any restarts yet.
+			 */
+			fctx->restarts = 0;
+
+			/*
+			 * Update local statistics counters collected for each
+			 * new zone.
+			 */
+			fctx->referrals++;
+			fctx->querysent = 0;
+			fctx->lamecount = 0;
+			fctx->quotacount = 0;
+			fctx->neterr = 0;
+			fctx->badresp = 0;
+			fctx->adberr = 0;
+
+			result = ISC_R_SUCCESS;
+			break;
+		default:
+			/*
+			 * Something has gone wrong.
+			 */
+			if (result == DNS_R_FORMERR)
+				keep_trying = true;
+			FCTXTRACE3("noanswer_response", result);
+			goto done;
+		}
+	} else {
+		/*
+		 * The server is insane.
+		 */
+		/* XXXRTH Log */
+		broken_server = DNS_R_UNEXPECTEDRCODE;
+		keep_trying = true;
+		FCTXTRACE("broken server: unexpected rcode");
+		goto done;
+	}
+
+	/*
+	 * Follow additional section data chains.
+	 */
+	chase_additional(fctx);
+
+	/*
+	 * Cache the cacheable parts of the message.  This may also cause
+	 * work to be queued to the DNSSEC validator.
+	 */
+	if (WANTCACHE(fctx)) {
+		result = cache_message(fctx, query->addrinfo, now);
+		if (result != ISC_R_SUCCESS) {
+			FCTXTRACE3("cache_message complete", result);
+			goto done;
+		}
+	}
+
+	/*
+	 * Ncache the negatively cacheable parts of the message.  This may
+	 * also cause work to be queued to the DNSSEC validator.
+	 */
+	if (WANTNCACHE(fctx)) {
+		dns_rdatatype_t covers;
+
+		/*
+		 * Cache DS NXDOMAIN seperately to other types.
+		 */
+		if (message->rcode == dns_rcode_nxdomain &&
+		    fctx->type != dns_rdatatype_ds)
+			covers = dns_rdatatype_any;
+		else
+			covers = fctx->type;
+
+		/*
+		 * Cache any negative cache entries in the message.
+		 */
+		result = ncache_message(fctx, query->addrinfo, covers, now);
+		if (result != ISC_R_SUCCESS)
+			FCTXTRACE3("ncache_message complete", result);
+	}
+
+ done:
+	/*
+	 * Remember the query's addrinfo, in case we need to mark the
+	 * server as broken.
+	 */
+	addrinfo = query->addrinfo;
+
+	FCTXTRACE4("query canceled in response(); ",
+		   no_response ? "no response" : "responding",
+		   result);
+
+	/*
+	 * Cancel the query.
+	 *
+	 * XXXRTH  Don't cancel the query if waiting for validation?
+	 */
+	if (!nextitem)
+		fctx_cancelquery(&query, &devent, finish,
+				 no_response, false);
+
+#ifdef ENABLE_AFL
+	if (dns_fuzzing_resolver && (keep_trying || resend)) {
+		fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+		return;
+	} else
+#endif
+	if (keep_trying) {
+		if (result == DNS_R_FORMERR)
+			broken_server = DNS_R_FORMERR;
+		if (broken_server != ISC_R_SUCCESS) {
+			/*
+			 * Add this server to the list of bad servers for
+			 * this fctx.
+			 */
+			add_bad(fctx, addrinfo, broken_server, broken_type);
+		}
+
+		if (get_nameservers) {
+			dns_name_t *name;
+			fname = dns_fixedname_initname(&foundname);
+			if (result != ISC_R_SUCCESS) {
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+				return;
+			}
+			findoptions = 0;
+			if (dns_rdatatype_atparent(fctx->type))
+				findoptions |= DNS_DBFIND_NOEXACT;
+			if ((options & DNS_FETCHOPT_UNSHARED) == 0)
+				name = &fctx->name;
+			else
+				name = &fctx->domain;
+			result = dns_view_findzonecut(res->view,
+						      name, fname,
+						      now, findoptions,
+						      true,
+						      &fctx->nameservers,
+						      NULL);
+			if (result != ISC_R_SUCCESS) {
+				FCTXTRACE("couldn't find a zonecut");
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+				return;
+			}
+			if (!dns_name_issubdomain(fname, &fctx->domain)) {
+				/*
+				 * The best nameservers are now above our
+				 * QDOMAIN.
+				 */
+				FCTXTRACE("nameservers now above QDOMAIN");
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+				return;
+			}
+
+			fcount_decr(fctx);
+			dns_name_free(&fctx->domain, fctx->mctx);
+			dns_name_init(&fctx->domain, NULL);
+			result = dns_name_dup(fname, fctx->mctx, &fctx->domain);
+			if (result != ISC_R_SUCCESS) {
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+				return;
+			}
+			result = fcount_incr(fctx, true);
+			if (result != ISC_R_SUCCESS) {
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
+				return;
+			}
+			fctx->ns_ttl = fctx->nameservers.ttl;
+			fctx->ns_ttl_ok = true;
+			fctx_cancelqueries(fctx, true, false);
+			fctx_cleanupfinds(fctx);
+			fctx_cleanupaltfinds(fctx);
+			fctx_cleanupforwaddrs(fctx);
+			fctx_cleanupaltaddrs(fctx);
+		}
+		/*
+		 * Try again.
+		 */
+		fctx_try(fctx, !get_nameservers, false);
+	} else if (resend) {
+		/*
+		 * Resend (probably with changed options).
+		 */
+		FCTXTRACE("resend");
+		inc_stats(res, dns_resstatscounter_retry);
+		bucketnum = fctx->bucketnum;
+		fctx_increference(fctx);
+		result = fctx_query(fctx, addrinfo, options);
+		if (result != ISC_R_SUCCESS) {
+			fctx_done(fctx, result, __LINE__);
+			LOCK(&res->buckets[bucketnum].lock);
+			bucket_empty = fctx_decreference(fctx);
+			UNLOCK(&res->buckets[bucketnum].lock);
+			if (bucket_empty)
+				empty_bucket(res);
+		}
+	} else if (nextitem) {
+		/*
+		 * Wait for next item.
+		 */
+		FCTXTRACE("nextitem");
+		inc_stats(fctx->res, dns_resstatscounter_nextitem);
+		INSIST(query->dispentry != NULL);
+		dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
+		result = dns_dispatch_getnext(query->dispentry, &devent);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+	} else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
+		/*
+		 * All has gone well so far, but we are waiting for the
+		 * DNSSEC validator to validate the answer.
+		 */
+		FCTXTRACE("wait for validator");
+		fctx_cancelqueries(fctx, true, false);
+		/*
+		 * We must not retransmit while the validator is working;
+		 * it has references to the current rmessage.
+		 */
+		result = fctx_stopidletimer(fctx);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+	} else if (result == DNS_R_CHASEDSSERVERS) {
+		unsigned int n;
+		add_bad(fctx, addrinfo, result, broken_type);
+		fctx_cancelqueries(fctx, true, false);
+		fctx_cleanupfinds(fctx);
+		fctx_cleanupforwaddrs(fctx);
+
+		n = dns_name_countlabels(&fctx->name);
+		dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
+
+		FCTXTRACE("suspending DS lookup to find parent's NS records");
+
+		result = dns_resolver_createfetch(res, &fctx->nsname,
+						  dns_rdatatype_ns,
+						  NULL, NULL, NULL,
+						  fctx->options, task,
+						  resume_dslookup, fctx,
+						  &fctx->nsrrset, NULL,
+						  &fctx->nsfetch);
+		if (result != ISC_R_SUCCESS)
+			fctx_done(fctx, result, __LINE__);
+		else {
+			fctx_increference(fctx);
+			result = fctx_stopidletimer(fctx);
+			if (result != ISC_R_SUCCESS)
+				fctx_done(fctx, result, __LINE__);
+		}
+	} else {
+		/*
+		 * We're done.
+		 */
+		fctx_done(fctx, result, __LINE__);
+	}
+}
+
+/***
+ *** Resolver Methods
+ ***/
+static void
+destroy(dns_resolver_t *res) {
+	unsigned int i;
+	alternate_t *a;
+
+	REQUIRE(res->references == 0);
+	REQUIRE(!res->priming);
+	REQUIRE(res->primefetch == NULL);
+
+	RTRACE("destroy");
+
+	INSIST(res->nfctx == 0);
+
+	DESTROYLOCK(&res->primelock);
+	DESTROYLOCK(&res->nlock);
+	DESTROYLOCK(&res->lock);
+	for (i = 0; i < res->nbuckets; i++) {
+		INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
+		isc_task_shutdown(res->buckets[i].task);
+		isc_task_detach(&res->buckets[i].task);
+		DESTROYLOCK(&res->buckets[i].lock);
+		isc_mem_detach(&res->buckets[i].mctx);
+	}
+	isc_mem_put(res->mctx, res->buckets,
+		    res->nbuckets * sizeof(fctxbucket_t));
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		INSIST(ISC_LIST_EMPTY(res->dbuckets[i].list));
+		isc_mem_detach(&res->dbuckets[i].mctx);
+		DESTROYLOCK(&res->dbuckets[i].lock);
+	}
+	isc_mem_put(res->mctx, res->dbuckets,
+		    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+	if (res->dispatches4 != NULL)
+		dns_dispatchset_destroy(&res->dispatches4);
+	if (res->dispatches6 != NULL)
+		dns_dispatchset_destroy(&res->dispatches6);
+	while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
+		ISC_LIST_UNLINK(res->alternates, a, link);
+		if (!a->isaddress)
+			dns_name_free(&a->_u._n.name, res->mctx);
+		isc_mem_put(res->mctx, a, sizeof(*a));
+	}
+	dns_resolver_reset_algorithms(res);
+	dns_resolver_reset_ds_digests(res);
+	dns_badcache_destroy(&res->badcache);
+	dns_resolver_resetmustbesecure(res);
+#if USE_ALGLOCK
+	isc_rwlock_destroy(&res->alglock);
+#endif
+#if USE_MBSLOCK
+	isc_rwlock_destroy(&res->mbslock);
+#endif
+	isc_timer_detach(&res->spillattimer);
+	res->magic = 0;
+	isc_mem_put(res->mctx, res, sizeof(*res));
+}
+
+static void
+send_shutdown_events(dns_resolver_t *res) {
+	isc_event_t *event, *next_event;
+	isc_task_t *etask;
+
+	/*
+	 * Caller must be holding the resolver lock.
+	 */
+
+	for (event = ISC_LIST_HEAD(res->whenshutdown);
+	     event != NULL;
+	     event = next_event) {
+		next_event = ISC_LIST_NEXT(event, ev_link);
+		ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
+		etask = event->ev_sender;
+		event->ev_sender = res;
+		isc_task_sendanddetach(&etask, &event);
+	}
+}
+
+static void
+empty_bucket(dns_resolver_t *res) {
+	RTRACE("empty_bucket");
+
+	LOCK(&res->lock);
+
+	INSIST(res->activebuckets > 0);
+	res->activebuckets--;
+	if (res->activebuckets == 0)
+		send_shutdown_events(res);
+
+	UNLOCK(&res->lock);
+}
+
+static void
+spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
+	dns_resolver_t *res = event->ev_arg;
+	isc_result_t result;
+	unsigned int count;
+	bool logit = false;
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	UNUSED(task);
+
+	LOCK(&res->lock);
+	INSIST(!res->exiting);
+	if (res->spillat > res->spillatmin) {
+		res->spillat--;
+		logit = true;
+	}
+	if (res->spillat <= res->spillatmin) {
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL,
+					 NULL, true);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+	count = res->spillat;
+	UNLOCK(&res->lock);
+	if (logit)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+			      DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+			      "clients-per-query decreased to %u", count);
+
+	isc_event_free(&event);
+}
+
+isc_result_t
+dns_resolver_create(dns_view_t *view,
+		    isc_taskmgr_t *taskmgr,
+		    unsigned int ntasks, unsigned int ndisp,
+		    isc_socketmgr_t *socketmgr,
+		    isc_timermgr_t *timermgr,
+		    unsigned int options,
+		    dns_dispatchmgr_t *dispatchmgr,
+		    dns_dispatch_t *dispatchv4,
+		    dns_dispatch_t *dispatchv6,
+		    dns_resolver_t **resp)
+{
+	dns_resolver_t *res;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int i, buckets_created = 0, dbuckets_created = 0;
+	isc_task_t *task = NULL;
+	char name[16];
+	unsigned dispattr;
+
+	/*
+	 * Create a resolver.
+	 */
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ntasks > 0);
+	REQUIRE(ndisp > 0);
+	REQUIRE(resp != NULL && *resp == NULL);
+	REQUIRE(dispatchmgr != NULL);
+	REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
+
+	res = isc_mem_get(view->mctx, sizeof(*res));
+	if (res == NULL)
+		return (ISC_R_NOMEMORY);
+	RTRACE("create");
+	res->mctx = view->mctx;
+	res->rdclass = view->rdclass;
+	res->socketmgr = socketmgr;
+	res->timermgr = timermgr;
+	res->taskmgr = taskmgr;
+	res->dispatchmgr = dispatchmgr;
+	res->view = view;
+	res->options = options;
+	res->lame_ttl = 0;
+	ISC_LIST_INIT(res->alternates);
+	res->udpsize = RECV_BUFFER_SIZE;
+	res->algorithms = NULL;
+	res->digests = NULL;
+	res->badcache = NULL;
+	dns_badcache_init(res->mctx, DNS_RESOLVER_BADCACHESIZE,
+			  &res->badcache);
+	res->mustbesecure = NULL;
+	res->spillatmin = res->spillat = 10;
+	res->spillatmax = 100;
+	res->spillattimer = NULL;
+	res->zspill = 0;
+	res->zero_no_soa_ttl = false;
+	res->query_timeout = DEFAULT_QUERY_TIMEOUT;
+	res->maxdepth = DEFAULT_RECURSION_DEPTH;
+	res->maxqueries = DEFAULT_MAX_QUERIES;
+	res->quotaresp[dns_quotatype_zone] = DNS_R_DROP;
+	res->quotaresp[dns_quotatype_server] = DNS_R_SERVFAIL;
+	res->nbuckets = ntasks;
+	if (view->resstats != NULL)
+		isc_stats_set(view->resstats, ntasks,
+			      dns_resstatscounter_buckets);
+	res->activebuckets = ntasks;
+	res->buckets = isc_mem_get(view->mctx,
+				   ntasks * sizeof(fctxbucket_t));
+	if (res->buckets == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_res;
+	}
+	for (i = 0; i < ntasks; i++) {
+		result = isc_mutex_init(&res->buckets[i].lock);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_buckets;
+		res->buckets[i].task = NULL;
+		result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
+		if (result != ISC_R_SUCCESS) {
+			DESTROYLOCK(&res->buckets[i].lock);
+			goto cleanup_buckets;
+		}
+		res->buckets[i].mctx = NULL;
+		snprintf(name, sizeof(name), "res%u", i);
+#ifdef ISC_PLATFORM_USETHREADS
+		/*
+		 * Use a separate memory context for each bucket to reduce
+		 * contention among multiple threads.  Do this only when
+		 * enabling threads because it will be require more memory.
+		 */
+		result = isc_mem_create(0, 0, &res->buckets[i].mctx);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_detach(&res->buckets[i].task);
+			DESTROYLOCK(&res->buckets[i].lock);
+			goto cleanup_buckets;
+		}
+		isc_mem_setname(res->buckets[i].mctx, name, NULL);
+#else
+		isc_mem_attach(view->mctx, &res->buckets[i].mctx);
+#endif
+		isc_task_setname(res->buckets[i].task, name, res);
+		ISC_LIST_INIT(res->buckets[i].fctxs);
+		res->buckets[i].exiting = false;
+		buckets_created++;
+	}
+
+	res->dbuckets = isc_mem_get(view->mctx,
+				    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+	if (res->dbuckets == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_buckets;
+	}
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		ISC_LIST_INIT(res->dbuckets[i].list);
+		res->dbuckets[i].mctx = NULL;
+		isc_mem_attach(view->mctx, &res->dbuckets[i].mctx);
+		result = isc_mutex_init(&res->dbuckets[i].lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_detach(&res->dbuckets[i].mctx);
+			goto cleanup_dbuckets;
+		}
+		dbuckets_created++;
+	}
+
+	res->dispatches4 = NULL;
+	if (dispatchv4 != NULL) {
+		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
+				       dispatchv4, &res->dispatches4, ndisp);
+		dispattr = dns_dispatch_getattributes(dispatchv4);
+		res->exclusivev4 = (dispattr & DNS_DISPATCHATTR_EXCLUSIVE);
+	}
+
+	res->dispatches6 = NULL;
+	if (dispatchv6 != NULL) {
+		dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
+				       dispatchv6, &res->dispatches6, ndisp);
+		dispattr = dns_dispatch_getattributes(dispatchv6);
+		res->exclusivev6 = (dispattr & DNS_DISPATCHATTR_EXCLUSIVE);
+	}
+
+	res->querydscp4 = -1;
+	res->querydscp6 = -1;
+	res->references = 1;
+	res->exiting = false;
+	res->frozen = false;
+	ISC_LIST_INIT(res->whenshutdown);
+	res->priming = false;
+	res->primefetch = NULL;
+	res->nfctx = 0;
+
+	result = isc_mutex_init(&res->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_dispatches;
+
+	result = isc_mutex_init(&res->nlock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	result = isc_mutex_init(&res->primelock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_nlock;
+
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_primelock;
+	isc_task_setname(task, "resolver_task", NULL);
+
+	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+				  task, spillattimer_countdown, res,
+				  &res->spillattimer);
+	isc_task_detach(&task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_primelock;
+
+#if USE_ALGLOCK
+	result = isc_rwlock_init(&res->alglock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_spillattimer;
+#endif
+#if USE_MBSLOCK
+	result = isc_rwlock_init(&res->mbslock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+#if USE_ALGLOCK
+		goto cleanup_alglock;
+#else
+		goto cleanup_spillattimer;
+#endif
+#endif
+
+	res->magic = RES_MAGIC;
+
+	*resp = res;
+
+	return (ISC_R_SUCCESS);
+
+#if USE_ALGLOCK && USE_MBSLOCK
+ cleanup_alglock:
+	isc_rwlock_destroy(&res->alglock);
+#endif
+
+#if USE_ALGLOCK || USE_MBSLOCK
+ cleanup_spillattimer:
+	isc_timer_detach(&res->spillattimer);
+#endif
+
+ cleanup_primelock:
+	DESTROYLOCK(&res->primelock);
+
+ cleanup_nlock:
+	DESTROYLOCK(&res->nlock);
+
+ cleanup_lock:
+	DESTROYLOCK(&res->lock);
+
+ cleanup_dispatches:
+	if (res->dispatches6 != NULL)
+		dns_dispatchset_destroy(&res->dispatches6);
+	if (res->dispatches4 != NULL)
+		dns_dispatchset_destroy(&res->dispatches4);
+
+ cleanup_dbuckets:
+	for (i = 0; i < dbuckets_created; i++) {
+		DESTROYLOCK(&res->dbuckets[i].lock);
+		isc_mem_detach(&res->dbuckets[i].mctx);
+	}
+	isc_mem_put(view->mctx, res->dbuckets,
+		    RES_DOMAIN_BUCKETS * sizeof(zonebucket_t));
+
+ cleanup_buckets:
+	for (i = 0; i < buckets_created; i++) {
+		isc_mem_detach(&res->buckets[i].mctx);
+		DESTROYLOCK(&res->buckets[i].lock);
+		isc_task_shutdown(res->buckets[i].task);
+		isc_task_detach(&res->buckets[i].task);
+	}
+	isc_mem_put(view->mctx, res->buckets,
+		    res->nbuckets * sizeof(fctxbucket_t));
+
+ cleanup_res:
+	isc_mem_put(view->mctx, res, sizeof(*res));
+
+	return (result);
+}
+
+static void
+prime_done(isc_task_t *task, isc_event_t *event) {
+	dns_resolver_t *res;
+	dns_fetchevent_t *fevent;
+	dns_fetch_t *fetch;
+	dns_db_t *db = NULL;
+
+	REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+	fevent = (dns_fetchevent_t *)event;
+	res = event->ev_arg;
+	REQUIRE(VALID_RESOLVER(res));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "resolver priming query complete");
+
+	UNUSED(task);
+
+	LOCK(&res->lock);
+
+	INSIST(res->priming);
+	res->priming = false;
+	LOCK(&res->primelock);
+	fetch = res->primefetch;
+	res->primefetch = NULL;
+	UNLOCK(&res->primelock);
+
+	UNLOCK(&res->lock);
+
+	if (fevent->result == ISC_R_SUCCESS &&
+	    res->view->cache != NULL && res->view->hints != NULL) {
+		dns_cache_attachdb(res->view->cache, &db);
+		dns_root_checkhints(res->view, res->view->hints, db);
+		dns_db_detach(&db);
+	}
+
+	if (fevent->node != NULL)
+		dns_db_detachnode(fevent->db, &fevent->node);
+	if (fevent->db != NULL)
+		dns_db_detach(&fevent->db);
+	if (dns_rdataset_isassociated(fevent->rdataset))
+		dns_rdataset_disassociate(fevent->rdataset);
+	INSIST(fevent->sigrdataset == NULL);
+
+	isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
+
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&fetch);
+}
+
+void
+dns_resolver_prime(dns_resolver_t *res) {
+	bool want_priming = false;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(res->frozen);
+
+	RTRACE("dns_resolver_prime");
+
+	LOCK(&res->lock);
+
+	if (!res->exiting && !res->priming) {
+		INSIST(res->primefetch == NULL);
+		res->priming = true;
+		want_priming = true;
+	}
+
+	UNLOCK(&res->lock);
+
+	if (want_priming) {
+		/*
+		 * To avoid any possible recursive locking problems, we
+		 * start the priming fetch like any other fetch, and holding
+		 * no resolver locks.  No one else will try to start it
+		 * because we're the ones who set res->priming to true.
+		 * Any other callers of dns_resolver_prime() while we're
+		 * running will see that res->priming is already true and
+		 * do nothing.
+		 */
+		RTRACE("priming");
+		rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
+		if (rdataset == NULL) {
+			LOCK(&res->lock);
+			INSIST(res->priming);
+			INSIST(res->primefetch == NULL);
+			res->priming = false;
+			UNLOCK(&res->lock);
+			return;
+		}
+		dns_rdataset_init(rdataset);
+		LOCK(&res->primelock);
+		result = dns_resolver_createfetch(res, dns_rootname,
+						  dns_rdatatype_ns,
+						  NULL, NULL, NULL, 0,
+						  res->buckets[0].task,
+						  prime_done,
+						  res, rdataset, NULL,
+						  &res->primefetch);
+		UNLOCK(&res->primelock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(res->mctx, rdataset, sizeof(*rdataset));
+			LOCK(&res->lock);
+			INSIST(res->priming);
+			res->priming = false;
+			UNLOCK(&res->lock);
+		}
+	}
+}
+
+void
+dns_resolver_freeze(dns_resolver_t *res) {
+	/*
+	 * Freeze resolver.
+	 */
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	res->frozen = true;
+}
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
+	REQUIRE(VALID_RESOLVER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	RRTRACE(source, "attach");
+	LOCK(&source->lock);
+	REQUIRE(!source->exiting);
+
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+			  isc_event_t **eventp)
+{
+	isc_task_t *tclone;
+	isc_event_t *event;
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(eventp != NULL);
+
+	event = *eventp;
+	*eventp = NULL;
+
+	LOCK(&res->lock);
+
+	if (res->exiting && res->activebuckets == 0) {
+		/*
+		 * We're already shutdown.  Send the event.
+		 */
+		event->ev_sender = res;
+		isc_task_send(task, &event);
+	} else {
+		tclone = NULL;
+		isc_task_attach(task, &tclone);
+		event->ev_sender = tclone;
+		ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
+	}
+
+	UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_shutdown(dns_resolver_t *res) {
+	unsigned int i;
+	fetchctx_t *fctx;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(res));
+
+	RTRACE("shutdown");
+
+	LOCK(&res->lock);
+
+	if (!res->exiting) {
+		RTRACE("exiting");
+		res->exiting = true;
+
+		for (i = 0; i < res->nbuckets; i++) {
+			LOCK(&res->buckets[i].lock);
+			for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
+			     fctx != NULL;
+			     fctx = ISC_LIST_NEXT(fctx, link))
+				fctx_shutdown(fctx);
+			if (res->dispatches4 != NULL && !res->exclusivev4) {
+				dns_dispatchset_cancelall(res->dispatches4,
+							  res->buckets[i].task);
+			}
+			if (res->dispatches6 != NULL && !res->exclusivev6) {
+				dns_dispatchset_cancelall(res->dispatches6,
+							  res->buckets[i].task);
+			}
+			res->buckets[i].exiting = true;
+			if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
+				INSIST(res->activebuckets > 0);
+				res->activebuckets--;
+			}
+			UNLOCK(&res->buckets[i].lock);
+		}
+		if (res->activebuckets == 0)
+			send_shutdown_events(res);
+		result = isc_timer_reset(res->spillattimer,
+					 isc_timertype_inactive, NULL,
+					 NULL, true);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+	UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_detach(dns_resolver_t **resp) {
+	dns_resolver_t *res;
+	bool need_destroy = false;
+
+	REQUIRE(resp != NULL);
+	res = *resp;
+	REQUIRE(VALID_RESOLVER(res));
+
+	RTRACE("detach");
+
+	LOCK(&res->lock);
+
+	INSIST(res->references > 0);
+	res->references--;
+	if (res->references == 0) {
+		INSIST(res->exiting && res->activebuckets == 0);
+		need_destroy = true;
+	}
+
+	UNLOCK(&res->lock);
+
+	if (need_destroy)
+		destroy(res);
+
+	*resp = NULL;
+}
+
+static inline bool
+fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
+	   unsigned int options)
+{
+	/*
+	 * Don't match fetch contexts that are shutting down.
+	 */
+	if (fctx->cloned || fctx->state == fetchstate_done ||
+	    ISC_LIST_EMPTY(fctx->events))
+		return (false);
+
+	if (fctx->type != type || fctx->options != options)
+		return (false);
+	return (dns_name_equal(&fctx->name, name));
+}
+
+static inline void
+log_fetch(dns_name_t *name, dns_rdatatype_t type) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	int level = ISC_LOG_DEBUG(1);
+
+	/*
+	 * If there's no chance of logging it, don't render (format) the
+	 * name and RDATA type (further below), and return early.
+	 */
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level,
+		      "fetch: %s/%s", namebuf, typebuf);
+}
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+			 dns_rdatatype_t type,
+			 dns_name_t *domain, dns_rdataset_t *nameservers,
+			 dns_forwarders_t *forwarders,
+			 unsigned int options, isc_task_t *task,
+			 isc_taskaction_t action, void *arg,
+			 dns_rdataset_t *rdataset,
+			 dns_rdataset_t *sigrdataset,
+			 dns_fetch_t **fetchp)
+{
+	return (dns_resolver_createfetch3(res, name, type, domain,
+					  nameservers, forwarders, NULL, 0,
+					  options, 0, NULL, task, action, arg,
+					  rdataset, sigrdataset, fetchp));
+}
+
+isc_result_t
+dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, dns_messageid_t id,
+			  unsigned int options, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp)
+{
+	return (dns_resolver_createfetch3(res, name, type, domain,
+					  nameservers, forwarders, client, id,
+					  options, 0, NULL, task, action, arg,
+					  rdataset, sigrdataset, fetchp));
+}
+
+isc_result_t
+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
+			  dns_rdatatype_t type,
+			  dns_name_t *domain, dns_rdataset_t *nameservers,
+			  dns_forwarders_t *forwarders,
+			  isc_sockaddr_t *client, dns_messageid_t id,
+			  unsigned int options, unsigned int depth,
+			  isc_counter_t *qc, isc_task_t *task,
+			  isc_taskaction_t action, void *arg,
+			  dns_rdataset_t *rdataset,
+			  dns_rdataset_t *sigrdataset,
+			  dns_fetch_t **fetchp)
+{
+	dns_fetch_t *fetch;
+	fetchctx_t *fctx = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int bucketnum;
+	bool new_fctx = false;
+	isc_event_t *event;
+	unsigned int count = 0;
+	unsigned int spillat;
+	unsigned int spillatmin;
+	bool dodestroy = false;
+
+	UNUSED(forwarders);
+
+	REQUIRE(VALID_RESOLVER(res));
+	REQUIRE(res->frozen);
+	/* XXXRTH  Check for meta type */
+	if (domain != NULL) {
+		REQUIRE(DNS_RDATASET_VALID(nameservers));
+		REQUIRE(nameservers->type == dns_rdatatype_ns);
+	} else
+		REQUIRE(nameservers == NULL);
+	REQUIRE(forwarders == NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+	REQUIRE(sigrdataset == NULL ||
+		!dns_rdataset_isassociated(sigrdataset));
+	REQUIRE(fetchp != NULL && *fetchp == NULL);
+
+	log_fetch(name, type);
+
+	/*
+	 * XXXRTH  use a mempool?
+	 */
+	fetch = isc_mem_get(res->mctx, sizeof(*fetch));
+	if (fetch == NULL)
+		return (ISC_R_NOMEMORY);
+	fetch->mctx = NULL;
+	isc_mem_attach(res->mctx, &fetch->mctx);
+
+	bucketnum = dns_name_fullhash(name, false) % res->nbuckets;
+
+	LOCK(&res->lock);
+	spillat = res->spillat;
+	spillatmin = res->spillatmin;
+	UNLOCK(&res->lock);
+	LOCK(&res->buckets[bucketnum].lock);
+
+	if (res->buckets[bucketnum].exiting) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto unlock;
+	}
+
+	if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
+		for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
+		     fctx != NULL;
+		     fctx = ISC_LIST_NEXT(fctx, link)) {
+			if (fctx_match(fctx, name, type, options))
+				break;
+		}
+	}
+
+	/*
+	 * Is this a duplicate?
+	 */
+	if (fctx != NULL && client != NULL) {
+		dns_fetchevent_t *fevent;
+		for (fevent = ISC_LIST_HEAD(fctx->events);
+		     fevent != NULL;
+		     fevent = ISC_LIST_NEXT(fevent, ev_link)) {
+			if (fevent->client != NULL && fevent->id == id &&
+			    isc_sockaddr_equal(fevent->client, client)) {
+				result = DNS_R_DUPLICATE;
+				goto unlock;
+			}
+			count++;
+		}
+	}
+	if (count >= spillatmin && spillatmin != 0) {
+		INSIST(fctx != NULL);
+		if (count >= spillat)
+			fctx->spilled = true;
+		if (fctx->spilled) {
+			result = DNS_R_DROP;
+			goto unlock;
+		}
+	}
+
+	if (fctx == NULL) {
+		result = fctx_create(res, name, type, domain, nameservers,
+				     options, bucketnum, depth, qc, &fctx);
+		if (result != ISC_R_SUCCESS)
+			goto unlock;
+		new_fctx = true;
+	} else if (fctx->depth > depth)
+		fctx->depth = depth;
+
+	result = fctx_join(fctx, task, client, id, action, arg,
+			   rdataset, sigrdataset, fetch);
+	if (new_fctx) {
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Launch this fctx.
+			 */
+			event = &fctx->control_event;
+			ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+				       DNS_EVENT_FETCHCONTROL,
+				       fctx_start, fctx, NULL,
+				       NULL, NULL);
+			isc_task_send(res->buckets[bucketnum].task, &event);
+		} else {
+			/*
+			 * We don't care about the result of fctx_unlink()
+			 * since we know we're not exiting.
+			 */
+			(void)fctx_unlink(fctx);
+			dodestroy = true;
+		}
+	}
+
+ unlock:
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	if (dodestroy)
+		fctx_destroy(fctx);
+
+	if (result == ISC_R_SUCCESS) {
+		FTRACE("created");
+		*fetchp = fetch;
+	} else
+		isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+
+	return (result);
+}
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch) {
+	fetchctx_t *fctx;
+	dns_resolver_t *res;
+	dns_fetchevent_t *event, *next_event;
+	isc_task_t *etask;
+
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	FTRACE("cancelfetch");
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	/*
+	 * Find the completion event for this fetch (as opposed
+	 * to those for other fetches that have joined the same
+	 * fctx) and send it with result = ISC_R_CANCELED.
+	 */
+	event = NULL;
+	if (fctx->state != fetchstate_done) {
+		for (event = ISC_LIST_HEAD(fctx->events);
+		     event != NULL;
+		     event = next_event) {
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			if (event->fetch == fetch) {
+				ISC_LIST_UNLINK(fctx->events, event, ev_link);
+				break;
+			}
+		}
+	}
+	if (event != NULL) {
+		etask = event->ev_sender;
+		event->ev_sender = fctx;
+		event->result = ISC_R_CANCELED;
+		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
+	}
+	/*
+	 * The fctx continues running even if no fetches remain;
+	 * the answer is still cached.
+	 */
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
+	dns_fetch_t *fetch;
+	dns_resolver_t *res;
+	dns_fetchevent_t *event, *next_event;
+	fetchctx_t *fctx;
+	unsigned int bucketnum;
+	bool bucket_empty;
+
+	REQUIRE(fetchp != NULL);
+	fetch = *fetchp;
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	FTRACE("destroyfetch");
+
+	bucketnum = fctx->bucketnum;
+	LOCK(&res->buckets[bucketnum].lock);
+
+	/*
+	 * Sanity check: the caller should have gotten its event before
+	 * trying to destroy the fetch.
+	 */
+	event = NULL;
+	if (fctx->state != fetchstate_done) {
+		for (event = ISC_LIST_HEAD(fctx->events);
+		     event != NULL;
+		     event = next_event) {
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			RUNTIME_CHECK(event->fetch != fetch);
+		}
+	}
+
+	bucket_empty = fctx_decreference(fctx);
+
+	UNLOCK(&res->buckets[bucketnum].lock);
+
+	isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
+	*fetchp = NULL;
+
+	if (bucket_empty)
+		empty_bucket(res);
+}
+
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, bool duplicateok)
+{
+	fetchctx_t *fctx;
+	dns_resolver_t *res;
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	INSIST(fctx->exitline >= 0);
+	if (!fctx->logged || duplicateok) {
+		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		isc_log_write(lctx, category, module, level,
+			      "fetch completed at %s:%d for %s in "
+			      "%" PRIu64 "."
+			      "%06" PRIu64 ": %s/%s "
+			      "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
+			      "timeout:%u,lame:%u,quota:%u,neterr:%u,"
+			      "badresp:%u,adberr:%u,findfail:%u,valfail:%u]",
+			      __FILE__, fctx->exitline, fctx->info,
+			      fctx->duration / US_PER_SEC,
+			      fctx->duration % US_PER_SEC,
+			      isc_result_totext(fctx->result),
+			      isc_result_totext(fctx->vresult), domainbuf,
+			      fctx->referrals, fctx->restarts,
+			      fctx->querysent, fctx->timeouts,
+			      fctx->lamecount, fctx->quotacount,
+			      fctx->neterr, fctx->badresp, fctx->adberr,
+			      fctx->findfail, fctx->valfail);
+		fctx->logged = true;
+	}
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->dispatchmgr);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (dns_dispatchset_get(resolver->dispatches4));
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (dns_dispatchset_get(resolver->dispatches6));
+}
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->socketmgr);
+}
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->taskmgr);
+}
+
+uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->lame_ttl);
+}
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, uint32_t lame_ttl) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->lame_ttl = lame_ttl;
+}
+
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver) {
+	unsigned int n;
+	LOCK(&resolver->nlock);
+	n = resolver->nfctx;
+	UNLOCK(&resolver->nlock);
+	return (n);
+}
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+			  dns_name_t *name, in_port_t port) {
+	alternate_t *a;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(!resolver->frozen);
+	REQUIRE((alt == NULL) ^ (name == NULL));
+
+	a = isc_mem_get(resolver->mctx, sizeof(*a));
+	if (a == NULL)
+		return (ISC_R_NOMEMORY);
+	if (alt != NULL) {
+		a->isaddress = true;
+		a->_u.addr = *alt;
+	} else {
+		a->isaddress = false;
+		a->_u._n.port = port;
+		dns_name_init(&a->_u._n.name, NULL);
+		result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(resolver->mctx, a, sizeof(*a));
+			return (result);
+		}
+	}
+	ISC_LINK_INIT(a, link);
+	ISC_LIST_APPEND(resolver->alternates, a, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, uint16_t udpsize) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->udpsize = udpsize;
+}
+
+uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->udpsize);
+}
+
+void
+dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) {
+	if (name != NULL)
+		dns_badcache_flushname(resolver->badcache, name);
+	else
+		dns_badcache_flush(resolver->badcache);
+}
+
+void
+dns_resolver_flushbadnames(dns_resolver_t *resolver, dns_name_t *name) {
+	dns_badcache_flushtree(resolver->badcache, name);
+}
+
+void
+dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *expire)
+{
+#ifdef ENABLE_AFL
+	if (!dns_fuzzing_resolver)
+#endif
+	{
+		(void) dns_badcache_add(resolver->badcache, name, type,
+					false, 0, expire);
+	}
+}
+
+bool
+dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
+			 dns_rdatatype_t type, isc_time_t *now)
+{
+	return (dns_badcache_find(resolver->badcache, name, type, NULL, now));
+}
+
+void
+dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
+	(void) dns_badcache_print(resolver->badcache, "Bad cache", fp);
+}
+
+static void
+free_algorithm(void *node, void *arg) {
+	unsigned char *algorithms = node;
+	isc_mem_t *mctx = arg;
+
+	isc_mem_put(mctx, algorithms, *algorithms);
+}
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->algorithms != NULL)
+		dns_rbt_destroy(&resolver->algorithms);
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int alg)
+{
+	unsigned int len, mask;
+	unsigned char *tmp;
+	unsigned char *algorithms;
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Whether an algorithm is disabled (or not) is stored in a
+	 * per-name bitfield that is stored as the node data of an
+	 * RBT.
+	 */
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	if (alg > 255)
+		return (ISC_R_RANGE);
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->algorithms == NULL) {
+		result = dns_rbt_create(resolver->mctx, free_algorithm,
+					resolver->mctx, &resolver->algorithms);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	len = alg/8 + 2;
+	mask = 1 << (alg%8);
+
+	result = dns_rbt_addnode(resolver->algorithms, name, &node);
+
+	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+		algorithms = node->data;
+		/*
+		 * If algorithms is set, algorithms[0] contains its
+		 * length.
+		 */
+		if (algorithms == NULL || len > *algorithms) {
+			/*
+			 * If no bitfield exists in the node data, or if
+			 * it is not long enough, allocate a new
+			 * bitfield and copy the old (smaller) bitfield
+			 * into it if one exists.
+			 */
+			tmp = isc_mem_get(resolver->mctx, len);
+			if (tmp == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			memset(tmp, 0, len);
+			if (algorithms != NULL)
+				memmove(tmp, algorithms, *algorithms);
+			tmp[len-1] |= mask;
+			/* 'tmp[0]' should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
+			/* Free the older bitfield. */
+			if (algorithms != NULL)
+				isc_mem_put(resolver->mctx, algorithms,
+					    *algorithms);
+		} else
+			algorithms[len-1] |= mask;
+	}
+	result = ISC_R_SUCCESS;
+ cleanup:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	return (result);
+}
+
+bool
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int alg)
+{
+	unsigned int len, mask;
+	unsigned char *algorithms;
+	void *data = NULL;
+	isc_result_t result;
+	bool found = false;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	/*
+	 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+	 */
+	if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+		return (false);
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+	if (resolver->algorithms == NULL)
+		goto unlock;
+	result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		len = alg/8 + 2;
+		mask = 1 << (alg%8);
+		algorithms = data;
+		if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
+			found = true;
+	}
+ unlock:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+	if (found)
+		return (false);
+
+	return (dst_algorithm_supported(alg));
+}
+
+static void
+free_digest(void *node, void *arg) {
+	unsigned char *digests = node;
+	isc_mem_t *mctx = arg;
+
+	isc_mem_put(mctx, digests, *digests);
+}
+
+void
+dns_resolver_reset_ds_digests(dns_resolver_t *resolver) {
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->digests != NULL)
+		dns_rbt_destroy(&resolver->digests);
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name,
+			       unsigned int digest_type)
+{
+	unsigned int len, mask;
+	unsigned char *tmp;
+	unsigned char *digests;
+	isc_result_t result;
+	dns_rbtnode_t *node = NULL;
+
+	/*
+	 * Whether a digest is disabled (or not) is stored in a per-name
+	 * bitfield that is stored as the node data of an RBT.
+	 */
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	if (digest_type > 255)
+		return (ISC_R_RANGE);
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	if (resolver->digests == NULL) {
+		result = dns_rbt_create(resolver->mctx, free_digest,
+					resolver->mctx, &resolver->digests);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	len = digest_type/8 + 2;
+	mask = 1 << (digest_type%8);
+
+	result = dns_rbt_addnode(resolver->digests, name, &node);
+
+	if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+		digests = node->data;
+		/* If digests is set, digests[0] contains its length. */
+		if (digests == NULL || len > *digests) {
+			/*
+			 * If no bitfield exists in the node data, or if
+			 * it is not long enough, allocate a new
+			 * bitfield and copy the old (smaller) bitfield
+			 * into it if one exists.
+			 */
+			tmp = isc_mem_get(resolver->mctx, len);
+			if (tmp == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			memset(tmp, 0, len);
+			if (digests != NULL)
+				memmove(tmp, digests, *digests);
+			tmp[len-1] |= mask;
+			/* tmp[0] should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
+			/* Free the older bitfield. */
+			if (digests != NULL)
+				isc_mem_put(resolver->mctx, digests,
+					    *digests);
+		} else
+			digests[len-1] |= mask;
+	}
+	result = ISC_R_SUCCESS;
+ cleanup:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+	return (result);
+}
+
+bool
+dns_resolver_ds_digest_supported(dns_resolver_t *resolver, dns_name_t *name,
+				 unsigned int digest_type)
+{
+	unsigned int len, mask;
+	unsigned char *digests;
+	void *data = NULL;
+	isc_result_t result;
+	bool found = false;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+	RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+	if (resolver->digests == NULL)
+		goto unlock;
+	result = dns_rbt_findname(resolver->digests, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		len = digest_type/8 + 2;
+		mask = 1 << (digest_type%8);
+		digests = data;
+		if (len <= *digests && (digests[len-1] & mask) != 0)
+			found = true;
+	}
+ unlock:
+#if USE_ALGLOCK
+	RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+	if (found)
+		return (false);
+	return (dst_ds_digest_supported(digest_type));
+}
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+	if (resolver->mustbesecure != NULL)
+		dns_rbt_destroy(&resolver->mustbesecure);
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+}
+
+static bool yes = true, no = false;
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
+			     bool value)
+{
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+	if (resolver->mustbesecure == NULL) {
+		result = dns_rbt_create(resolver->mctx, NULL, NULL,
+					&resolver->mustbesecure);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+	result = dns_rbt_addname(resolver->mustbesecure, name,
+				 value ? &yes : &no);
+ cleanup:
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+	return (result);
+}
+
+bool
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
+	void *data = NULL;
+	bool value = false;
+	isc_result_t result;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+	RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif
+	if (resolver->mustbesecure == NULL)
+		goto unlock;
+	result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		value = *(bool*)data;
+ unlock:
+#if USE_MBSLOCK
+	RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif
+	return (value);
+}
+
+void
+dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur,
+				uint32_t *min, uint32_t *max)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	if (cur != NULL)
+		*cur = resolver->spillat;
+	if (min != NULL)
+		*min = resolver->spillatmin;
+	if (max != NULL)
+		*max = resolver->spillatmax;
+	UNLOCK(&resolver->lock);
+}
+
+void
+dns_resolver_setclientsperquery(dns_resolver_t *resolver, uint32_t min,
+				uint32_t max)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	resolver->spillatmin = resolver->spillat = min;
+	resolver->spillatmax = max;
+	UNLOCK(&resolver->lock);
+}
+
+void
+dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	LOCK(&resolver->lock);
+	resolver->zspill = clients;
+	UNLOCK(&resolver->lock);
+}
+
+
+bool
+dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->zero_no_soa_ttl);
+}
+
+void
+dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->zero_no_soa_ttl = state;
+}
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->options);
+}
+
+unsigned int
+dns_resolver_gettimeout(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->query_timeout);
+}
+
+void
+dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	if (seconds == 0)
+		seconds = DEFAULT_QUERY_TIMEOUT;
+	if (seconds > MAXIMUM_QUERY_TIMEOUT)
+		seconds = MAXIMUM_QUERY_TIMEOUT;
+	if (seconds < MINIMUM_QUERY_TIMEOUT)
+		seconds =  MINIMUM_QUERY_TIMEOUT;
+
+	resolver->query_timeout = seconds;
+}
+
+void
+dns_resolver_setquerydscp4(dns_resolver_t *resolver, isc_dscp_t dscp) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->querydscp4 = dscp;
+}
+
+isc_dscp_t
+dns_resolver_getquerydscp4(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->querydscp4);
+}
+
+void
+dns_resolver_setquerydscp6(dns_resolver_t *resolver, isc_dscp_t dscp) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	resolver->querydscp6 = dscp;
+}
+
+isc_dscp_t
+dns_resolver_getquerydscp6(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->querydscp6);
+}
+
+void
+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->maxdepth = maxdepth;
+}
+
+unsigned int
+dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->maxdepth);
+}
+
+void
+dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	resolver->maxqueries = queries;
+}
+
+unsigned int
+dns_resolver_getmaxqueries(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+	return (resolver->maxqueries);
+}
+
+void
+dns_resolver_dumpfetches(dns_resolver_t *resolver,
+			 isc_statsformat_t format, FILE *fp)
+{
+	int i;
+
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(fp != NULL);
+	REQUIRE(format == isc_statsformat_file);
+
+	for (i = 0; i < RES_DOMAIN_BUCKETS; i++) {
+		fctxcount_t *fc;
+		LOCK(&resolver->dbuckets[i].lock);
+		for (fc = ISC_LIST_HEAD(resolver->dbuckets[i].list);
+		     fc != NULL;
+		     fc = ISC_LIST_NEXT(fc, link))
+		{
+			dns_name_print(fc->domain, fp);
+			fprintf(fp, ": %u active (%u spilled, %u allowed)\n",
+				fc->count, fc->dropped, fc->allowed);
+		}
+		UNLOCK(&resolver->dbuckets[i].lock);
+	}
+}
+
+void
+dns_resolver_setquotaresponse(dns_resolver_t *resolver,
+			      dns_quotatype_t which, isc_result_t resp)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(which == dns_quotatype_zone || which == dns_quotatype_server);
+	REQUIRE(resp == DNS_R_DROP || resp == DNS_R_SERVFAIL);
+
+	resolver->quotaresp[which] = resp;
+}
+
+isc_result_t
+dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which)
+{
+	REQUIRE(VALID_RESOLVER(resolver));
+	REQUIRE(which == dns_quotatype_zone || which == dns_quotatype_server);
+
+	return (resolver->quotaresp[which]);
+}
diff --git a/lib/dns/result.c b/lib/dns/result.c
new file mode 100644
index 0000000..e7507c5
--- /dev/null
+++ b/lib/dns/result.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/lib.h>
+
+static const char *text[DNS_R_NRESULTS] = {
+	"label too long",		       /*%< 0 DNS_R_LABELTOOLONG */
+	"bad escape",			       /*%< 1 DNS_R_BADESCAPE */
+	/*!
+	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+	 * deprecated.
+	 */
+	"bad bitstring",		       /*%< 2 DNS_R_BADBITSTRING */
+	"bitstring too long",		       /*%< 3 DNS_R_BITSTRINGTOOLONG */
+	"empty label",			       /*%< 4 DNS_R_EMPTYLABEL */
+
+	"bad dotted quad",		       /*%< 5 DNS_R_BADDOTTEDQUAD */
+	"invalid NS owner name (wildcard)",    /*%< 6 DNS_R_INVALIDNS */
+	"unknown class/type",		       /*%< 7 DNS_R_UNKNOWN */
+	"bad label type",		       /*%< 8 DNS_R_BADLABELTYPE */
+	"bad compression pointer",	       /*%< 9 DNS_R_BADPOINTER */
+
+	"too many hops",		       /*%< 10 DNS_R_TOOMANYHOPS */
+	"disallowed (by application policy)",  /*%< 11 DNS_R_DISALLOWED */
+	"extra input text",		       /*%< 12 DNS_R_EXTRATOKEN */
+	"extra input data",		       /*%< 13 DNS_R_EXTRADATA */
+	"text too long",		       /*%< 14 DNS_R_TEXTTOOLONG */
+
+	"not at top of zone",		       /*%< 15 DNS_R_NOTZONETOP */
+	"syntax error",			       /*%< 16 DNS_R_SYNTAX */
+	"bad checksum",			       /*%< 17 DNS_R_BADCKSUM */
+	"bad IPv6 address",		       /*%< 18 DNS_R_BADAAAA */
+	"no owner",			       /*%< 19 DNS_R_NOOWNER */
+
+	"no ttl",			       /*%< 20 DNS_R_NOTTL */
+	"bad class",			       /*%< 21 DNS_R_BADCLASS */
+	"name too long",		       /*%< 22 DNS_R_NAMETOOLONG */
+	"partial match",		       /*%< 23 DNS_R_PARTIALMATCH */
+	"new origin",			       /*%< 24 DNS_R_NEWORIGIN */
+
+	"unchanged",			       /*%< 25 DNS_R_UNCHANGED */
+	"bad ttl",			       /*%< 26 DNS_R_BADTTL */
+	"more data needed/to be rendered",     /*%< 27 DNS_R_NOREDATA */
+	"continue",			       /*%< 28 DNS_R_CONTINUE */
+	"delegation",			       /*%< 29 DNS_R_DELEGATION */
+
+	"glue",				       /*%< 30 DNS_R_GLUE */
+	"dname",			       /*%< 31 DNS_R_DNAME */
+	"cname",			       /*%< 32 DNS_R_CNAME */
+	"bad database",			       /*%< 33 DNS_R_BADDB */
+	"zonecut",			       /*%< 34 DNS_R_ZONECUT */
+
+	"bad zone",			       /*%< 35 DNS_R_BADZONE */
+	"more data",			       /*%< 36 DNS_R_MOREDATA */
+	"up to date",			       /*%< 37 DNS_R_UPTODATE */
+	"tsig verify failure",		       /*%< 38 DNS_R_TSIGVERIFYFAILURE */
+	"tsig indicates error",		       /*%< 39 DNS_R_TSIGERRORSET */
+
+	"RRSIG failed to verify",	       /*%< 40 DNS_R_SIGINVALID */
+	"RRSIG has expired",		       /*%< 41 DNS_R_SIGEXPIRED */
+	"RRSIG validity period has not begun", /*%< 42 DNS_R_SIGFUTURE */
+	"key is unauthorized to sign data",    /*%< 43 DNS_R_KEYUNAUTHORIZED */
+	"invalid time",			       /*%< 44 DNS_R_INVALIDTIME */
+
+	"expected a TSIG or SIG(0)",	       /*%< 45 DNS_R_EXPECTEDTSIG */
+	"did not expect a TSIG or SIG(0)",     /*%< 46 DNS_R_UNEXPECTEDTSIG */
+	"TKEY is unacceptable",		       /*%< 47 DNS_R_INVALIDTKEY */
+	"hint",				       /*%< 48 DNS_R_HINT */
+	"drop",				       /*%< 49 DNS_R_DROP */
+
+	"zone not loaded",		       /*%< 50 DNS_R_NOTLOADED */
+	"ncache nxdomain",		       /*%< 51 DNS_R_NCACHENXDOMAIN */
+	"ncache nxrrset",		       /*%< 52 DNS_R_NCACHENXRRSET */
+	"wait",				       /*%< 53 DNS_R_WAIT */
+	"not verified yet",		       /*%< 54 DNS_R_NOTVERIFIEDYET */
+
+	"no identity",			       /*%< 55 DNS_R_NOIDENTITY */
+	"no journal",			       /*%< 56 DNS_R_NOJOURNAL */
+	"alias",			       /*%< 57 DNS_R_ALIAS */
+	"use TCP",			       /*%< 58 DNS_R_USETCP */
+	"no valid RRSIG",		       /*%< 59 DNS_R_NOVALIDSIG */
+
+	"no valid NSEC",		       /*%< 60 DNS_R_NOVALIDNSEC */
+	"insecurity proof failed",	       /*%< 61 DNS_R_NOTINSECURE */
+	"unknown service",		       /*%< 62 DNS_R_UNKNOWNSERVICE */
+	"recoverable error occurred",	       /*%< 63 DNS_R_RECOVERABLE */
+	"unknown opt attribute record",	       /*%< 64 DNS_R_UNKNOWNOPT */
+
+	"unexpected message id",	       /*%< 65 DNS_R_UNEXPECTEDID */
+	"seen include file",		       /*%< 66 DNS_R_SEENINCLUDE */
+	"not exact",		       	       /*%< 67 DNS_R_NOTEXACT */
+	"address blackholed",	       	       /*%< 68 DNS_R_BLACKHOLED */
+	"bad algorithm",		       /*%< 69 DNS_R_BADALG */
+
+	"invalid use of a meta type",	       /*%< 70 DNS_R_METATYPE */
+	"CNAME and other data",		       /*%< 71 DNS_R_CNAMEANDOTHER */
+	"multiple RRs of singleton type",      /*%< 72 DNS_R_SINGLETON */
+	"hint nxrrset",			       /*%< 73 DNS_R_HINTNXRRSET */
+	"no master file configured",	       /*%< 74 DNS_R_NOMASTERFILE */
+
+	"unknown protocol",		       /*%< 75 DNS_R_UNKNOWNPROTO */
+	"clocks are unsynchronized",	       /*%< 76 DNS_R_CLOCKSKEW */
+	"IXFR failed",			       /*%< 77 DNS_R_BADIXFR */
+	"not authoritative",		       /*%< 78 DNS_R_NOTAUTHORITATIVE */
+	"no valid KEY",		       	       /*%< 79 DNS_R_NOVALIDKEY */
+
+	"obsolete",			       /*%< 80 DNS_R_OBSOLETE */
+	"already frozen",		       /*%< 81 DNS_R_FROZEN */
+	"unknown flag",			       /*%< 82 DNS_R_UNKNOWNFLAG */
+	"expected a response",		       /*%< 83 DNS_R_EXPECTEDRESPONSE */
+	"no valid DS",			       /*%< 84 DNS_R_NOVALIDDS */
+
+	"NS is an address",		       /*%< 85 DNS_R_NSISADDRESS */
+	"received FORMERR",		       /*%< 86 DNS_R_REMOTEFORMERR */
+	"truncated TCP response",	       /*%< 87 DNS_R_TRUNCATEDTCP */
+	"lame server detected",		       /*%< 88 DNS_R_LAME */
+	"unexpected RCODE",		       /*%< 89 DNS_R_UNEXPECTEDRCODE */
+
+	"unexpected OPCODE",		       /*%< 90 DNS_R_UNEXPECTEDOPCODE */
+	"chase DS servers",		       /*%< 91 DNS_R_CHASEDSSERVERS */
+	"empty name",			       /*%< 92 DNS_R_EMPTYNAME */
+	"empty wild",			       /*%< 93 DNS_R_EMPTYWILD */
+	"bad bitmap",			       /*%< 94 DNS_R_BADBITMAP */
+
+	"from wildcard",		       /*%< 95 DNS_R_FROMWILDCARD */
+	"bad owner name (check-names)",	       /*%< 96 DNS_R_BADOWNERNAME */
+	"bad name (check-names)",	       /*%< 97 DNS_R_BADNAME */
+	"dynamic zone",			       /*%< 98 DNS_R_DYNAMIC */
+	"unknown command",		       /*%< 99 DNS_R_UNKNOWNCOMMAND */
+
+	"must-be-secure",		       /*%< 100 DNS_R_MUSTBESECURE */
+	"covering NSEC record returned",       /*%< 101 DNS_R_COVERINGNSEC */
+	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
+	"duplicate query",		       /*%< 103 DNS_R_DUPLICATE */
+	"invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */
+
+	"not master",			       /*%< 105 DNS_R_NOTMASTER */
+	"broken trust chain",		       /*%< 106 DNS_R_BROKENCHAIN */
+	"expired",			       /*%< 107 DNS_R_EXPIRED */
+	"not dynamic",			       /*%< 108 DNS_R_NOTDYNAMIC */
+	"bad EUI",			       /*%< 109 DNS_R_BADEUI */
+
+	"covered by negative trust anchor",    /*%< 110 DNS_R_NTACOVERED */
+	"bad CDS",			       /*%< 111 DNS_R_BADCDS */
+	"bad CDNSKEY",			       /*%< 112 DNS_R_BADCDNSKEY */
+	"malformed OPT option",		       /*%< 113 DNS_R_OPTERR */
+	"malformed DNSTAP data",	       /*%< 114 DNS_R_BADDNSTAP */
+
+	"TSIG in wrong location",	       /*%< 115 DNS_R_BADTSIG */
+	"SIG(0) in wrong location",	       /*%< 116 DNS_R_BADSIG0 */
+	"too many records",	               /*%< 117 DNS_R_TOOMANYRECORDS */
+};
+
+static const char *ids[DNS_R_NRESULTS] = {
+	"DNS_R_LABELTOOLONG",
+	"DNS_R_BADESCAPE",
+	/*!
+	 * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+	 * deprecated.
+	 */
+	"DNS_R_BADBITSTRING",
+	"DNS_R_BITSTRINGTOOLONG",
+	"DNS_R_EMPTYLABEL",
+	"DNS_R_BADDOTTEDQUAD",
+	"DNS_R_INVALIDNS",
+	"DNS_R_UNKNOWN",
+	"DNS_R_BADLABELTYPE",
+	"DNS_R_BADPOINTER",
+	"DNS_R_TOOMANYHOPS",
+	"DNS_R_DISALLOWED",
+	"DNS_R_EXTRATOKEN",
+	"DNS_R_EXTRADATA",
+	"DNS_R_TEXTTOOLONG",
+	"DNS_R_NOTZONETOP",
+	"DNS_R_SYNTAX",
+	"DNS_R_BADCKSUM",
+	"DNS_R_BADAAAA",
+	"DNS_R_NOOWNER",
+	"DNS_R_NOTTL",
+	"DNS_R_BADCLASS",
+	"DNS_R_NAMETOOLONG",
+	"DNS_R_PARTIALMATCH",
+	"DNS_R_NEWORIGIN",
+	"DNS_R_UNCHANGED",
+	"DNS_R_BADTTL",
+	"DNS_R_NOREDATA",
+	"DNS_R_CONTINUE",
+	"DNS_R_DELEGATION",
+	"DNS_R_GLUE",
+	"DNS_R_DNAME",
+	"DNS_R_CNAME",
+	"DNS_R_BADDB",
+	"DNS_R_ZONECUT",
+	"DNS_R_BADZONE",
+	"DNS_R_MOREDATA",
+	"DNS_R_UPTODATE",
+	"DNS_R_TSIGVERIFYFAILURE",
+	"DNS_R_TSIGERRORSET",
+	"DNS_R_SIGINVALID",
+	"DNS_R_SIGEXPIRED",
+	"DNS_R_SIGFUTURE",
+	"DNS_R_KEYUNAUTHORIZED",
+	"DNS_R_INVALIDTIME",
+	"DNS_R_EXPECTEDTSIG",
+	"DNS_R_UNEXPECTEDTSIG",
+	"DNS_R_INVALIDTKEY",
+	"DNS_R_HINT",
+	"DNS_R_DROP",
+	"DNS_R_NOTLOADED",
+	"DNS_R_NCACHENXDOMAIN",
+	"DNS_R_NCACHENXRRSET",
+	"DNS_R_WAIT",
+	"DNS_R_NOTVERIFIEDYET",
+	"DNS_R_NOIDENTITY",
+	"DNS_R_NOJOURNAL",
+	"DNS_R_ALIAS",
+	"DNS_R_USETCP",
+	"DNS_R_NOVALIDSIG",
+	"DNS_R_NOVALIDNSEC",
+	"DNS_R_NOTINSECURE",
+	"DNS_R_UNKNOWNSERVICE",
+	"DNS_R_RECOVERABLE",
+	"DNS_R_UNKNOWNOPT",
+	"DNS_R_UNEXPECTEDID",
+	"DNS_R_SEENINCLUDE",
+	"DNS_R_NOTEXACT",
+	"DNS_R_BLACKHOLED",
+	"DNS_R_BADALG",
+	"DNS_R_METATYPE",
+	"DNS_R_CNAMEANDOTHER",
+	"DNS_R_SINGLETON",
+	"DNS_R_HINTNXRRSET",
+	"DNS_R_NOMASTERFILE",
+	"DNS_R_UNKNOWNPROTO",
+	"DNS_R_CLOCKSKEW",
+	"DNS_R_BADIXFR",
+	"DNS_R_NOTAUTHORITATIVE",
+	"DNS_R_NOVALIDKEY",
+	"DNS_R_OBSOLETE",
+	"DNS_R_FROZEN",
+	"DNS_R_UNKNOWNFLAG",
+	"DNS_R_EXPECTEDRESPONSE",
+	"DNS_R_NOVALIDDS",
+	"DNS_R_NSISADDRESS",
+	"DNS_R_REMOTEFORMERR",
+	"DNS_R_TRUNCATEDTCP",
+	"DNS_R_LAME",
+	"DNS_R_UNEXPECTEDRCODE",
+	"DNS_R_UNEXPECTEDOPCODE",
+	"DNS_R_CHASEDSSERVERS",
+	"DNS_R_EMPTYNAME",
+	"DNS_R_EMPTYWILD",
+	"DNS_R_BADBITMAP",
+	"DNS_R_FROMWILDCARD",
+	"DNS_R_BADOWNERNAME",
+	"DNS_R_BADNAME",
+	"DNS_R_DYNAMIC",
+	"DNS_R_UNKNOWNCOMMAND",
+	"DNS_R_MUSTBESECURE",
+	"DNS_R_COVERINGNSEC",
+	"DNS_R_MXISADDRESS",
+	"DNS_R_DUPLICATE",
+	"DNS_R_INVALIDNSEC3",
+	"DNS_R_NOTMASTER",
+	"DNS_R_BROKENCHAIN",
+	"DNS_R_EXPIRED",
+	"DNS_R_NOTDYNAMIC",
+	"DNS_R_BADEUI",
+	"DNS_R_NTACOVERED",
+	"DNS_R_BADCDS",
+	"DNS_R_BADCDNSKEY",
+	"DNS_R_OPTERR",
+	"DNS_R_BADDNSTAP",
+	"DNS_R_BADTSIG",
+	"DNS_R_BADSIG0",
+};
+
+static const char *rcode_text[DNS_R_NRCODERESULTS] = {
+	"NOERROR",				/*%< 0 DNS_R_NOERROR */
+	"FORMERR",				/*%< 1 DNS_R_FORMERR */
+	"SERVFAIL",				/*%< 2 DNS_R_SERVFAIL */
+	"NXDOMAIN",				/*%< 3 DNS_R_NXDOMAIN */
+	"NOTIMP",				/*%< 4 DNS_R_NOTIMP */
+
+	"REFUSED",				/*%< 5 DNS_R_REFUSED */
+	"YXDOMAIN",				/*%< 6 DNS_R_YXDOMAIN */
+	"YXRRSET",				/*%< 7 DNS_R_YXRRSET */
+	"NXRRSET",				/*%< 8 DNS_R_NXRRSET */
+	"NOTAUTH",				/*%< 9 DNS_R_NOTAUTH */
+
+	"NOTZONE",				/*%< 10 DNS_R_NOTZONE */
+	"<rcode 11>",				/*%< 11 DNS_R_RCODE11 */
+	"<rcode 12>",				/*%< 12 DNS_R_RCODE12 */
+	"<rcode 13>",				/*%< 13 DNS_R_RCODE13 */
+	"<rcode 14>",				/*%< 14 DNS_R_RCODE14 */
+
+	"<rcode 15>",				/*%< 15 DNS_R_RCODE15 */
+	"BADVERS",				/*%< 16 DNS_R_BADVERS */
+};
+
+static const char *rcode_ids[DNS_R_NRCODERESULTS] = {
+	"DNS_R_NOERROR",
+	"DNS_R_FORMERR",
+	"DNS_R_SERVFAIL",
+	"DNS_R_NXDOMAIN",
+	"DNS_R_NOTIMP",
+	"DNS_R_REFUSED",
+	"DNS_R_YXDOMAIN",
+	"DNS_R_YXRRSET",
+	"DNS_R_NXRRSET",
+	"DNS_R_NOTAUTH",
+	"DNS_R_NOTZONE",
+	"DNS_R_RCODE11",
+	"RNS_R_RCODE12",
+	"DNS_R_RCODE13",
+	"DNS_R_RCODE14",
+	"DNS_R_RCODE15",
+	"DNS_R_BADVERS",
+};
+
+#define DNS_RESULT_RESULTSET			2
+#define DNS_RESULT_RCODERESULTSET		3
+
+static isc_once_t		once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
+				     text, dns_msgcat, DNS_RESULT_RESULTSET);
+	if (result == ISC_R_SUCCESS)
+		result = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
+					     DNS_R_NRCODERESULTS,
+					     rcode_text, dns_msgcat,
+					     DNS_RESULT_RCODERESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+
+	result = isc_result_registerids(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
+					ids, dns_msgcat, DNS_RESULT_RESULTSET);
+	if (result == ISC_R_SUCCESS)
+		result = isc_result_registerids(ISC_RESULTCLASS_DNSRCODE,
+						DNS_R_NRCODERESULTS,
+						rcode_ids, dns_msgcat,
+						DNS_RESULT_RCODERESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+}
+
+static void
+initialize(void) {
+	dns_lib_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dns_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+dns_result_register(void) {
+	initialize();
+}
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result) {
+	dns_rcode_t rcode = dns_rcode_servfail;
+
+	if (DNS_RESULT_ISRCODE(result)) {
+		/*
+		 * Rcodes can't be bigger than 12 bits, which is why we
+		 * AND with 0xFFF instead of 0xFFFF.
+		 */
+		return ((dns_rcode_t)((result) & 0xFFF));
+	}
+
+	/*
+	 * Try to supply an appropriate rcode.
+	 */
+	switch (result) {
+	case ISC_R_SUCCESS:
+		rcode = dns_rcode_noerror;
+		break;
+	case ISC_R_BADBASE64:
+	case ISC_R_NOSPACE:
+	case ISC_R_RANGE:
+	case ISC_R_UNEXPECTEDEND:
+	case DNS_R_BADAAAA:
+	/* case DNS_R_BADBITSTRING: deprecated */
+	case DNS_R_BADCKSUM:
+	case DNS_R_BADCLASS:
+	case DNS_R_BADLABELTYPE:
+	case DNS_R_BADPOINTER:
+	case DNS_R_BADTTL:
+	case DNS_R_BADZONE:
+	/* case DNS_R_BITSTRINGTOOLONG: deprecated */
+	case DNS_R_EXTRADATA:
+	case DNS_R_LABELTOOLONG:
+	case DNS_R_NOREDATA:
+	case DNS_R_SYNTAX:
+	case DNS_R_TEXTTOOLONG:
+	case DNS_R_TOOMANYHOPS:
+	case DNS_R_TSIGERRORSET:
+	case DNS_R_UNKNOWN:
+	case DNS_R_NAMETOOLONG:
+	case DNS_R_OPTERR:
+		rcode = dns_rcode_formerr;
+		break;
+	case DNS_R_DISALLOWED:
+		rcode = dns_rcode_refused;
+		break;
+	case DNS_R_TSIGVERIFYFAILURE:
+	case DNS_R_CLOCKSKEW:
+		rcode = dns_rcode_notauth;
+		break;
+	default:
+		rcode = dns_rcode_servfail;
+	}
+
+	return (rcode);
+}
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
new file mode 100644
index 0000000..70b2b7d
--- /dev/null
+++ b/lib/dns/rootns.c
@@ -0,0 +1,528 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+#include <dns/view.h>
+
+static char root_ns[] =
+";\n"
+"; Internet Root Nameservers\n"
+";\n"
+"$TTL 518400\n"
+".                       518400  IN      NS      A.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      C.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      D.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      E.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      F.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      G.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      H.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      I.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      J.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      K.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      L.ROOT-SERVERS.NET.\n"
+".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
+"A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
+"A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
+"B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
+"B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
+"C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
+"C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c\n"
+"D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
+"D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d\n"
+"E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10\n"
+"E.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:a8::e\n"
+"F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241\n"
+"F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F\n"
+"G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4\n"
+"G.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:12::d0d\n"
+"H.ROOT-SERVERS.NET.     3600000 IN      A       198.97.190.53\n"
+"H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::53\n"
+"I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
+"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
+"J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
+"J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
+"K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
+"K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1\n"
+"L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42\n"
+"L.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:9f::42\n"
+"M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33\n"
+"M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35\n";
+
+static isc_result_t
+in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_ns_t ns;
+
+	if (!dns_rdataset_isassociated(rootns))
+		return (ISC_R_NOTFOUND);
+
+	result = dns_rdataset_first(rootns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rootns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (dns_name_compare(name, &ns.name) == 0)
+			return (ISC_R_SUCCESS);
+		result = dns_rdataset_next(rootns);
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_NOTFOUND;
+	return (result);
+}
+
+static isc_result_t
+check_node(dns_rdataset_t *rootns, dns_name_t *name,
+	   dns_rdatasetiter_t *rdsiter) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		switch (rdataset.type) {
+		case dns_rdatatype_a:
+		case dns_rdatatype_aaaa:
+			result = in_rootns(rootns, name);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			break;
+		case dns_rdatatype_ns:
+			if (dns_name_compare(name, dns_rootname) == 0)
+				break;
+			/* FALLTHROUGH */
+		default:
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(rdsiter);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ cleanup:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+check_hints(dns_db_t *db) {
+	isc_result_t result;
+	dns_rdataset_t rootns;
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_stdtime_t now;
+	dns_fixedname_t fixname;
+	dns_name_t *name;
+	dns_rdatasetiter_t *rdsiter = NULL;
+
+	isc_stdtime_get(&now);
+
+	name = dns_fixedname_initname(&fixname);
+
+	dns_rdataset_init(&rootns);
+	(void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			  now, NULL, name, &rootns, NULL);
+	result = dns_db_createiterator(db, 0, &dbiter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_dbiterator_first(dbiter);
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbiter, &node, name);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		result = dns_db_allrdatasets(db, node, NULL, now, &rdsiter);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		result = check_node(&rootns, name, rdsiter);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		dns_rdatasetiter_destroy(&rdsiter);
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiter);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup:
+	if (dns_rdataset_isassociated(&rootns))
+		dns_rdataset_disassociate(&rootns);
+	if (rdsiter != NULL)
+		dns_rdatasetiter_destroy(&rdsiter);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (dbiter != NULL)
+		dns_dbiterator_destroy(&dbiter);
+	return (result);
+}
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		  const char *filename, dns_db_t **target)
+{
+	isc_result_t result, eresult;
+	isc_buffer_t source;
+	unsigned int len;
+	dns_rdatacallbacks_t callbacks;
+	dns_db_t *db = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       rdclass, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	len = strlen(root_ns);
+	isc_buffer_init(&source, root_ns, len);
+	isc_buffer_add(&source, len);
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	if (filename != NULL) {
+		/*
+		 * Load the hints from the specified filename.
+		 */
+		result = dns_master_loadfile(filename, &db->origin,
+					     &db->origin, db->rdclass,
+					     DNS_MASTER_HINT,
+					     &callbacks, db->mctx);
+	} else if (rdclass == dns_rdataclass_in) {
+		/*
+		 * Default to using the Internet root servers.
+		 */
+		result = dns_master_loadbuffer(&source, &db->origin,
+					       &db->origin, db->rdclass,
+					       DNS_MASTER_HINT,
+					       &callbacks, db->mctx);
+	} else
+		result = ISC_R_NOTFOUND;
+	eresult = dns_db_endload(db, &callbacks);
+	if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)
+		result = eresult;
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+		goto failure;
+	if (check_hints(db) != ISC_R_SUCCESS)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "extra data in root hints '%s'",
+			      (filename != NULL) ? filename : "<BUILT-IN>");
+	*target = db;
+	return (ISC_R_SUCCESS);
+
+ failure:
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_HINTS,
+		      ISC_LOG_ERROR, "could not configure root hints from "
+		      "'%s': %s", (filename != NULL) ? filename : "<BUILT-IN>",
+		      isc_result_totext(result));
+
+	if (db != NULL)
+		dns_db_detach(&db);
+
+	return (result);
+}
+
+static void
+report(dns_view_t *view, dns_name_t *name, bool missing,
+       dns_rdata_t *rdata)
+{
+	const char *viewname = "", *sep = "";
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	char databuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
+	isc_buffer_t buffer;
+	isc_result_t result;
+
+	if (strcmp(view->name, "_bind") != 0 &&
+	    strcmp(view->name, "_default") != 0) {
+		viewname = view->name;
+		sep = ": view ";
+	}
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+	isc_buffer_init(&buffer, databuf, sizeof(databuf) - 1);
+	result = dns_rdata_totext(rdata, NULL, &buffer);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	databuf[isc_buffer_usedlength(&buffer)] = '\0';
+
+	if (missing)
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) missing from hints",
+			      sep, viewname, namebuf, typebuf, databuf);
+	else
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: %s/%s (%s) extra record "
+			      "in hints", sep, viewname, namebuf, typebuf,
+			      databuf);
+}
+
+static bool
+inrrset(dns_rdataset_t *rrset, dns_rdata_t *rdata) {
+	isc_result_t result;
+	dns_rdata_t current = DNS_RDATA_INIT;
+
+	result = dns_rdataset_first(rrset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rrset, &current);
+		if (dns_rdata_compare(rdata, &current) == 0)
+			return (true);
+		dns_rdata_reset(&current);
+		result = dns_rdataset_next(rrset);
+	}
+	return (false);
+}
+
+/*
+ * Check that the address RRsets match.
+ *
+ * Note we don't complain about missing glue records.
+ */
+
+static void
+check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
+		      dns_name_t *name, isc_stdtime_t now)
+{
+	isc_result_t hresult, rresult, result;
+	dns_rdataset_t hintrrset, rootrrset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_name_t *foundname;
+	dns_fixedname_t fixed;
+
+	dns_rdataset_init(&hintrrset);
+	dns_rdataset_init(&rootrrset);
+	foundname = dns_fixedname_initname(&fixed);
+
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_a, 0,
+			      now, NULL, foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata))
+				report(view, name, true, &rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata))
+				report(view, name, false, &rdata);
+			result = dns_rdataset_next(&hintrrset);
+		}
+	}
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, true, &rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset))
+		dns_rdataset_disassociate(&rootrrset);
+	if (dns_rdataset_isassociated(&hintrrset))
+		dns_rdataset_disassociate(&hintrrset);
+
+	/*
+	 * Check AAAA records.
+	 */
+	hresult = dns_db_find(hints, name, NULL, dns_rdatatype_aaaa, 0,
+			      now, NULL, foundname, &hintrrset, NULL);
+	rresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+			      DNS_DBFIND_GLUEOK, now, NULL, foundname,
+			      &rootrrset, NULL);
+	if (hresult == ISC_R_SUCCESS &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			if (!inrrset(&hintrrset, &rdata))
+				report(view, name, true, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+		result = dns_rdataset_first(&hintrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&hintrrset, &rdata);
+			if (!inrrset(&rootrrset, &rdata))
+				report(view, name, false, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&hintrrset);
+		}
+	}
+	if (hresult == ISC_R_NOTFOUND &&
+	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
+		result = dns_rdataset_first(&rootrrset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&rootrrset, &rdata);
+			report(view, name, true, &rdata);
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rootrrset);
+		}
+	}
+	if (dns_rdataset_isassociated(&rootrrset))
+		dns_rdataset_disassociate(&rootrrset);
+	if (dns_rdataset_isassociated(&hintrrset))
+		dns_rdataset_disassociate(&hintrrset);
+}
+
+void
+dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_ns_t ns;
+	dns_rdataset_t hintns, rootns;
+	const char *viewname = "", *sep = "";
+	isc_stdtime_t now;
+	dns_name_t *name;
+	dns_fixedname_t fixed;
+
+	REQUIRE(hints != NULL);
+	REQUIRE(db != NULL);
+	REQUIRE(view != NULL);
+
+	isc_stdtime_get(&now);
+
+	if (strcmp(view->name, "_bind") != 0 &&
+	    strcmp(view->name, "_default") != 0) {
+		viewname = view->name;
+		sep = ": view ";
+	}
+
+	dns_rdataset_init(&hintns);
+	dns_rdataset_init(&rootns);
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(hints, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			     now, NULL, name, &hintns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from hints: %s", sep, viewname,
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+
+	result = dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
+			     now, NULL, name, &rootns, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+			      "checkhints%s%s: unable to get root NS rrset "
+			      "from cache: %s", sep, viewname,
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * Look for missing root NS names.
+	 */
+	result = dns_rdataset_first(&rootns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&rootns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&hintns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* missing from hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: unable to find root "
+				      "NS '%s' in hints", sep, viewname,
+				      namebuf);
+		} else
+			check_address_records(view, hints, db, &ns.name, now);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rootns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+	/*
+	 * Look for extra root NS names.
+	 */
+	result = dns_rdataset_first(&hintns);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&hintns, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = in_rootns(&rootns, &ns.name);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			/* extra entry in hints */
+			dns_name_format(&ns.name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+				      "checkhints%s%s: extra NS '%s' in hints",
+				      sep, viewname, namebuf);
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&hintns);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto cleanup;
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&rootns))
+		dns_rdataset_disassociate(&rootns);
+	if (dns_rdataset_isassociated(&hintns))
+		dns_rdataset_disassociate(&hintns);
+}
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
new file mode 100644
index 0000000..f0993be
--- /dev/null
+++ b/lib/dns/rpz.c
@@ -0,0 +1,2413 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/rbt.h>
+#include <dns/rpz.h>
+#include <dns/view.h>
+
+
+/*
+ * Parallel radix trees for databases of response policy IP addresses
+ *
+ * The radix or patricia trees are somewhat specialized to handle response
+ * policy addresses by representing the two sets of IP addresses and name
+ * server IP addresses in a single tree.  One set of IP addresses is
+ * for rpz-ip policies or policies triggered by addresses in A or
+ * AAAA records in responses.
+ * The second set is for rpz-nsip policies or policies triggered by addresses
+ * in A or AAAA records for NS records that are authorities for responses.
+ *
+ * Each leaf indicates that an IP address is listed in the IP address or the
+ * name server IP address policy sub-zone (or both) of the corresponding
+ * response policy zone.  The policy data such as a CNAME or an A record
+ * is kept in the policy zone.  After an IP address has been found in a radix
+ * tree, the node in the policy zone's database is found by converting
+ * the IP address to a domain name in a canonical form.
+ *
+ *
+ * The response policy zone canonical form of an IPv6 address is one of:
+ *	prefix.W.W.W.W.W.W.W.W
+ *	prefix.WORDS.zz
+ *	prefix.WORDS.zz.WORDS
+ *	prefix.zz.WORDS
+ *  where
+ *	prefix	is the prefix length of the IPv6 address between 1 and 128
+ *	W	is a number between 0 and 65535
+ *	WORDS	is one or more numbers W separated with "."
+ *	zz	corresponds to :: in the standard IPv6 text representation
+ *
+ * The canonical form of IPv4 addresses is:
+ *	prefix.B.B.B.B
+ *  where
+ *	prefix	is the prefix length of the address between 1 and 32
+ *	B	is a number between 0 and 255
+ *
+ * Names for IPv4 addresses are distinguished from IPv6 addresses by having
+ * 5 labels all of which are numbers, and a prefix between 1 and 32.
+ */
+
+
+/*
+ * Use a private definition of IPv6 addresses because s6_addr32 is not
+ * always defined and our IPv6 addresses are in non-standard byte order
+ */
+typedef uint32_t		dns_rpz_cidr_word_t;
+#define DNS_RPZ_CIDR_WORD_BITS	((int)sizeof(dns_rpz_cidr_word_t)*8)
+#define DNS_RPZ_CIDR_KEY_BITS	((int)sizeof(dns_rpz_cidr_key_t)*8)
+#define DNS_RPZ_CIDR_WORDS	(128/DNS_RPZ_CIDR_WORD_BITS)
+typedef struct {
+	dns_rpz_cidr_word_t	w[DNS_RPZ_CIDR_WORDS];
+} dns_rpz_cidr_key_t;
+
+#define ADDR_V4MAPPED		0xffff
+#define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 &&	\
+				(ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED)
+
+#define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1)	\
+			      : ((dns_rpz_cidr_word_t)(-1)		\
+				 << (DNS_RPZ_CIDR_WORD_BITS - (b))))
+
+/*
+ * Get bit #n from the array of words of an IP address.
+ */
+#define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >>  \
+				    (DNS_RPZ_CIDR_WORD_BITS		    \
+				     - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS))))
+
+/*
+ * A triplet of arrays of bits flagging the existence of
+ * client-IP, IP, and NSIP policy triggers.
+ */
+typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t;
+struct dns_rpz_addr_zbits {
+	dns_rpz_zbits_t		client_ip;
+	dns_rpz_zbits_t		ip;
+	dns_rpz_zbits_t		nsip;
+};
+
+/*
+ * A CIDR or radix tree node.
+ */
+struct dns_rpz_cidr_node {
+	dns_rpz_cidr_node_t	*parent;
+	dns_rpz_cidr_node_t	*child[2];
+	dns_rpz_cidr_key_t	ip;
+	dns_rpz_prefix_t	prefix;
+	dns_rpz_addr_zbits_t	set;
+	dns_rpz_addr_zbits_t	sum;
+};
+
+/*
+ * A pair of arrays of bits flagging the existence of
+ * QNAME and NSDNAME policy triggers.
+ */
+typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t;
+struct dns_rpz_nm_zbits {
+	dns_rpz_zbits_t		qname;
+	dns_rpz_zbits_t		ns;
+};
+
+/*
+ * The data in a RBT node has two pairs of bits for policy zones.
+ * One pair is for the corresponding name of the node such as example.com
+ * and the other pair is for a wildcard child such as *.example.com.
+ */
+typedef struct dns_rpz_nm_data dns_rpz_nm_data_t;
+struct dns_rpz_nm_data {
+	dns_rpz_nm_zbits_t	set;
+	dns_rpz_nm_zbits_t	wild;
+};
+
+#if 0
+/*
+ * Catch a name while debugging.
+ */
+static void
+catch_name(const dns_name_t *src_name, const char *tgt, const char *str) {
+	dns_fixedname_t tgt_namef;
+	dns_name_t *tgt_name;
+
+	tgt_name = dns_fixedname_initname(&tgt_namef);
+	dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL);
+	if (dns_name_equal(src_name, tgt_name)) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz hit failed: %s %s", str, tgt);
+	}
+}
+#endif
+
+const char *
+dns_rpz_type2str(dns_rpz_type_t type) {
+	switch (type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		return ("CLIENT-IP");
+	case DNS_RPZ_TYPE_QNAME:
+		return ("QNAME");
+	case DNS_RPZ_TYPE_IP:
+		return ("IP");
+	case DNS_RPZ_TYPE_NSIP:
+		return ("NSIP");
+	case DNS_RPZ_TYPE_NSDNAME:
+		return ("NSDNAME");
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+	FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type);
+	return ("impossible");
+}
+
+dns_rpz_policy_t
+dns_rpz_str2policy(const char *str) {
+	static struct {
+		const char *str;
+		dns_rpz_policy_t policy;
+	} tbl[] = {
+		{"given",	DNS_RPZ_POLICY_GIVEN},
+		{"disabled",	DNS_RPZ_POLICY_DISABLED},
+		{"passthru",	DNS_RPZ_POLICY_PASSTHRU},
+		{"drop",	DNS_RPZ_POLICY_DROP},
+		{"tcp-only",	DNS_RPZ_POLICY_TCP_ONLY},
+		{"nxdomain",	DNS_RPZ_POLICY_NXDOMAIN},
+		{"nodata",	DNS_RPZ_POLICY_NODATA},
+		{"cname",	DNS_RPZ_POLICY_CNAME},
+		{"no-op",	DNS_RPZ_POLICY_PASSTHRU},   /* old passthru */
+	};
+	unsigned int n;
+
+	if (str == NULL)
+		return (DNS_RPZ_POLICY_ERROR);
+	for (n = 0; n < sizeof(tbl)/sizeof(tbl[0]); ++n) {
+		if (!strcasecmp(tbl[n].str, str))
+			return (tbl[n].policy);
+	}
+	return (DNS_RPZ_POLICY_ERROR);
+}
+
+const char *
+dns_rpz_policy2str(dns_rpz_policy_t policy) {
+	const char *str;
+
+	switch (policy) {
+	case DNS_RPZ_POLICY_PASSTHRU:
+		str = "PASSTHRU";
+		break;
+	case DNS_RPZ_POLICY_DROP:
+		str = "DROP";
+		break;
+	case DNS_RPZ_POLICY_TCP_ONLY:
+		str = "TCP-ONLY";
+		break;
+	case DNS_RPZ_POLICY_NXDOMAIN:
+		str = "NXDOMAIN";
+		break;
+	case DNS_RPZ_POLICY_NODATA:
+		str = "NODATA";
+		break;
+	case DNS_RPZ_POLICY_RECORD:
+		str = "Local-Data";
+		break;
+	case DNS_RPZ_POLICY_CNAME:
+	case DNS_RPZ_POLICY_WILDCNAME:
+		str = "CNAME";
+		break;
+	case DNS_RPZ_POLICY_MISS:
+		str = "MISS";
+		break;
+	default:
+		str = "";
+		POST(str);
+		INSIST(0);
+	}
+	return (str);
+}
+
+/*
+ * Return the bit number of the highest set bit in 'zbit'.
+ * (for example, 0x01 returns 0, 0xFF returns 7, etc.)
+ */
+static int
+zbit_to_num(dns_rpz_zbits_t zbit) {
+	dns_rpz_num_t rpz_num;
+
+	REQUIRE(zbit != 0);
+	rpz_num = 0;
+#if DNS_RPZ_MAX_ZONES > 32
+	if ((zbit & 0xffffffff00000000L) != 0) {
+		zbit >>= 32;
+		rpz_num += 32;
+	}
+#endif
+	if ((zbit & 0xffff0000) != 0) {
+		zbit >>= 16;
+		rpz_num += 16;
+	}
+	if ((zbit & 0xff00) != 0) {
+		zbit >>= 8;
+		rpz_num += 8;
+	}
+	if ((zbit & 0xf0) != 0) {
+		zbit >>= 4;
+		rpz_num += 4;
+	}
+	if ((zbit & 0xc) != 0) {
+		zbit >>= 2;
+		rpz_num += 2;
+	}
+	if ((zbit & 2) != 0)
+		++rpz_num;
+	return (rpz_num);
+}
+
+/*
+ * Make a set of bit masks given one or more bits and their type.
+ */
+static void
+make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits,
+	      dns_rpz_type_t type)
+{
+	switch (type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		tgt_set->client_ip = zbits;
+		tgt_set->ip = 0;
+		tgt_set->nsip = 0;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		tgt_set->client_ip = 0;
+		tgt_set->ip = zbits;
+		tgt_set->nsip = 0;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		tgt_set->client_ip = 0;
+		tgt_set->ip = 0;
+		tgt_set->nsip = zbits;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+}
+
+static void
+make_nm_set(dns_rpz_nm_zbits_t *tgt_set,
+	    dns_rpz_num_t rpz_num, dns_rpz_type_t type)
+{
+	switch (type) {
+	case DNS_RPZ_TYPE_QNAME:
+		tgt_set->qname = DNS_RPZ_ZBIT(rpz_num);
+		tgt_set->ns = 0;
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		tgt_set->qname = 0;
+		tgt_set->ns = DNS_RPZ_ZBIT(rpz_num);
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+}
+
+/*
+ * Mark a node and all of its parents as having client-IP, IP, or NSIP data
+ */
+static void
+set_sum_pair(dns_rpz_cidr_node_t *cnode) {
+	dns_rpz_cidr_node_t *child;
+	dns_rpz_addr_zbits_t sum;
+
+	do {
+		sum = cnode->set;
+
+		child = cnode->child[0];
+		if (child != NULL) {
+			sum.client_ip |= child->sum.client_ip;
+			sum.ip |= child->sum.ip;
+			sum.nsip |= child->sum.nsip;
+		}
+
+		child = cnode->child[1];
+		if (child != NULL) {
+			sum.client_ip |= child->sum.client_ip;
+			sum.ip |= child->sum.ip;
+			sum.nsip |= child->sum.nsip;
+		}
+
+		if (cnode->sum.client_ip == sum.client_ip &&
+		    cnode->sum.ip == sum.ip &&
+		    cnode->sum.nsip == sum.nsip)
+			break;
+		cnode->sum = sum;
+		cnode = cnode->parent;
+	} while (cnode != NULL);
+}
+
+/* Caller must hold rpzs->maint_lock */
+static void
+fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) {
+	dns_rpz_zbits_t mask;
+
+	/*
+	 * qname_wait_recurse and qname_skip_recurse are used to
+	 * implement the "qname-wait-recurse" config option.
+	 *
+	 * When "qname-wait-recurse" is yes, no processing happens
+	 * without recursion. In this case, qname_wait_recurse is true,
+	 * and qname_skip_recurse (a bitfield indicating which policy
+	 * zones can be processed without recursion) is set to all 0's
+	 * by fix_qname_skip_recurse().
+	 *
+	 * When "qname-wait-recurse" is no, qname_skip_recurse may be
+	 * set to a non-zero value by fix_qname_skip_recurse(). The mask
+	 * has to have bits set for the policy zones for which
+	 * processing may continue without recursion, and bits cleared
+	 * for the rest.
+	 *
+	 * (1) The ARM says:
+	 *
+	 *   The "qname-wait-recurse no" option overrides that default
+	 *   behavior when recursion cannot change a non-error
+	 *   response. The option does not affect QNAME or client-IP
+	 *   triggers in policy zones listed after other zones
+	 *   containing IP, NSIP and NSDNAME triggers, because those may
+	 *   depend on the A, AAAA, and NS records that would be found
+	 *   during recursive resolution.
+	 *
+	 * Let's consider the following:
+	 *
+	 *     zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
+	 *		    rpzs->have.nsdname |
+	 *		    rpzs->have.nsipv4 | rpzs->have.nsipv6);
+	 *
+	 * zbits_req now contains bits set for zones which require
+	 * recursion.
+	 *
+	 * But going by the description in the ARM, if the first policy
+	 * zone requires recursion, then all zones after that (higher
+	 * order bits) have to wait as well.  If the Nth zone requires
+	 * recursion, then (N+1)th zone onwards all need to wait.
+	 *
+	 * So mapping this, examples:
+	 *
+	 * zbits_req = 0b000  mask = 0xffffffff (no zones have to wait for
+	 *					 recursion)
+	 * zbits_req = 0b001  mask = 0x00000000 (all zones have to wait)
+	 * zbits_req = 0b010  mask = 0x00000001 (the first zone doesn't have to
+	 *					 wait, second zone onwards need
+	 *					 to wait)
+	 * zbits_req = 0b011  mask = 0x00000000 (all zones have to wait)
+	 * zbits_req = 0b100  mask = 0x00000011 (the 1st and 2nd zones don't
+	 *					 have to wait, third zone
+	 *					 onwards need to wait)
+	 *
+	 * More generally, we have to count the number of trailing 0
+	 * bits in zbits_req and only these can be processed without
+	 * recursion. All the rest need to wait.
+	 *
+	 * (2) The ARM says that "qname-wait-recurse no" option
+	 * overrides the default behavior when recursion cannot change a
+	 * non-error response. So, in the order of listing of policy
+	 * zones, within the first policy zone where recursion may be
+	 * required, we should first allow CLIENT-IP and QNAME policy
+	 * records to be attempted without recursion.
+	 */
+
+	/*
+	 * Get a mask covering all policy zones that are not subordinate to
+	 * other policy zones containing triggers that require that the
+	 * qname be resolved before they can be checked.
+	 */
+	rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6;
+	rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6;
+	rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6;
+
+	if (rpzs->p.qname_wait_recurse) {
+		mask = 0;
+	} else {
+		dns_rpz_zbits_t zbits_req;
+		dns_rpz_zbits_t zbits_notreq;
+		dns_rpz_zbits_t mask2;
+		dns_rpz_zbits_t req_mask;
+
+		/*
+		 * Get the masks of zones with policies that
+		 * do/don't require recursion
+		 */
+
+		zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
+			     rpzs->have.nsdname |
+			     rpzs->have.nsipv4 | rpzs->have.nsipv6);
+		zbits_notreq = (rpzs->have.client_ip | rpzs->have.qname);
+
+		if (zbits_req == 0) {
+			mask = DNS_RPZ_ALL_ZBITS;
+			goto set;
+		}
+
+		/*
+		 * req_mask is a mask covering used bits in
+		 * zbits_req. (For instance, 0b1 => 0b1, 0b101 => 0b111,
+		 * 0b11010101 => 0b11111111).
+		 */
+		req_mask = zbits_req;
+		req_mask |= req_mask >> 1;
+		req_mask |= req_mask >> 2;
+		req_mask |= req_mask >> 4;
+		req_mask |= req_mask >> 8;
+		req_mask |= req_mask >> 16;
+#if DNS_RPZ_MAX_ZONES > 32
+		req_mask |= req_mask >> 32;
+#endif
+
+		/*
+		 * There's no point in skipping recursion for a later
+		 * zone if it is required in a previous zone.
+		 */
+		if ((zbits_notreq & req_mask) == 0) {
+			mask = 0;
+			goto set;
+		}
+
+		/*
+		 * This bit arithmetic creates a mask of zones in which
+		 * it is okay to skip recursion. After the first zone
+		 * that has to wait for recursion, all the others have
+		 * to wait as well, so we want to create a mask in which
+		 * all the trailing zeroes in zbits_req are are 1, and
+		 * more significant bits are 0. (For instance,
+		 * 0x0700 => 0x00ff, 0x0007 => 0x0000)
+		 */
+		mask = ~(zbits_req | ((~zbits_req) + 1));
+
+		/*
+		 * As mentioned in (2) above, the zone corresponding to
+		 * the least significant zero could have its CLIENT-IP
+		 * and QNAME policies checked before recursion, if it
+		 * has any of those policies.  So if it does, we
+		 * can set its 0 to 1.
+		 *
+		 * Locate the least significant 0 bit in the mask (for
+		 * instance, 0xff => 0x100)...
+		 */
+		mask2 = (mask << 1) & ~mask;
+
+		/*
+		 * Also set the bit for zone 0, because if it's in
+		 * zbits_notreq then it's definitely okay to attempt to
+		 * skip recursion for zone 0...
+		 */
+		mask2 |= 1;
+
+		/* Clear any bits *not* in zbits_notreq... */
+		mask2 &= zbits_notreq;
+
+		/* And merge the result into the skip-recursion mask */
+		mask |= mask2;
+	}
+
+ set:
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
+		      DNS_RPZ_DEBUG_QUIET,
+		      "computed RPZ qname_skip_recurse mask=0x%" PRIx64,
+		      (uint64_t) mask);
+	rpzs->have.qname_skip_recurse = mask;
+}
+
+static void
+adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+		dns_rpz_type_t rpz_type,
+		const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
+		bool inc)
+{
+	dns_rpz_trigger_counter_t *cnt;
+	dns_rpz_zbits_t *have;
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].client_ipv4;
+			have = &rpzs->have.client_ipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].client_ipv6;
+			have = &rpzs->have.client_ipv6;
+		}
+		break;
+	case DNS_RPZ_TYPE_QNAME:
+		cnt = &rpzs->triggers[rpz_num].qname;
+		have = &rpzs->have.qname;
+		break;
+	case DNS_RPZ_TYPE_IP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].ipv4;
+			have = &rpzs->have.ipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].ipv6;
+			have = &rpzs->have.ipv6;
+		}
+		break;
+	case DNS_RPZ_TYPE_NSDNAME:
+		cnt = &rpzs->triggers[rpz_num].nsdname;
+		have = &rpzs->have.nsdname;
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		REQUIRE(tgt_ip != NULL);
+		if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+			cnt = &rpzs->triggers[rpz_num].nsipv4;
+			have = &rpzs->have.nsipv4;
+		} else {
+			cnt = &rpzs->triggers[rpz_num].nsipv6;
+			have = &rpzs->have.nsipv6;
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (inc) {
+		if (++*cnt == 1U) {
+			*have |= DNS_RPZ_ZBIT(rpz_num);
+			fix_qname_skip_recurse(rpzs);
+		}
+	} else {
+		REQUIRE(*cnt != 0U);
+		if (--*cnt == 0U) {
+			*have &= ~DNS_RPZ_ZBIT(rpz_num);
+			fix_qname_skip_recurse(rpzs);
+		}
+	}
+}
+
+static dns_rpz_cidr_node_t *
+new_node(dns_rpz_zones_t *rpzs,
+	 const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix,
+	 const dns_rpz_cidr_node_t *child)
+{
+	dns_rpz_cidr_node_t *node;
+	int i, words, wlen;
+
+	node = isc_mem_get(rpzs->mctx, sizeof(*node));
+	if (node == NULL)
+		return (NULL);
+	memset(node, 0, sizeof(*node));
+
+	if (child != NULL)
+		node->sum = child->sum;
+
+	node->prefix = prefix;
+	words = prefix / DNS_RPZ_CIDR_WORD_BITS;
+	wlen = prefix % DNS_RPZ_CIDR_WORD_BITS;
+	i = 0;
+	while (i < words) {
+		node->ip.w[i] = ip->w[i];
+		++i;
+	}
+	if (wlen != 0) {
+		node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
+		++i;
+	}
+	while (i < DNS_RPZ_CIDR_WORDS)
+		node->ip.w[i++] = 0;
+
+	return (node);
+}
+
+static void
+badname(int level, dns_name_t *name, const char *str1, const char *str2) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	/*
+	 * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
+	 */
+	if (level < DNS_RPZ_DEBUG_QUIET &&
+	    isc_log_wouldlog(dns_lctx, level)) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, level,
+			      "invalid rpz IP address \"%s\"%s%s",
+			      namebuf, str1, str2);
+	}
+}
+
+/*
+ * Convert an IP address from radix tree binary (host byte order) to
+ * to its canonical response policy domain name without the origin of the
+ * policy zone.
+ *
+ * Generate a name for an IPv6 address that fits RFC 5952, except that
+ * our reversed format requires that when the length of the consecutive
+ * 16-bit 0 fields are equal (e.g., 1.0.0.1.0.0.db8.2001 corresponding
+ * to 2001:db8:0:0:1:0:0:1), we shorted the last instead of the first
+ * (e.g., 1.0.0.1.zz.db8.2001 corresponding to 2001:db8::1:0:0:1).
+ */
+static isc_result_t
+ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
+	dns_name_t *base_name, dns_name_t *ip_name)
+{
+#ifndef INET6_ADDRSTRLEN
+#define INET6_ADDRSTRLEN 46
+#endif
+	int w[DNS_RPZ_CIDR_WORDS*2];
+	char str[1+8+1+INET6_ADDRSTRLEN+1];
+	isc_buffer_t buffer;
+	isc_result_t result;
+	int best_first, best_len, cur_first, cur_len;
+	int i, n, len;
+
+	if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
+		len = snprintf(str, sizeof(str), "%u.%u.%u.%u.%u",
+			       tgt_prefix - 96U,
+			       tgt_ip->w[3] & 0xffU,
+			       (tgt_ip->w[3]>>8) & 0xffU,
+			       (tgt_ip->w[3]>>16) & 0xffU,
+			       (tgt_ip->w[3]>>24) & 0xffU);
+		if (len < 0 || len > (int)sizeof(str)) {
+			return (ISC_R_FAILURE);
+		}
+	} else {
+		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
+		if (len == -1)
+			return (ISC_R_FAILURE);
+		for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
+			w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
+				    & 0xffff);
+			w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
+		}
+		/*
+		 * Find the start and length of the first longest sequence
+		 * of zeros in the address.
+		 */
+		best_first = -1;
+		best_len = 0;
+		cur_first = -1;
+		cur_len = 0;
+		for (n = 0; n <=7; ++n) {
+			if (w[n] != 0) {
+				cur_len = 0;
+				cur_first = -1;
+			} else {
+				++cur_len;
+				if (cur_first < 0) {
+					cur_first = n;
+				} else if (cur_len >= best_len) {
+					best_first = cur_first;
+					best_len = cur_len;
+				}
+			}
+		}
+
+		for (n = 0; n <= 7; ++n) {
+			INSIST(len < (int)sizeof(str));
+			if (n == best_first) {
+				len += snprintf(str + len, sizeof(str) - len,
+						".zz");
+				n += best_len - 1;
+			} else {
+				len += snprintf(str + len, sizeof(str) - len,
+						".%x", w[n]);
+			}
+		}
+	}
+
+	isc_buffer_init(&buffer, str, sizeof(str));
+	isc_buffer_add(&buffer, len);
+	result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL);
+	return (result);
+}
+
+/*
+ * Determine the type of a name in a response policy zone.
+ */
+static dns_rpz_type_t
+type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) {
+
+	if (dns_name_issubdomain(name, &rpz->ip))
+		return (DNS_RPZ_TYPE_IP);
+
+	if (dns_name_issubdomain(name, &rpz->client_ip))
+		return (DNS_RPZ_TYPE_CLIENT_IP);
+
+#ifdef ENABLE_RPZ_NSIP
+	if (dns_name_issubdomain(name, &rpz->nsip))
+		return (DNS_RPZ_TYPE_NSIP);
+#endif
+
+#ifdef ENABLE_RPZ_NSDNAME
+	if (dns_name_issubdomain(name, &rpz->nsdname))
+		return (DNS_RPZ_TYPE_NSDNAME);
+#endif
+
+	return (DNS_RPZ_TYPE_QNAME);
+}
+
+/*
+ * Convert an IP address from canonical response policy domain name form
+ * to radix tree binary (host byte order) for adding or deleting IP or NSIP
+ * data.
+ */
+static isc_result_t
+name2ipkey(int log_level,
+	   const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	   dns_rpz_type_t rpz_type, dns_name_t *src_name,
+	   dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix,
+	   dns_rpz_addr_zbits_t *new_set)
+{
+	dns_rpz_zone_t *rpz;
+	char ip_str[DNS_NAME_FORMATSIZE];
+	char ip2_str[DNS_NAME_FORMATSIZE];
+	dns_offsets_t ip_name_offsets;
+	dns_fixedname_t ip_name2f;
+	dns_name_t ip_name, *ip_name2;
+	const char *prefix_str, *cp, *end;
+	char *cp2;
+	int ip_labels;
+	dns_rpz_prefix_t prefix;
+	unsigned long prefix_num, l;
+	isc_result_t result;
+	int i;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type);
+
+	ip_labels = dns_name_countlabels(src_name);
+	if (rpz_type == DNS_RPZ_TYPE_QNAME)
+		ip_labels -= dns_name_countlabels(&rpz->origin);
+	else
+		ip_labels -= dns_name_countlabels(&rpz->nsdname);
+	if (ip_labels < 2) {
+		badname(log_level, src_name, "; too short", "");
+		return (ISC_R_FAILURE);
+	}
+	dns_name_init(&ip_name, ip_name_offsets);
+	dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name);
+
+	/*
+	 * Get text for the IP address
+	 */
+	dns_name_format(&ip_name, ip_str, sizeof(ip_str));
+	end = &ip_str[strlen(ip_str)+1];
+	prefix_str = ip_str;
+
+	prefix_num = strtoul(prefix_str, &cp2, 10);
+	if (*cp2 != '.') {
+		badname(log_level, src_name,
+			"; invalid leading prefix length", "");
+		return (ISC_R_FAILURE);
+	}
+
+	if (prefix_num < 1U || prefix_num > 128U) {
+		badname(log_level, src_name,
+			"; invalid prefix length of ", prefix_str);
+		return (ISC_R_FAILURE);
+	}
+	cp = cp2+1;
+
+	if (--ip_labels == 4 && !strchr(cp, 'z')) {
+		/*
+		 * Convert an IPv4 address
+		 * from the form "prefix.z.y.x.w"
+		 */
+		if (prefix_num > 32U) {
+			badname(log_level, src_name,
+				"; invalid IPv4 prefix length of ", prefix_str);
+			return (ISC_R_FAILURE);
+		}
+		prefix_num += 96;
+		*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
+		tgt_ip->w[0] = 0;
+		tgt_ip->w[1] = 0;
+		tgt_ip->w[2] = ADDR_V4MAPPED;
+		tgt_ip->w[3] = 0;
+		for (i = 0; i < 32; i += 8) {
+			l = strtoul(cp, &cp2, 10);
+			if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
+				if (*cp2 == '.')
+					*cp2 = '\0';
+				badname(log_level, src_name,
+					"; invalid IPv4 octet ", cp);
+				return (ISC_R_FAILURE);
+			}
+			tgt_ip->w[3] |= l << i;
+			cp = cp2 + 1;
+		}
+	} else {
+		/*
+		 * Convert a text IPv6 address.
+		 */
+		*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
+		for (i = 0;
+		     ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
+		     ip_labels--) {
+			if (cp[0] == 'z' && cp[1] == 'z' &&
+			    (cp[2] == '.' || cp[2] == '\0') &&
+			    i <= 6) {
+				do {
+					if ((i & 1) == 0)
+					    tgt_ip->w[3-i/2] = 0;
+					++i;
+				} while (ip_labels + i <= 8);
+				cp += 3;
+			} else {
+				l = strtoul(cp, &cp2, 16);
+				if (l > 0xffffu ||
+				    (*cp2 != '.' && *cp2 != '\0')) {
+					if (*cp2 == '.')
+					    *cp2 = '\0';
+					badname(log_level, src_name,
+						"; invalid IPv6 word ", cp);
+					return (ISC_R_FAILURE);
+				}
+				if ((i & 1) == 0)
+					tgt_ip->w[3-i/2] = l;
+				else
+					tgt_ip->w[3-i/2] |= l << 16;
+				i++;
+				cp = cp2 + 1;
+			}
+		}
+	}
+	if (cp != end) {
+		badname(log_level, src_name, "", "");
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Check for 1s after the prefix length.
+	 */
+	prefix = (dns_rpz_prefix_t)prefix_num;
+	while (prefix < DNS_RPZ_CIDR_KEY_BITS) {
+		dns_rpz_cidr_word_t aword;
+
+		i = prefix % DNS_RPZ_CIDR_WORD_BITS;
+		aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
+		if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
+			badname(log_level, src_name,
+				"; too small prefix length of ", prefix_str);
+			return (ISC_R_FAILURE);
+		}
+		prefix -= i;
+		prefix += DNS_RPZ_CIDR_WORD_BITS;
+	}
+
+	/*
+	 * Complain about bad names but be generous and accept them.
+	 */
+	if (log_level < DNS_RPZ_DEBUG_QUIET &&
+	    isc_log_wouldlog(dns_lctx, log_level)) {
+		/*
+		 * Convert the address back to a canonical domain name
+		 * to ensure that the original name is in canonical form.
+		 */
+		ip_name2 = dns_fixedname_initname(&ip_name2f);
+		result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num,
+				 NULL, ip_name2);
+		if (result != ISC_R_SUCCESS ||
+		    !dns_name_equal(&ip_name, ip_name2)) {
+			dns_name_format(ip_name2, ip2_str, sizeof(ip2_str));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, log_level,
+				      "rpz IP address \"%s\""
+				      " is not the canonical \"%s\"",
+				      ip_str, ip2_str);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Get trigger name and data bits for adding or deleting summary NSDNAME
+ * or QNAME data.
+ */
+static void
+name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	  dns_rpz_type_t rpz_type, const dns_name_t *src_name,
+	  dns_name_t *trig_name, dns_rpz_nm_data_t *new_data)
+{
+	dns_rpz_zone_t *rpz;
+	dns_offsets_t tmp_name_offsets;
+	dns_name_t tmp_name;
+	unsigned int prefix_len, n;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	/*
+	 * Handle wildcards by putting only the parent into the
+	 * summary RBT.  The summary database only causes a check of the
+	 * real policy zone where wildcards will be handled.
+	 */
+	if (dns_name_iswildcard(src_name)) {
+		prefix_len = 1;
+		memset(&new_data->set, 0, sizeof(new_data->set));
+		make_nm_set(&new_data->wild, rpz_num, rpz_type);
+	} else {
+		prefix_len = 0;
+		make_nm_set(&new_data->set, rpz_num, rpz_type);
+		memset(&new_data->wild, 0, sizeof(new_data->wild));
+	}
+
+	dns_name_init(&tmp_name, tmp_name_offsets);
+	n = dns_name_countlabels(src_name);
+	n -= prefix_len;
+	if (rpz_type == DNS_RPZ_TYPE_QNAME)
+		n -= dns_name_countlabels(&rpz->origin);
+	else
+		n -= dns_name_countlabels(&rpz->nsdname);
+	dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name);
+	(void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL);
+}
+
+#ifndef HAVE_BUILTIN_CLZ
+/**
+ * \brief Count Leading Zeros: Find the location of the left-most set
+ * bit.
+ */
+static inline unsigned int
+clz(dns_rpz_cidr_word_t w) {
+	unsigned int bit;
+
+	bit = DNS_RPZ_CIDR_WORD_BITS-1;
+
+	if ((w & 0xffff0000) != 0) {
+		w >>= 16;
+		bit -= 16;
+	}
+
+	if ((w & 0xff00) != 0) {
+		w >>= 8;
+		bit -= 8;
+	}
+
+	if ((w & 0xf0) != 0) {
+		w >>= 4;
+		bit -= 4;
+	}
+
+	if ((w & 0xc) != 0) {
+		w >>= 2;
+		bit -= 2;
+	}
+
+	if ((w & 2) != 0)
+		--bit;
+
+	return (bit);
+}
+#endif
+
+/*
+ * Find the first differing bit in two keys (IP addresses).
+ */
+static int
+diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1,
+	  const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2)
+{
+	dns_rpz_cidr_word_t delta;
+	dns_rpz_prefix_t maxbit, bit;
+	int i;
+
+	bit = 0;
+	maxbit = ISC_MIN(prefix1, prefix2);
+
+	/*
+	 * find the first differing words
+	 */
+	for (i = 0; bit < maxbit; i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
+		delta = key1->w[i] ^ key2->w[i];
+		if (ISC_UNLIKELY(delta != 0)) {
+#ifdef HAVE_BUILTIN_CLZ
+			bit += __builtin_clz(delta);
+#else
+			bit += clz(delta);
+#endif
+			break;
+		}
+	}
+	return (ISC_MIN(bit, maxbit));
+}
+
+/*
+ * Given a hit while searching the radix trees,
+ * clear all bits for higher numbered zones.
+ */
+static inline dns_rpz_zbits_t
+trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) {
+	dns_rpz_zbits_t x;
+
+	/*
+	 * Isolate the first or smallest numbered hit bit.
+	 * Make a mask of that bit and all smaller numbered bits.
+	 */
+	x = zbits & found;
+	x &= (~x + 1);
+	x = (x << 1) - 1;
+	return (zbits &= x);
+}
+
+/*
+ * Search a radix tree for an IP address for ordinary lookup
+ *	or for a CIDR block adding or deleting an entry
+ *
+ * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND,
+ *	    and *found=longest match node
+ *	or with create==true, ISC_R_EXISTS or ISC_R_NOMEMORY
+ */
+static isc_result_t
+search(dns_rpz_zones_t *rpzs,
+       const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
+       const dns_rpz_addr_zbits_t *tgt_set, bool create,
+       dns_rpz_cidr_node_t **found)
+{
+	dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
+	dns_rpz_addr_zbits_t set;
+	int cur_num, child_num;
+	dns_rpz_prefix_t dbit;
+	isc_result_t find_result;
+
+	set = *tgt_set;
+	find_result = ISC_R_NOTFOUND;
+	*found = NULL;
+	cur = rpzs->cidr;
+	parent = NULL;
+	cur_num = 0;
+	for (;;) {
+		if (cur == NULL) {
+			/*
+			 * No child so we cannot go down.
+			 * Quit with whatever we already found
+			 * or add the target as a child of the current parent.
+			 */
+			if (!create)
+				return (find_result);
+			child = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
+			if (child == NULL)
+				return (ISC_R_NOMEMORY);
+			if (parent == NULL)
+				rpzs->cidr = child;
+			else
+				parent->child[cur_num] = child;
+			child->parent = parent;
+			child->set.client_ip |= tgt_set->client_ip;
+			child->set.ip |= tgt_set->ip;
+			child->set.nsip |= tgt_set->nsip;
+			set_sum_pair(child);
+			*found = child;
+			return (ISC_R_SUCCESS);
+		}
+
+		if ((cur->sum.client_ip & set.client_ip) == 0 &&
+		    (cur->sum.ip & set.ip) == 0 &&
+		    (cur->sum.nsip & set.nsip) == 0) {
+			/*
+			 * This node has no relevant data
+			 * and is in none of the target trees.
+			 * Pretend it does not exist if we are not adding.
+			 *
+			 * If we are adding, continue down to eventually add
+			 * a node and mark/put this node in the correct tree.
+			 */
+			if (!create)
+				return (find_result);
+		}
+
+		dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix);
+		/*
+		 * dbit <= tgt_prefix and dbit <= cur->prefix always.
+		 * We are finished searching if we matched all of the target.
+		 */
+		if (dbit == tgt_prefix) {
+			if (tgt_prefix == cur->prefix) {
+				/*
+				 * The node's key matches the target exactly.
+				 */
+				if ((cur->set.client_ip & set.client_ip) != 0 ||
+				    (cur->set.ip & set.ip) != 0 ||
+				    (cur->set.nsip & set.nsip) != 0) {
+					/*
+					 * It is the answer if it has data.
+					 */
+					*found = cur;
+					if (create) {
+					    find_result = ISC_R_EXISTS;
+					} else {
+					    find_result = ISC_R_SUCCESS;
+					}
+				} else if (create) {
+					/*
+					 * The node lacked relevant data,
+					 * but will have it now.
+					 */
+					cur->set.client_ip |= tgt_set->client_ip;
+					cur->set.ip |= tgt_set->ip;
+					cur->set.nsip |= tgt_set->nsip;
+					set_sum_pair(cur);
+					*found = cur;
+					find_result = ISC_R_SUCCESS;
+				}
+				return (find_result);
+			}
+
+			/*
+			 * We know tgt_prefix < cur->prefix which means that
+			 * the target is shorter than the current node.
+			 * Add the target as the current node's parent.
+			 */
+			if (!create)
+				return (find_result);
+
+			new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur);
+			if (new_parent == NULL)
+				return (ISC_R_NOMEMORY);
+			new_parent->parent = parent;
+			if (parent == NULL)
+				rpzs->cidr = new_parent;
+			else
+				parent->child[cur_num] = new_parent;
+			child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix);
+			new_parent->child[child_num] = cur;
+			cur->parent = new_parent;
+			new_parent->set = *tgt_set;
+			set_sum_pair(new_parent);
+			*found = new_parent;
+			return (ISC_R_SUCCESS);
+		}
+
+		if (dbit == cur->prefix) {
+			if ((cur->set.client_ip & set.client_ip) != 0 ||
+			    (cur->set.ip & set.ip) != 0 ||
+			    (cur->set.nsip & set.nsip) != 0) {
+				/*
+				 * We have a partial match between of all of the
+				 * current node but only part of the target.
+				 * Continue searching for other hits in the
+				 * same or lower numbered trees.
+				 */
+				find_result = DNS_R_PARTIALMATCH;
+				*found = cur;
+				set.client_ip = trim_zbits(set.client_ip,
+							   cur->set.client_ip);
+				set.ip = trim_zbits(set.ip,
+						    cur->set.ip);
+				set.nsip = trim_zbits(set.nsip,
+						      cur->set.nsip);
+			}
+			parent = cur;
+			cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+			cur = cur->child[cur_num];
+			continue;
+		}
+
+
+		/*
+		 * dbit < tgt_prefix and dbit < cur->prefix,
+		 * so we failed to match both the target and the current node.
+		 * Insert a fork of a parent above the current node and
+		 * add the target as a sibling of the current node
+		 */
+		if (!create)
+			return (find_result);
+
+		sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
+		if (sibling == NULL)
+			return (ISC_R_NOMEMORY);
+		new_parent = new_node(rpzs, tgt_ip, dbit, cur);
+		if (new_parent == NULL) {
+			isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling));
+			return (ISC_R_NOMEMORY);
+		}
+		new_parent->parent = parent;
+		if (parent == NULL)
+			rpzs->cidr = new_parent;
+		else
+			parent->child[cur_num] = new_parent;
+		child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
+		new_parent->child[child_num] = sibling;
+		new_parent->child[1-child_num] = cur;
+		cur->parent = new_parent;
+		sibling->parent = new_parent;
+		sibling->set = *tgt_set;
+		set_sum_pair(sibling);
+		*found = sibling;
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/*
+ * Add an IP address to the radix tree.
+ */
+static isc_result_t
+add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	 dns_rpz_type_t rpz_type, dns_name_t *src_name)
+{
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_prefix_t tgt_prefix;
+	dns_rpz_addr_zbits_t set;
+	dns_rpz_cidr_node_t *found;
+	isc_result_t result;
+
+	result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type,
+			    src_name, &tgt_ip, &tgt_prefix, &set);
+	/*
+	 * Log complaints about bad owner names but let the zone load.
+	 */
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	result = search(rpzs, &tgt_ip, tgt_prefix, &set, true, &found);
+	if (result != ISC_R_SUCCESS) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		/*
+		 * Do not worry if the radix tree already exists,
+		 * because diff_apply() likes to add nodes before deleting.
+		 */
+		if (result == ISC_R_EXISTS)
+			return (ISC_R_SUCCESS);
+
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		dns_name_format(src_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz add_cidr(%s) failed: %s",
+			      namebuf, isc_result_totext(result));
+		return (result);
+	}
+
+	adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, true);
+	return (result);
+}
+
+static isc_result_t
+add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name,
+	 const dns_rpz_nm_data_t *new_data)
+{
+	dns_rbtnode_t *nmnode;
+	dns_rpz_nm_data_t *nm_data;
+	isc_result_t result;
+
+	nmnode = NULL;
+	result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case ISC_R_EXISTS:
+		nm_data = nmnode->data;
+		if (nm_data == NULL) {
+			nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data));
+			if (nm_data == NULL)
+				return (ISC_R_NOMEMORY);
+			*nm_data = *new_data;
+			nmnode->data = nm_data;
+			return (ISC_R_SUCCESS);
+		}
+		break;
+	default:
+		return (result);
+	}
+
+	/*
+	 * Do not count bits that are already present
+	 */
+	if ((nm_data->set.qname & new_data->set.qname) != 0 ||
+	    (nm_data->set.ns & new_data->set.ns) != 0 ||
+	    (nm_data->wild.qname & new_data->wild.qname) != 0 ||
+	    (nm_data->wild.ns & new_data->wild.ns) != 0)
+		return (ISC_R_EXISTS);
+
+	nm_data->set.qname |= new_data->set.qname;
+	nm_data->set.ns |= new_data->set.ns;
+	nm_data->wild.qname |= new_data->wild.qname;
+	nm_data->wild.ns |= new_data->wild.ns;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	 dns_rpz_type_t rpz_type, dns_name_t *src_name)
+{
+	dns_rpz_nm_data_t new_data;
+	dns_fixedname_t trig_namef;
+	dns_name_t *trig_name;
+	isc_result_t result;
+
+	/*
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
+	 */
+
+	trig_name = dns_fixedname_initname(&trig_namef);
+	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data);
+
+	result = add_nm(rpzs, trig_name, &new_data);
+
+	/*
+	 * Do not worry if the node already exists,
+	 * because diff_apply() likes to add nodes before deleting.
+	 */
+	if (result == ISC_R_EXISTS)
+		return (ISC_R_SUCCESS);
+	if (result == ISC_R_SUCCESS)
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, true);
+	return (result);
+}
+
+/*
+ * Callback to free the data for a node in the summary RBT database.
+ */
+static void
+rpz_node_deleter(void *nm_data, void *mctx) {
+	isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t));
+}
+
+/*
+ * Get ready for a new set of policy zones for a view.
+ */
+isc_result_t
+dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) {
+	dns_rpz_zones_t *new;
+	isc_result_t result;
+
+	REQUIRE(rpzsp != NULL && *rpzsp == NULL);
+
+	*rpzsp = NULL;
+
+	new = isc_mem_get(mctx, sizeof(*new));
+	if (new == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(new, 0, sizeof(*new));
+
+	result = isc_rwlock_init(&new->search_lock, 0, 0);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, new, sizeof(*new));
+		return (result);
+	}
+
+	result = isc_mutex_init(&new->maint_lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_rwlock_destroy(&new->search_lock);
+		isc_mem_put(mctx, new, sizeof(*new));
+		return (result);
+	}
+
+	result = isc_refcount_init(&new->refs, 1);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&new->maint_lock);
+		isc_rwlock_destroy(&new->search_lock);
+		isc_mem_put(mctx, new, sizeof(*new));
+		return (result);
+	}
+
+	result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_decrement(&new->refs, NULL);
+		isc_refcount_destroy(&new->refs);
+		DESTROYLOCK(&new->maint_lock);
+		isc_rwlock_destroy(&new->search_lock);
+		isc_mem_put(mctx, new, sizeof(*new));
+		return (result);
+	}
+
+	isc_mem_attach(mctx, &new->mctx);
+
+	*rpzsp = new;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Free the radix tree of a response policy database.
+ */
+static void
+cidr_free(dns_rpz_zones_t *rpzs) {
+	dns_rpz_cidr_node_t *cur, *child, *parent;
+
+	cur = rpzs->cidr;
+	while (cur != NULL) {
+		/* Depth first. */
+		child = cur->child[0];
+		if (child != NULL) {
+			cur = child;
+			continue;
+		}
+		child = cur->child[1];
+		if (child != NULL) {
+			cur = child;
+			continue;
+		}
+
+		/* Delete this leaf and go up. */
+		parent = cur->parent;
+		if (parent == NULL)
+			rpzs->cidr = NULL;
+		else
+			parent->child[parent->child[1] == cur] = NULL;
+		isc_mem_put(rpzs->mctx, cur, sizeof(*cur));
+		cur = parent;
+	}
+}
+
+/*
+ * Discard a response policy zone blob
+ * before discarding the overall rpz structure.
+ */
+static void
+rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) {
+	dns_rpz_zone_t *rpz;
+	unsigned int refs;
+
+	rpz = *rpzp;
+	*rpzp = NULL;
+	isc_refcount_decrement(&rpz->refs, &refs);
+	if (refs != 0)
+		return;
+	isc_refcount_destroy(&rpz->refs);
+
+	if (dns_name_dynamic(&rpz->origin))
+		dns_name_free(&rpz->origin, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->client_ip))
+		dns_name_free(&rpz->client_ip, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->ip))
+		dns_name_free(&rpz->ip, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->nsdname))
+		dns_name_free(&rpz->nsdname, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->nsip))
+		dns_name_free(&rpz->nsip, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->passthru))
+		dns_name_free(&rpz->passthru, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->drop))
+		dns_name_free(&rpz->drop, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->tcp_only))
+		dns_name_free(&rpz->tcp_only, rpzs->mctx);
+	if (dns_name_dynamic(&rpz->cname))
+		dns_name_free(&rpz->cname, rpzs->mctx);
+
+	isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz));
+}
+
+void
+dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) {
+	REQUIRE(rpzsp != NULL && *rpzsp == NULL);
+	isc_refcount_increment(&rpzs->refs, NULL);
+	*rpzsp = rpzs;
+}
+
+/*
+ * Forget a view's policy zones.
+ */
+void
+dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
+	dns_rpz_zones_t *rpzs;
+	dns_rpz_zone_t *rpz;
+	dns_rpz_num_t rpz_num;
+	unsigned int refs;
+
+	REQUIRE(rpzsp != NULL);
+	rpzs = *rpzsp;
+	REQUIRE(rpzs != NULL);
+
+	*rpzsp = NULL;
+	isc_refcount_decrement(&rpzs->refs, &refs);
+	if (refs > 0)
+		return;
+
+	/*
+	 * Forget the last of view's rpz machinery after the last
+	 * reference.
+	 */
+	for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) {
+		rpz = rpzs->zones[rpz_num];
+		rpzs->zones[rpz_num] = NULL;
+		if (rpz != NULL)
+			rpz_detach(&rpz, rpzs);
+	}
+
+	cidr_free(rpzs);
+	dns_rbt_destroy(&rpzs->rbt);
+	DESTROYLOCK(&rpzs->maint_lock);
+	isc_rwlock_destroy(&rpzs->search_lock);
+	isc_refcount_destroy(&rpzs->refs);
+	isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
+}
+
+/*
+ * Create empty summary database to load one zone.
+ * The RBTDB write tree lock must be held.
+ */
+isc_result_t
+dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
+		  dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
+{
+	dns_rpz_zones_t *load_rpzs;
+	dns_rpz_zone_t *rpz;
+	dns_rpz_zbits_t tgt;
+	isc_result_t result;
+
+	REQUIRE(rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	/*
+	 * When reloading a zone, there are usually records among the summary
+	 * data for the zone.  Some of those records might be deleted by the
+	 * reloaded zone data.  To deal with that case:
+	 *    reload the new zone data into a new blank summary database
+	 *    if the reload fails, discard the new summary database
+	 *    if the new zone data is acceptable, copy the records for the
+	 *	other zones into the new summary CIDR and RBT databases
+	 *	and replace the old summary databases with the new, and
+	 *	correct the triggers and have values for the updated
+	 *	zone.
+	 *
+	 * At the first attempt to load a zone, there is no summary data
+	 * for the zone and so no records that need to be deleted.
+	 * This is also the most common case of policy zone loading.
+	 * Most policy zone maintenance should be by incremental changes
+	 * and so by the addition and deletion of individual records.
+	 * Detect that case and load records the first time into the
+	 * operational summary database
+	 */
+	tgt = DNS_RPZ_ZBIT(rpz_num);
+	LOCK(&rpzs->maint_lock);
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+	if ((rpzs->load_begun & tgt) == 0) {
+		/*
+		 * There is no existing version of the target zone.
+		 */
+		rpzs->load_begun |= tgt;
+		dns_rpz_attach_rpzs(rpzs, load_rpzsp);
+	} else {
+		/*
+		 * Setup the new RPZ struct with empty summary trees.
+		 */
+		result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		load_rpzs = *load_rpzsp;
+		/*
+		 * Initialize some members so that dns_rpz_add() works.
+		 */
+		load_rpzs->p.num_zones = rpzs->p.num_zones;
+		memset(&load_rpzs->triggers, 0, sizeof(load_rpzs->triggers));
+		load_rpzs->zones[rpz_num] = rpz;
+		isc_refcount_increment(&rpz->refs, NULL);
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+	UNLOCK(&rpzs->maint_lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This function updates "have" bits and also the qname_skip_recurse
+ * mask. It must be called when holding a write lock on rpzs->search_lock.
+ */
+static void
+fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
+	dns_rpz_num_t n;
+	dns_rpz_triggers_t old_totals;
+	dns_rpz_zbits_t zbit;
+	char namebuf[DNS_NAME_FORMATSIZE];
+
+	/*
+	 * rpzs->total_triggers is only used to log a message below.
+	 */
+
+	memmove(&old_totals, &rpzs->total_triggers, sizeof(old_totals));
+	memset(&rpzs->total_triggers, 0, sizeof(rpzs->total_triggers));
+
+#define SET_TRIG(n, zbit, type)						\
+	if (rpzs->triggers[n].type == 0U) {				\
+		rpzs->have.type &= ~zbit;				\
+	} else {							\
+		rpzs->total_triggers.type += rpzs->triggers[n].type;	\
+		rpzs->have.type |= zbit;				\
+	}
+
+	for (n = 0; n < rpzs->p.num_zones; ++n) {
+		zbit = DNS_RPZ_ZBIT(n);
+		SET_TRIG(n, zbit, client_ipv4);
+		SET_TRIG(n, zbit, client_ipv6);
+		SET_TRIG(n, zbit, qname);
+		SET_TRIG(n, zbit, ipv4);
+		SET_TRIG(n, zbit, ipv6);
+		SET_TRIG(n, zbit, nsdname);
+		SET_TRIG(n, zbit, nsipv4);
+		SET_TRIG(n, zbit, nsipv6);
+	}
+
+#undef SET_TRIG
+
+	fix_qname_skip_recurse(rpzs);
+
+	dns_name_format(&rpzs->zones[rpz_num]->origin,
+			namebuf, sizeof(namebuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+		      DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL,
+		      "(re)loading policy zone '%s' changed from"
+		      " %lu to %lu qname, %lu to %lu nsdname,"
+		      " %lu to %lu IP, %lu to %lu NSIP,"
+		      " %lu to %lu CLIENTIP entries",
+		      namebuf,
+		      (unsigned long) old_totals.qname,
+		      (unsigned long) rpzs->total_triggers.qname,
+		      (unsigned long) old_totals.nsdname,
+		      (unsigned long) rpzs->total_triggers.nsdname,
+		      (unsigned long) old_totals.ipv4 + old_totals.ipv6,
+		      (unsigned long) (rpzs->total_triggers.ipv4 +
+				       rpzs->total_triggers.ipv6),
+		      (unsigned long) old_totals.nsipv4 + old_totals.nsipv6,
+		      (unsigned long) (rpzs->total_triggers.nsipv4 +
+				       rpzs->total_triggers.nsipv6),
+		      (unsigned long) old_totals.client_ipv4 +
+				      old_totals.client_ipv6,
+		      (unsigned long) (rpzs->total_triggers.client_ipv4 +
+				       rpzs->total_triggers.client_ipv6));
+}
+
+/*
+ * Finish loading one zone. This function is called during a commit when
+ * a RPZ zone loading is complete.  The RBTDB write tree lock must be
+ * held.
+ *
+ * Here, rpzs is a pointer to the view's common rpzs
+ * structure. *load_rpzsp is a rpzs structure that is local to the
+ * RBTDB, which is used during a single zone's load.
+ *
+ * During the zone load, i.e., between dns_rpz_beginload() and
+ * dns_rpz_ready(), only the zone that is being loaded updates
+ * *load_rpzsp. These updates in the summary databases inside load_rpzsp
+ * are made only for the rpz_num (and corresponding bit) of that
+ * zone. Nothing else reads or writes *load_rpzsp. The view's common
+ * rpzs is used during this time for queries.
+ *
+ * When zone loading is complete and we arrive here, the parts of the
+ * summary databases (CIDR and nsdname+qname RBT trees) from the view's
+ * common rpzs struct have to be merged into the summary databases of
+ * *load_rpzsp, as the summary databases of the view's common rpzs
+ * struct may have changed during the time the zone was being loaded.
+ *
+ * The function below carries out the merge. During the merge, it holds
+ * the maint_lock of the view's common rpzs struct so that it is not
+ * updated while the merging is taking place.
+ *
+ * After the merging is carried out, *load_rpzsp contains the most
+ * current state of the rpzs structure, i.e., the summary trees contain
+ * data for the new zone that was just loaded, as well as all other
+ * zones.
+ *
+ * Pointers to the summary databases of *load_rpzsp (CIDR and
+ * nsdname+qname RBT trees) are then swapped into the view's common rpz
+ * struct, so that the query path can continue using it. During the
+ * swap, the search_lock of the view's common rpz struct is acquired so
+ * that queries are paused while this swap occurs.
+ *
+ * The trigger counts for the new zone are also copied into the view's
+ * common rpz struct, and some other summary counts and masks are
+ * updated.
+ */
+isc_result_t
+dns_rpz_ready(dns_rpz_zones_t *rpzs,
+	      dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num)
+{
+	dns_rpz_zones_t *load_rpzs;
+	const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode;
+	dns_rpz_cidr_node_t *found;
+	dns_rpz_zbits_t new_bit;
+	dns_rpz_addr_zbits_t new_ip;
+	dns_rbt_t *rbt;
+	dns_rbtnodechain_t chain;
+	dns_rbtnode_t *nmnode;
+	dns_rpz_nm_data_t *nm_data, new_data;
+	dns_fixedname_t labelf, originf, namef;
+	dns_name_t *label, *origin, *name;
+	isc_result_t result;
+
+	INSIST(rpzs != NULL);
+	LOCK(&rpzs->maint_lock);
+	load_rpzs = *load_rpzsp;
+	INSIST(load_rpzs != NULL);
+
+	if (load_rpzs == rpzs) {
+		/*
+		 * This is a successful initial zone loading, perhaps
+		 * for a new instance of a view.
+		 */
+		RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+		fix_triggers(rpzs, rpz_num);
+		RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+		UNLOCK(&rpzs->maint_lock);
+		dns_rpz_detach_rpzs(load_rpzsp);
+		return (ISC_R_SUCCESS);
+	}
+
+	LOCK(&load_rpzs->maint_lock);
+	RWLOCK(&load_rpzs->search_lock, isc_rwlocktype_write);
+
+	/*
+	 * Unless there is only one policy zone, copy the other policy zones
+	 * from the old policy structure to the new summary databases.
+	 */
+	if (rpzs->p.num_zones > 1) {
+		new_bit = ~DNS_RPZ_ZBIT(rpz_num);
+
+		/*
+		 * Copy to the radix tree.
+		 */
+		for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) {
+			new_ip.ip = cnode->set.ip & new_bit;
+			new_ip.client_ip = cnode->set.client_ip & new_bit;
+			new_ip.nsip = cnode->set.nsip & new_bit;
+			if (new_ip.client_ip != 0 ||
+			    new_ip.ip != 0 ||
+			    new_ip.nsip != 0) {
+				result = search(load_rpzs,
+						&cnode->ip, cnode->prefix,
+						&new_ip, true, &found);
+				if (result == ISC_R_NOMEMORY)
+					goto unlock_and_detach;
+				INSIST(result == ISC_R_SUCCESS);
+			}
+			/*
+			 * Do down and to the left as far as possible.
+			 */
+			next_cnode = cnode->child[0];
+			if (next_cnode != NULL)
+				continue;
+			/*
+			 * Go up until we find a branch to the right where
+			 * we previously took the branch to the left.
+			 */
+			for (;;) {
+				parent_cnode = cnode->parent;
+				if (parent_cnode == NULL)
+					break;
+				if (parent_cnode->child[0] == cnode) {
+					next_cnode = parent_cnode->child[1];
+					if (next_cnode != NULL)
+					    break;
+				}
+				cnode = parent_cnode;
+			}
+		}
+
+		/*
+		 * Copy to the summary RBT.
+		 */
+		dns_fixedname_init(&namef);
+		name = dns_fixedname_name(&namef);
+		dns_fixedname_init(&labelf);
+		label = dns_fixedname_name(&labelf);
+		dns_fixedname_init(&originf);
+		origin = dns_fixedname_name(&originf);
+		dns_rbtnodechain_init(&chain, NULL);
+		result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL);
+		while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+			result = dns_rbtnodechain_current(&chain, label, origin,
+							&nmnode);
+			INSIST(result == ISC_R_SUCCESS);
+			nm_data = nmnode->data;
+			if (nm_data != NULL) {
+				new_data.set.qname = (nm_data->set.qname &
+						      new_bit);
+				new_data.set.ns = nm_data->set.ns & new_bit;
+				new_data.wild.qname = (nm_data->wild.qname &
+						       new_bit);
+				new_data.wild.ns = nm_data->wild.ns & new_bit;
+				if (new_data.set.qname != 0 ||
+				    new_data.set.ns != 0 ||
+				    new_data.wild.qname != 0 ||
+				    new_data.wild.ns != 0) {
+					result = dns_name_concatenate(label,
+							origin, name, NULL);
+					INSIST(result == ISC_R_SUCCESS);
+					result = add_nm(load_rpzs, name,
+							&new_data);
+					if (result != ISC_R_SUCCESS)
+						goto unlock_and_detach;
+				}
+			}
+			result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		}
+		if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+				      "dns_rpz_ready(): unexpected %s",
+				      isc_result_totext(result));
+			goto unlock_and_detach;
+		}
+	}
+
+	/*
+	 * Exchange the summary databases.
+	 */
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	rpzs->triggers[rpz_num] = load_rpzs->triggers[rpz_num];
+	fix_triggers(rpzs, rpz_num);
+
+	found = rpzs->cidr;
+	rpzs->cidr = load_rpzs->cidr;
+	load_rpzs->cidr = found;
+
+	rbt = rpzs->rbt;
+	rpzs->rbt = load_rpzs->rbt;
+	load_rpzs->rbt = rbt;
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	result = ISC_R_SUCCESS;
+
+ unlock_and_detach:
+	UNLOCK(&rpzs->maint_lock);
+	RWUNLOCK(&load_rpzs->search_lock, isc_rwlocktype_write);
+	UNLOCK(&load_rpzs->maint_lock);
+	dns_rpz_detach_rpzs(load_rpzsp);
+	return (result);
+}
+
+/*
+ * Add an IP address to the radix tree or a name to the summary database.
+ */
+isc_result_t
+dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name)
+{
+	dns_rpz_zone_t *rpz;
+	dns_rpz_type_t rpz_type;
+	isc_result_t result = ISC_R_FAILURE;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	rpz_type = type_from_name(rpz, src_name);
+
+	LOCK(&rpzs->maint_lock);
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_QNAME:
+	case DNS_RPZ_TYPE_NSDNAME:
+		result = add_name(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_CLIENT_IP:
+	case DNS_RPZ_TYPE_IP:
+	case DNS_RPZ_TYPE_NSIP:
+		result = add_cidr(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+	UNLOCK(&rpzs->maint_lock);
+	return (result);
+}
+
+/*
+ * Remove an IP address from the radix tree.
+ */
+static void
+del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	 dns_rpz_type_t rpz_type, dns_name_t *src_name)
+{
+	isc_result_t result;
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_prefix_t tgt_prefix;
+	dns_rpz_addr_zbits_t tgt_set;
+	dns_rpz_cidr_node_t *tgt, *parent, *child;
+
+	/*
+	 * Do not worry about invalid rpz IP address names.  If we
+	 * are here, then something relevant was added and so was
+	 * valid.  Invalid names here are usually internal RBTDB nodes.
+	 */
+	result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type,
+			    src_name, &tgt_ip, &tgt_prefix, &tgt_set);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, false, &tgt);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(result == ISC_R_NOTFOUND ||
+		       result == DNS_R_PARTIALMATCH);
+		/*
+		 * Do not worry about missing summary RBT nodes that probably
+		 * correspond to RBTDB nodes that were implicit RBT nodes
+		 * that were later added for (often empty) wildcards
+		 * and then to the RBTDB deferred cleanup list.
+		 */
+		return;
+	}
+
+	/*
+	 * Mark the node and its parents to reflect the deleted IP address.
+	 * Do not count bits that are already clear for internal RBTDB nodes.
+	 */
+	tgt_set.client_ip &= tgt->set.client_ip;
+	tgt_set.ip &= tgt->set.ip;
+	tgt_set.nsip &= tgt->set.nsip;
+	tgt->set.client_ip &= ~tgt_set.client_ip;
+	tgt->set.ip &= ~tgt_set.ip;
+	tgt->set.nsip &= ~tgt_set.nsip;
+	set_sum_pair(tgt);
+
+	adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, false);
+
+	/*
+	 * We might need to delete 2 nodes.
+	 */
+	do {
+		/*
+		 * The node is now useless if it has no data of its own
+		 * and 0 or 1 children.  We are finished if it is not useless.
+		 */
+		if ((child = tgt->child[0]) != NULL) {
+			if (tgt->child[1] != NULL)
+				break;
+		} else {
+			child = tgt->child[1];
+		}
+		if (tgt->set.client_ip != 0 ||
+		    tgt->set.ip != 0 ||
+		    tgt->set.nsip != 0)
+			break;
+
+		/*
+		 * Replace the pointer to this node in the parent with
+		 * the remaining child or NULL.
+		 */
+		parent = tgt->parent;
+		if (parent == NULL) {
+			rpzs->cidr = child;
+		} else {
+			parent->child[parent->child[1] == tgt] = child;
+		}
+		/*
+		 * If the child exists fix up its parent pointer.
+		 */
+		if (child != NULL)
+			child->parent = parent;
+		isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt));
+
+		tgt = parent;
+	} while (tgt != NULL);
+}
+
+static void
+del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	 dns_rpz_type_t rpz_type, dns_name_t *src_name)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t trig_namef;
+	dns_name_t *trig_name;
+	dns_rbtnode_t *nmnode;
+	dns_rpz_nm_data_t *nm_data, del_data;
+	isc_result_t result;
+	bool exists;
+
+	/*
+	 * We need a summary database of names even with 1 policy zone,
+	 * because wildcard triggers are handled differently.
+	 */
+
+	trig_name = dns_fixedname_initname(&trig_namef);
+	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
+
+	nmnode = NULL;
+	result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0,
+				  NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Do not worry about missing summary RBT nodes that probably
+		 * correspond to RBTDB nodes that were implicit RBT nodes
+		 * that were later added for (often empty) wildcards
+		 * and then to the RBTDB deferred cleanup list.
+		 */
+		if (result == ISC_R_NOTFOUND ||
+		    result == DNS_R_PARTIALMATCH)
+			return;
+		dns_name_format(src_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz del_name(%s) node search failed: %s",
+			      namebuf, isc_result_totext(result));
+		return;
+	}
+
+	nm_data = nmnode->data;
+	INSIST(nm_data != NULL);
+
+	/*
+	 * Do not count bits that next existed for RBT nodes that would we
+	 * would not have found in a summary for a single RBTDB tree.
+	 */
+	del_data.set.qname &= nm_data->set.qname;
+	del_data.set.ns &= nm_data->set.ns;
+	del_data.wild.qname &= nm_data->wild.qname;
+	del_data.wild.ns &= nm_data->wild.ns;
+
+	exists = (del_data.set.qname != 0 ||
+		  del_data.set.ns != 0 ||
+		  del_data.wild.qname != 0 ||
+		  del_data.wild.ns != 0);
+
+	nm_data->set.qname &= ~del_data.set.qname;
+	nm_data->set.ns &= ~del_data.set.ns;
+	nm_data->wild.qname &= ~del_data.wild.qname;
+	nm_data->wild.ns &= ~del_data.wild.ns;
+
+	if (nm_data->set.qname == 0 && nm_data->set.ns == 0 &&
+	    nm_data->wild.qname == 0 && nm_data->wild.ns == 0) {
+		result = dns_rbt_deletenode(rpzs->rbt, nmnode, false);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+			 */
+			dns_name_format(src_name, namebuf, sizeof(namebuf));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+				      "rpz del_name(%s) node delete failed: %s",
+				      namebuf, isc_result_totext(result));
+		}
+	}
+
+	if (exists)
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, false);
+}
+
+/*
+ * Remove an IP address from the radix tree or a name from the summary database.
+ */
+void
+dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
+	       dns_name_t *src_name) {
+	dns_rpz_zone_t *rpz;
+	dns_rpz_type_t rpz_type;
+
+	REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
+	rpz = rpzs->zones[rpz_num];
+	REQUIRE(rpz != NULL);
+
+	rpz_type = type_from_name(rpz, src_name);
+
+	LOCK(&rpzs->maint_lock);
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_QNAME:
+	case DNS_RPZ_TYPE_NSDNAME:
+		del_name(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_CLIENT_IP:
+	case DNS_RPZ_TYPE_IP:
+	case DNS_RPZ_TYPE_NSIP:
+		del_cidr(rpzs, rpz_num, rpz_type, src_name);
+		break;
+	case DNS_RPZ_TYPE_BAD:
+		break;
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
+	UNLOCK(&rpzs->maint_lock);
+}
+
+/*
+ * Search the summary radix tree to get a relative owner name in a
+ * policy zone relevant to a triggering IP address.
+ *	rpz_type and zbits limit the search for IP address netaddr
+ *	return the policy zone's number or DNS_RPZ_INVALID_NUM
+ *	ip_name is the relative owner name found and
+ *	*prefixp is its prefix length.
+ */
+dns_rpz_num_t
+dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
+		dns_name_t *ip_name, dns_rpz_prefix_t *prefixp)
+{
+	dns_rpz_cidr_key_t tgt_ip;
+	dns_rpz_addr_zbits_t tgt_set;
+	dns_rpz_cidr_node_t *found;
+	isc_result_t result;
+	dns_rpz_num_t rpz_num;
+	dns_rpz_have_t have;
+	int i;
+
+	LOCK(&rpzs->maint_lock);
+	have = rpzs->have;
+	UNLOCK(&rpzs->maint_lock);
+
+	/*
+	 * Convert IP address to CIDR tree key.
+	 */
+	if (netaddr->family == AF_INET) {
+		tgt_ip.w[0] = 0;
+		tgt_ip.w[1] = 0;
+		tgt_ip.w[2] = ADDR_V4MAPPED;
+		tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
+		switch (rpz_type) {
+		case DNS_RPZ_TYPE_CLIENT_IP:
+			zbits &= have.client_ipv4;
+			break;
+		case DNS_RPZ_TYPE_IP:
+			zbits &= have.ipv4;
+			break;
+		case DNS_RPZ_TYPE_NSIP:
+			zbits &= have.nsipv4;
+			break;
+		default:
+			INSIST(0);
+			break;
+		}
+	} else if (netaddr->family == AF_INET6) {
+		dns_rpz_cidr_key_t src_ip6;
+
+		/*
+		 * Given the int aligned struct in_addr member of netaddr->type
+		 * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
+		 * but some people object.
+		 */
+		memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
+		for (i = 0; i < 4; i++) {
+			tgt_ip.w[i] = ntohl(src_ip6.w[i]);
+		}
+		switch (rpz_type) {
+		case DNS_RPZ_TYPE_CLIENT_IP:
+			zbits &= have.client_ipv6;
+			break;
+		case DNS_RPZ_TYPE_IP:
+			zbits &= have.ipv6;
+			break;
+		case DNS_RPZ_TYPE_NSIP:
+			zbits &= have.nsipv6;
+			break;
+		default:
+			INSIST(0);
+			break;
+		}
+	} else {
+		return (DNS_RPZ_INVALID_NUM);
+	}
+
+	if (zbits == 0)
+		return (DNS_RPZ_INVALID_NUM);
+	make_addr_set(&tgt_set, zbits, rpz_type);
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	result = search(rpzs, &tgt_ip, 128, &tgt_set, false, &found);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * There are no eligible zones for this IP address.
+		 */
+		RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+		return (DNS_RPZ_INVALID_NUM);
+	}
+
+	/*
+	 * Construct the trigger name for the longest matching trigger
+	 * in the first eligible zone with a match.
+	 */
+	*prefixp = found->prefix;
+	switch (rpz_type) {
+	case DNS_RPZ_TYPE_CLIENT_IP:
+		rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip);
+		break;
+	case DNS_RPZ_TYPE_IP:
+		rpz_num = zbit_to_num(found->set.ip & tgt_set.ip);
+		break;
+	case DNS_RPZ_TYPE_NSIP:
+		rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip);
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+	result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name);
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "rpz ip2name() failed: %s",
+			      isc_result_totext(result));
+		return (DNS_RPZ_INVALID_NUM);
+	}
+	return (rpz_num);
+}
+
+/*
+ * Search the summary radix tree for policy zones with triggers matching
+ * a name.
+ */
+dns_rpz_zbits_t
+dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
+		  dns_rpz_zbits_t zbits, dns_name_t *trig_name)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rbtnode_t *nmnode;
+	const dns_rpz_nm_data_t *nm_data;
+	dns_rpz_zbits_t found_zbits;
+	isc_result_t result;
+
+	if (zbits == 0)
+		return (0);
+
+	found_zbits = 0;
+
+	RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+
+	nmnode = NULL;
+	result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		nm_data = nmnode->data;
+		if (nm_data != NULL) {
+			if (rpz_type == DNS_RPZ_TYPE_QNAME)
+				found_zbits = nm_data->set.qname;
+			else
+				found_zbits = nm_data->set.ns;
+		}
+		nmnode = nmnode->parent;
+		/* fall thru */
+	case DNS_R_PARTIALMATCH:
+		while (nmnode != NULL) {
+			nm_data = nmnode->data;
+			if (nm_data != NULL) {
+				if (rpz_type == DNS_RPZ_TYPE_QNAME)
+					found_zbits |= nm_data->wild.qname;
+				else
+					found_zbits |= nm_data->wild.ns;
+			}
+			nmnode = nmnode->parent;
+		}
+		break;
+
+	case ISC_R_NOTFOUND:
+		break;
+
+	default:
+		/*
+		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
+		 */
+		dns_name_format(trig_name, namebuf, sizeof(namebuf));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
+			      "dns_rpz_find_name(%s) failed: %s",
+			      namebuf, isc_result_totext(result));
+		break;
+	}
+
+	RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
+	return (zbits & found_zbits);
+}
+
+/*
+ * Translate CNAME rdata to a QNAME response policy action.
+ */
+dns_rpz_policy_t
+dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
+		     dns_name_t *selfname)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_cname_t cname;
+	isc_result_t result;
+
+	result = dns_rdataset_first(rdataset);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &cname, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+
+	/*
+	 * CNAME . means NXDOMAIN
+	 */
+	if (dns_name_equal(&cname.cname, dns_rootname))
+		return (DNS_RPZ_POLICY_NXDOMAIN);
+
+	if (dns_name_iswildcard(&cname.cname)) {
+		/*
+		 * CNAME *. means NODATA
+		 */
+		if (dns_name_countlabels(&cname.cname) == 2)
+			return (DNS_RPZ_POLICY_NODATA);
+
+		/*
+		 * A qname of www.evil.com and a policy of
+		 *	*.evil.com    CNAME   *.garden.net
+		 * gives a result of
+		 *	evil.com    CNAME   evil.com.garden.net
+		 */
+		if (dns_name_countlabels(&cname.cname) > 2)
+			return (DNS_RPZ_POLICY_WILDCNAME);
+	}
+
+	/*
+	 * CNAME rpz-tcp-only. means "send truncated UDP responses."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->tcp_only))
+		return (DNS_RPZ_POLICY_TCP_ONLY);
+
+	/*
+	 * CNAME rpz-drop. means "do not respond."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->drop))
+		return (DNS_RPZ_POLICY_DROP);
+
+	/*
+	 * CNAME rpz-passthru. means "do not rewrite."
+	 */
+	if (dns_name_equal(&cname.cname, &rpz->passthru))
+		return (DNS_RPZ_POLICY_PASSTHRU);
+
+	/*
+	 * 128.1.0.127.rpz-ip CNAME  128.1.0.0.127. is obsolete PASSTHRU
+	 */
+	if (selfname != NULL && dns_name_equal(&cname.cname, selfname))
+		return (DNS_RPZ_POLICY_PASSTHRU);
+
+	/*
+	 * Any other rdata gives a response consisting of the rdata.
+	 */
+	return (DNS_RPZ_POLICY_RECORD);
+}
diff --git a/lib/dns/rriterator.c b/lib/dns/rriterator.c
new file mode 100644
index 0000000..3a6b9a1
--- /dev/null
+++ b/lib/dns/rriterator.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+
+/***
+ *** RRiterator methods
+ ***/
+
+isc_result_t
+dns_rriterator_init(dns_rriterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+		    isc_stdtime_t now)
+{
+	isc_result_t result;
+	it->magic = RRITERATOR_MAGIC;
+	it->db = db;
+	it->dbit = NULL;
+	it->ver = ver;
+	it->now = now;
+	it->node = NULL;
+	result = dns_db_createiterator(it->db, 0, &it->dbit);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	it->rdatasetit = NULL;
+	dns_rdata_init(&it->rdata);
+	dns_rdataset_init(&it->rdataset);
+	dns_fixedname_init(&it->fixedname);
+	INSIST(! dns_rdataset_isassociated(&it->rdataset));
+	it->result = ISC_R_SUCCESS;
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_first(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	/* Reset state */
+	if (dns_rdataset_isassociated(&it->rdataset))
+		dns_rdataset_disassociate(&it->rdataset);
+	if (it->rdatasetit != NULL)
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+	if (it->node != NULL)
+		dns_db_detachnode(it->db, &it->node);
+	it->result = dns_dbiterator_first(it->dbit);
+
+	/*
+	 * The top node may be empty when out of zone glue exists.
+	 * Walk the tree to find the first node with data.
+	 */
+	while (it->result == ISC_R_SUCCESS) {
+		it->result = dns_dbiterator_current(it->dbit, &it->node,
+					   dns_fixedname_name(&it->fixedname));
+		if (it->result != ISC_R_SUCCESS)
+			return (it->result);
+
+		it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
+						 it->now, &it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS)
+			return (it->result);
+
+		it->result = dns_rdatasetiter_first(it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS) {
+			/*
+			 * This node is empty. Try next node.
+			 */
+			dns_rdatasetiter_destroy(&it->rdatasetit);
+			dns_db_detachnode(it->db, &it->node);
+			it->result = dns_dbiterator_next(it->dbit);
+			continue;
+		}
+		dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+		dns_rdataset_getownercase(&it->rdataset,
+					  dns_fixedname_name(&it->fixedname));
+		it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+		it->result = dns_rdataset_first(&it->rdataset);
+		return (it->result);
+	}
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_nextrrset(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (dns_rdataset_isassociated(&it->rdataset))
+		dns_rdataset_disassociate(&it->rdataset);
+	it->result = dns_rdatasetiter_next(it->rdatasetit);
+	/*
+	 * The while loop body is executed more than once
+	 * only when an empty dbnode needs to be skipped.
+	 */
+	while (it->result == ISC_R_NOMORE) {
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+		dns_db_detachnode(it->db, &it->node);
+		it->result = dns_dbiterator_next(it->dbit);
+		if (it->result == ISC_R_NOMORE) {
+			/* We are at the end of the entire database. */
+			return (it->result);
+		}
+		if (it->result != ISC_R_SUCCESS)
+			return (it->result);
+		it->result = dns_dbiterator_current(it->dbit, &it->node,
+					   dns_fixedname_name(&it->fixedname));
+		if (it->result != ISC_R_SUCCESS)
+			return (it->result);
+		it->result = dns_db_allrdatasets(it->db, it->node, it->ver,
+						 it->now, &it->rdatasetit);
+		if (it->result != ISC_R_SUCCESS)
+			return (it->result);
+		it->result = dns_rdatasetiter_first(it->rdatasetit);
+	}
+	if (it->result != ISC_R_SUCCESS)
+		return (it->result);
+	dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+	dns_rdataset_getownercase(&it->rdataset,
+				  dns_fixedname_name(&it->fixedname));
+	it->rdataset.attributes |= DNS_RDATASETATTR_LOADORDER;
+	it->result = dns_rdataset_first(&it->rdataset);
+	return (it->result);
+}
+
+isc_result_t
+dns_rriterator_next(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (it->result != ISC_R_SUCCESS)
+		return (it->result);
+
+	INSIST(it->dbit != NULL);
+	INSIST(it->node != NULL);
+	INSIST(it->rdatasetit != NULL);
+
+	it->result = dns_rdataset_next(&it->rdataset);
+	if (it->result == ISC_R_NOMORE)
+		return (dns_rriterator_nextrrset(it));
+	return (it->result);
+}
+
+void
+dns_rriterator_pause(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
+}
+
+void
+dns_rriterator_destroy(dns_rriterator_t *it) {
+	REQUIRE(VALID_RRITERATOR(it));
+	if (dns_rdataset_isassociated(&it->rdataset))
+		dns_rdataset_disassociate(&it->rdataset);
+	if (it->rdatasetit != NULL)
+		dns_rdatasetiter_destroy(&it->rdatasetit);
+	if (it->node != NULL)
+		dns_db_detachnode(it->db, &it->node);
+	dns_dbiterator_destroy(&it->dbit);
+}
+
+void
+dns_rriterator_current(dns_rriterator_t *it, dns_name_t **name,
+		       uint32_t *ttl, dns_rdataset_t **rdataset,
+		       dns_rdata_t **rdata)
+{
+	REQUIRE(name != NULL && *name == NULL);
+	REQUIRE(VALID_RRITERATOR(it));
+	REQUIRE(it->result == ISC_R_SUCCESS);
+	REQUIRE(rdataset == NULL || *rdataset == NULL);
+	REQUIRE(rdata == NULL || *rdata == NULL);
+
+	*name = dns_fixedname_name(&it->fixedname);
+	*ttl = it->rdataset.ttl;
+
+	dns_rdata_reset(&it->rdata);
+	dns_rdataset_current(&it->rdataset, &it->rdata);
+
+	if (rdataset != NULL)
+		*rdataset = &it->rdataset;
+
+	if (rdata != NULL)
+		*rdata = &it->rdata;
+}
diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c
new file mode 100644
index 0000000..cb7e7b6
--- /dev/null
+++ b/lib/dns/rrl.c
@@ -0,0 +1,1320 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * Rate limit DNS responses.
+ */
+
+/* #define ISC_LIST_CHECKINIT */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/rcode.h>
+#include <dns/rdatatype.h>
+#include <dns/rdataclass.h>
+#include <dns/log.h>
+#include <dns/rrl.h>
+#include <dns/view.h>
+
+static void
+log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, bool early,
+	char *log_buf, unsigned int log_buf_len);
+
+/*
+ * Get a modulus for a hash function that is tolerably likely to be
+ * relatively prime to most inputs.  Of course, we get a prime for for initial
+ * values not larger than the square of the last prime.  We often get a prime
+ * after that.
+ * This works well in practice for hash tables up to at least 100
+ * times the square of the last prime and better than a multiplicative hash.
+ */
+static int
+hash_divisor(unsigned int initial) {
+	static uint16_t primes[] = {
+		  3,   5,   7,  11,  13,  17,  19,  23,  29,  31,  37,  41,
+		 43,  47,  53,  59,  61,  67,  71,  73,  79,  83,  89,  97,
+#if 0
+		101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157,
+		163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
+		229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283,
+		293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367,
+		373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439,
+		443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
+		521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599,
+		601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661,
+		673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751,
+		757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
+		839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919,
+		929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,1009,
+#endif
+	};
+	int divisions, tries;
+	unsigned int result;
+	uint16_t *pp, p;
+
+	result = initial;
+
+	if (primes[sizeof(primes)/sizeof(primes[0])-1] >= result) {
+		pp = primes;
+		while (*pp < result)
+			++pp;
+		return (*pp);
+	}
+
+	if ((result & 1) == 0)
+		++result;
+
+	divisions = 0;
+	tries = 1;
+	pp = primes;
+	do {
+		p = *pp++;
+		++divisions;
+		if ((result % p) == 0) {
+			++tries;
+			result += 2;
+			pp = primes;
+		}
+	} while (pp < &primes[sizeof(primes) / sizeof(primes[0])]);
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3,
+			      "%d hash_divisor() divisions in %d tries"
+			      " to get %d from %d",
+			      divisions, tries, result, initial);
+
+	return (result);
+}
+
+/*
+ * Convert a timestamp to a number of seconds in the past.
+ */
+static inline int
+delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) {
+	int delta;
+
+	delta = now - ts;
+	if (delta >= 0)
+		return (delta);
+
+	/*
+	 * The timestamp is in the future.  That future might result from
+	 * re-ordered requests, because we use timestamps on requests
+	 * instead of consulting a clock.  Timestamps in the distant future are
+	 * assumed to result from clock changes.  When the clock changes to
+	 * the past, make existing timestamps appear to be in the past.
+	 */
+	if (delta < -DNS_RRL_MAX_TIME_TRAVEL)
+		return (DNS_RRL_FOREVER);
+	return (0);
+}
+
+static inline int
+get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) {
+	if (!e->ts_valid)
+		return (DNS_RRL_FOREVER);
+	return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now));
+}
+
+static inline void
+set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) {
+	dns_rrl_entry_t *e_old;
+	unsigned int ts_gen;
+	int i, ts;
+
+	ts_gen = rrl->ts_gen;
+	ts = now - rrl->ts_bases[ts_gen];
+	if (ts < 0) {
+		if (ts < -DNS_RRL_MAX_TIME_TRAVEL)
+			ts = DNS_RRL_FOREVER;
+		else
+			ts = 0;
+	}
+
+	/*
+	 * Make a new timestamp base if the current base is too old.
+	 * All entries older than DNS_RRL_MAX_WINDOW seconds are ancient,
+	 * useless history.  Their timestamps can be treated as if they are
+	 * all the same.
+	 * We only do arithmetic on more recent timestamps, so bases for
+	 * older timestamps can be recycled provided the old timestamps are
+	 * marked as ancient history.
+	 * This loop is almost always very short because most entries are
+	 * recycled after one second and any entries that need to be marked
+	 * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds.
+	 */
+	if (ts >= DNS_RRL_MAX_TS) {
+		ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES;
+		for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0;
+		     e_old != NULL && (e_old->ts_gen == ts_gen ||
+				       !ISC_LINK_LINKED(e_old, hlink));
+		     e_old = ISC_LIST_PREV(e_old, lru), ++i)
+		{
+			e_old->ts_valid = false;
+		}
+		if (i != 0)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+				      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1,
+				      "rrl new time base scanned %d entries"
+				      " at %d for %d %d %d %d",
+				      i, now, rrl->ts_bases[ts_gen],
+				      rrl->ts_bases[(ts_gen + 1) %
+					DNS_RRL_TS_BASES],
+				      rrl->ts_bases[(ts_gen + 2) %
+					DNS_RRL_TS_BASES],
+				      rrl->ts_bases[(ts_gen + 3) %
+					DNS_RRL_TS_BASES]);
+		rrl->ts_gen = ts_gen;
+		rrl->ts_bases[ts_gen] = now;
+		ts = 0;
+	}
+
+	e->ts_gen = ts_gen;
+	e->ts = ts;
+	e->ts_valid = true;
+}
+
+static isc_result_t
+expand_entries(dns_rrl_t *rrl, int newsize) {
+	unsigned int bsize;
+	dns_rrl_block_t *b;
+	dns_rrl_entry_t *e;
+	double rate;
+	int i;
+
+	if (rrl->num_entries + newsize >= rrl->max_entries &&
+	    rrl->max_entries != 0)
+	{
+		newsize = rrl->max_entries - rrl->num_entries;
+		if (newsize <= 0)
+			return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Log expansions so that the user can tune max-table-size
+	 * and min-table-size.
+	 */
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) &&
+	    rrl->hash != NULL) {
+		rate = rrl->probes;
+		if (rrl->searches != 0)
+			rate /= rrl->searches;
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "increase from %d to %d RRL entries with"
+			      " %d bins; average search length %.1f",
+			      rrl->num_entries, rrl->num_entries+newsize,
+			      rrl->hash->length, rate);
+	}
+
+	bsize = sizeof(dns_rrl_block_t) + (newsize-1)*sizeof(dns_rrl_entry_t);
+	b = isc_mem_get(rrl->mctx, bsize);
+	if (b == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL,
+			      "isc_mem_get(%d) failed for RRL entries",
+			      bsize);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(b, 0, bsize);
+	b->size = bsize;
+
+	e = b->entries;
+	for (i = 0; i < newsize; ++i, ++e) {
+		ISC_LINK_INIT(e, hlink);
+		ISC_LIST_INITANDAPPEND(rrl->lru, e, lru);
+	}
+	rrl->num_entries += newsize;
+	ISC_LIST_INITANDAPPEND(rrl->blocks, b, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline dns_rrl_bin_t *
+get_bin(dns_rrl_hash_t *hash, unsigned int hval) {
+	INSIST(hash != NULL);
+	return (&hash->bins[hval % hash->length]);
+}
+
+static void
+free_old_hash(dns_rrl_t *rrl) {
+	dns_rrl_hash_t *old_hash;
+	dns_rrl_bin_t *old_bin;
+	dns_rrl_entry_t *e, *e_next;
+
+	old_hash = rrl->old_hash;
+	for (old_bin = &old_hash->bins[0];
+	     old_bin < &old_hash->bins[old_hash->length];
+	     ++old_bin)
+	{
+		for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) {
+			e_next = ISC_LIST_NEXT(e, hlink);
+			ISC_LINK_INIT(e, hlink);
+		}
+	}
+
+	isc_mem_put(rrl->mctx, old_hash,
+		    sizeof(*old_hash)
+		      + (old_hash->length - 1) * sizeof(old_hash->bins[0]));
+	rrl->old_hash = NULL;
+}
+
+static isc_result_t
+expand_rrl_hash(dns_rrl_t *rrl, isc_stdtime_t now) {
+	dns_rrl_hash_t *hash;
+	int old_bins, new_bins, hsize;
+	double rate;
+
+	if (rrl->old_hash != NULL)
+		free_old_hash(rrl);
+
+	/*
+	 * Most searches fail and so go to the end of the chain.
+	 * Use a small hash table load factor.
+	 */
+	old_bins = (rrl->hash == NULL) ? 0 : rrl->hash->length;
+	new_bins = old_bins/8 + old_bins;
+	if (new_bins < rrl->num_entries)
+		new_bins = rrl->num_entries;
+	new_bins = hash_divisor(new_bins);
+
+	hsize = sizeof(dns_rrl_hash_t) + (new_bins-1)*sizeof(hash->bins[0]);
+	hash = isc_mem_get(rrl->mctx, hsize);
+	if (hash == NULL) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL,
+			      "isc_mem_get(%d) failed for"
+			      " RRL hash table",
+			      hsize);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(hash, 0, hsize);
+	hash->length = new_bins;
+	rrl->hash_gen ^= 1;
+	hash->gen = rrl->hash_gen;
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && old_bins != 0) {
+		rate = rrl->probes;
+		if (rrl->searches != 0)
+			rate /= rrl->searches;
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "increase from %d to %d RRL bins for"
+			      " %d entries; average search length %.1f",
+			      old_bins, new_bins, rrl->num_entries, rate);
+	}
+
+	rrl->old_hash = rrl->hash;
+	if (rrl->old_hash != NULL)
+		rrl->old_hash->check_time = now;
+	rrl->hash = hash;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+ref_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, int probes, isc_stdtime_t now) {
+	/*
+	 * Make the entry most recently used.
+	 */
+	if (ISC_LIST_HEAD(rrl->lru) != e) {
+		if (e == rrl->last_logged)
+			rrl->last_logged = ISC_LIST_PREV(e, lru);
+		ISC_LIST_UNLINK(rrl->lru, e, lru);
+		ISC_LIST_PREPEND(rrl->lru, e, lru);
+	}
+
+	/*
+	 * Expand the hash table if it is time and necessary.
+	 * This will leave the newly referenced entry in a chain in the
+	 * old hash table.  It will migrate to the new hash table the next
+	 * time it is used or be cut loose when the old hash table is destroyed.
+	 */
+	rrl->probes += probes;
+	++rrl->searches;
+	if (rrl->searches > 100 &&
+	    delta_rrl_time(rrl->hash->check_time, now) > 1) {
+		if (rrl->probes/rrl->searches > 2)
+			expand_rrl_hash(rrl, now);
+		rrl->hash->check_time = now;
+		rrl->probes = 0;
+		rrl->searches = 0;
+	}
+}
+
+static inline bool
+key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) {
+	if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0)
+		return (true);
+	return (false);
+}
+
+static inline uint32_t
+hash_key(const dns_rrl_key_t *key) {
+	uint32_t hval;
+	int i;
+
+	hval = key->w[0];
+	for (i = sizeof(key->w) / sizeof(key->w[0]) - 1; i >= 0; --i) {
+		hval = key->w[i] + (hval<<1);
+	}
+	return (hval);
+}
+
+/*
+ * Construct the hash table key.
+ * Use a hash of the DNS query name to save space in the database.
+ * Collisions result in legitimate rate limiting responses for one
+ * query name also limiting responses for other names to the
+ * same client.  This is rare and benign enough given the large
+ * space costs compared to keeping the entire name in the database
+ * entry or the time costs of dynamic allocation.
+ */
+static void
+make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key,
+	 const isc_sockaddr_t *client_addr,
+	 dns_rdatatype_t qtype, dns_name_t *qname, dns_rdataclass_t qclass,
+	 dns_rrl_rtype_t rtype)
+{
+	dns_name_t base;
+	dns_offsets_t base_offsets;
+	int labels, i;
+
+	memset(key, 0, sizeof(*key));
+
+	key->s.rtype = rtype;
+	if (rtype == DNS_RRL_RTYPE_QUERY) {
+		key->s.qtype = qtype;
+		key->s.qclass = qclass & 0xff;
+	} else if (rtype == DNS_RRL_RTYPE_REFERRAL ||
+		   rtype == DNS_RRL_RTYPE_NODATA) {
+		/*
+		 * Because there is no qtype in the empty answer sections of
+		 * referral and NODATA responses, count them as the same.
+		 */
+		key->s.qclass = qclass & 0xff;
+	}
+
+	if (qname != NULL && qname->labels != 0) {
+		/*
+		 * Ignore the first label of wildcards.
+		 */
+		if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 &&
+		    (labels = dns_name_countlabels(qname)) > 1)
+		{
+			dns_name_init(&base, base_offsets);
+			dns_name_getlabelsequence(qname, 1, labels-1, &base);
+			key->s.qname_hash =
+				dns_name_fullhash(&base, false);
+		} else {
+			key->s.qname_hash =
+				dns_name_fullhash(qname, false);
+		}
+	}
+
+	switch (client_addr->type.sa.sa_family) {
+	case AF_INET:
+		key->s.ip[0] = (client_addr->type.sin.sin_addr.s_addr &
+			      rrl->ipv4_mask);
+		break;
+	case AF_INET6:
+		key->s.ipv6 = true;
+		memmove(key->s.ip, &client_addr->type.sin6.sin6_addr,
+			sizeof(key->s.ip));
+		for (i = 0; i < DNS_RRL_MAX_PREFIX/32; ++i)
+			key->s.ip[i] &= rrl->ipv6_mask[i];
+		break;
+	}
+}
+
+static inline dns_rrl_rate_t *
+get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) {
+	switch (rtype) {
+	case DNS_RRL_RTYPE_QUERY:
+		return (&rrl->responses_per_second);
+	case DNS_RRL_RTYPE_REFERRAL:
+		return (&rrl->referrals_per_second);
+	case DNS_RRL_RTYPE_NODATA:
+		return (&rrl->nodata_per_second);
+	case DNS_RRL_RTYPE_NXDOMAIN:
+		return (&rrl->nxdomains_per_second);
+	case DNS_RRL_RTYPE_ERROR:
+		return (&rrl->errors_per_second);
+	case DNS_RRL_RTYPE_ALL:
+		return (&rrl->all_per_second);
+	default:
+		INSIST(0);
+	}
+	return (NULL);
+}
+
+static int
+response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
+	dns_rrl_rate_t *ratep;
+	int balance, rate;
+
+	if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) {
+		rate = 1;
+	} else {
+		ratep = get_rate(rrl, e->key.s.rtype);
+		rate = ratep->scaled;
+	}
+
+	balance = e->responses + age * rate;
+	if (balance > rate)
+		balance = rate;
+	return (balance);
+}
+
+/*
+ * Search for an entry for a response and optionally create it.
+ */
+static dns_rrl_entry_t *
+get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
+	  dns_rdataclass_t qclass, dns_rdatatype_t qtype, dns_name_t *qname,
+	  dns_rrl_rtype_t rtype, isc_stdtime_t now, bool create,
+	  char *log_buf, unsigned int log_buf_len)
+{
+	dns_rrl_key_t key;
+	uint32_t hval;
+	dns_rrl_entry_t *e;
+	dns_rrl_hash_t *hash;
+	dns_rrl_bin_t *new_bin, *old_bin;
+	int probes, age;
+
+	make_key(rrl, &key, client_addr, qtype, qname, qclass, rtype);
+	hval = hash_key(&key);
+
+	/*
+	 * Look for the entry in the current hash table.
+	 */
+	new_bin = get_bin(rrl->hash, hval);
+	probes = 1;
+	e = ISC_LIST_HEAD(*new_bin);
+	while (e != NULL) {
+		if (key_cmp(&e->key, &key)) {
+			ref_entry(rrl, e, probes, now);
+			return (e);
+		}
+		++probes;
+		e = ISC_LIST_NEXT(e, hlink);
+	}
+
+	/*
+	 * Look in the old hash table.
+	 */
+	if (rrl->old_hash != NULL) {
+		old_bin = get_bin(rrl->old_hash, hval);
+		e = ISC_LIST_HEAD(*old_bin);
+		while (e != NULL) {
+			if (key_cmp(&e->key, &key)) {
+				ISC_LIST_UNLINK(*old_bin, e, hlink);
+				ISC_LIST_PREPEND(*new_bin, e, hlink);
+				e->hash_gen = rrl->hash_gen;
+				ref_entry(rrl, e, probes, now);
+				return (e);
+			}
+			e = ISC_LIST_NEXT(e, hlink);
+		}
+
+		/*
+		 * Discard prevous hash table when all of its entries are old.
+		 */
+		age = delta_rrl_time(rrl->old_hash->check_time, now);
+		if (age > rrl->window)
+			free_old_hash(rrl);
+	}
+
+	if (!create)
+		return (NULL);
+
+	/*
+	 * The entry does not exist, so create it by finding a free entry.
+	 * Keep currently penalized and logged entries.
+	 * Try to make more entries if none are idle.
+	 * Steal the oldest entry if we cannot create more.
+	 */
+	for (e = ISC_LIST_TAIL(rrl->lru);
+	     e != NULL;
+	     e = ISC_LIST_PREV(e, lru))
+	{
+		if (!ISC_LINK_LINKED(e, hlink))
+			break;
+		age = get_age(rrl, e, now);
+		if (age <= 1) {
+			e = NULL;
+			break;
+		}
+		if (!e->logged && response_balance(rrl, e, age) > 0)
+			break;
+	}
+	if (e == NULL) {
+		expand_entries(rrl, ISC_MIN((rrl->num_entries+1)/2, 1000));
+		e = ISC_LIST_TAIL(rrl->lru);
+	}
+	if (e->logged)
+		log_end(rrl, e, true, log_buf, log_buf_len);
+	if (ISC_LINK_LINKED(e, hlink)) {
+		if (e->hash_gen == rrl->hash_gen)
+			hash = rrl->hash;
+		else
+			hash = rrl->old_hash;
+		old_bin = get_bin(hash, hash_key(&e->key));
+		ISC_LIST_UNLINK(*old_bin, e, hlink);
+	}
+	ISC_LIST_PREPEND(*new_bin, e, hlink);
+	e->hash_gen = rrl->hash_gen;
+	e->key = key;
+	e->ts_valid = false;
+	ref_entry(rrl, e, probes, now);
+	return (e);
+}
+
+static void
+debit_log(const dns_rrl_entry_t *e, int age, const char *action) {
+	char buf[sizeof("age=12345678")];
+	const char *age_str;
+
+	if (age == DNS_RRL_FOREVER) {
+		age_str = "";
+	} else {
+		snprintf(buf, sizeof(buf), "age=%d", age);
+		age_str = buf;
+	}
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+		      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3,
+		      "rrl %08x %6s  responses=%-3d %s",
+		      hash_key(&e->key), age_str, e->responses, action);
+}
+
+static inline dns_rrl_result_t
+debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale,
+		const isc_sockaddr_t *client_addr, isc_stdtime_t now,
+		char *log_buf, unsigned int log_buf_len)
+{
+	int rate, new_rate, slip, new_slip, age, log_secs, min;
+	dns_rrl_rate_t *ratep;
+	dns_rrl_entry_t const *credit_e;
+
+	/*
+	 * Pick the rate counter.
+	 * Optionally adjust the rate by the estimated query/second rate.
+	 */
+	ratep = get_rate(rrl, e->key.s.rtype);
+	rate = ratep->r;
+	if (rate == 0)
+		return (DNS_RRL_RESULT_OK);
+
+	if (scale < 1.0) {
+		/*
+		 * The limit for clients that have used TCP is not scaled.
+		 */
+		credit_e = get_entry(rrl, client_addr,
+				     0, dns_rdatatype_none, NULL,
+				     DNS_RRL_RTYPE_TCP, now, false,
+				     log_buf, log_buf_len);
+		if (credit_e != NULL) {
+			age = get_age(rrl, e, now);
+			if (age < rrl->window)
+				scale = 1.0;
+		}
+	}
+	if (scale < 1.0) {
+		new_rate = (int) (rate * scale);
+		if (new_rate < 1)
+			new_rate = 1;
+		if (ratep->scaled != new_rate) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+				      DNS_LOGMODULE_REQUEST,
+				      DNS_RRL_LOG_DEBUG1,
+				      "%d qps scaled %s by %.2f"
+				      " from %d to %d",
+				      (int)qps, ratep->str, scale,
+				      rate, new_rate);
+			rate = new_rate;
+			ratep->scaled = rate;
+		}
+	}
+
+	min = -rrl->window * rate;
+
+	/*
+	 * Treat time jumps into the recent past as no time.
+	 * Treat entries older than the window as if they were just created
+	 * Credit other entries.
+	 */
+	age = get_age(rrl, e, now);
+	if (age > 0) {
+		/*
+		 * Credit tokens earned during elapsed time.
+		 */
+		if (age > rrl->window) {
+			e->responses = rate;
+			e->slip_cnt = 0;
+		} else {
+			e->responses += rate*age;
+			if (e->responses > rate) {
+				e->responses = rate;
+				e->slip_cnt = 0;
+			}
+		}
+		/*
+		 * Find the seconds since last log message without overflowing
+		 * small counter.  This counter is reset when an entry is
+		 * created.  It is not necessarily reset when some requests
+		 * are answered provided other requests continue to be dropped
+		 * or slipped.  This can happen when the request rate is just
+		 * at the limit.
+		 */
+		if (e->logged) {
+			log_secs = e->log_secs;
+			log_secs += age;
+			if (log_secs > DNS_RRL_MAX_LOG_SECS || log_secs < 0)
+				log_secs = DNS_RRL_MAX_LOG_SECS;
+			e->log_secs = log_secs;
+		}
+	}
+	set_age(rrl, e, now);
+
+	/*
+	 * Debit the entry for this response.
+	 */
+	if (--e->responses >= 0) {
+		if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+			debit_log(e, age, "");
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	if (e->responses < min)
+		e->responses = min;
+
+	/*
+	 * Drop this response unless it should slip or leak.
+	 */
+	slip = rrl->slip.r;
+	if (slip > 2 && scale < 1.0) {
+		new_slip = (int) (slip * scale);
+		if (new_slip < 2)
+			new_slip = 2;
+		if (rrl->slip.scaled != new_slip) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+				      DNS_LOGMODULE_REQUEST,
+				      DNS_RRL_LOG_DEBUG1,
+				      "%d qps scaled slip"
+				      " by %.2f from %d to %d",
+				      (int)qps, scale,
+				      slip, new_slip);
+			slip = new_slip;
+			rrl->slip.scaled = slip;
+		}
+	}
+	if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) {
+		if (e->slip_cnt++ == 0) {
+			if ((int) e->slip_cnt >= slip)
+				e->slip_cnt = 0;
+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+				debit_log(e, age, "slip");
+			return (DNS_RRL_RESULT_SLIP);
+		} else if ((int) e->slip_cnt >= slip) {
+			e->slip_cnt = 0;
+		}
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+		debit_log(e, age, "drop");
+	return (DNS_RRL_RESULT_DROP);
+}
+
+static inline dns_rrl_qname_buf_t *
+get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) {
+	dns_rrl_qname_buf_t *qbuf;
+
+	qbuf = rrl->qnames[e->log_qname];
+	if (qbuf == NULL || qbuf->e != e)
+		return (NULL);
+	return (qbuf);
+}
+
+static inline void
+free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) {
+	dns_rrl_qname_buf_t *qbuf;
+
+	qbuf = get_qname(rrl, e);
+	if (qbuf != NULL) {
+		qbuf->e = NULL;
+		ISC_LIST_APPEND(rrl->qname_free, qbuf, link);
+	}
+}
+
+static void
+add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) {
+	isc_region_t region;
+
+	isc_buffer_availableregion(lb, &region);
+	if (str_len >= region.length) {
+		if (region.length == 0U)
+			return;
+		str_len = region.length;
+	}
+	memmove(region.base, str, str_len);
+	isc_buffer_add(lb, str_len);
+}
+
+#define ADD_LOG_CSTR(eb, s) add_log_str(eb, s, sizeof(s)-1)
+
+/*
+ * Build strings for the logs
+ */
+static void
+make_log_buf(dns_rrl_t *rrl, dns_rrl_entry_t *e,
+	     const char *str1, const char *str2, bool plural,
+	     dns_name_t *qname, bool save_qname,
+	     dns_rrl_result_t rrl_result, isc_result_t resp_result,
+	     char *log_buf, unsigned int log_buf_len)
+{
+	isc_buffer_t lb;
+	dns_rrl_qname_buf_t *qbuf;
+	isc_netaddr_t cidr;
+	char strbuf[ISC_MAX(sizeof("/123"), sizeof("  (12345678)"))];
+	const char *rstr;
+	isc_result_t msg_result;
+
+	if (log_buf_len <= 1) {
+		if (log_buf_len == 1)
+			log_buf[0] = '\0';
+		return;
+	}
+	isc_buffer_init(&lb, log_buf, log_buf_len-1);
+
+	if (str1 != NULL)
+		add_log_str(&lb, str1, strlen(str1));
+	if (str2 != NULL)
+		add_log_str(&lb, str2, strlen(str2));
+
+	switch (rrl_result) {
+	case DNS_RRL_RESULT_OK:
+		break;
+	case DNS_RRL_RESULT_DROP:
+		ADD_LOG_CSTR(&lb, "drop ");
+		break;
+	case DNS_RRL_RESULT_SLIP:
+		ADD_LOG_CSTR(&lb, "slip ");
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+
+	switch (e->key.s.rtype) {
+	case DNS_RRL_RTYPE_QUERY:
+		break;
+	case DNS_RRL_RTYPE_REFERRAL:
+		ADD_LOG_CSTR(&lb, "referral ");
+		break;
+	case DNS_RRL_RTYPE_NODATA:
+		ADD_LOG_CSTR(&lb, "NODATA ");
+		break;
+	case DNS_RRL_RTYPE_NXDOMAIN:
+		ADD_LOG_CSTR(&lb, "NXDOMAIN ");
+		break;
+	case DNS_RRL_RTYPE_ERROR:
+		if (resp_result == ISC_R_SUCCESS) {
+			ADD_LOG_CSTR(&lb, "error ");
+		} else {
+			rstr = isc_result_totext(resp_result);
+			add_log_str(&lb, rstr, strlen(rstr));
+			ADD_LOG_CSTR(&lb, " error ");
+		}
+		break;
+	case DNS_RRL_RTYPE_ALL:
+		ADD_LOG_CSTR(&lb, "all ");
+		break;
+	default:
+		INSIST(0);
+	}
+
+	if (plural)
+		ADD_LOG_CSTR(&lb, "responses to ");
+	else
+		ADD_LOG_CSTR(&lb, "response to ");
+
+	memset(&cidr, 0, sizeof(cidr));
+	if (e->key.s.ipv6) {
+		snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv6_prefixlen);
+		cidr.family = AF_INET6;
+		memset(&cidr.type.in6, 0,  sizeof(cidr.type.in6));
+		memmove(&cidr.type.in6, e->key.s.ip, sizeof(e->key.s.ip));
+	} else {
+		snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv4_prefixlen);
+		cidr.family = AF_INET;
+		cidr.type.in.s_addr = e->key.s.ip[0];
+	}
+	msg_result = isc_netaddr_totext(&cidr, &lb);
+	if (msg_result != ISC_R_SUCCESS)
+		ADD_LOG_CSTR(&lb, "?");
+	add_log_str(&lb, strbuf, strlen(strbuf));
+
+	if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_NODATA ||
+	    e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) {
+		qbuf = get_qname(rrl, e);
+		if (save_qname && qbuf == NULL &&
+		    qname != NULL && dns_name_isabsolute(qname)) {
+			/*
+			 * Capture the qname for the "stop limiting" message.
+			 */
+			qbuf = ISC_LIST_TAIL(rrl->qname_free);
+			if (qbuf != NULL) {
+				ISC_LIST_UNLINK(rrl->qname_free, qbuf, link);
+			} else if (rrl->num_qnames < DNS_RRL_QNAMES) {
+				qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf));
+				if (qbuf != NULL) {
+					memset(qbuf, 0, sizeof(*qbuf));
+					ISC_LINK_INIT(qbuf, link);
+					qbuf->index = rrl->num_qnames;
+					rrl->qnames[rrl->num_qnames++] = qbuf;
+				} else {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_RRL,
+						      DNS_LOGMODULE_REQUEST,
+						      DNS_RRL_LOG_FAIL,
+						      "isc_mem_get(%d)"
+						      " failed for RRL qname",
+						      (int)sizeof(*qbuf));
+				}
+			}
+			if (qbuf != NULL) {
+				e->log_qname = qbuf->index;
+				qbuf->e = e;
+				dns_fixedname_init(&qbuf->qname);
+				dns_name_copy(qname,
+					      dns_fixedname_name(&qbuf->qname),
+					      NULL);
+			}
+		}
+		if (qbuf != NULL)
+			qname = dns_fixedname_name(&qbuf->qname);
+		if (qname != NULL) {
+			ADD_LOG_CSTR(&lb, " for ");
+			(void)dns_name_totext(qname, true, &lb);
+		} else {
+			ADD_LOG_CSTR(&lb, " for (?)");
+		}
+		if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) {
+			ADD_LOG_CSTR(&lb, " ");
+			(void)dns_rdataclass_totext(e->key.s.qclass, &lb);
+			if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) {
+				ADD_LOG_CSTR(&lb, " ");
+				(void)dns_rdatatype_totext(e->key.s.qtype, &lb);
+			}
+		}
+		snprintf(strbuf, sizeof(strbuf), "  (%08x)",
+			 e->key.s.qname_hash);
+		add_log_str(&lb, strbuf, strlen(strbuf));
+	}
+
+	/*
+	 * We saved room for '\0'.
+	 */
+	log_buf[isc_buffer_usedlength(&lb)] = '\0';
+}
+
+static void
+log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, bool early,
+	char *log_buf, unsigned int log_buf_len)
+{
+	if (e->logged) {
+		make_log_buf(rrl, e,
+			     early ? "*" : NULL,
+			     rrl->log_only ? "would stop limiting "
+					   : "stop limiting ",
+			     true, NULL, false,
+			     DNS_RRL_RESULT_OK, ISC_R_SUCCESS,
+			     log_buf, log_buf_len);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "%s", log_buf);
+		free_qname(rrl, e);
+		e->logged = false;
+		--rrl->num_logged;
+	}
+}
+
+/*
+ * Log messages for streams that have stopped being rate limited.
+ */
+static void
+log_stops(dns_rrl_t *rrl, isc_stdtime_t now, int limit,
+	  char *log_buf, unsigned int log_buf_len)
+{
+	dns_rrl_entry_t *e;
+	int age;
+
+	for (e = rrl->last_logged; e != NULL; e = ISC_LIST_PREV(e, lru)) {
+		if (!e->logged)
+			continue;
+		if (now != 0) {
+			age = get_age(rrl, e, now);
+			if (age < DNS_RRL_STOP_LOG_SECS ||
+			    response_balance(rrl, e, age) < 0)
+				break;
+		}
+
+		log_end(rrl, e, now == 0, log_buf, log_buf_len);
+		if (rrl->num_logged <= 0)
+			break;
+
+		/*
+		 * Too many messages could stall real work.
+		 */
+		if (--limit < 0) {
+			rrl->last_logged = ISC_LIST_PREV(e, lru);
+			return;
+		}
+	}
+	if (e == NULL) {
+		INSIST(rrl->num_logged == 0);
+		rrl->log_stops_time = now;
+	}
+	rrl->last_logged = e;
+}
+
+/*
+ * Main rate limit interface.
+ */
+dns_rrl_result_t
+dns_rrl(dns_view_t *view,
+	const isc_sockaddr_t *client_addr, bool is_tcp,
+	dns_rdataclass_t qclass, dns_rdatatype_t qtype,
+	dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now,
+	bool wouldlog, char *log_buf, unsigned int log_buf_len)
+{
+	dns_rrl_t *rrl;
+	dns_rrl_rtype_t rtype;
+	dns_rrl_entry_t *e;
+	isc_netaddr_t netclient;
+	int secs;
+	double qps, scale;
+	int exempt_match;
+	isc_result_t result;
+	dns_rrl_result_t rrl_result;
+
+	INSIST(log_buf != NULL && log_buf_len > 0);
+
+	rrl = view->rrl;
+	if (rrl->exempt != NULL) {
+		isc_netaddr_fromsockaddr(&netclient, client_addr);
+		result = dns_acl_match(&netclient, NULL, rrl->exempt,
+				       &view->aclenv, &exempt_match, NULL);
+		if (result == ISC_R_SUCCESS && exempt_match > 0)
+			return (DNS_RRL_RESULT_OK);
+	}
+
+	LOCK(&rrl->lock);
+
+	/*
+	 * Estimate total query per second rate when scaling by qps.
+	 */
+	if (rrl->qps_scale == 0) {
+		qps = 0.0;
+		scale = 1.0;
+	} else {
+		++rrl->qps_responses;
+		secs = delta_rrl_time(rrl->qps_time, now);
+		if (secs <= 0) {
+			qps = rrl->qps;
+		} else {
+			qps = (1.0*rrl->qps_responses) / secs;
+			if (secs >= rrl->window) {
+				if (isc_log_wouldlog(dns_lctx,
+						     DNS_RRL_LOG_DEBUG3))
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_RRL,
+						      DNS_LOGMODULE_REQUEST,
+						      DNS_RRL_LOG_DEBUG3,
+						      "%d responses/%d seconds"
+						      " = %d qps",
+						      rrl->qps_responses, secs,
+						      (int)qps);
+				rrl->qps = qps;
+				rrl->qps_responses = 0;
+				rrl->qps_time = now;
+			} else if (qps < rrl->qps) {
+				qps = rrl->qps;
+			}
+		}
+		scale = rrl->qps_scale / qps;
+	}
+
+	/*
+	 * Do maintenance once per second.
+	 */
+	if (rrl->num_logged > 0 && rrl->log_stops_time != now)
+		log_stops(rrl, now, 8, log_buf, log_buf_len);
+
+	/*
+	 * Notice TCP responses when scaling limits by qps.
+	 * Do not try to rate limit TCP responses.
+	 */
+	if (is_tcp) {
+		if (scale < 1.0) {
+			e = get_entry(rrl, client_addr,
+				      0, dns_rdatatype_none, NULL,
+				      DNS_RRL_RTYPE_TCP, now, true,
+				      log_buf, log_buf_len);
+			if (e != NULL) {
+				e->responses = -(rrl->window+1);
+				set_age(rrl, e, now);
+			}
+		}
+		UNLOCK(&rrl->lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Find the right kind of entry, creating it if necessary.
+	 * If that is impossible, then nothing more can be done
+	 */
+	switch (resp_result) {
+	case ISC_R_SUCCESS:
+		rtype = DNS_RRL_RTYPE_QUERY;
+		break;
+	case DNS_R_DELEGATION:
+		rtype = DNS_RRL_RTYPE_REFERRAL;
+		break;
+	case DNS_R_NXRRSET:
+		rtype = DNS_RRL_RTYPE_NODATA;
+		break;
+	case DNS_R_NXDOMAIN:
+		rtype = DNS_RRL_RTYPE_NXDOMAIN;
+		break;
+	default:
+		rtype = DNS_RRL_RTYPE_ERROR;
+		break;
+	}
+	e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype,
+		      now, true, log_buf, log_buf_len);
+	if (e == NULL) {
+		UNLOCK(&rrl->lock);
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
+		/*
+		 * Do not worry about speed or releasing the lock.
+		 * This message appears before messages from debit_rrl_entry().
+		 */
+		make_log_buf(rrl, e, "consider limiting ", NULL, false,
+			     qname, false, DNS_RRL_RESULT_OK, resp_result,
+			     log_buf, log_buf_len);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1,
+			      "%s", log_buf);
+	}
+
+	rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now,
+				     log_buf, log_buf_len);
+
+	if (rrl->all_per_second.r != 0) {
+		/*
+		 * We must debit the all-per-second token bucket if we have
+		 * an all-per-second limit for the IP address.
+		 * The all-per-second limit determines the log message
+		 * when both limits are hit.
+		 * The response limiting must continue if the
+		 * all-per-second limiting lapses.
+		 */
+		dns_rrl_entry_t *e_all;
+		dns_rrl_result_t rrl_all_result;
+
+		e_all = get_entry(rrl, client_addr,
+				  0, dns_rdatatype_none, NULL,
+				  DNS_RRL_RTYPE_ALL, now, true,
+				  log_buf, log_buf_len);
+		if (e_all == NULL) {
+			UNLOCK(&rrl->lock);
+			return (DNS_RRL_RESULT_OK);
+		}
+		rrl_all_result = debit_rrl_entry(rrl, e_all, qps, scale,
+						 client_addr, now,
+						 log_buf, log_buf_len);
+		if (rrl_all_result != DNS_RRL_RESULT_OK) {
+			e = e_all;
+			rrl_result = rrl_all_result;
+			if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
+				make_log_buf(rrl, e,
+					     "prefer all-per-second limiting ",
+					     NULL, true, qname, false,
+					     DNS_RRL_RESULT_OK, resp_result,
+					     log_buf, log_buf_len);
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+					      DNS_LOGMODULE_REQUEST,
+					      DNS_RRL_LOG_DEBUG1,
+					      "%s", log_buf);
+			}
+		}
+	}
+
+	if (rrl_result == DNS_RRL_RESULT_OK) {
+		UNLOCK(&rrl->lock);
+		return (DNS_RRL_RESULT_OK);
+	}
+
+	/*
+	 * Log occassionally in the rate-limit category.
+	 */
+	if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) &&
+	    isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP)) {
+		make_log_buf(rrl, e, rrl->log_only ? "would " : NULL,
+			     e->logged ? "continue limiting " : "limit ",
+			     true, qname, true,
+			     DNS_RRL_RESULT_OK, resp_result,
+			     log_buf, log_buf_len);
+		if (!e->logged) {
+			e->logged = true;
+			if (++rrl->num_logged <= 1)
+				rrl->last_logged = e;
+		}
+		e->log_secs = 0;
+
+		/*
+		 * Avoid holding the lock.
+		 */
+		if (!wouldlog) {
+			UNLOCK(&rrl->lock);
+			e = NULL;
+		}
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
+			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
+			      "%s", log_buf);
+	}
+
+	/*
+	 * Make a log message for the caller.
+	 */
+	if (wouldlog)
+		make_log_buf(rrl, e,
+			     rrl->log_only ? "would rate limit " : "rate limit ",
+			     NULL, false, qname, false,
+			     rrl_result, resp_result, log_buf, log_buf_len);
+
+	if (e != NULL) {
+		/*
+		 * Do not save the qname unless we might need it for
+		 * the ending log message.
+		 */
+		if (!e->logged)
+			free_qname(rrl, e);
+		UNLOCK(&rrl->lock);
+	}
+
+	return (rrl_result);
+}
+
+void
+dns_rrl_view_destroy(dns_view_t *view) {
+	dns_rrl_t *rrl;
+	dns_rrl_block_t *b;
+	dns_rrl_hash_t *h;
+	char log_buf[DNS_RRL_LOG_BUF_LEN];
+	int i;
+
+	rrl = view->rrl;
+	if (rrl == NULL)
+		return;
+	view->rrl = NULL;
+
+	/*
+	 * Assume the caller takes care of locking the view and anything else.
+	 */
+
+	if (rrl->num_logged > 0)
+		log_stops(rrl, 0, INT32_MAX, log_buf, sizeof(log_buf));
+
+	for (i = 0; i < DNS_RRL_QNAMES; ++i) {
+		if (rrl->qnames[i] == NULL)
+			break;
+		isc_mem_put(rrl->mctx, rrl->qnames[i], sizeof(*rrl->qnames[i]));
+	}
+
+	if (rrl->exempt != NULL)
+		dns_acl_detach(&rrl->exempt);
+
+	DESTROYLOCK(&rrl->lock);
+
+	while (!ISC_LIST_EMPTY(rrl->blocks)) {
+		b = ISC_LIST_HEAD(rrl->blocks);
+		ISC_LIST_UNLINK(rrl->blocks, b, link);
+		isc_mem_put(rrl->mctx, b, b->size);
+	}
+
+	h = rrl->hash;
+	if (h != NULL)
+		isc_mem_put(rrl->mctx, h,
+			    sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+
+	h = rrl->old_hash;
+	if (h != NULL)
+		isc_mem_put(rrl->mctx, h,
+			    sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+
+	isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl));
+}
+
+isc_result_t
+dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries) {
+	dns_rrl_t *rrl;
+	isc_result_t result;
+
+	*rrlp = NULL;
+
+	rrl = isc_mem_get(view->mctx, sizeof(*rrl));
+	if (rrl == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(rrl, 0, sizeof(*rrl));
+	isc_mem_attach(view->mctx, &rrl->mctx);
+	result = isc_mutex_init(&rrl->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl));
+		return (result);
+	}
+	isc_stdtime_get(&rrl->ts_bases[0]);
+
+	view->rrl = rrl;
+
+	result = expand_entries(rrl, min_entries);
+	if (result != ISC_R_SUCCESS) {
+		dns_rrl_view_destroy(view);
+		return (result);
+	}
+	result = expand_rrl_hash(rrl, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_rrl_view_destroy(view);
+		return (result);
+	}
+
+	*rrlp = rrl;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
new file mode 100644
index 0000000..cabda7f
--- /dev/null
+++ b/lib/dns/sdb.c
@@ -0,0 +1,1593 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/sdb.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+struct dns_sdbimplementation {
+	const dns_sdbmethods_t		*methods;
+	void				*driverdata;
+	unsigned int			flags;
+	isc_mem_t			*mctx;
+	isc_mutex_t			driverlock;
+	dns_dbimplementation_t		*dbimp;
+};
+
+struct dns_sdb {
+	/* Unlocked */
+	dns_db_t			common;
+	char				*zone;
+	dns_sdbimplementation_t		*implementation;
+	void				*dbdata;
+	isc_mutex_t			lock;
+	/* Locked */
+	unsigned int			references;
+};
+
+struct dns_sdblookup {
+	/* Unlocked */
+	unsigned int			magic;
+	dns_sdb_t			*sdb;
+	ISC_LIST(dns_rdatalist_t)	lists;
+	ISC_LIST(isc_buffer_t)		buffers;
+	dns_name_t			*name;
+	ISC_LINK(dns_sdblookup_t)	link;
+	isc_mutex_t			lock;
+	dns_rdatacallbacks_t		callbacks;
+	/* Locked */
+	unsigned int			references;
+};
+
+typedef struct dns_sdblookup dns_sdbnode_t;
+
+struct dns_sdballnodes {
+	dns_dbiterator_t		common;
+	ISC_LIST(dns_sdbnode_t)		nodelist;
+	dns_sdbnode_t			*current;
+	dns_sdbnode_t			*origin;
+};
+
+typedef dns_sdballnodes_t sdb_dbiterator_t;
+
+typedef struct sdb_rdatasetiter {
+	dns_rdatasetiter_t		common;
+	dns_rdatalist_t			*current;
+} sdb_rdatasetiter_t;
+
+#define SDB_MAGIC		ISC_MAGIC('S', 'D', 'B', '-')
+
+/*%
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_SDB(sdb)		((sdb) != NULL && \
+				 (sdb)->common.impmagic == SDB_MAGIC)
+
+#define SDBLOOKUP_MAGIC		ISC_MAGIC('S','D','B','L')
+#define VALID_SDBLOOKUP(sdbl)	ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
+#define VALID_SDBNODE(sdbn)	VALID_SDBLOOKUP(sdbn)
+
+/* These values are taken from RFC1537 */
+#define SDB_DEFAULT_REFRESH	28800U		/* 8 hours */
+#define SDB_DEFAULT_RETRY	7200U		/* 2 hours */
+#define SDB_DEFAULT_EXPIRE	604800U		/* 7 days */
+#define SDB_DEFAULT_MINIMUM	86400U		/* 1 day */
+
+/* This is a reasonable value */
+#define SDB_DEFAULT_TTL		(60 * 60 * 24)
+
+#ifdef __COVERITY__
+#define MAYBE_LOCK(sdb) LOCK(&sdb->implementation->driverlock)
+#define MAYBE_UNLOCK(sdb) UNLOCK(&sdb->implementation->driverlock)
+#else
+#define MAYBE_LOCK(sdb)							\
+	do {								\
+		unsigned int flags = sdb->implementation->flags;	\
+		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)		\
+			LOCK(&sdb->implementation->driverlock);		\
+	} while (0)
+
+#define MAYBE_UNLOCK(sdb)						\
+	do {								\
+		unsigned int flags = sdb->implementation->flags;	\
+		if ((flags & DNS_SDBFLAG_THREADSAFE) == 0)		\
+			UNLOCK(&sdb->implementation->driverlock);	\
+	} while (0)
+#endif
+
+static int dummy;
+
+static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin,
+				   dns_dbtype_t type, dns_rdataclass_t rdclass,
+				   unsigned int argc, char *argv[],
+				   void *driverarg, dns_db_t **dbp);
+
+static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node,
+				 dns_dbversion_t *version,
+				 dns_rdatatype_t type, dns_rdatatype_t covers,
+				 isc_stdtime_t now, dns_rdataset_t *rdataset,
+				 dns_rdataset_t *sigrdataset);
+
+static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep);
+
+static void destroynode(dns_sdbnode_t *node);
+
+static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+
+static void list_tordataset(dns_rdatalist_t *rdatalist,
+			    dns_db_t *db, dns_dbnode_t *node,
+			    dns_rdataset_t *rdataset);
+
+static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
+					dns_name_t *name);
+static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *name);
+static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
+					  dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy,
+	dbiterator_first,
+	dbiterator_last,
+	dbiterator_seek,
+	dbiterator_prev,
+	dbiterator_next,
+	dbiterator_current,
+	dbiterator_pause,
+	dbiterator_origin
+};
+
+static void		rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t	rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t	rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void		rdatasetiter_current(dns_rdatasetiter_t *iterator,
+					     dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+/*
+ * Functions used by implementors of simple databases
+ */
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+		 void *driverdata, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdbimplementation_t **sdbimp)
+{
+	dns_sdbimplementation_t *imp;
+	isc_result_t result;
+
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->lookup != NULL || methods->lookup2 != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sdbimp != NULL && *sdbimp == NULL);
+	REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER |
+			   DNS_SDBFLAG_RELATIVERDATA |
+			   DNS_SDBFLAG_THREADSAFE|
+			   DNS_SDBFLAG_DNS64)) == 0);
+
+	imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
+	if (imp == NULL)
+		return (ISC_R_NOMEMORY);
+	imp->methods = methods;
+	imp->driverdata = driverdata;
+	imp->flags = flags;
+	imp->mctx = NULL;
+	isc_mem_attach(mctx, &imp->mctx);
+	result = isc_mutex_init(&imp->driverlock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mctx;
+
+	imp->dbimp = NULL;
+	result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
+				 &imp->dbimp);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutex;
+	*sdbimp = imp;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_mutex:
+	DESTROYLOCK(&imp->driverlock);
+ cleanup_mctx:
+	isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
+	return (result);
+}
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
+	dns_sdbimplementation_t *imp;
+	isc_mem_t *mctx;
+
+	REQUIRE(sdbimp != NULL && *sdbimp != NULL);
+
+	imp = *sdbimp;
+	dns_db_unregister(&imp->dbimp);
+	DESTROYLOCK(&imp->driverlock);
+
+	mctx = imp->mctx;
+	isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
+	isc_mem_detach(&mctx);
+
+	*sdbimp = NULL;
+}
+
+static inline unsigned int
+initial_size(unsigned int len) {
+	unsigned int size;
+
+	for (size = 1024; size < (64 * 1024); size *= 2)
+		if (len < size)
+			return (size);
+	return (65535);
+}
+
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval,
+		 dns_ttl_t ttl, const unsigned char *rdatap,
+		 unsigned int rdlen)
+{
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	isc_buffer_t *rdatabuf = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx;
+	isc_region_t region;
+
+	mctx = lookup->sdb->common.mctx;
+
+	rdatalist = ISC_LIST_HEAD(lookup->lists);
+	while (rdatalist != NULL) {
+		if (rdatalist->type == typeval)
+			break;
+		rdatalist = ISC_LIST_NEXT(rdatalist, link);
+	}
+
+	if (rdatalist == NULL) {
+		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+		if (rdatalist == NULL)
+			return (ISC_R_NOMEMORY);
+		dns_rdatalist_init(rdatalist);
+		rdatalist->rdclass = lookup->sdb->common.rdclass;
+		rdatalist->type = typeval;
+		rdatalist->ttl = ttl;
+		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+	} else
+		if (rdatalist->ttl != ttl)
+			return (DNS_R_BADTTL);
+
+	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+	if (rdata == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_buffer_allocate(mctx, &rdatabuf, rdlen);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	DE_CONST(rdatap, region.base);
+	region.length = rdlen;
+	isc_buffer_copyregion(rdatabuf, &region);
+	isc_buffer_usedregion(rdatabuf, &region);
+	dns_rdata_init(rdata);
+	dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
+			     &region);
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+	rdata = NULL;
+
+ failure:
+	if (rdata != NULL)
+		isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+	return (result);
+}
+
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+	      const char *data)
+{
+	unsigned int datalen;
+	dns_rdatatype_t typeval;
+	isc_textregion_t r;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	unsigned char *p = NULL;
+	unsigned int size = 0; /* Init to suppress compiler warning */
+	isc_mem_t *mctx;
+	dns_sdbimplementation_t *imp;
+	dns_name_t *origin;
+	isc_buffer_t b;
+	isc_buffer_t rb;
+
+	REQUIRE(VALID_SDBLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdb->common.mctx;
+
+	DE_CONST(type, r.base);
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, &r);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	imp = lookup->sdb->implementation;
+	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
+		origin = &lookup->sdb->common.origin;
+	else
+		origin = dns_rootname;
+
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	datalen = strlen(data);
+	size = initial_size(datalen);
+	do {
+		isc_buffer_constinit(&b, data, datalen);
+		isc_buffer_add(&b, datalen);
+		result = isc_lex_openbuffer(lex, &b);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		if (size >= 65535)
+			size = 65535;
+		p = isc_mem_get(mctx, size);
+		if (p == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		isc_buffer_init(&rb, p, size);
+		result = dns_rdata_fromtext(NULL,
+					    lookup->sdb->common.rdclass,
+					    typeval, lex,
+					    origin, 0,
+					    mctx, &rb,
+					    &lookup->callbacks);
+		if (result != ISC_R_NOSPACE)
+			break;
+
+		/*
+		 * Is the RR too big?
+		 */
+		if (size >= 65535)
+			break;
+		isc_mem_put(mctx, p, size);
+		p = NULL;
+		size *= 2;
+	} while (result == ISC_R_NOSPACE);
+
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_sdb_putrdata(lookup, typeval, ttl,
+				  isc_buffer_base(&rb),
+				  isc_buffer_usedlength(&rb));
+ failure:
+	if (p != NULL)
+		isc_mem_put(mctx, p, size);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+
+	return (result);
+}
+
+static isc_result_t
+getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
+	dns_name_t *newname, *origin;
+	dns_fixedname_t fnewname;
+	dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
+	dns_sdbimplementation_t *imp = sdb->implementation;
+	dns_sdbnode_t *sdbnode;
+	isc_mem_t *mctx = sdb->common.mctx;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	newname = dns_fixedname_initname(&fnewname);
+
+	if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
+		origin = &sdb->common.origin;
+	else
+		origin = dns_rootname;
+	isc_buffer_constinit(&b, name, strlen(name));
+	isc_buffer_add(&b, strlen(name));
+
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (allnodes->common.relative_names) {
+		/* All names are relative to the root */
+		unsigned int nlabels = dns_name_countlabels(newname);
+		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+	}
+
+	sdbnode = ISC_LIST_HEAD(allnodes->nodelist);
+	if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) {
+		sdbnode = NULL;
+		result = createnode(sdb, &sdbnode);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (sdbnode->name == NULL) {
+			destroynode(sdbnode);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_name_init(sdbnode->name, NULL);
+		result = dns_name_dup(newname, mctx, sdbnode->name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, sdbnode->name, sizeof(dns_name_t));
+			destroynode(sdbnode);
+			return (result);
+		}
+		ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link);
+		if (allnodes->origin == NULL &&
+		    dns_name_equal(newname, &sdb->common.origin))
+			allnodes->origin = sdbnode;
+	}
+	*nodep = sdbnode;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+		   const char *type, dns_ttl_t ttl, const char *data)
+{
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (dns_sdb_putrr(sdbnode, type, ttl, data));
+}
+
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+		      dns_rdatatype_t type, dns_ttl_t ttl,
+		      const void *rdata, unsigned int rdlen)
+{
+	isc_result_t result;
+	dns_sdbnode_t *sdbnode = NULL;
+	result = getnode(allnodes, name, &sdbnode);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
+}
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+	       uint32_t serial)
+{
+	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+	int n;
+
+	REQUIRE(mname != NULL);
+	REQUIRE(rname != NULL);
+
+	n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u",
+		     mname, rname, serial,
+		     SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
+		     SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
+	if (n >= (int)sizeof(str) || n < 0)
+		return (ISC_R_NOSPACE);
+	return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str));
+}
+
+/*
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *) source;
+
+	REQUIRE(VALID_SDB(sdb));
+
+	LOCK(&sdb->lock);
+	REQUIRE(sdb->references > 0);
+	sdb->references++;
+	UNLOCK(&sdb->lock);
+
+	*targetp = source;
+}
+
+static void
+destroy(dns_sdb_t *sdb) {
+	isc_mem_t *mctx;
+	dns_sdbimplementation_t *imp = sdb->implementation;
+
+	mctx = sdb->common.mctx;
+
+	if (imp->methods->destroy != NULL) {
+		MAYBE_LOCK(sdb);
+		imp->methods->destroy(sdb->zone, imp->driverdata,
+				      &sdb->dbdata);
+		MAYBE_UNLOCK(sdb);
+	}
+
+	isc_mem_free(mctx, sdb->zone);
+	DESTROYLOCK(&sdb->lock);
+
+	sdb->common.magic = 0;
+	sdb->common.impmagic = 0;
+
+	dns_name_free(&sdb->common.origin, mctx);
+
+	isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
+	isc_mem_detach(&mctx);
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)(*dbp);
+	bool need_destroy = false;
+
+	REQUIRE(VALID_SDB(sdb));
+	LOCK(&sdb->lock);
+	REQUIRE(sdb->references > 0);
+	sdb->references--;
+	if (sdb->references == 0)
+		need_destroy = true;
+	UNLOCK(&sdb->lock);
+
+	if (need_destroy)
+		destroy(sdb);
+
+	*dbp = NULL;
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat) {
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	UNUSED(db);
+
+	*versionp = (void *) &dummy;
+	return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	UNUSED(db);
+	UNUSED(versionp);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+	      dns_dbversion_t **targetp)
+{
+	REQUIRE(source != NULL && source == (void *) &dummy);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	UNUSED(db);
+	*targetp = source;
+	return;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
+	REQUIRE(commit == false);
+
+	UNUSED(db);
+	UNUSED(commit);
+
+	*versionp = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
+	dns_sdbnode_t *node;
+	isc_result_t result;
+
+	node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t));
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	node->sdb = NULL;
+	attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb);
+	ISC_LIST_INIT(node->lists);
+	ISC_LIST_INIT(node->buffers);
+	ISC_LINK_INIT(node, link);
+	node->name = NULL;
+	result = isc_mutex_init(&node->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t));
+		return (result);
+	}
+	dns_rdatacallbacks_init(&node->callbacks);
+	node->references = 1;
+	node->magic = SDBLOOKUP_MAGIC;
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdbnode_t *node) {
+	dns_rdatalist_t *list;
+	dns_rdata_t *rdata;
+	isc_buffer_t *b;
+	dns_sdb_t *sdb;
+	isc_mem_t *mctx;
+
+	sdb = node->sdb;
+	mctx = sdb->common.mctx;
+
+	while (!ISC_LIST_EMPTY(node->lists)) {
+		list = ISC_LIST_HEAD(node->lists);
+		while (!ISC_LIST_EMPTY(list->rdata)) {
+			rdata = ISC_LIST_HEAD(list->rdata);
+			ISC_LIST_UNLINK(list->rdata, rdata, link);
+			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+		}
+		ISC_LIST_UNLINK(node->lists, list, link);
+		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+	}
+
+	while (!ISC_LIST_EMPTY(node->buffers)) {
+		b = ISC_LIST_HEAD(node->buffers);
+		ISC_LIST_UNLINK(node->buffers, b, link);
+		isc_buffer_free(&b);
+	}
+
+	if (node->name != NULL) {
+		dns_name_free(node->name, mctx);
+		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+	}
+	DESTROYLOCK(&node->lock);
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(dns_sdbnode_t));
+	detach((dns_db_t **) (void *)&sdb);
+}
+
+static isc_result_t
+findnodeext(dns_db_t *db, dns_name_t *name, bool create,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	    dns_dbnode_t **nodep)
+{
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	bool isorigin;
+	dns_sdbimplementation_t *imp;
+	dns_name_t relname;
+	unsigned int labels;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(create == false);
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	UNUSED(name);
+	UNUSED(create);
+
+	imp = sdb->implementation;
+
+	isorigin = dns_name_equal(name, &sdb->common.origin);
+
+	if (imp->methods->lookup2 != NULL) {
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+			labels = dns_name_countlabels(name) -
+				 dns_name_countlabels(&db->origin);
+			dns_name_init(&relname, NULL);
+			dns_name_getlabelsequence(name, 0, labels, &relname);
+			name = &relname;
+		}
+	} else {
+		isc_buffer_init(&b, namestr, sizeof(namestr));
+		if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+
+			labels = dns_name_countlabels(name) -
+				 dns_name_countlabels(&db->origin);
+			dns_name_init(&relname, NULL);
+			dns_name_getlabelsequence(name, 0, labels, &relname);
+			result = dns_name_totext(&relname, true, &b);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		} else {
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		isc_buffer_putuint8(&b, 0);
+	}
+
+	result = createnode(sdb, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	MAYBE_LOCK(sdb);
+	if (imp->methods->lookup2 != NULL)
+		result = imp->methods->lookup2(&sdb->common.origin, name,
+					       sdb->dbdata, node, methods,
+					       clientinfo);
+	else
+		result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata,
+					      node, methods, clientinfo);
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS &&
+	    !(result == ISC_R_NOTFOUND &&
+	      isorigin && imp->methods->authority != NULL))
+	{
+		destroynode(node);
+		return (result);
+	}
+
+	if (isorigin && imp->methods->authority != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS) {
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	dns_dbnode_t **nodep, dns_name_t *foundname,
+	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fname;
+	dns_rdataset_t xrdataset;
+	dns_name_t *xname;
+	unsigned int nlabels, olabels;
+	isc_result_t result;
+	unsigned int i;
+	unsigned int flags;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(version == NULL || version == (void *) &dummy);
+
+	UNUSED(options);
+
+	if (!dns_name_issubdomain(name, &db->origin))
+		return (DNS_R_NXDOMAIN);
+
+	olabels = dns_name_countlabels(&db->origin);
+	nlabels = dns_name_countlabels(name);
+
+	xname = dns_fixedname_initname(&fname);
+
+	if (rdataset == NULL) {
+		dns_rdataset_init(&xrdataset);
+		rdataset = &xrdataset;
+	}
+
+	result = DNS_R_NXDOMAIN;
+	flags = sdb->implementation->flags;
+	i = (flags & DNS_SDBFLAG_DNS64) != 0 ? nlabels : olabels;
+	for (; i <= nlabels; i++) {
+		/*
+		 * Look up the next label.
+		 */
+		dns_name_getlabelsequence(name, nlabels - i, i, xname);
+		result = findnodeext(db, xname, false, methods,
+				     clientinfo, &node);
+		if (result == ISC_R_NOTFOUND) {
+			/*
+			 * No data at zone apex?
+			 */
+			if (i == olabels)
+				return (DNS_R_BADDB);
+			result = DNS_R_NXDOMAIN;
+			continue;
+		}
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * DNS64 zone's don't have DNAME or NS records.
+		 */
+		if ((flags & DNS_SDBFLAG_DNS64) != 0)
+			goto skip;
+
+		/*
+		 * DNS64 zone's don't have DNAME or NS records.
+		 */
+		if ((flags & DNS_SDBFLAG_DNS64) != 0)
+			goto skip;
+
+		/*
+		 * Look for a DNAME at the current label, unless this is
+		 * the qname.
+		 */
+		if (i < nlabels) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_dname,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DNAME;
+				break;
+			}
+		}
+
+		/*
+		 * Look for an NS at the current label, unless this is the
+		 * origin or glue is ok.
+		 */
+		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_ns,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				if (i == nlabels && type == dns_rdatatype_any)
+				{
+					result = DNS_R_ZONECUT;
+					dns_rdataset_disassociate(rdataset);
+					if (sigrdataset != NULL &&
+					    dns_rdataset_isassociated
+							(sigrdataset)) {
+						dns_rdataset_disassociate
+								(sigrdataset);
+					}
+				} else
+					result = DNS_R_DELEGATION;
+				break;
+			}
+		}
+
+		/*
+		 * If the current name is not the qname, add another label
+		 * and try again.
+		 */
+		if (i < nlabels) {
+			destroynode(node);
+			node = NULL;
+			continue;
+		}
+
+ skip:
+		/*
+		 * If we're looking for ANY, we're done.
+		 */
+		if (type == dns_rdatatype_any) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+
+		/*
+		 * Look for the qtype.
+		 */
+		result = findrdataset(db, node, version, type,
+				      0, now, rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+
+		/*
+		 * Look for a CNAME
+		 */
+		if (type != dns_rdatatype_cname) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_cname,
+					      0, now, rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_CNAME;
+				break;
+			}
+		}
+
+		result = DNS_R_NXRRSET;
+		break;
+	}
+
+	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+
+	if (foundname != NULL) {
+		isc_result_t xresult;
+
+		xresult = dns_name_copy(xname, foundname, NULL);
+		if (xresult != ISC_R_SUCCESS) {
+			if (node != NULL)
+				destroynode(node);
+			if (dns_rdataset_isassociated(rdataset))
+				dns_rdataset_disassociate(rdataset);
+			return (DNS_R_BADDB);
+		}
+	}
+
+	if (nodep != NULL)
+		*nodep = node;
+	else if (node != NULL)
+		detachnode(db, &node);
+
+	return (result);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node = (dns_sdbnode_t *)source;
+
+	REQUIRE(VALID_SDB(sdb));
+
+	UNUSED(sdb);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references++;
+	INSIST(node->references != 0);		/* Catch overflow. */
+	UNLOCK(&node->lock);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	dns_sdbnode_t *node;
+	bool need_destroy = false;
+
+	REQUIRE(VALID_SDB(sdb));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	UNUSED(sdb);
+
+	node = (dns_sdbnode_t *)(*targetp);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references--;
+	if (node->references == 0)
+		need_destroy = true;
+	UNLOCK(&node->lock);
+
+	if (need_destroy)
+		destroynode(node);
+
+	*targetp = NULL;
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(now);
+	INSIST(0);
+	return (ISC_R_UNEXPECTED);
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(out);
+	return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
+{
+	dns_sdb_t *sdb = (dns_sdb_t *)db;
+	sdb_dbiterator_t *sdbiter;
+	dns_sdbimplementation_t *imp = sdb->implementation;
+	isc_result_t result;
+
+	REQUIRE(VALID_SDB(sdb));
+
+	if (imp->methods->allnodes == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
+	if (sdbiter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sdbiter->common.methods = &dbiterator_methods;
+	sdbiter->common.db = NULL;
+	dns_db_attach(db, &sdbiter->common.db);
+	sdbiter->common.relative_names = (options & DNS_DB_RELATIVENAMES);
+	sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+	ISC_LIST_INIT(sdbiter->nodelist);
+	sdbiter->current = NULL;
+	sdbiter->origin = NULL;
+
+	MAYBE_LOCK(sdb);
+	result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter);
+	MAYBE_UNLOCK(sdb);
+	if (result != ISC_R_SUCCESS) {
+		dbiterator_destroy((dns_dbiterator_t **) (void *)&sdbiter);
+		return (result);
+	}
+
+	if (sdbiter->origin != NULL) {
+		ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link);
+		ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link);
+	}
+
+	*iteratorp = (dns_dbiterator_t *)sdbiter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers,
+	     isc_stdtime_t now, dns_rdataset_t *rdataset,
+	     dns_rdataset_t *sigrdataset)
+{
+	dns_rdatalist_t *list;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
+
+	REQUIRE(VALID_SDBNODE(node));
+
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (type == dns_rdatatype_rrsig)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	list = ISC_LIST_HEAD(sdbnode->lists);
+	while (list != NULL) {
+		if (list->type == type)
+			break;
+		list = ISC_LIST_NEXT(list, link);
+	}
+	if (list == NULL)
+		return (ISC_R_NOTFOUND);
+
+	list_tordataset(list, db, node, rdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	sdb_rdatasetiter_t *iterator;
+
+	REQUIRE(version == NULL || version == &dummy);
+
+	UNUSED(version);
+	UNUSED(now);
+
+	iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(now);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(addedrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(rdataset);
+	UNUSED(options);
+	UNUSED(newrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(version);
+	UNUSED(type);
+	UNUSED(covers);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (false);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	UNUSED(db);
+
+	return (0);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (true);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	UNUSED(db);
+	UNUSED(over);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	UNUSED(db);
+	UNUSED(task);
+}
+
+
+static dns_dbmethods_t sdb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	NULL,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	NULL,
+	NULL,
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	NULL,			/* getoriginnode */
+	NULL,			/* transfernode */
+	NULL,			/* getnsec3parameters */
+	NULL,			/* findnsec3node */
+	NULL,			/* setsigningtime */
+	NULL,			/* getsigningtime */
+	NULL,			/* resigned */
+	NULL,			/* isdnssec */
+	NULL,			/* getrrsetstats */
+	NULL,			/* rpz_attach */
+	NULL,			/* rpz_ready */
+	findnodeext,
+	findext,
+	NULL,			/* setcachestats */
+	NULL,			/* hashsize */
+	NULL,			/* nodefullname */
+	NULL			/* getsize */
+};
+
+static isc_result_t
+dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+	       dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+	       void *driverarg, dns_db_t **dbp)
+{
+	dns_sdb_t *sdb;
+	isc_result_t result;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_t b;
+	dns_sdbimplementation_t *imp;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = driverarg;
+
+	if (type != dns_dbtype_zone)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	sdb = isc_mem_get(mctx, sizeof(dns_sdb_t));
+	if (sdb == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(sdb, 0, sizeof(dns_sdb_t));
+
+	dns_name_init(&sdb->common.origin, NULL);
+	sdb->common.attributes = 0;
+	sdb->common.methods = &sdb_methods;
+	sdb->common.rdclass = rdclass;
+	sdb->common.mctx = NULL;
+	sdb->implementation = imp;
+
+	isc_mem_attach(mctx, &sdb->common.mctx);
+
+	result = isc_mutex_init(&sdb->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mctx;
+
+	result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+
+	isc_buffer_init(&b, zonestr, sizeof(zonestr));
+	result = dns_name_totext(origin, true, &b);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_origin;
+	isc_buffer_putuint8(&b, 0);
+
+	sdb->zone = isc_mem_strdup(mctx, zonestr);
+	if (sdb->zone == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_origin;
+	}
+
+	sdb->dbdata = NULL;
+	if (imp->methods->create != NULL) {
+		MAYBE_LOCK(sdb);
+		result = imp->methods->create(sdb->zone, argc, argv,
+					      imp->driverdata, &sdb->dbdata);
+		MAYBE_UNLOCK(sdb);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_zonestr;
+	}
+
+	sdb->references = 1;
+
+	sdb->common.magic = DNS_DB_MAGIC;
+	sdb->common.impmagic = SDB_MAGIC;
+
+	*dbp = (dns_db_t *)sdb;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_zonestr:
+	isc_mem_free(mctx, sdb->zone);
+ cleanup_origin:
+	dns_name_free(&sdb->common.origin, mctx);
+ cleanup_lock:
+	(void)isc_mutex_destroy(&sdb->lock);
+ cleanup_mctx:
+	isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
+	isc_mem_detach(&mctx);
+
+	return (result);
+}
+
+
+/*
+ * Rdataset Methods
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+	dns_dbnode_t *node = rdataset->private5;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdbnode->sdb;
+
+	detachnode(db, &node);
+	isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_dbnode_t *node = source->private5;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdbnode->sdb;
+	dns_dbnode_t *tempdb = NULL;
+
+	isc__rdatalist_clone(source, target);
+	attachnode(db, node, &tempdb);
+	source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t sdb_rdataset_methods = {
+	disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	rdataset_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist,
+		dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset)
+{
+	/*
+	 * The sdb rdataset is an rdatalist with some additions.
+	 *	- private1 & private2 are used by the rdatalist.
+	 *	- private3 & private 4 are unused.
+	 *	- private5 is the node.
+	 */
+
+	/* This should never fail. */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+
+	rdataset->methods = &sdb_rdataset_methods;
+	dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * Database Iterator Methods
+ */
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp);
+	dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db;
+
+	while (!ISC_LIST_EMPTY(sdbiter->nodelist)) {
+		dns_sdbnode_t *node;
+		node = ISC_LIST_HEAD(sdbiter->nodelist);
+		ISC_LIST_UNLINK(sdbiter->nodelist, node, link);
+		destroynode(node);
+	}
+
+	dns_db_detach(&sdbiter->common.db);
+	isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+	if (sdbiter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist);
+	if (sdbiter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+	while (sdbiter->current != NULL) {
+		if (dns_name_equal(sdbiter->current->name, name))
+			return (ISC_R_SUCCESS);
+		sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_PREV(sdbiter->current, link);
+	if (sdbiter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
+	if (sdbiter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name)
+{
+	sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+	attachnode(iterator->db, sdbiter->current, nodep);
+	if (name != NULL)
+		return (dns_name_copy(sdbiter->current->name, name, NULL));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	UNUSED(iterator);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	UNUSED(iterator);
+	return (dns_name_copy(dns_rootname, name, NULL));
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp);
+	detachnode(sdbiterator->common.db, &sdbiterator->common.node);
+	isc_mem_put(sdbiterator->common.db->mctx, sdbiterator,
+		    sizeof(sdb_rdatasetiter_t));
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+	dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(sdbnode->lists))
+		return (ISC_R_NOMORE);
+	sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+	sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link);
+	if (sdbiterator->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+	list_tordataset(sdbiterator->current, iterator->db, iterator->node,
+			rdataset);
+}
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
new file mode 100644
index 0000000..11c4c73
--- /dev/null
+++ b/lib/dns/sdlz.c
@@ -0,0 +1,2172 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
+ * conceived and contributed by Rob Butler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all
+ * copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+ * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+ * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+ * USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/region.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/master.h>
+#include <dns/sdlz.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+/*
+ * Private Types
+ */
+
+struct dns_sdlzimplementation {
+	const dns_sdlzmethods_t		*methods;
+	isc_mem_t			*mctx;
+	void				*driverarg;
+	unsigned int			flags;
+	isc_mutex_t			driverlock;
+	dns_dlzimplementation_t		*dlz_imp;
+};
+
+struct dns_sdlz_db {
+	/* Unlocked */
+	dns_db_t			common;
+	void				*dbdata;
+	dns_sdlzimplementation_t	*dlzimp;
+	isc_mutex_t			refcnt_lock;
+	/* Locked */
+	unsigned int			references;
+	dns_dbversion_t			*future_version;
+	int				dummy_version;
+};
+
+struct dns_sdlzlookup {
+	/* Unlocked */
+	unsigned int			magic;
+	dns_sdlz_db_t			*sdlz;
+	ISC_LIST(dns_rdatalist_t)	lists;
+	ISC_LIST(isc_buffer_t)		buffers;
+	dns_name_t			*name;
+	ISC_LINK(dns_sdlzlookup_t)	link;
+	isc_mutex_t			lock;
+	dns_rdatacallbacks_t		callbacks;
+	/* Locked */
+	unsigned int			references;
+};
+
+typedef struct dns_sdlzlookup dns_sdlznode_t;
+
+struct dns_sdlzallnodes {
+	dns_dbiterator_t		common;
+	ISC_LIST(dns_sdlznode_t)	nodelist;
+	dns_sdlznode_t			*current;
+	dns_sdlznode_t			*origin;
+};
+
+typedef dns_sdlzallnodes_t sdlz_dbiterator_t;
+
+typedef struct sdlz_rdatasetiter {
+	dns_rdatasetiter_t		common;
+	dns_rdatalist_t			*current;
+} sdlz_rdatasetiter_t;
+
+
+#define SDLZDB_MAGIC		ISC_MAGIC('D', 'L', 'Z', 'S')
+
+/*
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+
+#define VALID_SDLZDB(sdlzdb)	((sdlzdb) != NULL && \
+				 (sdlzdb)->common.impmagic == SDLZDB_MAGIC)
+
+#define SDLZLOOKUP_MAGIC	ISC_MAGIC('D','L','Z','L')
+#define VALID_SDLZLOOKUP(sdlzl)	ISC_MAGIC_VALID(sdlzl, SDLZLOOKUP_MAGIC)
+#define VALID_SDLZNODE(sdlzn)	VALID_SDLZLOOKUP(sdlzn)
+
+/* These values are taken from RFC 1537 */
+#define SDLZ_DEFAULT_REFRESH	28800U		/* 8 hours */
+#define SDLZ_DEFAULT_RETRY	7200U		/* 2 hours */
+#define SDLZ_DEFAULT_EXPIRE	604800U		/* 7 days */
+#define SDLZ_DEFAULT_MINIMUM	86400U		/* 1 day */
+
+/* This is a reasonable value */
+#define SDLZ_DEFAULT_TTL	(60 * 60 * 24)
+
+#ifdef __COVERITY__
+#define MAYBE_LOCK(imp) LOCK(&imp->driverlock)
+#define MAYBE_UNLOCK(imp) UNLOCK(&imp->driverlock)
+#else
+#define MAYBE_LOCK(imp) \
+	do { \
+		unsigned int flags = imp->flags; \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			LOCK(&imp->driverlock); \
+	} while (0)
+
+#define MAYBE_UNLOCK(imp) \
+	do { \
+		unsigned int flags = imp->flags; \
+		if ((flags & DNS_SDLZFLAG_THREADSAFE) == 0) \
+			UNLOCK(&imp->driverlock); \
+	} while (0)
+#endif
+
+/*
+ * Forward references.
+ */
+static isc_result_t getnodedata(dns_db_t *db, dns_name_t *name,
+				bool create, unsigned int options,
+				dns_clientinfomethods_t *methods,
+				dns_clientinfo_t *clientinfo,
+				dns_dbnode_t **nodep);
+
+static void list_tordataset(dns_rdatalist_t *rdatalist,
+			    dns_db_t *db, dns_dbnode_t *node,
+			    dns_rdataset_t *rdataset);
+
+static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
+					dns_name_t *name);
+static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
+					   dns_dbnode_t **nodep,
+					   dns_name_t *name);
+static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
+					  dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+	dbiterator_destroy,
+	dbiterator_first,
+	dbiterator_last,
+	dbiterator_seek,
+	dbiterator_prev,
+	dbiterator_next,
+	dbiterator_current,
+	dbiterator_pause,
+	dbiterator_origin
+};
+
+/*
+ * Utility functions
+ */
+
+/*
+ * Log a message at the given level
+ */
+static void
+sdlz_log(int level, const char *fmt, ...) {
+	va_list ap;
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+		       DNS_LOGMODULE_DLZ, ISC_LOG_DEBUG(level),
+		       fmt, ap);
+	va_end(ap);
+}
+
+/*% Converts the input string to lowercase, in place. */
+static void
+dns_sdlz_tolower(char *str) {
+	unsigned int len = strlen(str);
+	unsigned int i;
+
+	for (i = 0; i < len; i++) {
+		if (str[i] >= 'A' && str[i] <= 'Z')
+			str[i] += 32;
+	}
+}
+
+static inline unsigned int
+initial_size(const char *data) {
+	unsigned int len = (strlen(data) / 64) + 1;
+	return (len * 64 + 64);
+}
+
+/*
+ * Rdataset Iterator Methods. These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+	sdlz_rdatasetiter_t *sdlziterator =
+		(sdlz_rdatasetiter_t *)(*iteratorp);
+
+	detachnode(sdlziterator->common.db, &sdlziterator->common.node);
+	isc_mem_put(sdlziterator->common.db->mctx, sdlziterator,
+		    sizeof(sdlz_rdatasetiter_t));
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)iterator->node;
+
+	if (ISC_LIST_EMPTY(sdlznode->lists))
+		return (ISC_R_NOMORE);
+	sdlziterator->current = ISC_LIST_HEAD(sdlznode->lists);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	sdlziterator->current = ISC_LIST_NEXT(sdlziterator->current, link);
+	if (sdlziterator->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+	sdlz_rdatasetiter_t *sdlziterator = (sdlz_rdatasetiter_t *)iterator;
+
+	list_tordataset(sdlziterator->current, iterator->db, iterator->node,
+			rdataset);
+}
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+	rdatasetiter_destroy,
+	rdatasetiter_first,
+	rdatasetiter_next,
+	rdatasetiter_current
+};
+
+/*
+ * DB routines. These methods were "borrowed" from the SDB driver interface.
+ * See the SDB driver interface documentation for more info.
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	LOCK(&sdlz->refcnt_lock);
+	REQUIRE(sdlz->references > 0);
+	sdlz->references++;
+	UNLOCK(&sdlz->refcnt_lock);
+
+	*targetp = source;
+}
+
+static void
+destroy(dns_sdlz_db_t *sdlz) {
+	isc_mem_t *mctx;
+	mctx = sdlz->common.mctx;
+
+	sdlz->common.magic = 0;
+	sdlz->common.impmagic = 0;
+
+	(void)isc_mutex_destroy(&sdlz->refcnt_lock);
+
+	dns_name_free(&sdlz->common.origin, mctx);
+
+	isc_mem_put(mctx, sdlz, sizeof(dns_sdlz_db_t));
+	isc_mem_detach(&mctx);
+}
+
+static void
+detach(dns_db_t **dbp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)(*dbp);
+	bool need_destroy = false;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	LOCK(&sdlz->refcnt_lock);
+	REQUIRE(sdlz->references > 0);
+	sdlz->references--;
+	if (sdlz->references == 0)
+		need_destroy = true;
+	UNLOCK(&sdlz->refcnt_lock);
+
+	if (need_destroy)
+		destroy(sdlz);
+
+	*dbp = NULL;
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_rdatacallbacks_t *callbacks) {
+	UNUSED(db);
+	UNUSED(callbacks);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename,
+     dns_masterformat_t masterformat)
+{
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(filename);
+	UNUSED(masterformat);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(versionp != NULL && *versionp == NULL);
+
+	*versionp = (void *) &sdlz->dummy_version;
+	return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char origin[DNS_NAME_MAXTEXT + 1];
+	isc_result_t result;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->newversion == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
+
+	result = sdlz->dlzimp->methods->newversion(origin,
+						   sdlz->dlzimp->driverarg,
+						   sdlz->dbdata, versionp);
+	if (result != ISC_R_SUCCESS) {
+		sdlz_log(ISC_LOG_ERROR,
+			 "sdlz newversion on origin %s failed : %s",
+			 origin, isc_result_totext(result));
+		return (result);
+	}
+
+	sdlz->future_version = *versionp;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source, dns_dbversion_t **targetp)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(source != NULL && source == (void *)&sdlz->dummy_version);
+
+	*targetp = source;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, bool commit) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char origin[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(versionp != NULL);
+
+	if (*versionp == (void *)&sdlz->dummy_version) {
+		*versionp = NULL;
+		return;
+	}
+
+	REQUIRE(*versionp == sdlz->future_version);
+	REQUIRE(sdlz->dlzimp->methods->closeversion != NULL);
+
+	dns_name_format(&sdlz->common.origin, origin, sizeof(origin));
+
+	sdlz->dlzimp->methods->closeversion(origin, commit,
+					    sdlz->dlzimp->driverarg,
+					    sdlz->dbdata, versionp);
+	if (*versionp != NULL)
+		sdlz_log(ISC_LOG_ERROR,
+			"sdlz closeversion on origin %s failed", origin);
+
+	sdlz->future_version = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdlz_db_t *sdlz, dns_sdlznode_t **nodep) {
+	dns_sdlznode_t *node;
+	isc_result_t result;
+
+	node = isc_mem_get(sdlz->common.mctx, sizeof(dns_sdlznode_t));
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	node->sdlz = NULL;
+	attach((dns_db_t *)sdlz, (dns_db_t **)&node->sdlz);
+	ISC_LIST_INIT(node->lists);
+	ISC_LIST_INIT(node->buffers);
+	ISC_LINK_INIT(node, link);
+	node->name = NULL;
+	result = isc_mutex_init(&node->lock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		isc_mem_put(sdlz->common.mctx, node, sizeof(dns_sdlznode_t));
+		return (ISC_R_UNEXPECTED);
+	}
+	dns_rdatacallbacks_init(&node->callbacks);
+	node->references = 1;
+	node->magic = SDLZLOOKUP_MAGIC;
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdlznode_t *node) {
+	dns_rdatalist_t *list;
+	dns_rdata_t *rdata;
+	isc_buffer_t *b;
+	dns_sdlz_db_t *sdlz;
+	dns_db_t *db;
+	isc_mem_t *mctx;
+
+	sdlz = node->sdlz;
+	mctx = sdlz->common.mctx;
+
+	while (!ISC_LIST_EMPTY(node->lists)) {
+		list = ISC_LIST_HEAD(node->lists);
+		while (!ISC_LIST_EMPTY(list->rdata)) {
+			rdata = ISC_LIST_HEAD(list->rdata);
+			ISC_LIST_UNLINK(list->rdata, rdata, link);
+			isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+		}
+		ISC_LIST_UNLINK(node->lists, list, link);
+		isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+	}
+
+	while (!ISC_LIST_EMPTY(node->buffers)) {
+		b = ISC_LIST_HEAD(node->buffers);
+		ISC_LIST_UNLINK(node->buffers, b, link);
+		isc_buffer_free(&b);
+	}
+
+	if (node->name != NULL) {
+		dns_name_free(node->name, mctx);
+		isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+	}
+	DESTROYLOCK(&node->lock);
+	node->magic = 0;
+	isc_mem_put(mctx, node, sizeof(dns_sdlznode_t));
+	db = &sdlz->common;
+	detach(&db);
+}
+
+static isc_result_t
+getnodedata(dns_db_t *db, dns_name_t *name, bool create,
+	    unsigned int options, dns_clientinfomethods_t *methods,
+	    dns_clientinfo_t *clientinfo, dns_dbnode_t **nodep)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_buffer_t b2;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+	bool isorigin;
+	dns_sdlzauthorityfunc_t authority;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	if (sdlz->dlzimp->methods->newversion == NULL) {
+		REQUIRE(create == false);
+	}
+
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVEOWNER) != 0) {
+		dns_name_t relname;
+		unsigned int labels;
+
+		labels = dns_name_countlabels(name) -
+			 dns_name_countlabels(&sdlz->common.origin);
+		dns_name_init(&relname, NULL);
+		dns_name_getlabelsequence(name, 0, labels, &relname);
+		result = dns_name_totext(&relname, true, &b);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
+		result = dns_name_totext(name, true, &b);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	isc_buffer_init(&b2, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, true, &b2);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b2, 0);
+
+	result = createnode(sdlz, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isorigin = dns_name_equal(name, &sdlz->common.origin);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+	dns_sdlz_tolower(namestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+
+	/* try to lookup the host (namestr) */
+	result = sdlz->dlzimp->methods->lookup(zonestr, namestr,
+					       sdlz->dlzimp->driverarg,
+					       sdlz->dbdata, node,
+					       methods, clientinfo);
+
+	/*
+	 * If the name was not found and DNS_DBFIND_NOWILD is not
+	 * set, then we try to find a wildcard entry.
+	 *
+	 * If DNS_DBFIND_NOZONECUT is set and there are multiple
+	 * levels between the host and the zone origin, we also look
+	 * for wildcards at each level.
+	 */
+	if (result == ISC_R_NOTFOUND && !create &&
+	    (options & DNS_DBFIND_NOWILD) == 0)
+	{
+		unsigned int i, dlabels, nlabels;
+
+		nlabels = dns_name_countlabels(name);
+		dlabels = nlabels - dns_name_countlabels(&sdlz->common.origin);
+		for (i = 0; i < dlabels; i++) {
+			char wildstr[DNS_NAME_MAXTEXT + 1];
+			dns_fixedname_t fixed;
+			dns_name_t *wild;
+
+			dns_fixedname_init(&fixed);
+			if (i == dlabels)
+				wild = dns_wildcardname;
+			else {
+				wild = dns_fixedname_name(&fixed);
+				dns_name_getlabelsequence(name, i + 1,
+							  dlabels - i - 1,
+							  wild);
+				result = dns_name_concatenate(dns_wildcardname,
+							      wild, wild, NULL);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+			}
+
+			isc_buffer_init(&b, wildstr, sizeof(wildstr));
+			result = dns_name_totext(wild, true, &b);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_putuint8(&b, 0);
+
+			result = sdlz->dlzimp->methods->lookup(zonestr, wildstr,
+						       sdlz->dlzimp->driverarg,
+						       sdlz->dbdata, node,
+						       methods, clientinfo);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+	}
+
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+	if (result == ISC_R_NOTFOUND && (isorigin || create))
+		result = ISC_R_SUCCESS;
+
+	if (result != ISC_R_SUCCESS) {
+		destroynode(node);
+		return (result);
+	}
+
+	if (isorigin && sdlz->dlzimp->methods->authority != NULL) {
+		MAYBE_LOCK(sdlz->dlzimp);
+		authority = sdlz->dlzimp->methods->authority;
+		result = (*authority)(zonestr, sdlz->dlzimp->driverarg,
+				      sdlz->dbdata, node);
+		MAYBE_UNLOCK(sdlz->dlzimp);
+		if (result != ISC_R_SUCCESS &&
+		    result != ISC_R_NOTIMPLEMENTED)
+		{
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	if (node->name == NULL) {
+		node->name = isc_mem_get(sdlz->common.mctx,
+					 sizeof(dns_name_t));
+		if (node->name == NULL) {
+			destroynode(node);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_name_init(node->name, NULL);
+		result = dns_name_dup(name, sdlz->common.mctx, node->name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(sdlz->common.mctx, node->name,
+				    sizeof(dns_name_t));
+			destroynode(node);
+			return (result);
+		}
+	}
+
+	*nodep = node;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnodeext(dns_db_t *db, dns_name_t *name, bool create,
+	    dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	    dns_dbnode_t **nodep)
+{
+	return (getnodedata(db, name, create, 0, methods, clientinfo, nodep));
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, bool create,
+	 dns_dbnode_t **nodep)
+{
+	return (getnodedata(db, name, create, 0, NULL, NULL, nodep));
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+	    isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	UNUSED(db);
+	UNUSED(name);
+	UNUSED(options);
+	UNUSED(now);
+	UNUSED(nodep);
+	UNUSED(foundname);
+	UNUSED(rdataset);
+	UNUSED(sigrdataset);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node = (dns_sdlznode_t *)source;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	UNUSED(sdlz);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references++;
+	INSIST(node->references != 0);		/* Catch overflow. */
+	UNLOCK(&node->lock);
+
+	*targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_sdlznode_t *node;
+	bool need_destroy = false;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(targetp != NULL && *targetp != NULL);
+
+	UNUSED(sdlz);
+
+	node = (dns_sdlznode_t *)(*targetp);
+
+	LOCK(&node->lock);
+	INSIST(node->references > 0);
+	node->references--;
+	if (node->references == 0)
+		need_destroy = true;
+	UNLOCK(&node->lock);
+
+	if (need_destroy)
+		destroynode(node);
+
+	*targetp = NULL;
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(now);
+	INSIST(0);
+	return (ISC_R_UNEXPECTED);
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+	UNUSED(db);
+	UNUSED(node);
+	UNUSED(out);
+	return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	sdlz_dbiterator_t *sdlziter;
+	isc_result_t result;
+	isc_buffer_t b;
+	char zonestr[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->allnodes == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+		 return (ISC_R_NOTIMPLEMENTED);
+
+	isc_buffer_init(&b, zonestr, sizeof(zonestr));
+	result = dns_name_totext(&sdlz->common.origin, true, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+	sdlziter = isc_mem_get(sdlz->common.mctx, sizeof(sdlz_dbiterator_t));
+	if (sdlziter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sdlziter->common.methods = &dbiterator_methods;
+	sdlziter->common.db = NULL;
+	dns_db_attach(db, &sdlziter->common.db);
+	sdlziter->common.relative_names = (options & DNS_DB_RELATIVENAMES);
+	sdlziter->common.magic = DNS_DBITERATOR_MAGIC;
+	ISC_LIST_INIT(sdlziter->nodelist);
+	sdlziter->current = NULL;
+	sdlziter->origin = NULL;
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(zonestr);
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = sdlz->dlzimp->methods->allnodes(zonestr,
+						 sdlz->dlzimp->driverarg,
+						 sdlz->dbdata, sdlziter);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+	if (result != ISC_R_SUCCESS) {
+		dns_dbiterator_t *iter = &sdlziter->common;
+		dbiterator_destroy(&iter);
+		return (result);
+	}
+
+	if (sdlziter->origin != NULL) {
+		ISC_LIST_UNLINK(sdlziter->nodelist, sdlziter->origin, link);
+		ISC_LIST_PREPEND(sdlziter->nodelist, sdlziter->origin, link);
+	}
+
+	*iteratorp = (dns_dbiterator_t *)sdlziter;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     dns_rdatatype_t type, dns_rdatatype_t covers,
+	     isc_stdtime_t now, dns_rdataset_t *rdataset,
+	     dns_rdataset_t *sigrdataset)
+{
+	dns_rdatalist_t *list;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *)node;
+
+	REQUIRE(VALID_SDLZNODE(node));
+
+	UNUSED(db);
+	UNUSED(version);
+	UNUSED(covers);
+	UNUSED(now);
+	UNUSED(sigrdataset);
+
+	if (type == dns_rdatatype_sig || type == dns_rdatatype_rrsig)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	list = ISC_LIST_HEAD(sdlznode->lists);
+	while (list != NULL) {
+		if (list->type == type)
+			break;
+		list = ISC_LIST_NEXT(list, link);
+	}
+	if (list == NULL)
+		return (ISC_R_NOTFOUND);
+
+	list_tordataset(list, db, node, rdataset);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+	dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+	dns_dbnode_t **nodep, dns_name_t *foundname,
+	dns_clientinfomethods_t *methods, dns_clientinfo_t *clientinfo,
+	dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fname;
+	dns_rdataset_t xrdataset;
+	dns_name_t *xname;
+	unsigned int nlabels, olabels;
+	isc_result_t result;
+	unsigned int i;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	REQUIRE(nodep == NULL || *nodep == NULL);
+	REQUIRE(version == NULL ||
+		version == (void*)&sdlz->dummy_version ||
+		version == sdlz->future_version);
+
+	UNUSED(sdlz);
+
+	if (!dns_name_issubdomain(name, &db->origin))
+		return (DNS_R_NXDOMAIN);
+
+	olabels = dns_name_countlabels(&db->origin);
+	nlabels = dns_name_countlabels(name);
+
+	xname = dns_fixedname_initname(&fname);
+
+	if (rdataset == NULL) {
+		dns_rdataset_init(&xrdataset);
+		rdataset = &xrdataset;
+	}
+
+	result = DNS_R_NXDOMAIN;
+
+	/*
+	 * If we're not walking down searching for zone
+	 * cuts, we can cut straight to the chase
+	 */
+	if ((options & DNS_DBFIND_NOZONECUT) != 0) {
+		i = nlabels;
+		goto search;
+	}
+
+	for (i = olabels; i <= nlabels; i++) {
+ search:
+		/*
+		 * Look up the next label.
+		 */
+		dns_name_getlabelsequence(name, nlabels - i, i, xname);
+		result = getnodedata(db, xname, false, options,
+				     methods, clientinfo, &node);
+		if (result == ISC_R_NOTFOUND) {
+			result = DNS_R_NXDOMAIN;
+			continue;
+		} else if (result != ISC_R_SUCCESS)
+			break;
+
+		/*
+		 * Look for a DNAME at the current label, unless this is
+		 * the qname.
+		 */
+		if (i < nlabels) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_dname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DNAME;
+				break;
+			}
+		}
+
+		/*
+		 * Look for an NS at the current label, unless this is the
+		 * origin, glue is ok, or there are known to be no zone cuts.
+		 */
+		if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0 &&
+		    (options & DNS_DBFIND_NOZONECUT) == 0)
+		{
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_ns, 0, now,
+					      rdataset, sigrdataset);
+
+			if (result == ISC_R_SUCCESS &&
+			    i == nlabels && type == dns_rdatatype_any)
+			{
+				result = DNS_R_ZONECUT;
+				dns_rdataset_disassociate(rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(sigrdataset))
+					dns_rdataset_disassociate(sigrdataset);
+				break;
+			} else if (result == ISC_R_SUCCESS) {
+				result = DNS_R_DELEGATION;
+				break;
+			}
+		}
+
+		/*
+		 * If the current name is not the qname, add another label
+		 * and try again.
+		 */
+		if (i < nlabels) {
+			destroynode(node);
+			node = NULL;
+			continue;
+		}
+
+		/*
+		 * If we're looking for ANY, we're done.
+		 */
+		if (type == dns_rdatatype_any) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+
+		/*
+		 * Look for the qtype.
+		 */
+		result = findrdataset(db, node, version, type, 0, now,
+				      rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+
+		/*
+		 * Look for a CNAME
+		 */
+		if (type != dns_rdatatype_cname) {
+			result = findrdataset(db, node, version,
+					      dns_rdatatype_cname, 0, now,
+					      rdataset, sigrdataset);
+			if (result == ISC_R_SUCCESS) {
+				result = DNS_R_CNAME;
+				break;
+			}
+		}
+
+		result = DNS_R_NXRRSET;
+		break;
+	}
+
+	if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+
+	if (foundname != NULL) {
+		isc_result_t xresult;
+
+		xresult = dns_name_copy(xname, foundname, NULL);
+		if (xresult != ISC_R_SUCCESS) {
+			if (node != NULL)
+				destroynode(node);
+			if (dns_rdataset_isassociated(rdataset))
+				dns_rdataset_disassociate(rdataset);
+			return (DNS_R_BADDB);
+		}
+	}
+
+	if (nodep != NULL)
+		*nodep = node;
+	else if (node != NULL)
+		detachnode(db, &node);
+
+	return (result);
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+     dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+     dns_dbnode_t **nodep, dns_name_t *foundname,
+     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	return (findext(db, name, version, type, options, now, nodep,
+			foundname, NULL, NULL, rdataset, sigrdataset));
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	     isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *) db;
+	sdlz_rdatasetiter_t *iterator;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	REQUIRE(version == NULL ||
+		version == (void*)&sdlz->dummy_version ||
+		version == sdlz->future_version);
+
+	UNUSED(version);
+	UNUSED(now);
+
+	iterator = isc_mem_get(db->mctx, sizeof(sdlz_rdatasetiter_t));
+	if (iterator == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iterator->common.magic = DNS_RDATASETITER_MAGIC;
+	iterator->common.methods = &rdatasetiter_methods;
+	iterator->common.db = db;
+	iterator->common.node = NULL;
+	attachnode(db, node, &iterator->common.node);
+	iterator->common.version = version;
+	iterator->common.now = now;
+
+	*iteratorp = (dns_rdatasetiter_t *)iterator;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+modrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    dns_rdataset_t *rdataset, unsigned int options,
+	    dns_sdlzmodrdataset_t mod_function)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	dns_master_style_t *style = NULL;
+	isc_result_t result;
+	isc_buffer_t *buffer = NULL;
+	isc_mem_t *mctx;
+	dns_sdlznode_t *sdlznode;
+	char *rdatastr = NULL;
+	char name[DNS_NAME_MAXTEXT + 1];
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (mod_function == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	sdlznode = (dns_sdlznode_t *)node;
+
+	UNUSED(options);
+
+	dns_name_format(sdlznode->name, name, sizeof(name));
+
+	mctx = sdlz->common.mctx;
+
+	result = isc_buffer_allocate(mctx, &buffer, 1024);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_master_stylecreate(&style, 0, 0, 0, 0, 0, 0, 1, mctx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_master_rdatasettotext(sdlznode->name, rdataset,
+					   style, buffer);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	if (isc_buffer_usedlength(buffer) < 1) {
+		result = ISC_R_BADADDRESSFORM;
+		goto cleanup;
+	}
+
+	rdatastr = isc_buffer_base(buffer);
+	if (rdatastr == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	rdatastr[isc_buffer_usedlength(buffer) - 1] = 0;
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = mod_function(name, rdatastr, sdlz->dlzimp->driverarg,
+			      sdlz->dbdata, version);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+cleanup:
+	isc_buffer_free(&buffer);
+	if (style != NULL)
+		dns_master_styledestroy(&style, mctx);
+
+	return (result);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+	    dns_rdataset_t *addedrdataset)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	UNUSED(now);
+	UNUSED(addedrdataset);
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->addrdataset == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	result = modrdataset(db, node, version, rdataset, options,
+			     sdlz->dlzimp->methods->addrdataset);
+	return (result);
+}
+
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 dns_rdataset_t *rdataset, unsigned int options,
+		 dns_rdataset_t *newrdataset)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	UNUSED(newrdataset);
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->subtractrdataset == NULL) {
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+
+	result = modrdataset(db, node, version, rdataset, options,
+			     sdlz->dlzimp->methods->subtractrdataset);
+	return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	char name[DNS_NAME_MAXTEXT + 1];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	dns_sdlznode_t *sdlznode;
+	isc_result_t result;
+
+	UNUSED(covers);
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+
+	if (sdlz->dlzimp->methods->delrdataset == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	sdlznode = (dns_sdlznode_t *)node;
+	dns_name_format(sdlznode->name, name, sizeof(name));
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	MAYBE_LOCK(sdlz->dlzimp);
+	result = sdlz->dlzimp->methods->delrdataset(name, b_type,
+						    sdlz->dlzimp->driverarg,
+						    sdlz->dbdata, version);
+	MAYBE_UNLOCK(sdlz->dlzimp);
+
+	return (result);
+}
+
+static bool
+issecure(dns_db_t *db) {
+	UNUSED(db);
+
+	return (false);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+	UNUSED(db);
+
+	return (0);
+}
+
+static bool
+ispersistent(dns_db_t *db) {
+	UNUSED(db);
+	return (true);
+}
+
+static void
+overmem(dns_db_t *db, bool over) {
+	UNUSED(db);
+	UNUSED(over);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+	UNUSED(db);
+	UNUSED(task);
+}
+
+/*
+ * getoriginnode() is used by the update code to find the
+ * dns_rdatatype_dnskey record for a zone
+ */
+static isc_result_t
+getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
+	isc_result_t result;
+
+	REQUIRE(VALID_SDLZDB(sdlz));
+	if (sdlz->dlzimp->methods->newversion == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	result = getnodedata(db, &sdlz->common.origin, false,
+			     0, NULL, NULL, nodep);
+	if (result != ISC_R_SUCCESS)
+		sdlz_log(ISC_LOG_ERROR, "sdlz getoriginnode failed: %s",
+			 isc_result_totext(result));
+	return (result);
+}
+
+static dns_dbmethods_t sdlzdb_methods = {
+	attach,
+	detach,
+	beginload,
+	endload,
+	NULL,
+	dump,
+	currentversion,
+	newversion,
+	attachversion,
+	closeversion,
+	findnode,
+	find,
+	findzonecut,
+	attachnode,
+	detachnode,
+	expirenode,
+	printnode,
+	createiterator,
+	findrdataset,
+	allrdatasets,
+	addrdataset,
+	subtractrdataset,
+	deleterdataset,
+	issecure,
+	nodecount,
+	ispersistent,
+	overmem,
+	settask,
+	getoriginnode,
+	NULL,			/* transfernode */
+	NULL,			/* getnsec3parameters */
+	NULL,			/* findnsec3node */
+	NULL,			/* setsigningtime */
+	NULL,			/* getsigningtime */
+	NULL,			/* resigned */
+	NULL,			/* isdnssec */
+	NULL,			/* getrrsetstats */
+	NULL,			/* rpz_attach */
+	NULL,			/* rpz_ready */
+	findnodeext,
+	findext,
+	NULL,			/* setcachestats */
+	NULL,			/* hashsize */
+	NULL,			/* nodefullname */
+	NULL			/* getsize */
+};
+
+/*
+ * Database Iterator Methods.  These methods were "borrowed" from the SDB
+ * driver interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)(*iteratorp);
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)sdlziter->common.db;
+
+	while (!ISC_LIST_EMPTY(sdlziter->nodelist)) {
+		dns_sdlznode_t *node;
+		node = ISC_LIST_HEAD(sdlziter->nodelist);
+		ISC_LIST_UNLINK(sdlziter->nodelist, node, link);
+		destroynode(node);
+	}
+
+	dns_db_detach(&sdlziter->common.db);
+	isc_mem_put(sdlz->common.mctx, sdlziter, sizeof(sdlz_dbiterator_t));
+
+	*iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_TAIL(sdlziter->nodelist);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_HEAD(sdlziter->nodelist);
+	while (sdlziter->current != NULL) {
+		if (dns_name_equal(sdlziter->current->name, name))
+			return (ISC_R_SUCCESS);
+		sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_PREV(sdlziter->current, link);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	sdlziter->current = ISC_LIST_NEXT(sdlziter->current, link);
+	if (sdlziter->current == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+		   dns_name_t *name)
+{
+	sdlz_dbiterator_t *sdlziter = (sdlz_dbiterator_t *)iterator;
+
+	attachnode(iterator->db, sdlziter->current, nodep);
+	if (name != NULL)
+		return (dns_name_copy(sdlziter->current->name, name, NULL));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+	UNUSED(iterator);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+	UNUSED(iterator);
+	return (dns_name_copy(dns_rootname, name, NULL));
+}
+
+/*
+ * Rdataset Methods. These methods were "borrowed" from the SDB driver
+ * interface.  See the SDB driver interface documentation for more info.
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+	dns_dbnode_t *node = rdataset->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
+
+	detachnode(db, &node);
+	isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+	dns_dbnode_t *node = source->private5;
+	dns_sdlznode_t *sdlznode = (dns_sdlznode_t *) node;
+	dns_db_t *db = (dns_db_t *) sdlznode->sdlz;
+	dns_dbnode_t *tempdb = NULL;
+
+	isc__rdatalist_clone(source, target);
+	attachnode(db, node, &tempdb);
+	source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+	disassociate,
+	isc__rdatalist_first,
+	isc__rdatalist_next,
+	isc__rdatalist_current,
+	rdataset_clone,
+	isc__rdatalist_count,
+	isc__rdatalist_addnoqname,
+	isc__rdatalist_getnoqname,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist,
+		dns_db_t *db, dns_dbnode_t *node,
+		dns_rdataset_t *rdataset)
+{
+	/*
+	 * The sdlz rdataset is an rdatalist with some additions.
+	 *	- private1 & private2 are used by the rdatalist.
+	 *	- private3 & private 4 are unused.
+	 *	- private5 is the node.
+	 */
+
+	/* This should never fail. */
+	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+		      ISC_R_SUCCESS);
+
+	rdataset->methods = &rdataset_methods;
+	dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * SDLZ core methods. This is the core of the new DLZ functionality.
+ */
+
+/*%
+ * Build a 'bind' database driver structure to be returned by
+ * either the find zone or the allow zone transfer method.
+ * This method is only available in this source file, it is
+ * not made available anywhere else.
+ */
+
+static isc_result_t
+dns_sdlzcreateDBP(isc_mem_t *mctx, void *driverarg, void *dbdata,
+		  dns_name_t *name, dns_rdataclass_t rdclass, dns_db_t **dbp)
+{
+	isc_result_t result;
+	dns_sdlz_db_t *sdlzdb;
+	dns_sdlzimplementation_t *imp;
+
+	/* check that things are as we expect */
+	REQUIRE(dbp != NULL && *dbp == NULL);
+	REQUIRE(name != NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* allocate and zero memory for driver structure */
+	sdlzdb = isc_mem_get(mctx, sizeof(dns_sdlz_db_t));
+	if (sdlzdb == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(sdlzdb, 0, sizeof(dns_sdlz_db_t));
+
+	/* initialize and set origin */
+	dns_name_init(&sdlzdb->common.origin, NULL);
+	result = dns_name_dupwithoffsets(name, mctx, &sdlzdb->common.origin);
+	if (result != ISC_R_SUCCESS)
+		goto mem_cleanup;
+
+	/* initialize the reference count mutex */
+	result = isc_mutex_init(&sdlzdb->refcnt_lock);
+	if (result != ISC_R_SUCCESS)
+		goto name_cleanup;
+
+	/* set the rest of the database structure attributes */
+	sdlzdb->dlzimp = imp;
+	sdlzdb->common.methods = &sdlzdb_methods;
+	sdlzdb->common.attributes = 0;
+	sdlzdb->common.rdclass = rdclass;
+	sdlzdb->common.mctx = NULL;
+	sdlzdb->dbdata = dbdata;
+	sdlzdb->references = 1;
+
+	/* attach to the memory context */
+	isc_mem_attach(mctx, &sdlzdb->common.mctx);
+
+	/* mark structure as valid */
+	sdlzdb->common.magic = DNS_DB_MAGIC;
+	sdlzdb->common.impmagic = SDLZDB_MAGIC;
+	*dbp = (dns_db_t *) sdlzdb;
+
+	return (result);
+
+	/*
+	 * reference count mutex could not be initialized, clean up
+	 * name memory
+	 */
+ name_cleanup:
+	dns_name_free(&sdlzdb->common.origin, mctx);
+ mem_cleanup:
+	isc_mem_put(mctx, sdlzdb, sizeof(dns_sdlz_db_t));
+	return (result);
+}
+
+static isc_result_t
+dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		     dns_rdataclass_t rdclass, dns_name_t *name,
+		     isc_sockaddr_t *clientaddr, dns_db_t **dbp)
+{
+	isc_buffer_t b;
+	isc_buffer_t b2;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	char clientstr[(sizeof "xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")
+		       + 1];
+	isc_netaddr_t netaddr;
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(clientaddr != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, true, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+	/* convert client address to ascii text */
+	isc_buffer_init(&b2, clientstr, sizeof(clientstr));
+	isc_netaddr_fromsockaddr(&netaddr, clientaddr);
+	result = isc_netaddr_totext(&netaddr, &b2);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b2, 0);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+	dns_sdlz_tolower(clientstr);
+
+	/* Call SDLZ driver's find zone method */
+	if (imp->methods->allowzonexfr != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->allowzonexfr(imp->driverarg, dbdata,
+						    namestr, clientstr);
+		MAYBE_UNLOCK(imp);
+		/*
+		 * if zone is supported and transfers allowed build a 'bind'
+		 * database driver
+		 */
+		if (result == ISC_R_SUCCESS)
+			result = dns_sdlzcreateDBP(mctx, driverarg, dbdata,
+						   name, rdclass, dbp);
+		return (result);
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dns_sdlzcreate(isc_mem_t *mctx, const char *dlzname, unsigned int argc,
+	       char *argv[], void *driverarg, void **dbdata)
+{
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result = ISC_R_NOTFOUND;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Loading SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(dlzname != NULL);
+	REQUIRE(dbdata != NULL);
+	UNUSED(mctx);
+
+	imp = driverarg;
+
+	/* If the create method exists, call it. */
+	if (imp->methods->create != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->create(dlzname, argc, argv,
+					      imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+
+	/* Write debugging message to log */
+	if (result == ISC_R_SUCCESS) {
+		sdlz_log(ISC_LOG_DEBUG(2), "SDLZ driver loaded successfully.");
+	} else {
+		sdlz_log(ISC_LOG_ERROR, "SDLZ driver failed to load.");
+	}
+
+	return (result);
+}
+
+static void
+dns_sdlzdestroy(void *driverdata, void **dbdata) {
+	dns_sdlzimplementation_t *imp;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Unloading SDLZ driver.");
+
+	imp = driverdata;
+
+	/* If the destroy method exists, call it. */
+	if (imp->methods->destroy != NULL) {
+		MAYBE_LOCK(imp);
+		imp->methods->destroy(imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	}
+}
+
+static isc_result_t
+dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, dns_name_t *name,
+		 dns_clientinfomethods_t *methods,
+		 dns_clientinfo_t *clientinfo,
+		 dns_db_t **dbp)
+{
+	isc_buffer_t b;
+	char namestr[DNS_NAME_MAXTEXT + 1];
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	/*
+	 * Perform checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(driverarg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* Convert DNS name to ascii text */
+	isc_buffer_init(&b, namestr, sizeof(namestr));
+	result = dns_name_totext(name, true, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_putuint8(&b, 0);
+
+	/* make sure strings are always lowercase */
+	dns_sdlz_tolower(namestr);
+
+	/* Call SDLZ driver's find zone method */
+	MAYBE_LOCK(imp);
+	result = imp->methods->findzone(imp->driverarg, dbdata, namestr,
+					methods, clientinfo);
+	MAYBE_UNLOCK(imp);
+
+	/*
+	 * if zone is supported build a 'bind' database driver
+	 * structure to return
+	 */
+	if (result == ISC_R_SUCCESS)
+		result = dns_sdlzcreateDBP(mctx, driverarg, dbdata, name,
+					   rdclass, dbp);
+
+	return (result);
+}
+
+
+static isc_result_t
+dns_sdlzconfigure(void *driverarg, void *dbdata,
+		  dns_view_t *view, dns_dlzdb_t *dlzdb)
+{
+	isc_result_t result;
+	dns_sdlzimplementation_t *imp;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+
+	/* Call SDLZ driver's configure method */
+	if (imp->methods->configure != NULL) {
+		MAYBE_LOCK(imp);
+		result = imp->methods->configure(view, dlzdb,
+						 imp->driverarg, dbdata);
+		MAYBE_UNLOCK(imp);
+	} else {
+		result = ISC_R_SUCCESS;
+	}
+
+	return (result);
+}
+
+static bool
+dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
+		 dns_rdatatype_t type, const dst_key_t *key, void *driverarg,
+		 void *dbdata)
+{
+	dns_sdlzimplementation_t *imp;
+	char b_signer[DNS_NAME_FORMATSIZE];
+	char b_name[DNS_NAME_FORMATSIZE];
+	char b_addr[ISC_NETADDR_FORMATSIZE];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	char b_key[DST_KEY_FORMATSIZE];
+	isc_buffer_t *tkey_token = NULL;
+	isc_region_t token_region = { NULL, 0 };
+	uint32_t token_len = 0;
+	bool ret;
+
+	REQUIRE(driverarg != NULL);
+
+	imp = (dns_sdlzimplementation_t *) driverarg;
+	if (imp->methods->ssumatch == NULL)
+		return (false);
+
+	/*
+	 * Format the request elements. sdlz operates on strings, not
+	 * structures
+	 */
+	if (signer != NULL)
+		dns_name_format(signer, b_signer, sizeof(b_signer));
+	else
+		b_signer[0] = 0;
+
+	dns_name_format(name, b_name, sizeof(b_name));
+
+	if (tcpaddr != NULL)
+		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+	else
+		b_addr[0] = 0;
+
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	if (key != NULL) {
+		dst_key_format(key, b_key, sizeof(b_key));
+		tkey_token = dst_key_tkeytoken(key);
+	} else
+		b_key[0] = 0;
+
+	if (tkey_token != NULL) {
+		isc_buffer_region(tkey_token, &token_region);
+		token_len = token_region.length;
+	}
+
+	MAYBE_LOCK(imp);
+	ret = imp->methods->ssumatch(b_signer, b_name, b_addr, b_type, b_key,
+				     token_len,
+				     token_len != 0 ? token_region.base : NULL,
+				     imp->driverarg, dbdata);
+	MAYBE_UNLOCK(imp);
+	return (ret);
+}
+
+static dns_dlzmethods_t sdlzmethods = {
+	dns_sdlzcreate,
+	dns_sdlzdestroy,
+	dns_sdlzfindzone,
+	dns_sdlzallowzonexfr,
+	dns_sdlzconfigure,
+	dns_sdlzssumatch
+};
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
+	       const char *data)
+{
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	dns_rdatatype_t typeval;
+	isc_consttextregion_t r;
+	isc_buffer_t b;
+	isc_buffer_t *rdatabuf = NULL;
+	isc_lex_t *lex;
+	isc_result_t result;
+	unsigned int size;
+	isc_mem_t *mctx;
+	dns_name_t *origin;
+
+	REQUIRE(VALID_SDLZLOOKUP(lookup));
+	REQUIRE(type != NULL);
+	REQUIRE(data != NULL);
+
+	mctx = lookup->sdlz->common.mctx;
+
+	r.base = type;
+	r.length = strlen(type);
+	result = dns_rdatatype_fromtext(&typeval, (void *) &r);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	rdatalist = ISC_LIST_HEAD(lookup->lists);
+	while (rdatalist != NULL) {
+		if (rdatalist->type == typeval)
+			break;
+		rdatalist = ISC_LIST_NEXT(rdatalist, link);
+	}
+
+	if (rdatalist == NULL) {
+		rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+		if (rdatalist == NULL)
+			return (ISC_R_NOMEMORY);
+		dns_rdatalist_init(rdatalist);
+		rdatalist->rdclass = lookup->sdlz->common.rdclass;
+		rdatalist->type = typeval;
+		rdatalist->ttl = ttl;
+		ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+	} else
+		if (rdatalist->ttl > ttl) {
+			/*
+			 * BIND9 doesn't enforce all RRs in an RRset
+			 * having the same TTL, as per RFC 2136,
+			 * section 7.12. If a DLZ backend has
+			 * different TTLs, then the best
+			 * we can do is return the lowest.
+			*/
+			rdatalist->ttl = ttl;
+		}
+
+	rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+	if (rdata == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_rdata_init(rdata);
+
+	if ((lookup->sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
+		origin = &lookup->sdlz->common.origin;
+	else
+		origin = dns_rootname;
+
+	lex = NULL;
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	size = initial_size(data);
+	do {
+		isc_buffer_constinit(&b, data, strlen(data));
+		isc_buffer_add(&b, strlen(data));
+
+		result = isc_lex_openbuffer(lex, &b);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		rdatabuf = NULL;
+		result = isc_buffer_allocate(mctx, &rdatabuf, size);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		result = dns_rdata_fromtext(rdata, rdatalist->rdclass,
+					    rdatalist->type, lex,
+					    origin, false,
+					    mctx, rdatabuf,
+					    &lookup->callbacks);
+		if (result != ISC_R_SUCCESS)
+			isc_buffer_free(&rdatabuf);
+		if (size >= 65535)
+			break;
+		size *= 2;
+		if (size >= 65535)
+			size = 65535;
+	} while (result == ISC_R_NOSPACE);
+
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (rdatabuf != NULL)
+		isc_buffer_free(&rdatabuf);
+	if (lex != NULL)
+		isc_lex_destroy(&lex);
+	isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+
+	return (result);
+}
+
+isc_result_t
+dns_sdlz_putnamedrr(dns_sdlzallnodes_t *allnodes, const char *name,
+		    const char *type, dns_ttl_t ttl, const char *data)
+{
+	dns_name_t *newname, *origin;
+	dns_fixedname_t fnewname;
+	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)allnodes->common.db;
+	dns_sdlznode_t *sdlznode;
+	isc_mem_t *mctx = sdlz->common.mctx;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	newname = dns_fixedname_initname(&fnewname);
+
+	if ((sdlz->dlzimp->flags & DNS_SDLZFLAG_RELATIVERDATA) != 0)
+		origin = &sdlz->common.origin;
+	else
+		origin = dns_rootname;
+	isc_buffer_constinit(&b, name, strlen(name));
+	isc_buffer_add(&b, strlen(name));
+
+	result = dns_name_fromtext(newname, &b, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (allnodes->common.relative_names) {
+		/* All names are relative to the root */
+		unsigned int nlabels = dns_name_countlabels(newname);
+		dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+	}
+
+	sdlznode = ISC_LIST_HEAD(allnodes->nodelist);
+	if (sdlznode == NULL || !dns_name_equal(sdlznode->name, newname)) {
+		sdlznode = NULL;
+		result = createnode(sdlz, &sdlznode);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		sdlznode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (sdlznode->name == NULL) {
+			destroynode(sdlznode);
+			return (ISC_R_NOMEMORY);
+		}
+		dns_name_init(sdlznode->name, NULL);
+		result = dns_name_dup(newname, mctx, sdlznode->name);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, sdlznode->name, sizeof(dns_name_t));
+			destroynode(sdlznode);
+			return (result);
+		}
+		ISC_LIST_PREPEND(allnodes->nodelist, sdlznode, link);
+		if (allnodes->origin == NULL &&
+		    dns_name_equal(newname, &sdlz->common.origin))
+			allnodes->origin = sdlznode;
+	}
+	return (dns_sdlz_putrr(sdlznode, type, ttl, data));
+
+}
+
+isc_result_t
+dns_sdlz_putsoa(dns_sdlzlookup_t *lookup, const char *mname, const char *rname,
+		uint32_t serial)
+{
+	char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+	int n;
+
+	REQUIRE(mname != NULL);
+	REQUIRE(rname != NULL);
+
+	n = snprintf(str, sizeof str, "%s %s %u %u %u %u %u",
+		     mname, rname, serial,
+		     SDLZ_DEFAULT_REFRESH, SDLZ_DEFAULT_RETRY,
+		     SDLZ_DEFAULT_EXPIRE, SDLZ_DEFAULT_MINIMUM);
+	if (n >= (int)sizeof(str) || n < 0)
+		return (ISC_R_NOSPACE);
+	return (dns_sdlz_putrr(lookup, "SOA", SDLZ_DEFAULT_TTL, str));
+}
+
+isc_result_t
+dns_sdlzregister(const char *drivername, const dns_sdlzmethods_t *methods,
+		 void *driverarg, unsigned int flags, isc_mem_t *mctx,
+		 dns_sdlzimplementation_t **sdlzimp)
+{
+
+	dns_sdlzimplementation_t *imp;
+	isc_result_t result;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(drivername != NULL);
+	REQUIRE(methods != NULL);
+	REQUIRE(methods->findzone != NULL);
+	REQUIRE(methods->lookup != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(sdlzimp != NULL && *sdlzimp == NULL);
+	REQUIRE((flags & ~(DNS_SDLZFLAG_RELATIVEOWNER |
+			   DNS_SDLZFLAG_RELATIVERDATA |
+			   DNS_SDLZFLAG_THREADSAFE)) == 0);
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Registering SDLZ driver '%s'", drivername);
+
+	/*
+	 * Allocate memory for a sdlz_implementation object.  Error if
+	 * we cannot.
+	 */
+	imp = isc_mem_get(mctx, sizeof(dns_sdlzimplementation_t));
+	if (imp == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* Make sure memory region is set to all 0's */
+	memset(imp, 0, sizeof(dns_sdlzimplementation_t));
+
+	/* Store the data passed into this method */
+	imp->methods = methods;
+	imp->driverarg = driverarg;
+	imp->flags = flags;
+	imp->mctx = NULL;
+
+	/* attach the new sdlz_implementation object to a memory context */
+	isc_mem_attach(mctx, &imp->mctx);
+
+	/*
+	 * initialize the driver lock, error if we cannot
+	 * (used if a driver does not support multiple threads)
+	 */
+	result = isc_mutex_init(&imp->driverlock);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_mutex_init() failed: %s",
+				 isc_result_totext(result));
+		goto cleanup_mctx;
+	}
+
+	imp->dlz_imp = NULL;
+
+	/*
+	 * register the DLZ driver.  Pass in our "extra" sdlz information as
+	 * a driverarg.  (that's why we stored the passed in driver arg in our
+	 * sdlz_implementation structure)  Also, store the dlz_implementation
+	 * structure in our sdlz_implementation.
+	 */
+	result = dns_dlzregister(drivername, &sdlzmethods, imp, mctx,
+				 &imp->dlz_imp);
+
+	/* if registration fails, cleanup and get outta here. */
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutex;
+
+	*sdlzimp = imp;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_mutex:
+	/* destroy the driver lock, we don't need it anymore */
+	DESTROYLOCK(&imp->driverlock);
+
+ cleanup_mctx:
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
+	isc_mem_detach(&mctx);
+	return (result);
+}
+
+void
+dns_sdlzunregister(dns_sdlzimplementation_t **sdlzimp) {
+	dns_sdlzimplementation_t *imp;
+	isc_mem_t *mctx;
+
+	/* Write debugging message to log */
+	sdlz_log(ISC_LOG_DEBUG(2), "Unregistering SDLZ driver.");
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(sdlzimp != NULL && *sdlzimp != NULL);
+
+	imp = *sdlzimp;
+
+	/* Unregister the DLZ driver implementation */
+	dns_dlzunregister(&imp->dlz_imp);
+
+	/* destroy the driver lock, we don't need it anymore */
+	DESTROYLOCK(&imp->driverlock);
+
+	mctx = imp->mctx;
+
+	/*
+	 * return the memory back to the available memory pool and
+	 * remove it from the memory context.
+	 */
+	isc_mem_put(mctx, imp, sizeof(dns_sdlzimplementation_t));
+	isc_mem_detach(&mctx);
+
+	*sdlzimp = NULL;
+}
+
+
+isc_result_t
+dns_sdlz_setdb(dns_dlzdb_t *dlzdatabase, dns_rdataclass_t rdclass,
+	       dns_name_t *name, dns_db_t **dbp)
+{
+	isc_result_t result;
+
+	result = dns_sdlzcreateDBP(dlzdatabase->mctx,
+				   dlzdatabase->implementation->driverarg,
+				   dlzdatabase->dbdata, name, rdclass, dbp);
+	return (result);
+}
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
new file mode 100644
index 0000000..9be3467
--- /dev/null
+++ b/lib/dns/soa.c
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/soa.h>
+
+static inline uint32_t
+decode_uint32(unsigned char *p) {
+	return ((p[0] << 24) +
+		(p[1] << 16) +
+		(p[2] <<  8) +
+		(p[3] <<  0));
+}
+
+static inline void
+encode_uint32(uint32_t val, unsigned char *p) {
+	p[0] = (uint8_t)(val >> 24);
+	p[1] = (uint8_t)(val >> 16);
+	p[2] = (uint8_t)(val >>  8);
+	p[3] = (uint8_t)(val >>  0);
+}
+
+static uint32_t
+soa_get(dns_rdata_t *rdata, int offset) {
+	INSIST(rdata->type == dns_rdatatype_soa);
+	/*
+	 * Locate the field within the SOA RDATA based
+	 * on its position relative to the end of the data.
+	 *
+	 * This is a bit of a kludge, but the alternative approach of
+	 * using dns_rdata_tostruct() and dns_rdata_fromstruct() would
+	 * involve a lot of unnecessary work (like building domain
+	 * names and allocating temporary memory) when all we really
+	 * want to do is to get 32 bits of fixed-sized data.
+	 */
+	INSIST(rdata->length >= 20);
+	INSIST(offset >= 0 && offset <= 16);
+	return (decode_uint32(rdata->data + rdata->length - 20 + offset));
+}
+
+isc_result_t
+dns_soa_buildrdata(dns_name_t *origin, dns_name_t *contact,
+		   dns_rdataclass_t rdclass,
+		   uint32_t serial, uint32_t refresh,
+		   uint32_t retry, uint32_t expire,
+		   uint32_t minimum, unsigned char *buffer,
+		   dns_rdata_t *rdata) {
+	dns_rdata_soa_t soa;
+	isc_buffer_t rdatabuf;
+
+	REQUIRE(origin != NULL);
+	REQUIRE(contact != NULL);
+
+	memset(buffer, 0, DNS_SOA_BUFFERSIZE);
+	isc_buffer_init(&rdatabuf, buffer, DNS_SOA_BUFFERSIZE);
+
+	soa.common.rdtype = dns_rdatatype_soa;
+	soa.common.rdclass = rdclass;
+	soa.mctx = NULL;
+	soa.serial = serial;
+	soa.refresh = refresh;
+	soa.retry = retry;
+	soa.expire = expire;
+	soa.minimum = minimum;
+	dns_name_init(&soa.origin, NULL);
+	dns_name_clone(origin, &soa.origin);
+	dns_name_init(&soa.contact, NULL);
+	dns_name_clone(contact, &soa.contact);
+
+	return (dns_rdata_fromstruct(rdata, rdclass, dns_rdatatype_soa,
+				      &soa, &rdatabuf));
+}
+
+uint32_t
+dns_soa_getserial(dns_rdata_t *rdata) {
+	return soa_get(rdata, 0);
+}
+uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata) {
+	return soa_get(rdata, 4);
+}
+uint32_t
+dns_soa_getretry(dns_rdata_t *rdata) {
+	return soa_get(rdata, 8);
+}
+uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata) {
+	return soa_get(rdata, 12);
+}
+uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata) {
+	return soa_get(rdata, 16);
+}
+
+static void
+soa_set(dns_rdata_t *rdata, uint32_t val, int offset) {
+	INSIST(rdata->type == dns_rdatatype_soa);
+	INSIST(rdata->length >= 20);
+	INSIST(offset >= 0 && offset <= 16);
+	encode_uint32(val, rdata->data + rdata->length - 20 + offset);
+}
+
+void
+dns_soa_setserial(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 0);
+}
+void
+dns_soa_setrefresh(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 4);
+}
+void
+dns_soa_setretry(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 8);
+}
+void
+dns_soa_setexpire(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 12);
+}
+void
+dns_soa_setminimum(uint32_t val, dns_rdata_t *rdata) {
+	soa_set(rdata, val, 16);
+}
diff --git a/lib/dns/spnego.asn1 b/lib/dns/spnego.asn1
new file mode 100644
index 0000000..abf9b76
--- /dev/null
+++ b/lib/dns/spnego.asn1
@@ -0,0 +1,50 @@
+-- Copyright (C) The Internet Society 2005.  This version of
+-- this module is part of RFC 4178; see the RFC itself for
+-- full legal notices.
+
+-- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
+
+-- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
+-- to get the Heimdal ASN.1 compiler to accept it.
+
+SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
+
+MechType ::= OBJECT IDENTIFIER
+
+MechTypeList ::= SEQUENCE OF MechType
+
+ContextFlags ::= BIT STRING {
+    delegFlag       (0),
+    mutualFlag      (1),
+    replayFlag      (2),
+    sequenceFlag    (3),
+    anonFlag        (4),
+    confFlag        (5),
+    integFlag       (6)
+}
+
+NegTokenInit ::= SEQUENCE {
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags  OPTIONAL,
+    mechToken       [2] OCTET STRING  OPTIONAL,
+    mechListMIC     [3] OCTET STRING  OPTIONAL
+}
+
+NegTokenResp ::= SEQUENCE {
+    negState       [0] ENUMERATED {
+	accept-completed    (0),
+	accept-incomplete   (1),
+	reject              (2),
+	request-mic         (3)
+    }                                 OPTIONAL,
+    supportedMech   [1] MechType      OPTIONAL,
+    responseToken   [2] OCTET STRING  OPTIONAL,
+    mechListMIC     [3] OCTET STRING  OPTIONAL
+}
+
+NegotiationToken ::= CHOICE {
+    negTokenInit    [0] NegTokenInit,
+    negTokenResp    [1] NegTokenResp
+}
+
+END
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
new file mode 100644
index 0000000..ad77f24
--- /dev/null
+++ b/lib/dns/spnego.c
@@ -0,0 +1,1825 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * \brief
+ * Portable SPNEGO implementation.
+ *
+ * This is part of a portable implementation of the SPNEGO protocol
+ * (RFCs 2478 and 4178).  This implementation uses the RFC 4178 ASN.1
+ * module but is not a full implementation of the RFC 4178 protocol;
+ * at the moment, we only support GSS-TSIG with Kerberos
+ * authentication, so we only need enough of the SPNEGO protocol to
+ * support that.
+ *
+ * The files that make up this portable SPNEGO implementation are:
+ * \li	spnego.c	(this file)
+ * \li	spnego.h	(API SPNEGO exports to the rest of lib/dns)
+ * \li	spnego.asn1	(SPNEGO ASN.1 module)
+ * \li	spnego_asn1.c	(routines generated from spngo.asn1)
+ * \li	spnego_asn1.pl	(perl script to generate spnego_asn1.c)
+ *
+ * Everything but the functions exported in spnego.h is static, to
+ * avoid possible conflicts with other libraries (particularly Heimdal,
+ * since much of this code comes from Heimdal by way of mod_auth_kerb).
+ *
+ * spnego_asn1.c is shipped as part of lib/dns because generating it
+ * requires both Perl and the Heimdal ASN.1 compiler.  See
+ * spnego_asn1.pl for further details.  We've tried to eliminate all
+ * compiler warnings from the generated code, but you may see a few
+ * when using a compiler version we haven't tested yet.
+ */
+
+/*
+ * Portions of this code were derived from mod_auth_kerb and Heimdal.
+ * These packages are available from:
+ *
+ *   http://modauthkerb.sourceforge.net/
+ *   http://www.pdc.kth.se/heimdal/
+ *
+ * and were released under the following licenses:
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 2004 Masarykova universita
+ * (Masaryk University, Brno, Czech Republic)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the University nor the names of its contributors may
+ *    be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
+ * but this will keep it from generating errors until that's written.
+ */
+
+#ifdef GSSAPI
+
+/*
+ * XXXSRA Some of the following files are almost certainly unnecessary,
+ * but using this list (borrowed from gssapictx.c) gets rid of some
+ * whacky compilation errors when building with MSVC and should be
+ * harmless in any case.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+/*
+ * The API we export
+ */
+#include "spnego.h"
+
+/* asn1_err.h */
+/* Generated from ../../../lib/asn1/asn1_err.et */
+
+#ifndef ERROR_TABLE_BASE_asn1
+/* these may be brought in already via gssapi_krb5.h */
+typedef enum asn1_error_number {
+	ASN1_BAD_TIMEFORMAT = 1859794432,
+	ASN1_MISSING_FIELD = 1859794433,
+	ASN1_MISPLACED_FIELD = 1859794434,
+	ASN1_TYPE_MISMATCH = 1859794435,
+	ASN1_OVERFLOW = 1859794436,
+	ASN1_OVERRUN = 1859794437,
+	ASN1_BAD_ID = 1859794438,
+	ASN1_BAD_LENGTH = 1859794439,
+	ASN1_BAD_FORMAT = 1859794440,
+	ASN1_PARSE_ERROR = 1859794441
+} asn1_error_number;
+
+#define ERROR_TABLE_BASE_asn1 1859794432
+#endif
+
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+	size_t length;
+	void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+	size_t length;
+	unsigned *components;
+} oid;
+
+/* der.h */
+
+typedef enum {
+	ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
+	ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
+} Der_class;
+
+typedef enum {
+	PRIM = 0, CONS = 1
+} Der_type;
+
+/* Universal tags */
+
+enum {
+	UT_Boolean = 1,
+	UT_Integer = 2,
+	UT_BitString = 3,
+	UT_OctetString = 4,
+	UT_Null = 5,
+	UT_OID = 6,
+	UT_Enumerated = 10,
+	UT_Sequence = 16,
+	UT_Set = 17,
+	UT_PrintableString = 19,
+	UT_IA5String = 22,
+	UT_UTCTime = 23,
+	UT_GeneralizedTime = 24,
+	UT_VisibleString = 26,
+	UT_GeneralString = 27
+};
+
+#define ASN1_INDEFINITE 0xdce0deed
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+	       size_t * val, size_t * size);
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+		     octet_string * data, size_t * size);
+static int
+der_get_oid(const unsigned char *p, size_t len,
+	    oid * data, size_t * size);
+static int
+der_get_tag(const unsigned char *p, size_t len,
+	    Der_class * xclass, Der_type * type,
+	    int *tag, size_t * size);
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+	      Der_class xclass, Der_type type,
+	      int tag, size_t * size);
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+			 Der_class xclass, Der_type type, int tag,
+			 size_t * length_ret, size_t * size);
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+	   oid * k, size_t * size);
+
+static int
+decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size);
+
+static int
+decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *);
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+		     const octet_string * data, size_t *);
+static int
+der_put_oid(unsigned char *p, size_t len,
+	    const oid * data, size_t * size);
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
+	    int tag, size_t *);
+static int
+der_put_length_and_tag(unsigned char *, size_t, size_t,
+		       Der_class, Der_type, int, size_t *);
+
+static int
+encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *);
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+		    const octet_string * k, size_t *);
+static int
+encode_oid(unsigned char *p, size_t len,
+	   const oid * k, size_t *);
+
+static void
+free_octet_string(octet_string * k);
+
+static void
+free_oid  (oid * k);
+
+static size_t
+length_len(size_t len);
+
+static int
+fix_dce(size_t reallen, size_t * len);
+
+/*
+ * Include stuff generated by the ASN.1 compiler.
+ */
+
+#include "spnego_asn1.c"
+
+/*
+ * Force the oid arrays to be uint64_t aligned to silence warnings
+ * about the arrays not being properly aligned for (void *).
+ */
+typedef union { unsigned char b[8]; uint64_t _align; } aligned8;
+typedef union { unsigned char b[16]; uint64_t _align[2]; } aligned16;
+
+static aligned16 gss_krb5_mech_oid_bytes = {
+	{ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }
+};
+
+static gss_OID_desc gss_krb5_mech_oid_desc = {
+	9, gss_krb5_mech_oid_bytes.b
+};
+
+static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
+
+static aligned16 gss_mskrb5_mech_oid_bytes = {
+	{ 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02 }
+};
+
+static gss_OID_desc gss_mskrb5_mech_oid_desc = {
+	9, gss_mskrb5_mech_oid_bytes.b
+};
+
+static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
+
+static aligned8 gss_spnego_mech_oid_bytes = {
+	{ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 }
+};
+
+static gss_OID_desc gss_spnego_mech_oid_desc = {
+	6, gss_spnego_mech_oid_bytes.b
+};
+
+static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
+
+/* spnegokrb5_locl.h */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 *,
+			  unsigned char *,
+			  size_t,
+			  gss_buffer_t,
+			  const gss_OID);
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *,
+			  gss_buffer_t,
+			  unsigned char **,
+			  size_t *,
+			  const gss_OID);
+
+/* mod_auth_kerb.c */
+
+static int
+cmp_gss_type(gss_buffer_t token, gss_OID gssoid)
+{
+	unsigned char *p;
+	size_t len;
+
+	if (token->length == 0U)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	p = token->value;
+	if (*p++ != 0x60)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	len = *p++;
+	if (len & 0x80) {
+		if ((len & 0x7f) > 4U)
+			return (GSS_S_DEFECTIVE_TOKEN);
+		p += len & 0x7f;
+	}
+	if (*p++ != 0x06)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	if (((OM_uint32) *p++) != gssoid->length)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	return (isc_safe_memcompare(p, gssoid->elements, gssoid->length));
+}
+
+/* accept_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static OM_uint32
+code_NegTokenArg(OM_uint32 * minor_status,
+		 const NegTokenResp * resp,
+		 unsigned char **outbuf,
+		 size_t * outbuf_size)
+{
+	OM_uint32 ret;
+	u_char *buf;
+	size_t buf_size, buf_len = 0;
+
+	buf_size = 1024;
+	buf = malloc(buf_size);
+	if (buf == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	do {
+		ret = encode_NegTokenResp(buf + buf_size - 1,
+					  buf_size,
+					  resp, &buf_len);
+		if (ret == 0) {
+			size_t tmp;
+
+			ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
+						     buf_size - buf_len,
+						     buf_len,
+						     ASN1_C_CONTEXT,
+						     CONS,
+						     1,
+						     &tmp);
+			if (ret == 0)
+				buf_len += tmp;
+		}
+		if (ret) {
+			if (ret == ASN1_OVERFLOW) {
+				u_char *tmp;
+
+				buf_size *= 2;
+				tmp = realloc(buf, buf_size);
+				if (tmp == NULL) {
+					*minor_status = ENOMEM;
+					free(buf);
+					return (GSS_S_FAILURE);
+				}
+				buf = tmp;
+			} else {
+				*minor_status = ret;
+				free(buf);
+				return (GSS_S_FAILURE);
+			}
+		}
+	} while (ret == ASN1_OVERFLOW);
+
+	*outbuf = malloc(buf_len);
+	if (*outbuf == NULL) {
+		*minor_status = ENOMEM;
+		free(buf);
+		return (GSS_S_FAILURE);
+	}
+	memmove(*outbuf, buf + buf_size - buf_len, buf_len);
+	*outbuf_size = buf_len;
+
+	free(buf);
+
+	return (GSS_S_COMPLETE);
+}
+
+static OM_uint32
+send_reject(OM_uint32 * minor_status,
+	    gss_buffer_t output_token)
+{
+	NegTokenResp resp;
+	OM_uint32 ret;
+
+	resp.negState = malloc(sizeof(*resp.negState));
+	if (resp.negState == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	*(resp.negState) = reject;
+
+	resp.supportedMech = NULL;
+	resp.responseToken = NULL;
+	resp.mechListMIC = NULL;
+
+	ret = code_NegTokenArg(minor_status, &resp,
+			       (unsigned char **)&output_token->value,
+			       &output_token->length);
+	free_NegTokenResp(&resp);
+	if (ret)
+		return (ret);
+
+	return (GSS_S_BAD_MECH);
+}
+
+static OM_uint32
+send_accept(OM_uint32 * minor_status,
+	    gss_buffer_t output_token,
+	    gss_buffer_t mech_token,
+	    const gss_OID pref)
+{
+	NegTokenResp resp;
+	OM_uint32 ret;
+
+	memset(&resp, 0, sizeof(resp));
+	resp.negState = malloc(sizeof(*resp.negState));
+	if (resp.negState == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	*(resp.negState) = accept_completed;
+
+	resp.supportedMech = malloc(sizeof(*resp.supportedMech));
+	if (resp.supportedMech == NULL) {
+		free_NegTokenResp(&resp);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	ret = der_get_oid(pref->elements,
+			  pref->length,
+			  resp.supportedMech,
+			  NULL);
+	if (ret) {
+		free_NegTokenResp(&resp);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	if (mech_token != NULL && mech_token->length != 0U) {
+		resp.responseToken = malloc(sizeof(*resp.responseToken));
+		if (resp.responseToken == NULL) {
+			free_NegTokenResp(&resp);
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		resp.responseToken->length = mech_token->length;
+		resp.responseToken->data = mech_token->value;
+	}
+
+	ret = code_NegTokenArg(minor_status, &resp,
+			       (unsigned char **)&output_token->value,
+			       &output_token->length);
+	if (resp.responseToken != NULL) {
+		free(resp.responseToken);
+		resp.responseToken = NULL;
+	}
+	free_NegTokenResp(&resp);
+	if (ret)
+		return (ret);
+
+	return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_accept_sec_context_spnego(OM_uint32 *minor_status,
+			      gss_ctx_id_t *context_handle,
+			      const gss_cred_id_t acceptor_cred_handle,
+			      const gss_buffer_t input_token_buffer,
+			      const gss_channel_bindings_t input_chan_bindings,
+			      gss_name_t *src_name,
+			      gss_OID *mech_type,
+			      gss_buffer_t output_token,
+			      OM_uint32 *ret_flags,
+			      OM_uint32 *time_rec,
+			      gss_cred_id_t *delegated_cred_handle)
+{
+	NegTokenInit init_token;
+	OM_uint32 major_status = GSS_S_COMPLETE;
+	OM_uint32 minor_status2;
+	gss_buffer_desc ibuf, obuf;
+	gss_buffer_t ot = NULL;
+	gss_OID pref = GSS_KRB5_MECH;
+	unsigned char *buf;
+	size_t buf_size;
+	size_t len, taglen, ni_len;
+	int found = 0;
+	int ret;
+	unsigned i;
+
+	/*
+	 * Before doing anything else, see whether this is a SPNEGO
+	 * PDU.  If not, dispatch to the GSSAPI library and get out.
+	 */
+
+	if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
+		return (gss_accept_sec_context(minor_status,
+					       context_handle,
+					       acceptor_cred_handle,
+					       input_token_buffer,
+					       input_chan_bindings,
+					       src_name,
+					       mech_type,
+					       output_token,
+					       ret_flags,
+					       time_rec,
+					       delegated_cred_handle));
+
+	/*
+	 * If we get here, it's SPNEGO.
+	 */
+
+	memset(&init_token, 0, sizeof(init_token));
+
+	ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
+					&buf, &buf_size, GSS_SPNEGO_MECH);
+	if (ret)
+		return (ret);
+
+	ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
+				       0, &len, &taglen);
+	if (ret)
+		return (ret);
+
+	ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
+	if (ret) {
+		*minor_status = EINVAL;	/* XXX */
+		return (GSS_S_DEFECTIVE_TOKEN);
+	}
+
+	for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
+		unsigned char mechbuf[17];
+		size_t mech_len;
+
+		ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
+				  sizeof(mechbuf),
+				  &init_token.mechTypes.val[i],
+				  &mech_len);
+		if (ret) {
+			free_NegTokenInit(&init_token);
+			return (GSS_S_DEFECTIVE_TOKEN);
+		}
+		if (mech_len == GSS_KRB5_MECH->length &&
+		    isc_safe_memequal(GSS_KRB5_MECH->elements,
+				      mechbuf + sizeof(mechbuf) - mech_len,
+				      mech_len))
+		{
+			found = 1;
+			break;
+		}
+		if (mech_len == GSS_MSKRB5_MECH->length &&
+		    isc_safe_memequal(GSS_MSKRB5_MECH->elements,
+				      mechbuf + sizeof(mechbuf) - mech_len,
+				      mech_len))
+		{
+			found = 1;
+			if (i == 0)
+				pref = GSS_MSKRB5_MECH;
+			break;
+		}
+	}
+
+	if (!found) {
+		free_NegTokenInit(&init_token);
+		return (send_reject(minor_status, output_token));
+	}
+
+	if (i == 0 && init_token.mechToken != NULL) {
+		ibuf.length = init_token.mechToken->length;
+		ibuf.value = init_token.mechToken->data;
+
+		major_status = gss_accept_sec_context(minor_status,
+						      context_handle,
+						      acceptor_cred_handle,
+						      &ibuf,
+						      input_chan_bindings,
+						      src_name,
+						      mech_type,
+						      &obuf,
+						      ret_flags,
+						      time_rec,
+						      delegated_cred_handle);
+		if (GSS_ERROR(major_status)) {
+			free_NegTokenInit(&init_token);
+			send_reject(&minor_status2, output_token);
+			return (major_status);
+		}
+		ot = &obuf;
+	}
+	ret = send_accept(&minor_status2, output_token, ot, pref);
+	free_NegTokenInit(&init_token);
+	if (ot != NULL && ot->length != 0U)
+		gss_release_buffer(&minor_status2, ot);
+
+	return (ret != GSS_S_COMPLETE ? (OM_uint32) ret : major_status);
+}
+
+/* decapsulate.c */
+
+static OM_uint32
+gssapi_verify_mech_header(u_char ** str,
+			  size_t total_len,
+			  const gss_OID mech)
+{
+	size_t len, len_len, mech_len, foo;
+	int e;
+	u_char *p = *str;
+
+	if (total_len < 1U)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	if (*p++ != 0x60)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	e = der_get_length(p, total_len - 1, &len, &len_len);
+	if (e || 1 + len_len + len != total_len)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	p += len_len;
+	if (*p++ != 0x06)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	e = der_get_length(p, total_len - 1 - len_len - 1,
+			   &mech_len, &foo);
+	if (e)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	p += foo;
+	if (mech_len != mech->length)
+		return (GSS_S_BAD_MECH);
+	if (!isc_safe_memequal(p, mech->elements, mech->length))
+		return (GSS_S_BAD_MECH);
+	p += mech_len;
+	*str = p;
+	return (GSS_S_COMPLETE);
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
+ * not copy data, so just free `in_token'.
+ */
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *minor_status,
+			  gss_buffer_t input_token_buffer,
+			  unsigned char **buf,
+			  size_t *buf_len,
+			  const gss_OID mech)
+{
+	u_char *p;
+	OM_uint32 ret;
+
+	p = input_token_buffer->value;
+	ret = gssapi_verify_mech_header(&p,
+					input_token_buffer->length,
+					mech);
+	if (ret) {
+		*minor_status = ret;
+		return (GSS_S_FAILURE);
+	}
+	*buf_len = input_token_buffer->length -
+		(p - (u_char *) input_token_buffer->value);
+	*buf = p;
+	return (GSS_S_COMPLETE);
+}
+
+/* der_free.c */
+
+static void
+free_octet_string(octet_string *k)
+{
+	free(k->data);
+	k->data = NULL;
+}
+
+static void
+free_oid(oid *k)
+{
+	free(k->components);
+	k->components = NULL;
+}
+
+/* der_get.c */
+
+/*
+ * All decoding functions take a pointer `p' to first position in which to
+ * read, from the left, `len' which means the maximum number of characters we
+ * are able to read, `ret' were the value will be returned and `size' where
+ * the number of used bytes is stored. Either 0 or an error code is returned.
+ */
+
+static int
+der_get_unsigned(const unsigned char *p, size_t len,
+		 unsigned *ret, size_t *size)
+{
+	unsigned val = 0;
+	size_t oldlen = len;
+
+	while (len--)
+		val = val * 256 + *p++;
+	*ret = val;
+	if (size)
+		*size = oldlen;
+	return (0);
+}
+
+static int
+der_get_int(const unsigned char *p, size_t len,
+	    int *ret, size_t *size)
+{
+	int val = 0;
+	size_t oldlen = len;
+
+	if (len > 0U) {
+		val = (signed char)*p++;
+		while (--len)
+			val = val * 256 + *p++;
+	}
+	*ret = val;
+	if (size)
+		*size = oldlen;
+	return (0);
+}
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+	       size_t *val, size_t *size)
+{
+	size_t v;
+
+	if (len <= 0U)
+		return (ASN1_OVERRUN);
+	--len;
+	v = *p++;
+	if (v < 128U) {
+		*val = v;
+		if (size)
+			*size = 1;
+	} else {
+		int e;
+		size_t l;
+		unsigned tmp;
+
+		if (v == 0x80U) {
+			*val = ASN1_INDEFINITE;
+			if (size)
+				*size = 1;
+			return (0);
+		}
+		v &= 0x7F;
+		if (len < v)
+			return (ASN1_OVERRUN);
+		e = der_get_unsigned(p, v, &tmp, &l);
+		if (e)
+			return (e);
+		*val = tmp;
+		if (size)
+			*size = l + 1;
+	}
+	return (0);
+}
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+		     octet_string *data, size_t *size)
+{
+	data->length = len;
+	if (len != 0U) {
+		data->data = malloc(len);
+		if (data->data == NULL)
+			return (ENOMEM);
+		memmove(data->data, p, len);
+	} else
+		data->data = NULL;
+	if (size)
+		*size = len;
+	return (0);
+}
+
+static int
+der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+	int n;
+	size_t oldlen = len;
+
+	data->components = NULL;
+	data->length = 0;
+	if (len < 1U) {
+		return (ASN1_OVERRUN);
+	}
+
+	data->components = malloc(len * sizeof(*data->components));
+	if (data->components == NULL) {
+		return (ENOMEM);
+	}
+	data->components[0] = (*p) / 40;
+	data->components[1] = (*p) % 40;
+	--len;
+	++p;
+	for (n = 2; len > 0U; ++n) {
+		unsigned u = 0;
+
+		do {
+			--len;
+			u = u * 128 + (*p++ % 128);
+		} while (len > 0U && p[-1] & 0x80);
+		data->components[n] = u;
+	}
+	if (p[-1] & 0x80) {
+		free_oid(data);
+		return (ASN1_OVERRUN);
+	}
+	data->length = n;
+	if (size) {
+		*size = oldlen;
+	}
+	return (0);
+}
+
+static int
+der_get_tag(const unsigned char *p, size_t len,
+	    Der_class *xclass, Der_type *type,
+	    int *tag, size_t *size)
+{
+	if (len < 1U)
+		return (ASN1_OVERRUN);
+	*xclass = (Der_class) (((*p) >> 6) & 0x03);
+	*type = (Der_type) (((*p) >> 5) & 0x01);
+	*tag = (*p) & 0x1F;
+	if (size)
+		*size = 1;
+	return (0);
+}
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+	      Der_class xclass, Der_type type,
+	      int tag, size_t *size)
+{
+	size_t l;
+	Der_class thisclass;
+	Der_type thistype;
+	int thistag;
+	int e;
+
+	e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
+	if (e)
+		return (e);
+	if (xclass != thisclass || type != thistype)
+		return (ASN1_BAD_ID);
+	if (tag > thistag)
+		return (ASN1_MISPLACED_FIELD);
+	if (tag < thistag)
+		return (ASN1_MISSING_FIELD);
+	if (size)
+		*size = l;
+	return (0);
+}
+
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+			 Der_class xclass, Der_type type, int tag,
+			 size_t *length_ret, size_t *size)
+{
+	size_t l, ret = 0;
+	int e;
+
+	e = der_match_tag(p, len, xclass, type, tag, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_length(p, len, length_ret, &l);
+	if (e)
+		return (e);
+	/* p += l; */
+	len -= l;
+	POST(len);
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_enumerated(const unsigned char *p, size_t len, void *num, size_t *size)
+{
+	size_t ret = 0;
+	size_t l, reallen;
+	int e;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_length(p, len, &reallen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_int(p, reallen, num, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_octet_string(const unsigned char *p, size_t len,
+		    octet_string *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+	size_t slen;
+
+	k->data = NULL;
+	k->length = 0;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+
+	e = der_get_length(p, len, &slen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (len < slen)
+		return (ASN1_OVERRUN);
+
+	e = der_get_octet_string(p, slen, k, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+	   oid *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+	size_t slen;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+
+	e = der_get_length(p, len, &slen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (len < slen)
+		return (ASN1_OVERRUN);
+
+	e = der_get_oid(p, slen, k, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+fix_dce(size_t reallen, size_t *len)
+{
+	if (reallen == ASN1_INDEFINITE)
+		return (1);
+	if (*len < reallen)
+		return (-1);
+	*len = reallen;
+	return (0);
+}
+
+/* der_length.c */
+
+static size_t
+len_unsigned(unsigned val)
+{
+	size_t ret = 0;
+
+	do {
+		++ret;
+		val /= 256;
+	} while (val);
+	return (ret);
+}
+
+static size_t
+length_len(size_t len)
+{
+	if (len < 128U)
+		return (1);
+	else
+		return (len_unsigned((unsigned int)len) + 1);
+}
+
+
+/* der_put.c */
+
+/*
+ * All encoding functions take a pointer `p' to first position in which to
+ * write, from the right, `len' which means the maximum number of characters
+ * we are able to write.  The function returns the number of characters
+ * written in `size' (if non-NULL). The return value is 0 or an error.
+ */
+
+static int
+der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
+{
+	unsigned char *base = p;
+
+	if (val) {
+		while (len > 0U && val) {
+			*p-- = val % 256;
+			val /= 256;
+			--len;
+		}
+		if (val != 0)
+			return (ASN1_OVERFLOW);
+		else {
+			*size = base - p;
+			return (0);
+		}
+	} else if (len < 1U)
+		return (ASN1_OVERFLOW);
+	else {
+		*p = 0;
+		*size = 1;
+		return (0);
+	}
+}
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *size)
+{
+	unsigned char *base = p;
+
+	if (val >= 0) {
+		do {
+			if (len < 1U)
+				return (ASN1_OVERFLOW);
+			*p-- = val % 256;
+			len--;
+			val /= 256;
+		} while (val);
+		if (p[1] >= 128) {
+			if (len < 1U)
+				return (ASN1_OVERFLOW);
+			*p-- = 0;
+			len--;
+			POST(len);
+		}
+	} else {
+		val = ~val;
+		do {
+			if (len < 1U)
+				return (ASN1_OVERFLOW);
+			*p-- = ~(val % 256);
+			len--;
+			val /= 256;
+		} while (val);
+		if (p[1] < 128) {
+			if (len < 1U)
+				return (ASN1_OVERFLOW);
+			*p-- = 0xff;
+			len--;
+			POST(len);
+		}
+	}
+	*size = base - p;
+	return (0);
+}
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
+{
+	if (len < 1U)
+		return (ASN1_OVERFLOW);
+	if (val < 128U) {
+		*p = (unsigned char)val;
+		*size = 1;
+		return (0);
+	} else {
+		size_t l;
+		int e;
+
+		e = der_put_unsigned(p, len - 1, (unsigned int)val, &l);
+		if (e)
+			return (e);
+		p -= l;
+		*p = 0x80 | (unsigned char)l;
+		*size = l + 1;
+		return (0);
+	}
+}
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+		     const octet_string *data, size_t *size)
+{
+	if (len < data->length)
+		return (ASN1_OVERFLOW);
+	p -= data->length;
+	len -= data->length;
+	POST(len);
+	memmove(p + 1, data->data, data->length);
+	*size = data->length;
+	return (0);
+}
+
+static int
+der_put_oid(unsigned char *p, size_t len,
+	    const oid *data, size_t *size)
+{
+	unsigned char *base = p;
+	size_t n;
+
+	for (n = data->length; n >= 3u; --n) {
+		unsigned	u = data->components[n - 1];
+
+		if (len < 1U)
+			return (ASN1_OVERFLOW);
+		*p-- = u % 128;
+		u /= 128;
+		--len;
+		while (u > 0) {
+			if (len < 1U)
+				return (ASN1_OVERFLOW);
+			*p-- = 128 + u % 128;
+			u /= 128;
+			--len;
+		}
+	}
+	if (len < 1U)
+		return (ASN1_OVERFLOW);
+	*p-- = 40 * data->components[0] + data->components[1];
+	*size = base - p;
+	return (0);
+}
+
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
+	    int tag, size_t *size)
+{
+	if (len < 1U)
+		return (ASN1_OVERFLOW);
+	*p = (xclass << 6) | (type << 5) | tag;	/* XXX */
+	*size = 1;
+	return (0);
+}
+
+static int
+der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
+		       Der_class xclass, Der_type type, int tag, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_length(p, len, len_val, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_tag(p, len, xclass, type, tag, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_enumerated(unsigned char *p, size_t len, const void *data, size_t *size)
+{
+	unsigned num = *(const unsigned *)data;
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_int(p, len, num, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+		    const octet_string *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_octet_string(p, len, k, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_oid(unsigned char *p, size_t len,
+	   const oid *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_oid(p, len, k, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	POST(p); POST(len);
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+
+/* encapsulate.c */
+
+static void
+gssapi_encap_length(size_t data_len,
+		    size_t *len,
+		    size_t *total_len,
+		    const gss_OID mech)
+{
+	size_t len_len;
+
+	*len = 1 + 1 + mech->length + data_len;
+
+	len_len = length_len(*len);
+
+	*total_len = 1 + len_len + *len;
+}
+
+static u_char *
+gssapi_mech_make_header(u_char *p,
+			size_t len,
+			const gss_OID mech)
+{
+	int e;
+	size_t len_len, foo;
+
+	*p++ = 0x60;
+	len_len = length_len(len);
+	e = der_put_length(p + len_len - 1, len_len, len, &foo);
+	if (e || foo != len_len)
+		return (NULL);
+	p += len_len;
+	*p++ = 0x06;
+	*p++ = mech->length;
+	memmove(p, mech->elements, mech->length);
+	p += mech->length;
+	return (p);
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 * minor_status,
+			  unsigned char *buf,
+			  size_t buf_size,
+			  gss_buffer_t output_token,
+			  const gss_OID mech)
+{
+	size_t len, outer_len;
+	u_char *p;
+
+	gssapi_encap_length(buf_size, &len, &outer_len, mech);
+
+	output_token->length = outer_len;
+	output_token->value = malloc(outer_len);
+	if (output_token->value == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	p = gssapi_mech_make_header(output_token->value, len, mech);
+	if (p == NULL) {
+		if (output_token->length != 0U)
+			gss_release_buffer(minor_status, output_token);
+		return (GSS_S_FAILURE);
+	}
+	memmove(p, buf, buf_size);
+	return (GSS_S_COMPLETE);
+}
+
+/* init_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static int
+add_mech(MechTypeList * mech_list, gss_OID mech)
+{
+	MechType *tmp;
+	int ret;
+
+	tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
+	if (tmp == NULL)
+		return (ENOMEM);
+	mech_list->val = tmp;
+
+	ret = der_get_oid(mech->elements, mech->length,
+			  &mech_list->val[mech_list->len], NULL);
+	if (ret)
+		return (ret);
+
+	mech_list->len++;
+	return (0);
+}
+
+/*
+ * return the length of the mechanism in token or -1
+ * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
+ */
+
+static ssize_t
+gssapi_krb5_get_mech(const u_char *ptr,
+		     size_t total_len,
+		     const u_char **mech_ret)
+{
+	size_t len, len_len, mech_len, foo;
+	const u_char *p = ptr;
+	int e;
+
+	if (total_len < 1U)
+		return (-1);
+	if (*p++ != 0x60)
+		return (-1);
+	e = der_get_length (p, total_len - 1, &len, &len_len);
+	if (e || 1 + len_len + len != total_len)
+		return (-1);
+	p += len_len;
+	if (*p++ != 0x06)
+		return (-1);
+	e = der_get_length (p, total_len - 1 - len_len - 1,
+			    &mech_len, &foo);
+	if (e)
+		return (-1);
+	p += foo;
+	*mech_ret = p;
+	return (mech_len);
+}
+
+static OM_uint32
+spnego_initial(OM_uint32 *minor_status,
+	       const gss_cred_id_t initiator_cred_handle,
+	       gss_ctx_id_t *context_handle,
+	       const gss_name_t target_name,
+	       const gss_OID mech_type,
+	       OM_uint32 req_flags,
+	       OM_uint32 time_req,
+	       const gss_channel_bindings_t input_chan_bindings,
+	       const gss_buffer_t input_token,
+	       gss_OID *actual_mech_type,
+	       gss_buffer_t output_token,
+	       OM_uint32 *ret_flags,
+	       OM_uint32 *time_rec)
+{
+	NegTokenInit token_init;
+	OM_uint32 major_status, minor_status2;
+	gss_buffer_desc	krb5_output_token = GSS_C_EMPTY_BUFFER;
+	unsigned char *buf = NULL;
+	size_t buf_size;
+	size_t len;
+	int ret;
+
+	(void)mech_type;
+
+	memset(&token_init, 0, sizeof(token_init));
+
+	ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
+	if (ret) {
+		*minor_status = ret;
+		ret = GSS_S_FAILURE;
+		goto end;
+	}
+
+	major_status = gss_init_sec_context(minor_status,
+					    initiator_cred_handle,
+					    context_handle,
+					    target_name,
+					    GSS_KRB5_MECH,
+					    req_flags,
+					    time_req,
+					    input_chan_bindings,
+					    input_token,
+					    actual_mech_type,
+					    &krb5_output_token,
+					    ret_flags,
+					    time_rec);
+	if (GSS_ERROR(major_status)) {
+		ret = major_status;
+		goto end;
+	}
+	if (krb5_output_token.length > 0U) {
+		token_init.mechToken = malloc(sizeof(*token_init.mechToken));
+		if (token_init.mechToken == NULL) {
+			*minor_status = ENOMEM;
+			ret = GSS_S_FAILURE;
+			goto end;
+		}
+		token_init.mechToken->data = krb5_output_token.value;
+		token_init.mechToken->length = krb5_output_token.length;
+	}
+	/*
+	 * The MS implementation of SPNEGO seems to not like the mechListMIC
+	 * field, so we omit it (it's optional anyway)
+	 */
+
+	buf_size = 1024;
+	buf = malloc(buf_size);
+	if (buf == NULL) {
+		*minor_status = ENOMEM;
+		ret = GSS_S_FAILURE;
+		goto end;
+	}
+
+	do {
+		ret = encode_NegTokenInit(buf + buf_size - 1,
+					  buf_size,
+					  &token_init, &len);
+		if (ret == 0) {
+			size_t tmp;
+
+			ret = der_put_length_and_tag(buf + buf_size - len - 1,
+						     buf_size - len,
+						     len,
+						     ASN1_C_CONTEXT,
+						     CONS,
+						     0,
+						     &tmp);
+			if (ret == 0)
+				len += tmp;
+		}
+		if (ret) {
+			if (ret == ASN1_OVERFLOW) {
+				u_char *tmp;
+
+				buf_size *= 2;
+				tmp = realloc(buf, buf_size);
+				if (tmp == NULL) {
+					*minor_status = ENOMEM;
+					ret = GSS_S_FAILURE;
+					goto end;
+				}
+				buf = tmp;
+			} else {
+				*minor_status = ret;
+				ret = GSS_S_FAILURE;
+				goto end;
+			}
+		}
+	} while (ret == ASN1_OVERFLOW);
+
+	ret = gssapi_spnego_encapsulate(minor_status,
+					buf + buf_size - len, len,
+					output_token, GSS_SPNEGO_MECH);
+	if (ret == GSS_S_COMPLETE)
+		ret = major_status;
+
+end:
+	if (token_init.mechToken != NULL) {
+		free(token_init.mechToken);
+		token_init.mechToken = NULL;
+	}
+	free_NegTokenInit(&token_init);
+	if (krb5_output_token.length != 0U)
+		gss_release_buffer(&minor_status2, &krb5_output_token);
+	if (buf)
+		free(buf);
+
+	return (ret);
+}
+
+static OM_uint32
+spnego_reply(OM_uint32 *minor_status,
+	     const gss_cred_id_t initiator_cred_handle,
+	     gss_ctx_id_t *context_handle,
+	     const gss_name_t target_name,
+	     const gss_OID mech_type,
+	     OM_uint32 req_flags,
+	     OM_uint32 time_req,
+	     const gss_channel_bindings_t input_chan_bindings,
+	     const gss_buffer_t input_token,
+	     gss_OID *actual_mech_type,
+	     gss_buffer_t output_token,
+	     OM_uint32 *ret_flags,
+	     OM_uint32 *time_rec)
+{
+	OM_uint32 ret;
+	NegTokenResp resp;
+	unsigned char *buf;
+	size_t buf_size;
+	u_char oidbuf[17];
+	size_t oidlen;
+	gss_buffer_desc sub_token;
+	ssize_t mech_len;
+	const u_char *p;
+	size_t len, taglen;
+
+	(void)mech_type;
+
+	output_token->length = 0;
+	output_token->value  = NULL;
+
+	/*
+	 * SPNEGO doesn't include gss wrapping on SubsequentContextToken
+	 * like the Kerberos 5 mech does. But lets check for it anyway.
+	 */
+
+	mech_len = gssapi_krb5_get_mech(input_token->value,
+					input_token->length,
+					&p);
+
+	if (mech_len < 0) {
+		buf = input_token->value;
+		buf_size = input_token->length;
+	} else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
+		   isc_safe_memequal(GSS_KRB5_MECH->elements, p, mech_len))
+		return (gss_init_sec_context(minor_status,
+					     initiator_cred_handle,
+					     context_handle,
+					     target_name,
+					     GSS_KRB5_MECH,
+					     req_flags,
+					     time_req,
+					     input_chan_bindings,
+					     input_token,
+					     actual_mech_type,
+					     output_token,
+					     ret_flags,
+					     time_rec));
+	else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
+		 isc_safe_memequal(GSS_SPNEGO_MECH->elements, p, mech_len)) {
+		ret = gssapi_spnego_decapsulate(minor_status,
+						input_token,
+						&buf,
+						&buf_size,
+						GSS_SPNEGO_MECH);
+		if (ret)
+			return (ret);
+	} else
+		return (GSS_S_BAD_MECH);
+
+	ret = der_match_tag_and_length(buf, buf_size,
+				       ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+	if (ret)
+		return (ret);
+
+	if(len > buf_size - taglen)
+		return (ASN1_OVERRUN);
+
+	ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
+	if (ret) {
+		free_NegTokenResp(&resp);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+
+	if (resp.negState == NULL ||
+	    *(resp.negState) == reject ||
+	    resp.supportedMech == NULL) {
+		free_NegTokenResp(&resp);
+		return (GSS_S_BAD_MECH);
+	}
+
+	ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
+			  sizeof(oidbuf),
+			  resp.supportedMech,
+			  &oidlen);
+	if (ret || oidlen != GSS_KRB5_MECH->length ||
+	    !isc_safe_memequal(oidbuf + sizeof(oidbuf) - oidlen,
+			      GSS_KRB5_MECH->elements, oidlen))
+	{
+		free_NegTokenResp(&resp);
+		return GSS_S_BAD_MECH;
+	}
+
+	if (resp.responseToken != NULL) {
+		sub_token.length = resp.responseToken->length;
+		sub_token.value  = resp.responseToken->data;
+	} else {
+		sub_token.length = 0;
+		sub_token.value  = NULL;
+	}
+
+	ret = gss_init_sec_context(minor_status,
+				   initiator_cred_handle,
+				   context_handle,
+				   target_name,
+				   GSS_KRB5_MECH,
+				   req_flags,
+				   time_req,
+				   input_chan_bindings,
+				   &sub_token,
+				   actual_mech_type,
+				   output_token,
+				   ret_flags,
+				   time_rec);
+	if (ret) {
+		free_NegTokenResp(&resp);
+		return (ret);
+	}
+
+	/*
+	 * XXXSRA I don't think this limited implementation ever needs
+	 * to check the MIC -- our preferred mechanism (Kerberos)
+	 * authenticates its own messages and is the only mechanism
+	 * we'll accept, so if the mechanism negotiation completes
+	 * successfully, we don't need the MIC.  See RFC 4178.
+	 */
+
+	free_NegTokenResp(&resp);
+	return (ret);
+}
+
+
+
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *minor_status,
+			    const gss_cred_id_t initiator_cred_handle,
+			    gss_ctx_id_t *context_handle,
+			    const gss_name_t target_name,
+			    const gss_OID mech_type,
+			    OM_uint32 req_flags,
+			    OM_uint32 time_req,
+			    const gss_channel_bindings_t input_chan_bindings,
+			    const gss_buffer_t input_token,
+			    gss_OID *actual_mech_type,
+			    gss_buffer_t output_token,
+			    OM_uint32 *ret_flags,
+			    OM_uint32 *time_rec)
+{
+	/* Dirty trick to suppress compiler warnings */
+
+	/* Figure out whether we're starting over or processing a reply */
+
+	if (input_token == GSS_C_NO_BUFFER || input_token->length == 0U)
+		return (spnego_initial(minor_status,
+				       initiator_cred_handle,
+				       context_handle,
+				       target_name,
+				       mech_type,
+				       req_flags,
+				       time_req,
+				       input_chan_bindings,
+				       input_token,
+				       actual_mech_type,
+				       output_token,
+				       ret_flags,
+				       time_rec));
+	else
+		return (spnego_reply(minor_status,
+				     initiator_cred_handle,
+				     context_handle,
+				     target_name,
+				     mech_type,
+				     req_flags,
+				     time_req,
+				     input_chan_bindings,
+				     input_token,
+				     actual_mech_type,
+				     output_token,
+				     ret_flags,
+				     time_rec));
+}
+
+#endif /* GSSAPI */
diff --git a/lib/dns/spnego.h b/lib/dns/spnego.h
new file mode 100644
index 0000000..3118720
--- /dev/null
+++ b/lib/dns/spnego.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * Entry points into portable SPNEGO implementation.
+ * See spnego.c for information on the SPNEGO implementation itself.
+ */
+
+#ifndef _SPNEGO_H_
+#define _SPNEGO_H_
+
+/*%
+ * Wrapper for GSSAPI gss_init_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library.  Takes arguments identical to the standard GSSAPI
+ * function, uses standard gss_init_sec_context() to handle
+ * everything inside the SPNEGO wrapper.
+ */
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *,
+			    const gss_cred_id_t,
+			    gss_ctx_id_t *,
+			    const gss_name_t,
+			    const gss_OID,
+			    OM_uint32,
+			    OM_uint32,
+			    const gss_channel_bindings_t,
+			    const gss_buffer_t,
+			    gss_OID *,
+			    gss_buffer_t,
+			    OM_uint32 *,
+			    OM_uint32 *);
+
+/*%
+ * Wrapper for GSSAPI gss_accept_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library.  Takes arguments identical to the standard GSSAPI
+ * function.  Checks the OID of the input token to see if it's SPNEGO;
+ * if so, processes it, otherwise hands the call off to the standard
+ * gss_accept_sec_context() function.
+ */
+OM_uint32 gss_accept_sec_context_spnego(OM_uint32 *,
+					gss_ctx_id_t *,
+					const gss_cred_id_t,
+					const gss_buffer_t,
+					const gss_channel_bindings_t,
+					gss_name_t *,
+					gss_OID *,
+					gss_buffer_t,
+					OM_uint32 *,
+					OM_uint32 *,
+					gss_cred_id_t *);
+
+
+#endif
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
new file mode 100644
index 0000000..6fbce55
--- /dev/null
+++ b/lib/dns/spnego_asn1.c
@@ -0,0 +1,862 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details.  Do not edit.
+ */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+#ifndef __asn1_h__
+#define __asn1_h__
+
+
+#ifndef __asn1_common_definitions__
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+	size_t length;
+	void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+	size_t length;
+	unsigned *components;
+} oid;
+
+#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
+  do {                                                         \
+    (BL) = length_##T((S));                                    \
+    (B) = malloc((BL));                                        \
+    if((B) == NULL) {                                          \
+      (R) = ENOMEM;                                            \
+    } else {                                                   \
+      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
+		       (S), (L));                              \
+      if((R) != 0) {                                           \
+	free((B));                                             \
+	(B) = NULL;                                            \
+      }                                                        \
+    }                                                          \
+  } while (0)
+
+#endif
+
+/*
+ * MechType ::= OBJECT IDENTIFIER
+ */
+
+typedef oid MechType;
+
+static int encode_MechType(unsigned char *, size_t, const MechType *, size_t *);
+static int decode_MechType(const unsigned char *, size_t, MechType *, size_t *);
+static void free_MechType(MechType *);
+/* unused declaration: length_MechType */
+/* unused declaration: copy_MechType */
+
+
+/*
+ * MechTypeList ::= SEQUENCE OF MechType
+ */
+
+typedef struct MechTypeList {
+	unsigned int len;
+	MechType *val;
+} MechTypeList;
+
+static int encode_MechTypeList(unsigned char *, size_t, const MechTypeList *, size_t *);
+static int decode_MechTypeList(const unsigned char *, size_t, MechTypeList *, size_t *);
+static void free_MechTypeList(MechTypeList *);
+/* unused declaration: length_MechTypeList */
+/* unused declaration: copy_MechTypeList */
+
+
+/*
+ * ContextFlags ::= BIT STRING { delegFlag(0), mutualFlag(1), replayFlag(2),
+ * sequenceFlag(3), anonFlag(4), confFlag(5), integFlag(6) }
+ */
+
+typedef struct ContextFlags {
+	unsigned int delegFlag:1;
+	unsigned int mutualFlag:1;
+	unsigned int replayFlag:1;
+	unsigned int sequenceFlag:1;
+	unsigned int anonFlag:1;
+	unsigned int confFlag:1;
+	unsigned int integFlag:1;
+} ContextFlags;
+
+
+static int encode_ContextFlags(unsigned char *, size_t, const ContextFlags *, size_t *);
+static int decode_ContextFlags(const unsigned char *, size_t, ContextFlags *, size_t *);
+static void free_ContextFlags(ContextFlags *);
+/* unused declaration: length_ContextFlags */
+/* unused declaration: copy_ContextFlags */
+/* unused declaration: ContextFlags2int */
+/* unused declaration: int2ContextFlags */
+/* unused declaration: asn1_ContextFlags_units */
+
+/*
+ * NegTokenInit ::= SEQUENCE { mechTypes[0]    MechTypeList, reqFlags[1]
+ * ContextFlags OPTIONAL, mechToken[2]    OCTET STRING OPTIONAL,
+ * mechListMIC[3]  OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenInit {
+	MechTypeList mechTypes;
+	ContextFlags *reqFlags;
+	octet_string *mechToken;
+	octet_string *mechListMIC;
+} NegTokenInit;
+
+static int encode_NegTokenInit(unsigned char *, size_t, const NegTokenInit *, size_t *);
+static int decode_NegTokenInit(const unsigned char *, size_t, NegTokenInit *, size_t *);
+static void free_NegTokenInit(NegTokenInit *);
+/* unused declaration: length_NegTokenInit */
+/* unused declaration: copy_NegTokenInit */
+
+
+/*
+ * NegTokenResp ::= SEQUENCE { negState[0]       ENUMERATED {
+ * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3) }
+ * OPTIONAL, supportedMech[1]  MechType OPTIONAL, responseToken[2]  OCTET
+ * STRING OPTIONAL, mechListMIC[3]    OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenResp {
+	enum {
+		accept_completed = 0,
+		accept_incomplete = 1,
+		reject = 2,
+		request_mic = 3
+	} *negState;
+
+	MechType *supportedMech;
+	octet_string *responseToken;
+	octet_string *mechListMIC;
+} NegTokenResp;
+
+static int encode_NegTokenResp(unsigned char *, size_t, const NegTokenResp *, size_t *);
+static int decode_NegTokenResp(const unsigned char *, size_t, NegTokenResp *, size_t *);
+static void free_NegTokenResp(NegTokenResp *);
+/* unused declaration: length_NegTokenResp */
+/* unused declaration: copy_NegTokenResp */
+
+
+
+
+#endif				/* __asn1_h__ */
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l; POST(p); POST(len); POST(ret)
+
+static int
+encode_MechType(unsigned char *p, size_t len, const MechType * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = encode_oid(p, len, data, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l; POST(p); POST(len); POST(ret)
+
+static int
+decode_MechType(const unsigned char *p, size_t len, MechType * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	e = decode_oid(p, len, data, &l);
+	FORW;
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_MechType(data);
+	return e;
+}
+
+static void
+free_MechType(MechType * data)
+{
+	free_oid(data);
+}
+
+/* unused function: length_MechType */
+
+
+/* unused function: copy_MechType */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+static int
+encode_MechTypeList(unsigned char *p, size_t len, const MechTypeList * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	for (i = (data)->len - 1; i >= 0; --i) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_MechType(p, len, &(data)->val[i], &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+static int
+decode_MechTypeList(const unsigned char *p, size_t len, MechTypeList * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	if (len < reallen)
+		return ASN1_OVERRUN;
+	len = reallen;
+	{
+		size_t origlen = len;
+		size_t oldret = ret;
+		ret = 0;
+		(data)->len = 0;
+		(data)->val = NULL;
+		while (ret < origlen) {
+			void *old = (data)->val;
+			(data)->len++;
+			(data)->val = realloc((data)->val, sizeof(*((data)->val)) * (data)->len);
+			if ((data)->val == NULL) {
+				(data)->val = old;
+				(data)->len--;
+				return ENOMEM;
+			}
+			e = decode_MechType(p, len, &(data)->val[(data)->len - 1], &l);
+			FORW;
+			len = origlen - ret;
+		}
+		ret += oldret;
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_MechTypeList(data);
+	return e;
+}
+
+static void
+free_MechTypeList(MechTypeList * data)
+{
+	while ((data)->len) {
+		free_MechType(&(data)->val[(data)->len - 1]);
+		(data)->len--;
+	}
+	free((data)->val);
+	(data)->val = NULL;
+}
+
+/* unused function: length_MechTypeList */
+
+
+/* unused function: copy_MechTypeList */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+static int
+encode_ContextFlags(unsigned char *p, size_t len, const ContextFlags * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	{
+		unsigned char c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		if (data->integFlag)
+			c |= 1 << 1;
+		if (data->confFlag)
+			c |= 1 << 2;
+		if (data->anonFlag)
+			c |= 1 << 3;
+		if (data->sequenceFlag)
+			c |= 1 << 4;
+		if (data->replayFlag)
+			c |= 1 << 5;
+		if (data->mutualFlag)
+			c |= 1 << 6;
+		if (data->delegFlag)
+			c |= 1 << 7;
+		*p-- = c;
+		*p-- = 0;
+		len -= 2;
+		ret += 2;
+	}
+
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, PRIM, UT_BitString, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+static int
+decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, PRIM, UT_BitString, &reallen, &l);
+	FORW;
+	if (len < reallen)
+		return ASN1_OVERRUN;
+	p++;
+	len--;
+	POST(len);
+	reallen--;
+	ret++;
+	data->delegFlag = (*p >> 7) & 1;
+	data->mutualFlag = (*p >> 6) & 1;
+	data->replayFlag = (*p >> 5) & 1;
+	data->sequenceFlag = (*p >> 4) & 1;
+	data->anonFlag = (*p >> 3) & 1;
+	data->confFlag = (*p >> 2) & 1;
+	data->integFlag = (*p >> 1) & 1;
+	ret += reallen;
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_ContextFlags(data);
+	return e;
+}
+
+static void
+free_ContextFlags(ContextFlags * data)
+{
+	(void)data;
+}
+
+/* unused function: length_ContextFlags */
+
+
+/* unused function: copy_ContextFlags */
+
+
+/* unused function: ContextFlags2int */
+
+
+/* unused function: int2ContextFlags */
+
+
+/* unused variable: ContextFlags_units */
+
+/* unused function: asn1_ContextFlags_units */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+static int
+encode_NegTokenInit(unsigned char *p, size_t len, const NegTokenInit * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	if ((data)->mechListMIC) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->mechToken) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechToken, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->reqFlags) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_ContextFlags(p, len, (data)->reqFlags, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+		BACK;
+		ret += oldret;
+	} {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_MechTypeList(p, len, &(data)->mechTypes, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+static int
+decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	{
+		int dce_fix;
+		if ((dce_fix = fix_dce(reallen, &len)) < 0)
+			return ASN1_BAD_FORMAT;
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+			if (e)
+				return e;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+			if (e)
+				(data)->reqFlags = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
+					if ((data)->reqFlags == NULL)
+						return ENOMEM;
+					e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+			if (e)
+				(data)->mechToken = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechToken = malloc(sizeof(*(data)->mechToken));
+					if ((data)->mechToken == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechToken, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+			if (e)
+				(data)->mechListMIC = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+					if ((data)->mechListMIC == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		if (dce_fix) {
+			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+			FORW;
+		}
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_NegTokenInit(data);
+	return e;
+}
+
+static void
+free_NegTokenInit(NegTokenInit * data)
+{
+	free_MechTypeList(&(data)->mechTypes);
+	if ((data)->reqFlags) {
+		free_ContextFlags((data)->reqFlags);
+		free((data)->reqFlags);
+		(data)->reqFlags = NULL;
+	}
+	if ((data)->mechToken) {
+		free_octet_string((data)->mechToken);
+		free((data)->mechToken);
+		(data)->mechToken = NULL;
+	}
+	if ((data)->mechListMIC) {
+		free_octet_string((data)->mechListMIC);
+		free((data)->mechListMIC);
+		(data)->mechListMIC = NULL;
+	}
+}
+
+/* unused function: length_NegTokenInit */
+
+
+/* unused function: copy_NegTokenInit */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+static int
+encode_NegTokenResp(unsigned char *p, size_t len, const NegTokenResp * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	if ((data)->mechListMIC) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->responseToken) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->responseToken, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->supportedMech) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_MechType(p, len, (data)->supportedMech, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->negState) {
+		size_t oldret = ret;
+		ret = 0;
+		e = encode_enumerated(p, len, (data)->negState, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+static int
+decode_NegTokenResp(const unsigned char *p, size_t len, NegTokenResp * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	{
+		int dce_fix;
+		if ((dce_fix = fix_dce(reallen, &len)) < 0)
+			return ASN1_BAD_FORMAT;
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+			if (e)
+				(data)->negState = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->negState = malloc(sizeof(*(data)->negState));
+					if ((data)->negState == NULL)
+						return ENOMEM;
+					e = decode_enumerated(p, len, (data)->negState, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+			if (e)
+				(data)->supportedMech = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->supportedMech = malloc(sizeof(*(data)->supportedMech));
+					if ((data)->supportedMech == NULL)
+						return ENOMEM;
+					e = decode_MechType(p, len, (data)->supportedMech, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+			if (e)
+				(data)->responseToken = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->responseToken = malloc(sizeof(*(data)->responseToken));
+					if ((data)->responseToken == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->responseToken, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+			if (e)
+				(data)->mechListMIC = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int mydce_fix;
+					oldlen = len;
+					if ((mydce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+					if ((data)->mechListMIC == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+					FORW;
+					if (mydce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		if (dce_fix) {
+			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+			FORW;
+		}
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_NegTokenResp(data);
+	return e;
+}
+
+static void
+free_NegTokenResp(NegTokenResp * data)
+{
+	if ((data)->negState) {
+		free((data)->negState);
+		(data)->negState = NULL;
+	}
+	if ((data)->supportedMech) {
+		free_MechType((data)->supportedMech);
+		free((data)->supportedMech);
+		(data)->supportedMech = NULL;
+	}
+	if ((data)->responseToken) {
+		free_octet_string((data)->responseToken);
+		free((data)->responseToken);
+		(data)->responseToken = NULL;
+	}
+	if ((data)->mechListMIC) {
+		free_octet_string((data)->mechListMIC);
+		free((data)->mechListMIC);
+		(data)->mechListMIC = NULL;
+	}
+}
+
+/* unused function: length_NegTokenResp */
+
+
+/* unused function: copy_NegTokenResp */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+/* CHOICE */
+/* unused variable: asn1_NegotiationToken_dummy_holder */
diff --git a/lib/dns/spnego_asn1.pl b/lib/dns/spnego_asn1.pl
new file mode 100644
index 0000000..66f7b73
--- /dev/null
+++ b/lib/dns/spnego_asn1.pl
@@ -0,0 +1,193 @@
+#!/bin/bin/perl -w
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Our SPNEGO implementation uses some functions generated by the
+# Heimdal ASN.1 compiler, which this script then whacks a bit to make
+# them work properly in this stripped down implementation.  We don't
+# want to require our users to have a copy of the compiler, so we ship
+# the output of this script, but we need to keep the script around in
+# any case to cope with future changes to the SPNEGO ASN.1 code, so we
+# might as well supply the script for users who want it.
+
+# Overall plan: run the ASN.1 compiler, run each of its output files
+# through indent, fix up symbols and whack everything to be static.
+# We use indent for two reasons: (1) to whack the Heimdal compiler's
+# output into something closer to ISC's coding standard, and (2) to
+# make it easier for this script to parse the result.
+
+# Output from this script is C code which we expect to be #included
+# into another C file, which is why everything generated by this
+# script is marked "static".  The intent is to minimize the number of
+# extern symbols exported by the SPNEGO implementation, to avoid
+# potential conflicts with the GSSAPI libraries.
+
+###
+
+# Filename of the ASN.1 specification.  Hardcoded for the moment
+# since this script is intended for compiling exactly one module.
+
+my $asn1_source = $ENV{ASN1_SOURCE} || "spnego.asn1";
+
+# Heimdal ASN.1 compiler.  This script was written using the version
+# from Heimdal 0.7.1.  To build this, download a copy of
+# heimdal-0.7.1.tar.gz, configure and build with the default options,
+# then look for the compiler in heimdal-0.7.1/lib/asn1/asn1_compile.
+
+my $asn1_compile = $ENV{ASN1_COMPILE} || "asn1_compile";
+
+# BSD indent program.  This script was written using the version of
+# indent that comes with FreeBSD 4.11-STABLE.  The GNU project, as
+# usual, couldn't resist the temptation to monkey with indent's
+# command line syntax, so this probably won't work with GNU indent.
+
+my $indent = $ENV{INDENT} || "indent";
+
+###
+
+# Step 1: run the compiler.  Input is the ASN.1 file.  Outputs are a
+# header file (name specified on command line without the .h suffix),
+# a file called "asn1_files" listing the names of the other output
+# files, and a set of files containing C code generated by the
+# compiler for each data type that the compiler found.
+
+if (! -r $asn1_source || system($asn1_compile, $asn1_source, "asn1")) {
+    die("Couldn't compile ASN.1 source file $asn1_source\n");
+}
+
+my @files = ("asn1.h");
+
+open(F, "asn1_files")
+    or die("Couldn't open asn1_files: $!\n");
+push(@files, split)
+    while (<F>);
+close(F);
+
+unlink("asn1_files");
+
+###
+
+# Step 2: generate header block.
+
+print(q~/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details.  Do not edit.
+ */
+
+~);
+
+###
+
+# Step 3: read and process each generated file, then delete it.
+
+my $output;
+
+for my $file (@files) {
+
+    my $is_static = 0;
+
+    system($indent, "-di1", "-ldi1", $file) == 0
+	or die("Couldn't indent $file");
+
+    unlink("$file.BAK");
+
+    open(F, $file)
+	or die("Couldn't open $file: $!");
+
+    while (<F>) {
+
+	# Symbol name fixups
+
+	s/heim_general_string/general_string/g;
+	s/heim_octet_string/octet_string/g;
+	s/heim_oid/oid/g;
+	s/heim_utf8_string/utf8_string/g;
+
+	# Convert all externs to statics
+
+	if (/^static/) {
+	    $is_static = 1;
+	}
+
+	if (!/^typedef/ &&
+	    !$is_static &&
+	    /^[A-Za-z_][0-9A-Za-z_]*[ \t]*($|[^:0-9A-Za-z_])/) {
+	    $_ = "static " . $_;
+	    $is_static = 1;
+	}
+
+	if (/[{};]/) {
+	    $is_static = 0;
+	}
+
+	# Suppress file inclusion, pass anything else through
+
+	if (!/#include/) {
+	    $output .= $_;
+	}
+    }
+
+    close(F);
+    unlink($file);
+}
+
+# Step 4: Delete unused stuff to avoid code bloat and compiler warnings.
+
+my @unused_functions = qw(ContextFlags2int
+			  int2ContextFlags
+			  asn1_ContextFlags_units
+			  length_NegTokenInit
+			  copy_NegTokenInit
+			  length_NegTokenResp
+			  copy_NegTokenResp
+			  length_MechTypeList
+			  length_MechType
+			  copy_MechTypeList
+			  length_ContextFlags
+			  copy_ContextFlags
+			  copy_MechType);
+
+$output =~ s<^static [^\n]+\n$_\(.+?^}></* unused function: $_ */\n>ms
+    foreach (@unused_functions);
+
+$output =~ s<^static .+$_\(.*\);$></* unused declaration: $_ */>m
+    foreach (@unused_functions);
+
+$output =~ s<^static struct units ContextFlags_units\[\].+?^};>
+            </* unused variable: ContextFlags_units */>ms;
+
+$output =~ s<^static int asn1_NegotiationToken_dummy_holder = 1;>
+            </* unused variable: asn1_NegotiationToken_dummy_holder */>ms;
+
+$output =~ s<^static void\nfree_ContextFlags\(ContextFlags \* data\)\n{\n>
+            <$&\t(void)data;\n>ms;
+
+# Step 5: Write the result.
+
+print($output);
+
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
new file mode 100644
index 0000000..71ded66
--- /dev/null
+++ b/lib/dns/ssu.c
@@ -0,0 +1,711 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ssu.h>
+
+#include <dst/gssapi.h>
+#include <dst/dst.h>
+
+#define SSUTABLEMAGIC		ISC_MAGIC('S', 'S', 'U', 'T')
+#define VALID_SSUTABLE(table)	ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
+
+#define SSURULEMAGIC		ISC_MAGIC('S', 'S', 'U', 'R')
+#define VALID_SSURULE(table)	ISC_MAGIC_VALID(table, SSURULEMAGIC)
+
+struct dns_ssurule {
+	unsigned int magic;
+	bool grant;	/*%< is this a grant or a deny? */
+	unsigned int matchtype;	/*%< which type of pattern match? */
+	dns_name_t *identity;	/*%< the identity to match */
+	dns_name_t *name;	/*%< the name being updated */
+	unsigned int ntypes;	/*%< number of data types covered */
+	dns_rdatatype_t *types;	/*%< the data types.  Can include ANY, */
+				/*%< defaults to all but SIG,SOA,NS if NULL */
+	ISC_LINK(dns_ssurule_t) link;
+};
+
+struct dns_ssutable {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	unsigned int references;
+	isc_mutex_t lock;
+	dns_dlzdb_t *dlzdatabase;
+	ISC_LIST(dns_ssurule_t) rules;
+};
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
+	isc_result_t result;
+	dns_ssutable_t *table;
+
+	REQUIRE(tablep != NULL && *tablep == NULL);
+	REQUIRE(mctx != NULL);
+
+	table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
+	if (table == NULL)
+		return (ISC_R_NOMEMORY);
+	result = isc_mutex_init(&table->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
+		return (result);
+	}
+	table->references = 1;
+	table->mctx = NULL;
+	isc_mem_attach(mctx, &table->mctx);
+	ISC_LIST_INIT(table->rules);
+	table->magic = SSUTABLEMAGIC;
+	*tablep = table;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+destroy(dns_ssutable_t *table) {
+	isc_mem_t *mctx;
+
+	REQUIRE(VALID_SSUTABLE(table));
+
+	mctx = table->mctx;
+	while (!ISC_LIST_EMPTY(table->rules)) {
+		dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
+		if (rule->identity != NULL) {
+			dns_name_free(rule->identity, mctx);
+			isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+		}
+		if (rule->name != NULL) {
+			dns_name_free(rule->name, mctx);
+			isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+		}
+		if (rule->types != NULL)
+			isc_mem_put(mctx, rule->types,
+				    rule->ntypes * sizeof(dns_rdatatype_t));
+		ISC_LIST_UNLINK(table->rules, rule, link);
+		rule->magic = 0;
+		isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+	}
+	DESTROYLOCK(&table->lock);
+	table->magic = 0;
+	isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
+}
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
+	REQUIRE(VALID_SSUTABLE(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references != 0);
+
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep) {
+	dns_ssutable_t *table;
+	bool done = false;
+
+	REQUIRE(tablep != NULL);
+	table = *tablep;
+	REQUIRE(VALID_SSUTABLE(table));
+
+	LOCK(&table->lock);
+
+	INSIST(table->references > 0);
+	if (--table->references == 0)
+		done = true;
+	UNLOCK(&table->lock);
+
+	*tablep = NULL;
+
+	if (done)
+		destroy(table);
+}
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
+		     dns_name_t *identity, unsigned int matchtype,
+		     dns_name_t *name, unsigned int ntypes,
+		     dns_rdatatype_t *types)
+{
+	dns_ssurule_t *rule;
+	isc_mem_t *mctx;
+	isc_result_t result;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(dns_name_isabsolute(identity));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(matchtype <= DNS_SSUMATCHTYPE_MAX);
+	if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
+		REQUIRE(dns_name_iswildcard(name));
+	if (ntypes > 0)
+		REQUIRE(types != NULL);
+
+	mctx = table->mctx;
+	rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
+	if (rule == NULL)
+		return (ISC_R_NOMEMORY);
+
+	rule->identity = NULL;
+	rule->name = NULL;
+	rule->types = NULL;
+
+	rule->grant = grant;
+
+	rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
+	if (rule->identity == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+	dns_name_init(rule->identity, NULL);
+	result = dns_name_dup(identity, mctx, rule->identity);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
+	if (rule->name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+	dns_name_init(rule->name, NULL);
+	result = dns_name_dup(name, mctx, rule->name);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	rule->matchtype = matchtype;
+
+	rule->ntypes = ntypes;
+	if (ntypes > 0) {
+		rule->types = isc_mem_get(mctx,
+					  ntypes * sizeof(dns_rdatatype_t));
+		if (rule->types == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		memmove(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
+	} else
+		rule->types = NULL;
+
+	rule->magic = SSURULEMAGIC;
+	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (rule->identity != NULL) {
+		if (dns_name_dynamic(rule->identity))
+			dns_name_free(rule->identity, mctx);
+		isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+	}
+	if (rule->name != NULL) {
+		if (dns_name_dynamic(rule->name))
+			dns_name_free(rule->name, mctx);
+		isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+	}
+	if (rule->types != NULL)
+		isc_mem_put(mctx, rule->types,
+			    ntypes * sizeof(dns_rdatatype_t));
+	isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+
+	return (result);
+}
+
+static inline bool
+isusertype(dns_rdatatype_t type) {
+	return (type != dns_rdatatype_ns &&
+		type != dns_rdatatype_soa &&
+		type != dns_rdatatype_rrsig);
+}
+
+static void
+reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) {
+	char buf[16 * 4 + sizeof("IP6.ARPA.")];
+	isc_result_t result;
+	unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch (tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
+					   (l >> 0) & 0xff, (l >> 8) & 0xff,
+					   (l >> 16) & 0xff, (l >> 24) & 0xff);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "IP6.ARPA.",
+					   ap[15] & 0x0f, (ap[15] >> 4) & 0x0f,
+					   ap[14] & 0x0f, (ap[14] >> 4) & 0x0f,
+					   ap[13] & 0x0f, (ap[13] >> 4) & 0x0f,
+					   ap[12] & 0x0f, (ap[12] >> 4) & 0x0f,
+					   ap[11] & 0x0f, (ap[11] >> 4) & 0x0f,
+					   ap[10] & 0x0f, (ap[10] >> 4) & 0x0f,
+					   ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
+					   ap[8] & 0x0f, (ap[8] >> 4) & 0x0f,
+					   ap[7] & 0x0f, (ap[7] >> 4) & 0x0f,
+					   ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
+					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
+					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
+					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
+					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
+					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+static void
+stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
+	char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
+	isc_result_t result;
+	unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch(tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
+					   "2.0.0.2.IP6.ARPA.",
+					   l & 0xf, (l >> 4) & 0xf,
+					   (l >> 8) & 0xf, (l >> 12) & 0xf,
+					   (l >> 16) & 0xf, (l >> 20) & 0xf,
+					   (l >> 24) & 0xf, (l >> 28) & 0xf);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.IP6.ARPA.",
+					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
+					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
+					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
+					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
+					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+bool
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, isc_netaddr_t *addr,
+			dns_rdatatype_t type, const dst_key_t *key)
+{
+	return (dns_ssutable_checkrules2
+		(table, signer, name, addr,
+		 addr == NULL ? false : true,
+		 NULL, type, key));
+}
+
+bool
+dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
+			 dns_name_t *name, isc_netaddr_t *addr,
+			 bool tcp, const dns_aclenv_t *env,
+			 dns_rdatatype_t type, const dst_key_t *key)
+{
+	dns_ssurule_t *rule;
+	unsigned int i;
+	dns_fixedname_t fixed;
+	dns_name_t *wildcard;
+	dns_name_t *tcpself;
+	dns_name_t *stfself;
+	isc_result_t result;
+	int match;
+
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(addr == NULL || env != NULL);
+
+	if (signer == NULL && addr == NULL)
+		return (false);
+
+	for (rule = ISC_LIST_HEAD(table->rules);
+	     rule != NULL;
+	     rule = ISC_LIST_NEXT(rule, link))
+	{
+		switch (rule->matchtype) {
+		case DNS_SSUMATCHTYPE_NAME:
+		case DNS_SSUMATCHTYPE_LOCAL:
+		case DNS_SSUMATCHTYPE_SUBDOMAIN:
+		case DNS_SSUMATCHTYPE_WILDCARD:
+		case DNS_SSUMATCHTYPE_SELF:
+		case DNS_SSUMATCHTYPE_SELFSUB:
+		case DNS_SSUMATCHTYPE_SELFWILD:
+			if (signer == NULL)
+				continue;
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(signer,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(signer, rule->identity))
+					continue;
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_selfsubkrb5:
+		case dns_ssumatchtype_selfsubms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_subdomainms:
+			if (signer == NULL)
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_TCPSELF:
+		case DNS_SSUMATCHTYPE_6TO4SELF:
+			if (!tcp || addr == NULL)
+				continue;
+			break;
+		}
+
+		switch (rule->matchtype) {
+		case DNS_SSUMATCHTYPE_NAME:
+			if (!dns_name_equal(name, rule->name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SUBDOMAIN:
+			if (!dns_name_issubdomain(name, rule->name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_LOCAL:
+			if (addr == NULL) {
+				continue;
+			}
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			dns_acl_match(addr, NULL, env->localhost,
+				      NULL, &match, NULL);
+			if (match == 0) {
+				if (signer != NULL) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_SSU,
+						      ISC_LOG_WARNING,
+						      "update-policy local: "
+						      "match on session "
+						      "key not from "
+						      "localhost");
+				}
+				continue;
+			}
+			break;
+		case DNS_SSUMATCHTYPE_WILDCARD:
+			if (!dns_name_matcheswildcard(name, rule->name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SELF:
+			if (!dns_name_equal(signer, name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SELFSUB:
+			if (!dns_name_issubdomain(name, signer))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SELFWILD:
+			wildcard = dns_fixedname_initname(&fixed);
+			result = dns_name_concatenate(dns_wildcardname, signer,
+						      wildcard, NULL);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (!dns_name_matcheswildcard(name, wildcard))
+				continue;
+			break;
+		case dns_ssumatchtype_selfkrb5:
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
+								rule->identity,
+								false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfms:
+			if (dst_gssapi_identitymatchesrealmms(signer, name,
+							      rule->identity,
+							      false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubkrb5:
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, name,
+								rule->identity,
+								true))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_selfsubms:
+			if (dst_gssapi_identitymatchesrealmms(signer, name,
+							      rule->identity,
+							      true))
+				break;
+			continue;
+		case dns_ssumatchtype_subdomainkrb5:
+			if (!dns_name_issubdomain(name, rule->name))
+				continue;
+			if (dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
+								rule->identity,
+								false))
+			{
+				break;
+			}
+			continue;
+		case dns_ssumatchtype_subdomainms:
+			if (!dns_name_issubdomain(name, rule->name))
+				continue;
+			if (dst_gssapi_identitymatchesrealmms(signer, NULL,
+							      rule->identity,
+							      false))
+			{
+				break;
+			}
+			continue;
+		case DNS_SSUMATCHTYPE_TCPSELF:
+			tcpself = dns_fixedname_initname(&fixed);
+			reverse_from_address(tcpself, addr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(tcpself,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(tcpself, rule->identity))
+					continue;
+			}
+			if (!dns_name_equal(tcpself, name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_6TO4SELF:
+			stfself = dns_fixedname_initname(&fixed);
+			stf_from_address(stfself, addr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(stfself,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(stfself, rule->identity))
+					continue;
+			}
+			if (!dns_name_equal(stfself, name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_EXTERNAL:
+			if (!dns_ssu_external_match(rule->identity, signer,
+						    name, addr, type, key,
+						    table->mctx))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_DLZ:
+			if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
+					      name, addr, type, key))
+				continue;
+			break;
+		}
+
+		if (rule->ntypes == 0) {
+			/*
+			 * If this is a DLZ rule, then the DLZ ssu
+			 * checks will have already checked
+			 * the type.
+			 */
+			if (rule->matchtype != DNS_SSUMATCHTYPE_DLZ &&
+			    !isusertype(type))
+				continue;
+		} else {
+			for (i = 0; i < rule->ntypes; i++) {
+				if (rule->types[i] == dns_rdatatype_any ||
+				    rule->types[i] == type)
+					break;
+			}
+			if (i == rule->ntypes)
+				continue;
+		}
+		return (rule->grant);
+	}
+
+	return (false);
+}
+
+bool
+dns_ssurule_isgrant(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->grant);
+}
+
+dns_name_t *
+dns_ssurule_identity(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->identity);
+}
+
+unsigned int
+dns_ssurule_matchtype(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->matchtype);
+}
+
+dns_name_t *
+dns_ssurule_name(const dns_ssurule_t *rule) {
+	REQUIRE(VALID_SSURULE(rule));
+	return (rule->name);
+}
+
+unsigned int
+dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
+	REQUIRE(VALID_SSURULE(rule));
+	REQUIRE(types != NULL && *types != NULL);
+	*types = rule->types;
+	return (rule->ntypes);
+}
+
+isc_result_t
+dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
+	REQUIRE(VALID_SSUTABLE(table));
+	REQUIRE(rule != NULL && *rule == NULL);
+	*rule = ISC_LIST_HEAD(table->rules);
+	return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
+	REQUIRE(VALID_SSURULE(rule));
+	REQUIRE(nextrule != NULL && *nextrule == NULL);
+	*nextrule = ISC_LIST_NEXT(rule, link);
+	return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+/*
+ * Create a specialised SSU table that points at an external DLZ database
+ */
+isc_result_t
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+		       dns_dlzdb_t *dlzdatabase)
+{
+	isc_result_t result;
+	dns_ssurule_t *rule;
+	dns_ssutable_t *table = NULL;
+
+	REQUIRE(tablep != NULL && *tablep == NULL);
+
+	result = dns_ssutable_create(mctx, &table);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	table->dlzdatabase = dlzdatabase;
+
+	rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
+	if (rule == NULL) {
+		dns_ssutable_detach(&table);
+		return (ISC_R_NOMEMORY);
+	}
+
+	rule->identity = NULL;
+	rule->name = NULL;
+	rule->types = NULL;
+	rule->grant = true;
+	rule->matchtype = DNS_SSUMATCHTYPE_DLZ;
+	rule->ntypes = 0;
+	rule->types = NULL;
+	rule->magic = SSURULEMAGIC;
+
+	ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+	*tablep = table;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
+
+	REQUIRE(str != NULL);
+	REQUIRE(mtype != NULL);
+
+	if (strcasecmp(str, "name") == 0) {
+		*mtype = dns_ssumatchtype_name;
+	} else if (strcasecmp(str, "subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "wildcard") == 0) {
+		*mtype = dns_ssumatchtype_wildcard;
+	} else if (strcasecmp(str, "self") == 0) {
+		*mtype = dns_ssumatchtype_self;
+	} else if (strcasecmp(str, "selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsub;
+	} else if (strcasecmp(str, "selfwild") == 0) {
+		*mtype = dns_ssumatchtype_selfwild;
+	} else if (strcasecmp(str, "ms-self") == 0) {
+		*mtype = dns_ssumatchtype_selfms;
+	} else if (strcasecmp(str, "ms-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubms;
+	} else if (strcasecmp(str, "krb5-self") == 0) {
+		*mtype = dns_ssumatchtype_selfkrb5;
+	} else if (strcasecmp(str, "krb5-selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsubkrb5;
+	} else if (strcasecmp(str, "ms-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainms;
+	} else if (strcasecmp(str, "krb5-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainkrb5;
+	} else if (strcasecmp(str, "tcp-self") == 0) {
+		*mtype = dns_ssumatchtype_tcpself;
+	} else if (strcasecmp(str, "6to4-self") == 0) {
+		*mtype = dns_ssumatchtype_6to4self;
+	} else if (strcasecmp(str, "zonesub") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "external") == 0) {
+		*mtype = dns_ssumatchtype_external;
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/ssu_external.c b/lib/dns/ssu_external.c
new file mode 100644
index 0000000..a1b638e
--- /dev/null
+++ b/lib/dns/ssu_external.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This implements external update-policy rules.  This allows permission
+ * to update a zone to be checked by consulting an external daemon (e.g.,
+ * kerberos).
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/socket.h>
+#include <sys/un.h>
+#endif
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/strerror.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ssu.h>
+#include <dns/log.h>
+#include <dns/rdatatype.h>
+
+#include <dst/dst.h>
+
+
+static void
+ssu_e_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_SECURITY,
+		       DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
+
+
+/*
+ * Connect to a UNIX domain socket.
+ */
+static int
+ux_socket_connect(const char *path) {
+	int fd = -1;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	struct sockaddr_un addr;
+
+	REQUIRE(path != NULL);
+
+	if (strlen(path) > sizeof(addr.sun_path)) {
+		ssu_e_log(3, "ssu_external: socket path '%s' "
+			     "longer than system maximum %u",
+			  path, sizeof(addr.sun_path));
+		return (-1);
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sun_family = AF_UNIX;
+	strlcpy(addr.sun_path, path, sizeof(addr.sun_path));
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to create socket - %s",
+			  strbuf);
+		return (-1);
+	}
+
+	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to connect to "
+			     "socket '%s' - %s",
+			  path, strbuf);
+		close(fd);
+		return (-1);
+	}
+#endif
+	return (fd);
+}
+
+/* Change this version if you update the format of the request */
+#define SSU_EXTERNAL_VERSION 1
+
+/*
+ * Perform an update-policy rule check against an external application
+ * over a socket.
+ *
+ * This currently only supports local: for unix domain datagram sockets.
+ *
+ * Note that by using a datagram socket and creating a new socket each
+ * time we avoid the need for locking and allow for parallel access to
+ * the authorization server.
+ */
+bool
+dns_ssu_external_match(dns_name_t *identity,
+		       dns_name_t *signer, dns_name_t *name,
+		       isc_netaddr_t *tcpaddr, dns_rdatatype_t type,
+		       const dst_key_t *key, isc_mem_t *mctx)
+{
+	char b_identity[DNS_NAME_FORMATSIZE];
+	char b_signer[DNS_NAME_FORMATSIZE];
+	char b_name[DNS_NAME_FORMATSIZE];
+	char b_addr[ISC_NETADDR_FORMATSIZE];
+	char b_type[DNS_RDATATYPE_FORMATSIZE];
+	char b_key[DST_KEY_FORMATSIZE];
+	isc_buffer_t *tkey_token = NULL;
+	int fd;
+	const char *sock_path;
+	unsigned int req_len;
+	isc_region_t token_region = {NULL, 0};
+	unsigned char *data;
+	isc_buffer_t buf;
+	uint32_t token_len = 0;
+	uint32_t reply;
+	ssize_t ret;
+
+	/* The identity contains local:/path/to/socket */
+	dns_name_format(identity, b_identity, sizeof(b_identity));
+
+	/* For now only local: is supported */
+	if (strncmp(b_identity, "local:", 6) != 0) {
+		ssu_e_log(3, "ssu_external: invalid socket path '%s'",
+			  b_identity);
+		return (false);
+	}
+	sock_path = &b_identity[6];
+
+	fd = ux_socket_connect(sock_path);
+	if (fd == -1)
+		return (false);
+
+	if (key != NULL) {
+		dst_key_format(key, b_key, sizeof(b_key));
+		tkey_token = dst_key_tkeytoken(key);
+	} else
+		b_key[0] = 0;
+
+	if (tkey_token != NULL) {
+		isc_buffer_region(tkey_token, &token_region);
+		token_len = token_region.length;
+	}
+
+	/* Format the request elements */
+	if (signer != NULL)
+		dns_name_format(signer, b_signer, sizeof(b_signer));
+	else
+		b_signer[0] = 0;
+
+	dns_name_format(name, b_name, sizeof(b_name));
+
+	if (tcpaddr != NULL)
+		isc_netaddr_format(tcpaddr, b_addr, sizeof(b_addr));
+	else
+		b_addr[0] = 0;
+
+	dns_rdatatype_format(type, b_type, sizeof(b_type));
+
+	/* Work out how big the request will be */
+	req_len = sizeof(uint32_t)     + /* Format version */
+		  sizeof(uint32_t)     + /* Length */
+		  strlen(b_signer) + 1 + /* Signer */
+		  strlen(b_name) + 1   + /* Name */
+		  strlen(b_addr) + 1   + /* Address */
+		  strlen(b_type) + 1   + /* Type */
+		  strlen(b_key) + 1    + /* Key */
+		  sizeof(uint32_t)     + /* tkey_token length */
+		  token_len;             /* tkey_token */
+
+
+	/* format the buffer */
+	data = isc_mem_allocate(mctx, req_len);
+	if (data == NULL) {
+		close(fd);
+		return (false);
+	}
+
+	isc_buffer_init(&buf, data, req_len);
+	isc_buffer_putuint32(&buf, SSU_EXTERNAL_VERSION);
+	isc_buffer_putuint32(&buf, req_len);
+
+	/* Strings must be null-terminated */
+	isc_buffer_putstr(&buf, b_signer);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_name);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_addr);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_type);
+	isc_buffer_putuint8(&buf, 0);
+	isc_buffer_putstr(&buf, b_key);
+	isc_buffer_putuint8(&buf, 0);
+
+	isc_buffer_putuint32(&buf, token_len);
+	if (tkey_token && token_len != 0)
+		isc_buffer_putmem(&buf, token_region.base, token_len);
+
+	ENSURE(isc_buffer_availablelength(&buf) == 0);
+
+	/* Send the request */
+	ret = write(fd, data, req_len);
+	isc_mem_free(mctx, data);
+	if (ret != (ssize_t) req_len) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to send request - %s",
+			  strbuf);
+		close(fd);
+		return (false);
+	}
+
+	/* Receive the reply */
+	ret = read(fd, &reply, sizeof(uint32_t));
+	if (ret != (ssize_t) sizeof(uint32_t)) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		ssu_e_log(3, "ssu_external: unable to receive reply - %s",
+			  strbuf);
+		close(fd);
+		return (false);
+	}
+
+	close(fd);
+
+	reply = ntohl(reply);
+
+	if (reply == 0) {
+		ssu_e_log(3, "ssu_external: denied external auth for '%s'",
+			  b_name);
+		return (false);
+	} else if (reply == 1) {
+		ssu_e_log(3, "ssu_external: allowed external auth for '%s'",
+			  b_name);
+		return (true);
+	}
+
+	ssu_e_log(3, "ssu_external: invalid reply 0x%08x", reply);
+
+	return (false);
+}
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
new file mode 100644
index 0000000..617ed3b
--- /dev/null
+++ b/lib/dns/stats.c
@@ -0,0 +1,475 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#include <dns/opcode.h>
+#include <dns/rdatatype.h>
+#include <dns/stats.h>
+
+#define DNS_STATS_MAGIC			ISC_MAGIC('D', 's', 't', 't')
+#define DNS_STATS_VALID(x)		ISC_MAGIC_VALID(x, DNS_STATS_MAGIC)
+
+/*%
+ * Statistics types.
+ */
+typedef enum {
+	dns_statstype_general = 0,
+	dns_statstype_rdtype = 1,
+	dns_statstype_rdataset = 2,
+	dns_statstype_opcode = 3,
+	dns_statstype_rcode = 4
+} dns_statstype_t;
+
+/*%
+ * It doesn't make sense to have 2^16 counters for all possible types since
+ * most of them won't be used.  We have counters for the first 256 types and
+ * those explicitly supported in the rdata implementation.
+ * XXXJT: this introduces tight coupling with the rdata implementation.
+ * Ideally, we should have rdata handle this type of details.
+ */
+/*
+ * types, !types, nxdomain, stale types, stale !types, stale nxdomain
+ */
+enum {
+	/* For 0-255, we use the rdtype value as counter indices */
+	rdtypecounter_dlv = 256,	/* for dns_rdatatype_dlv */
+	rdtypecounter_others = 257,	/* anything else */
+	rdtypecounter_max = 258,
+	/* The following are used for rdataset */
+	rdtypenxcounter_max = rdtypecounter_max * 2,
+	rdtypecounter_nxdomain = rdtypenxcounter_max,
+	/* stale counters offset */
+	rdtypecounter_stale = rdtypecounter_nxdomain + 1,
+	rdatasettypecounter_max = rdtypecounter_stale * 2
+};
+
+struct dns_stats {
+	/*% Unlocked */
+	unsigned int	magic;
+	dns_statstype_t	type;
+	isc_mem_t	*mctx;
+	isc_mutex_t	lock;
+	isc_stats_t	*counters;
+
+	/*%  Locked by lock */
+	unsigned int	references;
+};
+
+typedef struct rdatadumparg {
+	dns_rdatatypestats_dumper_t	fn;
+	void				*arg;
+} rdatadumparg_t;
+
+typedef struct opcodedumparg {
+	dns_opcodestats_dumper_t	fn;
+	void				*arg;
+} opcodedumparg_t;
+
+typedef struct rcodedumparg {
+	dns_rcodestats_dumper_t	fn;
+	void				*arg;
+} rcodedumparg_t;
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp) {
+	REQUIRE(DNS_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	LOCK(&stats->lock);
+	stats->references++;
+	UNLOCK(&stats->lock);
+
+	*statsp = stats;
+}
+
+void
+dns_stats_detach(dns_stats_t **statsp) {
+	dns_stats_t *stats;
+
+	REQUIRE(statsp != NULL && DNS_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	LOCK(&stats->lock);
+	stats->references--;
+	UNLOCK(&stats->lock);
+
+	if (stats->references == 0) {
+		isc_stats_detach(&stats->counters);
+		DESTROYLOCK(&stats->lock);
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+/*%
+ * Create methods
+ */
+static isc_result_t
+create_stats(isc_mem_t *mctx, dns_statstype_t type, int ncounters,
+	     dns_stats_t **statsp)
+{
+	dns_stats_t *stats;
+	isc_result_t result;
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	if (stats == NULL)
+		return (ISC_R_NOMEMORY);
+
+	stats->counters = NULL;
+	stats->references = 1;
+
+	result = isc_mutex_init(&stats->lock);
+	if (result != ISC_R_SUCCESS)
+		goto clean_stats;
+
+	result = isc_stats_create(mctx, &stats->counters, ncounters);
+	if (result != ISC_R_SUCCESS)
+		goto clean_mutex;
+
+	stats->magic = DNS_STATS_MAGIC;
+	stats->type = type;
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	*statsp = stats;
+
+	return (ISC_R_SUCCESS);
+
+  clean_mutex:
+	DESTROYLOCK(&stats->lock);
+  clean_stats:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_general, ncounters, statsp));
+}
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rdtype, rdtypecounter_max,
+			     statsp));
+}
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rdataset,
+			     rdatasettypecounter_max, statsp));
+}
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_opcode, 16, statsp));
+}
+
+isc_result_t
+dns_rcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rcode,
+			     dns_rcode_badcookie + 1, statsp));
+}
+
+/*%
+ * Increment/Decrement methods
+ */
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_increment(stats->counters, counter);
+}
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type) {
+	int counter;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	if (type == dns_rdatatype_dlv)
+		counter = rdtypecounter_dlv;
+	else if (type > dns_rdatatype_any)
+		counter = rdtypecounter_others;
+	else
+		counter = (int)type;
+
+	isc_stats_increment(stats->counters, (isc_statscounter_t)counter);
+}
+
+static inline void
+update_rdatasetstats(dns_stats_t *stats, dns_rdatastatstype_t rrsettype,
+		     bool increment)
+{
+	int counter;
+	dns_rdatatype_t rdtype;
+
+	if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+	     DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0) {
+		counter = rdtypecounter_nxdomain;
+	} else {
+		rdtype = DNS_RDATASTATSTYPE_BASE(rrsettype);
+		if (rdtype == dns_rdatatype_dlv)
+			counter = (int)rdtypecounter_dlv;
+		else if (rdtype > dns_rdatatype_any)
+			counter = (int)rdtypecounter_others;
+		else
+			counter = (int)rdtype;
+
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_NXRRSET) != 0)
+			counter += rdtypecounter_max;
+	}
+
+	if (increment) {
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_STALE) != 0) {
+			isc_stats_decrement(stats->counters, counter);
+			counter += rdtypecounter_stale;
+		}
+		isc_stats_increment(stats->counters, counter);
+	} else {
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_STALE) != 0)
+			counter += rdtypecounter_stale;
+		isc_stats_decrement(stats->counters, counter);
+	}
+}
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
+{
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, true);
+}
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
+{
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, false);
+}
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	isc_stats_increment(stats->counters, (isc_statscounter_t)code);
+}
+
+void
+dns_rcodestats_increment(dns_stats_t *stats, dns_rcode_t code) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rcode);
+
+	if (code <= dns_rcode_badcookie)
+		isc_stats_increment(stats->counters, (isc_statscounter_t)code);
+}
+
+/*%
+ * Dump methods
+ */
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options)
+{
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_dump(stats->counters, (isc_stats_dumper_t)dump_fn,
+		       arg, options);
+}
+
+static void
+dump_rdentry(int rdcounter, uint64_t value, dns_rdatastatstype_t attributes,
+	     dns_rdatatypestats_dumper_t dump_fn, void * arg)
+{
+	dns_rdatatype_t rdtype = dns_rdatatype_none; /* sentinel */
+	dns_rdatastatstype_t type;
+
+	if (rdcounter == rdtypecounter_others)
+		attributes |= DNS_RDATASTATSTYPE_ATTR_OTHERTYPE;
+	else {
+		if (rdcounter == rdtypecounter_dlv)
+			rdtype = dns_rdatatype_dlv;
+		else
+			rdtype = (dns_rdatatype_t)rdcounter;
+	}
+	type = DNS_RDATASTATSTYPE_VALUE((dns_rdatastatstype_t)rdtype,
+					attributes);
+	dump_fn(type, value, arg);
+}
+
+static void
+rdatatype_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+
+	dump_rdentry(counter, value, 0, rdatadumparg->fn, rdatadumparg->arg);
+}
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg0, unsigned int options)
+{
+	rdatadumparg_t arg;
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdatatype_dumpcb, &arg, options);
+}
+
+static void
+rdataset_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+	unsigned int attributes;
+
+	if (counter < rdtypecounter_max) {
+		dump_rdentry(counter, value, 0, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	} else if (counter < rdtypecounter_nxdomain) {
+		counter -= rdtypecounter_max;
+		attributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+		dump_rdentry(counter, value, attributes, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	} else if (counter == rdtypecounter_nxdomain) {
+		dump_rdentry(0, value, DNS_RDATASTATSTYPE_ATTR_NXDOMAIN,
+			     rdatadumparg->fn, rdatadumparg->arg);
+	} else if (counter < rdtypecounter_stale + rdtypecounter_max) {
+		counter -= rdtypecounter_stale;
+		attributes = DNS_RDATASTATSTYPE_ATTR_STALE;
+		dump_rdentry(counter, value, attributes, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	} else if (counter < rdtypecounter_stale + rdtypecounter_nxdomain) {
+		counter -= rdtypecounter_stale + rdtypecounter_max;
+		attributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET |
+			     DNS_RDATASTATSTYPE_ATTR_STALE;
+		dump_rdentry(counter, value, attributes, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	} else {
+		attributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN |
+			     DNS_RDATASTATSTYPE_ATTR_STALE;
+		dump_rdentry(0, value, attributes, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	}
+}
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg0, unsigned int options)
+{
+	rdatadumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdataset_dumpcb, &arg, options);
+}
+
+static void
+opcode_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	opcodedumparg_t *opcodearg = arg;
+
+	opcodearg->fn((dns_opcode_t)counter, value, opcodearg->arg);
+}
+
+static void
+rcode_dumpcb(isc_statscounter_t counter, uint64_t value, void *arg) {
+	rcodedumparg_t *rcodearg = arg;
+
+	rcodearg->fn((dns_rcode_t)counter, value, rcodearg->arg);
+}
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg0, unsigned int options)
+{
+	opcodedumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, opcode_dumpcb, &arg, options);
+}
+
+void
+dns_rcodestats_dump(dns_stats_t *stats, dns_rcodestats_dumper_t dump_fn,
+		     void *arg0, unsigned int options)
+{
+	rcodedumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rcode);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rcode_dumpcb, &arg, options);
+}
+
+/***
+ *** Obsolete variables and functions follow:
+ ***/
+LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
+	{
+	"success",
+	"referral",
+	"nxrrset",
+	"nxdomain",
+	"recursion",
+	"failure",
+	"duplicate",
+	"dropped"
+	};
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, uint64_t **ctrp) {
+	int i;
+	uint64_t *p =
+		isc_mem_get(mctx, DNS_STATS_NCOUNTERS * sizeof(uint64_t));
+	if (p == NULL)
+		return (ISC_R_NOMEMORY);
+	for (i = 0; i < DNS_STATS_NCOUNTERS; i++)
+		p[i] = 0;
+	*ctrp = p;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, uint64_t **ctrp) {
+	isc_mem_put(mctx, *ctrp, DNS_STATS_NCOUNTERS * sizeof(uint64_t));
+	*ctrp = NULL;
+}
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
new file mode 100644
index 0000000..bb2a5d9
--- /dev/null
+++ b/lib/dns/tcpmsg.c
@@ -0,0 +1,239 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/events.h>
+#include <dns/result.h>
+#include <dns/tcpmsg.h>
+
+#ifdef TCPMSG_DEBUG
+#include <stdio.h>		/* Required for printf. */
+#define XDEBUG(x) printf x
+#else
+#define XDEBUG(x)
+#endif
+
+#define TCPMSG_MAGIC		ISC_MAGIC('T', 'C', 'P', 'm')
+#define VALID_TCPMSG(foo)	ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
+
+static void recv_length(isc_task_t *, isc_event_t *);
+static void recv_message(isc_task_t *, isc_event_t *);
+
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+	isc_region_t region;
+	isc_result_t result;
+
+	INSIST(VALID_TCPMSG(tcpmsg));
+
+	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		tcpmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	/*
+	 * Success.
+	 */
+	tcpmsg->size = ntohs(tcpmsg->size);
+	if (tcpmsg->size == 0) {
+		tcpmsg->result = ISC_R_UNEXPECTEDEND;
+		goto send_and_free;
+	}
+	if (tcpmsg->size > tcpmsg->maxsize) {
+		tcpmsg->result = ISC_R_RANGE;
+		goto send_and_free;
+	}
+
+	region.base = isc_mem_get(tcpmsg->mctx, tcpmsg->size);
+	region.length = tcpmsg->size;
+	if (region.base == NULL) {
+		tcpmsg->result = ISC_R_NOMEMORY;
+		goto send_and_free;
+	}
+	XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
+
+	isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
+	result = isc_socket_recv(tcpmsg->sock, &region, 0,
+				 task, recv_message, tcpmsg);
+	if (result != ISC_R_SUCCESS) {
+		tcpmsg->result = result;
+		goto send_and_free;
+	}
+
+	isc_event_free(&ev_in);
+	return;
+
+ send_and_free:
+	isc_task_send(tcpmsg->task, &dev);
+	tcpmsg->task = NULL;
+	isc_event_free(&ev_in);
+	return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+
+	(void)task;
+
+	INSIST(VALID_TCPMSG(tcpmsg));
+
+	dev = &tcpmsg->event;
+	tcpmsg->address = ev->address;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		tcpmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	tcpmsg->result = ISC_R_SUCCESS;
+	isc_buffer_add(&tcpmsg->buffer, ev->n);
+
+	XDEBUG(("Received %u bytes (of %d)\n", ev->n, tcpmsg->size));
+
+ send_and_free:
+	isc_task_send(tcpmsg->task, &dev);
+	tcpmsg->task = NULL;
+	isc_event_free(&ev_in);
+}
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(tcpmsg != NULL);
+
+	tcpmsg->magic = TCPMSG_MAGIC;
+	tcpmsg->size = 0;
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+	tcpmsg->maxsize = 65535;		/* Largest message possible. */
+	tcpmsg->mctx = mctx;
+	tcpmsg->sock = sock;
+	tcpmsg->task = NULL;			/* None yet. */
+	tcpmsg->result = ISC_R_UNEXPECTED;	/* None yet. */
+	/*
+	 * Should probably initialize the event here, but it can wait.
+	 */
+}
+
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(maxsize < 65536);
+
+	tcpmsg->maxsize = maxsize;
+}
+
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
+		       isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	isc_result_t result;
+	isc_region_t region;
+
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(task != NULL);
+	REQUIRE(tcpmsg->task == NULL);  /* not currently in use */
+
+	if (tcpmsg->buffer.base != NULL) {
+		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+			    tcpmsg->buffer.length);
+		tcpmsg->buffer.base = NULL;
+		tcpmsg->buffer.length = 0;
+	}
+
+	tcpmsg->task = task;
+	tcpmsg->action = action;
+	tcpmsg->arg = arg;
+	tcpmsg->result = ISC_R_UNEXPECTED;  /* unknown right now */
+
+	ISC_EVENT_INIT(&tcpmsg->event, sizeof(isc_event_t), 0, 0,
+		       DNS_EVENT_TCPMSG, action, arg, tcpmsg,
+		       NULL, NULL);
+
+	region.base = (unsigned char *)&tcpmsg->size;
+	region.length = 2;  /* uint16_t */
+	result = isc_socket_recv(tcpmsg->sock, &region, 0,
+				 tcpmsg->task, recv_length, tcpmsg);
+
+	if (result != ISC_R_SUCCESS)
+		tcpmsg->task = NULL;
+
+	return (result);
+}
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+	REQUIRE(buffer != NULL);
+
+	*buffer = tcpmsg->buffer;
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+}
+
+#if 0
+void
+dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	if (tcpmsg->buffer.base == NULL)
+		return;
+
+	isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base, tcpmsg->buffer.length);
+	tcpmsg->buffer.base = NULL;
+	tcpmsg->buffer.length = 0;
+}
+#endif
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
+	REQUIRE(VALID_TCPMSG(tcpmsg));
+
+	tcpmsg->magic = 0;
+
+	if (tcpmsg->buffer.base != NULL) {
+		isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+			    tcpmsg->buffer.length);
+		tcpmsg->buffer.base = NULL;
+		tcpmsg->buffer.length = 0;
+	}
+}
diff --git a/lib/dns/tests/Atffile b/lib/dns/tests/Atffile
new file mode 100644
index 0000000..953082d
--- /dev/null
+++ b/lib/dns/tests/Atffile
@@ -0,0 +1,34 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: acl_test
+tp: db_test
+tp: dbdiff_test
+tp: dbiterator_test
+tp: dbversion_test
+tp: dh_test
+tp: dispatch_test
+tp: dnstap_test
+tp: dst_test
+tp: geoip_test
+tp: gost_test
+tp: keytable_test
+tp: master_test
+tp: name_test
+tp: nsec3_test
+tp: peer_test
+tp: private_test
+tp: rbt_serialize_test
+tp: rbt_test
+tp: rdata_test
+tp: rdataset_test
+tp: rdatasetstats_test
+tp: resolver_test
+tp: rsa_test
+tp: sigs_test
+tp: time_test
+tp: tsig_test
+tp: update_test
+tp: zonemgr_test
+tp: zt_test
diff --git a/lib/dns/tests/Kdh.+002+18602.key b/lib/dns/tests/Kdh.+002+18602.key
new file mode 100644
index 0000000..09b4cf5
--- /dev/null
+++ b/lib/dns/tests/Kdh.+002+18602.key
@@ -0,0 +1 @@
+dh. IN KEY 0 2 2 AAEBAAAAYIHI/wjtOagNga9GILSoS02IVelgLilPE/TfhtvShsiDAXqb IfxQcj2JkuOnNLs5ttb2WZXWl5/jsSjIxHMwMF2XY4gwt/lwHBf/vgYH r7aIxnKXov1jk9rymTLHGKIOtg==
diff --git a/lib/dns/tests/Krsa.+005+29235.key b/lib/dns/tests/Krsa.+005+29235.key
new file mode 100644
index 0000000..e2d81e7
--- /dev/null
+++ b/lib/dns/tests/Krsa.+005+29235.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 29235, for rsa.
+; Created: 20160819191802 (Fri Aug 19 21:18:02 2016)
+; Publish: 20160819191802 (Fri Aug 19 21:18:02 2016)
+; Activate: 20160819191802 (Fri Aug 19 21:18:02 2016)
+rsa. IN DNSKEY 256 3 5 AwEAAdLT1R3qiqCqll3Xzh2qFMvehQ9FODsPftw5U4UjB3QwnJ/3+dph 9kZBBeaJagUBVYzoArk6XNydpp3HhSCFDcIiepL6r8XAifW3SqI1KCne OD38kSCl/Qm9P0+3CFWokGVubsSQ+3dpQZxqx5bzOXthbuzAr6X+gDUE LAyHtCQNmJ+4ktdCoj3DNYW0z/xLvrcB2Lns7H+/qWnGPL4f3hr7Vbak Oeay+4J4KGdY2LFxJUVts6QrgAA8gz4mV9YIJFP+C4B3b/Z7qgqZRxmT 0pic+fJC5+sq0l8KwavPn0n+HqVuJNvppVKMdTbsmmuk69RFGMjbFkP7 tnCiqC9Zi6s=
diff --git a/lib/dns/tests/Kyuafile b/lib/dns/tests/Kyuafile
new file mode 100644
index 0000000..0353a73
--- /dev/null
+++ b/lib/dns/tests/Kyuafile
@@ -0,0 +1,33 @@
+syntax(2)
+test_suite('bind9')
+
+atf_test_program{name='acl_test'}
+atf_test_program{name='db_test'}
+atf_test_program{name='dbdiff_test'}
+atf_test_program{name='dbiterator_test'}
+atf_test_program{name='dbversion_test'}
+atf_test_program{name='dh_test'}
+atf_test_program{name='dispatch_test'}
+atf_test_program{name='dnstap_test'}
+atf_test_program{name='dst_test'}
+atf_test_program{name='geoip_test'}
+atf_test_program{name='gost_test'}
+atf_test_program{name='keytable_test'}
+atf_test_program{name='master_test'}
+atf_test_program{name='name_test'}
+atf_test_program{name='nsec3_test'}
+atf_test_program{name='peer_test'}
+atf_test_program{name='private_test'}
+atf_test_program{name='rbt_serialize_test', is_exclusive=true}
+atf_test_program{name='rbt_test'}
+atf_test_program{name='rdata_test'}
+atf_test_program{name='rdataset_test'}
+atf_test_program{name='rdatasetstats_test'}
+atf_test_program{name='resolver_test'}
+atf_test_program{name='rsa_test'}
+atf_test_program{name='sigs_test'}
+atf_test_program{name='time_test'}
+atf_test_program{name='tsig_test'}
+atf_test_program{name='update_test'}
+atf_test_program{name='zonemgr_test'}
+atf_test_program{name='zt_test'}
diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
new file mode 100644
index 0000000..58fa872
--- /dev/null
+++ b/lib/dns/tests/Makefile.in
@@ -0,0 +1,266 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		@DST_OPENSSL_INC@
+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+
+ISCLIBS =	../../isc/libisc.@A@
+ISCDEPLIBS =	../../isc/libisc.@A@
+DNSLIBS =	../libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS =	../libdns.@A@
+
+LIBS =		@LIBS@ @ATFLIBS@
+
+OBJS =		dnstest.@O@
+SRCS =		acl_test.c \
+		db_test.c \
+		dbdiff_test.c \
+		dbiterator_test.c \
+		dh_test.c \
+		dispatch_test.c \
+		dnstap_test.c \
+		dst_test.c \
+		dnstest.c \
+		geoip_test.c \
+		gost_test.c \
+		keytable_test.c \
+		master_test.c \
+		name_test.c \
+		nsec3_test.c \
+		peer_test.c \
+		private_test.c \
+		rbt_test.c \
+		rbt_serialize_test.c \
+		rdata_test.c \
+		rdataset_test.c \
+		rdatasetstats_test.c \
+		resolver_test.c \
+		rsa_test.c \
+		sigs_test.c \
+		time_test.c \
+		tsig_test.c \
+		update_test.c \
+		zonemgr_test.c \
+		zt_test.c
+
+SUBDIRS =
+TARGETS =	acl_test@EXEEXT@ \
+		db_test@EXEEXT@ \
+		dbdiff_test@EXEEXT@ \
+		dbiterator_test@EXEEXT@ \
+		dbversion_test@EXEEXT@ \
+		dh_test@EXEEXT@ \
+		dispatch_test@EXEEXT@ \
+		dnstap_test@EXEEXT@ \
+		dst_test@EXEEXT@ \
+		geoip_test@EXEEXT@ \
+		gost_test@EXEEXT@ \
+		keytable_test@EXEEXT@ \
+		master_test@EXEEXT@ \
+		name_test@EXEEXT@ \
+		nsec3_test@EXEEXT@ \
+		peer_test@EXEEXT@ \
+		private_test@EXEEXT@ \
+		rbt_test@EXEEXT@ \
+		rbt_serialize_test@EXEEXT@ \
+		rdata_test@EXEEXT@ \
+		rdataset_test@EXEEXT@ \
+		rdatasetstats_test@EXEEXT@ \
+		resolver_test@EXEEXT@ \
+		rsa_test@EXEEXT@ \
+		sigs_test@EXEEXT@ \
+		time_test@EXEEXT@ \
+		tsig_test@EXEEXT@ \
+		update_test@EXEEXT@ \
+		zonemgr_test@EXEEXT@ \
+		zt_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+acl_test@EXEEXT@: acl_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			acl_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+master_test@EXEEXT@: master_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	test -d testdata || mkdir testdata
+	test -d testdata/master || mkdir testdata/master
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master12.data.in \
+		> testdata/master/master12.data
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master13.data.in \
+		> testdata/master/master13.data
+	${PERL} ${srcdir}/mkraw.pl < ${srcdir}/testdata/master/master14.data.in \
+		> testdata/master/master14.data
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			master_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+keytable_test@EXEEXT@: keytable_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			keytable_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+time_test@EXEEXT@: time_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			time_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+peer_test@EXEEXT@: peer_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			peer_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+private_test@EXEEXT@: private_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			private_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+update_test@EXEEXT@: update_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			update_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+zonemgr_test@EXEEXT@: zonemgr_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			zonemgr_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+dbiterator_test@EXEEXT@: dbiterator_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dbiterator_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+dbdiff_test@EXEEXT@: dbdiff_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dbdiff_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+dbversion_test@EXEEXT@: dbversion_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dbversion_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+zt_test@EXEEXT@: zt_test.@O@ dnstest.@O@ \
+		${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			zt_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+name_test@EXEEXT@: name_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			name_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+rdataset_test@EXEEXT@: rdataset_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rdataset_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+dispatch_test@EXEEXT@: dispatch_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dispatch_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+dnstap_test@EXEEXT@: dnstap_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dnstap_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+rdatasetstats_test@EXEEXT@: rdatasetstats_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rdatasetstats_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+rbt_test@EXEEXT@: rbt_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rbt_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+rbt_serialize_test@EXEEXT@: rbt_serialize_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rbt_serialize_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+resolver_test@EXEEXT@: resolver_test.@O@ dnstest.@O@ \
+		${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			resolver_test.@O@ dnstest.@O@ ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rdata_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+sigs_test@EXEEXT@: sigs_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			sigs_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+db_test@EXEEXT@: db_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			db_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+gost_test@EXEEXT@: gost_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			gost_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+dh_test@EXEEXT@: dh_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dh_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+dst_test@EXEEXT@: dst_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			dst_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+rsa_test@EXEEXT@: rsa_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rsa_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
+			${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
+	rm -f testdata/master/master12.data testdata/master/master13.data \
+		testdata/master/master14.data
+	rm -f zone.bin
diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c
new file mode 100644
index 0000000..285a990
--- /dev/null
+++ b/lib/dns/tests/acl_test.c
@@ -0,0 +1,374 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+
+#include <dns/acl.h>
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+
+#define	BUFLEN		255
+#define	BIGBUFLEN	(70 * 1024)
+#define TEST_ORIGIN	"test"
+
+ATF_TC(dns_acl_isinsecure);
+ATF_TC_HEAD(dns_acl_isinsecure, tc) {
+	atf_tc_set_md_var(tc, "descr", "test that dns_acl_isinsecure works");
+}
+ATF_TC_BODY(dns_acl_isinsecure, tc) {
+	isc_result_t result;
+	unsigned int pass;
+	struct {
+		bool first;
+		bool second;
+	} ecs[] = {
+		{ false, false },
+		{ true, true },
+		{ true, false },
+		{ false, true }
+	};
+
+	dns_acl_t *any = NULL;
+	dns_acl_t *none = NULL;
+	dns_acl_t *notnone = NULL;
+	dns_acl_t *notany = NULL;
+#ifdef HAVE_GEOIP
+	dns_acl_t *geoip = NULL;
+	dns_acl_t *notgeoip = NULL;
+	dns_aclelement_t *de;
+#endif
+
+	dns_acl_t *pos4pos6 = NULL;
+	dns_acl_t *notpos4pos6 = NULL;
+	dns_acl_t *neg4pos6 = NULL;
+	dns_acl_t *notneg4pos6 = NULL;
+	dns_acl_t *pos4neg6 = NULL;
+	dns_acl_t *notpos4neg6 = NULL;
+	dns_acl_t *neg4neg6 = NULL;
+	dns_acl_t *notneg4neg6 = NULL;
+
+	dns_acl_t *loop4 = NULL;
+	dns_acl_t *notloop4 = NULL;
+
+	dns_acl_t *loop6 = NULL;
+	dns_acl_t *notloop6 = NULL;
+
+	dns_acl_t *loop4pos6 = NULL;
+	dns_acl_t *notloop4pos6 = NULL;
+	dns_acl_t *loop4neg6 = NULL;
+	dns_acl_t *notloop4neg6 = NULL;
+
+	struct in_addr inaddr;
+	isc_netaddr_t addr;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_any(mctx, &any);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_none(mctx, &none);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_create(mctx, 1, &notnone);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_create(mctx, 1, &notany);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notnone, none, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notany, any, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifdef HAVE_GEOIP
+	result = dns_acl_create(mctx, 1, &geoip);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	de = geoip->elements;
+	ATF_REQUIRE(de != NULL);
+	strlcpy(de->geoip_elem.as_string, "AU",
+		sizeof(de->geoip_elem.as_string));
+	de->geoip_elem.subtype = dns_geoip_country_code;
+	de->type = dns_aclelementtype_geoip;
+	de->negative = false;
+	ATF_REQUIRE(geoip->length < geoip->alloc);
+	geoip->node_count++;
+	de->node_num = geoip->node_count;
+	geoip->length++;
+
+	result = dns_acl_create(mctx, 1, &notgeoip);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_acl_merge(notgeoip, geoip, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+#endif
+
+	ATF_CHECK(dns_acl_isinsecure(any));		/* any; */
+	ATF_CHECK(!dns_acl_isinsecure(none));		/* none; */
+	ATF_CHECK(!dns_acl_isinsecure(notany));		/* !any; */
+	ATF_CHECK(!dns_acl_isinsecure(notnone));	/* !none; */
+
+#ifdef HAVE_GEOIP
+	ATF_CHECK(dns_acl_isinsecure(geoip));		/* geoip; */
+	ATF_CHECK(!dns_acl_isinsecure(notgeoip));	/* !geoip; */
+#endif
+
+	dns_acl_detach(&any);
+	dns_acl_detach(&none);
+	dns_acl_detach(&notany);
+	dns_acl_detach(&notnone);
+#ifdef HAVE_GEOIP
+	dns_acl_detach(&geoip);
+	dns_acl_detach(&notgeoip);
+#endif
+
+	for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) {
+		result = dns_acl_create(mctx, 1, &pos4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notpos4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &neg4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notneg4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &pos4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notpos4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &neg4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notneg4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x0a000000);	/* 10.0.0.0 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* 0a00:: */
+		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
+						true, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notpos4pos6, pos4pos6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x0a000000);	/* !10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
+						false, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* 0a00::/8 */
+		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
+						true, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notneg4pos6, neg4pos6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x0a000000);	/* 10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* !0a00::/8 */
+		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
+						false, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notpos4neg6, pos4neg6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x0a000000);	/* !10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
+						false, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* !0a00::/8 */
+		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
+						false, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notneg4neg6, neg4neg6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		ATF_CHECK(dns_acl_isinsecure(pos4pos6));
+		ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
+		ATF_CHECK(dns_acl_isinsecure(neg4pos6));
+		ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
+		ATF_CHECK(dns_acl_isinsecure(pos4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
+
+		dns_acl_detach(&pos4pos6);
+		dns_acl_detach(&notpos4pos6);
+		dns_acl_detach(&neg4pos6);
+		dns_acl_detach(&notneg4pos6);
+		dns_acl_detach(&pos4neg6);
+		dns_acl_detach(&notpos4neg6);
+		dns_acl_detach(&neg4neg6);
+		dns_acl_detach(&notneg4neg6);
+
+		result = dns_acl_create(mctx, 1, &loop4);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notloop4);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &loop6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notloop6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notloop4, loop4, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		isc_netaddr_fromin6(&addr, &in6addr_loopback);	/* ::1 */
+		result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notloop6, loop6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		if (!ecs[pass].first) {
+			ATF_CHECK(!dns_acl_isinsecure(loop4));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4));
+			ATF_CHECK(!dns_acl_isinsecure(loop6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop6));
+		} else if (ecs[pass].first) {
+			ATF_CHECK(dns_acl_isinsecure(loop4));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4));
+			ATF_CHECK(dns_acl_isinsecure(loop6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop6));
+		}
+
+		dns_acl_detach(&loop4);
+		dns_acl_detach(&notloop4);
+		dns_acl_detach(&loop6);
+		dns_acl_detach(&notloop6);
+
+		result = dns_acl_create(mctx, 1, &loop4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notloop4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &loop4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_create(mctx, 1, &notloop4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* f700:0001::/32 */
+		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
+						true, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notloop4pos6, loop4pos6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
+						true, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		addr.family = AF_INET6;			/* !f700:0001::/32 */
+		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
+						false, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = dns_acl_merge(notloop4neg6, loop4neg6, false);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		if (!ecs[pass].first && !ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else if (ecs[pass].first && !ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else if (!ecs[pass].first && ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		}
+
+		dns_acl_detach(&loop4pos6);
+		dns_acl_detach(&notloop4pos6);
+		dns_acl_detach(&loop4neg6);
+		dns_acl_detach(&notloop4neg6);
+	}
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, dns_acl_isinsecure);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/db_test.c b/lib/dns/tests/db_test.c
new file mode 100644
index 0000000..d12a497
--- /dev/null
+++ b/lib/dns/tests/db_test.c
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+#include <dns/journal.h>
+
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+
+#define	BUFLEN		255
+#define	BIGBUFLEN	(64 * 1024)
+#define TEST_ORIGIN	"test"
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(getoriginnode);
+ATF_TC_HEAD(getoriginnode, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "test multiple calls to dns_db_getoriginnode");
+}
+ATF_TC_BODY(getoriginnode, tc) {
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	isc_mem_t *mymctx = NULL;
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, &mymctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_hash_create(mymctx, NULL, 256);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_create(mymctx, "rbt", dns_rootname, dns_dbtype_zone,
+			    dns_rdataclass_in, 0, NULL, &db);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_getoriginnode(db, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_db_detachnode(db, &node);
+
+	result = dns_db_getoriginnode(db, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_db_detachnode(db, &node);
+
+	dns_db_detach(&db);
+	isc_mem_detach(&mymctx);
+}
+
+ATF_TC(class);
+ATF_TC_HEAD(class, tc) {
+	atf_tc_set_md_var(tc, "descr", "database class");
+}
+ATF_TC_BODY(class, tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_load(db, "testdata/db/data.db");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK_EQ(dns_db_class(db), dns_rdataclass_in);
+
+	dns_db_detach(&db);
+}
+
+ATF_TC(dbtype);
+ATF_TC_HEAD(dbtype, tc) {
+	atf_tc_set_md_var(tc, "descr", "database type");
+}
+ATF_TC_BODY(dbtype, tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* DB has zone semantics */
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_db_load(db, "testdata/db/data.db");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(dns_db_iszone(db));
+	ATF_CHECK(!dns_db_iscache(db));
+	dns_db_detach(&db);
+
+	/* DB has cache semantics */
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_cache,
+			       dns_rdataclass_in, 0, NULL, &db);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_db_load(db, "testdata/db/data.db");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(dns_db_iscache(db));
+	ATF_CHECK(!dns_db_iszone(db));
+	dns_db_detach(&db);
+
+	dns_test_end();
+}
+
+ATF_TC(version);
+ATF_TC_HEAD(version, tc) {
+	atf_tc_set_md_var(tc, "descr", "database versions");
+}
+ATF_TC_BODY(version, tc) {
+	isc_result_t result;
+	dns_fixedname_t fname, ffound;
+	dns_name_t *name, *foundname;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL, *new = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "test.test",
+				 "testdata/db/data.db");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Open current version for reading */
+	dns_db_currentversion(db, &ver);
+	dns_test_namefromstring("b.test.test", &fname);
+	name = dns_fixedname_name(&fname);
+	foundname = dns_fixedname_initname(&ffound);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_find(db, name , ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+
+	/* Open new version for writing */
+	dns_db_currentversion(db, &ver);
+	dns_test_namefromstring("b.test.test", &fname);
+	name = dns_fixedname_name(&fname);
+	foundname = dns_fixedname_initname(&ffound);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_find(db, name , ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_newversion(db, &new);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Delete the rdataset from the new verison */
+	result = dns_db_deleterdataset(db, node, new, dns_rdatatype_a, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+
+	/* This should fail now */
+	result = dns_db_find(db, name, new, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	ATF_REQUIRE_EQ(result, DNS_R_NXDOMAIN);
+
+	dns_db_closeversion(db, &new, true);
+
+	/* But this should still succeed */
+	result = dns_db_find(db, name, ver, dns_rdatatype_a, 0, 0, &node,
+			     foundname, &rdataset, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	dns_db_closeversion(db, &ver, false);
+
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, getoriginnode);
+	ATF_TP_ADD_TC(tp, class);
+	ATF_TP_ADD_TC(tp, dbtype);
+	ATF_TP_ADD_TC(tp, version);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dbdiff_test.c b/lib/dns/tests/dbdiff_test.c
new file mode 100644
index 0000000..2ddd243
--- /dev/null
+++ b/lib/dns/tests/dbdiff_test.c
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+#include <dns/journal.h>
+
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+
+#define	BUFLEN		255
+#define	BIGBUFLEN	(64 * 1024)
+#define TEST_ORIGIN	"test"
+
+static void
+test_create(const atf_tc_t *tc, dns_db_t **old, dns_db_t **newdb) {
+	isc_result_t result;
+
+	result = dns_test_loaddb(old, dns_dbtype_zone, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-old"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(newdb, dns_dbtype_zone, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-new"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(diffx_same);
+ATF_TC_HEAD(diffx_same, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_db_diffx of identical content");
+	atf_tc_set_md_var(tc, "X-old", "testdata/diff/zone1.data");
+	atf_tc_set_md_var(tc, "X-new", "testdata/diff/zone1.data"); }
+ATF_TC_BODY(diffx_same, tc) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	isc_result_t result;
+	dns_diff_t diff;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	test_create(tc, &olddb, &newdb);
+
+	dns_diff_init(mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(ISC_LIST_EMPTY(diff.tuples), true);
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+	dns_test_end();
+}
+
+ATF_TC(diffx_add);
+ATF_TC_HEAD(diffx_add, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "dns_db_diffx of zone with record added");
+	atf_tc_set_md_var(tc, "X-old", "testdata/diff/zone1.data");
+	atf_tc_set_md_var(tc, "X-new", "testdata/diff/zone2.data");
+}
+ATF_TC_BODY(diffx_add, tc) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+	dns_diff_t diff;
+	int count = 0;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	test_create(tc, &olddb, &newdb);
+
+	dns_diff_init(mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(ISC_LIST_EMPTY(diff.tuples), false);
+	for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		ATF_REQUIRE_EQ(tuple->op, DNS_DIFFOP_ADD);
+		count++;
+	}
+	ATF_REQUIRE_EQ(count, 1);
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+	dns_test_end();
+}
+
+ATF_TC(diffx_remove);
+ATF_TC_HEAD(diffx_remove, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "dns_db_diffx of zone with record removed");
+	atf_tc_set_md_var(tc, "X-old", "testdata/diff/zone1.data");
+	atf_tc_set_md_var(tc, "X-new", "testdata/diff/zone3.data");
+}
+ATF_TC_BODY(diffx_remove, tc) {
+	dns_db_t *newdb = NULL, *olddb = NULL;
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+	dns_diff_t diff;
+	int count = 0;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	test_create(tc, &olddb, &newdb);
+
+	dns_diff_init(mctx, &diff);
+
+	result = dns_db_diffx(&diff, newdb, NULL, olddb, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(ISC_LIST_EMPTY(diff.tuples), false);
+	for (tuple = ISC_LIST_HEAD(diff.tuples); tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		ATF_REQUIRE_EQ(tuple->op, DNS_DIFFOP_DEL);
+		count++;
+	}
+	ATF_REQUIRE_EQ(count, 1);
+
+	dns_diff_clear(&diff);
+	dns_db_detach(&newdb);
+	dns_db_detach(&olddb);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, diffx_same);
+	ATF_TP_ADD_TC(tp, diffx_add);
+	ATF_TP_ADD_TC(tp, diffx_remove);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dbiterator_test.c b/lib/dns/tests/dbiterator_test.c
new file mode 100644
index 0000000..643627b
--- /dev/null
+++ b/lib/dns/tests/dbiterator_test.c
@@ -0,0 +1,425 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+
+#define	BUFLEN		255
+#define	BIGBUFLEN	(64 * 1024)
+#define TEST_ORIGIN	"test"
+
+static isc_result_t
+make_name(const char *src, dns_name_t *name) {
+	isc_buffer_t b;
+	isc_buffer_constinit(&b, src, strlen(src));
+	isc_buffer_add(&b, strlen(src));
+	return (dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* create: make sure we can create a dbiterator */
+static void
+test_create(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(create);
+ATF_TC_HEAD(create, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a database iterator");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+}
+ATF_TC_BODY(create, tc) {
+	test_create(tc);
+}
+
+ATF_TC(create_nsec3);
+ATF_TC_HEAD(create_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a database iterator (NSEC3)");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+}
+ATF_TC_BODY(create_nsec3, tc) {
+	test_create(tc);
+}
+
+/* walk: walk a database */
+static void
+test_walk(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name;
+	dns_fixedname_t f;
+	int i = 0;
+
+	UNUSED(tc);
+
+	name = dns_fixedname_initname(&f);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (result = dns_dbiterator_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(iter)) {
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN)
+			result = ISC_R_SUCCESS;
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		i++;
+	}
+
+	ATF_CHECK_EQ(i, atoi(atf_tc_get_md_var(tc, "X-nodes")));
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(walk);
+ATF_TC_HEAD(walk, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+	atf_tc_set_md_var(tc, "X-nodes", "12");
+}
+ATF_TC_BODY(walk, tc) {
+	test_walk(tc);
+}
+
+ATF_TC(walk_nsec3);
+ATF_TC_HEAD(walk_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+	atf_tc_set_md_var(tc, "X-nodes", "33");
+}
+ATF_TC_BODY(walk_nsec3, tc) {
+	test_walk(tc);
+}
+
+/* reverse: walk database backwards */
+static void test_reverse(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name;
+	dns_fixedname_t f;
+	int i = 0;
+
+	UNUSED(tc);
+
+	name = dns_fixedname_initname(&f);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (result = dns_dbiterator_last(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_prev(iter)) {
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN)
+			result = ISC_R_SUCCESS;
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		i++;
+	}
+
+	ATF_CHECK_EQ(i, 12);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(reverse);
+ATF_TC_HEAD(reverse, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database backwards");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+}
+ATF_TC_BODY(reverse, tc) {
+	test_reverse(tc);
+}
+
+ATF_TC(reverse_nsec3);
+ATF_TC_HEAD(reverse_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database backwards");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+}
+ATF_TC_BODY(reverse_nsec3, tc) {
+	test_reverse(tc);
+}
+
+/* seek: walk database starting at a particular node */
+static void test_seek(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name, *seekname;
+	dns_fixedname_t f1, f2;
+	int i = 0;
+
+	UNUSED(tc);
+
+	name = dns_fixedname_initname(&f1);
+	seekname = dns_fixedname_initname(&f2);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = make_name("c." TEST_ORIGIN, seekname);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(iter, &node, name);
+		if (result == DNS_R_NEWORIGIN)
+			result = ISC_R_SUCCESS;
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(iter);
+		i++;
+	}
+
+	ATF_CHECK_EQ(i, atoi(atf_tc_get_md_var(tc, "X-nodes")));
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(seek);
+ATF_TC_HEAD(seek, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database starting at "
+				       "a particular node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+	atf_tc_set_md_var(tc, "X-nodes", "9");
+}
+ATF_TC_BODY(seek, tc) {
+	test_seek(tc);
+}
+
+ATF_TC(seek_nsec3);
+ATF_TC_HEAD(seek_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database starting at "
+				       "a particular node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+	atf_tc_set_md_var(tc, "X-nodes", "30");
+}
+ATF_TC_BODY(seek_nsec3, tc) {
+	test_seek(tc);
+}
+
+/*
+ * seek_emty: walk database starting at an empty nonterminal node
+ * (should fail)
+ */
+static void test_seek_empty(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_name_t *seekname;
+	dns_fixedname_t f1;
+
+	UNUSED(tc);
+
+	seekname = dns_fixedname_initname(&f1);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = make_name("d." TEST_ORIGIN, seekname);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	ATF_CHECK_EQ(result, DNS_R_PARTIALMATCH);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(seek_empty);
+ATF_TC_HEAD(seek_empty, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database starting at an "
+				       "empty nonterminal node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+}
+ATF_TC_BODY(seek_empty, tc) {
+	test_seek_empty(tc);
+}
+
+ATF_TC(seek_empty_nsec3);
+ATF_TC_HEAD(seek_empty_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "walk database starting at an "
+				       "empty nonterminal node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+}
+ATF_TC_BODY(seek_empty_nsec3, tc) {
+	test_seek_empty(tc);
+}
+
+/*
+ * seek_emty: walk database starting at an empty nonterminal node
+ * (should fail)
+ */
+static void test_seek_nx(const atf_tc_t *tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbiterator_t *iter = NULL;
+	dns_name_t *seekname;
+	dns_fixedname_t f1;
+
+	UNUSED(tc);
+
+	seekname = dns_fixedname_initname(&f1);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN,
+				 atf_tc_get_md_var(tc, "X-filename"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_createiterator(db, 0, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = make_name("nonexistent." TEST_ORIGIN, seekname);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	ATF_CHECK_EQ(result, DNS_R_PARTIALMATCH);
+
+	result = make_name("nonexistent.", seekname);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dbiterator_seek(iter, seekname);
+	ATF_CHECK_EQ(result, ISC_R_NOTFOUND);
+
+	dns_dbiterator_destroy(&iter);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+ATF_TC(seek_nx);
+ATF_TC_HEAD(seek_nx, tc) {
+	atf_tc_set_md_var(tc, "descr", "attempt to walk database starting "
+				       "at a nonexistent node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone1.data");
+}
+ATF_TC_BODY(seek_nx, tc) {
+	test_seek_nx(tc);
+}
+
+ATF_TC(seek_nx_nsec3);
+ATF_TC_HEAD(seek_nx_nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "attempt to walk database starting "
+				       "at a nonexistent node");
+	atf_tc_set_md_var(tc, "X-filename", "testdata/dbiterator/zone2.data");
+}
+ATF_TC_BODY(seek_nx_nsec3, tc) {
+	test_seek_nx(tc);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, create);
+	ATF_TP_ADD_TC(tp, create_nsec3);
+	ATF_TP_ADD_TC(tp, walk);
+	ATF_TP_ADD_TC(tp, walk_nsec3);
+	ATF_TP_ADD_TC(tp, reverse);
+	ATF_TP_ADD_TC(tp, reverse_nsec3);
+	ATF_TP_ADD_TC(tp, seek);
+	ATF_TP_ADD_TC(tp, seek_nsec3);
+	ATF_TP_ADD_TC(tp, seek_empty);
+	ATF_TP_ADD_TC(tp, seek_empty_nsec3);
+	ATF_TP_ADD_TC(tp, seek_nx);
+	ATF_TP_ADD_TC(tp, seek_nx_nsec3);
+	return (atf_no_error());
+}
+
+/*
+ * XXX:
+ * dns_dbiterator API calls that are not yet part of this unit test:
+ *
+ * dns_dbiterator_pause
+ * dns_dbiterator_origin
+ * dns_dbiterator_setcleanmode
+ */
diff --git a/lib/dns/tests/dbversion_test.c b/lib/dns/tests/dbversion_test.c
new file mode 100644
index 0000000..275fc9b
--- /dev/null
+++ b/lib/dns/tests/dbversion_test.c
@@ -0,0 +1,735 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <atf-c.h>
+
+#include <isc/file.h>
+#include <isc/result.h>
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/msgcat.h>
+
+#include <dns/db.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/nsec3.h>
+
+#include "dnstest.h"
+
+static char tempname[11] = "dtXXXXXXXX";
+
+static void
+local_callback(const char *file, int line, isc_assertiontype_t type,
+	       const char *cond)
+{
+	UNUSED(file); UNUSED(line); UNUSED(type); UNUSED(cond);
+	if (strcmp(tempname, "dtXXXXXXXX"))
+		unlink(tempname);
+	atf_tc_pass();
+	exit(0);
+}
+
+static dns_db_t *db1 = NULL, *db2 = NULL;
+static dns_dbversion_t *v1 = NULL, *v2 = NULL;
+
+static void
+setup_db(void) {
+	isc_result_t result;
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_db_newversion(db1, &v1);
+
+	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_db_newversion(db2, &v2);
+}
+
+static void
+close_db(void) {
+	if (v1 != NULL) {
+		dns_db_closeversion(db1, &v1, false);
+		ATF_REQUIRE_EQ(v1, NULL);
+	}
+	if (db1 != NULL) {
+		dns_db_detach(&db1);
+		ATF_REQUIRE_EQ(db1, NULL);
+	}
+
+	if (v2 != NULL) {
+		dns_db_closeversion(db2, &v2, false);
+		ATF_REQUIRE_EQ(v2, NULL);
+	}
+	if (db2 != NULL) {
+		dns_db_detach(&db2);
+		ATF_REQUIRE_EQ(db2, NULL);
+	}
+}
+
+#define VERSION(callback) ((callback == NULL) ? v1 : v2)
+#define VERSIONP(callback) ((callback == NULL) ? &v1 : &v2)
+/*
+ * Individual unit tests
+ */
+static void
+attachversion(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_dbversion_t *v = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	isc_assertion_setcallback(callback);
+	dns_db_attachversion(db1, VERSION(callback), &v);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_attachversion did not assert");
+
+	ATF_REQUIRE_EQ(v, v1);
+	dns_db_closeversion(db1, &v, false);
+	ATF_REQUIRE_EQ(v, NULL);
+
+	close_db();
+	dns_test_end();
+}
+
+ATF_TC(attachversion);
+ATF_TC_HEAD(attachversion, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_attachversion passes with matching db/verison");
+}
+ATF_TC_BODY(attachversion, tc) {
+
+	UNUSED(tc);
+
+	attachversion(NULL);
+}
+
+ATF_TC(attachversion_bad);
+ATF_TC_HEAD(attachversion_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_attachversion aborts with mis-matching db/verison");
+}
+ATF_TC_BODY(attachversion_bad, tc) {
+
+	UNUSED(tc);
+
+	attachversion(local_callback);
+}
+
+static void
+closeversion(isc_assertioncallback_t callback) {
+	isc_result_t result;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	isc_assertion_setcallback(callback);
+	dns_db_closeversion(db1, VERSIONP(callback), false);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_closeversion did not assert");
+	ATF_REQUIRE_EQ(v1, NULL);
+
+	close_db();
+	dns_test_end();
+}
+
+ATF_TC(closeversion);
+ATF_TC_HEAD(closeversion, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_closeversion passes with matching db/verison");
+}
+ATF_TC_BODY(closeversion, tc) {
+
+	UNUSED(tc);
+
+	closeversion(NULL);
+}
+
+ATF_TC(closeversion_bad);
+ATF_TC_HEAD(closeversion_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_closeversion asserts with mis-matching db/verison");
+}
+ATF_TC_BODY(closeversion_bad, tc) {
+
+	UNUSED(tc);
+
+	closeversion(local_callback);
+}
+
+static void
+find(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_find(db1, dns_rootname, VERSION(callback),
+			     dns_rdatatype_soa, 0, 0, NULL,
+			     dns_fixedname_name(&fixed), &rdataset, NULL);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_find did not assert");
+	ATF_REQUIRE_EQ(result, DNS_R_NXDOMAIN);
+
+	close_db();
+
+	dns_test_end();
+}
+ATF_TC(find);
+ATF_TC_HEAD(find, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_find passes with matching db/version");
+}
+ATF_TC_BODY(find, tc) {
+
+	UNUSED(tc);
+
+	find(NULL);
+}
+
+ATF_TC(find_bad);
+ATF_TC_HEAD(find_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_find asserts with mis-matching db/version");
+}
+ATF_TC_BODY(find_bad, tc) {
+
+	UNUSED(tc);
+
+	find(local_callback);
+}
+
+static void
+allrdatasets(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *iterator = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_allrdatasets(db1, node, VERSION(callback), 0,
+				     &iterator);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_allrdatasets did not assert");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_rdatasetiter_destroy(&iterator);
+	ATF_REQUIRE_EQ(iterator, NULL);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(allrdatasets);
+ATF_TC_HEAD(allrdatasets, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_allrdatasets passes with matching db/version");
+}
+ATF_TC_BODY(allrdatasets, tc) {
+
+	UNUSED(tc);
+
+	allrdatasets(NULL);
+}
+
+ATF_TC(allrdatasets_bad);
+ATF_TC_HEAD(allrdatasets_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_allrdatasets aborts with mis-matching db/version");
+}
+ATF_TC_BODY(allrdatasets_bad, tc) {
+
+	UNUSED(tc);
+
+	allrdatasets(local_callback);
+}
+
+static void
+findrdataset(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_dbnode_t *node = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_findrdataset(db1, node, VERSION(callback),
+				     dns_rdatatype_soa, 0, 0, &rdataset, NULL);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_findrdataset did not assert");
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(findrdataset);
+ATF_TC_HEAD(findrdataset, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_findrdataset passes with matching db/version");
+}
+ATF_TC_BODY(findrdataset, tc) {
+
+	UNUSED(tc);
+
+	findrdataset(NULL);
+}
+
+ATF_TC(findrdataset_bad);
+ATF_TC_HEAD(findrdataset_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_findrdataset aborts with mis-matching db/version");
+}
+ATF_TC_BODY(findrdataset_bad, tc) {
+
+	UNUSED(tc);
+
+	findrdataset(local_callback);
+}
+
+static void
+deleterdataset(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_dbnode_t *node = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_deleterdataset(db1, node, VERSION(callback),
+				       dns_rdatatype_soa, 0);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_deleterdataset did not assert");
+	ATF_REQUIRE_EQ(result, DNS_R_UNCHANGED);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(deleterdataset);
+ATF_TC_HEAD(deleterdataset, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_deleterdataset passes with matching db/version");
+}
+ATF_TC_BODY(deleterdataset, tc) {
+
+	UNUSED(tc);
+
+	deleterdataset(NULL);
+}
+
+ATF_TC(deleterdataset_bad);
+ATF_TC_HEAD(deleterdataset_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_deleterdataset aborts with mis-matching db/version");
+}
+ATF_TC_BODY(deleterdataset_bad, tc) {
+
+	UNUSED(tc);
+
+	deleterdataset(local_callback);
+}
+
+static void
+subtract(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	dns_fixedname_init(&fixed);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_subtractrdataset(db1, node, VERSION(callback),
+					 &rdataset, 0, NULL);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_subtractrdataset did not assert");
+	ATF_REQUIRE_EQ(result, DNS_R_UNCHANGED);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(subtractrdataset);
+ATF_TC_HEAD(subtractrdataset, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_subtractrdataset passes with matching db/version");
+}
+ATF_TC_BODY(subtractrdataset, tc) {
+
+	UNUSED(tc);
+
+	subtract(NULL);
+}
+
+ATF_TC(subtractrdataset_bad);
+ATF_TC_HEAD(subtractrdataset_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_subtractrdataset aborts with mis-matching db/version");
+}
+ATF_TC_BODY(subtractrdataset_bad, tc) {
+
+	UNUSED(tc);
+
+	subtract(local_callback);
+}
+
+static void
+dump(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	FILE *f = NULL;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	result = isc_file_openunique(tempname, &f);
+	fclose(f);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_dump(db1, VERSION(callback), tempname);
+	(void)unlink(tempname);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_dump did not assert");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(dump);
+ATF_TC_HEAD(dump, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_dump passes with matching db/version");
+}
+ATF_TC_BODY(dump, tc) {
+
+	UNUSED(tc);
+
+	dump(NULL);
+}
+
+ATF_TC(dump_bad);
+ATF_TC_HEAD(dump_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_dump aborts with mis-matching db/version");
+}
+ATF_TC_BODY(dump_bad, tc) {
+
+	UNUSED(tc);
+
+	dump(local_callback);
+}
+
+static void
+addrdataset(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	dns_fixedname_init(&fixed);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_addrdataset(db1, node, VERSION(callback), 0, &rdataset,
+				    0, NULL);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_adddataset did not assert");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(addrdataset);
+ATF_TC_HEAD(addrdataset, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_addrdataset passes with matching db/version");
+}
+ATF_TC_BODY(addrdataset, tc) {
+
+	UNUSED(tc);
+
+	addrdataset(NULL);
+}
+
+ATF_TC(addrdataset_bad);
+ATF_TC_HEAD(addrdataset_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_addrdataset aborts with mis-matching db/version");
+}
+ATF_TC_BODY(addrdataset_bad, tc) {
+
+	UNUSED(tc);
+
+	addrdataset(local_callback);
+}
+
+static void
+getnsec3parameters(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_hash_t hash;
+	uint8_t flags;
+	uint16_t iterations;
+	unsigned char salt[DNS_NSEC3_SALTSIZE];
+	size_t salt_length = sizeof(salt);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	isc_assertion_setcallback(callback);
+	result = dns_db_getnsec3parameters(db1, VERSION(callback), &hash,
+					   &flags, &iterations, salt,
+					   &salt_length);
+	if (callback != NULL)
+		atf_tc_fail("dns_db_dump did not assert");
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(getnsec3parameters);
+ATF_TC_HEAD(getnsec3parameters, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_getnsec3parameters passes with matching db/version");
+}
+ATF_TC_BODY(getnsec3parameters, tc) {
+
+	UNUSED(tc);
+
+	getnsec3parameters(NULL);
+}
+
+ATF_TC(getnsec3parameters_bad);
+ATF_TC_HEAD(getnsec3parameters_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_db_getnsec3parameters aborts with mis-matching db/version");
+}
+ATF_TC_BODY(getnsec3parameters_bad, tc) {
+
+	UNUSED(tc);
+
+	getnsec3parameters(local_callback);
+}
+
+static void
+resigned(isc_assertioncallback_t callback) {
+	isc_result_t result;
+	dns_rdataset_t rdataset, added;
+	dns_dbnode_t *node = NULL;
+	dns_rdatalist_t rdatalist;
+	dns_rdata_rrsig_t rrsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t b;
+	unsigned char buf[1024];
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	setup_db();
+
+	/*
+	 * Create a dummy RRSIG record and set a resigning time.
+	 */
+	dns_rdataset_init(&added);
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	DNS_RDATACOMMON_INIT(&rrsig, dns_rdatatype_rrsig, dns_rdataclass_in);
+	rrsig.covered = dns_rdatatype_a;
+	rrsig.algorithm = 100;
+	rrsig.labels = 0;
+	rrsig.originalttl = 0;
+	rrsig.timeexpire = 3600;
+	rrsig.timesigned = 0;
+	rrsig.keyid = 0;
+	dns_name_init(&rrsig.signer, NULL);
+	dns_name_clone(dns_rootname, &rrsig.signer);
+	rrsig.siglen = 0;
+	rrsig.signature = NULL;
+
+	result = dns_rdata_fromstruct(&rdata, dns_rdataclass_in,
+				      dns_rdatatype_rrsig, &rrsig, &b);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = dns_rdatatype_rrsig;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	rdataset.attributes |= DNS_RDATASETATTR_RESIGN;
+	rdataset.resign = 7200;
+
+	result = dns_db_findnode(db1, dns_rootname, false, &node);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_addrdataset(db1, node, v1, 0, &rdataset, 0, &added);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_db_detachnode(db1, &node);
+	ATF_REQUIRE_EQ(node, NULL);
+
+	isc_assertion_setcallback(callback);
+	dns_db_resigned(db1, &added, VERSION(callback));
+	if (callback != NULL)
+		atf_tc_fail("dns_db_resigned did not assert");
+
+	dns_rdataset_disassociate(&added);
+
+	close_db();
+
+	dns_test_end();
+}
+
+ATF_TC(resigned);
+ATF_TC_HEAD(resigned, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_rdataset_resigned passes with matching db/version");
+}
+ATF_TC_BODY(resigned, tc) {
+
+	UNUSED(tc);
+
+	resigned(NULL);
+}
+
+ATF_TC(resigned_bad);
+ATF_TC_HEAD(resigned_bad, tc) {
+  atf_tc_set_md_var(tc, "descr", "check dns_rdataset_resigned aborts with mis-matching db/version");
+}
+ATF_TC_BODY(resigned_bad, tc) {
+
+	UNUSED(tc);
+
+	resigned(local_callback);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, dump);
+	ATF_TP_ADD_TC(tp, dump_bad);
+	ATF_TP_ADD_TC(tp, find);
+	ATF_TP_ADD_TC(tp, find_bad);
+	ATF_TP_ADD_TC(tp, allrdatasets);
+	ATF_TP_ADD_TC(tp, allrdatasets_bad);
+	ATF_TP_ADD_TC(tp, findrdataset);
+	ATF_TP_ADD_TC(tp, findrdataset_bad);
+	ATF_TP_ADD_TC(tp, addrdataset);
+	ATF_TP_ADD_TC(tp, addrdataset_bad);
+	ATF_TP_ADD_TC(tp, deleterdataset);
+	ATF_TP_ADD_TC(tp, deleterdataset_bad);
+	ATF_TP_ADD_TC(tp, subtractrdataset);
+	ATF_TP_ADD_TC(tp, subtractrdataset_bad);
+	ATF_TP_ADD_TC(tp, attachversion);
+	ATF_TP_ADD_TC(tp, attachversion_bad);
+	ATF_TP_ADD_TC(tp, closeversion);
+	ATF_TP_ADD_TC(tp, closeversion_bad);
+	ATF_TP_ADD_TC(tp, getnsec3parameters);
+	ATF_TP_ADD_TC(tp, getnsec3parameters_bad);
+	ATF_TP_ADD_TC(tp, resigned);
+	ATF_TP_ADD_TC(tp, resigned_bad);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dh_test.c b/lib/dns/tests/dh_test.c
new file mode 100644
index 0000000..6216b4e
--- /dev/null
+++ b/lib/dns/tests/dh_test.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/util.h>
+#include <isc/string.h>
+
+#include <pk11/site.h>
+
+#include <dns/name.h>
+#include <dst/result.h>
+
+#include "../dst_internal.h"
+
+#include "dnstest.h"
+
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
+
+ATF_TC(isc_dh_computesecret);
+ATF_TC_HEAD(isc_dh_computesecret, tc) {
+	atf_tc_set_md_var(tc, "descr", "OpenSSL DH_compute_key() failure");
+}
+ATF_TC_BODY(isc_dh_computesecret, tc) {
+	dst_key_t *key = NULL;
+	isc_buffer_t buf;
+	unsigned char array[1024];
+	isc_result_t ret;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	UNUSED(tc);
+
+	ret = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&buf, "dh.", 3);
+	isc_buffer_add(&buf, 3);
+	ret = dns_name_fromtext(name, &buf, NULL, 0, NULL);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	ret = dst_key_fromfile(name, 18602, DST_ALG_DH,
+			       DST_TYPE_PUBLIC | DST_TYPE_KEY,
+			       "./", mctx, &key);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	isc_buffer_init(&buf, array, sizeof(array));
+	ret = dst_key_computesecret(key, key, &buf);
+	ATF_REQUIRE_EQ(ret, DST_R_NOTPRIVATEKEY);
+	ret = key->func->computesecret(key, key, &buf);
+	ATF_REQUIRE_EQ(ret, DST_R_COMPUTESECRETFAILURE);
+
+	dst_key_free(&key);
+	dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping OpenSSL DH test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("OpenSSL DH not compiled in");
+}
+#endif
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(OPENSSL) && !defined(PK11_DH_DISABLE)
+	ATF_TP_ADD_TC(tp, isc_dh_computesecret);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dispatch_test.c b/lib/dns/tests/dispatch_test.c
new file mode 100644
index 0000000..156fe9f
--- /dev/null
+++ b/lib/dns/tests/dispatch_test.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <atf-c.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/dispatch.h>
+#include <dns/name.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+dns_dispatchmgr_t *dispatchmgr = NULL;
+dns_dispatchset_t *dset = NULL;
+
+static isc_result_t
+make_dispatchset(unsigned int ndisps) {
+	isc_result_t result;
+	isc_sockaddr_t any;
+	unsigned int attrs;
+	dns_dispatch_t *disp = NULL;
+
+	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	isc_sockaddr_any(&any);
+	attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+				     &any, 512, 6, 1024, 17, 19, attrs,
+				     attrs, &disp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_dispatchset_create(mctx, socketmgr, taskmgr, disp,
+					&dset, ndisps);
+	dns_dispatch_detach(&disp);
+
+	return (result);
+}
+
+static void
+teardown(void) {
+	if (dset != NULL)
+		dns_dispatchset_destroy(&dset);
+	if (dispatchmgr != NULL)
+		dns_dispatchmgr_destroy(&dispatchmgr);
+}
+
+/*
+ * Individual unit tests
+ */
+ATF_TC(dispatchset_create);
+ATF_TC_HEAD(dispatchset_create, tc) {
+	atf_tc_set_md_var(tc, "descr", "create dispatch set");
+}
+ATF_TC_BODY(dispatchset_create, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = make_dispatchset(1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	teardown();
+
+	result = make_dispatchset(10);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	teardown();
+
+	dns_test_end();
+}
+
+ATF_TC(dispatchset_get);
+ATF_TC_HEAD(dispatchset_get, tc) {
+	atf_tc_set_md_var(tc, "descr", "test dispatch set round-robin");
+}
+ATF_TC_BODY(dispatchset_get, tc) {
+	isc_result_t result;
+	dns_dispatch_t *d1, *d2, *d3, *d4, *d5;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = make_dispatchset(1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	d1 = dns_dispatchset_get(dset);
+	d2 = dns_dispatchset_get(dset);
+	d3 = dns_dispatchset_get(dset);
+	d4 = dns_dispatchset_get(dset);
+	d5 = dns_dispatchset_get(dset);
+
+	ATF_CHECK_EQ(d1, d2);
+	ATF_CHECK_EQ(d2, d3);
+	ATF_CHECK_EQ(d3, d4);
+	ATF_CHECK_EQ(d4, d5);
+
+	teardown();
+
+	result = make_dispatchset(4);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	d1 = dns_dispatchset_get(dset);
+	d2 = dns_dispatchset_get(dset);
+	d3 = dns_dispatchset_get(dset);
+	d4 = dns_dispatchset_get(dset);
+	d5 = dns_dispatchset_get(dset);
+
+	ATF_CHECK_EQ(d1, d5);
+	ATF_CHECK(d1 != d2);
+	ATF_CHECK(d2 != d3);
+	ATF_CHECK(d3 != d4);
+	ATF_CHECK(d4 != d5);
+
+	teardown();
+	dns_test_end();
+}
+
+static void
+senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socket_t *sock = event->ev_arg;
+
+	UNUSED(task);
+
+	isc_socket_detach(&sock);
+	isc_event_free(&event);
+}
+
+static void
+nameserver(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_region_t region;
+	isc_socket_t *dummy;
+	isc_socket_t *sock = event->ev_arg;
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+	static unsigned char buf1[16];
+	static unsigned char buf2[16];
+
+	memmove(buf1, ev->region.base, 12);
+	memset(buf1 + 12, 0, 4);
+	buf1[2] |= 0x80;	/* qr=1 */
+
+	memmove(buf2, ev->region.base, 12);
+	memset(buf2 + 12, 1, 4);
+	buf2[2] |= 0x80;	/* qr=1 */
+
+	/*
+	 * send message to be discarded.
+	 */
+	region.base = buf1;
+	region.length = sizeof(buf1);
+	dummy = NULL;
+	isc_socket_attach(sock, &dummy);
+	result = isc_socket_sendto(sock, &region, task, senddone, sock,
+				   &ev->address, NULL);
+	if (result != ISC_R_SUCCESS)
+		isc_socket_detach(&dummy);
+
+	/*
+	 * send nextitem message.
+	 */
+	region.base = buf2;
+	region.length = sizeof(buf2);
+	dummy = NULL;
+	isc_socket_attach(sock, &dummy);
+	result = isc_socket_sendto(sock, &region, task, senddone, sock,
+				   &ev->address, NULL);
+	if (result != ISC_R_SUCCESS)
+		isc_socket_detach(&dummy);
+	isc_event_free(&event);
+}
+
+static dns_dispatch_t *dispatch = NULL;
+static dns_dispentry_t *dispentry = NULL;
+static bool first = true;
+static isc_mutex_t lock;
+static isc_sockaddr_t local;
+static unsigned int responses = 0;
+
+static void
+response(isc_task_t *task, isc_event_t *event) {
+	dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+	isc_result_t result;
+	bool wasfirst;
+
+	UNUSED(task);
+
+	LOCK(&lock);
+	wasfirst = first;
+	first = false;
+	responses++;
+	UNLOCK(&lock);
+
+	if (wasfirst) {
+		result = dns_dispatch_getnext(dispentry, &devent);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	} else {
+		dns_dispatch_removeresponse(&dispentry, &devent);
+		isc_app_shutdown();
+	}
+}
+
+static void
+startit(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+
+	isc_socket_attach(dns_dispatch_getsocket(dispatch), &sock);
+	result = isc_socket_sendto(sock, event->ev_arg, task, senddone, sock,
+				   &local, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_event_free(&event);
+}
+
+ATF_TC(dispatch_getnext);
+ATF_TC_HEAD(dispatch_getnext, tc) {
+	atf_tc_set_md_var(tc, "descr", "test dispatch getnext");
+}
+ATF_TC_BODY(dispatch_getnext, tc) {
+	isc_region_t region;
+	isc_result_t result;
+	isc_socket_t *sock = NULL;
+	isc_task_t *task = NULL;
+	uint16_t id;
+	struct in_addr ina;
+	unsigned char message[12];
+	unsigned int attrs;
+	unsigned char rbuf[12];
+
+	UNUSED(tc);
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ina.s_addr = htonl(INADDR_LOOPBACK);
+	isc_sockaddr_fromin(&local, &ina, 0);
+	attrs = DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_UDP;
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+				     &local, 512, 6, 1024, 17, 19, attrs,
+				     attrs, &dispatch);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create a local udp nameserver on the loopback.
+	 */
+	result = isc_socket_create(socketmgr, AF_INET, isc_sockettype_udp,
+				   &sock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ina.s_addr = htonl(INADDR_LOOPBACK);
+	isc_sockaddr_fromin(&local, &ina, 0);
+	result = isc_socket_bind(sock, &local, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_socket_getsockname(sock, &local);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	first = true;
+	region.base = rbuf;
+	region.length = sizeof(rbuf);
+	result = isc_socket_recv(sock, &region, 1, task, nameserver, sock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dispatch_addresponse(dispatch, &local, task, response,
+					  NULL, &id, &dispentry);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(message, 0, sizeof(message));
+	message[0] = (id >> 8) & 0xff;
+	message[1] = id & 0xff;
+
+	region.base = message;
+	region.length = sizeof(message);
+	result = isc_app_onrun(mctx, task, startit, &region);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_app_run();
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK_EQ(responses, 2);
+
+	/*
+	 * Shutdown nameserver.
+	 */
+	isc_socket_cancel(sock, task, ISC_SOCKCANCEL_RECV);
+	isc_socket_detach(&sock);
+	isc_task_detach(&task);
+
+	/*
+	 * Shutdown the dispatch.
+	 */
+	dns_dispatch_detach(&dispatch);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, dispatchset_create);
+	ATF_TP_ADD_TC(tp, dispatchset_get);
+	ATF_TP_ADD_TC(tp, dispatch_getnext);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dnstap_test.c b/lib/dns/tests/dnstap_test.c
new file mode 100644
index 0000000..56e3da4
--- /dev/null
+++ b/lib/dns/tests/dnstap_test.c
@@ -0,0 +1,383 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/stdio.h>
+#include <isc/print.h>
+#include <isc/types.h>
+
+#include <dns/dnstap.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+#ifdef HAVE_DNSTAP
+#include <dns/dnstap.pb-c.h>
+#include <protobuf-c/protobuf-c.h>
+
+#define TAPFILE "testdata/dnstap/dnstap.file"
+#define TAPSOCK "testdata/dnstap/dnstap.sock"
+
+#define TAPSAVED "testdata/dnstap/dnstap.saved"
+#define TAPTEXT "testdata/dnstap/dnstap.text"
+
+/*
+ * Helper functions
+ */
+static void
+cleanup() {
+	(void) isc_file_remove(TAPFILE);
+	(void) isc_file_remove(TAPSOCK);
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(create);
+ATF_TC_HEAD(create, tc) {
+	atf_tc_set_md_var(tc, "descr", "set up dnstap environment");
+}
+ATF_TC_BODY(create, tc) {
+	isc_result_t result;
+	dns_dtenv_t *dtenv = NULL;
+	struct fstrm_iothr_options *fopt;
+
+	UNUSED(tc);
+
+	cleanup();
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	fopt = fstrm_iothr_options_init();
+	ATF_REQUIRE(fopt != NULL);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(mctx, dns_dtmode_file, TAPFILE, &fopt, &dtenv);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	if (dtenv != NULL)
+		dns_dt_detach(&dtenv);
+	if (fopt != NULL)
+		fstrm_iothr_options_destroy(&fopt);
+
+	ATF_CHECK(isc_file_exists(TAPFILE));
+
+	fopt = fstrm_iothr_options_init();
+	ATF_REQUIRE(fopt != NULL);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(mctx, dns_dtmode_unix, TAPSOCK, &fopt, &dtenv);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	if (dtenv != NULL)
+		dns_dt_detach(&dtenv);
+	if (fopt != NULL)
+		fstrm_iothr_options_destroy(&fopt);
+
+	/* 'create' should succeed, but the file shouldn't exist yet */
+	ATF_CHECK(!isc_file_exists(TAPSOCK));
+
+	fopt = fstrm_iothr_options_init();
+	ATF_REQUIRE(fopt != NULL);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(mctx, 33, TAPSOCK, &fopt, &dtenv);
+	ATF_CHECK_EQ(result, ISC_R_FAILURE);
+	ATF_CHECK_EQ(dtenv, NULL);
+	if (dtenv != NULL)
+		dns_dt_detach(&dtenv);
+	if (fopt != NULL)
+		fstrm_iothr_options_destroy(&fopt);
+
+	cleanup();
+
+	dns_dt_shutdown();
+	dns_test_end();
+}
+
+ATF_TC(send);
+ATF_TC_HEAD(send, tc) {
+	atf_tc_set_md_var(tc, "descr", "send dnstap messages");
+}
+ATF_TC_BODY(send, tc) {
+	isc_result_t result;
+	dns_dtenv_t *dtenv = NULL;
+	dns_dthandle_t *handle = NULL;
+	uint8_t *data;
+	size_t dsize;
+	unsigned char zone[DNS_NAME_MAXWIRE];
+	unsigned char qambuffer[4096], rambuffer[4096];
+	unsigned char qrmbuffer[4096], rrmbuffer[4096];
+	isc_buffer_t zb, qamsg, ramsg, qrmsg, rrmsg;
+	size_t qasize, qrsize, rasize, rrsize;
+	dns_fixedname_t zfname;
+	dns_name_t *zname;
+	dns_dtmsgtype_t dt;
+	dns_view_t *view = NULL;
+	dns_compress_t cctx;
+	isc_region_t zr;
+	isc_sockaddr_t qaddr;
+	isc_sockaddr_t raddr;
+	struct in_addr in;
+	isc_stdtime_t now;
+	isc_time_t p, f;
+	struct fstrm_iothr_options *fopt;
+
+	UNUSED(tc);
+
+	cleanup();
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	result = dns_test_makeview("test", &view);
+
+	fopt = fstrm_iothr_options_init();
+	ATF_REQUIRE(fopt != NULL);
+	fstrm_iothr_options_set_num_input_queues(fopt, 1);
+
+	result = dns_dt_create(mctx, dns_dtmode_file, TAPFILE, &fopt, &dtenv);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	dns_dt_attach(dtenv, &view->dtenv);
+	view->dttypes = DNS_DTTYPE_ALL;
+
+	/*
+	 * Set up some test data
+	 */
+	zname = dns_fixedname_initname(&zfname);
+	isc_buffer_constinit(&zb, "example.com.", 12);
+	isc_buffer_add(&zb, 12);
+	result = dns_name_fromtext(zname, &zb, NULL, 0, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(&zr, 0, sizeof(zr));
+	isc_buffer_init(&zb, zone, sizeof(zone));
+	result = dns_compress_init(&cctx, -1, mctx);
+	dns_compress_setmethods(&cctx, DNS_COMPRESS_NONE);
+	result = dns_name_towire(zname, &cctx, &zb);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_compress_invalidate(&cctx);
+	isc_buffer_usedregion(&zb, &zr);
+
+	in.s_addr = inet_addr("10.53.0.1");
+	isc_sockaddr_fromin(&qaddr, &in, 2112);
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&raddr, &in, 2112);
+
+	isc_stdtime_get(&now);
+	isc_time_set(&p, now - 3600, 0); /* past */
+	isc_time_set(&f, now + 3600, 0); /* future */
+
+	result = dns_test_getdata("testdata/dnstap/query.auth",
+				  qambuffer, sizeof(qambuffer), &qasize);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_buffer_init(&qamsg, qambuffer, qasize);
+	isc_buffer_add(&qamsg, qasize);
+
+	result = dns_test_getdata("testdata/dnstap/response.auth",
+				  rambuffer, sizeof(rambuffer), &rasize);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_buffer_init(&ramsg, rambuffer, rasize);
+	isc_buffer_add(&ramsg, rasize);
+
+	result = dns_test_getdata("testdata/dnstap/query.recursive", qrmbuffer,
+				  sizeof(qrmbuffer), &qrsize);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_buffer_init(&qrmsg, qrmbuffer, qrsize);
+	isc_buffer_add(&qrmsg, qrsize);
+
+	result = dns_test_getdata("testdata/dnstap/response.recursive",
+				  rrmbuffer, sizeof(rrmbuffer), &rrsize);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_buffer_init(&rrmsg, rrmbuffer, rrsize);
+	isc_buffer_add(&rrmsg, rrsize);
+
+	for (dt = DNS_DTTYPE_SQ; dt <= DNS_DTTYPE_TR; dt <<= 1) {
+		isc_buffer_t *m;
+		isc_sockaddr_t *q = &qaddr, *r = &raddr;
+
+		switch (dt) {
+		case DNS_DTTYPE_AQ:
+			m = &qamsg;
+			break;
+		case DNS_DTTYPE_AR:
+			m = &ramsg;
+			break;
+		default:
+			m = &qrmsg;
+			if ((dt & DNS_DTTYPE_RESPONSE) != 0)
+				m = &ramsg;
+			break;
+		}
+
+		dns_dt_send(view, dt, q, r, false, &zr, &p, &f, m);
+		dns_dt_send(view, dt, q, r, false, &zr, NULL, &f, m);
+		dns_dt_send(view, dt, q, r, false, &zr, &p, NULL, m);
+		dns_dt_send(view, dt, q, r, false, &zr, NULL, NULL, m);
+		dns_dt_send(view, dt, q, r, true, &zr, &p, &f, m);
+		dns_dt_send(view, dt, q, r, true, &zr, NULL, &f, m);
+		dns_dt_send(view, dt, q, r, true, &zr, &p, NULL, m);
+		dns_dt_send(view, dt, q, r, true, &zr, NULL, NULL, m);
+	}
+
+	dns_dt_detach(&view->dtenv);
+	dns_dt_detach(&dtenv);
+	dns_dt_shutdown();
+	dns_view_detach(&view);
+
+	/*
+	 * XXX now read back and check content.
+	 */
+
+	result = dns_dt_open(TAPFILE, dns_dtmode_file, mctx, &handle);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
+		dns_dtdata_t *dtdata = NULL;
+		isc_region_t r;
+		static dns_dtmsgtype_t expected = DNS_DTTYPE_SQ;
+		static int n = 0;
+
+		r.base = data;
+		r.length = dsize;
+
+		result = dns_dt_parse(mctx, &r, &dtdata);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS) {
+			n++;
+			continue;
+		}
+
+		ATF_CHECK_EQ(dtdata->type, expected);
+		if (++n % 8 == 0)
+			expected <<= 1;
+
+		dns_dtdata_free(&dtdata);
+	}
+
+	if (fopt != NULL)
+		fstrm_iothr_options_destroy(&fopt);
+	if (handle != NULL)
+		dns_dt_close(&handle);
+	cleanup();
+
+	dns_test_end();
+}
+
+ATF_TC(totext);
+ATF_TC_HEAD(totext, tc) {
+	atf_tc_set_md_var(tc, "descr", "dnstap message to text");
+}
+ATF_TC_BODY(totext, tc) {
+	isc_result_t result;
+	dns_dthandle_t *handle = NULL;
+	uint8_t *data;
+	size_t dsize;
+	FILE *fp = NULL;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	result = dns_dt_open(TAPSAVED, dns_dtmode_file, mctx, &handle);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_stdio_open(TAPTEXT, "r", &fp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* make sure text conversion gets the right local time */
+	setenv("TZ", "PST8", 1);
+
+	while (dns_dt_getframe(handle, &data, &dsize) == ISC_R_SUCCESS) {
+		dns_dtdata_t *dtdata = NULL;
+		isc_buffer_t *b = NULL;
+		isc_region_t r;
+		char s[BUFSIZ], *p;
+
+		r.base = data;
+		r.length = dsize;
+
+		/* read the corresponding line of text */
+		p = fgets(s, sizeof(s), fp);
+		ATF_CHECK_EQ(p, s);
+		if (p == NULL)
+			break;
+
+		p = strchr(p, '\n');
+		if (p != NULL)
+			*p = '\0';
+
+		/* parse dnstap frame */
+		result = dns_dt_parse(mctx, &r, &dtdata);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		isc_buffer_allocate(mctx, &b, 2048);
+		ATF_CHECK(b != NULL);
+		if (b == NULL)
+			break;
+
+		/* convert to text and compare */
+		result = dns_dt_datatotext(dtdata, &b);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+		ATF_CHECK_STREQ((char *) isc_buffer_base(b), s);
+
+		dns_dtdata_free(&dtdata);
+		isc_buffer_free(&b);
+	}
+
+	if (handle != NULL)
+		dns_dt_close(&handle);
+	cleanup();
+
+	dns_test_end();
+}
+
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping dnstap test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("dnstap not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#ifdef HAVE_DNSTAP
+	ATF_TP_ADD_TC(tp, create);
+	ATF_TP_ADD_TC(tp, send);
+	ATF_TP_ADD_TC(tp, totext);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/dnstest.c b/lib/dns/tests/dnstest.c
new file mode 100644
index 0000000..51bb90b
--- /dev/null
+++ b/lib/dns/tests/dnstest.c
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "dnstest.h"
+
+isc_mem_t *mctx = NULL;
+isc_entropy_t *ectx = NULL;
+isc_log_t *lctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *maintask = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+dns_zonemgr_t *zonemgr = NULL;
+bool app_running = false;
+int ncpus;
+bool debug_mem_record = true;
+
+static bool hash_active = false, dst_active = false;
+
+/*
+ * Logging categories: this needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = {
+		{ "",                0 },
+		{ "client",          0 },
+		{ "network",         0 },
+		{ "update",          0 },
+		{ "queries",         0 },
+		{ "unmatched",       0 },
+		{ "update-security", 0 },
+		{ "query-errors",    0 },
+		{ NULL,              0 }
+};
+
+static void
+cleanup_managers(void) {
+	if (app_running)
+		isc_app_finish();
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (maintask != NULL)
+		isc_task_destroy(&maintask);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+}
+
+static isc_result_t
+create_managers(void) {
+	isc_result_t result;
+#ifdef ISC_PLATFORM_USETHREADS
+	ncpus = isc_os_ncpus();
+#else
+	ncpus = 1;
+#endif
+
+	CHECK(isc_taskmgr_create(mctx, ncpus, 0, &taskmgr));
+	CHECK(isc_timermgr_create(mctx, &timermgr));
+	CHECK(isc_socketmgr_create(mctx, &socketmgr));
+	CHECK(isc_task_create(taskmgr, 0, &maintask));
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cleanup_managers();
+	return (result);
+}
+
+isc_result_t
+dns_test_begin(FILE *logfile, bool start_managers) {
+	isc_result_t result;
+
+	if (start_managers)
+		CHECK(isc_app_start());
+	if (debug_mem_record)
+		isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	CHECK(isc_mem_create(0, 0, &mctx));
+	CHECK(isc_entropy_create(mctx, &ectx));
+
+	CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE));
+	hash_active = true;
+
+	CHECK(dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING));
+	dst_active = true;
+
+	if (logfile != NULL) {
+		isc_logdestination_t destination;
+		isc_logconfig_t *logconfig = NULL;
+
+		CHECK(isc_log_create(mctx, &lctx, &logconfig));
+		isc_log_registercategories(lctx, categories);
+		isc_log_setcontext(lctx);
+		dns_log_init(lctx);
+		dns_log_setcontext(lctx);
+
+		destination.file.stream = logfile;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		CHECK(isc_log_createchannel(logconfig, "stderr",
+					    ISC_LOG_TOFILEDESC,
+					    ISC_LOG_DYNAMIC,
+					    &destination, 0));
+		CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+	}
+
+	dns_result_register();
+
+	if (start_managers)
+		CHECK(create_managers());
+
+	/*
+	 * atf-run changes us to a /tmp directory, so tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	if (chdir(TESTS) == -1)
+		CHECK(ISC_R_FAILURE);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_test_end();
+	return (result);
+}
+
+void
+dns_test_end(void) {
+	if (dst_active) {
+		dst_lib_destroy();
+		dst_active = false;
+	}
+	if (hash_active) {
+		isc_hash_destroy();
+		hash_active = false;
+	}
+	if (ectx != NULL)
+		isc_entropy_detach(&ectx);
+
+	cleanup_managers();
+
+	if (lctx != NULL)
+		isc_log_destroy(&lctx);
+
+	if (mctx != NULL)
+		isc_mem_destroy(&mctx);
+}
+
+/*
+ * Create a view.
+ */
+isc_result_t
+dns_test_makeview(const char *name, dns_view_t **viewp) {
+	isc_result_t result;
+	dns_view_t *view = NULL;
+
+	CHECK(dns_view_create(mctx, dns_rdataclass_in, name, &view));
+	*viewp = view;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (view != NULL)
+		dns_view_detach(&view);
+	return (result);
+}
+
+isc_result_t
+dns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		  bool createview)
+{
+	dns_fixedname_t fixed_origin;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+	dns_name_t *origin;
+
+	REQUIRE(view == NULL || !createview);
+
+	/*
+	 * Create the zone structure.
+	 */
+	result = dns_zone_create(&zone, mctx);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Set zone type and origin.
+	 */
+	dns_zone_settype(zone, dns_zone_master);
+	origin = dns_fixedname_initname(&fixed_origin);
+	result = dns_name_fromstring(origin, name, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_zone;
+	}
+	result = dns_zone_setorigin(zone, origin);
+	if (result != ISC_R_SUCCESS) {
+		goto detach_zone;
+	}
+
+	/*
+	 * If requested, create a view.
+	 */
+	if (createview) {
+		result = dns_test_makeview("view", &view);
+		if (result != ISC_R_SUCCESS) {
+			goto detach_zone;
+		}
+	}
+
+	/*
+	 * If a view was passed as an argument or created above, attach the
+	 * created zone to it.  Otherwise, set the zone's class to IN.
+	 */
+	if (view != NULL) {
+		dns_zone_setview(zone, view);
+		dns_zone_setclass(zone, view->rdclass);
+		dns_view_addzone(view, zone);
+	} else {
+		dns_zone_setclass(zone, dns_rdataclass_in);
+	}
+
+	*zonep = zone;
+
+	return (ISC_R_SUCCESS);
+
+ detach_zone:
+	dns_zone_detach(&zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_test_setupzonemgr(void) {
+	isc_result_t result;
+	REQUIRE(zonemgr == NULL);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &zonemgr);
+	return (result);
+}
+
+isc_result_t
+dns_test_managezone(dns_zone_t *zone) {
+	isc_result_t result;
+	REQUIRE(zonemgr != NULL);
+
+	result = dns_zonemgr_setsize(zonemgr, 1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_zonemgr_managezone(zonemgr, zone);
+	return (result);
+}
+
+void
+dns_test_releasezone(dns_zone_t *zone) {
+	REQUIRE(zonemgr != NULL);
+	dns_zonemgr_releasezone(zonemgr, zone);
+}
+
+void
+dns_test_closezonemgr(void) {
+	REQUIRE(zonemgr != NULL);
+
+	dns_zonemgr_shutdown(zonemgr);
+	dns_zonemgr_detach(&zonemgr);
+}
+
+/*
+ * Sleep for 'usec' microseconds.
+ */
+void
+dns_test_nap(uint32_t usec) {
+#ifdef HAVE_NANOSLEEP
+	struct timespec ts;
+
+	ts.tv_sec = usec / 1000000;
+	ts.tv_nsec = (usec % 1000000) * 1000;
+	nanosleep(&ts, NULL);
+#elif HAVE_USLEEP
+	usleep(usec);
+#else
+	/*
+	 * No fractional-second sleep function is available, so we
+	 * round up to the nearest second and sleep instead
+	 */
+	sleep((usec / 1000000) + 1);
+#endif
+}
+
+isc_result_t
+dns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+		const char *testfile)
+{
+	isc_result_t		result;
+	dns_fixedname_t		fixed;
+	dns_name_t		*name;
+
+	name = dns_fixedname_initname(&fixed);
+
+	result = dns_name_fromstring(name, origin, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return(result);
+
+	result = dns_db_create(mctx, "rbt", name, dbtype, dns_rdataclass_in,
+			       0, NULL, db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_load(*db, testfile);
+	return (result);
+}
+
+static int
+fromhex(char c) {
+	if (c >= '0' && c <= '9')
+		return (c - '0');
+	else if (c >= 'a' && c <= 'f')
+		return (c - 'a' + 10);
+	else if (c >= 'A' && c <= 'F')
+		return (c - 'A' + 10);
+
+	printf("bad input format: %02x\n", c);
+	exit(3);
+	/* NOTREACHED */
+}
+
+/*
+ * Format contents of given memory region as a hex string, using the buffer
+ * of length 'buflen' pointed to by 'buf'. 'buflen' must be at least three
+ * times 'len'. Always returns 'buf'.
+ */
+char *
+dns_test_tohex(const unsigned char *data, size_t len, char *buf, size_t buflen)
+{
+	isc_constregion_t source = {
+		.base = data,
+		.length = len
+	};
+	isc_buffer_t target;
+	isc_result_t result;
+
+	memset(buf, 0, buflen);
+	isc_buffer_init(&target, buf, buflen);
+	result = isc_hex_totext((isc_region_t *)&source, 1, " ", &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	return (buf);
+}
+
+isc_result_t
+dns_test_getdata(const char *file, unsigned char *buf,
+		 size_t bufsiz, size_t *sizep)
+{
+	isc_result_t result;
+	unsigned char *bp;
+	char *rp, *wp;
+	char s[BUFSIZ];
+	size_t len, i;
+	FILE *f = NULL;
+	int n;
+
+	result = isc_stdio_open(file, "r", &f);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	bp = buf;
+	while (fgets(s, sizeof(s), f) != NULL) {
+		rp = s;
+		wp = s;
+		len = 0;
+		while (*rp != '\0') {
+			if (*rp == '#')
+				break;
+			if (*rp != ' ' && *rp != '\t' &&
+			    *rp != '\r' && *rp != '\n') {
+				*wp++ = *rp;
+				len++;
+			}
+			rp++;
+		}
+		if (len == 0U)
+			continue;
+		if (len % 2 != 0U)
+			CHECK(ISC_R_UNEXPECTEDEND);
+		if (len > bufsiz * 2)
+			CHECK(ISC_R_NOSPACE);
+		rp = s;
+		for (i = 0; i < len; i += 2) {
+			n = fromhex(*rp++);
+			n *= 16;
+			n += fromhex(*rp++);
+			*bp++ = n;
+		}
+	}
+
+
+	*sizep = bp - buf;
+
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	isc_stdio_close(f);
+	return (result);
+}
+
+isc_result_t
+dns_test_rdatafromstring(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, unsigned char *dst,
+			 size_t dstlen, const char *src)
+{
+	isc_buffer_t source, target;
+	isc_lex_t *lex = NULL;
+	isc_result_t result;
+	size_t length;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+	REQUIRE(dst != NULL);
+	REQUIRE(src != NULL);
+
+	/*
+	 * Set up source to hold the input string.
+	 */
+	length = strlen(src);
+	isc_buffer_constinit(&source, src, length);
+	isc_buffer_add(&source, length);
+
+	/*
+	 * Create a lexer as one is required by dns_rdata_fromtext().
+	 */
+	result = isc_lex_create(mctx, 64, &lex);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Point lexer at source.
+	 */
+	result = isc_lex_openbuffer(lex, &source);
+	if (result != ISC_R_SUCCESS) {
+		goto destroy_lexer;
+	}
+
+	/*
+	 * Set up target for storing uncompressed wire form of provided RDATA.
+	 */
+	isc_buffer_init(&target, dst, dstlen);
+
+	/*
+	 * Parse input string, determining result.
+	 */
+	result = dns_rdata_fromtext(rdata, rdclass, rdtype, lex, dns_rootname,
+				    0, NULL, &target, NULL);
+
+ destroy_lexer:
+	isc_lex_destroy(&lex);
+
+	return (result);
+}
+
+void
+dns_test_namefromstring(const char *namestr, dns_fixedname_t *fname) {
+	size_t length;
+	isc_buffer_t *b = NULL;
+	isc_result_t result;
+	dns_name_t *name;
+
+	length = strlen(namestr);
+
+	result = isc_buffer_allocate(mctx, &b, length);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_buffer_putmem(b, (const unsigned char *) namestr, length);
+
+	name = dns_fixedname_initname(fname);
+	ATF_REQUIRE(name != NULL);
+	result = dns_name_fromtext(name, b, dns_rootname, 0, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_buffer_free(&b);
+}
+
+isc_result_t
+dns_test_difffromchanges(dns_diff_t *diff, const zonechange_t *changes) {
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned char rdata_buf[1024];
+	dns_difftuple_t *tuple = NULL;
+	isc_consttextregion_t region;
+	dns_rdatatype_t rdatatype;
+	dns_fixedname_t fixedname;
+	dns_rdata_t rdata;
+	dns_name_t *name;
+	size_t i;
+
+	REQUIRE(diff != NULL);
+	REQUIRE(changes != NULL);
+
+	dns_diff_init(mctx, diff);
+
+	for (i = 0; changes[i].owner != NULL; i++) {
+		/*
+		 * Parse owner name.
+		 */
+		name = dns_fixedname_initname(&fixedname);
+		result = dns_name_fromstring(name, changes[i].owner, 0, mctx);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Parse RDATA type.
+		 */
+		region.base = changes[i].type;
+		region.length = strlen(changes[i].type);
+		result = dns_rdatatype_fromtext(&rdatatype,
+						(isc_textregion_t *)&region);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Parse RDATA.
+		 */
+		dns_rdata_init(&rdata);
+		result = dns_test_rdatafromstring(&rdata, dns_rdataclass_in,
+						  rdatatype, rdata_buf,
+						  sizeof(rdata_buf),
+						  changes[i].rdata);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+
+		/*
+		 * Create a diff tuple for the parsed change and append it to
+		 * the diff.
+		 */
+		result = dns_difftuple_create(mctx, changes[i].op, name,
+					      changes[i].ttl, &rdata, &tuple);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+		dns_diff_append(diff, &tuple);
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		dns_diff_clear(diff);
+	}
+
+	return (result);
+}
diff --git a/lib/dns/tests/dnstest.h b/lib/dns/tests/dnstest.h
new file mode 100644
index 0000000..ebbca6c
--- /dev/null
+++ b/lib/dns/tests/dnstest.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/diff.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#define CHECK(r) \
+	do { \
+		result = (r); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
+typedef struct {
+	dns_diffop_t op;
+	const char *owner;
+	dns_ttl_t ttl;
+	const char *type;
+	const char *rdata;
+} zonechange_t;
+
+#define ZONECHANGE_SENTINEL { 0, NULL, 0, NULL, NULL }
+
+extern isc_mem_t *mctx;
+extern isc_entropy_t *ectx;
+extern isc_log_t *lctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *maintask;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern dns_zonemgr_t *zonemgr;
+extern bool app_running;
+extern int ncpus;
+extern bool debug_mem_record;
+
+isc_result_t
+dns_test_begin(FILE *logfile, bool create_managers);
+
+void
+dns_test_end(void);
+
+isc_result_t
+dns_test_makeview(const char *name, dns_view_t **viewp);
+
+/*%
+ * Create a zone with origin 'name', return a pointer to the zone object in
+ * 'zonep'.
+ *
+ * If 'view' is set, the returned zone will be assigned to the passed view.
+ * 'createview' must be set to false when 'view' is non-NULL.
+ *
+ * If 'view' is not set and 'createview' is true, a new view is also created
+ * and the returned zone is assigned to it.  This imposes two requirements on
+ * the caller: 1) the returned zone has to be subsequently assigned to a zone
+ * manager, otherwise its cleanup will fail, 2) the created view has to be
+ * cleaned up by the caller.
+ *
+ * If 'view' is not set and 'createview' is false, the returned zone will not
+ * be assigned to any view.
+ */
+isc_result_t
+dns_test_makezone(const char *name, dns_zone_t **zonep, dns_view_t *view,
+		  bool createview);
+
+isc_result_t
+dns_test_setupzonemgr(void);
+
+isc_result_t
+dns_test_managezone(dns_zone_t *zone);
+
+void
+dns_test_releasezone(dns_zone_t *zone);
+
+void
+dns_test_closezonemgr(void);
+
+void
+dns_test_nap(uint32_t usec);
+
+isc_result_t
+dns_test_loaddb(dns_db_t **db, dns_dbtype_t dbtype, const char *origin,
+		const char *testfile);
+
+isc_result_t
+dns_test_getdata(const char *file, unsigned char *buf,
+		 size_t bufsiz, size_t *sizep);
+
+char *
+dns_test_tohex(const unsigned char *data, size_t len, char *buf, size_t buflen);
+
+/*%
+ * Try parsing text form RDATA in "src" (of class "rdclass" and type "rdtype")
+ * into a structure representing that RDATA at "rdata", storing the
+ * uncompressed wire form of that RDATA at "dst", which is "dstlen" bytes long.
+ */
+isc_result_t
+dns_test_rdatafromstring(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+			 dns_rdatatype_t rdtype, unsigned char *dst,
+			 size_t dstlen, const char *src);
+
+void
+dns_test_namefromstring(const char *namestr, dns_fixedname_t *fname);
+
+/*%
+ * Given a pointer to an uninitialized dns_diff_t structure in 'diff', make it
+ * contain diff tuples representing zone database changes listed in 'changes'.
+ */
+isc_result_t
+dns_test_difffromchanges(dns_diff_t *diff, const zonechange_t *changes);
diff --git a/lib/dns/tests/dst_test.c b/lib/dns/tests/dst_test.c
new file mode 100644
index 0000000..421ab2f
--- /dev/null
+++ b/lib/dns/tests/dst_test.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/file.h>
+#include <isc/util.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include "../dst_internal.h"
+
+#include "dnstest.h"
+
+ATF_TC(sig);
+ATF_TC_HEAD(sig, tc) {
+	atf_tc_set_md_var(tc, "descr", "signature ineffability");
+}
+
+/*
+ * Read sig in file at path to buf.
+ */
+static isc_result_t
+sig_fromfile(const char *path, isc_buffer_t *buf) {
+	isc_result_t result;
+	size_t rval, len;
+	FILE *fp = NULL;
+	unsigned char val;
+	char *p, *data;
+	off_t size;
+
+	result = isc_stdio_open(path, "rb", &fp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_file_getsizefd(fileno(fp), &size);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	data = isc_mem_get(mctx, (size + 1));
+	ATF_REQUIRE(data != NULL);
+
+	len = (size_t)size;
+	p = data;
+	while (len != 0U) {
+		result = isc_stdio_read(p, 1, len, fp, &rval);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		len -= rval;
+		p += rval;
+	}
+	isc_stdio_close(fp);
+
+	p = data;
+	len = size;
+	while (len > 0U) {
+		if ((*p == '\r') || (*p == '\n')) {
+			++p;
+			--len;
+			continue;
+		} else if (len < 2U)
+		       goto err;
+		if (('0' <= *p) && (*p <= '9')) {
+			val = *p - '0';
+		} else if (('A' <= *p) && (*p <= 'F')) {
+			val = *p - 'A' + 10;
+		} else {
+			result = ISC_R_BADHEX;
+			goto err;
+		}
+		++p;
+		val <<= 4;
+		--len;
+		if (('0' <= *p) && (*p <= '9')) {
+			val |= (*p - '0');
+		} else if (('A' <= *p) && (*p <= 'F')) {
+			val |= (*p - 'A' + 10);
+		} else {
+			result = ISC_R_BADHEX;
+			goto err;
+		}
+		++p;
+		--len;
+		isc_buffer_putuint8(buf, val);
+	}
+
+	result = ISC_R_SUCCESS;
+
+ err:
+	isc_mem_put(mctx, data, size + 1);
+	return (result);
+}
+
+static void
+check_sig(const char *datapath, const char *sigpath, const char *keyname,
+	  dns_keytag_t id, dns_secalg_t alg, int type, bool expect)
+{
+	isc_result_t result;
+	size_t rval, len;
+	FILE *fp;
+	dst_key_t *key = NULL;
+	unsigned char sig[512];
+	unsigned char *p;
+	unsigned char *data;
+	off_t size;
+	isc_buffer_t b;
+	isc_buffer_t databuf, sigbuf;
+	isc_region_t datareg, sigreg;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dst_context_t *ctx = NULL;
+
+	/*
+	 * Read data from file in a form usable by dst_verify.
+	 */
+	result = isc_stdio_open(datapath, "rb", &fp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_file_getsizefd(fileno(fp), &size);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	data = isc_mem_get(mctx, (size + 1));
+	ATF_REQUIRE(data != NULL);
+
+	p = data;
+	len = (size_t)size;
+	do {
+		result = isc_stdio_read(p, 1, len, fp, &rval);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		len -= rval;
+		p += rval;
+	} while (len);
+	isc_stdio_close(fp);
+
+	/*
+	 * Read key from file in a form usable by dst_verify.
+	 */
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&b, keyname, strlen(keyname));
+	isc_buffer_add(&b, strlen(keyname));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dst_key_fromfile(name, id, alg, type, "testdata/dst",
+				  mctx, &key);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&databuf, data, (unsigned int)size);
+	isc_buffer_add(&databuf, (unsigned int)size);
+	isc_buffer_usedregion(&databuf, &datareg);
+
+	memset(sig, 0, sizeof(sig));
+	isc_buffer_init(&sigbuf, sig, sizeof(sig));
+
+	/*
+	 * Read precomputed signature from file in a form usable by dst_verify.
+	 */
+	result = sig_fromfile(sigpath, &sigbuf);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Verify that the key signed the data.
+	 */
+	isc_buffer_remainingregion(&sigbuf, &sigreg);
+
+	result = dst_context_create3(key, mctx, DNS_LOGCATEGORY_GENERAL,
+				     false, &ctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dst_context_adddata(ctx, &datareg);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dst_context_verify(ctx, &sigreg);
+
+	ATF_REQUIRE((expect && (result == ISC_R_SUCCESS)) ||
+		    (!expect && (result != ISC_R_SUCCESS)));
+
+
+	isc_mem_put(mctx, data, size + 1);
+	dst_context_destroy(&ctx);
+	dst_key_free(&key);
+
+	return;
+}
+
+ATF_TC_BODY(sig, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	struct {
+		const char *datapath;
+		const char *sigpath;
+		const char *keyname;
+		dns_keytag_t keyid;
+		dns_secalg_t alg;
+		bool expect;
+	} testcases[] = {
+		{
+			"testdata/dst/test1.data",
+			"testdata/dst/test1.dsasig",
+			"test.", 23616, DST_ALG_DSA, true
+		},
+		{
+			"testdata/dst/test1.data",
+			"testdata/dst/test1.rsasig",
+			"test.", 54622, DST_ALG_RSAMD5, true
+		},
+		{
+			/* wrong sig */
+			"testdata/dst/test1.data",
+			"testdata/dst/test1.dsasig",
+			"test.", 54622, DST_ALG_RSAMD5, false
+		},
+		{
+			/* wrong data */
+			"testdata/dst/test2.data",
+			"testdata/dst/test1.dsasig",
+			"test.", 23616, DST_ALG_DSA, false
+		},
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		if (!dst_algorithm_supported(testcases[i].alg)) {
+			continue;
+		}
+
+		check_sig(testcases[i].datapath,
+			  testcases[i].sigpath,
+			  testcases[i].keyname,
+			  testcases[i].keyid,
+			  testcases[i].alg,
+			  DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
+			  testcases[i].expect);
+	}
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, sig);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/geoip_test.c b/lib/dns/tests/geoip_test.c
new file mode 100644
index 0000000..4e8a5f0
--- /dev/null
+++ b/lib/dns/tests/geoip_test.c
@@ -0,0 +1,711 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/types.h>
+
+#include <dns/geoip.h>
+
+#include "dnstest.h"
+
+#ifdef HAVE_GEOIP
+#include <GeoIP.h>
+
+/* We use GeoIP databases from the 'geoip' system test */
+#define TEST_GEOIP_DATA "../../../bin/tests/system/geoip/data"
+
+/*
+ * Helper functions
+ * (Mostly copied from bin/named/geoip.c)
+ */
+static dns_geoip_databases_t geoip = {
+	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
+static void
+init_geoip_db(GeoIP **dbp, GeoIPDBTypes edition, GeoIPDBTypes fallback,
+	      GeoIPOptions method, const char *name)
+{
+	char *info;
+	GeoIP *db;
+
+	REQUIRE(dbp != NULL);
+
+	db = *dbp;
+
+	if (db != NULL) {
+		GeoIP_delete(db);
+		db = *dbp = NULL;
+	}
+
+	if (! GeoIP_db_avail(edition)) {
+		fprintf(stderr, "GeoIP %s (type %d) DB not available\n",
+			name, edition);
+		goto fail;
+	}
+
+	fprintf(stderr, "initializing GeoIP %s (type %d) DB\n",
+		name, edition);
+
+	db = GeoIP_open_type(edition, method);
+	if (db == NULL) {
+		fprintf(stderr,
+			"failed to initialize GeoIP %s (type %d) DB%s\n",
+			name, edition, fallback == 0
+			 ? "; geoip matches using this database will fail"
+			 : "");
+		goto fail;
+	}
+
+	info = GeoIP_database_info(db);
+	if (info != NULL)
+		fprintf(stderr, "%s\n", info);
+
+	*dbp = db;
+	return;
+
+ fail:
+	if (fallback != 0)
+		init_geoip_db(dbp, fallback, 0, method, name);
+}
+
+static void
+load_geoip(const char *dir) {
+	GeoIPOptions method;
+
+#ifdef _WIN32
+	method = GEOIP_STANDARD;
+#else
+	method = GEOIP_MMAP_CACHE;
+#endif
+
+	if (dir != NULL) {
+		char *p;
+		DE_CONST(dir, p);
+		GeoIP_setup_custom_directory(p);
+	}
+
+	init_geoip_db(&geoip.country_v4, GEOIP_COUNTRY_EDITION, 0,
+		      method, "Country (IPv4)");
+#ifdef HAVE_GEOIP_V6
+	init_geoip_db(&geoip.country_v6, GEOIP_COUNTRY_EDITION_V6, 0,
+		      method, "Country (IPv6)");
+#endif
+
+	init_geoip_db(&geoip.city_v4, GEOIP_CITY_EDITION_REV1,
+		      GEOIP_CITY_EDITION_REV0, method, "City (IPv4)");
+#if defined(HAVE_GEOIP_V6) && defined(HAVE_GEOIP_CITY_V6)
+	init_geoip_db(&geoip.city_v6, GEOIP_CITY_EDITION_REV1_V6,
+		      GEOIP_CITY_EDITION_REV0_V6, method, "City (IPv6)");
+#endif
+
+	init_geoip_db(&geoip.region, GEOIP_REGION_EDITION_REV1,
+		      GEOIP_REGION_EDITION_REV0, method, "Region");
+	init_geoip_db(&geoip.isp, GEOIP_ISP_EDITION, 0,
+		      method, "ISP");
+	init_geoip_db(&geoip.org, GEOIP_ORG_EDITION, 0,
+		      method, "Org");
+	init_geoip_db(&geoip.as, GEOIP_ASNUM_EDITION, 0,
+		      method, "AS");
+	init_geoip_db(&geoip.domain, GEOIP_DOMAIN_EDITION, 0,
+		      method, "Domain");
+	init_geoip_db(&geoip.netspeed, GEOIP_NETSPEED_EDITION, 0,
+		      method, "NetSpeed");
+}
+
+static bool
+do_lookup_string(const char *addr, uint8_t *scope,
+		 dns_geoip_subtype_t subtype, const char *string)
+{
+	dns_geoip_elem_t elt;
+	struct in_addr in4;
+	isc_netaddr_t na;
+
+	inet_pton(AF_INET, addr, &in4);
+	isc_netaddr_fromin(&na, &in4);
+
+	elt.subtype = subtype;
+	strlcpy(elt.as_string, string, sizeof(elt.as_string));
+
+	return (dns_geoip_match(&na, scope, &geoip, &elt));
+}
+
+static bool
+do_lookup_string_v6(const char *addr, uint8_t *scope,
+		    dns_geoip_subtype_t subtype, const char *string)
+{
+	dns_geoip_elem_t elt;
+	struct in6_addr in6;
+	isc_netaddr_t na;
+
+	inet_pton(AF_INET6, addr, &in6);
+	isc_netaddr_fromin6(&na, &in6);
+
+	elt.subtype = subtype;
+	strlcpy(elt.as_string, string, sizeof(elt.as_string));
+
+	return (dns_geoip_match(&na, scope, &geoip, &elt));
+}
+
+static bool
+do_lookup_int(const char *addr, uint8_t *scope,
+	      dns_geoip_subtype_t subtype, int id)
+{
+	dns_geoip_elem_t elt;
+	struct in_addr in4;
+	isc_netaddr_t na;
+
+	inet_pton(AF_INET, addr, &in4);
+	isc_netaddr_fromin(&na, &in4);
+
+	elt.subtype = subtype;
+	elt.as_int = id;
+
+	return (dns_geoip_match(&na, scope, &geoip, &elt));
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* GeoIP country matching */
+ATF_TC(country);
+ATF_TC_HEAD(country, tc) {
+	atf_tc_set_md_var(tc, "descr", "test country database matching");
+}
+ATF_TC_BODY(country, tc) {
+	isc_result_t result;
+	bool match;
+	uint8_t scope;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.country_v4 == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.1", &scope,
+				 dns_geoip_country_code, "AU");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 32);
+
+	match = do_lookup_string("10.53.0.1", &scope,
+				 dns_geoip_country_code3, "AUS");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 32);
+
+	match = do_lookup_string("10.53.0.1", &scope,
+				 dns_geoip_country_name, "Australia");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 32);
+
+	match = do_lookup_string("192.0.2.128", &scope,
+				 dns_geoip_country_code, "O1");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 24);
+
+	match = do_lookup_string("192.0.2.128", &scope,
+				 dns_geoip_country_name, "Other");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 24);
+
+	dns_test_end();
+}
+
+/* GeoIP country (ipv6) matching */
+ATF_TC(country_v6);
+ATF_TC_HEAD(country_v6, tc) {
+	atf_tc_set_md_var(tc, "descr", "test country (ipv6) database matching");
+}
+ATF_TC_BODY(country_v6, tc) {
+	isc_result_t result;
+	bool match;
+	uint8_t scope;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.country_v6 == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+				    dns_geoip_country_code, "AU");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 128);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+				    dns_geoip_country_code3, "AUS");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 128);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+				    dns_geoip_country_name, "Australia");
+	ATF_CHECK(match);
+	ATF_CHECK_EQ(scope, 128);
+
+	dns_test_end();
+}
+
+/* GeoIP city (ipv4) matching */
+ATF_TC(city);
+ATF_TC_HEAD(city, tc) {
+	atf_tc_set_md_var(tc, "descr", "test city database matching");
+}
+ATF_TC_BODY(city, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.city_v4 == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_continentcode, "NA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_countrycode, "US");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_countrycode3, "USA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_countryname, "United States");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_region, "CA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_regionname, "California");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_name, "Redwood City");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_city_postalcode, "94063");
+	ATF_CHECK(match);
+
+	match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_areacode, 650);
+	ATF_CHECK(match);
+
+	match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_metrocode, 807);
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/* GeoIP city (ipv6) matching */
+ATF_TC(city_v6);
+ATF_TC_HEAD(city_v6, tc) {
+	atf_tc_set_md_var(tc, "descr", "test city (ipv6) database matching");
+}
+ATF_TC_BODY(city_v6, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.city_v6 == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_continentcode, "NA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_countrycode, "US");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_countrycode3, "USA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_countryname,
+				    "United States");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_region, "CA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_regionname, "California");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_name, "Redwood City");
+	ATF_CHECK(match);
+
+	match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+				    dns_geoip_city_postalcode, "94063");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+
+/* GeoIP region matching */
+ATF_TC(region);
+ATF_TC_HEAD(region, tc) {
+	atf_tc_set_md_var(tc, "descr", "test region database matching");
+}
+ATF_TC_BODY(region, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.region == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_region_code, "CA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_region_name, "California");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.1", NULL,
+				 dns_geoip_region_countrycode, "US");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/*
+ * GeoIP best-database matching
+ * (With no specified databse and a city database available, answers
+ * should come from city database.  With city database unavailable, region
+ * database.  Region database unavailable, country database.)
+ */
+ATF_TC(best);
+ATF_TC_HEAD(best, tc) {
+	atf_tc_set_md_var(tc, "descr", "test best database matching");
+}
+ATF_TC_BODY(best, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.region == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode, "US");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode3, "USA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countryname, "United States");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_regionname, "Virginia");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_region, "VA");
+	ATF_CHECK(match);
+
+	GeoIP_delete(geoip.city_v4);
+	geoip.city_v4 = NULL;
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode, "AU");
+	ATF_CHECK(match);
+
+	/*
+	 * Note, region doesn't support code3 or countryname, so
+	 * the next two would be answered from the country database instead
+	 */
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode3, "CAN");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countryname, "Canada");
+	ATF_CHECK(match);
+
+	GeoIP_delete(geoip.region);
+	geoip.region = NULL;
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode, "CA");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countrycode3, "CAN");
+	ATF_CHECK(match);
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_countryname, "Canada");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+
+/* GeoIP asnum matching */
+ATF_TC(asnum);
+ATF_TC_HEAD(asnum, tc) {
+	atf_tc_set_md_var(tc, "descr", "test asnum database matching");
+}
+ATF_TC_BODY(asnum, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.as == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+
+	match = do_lookup_string("10.53.0.3", NULL, dns_geoip_as_asnum,
+				 "AS100003 Three Network Labs");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/* GeoIP isp matching */
+ATF_TC(isp);
+ATF_TC_HEAD(isp, tc) {
+	atf_tc_set_md_var(tc, "descr", "test isp database matching");
+}
+ATF_TC_BODY(isp, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.isp == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.1", NULL, dns_geoip_isp_name,
+				 "One Systems, Inc.");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/* GeoIP org matching */
+ATF_TC(org);
+ATF_TC_HEAD(org, tc) {
+	atf_tc_set_md_var(tc, "descr", "test org database matching");
+}
+ATF_TC_BODY(org, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.org == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.2", NULL, dns_geoip_org_name,
+				 "Two Technology Ltd.");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/* GeoIP domain matching */
+ATF_TC(domain);
+ATF_TC_HEAD(domain, tc) {
+	atf_tc_set_md_var(tc, "descr", "test domain database matching");
+}
+ATF_TC_BODY(domain, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.domain == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_string("10.53.0.4", NULL,
+				 dns_geoip_domain_name, "four.com");
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+
+/* GeoIP netspeed matching */
+ATF_TC(netspeed);
+ATF_TC_HEAD(netspeed, tc) {
+	atf_tc_set_md_var(tc, "descr", "test netspeed database matching");
+}
+ATF_TC_BODY(netspeed, tc) {
+	isc_result_t result;
+	bool match;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* Use databases from the geoip system test */
+	load_geoip(TEST_GEOIP_DATA);
+
+	if (geoip.netspeed == NULL) {
+		dns_test_end();
+		atf_tc_skip("Database not available");
+	}
+
+	match = do_lookup_int("10.53.0.1", NULL, dns_geoip_netspeed_id, 0);
+	ATF_CHECK(match);
+
+	match = do_lookup_int("10.53.0.2", NULL, dns_geoip_netspeed_id, 1);
+	ATF_CHECK(match);
+
+	match = do_lookup_int("10.53.0.3", NULL, dns_geoip_netspeed_id, 2);
+	ATF_CHECK(match);
+
+	match = do_lookup_int("10.53.0.4", NULL, dns_geoip_netspeed_id, 3);
+	ATF_CHECK(match);
+
+	dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping geoip test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("GeoIP not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#ifdef HAVE_GEOIP
+	ATF_TP_ADD_TC(tp, country);
+	ATF_TP_ADD_TC(tp, country_v6);
+	ATF_TP_ADD_TC(tp, city);
+	ATF_TP_ADD_TC(tp, city_v6);
+	ATF_TP_ADD_TC(tp, region);
+	ATF_TP_ADD_TC(tp, best);
+	ATF_TP_ADD_TC(tp, asnum);
+	ATF_TP_ADD_TC(tp, isp);
+	ATF_TP_ADD_TC(tp, org);
+	ATF_TP_ADD_TC(tp, domain);
+	ATF_TP_ADD_TC(tp, netspeed);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/gost_test.c b/lib/dns/tests/gost_test.c
new file mode 100644
index 0000000..204c6cc
--- /dev/null
+++ b/lib/dns/tests/gost_test.c
@@ -0,0 +1,379 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/util.h>
+#include <isc/print.h>
+#include <isc/string.h>
+
+#include "dnstest.h"
+
+#ifdef HAVE_OPENSSL_GOST
+#include "../dst_gost.h"
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include <openssl/engine.h>
+#include <openssl/bn.h>
+#endif
+
+#ifdef HAVE_PKCS11_GOST
+#include "../dst_gost.h"
+#include <pk11/internal.h>
+#define WANT_GOST_PARAMS
+#include <pk11/constants.h>
+#include <pkcs11/pkcs11.h>
+#endif
+
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+/*
+ * Test data from Wikipedia GOST (hash function)
+ */
+
+unsigned char digest[ISC_GOST_DIGESTLENGTH];
+unsigned char buffer[1024];
+const char *s;
+char str[2 * ISC_GOST_DIGESTLENGTH + 3];
+int i = 0;
+
+/*
+ * Precondition: a hexadecimal number in *d, the length of that number in len,
+ *   and a pointer to a character array to put the output (*out).
+ * Postcondition: A String representation of the given hexadecimal number is
+ *   placed into the array *out
+ *
+ * 'out' MUST point to an array of at least len * 2 + 1
+ *
+ * Return values: ISC_R_SUCCESS if the operation is sucessful
+ */
+static isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
+	char c_ret[] = "AA";
+	unsigned int j;
+
+	out[0] = '\0';
+	strlcat(out, "0x", out_size);
+	for (j = 0; j < len; j++) {
+		snprintf(c_ret, sizeof(c_ret), "%02X", d[j]);
+		strlcat(out, c_ret, out_size);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+
+#define TEST_INPUT(x) (x), sizeof(x)-1
+
+typedef struct hash_testcase {
+	const char *input;
+	size_t input_len;
+	const char *result;
+	int repeats;
+} hash_testcase_t;
+
+ATF_TC(isc_gost_md);
+ATF_TC_HEAD(isc_gost_md, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "GOST R 34.11-94 examples from Wikipedia");
+}
+ATF_TC_BODY(isc_gost_md, tc) {
+	isc_gost_t gost;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT(""),
+			"0x981E5F3CA30C841487830F84FB433E1"
+			"3AC1101569B9C13584AC483234CD656C0",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("a"),
+			"0xE74C52DD282183BF37AF0079C9F7805"
+			"5715A103F17E3133CEFF1AACF2F403011",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("abc"),
+			"0xB285056DBF18D7392D7677369524DD1"
+			"4747459ED8143997E163B2986F92FD42C",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("message digest"),
+			"0xBC6041DD2AA401EBFA6E9886734174F"
+			"EBDB4729AA972D60F549AC39B29721BA0",
+			1
+		},
+		/* Test 5 */
+		{
+			TEST_INPUT("The quick brown fox jumps "
+				   "over the lazy dog"),
+			"0x9004294A361A508C586FE53D1F1B027"
+			"46765E71B765472786E4770D565830A76",
+			1
+		},
+
+		/* Test 6 */
+		{
+			TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
+				   "fghijklmnopqrstuvwxyz0123456789"),
+			"0x73B70A39497DE53A6E08C67B6D4DB85"
+			"3540F03E9389299D9B0156EF7E85D0F61",
+			1
+		},
+		/* Test 7 */
+		{
+			TEST_INPUT("1234567890123456789012345678901"
+				   "2345678901234567890123456789012"
+				   "345678901234567890"),
+			"0x6BC7B38989B28CF93AE8842BF9D7529"
+			"05910A7528A61E5BCE0782DE43E610C90",
+			1
+		},
+		/* Test 8 */
+		{
+			TEST_INPUT("This is message, length=32 bytes"),
+			"0x2CEFC2F7B7BDC514E18EA57FA74FF35"
+			"7E7FA17D652C75F69CB1BE7893EDE48EB",
+			1
+		},
+		/* Test 9 */
+		{
+			TEST_INPUT("Suppose the original message "
+				   "has length = 50 bytes"),
+			"0xC3730C5CBCCACF915AC292676F21E8B"
+			"D4EF75331D9405E5F1A61DC3130A65011",
+			1
+		},
+		/* Test 10 */
+		{
+			TEST_INPUT("U") /* times 128 */,
+			"0x1C4AC7614691BBF427FA2316216BE8F"
+			"10D92EDFD37CD1027514C1008F649C4E8",
+			128
+		},
+		/* Test 11 */
+		{
+			TEST_INPUT("a") /* times 1000000 */,
+			"0x8693287AA62F9478F7CB312EC0866B6"
+			"C4E4A0F11160441E8F4FFCD2715DD554F",
+			1000000
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		result = isc_gost_init(&gost);
+		ATF_REQUIRE(result == ISC_R_SUCCESS);
+		for(i = 0; i < testcase->repeats; i++) {
+			result = isc_gost_update(&gost,
+					(const uint8_t *) testcase->input,
+					testcase->input_len);
+			ATF_REQUIRE(result == ISC_R_SUCCESS);
+		}
+		result = isc_gost_final(&gost, digest);
+		ATF_REQUIRE(result == ISC_R_SUCCESS);
+		tohexstr(digest, ISC_GOST_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+
+	dns_test_end();
+}
+
+ATF_TC(isc_gost_private);
+ATF_TC_HEAD(isc_gost_private, tc) {
+  atf_tc_set_md_var(tc, "descr", "GOST R 34.10-2001 private key");
+}
+ATF_TC_BODY(isc_gost_private, tc) {
+	isc_result_t result;
+	unsigned char privraw[31] = {
+		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+		0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+		0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+		0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e
+	};
+#ifdef HAVE_OPENSSL_GOST
+	unsigned char rbuf[32];
+	unsigned char privasn1[70] = {
+		0x30, 0x44, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+		0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+		0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+		0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+		0x02, 0x1e, 0x01, 0x04, 0x21, 0x02, 0x1f, 0x01,
+		0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
+		0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
+		0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
+		0x1a, 0x1b, 0x1c, 0x1d, 0x1e
+	};
+	unsigned char abuf[71];
+	unsigned char gost_dummy_key[71] = {
+		0x30, 0x45, 0x02, 0x01, 0x00, 0x30, 0x1c, 0x06,
+		0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x13, 0x30,
+		0x12, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02,
+		0x23, 0x01, 0x06, 0x07, 0x2a, 0x85, 0x03, 0x02,
+		0x02, 0x1e, 0x01, 0x04, 0x22, 0x02, 0x20, 0x1b,
+		0x3f, 0x94, 0xf7, 0x1a, 0x5f, 0x2f, 0xe7, 0xe5,
+		0x74, 0x0b, 0x8c, 0xd4, 0xb7, 0x18, 0xdd, 0x65,
+		0x68, 0x26, 0xd1, 0x54, 0xfb, 0x77, 0xba, 0x63,
+		0x72, 0xd9, 0xf0, 0x63, 0x87, 0xe0, 0xd6
+	};
+	EVP_PKEY *pkey;
+	EC_KEY *eckey;
+	BIGNUM *privkey;
+	const BIGNUM *privkey1;
+	const unsigned char *p;
+	int len;
+	unsigned char *q;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* raw parse */
+	privkey = BN_bin2bn(privraw, (int) sizeof(privraw), NULL);
+	ATF_REQUIRE(privkey != NULL);
+	p = gost_dummy_key;
+	pkey = NULL;
+	ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+				   (long) sizeof(gost_dummy_key)) != NULL);
+	ATF_REQUIRE(pkey != NULL);
+	ATF_REQUIRE(EVP_PKEY_bits(pkey) == 256);
+	eckey = EVP_PKEY_get0(pkey);
+	ATF_REQUIRE(eckey != NULL);
+	ATF_REQUIRE(EC_KEY_set_private_key(eckey, privkey) == 1);
+	BN_clear_free(privkey);
+
+	/* asn1 tofile */
+	len = i2d_PrivateKey(pkey, NULL);
+	ATF_REQUIRE(len == 70);
+	q = abuf;
+	ATF_REQUIRE(i2d_PrivateKey(pkey, &q) == len);
+	ATF_REQUIRE(memcmp(abuf, privasn1, len) == 0);
+	EVP_PKEY_free(pkey);
+
+	/* asn1 parse */
+	p = privasn1;
+	pkey = NULL;
+	ATF_REQUIRE(d2i_PrivateKey(NID_id_GostR3410_2001, &pkey, &p,
+				   (long) len) != NULL);
+	ATF_REQUIRE(pkey != NULL);
+	eckey = EVP_PKEY_get0(pkey);
+	ATF_REQUIRE(eckey != NULL);
+	privkey1 = EC_KEY_get0_private_key(eckey);
+	len = BN_num_bytes(privkey1);
+	ATF_REQUIRE(len == 31);
+	ATF_REQUIRE(BN_bn2bin(privkey1, rbuf) == len);
+	ATF_REQUIRE(memcmp(rbuf, privraw, len) == 0);
+
+	dns_test_end();
+#else
+	CK_BBOOL truevalue = TRUE;
+	CK_BBOOL falsevalue = FALSE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_GOSTR3410;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, privraw, sizeof(privraw) },
+		{ CKA_GOSTR3410_PARAMS, pk11_gost_a_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_a_paramset) },
+		{ CKA_GOSTR3411_PARAMS, pk11_gost_paramset,
+		  (CK_ULONG) sizeof(pk11_gost_paramset) }
+	};
+	CK_MECHANISM mech = { CKM_GOSTR3410_WITH_GOSTR3411, NULL, 0 };
+	CK_BYTE sig[64];
+	CK_ULONG siglen;
+	pk11_context_t pk11_ctx;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+
+	/* create the private key */
+	memset(&pk11_ctx, 0, sizeof(pk11_ctx));
+	ATF_REQUIRE(pk11_get_session(&pk11_ctx, OP_GOST, true,
+				     false, false, NULL,
+				     pk11_get_best_token(OP_GOST)) ==
+		    ISC_R_SUCCESS);
+	pk11_ctx.object = CK_INVALID_HANDLE;
+	pk11_ctx.ontoken = false;
+	ATF_REQUIRE(pkcs_C_CreateObject(pk11_ctx.session, keyTemplate,
+					(CK_ULONG) 9, &pk11_ctx.object) ==
+		    CKR_OK);
+	ATF_REQUIRE(pk11_ctx.object != CK_INVALID_HANDLE);
+
+	/* sign something */
+	ATF_REQUIRE(pkcs_C_SignInit(pk11_ctx.session, &mech,
+				    pk11_ctx.object) == CKR_OK);
+	siglen = 0;
+	ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
+				NULL, &siglen) == CKR_OK);
+	ATF_REQUIRE(siglen == 64);
+	ATF_REQUIRE(pkcs_C_Sign(pk11_ctx.session, sig, 64,
+				sig, &siglen) == CKR_OK);
+	ATF_REQUIRE(siglen == 64);
+
+	dns_test_end();
+#endif
+};
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping gost test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("GOST not available");
+}
+#endif
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
+	ATF_TP_ADD_TC(tp, isc_gost_md);
+	ATF_TP_ADD_TC(tp, isc_gost_private);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/keytable_test.c b/lib/dns/tests/keytable_test.c
new file mode 100644
index 0000000..ed69fcc
--- /dev/null
+++ b/lib/dns/tests/keytable_test.c
@@ -0,0 +1,622 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <inttypes.h>
+#include <unistd.h>
+
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/fixedname.h>
+#include <dns/keytable.h>
+#include <dns/nta.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
+#include <dns/rootns.h>
+#include <dns/view.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+dns_keytable_t *keytable = NULL;
+dns_ntatable_t *ntatable = NULL;
+
+static const char *keystr1 = "BQEAAAABok+vaUC9neRv8yeT/FEGgN7svR8s7VBUVSBd8NsAiV8AlaAg O5FHar3JQd95i/puZos6Vi6at9/JBbN8qVmO2AuiXxVqfxMKxIcy+LEB 0Vw4NaSJ3N3uaVREso6aTSs98H/25MjcwLOr7SFfXA7bGhZatLtYY/xu kp6Km5hMfkE=";
+static const dns_keytag_t keytag1 = 30591;
+
+static const char *keystr2 = "BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=";
+
+static dns_view_t *view = NULL;
+
+/*
+ * Test utilities.  In general, these assume input parameters are valid
+ * (checking with ATF_REQUIRE_EQ, thus aborting if not) and unlikely run time
+ * errors (such as memory allocation failure) won't happen.  This helps keep
+ * the test code concise.
+ */
+
+/*
+ * Utility to convert C-string to dns_name_t.  Return a pointer to
+ * static data, and so is not thread safe.
+ */
+static dns_name_t *
+str2name(const char *namestr) {
+	static dns_fixedname_t fname;
+	static dns_name_t *name;
+	static isc_buffer_t namebuf;
+	void *deconst_namestr;
+
+	name = dns_fixedname_initname(&fname);
+	DE_CONST(namestr, deconst_namestr); /* OK, since we don't modify it */
+	isc_buffer_init(&namebuf, deconst_namestr, strlen(deconst_namestr));
+	isc_buffer_add(&namebuf, strlen(namestr));
+	ATF_REQUIRE_EQ(dns_name_fromtext(name, &namebuf, dns_rootname, 0,
+					 NULL), ISC_R_SUCCESS);
+
+	return (name);
+}
+
+static void
+create_key(uint16_t flags, uint8_t proto, uint8_t alg,
+	   const char *keynamestr, const char *keystr, dst_key_t **target)
+{
+	dns_rdata_dnskey_t keystruct;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	const dns_rdataclass_t rdclass = dns_rdataclass_in; /* for brevity */
+
+	keystruct.common.rdclass = rdclass;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	keystruct.mctx = NULL;
+	ISC_LINK_INIT(&keystruct.common, link);
+	keystruct.flags = flags;
+	keystruct.protocol = proto;
+	keystruct.algorithm = alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+	ATF_REQUIRE_EQ(isc_base64_decodestring(keystr, &keydatabuf),
+		       ISC_R_SUCCESS);
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+	ATF_REQUIRE_EQ(dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+					    keystruct.common.rdtype,
+					    &keystruct, &rrdatabuf),
+		       ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(dst_key_fromdns(str2name(keynamestr), rdclass,
+				       &rrdatabuf, mctx, target),
+		       ISC_R_SUCCESS);
+}
+
+/* Common setup: create a keytable and ntatable to test with a few keys */
+static void
+create_tables() {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	isc_stdtime_t now;
+
+	result = dns_test_makeview("view", &view);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(dns_keytable_create(mctx, &keytable), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_ntatable_create(view, taskmgr, timermgr,
+					   &ntatable), ISC_R_SUCCESS);
+
+	/* Add a normal key */
+	create_key(257, 3, 5, "example.com", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, false, &key),
+		       ISC_R_SUCCESS);
+
+	/* Add a null key */
+	ATF_REQUIRE_EQ(dns_keytable_marksecure(keytable,
+					       str2name("null.example")),
+		       ISC_R_SUCCESS);
+
+	/* Add a negative trust anchor, duration 1 hour */
+	isc_stdtime_get(&now);
+	ATF_REQUIRE_EQ(dns_ntatable_add(ntatable,
+					str2name("insecure.example"),
+					false, now, 3600),
+		       ISC_R_SUCCESS);
+}
+
+static void
+destroy_tables() {
+	if (ntatable != NULL)
+		dns_ntatable_detach(&ntatable);
+	if (keytable != NULL)
+		dns_keytable_detach(&keytable);
+
+	dns_view_detach(&view);
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(add);
+ATF_TC_HEAD(add, tc) {
+	atf_tc_set_md_var(tc, "descr", "add keys to the keytable");
+}
+ATF_TC_BODY(add, tc) {
+	dst_key_t *key = NULL;
+	dns_keynode_t *keynode = NULL;
+	dns_keynode_t *next_keynode = NULL;
+	dns_keynode_t *null_keynode = NULL;
+
+	UNUSED(tc);
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/*
+	 * Get the keynode for the example.com key.  There's no other key for
+	 * the name, so nextkeynode() should return NOTFOUND.
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
+					 &keynode), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
+						&next_keynode), ISC_R_NOTFOUND);
+
+	/*
+	 * Try to add the same key.  This should have no effect, so
+	 * nextkeynode() should still return NOTFOUND.
+	 */
+	create_key(257, 3, 5, "example.com", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, false, &key),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
+						&next_keynode), ISC_R_NOTFOUND);
+
+	/* Add another key (different keydata) */
+	dns_keytable_detachkeynode(keytable, &keynode);
+	create_key(257, 3, 5, "example.com", keystr2, &key);
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, false, &key),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
+					 &keynode), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
+						&next_keynode), ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &next_keynode);
+
+	/*
+	 * Add a normal key to a name that has a null key.  The null key node
+	 * will be updated with the normal key.
+	 */
+	dns_keytable_detachkeynode(keytable, &keynode);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
+					 &null_keynode), ISC_R_SUCCESS);
+	create_key(257, 3, 5, "null.example", keystr2, &key);
+	ATF_REQUIRE_EQ(dns_keytable_add(keytable, false, &key),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
+					 &keynode), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(keynode, null_keynode); /* should be the same node */
+	ATF_REQUIRE(dns_keynode_key(keynode) != NULL); /* now have a key */
+	dns_keytable_detachkeynode(keytable, &null_keynode);
+
+	/*
+	 * Try to add a null key to a name that already has a key.  It's
+	 * effectively no-op, so the same key node is still there, with no
+	 * no next node.
+	 * (Note: this and above checks confirm that if a name has a null key
+	 * that's the only key for the name).
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_marksecure(keytable,
+					       str2name("null.example")),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
+					 &null_keynode), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(keynode, null_keynode);
+	ATF_REQUIRE(dns_keynode_key(keynode) != NULL);
+	ATF_REQUIRE_EQ(dns_keytable_nextkeynode(keytable, keynode,
+						&next_keynode), ISC_R_NOTFOUND);
+	dns_keytable_detachkeynode(keytable, &null_keynode);
+
+	dns_keytable_detachkeynode(keytable, &keynode);
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(delete);
+ATF_TC_HEAD(delete, tc) {
+	atf_tc_set_md_var(tc, "descr", "delete keys from the keytable");
+}
+ATF_TC_BODY(delete, tc) {
+	UNUSED(tc);
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/* dns_keytable_delete requires exact match */
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.org")),
+		       ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("s.example.com")),
+		       ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.com")),
+		       ISC_R_SUCCESS);
+
+	/* works also for nodes with a null key */
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("null.example")),
+		       ISC_R_SUCCESS);
+
+	/* or a negative trust anchor */
+	ATF_REQUIRE_EQ(dns_ntatable_delete(ntatable,
+					   str2name("insecure.example")),
+		       ISC_R_SUCCESS);
+
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(deletekeynode);
+ATF_TC_HEAD(deletekeynode, tc) {
+	atf_tc_set_md_var(tc, "descr", "delete key nodes from the keytable");
+}
+ATF_TC_BODY(deletekeynode, tc) {
+	dst_key_t *key = NULL;
+
+	UNUSED(tc);
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/* key name doesn't match */
+	create_key(257, 3, 5, "example.org", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       ISC_R_NOTFOUND);
+	dst_key_free(&key);
+
+	/* subdomain match is the same as no match */
+	create_key(257, 3, 5, "sub.example.com", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       ISC_R_NOTFOUND);
+	dst_key_free(&key);
+
+	/* name matches but key doesn't match (resulting in PARTIALMATCH) */
+	create_key(257, 3, 5, "example.com", keystr2, &key);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       DNS_R_PARTIALMATCH);
+	dst_key_free(&key);
+
+	/*
+	 * exact match.  after deleting the node the internal rbt node will be
+	 * empty, and any delete or deletekeynode attempt should result in
+	 * NOTFOUND.
+	 */
+	create_key(257, 3, 5, "example.com", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, str2name("example.com")),
+		       ISC_R_NOTFOUND);
+	dst_key_free(&key);
+
+	/*
+	 * A null key node for a name is not deleted when searched by key;
+	 * it must be deleted by dns_keytable_delete()
+	 */
+	create_key(257, 3, 5, "null.example", keystr1, &key);
+	ATF_REQUIRE_EQ(dns_keytable_deletekeynode(keytable, key),
+		       DNS_R_PARTIALMATCH);
+	ATF_REQUIRE_EQ(dns_keytable_delete(keytable, dst_key_name(key)),
+		       ISC_R_SUCCESS);
+	dst_key_free(&key);
+
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(find);
+ATF_TC_HEAD(find, tc) {
+	atf_tc_set_md_var(tc, "descr", "check find-variant operations");
+}
+ATF_TC_BODY(find, tc) {
+	dns_keynode_t *keynode = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	UNUSED(tc);
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/*
+	 * dns_keytable_find() requires exact name match.  It matches node
+	 * that has a null key, too.
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.org"),
+					 &keynode), ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("sub.example.com"),
+					 &keynode), ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.com"),
+					 &keynode), ISC_R_SUCCESS);
+	dns_keytable_detachkeynode(keytable, &keynode);
+	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("null.example"),
+					 &keynode), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_keynode_key(keynode), NULL);
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	/*
+	 * dns_keytable_finddeepestmatch() allows partial match.  Also match
+	 * nodes with a null key.
+	 */
+	name = dns_fixedname_initname(&fname);
+	ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
+						     str2name("example.com"),
+						     name), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_name_equal(name, str2name("example.com")), true);
+	ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
+						     str2name("s.example.com"),
+						     name), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_name_equal(name, str2name("example.com")), true);
+	ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
+						     str2name("example.org"),
+						     name), ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_finddeepestmatch(keytable,
+						     str2name("null.example"),
+						     name), ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dns_name_equal(name, str2name("null.example")),
+		       true);
+
+	/*
+	 * dns_keytable_findkeynode() requires exact name, algorithm, keytag
+	 * match.  If algorithm or keytag doesn't match, should result in
+	 * PARTIALMATCH.  Same for a node with a null key.
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("example.org"),
+						5, keytag1, &keynode),
+		       ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("sub.example.com"),
+						5, keytag1, &keynode),
+		       ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("example.com"),
+						4, keytag1, &keynode),
+		       DNS_R_PARTIALMATCH); /* different algorithm */
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("example.com"),
+						5, keytag1 + 1, &keynode),
+		       DNS_R_PARTIALMATCH); /* different keytag */
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("null.example"),
+						5, 0, &keynode),
+		       DNS_R_PARTIALMATCH); /* null key */
+	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
+						str2name("example.com"),
+						5, keytag1, &keynode),
+		       ISC_R_SUCCESS); /* complete match */
+	dns_keytable_detachkeynode(keytable, &keynode);
+
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(issecuredomain);
+ATF_TC_HEAD(issecuredomain, tc) {
+	atf_tc_set_md_var(tc, "descr", "check issecuredomain()");
+}
+ATF_TC_BODY(issecuredomain, tc) {
+	bool issecure;
+	const char **n;
+	const char *names[] = {"example.com", "sub.example.com",
+			       "null.example", "sub.null.example", NULL};
+
+	UNUSED(tc);
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/*
+	 * Domains that are an exact or partial match of a key name are
+	 * considered secure.  It's the case even if the key is null
+	 * (validation will then fail, but that's actually the intended effect
+	 * of installing a null key).
+	 */
+	for (n = names; *n != NULL; n++) {
+		ATF_REQUIRE_EQ(dns_keytable_issecuredomain(keytable,
+							   str2name(*n),
+							   NULL,
+							   &issecure),
+			       ISC_R_SUCCESS);
+		ATF_REQUIRE_EQ(issecure, true);
+	}
+
+	/*
+	 * If the key table has no entry (not even a null one) for a domain or
+	 * any of its ancestors, that domain is considered insecure.
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_issecuredomain(keytable,
+						   str2name("example.org"),
+						   NULL,
+						   &issecure),
+		       ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(issecure, false);
+
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(dump);
+ATF_TC_HEAD(dump, tc) {
+	atf_tc_set_md_var(tc, "descr", "check dns_keytable_dump()");
+}
+ATF_TC_BODY(dump, tc) {
+	UNUSED(tc);
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, true), ISC_R_SUCCESS);
+	create_tables();
+
+	/*
+	 * Right now, we only confirm the dump attempt doesn't cause disruption
+	 * (so we don't check the dump content).
+	 */
+	ATF_REQUIRE_EQ(dns_keytable_dump(keytable, stdout), ISC_R_SUCCESS);
+
+	destroy_tables();
+	dns_test_end();
+}
+
+ATF_TC(nta);
+ATF_TC_HEAD(nta, tc) {
+	atf_tc_set_md_var(tc, "descr", "check negative trust anchors");
+}
+ATF_TC_BODY(nta, tc) {
+	isc_result_t result;
+	dst_key_t *key = NULL;
+	bool issecure, covered;
+	dns_view_t *myview = NULL;
+	isc_stdtime_t now;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makeview("view", &myview);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &myview->task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_view_initsecroots(myview, mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_view_getsecroots(myview, &keytable);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_view_initntatable(myview, taskmgr, timermgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_view_getntatable(myview, &ntatable);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	create_key(257, 3, 5, "example", keystr1, &key);
+	result = dns_keytable_add(keytable, false, &key);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_stdtime_get(&now);
+	result = dns_ntatable_add(ntatable,
+				  str2name("insecure.example"),
+				  false, now, 1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Should be secure */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.secure.example"),
+					 now, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(issecure);
+
+	/* Should not be secure */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.insecure.example"),
+					 now, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(!issecure);
+
+	/* NTA covered */
+	covered = dns_view_ntacovers(myview, now, str2name("insecure.example"),
+				     dns_rootname);
+	ATF_CHECK(covered);
+
+	/* Not NTA covered */
+	covered = dns_view_ntacovers(myview, now, str2name("secure.example"),
+				     dns_rootname);
+	ATF_CHECK(!covered);
+
+	/* As of now + 2, the NTA should be clear */
+	result = dns_view_issecuredomain(myview,
+					 str2name("test.insecure.example"),
+					 now + 2, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(issecure);
+
+	/* Now check deletion */
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(issecure);
+
+	result = dns_ntatable_add(ntatable, str2name("new.example"),
+				  false, now, 3600);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(!issecure);
+
+	result = dns_ntatable_delete(ntatable, str2name("new.example"));
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, true, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(issecure);
+
+	/* Clean up */
+	dns_ntatable_detach(&ntatable);
+	dns_keytable_detach(&keytable);
+	dns_view_detach(&myview);
+
+	dns_test_end();
+}
+
+#else
+#include <isc/util.h>
+
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping keytable test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("DNSSEC not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+	ATF_TP_ADD_TC(tp, add);
+	ATF_TP_ADD_TC(tp, delete);
+	ATF_TP_ADD_TC(tp, deletekeynode);
+	ATF_TP_ADD_TC(tp, find);
+	ATF_TP_ADD_TC(tp, issecuredomain);
+	ATF_TP_ADD_TC(tp, dump);
+	ATF_TP_ADD_TC(tp, nta);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/master_test.c b/lib/dns/tests/master_test.c
new file mode 100644
index 0000000..5cce2f3
--- /dev/null
+++ b/lib/dns/tests/master_test.c
@@ -0,0 +1,684 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/xml.h>
+
+#include <dns/cache.h>
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+
+#define	BUFLEN		255
+#define	BIGBUFLEN	(70 * 1024)
+#define TEST_ORIGIN	"test"
+
+static dns_masterrawheader_t header;
+static bool headerset;
+
+dns_name_t dns_origin;
+char origin[sizeof(TEST_ORIGIN)];
+unsigned char name_buf[BUFLEN];
+dns_rdatacallbacks_t callbacks;
+char *include_file = NULL;
+
+static isc_result_t
+add_callback(void *arg, dns_name_t *owner, dns_rdataset_t *dataset);
+
+static void
+rawdata_callback(dns_zone_t *zone, dns_masterrawheader_t *header);
+
+static isc_result_t
+add_callback(void *arg, dns_name_t *owner, dns_rdataset_t *dataset) {
+	char buf[BIGBUFLEN];
+	isc_buffer_t target;
+	isc_result_t result;
+
+	UNUSED(arg);
+
+	isc_buffer_init(&target, buf, BIGBUFLEN);
+	result = dns_rdataset_totext(dataset, owner, false, false,
+				     &target);
+	return(result);
+}
+
+static void
+rawdata_callback(dns_zone_t *zone, dns_masterrawheader_t *h) {
+	UNUSED(zone);
+	header = *h;
+	headerset = true;
+}
+
+static isc_result_t
+setup_master(void (*warn)(struct dns_rdatacallbacks *, const char *, ...),
+	     void (*error)(struct dns_rdatacallbacks *, const char *, ...))
+{
+	isc_result_t		result;
+	int			len;
+	isc_buffer_t		source;
+	isc_buffer_t		target;
+
+	strlcpy(origin, TEST_ORIGIN, sizeof(origin));
+	len = strlen(origin);
+	isc_buffer_init(&source, origin, len);
+	isc_buffer_add(&source, len);
+	isc_buffer_setactive(&source, len);
+	isc_buffer_init(&target, name_buf, BUFLEN);
+	dns_name_init(&dns_origin, NULL);
+	dns_master_initrawheader(&header);
+
+	result = dns_name_fromtext(&dns_origin, &source, dns_rootname,
+				   0, &target);
+	if (result != ISC_R_SUCCESS)
+		return(result);
+
+	dns_rdatacallbacks_init_stdio(&callbacks);
+	callbacks.add = add_callback;
+	callbacks.rawdata = rawdata_callback;
+	callbacks.zone = NULL;
+	if (warn != NULL)
+		callbacks.warn = warn;
+	if (error != NULL)
+		callbacks.error = error;
+	headerset = false;
+	return (result);
+}
+
+static isc_result_t
+test_master(const char *testfile, dns_masterformat_t format,
+	    void (*warn)(struct dns_rdatacallbacks *, const char *, ...),
+	    void (*error)(struct dns_rdatacallbacks *, const char *, ...))
+{
+	isc_result_t		result;
+
+	result = setup_master(warn, error);
+	if (result != ISC_R_SUCCESS)
+		return(result);
+
+	result = dns_master_loadfile2(testfile, &dns_origin, &dns_origin,
+				      dns_rdataclass_in, true,
+				      &callbacks, mctx, format);
+	return (result);
+}
+
+static void
+include_callback(const char *filename, void *arg) {
+	char **argp = (char **) arg;
+	*argp = isc_mem_strdup(mctx, filename);
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Successful load test */
+ATF_TC(load);
+ATF_TC_HEAD(load, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
+				       "valid master file and returns success");
+}
+ATF_TC_BODY(load, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master1.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+
+/* Unepxected end of file test */
+ATF_TC(unexpected);
+ATF_TC_HEAD(unexpected, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "DNS_R_UNEXPECTED when file ends "
+				       "too soon");
+}
+ATF_TC_BODY(unexpected, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master2.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_UNEXPECTEDEND);
+
+	dns_test_end();
+}
+
+
+/* No owner test */
+ATF_TC(noowner);
+ATF_TC_HEAD(noowner, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() accepts broken "
+				       "zones with no TTL for first record "
+				       "if it is an SOA");
+}
+ATF_TC_BODY(noowner, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master3.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, DNS_R_NOOWNER);
+
+	dns_test_end();
+}
+
+
+/* No TTL test */
+ATF_TC(nottl);
+ATF_TC_HEAD(nottl, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "DNS_R_NOOWNER when no owner name "
+				       "is specified");
+}
+
+ATF_TC_BODY(nottl, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master4.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+
+/* Bad class test */
+ATF_TC(badclass);
+ATF_TC_HEAD(badclass, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "DNS_R_BADCLASS when record class "
+				       "doesn't match zone class");
+}
+ATF_TC_BODY(badclass, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master5.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, DNS_R_BADCLASS);
+
+	dns_test_end();
+}
+
+/* Too big rdata test */
+ATF_TC(toobig);
+ATF_TC_HEAD(toobig, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "ISC_R_NOSPACE when record is too big");
+}
+ATF_TC_BODY(toobig, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master15.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_NOSPACE);
+
+	dns_test_end();
+}
+
+/* Maximum rdata test */
+ATF_TC(maxrdata);
+ATF_TC_HEAD(maxrdata, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "ISC_R_SUCCESS when record is maximum "
+				       "size");
+}
+ATF_TC_BODY(maxrdata, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master16.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+/* DNSKEY test */
+ATF_TC(dnskey);
+ATF_TC_HEAD(dnskey, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
+				       "DNSKEY with key material");
+}
+ATF_TC_BODY(dnskey, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master6.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+
+/* DNSKEY with no key material test */
+ATF_TC(dnsnokey);
+ATF_TC_HEAD(dnsnokey, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
+				       "DNSKEY with no key material");
+}
+ATF_TC_BODY(dnsnokey, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master7.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+/* Include test */
+ATF_TC(include);
+ATF_TC_HEAD(include, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
+				       "$INCLUDE");
+}
+ATF_TC_BODY(include, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master8.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, DNS_R_SEENINCLUDE);
+
+	dns_test_end();
+}
+
+/* Include file list test */
+ATF_TC(master_includelist);
+ATF_TC_HEAD(master_includelist, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile4() returns "
+				       "names of included file");
+}
+ATF_TC_BODY(master_includelist, tc) {
+	isc_result_t result;
+	char *filename = NULL;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = setup_master(NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_master_loadfile4("testdata/master/master8.data",
+				      &dns_origin, &dns_origin,
+				      dns_rdataclass_in, 0, true,
+				      &callbacks, include_callback,
+				      &filename, mctx, dns_masterformat_text);
+	ATF_CHECK_EQ(result, DNS_R_SEENINCLUDE);
+	ATF_CHECK(filename != NULL);
+	if (filename != NULL) {
+		ATF_CHECK_STREQ(filename, "testdata/master/master7.data");
+		isc_mem_free(mctx, filename);
+	}
+
+	dns_test_end();
+}
+
+/* Include failure test */
+ATF_TC(includefail);
+ATF_TC_HEAD(includefail, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
+				       "$INCLUDE failures");
+}
+ATF_TC_BODY(includefail, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master9.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, DNS_R_BADCLASS);
+
+	dns_test_end();
+}
+
+
+/* Non-empty blank lines test */
+ATF_TC(blanklines);
+ATF_TC_HEAD(blanklines, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() handles "
+				       "non-empty blank lines");
+}
+ATF_TC_BODY(blanklines, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master10.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+/* SOA leading zeroes test */
+ATF_TC(leadingzero);
+ATF_TC_HEAD(leadingzero, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() allows "
+				       "leading zeroes in SOA");
+}
+ATF_TC_BODY(leadingzero, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master11.data",
+			     dns_masterformat_text, NULL, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
+ATF_TC(totext);
+ATF_TC_HEAD(totext, tc) {
+	atf_tc_set_md_var(tc, "descr", "masterfile totext tests");
+}
+ATF_TC_BODY(totext, tc) {
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdatalist_t rdatalist;
+	isc_buffer_t target;
+	unsigned char buf[BIGBUFLEN];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* First, test with an empty rdataset */
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_in;
+	rdatalist.type = dns_rdatatype_none;
+	rdatalist.covers = dns_rdatatype_none;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&target, buf, BIGBUFLEN);
+	result = dns_master_rdatasettotext(dns_rootname,
+					   &rdataset, &dns_master_style_debug,
+					   &target);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(isc_buffer_usedlength(&target), 0);
+
+	/*
+	 * XXX: We will also need to add tests for dumping various
+	 * rdata types, classes, etc, and comparing the results against
+	 * known-good output.
+	 */
+
+	dns_test_end();
+}
+
+/* Raw load */
+ATF_TC(loadraw);
+ATF_TC_HEAD(loadraw, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
+				       "valid raw file and returns success");
+}
+ATF_TC_BODY(loadraw, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Raw format version 0 */
+	result = test_master("testdata/master/master12.data",
+			     dns_masterformat_raw, NULL, NULL);
+	ATF_CHECK_STREQ(isc_result_totext(result), "success");
+	ATF_CHECK(headerset);
+	ATF_CHECK_EQ(header.flags, 0);
+
+	/* Raw format version 1, no source serial  */
+	result = test_master("testdata/master/master13.data",
+			     dns_masterformat_raw, NULL, NULL);
+	ATF_CHECK_STREQ(isc_result_totext(result), "success");
+	ATF_CHECK(headerset);
+	ATF_CHECK_EQ(header.flags, 0);
+
+	/* Raw format version 1, source serial == 2011120101 */
+	result = test_master("testdata/master/master14.data",
+			     dns_masterformat_raw, NULL, NULL);
+	ATF_CHECK_STREQ(isc_result_totext(result), "success");
+	ATF_CHECK(headerset);
+	ATF_CHECK((header.flags & DNS_MASTERRAW_SOURCESERIALSET) != 0);
+	ATF_CHECK_EQ(header.sourceserial, 2011120101);
+
+	dns_test_end();
+}
+
+/* Raw dump*/
+ATF_TC(dumpraw);
+ATF_TC_HEAD(dumpraw, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_dump*() functions "
+				       "dump valid raw files");
+}
+ATF_TC_BODY(dumpraw, tc) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	char myorigin[sizeof(TEST_ORIGIN)];
+	dns_name_t dnsorigin;
+	isc_buffer_t source, target;
+	unsigned char namebuf[BUFLEN];
+	int len;
+
+	UNUSED(tc);
+
+	strlcpy(myorigin, TEST_ORIGIN, sizeof(myorigin));
+	len = strlen(myorigin);
+	isc_buffer_init(&source, myorigin, len);
+	isc_buffer_add(&source, len);
+	isc_buffer_setactive(&source, len);
+	isc_buffer_init(&target, namebuf, BUFLEN);
+	dns_name_init(&dnsorigin, NULL);
+	result = dns_name_fromtext(&dnsorigin, &source, dns_rootname,
+				   0, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_create(mctx, "rbt", &dnsorigin, dns_dbtype_zone,
+			       dns_rdataclass_in, 0, NULL, &db);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_db_load(db, "testdata/master/master1.data");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_db_currentversion(db, &version);
+
+	result = dns_master_dump2(mctx, db, version,
+				  &dns_master_style_default, "test.dump",
+				  dns_masterformat_raw);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("test.dump", dns_masterformat_raw, NULL, NULL);
+	ATF_CHECK_STREQ(isc_result_totext(result), "success");
+	ATF_CHECK(headerset);
+	ATF_CHECK_EQ(header.flags, 0);
+
+	dns_master_initrawheader(&header);
+	header.sourceserial = 12345;
+	header.flags |= DNS_MASTERRAW_SOURCESERIALSET;
+
+	unlink("test.dump");
+	result = dns_master_dump3(mctx, db, version,
+				  &dns_master_style_default, "test.dump",
+				  dns_masterformat_raw, &header);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("test.dump", dns_masterformat_raw, NULL, NULL);
+	ATF_CHECK_STREQ(isc_result_totext(result), "success");
+	ATF_CHECK(headerset);
+	ATF_CHECK((header.flags & DNS_MASTERRAW_SOURCESERIALSET) != 0);
+	ATF_CHECK_EQ(header.sourceserial, 12345);
+
+	unlink("test.dump");
+	dns_db_closeversion(db, &version, false);
+	dns_db_detach(&db);
+	dns_test_end();
+}
+
+static const char *warn_expect_value;
+static bool warn_expect_result;
+
+static void
+warn_expect(struct dns_rdatacallbacks *mycallbacks, const char *fmt, ...) {
+	char buf[4096];
+	va_list ap;
+
+	UNUSED(mycallbacks);
+
+	va_start(ap, fmt);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+	if (warn_expect_value != NULL && strstr(buf, warn_expect_value) != NULL)
+		warn_expect_result = true;
+}
+
+/* Origin change test */
+ATF_TC(neworigin);
+ATF_TC_HEAD(neworigin, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() rejects "
+				       "zones with inherited name following "
+				       "$ORIGIN");
+}
+ATF_TC_BODY(neworigin, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	warn_expect_value = "record with inherited owner";
+	warn_expect_result = false;
+	result = test_master("testdata/master/master17.data",
+			     dns_masterformat_text, warn_expect, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_MSG(warn_expect_result, "'%s' warning not emitted",
+		      warn_expect_value);
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, load);
+	ATF_TP_ADD_TC(tp, unexpected);
+	ATF_TP_ADD_TC(tp, noowner);
+	ATF_TP_ADD_TC(tp, nottl);
+	ATF_TP_ADD_TC(tp, badclass);
+	ATF_TP_ADD_TC(tp, dnskey);
+	ATF_TP_ADD_TC(tp, dnsnokey);
+	ATF_TP_ADD_TC(tp, include);
+	ATF_TP_ADD_TC(tp, master_includelist);
+	ATF_TP_ADD_TC(tp, includefail);
+	ATF_TP_ADD_TC(tp, blanklines);
+	ATF_TP_ADD_TC(tp, leadingzero);
+	ATF_TP_ADD_TC(tp, totext);
+	ATF_TP_ADD_TC(tp, loadraw);
+	ATF_TP_ADD_TC(tp, dumpraw);
+	ATF_TP_ADD_TC(tp, toobig);
+	ATF_TP_ADD_TC(tp, maxrdata);
+	ATF_TP_ADD_TC(tp, neworigin);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/mkraw.pl b/lib/dns/tests/mkraw.pl
new file mode 100644
index 0000000..9791adc
--- /dev/null
+++ b/lib/dns/tests/mkraw.pl
@@ -0,0 +1,24 @@
+#!/usr/bin/perl -w
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Convert a hexdump to binary format.
+#
+# To convert binary data to the input format for this command,
+# use the following:
+#
+# perl -e 'while (read(STDIN, my $byte, 1)) {
+#              print unpack("H2", $byte);
+#          }
+#          print "\n";' < file > file.in
+
+use strict;
+chomp(my $line = <STDIN>);
+print pack("H*", $line);
diff --git a/lib/dns/tests/name_test.c b/lib/dns/tests/name_test.c
new file mode 100644
index 0000000..1953b41
--- /dev/null
+++ b/lib/dns/tests/name_test.c
@@ -0,0 +1,772 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <atf-c.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/name.h>
+#include <dns/fixedname.h>
+
+#include "dnstest.h"
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(fullcompare);
+ATF_TC_HEAD(fullcompare, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_name_fullcompare test");
+}
+ATF_TC_BODY(fullcompare, tc) {
+	dns_fixedname_t fixed1;
+	dns_fixedname_t fixed2;
+	dns_name_t *name1;
+	dns_name_t *name2;
+	dns_namereln_t relation;
+	int i;
+	isc_result_t result;
+	struct {
+		const char *name1;
+		const char *name2;
+		dns_namereln_t relation;
+		int order;
+		unsigned int nlabels;
+	} data[] = {
+		/* relative */
+		{ "", "", dns_namereln_equal, 0, 0 },
+		{ "foo", "", dns_namereln_subdomain, 1, 0 },
+		{ "", "foo", dns_namereln_contains, -1, 0 },
+		{ "foo", "bar", dns_namereln_none, 4, 0 },
+		{ "bar", "foo", dns_namereln_none, -4, 0 },
+		{ "bar.foo", "foo", dns_namereln_subdomain, 1, 1 },
+		{ "foo", "bar.foo", dns_namereln_contains, -1, 1 },
+		{ "baz.bar.foo", "bar.foo", dns_namereln_subdomain, 1, 2 },
+		{ "bar.foo", "baz.bar.foo", dns_namereln_contains, -1, 2 },
+		{ "foo.example", "bar.example", dns_namereln_commonancestor,
+		  4, 1 },
+
+		/* absolute */
+		{ ".", ".", dns_namereln_equal, 0, 1 },
+		{ "foo.", "bar.", dns_namereln_commonancestor, 4, 1 },
+		{ "bar.", "foo.", dns_namereln_commonancestor, -4, 1 },
+		{ "foo.example.", "bar.example.", dns_namereln_commonancestor,
+		  4, 2 },
+		{ "bar.foo.", "foo.", dns_namereln_subdomain, 1, 2 },
+		{ "foo.", "bar.foo.", dns_namereln_contains, -1, 2 },
+		{ "baz.bar.foo.", "bar.foo.", dns_namereln_subdomain, 1, 3 },
+		{ "bar.foo.", "baz.bar.foo.", dns_namereln_contains, -1, 3 },
+		{ NULL, NULL, dns_namereln_none, 0, 0 }
+	};
+
+	UNUSED(tc);
+
+	name1 = dns_fixedname_initname(&fixed1);
+	name2 = dns_fixedname_initname(&fixed2);
+	for (i = 0; data[i].name1 != NULL; i++) {
+		int order = 3000;
+		unsigned int nlabels = 3000;
+
+		if (data[i].name1[0] == 0) {
+			dns_fixedname_init(&fixed1);
+		} else {
+			result = dns_name_fromstring2(name1, data[i].name1,
+						      NULL, 0, NULL);
+			ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		}
+		if (data[i].name2[0] == 0) {
+			dns_fixedname_init(&fixed2);
+		} else {
+			result = dns_name_fromstring2(name2, data[i].name2,
+						      NULL, 0, NULL);
+			ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		}
+		relation = dns_name_fullcompare(name1, name1, &order, &nlabels);
+		ATF_REQUIRE_EQ(relation, dns_namereln_equal);
+		ATF_REQUIRE_EQ(order, 0);
+		ATF_REQUIRE_EQ(nlabels, name1->labels);
+
+		/* Some random initializer */
+		order = 3001;
+		nlabels = 3001;
+
+		relation = dns_name_fullcompare(name1, name2, &order, &nlabels);
+		ATF_REQUIRE_EQ(relation, data[i].relation);
+		ATF_REQUIRE_EQ(order, data[i].order);
+		ATF_REQUIRE_EQ(nlabels, data[i].nlabels);
+	}
+}
+
+static void
+compress_test(dns_name_t *name1, dns_name_t *name2, dns_name_t *name3,
+	      unsigned char *expected, unsigned int length,
+	      dns_compress_t *cctx, dns_decompress_t *dctx)
+{
+	isc_buffer_t source;
+	isc_buffer_t target;
+	dns_name_t name;
+	unsigned char buf1[1024];
+	unsigned char buf2[1024];
+
+	isc_buffer_init(&source, buf1, sizeof(buf1));
+	isc_buffer_init(&target, buf2, sizeof(buf2));
+
+	ATF_REQUIRE_EQ(dns_name_towire(name1, cctx, &source), ISC_R_SUCCESS);
+
+	ATF_CHECK_EQ(dns_name_towire(name2, cctx, &source), ISC_R_SUCCESS);
+	ATF_CHECK_EQ(dns_name_towire(name2, cctx, &source), ISC_R_SUCCESS);
+	ATF_CHECK_EQ(dns_name_towire(name3, cctx, &source), ISC_R_SUCCESS);
+
+	isc_buffer_setactive(&source, source.used);
+
+	dns_name_init(&name, NULL);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, false,
+					&target) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, false,
+					&target) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, false,
+					&target) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_name_fromwire(&name, &source, dctx, false,
+					&target) == ISC_R_SUCCESS);
+	dns_decompress_invalidate(dctx);
+
+	ATF_CHECK_EQ(target.used, length);
+	ATF_CHECK(memcmp(target.base, expected, target.used) == 0);
+}
+
+ATF_TC(compression);
+ATF_TC_HEAD(compression, tc) {
+	atf_tc_set_md_var(tc, "descr", "name compression test");
+}
+ATF_TC_BODY(compression, tc) {
+	unsigned int allowed;
+	dns_compress_t cctx;
+	dns_decompress_t dctx;
+	dns_name_t name1;
+	dns_name_t name2;
+	dns_name_t name3;
+	isc_region_t r;
+	unsigned char plain1[] = "\003yyy\003foo";
+	unsigned char plain2[] = "\003bar\003yyy\003foo";
+	unsigned char plain3[] = "\003xxx\003bar\003foo";
+	unsigned char plain[] = "\003yyy\003foo\0\003bar\003yyy\003foo\0\003"
+				"bar\003yyy\003foo\0\003xxx\003bar\003foo";
+
+	ATF_REQUIRE_EQ(dns_test_begin(NULL, false), ISC_R_SUCCESS);;
+
+	dns_name_init(&name1, NULL);
+	r.base = plain1;
+	r.length = sizeof(plain1);
+	dns_name_fromregion(&name1, &r);
+
+	dns_name_init(&name2, NULL);
+	r.base = plain2;
+	r.length = sizeof(plain2);
+	dns_name_fromregion(&name2, &r);
+
+	dns_name_init(&name3, NULL);
+	r.base = plain3;
+	r.length = sizeof(plain3);
+	dns_name_fromregion(&name3, &r);
+
+	/* Test 1: NONE */
+	allowed = DNS_COMPRESS_NONE;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test2: GLOBAL14 */
+	allowed = DNS_COMPRESS_GLOBAL14;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test3: ALL */
+	allowed = DNS_COMPRESS_ALL;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test4: NONE disabled */
+	allowed = DNS_COMPRESS_NONE;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test5: GLOBAL14 disabled */
+	allowed = DNS_COMPRESS_GLOBAL14;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	/* Test6: ALL disabled */
+	allowed = DNS_COMPRESS_ALL;
+	ATF_REQUIRE_EQ(dns_compress_init(&cctx, -1, mctx), ISC_R_SUCCESS);
+	dns_compress_setmethods(&cctx, allowed);
+	dns_compress_disable(&cctx);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, allowed);
+
+	compress_test(&name1, &name2, &name3, plain, sizeof(plain),
+		      &cctx, &dctx);
+
+	dns_compress_rollback(&cctx, 0);
+	dns_compress_invalidate(&cctx);
+
+	dns_test_end();
+}
+
+ATF_TC(istat);
+ATF_TC_HEAD(istat, tc) {
+	atf_tc_set_md_var(tc, "descr", "is trust-anchor-telemetry test");
+}
+ATF_TC_BODY(istat, tc) {
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_result_t result;
+	size_t i;
+	struct {
+		const char *name;
+		bool istat;
+	} data[] = {
+		{ ".", false },
+		{ "_ta-", false },
+		{ "_ta-1234", true },
+		{ "_TA-1234", true },
+		{ "+TA-1234", false },
+		{ "_fa-1234", false },
+		{ "_td-1234", false },
+		{ "_ta_1234", false },
+		{ "_ta-g234", false },
+		{ "_ta-1h34", false },
+		{ "_ta-12i4", false },
+		{ "_ta-123j", false },
+		{ "_ta-1234-abcf", true },
+		{ "_ta-1234-abcf-ED89", true },
+		{ "_ta-12345-abcf-ED89", false },
+		{ "_ta-.example", false },
+		{ "_ta-1234.example", true },
+		{ "_ta-1234-abcf.example", true },
+		{ "_ta-1234-abcf-ED89.example", true },
+		{ "_ta-12345-abcf-ED89.example", false },
+		{ "_ta-1234-abcfe-ED89.example", false },
+		{ "_ta-1234-abcf-EcD89.example", false }
+	};
+
+	name = dns_fixedname_initname(&fixed);
+
+	for (i = 0; i < sizeof(data)/sizeof(data[0]); i++) {
+		result = dns_name_fromstring(name, data[i].name, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		ATF_CHECK_EQ_MSG(dns_name_istat(name), data[i].istat,
+				 "testing %s - expected %u", data[i].name, data[i].istat);
+	}
+}
+
+ATF_TC(init);
+ATF_TC_HEAD(init, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_init");
+}
+ATF_TC_BODY(init, tc) {
+	dns_name_t name;
+	unsigned char offsets[1];
+
+	dns_name_init(&name, offsets);
+
+	ATF_CHECK_EQ(name.ndata, NULL);
+	ATF_CHECK_EQ(name.length, 0);
+	ATF_CHECK_EQ(name.labels, 0);
+	ATF_CHECK_EQ(name.attributes, 0);
+	ATF_CHECK_EQ(name.offsets, offsets);
+	ATF_CHECK_EQ(name.buffer, NULL);
+}
+
+ATF_TC(invalidate);
+ATF_TC_HEAD(invalidate, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_invalidate");
+}
+ATF_TC_BODY(invalidate, tc) {
+	dns_name_t name;
+	unsigned char offsets[1];
+
+	dns_name_init(&name, offsets);
+	dns_name_invalidate(&name);
+
+	ATF_CHECK_EQ(name.ndata, NULL);
+	ATF_CHECK_EQ(name.length, 0);
+	ATF_CHECK_EQ(name.labels, 0);
+	ATF_CHECK_EQ(name.attributes, 0);
+	ATF_CHECK_EQ(name.offsets, NULL);
+	ATF_CHECK_EQ(name.buffer, NULL);
+}
+
+ATF_TC(buffer);
+ATF_TC_HEAD(buffer, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_setbuffer/hasbuffer");
+}
+ATF_TC_BODY(buffer, tc) {
+	dns_name_t name;
+	unsigned char buf[BUFSIZ];
+	isc_buffer_t b;
+
+	isc_buffer_init(&b, buf, BUFSIZ);
+	dns_name_init(&name, NULL);
+	dns_name_setbuffer(&name, &b);
+	ATF_CHECK_EQ(name.buffer, &b);
+	ATF_CHECK(dns_name_hasbuffer(&name));
+}
+
+ATF_TC(isabsolute);
+ATF_TC_HEAD(isabsolute, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_isabsolute");
+}
+ATF_TC_BODY(isabsolute, tc) {
+	struct {
+		const char *namestr;
+		bool expect;
+	} testcases[] = {
+		{ "x", false },
+		{ "a.b.c.d.", true },
+		{ "x.z", false}
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_name_t name;
+		unsigned char data[BUFSIZ];
+		isc_buffer_t b, nb;
+		size_t len;
+
+		len = strlen(testcases[i].namestr);
+		isc_buffer_constinit(&b, testcases[i].namestr, len);
+		isc_buffer_add(&b, len);
+
+		dns_name_init(&name, NULL);
+		isc_buffer_init(&nb, data, BUFSIZ);
+		dns_name_setbuffer(&name, &nb);
+		result = dns_name_fromtext(&name, &b, NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		ATF_CHECK_EQ(dns_name_isabsolute(&name), testcases[i].expect);
+	}
+}
+
+ATF_TC(hash);
+ATF_TC_HEAD(hash, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_hash");
+}
+ATF_TC_BODY(hash, tc) {
+	struct {
+		const char *name1;
+		const char *name2;
+		bool expect;
+		bool expecti;
+	} testcases[] = {
+		{ "a.b.c.d", "A.B.C.D", true, false },
+		{ "a.b.c.d.", "A.B.C.D.", true, false },
+		{ "a.b.c.d", "a.b.c.d", true, true },
+		{ "A.B.C.D.", "A.B.C.D.", true, false },
+		{ "x.y.z.w", "a.b.c.d", false, false },
+		{ "x.y.z.w.", "a.b.c.d.", false, false },
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+		unsigned int h1, h2;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		/* Check case-insensitive hashing first */
+		h1 = dns_name_hash(n1, false);
+		h2 = dns_name_hash(n2, false);
+
+		printf("%s hashes to %u, %s to %u, case insensitive\n",
+		       testcases[i].name1, h1, testcases[i].name2, h2);
+
+		ATF_REQUIRE_EQ((h1 == h2), testcases[i].expect);
+
+		/* Now case-sensitive */
+		h1 = dns_name_hash(n1, false);
+		h2 = dns_name_hash(n2, false);
+
+		printf("%s hashes to %u, %s to %u, case sensitive\n",
+		       testcases[i].name1, h1, testcases[i].name2, h2);
+
+		ATF_REQUIRE_EQ((h1 == h2), testcases[i].expect);
+	}
+}
+
+ATF_TC(issubdomain);
+ATF_TC_HEAD(issubdomain, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_issubdomain");
+}
+ATF_TC_BODY(issubdomain, tc) {
+	struct {
+		const char *name1;
+		const char *name2;
+		bool expect;
+	} testcases[] = {
+		{ "c.d", "a.b.c.d", false },
+		{ "c.d.", "a.b.c.d.", false },
+		{ "b.c.d", "c.d", true },
+		{ "a.b.c.d.", "c.d.", true },
+		{ "a.b.c", "a.b.c", true },
+		{ "a.b.c.", "a.b.c.", true },
+		{ "x.y.z", "a.b.c", false}
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		printf("check: %s %s a subdomain of %s\n",
+		       testcases[i].name1,
+		       testcases[i].expect ? "is" : "is not",
+		       testcases[i].name2);
+
+		ATF_CHECK_EQ(dns_name_issubdomain(n1, n2),
+			     testcases[i].expect);
+	}
+}
+
+ATF_TC(countlabels);
+ATF_TC_HEAD(countlabels, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_countlabels");
+}
+ATF_TC_BODY(countlabels, tc) {
+	struct {
+		const char *namestr;
+		unsigned int expect;
+	} testcases[] = {
+		{ "c.d", 2 },
+		{ "c.d.", 3 },
+		{ "a.b.c.d.", 5 },
+		{ "a.b.c.d", 4 },
+		{ "a.b.c", 3 },
+		{ ".", 1 },
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		name = dns_fixedname_initname(&fname);
+
+		result = dns_name_fromstring2(name, testcases[i].namestr,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		printf("%s: expect %u labels\n",
+		       testcases[i].namestr, testcases[i].expect);
+
+		ATF_REQUIRE_EQ(dns_name_countlabels(name),
+			       testcases[i].expect);
+	}
+}
+
+ATF_TC(getlabel);
+ATF_TC_HEAD(getlabel, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_getlabel");
+}
+ATF_TC_BODY(getlabel, tc) {
+	struct {
+		const char *name1;
+		unsigned int pos1;
+		const char *name2;
+		unsigned int pos2;
+	} testcases[] = {
+		{ "c.d", 	1, "a.b.c.d", 	3 },
+		{ "a.b.c.d", 	3, "c.d", 	1 },
+		{ "a.b.c.", 	3, "A.B.C.", 	3 },
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+		dns_label_t l1, l2;
+		unsigned char *p1, *p2;
+		unsigned int j;
+
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		dns_name_getlabel(n1, testcases[i].pos1, &l1);
+		dns_name_getlabel(n2, testcases[i].pos2, &l2);
+		ATF_CHECK_EQ(l1.length, l2.length);
+
+		p1 = l1.base;
+		p2 = l2.base;
+		for (j = 0; j < l1.length; j++) {
+			ATF_REQUIRE_EQ(*p1++, *p2++);
+		}
+	}
+}
+
+ATF_TC(getlabelsequence);
+ATF_TC_HEAD(getlabelsequence, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_nane_getlabelsequence");
+}
+ATF_TC_BODY(getlabelsequence, tc) {
+	struct {
+		const char *name1;
+		unsigned int pos1;
+		const char *name2;
+		unsigned int pos2;
+		unsigned int range;
+	} testcases[] = {
+		{ "c.d",	1,	"a.b.c.d",	3,	1 },
+		{ "a.b.c.d.e",	2,	"c.d",		0,	2 },
+		{ "a.b.c",	0,	"a.b.c",	0,	3 },
+
+	};
+	unsigned int i;
+
+	for (i = 0; i < (sizeof(testcases)/sizeof(testcases[0])); i++) {
+		isc_result_t result;
+		dns_name_t t1, t2;
+		dns_fixedname_t f1, f2;
+		dns_name_t *n1, *n2;
+
+		/* target names */
+		dns_name_init(&t1, NULL);
+		dns_name_init(&t2, NULL);
+
+		/* source names */
+		n1 = dns_fixedname_initname(&f1);
+		n2 = dns_fixedname_initname(&f2);
+
+		result = dns_name_fromstring2(n1, testcases[i].name1,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_name_fromstring2(n2, testcases[i].name2,
+					      NULL, 0, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		dns_name_getlabelsequence(n1, testcases[i].pos1,
+					  testcases[i].range, &t1);
+		dns_name_getlabelsequence(n2, testcases[i].pos2,
+					  testcases[i].range, &t2);
+
+		ATF_REQUIRE(dns_name_equal(&t1, &t2));
+	}
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef DNS_BENCHMARK_TESTS
+
+/*
+ * XXXMUKS: Don't delete this code. It is useful in benchmarking the
+ * name parser, but we don't require it as part of the unit test runs.
+ */
+
+ATF_TC(benchmark);
+ATF_TC_HEAD(benchmark, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Benchmark dns_name_fromwire() implementation");
+}
+
+static void *
+fromwire_thread(void *arg) {
+	unsigned int maxval = 32000000;
+	uint8_t data[] = {
+		3, 'w', 'w', 'w',
+		7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
+		7, 'i', 'n', 'v', 'a', 'l', 'i', 'd',
+		0
+	};
+	unsigned char output_data[DNS_NAME_MAXWIRE];
+	isc_buffer_t source, target;
+	unsigned int i;
+	dns_decompress_t dctx;
+
+	UNUSED(arg);
+
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_STRICT);
+	dns_decompress_setmethods(&dctx, DNS_COMPRESS_NONE);
+
+	isc_buffer_init(&source, data, sizeof(data));
+	isc_buffer_add(&source, sizeof(data));
+	isc_buffer_init(&target, output_data, sizeof(output_data));
+
+	/* Parse 32 million names in each thread */
+	for (i = 0; i < maxval; i++) {
+		dns_name_t name;
+
+		isc_buffer_clear(&source);
+		isc_buffer_clear(&target);
+		isc_buffer_add(&source, sizeof(data));
+		isc_buffer_setactive(&source, sizeof(data));
+
+		dns_name_init(&name, NULL);
+		(void) dns_name_fromwire(&name, &source, &dctx, 0, &target);
+	}
+
+	return (NULL);
+}
+
+ATF_TC_BODY(benchmark, tc) {
+	isc_result_t result;
+	unsigned int i;
+	isc_time_t ts1, ts2;
+	double t;
+	unsigned int nthreads;
+	isc_thread_t threads[32];
+
+	UNUSED(tc);
+
+	debug_mem_record = false;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_time_now(&ts1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	nthreads = ISC_MIN(isc_os_ncpus(), 32);
+	nthreads = ISC_MAX(nthreads, 1);
+	for (i = 0; i < nthreads; i++) {
+		result = isc_thread_create(fromwire_thread, NULL, &threads[i]);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < nthreads; i++) {
+		result = isc_thread_join(threads[i], NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	result = isc_time_now(&ts2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	t = isc_time_microdiff(&ts2, &ts1);
+
+	printf("%u dns_name_fromwire() calls, %f seconds, %f calls/second\n",
+	       nthreads * 32000000, t / 1000000.0,
+	       (nthreads * 32000000) / (t / 1000000.0));
+
+	dns_test_end();
+}
+
+#endif /* DNS_BENCHMARK_TESTS */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, fullcompare);
+	ATF_TP_ADD_TC(tp, compression);
+	ATF_TP_ADD_TC(tp, istat);
+	ATF_TP_ADD_TC(tp, init);
+	ATF_TP_ADD_TC(tp, invalidate);
+	ATF_TP_ADD_TC(tp, buffer);
+	ATF_TP_ADD_TC(tp, isabsolute);
+	ATF_TP_ADD_TC(tp, hash);
+	ATF_TP_ADD_TC(tp, issubdomain);
+	ATF_TP_ADD_TC(tp, countlabels);
+	ATF_TP_ADD_TC(tp, getlabel);
+	ATF_TP_ADD_TC(tp, getlabelsequence);
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef DNS_BENCHMARK_TESTS
+	ATF_TP_ADD_TC(tp, benchmark);
+#endif /* DNS_BENCHMARK_TESTS */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/nsec3_test.c b/lib/dns/tests/nsec3_test.c
new file mode 100644
index 0000000..8a53344
--- /dev/null
+++ b/lib/dns/tests/nsec3_test.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <dns/db.h>
+#include <dns/nsec3.h>
+
+#include "dnstest.h"
+
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+/*
+ * Helper functions
+ */
+
+static void
+iteration_test(const char *file, unsigned int expected) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	unsigned int iterations;
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "test", file);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s", file);
+
+	result = dns_nsec3_maxiterations(db, NULL, mctx, &iterations);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s", file);
+
+	ATF_CHECK_EQ_MSG(iterations, expected, "%s", file);
+
+	dns_db_detach(&db);
+}
+
+/*%
+ * Structure containing parameters for nsec3param_salttotext_test().
+ */
+typedef struct {
+	const char *nsec3param_text;	/* NSEC3PARAM RDATA in text form */
+	const char *expected_salt;	/* string expected in target buffer */
+} nsec3param_salttotext_test_params_t;
+
+/*%
+ * Check whether dns_nsec3param_salttotext() handles supplied text form
+ * NSEC3PARAM RDATA correctly: test whether the result of calling the former is
+ * as expected and whether it properly checks available buffer space.
+ *
+ * Assumes supplied text form NSEC3PARAM RDATA is valid as testing handling of
+ * invalid NSEC3PARAM RDATA is out of scope of this unit test.
+ */
+static void
+nsec3param_salttotext_test(const nsec3param_salttotext_test_params_t *params) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3param_t nsec3param;
+	unsigned char buf[1024];
+	isc_result_t result;
+	char salt[64];
+	size_t length;
+
+	/*
+	 * Prepare a dns_rdata_nsec3param_t structure for testing.
+	 */
+	result = dns_test_rdatafromstring(&rdata, dns_rdataclass_in,
+					  dns_rdatatype_nsec3param, buf,
+					  sizeof(buf),
+					  params->nsec3param_text);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Check typical use.
+	 */
+	result = dns_nsec3param_salttotext(&nsec3param, salt, sizeof(salt));
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "\"%s\": expected success, got %s\n",
+			 params->nsec3param_text, isc_result_totext(result));
+	ATF_CHECK_EQ_MSG(strcmp(salt, params->expected_salt), 0,
+			 "\"%s\": expected salt \"%s\", got \"%s\"",
+			 params->nsec3param_text, params->expected_salt, salt);
+
+	/*
+	 * Ensure available space in the buffer is checked before the salt is
+	 * printed to it and that the amount of space checked for includes the
+	 * terminating NULL byte.
+	 */
+	length = strlen(params->expected_salt);
+	ATF_REQUIRE(length < sizeof(salt) - 1);	/* prevent buffer overwrite */
+	ATF_REQUIRE(length > 0U);		/* prevent length underflow */
+
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length - 1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_NOSPACE,
+			 "\"%s\": expected a %lu-byte target buffer to be "
+			 "rejected, got %s\n",
+			 params->nsec3param_text, (unsigned long)(length - 1),
+			 isc_result_totext(result));
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length);
+	ATF_CHECK_EQ_MSG(result, ISC_R_NOSPACE,
+			 "\"%s\": expected a %lu-byte target buffer to be "
+			 "rejected, got %s\n",
+			 params->nsec3param_text, (unsigned long)length,
+			 isc_result_totext(result));
+	result = dns_nsec3param_salttotext(&nsec3param, salt, length + 1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "\"%s\": expected a %lu-byte target buffer to be "
+			 "accepted, got %s\n",
+			 params->nsec3param_text, (unsigned long)(length + 1),
+			 isc_result_totext(result));
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(max_iterations);
+ATF_TC_HEAD(max_iterations, tc) {
+	atf_tc_set_md_var(tc, "descr", "check that appropriate max iterations "
+			  " is returned for different key size mixes");
+}
+ATF_TC_BODY(max_iterations, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	iteration_test("testdata/nsec3/1024.db", 150);
+	iteration_test("testdata/nsec3/2048.db", 500);
+	iteration_test("testdata/nsec3/4096.db", 2500);
+	iteration_test("testdata/nsec3/min-1024.db", 150);
+	iteration_test("testdata/nsec3/min-2048.db", 500);
+
+	dns_test_end();
+}
+
+ATF_TC(nsec3param_salttotext);
+ATF_TC_HEAD(nsec3param_salttotext, tc) {
+	atf_tc_set_md_var(tc, "descr", "check dns_nsec3param_salttotext()");
+}
+ATF_TC_BODY(nsec3param_salttotext, tc) {
+	isc_result_t result;
+	size_t i;
+
+	const nsec3param_salttotext_test_params_t tests[] = {
+		/*
+		 * Tests with non-empty salts.
+		 */
+		{ "0 0 10 0123456789abcdef", "0123456789ABCDEF" },
+		{ "0 1 11 0123456789abcdef", "0123456789ABCDEF" },
+		{ "1 0 12 42", "42" },
+		{ "1 1 13 42", "42" },
+		/*
+		 * Test with empty salt.
+		 */
+		{ "0 0 0 -", "-" },
+	};
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		nsec3param_salttotext_test(&tests[i]);
+	}
+
+	dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping nsec3 test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("DNSSEC not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+	ATF_TP_ADD_TC(tp, max_iterations);
+	ATF_TP_ADD_TC(tp, nsec3param_salttotext);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/peer_test.c b/lib/dns/tests/peer_test.c
new file mode 100644
index 0000000..1cff105
--- /dev/null
+++ b/lib/dns/tests/peer_test.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <dns/peer.h>
+
+#include "dnstest.h"
+
+/*
+ * Individual unit tests
+ */
+ATF_TC(dscp);
+ATF_TC_HEAD(dscp, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test DSCP set/get functions");
+}
+ATF_TC_BODY(dscp, tc) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	struct in_addr ina;
+	dns_peer_t *peer = NULL;
+	isc_dscp_t dscp;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create peer structure for the loopback address.
+	 */
+	ina.s_addr = INADDR_LOOPBACK;
+	isc_netaddr_fromin(&netaddr, &ina);
+	result = dns_peer_new(mctx, &netaddr, &peer);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * All should be not set on creation.
+	 * 'dscp' should remain unchanged.
+	 */
+	dscp = 100;
+	result = dns_peer_getquerydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	/*
+	 * Test that setting query dscp does not affect the other
+	 * dscp values.  'dscp' should remain unchanged until
+	 * dns_peer_getquerydscp is called.
+	 */
+	dscp = 100;
+	result = dns_peer_setquerydscp(peer, 1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 1);
+
+	/*
+	 * Test that setting notify dscp does not affect the other
+	 * dscp values.  'dscp' should remain unchanged until
+	 * dns_peer_getquerydscp is called then should change again
+	 * on dns_peer_getnotifydscp.
+	 */
+	dscp = 100;
+	result = dns_peer_setnotifydscp(peer, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+	ATF_REQUIRE_EQ(dscp, 100);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 1);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 2);
+
+	/*
+	 * Test that setting notify dscp does not affect the other
+	 * dscp values.  Check that appropriate values are returned.
+	 */
+	dscp = 100;
+	result = dns_peer_settransferdscp(peer, 3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_peer_getquerydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 1);
+
+	result = dns_peer_getnotifydscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 2);
+
+	result = dns_peer_gettransferdscp(peer, &dscp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(dscp, 3);
+
+	dns_peer_detach(&peer);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, dscp);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/private_test.c b/lib/dns/tests/private_test.c
new file mode 100644
index 0000000..dcb859e
--- /dev/null
+++ b/lib/dns/tests/private_test.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+
+#include <dns/nsec3.h>
+#include <dns/private.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+
+#include <dst/dst.h>
+
+#include "dnstest.h"
+
+static dns_rdatatype_t privatetype = 65534;
+
+typedef struct {
+	unsigned char alg;
+	dns_keytag_t keyid;
+	bool remove;
+	bool complete;
+} signing_testcase_t;
+
+typedef struct {
+	unsigned char hash;
+	unsigned char flags;
+	unsigned int iterations;
+	unsigned long salt;
+	bool remove;
+	bool pending;
+	bool nonsec;
+} nsec3_testcase_t;
+
+/*
+ * Helper functions
+ */
+static void
+make_signing(signing_testcase_t *testcase, dns_rdata_t *private,
+	     unsigned char *buf, size_t len)
+{
+	dns_rdata_init(private);
+
+	buf[0] = testcase->alg;
+	buf[1] = (testcase->keyid & 0xff00) >> 8;
+	buf[2] = (testcase->keyid & 0xff);
+	buf[3] = testcase->remove;
+	buf[4] = testcase->complete;
+	private->data = buf;
+	private->length = len;
+	private->type = privatetype;
+	private->rdclass = dns_rdataclass_in;
+}
+
+static void
+make_nsec3(nsec3_testcase_t *testcase, dns_rdata_t *private,
+	   unsigned char *pbuf)
+{
+	dns_rdata_nsec3param_t params;
+	dns_rdata_t nsec3param = DNS_RDATA_INIT;
+	unsigned char bufdata[BUFSIZ];
+	isc_buffer_t buf;
+	uint32_t salt;
+	unsigned char *sp;
+	int slen = 4;
+
+	/* for simplicity, we're using a maximum salt length of 4 */
+	salt = htonl(testcase->salt);
+	sp = (unsigned char *) &salt;
+	while (*sp == '\0' && slen > 0) {
+		slen--;
+		sp++;
+	}
+
+	params.common.rdclass = dns_rdataclass_in;
+	params.common.rdtype = dns_rdatatype_nsec3param;
+	params.hash = testcase->hash;
+	params.iterations = testcase->iterations;
+	params.salt = sp;
+	params.salt_length = slen;
+
+	params.flags = testcase->flags;
+	if (testcase->remove) {
+		params.flags |= DNS_NSEC3FLAG_REMOVE;
+		if (testcase->nonsec)
+			params.flags |= DNS_NSEC3FLAG_NONSEC;
+	} else {
+		params.flags |= DNS_NSEC3FLAG_CREATE;
+		if (testcase->pending)
+			params.flags |= DNS_NSEC3FLAG_INITIAL;
+	}
+
+	isc_buffer_init(&buf, bufdata, sizeof(bufdata));
+	dns_rdata_fromstruct(&nsec3param, dns_rdataclass_in,
+			     dns_rdatatype_nsec3param, &params, &buf);
+
+	dns_rdata_init(private);
+
+	dns_nsec3param_toprivate(&nsec3param, private, privatetype,
+				 pbuf, DNS_NSEC3PARAM_BUFFERSIZE + 1);
+}
+
+/*
+ * Individual unit tests
+ */
+ATF_TC(private_signing_totext);
+ATF_TC_HEAD(private_signing_totext, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "convert private signing records to text");
+}
+ATF_TC_BODY(private_signing_totext, tc) {
+	isc_result_t result;
+	dns_rdata_t private;
+	int i;
+
+	signing_testcase_t testcases[] = {
+		{ DST_ALG_RSASHA512, 12345, 0, 0 },
+		{ DST_ALG_RSASHA256, 54321, 1, 0 },
+		{ DST_ALG_NSEC3RSASHA1, 22222, 0, 1 },
+		{ DST_ALG_RSASHA1, 33333, 1, 1 }
+	};
+	const char *results[] = {
+		"Signing with key 12345/RSASHA512",
+		"Removing signatures for key 54321/RSASHA256",
+		"Done signing with key 22222/NSEC3RSASHA1",
+		"Done removing signatures for key 33333/RSASHA1"
+	};
+	int ncases = 4;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < ncases; i++) {
+		unsigned char data[5];
+		char output[BUFSIZ];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, output, sizeof(output));
+
+		make_signing(&testcases[i], &private, data, sizeof(data));
+		dns_private_totext(&private, &buf);
+		ATF_CHECK_STREQ(output, results[i]);
+	}
+
+	dns_test_end();
+}
+
+ATF_TC(private_nsec3_totext);
+ATF_TC_HEAD(private_nsec3_totext, tc) {
+	atf_tc_set_md_var(tc, "descr", "convert private chain records to text");
+}
+ATF_TC_BODY(private_nsec3_totext, tc) {
+	isc_result_t result;
+	dns_rdata_t private;
+	int i;
+
+	nsec3_testcase_t testcases[] = {
+		{ 1, 0, 1, 0xbeef, 0, 0, 0 },
+		{ 1, 1, 10, 0xdadd, 0, 0, 0 },
+		{ 1, 0, 20, 0xbead, 0, 1, 0 },
+		{ 1, 0, 30, 0xdeaf, 1, 0, 0 },
+		{ 1, 0, 100, 0xfeedabee, 1, 0, 1 },
+	};
+	const char *results[] = {
+		"Creating NSEC3 chain 1 0 1 BEEF",
+		"Creating NSEC3 chain 1 1 10 DADD",
+		"Pending NSEC3 chain 1 0 20 BEAD",
+		"Removing NSEC3 chain 1 0 30 DEAF / creating NSEC chain",
+		"Removing NSEC3 chain 1 0 100 FEEDABEE"
+	};
+	int ncases = 5;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < ncases; i++) {
+		unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+		char output[BUFSIZ];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, output, sizeof(output));
+
+		make_nsec3(&testcases[i], &private, data);
+		dns_private_totext(&private, &buf);
+		ATF_CHECK_STREQ(output, results[i]);
+	}
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, private_signing_totext);
+	ATF_TP_ADD_TC(tp, private_nsec3_totext);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/rbt_serialize_test.c b/lib/dns/tests/rbt_serialize_test.c
new file mode 100644
index 0000000..07d4e56
--- /dev/null
+++ b/lib/dns/tests/rbt_serialize_test.c
@@ -0,0 +1,456 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/mman.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+
+#include <dns/rbt.h>
+#include <dns/fixedname.h>
+#include <dns/result.h>
+#include <dns/compress.h>
+#include "dnstest.h"
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/string.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#ifndef MAP_FILE
+#define MAP_FILE 0
+#endif
+
+typedef struct data_holder {
+	int len;
+	const char *data;
+} data_holder_t;
+
+typedef struct rbt_testdata {
+	const char *name;
+	size_t name_len;
+	data_holder_t data;
+} rbt_testdata_t;
+
+#define DATA_ITEM(name) { (name), sizeof(name) - 1, { sizeof(name), (name) } }
+
+rbt_testdata_t testdata[] = {
+	DATA_ITEM("first.com."),
+	DATA_ITEM("one.net."),
+	DATA_ITEM("two.com."),
+	DATA_ITEM("three.org."),
+	DATA_ITEM("asdf.com."),
+	DATA_ITEM("ghjkl.com."),
+	DATA_ITEM("1.edu."),
+	DATA_ITEM("2.edu."),
+	DATA_ITEM("3.edu."),
+	DATA_ITEM("123.edu."),
+	DATA_ITEM("1236.com."),
+	DATA_ITEM("and_so_forth.com."),
+	DATA_ITEM("thisisalongname.com."),
+	DATA_ITEM("a.b."),
+	DATA_ITEM("test.net."),
+	DATA_ITEM("whoknows.org."),
+	DATA_ITEM("blargh.com."),
+	DATA_ITEM("www.joe.com."),
+	DATA_ITEM("test.com."),
+	DATA_ITEM("isc.org."),
+	DATA_ITEM("uiop.mil."),
+	DATA_ITEM("last.fm."),
+	{ NULL, 0, { 0, NULL } }
+};
+
+static void
+delete_data(void *data, void *arg) {
+	UNUSED(arg);
+	UNUSED(data);
+}
+
+static isc_result_t
+write_data(FILE *file, unsigned char *datap, void *arg, uint64_t *crc) {
+	isc_result_t result;
+	size_t ret = 0;
+	data_holder_t *data = (data_holder_t *)datap;
+	data_holder_t temp;
+	off_t where;
+
+	UNUSED(arg);
+
+	REQUIRE(file != NULL);
+	REQUIRE(crc != NULL);
+	REQUIRE(data != NULL);
+	REQUIRE((data->len == 0 && data->data == NULL) ||
+		(data->len != 0 && data->data != NULL));
+
+	result = isc_stdio_tell(file, &where);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	temp = *data;
+	temp.data = (data->len == 0
+		     ? NULL
+		     : (char *)((uintptr_t)where + sizeof(data_holder_t)));
+
+	isc_crc64_update(crc, (void *)&temp, sizeof(temp));
+	ret = fwrite(&temp, sizeof(data_holder_t), 1, file);
+	if (ret != 1)
+		return (ISC_R_FAILURE);
+	if (data->len > 0) {
+		isc_crc64_update(crc, (const void *)data->data, data->len);
+		ret = fwrite(data->data, data->len, 1, file);
+		if (ret != 1)
+			return (ISC_R_FAILURE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fix_data(dns_rbtnode_t *p, void *base, size_t max, void *arg,
+	 uint64_t *crc)
+{
+	data_holder_t *data = p->data;
+	size_t size;
+
+	UNUSED(base);
+	UNUSED(max);
+	UNUSED(arg);
+
+	REQUIRE(crc != NULL);
+	REQUIRE(p != NULL);
+
+
+	if (data == NULL)
+		printf("fixing data: data NULL\n");
+	else
+		printf("fixing data: len %d, data %p\n", data->len, data->data);
+
+	if (data == NULL ||
+	    (data->len == 0 && data->data != NULL) ||
+	    (data->len != 0 && data->data == NULL))
+		return (ISC_R_INVALIDFILE);
+
+	size = max - ((char *)p - (char *)base);
+
+	if (data->len > (int) size || data->data > (const char *) max) {
+		printf("data invalid\n");
+		return (ISC_R_INVALIDFILE);
+	}
+
+	isc_crc64_update(crc, (void *)data, sizeof(*data));
+
+	data->data = (data->len == 0)
+		? NULL
+		: (char *)data + sizeof(data_holder_t);
+
+	if (data->len > 0)
+		isc_crc64_update(crc, (const void *)data->data, data->len);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Load test data into the RBT.
+ */
+static void
+add_test_data(isc_mem_t *mymctx, dns_rbt_t *rbt) {
+	char buffer[1024];
+	isc_buffer_t b;
+	isc_result_t result;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_compress_t cctx;
+	rbt_testdata_t *testdatap = testdata;
+
+	dns_compress_init(&cctx, -1, mymctx);
+
+	while (testdatap->name != NULL && testdatap->data.data != NULL) {
+		memmove(buffer, testdatap->name, testdatap->name_len);
+
+		isc_buffer_init(&b, buffer, testdatap->name_len);
+		isc_buffer_add(&b, testdatap->name_len);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			testdatap++;
+			continue;
+		}
+
+		if (name != NULL) {
+			result = dns_rbt_addname(rbt, name, &testdatap->data);
+			ATF_CHECK_STREQ(dns_result_totext(result), "success");
+		}
+		testdatap++;
+	}
+
+	dns_compress_invalidate(&cctx);
+}
+
+/*
+ * Walk the tree and ensure that all the test nodes are present.
+ */
+static void
+check_test_data(dns_rbt_t *rbt) {
+	char buffer[1024];
+	char *arg;
+	dns_fixedname_t fname;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	isc_buffer_t b;
+	data_holder_t *data;
+	isc_result_t result;
+	dns_name_t *foundname;
+	rbt_testdata_t *testdatap = testdata;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	while (testdatap->name != NULL && testdatap->data.data != NULL) {
+		memmove(buffer, testdatap->name, testdatap->name_len + 1);
+		arg = buffer;
+
+		isc_buffer_init(&b, arg, testdatap->name_len);
+		isc_buffer_add(&b, testdatap->name_len);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			testdatap++;
+			continue;
+		}
+
+		data = NULL;
+		result = dns_rbt_findname(rbt, name, 0, foundname,
+					  (void *) &data);
+		ATF_CHECK_STREQ(dns_result_totext(result), "success");
+
+		testdatap++;
+	}
+}
+
+static void
+data_printer(FILE *out, void *datap)
+{
+	data_holder_t *data = (data_holder_t *)datap;
+
+	fprintf(out, "%d bytes, %s", data->len, data->data);
+}
+
+ATF_TC(serialize);
+ATF_TC_HEAD(serialize, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test writing an rbt to file");
+}
+ATF_TC_BODY(serialize, tc) {
+	dns_rbt_t *rbt = NULL;
+	isc_result_t result;
+	FILE *rbtfile = NULL;
+	dns_rbt_t *rbt_deserialized = NULL;
+	off_t offset;
+	int fd;
+	off_t filesize = 0;
+	char *base;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_STREQ(dns_result_totext(result), "success");
+	result = dns_rbt_create(mctx, delete_data, NULL, &rbt);
+	ATF_CHECK_STREQ(dns_result_totext(result), "success");
+
+	add_test_data(mctx, rbt);
+
+	dns_rbt_printtext(rbt, data_printer, stdout);
+
+	/*
+	 * Serialize the tree.
+	 */
+	printf("serialization begins.\n");
+	rbtfile = fopen("./zone.bin", "w+b");
+	ATF_REQUIRE(rbtfile != NULL);
+	result = dns_rbt_serialize_tree(rbtfile, rbt, write_data, NULL,
+					&offset);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+	dns_rbt_destroy(&rbt);
+
+	/*
+	 * Deserialize the tree
+	 */
+	printf("deserialization begins.\n");
+
+	/*
+	 * Map in the whole file in one go
+	 */
+	fd = open("zone.bin", O_RDWR);
+	isc_file_getsizefd(fd, &filesize);
+	base = mmap(NULL, filesize,
+		    PROT_READ|PROT_WRITE,
+		    MAP_FILE|MAP_PRIVATE, fd, 0);
+	ATF_REQUIRE(base != NULL && base != MAP_FAILED);
+	close(fd);
+
+	result = dns_rbt_deserialize_tree(base, filesize, 0, mctx,
+					  delete_data, NULL, fix_data, NULL,
+					  NULL, &rbt_deserialized);
+
+	/* Test to make sure we have a valid tree */
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+	if (rbt_deserialized == NULL)
+		atf_tc_fail("deserialized rbt is null!"); /* Abort execution. */
+
+	check_test_data(rbt_deserialized);
+
+	dns_rbt_printtext(rbt_deserialized, data_printer, stdout);
+
+	dns_rbt_destroy(&rbt_deserialized);
+	munmap(base, filesize);
+	unlink("zone.bin");
+	dns_test_end();
+}
+
+ATF_TC(deserialize_corrupt);
+ATF_TC_HEAD(deserialize_corrupt, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test reading a corrupt map file");
+}
+ATF_TC_BODY(deserialize_corrupt, tc) {
+	dns_rbt_t *rbt = NULL;
+	isc_result_t result;
+	FILE *rbtfile = NULL;
+	off_t offset;
+	int fd;
+	off_t filesize = 0;
+	char *base, *p, *q;
+	uint32_t r;
+	int i;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Set up map file */
+	result = dns_rbt_create(mctx, delete_data, NULL, &rbt);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	add_test_data(mctx, rbt);
+	rbtfile = fopen("./zone.bin", "w+b");
+	ATF_REQUIRE(rbtfile != NULL);
+	result = dns_rbt_serialize_tree(rbtfile, rbt, write_data, NULL,
+					&offset);
+	ATF_REQUIRE(result == ISC_R_SUCCESS);
+	dns_rbt_destroy(&rbt);
+
+	/* Read back with random fuzzing */
+	for (i = 0; i < 256; i++) {
+		dns_rbt_t *rbt_deserialized = NULL;
+
+		fd = open("zone.bin", O_RDWR);
+		isc_file_getsizefd(fd, &filesize);
+		base = mmap(NULL, filesize,
+			    PROT_READ|PROT_WRITE,
+			    MAP_FILE|MAP_PRIVATE, fd, 0);
+		ATF_REQUIRE(base != NULL && base != MAP_FAILED);
+		close(fd);
+
+		/* Randomly fuzz a portion of the memory */
+		isc_random_get(&r);
+		p = base + (r % filesize);
+		q = base + filesize;
+		isc_random_get(&r);
+		q -= (r % (q - p));
+		while (p++ < q) {
+			isc_random_get(&r);
+			*p = r & 0xff;
+		}
+
+		result = dns_rbt_deserialize_tree(base, filesize, 0, mctx,
+						  delete_data, NULL,
+						  fix_data, NULL,
+						  NULL, &rbt_deserialized);
+		printf("%d: %s\n", i, isc_result_totext(result));
+
+		/* Test to make sure we have a valid tree */
+		ATF_REQUIRE(result == ISC_R_SUCCESS ||
+			    result == ISC_R_INVALIDFILE);
+		if (result != ISC_R_SUCCESS)
+			ATF_REQUIRE(rbt_deserialized == NULL);
+
+		if (rbt_deserialized != NULL)
+			dns_rbt_destroy(&rbt_deserialized);
+
+		munmap(base, filesize);
+	}
+
+	unlink("zone.bin");
+	dns_test_end();
+}
+
+
+ATF_TC(serialize_align);
+ATF_TC_HEAD(serialize_align, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test the dns_rbt_serialize_align() function.");
+}
+ATF_TC_BODY(serialize_align, tc) {
+	UNUSED(tc);
+
+	ATF_CHECK(dns_rbt_serialize_align(0) == 0);
+	ATF_CHECK(dns_rbt_serialize_align(1) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(2) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(3) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(4) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(5) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(6) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(7) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(8) == 8);
+	ATF_CHECK(dns_rbt_serialize_align(9) == 16);
+	ATF_CHECK(dns_rbt_serialize_align(0xff) == 0x100);
+	ATF_CHECK(dns_rbt_serialize_align(0x301) == 0x308);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, serialize);
+	ATF_TP_ADD_TC(tp, deserialize_corrupt);
+	ATF_TP_ADD_TC(tp, serialize_align);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/rbt_test.c b/lib/dns/tests/rbt_test.c
new file mode 100644
index 0000000..81d97d4
--- /dev/null
+++ b/lib/dns/tests/rbt_test.c
@@ -0,0 +1,1437 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+#include <atf-c.h>
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <inttypes.h> /* uintptr_t */
+#include <stdbool.h>
+
+#include <dns/rbt.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/compress.h>
+#include "dnstest.h"
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/string.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+#include <isc/print.h>
+#include <isc/time.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <time.h>
+
+typedef struct {
+	dns_rbt_t *rbt;
+	dns_rbt_t *rbt_distances;
+} test_context_t;
+
+/* The initial structure of domain tree will be as follows:
+ *
+ *	       .
+ *	       |
+ *	       b
+ *	     /	 \
+ *	    a	 d.e.f
+ *		/  |   \
+ *	       c   |	g.h
+ *		   |	 |
+ *		  w.y	 i
+ *		/  |  \	  \
+ *	       x   |   z   k
+ *		   |   |
+ *		   p   j
+ *		 /   \
+ *		o     q
+ */
+
+/* The full absolute names of the nodes in the tree (the tree also
+ * contains "." which is not included in this list).
+ */
+static const char * const domain_names[] = {
+    "c", "b", "a", "x.d.e.f", "z.d.e.f", "g.h", "i.g.h", "o.w.y.d.e.f",
+    "j.z.d.e.f", "p.w.y.d.e.f", "q.w.y.d.e.f", "k.g.h"
+};
+
+static const size_t domain_names_count = (sizeof(domain_names) /
+					  sizeof(domain_names[0]));
+
+/* These are set as the node data for the tree used in distances check
+ * (for the names in domain_names[] above).
+ */
+static const int node_distances[] = {
+    3, 1, 2, 2, 2, 3, 1, 2, 1, 1, 2, 2
+};
+
+/*
+ * The domain order should be:
+ * ., a, b, c, d.e.f, x.d.e.f, w.y.d.e.f, o.w.y.d.e.f, p.w.y.d.e.f,
+ * q.w.y.d.e.f, z.d.e.f, j.z.d.e.f, g.h, i.g.h, k.g.h
+ *	       . (no data, can't be found)
+ *	       |
+ *	       b
+ *	     /	 \
+ *	    a	 d.e.f
+ *		/  |   \
+ *	       c   |	g.h
+ *		   |	 |
+ *		  w.y	 i
+ *		/  |  \	  \
+ *	       x   |   z   k
+ *		   |   |
+ *		   p   j
+ *		 /   \
+ *		o     q
+ */
+
+static const char * const ordered_names[] = {
+    "a", "b", "c", "d.e.f", "x.d.e.f", "w.y.d.e.f", "o.w.y.d.e.f",
+    "p.w.y.d.e.f", "q.w.y.d.e.f", "z.d.e.f", "j.z.d.e.f",
+    "g.h", "i.g.h", "k.g.h"};
+
+static const size_t ordered_names_count = (sizeof(ordered_names) /
+					   sizeof(*ordered_names));
+
+static void
+delete_data(void *data, void *arg) {
+	UNUSED(arg);
+
+	isc_mem_put(mctx, data, sizeof(size_t));
+}
+
+static test_context_t *
+test_context_setup(void) {
+	test_context_t *ctx;
+	isc_result_t result;
+	size_t i;
+
+	ctx = isc_mem_get(mctx, sizeof(*ctx));
+	ATF_REQUIRE(ctx != NULL);
+
+	ctx->rbt = NULL;
+	result = dns_rbt_create(mctx, delete_data, NULL, &ctx->rbt);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ctx->rbt_distances = NULL;
+	result = dns_rbt_create(mctx, delete_data, NULL, &ctx->rbt_distances);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < domain_names_count; i++) {
+		size_t *n;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		dns_test_namefromstring(domain_names[i], &fname);
+
+		name = dns_fixedname_name(&fname);
+
+		n = isc_mem_get(mctx, sizeof(size_t));
+		ATF_REQUIRE(n != NULL);
+		*n = i + 1;
+		result = dns_rbt_addname(ctx->rbt, name, n);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		n = isc_mem_get(mctx, sizeof(size_t));
+		ATF_REQUIRE(n != NULL);
+		*n = node_distances[i];
+		result = dns_rbt_addname(ctx->rbt_distances, name, n);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	return (ctx);
+}
+
+static void
+test_context_teardown(test_context_t *ctx) {
+	dns_rbt_destroy(&ctx->rbt);
+	dns_rbt_destroy(&ctx->rbt_distances);
+
+	isc_mem_put(mctx, ctx, sizeof(*ctx));
+}
+
+/*
+ * Walk the tree and ensure that all the test nodes are present.
+ */
+static void
+check_test_data(dns_rbt_t *rbt) {
+	dns_fixedname_t fixed;
+	isc_result_t result;
+	dns_name_t *foundname;
+	size_t i;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	for (i = 0; i < domain_names_count; i++) {
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		size_t *n;
+
+		dns_test_namefromstring(domain_names[i], &fname);
+
+		name = dns_fixedname_name(&fname);
+		n = NULL;
+		result = dns_rbt_findname(rbt, name, 0, foundname,
+					  (void *) &n);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		ATF_CHECK_EQ(*n, i + 1);
+	}
+}
+
+ATF_TC(rbt_create);
+ATF_TC_HEAD(rbt_create, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test the creation of an rbt");
+}
+ATF_TC_BODY(rbt_create, tc) {
+	isc_result_t result;
+	test_context_t *ctx;
+	bool tree_ok;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	check_test_data(ctx->rbt);
+
+	tree_ok = dns__rbt_checkproperties(ctx->rbt);
+	ATF_CHECK_EQ(tree_ok, true);
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_nodecount);
+ATF_TC_HEAD(rbt_nodecount, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test dns_rbt_nodecount() on a tree");
+}
+ATF_TC_BODY(rbt_nodecount, tc) {
+	isc_result_t result;
+	test_context_t *ctx;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	ATF_CHECK_EQ(15, dns_rbt_nodecount(ctx->rbt));
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbtnode_get_distance);
+ATF_TC_HEAD(rbtnode_get_distance, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test dns_rbtnode_get_distance() on a tree");
+}
+ATF_TC_BODY(rbtnode_get_distance, tc) {
+	isc_result_t result;
+	test_context_t *ctx;
+	const char *name_str = "a";
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_rbtnode_t *node = NULL;
+	dns_rbtnodechain_t chain;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	dns_test_namefromstring(name_str, &fname);
+	name = dns_fixedname_name(&fname);
+
+	dns_rbtnodechain_init(&chain, mctx);
+
+	result = dns_rbt_findnode(ctx->rbt_distances, name, NULL,
+				  &node, &chain, 0, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	while (node != NULL) {
+		const size_t *distance = (const size_t *) node->data;
+		if (distance != NULL)
+			ATF_CHECK_EQ(*distance,
+				     dns__rbtnode_getdistance(node));
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+		if (result == ISC_R_NOMORE)
+		      break;
+		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
+	}
+
+	ATF_CHECK_EQ(result, ISC_R_NOMORE);
+
+	dns_rbtnodechain_invalidate(&chain);
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_check_distance_random);
+ATF_TC_HEAD(rbt_check_distance_random, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test tree balance, inserting names in random order");
+}
+ATF_TC_BODY(rbt_check_distance_random, tc) {
+	/* This test checks an important performance-related property of
+	 * the red-black tree, which is important for us: the longest
+	 * path from a sub-tree's root to a node is no more than
+	 * 2log(n). This check verifies that the tree is balanced.
+	 */
+	dns_rbt_t *mytree = NULL;
+	const unsigned int log_num_nodes = 16;
+
+	int i;
+	isc_result_t result;
+	bool tree_ok;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rbt_create(mctx, delete_data, NULL, &mytree);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Names are inserted in random order. */
+
+	/* Make a large 65536 node top-level domain tree, i.e., the
+	 * following code inserts names such as:
+	 *
+	 * savoucnsrkrqzpkqypbygwoiliawpbmz.
+	 * wkadamcbbpjtundbxcmuayuycposvngx.
+	 * wzbpznemtooxdpjecdxynsfztvnuyfao.
+	 * yueojmhyffslpvfmgyfwioxegfhepnqq.
+	 */
+	for (i = 0; i < (1 << log_num_nodes); i++) {
+		size_t *n;
+		char namebuf[34];
+
+		n = isc_mem_get(mctx, sizeof(size_t));
+		ATF_REQUIRE(n != NULL);
+		*n = i + 1;
+
+		while (1) {
+			int j;
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			for (j = 0; j < 32; j++) {
+				uint32_t v;
+				isc_random_get(&v);
+				namebuf[j] = 'a' + (v % 26);
+			}
+			namebuf[32] = '.';
+			namebuf[33] = 0;
+
+			dns_test_namefromstring(namebuf, &fname);
+			name = dns_fixedname_name(&fname);
+
+			result = dns_rbt_addname(mytree, name, n);
+			if (result == ISC_R_SUCCESS)
+				break;
+		}
+	}
+
+	/* 1 (root . node) + (1 << log_num_nodes) */
+	ATF_CHECK_EQ(1U + (1U << log_num_nodes), dns_rbt_nodecount(mytree));
+
+	/* The distance from each node to its sub-tree root must be less
+	 * than 2 * log(n).
+	 */
+	ATF_CHECK((2U * log_num_nodes) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	ATF_CHECK_EQ(tree_ok, true);
+
+	dns_rbt_destroy(&mytree);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_check_distance_ordered);
+ATF_TC_HEAD(rbt_check_distance_ordered, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test tree balance, inserting names in sorted order");
+}
+ATF_TC_BODY(rbt_check_distance_ordered, tc) {
+	/* This test checks an important performance-related property of
+	 * the red-black tree, which is important for us: the longest
+	 * path from a sub-tree's root to a node is no more than
+	 * 2log(n). This check verifies that the tree is balanced.
+	 */
+	dns_rbt_t *mytree = NULL;
+	const unsigned int log_num_nodes = 16;
+
+	int i;
+	isc_result_t result;
+	bool tree_ok;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rbt_create(mctx, delete_data, NULL, &mytree);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Names are inserted in sorted order. */
+
+	/* Make a large 65536 node top-level domain tree, i.e., the
+	 * following code inserts names such as:
+	 *
+	 *   name00000000.
+	 *   name00000001.
+	 *   name00000002.
+	 *   name00000003.
+	 */
+	for (i = 0; i < (1 << log_num_nodes); i++) {
+		size_t *n;
+		char namebuf[14];
+		dns_fixedname_t fname;
+		dns_name_t *name;
+
+		n = isc_mem_get(mctx, sizeof(size_t));
+		ATF_REQUIRE(n != NULL);
+		*n = i + 1;
+
+		snprintf(namebuf, sizeof(namebuf), "name%08x.", i);
+		dns_test_namefromstring(namebuf, &fname);
+		name = dns_fixedname_name(&fname);
+
+		result = dns_rbt_addname(mytree, name, n);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	/* 1 (root . node) + (1 << log_num_nodes) */
+	ATF_CHECK_EQ(1U + (1U << log_num_nodes), dns_rbt_nodecount(mytree));
+
+	/* The distance from each node to its sub-tree root must be less
+	 * than 2 * log(n).
+	 */
+	ATF_CHECK((2U * log_num_nodes) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	ATF_CHECK_EQ(tree_ok, true);
+
+	dns_rbt_destroy(&mytree);
+
+	dns_test_end();
+}
+
+static isc_result_t
+insert_helper(dns_rbt_t *rbt, const char *namestr, dns_rbtnode_t **node) {
+	dns_fixedname_t fname;
+	dns_name_t *name;
+
+	dns_test_namefromstring(namestr, &fname);
+	name = dns_fixedname_name(&fname);
+
+	return (dns_rbt_addnode(rbt, name, node));
+}
+
+static bool
+compare_labelsequences(dns_rbtnode_t *node, const char *labelstr) {
+	dns_name_t name;
+	isc_result_t result;
+	char *nodestr = NULL;
+	bool is_equal;
+
+	dns_name_init(&name, NULL);
+	dns_rbt_namefromnode(node, &name);
+
+	result = dns_name_tostring(&name, &nodestr, mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	is_equal = strcmp(labelstr, nodestr) == 0 ? true : false;
+
+	isc_mem_free(mctx, nodestr);
+
+	return (is_equal);
+}
+
+ATF_TC(rbt_insert);
+ATF_TC_HEAD(rbt_insert, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test insertion into a tree");
+}
+ATF_TC_BODY(rbt_insert, tc) {
+	isc_result_t result;
+	test_context_t *ctx;
+	dns_rbtnode_t *node;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	/* Check node count before beginning. */
+	ATF_CHECK_EQ(15, dns_rbt_nodecount(ctx->rbt));
+
+	/* Try to insert a node that already exists. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_EXISTS);
+
+	/* Node count must not have changed. */
+	ATF_CHECK_EQ(15, dns_rbt_nodecount(ctx->rbt));
+
+	/* Try to insert a node that doesn't exist. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "0", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "0"), true);
+
+	/* Node count must have increased. */
+	ATF_CHECK_EQ(16, dns_rbt_nodecount(ctx->rbt));
+
+	/* Another. */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "example.com", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(node != NULL);
+	ATF_CHECK_EQ(node->data, NULL);
+
+	/* Node count must have increased. */
+	ATF_CHECK_EQ(17, dns_rbt_nodecount(ctx->rbt));
+
+	/* Re-adding it should return EXISTS */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "example.com", &node);
+	ATF_CHECK_EQ(result, ISC_R_EXISTS);
+
+	/* Node count must not have changed. */
+	ATF_CHECK_EQ(17, dns_rbt_nodecount(ctx->rbt));
+
+	/* Fission the node d.e.f */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "k.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "k"), true);
+
+	/* Node count must have incremented twice ("d.e.f" fissioned to
+	 * "d" and "e.f", and the newly added "k").
+	 */
+	ATF_CHECK_EQ(19, dns_rbt_nodecount(ctx->rbt));
+
+	/* Fission the node "g.h" */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "h", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "h"), true);
+
+	/* Node count must have incremented ("g.h" fissioned to "g" and
+	 * "h").
+	 */
+	ATF_CHECK_EQ(20, dns_rbt_nodecount(ctx->rbt));
+
+	/* Add child domains */
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "m.p.w.y.d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "m"), true);
+	ATF_CHECK_EQ(21, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "n.p.w.y.d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "n"), true);
+	ATF_CHECK_EQ(22, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "l.a", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(compare_labelsequences(node, "l"), true);
+	ATF_CHECK_EQ(23, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "r.d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	node = NULL;
+	result = insert_helper(ctx->rbt, "s.d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(25, dns_rbt_nodecount(ctx->rbt));
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "h.w.y.d.e.f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	/* Add more nodes one by one to cover left and right rotation
+	 * functions.
+	 */
+	node = NULL;
+	result = insert_helper(ctx->rbt, "f", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "m", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "nm", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "om", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "k", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "l", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "fe", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "ge", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "i", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "ae", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	node = NULL;
+	result = insert_helper(ctx->rbt, "n", &node);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_remove);
+ATF_TC_HEAD(rbt_remove, tc) {
+	atf_tc_set_md_var(tc, "descr", "Test removal from a tree");
+}
+ATF_TC_BODY(rbt_remove, tc) {
+	/*
+	 * This testcase checks that after node removal, the
+	 * binary-search tree is valid and all nodes that are supposed
+	 * to exist are present in the correct order. It mainly tests
+	 * DomainTree as a BST, and not particularly as a red-black
+	 * tree. This test checks node deletion when upper nodes have
+	 * data.
+	 */
+	isc_result_t result;
+	size_t j;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Delete single nodes and check if the rest of the nodes exist.
+	 */
+	for (j = 0; j < ordered_names_count; j++) {
+		dns_rbt_t *mytree = NULL;
+		dns_rbtnode_t *node;
+		size_t i;
+		size_t *n;
+		bool tree_ok;
+		dns_rbtnodechain_t chain;
+		size_t start_node;
+
+		/* Create a tree. */
+		result = dns_rbt_create(mctx, delete_data, NULL, &mytree);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		/* Insert test data into the tree. */
+		for (i = 0; i < domain_names_count; i++) {
+			node = NULL;
+			result = insert_helper(mytree, domain_names[i], &node);
+			ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		}
+
+		/* Check that all names exist in order. */
+		for (i = 0; i < ordered_names_count; i++) {
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[i], &fname);
+
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL,
+						  &node, NULL,
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+			/* Add node data */
+			ATF_REQUIRE(node != NULL);
+			ATF_REQUIRE_EQ(node->data, NULL);
+
+			n = isc_mem_get(mctx, sizeof(size_t));
+			ATF_REQUIRE(n != NULL);
+			*n = i;
+
+			node->data = n;
+		}
+
+		/* Now, delete the j'th node from the tree. */
+		{
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[j], &fname);
+
+			name = dns_fixedname_name(&fname);
+
+			result = dns_rbt_deletename(mytree, name, false);
+			ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		}
+
+		/* Check RB tree properties. */
+		tree_ok = dns__rbt_checkproperties(mytree);
+		ATF_CHECK_EQ(tree_ok, true);
+
+		dns_rbtnodechain_init(&chain, mctx);
+
+		/* Now, walk through nodes in order. */
+		if (j == 0) {
+			/*
+			 * Node for ordered_names[0] was already deleted
+			 * above. We start from node 1.
+			 */
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[0], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL,
+						  &node, NULL,
+						  0,
+						  NULL, NULL);
+			ATF_CHECK_EQ(result, ISC_R_NOTFOUND);
+
+			dns_test_namefromstring(ordered_names[1], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL,
+						  &node, &chain,
+						  0,
+						  NULL, NULL);
+			ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+			start_node = 1;
+		} else {
+			/* Start from node 0. */
+			dns_fixedname_t fname;
+			dns_name_t *name;
+
+			dns_test_namefromstring(ordered_names[0], &fname);
+			name = dns_fixedname_name(&fname);
+			node = NULL;
+			result = dns_rbt_findnode(mytree, name, NULL,
+						  &node, &chain,
+						  0,
+						  NULL, NULL);
+			ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+			start_node = 0;
+		}
+
+		/*
+		 * node and chain have been set by the code above at
+		 * this point.
+		 */
+		for (i = start_node; i < ordered_names_count; i++) {
+			dns_fixedname_t fname_j, fname_i;
+			dns_name_t *name_j, *name_i;
+
+			dns_test_namefromstring(ordered_names[j], &fname_j);
+			name_j = dns_fixedname_name(&fname_j);
+			dns_test_namefromstring(ordered_names[i], &fname_i);
+			name_i = dns_fixedname_name(&fname_i);
+
+			if (dns_name_equal(name_i, name_j)) {
+				/*
+				 * This may be true for the last node if
+				 * we seek ahead in the loop using
+				 * dns_rbtnodechain_next() below.
+				 */
+				if (node == NULL) {
+					break;
+				}
+
+				/* All ordered nodes have data
+				 * initially. If any node is empty, it
+				 * means it was removed, but an empty
+				 * node exists because it is a
+				 * super-domain. Just skip it.
+				 */
+				if (node->data == NULL) {
+					result = dns_rbtnodechain_next(&chain,
+								       NULL,
+								       NULL);
+					if (result == ISC_R_NOMORE) {
+						node = NULL;
+					} else {
+						dns_rbtnodechain_current(&chain,
+									 NULL,
+									 NULL,
+									 &node);
+					}
+				}
+				continue;
+			}
+
+			ATF_REQUIRE(node != NULL);
+
+			n = (size_t *) node->data;
+			if (n != NULL) {
+				/* printf("n=%zu, i=%zu\n", *n, i); */
+				ATF_CHECK_EQ(*n, i);
+			}
+
+			result = dns_rbtnodechain_next(&chain, NULL, NULL);
+			if (result == ISC_R_NOMORE) {
+				node = NULL;
+			} else {
+				dns_rbtnodechain_current(&chain, NULL, NULL,
+							 &node);
+			}
+		}
+
+		/* We should have reached the end of the tree. */
+		ATF_REQUIRE_EQ(node, NULL);
+
+		dns_rbt_destroy(&mytree);
+	}
+
+	dns_test_end();
+}
+
+static void
+insert_nodes(dns_rbt_t *mytree, char **names,
+	     size_t *names_count, uint32_t num_names)
+{
+	uint32_t i;
+	dns_rbtnode_t *node;
+
+	for (i = 0; i < num_names; i++) {
+		size_t *n;
+		char namebuf[34];
+
+		n = isc_mem_get(mctx, sizeof(size_t));
+		ATF_REQUIRE(n != NULL);
+
+		*n = i; /* Unused value */
+
+		while (1) {
+			int j;
+			dns_fixedname_t fname;
+			dns_name_t *name;
+			isc_result_t result;
+
+			for (j = 0; j < 32; j++) {
+				uint32_t v;
+				isc_random_get(&v);
+				namebuf[j] = 'a' + (v % 26);
+			}
+			namebuf[32] = '.';
+			namebuf[33] = 0;
+
+			dns_test_namefromstring(namebuf, &fname);
+			name = dns_fixedname_name(&fname);
+
+			node = NULL;
+			result = dns_rbt_addnode(mytree, name, &node);
+			if (result == ISC_R_SUCCESS) {
+				node->data = n;
+				names[*names_count] = isc_mem_strdup(mctx,
+								     namebuf);
+				ATF_REQUIRE(names[*names_count] != NULL);
+				*names_count += 1;
+				break;
+			}
+		}
+	}
+}
+
+static void
+remove_nodes(dns_rbt_t *mytree, char **names,
+	     size_t *names_count, uint32_t num_names)
+{
+	uint32_t i;
+
+	UNUSED(mytree);
+
+	for (i = 0; i < num_names; i++) {
+		uint32_t node;
+		dns_fixedname_t fname;
+		dns_name_t *name;
+		isc_result_t result;
+
+		isc_random_get(&node);
+
+		node %= *names_count;
+
+		dns_test_namefromstring(names[node], &fname);
+		name = dns_fixedname_name(&fname);
+
+		result = dns_rbt_deletename(mytree, name, false);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+		isc_mem_free(mctx, names[node]);
+		if (*names_count > 0) {
+			names[node] = names[*names_count - 1];
+			names[*names_count - 1] = NULL;
+			*names_count -= 1;
+		}
+	}
+}
+
+static void
+check_tree(dns_rbt_t *mytree, char **names, size_t names_count,
+	   unsigned int line)
+{
+	bool tree_ok;
+
+	UNUSED(names);
+
+	ATF_CHECK_EQ_MSG(names_count + 1, dns_rbt_nodecount(mytree),
+			 "line:%u: %lu != %u", line,
+			 (unsigned long)(names_count + 1),
+			 dns_rbt_nodecount(mytree));
+
+	/*
+	 * The distance from each node to its sub-tree root must be less
+	 * than 2 * log_2(1024).
+	 */
+	ATF_CHECK((2 * 10) >= dns__rbt_getheight(mytree));
+
+	/* Also check RB tree properties */
+	tree_ok = dns__rbt_checkproperties(mytree);
+	ATF_CHECK_EQ(tree_ok, true);
+}
+
+ATF_TC(rbt_insert_and_remove);
+ATF_TC_HEAD(rbt_insert_and_remove, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "Test insert and remove in a loop");
+}
+ATF_TC_BODY(rbt_insert_and_remove, tc) {
+	/*
+	 * What is the best way to test our red-black tree code? It is
+	 * not a good method to test every case handled in the actual
+	 * code itself. This is because our approach itself may be
+	 * incorrect.
+	 *
+	 * We test our code at the interface level here by exercising the
+	 * tree randomly multiple times, checking that red-black tree
+	 * properties are valid, and all the nodes that are supposed to be
+	 * in the tree exist and are in order.
+	 *
+	 * NOTE: These tests are run within a single tree level in the
+	 * forest. The number of nodes in the tree level doesn't grow
+	 * over 1024.
+	 */
+	isc_result_t result;
+	dns_rbt_t *mytree = NULL;
+	size_t *n;
+	/*
+	 * We use an array for storing names instead of a set
+	 * structure. It's slow, but works and is good enough for tests.
+	 */
+	char *names[1024];
+	size_t names_count;
+	int i;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rbt_create(mctx, delete_data, NULL, &mytree);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	n = isc_mem_get(mctx, sizeof(size_t));
+	ATF_REQUIRE(n != NULL);
+	result = dns_rbt_addname(mytree, dns_rootname, n);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(names, 0, sizeof(names));
+	names_count = 0;
+
+	/* Repeat the insert/remove test some 4096 times */
+	for (i = 0; i < 4096; i++) {
+		uint32_t num_names;
+		isc_random_get(&num_names);
+
+		if (names_count < 1024) {
+			num_names %= 1024 - names_count;
+			num_names++;
+		} else {
+			num_names = 0;
+		}
+
+		insert_nodes(mytree, names, &names_count, num_names);
+		check_tree(mytree, names, names_count, __LINE__);
+
+		isc_random_get(&num_names);
+		if (names_count > 0) {
+			num_names %= names_count;
+			num_names++;
+		} else {
+			num_names = 0;
+		}
+
+		remove_nodes(mytree, names, &names_count, num_names);
+		check_tree(mytree, names, names_count, __LINE__);
+	}
+
+	/* Remove the rest of the nodes */
+	remove_nodes(mytree, names, &names_count, names_count);
+	check_tree(mytree, names, names_count, __LINE__);
+
+	for (i = 0; i < 1024; i++) {
+		if (names[i] != NULL) {
+			isc_mem_free(mctx, names[i]);
+		}
+	}
+
+	result = dns_rbt_deletename(mytree, dns_rootname, false);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "result: %s", isc_result_totext(result));
+	ATF_CHECK_EQ_MSG(dns_rbt_nodecount(mytree), 0,
+			 "%u != 0", dns_rbt_nodecount(mytree));
+
+	dns_rbt_destroy(&mytree);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_findname);
+ATF_TC_HEAD(rbt_findname, tc) {
+	atf_tc_set_md_var(tc, "descr", "findname return values");
+}
+ATF_TC_BODY(rbt_findname, tc) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname, found;
+	dns_name_t *name = NULL, *foundname = NULL;
+	size_t *n = NULL;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	/* Try to find a name that exists. */
+	dns_test_namefromstring("d.e.f", &fname);
+	name = dns_fixedname_name(&fname);
+
+	foundname = dns_fixedname_initname(&found);
+
+	result = dns_rbt_findname(ctx->rbt, name,
+				  DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *) &n);
+	ATF_CHECK(dns_name_equal(foundname, name));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	/* Now without EMPTYDATA */
+	result = dns_rbt_findname(ctx->rbt, name, 0,
+				  foundname, (void *) &n);
+	ATF_CHECK_EQ(result, ISC_R_NOTFOUND);
+
+	/* Now one that partially matches */
+	dns_test_namefromstring("d.e.f.g.h.i.j", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_findname(ctx->rbt, name,
+				  DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *) &n);
+	ATF_CHECK_EQ(result, DNS_R_PARTIALMATCH);
+
+	/* Now one that doesn't match */
+	dns_test_namefromstring("1.2", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_findname(ctx->rbt, name,
+				  DNS_RBTFIND_EMPTYDATA,
+				  foundname, (void *) &n);
+	ATF_CHECK_EQ(result, DNS_R_PARTIALMATCH);
+	ATF_CHECK(dns_name_equal(foundname, dns_rootname));
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_addname);
+ATF_TC_HEAD(rbt_addname, tc) {
+	atf_tc_set_md_var(tc, "descr", "addname return values");
+}
+ATF_TC_BODY(rbt_addname, tc) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+	size_t *n;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	n = isc_mem_get(mctx, sizeof(size_t));
+	ATF_REQUIRE(n != NULL);
+	*n = 1;
+
+	dns_test_namefromstring("d.e.f.g.h.i.j.k", &fname);
+	name = dns_fixedname_name(&fname);
+
+	/* Add a name that doesn't exist */
+	result = dns_rbt_addname(ctx->rbt, name, n);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Now add again, should get ISC_R_EXISTS */
+	n = isc_mem_get(mctx, sizeof(size_t));
+	ATF_REQUIRE(n != NULL);
+	*n = 2;
+	result = dns_rbt_addname(ctx->rbt, name, n);
+	ATF_REQUIRE_EQ(result, ISC_R_EXISTS);
+	isc_mem_put(mctx, n, sizeof(size_t));
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_deletename);
+ATF_TC_HEAD(rbt_deletename, tc) {
+	atf_tc_set_md_var(tc, "descr", "deletename return values");
+}
+ATF_TC_BODY(rbt_deletename, tc) {
+	isc_result_t result;
+	test_context_t *ctx = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	/* Delete a name that doesn't exist */
+	dns_test_namefromstring("z.x.y.w", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_deletename(ctx->rbt, name, false);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+
+	/* Now one that does */
+	dns_test_namefromstring("d.e.f", &fname);
+	name = dns_fixedname_name(&fname);
+	result = dns_rbt_deletename(ctx->rbt, name, false);
+	ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+ATF_TC(rbt_nodechain);
+ATF_TC_HEAD(rbt_nodechain, tc) {
+	atf_tc_set_md_var(tc, "descr", "nodechain");
+}
+ATF_TC_BODY(rbt_nodechain, tc) {
+	isc_result_t result;
+	test_context_t *ctx;
+	dns_fixedname_t fname, found, expect;
+	dns_name_t *name, *foundname, *expected;
+	dns_rbtnode_t *node = NULL;
+	dns_rbtnodechain_t chain;
+
+	UNUSED(tc);
+
+	isc_mem_debugging = ISC_MEM_DEBUGRECORD;
+
+	result = dns_test_begin(NULL, true);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ctx = test_context_setup();
+
+	dns_rbtnodechain_init(&chain, mctx);
+
+	dns_test_namefromstring("a", &fname);
+	name = dns_fixedname_name(&fname);
+
+	result = dns_rbt_findnode(ctx->rbt, name, NULL,
+				  &node, &chain, 0, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	foundname = dns_fixedname_initname(&found);
+
+	dns_test_namefromstring("a", &expect);
+	expected = dns_fixedname_name(&expect);
+	UNUSED(expected);
+
+	result = dns_rbtnodechain_first(&chain, ctx->rbt, foundname, NULL);
+	ATF_CHECK_EQ(result, DNS_R_NEWORIGIN);
+	ATF_CHECK_EQ(dns_name_countlabels(foundname), 0);
+
+	result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_NOMORE);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rbtnodechain_last(&chain, ctx->rbt, NULL, NULL);
+	ATF_CHECK_EQ(result, DNS_R_NEWORIGIN);
+
+	result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_NOMORE);
+
+	result = dns_rbtnodechain_last(&chain, ctx->rbt, NULL, NULL);
+	ATF_CHECK_EQ(result, DNS_R_NEWORIGIN);
+
+	result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	dns_rbtnodechain_invalidate(&chain);
+
+	test_context_teardown(ctx);
+
+	dns_test_end();
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef DNS_BENCHMARK_TESTS
+
+/*
+ * XXXMUKS: Don't delete this code. It is useful in benchmarking the
+ * RBT, but we don't require it as part of the unit test runs.
+ */
+
+ATF_TC(benchmark);
+ATF_TC_HEAD(benchmark, tc) {
+	atf_tc_set_md_var(tc, "descr", "Benchmark RBT implementation");
+}
+
+static dns_fixedname_t *fnames;
+static dns_name_t **names;
+static int *values;
+
+static void *
+find_thread(void *arg) {
+	dns_rbt_t *mytree;
+	isc_result_t result;
+	dns_rbtnode_t *node;
+	unsigned int j, i;
+	unsigned int start = 0;
+
+	mytree = (dns_rbt_t *) arg;
+	while (start == 0)
+		start = random() % 4000000;
+
+	/* Query 32 million random names from it in each thread */
+	for (j = 0; j < 8; j++) {
+		for (i = start; i != start - 1; i = (i + 1) % 4000000) {
+			node = NULL;
+			result = dns_rbt_findnode(mytree, names[i], NULL,
+						  &node, NULL,
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+			ATF_REQUIRE(node != NULL);
+			ATF_CHECK_EQ(values[i], (intptr_t) node->data);
+		}
+	}
+
+	return (NULL);
+}
+
+ATF_TC_BODY(benchmark, tc) {
+	isc_result_t result;
+	char namestr[sizeof("name18446744073709551616.example.org.")];
+	unsigned int r;
+	dns_rbt_t *mytree;
+	dns_rbtnode_t *node;
+	unsigned int i;
+	unsigned int maxvalue = 1000000;
+	isc_time_t ts1, ts2;
+	double t;
+	unsigned int nthreads;
+	isc_thread_t threads[32];
+
+	UNUSED(tc);
+
+	srandom(time(NULL));
+
+	debug_mem_record = false;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	fnames = (dns_fixedname_t *) malloc(4000000 * sizeof(dns_fixedname_t));
+	names = (dns_name_t **) malloc(4000000 * sizeof(dns_name_t *));
+	values = (int *) malloc(4000000 * sizeof(int));
+
+	for (i = 0; i < 4000000; i++) {
+		  r = ((unsigned long) random()) % maxvalue;
+		  snprintf(namestr, sizeof(namestr), "name%u.example.org.", r);
+		  dns_test_namefromstring(namestr, &fnames[i]);
+		  names[i] = dns_fixedname_name(&fnames[i]);
+		  values[i] = r;
+	}
+
+	/* Create a tree. */
+	mytree = NULL;
+	result = dns_rbt_create(mctx, NULL, NULL, &mytree);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Insert test data into the tree. */
+	for (i = 0; i < maxvalue; i++) {
+		snprintf(namestr, sizeof(namestr), "name%u.example.org.", i);
+		node = NULL;
+		result = insert_helper(mytree, namestr, &node);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		node->data = (void *) (intptr_t) i;
+	}
+
+	result = isc_time_now(&ts1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	nthreads = ISC_MIN(isc_os_ncpus(), 32);
+	nthreads = ISC_MAX(nthreads, 1);
+	for (i = 0; i < nthreads; i++) {
+		result = isc_thread_create(find_thread, mytree, &threads[i]);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < nthreads; i++) {
+		result = isc_thread_join(threads[i], NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	result = isc_time_now(&ts2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	t = isc_time_microdiff(&ts2, &ts1);
+
+	printf("%u findnode calls, %f seconds, %f calls/second\n",
+	       nthreads * 8 * 4000000, t / 1000000.0,
+	       (nthreads * 8 * 4000000) / (t / 1000000.0));
+
+	free(values);
+	free(names);
+	free(fnames);
+
+	dns_rbt_destroy(&mytree);
+
+	dns_test_end();
+}
+
+#endif /* DNS_BENCHMARK_TESTS */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, rbt_create);
+	ATF_TP_ADD_TC(tp, rbt_nodecount);
+	ATF_TP_ADD_TC(tp, rbtnode_get_distance);
+	ATF_TP_ADD_TC(tp, rbt_check_distance_random);
+	ATF_TP_ADD_TC(tp, rbt_check_distance_ordered);
+	ATF_TP_ADD_TC(tp, rbt_insert);
+	ATF_TP_ADD_TC(tp, rbt_remove);
+	ATF_TP_ADD_TC(tp, rbt_insert_and_remove);
+	ATF_TP_ADD_TC(tp, rbt_findname);
+	ATF_TP_ADD_TC(tp, rbt_addname);
+	ATF_TP_ADD_TC(tp, rbt_deletename);
+	ATF_TP_ADD_TC(tp, rbt_nodechain);
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef DNS_BENCHMARK_TESTS
+	ATF_TP_ADD_TC(tp, benchmark);
+#endif /* DNS_BENCHMARK_TESTS */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
new file mode 100644
index 0000000..6837516
--- /dev/null
+++ b/lib/dns/tests/rdata_test.c
@@ -0,0 +1,1214 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/types.h>
+
+#include <dns/callbacks.h>
+#include <dns/rdata.h>
+
+#include "dnstest.h"
+
+/*****
+ ***** Commonly used structures
+ *****/
+
+/*
+ * An array of these structures is passed to check_text_ok().
+ */
+struct text_ok {
+	const char *text_in;		/* text passed to fromtext_*() */
+	const char *text_out;		/* text expected from totext_*();
+					   NULL indicates text_in is invalid */
+	int lineno;			/* source line defining this RDATA */
+};
+typedef struct text_ok text_ok_t;
+
+/*
+ * An array of these structures is passed to check_wire_ok().
+ */
+struct wire_ok {
+	unsigned char data[512];	/* RDATA in wire format */
+	size_t len;			/* octets of data to parse */
+	bool ok;		/* is this RDATA valid? */
+	int lineno;			/* source line defining this RDATA */
+};
+typedef struct wire_ok wire_ok_t;
+
+/*****
+ ***** Convenience macros for creating the above structures
+ *****/
+
+#define TEXT_VALID_CHANGED(data_in, data_out) \
+				{ data_in, data_out, __LINE__ }
+#define TEXT_VALID(data)	{ data, data, __LINE__ }
+#define TEXT_INVALID(data)	{ data, NULL, __LINE__ }
+#define TEXT_SENTINEL()		TEXT_INVALID(NULL)
+
+#define VARGC(...)		(sizeof((unsigned char[]){ __VA_ARGS__ }))
+#define WIRE_TEST(ok, ...)	{					      \
+					{ __VA_ARGS__ }, VARGC(__VA_ARGS__),  \
+					ok, __LINE__			      \
+				}
+#define WIRE_VALID(...)		WIRE_TEST(true, __VA_ARGS__)
+#define WIRE_INVALID(...)	WIRE_TEST(false, __VA_ARGS__)
+#define WIRE_SENTINEL()		WIRE_TEST(false)
+
+/*****
+ ***** Checking functions used by test cases
+ *****/
+
+/*
+ * Test whether converting rdata to a type-specific struct and then back to
+ * rdata results in the same uncompressed wire form.  This checks whether
+ * tostruct_*() and fromstruct_*() routines for given RR class and type behave
+ * consistently.
+ *
+ * This function is called for every correctly processed input RDATA, from both
+ * check_text_ok_single() and check_wire_ok_single().
+ */
+static void
+check_struct_conversions(dns_rdata_t *rdata, size_t structsize, int lineno) {
+	dns_rdataclass_t rdclass = rdata->rdclass;
+	dns_rdatatype_t type = rdata->type;
+	isc_result_t result;
+	isc_buffer_t target;
+	void *rdata_struct;
+	char buf[1024], hex[BUFSIZ];
+
+	rdata_struct = isc_mem_allocate(mctx, structsize);
+	ATF_REQUIRE(rdata_struct != NULL);
+
+	/*
+	 * Convert from uncompressed wire form into type-specific struct.
+	 */
+	result = dns_rdata_tostruct(rdata, rdata_struct, NULL);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "%s (%u): dns_rdata_tostruct() failed",
+			   dns_test_tohex(rdata->data, rdata->length,
+					  hex, sizeof(hex)),
+			   rdata->length);
+	/*
+	 * Convert from type-specific struct into uncompressed wire form.
+	 */
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_rdata_fromstruct(NULL, rdclass, type, rdata_struct,
+				      &target);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "line %d: %s (%u): dns_rdata_fromstruct() failed",
+			   lineno, dns_test_tohex(rdata->data, rdata->length,
+						  hex, sizeof(hex)),
+			   rdata->length);
+	/*
+	 * Ensure results are consistent.
+	 */
+	ATF_REQUIRE_EQ_MSG(isc_buffer_usedlength(&target), rdata->length,
+			   "line %d: %s (%u): wire form data length changed "
+			   "after converting to type-specific struct and back",
+			   lineno, dns_test_tohex(rdata->data, rdata->length,
+						  hex, sizeof(hex)),
+			   rdata->length);
+	ATF_REQUIRE_EQ_MSG(memcmp(buf, rdata->data, rdata->length), 0,
+			   "line %d: %s (%u): wire form data different after "
+			   "converting to type-specific struct and back",
+			   lineno, dns_test_tohex(rdata->data, rdata->length,
+						  hex, sizeof(hex)),
+			   rdata->length);
+
+	isc_mem_free(mctx, rdata_struct);
+}
+
+/*
+ * Check whether converting supplied text form RDATA into uncompressed wire
+ * form succeeds (tests fromtext_*()).  If so, try converting it back into text
+ * form and see if it results in the original text (tests totext_*()).
+ */
+static void
+check_text_ok_single(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, size_t structsize)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char buf_fromtext[1024];
+	char buf_totext[1024] = { 0 };
+	isc_buffer_t target;
+	isc_result_t result;
+
+	/*
+	 * Try converting text form RDATA into uncompressed wire form.
+	 */
+	result = dns_test_rdatafromstring(&rdata, rdclass, type, buf_fromtext,
+					  sizeof(buf_fromtext),
+					  text_ok->text_in);
+	/*
+	 * Check whether result is as expected.
+	 */
+	if (text_ok->text_out != NULL) {
+		ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+				   "line %d: '%s': "
+				   "expected success, got failure",
+				   text_ok->lineno, text_ok->text_in);
+	} else {
+		ATF_REQUIRE_MSG(result != ISC_R_SUCCESS,
+				"line %d: '%s': "
+				"expected failure, got success",
+				text_ok->lineno, text_ok->text_in);
+	}
+	/*
+	 * If text form RDATA was not parsed correctly, performing any
+	 * additional checks is pointless.
+	 */
+	if (result != ISC_R_SUCCESS) {
+		return;
+	}
+	/*
+	 * Try converting uncompressed wire form RDATA back into text form and
+	 * check whether the resulting text is the same as the original one.
+	 */
+	isc_buffer_init(&target, buf_totext, sizeof(buf_totext));
+	result = dns_rdata_totext(&rdata, NULL, &target);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "line %d: '%s': "
+			   "failed to convert rdata back to text form",
+			   text_ok->lineno, text_ok->text_in);
+	ATF_REQUIRE_EQ_MSG(strcmp(buf_totext, text_ok->text_out), 0,
+			   "line %d: '%s': "
+			   "converts back to '%s', expected '%s'",
+			   text_ok->lineno, text_ok->text_in, buf_totext,
+			   text_ok->text_out);
+	/*
+	 * Perform two-way conversion checks between uncompressed wire form and
+	 * type-specific struct.
+	 */
+	check_struct_conversions(&rdata, structsize, text_ok->lineno);
+}
+
+/*
+ * Test whether supplied wire form RDATA is properly handled as being either
+ * valid or invalid for an RR of given rdclass and type.
+ */
+static void
+check_wire_ok_single(const wire_ok_t *wire_ok, dns_rdataclass_t rdclass,
+		     dns_rdatatype_t type, size_t structsize)
+{
+	isc_buffer_t source, target;
+	unsigned char buf[1024];
+	dns_decompress_t dctx;
+	isc_result_t result;
+	dns_rdata_t rdata;
+	char hex[BUFSIZ];
+
+	/*
+	 * Set up len-octet buffer pointing at data.
+	 */
+	isc_buffer_constinit(&source, wire_ok->data, wire_ok->len);
+	isc_buffer_add(&source, wire_ok->len);
+	isc_buffer_setactive(&source, wire_ok->len);
+	/*
+	 * Initialize target structures.
+	 */
+	isc_buffer_init(&target, buf, sizeof(buf));
+	dns_rdata_init(&rdata);
+	/*
+	 * Try converting wire data into uncompressed wire form.
+	 */
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+	result = dns_rdata_fromwire(&rdata, rdclass, type, &source, &dctx, 0,
+				    &target);
+	dns_decompress_invalidate(&dctx);
+	/*
+	 * Check whether result is as expected.
+	 */
+	if (wire_ok->ok) {
+		ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+				   "line %d: %s (%lu): "
+				   "expected success, got failure",
+				   wire_ok->lineno,
+				   dns_test_tohex(wire_ok->data, wire_ok->len,
+						  hex, sizeof(hex)),
+				   (unsigned long)wire_ok->len);
+	} else {
+		ATF_REQUIRE_MSG(result != ISC_R_SUCCESS,
+				"line %d: %s (%lu): "
+				"expected failure, got success",
+				wire_ok->lineno,
+				dns_test_tohex(wire_ok->data, wire_ok->len,
+					       hex, sizeof(hex)),
+				(unsigned long)wire_ok->len);
+	}
+	/*
+	 * If data was parsed correctly, perform two-way conversion checks
+	 * between uncompressed wire form and type-specific struct.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		check_struct_conversions(&rdata, structsize, wire_ok->lineno);
+	}
+}
+
+/*
+ * Test fromtext_*() and totext_*() routines for given RR class and type for
+ * each text form RDATA in the supplied array.  See the comment for
+ * check_text_ok_single() for an explanation of how exactly these routines are
+ * tested.
+ */
+static void
+check_text_ok(const text_ok_t *text_ok, dns_rdataclass_t rdclass,
+	      dns_rdatatype_t type, size_t structsize)
+{
+	size_t i;
+
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; text_ok[i].text_in != NULL; i++) {
+		check_text_ok_single(&text_ok[i], rdclass, type, structsize);
+	}
+}
+
+/*
+ * For each wire form RDATA in the supplied array, check whether it is properly
+ * handled as being either valid or invalid for an RR of given rdclass and
+ * type, then check whether trying to process a zero-length wire data buffer
+ * yields the expected result.  This checks whether the fromwire_*() routine
+ * for given RR class and type behaves as expected.
+ */
+static void
+check_wire_ok(const wire_ok_t *wire_ok, bool empty_ok,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
+	      size_t structsize)
+{
+	wire_ok_t empty_wire = WIRE_TEST(empty_ok);
+	size_t i;
+
+	/*
+	 * Check all entries in the supplied array.
+	 */
+	for (i = 0; wire_ok[i].len != 0; i++) {
+		check_wire_ok_single(&wire_ok[i], rdclass, type, structsize);
+	}
+
+	/*
+	 * Check empty wire data.
+	 */
+	check_wire_ok_single(&empty_wire, rdclass, type, structsize);
+}
+
+/*
+ * Test whether supplied sets of text form and/or wire form RDATA are handled
+ * as expected.  This is just a helper function which should be the only
+ * function called for a test case using it, due to the use of dns_test_begin()
+ * and dns_test_end().
+ *
+ * The empty_ok argument denotes whether an attempt to parse a zero-length wire
+ * data buffer should succeed or not (it is valid for some RR types).  There is
+ * no point in performing a similar check for empty text form RDATA, because
+ * dns_rdata_fromtext() returns ISC_R_UNEXPECTEDEND before calling fromtext_*()
+ * for the given RR class and type.
+ */
+static void
+check_rdata(const text_ok_t *text_ok, const wire_ok_t *wire_ok,
+	    bool empty_ok, dns_rdataclass_t rdclass,
+	    dns_rdatatype_t type, size_t structsize)
+{
+	isc_result_t result;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	if (text_ok != NULL) {
+		check_text_ok(text_ok, rdclass, type, structsize);
+	}
+	if (wire_ok != NULL) {
+		check_wire_ok(wire_ok, empty_ok, rdclass, type, structsize);
+	}
+
+	dns_test_end();
+}
+
+/*****
+ ***** Individual unit tests
+ *****/
+
+/*
+ * CSYNC tests.
+ *
+ * RFC 7477:
+ *
+ * 2.1.  The CSYNC Resource Record Format
+ *
+ * 2.1.1.  The CSYNC Resource Record Wire Format
+ *
+ *    The CSYNC RDATA consists of the following fields:
+ *
+ *                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      |                          SOA Serial                           |
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      |       Flags                   |            Type Bit Map       /
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *      /                     Type Bit Map (continued)                  /
+ *      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 2.1.1.1.  The SOA Serial Field
+ *
+ *    The SOA Serial field contains a copy of the 32-bit SOA serial number
+ *    from the child zone.  If the soaminimum flag is set, parental agents
+ *    querying children's authoritative servers MUST NOT act on data from
+ *    zones advertising an SOA serial number less than this value.  See
+ *    [RFC1982] for properly implementing "less than" logic.  If the
+ *    soaminimum flag is not set, parental agents MUST ignore the value in
+ *    the SOA Serial field.  Clients can set the field to any value if the
+ *    soaminimum flag is unset, such as the number zero.
+ *
+ * (...)
+ *
+ * 2.1.1.2.  The Flags Field
+ *
+ *    The Flags field contains 16 bits of boolean flags that define
+ *    operations that affect the processing of the CSYNC record.  The flags
+ *    defined in this document are as follows:
+ *
+ *       0x00 0x01: "immediate"
+ *
+ *       0x00 0x02: "soaminimum"
+ *
+ *    The definitions for how the flags are to be used can be found in
+ *    Section 3.
+ *
+ *    The remaining flags are reserved for use by future specifications.
+ *    Undefined flags MUST be set to 0 by CSYNC publishers.  Parental
+ *    agents MUST NOT process a CSYNC record if it contains a 1 value for a
+ *    flag that is unknown to or unsupported by the parental agent.
+ *
+ * 2.1.1.2.1.  The Type Bit Map Field
+ *
+ *    The Type Bit Map field indicates the record types to be processed by
+ *    the parental agent, according to the procedures in Section 3.  The
+ *    Type Bit Map field is encoded in the same way as the Type Bit Map
+ *    field of the NSEC record, described in [RFC4034], Section 4.1.2.  If
+ *    a bit has been set that a parental agent implementation does not
+ *    understand, the parental agent MUST NOT act upon the record.
+ *    Specifically, a parental agent must not simply copy the data, and it
+ *    must understand the semantics associated with a bit in the Type Bit
+ *    Map field that has been set to 1.
+ */
+ATF_TC(csync);
+ATF_TC_HEAD(csync, tc) {
+	atf_tc_set_md_var(tc, "descr", "CSYNC RDATA manipulations");
+}
+ATF_TC_BODY(csync, tc) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""),
+		TEXT_INVALID("0"),
+		TEXT_VALID("0 0"),
+		TEXT_VALID("0 0 A"),
+		TEXT_VALID("0 0 NS"),
+		TEXT_VALID("0 0 AAAA"),
+		TEXT_VALID("0 0 A AAAA"),
+		TEXT_VALID("0 0 A NS AAAA"),
+		TEXT_INVALID("0 0 A NS AAAA BOGUS"),
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Short.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Serial + flags only.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Bad type map.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Bad type map.
+		 */
+		WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Good type map.
+		 */
+		WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+			   0x02),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(text_ok, wire_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_csync, sizeof(dns_rdata_csync_t));
+}
+
+/*
+ * DOA tests.
+ *
+ * draft-durand-doa-over-dns-03:
+ *
+ * 3.2.  DOA RDATA Wire Format
+ *
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     0: |                                                               |
+ *        |                        DOA-ENTERPRISE                         |
+ *        |                                                               |
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     4: |                                                               |
+ *        |                           DOA-TYPE                            |
+ *        |                                                               |
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *     8: |         DOA-LOCATION          |         DOA-MEDIA-TYPE        /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    10: /                                                               /
+ *        /                  DOA-MEDIA-TYPE (continued)                   /
+ *        /                                                               /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *        /                                                               /
+ *        /                           DOA-DATA                            /
+ *        /                                                               /
+ *        +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *
+ *    DOA-ENTERPRISE: a 32-bit unsigned integer in network order.
+ *
+ *    DOA-TYPE: a 32-bit unsigned integer in network order.
+ *
+ *    DOA-LOCATION: an 8-bit unsigned integer.
+ *
+ *    DOA-MEDIA-TYPE: A <character-string> (see [RFC1035]).  The first
+ *    octet of the <character-string> contains the number of characters to
+ *    follow.
+ *
+ *    DOA-DATA: A variable length blob of binary data.  The length of the
+ *    DOA-DATA is not contained within the wire format of the RR and has to
+ *    be computed from the RDLENGTH of the entire RR once other fields have
+ *    been taken into account.
+ *
+ * 3.3.  DOA RDATA Presentation Format
+ *
+ *    The DOA-ENTERPRISE field is presented as an unsigned 32-bit decimal
+ *    integer with range 0 - 4,294,967,295.
+ *
+ *    The DOA-TYPE field is presented as an unsigned 32-bit decimal integer
+ *    with range 0 - 4,294,967,295.
+ *
+ *    The DOA-LOCATION field is presented as an unsigned 8-bit decimal
+ *    integer with range 0 - 255.
+ *
+ *    The DOA-MEDIA-TYPE field is presented as a single <character-string>.
+ *
+ *    The DOA-DATA is presented as Base64 encoded data [RFC4648] unless the
+ *    DOA-DATA is empty in which case it is presented as a single dash
+ *    character ("-", ASCII 45).  White space is permitted within Base64
+ *    data.
+ */
+ATF_TC(doa);
+ATF_TC_HEAD(doa, tc) {
+	atf_tc_set_md_var(tc, "descr", "DOA RDATA manipulations");
+}
+ATF_TC_BODY(doa, tc) {
+	text_ok_t text_ok[] = {
+		/*
+		 * Valid, non-empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"text/plain\" Zm9v"),
+		/*
+		 * Valid, non-empty DOA-DATA with whitespace in between.
+		 */
+		TEXT_VALID_CHANGED("0 0 1 \"text/plain\" Zm 9v",
+				   "0 0 1 \"text/plain\" Zm9v"),
+		/*
+		 * Valid, unquoted DOA-MEDIA-TYPE, non-empty DOA-DATA.
+		 */
+		TEXT_VALID_CHANGED("0 0 1 text/plain Zm9v",
+				   "0 0 1 \"text/plain\" Zm9v"),
+		/*
+		 * Invalid, quoted non-empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\" \"Zm9v\""),
+		/*
+		 * Valid, empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"text/plain\" -"),
+		/*
+		 * Invalid, quoted empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\" \"-\""),
+		/*
+		 * Invalid, missing "-" in empty DOA-DATA.
+		 */
+		TEXT_INVALID("0 0 1 \"text/plain\""),
+		/*
+		 * Valid, undefined DOA-LOCATION.
+		 */
+		TEXT_VALID("0 0 100 \"text/plain\" Zm9v"),
+		/*
+		 * Invalid, DOA-LOCATION too big.
+		 */
+		TEXT_INVALID("0 0 256 \"text/plain\" ZM9v"),
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, non-empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 2 \"\" aHR0cHM6Ly93d3cuaXNjLm9yZy8="),
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, empty DOA-DATA.
+		 */
+		TEXT_VALID("0 0 1 \"\" -"),
+		/*
+		 * Valid, DOA-MEDIA-TYPE with a space.
+		 */
+		TEXT_VALID("0 0 1 \"plain text\" Zm9v"),
+		/*
+		 * Invalid, missing DOA-MEDIA-TYPE.
+		 */
+		TEXT_INVALID("1234567890 1234567890 1"),
+		/*
+		 * Valid, DOA-DATA over 255 octets.
+		 */
+		TEXT_VALID("1234567890 1234567890 1 \"image/gif\" "
+			   "R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM"
+			   "/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAA"
+			   "AAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c"
+			   "3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS"
+			   "1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeF"
+			   "AgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9"
+			   "pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1"
+			   "SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7"),
+		/*
+		 * Invalid, bad Base64 in DOA-DATA.
+		 */
+		TEXT_INVALID("1234567890 1234567890 1 \"image/gif\" R0lGODl"),
+		/*
+		 * Sentinel.
+		 */
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Valid, empty DOA-MEDIA-TYPE, empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			   0x01, 0x00),
+		/*
+		 * Invalid, missing DOA-MEDIA-TYPE.
+		 */
+		WIRE_INVALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			     0x01),
+		/*
+		 * Invalid, malformed DOA-MEDIA-TYPE length.
+		 */
+		WIRE_INVALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			     0x01, 0xff),
+		/*
+		 * Valid, empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			   0x01, 0x03, 0x66, 0x6f, 0x6f),
+		/*
+		 * Valid, non-empty DOA-DATA.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			   0x01, 0x03, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72),
+		/*
+		 * Valid, DOA-DATA over 255 octets.
+		 */
+		WIRE_VALID(0x12, 0x34, 0x56, 0x78, 0x12, 0x34, 0x56, 0x78,
+			   0x01, 0x06, 0x62, 0x69, 0x6e, 0x61, 0x72, 0x79,
+			   0x00, 0x66, 0x99, 0xff, 0xff, 0xff, 0x33, 0x99,
+			   0xcc, 0xcc, 0xff, 0xff, 0x99, 0xcc, 0xff, 0x33,
+			   0x66, 0x99, 0x66, 0xcc, 0xff, 0x99, 0xcc, 0xcc,
+			   0xcc, 0xcc, 0xcc, 0x00, 0x99, 0xff, 0xff, 0xff,
+			   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+			   0xff, 0xff, 0xff, 0xff, 0xff, 0x21, 0xf9, 0x04,
+			   0x01, 0x0a, 0x00, 0x0f, 0x00, 0x2c, 0x00, 0x00,
+			   0x00, 0x00, 0x28, 0x00, 0x19, 0x00, 0x00, 0x04,
+			   0xc7, 0xf0, 0x81, 0x49, 0x2b, 0x95, 0x36, 0x6b,
+			   0x8d, 0xf7, 0xec, 0x5e, 0x68, 0x81, 0x19, 0x29,
+			   0x9e, 0x80, 0x89, 0xae, 0x5c, 0xbb, 0x3e, 0xb0,
+			   0x8a, 0xca, 0x1f, 0x1c, 0xdc, 0x78, 0x00, 0x87,
+			   0x34, 0xf7, 0xe4, 0xc0, 0xdb, 0x6e, 0xd3, 0xbb,
+			   0xfc, 0x82, 0x48, 0x1d, 0xb1, 0xa2, 0x3a, 0x26,
+			   0x93, 0xc5, 0x54, 0xe9, 0x49, 0x55, 0x96, 0x2e,
+			   0xa3, 0x6a, 0xd5, 0x45, 0x72, 0x6a, 0x93, 0x52,
+			   0xd7, 0x07, 0x77, 0x38, 0x0c, 0x6e, 0x83, 0x42,
+			   0xe1, 0x9c, 0x2b, 0x9b, 0x71, 0x58, 0x6c, 0xc7,
+			   0x2b, 0x10, 0x9c, 0xeb, 0x78, 0x01, 0x3a, 0x6f,
+			   0xbf, 0x31, 0xe5, 0x17, 0x39, 0x75, 0x03, 0x03,
+			   0x83, 0x85, 0x67, 0x85, 0x02, 0x04, 0x69, 0x7a,
+			   0x7e, 0x7f, 0x52, 0x18, 0x5e, 0x01, 0x83, 0x05,
+			   0x75, 0x40, 0x78, 0x48, 0x57, 0x29, 0x18, 0x41,
+			   0x86, 0x75, 0x07, 0x82, 0x02, 0xa0, 0x41, 0x2d,
+			   0x3b, 0x92, 0x93, 0x7d, 0x04, 0x79, 0x77, 0x7d,
+			   0xa4, 0x4b, 0x00, 0x6c, 0xa1, 0xb1, 0x8c, 0x7a,
+			   0x83, 0x48, 0x4d, 0x12, 0xa7, 0xa8, 0xb1, 0x37,
+			   0x83, 0x75, 0x04, 0x99, 0x9b, 0x73, 0xb9, 0x48,
+			   0x86, 0x6b, 0x01, 0x89, 0xc8, 0x75, 0x6b, 0x03,
+			   0xc0, 0x8e, 0x46, 0x35, 0x49, 0x94, 0x7c, 0x6c,
+			   0x95, 0xab, 0xcf, 0x7f, 0x36, 0x48, 0x6a, 0x88,
+			   0x05, 0x04, 0x05, 0x41, 0xde, 0x08, 0xb1, 0x44,
+			   0xda, 0x5f, 0xe7, 0x1e, 0xba, 0xe7, 0x4f, 0x11,
+			   0x00, 0x3b),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(text_ok, wire_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_doa, sizeof(dns_rdata_doa_t));
+}
+
+/*
+ * EDNS Client Subnet tests.
+ *
+ * RFC 7871:
+ *
+ * 6.  Option Format
+ *
+ *    This protocol uses an EDNS0 [RFC6891] option to include client
+ *    address information in DNS messages.  The option is structured as
+ *    follows:
+ *
+ *                 +0 (MSB)                            +1 (LSB)
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    0: |                          OPTION-CODE                          |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    2: |                         OPTION-LENGTH                         |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    4: |                            FAMILY                             |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    6: |     SOURCE PREFIX-LENGTH      |     SCOPE PREFIX-LENGTH       |
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *    8: |                           ADDRESS...                          /
+ *       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ *
+ *    o  (Defined in [RFC6891]) OPTION-CODE, 2 octets, for ECS is 8 (0x00
+ *       0x08).
+ *
+ *    o  (Defined in [RFC6891]) OPTION-LENGTH, 2 octets, contains the
+ *       length of the payload (everything after OPTION-LENGTH) in octets.
+ *
+ *    o  FAMILY, 2 octets, indicates the family of the address contained in
+ *       the option, using address family codes as assigned by IANA in
+ *       Address Family Numbers [Address_Family_Numbers].
+ *
+ *    The format of the address part depends on the value of FAMILY.  This
+ *    document only defines the format for FAMILY 1 (IPv4) and FAMILY 2
+ *    (IPv6), which are as follows:
+ *
+ *    o  SOURCE PREFIX-LENGTH, an unsigned octet representing the leftmost
+ *       number of significant bits of ADDRESS to be used for the lookup.
+ *       In responses, it mirrors the same value as in the queries.
+ *
+ *    o  SCOPE PREFIX-LENGTH, an unsigned octet representing the leftmost
+ *       number of significant bits of ADDRESS that the response covers.
+ *       In queries, it MUST be set to 0.
+ *
+ *    o  ADDRESS, variable number of octets, contains either an IPv4 or
+ *       IPv6 address, depending on FAMILY, which MUST be truncated to the
+ *       number of bits indicated by the SOURCE PREFIX-LENGTH field,
+ *       padding with 0 bits to pad to the end of the last octet needed.
+ *
+ *    o  A server receiving an ECS option that uses either too few or too
+ *       many ADDRESS octets, or that has non-zero ADDRESS bits set beyond
+ *       SOURCE PREFIX-LENGTH, SHOULD return FORMERR to reject the packet,
+ *       as a signal to the software developer making the request to fix
+ *       their implementation.
+ *
+ *    All fields are in network byte order ("big-endian", per [RFC1700],
+ *    Data Notation).
+ */
+ATF_TC(edns_client_subnet);
+ATF_TC_HEAD(edns_client_subnet, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "OPT RDATA with EDNS Client Subnet manipulations");
+}
+ATF_TC_BODY(edns_client_subnet, tc) {
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Option code with no content.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 0x00),
+		/*
+		 * Option code family 0, source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04,
+			   0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Option code family 1 (IPv4), source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04,
+			   0x00, 0x01, 0x00, 0x00),
+		/*
+		 * Option code family 2 (IPv6) , source 0, scope 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x04,
+			   0x00, 0x02, 0x00, 0x00),
+		/*
+		 * Extra octet.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 0x05,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00),
+		/*
+		 * Source too long for IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,    8,
+			     0x00, 0x01,   33, 0x00,
+			     0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Source too long for IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,   20,
+			     0x00, 0x02,  129, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Scope too long for IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,    8,
+			     0x00, 0x01, 0x00,   33,
+			     0x00, 0x00, 0x00, 0x00),
+		/*
+		 * Scope too long for IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,   20,
+			     0x00, 0x02, 0x00,  129,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00,    4,
+			   0x00, 0x00, 0x00, 0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,    5,
+			     0x00, 0x00, 0x01, 0x00,
+			     0x00),
+		/*
+		 * When family=0, source and scope should be 0.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,    5,
+			     0x00, 0x00, 0x00, 0x01,
+			     0x00),
+		/*
+		 * Length too short for source IPv4.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,    7,
+			     0x00, 0x01,   32, 0x00,
+			     0x00, 0x00, 0x00),
+		/*
+		 * Length too short for source IPv6.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00,   19,
+			     0x00, 0x02,  128, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00, 0x00,
+			     0x00, 0x00, 0x00),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(NULL, wire_ok, true, dns_rdataclass_in,
+		    dns_rdatatype_opt, sizeof(dns_rdata_opt_t));
+}
+
+/*
+ * Successful load test.
+ */
+ATF_TC(hip);
+ATF_TC_HEAD(hip, tc) {
+	atf_tc_set_md_var(tc, "descr", "that a oversized HIP record will "
+				       "be rejected");
+}
+ATF_TC_BODY(hip, tc) {
+	unsigned char hipwire[DNS_RDATA_MAXLENGTH] = {
+				    0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
+				    0x04, 0x41, 0x42, 0x43, 0x44, 0x00 };
+	unsigned char buf[1024*1024];
+	isc_buffer_t source, target;
+	dns_rdata_t rdata;
+	dns_decompress_t dctx;
+	isc_result_t result;
+	size_t i;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Fill the rest of input buffer with compression pointers.
+	 */
+	for (i = 12; i < sizeof(hipwire) - 2; i += 2) {
+		hipwire[i] = 0xc0;
+		hipwire[i+1] = 0x06;
+	}
+
+	isc_buffer_init(&source, hipwire, sizeof(hipwire));
+	isc_buffer_add(&source, sizeof(hipwire));
+	isc_buffer_setactive(&source, i);
+	isc_buffer_init(&target, buf, sizeof(buf));
+	dns_rdata_init(&rdata);
+	dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+	result = dns_rdata_fromwire(&rdata, dns_rdataclass_in,
+				    dns_rdatatype_hip, &source, &dctx,
+				    0, &target);
+	dns_decompress_invalidate(&dctx);
+	ATF_REQUIRE_EQ(result, DNS_R_FORMERR);
+
+	dns_test_end();
+}
+
+/*
+ * ISDN tests.
+ *
+ * RFC 1183:
+ *
+ * 3.2. The ISDN RR
+ *
+ *    The ISDN RR is defined with mnemonic ISDN and type code 20 (decimal).
+ *
+ *    An ISDN (Integrated Service Digital Network) number is simply a
+ *    telephone number.  The intent of the members of the CCITT is to
+ *    upgrade all telephone and data network service to a common service.
+ *
+ *    The numbering plan (E.163/E.164) is the same as the familiar
+ *    international plan for POTS (an un-official acronym, meaning Plain
+ *    Old Telephone Service).  In E.166, CCITT says "An E.163/E.164
+ *    telephony subscriber may become an ISDN subscriber without a number
+ *    change."
+ *
+ *    ISDN has the following format:
+ *
+ *    <owner> <ttl> <class> ISDN <ISDN-address> <sa>
+ *
+ *    The <ISDN-address> field is required; <sa> is optional.
+ *
+ *    <ISDN-address> identifies the ISDN number of <owner> and DDI (Direct
+ *    Dial In) if any, as defined by E.164 [8] and E.163 [7], the ISDN and
+ *    PSTN (Public Switched Telephone Network) numbering plan.  E.163
+ *    defines the country codes, and E.164 the form of the addresses.  Its
+ *    format in master files is a <character-string> syntactically
+ *    identical to that used in TXT and HINFO.
+ *
+ *    <sa> specifies the subaddress (SA).  The format of <sa> in master
+ *    files is a <character-string> syntactically identical to that used in
+ *    TXT and HINFO.
+ *
+ *    The format of ISDN is class insensitive.  ISDN RRs cause no
+ *    additional section processing.
+ *
+ *    The <ISDN-address> is a string of characters, normally decimal
+ *    digits, beginning with the E.163 country code and ending with the DDI
+ *    if any.  Note that ISDN, in Q.931, permits any IA5 character in the
+ *    general case.
+ *
+ *    The <sa> is a string of hexadecimal digits.  For digits 0-9, the
+ *    concrete encoding in the Q.931 call setup information element is
+ *    identical to BCD.
+ *
+ *    For example:
+ *
+ *    Relay.Prime.COM.   IN   ISDN      150862028003217
+ *    sh.Prime.COM.      IN   ISDN      150862028003217 004
+ *
+ *    (Note: "1" is the country code for the North American Integrated
+ *    Numbering Area, i.e., the system of "area codes" familiar to people
+ *    in those countries.)
+ *
+ *    The RR data is the ASCII representation of the digits.  It is encoded
+ *    as one or two <character-string>s, i.e., count followed by
+ *    characters.
+ */
+ATF_TC(isdn);
+ATF_TC_HEAD(isdn, tc) {
+	atf_tc_set_md_var(tc, "descr", "ISDN RDATA manipulations");
+}
+ATF_TC_BODY(isdn, tc) {
+	wire_ok_t wire_ok[] = {
+		/*
+		 * "".
+		 */
+		WIRE_VALID(0x00),
+		/*
+		 * "\001".
+		 */
+		WIRE_VALID(0x01, 0x01),
+		/*
+		 * "\001" "".
+		 */
+		WIRE_VALID(0x01, 0x01, 0x00),
+		/*
+		 * "\001" "\001".
+		 */
+		WIRE_VALID(0x01, 0x01, 0x01, 0x01),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(NULL, wire_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_isdn, sizeof(dns_rdata_isdn_t));
+}
+
+/*
+ * NSEC tests.
+ *
+ * RFC 4034:
+ *
+ * 4.1.  NSEC RDATA Wire Format
+ *
+ *   The RDATA of the NSEC RR is as shown below:
+ *
+ *                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    /                      Next Domain Name                         /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *    /                       Type Bit Maps                           /
+ *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ * 4.1.1.  The Next Domain Name Field
+ *
+ *    The Next Domain field contains the next owner name (in the canonical
+ *    ordering of the zone) that has authoritative data or contains a
+ *    delegation point NS RRset; see Section 6.1 for an explanation of
+ *    canonical ordering.  The value of the Next Domain Name field in the
+ *    last NSEC record in the zone is the name of the zone apex (the owner
+ *    name of the zone's SOA RR).  This indicates that the owner name of
+ *    the NSEC RR is the last name in the canonical ordering of the zone.
+ *
+ *    A sender MUST NOT use DNS name compression on the Next Domain Name
+ *    field when transmitting an NSEC RR.
+ *
+ *    Owner names of RRsets for which the given zone is not authoritative
+ *    (such as glue records) MUST NOT be listed in the Next Domain Name
+ *    unless at least one authoritative RRset exists at the same owner
+ *    name.
+ *
+ * 4.1.2.  The Type Bit Maps Field
+ *
+ *    The Type Bit Maps field identifies the RRset types that exist at the
+ *    NSEC RR's owner name.
+ *
+ *    The RR type space is split into 256 window blocks, each representing
+ *    the low-order 8 bits of the 16-bit RR type space.  Each block that
+ *    has at least one active RR type is encoded using a single octet
+ *    window number (from 0 to 255), a single octet bitmap length (from 1
+ *    to 32) indicating the number of octets used for the window block's
+ *    bitmap, and up to 32 octets (256 bits) of bitmap.
+ *
+ *    Blocks are present in the NSEC RR RDATA in increasing numerical
+ *    order.
+ *
+ *       Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+ *
+ *       where "|" denotes concatenation.
+ *
+ *    Each bitmap encodes the low-order 8 bits of RR types within the
+ *    window block, in network bit order.  The first bit is bit 0.  For
+ *    window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ *    to RR type 2 (NS), and so forth.  For window block 1, bit 1
+ *    corresponds to RR type 257, and bit 2 to RR type 258.  If a bit is
+ *    set, it indicates that an RRset of that type is present for the NSEC
+ *    RR's owner name.  If a bit is clear, it indicates that no RRset of
+ *    that type is present for the NSEC RR's owner name.
+ *
+ *    Bits representing pseudo-types MUST be clear, as they do not appear
+ *    in zone data.  If encountered, they MUST be ignored upon being read.
+ */
+ATF_TC(nsec);
+ATF_TC_HEAD(nsec, tc) {
+	atf_tc_set_md_var(tc, "descr", "NSEC RDATA manipulations");
+}
+ATF_TC_BODY(nsec, tc) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""),
+		TEXT_INVALID("."),
+		TEXT_VALID(". RRSIG"),
+		TEXT_SENTINEL()
+	};
+	wire_ok_t wire_ok[] = {
+		WIRE_INVALID(0x00),
+		WIRE_INVALID(0x00, 0x00),
+		WIRE_INVALID(0x00, 0x00, 0x00),
+		WIRE_VALID(0x00, 0x00, 0x01, 0x02),
+		WIRE_INVALID()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(text_ok, wire_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_nsec, sizeof(dns_rdata_nsec_t));
+}
+
+/*
+ * NSEC3 tests.
+ *
+ * RFC 5155.
+ */
+ATF_TC(nsec3);
+ATF_TC_HEAD(nsec3, tc) {
+	atf_tc_set_md_var(tc, "descr", "NSEC3 RDATA manipulations");
+}
+ATF_TC_BODY(nsec3, tc) {
+	text_ok_t text_ok[] = {
+		TEXT_INVALID(""),
+		TEXT_INVALID("."),
+		TEXT_INVALID(". RRSIG"),
+		TEXT_INVALID("1 0 10 76931F"),
+		TEXT_INVALID("1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS"),
+		TEXT_INVALID("1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS A RRSIG"),
+		TEXT_VALID("1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM A RRSIG"),
+		TEXT_VALID("1 0 10 76931F AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+		TEXT_VALID("1 0 10 - AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+		TEXT_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(text_ok, NULL, false, dns_rdataclass_in,
+		    dns_rdatatype_nsec3, sizeof(dns_rdata_nsec3_t));
+}
+
+/*
+ * WKS tests.
+ *
+ * RFC 1035:
+ *
+ * 3.4.2. WKS RDATA format
+ *
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *     |                    ADDRESS                    |
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *     |       PROTOCOL        |                       |
+ *     +--+--+--+--+--+--+--+--+                       |
+ *     |                                               |
+ *     /                   <BIT MAP>                   /
+ *     /                                               /
+ *     +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ *
+ * where:
+ *
+ * ADDRESS         An 32 bit Internet address
+ *
+ * PROTOCOL        An 8 bit IP protocol number
+ *
+ * <BIT MAP>       A variable length bit map.  The bit map must be a
+ *                 multiple of 8 bits long.
+ *
+ * The WKS record is used to describe the well known services supported by
+ * a particular protocol on a particular internet address.  The PROTOCOL
+ * field specifies an IP protocol number, and the bit map has one bit per
+ * port of the specified protocol.  The first bit corresponds to port 0,
+ * the second to port 1, etc.  If the bit map does not include a bit for a
+ * protocol of interest, that bit is assumed zero.  The appropriate values
+ * and mnemonics for ports and protocols are specified in [RFC-1010].
+ *
+ * For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+ * 25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+ * port 25; if zero, SMTP service is not supported on the specified
+ * address.
+ */
+ATF_TC(wks);
+ATF_TC_HEAD(wks, tc) {
+	atf_tc_set_md_var(tc, "descr", "WKS RDATA manipulations");
+}
+ATF_TC_BODY(wks, tc) {
+	wire_ok_t wire_ok[] = {
+		/*
+		 * Too short.
+		 */
+		WIRE_INVALID(0x00, 0x08, 0x00, 0x00),
+		/*
+		 * Minimal TCP.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x00, 6),
+		/*
+		 * Minimal UDP.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x00, 17),
+		/*
+		 * Minimal other.
+		 */
+		WIRE_VALID(0x00, 0x08, 0x00, 0x00, 1),
+		/*
+		 * Sentinel.
+		 */
+		WIRE_SENTINEL()
+	};
+
+	UNUSED(tc);
+
+	check_rdata(NULL, wire_ok, false, dns_rdataclass_in,
+		    dns_rdatatype_wks, sizeof(dns_rdata_in_wks_t));
+}
+
+/*****
+ ***** Main
+ *****/
+
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, csync);
+	ATF_TP_ADD_TC(tp, doa);
+	ATF_TP_ADD_TC(tp, edns_client_subnet);
+	ATF_TP_ADD_TC(tp, hip);
+	ATF_TP_ADD_TC(tp, isdn);
+	ATF_TP_ADD_TC(tp, nsec);
+	ATF_TP_ADD_TC(tp, nsec3);
+	ATF_TP_ADD_TC(tp, wks);
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/rdataset_test.c b/lib/dns/tests/rdataset_test.c
new file mode 100644
index 0000000..b055846
--- /dev/null
+++ b/lib/dns/tests/rdataset_test.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#include "dnstest.h"
+
+
+/*
+ * Individual unit tests
+ */
+
+/* Successful load test */
+ATF_TC(trimttl);
+ATF_TC_HEAD(trimttl, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
+				       "valid master file and returns success");
+}
+ATF_TC_BODY(trimttl, tc) {
+	isc_result_t result;
+	dns_rdataset_t rdataset, sigrdataset;
+	dns_rdata_rrsig_t rrsig;
+	isc_stdtime_t ttltimenow, ttltimeexpire;
+
+	ttltimenow = 10000000;
+	ttltimeexpire = ttltimenow + 800;
+
+	UNUSED(tc);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&sigrdataset);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimeexpire;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     true);
+	ATF_REQUIRE_EQ(rdataset.ttl, 800);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     true);
+	ATF_REQUIRE_EQ(rdataset.ttl, 120);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
+
+	rdataset.ttl = 900;
+	sigrdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     false);
+	ATF_REQUIRE_EQ(rdataset.ttl, 0);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimeexpire;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     true);
+	ATF_REQUIRE_EQ(rdataset.ttl, 800);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 800);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     true);
+	ATF_REQUIRE_EQ(rdataset.ttl, 120);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 120);
+
+	sigrdataset.ttl = 900;
+	rdataset.ttl = 1000;
+	rrsig.timeexpire = ttltimenow - 200;
+	rrsig.originalttl = 1000;
+
+	dns_rdataset_trimttl(&rdataset, &sigrdataset, &rrsig, ttltimenow,
+			     false);
+	ATF_REQUIRE_EQ(rdataset.ttl, 0);
+	ATF_REQUIRE_EQ(sigrdataset.ttl, 0);
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, trimttl);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/rdatasetstats_test.c b/lib/dns/tests/rdatasetstats_test.c
new file mode 100644
index 0000000..0c2d5c5
--- /dev/null
+++ b/lib/dns/tests/rdatasetstats_test.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/print.h>
+
+#include <dns/stats.h>
+
+#include "dnstest.h"
+
+/*
+ * Helper functions
+ */
+static void
+set_typestats(dns_stats_t *stats, dns_rdatatype_t type,
+	      bool stale)
+{
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = 0;
+	if (stale) attributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+	if (stale) attributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+	which = DNS_RDATASTATSTYPE_VALUE(type, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+static void
+set_nxdomainstats(dns_stats_t *stats, bool stale) {
+	dns_rdatastatstype_t which;
+	unsigned int attributes;
+
+	attributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+	if (stale) attributes |= DNS_RDATASTATSTYPE_ATTR_STALE;
+	which = DNS_RDATASTATSTYPE_VALUE(0, attributes);
+	dns_rdatasetstats_increment(stats, which);
+}
+
+#define ATTRIBUTE_SET(y) ((attributes & (y)) != 0)
+static void
+checkit1(dns_rdatastatstype_t which, uint64_t value, void *arg) {
+	unsigned int attributes;
+#if debug
+	unsigned int type;
+#endif
+
+	UNUSED(which);
+	UNUSED(arg);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR(which);
+#if debug
+	type = DNS_RDATASTATSTYPE_BASE(which);
+
+	fprintf(stderr, "%s%s%s%s/%u, %u\n",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) ? "O" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXRRSET) ? "!" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_STALE) ? "#" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) ? "X" : " ",
+		type, (unsigned)value);
+#endif
+	if ((attributes & DNS_RDATASTATSTYPE_ATTR_STALE) == 0)
+		ATF_REQUIRE_EQ(value, 1);
+	else
+		ATF_REQUIRE_EQ(value, 0);
+}
+
+static void
+checkit2(dns_rdatastatstype_t which, uint64_t value, void *arg) {
+	unsigned int attributes;
+#if debug
+	unsigned int type;
+#endif
+
+	UNUSED(which);
+	UNUSED(arg);
+
+	attributes = DNS_RDATASTATSTYPE_ATTR(which);
+#if debug
+	type = DNS_RDATASTATSTYPE_BASE(which);
+
+	fprintf(stderr, "%s%s%s%s/%u, %u\n",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) ? "O" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXRRSET) ? "!" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_STALE) ? "#" : " ",
+		ATTRIBUTE_SET(DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) ? "X" : " ",
+		type, (unsigned)value);
+#endif
+	if ((attributes & DNS_RDATASTATSTYPE_ATTR_STALE) == 0)
+		ATF_REQUIRE_EQ(value, 0);
+	else
+		ATF_REQUIRE_EQ(value, 1);
+}
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(rdatasetstats);
+ATF_TC_HEAD(rdatasetstats, tc) {
+	atf_tc_set_md_var(tc, "descr", "test that rdatasetstats counters are properly set");
+}
+ATF_TC_BODY(rdatasetstats, tc) {
+	unsigned int i;
+	dns_stats_t *stats = NULL;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_rdatasetstats_create(mctx, &stats);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* First 256 types. */
+	for (i = 0; i <= 255; i++)
+		set_typestats(stats, (dns_rdatatype_t)i, false);
+	/* Specials */
+	set_typestats(stats, dns_rdatatype_dlv, false);
+	set_typestats(stats, (dns_rdatatype_t)1000, false);
+	set_nxdomainstats(stats, false);
+
+	/*
+	 * Check that all counters are set to appropriately.
+	 */
+	dns_rdatasetstats_dump(stats, checkit1, NULL, 1);
+
+	/* First 256 types. */
+	for (i = 0; i <= 255; i++)
+		set_typestats(stats, (dns_rdatatype_t)i, true);
+	/* Specials */
+	set_typestats(stats, dns_rdatatype_dlv, true);
+	set_typestats(stats, (dns_rdatatype_t)1000, true);
+	set_nxdomainstats(stats, true);
+
+	/*
+	 * Check that all counters are set to appropriately.
+	 */
+	dns_rdatasetstats_dump(stats, checkit2, NULL, 1);
+
+	dns_stats_detach(&stats);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, rdatasetstats);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/resolver_test.c b/lib/dns/tests/resolver_test.c
new file mode 100644
index 0000000..518622d
--- /dev/null
+++ b/lib/dns/tests/resolver_test.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/dispatch.h>
+#include <dns/name.h>
+#include <dns/resolver.h>
+#include <dns/view.h>
+
+#include "dnstest.h"
+
+static dns_dispatchmgr_t *dispatchmgr = NULL;
+static dns_dispatch_t *dispatch = NULL;
+static dns_view_t *view = NULL;
+
+
+static void
+setup(void) {
+	isc_result_t result;
+	isc_sockaddr_t local;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_dispatchmgr_create(mctx, NULL, &dispatchmgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makeview("view", &view);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_sockaddr_any(&local);
+	result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr, &local,
+				     4096, 100, 100, 100, 500, 0, 0,
+				     &dispatch);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+}
+
+static void
+teardown(void) {
+	dns_dispatch_detach(&dispatch);
+	dns_view_detach(&view);
+	dns_dispatchmgr_destroy(&dispatchmgr);
+	dns_test_end();
+}
+
+
+static void
+mkres(dns_resolver_t **resolverp) {
+	isc_result_t result;
+
+	result = dns_resolver_create(view, taskmgr, 1, 1,
+			    socketmgr, timermgr, 0,
+			    dispatchmgr, dispatch, NULL, resolverp);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+}
+
+static void
+destroy_resolver(dns_resolver_t **resolverp) {
+	dns_resolver_shutdown(*resolverp);
+	dns_resolver_detach(resolverp);
+}
+
+ATF_TC(create);
+ATF_TC_HEAD(create, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_resolver_create");
+}
+ATF_TC_BODY(create, tc) {
+	dns_resolver_t *resolver = NULL;
+
+	UNUSED(tc);
+
+	setup();
+	mkres(&resolver);
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+ATF_TC(gettimeout);
+ATF_TC_HEAD(gettimeout, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_resolver_gettimeout");
+}
+ATF_TC_BODY(gettimeout, tc) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int timeout;
+
+	UNUSED(tc);
+
+	setup();
+	mkres(&resolver);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK(timeout > 0);
+
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+ATF_TC(settimeout);
+ATF_TC_HEAD(settimeout, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_resolver_settimeout");
+}
+ATF_TC_BODY(settimeout, tc) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(tc);
+
+	setup();
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, default_timeout + 1);
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK(timeout == default_timeout + 1);
+
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+ATF_TC(settimeout_default);
+ATF_TC_HEAD(settimeout_default, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_resolver_settimeout to default");
+}
+ATF_TC_BODY(settimeout_default, tc) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(tc);
+
+	setup();
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, default_timeout + 10);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK_EQ(timeout, default_timeout + 10);
+
+	dns_resolver_settimeout(resolver, 0);
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK_EQ(timeout, default_timeout);
+
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+ATF_TC(settimeout_belowmin);
+ATF_TC_HEAD(settimeout_belowmin, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "dns_resolver_settimeout below minimum");
+}
+ATF_TC_BODY(settimeout_belowmin, tc) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int default_timeout, timeout;
+
+	UNUSED(tc);
+
+	setup();
+
+	mkres(&resolver);
+
+	default_timeout = dns_resolver_gettimeout(resolver);
+	dns_resolver_settimeout(resolver, 9);
+
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK_EQ(timeout, default_timeout);
+
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+ATF_TC(settimeout_overmax);
+ATF_TC_HEAD(settimeout_overmax, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_resolver_settimeout over maximum");
+}
+ATF_TC_BODY(settimeout_overmax, tc) {
+	dns_resolver_t *resolver = NULL;
+	unsigned int timeout;
+
+	UNUSED(tc);
+
+	setup();
+
+	mkres(&resolver);
+
+	dns_resolver_settimeout(resolver, 4000000);
+	timeout = dns_resolver_gettimeout(resolver);
+	ATF_CHECK(timeout < 4000000 && timeout > 0);
+
+	destroy_resolver(&resolver);
+	teardown();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, create);
+	ATF_TP_ADD_TC(tp, gettimeout);
+	ATF_TP_ADD_TC(tp, settimeout);
+	ATF_TP_ADD_TC(tp, settimeout_default);
+	ATF_TP_ADD_TC(tp, settimeout_belowmin);
+	ATF_TP_ADD_TC(tp, settimeout_overmax);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/rsa_test.c b/lib/dns/tests/rsa_test.c
new file mode 100644
index 0000000..fb207ef
--- /dev/null
+++ b/lib/dns/tests/rsa_test.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/util.h>
+#include <isc/print.h>
+
+#include <pk11/site.h>
+
+#include "dnstest.h"
+
+#include "../dst_internal.h"
+
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+
+static unsigned char d[10] = {
+	0xa, 0x10, 0xbb, 0, 0xfe, 0x15, 0x1, 0x88, 0xcc, 0x7d
+};
+
+static unsigned char sigsha1[256] = {
+	0x45, 0x55, 0xd6, 0xf8, 0x05, 0xd2, 0x2e, 0x79,
+	0x14, 0x2b, 0x1b, 0xd1, 0x4b, 0xb7, 0xcd, 0xc0,
+	0xa2, 0xf3, 0x85, 0x32, 0x1f, 0xa3, 0xfd, 0x1f,
+	0x30, 0xe0, 0xde, 0xb2, 0x6f, 0x3c, 0x8e, 0x2b,
+	0x82, 0x92, 0xcd, 0x1c, 0x1b, 0xdf, 0xe6, 0xd5,
+	0x4d, 0x93, 0xe6, 0xaa, 0x40, 0x28, 0x1b, 0x7b,
+	0x2e, 0x40, 0x4d, 0xb5, 0x4d, 0x43, 0xe8, 0xfc,
+	0x93, 0x86, 0x68, 0xe3, 0xbf, 0x73, 0x9a, 0x1e,
+	0x6b, 0x5d, 0x52, 0xb8, 0x98, 0x1c, 0x94, 0xe1,
+	0x85, 0x8b, 0xee, 0xb1, 0x4f, 0x22, 0x71, 0xcb,
+	0xfd, 0xb2, 0xa8, 0x88, 0x64, 0xb4, 0xb1, 0x4a,
+	0xa1, 0x7a, 0xce, 0x52, 0x83, 0xd8, 0xf2, 0x9e,
+	0x67, 0x4c, 0xc3, 0x37, 0x74, 0xfe, 0xe0, 0x25,
+	0x2a, 0xfd, 0xa3, 0x09, 0xff, 0x8a, 0x92, 0x0d,
+	0xa9, 0xb3, 0x90, 0x23, 0xbe, 0x6a, 0x2c, 0x9e,
+	0x5c, 0x6d, 0xb4, 0xa7, 0xd7, 0x97, 0xdd, 0xc6,
+	0xb8, 0xae, 0xd4, 0x88, 0x64, 0x63, 0x1e, 0x85,
+	0x20, 0x09, 0xea, 0xc4, 0x0b, 0xca, 0xbf, 0x83,
+	0x5c, 0x89, 0xae, 0x64, 0x15, 0x76, 0x06, 0x51,
+	0xb6, 0xa1, 0x99, 0xb2, 0x3c, 0x50, 0x99, 0x86,
+	0x7d, 0xc7, 0xca, 0x4e, 0x1d, 0x2c, 0x17, 0xbb,
+	0x6c, 0x7a, 0xc9, 0x3f, 0x5e, 0x28, 0x57, 0x2c,
+	0xda, 0x01, 0x1d, 0xe8, 0x01, 0xf8, 0xf6, 0x37,
+	0xe1, 0x34, 0x56, 0xae, 0x6e, 0xb1, 0xd4, 0xa2,
+	0xc4, 0x02, 0xc1, 0xca, 0x96, 0xb0, 0x06, 0x72,
+	0x2a, 0x27, 0xaa, 0xc8, 0xd5, 0x50, 0x81, 0x49,
+	0x46, 0x33, 0xf8, 0xf7, 0x6b, 0xf4, 0x9c, 0x30,
+	0x90, 0x50, 0xf6, 0x16, 0x76, 0x9d, 0xc6, 0x73,
+	0xb5, 0xbc, 0x8a, 0xb6, 0x1d, 0x98, 0xcb, 0xce,
+	0x36, 0x6f, 0x60, 0xec, 0x96, 0x49, 0x08, 0x85,
+	0x5b, 0xc1, 0x8e, 0xb0, 0xea, 0x9e, 0x1f, 0xd6,
+	0x27, 0x7f, 0xb6, 0xe0, 0x04, 0x12, 0xd2, 0x81
+};
+
+#ifndef PK11_MD5_DISABLE
+static unsigned char sigmd5[256] = {
+	0xc0, 0x99, 0x90, 0xd6, 0xea, 0xc1, 0x5f, 0xc7,
+	0x23, 0x60, 0xfc, 0x13, 0x3d, 0xcc, 0xda, 0x93,
+	0x19, 0xf7, 0x22, 0xa9, 0x55, 0xbe, 0x70, 0x3c,
+	0x87, 0x24, 0x8a, 0x7e, 0xa7, 0x59, 0x58, 0xd3,
+	0x0e, 0x7c, 0x50, 0x3c, 0x81, 0x0f, 0x7a, 0x2b,
+	0xb1, 0x94, 0x21, 0x87, 0xe4, 0x87, 0xcd, 0x2b,
+	0xb9, 0xf1, 0xb8, 0x26, 0xc1, 0x02, 0xf4, 0x30,
+	0x83, 0x41, 0x89, 0x61, 0xcc, 0x3d, 0xe3, 0x0f,
+	0xec, 0x4a, 0x74, 0x95, 0x10, 0x65, 0xac, 0xd1,
+	0xf5, 0x95, 0xe9, 0x99, 0xa8, 0x45, 0x98, 0x99,
+	0xb5, 0xfd, 0x7a, 0x78, 0x80, 0xe5, 0x00, 0x33,
+	0xa5, 0x54, 0xe5, 0xa3, 0xc0, 0x1b, 0x6c, 0xb9,
+	0x77, 0x52, 0x6f, 0xe5, 0x85, 0xa8, 0xfa, 0x45,
+	0x78, 0x49, 0x14, 0xa0, 0x10, 0x58, 0x40, 0x80,
+	0x90, 0xc6, 0x55, 0x52, 0x6d, 0x46, 0x58, 0x50,
+	0x3d, 0x5e, 0x40, 0x25, 0x51, 0x7c, 0xc4, 0x12,
+	0x87, 0x2d, 0x7b, 0x10, 0xcd, 0x80, 0xec, 0x5d,
+	0x27, 0x15, 0x09, 0x37, 0x1f, 0xa7, 0x86, 0x15,
+	0xd1, 0xdd, 0xf1, 0x86, 0x1e, 0x42, 0x3a, 0xf9,
+	0x5a, 0xed, 0x33, 0x07, 0xa9, 0x98, 0x08, 0x79,
+	0xc5, 0xa4, 0x09, 0x95, 0x6e, 0x12, 0xfe, 0xee,
+	0x49, 0x61, 0xe0, 0x99, 0xaa, 0x34, 0xa5, 0xca,
+	0x82, 0xd3, 0x9b, 0x1c, 0x5b, 0x79, 0xf5, 0x0e,
+	0x2c, 0x6c, 0x3b, 0x48, 0xd1, 0xbc, 0xd0, 0xda,
+	0x73, 0xba, 0xe1, 0x81, 0x48, 0x27, 0x39, 0x2f,
+	0x98, 0x77, 0x08, 0xb3, 0xf7, 0x38, 0x28, 0x6d,
+	0x02, 0x56, 0xfa, 0x31, 0xbb, 0x14, 0x81, 0x6b,
+	0x3c, 0x24, 0xa2, 0x68, 0x7a, 0x0a, 0x53, 0xbd,
+	0x9d, 0x57, 0xd0, 0x99, 0x10, 0x28, 0x78, 0x69,
+	0x31, 0x93, 0xa4, 0x73, 0x8d, 0x1a, 0xe4, 0xdc,
+	0x0c, 0x15, 0xb8, 0x51, 0xd8, 0x66, 0x6a, 0x95,
+	0x56, 0x17, 0x0a, 0x45, 0x72, 0xb5, 0xb8, 0xc4
+};
+#endif
+
+static unsigned char sigsha256[256] = {
+	0x83, 0x53, 0x15, 0xfc, 0xca, 0xdb, 0xf6, 0x0d,
+	0x53, 0x24, 0x5b, 0x5a, 0x8e, 0xd0, 0xbe, 0x5e,
+	0xbc, 0xe8, 0x9e, 0x92, 0x3c, 0xfa, 0x93, 0x03,
+	0xce, 0x2f, 0xc7, 0x6d, 0xd0, 0xbb, 0x9d, 0x06,
+	0x83, 0xc6, 0xd3, 0xc0, 0xc1, 0x57, 0x9c, 0x82,
+	0x17, 0x7f, 0xb5, 0xf8, 0x31, 0x18, 0xda, 0x46,
+	0x05, 0x2c, 0xf8, 0xea, 0xaa, 0xcd, 0x99, 0x18,
+	0xff, 0x23, 0x5e, 0xef, 0xf0, 0x87, 0x47, 0x6e,
+	0x91, 0xfd, 0x19, 0x0b, 0x39, 0x19, 0x6a, 0xc8,
+	0xdf, 0x71, 0x66, 0x8e, 0xa9, 0xa0, 0x79, 0x5c,
+	0x2c, 0x52, 0x00, 0x61, 0x17, 0x86, 0x66, 0x03,
+	0x52, 0xad, 0xec, 0x06, 0x53, 0xd9, 0x6d, 0xe3,
+	0xe3, 0xea, 0x28, 0x15, 0xb3, 0x75, 0xf4, 0x61,
+	0x7d, 0xed, 0x69, 0x2c, 0x24, 0xf3, 0x21, 0xb1,
+	0x8a, 0xea, 0x60, 0xa2, 0x9e, 0x6a, 0xa6, 0x53,
+	0x12, 0xf6, 0x5c, 0xef, 0xd7, 0x49, 0x4a, 0x02,
+	0xe7, 0xf8, 0x64, 0x89, 0x13, 0xac, 0xd5, 0x1e,
+	0x58, 0xff, 0xa1, 0x63, 0xdd, 0xa0, 0x1f, 0x44,
+	0x99, 0x6a, 0x59, 0x7f, 0x35, 0xbd, 0xf1, 0xf3,
+	0x7a, 0x28, 0x44, 0xe3, 0x4c, 0x68, 0xb1, 0xb3,
+	0x97, 0x3c, 0x46, 0xe3, 0xc2, 0x12, 0x9e, 0x68,
+	0x0b, 0xa6, 0x6c, 0x8f, 0x58, 0x48, 0x44, 0xa4,
+	0xf7, 0xa7, 0xc2, 0x91, 0x8f, 0xbf, 0x00, 0xd0,
+	0x01, 0x35, 0xd4, 0x86, 0x6e, 0x1f, 0xea, 0x42,
+	0x60, 0xb1, 0x84, 0x27, 0xf4, 0x99, 0x36, 0x06,
+	0x98, 0x12, 0x83, 0x32, 0x9f, 0xcd, 0x50, 0x5a,
+	0x5e, 0xb8, 0x8e, 0xfe, 0x8d, 0x8d, 0x33, 0x2d,
+	0x45, 0xe1, 0xc9, 0xdf, 0x2a, 0xd8, 0x38, 0x1d,
+	0x95, 0xd4, 0x42, 0xee, 0x93, 0x5b, 0x0f, 0x1e,
+	0x07, 0x06, 0x3a, 0x92, 0xf1, 0x59, 0x1d, 0x6e,
+	0x1c, 0x31, 0xf3, 0xce, 0xa9, 0x1f, 0xad, 0x4d,
+	0x76, 0x4d, 0x24, 0x98, 0xe2, 0x0e, 0x8c, 0x35
+};
+
+static unsigned char sigsha512[512] = {
+	0x4e, 0x2f, 0x63, 0x42, 0xc5, 0xf3, 0x05, 0x4a,
+	0xa6, 0x3a, 0x93, 0xa0, 0xd9, 0x33, 0xa0, 0xd1,
+	0x46, 0x33, 0x42, 0xe8, 0x74, 0xeb, 0x3b, 0x10,
+	0x82, 0xd7, 0xcf, 0x39, 0x23, 0xb3, 0xe9, 0x23,
+	0x53, 0x87, 0x8c, 0xee, 0x78, 0xcb, 0xb3, 0xd9,
+	0xd2, 0x6d, 0x1a, 0x7c, 0x01, 0x4f, 0xed, 0x8d,
+	0xf2, 0x72, 0xe4, 0x6a, 0x00, 0x8a, 0x60, 0xa6,
+	0xd5, 0x9c, 0x43, 0x6c, 0xef, 0x38, 0x0c, 0x74,
+	0x82, 0x5d, 0x22, 0xaa, 0x87, 0x81, 0x90, 0x9c,
+	0x64, 0x07, 0x9b, 0x13, 0x51, 0xe0, 0xa5, 0xc2,
+	0x83, 0x78, 0x2b, 0x9b, 0xb3, 0x8a, 0x9d, 0x36,
+	0x33, 0xbd, 0x0d, 0x53, 0x84, 0xae, 0xe8, 0x13,
+	0x36, 0xf6, 0xdf, 0x96, 0xe9, 0xda, 0xc3, 0xd7,
+	0xa9, 0x2f, 0xf3, 0x5e, 0x5f, 0x1f, 0x7f, 0x38,
+	0x7e, 0x8d, 0xbe, 0x90, 0x5e, 0x13, 0xb2, 0x20,
+	0xbb, 0x9d, 0xfe, 0xe1, 0x52, 0xce, 0xe6, 0x80,
+	0xa7, 0x95, 0x24, 0x59, 0xe3, 0xac, 0x24, 0xc4,
+	0xfa, 0x1c, 0x44, 0x34, 0x29, 0x8d, 0xb1, 0xd0,
+	0xd9, 0x4c, 0xff, 0xc4, 0xdb, 0xca, 0xc4, 0x3f,
+	0x38, 0xf9, 0xe4, 0xaf, 0x75, 0x0a, 0x67, 0x4d,
+	0xa0, 0x2b, 0xb0, 0x83, 0xce, 0x53, 0xc4, 0xb9,
+	0x2e, 0x61, 0xb6, 0x64, 0xe5, 0xb5, 0xe5, 0xac,
+	0x9d, 0x51, 0xec, 0x58, 0x42, 0x90, 0x78, 0xf6,
+	0x46, 0x96, 0xef, 0xb6, 0x97, 0xb7, 0x54, 0x28,
+	0x1a, 0x4c, 0x29, 0xf4, 0x7a, 0x33, 0xc6, 0x07,
+	0xfd, 0xec, 0x97, 0x36, 0x1d, 0x42, 0x88, 0x94,
+	0x27, 0xc2, 0xa3, 0xe1, 0xd4, 0x87, 0xa1, 0x8a,
+	0x2b, 0xff, 0x47, 0x60, 0xfe, 0x1f, 0xaf, 0xc2,
+	0xeb, 0x17, 0xdd, 0x56, 0xc5, 0x94, 0x5c, 0xcb,
+	0x23, 0xe5, 0x49, 0x4d, 0x99, 0x06, 0x02, 0x5a,
+	0xfc, 0xfc, 0xdc, 0xee, 0x49, 0xbc, 0x47, 0x60,
+	0xff, 0x6a, 0x63, 0x8b, 0xe1, 0x2e, 0xa3, 0xa7
+};
+
+ATF_TC(isc_rsa_verify);
+ATF_TC_HEAD(isc_rsa_verify, tc) {
+	atf_tc_set_md_var(tc, "descr", "RSA verify");
+}
+ATF_TC_BODY(isc_rsa_verify, tc) {
+	isc_result_t ret;
+	dns_fixedname_t fname;
+	isc_buffer_t buf;
+	dns_name_t *name;
+	dst_key_t *key = NULL;
+	dst_context_t *ctx = NULL;
+	isc_region_t r;
+
+	UNUSED(tc);
+
+	ret = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_constinit(&buf, "rsa.", 4);
+	isc_buffer_add(&buf, 4);
+	ret = dns_name_fromtext(name, &buf, NULL, 0, NULL);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	ret = dst_key_fromfile(name, 29235, DST_ALG_RSASHA1,
+			       DST_TYPE_PUBLIC, "./", mctx, &key);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	/* RSASHA1 */
+
+	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				  false, &ctx);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = sigsha1;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+
+	/* RSAMD5 */
+
+#ifndef PK11_MD5_DISABLE
+	key->key_alg = DST_ALG_RSAMD5;
+
+	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				  false, &ctx);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = sigmd5;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+#endif
+
+	/* RSASHA256 */
+
+	key->key_alg = DST_ALG_RSASHA256;
+
+	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				  false, &ctx);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = sigsha256;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+
+	/* RSASHA512 */
+
+	key->key_alg = DST_ALG_RSASHA512;
+
+	ret = dst_context_create3(key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				  false, &ctx);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = d;
+	r.length = 10;
+	ret = dst_context_adddata(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	r.base = sigsha512;
+	r.length = 256;
+	ret = dst_context_verify(ctx, &r);
+	ATF_REQUIRE_EQ(ret, ISC_R_SUCCESS);
+
+	dst_context_destroy(&ctx);
+
+
+	dst_key_free(&key);
+	dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping RSA test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("RSA not available");
+}
+#endif
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+	ATF_TP_ADD_TC(tp, isc_rsa_verify);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/sigs_test.c b/lib/dns/tests/sigs_test.c
new file mode 100644
index 0000000..20fd4b6
--- /dev/null
+++ b/lib/dns/tests/sigs_test.c
@@ -0,0 +1,479 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <isc/util.h>
+
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+#include <string.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+#include <isc/buffer.h>
+#include <isc/list.h>
+#include <isc/region.h>
+#include <isc/stdtime.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include "../zone_p.h"
+
+#include "dnstest.h"
+
+/*%
+ * Structure characterizing a single diff tuple in the dns_diff_t structure
+ * prepared by dns__zone_updatesigs().
+ */
+typedef struct {
+	dns_diffop_t op;
+	const char *owner;
+	dns_ttl_t ttl;
+	const char *type;
+} zonediff_t;
+
+#define ZONEDIFF_SENTINEL { 0, NULL, 0, NULL }
+
+/*%
+ * Structure defining a dns__zone_updatesigs() test.
+ */
+typedef struct {
+	const char *description;	/* test description */
+	const zonechange_t *changes;	/* array of "raw" zone changes */
+	const zonediff_t *zonediff;	/* array of "processed" zone changes */
+} updatesigs_test_params_t;
+
+/*%
+ * Check whether the 'found' tuple matches the 'expected' tuple.  'found' is
+ * the 'index'th tuple output by dns__zone_updatesigs() in test 'test'.
+ */
+static void
+compare_tuples(const zonediff_t *expected, dns_difftuple_t *found,
+	       const updatesigs_test_params_t *test, size_t index)
+{
+	char found_covers[DNS_RDATATYPE_FORMATSIZE] = { };
+	char found_type[DNS_RDATATYPE_FORMATSIZE] = { };
+	char found_name[DNS_NAME_FORMATSIZE];
+	isc_consttextregion_t typeregion;
+	dns_fixedname_t expected_fname;
+	dns_rdatatype_t expected_type;
+	dns_name_t *expected_name;
+	dns_rdata_rrsig_t rrsig;
+	isc_buffer_t typebuf;
+	isc_result_t result;
+
+	REQUIRE(expected != NULL);
+	REQUIRE(found != NULL);
+	REQUIRE(index > 0);
+
+	/*
+	 * Check operation.
+	 */
+	ATF_CHECK_EQ_MSG(expected->op, found->op,
+			 "test \"%s\": tuple %zu: "
+			 "expected op %d, found %d",
+			 test->description, index,
+			 expected->op, found->op);
+
+	/*
+	 * Check owner name.
+	 */
+	expected_name = dns_fixedname_initname(&expected_fname);
+	result = dns_name_fromstring(expected_name, expected->owner, 0, mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_name_format(&found->name, found_name, sizeof(found_name));
+	ATF_CHECK_MSG(dns_name_equal(expected_name, &found->name),
+		      "test \"%s\": tuple %zu: "
+		      "expected owner \"%s\", found \"%s\"",
+		      test->description, index,
+		      expected->owner, found_name);
+
+	/*
+	 * Check TTL.
+	 */
+	ATF_CHECK_EQ_MSG(expected->ttl, found->ttl,
+		      "test \"%s\": tuple %zu: "
+		      "expected TTL %u, found %u",
+		      test->description, index,
+		      expected->ttl, found->ttl);
+
+	/*
+	 * Parse expected RR type.
+	 */
+	typeregion.base = expected->type;
+	typeregion.length = strlen(expected->type);
+	result = dns_rdatatype_fromtext(&expected_type,
+					(isc_textregion_t*)&typeregion);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Format found RR type for reporting purposes.
+	 */
+	isc_buffer_init(&typebuf, found_type, sizeof(found_type));
+	result = dns_rdatatype_totext(found->rdata.type, &typebuf);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Check RR type.
+	 */
+	switch (expected->op) {
+	case DNS_DIFFOP_ADDRESIGN:
+	case DNS_DIFFOP_DELRESIGN:
+		/*
+		 * Found tuple must be of type RRSIG.
+		 */
+		ATF_CHECK_EQ_MSG(found->rdata.type, dns_rdatatype_rrsig,
+				 "test \"%s\": tuple %zu: "
+				 "expected type RRSIG, found %s",
+				 test->description, index,
+				 found_type);
+		if (found->rdata.type != dns_rdatatype_rrsig) {
+			break;
+		}
+		/*
+		 * The signature must cover an RRset of type 'expected->type'.
+		 */
+		result = dns_rdata_tostruct(&found->rdata, &rrsig, NULL);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		isc_buffer_init(&typebuf, found_covers, sizeof(found_covers));
+		result = dns_rdatatype_totext(rrsig.covered, &typebuf);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		ATF_CHECK_EQ_MSG(expected_type, rrsig.covered,
+				 "test \"%s\": tuple %zu: "
+				 "expected RRSIG to cover %s, found covers %s",
+				 test->description, index,
+				 expected->type, found_covers);
+		break;
+	default:
+		/*
+		 * Found tuple must be of type 'expected->type'.
+		 */
+		ATF_CHECK_EQ_MSG(expected_type, found->rdata.type,
+				 "test \"%s\": tuple %zu: "
+				 "expected type %s, found %s",
+				 test->description, index,
+				 expected->type, found_type);
+		break;
+	}
+}
+
+/*%
+ * Perform a single dns__zone_updatesigs() test defined in 'test'.  All other
+ * arguments are expected to remain constant between subsequent invocations of
+ * this function.
+ */
+static void
+updatesigs_test(const updatesigs_test_params_t *test, dns_zone_t *zone,
+		dns_db_t *db, dst_key_t *zone_keys[], unsigned int nkeys,
+		isc_stdtime_t now)
+{
+	size_t tuples_expected, tuples_found, index;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t raw_diff, zone_diff;
+	const zonediff_t *expected;
+	dns_difftuple_t *found;
+	isc_result_t result;
+
+	dns__zonediff_t zonediff = {
+		.diff = &zone_diff,
+		.offline = false,
+	};
+
+	REQUIRE(test != NULL);
+	REQUIRE(test->description != NULL);
+	REQUIRE(test->changes != NULL);
+	REQUIRE(zone != NULL);
+	REQUIRE(db != NULL);
+	REQUIRE(zone_keys != NULL);
+
+	/*
+	 * Create a new version of the zone's database.
+	 */
+	result = dns_db_newversion(db, &version);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create a diff representing the supplied changes.
+	 */
+	result = dns_test_difffromchanges(&raw_diff, test->changes);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Apply the "raw" diff to the new version of the zone's database as
+	 * this is what dns__zone_updatesigs() expects to happen before it is
+	 * called.
+	 */
+	dns_diff_apply(&raw_diff, db, version);
+
+	/*
+	 * Initialize the structure dns__zone_updatesigs() will modify.
+	 */
+	dns_diff_init(mctx, &zone_diff);
+
+	/*
+	 * Check whether dns__zone_updatesigs() behaves as expected.
+	 */
+	result = dns__zone_updatesigs(&raw_diff, db, version, zone_keys, nkeys,
+				      zone, now - 3600, now + 3600, now,
+				      true, false, &zonediff);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "test \"%s\": expected success, got %s",
+			 test->description, isc_result_totext(result));
+	ATF_CHECK_MSG(ISC_LIST_EMPTY(raw_diff.tuples),
+		      "test \"%s\": raw diff was not emptied",
+		      test->description);
+	ATF_CHECK_MSG(!ISC_LIST_EMPTY(zone_diff.tuples),
+		      "test \"%s\": zone diff was not created",
+		      test->description);
+
+	/*
+	 * Ensure that the number of tuples in the zone diff is as expected.
+	 */
+
+	tuples_expected = 0;
+	for (expected = test->zonediff;
+	     expected->owner != NULL;
+	     expected++)
+	{
+		tuples_expected++;
+	}
+
+	tuples_found = 0;
+	for (found = ISC_LIST_HEAD(zone_diff.tuples);
+	     found != NULL;
+	     found = ISC_LIST_NEXT(found, link))
+	{
+		tuples_found++;
+	}
+
+	ATF_REQUIRE_EQ_MSG(tuples_expected, tuples_found,
+			   "test \"%s\": "
+			   "expected %zu tuples in output, found %zu",
+			   test->description,
+			   tuples_expected, tuples_found);
+
+	/*
+	 * Ensure that every tuple in the zone diff matches expectations.
+	 */
+	expected = test->zonediff;
+	index = 1;
+	for (found = ISC_LIST_HEAD(zone_diff.tuples);
+	     found != NULL;
+	     found = ISC_LIST_NEXT(found, link))
+	{
+		compare_tuples(expected, found, test, index);
+		expected++;
+		index++;
+	}
+
+	/*
+	 * Apply changes to zone database contents and clean up.
+	 */
+	dns_db_closeversion(db, &version, true);
+	dns_diff_clear(&zone_diff);
+	dns_diff_clear(&raw_diff);
+}
+
+ATF_TC(updatesigs);
+ATF_TC_HEAD(updatesigs, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns__zone_updatesigs() tests");
+}
+ATF_TC_BODY(updatesigs, tc) {
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	dns_zone_t *zone = NULL;
+	dns_db_t *db = NULL;
+	isc_result_t result;
+	unsigned int nkeys;
+	isc_stdtime_t now;
+	size_t i;
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Prepare a zone along with its signing keys.
+	 */
+
+	result = dns_test_makezone("example", &zone, NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_loaddb(&db, dns_dbtype_zone, "example",
+				 "testdata/master/master18.data");
+	ATF_REQUIRE_EQ(result, DNS_R_SEENINCLUDE);
+
+	result = dns_zone_setkeydirectory(zone, "testkeys");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_stdtime_get(&now);
+	result = dns__zone_findkeys(zone, db, NULL, now, mctx, DNS_MAXZONEKEYS,
+				    zone_keys, &nkeys);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(nkeys, 2);
+
+	/*
+	 * Define the tests to be run.  Note that changes to zone database
+	 * contents introduced by each test are preserved between tests.
+	 */
+
+	const zonechange_t changes_add[] = {
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT", "bar" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_add[] = {
+		{ DNS_DIFFOP_ADDRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_add = {
+		.description = "add new RRsets",
+		.changes = changes_add,
+		.zonediff = zonediff_add,
+	};
+
+	const zonechange_t changes_append[] = {
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo1" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT", "foo2" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_append[] = {
+		{ DNS_DIFFOP_DELRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		{ DNS_DIFFOP_ADD, "foo.example", 300, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_append = {
+		.description = "append multiple RRs to an existing RRset",
+		.changes = changes_append,
+		.zonediff = zonediff_append,
+	};
+
+	const zonechange_t changes_replace[] = {
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT", "bar" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT", "rab" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_replace[] = {
+		{ DNS_DIFFOP_DELRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_ADD, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_replace = {
+		.description = "replace an existing RRset",
+		.changes = changes_replace,
+		.zonediff = zonediff_replace,
+	};
+
+	const zonechange_t changes_delete[] = {
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT", "rab" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_delete[] = {
+		{ DNS_DIFFOP_DELRESIGN, "bar.example", 600, "TXT" },
+		{ DNS_DIFFOP_DEL, "bar.example", 600, "TXT" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_delete = {
+		.description = "delete an existing RRset",
+		.changes = changes_delete,
+		.zonediff = zonediff_delete,
+	};
+
+	const zonechange_t changes_mixed[] = {
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT", "baz1" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "A", "127.0.0.1" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT", "baz2" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "AAAA", "::1" },
+		ZONECHANGE_SENTINEL,
+	};
+	const zonediff_t zonediff_mixed[] = {
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "TXT" },
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "A" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "A" },
+		{ DNS_DIFFOP_ADDRESIGN, "baz.example", 900, "AAAA" },
+		{ DNS_DIFFOP_ADD, "baz.example", 900, "AAAA" },
+		ZONEDIFF_SENTINEL,
+	};
+	const updatesigs_test_params_t test_mixed = {
+		.description = "add different RRsets with common owner name",
+		.changes = changes_mixed,
+		.zonediff = zonediff_mixed,
+	};
+
+	const updatesigs_test_params_t *tests[] = {
+		&test_add,
+		&test_append,
+		&test_replace,
+		&test_delete,
+		&test_mixed,
+	};
+
+	/*
+	 * Run tests.
+	 */
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		updatesigs_test(tests[i], zone, db, zone_keys, nkeys, now);
+	}
+
+	/*
+	 * Clean up.
+	 */
+	for (i = 0; i < nkeys; i++) {
+		dst_key_free(&zone_keys[i]);
+	}
+	dns_db_detach(&db);
+	dns_zone_detach(&zone);
+
+	dns_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping dns__zone_updatesigs() test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("DNSSEC support not compiled in");
+}
+#endif
+
+ATF_TP_ADD_TCS(tp) {
+#if defined(OPENSSL) || defined(PKCS11CRYPTO)
+	ATF_TP_ADD_TC(tp, updatesigs);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/testdata/db/data.db b/lib/dns/tests/testdata/db/data.db
new file mode 100644
index 0000000..9ac043e
--- /dev/null
+++ b/lib/dns/tests/testdata/db/data.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns	ns.vix.com.
+a		in	ns	ns2.vix.com.
+a		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/dbiterator/zone1.data b/lib/dns/tests/testdata/dbiterator/zone1.data
new file mode 100644
index 0000000..81c0abe
--- /dev/null
+++ b/lib/dns/tests/testdata/dbiterator/zone1.data
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600
+@		in	soa	localhost. postmaster.localhost. (
+				2011080901	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				600 )		;minimum
+ 		in	ns	ns
+ 		in	ns	ns2
+ns		in	a	10.0.0.1
+ns2		in	a	10.0.0.2
+
+a		in	txt	"test"
+b		in	txt	"test"
+c		in	txt	"test"
+d.e.f		in	txt	"test"
+e		in	txt	"test"
+f.g.h		in	txt	"test"
+f.g.i		in	txt	"test"
+f.g.j		in	txt	"test"
+k		in	txt	"test"
diff --git a/lib/dns/tests/testdata/dbiterator/zone2.data b/lib/dns/tests/testdata/dbiterator/zone2.data
new file mode 100644
index 0000000..7265c27
--- /dev/null
+++ b/lib/dns/tests/testdata/dbiterator/zone2.data
@@ -0,0 +1,319 @@
+; File written on Mon Aug 15 16:51:56 2011
+; dnssec_signzone version 9.7.3rc1
+test.			600	IN SOA	localhost. postmaster.localhost. (
+					2011080901 ; serial
+					3600       ; refresh (1 hour)
+					1800       ; retry (30 minutes)
+					604800     ; expire (1 week)
+					600        ; minimum (10 minutes)
+					)
+			600	RRSIG	SOA 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					IoQPcpx+Y2btVBBdM2H/9ppRMjphB1thwrdh
+					midhKH+MXDAauUIENucugi3zLsc1o2ke8LnQ
+					v3lCLd/bb5MD1otuS8vOw1GWEFhXOUBZU6wS
+					QwEIcG4BiSlz7/GvOlRa2znkOmZ3c8bD/J3Y
+					XUWDI3BEDPgrZqfxEvoMyPEWjO8= )
+			600	NS	ns.test.
+			600	NS	ns2.test.
+			600	RRSIG	NS 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					OgEimhmFIAqlH0hyQy3pTsveBHKyqs9WfO1S
+					uDPRj3DFgFEAjoY473T8GxG2C+jTVL/UMVcb
+					BTZ8wIAiUHhqKLcmr0q/1X+kNUs7tNi+6oMn
+					/jxaOuRL6c8Kf2gl2t4g6JTwQqLQhUHTfQP+
+					bEfKUr75VsVfxCQZIHlZ3/AlxZM= )
+			600	DNSKEY	256 3 7 (
+					AwEAAc0FzrE7jUiaKIGZpIaFE8E989topAJN
+					dWIQUQ7BSKabmpBP2M+SXHwIiQ/yC25iqudO
+					IxjRcK7nHB1VoP84xU2oMj6eeSqQHf/bYaji
+					Y8IfR7lgrzoDWzq+0rtnKMJc/JM8SMkcoBAS
+					llvxarDJTZheZjlrCvhpRJC+FAkBsx81
+					) ; key id = 39833
+			600	DNSKEY	257 3 7 (
+					AwEAAc55LPDhBLqfDUpjYYbBt+N63CiZtKrD
+					UDGeFAerbw0MWIUi3PgMr7yGVrj8e5Qjp9UN
+					zBUax6NdhlYVtFA8CwMTXGBjxgyqUoWpce08
+					lswxfE70BpgUA6w5efs0/mYtX9/A76etCaSI
+					oNH2vfa47BCdCPDfC1uTgyeuNuDvhszHaSiD
+					8OY7tLa/voecUlq38sdqi2raf2DvgOm7rdFa
+					reXOS/WIj7zd4XYrV1JGthxOMVlQ7zdv9rVd
+					UNUIF2d4hwCZJQr0ejhmvB3m/DuNmNOPYmnv
+					KTmLSE+IJ6baqYvKOVxwV+SaCnuJEjv+3Yrx
+					8WQYD/iS9WBhC9FUit0dy+0=
+					) ; key id = 57183
+			600	RRSIG	DNSKEY 7 1 600 20110914225156 (
+					20110815225156 39833 test.
+					xPV+bSGUlbxA5MKBeeRbwUDh3Qc+dm77+OHQ
+					BHIr1L8/kRP5o5J7MqPA37kea6nhyltYf9xM
+					RsxyiaBGUUeLyWg/q6hTtkNgAHifOPAhiDz8
+					AJDSTdSsq9RVtjdobAD0jyzz9sWnB+TPSOmj
+					Nlyd7VtPVEuSYljgawwfBBO3Kho= )
+			600	RRSIG	DNSKEY 7 1 600 20110914225156 (
+					20110815225156 57183 test.
+					S3jkC7AvyFc4ShfHt6AWgS4zpx9DzWHBK9gV
+					2H23OJzy8H1At/CjKxWVHLJ/io+ygryVnt/I
+					47Jyhh9i43TnXj8il475YsweGnXGZSorrcXA
+					3IsD2lOuRYnp3yetxe2ZrMGNDqqImE6X4x1a
+					UJI0cbE2UMZfUt8Rm5USiGzwAEgFD1OXxvMD
+					UT3flyp+Ote9FConK8gewV4wlJuBFemWT7BZ
+					lUYnoqfuAeEn2+1pIBS0iA0LNFjNBaEgtcjo
+					QeweN32yKoApau47Dl/Klw7KFT8+PLZ0QPbt
+					XAkJU7q94Q5aucDuHCSCTCc+2vZxdEnXKvRY
+					rfLuG8r/V5Kn+1iYrQ== )
+			0	NSEC3PARAM 1 0 10 -
+			0	RRSIG	NSEC3PARAM 7 1 0 20110914225156 (
+					20110815225156 39833 test.
+					kghSSeP8AZiQ/zmxgxAyG0itoUMo5adG5pxD
+					p8T3ZmbxEUSyG5acxBFkmeY39wVU0Cda8tWc
+					HHrMbB5e2GN8z6xJ0A4rVyXfKSYJSz+iKWfk
+					7sOFRjd8OLYE3di6PwIpk6ORUiRPMFLDQCH0
+					Q27hLsSoKyd50orKKI+ncjz7WzU= )
+a.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					UEVOlnL6CDRNCfk/Xge2oaGYCV1+ewwi5zJ0
+					CX4DdwiNEkItL4HgBe8xXfxgFC3qySdsSYPE
+					1krdFyIkAclMCwHECd1UwZbGlMTEUGrE1KOB
+					8vQY+OhIV9TAhqNwnjbu7s2ZdNUv3wiUPcfk
+					hCJ4rzP6yeV2inLwZulXnhxb6Pk= )
+b.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					HcyQlO9io6Rc5e4vVqlRmK5PacOaFQJmdERG
+					5Aobpgm1FuCLC7F+IMZ0d1XvBWnsw9iDzV43
+					UKzTGqUSmDiSBzs4QzHlacGickIW8EOV4xyJ
+					+mcJ0FZh4YNbkt6CiX+8SF6IxfCMhRMjpSsK
+					rWqJMG3LXkI6W9stShzsYAFBOzQ= )
+e.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					jUn5FGRTL9OcFU7tvfkUnSwY8jA+8JynE0hi
+					ZJbYXDU5CiWGmR2B3yPHxUCewRqouyVCV8bc
+					xZsSuBxvcdYKryYDbjsmB83GlSEuxE9J7XZs
+					8SxUP8PobLVqzXgEZS/XRU2G+R915ZDP9/iL
+					z9oYwc9TkeyXbp8J/ZsH88tG980= )
+c.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					cRxAj45oFDDCd8xQXxD1F0Qq8XeBWAj8EYS3
+					7nFXAgAy8sTczFvYCNGj79o7BALJwM4vc/wx
+					6rjsiO/sHgfTMEBDq6lH9Wql72uhwavI2SrL
+					/h/wBP5q4BXlQ4xp6cLhhdifOWhNTvLP+Fe5
+					U6yjvqneiKspze9SiFbcmRDiJds= )
+d.e.f.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					ENjCzr/P9rJmj5OJLzYwWtHtBg2Uz+qJDucz
+					I97Pq9F819/c5sxNfT4hgICCw6ZfT4ffbzye
+					fFJ0JVrh2cYOzu68ozlgek/Uml1UW0pDQVdI
+					s4zEgp4XK9wXUxtWChSqp5YXMdeHegZFu32i
+					IMNTbJDudwYSwhr2FyG92ZRi8Y8= )
+f.g.h.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					HT7iocFsfDjeX6j9RJdE3xfVGkIxhajFHgM/
+					T/mJj/al4HKV6Ajia8DhpdfDrgM2m7r+Pgcn
+					FSIstfebQsuFCnHX/gIalDND/grHKsetQnMP
+					Y7O4QLsRnTV53fdlqQ4eT+jBW6fzJdGySVN+
+					bg6kNJZS8DebjmlKtZz7tXjkP+4= )
+f.g.i.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					kHJJeNSL1rz4QRYqOzhGMQl1yIdio7l8Lg8H
+					f0TsvFLa6BudVtwKUm+Kz2QiDn7/Lew8w0KX
+					vVHxX/Vwl3Ixk54YgMKLNogz2TEvnh/VGiS7
+					8r0oSUrg0CFd+xDfxnLeRqX5NNfMuSJap5WH
+					Aw7IVeRjXDwJFYnytMEnTrhHHHg= )
+f.g.j.test.		600	IN TXT	"test"
+			600	RRSIG	TXT 7 4 600 20110914225156 (
+					20110815225156 39833 test.
+					lIEHEhDFhOWK8W/F2xWELU2p/X77S2KTivm9
+					sY4k3RPsLNHE7p+lF8p72Lcb79rtltnoVYtE
+					pTIiaUcmgGwfaI4cwfXbeuEgnuTiLg7Xrefx
+					3GT86Q+8gfgbMXUmRA/eouWZhCOaYJN99gYz
+					urzDMiRLYmILHmLlnvo82SgXeuk= )
+k.test.			600	IN TXT	"test"
+			600	RRSIG	TXT 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					wC3zgYWsuLga8Vu3QFu/Ci8SzRbA5bvjSmDj
+					NzcpjU5cvJBxtgzatCr02AaUC94bI0JzNrEB
+					nFyWCYw55lyy+bAHU1u05UcQmz0n5yxkvmHX
+					i8ZjMyQkAvNKodJHaFQqUKKIDuSHD2EziKqg
+					eNn55YRS11ihkODehUVNl7TnYeA= )
+ns.test.		600	IN A	10.0.0.1
+			600	RRSIG	A 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					VyK/WlQ6ikXdjF/arGzyAyYhOc8IYNBp4QLW
+					gtYjvbjIcV5+9JINWmUs61VjJ14nES1sI0xb
+					9vQJuiPXTM1awUAnvOKLhaX6fbJaEiR1w6Cf
+					RT5QKBMxNBKVStqdabHcigY4DUuc1PQk1vCw
+					yMUJt3nHNVMZk+XAycNHzBeYjik= )
+ns2.test.		600	IN A	10.0.0.2
+			600	RRSIG	A 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					CX6UlZL+5NQJViKfbe/E3uIJk/wjUzoiHBhY
+					B6gS8nxZzlRPdTTXyMZoRa4etTZEbrRjnyXk
+					1rP47faCUwbh//XqukN9f7FZ4Y39NpPS2XpX
+					0Lx6M93Jz46lbzmseMFs2YmNMzzhN4uhRvl/
+					8gPtYsn9KMXnAlFfa4XrE5LNVyY= )
+1F3JQ6EANHNHOCMUPQTVNM339VDTR51C.test. 600 IN NSEC3 1 0 10 - 7QKPELF33JOK9BVJ7CKE99AHG40B0SH7 A RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					w7aS12lxLNh+G1B/2kEq1BO6IzYvyC8n/MGV
+					0jvFnapNXGZMPrPxGeO2wkw1JXepuXCv98be
+					M4SjQywaH+VP6ZMTIfjxRxtcCM+aLAFhiz0l
+					/MILEkjemmxjAfvV7emRVMwCGcoGI7qC3Xxq
+					q5g8EzJiYyTCOnI5LKRggn97wGg= )
+7QKPELF33JOK9BVJ7CKE99AHG40B0SH7.test. 600 IN NSEC3 1 0 10 - 94Q15K1V1VE5F87EI37T2B9A39EEC368 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					J4ObL3p4eN0jWh06M+rX2SSPANQoKfnosElB
+					KcKE7fLqEjKK7N6Yh6KUlbEP25tfeZ7W6GBJ
+					b7q6Nh0Ax8fYdc/6JVvmxcwWcx5Lw1TfITGB
+					ttFntJlbp1A8lwP3pn8Ksql1X2ogh78AsgTb
+					X5kmXVukC1oEzt98EAa/V/an8QA= )
+CS8M3UVG0UJDR6USBES4U9SNUGQI2RJE.test. 600 IN NSEC3 1 0 10 - ETEQB5V431INUIIE547FKSOF7O4DJ62J A RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					Vyd/2b0S15fACJ8TiPXKtScV9A/ZztVumZAm
+					o2S6jaVJKWik+8orDW+WiJ4/PEl26PK2m1uv
+					HD2beuUCHj9EnYkN/dzL3Bsc302qr9xqsh0q
+					VFS2moznoNG415ZV3vgYR7L9DAp43ZeFuw6I
+					7sr21hLYLUeo31xBsJg7RlOL+4s= )
+ETEQB5V431INUIIE547FKSOF7O4DJ62J.test. 600 IN NSEC3 1 0 10 - F8G1MB0JUEU3FBI11CAVFIPGEA3POOIM
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					oOHs1eb3JYeOMOnzE2PS6NIXBNzSoTYPIxo/
+					P0d/ihsLKra3yNJNPTlu4kf+FZoNYAGtMK/D
+					6dZWFvtdswDdi2C5WSgsanuHqXq5Lr3A1nCe
+					cQI5PO4RrLymB+MtYg15CNKcnc0WmJO8deSR
+					WzNOarC+Iz1Xj3FkKDS4FFr+02Q= )
+94Q15K1V1VE5F87EI37T2B9A39EEC368.test. 600 IN NSEC3 1 0 10 - CS8M3UVG0UJDR6USBES4U9SNUGQI2RJE
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					K0PvN7YtHQ63x/x2yXXa2S9GBGuTNJywDZ8M
+					wyMSwytCb9mn4hnKD5mJHaXGTw3YX7usbnEO
+					ce6hiJdN/VhMfbRMOvUpgyblOj4kXiYVZY1a
+					SyycfugK/Hu1j4az7lIhhnnx58GChA6mg8Vx
+					3Uz6cNDDCSTBTl09NyeUUrKWsHQ= )
+FBH6B0LHT9PPQB1P98D228HA1H52L8PO.test. 600 IN NSEC3 1 0 10 - JGU2L7C3LKLHAKC5RHUOORTI2DCKK3KL
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					giXRE+4ZeIzDrhx1XkFSpIKGFd3UGzlrLZnO
+					Ur9nMUfwvU5A3fitEkdayo3ZDH7MQGpSotaH
+					ReiFXx3Z6Hm2NIN/RHYZQr9e0vbMYSjkANdu
+					HWBA1SrSq5SHyuy970mPd4jfTHiABCo6fJGB
+					ykGClZGou0WSaB+Ak19fMbeQ2Wo= )
+JGU2L7C3LKLHAKC5RHUOORTI2DCKK3KL.test. 600 IN NSEC3 1 0 10 - KFMJ88CKMKUQQJE59IKFBOLLLD4DF55H TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					BHTDUgZdWNLgz3xHYMqvlWK/IJ0xrXESoREc
+					6D3sO9bcLTMYPO9t80itOlipwp4AmaVOBXPt
+					cKSdgsUXDEtHqNSxtGbNr5xQ+Aqsep0GX71V
+					HkcIuiNdTUw83dkajCHMkmQCbEjp9mbdiTmS
+					haNW2EsscldfaS1aq5tYUhCT3l4= )
+L993U6VC0DUV5QJ8TRPD2IQLM8FJ7AT9.test. 600 IN NSEC3 1 0 10 - LSMRLLNBQGGK8J6V40KLM2LG5TE4FS0P
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					vE7K0Nrju4qLFDYkIyMY5bIMT0wu8MJdxL6u
+					7WVA4HepccKQcUnvVoBAcrA9+MUeteyrad8Y
+					SJvQIt7sz5t7FViWSq5IMPVPujWtW5J30LhJ
+					mOLd1KmnFWoVthJ1oFNzBM80A60seKNnEw1M
+					lV6Y+v0gNYIQensUb9w6SVMTpxE= )
+F8G1MB0JUEU3FBI11CAVFIPGEA3POOIM.test. 600 IN NSEC3 1 0 10 - FA1T7MKUUV9SD4VDBJQ3GRFK1IDTCKL7
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					DkL9ONc0vpsKdG20ol8XPAaVfLb7kf1wnKbR
+					rQUB1trGSHm/Igo06of43zm9J+56htFJg1xD
+					I2de0sCUBQYyHVBBDiBAd1g+ZvcpUlLP0w8M
+					NxMviMiG/WQAdGXHwYfUimwMWD7gNGl1m05H
+					HwYmzGs+d1bClDNBrFhdfdL2+iA= )
+LSMRLLNBQGGK8J6V40KLM2LG5TE4FS0P.test. 600 IN NSEC3 1 0 10 - LUAN2Q3I2OCVSD41MP08HNA9JP22D38K
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					ZgiWuMqodQuhwuAF6CIiJTsdRahi+poOiZAM
+					WXNP0wXfdptcG2uhbdDwy+0crhe3tuybhwcb
+					CuiaQUh0XNPhgF+qmXpGobaqBhCEvCF4K9qY
+					OCIoMfsI1pIBVbMw0+YXVarFZ8+mfNU/+6n6
+					yy2+1nCg3k4XR2Dpv4CeDBfcAuM= )
+NAL1UIEBM38NKMN6RQOKE8T781IA7UKI.test. 600 IN NSEC3 1 0 10 - OUSGP0LO9FGAROHDULQVSTI3OLQIBB39 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					x8JiXPI+EXHz8ZO/VW0/+9wWsBNqeSMxXZIV
+					ibOnogSg7Wi7Yq1xftKC2+xEevNxSZnBibEy
+					Sgro5xKTf0n7pD9hHVBLoYmOOnbXY3QNQ2EQ
+					y3LdPT355WmwVddVOOxNpNRp2zQyqg7BhVA3
+					wxY7tyVQd4x1+95ATUQBnFditdE= )
+KFMJ88CKMKUQQJE59IKFBOLLLD4DF55H.test. 600 IN NSEC3 1 0 10 - L993U6VC0DUV5QJ8TRPD2IQLM8FJ7AT9 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					KQPaN2Ecebifbl4Bz5Yo0x2DgGmZiVhpSydm
+					oy/5NtMjt7G472JrKlqByap+VxW0bpzo3IER
+					3P8Dsv7pfBD4/Cl5sFqwZL7wYy7RB4dQLVCi
+					Pepc/Mr3gR2XmL91fpGttMj5jGscnVQJCyFa
+					obzhsVaVImUQZFDPb0UQUHwIhOA= )
+LUAN2Q3I2OCVSD41MP08HNA9JP22D38K.test. 600 IN NSEC3 1 0 10 - NAL1UIEBM38NKMN6RQOKE8T781IA7UKI TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					NJ+X3d0qh2+fbSnG0iQPxAeDIOzX5NTmY9fS
+					x7IO/DDcgUhPvl1YYdz5J999cec1zzOKp10J
+					YbsIAzg0w/Y4D4CBUw3IkcOrUFOODb6eJQGb
+					rVFRqmp3BUP4qOAWUZvx4oQ0KG4K/h/KJMbU
+					Vcdl7PF7G5O5hMyR9UWg4zal7Sk= )
+OUSGP0LO9FGAROHDULQVSTI3OLQIBB39.test. 600 IN NSEC3 1 0 10 - PQQ28M3U2MM08GGFV3JKR76G2H9IUJPC TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					A/qxYrSE/smBGbST8j8eGPCrRnwvVa25kDha
+					IuA3nv0vzXhFvlruc9f0HRGwsq6A2pw3I5W+
+					xo2/JxsNyFOotdwaDDEBzqPkJmrzupxQS4Hm
+					rHSLnRnNw4QzvzNjAGWMYAoe3OeHC47wmAtI
+					qE91EHZTlPP28CUXOMo+7sCaOa8= )
+U0UVS2SUP89P2TM3PJO4TC1GPJ2O6519.test. 600 IN NSEC3 1 0 10 - VA2VG5BEMCKQP6MS5NHHGL18031BIA7M NS SOA RRSIG DNSKEY NSEC3PARAM
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					rahhkfiF+Rk6oqbWTdu9qcwhmj5hbDuIFdiJ
+					GmaG+cFSv5Mjp+txNVCvBK9Hq/VpW0ypen/3
+					JC0sVAugSX+HAKAgyaMKmgWCvoQZ6ZSJUh7o
+					LRPcT+oxVXQAqjovxpaV8k6sYo44tpljPdOD
+					UluWAP5SrmJKjzCxs27KGRx8MK4= )
+VA2VG5BEMCKQP6MS5NHHGL18031BIA7M.test. 600 IN NSEC3 1 0 10 - VAKOQ2TPD7S25NFBJT73J3C4OGU10RJ5 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					XcBeZ8lo9Qo8z56+1FdGDjh6ZHCfO+MQ/wnY
+					TEUo/aWLkPTyq39nLhe0qVBJxmDpM+KQFuG9
+					cjQT5fvrlrY+lv6dedB64EBMYy4kKbIv7N5+
+					r6+sfWlvtKsfXxysLSk2+jLEm5NuLFrOdNas
+					WLVsq741D3YcWt4kM1HCyk3DNF8= )
+FA1T7MKUUV9SD4VDBJQ3GRFK1IDTCKL7.test. 600 IN NSEC3 1 0 10 - FBH6B0LHT9PPQB1P98D228HA1H52L8PO TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					jB/vLrvx4sQQD7J3ZacAAyhcFmIPh7LH3ljw
+					IAIaeLb10oX5q1/nQKYdfq976TMy5sWpBcmd
+					i91WLxd+T/gOSumyP8bC3g+SUoyZ9wxY6A6a
+					MMx1rn0QA9IKrxMqojs9M3urJ8QAeIS+KyAn
+					rbyyJuG+EVm0prqlPZtzUi28WCI= )
+PQQ28M3U2MM08GGFV3JKR76G2H9IUJPC.test. 600 IN NSEC3 1 0 10 - U0UVS2SUP89P2TM3PJO4TC1GPJ2O6519
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					asCOU9OkVWMvUU2IUpwMgdYf0faA04zPbaFf
+					qywYsv3NH01Lky6G3a0WUPAbBm7TAYx/ln8a
+					559vlpp/gpXEl9CcLrjO6wy5i0ryp8gVHtKJ
+					rQlEc/uw4SY+S5t7FuZc2rNRdAbxVMYuwrvm
+					HBsKDPblre3e06ZZFEmnGFzCgmg= )
+VAKOQ2TPD7S25NFBJT73J3C4OGU10RJ5.test. 600 IN NSEC3 1 0 10 - VNCCJH8JPOLGLAGVMV3FKS09M7RRDU47 TXT RRSIG
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					Pt4tKB1p/jsyLYab9LSt5MF1KTRT18nRTOox
+					q0IACkXkKx7W5xv6nSYXIB+nQzNp1Y1hhoXn
+					9IFi0liPnIAOp73w4vybhfIdTFiEmHPHT6O9
+					VIx5cSriqBI6Qda8GtfeIb96P8SojbUk5BDI
+					g18iYjviGhQYRgpU3tg1qd7pbcc= )
+VNCCJH8JPOLGLAGVMV3FKS09M7RRDU47.test. 600 IN NSEC3 1 0 10 - 1F3JQ6EANHNHOCMUPQTVNM339VDTR51C
+			600	RRSIG	NSEC3 7 2 600 20110914225156 (
+					20110815225156 39833 test.
+					ZMZPHawhkuzSV7C7zkgghH/jpw9CQVR1JUXq
+					pAeY2iIIWwNhfuskJaLgtu/5SuKnJtrv6D4N
+					g+lfEkBReia5xO/SCcHv8/hXEPH8vZ4xe1C9
+					6GVB6ip2hKw2g5HpyF7X18WgwZ0cqPWVg+Q+
+					xRLpXH+53391Wt5rG7qJswn5RLE= )
diff --git a/lib/dns/tests/testdata/diff/zone1.data b/lib/dns/tests/testdata/diff/zone1.data
new file mode 100644
index 0000000..6eb87ab
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone1.data
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
+remove	0	A 5.6.7.8
diff --git a/lib/dns/tests/testdata/diff/zone2.data b/lib/dns/tests/testdata/diff/zone2.data
new file mode 100644
index 0000000..d57d586
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone2.data
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
+remove	0	A 5.6.7.8
+added	0	A 5.6.7.8
diff --git a/lib/dns/tests/testdata/diff/zone3.data b/lib/dns/tests/testdata/diff/zone3.data
new file mode 100644
index 0000000..65f12dd
--- /dev/null
+++ b/lib/dns/tests/testdata/diff/zone3.data
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 	0	SOA . . 0 0 0 0 0
+@	0	NS @
+@	0	A 1.2.3.4
diff --git a/lib/dns/tests/testdata/dnstap/dnstap.saved b/lib/dns/tests/testdata/dnstap/dnstap.saved
new file mode 100644
index 0000000..c657f41
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/dnstap.saved
diff --git a/lib/dns/tests/testdata/dnstap/dnstap.text b/lib/dns/tests/testdata/dnstap/dnstap.text
new file mode 100644
index 0000000..71977e4
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/dnstap.text
@@ -0,0 +1,96 @@
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 SR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 CR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 AR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 RR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 FR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 UDP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 15:47:16.000 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TQ 10.53.0.1:2112 -> 10.53.0.2:2112 TCP 40b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 UDP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 17:47:16.000 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
+03-Feb-2017 16:47:16.830 TR 10.53.0.1:2112 <- 10.53.0.2:2112 TCP 287b www.isc.org/IN/A
diff --git a/lib/dns/tests/testdata/dnstap/query.auth b/lib/dns/tests/testdata/dnstap/query.auth
new file mode 100644
index 0000000..a14f850
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/query.auth
@@ -0,0 +1,4 @@
+# authoritative query, www.isc.org/A
+8d 24 00 20 00 01 00 00 00 00 00 01 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 00 00 29
+10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/query.recursive b/lib/dns/tests/testdata/dnstap/query.recursive
new file mode 100644
index 0000000..8ee705f
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/query.recursive
@@ -0,0 +1,4 @@
+# recursive query for www.isc.org/A
+bf 08 01 20 00 01 00 00 00 00 00 01 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 00 00 29
+10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/response.auth b/lib/dns/tests/testdata/dnstap/response.auth
new file mode 100644
index 0000000..4d0ea81
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/response.auth
@@ -0,0 +1,19 @@
+# authoritative response, www.isc.org/A
+8d 24 84 00 00 01 00 01 00 04 00 07 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 c0 0c 00
+01 00 01 00 00 00 3c 00 04 95 14 40 45 c0 10 00
+02 00 01 00 00 1c 20 00 0d 03 61 6d 73 06 73 6e
+73 2d 70 62 c0 10 c0 10 00 02 00 01 00 00 1c 20
+00 07 04 73 66 62 61 c0 3d c0 10 00 02 00 01 00
+00 1c 20 00 19 02 6e 73 03 69 73 63 0b 61 66 69
+6c 69 61 73 2d 6e 73 74 04 69 6e 66 6f 00 c0 10
+00 02 00 01 00 00 1c 20 00 06 03 6f 72 64 c0 3d
+c0 39 00 01 00 01 00 00 1c 20 00 04 c7 06 01 1e
+c0 39 00 1c 00 01 00 00 1c 20 00 10 20 01 05 00
+00 60 00 00 00 00 00 00 00 00 00 30 c0 8a 00 01
+00 01 00 00 1c 20 00 04 c7 06 00 1e c0 8a 00 1c
+00 01 00 00 1c 20 00 10 20 01 05 00 00 71 00 00
+00 00 00 00 00 00 00 30 c0 52 00 01 00 01 00 00
+1c 20 00 04 95 14 40 03 c0 52 00 1c 00 01 00 00
+1c 20 00 10 20 01 04 f8 00 00 00 02 00 00 00 00
+00 00 00 19 00 00 29 10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dnstap/response.recursive b/lib/dns/tests/testdata/dnstap/response.recursive
new file mode 100644
index 0000000..6e3a3cf
--- /dev/null
+++ b/lib/dns/tests/testdata/dnstap/response.recursive
@@ -0,0 +1,19 @@
+# recursive response, www.isc.org/A
+bf 08 81 a0 00 01 00 01 00 04 00 07 03 77 77 77
+03 69 73 63 03 6f 72 67 00 00 01 00 01 c0 0c 00
+01 00 01 00 00 00 15 00 04 95 14 40 45 c0 10 00
+02 00 01 00 00 1b a6 00 0e 04 73 66 62 61 06 73
+6e 73 2d 70 62 c0 10 c0 10 00 02 00 01 00 00 1b
+a6 00 06 03 6f 72 64 c0 3e c0 10 00 02 00 01 00
+00 1b a6 00 19 02 6e 73 03 69 73 63 0b 61 66 69
+6c 69 61 73 2d 6e 73 74 04 69 6e 66 6f 00 c0 10
+00 02 00 01 00 00 1b a6 00 06 03 61 6d 73 c0 3e
+c0 8a 00 01 00 01 00 00 b1 d5 00 04 c7 06 01 1e
+c0 8a 00 1c 00 01 00 00 b1 d5 00 10 20 01 05 00
+00 60 00 00 00 00 00 00 00 00 00 30 c0 53 00 01
+00 01 00 00 b1 d5 00 04 c7 06 00 1e c0 53 00 1c
+00 01 00 00 b1 d5 00 10 20 01 05 00 00 71 00 00
+00 00 00 00 00 00 00 30 c0 39 00 01 00 01 00 00
+b1 d5 00 04 95 14 40 03 c0 39 00 1c 00 01 00 00
+b1 d5 00 10 20 01 04 f8 00 00 00 02 00 00 00 00
+00 00 00 19 00 00 29 10 00 00 00 00 00 00 00
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+00002.key b/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
new file mode 100644
index 0000000..a8b4b4d
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
@@ -0,0 +1 @@
+test. IN DNSKEY 49152 2 1
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+54622.key b/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
new file mode 100644
index 0000000..b0277e3
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
@@ -0,0 +1 @@
+test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+54622.private b/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
new file mode 100644
index 0000000..c97ac30
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 1 (RSA)
+Modulus: 0I8EqWlc8SIEQqYlKKM1EChodqF/DSBSgzr7cSvrZ+d+jmYNnETik5YBhB1ySvWB31v+p80FC01aW+tz/kkDJowgonW/CGMoSLYsUc7VXiU=
+PublicExponent: Aw==
+PrivateExponent: iwoDG5uTS2wC1xluGxd4tXBFpGuqCMA3AidSS3Kc7++ptEQJEtiXC9kfCJMvZhGfQLaujft2OgrmkcuDVtPIbQWEENhyJhb4Lk82kFXbfus=
+Prime1: /rSKuzcZY7R5cY2YWD4CiBNyj9WJMq1wWmBnb9+5M08nTl5E9NW5qQ==
+Prime2: 0Z5shXQYd16E2Gs6e5WxtO0Oqlly2KkSqXohwTQWDWTb8Pw0WTZmHQ==
+Exponent1: qc2x0iS7l82mS7O65X6sWrehtTkGIcj1kZWaSpUmIjTE3umDTePRGw==
+Exponent2: i77zA6K6+j8DOvIm/Q52eJ4JxuZMkHC3G6bBK3gOs5iSoKgi5iREEw==
+Coefficient: 3+wYZB0SJad7z2EsjzgbSlg6CawoaOvrROGSbwSiW5DCsMFROudOTw==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+23616.key b/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
new file mode 100644
index 0000000..958d585
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
@@ -0,0 +1 @@
+test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+23616.private b/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
new file mode 100644
index 0000000..5781c9d
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
@@ -0,0 +1,7 @@
+Private-key-format: v1.2
+Algorithm: 3 (DSA)
+Prime(p): 73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mQ==
+Subprime(q): 2nX/+WoOUR9Nq9wUj5zK501+ATM=
+Base(g): sQaXrPC973CrnPsihNjn8niXtcsIp+2D/Aa+vNdCGCAiRG8SHebKHF36i4gtyl+9Mi2FaVMqIfn21ImmaCaJIw==
+Private_value(x): Nky4tvIwg6xlcyeHXr4k2DEZg0E=
+Public_value(y): ExO5w2Gn9dIlUVjegzEqa4Ho4h9Of36ZsmQLeOLcgIeJtcF0ubuLWptT1wyWCaM5+xH0PHtsHiL9cgvrejx0sQ==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+49667.key b/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
new file mode 100644
index 0000000..fb73f57
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
@@ -0,0 +1 @@
+test. IN DNSKEY 49152 2 3
diff --git a/lib/dns/tests/testdata/dst/test1.data b/lib/dns/tests/testdata/dst/test1.data
new file mode 100644
index 0000000..b1a9bf5
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.data
@@ -0,0 +1,3077 @@
+Network Working Group                                     P. Mockapetris
+Request for Comments: 1035                                           ISI
+                                                           November 1987
+Obsoletes: RFCs 882, 883, 973
+
+            DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+
+
+1. STATUS OF THIS MEMO
+
+This RFC describes the details of the domain system and protocol, and
+assumes that the reader is familiar with the concepts discussed in a
+companion RFC, "Domain Names - Concepts and Facilities" [RFC-1034].
+
+The domain system is a mixture of functions and data types which are an
+official protocol and functions and data types which are still
+experimental.  Since the domain system is intentionally extensible, new
+data types and experimental behavior should always be expected in parts
+of the system beyond the official protocol.  The official protocol parts
+include standard queries, responses and the Internet class RR data
+formats (e.g., host addresses).  Since the previous RFC set, several
+definitions have changed, so some previous definitions are obsolete.
+
+Experimental or obsolete features are clearly marked in these RFCs, and
+such information should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical.  Distribution of this memo is unlimited.
+
+                           Table of Contents
+
+  1. STATUS OF THIS MEMO                                              1
+  2. INTRODUCTION                                                     3
+      2.1. Overview                                                   3
+      2.2. Common configurations                                      4
+      2.3. Conventions                                                7
+          2.3.1. Preferred name syntax                                7
+          2.3.2. Data Transmission Order                              8
+          2.3.3. Character Case                                       9
+          2.3.4. Size limits                                         10
+  3. DOMAIN NAME SPACE AND RR DEFINITIONS                            10
+      3.1. Name space definitions                                    10
+      3.2. RR definitions                                            11
+          3.2.1. Format                                              11
+          3.2.2. TYPE values                                         12
+          3.2.3. QTYPE values                                        12
+          3.2.4. CLASS values                                        13
+
+
+
+Mockapetris                                                     [Page 1]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          3.2.5. QCLASS values                                       13
+      3.3. Standard RRs                                              13
+          3.3.1. CNAME RDATA format                                  14
+          3.3.2. HINFO RDATA format                                  14
+          3.3.3. MB RDATA format (EXPERIMENTAL)                      14
+          3.3.4. MD RDATA format (Obsolete)                          15
+          3.3.5. MF RDATA format (Obsolete)                          15
+          3.3.6. MG RDATA format (EXPERIMENTAL)                      16
+          3.3.7. MINFO RDATA format (EXPERIMENTAL)                   16
+          3.3.8. MR RDATA format (EXPERIMENTAL)                      17
+          3.3.9. MX RDATA format                                     17
+          3.3.10. NULL RDATA format (EXPERIMENTAL)                   17
+          3.3.11. NS RDATA format                                    18
+          3.3.12. PTR RDATA format                                   18
+          3.3.13. SOA RDATA format                                   19
+          3.3.14. TXT RDATA format                                   20
+      3.4. ARPA Internet specific RRs                                20
+          3.4.1. A RDATA format                                      20
+          3.4.2. WKS RDATA format                                    21
+      3.5. IN-ADDR.ARPA domain                                       22
+      3.6. Defining new types, classes, and special namespaces       24
+  4. MESSAGES                                                        25
+      4.1. Format                                                    25
+          4.1.1. Header section format                               26
+          4.1.2. Question section format                             28
+          4.1.3. Resource record format                              29
+          4.1.4. Message compression                                 30
+      4.2. Transport                                                 32
+          4.2.1. UDP usage                                           32
+          4.2.2. TCP usage                                           32
+  5. MASTER FILES                                                    33
+      5.1. Format                                                    33
+      5.2. Use of master files to define zones                       35
+      5.3. Master file example                                       36
+  6. NAME SERVER IMPLEMENTATION                                      37
+      6.1. Architecture                                              37
+          6.1.1. Control                                             37
+          6.1.2. Database                                            37
+          6.1.3. Time                                                39
+      6.2. Standard query processing                                 39
+      6.3. Zone refresh and reload processing                        39
+      6.4. Inverse queries (Optional)                                40
+          6.4.1. The contents of inverse queries and responses       40
+          6.4.2. Inverse query and response example                  41
+          6.4.3. Inverse query processing                            42
+
+
+
+
+
+
+Mockapetris                                                     [Page 2]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+      6.5. Completion queries and responses                          42
+  7. RESOLVER IMPLEMENTATION                                         43
+      7.1. Transforming a user request into a query                  43
+      7.2. Sending the queries                                       44
+      7.3. Processing responses                                      46
+      7.4. Using the cache                                           47
+  8. MAIL SUPPORT                                                    47
+      8.1. Mail exchange binding                                     48
+      8.2. Mailbox binding (Experimental)                            48
+  9. REFERENCES and BIBLIOGRAPHY                                     50
+  Index                                                              54
+
+2. INTRODUCTION
+
+2.1. Overview
+
+The goal of domain names is to provide a mechanism for naming resources
+in such a way that the names are usable in different hosts, networks,
+protocol families, internets, and administrative organizations.
+
+From the user's point of view, domain names are useful as arguments to a
+local agent, called a resolver, which retrieves information associated
+with the domain name.  Thus a user might ask for the host address or
+mail information associated with a particular domain name.  To enable
+the user to request a particular type of information, an appropriate
+query type is passed to the resolver with the domain name.  To the user,
+the domain tree is a single information space; the resolver is
+responsible for hiding the distribution of data among name servers from
+the user.
+
+From the resolver's point of view, the database that makes up the domain
+space is distributed among various name servers.  Different parts of the
+domain space are stored in different name servers, although a particular
+data item will be stored redundantly in two or more name servers.  The
+resolver starts with knowledge of at least one name server.  When the
+resolver processes a user query it asks a known name server for the
+information; in return, the resolver either receives the desired
+information or a referral to another name server.  Using these
+referrals, resolvers learn the identities and contents of other name
+servers.  Resolvers are responsible for dealing with the distribution of
+the domain space and dealing with the effects of name server failure by
+consulting redundant databases in other servers.
+
+Name servers manage two kinds of data.  The first kind of data held in
+sets called zones; each zone is the complete database for a particular
+"pruned" subtree of the domain space.  This data is called
+authoritative.  A name server periodically checks to make sure that its
+zones are up to date, and if not, obtains a new copy of updated zones
+
+
+
+Mockapetris                                                     [Page 3]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+from master files stored locally or in another name server.  The second
+kind of data is cached data which was acquired by a local resolver.
+This data may be incomplete, but improves the performance of the
+retrieval process when non-local data is repeatedly accessed.  Cached
+data is eventually discarded by a timeout mechanism.
+
+This functional structure isolates the problems of user interface,
+failure recovery, and distribution in the resolvers and isolates the
+database update and refresh problems in the name servers.
+
+2.2. Common configurations
+
+A host can participate in the domain name system in a number of ways,
+depending on whether the host runs programs that retrieve information
+from the domain system, name servers that answer queries from other
+hosts, or various combinations of both functions.  The simplest, and
+perhaps most typical, configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  cache   |         |
+                              +----------+         |
+
+User programs interact with the domain name space through resolvers; the
+format of user queries and user responses is specific to the host and
+its operating system.  User queries will typically be operating system
+calls, and the resolver and its cache will be part of the host operating
+system.  Less capable hosts may choose to implement the resolver as a
+subroutine to be linked in with every program that needs its services.
+Resolvers answer user queries with information they acquire via queries
+to foreign name servers and the local cache.
+
+Note that the resolver may have to make several queries to several
+different foreign name servers to answer a particular user query, and
+hence the resolution of a user query may involve several network
+accesses and an arbitrary amount of time.  The queries to foreign name
+servers and the corresponding responses have a standard format described
+
+
+
+Mockapetris                                                     [Page 4]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in this memo, and may be datagrams.
+
+Depending on its capabilities, a name server could be a stand alone
+program on a dedicated machine or a process or processes on a large
+timeshared host.  A simple configuration might be:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+
+Here a primary name server acquires information about one or more zones
+by reading master files from its local file system, and answers queries
+about those zones that arrive from foreign resolvers.
+
+The DNS requires that all zones be redundantly supported by more than
+one name server.  Designated secondary servers can acquire zones and
+check for updates from the primary server using the zone transfer
+protocol of the DNS.  This configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+In this configuration, the name server periodically establishes a
+virtual circuit to a foreign name server to acquire a copy of a zone or
+to check that an existing copy has not changed.  The messages sent for
+
+
+
+Mockapetris                                                     [Page 5]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+these maintenance activities follow the same form as queries and
+responses, but the message sequences are somewhat different.
+
+The information flow in a host that supports all aspects of the domain
+name system is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  Shared  |         |
+                              | database |         |
+                              +----------+         |
+                                A     |            |
+      +---------+     refreshes |     | references |
+     /         /|               |     V            |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+The shared database holds domain space data for the local name server
+and resolver.  The contents of the shared database will typically be a
+mixture of authoritative data maintained by the periodic refresh
+operations of the name server and cached data from previous resolver
+requests.  The structure of the domain data and the necessity for
+synchronization between name servers and resolvers imply the general
+characteristics of this database, but the actual format is up to the
+local implementor.
+
+
+
+
+Mockapetris                                                     [Page 6]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Information flow can also be tailored so that a group of hosts act
+together to optimize activities.  Sometimes this is done to offload less
+capable hosts so that they do not have to implement a full resolver.
+This can be appropriate for PCs or hosts which want to minimize the
+amount of new network code which is required.  This scheme can also
+allow a group of hosts can share a small number of caches rather than
+maintaining a large number of separate caches, on the premise that the
+centralized caches will have a higher hit ratio.  In either case,
+resolvers are replaced with stub resolvers which act as front ends to
+resolvers located in a recursive server in one or more name servers
+known to perform that service:
+
+                   Local Hosts                     |  Foreign
+                                                   |
+    +---------+                                    |
+    |         | responses                          |
+    | Stub    |<--------------------+              |
+    | Resolver|                     |              |
+    |         |----------------+    |              |
+    +---------+ recursive      |    |              |
+                queries        |    |              |
+                               V    |              |
+    +---------+ recursive     +----------+         |  +--------+
+    |         | queries       |          |queries  |  |        |
+    | Stub    |-------------->| Recursive|---------|->|Foreign |
+    | Resolver|               | Server   |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    +---------+ responses     |          |responses|  |        |
+                              +----------+         |  +--------+
+                              |  Central |         |
+                              |   cache  |         |
+                              +----------+         |
+
+In any case, note that domain components are always replicated for
+reliability whenever possible.
+
+2.3. Conventions
+
+The domain system has several conventions dealing with low-level, but
+fundamental, issues.  While the implementor is free to violate these
+conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
+ALL behavior observed from other hosts.
+
+2.3.1. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+for constructing domain names.  The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+
+
+
+Mockapetris                                                     [Page 7]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822.  When creating a new host name,
+the old rules for HOSTS.TXT should be followed.  This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case.  That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names.  They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen.  There are also some
+restrictions on the length.  Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+2.3.2. Data Transmission Order
+
+The order of transmission of the header and data described in this
+document is resolved to the octet level.  Whenever a diagram shows a
+
+
+
+Mockapetris                                                     [Page 8]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+group of octets, the order of transmission of those octets is the normal
+order in which they are read in English.  For example, in the following
+diagram, the octets are transmitted in the order they are numbered.
+
+     0                   1
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       1       |       2       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       3       |       4       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       5       |       6       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Whenever an octet represents a numeric quantity, the left most bit in
+the diagram is the high order or most significant bit.  That is, the bit
+labeled 0 is the most significant bit.  For example, the following
+diagram represents the value 170 (decimal).
+
+     0 1 2 3 4 5 6 7
+    +-+-+-+-+-+-+-+-+
+    |1 0 1 0 1 0 1 0|
+    +-+-+-+-+-+-+-+-+
+
+Similarly, whenever a multi-octet field represents a numeric quantity
+the left most bit of the whole field is the most significant bit.  When
+a multi-octet quantity is transmitted the most significant octet is
+transmitted first.
+
+2.3.3. Character Case
+
+For all parts of the DNS that are part of the official protocol, all
+comparisons between character strings (e.g., labels, domain names, etc.)
+are done in a case-insensitive manner.  At present, this rule is in
+force throughout the domain system without exception.  However, future
+additions beyond current usage may need to use the full binary octet
+capabilities in names, so attempts to store domain names in 7-bit ASCII
+or use of special bytes to terminate labels, etc., should be avoided.
+
+When data enters the domain system, its original case should be
+preserved whenever possible.  In certain circumstances this cannot be
+done.  For example, if two RRs are stored in a database, one at x.y and
+one at X.Y, they are actually stored at the same place in the database,
+and hence only one casing would be preserved.  The basic rule is that
+case can be discarded only when data is used to define structure in a
+database, and two names are identical when compared in a case
+insensitive manner.
+
+
+
+
+Mockapetris                                                     [Page 9]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Loss of case sensitive data must be minimized.  Thus while data for x.y
+and X.Y may both be stored under a single location x.y or X.Y, data for
+a.x and B.X would never be stored under A.x, A.X, b.x, or b.X.  In
+general, this preserves the case of the first label of a domain name,
+but forces standardization of interior node labels.
+
+Systems administrators who enter data into the domain database should
+take care to represent the data they supply to the domain system in a
+case-consistent manner if their system is case-sensitive.  The data
+distribution system in the domain system will ensure that consistent
+representations are preserved.
+
+2.3.4. Size limits
+
+Various objects and parameters in the DNS have size limits.  They are
+listed below.  Some could be easily changed, others are more
+fundamental.
+
+labels          63 octets or less
+
+names           255 octets or less
+
+TTL             positive values of a signed 32 bit number.
+
+UDP messages    512 octets or less
+
+3. DOMAIN NAME SPACE AND RR DEFINITIONS
+
+3.1. Name space definitions
+
+Domain names in messages are expressed in terms of a sequence of labels.
+Each label is represented as a one octet length field followed by that
+number of octets.  Since every domain name ends with the null label of
+the root, a domain name is terminated by a length byte of zero.  The
+high order two bits of every length octet must be zero, and the
+remaining six bits of the length field limit the label to 63 octets or
+less.
+
+To simplify implementations, the total length of a domain name (i.e.,
+label octets and label length octets) is restricted to 255 octets or
+less.
+
+Although labels can contain any 8 bit values in octets that make up a
+label, it is strongly recommended that labels follow the preferred
+syntax described elsewhere in this memo, which is compatible with
+existing host naming conventions.  Name servers and resolvers must
+compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
+with zero parity.  Non-alphabetic codes must match exactly.
+
+
+
+Mockapetris                                                    [Page 10]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.2. RR definitions
+
+3.2.1. Format
+
+All RRs have the same top level format shown below:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+where:
+
+NAME            an owner name, i.e., the name of the node to which this
+                resource record pertains.
+
+TYPE            two octets containing one of the RR TYPE codes.
+
+CLASS           two octets containing one of the RR CLASS codes.
+
+TTL             a 32 bit signed integer that specifies the time interval
+                that the resource record may be cached before the source
+                of the information should again be consulted.  Zero
+                values are interpreted to mean that the RR can only be
+                used for the transaction in progress, and should not be
+                cached.  For example, SOA records are always distributed
+                with a zero TTL to prohibit caching.  Zero values can
+                also be used for extremely volatile data.
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+
+
+Mockapetris                                                    [Page 11]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+
+3.2.2. TYPE values
+
+TYPE fields are used in resource records.  Note that these types are a
+subset of QTYPEs.
+
+TYPE            value and meaning
+
+A               1 a host address
+
+NS              2 an authoritative name server
+
+MD              3 a mail destination (Obsolete - use MX)
+
+MF              4 a mail forwarder (Obsolete - use MX)
+
+CNAME           5 the canonical name for an alias
+
+SOA             6 marks the start of a zone of authority
+
+MB              7 a mailbox domain name (EXPERIMENTAL)
+
+MG              8 a mail group member (EXPERIMENTAL)
+
+MR              9 a mail rename domain name (EXPERIMENTAL)
+
+NULL            10 a null RR (EXPERIMENTAL)
+
+WKS             11 a well known service description
+
+PTR             12 a domain name pointer
+
+HINFO           13 host information
+
+MINFO           14 mailbox or mail list information
+
+MX              15 mail exchange
+
+TXT             16 text strings
+
+3.2.3. QTYPE values
+
+QTYPE fields appear in the question part of a query.  QTYPES are a
+superset of TYPEs, hence all TYPEs are valid QTYPEs.  In addition, the
+following QTYPEs are defined:
+
+
+
+Mockapetris                                                    [Page 12]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+AXFR            252 A request for a transfer of an entire zone
+
+MAILB           253 A request for mailbox-related records (MB, MG or MR)
+
+MAILA           254 A request for mail agent RRs (Obsolete - see MX)
+
+*               255 A request for all records
+
+3.2.4. CLASS values
+
+CLASS fields appear in resource records.  The following CLASS mnemonics
+and values are defined:
+
+IN              1 the Internet
+
+CS              2 the CSNET class (Obsolete - used only for examples in
+                some obsolete RFCs)
+
+CH              3 the CHAOS class
+
+HS              4 Hesiod [Dyer 87]
+
+3.2.5. QCLASS values
+
+QCLASS fields appear in the question section of a query.  QCLASS values
+are a superset of CLASS values; every CLASS is a valid QCLASS.  In
+addition to CLASS values, the following QCLASSes are defined:
+
+*               255 any class
+
+3.3. Standard RRs
+
+The following RR definitions are expected to occur, at least
+potentially, in all classes.  In particular, NS, SOA, CNAME, and PTR
+will be used in all classes, and have the same format in all classes.
+Because their RDATA format is known, all domain names in the RDATA
+section of these RRs may be compressed.
+
+<domain-name> is a domain name represented as a series of labels, and
+terminated by a label with zero length.  <character-string> is a single
+length octet followed by that number of characters.  <character-string>
+is treated as binary information, and can be up to 256 characters in
+length (including the length octet).
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 13]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.1. CNAME RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     CNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CNAME           A <domain-name> which specifies the canonical or primary
+                name for the owner.  The owner name is an alias.
+
+CNAME RRs cause no additional section processing, but name servers may
+choose to restart the query at the canonical name in certain cases.  See
+the description of name server logic in [RFC-1034] for details.
+
+3.3.2. HINFO RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                      CPU                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                       OS                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CPU             A <character-string> which specifies the CPU type.
+
+OS              A <character-string> which specifies the operating
+                system type.
+
+Standard values for CPU and OS can be found in [RFC-1010].
+
+HINFO records are used to acquire general information about a host.  The
+main use is for protocols such as FTP that can use special procedures
+when talking between machines or operating systems of the same type.
+
+3.3.3. MB RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has the
+                specified mailbox.
+
+
+
+Mockapetris                                                    [Page 14]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MB records cause additional section processing which looks up an A type
+RRs corresponding to MADNAME.
+
+3.3.4. MD RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which should be able to deliver
+                mail for the domain.
+
+MD records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MD is obsolete.  See the definition of MX and [RFC-974] for details of
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 0.
+
+3.3.5. MF RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which will accept mail for
+                forwarding to the domain.
+
+MF records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MF is obsolete.  See the definition of MX and [RFC-974] for details ofw
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 10.
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 15]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.6. MG RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MGMNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MGMNAME         A <domain-name> which specifies a mailbox which is a
+                member of the mail group specified by the domain name.
+
+MG records cause no additional section processing.
+
+3.3.7. MINFO RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    RMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    EMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+RMAILBX         A <domain-name> which specifies a mailbox which is
+                responsible for the mailing list or mailbox.  If this
+                domain name names the root, the owner of the MINFO RR is
+                responsible for itself.  Note that many existing mailing
+                lists use a mailbox X-request for the RMAILBX field of
+                mailing list X, e.g., Msgroup-request for Msgroup.  This
+                field provides a more general mechanism.
+
+
+EMAILBX         A <domain-name> which specifies a mailbox which is to
+                receive error messages related to the mailing list or
+                mailbox specified by the owner of the MINFO RR (similar
+                to the ERRORS-TO: field which has been proposed).  If
+                this domain name names the root, errors should be
+                returned to the sender of the message.
+
+MINFO records cause no additional section processing.  Although these
+records can be associated with a simple mailbox, they are usually used
+with a mailing list.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 16]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.8. MR RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NEWNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NEWNAME         A <domain-name> which specifies a mailbox which is the
+                proper rename of the specified mailbox.
+
+MR records cause no additional section processing.  The main use for MR
+is as a forwarding entry for a user who has moved to a different
+mailbox.
+
+3.3.9. MX RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                  PREFERENCE                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   EXCHANGE                    /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PREFERENCE      A 16 bit integer which specifies the preference given to
+                this RR among others at the same owner.  Lower values
+                are preferred.
+
+EXCHANGE        A <domain-name> which specifies a host willing to act as
+                a mail exchange for the owner name.
+
+MX records cause type A additional section processing for the host
+specified by EXCHANGE.  The use of MX RRs is explained in detail in
+[RFC-974].
+
+3.3.10. NULL RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                  <anything>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Anything at all may be in the RDATA field so long as it is 65535 octets
+or less.
+
+
+
+
+Mockapetris                                                    [Page 17]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+NULL records cause no additional section processing.  NULL RRs are not
+allowed in master files.  NULLs are used as placeholders in some
+experimental extensions of the DNS.
+
+3.3.11. NS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NSDNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NSDNAME         A <domain-name> which specifies a host which should be
+                authoritative for the specified class and domain.
+
+NS records cause both the usual additional section processing to locate
+a type A record, and, when used in a referral, a special search of the
+zone in which they reside for glue information.
+
+The NS RR states that the named host should be expected to have a zone
+starting at owner name of the specified class.  Note that the class may
+not indicate the protocol family which should be used to communicate
+with the host, although it is typically a strong hint.  For example,
+hosts which are name servers for either Internet (IN) or Hesiod (HS)
+class information are normally queried using IN class protocols.
+
+3.3.12. PTR RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   PTRDNAME                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PTRDNAME        A <domain-name> which points to some location in the
+                domain name space.
+
+PTR records cause no additional section processing.  These RRs are used
+in special domains to point to some other location in the domain space.
+These records are simple data, and don't imply any special processing
+similar to that performed by CNAME, which identifies aliases.  See the
+description of the IN-ADDR.ARPA domain for an example.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 18]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.13. SOA RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     MNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     RNAME                     /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    SERIAL                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    REFRESH                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     RETRY                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    EXPIRE                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    MINIMUM                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MNAME           The <domain-name> of the name server that was the
+                original or primary source of data for this zone.
+
+RNAME           A <domain-name> which specifies the mailbox of the
+                person responsible for this zone.
+
+SERIAL          The unsigned 32 bit version number of the original copy
+                of the zone.  Zone transfers preserve this value.  This
+                value wraps and should be compared using sequence space
+                arithmetic.
+
+REFRESH         A 32 bit time interval before the zone should be
+                refreshed.
+
+RETRY           A 32 bit time interval that should elapse before a
+                failed refresh should be retried.
+
+EXPIRE          A 32 bit time value that specifies the upper limit on
+                the time interval that can elapse before the zone is no
+                longer authoritative.
+
+
+
+
+
+Mockapetris                                                    [Page 19]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MINIMUM         The unsigned 32 bit minimum TTL field that should be
+                exported with any RR from this zone.
+
+SOA records cause no additional section processing.
+
+All times are in units of seconds.
+
+Most of these fields are pertinent only for name server maintenance
+operations.  However, MINIMUM is used in all query operations that
+retrieve RRs from a zone.  Whenever a RR is sent in a response to a
+query, the TTL field is set to the maximum of the TTL field from the RR
+and the MINIMUM field in the appropriate SOA.  Thus MINIMUM is a lower
+bound on the TTL field for all RRs in a zone.  Note that this use of
+MINIMUM should occur when the RRs are copied into the response and not
+when the zone is loaded from a master file or via a zone transfer.  The
+reason for this provison is to allow future dynamic update facilities to
+change the SOA RR with known semantics.
+
+
+3.3.14. TXT RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   TXT-DATA                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+TXT-DATA        One or more <character-string>s.
+
+TXT RRs are used to hold descriptive text.  The semantics of the text
+depends on the domain where it is found.
+
+3.4. Internet specific RRs
+
+3.4.1. A RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         A 32 bit Internet address.
+
+Hosts that have multiple Internet addresses will have multiple A
+records.
+
+
+
+
+
+Mockapetris                                                    [Page 20]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+A records cause no additional section processing.  The RDATA section of
+an A line in a master file is an Internet address expressed as four
+decimal numbers separated by dots without any imbedded spaces (e.g.,
+"10.2.0.52" or "192.0.5.6").
+
+3.4.2. WKS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |       PROTOCOL        |                       |
+    +--+--+--+--+--+--+--+--+                       |
+    |                                               |
+    /                   <BIT MAP>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         An 32 bit Internet address
+
+PROTOCOL        An 8 bit IP protocol number
+
+<BIT MAP>       A variable length bit map.  The bit map must be a
+                multiple of 8 bits long.
+
+The WKS record is used to describe the well known services supported by
+a particular protocol on a particular internet address.  The PROTOCOL
+field specifies an IP protocol number, and the bit map has one bit per
+port of the specified protocol.  The first bit corresponds to port 0,
+the second to port 1, etc.  If the bit map does not include a bit for a
+protocol of interest, that bit is assumed zero.  The appropriate values
+and mnemonics for ports and protocols are specified in [RFC-1010].
+
+For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+port 25; if zero, SMTP service is not supported on the specified
+address.
+
+The purpose of WKS RRs is to provide availability information for
+servers for TCP and UDP.  If a server supports both TCP and UDP, or has
+multiple Internet addresses, then multiple WKS RRs are used.
+
+WKS RRs cause no additional section processing.
+
+In master files, both ports and protocols are expressed using mnemonics
+or decimal numbers.
+
+
+
+
+Mockapetris                                                    [Page 21]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.5. IN-ADDR.ARPA domain
+
+The Internet uses a special domain to support gateway location and
+Internet address to host mapping.  Other classes may employ a similar
+strategy in other domains.  The intent of this domain is to provide a
+guaranteed method to perform host address to host name mapping, and to
+facilitate queries to locate all gateways on a particular network in the
+Internet.
+
+Note that both of these services are similar to functions that could be
+performed by inverse queries; the difference is that this part of the
+domain name space is structured according to address, and hence can
+guarantee that the appropriate data can be located without an exhaustive
+search of the domain space.
+
+The domain begins at IN-ADDR.ARPA and has a substructure which follows
+the Internet addressing structure.
+
+Domain names in the IN-ADDR.ARPA domain are defined to have up to four
+labels in addition to the IN-ADDR.ARPA suffix.  Each label represents
+one octet of an Internet address, and is expressed as a character string
+for a decimal value in the range 0-255 (with leading zeros omitted
+except in the case of a zero octet which is represented by a single
+zero).
+
+Host addresses are represented by domain names that have all four labels
+specified.  Thus data for Internet address 10.2.0.52 is located at
+domain name 52.0.2.10.IN-ADDR.ARPA.  The reversal, though awkward to
+read, allows zones to be delegated which are exactly one network of
+address space.  For example, 10.IN-ADDR.ARPA can be a zone containing
+data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
+MILNET.  Address nodes are used to hold pointers to primary host names
+in the normal domain space.
+
+Network numbers correspond to some non-terminal nodes at various depths
+in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
+2, or 3 octets.  Network nodes are used to hold pointers to the primary
+host names of gateways attached to that network.  Since a gateway is, by
+definition, on more than one network, it will typically have two or more
+network nodes which point at it.  Gateways will also have host level
+pointers at their fully qualified addresses.
+
+Both the gateway pointers at network nodes and the normal host pointers
+at full address nodes use the PTR RR to point back to the primary domain
+names of the corresponding hosts.
+
+For example, the IN-ADDR.ARPA domain will contain information about the
+ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
+
+
+
+Mockapetris                                                    [Page 22]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU.  Assuming that ISI
+gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
+GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
+and a name GW.LCS.MIT.EDU, the domain database would contain:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    18.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    26.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    22.0.2.10.IN-ADDR.ARPA.    PTR MILNET-GW.ISI.EDU.
+    103.0.0.26.IN-ADDR.ARPA.   PTR MILNET-GW.ISI.EDU.
+    77.0.0.10.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    4.0.10.18.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    103.0.3.26.IN-ADDR.ARPA.   PTR A.ISI.EDU.
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Thus a program which wanted to locate gateways on net 10 would originate
+a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA.  It
+would receive two RRs in response:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+
+The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
+GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
+these gateways.
+
+A resolver which wanted to find the host name corresponding to Internet
+host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
+QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
+
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Several cautions apply to the use of these services:
+   - Since the IN-ADDR.ARPA special domain and the normal domain
+     for a particular host or gateway will be in different zones,
+     the possibility exists that that the data may be inconsistent.
+
+   - Gateways will often have two names in separate domains, only
+     one of which can be primary.
+
+   - Systems that use the domain database to initialize their
+     routing tables must start with enough gateway information to
+     guarantee that they can access the appropriate name server.
+
+   - The gateway data only reflects the existence of a gateway in a
+     manner equivalent to the current HOSTS.TXT file.  It doesn't
+     replace the dynamic availability information from GGP or EGP.
+
+
+
+Mockapetris                                                    [Page 23]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.6. Defining new types, classes, and special namespaces
+
+The previously defined types and classes are the ones in use as of the
+date of this memo.  New definitions should be expected.  This section
+makes some recommendations to designers considering additions to the
+existing facilities.  The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
+forum where general discussion of design issues takes place.
+
+In general, a new type is appropriate when new information is to be
+added to the database about an existing object, or we need new data
+formats for some totally new object.  Designers should attempt to define
+types and their RDATA formats that are generally applicable to all
+classes, and which avoid duplication of information.  New classes are
+appropriate when the DNS is to be used for a new protocol, etc which
+requires new class-specific data formats, or when a copy of the existing
+name space is desired, but a separate management domain is necessary.
+
+New types and classes need mnemonics for master files; the format of the
+master files requires that the mnemonics for type and class be disjoint.
+
+TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
+respectively.
+
+The present system uses multiple RRs to represent multiple values of a
+type rather than storing multiple values in the RDATA section of a
+single RR.  This is less efficient for most applications, but does keep
+RRs shorter.  The multiple RRs assumption is incorporated in some
+experimental work on dynamic update methods.
+
+The present system attempts to minimize the duplication of data in the
+database in order to insure consistency.  Thus, in order to find the
+address of the host for a mail exchange, you map the mail domain name to
+a host name, then the host name to addresses, rather than a direct
+mapping to host address.  This approach is preferred because it avoids
+the opportunity for inconsistency.
+
+In defining a new type of data, multiple RR types should not be used to
+create an ordering between entries or express different formats for
+equivalent bindings, instead this information should be carried in the
+body of the RR and a single type used.  This policy avoids problems with
+caching multiple types and defining QTYPEs to match multiple types.
+
+For example, the original form of mail exchange binding used two RR
+types one to represent a "closer" exchange (MD) and one to represent a
+"less close" exchange (MF).  The difficulty is that the presence of one
+RR type in a cache doesn't convey any information about the other
+because the query which acquired the cached information might have used
+a QTYPE of MF, MD, or MAILA (which matched both).  The redesigned
+
+
+
+Mockapetris                                                    [Page 24]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+service used a single type (MX) with a "preference" value in the RDATA
+section which can order different RRs.  However, if any MX RRs are found
+in the cache, then all should be there.
+
+4. MESSAGES
+
+4.1. Format
+
+All communications inside of the domain protocol are carried in a single
+format called a message.  The top level format of message is divided
+into 5 sections (some of which are empty in certain cases) shown below:
+
+    +---------------------+
+    |        Header       |
+    +---------------------+
+    |       Question      | the question for the name server
+    +---------------------+
+    |        Answer       | RRs answering the question
+    +---------------------+
+    |      Authority      | RRs pointing toward an authority
+    +---------------------+
+    |      Additional     | RRs holding additional information
+    +---------------------+
+
+The header section is always present.  The header includes fields that
+specify which of the remaining sections are present, and also specify
+whether the message is a query or a response, a standard query or some
+other opcode, etc.
+
+The names of the sections after the header are derived from their use in
+standard queries.  The question section contains fields that describe a
+question to a name server.  These fields are a query type (QTYPE), a
+query class (QCLASS), and a query domain name (QNAME).  The last three
+sections have the same format: a possibly empty list of concatenated
+resource records (RRs).  The answer section contains RRs that answer the
+question; the authority section contains RRs that point toward an
+authoritative name server; the additional records section contains RRs
+which relate to the query, but are not strictly answers for the
+question.
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 25]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+4.1.1. Header section format
+
+The header contains the following fields:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      ID                       |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    QDCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ANCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    NSCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ARCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID              A 16 bit identifier assigned by the program that
+                generates any kind of query.  This identifier is copied
+                the corresponding reply and can be used by the requester
+                to match up replies to outstanding queries.
+
+QR              A one bit field that specifies whether this message is a
+                query (0), or a response (1).
+
+OPCODE          A four bit field that specifies kind of query in this
+                message.  This value is set by the originator of a query
+                and copied into the response.  The values are:
+
+                0               a standard query (QUERY)
+
+                1               an inverse query (IQUERY)
+
+                2               a server status request (STATUS)
+
+                3-15            reserved for future use
+
+AA              Authoritative Answer - this bit is valid in responses,
+                and specifies that the responding name server is an
+                authority for the domain name in question section.
+
+                Note that the contents of the answer section may have
+                multiple owner names because of aliases.  The AA bit
+
+
+
+Mockapetris                                                    [Page 26]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                corresponds to the name which matches the query name, or
+                the first owner name in the answer section.
+
+TC              TrunCation - specifies that this message was truncated
+                due to length greater than that permitted on the
+                transmission channel.
+
+RD              Recursion Desired - this bit may be set in a query and
+                is copied into the response.  If RD is set, it directs
+                the name server to pursue the query recursively.
+                Recursive query support is optional.
+
+RA              Recursion Available - this be is set or cleared in a
+                response, and denotes whether recursive query support is
+                available in the name server.
+
+Z               Reserved for future use.  Must be zero in all queries
+                and responses.
+
+RCODE           Response code - this 4 bit field is set as part of
+                responses.  The values have the following
+                interpretation:
+
+                0               No error condition
+
+                1               Format error - The name server was
+                                unable to interpret the query.
+
+                2               Server failure - The name server was
+                                unable to process this query due to a
+                                problem with the name server.
+
+                3               Name Error - Meaningful only for
+                                responses from an authoritative name
+                                server, this code signifies that the
+                                domain name referenced in the query does
+                                not exist.
+
+                4               Not Implemented - The name server does
+                                not support the requested kind of query.
+
+                5               Refused - The name server refuses to
+                                perform the specified operation for
+                                policy reasons.  For example, a name
+                                server may not wish to provide the
+                                information to the particular requester,
+                                or a name server may not wish to perform
+                                a particular operation (e.g., zone
+
+
+
+Mockapetris                                                    [Page 27]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                                transfer) for particular data.
+
+                6-15            Reserved for future use.
+
+QDCOUNT         an unsigned 16 bit integer specifying the number of
+                entries in the question section.
+
+ANCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the answer section.
+
+NSCOUNT         an unsigned 16 bit integer specifying the number of name
+                server resource records in the authority records
+                section.
+
+ARCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the additional records section.
+
+4.1.2. Question section format
+
+The question section is used to carry the "question" in most queries,
+i.e., the parameters that define what is being asked.  The section
+contains QDCOUNT (usually 1) entries, each of the following format:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                     QNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QTYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QCLASS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+QNAME           a domain name represented as a sequence of labels, where
+                each label consists of a length octet followed by that
+                number of octets.  The domain name terminates with the
+                zero length octet for the null label of the root.  Note
+                that this field may be an odd number of octets; no
+                padding is used.
+
+QTYPE           a two octet code which specifies the type of the query.
+                The values for this field include all codes valid for a
+                TYPE field, together with some more general codes which
+                can match more than one type of RR.
+
+
+
+Mockapetris                                                    [Page 28]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+QCLASS          a two octet code that specifies the class of the query.
+                For example, the QCLASS field is IN for the Internet.
+
+4.1.3. Resource record format
+
+The answer, authority, and additional sections all share the same
+format: a variable number of resource records, where the number of
+records is specified in the corresponding count field in the header.
+Each resource record has the following format:
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NAME            a domain name to which this resource record pertains.
+
+TYPE            two octets containing one of the RR type codes.  This
+                field specifies the meaning of the data in the RDATA
+                field.
+
+CLASS           two octets which specify the class of the data in the
+                RDATA field.
+
+TTL             a 32 bit unsigned integer that specifies the time
+                interval (in seconds) that the resource record may be
+                cached before it should be discarded.  Zero values are
+                interpreted to mean that the RR can only be used for the
+                transaction in progress, and should not be cached.
+
+
+
+
+
+Mockapetris                                                    [Page 29]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+                For example, the if the TYPE is A and the CLASS is IN,
+                the RDATA field is a 4 octet ARPA Internet address.
+
+4.1.4. Message compression
+
+In order to reduce the size of messages, the domain system utilizes a
+compression scheme which eliminates the repetition of domain names in a
+message.  In this scheme, an entire domain name or a list of labels at
+the end of a domain name is replaced with a pointer to a prior occurance
+of the same name.
+
+The pointer takes the form of a two octet sequence:
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    | 1  1|                OFFSET                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The first two bits are ones.  This allows a pointer to be distinguished
+from a label, since the label must begin with two zero bits because
+labels are restricted to 63 octets or less.  (The 10 and 01 combinations
+are reserved for future use.)  The OFFSET field specifies an offset from
+the start of the message (i.e., the first octet of the ID field in the
+domain header).  A zero offset specifies the first byte of the ID field,
+etc.
+
+The compression scheme allows a domain name in a message to be
+represented as either:
+
+   - a sequence of labels ending in a zero octet
+
+   - a pointer
+
+   - a sequence of labels ending with a pointer
+
+Pointers can only be used for occurances of a domain name where the
+format is not class specific.  If this were not the case, a name server
+or resolver would be required to know the format of all RRs it handled.
+As yet, there are no such cases, but they may occur in future RDATA
+formats.
+
+If a domain name is contained in a part of the message subject to a
+length field (such as the RDATA section of an RR), and compression is
+
+
+
+Mockapetris                                                    [Page 30]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+used, the length of the compressed name is used in the length
+calculation, rather than the length of the expanded name.
+
+Programs are free to avoid using pointers in messages they generate,
+although this will reduce datagram capacity, and may cause truncation.
+However all programs are required to understand arriving messages that
+contain pointers.
+
+For example, a datagram might need to use the domain names F.ISI.ARPA,
+FOO.F.ISI.ARPA, ARPA, and the root.  Ignoring the other fields of the
+message, these domain names might be represented as:
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    20 |           1           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    22 |           3           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    24 |           S           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    26 |           4           |           A           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    28 |           R           |           P           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    30 |           A           |           0           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    40 |           3           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    42 |           O           |           O           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    44 | 1  1|                20                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    64 | 1  1|                26                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    92 |           0           |                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The domain name for F.ISI.ARPA is shown at offset 20.  The domain name
+FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
+concatenate a label for FOO to the previously defined F.ISI.ARPA.  The
+domain name ARPA is defined at offset 64 using a pointer to the ARPA
+component of the name F.ISI.ARPA at 20; note that this pointer relies on
+ARPA being the last label in the string at 20.  The root domain name is
+
+
+
+Mockapetris                                                    [Page 31]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+defined by a single octet of zeros at 92; the root domain name has no
+labels.
+
+4.2. Transport
+
+The DNS assumes that messages will be transmitted as datagrams or in a
+byte stream carried by a virtual circuit.  While virtual circuits can be
+used for any DNS activity, datagrams are preferred for queries due to
+their lower overhead and better performance.  Zone refresh activities
+must use virtual circuits because of the need for reliable transfer.
+
+The Internet supports name server access using TCP [RFC-793] on server
+port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
+port 53 (decimal).
+
+4.2.1. UDP usage
+
+Messages sent using UDP user server port 53 (decimal).
+
+Messages carried by UDP are restricted to 512 bytes (not counting the IP
+or UDP headers).  Longer messages are truncated and the TC bit is set in
+the header.
+
+UDP is not acceptable for zone transfers, but is the recommended method
+for standard queries in the Internet.  Queries sent using UDP may be
+lost, and hence a retransmission strategy is required.  Queries or their
+responses may be reordered by the network, or by processing in name
+servers, so resolvers should not depend on them being returned in order.
+
+The optimal UDP retransmission policy will vary with performance of the
+Internet and the needs of the client, but the following are recommended:
+
+   - The client should try other servers and server addresses
+     before repeating a query to a specific address of a server.
+
+   - The retransmission interval should be based on prior
+     statistics if possible.  Too aggressive retransmission can
+     easily slow responses for the community at large.  Depending
+     on how well connected the client is to its expected servers,
+     the minimum retransmission interval should be 2-5 seconds.
+
+More suggestions on server selection and retransmission policy can be
+found in the resolver section of this memo.
+
+4.2.2. TCP usage
+
+Messages sent over TCP connections use server port 53 (decimal).  The
+message is prefixed with a two byte length field which gives the message
+
+
+
+Mockapetris                                                    [Page 32]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+length, excluding the two byte length field.  This length field allows
+the low-level processing to assemble a complete message before beginning
+to parse it.
+
+Several connection management policies are recommended:
+
+   - The server should not block other activities waiting for TCP
+     data.
+
+   - The server should support multiple connections.
+
+   - The server should assume that the client will initiate
+     connection closing, and should delay closing its end of the
+     connection until all outstanding client requests have been
+     satisfied.
+
+   - If the server needs to close a dormant connection to reclaim
+     resources, it should wait until the connection has been idle
+     for a period on the order of two minutes.  In particular, the
+     server should allow the SOA and AXFR request sequence (which
+     begins a refresh operation) to be made on a single connection.
+     Since the server would be unable to answer queries anyway, a
+     unilateral close or reset may be used instead of a graceful
+     close.
+
+5. MASTER FILES
+
+Master files are text files that contain RRs in text form.  Since the
+contents of a zone can be expressed in the form of a list of RRs a
+master file is most often used to define a zone, though it can be used
+to list a cache's contents.  Hence, this section first discusses the
+format of RRs in a master file, and then the special considerations when
+a master file is used to create a zone in some name server.
+
+5.1. Format
+
+The format of these files is a sequence of entries.  Entries are
+predominantly line-oriented, though parentheses can be used to continue
+a list of items across a line boundary, and text literals can contain
+CRLF within the text.  Any combination of tabs and spaces act as a
+delimiter between the separate items that make up an entry.  The end of
+any line in the master file can end with a comment.  The comment starts
+with a ";" (semicolon).
+
+The following entries are defined:
+
+    <blank>[<comment>]
+
+
+
+
+Mockapetris                                                    [Page 33]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+    $ORIGIN <domain-name> [<comment>]
+
+    $INCLUDE <file-name> [<domain-name>] [<comment>]
+
+    <domain-name><rr> [<comment>]
+
+    <blank><rr> [<comment>]
+
+Blank lines, with or without comments, are allowed anywhere in the file.
+
+Two control entries are defined: $ORIGIN and $INCLUDE.  $ORIGIN is
+followed by a domain name, and resets the current origin for relative
+domain names to the stated name.  $INCLUDE inserts the named file into
+the current file, and may optionally specify a domain name that sets the
+relative domain name origin for the included file.  $INCLUDE may also
+have a comment.  Note that a $INCLUDE entry never changes the relative
+origin of the parent file, regardless of changes to the relative origin
+made within the included file.
+
+The last two forms represent RRs.  If an entry for an RR begins with a
+blank, then the RR is assumed to be owned by the last stated owner.  If
+an RR entry begins with a <domain-name>, then the owner name is reset.
+
+<rr> contents take one of the following forms:
+
+    [<TTL>] [<class>] <type> <RDATA>
+
+    [<class>] [<TTL>] <type> <RDATA>
+
+The RR begins with optional TTL and class fields, followed by a type and
+RDATA field appropriate to the type and class.  Class and type use the
+standard mnemonics, TTL is a decimal integer.  Omitted class and TTL
+values are default to the last explicitly stated values.  Since type and
+class mnemonics are disjoint, the parse is unique.  (Note that this
+order is different from the order used in examples and the order used in
+the actual RRs; the given order allows easier parsing and defaulting.)
+
+<domain-name>s make up a large share of the data in the master file.
+The labels in the domain name are expressed as character strings and
+separated by dots.  Quoting conventions allow arbitrary characters to be
+stored in domain names.  Domain names that end in a dot are called
+absolute, and are taken as complete.  Domain names which do not end in a
+dot are called relative; the actual domain name is the concatenation of
+the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
+an argument to the master file loading routine.  A relative name is an
+error when no origin is available.
+
+
+
+
+
+Mockapetris                                                    [Page 34]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+<character-string> is expressed in one or two ways: as a contiguous set
+of characters without interior spaces, or as a string beginning with a "
+and ending with a ".  Inside a " delimited string any character can
+occur, except for a " itself, which must be quoted using \ (back slash).
+
+Because these files are text files several special encodings are
+necessary to allow arbitrary data to be loaded.  In particular:
+
+                of the root.
+
+@               A free standing @ is used to denote the current origin.
+
+\X              where X is any character other than a digit (0-9), is
+                used to quote that character so that its special meaning
+                does not apply.  For example, "\." can be used to place
+                a dot character in a label.
+
+\DDD            where each D is a digit is the octet corresponding to
+                the decimal number described by DDD.  The resulting
+                octet is assumed to be text and is not checked for
+                special meaning.
+
+( )             Parentheses are used to group data that crosses a line
+                boundary.  In effect, line terminations are not
+                recognized within parentheses.
+
+;               Semicolon is used to start a comment; the remainder of
+                the line is ignored.
+
+5.2. Use of master files to define zones
+
+When a master file is used to load a zone, the operation should be
+suppressed if any errors are encountered in the master file.  The
+rationale for this is that a single error can have widespread
+consequences.  For example, suppose that the RRs defining a delegation
+have syntax errors; then the server will return authoritative name
+errors for all names in the subzone (except in the case where the
+subzone is also present on the server).
+
+Several other validity checks that should be performed in addition to
+insuring that the file is syntactically correct:
+
+   1. All RRs in the file should have the same class.
+
+   2. Exactly one SOA RR should be present at the top of the zone.
+
+   3. If delegations are present and glue information is required,
+      it should be present.
+
+
+
+Mockapetris                                                    [Page 35]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   4. Information present outside of the authoritative nodes in the
+      zone should be glue information, rather than the result of an
+      origin or similar error.
+
+5.3. Master file example
+
+The following is an example file which might be used to define the
+ISI.EDU zone.and is loaded with an origin of ISI.EDU:
+
+@   IN  SOA     VENERA      Action\.domains (
+                                 20     ; SERIAL
+                                 7200   ; REFRESH
+                                 600    ; RETRY
+                                 3600000; EXPIRE
+                                 60)    ; MINIMUM
+
+        NS      A.ISI.EDU.
+        NS      VENERA
+        NS      VAXA
+        MX      10      VENERA
+        MX      20      VAXA
+
+A       A       26.3.0.103
+
+VENERA  A       10.1.0.52
+        A       128.9.0.32
+
+VAXA    A       10.2.0.27
+        A       128.9.0.33
+
+
+$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
+
+Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
+
+    MOE     MB      A.ISI.EDU.
+    LARRY   MB      A.ISI.EDU.
+    CURLEY  MB      A.ISI.EDU.
+    STOOGES MG      MOE
+            MG      LARRY
+            MG      CURLEY
+
+Note the use of the \ character in the SOA RR to specify the responsible
+person mailbox "Action.domains@E.ISI.EDU".
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 36]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+6. NAME SERVER IMPLEMENTATION
+
+6.1. Architecture
+
+The optimal structure for the name server will depend on the host
+operating system and whether the name server is integrated with resolver
+operations, either by supporting recursive service, or by sharing its
+database with a resolver.  This section discusses implementation
+considerations for a name server which shares a database with a
+resolver, but most of these concerns are present in any name server.
+
+6.1.1. Control
+
+A name server must employ multiple concurrent activities, whether they
+are implemented as separate tasks in the host's OS or multiplexing
+inside a single name server program.  It is simply not acceptable for a
+name server to block the service of UDP requests while it waits for TCP
+data for refreshing or query activities.  Similarly, a name server
+should not attempt to provide recursive service without processing such
+requests in parallel, though it may choose to serialize requests from a
+single client, or to regard identical requests from the same client as
+duplicates.  A name server should not substantially delay requests while
+it reloads a zone from master files or while it incorporates a newly
+refreshed zone into its database.
+
+6.1.2. Database
+
+While name server implementations are free to use any internal data
+structures they choose, the suggested structure consists of three major
+parts:
+
+   - A "catalog" data structure which lists the zones available to
+     this server, and a "pointer" to the zone data structure.  The
+     main purpose of this structure is to find the nearest ancestor
+     zone, if any, for arriving standard queries.
+
+   - Separate data structures for each of the zones held by the
+     name server.
+
+   - A data structure for cached data. (or perhaps separate caches
+     for different classes)
+
+All of these data structures can be implemented an identical tree
+structure format, with different data chained off the nodes in different
+parts: in the catalog the data is pointers to zones, while in the zone
+and cache data structures, the data will be RRs.  In designing the tree
+framework the designer should recognize that query processing will need
+to traverse the tree using case-insensitive label comparisons; and that
+
+
+
+Mockapetris                                                    [Page 37]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in real data, a few nodes have a very high branching factor (100-1000 or
+more), but the vast majority have a very low branching factor (0-1).
+
+One way to solve the case problem is to store the labels for each node
+in two pieces: a standardized-case representation of the label where all
+ASCII characters are in a single case, together with a bit mask that
+denotes which characters are actually of a different case.  The
+branching factor diversity can be handled using a simple linked list for
+a node until the branching factor exceeds some threshold, and
+transitioning to a hash structure after the threshold is exceeded.  In
+any case, hash structures used to store tree sections must insure that
+hash functions and procedures preserve the casing conventions of the
+DNS.
+
+The use of separate structures for the different parts of the database
+is motivated by several factors:
+
+   - The catalog structure can be an almost static structure that
+     need change only when the system administrator changes the
+     zones supported by the server.  This structure can also be
+     used to store parameters used to control refreshing
+     activities.
+
+   - The individual data structures for zones allow a zone to be
+     replaced simply by changing a pointer in the catalog.  Zone
+     refresh operations can build a new structure and, when
+     complete, splice it into the database via a simple pointer
+     replacement.  It is very important that when a zone is
+     refreshed, queries should not use old and new data
+     simultaneously.
+
+   - With the proper search procedures, authoritative data in zones
+     will always "hide", and hence take precedence over, cached
+     data.
+
+   - Errors in zone definitions that cause overlapping zones, etc.,
+     may cause erroneous responses to queries, but problem
+     determination is simplified, and the contents of one "bad"
+     zone can't corrupt another.
+
+   - Since the cache is most frequently updated, it is most
+     vulnerable to corruption during system restarts.  It can also
+     become full of expired RR data.  In either case, it can easily
+     be discarded without disturbing zone data.
+
+A major aspect of database design is selecting a structure which allows
+the name server to deal with crashes of the name server's host.  State
+information which a name server should save across system crashes
+
+
+
+Mockapetris                                                    [Page 38]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+includes the catalog structure (including the state of refreshing for
+each zone) and the zone data itself.
+
+6.1.3. Time
+
+Both the TTL data for RRs and the timing data for refreshing activities
+depends on 32 bit timers in units of seconds.  Inside the database,
+refresh timers and TTLs for cached data conceptually "count down", while
+data in the zone stays with constant TTLs.
+
+A recommended implementation strategy is to store time in two ways:  as
+a relative increment and as an absolute time.  One way to do this is to
+use positive 32 bit numbers for one type and negative numbers for the
+other.  The RRs in zones use relative times; the refresh timers and
+cache data use absolute times.  Absolute numbers are taken with respect
+to some known origin and converted to relative values when placed in the
+response to a query.  When an absolute TTL is negative after conversion
+to relative, then the data is expired and should be ignored.
+
+6.2. Standard query processing
+
+The major algorithm for standard query processing is presented in
+[RFC-1034].
+
+When processing queries with QCLASS=*, or some other QCLASS which
+matches multiple classes, the response should never be authoritative
+unless the server can guarantee that the response covers all classes.
+
+When composing a response, RRs which are to be inserted in the
+additional section, but duplicate RRs in the answer or authority
+sections, may be omitted from the additional section.
+
+When a response is so long that truncation is required, the truncation
+should start at the end of the response and work forward in the
+datagram.  Thus if there is any data for the authority section, the
+answer section is guaranteed to be unique.
+
+The MINIMUM value in the SOA should be used to set a floor on the TTL of
+data distributed from a zone.  This floor function should be done when
+the data is copied into a response.  This will allow future dynamic
+update protocols to change the SOA MINIMUM field without ambiguous
+semantics.
+
+6.3. Zone refresh and reload processing
+
+In spite of a server's best efforts, it may be unable to load zone data
+from a master file due to syntax errors, etc., or be unable to refresh a
+zone within the its expiration parameter.  In this case, the name server
+
+
+
+Mockapetris                                                    [Page 39]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+should answer queries as if it were not supposed to possess the zone.
+
+If a master is sending a zone out via AXFR, and a new version is created
+during the transfer, the master should continue to send the old version
+if possible.  In any case, it should never send part of one version and
+part of another.  If completion is not possible, the master should reset
+the connection on which the zone transfer is taking place.
+
+6.4. Inverse queries (Optional)
+
+Inverse queries are an optional part of the DNS.  Name servers are not
+required to support any form of inverse queries.  If a name server
+receives an inverse query that it does not support, it returns an error
+response with the "Not Implemented" error set in the header.  While
+inverse query support is optional, all name servers must be at least
+able to return the error response.
+
+6.4.1. The contents of inverse queries and responses          Inverse
+queries reverse the mappings performed by standard query operations;
+while a standard query maps a domain name to a resource, an inverse
+query maps a resource to a domain name.  For example, a standard query
+might bind a domain name to a host address; the corresponding inverse
+query binds the host address to a domain name.
+
+Inverse queries take the form of a single RR in the answer section of
+the message, with an empty question section.  The owner name of the
+query RR and its TTL are not significant.  The response carries
+questions in the question section which identify all names possessing
+the query RR WHICH THE NAME SERVER KNOWS.  Since no name server knows
+about all of the domain name space, the response can never be assumed to
+be complete.  Thus inverse queries are primarily useful for database
+management and debugging activities.  Inverse queries are NOT an
+acceptable method of mapping host addresses to host names; use the IN-
+ADDR.ARPA domain instead.
+
+Where possible, name servers should provide case-insensitive comparisons
+for inverse queries.  Thus an inverse query asking for an MX RR of
+"Venera.isi.edu" should get the same response as a query for
+"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
+produce the same result as an inverse query for "IBM-pc unix".  However,
+this cannot be guaranteed because name servers may possess RRs that
+contain character strings but the name server does not know that the
+data is character.
+
+When a name server processes an inverse query, it either returns:
+
+   1. zero, one, or multiple domain names for the specified
+      resource as QNAMEs in the question section
+
+
+
+Mockapetris                                                    [Page 40]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   2. an error code indicating that the name server doesn't support
+      inverse mapping of the specified resource type.
+
+When the response to an inverse query contains one or more QNAMEs, the
+owner name and TTL of the RR in the answer section which defines the
+inverse query is modified to exactly match an RR found at the first
+QNAME.
+
+RRs returned in the inverse queries cannot be cached using the same
+mechanism as is used for the replies to standard queries.  One reason
+for this is that a name might have multiple RRs of the same type, and
+only one would appear.  For example, an inverse query for a single
+address of a multiply homed host might create the impression that only
+one address existed.
+
+6.4.2. Inverse query and response example          The overall structure
+of an inverse query for retrieving the domain name that corresponds to
+Internet address 10.1.0.52 is shown below:
+
+                         +-----------------------------------------+
+           Header        |          OPCODE=IQUERY, ID=997          |
+                         +-----------------------------------------+
+          Question       |                 <empty>                 |
+                         +-----------------------------------------+
+           Answer        |        <anyname> A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+This query asks for a question whose answer is the Internet style
+address 10.1.0.52.  Since the owner name is not known, any domain name
+can be used as a placeholder (and is ignored).  A single octet of zero,
+signifying the root, is usually used because it minimizes the length of
+the message.  The TTL of the RR is not significant.  The response to
+this query might be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 41]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                         +-----------------------------------------+
+           Header        |         OPCODE=RESPONSE, ID=997         |
+                         +-----------------------------------------+
+          Question       |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
+                         +-----------------------------------------+
+           Answer        |  VENERA.ISI.EDU  A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+Note that the QTYPE in a response to an inverse query is the same as the
+TYPE field in the answer section of the inverse query.  Responses to
+inverse queries may contain multiple questions when the inverse is not
+unique.  If the question section in the response is not empty, then the
+RR in the answer section is modified to correspond to be an exact copy
+of an RR at the first QNAME.
+
+6.4.3. Inverse query processing
+
+Name servers that support inverse queries can support these operations
+through exhaustive searches of their databases, but this becomes
+impractical as the size of the database increases.  An alternative
+approach is to invert the database according to the search key.
+
+For name servers that support multiple zones and a large amount of data,
+the recommended approach is separate inversions for each zone.  When a
+particular zone is changed during a refresh, only its inversions need to
+be redone.
+
+Support for transfer of this type of inversion may be included in future
+versions of the domain system, but is not supported in this version.
+
+6.5. Completion queries and responses
+
+The optional completion services described in RFC-882 and RFC-883 have
+been deleted.  Redesigned services may become available in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 42]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7. RESOLVER IMPLEMENTATION
+
+The top levels of the recommended resolver algorithm are discussed in
+[RFC-1034].  This section discusses implementation details assuming the
+database structure suggested in the name server implementation section
+of this memo.
+
+7.1. Transforming a user request into a query
+
+The first step a resolver takes is to transform the client's request,
+stated in a format suitable to the local OS, into a search specification
+for RRs at a specific name which match a specific QTYPE and QCLASS.
+Where possible, the QTYPE and QCLASS should correspond to a single type
+and a single class, because this makes the use of cached data much
+simpler.  The reason for this is that the presence of data of one type
+in a cache doesn't confirm the existence or non-existence of data of
+other types, hence the only way to be sure is to consult an
+authoritative source.  If QCLASS=* is used, then authoritative answers
+won't be available.
+
+Since a resolver must be able to multiplex multiple requests if it is to
+perform its function efficiently, each pending request is usually
+represented in some block of state information.  This state block will
+typically contain:
+
+   - A timestamp indicating the time the request began.
+     The timestamp is used to decide whether RRs in the database
+     can be used or are out of date.  This timestamp uses the
+     absolute time format previously discussed for RR storage in
+     zones and caches.  Note that when an RRs TTL indicates a
+     relative time, the RR must be timely, since it is part of a
+     zone.  When the RR has an absolute time, it is part of a
+     cache, and the TTL of the RR is compared against the timestamp
+     for the start of the request.
+
+     Note that using the timestamp is superior to using a current
+     time, since it allows RRs with TTLs of zero to be entered in
+     the cache in the usual manner, but still used by the current
+     request, even after intervals of many seconds due to system
+     load, query retransmission timeouts, etc.
+
+   - Some sort of parameters to limit the amount of work which will
+     be performed for this request.
+
+     The amount of work which a resolver will do in response to a
+     client request must be limited to guard against errors in the
+     database, such as circular CNAME references, and operational
+     problems, such as network partition which prevents the
+
+
+
+Mockapetris                                                    [Page 43]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+     resolver from accessing the name servers it needs.  While
+     local limits on the number of times a resolver will retransmit
+     a particular query to a particular name server address are
+     essential, the resolver should have a global per-request
+     counter to limit work on a single request.  The counter should
+     be set to some initial value and decremented whenever the
+     resolver performs any action (retransmission timeout,
+     retransmission, etc.)  If the counter passes zero, the request
+     is terminated with a temporary error.
+
+     Note that if the resolver structure allows one request to
+     start others in parallel, such as when the need to access a
+     name server for one request causes a parallel resolve for the
+     name server's addresses, the spawned request should be started
+     with a lower counter.  This prevents circular references in
+     the database from starting a chain reaction of resolver
+     activity.
+
+   - The SLIST data structure discussed in [RFC-1034].
+
+     This structure keeps track of the state of a request if it
+     must wait for answers from foreign name servers.
+
+7.2. Sending the queries
+
+As described in [RFC-1034], the basic task of the resolver is to
+formulate a query which will answer the client's request and direct that
+query to name servers which can provide the information.  The resolver
+will usually only have very strong hints about which servers to ask, in
+the form of NS RRs, and may have to revise the query, in response to
+CNAMEs, or revise the set of name servers the resolver is asking, in
+response to delegation responses which point the resolver to name
+servers closer to the desired information.  In addition to the
+information requested by the client, the resolver may have to call upon
+its own services to determine the address of name servers it wishes to
+contact.
+
+In any case, the model used in this memo assumes that the resolver is
+multiplexing attention between multiple requests, some from the client,
+and some internally generated.  Each request is represented by some
+state information, and the desired behavior is that the resolver
+transmit queries to name servers in a way that maximizes the probability
+that the request is answered, minimizes the time that the request takes,
+and avoids excessive transmissions.  The key algorithm uses the state
+information of the request to select the next name server address to
+query, and also computes a timeout which will cause the next action
+should a response not arrive.  The next action will usually be a
+transmission to some other server, but may be a temporary error to the
+
+
+
+Mockapetris                                                    [Page 44]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+client.
+
+The resolver always starts with a list of server names to query (SLIST).
+This list will be all NS RRs which correspond to the nearest ancestor
+zone that the resolver knows about.  To avoid startup problems, the
+resolver should have a set of default servers which it will ask should
+it have no current NS RRs which are appropriate.  The resolver then adds
+to SLIST all of the known addresses for the name servers, and may start
+parallel requests to acquire the addresses of the servers when the
+resolver has the name, but no addresses, for the name servers.
+
+To complete initialization of SLIST, the resolver attaches whatever
+history information it has to the each address in SLIST.  This will
+usually consist of some sort of weighted averages for the response time
+of the address, and the batting average of the address (i.e., how often
+the address responded at all to the request).  Note that this
+information should be kept on a per address basis, rather than on a per
+name server basis, because the response time and batting average of a
+particular server may vary considerably from address to address.  Note
+also that this information is actually specific to a resolver address /
+server address pair, so a resolver with multiple addresses may wish to
+keep separate histories for each of its addresses.  Part of this step
+must deal with addresses which have no such history; in this case an
+expected round trip time of 5-10 seconds should be the worst case, with
+lower estimates for the same local network, etc.
+
+Note that whenever a delegation is followed, the resolver algorithm
+reinitializes SLIST.
+
+The information establishes a partial ranking of the available name
+server addresses.  Each time an address is chosen and the state should
+be altered to prevent its selection again until all other addresses have
+been tried.  The timeout for each transmission should be 50-100% greater
+than the average predicted value to allow for variance in response.
+
+Some fine points:
+
+   - The resolver may encounter a situation where no addresses are
+     available for any of the name servers named in SLIST, and
+     where the servers in the list are precisely those which would
+     normally be used to look up their own addresses.  This
+     situation typically occurs when the glue address RRs have a
+     smaller TTL than the NS RRs marking delegation, or when the
+     resolver caches the result of a NS search.  The resolver
+     should detect this condition and restart the search at the
+     next ancestor zone, or alternatively at the root.
+
+
+
+
+
+Mockapetris                                                    [Page 45]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   - If a resolver gets a server error or other bizarre response
+     from a name server, it should remove it from SLIST, and may
+     wish to schedule an immediate transmission to the next
+     candidate server address.
+
+7.3. Processing responses
+
+The first step in processing arriving response datagrams is to parse the
+response.  This procedure should include:
+
+   - Check the header for reasonableness.  Discard datagrams which
+     are queries when responses are expected.
+
+   - Parse the sections of the message, and insure that all RRs are
+     correctly formatted.
+
+   - As an optional step, check the TTLs of arriving data looking
+     for RRs with excessively long TTLs.  If a RR has an
+     excessively long TTL, say greater than 1 week, either discard
+     the whole response, or limit all TTLs in the response to 1
+     week.
+
+The next step is to match the response to a current resolver request.
+The recommended strategy is to do a preliminary matching using the ID
+field in the domain header, and then to verify that the question section
+corresponds to the information currently desired.  This requires that
+the transmission algorithm devote several bits of the domain ID field to
+a request identifier of some sort.  This step has several fine points:
+
+   - Some name servers send their responses from different
+     addresses than the one used to receive the query.  That is, a
+     resolver cannot rely that a response will come from the same
+     address which it sent the corresponding query to.  This name
+     server bug is typically encountered in UNIX systems.
+
+   - If the resolver retransmits a particular request to a name
+     server it should be able to use a response from any of the
+     transmissions.  However, if it is using the response to sample
+     the round trip time to access the name server, it must be able
+     to determine which transmission matches the response (and keep
+     transmission times for each outgoing message), or only
+     calculate round trip times based on initial transmissions.
+
+   - A name server will occasionally not have a current copy of a
+     zone which it should have according to some NS RRs.  The
+     resolver should simply remove the name server from the current
+     SLIST, and continue.
+
+
+
+
+Mockapetris                                                    [Page 46]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7.4. Using the cache
+
+In general, we expect a resolver to cache all data which it receives in
+responses since it may be useful in answering future client requests.
+However, there are several types of data which should not be cached:
+
+   - When several RRs of the same type are available for a
+     particular owner name, the resolver should either cache them
+     all or none at all.  When a response is truncated, and a
+     resolver doesn't know whether it has a complete set, it should
+     not cache a possibly partial set of RRs.
+
+   - Cached data should never be used in preference to
+     authoritative data, so if caching would cause this to happen
+     the data should not be cached.
+
+   - The results of an inverse query should not be cached.
+
+   - The results of standard queries where the QNAME contains "*"
+     labels if the data might be used to construct wildcards.  The
+     reason is that the cache does not necessarily contain existing
+     RRs or zone boundary information which is necessary to
+     restrict the application of the wildcard RRs.
+
+   - RR data in responses of dubious reliability.  When a resolver
+     receives unsolicited responses or RR data other than that
+     requested, it should discard it without caching it.  The basic
+     implication is that all sanity checks on a packet should be
+     performed before any of it is cached.
+
+In a similar vein, when a resolver has a set of RRs for some name in a
+response, and wants to cache the RRs, it should check its cache for
+already existing RRs.  Depending on the circumstances, either the data
+in the response or the cache is preferred, but the two should never be
+combined.  If the data in the response is from authoritative data in the
+answer section, it is always preferred.
+
+8. MAIL SUPPORT
+
+The domain system defines a standard for mapping mailboxes into domain
+names, and two methods for using the mailbox information to derive mail
+routing information.  The first method is called mail exchange binding
+and the other method is mailbox binding.  The mailbox encoding standard
+and mail exchange binding are part of the DNS official protocol, and are
+the recommended method for mail routing in the Internet.  Mailbox
+binding is an experimental feature which is still under development and
+subject to change.
+
+
+
+
+Mockapetris                                                    [Page 47]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+The mailbox encoding standard assumes a mailbox name of the form
+"<local-part>@<mail-domain>".  While the syntax allowed in each of these
+sections varies substantially between the various mail internets, the
+preferred syntax for the ARPA Internet is given in [RFC-822].
+
+The DNS encodes the <local-part> as a single label, and encodes the
+<mail-domain> as a domain name.  The single label from the <local-part>
+is prefaced to the domain name from <mail-domain> to form the domain
+name corresponding to the mailbox.  Thus the mailbox HOSTMASTER@SRI-
+NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA.  If the
+<local-part> contains dots or other special characters, its
+representation in a master file will require the use of backslash
+quoting to ensure that the domain name is properly encoded.  For
+example, the mailbox Action.domains@ISI.EDU would be represented as
+Action\.domains.ISI.EDU.
+
+8.1. Mail exchange binding
+
+Mail exchange binding uses the <mail-domain> part of a mailbox
+specification to determine where mail should be sent.  The <local-part>
+is not even consulted.  [RFC-974] specifies this method in detail, and
+should be consulted before attempting to use mail exchange support.
+
+One of the advantages of this method is that it decouples mail
+destination naming from the hosts used to support mail service, at the
+cost of another layer of indirection in the lookup function.  However,
+the addition layer should eliminate the need for complicated "%", "!",
+etc encodings in <local-part>.
+
+The essence of the method is that the <mail-domain> is used as a domain
+name to locate type MX RRs which list hosts willing to accept mail for
+<mail-domain>, together with preference values which rank the hosts
+according to an order specified by the administrators for <mail-domain>.
+
+In this memo, the <mail-domain> ISI.EDU is used in examples, together
+with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
+ISI.EDU.  If a mailer had a message for Mockapetris@ISI.EDU, it would
+route it by looking up MX RRs for ISI.EDU.  The MX RRs at ISI.EDU name
+VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
+addresses.
+
+8.2. Mailbox binding (Experimental)
+
+In mailbox binding, the mailer uses the entire mail destination
+specification to construct a domain name.  The encoded domain name for
+the mailbox is used as the QNAME field in a QTYPE=MAILB query.
+
+Several outcomes are possible for this query:
+
+
+
+Mockapetris                                                    [Page 48]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   1. The query can return a name error indicating that the mailbox
+      does not exist as a domain name.
+
+      In the long term, this would indicate that the specified
+      mailbox doesn't exist.  However, until the use of mailbox
+      binding is universal, this error condition should be
+      interpreted to mean that the organization identified by the
+      global part does not support mailbox binding.  The
+      appropriate procedure is to revert to exchange binding at
+      this point.
+
+   2. The query can return a Mail Rename (MR) RR.
+
+      The MR RR carries new mailbox specification in its RDATA
+      field.  The mailer should replace the old mailbox with the
+      new one and retry the operation.
+
+   3. The query can return a MB RR.
+
+      The MB RR carries a domain name for a host in its RDATA
+      field.  The mailer should deliver the message to that host
+      via whatever protocol is applicable, e.g., b,SMTP.
+
+   4. The query can return one or more Mail Group (MG) RRs.
+
+      This condition means that the mailbox was actually a mailing
+      list or mail group, rather than a single mailbox.  Each MG RR
+      has a RDATA field that identifies a mailbox that is a member
+      of the group.  The mailer should deliver a copy of the
+      message to each member.
+
+   5. The query can return a MB RR as well as one or more MG RRs.
+
+      This condition means the the mailbox was actually a mailing
+      list.  The mailer can either deliver the message to the host
+      specified by the MB RR, which will in turn do the delivery to
+      all members, or the mailer can use the MG RRs to do the
+      expansion itself.
+
+In any of these cases, the response may include a Mail Information
+(MINFO) RR.  This RR is usually associated with a mail group, but is
+legal with a MB.  The MINFO RR identifies two mailboxes.  One of these
+identifies a responsible person for the original mailbox name.  This
+mailbox should be used for requests to be added to a mail group, etc.
+The second mailbox name in the MINFO RR identifies a mailbox that should
+receive error messages for mail failures.  This is particularly
+appropriate for mailing lists when errors in member names should be
+reported to a person other than the one who sends a message to the list.
+
+
+
+Mockapetris                                                    [Page 49]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+New fields may be added to this RR in the future.
+
+
+9. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87]       S. Dyer, F. Hsu, "Hesiod", Project Athena
+                Technical Plan - Name Service, April 1987, version 1.9.
+
+                Describes the fundamentals of the Hesiod name service.
+
+[IEN-116]       J. Postel, "Internet Name Server", IEN-116,
+                USC/Information Sciences Institute, August 1979.
+
+                A name service obsoleted by the Domain Name System, but
+                still in use.
+
+[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
+                Communications of the ACM, October 1986, volume 29, number
+                10.
+
+[RFC-742]       K. Harrenstien, "NAME/FINGER", RFC-742, Network
+                Information Center, SRI International, December 1977.
+
+[RFC-768]       J. Postel, "User Datagram Protocol", RFC-768,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-793]       J. Postel, "Transmission Control Protocol", RFC-793,
+                USC/Information Sciences Institute, September 1981.
+
+[RFC-799]       D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+                September 1981.
+
+                Suggests introduction of a hierarchy in place of a flat
+                name space for the Internet.
+
+[RFC-805]       J. Postel, "Computer Mail Meeting Notes", RFC-805,
+                USC/Information Sciences Institute, February 1982.
+
+[RFC-810]       E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+                Internet Host Table Specification", RFC-810, Network
+                Information Center, SRI International, March 1982.
+
+                Obsolete.  See RFC-952.
+
+[RFC-811]       K. Harrenstien, V. White, and E. Feinler, "Hostnames
+                Server", RFC-811, Network Information Center, SRI
+                International, March 1982.
+
+
+
+
+Mockapetris                                                    [Page 50]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Obsolete.  See RFC-953.
+
+[RFC-812]       K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+                Network Information Center, SRI International, March
+                1982.
+
+[RFC-819]       Z. Su, and J. Postel, "The Domain Naming Convention for
+                Internet User Applications", RFC-819, Network
+                Information Center, SRI International, August 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-821]       J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-830]       Z. Su, "A Distributed System for Internet Name Service",
+                RFC-830, Network Information Center, SRI International,
+                October 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-882]       P. Mockapetris, "Domain names - Concepts and
+                Facilities," RFC-882, USC/Information Sciences
+                Institute, November 1983.
+
+                Superceeded by this memo.
+
+[RFC-883]       P. Mockapetris, "Domain names - Implementation and
+                Specification," RFC-883, USC/Information Sciences
+                Institute, November 1983.
+
+                Superceeded by this memo.
+
+[RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
+                RFC-920, USC/Information Sciences Institute,
+                October 1984.
+
+                Explains the naming scheme for top level domains.
+
+[RFC-952]       K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+                Table Specification", RFC-952, SRI, October 1985.
+
+                Specifies the format of HOSTS.TXT, the host/address
+                table replaced by the DNS.
+
+
+
+
+
+Mockapetris                                                    [Page 51]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+[RFC-953]       K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+                RFC-953, SRI, October 1985.
+
+                This RFC contains the official specification of the
+                hostname server protocol, which is obsoleted by the DNS.
+                This TCP based protocol accesses information stored in
+                the RFC-952 format, and is used to obtain copies of the
+                host table.
+
+[RFC-973]       P. Mockapetris, "Domain System Changes and
+                Observations", RFC-973, USC/Information Sciences
+                Institute, January 1986.
+
+                Describes changes to RFC-882 and RFC-883 and reasons for
+                them.
+
+[RFC-974]       C. Partridge, "Mail routing and the domain system",
+                RFC-974, CSNET CIC BBN Labs, January 1986.
+
+                Describes the transition from HOSTS.TXT based mail
+                addressing to the more powerful MX system used with the
+                domain system.
+
+[RFC-1001]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Concepts and Methods",
+                RFC-1001, March 1987.
+
+                This RFC and RFC-1002 are a preliminary design for
+                NETBIOS on top of TCP/IP which proposes to base NetBIOS
+                name service on top of the DNS.
+
+[RFC-1002]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Detailed
+                Specifications", RFC-1002, March 1987.
+
+[RFC-1010]      J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
+                USC/Information Sciences Institute, May 1987.
+
+                Contains socket numbers and mnemonics for host names,
+                operating systems, etc.
+
+[RFC-1031]      W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+                November 1987.
+
+                Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032]      M. Stahl, "Establishing a Domain - Guidelines for
+                Administrators", RFC-1032, November 1987.
+
+
+
+Mockapetris                                                    [Page 52]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Describes the registration policies used by the NIC to
+                administer the top level domains and delegate subzones.
+
+[RFC-1033]      M. Lottor, "Domain Administrators Operations Guide",
+                RFC-1033, November 1987.
+
+                A cookbook for domain administrators.
+
+[Solomon 82]    M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+                Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+                Describes a name service for CSNET which is independent
+                from the DNS and DNS use in the CSNET.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 53]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Index
+
+          *   13
+
+          ;   33, 35
+
+          <character-string>   35
+          <domain-name>   34
+
+          @   35
+
+          \   35
+
+          A   12
+
+          Byte order   8
+
+          CH   13
+          Character case   9
+          CLASS   11
+          CNAME   12
+          Completion   42
+          CS   13
+
+          Hesiod   13
+          HINFO   12
+          HS   13
+
+          IN   13
+          IN-ADDR.ARPA domain   22
+          Inverse queries   40
+
+          Mailbox names   47
+          MB   12
+          MD   12
+          MF   12
+          MG   12
+          MINFO   12
+          MINIMUM   20
+          MR   12
+          MX   12
+
+          NS   12
+          NULL   12
+
+          Port numbers   32
+          Primary server   5
+          PTR   12, 18
+
+
+
+Mockapetris                                                    [Page 54]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          QCLASS   13
+          QTYPE   12
+
+          RDATA   12
+          RDLENGTH  11
+
+          Secondary server   5
+          SOA   12
+          Stub resolvers   7
+
+          TCP   32
+          TXT   12
+          TYPE   11
+
+          UDP   32
+
+          WKS   12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 55]
+
diff --git a/lib/dns/tests/testdata/dst/test1.dsasig b/lib/dns/tests/testdata/dst/test1.dsasig
new file mode 100644
index 0000000..5dd12e1
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.dsasig
@@ -0,0 +1,3 @@
+0009B55FDB62034326278C9371F32D92
+3D0E1161A32D491BEC38546FC452D903
+A91D806345B2F7F22E
diff --git a/lib/dns/tests/testdata/dst/test1.rsasig b/lib/dns/tests/testdata/dst/test1.rsasig
new file mode 100644
index 0000000..5ba62b4
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.rsasig
@@ -0,0 +1,5 @@
+A8A20D2F26F792B3CE76DD0E12A85DFE
+FF66AB866EF0BDB0F515001E234E699B
+F5CD6FB41FB15D4213705ABE9B563896
+2196228648E0F8AA7F2F4EED3C19165C
+1B4C70C9D69B93A1F2BE5B2F948CE023
diff --git a/lib/dns/tests/testdata/dst/test2.data b/lib/dns/tests/testdata/dst/test2.data
new file mode 100644
index 0000000..7b0e35d
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test2.data
@@ -0,0 +1,3077 @@
+Network Working Group                                     P. Mockapetris
+Request for Comments: 1035                                           ISI
+                                                           November 1987
+Obsoletes: RFCs 882, 883, 973
+
+            DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+
+
+1. STATUS OF THIS MEMO
+
+This RFC describes the details of the domain system and protocol, and
+assumes that the reader is familiar with the concepts discussed in a
+companion RFC, "Domain Names - Concepts and Facilities" [RFC-4301].
+
+The domain system is a mixture of functions and data types which are an
+official protocol and functions and data types which are still
+experimental.  Since the domain system is intentionally extensible, new
+data types and experimental behavior should always be expected in parts
+of the system beyond the official protocol.  The official protocol parts
+include standard queries, responses and the Internet class RR data
+formats (e.g., host addresses).  Since the previous RFC set, several
+definitions have changed, so some previous definitions are obsolete.
+
+Experimental or obsolete features are clearly marked in these RFCs, and
+such information should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical.  Distribution of this memo is unlimited.
+
+                           Table of Contents
+
+  1. STATUS OF THIS MEMO                                              1
+  2. INTRODUCTION                                                     3
+      2.1. Overview                                                   3
+      2.2. Common configurations                                      4
+      2.3. Conventions                                                7
+          2.3.1. Preferred name syntax                                7
+          2.3.2. Data Transmission Order                              8
+          2.3.3. Character Case                                       9
+          2.3.4. Size limits                                         10
+  3. DOMAIN NAME SPACE AND RR DEFINITIONS                            10
+      3.1. Name space definitions                                    10
+      3.2. RR definitions                                            11
+          3.2.1. Format                                              11
+          3.2.2. TYPE values                                         12
+          3.2.3. QTYPE values                                        12
+          3.2.4. CLASS values                                        13
+
+
+
+Mockapetris                                                     [Page 1]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          3.2.5. QCLASS values                                       13
+      3.3. Standard RRs                                              13
+          3.3.1. CNAME RDATA format                                  14
+          3.3.2. HINFO RDATA format                                  14
+          3.3.3. MB RDATA format (EXPERIMENTAL)                      14
+          3.3.4. MD RDATA format (Obsolete)                          15
+          3.3.5. MF RDATA format (Obsolete)                          15
+          3.3.6. MG RDATA format (EXPERIMENTAL)                      16
+          3.3.7. MINFO RDATA format (EXPERIMENTAL)                   16
+          3.3.8. MR RDATA format (EXPERIMENTAL)                      17
+          3.3.9. MX RDATA format                                     17
+          3.3.10. NULL RDATA format (EXPERIMENTAL)                   17
+          3.3.11. NS RDATA format                                    18
+          3.3.12. PTR RDATA format                                   18
+          3.3.13. SOA RDATA format                                   19
+          3.3.14. TXT RDATA format                                   20
+      3.4. ARPA Internet specific RRs                                20
+          3.4.1. A RDATA format                                      20
+          3.4.2. WKS RDATA format                                    21
+      3.5. IN-ADDR.ARPA domain                                       22
+      3.6. Defining new types, classes, and special namespaces       24
+  4. MESSAGES                                                        25
+      4.1. Format                                                    25
+          4.1.1. Header section format                               26
+          4.1.2. Question section format                             28
+          4.1.3. Resource record format                              29
+          4.1.4. Message compression                                 30
+      4.2. Transport                                                 32
+          4.2.1. UDP usage                                           32
+          4.2.2. TCP usage                                           32
+  5. MASTER FILES                                                    33
+      5.1. Format                                                    33
+      5.2. Use of master files to define zones                       35
+      5.3. Master file example                                       36
+  6. NAME SERVER IMPLEMENTATION                                      37
+      6.1. Architecture                                              37
+          6.1.1. Control                                             37
+          6.1.2. Database                                            37
+          6.1.3. Time                                                39
+      6.2. Standard query processing                                 39
+      6.3. Zone refresh and reload processing                        39
+      6.4. Inverse queries (Optional)                                40
+          6.4.1. The contents of inverse queries and responses       40
+          6.4.2. Inverse query and response example                  41
+          6.4.3. Inverse query processing                            42
+
+
+
+
+
+
+Mockapetris                                                     [Page 2]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+      6.5. Completion queries and responses                          42
+  7. RESOLVER IMPLEMENTATION                                         43
+      7.1. Transforming a user request into a query                  43
+      7.2. Sending the queries                                       44
+      7.3. Processing responses                                      46
+      7.4. Using the cache                                           47
+  8. MAIL SUPPORT                                                    47
+      8.1. Mail exchange binding                                     48
+      8.2. Mailbox binding (Experimental)                            48
+  9. REFERENCES and BIBLIOGRAPHY                                     50
+  Index                                                              54
+
+2. INTRODUCTION
+
+2.1. Overview
+
+The goal of domain names is to provide a mechanism for naming resources
+in such a way that the names are usable in different hosts, networks,
+protocol families, internets, and administrative organizations.
+
+From the user's point of view, domain names are useful as arguments to a
+local agent, called a resolver, which retrieves information associated
+with the domain name.  Thus a user might ask for the host address or
+mail information associated with a particular domain name.  To enable
+the user to request a particular type of information, an appropriate
+query type is passed to the resolver with the domain name.  To the user,
+the domain tree is a single information space; the resolver is
+responsible for hiding the distribution of data among name servers from
+the user.
+
+From the resolver's point of view, the database that makes up the domain
+space is distributed among various name servers.  Different parts of the
+domain space are stored in different name servers, although a particular
+data item will be stored redundantly in two or more name servers.  The
+resolver starts with knowledge of at least one name server.  When the
+resolver processes a user query it asks a known name server for the
+information; in return, the resolver either receives the desired
+information or a referral to another name server.  Using these
+referrals, resolvers learn the identities and contents of other name
+servers.  Resolvers are responsible for dealing with the distribution of
+the domain space and dealing with the effects of name server failure by
+consulting redundant databases in other servers.
+
+Name servers manage two kinds of data.  The first kind of data held in
+sets called zones; each zone is the complete database for a particular
+"pruned" subtree of the domain space.  This data is called
+authoritative.  A name server periodically checks to make sure that its
+zones are up to date, and if not, obtains a new copy of updated zones
+
+
+
+Mockapetris                                                     [Page 3]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+from master files stored locally or in another name server.  The second
+kind of data is cached data which was acquired by a local resolver.
+This data may be incomplete, but improves the performance of the
+retrieval process when non-local data is repeatedly accessed.  Cached
+data is eventually discarded by a timeout mechanism.
+
+This functional structure isolates the problems of user interface,
+failure recovery, and distribution in the resolvers and isolates the
+database update and refresh problems in the name servers.
+
+2.2. Common configurations
+
+A host can participate in the domain name system in a number of ways,
+depending on whether the host runs programs that retrieve information
+from the domain system, name servers that answer queries from other
+hosts, or various combinations of both functions.  The simplest, and
+perhaps most typical, configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  cache   |         |
+                              +----------+         |
+
+User programs interact with the domain name space through resolvers; the
+format of user queries and user responses is specific to the host and
+its operating system.  User queries will typically be operating system
+calls, and the resolver and its cache will be part of the host operating
+system.  Less capable hosts may choose to implement the resolver as a
+subroutine to be linked in with every program that needs its services.
+Resolvers answer user queries with information they acquire via queries
+to foreign name servers and the local cache.
+
+Note that the resolver may have to make several queries to several
+different foreign name servers to answer a particular user query, and
+hence the resolution of a user query may involve several network
+accesses and an arbitrary amount of time.  The queries to foreign name
+servers and the corresponding responses have a standard format described
+
+
+
+Mockapetris                                                     [Page 4]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in this memo, and may be datagrams.
+
+Depending on its capabilities, a name server could be a stand alone
+program on a dedicated machine or a process or processes on a large
+timeshared host.  A simple configuration might be:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+
+Here a primary name server acquires information about one or more zones
+by reading master files from its local file system, and answers queries
+about those zones that arrive from foreign resolvers.
+
+The DNS requires that all zones be redundantly supported by more than
+one name server.  Designated secondary servers can acquire zones and
+check for updates from the primary server using the zone transfer
+protocol of the DNS.  This configuration is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+      +---------+                                  |
+     /         /|                                  |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+In this configuration, the name server periodically establishes a
+virtual circuit to a foreign name server to acquire a copy of a zone or
+to check that an existing copy has not changed.  The messages sent for
+
+
+
+Mockapetris                                                     [Page 5]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+these maintenance activities follow the same form as queries and
+responses, but the message sequences are somewhat different.
+
+The information flow in a host that supports all aspects of the domain
+name system is shown below:
+
+                 Local Host                        |  Foreign
+                                                   |
+    +---------+               +----------+         |  +--------+
+    |         | user queries  |          |queries  |  |        |
+    |  User   |-------------->|          |---------|->|Foreign |
+    | Program |               | Resolver |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    |         | user responses|          |responses|  |        |
+    +---------+               +----------+         |  +--------+
+                                |     A            |
+                cache additions |     | references |
+                                V     |            |
+                              +----------+         |
+                              |  Shared  |         |
+                              | database |         |
+                              +----------+         |
+                                A     |            |
+      +---------+     refreshes |     | references |
+     /         /|               |     V            |
+    +---------+ |             +----------+         |  +--------+
+    |         | |             |          |responses|  |        |
+    |         | |             |   Name   |---------|->|Foreign |
+    |  Master |-------------->|  Server  |         |  |Resolver|
+    |  files  | |             |          |<--------|--|        |
+    |         |/              |          | queries |  +--------+
+    +---------+               +----------+         |
+                                A     |maintenance |  +--------+
+                                |     +------------|->|        |
+                                |      queries     |  |Foreign |
+                                |                  |  |  Name  |
+                                +------------------|--| Server |
+                             maintenance responses |  +--------+
+
+The shared database holds domain space data for the local name server
+and resolver.  The contents of the shared database will typically be a
+mixture of authoritative data maintained by the periodic refresh
+operations of the name server and cached data from previous resolver
+requests.  The structure of the domain data and the necessity for
+synchronization between name servers and resolvers imply the general
+characteristics of this database, but the actual format is up to the
+local implementor.
+
+
+
+
+Mockapetris                                                     [Page 6]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Information flow can also be tailored so that a group of hosts act
+together to optimize activities.  Sometimes this is done to offload less
+capable hosts so that they do not have to implement a full resolver.
+This can be appropriate for PCs or hosts which want to minimize the
+amount of new network code which is required.  This scheme can also
+allow a group of hosts can share a small number of caches rather than
+maintaining a large number of separate caches, on the premise that the
+centralized caches will have a higher hit ratio.  In either case,
+resolvers are replaced with stub resolvers which act as front ends to
+resolvers located in a recursive server in one or more name servers
+known to perform that service:
+
+                   Local Hosts                     |  Foreign
+                                                   |
+    +---------+                                    |
+    |         | responses                          |
+    | Stub    |<--------------------+              |
+    | Resolver|                     |              |
+    |         |----------------+    |              |
+    +---------+ recursive      |    |              |
+                queries        |    |              |
+                               V    |              |
+    +---------+ recursive     +----------+         |  +--------+
+    |         | queries       |          |queries  |  |        |
+    | Stub    |-------------->| Recursive|---------|->|Foreign |
+    | Resolver|               | Server   |         |  |  Name  |
+    |         |<--------------|          |<--------|--| Server |
+    +---------+ responses     |          |responses|  |        |
+                              +----------+         |  +--------+
+                              |  Central |         |
+                              |   cache  |         |
+                              +----------+         |
+
+In any case, note that domain components are always replicated for
+reliability whenever possible.
+
+2.3. Conventions
+
+The domain system has several conventions dealing with low-level, but
+fundamental, issues.  While the implementor is free to violate these
+conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
+ALL behavior observed from other hosts.
+
+2.3.1. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+for constructing domain names.  The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+
+
+
+Mockapetris                                                     [Page 7]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822.  When creating a new host name,
+the old rules for HOSTS.TXT should be followed.  This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case.  That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names.  They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen.  There are also some
+restrictions on the length.  Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+2.3.2. Data Transmission Order
+
+The order of transmission of the header and data described in this
+document is resolved to the octet level.  Whenever a diagram shows a
+
+
+
+Mockapetris                                                     [Page 8]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+group of octets, the order of transmission of those octets is the normal
+order in which they are read in English.  For example, in the following
+diagram, the octets are transmitted in the order they are numbered.
+
+     0                   1
+     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       1       |       2       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       3       |       4       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+    |       5       |       6       |
+    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Whenever an octet represents a numeric quantity, the left most bit in
+the diagram is the high order or most significant bit.  That is, the bit
+labeled 0 is the most significant bit.  For example, the following
+diagram represents the value 170 (decimal).
+
+     0 1 2 3 4 5 6 7
+    +-+-+-+-+-+-+-+-+
+    |1 0 1 0 1 0 1 0|
+    +-+-+-+-+-+-+-+-+
+
+Similarly, whenever a multi-octet field represents a numeric quantity
+the left most bit of the whole field is the most significant bit.  When
+a multi-octet quantity is transmitted the most significant octet is
+transmitted first.
+
+2.3.3. Character Case
+
+For all parts of the DNS that are part of the official protocol, all
+comparisons between character strings (e.g., labels, domain names, etc.)
+are done in a case-insensitive manner.  At present, this rule is in
+force throughout the domain system without exception.  However, future
+additions beyond current usage may need to use the full binary octet
+capabilities in names, so attempts to store domain names in 7-bit ASCII
+or use of special bytes to terminate labels, etc., should be avoided.
+
+When data enters the domain system, its original case should be
+preserved whenever possible.  In certain circumstances this cannot be
+done.  For example, if two RRs are stored in a database, one at x.y and
+one at X.Y, they are actually stored at the same place in the database,
+and hence only one casing would be preserved.  The basic rule is that
+case can be discarded only when data is used to define structure in a
+database, and two names are identical when compared in a case
+insensitive manner.
+
+
+
+
+Mockapetris                                                     [Page 9]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Loss of case sensitive data must be minimized.  Thus while data for x.y
+and X.Y may both be stored under a single location x.y or X.Y, data for
+a.x and B.X would never be stored under A.x, A.X, b.x, or b.X.  In
+general, this preserves the case of the first label of a domain name,
+but forces standardization of interior node labels.
+
+Systems administrators who enter data into the domain database should
+take care to represent the data they supply to the domain system in a
+case-consistent manner if their system is case-sensitive.  The data
+distribution system in the domain system will ensure that consistent
+representations are preserved.
+
+2.3.4. Size limits
+
+Various objects and parameters in the DNS have size limits.  They are
+listed below.  Some could be easily changed, others are more
+fundamental.
+
+labels          63 octets or less
+
+names           255 octets or less
+
+TTL             positive values of a signed 32 bit number.
+
+UDP messages    512 octets or less
+
+3. DOMAIN NAME SPACE AND RR DEFINITIONS
+
+3.1. Name space definitions
+
+Domain names in messages are expressed in terms of a sequence of labels.
+Each label is represented as a one octet length field followed by that
+number of octets.  Since every domain name ends with the null label of
+the root, a domain name is terminated by a length byte of zero.  The
+high order two bits of every length octet must be zero, and the
+remaining six bits of the length field limit the label to 63 octets or
+less.
+
+To simplify implementations, the total length of a domain name (i.e.,
+label octets and label length octets) is restricted to 255 octets or
+less.
+
+Although labels can contain any 8 bit values in octets that make up a
+label, it is strongly recommended that labels follow the preferred
+syntax described elsewhere in this memo, which is compatible with
+existing host naming conventions.  Name servers and resolvers must
+compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
+with zero parity.  Non-alphabetic codes must match exactly.
+
+
+
+Mockapetris                                                    [Page 10]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.2. RR definitions
+
+3.2.1. Format
+
+All RRs have the same top level format shown below:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+where:
+
+NAME            an owner name, i.e., the name of the node to which this
+                resource record pertains.
+
+TYPE            two octets containing one of the RR TYPE codes.
+
+CLASS           two octets containing one of the RR CLASS codes.
+
+TTL             a 32 bit signed integer that specifies the time interval
+                that the resource record may be cached before the source
+                of the information should again be consulted.  Zero
+                values are interpreted to mean that the RR can only be
+                used for the transaction in progress, and should not be
+                cached.  For example, SOA records are always distributed
+                with a zero TTL to prohibit caching.  Zero values can
+                also be used for extremely volatile data.
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+
+
+Mockapetris                                                    [Page 11]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+
+3.2.2. TYPE values
+
+TYPE fields are used in resource records.  Note that these types are a
+subset of QTYPEs.
+
+TYPE            value and meaning
+
+A               1 a host address
+
+NS              2 an authoritative name server
+
+MD              3 a mail destination (Obsolete - use MX)
+
+MF              4 a mail forwarder (Obsolete - use MX)
+
+CNAME           5 the canonical name for an alias
+
+SOA             6 marks the start of a zone of authority
+
+MB              7 a mailbox domain name (EXPERIMENTAL)
+
+MG              8 a mail group member (EXPERIMENTAL)
+
+MR              9 a mail rename domain name (EXPERIMENTAL)
+
+NULL            10 a null RR (EXPERIMENTAL)
+
+WKS             11 a well known service description
+
+PTR             12 a domain name pointer
+
+HINFO           13 host information
+
+MINFO           14 mailbox or mail list information
+
+MX              15 mail exchange
+
+TXT             16 text strings
+
+3.2.3. QTYPE values
+
+QTYPE fields appear in the question part of a query.  QTYPES are a
+superset of TYPEs, hence all TYPEs are valid QTYPEs.  In addition, the
+following QTYPEs are defined:
+
+
+
+Mockapetris                                                    [Page 12]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+AXFR            252 A request for a transfer of an entire zone
+
+MAILB           253 A request for mailbox-related records (MB, MG or MR)
+
+MAILA           254 A request for mail agent RRs (Obsolete - see MX)
+
+*               255 A request for all records
+
+3.2.4. CLASS values
+
+CLASS fields appear in resource records.  The following CLASS mnemonics
+and values are defined:
+
+IN              1 the Internet
+
+CS              2 the CSNET class (Obsolete - used only for examples in
+                some obsolete RFCs)
+
+CH              3 the CHAOS class
+
+HS              4 Hesiod [Dyer 87]
+
+3.2.5. QCLASS values
+
+QCLASS fields appear in the question section of a query.  QCLASS values
+are a superset of CLASS values; every CLASS is a valid QCLASS.  In
+addition to CLASS values, the following QCLASSes are defined:
+
+*               255 any class
+
+3.3. Standard RRs
+
+The following RR definitions are expected to occur, at least
+potentially, in all classes.  In particular, NS, SOA, CNAME, and PTR
+will be used in all classes, and have the same format in all classes.
+Because their RDATA format is known, all domain names in the RDATA
+section of these RRs may be compressed.
+
+<domain-name> is a domain name represented as a series of labels, and
+terminated by a label with zero length.  <character-string> is a single
+length octet followed by that number of characters.  <character-string>
+is treated as binary information, and can be up to 256 characters in
+length (including the length octet).
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 13]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.1. CNAME RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     CNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CNAME           A <domain-name> which specifies the canonical or primary
+                name for the owner.  The owner name is an alias.
+
+CNAME RRs cause no additional section processing, but name servers may
+choose to restart the query at the canonical name in certain cases.  See
+the description of name server logic in [RFC-1034] for details.
+
+3.3.2. HINFO RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                      CPU                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                       OS                      /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CPU             A <character-string> which specifies the CPU type.
+
+OS              A <character-string> which specifies the operating
+                system type.
+
+Standard values for CPU and OS can be found in [RFC-1010].
+
+HINFO records are used to acquire general information about a host.  The
+main use is for protocols such as FTP that can use special procedures
+when talking between machines or operating systems of the same type.
+
+3.3.3. MB RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has the
+                specified mailbox.
+
+
+
+Mockapetris                                                    [Page 14]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MB records cause additional section processing which looks up an A type
+RRs corresponding to MADNAME.
+
+3.3.4. MD RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which should be able to deliver
+                mail for the domain.
+
+MD records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MD is obsolete.  See the definition of MX and [RFC-974] for details of
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 0.
+
+3.3.5. MF RDATA format (Obsolete)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MADNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME         A <domain-name> which specifies a host which has a mail
+                agent for the domain which will accept mail for
+                forwarding to the domain.
+
+MF records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MF is obsolete.  See the definition of MX and [RFC-974] for details ofw
+the new scheme.  The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 10.
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 15]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.6. MG RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   MGMNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MGMNAME         A <domain-name> which specifies a mailbox which is a
+                member of the mail group specified by the domain name.
+
+MG records cause no additional section processing.
+
+3.3.7. MINFO RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    RMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                    EMAILBX                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+RMAILBX         A <domain-name> which specifies a mailbox which is
+                responsible for the mailing list or mailbox.  If this
+                domain name names the root, the owner of the MINFO RR is
+                responsible for itself.  Note that many existing mailing
+                lists use a mailbox X-request for the RMAILBX field of
+                mailing list X, e.g., Msgroup-request for Msgroup.  This
+                field provides a more general mechanism.
+
+
+EMAILBX         A <domain-name> which specifies a mailbox which is to
+                receive error messages related to the mailing list or
+                mailbox specified by the owner of the MINFO RR (similar
+                to the ERRORS-TO: field which has been proposed).  If
+                this domain name names the root, errors should be
+                returned to the sender of the message.
+
+MINFO records cause no additional section processing.  Although these
+records can be associated with a simple mailbox, they are usually used
+with a mailing list.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 16]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.8. MR RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NEWNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NEWNAME         A <domain-name> which specifies a mailbox which is the
+                proper rename of the specified mailbox.
+
+MR records cause no additional section processing.  The main use for MR
+is as a forwarding entry for a user who has moved to a different
+mailbox.
+
+3.3.9. MX RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                  PREFERENCE                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   EXCHANGE                    /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PREFERENCE      A 16 bit integer which specifies the preference given to
+                this RR among others at the same owner.  Lower values
+                are preferred.
+
+EXCHANGE        A <domain-name> which specifies a host willing to act as
+                a mail exchange for the owner name.
+
+MX records cause type A additional section processing for the host
+specified by EXCHANGE.  The use of MX RRs is explained in detail in
+[RFC-974].
+
+3.3.10. NULL RDATA format (EXPERIMENTAL)
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                  <anything>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Anything at all may be in the RDATA field so long as it is 65535 octets
+or less.
+
+
+
+
+Mockapetris                                                    [Page 17]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+NULL records cause no additional section processing.  NULL RRs are not
+allowed in master files.  NULLs are used as placeholders in some
+experimental extensions of the DNS.
+
+3.3.11. NS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   NSDNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NSDNAME         A <domain-name> which specifies a host which should be
+                authoritative for the specified class and domain.
+
+NS records cause both the usual additional section processing to locate
+a type A record, and, when used in a referral, a special search of the
+zone in which they reside for glue information.
+
+The NS RR states that the named host should be expected to have a zone
+starting at owner name of the specified class.  Note that the class may
+not indicate the protocol family which should be used to communicate
+with the host, although it is typically a strong hint.  For example,
+hosts which are name servers for either Internet (IN) or Hesiod (HS)
+class information are normally queried using IN class protocols.
+
+3.3.12. PTR RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   PTRDNAME                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PTRDNAME        A <domain-name> which points to some location in the
+                domain name space.
+
+PTR records cause no additional section processing.  These RRs are used
+in special domains to point to some other location in the domain space.
+These records are simple data, and don't imply any special processing
+similar to that performed by CNAME, which identifies aliases.  See the
+description of the IN-ADDR.ARPA domain for an example.
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 18]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.3.13. SOA RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     MNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                     RNAME                     /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    SERIAL                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    REFRESH                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     RETRY                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    EXPIRE                     |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    MINIMUM                    |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MNAME           The <domain-name> of the name server that was the
+                original or primary source of data for this zone.
+
+RNAME           A <domain-name> which specifies the mailbox of the
+                person responsible for this zone.
+
+SERIAL          The unsigned 32 bit version number of the original copy
+                of the zone.  Zone transfers preserve this value.  This
+                value wraps and should be compared using sequence space
+                arithmetic.
+
+REFRESH         A 32 bit time interval before the zone should be
+                refreshed.
+
+RETRY           A 32 bit time interval that should elapse before a
+                failed refresh should be retried.
+
+EXPIRE          A 32 bit time value that specifies the upper limit on
+                the time interval that can elapse before the zone is no
+                longer authoritative.
+
+
+
+
+
+Mockapetris                                                    [Page 19]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+MINIMUM         The unsigned 32 bit minimum TTL field that should be
+                exported with any RR from this zone.
+
+SOA records cause no additional section processing.
+
+All times are in units of seconds.
+
+Most of these fields are pertinent only for name server maintenance
+operations.  However, MINIMUM is used in all query operations that
+retrieve RRs from a zone.  Whenever a RR is sent in a response to a
+query, the TTL field is set to the maximum of the TTL field from the RR
+and the MINIMUM field in the appropriate SOA.  Thus MINIMUM is a lower
+bound on the TTL field for all RRs in a zone.  Note that this use of
+MINIMUM should occur when the RRs are copied into the response and not
+when the zone is loaded from a master file or via a zone transfer.  The
+reason for this provison is to allow future dynamic update facilities to
+change the SOA RR with known semantics.
+
+
+3.3.14. TXT RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    /                   TXT-DATA                    /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+TXT-DATA        One or more <character-string>s.
+
+TXT RRs are used to hold descriptive text.  The semantics of the text
+depends on the domain where it is found.
+
+3.4. Internet specific RRs
+
+3.4.1. A RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         A 32 bit Internet address.
+
+Hosts that have multiple Internet addresses will have multiple A
+records.
+
+
+
+
+
+Mockapetris                                                    [Page 20]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+A records cause no additional section processing.  The RDATA section of
+an A line in a master file is an Internet address expressed as four
+decimal numbers separated by dots without any imbedded spaces (e.g.,
+"10.2.0.52" or "192.0.5.6").
+
+3.4.2. WKS RDATA format
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ADDRESS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |       PROTOCOL        |                       |
+    +--+--+--+--+--+--+--+--+                       |
+    |                                               |
+    /                   <BIT MAP>                   /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS         An 32 bit Internet address
+
+PROTOCOL        An 8 bit IP protocol number
+
+<BIT MAP>       A variable length bit map.  The bit map must be a
+                multiple of 8 bits long.
+
+The WKS record is used to describe the well known services supported by
+a particular protocol on a particular internet address.  The PROTOCOL
+field specifies an IP protocol number, and the bit map has one bit per
+port of the specified protocol.  The first bit corresponds to port 0,
+the second to port 1, etc.  If the bit map does not include a bit for a
+protocol of interest, that bit is assumed zero.  The appropriate values
+and mnemonics for ports and protocols are specified in [RFC-1010].
+
+For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+25 (SMTP).  If this bit is set, a SMTP server should be listening on TCP
+port 25; if zero, SMTP service is not supported on the specified
+address.
+
+The purpose of WKS RRs is to provide availability information for
+servers for TCP and UDP.  If a server supports both TCP and UDP, or has
+multiple Internet addresses, then multiple WKS RRs are used.
+
+WKS RRs cause no additional section processing.
+
+In master files, both ports and protocols are expressed using mnemonics
+or decimal numbers.
+
+
+
+
+Mockapetris                                                    [Page 21]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.5. IN-ADDR.ARPA domain
+
+The Internet uses a special domain to support gateway location and
+Internet address to host mapping.  Other classes may employ a similar
+strategy in other domains.  The intent of this domain is to provide a
+guaranteed method to perform host address to host name mapping, and to
+facilitate queries to locate all gateways on a particular network in the
+Internet.
+
+Note that both of these services are similar to functions that could be
+performed by inverse queries; the difference is that this part of the
+domain name space is structured according to address, and hence can
+guarantee that the appropriate data can be located without an exhaustive
+search of the domain space.
+
+The domain begins at IN-ADDR.ARPA and has a substructure which follows
+the Internet addressing structure.
+
+Domain names in the IN-ADDR.ARPA domain are defined to have up to four
+labels in addition to the IN-ADDR.ARPA suffix.  Each label represents
+one octet of an Internet address, and is expressed as a character string
+for a decimal value in the range 0-255 (with leading zeros omitted
+except in the case of a zero octet which is represented by a single
+zero).
+
+Host addresses are represented by domain names that have all four labels
+specified.  Thus data for Internet address 10.2.0.52 is located at
+domain name 52.0.2.10.IN-ADDR.ARPA.  The reversal, though awkward to
+read, allows zones to be delegated which are exactly one network of
+address space.  For example, 10.IN-ADDR.ARPA can be a zone containing
+data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
+MILNET.  Address nodes are used to hold pointers to primary host names
+in the normal domain space.
+
+Network numbers correspond to some non-terminal nodes at various depths
+in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
+2, or 3 octets.  Network nodes are used to hold pointers to the primary
+host names of gateways attached to that network.  Since a gateway is, by
+definition, on more than one network, it will typically have two or more
+network nodes which point at it.  Gateways will also have host level
+pointers at their fully qualified addresses.
+
+Both the gateway pointers at network nodes and the normal host pointers
+at full address nodes use the PTR RR to point back to the primary domain
+names of the corresponding hosts.
+
+For example, the IN-ADDR.ARPA domain will contain information about the
+ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
+
+
+
+Mockapetris                                                    [Page 22]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU.  Assuming that ISI
+gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
+GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
+and a name GW.LCS.MIT.EDU, the domain database would contain:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    18.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+    26.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    22.0.2.10.IN-ADDR.ARPA.    PTR MILNET-GW.ISI.EDU.
+    103.0.0.26.IN-ADDR.ARPA.   PTR MILNET-GW.ISI.EDU.
+    77.0.0.10.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    4.0.10.18.IN-ADDR.ARPA.    PTR GW.LCS.MIT.EDU.
+    103.0.3.26.IN-ADDR.ARPA.   PTR A.ISI.EDU.
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Thus a program which wanted to locate gateways on net 10 would originate
+a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA.  It
+would receive two RRs in response:
+
+    10.IN-ADDR.ARPA.           PTR MILNET-GW.ISI.EDU.
+    10.IN-ADDR.ARPA.           PTR GW.LCS.MIT.EDU.
+
+The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
+GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
+these gateways.
+
+A resolver which wanted to find the host name corresponding to Internet
+host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
+QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
+
+    6.0.0.10.IN-ADDR.ARPA.     PTR MULTICS.MIT.EDU.
+
+Several cautions apply to the use of these services:
+   - Since the IN-ADDR.ARPA special domain and the normal domain
+     for a particular host or gateway will be in different zones,
+     the possibility exists that that the data may be inconsistent.
+
+   - Gateways will often have two names in separate domains, only
+     one of which can be primary.
+
+   - Systems that use the domain database to initialize their
+     routing tables must start with enough gateway information to
+     guarantee that they can access the appropriate name server.
+
+   - The gateway data only reflects the existence of a gateway in a
+     manner equivalent to the current HOSTS.TXT file.  It doesn't
+     replace the dynamic availability information from GGP or EGP.
+
+
+
+Mockapetris                                                    [Page 23]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+3.6. Defining new types, classes, and special namespaces
+
+The previously defined types and classes are the ones in use as of the
+date of this memo.  New definitions should be expected.  This section
+makes some recommendations to designers considering additions to the
+existing facilities.  The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
+forum where general discussion of design issues takes place.
+
+In general, a new type is appropriate when new information is to be
+added to the database about an existing object, or we need new data
+formats for some totally new object.  Designers should attempt to define
+types and their RDATA formats that are generally applicable to all
+classes, and which avoid duplication of information.  New classes are
+appropriate when the DNS is to be used for a new protocol, etc which
+requires new class-specific data formats, or when a copy of the existing
+name space is desired, but a separate management domain is necessary.
+
+New types and classes need mnemonics for master files; the format of the
+master files requires that the mnemonics for type and class be disjoint.
+
+TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
+respectively.
+
+The present system uses multiple RRs to represent multiple values of a
+type rather than storing multiple values in the RDATA section of a
+single RR.  This is less efficient for most applications, but does keep
+RRs shorter.  The multiple RRs assumption is incorporated in some
+experimental work on dynamic update methods.
+
+The present system attempts to minimize the duplication of data in the
+database in order to insure consistency.  Thus, in order to find the
+address of the host for a mail exchange, you map the mail domain name to
+a host name, then the host name to addresses, rather than a direct
+mapping to host address.  This approach is preferred because it avoids
+the opportunity for inconsistency.
+
+In defining a new type of data, multiple RR types should not be used to
+create an ordering between entries or express different formats for
+equivalent bindings, instead this information should be carried in the
+body of the RR and a single type used.  This policy avoids problems with
+caching multiple types and defining QTYPEs to match multiple types.
+
+For example, the original form of mail exchange binding used two RR
+types one to represent a "closer" exchange (MD) and one to represent a
+"less close" exchange (MF).  The difficulty is that the presence of one
+RR type in a cache doesn't convey any information about the other
+because the query which acquired the cached information might have used
+a QTYPE of MF, MD, or MAILA (which matched both).  The redesigned
+
+
+
+Mockapetris                                                    [Page 24]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+service used a single type (MX) with a "preference" value in the RDATA
+section which can order different RRs.  However, if any MX RRs are found
+in the cache, then all should be there.
+
+4. MESSAGES
+
+4.1. Format
+
+All communications inside of the domain protocol are carried in a single
+format called a message.  The top level format of message is divided
+into 5 sections (some of which are empty in certain cases) shown below:
+
+    +---------------------+
+    |        Header       |
+    +---------------------+
+    |       Question      | the question for the name server
+    +---------------------+
+    |        Answer       | RRs answering the question
+    +---------------------+
+    |      Authority      | RRs pointing toward an authority
+    +---------------------+
+    |      Additional     | RRs holding additional information
+    +---------------------+
+
+The header section is always present.  The header includes fields that
+specify which of the remaining sections are present, and also specify
+whether the message is a query or a response, a standard query or some
+other opcode, etc.
+
+The names of the sections after the header are derived from their use in
+standard queries.  The question section contains fields that describe a
+question to a name server.  These fields are a query type (QTYPE), a
+query class (QCLASS), and a query domain name (QNAME).  The last three
+sections have the same format: a possibly empty list of concatenated
+resource records (RRs).  The answer section contains RRs that answer the
+question; the authority section contains RRs that point toward an
+authoritative name server; the additional records section contains RRs
+which relate to the query, but are not strictly answers for the
+question.
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 25]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+4.1.1. Header section format
+
+The header contains the following fields:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      ID                       |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    QDCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ANCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    NSCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                    ARCOUNT                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID              A 16 bit identifier assigned by the program that
+                generates any kind of query.  This identifier is copied
+                the corresponding reply and can be used by the requester
+                to match up replies to outstanding queries.
+
+QR              A one bit field that specifies whether this message is a
+                query (0), or a response (1).
+
+OPCODE          A four bit field that specifies kind of query in this
+                message.  This value is set by the originator of a query
+                and copied into the response.  The values are:
+
+                0               a standard query (QUERY)
+
+                1               an inverse query (IQUERY)
+
+                2               a server status request (STATUS)
+
+                3-15            reserved for future use
+
+AA              Authoritative Answer - this bit is valid in responses,
+                and specifies that the responding name server is an
+                authority for the domain name in question section.
+
+                Note that the contents of the answer section may have
+                multiple owner names because of aliases.  The AA bit
+
+
+
+Mockapetris                                                    [Page 26]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                corresponds to the name which matches the query name, or
+                the first owner name in the answer section.
+
+TC              TrunCation - specifies that this message was truncated
+                due to length greater than that permitted on the
+                transmission channel.
+
+RD              Recursion Desired - this bit may be set in a query and
+                is copied into the response.  If RD is set, it directs
+                the name server to pursue the query recursively.
+                Recursive query support is optional.
+
+RA              Recursion Available - this be is set or cleared in a
+                response, and denotes whether recursive query support is
+                available in the name server.
+
+Z               Reserved for future use.  Must be zero in all queries
+                and responses.
+
+RCODE           Response code - this 4 bit field is set as part of
+                responses.  The values have the following
+                interpretation:
+
+                0               No error condition
+
+                1               Format error - The name server was
+                                unable to interpret the query.
+
+                2               Server failure - The name server was
+                                unable to process this query due to a
+                                problem with the name server.
+
+                3               Name Error - Meaningful only for
+                                responses from an authoritative name
+                                server, this code signifies that the
+                                domain name referenced in the query does
+                                not exist.
+
+                4               Not Implemented - The name server does
+                                not support the requested kind of query.
+
+                5               Refused - The name server refuses to
+                                perform the specified operation for
+                                policy reasons.  For example, a name
+                                server may not wish to provide the
+                                information to the particular requester,
+                                or a name server may not wish to perform
+                                a particular operation (e.g., zone
+
+
+
+Mockapetris                                                    [Page 27]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                                transfer) for particular data.
+
+                6-15            Reserved for future use.
+
+QDCOUNT         an unsigned 16 bit integer specifying the number of
+                entries in the question section.
+
+ANCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the answer section.
+
+NSCOUNT         an unsigned 16 bit integer specifying the number of name
+                server resource records in the authority records
+                section.
+
+ARCOUNT         an unsigned 16 bit integer specifying the number of
+                resource records in the additional records section.
+
+4.1.2. Question section format
+
+The question section is used to carry the "question" in most queries,
+i.e., the parameters that define what is being asked.  The section
+contains QDCOUNT (usually 1) entries, each of the following format:
+
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                     QNAME                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QTYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     QCLASS                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+QNAME           a domain name represented as a sequence of labels, where
+                each label consists of a length octet followed by that
+                number of octets.  The domain name terminates with the
+                zero length octet for the null label of the root.  Note
+                that this field may be an odd number of octets; no
+                padding is used.
+
+QTYPE           a two octet code which specifies the type of the query.
+                The values for this field include all codes valid for a
+                TYPE field, together with some more general codes which
+                can match more than one type of RR.
+
+
+
+Mockapetris                                                    [Page 28]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+QCLASS          a two octet code that specifies the class of the query.
+                For example, the QCLASS field is IN for the Internet.
+
+4.1.3. Resource record format
+
+The answer, authority, and additional sections all share the same
+format: a variable number of resource records, where the number of
+records is specified in the corresponding count field in the header.
+Each resource record has the following format:
+                                    1  1  1  1  1  1
+      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                                               |
+    /                                               /
+    /                      NAME                     /
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TYPE                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                     CLASS                     |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                      TTL                      |
+    |                                               |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    |                   RDLENGTH                    |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+    /                     RDATA                     /
+    /                                               /
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NAME            a domain name to which this resource record pertains.
+
+TYPE            two octets containing one of the RR type codes.  This
+                field specifies the meaning of the data in the RDATA
+                field.
+
+CLASS           two octets which specify the class of the data in the
+                RDATA field.
+
+TTL             a 32 bit unsigned integer that specifies the time
+                interval (in seconds) that the resource record may be
+                cached before it should be discarded.  Zero values are
+                interpreted to mean that the RR can only be used for the
+                transaction in progress, and should not be cached.
+
+
+
+
+
+Mockapetris                                                    [Page 29]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+RDLENGTH        an unsigned 16 bit integer that specifies the length in
+                octets of the RDATA field.
+
+RDATA           a variable length string of octets that describes the
+                resource.  The format of this information varies
+                according to the TYPE and CLASS of the resource record.
+                For example, the if the TYPE is A and the CLASS is IN,
+                the RDATA field is a 4 octet ARPA Internet address.
+
+4.1.4. Message compression
+
+In order to reduce the size of messages, the domain system utilizes a
+compression scheme which eliminates the repetition of domain names in a
+message.  In this scheme, an entire domain name or a list of labels at
+the end of a domain name is replaced with a pointer to a prior occurance
+of the same name.
+
+The pointer takes the form of a two octet sequence:
+
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    | 1  1|                OFFSET                   |
+    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The first two bits are ones.  This allows a pointer to be distinguished
+from a label, since the label must begin with two zero bits because
+labels are restricted to 63 octets or less.  (The 10 and 01 combinations
+are reserved for future use.)  The OFFSET field specifies an offset from
+the start of the message (i.e., the first octet of the ID field in the
+domain header).  A zero offset specifies the first byte of the ID field,
+etc.
+
+The compression scheme allows a domain name in a message to be
+represented as either:
+
+   - a sequence of labels ending in a zero octet
+
+   - a pointer
+
+   - a sequence of labels ending with a pointer
+
+Pointers can only be used for occurances of a domain name where the
+format is not class specific.  If this were not the case, a name server
+or resolver would be required to know the format of all RRs it handled.
+As yet, there are no such cases, but they may occur in future RDATA
+formats.
+
+If a domain name is contained in a part of the message subject to a
+length field (such as the RDATA section of an RR), and compression is
+
+
+
+Mockapetris                                                    [Page 30]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+used, the length of the compressed name is used in the length
+calculation, rather than the length of the expanded name.
+
+Programs are free to avoid using pointers in messages they generate,
+although this will reduce datagram capacity, and may cause truncation.
+However all programs are required to understand arriving messages that
+contain pointers.
+
+For example, a datagram might need to use the domain names F.ISI.ARPA,
+FOO.F.ISI.ARPA, ARPA, and the root.  Ignoring the other fields of the
+message, these domain names might be represented as:
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    20 |           1           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    22 |           3           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    24 |           S           |           I           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    26 |           4           |           A           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    28 |           R           |           P           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    30 |           A           |           0           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    40 |           3           |           F           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    42 |           O           |           O           |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    44 | 1  1|                20                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    64 | 1  1|                26                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+    92 |           0           |                       |
+       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The domain name for F.ISI.ARPA is shown at offset 20.  The domain name
+FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
+concatenate a label for FOO to the previously defined F.ISI.ARPA.  The
+domain name ARPA is defined at offset 64 using a pointer to the ARPA
+component of the name F.ISI.ARPA at 20; note that this pointer relies on
+ARPA being the last label in the string at 20.  The root domain name is
+
+
+
+Mockapetris                                                    [Page 31]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+defined by a single octet of zeros at 92; the root domain name has no
+labels.
+
+4.2. Transport
+
+The DNS assumes that messages will be transmitted as datagrams or in a
+byte stream carried by a virtual circuit.  While virtual circuits can be
+used for any DNS activity, datagrams are preferred for queries due to
+their lower overhead and better performance.  Zone refresh activities
+must use virtual circuits because of the need for reliable transfer.
+
+The Internet supports name server access using TCP [RFC-793] on server
+port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
+port 53 (decimal).
+
+4.2.1. UDP usage
+
+Messages sent using UDP user server port 53 (decimal).
+
+Messages carried by UDP are restricted to 512 bytes (not counting the IP
+or UDP headers).  Longer messages are truncated and the TC bit is set in
+the header.
+
+UDP is not acceptable for zone transfers, but is the recommended method
+for standard queries in the Internet.  Queries sent using UDP may be
+lost, and hence a retransmission strategy is required.  Queries or their
+responses may be reordered by the network, or by processing in name
+servers, so resolvers should not depend on them being returned in order.
+
+The optimal UDP retransmission policy will vary with performance of the
+Internet and the needs of the client, but the following are recommended:
+
+   - The client should try other servers and server addresses
+     before repeating a query to a specific address of a server.
+
+   - The retransmission interval should be based on prior
+     statistics if possible.  Too aggressive retransmission can
+     easily slow responses for the community at large.  Depending
+     on how well connected the client is to its expected servers,
+     the minimum retransmission interval should be 2-5 seconds.
+
+More suggestions on server selection and retransmission policy can be
+found in the resolver section of this memo.
+
+4.2.2. TCP usage
+
+Messages sent over TCP connections use server port 53 (decimal).  The
+message is prefixed with a two byte length field which gives the message
+
+
+
+Mockapetris                                                    [Page 32]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+length, excluding the two byte length field.  This length field allows
+the low-level processing to assemble a complete message before beginning
+to parse it.
+
+Several connection management policies are recommended:
+
+   - The server should not block other activities waiting for TCP
+     data.
+
+   - The server should support multiple connections.
+
+   - The server should assume that the client will initiate
+     connection closing, and should delay closing its end of the
+     connection until all outstanding client requests have been
+     satisfied.
+
+   - If the server needs to close a dormant connection to reclaim
+     resources, it should wait until the connection has been idle
+     for a period on the order of two minutes.  In particular, the
+     server should allow the SOA and AXFR request sequence (which
+     begins a refresh operation) to be made on a single connection.
+     Since the server would be unable to answer queries anyway, a
+     unilateral close or reset may be used instead of a graceful
+     close.
+
+5. MASTER FILES
+
+Master files are text files that contain RRs in text form.  Since the
+contents of a zone can be expressed in the form of a list of RRs a
+master file is most often used to define a zone, though it can be used
+to list a cache's contents.  Hence, this section first discusses the
+format of RRs in a master file, and then the special considerations when
+a master file is used to create a zone in some name server.
+
+5.1. Format
+
+The format of these files is a sequence of entries.  Entries are
+predominantly line-oriented, though parentheses can be used to continue
+a list of items across a line boundary, and text literals can contain
+CRLF within the text.  Any combination of tabs and spaces act as a
+delimiter between the separate items that make up an entry.  The end of
+any line in the master file can end with a comment.  The comment starts
+with a ";" (semicolon).
+
+The following entries are defined:
+
+    <blank>[<comment>]
+
+
+
+
+Mockapetris                                                    [Page 33]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+    $ORIGIN <domain-name> [<comment>]
+
+    $INCLUDE <file-name> [<domain-name>] [<comment>]
+
+    <domain-name><rr> [<comment>]
+
+    <blank><rr> [<comment>]
+
+Blank lines, with or without comments, are allowed anywhere in the file.
+
+Two control entries are defined: $ORIGIN and $INCLUDE.  $ORIGIN is
+followed by a domain name, and resets the current origin for relative
+domain names to the stated name.  $INCLUDE inserts the named file into
+the current file, and may optionally specify a domain name that sets the
+relative domain name origin for the included file.  $INCLUDE may also
+have a comment.  Note that a $INCLUDE entry never changes the relative
+origin of the parent file, regardless of changes to the relative origin
+made within the included file.
+
+The last two forms represent RRs.  If an entry for an RR begins with a
+blank, then the RR is assumed to be owned by the last stated owner.  If
+an RR entry begins with a <domain-name>, then the owner name is reset.
+
+<rr> contents take one of the following forms:
+
+    [<TTL>] [<class>] <type> <RDATA>
+
+    [<class>] [<TTL>] <type> <RDATA>
+
+The RR begins with optional TTL and class fields, followed by a type and
+RDATA field appropriate to the type and class.  Class and type use the
+standard mnemonics, TTL is a decimal integer.  Omitted class and TTL
+values are default to the last explicitly stated values.  Since type and
+class mnemonics are disjoint, the parse is unique.  (Note that this
+order is different from the order used in examples and the order used in
+the actual RRs; the given order allows easier parsing and defaulting.)
+
+<domain-name>s make up a large share of the data in the master file.
+The labels in the domain name are expressed as character strings and
+separated by dots.  Quoting conventions allow arbitrary characters to be
+stored in domain names.  Domain names that end in a dot are called
+absolute, and are taken as complete.  Domain names which do not end in a
+dot are called relative; the actual domain name is the concatenation of
+the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
+an argument to the master file loading routine.  A relative name is an
+error when no origin is available.
+
+
+
+
+
+Mockapetris                                                    [Page 34]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+<character-string> is expressed in one or two ways: as a contiguous set
+of characters without interior spaces, or as a string beginning with a "
+and ending with a ".  Inside a " delimited string any character can
+occur, except for a " itself, which must be quoted using \ (back slash).
+
+Because these files are text files several special encodings are
+necessary to allow arbitrary data to be loaded.  In particular:
+
+                of the root.
+
+@               A free standing @ is used to denote the current origin.
+
+\X              where X is any character other than a digit (0-9), is
+                used to quote that character so that its special meaning
+                does not apply.  For example, "\." can be used to place
+                a dot character in a label.
+
+\DDD            where each D is a digit is the octet corresponding to
+                the decimal number described by DDD.  The resulting
+                octet is assumed to be text and is not checked for
+                special meaning.
+
+( )             Parentheses are used to group data that crosses a line
+                boundary.  In effect, line terminations are not
+                recognized within parentheses.
+
+;               Semicolon is used to start a comment; the remainder of
+                the line is ignored.
+
+5.2. Use of master files to define zones
+
+When a master file is used to load a zone, the operation should be
+suppressed if any errors are encountered in the master file.  The
+rationale for this is that a single error can have widespread
+consequences.  For example, suppose that the RRs defining a delegation
+have syntax errors; then the server will return authoritative name
+errors for all names in the subzone (except in the case where the
+subzone is also present on the server).
+
+Several other validity checks that should be performed in addition to
+insuring that the file is syntactically correct:
+
+   1. All RRs in the file should have the same class.
+
+   2. Exactly one SOA RR should be present at the top of the zone.
+
+   3. If delegations are present and glue information is required,
+      it should be present.
+
+
+
+Mockapetris                                                    [Page 35]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   4. Information present outside of the authoritative nodes in the
+      zone should be glue information, rather than the result of an
+      origin or similar error.
+
+5.3. Master file example
+
+The following is an example file which might be used to define the
+ISI.EDU zone.and is loaded with an origin of ISI.EDU:
+
+@   IN  SOA     VENERA      Action\.domains (
+                                 20     ; SERIAL
+                                 7200   ; REFRESH
+                                 600    ; RETRY
+                                 3600000; EXPIRE
+                                 60)    ; MINIMUM
+
+        NS      A.ISI.EDU.
+        NS      VENERA
+        NS      VAXA
+        MX      10      VENERA
+        MX      20      VAXA
+
+A       A       26.3.0.103
+
+VENERA  A       10.1.0.52
+        A       128.9.0.32
+
+VAXA    A       10.2.0.27
+        A       128.9.0.33
+
+
+$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
+
+Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
+
+    MOE     MB      A.ISI.EDU.
+    LARRY   MB      A.ISI.EDU.
+    CURLEY  MB      A.ISI.EDU.
+    STOOGES MG      MOE
+            MG      LARRY
+            MG      CURLEY
+
+Note the use of the \ character in the SOA RR to specify the responsible
+person mailbox "Action.domains@E.ISI.EDU".
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 36]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+6. NAME SERVER IMPLEMENTATION
+
+6.1. Architecture
+
+The optimal structure for the name server will depend on the host
+operating system and whether the name server is integrated with resolver
+operations, either by supporting recursive service, or by sharing its
+database with a resolver.  This section discusses implementation
+considerations for a name server which shares a database with a
+resolver, but most of these concerns are present in any name server.
+
+6.1.1. Control
+
+A name server must employ multiple concurrent activities, whether they
+are implemented as separate tasks in the host's OS or multiplexing
+inside a single name server program.  It is simply not acceptable for a
+name server to block the service of UDP requests while it waits for TCP
+data for refreshing or query activities.  Similarly, a name server
+should not attempt to provide recursive service without processing such
+requests in parallel, though it may choose to serialize requests from a
+single client, or to regard identical requests from the same client as
+duplicates.  A name server should not substantially delay requests while
+it reloads a zone from master files or while it incorporates a newly
+refreshed zone into its database.
+
+6.1.2. Database
+
+While name server implementations are free to use any internal data
+structures they choose, the suggested structure consists of three major
+parts:
+
+   - A "catalog" data structure which lists the zones available to
+     this server, and a "pointer" to the zone data structure.  The
+     main purpose of this structure is to find the nearest ancestor
+     zone, if any, for arriving standard queries.
+
+   - Separate data structures for each of the zones held by the
+     name server.
+
+   - A data structure for cached data. (or perhaps separate caches
+     for different classes)
+
+All of these data structures can be implemented an identical tree
+structure format, with different data chained off the nodes in different
+parts: in the catalog the data is pointers to zones, while in the zone
+and cache data structures, the data will be RRs.  In designing the tree
+framework the designer should recognize that query processing will need
+to traverse the tree using case-insensitive label comparisons; and that
+
+
+
+Mockapetris                                                    [Page 37]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+in real data, a few nodes have a very high branching factor (100-1000 or
+more), but the vast majority have a very low branching factor (0-1).
+
+One way to solve the case problem is to store the labels for each node
+in two pieces: a standardized-case representation of the label where all
+ASCII characters are in a single case, together with a bit mask that
+denotes which characters are actually of a different case.  The
+branching factor diversity can be handled using a simple linked list for
+a node until the branching factor exceeds some threshold, and
+transitioning to a hash structure after the threshold is exceeded.  In
+any case, hash structures used to store tree sections must insure that
+hash functions and procedures preserve the casing conventions of the
+DNS.
+
+The use of separate structures for the different parts of the database
+is motivated by several factors:
+
+   - The catalog structure can be an almost static structure that
+     need change only when the system administrator changes the
+     zones supported by the server.  This structure can also be
+     used to store parameters used to control refreshing
+     activities.
+
+   - The individual data structures for zones allow a zone to be
+     replaced simply by changing a pointer in the catalog.  Zone
+     refresh operations can build a new structure and, when
+     complete, splice it into the database via a simple pointer
+     replacement.  It is very important that when a zone is
+     refreshed, queries should not use old and new data
+     simultaneously.
+
+   - With the proper search procedures, authoritative data in zones
+     will always "hide", and hence take precedence over, cached
+     data.
+
+   - Errors in zone definitions that cause overlapping zones, etc.,
+     may cause erroneous responses to queries, but problem
+     determination is simplified, and the contents of one "bad"
+     zone can't corrupt another.
+
+   - Since the cache is most frequently updated, it is most
+     vulnerable to corruption during system restarts.  It can also
+     become full of expired RR data.  In either case, it can easily
+     be discarded without disturbing zone data.
+
+A major aspect of database design is selecting a structure which allows
+the name server to deal with crashes of the name server's host.  State
+information which a name server should save across system crashes
+
+
+
+Mockapetris                                                    [Page 38]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+includes the catalog structure (including the state of refreshing for
+each zone) and the zone data itself.
+
+6.1.3. Time
+
+Both the TTL data for RRs and the timing data for refreshing activities
+depends on 32 bit timers in units of seconds.  Inside the database,
+refresh timers and TTLs for cached data conceptually "count down", while
+data in the zone stays with constant TTLs.
+
+A recommended implementation strategy is to store time in two ways:  as
+a relative increment and as an absolute time.  One way to do this is to
+use positive 32 bit numbers for one type and negative numbers for the
+other.  The RRs in zones use relative times; the refresh timers and
+cache data use absolute times.  Absolute numbers are taken with respect
+to some known origin and converted to relative values when placed in the
+response to a query.  When an absolute TTL is negative after conversion
+to relative, then the data is expired and should be ignored.
+
+6.2. Standard query processing
+
+The major algorithm for standard query processing is presented in
+[RFC-1034].
+
+When processing queries with QCLASS=*, or some other QCLASS which
+matches multiple classes, the response should never be authoritative
+unless the server can guarantee that the response covers all classes.
+
+When composing a response, RRs which are to be inserted in the
+additional section, but duplicate RRs in the answer or authority
+sections, may be omitted from the additional section.
+
+When a response is so long that truncation is required, the truncation
+should start at the end of the response and work forward in the
+datagram.  Thus if there is any data for the authority section, the
+answer section is guaranteed to be unique.
+
+The MINIMUM value in the SOA should be used to set a floor on the TTL of
+data distributed from a zone.  This floor function should be done when
+the data is copied into a response.  This will allow future dynamic
+update protocols to change the SOA MINIMUM field without ambiguous
+semantics.
+
+6.3. Zone refresh and reload processing
+
+In spite of a server's best efforts, it may be unable to load zone data
+from a master file due to syntax errors, etc., or be unable to refresh a
+zone within the its expiration parameter.  In this case, the name server
+
+
+
+Mockapetris                                                    [Page 39]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+should answer queries as if it were not supposed to possess the zone.
+
+If a master is sending a zone out via AXFR, and a new version is created
+during the transfer, the master should continue to send the old version
+if possible.  In any case, it should never send part of one version and
+part of another.  If completion is not possible, the master should reset
+the connection on which the zone transfer is taking place.
+
+6.4. Inverse queries (Optional)
+
+Inverse queries are an optional part of the DNS.  Name servers are not
+required to support any form of inverse queries.  If a name server
+receives an inverse query that it does not support, it returns an error
+response with the "Not Implemented" error set in the header.  While
+inverse query support is optional, all name servers must be at least
+able to return the error response.
+
+6.4.1. The contents of inverse queries and responses          Inverse
+queries reverse the mappings performed by standard query operations;
+while a standard query maps a domain name to a resource, an inverse
+query maps a resource to a domain name.  For example, a standard query
+might bind a domain name to a host address; the corresponding inverse
+query binds the host address to a domain name.
+
+Inverse queries take the form of a single RR in the answer section of
+the message, with an empty question section.  The owner name of the
+query RR and its TTL are not significant.  The response carries
+questions in the question section which identify all names possessing
+the query RR WHICH THE NAME SERVER KNOWS.  Since no name server knows
+about all of the domain name space, the response can never be assumed to
+be complete.  Thus inverse queries are primarily useful for database
+management and debugging activities.  Inverse queries are NOT an
+acceptable method of mapping host addresses to host names; use the IN-
+ADDR.ARPA domain instead.
+
+Where possible, name servers should provide case-insensitive comparisons
+for inverse queries.  Thus an inverse query asking for an MX RR of
+"Venera.isi.edu" should get the same response as a query for
+"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
+produce the same result as an inverse query for "IBM-pc unix".  However,
+this cannot be guaranteed because name servers may possess RRs that
+contain character strings but the name server does not know that the
+data is character.
+
+When a name server processes an inverse query, it either returns:
+
+   1. zero, one, or multiple domain names for the specified
+      resource as QNAMEs in the question section
+
+
+
+Mockapetris                                                    [Page 40]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   2. an error code indicating that the name server doesn't support
+      inverse mapping of the specified resource type.
+
+When the response to an inverse query contains one or more QNAMEs, the
+owner name and TTL of the RR in the answer section which defines the
+inverse query is modified to exactly match an RR found at the first
+QNAME.
+
+RRs returned in the inverse queries cannot be cached using the same
+mechanism as is used for the replies to standard queries.  One reason
+for this is that a name might have multiple RRs of the same type, and
+only one would appear.  For example, an inverse query for a single
+address of a multiply homed host might create the impression that only
+one address existed.
+
+6.4.2. Inverse query and response example          The overall structure
+of an inverse query for retrieving the domain name that corresponds to
+Internet address 10.1.0.52 is shown below:
+
+                         +-----------------------------------------+
+           Header        |          OPCODE=IQUERY, ID=997          |
+                         +-----------------------------------------+
+          Question       |                 <empty>                 |
+                         +-----------------------------------------+
+           Answer        |        <anyname> A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+This query asks for a question whose answer is the Internet style
+address 10.1.0.52.  Since the owner name is not known, any domain name
+can be used as a placeholder (and is ignored).  A single octet of zero,
+signifying the root, is usually used because it minimizes the length of
+the message.  The TTL of the RR is not significant.  The response to
+this query might be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 41]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                         +-----------------------------------------+
+           Header        |         OPCODE=RESPONSE, ID=997         |
+                         +-----------------------------------------+
+          Question       |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
+                         +-----------------------------------------+
+           Answer        |  VENERA.ISI.EDU  A IN 10.1.0.52         |
+                         +-----------------------------------------+
+          Authority      |                 <empty>                 |
+                         +-----------------------------------------+
+         Additional      |                 <empty>                 |
+                         +-----------------------------------------+
+
+Note that the QTYPE in a response to an inverse query is the same as the
+TYPE field in the answer section of the inverse query.  Responses to
+inverse queries may contain multiple questions when the inverse is not
+unique.  If the question section in the response is not empty, then the
+RR in the answer section is modified to correspond to be an exact copy
+of an RR at the first QNAME.
+
+6.4.3. Inverse query processing
+
+Name servers that support inverse queries can support these operations
+through exhaustive searches of their databases, but this becomes
+impractical as the size of the database increases.  An alternative
+approach is to invert the database according to the search key.
+
+For name servers that support multiple zones and a large amount of data,
+the recommended approach is separate inversions for each zone.  When a
+particular zone is changed during a refresh, only its inversions need to
+be redone.
+
+Support for transfer of this type of inversion may be included in future
+versions of the domain system, but is not supported in this version.
+
+6.5. Completion queries and responses
+
+The optional completion services described in RFC-882 and RFC-883 have
+been deleted.  Redesigned services may become available in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 42]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7. RESOLVER IMPLEMENTATION
+
+The top levels of the recommended resolver algorithm are discussed in
+[RFC-1034].  This section discusses implementation details assuming the
+database structure suggested in the name server implementation section
+of this memo.
+
+7.1. Transforming a user request into a query
+
+The first step a resolver takes is to transform the client's request,
+stated in a format suitable to the local OS, into a search specification
+for RRs at a specific name which match a specific QTYPE and QCLASS.
+Where possible, the QTYPE and QCLASS should correspond to a single type
+and a single class, because this makes the use of cached data much
+simpler.  The reason for this is that the presence of data of one type
+in a cache doesn't confirm the existence or non-existence of data of
+other types, hence the only way to be sure is to consult an
+authoritative source.  If QCLASS=* is used, then authoritative answers
+won't be available.
+
+Since a resolver must be able to multiplex multiple requests if it is to
+perform its function efficiently, each pending request is usually
+represented in some block of state information.  This state block will
+typically contain:
+
+   - A timestamp indicating the time the request began.
+     The timestamp is used to decide whether RRs in the database
+     can be used or are out of date.  This timestamp uses the
+     absolute time format previously discussed for RR storage in
+     zones and caches.  Note that when an RRs TTL indicates a
+     relative time, the RR must be timely, since it is part of a
+     zone.  When the RR has an absolute time, it is part of a
+     cache, and the TTL of the RR is compared against the timestamp
+     for the start of the request.
+
+     Note that using the timestamp is superior to using a current
+     time, since it allows RRs with TTLs of zero to be entered in
+     the cache in the usual manner, but still used by the current
+     request, even after intervals of many seconds due to system
+     load, query retransmission timeouts, etc.
+
+   - Some sort of parameters to limit the amount of work which will
+     be performed for this request.
+
+     The amount of work which a resolver will do in response to a
+     client request must be limited to guard against errors in the
+     database, such as circular CNAME references, and operational
+     problems, such as network partition which prevents the
+
+
+
+Mockapetris                                                    [Page 43]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+     resolver from accessing the name servers it needs.  While
+     local limits on the number of times a resolver will retransmit
+     a particular query to a particular name server address are
+     essential, the resolver should have a global per-request
+     counter to limit work on a single request.  The counter should
+     be set to some initial value and decremented whenever the
+     resolver performs any action (retransmission timeout,
+     retransmission, etc.)  If the counter passes zero, the request
+     is terminated with a temporary error.
+
+     Note that if the resolver structure allows one request to
+     start others in parallel, such as when the need to access a
+     name server for one request causes a parallel resolve for the
+     name server's addresses, the spawned request should be started
+     with a lower counter.  This prevents circular references in
+     the database from starting a chain reaction of resolver
+     activity.
+
+   - The SLIST data structure discussed in [RFC-1034].
+
+     This structure keeps track of the state of a request if it
+     must wait for answers from foreign name servers.
+
+7.2. Sending the queries
+
+As described in [RFC-1034], the basic task of the resolver is to
+formulate a query which will answer the client's request and direct that
+query to name servers which can provide the information.  The resolver
+will usually only have very strong hints about which servers to ask, in
+the form of NS RRs, and may have to revise the query, in response to
+CNAMEs, or revise the set of name servers the resolver is asking, in
+response to delegation responses which point the resolver to name
+servers closer to the desired information.  In addition to the
+information requested by the client, the resolver may have to call upon
+its own services to determine the address of name servers it wishes to
+contact.
+
+In any case, the model used in this memo assumes that the resolver is
+multiplexing attention between multiple requests, some from the client,
+and some internally generated.  Each request is represented by some
+state information, and the desired behavior is that the resolver
+transmit queries to name servers in a way that maximizes the probability
+that the request is answered, minimizes the time that the request takes,
+and avoids excessive transmissions.  The key algorithm uses the state
+information of the request to select the next name server address to
+query, and also computes a timeout which will cause the next action
+should a response not arrive.  The next action will usually be a
+transmission to some other server, but may be a temporary error to the
+
+
+
+Mockapetris                                                    [Page 44]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+client.
+
+The resolver always starts with a list of server names to query (SLIST).
+This list will be all NS RRs which correspond to the nearest ancestor
+zone that the resolver knows about.  To avoid startup problems, the
+resolver should have a set of default servers which it will ask should
+it have no current NS RRs which are appropriate.  The resolver then adds
+to SLIST all of the known addresses for the name servers, and may start
+parallel requests to acquire the addresses of the servers when the
+resolver has the name, but no addresses, for the name servers.
+
+To complete initialization of SLIST, the resolver attaches whatever
+history information it has to the each address in SLIST.  This will
+usually consist of some sort of weighted averages for the response time
+of the address, and the batting average of the address (i.e., how often
+the address responded at all to the request).  Note that this
+information should be kept on a per address basis, rather than on a per
+name server basis, because the response time and batting average of a
+particular server may vary considerably from address to address.  Note
+also that this information is actually specific to a resolver address /
+server address pair, so a resolver with multiple addresses may wish to
+keep separate histories for each of its addresses.  Part of this step
+must deal with addresses which have no such history; in this case an
+expected round trip time of 5-10 seconds should be the worst case, with
+lower estimates for the same local network, etc.
+
+Note that whenever a delegation is followed, the resolver algorithm
+reinitializes SLIST.
+
+The information establishes a partial ranking of the available name
+server addresses.  Each time an address is chosen and the state should
+be altered to prevent its selection again until all other addresses have
+been tried.  The timeout for each transmission should be 50-100% greater
+than the average predicted value to allow for variance in response.
+
+Some fine points:
+
+   - The resolver may encounter a situation where no addresses are
+     available for any of the name servers named in SLIST, and
+     where the servers in the list are precisely those which would
+     normally be used to look up their own addresses.  This
+     situation typically occurs when the glue address RRs have a
+     smaller TTL than the NS RRs marking delegation, or when the
+     resolver caches the result of a NS search.  The resolver
+     should detect this condition and restart the search at the
+     next ancestor zone, or alternatively at the root.
+
+
+
+
+
+Mockapetris                                                    [Page 45]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   - If a resolver gets a server error or other bizarre response
+     from a name server, it should remove it from SLIST, and may
+     wish to schedule an immediate transmission to the next
+     candidate server address.
+
+7.3. Processing responses
+
+The first step in processing arriving response datagrams is to parse the
+response.  This procedure should include:
+
+   - Check the header for reasonableness.  Discard datagrams which
+     are queries when responses are expected.
+
+   - Parse the sections of the message, and insure that all RRs are
+     correctly formatted.
+
+   - As an optional step, check the TTLs of arriving data looking
+     for RRs with excessively long TTLs.  If a RR has an
+     excessively long TTL, say greater than 1 week, either discard
+     the whole response, or limit all TTLs in the response to 1
+     week.
+
+The next step is to match the response to a current resolver request.
+The recommended strategy is to do a preliminary matching using the ID
+field in the domain header, and then to verify that the question section
+corresponds to the information currently desired.  This requires that
+the transmission algorithm devote several bits of the domain ID field to
+a request identifier of some sort.  This step has several fine points:
+
+   - Some name servers send their responses from different
+     addresses than the one used to receive the query.  That is, a
+     resolver cannot rely that a response will come from the same
+     address which it sent the corresponding query to.  This name
+     server bug is typically encountered in UNIX systems.
+
+   - If the resolver retransmits a particular request to a name
+     server it should be able to use a response from any of the
+     transmissions.  However, if it is using the response to sample
+     the round trip time to access the name server, it must be able
+     to determine which transmission matches the response (and keep
+     transmission times for each outgoing message), or only
+     calculate round trip times based on initial transmissions.
+
+   - A name server will occasionally not have a current copy of a
+     zone which it should have according to some NS RRs.  The
+     resolver should simply remove the name server from the current
+     SLIST, and continue.
+
+
+
+
+Mockapetris                                                    [Page 46]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+7.4. Using the cache
+
+In general, we expect a resolver to cache all data which it receives in
+responses since it may be useful in answering future client requests.
+However, there are several types of data which should not be cached:
+
+   - When several RRs of the same type are available for a
+     particular owner name, the resolver should either cache them
+     all or none at all.  When a response is truncated, and a
+     resolver doesn't know whether it has a complete set, it should
+     not cache a possibly partial set of RRs.
+
+   - Cached data should never be used in preference to
+     authoritative data, so if caching would cause this to happen
+     the data should not be cached.
+
+   - The results of an inverse query should not be cached.
+
+   - The results of standard queries where the QNAME contains "*"
+     labels if the data might be used to construct wildcards.  The
+     reason is that the cache does not necessarily contain existing
+     RRs or zone boundary information which is necessary to
+     restrict the application of the wildcard RRs.
+
+   - RR data in responses of dubious reliability.  When a resolver
+     receives unsolicited responses or RR data other than that
+     requested, it should discard it without caching it.  The basic
+     implication is that all sanity checks on a packet should be
+     performed before any of it is cached.
+
+In a similar vein, when a resolver has a set of RRs for some name in a
+response, and wants to cache the RRs, it should check its cache for
+already existing RRs.  Depending on the circumstances, either the data
+in the response or the cache is preferred, but the two should never be
+combined.  If the data in the response is from authoritative data in the
+answer section, it is always preferred.
+
+8. MAIL SUPPORT
+
+The domain system defines a standard for mapping mailboxes into domain
+names, and two methods for using the mailbox information to derive mail
+routing information.  The first method is called mail exchange binding
+and the other method is mailbox binding.  The mailbox encoding standard
+and mail exchange binding are part of the DNS official protocol, and are
+the recommended method for mail routing in the Internet.  Mailbox
+binding is an experimental feature which is still under development and
+subject to change.
+
+
+
+
+Mockapetris                                                    [Page 47]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+The mailbox encoding standard assumes a mailbox name of the form
+"<local-part>@<mail-domain>".  While the syntax allowed in each of these
+sections varies substantially between the various mail internets, the
+preferred syntax for the ARPA Internet is given in [RFC-822].
+
+The DNS encodes the <local-part> as a single label, and encodes the
+<mail-domain> as a domain name.  The single label from the <local-part>
+is prefaced to the domain name from <mail-domain> to form the domain
+name corresponding to the mailbox.  Thus the mailbox HOSTMASTER@SRI-
+NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA.  If the
+<local-part> contains dots or other special characters, its
+representation in a master file will require the use of backslash
+quoting to ensure that the domain name is properly encoded.  For
+example, the mailbox Action.domains@ISI.EDU would be represented as
+Action\.domains.ISI.EDU.
+
+8.1. Mail exchange binding
+
+Mail exchange binding uses the <mail-domain> part of a mailbox
+specification to determine where mail should be sent.  The <local-part>
+is not even consulted.  [RFC-974] specifies this method in detail, and
+should be consulted before attempting to use mail exchange support.
+
+One of the advantages of this method is that it decouples mail
+destination naming from the hosts used to support mail service, at the
+cost of another layer of indirection in the lookup function.  However,
+the addition layer should eliminate the need for complicated "%", "!",
+etc encodings in <local-part>.
+
+The essence of the method is that the <mail-domain> is used as a domain
+name to locate type MX RRs which list hosts willing to accept mail for
+<mail-domain>, together with preference values which rank the hosts
+according to an order specified by the administrators for <mail-domain>.
+
+In this memo, the <mail-domain> ISI.EDU is used in examples, together
+with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
+ISI.EDU.  If a mailer had a message for Mockapetris@ISI.EDU, it would
+route it by looking up MX RRs for ISI.EDU.  The MX RRs at ISI.EDU name
+VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
+addresses.
+
+8.2. Mailbox binding (Experimental)
+
+In mailbox binding, the mailer uses the entire mail destination
+specification to construct a domain name.  The encoded domain name for
+the mailbox is used as the QNAME field in a QTYPE=MAILB query.
+
+Several outcomes are possible for this query:
+
+
+
+Mockapetris                                                    [Page 48]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+   1. The query can return a name error indicating that the mailbox
+      does not exist as a domain name.
+
+      In the long term, this would indicate that the specified
+      mailbox doesn't exist.  However, until the use of mailbox
+      binding is universal, this error condition should be
+      interpreted to mean that the organization identified by the
+      global part does not support mailbox binding.  The
+      appropriate procedure is to revert to exchange binding at
+      this point.
+
+   2. The query can return a Mail Rename (MR) RR.
+
+      The MR RR carries new mailbox specification in its RDATA
+      field.  The mailer should replace the old mailbox with the
+      new one and retry the operation.
+
+   3. The query can return a MB RR.
+
+      The MB RR carries a domain name for a host in its RDATA
+      field.  The mailer should deliver the message to that host
+      via whatever protocol is applicable, e.g., b,SMTP.
+
+   4. The query can return one or more Mail Group (MG) RRs.
+
+      This condition means that the mailbox was actually a mailing
+      list or mail group, rather than a single mailbox.  Each MG RR
+      has a RDATA field that identifies a mailbox that is a member
+      of the group.  The mailer should deliver a copy of the
+      message to each member.
+
+   5. The query can return a MB RR as well as one or more MG RRs.
+
+      This condition means the the mailbox was actually a mailing
+      list.  The mailer can either deliver the message to the host
+      specified by the MB RR, which will in turn do the delivery to
+      all members, or the mailer can use the MG RRs to do the
+      expansion itself.
+
+In any of these cases, the response may include a Mail Information
+(MINFO) RR.  This RR is usually associated with a mail group, but is
+legal with a MB.  The MINFO RR identifies two mailboxes.  One of these
+identifies a responsible person for the original mailbox name.  This
+mailbox should be used for requests to be added to a mail group, etc.
+The second mailbox name in the MINFO RR identifies a mailbox that should
+receive error messages for mail failures.  This is particularly
+appropriate for mailing lists when errors in member names should be
+reported to a person other than the one who sends a message to the list.
+
+
+
+Mockapetris                                                    [Page 49]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+New fields may be added to this RR in the future.
+
+
+9. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87]       S. Dyer, F. Hsu, "Hesiod", Project Athena
+                Technical Plan - Name Service, April 1987, version 1.9.
+
+                Describes the fundamentals of the Hesiod name service.
+
+[IEN-116]       J. Postel, "Internet Name Server", IEN-116,
+                USC/Information Sciences Institute, August 1979.
+
+                A name service obsoleted by the Domain Name System, but
+                still in use.
+
+[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
+                Communications of the ACM, October 1986, volume 29, number
+                10.
+
+[RFC-742]       K. Harrenstien, "NAME/FINGER", RFC-742, Network
+                Information Center, SRI International, December 1977.
+
+[RFC-768]       J. Postel, "User Datagram Protocol", RFC-768,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-793]       J. Postel, "Transmission Control Protocol", RFC-793,
+                USC/Information Sciences Institute, September 1981.
+
+[RFC-799]       D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+                September 1981.
+
+                Suggests introduction of a hierarchy in place of a flat
+                name space for the Internet.
+
+[RFC-805]       J. Postel, "Computer Mail Meeting Notes", RFC-805,
+                USC/Information Sciences Institute, February 1982.
+
+[RFC-810]       E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+                Internet Host Table Specification", RFC-810, Network
+                Information Center, SRI International, March 1982.
+
+                Obsolete.  See RFC-952.
+
+[RFC-811]       K. Harrenstien, V. White, and E. Feinler, "Hostnames
+                Server", RFC-811, Network Information Center, SRI
+                International, March 1982.
+
+
+
+
+Mockapetris                                                    [Page 50]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Obsolete.  See RFC-953.
+
+[RFC-812]       K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+                Network Information Center, SRI International, March
+                1982.
+
+[RFC-819]       Z. Su, and J. Postel, "The Domain Naming Convention for
+                Internet User Applications", RFC-819, Network
+                Information Center, SRI International, August 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-821]       J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+                USC/Information Sciences Institute, August 1980.
+
+[RFC-830]       Z. Su, "A Distributed System for Internet Name Service",
+                RFC-830, Network Information Center, SRI International,
+                October 1982.
+
+                Early thoughts on the design of the domain system.
+                Current implementation is completely different.
+
+[RFC-882]       P. Mockapetris, "Domain names - Concepts and
+                Facilities," RFC-882, USC/Information Sciences
+                Institute, November 1983.
+
+                Superceeded by this memo.
+
+[RFC-883]       P. Mockapetris, "Domain names - Implementation and
+                Specification," RFC-883, USC/Information Sciences
+                Institute, November 1983.
+
+                Superceeded by this memo.
+
+[RFC-920]       J. Postel and J. Reynolds, "Domain Requirements",
+                RFC-920, USC/Information Sciences Institute,
+                October 1984.
+
+                Explains the naming scheme for top level domains.
+
+[RFC-952]       K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+                Table Specification", RFC-952, SRI, October 1985.
+
+                Specifies the format of HOSTS.TXT, the host/address
+                table replaced by the DNS.
+
+
+
+
+
+Mockapetris                                                    [Page 51]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+[RFC-953]       K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+                RFC-953, SRI, October 1985.
+
+                This RFC contains the official specification of the
+                hostname server protocol, which is obsoleted by the DNS.
+                This TCP based protocol accesses information stored in
+                the RFC-952 format, and is used to obtain copies of the
+                host table.
+
+[RFC-973]       P. Mockapetris, "Domain System Changes and
+                Observations", RFC-973, USC/Information Sciences
+                Institute, January 1986.
+
+                Describes changes to RFC-882 and RFC-883 and reasons for
+                them.
+
+[RFC-974]       C. Partridge, "Mail routing and the domain system",
+                RFC-974, CSNET CIC BBN Labs, January 1986.
+
+                Describes the transition from HOSTS.TXT based mail
+                addressing to the more powerful MX system used with the
+                domain system.
+
+[RFC-1001]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Concepts and Methods",
+                RFC-1001, March 1987.
+
+                This RFC and RFC-1002 are a preliminary design for
+                NETBIOS on top of TCP/IP which proposes to base NetBIOS
+                name service on top of the DNS.
+
+[RFC-1002]      NetBIOS Working Group, "Protocol standard for a NetBIOS
+                service on a TCP/UDP transport: Detailed
+                Specifications", RFC-1002, March 1987.
+
+[RFC-1010]      J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
+                USC/Information Sciences Institute, May 1987.
+
+                Contains socket numbers and mnemonics for host names,
+                operating systems, etc.
+
+[RFC-1031]      W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+                November 1987.
+
+                Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032]      M. Stahl, "Establishing a Domain - Guidelines for
+                Administrators", RFC-1032, November 1987.
+
+
+
+Mockapetris                                                    [Page 52]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+                Describes the registration policies used by the NIC to
+                administer the top level domains and delegate subzones.
+
+[RFC-1033]      M. Lottor, "Domain Administrators Operations Guide",
+                RFC-1033, November 1987.
+
+                A cookbook for domain administrators.
+
+[Solomon 82]    M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+                Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+                Describes a name service for CSNET which is independent
+                from the DNS and DNS use in the CSNET.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 53]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+Index
+
+          *   13
+
+          ;   33, 35
+
+          <character-string>   35
+          <domain-name>   34
+
+          @   35
+
+          \   35
+
+          A   12
+
+          Byte order   8
+
+          CH   13
+          Character case   9
+          CLASS   11
+          CNAME   12
+          Completion   42
+          CS   13
+
+          Hesiod   13
+          HINFO   12
+          HS   13
+
+          IN   13
+          IN-ADDR.ARPA domain   22
+          Inverse queries   40
+
+          Mailbox names   47
+          MB   12
+          MD   12
+          MF   12
+          MG   12
+          MINFO   12
+          MINIMUM   20
+          MR   12
+          MX   12
+
+          NS   12
+          NULL   12
+
+          Port numbers   32
+          Primary server   5
+          PTR   12, 18
+
+
+
+Mockapetris                                                    [Page 54]
+
+RFC 1035        Domain Implementation and Specification    November 1987
+
+
+          QCLASS   13
+          QTYPE   12
+
+          RDATA   12
+          RDLENGTH  11
+
+          Secondary server   5
+          SOA   12
+          Stub resolvers   7
+
+          TCP   32
+          TXT   12
+          TYPE   11
+
+          UDP   32
+
+          WKS   12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris                                                    [Page 55]
+
diff --git a/lib/dns/tests/testdata/master/master1.data b/lib/dns/tests/testdata/master/master1.data
new file mode 100644
index 0000000..030bc68
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master1.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master10.data b/lib/dns/tests/testdata/master/master10.data
new file mode 100644
index 0000000..9ee052f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master10.data
@@ -0,0 +1,7 @@
+;
+;	the following black line contains spaces
+
+;
+@	300	IN	A	10.0.0.1
+	;
+;
diff --git a/lib/dns/tests/testdata/master/master11.data b/lib/dns/tests/testdata/master/master11.data
new file mode 100644
index 0000000..0aaec25
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master11.data
@@ -0,0 +1,6 @@
+;
+;	The following serial number contains a leading 0 and a 9 so the
+;	we can catch cases where it is incorrectly treated as a octal
+;	number.
+;
+@	300	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
diff --git a/lib/dns/tests/testdata/master/master12.data.in b/lib/dns/tests/testdata/master/master12.data.in
new file mode 100644
index 0000000..3634388
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master12.data.in
@@ -0,0 +1 @@
+00000002000000004ed7306600000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master13.data.in b/lib/dns/tests/testdata/master/master13.data.in
new file mode 100644
index 0000000..d1c262f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master13.data.in
@@ -0,0 +1 @@
+00000002000000014ed7337f00000000000000000000000000000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master14.data.in b/lib/dns/tests/testdata/master/master14.data.in
new file mode 100644
index 0000000..149a25f
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master14.data.in
@@ -0,0 +1 @@
+00000002000000014ed7337f0000000277df41e50000000000000051000100060000000003e80000000100060474657374000035096c6f63616c686f7374000a706f73746d6173746572096c6f63616c686f73740076cb8ab100000e100000070800093a8000000e1000000046000100020000000003e8000000030006047465737400000c026e730376697803636f6d00000d036e73320376697803636f6d00000d036e73330376697803636f6d0000000022000100010000000003e80000000100080162047465737400000401020304
diff --git a/lib/dns/tests/testdata/master/master15.data b/lib/dns/tests/testdata/master/master15.data
new file mode 100644
index 0000000..cf413ce
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master15.data
@@ -0,0 +1,1609 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
+c		in	txt	( TOOBIGTOOBIGTOOBIGTOOBIGTOOBIGTOOBI
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890 )
diff --git a/lib/dns/tests/testdata/master/master16.data b/lib/dns/tests/testdata/master/master16.data
new file mode 100644
index 0000000..e969bd3
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master16.data
@@ -0,0 +1,1609 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+b		in	a	1.2.3.4
+c		in	txt	( MAXSIZSEMAXSIZSEMAXSIZSEMAXSIZSMAX
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890
+				  1234567890123456789012345678901234567890 )
diff --git a/lib/dns/tests/testdata/master/master17.data b/lib/dns/tests/testdata/master/master17.data
new file mode 100644
index 0000000..4b2b63d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master17.data
@@ -0,0 +1,14 @@
+$ORIGIN test.
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.test.
+		in	ns	ns2.test.
+		in	ns	ns3.test.
+b		in	a	1.2.3.4
+$ORIGIN sub.test.
+		in	a	4.3.2.1
diff --git a/lib/dns/tests/testdata/master/master18.data b/lib/dns/tests/testdata/master/master18.data
new file mode 100644
index 0000000..dddf04e
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master18.data
@@ -0,0 +1,10 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+$INCLUDE "testkeys/Kexample.+008+20386.key";
+$INCLUDE "testkeys/Kexample.+008+37464.key";
diff --git a/lib/dns/tests/testdata/master/master2.data b/lib/dns/tests/testdata/master/master2.data
new file mode 100644
index 0000000..b8ca38d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master2.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master3.data b/lib/dns/tests/testdata/master/master3.data
new file mode 100644
index 0000000..7283af6
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master3.data
@@ -0,0 +1,11 @@
+$TTL 1000
+		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com
+		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master4.data b/lib/dns/tests/testdata/master/master4.data
new file mode 100644
index 0000000..3a694ea
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master4.data
@@ -0,0 +1,11 @@
+
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		in	ns	ns.vix.com.
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master5.data b/lib/dns/tests/testdata/master/master5.data
new file mode 100644
index 0000000..95234bd
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master5.data
@@ -0,0 +1,11 @@
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+a		any	ns	ns.vix.com.
+a		in	ns	ns2vix.com.
+a		in	ns	ns3vix.com.
+b		in	a	1.2.3.4
diff --git a/lib/dns/tests/testdata/master/master6.data b/lib/dns/tests/testdata/master/master6.data
new file mode 100644
index 0000000..a9a37bb
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master6.data
@@ -0,0 +1,33 @@
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+secure1	3600 IN	 DNSKEY (
+		FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
+		3 3
+		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
+		2OYggnPIzrgayyepgKU1PfTTypnJDTwrSrtISyEsj7tjM7/n
+		03DP8VWSn0aLwpUuc7Sx9vtM1Wi+YeiA4Bv2Oz1VB9de4qql
+		sIq+KLn8J4wz95bGnJ0mHUB7oTDJ3Hl1zeaCMdX69Kr46yAY
+		AvGJJdGGDYxYgxzx2zNdzypkYSkxpdsNqUt38tabSfdvCn12
+		pnmSWjlVJsjHhsaYnrPhouN5acOXMNbxNVbGU5LZ8Es6EYbV
+		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
+		oFq/TNZlSe+N )
+
+secure2	3600 in	 DNSKEY (
+		flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
+		3 3
+		ArT0a8FtOZWEONG2YQVl9+RA34op30JPz4NPEroCxm2yImT2
+		2OYggnPIzrgayyepgKU1PfTTypnJDTwrSrtISyEsj7tjM7/n
+		03DP8VWSn0aLwpUuc7Sx9vtM1Wi+YeiA4Bv2Oz1VB9de4qql
+		sIq+KLn8J4wz95bGnJ0mHUB7oTDJ3Hl1zeaCMdX69Kr46yAY
+		AvGJJdGGDYxYgxzx2zNdzypkYSkxpdsNqUt38tabSfdvCn12
+		pnmSWjlVJsjHhsaYnrPhouN5acOXMNbxNVbGU5LZ8Es6EYbV
+		/7YMt8VUkA8/8UCszBBT7XAJ3OFjiMO8mvxrZZFzvwJlPBQ1
+		oFq/TNZlSe+N )
+
diff --git a/lib/dns/tests/testdata/master/master7.data b/lib/dns/tests/testdata/master/master7.data
new file mode 100644
index 0000000..2638b5d
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master7.data
@@ -0,0 +1,17 @@
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+
+secure1	3600 IN	 DNSKEY (
+		NOKEY|FLAG2|FLAG4|FLAG5|NTYP3|FLAG8|FLAG9|FLAG10|FLAG11|SIG15
+		3 3 )
+
+secure2	3600 in	 DNSKEY (
+		nokey|flag2|flag4|flag5|ntyp3|flag8|flag9|flag10|flag11|sig15
+		3 3 )
+
diff --git a/lib/dns/tests/testdata/master/master8.data b/lib/dns/tests/testdata/master/master8.data
new file mode 100644
index 0000000..2210f42
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master8.data
@@ -0,0 +1,4 @@
+;
+; master7.data contains a good zone file
+;
+$include testdata/master/master7.data
diff --git a/lib/dns/tests/testdata/master/master9.data b/lib/dns/tests/testdata/master/master9.data
new file mode 100644
index 0000000..b22688b
--- /dev/null
+++ b/lib/dns/tests/testdata/master/master9.data
@@ -0,0 +1,4 @@
+;
+;	master5.data is bad
+;
+$include testdata/master/master5.data
diff --git a/lib/dns/tests/testdata/nsec3/1024.db b/lib/dns/tests/testdata/nsec3/1024.db
new file mode 100644
index 0000000..2e7f182
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/1024.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 1024 bit key.
+test. IN DNSKEY 256 3 5 AwEAAd5oKx06HRE6NRrTDz49lljdRmxgp/4YB/cyMkpwUMkaLhDNCfTq hql84ab2LRbtUWLHFXGWENvxPGQzVHeleXu+3ThNfFOwIaySedxHmLGT lTtBRDhPc8iSb+2IYDemmA+ut8kwHhCVz/tDMbD/dgAswdOtmXCpQyJk Q1HqY3Xj
diff --git a/lib/dns/tests/testdata/nsec3/2048.db b/lib/dns/tests/testdata/nsec3/2048.db
new file mode 100644
index 0000000..eed399a
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/2048.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
diff --git a/lib/dns/tests/testdata/nsec3/4096.db b/lib/dns/tests/testdata/nsec3/4096.db
new file mode 100644
index 0000000..b5c8b7e
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/4096.db
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/nsec3/min-1024.db b/lib/dns/tests/testdata/nsec3/min-1024.db
new file mode 100644
index 0000000..7d0f95c
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/min-1024.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 1024 bit key.
+test. IN DNSKEY 256 3 5 AwEAAd5oKx06HRE6NRrTDz49lljdRmxgp/4YB/cyMkpwUMkaLhDNCfTq hql84ab2LRbtUWLHFXGWENvxPGQzVHeleXu+3ThNfFOwIaySedxHmLGT lTtBRDhPc8iSb+2IYDemmA+ut8kwHhCVz/tDMbD/dgAswdOtmXCpQyJk Q1HqY3Xj
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/nsec3/min-2048.db b/lib/dns/tests/testdata/nsec3/min-2048.db
new file mode 100644
index 0000000..027c0b9
--- /dev/null
+++ b/lib/dns/tests/testdata/nsec3/min-2048.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 0
+test. SOA . . 0 0 0 0 0
+test. NS .
+; 2048 bits
+test. IN DNSKEY 256 3 5 AwEAAcfQX59iZr9gK+XzhTZQ5KWrfCLA0iYHTqheEIhC2dXS8gUSppQS g9SmzH2129u/LSSb7gqJSoLLAsn36iinqCqUXl2BT6xzwznbSP3mn0hn N6DegsykcYhHycKH6ifjZiMN+SGGeNsi5rhoW5Cj9ptw3C3yQnrFNDbS GZCT97z5lpQU3ZcvP4RDNk7dhri7Bh3SJeaCFoqx00NgFvlBR48hosSG bGUbUKzNf58GBTkW4Us2jIWsreZx8LLLev232Hy7NU9L19k+hVq7pJOf Uvtrn5fmGSutWOzsR+8EacOnh0lwssCKjutk5MSmfdFC5P7CTZkdq58L 8he13HGmr00=
+; 4096 bits
+test. IN DNSKEY 256 3 5 AwEAAbYlqbKxXoq9mzkqdsAaSZ3XywBVAb2sCTgrQBCExyGEYNpWw3LN +imCrLQi7jHKQW6GZIqKNgQaiFEwr3zK8nPWbwNwyKU9a2hhINv/gim1 5iA87Vu7DiiJrQ0O79ospvsGsKknBQ41zaaQMp3Q/W1S6WNe4uyh4C/f R0qmxT+8MyXEqCpTGb+e+YT6BuqpNQPuYYYvUJ1/HJltzY/lY2b9RZ+Q ZJ23Zje79YIRM0kJapqj11fDUDeynhDL1DUikYCwRfQiO/blChhOHjIa uTK1qqRY3fqanLGOufpLTr7GRpL7RxeRIMJfDzmcjFLmCsMA1AJ56Bxq jiXr3ODgn9D30vAB74Lr7lqLQSWyrSlJjoZLLhmPrEP/nnuCxEhOhDRA XJpJWpcQ4Hdu+yb5K/qldnsGLLI1Hr0GmhLTDHsxDb6BxM7/8rv8QeQY GKSGshBqD2lO1xUVT8inbi8uXI1iyN68vHX6xoFT5wsjls70PxSZPO5i F40vn6BWNsHtKWOCDqMKYx8hYwiv0zETVwxBaj58vylFwYGU+g1wIQmF Pgi2HKv4KaxgikUvdFISre5rxVoG5VrmmXWiNJcLTbwZ+tE1xujCNU1c V31CaIB5hdSnkEvQADr5V64RTxWAKuSLNMU+XUqTkaJHasSm3OPJOteo SPj2uoesuxNFYps3
diff --git a/lib/dns/tests/testdata/zt/zone1.db b/lib/dns/tests/testdata/zt/zone1.db
new file mode 100644
index 0000000..8286d88
--- /dev/null
+++ b/lib/dns/tests/testdata/zt/zone1.db
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 1000
+@		in	soa	localhost. postmaster.localhost. (
+				1993050801	;serial
+				3600		;refresh
+				1800		;retry
+				604800		;expiration
+				3600 )		;minimum
+		in	ns	ns.vix.com.
+		in	ns	ns2.vix.com.
+		in	ns	ns3.vix.com.
+a		in	a	1.2.3.4
diff --git a/lib/dns/tests/testkeys/Kexample.+008+20386.key b/lib/dns/tests/testkeys/Kexample.+008+20386.key
new file mode 100644
index 0000000..3404dca
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+20386.key
@@ -0,0 +1,5 @@
+; This is a key-signing key, keyid 20386, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 257 3 8 AwEAAZd7/hBRvMooz0sepkD/2r3Bp021f8lGzDj6sZEVbg1hcqZTzURc eGkS541wyOqjvJv2KBi5qLLE2HthmexmOBycjTQ7EiKd1P9bE8RgF8Et j73X/CHLiX6YL7cb93TXWiUvbRh4E6D2URgOmxMdMOXTuCvjvDaGVCOt Jc77UUosuBeurZzP8g8t/zccAUTzu2cdRyI5/ZxOBfJaDtc9TlRdWsaN Af+nT0C14ccH7QVlKjjaYV4lXueruDW3yTTzu9bQ1ikgegsCLi/tcD/1 dWTOI9whV06szs+ouhuJkZuhIjrGDtOHCpjPjIxOOrIZceU1YSY30kAR QNVzshJqyx8=
diff --git a/lib/dns/tests/testkeys/Kexample.+008+20386.private b/lib/dns/tests/testkeys/Kexample.+008+20386.private
new file mode 100644
index 0000000..d8cff93
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+20386.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: l3v+EFG8yijPSx6mQP/avcGnTbV/yUbMOPqxkRVuDWFyplPNRFx4aRLnjXDI6qO8m/YoGLmossTYe2GZ7GY4HJyNNDsSIp3U/1sTxGAXwS2Pvdf8IcuJfpgvtxv3dNdaJS9tGHgToPZRGA6bEx0w5dO4K+O8NoZUI60lzvtRSiy4F66tnM/yDy3/NxwBRPO7Zx1HIjn9nE4F8loO1z1OVF1axo0B/6dPQLXhxwftBWUqONphXiVe56u4NbfJNPO71tDWKSB6CwIuL+1wP/V1ZM4j3CFXTqzOz6i6G4mRm6EiOsYO04cKmM+MjE46shlx5TVhJjfSQBFA1XOyEmrLHw==
+PublicExponent: AQAB
+PrivateExponent: aSkynrGfldfuz/9e+xCjEcg2FMRDCb+UVpnyWv29gJx9sunKPgLTtF3jUVVSpVE1xi+EdmWsry3n+v8uk+YCXhpwDCpV1KItE3huqIzs8LZoaypdZjieIrwTo9JOX1aAxf++hJYXSk60zTaWgRZqs6He4Nkf99oY3wt8i8v8CrkfQy76K/qK9xUVv5GHrEZzCGLfLv77eqDab/J84ANxc0kUtQvgt2/JTHofXmcA6/YDh5PWB8KRw1PjQTck61/xIgfI6ky/yIF1riCQCYXwTv7jcmMV/QvQ+dfN+HZ2CSGp7xcH2Yxe9OhAY823ZkmkOQ2YZPjIj6dEoRMmSiaagQ==
+Prime1: x2GMnpRPwvUhM+yPRa7nh5Jjl4mbofeOtVrxe1hEVy8l2UGFh+FDZCbyoLRNUTYDji00NHpGtmcAyoY9pLdOn7ci4zqGVnNJcIY75Ie4p6J7pPfDh9d+AGtJ5NpNhr1sjD0bFncJC2FGY9vj4eC0CkatMu/Qovrd2FwZ8VpDsAk=
+Prime2: woB8MYsEfSYGD0hZGtmgK6UQ+Oo9smxdPmahLYXnLSAdqtqZbZX+ABk/kFduT+XwlHOXmp3HMmUtQTRZBaQyBrsFWfWjOGevByEsT9aLQSZOEgnqy4xrc9XNwDs4/WkrEgw/TOVnZYdaCyLxsFl4bpTX8Fj3yVqg/tJvuUMWG+c=
+Exponent1: iQO7a9rF+VcVSyZ8yslIaL0r3Z5+Kk8CbhSiMD5XMIbA/sztI5SlCDVPtSpSm8V/qfvcjVeeMokUXRjlUcV6rX1f50F3wf8V79L/Y6v1NJYPXC273CU1fLo+HJv8fOS9rJ3teIGy4HQnuEYLE1WkxA8PxRpSiT3WqHGajmaWb2k=
+Exponent2: elMWSI5Wz2KXkwr8Rz+xVWGl7/ZZwRoX9oPTQG8jeiTlo6uBrQMVUPiQGnZyQTuq96JPKYWrXs11DbofdsXSVJtQfUhYU8QZtxEs7jVPNTUjCoNEMKnqdlpz4T8d03pOBTbApNruEVNz1OcwO6m5bUqdGGLLy838zOaKL2i6wec=
+Coefficient: q2mejAmT3A4H2C0rT1hm8XQFuISHjAAEyM9t09Q8tEeQ0lHi4gMVA3bXoAn9U21eBkFQDwvyB0vqlVSGgRqHovOKx9uXAU9eoDxGcJsFlGsM0aUsUjGVXv5kVmaw8a5PHBbvYAbgAZUmKqrVF0PWD3o+/DbzP9PCmlJcqxoAulU=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/testkeys/Kexample.+008+37464.key b/lib/dns/tests/testkeys/Kexample.+008+37464.key
new file mode 100644
index 0000000..3dd0619
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+37464.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 37464, for example.
+; Created: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Publish: 20000101000000 (Sat Jan  1 00:00:00 2000)
+; Activate: 20000101000000 (Sat Jan  1 00:00:00 2000)
+example. IN DNSKEY 256 3 8 AwEAAbxHOF8G0xw9ekCodhL8KivuZ3o0jmGlycLiXBjBN8c5R5fjLjUh D0gy3IDbDC+kLaPhHGF/MwrSEjrgSowxZ8nrxDzsq5ZdpeUsYaNrbQEY /mqf35T/9/Ulm4v06x58v/NTugWd05Xq04aAyfm7EViyGFzmVOVfPnll h9xQtvWEWoRWPseFw+dY5/nc/+xB/IsQMihoH2rO+cek/lsP3R9DsHCG RbQ/ks/+rrp6/O+QJZyZrzsONl7mlMDXNy3Pz9J4qMW2W6Mz702LN324 7/9UsetDGGbuZfrCLMpKWXzdsJm36DOk4aMooS9111plfXaXQgQNcL5G 021utpTau+8=
diff --git a/lib/dns/tests/testkeys/Kexample.+008+37464.private b/lib/dns/tests/testkeys/Kexample.+008+37464.private
new file mode 100644
index 0000000..ecc2ad0
--- /dev/null
+++ b/lib/dns/tests/testkeys/Kexample.+008+37464.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: vEc4XwbTHD16QKh2EvwqK+5nejSOYaXJwuJcGME3xzlHl+MuNSEPSDLcgNsML6Qto+EcYX8zCtISOuBKjDFnyevEPOyrll2l5Sxho2ttARj+ap/flP/39SWbi/TrHny/81O6BZ3TlerThoDJ+bsRWLIYXOZU5V8+eWWH3FC29YRahFY+x4XD51jn+dz/7EH8ixAyKGgfas75x6T+Ww/dH0OwcIZFtD+Sz/6uunr875AlnJmvOw42XuaUwNc3Lc/P0nioxbZbozPvTYs3fbjv/1Sx60MYZu5l+sIsykpZfN2wmbfoM6ThoyihL3XXWmV9dpdCBA1wvkbTbW62lNq77w==
+PublicExponent: AQAB
+PrivateExponent: AhR3VvVoV6OGOjiiNUt728hidEMoX4PJWtHNWqinyRek5tSnqgaXeKC3NuU0mUIjDvBps9oH4lK3yNa5fBr/nodwP4wNyTd3obR/z6JcLersxJjHi4nYX2ju8vjdsBSIulNudqlrsPhLJe0+Tff3FRfClSQmQ/JtakHo4lIx8zxiOJY8aWFeHGdWJDkAf6NStt3eVYyOyAwISfv3muaGPZKShiIOfLyTvqFqzwYFgdTWmvFqTdwgjIMc5XAwqw73WP2BPCN+fdCiMtrw0fCrhWzw/gfMJBHdOPH0diUZysAJhM0vdVKQzEi/g3YOo00fahZiPzaxNtZnLNj2mA54YQ==
+Prime1: 5YpfVjEtL1owW9gSFbIMx65POr+fiktxirgy1bc5fSsVqUgG6zhbaN/VpWcNZG0Zg5xd6S7C8V3djGlnJN8wZIyjIh7+Z3WWjqbOD9oY7rC1fR+W0OvbCmZiEzOpRJ5qoMOh1MzkkanhMy0/ICpaa8eQ9zEb80oTIQpFgoLn7K0=
+Prime2: 0fs3ncL5/2qzq2dmPXLYcOfc1EGSuESO0VpREP8EpTkyPKeVw5LaF9TgZRqPWlRf2T0LPoZ766xLAn090u0pLQ5fWM96NMas7kS+rxtRssat6MiQo3YfoU3ysk3xuPzrMBHyn/N42CjSG+bJEToHR7V16KsCT6dBIPkI3tj/Yos=
+Exponent1: Bdsp44ENrg+W/EDe9T69pLqFuvH4mAaktu1MHre198OJoe/8fTPK4ToUsUuXw+Akrn7mxnQy9QV4CYUG5KHtEiOkZdJ0mx8c4DbROwZNbImFl9OefWYHCJTkG6lNwDpqbf+PuWYgzraO0EdvPNrXw7grsqLGG8bgBg/FBjdgw2E=
+Exponent2: uV1pxW0fwGhzX3aR/ODrTRCCEyYn3V84LHvsYHKfqTOKs5zFSrbSrIMR7G676ePeESogSPvzXSLlvLbO4urVlJ7BcOcHXJuegWBSbMZTItzdHUgg1wwp8/2Zp+nC36j1/aN6adVG8ptmj5b2HKz7TERWaCS+j454oiD1wbQSDu0=
+Coefficient: JO6RxBIaoEd/Z4ITcsYT8TslP1KmIuAqdhMt3FSpqeogUDut7f3FZIEyNi4wsrSK5peIQSVmO2pQLupS+eRIPHXZ1vh5kcFAsgd7XBb7Fvsg26/WSjhB4wjx+wgWzVomK0519pfdtH854fePWPkdDKtLNL2zh0APne3GjwrbNEM=
+Created: 20000101000000
+Publish: 20000101000000
+Activate: 20000101000000
diff --git a/lib/dns/tests/time_test.c b/lib/dns/tests/time_test.c
new file mode 100644
index 0000000..28b72b6
--- /dev/null
+++ b/lib/dns/tests/time_test.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <unistd.h>
+
+#include <dns/time.h>
+
+#include "dnstest.h"
+
+#define TEST_ORIGIN	"test"
+
+/*
+ * Individual unit tests
+ */
+
+/* value = 0xfffffffff <-> 19691231235959 */
+ATF_TC(epoch_minus_one);
+ATF_TC_HEAD(epoch_minus_one, tc) {
+  atf_tc_set_md_var(tc, "descr", "0xffffffff <-> 19691231235959");
+}
+ATF_TC_BODY(epoch_minus_one, tc) {
+	const char *test_text = "19691231235959";
+	const uint32_t test_time = 0xffffffff;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/* value = 0x000000000 <-> 19700101000000*/
+ATF_TC(epoch);
+ATF_TC_HEAD(epoch, tc) {
+  atf_tc_set_md_var(tc, "descr", "0x00000000 <-> 19700101000000");
+}
+ATF_TC_BODY(epoch, tc) {
+	const char *test_text = "19700101000000";
+	const uint32_t test_time = 0x00000000;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/* value = 0x7fffffff <-> 20380119031407 */
+ATF_TC(half_maxint);
+ATF_TC_HEAD(half_maxint, tc) {
+  atf_tc_set_md_var(tc, "descr", "0x7fffffff <-> 20380119031407");
+}
+ATF_TC_BODY(half_maxint, tc) {
+	const char *test_text = "20380119031407";
+	const uint32_t test_time = 0x7fffffff;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/* value = 0x80000000 <-> 20380119031408 */
+ATF_TC(half_plus_one);
+ATF_TC_HEAD(half_plus_one, tc) {
+  atf_tc_set_md_var(tc, "descr", "0x80000000 <-> 20380119031408");
+}
+ATF_TC_BODY(half_plus_one, tc) {
+	const char *test_text = "20380119031408";
+	const uint32_t test_time = 0x80000000;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/* value = 0xef68f5d0 <-> 19610307130000 */
+ATF_TC(fifty_before);
+ATF_TC_HEAD(fifty_before, tc) {
+  atf_tc_set_md_var(tc, "descr", "0xef68f5d0 <-> 19610307130000");
+}
+ATF_TC_BODY(fifty_before, tc) {
+	isc_result_t result;
+	const char *test_text = "19610307130000";
+	const uint32_t test_time = 0xef68f5d0;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/* value = 0x4d74d6d0 <-> 20110307130000 */
+ATF_TC(some_ago);
+ATF_TC_HEAD(some_ago, tc) {
+  atf_tc_set_md_var(tc, "descr", "0x4d74d6d0 <-> 20110307130000");
+}
+ATF_TC_BODY(some_ago, tc) {
+	const char *test_text = "20110307130000";
+	const uint32_t test_time = 0x4d74d6d0;
+	isc_result_t result;
+	isc_buffer_t target;
+	uint32_t when;
+	char buf[128];
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	memset(buf, 0, sizeof(buf));
+	isc_buffer_init(&target, buf, sizeof(buf));
+	result = dns_time32_totext(test_time, &target);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ(buf, test_text);
+	result = dns_time32_fromtext(test_text, &when);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(when, test_time);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, epoch_minus_one);
+	ATF_TP_ADD_TC(tp, epoch);
+	ATF_TP_ADD_TC(tp, half_maxint);
+	ATF_TP_ADD_TC(tp, half_plus_one);
+	ATF_TP_ADD_TC(tp, fifty_before);
+	ATF_TP_ADD_TC(tp, some_ago);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
new file mode 100644
index 0000000..443fb36
--- /dev/null
+++ b/lib/dns/tests/tsig_test.c
@@ -0,0 +1,491 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+#include <atf-c.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/tsig.h>
+
+#include "dnstest.h"
+
+
+static int debug = 0;
+
+static isc_result_t
+add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
+	dns_rdata_any_tsig_t tsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t databuf;
+	isc_region_t r;
+	isc_result_t result;
+	unsigned char tsigbuf[1024];
+
+	isc_buffer_usedregion(buf, &r);
+	dns_rdata_fromregion(&rdata, dns_rdataclass_any,
+			     dns_rdatatype_tsig, &r);
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+	CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
+	isc_buffer_putuint16(&databuf, tsig.siglen);
+	isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
+	isc_buffer_usedregion(&databuf, &r);
+	result = dst_context_adddata(tsigctx, &r);
+	dns_rdata_freestruct(&tsig);
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
+	dns_compress_t cctx;
+	dns_rdata_any_tsig_t tsig;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_buffer_t *dynbuf = NULL;
+	isc_buffer_t databuf;
+	isc_buffer_t sigbuf;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_stdtime_t now;
+	unsigned char tsigbuf[1024];
+	unsigned int count;
+	unsigned int sigsize = 0;
+	bool invalidate_ctx = false;
+
+	memset(&tsig, 0, sizeof(tsig));
+
+	CHECK(dns_compress_init(&cctx, -1, mctx));
+	invalidate_ctx = true;
+
+	tsig.common.rdclass = dns_rdataclass_any;
+	tsig.common.rdtype = dns_rdatatype_tsig;
+	ISC_LINK_INIT(&tsig.common, link);
+	dns_name_init(&tsig.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tsig.algorithm);
+
+	isc_stdtime_get(&now);
+	tsig.timesigned = now;
+	tsig.fudge = DNS_TSIG_FUDGE;
+	tsig.originalid = 50;
+	tsig.error = dns_rcode_noerror;
+	tsig.otherlen = 0;
+	tsig.other = NULL;
+
+	isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+	isc_buffer_putuint48(&databuf, tsig.timesigned);
+	isc_buffer_putuint16(&databuf, tsig.fudge);
+	isc_buffer_usedregion(&databuf, &r);
+	CHECK(dst_context_adddata(tsigctx, &r));
+
+	CHECK(dst_key_sigsize(key->key, &sigsize));
+	tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
+	if (tsig.signature == NULL)
+		CHECK(ISC_R_NOMEMORY);
+	isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+	CHECK(dst_context_sign(tsigctx, &sigbuf));
+	tsig.siglen = isc_buffer_usedlength(&sigbuf);
+	ATF_CHECK_EQ(sigsize, tsig.siglen);
+
+	CHECK(isc_buffer_allocate(mctx, &dynbuf, 512));
+	CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any,
+				   dns_rdatatype_tsig, &tsig, dynbuf));
+	dns_rdatalist_init(&rdatalist);
+	rdatalist.rdclass = dns_rdataclass_any;
+	rdatalist.type = dns_rdatatype_tsig;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx,
+				  target, 0, &count));
+
+	/*
+	 * Fixup additional record count.
+	 */
+	((unsigned char*)target->base)[11]++;
+	if (((unsigned char*)target->base)[11] == 0)
+		((unsigned char*)target->base)[10]++;
+ cleanup:
+	if (tsig.signature != NULL)
+		isc_mem_put(mctx, tsig.signature, sigsize);
+	if (dynbuf != NULL)
+		isc_buffer_free(&dynbuf);
+	if (invalidate_ctx)
+		dns_compress_invalidate(&cctx);
+
+	return (result);
+}
+
+static void
+printmessage(dns_message_t *msg) {
+	isc_buffer_t b;
+	char *buf = NULL;
+	int len = 1024;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (!debug)
+		return;
+
+	do {
+		buf = isc_mem_get(mctx, len);
+		if (buf == NULL)
+			return;
+
+		isc_buffer_init(&b, buf, len);
+		result = dns_message_totext(msg, &dns_master_style_debug,
+					    0, &b);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(mctx, buf, len);
+			len *= 2;
+		} else if (result == ISC_R_SUCCESS)
+			printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf);
+	} while (result == ISC_R_NOSPACE);
+
+	if (buf != NULL)
+		isc_mem_put(mctx, buf, len);
+}
+
+static void
+render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
+       isc_buffer_t **tsigin, isc_buffer_t **tsigout,
+       dst_context_t *tsigctx)
+{
+	dns_message_t *msg = NULL;
+	dns_compress_t cctx;
+	isc_result_t result;
+
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_message_create: %s",
+			 dns_result_totext(result));
+	ATF_REQUIRE(msg != NULL);
+
+	msg->id = 50;
+	msg->rcode = dns_rcode_noerror;
+	msg->flags = flags;
+
+	/*
+	 * XXXMPA: this hack needs to be replaced with use of
+	 * dns_message_reply() at some point.
+	 */
+	if ((flags & DNS_MESSAGEFLAG_QR) != 0)
+		msg->verified_sig = 1;
+
+	if (tsigin == tsigout)
+		msg->tcp_continuation = 1;
+
+	if (tsigctx == NULL) {
+		result = dns_message_settsigkey(msg, key);
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+				 "dns_message_settsigkey: %s",
+				 dns_result_totext(result));
+
+		result = dns_message_setquerytsig(msg, *tsigin);
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+				 "dns_message_setquerytsig: %s",
+				 dns_result_totext(result));
+	}
+
+	result = dns_compress_init(&cctx, -1, mctx);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_compress_init: %s",
+			 dns_result_totext(result));
+
+	result = dns_message_renderbegin(msg, &cctx, buf);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_message_renderbegin: %s",
+			 dns_result_totext(result));
+
+	result = dns_message_renderend(msg);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_message_renderend: %s",
+			 dns_result_totext(result));
+
+	if (tsigctx != NULL) {
+		isc_region_t r;
+
+		isc_buffer_usedregion(buf, &r);
+		result = dst_context_adddata(tsigctx, &r);
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+				 "dst_context_adddata: %s",
+				 dns_result_totext(result));
+	} else {
+		if (tsigin == tsigout && *tsigin != NULL)
+			isc_buffer_free(tsigin);
+
+		result = dns_message_getquerytsig(msg, mctx, tsigout);
+		ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+				 "dns_message_getquerytsig: %s",
+				 dns_result_totext(result));
+	}
+
+	dns_compress_invalidate(&cctx);
+	dns_message_destroy(&msg);
+}
+
+/*
+ * Check that a simulated three message TCP sequence where the first
+ * and last messages contain TSIGs but the intermediate message doesn't
+ * correctly verifies.
+ */
+ATF_TC(tsig_tcp);
+ATF_TC_HEAD(tsig_tcp, tc) {
+	atf_tc_set_md_var(tc, "descr", "test tsig tcp-continuation validation");
+}
+ATF_TC_BODY(tsig_tcp, tc) {
+	dns_name_t *tsigowner = NULL;
+	dns_fixedname_t fkeyname;
+	dns_message_t *msg = NULL;
+	dns_name_t *keyname;
+	dns_tsig_keyring_t *ring = NULL;
+	dns_tsigkey_t *key = NULL;
+	isc_buffer_t *buf = NULL;
+	isc_buffer_t *querytsig = NULL;
+	isc_buffer_t *tsigin = NULL;
+	isc_buffer_t *tsigout = NULL;
+	isc_result_t result;
+	unsigned char secret[16] = { 0 };
+	dst_context_t *tsigctx = NULL;
+	dst_context_t *outctx = NULL;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(stderr, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* isc_log_setdebuglevel(lctx, 99); */
+
+	keyname = dns_fixedname_initname(&fkeyname);
+	result = dns_name_fromstring(keyname, "test", 0, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_tsigkeyring_create(mctx, &ring);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
+				    secret, sizeof(secret), false,
+				    NULL, 0, 0, mctx, ring, &key);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(key != NULL);
+
+	/*
+	 * Create request.
+	 */
+	result = isc_buffer_allocate(mctx, &buf, 65535);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	render(buf, 0, key, &tsigout, &querytsig, NULL);
+	isc_buffer_free(&buf);
+
+	/*
+	 * Create response message 1.
+	 */
+	result = isc_buffer_allocate(mctx, &buf, 65535);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
+
+	/*
+	 * Process response message 1.
+	 */
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_create: %s",
+			   dns_result_totext(result));
+	ATF_REQUIRE(msg != NULL);
+
+	result = dns_message_settsigkey(msg, key);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_settsigkey: %s",
+			   dns_result_totext(result));
+
+	result = dns_message_parse(msg, buf, 0);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_parse: %s",
+			   dns_result_totext(result));
+
+	printmessage(msg);
+
+	result = dns_message_setquerytsig(msg, querytsig);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "dns_message_setquerytsig: %s",
+			   dns_result_totext(result));
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_tsig_verify: %s",
+			 dns_result_totext(result));
+	ATF_CHECK_EQ(msg->verified_sig, 1);
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+	/*
+	 * Check that we have a TSIG in the first message.
+	 */
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
+
+	result = dns_message_getquerytsig(msg, mctx, &tsigin);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "dns_message_getquerytsig: %s",
+			   dns_result_totext(result));
+
+	tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+	isc_buffer_free(&buf);
+	dns_message_destroy(&msg);
+
+	result = dst_context_create3(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
+				     false, &outctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(outctx != NULL);
+
+	/*
+	 * Start digesting.
+	 */
+	result = add_mac(outctx, tsigout);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Create response message 2.
+	 */
+	result = isc_buffer_allocate(mctx, &buf, 65535);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+	/*
+	 * Process response message 2.
+	 */
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_create: %s",
+			   dns_result_totext(result));
+	ATF_REQUIRE(msg != NULL);
+
+	msg->tcp_continuation = 1;
+	msg->tsigctx = tsigctx;
+	tsigctx = NULL;
+
+	result = dns_message_settsigkey(msg, key);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_settsigkey: %s",
+			   dns_result_totext(result));
+
+	result = dns_message_parse(msg, buf, 0);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_parse: %s",
+			   dns_result_totext(result));
+
+	printmessage(msg);
+
+	result = dns_message_setquerytsig(msg, tsigin);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "dns_message_setquerytsig: %s",
+			   dns_result_totext(result));
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_tsig_verify: %s",
+			 dns_result_totext(result));
+	ATF_CHECK_EQ(msg->verified_sig, 0);
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+	/*
+	 * Check that we don't have a TSIG in the second message.
+	 */
+	tsigowner = NULL;
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL);
+
+	tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+	isc_buffer_free(&buf);
+	dns_message_destroy(&msg);
+
+	/*
+	 * Create response message 3.
+	 */
+	result = isc_buffer_allocate(mctx, &buf, 65535);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+	result = add_tsig(outctx, key, buf);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "add_tsig: %s",
+			   dns_result_totext(result));
+
+	/*
+	 * Process response message 3.
+	 */
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_create: %s",
+			   dns_result_totext(result));
+	ATF_REQUIRE(msg != NULL);
+
+	msg->tcp_continuation = 1;
+	msg->tsigctx = tsigctx;
+	tsigctx = NULL;
+
+	result = dns_message_settsigkey(msg, key);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_settsigkey: %s",
+			   dns_result_totext(result));
+
+	result = dns_message_parse(msg, buf, 0);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "dns_message_parse: %s",
+			   dns_result_totext(result));
+
+	printmessage(msg);
+
+	/*
+	 * Check that we had a TSIG in the third message.
+	 */
+	ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
+
+	result = dns_message_setquerytsig(msg, tsigin);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "dns_message_setquerytsig: %s",
+			   dns_result_totext(result));
+
+	result = dns_tsig_verify(buf, msg, NULL, NULL);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+			 "dns_tsig_verify: %s",
+			 dns_result_totext(result));
+	ATF_CHECK_EQ(msg->verified_sig, 1);
+	ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+	if (tsigin != NULL)
+		isc_buffer_free(&tsigin);
+
+	result = dns_message_getquerytsig(msg, mctx, &tsigin);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS,
+			   "dns_message_getquerytsig: %s",
+			   dns_result_totext(result));
+
+	isc_buffer_free(&buf);
+	dns_message_destroy(&msg);
+
+	if (outctx != NULL)
+		dst_context_destroy(&outctx);
+	if (querytsig != NULL)
+		isc_buffer_free(&querytsig);
+	if (tsigin != NULL)
+		isc_buffer_free(&tsigin);
+	if (tsigout != NULL)
+		isc_buffer_free(&tsigout);
+	dns_tsigkey_detach(&key);
+	if (ring != NULL)
+		dns_tsigkeyring_detach(&ring);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, tsig_tcp);
+	return (atf_no_error());
+}
diff --git a/lib/dns/tests/update_test.c b/lib/dns/tests/update_test.c
new file mode 100644
index 0000000..1585ed7
--- /dev/null
+++ b/lib/dns/tests/update_test.c
@@ -0,0 +1,343 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <unistd.h>
+#include <time.h>
+
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+
+#include <dns/update.h>
+
+#include "dnstest.h"
+
+static uint32_t mystdtime;
+
+static void set_mystdtime(int year, int month, int day) {
+	struct tm tm;
+
+	memset(&tm, 0, sizeof(tm));
+	tm.tm_year = year - 1900;
+	tm.tm_mon = month - 1;
+	tm.tm_mday = day;
+	mystdtime = timegm(&tm) ;
+}
+
+void isc_stdtime_get(isc_stdtime_t *now) {
+	*now = mystdtime;
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(increment);
+ATF_TC_HEAD(increment, tc) {
+  atf_tc_set_md_var(tc, "descr", "simple increment by 1");
+}
+ATF_TC_BODY(increment, tc) {
+	uint32_t old = 50;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_increment);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK_MSG(serial != 0, "serial (%d) should not equal 0", serial);
+	ATF_REQUIRE_EQ(serial, 51);
+	dns_test_end();
+}
+
+/* 0xfffffffff -> 1 */
+ATF_TC(increment_past_zero);
+ATF_TC_HEAD(increment_past_zero, tc) {
+  atf_tc_set_md_var(tc, "descr", "increment past zero, ffffffff -> 1");
+}
+ATF_TC_BODY(increment_past_zero, tc) {
+	uint32_t old = 0xffffffffu;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_increment);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, 1u);
+	dns_test_end();
+}
+
+ATF_TC(past_to_unix);
+ATF_TC_HEAD(past_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "past to unixtime");
+}
+ATF_TC_BODY(past_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime - 1;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, mystdtime);
+	dns_test_end();
+}
+
+ATF_TC(now_to_unix);
+ATF_TC_HEAD(now_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "now to unixtime");
+}
+ATF_TC_BODY(now_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, old + 1);
+	dns_test_end();
+}
+
+ATF_TC(future_to_unix);
+ATF_TC_HEAD(future_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "future to unixtime");
+}
+ATF_TC_BODY(future_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime + 1;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, old + 1);
+	dns_test_end();
+}
+
+ATF_TC(undefined_plus1_to_unix);
+ATF_TC_HEAD(undefined_plus1_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "undefined plus 1 to unixtime");
+}
+ATF_TC_BODY(undefined_plus1_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+	old += 1;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, mystdtime);
+	dns_test_end();
+}
+
+ATF_TC(undefined_minus1_to_unix);
+ATF_TC_HEAD(undefined_minus1_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "undefined minus 1 to unixtime");
+}
+ATF_TC_BODY(undefined_minus1_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+	old -= 1;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, old + 1);
+	dns_test_end();
+}
+
+ATF_TC(undefined_to_unix);
+ATF_TC_HEAD(undefined_to_unix, tc) {
+  atf_tc_set_md_var(tc, "descr", "undefined to unixtime");
+}
+ATF_TC_BODY(undefined_to_unix, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2011, 6, 22);
+	old = mystdtime ^ 0x80000000u;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, old + 1);
+	dns_test_end();
+}
+
+ATF_TC(unixtime_zero);
+ATF_TC_HEAD(unixtime_zero, tc) {
+  atf_tc_set_md_var(tc, "descr", "handle unixtime being zero");
+}
+ATF_TC_BODY(unixtime_zero, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	mystdtime = 0;
+	old = 0xfffffff0;
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_unixtime);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, old + 1);
+	dns_test_end();
+}
+
+ATF_TC(past_to_date);
+ATF_TC_HEAD(past_to_date, tc) {
+  atf_tc_set_md_var(tc, "descr", "past to date");
+}
+ATF_TC_BODY(past_to_date, tc) {
+	uint32_t old, serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2014, 3, 31);
+	old = dns_update_soaserial(0, dns_updatemethod_date);
+	set_mystdtime(2014, 4, 1);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_date);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, 2014040100);
+	dns_test_end();
+}
+
+ATF_TC(now_to_date);
+ATF_TC_HEAD(now_to_date, tc) {
+  atf_tc_set_md_var(tc, "descr", "now to date");
+}
+ATF_TC_BODY(now_to_date, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2014, 4, 1);
+	old = dns_update_soaserial(0, dns_updatemethod_date);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_date);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, 2014040101);
+	dns_test_end();
+}
+
+ATF_TC(future_to_date);
+ATF_TC_HEAD(future_to_date, tc) {
+  atf_tc_set_md_var(tc, "descr", "future to date");
+}
+ATF_TC_BODY(future_to_date, tc) {
+	uint32_t old;
+	uint32_t serial;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	set_mystdtime(2014, 4, 1);
+	old = dns_update_soaserial(0, dns_updatemethod_date);
+	set_mystdtime(2014, 3, 31);
+
+	result = dns_test_begin(NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	serial = dns_update_soaserial(old, dns_updatemethod_date);
+	ATF_REQUIRE_EQ(isc_serial_lt(old, serial), true);
+	ATF_CHECK(serial != 0);
+	ATF_REQUIRE_EQ(serial, 2014040101);
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, increment);
+	ATF_TP_ADD_TC(tp, increment_past_zero);
+	ATF_TP_ADD_TC(tp, past_to_unix);
+	ATF_TP_ADD_TC(tp, now_to_unix);
+	ATF_TP_ADD_TC(tp, future_to_unix);
+	ATF_TP_ADD_TC(tp, undefined_to_unix);
+	ATF_TP_ADD_TC(tp, undefined_plus1_to_unix);
+	ATF_TP_ADD_TC(tp, undefined_minus1_to_unix);
+	ATF_TP_ADD_TC(tp, unixtime_zero);
+	ATF_TP_ADD_TC(tp, past_to_date);
+	ATF_TP_ADD_TC(tp, now_to_date);
+	ATF_TP_ADD_TC(tp, future_to_date);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/dns/tests/zonemgr_test.c b/lib/dns/tests/zonemgr_test.c
new file mode 100644
index 0000000..03079c6
--- /dev/null
+++ b/lib/dns/tests/zonemgr_test.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include "dnstest.h"
+
+/*
+ * Individual unit tests
+ */
+ATF_TC(zonemgr_create);
+ATF_TC_HEAD(zonemgr_create, tc) {
+	atf_tc_set_md_var(tc, "descr", "create zone manager");
+}
+ATF_TC_BODY(zonemgr_create, tc) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	ATF_REQUIRE_EQ(myzonemgr, NULL);
+
+	dns_test_end();
+}
+
+
+ATF_TC(zonemgr_managezone);
+ATF_TC_HEAD(zonemgr_managezone, tc) {
+	atf_tc_set_md_var(tc, "descr", "manage and release a zone");
+}
+ATF_TC_BODY(zonemgr_managezone, tc) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* This should not succeed until the dns_zonemgr_setsize() is run */
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	ATF_REQUIRE_EQ(result, ISC_R_FAILURE);
+
+	ATF_REQUIRE_EQ(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 0);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Now it should succeed */
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_REQUIRE_EQ(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 1);
+
+	dns_zonemgr_releasezone(myzonemgr, zone);
+	dns_zone_detach(&zone);
+
+	ATF_REQUIRE_EQ(dns_zonemgr_getcount(myzonemgr, DNS_ZONESTATE_ANY), 0);
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	ATF_REQUIRE_EQ(myzonemgr, NULL);
+
+	dns_test_end();
+}
+
+ATF_TC(zonemgr_createzone);
+ATF_TC_HEAD(zonemgr_createzone, tc) {
+	atf_tc_set_md_var(tc, "descr", "create and release a zone");
+}
+ATF_TC_BODY(zonemgr_createzone, tc) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* This should not succeed until the dns_zonemgr_setsize() is run */
+	result = dns_zonemgr_createzone(myzonemgr, &zone);
+	ATF_REQUIRE_EQ(result, ISC_R_FAILURE);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Now it should succeed */
+	result = dns_zonemgr_createzone(myzonemgr, &zone);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(zone != NULL);
+
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	ATF_REQUIRE_EQ(myzonemgr, NULL);
+
+	dns_test_end();
+}
+
+ATF_TC(zonemgr_unreachable);
+ATF_TC_HEAD(zonemgr_unreachable, tc) {
+	atf_tc_set_md_var(tc, "descr", "manage and release a zone");
+}
+ATF_TC_BODY(zonemgr_unreachable, tc) {
+	dns_zonemgr_t *myzonemgr = NULL;
+	dns_zone_t *zone = NULL;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_result_t result;
+	isc_time_t now;
+
+	UNUSED(tc);
+
+	TIME_NOW(&now);
+
+	result = dns_test_begin(NULL, true);
+
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_create(mctx, taskmgr, timermgr, socketmgr,
+				    &myzonemgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_setsize(myzonemgr, 1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_zonemgr_managezone(myzonemgr, zone);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("10.53.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 2112);
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	ATF_CHECK(! dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	/*
+	 * We require multiple unreachableadd calls to mark a server as
+	 * unreachable.
+	 */
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	ATF_CHECK(! dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	ATF_CHECK(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	in.s_addr = inet_addr("10.53.0.3");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	ATF_CHECK(! dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	/*
+	 * We require multiple unreachableadd calls to mark a server as
+	 * unreachable.
+	 */
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	dns_zonemgr_unreachableadd(myzonemgr, &addr1, &addr2, &now);
+	ATF_CHECK(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	dns_zonemgr_unreachabledel(myzonemgr, &addr1, &addr2);
+	ATF_CHECK(! dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	in.s_addr = inet_addr("10.53.0.2");
+	isc_sockaddr_fromin(&addr2, &in, 5150);
+	ATF_CHECK(dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+	dns_zonemgr_unreachabledel(myzonemgr, &addr1, &addr2);
+	ATF_CHECK(! dns_zonemgr_unreachable(myzonemgr, &addr1, &addr2, &now));
+
+	dns_zonemgr_releasezone(myzonemgr, zone);
+	dns_zone_detach(&zone);
+	dns_zonemgr_shutdown(myzonemgr);
+	dns_zonemgr_detach(&myzonemgr);
+	ATF_REQUIRE_EQ(myzonemgr, NULL);
+
+	dns_test_end();
+}
+
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, zonemgr_create);
+	ATF_TP_ADD_TC(tp, zonemgr_managezone);
+	ATF_TP_ADD_TC(tp, zonemgr_createzone);
+	ATF_TP_ADD_TC(tp, zonemgr_unreachable);
+	return (atf_no_error());
+}
+
+/*
+ * XXX:
+ * dns_zonemgr API calls that are not yet part of this unit test:
+ *
+ * 	- dns_zonemgr_attach
+ * 	- dns_zonemgr_forcemaint
+ * 	- dns_zonemgr_resumexfrs
+ * 	- dns_zonemgr_shutdown
+ * 	- dns_zonemgr_setsize
+ * 	- dns_zonemgr_settransfersin
+ * 	- dns_zonemgr_getttransfersin
+ * 	- dns_zonemgr_settransfersperns
+ * 	- dns_zonemgr_getttransfersperns
+ * 	- dns_zonemgr_setiolimit
+ * 	- dns_zonemgr_getiolimit
+ * 	- dns_zonemgr_dbdestroyed
+ * 	- dns_zonemgr_setserialqueryrate
+ * 	- dns_zonemgr_getserialqueryrate
+ */
diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
new file mode 100644
index 0000000..d2756c2
--- /dev/null
+++ b/lib/dns/tests/zt_test.c
@@ -0,0 +1,342 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+
+#include <dns/db.h>
+#include <dns/name.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include "dnstest.h"
+
+struct args {
+	void *arg1;
+	void *arg2;
+	bool arg3;
+};
+
+/*
+ * Helper functions
+ */
+static isc_result_t
+count_zone(dns_zone_t *zone, void *uap) {
+	int *nzones = (int *)uap;
+
+	UNUSED(zone);
+
+	*nzones += 1;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+load_done(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
+	/* We treat zt as a pointer to a boolean for testing purposes */
+	bool *done = (bool *) zt;
+
+	UNUSED(zone);
+	UNUSED(task);
+
+	*done = true;
+	isc_app_shutdown();
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+all_done(void *arg) {
+	bool *done = (bool *) arg;
+
+	*done = true;
+	isc_app_shutdown();
+	return (ISC_R_SUCCESS);
+}
+
+static void
+start_zt_asyncload(isc_task_t *task, isc_event_t *event) {
+	struct args *args = (struct args *)(event->ev_arg);
+
+	UNUSED(task);
+
+	dns_zt_asyncload2(args->arg1, all_done, args->arg2, false);
+
+	isc_event_free(&event);
+}
+
+static void
+start_zone_asyncload(isc_task_t *task, isc_event_t *event) {
+	struct args *args = (struct args *)(event->ev_arg);
+
+	UNUSED(task);
+
+	dns_zone_asyncload2(args->arg1, load_done, args->arg2, args->arg3);
+	isc_event_free(&event);
+}
+
+/*
+ * Individual unit tests
+ */
+ATF_TC(apply);
+ATF_TC_HEAD(apply, tc) {
+	atf_tc_set_md_var(tc, "descr", "apply a function to a zone table");
+}
+ATF_TC_BODY(apply, tc) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	dns_view_t *view = NULL;
+	int nzones = 0;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	view = dns_zone_getview(zone);
+	ATF_REQUIRE(view->zonetable != NULL);
+
+	ATF_CHECK_EQ(0, nzones);
+	result = dns_zt_apply(view->zonetable, false, count_zone, &nzones);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(1, nzones);
+
+	/* These steps are necessary so the zone can be detached properly */
+	result = dns_test_setupzonemgr();
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_test_releasezone(zone);
+	dns_test_closezonemgr();
+
+	/* The view was left attached in dns_test_makezone() */
+	dns_view_detach(&view);
+	dns_zone_detach(&zone);
+
+	dns_test_end();
+}
+
+ATF_TC(asyncload_zone);
+ATF_TC_HEAD(asyncload_zone, tc) {
+	atf_tc_set_md_var(tc, "descr", "asynchronous zone load");
+}
+ATF_TC_BODY(asyncload_zone, tc) {
+	isc_result_t result;
+	int n;
+	dns_zone_t *zone = NULL;
+	dns_view_t *view = NULL;
+	dns_db_t *db = NULL;
+	FILE* zonefile, *origfile;
+	char buf[4096];
+	bool done = false;
+	int i = 0;
+	struct args args;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone, NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_setupzonemgr();
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	view = dns_zone_getview(zone);
+	ATF_REQUIRE(view->zonetable != NULL);
+
+	ATF_CHECK(!dns__zone_loadpending(zone));
+	ATF_CHECK(!done);
+	zonefile = fopen("./zone.data", "wb");
+	ATF_CHECK(zonefile != NULL);
+	origfile = fopen("./testdata/zt/zone1.db", "r+b");
+	ATF_CHECK(origfile != NULL);
+	n = fread(buf, 1, 4096, origfile);
+	fclose(origfile);
+	fwrite(buf, 1, n, zonefile);
+	fflush(zonefile);
+
+	dns_zone_setfile(zone, "./zone.data");
+
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = false;
+	isc_app_onrun(mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+	while (dns__zone_loadpending(zone) && i++ < 5000)
+		dns_test_nap(1000);
+	ATF_CHECK(done);
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	dns_db_detach(&db);
+	/*
+	 * Add something to zone file, reload zone with newonly - it should
+	 * not be reloaded.
+	 */
+	fprintf(zonefile, "\nb in b 1.2.3.4\n");
+	fflush(zonefile);
+	fclose(zonefile);
+
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = false;
+	isc_app_onrun(mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+
+	while (dns__zone_loadpending(zone) && i++ < 5000)
+		dns_test_nap(1000);
+	ATF_CHECK(done);
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	dns_db_detach(&db);
+
+	/* Now reload it without newonly - it should be reloaded */
+	args.arg1 = zone;
+	args.arg2 = &done;
+	args.arg3 = false;
+	isc_app_onrun(mctx, maintask, start_zone_asyncload, &args);
+
+	isc_app_run();
+
+	while (dns__zone_loadpending(zone) && i++ < 5000)
+		dns_test_nap(1000);
+	ATF_CHECK(done);
+	/* The zone should now be loaded; test it */
+	result = dns_zone_getdb(zone, &db);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(db != NULL);
+	if (db != NULL)
+		dns_db_detach(&db);
+
+	dns_test_releasezone(zone);
+	dns_test_closezonemgr();
+
+	dns_zone_detach(&zone);
+	dns_view_detach(&view);
+
+	dns_test_end();
+}
+
+ATF_TC(asyncload_zt);
+ATF_TC_HEAD(asyncload_zt, tc) {
+	atf_tc_set_md_var(tc, "descr", "asynchronous zone table load");
+}
+ATF_TC_BODY(asyncload_zt, tc) {
+	isc_result_t result;
+	dns_zone_t *zone1 = NULL, *zone2 = NULL, *zone3 = NULL;
+	dns_view_t *view;
+	dns_zt_t *zt;
+	dns_db_t *db = NULL;
+	bool done = false;
+	int i = 0;
+	struct args args;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = dns_test_makezone("foo", &zone1, NULL, true);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone1, "testdata/zt/zone1.db");
+	view = dns_zone_getview(zone1);
+
+	result = dns_test_makezone("bar", &zone2, view, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone2, "testdata/zt/zone1.db");
+
+	/* This one will fail to load */
+	result = dns_test_makezone("fake", &zone3, view, false);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	dns_zone_setfile(zone3, "testdata/zt/nonexistent.db");
+
+	zt = view->zonetable;
+	ATF_REQUIRE(zt != NULL);
+
+	result = dns_test_setupzonemgr();
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = dns_test_managezone(zone3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(!dns__zone_loadpending(zone1));
+	ATF_CHECK(!dns__zone_loadpending(zone2));
+	ATF_CHECK(!done);
+
+	args.arg1 = zt;
+	args.arg2 = &done;
+	isc_app_onrun(mctx, maintask, start_zt_asyncload, &args);
+
+	isc_app_run();
+	while (!done && i++ < 5000)
+		dns_test_nap(1000);
+	ATF_CHECK(done);
+
+	/* Both zones should now be loaded; test them */
+	result = dns_zone_getdb(zone1, &db);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(db != NULL);
+	if (db != NULL)
+		dns_db_detach(&db);
+
+	result = dns_zone_getdb(zone2, &db);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(db != NULL);
+	if (db != NULL)
+		dns_db_detach(&db);
+
+	dns_test_releasezone(zone3);
+	dns_test_releasezone(zone2);
+	dns_test_releasezone(zone1);
+	dns_test_closezonemgr();
+
+	dns_zone_detach(&zone1);
+	dns_zone_detach(&zone2);
+	dns_zone_detach(&zone3);
+	dns_view_detach(&view);
+
+	dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, apply);
+	ATF_TP_ADD_TC(tp, asyncload_zone);
+	ATF_TP_ADD_TC(tp, asyncload_zt);
+	return (atf_no_error());
+}
diff --git a/lib/dns/time.c b/lib/dns/time.c
new file mode 100644
index 0000000..dedd518
--- /dev/null
+++ b/lib/dns/time.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <time.h>
+#include <ctype.h>
+
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/time.h>
+
+static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+
+isc_result_t
+dns_time64_totext(int64_t t, isc_buffer_t *target) {
+	struct tm tm;
+	char buf[sizeof("!!!!!!YYYY!!!!!!!!MM!!!!!!!!DD!!!!!!!!HH!!!!!!!!MM!!!!!!!!SS")];
+	int secs;
+	unsigned int l;
+	isc_region_t region;
+
+/*
+ * Warning. Do NOT use arguments with side effects with these macros.
+ */
+#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+#define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400)
+#define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
+
+	tm.tm_year = 70;
+	while (t < 0) {
+		if (tm.tm_year == 0)
+			return (ISC_R_RANGE);
+		tm.tm_year--;
+		secs = year_secs(tm.tm_year + 1900);
+		t += secs;
+	}
+	while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
+		t -= secs;
+		tm.tm_year++;
+		if (tm.tm_year + 1900 > 9999)
+			return (ISC_R_RANGE);
+	}
+	tm.tm_mon = 0;
+	while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
+		t -= secs;
+		tm.tm_mon++;
+	}
+	tm.tm_mday = 1;
+	while (86400 <= t) {
+		t -= 86400;
+		tm.tm_mday++;
+	}
+	tm.tm_hour = 0;
+	while (3600 <= t) {
+		t -= 3600;
+		tm.tm_hour++;
+	}
+	tm.tm_min = 0;
+	while (60 <= t) {
+		t -= 60;
+		tm.tm_min++;
+	}
+	tm.tm_sec = (int)t;
+				 /* yyyy  mm  dd  HH  MM  SS */
+	snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
+		 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
+		 tm.tm_hour, tm.tm_min, tm.tm_sec);
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(buf);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, buf, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+int64_t
+dns_time64_from32(uint32_t value) {
+	isc_stdtime_t now;
+	int64_t start;
+	int64_t t;
+
+	/*
+	 * Adjust the time to the closest epoch.  This should be changed
+	 * to use a 64-bit counterpart to isc_stdtime_get() if one ever
+	 * is defined, but even the current code is good until the year
+	 * 2106.
+	 */
+	isc_stdtime_get(&now);
+	start = (int64_t) now;
+	if (isc_serial_gt(value, now))
+		t = start + (value - now);
+	else
+		t = start - (now - value);
+
+	return (t);
+}
+
+isc_result_t
+dns_time32_totext(uint32_t value, isc_buffer_t *target) {
+	return (dns_time64_totext(dns_time64_from32(value), target));
+}
+
+isc_result_t
+dns_time64_fromtext(const char *source, int64_t *target) {
+	int year, month, day, hour, minute, second;
+	int64_t value;
+	int secs;
+	int i;
+
+#define RANGE(min, max, value) \
+	do { \
+		if (value < (min) || value > (max)) \
+			return (ISC_R_RANGE); \
+	} while (0)
+
+	if (strlen(source) != 14U)
+		return (DNS_R_SYNTAX);
+	/*
+	 * Confirm the source only consists digits.  sscanf() allows some
+	 * minor exceptions.
+	 */
+	for (i = 0; i < 14; i++) {
+		if (!isdigit((unsigned char)source[i]))
+			return (DNS_R_SYNTAX);
+	}
+	if (sscanf(source, "%4d%2d%2d%2d%2d%2d",
+		   &year, &month, &day, &hour, &minute, &second) != 6)
+		return (DNS_R_SYNTAX);
+
+	RANGE(0, 9999, year);
+	RANGE(1, 12, month);
+	RANGE(1, days[month - 1] +
+		 ((month == 2 && is_leap(year)) ? 1 : 0), day);
+#ifdef __COVERITY__
+	/*
+	 * Use a simplified range to silence Coverity warning (in
+	 * arithmetic with day below).
+	 */
+	RANGE(1, 31, day);
+#endif /* __COVERITY__ */
+
+	RANGE(0, 23, hour);
+	RANGE(0, 59, minute);
+	RANGE(0, 60, second);		/* 60 == leap second. */
+
+	/*
+	 * Calculate seconds from epoch.
+	 * Note: this uses a idealized calendar.
+	 */
+	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
+	for (i = 0; i < (month - 1); i++)
+		value += days[i] * 86400;
+	if (is_leap(year) && month > 2)
+		value += 86400;
+	if (year < 1970) {
+		for (i = 1969; i >= year; i--) {
+			secs = (is_leap(i) ? 366 : 365) * 86400;
+			value -= secs;
+		}
+	} else {
+		for (i = 1970; i < year; i++) {
+			secs = (is_leap(i) ? 366 : 365) * 86400;
+			value += secs;
+		}
+	}
+
+	*target = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_time32_fromtext(const char *source, uint32_t *target) {
+	int64_t value64;
+	isc_result_t result;
+	result = dns_time64_fromtext(source, &value64);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	*target = (uint32_t)value64;
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/timer.c b/lib/dns/timer.c
new file mode 100644
index 0000000..8c5a328
--- /dev/null
+++ b/lib/dns/timer.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/types.h>
+#include <dns/timer.h>
+
+#define CHECK(op) \
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+		  unsigned int idletime, bool purge)
+{
+	isc_result_t result;
+	isc_interval_t maxinterval, idleinterval;
+	isc_time_t expires;
+
+	/* Compute the time of expiry. */
+	isc_interval_set(&maxinterval, maxtime, 0);
+	CHECK(isc_time_nowplusinterval(&expires, &maxinterval));
+
+	/*
+	 * Compute the idle interval, and add a spare nanosecond to
+	 * work around the silly limitation of the ISC timer interface
+	 * that you cannot specify an idle interval of zero.
+	 */
+	isc_interval_set(&idleinterval, idletime, 1);
+
+	CHECK(isc_timer_reset(timer, isc_timertype_once,
+			      &expires, &idleinterval,
+			      purge));
+ failure:
+	return (result);
+}
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
new file mode 100644
index 0000000..5b4ffd9
--- /dev/null
+++ b/lib/dns/tkey.c
@@ -0,0 +1,1526 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+#include "dst_internal.h"
+
+#define TEMP_BUFFER_SZ 8192
+#define TKEY_RANDOM_AMOUNT 16
+
+#ifdef PKCS11CRYPTO
+#include <pk11/pk11.h>
+#endif
+
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto failure; \
+	} while (0)
+
+static void
+tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+tkey_log(const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
+	va_end(ap);
+}
+
+static void
+dumpmessage(dns_message_t *msg) {
+	isc_buffer_t outbuf;
+	unsigned char *output;
+	int len = TEMP_BUFFER_SZ;
+	isc_result_t result;
+
+	for (;;) {
+		output = isc_mem_get(msg->mctx, len);
+		if (output == NULL)
+			return;
+
+		isc_buffer_init(&outbuf, output, len);
+		result = dns_message_totext(msg, &dns_master_style_debug,
+					    0, &outbuf);
+		if (result == ISC_R_NOSPACE) {
+			isc_mem_put(msg->mctx, output, len);
+			len *= 2;
+			continue;
+		}
+
+		if (result == ISC_R_SUCCESS)
+			tkey_log("%.*s",
+				 (int)isc_buffer_usedlength(&outbuf),
+				 (char *)isc_buffer_base(&outbuf));
+		else
+			tkey_log("Warning: dns_message_totext: %s",
+				 dns_result_totext(result));
+		break;
+	}
+
+	if (output != NULL)
+		isc_mem_put(msg->mctx, output, len);
+}
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
+{
+	dns_tkeyctx_t *tctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ectx != NULL);
+	REQUIRE(tctxp != NULL && *tctxp == NULL);
+
+	tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
+	if (tctx == NULL)
+		return (ISC_R_NOMEMORY);
+	tctx->mctx = NULL;
+	isc_mem_attach(mctx, &tctx->mctx);
+	tctx->ectx = NULL;
+	isc_entropy_attach(ectx, &tctx->ectx);
+	tctx->dhkey = NULL;
+	tctx->domain = NULL;
+	tctx->gsscred = NULL;
+	tctx->gssapi_keytab = NULL;
+
+	*tctxp = tctx;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
+	isc_mem_t *mctx;
+	dns_tkeyctx_t *tctx;
+
+	REQUIRE(tctxp != NULL && *tctxp != NULL);
+
+	tctx = *tctxp;
+	mctx = tctx->mctx;
+
+	if (tctx->dhkey != NULL)
+		dst_key_free(&tctx->dhkey);
+	if (tctx->domain != NULL) {
+		if (dns_name_dynamic(tctx->domain))
+			dns_name_free(tctx->domain, mctx);
+		isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
+	}
+	if (tctx->gssapi_keytab != NULL) {
+		isc_mem_free(mctx, tctx->gssapi_keytab);
+	}
+	if (tctx->gsscred != NULL)
+		dst_gssapi_releasecred(&tctx->gsscred);
+	isc_entropy_detach(&tctx->ectx);
+	isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
+	isc_mem_detach(&mctx);
+	*tctxp = NULL;
+}
+
+static isc_result_t
+add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
+		uint32_t ttl, dns_namelist_t *namelist)
+{
+	isc_result_t result;
+	isc_region_t r, newr;
+	dns_rdata_t *newrdata = NULL;
+	dns_name_t *newname = NULL;
+	dns_rdatalist_t *newlist = NULL;
+	dns_rdataset_t *newset = NULL;
+	isc_buffer_t *tmprdatabuf = NULL;
+
+	RETERR(dns_message_gettemprdata(msg, &newrdata));
+
+	dns_rdata_toregion(rdata, &r);
+	RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
+	isc_buffer_availableregion(tmprdatabuf, &newr);
+	memmove(newr.base, r.base, r.length);
+	dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
+	dns_message_takebuffer(msg, &tmprdatabuf);
+
+	RETERR(dns_message_gettempname(msg, &newname));
+	dns_name_init(newname, NULL);
+	RETERR(dns_name_dup(name, msg->mctx, newname));
+
+	RETERR(dns_message_gettemprdatalist(msg, &newlist));
+	newlist->rdclass = newrdata->rdclass;
+	newlist->type = newrdata->type;
+	newlist->ttl = ttl;
+	ISC_LIST_APPEND(newlist->rdata, newrdata, link);
+
+	RETERR(dns_message_gettemprdataset(msg, &newset));
+	RETERR(dns_rdatalist_tordataset(newlist, newset));
+
+	ISC_LIST_INIT(newname->list);
+	ISC_LIST_APPEND(newname->list, newset, link);
+
+	ISC_LIST_APPEND(*namelist, newname, link);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (newrdata != NULL) {
+		if (ISC_LINK_LINKED(newrdata, link)) {
+			INSIST(newlist != NULL);
+			ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
+		}
+		dns_message_puttemprdata(msg, &newrdata);
+	}
+	if (newname != NULL)
+		dns_message_puttempname(msg, &newname);
+	if (newset != NULL) {
+		dns_rdataset_disassociate(newset);
+		dns_message_puttemprdataset(msg, &newset);
+	}
+	if (newlist != NULL)
+		dns_message_puttemprdatalist(msg, &newlist);
+	return (result);
+}
+
+static void
+free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
+	dns_name_t *name;
+	dns_rdataset_t *set;
+
+	while (!ISC_LIST_EMPTY(*namelist)) {
+		name = ISC_LIST_HEAD(*namelist);
+		ISC_LIST_UNLINK(*namelist, name, link);
+		while (!ISC_LIST_EMPTY(name->list)) {
+			set = ISC_LIST_HEAD(name->list);
+			ISC_LIST_UNLINK(name->list, set, link);
+			dns_message_puttemprdataset(msg, &set);
+		}
+		dns_message_puttempname(msg, &name);
+	}
+}
+
+static isc_result_t
+compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
+	       isc_region_t *serverrandomness, isc_buffer_t *secret)
+{
+#ifndef PK11_MD5_DISABLE
+	isc_md5_t md5ctx;
+	isc_region_t r, r2;
+	unsigned char digests[32];
+	unsigned int i;
+
+	isc_buffer_usedregion(shared, &r);
+
+	/*
+	 * MD5 ( query data | DH value ).
+	 */
+	isc_md5_init(&md5ctx);
+	isc_md5_update(&md5ctx, queryrandomness->base,
+		       queryrandomness->length);
+	isc_md5_update(&md5ctx, r.base, r.length);
+	isc_md5_final(&md5ctx, digests);
+
+	/*
+	 * MD5 ( server data | DH value ).
+	 */
+	isc_md5_init(&md5ctx);
+	isc_md5_update(&md5ctx, serverrandomness->base,
+		       serverrandomness->length);
+	isc_md5_update(&md5ctx, r.base, r.length);
+	isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
+
+	/*
+	 * XOR ( DH value, MD5-1 | MD5-2).
+	 */
+	isc_buffer_availableregion(secret, &r);
+	isc_buffer_usedregion(shared, &r2);
+	if (r.length < sizeof(digests) || r.length < r2.length)
+		return (ISC_R_NOSPACE);
+	if (r2.length > sizeof(digests)) {
+		memmove(r.base, r2.base, r2.length);
+		for (i = 0; i < sizeof(digests); i++)
+			r.base[i] ^= digests[i];
+		isc_buffer_add(secret, r2.length);
+	} else {
+		memmove(r.base, digests, sizeof(digests));
+		for (i = 0; i < r2.length; i++)
+			r.base[i] ^= r2.base[i];
+		isc_buffer_add(secret, sizeof(digests));
+	}
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(shared);
+	UNUSED(queryrandomness);
+	UNUSED(serverrandomness);
+	UNUSED(secret);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+static isc_result_t
+process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+	       dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
+	       dns_rdata_tkey_t *tkeyout,
+	       dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_name_t *keyname, ourname;
+	dns_rdataset_t *keyset = NULL;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
+	bool found_key = false, found_incompatible = false;
+	dst_key_t *pubkey = NULL;
+	isc_buffer_t ourkeybuf, *shared = NULL;
+	isc_region_t r, r2, ourkeyr;
+	unsigned char keydata[DST_KEY_MAXSIZE];
+	unsigned int sharedsize;
+	isc_buffer_t secret;
+	unsigned char *randomdata = NULL, secretdata[256];
+	dns_ttl_t ttl = 0;
+
+	if (tctx->dhkey == NULL) {
+		tkey_log("process_dhtkey: tkey-dhkey not defined");
+		tkeyout->error = dns_tsigerror_badalg;
+		return (DNS_R_REFUSED);
+	}
+
+#ifndef PK11_MD5_DISABLE
+	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		tkey_log("process_dhtkey: algorithms other than "
+			 "hmac-md5 are not supported");
+		tkeyout->error = dns_tsigerror_badalg;
+		return (ISC_R_SUCCESS);
+	}
+#else
+	tkey_log("process_dhtkey: MD5 was disabled");
+	tkeyout->error = dns_tsigerror_badalg;
+	return (ISC_R_SUCCESS);
+#endif
+
+	/*
+	 * Look for a DH KEY record that will work with ours.
+	 */
+	for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
+	     result == ISC_R_SUCCESS && !found_key;
+	     result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
+		keyname = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
+		keyset = NULL;
+		result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
+					      &keyset);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		for (result = dns_rdataset_first(keyset);
+		     result == ISC_R_SUCCESS && !found_key;
+		     result = dns_rdataset_next(keyset)) {
+			dns_rdataset_current(keyset, &keyrdata);
+			pubkey = NULL;
+			result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
+							 msg->mctx, &pubkey);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdata_reset(&keyrdata);
+				continue;
+			}
+#ifndef PK11_DH_DISABLE
+			if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
+				if (dst_key_paramcompare(pubkey, tctx->dhkey))
+				{
+					found_key = true;
+					ttl = keyset->ttl;
+					break;
+				} else
+					found_incompatible = true;
+			}
+#endif
+			dst_key_free(&pubkey);
+			dns_rdata_reset(&keyrdata);
+		}
+	}
+
+	if (!found_key) {
+		if (found_incompatible) {
+			tkey_log("process_dhtkey: found an incompatible key");
+			tkeyout->error = dns_tsigerror_badkey;
+			return (ISC_R_SUCCESS);
+		} else {
+			tkey_log("process_dhtkey: failed to find a key");
+			return (DNS_R_FORMERR);
+		}
+	}
+
+	RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
+
+	isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
+	RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
+	isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
+	dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
+			     dns_rdatatype_key, &ourkeyr);
+
+	dns_name_init(&ourname, NULL);
+	dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
+
+	/*
+	 * XXXBEW The TTL should be obtained from the database, if it exists.
+	 */
+	RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
+
+	RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
+	RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
+
+	result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
+	if (result != ISC_R_SUCCESS) {
+		tkey_log("process_dhtkey: failed to compute shared secret: %s",
+			 isc_result_totext(result));
+		goto failure;
+	}
+	dst_key_free(&pubkey);
+
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+	randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
+	if (randomdata == NULL)
+		goto failure;
+
+	result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
+				      false);
+	if (result != ISC_R_SUCCESS) {
+		tkey_log("process_dhtkey: failed to obtain entropy: %s",
+			 isc_result_totext(result));
+		goto failure;
+	}
+
+	r.base = randomdata;
+	r.length = TKEY_RANDOM_AMOUNT;
+	r2.base = tkeyin->key;
+	r2.length = tkeyin->keylen;
+	RETERR(compute_secret(shared, &r2, &r, &secret));
+	isc_buffer_free(&shared);
+
+	RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
+				  isc_buffer_base(&secret),
+				  isc_buffer_usedlength(&secret),
+				  true, signer, tkeyin->inception,
+				  tkeyin->expire, ring->mctx, ring, NULL));
+
+	/* This key is good for a long time */
+	tkeyout->inception = tkeyin->inception;
+	tkeyout->expire = tkeyin->expire;
+
+	tkeyout->key = randomdata;
+	tkeyout->keylen = TKEY_RANDOM_AMOUNT;
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (!ISC_LIST_EMPTY(*namelist))
+		free_namelist(msg, namelist);
+	if (shared != NULL)
+		isc_buffer_free(&shared);
+	if (pubkey != NULL)
+		dst_key_free(&pubkey);
+	if (randomdata != NULL)
+		isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
+	return (result);
+}
+
+static isc_result_t
+process_gsstkey(dns_name_t *name, dns_rdata_tkey_t *tkeyin,
+		dns_tkeyctx_t *tctx, dns_rdata_tkey_t *tkeyout,
+		dns_tsig_keyring_t *ring)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dst_key_t *dstkey = NULL;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *principal;
+	isc_stdtime_t now;
+	isc_region_t intoken;
+	isc_buffer_t *outtoken = NULL;
+	gss_ctx_id_t gss_ctx = NULL;
+
+	/*
+	 * You have to define either a gss credential (principal) to
+	 * accept with tkey-gssapi-credential, or you have to
+	 * configure a specific keytab (with tkey-gssapi-keytab) in
+	 * order to use gsstkey
+	 */
+	if (tctx->gsscred == NULL && tctx->gssapi_keytab == NULL) {
+		tkey_log("process_gsstkey(): no tkey-gssapi-credential "
+			 "or tkey-gssapi-keytab configured");
+		return (ISC_R_NOPERM);
+	}
+
+	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
+	    !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+		tkeyout->error = dns_tsigerror_badalg;
+		tkey_log("process_gsstkey(): dns_tsigerror_badalg");	/* XXXSRA */
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * XXXDCL need to check for key expiry per 4.1.1
+	 * XXXDCL need a way to check fully established, perhaps w/key_flags
+	 */
+
+	intoken.base = tkeyin->key;
+	intoken.length = tkeyin->keylen;
+
+	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+	if (result == ISC_R_SUCCESS)
+		gss_ctx = dst_key_getgssctx(tsigkey->key);
+
+	principal = dns_fixedname_initname(&fixed);
+
+	/*
+	 * Note that tctx->gsscred may be NULL if tctx->gssapi_keytab is set
+	 */
+	result = dst_gssapi_acceptctx(tctx->gsscred, tctx->gssapi_keytab,
+				      &intoken, &outtoken, &gss_ctx,
+				      principal, tctx->mctx);
+	if (result == DNS_R_INVALIDTKEY) {
+		if (tsigkey != NULL)
+			dns_tsigkey_detach(&tsigkey);
+		tkeyout->error = dns_tsigerror_badkey;
+		tkey_log("process_gsstkey(): dns_tsigerror_badkey");    /* XXXSRA */
+		return (ISC_R_SUCCESS);
+	}
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+		goto failure;
+	/*
+	 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
+	 */
+
+	isc_stdtime_get(&now);
+
+	if (dns_name_countlabels(principal) == 0U) {
+		if (tsigkey != NULL)
+			dns_tsigkey_detach(&tsigkey);
+	} else if (tsigkey == NULL) {
+#ifdef GSSAPI
+		OM_uint32 gret, minor, lifetime;
+#endif
+		uint32_t expire;
+
+		RETERR(dst_key_fromgssapi(name, gss_ctx, ring->mctx,
+					  &dstkey, &intoken));
+		/*
+		 * Limit keys to 1 hour or the context's lifetime whichever
+		 * is smaller.
+		 */
+		expire = now + 3600;
+#ifdef GSSAPI
+		gret = gss_context_time(&minor, gss_ctx, &lifetime);
+		if (gret == GSS_S_COMPLETE && now + lifetime < expire)
+			expire = now + lifetime;
+#endif
+		RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
+						 dstkey, true, principal,
+						 now, expire, ring->mctx, ring,
+						 NULL));
+		dst_key_free(&dstkey);
+		tkeyout->inception = now;
+		tkeyout->expire = expire;
+	} else {
+		tkeyout->inception = tsigkey->inception;
+		tkeyout->expire = tsigkey->expire;
+		dns_tsigkey_detach(&tsigkey);
+	}
+
+	if (outtoken) {
+		tkeyout->key = isc_mem_get(tkeyout->mctx,
+					   isc_buffer_usedlength(outtoken));
+		if (tkeyout->key == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		tkeyout->keylen = isc_buffer_usedlength(outtoken);
+		memmove(tkeyout->key, isc_buffer_base(outtoken),
+		       isc_buffer_usedlength(outtoken));
+		isc_buffer_free(&outtoken);
+	} else {
+		tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
+		if (tkeyout->key == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		tkeyout->keylen = tkeyin->keylen;
+		memmove(tkeyout->key, tkeyin->key, tkeyin->keylen);
+	}
+
+	tkeyout->error = dns_rcode_noerror;
+
+	tkey_log("process_gsstkey(): dns_tsigerror_noerror");   /* XXXSRA */
+
+	return (ISC_R_SUCCESS);
+
+failure:
+	if (tsigkey != NULL)
+		dns_tsigkey_detach(&tsigkey);
+
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+
+	if (outtoken != NULL)
+		isc_buffer_free(&outtoken);
+
+	tkey_log("process_gsstkey(): %s",
+		isc_result_totext(result));	/* XXXSRA */
+
+	return (result);
+}
+
+static isc_result_t
+process_deletetkey(dns_name_t *signer, dns_name_t *name,
+		   dns_rdata_tkey_t *tkeyin, dns_rdata_tkey_t *tkeyout,
+		   dns_tsig_keyring_t *ring)
+{
+	isc_result_t result;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_name_t *identity;
+
+	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+	if (result != ISC_R_SUCCESS) {
+		tkeyout->error = dns_tsigerror_badname;
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Only allow a delete if the identity that created the key is the
+	 * same as the identity that signed the message.
+	 */
+	identity = dns_tsigkey_identity(tsigkey);
+	if (identity == NULL || !dns_name_equal(identity, signer)) {
+		dns_tsigkey_detach(&tsigkey);
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * Set the key to be deleted when no references are left.  If the key
+	 * was not generated with TKEY and is in the config file, it may be
+	 * reloaded later.
+	 */
+	dns_tsigkey_setdeleted(tsigkey);
+
+	/* Release the reference */
+	dns_tsigkey_detach(&tsigkey);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+		      dns_tsig_keyring_t *ring)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_tkey_t tkeyin, tkeyout;
+	bool freetkeyin = false;
+	dns_name_t *qname, *name, *keyname, *signer, tsigner;
+	dns_fixedname_t fkeyname;
+	dns_rdataset_t *tkeyset;
+	dns_rdata_t rdata;
+	dns_namelist_t namelist;
+	char tkeyoutdata[512];
+	isc_buffer_t tkeyoutbuf;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(tctx != NULL);
+	REQUIRE(ring != NULL);
+
+	ISC_LIST_INIT(namelist);
+
+	/*
+	 * Interpret the question section.
+	 */
+	result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+	if (result != ISC_R_SUCCESS)
+		return (DNS_R_FORMERR);
+
+	qname = NULL;
+	dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
+
+	/*
+	 * Look for a TKEY record that matches the question.
+	 */
+	tkeyset = NULL;
+	name = NULL;
+	result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
+				      dns_rdatatype_tkey, 0, &name, &tkeyset);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Try the answer section, since that's where Win2000
+		 * puts it.
+		 */
+		name = NULL;
+		if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+					 dns_rdatatype_tkey, 0, &name,
+					 &tkeyset) != ISC_R_SUCCESS) {
+			result = DNS_R_FORMERR;
+			tkey_log("dns_tkey_processquery: couldn't find a TKEY "
+				 "matching the question");
+			goto failure;
+		}
+	}
+	result = dns_rdataset_first(tkeyset);
+	if (result != ISC_R_SUCCESS) {
+		result = DNS_R_FORMERR;
+		goto failure;
+	}
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(tkeyset, &rdata);
+
+	RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
+	freetkeyin = true;
+
+	if (tkeyin.error != dns_rcode_noerror) {
+		result = DNS_R_FORMERR;
+		goto failure;
+	}
+
+	/*
+	 * Before we go any farther, verify that the message was signed.
+	 * GSSAPI TKEY doesn't require a signature, the rest do.
+	 */
+	dns_name_init(&tsigner, NULL);
+	result = dns_message_signer(msg, &tsigner);
+	if (result != ISC_R_SUCCESS) {
+		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
+		    result == ISC_R_NOTFOUND)
+		       signer = NULL;
+		else {
+			tkey_log("dns_tkey_processquery: query was not "
+				 "properly signed - rejecting");
+			result = DNS_R_FORMERR;
+			goto failure;
+		}
+	} else
+		signer = &tsigner;
+
+	tkeyout.common.rdclass = tkeyin.common.rdclass;
+	tkeyout.common.rdtype = tkeyin.common.rdtype;
+	ISC_LINK_INIT(&tkeyout.common, link);
+	tkeyout.mctx = msg->mctx;
+
+	dns_name_init(&tkeyout.algorithm, NULL);
+	dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
+
+	tkeyout.inception = tkeyout.expire = 0;
+	tkeyout.mode = tkeyin.mode;
+	tkeyout.error = 0;
+	tkeyout.keylen = tkeyout.otherlen = 0;
+	tkeyout.key = tkeyout.other = NULL;
+
+	/*
+	 * A delete operation must have a fully specified key name.  If this
+	 * is not a delete, we do the following:
+	 * if (qname != ".")
+	 *	keyname = qname + defaultdomain
+	 * else
+	 *	keyname = <random hex> + defaultdomain
+	 */
+	if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
+		dns_tsigkey_t *tsigkey = NULL;
+
+		if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
+			tkey_log("dns_tkey_processquery: tkey-domain not set");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+
+		keyname = dns_fixedname_initname(&fkeyname);
+
+		if (!dns_name_equal(qname, dns_rootname)) {
+			unsigned int n = dns_name_countlabels(qname);
+			RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
+				      == ISC_R_SUCCESS);
+			dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
+		} else {
+			static char hexdigits[16] = {
+				'0', '1', '2', '3', '4', '5', '6', '7',
+				'8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+			unsigned char randomdata[16];
+			char randomtext[32];
+			isc_buffer_t b;
+			unsigned int i, j;
+
+			result = isc_entropy_getdata(tctx->ectx,
+						     randomdata,
+						     sizeof(randomdata),
+						     NULL, 0);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			for (i = 0, j = 0; i < sizeof(randomdata); i++) {
+				unsigned char val = randomdata[i];
+				randomtext[j++] = hexdigits[val >> 4];
+				randomtext[j++] = hexdigits[val & 0xF];
+			}
+			isc_buffer_init(&b, randomtext, sizeof(randomtext));
+			isc_buffer_add(&b, sizeof(randomtext));
+			result = dns_name_fromtext(keyname, &b, NULL, 0, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+		}
+
+		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
+			/* Yup.  This is a hack */
+			result = dns_name_concatenate(keyname, dns_rootname,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+		} else {
+			result = dns_name_concatenate(keyname, tctx->domain,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+		}
+
+		result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
+
+		if (result == ISC_R_SUCCESS) {
+			tkeyout.error = dns_tsigerror_badname;
+			dns_tsigkey_detach(&tsigkey);
+			goto failure_with_tkey;
+		} else if (result != ISC_R_NOTFOUND)
+			goto failure;
+	} else
+		keyname = qname;
+
+	switch (tkeyin.mode) {
+		case DNS_TKEYMODE_DIFFIEHELLMAN:
+			tkeyout.error = dns_rcode_noerror;
+			RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
+					      tctx, &tkeyout, ring,
+					      &namelist));
+			break;
+		case DNS_TKEYMODE_GSSAPI:
+			tkeyout.error = dns_rcode_noerror;
+			RETERR(process_gsstkey(keyname, &tkeyin, tctx,
+					       &tkeyout, ring));
+			break;
+		case DNS_TKEYMODE_DELETE:
+			tkeyout.error = dns_rcode_noerror;
+			RETERR(process_deletetkey(signer, keyname, &tkeyin,
+						  &tkeyout, ring));
+			break;
+		case DNS_TKEYMODE_SERVERASSIGNED:
+		case DNS_TKEYMODE_RESOLVERASSIGNED:
+			result = DNS_R_NOTIMP;
+			goto failure;
+		default:
+			tkeyout.error = dns_tsigerror_badmode;
+	}
+
+ failure_with_tkey:
+	dns_rdata_init(&rdata);
+	isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
+	result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
+				      tkeyout.common.rdtype, &tkeyout,
+				      &tkeyoutbuf);
+
+	if (freetkeyin) {
+		dns_rdata_freestruct(&tkeyin);
+		freetkeyin = false;
+	}
+
+	if (tkeyout.key != NULL)
+		isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
+	if (tkeyout.other != NULL)
+		isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
+
+	RETERR(dns_message_reply(msg, true));
+
+	name = ISC_LIST_HEAD(namelist);
+	while (name != NULL) {
+		dns_name_t *next = ISC_LIST_NEXT(name, link);
+		ISC_LIST_UNLINK(namelist, name, link);
+		dns_message_addname(msg, name, DNS_SECTION_ANSWER);
+		name = next;
+	}
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (freetkeyin)
+		dns_rdata_freestruct(&tkeyin);
+	if (!ISC_LIST_EMPTY(namelist))
+		free_namelist(msg, &namelist);
+	return (result);
+}
+
+static isc_result_t
+buildquery(dns_message_t *msg, dns_name_t *name,
+	   dns_rdata_tkey_t *tkey, bool win2k)
+{
+	dns_name_t *qname = NULL, *aname = NULL;
+	dns_rdataset_t *question = NULL, *tkeyset = NULL;
+	dns_rdatalist_t *tkeylist = NULL;
+	dns_rdata_t *rdata = NULL;
+	isc_buffer_t *dynbuf = NULL, *anamebuf = NULL, *qnamebuf = NULL;
+	isc_result_t result;
+	unsigned int len;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(tkey != NULL);
+
+	RETERR(dns_message_gettempname(msg, &qname));
+	RETERR(dns_message_gettempname(msg, &aname));
+
+	RETERR(dns_message_gettemprdataset(msg, &question));
+	dns_rdataset_makequestion(question, dns_rdataclass_any,
+				  dns_rdatatype_tkey);
+
+	len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, len));
+	RETERR(isc_buffer_allocate(msg->mctx, &anamebuf, name->length));
+	RETERR(isc_buffer_allocate(msg->mctx, &qnamebuf, name->length));
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+
+	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				    dns_rdatatype_tkey, tkey, dynbuf));
+	dns_message_takebuffer(msg, &dynbuf);
+
+	RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
+	tkeylist->rdclass = dns_rdataclass_any;
+	tkeylist->type = dns_rdatatype_tkey;
+	ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
+
+	RETERR(dns_message_gettemprdataset(msg, &tkeyset));
+	RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
+
+	dns_name_init(qname, NULL);
+	RETERR(dns_name_copy(name, qname, qnamebuf));
+
+	dns_name_init(aname, NULL);
+	RETERR(dns_name_copy(name, aname, anamebuf));
+
+	ISC_LIST_APPEND(qname->list, question, link);
+	ISC_LIST_APPEND(aname->list, tkeyset, link);
+
+	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+	dns_message_takebuffer(msg, &qnamebuf);
+
+	/*
+	 * Windows 2000 needs this in the answer section, not the additional
+	 * section where the RFC specifies.
+	 */
+	if (win2k)
+		dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
+	else
+		dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
+	dns_message_takebuffer(msg, &anamebuf);
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (qname != NULL)
+		dns_message_puttempname(msg, &qname);
+	if (aname != NULL)
+		dns_message_puttempname(msg, &aname);
+	if (question != NULL) {
+		dns_rdataset_disassociate(question);
+		dns_message_puttemprdataset(msg, &question);
+	}
+	if (dynbuf != NULL)
+		isc_buffer_free(&dynbuf);
+	if (qnamebuf != NULL)
+		isc_buffer_free(&qnamebuf);
+	if (anamebuf != NULL)
+		isc_buffer_free(&anamebuf);
+	return (result);
+}
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
+		      dns_name_t *algorithm, isc_buffer_t *nonce,
+		      uint32_t lifetime)
+{
+	dns_rdata_tkey_t tkey;
+	dns_rdata_t *rdata = NULL;
+	isc_buffer_t *dynbuf = NULL;
+	isc_region_t r;
+	dns_name_t keyname;
+	dns_namelist_t namelist;
+	isc_result_t result;
+	isc_stdtime_t now;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+	REQUIRE(dst_key_isprivate(key));
+	REQUIRE(name != NULL);
+	REQUIRE(algorithm != NULL);
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = msg->mctx;
+	dns_name_init(&tkey.algorithm, NULL);
+	dns_name_clone(algorithm, &tkey.algorithm);
+	isc_stdtime_get(&now);
+	tkey.inception = now;
+	tkey.expire = now + lifetime;
+	tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
+	if (nonce != NULL)
+		isc_buffer_usedregion(nonce, &r);
+	else {
+		r.base = NULL;
+		r.length = 0;
+	}
+	tkey.error = 0;
+	tkey.key = r.base;
+	tkey.keylen =  r.length;
+	tkey.other = NULL;
+	tkey.otherlen = 0;
+
+	RETERR(buildquery(msg, name, &tkey, false));
+
+	RETERR(dns_message_gettemprdata(msg, &rdata));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
+	RETERR(dst_key_todns(key, dynbuf));
+	isc_buffer_usedregion(dynbuf, &r);
+	dns_rdata_fromregion(rdata, dns_rdataclass_any,
+			     dns_rdatatype_key, &r);
+	dns_message_takebuffer(msg, &dynbuf);
+
+	dns_name_init(&keyname, NULL);
+	dns_name_clone(dst_key_name(key), &keyname);
+
+	ISC_LIST_INIT(namelist);
+	RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
+	name = ISC_LIST_HEAD(namelist);
+	while (name != NULL) {
+		dns_name_t *next = ISC_LIST_NEXT(name, link);
+		ISC_LIST_UNLINK(namelist, name, link);
+		dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
+		name = next;
+	}
+
+	return (ISC_R_SUCCESS);
+
+ failure:
+
+	if (dynbuf != NULL)
+		isc_buffer_free(&dynbuf);
+	return (result);
+}
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+		       isc_buffer_t *intoken, uint32_t lifetime,
+		       gss_ctx_id_t *context, bool win2k,
+		       isc_mem_t *mctx, char **err_message)
+{
+	dns_rdata_tkey_t tkey;
+	isc_result_t result;
+	isc_stdtime_t now;
+	isc_buffer_t token;
+	unsigned char array[TEMP_BUFFER_SZ];
+
+	UNUSED(intoken);
+
+	REQUIRE(msg != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(gname != NULL);
+	REQUIRE(context != NULL);
+	REQUIRE(mctx != NULL);
+
+	isc_buffer_init(&token, array, sizeof(array));
+	result = dst_gssapi_initctx(gname, NULL, &token, context,
+				    mctx, err_message);
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+		return (result);
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = NULL;
+	dns_name_init(&tkey.algorithm, NULL);
+
+	if (win2k)
+		dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+	else
+		dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
+	isc_stdtime_get(&now);
+	tkey.inception = now;
+	tkey.expire = now + lifetime;
+	tkey.mode = DNS_TKEYMODE_GSSAPI;
+	tkey.error = 0;
+	tkey.key = isc_buffer_base(&token);
+	tkey.keylen = isc_buffer_usedlength(&token);
+	tkey.other = NULL;
+	tkey.otherlen = 0;
+
+	return (buildquery(msg, name, &tkey, win2k));
+}
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
+	dns_rdata_tkey_t tkey;
+
+	REQUIRE(msg != NULL);
+	REQUIRE(key != NULL);
+
+	tkey.common.rdclass = dns_rdataclass_any;
+	tkey.common.rdtype = dns_rdatatype_tkey;
+	ISC_LINK_INIT(&tkey.common, link);
+	tkey.mctx = msg->mctx;
+	dns_name_init(&tkey.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tkey.algorithm);
+	tkey.inception = tkey.expire = 0;
+	tkey.mode = DNS_TKEYMODE_DELETE;
+	tkey.error = 0;
+	tkey.keylen = tkey.otherlen = 0;
+	tkey.key = tkey.other = NULL;
+
+	return (buildquery(msg, &key->name, &tkey, false));
+}
+
+static isc_result_t
+find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
+	  int section)
+{
+	dns_rdataset_t *tkeyset;
+	isc_result_t result;
+
+	result = dns_message_firstname(msg, section);
+	while (result == ISC_R_SUCCESS) {
+		*name = NULL;
+		dns_message_currentname(msg, section, name);
+		tkeyset = NULL;
+		result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
+					      &tkeyset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_rdataset_first(tkeyset);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			dns_rdataset_current(tkeyset, rdata);
+			return (ISC_R_SUCCESS);
+		}
+		result = dns_message_nextname(msg, section);
+	}
+	if (result == ISC_R_NOMORE)
+		return (ISC_R_NOTFOUND);
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			   dst_key_t *key, isc_buffer_t *nonce,
+			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
+{
+	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
+	dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
+	dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
+	dst_key_t *theirkey = NULL;
+	dns_rdata_tkey_t qtkey, rtkey;
+	unsigned char secretdata[256];
+	unsigned int sharedsize;
+	isc_buffer_t *shared = NULL, secret;
+	isc_region_t r, r2;
+	isc_result_t result;
+	bool freertkey = false;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(key != NULL);
+	REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+	REQUIRE(dst_key_isprivate(key));
+	if (outkey != NULL)
+		REQUIRE(*outkey == NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror)
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+	freertkey = true;
+
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+			 DNS_SECTION_ADDITIONAL));
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
+	    rtkey.mode != qtkey.mode ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+	    rmsg->rcode != dns_rcode_noerror) {
+		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+			 "or error set(1)");
+		result = DNS_R_INVALIDTKEY;
+		dns_rdata_freestruct(&qtkey);
+		goto failure;
+	}
+
+	dns_rdata_freestruct(&qtkey);
+
+	dns_name_init(&keyname, NULL);
+	dns_name_clone(dst_key_name(key), &keyname);
+
+	ourkeyname = NULL;
+	ourkeyset = NULL;
+	RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
+				    dns_rdatatype_key, 0, &ourkeyname,
+				    &ourkeyset));
+
+	result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
+	while (result == ISC_R_SUCCESS) {
+		theirkeyname = NULL;
+		dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
+					&theirkeyname);
+		if (dns_name_equal(theirkeyname, ourkeyname))
+			goto next;
+		theirkeyset = NULL;
+		result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
+					      0, &theirkeyset);
+		if (result == ISC_R_SUCCESS) {
+			RETERR(dns_rdataset_first(theirkeyset));
+			break;
+		}
+ next:
+		result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
+	}
+
+	if (theirkeyset == NULL) {
+		tkey_log("dns_tkey_processdhresponse: failed to find server "
+			 "key");
+		result = ISC_R_NOTFOUND;
+		goto failure;
+	}
+
+	dns_rdataset_current(theirkeyset, &theirkeyrdata);
+	RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
+				       rmsg->mctx, &theirkey));
+
+	RETERR(dst_key_secretsize(key, &sharedsize));
+	RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
+
+	RETERR(dst_key_computesecret(theirkey, key, shared));
+
+	isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+	r.base = rtkey.key;
+	r.length = rtkey.keylen;
+	if (nonce != NULL)
+		isc_buffer_usedregion(nonce, &r2);
+	else {
+		r2.base = NULL;
+		r2.length = 0;
+	}
+	RETERR(compute_secret(shared, &r2, &r, &secret));
+
+	isc_buffer_usedregion(&secret, &r);
+	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
+				    r.base, r.length, true,
+				    NULL, rtkey.inception, rtkey.expire,
+				    rmsg->mctx, ring, outkey);
+	isc_buffer_free(&shared);
+	dns_rdata_freestruct(&rtkey);
+	dst_key_free(&theirkey);
+	return (result);
+
+ failure:
+	if (shared != NULL)
+		isc_buffer_free(&shared);
+
+	if (theirkey != NULL)
+		dst_key_free(&theirkey);
+
+	if (freertkey)
+		dns_rdata_freestruct(&rtkey);
+
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			    dns_name_t *gname, gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring, char **err_message)
+{
+	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname;
+	dns_rdata_tkey_t rtkey, qtkey;
+	dst_key_t *dstkey = NULL;
+	isc_buffer_t intoken;
+	isc_result_t result;
+	unsigned char array[TEMP_BUFFER_SZ];
+
+	REQUIRE(outtoken != NULL);
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(gname != NULL);
+	REQUIRE(ring != NULL);
+	if (outkey != NULL)
+		REQUIRE(*outkey == NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror)
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+	/*
+	 * Win2k puts the item in the ANSWER section, while the RFC
+	 * specifies it should be in the ADDITIONAL section.  Check first
+	 * where it should be, and then where it may be.
+	 */
+	result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+			   DNS_SECTION_ADDITIONAL);
+	if (result == ISC_R_NOTFOUND)
+		result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				   DNS_SECTION_ANSWER);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
+		tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
+			 "or error set(2) %d", rtkey.error);
+		dumpmessage(qmsg);
+		dumpmessage(rmsg);
+		result = DNS_R_INVALIDTKEY;
+		goto failure;
+	}
+
+	isc_buffer_init(outtoken, array, sizeof(array));
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
+				  ring->mctx, err_message));
+
+	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
+				  &dstkey, NULL));
+
+	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
+					 dstkey, false, NULL,
+					 rtkey.inception, rtkey.expire,
+					 ring->mctx, ring, outkey));
+	dst_key_free(&dstkey);
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+
+ failure:
+	/*
+	 * XXXSRA This probably leaks memory from rtkey and qtkey.
+	 */
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+			       dns_tsig_keyring_t *ring)
+{
+	dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname, *tempname;
+	dns_rdata_tkey_t qtkey, rtkey;
+	dns_tsigkey_t *tsigkey = NULL;
+	isc_result_t result;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror)
+		return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+	RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+			 DNS_SECTION_ADDITIONAL));
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_DELETE ||
+	    rtkey.mode != qtkey.mode ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+	    rmsg->rcode != dns_rcode_noerror) {
+		tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
+			 "or error set(3)");
+		result = DNS_R_INVALIDTKEY;
+		dns_rdata_freestruct(&qtkey);
+		dns_rdata_freestruct(&rtkey);
+		goto failure;
+	}
+
+	dns_rdata_freestruct(&qtkey);
+
+	RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
+
+	dns_rdata_freestruct(&rtkey);
+
+	/*
+	 * Mark the key as deleted.
+	 */
+	dns_tsigkey_setdeleted(tsigkey);
+	/*
+	 * Release the reference.
+	 */
+	dns_tsigkey_detach(&tsigkey);
+
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      dns_name_t *server, gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      bool win2k, char **err_message)
+{
+	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname;
+	dns_rdata_tkey_t rtkey, qtkey, tkey;
+	isc_buffer_t intoken, outtoken;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	unsigned char array[TEMP_BUFFER_SZ];
+	bool freertkey = false;
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(server != NULL);
+	if (outkey != NULL)
+		REQUIRE(*outkey == NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror)
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+	freertkey = true;
+
+	if (win2k == true)
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				 DNS_SECTION_ANSWER));
+	else
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				 DNS_SECTION_ADDITIONAL));
+
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
+	{
+		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+			 "or error set(4)");
+		result = DNS_R_INVALIDTKEY;
+		goto failure;
+	}
+
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	isc_buffer_init(&outtoken, array, sizeof(array));
+
+	result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
+				    ring->mctx, err_message);
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+		return (result);
+
+	if (result == DNS_R_CONTINUE) {
+		dns_fixedname_t fixed;
+
+		dns_fixedname_init(&fixed);
+		dns_name_copy(tkeyname, dns_fixedname_name(&fixed), NULL);
+		tkeyname = dns_fixedname_name(&fixed);
+
+		tkey.common.rdclass = dns_rdataclass_any;
+		tkey.common.rdtype = dns_rdatatype_tkey;
+		ISC_LINK_INIT(&tkey.common, link);
+		tkey.mctx = NULL;
+		dns_name_init(&tkey.algorithm, NULL);
+
+		if (win2k)
+			dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+		else
+			dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
+		tkey.inception = qtkey.inception;
+		tkey.expire = qtkey.expire;
+		tkey.mode = DNS_TKEYMODE_GSSAPI;
+		tkey.error = 0;
+		tkey.key = isc_buffer_base(&outtoken);
+		tkey.keylen = isc_buffer_usedlength(&outtoken);
+		tkey.other = NULL;
+		tkey.otherlen = 0;
+
+		dns_message_reset(qmsg, DNS_MESSAGE_INTENTRENDER);
+		RETERR(buildquery(qmsg, tkeyname, &tkey, win2k));
+		return (DNS_R_CONTINUE);
+	}
+
+	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
+				  &dstkey, NULL));
+
+	/*
+	 * XXXSRA This seems confused.  If we got CONTINUE from initctx,
+	 * the GSS negotiation hasn't completed yet, so we can't sign
+	 * anything yet.
+	 */
+
+	RETERR(dns_tsigkey_createfromkey(tkeyname,
+					 (win2k
+					  ? DNS_TSIG_GSSAPIMS_NAME
+					  : DNS_TSIG_GSSAPI_NAME),
+					 dstkey, true, NULL,
+					 rtkey.inception, rtkey.expire,
+					 ring->mctx, ring, outkey));
+	dst_key_free(&dstkey);
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+
+ failure:
+	/*
+	 * XXXSRA This probably leaks memory from qtkey.
+	 */
+	if (freertkey)
+		dns_rdata_freestruct(&rtkey);
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
diff --git a/lib/dns/tsec.c b/lib/dns/tsec.c
new file mode 100644
index 0000000..c5eca0e
--- /dev/null
+++ b/lib/dns/tsec.c
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <dns/tsec.h>
+#include <dns/tsig.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#define DNS_TSEC_MAGIC			ISC_MAGIC('T', 's', 'e', 'c')
+#define DNS_TSEC_VALID(t)		ISC_MAGIC_VALID(t, DNS_TSEC_MAGIC)
+
+/*%
+ * DNS Transaction Security object.  We assume this is not shared by
+ * multiple threads, and so the structure does not contain a lock.
+ */
+struct dns_tsec {
+	unsigned int		magic;
+	dns_tsectype_t		type;
+	isc_mem_t		*mctx;
+	union {
+		dns_tsigkey_t	*tsigkey;
+		dst_key_t	*key;
+	} ukey;
+};
+
+isc_result_t
+dns_tsec_create(isc_mem_t *mctx, dns_tsectype_t type, dst_key_t *key,
+		dns_tsec_t **tsecp)
+{
+	isc_result_t result;
+	dns_tsec_t *tsec;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_name_t *algname;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(tsecp != NULL && *tsecp == NULL);
+
+	tsec = isc_mem_get(mctx, sizeof(*tsec));
+	if (tsec == NULL)
+		return (ISC_R_NOMEMORY);
+
+	tsec->type = type;
+	tsec->mctx = mctx;
+
+	switch (type) {
+	case dns_tsectype_tsig:
+		switch (dst_key_alg(key)) {
+#ifndef PK11_MD5_DISABLE
+		case DST_ALG_HMACMD5:
+			algname = dns_tsig_hmacmd5_name;
+			break;
+#endif
+		case DST_ALG_HMACSHA1:
+			algname = dns_tsig_hmacsha1_name;
+			break;
+		case DST_ALG_HMACSHA224:
+			algname = dns_tsig_hmacsha224_name;
+			break;
+		case DST_ALG_HMACSHA256:
+			algname = dns_tsig_hmacsha256_name;
+			break;
+		case DST_ALG_HMACSHA384:
+			algname = dns_tsig_hmacsha384_name;
+			break;
+		case DST_ALG_HMACSHA512:
+			algname = dns_tsig_hmacsha512_name;
+			break;
+		default:
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (DNS_R_BADALG);
+		}
+		result = dns_tsigkey_createfromkey(dst_key_name(key),
+						   algname, key, false,
+						   NULL, 0, 0, mctx, NULL,
+						   &tsigkey);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, tsec, sizeof(*tsec));
+			return (result);
+		}
+		tsec->ukey.tsigkey = tsigkey;
+		break;
+	case dns_tsectype_sig0:
+		tsec->ukey.key = key;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	tsec->magic = DNS_TSEC_MAGIC;
+
+	*tsecp = tsec;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_tsec_destroy(dns_tsec_t **tsecp) {
+	dns_tsec_t *tsec;
+
+	REQUIRE(tsecp != NULL && *tsecp != NULL);
+	tsec = *tsecp;
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_detach(&tsec->ukey.tsigkey);
+		break;
+	case dns_tsectype_sig0:
+		dst_key_free(&tsec->ukey.key);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	tsec->magic = 0;
+	isc_mem_put(tsec->mctx, tsec, sizeof(*tsec));
+
+	*tsecp = NULL;
+}
+
+dns_tsectype_t
+dns_tsec_gettype(dns_tsec_t *tsec) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+
+	return (tsec->type);
+}
+
+void
+dns_tsec_getkey(dns_tsec_t *tsec, void *keyp) {
+	REQUIRE(DNS_TSEC_VALID(tsec));
+	REQUIRE(keyp != NULL);
+
+	switch (tsec->type) {
+	case dns_tsectype_tsig:
+		dns_tsigkey_attach(tsec->ukey.tsigkey, (dns_tsigkey_t **)keyp);
+		break;
+	case dns_tsectype_sig0:
+		*(dst_key_t **)keyp = tsec->ukey.key;
+		break;
+	default:
+		INSIST(0);
+	}
+}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
new file mode 100644
index 0000000..a94ec69
--- /dev/null
+++ b/lib/dns/tsig.c
@@ -0,0 +1,2019 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * $Id$
+ */
+/*! \file */
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/serial.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+#include <isc/time.h>
+
+#include <pk11/site.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/result.h>
+
+#define TSIG_MAGIC		ISC_MAGIC('T', 'S', 'I', 'G')
+#define VALID_TSIG_KEY(x)	ISC_MAGIC_VALID(x, TSIG_MAGIC)
+
+#ifndef DNS_TSIG_MAXGENERATEDKEYS
+#define DNS_TSIG_MAXGENERATEDKEYS 4096
+#endif
+
+#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+#ifndef PK11_MD5_DISABLE
+#define algname_is_allocated(algname) \
+	((algname) != dns_tsig_hmacmd5_name && \
+	 (algname) != dns_tsig_hmacsha1_name && \
+	 (algname) != dns_tsig_hmacsha224_name && \
+	 (algname) != dns_tsig_hmacsha256_name && \
+	 (algname) != dns_tsig_hmacsha384_name && \
+	 (algname) != dns_tsig_hmacsha512_name && \
+	 (algname) != dns_tsig_gssapi_name && \
+	 (algname) != dns_tsig_gssapims_name)
+#else
+#define algname_is_allocated(algname) \
+	((algname) != dns_tsig_hmacsha1_name && \
+	 (algname) != dns_tsig_hmacsha224_name && \
+	 (algname) != dns_tsig_hmacsha256_name && \
+	 (algname) != dns_tsig_hmacsha384_name && \
+	 (algname) != dns_tsig_hmacsha512_name && \
+	 (algname) != dns_tsig_gssapi_name && \
+	 (algname) != dns_tsig_gssapims_name)
+#endif
+
+#define BADTIMELEN 6
+
+#ifndef PK11_MD5_DISABLE
+static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
+static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
+
+static dns_name_t hmacmd5 =
+	DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
+#endif
+
+static unsigned char gsstsig_ndata[] = "\010gss-tsig";
+static unsigned char gsstsig_offsets[] = { 0, 9 };
+static dns_name_t gsstsig =
+	DNS_NAME_INITABSOLUTE(gsstsig_ndata, gsstsig_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
+
+/*
+ * Since Microsoft doesn't follow its own standard, we will use this
+ * alternate name as a second guess.
+ */
+static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
+static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
+static dns_name_t gsstsigms =
+	DNS_NAME_INITABSOLUTE(gsstsigms_ndata, gsstsigms_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
+
+static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
+static unsigned char hmacsha1_offsets[] = { 0, 10 };
+static dns_name_t hmacsha1 =
+	DNS_NAME_INITABSOLUTE(hmacsha1_ndata, hmacsha1_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
+
+static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
+static unsigned char hmacsha224_offsets[] = { 0, 12 };
+static dns_name_t hmacsha224 =
+	DNS_NAME_INITABSOLUTE(hmacsha224_ndata, hmacsha224_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
+
+static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
+static unsigned char hmacsha256_offsets[] = { 0, 12 };
+static dns_name_t hmacsha256 =
+	DNS_NAME_INITABSOLUTE(hmacsha256_ndata, hmacsha256_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
+
+static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
+static unsigned char hmacsha384_offsets[] = { 0, 12 };
+static dns_name_t hmacsha384 =
+	DNS_NAME_INITABSOLUTE(hmacsha384_ndata, hmacsha384_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
+
+static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
+static unsigned char hmacsha512_offsets[] = { 0, 12 };
+static dns_name_t hmacsha512 =
+	DNS_NAME_INITABSOLUTE(hmacsha512_ndata, hmacsha512_offsets);
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+static void
+cleanup_ring(dns_tsig_keyring_t *ring);
+static void
+tsigkey_free(dns_tsigkey_t *key);
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
+	va_list ap;
+	char message[4096];
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+
+	if (isc_log_wouldlog(dns_lctx, level) == false)
+		return;
+	if (key != NULL) {
+		dns_name_format(&key->name, namestr, sizeof(namestr));
+	} else {
+		strlcpy(namestr, "<null>", sizeof(namestr));
+	}
+
+	if (key != NULL && key->generated && key->creator) {
+		dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
+	} else {
+		strlcpy(creatorstr, "<null>", sizeof(creatorstr));
+	}
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+	if (key != NULL && key->generated) {
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+			      level, "tsig key '%s' (%s): %s",
+			      namestr, creatorstr, message);
+	} else {
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+			      level, "tsig key '%s': %s", namestr, message);
+	}
+}
+
+static void
+remove_fromring(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+		tkey->ring->generated--;
+	}
+	(void)dns_rbt_deletename(tkey->ring->keys, &tkey->name, false);
+}
+
+static void
+adjust_lru(dns_tsigkey_t *tkey) {
+	if (tkey->generated) {
+		RWLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+		/*
+		 * We may have been removed from the LRU list between
+		 * removing the read lock and aquiring the write lock.
+		 */
+		if (ISC_LINK_LINKED(tkey, link) &&
+		    tkey->ring->lru.tail != tkey)
+		{
+			ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
+			ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
+		}
+		RWUNLOCK(&tkey->ring->lock, isc_rwlocktype_write);
+	}
+}
+
+/*
+ * A supplemental routine just to add a key to ring.  Note that reference
+ * counter should be counted separately because we may be adding the key
+ * as part of creation of the key, in which case the reference counter was
+ * already initialized.  Also note we don't need RWLOCK for the reference
+ * counter: it's protected by a separate lock.
+ */
+static isc_result_t
+keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+	    dns_tsigkey_t *tkey)
+{
+	isc_result_t result;
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	ring->writecount++;
+
+	/*
+	 * Do on the fly cleaning.  Find some nodes we might not
+	 * want around any more.
+	 */
+	if (ring->writecount > 10) {
+		cleanup_ring(ring);
+		ring->writecount = 0;
+	}
+
+	result = dns_rbt_addname(ring->keys, name, tkey);
+	if (result == ISC_R_SUCCESS && tkey->generated) {
+		/*
+		 * Add the new key to the LRU list and remove the least
+		 * recently used key if there are too many keys on the list.
+		 */
+		ISC_LIST_APPEND(ring->lru, tkey, link);
+		if (ring->generated++ > ring->maxgenerated)
+			remove_fromring(ISC_LIST_HEAD(ring->lru));
+	}
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+			  dst_key_t *dstkey, bool generated,
+			  dns_name_t *creator, isc_stdtime_t inception,
+			  isc_stdtime_t expire, isc_mem_t *mctx,
+			  dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
+{
+	dns_tsigkey_t *tkey;
+	isc_result_t ret;
+	unsigned int refs = 0;
+
+	REQUIRE(key == NULL || *key == NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(algorithm != NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(key != NULL || ring != NULL);
+
+	tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
+	if (tkey == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dns_name_init(&tkey->name, NULL);
+	ret = dns_name_dup(name, mctx, &tkey->name);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_key;
+	(void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
+
+#ifndef PK11_MD5_DISABLE
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
+		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else
+#endif
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA1_NAME;
+		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACSHA1) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA224_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA224) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA256_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA256) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA384_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA384) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+		tkey->algorithm = DNS_TSIG_HMACSHA512_NAME;
+		if (dstkey != NULL &&
+		    dst_key_alg(dstkey) != DST_ALG_HMACSHA512) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
+		tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
+		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+		tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
+		if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+	} else {
+		if (dstkey != NULL) {
+			ret = DNS_R_BADALG;
+			goto cleanup_name;
+		}
+		tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (tkey->algorithm == NULL) {
+			ret = ISC_R_NOMEMORY;
+			goto cleanup_name;
+		}
+		dns_name_init(tkey->algorithm, NULL);
+		ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_algorithm;
+		(void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
+					NULL);
+	}
+
+	if (creator != NULL) {
+		tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
+		if (tkey->creator == NULL) {
+			ret = ISC_R_NOMEMORY;
+			goto cleanup_algorithm;
+		}
+		dns_name_init(tkey->creator, NULL);
+		ret = dns_name_dup(creator, mctx, tkey->creator);
+		if (ret != ISC_R_SUCCESS) {
+			isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
+			goto cleanup_algorithm;
+		}
+	} else
+		tkey->creator = NULL;
+
+	tkey->key = NULL;
+	if (dstkey != NULL)
+		dst_key_attach(dstkey, &tkey->key);
+	tkey->ring = ring;
+
+	if (key != NULL)
+		refs = 1;
+	if (ring != NULL)
+		refs++;
+	ret = isc_refcount_init(&tkey->refs, refs);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_creator;
+
+	tkey->generated = generated;
+	tkey->inception = inception;
+	tkey->expire = expire;
+	tkey->mctx = NULL;
+	isc_mem_attach(mctx, &tkey->mctx);
+	ISC_LINK_INIT(tkey, link);
+
+	tkey->magic = TSIG_MAGIC;
+
+	if (ring != NULL) {
+		ret = keyring_add(ring, name, tkey);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_refs;
+	}
+
+	/*
+	 * Ignore this if it's a GSS key, since the key size is meaningless.
+	 */
+	if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
+	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME) &&
+	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+			      DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
+			      "the key '%s' is too short to be secure",
+			      namestr);
+	}
+
+	if (key != NULL)
+		*key = tkey;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_refs:
+	tkey->magic = 0;
+	while (refs-- > 0)
+		isc_refcount_decrement(&tkey->refs, NULL);
+	isc_refcount_destroy(&tkey->refs);
+ cleanup_creator:
+	if (tkey->key != NULL)
+		dst_key_free(&tkey->key);
+	if (tkey->creator != NULL) {
+		dns_name_free(tkey->creator, mctx);
+		isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
+	}
+ cleanup_algorithm:
+	if (algname_is_allocated(tkey->algorithm)) {
+		if (dns_name_dynamic(tkey->algorithm))
+			dns_name_free(tkey->algorithm, mctx);
+		isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
+	}
+ cleanup_name:
+	dns_name_free(&tkey->name, mctx);
+ cleanup_key:
+	isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
+
+	return (ret);
+}
+
+/*
+ * Find a few nodes to destroy if possible.
+ */
+static void
+cleanup_ring(dns_tsig_keyring_t *ring)
+{
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	isc_stdtime_t now;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+
+	/*
+	 * Start up a new iterator each time.
+	 */
+	isc_stdtime_get(&now);
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+
+ again:
+	dns_rbtnodechain_init(&chain, ring->mctx);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+					origin);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return;
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+		if (tkey != NULL) {
+			if (tkey->generated
+			    && isc_refcount_current(&tkey->refs) == 1
+			    && tkey->inception != tkey->expire
+			    && tkey->expire < now) {
+				tsig_log(tkey, 2, "tsig expire: deleting");
+				/* delete the key */
+				dns_rbtnodechain_invalidate(&chain);
+				remove_fromring(tkey);
+				goto again;
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname,
+					       origin);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return;
+		}
+	}
+}
+
+static void
+destroyring(dns_tsig_keyring_t *ring) {
+	dns_rbt_destroy(&ring->keys);
+	isc_rwlock_destroy(&ring->lock);
+	isc_mem_putanddetach(&ring->mctx, ring, sizeof(dns_tsig_keyring_t));
+}
+
+static unsigned int
+dst_alg_fromname(dns_name_t *algorithm) {
+#ifndef PK11_MD5_DISABLE
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		return (DST_ALG_HMACMD5);
+	} else
+#endif
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+		return (DST_ALG_HMACSHA1);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+		return (DST_ALG_HMACSHA224);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+		return (DST_ALG_HMACSHA256);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+		return (DST_ALG_HMACSHA384);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+		return (DST_ALG_HMACSHA512);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
+		return (DST_ALG_GSSAPI);
+	} else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+		return (DST_ALG_GSSAPI);
+	} else
+		return (0);
+}
+
+static isc_result_t
+restore_key(dns_tsig_keyring_t *ring, isc_stdtime_t now, FILE *fp) {
+	dst_key_t *dstkey = NULL;
+	char namestr[1024];
+	char creatorstr[1024];
+	char algorithmstr[1024];
+	char keystr[4096];
+	unsigned int inception, expire;
+	int n;
+	isc_buffer_t b;
+	dns_name_t *name, *creator, *algorithm;
+	dns_fixedname_t fname, fcreator, falgorithm;
+	isc_result_t result;
+	unsigned int dstalg;
+
+	n = fscanf(fp, "%1023s %1023s %u %u %1023s %4095s\n", namestr,
+		   creatorstr, &inception, &expire, algorithmstr, keystr);
+	if (n == EOF)
+		return (ISC_R_NOMORE);
+	if (n != 6)
+		return (ISC_R_FAILURE);
+
+	if (isc_serial_lt(expire, now))
+		return (DNS_R_EXPIRED);
+
+	name = dns_fixedname_initname(&fname);
+	isc_buffer_init(&b, namestr, strlen(namestr));
+	isc_buffer_add(&b, strlen(namestr));
+	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	creator = dns_fixedname_initname(&fcreator);
+	isc_buffer_init(&b, creatorstr, strlen(creatorstr));
+	isc_buffer_add(&b, strlen(creatorstr));
+	result = dns_name_fromtext(creator, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	algorithm = dns_fixedname_initname(&falgorithm);
+	isc_buffer_init(&b, algorithmstr, strlen(algorithmstr));
+	isc_buffer_add(&b, strlen(algorithmstr));
+	result = dns_name_fromtext(algorithm, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dstalg = dst_alg_fromname(algorithm);
+	if (dstalg == 0)
+		return (DNS_R_BADALG);
+
+	result = dst_key_restore(name, dstalg, DNS_KEYOWNER_ENTITY,
+				 DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
+				 ring->mctx, keystr, &dstkey);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
+					   true, creator, inception,
+					   expire, ring->mctx, ring, NULL);
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+
+static void
+dump_key(dns_tsigkey_t *tkey, FILE *fp) {
+	char *buffer = NULL;
+	int length = 0;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+	char algorithmstr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+
+	REQUIRE(tkey != NULL);
+	REQUIRE(fp != NULL);
+
+	dns_name_format(&tkey->name, namestr, sizeof(namestr));
+	dns_name_format(tkey->creator, creatorstr, sizeof(creatorstr));
+	dns_name_format(tkey->algorithm, algorithmstr, sizeof(algorithmstr));
+	result = dst_key_dump(tkey->key, tkey->mctx, &buffer, &length);
+	if (result == ISC_R_SUCCESS)
+		fprintf(fp, "%s %s %u %u %s %.*s\n", namestr, creatorstr,
+			tkey->inception, tkey->expire, algorithmstr,
+			length, buffer);
+	if (buffer != NULL)
+		isc_mem_put(tkey->mctx, buffer, length);
+}
+
+isc_result_t
+dns_tsigkeyring_dumpanddetach(dns_tsig_keyring_t **ringp, FILE *fp) {
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	isc_stdtime_t now;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+	dns_tsig_keyring_t *ring;
+	unsigned int references;
+
+	REQUIRE(ringp != NULL && *ringp != NULL);
+
+	ring = *ringp;
+	*ringp = NULL;
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	INSIST(ring->references > 0);
+	ring->references--;
+	references = ring->references;
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	if (references != 0)
+		return (DNS_R_CONTINUE);
+
+	isc_stdtime_get(&now);
+	dns_name_init(&foundname, NULL);
+	origin = dns_fixedname_initname(&fixedorigin);
+	dns_rbtnodechain_init(&chain, ring->mctx);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+					origin);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		goto destroy;
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+		if (tkey != NULL && tkey->generated && tkey->expire >= now)
+			dump_key(tkey, fp);
+		result = dns_rbtnodechain_next(&chain, &foundname,
+					       origin);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			if (result == ISC_R_NOMORE)
+				result = ISC_R_SUCCESS;
+			goto destroy;
+		}
+	}
+
+ destroy:
+	destroyring(ring);
+	return (result);
+}
+
+isc_result_t
+dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+		   unsigned char *secret, int length, bool generated,
+		   dns_name_t *creator, isc_stdtime_t inception,
+		   isc_stdtime_t expire, isc_mem_t *mctx,
+		   dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
+{
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+
+	REQUIRE(length >= 0);
+	if (length > 0)
+		REQUIRE(secret != NULL);
+
+#ifndef PK11_MD5_DISABLE
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else
+#endif
+	if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA1_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA1,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA224_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA224,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA256_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA256,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA384_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA384,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (dns_name_equal(algorithm, DNS_TSIG_HMACSHA512_NAME)) {
+		if (secret != NULL) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, secret, length);
+			isc_buffer_add(&b, length);
+			result = dst_key_frombuffer(name, DST_ALG_HMACSHA512,
+						    DNS_KEYOWNER_ENTITY,
+						    DNS_KEYPROTO_DNSSEC,
+						    dns_rdataclass_in,
+						    &b, mctx, &dstkey);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+		}
+	} else if (length > 0)
+		return (DNS_R_BADALG);
+
+	result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
+					   generated, creator,
+					   inception, expire, mctx, ring, key);
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
+	REQUIRE(VALID_TSIG_KEY(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->refs, NULL);
+	*targetp = source;
+}
+
+static void
+tsigkey_free(dns_tsigkey_t *key) {
+	REQUIRE(VALID_TSIG_KEY(key));
+
+	key->magic = 0;
+	dns_name_free(&key->name, key->mctx);
+	if (algname_is_allocated(key->algorithm)) {
+		dns_name_free(key->algorithm, key->mctx);
+		isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
+	}
+	if (key->key != NULL)
+		dst_key_free(&key->key);
+	if (key->creator != NULL) {
+		dns_name_free(key->creator, key->mctx);
+		isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
+	}
+	isc_refcount_destroy(&key->refs);
+	isc_mem_putanddetach(&key->mctx, key, sizeof(dns_tsigkey_t));
+}
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp) {
+	dns_tsigkey_t *key;
+	unsigned int refs;
+
+	REQUIRE(keyp != NULL);
+	REQUIRE(VALID_TSIG_KEY(*keyp));
+
+	key = *keyp;
+	isc_refcount_decrement(&key->refs, &refs);
+
+	if (refs == 0)
+		tsigkey_free(key);
+
+	*keyp = NULL;
+}
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
+	REQUIRE(VALID_TSIG_KEY(key));
+	REQUIRE(key->ring != NULL);
+
+	RWLOCK(&key->ring->lock, isc_rwlocktype_write);
+	remove_fromring(key);
+	RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
+}
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg) {
+	dns_tsigkey_t *key;
+	dns_rdata_any_tsig_t tsig, querytsig;
+	unsigned char data[128];
+	isc_buffer_t databuf, sigbuf;
+	isc_buffer_t *dynbuf;
+	dns_name_t *owner;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *datalist;
+	dns_rdataset_t *dataset;
+	isc_region_t r;
+	isc_stdtime_t now;
+	isc_mem_t *mctx;
+	dst_context_t *ctx = NULL;
+	isc_result_t ret;
+	unsigned char badtimedata[BADTIMELEN];
+	unsigned int sigsize = 0;
+	bool response;
+
+	REQUIRE(msg != NULL);
+	key = dns_message_gettsigkey(msg);
+	REQUIRE(VALID_TSIG_KEY(key));
+
+	/*
+	 * If this is a response, there should be a query tsig.
+	 */
+	response = is_response(msg);
+	if (response && msg->querytsig == NULL)
+		return (DNS_R_EXPECTEDTSIG);
+
+	dynbuf = NULL;
+
+	mctx = msg->mctx;
+
+	tsig.mctx = mctx;
+	tsig.common.rdclass = dns_rdataclass_any;
+	tsig.common.rdtype = dns_rdatatype_tsig;
+	ISC_LINK_INIT(&tsig.common, link);
+	dns_name_init(&tsig.algorithm, NULL);
+	dns_name_clone(key->algorithm, &tsig.algorithm);
+
+	isc_stdtime_get(&now);
+	tsig.timesigned = now + msg->timeadjust;
+	tsig.fudge = DNS_TSIG_FUDGE;
+
+	tsig.originalid = msg->id;
+
+	isc_buffer_init(&databuf, data, sizeof(data));
+
+	if (response)
+		tsig.error = msg->querytsigstatus;
+	else
+		tsig.error = dns_rcode_noerror;
+
+	if (tsig.error != dns_tsigerror_badtime) {
+		tsig.otherlen = 0;
+		tsig.other = NULL;
+	} else {
+		isc_buffer_t otherbuf;
+
+		tsig.otherlen = BADTIMELEN;
+		tsig.other = badtimedata;
+		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
+		isc_buffer_putuint48(&otherbuf, tsig.timesigned);
+	}
+
+	if ((key->key != NULL) &&
+	    (tsig.error != dns_tsigerror_badsig) &&
+	    (tsig.error != dns_tsigerror_badkey))
+	{
+		unsigned char header[DNS_MESSAGE_HEADERLEN];
+		isc_buffer_t headerbuf;
+		uint16_t digestbits;
+
+		/*
+		 * If it is a response, we assume that the request MAC
+		 * has validated at this point. This is why we include a
+		 * MAC length > 0 in the reply.
+		 */
+		ret = dst_context_create3(key->key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC,
+					  true, &ctx);
+		if (ret != ISC_R_SUCCESS)
+			return (ret);
+
+		/*
+		 * If this is a response, digest the request's MAC.
+		 */
+		if (response) {
+			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+
+			INSIST(msg->verified_sig);
+
+			ret = dns_rdataset_first(msg->querytsig);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+			dns_rdataset_current(msg->querytsig, &querytsigrdata);
+			ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
+						 NULL);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+			isc_buffer_putuint16(&databuf, querytsig.siglen);
+			if (isc_buffer_availablelength(&databuf) <
+			    querytsig.siglen) {
+				ret = ISC_R_NOSPACE;
+				goto cleanup_context;
+			}
+			isc_buffer_putmem(&databuf, querytsig.signature,
+					  querytsig.siglen);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+		}
+#if defined(__clang__)  && \
+       ( __clang_major__ < 3 || \
+	(__clang_major__ == 3 && __clang_minor__ < 2) || \
+	(__clang_major__ == 4 && __clang_minor__ < 2))
+	/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
+		else memset(&querytsig, 0, sizeof(querytsig));
+#endif
+
+		/*
+		 * Digest the header.
+		 */
+		isc_buffer_init(&headerbuf, header, sizeof(header));
+		dns_message_renderheader(msg, &headerbuf);
+		isc_buffer_usedregion(&headerbuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		/*
+		 * Digest the remainder of the message.
+		 */
+		isc_buffer_usedregion(msg->buffer, &r);
+		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		if (msg->tcp_continuation == 0) {
+			/*
+			 * Digest the name, class, ttl, alg.
+			 */
+			dns_name_toregion(&key->name, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+
+			isc_buffer_clear(&databuf);
+			isc_buffer_putuint16(&databuf, dns_rdataclass_any);
+			isc_buffer_putuint32(&databuf, 0); /* ttl */
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+
+			dns_name_toregion(&tsig.algorithm, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+
+		}
+		/* Digest the timesigned and fudge */
+		isc_buffer_clear(&databuf);
+		if (tsig.error == dns_tsigerror_badtime) {
+			INSIST(response);
+			tsig.timesigned = querytsig.timesigned;
+		}
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		if (msg->tcp_continuation == 0) {
+			/*
+			 * Digest the error and other data length.
+			 */
+			isc_buffer_clear(&databuf);
+			isc_buffer_putuint16(&databuf, tsig.error);
+			isc_buffer_putuint16(&databuf, tsig.otherlen);
+
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+
+			/*
+			 * Digest other data.
+			 */
+			if (tsig.otherlen > 0) {
+				r.length = tsig.otherlen;
+				r.base = tsig.other;
+				ret = dst_context_adddata(ctx, &r);
+				if (ret != ISC_R_SUCCESS)
+					goto cleanup_context;
+			}
+		}
+
+		ret = dst_key_sigsize(key->key, &sigsize);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+		tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
+		if (tsig.signature == NULL) {
+			ret = ISC_R_NOMEMORY;
+			goto cleanup_context;
+		}
+
+		isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+		ret = dst_context_sign(ctx, &sigbuf);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_signature;
+		dst_context_destroy(&ctx);
+		digestbits = dst_key_getbits(key->key);
+		if (digestbits != 0) {
+			/*
+			 * XXXRAY: Is this correct? What is the
+			 * expected behavior when digestbits is not an
+			 * integral multiple of 8? It looks like bytes
+			 * should either be (digestbits/8) or
+			 * (digestbits+7)/8.
+			 *
+			 * In any case, for current algorithms,
+			 * digestbits are an integral multiple of 8, so
+			 * it has the same effect as (digestbits/8).
+			 */
+			unsigned int bytes = (digestbits + 1) / 8;
+			if (response && bytes < querytsig.siglen)
+				bytes = querytsig.siglen;
+			if (bytes > isc_buffer_usedlength(&sigbuf))
+				bytes = isc_buffer_usedlength(&sigbuf);
+			tsig.siglen = bytes;
+		} else
+			tsig.siglen = isc_buffer_usedlength(&sigbuf);
+	} else {
+		tsig.siglen = 0;
+		tsig.signature = NULL;
+	}
+
+	ret = dns_message_gettemprdata(msg, &rdata);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_signature;
+	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_rdata;
+	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+				   dns_rdatatype_tsig, &tsig, dynbuf);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_dynbuf;
+
+	dns_message_takebuffer(msg, &dynbuf);
+
+	if (tsig.signature != NULL) {
+		isc_mem_put(mctx, tsig.signature, sigsize);
+		tsig.signature = NULL;
+	}
+
+	owner = NULL;
+	ret = dns_message_gettempname(msg, &owner);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_rdata;
+	dns_name_init(owner, NULL);
+	ret = dns_name_dup(&key->name, msg->mctx, owner);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_owner;
+
+	datalist = NULL;
+	ret = dns_message_gettemprdatalist(msg, &datalist);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_owner;
+	dataset = NULL;
+	ret = dns_message_gettemprdataset(msg, &dataset);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_rdatalist;
+	datalist->rdclass = dns_rdataclass_any;
+	datalist->type = dns_rdatatype_tsig;
+	ISC_LIST_APPEND(datalist->rdata, rdata, link);
+	RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
+		      == ISC_R_SUCCESS);
+	msg->tsig = dataset;
+	msg->tsigname = owner;
+
+	/* Windows does not like the tsig name being compressed. */
+	msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_rdatalist:
+	dns_message_puttemprdatalist(msg, &datalist);
+ cleanup_owner:
+	dns_message_puttempname(msg, &owner);
+	goto cleanup_rdata;
+ cleanup_dynbuf:
+	isc_buffer_free(&dynbuf);
+ cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
+ cleanup_signature:
+	if (tsig.signature != NULL)
+		isc_mem_put(mctx, tsig.signature, sigsize);
+ cleanup_context:
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
+	return (ret);
+}
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+		dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
+{
+	dns_rdata_any_tsig_t tsig, querytsig;
+	isc_region_t r, source_r, header_r, sig_r;
+	isc_buffer_t databuf;
+	unsigned char data[32];
+	dns_name_t *keyname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	dns_tsigkey_t *tsigkey;
+	dst_key_t *key = NULL;
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	dst_context_t *ctx = NULL;
+	isc_mem_t *mctx;
+	uint16_t addcount, id;
+	unsigned int siglen;
+	unsigned int alg;
+	bool response;
+
+	REQUIRE(source != NULL);
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	tsigkey = dns_message_gettsigkey(msg);
+	response = is_response(msg);
+
+	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
+
+	msg->verify_attempted = 1;
+	msg->verified_sig = 0;
+	msg->tsigstatus = dns_tsigerror_badsig;
+
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
+		return (tsig_verify_tcp(source, msg));
+	}
+
+	/*
+	 * There should be a TSIG record...
+	 */
+	if (msg->tsig == NULL)
+		return (DNS_R_EXPECTEDTSIG);
+
+	/*
+	 * If this is a response and there's no key or query TSIG, there
+	 * shouldn't be one on the response.
+	 */
+	if (response && (tsigkey == NULL || msg->querytsig == NULL))
+		return (DNS_R_UNEXPECTEDTSIG);
+
+	mctx = msg->mctx;
+
+	/*
+	 * If we're here, we know the message is well formed and contains a
+	 * TSIG record.
+	 */
+
+	keyname = msg->tsigname;
+	ret = dns_rdataset_first(msg->tsig);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	dns_rdataset_current(msg->tsig, &rdata);
+	ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	dns_rdata_reset(&rdata);
+	if (response) {
+		ret = dns_rdataset_first(msg->querytsig);
+		if (ret != ISC_R_SUCCESS)
+			return (ret);
+		dns_rdataset_current(msg->querytsig, &rdata);
+		ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+		if (ret != ISC_R_SUCCESS)
+			return (ret);
+	}
+#if defined(__clang__) && \
+       ( __clang_major__ < 3 || \
+	(__clang_major__ == 3 && __clang_minor__ < 2) || \
+	(__clang_major__ == 4 && __clang_minor__ < 2))
+	/* false positive: http://llvm.org/bugs/show_bug.cgi?id=14461 */
+		else memset(&querytsig, 0, sizeof(querytsig));
+#endif
+
+	/*
+	 * Do the key name and algorithm match that of the query?
+	 */
+	if (response &&
+	    (!dns_name_equal(keyname, &tsigkey->name) ||
+	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
+		msg->tsigstatus = dns_tsigerror_badkey;
+		tsig_log(msg->tsigkey, 2,
+			 "key name and algorithm do not match");
+		return (DNS_R_TSIGVERIFYFAILURE);
+	}
+
+	/*
+	 * Get the current time.
+	 */
+	isc_stdtime_get(&now);
+
+	/*
+	 * Find dns_tsigkey_t based on keyname.
+	 */
+	if (tsigkey == NULL) {
+		ret = ISC_R_NOTFOUND;
+		if (ring1 != NULL)
+			ret = dns_tsigkey_find(&tsigkey, keyname,
+					       &tsig.algorithm, ring1);
+		if (ret == ISC_R_NOTFOUND && ring2 != NULL)
+			ret = dns_tsigkey_find(&tsigkey, keyname,
+					       &tsig.algorithm, ring2);
+		if (ret != ISC_R_SUCCESS) {
+			msg->tsigstatus = dns_tsigerror_badkey;
+			ret = dns_tsigkey_create(keyname, &tsig.algorithm,
+						 NULL, 0, false, NULL,
+						 now, now,
+						 mctx, NULL, &msg->tsigkey);
+			if (ret != ISC_R_SUCCESS)
+				return (ret);
+			tsig_log(msg->tsigkey, 2, "unknown key");
+			return (DNS_R_TSIGVERIFYFAILURE);
+		}
+		msg->tsigkey = tsigkey;
+	}
+
+	key = tsigkey->key;
+
+	/*
+	 * Check digest length.
+	 */
+	alg = dst_key_alg(key);
+	ret = dst_key_sigsize(key, &siglen);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	if (
+#ifndef PK11_MD5_DISABLE
+	    alg == DST_ALG_HMACMD5 ||
+#endif
+	    alg == DST_ALG_HMACSHA1 ||
+	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+	{
+		if (tsig.siglen > siglen) {
+			tsig_log(msg->tsigkey, 2, "signature length too big");
+			return (DNS_R_FORMERR);
+		}
+		if (tsig.siglen > 0 &&
+		    (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
+		{
+			tsig_log(msg->tsigkey, 2,
+				 "signature length below minimum");
+			return (DNS_R_FORMERR);
+		}
+	}
+
+	if (tsig.siglen > 0) {
+		uint16_t addcount_n;
+
+		sig_r.base = tsig.signature;
+		sig_r.length = tsig.siglen;
+
+		ret = dst_context_create3(key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC,
+					  false, &ctx);
+		if (ret != ISC_R_SUCCESS)
+			return (ret);
+
+		if (response) {
+			isc_buffer_init(&databuf, data, sizeof(data));
+			isc_buffer_putuint16(&databuf, querytsig.siglen);
+			isc_buffer_usedregion(&databuf, &r);
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+			if (querytsig.siglen > 0) {
+				r.length = querytsig.siglen;
+				r.base = querytsig.signature;
+				ret = dst_context_adddata(ctx, &r);
+				if (ret != ISC_R_SUCCESS)
+					goto cleanup_context;
+			}
+		}
+
+		/*
+		 * Extract the header.
+		 */
+		isc_buffer_usedregion(source, &r);
+		memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
+		isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+		/*
+		 * Decrement the additional field counter.
+		 */
+		memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+		addcount_n = ntohs(addcount);
+		addcount = htons((uint16_t)(addcount_n - 1));
+		memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+		/*
+		 * Put in the original id.
+		 */
+		id = htons(tsig.originalid);
+		memmove(&header[0], &id, 2);
+
+		/*
+		 * Digest the modified header.
+		 */
+		header_r.base = (unsigned char *) header;
+		header_r.length = DNS_MESSAGE_HEADERLEN;
+		ret = dst_context_adddata(ctx, &header_r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		/*
+		 * Digest all non-TSIG records.
+		 */
+		isc_buffer_usedregion(source, &source_r);
+		r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		/*
+		 * Digest the key name.
+		 */
+		dns_name_toregion(&tsigkey->name, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint16(&databuf, tsig.common.rdclass);
+		isc_buffer_putuint32(&databuf, msg->tsig->ttl);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		/*
+		 * Digest the key algorithm.
+		 */
+		dns_name_toregion(tsigkey->algorithm, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		isc_buffer_clear(&databuf);
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_putuint16(&databuf, tsig.error);
+		isc_buffer_putuint16(&databuf, tsig.otherlen);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(ctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		if (tsig.otherlen > 0) {
+			r.base = tsig.other;
+			r.length = tsig.otherlen;
+			ret = dst_context_adddata(ctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+		}
+
+		ret = dst_context_verify(ctx, &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			tsig_log(msg->tsigkey, 2,
+				 "signature failed to verify(1)");
+			goto cleanup_context;
+		} else if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		msg->verified_sig = 1;
+	} else if (tsig.error != dns_tsigerror_badsig &&
+		   tsig.error != dns_tsigerror_badkey) {
+		tsig_log(msg->tsigkey, 2, "signature was empty");
+		return (DNS_R_TSIGVERIFYFAILURE);
+	}
+
+	/*
+	 * Here at this point, the MAC has been verified. Even if any of
+	 * the following code returns a TSIG error, the reply will be
+	 * signed and WILL always include the request MAC in the digest
+	 * computation.
+	 */
+
+	/*
+	 * Is the time ok?
+	 */
+	if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+		msg->tsigstatus = dns_tsigerror_badtime;
+		tsig_log(msg->tsigkey, 2, "signature has expired");
+		ret = DNS_R_CLOCKSKEW;
+		goto cleanup_context;
+	} else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+		msg->tsigstatus = dns_tsigerror_badtime;
+		tsig_log(msg->tsigkey, 2, "signature is in the future");
+		ret = DNS_R_CLOCKSKEW;
+		goto cleanup_context;
+	}
+
+	if (
+#ifndef PK11_MD5_DISABLE
+	    alg == DST_ALG_HMACMD5 ||
+#endif
+	    alg == DST_ALG_HMACSHA1 ||
+	    alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+	    alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+	{
+		uint16_t digestbits = dst_key_getbits(key);
+
+		/*
+		 * XXXRAY: Is this correct? What is the expected
+		 * behavior when digestbits is not an integral multiple
+		 * of 8? It looks like bytes should either be
+		 * (digestbits/8) or (digestbits+7)/8.
+		 *
+		 * In any case, for current algorithms, digestbits are
+		 * an integral multiple of 8, so it has the same effect
+		 * as (digestbits/8).
+		 */
+		if (tsig.siglen > 0 && digestbits != 0 &&
+		    tsig.siglen < ((digestbits + 1) / 8))
+		{
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2,
+				 "truncated signature length too small");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		}
+		if (tsig.siglen > 0 && digestbits == 0 &&
+		    tsig.siglen < siglen)
+		{
+			msg->tsigstatus = dns_tsigerror_badtrunc;
+			tsig_log(msg->tsigkey, 2, "signature length too small");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		}
+	}
+
+	if (tsig.error != dns_rcode_noerror) {
+		msg->tsigstatus = tsig.error;
+		if (tsig.error == dns_tsigerror_badtime)
+			ret = DNS_R_CLOCKSKEW;
+		else
+			ret = DNS_R_TSIGERRORSET;
+		goto cleanup_context;
+	}
+
+	msg->tsigstatus = dns_rcode_noerror;
+	ret = ISC_R_SUCCESS;
+
+ cleanup_context:
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
+
+	return (ret);
+}
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+	dns_rdata_any_tsig_t tsig, querytsig;
+	isc_region_t r, source_r, header_r, sig_r;
+	isc_buffer_t databuf;
+	unsigned char data[32];
+	dns_name_t *keyname;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_stdtime_t now;
+	isc_result_t ret;
+	dns_tsigkey_t *tsigkey;
+	dst_key_t *key = NULL;
+	unsigned char header[DNS_MESSAGE_HEADERLEN];
+	uint16_t addcount, id;
+	bool has_tsig = false;
+	isc_mem_t *mctx;
+	unsigned int siglen;
+	unsigned int alg;
+
+	REQUIRE(source != NULL);
+	REQUIRE(msg != NULL);
+	REQUIRE(dns_message_gettsigkey(msg) != NULL);
+	REQUIRE(msg->tcp_continuation == 1);
+	REQUIRE(msg->querytsig != NULL);
+
+	msg->verified_sig = 0;
+	msg->tsigstatus = dns_tsigerror_badsig;
+
+	if (!is_response(msg))
+		return (DNS_R_EXPECTEDRESPONSE);
+
+	mctx = msg->mctx;
+
+	tsigkey = dns_message_gettsigkey(msg);
+	key = tsigkey->key;
+
+	/*
+	 * Extract and parse the previous TSIG
+	 */
+	ret = dns_rdataset_first(msg->querytsig);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	dns_rdataset_current(msg->querytsig, &rdata);
+	ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+	dns_rdata_reset(&rdata);
+
+	/*
+	 * If there is a TSIG in this message, do some checks.
+	 */
+	if (msg->tsig != NULL) {
+		has_tsig = true;
+
+		keyname = msg->tsigname;
+		ret = dns_rdataset_first(msg->tsig);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_querystruct;
+		dns_rdataset_current(msg->tsig, &rdata);
+		ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_querystruct;
+
+		/*
+		 * Do the key name and algorithm match that of the query?
+		 */
+		if (!dns_name_equal(keyname, &tsigkey->name) ||
+		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+		{
+			msg->tsigstatus = dns_tsigerror_badkey;
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			tsig_log(msg->tsigkey, 2,
+				 "key name and algorithm do not match");
+			goto cleanup_querystruct;
+		}
+
+		/*
+		 * Check digest length.
+		 */
+		alg = dst_key_alg(key);
+		ret = dst_key_sigsize(key, &siglen);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_querystruct;
+		if (
+#ifndef PK11_MD5_DISABLE
+			alg == DST_ALG_HMACMD5 ||
+#endif
+			alg == DST_ALG_HMACSHA1 ||
+			alg == DST_ALG_HMACSHA224 ||
+			alg == DST_ALG_HMACSHA256 ||
+			alg == DST_ALG_HMACSHA384 ||
+			alg == DST_ALG_HMACSHA512)
+		{
+			if (tsig.siglen > siglen) {
+				tsig_log(tsigkey, 2,
+					 "signature length too big");
+				ret = DNS_R_FORMERR;
+				goto cleanup_querystruct;
+			}
+			if (tsig.siglen > 0 &&
+			    (tsig.siglen < 10 ||
+			     tsig.siglen < ((siglen + 1) / 2)))
+			{
+				tsig_log(tsigkey, 2,
+					 "signature length below minimum");
+				ret = DNS_R_FORMERR;
+				goto cleanup_querystruct;
+			}
+		}
+	}
+
+	if (msg->tsigctx == NULL) {
+		ret = dst_context_create3(key, mctx,
+					  DNS_LOGCATEGORY_DNSSEC,
+					  false, &msg->tsigctx);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_querystruct;
+
+		/*
+		 * Digest the length of the query signature
+		 */
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint16(&databuf, querytsig.siglen);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(msg->tsigctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		/*
+		 * Digest the data of the query signature
+		 */
+		if (querytsig.siglen > 0) {
+			r.length = querytsig.siglen;
+			r.base = querytsig.signature;
+			ret = dst_context_adddata(msg->tsigctx, &r);
+			if (ret != ISC_R_SUCCESS)
+				goto cleanup_context;
+		}
+	}
+
+	/*
+	 * Extract the header.
+	 */
+	isc_buffer_usedregion(source, &r);
+	memmove(header, r.base, DNS_MESSAGE_HEADERLEN);
+	isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+	/*
+	 * Decrement the additional field counter if necessary.
+	 */
+	if (has_tsig) {
+		uint16_t addcount_n;
+
+		memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+		addcount_n = ntohs(addcount);
+		addcount = htons((uint16_t)(addcount_n - 1));
+		memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+		/*
+		 * Put in the original id.
+		 *
+		 * XXX Can TCP transfers be forwarded?  How would that
+		 * work?
+		 */
+		id = htons(tsig.originalid);
+		memmove(&header[0], &id, 2);
+	}
+
+	/*
+	 * Digest the modified header.
+	 */
+	header_r.base = (unsigned char *) header;
+	header_r.length = DNS_MESSAGE_HEADERLEN;
+	ret = dst_context_adddata(msg->tsigctx, &header_r);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+
+	/*
+	 * Digest all non-TSIG records.
+	 */
+	isc_buffer_usedregion(source, &source_r);
+	r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+	if (has_tsig)
+		r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+	else
+		r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
+	ret = dst_context_adddata(msg->tsigctx, &r);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup_context;
+
+	/*
+	 * Digest the time signed and fudge.
+	 */
+	if (has_tsig) {
+		isc_buffer_init(&databuf, data, sizeof(data));
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint16(&databuf, tsig.fudge);
+		isc_buffer_usedregion(&databuf, &r);
+		ret = dst_context_adddata(msg->tsigctx, &r);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+
+		sig_r.base = tsig.signature;
+		sig_r.length = tsig.siglen;
+		if (tsig.siglen == 0) {
+			if (tsig.error != dns_rcode_noerror) {
+				msg->tsigstatus = tsig.error;
+				if (tsig.error == dns_tsigerror_badtime) {
+					ret = DNS_R_CLOCKSKEW;
+				} else {
+					ret = DNS_R_TSIGERRORSET;
+				}
+			} else {
+				tsig_log(msg->tsigkey, 2,
+					 "signature is empty");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+			}
+			goto cleanup_context;
+		}
+
+		ret = dst_context_verify(msg->tsigctx, &sig_r);
+		if (ret == DST_R_VERIFYFAILURE) {
+			tsig_log(msg->tsigkey, 2,
+				 "signature failed to verify(2)");
+			ret = DNS_R_TSIGVERIFYFAILURE;
+			goto cleanup_context;
+		} else if (ret != ISC_R_SUCCESS) {
+			goto cleanup_context;
+		}
+		msg->verified_sig = 1;
+
+		/*
+		 * Here at this point, the MAC has been verified. Even
+		 * if any of the following code returns a TSIG error,
+		 * the reply will be signed and WILL always include the
+		 * request MAC in the digest computation.
+		 */
+
+		/*
+		 * Is the time ok?
+		 */
+		isc_stdtime_get(&now);
+
+		if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+			msg->tsigstatus = dns_tsigerror_badtime;
+			tsig_log(msg->tsigkey, 2, "signature has expired");
+			ret = DNS_R_CLOCKSKEW;
+			goto cleanup_context;
+		} else if (now + msg->timeadjust <
+			   tsig.timesigned - tsig.fudge)
+		{
+			msg->tsigstatus = dns_tsigerror_badtime;
+			tsig_log(msg->tsigkey, 2,
+				 "signature is in the future");
+			ret = DNS_R_CLOCKSKEW;
+			goto cleanup_context;
+		}
+
+		alg = dst_key_alg(key);
+		ret = dst_key_sigsize(key, &siglen);
+		if (ret != ISC_R_SUCCESS)
+			goto cleanup_context;
+		if (
+#ifndef PK11_MD5_DISABLE
+			alg == DST_ALG_HMACMD5 ||
+#endif
+			alg == DST_ALG_HMACSHA1 ||
+			alg == DST_ALG_HMACSHA224 ||
+			alg == DST_ALG_HMACSHA256 ||
+			alg == DST_ALG_HMACSHA384 ||
+			alg == DST_ALG_HMACSHA512)
+		{
+			uint16_t digestbits = dst_key_getbits(key);
+
+			/*
+			 * XXXRAY: Is this correct? What is the
+			 * expected behavior when digestbits is not an
+			 * integral multiple of 8? It looks like bytes
+			 * should either be (digestbits/8) or
+			 * (digestbits+7)/8.
+			 *
+			 * In any case, for current algorithms,
+			 * digestbits are an integral multiple of 8, so
+			 * it has the same effect as (digestbits/8).
+			 */
+			if (tsig.siglen > 0 && digestbits != 0 &&
+			    tsig.siglen < ((digestbits + 1) / 8))
+			{
+				msg->tsigstatus = dns_tsigerror_badtrunc;
+				tsig_log(msg->tsigkey, 2,
+					 "truncated signature length "
+					 "too small");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+				goto cleanup_context;
+			}
+			if (tsig.siglen > 0 && digestbits == 0 &&
+			    tsig.siglen < siglen)
+			{
+				msg->tsigstatus = dns_tsigerror_badtrunc;
+				tsig_log(msg->tsigkey, 2,
+					 "signature length too small");
+				ret = DNS_R_TSIGVERIFYFAILURE;
+				goto cleanup_context;
+			}
+		}
+
+		if (tsig.error != dns_rcode_noerror) {
+			msg->tsigstatus = tsig.error;
+			if (tsig.error == dns_tsigerror_badtime)
+				ret = DNS_R_CLOCKSKEW;
+			else
+				ret = DNS_R_TSIGERRORSET;
+			goto cleanup_context;
+		}
+	}
+
+	msg->tsigstatus = dns_rcode_noerror;
+	ret = ISC_R_SUCCESS;
+
+ cleanup_context:
+	/*
+	 * Except in error conditions, don't destroy the DST context
+	 * for unsigned messages; it is a running sum till the next
+	 * TSIG signed message.
+	 */
+	if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
+		dst_context_destroy(&msg->tsigctx);
+	}
+
+ cleanup_querystruct:
+	dns_rdata_freestruct(&querytsig);
+
+	return (ret);
+}
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
+		 dns_name_t *algorithm, dns_tsig_keyring_t *ring)
+{
+	dns_tsigkey_t *key;
+	isc_stdtime_t now;
+	isc_result_t result;
+
+	REQUIRE(tsigkey != NULL);
+	REQUIRE(*tsigkey == NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(ring != NULL);
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	cleanup_ring(ring);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	isc_stdtime_get(&now);
+	RWLOCK(&ring->lock, isc_rwlocktype_read);
+	key = NULL;
+	result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
+	if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+	if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		return (ISC_R_NOTFOUND);
+	}
+	if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
+		/*
+		 * The key has expired.
+		 */
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		RWLOCK(&ring->lock, isc_rwlocktype_write);
+		remove_fromring(key);
+		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+		return (ISC_R_NOTFOUND);
+	}
+#if 0
+	/*
+	 * MPAXXX We really should look at the inception time.
+	 */
+	if (key->inception != key->expire &&
+	    isc_serial_lt(key->inception, now)) {
+		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+		adjust_lru(key);
+		return (ISC_R_NOTFOUND);
+	}
+#endif
+	isc_refcount_increment(&key->refs, NULL);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+	adjust_lru(key);
+	*tsigkey = key;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+free_tsignode(void *node, void *_unused) {
+	dns_tsigkey_t *key;
+
+	REQUIRE(node != NULL);
+
+	UNUSED(_unused);
+
+	key = node;
+	if (key->generated) {
+		if (ISC_LINK_LINKED(key, link))
+			ISC_LIST_UNLINK(key->ring->lru, key, link);
+	}
+	dns_tsigkey_detach(&key);
+}
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
+	isc_result_t result;
+	dns_tsig_keyring_t *ring;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ringp != NULL);
+	REQUIRE(*ringp == NULL);
+
+	ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
+	if (ring == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_rwlock_init(&ring->lock, 0, 0);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
+		return (result);
+	}
+
+	ring->keys = NULL;
+	result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
+	if (result != ISC_R_SUCCESS) {
+		isc_rwlock_destroy(&ring->lock);
+		isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
+		return (result);
+	}
+
+	ring->writecount = 0;
+	ring->mctx = NULL;
+	ring->generated = 0;
+	ring->maxgenerated = DNS_TSIG_MAXGENERATEDKEYS;
+	ISC_LIST_INIT(ring->lru);
+	isc_mem_attach(mctx, &ring->mctx);
+	ring->references = 1;
+
+	*ringp = ring;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tsigkeyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
+		    dns_tsigkey_t *tkey)
+{
+	isc_result_t result;
+
+	result = keyring_add(ring, name, tkey);
+	if (result == ISC_R_SUCCESS)
+		isc_refcount_increment(&tkey->refs, NULL);
+
+	return (result);
+}
+
+void
+dns_tsigkeyring_attach(dns_tsig_keyring_t *source, dns_tsig_keyring_t **target)
+{
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+
+	RWLOCK(&source->lock, isc_rwlocktype_write);
+	INSIST(source->references > 0);
+	source->references++;
+	INSIST(source->references > 0);
+	*target = source;
+	RWUNLOCK(&source->lock, isc_rwlocktype_write);
+}
+
+void
+dns_tsigkeyring_detach(dns_tsig_keyring_t **ringp) {
+	dns_tsig_keyring_t *ring;
+	unsigned int references;
+
+	REQUIRE(ringp != NULL);
+	REQUIRE(*ringp != NULL);
+
+	ring = *ringp;
+	*ringp = NULL;
+
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	INSIST(ring->references > 0);
+	ring->references--;
+	references = ring->references;
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
+	if (references == 0)
+		destroyring(ring);
+}
+
+void
+dns_keyring_restore(dns_tsig_keyring_t *ring, FILE *fp) {
+	isc_stdtime_t now;
+	isc_result_t result;
+
+	isc_stdtime_get(&now);
+	do {
+		result = restore_key(ring, now, fp);
+		if (result == ISC_R_NOMORE)
+			return;
+		if (result == DNS_R_BADALG || result == DNS_R_EXPIRED)
+			result = ISC_R_SUCCESS;
+	} while (result == ISC_R_SUCCESS);
+}
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
new file mode 100644
index 0000000..de2f9dc
--- /dev/null
+++ b/lib/dns/ttl.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/ttl.h>
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+
+static isc_result_t bind_ttl(isc_textregion_t *source, uint32_t *ttl);
+
+/*
+ * Helper for dns_ttl_totext().
+ */
+static isc_result_t
+ttlfmt(unsigned int t, const char *s, bool verbose,
+       bool space, isc_buffer_t *target)
+{
+	char tmp[60];
+	unsigned int len;
+	isc_region_t region;
+
+	if (verbose)
+		len = snprintf(tmp, sizeof(tmp), "%s%u %s%s",
+			       space ? " " : "",
+			       t, s,
+			       t == 1 ? "" : "s");
+	else
+		len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
+
+	INSIST(len + 1 <= sizeof(tmp));
+	isc_buffer_availableregion(target, &region);
+	if (len > region.length)
+		return (ISC_R_NOSPACE);
+	memmove(region.base, tmp, len);
+	isc_buffer_add(target, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Derived from bind8 ns_format_ttl().
+ */
+isc_result_t
+dns_ttl_totext(uint32_t src, bool verbose, isc_buffer_t *target) {
+	return (dns_ttl_totext2(src, verbose, true, target));
+}
+
+isc_result_t
+dns_ttl_totext2(uint32_t src, bool verbose,
+		bool upcase, isc_buffer_t *target)
+{
+	unsigned secs, mins, hours, days, weeks, x;
+
+	secs = src % 60;   src /= 60;
+	mins = src % 60;   src /= 60;
+	hours = src % 24;  src /= 24;
+	days = src % 7;    src /= 7;
+	weeks = src;       src = 0;
+	POST(src);
+
+	x = 0;
+	if (weeks != 0) {
+		RETERR(ttlfmt(weeks, "week", verbose, (x > 0), target));
+		x++;
+	}
+	if (days != 0) {
+		RETERR(ttlfmt(days, "day", verbose, (x > 0), target));
+		x++;
+	}
+	if (hours != 0) {
+		RETERR(ttlfmt(hours, "hour", verbose, (x > 0), target));
+		x++;
+	}
+	if (mins != 0) {
+		RETERR(ttlfmt(mins, "minute", verbose, (x > 0), target));
+		x++;
+	}
+	if (secs != 0 ||
+	    (weeks == 0 && days == 0 && hours == 0 && mins == 0)) {
+		RETERR(ttlfmt(secs, "second", verbose, (x > 0), target));
+		x++;
+	}
+	INSIST (x > 0);
+	/*
+	 * If only a single unit letter is printed, print it
+	 * in upper case. (Why?  Because BIND 8 does that.
+	 * Presumably it has a reason.)
+	 */
+	if (x == 1 && upcase && !verbose) {
+		isc_region_t region;
+		/*
+		 * The unit letter is the last character in the
+		 * used region of the buffer.
+		 *
+		 * toupper() does not need its argument to be masked of cast
+		 * here because region.base is type unsigned char *.
+		 */
+		isc_buffer_usedregion(target, &region);
+		region.base[region.length - 1] =
+			toupper(region.base[region.length - 1]);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, uint32_t *ttl) {
+	return (bind_ttl(source, ttl));
+}
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, uint32_t *ttl) {
+	isc_result_t result;
+
+	result = bind_ttl(source, ttl);
+	if (result != ISC_R_SUCCESS && result != ISC_R_RANGE)
+		result = DNS_R_BADTTL;
+	return (result);
+}
+
+static isc_result_t
+bind_ttl(isc_textregion_t *source, uint32_t *ttl) {
+	uint64_t tmp = 0ULL;
+	uint32_t n;
+	char *s;
+	char buf[64];
+	char nbuf[64]; /* Number buffer */
+
+	/*
+	 * Copy the buffer as it may not be NULL terminated.
+	 * No legal counter / ttl is longer that 63 characters.
+	 */
+	if (source->length > sizeof(buf) - 1)
+		return (DNS_R_SYNTAX);
+	/* Copy source->length bytes and NUL terminate. */
+	snprintf(buf, sizeof(buf), "%.*s", (int)source->length, source->base);
+	s = buf;
+
+	do {
+		isc_result_t result;
+
+		char *np = nbuf;
+		while (*s != '\0' && isdigit((unsigned char)*s))
+			*np++ = *s++;
+		*np++ = '\0';
+		INSIST(np - nbuf <= (int)sizeof(nbuf));
+		result = isc_parse_uint32(&n, nbuf, 10);
+		if (result != ISC_R_SUCCESS)
+			return (DNS_R_SYNTAX);
+		switch (*s) {
+		case 'w':
+		case 'W':
+			tmp += (uint64_t) n * 7 * 24 * 3600;
+			s++;
+			break;
+		case 'd':
+		case 'D':
+			tmp += (uint64_t) n * 24 * 3600;
+			s++;
+			break;
+		case 'h':
+		case 'H':
+			tmp += (uint64_t) n * 3600;
+			s++;
+			break;
+		case 'm':
+		case 'M':
+			tmp += (uint64_t) n * 60;
+			s++;
+			break;
+		case 's':
+		case 'S':
+			tmp += (uint64_t) n;
+			s++;
+			break;
+		case '\0':
+			/* Plain number? */
+			if (tmp != 0ULL)
+				return (DNS_R_SYNTAX);
+			tmp = n;
+			break;
+		default:
+			return (DNS_R_SYNTAX);
+		}
+	} while (*s != '\0');
+
+	if (tmp > 0xffffffffULL)
+		return (ISC_R_RANGE);
+
+	*ttl = (uint32_t)(tmp & 0xffffffffUL);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/dns/update.c b/lib/dns/update.c
new file mode 100644
index 0000000..1cc5f88
--- /dev/null
+++ b/lib/dns/update.c
@@ -0,0 +1,2077 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <time.h>
+
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/private.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/tsig.h>
+#include <dns/update.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+
+/**************************************************************************/
+
+#define STATE_MAGIC			ISC_MAGIC('S', 'T', 'T', 'E')
+#define DNS_STATE_VALID(state)		ISC_MAGIC_VALID(state, STATE_MAGIC)
+
+/*%
+ * Log level for tracing dynamic update protocol requests.
+ */
+#define LOGLEVEL_PROTOCOL	ISC_LOG_INFO
+
+/*%
+ * Log level for low-level debug tracing.
+ */
+#define LOGLEVEL_DEBUG		ISC_LOG_DEBUG(8)
+
+/*%
+ * Check an operation for failure.  These macros all assume that
+ * the function using them has a 'result' variable and a 'failure'
+ * label.
+ */
+#define CHECK(op) \
+	do { result = (op); \
+		if (result != ISC_R_SUCCESS) goto failure; \
+	} while (0)
+
+/*%
+ * Fail unconditionally with result 'code', which must not
+ * be ISC_R_SUCCESS.  The reason for failure presumably has
+ * been logged already.
+ *
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+
+#define FAIL(code) \
+	do {							\
+		result = (code);				\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg) \
+	do {							\
+		const char *_what = "failed";			\
+		result = (code);				\
+		switch (result) {				\
+		case DNS_R_NXDOMAIN:				\
+		case DNS_R_YXDOMAIN:				\
+		case DNS_R_YXRRSET:				\
+		case DNS_R_NXRRSET:				\
+			_what = "unsuccessful";			\
+		}						\
+		update_log(log, zone, LOGLEVEL_PROTOCOL,	\
+			   "update %s: %s (%s)", _what,		\
+			   msg, isc_result_totext(result));	\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+#define FAILN(code, name, msg) \
+	do {								\
+		const char *_what = "failed";				\
+		result = (code);					\
+		switch (result) {					\
+		case DNS_R_NXDOMAIN:					\
+		case DNS_R_YXDOMAIN:					\
+		case DNS_R_YXRRSET:					\
+		case DNS_R_NXRRSET:					\
+			_what = "unsuccessful";				\
+		}							\
+		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {	\
+			char _nbuf[DNS_NAME_FORMATSIZE];		\
+			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
+			update_log(log, zone, LOGLEVEL_PROTOCOL,	\
+				   "update %s: %s: %s (%s)", _what, _nbuf, \
+				   msg, isc_result_totext(result));	\
+		}							\
+		if (result != ISC_R_SUCCESS) goto failure;		\
+	} while (0)
+
+#define FAILNT(code, name, type, msg) \
+	do {								\
+		const char *_what = "failed";				\
+		result = (code);					\
+		switch (result) {					\
+		case DNS_R_NXDOMAIN:					\
+		case DNS_R_YXDOMAIN:					\
+		case DNS_R_YXRRSET:					\
+		case DNS_R_NXRRSET:					\
+			_what = "unsuccessful";				\
+		}							\
+		if (isc_log_wouldlog(dns_lctx, LOGLEVEL_PROTOCOL)) {	\
+			char _nbuf[DNS_NAME_FORMATSIZE];		\
+			char _tbuf[DNS_RDATATYPE_FORMATSIZE];		\
+			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
+			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
+			update_log(log, zone, LOGLEVEL_PROTOCOL,	\
+				   "update %s: %s/%s: %s (%s)",		\
+				   _what, _nbuf, _tbuf, msg,		\
+				   isc_result_totext(result));		\
+		}							\
+		if (result != ISC_R_SUCCESS) goto failure;		\
+	} while (0)
+
+/*%
+ * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILS(code, msg) \
+	do {							\
+		result = (code);				\
+		update_log(log, zone, LOGLEVEL_PROTOCOL,	\
+			   "error: %s: %s",			\
+			   msg, isc_result_totext(result));	\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+/**************************************************************************/
+
+typedef struct rr rr_t;
+
+struct rr {
+	/* dns_name_t name; */
+	uint32_t		ttl;
+	dns_rdata_t		rdata;
+};
+
+typedef struct update_event update_event_t;
+
+/**************************************************************************/
+
+static void
+update_log(dns_update_log_t *callback, dns_zone_t *zone,
+	   int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+update_log(dns_update_log_t *callback, dns_zone_t *zone,
+	   int level, const char *fmt, ...)
+{
+	va_list ap;
+	char message[4096];
+
+	if (callback == NULL)
+		return;
+
+	if (isc_log_wouldlog(dns_lctx, level) == false)
+		return;
+
+
+	va_start(ap, fmt);
+	vsnprintf(message, sizeof(message), fmt, ap);
+	va_end(ap);
+
+	(callback->func)(callback->arg, zone, level, message);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li	'*tuple' == NULL.  Either the tuple is freed, or its
+ *	ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata)
+{
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op,
+				      name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+/**************************************************************************/
+/*
+ * Callback-style iteration over rdatasets and rdatas.
+ *
+ * foreach_rrset() can be used to iterate over the RRsets
+ * of a name and call a callback function with each
+ * one.  Similarly, foreach_rr() can be used to iterate
+ * over the individual RRs at name, optionally restricted
+ * to RRs of a given type.
+ *
+ * The callback functions are called "actions" and take
+ * two arguments: a void pointer for passing arbitrary
+ * context information, and a pointer to the current RRset
+ * or RR.  By convention, their names end in "_action".
+ */
+
+/*
+ * XXXRTH  We might want to make this public somewhere in libdns.
+ */
+
+/*%
+ * Function type for foreach_rrset() iterator actions.
+ */
+typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
+
+/*%
+ * Function type for foreach_rr() iterator actions.
+ */
+typedef isc_result_t rr_func(void *data, rr_t *rr);
+
+/*%
+ * Internal context struct for foreach_node_rr().
+ */
+typedef struct {
+	rr_func *	rr_action;
+	void *		rr_action_data;
+} foreach_node_rr_ctx_t;
+
+/*%
+ * Internal helper function for foreach_node_rr().
+ */
+static isc_result_t
+foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	foreach_node_rr_ctx_t *ctx = data;
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+
+		dns_rdataset_current(rdataset, &rr.rdata);
+		rr.ttl = rdataset->ttl;
+		result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (result != ISC_R_NOMORE)
+		return (result);
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * For each rdataset of 'name' in 'ver' of 'db', call 'action'
+ * with the rdataset and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      rrset_func *action, void *action_data)
+{
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+
+	node = NULL;
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver,
+				     (isc_stdtime_t) 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdatasetiter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+
+		result = (*action)(action_data, &rdataset);
+
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iterator;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * For each RR of 'name' in 'ver' of 'db', call 'action'
+ * with the RR and 'action_data' as arguments.  If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration
+ * and return the error.
+ */
+static isc_result_t
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		rr_func *rr_action, void *rr_action_data)
+{
+	foreach_node_rr_ctx_t ctx;
+	ctx.rr_action = rr_action;
+	ctx.rr_action_data = rr_action_data;
+	return (foreach_rrset(db, ver, name,
+			      foreach_node_rr_action, &ctx));
+}
+
+
+/*%
+ * For each of the RRs specified by 'db', 'ver', 'name', 'type',
+ * (which can be dns_rdatatype_any to match any type), and 'covers', call
+ * 'action' with the RR and 'action_data' as arguments. If the name
+ * does not exist, or if no RRset of the given type exists at the name,
+ * do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
+	   void *rr_action_data)
+{
+
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdataset_t rdataset;
+
+	if (type == dns_rdatatype_any)
+		return (foreach_node_rr(db, ver, name,
+					rr_action, rr_action_data));
+
+	node = NULL;
+	if (type == dns_rdatatype_nsec3 ||
+	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
+		result = dns_db_findnsec3node(db, name, false, &node);
+	else
+		result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, type, covers,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		rr_t rr = { 0, DNS_RDATA_INIT };
+		dns_rdataset_current(&rdataset, &rr.rdata);
+		rr.ttl = rdataset.ttl;
+		result = (*rr_action)(rr_action_data, &rr);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_rdataset;
+	}
+	if (result != ISC_R_NOMORE)
+		goto cleanup_rdataset;
+	result = ISC_R_SUCCESS;
+
+ cleanup_rdataset:
+	dns_rdataset_disassociate(&rdataset);
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Various tests on the database contents (for prerequisites, etc).
+ */
+
+/*%
+ * Function type for predicate functions that compare a database RR 'db_rr'
+ * against an update RR 'update_rr'.
+ */
+typedef bool rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
+
+/*%
+ * Helper function for rrset_exists().
+ */
+static isc_result_t
+rrset_exists_action(void *data, rr_t *rr) {
+	UNUSED(data);
+	UNUSED(rr);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Utility macro for RR existence checking functions.
+ *
+ * If the variable 'result' has the value ISC_R_EXISTS or
+ * ISC_R_SUCCESS, set *exists to true or false,
+ * respectively, and return success.
+ *
+ * If 'result' has any other value, there was a failure.
+ * Return the failure result code and do not set *exists.
+ *
+ * This would be more readable as "do { if ... } while(0)",
+ * but that form generates tons of warnings on Solaris 2.6.
+ */
+#define RETURN_EXISTENCE_FLAG				\
+	return ((result == ISC_R_EXISTS) ?		\
+		(*exists = true, ISC_R_SUCCESS) :	\
+		((result == ISC_R_SUCCESS) ?		\
+		 (*exists = false, ISC_R_SUCCESS) :	\
+		 result))
+
+/*%
+ * Set '*exists' to true iff an rrset of the given type exists,
+ * to false otherwise.
+ */
+static isc_result_t
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	     dns_rdatatype_t type, dns_rdatatype_t covers,
+	     bool *exists)
+{
+	isc_result_t result;
+	result = foreach_rr(db, ver, name, type, covers,
+			    rrset_exists_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * Set '*visible' to true if the RRset exists and is part of the
+ * visible zone.  Otherwise '*visible' is set to false unless a
+ * error occurs.
+ */
+static isc_result_t
+rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      dns_rdatatype_t type, bool *visible)
+{
+	isc_result_t result;
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t) 0, NULL,
+			     dns_fixedname_name(&fixed), NULL, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		*visible = true;
+		break;
+	/*
+	 * Glue, obscured, deleted or replaced records.
+	 */
+	case DNS_R_DELEGATION:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_COVERINGNSEC:
+		*visible = false;
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		*visible = false;	 /* silence false compiler warning */
+		break;
+	}
+	return (result);
+}
+
+/*%
+ * Context struct and helper function for name_exists().
+ */
+
+static isc_result_t
+name_exists_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	UNUSED(rrset);
+	return (ISC_R_EXISTS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    bool *exists)
+{
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name,
+			       name_exists_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/**************************************************************************/
+/*
+ * Checking of "RRset exists (value dependent)" prerequisites.
+ *
+ * In the RFC2136 section 3.2.5, this is the pseudocode involving
+ * a variable called "temp", a mapping of <name, type> tuples to rrsets.
+ *
+ * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
+ * where each tuple has op==DNS_DIFFOP_EXISTS.
+ */
+
+/*%
+ * A comparison function defining the sorting order for the entries
+ * in the "temp" data structure.  The major sort key is the owner name,
+ * followed by the type and rdata.
+ */
+static int
+temp_order(const void *av, const void *bv) {
+	dns_difftuple_t const * const *ap = av;
+	dns_difftuple_t const * const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	int r;
+	r = dns_name_compare(&a->name, &b->name);
+	if (r != 0)
+		return (r);
+	r = (b->rdata.type - a->rdata.type);
+	if (r != 0)
+		return (r);
+	r = dns_rdata_casecompare(&a->rdata, &b->rdata);
+	return (r);
+}
+
+/**************************************************************************/
+/*
+ * Conditional deletion of RRs.
+ */
+
+/*%
+ * Context structure for delete_if().
+ */
+
+typedef struct {
+	rr_predicate *predicate;
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_name_t *name;
+	dns_rdata_t *update_rr;
+} conditional_delete_ctx_t;
+
+/*%
+ * Predicate functions for delete_if().
+ */
+
+/*%
+ * Return true always.
+ */
+static bool
+true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	UNUSED(db_rr);
+	return (true);
+}
+
+/*%
+ * Return true if the record is a RRSIG.
+ */
+static bool
+rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	return ((db_rr->type == dns_rdatatype_rrsig) ?
+		true : false);
+}
+
+/*%
+ * Internal helper function for delete_if().
+ */
+static isc_result_t
+delete_if_action(void *data, rr_t *rr) {
+	conditional_delete_ctx_t *ctx = data;
+	if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
+		isc_result_t result;
+		result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
+				       DNS_DIFFOP_DEL, ctx->name,
+				       rr->ttl, &rr->rdata);
+		return (result);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+/*%
+ * Conditionally delete RRs.  Apply 'predicate' to the RRs
+ * specified by 'db', 'ver', 'name', and 'type' (which can
+ * be dns_rdatatype_any to match any type).  Delete those
+ * RRs for which the predicate returns true, and log the
+ * deletions in 'diff'.
+ */
+static isc_result_t
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+	  dns_rdata_t *update_rr, dns_diff_t *diff)
+{
+	conditional_delete_ctx_t ctx;
+	ctx.predicate = predicate;
+	ctx.db = db;
+	ctx.ver = ver;
+	ctx.diff = diff;
+	ctx.name = name;
+	ctx.update_rr = update_rr;
+	return (foreach_rr(db, ver, name, type, covers,
+			   delete_if_action, &ctx));
+}
+
+/**************************************************************************/
+/*
+ * Incremental updating of NSECs and RRSIGs.
+ */
+
+/*%
+ * We abuse the dns_diff_t type to represent a set of domain names
+ * affected by the update.
+ */
+static isc_result_t
+namelist_append_name(dns_diff_t *list, dns_name_t *name) {
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	static dns_rdata_t dummy_rdata = DNS_RDATA_INIT;
+
+	CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
+				   &dummy_rdata, &tuple));
+	dns_diff_append(list, &tuple);
+ failure:
+	return (result);
+}
+
+static isc_result_t
+namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
+{
+	isc_result_t result;
+	dns_fixedname_t fixedname;
+	dns_name_t *child;
+	dns_dbiterator_t *dbit = NULL;
+
+	child = dns_fixedname_initname(&fixedname);
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
+
+	for (result = dns_dbiterator_seek(dbit, name);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbit))
+	{
+		dns_dbnode_t *node = NULL;
+		CHECK(dns_dbiterator_current(dbit, &node, child));
+		dns_db_detachnode(db, &node);
+		if (! dns_name_issubdomain(child, name))
+			break;
+		CHECK(namelist_append_name(affected, child));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	return (result);
+}
+
+
+
+/*%
+ * Helper function for non_nsec_rrset_exists().
+ */
+static isc_result_t
+is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
+	UNUSED(data);
+	if (!(rrset->type == dns_rdatatype_nsec ||
+	      rrset->type == dns_rdatatype_nsec3 ||
+	      (rrset->type == dns_rdatatype_rrsig &&
+	       (rrset->covers == dns_rdatatype_nsec ||
+		rrset->covers == dns_rdatatype_nsec3))))
+		return (ISC_R_EXISTS);
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
+ * i.e., anything that justifies the continued existence of a name
+ * after a secure update.
+ *
+ * If such an rrset exists, set '*exists' to true.
+ * Otherwise, set it to false.
+ */
+static isc_result_t
+non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+		     dns_name_t *name, bool *exists)
+{
+	isc_result_t result;
+	result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
+	RETURN_EXISTENCE_FLAG;
+}
+
+/*%
+ * A comparison function for sorting dns_diff_t:s by name.
+ */
+static int
+name_order(const void *av, const void *bv) {
+	dns_difftuple_t const * const *ap = av;
+	dns_difftuple_t const * const *bp = bv;
+	dns_difftuple_t const *a = *ap;
+	dns_difftuple_t const *b = *bp;
+	return (dns_name_compare(&a->name, &b->name));
+}
+
+static isc_result_t
+uniqify_name_list(dns_diff_t *list) {
+	isc_result_t result;
+	dns_difftuple_t *p, *q;
+
+	CHECK(dns_diff_sort(list, name_order));
+
+	p = ISC_LIST_HEAD(list->tuples);
+	while (p != NULL) {
+		do {
+			q = ISC_LIST_NEXT(p, link);
+			if (q == NULL || ! dns_name_equal(&p->name, &q->name))
+				break;
+			ISC_LIST_UNLINK(list->tuples, q, link);
+			dns_difftuple_free(&q);
+		} while (1);
+		p = ISC_LIST_NEXT(p, link);
+	}
+ failure:
+	return (result);
+}
+
+static isc_result_t
+is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  bool *flag, bool *cut, bool *unsecure)
+{
+	isc_result_t result;
+	dns_fixedname_t foundname;
+	dns_fixedname_init(&foundname);
+	result = dns_db_find(db, name, ver, dns_rdatatype_any,
+			     DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t) 0, NULL,
+			     dns_fixedname_name(&foundname),
+			     NULL, NULL);
+	if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
+		*flag = true;
+		*cut = false;
+		if (unsecure != NULL)
+			*unsecure = false;
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_ZONECUT) {
+		*flag = true;
+		*cut = true;
+		if (unsecure != NULL) {
+			/*
+			 * We are at the zonecut.  Check to see if there
+			 * is a DS RRset.
+			 */
+			if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
+					(isc_stdtime_t) 0, NULL,
+					dns_fixedname_name(&foundname),
+					NULL, NULL) == DNS_R_NXRRSET)
+				*unsecure = true;
+			else
+				*unsecure = false;
+		}
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+		   result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+		*flag = false;
+		*cut = false;
+		if (unsecure != NULL)
+			*unsecure = false;
+		return (ISC_R_SUCCESS);
+	} else {
+		/*
+		 * Silence compiler.
+		 */
+		*flag = false;
+		*cut = false;
+		if (unsecure != NULL)
+			*unsecure = false;
+		return (result);
+	}
+}
+
+/*%
+ * Find the next/previous name that has a NSEC record.
+ * In other words, skip empty database nodes and names that
+ * have had their NSECs removed because they are obscured by
+ * a zone cut.
+ */
+static isc_result_t
+next_active(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	    dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
+	    bool forward)
+{
+	isc_result_t result;
+	dns_dbiterator_t *dbit = NULL;
+	bool has_nsec = false;
+	unsigned int wraps = 0;
+	bool secure = dns_db_issecure(db);
+
+	CHECK(dns_db_createiterator(db, 0, &dbit));
+
+	CHECK(dns_dbiterator_seek(dbit, oldname));
+	do {
+		dns_dbnode_t *node = NULL;
+
+		if (forward)
+			result = dns_dbiterator_next(dbit);
+		else
+			result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			/*
+			 * Wrap around.
+			 */
+			if (forward)
+				CHECK(dns_dbiterator_first(dbit));
+			else
+				CHECK(dns_dbiterator_last(dbit));
+			wraps++;
+			if (wraps == 2) {
+				update_log(log, zone, ISC_LOG_ERROR,
+					   "secure zone with no NSECs");
+				result = DNS_R_BADZONE;
+				goto failure;
+			}
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
+		dns_db_detachnode(db, &node);
+
+		/*
+		 * The iterator may hold the tree lock, and
+		 * rrset_exists() calls dns_db_findnode() which
+		 * may try to reacquire it.  To avoid deadlock
+		 * we must pause the iterator first.
+		 */
+		CHECK(dns_dbiterator_pause(dbit));
+		if (secure) {
+			CHECK(rrset_exists(db, ver, newname,
+					   dns_rdatatype_nsec, 0, &has_nsec));
+		} else {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(db, newname, ver,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if (result == ISC_R_SUCCESS ||
+			    result == DNS_R_EMPTYNAME ||
+			    result == DNS_R_NXRRSET ||
+			    result == DNS_R_CNAME ||
+			    (result == DNS_R_DELEGATION &&
+			     dns_name_equal(newname, found))) {
+				has_nsec = true;
+				result = ISC_R_SUCCESS;
+			} else if (result != DNS_R_NXDOMAIN)
+				break;
+		}
+	} while (! has_nsec);
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+
+	return (result);
+}
+
+/*%
+ * Add a NSEC record for "name", recording the change in "diff".
+ * The existing NSEC is removed.
+ */
+static isc_result_t
+add_nsec(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *ver, dns_name_t *name, dns_ttl_t nsecttl,
+	 dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	unsigned char buffer[DNS_NSEC_BUFFERSIZE];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixedname;
+	dns_name_t *target;
+
+	target = dns_fixedname_initname(&fixedname);
+
+	/*
+	 * Find the successor name, aka NSEC target.
+	 */
+	CHECK(next_active(log, zone, db, ver, name, target, true));
+
+	/*
+	 * Create the NSEC RDATA.
+	 */
+	CHECK(dns_db_findnode(db, name, false, &node));
+	dns_rdata_init(&rdata);
+	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
+	dns_db_detachnode(db, &node);
+
+	/*
+	 * Delete the old NSEC and record the change.
+	 */
+	CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
+			NULL, diff));
+	/*
+	 * Add the new NSEC and record the change.
+	 */
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
+				   nsecttl, &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, ver, diff));
+	INSIST(tuple == NULL);
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*%
+ * Add a placeholder NSEC record for "name", recording the change in "diff".
+ */
+static isc_result_t
+add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		     dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	isc_region_t r;
+	unsigned char data[1] = { 0 }; /* The root domain, no bits. */
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	r.base = data;
+	r.length = sizeof(data);
+	dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
+				   &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, ver, diff));
+ failure:
+	return (result);
+}
+
+static isc_result_t
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       isc_mem_t *mctx, unsigned int maxkeys,
+	       dst_key_t **keys, unsigned int *nkeys)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
+	CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+	CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
+				       directory, mctx, maxkeys, keys, nkeys));
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*%
+ * Add RRSIG records for an RRset, recording the change in "diff".
+ */
+static isc_result_t
+add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
+	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+	 isc_stdtime_t inception, isc_stdtime_t expire,
+	 bool check_ksk, bool keyset_kskonly)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+	unsigned char data[1024]; /* XXX */
+	unsigned int i, j;
+	bool added_sig = false;
+	isc_mem_t *mctx = diff->mctx;
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	/* Get the rdataset to sign. */
+	if (type == dns_rdatatype_nsec3)
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	else
+		CHECK(dns_db_findnode(db, name, false, &node));
+	CHECK(dns_db_findrdataset(db, node, ver, type, 0,
+				  (isc_stdtime_t) 0, &rdataset, NULL));
+	dns_db_detachnode(db, &node);
+
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ALG(x) dst_key_alg(x)
+
+	/*
+	 * If we are honoring KSK flags then we need to check that we
+	 * have both KSK and non-KSK keys that are not revoked per
+	 * algorithm.
+	 */
+	for (i = 0; i < nkeys; i++) {
+		bool both = false;
+
+		if (!dst_key_isprivate(keys[i]))
+			continue;
+		if (dst_key_inactive(keys[i]))	/* Should be redundant. */
+			continue;
+
+		if (check_ksk && !REVOKE(keys[i])) {
+			bool have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = true;
+				have_nonksk = false;
+			} else {
+				have_ksk = false;
+				have_nonksk = true;
+			}
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j]))
+					continue;
+				if (!dst_key_isprivate(keys[j]))
+					continue;
+				if (dst_key_inactive(keys[j]))	/* SBR */
+					continue;
+				if (REVOKE(keys[j]))
+					continue;
+				if (KSK(keys[j]))
+					have_ksk = true;
+				else
+					have_nonksk = true;
+				both = have_ksk && have_nonksk;
+				if (both)
+					break;
+			}
+		}
+
+		if (both) {
+			if (type == dns_rdatatype_dnskey) {
+				if (!KSK(keys[i]) && keyset_kskonly)
+					continue;
+			} else if (KSK(keys[i])) {
+				/*
+				 * CDS and CDNSKEY are signed with KSK
+				 * (RFC 7344, 4.1).
+				*/
+				if (type != dns_rdatatype_cds &&
+				    type != dns_rdatatype_cdnskey)
+					continue;
+			}
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+			continue;
+
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+				      &inception, &expire,
+				      mctx, &buffer, &sig_rdata));
+
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
+				    rdataset.ttl, &sig_rdata));
+		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
+		added_sig = true;
+	}
+	if (!added_sig) {
+		update_log(log, zone, ISC_LOG_ERROR,
+			   "found no active private keys, "
+			   "unable to generate any signatures");
+		result = ISC_R_NOTFOUND;
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also zone.c:del_sigs().
+ */
+static isc_result_t
+del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	bool found;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
+				     dns_rdatatype_dnskey, (isc_stdtime_t) 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		found = false;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.keyid == dst_key_id(keys[i])) {
+				found = true;
+				if (!dst_key_isprivate(keys[i]) &&
+				    !dst_key_inactive(keys[i]))
+				{
+					/*
+					 * The re-signing code in zone.c
+					 * will mark this as offline.
+					 * Just skip the record for now.
+					 */
+					break;
+				}
+				result = update_one_rr(db, ver, diff,
+						       DNS_DIFFOP_DEL, name,
+						       rdataset.ttl, &rdata);
+				break;
+			}
+		}
+		/*
+		 * If there is not a matching DNSKEY then delete the RRSIG.
+		 */
+		if (!found)
+			result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+					       name, rdataset.ttl, &rdata);
+		dns_rdata_reset(&rdata);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+add_exposed_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		 dns_dbversion_t *ver, dns_name_t *name, bool cut,
+		 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+		 isc_stdtime_t inception, isc_stdtime_t expire,
+		 bool check_ksk, bool keyset_kskonly,
+		 unsigned int *sigs)
+{
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+
+	node = NULL;
+	result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver,
+				     (isc_stdtime_t) 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdatasetiter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdatatype_t type;
+		bool flag;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+		type = rdataset.type;
+		dns_rdataset_disassociate(&rdataset);
+
+		/*
+		 * We don't need to sign unsigned NSEC records at the cut
+		 * as they are handled elsewhere.
+		 */
+		if ((type == dns_rdatatype_rrsig) ||
+		    (cut && type != dns_rdatatype_ds))
+			continue;
+		result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
+				      type, &flag);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iterator;
+		if (flag)
+			continue;;
+		result = add_sigs(log, zone, db, ver, name, type, diff,
+				  keys, nkeys, inception, expire,
+				  check_ksk, keyset_kskonly);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iterator;
+		(*sigs)++;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+/*%
+ * Update RRSIG, NSEC and NSEC3 records affected by an update.  The original
+ * update, including the SOA serial update but excluding the RRSIG & NSEC
+ * changes, is in "diff" and has already been applied to "newver" of "db".
+ * The database version prior to the update is "oldver".
+ *
+ * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
+ * and added (as a minimal diff) to "diff".
+ *
+ * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
+ */
+isc_result_t
+dns_update_signatures(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+		      dns_dbversion_t *oldver, dns_dbversion_t *newver,
+		      dns_diff_t *diff, uint32_t sigvalidityinterval)
+{
+	return (dns_update_signaturesinc(log, zone, db, oldver, newver, diff,
+					 sigvalidityinterval, NULL));
+}
+
+struct dns_update_state {
+	unsigned int magic;
+	dns_diff_t diffnames;
+	dns_diff_t affected;
+	dns_diff_t sig_diff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec_mindiff;
+	dns_diff_t work;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	unsigned int nkeys;
+	isc_stdtime_t inception, expire;
+	dns_ttl_t nsecttl;
+	bool check_ksk, keyset_kskonly, build_nsec3;
+	enum { sign_updates, remove_orphaned, build_chain, process_nsec,
+	       sign_nsec, update_nsec3, process_nsec3, sign_nsec3 } state;
+};
+
+isc_result_t
+dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
+			 dns_dbversion_t *oldver, dns_dbversion_t *newver,
+			 dns_diff_t *diff, uint32_t sigvalidityinterval,
+			 dns_update_state_t **statep)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_update_state_t mystate, *state;
+
+	dns_difftuple_t *t, *next;
+	bool flag, build_nsec;
+	unsigned int i;
+	isc_stdtime_t now;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	bool unsecure;
+	bool cut;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+	unsigned int sigs = 0;
+	unsigned int maxsigs = dns_zone_getsignatures(zone);
+
+	if (statep == NULL || *statep == NULL) {
+		if (statep == NULL) {
+			state = &mystate;
+		} else {
+			state = isc_mem_get(diff->mctx, sizeof(*state));
+			if (state == NULL)
+				return (ISC_R_NOMEMORY);
+		}
+
+		dns_diff_init(diff->mctx, &state->diffnames);
+		dns_diff_init(diff->mctx, &state->affected);
+		dns_diff_init(diff->mctx, &state->sig_diff);
+		dns_diff_init(diff->mctx, &state->nsec_diff);
+		dns_diff_init(diff->mctx, &state->nsec_mindiff);
+		dns_diff_init(diff->mctx, &state->work);
+		state->nkeys = 0;
+		state->build_nsec3 = false;
+
+		result = find_zone_keys(zone, db, newver, diff->mctx,
+					DNS_MAXZONEKEYS, state->zone_keys,
+					&state->nkeys);
+		if (result != ISC_R_SUCCESS) {
+			update_log(log, zone, ISC_LOG_ERROR,
+				   "could not get zone keys for secure "
+				   "dynamic update");
+			goto failure;
+		}
+
+		isc_stdtime_get(&now);
+		state->inception = now - 3600; /* Allow for some clock skew. */
+		state->expire = now + sigvalidityinterval;
+
+		/*
+		 * Do we look at the KSK flag on the DNSKEY to determining which
+		 * keys sign which RRsets?  First check the zone option then
+		 * check the keys flags to make sure at least one has a ksk set
+		 * and one doesn't.
+		 */
+		state->check_ksk =
+			(dns_zone_getoptions(zone) & DNS_ZONEOPT_UPDATECHECKKSK);
+		state->keyset_kskonly =
+			(dns_zone_getoptions(zone) & DNS_ZONEOPT_DNSKEYKSKONLY);
+
+		/*
+		 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
+		 */
+		CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+		dns_rdataset_init(&rdataset);
+		CHECK(dns_db_findrdataset(db, node, newver, dns_rdatatype_soa,
+					  0, (isc_stdtime_t) 0, &rdataset,
+					  NULL));
+		CHECK(dns_rdataset_first(&rdataset));
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &soa, NULL));
+		state->nsecttl = soa.minimum;
+		dns_rdataset_disassociate(&rdataset);
+		dns_db_detachnode(db, &node);
+
+		/*
+		 * Find all RRsets directly affected by the update, and
+		 * update their RRSIGs.  Also build a list of names affected
+		 * by the update in "diffnames".
+		 */
+		CHECK(dns_diff_sort(diff, temp_order));
+		state->state = sign_updates;
+		state->magic = STATE_MAGIC;
+		if (statep != NULL)
+			*statep = state;
+	} else {
+		REQUIRE(DNS_STATE_VALID(*statep));
+		state = *statep;
+	}
+
+ next_state:
+	switch (state->state) {
+	case sign_updates:
+		t = ISC_LIST_HEAD(diff->tuples);
+		while (t != NULL) {
+			dns_name_t *name = &t->name;
+			/*
+			 * Now "name" is a new, unique name affected by the
+			 * update.
+			 */
+
+			CHECK(namelist_append_name(&state->diffnames, name));
+
+			while (t != NULL && dns_name_equal(&t->name, name)) {
+				dns_rdatatype_t type;
+				type = t->rdata.type;
+
+				/*
+				 * Now "name" and "type" denote a new unique
+				 * RRset affected by the update.
+				 */
+
+				/* Don't sign RRSIGs. */
+				if (type == dns_rdatatype_rrsig)
+					goto skip;
+
+				/*
+				 * Delete all old RRSIGs covering this type,
+				 * since they are all invalid when the signed
+				 * RRset has changed.  We may not be able to
+				 * recreate all of them - tough.
+				 * Special case changes to the zone's DNSKEY
+				 * records to support offline KSKs.
+				 */
+				if (type == dns_rdatatype_dnskey)
+					del_keysigs(db, newver, name,
+						    &state->sig_diff,
+						    state->zone_keys,
+						    state->nkeys);
+				else
+					CHECK(delete_if(true_p, db, newver,
+							name,
+							dns_rdatatype_rrsig,
+							type, NULL,
+							&state->sig_diff));
+
+				/*
+				 * If this RRset is still visible after the
+				 * update, add a new signature for it.
+				 */
+				CHECK(rrset_visible(db, newver, name, type,
+						   &flag));
+				if (flag) {
+					CHECK(add_sigs(log, zone, db, newver,
+						       name, type,
+						       &state->sig_diff,
+						       state->zone_keys,
+						       state->nkeys,
+						       state->inception,
+						       state->expire,
+						       state->check_ksk,
+						       state->keyset_kskonly));
+					sigs++;
+				}
+			skip:
+				/* Skip any other updates to the same RRset. */
+				while (t != NULL &&
+				       dns_name_equal(&t->name, name) &&
+				       t->rdata.type == type)
+				{
+					next = ISC_LIST_NEXT(t, link);
+					ISC_LIST_UNLINK(diff->tuples, t, link);
+					ISC_LIST_APPEND(state->work.tuples, t,
+							link);
+					t = next;
+				}
+			}
+			if (state != &mystate && sigs > maxsigs)
+				return (DNS_R_CONTINUE);
+		}
+		ISC_LIST_APPENDLIST(diff->tuples, state->work.tuples, link);
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "updated data signatures");
+		/* FALLTHROUGH */
+	case remove_orphaned:
+		state->state = remove_orphaned;
+
+		/* Remove orphaned NSECs and RRSIG NSECs. */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples);
+		     t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			CHECK(non_nsec_rrset_exists(db, newver,
+						    &t->name, &flag));
+			if (!flag) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_any, 0,
+						NULL, &state->sig_diff));
+			}
+		}
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "removed any orphaned NSEC records");
+
+		/*
+		 * See if we need to build NSEC or NSEC3 chains.
+		 */
+		CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
+					 &state->build_nsec3));
+		if (!build_nsec) {
+			state->state = update_nsec3;
+			goto next_state;
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "rebuilding NSEC chain");
+
+		/* FALLTHROUGH */
+	case build_chain:
+		state->state = build_chain;
+		/*
+		 * When a name is created or deleted, its predecessor needs to
+		 * have its NSEC updated.
+		 */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples);
+		     t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			bool existed, exists;
+			dns_fixedname_t fixedname;
+			dns_name_t *prevname;
+
+			prevname = dns_fixedname_initname(&fixedname);
+
+			if (oldver != NULL)
+				CHECK(name_exists(db, oldver, &t->name,
+						  &existed));
+			else
+				existed = false;
+			CHECK(name_exists(db, newver, &t->name, &exists));
+			if (exists == existed)
+				continue;
+
+			/*
+			 * Find the predecessor.
+			 * When names become obscured or unobscured in this
+			 * update transaction, we may find the wrong
+			 * predecessor because the NSECs have not yet been
+			 * updated to reflect the delegation change.  This
+			 * should not matter because in this case, the correct
+			 * predecessor is either the delegation node or a
+			 * newly unobscured node, and those nodes are on the
+			 * "affected" list in any case.
+			 */
+			CHECK(next_active(log, zone, db, newver,
+					  &t->name, prevname, false));
+			CHECK(namelist_append_name(&state->affected, prevname));
+		}
+
+		/*
+		 * Find names potentially affected by delegation changes
+		 * (obscured by adding an NS or DNAME, or unobscured by
+		 * removing one).
+		 */
+		for (t = ISC_LIST_HEAD(state->diffnames.tuples);
+		     t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			bool ns_existed, dname_existed;
+			bool ns_exists, dname_exists;
+
+			if (oldver != NULL)
+				CHECK(rrset_exists(db, oldver, &t->name,
+						  dns_rdatatype_ns, 0,
+						  &ns_existed));
+			else
+				ns_existed = false;
+			if (oldver != NULL)
+				CHECK(rrset_exists(db, oldver, &t->name,
+						   dns_rdatatype_dname, 0,
+						   &dname_existed));
+			else
+				dname_existed = false;
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_ns, 0, &ns_exists));
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_dname, 0,
+					   &dname_exists));
+			if ((ns_exists || dname_exists) ==
+			    (ns_existed || dname_existed))
+				continue;
+			/*
+			 * There was a delegation change.  Mark all subdomains
+			 * of t->name as potentially needing a NSEC update.
+			 */
+			CHECK(namelist_append_subdomain(db, &t->name,
+							&state->affected));
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples,
+				    state->diffnames.tuples, link);
+		INSIST(ISC_LIST_EMPTY(state->diffnames.tuples));
+
+		CHECK(uniqify_name_list(&state->affected));
+
+		/* FALLTHROUGH */
+	case process_nsec:
+		state->state = process_nsec;
+
+		/*
+		 * Determine which names should have NSECs, and delete/create
+		 * NSECs to make it so.  We don't know the final NSEC targets
+		 * yet, so we just create placeholder NSECs with arbitrary
+		 * contents to indicate that their respective owner names
+		 * should be part of the NSEC chain.
+		 */
+		while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) {
+			bool exists;
+			dns_name_t *name = &t->name;
+
+			CHECK(name_exists(db, newver, name, &exists));
+			if (! exists)
+				goto unlink;
+			CHECK(is_active(db, newver, name, &flag, &cut, NULL));
+			if (!flag) {
+				/*
+				 * This name is obscured.  Delete any
+				 * existing NSEC record.
+				 */
+				CHECK(delete_if(true_p, db, newver, name,
+						dns_rdatatype_nsec, 0,
+						NULL, &state->nsec_diff));
+				CHECK(delete_if(rrsig_p, db, newver, name,
+						dns_rdatatype_any, 0, NULL,
+						diff));
+			} else {
+				/*
+				 * This name is not obscured.  It needs to have
+				 * a NSEC unless it is the at the origin, in
+				 * which case it should already exist if there
+				 * is a complete NSEC chain and if there isn't
+				 * a complete NSEC chain we don't want to add
+				 * one as that would signal that there is a
+				 * complete NSEC chain.
+				 */
+				if (!dns_name_equal(name, dns_db_origin(db))) {
+					CHECK(rrset_exists(db, newver, name,
+							   dns_rdatatype_nsec,
+							   0, &flag));
+					if (!flag)
+						CHECK(add_placeholder_nsec(db,
+							  newver, name, diff));
+				}
+				CHECK(add_exposed_sigs(log, zone, db, newver,
+						       name, cut,
+						       &state->sig_diff,
+						       state->zone_keys,
+						       state->nkeys,
+						       state->inception,
+						       state->expire,
+						       state->check_ksk,
+						       state->keyset_kskonly,
+						       &sigs));
+			}
+	 unlink:
+			ISC_LIST_UNLINK(state->affected.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs)
+				return (DNS_R_CONTINUE);
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples,
+				    state->work.tuples, link);
+
+		/*
+		 * Now we know which names are part of the NSEC chain.
+		 * Make them all point at their correct targets.
+		 */
+		for (t = ISC_LIST_HEAD(state->affected.tuples);
+		     t != NULL;
+		     t = ISC_LIST_NEXT(t, link))
+		{
+			CHECK(rrset_exists(db, newver, &t->name,
+					   dns_rdatatype_nsec, 0, &flag));
+			if (flag) {
+				/*
+				 * There is a NSEC, but we don't know if it
+				 * is correct. Delete it and create a correct
+				 * one to be sure. If the update was
+				 * unnecessary, the diff minimization
+				 * will take care of eliminating it from the
+				 * journal, IXFRs, etc.
+				 *
+				 * The RRSIG bit should always be set in the
+				 * NSECs we generate, because they will all
+				 * get RRSIG NSECs.
+				 * (XXX what if the zone keys are missing?).
+				 * Because the RRSIG NSECs have not necessarily
+				 * been created yet, the correctness of the
+				 * bit mask relies on the assumption that NSECs
+				 * are only created if there is other data, and
+				 * if there is other data, there are other
+				 * RRSIGs.
+				 */
+				CHECK(add_nsec(log, zone, db, newver, &t->name,
+					       state->nsecttl,
+					       &state->nsec_diff));
+			}
+		}
+
+		/*
+		 * Minimize the set of NSEC updates so that we don't
+		 * have to regenerate the RRSIG NSECs for NSECs that were
+		 * replaced with identical ones.
+		 */
+		while ((t = ISC_LIST_HEAD(state->nsec_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->nsec_diff.tuples, t, link);
+			dns_diff_appendminimal(&state->nsec_mindiff, &t);
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "signing rebuilt NSEC chain");
+
+		/* FALLTHROUGH */
+	case sign_nsec:
+		state->state = sign_nsec;
+		/* Update RRSIG NSECs. */
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			if (t->op == DNS_DIFFOP_DEL) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_rrsig,
+						dns_rdatatype_nsec,
+						NULL, &state->sig_diff));
+			} else if (t->op == DNS_DIFFOP_ADD) {
+				CHECK(add_sigs(log, zone, db, newver, &t->name,
+					       dns_rdatatype_nsec,
+					       &state->sig_diff,
+					       state->zone_keys, state->nkeys,
+					       state->inception, state->expire,
+					       state->check_ksk,
+					       state->keyset_kskonly));
+				sigs++;
+			} else {
+				INSIST(0);
+			}
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs)
+				return (DNS_R_CONTINUE);
+		}
+		ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples,
+				    state->work.tuples, link);
+		/* FALLTHROUGH */
+	case update_nsec3:
+		state->state = update_nsec3;
+
+		/* Record our changes for the journal. */
+		while ((t = ISC_LIST_HEAD(state->sig_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->sig_diff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+
+		INSIST(ISC_LIST_EMPTY(state->sig_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples));
+
+		if (!state->build_nsec3) {
+			update_log(log, zone, ISC_LOG_DEBUG(3),
+				   "no NSEC3 chains to rebuild");
+			goto failure;
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "rebuilding NSEC3 chains");
+
+		dns_diff_clear(&state->diffnames);
+		dns_diff_clear(&state->affected);
+
+		CHECK(dns_diff_sort(diff, temp_order));
+
+		/*
+		 * Find names potentially affected by delegation changes
+		 * (obscured by adding an NS or DNAME, or unobscured by
+		 * removing one).
+		 */
+		t = ISC_LIST_HEAD(diff->tuples);
+		while (t != NULL) {
+			dns_name_t *name = &t->name;
+
+			bool ns_existed, dname_existed;
+			bool ns_exists, dname_exists;
+			bool exists, existed;
+
+			if (t->rdata.type == dns_rdatatype_nsec ||
+			    t->rdata.type == dns_rdatatype_rrsig) {
+				t = ISC_LIST_NEXT(t, link);
+				continue;
+			}
+
+			CHECK(namelist_append_name(&state->affected, name));
+
+			if (oldver != NULL)
+				CHECK(rrset_exists(db, oldver, name,
+						   dns_rdatatype_ns,
+						   0, &ns_existed));
+			else
+				ns_existed = false;
+			if (oldver != NULL)
+				CHECK(rrset_exists(db, oldver, name,
+						   dns_rdatatype_dname, 0,
+						   &dname_existed));
+			else
+				dname_existed = false;
+			CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns,
+					   0, &ns_exists));
+			CHECK(rrset_exists(db, newver, name,
+					   dns_rdatatype_dname, 0,
+					   &dname_exists));
+
+			exists = ns_exists || dname_exists;
+			existed = ns_existed || dname_existed;
+			if (exists == existed)
+				goto nextname;
+			/*
+			 * There was a delegation change.  Mark all subdomains
+			 * of t->name as potentially needing a NSEC3 update.
+			 */
+			CHECK(namelist_append_subdomain(db, name,
+							&state->affected));
+
+	nextname:
+			while (t != NULL && dns_name_equal(&t->name, name))
+				t = ISC_LIST_NEXT(t, link);
+		}
+
+		/* FALLTHROUGH */
+	case process_nsec3:
+		state->state = process_nsec3;
+		while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) {
+			dns_name_t *name = &t->name;
+
+			unsecure = false;	/* Silence compiler warning. */
+			CHECK(is_active(db, newver, name, &flag, &cut,
+					&unsecure));
+
+			if (!flag) {
+				CHECK(delete_if(rrsig_p, db, newver, name,
+						dns_rdatatype_any, 0, NULL,
+						diff));
+				CHECK(dns_nsec3_delnsec3sx(db, newver, name,
+							   privatetype,
+							   &state->nsec_diff));
+			} else {
+				CHECK(add_exposed_sigs(log, zone, db, newver,
+						       name, cut,
+						       &state->sig_diff,
+						       state->zone_keys,
+						       state->nkeys,
+						       state->inception,
+						       state->expire,
+						       state->check_ksk,
+						       state->keyset_kskonly,
+						       &sigs));
+				CHECK(dns_nsec3_addnsec3sx(db, newver, name,
+							   state->nsecttl,
+							   unsecure,
+							   privatetype,
+							   &state->nsec_diff));
+			}
+			ISC_LIST_UNLINK(state->affected.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs)
+				return (DNS_R_CONTINUE);
+		}
+		ISC_LIST_APPENDLIST(state->affected.tuples,
+				    state->work.tuples, link);
+
+		/*
+		 * Minimize the set of NSEC3 updates so that we don't
+		 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
+		 * replaced with identical ones.
+		 */
+		while ((t = ISC_LIST_HEAD(state->nsec_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->nsec_diff.tuples, t, link);
+			dns_diff_appendminimal(&state->nsec_mindiff, &t);
+		}
+
+		update_log(log, zone, ISC_LOG_DEBUG(3),
+			   "signing rebuilt NSEC3 chain");
+
+		/* FALLTHROUGH */
+	case sign_nsec3:
+		state->state = sign_nsec3;
+		/* Update RRSIG NSEC3s. */
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			if (t->op == DNS_DIFFOP_DEL) {
+				CHECK(delete_if(true_p, db, newver, &t->name,
+						dns_rdatatype_rrsig,
+						dns_rdatatype_nsec3,
+						NULL, &state->sig_diff));
+			} else if (t->op == DNS_DIFFOP_ADD) {
+				CHECK(add_sigs(log, zone, db, newver, &t->name,
+					       dns_rdatatype_nsec3,
+					       &state->sig_diff,
+					       state->zone_keys,
+					       state->nkeys, state->inception,
+					       state->expire, state->check_ksk,
+					       state->keyset_kskonly));
+				sigs++;
+			} else {
+				INSIST(0);
+			}
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			ISC_LIST_APPEND(state->work.tuples, t, link);
+			if (state != &mystate && sigs > maxsigs)
+				return (DNS_R_CONTINUE);
+		}
+		ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples,
+				    state->work.tuples, link);
+
+		/* Record our changes for the journal. */
+		while ((t = ISC_LIST_HEAD(state->sig_diff.tuples)) != NULL) {
+			ISC_LIST_UNLINK(state->sig_diff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+		while ((t = ISC_LIST_HEAD(state->nsec_mindiff.tuples)) != NULL)
+		{
+			ISC_LIST_UNLINK(state->nsec_mindiff.tuples, t, link);
+			dns_diff_appendminimal(diff, &t);
+		}
+
+		INSIST(ISC_LIST_EMPTY(state->sig_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_diff.tuples));
+		INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples));
+		break;
+	default:
+		INSIST(0);
+	}
+
+ failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
+	dns_diff_clear(&state->sig_diff);
+	dns_diff_clear(&state->nsec_diff);
+	dns_diff_clear(&state->nsec_mindiff);
+
+	dns_diff_clear(&state->affected);
+	dns_diff_clear(&state->diffnames);
+	dns_diff_clear(&state->work);
+
+	for (i = 0; i < state->nkeys; i++)
+		dst_key_free(&state->zone_keys[i]);
+
+	if (state != &mystate && state != NULL) {
+		*statep = NULL;
+		state->magic = 0;
+		isc_mem_put(diff->mctx, state, sizeof(*state));
+	}
+
+	return (result);
+}
+
+static isc_stdtime_t
+epoch_to_yyyymmdd(time_t when) {
+	struct tm *tm;
+
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
+	struct tm tm0;
+	tm = localtime_r(&when, &tm0);
+#else
+	tm = localtime(&when);
+#endif
+	return (((tm->tm_year + 1900) * 10000) +
+		((tm->tm_mon + 1) * 100) + tm->tm_mday);
+}
+
+uint32_t
+dns_update_soaserial(uint32_t serial, dns_updatemethod_t method) {
+	isc_stdtime_t now;
+	uint32_t new_serial;
+
+	switch (method) {
+	case dns_updatemethod_none:
+		return (serial);
+	case dns_updatemethod_unixtime:
+		isc_stdtime_get(&now);
+		if (now != 0 && isc_serial_gt(now, serial))
+			return (now);
+		break;
+	case dns_updatemethod_date:
+		isc_stdtime_get(&now);
+		new_serial = epoch_to_yyyymmdd((time_t) now) * 100;
+		if (new_serial != 0 && isc_serial_gt(new_serial, serial))
+			return (new_serial);
+	case dns_updatemethod_increment:
+		break;
+	}
+
+	/* RFC1982 */
+	serial = (serial + 1) & 0xFFFFFFFF;
+	if (serial == 0)
+		serial = 1;
+
+	return (serial);
+}
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
new file mode 100644
index 0000000..9ae11a2
--- /dev/null
+++ b/lib/dns/validator.c
@@ -0,0 +1,3985 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/events.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/validator.h>
+#include <dns/view.h>
+
+/*! \file
+ * \brief
+ * Basic processing sequences.
+ *
+ * \li When called with rdataset and sigrdataset:
+ * validator_start -> validate -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> validate -> proveunsecure
+ *
+ * validator_start -> validate -> nsecvalidate	(secure wildcard answer)
+ *
+ * \li When called with rdataset, sigrdataset and with DNS_VALIDATOR_DLV:
+ * validator_start -> startfinddlvsep -> dlv_validator_start ->
+ *	validator_start -> validate -> proveunsecure
+ *
+ * \li When called with rdataset:
+ * validator_start -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> proveunsecure
+ *
+ * \li When called with rdataset and with DNS_VALIDATOR_DLV:
+ * validator_start -> startfinddlvsep -> dlv_validator_start ->
+ *	validator_start -> proveunsecure
+ *
+ * \li When called without a rdataset:
+ * validator_start -> nsecvalidate -> proveunsecure -> startfinddlvsep ->
+ *	dlv_validator_start -> validator_start -> nsecvalidate -> proveunsecure
+ *
+ * Note: there isn't a case for DNS_VALIDATOR_DLV here as we want nsecvalidate()
+ * to always validate the authority section even when it does not contain
+ * signatures.
+ *
+ * validator_start: determines what type of validation to do.
+ * validate: attempts to perform a positive validation.
+ * proveunsecure: attempts to prove the answer comes from a unsecure zone.
+ * nsecvalidate: attempts to prove a negative response.
+ * startfinddlvsep: starts the DLV record lookup.
+ * dlv_validator_start: resets state and restarts the lookup using the
+ *	DLV RRset found by startfinddlvsep.
+ */
+
+#define VALIDATOR_MAGIC			ISC_MAGIC('V', 'a', 'l', '?')
+#define VALID_VALIDATOR(v)		ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+
+#define VALATTR_SHUTDOWN		0x0001	/*%< Shutting down. */
+#define VALATTR_CANCELED		0x0002	/*%< Canceled. */
+#define VALATTR_TRIEDVERIFY		0x0004  /*%< We have found a key and
+						 * have attempted a verify. */
+#define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
+#define VALATTR_DLVTRIED		0x0020	/*%< Looked for a DLV record. */
+
+/*!
+ * NSEC proofs to be looked for.
+ */
+#define VALATTR_NEEDNOQNAME		0x00000100
+#define VALATTR_NEEDNOWILDCARD		0x00000200
+#define VALATTR_NEEDNODATA		0x00000400
+
+/*!
+ * NSEC proofs that have been found.
+ */
+#define VALATTR_FOUNDNOQNAME		0x00001000
+#define VALATTR_FOUNDNOWILDCARD		0x00002000
+#define VALATTR_FOUNDNODATA		0x00004000
+#define VALATTR_FOUNDCLOSEST		0x00008000
+
+/*
+ *
+ */
+#define VALATTR_FOUNDOPTOUT		0x00010000
+#define VALATTR_FOUNDUNKNOWN		0x00020000
+
+#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
+#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
+#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
+#define FOUNDNODATA(val) ((val->attributes & VALATTR_FOUNDNODATA) != 0)
+#define FOUNDNOQNAME(val) ((val->attributes & VALATTR_FOUNDNOQNAME) != 0)
+#define FOUNDNOWILDCARD(val) ((val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)
+#define FOUNDCLOSEST(val) ((val->attributes & VALATTR_FOUNDCLOSEST) != 0)
+#define FOUNDOPTOUT(val) ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+
+#define SHUTDOWN(v)		(((v)->attributes & VALATTR_SHUTDOWN) != 0)
+#define CANCELED(v)		(((v)->attributes & VALATTR_CANCELED) != 0)
+
+#define NEGATIVE(r)	(((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
+static void
+destroy(dns_validator_t *val);
+
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
+	    dns_rdataset_t *rdataset);
+
+static isc_result_t
+validate(dns_validator_t *val, bool resume);
+
+static isc_result_t
+validatezonekey(dns_validator_t *val);
+
+static isc_result_t
+nsecvalidate(dns_validator_t *val, bool resume);
+
+static isc_result_t
+proveunsecure(dns_validator_t *val, bool have_ds,
+	      bool resume);
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+     ISC_FORMAT_PRINTF(5, 0);
+
+static void
+validator_log(void *val, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+static void
+validator_logcreate(dns_validator_t *val,
+		    dns_name_t *name, dns_rdatatype_t type,
+		    const char *caller, const char *operation);
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val);
+
+static void
+dlv_validator_start(dns_validator_t *val);
+
+static isc_result_t
+finddlvsep(dns_validator_t *val, bool resume);
+
+static isc_result_t
+startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure);
+
+/*%
+ * Mark the RRsets as a answer.
+ */
+static inline void
+markanswer(dns_validator_t *val, const char *where) {
+	validator_log(val, ISC_LOG_DEBUG(3), "marking as answer (%s)", where);
+	if (val->event->rdataset != NULL)
+		dns_rdataset_settrust(val->event->rdataset, dns_trust_answer);
+	if (val->event->sigrdataset != NULL)
+		dns_rdataset_settrust(val->event->sigrdataset,
+				      dns_trust_answer);
+}
+
+static inline void
+marksecure(dns_validatorevent_t *event) {
+	dns_rdataset_settrust(event->rdataset, dns_trust_secure);
+	if (event->sigrdataset != NULL)
+		dns_rdataset_settrust(event->sigrdataset, dns_trust_secure);
+	event->secure = true;
+}
+
+static void
+validator_done(dns_validator_t *val, isc_result_t result) {
+	isc_task_t *task;
+
+	if (val->event == NULL)
+		return;
+
+	/*
+	 * Caller must be holding the lock.
+	 */
+
+	val->event->result = result;
+	task = val->event->ev_sender;
+	val->event->ev_sender = val;
+	val->event->ev_type = DNS_EVENT_VALIDATORDONE;
+	val->event->ev_action = val->action;
+	val->event->ev_arg = val->arg;
+	isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
+}
+
+static inline bool
+exit_check(dns_validator_t *val) {
+	/*
+	 * Caller must be holding the lock.
+	 */
+	if (!SHUTDOWN(val))
+		return (false);
+
+	INSIST(val->event == NULL);
+
+	if (val->fetch != NULL || val->subvalidator != NULL)
+		return (false);
+
+	return (true);
+}
+
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline bool
+dlv_algorithm_supported(dns_validator_t *val) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dlv_t dlv;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&val->dlv, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.digest_type))
+			continue;
+
+		return (true);
+	}
+	return (false);
+}
+
+/*%
+ * Look in the NSEC record returned from a DS query to see if there is
+ * a NS RRset at this name.  If it is found we are at a delegation point.
+ */
+static bool
+isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
+	     isc_result_t dbresult)
+{
+	dns_fixedname_t fixed;
+	dns_label_t hashlabel;
+	dns_name_t nsec3name;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t set;
+	int order;
+	int scope;
+	bool found;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
+
+	REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
+
+	dns_rdataset_init(&set);
+	if (dbresult == DNS_R_NXRRSET)
+		dns_rdataset_clone(rdataset, &set);
+	else {
+		result = dns_ncache_getrdataset(rdataset, name,
+						dns_rdatatype_nsec, &set);
+		if (result == ISC_R_NOTFOUND)
+			goto trynsec3;
+		if (result != ISC_R_SUCCESS)
+			return (false);
+	}
+
+	INSIST(set.type == dns_rdatatype_nsec);
+
+	found = false;
+	result = dns_rdataset_first(&set);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(&set, &rdata);
+		found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&set);
+	return (found);
+
+ trynsec3:
+	/*
+	 * Iterate over the ncache entry.
+	 */
+	found = false;
+	dns_name_init(&nsec3name, NULL);
+	dns_fixedname_init(&fixed);
+	dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
+	name = dns_fixedname_name(&fixed);
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_ncache_current(rdataset, &nsec3name, &set);
+		if (set.type != dns_rdatatype_nsec3) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		dns_name_getlabel(&nsec3name, 0, &hashlabel);
+		isc_region_consume(&hashlabel, 1);
+		isc_buffer_init(&buffer, owner, sizeof(owner));
+		result = isc_base32hexnp_decoderegion(&hashlabel, &buffer);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		for (result = dns_rdataset_first(&set);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&set))
+		{
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&set, &rdata);
+			(void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
+			if (nsec3.hash != 1)
+				continue;
+			length = isc_iterated_hash(hash, nsec3.hash,
+						   nsec3.iterations, nsec3.salt,
+						   nsec3.salt_length,
+						   name->ndata, name->length);
+			if (length != isc_buffer_usedlength(&buffer))
+				continue;
+			order = memcmp(hash, owner, length);
+			if (order == 0) {
+				found = dns_nsec3_typepresent(&rdata,
+							      dns_rdatatype_ns);
+				dns_rdataset_disassociate(&set);
+				return (found);
+			}
+			if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
+				continue;
+			/*
+			 * Does this optout span cover the name?
+			 */
+			scope = memcmp(owner, nsec3.next, nsec3.next_length);
+			if ((scope < 0 && order > 0 &&
+			     memcmp(hash, nsec3.next, length) < 0) ||
+			    (scope >= 0 && (order > 0 ||
+					memcmp(hash, nsec3.next, length) < 0)))
+			{
+				dns_rdataset_disassociate(&set);
+				return (true);
+			}
+		}
+		dns_rdataset_disassociate(&set);
+	}
+	return (found);
+}
+
+/*%
+ * We have been asked to look for a key.
+ * If found resume the validation process.
+ * If not found fail the validation process.
+ */
+static void
+fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	isc_result_t saved_result;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	isc_event_free(&event);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "keyset with trust %s",
+			      dns_trust_totext(rdataset->trust));
+		/*
+		 * Only extract the dst key if the keyset is secure.
+		 */
+		if (rdataset->trust >= dns_trust_secure) {
+			result = get_dst_key(val, val->siginfo, rdataset);
+			if (result == ISC_R_SUCCESS)
+				val->keyset = &val->frdataset;
+		}
+		result = validate(val, true);
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			val->attributes |= VALATTR_INSECURITY;
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE)
+				result = saved_result;
+		}
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "fetch_callback_validator: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (fetch != NULL)
+		dns_resolver_destroyfetch(&fetch);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * We were asked to look for a DS record as part of following a key chain
+ * upwards.  If found resume the validation process.  If not found fail the
+ * validation process.
+ */
+static void
+dsfetched(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	rdataset = &val->frdataset;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	isc_event_free(&event);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsset with trust %s",
+			       dns_trust_totext(rdataset->trust));
+		val->dsset = &val->frdataset;
+		result = validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else if (eresult == DNS_R_CNAME ||
+		   eresult == DNS_R_NXRRSET ||
+		   eresult == DNS_R_NCACHENXRRSET ||
+		   eresult == DNS_R_SERVFAIL)	/* RFC 1034 parent? */
+	{
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "falling back to insecurity proof (%s)",
+			      dns_result_totext(eresult));
+		val->attributes |= VALATTR_INSECURITY;
+		result = proveunsecure(val, false, false);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsfetched: got %s",
+			      isc_result_totext(eresult));
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (fetch != NULL)
+		dns_resolver_destroyfetch(&fetch);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * We were asked to look for the DS record as part of proving that a
+ * name is unsecure.
+ *
+ * If the DS record doesn't exist and the query name corresponds to
+ * a delegation point we are transitioning from a secure zone to a
+ * unsecure zone.
+ *
+ * If the DS record exists it will be secure.  We can continue looking
+ * for the break point in the chain of trust.
+ */
+static void
+dsfetched2(isc_task_t *task, isc_event_t *event) {
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	dns_name_t *tname;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2: %s",
+		      dns_result_totext(eresult));
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == DNS_R_CNAME ||
+		   eresult == DNS_R_NXRRSET ||
+		   eresult == DNS_R_NCACHENXRRSET)
+	{
+		/*
+		 * There is no DS.  If this is a delegation, we're done.
+		 */
+		tname = dns_fixedname_name(&devent->foundname);
+		if (eresult != DNS_R_CNAME &&
+		    isdelegation(tname, &val->frdataset, eresult)) {
+			if (val->mustbesecure) {
+				validator_log(val, ISC_LOG_WARNING,
+					      "must be secure failure, no DS"
+					      " and this is a delegation");
+				validator_done(val, DNS_R_MUSTBESECURE);
+			} else if (val->view->dlv == NULL || DLVTRIED(val)) {
+				markanswer(val, "dsfetched2");
+				validator_done(val, ISC_R_SUCCESS);
+			} else {
+				result = startfinddlvsep(val, tname);
+				if (result != DNS_R_WAIT)
+					validator_done(val, result);
+			}
+		} else {
+			result = proveunsecure(val, false, true);
+			if (result != DNS_R_WAIT)
+				validator_done(val, result);
+		}
+	} else if (eresult == ISC_R_SUCCESS ||
+		   eresult == DNS_R_NXDOMAIN ||
+		   eresult == DNS_R_NCACHENXDOMAIN)
+	{
+		/*
+		 * There is a DS which may or may not be a zone cut.
+		 * In either case we are still in a secure zone resume
+		 * validation.
+		 */
+		result = proveunsecure(val, (eresult == ISC_R_SUCCESS),
+				       true);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		if (eresult == ISC_R_CANCELED)
+			validator_done(val, eresult);
+		else
+			validator_done(val, DNS_R_NOVALIDDS);
+	}
+	isc_event_free(&event);
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (fetch != NULL)
+		dns_resolver_destroyfetch(&fetch);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Callback from when a DNSKEY RRset has been validated.
+ *
+ * Resumes the stalled validation process.
+ */
+static void
+keyvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+	isc_result_t saved_result;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "keyset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
+		/*
+		 * Only extract the dst key if the keyset is secure.
+		 */
+		if (val->frdataset.trust >= dns_trust_secure)
+			(void) get_dst_key(val, val->siginfo, &val->frdataset);
+		result = validate(val, true);
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			val->attributes |= VALATTR_INSECURITY;
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE)
+				result = saved_result;
+		}
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_expire(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_expire(&val->fsigrdataset);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "keyvalidated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Callback when the DS record has been validated.
+ *
+ * Resumes validation of the zone key or the unsecure zone proof.
+ */
+static void
+dsvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		bool have_dsset;
+		dns_name_t *name;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "%s with trust %s",
+			      val->frdataset.type == dns_rdatatype_ds ?
+			      "dsset" : "ds non-existance",
+			      dns_trust_totext(val->frdataset.trust));
+		have_dsset = (val->frdataset.type == dns_rdatatype_ds);
+		name = dns_fixedname_name(&val->fname);
+		if ((val->attributes & VALATTR_INSECURITY) != 0 &&
+		    val->frdataset.covers == dns_rdatatype_ds &&
+		    NEGATIVE(&val->frdataset) &&
+		    isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
+			if (val->mustbesecure) {
+				validator_log(val, ISC_LOG_WARNING,
+					      "must be secure failure, no DS "
+					      "and this is a delegation");
+				result = DNS_R_MUSTBESECURE;
+			} else if (val->view->dlv == NULL || DLVTRIED(val)) {
+				markanswer(val, "dsvalidated");
+				result = ISC_R_SUCCESS;;
+			} else
+				result = startfinddlvsep(val, name);
+		} else if ((val->attributes & VALATTR_INSECURITY) != 0) {
+			result = proveunsecure(val, have_dsset, true);
+		} else
+			result = validatezonekey(val);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_expire(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_expire(&val->fsigrdataset);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dsvalidated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Callback when the CNAME record has been validated.
+ *
+ * Resumes validation of the unsecure zone proof.
+ */
+static void
+cnamevalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t result;
+	isc_result_t eresult;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+	INSIST((val->attributes & VALATTR_INSECURITY) != 0);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
+		result = proveunsecure(val, false, true);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_expire(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_expire(&val->fsigrdataset);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "cnamevalidated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Callback for when NSEC records have been validated.
+ *
+ * Looks for NOQNAME, NODATA and OPTOUT proofs.
+ *
+ * Resumes nsecvalidate.
+ */
+static void
+authvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	dns_rdataset_t *rdataset;
+	bool want_destroy;
+	isc_result_t result;
+	bool exists, data;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	rdataset = devent->rdataset;
+	val = devent->ev_arg;
+	result = devent->result;
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "authvalidated: got %s",
+			      isc_result_totext(result));
+		if (result == DNS_R_BROKENCHAIN)
+			val->authfail++;
+		if (result == ISC_R_CANCELED)
+			validator_done(val, result);
+		else {
+			result = nsecvalidate(val, true);
+			if (result != DNS_R_WAIT)
+				validator_done(val, result);
+		}
+	} else {
+		dns_name_t **proofs = val->event->proofs;
+		dns_name_t *wild = dns_fixedname_name(&val->wild);
+
+		if (rdataset->trust == dns_trust_secure)
+			val->seensig = true;
+
+		if (rdataset->type == dns_rdatatype_nsec &&
+		    rdataset->trust == dns_trust_secure &&
+		    (NEEDNODATA(val) || NEEDNOQNAME(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOQNAME(val) &&
+		    dns_nsec_noexistnodata(val->event->type, val->event->name,
+					   devent->name, rdataset, &exists,
+					   &data, wild, validator_log, val)
+				      == ISC_R_SUCCESS)
+		{
+			if (exists && !data) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+				if (NEEDNODATA(val))
+					proofs[DNS_VALIDATOR_NODATAPROOF] =
+						devent->name;
+			}
+			if (!exists) {
+				dns_name_t *closest;
+				unsigned int clabels;
+
+				val->attributes |= VALATTR_FOUNDNOQNAME;
+
+				closest = dns_fixedname_name(&val->closest);
+				clabels = dns_name_countlabels(closest);
+				/*
+				 * If we are validating a wildcard response
+				 * clabels will not be zero.  We then need
+				 * to check if the generated wilcard from
+				 * dns_nsec_noexistnodata is consistent with
+				 * the wildcard used to generate the response.
+				 */
+				if (clabels == 0 ||
+				    dns_name_countlabels(wild) == clabels + 1)
+					val->attributes |= VALATTR_FOUNDCLOSEST;
+				/*
+				 * The NSEC noqname proof also contains
+				 * the closest encloser.
+				 */
+				if (NEEDNOQNAME(val))
+					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
+						devent->name;
+			}
+		}
+
+		result = nsecvalidate(val, true);
+		if (result != DNS_R_WAIT)
+			validator_done(val, result);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+
+	/*
+	 * Free stuff from the event.
+	 */
+	isc_event_free(&event);
+}
+
+/*%
+ * Looks for the requested name and type in the view (zones and cache).
+ *
+ * When looking for a DLV record also checks to make sure the NSEC record
+ * returns covers the query name as part of aggressive negative caching.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOTFOUND
+ * \li	DNS_R_NCACHENXDOMAIN
+ * \li	DNS_R_NCACHENXRRSET
+ * \li	DNS_R_NXRRSET
+ * \li	DNS_R_NXDOMAIN
+ * \li	DNS_R_BROKENCHAIN
+ */
+static inline isc_result_t
+view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+	dns_fixedname_t fixedname;
+	dns_name_t *foundname;
+	dns_rdata_nsec_t nsec;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	unsigned int options;
+	isc_time_t now;
+	char buf1[DNS_NAME_FORMATSIZE];
+	char buf2[DNS_NAME_FORMATSIZE];
+	char buf3[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+	if (dns_rdataset_isassociated(&val->frdataset))
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+
+	if (isc_time_now(&now) == ISC_R_SUCCESS &&
+	    dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
+
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+		validator_log(val, ISC_LOG_INFO, "bad cache hit (%s/%s)",
+			      namebuf, typebuf);
+		return (DNS_R_BROKENCHAIN);
+	}
+
+	options = DNS_DBFIND_PENDINGOK;
+	if (type == dns_rdatatype_dlv)
+		options |= DNS_DBFIND_COVERINGNSEC;
+	foundname = dns_fixedname_initname(&fixedname);
+	result = dns_view_find(val->view, name, type, 0, options,
+			       false, NULL, NULL, foundname,
+			       &val->frdataset, &val->fsigrdataset);
+
+	if (result == DNS_R_NXDOMAIN) {
+		if (dns_rdataset_isassociated(&val->frdataset))
+			dns_rdataset_disassociate(&val->frdataset);
+		if (dns_rdataset_isassociated(&val->fsigrdataset))
+			dns_rdataset_disassociate(&val->fsigrdataset);
+	} else if (result == DNS_R_COVERINGNSEC) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
+		/*
+		 * Check if the returned NSEC covers the name.
+		 */
+		INSIST(type == dns_rdatatype_dlv);
+		if (val->frdataset.trust != dns_trust_secure) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "covering nsec: trust %s",
+				      dns_trust_totext(val->frdataset.trust));
+			goto notfound;
+		}
+		result = dns_rdataset_first(&val->frdataset);
+		if (result != ISC_R_SUCCESS)
+			goto notfound;
+		dns_rdataset_current(&val->frdataset, &rdata);
+		if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
+			/* Parent NSEC record. */
+			if (dns_name_issubdomain(name, foundname)) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "covering nsec: for parent");
+				goto notfound;
+			}
+		}
+		result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto notfound;
+		if (dns_name_compare(foundname, &nsec.next) >= 0) {
+			/* End of zone chain. */
+			if (!dns_name_issubdomain(name, &nsec.next)) {
+				/*
+				 * XXXMPA We could look for a parent NSEC
+				 * at nsec.next and if found retest with
+				 * this NSEC.
+				 */
+				dns_rdata_freestruct(&nsec);
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "covering nsec: not in zone");
+				goto notfound;
+			}
+		} else if (dns_name_compare(name, &nsec.next) >= 0) {
+			/*
+			 * XXXMPA We could check if this NSEC is at a zone
+			 * apex and if the qname is not below it and look for
+			 * a parent NSEC with the same name.  This requires
+			 * that we can cache both NSEC records which we
+			 * currently don't support.
+			 */
+			dns_rdata_freestruct(&nsec);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "covering nsec: not in range");
+			goto notfound;
+		}
+		if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
+			dns_name_format(name, buf1, sizeof buf1);
+			dns_name_format(foundname, buf2, sizeof buf2);
+			dns_name_format(&nsec.next, buf3, sizeof buf3);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "covering nsec found: '%s' '%s' '%s'",
+				      buf1, buf2, buf3);
+		}
+		if (dns_rdataset_isassociated(&val->frdataset))
+			dns_rdataset_disassociate(&val->frdataset);
+		if (dns_rdataset_isassociated(&val->fsigrdataset))
+			dns_rdataset_disassociate(&val->fsigrdataset);
+		dns_rdata_freestruct(&nsec);
+		result = DNS_R_NCACHENXDOMAIN;
+	} else if (result != ISC_R_SUCCESS &&
+		   result != DNS_R_NCACHENXDOMAIN &&
+		   result != DNS_R_NCACHENXRRSET &&
+		   result != DNS_R_EMPTYNAME &&
+		   result != DNS_R_NXRRSET &&
+		   result != ISC_R_NOTFOUND) {
+		goto  notfound;
+	}
+	return (result);
+
+ notfound:
+	if (dns_rdataset_isassociated(&val->frdataset))
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	return (ISC_R_NOTFOUND);
+}
+
+/*%
+ * Checks to make sure we are not going to loop.  As we use a SHARED fetch
+ * the validation process will stall if looping was to occur.
+ */
+static inline bool
+check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	dns_validator_t *parent;
+
+	for (parent = val; parent != NULL; parent = parent->parent) {
+		if (parent->event != NULL &&
+		    parent->event->type == type &&
+		    dns_name_equal(parent->event->name, name) &&
+		    /*
+		     * As NSEC3 records are meta data you sometimes
+		     * need to prove a NSEC3 record which says that
+		     * itself doesn't exist.
+		     */
+		    (parent->event->type != dns_rdatatype_nsec3 ||
+		     rdataset == NULL || sigrdataset == NULL ||
+		     parent->event->message == NULL ||
+		     parent->event->rdataset != NULL ||
+		     parent->event->sigrdataset != NULL))
+		{
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "continuing validation would lead to "
+				      "deadlock: aborting validation");
+			return (true);
+		}
+	}
+	return (false);
+}
+
+/*%
+ * Start a fetch for the requested name and type.
+ */
+static inline isc_result_t
+create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	     isc_taskaction_t callback, const char *caller)
+{
+	unsigned int fopts = 0;
+
+	if (dns_rdataset_isassociated(&val->frdataset))
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+
+	if (check_deadlock(val, name, type, NULL, NULL)) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "deadlock found (create_fetch)");
+		return (DNS_R_NOVALIDSIG);
+	}
+
+	if ((val->options & DNS_VALIDATOR_NOCDFLAG) != 0)
+		fopts |= DNS_FETCHOPT_NOCDFLAG;
+
+	if ((val->options & DNS_VALIDATOR_NONTA) != 0)
+		fopts |= DNS_FETCHOPT_NONTA;
+
+	validator_logcreate(val, name, type, caller, "fetch");
+	return (dns_resolver_createfetch(val->view->resolver, name, type,
+					 NULL, NULL, NULL, fopts,
+					 val->event->ev_sender,
+					 callback, val,
+					 &val->frdataset,
+					 &val->fsigrdataset,
+					 &val->fetch));
+}
+
+/*%
+ * Start a subvalidation process.
+ */
+static inline isc_result_t
+create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+		 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		 isc_taskaction_t action, const char *caller)
+{
+	isc_result_t result;
+	unsigned int vopts = 0;
+
+	if (check_deadlock(val, name, type, rdataset, sigrdataset)) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "deadlock found (create_validator)");
+		return (DNS_R_NOVALIDSIG);
+	}
+
+	/* OK to clear other options, but preserve NOCDFLAG and NONTA. */
+	vopts |= (val->options & (DNS_VALIDATOR_NOCDFLAG|DNS_VALIDATOR_NONTA));
+
+	validator_logcreate(val, name, type, caller, "validator");
+	result = dns_validator_create(val->view, name, type,
+				      rdataset, sigrdataset, NULL, vopts,
+				      val->task, action, val,
+				      &val->subvalidator);
+	if (result == ISC_R_SUCCESS) {
+		val->subvalidator->parent = val;
+		val->subvalidator->depth = val->depth + 1;
+	}
+	return (result);
+}
+
+/*%
+ * Try to find a key that could have signed 'siginfo' among those
+ * in 'rdataset'.  If found, build a dst_key_t for it and point
+ * val->key at it.
+ *
+ * If val->key is non-NULL, this returns the next matching key.
+ */
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
+	    dns_rdataset_t *rdataset)
+{
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dst_key_t *oldkey = val->key;
+	bool foundold;
+
+	if (oldkey == NULL)
+		foundold = true;
+	else {
+		foundold = false;
+		val->key = NULL;
+	}
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	do {
+		dns_rdataset_current(rdataset, &rdata);
+
+		isc_buffer_init(&b, rdata.data, rdata.length);
+		isc_buffer_add(&b, rdata.length);
+		INSIST(val->key == NULL);
+		result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
+					 val->view->mctx, &val->key);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+		if (siginfo->algorithm ==
+		    (dns_secalg_t)dst_key_alg(val->key) &&
+		    siginfo->keyid ==
+		    (dns_keytag_t)dst_key_id(val->key) &&
+		    dst_key_iszonekey(val->key))
+		{
+			if (foundold)
+				/*
+				 * This is the key we're looking for.
+				 */
+				return (ISC_R_SUCCESS);
+			else if (dst_key_compare(oldkey, val->key) == true)
+			{
+				foundold = true;
+				dst_key_free(&oldkey);
+			}
+		}
+		dst_key_free(&val->key);
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(rdataset);
+	} while (result == ISC_R_SUCCESS);
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_NOTFOUND;
+
+ failure:
+	if (oldkey != NULL)
+		dst_key_free(&oldkey);
+
+	return (result);
+}
+
+/*%
+ * Get the key that generated this signature.
+ */
+static isc_result_t
+get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
+	isc_result_t result;
+	unsigned int nlabels;
+	int order;
+	dns_namereln_t namereln;
+
+	/*
+	 * Is the signer name appropriate for this signature?
+	 *
+	 * The signer name must be at the same level as the owner name
+	 * or closer to the DNS root.
+	 */
+	namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
+					&order, &nlabels);
+	if (namereln != dns_namereln_subdomain &&
+	    namereln != dns_namereln_equal)
+		return (DNS_R_CONTINUE);
+
+	if (namereln == dns_namereln_equal) {
+		/*
+		 * If this is a self-signed keyset, it must not be a zone key
+		 * (since get_key is not called from validatezonekey).
+		 */
+		if (val->event->rdataset->type == dns_rdatatype_dnskey)
+			return (DNS_R_CONTINUE);
+
+		/*
+		 * Records appearing in the parent zone at delegation
+		 * points cannot be self-signed.
+		 */
+		if (dns_rdatatype_atparent(val->event->rdataset->type))
+			return (DNS_R_CONTINUE);
+	} else {
+		/*
+		 * SOA and NS RRsets can only be signed by a key with
+		 * the same name.
+		 */
+		if (val->event->rdataset->type == dns_rdatatype_soa ||
+		    val->event->rdataset->type == dns_rdatatype_ns) {
+			const char *typename;
+
+			if (val->event->rdataset->type == dns_rdatatype_soa)
+				typename = "SOA";
+			else
+				typename = "NS";
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "%s signer mismatch", typename);
+			return (DNS_R_CONTINUE);
+		}
+	}
+
+	/*
+	 * Do we know about this key?
+	 */
+	result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * We have an rrset for the given keyname.
+		 */
+		val->keyset = &val->frdataset;
+		if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
+		     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
+		    dns_rdataset_isassociated(&val->fsigrdataset))
+		{
+			/*
+			 * We know the key but haven't validated it yet or
+			 * we have a key of trust answer but a DS/DLV
+			 * record for the zone may have been added.
+			 */
+			result = create_validator(val, &siginfo->signer,
+						  dns_rdatatype_dnskey,
+						  &val->frdataset,
+						  &val->fsigrdataset,
+						  keyvalidated,
+						  "get_key");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
+			/*
+			 * Having a pending key with no signature means that
+			 * something is broken.
+			 */
+			result = DNS_R_CONTINUE;
+		} else if (val->frdataset.trust < dns_trust_secure) {
+			/*
+			 * The key is legitimately insecure.  There's no
+			 * point in even attempting verification.
+			 */
+			val->key = NULL;
+			result = ISC_R_SUCCESS;
+		} else {
+			/*
+			 * See if we've got the key used in the signature.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "keyset with trust %s",
+				      dns_trust_totext(val->frdataset.trust));
+			result = get_dst_key(val, siginfo, val->keyset);
+			if (result != ISC_R_SUCCESS) {
+				/*
+				 * Either the key we're looking for is not
+				 * in the rrset, or something bad happened.
+				 * Give up.
+				 */
+				result = DNS_R_CONTINUE;
+			}
+		}
+	} else if (result == ISC_R_NOTFOUND) {
+		/*
+		 * We don't know anything about this key.
+		 */
+		result = create_fetch(val, &siginfo->signer,
+				      dns_rdatatype_dnskey,
+				      fetch_callback_validator, "get_key");
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		return (DNS_R_WAIT);
+	} else if (result ==  DNS_R_NCACHENXDOMAIN ||
+		   result == DNS_R_NCACHENXRRSET ||
+		   result == DNS_R_EMPTYNAME ||
+		   result == DNS_R_NXDOMAIN ||
+		   result == DNS_R_NXRRSET)
+	{
+		/*
+		 * This key doesn't exist.
+		 */
+		result = DNS_R_CONTINUE;
+	} else if (result == DNS_R_BROKENCHAIN)
+		return (result);
+
+	if (dns_rdataset_isassociated(&val->frdataset) &&
+	    val->keyset != &val->frdataset)
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+
+	return (result);
+}
+
+static dns_keytag_t
+compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+	isc_region_t r;
+
+	dns_rdata_toregion(rdata, &r);
+	return (dst_region_computeid(&r, key->algorithm));
+}
+
+/*%
+ * Is this keyset self-signed?
+ */
+static bool
+isselfsigned(dns_validator_t *val) {
+	dns_rdataset_t *rdataset, *sigrdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t key;
+	dns_rdata_rrsig_t sig;
+	dns_keytag_t keytag;
+	dns_name_t *name;
+	isc_result_t result;
+	dst_key_t *dstkey;
+	isc_mem_t *mctx;
+	bool answer = false;
+
+	rdataset = val->event->rdataset;
+	sigrdataset = val->event->sigrdataset;
+	name = val->event->name;
+	mctx = val->view->mctx;
+
+	if (rdataset->type == dns_rdatatype_cname ||
+	    rdataset->type == dns_rdatatype_dname)
+		return (answer);
+
+	INSIST(rdataset->type == dns_rdatatype_dnskey);
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &key, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		keytag = compute_keytag(&rdata, &key);
+		for (result = dns_rdataset_first(sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(sigrdataset))
+		{
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(sigrdataset, &sigrdata);
+			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (sig.algorithm != key.algorithm ||
+			    sig.keyid != keytag ||
+			    !dns_name_equal(name, &sig.signer))
+				continue;
+
+			dstkey = NULL;
+			result = dns_dnssec_keyfromrdata(name, &rdata, mctx,
+							 &dstkey);
+			if (result != ISC_R_SUCCESS)
+				continue;
+
+			result = dns_dnssec_verify3(name, rdataset, dstkey,
+						    true,
+						    val->view->maxbits,
+						    mctx, &sigrdata, NULL);
+			dst_key_free(&dstkey);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
+				answer = true;
+				continue;
+			}
+			dns_view_untrust(val->view, name, &key, mctx);
+		}
+	}
+	return (answer);
+}
+
+/*%
+ * Attempt to verify the rdataset using the given key and rdata (RRSIG).
+ * The signature was good and from a wildcard record and the QNAME does
+ * not match the wildcard we need to look for a NOQNAME proof.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS if the verification succeeds.
+ * \li	Others if the verification fails.
+ */
+static isc_result_t
+verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata,
+       uint16_t keyid)
+{
+	isc_result_t result;
+	dns_fixedname_t fixed;
+	bool ignore = false;
+	dns_name_t *wild;
+
+	val->attributes |= VALATTR_TRIEDVERIFY;
+	wild = dns_fixedname_initname(&fixed);
+ again:
+	result = dns_dnssec_verify3(val->event->name, val->event->rdataset,
+				    key, ignore, val->view->maxbits,
+				    val->view->mctx, rdata, wild);
+	if ((result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE) &&
+	    val->view->acceptexpired)
+	{
+		ignore = true;
+		goto again;
+	}
+	if (ignore && (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD))
+		validator_log(val, ISC_LOG_INFO,
+			      "accepted expired %sRRSIG (keyid=%u)",
+			      (result == DNS_R_FROMWILDCARD) ?
+			      "wildcard " : "", keyid);
+	else if (result == DNS_R_SIGEXPIRED || result == DNS_R_SIGFUTURE)
+		validator_log(val, ISC_LOG_INFO,
+			      "verify failed due to bad signature (keyid=%u): "
+			      "%s", keyid, isc_result_totext(result));
+	else
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "verify rdataset (keyid=%u): %s",
+			      keyid, isc_result_totext(result));
+	if (result == DNS_R_FROMWILDCARD) {
+		if (!dns_name_equal(val->event->name, wild)) {
+			dns_name_t *closest;
+			unsigned int labels;
+
+			/*
+			 * Compute the closest encloser in case we need it
+			 * for the NSEC3 NOQNAME proof.
+			 */
+			closest = dns_fixedname_name(&val->closest);
+			dns_name_copy(wild, closest, NULL);
+			labels = dns_name_countlabels(closest) - 1;
+			dns_name_getlabelsequence(closest, 1, labels, closest);
+			val->attributes |= VALATTR_NEEDNOQNAME;
+		}
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+/*%
+ * Attempts positive response validation of a normal RRset.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ * \li	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validate(dns_validator_t *val, bool resume) {
+	isc_result_t result, vresult = DNS_R_NOVALIDSIG;
+	dns_validatorevent_t *event;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Caller must be holding the validator lock.
+	 */
+
+	event = val->event;
+
+	if (resume) {
+		/*
+		 * We already have a sigrdataset.
+		 */
+		result = ISC_R_SUCCESS;
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
+	} else {
+		result = dns_rdataset_first(event->sigrdataset);
+	}
+
+	for (;
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(event->sigrdataset))
+	{
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(event->sigrdataset, &rdata);
+		if (val->siginfo == NULL) {
+			val->siginfo = isc_mem_get(val->view->mctx,
+						   sizeof(*val->siginfo));
+			if (val->siginfo == NULL)
+				return (ISC_R_NOMEMORY);
+		}
+		result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * At this point we could check that the signature algorithm
+		 * was known and "sufficiently good".
+		 */
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						    event->name,
+						    val->siginfo->algorithm)) {
+			resume = false;
+			continue;
+		}
+
+		if (!resume) {
+			result = get_key(val, val->siginfo);
+			if (result == DNS_R_CONTINUE)
+				continue; /* Try the next SIG RR. */
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+
+		/*
+		 * There isn't a secure DNSKEY for this signature so move
+		 * onto the next RRSIG.
+		 */
+		if (val->key == NULL) {
+			resume = false;
+			continue;
+		}
+
+		do {
+			vresult = verify(val, val->key, &rdata,
+					val->siginfo->keyid);
+			if (vresult == ISC_R_SUCCESS)
+				break;
+			if (val->keynode != NULL) {
+				dns_keynode_t *nextnode = NULL;
+				result = dns_keytable_findnextkeynode(
+							val->keytable,
+							val->keynode,
+							&nextnode);
+				dns_keytable_detachkeynode(val->keytable,
+							   &val->keynode);
+				val->keynode = nextnode;
+				if (result != ISC_R_SUCCESS) {
+					val->key = NULL;
+					break;
+				}
+				val->key = dns_keynode_key(val->keynode);
+				if (val->key == NULL)
+					break;
+			} else {
+				if (get_dst_key(val, val->siginfo, val->keyset)
+				    != ISC_R_SUCCESS)
+					break;
+			}
+		} while (1);
+		if (vresult != ISC_R_SUCCESS)
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "failed to verify rdataset");
+		else {
+			dns_rdataset_trimttl(event->rdataset,
+					     event->sigrdataset,
+					     val->siginfo, val->start,
+					     val->view->acceptexpired);
+		}
+
+		if (val->keynode != NULL)
+			dns_keytable_detachkeynode(val->keytable,
+						   &val->keynode);
+		else {
+			if (val->key != NULL)
+				dst_key_free(&val->key);
+			if (val->keyset != NULL) {
+				dns_rdataset_disassociate(val->keyset);
+				val->keyset = NULL;
+			}
+		}
+		val->key = NULL;
+		if (NEEDNOQNAME(val)) {
+			if (val->event->message == NULL) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+				      "no message available for noqname proof");
+				return (DNS_R_NOVALIDSIG);
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "looking for noqname proof");
+			return (nsecvalidate(val, false));
+		} else if (vresult == ISC_R_SUCCESS) {
+			marksecure(event);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure, "
+				      "noqname proof not needed");
+			return (ISC_R_SUCCESS);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "verify failure: %s",
+				      isc_result_totext(result));
+			resume = false;
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "failed to iterate signatures: %s",
+			      isc_result_totext(result));
+		return (result);
+	}
+
+	validator_log(val, ISC_LOG_INFO, "no valid signature found");
+	return (vresult);
+}
+
+/*%
+ * Check whether this DNSKEY (keyrdata) signed the DNSKEY RRset
+ * (val->event->rdataset).
+ */
+static isc_result_t
+checkkey(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
+	 dns_secalg_t algorithm)
+{
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(val->event->sigrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->event->sigrdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(val->event->sigrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (keyid != sig.keyid || algorithm != sig.algorithm)
+			continue;
+		if (dstkey == NULL) {
+			result = dns_dnssec_keyfromrdata(val->event->name,
+							 keyrdata,
+							 val->view->mctx,
+							 &dstkey);
+			if (result != ISC_R_SUCCESS)
+				/*
+				 * This really shouldn't happen, but...
+				 */
+				continue;
+		}
+		result = verify(val, dstkey, &rdata, sig.keyid);
+		if (result == ISC_R_SUCCESS)
+			break;
+	}
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	return (result);
+}
+
+/*%
+ * Find the DNSKEY that corresponds to the DS.
+ */
+static isc_result_t
+keyfromds(dns_validator_t *val, dns_rdataset_t *rdataset, dns_rdata_t *dsrdata,
+	  uint8_t digest, uint16_t keyid, dns_secalg_t algorithm,
+	  dns_rdata_t *keyrdata)
+{
+	dns_keytag_t keytag;
+	dns_rdata_dnskey_t key;
+	isc_result_t result;
+	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+
+		dns_rdata_reset(keyrdata);
+		dns_rdataset_current(rdataset, keyrdata);
+		result = dns_rdata_tostruct(keyrdata, &key, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		keytag = compute_keytag(keyrdata, &key);
+		if (keyid != keytag || algorithm != key.algorithm)
+			continue;
+		dns_rdata_reset(&newdsrdata);
+		result = dns_ds_buildrdata(val->event->name, keyrdata, digest,
+					   dsbuf, &newdsrdata);
+		if (result != ISC_R_SUCCESS) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "dns_ds_buildrdata() -> %s",
+				      dns_result_totext(result));
+			continue;
+		}
+		if (dns_rdata_compare(dsrdata, &newdsrdata) == 0)
+			break;
+	}
+	return (result);
+}
+
+/*%
+ * Validate the DNSKEY RRset by looking for a DNSKEY that matches a
+ * DLV record and that also verifies the DNSKEY RRset.
+ */
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val) {
+	dns_rdata_dlv_t dlv;
+	dns_rdata_t dlvrdata = DNS_RDATA_INIT;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdataset_t trdataset;
+	bool supported_algorithm;
+	isc_result_t result;
+	char digest_types[256];
+
+	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
+
+	/*
+	 * Look through the DLV record and find the keys that can sign the
+	 * key set and the matching signature.  For each such key, attempt
+	 * verification.
+	 */
+	supported_algorithm = false;
+
+	/*
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
+	 */
+	memset(digest_types, 1, sizeof(digest_types));
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv)) {
+		dns_rdata_reset(&dlvrdata);
+		dns_rdataset_current(&val->dlv, &dlvrdata);
+		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.digest_type))
+			continue;
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+		     dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+		     dlv.length == ISC_SHA384_DIGESTLENGTH))
+		{
+			digest_types[DNS_DSDIGEST_SHA1] = 0;
+			break;
+		}
+	}
+
+	for (result = dns_rdataset_first(&val->dlv);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&val->dlv))
+	{
+		dns_rdata_reset(&dlvrdata);
+		dns_rdataset_current(&val->dlv, &dlvrdata);
+		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (digest_types[dlv.digest_type] == 0)
+			continue;
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.digest_type))
+			continue;
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.algorithm))
+			continue;
+
+		supported_algorithm = true;
+
+		dns_rdataset_init(&trdataset);
+		dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+		/*
+		 * Convert to DLV to DS and find matching DNSKEY.
+		 */
+		dlvrdata.type = dns_rdatatype_ds;
+		result = keyfromds(val, &trdataset, &dlvrdata,
+				   dlv.digest_type, dlv.key_tag,
+				   dlv.algorithm, &keyrdata);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&trdataset);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no DNSKEY matching DLV");
+			continue;
+		}
+
+		validator_log(val, ISC_LOG_DEBUG(3),
+		      "Found matching DLV record: checking for signature");
+		/*
+		 * Check that this DNSKEY signed the DNSKEY rrset.
+		 */
+		result = checkkey(val, &keyrdata, dlv.key_tag, dlv.algorithm);
+
+		dns_rdataset_disassociate(&trdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no RRSIG matching DLV key");
+	}
+	if (result == ISC_R_SUCCESS) {
+		marksecure(val->event);
+		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (dlv)");
+		return (result);
+	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
+		if (val->mustbesecure) {
+			validator_log(val, ISC_LOG_WARNING,
+				      "must be secure failure,"
+				      "no supported algorithm/digest (dlv)");
+			return (DNS_R_MUSTBESECURE);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no supported algorithm/digest (dlv)");
+		markanswer(val, "dlv_validatezonekey (2)");
+		return (ISC_R_SUCCESS);
+	} else
+		return (DNS_R_NOVALIDSIG);
+}
+
+/*%
+ * Attempts positive response validation of an RRset containing zone keys
+ * (i.e. a DNSKEY rrset).
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ * \li	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validatezonekey(dns_validator_t *val) {
+	isc_result_t result;
+	dns_validatorevent_t *event;
+	dns_rdataset_t trdataset;
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdata_ds_t ds;
+	dns_rdata_rrsig_t sig;
+	dst_key_t *dstkey;
+	bool supported_algorithm;
+	bool atsep = false;
+	char digest_types[256];
+
+	/*
+	 * Caller must be holding the validator lock.
+	 */
+
+	event = val->event;
+
+	if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
+	    dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
+		return (dlv_validatezonekey(val));
+
+	if (val->dsset == NULL) {
+
+		/*
+		 * We have a dlv sep.  Skip looking up the SEP from
+		 * {trusted,managed}-keys.  If the dlv sep is for the
+		 * root then it will have been handled above so we don't
+		 * need to check whether val->event->name is "." prior to
+		 * looking up the DS.
+		 */
+		if (val->havedlvsep)
+			goto find_ds;
+
+		/*
+		 * First, see if this key was signed by a trusted key.
+		 */
+		for (result = dns_rdataset_first(val->event->sigrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(val->event->sigrdataset))
+		{
+			dns_keynode_t *keynode = NULL;
+			dns_fixedname_t fixed;
+			dns_name_t *found;
+
+			found = dns_fixedname_initname(&fixed);
+			dns_rdata_reset(&sigrdata);
+			dns_rdataset_current(val->event->sigrdataset,
+					     &sigrdata);
+			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (!dns_name_equal(val->event->name, &sig.signer))
+				continue;
+
+			result = dns_keytable_findkeynode(val->keytable,
+							  val->event->name,
+							  sig.algorithm,
+							  sig.keyid, &keynode);
+			if (result == ISC_R_NOTFOUND &&
+			    dns_keytable_finddeepestmatch(val->keytable,
+				  val->event->name, found) != ISC_R_SUCCESS) {
+				if (val->mustbesecure) {
+					validator_log(val, ISC_LOG_WARNING,
+						     "must be secure failure, "
+						     "not beneath secure root");
+					return (DNS_R_MUSTBESECURE);
+				} else
+					validator_log(val, ISC_LOG_DEBUG(3),
+						     "not beneath secure root");
+				if (val->view->dlv == NULL) {
+					markanswer(val, "validatezonekey (1)");
+					return (ISC_R_SUCCESS);
+				}
+				return (startfinddlvsep(val, dns_rootname));
+			}
+			if (result == DNS_R_PARTIALMATCH ||
+			    result == ISC_R_SUCCESS)
+				atsep = true;
+			while (result == ISC_R_SUCCESS) {
+				dns_keynode_t *nextnode = NULL;
+				dstkey = dns_keynode_key(keynode);
+				if (dstkey == NULL) {
+					dns_keytable_detachkeynode(
+								val->keytable,
+								&keynode);
+					break;
+				}
+				result = verify(val, dstkey, &sigrdata,
+						sig.keyid);
+				if (result == ISC_R_SUCCESS) {
+					dns_keytable_detachkeynode(
+								val->keytable,
+								&keynode);
+					break;
+				}
+				result = dns_keytable_findnextkeynode(
+								val->keytable,
+								keynode,
+								&nextnode);
+				dns_keytable_detachkeynode(val->keytable,
+							   &keynode);
+				keynode = nextnode;
+			}
+			if (result == ISC_R_SUCCESS) {
+				marksecure(event);
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "signed by trusted key; "
+					      "marking as secure");
+				return (result);
+			}
+		}
+
+		if (atsep) {
+			/*
+			 * We have not found a key to verify this DNSKEY
+			 * RRset.  As this is a SEP we have to assume that
+			 * the RRset is invalid.
+			 */
+			dns_name_format(val->event->name, namebuf,
+					sizeof(namebuf));
+			validator_log(val, ISC_LOG_NOTICE,
+				      "unable to find a DNSKEY which verifies "
+				      "the DNSKEY RRset and also matches a "
+				      "trusted key for '%s'",
+				      namebuf);
+			return (DNS_R_NOVALIDKEY);
+		}
+
+		/*
+		 * If this is the root name and there was no trusted key,
+		 * give up, since there's no DS at the root.
+		 */
+		if (dns_name_equal(event->name, dns_rootname)) {
+			if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "root key failed to validate");
+				return (DNS_R_NOVALIDSIG);
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "no trusted root key");
+				return (DNS_R_NOVALIDDS);
+			}
+		}
+ find_ds:
+		/*
+		 * Otherwise, try to find the DS record.
+		 */
+		result = view_find(val, val->event->name, dns_rdatatype_ds);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * We have DS records.
+			 */
+			val->dsset = &val->frdataset;
+			if ((DNS_TRUST_PENDING(val->frdataset.trust) ||
+			     DNS_TRUST_ANSWER(val->frdataset.trust)) &&
+			    dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				result = create_validator(val,
+							  val->event->name,
+							  dns_rdatatype_ds,
+							  &val->frdataset,
+							  &val->fsigrdataset,
+							  dsvalidated,
+							  "validatezonekey");
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				return (DNS_R_WAIT);
+			} else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
+				/*
+				 * There should never be an unsigned DS.
+				 */
+				dns_rdataset_disassociate(&val->frdataset);
+				validator_log(val, ISC_LOG_DEBUG(2),
+					      "unsigned DS record");
+				return (DNS_R_NOVALIDSIG);
+			} else {
+				result = ISC_R_SUCCESS;
+				POST(result);
+			}
+		} else if (result == ISC_R_NOTFOUND) {
+			/*
+			 * We don't have the DS.  Find it.
+			 */
+			result = create_fetch(val, val->event->name,
+					      dns_rdatatype_ds, dsfetched,
+					      "validatezonekey");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		} else if (result == DNS_R_NCACHENXDOMAIN ||
+			   result == DNS_R_NCACHENXRRSET ||
+			   result == DNS_R_EMPTYNAME ||
+			   result == DNS_R_NXDOMAIN ||
+			   result == DNS_R_NXRRSET ||
+			   result == DNS_R_CNAME)
+		{
+			/*
+			 * The DS does not exist.
+			 */
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_disassociate(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_disassociate(&val->fsigrdataset);
+			validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
+			return (DNS_R_NOVALIDSIG);
+		} else if (result == DNS_R_BROKENCHAIN)
+			return (result);
+	}
+
+	/*
+	 * We have a DS set.
+	 */
+	INSIST(val->dsset != NULL);
+
+	if (val->dsset->trust < dns_trust_secure) {
+		if (val->mustbesecure) {
+			validator_log(val, ISC_LOG_WARNING,
+				      "must be secure failure,"
+				      " insecure DS");
+			return (DNS_R_MUSTBESECURE);
+		}
+		if (val->view->dlv == NULL || DLVTRIED(val)) {
+			markanswer(val, "validatezonekey (2)");
+			return (ISC_R_SUCCESS);
+		}
+		return (startfinddlvsep(val, val->event->name));
+	}
+
+	/*
+	 * Look through the DS record and find the keys that can sign the
+	 * key set and the matching signature.  For each such key, attempt
+	 * verification.
+	 */
+
+	supported_algorithm = false;
+
+	/*
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
+	 */
+	memset(digest_types, 1, sizeof(digest_types));
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset)) {
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+			continue;
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+			continue;
+
+		if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+		     ds.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+		     ds.length == ISC_SHA384_DIGESTLENGTH))
+		{
+			digest_types[DNS_DSDIGEST_SHA1] = 0;
+			break;
+		}
+	}
+
+	for (result = dns_rdataset_first(val->dsset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->dsset))
+	{
+		dns_rdata_reset(&dsrdata);
+		dns_rdataset_current(val->dsset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (digest_types[ds.digest_type] == 0)
+			continue;
+
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+			continue;
+
+		if (!dns_resolver_algorithm_supported(val->view->resolver,
+						      val->event->name,
+						      ds.algorithm))
+			continue;
+
+		supported_algorithm = true;
+
+		dns_rdataset_init(&trdataset);
+		dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+		/*
+		 * Find matching DNSKEY from DS.
+		 */
+		result = keyfromds(val, &trdataset, &dsrdata, ds.digest_type,
+				   ds.key_tag, ds.algorithm, &keyrdata);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&trdataset);
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no DNSKEY matching DS");
+			continue;
+		}
+
+		/*
+		 * Check that this DNSKEY signed the DNSKEY rrset.
+		 */
+		result = checkkey(val, &keyrdata, ds.key_tag, ds.algorithm);
+
+		dns_rdataset_disassociate(&trdataset);
+		if (result == ISC_R_SUCCESS)
+			break;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no RRSIG matching DS key");
+	}
+	if (result == ISC_R_SUCCESS) {
+		marksecure(event);
+		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
+		return (result);
+	} else if (result == ISC_R_NOMORE && !supported_algorithm) {
+		if (val->mustbesecure) {
+			validator_log(val, ISC_LOG_WARNING,
+				      "must be secure failure, "
+				      "no supported algorithm/digest (DS)");
+			return (DNS_R_MUSTBESECURE);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "no supported algorithm/digest (DS)");
+		markanswer(val, "validatezonekey (3)");
+		return (ISC_R_SUCCESS);
+	} else {
+		validator_log(val, ISC_LOG_INFO,
+			      "no valid signature found (DS)");
+		return (DNS_R_NOVALIDSIG);
+	}
+}
+
+/*%
+ * Starts a positive response validation.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS	Validation completed successfully
+ * \li	DNS_R_WAIT	Validation has started but is waiting
+ *			for an event.
+ * \li	Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+start_positive_validation(dns_validator_t *val) {
+	/*
+	 * If this is not a key, go straight into validate().
+	 */
+	if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
+		return (validate(val, false));
+
+	return (validatezonekey(val));
+}
+
+/*%
+ * val_rdataset_first and val_rdataset_next provide iteration methods
+ * that hide whether we are iterating across a message or a  negative
+ * cache rdataset.
+ */
+static isc_result_t
+val_rdataset_first(dns_validator_t *val, dns_name_t **namep,
+		   dns_rdataset_t **rdatasetp)
+{
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	REQUIRE(rdatasetp != NULL);
+	REQUIRE(namep != NULL);
+	if (message == NULL) {
+		REQUIRE(*rdatasetp != NULL);
+		REQUIRE(*namep != NULL);
+	} else {
+		REQUIRE(*rdatasetp == NULL);
+		REQUIRE(*namep == NULL);
+	}
+
+	if (message != NULL) {
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, namep);
+		*rdatasetp = ISC_LIST_HEAD((*namep)->list);
+		INSIST(*rdatasetp != NULL);
+	} else {
+		result = dns_rdataset_first(val->event->rdataset);
+		if (result == ISC_R_SUCCESS)
+			dns_ncache_current(val->event->rdataset, *namep,
+					   *rdatasetp);
+	}
+	return (result);
+}
+
+static isc_result_t
+val_rdataset_next(dns_validator_t *val, dns_name_t **namep,
+		  dns_rdataset_t **rdatasetp)
+{
+	dns_message_t *message = val->event->message;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rdatasetp != NULL && *rdatasetp != NULL);
+	REQUIRE(namep != NULL && *namep != NULL);
+
+	if (message != NULL) {
+		dns_rdataset_t *rdataset = *rdatasetp;
+		rdataset = ISC_LIST_NEXT(rdataset, link);
+		if (rdataset == NULL) {
+			*namep = NULL;
+			result = dns_message_nextname(message,
+						      DNS_SECTION_AUTHORITY);
+			if (result == ISC_R_SUCCESS) {
+				dns_message_currentname(message,
+							DNS_SECTION_AUTHORITY,
+							namep);
+				rdataset = ISC_LIST_HEAD((*namep)->list);
+				INSIST(rdataset != NULL);
+			}
+		}
+		*rdatasetp = rdataset;
+	} else {
+		dns_rdataset_disassociate(*rdatasetp);
+		result = dns_rdataset_next(val->event->rdataset);
+		if (result == ISC_R_SUCCESS)
+			dns_ncache_current(val->event->rdataset, *namep,
+					   *rdatasetp);
+	}
+	return (result);
+}
+
+/*%
+ * Look for NODATA at the wildcard and NOWILDCARD proofs in the
+ * previously validated NSEC records.  As these proofs are mutually
+ * exclusive we stop when one is found.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS
+ */
+static isc_result_t
+checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
+{
+	dns_name_t *name, *wild, tname;
+	isc_result_t result;
+	bool exists, data;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_rdataset_t *rdataset, trdataset;
+
+	dns_name_init(&tname, NULL);
+	dns_rdataset_init(&trdataset);
+	wild = dns_fixedname_name(&val->wild);
+
+	if (dns_name_countlabels(wild) == 0) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "in checkwildcard: no wildcard to check");
+		return (ISC_R_SUCCESS);
+	}
+
+	dns_name_format(wild, namebuf, sizeof(namebuf));
+	validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
+
+	if (val->event->message == NULL) {
+		name = &tname;
+		rdataset = &trdataset;
+	} else {
+		name = NULL;
+		rdataset = NULL;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != type ||
+		    rdataset->trust != dns_trust_secure)
+			continue;
+
+		if (rdataset->type == dns_rdatatype_nsec &&
+		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
+		    dns_nsec_noexistnodata(val->event->type, wild, name,
+					   rdataset, &exists, &data, NULL,
+					   validator_log, val)
+				       == ISC_R_SUCCESS)
+		{
+			dns_name_t **proofs = val->event->proofs;
+			if (exists && !data)
+				val->attributes |= VALATTR_FOUNDNODATA;
+			if (exists && !data && NEEDNODATA(val))
+				proofs[DNS_VALIDATOR_NODATAPROOF] =
+						 name;
+			if (!exists)
+				val->attributes |=
+					 VALATTR_FOUNDNOWILDCARD;
+			if (!exists && NEEDNOQNAME(val))
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
+						 name;
+			if (dns_rdataset_isassociated(&trdataset))
+				dns_rdataset_disassociate(&trdataset);
+			return (ISC_R_SUCCESS);
+		}
+
+		if (rdataset->type == dns_rdatatype_nsec3 &&
+		    (NEEDNODATA(val) || NEEDNOWILDCARD(val)) &&
+		    !FOUNDNODATA(val) && !FOUNDNOWILDCARD(val) &&
+		    dns_nsec3_noexistnodata(val->event->type, wild, name,
+					    rdataset, zonename, &exists, &data,
+					    NULL, NULL, NULL, NULL, NULL, NULL,
+					    validator_log, val)
+					    == ISC_R_SUCCESS)
+		{
+			dns_name_t **proofs = val->event->proofs;
+			if (exists && !data)
+				val->attributes |= VALATTR_FOUNDNODATA;
+			if (exists && !data && NEEDNODATA(val))
+				proofs[DNS_VALIDATOR_NODATAPROOF] =
+						 name;
+			if (!exists)
+				val->attributes |=
+					 VALATTR_FOUNDNOWILDCARD;
+			if (!exists && NEEDNOQNAME(val))
+				proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
+						 name;
+			if (dns_rdataset_isassociated(&trdataset))
+				dns_rdataset_disassociate(&trdataset);
+			return (ISC_R_SUCCESS);
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (dns_rdataset_isassociated(&trdataset))
+		dns_rdataset_disassociate(&trdataset);
+	return (result);
+}
+
+static isc_result_t
+findnsec3proofs(dns_validator_t *val) {
+	dns_name_t *name, tname;
+	isc_result_t result;
+	bool exists, data, optout, unknown;
+	bool setclosest, setnearest, *setclosestp;
+	dns_fixedname_t fclosest, fnearest, fzonename;
+	dns_name_t *closest, *nearest, *zonename, *closestp;
+	dns_name_t **proofs = val->event->proofs;
+	dns_rdataset_t *rdataset, trdataset;
+
+	dns_name_init(&tname, NULL);
+	dns_rdataset_init(&trdataset);
+	closest = dns_fixedname_initname(&fclosest);
+	nearest = dns_fixedname_initname(&fnearest);
+	zonename = dns_fixedname_initname(&fzonename);
+
+	if (val->event->message == NULL) {
+		name = &tname;
+		rdataset = &trdataset;
+	} else {
+		name = NULL;
+		rdataset = NULL;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != dns_rdatatype_nsec3 ||
+		    rdataset->trust != dns_trust_secure)
+			continue;
+
+		result = dns_nsec3_noexistnodata(val->event->type,
+						 val->event->name, name,
+						 rdataset, zonename, NULL,
+						 NULL, NULL, NULL, NULL, NULL,
+						 NULL, NULL, validator_log,
+						 val);
+		if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS) {
+			if (dns_rdataset_isassociated(&trdataset))
+				dns_rdataset_disassociate(&trdataset);
+			return (result);
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	POST(result);
+
+	if (dns_name_countlabels(zonename) == 0)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * If the val->closest is set then we want to use it otherwise
+	 * we need to discover it.
+	 */
+	if (dns_name_countlabels(dns_fixedname_name(&val->closest)) != 0) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+
+		dns_name_format(dns_fixedname_name(&val->closest),
+				 namebuf, sizeof(namebuf));
+		validator_log(val, ISC_LOG_DEBUG(3), "closest encloser from "
+			      "wildcard signature '%s'", namebuf);
+		dns_name_copy(dns_fixedname_name(&val->closest), closest, NULL);
+		closestp = NULL;
+		setclosestp = NULL;
+	} else {
+		closestp = closest;
+		setclosestp = &setclosest;
+	}
+
+	for (result = val_rdataset_first(val, &name, &rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = val_rdataset_next(val, &name, &rdataset))
+	{
+		if (rdataset->type != dns_rdatatype_nsec3 ||
+		    rdataset->trust != dns_trust_secure)
+			continue;
+
+		/*
+		 * We process all NSEC3 records to find the closest
+		 * encloser and nearest name to the closest encloser.
+		 */
+		setclosest = setnearest = false;
+		optout = false;
+		unknown = false;
+		result = dns_nsec3_noexistnodata(val->event->type,
+						 val->event->name,
+						 name, rdataset, zonename,
+						 &exists, &data, &optout,
+						 &unknown, setclosestp,
+						 &setnearest, closestp,
+						 nearest, validator_log, val);
+		if (unknown)
+			val->attributes |= VALATTR_FOUNDUNKNOWN;
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (setclosest)
+			proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+		if (exists && !data && NEEDNODATA(val)) {
+			val->attributes |= VALATTR_FOUNDNODATA;
+			proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+		}
+		if (!exists && setnearest) {
+			val->attributes |= VALATTR_FOUNDNOQNAME;
+			proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
+			if (optout)
+				val->attributes |= VALATTR_FOUNDOPTOUT;
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	/*
+	 * To know we have a valid noqname and optout proofs we need to also
+	 * have a valid closest encloser.  Otherwise we could still be looking
+	 * at proofs from the parent zone.
+	 */
+	if (dns_name_countlabels(closest) > 0 &&
+	    dns_name_countlabels(nearest) ==
+	    dns_name_countlabels(closest) + 1 &&
+	    dns_name_issubdomain(nearest, closest))
+	{
+		val->attributes |= VALATTR_FOUNDCLOSEST;
+		result = dns_name_concatenate(dns_wildcardname, closest,
+					      dns_fixedname_name(&val->wild),
+					      NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	} else {
+		val->attributes &= ~VALATTR_FOUNDNOQNAME;
+		val->attributes &= ~VALATTR_FOUNDOPTOUT;
+		proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
+	}
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
+		result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	return (result);
+}
+
+/*%
+ * Validate the authority section records.
+ */
+static isc_result_t
+validate_authority(dns_validator_t *val, bool resume) {
+	dns_name_t *name;
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+
+	if (!resume)
+		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	else
+		result = ISC_R_SUCCESS;
+
+	for (;
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+		if (resume) {
+			rdataset = ISC_LIST_NEXT(val->currentset, link);
+			val->currentset = NULL;
+			resume = false;
+		} else
+			rdataset = ISC_LIST_HEAD(name->list);
+
+		for (;
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type == dns_rdatatype_rrsig)
+				continue;
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset,
+							 link))
+			{
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
+				    sigrdataset->covers == rdataset->type)
+					break;
+			}
+			/*
+			 * If a signed zone is missing the zone key, bad
+			 * things could happen.  A query for data in the zone
+			 * would lead to a query for the zone key, which
+			 * would return a negative answer, which would contain
+			 * an SOA and an NSEC signed by the missing key, which
+			 * would trigger another query for the DNSKEY (since
+			 * the first one is still in progress), and go into an
+			 * infinite loop.  Avoid that.
+			 */
+			if (val->event->type == dns_rdatatype_dnskey &&
+			    rdataset->type == dns_rdatatype_nsec &&
+			    dns_name_equal(name, val->event->name))
+			{
+				dns_rdata_t nsec = DNS_RDATA_INIT;
+
+				result = dns_rdataset_first(rdataset);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				dns_rdataset_current(rdataset, &nsec);
+				if (dns_nsec_typepresent(&nsec,
+							dns_rdatatype_soa))
+					continue;
+			}
+			val->currentset = rdataset;
+			result = create_validator(val, name, rdataset->type,
+						  rdataset, sigrdataset,
+						  authvalidated,
+						  "validate_authority");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			val->authcount++;
+			return (DNS_R_WAIT);
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+/*%
+ * Validate the ncache elements.
+ */
+static isc_result_t
+validate_ncache(dns_validator_t *val, bool resume) {
+	dns_name_t *name;
+	isc_result_t result;
+
+	if (!resume)
+		result = dns_rdataset_first(val->event->rdataset);
+	else
+		result = dns_rdataset_next(val->event->rdataset);
+
+	for (;
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(val->event->rdataset))
+	{
+		dns_rdataset_t *rdataset, *sigrdataset = NULL;
+
+		if (dns_rdataset_isassociated(&val->frdataset))
+			dns_rdataset_disassociate(&val->frdataset);
+		if (dns_rdataset_isassociated(&val->fsigrdataset))
+			dns_rdataset_disassociate(&val->fsigrdataset);
+
+		name = dns_fixedname_initname(&val->fname);
+		rdataset = &val->frdataset;
+		dns_ncache_current(val->event->rdataset, name, rdataset);
+
+		if (val->frdataset.type == dns_rdatatype_rrsig)
+			continue;
+
+		result = dns_ncache_getsigrdataset(val->event->rdataset, name,
+						   rdataset->type,
+						   &val->fsigrdataset);
+		if (result == ISC_R_SUCCESS)
+			sigrdataset = &val->fsigrdataset;
+
+		/*
+		 * If a signed zone is missing the zone key, bad
+		 * things could happen.  A query for data in the zone
+		 * would lead to a query for the zone key, which
+		 * would return a negative answer, which would contain
+		 * an SOA and an NSEC signed by the missing key, which
+		 * would trigger another query for the DNSKEY (since
+		 * the first one is still in progress), and go into an
+		 * infinite loop.  Avoid that.
+		 */
+		if (val->event->type == dns_rdatatype_dnskey &&
+		    rdataset->type == dns_rdatatype_nsec &&
+		    dns_name_equal(name, val->event->name))
+		{
+			dns_rdata_t nsec = DNS_RDATA_INIT;
+
+			result = dns_rdataset_first(rdataset);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			dns_rdataset_current(rdataset, &nsec);
+			if (dns_nsec_typepresent(&nsec,
+						dns_rdatatype_soa))
+				continue;
+		}
+		val->currentset = rdataset;
+		result = create_validator(val, name, rdataset->type,
+					  rdataset, sigrdataset,
+					  authvalidated,
+					  "validate_ncache");
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		val->authcount++;
+		return (DNS_R_WAIT);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+/*%
+ * Prove a negative answer is good or that there is a NOQNAME when the
+ * answer is from a wildcard.
+ *
+ * Loop through the authority section looking for NODATA, NOWILDCARD
+ * and NOQNAME proofs in the NSEC records by calling authvalidated().
+ *
+ * If the required proofs are found we are done.
+ *
+ * If the proofs are not found attempt to prove this is a unsecure
+ * response.
+ */
+static isc_result_t
+nsecvalidate(dns_validator_t *val, bool resume) {
+	isc_result_t result;
+
+	if (resume)
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
+
+	if (val->event->message == NULL)
+		result = validate_ncache(val, resume);
+	else
+		result = validate_authority(val, resume);
+
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Do we only need to check for NOQNAME?  To get here we must have
+	 * had a secure wildcard answer.
+	 */
+	if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
+		if (!FOUNDNOQNAME(val))
+			findnsec3proofs(val);
+		if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+		    !FOUNDOPTOUT(val)) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "marking as secure, noqname proof found");
+			marksecure(val->event);
+			return (ISC_R_SUCCESS);
+		} else if (FOUNDOPTOUT(val) &&
+			   dns_name_countlabels(dns_fixedname_name(&val->wild))
+					 != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "optout proof found");
+			val->event->optout = true;
+			markanswer(val, "nsecvalidate (1)");
+			return (ISC_R_SUCCESS);
+		} else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "unknown NSEC3 hash algorithm found");
+			markanswer(val, "nsecvalidate (2)");
+			return (ISC_R_SUCCESS);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "noqname proof not found");
+		return (DNS_R_NOVALIDNSEC);
+	}
+
+	if (!FOUNDNOQNAME(val) && !FOUNDNODATA(val))
+		findnsec3proofs(val);
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+	    ((NEEDNODATA(val) && !FOUNDNODATA(val)) || NEEDNOWILDCARD(val))) {
+		result = checkwildcard(val, dns_rdatatype_nsec, NULL);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if ((NEEDNODATA(val) && (FOUNDNODATA(val) || FOUNDOPTOUT(val))) ||
+	    (NEEDNOQNAME(val) && FOUNDNOQNAME(val) &&
+	     NEEDNOWILDCARD(val) && FOUNDNOWILDCARD(val) &&
+	     FOUNDCLOSEST(val))) {
+		if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+			val->event->optout = true;
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "nonexistence proof(s) found");
+		if (val->event->message == NULL)
+			marksecure(val->event);
+		else
+			val->event->secure = true;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (val->authfail != 0 && val->authcount == val->authfail)
+		return (DNS_R_BROKENCHAIN);
+	validator_log(val, ISC_LOG_DEBUG(3),
+		      "nonexistence proof(s) not found");
+	val->attributes |= VALATTR_INSECURITY;
+	return (proveunsecure(val, false, false));
+}
+
+static bool
+check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
+	dns_rdata_ds_t ds;
+	isc_result_t result;
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdataset_current(rdataset, &dsrdata);
+		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dns_resolver_ds_digest_supported(val->view->resolver,
+						     name, ds.digest_type) &&
+		    dns_resolver_algorithm_supported(val->view->resolver,
+						     name, ds.algorithm)) {
+			dns_rdata_reset(&dsrdata);
+			return (true);
+		}
+		dns_rdata_reset(&dsrdata);
+	}
+	return (false);
+}
+
+static void
+dlvvalidated(isc_task_t *task, isc_event_t *event) {
+	dns_validatorevent_t *devent;
+	dns_validator_t *val;
+	isc_result_t eresult;
+	bool want_destroy;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+	devent = (dns_validatorevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	isc_event_free(&event);
+	dns_validator_destroy(&val->subvalidator);
+
+	INSIST(val->event != NULL);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "in dlvvalidated");
+	LOCK(&val->lock);
+	if (CANCELED(val)) {
+		validator_done(val, ISC_R_CANCELED);
+	} else if (eresult == ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlvset with trust %s",
+			      dns_trust_totext(val->frdataset.trust));
+		dns_rdataset_clone(&val->frdataset, &val->dlv);
+		val->havedlvsep = true;
+		if (dlv_algorithm_supported(val))
+			dlv_validator_start(val);
+		else {
+			markanswer(val, "dlvvalidated");
+			validator_done(val, ISC_R_SUCCESS);
+		}
+	} else {
+		if (eresult != DNS_R_BROKENCHAIN) {
+			if (dns_rdataset_isassociated(&val->frdataset))
+				dns_rdataset_expire(&val->frdataset);
+			if (dns_rdataset_isassociated(&val->fsigrdataset))
+				dns_rdataset_expire(&val->fsigrdataset);
+		}
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "dlvvalidated: got %s",
+			      isc_result_totext(eresult));
+		validator_done(val, DNS_R_BROKENCHAIN);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Callback from fetching a DLV record.
+ *
+ * Resumes the DLV lookup process.
+ */
+static void
+dlvfetched(isc_task_t *task, isc_event_t *event) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fetchevent_t *devent;
+	dns_validator_t *val;
+	bool want_destroy;
+	isc_result_t eresult;
+	isc_result_t result;
+	dns_fetch_t *fetch;
+
+	UNUSED(task);
+	INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+	devent = (dns_fetchevent_t *)event;
+	val = devent->ev_arg;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest. */
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	isc_event_free(&event);
+
+	INSIST(val->event != NULL);
+	validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
+		      dns_result_totext(eresult));
+
+	LOCK(&val->lock);
+	fetch = val->fetch;
+	val->fetch = NULL;
+	if (eresult == ISC_R_SUCCESS) {
+		dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
+				sizeof(namebuf));
+		dns_rdataset_clone(&val->frdataset, &val->dlv);
+		val->havedlvsep = true;
+		if (dlv_algorithm_supported(val)) {
+			validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+				      namebuf);
+			dlv_validator_start(val);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "DLV %s found with no supported algorithms",
+				      namebuf);
+			markanswer(val, "dlvfetched (1)");
+			validator_done(val, ISC_R_SUCCESS);
+		}
+	} else if (eresult == DNS_R_NXRRSET ||
+		   eresult == DNS_R_NXDOMAIN ||
+		   eresult == DNS_R_NCACHENXRRSET ||
+		   eresult == DNS_R_NCACHENXDOMAIN) {
+		result = finddlvsep(val, true);
+		if (result == ISC_R_SUCCESS) {
+			if (dlv_algorithm_supported(val)) {
+				dns_name_format(dns_fixedname_name(&val->dlvsep),
+						namebuf, sizeof(namebuf));
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found", namebuf);
+				dlv_validator_start(val);
+			} else {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV %s found with no supported "
+					      "algorithms", namebuf);
+				markanswer(val, "dlvfetched (2)");
+				validator_done(val, ISC_R_SUCCESS);
+			}
+		} else if (result == ISC_R_NOTFOUND) {
+			validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
+			markanswer(val, "dlvfetched (3)");
+			validator_done(val, ISC_R_SUCCESS);
+		} else {
+			validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
+				      dns_result_totext(result));
+			if (result != DNS_R_WAIT)
+				validator_done(val, result);
+		}
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
+			      dns_result_totext(eresult));
+		validator_done(val, eresult);
+	}
+	want_destroy = exit_check(val);
+	UNLOCK(&val->lock);
+	if (fetch != NULL)
+		dns_resolver_destroyfetch(&fetch);
+	if (want_destroy)
+		destroy(val);
+}
+
+/*%
+ * Start the DLV lookup process.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS
+ * \li	DNS_R_WAIT
+ * \li	Others on validation failures.
+ */
+static isc_result_t
+startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+
+	INSIST(!DLVTRIED(val));
+
+	val->attributes |= VALATTR_DLVTRIED;
+
+	dns_name_format(unsecure, namebuf, sizeof(namebuf));
+	validator_log(val, ISC_LOG_DEBUG(3),
+		      "plain DNSSEC returns unsecure (%s): looking for DLV",
+		      namebuf);
+
+	if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
+		validator_log(val, ISC_LOG_WARNING, "must be secure failure, "
+			      " %s is under DLV (startfinddlvsep)", namebuf);
+		return (DNS_R_MUSTBESECURE);
+	}
+
+	val->dlvlabels = dns_name_countlabels(unsecure) - 1;
+	result = finddlvsep(val, false);
+	if (result == ISC_R_NOTFOUND) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
+		markanswer(val, "startfinddlvsep (1)");
+		return (ISC_R_SUCCESS);
+	}
+	if (result == DNS_R_NTACOVERED) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV covered by NTA");
+		validator_done(val, ISC_R_SUCCESS);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
+			      dns_result_totext(result));
+		return (result);
+	}
+	dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
+			sizeof(namebuf));
+	if (dlv_algorithm_supported(val)) {
+		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+		dlv_validator_start(val);
+		return (DNS_R_WAIT);
+	}
+	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+		      "algorithms", namebuf);
+	markanswer(val, "startfinddlvsep (2)");
+	validator_done(val, ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Continue the DLV lookup process.
+ *
+ * Returns
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOTFOUND
+ * \li	DNS_R_WAIT
+ * \li	Others on validation failure.
+ */
+static isc_result_t
+finddlvsep(dns_validator_t *val, bool resume) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t dlvfixed;
+	dns_name_t *dlvname;
+	dns_name_t *dlvsep;
+	dns_name_t noroot;
+	isc_result_t result;
+	unsigned int labels;
+
+	INSIST(val->view->dlv != NULL);
+
+	if (!resume) {
+		if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
+			dns_name_format(val->event->name, namebuf,
+					sizeof(namebuf));
+			validator_log(val, ISC_LOG_WARNING,
+				      "must be secure failure, "
+				      "%s is under DLV (finddlvsep)", namebuf);
+			return (DNS_R_MUSTBESECURE);
+		}
+
+		dlvsep = dns_fixedname_initname(&val->dlvsep);
+		dns_name_copy(val->event->name, dlvsep, NULL);
+		/*
+		 * If this is a response to a DS query, we need to look in
+		 * the parent zone for the trust anchor.
+		 */
+		if (val->event->type == dns_rdatatype_ds) {
+			labels = dns_name_countlabels(dlvsep);
+			if (labels == 0)
+				return (ISC_R_NOTFOUND);
+			dns_name_getlabelsequence(dlvsep, 1, labels - 1,
+						  dlvsep);
+		}
+	} else {
+		dlvsep = dns_fixedname_name(&val->dlvsep);
+		labels = dns_name_countlabels(dlvsep);
+		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+	}
+	dns_name_init(&noroot, NULL);
+	dlvname = dns_fixedname_initname(&dlvfixed);
+	labels = dns_name_countlabels(dlvsep);
+	if (labels == 0)
+		return (ISC_R_NOTFOUND);
+	dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
+	result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
+	while (result == ISC_R_NOSPACE) {
+		labels = dns_name_countlabels(dlvsep);
+		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+		dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
+		result = dns_name_concatenate(&noroot, val->view->dlv,
+					      dlvname, NULL);
+	}
+	if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
+		return (DNS_R_NOVALIDSIG);
+	}
+
+	if (((val->options & DNS_VALIDATOR_NONTA) == 0) &&
+	    dns_view_ntacovers(val->view, val->start, dlvname, val->view->dlv))
+		return (DNS_R_NTACOVERED);
+
+	while (dns_name_countlabels(dlvname) >=
+	       dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
+		dns_name_format(dlvname, namebuf, sizeof(namebuf));
+		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
+			      namebuf);
+		result = view_find(val, dlvname, dns_rdatatype_dlv);
+		if (result == ISC_R_SUCCESS) {
+			if (DNS_TRUST_PENDING(val->frdataset.trust) &&
+			    dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				dns_fixedname_init(&val->fname);
+				dns_name_copy(dlvname,
+					      dns_fixedname_name(&val->fname),
+					      NULL);
+				result = create_validator(val,
+						dns_fixedname_name(&val->fname),
+							  dns_rdatatype_dlv,
+							  &val->frdataset,
+							  &val->fsigrdataset,
+							  dlvvalidated,
+							  "finddlvsep");
+				if (result != ISC_R_SUCCESS)
+					return (result);
+				return (DNS_R_WAIT);
+			}
+			if (val->frdataset.trust < dns_trust_secure) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DLV not validated");
+				return (DNS_R_NOVALIDSIG);
+			}
+			val->havedlvsep = true;
+			dns_rdataset_clone(&val->frdataset, &val->dlv);
+			return (ISC_R_SUCCESS);
+		}
+		if (result == ISC_R_NOTFOUND) {
+			result = create_fetch(val, dlvname, dns_rdatatype_dlv,
+					      dlvfetched, "finddlvsep");
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			return (DNS_R_WAIT);
+		}
+		if (result != DNS_R_NXRRSET &&
+		    result != DNS_R_NXDOMAIN &&
+		    result != DNS_R_EMPTYNAME &&
+		    result != DNS_R_NCACHENXRRSET &&
+		    result != DNS_R_NCACHENXDOMAIN)
+			return (result);
+		/*
+		 * Strip first labels from both dlvsep and dlvname.
+		 */
+		labels = dns_name_countlabels(dlvsep);
+		if (labels == 0)
+			break;
+		dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+		labels = dns_name_countlabels(dlvname);
+		dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+/*%
+ * proveunsecure walks down from the SEP looking for a break in the
+ * chain of trust.  That occurs when we can prove the DS record does
+ * not exist at a delegation point or the DS exists at a delegation
+ * but we don't support the algorithm/digest.
+ *
+ * If DLV is active and we look for a DLV record at or below the
+ * point we go insecure.  If found we restart the validation process.
+ * If not found or DLV isn't active we mark the response as a answer.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS		val->event->name is in a unsecure zone
+ * \li	DNS_R_WAIT		validation is in progress.
+ * \li	DNS_R_MUSTBESECURE	val->event->name is supposed to be secure
+ *				(policy) but we proved that it is unsecure.
+ * \li	DNS_R_NOVALIDSIG
+ * \li	DNS_R_NOVALIDNSEC
+ * \li	DNS_R_NOTINSECURE
+ * \li	DNS_R_BROKENCHAIN
+ */
+static isc_result_t
+proveunsecure(dns_validator_t *val, bool have_ds, bool resume)
+{
+	isc_result_t result;
+	dns_fixedname_t fixedsecroot;
+	dns_name_t *secroot;
+	dns_name_t *tname;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_name_t *found;
+	dns_fixedname_t fixedfound;
+
+	secroot = dns_fixedname_initname(&fixedsecroot);
+	found = dns_fixedname_initname(&fixedfound);
+	if (val->havedlvsep)
+		dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
+	else {
+		unsigned int labels;
+		dns_name_copy(val->event->name, secroot, NULL);
+		/*
+		 * If this is a response to a DS query, we need to look in
+		 * the parent zone for the trust anchor.
+		 */
+
+		labels = dns_name_countlabels(secroot);
+		if (val->event->type == dns_rdatatype_ds && labels > 1U)
+			dns_name_getlabelsequence(secroot, 1, labels - 1,
+						  secroot);
+		result = dns_keytable_finddeepestmatch(val->keytable,
+						       secroot, secroot);
+		if (result == ISC_R_NOTFOUND) {
+			if (val->mustbesecure) {
+				validator_log(val, ISC_LOG_WARNING,
+					      "must be secure failure, "
+					      "not beneath secure root");
+				result = DNS_R_MUSTBESECURE;
+				goto out;
+			} else
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "not beneath secure root");
+			if (val->view->dlv == NULL || DLVTRIED(val)) {
+				markanswer(val, "proveunsecure (1)");
+				return (ISC_R_SUCCESS);
+			}
+			return (startfinddlvsep(val, dns_rootname));
+		} else if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if (!resume) {
+		/*
+		 * We are looking for breaks below the SEP so add a label.
+		 */
+		val->labels = dns_name_countlabels(secroot) + 1;
+	} else {
+		validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
+		/*
+		 * If we have a DS rdataset and it is secure then check if
+		 * the DS rdataset has a supported algorithm combination.
+		 * If not this is an insecure delegation as far as this
+		 * resolver is concerned.  Fall back to DLV if available.
+		 */
+		if (have_ds && val->frdataset.trust >= dns_trust_secure &&
+		    !check_ds(val, dns_fixedname_name(&val->fname),
+			      &val->frdataset)) {
+			dns_name_format(dns_fixedname_name(&val->fname),
+					namebuf, sizeof(namebuf));
+			if ((val->view->dlv == NULL || DLVTRIED(val)) &&
+			    val->mustbesecure) {
+				validator_log(val, ISC_LOG_WARNING,
+					      "must be secure failure at '%s', "
+					      "can't fall back to DLV",
+					      namebuf);
+				result = DNS_R_MUSTBESECURE;
+				goto out;
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no supported algorithm/digest (%s/DS)",
+				      namebuf);
+			if (val->view->dlv == NULL || DLVTRIED(val)) {
+				markanswer(val, "proveunsecure (2)");
+				result = ISC_R_SUCCESS;
+				goto out;
+			}
+			return(startfinddlvsep(val,
+					      dns_fixedname_name(&val->fname)));
+		}
+		val->labels++;
+	}
+
+	for (;
+	     val->labels <= dns_name_countlabels(val->event->name);
+	     val->labels++)
+	{
+
+		tname = dns_fixedname_initname(&val->fname);
+		if (val->labels == dns_name_countlabels(val->event->name))
+			dns_name_copy(val->event->name, tname, NULL);
+		else
+			dns_name_split(val->event->name, val->labels,
+				       NULL, tname);
+
+		dns_name_format(tname, namebuf, sizeof(namebuf));
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "checking existence of DS at '%s'",
+			      namebuf);
+
+		result = view_find(val, tname, dns_rdatatype_ds);
+		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+			/*
+			 * There is no DS.  If this is a delegation,
+			 * we may be done.
+			 */
+			/*
+			 * If we have "trust == answer" then this namespace
+			 * has switched from insecure to should be secure.
+			 */
+			if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+			    DNS_TRUST_ANSWER(val->frdataset.trust)) {
+				result = create_validator(val, tname,
+							  dns_rdatatype_ds,
+							  &val->frdataset,
+							  NULL, dsvalidated,
+							  "proveunsecure");
+				if (result != ISC_R_SUCCESS)
+					goto out;
+				return (DNS_R_WAIT);
+			}
+			/*
+			 * Zones using NSEC3 don't return a NSEC RRset so
+			 * we need to use dns_view_findzonecut2 to find
+			 * the zone cut.
+			 */
+			if (result == DNS_R_NXRRSET &&
+			    !dns_rdataset_isassociated(&val->frdataset) &&
+			    dns_view_findzonecut2(val->view, tname, found,
+						 0, 0, false, false,
+						 NULL, NULL) == ISC_R_SUCCESS &&
+			    dns_name_equal(tname, found)) {
+				if (val->mustbesecure) {
+					validator_log(val, ISC_LOG_WARNING,
+						      "must be secure failure, "
+						      "no DS at zone cut");
+					return (DNS_R_MUSTBESECURE);
+				}
+				if (val->view->dlv == NULL || DLVTRIED(val)) {
+					markanswer(val, "proveunsecure (3)");
+					return (ISC_R_SUCCESS);
+				}
+				return (startfinddlvsep(val, tname));
+			}
+			if (val->frdataset.trust < dns_trust_secure) {
+				/*
+				 * This shouldn't happen, since the negative
+				 * response should have been validated.  Since
+				 * there's no way of validating existing
+				 * negative response blobs, give up.
+				 */
+				validator_log(val, ISC_LOG_WARNING,
+					      "can't validate existing "
+					      "negative responses (no DS)");
+				result = DNS_R_NOVALIDSIG;
+				goto out;
+			}
+			if (isdelegation(tname, &val->frdataset, result)) {
+				if (val->mustbesecure) {
+					validator_log(val, ISC_LOG_WARNING,
+						      "must be secure failure, "
+						      "%s is a delegation",
+						      namebuf);
+					return (DNS_R_MUSTBESECURE);
+				}
+				if (val->view->dlv == NULL || DLVTRIED(val)) {
+					markanswer(val, "proveunsecure (4)");
+					return (ISC_R_SUCCESS);
+				}
+				return (startfinddlvsep(val, tname));
+			}
+			continue;
+		} else if (result == DNS_R_CNAME) {
+			if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+			    DNS_TRUST_ANSWER(val->frdataset.trust)) {
+				result = create_validator(val, tname,
+							  dns_rdatatype_cname,
+							  &val->frdataset,
+							  NULL, cnamevalidated,
+							  "proveunsecure "
+							  "(cname)");
+				if (result != ISC_R_SUCCESS)
+					goto out;
+				return (DNS_R_WAIT);
+			}
+			continue;
+		} else if (result == ISC_R_SUCCESS) {
+			/*
+			 * There is a DS here.  Verify that it's secure and
+			 * continue.
+			 */
+			if (val->frdataset.trust >= dns_trust_secure) {
+				if (!check_ds(val, tname, &val->frdataset)) {
+					validator_log(val, ISC_LOG_DEBUG(3),
+						     "no supported algorithm/"
+						     "digest (%s/DS)", namebuf);
+					if (val->mustbesecure) {
+						validator_log(val,
+							      ISC_LOG_WARNING,
+						      "must be secure failure, "
+						      "no supported algorithm/"
+						      "digest (%s/DS)",
+						      namebuf);
+						result = DNS_R_MUSTBESECURE;
+						goto out;
+					}
+					if (val->view->dlv == NULL ||
+					    DLVTRIED(val)) {
+						markanswer(val,
+							   "proveunsecure (5)");
+						result = ISC_R_SUCCESS;
+						goto out;
+					}
+					return(startfinddlvsep(val, tname));
+				}
+				continue;
+			}
+			else if (!dns_rdataset_isassociated(&val->fsigrdataset))
+			{
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DS is unsigned");
+				result = DNS_R_NOVALIDSIG;
+				goto out;
+			}
+			/*
+			 * Validate / re-validate answer.
+			 */
+			result = create_validator(val, tname, dns_rdatatype_ds,
+						  &val->frdataset,
+						  &val->fsigrdataset,
+						  dsvalidated,
+						  "proveunsecure");
+			if (result != ISC_R_SUCCESS)
+				goto out;
+			return (DNS_R_WAIT);
+		} else if (result == DNS_R_NXDOMAIN ||
+			   result == DNS_R_NCACHENXDOMAIN) {
+			/*
+			 * This is not a zone cut.  Assuming things are
+			 * as expected, continue.
+			 */
+			if (!dns_rdataset_isassociated(&val->frdataset)) {
+				/*
+				 * There should be an NSEC here, since we
+				 * are still in a secure zone.
+				 */
+				result = DNS_R_NOVALIDNSEC;
+				goto out;
+			} else if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+				   DNS_TRUST_ANSWER(val->frdataset.trust)) {
+				/*
+				 * If we have "trust == answer" then this namespace
+				 * has switched from insecure to should be secure.
+				 */
+				result = create_validator(val, tname,
+							  dns_rdatatype_ds,
+							  &val->frdataset,
+							  NULL, dsvalidated,
+							  "proveunsecure");
+				if (result != ISC_R_SUCCESS)
+					goto out;
+				return (DNS_R_WAIT);
+			} else if (val->frdataset.trust < dns_trust_secure) {
+				/*
+				 * This shouldn't happen, since the negative
+				 * response should have been validated.  Since
+				 * there's no way of validating existing
+				 * negative response blobs, give up.
+				 */
+				validator_log(val, ISC_LOG_WARNING,
+					      "can't validate existing "
+					      "negative responses "
+					      "(not a zone cut)");
+				result = DNS_R_NOVALIDSIG;
+				goto out;
+			}
+			continue;
+		} else if (result == ISC_R_NOTFOUND) {
+			/*
+			 * We don't know anything about the DS.  Find it.
+			 */
+			result = create_fetch(val, tname, dns_rdatatype_ds,
+					      dsfetched2, "proveunsecure");
+			if (result != ISC_R_SUCCESS)
+				goto out;
+			return (DNS_R_WAIT);
+		} else if (result == DNS_R_BROKENCHAIN)
+			return (result);
+	}
+
+	/* Couldn't complete insecurity proof */
+	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
+	return (DNS_R_NOTINSECURE);
+
+ out:
+	if (dns_rdataset_isassociated(&val->frdataset))
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	return (result);
+}
+
+/*%
+ * Reset state and revalidate the answer using DLV.
+ */
+static void
+dlv_validator_start(dns_validator_t *val) {
+	isc_event_t *event;
+
+	validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
+
+	/*
+	 * Reset state and try again.
+	 */
+	val->attributes &= VALATTR_DLVTRIED;
+	val->options &= ~DNS_VALIDATOR_DLV;
+
+	event = (isc_event_t *)val->event;
+	isc_task_send(val->task, &event);
+}
+
+/*%
+ * Start the validation process.
+ *
+ * Attempt to validate the answer based on the category it appears to
+ * fall in.
+ * \li	1. secure positive answer.
+ * \li	2. unsecure positive answer.
+ * \li	3. a negative answer (secure or unsecure).
+ *
+ * Note a answer that appears to be a secure positive answer may actually
+ * be an unsecure positive answer.
+ */
+static void
+validator_start(isc_task_t *task, isc_event_t *event) {
+	dns_validator_t *val;
+	dns_validatorevent_t *vevent;
+	bool want_destroy = false;
+	isc_result_t result = ISC_R_FAILURE;
+
+	UNUSED(task);
+	REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
+	vevent = (dns_validatorevent_t *)event;
+	val = vevent->validator;
+
+	/* If the validator has been canceled, val->event == NULL */
+	if (val->event == NULL)
+		return;
+
+	if (DLVTRIED(val))
+		validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
+	else
+		validator_log(val, ISC_LOG_DEBUG(3), "starting");
+
+	LOCK(&val->lock);
+
+	if ((val->options & DNS_VALIDATOR_DLV) != 0 &&
+	     val->event->rdataset != NULL) {
+		validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
+		result = startfinddlvsep(val, dns_rootname);
+	} else if (val->event->rdataset != NULL &&
+		   val->event->sigrdataset != NULL) {
+		isc_result_t saved_result;
+
+		/*
+		 * This looks like a simple validation.  We say "looks like"
+		 * because it might end up requiring an insecurity proof.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting positive response validation");
+
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+		INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
+		result = start_positive_validation(val);
+		if (result == DNS_R_NOVALIDSIG &&
+		    (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+		{
+			saved_result = result;
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "falling back to insecurity proof");
+			val->attributes |= VALATTR_INSECURITY;
+			result = proveunsecure(val, false, false);
+			if (result == DNS_R_NOTINSECURE)
+				result = saved_result;
+		}
+	} else if (val->event->rdataset != NULL &&
+		   val->event->rdataset->type != 0) {
+		/*
+		 * This is either an unsecure subdomain or a response from
+		 * a broken server.
+		 */
+		INSIST(dns_rdataset_isassociated(val->event->rdataset));
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting insecurity proof");
+
+		val->attributes |= VALATTR_INSECURITY;
+		result = proveunsecure(val, false, false);
+		if (result == DNS_R_NOTINSECURE)
+			validator_log(val, ISC_LOG_INFO,
+				      "got insecure response; "
+				      "parent indicates it should be secure");
+	} else if (val->event->rdataset == NULL &&
+		   val->event->sigrdataset == NULL)
+	{
+		/*
+		 * This is a nonexistence validation.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting negative response validation");
+
+		if (val->event->message->rcode == dns_rcode_nxdomain) {
+			val->attributes |= VALATTR_NEEDNOQNAME;
+			val->attributes |= VALATTR_NEEDNOWILDCARD;
+		} else
+			val->attributes |= VALATTR_NEEDNODATA;
+		result = nsecvalidate(val, false);
+	} else if (val->event->rdataset != NULL &&
+		    NEGATIVE(val->event->rdataset))
+	{
+		/*
+		 * This is a nonexistence validation.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "attempting negative response validation");
+
+		if (val->event->rdataset->covers == dns_rdatatype_any) {
+			val->attributes |= VALATTR_NEEDNOQNAME;
+			val->attributes |= VALATTR_NEEDNOWILDCARD;
+		} else
+			val->attributes |= VALATTR_NEEDNODATA;
+		result = nsecvalidate(val, false);
+	} else {
+		/*
+		 * This shouldn't happen.
+		 */
+		INSIST(0);
+	}
+
+	if (result != DNS_R_WAIT) {
+		want_destroy = exit_check(val);
+		validator_done(val, result);
+	}
+
+	UNLOCK(&val->lock);
+	if (want_destroy)
+		destroy(val);
+}
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		     dns_message_t *message, unsigned int options,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     dns_validator_t **validatorp)
+{
+	isc_result_t result = ISC_R_FAILURE;
+	dns_validator_t *val;
+	isc_task_t *tclone = NULL;
+	dns_validatorevent_t *event;
+
+	REQUIRE(name != NULL);
+	REQUIRE(rdataset != NULL ||
+		(rdataset == NULL && sigrdataset == NULL && message != NULL));
+	REQUIRE(validatorp != NULL && *validatorp == NULL);
+
+	val = isc_mem_get(view->mctx, sizeof(*val));
+	if (val == NULL)
+		return (ISC_R_NOMEMORY);
+	val->view = NULL;
+	dns_view_weakattach(view, &val->view);
+
+	event = (dns_validatorevent_t *)
+		isc_event_allocate(view->mctx, task,
+				   DNS_EVENT_VALIDATORSTART,
+				   validator_start, NULL,
+				   sizeof(dns_validatorevent_t));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_val;
+	}
+	isc_task_attach(task, &tclone);
+	event->validator = val;
+	event->result = ISC_R_FAILURE;
+	event->name = name;
+	event->type = type;
+	event->rdataset = rdataset;
+	event->sigrdataset = sigrdataset;
+	event->message = message;
+	memset(event->proofs, 0, sizeof(event->proofs));
+	event->optout = false;
+	event->secure = false;
+	result = isc_mutex_init(&val->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_event;
+	val->event = event;
+	val->options = options;
+	val->attributes = 0;
+	val->fetch = NULL;
+	val->subvalidator = NULL;
+	val->parent = NULL;
+
+	val->keytable = NULL;
+	result = dns_view_getsecroots(val->view, &val->keytable);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mutex;
+	val->keynode = NULL;
+	val->key = NULL;
+	val->siginfo = NULL;
+	val->task = task;
+	val->action = action;
+	val->arg = arg;
+	val->labels = 0;
+	val->currentset = NULL;
+	val->keyset = NULL;
+	val->dsset = NULL;
+	dns_rdataset_init(&val->dlv);
+	val->seensig = false;
+	val->havedlvsep = false;
+	val->depth = 0;
+	val->authcount = 0;
+	val->authfail = 0;
+	val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
+	dns_rdataset_init(&val->frdataset);
+	dns_rdataset_init(&val->fsigrdataset);
+	dns_fixedname_init(&val->wild);
+	dns_fixedname_init(&val->nearest);
+	dns_fixedname_init(&val->closest);
+	isc_stdtime_get(&val->start);
+	ISC_LINK_INIT(val, link);
+	val->magic = VALIDATOR_MAGIC;
+
+	if ((options & DNS_VALIDATOR_DEFER) == 0)
+		isc_task_send(task, ISC_EVENT_PTR(&event));
+
+	*validatorp = val;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_mutex:
+	DESTROYLOCK(&val->lock);
+
+ cleanup_event:
+	isc_task_detach(&tclone);
+	isc_event_free(ISC_EVENT_PTR(&event));
+
+ cleanup_val:
+	dns_view_weakdetach(&val->view);
+	isc_mem_put(view->mctx, val, sizeof(*val));
+
+	return (result);
+}
+
+void
+dns_validator_send(dns_validator_t *validator) {
+	isc_event_t *event;
+	REQUIRE(VALID_VALIDATOR(validator));
+
+	LOCK(&validator->lock);
+
+	INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+	event = (isc_event_t *)validator->event;
+	validator->options &= ~DNS_VALIDATOR_DEFER;
+	UNLOCK(&validator->lock);
+
+	isc_task_send(validator->task, ISC_EVENT_PTR(&event));
+}
+
+void
+dns_validator_cancel(dns_validator_t *validator) {
+	dns_fetch_t *fetch = NULL;
+
+	REQUIRE(VALID_VALIDATOR(validator));
+
+	LOCK(&validator->lock);
+
+	validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
+
+	if ((validator->attributes & VALATTR_CANCELED) == 0) {
+		validator->attributes |= VALATTR_CANCELED;
+		if (validator->event != NULL) {
+			fetch = validator->fetch;
+			validator->fetch = NULL;
+
+			if (validator->subvalidator != NULL)
+				dns_validator_cancel(validator->subvalidator);
+			if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+				validator->options &= ~DNS_VALIDATOR_DEFER;
+				validator_done(validator, ISC_R_CANCELED);
+			}
+		}
+	}
+	UNLOCK(&validator->lock);
+
+	/* Need to cancel and destroy the fetch outside validator lock */
+	if (fetch != NULL) {
+		dns_resolver_cancelfetch(fetch);
+		dns_resolver_destroyfetch(&fetch);
+	}
+}
+
+static void
+destroy(dns_validator_t *val) {
+	isc_mem_t *mctx;
+
+	REQUIRE(SHUTDOWN(val));
+	REQUIRE(val->event == NULL);
+	REQUIRE(val->fetch == NULL);
+
+	if (val->keynode != NULL)
+		dns_keytable_detachkeynode(val->keytable, &val->keynode);
+	else if (val->key != NULL)
+		dst_key_free(&val->key);
+	if (val->keytable != NULL)
+		dns_keytable_detach(&val->keytable);
+	if (val->subvalidator != NULL)
+		dns_validator_destroy(&val->subvalidator);
+	if (val->havedlvsep)
+		dns_rdataset_disassociate(&val->dlv);
+	if (dns_rdataset_isassociated(&val->frdataset))
+		dns_rdataset_disassociate(&val->frdataset);
+	if (dns_rdataset_isassociated(&val->fsigrdataset))
+		dns_rdataset_disassociate(&val->fsigrdataset);
+	mctx = val->view->mctx;
+	if (val->siginfo != NULL)
+		isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
+	DESTROYLOCK(&val->lock);
+	dns_view_weakdetach(&val->view);
+	val->magic = 0;
+	isc_mem_put(mctx, val, sizeof(*val));
+}
+
+void
+dns_validator_destroy(dns_validator_t **validatorp) {
+	dns_validator_t *val;
+	bool want_destroy = false;
+
+	REQUIRE(validatorp != NULL);
+	val = *validatorp;
+	REQUIRE(VALID_VALIDATOR(val));
+
+	LOCK(&val->lock);
+
+	val->attributes |= VALATTR_SHUTDOWN;
+	validator_log(val, ISC_LOG_DEBUG(4), "dns_validator_destroy");
+
+	want_destroy = exit_check(val);
+
+	UNLOCK(&val->lock);
+
+	if (want_destroy)
+		destroy(val);
+
+	*validatorp = NULL;
+}
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+{
+	char msgbuf[2048];
+	static const char spaces[] = "        *";
+	int depth = val->depth * 2;
+
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+	if ((unsigned int) depth >= sizeof spaces)
+		depth = sizeof spaces - 1;
+
+	if (val->event != NULL && val->event->name != NULL) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+		dns_name_format(val->event->name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(val->event->type, typebuf,
+				     sizeof(typebuf));
+		isc_log_write(dns_lctx, category, module, level,
+			      "%.*svalidating %s/%s: %s", depth, spaces,
+			      namebuf, typebuf, msgbuf);
+	} else {
+		isc_log_write(dns_lctx, category, module, level,
+			      "%.*svalidator @%p: %s", depth, spaces,
+			       val, msgbuf);
+	}
+}
+
+static void
+validator_log(void *val, int level, const char *fmt, ...) {
+	va_list ap;
+
+	if (! isc_log_wouldlog(dns_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+
+	validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
+		       DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
+	va_end(ap);
+}
+
+static void
+validator_logcreate(dns_validator_t *val,
+		    dns_name_t *name, dns_rdatatype_t type,
+		    const char *caller, const char *operation)
+{
+	char namestr[DNS_NAME_FORMATSIZE];
+	char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+	dns_name_format(name, namestr, sizeof(namestr));
+	dns_rdatatype_format(type, typestr, sizeof(typestr));
+	validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
+		      caller, operation, namestr, typestr);
+}
diff --git a/lib/dns/version.c b/lib/dns/version.c
new file mode 100644
index 0000000..68ae7fe
--- /dev/null
+++ b/lib/dns/version.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <dns/version.h>
+
+const char dns_version[] = VERSION;
+const char dns_major[] = MAJOR;
+const char dns_mapapi[] = MAPAPI;
+
+const unsigned int dns_libinterface = LIBINTERFACE;
+const unsigned int dns_librevision = LIBREVISION;
+const unsigned int dns_libage = LIBAGE;
diff --git a/lib/dns/view.c b/lib/dns/view.c
new file mode 100644
index 0000000..ea6e431
--- /dev/null
+++ b/lib/dns/view.c
@@ -0,0 +1,2411 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <limits.h>
+#include <inttypes.h>
+#include <stdbool.h>
+
+#ifdef HAVE_LMDB
+ #include <lmdb.h>
+#endif
+
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/lex.h>
+#include <isc/print.h>
+#include <isc/sha2.h>
+#include <isc/stats.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/acache.h>
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/badcache.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/dlz.h>
+#include <dns/dns64.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nta.h>
+#include <dns/order.h>
+#include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rpz.h>
+#include <dns/rrl.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/tsig.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#define CHECK(op) \
+	do { result = (op);					 \
+	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
+	} while (0)
+
+#define RESSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0)
+#define ADBSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
+#define REQSHUTDOWN(v)	(((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
+
+#define DNS_VIEW_DELONLYHASH 111
+#define DNS_VIEW_FAILCACHESIZE 1021
+
+static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
+static void adb_shutdown(isc_task_t *task, isc_event_t *event);
+static void req_shutdown(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+		const char *name, dns_view_t **viewp)
+{
+	dns_view_t *view;
+	isc_result_t result;
+	char buffer[1024];
+
+	/*
+	 * Create a view.
+	 */
+
+	REQUIRE(name != NULL);
+	REQUIRE(viewp != NULL && *viewp == NULL);
+
+	view = isc_mem_get(mctx, sizeof(*view));
+	if (view == NULL)
+		return (ISC_R_NOMEMORY);
+
+	view->nta_file = NULL;
+	view->mctx = NULL;
+	isc_mem_attach(mctx, &view->mctx);
+	view->name = isc_mem_strdup(mctx, name);
+	if (view->name == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_view;
+	}
+
+	result = isc_file_sanitize(NULL, view->name, "nta",
+				   buffer, sizeof(buffer));
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_name;
+	view->nta_file = isc_mem_strdup(mctx, buffer);
+	if (view->nta_file == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_name;
+	}
+
+	result = isc_mutex_init(&view->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_name;
+
+	view->zonetable = NULL;
+	if (isc_bind9) {
+		result = dns_zt_create(mctx, rdclass, &view->zonetable);
+		if (result != ISC_R_SUCCESS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dns_zt_create() failed: %s",
+					 isc_result_totext(result));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup_mutex;
+		}
+	}
+	view->secroots_priv = NULL;
+	view->ntatable_priv = NULL;
+	view->fwdtable = NULL;
+	result = dns_fwdtable_create(mctx, &view->fwdtable);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "dns_fwdtable_create() failed: %s",
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_zt;
+	}
+
+	view->acache = NULL;
+	view->cache = NULL;
+	view->cachedb = NULL;
+	ISC_LIST_INIT(view->dlz_searched);
+	ISC_LIST_INIT(view->dlz_unsearched);
+	view->hints = NULL;
+	view->resolver = NULL;
+	view->adb = NULL;
+	view->requestmgr = NULL;
+	view->rdclass = rdclass;
+	view->frozen = false;
+	view->task = NULL;
+	result = isc_refcount_init(&view->references, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_fwdtable;
+	view->weakrefs = 0;
+	view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
+			    DNS_VIEWATTR_REQSHUTDOWN);
+	view->statickeys = NULL;
+	view->dynamickeys = NULL;
+	view->matchclients = NULL;
+	view->matchdestinations = NULL;
+	view->matchrecursiveonly = false;
+	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_references;
+	view->peers = NULL;
+	view->order = NULL;
+	view->delonly = NULL;
+	view->rootdelonly = false;
+	view->rootexclude = NULL;
+	view->adbstats = NULL;
+	view->resstats = NULL;
+	view->resquerystats = NULL;
+	view->cacheshared = false;
+	ISC_LIST_INIT(view->dns64);
+	view->dns64cnt = 0;
+
+	/*
+	 * Initialize configuration data with default values.
+	 */
+	view->recursion = true;
+	view->auth_nxdomain = false; /* Was true in BIND 8 */
+	view->additionalfromcache = true;
+	view->additionalfromauth = true;
+	view->enablednssec = true;
+	view->enablevalidation = true;
+	view->acceptexpired = false;
+	view->minimal_any = false;
+	view->minimalresponses = dns_minimal_no;
+	view->transfer_format = dns_one_answer;
+	view->cacheacl = NULL;
+	view->cacheonacl = NULL;
+	view->queryacl = NULL;
+	view->queryonacl = NULL;
+	view->recursionacl = NULL;
+	view->recursiononacl = NULL;
+	view->sortlist = NULL;
+	view->transferacl = NULL;
+	view->notifyacl = NULL;
+	view->updateacl = NULL;
+	view->upfwdacl = NULL;
+	view->denyansweracl = NULL;
+	view->nocasecompress = NULL;
+	view->msgcompression = true;
+	view->answeracl_exclude = NULL;
+	view->denyanswernames = NULL;
+	view->answernames_exclude = NULL;
+	view->rrl = NULL;
+	view->provideixfr = true;
+	view->maxcachettl = 7 * 24 * 3600;
+	view->maxncachettl = 3 * 3600;
+	view->nta_lifetime = 0;
+	view->nta_recheck = 0;
+	view->prefetch_eligible = 0;
+	view->prefetch_trigger = 0;
+	view->dstport = 53;
+	view->preferred_glue = 0;
+	view->flush = false;
+	view->dlv = NULL;
+	view->maxudp = 0;
+	view->nocookieudp = 0;
+	view->maxbits = 0;
+	view->v4_aaaa = dns_aaaa_ok;
+	view->v6_aaaa = dns_aaaa_ok;
+	view->aaaa_acl = NULL;
+	view->rpzs = NULL;
+	view->catzs = NULL;
+	dns_fixedname_init(&view->dlv_fixed);
+	view->managed_keys = NULL;
+	view->redirect = NULL;
+	view->redirectzone = NULL;
+	dns_fixedname_init(&view->redirectfixed);
+	view->requestnsid = false;
+	view->sendcookie = true;
+	view->requireservercookie = false;
+	view->trust_anchor_telemetry = true;
+	view->root_key_sentinel = true;
+	view->new_zone_file = NULL;
+	view->new_zone_db = NULL;
+	view->new_zone_dbenv = NULL;
+	view->new_zone_mapsize = 0ULL;
+	view->new_zone_config = NULL;
+	view->cfg_destroy = NULL;
+	view->fail_ttl = 0;
+	view->failcache = NULL;
+	(void)dns_badcache_init(view->mctx, DNS_VIEW_FAILCACHESIZE,
+				   &view->failcache);
+	view->v6bias = 0;
+	view->dtenv = NULL;
+	view->dttypes = 0;
+
+	result = isc_mutex_init(&view->new_zone_lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_dynkeys;
+
+	if (isc_bind9) {
+		result = dns_order_create(view->mctx, &view->order);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_new_zone_lock;
+	}
+
+	result = dns_peerlist_new(view->mctx, &view->peers);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_order;
+
+	result = dns_aclenv_init(view->mctx, &view->aclenv);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_peerlist;
+
+	ISC_LINK_INIT(view, link);
+	ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
+		       DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
+		       view, NULL, NULL, NULL);
+	ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
+		       DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
+		       view, NULL, NULL, NULL);
+	ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
+		       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
+		       view, NULL, NULL, NULL);
+	view->viewlist = NULL;
+	view->magic = DNS_VIEW_MAGIC;
+
+	*viewp = view;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup_peerlist:
+	if (view->peers != NULL)
+		dns_peerlist_detach(&view->peers);
+
+ cleanup_order:
+	if (view->order != NULL)
+		dns_order_detach(&view->order);
+
+ cleanup_new_zone_lock:
+	DESTROYLOCK(&view->new_zone_lock);
+
+ cleanup_dynkeys:
+	if (view->dynamickeys != NULL)
+		dns_tsigkeyring_detach(&view->dynamickeys);
+
+ cleanup_references:
+	isc_refcount_decrement(&view->references, NULL);
+	isc_refcount_destroy(&view->references);
+
+ cleanup_fwdtable:
+	if (view->fwdtable != NULL)
+		dns_fwdtable_destroy(&view->fwdtable);
+
+ cleanup_zt:
+	if (view->zonetable != NULL)
+		dns_zt_detach(&view->zonetable);
+
+ cleanup_mutex:
+	DESTROYLOCK(&view->lock);
+
+	if (view->nta_file != NULL)
+		isc_mem_free(mctx, view->nta_file);
+
+ cleanup_name:
+	isc_mem_free(mctx, view->name);
+
+ cleanup_view:
+	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
+
+	return (result);
+}
+
+static inline void
+destroy(dns_view_t *view) {
+	dns_dns64_t *dns64;
+	dns_dlzdb_t *dlzdb;
+
+	REQUIRE(!ISC_LINK_LINKED(view, link));
+	REQUIRE(isc_refcount_current(&view->references) == 0);
+	REQUIRE(view->weakrefs == 0);
+	REQUIRE(RESSHUTDOWN(view));
+	REQUIRE(ADBSHUTDOWN(view));
+	REQUIRE(REQSHUTDOWN(view));
+
+	if (view->order != NULL)
+		dns_order_detach(&view->order);
+	if (view->peers != NULL)
+		dns_peerlist_detach(&view->peers);
+
+	if (view->dynamickeys != NULL) {
+		isc_result_t result;
+		char template[PATH_MAX];
+		char keyfile[PATH_MAX];
+		FILE *fp = NULL;
+
+		result = isc_file_mktemplate(NULL, template, sizeof(template));
+		if (result == ISC_R_SUCCESS) {
+			(void)isc_file_openuniqueprivate(template, &fp);
+		}
+		if (fp == NULL) {
+			dns_tsigkeyring_detach(&view->dynamickeys);
+		} else {
+			result = dns_tsigkeyring_dumpanddetach
+				(&view->dynamickeys, fp);
+			if (result == ISC_R_SUCCESS) {
+				if (fclose(fp) == 0) {
+					result = isc_file_sanitize
+						(NULL, view->name, "tsigkeys",
+						 keyfile, sizeof(keyfile));
+					if (result == ISC_R_SUCCESS)
+						result = isc_file_rename
+							(template, keyfile);
+				}
+				if (result != ISC_R_SUCCESS)
+					(void)remove(template);
+			} else {
+				(void)fclose(fp);
+				(void)remove(template);
+			}
+		}
+	}
+	if (view->statickeys != NULL)
+		dns_tsigkeyring_detach(&view->statickeys);
+	if (view->adb != NULL)
+		dns_adb_detach(&view->adb);
+	if (view->resolver != NULL)
+		dns_resolver_detach(&view->resolver);
+	if (view->acache != NULL) {
+		if (view->cachedb != NULL)
+			dns_acache_putdb(view->acache, view->cachedb);
+		dns_acache_detach(&view->acache);
+	}
+	dns_rrl_view_destroy(view);
+	if (view->rpzs != NULL)
+		dns_rpz_detach_rpzs(&view->rpzs);
+	if (view->catzs != NULL)
+		dns_catz_catzs_detach(&view->catzs);
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched);
+	     dlzdb != NULL;
+	     dlzdb = ISC_LIST_HEAD(view->dlz_searched)) {
+		ISC_LIST_UNLINK(view->dlz_searched, dlzdb, link);
+		dns_dlzdestroy(&dlzdb);
+	}
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_unsearched);
+	     dlzdb != NULL;
+	     dlzdb = ISC_LIST_HEAD(view->dlz_unsearched)) {
+		ISC_LIST_UNLINK(view->dlz_unsearched, dlzdb, link);
+		dns_dlzdestroy(&dlzdb);
+	}
+	if (view->requestmgr != NULL)
+		dns_requestmgr_detach(&view->requestmgr);
+	if (view->task != NULL)
+		isc_task_detach(&view->task);
+	if (view->hints != NULL)
+		dns_db_detach(&view->hints);
+	if (view->cachedb != NULL)
+		dns_db_detach(&view->cachedb);
+	if (view->cache != NULL)
+		dns_cache_detach(&view->cache);
+	if (view->nocasecompress != NULL)
+		dns_acl_detach(&view->nocasecompress);
+	if (view->matchclients != NULL)
+		dns_acl_detach(&view->matchclients);
+	if (view->matchdestinations != NULL)
+		dns_acl_detach(&view->matchdestinations);
+	if (view->cacheacl != NULL)
+		dns_acl_detach(&view->cacheacl);
+	if (view->cacheonacl != NULL)
+		dns_acl_detach(&view->cacheonacl);
+	if (view->queryacl != NULL)
+		dns_acl_detach(&view->queryacl);
+	if (view->queryonacl != NULL)
+		dns_acl_detach(&view->queryonacl);
+	if (view->recursionacl != NULL)
+		dns_acl_detach(&view->recursionacl);
+	if (view->recursiononacl != NULL)
+		dns_acl_detach(&view->recursiononacl);
+	if (view->sortlist != NULL)
+		dns_acl_detach(&view->sortlist);
+	if (view->transferacl != NULL)
+		dns_acl_detach(&view->transferacl);
+	if (view->notifyacl != NULL)
+		dns_acl_detach(&view->notifyacl);
+	if (view->updateacl != NULL)
+		dns_acl_detach(&view->updateacl);
+	if (view->upfwdacl != NULL)
+		dns_acl_detach(&view->upfwdacl);
+	if (view->denyansweracl != NULL)
+		dns_acl_detach(&view->denyansweracl);
+	if (view->aaaa_acl != NULL)
+		dns_acl_detach(&view->aaaa_acl);
+	if (view->answeracl_exclude != NULL)
+		dns_rbt_destroy(&view->answeracl_exclude);
+	if (view->denyanswernames != NULL)
+		dns_rbt_destroy(&view->denyanswernames);
+	if (view->answernames_exclude != NULL)
+		dns_rbt_destroy(&view->answernames_exclude);
+	if (view->delonly != NULL) {
+		dns_name_t *name;
+		int i;
+
+		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+			name = ISC_LIST_HEAD(view->delonly[i]);
+			while (name != NULL) {
+				ISC_LIST_UNLINK(view->delonly[i], name, link);
+				dns_name_free(name, view->mctx);
+				isc_mem_put(view->mctx, name, sizeof(*name));
+				name = ISC_LIST_HEAD(view->delonly[i]);
+			}
+		}
+		isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) *
+			    DNS_VIEW_DELONLYHASH);
+		view->delonly = NULL;
+	}
+	if (view->rootexclude != NULL) {
+		dns_name_t *name;
+		int i;
+
+		for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+			name = ISC_LIST_HEAD(view->rootexclude[i]);
+			while (name != NULL) {
+				ISC_LIST_UNLINK(view->rootexclude[i],
+						name, link);
+				dns_name_free(name, view->mctx);
+				isc_mem_put(view->mctx, name, sizeof(*name));
+				name = ISC_LIST_HEAD(view->rootexclude[i]);
+			}
+		}
+		isc_mem_put(view->mctx, view->rootexclude,
+			    sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
+		view->rootexclude = NULL;
+	}
+	if (view->adbstats != NULL)
+		isc_stats_detach(&view->adbstats);
+	if (view->resstats != NULL)
+		isc_stats_detach(&view->resstats);
+	if (view->resquerystats != NULL)
+		dns_stats_detach(&view->resquerystats);
+	if (view->secroots_priv != NULL)
+		dns_keytable_detach(&view->secroots_priv);
+	if (view->ntatable_priv != NULL)
+		dns_ntatable_detach(&view->ntatable_priv);
+	for (dns64 = ISC_LIST_HEAD(view->dns64);
+	     dns64 != NULL;
+	     dns64 = ISC_LIST_HEAD(view->dns64)) {
+		dns_dns64_unlink(&view->dns64, dns64);
+		dns_dns64_destroy(&dns64);
+	}
+	if (view->managed_keys != NULL)
+		dns_zone_detach(&view->managed_keys);
+	if (view->redirect != NULL)
+		dns_zone_detach(&view->redirect);
+#ifdef HAVE_DNSTAP
+	if (view->dtenv != NULL)
+		dns_dt_detach(&view->dtenv);
+#endif /* HAVE_DNSTAP */
+	dns_view_setnewzones(view, false, NULL, NULL, 0ULL);
+	if (view->new_zone_file != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_file);
+		view->new_zone_file = NULL;
+	}
+#ifdef HAVE_LMDB
+	if (view->new_zone_dbenv != NULL) {
+		mdb_env_close((MDB_env *) view->new_zone_dbenv);
+		view->new_zone_dbenv = NULL;
+	}
+	if (view->new_zone_db != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_db);
+		view->new_zone_db = NULL;
+	}
+#endif /* HAVE_LMDB */
+	dns_fwdtable_destroy(&view->fwdtable);
+	dns_aclenv_destroy(&view->aclenv);
+	if (view->failcache != NULL)
+		dns_badcache_destroy(&view->failcache);
+	DESTROYLOCK(&view->new_zone_lock);
+	DESTROYLOCK(&view->lock);
+	isc_refcount_destroy(&view->references);
+	isc_mem_free(view->mctx, view->nta_file);
+	isc_mem_free(view->mctx, view->name);
+	isc_mem_putanddetach(&view->mctx, view, sizeof(*view));
+}
+
+/*
+ * Return true iff 'view' may be freed.
+ * The caller must be holding the view lock.
+ */
+static bool
+all_done(dns_view_t *view) {
+
+	if (isc_refcount_current(&view->references) == 0 &&
+	    view->weakrefs == 0 &&
+	    RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view))
+		return (true);
+
+	return (false);
+}
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
+
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	isc_refcount_increment(&source->references, NULL);
+
+	*targetp = source;
+}
+
+static void
+view_flushanddetach(dns_view_t **viewp, bool flush) {
+	dns_view_t *view;
+	unsigned int refs;
+	bool done = false;
+
+	REQUIRE(viewp != NULL);
+	view = *viewp;
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (flush)
+		view->flush = true;
+	isc_refcount_decrement(&view->references, &refs);
+	if (refs == 0) {
+		dns_zone_t *mkzone = NULL, *rdzone = NULL;
+
+		LOCK(&view->lock);
+		if (!RESSHUTDOWN(view))
+			dns_resolver_shutdown(view->resolver);
+		if (!ADBSHUTDOWN(view))
+			dns_adb_shutdown(view->adb);
+		if (!REQSHUTDOWN(view))
+			dns_requestmgr_shutdown(view->requestmgr);
+		if (view->acache != NULL)
+			dns_acache_shutdown(view->acache);
+		if (view->zonetable != NULL) {
+			if (view->flush)
+				dns_zt_flushanddetach(&view->zonetable);
+			else
+				dns_zt_detach(&view->zonetable);
+		}
+		if (view->managed_keys != NULL) {
+			mkzone = view->managed_keys;
+			view->managed_keys = NULL;
+			if (view->flush)
+				dns_zone_flush(mkzone);
+		}
+		if (view->redirect != NULL) {
+			rdzone = view->redirect;
+			view->redirect = NULL;
+			if (view->flush)
+				dns_zone_flush(rdzone);
+		}
+		if (view->catzs != NULL) {
+			dns_catz_catzs_detach(&view->catzs);
+		}
+		done = all_done(view);
+		UNLOCK(&view->lock);
+
+		/* Need to detach zones outside view lock */
+		if (mkzone != NULL)
+			dns_zone_detach(&mkzone);
+
+		if (rdzone != NULL)
+			dns_zone_detach(&rdzone);
+	}
+
+	*viewp = NULL;
+
+	if (done)
+		destroy(view);
+}
+
+void
+dns_view_flushanddetach(dns_view_t **viewp) {
+	view_flushanddetach(viewp, true);
+}
+
+void
+dns_view_detach(dns_view_t **viewp) {
+	view_flushanddetach(viewp, false);
+}
+
+static isc_result_t
+dialup(dns_zone_t *zone, void *dummy) {
+	UNUSED(dummy);
+	dns_zone_dialup(zone);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_dialup(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	(void)dns_zt_apply(view->zonetable, false, dialup, NULL);
+}
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
+
+	REQUIRE(DNS_VIEW_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+	source->weakrefs++;
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+void
+dns_view_weakdetach(dns_view_t **viewp) {
+	dns_view_t *view;
+	bool done = false;
+
+	REQUIRE(viewp != NULL);
+	view = *viewp;
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+
+	INSIST(view->weakrefs > 0);
+	view->weakrefs--;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	*viewp = NULL;
+
+	if (done)
+		destroy(view);
+}
+
+static void
+resolver_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+	bool done;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	LOCK(&view->lock);
+
+	view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	if (done)
+		destroy(view);
+}
+
+static void
+adb_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+	bool done;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	LOCK(&view->lock);
+
+	view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	if (done)
+		destroy(view);
+}
+
+static void
+req_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_view_t *view = event->ev_arg;
+	bool done;
+
+	REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->task == task);
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	LOCK(&view->lock);
+
+	view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
+	done = all_done(view);
+
+	UNLOCK(&view->lock);
+
+	if (done)
+		destroy(view);
+}
+
+isc_result_t
+dns_view_createzonetable(dns_view_t *view) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->zonetable == NULL);
+
+	return (dns_zt_create(view->mctx, view->rdclass, &view->zonetable));
+}
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view,
+			isc_taskmgr_t *taskmgr,
+			unsigned int ntasks,
+			unsigned int ndisp,
+			isc_socketmgr_t *socketmgr,
+			isc_timermgr_t *timermgr,
+			unsigned int options,
+			dns_dispatchmgr_t *dispatchmgr,
+			dns_dispatch_t *dispatchv4,
+			dns_dispatch_t *dispatchv6)
+{
+	isc_result_t result;
+	isc_event_t *event;
+	isc_mem_t *mctx = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resolver == NULL);
+
+	result = isc_task_create(taskmgr, 0, &view->task);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_task_setname(view->task, "view", view);
+
+	result = dns_resolver_create(view, taskmgr, ntasks, ndisp, socketmgr,
+				     timermgr, options, dispatchmgr,
+				     dispatchv4, dispatchv6,
+				     &view->resolver);
+	if (result != ISC_R_SUCCESS) {
+		isc_task_detach(&view->task);
+		return (result);
+	}
+	event = &view->resevent;
+	dns_resolver_whenshutdown(view->resolver, view->task, &event);
+	view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN;
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+
+	result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
+	isc_mem_setname(mctx, "ADB", NULL);
+	isc_mem_detach(&mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+	event = &view->adbevent;
+	dns_adb_whenshutdown(view->adb, view->task, &event);
+	view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN;
+
+	result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
+				      dns_resolver_taskmgr(view->resolver),
+				      dns_resolver_dispatchmgr(view->resolver),
+				      dispatchv4, dispatchv6,
+				      &view->requestmgr);
+	if (result != ISC_R_SUCCESS) {
+		dns_adb_shutdown(view->adb);
+		dns_resolver_shutdown(view->resolver);
+		return (result);
+	}
+	event = &view->reqevent;
+	dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
+	view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
+	dns_view_setcache2(view, cache, false);
+}
+
+void
+dns_view_setcache2(dns_view_t *view, dns_cache_t *cache, bool shared) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+
+	view->cacheshared = shared;
+	if (view->cache != NULL) {
+		if (view->acache != NULL)
+			dns_acache_putdb(view->acache, view->cachedb);
+		dns_db_detach(&view->cachedb);
+		dns_cache_detach(&view->cache);
+	}
+	dns_cache_attach(cache, &view->cache);
+	dns_cache_attachdb(cache, &view->cachedb);
+	INSIST(DNS_DB_VALID(view->cachedb));
+
+	if (view->acache != NULL)
+		dns_acache_setdb(view->acache, view->cachedb);
+}
+
+bool
+dns_view_iscacheshared(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	return (view->cacheshared);
+}
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->hints == NULL);
+	REQUIRE(dns_db_iszone(hints));
+
+	dns_db_attach(hints, &view->hints);
+}
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ring != NULL);
+	if (view->statickeys != NULL)
+		dns_tsigkeyring_detach(&view->statickeys);
+	dns_tsigkeyring_attach(ring, &view->statickeys);
+}
+
+void
+dns_view_setdynamickeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ring != NULL);
+	if (view->dynamickeys != NULL)
+		dns_tsigkeyring_detach(&view->dynamickeys);
+	dns_tsigkeyring_attach(ring, &view->dynamickeys);
+}
+
+void
+dns_view_getdynamickeyring(dns_view_t *view, dns_tsig_keyring_t **ringp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ringp != NULL && *ringp == NULL);
+	if (view->dynamickeys != NULL)
+		dns_tsigkeyring_attach(view->dynamickeys, ringp);
+}
+
+void
+dns_view_restorekeyring(dns_view_t *view) {
+	FILE *fp;
+	char keyfile[PATH_MAX];
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->dynamickeys != NULL) {
+		result = isc_file_sanitize(NULL, view->name, "tsigkeys",
+					   keyfile, sizeof(keyfile));
+		if (result == ISC_R_SUCCESS) {
+			fp = fopen(keyfile, "r");
+			if (fp != NULL) {
+				dns_keyring_restore(view->dynamickeys, fp);
+				(void)fclose(fp);
+			}
+		}
+	}
+}
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->dstport = dstport;
+}
+
+void
+dns_view_freeze(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+
+	if (view->resolver != NULL) {
+		INSIST(view->cachedb != NULL);
+		dns_resolver_freeze(view->resolver);
+	}
+	view->frozen = true;
+}
+
+void
+dns_view_thaw(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+
+	view->frozen = false;
+}
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->zonetable != NULL);
+
+	result = dns_zt_mount(view->zonetable, zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+	if (view->zonetable != NULL) {
+		result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_detach(zonep);
+			result = ISC_R_NOTFOUND;
+		}
+	} else
+		result = ISC_R_NOTFOUND;
+	UNLOCK(&view->lock);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	      isc_stdtime_t now, unsigned int options, bool use_hints,
+	      dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+	      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) {
+	return (dns_view_find2(view, name, type, now, options, use_hints,
+			       false, dbp, nodep, foundname, rdataset,
+			       sigrdataset));
+}
+
+isc_result_t
+dns_view_find2(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+	       isc_stdtime_t now, unsigned int options,
+	       bool use_hints, bool use_static_stub,
+	       dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_db_t *db, *zdb;
+	dns_dbnode_t *node, *znode;
+	bool is_cache, is_staticstub_zone;
+	dns_rdataset_t zrdataset, zsigrdataset;
+	dns_zone_t *zone;
+
+	/*
+	 * Find an rdataset whose owner name is 'name', and whose type is
+	 * 'type'.
+	 */
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+	REQUIRE(type != dns_rdatatype_rrsig);
+	REQUIRE(rdataset != NULL);  /* XXXBEW - remove this */
+	REQUIRE(nodep == NULL || *nodep == NULL);
+
+	/*
+	 * Initialize.
+	 */
+	dns_rdataset_init(&zrdataset);
+	dns_rdataset_init(&zsigrdataset);
+	zdb = NULL;
+	znode = NULL;
+
+	/*
+	 * Find a database to answer the query.
+	 */
+	db = NULL;
+	node = NULL;
+	is_staticstub_zone = false;
+	zone = NULL;
+	LOCK(&view->lock);
+	if (view->zonetable != NULL)
+		result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+	else
+		result = ISC_R_NOTFOUND;
+	UNLOCK(&view->lock);
+	if (zone != NULL && dns_zone_gettype(zone) == dns_zone_staticstub &&
+	    !use_static_stub)
+		result = ISC_R_NOTFOUND;
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		result = dns_zone_getdb(zone, &db);
+		if (result != ISC_R_SUCCESS && view->cachedb != NULL)
+			dns_db_attach(view->cachedb, &db);
+		else if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		if (dns_zone_gettype(zone) == dns_zone_staticstub &&
+		    dns_name_equal(name, dns_zone_getorigin(zone))) {
+			is_staticstub_zone = true;
+		}
+	} else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
+		dns_db_attach(view->cachedb, &db);
+	else
+		goto cleanup;
+
+	is_cache = dns_db_iscache(db);
+
+ db_find:
+	/*
+	 * Now look for an answer in the database.
+	 */
+	result = dns_db_find(db, name, NULL, type, options,
+			     now, &node, foundname, rdataset, sigrdataset);
+
+	if (result == DNS_R_DELEGATION || result == ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (!is_cache) {
+			dns_db_detach(&db);
+			if (view->cachedb != NULL && !is_staticstub_zone) {
+				/*
+				 * Either the answer is in the cache, or we
+				 * don't know it.
+				 * Note that if the result comes from a
+				 * static-stub zone we stop the search here
+				 * (see the function description in view.h).
+				 */
+				is_cache = true;
+				dns_db_attach(view->cachedb, &db);
+				goto db_find;
+			}
+		} else {
+			/*
+			 * We don't have the data in the cache.  If we've got
+			 * glue from the zone, use it.
+			 */
+			if (dns_rdataset_isassociated(&zrdataset)) {
+				dns_rdataset_clone(&zrdataset, rdataset);
+				if (sigrdataset != NULL &&
+				    dns_rdataset_isassociated(&zsigrdataset))
+					dns_rdataset_clone(&zsigrdataset,
+							   sigrdataset);
+				result = DNS_R_GLUE;
+				if (db != NULL)
+					dns_db_detach(&db);
+				dns_db_attach(zdb, &db);
+				dns_db_attachnode(db, znode, &node);
+				goto cleanup;
+			}
+		}
+		/*
+		 * We don't know the answer.
+		 */
+		result = ISC_R_NOTFOUND;
+	} else if (result == DNS_R_GLUE) {
+		if (view->cachedb != NULL && !is_staticstub_zone) {
+			/*
+			 * We found an answer, but the cache may be better.
+			 * Remember what we've got and go look in the cache.
+			 */
+			is_cache = true;
+			dns_rdataset_clone(rdataset, &zrdataset);
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset)) {
+				dns_rdataset_clone(sigrdataset, &zsigrdataset);
+				dns_rdataset_disassociate(sigrdataset);
+			}
+			dns_db_attach(db, &zdb);
+			dns_db_attachnode(zdb, node, &znode);
+			dns_db_detachnode(db, &node);
+			dns_db_detach(&db);
+			dns_db_attach(view->cachedb, &db);
+			goto db_find;
+		}
+		/*
+		 * Otherwise, the glue is the best answer.
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		if (db != NULL) {
+			if (node != NULL)
+				dns_db_detachnode(db, &node);
+			dns_db_detach(&db);
+		}
+		result = dns_db_find(view->hints, name, NULL, type, options,
+				     now, &node, foundname,
+				     rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) {
+			/*
+			 * We just used a hint.  Let the resolver know it
+			 * should consider priming.
+			 */
+			dns_resolver_prime(view->resolver);
+			dns_db_attach(view->hints, &db);
+			result = DNS_R_HINT;
+		} else if (result == DNS_R_NXRRSET) {
+			dns_db_attach(view->hints, &db);
+			result = DNS_R_HINTNXRRSET;
+		} else if (result == DNS_R_NXDOMAIN)
+			result = ISC_R_NOTFOUND;
+
+		/*
+		 * Cleanup if non-standard hints are used.
+		 */
+		if (db == NULL && node != NULL)
+			dns_db_detachnode(view->hints, &node);
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&zrdataset)) {
+		dns_rdataset_disassociate(&zrdataset);
+		if (dns_rdataset_isassociated(&zsigrdataset))
+			dns_rdataset_disassociate(&zsigrdataset);
+	}
+
+	if (zdb != NULL) {
+		if (znode != NULL)
+			dns_db_detachnode(zdb, &znode);
+		dns_db_detach(&zdb);
+	}
+
+	if (db != NULL) {
+		if (node != NULL) {
+			if (nodep != NULL)
+				*nodep = node;
+			else
+				dns_db_detachnode(db, &node);
+		}
+		if (dbp != NULL)
+			*dbp = db;
+		else
+			dns_db_detach(&db);
+	} else
+		INSIST(node == NULL);
+
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+		    isc_stdtime_t now, unsigned int options,
+		    bool use_hints,
+		    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_fixedname_t foundname;
+
+	dns_fixedname_init(&foundname);
+	result = dns_view_find(view, name, type, now, options, use_hints,
+			       NULL, NULL, dns_fixedname_name(&foundname),
+			       rdataset, sigrdataset);
+	if (result == DNS_R_NXDOMAIN) {
+		/*
+		 * The rdataset and sigrdataset of the relevant NSEC record
+		 * may be returned, but the caller cannot use them because
+		 * foundname is not returned by this simplified API.  We
+		 * disassociate them here to prevent any misuse by the caller.
+		 */
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+	} else if (result != ISC_R_SUCCESS &&
+		   result != DNS_R_GLUE &&
+		   result != DNS_R_HINT &&
+		   result != DNS_R_NCACHENXDOMAIN &&
+		   result != DNS_R_NCACHENXRRSET &&
+		   result != DNS_R_NXRRSET &&
+		   result != DNS_R_HINTNXRRSET &&
+		   result != ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+		result = ISC_R_NOTFOUND;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+		     isc_stdtime_t now, unsigned int options,
+		     bool use_hints,
+		     dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	return(dns_view_findzonecut2(view, name, fname, now, options,
+				     use_hints, true,
+				     rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+		      isc_stdtime_t now, unsigned int options,
+		      bool use_hints,	bool use_cache,
+		      dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+	isc_result_t result;
+	dns_db_t *db;
+	bool is_cache, use_zone, try_hints;
+	dns_zone_t *zone;
+	dns_name_t *zfname;
+	dns_rdataset_t zrdataset, zsigrdataset;
+	dns_fixedname_t zfixedname;
+	unsigned int ztoptions = 0;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->frozen);
+
+	db = NULL;
+	use_zone = false;
+	try_hints = false;
+	zfname = NULL;
+
+	/*
+	 * Initialize.
+	 */
+	dns_fixedname_init(&zfixedname);
+	dns_rdataset_init(&zrdataset);
+	dns_rdataset_init(&zsigrdataset);
+
+	/*
+	 * Find the right database.
+	 */
+	zone = NULL;
+	LOCK(&view->lock);
+	if (view->zonetable != NULL) {
+		if ((options & DNS_DBFIND_NOEXACT) != 0)
+			ztoptions |= DNS_ZTFIND_NOEXACT;
+		result = dns_zt_find(view->zonetable, name, ztoptions,
+				     NULL, &zone);
+	} else
+		result = ISC_R_NOTFOUND;
+	UNLOCK(&view->lock);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		result = dns_zone_getdb(zone, &db);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * We're not directly authoritative for this query name, nor
+		 * is it a subdomain of any zone for which we're
+		 * authoritative.
+		 */
+		if (use_cache && view->cachedb != NULL) {
+			/*
+			 * We have a cache; try it.
+			 */
+			dns_db_attach(view->cachedb, &db);
+		} else {
+			/*
+			 * Maybe we have hints...
+			 */
+			try_hints = true;
+			goto finish;
+		}
+	} else if (result != ISC_R_SUCCESS) {
+		/*
+		 * Something is broken.
+		 */
+		goto cleanup;
+	}
+	is_cache = dns_db_iscache(db);
+
+ db_find:
+	/*
+	 * Look for the zonecut.
+	 */
+	if (!is_cache) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options,
+				     now, NULL, fname, rdataset, sigrdataset);
+		if (result == DNS_R_DELEGATION)
+			result = ISC_R_SUCCESS;
+		else if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		if (use_cache && view->cachedb != NULL && db != view->hints) {
+			/*
+			 * We found an answer, but the cache may be better.
+			 */
+			zfname = dns_fixedname_name(&zfixedname);
+			result = dns_name_copy(fname, zfname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			dns_rdataset_clone(rdataset, &zrdataset);
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset)) {
+				dns_rdataset_clone(sigrdataset, &zsigrdataset);
+				dns_rdataset_disassociate(sigrdataset);
+			}
+			dns_db_detach(&db);
+			dns_db_attach(view->cachedb, &db);
+			is_cache = true;
+			goto db_find;
+		}
+	} else {
+		result = dns_db_findzonecut(db, name, options, now, NULL,
+					    fname, rdataset, sigrdataset);
+		if (result == ISC_R_SUCCESS) {
+			if (zfname != NULL &&
+			    (!dns_name_issubdomain(fname, zfname) ||
+			     (dns_zone_gettype(zone) == dns_zone_staticstub &&
+			      dns_name_equal(fname, zfname)))) {
+				/*
+				 * We found a zonecut in the cache, but our
+				 * zone delegation is better.
+				 */
+				use_zone = true;
+			}
+		} else if (result == ISC_R_NOTFOUND) {
+			if (zfname != NULL) {
+				/*
+				 * We didn't find anything in the cache, but we
+				 * have a zone delegation, so use it.
+				 */
+				use_zone = true;
+			} else {
+				/*
+				 * Maybe we have hints...
+				 */
+				try_hints = true;
+			}
+		} else {
+			/*
+			 * Something bad happened.
+			 */
+			goto cleanup;
+		}
+	}
+
+ finish:
+	if (use_zone) {
+		if (dns_rdataset_isassociated(rdataset)) {
+			dns_rdataset_disassociate(rdataset);
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+				dns_rdataset_disassociate(sigrdataset);
+		}
+		result = dns_name_copy(zfname, fname, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		dns_rdataset_clone(&zrdataset, rdataset);
+		if (sigrdataset != NULL &&
+		    dns_rdataset_isassociated(&zrdataset))
+			dns_rdataset_clone(&zsigrdataset, sigrdataset);
+	} else if (try_hints && use_hints && view->hints != NULL) {
+		/*
+		 * We've found nothing so far, but we have hints.
+		 */
+		result = dns_db_find(view->hints, dns_rootname, NULL,
+				     dns_rdatatype_ns, 0, now, NULL, fname,
+				     rdataset, NULL);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We can't even find the hints for the root
+			 * nameservers!
+			 */
+			if (dns_rdataset_isassociated(rdataset))
+				dns_rdataset_disassociate(rdataset);
+			result = ISC_R_NOTFOUND;
+		}
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&zrdataset)) {
+		dns_rdataset_disassociate(&zrdataset);
+		if (dns_rdataset_isassociated(&zsigrdataset))
+			dns_rdataset_disassociate(&zsigrdataset);
+	}
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (zone != NULL)
+		dns_zone_detach(&zone);
+
+	return (result);
+}
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+		  dns_rdataclass_t rdclass, dns_view_t **viewp)
+{
+	dns_view_t *view;
+
+	REQUIRE(list != NULL);
+
+	for (view = ISC_LIST_HEAD(*list);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (strcmp(view->name, name) == 0 && view->rdclass == rdclass)
+			break;
+	}
+	if (view == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_view_attach(view, viewp);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
+		      bool allclasses, dns_rdataclass_t rdclass,
+		      dns_zone_t **zonep)
+{
+	dns_view_t *view;
+	isc_result_t result;
+	dns_zone_t *zone1 = NULL, *zone2 = NULL;
+	dns_zone_t **zp = NULL;
+
+	REQUIRE(list != NULL);
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	for (view = ISC_LIST_HEAD(*list);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (allclasses == false && view->rdclass != rdclass)
+			continue;
+
+		/*
+		 * If the zone is defined in more than one view,
+		 * treat it as not found.
+		 */
+		zp = (zone1 == NULL) ? &zone1 : &zone2;
+		LOCK(&view->lock);
+		if (view->zonetable != NULL)
+			result = dns_zt_find(view->zonetable, name, 0,
+					     NULL, zp);
+		else
+			result = ISC_R_NOTFOUND;
+		UNLOCK(&view->lock);
+		INSIST(result == ISC_R_SUCCESS ||
+		       result == ISC_R_NOTFOUND ||
+		       result == DNS_R_PARTIALMATCH);
+
+		/* Treat a partial match as no match */
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_detach(zp);
+			result = ISC_R_NOTFOUND;
+			POST(result);
+		}
+
+		if (zone2 != NULL) {
+			dns_zone_detach(&zone1);
+			dns_zone_detach(&zone2);
+			return (ISC_R_MULTIPLE);
+		}
+	}
+
+	if (zone1 != NULL) {
+		dns_zone_attach(zone1, zonep);
+		dns_zone_detach(&zone1);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_view_load(dns_view_t *view, bool stop) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_load(view->zonetable, stop));
+}
+
+isc_result_t
+dns_view_loadnew(dns_view_t *view, bool stop) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_loadnew(view->zonetable, stop));
+}
+
+isc_result_t
+dns_view_asyncload(dns_view_t *view, dns_zt_allloaded_t callback, void *arg) {
+	return (dns_view_asyncload2(view, callback, arg, false));
+}
+
+isc_result_t
+dns_view_asyncload2(dns_view_t *view, dns_zt_allloaded_t callback, void *arg,
+		    bool newonly) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_asyncload2(view->zonetable, callback, arg, newonly));
+}
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
+{
+	isc_result_t result;
+	REQUIRE(keyp != NULL && *keyp == NULL);
+
+	result = dns_tsigkey_find(keyp, keyname, NULL,
+				  view->statickeys);
+	if (result == ISC_R_NOTFOUND)
+		result = dns_tsigkey_find(keyp, keyname, NULL,
+					  view->dynamickeys);
+	return (result);
+}
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
+		     dns_tsigkey_t **keyp)
+{
+	isc_result_t result;
+	dns_name_t *keyname = NULL;
+	dns_peer_t *peer = NULL;
+
+	result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_peer_getkey(peer, &keyname);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_view_gettsig(view, keyname, keyp);
+	return ((result == ISC_R_NOTFOUND) ? ISC_R_FAILURE : result);
+}
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(source != NULL);
+
+	return (dns_tsig_verify(source, msg, view->statickeys,
+				view->dynamickeys));
+}
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	(void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name);
+	result = dns_master_dumptostream(view->mctx, view->cachedb, NULL,
+					 &dns_master_style_cache, fp);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dns_adb_dump(view->adb, fp);
+	dns_resolver_printbadcache(view->resolver, fp);
+	dns_badcache_print(view->failcache, "SERVFAIL cache", fp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view) {
+	return (dns_view_flushcache2(view, false));
+}
+
+isc_result_t
+dns_view_flushcache2(dns_view_t *view, bool fixuponly) {
+	isc_result_t result;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->cachedb == NULL)
+		return (ISC_R_SUCCESS);
+	if (!fixuponly) {
+		result = dns_cache_flush(view->cache);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (view->acache != NULL)
+		dns_acache_putdb(view->acache, view->cachedb);
+	dns_db_detach(&view->cachedb);
+	dns_cache_attachdb(view->cache, &view->cachedb);
+	if (view->acache != NULL)
+		dns_acache_setdb(view->acache, view->cachedb);
+	if (view->resolver != NULL)
+		dns_resolver_flushbadcache(view->resolver, NULL);
+	if (view->failcache != NULL)
+		dns_badcache_flush(view->failcache);
+
+	dns_adb_flush(view->adb);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *name) {
+	return (dns_view_flushnode(view, name, false));
+}
+
+isc_result_t
+dns_view_flushnode(dns_view_t *view, dns_name_t *name, bool tree) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (tree) {
+		if (view->adb != NULL)
+			dns_adb_flushnames(view->adb, name);
+		if (view->resolver != NULL)
+			dns_resolver_flushbadnames(view->resolver, name);
+		if (view->failcache != NULL)
+			dns_badcache_flushtree(view->failcache, name);
+	} else {
+		if (view->adb != NULL)
+			dns_adb_flushname(view->adb, name);
+		if (view->resolver != NULL)
+			dns_resolver_flushbadcache(view->resolver, name);
+		if (view->failcache != NULL)
+			dns_badcache_flushname(view->failcache, name);
+	}
+
+	if (view->cache != NULL)
+		result = dns_cache_flushnode(view->cache, name, tree);
+
+	return (result);
+}
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
+	isc_result_t result;
+	dns_name_t *item;
+	uint32_t hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->delonly == NULL) {
+		view->delonly = isc_mem_get(view->mctx,
+					    sizeof(dns_namelist_t) *
+					    DNS_VIEW_DELONLYHASH);
+		if (view->delonly == NULL)
+			return (ISC_R_NOMEMORY);
+		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
+			ISC_LIST_INIT(view->delonly[hash]);
+	}
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item != NULL)
+		return (ISC_R_SUCCESS);
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	if (item == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_name_init(item, NULL);
+	result = dns_name_dup(name, view->mctx, item);
+	if (result == ISC_R_SUCCESS)
+		ISC_LIST_APPEND(view->delonly[hash], item, link);
+	else
+		isc_mem_put(view->mctx, item, sizeof(*item));
+	return (result);
+}
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
+	isc_result_t result;
+	dns_name_t *item;
+	uint32_t hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->rootexclude == NULL) {
+		view->rootexclude = isc_mem_get(view->mctx,
+					    sizeof(dns_namelist_t) *
+					    DNS_VIEW_DELONLYHASH);
+		if (view->rootexclude == NULL)
+			return (ISC_R_NOMEMORY);
+		for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
+			ISC_LIST_INIT(view->rootexclude[hash]);
+	}
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	item = ISC_LIST_HEAD(view->rootexclude[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item != NULL)
+		return (ISC_R_SUCCESS);
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	if (item == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_name_init(item, NULL);
+	result = dns_name_dup(name, view->mctx, item);
+	if (result == ISC_R_SUCCESS)
+		ISC_LIST_APPEND(view->rootexclude[hash], item, link);
+	else
+		isc_mem_put(view->mctx, item, sizeof(*item));
+	return (result);
+}
+
+bool
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
+	dns_name_t *item;
+	uint32_t hash;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (!view->rootdelonly && view->delonly == NULL)
+		return (false);
+
+	hash = dns_name_hash(name, false) % DNS_VIEW_DELONLYHASH;
+	if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
+		if (view->rootexclude == NULL)
+			return (true);
+		item = ISC_LIST_HEAD(view->rootexclude[hash]);
+		while (item != NULL && !dns_name_equal(item, name))
+			item = ISC_LIST_NEXT(item, link);
+		if (item == NULL)
+			return (true);
+	}
+
+	if (view->delonly == NULL)
+		return (false);
+
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item == NULL)
+		return (false);
+	return (true);
+}
+
+void
+dns_view_setrootdelonly(dns_view_t *view, bool value) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->rootdelonly = value;
+}
+
+bool
+dns_view_getrootdelonly(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (view->rootdelonly);
+}
+
+isc_result_t
+dns_view_freezezones(dns_view_t *view, bool value) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(view->zonetable != NULL);
+
+	return (dns_zt_freezezones(view->zonetable, value));
+}
+
+void
+dns_view_setadbstats(dns_view_t *view, isc_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->adbstats == NULL);
+
+	isc_stats_attach(stats, &view->adbstats);
+}
+
+void
+dns_view_getadbstats(dns_view_t *view, isc_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->adbstats != NULL)
+		isc_stats_attach(view->adbstats, statsp);
+}
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resstats == NULL);
+
+	isc_stats_attach(stats, &view->resstats);
+}
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resstats != NULL)
+		isc_stats_attach(view->resstats, statsp);
+}
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resquerystats == NULL);
+
+	dns_stats_attach(stats, &view->resquerystats);
+}
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resquerystats != NULL)
+		dns_stats_attach(view->resquerystats, statsp);
+}
+
+isc_result_t
+dns_view_initntatable(dns_view_t *view,
+		      isc_taskmgr_t *taskmgr, isc_timermgr_t *timermgr)
+{
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->ntatable_priv != NULL)
+		dns_ntatable_detach(&view->ntatable_priv);
+	return (dns_ntatable_create(view, taskmgr, timermgr,
+				    &view->ntatable_priv));
+}
+
+isc_result_t
+dns_view_getntatable(dns_view_t *view, dns_ntatable_t **ntp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ntp != NULL && *ntp == NULL);
+	if (view->ntatable_priv == NULL)
+		return (ISC_R_NOTFOUND);
+	dns_ntatable_attach(view->ntatable_priv, ntp);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_initsecroots(dns_view_t *view, isc_mem_t *mctx) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	if (view->secroots_priv != NULL)
+		dns_keytable_detach(&view->secroots_priv);
+	return (dns_keytable_create(mctx, &view->secroots_priv));
+}
+
+isc_result_t
+dns_view_getsecroots(dns_view_t *view, dns_keytable_t **ktp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(ktp != NULL && *ktp == NULL);
+	if (view->secroots_priv == NULL)
+		return (ISC_R_NOTFOUND);
+	dns_keytable_attach(view->secroots_priv, ktp);
+	return (ISC_R_SUCCESS);
+}
+
+bool
+dns_view_ntacovers(dns_view_t *view, isc_stdtime_t now,
+		   dns_name_t *name, dns_name_t *anchor)
+{
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->ntatable_priv == NULL)
+		return (false);
+
+	return (dns_ntatable_covered(view->ntatable_priv, now, name, anchor));
+}
+
+isc_result_t
+dns_view_issecuredomain(dns_view_t *view, dns_name_t *name,
+			isc_stdtime_t now, bool checknta,
+			bool *secure_domain)
+{
+	isc_result_t result;
+	bool secure = false;
+	dns_fixedname_t fn;
+	dns_name_t *anchor;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->secroots_priv == NULL)
+		return (ISC_R_NOTFOUND);
+
+	anchor = dns_fixedname_initname(&fn);
+
+	result = dns_keytable_issecuredomain(view->secroots_priv, name,
+					     anchor, &secure);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (checknta && secure && view->ntatable_priv != NULL &&
+	    dns_ntatable_covered(view->ntatable_priv, now, name, anchor))
+		secure = false;
+
+	*secure_domain = secure;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
+		 dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	unsigned char data[4096];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+	dst_key_t *key = NULL;
+	dns_keytable_t *sr = NULL;
+
+	/*
+	 * Clear the revoke bit, if set, so that the key will match what's
+	 * in secroots now.
+	 */
+	dnskey->flags &= ~DNS_KEYFLAG_REVOKE;
+
+	/* Convert dnskey to DST key. */
+	isc_buffer_init(&buffer, data, sizeof(data));
+	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+			     dns_rdatatype_dnskey, dnskey, &buffer);
+
+	result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	result = dns_view_getsecroots(view, &sr);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_keytable_deletekeynode(sr, key);
+
+		/*
+		 * If key was found in secroots, then it was a
+		 * configured trust anchor, and we want to fail
+		 * secure. If there are no other configured keys,
+		 * then leave a null key so that we can't validate
+		 * anymore.
+		 */
+
+		if (result == ISC_R_SUCCESS)
+			dns_keytable_marksecure(sr, keyname);
+
+		dns_keytable_detach(&sr);
+	}
+
+	dst_key_free(&key);
+}
+
+isc_result_t
+dns_view_setnewzones(dns_view_t *view, bool allow, void *cfgctx,
+		     void (*cfg_destroy)(void **), uint64_t mapsize)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	char buffer[1024];
+#ifdef HAVE_LMDB
+	MDB_env *env = NULL;
+	int status;
+#endif
+
+#ifndef HAVE_LMDB
+	UNUSED(mapsize);
+#endif
+
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE((cfgctx != NULL && cfg_destroy != NULL) || !allow);
+
+	if (view->new_zone_file != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_file);
+		view->new_zone_file = NULL;
+	}
+
+#ifdef HAVE_LMDB
+	if (view->new_zone_dbenv != NULL) {
+		mdb_env_close((MDB_env *) view->new_zone_dbenv);
+		view->new_zone_dbenv = NULL;
+	}
+
+	if (view->new_zone_db != NULL) {
+		isc_mem_free(view->mctx, view->new_zone_db);
+		view->new_zone_db = NULL;
+	}
+#endif /* HAVE_LMDB */
+
+	if (view->new_zone_config != NULL) {
+		view->cfg_destroy(&view->new_zone_config);
+		view->cfg_destroy = NULL;
+	}
+
+	if (!allow)
+		return (ISC_R_SUCCESS);
+
+	CHECK(isc_file_sanitize(NULL, view->name, "nzf",
+				buffer, sizeof(buffer)));
+
+	view->new_zone_file = isc_mem_strdup(view->mctx, buffer);
+	if (view->new_zone_file == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+#ifdef HAVE_LMDB
+	CHECK(isc_file_sanitize(NULL, view->name, "nzd",
+				buffer, sizeof(buffer)));
+
+	view->new_zone_db = isc_mem_strdup(view->mctx, buffer);
+	if (view->new_zone_db == NULL) {
+		CHECK(ISC_R_NOMEMORY);
+	}
+
+	status = mdb_env_create(&env);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_create failed: %s",
+			      mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	if (mapsize != 0ULL) {
+		status = mdb_env_set_mapsize(env, mapsize);
+		if (status != MDB_SUCCESS) {
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+				      "mdb_env_set_mapsize failed: %s",
+				      mdb_strerror(status));
+			CHECK(ISC_R_FAILURE);
+		}
+		view->new_zone_mapsize = mapsize;
+	}
+
+	status = mdb_env_open(env, view->new_zone_db, DNS_LMDB_FLAGS, 0600);
+	if (status != MDB_SUCCESS) {
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_OTHER, ISC_LOG_ERROR,
+			      "mdb_env_open of '%s' failed: %s",
+			      view->new_zone_db, mdb_strerror(status));
+		CHECK(ISC_R_FAILURE);
+	}
+
+	view->new_zone_dbenv = env;
+	env = NULL;
+#endif /* HAVE_LMDB */
+
+	view->new_zone_config = cfgctx;
+	view->cfg_destroy = cfg_destroy;
+
+ cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (view->new_zone_file != NULL) {
+			isc_mem_free(view->mctx, view->new_zone_file);
+			view->new_zone_file = NULL;
+		}
+
+#ifdef HAVE_LMDB
+		if (view->new_zone_db != NULL) {
+			isc_mem_free(view->mctx, view->new_zone_db);
+			view->new_zone_db = NULL;
+		}
+		if (env != NULL) {
+			mdb_env_close(env);
+		}
+#endif /* HAVE_LMDB */
+		view->new_zone_config = NULL;
+		view->cfg_destroy = NULL;
+	}
+
+	return (result);
+}
+
+isc_result_t
+dns_view_searchdlz(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
+		   dns_clientinfomethods_t *methods,
+		   dns_clientinfo_t *clientinfo,
+		   dns_db_t **dbp)
+{
+	dns_fixedname_t fname;
+	dns_name_t *zonename;
+	unsigned int namelabels;
+	unsigned int i;
+	isc_result_t result;
+	dns_dlzfindzone_t findzone;
+	dns_dlzdb_t *dlzdb;
+	dns_db_t *db, *best = NULL;
+
+	/*
+	 * Performs checks to make sure data is as we expect it to be.
+	 */
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(name != NULL);
+	REQUIRE(dbp != NULL && *dbp == NULL);
+
+	/* setup a "fixed" dns name */
+	zonename = dns_fixedname_initname(&fname);
+
+	/* count the number of labels in the name */
+	namelabels = dns_name_countlabels(name);
+
+	for (dlzdb = ISC_LIST_HEAD(view->dlz_searched);
+	     dlzdb != NULL;
+	     dlzdb = ISC_LIST_NEXT(dlzdb, link))
+	{
+		REQUIRE(DNS_DLZ_VALID(dlzdb));
+
+		/*
+		 * loop through starting with the longest domain name and
+		 * trying shorter names portions of the name until we find a
+		 * match, have an error, or are below the 'minlabels'
+		 * threshold.  minlabels is 0, if neither the standard
+		 * database nor any previous DLZ database had a zone name
+		 * match. Otherwise minlabels is the number of labels
+		 * in that name.  We need to beat that for a "better"
+		 * match for this DLZ database to be authoritative.
+		 */
+		for (i = namelabels; i > minlabels && i > 1; i--) {
+			if (i == namelabels) {
+				result = dns_name_copy(name, zonename, NULL);
+				if (result != ISC_R_SUCCESS)
+					return (result);
+			} else
+				dns_name_split(name, i, NULL, zonename);
+
+			/* ask SDLZ driver if the zone is supported */
+			db = NULL;
+			findzone = dlzdb->implementation->methods->findzone;
+			result = (*findzone)(dlzdb->implementation->driverarg,
+					     dlzdb->dbdata, dlzdb->mctx,
+					     view->rdclass, zonename,
+					     methods, clientinfo, &db);
+
+			if (result != ISC_R_NOTFOUND) {
+				if (best != NULL)
+					dns_db_detach(&best);
+				if (result == ISC_R_SUCCESS) {
+					INSIST(db != NULL);
+					dns_db_attach(db, &best);
+					dns_db_detach(&db);
+					minlabels = i;
+				} else {
+					if (db != NULL)
+						dns_db_detach(&db);
+					break;
+				}
+			} else if (db != NULL)
+				dns_db_detach(&db);
+		}
+	}
+
+	if (best != NULL) {
+		dns_db_attach(best, dbp);
+		dns_db_detach(&best);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+uint32_t
+dns_view_getfailttl(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	return (view->fail_ttl);
+}
+
+void
+dns_view_setfailttl(dns_view_t *view, uint32_t fail_ttl) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	view->fail_ttl = fail_ttl;
+}
+
+isc_result_t
+dns_view_saventa(dns_view_t *view) {
+	isc_result_t result;
+	bool removefile = false;
+	dns_ntatable_t *ntatable = NULL;
+	FILE *fp = NULL;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->nta_lifetime == 0)
+		return (ISC_R_SUCCESS);
+
+	/* Open NTA save file for overwrite. */
+	CHECK(isc_stdio_open(view->nta_file, "w", &fp));
+
+	result = dns_view_getntatable(view, &ntatable);
+	if (result == ISC_R_NOTFOUND) {
+		removefile = true;
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	} else
+		CHECK(result);
+
+	result = dns_ntatable_save(ntatable, fp);
+	if (result == ISC_R_NOTFOUND) {
+		removefile = true;
+		result = ISC_R_SUCCESS;
+	} else if (result == ISC_R_SUCCESS) {
+		result = isc_stdio_close(fp);
+		fp = NULL;
+	}
+
+ cleanup:
+	if (ntatable != NULL)
+		dns_ntatable_detach(&ntatable);
+
+	if (fp != NULL)
+		(void)isc_stdio_close(fp);
+
+	/* Don't leave half-baked NTA save files lying around. */
+	if (result != ISC_R_SUCCESS || removefile)
+		(void) isc_file_remove(view->nta_file);
+
+	return (result);
+}
+
+#define TSTR(t) ((t).value.as_textregion.base)
+#define TLEN(t) ((t).value.as_textregion.length)
+
+isc_result_t
+dns_view_loadnta(dns_view_t *view) {
+	isc_result_t result;
+	dns_ntatable_t *ntatable = NULL;
+	isc_lex_t *lex = NULL;
+	isc_token_t token;
+	isc_stdtime_t now;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	if (view->nta_lifetime == 0)
+		return (ISC_R_SUCCESS);
+
+	CHECK(isc_lex_create(view->mctx, 1025, &lex));
+	CHECK(isc_lex_openfile(lex, view->nta_file));
+	CHECK(dns_view_getntatable(view, &ntatable));
+	isc_stdtime_get(&now);
+
+	for (;;) {
+		int options = (ISC_LEXOPT_EOL | ISC_LEXOPT_EOF);
+		char *name, *type, *timestamp;
+		size_t len;
+		dns_fixedname_t fn;
+		dns_name_t *ntaname;
+		isc_buffer_t b;
+		isc_stdtime_t t;
+		bool forced;
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type == isc_tokentype_eof)
+			break;
+		else if (token.type != isc_tokentype_string)
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		name = TSTR(token);
+		len = TLEN(token);
+
+		if (strcmp(name, ".") == 0)
+			ntaname = dns_rootname;
+		else {
+			ntaname = dns_fixedname_initname(&fn);
+
+			isc_buffer_init(&b, name, (unsigned int)len);
+			isc_buffer_add(&b, (unsigned int)len);
+			CHECK(dns_name_fromtext(ntaname, &b, dns_rootname,
+						0, NULL));
+		}
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_string)
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		type = TSTR(token);
+
+		if (strcmp(type, "regular") == 0)
+			forced = false;
+		else if (strcmp(type, "forced") == 0)
+			forced = true;
+		else
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_string)
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+		timestamp = TSTR(token);
+		CHECK(dns_time32_fromtext(timestamp, &t));
+
+		CHECK(isc_lex_gettoken(lex, options, &token));
+		if (token.type != isc_tokentype_eol &&
+		    token.type != isc_tokentype_eof)
+			CHECK(ISC_R_UNEXPECTEDTOKEN);
+
+		if (now <= t) {
+			if (t > (now + 604800))
+				t = now + 604800;
+
+			(void) dns_ntatable_add(ntatable, ntaname,
+						forced, 0, t);
+		} else {
+			char nb[DNS_NAME_FORMATSIZE];
+			dns_name_format(ntaname, nb, sizeof(nb));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+				      "ignoring expired NTA at %s", nb);
+		}
+	};
+
+ cleanup:
+	if (ntatable != NULL)
+		dns_ntatable_detach(&ntatable);
+
+	if (lex != NULL) {
+		isc_lex_close(lex);
+		isc_lex_destroy(&lex);
+	}
+
+	return (result);
+}
+
+void
+dns_view_setviewcommit(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+
+	if (view->redirect != NULL) {
+		dns_zone_setviewcommit(view->redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_setviewcommit(view->managed_keys);
+	}
+	if (view->zonetable != NULL) {
+		dns_zt_setviewcommit(view->zonetable);
+	}
+
+	UNLOCK(&view->lock);
+}
+
+void
+dns_view_setviewrevert(dns_view_t *view) {
+	dns_zt_t *zonetable;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	/*
+	 * dns_zt_setviewrevert() attempts to lock this view, so we must
+	 * release the lock.
+	 */
+	LOCK(&view->lock);
+	if (view->redirect != NULL) {
+		dns_zone_setviewrevert(view->redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_setviewrevert(view->managed_keys);
+	}
+	zonetable = view->zonetable;
+	UNLOCK(&view->lock);
+
+	if (zonetable != NULL) {
+		dns_zt_setviewrevert(zonetable);
+	}
+}
diff --git a/lib/dns/win32/DLLMain.c b/lib/dns/win32/DLLMain.c
new file mode 100644
index 0000000..8ff1017
--- /dev/null
+++ b/lib/dns/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/dns/win32/gen.dsp.in b/lib/dns/win32/gen.dsp.in
new file mode 100644
index 0000000..fe172aa
--- /dev/null
+++ b/lib/dns/win32/gen.dsp.in
@@ -0,0 +1,107 @@
+# Microsoft Developer Studio Project File - Name="gen" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@BUILD_PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=gen - @BUILD_PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak" CFG="gen - @BUILD_PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gen - @BUILD_PLATFORM@ Release" (based on "@BUILD_PLATFORM@ (x86) Console Application")
+!MESSAGE "gen - @BUILD_PLATFORM@ Debug" (based on "@BUILD_PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @BUILD_MACHINE@
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console @BUILD_MACHINE@ /out:"../gen.exe"
+
+!ELSEIF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @BUILD_MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug @BUILD_MACHINE@ /out:"../gen.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "gen - @BUILD_PLATFORM@ Release"
+# Name "gen - @BUILD_PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\gen.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE="..\gen-win32.h"
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/dns/win32/gen.dsw b/lib/dns/win32/gen.dsw
new file mode 100644
index 0000000..e44f589
--- /dev/null
+++ b/lib/dns/win32/gen.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "gen"=".\gen.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/dns/win32/gen.mak.in b/lib/dns/win32/gen.mak.in
new file mode 100644
index 0000000..57533ef
--- /dev/null
+++ b/lib/dns/win32/gen.mak.in
@@ -0,0 +1,267 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on gen.dsp
+!IF "$(CFG)" == ""
+CFG=gen - @BUILD_PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to gen - @BUILD_PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "gen - @BUILD_PLATFORM@ Release" && "$(CFG)" != "gen - @BUILD_PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gen.mak" CFG="gen - @BUILD_PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gen - @BUILD_PLATFORM@ Release" (based on "@BUILD_PLATFORM@ (x86) Console Application")
+!MESSAGE "gen - @BUILD_PLATFORM@ Debug" (based on "@BUILD_PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\gen.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\gen.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\gen.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo @COPTML@ /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\gen.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\gen.pdb" @BUILD_MACHINE@ /out:"../gen.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\gen.obj"
+
+"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\gen.exe" "$(OUTDIR)\gen.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\gen.obj"
+	-@erase "$(INTDIR)\gen.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\gen.bsc"
+	-@erase "$(OUTDIR)\gen.pdb"
+	-@erase "..\gen.exe"
+	-@erase "..\gen.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo @COPTMLD@ /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\gen.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\gen.sbr"
+
+"$(OUTDIR)\gen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\gen.pdb" /debug @BUILD_MACHINE@ /out:"../gen.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\gen.obj"
+
+"..\gen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("gen.dep")
+!INCLUDE "gen.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "gen.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "gen - @BUILD_PLATFORM@ Release" || "$(CFG)" == "gen - @BUILD_PLATFORM@ Debug"
+SOURCE=..\gen.c
+
+!IF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Release"
+
+
+"$(INTDIR)\gen.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "gen - @BUILD_PLATFORM@ Debug"
+
+
+"$(INTDIR)\gen.obj"	"$(INTDIR)\gen.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/dns/win32/gen.vcxproj.filters.in b/lib/dns/win32/gen.vcxproj.filters.in
new file mode 100644
index 0000000..f6b3bb0
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.filters.in
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\gen.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\gen-win32.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/gen.vcxproj.in b/lib/dns/win32/gen.vcxproj.in
new file mode 100644
index 0000000..2d6d8e0
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.in
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@BUILD_PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@BUILD_PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@BUILD_PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@BUILD_PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A3F71D12-F38A-4C77-8D87-8E8854CA74A1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>gen</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@BUILD_PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..
+gen -s . -t &gt; include\dns\enumtype.h
+gen -s . -c &gt; include\dns\enumclass.h
+gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h &gt; include\dns\rdatastruct.h
+gen -s . &gt; code.h
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@BUILD_PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PostBuildEvent>
+      <Command>cd ..
+gen -s . -t &gt; include\dns\enumtype.h
+gen -s . -c &gt; include\dns\enumclass.h
+gen -s . -i -P ./rdata/rdatastructpre.h -S ./rdata/rdatastructsuf.h &gt; include\dns\rdatastruct.h
+gen -s . &gt; code.h
+</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\gen.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\gen-win32.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/dns/win32/gen.vcxproj.user b/lib/dns/win32/gen.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/dns/win32/gen.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
new file mode 100644
index 0000000..62a156c
--- /dev/null
+++ b/lib/dns/win32/libdns.def.in
@@ -0,0 +1,1504 @@
+LIBRARY libdns
+
+; Exported Functions
+EXPORTS
+
+dns__rbt_getheight
+dns__rbt_checkproperties
+dns__rbtnode_getdistance
+dns__zone_findkeys
+dns__zone_loadpending
+dns__zone_updatesigs
+dns_acache_attach
+dns_acache_attachentry
+dns_acache_cancelentry
+dns_acache_countquerymiss
+dns_acache_create
+dns_acache_createentry
+dns_acache_detach
+dns_acache_detachentry
+dns_acache_getentry
+dns_acache_putdb
+dns_acache_setcachesize
+dns_acache_setcleaninginterval
+dns_acache_setdb
+dns_acache_setentry
+dns_acache_shutdown
+dns_acl_any
+dns_acl_attach
+dns_acl_create
+dns_acl_detach
+dns_acl_isany
+dns_acl_isinsecure
+dns_acl_isnone
+dns_acl_match
+dns_acl_match2
+dns_acl_merge
+dns_acl_none
+dns_aclelement_match
+dns_aclelement_match2
+dns_aclenv_copy
+dns_aclenv_destroy
+dns_aclenv_init
+dns_adb_agesrtt
+dns_adb_adjustsrtt
+dns_adb_attach
+dns_adb_beginudpfetch
+dns_adb_cancelfind
+dns_adb_changeflags
+dns_adb_create
+dns_adb_createfind
+dns_adb_createfind2
+dns_adb_destroyfind
+dns_adb_detach
+dns_adb_dump
+dns_adb_dumpfind
+dns_adb_ednsto
+dns_adb_endudpfetch
+dns_adb_findaddrinfo
+dns_adb_flush
+dns_adb_flushname
+dns_adb_flushnames
+dns_adb_freeaddrinfo
+dns_adb_getcookie
+dns_adb_getudpsize
+dns_adb_marklame
+dns_adb_noedns
+dns_adb_plainresponse
+dns_adb_probesize
+dns_adb_probesize2
+dns_adb_setadbsize
+dns_adb_setcookie
+dns_adb_setquota
+dns_adb_setudpsize
+dns_adb_shutdown
+dns_adb_timeout
+dns_adb_whenshutdown
+dns_adbentry_overquota
+dns_badcache_add
+dns_badcache_destroy
+dns_badcache_find
+dns_badcache_flush
+dns_badcache_flushname
+dns_badcache_flushtree
+dns_badcache_init
+dns_badcache_print
+dns_byaddr_cancel
+dns_byaddr_create
+dns_byaddr_createptrname
+dns_byaddr_createptrname2
+dns_byaddr_destroy
+dns_cache_attach
+dns_cache_attachdb
+dns_cache_clean
+dns_cache_create
+dns_cache_create2
+dns_cache_create3
+dns_cache_detach
+dns_cache_dump
+dns_cache_dumpstats
+dns_cache_flush
+dns_cache_flushname
+dns_cache_flushnode
+dns_cache_getcachesize
+dns_cache_getcleaninginterval
+dns_cache_getname
+dns_cache_getstats
+dns_cache_load
+@IF NOTYET
+dns_cache_renderjson
+@END NOTYET
+@IF LIBXML2
+dns_cache_renderxml
+@END LIBXML2
+dns_cache_setcachesize
+dns_cache_setcleaninginterval
+dns_cache_setfilename
+dns_cache_updatestats
+dns_catz_add_zone
+dns_catz_catzs_attach
+dns_catz_catzs_detach
+dns_catz_catzs_set_view
+dns_catz_dbupdate_callback
+dns_catz_entry_attach
+dns_catz_entry_cmp
+dns_catz_entry_copy
+dns_catz_entry_detach
+dns_catz_entry_getname
+dns_catz_entry_new
+dns_catz_entry_validate
+dns_catz_generate_masterfilename
+dns_catz_generate_zonecfg
+dns_catz_get_iterator
+dns_catz_get_zone
+dns_catz_new_zone
+dns_catz_new_zones
+dns_catz_options_copy
+dns_catz_options_free
+dns_catz_options_init
+dns_catz_options_setdefault
+dns_catz_postreconfig
+dns_catz_prereconfig
+dns_catz_update_from_db
+dns_catz_update_process
+dns_catz_update_taskaction
+dns_catz_zone_attach
+dns_catz_zone_detach
+dns_catz_zone_getdefoptions
+dns_catz_zone_getname
+dns_catz_zone_resetdefoptions
+dns_catz_zones_merge
+dns_cert_fromtext
+dns_cert_totext
+dns_client_addtrustedkey
+dns_client_cancelrequest
+dns_client_cancelresolve
+dns_client_cancelupdate
+dns_client_clearservers
+dns_client_create
+dns_client_createx
+dns_client_createx2
+dns_client_destroy
+dns_client_destroyreqtrans
+dns_client_destroyrestrans
+dns_client_destroyupdatetrans
+dns_client_freeresanswer
+dns_client_freeupdate
+dns_client_mctx
+dns_client_request
+dns_client_resolve
+dns_client_setdlv
+dns_client_setservers
+dns_client_startrequest
+dns_client_startresolve
+dns_client_startupdate
+dns_client_update
+dns_client_updaterec
+dns_clientinfo_init
+dns_clientinfomethods_init
+dns_compress_add
+dns_compress_disable
+dns_compress_findglobal
+dns_compress_getedns
+dns_compress_getmethods
+dns_compress_getsensitive
+dns_compress_init
+dns_compress_invalidate
+dns_compress_rollback
+dns_compress_setmethods
+dns_compress_setsensitive
+dns_counter_fromtext
+dns_db_addrdataset
+dns_db_allrdatasets
+dns_db_attach
+dns_db_attachnode
+dns_db_attachversion
+dns_db_beginload
+dns_db_class
+dns_db_closeversion
+dns_db_create
+dns_db_createiterator
+dns_db_createsoatuple
+dns_db_currentversion
+dns_db_deleterdataset
+dns_db_detach
+dns_db_detachnode
+dns_db_diff
+dns_db_diffx
+dns_db_dump
+dns_db_dump2
+dns_db_endload
+dns_db_expirenode
+dns_db_getsize
+dns_db_find
+dns_db_findext
+dns_db_findnode
+dns_db_findnodeext
+dns_db_findnsec3node
+dns_db_findrdataset
+dns_db_findzonecut
+dns_db_getnsec3parameters
+dns_db_getoriginnode
+dns_db_getrrsetstats
+dns_db_getsigningtime
+dns_db_getsoaserial
+dns_db_hashsize
+dns_db_iscache
+dns_db_isdnssec
+dns_db_ispersistent
+dns_db_issecure
+dns_db_isstub
+dns_db_iszone
+dns_db_load
+dns_db_load2
+dns_db_load3
+dns_db_newversion
+dns_db_nodecount
+dns_db_nodefullname
+dns_db_ondestroy
+dns_db_origin
+dns_db_overmem
+dns_db_printnode
+dns_db_register
+dns_db_resigned
+dns_db_rpz_attach
+dns_db_rpz_ready
+dns_db_serialize
+dns_db_setcachestats
+dns_db_setsigningtime
+dns_db_settask
+dns_db_subtractrdataset
+dns_db_transfernode
+dns_db_unregister
+dns_db_updatenotify_register
+dns_db_updatenotify_unregister
+dns_dbiterator_current
+dns_dbiterator_destroy
+dns_dbiterator_first
+dns_dbiterator_last
+dns_dbiterator_next
+dns_dbiterator_origin
+dns_dbiterator_pause
+dns_dbiterator_prev
+dns_dbiterator_seek
+dns_dbiterator_setcleanmode
+dns_dbtable_add
+dns_dbtable_adddefault
+dns_dbtable_attach
+dns_dbtable_create
+dns_dbtable_detach
+dns_dbtable_find
+dns_dbtable_getdefault
+dns_dbtable_remove
+dns_dbtable_removedefault
+dns_decompress_edns
+dns_decompress_getmethods
+dns_decompress_init
+dns_decompress_invalidate
+dns_decompress_setmethods
+dns_decompress_type
+dns_diff_append
+dns_diff_appendminimal
+dns_diff_apply
+dns_diff_applysilently
+dns_diff_clear
+dns_diff_init
+dns_diff_load
+dns_diff_print
+dns_diff_sort
+dns_difftuple_copy
+dns_difftuple_create
+dns_difftuple_free
+dns_dispatch_addresponse
+dns_dispatch_addresponse2
+dns_dispatch_addresponse3
+dns_dispatch_attach
+dns_dispatch_cancel
+dns_dispatch_changeattributes
+dns_dispatch_createtcp
+dns_dispatch_createtcp2
+dns_dispatch_detach
+dns_dispatch_getattributes
+dns_dispatch_getdscp
+dns_dispatch_getentrysocket
+dns_dispatch_getlocaladdress
+dns_dispatch_getnext
+dns_dispatch_getsocket
+dns_dispatch_gettcp
+dns_dispatch_gettcp2
+dns_dispatch_getudp
+dns_dispatch_getudp_dup
+dns_dispatch_importrecv
+dns_dispatch_removeresponse
+dns_dispatch_setdscp
+dns_dispatch_starttcp
+dns_dispatchmgr_create
+dns_dispatchmgr_destroy
+dns_dispatchmgr_getblackhole
+dns_dispatchmgr_getblackportlist
+dns_dispatchmgr_setavailports
+dns_dispatchmgr_setblackhole
+dns_dispatchmgr_setblackportlist
+dns_dispatchmgr_setstats
+dns_dispatchset_cancelall
+dns_dispatchset_create
+dns_dispatchset_destroy
+dns_dispatchset_get
+dns_dlz_ssumatch
+dns_dlz_writeablezone
+dns_dlzallowzonexfr
+dns_dlzconfigure
+dns_dlzcreate
+dns_dlzdestroy
+dns_dlzregister
+dns_dlzstrtoargv
+dns_dlzunregister
+dns_dns64_aaaafroma
+dns_dns64_aaaaok
+dns_dns64_append
+dns_dns64_create
+dns_dns64_destroy
+dns_dns64_next
+dns_dns64_unlink
+dns_dnssec_findmatchingkeys
+dns_dnssec_findmatchingkeys2
+dns_dnssec_findzonekeys
+dns_dnssec_findzonekeys2
+dns_dnssec_findzonekeys3
+dns_dnssec_keyactive
+dns_dnssec_keyfromrdata
+dns_dnssec_keylistfromrdataset
+dns_dnssec_selfsigns
+dns_dnssec_sign
+dns_dnssec_signmessage
+dns_dnssec_signs
+dns_dnssec_syncupdate
+dns_dnssec_syncupdate
+dns_dnssec_updatekeys
+dns_dnssec_verify
+dns_dnssec_verify2
+dns_dnssec_verify3
+dns_dnssec_verifymessage
+dns_dnsseckey_create
+dns_dnsseckey_destroy
+dns_ds_buildrdata
+dns_dsdigest_fromtext
+dns_dsdigest_format
+dns_dsdigest_totext
+@IF NOTYET
+dns_dt_attach
+dns_dt_close
+dns_dt_create
+dns_dt_datatotext
+dns_dt_detach
+dns_dt_getframe
+dns_dt_getstats
+dns_dt_open
+dns_dt_parse
+dns_dt_reopen
+dns_dt_send
+dns_dt_setidentity
+dns_dt_setversion
+dns_dt_shutdown
+dns_dtdata_free
+@END NOTYET
+dns_dumpctx_attach
+dns_dumpctx_cancel
+dns_dumpctx_db
+dns_dumpctx_detach
+dns_dumpctx_version
+dns_dyndb_load
+dns_dyndb_cleanup
+dns_dyndb_createctx
+dns_dyndb_destroyctx
+dns_ecdb_register
+dns_ecdb_unregister
+dns_fixedname_init
+dns_fixedname_invalidate
+dns_fixedname_name
+dns_fixedname_initname
+dns_fwdtable_add
+dns_fwdtable_addfwd
+dns_fwdtable_create
+dns_fwdtable_delete
+dns_fwdtable_destroy
+dns_fwdtable_find
+dns_fwdtable_find2
+dns_generalstats_create
+dns_generalstats_dump
+dns_generalstats_increment
+@IF GEOIP
+dns_geoip_match
+dns_geoip_shutdown
+@END GEOIP
+dns_hashalg_fromtext
+dns_ipkeylist_clear
+dns_ipkeylist_copy
+dns_ipkeylist_init
+dns_ipkeylist_resize
+dns_iptable_addprefix
+dns_iptable_addprefix2
+dns_iptable_attach
+dns_iptable_create
+dns_iptable_detach
+dns_iptable_merge
+dns_journal_begin_transaction
+dns_journal_commit
+dns_journal_compact
+dns_journal_current_rr
+dns_journal_destroy
+dns_journal_first_rr
+dns_journal_first_serial
+dns_journal_get_sourceserial
+dns_journal_iter_init
+dns_journal_last_serial
+dns_journal_next_rr
+dns_journal_open
+dns_journal_print
+dns_journal_rollforward
+dns_journal_set_sourceserial
+dns_journal_write_transaction
+dns_journal_writediff
+dns_keydata_fromdnskey
+dns_keydata_todnskey
+dns_keyflags_fromtext
+dns_keynode_attach
+dns_keynode_create
+dns_keynode_detach
+dns_keynode_detachall
+dns_keynode_key
+dns_keynode_managed
+dns_keyring_restore
+dns_keytable_add
+dns_keytable_attach
+dns_keytable_attachkeynode
+dns_keytable_create
+dns_keytable_delete
+dns_keytable_deletekeynode
+dns_keytable_detach
+dns_keytable_detachkeynode
+dns_keytable_dump
+dns_keytable_find
+dns_keytable_finddeepestmatch
+dns_keytable_findkeynode
+dns_keytable_findnextkeynode
+dns_keytable_forall
+dns_keytable_issecuredomain
+dns_keytable_marksecure
+dns_keytable_nextkeynode
+dns_keytable_totext
+dns_lib_init
+dns_lib_initmsgcat
+dns_lib_shutdown
+dns_loadctx_attach
+dns_loadctx_cancel
+dns_loadctx_detach
+dns_log_init
+dns_log_setcontext
+dns_lookup_cancel
+dns_lookup_create
+dns_lookup_destroy
+dns_master_dump
+dns_master_dump2
+dns_master_dump3
+dns_master_dumpinc
+dns_master_dumpinc2
+dns_master_dumpinc3
+dns_master_dumpnode
+dns_master_dumpnodetostream
+dns_master_dumptostream
+dns_master_dumptostream2
+dns_master_dumptostream3
+dns_master_dumptostreaminc
+dns_master_initrawheader
+dns_master_loadbuffer
+dns_master_loadbufferinc
+dns_master_loadfile
+dns_master_loadfile2
+dns_master_loadfile3
+dns_master_loadfile4
+dns_master_loadfile5
+dns_master_loadfileinc
+dns_master_loadfileinc2
+dns_master_loadfileinc3
+dns_master_loadfileinc4
+dns_master_loadfileinc5
+dns_master_loadlexer
+dns_master_loadlexerinc
+dns_master_loadstream
+dns_master_loadstreaminc
+dns_master_questiontotext
+dns_master_rdatasettotext
+dns_master_stylecreate
+dns_master_stylecreate2
+dns_master_styledestroy
+dns_master_styleflags
+dns_message_addname
+dns_message_buildopt
+dns_message_checksig
+dns_message_create
+dns_message_currentname
+dns_message_destroy
+dns_message_find
+dns_message_findname
+dns_message_findtype
+dns_message_firstname
+dns_message_getopt
+dns_message_getquerytsig
+dns_message_getrawmessage
+dns_message_getsig0
+dns_message_getsig0key
+dns_message_gettempname
+dns_message_gettempoffsets
+dns_message_gettemprdata
+dns_message_gettemprdatalist
+dns_message_gettemprdataset
+dns_message_gettimeadjust
+dns_message_gettsig
+dns_message_gettsigkey
+dns_message_logfmtpacket
+dns_message_logfmtpacket2
+dns_message_logpacket
+dns_message_logpacket2
+dns_message_movename
+dns_message_nextname
+dns_message_parse
+dns_message_peekheader
+dns_message_pseudosectiontotext
+dns_message_puttempname
+dns_message_puttemprdata
+dns_message_puttemprdatalist
+dns_message_puttemprdataset
+dns_message_rechecksig
+dns_message_removename
+dns_message_renderbegin
+dns_message_renderchangebuffer
+dns_message_renderend
+dns_message_renderheader
+dns_message_renderrelease
+dns_message_renderreserve
+dns_message_renderreset
+dns_message_rendersection
+dns_message_reply
+dns_message_reset
+dns_message_resetsig
+dns_message_sectiontotext
+dns_message_setclass
+dns_message_setopt
+dns_message_setquerytsig
+dns_message_setsig0key
+dns_message_setsortorder
+dns_message_settimeadjust
+dns_message_settsigkey
+dns_message_signer
+dns_message_takebuffer
+dns_message_totext
+dns_name_caseequal
+dns_name_clone
+dns_name_compare
+dns_name_concatenate
+dns_name_copy
+dns_name_countlabels
+dns_name_destroy
+dns_name_digest
+dns_name_downcase
+dns_name_dup
+dns_name_dupwithoffsets
+dns_name_dynamic
+dns_name_equal
+dns_name_format
+dns_name_free
+dns_name_fromregion
+dns_name_fromstring
+dns_name_fromstring2
+dns_name_fromtext
+dns_name_fromwire
+dns_name_fullcompare
+dns_name_fullhash
+dns_name_getlabel
+dns_name_getlabelsequence
+dns_name_hasbuffer
+dns_name_hash
+dns_name_hashbylabel
+dns_name_init
+dns_name_internalwildcard
+dns_name_invalidate
+dns_name_isabsolute
+dns_name_isdnssd
+dns_name_ishostname
+dns_name_ismailbox
+dns_name_isrfc1918
+dns_name_issubdomain
+dns_name_istat
+dns_name_isula
+dns_name_isvalid
+dns_name_iswildcard
+dns_name_matcheswildcard
+dns_name_print
+dns_name_rdatacompare
+dns_name_reset
+dns_name_setbuffer
+dns_name_settotextfilter
+dns_name_split
+dns_name_tofilenametext
+dns_name_toprincipal
+dns_name_toregion
+dns_name_tostring
+dns_name_totext
+dns_name_totext2
+dns_name_towire
+dns_ncache_add
+dns_ncache_addoptout
+dns_ncache_current
+dns_ncache_getrdataset
+dns_ncache_getsigrdataset
+dns_ncache_towire
+dns_nsec3_active
+dns_nsec3_activex
+dns_nsec3_addnsec3
+dns_nsec3_addnsec3s
+dns_nsec3_addnsec3sx
+dns_nsec3_buildrdata
+dns_nsec3_delnsec3
+dns_nsec3_delnsec3s
+dns_nsec3_delnsec3sx
+dns_nsec3_hashlength
+dns_nsec3_hashname
+dns_nsec3_maxiterations
+dns_nsec3_noexistnodata
+dns_nsec3_supportedhash
+dns_nsec3_typepresent
+dns_nsec3param_deletechains
+dns_nsec3param_fromprivate
+dns_nsec3param_salttotext
+dns_nsec3param_toprivate
+dns_nsec_build
+dns_nsec_buildrdata
+dns_nsec_compressbitmap
+dns_nsec_isset
+dns_nsec_noexistnodata
+dns_nsec_nseconly
+dns_nsec_setbit
+dns_nsec_typepresent
+dns_ntatable_add
+dns_ntatable_attach
+dns_ntatable_covered
+dns_ntatable_create
+dns_ntatable_delete
+dns_ntatable_detach
+dns_ntatable_dump
+dns_ntatable_save
+dns_ntatable_totext
+dns_opcode_totext
+dns_opcodestats_create
+dns_opcodestats_dump
+dns_opcodestats_increment
+dns_order_add
+dns_order_attach
+dns_order_create
+dns_order_detach
+dns_order_find
+dns_peer_attach
+dns_peer_detach
+dns_peer_getbogus
+dns_peer_getednsversion
+dns_peer_getforcetcp
+dns_peer_getkey
+dns_peer_getmaxudp
+dns_peer_getnotifydscp
+dns_peer_getnotifysource
+dns_peer_getprovideixfr
+dns_peer_getquerydscp
+dns_peer_getquerysource
+dns_peer_getrequestexpire
+dns_peer_getrequestixfr
+dns_peer_getrequestnsid
+dns_peer_getsendcookie
+dns_peer_getsupportedns
+dns_peer_gettransferdscp
+dns_peer_gettransferformat
+dns_peer_gettransfers
+dns_peer_gettransfersource
+dns_peer_getudpsize
+dns_peer_new
+dns_peer_newprefix
+dns_peer_setbogus
+dns_peer_setednsversion
+dns_peer_setforcetcp
+dns_peer_setkey
+dns_peer_setkeybycharp
+dns_peer_setmaxudp
+dns_peer_setnotifydscp
+dns_peer_setnotifysource
+dns_peer_setprovideixfr
+dns_peer_setquerydscp
+dns_peer_setquerysource
+dns_peer_setrequestexpire
+dns_peer_setrequestixfr
+dns_peer_setrequestnsid
+dns_peer_setsendcookie
+dns_peer_setsupportedns
+dns_peer_settransferdscp
+dns_peer_settransferformat
+dns_peer_settransfers
+dns_peer_settransfersource
+dns_peer_setudpsize
+dns_peerlist_addpeer
+dns_peerlist_attach
+dns_peerlist_currpeer
+dns_peerlist_detach
+dns_peerlist_new
+dns_peerlist_peerbyaddr
+dns_portlist_add
+dns_portlist_attach
+dns_portlist_create
+dns_portlist_detach
+dns_portlist_match
+dns_portlist_remove
+dns_private_chains
+dns_private_totext
+dns_rbt_addname
+dns_rbt_addnode
+dns_rbt_create
+dns_rbt_deletename
+dns_rbt_deletenode
+dns_rbt_deserialize_tree
+dns_rbt_destroy
+dns_rbt_destroy2
+dns_rbt_findname
+dns_rbt_findnode
+dns_rbt_formatnodename
+dns_rbt_fullnamefromnode
+dns_rbt_hashsize
+dns_rbt_namefromnode
+dns_rbt_nodecount
+dns_rbt_printdot
+dns_rbt_printnodeinfo
+dns_rbt_printtext
+dns_rbt_root
+dns_rbt_serialize_align
+dns_rbt_serialize_tree
+dns_rbtnode_nodename
+dns_rbtnodechain_current
+dns_rbtnodechain_down
+dns_rbtnodechain_first
+dns_rbtnodechain_init
+dns_rbtnodechain_invalidate
+dns_rbtnodechain_last
+dns_rbtnodechain_next
+dns_rbtnodechain_nextflat
+dns_rbtnodechain_prev
+dns_rbtnodechain_reset
+dns_rcode_fromtext
+dns_rcode_totext
+dns_rcodestats_create
+dns_rcodestats_dump
+dns_rcodestats_increment
+dns_rdata_additionaldata
+dns_rdata_apl_current
+dns_rdata_apl_first
+dns_rdata_apl_next
+dns_rdata_casecompare
+dns_rdata_checknames
+dns_rdata_checkowner
+dns_rdata_clone
+dns_rdata_compare
+dns_rdata_covers
+dns_rdata_deleterrset
+dns_rdata_digest
+dns_rdata_exists
+dns_rdata_freestruct
+dns_rdata_fromregion
+dns_rdata_fromstruct
+dns_rdata_fromtext
+dns_rdata_fromwire
+dns_rdata_hip_current
+dns_rdata_hip_first
+dns_rdata_hip_next
+dns_rdata_init
+dns_rdata_makedelete
+dns_rdata_notexist
+dns_rdata_opt_current
+dns_rdata_opt_first
+dns_rdata_opt_next
+dns_rdata_reset
+dns_rdata_tofmttext
+dns_rdata_toregion
+dns_rdata_tostruct
+dns_rdata_totext
+dns_rdata_towire
+dns_rdata_txt_current
+dns_rdata_txt_first
+dns_rdata_txt_next
+dns_rdata_updateop
+dns_rdatacallbacks_init
+dns_rdatacallbacks_init_stdio
+dns_rdataclass_format
+dns_rdataclass_fromtext
+dns_rdataclass_ismeta
+dns_rdataclass_totext
+dns_rdataclass_tounknowntext
+dns_rdatalist_fromrdataset
+dns_rdatalist_init
+dns_rdatalist_tordataset
+dns_rdataset_addclosest
+dns_rdataset_additionaldata
+dns_rdataset_addnoqname
+dns_rdataset_clearprefetch
+dns_rdataset_clone
+dns_rdataset_count
+dns_rdataset_current
+dns_rdataset_disassociate
+dns_rdataset_expire
+dns_rdataset_first
+dns_rdataset_getadditional
+dns_rdataset_getclosest
+dns_rdataset_getnoqname
+dns_rdataset_getownercase
+dns_rdataset_init
+dns_rdataset_invalidate
+dns_rdataset_isassociated
+dns_rdataset_makequestion
+dns_rdataset_next
+dns_rdataset_putadditional
+dns_rdataset_setadditional
+dns_rdataset_setownercase
+dns_rdataset_settrust
+dns_rdataset_totext
+dns_rdataset_towire
+dns_rdataset_towirepartial
+dns_rdataset_towiresorted
+dns_rdataset_trimttl
+dns_rdatasetiter_current
+dns_rdatasetiter_destroy
+dns_rdatasetiter_first
+dns_rdatasetiter_next
+dns_rdatasetstats_create
+dns_rdatasetstats_decrement
+dns_rdatasetstats_dump
+dns_rdatasetstats_increment
+dns_rdataslab_count
+dns_rdataslab_equal
+dns_rdataslab_equalx
+dns_rdataslab_fromrdataset
+dns_rdataslab_merge
+dns_rdataslab_size
+dns_rdataslab_subtract
+dns_rdataslab_tordataset
+dns_rdatatype_atparent
+dns_rdatatype_attributes
+dns_rdatatype_format
+dns_rdatatype_fromtext
+dns_rdatatype_isdnssec
+dns_rdatatype_isknown
+dns_rdatatype_ismeta
+dns_rdatatype_issingleton
+dns_rdatatype_iszonecutauth
+dns_rdatatype_notquestion
+dns_rdatatype_questiononly
+dns_rdatatype_totext
+dns_rdatatype_tounknowntext
+dns_rdatatypestats_create
+dns_rdatatypestats_dump
+dns_rdatatypestats_increment
+dns_request_cancel
+dns_request_create
+dns_request_createraw
+dns_request_createraw2
+dns_request_createraw3
+dns_request_createraw4
+dns_request_createvia
+dns_request_createvia2
+dns_request_createvia3
+dns_request_createvia4
+dns_request_destroy
+dns_request_getresponse
+dns_request_usedtcp
+dns_requestmgr_attach
+dns_requestmgr_create
+dns_requestmgr_detach
+dns_requestmgr_shutdown
+dns_requestmgr_whenshutdown
+dns_resolver_addalternate
+dns_resolver_addbadcache
+dns_resolver_algorithm_supported
+dns_resolver_attach
+dns_resolver_cancelfetch
+dns_resolver_create
+dns_resolver_createfetch
+dns_resolver_createfetch2
+dns_resolver_createfetch3
+dns_resolver_destroyfetch
+dns_resolver_detach
+dns_resolver_disable_algorithm
+dns_resolver_disable_ds_digest
+dns_resolver_dispatchmgr
+dns_resolver_dispatchv4
+dns_resolver_dispatchv6
+dns_resolver_ds_digest_supported
+dns_resolver_dumpfetches
+dns_resolver_flushbadcache
+dns_resolver_flushbadnames
+dns_resolver_freeze
+dns_resolver_getbadcache
+dns_resolver_getclientsperquery
+dns_resolver_getlamettl
+dns_resolver_getmaxdepth
+dns_resolver_getmaxqueries
+dns_resolver_getmustbesecure
+dns_resolver_getoptions
+dns_resolver_getquerydscp4
+dns_resolver_getquerydscp6
+dns_resolver_getquotaresponse
+dns_resolver_gettimeout
+dns_resolver_getudpsize
+dns_resolver_getzeronosoattl
+dns_resolver_logfetch
+dns_resolver_nrunning
+dns_resolver_prime
+dns_resolver_printbadcache
+dns_resolver_reset_algorithms
+dns_resolver_reset_ds_digests
+dns_resolver_resetmustbesecure
+dns_resolver_setclientsperquery
+dns_resolver_setfetchesperzone
+dns_resolver_setlamettl
+dns_resolver_setmaxdepth
+dns_resolver_setmaxqueries
+dns_resolver_setmustbesecure
+dns_resolver_setquerydscp4
+dns_resolver_setquerydscp6
+dns_resolver_setquotaresponse
+dns_resolver_settimeout
+dns_resolver_setudpsize
+dns_resolver_setzeronosoattl
+dns_resolver_shutdown
+dns_resolver_socketmgr
+dns_resolver_taskmgr
+dns_resolver_whenshutdown
+dns_result_register
+dns_result_torcode
+dns_result_totext
+dns_root_checkhints
+dns_rootns_create
+dns_rpz_add
+dns_rpz_attach_rpzs
+dns_rpz_beginload
+dns_rpz_decode_cname
+dns_rpz_delete
+dns_rpz_detach_rpzs
+dns_rpz_find_ip
+dns_rpz_find_name
+dns_rpz_new_zones
+dns_rpz_policy2str
+dns_rpz_ready
+dns_rpz_str2policy
+dns_rpz_type2str
+dns_rriterator_current
+dns_rriterator_destroy
+dns_rriterator_first
+dns_rriterator_init
+dns_rriterator_next
+dns_rriterator_nextrrset
+dns_rriterator_pause
+dns_rrl
+dns_rrl_init
+dns_rrl_view_destroy
+dns_sdb_putnamedrdata
+dns_sdb_putnamedrr
+dns_sdb_putrdata
+dns_sdb_putrr
+dns_sdb_putsoa
+dns_sdb_register
+dns_sdb_unregister
+dns_sdlz_putnamedrr
+dns_sdlz_putrr
+dns_sdlz_putsoa
+dns_sdlz_setdb
+dns_sdlzregister
+dns_sdlzunregister
+dns_secalg_format
+dns_secalg_fromtext
+dns_secalg_totext
+dns_secproto_fromtext
+dns_secproto_totext
+dns_soa_buildrdata
+dns_soa_getexpire
+dns_soa_getminimum
+dns_soa_getrefresh
+dns_soa_getretry
+dns_soa_getserial
+dns_soa_setexpire
+dns_soa_setminimum
+dns_soa_setrefresh
+dns_soa_setretry
+dns_soa_setserial
+dns_ssu_external_match
+dns_ssu_mtypefromstring
+dns_ssutable_addrule
+dns_ssutable_attach
+dns_ssutable_checkrules
+dns_ssutable_checkrules2
+dns_ssutable_create
+dns_ssutable_createdlz
+dns_ssutable_detach
+dns_stats_alloccounters
+dns_stats_attach
+dns_stats_detach
+dns_stats_freecounters
+dns_tcpmsg_cancelread
+dns_tcpmsg_init
+dns_tcpmsg_invalidate
+dns_tcpmsg_keepbuffer
+dns_tcpmsg_readmessage
+dns_tcpmsg_setmaxsize
+dns_time32_fromtext
+dns_time32_totext
+dns_time64_from32
+dns_time64_fromtext
+dns_time64_totext
+dns_timer_setidle
+dns_tkey_builddeletequery
+dns_tkey_builddhquery
+dns_tkey_buildgssquery
+dns_tkey_gssnegotiate
+dns_tkey_processdeleteresponse
+dns_tkey_processdhresponse
+dns_tkey_processgssresponse
+dns_tkey_processquery
+dns_tkeyctx_create
+dns_tkeyctx_destroy
+dns_trust_totext
+dns_tsec_create
+dns_tsec_destroy
+dns_tsec_getkey
+dns_tsec_gettype
+dns_tsig_sign
+dns_tsig_verify
+dns_tsigkey_attach
+dns_tsigkey_create
+dns_tsigkey_createfromkey
+dns_tsigkey_detach
+dns_tsigkey_find
+dns_tsigkey_setdeleted
+dns_tsigkeyring_add
+dns_tsigkeyring_attach
+dns_tsigkeyring_create
+dns_tsigkeyring_detach
+dns_tsigkeyring_dumpanddetach
+dns_tsigrcode_fromtext
+dns_tsigrcode_totext
+dns_ttl_fromtext
+dns_ttl_totext
+dns_ttl_totext2
+dns_update_signatures
+dns_update_signaturesinc
+dns_update_soaserial
+dns_validator_cancel
+dns_validator_create
+dns_validator_destroy
+dns_validator_send
+dns_view_adddelegationonly
+dns_view_addzone
+dns_view_asyncload
+dns_view_asyncload2
+dns_view_attach
+dns_view_checksig
+dns_view_create
+dns_view_createresolver
+dns_view_createzonetable
+dns_view_detach
+dns_view_dialup
+dns_view_dumpdbtostream
+dns_view_excludedelegationonly
+dns_view_find
+dns_view_find2
+dns_view_findzone
+dns_view_findzonecut
+dns_view_findzonecut2
+dns_view_flushanddetach
+dns_view_flushcache
+dns_view_flushcache2
+dns_view_flushname
+dns_view_flushnode
+dns_view_freeze
+dns_view_freezezones
+dns_view_getadbstats
+dns_view_getdynamickeyring
+dns_view_getfailttl
+dns_view_getntatable
+dns_view_getpeertsig
+dns_view_getresquerystats
+dns_view_getresstats
+dns_view_getrootdelonly
+dns_view_getsecroots
+dns_view_gettsig
+dns_view_initntatable
+dns_view_initsecroots
+dns_view_iscacheshared
+dns_view_isdelegationonly
+dns_view_issecuredomain
+dns_view_load
+dns_view_loadnew
+dns_view_loadnta
+dns_view_ntacovers
+dns_view_restorekeyring
+dns_view_saventa
+dns_view_searchdlz
+dns_view_setadbstats
+dns_view_setcache
+dns_view_setcache2
+dns_view_setdstport
+dns_view_setdynamickeyring
+dns_view_setfailttl
+dns_view_sethints
+dns_view_setkeyring
+dns_view_setnewzones
+dns_view_setresquerystats
+dns_view_setresstats
+dns_view_setrootdelonly
+dns_view_setviewcommit
+dns_view_setviewrevert
+dns_view_simplefind
+dns_view_thaw
+dns_view_untrust
+dns_view_weakattach
+dns_view_weakdetach
+dns_viewlist_find
+dns_viewlist_findzone
+dns_xfrin_attach
+dns_xfrin_create
+dns_xfrin_create2
+dns_xfrin_create3
+dns_xfrin_detach
+dns_xfrin_shutdown
+dns_zone_addnsec3chain
+dns_zone_asyncload
+dns_zone_asyncload2
+dns_zone_attach
+dns_zone_catz_enable
+dns_zone_catz_enable_db
+dns_zone_cdscheck
+dns_zone_checknames
+dns_zone_clearforwardacl
+dns_zone_clearnotifyacl
+dns_zone_clearqueryacl
+dns_zone_clearqueryonacl
+dns_zone_clearupdateacl
+dns_zone_clearxfracl
+dns_zone_create
+dns_zone_detach
+dns_zone_dialup
+dns_zone_dlzpostload
+dns_zone_dump
+dns_zone_dumptostream
+dns_zone_dumptostream2
+dns_zone_dumptostream3
+dns_zone_expire
+dns_zone_first
+dns_zone_flush
+dns_zone_forcereload
+dns_zone_forwardupdate
+dns_zone_fulldumptostream
+dns_zone_get_parentcatz
+dns_zone_get_rpz_num
+dns_zone_getadded
+dns_zone_getaltxfrsource4
+dns_zone_getaltxfrsource4dscp
+dns_zone_getaltxfrsource6
+dns_zone_getaltxfrsource6dscp
+dns_zone_getautomatic
+dns_zone_getchecknames
+dns_zone_getclass
+dns_zone_getdb
+dns_zone_getdbtype
+dns_zone_getexpiretime
+dns_zone_getfile
+dns_zone_getforwardacl
+dns_zone_getidlein
+dns_zone_getidleout
+dns_zone_getincludes
+dns_zone_getjournal
+dns_zone_getjournalsize
+dns_zone_getkeydirectory
+dns_zone_getkeyopts
+dns_zone_getloadtime
+dns_zone_getmaxrecords
+dns_zone_getmaxttl
+dns_zone_getmaxxfrin
+dns_zone_getmaxxfrout
+dns_zone_getmctx
+dns_zone_getmgr
+dns_zone_getnotifyacl
+dns_zone_getnotifydelay
+dns_zone_getnotifysrc4
+dns_zone_getnotifysrc4dscp
+dns_zone_getnotifysrc6
+dns_zone_getnotifysrc6dscp
+dns_zone_getoptions
+dns_zone_getoptions2
+dns_zone_getorigin
+dns_zone_getprivatetype
+dns_zone_getqueryacl
+dns_zone_getqueryonacl
+dns_zone_getraw
+dns_zone_getrcvquerystats
+dns_zone_getrefreshkeytime
+dns_zone_getrefreshtime
+dns_zone_getrequestexpire
+dns_zone_getrequestixfr
+dns_zone_getrequeststats
+dns_zone_getserial
+dns_zone_getserial2
+dns_zone_getserialupdatemethod
+dns_zone_getsignatures
+dns_zone_getsigresigninginterval
+dns_zone_getsigvalidityinterval
+dns_zone_getssutable
+dns_zone_getstatlevel
+dns_zone_getstatscounters
+dns_zone_gettask
+dns_zone_gettype
+dns_zone_getupdateacl
+dns_zone_getupdatedisabled
+dns_zone_getview
+dns_zone_getxfracl
+dns_zone_getxfrsource4
+dns_zone_getxfrsource4dscp
+dns_zone_getxfrsource6
+dns_zone_getxfrsource6dscp
+dns_zone_getzeronosoattl
+dns_zone_iattach
+dns_zone_idetach
+dns_zone_isdynamic
+dns_zone_isforced
+dns_zone_keydone
+dns_zone_link
+dns_zone_load
+dns_zone_loadandthaw
+dns_zone_loadnew
+dns_zone_log
+dns_zone_logc
+dns_zone_logv
+dns_zone_maintenance
+dns_zone_markdirty
+dns_zone_name
+dns_zone_nameonly
+dns_zone_next
+dns_zone_notify
+dns_zone_notifyreceive
+dns_zone_notifyreceive2
+dns_zone_nscheck
+dns_zone_refresh
+dns_zone_rekey
+dns_zone_replacedb
+dns_zone_rpz_enable
+dns_zone_rpz_enable_db
+dns_zone_set_parentcatz
+dns_zone_setacache
+dns_zone_setadded
+dns_zone_setalsonotify
+dns_zone_setalsonotifydscpkeys
+dns_zone_setalsonotifywithkeys
+dns_zone_setaltxfrsource4
+dns_zone_setaltxfrsource4dscp
+dns_zone_setaltxfrsource6
+dns_zone_setaltxfrsource6dscp
+dns_zone_setautomatic
+dns_zone_setcheckmx
+dns_zone_setchecknames
+dns_zone_setcheckns
+dns_zone_setchecksrv
+dns_zone_setclass
+dns_zone_setdb
+dns_zone_setdbtype
+dns_zone_setdialup
+dns_zone_setfile
+dns_zone_setfile2
+dns_zone_setfile3
+dns_zone_setflag
+dns_zone_setforwardacl
+dns_zone_setidlein
+dns_zone_setidleout
+dns_zone_setisself
+dns_zone_setjournal
+dns_zone_setjournalsize
+dns_zone_setkeydirectory
+dns_zone_setkeyopt
+dns_zone_setmasters
+dns_zone_setmasterswithkeys
+dns_zone_setmaxrecords
+dns_zone_setmaxrefreshtime
+dns_zone_setmaxretrytime
+dns_zone_setmaxttl
+dns_zone_setmaxxfrin
+dns_zone_setmaxxfrout
+dns_zone_setminrefreshtime
+dns_zone_setminretrytime
+dns_zone_setnodes
+dns_zone_setnotifyacl
+dns_zone_setnotifydelay
+dns_zone_setnotifysrc4
+dns_zone_setnotifysrc4dscp
+dns_zone_setnotifysrc6
+dns_zone_setnotifysrc6dscp
+dns_zone_setnotifytype
+dns_zone_setnsec3param
+dns_zone_setoption
+dns_zone_setoption2
+dns_zone_setorigin
+dns_zone_setprivatetype
+dns_zone_setqueryacl
+dns_zone_setqueryonacl
+dns_zone_setrawdata
+dns_zone_setrcvquerystats
+dns_zone_setrefreshkeyinterval
+dns_zone_setrequestexpire
+dns_zone_setrequestixfr
+dns_zone_setrequeststats
+dns_zone_setserial
+dns_zone_setserialupdatemethod
+dns_zone_setsignatures
+dns_zone_setsigresigninginterval
+dns_zone_setsigvalidityinterval
+dns_zone_setssutable
+dns_zone_setstatistics
+dns_zone_setstatlevel
+dns_zone_setstats
+dns_zone_settask
+dns_zone_settype
+dns_zone_setupdateacl
+dns_zone_setupdatedisabled
+dns_zone_setview
+dns_zone_setviewcommit
+dns_zone_setviewrevert
+dns_zone_setxfracl
+dns_zone_setxfrsource4
+dns_zone_setxfrsource4dscp
+dns_zone_setxfrsource6
+dns_zone_setxfrsource6dscp
+dns_zone_setzeronosoattl
+dns_zone_signwithkey
+dns_zone_synckeyzone
+dns_zone_unload
+dns_zonekey_iszonekey
+dns_zonemgr_attach
+dns_zonemgr_create
+dns_zonemgr_createzone
+dns_zonemgr_detach
+dns_zonemgr_forcemaint
+dns_zonemgr_getcount
+dns_zonemgr_getiolimit
+dns_zonemgr_getnotifyrate
+dns_zonemgr_getserialqueryrate
+dns_zonemgr_getstartupnotifyrate
+dns_zonemgr_getttransfersin
+dns_zonemgr_getttransfersperns
+dns_zonemgr_managezone
+dns_zonemgr_releasezone
+dns_zonemgr_resumexfrs
+dns_zonemgr_setiolimit
+dns_zonemgr_setnotifyrate
+dns_zonemgr_setserialqueryrate
+dns_zonemgr_setsize
+dns_zonemgr_setstartupnotifyrate
+dns_zonemgr_settransfersin
+dns_zonemgr_settransfersperns
+dns_zonemgr_shutdown
+dns_zonemgr_unreachable
+dns_zonemgr_unreachableadd
+dns_zonemgr_unreachabledel
+dns_zt_apply
+dns_zt_apply2
+dns_zt_asyncload
+dns_zt_asyncload2
+dns_zt_attach
+dns_zt_create
+dns_zt_detach
+dns_zt_find
+dns_zt_flushanddetach
+dns_zt_freezezones
+dns_zt_load
+dns_zt_loadnew
+dns_zt_mount
+dns_zt_setviewcommit
+dns_zt_setviewrevert
+dns_zt_unmount
+dst_algorithm_supported
+dst_context_adddata
+dst_context_create
+dst_context_create2
+dst_context_create3
+dst_context_create4
+dst_context_destroy
+dst_context_sign
+dst_context_verify
+dst_context_verify2
+dst_ds_digest_supported
+dst_gssapi_acceptctx
+dst_gssapi_acquirecred
+dst_gssapi_deletectx
+dst_gssapi_identitymatchesrealmkrb5
+dst_gssapi_identitymatchesrealmms
+dst_gssapi_initctx
+dst_gssapi_releasecred
+dst_key_alg
+dst_key_attach
+dst_key_buildfilename
+dst_key_buildinternal
+dst_key_class
+dst_key_compare
+dst_key_computesecret
+dst_key_dump
+dst_key_flags
+dst_key_format
+dst_key_free
+dst_key_frombuffer
+dst_key_fromdns
+dst_key_fromfile
+dst_key_fromgssapi
+dst_key_fromlabel
+dst_key_fromnamedfile
+dst_key_generate
+dst_key_generate2
+dst_key_getbits
+dst_key_getfilename
+dst_key_getgssctx
+dst_key_getnum
+dst_key_getprivateformat
+dst_key_gettime
+dst_key_getttl
+dst_key_id
+dst_key_inactive
+dst_key_isexternal
+dst_key_isnullkey
+dst_key_isprivate
+dst_key_iszonekey
+dst_key_name
+dst_key_paramcompare
+dst_key_privatefrombuffer
+dst_key_proto
+dst_key_pubcompare
+dst_key_read_public
+dst_key_restore
+dst_key_rid
+dst_key_secretsize
+dst_key_setbits
+dst_key_setexternal
+dst_key_setflags
+dst_key_setinactive
+dst_key_setnum
+dst_key_setprivateformat
+dst_key_settime
+dst_key_setttl
+dst_key_sigsize
+dst_key_size
+dst_key_tkeytoken
+dst_key_tobuffer
+dst_key_todns
+dst_key_tofile
+dst_key_unsetnum
+dst_key_unsettime
+dst_lib_destroy
+dst_lib_init
+dst_lib_init2
+dst_lib_initmsgcat
+dst_region_computeid
+dst_region_computerid
+dst_result_register
+dst_result_totext
+@IF NOLONGER
+; Exported Data
+
+EXPORTS
+
+dns_pps			DATA
+dns_master_style_full	DATA
+dns_msgcat		DATA
+dns_tsig_hmacmd5_name	DATA
+dns_zone_mkey_day	DATA
+dns_zone_mkey_hour	DATA
+dns_zone_mkey_month	DATA
+dst__memory_pool	DATA
+dst_msgcat		DATA
+@END NOLONGER
diff --git a/lib/dns/win32/libdns.dsp.in b/lib/dns/win32/libdns.dsp.in
new file mode 100644
index 0000000..cc960fe
--- /dev/null
+++ b/lib/dns/win32/libdns.dsp.in
@@ -0,0 +1,937 @@
+# Microsoft Developer Studio Project File - Name="libdns" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libdns - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libdns - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libdns - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @LIBXML2_INC@ @OPENSSL_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll @MACHINE@ /out:"../../../Build/Release/libdns.dll"
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libdns_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 @LIBXML2_LIB@ user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libdns.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libdns - @PLATFORM@ Release"
+# Name "libdns - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\dns\acache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\acl.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\adb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\badcache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\bit.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\byaddr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\cache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\callbacks.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\catz.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\cert.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\client.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\clientinfo.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\code.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\compress.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\db.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dbiterator.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dbtable.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\diff.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dispatch.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dlz.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dns64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dnssec.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dnstap.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ds.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\dyndb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ecdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\edns.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\enumclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\enumtype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\events.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\fixedname.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\forward.h
+# End Source File
+@IF GEOIP
+# Begin Source File
+
+SOURCE=..\include\dns\geoip.h
+# End Source File
+@END GEOIP
+# Begin Source File
+
+SOURCE=..\include\dns\ipkeylist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\iptable.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\journal.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keydata.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keyflags.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keytable.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\keyvalues.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\lib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\lookup.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\master.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\masterdump.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\message.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\name.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ncache.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\nsec.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\nsec3.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\nta.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\order.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\peer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\portlist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\private.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rbt.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdatalist_p.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rcode.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdata.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatalist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataset.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatasetiter.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdataslab.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatastruct.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rdatatype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\request.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\resolver.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rootns.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rpz.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rrl.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\rriterator.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\sdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\sdlz.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\secalg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\secproto.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\soa.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ssu.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\stats.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tcpmsg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\time.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\timer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tkey.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tsec.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\tsig.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\ttl.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\update.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\validator.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\version.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\view.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\xfrin.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zone.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zonekey.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\dns\zt.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Dns Lib"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\acache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\acl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\adb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\badcache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\byaddr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\cache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\callbacks.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\catz.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\client.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\clientinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\compress.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\db.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dbiterator.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dbtable.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\diff.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dispatch.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dlz.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dns64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnssec.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ds.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dyndb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ecdb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\forward.c
+# End Source File
+@IF GEOIP
+# Begin Source File
+
+SOURCE=..\geoip.c
+# End Source File
+@END GEOIP
+# Begin Source File
+
+SOURCE=..\ipkeylist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\iptable.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\journal.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\keydata.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\keytable.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lookup.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\master.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\masterdump.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\message.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\name.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ncache.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nsec.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nsec3.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nta.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\order.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\peer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\portlist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\private.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbt.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rbtdb64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rcode.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdata.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdatalist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdataset.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdatasetiter.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rdataslab.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\request.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\resolver.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rootns.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rpz.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rrl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rriterator.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sdb.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\soa.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sdlz.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ssu.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ssu_external.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\stats.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tcpmsg.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\time.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\timer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tkey.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tsec.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tsig.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ttl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\update.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\validator.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\view.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\xfrin.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zone.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zonekey.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\zt.c
+# End Source File
+# End Group
+# Begin Group "dst"
+
+# PROP Default_Filter "c"
+# Begin Source File
+
+SOURCE=..\dst_api.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dst_lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dst_parse.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dst_result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gssapi_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gssapictx.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\spnego.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hmac_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\key.c
+# End Source File
+@IF OPENSSL
+# Begin Source File
+
+SOURCE=..\openssl_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\openssldh_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\openssldsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\opensslecdsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\openssleddsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\opensslgost_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\opensslrsa_link.c
+# End Source File
+@END OPENSSL
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\pkcs11.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dh_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11dsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11ecdsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11eddsa_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11gost_link.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pkcs11rsa_link.c
+# End Source File
+@END PKCS11
+# End Group
+# Begin Source File
+
+SOURCE=.\libdns.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/dns/win32/libdns.dsw b/lib/dns/win32/libdns.dsw
new file mode 100644
index 0000000..424a2cb
--- /dev/null
+++ b/lib/dns/win32/libdns.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libdns"=".\libdns.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/dns/win32/libdns.mak.in b/lib/dns/win32/libdns.mak.in
new file mode 100644
index 0000000..df8666a
--- /dev/null
+++ b/lib/dns/win32/libdns.mak.in
@@ -0,0 +1,2890 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libdns.dsp
+!IF "$(CFG)" == ""
+CFG=libdns - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to libdns - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libdns - @PLATFORM@ Release" && "$(CFG)" != "libdns - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libdns.mak" CFG="libdns - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libdns - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libdns - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libdns.dll"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Release" "..\..\..\Build\Release\libdns.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\acache.obj"
+	-@erase "$(INTDIR)\acl.obj"
+	-@erase "$(INTDIR)\adb.obj"
+	-@erase "$(INTDIR)\badcache.obj"
+	-@erase "$(INTDIR)\byaddr.obj"
+	-@erase "$(INTDIR)\cache.obj"
+	-@erase "$(INTDIR)\callbacks.obj"
+	-@erase "$(INTDIR)\client.obj"
+	-@erase "$(INTDIR)\clientinfo.obj"
+	-@erase "$(INTDIR)\compress.obj"
+	-@erase "$(INTDIR)\db.obj"
+	-@erase "$(INTDIR)\dbiterator.obj"
+	-@erase "$(INTDIR)\dbtable.obj"
+	-@erase "$(INTDIR)\diff.obj"
+	-@erase "$(INTDIR)\dispatch.obj"
+	-@erase "$(INTDIR)\dlz.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\dns64.obj"
+	-@erase "$(INTDIR)\dnssec.obj"
+	-@erase "$(INTDIR)\ds.obj"
+	-@erase "$(INTDIR)\dst_api.obj"
+	-@erase "$(INTDIR)\dst_lib.obj"
+	-@erase "$(INTDIR)\dst_parse.obj"
+	-@erase "$(INTDIR)\dst_result.obj"
+	-@erase "$(INTDIR)\dyndb.obj"
+	-@erase "$(INTDIR)\ecdb.obj"
+	-@erase "$(INTDIR)\forward.obj"
+@IF GEOIP
+	-@erase "$(INTDIR)\geoip.obj"
+@END GEOIP
+	-@erase "$(INTDIR)\gssapi_link.obj"
+	-@erase "$(INTDIR)\gssapictx.obj"
+	-@erase "$(INTDIR)\spnego.obj"
+	-@erase "$(INTDIR)\hmac_link.obj"
+	-@erase "$(INTDIR)\ipkeylist.obj"
+	-@erase "$(INTDIR)\iptable.obj"
+	-@erase "$(INTDIR)\journal.obj"
+	-@erase "$(INTDIR)\key.obj"
+	-@erase "$(INTDIR)\keytable.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\lookup.obj"
+	-@erase "$(INTDIR)\master.obj"
+	-@erase "$(INTDIR)\masterdump.obj"
+	-@erase "$(INTDIR)\message.obj"
+	-@erase "$(INTDIR)\name.obj"
+	-@erase "$(INTDIR)\ncache.obj"
+	-@erase "$(INTDIR)\nsec.obj"
+	-@erase "$(INTDIR)\nsec3.obj"
+	-@erase "$(INTDIR)\nta.obj"
+@IF OPENSSL
+	-@erase "$(INTDIR)\openssl_link.obj"
+	-@erase "$(INTDIR)\openssldh_link.obj"
+	-@erase "$(INTDIR)\openssldsa_link.obj"
+	-@erase "$(INTDIR)\opensslecdsa_link.obj"
+	-@erase "$(INTDIR)\openssleddsa_link.obj"
+	-@erase "$(INTDIR)\opensslgost_link.obj"
+	-@erase "$(INTDIR)\opensslrsa_link.obj"
+@END OPENSSL
+	-@erase "$(INTDIR)\order.obj"
+	-@erase "$(INTDIR)\peer.obj"
+@IF PKCS11
+	-@erase "$(INTDIR)\pkcs11.obj"
+	-@erase "$(INTDIR)\pkcs11dh_link.obj"
+	-@erase "$(INTDIR)\pkcs11dsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11eddsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11gost_link.obj"
+	-@erase "$(INTDIR)\pkcs11rsa_link.obj"
+@END PKCS11
+	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\private.obj"
+	-@erase "$(INTDIR)\rbt.obj"
+	-@erase "$(INTDIR)\rbtdb.obj"
+	-@erase "$(INTDIR)\rbtdb64.obj"
+	-@erase "$(INTDIR)\rcode.obj"
+	-@erase "$(INTDIR)\rdata.obj"
+	-@erase "$(INTDIR)\rdatalist.obj"
+	-@erase "$(INTDIR)\rdataset.obj"
+	-@erase "$(INTDIR)\rdatasetiter.obj"
+	-@erase "$(INTDIR)\rdataslab.obj"
+	-@erase "$(INTDIR)\request.obj"
+	-@erase "$(INTDIR)\resolver.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\rootns.obj"
+	-@erase "$(INTDIR)\rpz.obj"
+	-@erase "$(INTDIR)\rrl.obj"
+	-@erase "$(INTDIR)\sdb.obj"
+	-@erase "$(INTDIR)\sdlz.obj"
+	-@erase "$(INTDIR)\soa.obj"
+	-@erase "$(INTDIR)\ssu.obj"
+	-@erase "$(INTDIR)\ssu_external.obj"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\tcpmsg.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\tkey.obj"
+	-@erase "$(INTDIR)\tsec.obj"
+	-@erase "$(INTDIR)\tsig.obj"
+	-@erase "$(INTDIR)\ttl.obj"
+	-@erase "$(INTDIR)\update.obj"
+	-@erase "$(INTDIR)\validator.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\view.obj"
+	-@erase "$(INTDIR)\xfrin.obj"
+	-@erase "$(INTDIR)\zone.obj"
+	-@erase "$(INTDIR)\zonekey.obj"
+	-@erase "$(INTDIR)\zt.obj"
+	-@erase "$(OUTDIR)\libdns.exp"
+	-@erase "$(OUTDIR)\libdns.lib"
+	-@erase "..\..\..\Build\Release\libdns.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+LIBXML=@LIBXML2_LIB@
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Release/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libdns.pdb" @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Release/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" 
+DEF_FILE= \
+	".\libdns.def"
+LINK32_OBJS= \
+	"$(INTDIR)\acache.obj" \
+	"$(INTDIR)\acl.obj" \
+	"$(INTDIR)\adb.obj" \
+	"$(INTDIR)\badcache.obj" \
+	"$(INTDIR)\byaddr.obj" \
+	"$(INTDIR)\cache.obj" \
+	"$(INTDIR)\callbacks.obj" \
+	"$(INTDIR)\client.obj" \
+	"$(INTDIR)\clientinfo.obj" \
+	"$(INTDIR)\compress.obj" \
+	"$(INTDIR)\db.obj" \
+	"$(INTDIR)\dbiterator.obj" \
+	"$(INTDIR)\dbtable.obj" \
+	"$(INTDIR)\diff.obj" \
+	"$(INTDIR)\dispatch.obj" \
+	"$(INTDIR)\dlz.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dns64.obj" \
+	"$(INTDIR)\dnssec.obj" \
+	"$(INTDIR)\ds.obj" \
+	"$(INTDIR)\dyndb.obj" \
+	"$(INTDIR)\ecdb.obj" \
+	"$(INTDIR)\forward.obj" \
+@IF GEOIP
+	"$(INTDIR)\geoip.obj" \
+@END GEOIP
+	"$(INTDIR)\ipkeylist.obj" \
+	"$(INTDIR)\iptable.obj" \
+	"$(INTDIR)\journal.obj" \
+	"$(INTDIR)\keydata.obj" \
+	"$(INTDIR)\keytable.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\lookup.obj" \
+	"$(INTDIR)\master.obj" \
+	"$(INTDIR)\masterdump.obj" \
+	"$(INTDIR)\message.obj" \
+	"$(INTDIR)\name.obj" \
+	"$(INTDIR)\ncache.obj" \
+	"$(INTDIR)\nsec.obj" \
+	"$(INTDIR)\nsec3.obj" \
+	"$(INTDIR)\nta.obj" \
+	"$(INTDIR)\order.obj" \
+	"$(INTDIR)\peer.obj" \
+	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
+	"$(INTDIR)\rbt.obj" \
+	"$(INTDIR)\rbtdb.obj" \
+	"$(INTDIR)\rbtdb64.obj" \
+	"$(INTDIR)\rcode.obj" \
+	"$(INTDIR)\rdata.obj" \
+	"$(INTDIR)\rdatalist.obj" \
+	"$(INTDIR)\rdataset.obj" \
+	"$(INTDIR)\rdatasetiter.obj" \
+	"$(INTDIR)\rdataslab.obj" \
+	"$(INTDIR)\request.obj" \
+	"$(INTDIR)\resolver.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rootns.obj" \
+	"$(INTDIR)\rpz.obj" \
+	"$(INTDIR)\rrl.obj" \
+	"$(INTDIR)\rriterator.obj" \
+	"$(INTDIR)\sdb.obj" \
+	"$(INTDIR)\sdlz.obj" \
+	"$(INTDIR)\soa.obj" \
+	"$(INTDIR)\ssu.obj" \
+	"$(INTDIR)\ssu_external.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\tcpmsg.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tkey.obj" \
+	"$(INTDIR)\tsec.obj" \
+	"$(INTDIR)\tsig.obj" \
+	"$(INTDIR)\ttl.obj" \
+	"$(INTDIR)\update.obj" \
+	"$(INTDIR)\validator.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\view.obj" \
+	"$(INTDIR)\xfrin.obj" \
+	"$(INTDIR)\zone.obj" \
+	"$(INTDIR)\zonekey.obj" \
+	"$(INTDIR)\zt.obj" \
+	"$(INTDIR)\dst_api.obj" \
+	"$(INTDIR)\dst_lib.obj" \
+	"$(INTDIR)\dst_parse.obj" \
+	"$(INTDIR)\dst_result.obj" \
+	"$(INTDIR)\gssapi_link.obj" \
+	"$(INTDIR)\gssapictx.obj" \
+	"$(INTDIR)\spnego.obj" \
+	"$(INTDIR)\hmac_link.obj" \
+	"$(INTDIR)\key.obj" \
+@IF OPENSSL
+	"$(INTDIR)\openssl_link.obj" \
+	"$(INTDIR)\openssldh_link.obj" \
+	"$(INTDIR)\openssldsa_link.obj" \
+	"$(INTDIR)\opensslecdsa_link.obj" \
+	"$(INTDIR)\openssleddsa_link.obj" \
+	"$(INTDIR)\opensslgost_link.obj" \
+	"$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+	"$(INTDIR)\pkcs11.obj" \
+	"$(INTDIR)\pkcs11dh_link.obj" \
+	"$(INTDIR)\pkcs11dsa_link.obj" \
+	"$(INTDIR)\pkcs11ecdsa_link.obj" \
+	"$(INTDIR)\pkcs11eddsa_link.obj" \
+	"$(INTDIR)\pkcs11gost_link.obj" \
+	"$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libdns.dll" "$(OUTDIR)\libdns.bsc"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Debug" "..\..\..\Build\Debug\libdns.dll" "$(OUTDIR)\libdns.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\acache.obj"
+	-@erase "$(INTDIR)\acache.sbr"
+	-@erase "$(INTDIR)\acl.obj"
+	-@erase "$(INTDIR)\acl.sbr"
+	-@erase "$(INTDIR)\adb.obj"
+	-@erase "$(INTDIR)\adb.sbr"
+	-@erase "$(INTDIR)\badcache.obj"
+	-@erase "$(INTDIR)\badcache.sbr"
+	-@erase "$(INTDIR)\byaddr.obj"
+	-@erase "$(INTDIR)\byaddr.sbr"
+	-@erase "$(INTDIR)\cache.obj"
+	-@erase "$(INTDIR)\cache.sbr"
+	-@erase "$(INTDIR)\callbacks.obj"
+	-@erase "$(INTDIR)\callbacks.sbr"
+	-@erase "$(INTDIR)\client.obj"
+	-@erase "$(INTDIR)\client.sbr"
+	-@erase "$(INTDIR)\clientinfo.obj"
+	-@erase "$(INTDIR)\clientinfo.sbr"
+	-@erase "$(INTDIR)\compress.obj"
+	-@erase "$(INTDIR)\compress.sbr"
+	-@erase "$(INTDIR)\db.obj"
+	-@erase "$(INTDIR)\db.sbr"
+	-@erase "$(INTDIR)\dbiterator.obj"
+	-@erase "$(INTDIR)\dbiterator.sbr"
+	-@erase "$(INTDIR)\dbtable.obj"
+	-@erase "$(INTDIR)\dbtable.sbr"
+	-@erase "$(INTDIR)\diff.obj"
+	-@erase "$(INTDIR)\diff.sbr"
+	-@erase "$(INTDIR)\dispatch.obj"
+	-@erase "$(INTDIR)\dispatch.sbr"
+	-@erase "$(INTDIR)\dlz.obj"
+	-@erase "$(INTDIR)\dlz.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\dns64.obj"
+	-@erase "$(INTDIR)\dns64.sbr"
+	-@erase "$(INTDIR)\dnssec.obj"
+	-@erase "$(INTDIR)\dnssec.sbr"
+	-@erase "$(INTDIR)\ds.obj"
+	-@erase "$(INTDIR)\ds.sbr"
+	-@erase "$(INTDIR)\dst_api.obj"
+	-@erase "$(INTDIR)\dst_api.sbr"
+	-@erase "$(INTDIR)\dst_lib.obj"
+	-@erase "$(INTDIR)\dst_lib.sbr"
+	-@erase "$(INTDIR)\dst_parse.obj"
+	-@erase "$(INTDIR)\dst_parse.sbr"
+	-@erase "$(INTDIR)\dst_result.obj"
+	-@erase "$(INTDIR)\dst_result.sbr"
+	-@erase "$(INTDIR)\dyndb.obj"
+	-@erase "$(INTDIR)\dyndb.sbr"
+	-@erase "$(INTDIR)\ecdb.obj"
+	-@erase "$(INTDIR)\ecdb.sbr"
+	-@erase "$(INTDIR)\forward.obj"
+	-@erase "$(INTDIR)\forward.sbr"
+@IF GEOIP
+	-@erase "$(INTDIR)\geoip.obj"
+	-@erase "$(INTDIR)\geoip.sbr"
+@END GEOIP
+	-@erase "$(INTDIR)\gssapi_link.obj"
+	-@erase "$(INTDIR)\gssapi_link.sbr"
+	-@erase "$(INTDIR)\gssapictx.obj"
+	-@erase "$(INTDIR)\gssapictx.sbr"
+	-@erase "$(INTDIR)\spnego.obj"
+	-@erase "$(INTDIR)\spnego.sbr"
+	-@erase "$(INTDIR)\hmac_link.obj"
+	-@erase "$(INTDIR)\hmac_link.sbr"
+	-@erase "$(INTDIR)\ipkeylist.obj"
+	-@erase "$(INTDIR)\ipkeylist.sbr"
+	-@erase "$(INTDIR)\iptable.obj"
+	-@erase "$(INTDIR)\iptable.sbr"
+	-@erase "$(INTDIR)\journal.obj"
+	-@erase "$(INTDIR)\journal.sbr"
+	-@erase "$(INTDIR)\key.obj"
+	-@erase "$(INTDIR)\key.sbr"
+	-@erase "$(INTDIR)\keydata.obj"
+	-@erase "$(INTDIR)\keydata.sbr"
+	-@erase "$(INTDIR)\keytable.obj"
+	-@erase "$(INTDIR)\keytable.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\lookup.obj"
+	-@erase "$(INTDIR)\lookup.sbr"
+	-@erase "$(INTDIR)\master.obj"
+	-@erase "$(INTDIR)\master.sbr"
+	-@erase "$(INTDIR)\masterdump.obj"
+	-@erase "$(INTDIR)\masterdump.sbr"
+	-@erase "$(INTDIR)\message.obj"
+	-@erase "$(INTDIR)\message.sbr"
+	-@erase "$(INTDIR)\name.obj"
+	-@erase "$(INTDIR)\name.sbr"
+	-@erase "$(INTDIR)\ncache.obj"
+	-@erase "$(INTDIR)\ncache.sbr"
+	-@erase "$(INTDIR)\nsec.obj"
+	-@erase "$(INTDIR)\nsec.sbr"
+	-@erase "$(INTDIR)\nsec3.obj"
+	-@erase "$(INTDIR)\nsec3.sbr"
+	-@erase "$(INTDIR)\nta.obj"
+	-@erase "$(INTDIR)\nta.sbr"
+@IF OPENSSL
+	-@erase "$(INTDIR)\openssl_link.obj"
+	-@erase "$(INTDIR)\openssl_link.sbr"
+	-@erase "$(INTDIR)\openssldh_link.obj"
+	-@erase "$(INTDIR)\openssldh_link.sbr"
+	-@erase "$(INTDIR)\openssldsa_link.obj"
+	-@erase "$(INTDIR)\openssldsa_link.sbr"
+	-@erase "$(INTDIR)\opensslecdsa_link.obj"
+	-@erase "$(INTDIR)\opensslecdsa_link.sbr"
+	-@erase "$(INTDIR)\openssleddsa_link.obj"
+	-@erase "$(INTDIR)\openssleddsa_link.sbr"
+	-@erase "$(INTDIR)\opensslgost_link.obj"
+	-@erase "$(INTDIR)\opensslgost_link.sbr"
+	-@erase "$(INTDIR)\opensslrsa_link.obj"
+	-@erase "$(INTDIR)\opensslrsa_link.sbr"
+@END OPENSSL
+	-@erase "$(INTDIR)\order.obj"
+	-@erase "$(INTDIR)\order.sbr"
+	-@erase "$(INTDIR)\peer.obj"
+	-@erase "$(INTDIR)\peer.sbr"
+@IF PKCS11
+	-@erase "$(INTDIR)\pkcs11.obj"
+	-@erase "$(INTDIR)\pkcs11.sbr"
+	-@erase "$(INTDIR)\pkcs11dh_link.obj"
+	-@erase "$(INTDIR)\pkcs11dh_link.sbr"
+	-@erase "$(INTDIR)\pkcs11dsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11dsa_link.sbr"
+	-@erase "$(INTDIR)\pkcs11ecdsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11ecdsa_link.sbr"
+	-@erase "$(INTDIR)\pkcs11eddsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11eddsa_link.sbr"
+	-@erase "$(INTDIR)\pkcs11gost_link.obj"
+	-@erase "$(INTDIR)\pkcs11gost_link.sbr"
+	-@erase "$(INTDIR)\pkcs11rsa_link.obj"
+	-@erase "$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
+	-@erase "$(INTDIR)\portlist.obj"
+	-@erase "$(INTDIR)\portlist.sbr"
+	-@erase "$(INTDIR)\private.obj"
+	-@erase "$(INTDIR)\private.sbr"
+	-@erase "$(INTDIR)\rbt.obj"
+	-@erase "$(INTDIR)\rbt.sbr"
+	-@erase "$(INTDIR)\rbtdb.obj"
+	-@erase "$(INTDIR)\rbtdb.sbr"
+	-@erase "$(INTDIR)\rbtdb64.obj"
+	-@erase "$(INTDIR)\rbtdb64.sbr"
+	-@erase "$(INTDIR)\rcode.obj"
+	-@erase "$(INTDIR)\rcode.sbr"
+	-@erase "$(INTDIR)\rdata.obj"
+	-@erase "$(INTDIR)\rdata.sbr"
+	-@erase "$(INTDIR)\rdatalist.obj"
+	-@erase "$(INTDIR)\rdatalist.sbr"
+	-@erase "$(INTDIR)\rdataset.obj"
+	-@erase "$(INTDIR)\rdataset.sbr"
+	-@erase "$(INTDIR)\rdatasetiter.obj"
+	-@erase "$(INTDIR)\rdatasetiter.sbr"
+	-@erase "$(INTDIR)\rdataslab.obj"
+	-@erase "$(INTDIR)\rdataslab.sbr"
+	-@erase "$(INTDIR)\request.obj"
+	-@erase "$(INTDIR)\request.sbr"
+	-@erase "$(INTDIR)\resolver.obj"
+	-@erase "$(INTDIR)\resolver.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\rootns.obj"
+	-@erase "$(INTDIR)\rootns.sbr"
+	-@erase "$(INTDIR)\rpz.obj"
+	-@erase "$(INTDIR)\rpz.sbr"
+	-@erase "$(INTDIR)\rrl.obj"
+	-@erase "$(INTDIR)\rrl.sbr"
+	-@erase "$(INTDIR)\rriterator.obj"
+	-@erase "$(INTDIR)\rriterator.sbr"
+	-@erase "$(INTDIR)\sdb.obj"
+	-@erase "$(INTDIR)\sdb.sbr"
+	-@erase "$(INTDIR)\sdlz.obj"
+	-@erase "$(INTDIR)\sdlz.sbr"
+	-@erase "$(INTDIR)\soa.obj"
+	-@erase "$(INTDIR)\soa.sbr"
+	-@erase "$(INTDIR)\ssu.obj"
+	-@erase "$(INTDIR)\ssu_external.obj"
+	-@erase "$(INTDIR)\ssu.sbr"
+	-@erase "$(INTDIR)\ssu_external.sbr"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\stats.sbr"
+	-@erase "$(INTDIR)\tcpmsg.obj"
+	-@erase "$(INTDIR)\tcpmsg.sbr"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\time.sbr"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\timer.sbr"
+	-@erase "$(INTDIR)\tkey.obj"
+	-@erase "$(INTDIR)\tkey.sbr"
+	-@erase "$(INTDIR)\tsec.obj"
+	-@erase "$(INTDIR)\tsec.sbr"
+	-@erase "$(INTDIR)\tsig.obj"
+	-@erase "$(INTDIR)\tsig.sbr"
+	-@erase "$(INTDIR)\ttl.obj"
+	-@erase "$(INTDIR)\ttl.sbr"
+	-@erase "$(INTDIR)\update.obj"
+	-@erase "$(INTDIR)\update.sbr"
+	-@erase "$(INTDIR)\validator.obj"
+	-@erase "$(INTDIR)\validator.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(INTDIR)\view.obj"
+	-@erase "$(INTDIR)\view.sbr"
+	-@erase "$(INTDIR)\xfrin.obj"
+	-@erase "$(INTDIR)\xfrin.sbr"
+	-@erase "$(INTDIR)\zone.obj"
+	-@erase "$(INTDIR)\zone.sbr"
+	-@erase "$(INTDIR)\zonekey.obj"
+	-@erase "$(INTDIR)\zonekey.sbr"
+	-@erase "$(INTDIR)\zt.obj"
+	-@erase "$(INTDIR)\zt.sbr"
+	-@erase "$(OUTDIR)\libdns.bsc"
+	-@erase "$(OUTDIR)\libdns.exp"
+	-@erase "$(OUTDIR)\libdns.lib"
+	-@erase "$(OUTDIR)\libdns.map"
+	-@erase "$(OUTDIR)\libdns.pdb"
+	-@erase "..\..\..\Build\Debug\libdns.dll"
+	-@erase "..\..\..\Build\Debug\libdns.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+MTL=midl.exe
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libdns.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\acache.sbr" \
+	"$(INTDIR)\acl.sbr" \
+	"$(INTDIR)\adb.sbr" \
+	"$(INTDIR)\badcache.sbr" \
+	"$(INTDIR)\byaddr.sbr" \
+	"$(INTDIR)\cache.sbr" \
+	"$(INTDIR)\callbacks.sbr" \
+	"$(INTDIR)\client.sbr" \
+	"$(INTDIR)\clientinfo.sbr" \
+	"$(INTDIR)\compress.sbr" \
+	"$(INTDIR)\db.sbr" \
+	"$(INTDIR)\dbiterator.sbr" \
+	"$(INTDIR)\dbtable.sbr" \
+	"$(INTDIR)\diff.sbr" \
+	"$(INTDIR)\dispatch.sbr" \
+	"$(INTDIR)\dlz.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\dns64.sbr" \
+	"$(INTDIR)\dnssec.sbr" \
+	"$(INTDIR)\ds.sbr" \
+	"$(INTDIR)\dyndb.sbr" \
+	"$(INTDIR)\ecdb.sbr" \
+	"$(INTDIR)\forward.sbr" \
+@IF GEOIP
+	"$(INTDIR)\geoip.sbr" \
+@END GEOIP
+	"$(INTDIR)\ipkeylist.sbr" \
+	"$(INTDIR)\iptable.sbr" \
+	"$(INTDIR)\journal.sbr" \
+	"$(INTDIR)\keydata.sbr" \
+	"$(INTDIR)\keytable.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\lookup.sbr" \
+	"$(INTDIR)\master.sbr" \
+	"$(INTDIR)\masterdump.sbr" \
+	"$(INTDIR)\message.sbr" \
+	"$(INTDIR)\name.sbr" \
+	"$(INTDIR)\ncache.sbr" \
+	"$(INTDIR)\nsec.sbr" \
+	"$(INTDIR)\nsec3.sbr" \
+	"$(INTDIR)\nta.sbr" \
+	"$(INTDIR)\order.sbr" \
+	"$(INTDIR)\peer.sbr" \
+	"$(INTDIR)\portlist.sbr" \
+	"$(INTDIR)\private.sbr" \
+	"$(INTDIR)\rbt.sbr" \
+	"$(INTDIR)\rbtdb.sbr" \
+	"$(INTDIR)\rbtdb64.sbr" \
+	"$(INTDIR)\rcode.sbr" \
+	"$(INTDIR)\rdata.sbr" \
+	"$(INTDIR)\rdatalist.sbr" \
+	"$(INTDIR)\rdataset.sbr" \
+	"$(INTDIR)\rdatasetiter.sbr" \
+	"$(INTDIR)\rdataslab.sbr" \
+	"$(INTDIR)\request.sbr" \
+	"$(INTDIR)\resolver.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\rootns.sbr" \
+	"$(INTDIR)\rpz.sbr" \
+	"$(INTDIR)\rrl.sbr" \
+	"$(INTDIR)\rriterator.sbr" \
+	"$(INTDIR)\sdb.sbr" \
+	"$(INTDIR)\sdlz.sbr" \
+	"$(INTDIR)\soa.sbr" \
+	"$(INTDIR)\ssu.sbr" \
+	"$(INTDIR)\ssu_external.sbr" \
+	"$(INTDIR)\stats.sbr" \
+	"$(INTDIR)\tcpmsg.sbr" \
+	"$(INTDIR)\time.sbr" \
+	"$(INTDIR)\timer.sbr" \
+	"$(INTDIR)\tkey.sbr" \
+	"$(INTDIR)\tsec.sbr" \
+	"$(INTDIR)\tsig.sbr" \
+	"$(INTDIR)\ttl.sbr" \
+	"$(INTDIR)\update.sbr" \
+	"$(INTDIR)\validator.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\view.sbr" \
+	"$(INTDIR)\xfrin.sbr" \
+	"$(INTDIR)\zone.sbr" \
+	"$(INTDIR)\zonekey.sbr" \
+	"$(INTDIR)\zt.sbr" \
+	"$(INTDIR)\dst_api.sbr" \
+	"$(INTDIR)\dst_lib.sbr" \
+	"$(INTDIR)\dst_parse.sbr" \
+	"$(INTDIR)\dst_result.sbr" \
+	"$(INTDIR)\gssapi_link.sbr" \
+	"$(INTDIR)\gssapictx.sbr" \
+	"$(INTDIR)\spnego.sbr" \
+	"$(INTDIR)\hmac_link.sbr" \
+	"$(INTDIR)\key.sbr" \
+@IF OPENSSL
+	"$(INTDIR)\openssl_link.sbr" \
+	"$(INTDIR)\openssldh_link.sbr" \
+	"$(INTDIR)\openssldsa_link.sbr" \
+	"$(INTDIR)\opensslecdsa_link.sbr" \
+	"$(INTDIR)\openssleddsa_link.sbr" \
+	"$(INTDIR)\opensslgost_link.sbr" \
+	"$(INTDIR)\opensslrsa_link.sbr" \
+@END OPENSSL
+@IF PKCS11
+	"$(INTDIR)\pkcs11.sbr" \
+	"$(INTDIR)\pkcs11dh_link.sbr" \
+	"$(INTDIR)\pkcs11dsa_link.sbr" \
+	"$(INTDIR)\pkcs11ecdsa_link.sbr" \
+	"$(INTDIR)\pkcs11eddsa_link.sbr" \
+	"$(INTDIR)\pkcs11gost_link.sbr" \
+	"$(INTDIR)\pkcs11rsa_link.sbr"
+@END PKCS11
+
+"$(OUTDIR)\libdns.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) ../../isc/win32/Debug/libisc.lib @OPENSSL_LIB@ @GSSAPI_LIB@ @KRB5_LIB@ @GEOIP_LIB@ @GEOIP_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libdns.pdb" /map:"$(INTDIR)\libdns.map" /debug @MACHINE@ /def:".\libdns.def" /out:"../../../Build/Debug/libdns.dll" /implib:"$(OUTDIR)\libdns.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libdns.def"
+LINK32_OBJS= \
+	"$(INTDIR)\acache.obj" \
+	"$(INTDIR)\acl.obj" \
+	"$(INTDIR)\adb.obj" \
+	"$(INTDIR)\badcache.obj" \
+	"$(INTDIR)\byaddr.obj" \
+	"$(INTDIR)\cache.obj" \
+	"$(INTDIR)\callbacks.obj" \
+	"$(INTDIR)\client.obj" \
+	"$(INTDIR)\clientinfo.obj" \
+	"$(INTDIR)\compress.obj" \
+	"$(INTDIR)\db.obj" \
+	"$(INTDIR)\dbiterator.obj" \
+	"$(INTDIR)\dbtable.obj" \
+	"$(INTDIR)\diff.obj" \
+	"$(INTDIR)\dispatch.obj" \
+	"$(INTDIR)\dlz.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dns64.obj" \
+	"$(INTDIR)\dnssec.obj" \
+	"$(INTDIR)\ds.obj" \
+	"$(INTDIR)\dyndb.obj" \
+	"$(INTDIR)\ecdb.obj" \
+	"$(INTDIR)\forward.obj" \
+@IF GEOIP
+	"$(INTDIR)\geoip.obj" \
+@END GEOIP
+	"$(INTDIR)\ipkeylist.obj" \
+	"$(INTDIR)\iptable.obj" \
+	"$(INTDIR)\journal.obj" \
+	"$(INTDIR)\key.obj" \
+	"$(INTDIR)\keytable.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\lookup.obj" \
+	"$(INTDIR)\master.obj" \
+	"$(INTDIR)\masterdump.obj" \
+	"$(INTDIR)\message.obj" \
+	"$(INTDIR)\name.obj" \
+	"$(INTDIR)\ncache.obj" \
+	"$(INTDIR)\nsec.obj" \
+	"$(INTDIR)\nsec3.obj" \
+	"$(INTDIR)\nta.obj" \
+	"$(INTDIR)\order.obj" \
+	"$(INTDIR)\peer.obj" \
+	"$(INTDIR)\portlist.obj" \
+	"$(INTDIR)\private.obj" \
+	"$(INTDIR)\rbt.obj" \
+	"$(INTDIR)\rbtdb.obj" \
+	"$(INTDIR)\rbtdb64.obj" \
+	"$(INTDIR)\rcode.obj" \
+	"$(INTDIR)\rdata.obj" \
+	"$(INTDIR)\rdatalist.obj" \
+	"$(INTDIR)\rdataset.obj" \
+	"$(INTDIR)\rdatasetiter.obj" \
+	"$(INTDIR)\rdataslab.obj" \
+	"$(INTDIR)\request.obj" \
+	"$(INTDIR)\resolver.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rootns.obj" \
+	"$(INTDIR)\rpz.obj" \
+	"$(INTDIR)\rrl.obj" \
+	"$(INTDIR)\rriterator.obj" \
+	"$(INTDIR)\sdb.obj" \
+	"$(INTDIR)\sdlz.obj" \
+	"$(INTDIR)\soa.obj" \
+	"$(INTDIR)\ssu.obj" \
+	"$(INTDIR)\ssu_external.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\tcpmsg.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tkey.obj" \
+	"$(INTDIR)\tsec.obj" \
+	"$(INTDIR)\tsig.obj" \
+	"$(INTDIR)\ttl.obj" \
+	"$(INTDIR)\update.obj" \
+	"$(INTDIR)\validator.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\view.obj" \
+	"$(INTDIR)\xfrin.obj" \
+	"$(INTDIR)\zone.obj" \
+	"$(INTDIR)\zonekey.obj" \
+	"$(INTDIR)\zt.obj" \
+	"$(INTDIR)\dst_api.obj" \
+	"$(INTDIR)\dst_lib.obj" \
+	"$(INTDIR)\dst_parse.obj" \
+	"$(INTDIR)\dst_result.obj" \
+	"$(INTDIR)\gssapi_link.obj" \
+	"$(INTDIR)\gssapictx.obj" \
+	"$(INTDIR)\spnego.obj" \
+	"$(INTDIR)\hmac_link.obj" \
+	"$(INTDIR)\key.obj" \
+@IF OPENSSL
+	"$(INTDIR)\openssl_link.obj" \
+	"$(INTDIR)\openssldh_link.obj" \
+	"$(INTDIR)\openssldsa_link.obj" \
+	"$(INTDIR)\opensslecdsa_link.obj" \
+	"$(INTDIR)\openssleddsa_link.obj" \
+	"$(INTDIR)\opensslgost_link.obj" \
+	"$(INTDIR)\opensslrsa_link.obj" \
+@END OPENSSL
+@IF PKCS11
+	"$(INTDIR)\pkcs11.obj" \
+	"$(INTDIR)\pkcs11dh_link.obj" \
+	"$(INTDIR)\pkcs11dsa_link.obj" \
+	"$(INTDIR)\pkcs11ecdsa_link.obj" \
+	"$(INTDIR)\pkcs11eddsa_link.obj" \
+	"$(INTDIR)\pkcs11gost_link.obj" \
+	"$(INTDIR)\pkcs11rsa_link.obj" \
+@END PKCS11
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libdns.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libdns.dep")
+!INCLUDE "libdns.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libdns.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libdns - @PLATFORM@ Release" || "$(CFG)" == "libdns - @PLATFORM@ Debug"
+SOURCE=..\acache.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\acache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\acache.obj"	"$(INTDIR)\acache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\acl.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\acl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\acl.obj"	"$(INTDIR)\acl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\adb.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\adb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\adb.obj"	"$(INTDIR)\adb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\badcache.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\badcache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\badcache.obj"	"$(INTDIR)\badcache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\byaddr.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\byaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\byaddr.obj"	"$(INTDIR)\byaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\cache.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\cache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\cache.obj"	"$(INTDIR)\cache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\callbacks.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\callbacks.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\callbacks.obj"	"$(INTDIR)\callbacks.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\catz.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\catz.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\catz.obj"	"$(INTDIR)\catz.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\client.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\client.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\client.obj"	"$(INTDIR)\client.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\clientinfo.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\clientinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\clientinfo.obj"	"$(INTDIR)\clientinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\compress.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\compress.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\compress.obj"	"$(INTDIR)\compress.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\db.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\db.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\db.obj"	"$(INTDIR)\db.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dbiterator.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dbiterator.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dbiterator.obj"	"$(INTDIR)\dbiterator.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dbtable.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dbtable.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dbtable.obj"	"$(INTDIR)\dbtable.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\diff.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\diff.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\diff.obj"	"$(INTDIR)\diff.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dispatch.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+CPP_SWITCHES=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "NDEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+"$(INTDIR)\dispatch.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+CPP_SWITCHES=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" @OPENSSL_INC@ @LIBXML2_INC@ @GSSAPI_INC@ @GEOIP_INC@ /D "_DEBUG" /D "BIND9" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ @USE_GSSAPI@ @USE_ISC_SPNEGO@ /D "LIBDNS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libdns.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+"$(INTDIR)\dispatch.obj"	"$(INTDIR)\dispatch.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) @<<
+  $(CPP_SWITCHES) $(SOURCE)
+<<
+
+
+!ENDIF 
+
+SOURCE=..\dlz.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dlz.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+"$(INTDIR)\dlz.obj"	"$(INTDIR)\dlz.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\dns64.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dns64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dns64.obj"	"$(INTDIR)\dns64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnssec.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dnssec.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dnssec.obj"	"$(INTDIR)\dnssec.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ds.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ds.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ds.obj"	"$(INTDIR)\ds.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dyndb.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dyndb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dyndb.obj"	"$(INTDIR)\dyndb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ecdb.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ecdb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ecdb.obj"	"$(INTDIR)\ecdb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\forward.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\forward.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\forward.obj"	"$(INTDIR)\forward.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+@IF GEOIP
+SOURCE=..\geoip.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\geoip.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\geoip.obj"	"$(INTDIR)\geoip.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+@END GEOIP
+
+SOURCE=..\ipkeylist.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ipkeylist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ipkeylist.obj" "$(INTDIR)\ipkeylist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\iptable.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\iptable.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\iptable.obj"	"$(INTDIR)\iptable.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\journal.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\journal.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\journal.obj"	"$(INTDIR)\journal.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\keydata.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\keydata.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\keydata.obj"	"$(INTDIR)\keydata.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\keytable.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\keytable.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\keytable.obj"	"$(INTDIR)\keytable.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lookup.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lookup.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lookup.obj"	"$(INTDIR)\lookup.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\master.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\master.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\master.obj"	"$(INTDIR)\master.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\masterdump.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\masterdump.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\masterdump.obj"	"$(INTDIR)\masterdump.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\message.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\message.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\message.obj"	"$(INTDIR)\message.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\name.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\name.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\name.obj"	"$(INTDIR)\name.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ncache.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ncache.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ncache.obj"	"$(INTDIR)\ncache.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nsec.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\nsec.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\nsec.obj"	"$(INTDIR)\nsec.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nsec3.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\nsec3.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\nsec3.obj"	"$(INTDIR)\nsec3.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\nta.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\nta.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\nta.obj"	"$(INTDIR)\nta.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\order.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\order.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\order.obj"	"$(INTDIR)\order.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\peer.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\peer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\peer.obj"	"$(INTDIR)\peer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+SOURCE=..\portlist.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\portlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\portlist.obj"	"$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+
+SOURCE=..\private.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\private.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\private.obj"	"$(INTDIR)\portlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbt.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rbt.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rbt.obj"	"$(INTDIR)\rbt.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbtdb.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rbtdb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rbtdb.obj"	"$(INTDIR)\rbtdb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rbtdb64.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rbtdb64.obj" : $(SOURCE) "$(INTDIR)" "..\rbtdb.c"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rbtdb64.obj"	"$(INTDIR)\rbtdb64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rcode.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rcode.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rcode.obj"	"$(INTDIR)\rcode.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdata.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rdata.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rdata.obj"	"$(INTDIR)\rdata.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdatalist.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rdatalist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rdatalist.obj"	"$(INTDIR)\rdatalist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdataset.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rdataset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rdataset.obj"	"$(INTDIR)\rdataset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdatasetiter.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rdatasetiter.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rdatasetiter.obj"	"$(INTDIR)\rdatasetiter.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rdataslab.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rdataslab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rdataslab.obj"	"$(INTDIR)\rdataslab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\request.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\request.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\request.obj"	"$(INTDIR)\request.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\resolver.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\resolver.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\resolver.obj"	"$(INTDIR)\resolver.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rootns.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rootns.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rootns.obj"	"$(INTDIR)\rootns.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rpz.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rpz.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rpz.obj"	"$(INTDIR)\rpz.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rrl.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rrl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rrl.obj"	"$(INTDIR)\rrl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\rriterator.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rriterator.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rriterator.obj"	"$(INTDIR)\rriterator.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sdb.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sdb.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sdb.obj"	"$(INTDIR)\sdb.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sdlz.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sdlz.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sdlz.obj"	"$(INTDIR)\sdlz.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\soa.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\soa.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\soa.obj"	"$(INTDIR)\soa.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ssu.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ssu.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ssu.obj"	"$(INTDIR)\ssu.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ssu_external.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ssu_external.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ssu_external.obj"	"$(INTDIR)\ssu_external.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\stats.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\stats.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\stats.obj"	"$(INTDIR)\stats.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tcpmsg.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\tcpmsg.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\tcpmsg.obj"	"$(INTDIR)\tcpmsg.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\time.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\timer.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tkey.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\tkey.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\tkey.obj"	"$(INTDIR)\tkey.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tsec.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\tsec.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\tsec.obj"	"$(INTDIR)\tsec.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\tsig.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\tsig.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\tsig.obj"	"$(INTDIR)\tsig.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ttl.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ttl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ttl.obj"	"$(INTDIR)\ttl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\update.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\update.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\update.obj"	"$(INTDIR)\update.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\validator.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\validator.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\validator.obj"	"$(INTDIR)\validator.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\view.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\view.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\view.obj"	"$(INTDIR)\view.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\xfrin.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\xfrin.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\xfrin.obj"	"$(INTDIR)\xfrin.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zone.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\zone.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\zone.obj"	"$(INTDIR)\zone.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zonekey.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\zonekey.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\zonekey.obj"	"$(INTDIR)\zonekey.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\zt.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\zt.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\zt.obj"	"$(INTDIR)\zt.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dst_api.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dst_api.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dst_api.obj"	"$(INTDIR)\dst_api.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dst_lib.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dst_lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dst_lib.obj"	"$(INTDIR)\dst_lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dst_parse.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dst_parse.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dst_parse.obj"	"$(INTDIR)\dst_parse.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dst_result.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dst_result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dst_result.obj"	"$(INTDIR)\dst_result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\gssapi_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\gssapi_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\gssapi_link.obj"	"$(INTDIR)\gssapi_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\gssapictx.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\gssapictx.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\gssapictx.obj"	"$(INTDIR)\gssapictx.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\spnego.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\spnego.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\spnego.obj"	"$(INTDIR)\spnego.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\hmac_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\hmac_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\hmac_link.obj"	"$(INTDIR)\hmac_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\key.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\key.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\key.obj"	"$(INTDIR)\key.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+@IF OPENSSL
+SOURCE=..\openssl_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\openssl_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\openssl_link.obj"	"$(INTDIR)\openssl_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\openssldh_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\openssldh_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\openssldh_link.obj"	"$(INTDIR)\openssldh_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\openssldsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\openssldsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\openssldsa_link.obj"	"$(INTDIR)\openssldsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\opensslecdsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\opensslecdsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\opensslecdsa_link.obj"	"$(INTDIR)\opensslecdsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\openssleddsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\openssleddsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\openssleddsa_link.obj"	"$(INTDIR)\openssleddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\opensslgost_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\opensslgost_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\opensslgost_link.obj"	"$(INTDIR)\opensslgost_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\opensslrsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\opensslrsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\opensslrsa_link.obj"	"$(INTDIR)\opensslrsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+@END OPENSSL
+
+@IF PKCS11
+SOURCE=..\pkcs11.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11.obj"	"$(INTDIR)\pkcs11.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11dh_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dh_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dh_link.obj"	"$(INTDIR)\pkcs11dh_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11dsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11dsa_link.obj"	"$(INTDIR)\pkcs11dsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11ecdsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11ecdsa_link.obj"	"$(INTDIR)\pkcs11ecdsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11eddsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11eddsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11eddsa_link.obj"	"$(INTDIR)\pkcs11eddsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11gost_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11gost_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11gost_link.obj"	"$(INTDIR)\pkcs11gost_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\pkcs11rsa_link.c
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pkcs11rsa_link.obj"	"$(INTDIR)\pkcs11rsa_link.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+@END PKCS11
+
+!IF  "$(CFG)" == "libdns - @PLATFORM@ Release"
+
+"libisc - @PLATFORM@ Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" 
+   cd "..\..\dns\win32"
+
+"libisc - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\dns\win32"
+
+!ELSEIF  "$(CFG)" == "libdns - @PLATFORM@ Debug"
+
+"libisc - @PLATFORM@ Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" 
+   cd "..\..\dns\win32"
+
+"libisc - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\dns\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/dns/win32/libdns.vcxproj.filters.in b/lib/dns/win32/libdns.vcxproj.filters.in
new file mode 100644
index 0000000..5c51043
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.filters.in
@@ -0,0 +1,690 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+    <Filter Include="Library Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Dst Header Files">
+      <UniqueIdentifier>{c76276a2-cee5-4b70-bf37-e0f2ef1ae4d6}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Dst Source Files">
+      <UniqueIdentifier>{ae84c9c7-5da5-4c0e-9e53-bfc34a5825ae}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Library Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libdns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\acache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\acl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\adb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\badcache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\byaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\cache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\callbacks.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\catz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\client.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\clientinfo.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\compress.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\db.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dbiterator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dbtable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\diff.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dispatch.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dlz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dns64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnssec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ds.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dyndb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ecdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\fixedname.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\forward.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@IF GEOIP
+    <ClCompile Include="..\geoip.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@END GEOIP
+    <ClCompile Include="..\ipkeylist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\iptable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\journal.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\keydata.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\keytable.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lookup.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\master.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\masterdump.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\message.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\name.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ncache.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nsec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nsec3.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nta.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\order.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\peer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\portlist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\private.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rbt.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rbtdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rbtdb64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rcode.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdata.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdatalist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdataset.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdatasetiter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rdataslab.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\request.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\resolver.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rootns.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rpz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rriterator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rrl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sdb.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sdlz.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\soa.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ssu.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ssu_external.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\stats.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tcpmsg.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\time.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\timer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tkey.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tsec.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tsig.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ttl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\update.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\validator.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\view.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\xfrin.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zone.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zonekey.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\zt.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_api.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_lib.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_parse.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dst_result.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gssapi_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gssapictx.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hmac_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\key.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+@IF OPENSSL
+    <ClCompile Include="..\openssl_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssldh_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssldsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\opensslecdsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\openssleddsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\opensslgost_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\opensslrsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+@END OPENSSL
+@IF PKCS11
+    <ClCompile Include="..\pkcs11.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11dh_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11dsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11ecdsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11eddsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11gost_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pkcs11rsa_link.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+    <ClCompile Include="..\spnego.c">
+      <Filter>Dst Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\code.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\rbtdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\rbtdb64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\rdatalist_p.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\acache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\acl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\adb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\badcache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\bit.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\byaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\cache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\callbacks.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\catz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\cert.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\client.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\clientinfo.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\compress.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\db.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dbiterator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dbtable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\diff.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dispatch.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dlz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dns64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dnssec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dnstap.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ds.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dsdigest.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\dyndb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ecdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\edns.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\enumclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\enumtype.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\events.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\fixedname.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\forward.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@IF GEOIP
+    <ClInclude Include="..\include\dns\geoip.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@END GEOIP
+    <ClInclude Include="..\include\dns\ipkeylist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\iptable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\journal.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keydata.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keyflags.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keytable.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\keyvalues.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\lib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\log.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\lookup.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\master.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\masterdump.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\message.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\name.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ncache.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nsec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nsec3.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\nta.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\opcode.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\order.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\peer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\portlist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\private.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rbt.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rcode.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdata.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatalist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataset.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatasetiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdataslab.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatastruct.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rdatatype.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\request.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\resolver.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rootns.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rpz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rriterator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\rrl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\sdb.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\sdlz.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\secalg.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\secproto.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\soa.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ssu.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\stats.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tcpmsg.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\time.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\timer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tkey.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tsec.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\tsig.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\ttl.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\types.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\update.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\validator.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\version.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\view.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\xfrin.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zone.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zonekey.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dns\zt.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\dst.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\gssapi.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\lib.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\dst\result.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dst_gost.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\dst_internal.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@IF OPENSSL
+    <ClInclude Include="..\dst_openssl.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@END OPENSSL
+    <ClInclude Include="..\dst_parse.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@IF PKCS11
+    <ClInclude Include="..\dst_pkcs11.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+@END PKCS11
+    <ClInclude Include="..\spnego.h">
+      <Filter>Dst Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/lib/dns/win32/libdns.vcxproj.in b/lib/dns/win32/libdns.vcxproj.in
new file mode 100644
index 0000000..7ceb68b
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.in
@@ -0,0 +1,346 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libdns</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@_DEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>BIND9;WIN32;USE_MD5;@CRYPTO@@USE_GSSAPI@@USE_ISC_SPNEGO@NDEBUG;_WINDOWS;_USRDLL;LIBDNS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;@LIBXML2_INC@@OPENSSL_INC@@GSSAPI_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;@LIBXML2_LIB@@OPENSSL_LIB@@GSSAPI_LIB@@KRB5_LIB@@GEOIP_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libdns.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\acache.c" />
+    <ClCompile Include="..\acl.c" />
+    <ClCompile Include="..\adb.c" />
+    <ClCompile Include="..\badcache.c" />
+    <ClCompile Include="..\byaddr.c" />
+    <ClCompile Include="..\cache.c" />
+    <ClCompile Include="..\callbacks.c" />
+    <ClCompile Include="..\catz.c" />
+    <ClCompile Include="..\client.c" />
+    <ClCompile Include="..\clientinfo.c" />
+    <ClCompile Include="..\compress.c" />
+    <ClCompile Include="..\db.c" />
+    <ClCompile Include="..\dbiterator.c" />
+    <ClCompile Include="..\dbtable.c" />
+    <ClCompile Include="..\diff.c" />
+    <ClCompile Include="..\dispatch.c" />
+    <ClCompile Include="..\dlz.c" />
+    <ClCompile Include="..\dns64.c" />
+    <ClCompile Include="..\dnssec.c" />
+    <ClCompile Include="..\ds.c" />
+    <ClCompile Include="..\dst_api.c" />
+    <ClCompile Include="..\dst_lib.c" />
+    <ClCompile Include="..\dst_parse.c" />
+    <ClCompile Include="..\dst_result.c" />
+    <ClCompile Include="..\dyndb.c" />
+    <ClCompile Include="..\ecdb.c" />
+    <ClCompile Include="..\fixedname.c" />
+    <ClCompile Include="..\forward.c" />
+@IF GEOIP
+    <ClCompile Include="..\geoip.c" />
+@END GEOIP
+    <ClCompile Include="..\gssapictx.c" />
+    <ClCompile Include="..\gssapi_link.c" />
+    <ClCompile Include="..\hmac_link.c" />
+    <ClCompile Include="..\ipkeylist.c" />
+    <ClCompile Include="..\iptable.c" />
+    <ClCompile Include="..\journal.c" />
+    <ClCompile Include="..\key.c" />
+    <ClCompile Include="..\keydata.c" />
+    <ClCompile Include="..\keytable.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\lookup.c" />
+    <ClCompile Include="..\master.c" />
+    <ClCompile Include="..\masterdump.c" />
+    <ClCompile Include="..\message.c" />
+    <ClCompile Include="..\name.c" />
+    <ClCompile Include="..\ncache.c" />
+    <ClCompile Include="..\nsec.c" />
+    <ClCompile Include="..\nsec3.c" />
+    <ClCompile Include="..\nta.c" />
+@IF OPENSSL
+    <ClCompile Include="..\openssldh_link.c" />
+    <ClCompile Include="..\openssldsa_link.c" />
+    <ClCompile Include="..\opensslecdsa_link.c" />
+    <ClCompile Include="..\openssleddsa_link.c" />
+    <ClCompile Include="..\opensslgost_link.c" />
+    <ClCompile Include="..\opensslrsa_link.c" />
+    <ClCompile Include="..\openssl_link.c" />
+@END OPENSSL
+    <ClCompile Include="..\order.c" />
+    <ClCompile Include="..\peer.c" />
+@IF PKCS11
+    <ClCompile Include="..\pkcs11.c" />
+    <ClCompile Include="..\pkcs11dh_link.c" />
+    <ClCompile Include="..\pkcs11dsa_link.c" />
+    <ClCompile Include="..\pkcs11ecdsa_link.c" />
+    <ClCompile Include="..\pkcs11eddsa_link.c" />
+    <ClCompile Include="..\pkcs11gost_link.c" />
+    <ClCompile Include="..\pkcs11rsa_link.c" />
+@END PKCS11
+    <ClCompile Include="..\portlist.c" />
+    <ClCompile Include="..\private.c" />
+    <ClCompile Include="..\rbt.c" />
+    <ClCompile Include="..\rbtdb.c" />
+    <ClCompile Include="..\rbtdb64.c" />
+    <ClCompile Include="..\rcode.c" />
+    <ClCompile Include="..\rdata.c" />
+    <ClCompile Include="..\rdatalist.c" />
+    <ClCompile Include="..\rdataset.c" />
+    <ClCompile Include="..\rdatasetiter.c" />
+    <ClCompile Include="..\rdataslab.c" />
+    <ClCompile Include="..\request.c" />
+    <ClCompile Include="..\resolver.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\rootns.c" />
+    <ClCompile Include="..\rpz.c" />
+    <ClCompile Include="..\rriterator.c" />
+    <ClCompile Include="..\rrl.c" />
+    <ClCompile Include="..\sdb.c" />
+    <ClCompile Include="..\sdlz.c" />
+    <ClCompile Include="..\soa.c" />
+    <ClCompile Include="..\spnego.c" />
+    <ClCompile Include="..\ssu.c" />
+    <ClCompile Include="..\ssu_external.c" />
+    <ClCompile Include="..\stats.c" />
+    <ClCompile Include="..\tcpmsg.c" />
+    <ClCompile Include="..\time.c" />
+    <ClCompile Include="..\timer.c" />
+    <ClCompile Include="..\tkey.c" />
+    <ClCompile Include="..\tsec.c" />
+    <ClCompile Include="..\tsig.c" />
+    <ClCompile Include="..\ttl.c" />
+    <ClCompile Include="..\update.c" />
+    <ClCompile Include="..\validator.c" />
+    <ClCompile Include="..\view.c" />
+    <ClCompile Include="..\xfrin.c" />
+    <ClCompile Include="..\zone.c" />
+    <ClCompile Include="..\zonekey.c" />
+    <ClCompile Include="..\zt.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\code.h" />
+    <ClInclude Include="..\dst_gost.h" />
+    <ClInclude Include="..\dst_internal.h" />
+@IF OPENSSL
+    <ClInclude Include="..\dst_openssl.h" />
+@END OPENSSL
+    <ClInclude Include="..\dst_parse.h" />
+@IF PKCS11
+    <ClInclude Include="..\dst_pkcs11.h" />
+@END PKCS11
+    <ClInclude Include="..\include\dns\acache.h" />
+    <ClInclude Include="..\include\dns\acl.h" />
+    <ClInclude Include="..\include\dns\adb.h" />
+    <ClInclude Include="..\include\dns\badcache.h" />
+    <ClInclude Include="..\include\dns\bit.h" />
+    <ClInclude Include="..\include\dns\byaddr.h" />
+    <ClInclude Include="..\include\dns\cache.h" />
+    <ClInclude Include="..\include\dns\callbacks.h" />
+    <ClInclude Include="..\include\dns\catz.h" />
+    <ClInclude Include="..\include\dns\cert.h" />
+    <ClInclude Include="..\include\dns\client.h" />
+    <ClInclude Include="..\include\dns\clientinfo.h" />
+    <ClInclude Include="..\include\dns\compress.h" />
+    <ClInclude Include="..\include\dns\db.h" />
+    <ClInclude Include="..\include\dns\dbiterator.h" />
+    <ClInclude Include="..\include\dns\dbtable.h" />
+    <ClInclude Include="..\include\dns\diff.h" />
+    <ClInclude Include="..\include\dns\dispatch.h" />
+    <ClInclude Include="..\include\dns\dlz.h" />
+    <ClInclude Include="..\include\dns\dns64.h" />
+    <ClInclude Include="..\include\dns\dnssec.h" />
+    <ClInclude Include="..\include\dns\dnstap.h" />
+    <ClInclude Include="..\include\dns\ds.h" />
+    <ClInclude Include="..\include\dns\dsdigest.h" />
+    <ClInclude Include="..\include\dns\dyndb.h" />
+    <ClInclude Include="..\include\dns\ecdb.h" />
+    <ClInclude Include="..\include\dns\edns.h" />
+    <ClInclude Include="..\include\dns\enumclass.h" />
+    <ClInclude Include="..\include\dns\enumtype.h" />
+    <ClInclude Include="..\include\dns\events.h" />
+    <ClInclude Include="..\include\dns\fixedname.h" />
+    <ClInclude Include="..\include\dns\forward.h" />
+@IF GEOIP
+    <ClInclude Include="..\include\dns\geoip.h" />
+@END GEOIP
+    <ClInclude Include="..\include\dns\ipkeylist.h" />
+    <ClInclude Include="..\include\dns\iptable.h" />
+    <ClInclude Include="..\include\dns\journal.h" />
+    <ClInclude Include="..\include\dns\keydata.h" />
+    <ClInclude Include="..\include\dns\keyflags.h" />
+    <ClInclude Include="..\include\dns\keytable.h" />
+    <ClInclude Include="..\include\dns\keyvalues.h" />
+    <ClInclude Include="..\include\dns\lib.h" />
+    <ClInclude Include="..\include\dns\log.h" />
+    <ClInclude Include="..\include\dns\lookup.h" />
+    <ClInclude Include="..\include\dns\master.h" />
+    <ClInclude Include="..\include\dns\masterdump.h" />
+    <ClInclude Include="..\include\dns\message.h" />
+    <ClInclude Include="..\include\dns\name.h" />
+    <ClInclude Include="..\include\dns\ncache.h" />
+    <ClInclude Include="..\include\dns\nsec.h" />
+    <ClInclude Include="..\include\dns\nsec3.h" />
+    <ClInclude Include="..\include\dns\nta.h" />
+    <ClInclude Include="..\include\dns\opcode.h" />
+    <ClInclude Include="..\include\dns\order.h" />
+    <ClInclude Include="..\include\dns\peer.h" />
+    <ClInclude Include="..\include\dns\portlist.h" />
+    <ClInclude Include="..\include\dns\private.h" />
+    <ClInclude Include="..\include\dns\rbt.h" />
+    <ClInclude Include="..\include\dns\rcode.h" />
+    <ClInclude Include="..\include\dns\rdata.h" />
+    <ClInclude Include="..\include\dns\rdataclass.h" />
+    <ClInclude Include="..\include\dns\rdatalist.h" />
+    <ClInclude Include="..\include\dns\rdataset.h" />
+    <ClInclude Include="..\include\dns\rdatasetiter.h" />
+    <ClInclude Include="..\include\dns\rdataslab.h" />
+    <ClInclude Include="..\include\dns\rdatastruct.h" />
+    <ClInclude Include="..\include\dns\rdatatype.h" />
+    <ClInclude Include="..\include\dns\request.h" />
+    <ClInclude Include="..\include\dns\resolver.h" />
+    <ClInclude Include="..\include\dns\result.h" />
+    <ClInclude Include="..\include\dns\rootns.h" />
+    <ClInclude Include="..\include\dns\rpz.h" />
+    <ClInclude Include="..\include\dns\rriterator.h" />
+    <ClInclude Include="..\include\dns\rrl.h" />
+    <ClInclude Include="..\include\dns\sdb.h" />
+    <ClInclude Include="..\include\dns\sdlz.h" />
+    <ClInclude Include="..\include\dns\secalg.h" />
+    <ClInclude Include="..\include\dns\secproto.h" />
+    <ClInclude Include="..\include\dns\soa.h" />
+    <ClInclude Include="..\include\dns\ssu.h" />
+    <ClInclude Include="..\include\dns\stats.h" />
+    <ClInclude Include="..\include\dns\tcpmsg.h" />
+    <ClInclude Include="..\include\dns\time.h" />
+    <ClInclude Include="..\include\dns\timer.h" />
+    <ClInclude Include="..\include\dns\tkey.h" />
+    <ClInclude Include="..\include\dns\tsec.h" />
+    <ClInclude Include="..\include\dns\tsig.h" />
+    <ClInclude Include="..\include\dns\ttl.h" />
+    <ClInclude Include="..\include\dns\types.h" />
+    <ClInclude Include="..\include\dns\update.h" />
+    <ClInclude Include="..\include\dns\validator.h" />
+    <ClInclude Include="..\include\dns\version.h" />
+    <ClInclude Include="..\include\dns\view.h" />
+    <ClInclude Include="..\include\dns\xfrin.h" />
+    <ClInclude Include="..\include\dns\zone.h" />
+    <ClInclude Include="..\include\dns\zonekey.h" />
+    <ClInclude Include="..\include\dns\zt.h" />
+    <ClInclude Include="..\include\dst\dst.h" />
+    <ClInclude Include="..\include\dst\gssapi.h" />
+    <ClInclude Include="..\include\dst\lib.h" />
+    <ClInclude Include="..\include\dst\result.h" />
+    <ClInclude Include="..\rbtdb.h" />
+    <ClInclude Include="..\rbtdb64.h" />
+    <ClInclude Include="..\rdatalist_p.h" />
+    <ClInclude Include="..\spnego.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/dns/win32/libdns.vcxproj.user b/lib/dns/win32/libdns.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/dns/win32/libdns.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/dns/win32/version.c b/lib/dns/win32/version.c
new file mode 100644
index 0000000..852f70e
--- /dev/null
+++ b/lib/dns/win32/version.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <dns/version.h>
+
+LIBDNS_EXTERNAL_DATA const char dns_version[] = VERSION;
+LIBDNS_EXTERNAL_DATA const char dns_major[] = MAJOR;
+LIBDNS_EXTERNAL_DATA const char dns_mapapi[] = MAPAPI;
+
+LIBDNS_EXTERNAL_DATA const unsigned int dns_libinterface = LIBINTERFACE;
+LIBDNS_EXTERNAL_DATA const unsigned int dns_librevision = LIBREVISION;
+LIBDNS_EXTERNAL_DATA const unsigned int dns_libage = LIBAGE;
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
new file mode 100644
index 0000000..d39ca26
--- /dev/null
+++ b/lib/dns/xfrin.c
@@ -0,0 +1,1618 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/catz.h>
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/tcpmsg.h>
+#include <dns/timer.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+/*
+ * Incoming AXFR and IXFR.
+ */
+
+/*%
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+	do { result = (code);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+#define CHECK(op) \
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto failure;	\
+	} while (0)
+
+/*%
+ * The states of the *XFR state machine.  We handle both IXFR and AXFR
+ * with a single integrated state machine because they cannot be distinguished
+ * immediately - an AXFR response to an IXFR request can only be detected
+ * when the first two (2) response RRs have already been received.
+ */
+typedef enum {
+	XFRST_SOAQUERY,
+	XFRST_GOTSOA,
+	XFRST_INITIALSOA,
+	XFRST_FIRSTDATA,
+	XFRST_IXFR_DELSOA,
+	XFRST_IXFR_DEL,
+	XFRST_IXFR_ADDSOA,
+	XFRST_IXFR_ADD,
+	XFRST_IXFR_END,
+	XFRST_AXFR,
+	XFRST_AXFR_END
+} xfrin_state_t;
+
+/*%
+ * Incoming zone transfer context.
+ */
+
+struct dns_xfrin_ctx {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+
+	int			refcount;
+
+	isc_task_t 		*task;
+	isc_timer_t		*timer;
+	isc_socketmgr_t 	*socketmgr;
+
+	int			connects; 	/*%< Connect in progress */
+	int			sends;		/*%< Send in progress */
+	int			recvs;	  	/*%< Receive in progress */
+	bool		shuttingdown;
+	isc_result_t		shutdown_result;
+
+	dns_name_t 		name; 		/*%< Name of zone to transfer */
+	dns_rdataclass_t 	rdclass;
+
+	bool		checkid;
+	dns_messageid_t		id;
+
+	/*%
+	 * Requested transfer type (dns_rdatatype_axfr or
+	 * dns_rdatatype_ixfr).  The actual transfer type
+	 * may differ due to IXFR->AXFR fallback.
+	 */
+	dns_rdatatype_t 	reqtype;
+	isc_dscp_t 		dscp;
+
+	isc_sockaddr_t 		masteraddr;
+	isc_sockaddr_t		sourceaddr;
+	isc_socket_t 		*socket;
+
+	/*% Buffer for IXFR/AXFR request message */
+	isc_buffer_t 		qbuffer;
+	unsigned char 		qbuffer_data[512];
+
+	/*% Incoming reply TCP message */
+	dns_tcpmsg_t		tcpmsg;
+	bool		tcpmsg_valid;
+
+	dns_db_t 		*db;
+	dns_dbversion_t 	*ver;
+	dns_diff_t 		diff;		/*%< Pending database changes */
+	int 			difflen;	/*%< Number of pending tuples */
+
+	xfrin_state_t 		state;
+	uint32_t 		end_serial;
+	bool 		is_ixfr;
+
+	unsigned int		nmsg;		/*%< Number of messages recvd */
+	unsigned int		nrecs;		/*%< Number of records recvd */
+	uint64_t		nbytes;		/*%< Number of bytes received */
+
+	unsigned int		maxrecords;	/*%< The maximum number of
+						     records set for the zone */
+
+	isc_time_t		start;		/*%< Start time of the transfer */
+	isc_time_t		end;		/*%< End time of the transfer */
+
+	dns_tsigkey_t		*tsigkey;	/*%< Key used to create TSIG */
+	isc_buffer_t		*lasttsig;	/*%< The last TSIG */
+	dst_context_t		*tsigctx;	/*%< TSIG verification context */
+	unsigned int		sincetsig;	/*%< recvd since the last TSIG */
+	dns_xfrindone_t		done;
+
+	/*%
+	 * AXFR- and IXFR-specific data.  Only one is used at a time
+	 * according to the is_ixfr flag, so this could be a union,
+	 * but keeping them separate makes it a bit simpler to clean
+	 * things up when destroying the context.
+	 */
+	dns_rdatacallbacks_t	axfr;
+
+	struct {
+		uint32_t 	request_serial;
+		uint32_t 	current_serial;
+		dns_journal_t	*journal;
+
+	} ixfr;
+};
+
+#define XFRIN_MAGIC		  ISC_MAGIC('X', 'f', 'r', 'I')
+#define VALID_XFRIN(x)		  ISC_MAGIC_VALID(x, XFRIN_MAGIC)
+
+/**************************************************************************/
+/*
+ * Forward declarations.
+ */
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx,
+	     dns_zone_t *zone,
+	     dns_db_t *db,
+	     isc_task_t *task,
+	     isc_timermgr_t *timermgr,
+	     isc_socketmgr_t *socketmgr,
+	     dns_name_t *zonename,
+	     dns_rdataclass_t rdclass,
+	     dns_rdatatype_t reqtype,
+	     isc_sockaddr_t *masteraddr,
+	     isc_sockaddr_t *sourceaddr,
+	     isc_dscp_t dscp,
+	     dns_tsigkey_t *tsigkey,
+	     dns_xfrin_ctx_t **xfrp);
+
+static isc_result_t axfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp);
+static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+				   dns_name_t *name, dns_ttl_t ttl,
+				   dns_rdata_t *rdata);
+static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_finalize(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+				 dns_name_t *name, dns_ttl_t ttl,
+				 dns_rdata_t *rdata);
+static isc_result_t ixfr_commit(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name,
+			   uint32_t ttl, dns_rdata_t *rdata);
+
+static isc_result_t xfrin_start(dns_xfrin_ctx_t *xfr);
+
+static void xfrin_connect_done(isc_task_t *task, isc_event_t *event);
+static isc_result_t xfrin_send_request(dns_xfrin_ctx_t *xfr);
+static void xfrin_send_done(isc_task_t *task, isc_event_t *event);
+static void xfrin_recv_done(isc_task_t *task, isc_event_t *event);
+static void xfrin_timeout(isc_task_t *task, isc_event_t *event);
+
+static void maybe_free(dns_xfrin_ctx_t *xfr);
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg);
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
+
+static void
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
+     ISC_FORMAT_PRINTF(4, 0);
+
+static void
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...)
+     ISC_FORMAT_PRINTF(4, 5);
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+/**************************************************************************/
+/*
+ * AXFR handling
+ */
+
+static isc_result_t
+axfr_init(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	xfr->is_ixfr = false;
+
+	if (xfr->db != NULL)
+		dns_db_detach(&xfr->db);
+
+	CHECK(axfr_makedb(xfr, &xfr->db));
+	dns_rdatacallbacks_init(&xfr->axfr);
+	CHECK(dns_db_beginload(xfr->db, &xfr->axfr));
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
+	isc_result_t result;
+
+	result = dns_db_create(xfr->mctx, /* XXX */
+			       "rbt",	/* XXX guess */
+			       &xfr->name,
+			       dns_dbtype_zone,
+			       xfr->rdclass,
+			       0, NULL, /* XXX guess */
+			       dbp);
+	if (result == ISC_R_SUCCESS) {
+		dns_zone_rpz_enable_db(xfr->zone, *dbp);
+		dns_zone_catz_enable_db(xfr->zone, *dbp);
+	}
+	return (result);
+}
+
+static isc_result_t
+axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+	     dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+
+	dns_difftuple_t *tuple = NULL;
+
+	if (rdata->rdclass != xfr->rdclass)
+		return(DNS_R_BADCLASS);
+
+	CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
+				   name, ttl, rdata, &tuple));
+	dns_diff_append(&xfr->diff, &tuple);
+	if (++xfr->difflen > 100)
+		CHECK(axfr_apply(xfr));
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+/*
+ * Store a set of AXFR RRs in the database.
+ */
+static isc_result_t
+axfr_apply(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	uint64_t records;
+
+	CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private));
+	xfr->difflen = 0;
+	dns_diff_clear(&xfr->diff);
+	if (xfr->maxrecords != 0U) {
+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
+			result = DNS_R_TOOMANYRECORDS;
+			goto failure;
+		}
+	}
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_commit(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(axfr_apply(xfr));
+	CHECK(dns_db_endload(xfr->db, &xfr->axfr));
+
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+axfr_finalize(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(dns_zone_replacedb(xfr->zone, xfr->db, true));
+
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * IXFR handling
+ */
+
+static isc_result_t
+ixfr_init(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	char *journalfile;
+
+	if (xfr->reqtype != dns_rdatatype_ixfr) {
+		xfrin_log(xfr, ISC_LOG_ERROR,
+			  "got incremental response to AXFR request");
+		return (DNS_R_FORMERR);
+	}
+
+	xfr->is_ixfr = true;
+	INSIST(xfr->db != NULL);
+	xfr->difflen = 0;
+
+	journalfile = dns_zone_getjournal(xfr->zone);
+	if (journalfile != NULL)
+		CHECK(dns_journal_open(xfr->mctx, journalfile,
+				       DNS_JOURNAL_CREATE, &xfr->ixfr.journal));
+
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+	     dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+
+	if (rdata->rdclass != xfr->rdclass)
+		return(DNS_R_BADCLASS);
+
+	if (op == DNS_DIFFOP_ADD)
+		CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+	CHECK(dns_difftuple_create(xfr->diff.mctx, op,
+				   name, ttl, rdata, &tuple));
+	dns_diff_append(&xfr->diff, &tuple);
+	if (++xfr->difflen > 100)
+		CHECK(ixfr_apply(xfr));
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+/*
+ * Apply a set of IXFR changes to the database.
+ */
+static isc_result_t
+ixfr_apply(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	uint64_t records;
+
+	if (xfr->ver == NULL) {
+		CHECK(dns_db_newversion(xfr->db, &xfr->ver));
+		if (xfr->ixfr.journal != NULL)
+			CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
+	}
+	CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
+	if (xfr->maxrecords != 0U) {
+		result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
+		if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
+			result = DNS_R_TOOMANYRECORDS;
+			goto failure;
+		}
+	}
+	if (xfr->ixfr.journal != NULL) {
+		result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	dns_diff_clear(&xfr->diff);
+	xfr->difflen = 0;
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+static isc_result_t
+ixfr_commit(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+
+	CHECK(ixfr_apply(xfr));
+	if (xfr->ver != NULL) {
+		/* XXX enter ready-to-commit state here */
+		if (xfr->ixfr.journal != NULL)
+			CHECK(dns_journal_commit(xfr->ixfr.journal));
+		dns_db_closeversion(xfr->db, &xfr->ver, true);
+		dns_zone_markdirty(xfr->zone);
+	}
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+/**************************************************************************/
+/*
+ * Common AXFR/IXFR protocol code
+ */
+
+/*
+ * Handle a single incoming resource record according to the current
+ * state.
+ */
+static isc_result_t
+xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, uint32_t ttl,
+       dns_rdata_t *rdata)
+{
+	isc_result_t result;
+
+	xfr->nrecs++;
+
+	if (rdata->type == dns_rdatatype_none ||
+	    dns_rdatatype_ismeta(rdata->type))
+		FAIL(DNS_R_FORMERR);
+
+ redo:
+	switch (xfr->state) {
+	case XFRST_SOAQUERY:
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "non-SOA response to SOA query");
+			FAIL(DNS_R_FORMERR);
+		}
+		xfr->end_serial = dns_soa_getserial(rdata);
+		if (!DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial) &&
+		    !dns_zone_isforced(xfr->zone)) {
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "requested serial %u, "
+				  "master has %u, not updating",
+				  xfr->ixfr.request_serial, xfr->end_serial);
+			FAIL(DNS_R_UPTODATE);
+		}
+		xfr->state = XFRST_GOTSOA;
+		break;
+
+	case XFRST_GOTSOA:
+		/*
+		 * Skip other records in the answer section.
+		 */
+		break;
+
+	case XFRST_INITIALSOA:
+		if (rdata->type != dns_rdatatype_soa) {
+			xfrin_log(xfr, ISC_LOG_ERROR,
+				  "first RR in zone transfer must be SOA");
+			FAIL(DNS_R_FORMERR);
+		}
+		/*
+		 * Remember the serial number in the initial SOA.
+		 * We need it to recognize the end of an IXFR.
+		 */
+		xfr->end_serial = dns_soa_getserial(rdata);
+		if (xfr->reqtype == dns_rdatatype_ixfr &&
+		    ! DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial)
+		    && !dns_zone_isforced(xfr->zone))
+		{
+			/*
+			 * This must be the single SOA record that is
+			 * sent when the current version on the master
+			 * is not newer than the version in the request.
+			 */
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "requested serial %u, "
+				  "master has %u, not updating",
+				  xfr->ixfr.request_serial, xfr->end_serial);
+			FAIL(DNS_R_UPTODATE);
+		}
+		if (xfr->reqtype == dns_rdatatype_axfr)
+			xfr->checkid = false;
+		xfr->state = XFRST_FIRSTDATA;
+		break;
+
+	case XFRST_FIRSTDATA:
+		/*
+		 * If the transfer begins with one SOA record, it is an AXFR,
+		 * if it begins with two SOAs, it is an IXFR.
+		 */
+		if (xfr->reqtype == dns_rdatatype_ixfr &&
+		    rdata->type == dns_rdatatype_soa &&
+		    xfr->ixfr.request_serial == dns_soa_getserial(rdata)) {
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "got incremental response");
+			CHECK(ixfr_init(xfr));
+			xfr->state = XFRST_IXFR_DELSOA;
+		} else {
+			xfrin_log(xfr, ISC_LOG_DEBUG(3),
+				  "got nonincremental response");
+			CHECK(axfr_init(xfr));
+			xfr->state = XFRST_AXFR;
+		}
+		goto redo;
+
+	case XFRST_IXFR_DELSOA:
+		INSIST(rdata->type == dns_rdatatype_soa);
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+		xfr->state = XFRST_IXFR_DEL;
+		break;
+
+	case XFRST_IXFR_DEL:
+		if (rdata->type == dns_rdatatype_soa) {
+			uint32_t soa_serial = dns_soa_getserial(rdata);
+			xfr->state = XFRST_IXFR_ADDSOA;
+			xfr->ixfr.current_serial = soa_serial;
+			goto redo;
+		}
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+		break;
+
+	case XFRST_IXFR_ADDSOA:
+		INSIST(rdata->type == dns_rdatatype_soa);
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		xfr->state = XFRST_IXFR_ADD;
+		break;
+
+	case XFRST_IXFR_ADD:
+		if (rdata->type == dns_rdatatype_soa) {
+			uint32_t soa_serial = dns_soa_getserial(rdata);
+			if (soa_serial == xfr->end_serial) {
+				CHECK(ixfr_commit(xfr));
+				xfr->state = XFRST_IXFR_END;
+				break;
+			} else if (soa_serial != xfr->ixfr.current_serial) {
+				xfrin_log(xfr, ISC_LOG_ERROR,
+					  "IXFR out of sync: "
+					  "expected serial %u, got %u",
+					  xfr->ixfr.current_serial, soa_serial);
+				FAIL(DNS_R_FORMERR);
+			} else {
+				CHECK(ixfr_commit(xfr));
+				xfr->state = XFRST_IXFR_DELSOA;
+				goto redo;
+			}
+		}
+		if (rdata->type == dns_rdatatype_ns &&
+		    dns_name_iswildcard(name))
+			FAIL(DNS_R_INVALIDNS);
+		CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		break;
+
+	case XFRST_AXFR:
+		/*
+		 * Old BINDs sent cross class A records for non IN classes.
+		 */
+		if (rdata->type == dns_rdatatype_a &&
+		    rdata->rdclass != xfr->rdclass &&
+		    xfr->rdclass != dns_rdataclass_in)
+			break;
+		CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+		if (rdata->type == dns_rdatatype_soa) {
+			CHECK(axfr_commit(xfr));
+			xfr->state = XFRST_AXFR_END;
+			break;
+		}
+		break;
+	case XFRST_AXFR_END:
+	case XFRST_IXFR_END:
+		FAIL(DNS_R_EXTRADATA);
+		/* NOTREACHED */
+		/* FALLTHROUGH */
+	default:
+		INSIST(0);
+		break;
+	}
+	result = ISC_R_SUCCESS;
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		 isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
+		 isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		 isc_socketmgr_t *socketmgr, isc_task_t *task,
+		 dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
+{
+	isc_sockaddr_t sourceaddr;
+	isc_dscp_t dscp;
+
+	switch (isc_sockaddr_pf(masteraddr)) {
+	case PF_INET:
+		sourceaddr = *dns_zone_getxfrsource4(zone);
+		dscp = dns_zone_getxfrsource4dscp(zone);
+		break;
+	case PF_INET6:
+		sourceaddr = *dns_zone_getxfrsource6(zone);
+		dscp = dns_zone_getxfrsource6dscp(zone);
+		break;
+	default:
+		INSIST(0);
+	}
+
+	return(dns_xfrin_create3(zone, xfrtype, masteraddr, &sourceaddr,
+				 dscp, tsigkey, mctx, timermgr, socketmgr,
+				 task, done, xfrp));
+}
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done,
+		  dns_xfrin_ctx_t **xfrp)
+{
+	return (dns_xfrin_create3(zone, xfrtype, masteraddr, sourceaddr, -1,
+				  tsigkey, mctx, timermgr, socketmgr, task,
+				  done, xfrp));
+}
+
+isc_result_t
+dns_xfrin_create3(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+		  isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+		  isc_dscp_t dscp, dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+		  isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		  isc_task_t *task, dns_xfrindone_t done,
+		  dns_xfrin_ctx_t **xfrp)
+{
+	dns_name_t *zonename = dns_zone_getorigin(zone);
+	dns_xfrin_ctx_t *xfr = NULL;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	REQUIRE(xfrp != NULL && *xfrp == NULL);
+
+	(void)dns_zone_getdb(zone, &db);
+
+	if (xfrtype == dns_rdatatype_soa || xfrtype == dns_rdatatype_ixfr)
+		REQUIRE(db != NULL);
+
+	CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
+			   dns_zone_getclass(zone), xfrtype, masteraddr,
+			   sourceaddr, dscp, tsigkey, &xfr));
+
+	CHECK(xfrin_start(xfr));
+
+	xfr->done = done;
+	if (xfr->done != NULL)
+		xfr->refcount++;
+	*xfrp = xfr;
+
+ failure:
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (result != ISC_R_SUCCESS) {
+		char zonetext[DNS_NAME_MAXTEXT+32];
+		dns_zone_name(zone, zonetext, sizeof(zonetext));
+		xfrin_log1(ISC_LOG_ERROR, zonetext, masteraddr,
+			   "zone transfer setup failed");
+	}
+	return (result);
+}
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr) {
+	if (! xfr->shuttingdown)
+		xfrin_fail(xfr, ISC_R_CANCELED, "shut down");
+}
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target) {
+	REQUIRE(target != NULL && *target == NULL);
+	source->refcount++;
+	*target = source;
+}
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp) {
+	dns_xfrin_ctx_t *xfr = *xfrp;
+	INSIST(xfr->refcount > 0);
+	xfr->refcount--;
+	maybe_free(xfr);
+	*xfrp = NULL;
+}
+
+static void
+xfrin_cancelio(dns_xfrin_ctx_t *xfr) {
+	if (xfr->connects > 0) {
+		isc_socket_cancel(xfr->socket, xfr->task,
+				  ISC_SOCKCANCEL_CONNECT);
+	} else if (xfr->recvs > 0) {
+		dns_tcpmsg_cancelread(&xfr->tcpmsg);
+	} else if (xfr->sends > 0) {
+		isc_socket_cancel(xfr->socket, xfr->task,
+				  ISC_SOCKCANCEL_SEND);
+	}
+}
+
+static void
+xfrin_reset(dns_xfrin_ctx_t *xfr) {
+	REQUIRE(VALID_XFRIN(xfr));
+
+	xfrin_log(xfr, ISC_LOG_INFO, "resetting");
+
+	xfrin_cancelio(xfr);
+
+	if (xfr->socket != NULL)
+		isc_socket_detach(&xfr->socket);
+
+	if (xfr->lasttsig != NULL)
+		isc_buffer_free(&xfr->lasttsig);
+
+	dns_diff_clear(&xfr->diff);
+	xfr->difflen = 0;
+
+	if (xfr->ixfr.journal != NULL)
+		dns_journal_destroy(&xfr->ixfr.journal);
+
+	if (xfr->axfr.add_private != NULL)
+		(void)dns_db_endload(xfr->db, &xfr->axfr);
+
+	if (xfr->tcpmsg_valid) {
+		dns_tcpmsg_invalidate(&xfr->tcpmsg);
+		xfr->tcpmsg_valid = false;
+	}
+
+	if (xfr->ver != NULL)
+		dns_db_closeversion(xfr->db, &xfr->ver, false);
+}
+
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
+	if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) {
+		xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
+			  msg, isc_result_totext(result));
+		if (xfr->is_ixfr)
+			/* Pass special result code to force AXFR retry */
+			result = DNS_R_BADIXFR;
+	}
+	xfrin_cancelio(xfr);
+	/*
+	 * Close the journal.
+	 */
+	if (xfr->ixfr.journal != NULL)
+		dns_journal_destroy(&xfr->ixfr.journal);
+	if (xfr->done != NULL) {
+		(xfr->done)(xfr->zone, result);
+		xfr->done = NULL;
+	}
+	xfr->shuttingdown = true;
+	xfr->shutdown_result = result;
+	maybe_free(xfr);
+}
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx,
+	     dns_zone_t *zone,
+	     dns_db_t *db,
+	     isc_task_t *task,
+	     isc_timermgr_t *timermgr,
+	     isc_socketmgr_t *socketmgr,
+	     dns_name_t *zonename,
+	     dns_rdataclass_t rdclass,
+	     dns_rdatatype_t reqtype,
+	     isc_sockaddr_t *masteraddr,
+	     isc_sockaddr_t *sourceaddr,
+	     isc_dscp_t dscp,
+	     dns_tsigkey_t *tsigkey,
+	     dns_xfrin_ctx_t **xfrp)
+{
+	dns_xfrin_ctx_t *xfr = NULL;
+	isc_result_t result;
+	uint32_t tmp;
+
+	xfr = isc_mem_get(mctx, sizeof(*xfr));
+	if (xfr == NULL)
+		return (ISC_R_NOMEMORY);
+	xfr->mctx = NULL;
+	isc_mem_attach(mctx, &xfr->mctx);
+	xfr->refcount = 0;
+	xfr->zone = NULL;
+	dns_zone_iattach(zone, &xfr->zone);
+	xfr->task = NULL;
+	isc_task_attach(task, &xfr->task);
+	xfr->timer = NULL;
+	xfr->socketmgr = socketmgr;
+	xfr->done = NULL;
+
+	xfr->connects = 0;
+	xfr->sends = 0;
+	xfr->recvs = 0;
+	xfr->shuttingdown = false;
+	xfr->shutdown_result = ISC_R_UNSET;
+
+	dns_name_init(&xfr->name, NULL);
+	xfr->rdclass = rdclass;
+	isc_random_get(&tmp);
+	xfr->checkid = true;
+	xfr->id	= (uint16_t)(tmp & 0xffff);
+	xfr->reqtype = reqtype;
+	xfr->dscp = dscp;
+
+	/* sockaddr */
+	xfr->socket = NULL;
+	/* qbuffer */
+	/* qbuffer_data */
+	/* tcpmsg */
+	xfr->tcpmsg_valid = false;
+
+	xfr->db = NULL;
+	if (db != NULL)
+		dns_db_attach(db, &xfr->db);
+	xfr->ver = NULL;
+	dns_diff_init(xfr->mctx, &xfr->diff);
+	xfr->difflen = 0;
+
+	if (reqtype == dns_rdatatype_soa)
+		xfr->state = XFRST_SOAQUERY;
+	else
+		xfr->state = XFRST_INITIALSOA;
+	/* end_serial */
+
+	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	xfr->maxrecords = dns_zone_getmaxrecords(zone);
+	isc_time_now(&xfr->start);
+
+	xfr->tsigkey = NULL;
+	if (tsigkey != NULL)
+		dns_tsigkey_attach(tsigkey, &xfr->tsigkey);
+	xfr->lasttsig = NULL;
+	xfr->tsigctx = NULL;
+	xfr->sincetsig = 0;
+	xfr->is_ixfr = false;
+
+	/* ixfr.request_serial */
+	/* ixfr.current_serial */
+	xfr->ixfr.journal = NULL;
+
+	xfr->axfr.add = NULL;
+	xfr->axfr.add_private = NULL;
+
+	CHECK(dns_name_dup(zonename, mctx, &xfr->name));
+
+	CHECK(isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+			       task, xfrin_timeout, xfr, &xfr->timer));
+	CHECK(dns_timer_setidle(xfr->timer,
+				dns_zone_getmaxxfrin(xfr->zone),
+				dns_zone_getidlein(xfr->zone),
+				false));
+
+	xfr->masteraddr = *masteraddr;
+
+	INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
+	xfr->sourceaddr = *sourceaddr;
+	isc_sockaddr_setport(&xfr->sourceaddr, 0);
+
+	/*
+	 * Reserve 2 bytes for TCP length at the begining of the buffer.
+	 */
+	isc_buffer_init(&xfr->qbuffer, &xfr->qbuffer_data[2],
+			sizeof(xfr->qbuffer_data) - 2);
+
+	xfr->magic = XFRIN_MAGIC;
+	*xfrp = xfr;
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (xfr->timer != NULL)
+		isc_timer_detach(&xfr->timer);
+	if (dns_name_dynamic(&xfr->name))
+		dns_name_free(&xfr->name, xfr->mctx);
+	if (xfr->tsigkey != NULL)
+		dns_tsigkey_detach(&xfr->tsigkey);
+	if (xfr->db != NULL)
+		dns_db_detach(&xfr->db);
+	isc_task_detach(&xfr->task);
+	dns_zone_idetach(&xfr->zone);
+	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
+
+	return (result);
+}
+
+static isc_result_t
+xfrin_start(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	CHECK(isc_socket_create(xfr->socketmgr,
+				isc_sockaddr_pf(&xfr->sourceaddr),
+				isc_sockettype_tcp,
+				&xfr->socket));
+	isc_socket_setname(xfr->socket, "xfrin", NULL);
+#ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
+	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr,
+			      ISC_SOCKET_REUSEADDRESS));
+#endif
+	isc_socket_dscp(xfr->socket, xfr->dscp);
+	CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
+				 xfrin_connect_done, xfr));
+	xfr->connects++;
+	return (ISC_R_SUCCESS);
+ failure:
+	xfrin_fail(xfr, result, "failed setting up socket");
+	return (result);
+}
+
+/* XXX the resolver could use this, too */
+
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf) {
+	dns_compress_t cctx;
+	bool cleanup_cctx = false;
+	isc_result_t result;
+
+	CHECK(dns_compress_init(&cctx, -1, mctx));
+	cleanup_cctx = true;
+	CHECK(dns_message_renderbegin(msg, &cctx, buf));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
+	CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
+	CHECK(dns_message_renderend(msg));
+	result = ISC_R_SUCCESS;
+ failure:
+	if (cleanup_cctx)
+		dns_compress_invalidate(&cctx);
+	return (result);
+}
+
+/*
+ * A connection has been established.
+ */
+static void
+xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
+	isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+	isc_result_t result = cev->result;
+	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
+	char signerbuf[DNS_NAME_FORMATSIZE];
+	const char *signer = "", *sep = "";
+	isc_sockaddr_t sockaddr;
+	dns_zonemgr_t * zmgr;
+	isc_time_t now;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
+	isc_event_free(&event);
+
+	xfr->connects--;
+	if (xfr->shuttingdown) {
+		maybe_free(xfr);
+		return;
+	}
+
+	zmgr = dns_zone_getmgr(xfr->zone);
+	if (zmgr != NULL) {
+		if (result != ISC_R_SUCCESS) {
+			TIME_NOW(&now);
+			dns_zonemgr_unreachableadd(zmgr, &xfr->masteraddr,
+						   &xfr->sourceaddr, &now);
+			goto failure;
+		} else
+			dns_zonemgr_unreachabledel(zmgr, &xfr->masteraddr,
+						   &xfr->sourceaddr);
+	}
+
+	result = isc_socket_getsockname(xfr->socket, &sockaddr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
+	} else {
+		strlcpy(sourcetext, "<UNKNOWN>", sizeof(sourcetext));
+	}
+
+	if (xfr->tsigkey != NULL && xfr->tsigkey->key != NULL) {
+		dns_name_format(dst_key_name(xfr->tsigkey->key),
+				signerbuf, sizeof(signerbuf));
+		sep = " TSIG ";
+		signer = signerbuf;
+	}
+
+	xfrin_log(xfr, ISC_LOG_INFO, "connected using %s%s%s",
+		  sourcetext, sep, signer);
+
+	dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
+	xfr->tcpmsg_valid = true;
+
+	CHECK(xfrin_send_request(xfr));
+ failure:
+	if (result != ISC_R_SUCCESS)
+		xfrin_fail(xfr, result, "failed to connect");
+}
+
+/*
+ * Convert a tuple into a dns_name_t suitable for inserting
+ * into the given dns_message_t.
+ */
+static isc_result_t
+tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target)
+{
+	isc_result_t result;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdl = NULL;
+	dns_rdataset_t *rds = NULL;
+	dns_name_t *name = NULL;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	CHECK(dns_message_gettemprdata(msg, &rdata));
+	dns_rdata_init(rdata);
+	dns_rdata_clone(&tuple->rdata, rdata);
+
+	CHECK(dns_message_gettemprdatalist(msg, &rdl));
+	dns_rdatalist_init(rdl);
+	rdl->type = tuple->rdata.type;
+	rdl->rdclass = tuple->rdata.rdclass;
+	rdl->ttl = tuple->ttl;
+	ISC_LIST_APPEND(rdl->rdata, rdata, link);
+
+	CHECK(dns_message_gettemprdataset(msg, &rds));
+	CHECK(dns_rdatalist_tordataset(rdl, rds));
+
+	CHECK(dns_message_gettempname(msg, &name));
+	dns_name_init(name, NULL);
+	dns_name_clone(&tuple->name, name);
+	ISC_LIST_APPEND(name->list, rds, link);
+
+	*target = name;
+	return (ISC_R_SUCCESS);
+
+ failure:
+
+	if (rds != NULL) {
+		dns_rdataset_disassociate(rds);
+		dns_message_puttemprdataset(msg, &rds);
+	}
+	if (rdl != NULL) {
+		ISC_LIST_UNLINK(rdl->rdata, rdata, link);
+		dns_message_puttemprdatalist(msg, &rdl);
+	}
+	if (rdata != NULL)
+		dns_message_puttemprdata(msg, &rdata);
+
+	return (result);
+}
+
+
+/*
+ * Build an *XFR request and send its length prefix.
+ */
+static isc_result_t
+xfrin_send_request(dns_xfrin_ctx_t *xfr) {
+	isc_result_t result;
+	isc_region_t region;
+	dns_rdataset_t *qrdataset = NULL;
+	dns_message_t *msg = NULL;
+	dns_difftuple_t *soatuple = NULL;
+	dns_name_t *qname = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_name_t *msgsoaname = NULL;
+
+	/* Create the request message */
+	CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, &msg));
+	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+
+	/* Create a name for the question section. */
+	CHECK(dns_message_gettempname(msg, &qname));
+	dns_name_init(qname, NULL);
+	dns_name_clone(&xfr->name, qname);
+
+	/* Formulate the question and attach it to the question name. */
+	CHECK(dns_message_gettemprdataset(msg, &qrdataset));
+	dns_rdataset_makequestion(qrdataset, xfr->rdclass, xfr->reqtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	qrdataset = NULL;
+
+	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+	qname = NULL;
+
+	if (xfr->reqtype == dns_rdatatype_ixfr) {
+		/* Get the SOA and add it to the authority section. */
+		/* XXX is using the current version the right thing? */
+		dns_db_currentversion(xfr->db, &ver);
+		CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
+					    DNS_DIFFOP_EXISTS, &soatuple));
+		xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
+		xfr->ixfr.current_serial = xfr->ixfr.request_serial;
+		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+			  "requesting IXFR for serial %u",
+			  xfr->ixfr.request_serial);
+
+		CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
+		dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
+	} else if (xfr->reqtype == dns_rdatatype_soa)
+		CHECK(dns_db_getsoaserial(xfr->db, NULL,
+					  &xfr->ixfr.request_serial));
+
+	xfr->checkid = true;
+	xfr->id++;
+	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	isc_time_now(&xfr->start);
+	msg->id = xfr->id;
+	if (xfr->tsigctx != NULL)
+		dst_context_destroy(&xfr->tsigctx);
+
+	CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
+
+	/*
+	 * Free the last tsig, if there is one.
+	 */
+	if (xfr->lasttsig != NULL)
+		isc_buffer_free(&xfr->lasttsig);
+
+	/*
+	 * Save the query TSIG and don't let message_destroy free it.
+	 */
+	CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+
+	isc_buffer_usedregion(&xfr->qbuffer, &region);
+	INSIST(region.length <= 65535);
+
+	/*
+	 * Record message length and adjust region to include TCP
+	 * length field.
+	 */
+	xfr->qbuffer_data[0] = (region.length >> 8) & 0xff;
+	xfr->qbuffer_data[1] = region.length & 0xff;
+	region.base -= 2;
+	region.length += 2;
+	CHECK(isc_socket_send(xfr->socket, &region, xfr->task,
+			      xfrin_send_done, xfr));
+	xfr->sends++;
+
+ failure:
+	if (qname != NULL)
+		dns_message_puttempname(msg, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(msg, &qrdataset);
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	if (soatuple != NULL)
+		dns_difftuple_free(&soatuple);
+	if (ver != NULL)
+		dns_db_closeversion(xfr->db, &ver, false);
+	return (result);
+}
+
+static void
+xfrin_send_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sev = (isc_socketevent_t *) event;
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+	isc_result_t result;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+	xfr->sends--;
+	xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
+	CHECK(sev->result);
+
+	CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
+				     xfrin_recv_done, xfr));
+	xfr->recvs++;
+ failure:
+	isc_event_free(&event);
+	if (result != ISC_R_SUCCESS)
+		xfrin_fail(xfr, result, "failed sending request data");
+}
+
+
+static void
+xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->ev_arg;
+	isc_result_t result;
+	dns_message_t *msg = NULL;
+	dns_name_t *name;
+	dns_tcpmsg_t *tcpmsg;
+	dns_name_t *tsigowner = NULL;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
+	tcpmsg = ev->ev_sender;
+	isc_event_free(&ev);
+
+	xfr->recvs--;
+	if (xfr->shuttingdown) {
+		maybe_free(xfr);
+		return;
+	}
+
+	CHECK(tcpmsg->result);
+
+	xfrin_log(xfr, ISC_LOG_DEBUG(7), "received %u bytes",
+		  tcpmsg->buffer.used);
+
+	CHECK(isc_timer_touch(xfr->timer));
+
+	CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg));
+
+	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+	CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+
+	msg->tsigctx = xfr->tsigctx;
+	xfr->tsigctx = NULL;
+
+	dns_message_setclass(msg, xfr->rdclass);
+
+	if (xfr->nmsg > 0)
+		msg->tcp_continuation = 1;
+
+	result = dns_message_parse(msg, &tcpmsg->buffer,
+				   DNS_MESSAGEPARSE_PRESERVEORDER);
+
+	if (result == ISC_R_SUCCESS)
+		dns_message_logpacket2(msg, "received message from",
+				       &tcpmsg->address,
+				       DNS_LOGCATEGORY_XFER_IN,
+				       DNS_LOGMODULE_XFER_IN,
+				       ISC_LOG_DEBUG(10), xfr->mctx);
+	else
+		xfrin_log(xfr, ISC_LOG_DEBUG(10), "dns_message_parse: %s",
+			  dns_result_totext(result));
+
+	if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror ||
+	    msg->opcode != dns_opcode_query ||msg->rdclass != xfr->rdclass ||
+	    (xfr->checkid && msg->id != xfr->id)) {
+		if (result == ISC_R_SUCCESS && msg->rcode != dns_rcode_noerror)
+			result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
+		else if (result == ISC_R_SUCCESS &&
+			 msg->opcode != dns_opcode_query)
+			result = DNS_R_UNEXPECTEDOPCODE;
+		else if (result == ISC_R_SUCCESS &&
+			 msg->rdclass != xfr->rdclass)
+			result = DNS_R_BADCLASS;
+		else if (result == ISC_R_SUCCESS || result == DNS_R_NOERROR)
+			result = DNS_R_UNEXPECTEDID;
+		if (xfr->reqtype == dns_rdatatype_axfr ||
+		    xfr->reqtype == dns_rdatatype_soa)
+			goto failure;
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
+		       isc_result_totext(result));
+ try_axfr:
+		dns_message_destroy(&msg);
+		xfrin_reset(xfr);
+		xfr->reqtype = dns_rdatatype_soa;
+		xfr->state = XFRST_SOAQUERY;
+		(void)xfrin_start(xfr);
+		return;
+	}
+
+	/*
+	 * Does the server know about IXFR?  If it doesn't we will get
+	 * a message with a empty answer section or a potentially a CNAME /
+	 * DNAME, the later is handled by xfr_rr() which will return FORMERR
+	 * if the first RR in the answer section is not a SOA record.
+	 */
+	if (xfr->reqtype == dns_rdatatype_ixfr &&
+	    xfr->state == XFRST_INITIALSOA &&
+	    msg->counts[DNS_SECTION_ANSWER] == 0) {
+		xfrin_log(xfr, ISC_LOG_DEBUG(3),
+			  "empty answer section, retrying with AXFR");
+		goto try_axfr;
+	}
+
+	if (xfr->reqtype == dns_rdatatype_soa &&
+	    (msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		FAIL(DNS_R_NOTAUTHORITATIVE);
+	}
+
+
+	result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
+	if (result != ISC_R_SUCCESS) {
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
+		       isc_result_totext(result));
+		goto failure;
+	}
+
+	for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
+	{
+		dns_rdataset_t *rds;
+
+		name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+		for (rds = ISC_LIST_HEAD(name->list);
+		     rds != NULL;
+		     rds = ISC_LIST_NEXT(rds, link))
+		{
+			for (result = dns_rdataset_first(rds);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rds))
+			{
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(rds, &rdata);
+				CHECK(xfr_rr(xfr, name, rds->ttl, &rdata));
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	if (dns_message_gettsig(msg, &tsigowner) != NULL) {
+		/*
+		 * Reset the counter.
+		 */
+		xfr->sincetsig = 0;
+
+		/*
+		 * Free the last tsig, if there is one.
+		 */
+		if (xfr->lasttsig != NULL)
+			isc_buffer_free(&xfr->lasttsig);
+
+		/*
+		 * Update the last tsig pointer.
+		 */
+		CHECK(dns_message_getquerytsig(msg, xfr->mctx,
+					       &xfr->lasttsig));
+
+	} else if (dns_message_gettsigkey(msg) != NULL) {
+		xfr->sincetsig++;
+		if (xfr->sincetsig > 100 || xfr->nmsg == 0 ||
+		    xfr->state == XFRST_AXFR_END ||
+		    xfr->state == XFRST_IXFR_END)
+		{
+			result = DNS_R_EXPECTEDTSIG;
+			goto failure;
+		}
+	}
+
+	/*
+	 * Update the number of messages received.
+	 */
+	xfr->nmsg++;
+
+	/*
+	 * Update the number of bytes received.
+	 */
+	xfr->nbytes += tcpmsg->buffer.used;
+
+	/*
+	 * Take the context back.
+	 */
+	INSIST(xfr->tsigctx == NULL);
+	xfr->tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
+
+	dns_message_destroy(&msg);
+
+	switch (xfr->state) {
+	case XFRST_GOTSOA:
+		xfr->reqtype = dns_rdatatype_axfr;
+		xfr->state = XFRST_INITIALSOA;
+		CHECK(xfrin_send_request(xfr));
+		break;
+	case XFRST_AXFR_END:
+		CHECK(axfr_finalize(xfr));
+		/* FALLTHROUGH */
+	case XFRST_IXFR_END:
+		/*
+		 * Close the journal.
+		 */
+		if (xfr->ixfr.journal != NULL)
+			dns_journal_destroy(&xfr->ixfr.journal);
+
+		/*
+		 * Inform the caller we succeeded.
+		 */
+		if (xfr->done != NULL) {
+			(xfr->done)(xfr->zone, ISC_R_SUCCESS);
+			xfr->done = NULL;
+		}
+		/*
+		 * We should have no outstanding events at this
+		 * point, thus maybe_free() should succeed.
+		 */
+		xfr->shuttingdown = true;
+		xfr->shutdown_result = ISC_R_SUCCESS;
+		maybe_free(xfr);
+		break;
+	default:
+		/*
+		 * Read the next message.
+		 */
+		CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
+					     xfrin_recv_done, xfr));
+		xfr->recvs++;
+	}
+	return;
+
+ failure:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	if (result != ISC_R_SUCCESS)
+		xfrin_fail(xfr, result, "failed while receiving responses");
+}
+
+static void
+xfrin_timeout(isc_task_t *task, isc_event_t *event) {
+	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	/*
+	 * This will log "giving up: timeout".
+	 */
+	xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
+}
+
+static void
+maybe_free(dns_xfrin_ctx_t *xfr) {
+	uint64_t msecs;
+	uint64_t persec;
+	const char *result_str;
+
+	REQUIRE(VALID_XFRIN(xfr));
+
+	if (! xfr->shuttingdown || xfr->refcount != 0 ||
+	    xfr->connects != 0 || xfr->sends != 0 ||
+	    xfr->recvs != 0)
+		return;
+
+	INSIST(! xfr->shuttingdown || xfr->shutdown_result != ISC_R_UNSET);
+
+	/* If we're called through dns_xfrin_detach() and are not
+	 * shutting down, we can't know what the transfer status is as
+	 * we are only called when the last reference is lost.
+	 */
+	result_str = (xfr->shuttingdown ?
+		      isc_result_totext(xfr->shutdown_result) : "unknown");
+	xfrin_log(xfr, ISC_LOG_INFO, "Transfer status: %s", result_str);
+
+	/*
+	 * Calculate the length of time the transfer took,
+	 * and print a log message with the bytes and rate.
+	 */
+	isc_time_now(&xfr->end);
+	msecs = isc_time_microdiff(&xfr->end, &xfr->start) / 1000;
+	if (msecs == 0)
+		msecs = 1;
+	persec = (xfr->nbytes * 1000) / msecs;
+	xfrin_log(xfr, ISC_LOG_INFO,
+		  "Transfer completed: %d messages, %d records, "
+		  "%" PRIu64 " bytes, "
+		  "%u.%03u secs (%u bytes/sec)",
+		  xfr->nmsg, xfr->nrecs, xfr->nbytes,
+		  (unsigned int) (msecs / 1000), (unsigned int) (msecs % 1000),
+		  (unsigned int) persec);
+
+	if (xfr->socket != NULL)
+		isc_socket_detach(&xfr->socket);
+
+	if (xfr->timer != NULL)
+		isc_timer_detach(&xfr->timer);
+
+	if (xfr->task != NULL)
+		isc_task_detach(&xfr->task);
+
+	if (xfr->tsigkey != NULL)
+		dns_tsigkey_detach(&xfr->tsigkey);
+
+	if (xfr->lasttsig != NULL)
+		isc_buffer_free(&xfr->lasttsig);
+
+	dns_diff_clear(&xfr->diff);
+
+	if (xfr->ixfr.journal != NULL)
+		dns_journal_destroy(&xfr->ixfr.journal);
+
+	if (xfr->axfr.add_private != NULL)
+		(void)dns_db_endload(xfr->db, &xfr->axfr);
+
+	if (xfr->tcpmsg_valid)
+		dns_tcpmsg_invalidate(&xfr->tcpmsg);
+
+	if (xfr->tsigctx != NULL)
+		dst_context_destroy(&xfr->tsigctx);
+
+	if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0)
+		dns_name_free(&xfr->name, xfr->mctx);
+
+	if (xfr->ver != NULL)
+		dns_db_closeversion(xfr->db, &xfr->ver, false);
+
+	if (xfr->db != NULL)
+		dns_db_detach(&xfr->db);
+
+	if (xfr->zone != NULL)
+		dns_zone_idetach(&xfr->zone);
+
+	isc_mem_putanddetach(&xfr->mctx, xfr, sizeof(*xfr));
+}
+
+/*
+ * Log incoming zone transfer messages in a format like
+ * transfer of <zone> from <address>: <message>
+ */
+static void
+xfrin_logv(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, va_list ap)
+{
+	char mastertext[ISC_SOCKADDR_FORMATSIZE];
+	char msgtext[2048];
+
+	isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
+	vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
+		      DNS_LOGMODULE_XFER_IN, level,
+		      "transfer of '%s' from %s: %s",
+		      zonetext, mastertext, msgtext);
+}
+
+/*
+ * Logging function for use when a xfrin_ctx_t has not yet been created.
+ */
+
+static void
+xfrin_log1(int level, const char *zonetext, isc_sockaddr_t *masteraddr,
+	   const char *fmt, ...)
+{
+	va_list ap;
+
+	if (isc_log_wouldlog(dns_lctx, level) == false)
+		return;
+
+	va_start(ap, fmt);
+	xfrin_logv(level, zonetext, masteraddr, fmt, ap);
+	va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrin_ctx_t.
+ */
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
+{
+	va_list ap;
+	char zonetext[DNS_NAME_MAXTEXT+32];
+
+	if (isc_log_wouldlog(dns_lctx, level) == false)
+		return;
+
+	dns_zone_name(xfr->zone, zonetext, sizeof(zonetext));
+
+	va_start(ap, fmt);
+	xfrin_logv(level, zonetext, &xfr->masteraddr, fmt, ap);
+	va_end(ap);
+}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
new file mode 100644
index 0000000..6d4426a
--- /dev/null
+++ b/lib/dns/zone.c
@@ -0,0 +1,19485 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+#include <errno.h>
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/hex.h>
+#include <isc/mutex.h>
+#include <isc/pool.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/ratelimiter.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acache.h>
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/callbacks.h>
+#include <dns/catz.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/dlz.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/keydata.h>
+#include <dns/keytable.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
+#include <dns/peer.h>
+#include <dns/private.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/rriterator.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/stats.h>
+#include <dns/time.h>
+#include <dns/tsig.h>
+#include <dns/update.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <dst/dst.h>
+
+#include "zone_p.h"
+
+#define ZONE_MAGIC			ISC_MAGIC('Z', 'O', 'N', 'E')
+#define DNS_ZONE_VALID(zone)		ISC_MAGIC_VALID(zone, ZONE_MAGIC)
+
+#define NOTIFY_MAGIC			ISC_MAGIC('N', 't', 'f', 'y')
+#define DNS_NOTIFY_VALID(notify)	ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
+
+#define STUB_MAGIC			ISC_MAGIC('S', 't', 'u', 'b')
+#define DNS_STUB_VALID(stub)		ISC_MAGIC_VALID(stub, STUB_MAGIC)
+
+#define ZONEMGR_MAGIC			ISC_MAGIC('Z', 'm', 'g', 'r')
+#define DNS_ZONEMGR_VALID(stub)		ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
+
+#define LOAD_MAGIC			ISC_MAGIC('L', 'o', 'a', 'd')
+#define DNS_LOAD_VALID(load)		ISC_MAGIC_VALID(load, LOAD_MAGIC)
+
+#define FORWARD_MAGIC			ISC_MAGIC('F', 'o', 'r', 'w')
+#define DNS_FORWARD_VALID(load)		ISC_MAGIC_VALID(load, FORWARD_MAGIC)
+
+#define IO_MAGIC			ISC_MAGIC('Z', 'm', 'I', 'O')
+#define DNS_IO_VALID(load)		ISC_MAGIC_VALID(load, IO_MAGIC)
+
+/*%
+ * Ensure 'a' is at least 'min' but not more than 'max'.
+ */
+#define RANGE(a, min, max) \
+		(((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
+
+#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+
+/*%
+ * Key flags
+ */
+#define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
+#define KSK(x) ((dst_key_flags(x) & DNS_KEYFLAG_KSK) != 0)
+#define ALG(x) dst_key_alg(x)
+
+/*
+ * Default values.
+ */
+#define DNS_DEFAULT_IDLEIN 3600		/*%< 1 hour */
+#define DNS_DEFAULT_IDLEOUT 3600	/*%< 1 hour */
+#define MAX_XFER_TIME (2*3600)		/*%< Documented default is 2 hours */
+#define RESIGN_DELAY 3600		/*%< 1 hour */
+
+#ifndef DNS_MAX_EXPIRE
+#define DNS_MAX_EXPIRE	14515200	/*%< 24 weeks */
+#endif
+
+#ifndef DNS_DUMP_DELAY
+#define DNS_DUMP_DELAY 900		/*%< 15 minutes */
+#endif
+
+typedef struct dns_notify dns_notify_t;
+typedef struct dns_stub dns_stub_t;
+typedef struct dns_load dns_load_t;
+typedef struct dns_forward dns_forward_t;
+typedef ISC_LIST(dns_forward_t) dns_forwardlist_t;
+typedef struct dns_io dns_io_t;
+typedef ISC_LIST(dns_io_t) dns_iolist_t;
+typedef struct dns_signing dns_signing_t;
+typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
+typedef struct dns_nsec3chain dns_nsec3chain_t;
+typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
+typedef struct dns_keyfetch dns_keyfetch_t;
+typedef struct dns_asyncload dns_asyncload_t;
+typedef struct dns_include dns_include_t;
+
+#define DNS_ZONE_CHECKLOCK
+#ifdef DNS_ZONE_CHECKLOCK
+#define LOCK_ZONE(z) \
+	 do { LOCK(&(z)->lock); \
+	      INSIST((z)->locked == false); \
+	     (z)->locked = true; \
+		} while (0)
+#define UNLOCK_ZONE(z) \
+	do { (z)->locked = false; UNLOCK(&(z)->lock); } while (0)
+#define LOCKED_ZONE(z) ((z)->locked)
+#define TRYLOCK_ZONE(result, z) \
+	do { \
+	      result = isc_mutex_trylock(&(z)->lock); \
+	      if (result == ISC_R_SUCCESS) {  \
+		     INSIST((z)->locked == false); \
+		     (z)->locked = true; \
+	      } \
+	} while (0)
+#else
+#define LOCK_ZONE(z) LOCK(&(z)->lock)
+#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
+#define LOCKED_ZONE(z) true
+#define TRYLOCK_ZONE(result, z) \
+	do { result = isc_mutex_trylock(&(z)->lock); } while (0)
+#endif
+
+#ifdef ISC_RWLOCK_USEATOMIC
+#define ZONEDB_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
+#define ZONEDB_DESTROYLOCK(l)	isc_rwlock_destroy(l)
+#define ZONEDB_LOCK(l, t)	RWLOCK((l), (t))
+#define ZONEDB_UNLOCK(l, t)	RWUNLOCK((l), (t))
+#else
+#define ZONEDB_INITLOCK(l)	isc_mutex_init(l)
+#define ZONEDB_DESTROYLOCK(l)	DESTROYLOCK(l)
+#define ZONEDB_LOCK(l, t)	LOCK(l)
+#define ZONEDB_UNLOCK(l, t)	UNLOCK(l)
+#endif
+
+#ifdef ENABLE_AFL
+extern bool dns_fuzzing_resolver;
+#endif
+
+struct dns_zone {
+	/* Unlocked */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+#ifdef DNS_ZONE_CHECKLOCK
+	bool		locked;
+#endif
+	isc_mem_t		*mctx;
+	isc_refcount_t		erefs;
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_t		dblock;
+#else
+	isc_mutex_t		dblock;
+#endif
+	dns_db_t		*db;		/* Locked by dblock */
+
+	/* Locked */
+	dns_zonemgr_t		*zmgr;
+	ISC_LINK(dns_zone_t)	link;		/* Used by zmgr. */
+	isc_timer_t		*timer;
+	unsigned int		irefs;
+	dns_name_t		origin;
+	char			*masterfile;
+	ISC_LIST(dns_include_t)	includes;	/* Include files */
+	ISC_LIST(dns_include_t)	newincludes;	/* Loading */
+	unsigned int		nincludes;
+	dns_masterformat_t	masterformat;
+	const dns_master_style_t *masterstyle;
+	char			*journal;
+	int32_t		journalsize;
+	dns_rdataclass_t	rdclass;
+	dns_zonetype_t		type;
+	unsigned int		flags;
+	unsigned int		options;
+	unsigned int		options2;
+	unsigned int		db_argc;
+	char			**db_argv;
+	isc_time_t		expiretime;
+	isc_time_t		refreshtime;
+	isc_time_t		dumptime;
+	isc_time_t		loadtime;
+	isc_time_t		notifytime;
+	isc_time_t		resigntime;
+	isc_time_t		keywarntime;
+	isc_time_t		signingtime;
+	isc_time_t		nsec3chaintime;
+	isc_time_t		refreshkeytime;
+	uint32_t		refreshkeyinterval;
+	uint32_t		refreshkeycount;
+	uint32_t		refresh;
+	uint32_t		retry;
+	uint32_t		expire;
+	uint32_t		minimum;
+	isc_stdtime_t		key_expiry;
+	isc_stdtime_t		log_key_expired_timer;
+	char			*keydirectory;
+
+	uint32_t		maxrefresh;
+	uint32_t		minrefresh;
+	uint32_t		maxretry;
+	uint32_t		minretry;
+
+	uint32_t		maxrecords;
+
+	isc_sockaddr_t		*masters;
+	isc_dscp_t		*masterdscps;
+	dns_name_t		**masterkeynames;
+	bool		*mastersok;
+	unsigned int		masterscnt;
+	unsigned int		curmaster;
+	isc_sockaddr_t		masteraddr;
+	dns_notifytype_t	notifytype;
+	isc_sockaddr_t		*notify;
+	dns_name_t		**notifykeynames;
+	isc_dscp_t		*notifydscp;
+	unsigned int		notifycnt;
+	isc_sockaddr_t		notifyfrom;
+	isc_task_t		*task;
+	isc_task_t		*loadtask;
+	isc_sockaddr_t		notifysrc4;
+	isc_sockaddr_t		notifysrc6;
+	isc_sockaddr_t		xfrsource4;
+	isc_sockaddr_t		xfrsource6;
+	isc_sockaddr_t		altxfrsource4;
+	isc_sockaddr_t		altxfrsource6;
+	isc_sockaddr_t		sourceaddr;
+	isc_dscp_t		notifysrc4dscp;
+	isc_dscp_t		notifysrc6dscp;
+	isc_dscp_t		xfrsource4dscp;
+	isc_dscp_t		xfrsource6dscp;
+	isc_dscp_t		altxfrsource4dscp;
+	isc_dscp_t		altxfrsource6dscp;
+	dns_xfrin_ctx_t		*xfr;		/* task locked */
+	dns_tsigkey_t		*tsigkey;	/* key used for xfr */
+	/* Access Control Lists */
+	dns_acl_t		*update_acl;
+	dns_acl_t		*forward_acl;
+	dns_acl_t		*notify_acl;
+	dns_acl_t		*query_acl;
+	dns_acl_t		*queryon_acl;
+	dns_acl_t		*xfr_acl;
+	bool		update_disabled;
+	bool		zero_no_soa_ttl;
+	dns_severity_t		check_names;
+	ISC_LIST(dns_notify_t)	notifies;
+	dns_request_t		*request;
+	dns_loadctx_t		*lctx;
+	dns_io_t		*readio;
+	dns_dumpctx_t		*dctx;
+	dns_io_t		*writeio;
+	uint32_t		maxxfrin;
+	uint32_t		maxxfrout;
+	uint32_t		idlein;
+	uint32_t		idleout;
+	isc_event_t		ctlevent;
+	dns_ssutable_t		*ssutable;
+	uint32_t		sigvalidityinterval;
+	uint32_t		sigresigninginterval;
+	dns_view_t		*view;
+	dns_view_t		*prev_view;
+	dns_acache_t		*acache;
+	dns_checkmxfunc_t	checkmx;
+	dns_checksrvfunc_t	checksrv;
+	dns_checknsfunc_t	checkns;
+	/*%
+	 * Zones in certain states such as "waiting for zone transfer"
+	 * or "zone transfer in progress" are kept on per-state linked lists
+	 * in the zone manager using the 'statelink' field.  The 'statelist'
+	 * field points at the list the zone is currently on.  It the zone
+	 * is not on any such list, statelist is NULL.
+	 */
+	ISC_LINK(dns_zone_t)	statelink;
+	dns_zonelist_t		*statelist;
+	/*%
+	 * Statistics counters about zone management.
+	 */
+	isc_stats_t		*stats;
+	/*%
+	 * Optional per-zone statistics counters.  Counted outside of this
+	 * module.
+	 */
+	dns_zonestat_level_t	statlevel;
+	bool		requeststats_on;
+	isc_stats_t		*requeststats;
+	dns_stats_t		*rcvquerystats;
+	uint32_t		notifydelay;
+	dns_isselffunc_t	isself;
+	void			*isselfarg;
+
+	char *			strnamerd;
+	char *			strname;
+	char *			strrdclass;
+	char *			strviewname;
+
+	/*%
+	 * Serial number for deferred journal compaction.
+	 */
+	uint32_t		compact_serial;
+	/*%
+	 * Keys that are signing the zone for the first time.
+	 */
+	dns_signinglist_t	signing;
+	dns_nsec3chainlist_t	nsec3chain;
+	/*%
+	 * List of outstanding NSEC3PARAM change requests.
+	 */
+	isc_eventlist_t		setnsec3param_queue;
+	/*%
+	 * Signing / re-signing quantum stopping parameters.
+	 */
+	uint32_t		signatures;
+	uint32_t		nodes;
+	dns_rdatatype_t		privatetype;
+
+	/*%
+	 * Autosigning/key-maintenance options
+	 */
+	uint32_t		keyopts;
+
+	/*%
+	 * True if added by "rndc addzone"
+	 */
+	bool           added;
+
+	/*%
+	 * True if added by automatically by named.
+	 */
+	bool           automatic;
+
+	/*%
+	 * response policy data to be relayed to the database
+	 */
+	dns_rpz_zones_t		*rpzs;
+	dns_rpz_num_t		rpz_num;
+
+	/*%
+	 * catalog zone data
+	 */
+	dns_catz_zones_t	*catzs;
+
+	/*%
+	 * parent catalog zone
+	 */
+	dns_catz_zone_t		*parentcatz;
+
+	/*%
+	 * Serial number update method.
+	 */
+	dns_updatemethod_t	updatemethod;
+
+	/*%
+	 * whether ixfr is requested
+	 */
+	bool		requestixfr;
+
+	/*%
+	 * whether EDNS EXPIRE is requested
+	 */
+	bool		requestexpire;
+
+	/*%
+	 * Outstanding forwarded UPDATE requests.
+	 */
+	dns_forwardlist_t	forwards;
+
+	dns_zone_t		*raw;
+	dns_zone_t		*secure;
+
+	bool		sourceserialset;
+	uint32_t		sourceserial;
+
+	/*%
+	 * maximum zone ttl
+	 */
+	dns_ttl_t		maxttl;
+
+	/*
+	 * Inline zone signing state.
+	 */
+	dns_diff_t		rss_diff;
+	isc_eventlist_t		rss_events;
+	dns_dbversion_t		*rss_newver;
+	dns_dbversion_t		*rss_oldver;
+	dns_db_t		*rss_db;
+	dns_zone_t		*rss_raw;
+	isc_event_t		*rss_event;
+	dns_update_state_t      *rss_state;
+};
+
+#define zonediff_init(z, d) \
+	do { \
+		dns__zonediff_t *_z = (z); \
+		(_z)->diff = (d); \
+		(_z)->offline = false; \
+	} while (0)
+
+#define DNS_ZONE_FLAG(z,f) ((z)->flags & (f))
+#define DNS_ZONE_SETFLAG(z,f) do { \
+		INSIST(LOCKED_ZONE(z)); \
+		(z)->flags |= (f); \
+		} while (0)
+#define DNS_ZONE_CLRFLAG(z,f) do { \
+		INSIST(LOCKED_ZONE(z)); \
+		(z)->flags &= ~(f); \
+		} while (0)
+	/* XXX MPA these may need to go back into zone.h */
+#define DNS_ZONEFLG_REFRESH	0x00000001U	/*%< refresh check in progress */
+#define DNS_ZONEFLG_NEEDDUMP	0x00000002U	/*%< zone need consolidation */
+#define DNS_ZONEFLG_USEVC	0x00000004U	/*%< use tcp for refresh query */
+#define DNS_ZONEFLG_DUMPING	0x00000008U	/*%< a dump is in progress */
+#define DNS_ZONEFLG_HASINCLUDE	0x00000010U	/*%< $INCLUDE in zone file */
+#define DNS_ZONEFLG_LOADED	0x00000020U	/*%< database has loaded */
+#define DNS_ZONEFLG_EXITING	0x00000040U	/*%< zone is being destroyed */
+#define DNS_ZONEFLG_EXPIRED	0x00000080U	/*%< zone has expired */
+#define DNS_ZONEFLG_NEEDREFRESH	0x00000100U	/*%< refresh check needed */
+#define DNS_ZONEFLG_UPTODATE	0x00000200U	/*%< zone contents are
+						 * uptodate */
+#define DNS_ZONEFLG_NEEDNOTIFY	0x00000400U	/*%< need to send out notify
+						 * messages */
+#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U	/*%< generate a journal diff on
+						 * reload */
+#define DNS_ZONEFLG_NOMASTERS	0x00001000U	/*%< an attempt to refresh a
+						 * zone with no masters
+						 * occurred */
+#define DNS_ZONEFLG_LOADING	0x00002000U	/*%< load from disk in progress*/
+#define DNS_ZONEFLG_HAVETIMERS	0x00004000U	/*%< timer values have been set
+						 * from SOA (if not set, we
+						 * are still using
+						 * default timer values) */
+#define DNS_ZONEFLG_FORCEXFER	0x00008000U	/*%< Force a zone xfer */
+#define DNS_ZONEFLG_NOREFRESH	0x00010000U
+#define DNS_ZONEFLG_DIALNOTIFY	0x00020000U
+#define DNS_ZONEFLG_DIALREFRESH	0x00040000U
+#define DNS_ZONEFLG_SHUTDOWN	0x00080000U
+#define DNS_ZONEFLAG_NOIXFR	0x00100000U	/*%< IXFR failed, force AXFR */
+#define DNS_ZONEFLG_FLUSH	0x00200000U
+#define DNS_ZONEFLG_NOEDNS	0x00400000U
+#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
+#define DNS_ZONEFLG_SOABEFOREAXFR 0x01000000U
+#define DNS_ZONEFLG_NEEDCOMPACT 0x02000000U
+#define DNS_ZONEFLG_REFRESHING	0x04000000U	/*%< Refreshing keydata */
+#define DNS_ZONEFLG_THAW	0x08000000U
+#define DNS_ZONEFLG_LOADPENDING	0x10000000U	/*%< Loading scheduled */
+#define DNS_ZONEFLG_NODELAY	0x20000000U
+#define DNS_ZONEFLG_SENDSECURE  0x40000000U
+#define DNS_ZONEFLG_NEEDSTARTUPNOTIFY 0x80000000U /*%< need to send out notify
+						   *   due to the zone just
+						   *   being loaded for the
+						   *   first time.  */
+
+#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
+#define DNS_ZONE_OPTION2(z,o) (((z)->options2 & (o)) != 0)
+#define DNS_ZONEKEY_OPTION(z,o) (((z)->keyopts & (o)) != 0)
+
+/* Flags for zone_load() */
+#define DNS_ZONELOADFLAG_NOSTAT	0x00000001U	/* Do not stat() master files */
+#define DNS_ZONELOADFLAG_THAW	0x00000002U	/* Thaw the zone on successful
+						   load. */
+
+#define UNREACH_CHACHE_SIZE	10U
+#define UNREACH_HOLD_TIME	600	/* 10 minutes */
+
+#define CHECK(op) \
+	do { result = (op); \
+		if (result != ISC_R_SUCCESS) goto failure; \
+	} while (0)
+
+struct dns_unreachable {
+	isc_sockaddr_t	remote;
+	isc_sockaddr_t	local;
+	uint32_t	expire;
+	uint32_t	last;
+	uint32_t	count;
+};
+
+struct dns_zonemgr {
+	unsigned int		magic;
+	isc_mem_t *		mctx;
+	int			refs;		/* Locked by rwlock */
+	isc_taskmgr_t *		taskmgr;
+	isc_timermgr_t *	timermgr;
+	isc_socketmgr_t *	socketmgr;
+	isc_taskpool_t *	zonetasks;
+	isc_taskpool_t *	loadtasks;
+	isc_task_t *		task;
+	isc_pool_t *		mctxpool;
+	isc_ratelimiter_t *	notifyrl;
+	isc_ratelimiter_t *	refreshrl;
+	isc_ratelimiter_t *	startupnotifyrl;
+	isc_ratelimiter_t *	startuprefreshrl;
+	isc_rwlock_t		rwlock;
+	isc_mutex_t		iolock;
+	isc_rwlock_t		urlock;
+
+	/* Locked by rwlock. */
+	dns_zonelist_t		zones;
+	dns_zonelist_t		waiting_for_xfrin;
+	dns_zonelist_t		xfrin_in_progress;
+
+	/* Configuration data. */
+	uint32_t		transfersin;
+	uint32_t		transfersperns;
+	unsigned int		notifyrate;
+	unsigned int		startupnotifyrate;
+	unsigned int		serialqueryrate;
+	unsigned int		startupserialqueryrate;
+
+	/* Locked by iolock */
+	uint32_t		iolimit;
+	uint32_t		ioactive;
+	dns_iolist_t		high;
+	dns_iolist_t		low;
+
+	/* Locked by urlock. */
+	/* LRU cache */
+	struct dns_unreachable	unreachable[UNREACH_CHACHE_SIZE];
+};
+
+/*%
+ * Hold notify state.
+ */
+struct dns_notify {
+	unsigned int		magic;
+	unsigned int		flags;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+	dns_adbfind_t		*find;
+	dns_request_t		*request;
+	dns_name_t		ns;
+	isc_sockaddr_t		dst;
+	dns_tsigkey_t		*key;
+	isc_dscp_t		dscp;
+	ISC_LINK(dns_notify_t)	link;
+	isc_event_t		*event;
+};
+
+#define DNS_NOTIFY_NOSOA	0x0001U
+#define DNS_NOTIFY_STARTUP	0x0002U
+
+/*%
+ *	dns_stub holds state while performing a 'stub' transfer.
+ *	'db' is the zone's 'db' or a new one if this is the initial
+ *	transfer.
+ */
+
+struct dns_stub {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+	dns_db_t		*db;
+	dns_dbversion_t		*version;
+};
+
+/*%
+ *	Hold load state.
+ */
+struct dns_load {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+	dns_db_t		*db;
+	isc_time_t		loadtime;
+	dns_rdatacallbacks_t	callbacks;
+};
+
+/*%
+ *	Hold forward state.
+ */
+struct dns_forward {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_zone_t		*zone;
+	isc_buffer_t		*msgbuf;
+	dns_request_t		*request;
+	uint32_t		which;
+	isc_sockaddr_t		addr;
+	dns_updatecallback_t	callback;
+	void			*callback_arg;
+	unsigned int		options;
+	ISC_LINK(dns_forward_t)	link;
+};
+
+/*%
+ *	Hold IO request state.
+ */
+struct dns_io {
+	unsigned int	magic;
+	dns_zonemgr_t	*zmgr;
+	bool	high;
+	isc_task_t	*task;
+	ISC_LINK(dns_io_t) link;
+	isc_event_t	*event;
+};
+
+/*%
+ *	Hold state for when we are signing a zone with a new
+ *	DNSKEY as result of an update.
+ */
+struct dns_signing {
+	unsigned int		magic;
+	dns_db_t		*db;
+	dns_dbiterator_t	*dbiterator;
+	dns_secalg_t		algorithm;
+	uint16_t		keyid;
+	bool		deleteit;
+	bool		done;
+	ISC_LINK(dns_signing_t)	link;
+};
+
+struct dns_nsec3chain {
+	unsigned int			magic;
+	dns_db_t			*db;
+	dns_dbiterator_t		*dbiterator;
+	dns_rdata_nsec3param_t		nsec3param;
+	unsigned char			salt[255];
+	bool			done;
+	bool			seen_nsec;
+	bool			delete_nsec;
+	bool			save_delete_nsec;
+	ISC_LINK(dns_nsec3chain_t)	link;
+};
+/*%<
+ * 'dbiterator' contains a iterator for the database.  If we are creating
+ * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
+ * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
+ * iterated.
+ *
+ * 'nsec3param' contains the parameters of the NSEC3 chain being created
+ * or removed.
+ *
+ * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
+ *
+ * 'seen_nsec' will be set to true if, while iterating the zone to create a
+ * NSEC3 chain, a NSEC record is seen.
+ *
+ * 'delete_nsec' will be set to true if, at the completion of the creation
+ * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
+ * are in the process of deleting the NSEC chain.
+ *
+ * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
+ * so it can be recovered in the event of a error.
+ */
+
+struct dns_keyfetch {
+	dns_fixedname_t name;
+	dns_rdataset_t keydataset;
+	dns_rdataset_t dnskeyset;
+	dns_rdataset_t dnskeysigset;
+	dns_zone_t *zone;
+	dns_db_t *db;
+	dns_fetch_t *fetch;
+};
+
+/*%
+ * Hold state for an asynchronous load
+ */
+struct dns_asyncload {
+	dns_zone_t *zone;
+	dns_zt_zoneloaded_t loaded;
+	void *loaded_arg;
+	bool newonly;
+};
+
+/*%
+ * Reference to an include file encountered during loading
+ */
+struct dns_include {
+	char *name;
+	isc_time_t filetime;
+	ISC_LINK(dns_include_t)	link;
+};
+
+/*
+ * These can be overridden by the -T mkeytimers option on the command
+ * line, so that we can test with shorter periods than specified in
+ * RFC 5011.
+ */
+#define HOUR 3600
+#define DAY (24*HOUR)
+#define MONTH (30*DAY)
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_hour = HOUR;
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_day = DAY;
+LIBDNS_EXTERNAL_DATA unsigned int dns_zone_mkey_month = MONTH;
+
+#define SEND_BUFFER_SIZE 2048
+
+static void zone_settimer(dns_zone_t *, isc_time_t *);
+static void cancel_refresh(dns_zone_t *);
+static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
+			  const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+static void queue_xfrin(dns_zone_t *zone);
+static isc_result_t update_one_rr(dns_db_t *db, dns_dbversion_t *ver,
+				  dns_diff_t *diff, dns_diffop_t op,
+				  dns_name_t *name, dns_ttl_t ttl,
+				  dns_rdata_t *rdata);
+static void zone_unload(dns_zone_t *zone);
+static void zone_expire(dns_zone_t *zone);
+static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
+static void zone_idetach(dns_zone_t **zonep);
+static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
+				   bool dump);
+static inline void zone_attachdb(dns_zone_t *zone, dns_db_t *db);
+static inline void zone_detachdb(dns_zone_t *zone);
+static isc_result_t default_journal(dns_zone_t *zone);
+static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
+static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
+				  isc_time_t loadtime, isc_result_t result);
+static void zone_needdump(dns_zone_t *zone, unsigned int delay);
+static void zone_shutdown(isc_task_t *, isc_event_t *);
+static void zone_loaddone(void *arg, isc_result_t result);
+static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
+				   isc_time_t loadtime);
+static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
+static isc_result_t zone_send_secureserial(dns_zone_t *zone,
+					   uint32_t serial);
+
+#if 0
+/* ondestroy example */
+static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
+#endif
+
+static void refresh_callback(isc_task_t *, isc_event_t *);
+static void stub_callback(isc_task_t *, isc_event_t *);
+static void queue_soa_query(dns_zone_t *zone);
+static void soa_query(isc_task_t *, isc_event_t *);
+static void ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset,
+		     dns_stub_t *stub);
+static int message_count(dns_message_t *msg, dns_section_t section,
+			 dns_rdatatype_t type);
+static void notify_cancel(dns_zone_t *zone);
+static void notify_find_address(dns_notify_t *notify);
+static void notify_send(dns_notify_t *notify);
+static isc_result_t notify_createmessage(dns_zone_t *zone,
+					 unsigned int flags,
+					 dns_message_t **messagep);
+static void notify_done(isc_task_t *task, isc_event_t *event);
+static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
+static isc_result_t zone_dump(dns_zone_t *, bool);
+static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
+static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
+					     dns_zone_t *zone);
+static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi);
+static void zonemgr_free(dns_zonemgr_t *zmgr);
+static isc_result_t zonemgr_getio(dns_zonemgr_t *zmgr, bool high,
+				  isc_task_t *task, isc_taskaction_t action,
+				  void *arg, dns_io_t **iop);
+static void zonemgr_putio(dns_io_t **iop);
+static void zonemgr_cancelio(dns_io_t *io);
+
+static isc_result_t
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
+		 unsigned int *soacount, uint32_t *serial,
+		 uint32_t *refresh, uint32_t *retry,
+		 uint32_t *expire, uint32_t *minimum,
+		 unsigned int *errors);
+
+static void zone_freedbargs(dns_zone_t *zone);
+static void forward_callback(isc_task_t *task, isc_event_t *event);
+static void zone_saveunique(dns_zone_t *zone, const char *path,
+			    const char *templat);
+static void zone_maintenance(dns_zone_t *zone);
+static void zone_notify(dns_zone_t *zone, isc_time_t *now);
+static void dump_done(void *arg, isc_result_t result);
+static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+				     uint16_t keyid,
+				     bool deleteit);
+static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
+				dns_dbnode_t *node, dns_name_t *name,
+				dns_diff_t *diff);
+static void zone_rekey(dns_zone_t *zone);
+static isc_result_t zone_send_securedb(dns_zone_t *zone, dns_db_t *db);
+static void setrl(isc_ratelimiter_t *rl, unsigned int *rate,
+		  unsigned int value);
+
+#define ENTER zone_debuglog(zone, me, 1, "enter")
+
+static const unsigned int dbargc_default = 1;
+static const char *dbargv_default[] = { "rbt" };
+
+#define DNS_ZONE_JITTER_ADD(a, b, c) \
+	do { \
+		isc_interval_t _i; \
+		uint32_t _j; \
+		_j = isc_random_jitter((b), (b)/4); \
+		isc_interval_set(&_i, _j, 0); \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+			dns_zone_log(zone, ISC_LOG_WARNING, \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed", #b); \
+			isc_interval_set(&_i, _j/2, 0); \
+			(void)isc_time_add((a), &_i, (c)); \
+		} \
+	} while (0)
+
+#define DNS_ZONE_TIME_ADD(a, b, c) \
+	do { \
+		isc_interval_t _i; \
+		isc_interval_set(&_i, (b), 0); \
+		if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+			dns_zone_log(zone, ISC_LOG_WARNING, \
+				     "epoch approaching: upgrade required: " \
+				     "now + %s failed", #b); \
+			isc_interval_set(&_i, (b)/2, 0); \
+			(void)isc_time_add((a), &_i, (c)); \
+		} \
+	} while (0)
+
+typedef struct nsec3param nsec3param_t;
+struct nsec3param {
+	unsigned char data[DNS_NSEC3PARAM_BUFFERSIZE + 1];
+	unsigned int length;
+	bool nsec;
+	bool replace;
+	ISC_LINK(nsec3param_t)	link;
+};
+typedef ISC_LIST(nsec3param_t) nsec3paramlist_t;
+struct np3event {
+	isc_event_t event;
+	nsec3param_t params;
+};
+
+struct ssevent {
+	isc_event_t event;
+	uint32_t serial;
+};
+
+/*%
+ * Increment resolver-related statistics counters.  Zone must be locked.
+ */
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+	if (zone->stats != NULL)
+		isc_stats_increment(zone->stats, counter);
+}
+
+/***
+ ***	Public functions.
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
+	isc_result_t result;
+	dns_zone_t *zone;
+	isc_time_t now;
+
+	REQUIRE(zonep != NULL && *zonep == NULL);
+	REQUIRE(mctx != NULL);
+
+	TIME_NOW(&now);
+	zone = isc_mem_get(mctx, sizeof(*zone));
+	if (zone == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	zone->mctx = NULL;
+	isc_mem_attach(mctx, &zone->mctx);
+
+	result = isc_mutex_init(&zone->lock);
+	if (result != ISC_R_SUCCESS) {
+		goto free_zone;
+	}
+
+	result = ZONEDB_INITLOCK(&zone->dblock);
+	if (result != ISC_R_SUCCESS) {
+		goto free_mutex;
+	}
+
+	/* XXX MPA check that all elements are initialised */
+#ifdef DNS_ZONE_CHECKLOCK
+	zone->locked = false;
+#endif
+	zone->db = NULL;
+	zone->zmgr = NULL;
+	ISC_LINK_INIT(zone, link);
+	result = isc_refcount_init(&zone->erefs, 1);	/* Implicit attach. */
+	if (result != ISC_R_SUCCESS) {
+		goto free_dblock;
+	}
+	zone->irefs = 0;
+	dns_name_init(&zone->origin, NULL);
+	zone->strnamerd = NULL;
+	zone->strname = NULL;
+	zone->strrdclass = NULL;
+	zone->strviewname = NULL;
+	zone->masterfile = NULL;
+	ISC_LIST_INIT(zone->includes);
+	ISC_LIST_INIT(zone->newincludes);
+	zone->nincludes = 0;
+	zone->masterformat = dns_masterformat_none;
+	zone->masterstyle = NULL;
+	zone->keydirectory = NULL;
+	zone->journalsize = -1;
+	zone->journal = NULL;
+	zone->rdclass = dns_rdataclass_none;
+	zone->type = dns_zone_none;
+	zone->flags = 0;
+	zone->options = 0;
+	zone->options2 = 0;
+	zone->keyopts = 0;
+	zone->db_argc = 0;
+	zone->db_argv = NULL;
+	isc_time_settoepoch(&zone->expiretime);
+	isc_time_settoepoch(&zone->refreshtime);
+	isc_time_settoepoch(&zone->dumptime);
+	isc_time_settoepoch(&zone->loadtime);
+	zone->notifytime = now;
+	isc_time_settoepoch(&zone->resigntime);
+	isc_time_settoepoch(&zone->keywarntime);
+	isc_time_settoepoch(&zone->signingtime);
+	isc_time_settoepoch(&zone->nsec3chaintime);
+	isc_time_settoepoch(&zone->refreshkeytime);
+	zone->refreshkeyinterval = 0;
+	zone->refreshkeycount = 0;
+	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+	zone->retry = DNS_ZONE_DEFAULTRETRY;
+	zone->expire = 0;
+	zone->minimum = 0;
+	zone->maxrefresh = DNS_ZONE_MAXREFRESH;
+	zone->minrefresh = DNS_ZONE_MINREFRESH;
+	zone->maxretry = DNS_ZONE_MAXRETRY;
+	zone->minretry = DNS_ZONE_MINRETRY;
+	zone->masters = NULL;
+	zone->masterdscps = NULL;
+	zone->masterkeynames = NULL;
+	zone->mastersok = NULL;
+	zone->masterscnt = 0;
+	zone->curmaster = 0;
+	zone->maxttl = 0;
+	zone->notify = NULL;
+	zone->notifykeynames = NULL;
+	zone->notifydscp = NULL;
+	zone->notifytype = dns_notifytype_yes;
+	zone->notifycnt = 0;
+	zone->task = NULL;
+	zone->loadtask = NULL;
+	zone->update_acl = NULL;
+	zone->forward_acl = NULL;
+	zone->notify_acl = NULL;
+	zone->query_acl = NULL;
+	zone->queryon_acl = NULL;
+	zone->xfr_acl = NULL;
+	zone->update_disabled = false;
+	zone->zero_no_soa_ttl = true;
+	zone->check_names = dns_severity_ignore;
+	zone->request = NULL;
+	zone->lctx = NULL;
+	zone->readio = NULL;
+	zone->dctx = NULL;
+	zone->writeio = NULL;
+	zone->timer = NULL;
+	zone->idlein = DNS_DEFAULT_IDLEIN;
+	zone->idleout = DNS_DEFAULT_IDLEOUT;
+	zone->log_key_expired_timer = 0;
+	ISC_LIST_INIT(zone->notifies);
+	isc_sockaddr_any(&zone->notifysrc4);
+	isc_sockaddr_any6(&zone->notifysrc6);
+	isc_sockaddr_any(&zone->xfrsource4);
+	isc_sockaddr_any6(&zone->xfrsource6);
+	isc_sockaddr_any(&zone->altxfrsource4);
+	isc_sockaddr_any6(&zone->altxfrsource6);
+	zone->notifysrc4dscp = -1;
+	zone->notifysrc6dscp = -1;
+	zone->xfrsource4dscp = -1;
+	zone->xfrsource6dscp = -1;
+	zone->altxfrsource4dscp = -1;
+	zone->altxfrsource6dscp = -1;
+	zone->xfr = NULL;
+	zone->tsigkey = NULL;
+	zone->maxxfrin = MAX_XFER_TIME;
+	zone->maxxfrout = MAX_XFER_TIME;
+	zone->ssutable = NULL;
+	zone->sigvalidityinterval = 30 * 24 * 3600;
+	zone->sigresigninginterval = 7 * 24 * 3600;
+	zone->view = NULL;
+	zone->prev_view = NULL;
+	zone->acache = NULL;
+	zone->checkmx = NULL;
+	zone->checksrv = NULL;
+	zone->checkns = NULL;
+	ISC_LINK_INIT(zone, statelink);
+	zone->statelist = NULL;
+	zone->stats = NULL;
+	zone->requeststats_on = false;
+	zone->statlevel = dns_zonestat_none;
+	zone->requeststats = NULL;
+	zone->rcvquerystats = NULL;
+	zone->notifydelay = 5;
+	zone->isself = NULL;
+	zone->isselfarg = NULL;
+	ISC_LIST_INIT(zone->signing);
+	ISC_LIST_INIT(zone->nsec3chain);
+	ISC_LIST_INIT(zone->setnsec3param_queue);
+	zone->signatures = 10;
+	zone->nodes = 100;
+	zone->privatetype = (dns_rdatatype_t)0xffffU;
+	zone->added = false;
+	zone->automatic = false;
+	zone->rpzs = NULL;
+	zone->rpz_num = DNS_RPZ_INVALID_NUM;
+
+	zone->catzs = NULL;
+	zone->parentcatz = NULL;
+
+	ISC_LIST_INIT(zone->forwards);
+	zone->raw = NULL;
+	zone->secure = NULL;
+	zone->sourceserial = 0;
+	zone->sourceserialset = false;
+	zone->requestixfr = true;
+	zone->requestexpire = true;
+	ISC_LIST_INIT(zone->rss_events);
+	zone->rss_db = NULL;
+	zone->rss_raw = NULL;
+	zone->rss_newver = NULL;
+	zone->rss_oldver = NULL;
+	zone->rss_event = NULL;
+	zone->rss_state = NULL;
+	zone->updatemethod = dns_updatemethod_increment;
+	zone->maxrecords = 0U;
+
+	zone->magic = ZONE_MAGIC;
+
+	/* Must be after magic is set. */
+	result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
+	if (result != ISC_R_SUCCESS) {
+		goto free_erefs;
+	}
+
+	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
+		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
+		       NULL, NULL);
+	*zonep = zone;
+	return (ISC_R_SUCCESS);
+
+ free_erefs:
+	isc_refcount_decrement(&zone->erefs, NULL);
+	isc_refcount_destroy(&zone->erefs);
+
+ free_dblock:
+	ZONEDB_DESTROYLOCK(&zone->dblock);
+
+ free_mutex:
+	DESTROYLOCK(&zone->lock);
+
+ free_zone:
+	isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
+	return (result);
+}
+
+/*
+ * Free a zone.  Because we require that there be no more
+ * outstanding events or references, no locking is necessary.
+ */
+static void
+zone_free(dns_zone_t *zone) {
+	isc_mem_t *mctx = NULL;
+	dns_signing_t *signing;
+	dns_nsec3chain_t *nsec3chain;
+	isc_event_t *setnsec3param_event;
+	dns_include_t *include;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(isc_refcount_current(&zone->erefs) == 0);
+	REQUIRE(zone->irefs == 0);
+	REQUIRE(!LOCKED_ZONE(zone));
+	REQUIRE(zone->timer == NULL);
+	REQUIRE(zone->zmgr == NULL);
+
+	/*
+	 * Managed objects.  Order is important.
+	 */
+	if (zone->request != NULL) {
+		dns_request_destroy(&zone->request); /* XXXMPA */
+	}
+	INSIST(zone->readio == NULL);
+	INSIST(zone->statelist == NULL);
+	INSIST(zone->writeio == NULL);
+
+	if (zone->task != NULL) {
+		isc_task_detach(&zone->task);
+	}
+	if (zone->loadtask != NULL) {
+		isc_task_detach(&zone->loadtask);
+	}
+	if (zone->view != NULL) {
+		dns_view_weakdetach(&zone->view);
+	}
+	if (zone->prev_view != NULL) {
+		dns_view_weakdetach(&zone->prev_view);
+	}
+
+	/* Unmanaged objects */
+	while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+		setnsec3param_event = ISC_LIST_HEAD(zone->setnsec3param_queue);
+		ISC_LIST_UNLINK(zone->setnsec3param_queue, setnsec3param_event,
+				ev_link);
+		isc_event_free(&setnsec3param_event);
+	}
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_HEAD(zone->signing)) {
+		ISC_LIST_UNLINK(zone->signing, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_HEAD(zone->nsec3chain)) {
+		ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
+	for (include = ISC_LIST_HEAD(zone->includes);
+	     include != NULL;
+	     include = ISC_LIST_HEAD(zone->includes)) {
+		ISC_LIST_UNLINK(zone->includes, include, link);
+		isc_mem_free(zone->mctx, include->name);
+		isc_mem_put(zone->mctx, include, sizeof *include);
+	}
+	for (include = ISC_LIST_HEAD(zone->newincludes);
+	     include != NULL;
+	     include = ISC_LIST_HEAD(zone->newincludes)) {
+		ISC_LIST_UNLINK(zone->newincludes, include, link);
+		isc_mem_free(zone->mctx, include->name);
+		isc_mem_put(zone->mctx, include, sizeof *include);
+	}
+	if (zone->masterfile != NULL) {
+		isc_mem_free(zone->mctx, zone->masterfile);
+	}
+	zone->masterfile = NULL;
+	if (zone->keydirectory != NULL) {
+		isc_mem_free(zone->mctx, zone->keydirectory);
+	}
+	zone->keydirectory = NULL;
+	zone->journalsize = -1;
+	if (zone->journal != NULL) {
+		isc_mem_free(zone->mctx, zone->journal);
+	}
+	zone->journal = NULL;
+	if (zone->stats != NULL) {
+		isc_stats_detach(&zone->stats);
+	}
+	if (zone->requeststats != NULL) {
+		isc_stats_detach(&zone->requeststats);
+	}
+	if (zone->rcvquerystats != NULL){
+		dns_stats_detach(&zone->rcvquerystats);
+	}
+	if (zone->db != NULL) {
+		zone_detachdb(zone);
+	}
+	if (zone->acache != NULL) {
+		dns_acache_detach(&zone->acache);
+	}
+	if (zone->rpzs != NULL) {
+		REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
+		dns_rpz_detach_rpzs(&zone->rpzs);
+		zone->rpz_num = DNS_RPZ_INVALID_NUM;
+	}
+	if (zone->catzs != NULL) {
+		dns_catz_catzs_detach(&zone->catzs);
+	}
+	zone_freedbargs(zone);
+	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL,
+						  NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0) == ISC_R_SUCCESS);
+	zone->check_names = dns_severity_ignore;
+	if (zone->update_acl != NULL) {
+		dns_acl_detach(&zone->update_acl);
+	}
+	if (zone->forward_acl != NULL) {
+		dns_acl_detach(&zone->forward_acl);
+	}
+	if (zone->notify_acl != NULL) {
+		dns_acl_detach(&zone->notify_acl);
+	}
+	if (zone->query_acl != NULL) {
+		dns_acl_detach(&zone->query_acl);
+	}
+	if (zone->queryon_acl != NULL) {
+		dns_acl_detach(&zone->queryon_acl);
+	}
+	if (zone->xfr_acl != NULL) {
+		dns_acl_detach(&zone->xfr_acl);
+	}
+	if (dns_name_dynamic(&zone->origin)) {
+		dns_name_free(&zone->origin, zone->mctx);
+	}
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+	if (zone->strname != NULL) {
+		isc_mem_free(zone->mctx, zone->strname);
+	}
+	if (zone->strrdclass != NULL) {
+		isc_mem_free(zone->mctx, zone->strrdclass);
+	}
+	if (zone->strviewname != NULL) {
+		isc_mem_free(zone->mctx, zone->strviewname);
+	}
+	if (zone->ssutable != NULL) {
+		dns_ssutable_detach(&zone->ssutable);
+	}
+
+	/* last stuff */
+	ZONEDB_DESTROYLOCK(&zone->dblock);
+	DESTROYLOCK(&zone->lock);
+	isc_refcount_destroy(&zone->erefs);
+	zone->magic = 0;
+	mctx = zone->mctx;
+	isc_mem_put(mctx, zone, sizeof(*zone));
+	isc_mem_detach(&mctx);
+}
+
+/*
+ * Returns true iff this the signed side of an inline-signing zone.
+ * Caller should hold zone lock.
+ */
+static inline bool
+inline_secure(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (zone->raw != NULL)
+		return (true);
+	return (false);
+}
+
+/*
+ * Returns true iff this the unsigned side of an inline-signing zone
+ * Caller should hold zone lock.
+ */
+static inline bool
+inline_raw(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (zone->secure != NULL)
+		return (true);
+	return (false);
+}
+
+/*
+ *	Single shot.
+ */
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(rdclass != dns_rdataclass_none);
+
+	/*
+	 * Test and set.
+	 */
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	REQUIRE(zone->rdclass == dns_rdataclass_none ||
+		zone->rdclass == rdclass);
+	zone->rdclass = rdclass;
+
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	if (zone->strrdclass != NULL)
+		isc_mem_free(zone->mctx, zone->strrdclass);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
+	zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (inline_secure(zone))
+		dns_zone_setclass(zone->raw, rdclass);
+	UNLOCK_ZONE(zone);
+}
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->rdclass);
+}
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifytype = notifytype;
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_getserial2(dns_zone_t *zone, uint32_t *serialp) {
+	isc_result_t result;
+	unsigned int soacount;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(serialp != NULL);
+
+	LOCK_ZONE(zone);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		result = zone_get_from_db(zone, zone->db, NULL, &soacount,
+					  serialp, NULL, NULL, NULL, NULL,
+					  NULL);
+		if (result == ISC_R_SUCCESS && soacount == 0)
+			result = ISC_R_FAILURE;
+	} else
+		result = DNS_R_NOTLOADED;
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+uint32_t
+dns_zone_getserial(dns_zone_t *zone) {
+	isc_result_t result;
+	uint32_t serial;
+
+	result = dns_zone_getserial2(zone, &serial);
+	if (result != ISC_R_SUCCESS)
+		serial = 0; /* XXX: not really correct, but no other choice */
+
+	return (serial);
+}
+
+/*
+ *	Single shot.
+ */
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(type != dns_zone_none);
+
+	/*
+	 * Test and set.
+	 */
+	LOCK_ZONE(zone);
+	REQUIRE(zone->type == dns_zone_none || zone->type == type);
+	zone->type = type;
+
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_freedbargs(dns_zone_t *zone) {
+	unsigned int i;
+
+	/* Free the old database argument list. */
+	if (zone->db_argv != NULL) {
+		for (i = 0; i < zone->db_argc; i++)
+			isc_mem_free(zone->mctx, zone->db_argv[i]);
+		isc_mem_put(zone->mctx, zone->db_argv,
+			    zone->db_argc * sizeof(*zone->db_argv));
+	}
+	zone->db_argc = 0;
+	zone->db_argv = NULL;
+}
+
+isc_result_t
+dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
+	size_t size = 0;
+	unsigned int i;
+	isc_result_t result = ISC_R_SUCCESS;
+	void *mem;
+	char **tmp, *tmp2, *base;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(argv != NULL && *argv == NULL);
+
+	LOCK_ZONE(zone);
+	size = (zone->db_argc + 1) * sizeof(char *);
+	for (i = 0; i < zone->db_argc; i++)
+		size += strlen(zone->db_argv[i]) + 1;
+	mem = isc_mem_allocate(mctx, size);
+	if (mem != NULL) {
+		tmp = mem;
+		tmp2 = mem;
+		base = mem;
+		tmp2 += (zone->db_argc + 1) * sizeof(char *);
+		for (i = 0; i < zone->db_argc; i++) {
+			*tmp++ = tmp2;
+			strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
+			tmp2 += strlen(tmp2) + 1;
+		}
+		*tmp = NULL;
+	} else
+		result = ISC_R_NOMEMORY;
+	UNLOCK_ZONE(zone);
+	*argv = mem;
+	return (result);
+}
+
+isc_result_t
+dns_zone_setdbtype(dns_zone_t *zone,
+		   unsigned int dbargc, const char * const *dbargv)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	char **argv = NULL;
+	unsigned int i;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(dbargc >= 1);
+	REQUIRE(dbargv != NULL);
+
+	LOCK_ZONE(zone);
+
+	/* Set up a new database argument list. */
+	argv = isc_mem_get(zone->mctx, dbargc * sizeof(*argv));
+	if (argv == NULL) {
+		goto nomem;
+	}
+	for (i = 0; i < dbargc; i++) {
+		argv[i] = NULL;
+	}
+	for (i = 0; i < dbargc; i++) {
+		argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
+		if (argv[i] == NULL)
+			goto nomem;
+	}
+
+	/* Free the old list. */
+	zone_freedbargs(zone);
+
+	zone->db_argc = dbargc;
+	zone->db_argv = argv;
+	result = ISC_R_SUCCESS;
+	goto unlock;
+
+ nomem:
+	if (argv != NULL) {
+		for (i = 0; i < dbargc; i++) {
+			if (argv[i] != NULL) {
+				isc_mem_free(zone->mctx, argv[i]);
+			}
+		}
+		isc_mem_put(zone->mctx, argv, dbargc * sizeof(*argv));
+	}
+	result = ISC_R_NOMEMORY;
+
+ unlock:
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+static void
+dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
+	char namebuf[1024];
+
+	if (zone->prev_view == NULL && zone->view != NULL) {
+		dns_view_weakattach(zone->view, &zone->prev_view);
+	}
+
+	INSIST(zone != zone->raw);
+	if (zone->view != NULL) {
+		dns_view_weakdetach(&zone->view);
+	}
+	dns_view_weakattach(view, &zone->view);
+
+	if (zone->strviewname != NULL) {
+		isc_mem_free(zone->mctx, zone->strviewname);
+	}
+	if (zone->strnamerd != NULL) {
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_viewname_tostr(zone, namebuf, sizeof namebuf);
+	zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (inline_secure(zone)) {
+		dns_zone_setview(zone->raw, view);
+	}
+}
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	dns_zone_setview_helper(zone, view);
+	UNLOCK_ZONE(zone);
+}
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->view);
+}
+
+void
+dns_zone_setviewcommit(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL)
+		dns_view_weakdetach(&zone->prev_view);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL) {
+		dns_zone_setview_helper(zone, zone->prev_view);
+		dns_view_weakdetach(&zone->prev_view);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
+	isc_result_t result;
+	char namebuf[1024];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(origin != NULL);
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (dns_name_dynamic(&zone->origin)) {
+		dns_name_free(&zone->origin, zone->mctx);
+		dns_name_init(&zone->origin, NULL);
+	}
+	result = dns_name_dup(origin, zone->mctx, &zone->origin);
+
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	if (zone->strname != NULL)
+		isc_mem_free(zone->mctx, zone->strname);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_name_tostr(zone, namebuf, sizeof namebuf);
+	zone->strname = isc_mem_strdup(zone->mctx, namebuf);
+
+	if (result == ISC_R_SUCCESS && inline_secure(zone))
+		result = dns_zone_setorigin(zone->raw, origin);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+void
+dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(acache != NULL);
+
+	LOCK_ZONE(zone);
+	if (zone->acache != NULL)
+		dns_acache_detach(&zone->acache);
+	dns_acache_attach(acache, &zone->acache);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		isc_result_t result;
+
+		/*
+		 * If the zone reuses an existing DB, the DB needs to be
+		 * set in the acache explicitly.  We can safely ignore the
+		 * case where the DB is already set.  If other error happens,
+		 * the acache will not work effectively.
+		 */
+		result = dns_acache_setdb(acache, zone->db);
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dns_acache_setdb() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+}
+
+static isc_result_t
+dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
+	char *copy;
+
+	if (value != NULL) {
+		copy = isc_mem_strdup(zone->mctx, value);
+		if (copy == NULL)
+			return (ISC_R_NOMEMORY);
+	} else {
+		copy = NULL;
+	}
+
+	if (*field != NULL)
+		isc_mem_free(zone->mctx, *field);
+
+	*field = copy;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file) {
+	return (dns_zone_setfile3(zone, file, dns_masterformat_text,
+				  &dns_master_style_default));
+}
+
+isc_result_t
+dns_zone_setfile2(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format)
+{
+	return (dns_zone_setfile3(zone, file, format,
+				  &dns_master_style_default));
+}
+
+isc_result_t
+dns_zone_setfile3(dns_zone_t *zone, const char *file,
+		  dns_masterformat_t format,
+		  const dns_master_style_t *style)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->masterfile, file);
+	if (result == ISC_R_SUCCESS) {
+		zone->masterformat = format;
+		if (format == dns_masterformat_text)
+			zone->masterstyle = style;
+		result = default_journal(zone);
+	}
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getfile(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->masterfile);
+}
+
+dns_ttl_t
+dns_zone_getmaxttl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxttl);
+}
+
+void
+dns_zone_setmaxttl(dns_zone_t *zone, dns_ttl_t maxttl) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (maxttl != 0)
+		zone->options2 |= DNS_ZONEOPT2_CHECKTTL;
+	else
+		zone->options2 &= ~DNS_ZONEOPT2_CHECKTTL;
+	zone->maxttl = maxttl;
+	UNLOCK_ZONE(zone);
+
+	return;
+}
+
+static isc_result_t
+default_journal(dns_zone_t *zone) {
+	isc_result_t result;
+	char *journal;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (zone->masterfile != NULL) {
+		/* Calculate string length including '\0'. */
+		int len = strlen(zone->masterfile) + sizeof(".jnl");
+		journal = isc_mem_allocate(zone->mctx, len);
+		if (journal == NULL)
+			return (ISC_R_NOMEMORY);
+		strlcpy(journal, zone->masterfile, len);
+		strlcat(journal, ".jnl", len);
+	} else {
+		journal = NULL;
+	}
+	result = dns_zone_setstring(zone, &zone->journal, journal);
+	if (journal != NULL)
+		isc_mem_free(zone->mctx, journal);
+	return (result);
+}
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *myjournal) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->journal, myjournal);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+char *
+dns_zone_getjournal(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->journal);
+}
+
+/*
+ * Return true iff the zone is "dynamic", in the sense that the zone's
+ * master file (if any) is written by the server, rather than being
+ * updated manually and read by the server.
+ *
+ * This is true for slave zones, stub zones, key zones, and zones that
+ * allow dynamic updates either by having an update policy ("ssutable")
+ * or an "allow-update" ACL with a value other than exactly "{ none; }".
+ */
+bool
+dns_zone_isdynamic(dns_zone_t *zone, bool ignore_freeze) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->type == dns_zone_slave || zone->type == dns_zone_stub ||
+	    zone->type == dns_zone_key ||
+	    (zone->type == dns_zone_redirect && zone->masters != NULL))
+		return (true);
+
+	/* Inline zones are always dynamic. */
+	if (zone->type == dns_zone_master && zone->raw != NULL)
+		return (true);
+
+	/* If !ignore_freeze, we need check whether updates are disabled.  */
+	if (zone->type == dns_zone_master &&
+	    (!zone->update_disabled || ignore_freeze) &&
+	    ((zone->ssutable != NULL) ||
+	     (zone->update_acl != NULL && !dns_acl_isnone(zone->update_acl))))
+		return (true);
+
+	return (false);
+
+}
+
+/*
+ * Set the response policy index and information for a zone.
+ */
+isc_result_t
+dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs,
+		    dns_rpz_num_t rpz_num)
+{
+	/*
+	 * Only RBTDB zones can be used for response policy zones,
+	 * because only they have the code to load the create the summary data.
+	 * Only zones that are loaded instead of mmap()ed create the
+	 * summary data and so can be policy zones.
+	 */
+	if (strcmp(zone->db_argv[0], "rbt") != 0 &&
+	    strcmp(zone->db_argv[0], "rbt64") != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+	if (zone->masterformat == dns_masterformat_map)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	/*
+	 * This must happen only once or be redundant.
+	 */
+	LOCK_ZONE(zone);
+	if (zone->rpzs != NULL) {
+		REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num);
+	} else {
+		REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM);
+		dns_rpz_attach_rpzs(rpzs, &zone->rpzs);
+		zone->rpz_num = rpz_num;
+	}
+	rpzs->defined |= DNS_RPZ_ZBIT(rpz_num);
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+dns_rpz_num_t
+dns_zone_get_rpz_num(dns_zone_t *zone) {
+	return (zone->rpz_num);
+}
+
+/*
+ * If a zone is a response policy zone, mark its new database.
+ */
+void
+dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+	if (zone->rpz_num != DNS_RPZ_INVALID_NUM) {
+		REQUIRE(zone->rpzs != NULL);
+		dns_db_rpz_attach(db, zone->rpzs, zone->rpz_num);
+	}
+}
+
+void
+dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(catzs != NULL);
+
+	LOCK_ZONE(zone);
+	INSIST(zone->catzs == NULL || zone->catzs == catzs);
+	dns_catz_catzs_set_view(catzs, zone->view);
+	if (zone->catzs == NULL)
+		dns_catz_catzs_attach(catzs, &zone->catzs);
+	UNLOCK_ZONE(zone);
+}
+
+/*
+ * If a zone is a catalog zone, attach it to update notification in database.
+ */
+void
+dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(db != NULL);
+
+	if (zone->catzs != NULL) {
+		dns_db_updatenotify_register(db, dns_catz_dbupdate_callback,
+					     zone->catzs);
+	}
+}
+
+/*
+ * Set catalog zone ownership of the zone
+ */
+void
+dns_zone_set_parentcatz(dns_zone_t *zone, dns_catz_zone_t *catz) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(catz != NULL);
+	LOCK_ZONE(zone);
+	INSIST(zone->parentcatz == NULL || zone->parentcatz == catz);
+	zone->parentcatz = catz;
+	UNLOCK_ZONE(zone);
+}
+
+dns_catz_zone_t *
+dns_zone_get_parentcatz(const dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->parentcatz);
+}
+
+
+static bool
+zone_touched(dns_zone_t *zone) {
+	isc_result_t result;
+	isc_time_t modtime;
+	dns_include_t *include;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = isc_file_getmodtime(zone->masterfile, &modtime);
+	if (result != ISC_R_SUCCESS ||
+	    isc_time_compare(&modtime, &zone->loadtime) > 0)
+		return (true);
+
+	for (include = ISC_LIST_HEAD(zone->includes);
+	     include != NULL;
+	     include = ISC_LIST_NEXT(include, link))
+	{
+		result = isc_file_getmodtime(include->name, &modtime);
+		if (result != ISC_R_SUCCESS ||
+		    isc_time_compare(&modtime, &include->filetime) > 0)
+			return (true);
+	}
+
+	return (false);
+}
+
+/*
+ * Note: when dealing with inline-signed zones, external callers will always
+ * call zone_load() for the secure zone; zone_load() calls itself recursively
+ * in order to load the raw zone.
+ */
+static isc_result_t
+zone_load(dns_zone_t *zone, unsigned int flags, bool locked) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t loadtime;
+	dns_db_t *db = NULL;
+	bool rbt, hasraw;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!locked)
+		LOCK_ZONE(zone);
+
+	INSIST(zone != zone->raw);
+	hasraw = inline_secure(zone);
+	if (hasraw) {
+		/*
+		 * We are trying to load an inline-signed zone.  First call
+		 * self recursively to try loading the raw version of the zone.
+		 * Assuming the raw zone file is readable, there are two
+		 * possibilities:
+		 *
+		 *  a) the raw zone was not yet loaded and thus it will be
+		 *     loaded now, synchronously; if this succeeds, a
+		 *     subsequent attempt to load the signed zone file will
+		 *     take place and thus zone_postload() will be called
+		 *     twice: first for the raw zone and then for the secure
+		 *     zone; the latter call will take care of syncing the raw
+		 *     version with the secure version,
+		 *
+		 *  b) the raw zone was already loaded and we are trying to
+		 *     reload it, which will happen asynchronously; this means
+		 *     zone_postload() will only be called for the raw zone
+		 *     because "result" returned by the zone_load() call below
+		 *     will not be ISC_R_SUCCESS but rather DNS_R_CONTINUE;
+		 *     zone_postload() called for the raw zone will take care
+		 *     of syncing the raw version with the secure version.
+		 */
+		result = zone_load(zone->raw, flags, false);
+		if (result != ISC_R_SUCCESS) {
+			if (!locked)
+				UNLOCK_ZONE(zone);
+			return(result);
+		}
+		LOCK_ZONE(zone->raw);
+	}
+
+	TIME_NOW(&now);
+
+	INSIST(zone->type != dns_zone_none);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
+		if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
+		result = DNS_R_CONTINUE;
+		goto cleanup;
+	}
+
+	INSIST(zone->db_argc >= 1);
+
+	rbt = strcmp(zone->db_argv[0], "rbt") == 0 ||
+	      strcmp(zone->db_argv[0], "rbt64") == 0;
+
+	if (zone->db != NULL && zone->masterfile == NULL && rbt) {
+		/*
+		 * The zone has no master file configured.
+		 */
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	if (zone->db != NULL && dns_zone_isdynamic(zone, false)) {
+		/*
+		 * This is a slave, stub, or dynamically updated
+		 * zone being reloaded.  Do nothing - the database
+		 * we already have is guaranteed to be up-to-date.
+		 */
+		if (zone->type == dns_zone_master && !hasraw)
+			result = DNS_R_DYNAMIC;
+		else
+			result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Store the current time before the zone is loaded, so that if the
+	 * file changes between the time of the load and the time that
+	 * zone->loadtime is set, then the file will still be reloaded
+	 * the next time dns_zone_load is called.
+	 */
+	TIME_NOW(&loadtime);
+
+	/*
+	 * Don't do the load if the file that stores the zone is older
+	 * than the last time the zone was loaded.  If the zone has not
+	 * been loaded yet, zone->loadtime will be the epoch.
+	 */
+	if (zone->masterfile != NULL) {
+		isc_time_t filetime;
+
+		/*
+		 * The file is already loaded.	If we are just doing a
+		 * "rndc reconfig", we are done.
+		 */
+		if (!isc_time_isepoch(&zone->loadtime) &&
+		    (flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    !zone_touched(zone))
+		{
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "skipping load: master file "
+				     "older than last load");
+			result = DNS_R_UPTODATE;
+			goto cleanup;
+		}
+
+		/*
+		 * If the file modification time is in the past
+		 * set loadtime to that value.
+		 */
+		result = isc_file_getmodtime(zone->masterfile, &filetime);
+		if (result == ISC_R_SUCCESS &&
+		    isc_time_compare(&loadtime, &filetime) > 0)
+			loadtime = filetime;
+	}
+
+	/*
+	 * Built in zones (with the exception of empty zones) don't need
+	 * to be reloaded.
+	 */
+	if (zone->type == dns_zone_master &&
+	    strcmp(zone->db_argv[0], "_builtin") == 0 &&
+	    (zone->db_argc < 2 || strcmp(zone->db_argv[1], "empty") != 0) &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Zones associated with a DLZ don't need to be loaded either,
+	 * but we need to associate the database with the zone object.
+	 */
+	if (strcmp(zone->db_argv[0], "dlz") == 0) {
+		dns_dlzdb_t *dlzdb;
+		dns_dlzfindzone_t findzone;
+
+		for (dlzdb = ISC_LIST_HEAD(zone->view->dlz_unsearched);
+		     dlzdb != NULL;
+		     dlzdb = ISC_LIST_NEXT(dlzdb, link))
+		{
+			INSIST(DNS_DLZ_VALID(dlzdb));
+			if (strcmp(zone->db_argv[1], dlzdb->dlzname) == 0)
+				break;
+		}
+
+		if (dlzdb == NULL) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "DLZ %s does not exist or is set "
+				     "to 'search yes;'", zone->db_argv[1]);
+			result = ISC_R_NOTFOUND;
+			goto cleanup;
+		}
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+		/* ask SDLZ driver if the zone is supported */
+		findzone = dlzdb->implementation->methods->findzone;
+		result = (*findzone)(dlzdb->implementation->driverarg,
+				     dlzdb->dbdata, dlzdb->mctx,
+				     zone->view->rdclass, &zone->origin,
+				     NULL, NULL, &db);
+		if (result != ISC_R_NOTFOUND) {
+			if (zone->db != NULL)
+				zone_detachdb(zone);
+			zone_attachdb(zone, db);
+			dns_db_detach(&db);
+			result = ISC_R_SUCCESS;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+
+		if (result == ISC_R_SUCCESS) {
+			if (dlzdb->configure_callback == NULL)
+				goto cleanup;
+
+			result = (*dlzdb->configure_callback)(zone->view,
+							      dlzdb, zone);
+			if (result != ISC_R_SUCCESS)
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "DLZ configuration callback: %s",
+					     isc_result_totext(result));
+		}
+		goto cleanup;
+	}
+
+	if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub ||
+	     (zone->type == dns_zone_redirect && zone->masters != NULL)) &&
+	    rbt) {
+		if (zone->masterfile == NULL ||
+		    !isc_file_exists(zone->masterfile)) {
+			if (zone->masterfile != NULL) {
+				dns_zone_log(zone, ISC_LOG_DEBUG(1),
+					     "no master file");
+			}
+			zone->refreshtime = now;
+			if (zone->task != NULL)
+				zone_settimer(zone, &now);
+			result = ISC_R_SUCCESS;
+			goto cleanup;
+		}
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
+
+	result = dns_db_create(zone->mctx, zone->db_argv[0],
+			       &zone->origin, (zone->type == dns_zone_stub) ?
+			       dns_dbtype_stub : dns_dbtype_zone,
+			       zone->rdclass,
+			       zone->db_argc - 1, zone->db_argv + 1,
+			       &db);
+
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "loading zone: creating database: %s",
+			     isc_result_totext(result));
+		goto cleanup;
+	}
+	dns_db_settask(db, zone->task);
+
+	if (! dns_db_ispersistent(db)) {
+		if (zone->masterfile != NULL) {
+			result = zone_startload(db, zone, loadtime);
+		} else {
+			result = DNS_R_NOMASTERFILE;
+			if (zone->type == dns_zone_master ||
+			    (zone->type == dns_zone_redirect &&
+			     zone->masters == NULL)) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "loading zone: "
+					     "no master file configured");
+				goto cleanup;
+			}
+			dns_zone_log(zone, ISC_LOG_INFO, "loading zone: "
+				     "no master file configured: continuing");
+		}
+	}
+
+	if (result == DNS_R_CONTINUE) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
+		if ((flags & DNS_ZONELOADFLAG_THAW) != 0)
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_THAW);
+		goto cleanup;
+	}
+
+	result = zone_postload(zone, db, loadtime, result);
+
+ cleanup:
+	if (hasraw)
+		UNLOCK_ZONE(zone->raw);
+	if (!locked)
+		UNLOCK_ZONE(zone);
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone) {
+	return (zone_load(zone, 0, false));
+}
+
+isc_result_t
+dns_zone_loadnew(dns_zone_t *zone) {
+	return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT, false));
+}
+
+static void
+zone_asyncload(isc_task_t *task, isc_event_t *event) {
+	dns_asyncload_t *asl = event->ev_arg;
+	dns_zone_t *zone = asl->zone;
+	isc_result_t result;
+
+	UNUSED(task);
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	isc_event_free(&event);
+
+	LOCK_ZONE(zone);
+	result = zone_load(zone, asl->newonly ? DNS_ZONELOADFLAG_NOSTAT : 0,
+			   true);
+	if (result != DNS_R_CONTINUE) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	}
+	UNLOCK_ZONE(zone);
+
+	/* Inform the zone table we've finished loading */
+	if (asl->loaded != NULL)
+		(asl->loaded)(asl->loaded_arg, zone, task);
+
+	isc_mem_put(zone->mctx, asl, sizeof (*asl));
+	dns_zone_idetach(&zone);
+}
+
+isc_result_t
+dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg) {
+	return (dns_zone_asyncload2(zone, done, arg, false));
+}
+
+isc_result_t
+dns_zone_asyncload2(dns_zone_t *zone, dns_zt_zoneloaded_t done, void * arg,
+		    bool newonly)
+{
+	isc_event_t *e;
+	dns_asyncload_t *asl = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->zmgr == NULL)
+		return (ISC_R_FAILURE);
+
+	/* If we already have a load pending, stop now */
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
+		UNLOCK_ZONE(zone);
+		return (ISC_R_ALREADYRUNNING);
+	}
+
+	asl = isc_mem_get(zone->mctx, sizeof (*asl));
+	if (asl == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	asl->zone = NULL;
+	asl->loaded = done;
+	asl->loaded_arg = arg;
+	asl->newonly = newonly;
+
+	e = isc_event_allocate(zone->zmgr->mctx, zone->zmgr,
+			       DNS_EVENT_ZONELOAD,
+			       zone_asyncload, asl,
+			       sizeof(isc_event_t));
+	if (e == NULL)
+		CHECK(ISC_R_NOMEMORY);
+
+	zone_iattach(zone, &asl->zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	isc_task_send(zone->loadtask, &e);
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+
+  failure:
+	if (asl != NULL)
+		isc_mem_put(zone->mctx, asl, sizeof (*asl));
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+bool
+dns__zone_loadpending(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
+}
+
+isc_result_t
+dns_zone_loadandthaw(dns_zone_t *zone) {
+	isc_result_t result;
+
+	if (inline_raw(zone))
+		result = zone_load(zone->secure, DNS_ZONELOADFLAG_THAW,
+				   false);
+	else
+		result = zone_load(zone, DNS_ZONELOADFLAG_THAW, false);
+
+	switch (result) {
+	case DNS_R_CONTINUE:
+		/* Deferred thaw. */
+		break;
+	case DNS_R_UPTODATE:
+	case ISC_R_SUCCESS:
+	case DNS_R_SEENINCLUDE:
+		zone->update_disabled = false;
+		break;
+	case DNS_R_NOMASTERFILE:
+		zone->update_disabled = false;
+		break;
+	default:
+		/* Error, remain in disabled state. */
+		break;
+	}
+	return (result);
+}
+
+static unsigned int
+get_master_options(dns_zone_t *zone) {
+	unsigned int options;
+
+	options = DNS_MASTER_ZONE | DNS_MASTER_RESIGN;
+	if (zone->type == dns_zone_slave ||
+	    (zone->type == dns_zone_redirect && zone->masters == NULL))
+		options |= DNS_MASTER_SLAVE;
+	if (zone->type == dns_zone_key)
+		options |= DNS_MASTER_KEY;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
+		options |= DNS_MASTER_CHECKNS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
+		options |= DNS_MASTER_FATALNS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+		options |= DNS_MASTER_CHECKNAMES;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+		options |= DNS_MASTER_CHECKNAMESFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
+		options |= DNS_MASTER_CHECKMX;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+		options |= DNS_MASTER_CHECKMXFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;
+	if (DNS_ZONE_OPTION2(zone, DNS_ZONEOPT2_CHECKTTL))
+		options |= DNS_MASTER_CHECKTTL;
+	return (options);
+}
+
+static void
+zone_registerinclude(const char *filename, void *arg) {
+	isc_result_t result;
+	dns_zone_t *zone = (dns_zone_t *) arg;
+	dns_include_t *inc = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (filename == NULL)
+		return;
+
+	/*
+	 * Suppress duplicates.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->newincludes);
+	     inc != NULL;
+	     inc = ISC_LIST_NEXT(inc, link))
+		if (strcmp(filename, inc->name) == 0)
+			return;
+
+	inc = isc_mem_get(zone->mctx, sizeof(dns_include_t));
+	if (inc == NULL)
+		return;
+	inc->name = isc_mem_strdup(zone->mctx, filename);
+	if (inc->name == NULL) {
+		isc_mem_put(zone->mctx, inc, sizeof(dns_include_t));
+		return;
+	}
+	ISC_LINK_INIT(inc, link);
+
+	result = isc_file_getmodtime(filename, &inc->filetime);
+	if (result != ISC_R_SUCCESS)
+		isc_time_settoepoch(&inc->filetime);
+
+	ISC_LIST_APPEND(zone->newincludes, inc, link);
+}
+
+static void
+zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
+	dns_load_t *load = event->ev_arg;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int options;
+
+	REQUIRE(DNS_LOAD_VALID(load));
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
+		result = ISC_R_CANCELED;
+	isc_event_free(&event);
+	if (result == ISC_R_CANCELED)
+		goto fail;
+
+	options = get_master_options(load->zone);
+
+	result = dns_master_loadfileinc5(load->zone->masterfile,
+					 dns_db_origin(load->db),
+					 dns_db_origin(load->db),
+					 load->zone->rdclass, options, 0,
+					 &load->callbacks, task,
+					 zone_loaddone, load,
+					 &load->zone->lctx,
+					 zone_registerinclude,
+					 load->zone, load->zone->mctx,
+					 load->zone->masterformat,
+					 load->zone->maxttl);
+	if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
+	    result != DNS_R_SEENINCLUDE)
+		goto fail;
+	return;
+
+ fail:
+	zone_loaddone(load, result);
+}
+
+static void
+get_raw_serial(dns_zone_t *raw, dns_masterrawheader_t *rawdata) {
+	isc_result_t result;
+	unsigned int soacount;
+
+	LOCK(&raw->lock);
+	if (raw->db != NULL) {
+		result = zone_get_from_db(raw, raw->db, NULL, &soacount,
+					  &rawdata->sourceserial,
+					  NULL, NULL, NULL, NULL,
+					  NULL);
+		if (result == ISC_R_SUCCESS && soacount > 0U)
+			rawdata->flags |= DNS_MASTERRAW_SOURCESERIALSET;
+	}
+	UNLOCK(&raw->lock);
+}
+
+static void
+zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "zone_gotwritehandle";
+	dns_zone_t *zone = event->ev_arg;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
+	dns_masterrawheader_t rawdata;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	INSIST(task == zone->task);
+	ENTER;
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
+		result = ISC_R_CANCELED;
+	isc_event_free(&event);
+	if (result == ISC_R_CANCELED)
+		goto fail;
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		const dns_master_style_t *output_style;
+
+		dns_db_currentversion(zone->db, &version);
+		dns_master_initrawheader(&rawdata);
+		if (inline_secure(zone))
+			get_raw_serial(zone->raw, &rawdata);
+		if (zone->type == dns_zone_key)
+			output_style = &dns_master_style_keyzone;
+		else if (zone->masterstyle != NULL)
+			output_style = zone->masterstyle;
+		else
+			output_style = &dns_master_style_default;
+		result = dns_master_dumpinc3(zone->mctx, zone->db, version,
+					     output_style, zone->masterfile,
+					     zone->task, dump_done, zone,						     &zone->dctx, zone->masterformat,
+					     &rawdata);
+		dns_db_closeversion(zone->db, &version, false);
+	} else
+		result = ISC_R_CANCELED;
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+	if (result != DNS_R_CONTINUE)
+		goto fail;
+	return;
+
+ fail:
+	dump_done(zone, result);
+}
+
+/*
+ * Save the raw serial number for inline-signing zones.
+ * (XXX: Other information from the header will be used
+ * for other purposes in the future, but for now this is
+ * all we're interested in.)
+ */
+static void
+zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
+	if ((header->flags & DNS_MASTERRAW_SOURCESERIALSET) == 0)
+		return;
+
+	zone->sourceserial = header->sourceserial;
+	zone->sourceserialset = true;
+}
+
+void
+dns_zone_setrawdata(dns_zone_t *zone, dns_masterrawheader_t *header) {
+	if (zone == NULL)
+		return;
+
+	LOCK_ZONE(zone);
+	zone_setrawdata(zone, header);
+	UNLOCK_ZONE(zone);
+}
+
+static isc_result_t
+zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
+	dns_load_t *load;
+	isc_result_t result;
+	isc_result_t tresult;
+	unsigned int options;
+
+	dns_zone_rpz_enable_db(zone, db);
+	dns_zone_catz_enable_db(zone, db);
+	options = get_master_options(zone);
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
+		options |= DNS_MASTER_MANYERRORS;
+
+	if (zone->zmgr != NULL && zone->db != NULL && zone->loadtask != NULL) {
+		load = isc_mem_get(zone->mctx, sizeof(*load));
+		if (load == NULL)
+			return (ISC_R_NOMEMORY);
+
+		load->mctx = NULL;
+		load->zone = NULL;
+		load->db = NULL;
+		load->loadtime = loadtime;
+		load->magic = LOAD_MAGIC;
+
+		isc_mem_attach(zone->mctx, &load->mctx);
+		zone_iattach(zone, &load->zone);
+		dns_db_attach(db, &load->db);
+		dns_rdatacallbacks_init(&load->callbacks);
+		load->callbacks.rawdata = zone_setrawdata;
+		zone_iattach(zone, &load->callbacks.zone);
+		result = dns_db_beginload(db, &load->callbacks);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		result = zonemgr_getio(zone->zmgr, true, zone->loadtask,
+				       zone_gotreadhandle, load,
+				       &zone->readio);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We can't report multiple errors so ignore
+			 * the result of dns_db_endload().
+			 */
+			(void)dns_db_endload(load->db, &load->callbacks);
+			goto cleanup;
+		} else
+			result = DNS_R_CONTINUE;
+	} else {
+		dns_rdatacallbacks_t callbacks;
+
+		dns_rdatacallbacks_init(&callbacks);
+		callbacks.rawdata = zone_setrawdata;
+		zone_iattach(zone, &callbacks.zone);
+		result = dns_db_beginload(db, &callbacks);
+		if (result != ISC_R_SUCCESS) {
+			zone_idetach(&callbacks.zone);
+			return (result);
+		}
+		result = dns_master_loadfile5(zone->masterfile,
+					      &zone->origin, &zone->origin,
+					      zone->rdclass, options, 0,
+					      &callbacks,
+					      zone_registerinclude,
+					      zone, zone->mctx,
+					      zone->masterformat,
+					      zone->maxttl);
+		tresult = dns_db_endload(db, &callbacks);
+		if (result == ISC_R_SUCCESS)
+			result = tresult;
+		zone_idetach(&callbacks.zone);
+	}
+
+	return (result);
+
+ cleanup:
+	load->magic = 0;
+	dns_db_detach(&load->db);
+	zone_idetach(&load->zone);
+	zone_idetach(&load->callbacks.zone);
+	isc_mem_detach(&load->mctx);
+	isc_mem_put(zone->mctx, load, sizeof(*load));
+	return (result);
+}
+
+static bool
+zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	      dns_name_t *owner)
+{
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	/*
+	 * "." means the services does not exist.
+	 */
+	if (dns_name_equal(name, dns_rootname))
+		return (true);
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkmx != NULL)
+			return ((zone->checkmx)(zone, name, owner));
+		return (true);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (true);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (true);
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+			level = ISC_LOG_WARNING;
+		dns_zone_log(zone, level,
+			     "%s/MX '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			dns_zone_log(zone, level,
+				     "%s/MX '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNMXCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNOREMXCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level, "%s/MX '%s' is below a DNAME"
+				     " '%s' (illegal)", ownerbuf, namebuf,
+				     altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (zone->checkmx != NULL && result == DNS_R_DELEGATION)
+		return ((zone->checkmx)(zone, name, owner));
+
+	return (true);
+}
+
+static bool
+zone_check_srv(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+	       dns_name_t *owner)
+{
+	isc_result_t result;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	/*
+	 * "." means the services does not exist.
+	 */
+	if (dns_name_equal(name, dns_rootname))
+		return (true);
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checksrv != NULL)
+			return ((zone->checksrv)(zone, name, owner));
+		return (true);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (true);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (true);
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		dns_zone_log(zone, level,
+			     "%s/SRV '%s' has no address records (A or AAAA)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		return (true);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			dns_zone_log(zone, level,
+				     "%s/SRV '%s' is a CNAME (illegal)",
+				     ownerbuf, namebuf);
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_WARNSRVCNAME) ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME))
+			level = ISC_LOG_WARNING;
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IGNORESRVCNAME)) {
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level, "%s/SRV '%s' is below a "
+				     "DNAME '%s' (illegal)", ownerbuf, namebuf,
+				     altbuf);
+		}
+		return ((level == ISC_LOG_WARNING) ? true : false);
+	}
+
+	if (zone->checksrv != NULL && result == DNS_R_DELEGATION)
+		return ((zone->checksrv)(zone, name, owner));
+
+	return (true);
+}
+
+static bool
+zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
+		dns_name_t *owner)
+{
+	bool answer = true;
+	isc_result_t result, tresult;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	dns_rdataset_t a;
+	dns_rdataset_t aaaa;
+	int level;
+
+	/*
+	 * Outside of zone.
+	 */
+	if (!dns_name_issubdomain(name, &zone->origin)) {
+		if (zone->checkns != NULL)
+			return ((zone->checkns)(zone, name, owner, NULL, NULL));
+		return (true);
+	}
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	foundname = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&a);
+	dns_rdataset_init(&aaaa);
+
+	/*
+	 * Perform a regular lookup to catch DNAME records then look
+	 * for glue.
+	 */
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, &a, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+		break;
+	default:
+		if (dns_rdataset_isassociated(&a))
+			dns_rdataset_disassociate(&a);
+		result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+				     DNS_DBFIND_GLUEOK, 0, NULL,
+				     foundname, &a, NULL);
+	}
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&a);
+		return (true);
+	} else if (result == DNS_R_DELEGATION)
+		dns_rdataset_disassociate(&a);
+
+	if (result == DNS_R_NXRRSET || result == DNS_R_DELEGATION ||
+	    result == DNS_R_GLUE) {
+		tresult = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     DNS_DBFIND_GLUEOK, 0, NULL,
+				     foundname, &aaaa, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			if (dns_rdataset_isassociated(&a))
+				dns_rdataset_disassociate(&a);
+			dns_rdataset_disassociate(&aaaa);
+			return (true);
+		}
+		if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME)
+			dns_rdataset_disassociate(&aaaa);
+		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
+			/*
+			 * Check glue against child zone.
+			 */
+			if (zone->checkns != NULL)
+				answer = (zone->checkns)(zone, name, owner,
+							 &a, &aaaa);
+			if (dns_rdataset_isassociated(&a))
+				dns_rdataset_disassociate(&a);
+			if (dns_rdataset_isassociated(&aaaa))
+				dns_rdataset_disassociate(&aaaa);
+			return (answer);
+		}
+	}
+
+	dns_name_format(owner, ownerbuf, sizeof ownerbuf);
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME || result == DNS_R_DELEGATION) {
+		const char *what;
+		bool required = false;
+		if (dns_name_issubdomain(name, owner)) {
+			what = "REQUIRED GLUE ";
+			required = true;
+		 } else if (result == DNS_R_DELEGATION)
+			what = "SIBLING GLUE ";
+		else
+			what = "";
+
+		if (result != DNS_R_DELEGATION || required ||
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSIBLING)) {
+			dns_zone_log(zone, level, "%s/NS '%s' has no %s"
+				     "address records (A or AAAA)",
+				     ownerbuf, namebuf, what);
+			/*
+			 * Log missing address record.
+			 */
+			if (result == DNS_R_DELEGATION && zone->checkns != NULL)
+				(void)(zone->checkns)(zone, name, owner,
+						      &a, &aaaa);
+			/* XXX950 make fatal for 9.5.0. */
+			/* answer = false; */
+		}
+	} else if (result == DNS_R_CNAME) {
+		dns_zone_log(zone, level, "%s/NS '%s' is a CNAME (illegal)",
+			     ownerbuf, namebuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = false; */
+	} else if (result == DNS_R_DNAME) {
+		dns_name_format(foundname, altbuf, sizeof altbuf);
+		dns_zone_log(zone, level,
+			     "%s/NS '%s' is below a DNAME '%s' (illegal)",
+			     ownerbuf, namebuf, altbuf);
+		/* XXX950 make fatal for 9.5.0. */
+		/* answer = false; */
+	}
+
+	if (dns_rdataset_isassociated(&a))
+		dns_rdataset_disassociate(&a);
+	if (dns_rdataset_isassociated(&aaaa))
+		dns_rdataset_disassociate(&aaaa);
+	return (answer);
+}
+
+static bool
+zone_rrset_check_dup(dns_zone_t *zone, dns_name_t *owner,
+		     dns_rdataset_t *rdataset)
+{
+	dns_rdataset_t tmprdataset;
+	isc_result_t result;
+	bool answer = true;
+	bool format = true;
+	int level = ISC_LOG_WARNING;
+	char ownerbuf[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	unsigned int count1 = 0;
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRRFAIL))
+		level = ISC_LOG_ERROR;
+
+	dns_rdataset_init(&tmprdataset);
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_t rdata1 = DNS_RDATA_INIT;
+		unsigned int count2 = 0;
+
+		count1++;
+		dns_rdataset_current(rdataset, &rdata1);
+		dns_rdataset_clone(rdataset, &tmprdataset);
+		for (result = dns_rdataset_first(&tmprdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&tmprdataset)) {
+			dns_rdata_t rdata2 = DNS_RDATA_INIT;
+			count2++;
+			if (count1 >= count2)
+				continue;
+			dns_rdataset_current(&tmprdataset, &rdata2);
+			if (dns_rdata_casecompare(&rdata1, &rdata2) == 0) {
+				if (format) {
+					dns_name_format(owner, ownerbuf,
+							sizeof ownerbuf);
+					dns_rdatatype_format(rdata1.type,
+							     typebuf,
+							     sizeof(typebuf));
+					format = false;
+				}
+				dns_zone_log(zone, level, "%s/%s has "
+					     "semantically identical records",
+					     ownerbuf, typebuf);
+				if (level == ISC_LOG_ERROR)
+					answer = false;
+				break;
+			}
+		}
+		dns_rdataset_disassociate(&tmprdataset);
+		if (!format)
+			break;
+	}
+	return (answer);
+}
+
+static bool
+zone_check_dup(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *rdsit = NULL;
+	bool ok = true;
+	isc_result_t result;
+
+	name = dns_fixedname_initname(&fixed);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_createiterator(db, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS)
+		return (true);
+
+	for (result = dns_dbiterator_first(dbiterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiterator)) {
+		result = dns_dbiterator_current(dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		result = dns_db_allrdatasets(db, node, NULL, 0, &rdsit);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		for (result = dns_rdatasetiter_first(rdsit);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsit)) {
+			dns_rdatasetiter_current(rdsit, &rdataset);
+			if (!zone_rrset_check_dup(zone, name, &rdataset))
+				ok = false;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&rdsit);
+		dns_db_detachnode(db, &node);
+	}
+
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	dns_dbiterator_destroy(&dbiterator);
+
+	return (ok);
+}
+
+static bool
+isspf(const dns_rdata_t *rdata) {
+	char buf[1024];
+	const unsigned char *data = rdata->data;
+	unsigned int rdl = rdata->length, i = 0, tl, len;
+
+	while (rdl > 0U) {
+		len = tl = *data;
+		++data;
+		--rdl;
+		INSIST(tl <= rdl);
+		if (len > sizeof(buf) - i - 1)
+			len = sizeof(buf) - i - 1;
+		memmove(buf + i, data, len);
+		i += len;
+		data += tl;
+		rdl -= tl;
+	}
+
+	if (i < 6U)
+		return(false);
+
+	buf[i] = 0;
+	if (strncmp(buf, "v=spf1", 6) == 0 && (buf[6] == 0 || buf[6] == ' '))
+		return (true);
+	return (false);
+}
+
+static bool
+integrity_checks(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fixedbottom;
+	dns_rdata_mx_t mx;
+	dns_rdata_ns_t ns;
+	dns_rdata_in_srv_t srv;
+	dns_rdata_t rdata;
+	dns_name_t *name;
+	dns_name_t *bottom;
+	isc_result_t result;
+	bool ok = true, have_spf, have_txt;
+
+	name = dns_fixedname_initname(&fixed);
+	bottom = dns_fixedname_initname(&fixedbottom);
+	dns_rdataset_init(&rdataset);
+	dns_rdata_init(&rdata);
+
+	result = dns_db_createiterator(db, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS)
+		return (true);
+
+	result = dns_dbiterator_first(dbiterator);
+	while (result == ISC_R_SUCCESS) {
+		result = dns_dbiterator_current(dbiterator, &node, name);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		/*
+		 * Is this name visible in the zone?
+		 */
+		if (!dns_name_issubdomain(name, &zone->origin) ||
+		    (dns_name_countlabels(bottom) > 0 &&
+		     dns_name_issubdomain(name, bottom)))
+			goto next;
+
+		/*
+		 * Don't check the NS records at the origin.
+		 */
+		if (dns_name_equal(name, &zone->origin))
+			goto checkfordname;
+
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto checkfordname;
+		/*
+		 * Remember bottom of zone due to NS.
+		 */
+		dns_name_copy(name, bottom, NULL);
+
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_glue(zone, db, &ns.name, name))
+				ok = false;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		goto next;
+
+ checkfordname:
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_dname, 0, 0,
+					     &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Remember bottom of zone due to DNAME.
+			 */
+			dns_name_copy(name, bottom, NULL);
+			dns_rdataset_disassociate(&rdataset);
+		}
+
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto checksrv;
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &mx, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_mx(zone, db, &mx.mx, name))
+				ok = false;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ checksrv:
+		if (zone->rdclass != dns_rdataclass_in)
+			goto next;
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_srv,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto checkspf;
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &srv, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (!zone_check_srv(zone, db, &srv.target, name))
+				ok = false;
+			dns_rdata_reset(&rdata);
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ checkspf:
+		/*
+		 * Check if there is a type SPF record without an
+		 * SPF-formatted type TXT record also being present.
+		 */
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF))
+			goto next;
+		if (zone->rdclass != dns_rdataclass_in)
+			goto next;
+		have_spf = have_txt = false;
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_spf,
+					     0, 0, &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&rdataset);
+			have_spf = true;
+		}
+		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_txt,
+					     0, 0, &rdataset, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto notxt;
+		result = dns_rdataset_first(&rdataset);
+		while (result == ISC_R_SUCCESS) {
+			dns_rdataset_current(&rdataset, &rdata);
+			have_txt = isspf(&rdata);
+			dns_rdata_reset(&rdata);
+			if (have_txt)
+				break;
+			result = dns_rdataset_next(&rdataset);
+		}
+		dns_rdataset_disassociate(&rdataset);
+
+ notxt:
+		if (have_spf && !have_txt) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(name, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found type "
+				     "SPF record but no SPF TXT record found, "
+				     "add matching type TXT record", namebuf);
+		}
+
+ next:
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiterator);
+	}
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	dns_dbiterator_destroy(&dbiterator);
+
+	return (ok);
+}
+
+/*
+ * OpenSSL verification of RSA keys with exponent 3 is known to be
+ * broken prior OpenSSL 0.9.8c/0.9.7k.	Look for such keys and warn
+ * if they are in use.
+ */
+static void
+zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	bool logit, foundrsa = false, foundmd5 = false;
+	const char *algorithm;
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+
+		if ((dnskey.algorithm == DST_ALG_RSASHA1 ||
+		     dnskey.algorithm == DST_ALG_RSAMD5) &&
+		     dnskey.datalen > 1 && dnskey.data[0] == 1 &&
+		     dnskey.data[1] == 3)
+		{
+			if (dnskey.algorithm == DST_ALG_RSASHA1) {
+				logit = !foundrsa;
+				foundrsa = true;
+				algorithm = "RSASHA1";
+			} else {
+				logit = !foundmd5;
+				foundmd5 = true;
+				algorithm = "RSAMD5";
+			}
+			if (logit)
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "weak %s (%u) key found "
+					     "(exponent=3)", algorithm,
+					     dnskey.algorithm);
+			if (foundrsa && foundmd5)
+				break;
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (version != NULL)
+		dns_db_closeversion(db, &version, false);
+}
+
+static void
+resume_signingwithkey(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		goto cleanup;
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version,
+				     zone->privatetype,
+				     dns_rdatatype_none, 0,
+				     &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		if (rdata.length != 5 ||
+		    rdata.data[0] == 0 || rdata.data[4] != 0) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		result = zone_signwithkey(zone, rdata.data[0],
+					  (rdata.data[1] << 8) | rdata.data[2],
+					  rdata.data[3]);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_signwithkey failed: %s",
+				     dns_result_totext(result));
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+	if (db != NULL) {
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (version != NULL)
+			dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	}
+}
+
+/*
+ * Initiate adding/removing NSEC3 records belonging to the chain defined by the
+ * supplied NSEC3PARAM RDATA.
+ *
+ * Zone must be locked by caller.
+ */
+static isc_result_t
+zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	dns_nsec3chain_t *nsec3chain, *current;
+	dns_dbversion_t *version = NULL;
+	bool nseconly = false, nsec3ok = false;
+	isc_result_t result;
+	isc_time_t now;
+	unsigned int options = 0;
+	char saltbuf[255*2+1];
+	char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
+	dns_db_t *db = NULL;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (db == NULL) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * If this zone is not NSEC3-capable, attempting to remove any NSEC3
+	 * chain from it is pointless as it would not be possible for the
+	 * latter to exist in the first place.
+	 */
+	dns_db_currentversion(db, &version);
+	result = dns_nsec_nseconly(db, version, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+	dns_db_closeversion(db, &version, false);
+	if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+
+	/*
+	 * Allocate and initialize structure preserving state of
+	 * adding/removing records belonging to this NSEC3 chain between
+	 * separate zone_nsec3chain() calls.
+	 */
+	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
+	if (nsec3chain == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
+	nsec3chain->magic = 0;
+	nsec3chain->done = false;
+	nsec3chain->db = NULL;
+	nsec3chain->dbiterator = NULL;
+	nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
+	nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
+	nsec3chain->nsec3param.hash = nsec3param->hash;
+	nsec3chain->nsec3param.iterations = nsec3param->iterations;
+	nsec3chain->nsec3param.flags = nsec3param->flags;
+	nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
+	memmove(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
+	nsec3chain->nsec3param.salt = nsec3chain->salt;
+	nsec3chain->seen_nsec = false;
+	nsec3chain->delete_nsec = false;
+	nsec3chain->save_delete_nsec = false;
+
+	/*
+	 * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
+	 */
+	if (nsec3param->flags == 0)
+		strlcpy(flags, "NONE", sizeof(flags));
+	else {
+		flags[0] = '\0';
+		if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
+			strlcat(flags, "REMOVE", sizeof(flags));
+		if (nsec3param->flags & DNS_NSEC3FLAG_INITIAL) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "INITIAL", sizeof(flags));
+			else
+				strlcat(flags, "|INITIAL", sizeof(flags));
+		}
+		if (nsec3param->flags & DNS_NSEC3FLAG_CREATE) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "CREATE", sizeof(flags));
+			else
+				strlcat(flags, "|CREATE", sizeof(flags));
+		}
+		if (nsec3param->flags & DNS_NSEC3FLAG_NONSEC) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "NONSEC", sizeof(flags));
+			else
+				strlcat(flags, "|NONSEC", sizeof(flags));
+		}
+		if (nsec3param->flags & DNS_NSEC3FLAG_OPTOUT) {
+			if (flags[0] == '\0')
+				strlcpy(flags, "OPTOUT", sizeof(flags));
+			else
+				strlcat(flags, "|OPTOUT", sizeof(flags));
+		}
+	}
+	result = dns_nsec3param_salttotext(nsec3param, saltbuf,
+					   sizeof(saltbuf));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_zone_log(zone, ISC_LOG_INFO,
+		     "zone_addnsec3chain(%u,%s,%u,%s)",
+		      nsec3param->hash, flags, nsec3param->iterations,
+		      saltbuf);
+
+	/*
+	 * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
+	 * currently being processed, interrupt its processing to avoid
+	 * simultaneously adding and removing records for the same NSEC3 chain.
+	 */
+	for (current = ISC_LIST_HEAD(zone->nsec3chain);
+	     current != NULL;
+	     current = ISC_LIST_NEXT(current, link)) {
+		if (current->db == db &&
+		    current->nsec3param.hash == nsec3param->hash &&
+		    current->nsec3param.iterations == nsec3param->iterations &&
+		    current->nsec3param.salt_length == nsec3param->salt_length
+		    && !memcmp(current->nsec3param.salt, nsec3param->salt,
+			       nsec3param->salt_length))
+			current->done = true;
+	}
+
+	/*
+	 * Attach zone database to the structure initialized above and create
+	 * an iterator for it with appropriate options in order to avoid
+	 * creating NSEC3 records for NSEC3 records.
+	 */
+	dns_db_attach(db, &nsec3chain->db);
+	if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
+		options = DNS_DB_NONSEC3;
+	result = dns_db_createiterator(nsec3chain->db, options,
+				       &nsec3chain->dbiterator);
+	if (result == ISC_R_SUCCESS)
+		result = dns_dbiterator_first(nsec3chain->dbiterator);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Database iterator initialization succeeded.  We are now
+		 * ready to kick off adding/removing records belonging to this
+		 * NSEC3 chain.  Append the structure initialized above to the
+		 * "nsec3chain" list for the zone and set the appropriate zone
+		 * timer so that zone_nsec3chain() is called as soon as
+		 * possible.
+		 */
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		ISC_LIST_INITANDAPPEND(zone->nsec3chain,
+				       nsec3chain, link);
+		nsec3chain = NULL;
+		if (isc_time_isepoch(&zone->nsec3chaintime)) {
+			TIME_NOW(&now);
+			zone->nsec3chaintime = now;
+			if (zone->task != NULL)
+				zone_settimer(zone, &now);
+		}
+	}
+
+	if (nsec3chain != NULL) {
+		if (nsec3chain->db != NULL)
+			dns_db_detach(&nsec3chain->db);
+		if (nsec3chain->dbiterator != NULL)
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
+
+ cleanup:
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
+/*
+ * Find private-type records at the zone apex which signal that an NSEC3 chain
+ * should be added or removed.  For each such record, extract NSEC3PARAM RDATA
+ * and pass it to zone_addnsec3chain().
+ *
+ * Zone must be locked by caller.
+ */
+static void
+resume_addnsec3chain(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	dns_rdata_nsec3param_t nsec3param;
+	bool nseconly = false, nsec3ok = false;
+	dns_db_t *db = NULL;
+
+	INSIST(LOCKED_ZONE(zone));
+
+	if (zone->privatetype == 0)
+		return;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		goto cleanup;
+
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(db, &version);
+
+	/*
+	 * In order to create NSEC3 chains we need the DNSKEY RRset at zone
+	 * apex to exist and contain no keys using NSEC-only algorithms.
+	 */
+	result = dns_nsec_nseconly(db, version, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+
+	/*
+	 * Get the RRset containing all private-type records at the zone apex.
+	 */
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version,
+				     zone->privatetype, dns_rdatatype_none,
+				     0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto cleanup;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &private);
+		/*
+		 * Try extracting NSEC3PARAM RDATA from this private-type
+		 * record.  Failure means this private-type record does not
+		 * represent an NSEC3PARAM record, so skip it.
+		 */
+		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
+						sizeof(buf)))
+			continue;
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
+		    ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
+		{
+			/*
+			 * Pass the NSEC3PARAM RDATA contained in this
+			 * private-type record to zone_addnsec3chain() so that
+			 * it can kick off adding or removing NSEC3 records.
+			 */
+			result = zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_addnsec3chain failed: %s",
+					     dns_result_totext(result));
+			}
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+ cleanup:
+	if (db != NULL) {
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (version != NULL)
+			dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	}
+}
+
+static void
+set_resigntime(dns_zone_t *zone) {
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	unsigned int resign;
+	isc_result_t result;
+	uint32_t nanosecs;
+	dns_db_t *db = NULL;
+
+	/* We only re-sign zones that can be dynamically updated */
+	if (zone->update_disabled)
+		return;
+
+	if (!inline_secure(zone) && (zone->type != dns_zone_master ||
+	    (zone->ssutable == NULL &&
+	     (zone->update_acl == NULL || dns_acl_isnone(zone->update_acl)))))
+		return;
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		isc_time_settoepoch(&zone->resigntime);
+		return;
+	}
+
+	result = dns_db_getsigningtime(db, &rdataset,
+				       dns_fixedname_name(&fixed));
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&zone->resigntime);
+		goto cleanup;
+	}
+
+	resign = rdataset.resign - zone->sigresigninginterval;
+	dns_rdataset_disassociate(&rdataset);
+	isc_random_get(&nanosecs);
+	nanosecs %= 1000000000;
+	isc_time_set(&zone->resigntime, resign, nanosecs);
+ cleanup:
+	dns_db_detach(&db);
+	return;
+}
+
+static isc_result_t
+check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	bool ok = false;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool dynamic = (zone->type == dns_zone_master) ?
+				dns_zone_isdynamic(zone, false) : false;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		return (result);
+	}
+	dns_db_currentversion(db, &version);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * For dynamic zones we must support every algorithm so we can
+	 * regenerate all the NSEC3 chains.
+	 * For non-dynamic zones we only need to find a supported algorithm.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		dns_rdata_reset(&rdata);
+		INSIST(result == ISC_R_SUCCESS);
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
+		    nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
+		{
+			dns_zone_log(zone, ISC_LOG_WARNING,
+			     "nsec3 test \"unknown\" hash algorithm found: %u",
+				     nsec3param.hash);
+			ok = true;
+		} else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
+			if (dynamic) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "unsupported nsec3 hash algorithm"
+					     " in dynamic zone: %u",
+					     nsec3param.hash);
+				result = DNS_R_BADZONE;
+				/* Stop second error message. */
+				ok = true;
+				break;
+			} else
+				dns_zone_log(zone, ISC_LOG_WARNING,
+				     "unsupported nsec3 hash algorithm: %u",
+					     nsec3param.hash);
+		} else
+			ok = true;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	if (!ok) {
+		result = DNS_R_BADZONE;
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "no supported nsec3 hash algorithm");
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_closeversion(db, &version, false);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Set the timer for refreshing the key zone to the soonest future time
+ * of the set (current timer, keydata->refresh, keydata->addhd,
+ * keydata->removehd).
+ */
+static void
+set_refreshkeytimer(dns_zone_t *zone, dns_rdata_keydata_t *key,
+		    isc_stdtime_t now, bool force)
+{
+	const char me[] = "set_refreshkeytimer";
+	isc_stdtime_t then;
+	isc_time_t timenow, timethen;
+	char timebuf[80];
+
+	ENTER;
+	then = key->refresh;
+	if (force)
+		then = now;
+	if (key->addhd > now && key->addhd < then)
+		then = key->addhd;
+	if (key->removehd > now && key->removehd < then)
+		then = key->removehd;
+
+	TIME_NOW(&timenow);
+	if (then > now)
+		DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+	else
+		timethen = timenow;
+	if (isc_time_compare(&zone->refreshkeytime, &timenow) < 0 ||
+	    isc_time_compare(&timethen, &zone->refreshkeytime) < 0)
+		zone->refreshkeytime = timethen;
+
+	isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "next key refresh: %s", timebuf);
+	zone_settimer(zone, &timenow);
+}
+
+/*
+ * Convert key(s) linked from 'keynode' to KEYDATA and add to the key zone.
+ * If the key zone is changed, set '*changed' to true.
+ */
+static isc_result_t
+create_keydata(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       dns_diff_t *diff, dns_keytable_t *keytable,
+	       dns_keynode_t **keynodep, bool *changed)
+{
+	const char me[] = "create_keydata";
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_buffer_t keyb, dstb;
+	unsigned char key_buf[4096], dst_buf[DST_KEY_MAXSIZE];
+	dns_rdata_keydata_t keydata;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_keynode_t *keynode;
+	isc_stdtime_t now;
+	isc_region_t r;
+	dst_key_t *key;
+
+	REQUIRE(keynodep != NULL);
+	keynode = *keynodep;
+
+	ENTER;
+	isc_stdtime_get(&now);
+
+	/* Loop in case there's more than one key. */
+	while (result == ISC_R_SUCCESS) {
+		dns_keynode_t *nextnode = NULL;
+
+		key = dns_keynode_key(keynode);
+		if (key == NULL)
+			goto skip;
+
+		isc_buffer_init(&dstb, dst_buf, sizeof(dst_buf));
+		CHECK(dst_key_todns(key, &dstb));
+
+		/* Convert DST key to DNSKEY. */
+		dns_rdata_reset(&rdata);
+		isc_buffer_usedregion(&dstb, &r);
+		dns_rdata_fromregion(&rdata, dst_key_class(key),
+				     dns_rdatatype_dnskey, &r);
+
+		/* DSTKEY to KEYDATA. */
+		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+		CHECK(dns_keydata_fromdnskey(&keydata, &dnskey, now, 0, 0,
+					     NULL));
+
+		/* KEYDATA to rdata. */
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+		CHECK(dns_rdata_fromstruct(&rdata,
+					   zone->rdclass, dns_rdatatype_keydata,
+					   &keydata, &keyb));
+
+		/* Add rdata to zone. */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD,
+				    dst_key_name(key), 0, &rdata));
+		*changed = true;
+
+		/* Refresh new keys from the zone apex as soon as possible. */
+		set_refreshkeytimer(zone, &keydata, now, true);
+
+ skip:
+		result = dns_keytable_nextkeynode(keytable, keynode, &nextnode);
+		if (result != ISC_R_NOTFOUND) {
+			dns_keytable_detachkeynode(keytable, &keynode);
+			keynode = nextnode;
+		}
+	}
+
+	if (keynode != NULL)
+		dns_keytable_detachkeynode(keytable, &keynode);
+	*keynodep = NULL;
+
+	return (ISC_R_SUCCESS);
+
+  failure:
+	return (result);
+}
+
+/*
+ * Remove from the key zone all the KEYDATA records found in rdataset.
+ */
+static isc_result_t
+delete_keydata(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	       dns_name_t *name, dns_rdataset_t *rdataset)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result, uresult;
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+		uresult = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+					name, 0, &rdata);
+		if (uresult != ISC_R_SUCCESS)
+			return (uresult);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+/*
+ * Compute the DNSSEC key ID for a DNSKEY record.
+ */
+static isc_result_t
+compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
+	    dns_keytag_t *tag)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[4096];
+	isc_buffer_t buffer;
+	dst_key_t *dstkey = NULL;
+
+	isc_buffer_init(&buffer, data, sizeof(data));
+	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+			     dns_rdatatype_dnskey, dnskey, &buffer);
+
+	result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
+	if (result == ISC_R_SUCCESS) {
+		*tag = dst_key_id(dstkey);
+		dst_key_free(&dstkey);
+	}
+
+	return (result);
+}
+
+/*
+ * Add key to the security roots.
+ */
+static void
+trust_key(dns_zone_t *zone, dns_name_t *keyname,
+	  dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[4096];
+	isc_buffer_t buffer;
+	dns_keytable_t *sr = NULL;
+	dst_key_t *dstkey = NULL;
+
+	/* Convert dnskey to DST key. */
+	isc_buffer_init(&buffer, data, sizeof(data));
+	dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
+			     dns_rdatatype_dnskey, dnskey, &buffer);
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	CHECK(dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &dstkey));
+	CHECK(dns_keytable_add(sr, true, &dstkey));
+	dns_keytable_detach(&sr);
+
+  failure:
+	if (dstkey != NULL)
+		dst_key_free(&dstkey);
+	if (sr != NULL)
+		dns_keytable_detach(&sr);
+	return;
+}
+
+/*
+ * Add a null key to the security roots for so that all queries
+ * to the zone will fail.
+ */
+static void
+fail_secure(dns_zone_t *zone, dns_name_t *keyname) {
+	isc_result_t result;
+	dns_keytable_t *sr = NULL;
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result == ISC_R_SUCCESS) {
+		dns_keytable_marksecure(sr, keyname);
+		dns_keytable_detach(&sr);
+	}
+}
+
+/*
+ * Scan a set of KEYDATA records from the key zone.  The ones that are
+ * valid (i.e., the add holddown timer has expired) become trusted keys.
+ */
+static void
+load_secroots(dns_zone_t *zone, dns_name_t *name, dns_rdataset_t *rdataset) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t keydata;
+	dns_rdata_dnskey_t dnskey;
+	isc_mem_t *mctx = zone->mctx;
+	int trusted = 0, revoked = 0, pending = 0;
+	isc_stdtime_t now;
+	dns_keytable_t *sr = NULL;
+
+	isc_stdtime_get(&now);
+
+	result = dns_view_getsecroots(zone->view, &sr);
+	if (result == ISC_R_SUCCESS) {
+		dns_keytable_delete(sr, name);
+		dns_keytable_detach(&sr);
+	}
+
+	/* Now insert all the accepted trust anchors from this keydata set. */
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdataset, &rdata);
+
+		/* Convert rdata to keydata. */
+		result = dns_rdata_tostruct(&rdata, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND)
+			continue;
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/* Set the key refresh timer to force a fast refresh. */
+		set_refreshkeytimer(zone, &keydata, now, true);
+
+		/* If the removal timer is nonzero, this key was revoked. */
+		if (keydata.removehd != 0) {
+			revoked++;
+			continue;
+		}
+
+		/*
+		 * If the add timer is still pending, this key is not
+		 * trusted yet.
+		 */
+		if (now < keydata.addhd) {
+			pending++;
+			continue;
+		}
+
+		/* Convert keydata to dnskey. */
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+
+		/* Add to keytables. */
+		trusted++;
+		trust_key(zone, name, &dnskey, mctx);
+	}
+
+	if (trusted == 0 && pending != 0) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof namebuf);
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "No valid trust anchors for '%s'!", namebuf);
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "%d key(s) revoked, %d still pending",
+			     revoked, pending);
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "All queries to '%s' will fail", namebuf);
+		fail_secure(zone, name);
+	}
+}
+
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata)
+{
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op,
+				      name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+static isc_result_t
+update_soa_serial(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+		  isc_mem_t *mctx, dns_updatemethod_t method) {
+	dns_difftuple_t *deltuple = NULL;
+	dns_difftuple_t *addtuple = NULL;
+	uint32_t serial;
+	isc_result_t result;
+
+	INSIST(method != dns_updatemethod_none);
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+	CHECK(dns_difftuple_copy(deltuple, &addtuple));
+	addtuple->op = DNS_DIFFOP_ADD;
+
+	serial = dns_soa_getserial(&addtuple->rdata);
+	serial = dns_update_soaserial(serial, method);
+	dns_soa_setserial(serial, &addtuple->rdata);
+	CHECK(do_one_tuple(&deltuple, db, ver, diff));
+	CHECK(do_one_tuple(&addtuple, db, ver, diff));
+	result = ISC_R_SUCCESS;
+
+	failure:
+	if (addtuple != NULL)
+		dns_difftuple_free(&addtuple);
+	if (deltuple != NULL)
+		dns_difftuple_free(&deltuple);
+	return (result);
+}
+
+/*
+ * Write all transactions in 'diff' to the zone journal file.
+ */
+static isc_result_t
+zone_journal(dns_zone_t *zone, dns_diff_t *diff, uint32_t *sourceserial,
+	     const char *caller)
+{
+	const char me[] = "zone_journal";
+	const char *journalfile;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_journal_t *journal = NULL;
+	unsigned int mode = DNS_JOURNAL_CREATE|DNS_JOURNAL_WRITE;
+
+	ENTER;
+	journalfile = dns_zone_getjournal(zone);
+	if (journalfile != NULL) {
+		result = dns_journal_open(zone->mctx, journalfile, mode,
+					  &journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s:dns_journal_open -> %s",
+				     caller, dns_result_totext(result));
+			return (result);
+		}
+
+		if (sourceserial != NULL)
+			dns_journal_set_sourceserial(journal, *sourceserial);
+
+		result = dns_journal_write_transaction(journal, diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s:dns_journal_write_transaction -> %s",
+				     caller, dns_result_totext(result));
+		}
+		dns_journal_destroy(&journal);
+	}
+
+	return (result);
+}
+
+/*
+ * Create an SOA record for a newly-created zone
+ */
+static isc_result_t
+add_soa(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "creating SOA");
+
+	dns_diff_init(zone->mctx, &diff);
+	result = dns_db_newversion(db, &ver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Build SOA record */
+	result = dns_soa_buildrdata(&zone->origin, dns_rootname, zone->rdclass,
+				    0, 0, 0, 0, 0, buf, &rdata);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "add_soa:dns_soa_buildrdata -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_one_rr(db, ver, &diff, DNS_DIFFOP_ADD,
+			       &zone->origin, 0, &rdata);
+
+failure:
+	dns_diff_clear(&diff);
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, (result == ISC_R_SUCCESS));
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+struct addifmissing_arg {
+	dns_db_t *db;
+	dns_dbversion_t *ver;
+	dns_diff_t *diff;
+	dns_zone_t *zone;
+	bool *changed;
+	isc_result_t result;
+};
+
+static void
+addifmissing(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
+	dns_db_t *db = ((struct addifmissing_arg *)arg)->db;
+	dns_dbversion_t *ver = ((struct addifmissing_arg *)arg)->ver;
+	dns_diff_t *diff = ((struct addifmissing_arg *)arg)->diff;
+	dns_zone_t *zone = ((struct addifmissing_arg *)arg)->zone;
+	bool *changed = ((struct addifmissing_arg *)arg)->changed;
+	isc_result_t result;
+	dns_keynode_t *dummy = NULL;
+
+	if (((struct addifmissing_arg *)arg)->result != ISC_R_SUCCESS)
+		return;
+
+	if (dns_keynode_managed(keynode)) {
+		dns_fixedname_t fname;
+		dns_name_t *keyname;
+		dst_key_t *key;
+
+		key = dns_keynode_key(keynode);
+		if (key == NULL)
+			return;
+		dns_fixedname_init(&fname);
+
+		keyname = dst_key_name(key);
+		result = dns_db_find(db, keyname, ver,
+				     dns_rdatatype_keydata,
+				     DNS_DBFIND_NOWILD, 0, NULL,
+				     dns_fixedname_name(&fname),
+				     NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return;
+		dns_keytable_attachkeynode(keytable, keynode, &dummy);
+		result = create_keydata(zone, db, ver, diff, keytable,
+					&dummy, changed);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
+			((struct addifmissing_arg *)arg)->result = result;
+	}
+};
+
+/*
+ * Synchronize the set of initializing keys found in managed-keys {}
+ * statements with the set of trust anchors found in the managed-keys.bind
+ * zone.  If a domain is no longer named in managed-keys, delete all keys
+ * from that domain from the key zone.	If a domain is mentioned in in
+ * managed-keys but there are no references to it in the key zone, load
+ * the key zone with the initializing key(s) for that domain.
+ */
+static isc_result_t
+sync_keyzone(dns_zone_t *zone, dns_db_t *db) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool changed = false;
+	bool commit = false;
+	dns_keynode_t *keynode = NULL;
+	dns_view_t *view = zone->view;
+	dns_keytable_t *sr = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	dns_rriterator_t rrit;
+	struct addifmissing_arg arg;
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "synchronizing trusted keys");
+
+	dns_diff_init(zone->mctx, &diff);
+
+	CHECK(dns_view_getsecroots(view, &sr));
+
+	result = dns_db_newversion(db, &ver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sync_keyzone:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Walk the zone DB.  If we find any keys whose names are no longer
+	 * in managed-keys (or *are* in trusted-keys, meaning they are
+	 * permanent and not RFC5011-maintained), delete them from the
+	 * zone.  Otherwise call load_secroots(), which loads keys into
+	 * secroots as appropriate.
+	 */
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit)) {
+		dns_rdataset_t *rdataset = NULL;
+		dns_name_t *rrname = NULL;
+		uint32_t ttl;
+
+		dns_rriterator_current(&rrit, &rrname, &ttl,
+				       &rdataset, NULL);
+		if (!dns_rdataset_isassociated(rdataset)) {
+			dns_rriterator_destroy(&rrit);
+			goto failure;
+		}
+
+		if (rdataset->type != dns_rdatatype_keydata)
+			continue;
+
+		result = dns_keytable_find(sr, rrname, &keynode);
+		if ((result != ISC_R_SUCCESS &&
+		     result != DNS_R_PARTIALMATCH) ||
+		    dns_keynode_managed(keynode) == false)
+		{
+			CHECK(delete_keydata(db, ver, &diff,
+					     rrname, rdataset));
+			changed = true;
+		} else {
+			load_secroots(zone, rrname, rdataset);
+		}
+
+		if (keynode != NULL)
+			dns_keytable_detachkeynode(sr, &keynode);
+	}
+	dns_rriterator_destroy(&rrit);
+
+	/*
+	 * Now walk secroots to find any managed keys that aren't
+	 * in the zone.  If we find any, we add them to the zone.
+	 */
+	arg.db = db;
+	arg.ver = ver;
+	arg.result = ISC_R_SUCCESS;
+	arg.diff = &diff;
+	arg.zone = zone;
+	arg.changed = &changed;
+	dns_keytable_forall(sr, addifmissing, &arg);
+	result = arg.result;
+	if (changed) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(db, ver, &diff, zone->mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "sync_keyzone"));
+
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+		commit = true;
+	}
+
+ failure:
+	if (result != ISC_R_SUCCESS &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "unable to synchronize managed keys: %s",
+			     dns_result_totext(result));
+		isc_time_settoepoch(&zone->refreshkeytime);
+	}
+	if (keynode != NULL)
+		dns_keytable_detachkeynode(sr, &keynode);
+	if (sr != NULL)
+		dns_keytable_detach(&sr);
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, commit);
+	dns_diff_clear(&diff);
+
+	INSIST(ver == NULL);
+
+	return (result);
+}
+
+isc_result_t
+dns_zone_synckeyzone(dns_zone_t *zone) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+
+	if (zone->type != dns_zone_key)
+		return (DNS_R_BADZONE);
+
+	CHECK(dns_zone_getdb(zone, &db));
+
+	LOCK_ZONE(zone);
+	result = sync_keyzone(zone, db);
+	UNLOCK_ZONE(zone);
+
+ failure:
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
+static void
+maybe_send_secure(dns_zone_t *zone) {
+	isc_result_t result;
+
+	/*
+	 * We've finished loading, or else failed to load, an inline-signing
+	 * 'secure' zone.  We now need information about the status of the
+	 * 'raw' zone.  If we failed to load, then we need it to send a
+	 * copy of its database; if we succeeded, we need it to send its
+	 * serial number so that we can sync with it.  If it has not yet
+	 * loaded, we set a flag so that it will send the necessary
+	 * information when it has finished loading.
+	 */
+	if (zone->raw->db != NULL) {
+		if (zone->db != NULL) {
+			uint32_t serial;
+			unsigned int soacount;
+
+			result = zone_get_from_db(zone->raw, zone->raw->db,
+						  NULL, &soacount, &serial, NULL,
+						  NULL, NULL, NULL, NULL);
+			if (result == ISC_R_SUCCESS && soacount > 0U)
+				zone_send_secureserial(zone->raw, serial);
+		} else
+			zone_send_securedb(zone->raw, zone->raw->db);
+
+	} else
+		DNS_ZONE_SETFLAG(zone->raw, DNS_ZONEFLG_SENDSECURE);
+}
+
+static bool
+zone_unchanged(dns_db_t *db1, dns_db_t *db2, isc_mem_t *mctx) {
+	isc_result_t result;
+	bool answer = false;
+	dns_diff_t diff;
+
+	dns_diff_init(mctx, &diff);
+	result = dns_db_diffx(&diff, db1, NULL, db2, NULL, NULL);
+	if (result == ISC_R_SUCCESS && ISC_LIST_EMPTY(diff.tuples))
+		answer = true;
+	dns_diff_clear(&diff);
+	return (answer);
+}
+
+/*
+ * The zone is presumed to be locked.
+ * If this is a inline_raw zone the secure version is also locked.
+ */
+static isc_result_t
+zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+	      isc_result_t result)
+{
+	unsigned int soacount = 0;
+	unsigned int nscount = 0;
+	unsigned int errors = 0;
+	uint32_t serial, oldserial, refresh, retry, expire, minimum;
+	isc_time_t now;
+	bool needdump = false;
+	bool hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	bool nomaster = false;
+	unsigned int options;
+	dns_include_t *inc;
+
+	INSIST(LOCKED_ZONE(zone));
+	if (inline_raw(zone))
+		INSIST(LOCKED_ZONE(zone->secure));
+
+	TIME_NOW(&now);
+
+	/*
+	 * Initiate zone transfer?  We may need a error code that
+	 * indicates that the "permanent" form does not exist.
+	 * XXX better error feedback to log.
+	 */
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+		if (zone->type == dns_zone_slave ||
+		    zone->type == dns_zone_stub ||
+		    (zone->type == dns_zone_redirect &&
+		     zone->masters == NULL)) {
+			if (result == ISC_R_FILENOTFOUND)
+				dns_zone_log(zone, ISC_LOG_DEBUG(1),
+					     "no master file");
+			else if (result != DNS_R_NOMASTERFILE)
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "loading from master file %s "
+					     "failed: %s",
+					     zone->masterfile,
+					     dns_result_totext(result));
+		} else if (zone->type == dns_zone_master &&
+			   inline_secure(zone) && result == ISC_R_FILENOTFOUND)
+		{
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "no master file, requesting db");
+			maybe_send_secure(zone);
+		} else {
+			int level = ISC_LOG_ERROR;
+			if (zone->type == dns_zone_key &&
+			    result == ISC_R_FILENOTFOUND)
+				level = ISC_LOG_DEBUG(1);
+			dns_zone_log(zone, level,
+				     "loading from master file %s failed: %s",
+				     zone->masterfile,
+				     dns_result_totext(result));
+			nomaster = true;
+		}
+
+		if (zone->type != dns_zone_key)
+			goto cleanup;
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(2),
+		     "number of nodes in database: %u",
+		     dns_db_nodecount(db));
+
+	if (result == DNS_R_SEENINCLUDE)
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	else
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+
+	/*
+	 * If there's no master file for a key zone, then the zone is new:
+	 * create an SOA record.  (We do this now, instead of later, so that
+	 * if there happens to be a journal file, we can roll forward from
+	 * a sane starting point.)
+	 */
+	if (nomaster && zone->type == dns_zone_key) {
+		result = add_soa(zone, db);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	}
+
+	/*
+	 * Apply update log, if any, on initial load.
+	 */
+	if (zone->journal != NULL &&
+	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
+	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+	{
+		if (zone->type == dns_zone_master && (inline_secure(zone) ||
+		    (zone->update_acl != NULL || zone->ssutable != NULL)))
+		{
+			options = DNS_JOURNALOPT_RESIGN;
+		} else {
+			options = 0;
+		}
+		result = dns_journal_rollforward(zone->mctx, db, options,
+						 zone->journal);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
+		    result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
+		    result != ISC_R_RANGE) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "journal rollforward failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+
+
+		}
+		if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "journal rollforward failed: "
+				     "journal out of sync with zone");
+			goto cleanup;
+		}
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "journal rollforward completed "
+			     "successfully: %s",
+			     dns_result_totext(result));
+		if (result == ISC_R_SUCCESS)
+			needdump = true;
+	}
+
+	/*
+	 * Obtain ns, soa and cname counts for top of zone.
+	 */
+	INSIST(db != NULL);
+	result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
+				  &refresh, &retry, &expire, &minimum,
+				  &errors);
+	if (result != ISC_R_SUCCESS && zone->type != dns_zone_key) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "could not find NS and/or SOA records");
+	}
+
+	/*
+	 * Check to make sure the journal is up to date, and remove the
+	 * journal file if it isn't, as we wouldn't be able to apply
+	 * updates otherwise.
+	 */
+	if (zone->journal != NULL && dns_zone_isdynamic(zone, true) &&
+	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
+		uint32_t jserial;
+		dns_journal_t *journal = NULL;
+
+		result = dns_journal_open(zone->mctx, zone->journal,
+					  DNS_JOURNAL_READ, &journal);
+		if (result == ISC_R_SUCCESS) {
+			jserial = dns_journal_last_serial(journal);
+			dns_journal_destroy(&journal);
+		} else {
+			jserial = serial;
+			result = ISC_R_SUCCESS;
+		}
+
+		if (jserial != serial) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "journal file is out of date: "
+				     "removing journal file");
+			if (remove(zone->journal) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove journal "
+					      "'%s': '%s'",
+					      zone->journal, strbuf);
+			}
+		}
+	}
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded; checking validity");
+
+	/*
+	 * Master / Slave / Stub zones require both NS and SOA records at
+	 * the top of the zone.
+	 */
+
+	switch (zone->type) {
+	case dns_zone_dlz:
+	case dns_zone_master:
+	case dns_zone_slave:
+	case dns_zone_stub:
+	case dns_zone_redirect:
+		if (soacount != 1) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "has %d SOA records", soacount);
+			result = DNS_R_BADZONE;
+		}
+		if (nscount == 0) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "has no NS records");
+			result = DNS_R_BADZONE;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		if (zone->type == dns_zone_master && errors != 0) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+		if (zone->type != dns_zone_stub &&
+		    zone->type != dns_zone_redirect) {
+			result = check_nsec3param(zone, db);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
+		if (zone->type == dns_zone_master &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
+		    !integrity_checks(zone, db)) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+		if (zone->type == dns_zone_master &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKDUPRR) &&
+		    !zone_check_dup(zone, db)) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
+
+		if (zone->db != NULL) {
+			unsigned int oldsoacount;
+
+			/*
+			 * This is checked in zone_replacedb() for slave zones
+			 * as they don't reload from disk.
+			 */
+			result = zone_get_from_db(zone, zone->db, NULL,
+						  &oldsoacount, &oldserial,
+						  NULL, NULL, NULL, NULL,
+						  NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			RUNTIME_CHECK(soacount > 0U);
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
+			    !isc_serial_gt(serial, oldserial)) {
+				uint32_t serialmin, serialmax;
+
+				INSIST(zone->type == dns_zone_master);
+				INSIST(zone->raw == NULL);
+
+				if (serial == oldserial &&
+				    zone_unchanged(zone->db, db, zone->mctx)) {
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "ixfr-from-differences: "
+						     "unchanged");
+					goto done;
+				}
+
+				serialmin = (oldserial + 1) & 0xffffffffU;
+				serialmax = (oldserial + 0x7fffffffU) &
+					     0xffffffffU;
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "ixfr-from-differences: "
+					     "new serial (%u) out of range "
+					     "[%u - %u]", serial, serialmin,
+					     serialmax);
+				result = DNS_R_BADZONE;
+				goto cleanup;
+			} else if (!isc_serial_ge(serial, oldserial))
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone serial (%u/%u) has gone "
+					     "backwards", serial, oldserial);
+			else if (serial == oldserial && !hasinclude &&
+				 strcmp(zone->db_argv[0], "_builtin") != 0)
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone serial (%u) unchanged. "
+					     "zone may fail to transfer "
+					     "to slaves.", serial);
+		}
+
+		if (zone->type == dns_zone_master &&
+		    (zone->update_acl != NULL || zone->ssutable != NULL) &&
+		    zone->sigresigninginterval < (3 * refresh) &&
+		    dns_db_issecure(db))
+		{
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "sig-re-signing-interval less than "
+				     "3 * refresh.");
+		}
+
+		zone->refresh = RANGE(refresh,
+				      zone->minrefresh, zone->maxrefresh);
+		zone->retry = RANGE(retry,
+				    zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		zone->minimum = minimum;
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+		if (zone->type == dns_zone_slave ||
+		    zone->type == dns_zone_stub ||
+		    (zone->type == dns_zone_redirect &&
+		     zone->masters != NULL)) {
+			isc_time_t t;
+			uint32_t delay;
+
+			result = isc_file_getmodtime(zone->journal, &t);
+			if (result != ISC_R_SUCCESS)
+				result = isc_file_getmodtime(zone->masterfile,
+							     &t);
+			if (result == ISC_R_SUCCESS)
+				DNS_ZONE_TIME_ADD(&t, zone->expire,
+						  &zone->expiretime);
+			else
+				DNS_ZONE_TIME_ADD(&now, zone->retry,
+						  &zone->expiretime);
+
+			delay = isc_random_jitter(zone->retry,
+						  (zone->retry * 3) / 4);
+			DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
+			if (isc_time_compare(&zone->refreshtime,
+					     &zone->expiretime) >= 0)
+				zone->refreshtime = now;
+		}
+
+		break;
+
+	case dns_zone_key:
+		result = sync_keyzone(zone, db);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		break;
+
+	default:
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "unexpected zone type %d", zone->type);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+
+	/*
+	 * Check for weak DNSKEY's.
+	 */
+	if (zone->type == dns_zone_master)
+		zone_check_dnskeys(zone, db);
+
+	/*
+	 * Schedule DNSSEC key refresh.
+	 */
+	if (zone->type == dns_zone_master &&
+	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN))
+		zone->refreshkeytime = now;
+
+#if 0
+	/* destroy notification example. */
+	{
+		isc_event_t *e = isc_event_allocate(zone->mctx, NULL,
+						    DNS_EVENT_DBDESTROYED,
+						    dns_zonemgr_dbdestroyed,
+						    zone,
+						    sizeof(isc_event_t));
+		dns_db_ondestroy(db, zone->task, &e);
+	}
+#endif
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	if (zone->db != NULL) {
+		result = zone_replacedb(zone, db, false);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+	} else {
+		result = dns_db_rpz_ready(db);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		zone_attachdb(zone, db);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+		DNS_ZONE_SETFLAG(zone,
+				 DNS_ZONEFLG_LOADED|
+				 DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SENDSECURE) &&
+		    inline_raw(zone))
+		{
+			if (zone->secure->db == NULL)
+				zone_send_securedb(zone, db);
+			else
+				zone_send_secureserial(zone, serial);
+		}
+	}
+
+	/*
+	 * Finished loading inline-signing zone; need to get status
+	 * from the raw side now.
+	 */
+	if (zone->type == dns_zone_master && inline_secure(zone))
+		maybe_send_secure(zone);
+
+
+	result = ISC_R_SUCCESS;
+
+	if (needdump) {
+		if (zone->type == dns_zone_key)
+			zone_needdump(zone, 30);
+		else
+			zone_needdump(zone, DNS_DUMP_DELAY);
+	}
+
+	if (zone->task != NULL) {
+		if (zone->type == dns_zone_master) {
+			set_resigntime(zone);
+			resume_signingwithkey(zone);
+			resume_addnsec3chain(zone);
+		}
+
+		if (zone->type == dns_zone_master &&
+		    !DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN) &&
+		    dns_zone_isdynamic(zone, false) &&
+		    dns_db_issecure(db)) {
+			dns_name_t *name;
+			dns_fixedname_t fixed;
+			dns_rdataset_t next;
+
+			dns_rdataset_init(&next);
+			name = dns_fixedname_initname(&fixed);
+
+			result = dns_db_getsigningtime(db, &next, name);
+			if (result == ISC_R_SUCCESS) {
+				isc_stdtime_t timenow;
+				char namebuf[DNS_NAME_FORMATSIZE];
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				isc_stdtime_get(&timenow);
+				dns_name_format(name, namebuf, sizeof(namebuf));
+				dns_rdatatype_format(next.covers,
+						     typebuf, sizeof(typebuf));
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "next resign: %s/%s in %d seconds",
+					     namebuf, typebuf,
+					     next.resign - timenow -
+					     zone->sigresigninginterval);
+				dns_rdataset_disassociate(&next);
+			} else
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "signed dynamic zone has no "
+					     "resign event scheduled");
+		}
+
+		zone_settimer(zone, &now);
+	}
+
+	/*
+	 * Clear old include list.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->includes);
+	     inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->includes)) {
+		ISC_LIST_UNLINK(zone->includes, inc, link);
+		isc_mem_free(zone->mctx, inc->name);
+		isc_mem_put(zone->mctx, inc, sizeof(*inc));
+	}
+	zone->nincludes = 0;
+
+	/*
+	 * Transfer new include list.
+	 */
+	for (inc = ISC_LIST_HEAD(zone->newincludes);
+	     inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->newincludes)) {
+		ISC_LIST_UNLINK(zone->newincludes, inc, link);
+		ISC_LIST_APPEND(zone->includes, inc, link);
+		zone->nincludes++;
+	}
+
+	if (! dns_db_ispersistent(db))
+		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s", serial,
+			     dns_db_issecure(db) ? " (DNSSEC signed)" : "");
+
+	zone->loadtime = loadtime;
+	goto done;
+
+ cleanup:
+	for (inc = ISC_LIST_HEAD(zone->newincludes);
+	     inc != NULL;
+	     inc = ISC_LIST_HEAD(zone->newincludes)) {
+		ISC_LIST_UNLINK(zone->newincludes, inc, link);
+		isc_mem_free(zone->mctx, inc->name);
+		isc_mem_put(zone->mctx, inc, sizeof(*inc));
+	}
+	if (zone->type == dns_zone_slave ||
+	    zone->type == dns_zone_stub ||
+	    zone->type == dns_zone_key ||
+	    (zone->type == dns_zone_redirect && zone->masters != NULL)) {
+		if (result != ISC_R_NOMEMORY) {
+			if (zone->journal != NULL)
+				zone_saveunique(zone, zone->journal,
+						"jn-XXXXXXXX");
+			if (zone->masterfile != NULL)
+				zone_saveunique(zone, zone->masterfile,
+						"db-XXXXXXXX");
+		}
+
+		/* Mark the zone for immediate refresh. */
+		zone->refreshtime = now;
+		if (zone->task != NULL)
+			zone_settimer(zone, &now);
+		result = ISC_R_SUCCESS;
+	} else if (zone->type == dns_zone_master ||
+		   zone->type == dns_zone_redirect) {
+		if (!(inline_secure(zone) && result == ISC_R_FILENOTFOUND))
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "not loaded due to errors.");
+		else if (zone->type == dns_zone_master)
+			result = ISC_R_SUCCESS;
+	}
+
+ done:
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	/*
+	 * If this is an inline-signed zone and we were called for the raw
+	 * zone, we need to clear DNS_ZONEFLG_LOADPENDING for the secure zone
+	 * as well, but only if this is a reload, not an initial zone load: in
+	 * the former case, zone_postload() will not be run for the secure
+	 * zone; in the latter case, it will be.  Check which case we are
+	 * dealing with by consulting the DNS_ZONEFLG_LOADED flag for the
+	 * secure zone: if it is set, this must be a reload.
+	 */
+	if (inline_raw(zone) &&
+	    DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED))
+	{
+		DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING);
+	}
+
+	return (result);
+}
+
+static bool
+exit_check(dns_zone_t *zone) {
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) && zone->irefs == 0) {
+		/*
+		 * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
+		 */
+		INSIST(isc_refcount_current(&zone->erefs) == 0);
+		return (true);
+	}
+	return (false);
+}
+
+static bool
+zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+	      dns_name_t *name, bool logit)
+{
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOCHECKNS))
+		return (true);
+
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	foundname = dns_fixedname_initname(&fixed);
+
+	result = dns_db_find(db, name, version, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (true);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, version, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (true);
+	}
+
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN ||
+	    result == DNS_R_EMPTYNAME) {
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_zone_log(zone, level, "NS '%s' has no address "
+				     "records (A or AAAA)", namebuf);
+		}
+		return (false);
+	}
+
+	if (result == DNS_R_CNAME) {
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_zone_log(zone, level, "NS '%s' is a CNAME "
+				     "(illegal)", namebuf);
+		}
+		return (false);
+	}
+
+	if (result == DNS_R_DNAME) {
+		if (logit) {
+			dns_name_format(name, namebuf, sizeof namebuf);
+			dns_name_format(foundname, altbuf, sizeof altbuf);
+			dns_zone_log(zone, level, "NS '%s' is below a DNAME "
+				     "'%s' (illegal)", namebuf, altbuf);
+		}
+		return (false);
+	}
+
+	return (true);
+}
+
+static isc_result_t
+zone_count_ns_rr(dns_zone_t *zone, dns_db_t *db, dns_dbnode_t *node,
+		 dns_dbversion_t *version, unsigned int *nscount,
+		 unsigned int *errors, bool logit)
+{
+	isc_result_t result;
+	unsigned int count = 0;
+	unsigned int ecount = 0;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata;
+	dns_rdata_ns_t ns;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto success;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto invalidate_rdataset;
+	}
+
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		if (errors != NULL && zone->rdclass == dns_rdataclass_in &&
+		    (zone->type == dns_zone_master ||
+		     zone->type == dns_zone_slave)) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &ns, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (dns_name_issubdomain(&ns.name, &zone->origin) &&
+			    !zone_check_ns(zone, db, version, &ns.name, logit))
+				ecount++;
+		}
+		count++;
+		result = dns_rdataset_next(&rdataset);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ success:
+	if (nscount != NULL)
+		*nscount = count;
+	if (errors != NULL)
+		*errors = ecount;
+
+	result = ISC_R_SUCCESS;
+
+ invalidate_rdataset:
+	dns_rdataset_invalidate(&rdataset);
+
+	return (result);
+}
+
+static isc_result_t
+zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		 unsigned int *soacount,
+		 uint32_t *serial, uint32_t *refresh,
+		 uint32_t *retry, uint32_t *expire,
+		 uint32_t *minimum)
+{
+	isc_result_t result;
+	unsigned int count;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		if (soacount != NULL)
+			*soacount = 0;
+		if (serial != NULL)
+			*serial = 0;
+		if (refresh != NULL)
+			*refresh = 0;
+		if (retry != NULL)
+			*retry = 0;
+		if (expire != NULL)
+			*expire = 0;
+		if (minimum != NULL)
+			*minimum = 0;
+		result = ISC_R_SUCCESS;
+		goto invalidate_rdataset;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto invalidate_rdataset;
+	}
+
+	count = 0;
+	result = dns_rdataset_first(&rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		count++;
+		if (count == 1) {
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
+
+		result = dns_rdataset_next(&rdataset);
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+	if (soacount != NULL)
+		*soacount = count;
+
+	if (count > 0) {
+		if (serial != NULL)
+			*serial = soa.serial;
+		if (refresh != NULL)
+			*refresh = soa.refresh;
+		if (retry != NULL)
+			*retry = soa.retry;
+		if (expire != NULL)
+			*expire = soa.expire;
+		if (minimum != NULL)
+			*minimum = soa.minimum;
+	} else {
+		if (soacount != NULL)
+			*soacount = 0;
+		if (serial != NULL)
+			*serial = 0;
+		if (refresh != NULL)
+			*refresh = 0;
+		if (retry != NULL)
+			*retry = 0;
+		if (expire != NULL)
+			*expire = 0;
+		if (minimum != NULL)
+			*minimum = 0;
+	}
+
+	result = ISC_R_SUCCESS;
+
+ invalidate_rdataset:
+	dns_rdataset_invalidate(&rdataset);
+
+	return (result);
+}
+
+/*
+ * zone must be locked.
+ */
+static isc_result_t
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
+		 unsigned int *soacount, uint32_t *serial,
+		 uint32_t *refresh, uint32_t *retry,
+		 uint32_t *expire, uint32_t *minimum,
+		 unsigned int *errors)
+{
+	isc_result_t result;
+	isc_result_t answer = ISC_R_SUCCESS;
+	dns_dbversion_t *version = NULL;
+	dns_dbnode_t *node;
+
+	REQUIRE(db != NULL);
+	REQUIRE(zone != NULL);
+
+	dns_db_currentversion(db, &version);
+
+	if (nscount != NULL)
+		*nscount = 0;
+	if (soacount != NULL)
+		*soacount = 0;
+	if (serial != NULL)
+		*serial = 0;
+	if (refresh != NULL)
+		*refresh = 0;
+	if (retry != NULL)
+		*retry = 0;
+	if (expire != NULL)
+		*expire = 0;
+	if (errors != NULL)
+		*errors = 0;
+
+	node = NULL;
+	result = dns_db_findnode(db, &zone->origin, false, &node);
+	if (result != ISC_R_SUCCESS) {
+		answer = result;
+		goto closeversion;
+	}
+
+	if (nscount != NULL || errors != NULL) {
+		result = zone_count_ns_rr(zone, db, node, version,
+					  nscount, errors, true);
+		if (result != ISC_R_SUCCESS)
+			answer = result;
+	}
+
+	if (soacount != NULL || serial != NULL || refresh != NULL
+	    || retry != NULL || expire != NULL || minimum != NULL) {
+		result = zone_load_soa_rr(db, node, version, soacount,
+					  serial, refresh, retry, expire,
+					  minimum);
+		if (result != ISC_R_SUCCESS)
+			answer = result;
+	}
+
+	dns_db_detachnode(db, &node);
+ closeversion:
+	dns_db_closeversion(db, &version, false);
+
+	return (answer);
+}
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
+	REQUIRE(DNS_ZONE_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	isc_refcount_increment(&source->erefs, NULL);
+	*target = source;
+}
+
+void
+dns_zone_detach(dns_zone_t **zonep) {
+	dns_zone_t *zone;
+	dns_zone_t *raw = NULL;
+	dns_zone_t *secure = NULL;
+	unsigned int refs;
+	bool free_now = false;
+
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+
+	zone = *zonep;
+
+	isc_refcount_decrement(&zone->erefs, &refs);
+
+	if (refs == 0) {
+		LOCK_ZONE(zone);
+		INSIST(zone != zone->raw);
+		/*
+		 * We just detached the last external reference.
+		 */
+		if (zone->task != NULL) {
+			/*
+			 * This zone is being managed.	Post
+			 * its control event and let it clean
+			 * up synchronously in the context of
+			 * its task.
+			 */
+			isc_event_t *ev = &zone->ctlevent;
+			isc_task_send(zone->task, &ev);
+		} else {
+			/*
+			 * This zone is not being managed; it has
+			 * no task and can have no outstanding
+			 * events.  Free it immediately.
+			 */
+			/*
+			 * Unmanaged zones should not have non-null views;
+			 * we have no way of detaching from the view here
+			 * without causing deadlock because this code is called
+			 * with the view already locked.
+			 */
+			INSIST(zone->view == NULL);
+			free_now = true;
+			raw = zone->raw;
+			zone->raw = NULL;
+			secure = zone->secure;
+			zone->secure = NULL;
+		}
+		UNLOCK_ZONE(zone);
+	}
+	*zonep = NULL;
+	if (free_now) {
+		if (raw != NULL)
+			dns_zone_detach(&raw);
+		if (secure != NULL)
+			dns_zone_idetach(&secure);
+		zone_free(zone);
+	}
+}
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+	REQUIRE(DNS_ZONE_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	LOCK_ZONE(source);
+	zone_iattach(source, target);
+	UNLOCK_ZONE(source);
+}
+
+static void
+zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+
+	/*
+	 * 'source' locked by caller.
+	 */
+	REQUIRE(LOCKED_ZONE(source));
+	REQUIRE(DNS_ZONE_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+	INSIST(source->irefs + isc_refcount_current(&source->erefs) > 0);
+	source->irefs++;
+	INSIST(source->irefs != 0);
+	*target = source;
+}
+
+static void
+zone_idetach(dns_zone_t **zonep) {
+	dns_zone_t *zone;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+	zone = *zonep;
+	REQUIRE(LOCKED_ZONE(*zonep));
+	*zonep = NULL;
+
+	INSIST(zone->irefs > 0);
+	zone->irefs--;
+	INSIST(zone->irefs + isc_refcount_current(&zone->erefs) > 0);
+}
+
+void
+dns_zone_idetach(dns_zone_t **zonep) {
+	dns_zone_t *zone;
+	bool free_needed;
+
+	REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+	zone = *zonep;
+	*zonep = NULL;
+
+	LOCK_ZONE(zone);
+	INSIST(zone->irefs > 0);
+	zone->irefs--;
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+	if (free_needed)
+		zone_free(zone);
+}
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->mctx);
+}
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->zmgr);
+}
+
+void
+dns_zone_setflag(dns_zone_t *zone, unsigned int flags, bool value) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (value)
+		DNS_ZONE_SETFLAG(zone, flags);
+	else
+		DNS_ZONE_CLRFLAG(zone, flags);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setoption(dns_zone_t *zone, unsigned int option,
+		   bool value)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (value)
+		zone->options |= option;
+	else
+		zone->options &= ~option;
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setoption2(dns_zone_t *zone, unsigned int option,
+		    bool value)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (value)
+		zone->options2 |= option;
+	else
+		zone->options2 &= ~option;
+	UNLOCK_ZONE(zone);
+}
+
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->options);
+}
+
+unsigned int
+dns_zone_getoptions2(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->options2);
+}
+
+void
+dns_zone_setkeyopt(dns_zone_t *zone, unsigned int keyopt, bool value)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (value)
+		zone->keyopts |= keyopt;
+	else
+		zone->keyopts &= ~keyopt;
+	UNLOCK_ZONE(zone);
+}
+
+unsigned int
+dns_zone_getkeyopts(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keyopts);
+}
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource4 = *xfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->xfrsource4);
+}
+
+isc_result_t
+dns_zone_setxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getxfrsource4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->xfrsource4dscp);
+}
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, const isc_sockaddr_t *xfrsource) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource6 = *xfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->xfrsource6);
+}
+
+isc_dscp_t
+dns_zone_getxfrsource6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->xfrsource6dscp);
+}
+
+isc_result_t
+dns_zone_setxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->xfrsource6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource4 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource4);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getaltxfrsource4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->altxfrsource4dscp);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone,
+			  const isc_sockaddr_t *altxfrsource)
+{
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource6 = *altxfrsource;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->altxfrsource6);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->altxfrsource6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getaltxfrsource6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->altxfrsource6dscp);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc4 = *notifysrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->notifysrc4);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc4dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getnotifysrc4dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->notifysrc4dscp);
+}
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc6 = *notifysrc;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (&zone->notifysrc6);
+}
+
+static bool
+same_addrs(isc_sockaddr_t const *oldlist, isc_sockaddr_t const *newlist,
+	   uint32_t count)
+{
+	unsigned int i;
+
+	for (i = 0; i < count; i++)
+		if (!isc_sockaddr_equal(&oldlist[i], &newlist[i]))
+			return (false);
+	return (true);
+}
+
+static bool
+same_keynames(dns_name_t * const *oldlist, dns_name_t * const *newlist,
+	      uint32_t count)
+{
+	unsigned int i;
+
+	if (oldlist == NULL && newlist == NULL)
+		return (true);
+	if (oldlist == NULL || newlist == NULL)
+		return (false);
+
+	for (i = 0; i < count; i++) {
+		if (oldlist[i] == NULL && newlist[i] == NULL)
+			continue;
+		if (oldlist[i] == NULL || newlist[i] == NULL ||
+		    !dns_name_equal(oldlist[i], newlist[i]))
+			return (false);
+	}
+	return (true);
+}
+
+static void
+clear_addresskeylist(isc_sockaddr_t **addrsp, isc_dscp_t **dscpsp,
+		     dns_name_t ***keynamesp, unsigned int *countp,
+		     isc_mem_t *mctx)
+{
+	unsigned int count;
+	isc_sockaddr_t *addrs;
+	isc_dscp_t *dscps;
+	dns_name_t **keynames;
+
+	REQUIRE(countp != NULL && addrsp != NULL && dscpsp != NULL &&
+		keynamesp != NULL);
+
+	count = *countp;
+	*countp = 0;
+	addrs = *addrsp;
+	*addrsp = NULL;
+	dscps = *dscpsp;
+	*dscpsp = NULL;
+	keynames = *keynamesp;
+	*keynamesp = NULL;
+
+	if (addrs != NULL)
+		isc_mem_put(mctx, addrs, count * sizeof(isc_sockaddr_t));
+
+	if (dscps != NULL)
+		isc_mem_put(mctx, dscps, count * sizeof(isc_dscp_t));
+
+	if (keynames != NULL) {
+		unsigned int i;
+		for (i = 0; i < count; i++) {
+			if (keynames[i] != NULL) {
+				dns_name_free(keynames[i], mctx);
+				isc_mem_put(mctx, keynames[i],
+					    sizeof(dns_name_t));
+				keynames[i] = NULL;
+			}
+		}
+		isc_mem_put(mctx, keynames, count * sizeof(dns_name_t *));
+	}
+}
+
+static isc_result_t
+set_addrkeylist(unsigned int count,
+		const isc_sockaddr_t *addrs, isc_sockaddr_t **newaddrsp,
+		const isc_dscp_t *dscp, isc_dscp_t **newdscpp,
+		dns_name_t **names, dns_name_t ***newnamesp,
+		isc_mem_t *mctx)
+{
+	isc_result_t result;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscp = NULL;
+	dns_name_t **newnames = NULL;
+	unsigned int i;
+
+	REQUIRE(newaddrsp != NULL && *newaddrsp == NULL);
+	REQUIRE(newdscpp != NULL && *newdscpp == NULL);
+	REQUIRE(newnamesp != NULL && *newnamesp == NULL);
+
+	newaddrs = isc_mem_get(mctx, count * sizeof(*newaddrs));
+	if (newaddrs == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(newaddrs, addrs, count * sizeof(*newaddrs));
+
+	if (dscp != NULL) {
+		newdscp = isc_mem_get(mctx, count * sizeof(*newdscp));
+		if (newdscp == NULL) {
+			isc_mem_put(mctx, newaddrs, count * sizeof(*newaddrs));
+			return (ISC_R_NOMEMORY);
+		}
+		memmove(newdscp, dscp, count * sizeof(*newdscp));
+	} else
+		newdscp = NULL;
+
+	if (names != NULL) {
+		newnames = isc_mem_get(mctx, count * sizeof(*newnames));
+		if (newnames == NULL) {
+			if (newdscp != NULL)
+				isc_mem_put(mctx, newdscp,
+					    count * sizeof(*newdscp));
+			isc_mem_put(mctx, newaddrs, count * sizeof(*newaddrs));
+			return (ISC_R_NOMEMORY);
+		}
+		for (i = 0; i < count; i++)
+			newnames[i] = NULL;
+		for (i = 0; i < count; i++) {
+			if (names[i] != NULL) {
+				newnames[i] = isc_mem_get(mctx,
+							 sizeof(dns_name_t));
+				if (newnames[i] == NULL)
+					goto allocfail;
+				dns_name_init(newnames[i], NULL);
+				result = dns_name_dup(names[i], mctx,
+						      newnames[i]);
+				if (result != ISC_R_SUCCESS) {
+				allocfail:
+					for (i = 0; i < count; i++)
+						if (newnames[i] != NULL)
+							dns_name_free(
+							       newnames[i],
+							       mctx);
+					isc_mem_put(mctx, newaddrs,
+						    count * sizeof(*newaddrs));
+					isc_mem_put(mctx, newdscp,
+						    count * sizeof(*newdscp));
+					isc_mem_put(mctx, newnames,
+						    count * sizeof(*newnames));
+					return (ISC_R_NOMEMORY);
+				}
+			}
+		}
+	} else
+		newnames = NULL;
+
+	*newdscpp = newdscp;
+	*newaddrsp = newaddrs;
+	*newnamesp = newnames;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifysrc6dscp = dscp;
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_dscp_t
+dns_zone_getnotifysrc6dscp(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->notifysrc6dscp);
+}
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
+		       uint32_t count)
+{
+	return (dns_zone_setalsonotifydscpkeys(zone, notify, NULL, NULL,
+					       count));
+}
+
+isc_result_t
+dns_zone_setalsonotifywithkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       dns_name_t **keynames, uint32_t count)
+{
+	return (dns_zone_setalsonotifydscpkeys(zone, notify, NULL, keynames,
+					       count));
+}
+
+isc_result_t
+dns_zone_setalsonotifydscpkeys(dns_zone_t *zone, const isc_sockaddr_t *notify,
+			       const isc_dscp_t *dscps, dns_name_t **keynames,
+			       uint32_t count)
+{
+	isc_result_t result;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscps = NULL;
+	dns_name_t **newnames = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(count == 0 || notify != NULL);
+	if (keynames != NULL)
+		REQUIRE(count != 0);
+
+	LOCK_ZONE(zone);
+
+	if (count == zone->notifycnt &&
+	    same_addrs(zone->notify, notify, count) &&
+	    same_keynames(zone->notifykeynames, keynames, count))
+		goto unlock;
+
+	clear_addresskeylist(&zone->notify, &zone->notifydscp,
+			     &zone->notifykeynames, &zone->notifycnt,
+			     zone->mctx);
+
+	if (count == 0)
+		goto unlock;
+
+	/*
+	 * Set up the notify and notifykey lists
+	 */
+	result = set_addrkeylist(count, notify, &newaddrs, dscps, &newdscps,
+				 keynames, &newnames, zone->mctx);
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	/*
+	 * Everything is ok so attach to the zone.
+	 */
+	zone->notify = newaddrs;
+	zone->notifydscp = newdscps;
+	zone->notifykeynames = newnames;
+	zone->notifycnt = count;
+ unlock:
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, const isc_sockaddr_t *masters,
+		    uint32_t count)
+{
+	isc_result_t result;
+
+	result = dns_zone_setmasterswithkeys(zone, masters, NULL, count);
+	return (result);
+}
+
+isc_result_t
+dns_zone_setmasterswithkeys(dns_zone_t *zone,
+			    const isc_sockaddr_t *masters,
+			    dns_name_t **keynames,
+			    uint32_t count)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_sockaddr_t *newaddrs = NULL;
+	isc_dscp_t *newdscps = NULL;
+	dns_name_t **newnames = NULL;
+	bool *newok;
+	unsigned int i;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(count == 0 || masters != NULL);
+	if (keynames != NULL) {
+		REQUIRE(count != 0);
+	}
+
+	LOCK_ZONE(zone);
+	/*
+	 * The refresh code assumes that 'masters' wouldn't change under it.
+	 * If it will change then kill off any current refresh in progress
+	 * and update the masters info.  If it won't change then we can just
+	 * unlock and exit.
+	 */
+	if (count != zone->masterscnt ||
+	    !same_addrs(zone->masters, masters, count) ||
+	    !same_keynames(zone->masterkeynames, keynames, count)) {
+		if (zone->request != NULL)
+			dns_request_cancel(zone->request);
+	} else
+		goto unlock;
+
+	/*
+	 * This needs to happen before clear_addresskeylist() sets
+	 * zone->masterscnt to 0:
+	 */
+	if (zone->mastersok != NULL) {
+		isc_mem_put(zone->mctx, zone->mastersok,
+			    zone->masterscnt * sizeof(bool));
+		zone->mastersok = NULL;
+	}
+	clear_addresskeylist(&zone->masters, &zone->masterdscps,
+			     &zone->masterkeynames, &zone->masterscnt,
+			     zone->mctx);
+	/*
+	 * If count == 0, don't allocate any space for masters, mastersok or
+	 * keynames so internally, those pointers are NULL if count == 0
+	 */
+	if (count == 0)
+		goto unlock;
+
+	/*
+	 * mastersok must contain count elements
+	 */
+	newok = isc_mem_get(zone->mctx, count * sizeof(*newok));
+	if (newok == NULL) {
+		result = ISC_R_NOMEMORY;
+		isc_mem_put(zone->mctx, newaddrs, count * sizeof(*newaddrs));
+		goto unlock;
+	};
+	for (i = 0; i < count; i++)
+		newok[i] = false;
+
+	/*
+	 * Now set up the masters and masterkey lists
+	 */
+	result = set_addrkeylist(count, masters, &newaddrs, NULL, &newdscps,
+				 keynames, &newnames, zone->mctx);
+	INSIST(newdscps == NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(zone->mctx, newok, count * sizeof(*newok));
+		goto unlock;
+	}
+
+	/*
+	 * Everything is ok so attach to the zone.
+	 */
+	zone->curmaster = 0;
+	zone->mastersok = newok;
+	zone->masters = newaddrs;
+	zone->masterdscps = newdscps;
+	zone->masterkeynames = newnames;
+	zone->masterscnt = count;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+
+ unlock:
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db == NULL)
+		result = DNS_R_NOTLOADED;
+	else
+		dns_db_attach(zone->db, dpb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_zone_setdb(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->type == dns_zone_staticstub);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	REQUIRE(zone->db == NULL);
+	dns_db_attach(db, &zone->db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+}
+
+/*
+ * Co-ordinates the starting of routine jobs.
+ */
+void
+dns_zone_maintenance(dns_zone_t *zone) {
+	const char me[] = "dns_zone_maintenance";
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+	LOCK_ZONE(zone);
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+	UNLOCK_ZONE(zone);
+}
+
+static inline bool
+was_dumping(dns_zone_t *zone) {
+	bool dumping;
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (!dumping) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		isc_time_settoepoch(&zone->dumptime);
+	}
+	return (dumping);
+}
+
+/*%
+ * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database
+ * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
+ * Only load the public part of a given key if it is not active at timestamp
+ * 'now'.  Store the number of keys found in 'nkeys'.
+ */
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
+
+	CHECK(dns_db_findnode(db, dns_db_origin(db), false, &node));
+	memset(keys, 0, sizeof(*keys) * maxkeys);
+	result = dns_dnssec_findzonekeys3(db, ver, node, dns_db_origin(db),
+					  directory, now, mctx, maxkeys, keys,
+					  nkeys);
+	if (result == ISC_R_NOTFOUND)
+		result = ISC_R_SUCCESS;
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+offline(dns_db_t *db, dns_dbversion_t *ver, dns__zonediff_t *zonediff,
+	dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+
+	if ((rdata->flags & DNS_RDATA_OFFLINE) != 0)
+		return (ISC_R_SUCCESS);
+	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_DELRESIGN,
+			       name, ttl, rdata);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	rdata->flags |= DNS_RDATA_OFFLINE;
+	result = update_one_rr(db, ver, zonediff->diff, DNS_DIFFOP_ADDRESIGN,
+			       name, ttl, rdata);
+	zonediff->offline = true;
+	return (result);
+}
+
+static void
+set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
+{
+	unsigned int delta;
+	char timebuf[80];
+
+	zone->key_expiry = when;
+	if (when <= now) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "DNSKEY RRSIG(s) have expired");
+		isc_time_settoepoch(&zone->keywarntime);
+	} else if (when < now + 7 * 24 * 3600) {
+		isc_time_t t;
+		isc_time_set(&t, when, 0);
+		isc_time_formattimestamp(&t, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "DNSKEY RRSIG(s) will expire within 7 days: %s",
+			     timebuf);
+		delta = when - now;
+		delta--;		/* loop prevention */
+		delta /= 24 * 3600;	/* to whole days */
+		delta *= 24 * 3600;	/* to seconds */
+		isc_time_set(&zone->keywarntime, when - delta, 0);
+	}  else {
+		isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
+		isc_time_formattimestamp(&zone->keywarntime, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "setting keywarntime to %s", timebuf);
+	}
+}
+
+/*
+ * Helper function to del_sigs(). We don't want to delete RRSIGs that
+ * have no new key.
+ */
+static bool
+delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
+	  bool *warn)
+{
+	unsigned int i = 0;
+	bool have_ksk = false, have_zsk = false;
+	bool have_pksk = false, have_pzsk = false;
+
+	for (i = 0; i < nkeys; i++) {
+		if (rrsig_ptr->algorithm != dst_key_alg(keys[i]))
+			continue;
+		if (dst_key_isprivate(keys[i])) {
+			if (KSK(keys[i]))
+				have_ksk = have_pksk = true;
+			else
+				have_zsk = have_pzsk = true;
+		} else {
+			if (KSK(keys[i]))
+				have_ksk = true;
+			else
+				have_zsk = true;
+		}
+	}
+
+	if (have_zsk && have_ksk && !have_pzsk)
+		*warn = true;
+
+	/*
+	 * It's okay to delete a signature if there is an active key
+	 * with the same algorithm to replace it.
+	 */
+	if (have_pksk || have_pzsk)
+		return (true);
+
+	/*
+	 * Failing that, it is *not* okay to delete a signature
+	 * if the associated public key is still in the DNSKEY RRset
+	 */
+	for (i = 0; i < nkeys; i++) {
+		if ((rrsig_ptr->algorithm == dst_key_alg(keys[i])) &&
+		    (rrsig_ptr->keyid == dst_key_id(keys[i])))
+			return (false);
+	}
+
+	/*
+	 * But if the key is gone, then go ahead.
+	 */
+	return (true);
+}
+
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also update.c:del_keysigs().
+ */
+static isc_result_t
+del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns__zonediff_t *zonediff, dst_key_t **keys,
+	 unsigned int nkeys, isc_stdtime_t now, bool incremental)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	bool found;
+	int64_t timewarn = 0, timemaybe = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	if (type == dns_rdatatype_nsec3)
+		result = dns_db_findnsec3node(db, name, false, &node);
+	else
+		result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (type != dns_rdatatype_dnskey) {
+			bool warn = false, deleted = false;
+			if (delsig_ok(&rrsig, keys, nkeys, &warn)) {
+				result = update_one_rr(db, ver, zonediff->diff,
+					       DNS_DIFFOP_DELRESIGN, name,
+					       rdataset.ttl, &rdata);
+				if (result != ISC_R_SUCCESS)
+					break;
+				deleted = true;
+			}
+			if (warn) {
+				/*
+				 * At this point, we've got an RRSIG,
+				 * which is signed by an inactive key.
+				 * An administrator needs to provide a new
+				 * key/alg, but until that time, we want to
+				 * keep the old RRSIG.  Marking the key as
+				 * offline will prevent us spinning waiting
+				 * for the private part.
+				 */
+				if (incremental && !deleted) {
+					result = offline(db, ver, zonediff,
+							 name, rdataset.ttl,
+							 &rdata);
+					if (result != ISC_R_SUCCESS)
+						break;
+				}
+
+				/*
+				 * Log the key id and algorithm of
+				 * the inactive key with no replacement
+				 */
+				if (zone->log_key_expired_timer <= now) {
+					char origin[DNS_NAME_FORMATSIZE];
+					char algbuf[DNS_NAME_FORMATSIZE];
+					dns_name_format(&zone->origin, origin,
+							sizeof(origin));
+					dns_secalg_format(rrsig.algorithm,
+							  algbuf,
+							  sizeof(algbuf));
+					dns_zone_log(zone, ISC_LOG_WARNING,
+						     "Key %s/%s/%d "
+						     "missing or inactive "
+						     "and has no replacement: "
+						     "retaining signatures.",
+						     origin, algbuf,
+						     rrsig.keyid);
+					zone->log_key_expired_timer = now +
+									3600;
+				}
+			}
+			continue;
+		}
+
+		/*
+		 * RRSIG(DNSKEY) requires special processing.
+		 */
+		found = false;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.algorithm == dst_key_alg(keys[i]) &&
+			    rrsig.keyid == dst_key_id(keys[i])) {
+				found = true;
+				/*
+				 * Mark offline RRSIG(DNSKEY).
+				 * We want the earliest offline expire time
+				 * iff there is a new offline signature.
+				 */
+				if (!dst_key_inactive(keys[i]) &&
+				    !dst_key_isprivate(keys[i]))
+				{
+					int64_t timeexpire =
+					   dns_time64_from32(rrsig.timeexpire);
+					if (timewarn != 0 &&
+					    timewarn > timeexpire)
+						timewarn = timeexpire;
+					if (rdata.flags & DNS_RDATA_OFFLINE) {
+						if (timemaybe == 0 ||
+						    timemaybe > timeexpire)
+							timemaybe = timeexpire;
+						break;
+					}
+					if (timewarn == 0)
+						timewarn = timemaybe;
+					if (timewarn == 0 ||
+					    timewarn > timeexpire)
+						timewarn = timeexpire;
+					result = offline(db, ver, zonediff,
+							 name, rdataset.ttl,
+							 &rdata);
+					break;
+				}
+				result = update_one_rr(db, ver, zonediff->diff,
+						       DNS_DIFFOP_DELRESIGN,
+						       name, rdataset.ttl,
+						       &rdata);
+				break;
+			}
+		}
+
+		/*
+		 * If there is not a matching DNSKEY then
+		 * delete the RRSIG.
+		 */
+		if (!found)
+			result = update_one_rr(db, ver, zonediff->diff,
+					       DNS_DIFFOP_DELRESIGN, name,
+					       rdataset.ttl, &rdata);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (timewarn > 0) {
+#if defined(STDTIME_ON_32BITS)
+		isc_stdtime_t stdwarn = (isc_stdtime_t)timewarn;
+		if (timewarn == stdwarn)
+#endif
+			set_key_expiry_warning(zone, (isc_stdtime_t)timewarn,
+					       now);
+#if defined(STDTIME_ON_32BITS)
+		else
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "key expiry warning time out of range");
+#endif
+	}
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
+	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
+	 isc_stdtime_t expire, bool check_ksk,
+	 bool keyset_kskonly)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+	unsigned char data[1024]; /* XXX */
+	isc_buffer_t buffer;
+	unsigned int i, j;
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	if (type == dns_rdatatype_nsec3)
+		result = dns_db_findnsec3node(db, name, false, &node);
+	else
+		result = dns_db_findnode(db, name, false, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, type, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (i = 0; i < nkeys; i++) {
+		bool both = false;
+
+		if (!dst_key_isprivate(keys[i]))
+			continue;
+		if (dst_key_inactive(keys[i]))	/* Should be redundant. */
+			continue;
+
+		if (check_ksk && !REVOKE(keys[i])) {
+			bool have_ksk, have_nonksk;
+			if (KSK(keys[i])) {
+				have_ksk = true;
+				have_nonksk = false;
+			} else {
+				have_ksk = false;
+				have_nonksk = true;
+			}
+			for (j = 0; j < nkeys; j++) {
+				if (j == i || ALG(keys[i]) != ALG(keys[j]))
+					continue;
+				if (!dst_key_isprivate(keys[j]))
+					continue;
+				if (dst_key_inactive(keys[j]))	/* SBR */
+					continue;
+				if (REVOKE(keys[j]))
+					continue;
+				if (KSK(keys[j]))
+					have_ksk = true;
+				else
+					have_nonksk = true;
+				both = have_ksk && have_nonksk;
+				if (both)
+					break;
+			}
+		}
+		if (both) {
+			if (type == dns_rdatatype_dnskey) {
+				if (!KSK(keys[i]) && keyset_kskonly)
+					continue;
+			} else if (KSK(keys[i]))
+				continue;
+		} else if (REVOKE(keys[i]) && type != dns_rdatatype_dnskey)
+				continue;
+
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		isc_buffer_clear(&buffer);
+		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+				      &inception, &expire,
+				      mctx, &buffer, &sig_rdata));
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
+				    name, rdataset.ttl, &sig_rdata));
+		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static void
+zone_resigninc(dns_zone_t *zone) {
+	const char *me = "zone_resigninc";
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdatatype_t covers;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	bool check_ksk, keyset_kskonly = false;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire, stop;
+	uint32_t jitter, sigvalidityinterval;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	unsigned int resign;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+
+	/*
+	 * Zone is frozen or automatic resigning is disabled.
+	 * Pause for 5 minutes.
+	 */
+	if (zone->update_disabled ||
+	    DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_NORESIGN))
+	{
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns__zone_findkeys -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	sigvalidityinterval = zone->sigvalidityinterval;
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= 3600;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
+	stop = now + 5;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	name = dns_fixedname_initname(&fixed);
+	result = dns_db_getsigningtime(db, &rdataset, name);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_getsigningtime -> %s",
+			     dns_result_totext(result));
+	}
+
+	i = 0;
+	while (result == ISC_R_SUCCESS) {
+		resign = rdataset.resign - zone->sigresigninginterval;
+		covers = rdataset.covers;
+		dns_rdataset_disassociate(&rdataset);
+
+		/*
+		 * Stop if we hit the SOA as that means we have walked the
+		 * entire zone.  The SOA record should always be the most
+		 * recent signature.
+		 */
+		/* XXXMPA increase number of RRsets signed pre call */
+		if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
+		    resign > stop)
+			break;
+
+		result = del_sigs(zone, db, version, name, covers, &zonediff,
+				  zone_keys, nkeys, now, true);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:del_sigs -> %s",
+				     dns_result_totext(result));
+			break;
+		}
+
+		result = add_sigs(db, version, name, covers, zonediff.diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk, keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:add_sigs -> %s",
+				     dns_result_totext(result));
+			break;
+		}
+		result	= dns_db_getsigningtime(db, &rdataset, name);
+		if (nkeys == 0 && result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+		if (result != ISC_R_SUCCESS)
+			dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_getsigningtime -> %s",
+				     dns_result_totext(result));
+	}
+
+	if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, true);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:del_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Did we change anything in the zone?
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		/*
+		 * Commit the changes if any key has been marked as offline.
+		 */
+		if (zonediff.offline)
+			dns_db_closeversion(db, &version, true);
+		goto failure;
+	}
+
+	/* Increment SOA serial if we have made changes */
+	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:update_soa_serial -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:add_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_resigninc"));
+
+	/* Everything has succeeded. Commit the changes. */
+	dns_db_closeversion(db, &version, true);
+
+ failure:
+	dns_diff_clear(&_sig_diff);
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+	if (result == ISC_R_SUCCESS) {
+		set_resigntime(zone);
+		LOCK_ZONE(zone);
+		zone_needdump(zone, DNS_DUMP_DELAY);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		UNLOCK_ZONE(zone);
+	} else {
+		/*
+		 * Something failed.  Retry in 5 minutes.
+		 */
+		isc_interval_t ival;
+		isc_interval_set(&ival, 300, 0);
+		isc_time_nowplusinterval(&zone->resigntime, &ival);
+	}
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
+	    dns_name_t *newname, bool bottom)
+{
+	isc_result_t result;
+	dns_dbiterator_t *dbit = NULL;
+	dns_rdatasetiter_t *rdsit = NULL;
+	dns_dbnode_t *node = NULL;
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, oldname));
+	do {
+		result = dns_dbiterator_next(dbit);
+		if (result == ISC_R_NOMORE)
+			CHECK(dns_dbiterator_first(dbit));
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
+		if (bottom && dns_name_issubdomain(newname, oldname) &&
+		    !dns_name_equal(newname, oldname)) {
+			dns_db_detachnode(db, &node);
+			continue;
+		}
+		/*
+		 * Is this node empty?
+		 */
+		CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsit));
+		result = dns_rdatasetiter_first(rdsit);
+		dns_db_detachnode(db, &node);
+		dns_rdatasetiter_destroy(&rdsit);
+		if (result != ISC_R_NOMORE)
+			break;
+	} while (1);
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	return (result);
+}
+
+static bool
+signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		dns_rdatatype_t type, dst_key_t *key)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
+				     type, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		return (false);
+	}
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (rrsig.algorithm == dst_key_alg(key) &&
+		    rrsig.keyid == dst_key_id(key)) {
+			dns_rdataset_disassociate(&rdataset);
+			return (true);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (false);
+}
+
+static isc_result_t
+add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	 dns_dbnode_t *node, dns_ttl_t ttl, bool bottom,
+	 dns_diff_t *diff)
+{
+	dns_fixedname_t fixed;
+	dns_name_t *next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
+
+	next = dns_fixedname_initname(&fixed);
+
+	CHECK(next_active(db, version, name, next, bottom));
+	CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
+				  &rdata));
+	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
+			    &rdata));
+ failure:
+	return (result);
+}
+
+static isc_result_t
+check_if_bottom_of_zone(dns_db_t *db, dns_dbnode_t *node,
+			dns_dbversion_t *version, bool *is_bottom_of_zone)
+{
+	isc_result_t result;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_rdataset_t rdataset;
+	bool seen_soa = false, seen_ns = false, seen_dname = false;
+
+	REQUIRE(is_bottom_of_zone != NULL);
+
+	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	for (result = dns_rdatasetiter_first(iterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator)) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		switch (rdataset.type) {
+		case dns_rdatatype_soa:
+			seen_soa = true;
+			break;
+		case dns_rdatatype_ns:
+			seen_ns = true;
+			break;
+		case dns_rdatatype_dname:
+			seen_dname = true;
+			break;
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE) {
+		goto failure;
+	}
+	if ((seen_ns && !seen_soa) || seen_dname) {
+		*is_bottom_of_zone = true;
+	}
+	result = ISC_R_SUCCESS;
+
+ failure:
+	dns_rdatasetiter_destroy(&iterator);
+
+	return (result);
+}
+
+static isc_result_t
+sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
+	    dns_dbversion_t *version, bool build_nsec3,
+	    bool build_nsec, dst_key_t *key,
+	    isc_stdtime_t inception, isc_stdtime_t expire,
+	    unsigned int minimum, bool is_ksk,
+	    bool keyset_kskonly, bool is_bottom_of_zone,
+	    dns_diff_t *diff, int32_t *signatures, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+	unsigned char data[1024];
+	bool seen_soa, seen_ns, seen_rr, seen_dname, seen_nsec,
+		      seen_nsec3, seen_ds;
+
+	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+	seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
+	seen_nsec3 = seen_ds = false;
+	for (result = dns_rdatasetiter_first(iterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator)) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa)
+			seen_soa = true;
+		else if (rdataset.type == dns_rdatatype_ns)
+			seen_ns = true;
+		else if (rdataset.type == dns_rdatatype_ds)
+			seen_ds = true;
+		else if (rdataset.type == dns_rdatatype_dname)
+			seen_dname = true;
+		else if (rdataset.type == dns_rdatatype_nsec)
+			seen_nsec = true;
+		else if (rdataset.type == dns_rdatatype_nsec3)
+			seen_nsec3 = true;
+		if (rdataset.type != dns_rdatatype_rrsig)
+			seen_rr = true;
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+	/*
+	 * Going from insecure to NSEC3.
+	 * Don't generate NSEC3 records for NSEC3 records.
+	 */
+	if (build_nsec3 && !seen_nsec3 && seen_rr) {
+		bool unsecure = !seen_ds && seen_ns && !seen_soa;
+		CHECK(dns_nsec3_addnsec3s(db, version, name, minimum,
+					  unsecure, diff));
+		(*signatures)--;
+	}
+	/*
+	 * Going from insecure to NSEC.
+	 * Don't generate NSEC records for NSEC3 records.
+	 */
+	if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
+		/*
+		 * Build a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db))) {
+			CHECK(add_nsec(db, version, name, node, minimum,
+				       is_bottom_of_zone, diff));
+			/* Count a NSEC generation as a signature generation. */
+			(*signatures)--;
+		}
+	}
+	result = dns_rdatasetiter_first(iterator);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa ||
+		    rdataset.type == dns_rdatatype_rrsig)
+			goto next_rdataset;
+		if (rdataset.type == dns_rdatatype_dnskey) {
+			if (!is_ksk && keyset_kskonly)
+				goto next_rdataset;
+		} else if (is_ksk) {
+			/*
+			 * CDS and CDNSKEY are signed with KSK (RFC 7344, 4.1).
+			 */
+			if (rdataset.type != dns_rdatatype_cds &&
+			    rdataset.type != dns_rdatatype_cdnskey)
+				goto next_rdataset;
+		}
+		if (seen_ns && !seen_soa &&
+		    rdataset.type != dns_rdatatype_ds &&
+		    rdataset.type != dns_rdatatype_nsec)
+			goto next_rdataset;
+		if (signed_with_key(db, node, version, rdataset.type, key))
+			goto next_rdataset;
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		isc_buffer_clear(&buffer);
+		CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
+				      &expire, mctx, &buffer, &rdata));
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
+				    name, rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+		(*signatures)--;
+ next_rdataset:
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(iterator);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (iterator != NULL)
+		dns_rdatasetiter_destroy(&iterator);
+	return (result);
+}
+
+/*
+ * If 'update_only' is set then don't create a NSEC RRset if it doesn't exist.
+ */
+static isc_result_t
+updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	     dns_ttl_t minimum, bool update_only, dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+
+	CHECK(dns_db_getoriginnode(db, &node));
+	if (update_only) {
+		dns_rdataset_init(&rdataset);
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec,
+					     dns_rdatatype_none,
+					     0, &rdataset, NULL);
+		if (dns_rdataset_isassociated(&rdataset))
+			dns_rdataset_disassociate(&rdataset);
+		if (result == ISC_R_NOTFOUND)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	CHECK(delete_nsec(db, version, node, name, diff));
+	CHECK(add_nsec(db, version, name, node, minimum, false, diff));
+ success:
+	result = ISC_R_SUCCESS;
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
+		  dns_dbversion_t *version, bool build_nsec3,
+		  dns_ttl_t minimum, dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[5];
+	bool seen_done = false;
+	bool have_rr = false;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_getoriginnode(signing->db, &node);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_db_findrdataset(signing->db, node, version,
+				     zone->privatetype, dns_rdatatype_none,
+				     0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		/*
+		 * If we don't match the algorithm or keyid skip the record.
+		 */
+		if (rdata.length != 5 ||
+		    rdata.data[0] != signing->algorithm ||
+		    rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
+		    rdata.data[2] != (signing->keyid & 0xff)) {
+			have_rr = true;
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+		/*
+		 * We have a match.  If we were signing (!signing->deleteit)
+		 * and we already have a record indicating that we have
+		 * finished signing (rdata.data[4] != 0) then keep it.
+		 * Otherwise it needs to be deleted as we have removed all
+		 * the signatures (signing->deleteit), so any record indicating
+		 * completion is now out of date, or we have finished signing
+		 * with the new record so we no longer need to remember that
+		 * we need to sign the zone with the matching key across a
+		 * nameserver re-start.
+		 */
+		if (!signing->deleteit && rdata.data[4] != 0) {
+			seen_done = true;
+			have_rr = true;
+		} else
+			CHECK(update_one_rr(signing->db, version, diff,
+					    DNS_DIFFOP_DEL, &zone->origin,
+					    rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (!signing->deleteit && !seen_done) {
+		/*
+		 * If we were signing then we need to indicate that we have
+		 * finished signing the zone with this key.  If it is already
+		 * there we don't need to add it a second time.
+		 */
+		data[0] = signing->algorithm;
+		data[1] = (signing->keyid >> 8) & 0xff;
+		data[2] = signing->keyid & 0xff;
+		data[3] = 0;
+		data[4] = 1;
+		rdata.length = sizeof(data);
+		rdata.data = data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = dns_db_class(signing->db);
+		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
+				    &zone->origin, rdataset.ttl, &rdata));
+	} else if (!have_rr) {
+		dns_name_t *origin = dns_db_origin(signing->db);
+		/*
+		 * Rebuild the NSEC/NSEC3 record for the origin as we no
+		 * longer have any private records.
+		 */
+		if (build_nsec3)
+			CHECK(dns_nsec3_addnsec3s(signing->db, version, origin,
+						  minimum, false, diff));
+		CHECK(updatesecure(signing->db, version, origin, minimum,
+				   true, diff));
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(signing->db, &node);
+	return (result);
+}
+
+/*
+ * Called from zone_nsec3chain() in order to update zone records indicating
+ * processing status of given NSEC3 chain:
+ *
+ *   - If the supplied dns_nsec3chain_t structure has been fully processed
+ *     (which is indicated by "active" being set to false):
+ *
+ *       - remove all NSEC3PARAM records matching the relevant NSEC3 chain,
+ *
+ *       - remove all private-type records containing NSEC3PARAM RDATA matching
+ *         the relevant NSEC3 chain.
+ *
+ *   - If the supplied dns_nsec3chain_t structure has not been fully processed
+ *     (which is indicated by "active" being set to true), only remove the
+ *     NSEC3PARAM record which matches the relevant NSEC3 chain and has the
+ *     "flags" field set to 0.
+ *
+ *   - If given NSEC3 chain is being added, add an NSEC3PARAM record contained
+ *     in the relevant private-type record, but with the "flags" field set to
+ *     0, indicating that this NSEC3 chain is now complete for this zone.
+ *
+ * Note that this function is called at different processing stages for NSEC3
+ * chain additions vs. removals and needs to handle all cases properly.
+ */
+static isc_result_t
+fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
+		 bool active, dns_rdatatype_t privatetype,
+		 dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name = dns_db_origin(db);
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+	isc_buffer_t buffer;
+	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
+	dns_ttl_t ttl = 0;
+	bool nseconly = false, nsec3ok = false;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto try_private;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Preserve the existing ttl.
+	 */
+	ttl = rdataset.ttl;
+
+	/*
+	 * Delete all NSEC3PARAM records which match that in nsec3chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.hash != chain->nsec3param.hash ||
+		    (active && nsec3param.flags != 0) ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+				    name, rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	dns_rdataset_disassociate(&rdataset);
+
+ try_private:
+
+	if (active)
+		goto add;
+
+	result = dns_nsec_nseconly(db, ver, &nseconly);
+	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
+
+	/*
+	 * Delete all private records which match that in nsec3chain.
+	 */
+	result = dns_db_findrdataset(db, node, ver, privatetype,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto add;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t private = DNS_RDATA_INIT;
+		unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+		dns_rdataset_current(&rdataset, &private);
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if ((!nsec3ok &&
+		     (nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0) ||
+		    nsec3param.hash != chain->nsec3param.hash ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+				    name, rdataset.ttl, &private));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+  add:
+	if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	/*
+	 * Add a NSEC3PARAM record which matches that in nsec3chain but
+	 * with all flags bits cleared.
+	 *
+	 * Note: we do not clear chain->nsec3param.flags as this change
+	 * may be reversed.
+	 */
+	isc_buffer_init(&buffer, &parambuf, sizeof(parambuf));
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
+				   dns_rdatatype_nsec3param,
+				   &chain->nsec3param, &buffer));
+	rdata.data[1] = 0;	/* Clear flag bits. */
+	CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
+
+  failure:
+	dns_db_detachnode(db, &node);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+	    dns_name_t *name, dns_diff_t *diff)
+{
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+		    dns_name_t *name, const dns_rdata_nsec3param_t *param,
+		    dns_diff_t *diff)
+{
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+		if (nsec3.hash != param->hash ||
+		    nsec3.iterations != param->iterations ||
+		    nsec3.salt_length != param->salt_length ||
+		    memcmp(nsec3.salt, param->salt, nsec3.salt_length))
+			continue;
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
+		const dns_rdata_nsec3param_t *param,
+		bool *answer)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3param_t myparam;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	*answer = false;
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&rdataset);
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+	if (result != ISC_R_NOTFOUND) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = true;
+		dns_db_detachnode(db, &node);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
+		dns_rdata_reset(&rdata);
+		/*
+		 * Ignore any NSEC3PARAM removals.
+		 */
+		if (NSEC3REMOVE(myparam.flags))
+			continue;
+		/*
+		 * Ignore the chain that we are in the process of deleting.
+		 */
+		if (myparam.hash == param->hash &&
+		    myparam.iterations == param->iterations &&
+		    myparam.salt_length == param->salt_length &&
+		    !memcmp(myparam.salt, param->salt, myparam.salt_length))
+			continue;
+		/*
+		 * Found an active NSEC3 chain.
+		 */
+		break;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = true;
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*%
+ * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in
+ * 'diff'.  Gradually remove tuples from 'diff' and append them to 'zonediff'
+ * along with tuples representing relevant signature changes.
+ */
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t now,
+		     bool check_ksk, bool keyset_kskonly,
+		     dns__zonediff_t *zonediff)
+{
+	dns_difftuple_t *tuple;
+	isc_result_t result;
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_HEAD(diff->tuples)) {
+		result = del_sigs(zone, db, version, &tuple->name,
+				  tuple->rdata.type, zonediff,
+				  zone_keys, nkeys, now, false);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns__zone_updatesigs:del_sigs -> %s",
+				     dns_result_totext(result));
+			return (result);
+		}
+		result = add_sigs(db, version, &tuple->name,
+				  tuple->rdata.type, zonediff->diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk, keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns__zone_updatesigs:add_sigs -> %s",
+				     dns_result_totext(result));
+			return (result);
+		}
+
+		do {
+			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
+			while (next != NULL &&
+			       (tuple->rdata.type != next->rdata.type ||
+				!dns_name_equal(&tuple->name, &next->name)))
+				next = ISC_LIST_NEXT(next, link);
+			ISC_LIST_UNLINK(diff->tuples, tuple, link);
+			dns_diff_appendminimal(zonediff->diff, &tuple);
+			INSIST(tuple == NULL);
+			tuple = next;
+		} while (tuple != NULL);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Incrementally build and sign a new NSEC3 chain using the parameters
+ * requested.
+ */
+static void
+zone_nsec3chain(dns_zone_t *zone) {
+	const char *me = "zone_nsec3chain";
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec3_diff;
+	dns_diff_t param_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
+	dns_nsec3chainlist_t cleanup;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	int32_t signatures;
+	bool check_ksk, keyset_kskonly;
+	bool delegation;
+	bool first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire;
+	uint32_t jitter, sigvalidityinterval;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	uint32_t nodes;
+	bool unsecure = false;
+	bool seen_soa, seen_ns, seen_dname, seen_ds;
+	bool seen_nsec, seen_nsec3, seen_rr;
+	dns_rdatasetiter_t *iterator = NULL;
+	bool buildnsecchain;
+	bool updatensec = false;
+	dns_rdatatype_t privatetype = zone->privatetype;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fixed);
+	nextname = dns_fixedname_initname(&nextfixed);
+	dns_diff_init(zone->mctx, &param_diff);
+	dns_diff_init(zone->mctx, &nsec3_diff);
+	dns_diff_init(zone->mctx, &nsec_diff);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	/*
+	 * This function is called when zone timer fires, after the latter gets
+	 * set by zone_addnsec3chain().  If the action triggering the call to
+	 * zone_addnsec3chain() is closely followed by a zone deletion request,
+	 * it might turn out that the timer thread will not be woken up until
+	 * after the zone is deleted by rmzone(), which calls dns_db_detach()
+	 * for zone->db, causing the latter to become NULL.  Return immediately
+	 * if that happens.
+	 */
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		return;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_nsec3chain:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_nsec3chain:dns__zone_findkeys -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= 3600;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = true;
+
+	if (nsec3chain != NULL)
+		nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+	/*
+	 * Generate new NSEC3 chains first.
+	 *
+	 * The following while loop iterates over nodes in the zone database,
+	 * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of
+	 * them.  Once all nodes are processed, the "delete_nsec" field is
+	 * consulted to check whether we are supposed to remove NSEC records
+	 * from the zone database; if so, the database iterator is reset to
+	 * point to the first node and the loop traverses all of them again,
+	 * this time removing NSEC records.  If we hit a node which is obscured
+	 * by a delegation or a DNAME, nodes are skipped over until we find one
+	 * that is not obscured by the same obscuring name and then normal
+	 * processing is resumed.
+	 *
+	 * The above is repeated until all requested NSEC3 chain changes are
+	 * applied or when we reach the limits for this quantum, whichever
+	 * happens first.
+	 *
+	 * Note that the "signatures" variable is only used here to limit the
+	 * amount of work performed.  Actual DNSSEC signatures are only
+	 * generated by dns__zone_updatesigs() calls later in this function.
+	 */
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (nsec3chain->done || nsec3chain->db != zone->db) {
+			ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+			ISC_LIST_APPEND(cleanup, nsec3chain, link);
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		UNLOCK_ZONE(zone);
+		if (ISC_LIST_TAIL(cleanup) == nsec3chain)
+			goto next_addchain;
+
+		/*
+		 * Possible future db.
+		 */
+		if (nsec3chain->db != db) {
+			goto next_addchain;
+		}
+
+		if (NSEC3REMOVE(nsec3chain->nsec3param.flags))
+			goto next_addchain;
+
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+
+		if (nsec3chain->delete_nsec) {
+			delegation = false;
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			CHECK(delete_nsec(db, version, node, name, &nsec_diff));
+			goto next_addnode;
+		}
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		delegation = false;
+		unsecure = false;
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			    result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				delegation = true;
+				goto next_addnode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		if (result == ISC_R_NOTFOUND)	/* Empty node? */
+			goto next_addnode;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec =
+			false;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			INSIST(rdataset.type != dns_rdatatype_nsec3);
+			if (rdataset.type == dns_rdatatype_soa)
+				seen_soa = true;
+			else if (rdataset.type == dns_rdatatype_ns)
+				seen_ns = true;
+			else if (rdataset.type == dns_rdatatype_dname)
+				seen_dname = true;
+			else if (rdataset.type == dns_rdatatype_ds)
+				seen_ds = true;
+			else if (rdataset.type == dns_rdatatype_nsec)
+				seen_nsec = true;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		/*
+		 * Is there a NSEC chain than needs to be cleaned up?
+		 */
+		if (seen_nsec)
+			nsec3chain->seen_nsec = true;
+		if (seen_ns && !seen_soa && !seen_ds)
+			unsecure = true;
+		if ((seen_ns && !seen_soa) || seen_dname)
+			delegation = true;
+
+		/*
+		 * Process one node.
+		 */
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		result = dns_nsec3_addnsec3(db, version, name,
+					    &nsec3chain->nsec3param,
+					    zone->minimum, unsecure,
+					    &nsec3_diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "dns_nsec3_addnsec3 -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * Treat each call to dns_nsec3_addnsec3() as if it's cost is
+		 * two signatures.  Additionally there will, in general, be
+		 * two signature generated below.
+		 *
+		 * If we are only changing the optout flag the cost is half
+		 * that of the cost of generating a completely new chain.
+		 */
+		signatures -= 4;
+
+		/*
+		 * Go onto next node.
+		 */
+ next_addnode:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+
+			if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       false, privatetype,
+						       &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			}
+			if (result == ISC_R_NOMORE) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				if (nsec3chain->seen_nsec) {
+					CHECK(fixup_nsec3param(db, version,
+							       nsec3chain,
+							       true,
+							       privatetype,
+							       &param_diff));
+					nsec3chain->delete_nsec = true;
+					goto same_addchain;
+				}
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       false, privatetype,
+						       &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_dbiterator_next -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ same_addchain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		first = true;
+		continue;
+
+ next_addchain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = true;
+		if (nsec3chain != NULL)
+			nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+	}
+
+	if (nsec3chain != NULL)
+		goto skip_removals;
+
+	/*
+	 * Process removals.
+	 *
+	 * This is a counterpart of the above while loop which takes care of
+	 * removing an NSEC3 chain.  It starts with determining whether the
+	 * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
+	 * NSEC chain by iterating over all nodes in the zone database and only
+	 * then goes on to remove NSEC3 records be iterating over all nodes
+	 * again and calling deletematchingnsec3() for each of them; otherwise,
+	 * it starts removing NSEC3 records immediately.  Rules for processing
+	 * obscured nodes and interrupting work are the same as for the while
+	 * loop above.
+	 */
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = true;
+	buildnsecchain = false;
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+		UNLOCK_ZONE(zone);
+
+		if (nsec3chain->db != db)
+			goto next_removechain;
+
+		if (!NSEC3REMOVE(nsec3chain->nsec3param.flags))
+			goto next_removechain;
+
+		/*
+		 * Work out if we need to build a NSEC chain as a consequence
+		 * of removing this NSEC3 chain.
+		 */
+		if (first && !updatensec &&
+		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
+		{
+			result = need_nsec_chain(db, version,
+						 &nsec3chain->nsec3param,
+						 &buildnsecchain);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "need_nsec_chain -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}
+
+		if (first)
+			dns_zone_log(zone, ISC_LOG_DEBUG(3), "zone_nsec3chain:"
+				     "buildnsecchain = %u\n", buildnsecchain);
+
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+		delegation = false;
+
+		if (!buildnsecchain) {
+			/*
+			 * Delete the NSEC3PARAM record matching this chain.
+			 */
+			if (first) {
+				result = fixup_nsec3param(db, version,
+							  nsec3chain,
+							  true, privatetype,
+							  &param_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "zone_nsec3chain:"
+						     "fixup_nsec3param -> %s",
+						     dns_result_totext(result));
+					goto failure;
+				}
+			}
+
+			/*
+			 * Delete the NSEC3 records.
+			 */
+			result = deletematchingnsec3(db, version, node, name,
+						     &nsec3chain->nsec3param,
+						     &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "deletematchingnsec3 -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			}
+			goto next_removenode;
+		}
+
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				delegation = true;
+				goto next_removenode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		if (result == ISC_R_NOTFOUND)	/* Empty node? */
+			goto next_removenode;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
+			seen_rr = false;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_soa)
+				seen_soa = true;
+			else if (rdataset.type == dns_rdatatype_ns)
+				seen_ns = true;
+			else if (rdataset.type == dns_rdatatype_dname)
+				seen_dname = true;
+			else if (rdataset.type == dns_rdatatype_nsec)
+				seen_nsec = true;
+			else if (rdataset.type == dns_rdatatype_nsec3)
+				seen_nsec3 = true;
+			if (rdataset.type != dns_rdatatype_rrsig)
+				seen_rr = true;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+
+		if (!seen_rr || seen_nsec3 || seen_nsec)
+			goto next_removenode;
+		if ((seen_ns && !seen_soa) || seen_dname)
+			delegation = true;
+
+		/*
+		 * Add a NSEC record except at the origin.
+		 */
+		if (!dns_name_equal(name, dns_db_origin(db))) {
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			CHECK(add_nsec(db, version, name, node, zone->minimum,
+				       delegation, &nsec_diff));
+			signatures--;
+		}
+
+ next_removenode:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+			if (result == ISC_R_NOMORE && buildnsecchain) {
+				/*
+				 * The NSEC chain should now be built.
+				 * We can now remove the NSEC3 chain.
+				 */
+				updatensec = true;
+				goto same_removechain;
+			}
+			if (result == ISC_R_NOMORE) {
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				result = fixup_nsec3param(db, version,
+							  nsec3chain, false,
+							  privatetype,
+							  &param_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "zone_nsec3chain:"
+						     "fixup_nsec3param -> %s",
+						     dns_result_totext(result));
+					goto failure;
+				}
+				goto next_removechain;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_dbiterator_next -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ same_removechain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		buildnsecchain = false;
+		first = true;
+		continue;
+
+ next_removechain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = true;
+	}
+
+ skip_removals:
+	/*
+	 * We may need to update the NSEC/NSEC3 records for the zone apex.
+	 */
+	if (!ISC_LIST_EMPTY(param_diff.tuples)) {
+		bool rebuild_nsec = false,
+			      rebuild_nsec3 = false;
+		result = dns_db_getoriginnode(db, &node);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "dns_db_allrdatasets -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_nsec)
+				rebuild_nsec = true;
+			if (rdataset.type == dns_rdatatype_nsec3param)
+				rebuild_nsec3 = true;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		dns_db_detachnode(db, &node);
+
+		if (rebuild_nsec) {
+			if (nsec3chain != NULL)
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+
+			result = updatesecure(db, version, &zone->origin,
+					      zone->minimum, true,
+					      &nsec_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "updatesecure -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}
+
+		if (rebuild_nsec3) {
+			if (nsec3chain != NULL)
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+
+			result = dns_nsec3_addnsec3s(db, version,
+						     dns_db_origin(db),
+						     zone->minimum, false,
+						     &nsec3_diff);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_nsec3_addnsec3s -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			}
+		}
+	}
+
+	/*
+	 * Add / update signatures for the NSEC3 records.
+	 */
+	if (nsec3chain != NULL)
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * We have changed the NSEC3PARAM or private RRsets
+	 * above so we need to update the signatures.
+	 */
+	result = dns__zone_updatesigs(&param_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	if (updatensec) {
+		result = updatesecure(db, version, &zone->origin,
+				      zone->minimum, false, &nsec_diff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "updatesecure -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * If we made no effective changes to the zone then we can just
+	 * cleanup otherwise we need to increment the serial.
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		/*
+		 * No need to call dns_db_closeversion() here as it is
+		 * called with commit = true below.
+		 */
+		goto done;
+	}
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, false);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "del_sigs -> %s", dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "update_soa_serial -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "add_sigs -> %s", dns_result_totext(result));
+		goto failure;
+	}
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_nsec3chain"));
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	UNLOCK_ZONE(zone);
+
+ done:
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 * Unconditionally commit as zonediff.offline not checked above.
+	 */
+	dns_db_closeversion(db, &version, true);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	nsec3chain = ISC_LIST_HEAD(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		nsec3chain = ISC_LIST_HEAD(cleanup);
+	}
+
+	set_resigntime(zone);
+
+ failure:
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain: %s",
+			     dns_result_totext(result));
+	/*
+	 * On error roll back the current nsec3chain.
+	 */
+	if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+	}
+
+	/*
+	 * Rollback the cleanup list.
+	 */
+	nsec3chain = ISC_LIST_TAIL(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			LOCK_ZONE(zone);
+			ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
+			UNLOCK_ZONE(zone);
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+		nsec3chain = ISC_LIST_TAIL(cleanup);
+	}
+
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	UNLOCK_ZONE(zone);
+
+	dns_diff_clear(&param_diff);
+	dns_diff_clear(&nsec3_diff);
+	dns_diff_clear(&nsec_diff);
+	dns_diff_clear(&_sig_diff);
+
+	if (iterator != NULL)
+		dns_rdatasetiter_destroy(&iterator);
+
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+
+	LOCK_ZONE(zone);
+	if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
+		isc_interval_t interval;
+		if (zone->update_disabled || result != ISC_R_SUCCESS)
+			isc_interval_set(&interval, 60, 0);	  /* 1 minute */
+		else
+			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+		isc_time_nowplusinterval(&zone->nsec3chaintime, &interval);
+	} else
+		isc_time_settoepoch(&zone->nsec3chaintime);
+	UNLOCK_ZONE(zone);
+
+	INSIST(version == NULL);
+}
+
+/*%
+ * Delete all RRSIG records with the given algorithm and keyid.
+ * Remove the NSEC record and RRSIGs if nkeys is zero.
+ * If all remaining RRsets are signed with the given algorithm
+ * set *has_algp to true.
+ */
+static isc_result_t
+del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
+	uint16_t keyid, bool *has_algp, dns_diff_t *diff)
+{
+	dns_rdata_rrsig_t rrsig;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *iterator = NULL;
+	isc_result_t result;
+	bool alg_missed = false;
+	bool alg_found = false;
+
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_name_format(name, namebuf, sizeof(namebuf));
+
+	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	for (result = dns_rdatasetiter_first(iterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator)) {
+		bool has_alg = false;
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
+			for (result = dns_rdataset_first(&rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&rdataset)) {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rdataset, &rdata);
+				CHECK(update_one_rr(db, version, diff,
+						    DNS_DIFFOP_DEL, name,
+						    rdataset.ttl, &rdata));
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (rdataset.type != dns_rdatatype_rrsig) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset))
+		{
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &rdata);
+			CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
+			if (nkeys != 0 &&
+			    (rrsig.algorithm != algorithm ||
+			     rrsig.keyid != keyid))
+			{
+				if (rrsig.algorithm == algorithm) {
+					has_alg = true;
+				}
+				continue;
+			}
+			CHECK(update_one_rr(db, version, diff,
+					    DNS_DIFFOP_DELRESIGN, name,
+					    rdataset.ttl, &rdata));
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE)
+			break;
+
+		/*
+		 * After deleting, if there's still a signature for
+		 * 'algorithm', set alg_found; if not, set alg_missed.
+		 */
+		if (has_alg) {
+			alg_found = true;
+		} else {
+			alg_missed = true;
+		}
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	/*
+	 * Set `has_algp` if the algorithm was found in every RRset:
+	 * i.e., found in at least one, and not missing from any.
+	 */
+	*has_algp = (alg_found && !alg_missed);
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_rdatasetiter_destroy(&iterator);
+	return (result);
+}
+
+/*
+ * Incrementally sign the zone using the keys requested.
+ * Builds the NSEC chain if required.
+ */
+static void
+zone_sign(dns_zone_t *zone) {
+	const char *me = "zone_sign";
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t _sig_diff;
+	dns_diff_t post_diff;
+	dns__zonediff_t zonediff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_signing_t *signing, *nextsigning;
+	dns_signinglist_t cleanup;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	int32_t signatures;
+	bool check_ksk, keyset_kskonly, is_ksk;
+	bool with_ksk, with_zsk;
+	bool commit = false;
+	bool is_bottom_of_zone;
+	bool build_nsec = false;
+	bool build_nsec3 = false;
+	bool first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire;
+	uint32_t jitter, sigvalidityinterval, expiryinterval;
+	unsigned int i, j;
+	unsigned int nkeys = 0;
+	uint32_t nodes;
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	name = dns_fixedname_initname(&fixed);
+	nextname = dns_fixedname_initname(&nextfixed);
+	dns_diff_init(zone->mctx, &_sig_diff);
+	dns_diff_init(zone->mctx, &post_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+
+	result = dns__zone_findkeys(zone, db, version, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:dns__zone_findkeys -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + sigvalidityinterval;
+	expiryinterval = dns_zone_getsigresigninginterval(zone);
+	if (expiryinterval > sigvalidityinterval) {
+		expiryinterval = sigvalidityinterval;
+	} else {
+		expiryinterval = sigvalidityinterval - expiryinterval;
+	}
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= expiryinterval;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	signing = ISC_LIST_HEAD(zone->signing);
+	first = true;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	/* Determine which type of chain to build */
+	CHECK(dns_private_chains(db, version, zone->privatetype,
+				 &build_nsec, &build_nsec3));
+
+	/* If neither chain is found, default to NSEC */
+	if (!build_nsec && !build_nsec3)
+		build_nsec = true;
+
+	while (signing != NULL && nodes-- > 0 && signatures > 0) {
+		bool has_alg = false;
+		nextsigning = ISC_LIST_NEXT(signing, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (signing->done || signing->db != zone->db) {
+			/*
+			 * The zone has been reloaded.	We will have
+			 * created new signings as part of the reload
+			 * process so we can destroy this one.
+			 */
+			ISC_LIST_UNLINK(zone->signing, signing, link);
+			ISC_LIST_APPEND(cleanup, signing, link);
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto next_signing;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+		if (signing->db != db)
+			goto next_signing;
+
+		is_bottom_of_zone = false;
+
+		if (first && signing->deleteit) {
+			/*
+			 * Remove the key we are deleting from consideration.
+			 */
+			for (i = 0, j = 0; i < nkeys; i++) {
+				/*
+				 * Find the key we want to remove.
+				 */
+				if (ALG(zone_keys[i]) == signing->algorithm &&
+				    dst_key_id(zone_keys[i]) == signing->keyid)
+				{
+					if (KSK(zone_keys[i]))
+						dst_key_free(&zone_keys[i]);
+					continue;
+				}
+				zone_keys[j] = zone_keys[i];
+				j++;
+			}
+			for (i = j; i < nkeys; i++) {
+				zone_keys[i] = NULL;
+			}
+			nkeys = j;
+		}
+
+		dns_dbiterator_current(signing->dbiterator, &node, name);
+
+		if (signing->deleteit) {
+			dns_dbiterator_pause(signing->dbiterator);
+			CHECK(del_sig(db, version, name, node, nkeys,
+				      signing->algorithm, signing->keyid,
+				      &has_alg, zonediff.diff));
+		}
+
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			found = dns_fixedname_initname(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				is_bottom_of_zone = true;
+				goto next_node;
+			}
+		}
+
+		/*
+		 * Process one node.
+		 */
+		with_ksk = false;
+		with_zsk = false;
+		dns_dbiterator_pause(signing->dbiterator);
+
+		CHECK(check_if_bottom_of_zone(db, node, version,
+					      &is_bottom_of_zone));
+
+		for (i = 0; !has_alg && i < nkeys; i++) {
+			bool both = false;
+
+			/*
+			 * Find the keys we want to sign with.
+			 */
+			if (!dst_key_isprivate(zone_keys[i]))
+				continue;
+			/*
+			 * Should be redundant.
+			 */
+			if (dst_key_inactive(zone_keys[i]))
+				continue;
+
+			/*
+			 * When adding look for the specific key.
+			 */
+			if (!signing->deleteit &&
+			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+			     dst_key_id(zone_keys[i]) != signing->keyid))
+				continue;
+
+			/*
+			 * When deleting make sure we are properly signed
+			 * with the algorithm that was being removed.
+			 */
+			if (signing->deleteit &&
+			    ALG(zone_keys[i]) != signing->algorithm)
+				continue;
+
+			/*
+			 * Do we do KSK processing?
+			 */
+			if (check_ksk && !REVOKE(zone_keys[i])) {
+				bool have_ksk, have_nonksk;
+				if (KSK(zone_keys[i])) {
+					have_ksk = true;
+					have_nonksk = false;
+				} else {
+					have_ksk = false;
+					have_nonksk = true;
+				}
+				for (j = 0; j < nkeys; j++) {
+					if (j == i ||
+					    ALG(zone_keys[i]) !=
+					    ALG(zone_keys[j]))
+						continue;
+					if (!dst_key_isprivate(zone_keys[j]))
+						continue;
+					/*
+					 * Should be redundant.
+					 */
+					if (dst_key_inactive(zone_keys[j]))
+						continue;
+					if (REVOKE(zone_keys[j]))
+						continue;
+					if (KSK(zone_keys[j]))
+						have_ksk = true;
+					else
+						have_nonksk = true;
+					both = have_ksk && have_nonksk;
+					if (both)
+						break;
+				}
+			}
+			if (both || REVOKE(zone_keys[i]))
+				is_ksk = KSK(zone_keys[i]);
+			else
+				is_ksk = false;
+
+			/*
+			 * If deleting signatures, we need to ensure that
+			 * the RRset is still signed at least once by a
+			 * KSK and a ZSK.
+			 */
+			if (signing->deleteit && !is_ksk && with_zsk) {
+				continue;
+			}
+
+			if (signing->deleteit && is_ksk && with_ksk) {
+				continue;
+			}
+
+			CHECK(sign_a_node(db, name, node, version, build_nsec3,
+					  build_nsec, zone_keys[i], inception,
+					  expire, zone->minimum, is_ksk,
+					  (both && keyset_kskonly),
+					  is_bottom_of_zone, zonediff.diff,
+					  &signatures, zone->mctx));
+			/*
+			 * If we are adding we are done.  Look for other keys
+			 * of the same algorithm if deleting.
+			 */
+			if (!signing->deleteit) {
+				break;
+			}
+			if (!is_ksk) {
+				with_zsk = true;
+			}
+			if (KSK(zone_keys[i])) {
+				with_ksk = true;
+			}
+		}
+
+		/*
+		 * Go onto next node.
+		 */
+ next_node:
+		first = false;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(signing->dbiterator);
+			if (result == ISC_R_NOMORE) {
+				ISC_LIST_UNLINK(zone->signing, signing, link);
+				ISC_LIST_APPEND(cleanup, signing, link);
+				dns_dbiterator_pause(signing->dbiterator);
+				if (nkeys != 0 && build_nsec) {
+					/*
+					 * We have finished regenerating the
+					 * zone with a zone signing key.
+					 * The NSEC chain is now complete and
+					 * there is a full set of signatures
+					 * for the zone.  We can now clear the
+					 * OPT bit from the NSEC record.
+					 */
+					result = updatesecure(db, version,
+							      &zone->origin,
+							      zone->minimum,
+							      false,
+							      &post_diff);
+					if (result != ISC_R_SUCCESS) {
+						dns_zone_log(zone,
+							     ISC_LOG_ERROR,
+						    "updatesecure -> %s",
+						    dns_result_totext(result));
+						goto failure;
+					}
+				}
+				result = updatesignwithkey(zone, signing,
+							   version,
+							   build_nsec3,
+							   zone->minimum,
+							   &post_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "updatesignwithkey -> %s",
+						     dns_result_totext(result));
+					goto failure;
+				}
+				build_nsec = false;
+				goto next_signing;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					"zone_sign:dns_dbiterator_next -> %s",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (is_bottom_of_zone) {
+				dns_dbiterator_current(signing->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ next_signing:
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = nextsigning;
+		first = true;
+	}
+
+	if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
+		result = dns__zone_updatesigs(&post_diff, db, version,
+					      zone_keys, nkeys, zone,
+					      inception, expire, now,
+					      check_ksk, keyset_kskonly,
+					      &zonediff);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
+				     "dns__zone_updatesigs -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	/*
+	 * Have we changed anything?
+	 */
+	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
+		if (zonediff.offline)
+			commit = true;
+		result = ISC_R_SUCCESS;
+		goto pauseall;
+	}
+
+	commit = true;
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &zonediff, zone_keys, nkeys, now, false);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:del_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = update_soa_serial(db, version, zonediff.diff, zone->mctx,
+				   zone->updatemethod);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:update_soa_serial -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  zonediff.diff, zone_keys, nkeys, zone->mctx,
+			  inception, soaexpire, check_ksk, keyset_kskonly);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:add_sigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Write changes to journal file.
+	 */
+	CHECK(zone_journal(zone, zonediff.diff, NULL, "zone_sign"));
+
+ pauseall:
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	for (signing = ISC_LIST_HEAD(cleanup);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 */
+	dns_db_closeversion(db, &version, commit);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	set_resigntime(zone);
+
+	if (commit) {
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		zone_needdump(zone, DNS_DUMP_DELAY);
+		UNLOCK_ZONE(zone);
+	}
+
+ failure:
+	/*
+	 * Pause all dbiterators.
+	 */
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	/*
+	 * Rollback the cleanup list.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		ISC_LIST_PREPEND(zone->signing, signing, link);
+		dns_dbiterator_first(signing->dbiterator);
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	dns_diff_clear(&_sig_diff);
+
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+
+	if (ISC_LIST_HEAD(zone->signing) != NULL) {
+		isc_interval_t interval;
+		if (zone->update_disabled || result != ISC_R_SUCCESS)
+			isc_interval_set(&interval, 60, 0);	  /* 1 minute */
+		else
+			isc_interval_set(&interval, 0, 10000000); /* 10 ms */
+		isc_time_nowplusinterval(&zone->signingtime, &interval);
+	} else
+		isc_time_settoepoch(&zone->signingtime);
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+normalize_key(dns_rdata_t *rr, dns_rdata_t *target,
+	      unsigned char *data, int size)
+{
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_keydata_t keydata;
+	isc_buffer_t buf;
+	isc_result_t result;
+
+	dns_rdata_reset(target);
+	isc_buffer_init(&buf, data, size);
+
+	switch (rr->type) {
+	    case dns_rdatatype_dnskey:
+		result = dns_rdata_tostruct(rr, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dnskey.flags &= ~DNS_KEYFLAG_REVOKE;
+		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+				     &dnskey, &buf);
+		break;
+	    case dns_rdatatype_keydata:
+		result = dns_rdata_tostruct(rr, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND)
+			return (result);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+		dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey,
+				     &dnskey, &buf);
+		break;
+	    default:
+		INSIST(0);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * 'rdset' contains either a DNSKEY rdataset from the zone apex, or
+ * a KEYDATA rdataset from the key zone.
+ *
+ * 'rr' contains either a DNSKEY record, or a KEYDATA record
+ *
+ * After normalizing keys to the same format (DNSKEY, with revoke bit
+ * cleared), return true if a key that matches 'rr' is found in
+ * 'rdset', or false if not.
+ */
+
+static bool
+matchkey(dns_rdataset_t *rdset, dns_rdata_t *rr) {
+	unsigned char data1[4096], data2[4096];
+	dns_rdata_t rdata, rdata1, rdata2;
+	isc_result_t result;
+
+	dns_rdata_init(&rdata);
+	dns_rdata_init(&rdata1);
+	dns_rdata_init(&rdata2);
+
+	result = normalize_key(rr, &rdata1, data1, sizeof(data1));
+	if (result != ISC_R_SUCCESS)
+		return (false);
+
+	for (result = dns_rdataset_first(rdset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(rdset, &rdata);
+		result = normalize_key(&rdata, &rdata2, data2, sizeof(data2));
+		if (result != ISC_R_SUCCESS)
+			continue;
+		if (dns_rdata_compare(&rdata1, &rdata2) == 0)
+			return (true);
+	}
+
+	return (false);
+}
+
+/*
+ * Calculate the refresh interval for a keydata zone, per
+ * RFC5011: MAX(1 hr,
+ *		MIN(15 days,
+ *		    1/2 * OrigTTL,
+ *		    1/2 * RRSigExpirationInterval))
+ * or for retries: MAX(1 hr,
+ *		       MIN(1 day,
+ *			   1/10 * OrigTTL,
+ *			   1/10 * RRSigExpirationInterval))
+ */
+static inline isc_stdtime_t
+refresh_time(dns_keyfetch_t *kfetch, bool retry) {
+	isc_result_t result;
+	uint32_t t;
+	dns_rdataset_t *rdset;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_sig_t sig;
+	isc_stdtime_t now;
+
+	isc_stdtime_get(&now);
+
+	if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
+		rdset = &kfetch->dnskeysigset;
+	else
+		return (now + dns_zone_mkey_hour);
+
+	result = dns_rdataset_first(rdset);
+	if (result != ISC_R_SUCCESS)
+		return (now + dns_zone_mkey_hour);
+
+	dns_rdataset_current(rdset, &sigrr);
+	result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (!retry) {
+		t = sig.originalttl / 2;
+
+		if (isc_serial_gt(sig.timeexpire, now)) {
+			uint32_t exp = (sig.timeexpire - now) / 2;
+			if (t > exp)
+				t = exp;
+		}
+
+		if (t > (15 * dns_zone_mkey_day))
+			t = (15 * dns_zone_mkey_day);
+
+		if (t < dns_zone_mkey_hour)
+			t = dns_zone_mkey_hour;
+	} else {
+		t = sig.originalttl / 10;
+
+		if (isc_serial_gt(sig.timeexpire, now)) {
+			uint32_t exp = (sig.timeexpire - now) / 10;
+			if (t > exp)
+				t = exp;
+		}
+
+		if (t > dns_zone_mkey_day)
+			t = dns_zone_mkey_day;
+
+		if (t < dns_zone_mkey_hour)
+			t = dns_zone_mkey_hour;
+	}
+
+	return (now + t);
+}
+
+/*
+ * This routine is called when no changes are needed in a KEYDATA
+ * record except to simply update the refresh timer.  Caller should
+ * hold zone lock.
+ */
+static isc_result_t
+minimal_update(dns_keyfetch_t *kfetch, dns_dbversion_t *ver, dns_diff_t *diff)
+{
+	isc_result_t result;
+	isc_buffer_t keyb;
+	unsigned char key_buf[4096];
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t keydata;
+	dns_name_t *name;
+	dns_zone_t *zone = kfetch->zone;
+	isc_stdtime_t now;
+
+	name = dns_fixedname_name(&kfetch->name);
+	isc_stdtime_get(&now);
+
+	for (result = dns_rdataset_first(&kfetch->keydataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->keydataset)) {
+		dns_rdata_reset(&rdata);
+		dns_rdataset_current(&kfetch->keydataset, &rdata);
+
+		/* Delete old version */
+		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_DEL,
+				    name, 0, &rdata));
+
+		/* Update refresh timer */
+		result = dns_rdata_tostruct(&rdata, &keydata, NULL);
+		if (result == ISC_R_UNEXPECTEDEND)
+			continue;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+		keydata.refresh = refresh_time(kfetch, true);
+		set_refreshkeytimer(zone, &keydata, now, false);
+
+		dns_rdata_reset(&rdata);
+		isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+		CHECK(dns_rdata_fromstruct(&rdata,
+					   zone->rdclass, dns_rdatatype_keydata,
+					   &keydata, &keyb));
+
+		/* Insert updated version */
+		CHECK(update_one_rr(kfetch->db, ver, diff, DNS_DIFFOP_ADD,
+				    name, 0, &rdata));
+	}
+	result = ISC_R_SUCCESS;
+  failure:
+	return (result);
+}
+
+/*
+ * Verify that DNSKEY set is signed by the key specified in 'keydata'.
+ */
+static bool
+revocable(dns_keyfetch_t *kfetch, dns_rdata_keydata_t *keydata) {
+	isc_result_t result;
+	dns_name_t *keyname;
+	isc_mem_t *mctx;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_t rr = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_dnskey_t dnskey;
+	dst_key_t *dstkey = NULL;
+	unsigned char key_buf[4096];
+	isc_buffer_t keyb;
+	bool answer = false;
+
+	REQUIRE(kfetch != NULL && keydata != NULL);
+	REQUIRE(dns_rdataset_isassociated(&kfetch->dnskeysigset));
+
+	keyname = dns_fixedname_name(&kfetch->name);
+	mctx = kfetch->zone->view->mctx;
+
+	/* Generate a key from keydata */
+	isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+	dns_keydata_todnskey(keydata, &dnskey, NULL);
+	dns_rdata_fromstruct(&rr, keydata->common.rdclass,
+			     dns_rdatatype_dnskey, &dnskey, &keyb);
+	result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+
+	/* See if that key generated any of the signatures */
+	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->dnskeysigset))
+	{
+		dns_fixedname_t fixed;
+		dns_fixedname_init(&fixed);
+
+		dns_rdata_reset(&sigrr);
+		dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
+		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dst_key_alg(dstkey) == sig.algorithm &&
+		    dst_key_rid(dstkey) == sig.keyid)
+		{
+			result = dns_dnssec_verify2(keyname,
+					    &kfetch->dnskeyset,
+					    dstkey, false, mctx, &sigrr,
+					    dns_fixedname_name(&fixed));
+
+			dns_zone_log(kfetch->zone, ISC_LOG_DEBUG(3),
+				     "Confirm revoked DNSKEY is self-signed: "
+				     "%s", dns_result_totext(result));
+
+			if (result == ISC_R_SUCCESS) {
+				answer = true;
+				break;
+			}
+		}
+	}
+
+	dst_key_free(&dstkey);
+	return (answer);
+}
+
+/*
+ * A DNSKEY set has been fetched from the zone apex of a zone whose trust
+ * anchors are being managed; scan the keyset, and update the key zone and the
+ * local trust anchors according to RFC5011.
+ */
+static void
+keyfetch_done(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result, eresult;
+	dns_fetchevent_t *devent;
+	dns_keyfetch_t *kfetch;
+	dns_zone_t *zone;
+	isc_mem_t *mctx = NULL;
+	dns_keytable_t *secroots = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	bool alldone = false;
+	bool commit = false;
+	dns_name_t *keyname;
+	dns_rdata_t sigrr = DNS_RDATA_INIT;
+	dns_rdata_t dnskeyrr = DNS_RDATA_INIT;
+	dns_rdata_t keydatarr = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_keydata_t keydata;
+	bool initializing;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned char key_buf[4096];
+	isc_buffer_t keyb;
+	dst_key_t *dstkey;
+	isc_stdtime_t now;
+	int pending = 0;
+	bool secure = false;
+	bool free_needed;
+
+	UNUSED(task);
+	INSIST(event != NULL && event->ev_type == DNS_EVENT_FETCHDONE);
+	INSIST(event->ev_arg != NULL);
+
+	kfetch = event->ev_arg;
+	zone = kfetch->zone;
+	isc_mem_attach(zone->mctx, &mctx);
+	keyname = dns_fixedname_name(&kfetch->name);
+
+	devent = (dns_fetchevent_t *) event;
+	eresult = devent->result;
+
+	/* Free resources which are not of interest */
+	if (devent->node != NULL)
+		dns_db_detachnode(devent->db, &devent->node);
+	if (devent->db != NULL)
+		dns_db_detach(&devent->db);
+	isc_event_free(&event);
+	dns_resolver_destroyfetch(&kfetch->fetch);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || zone->view == NULL)
+		goto cleanup;
+
+	isc_stdtime_get(&now);
+	dns_name_format(keyname, namebuf, sizeof(namebuf));
+
+	result = dns_view_getsecroots(zone->view, &secroots);
+	INSIST(result == ISC_R_SUCCESS);
+
+	dns_diff_init(mctx, &diff);
+
+	CHECK(dns_db_newversion(kfetch->db, &ver));
+
+	zone->refreshkeycount--;
+	alldone = (zone->refreshkeycount == 0);
+
+	if (alldone)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		     "Returned from key fetch in keyfetch_done() for "
+		     "'%s': %s", namebuf, dns_result_totext(eresult));
+
+	/* Fetch failed */
+	if (eresult != ISC_R_SUCCESS ||
+	    !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "Unable to fetch DNSKEY set "
+			     "'%s': %s", namebuf, dns_result_totext(eresult));
+		CHECK(minimal_update(kfetch, ver, &diff));
+		goto done;
+	}
+
+	/* No RRSIGs found */
+	if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "No DNSKEY RRSIGs found for "
+			     "'%s': %s", namebuf, dns_result_totext(eresult));
+		CHECK(minimal_update(kfetch, ver, &diff));
+		goto done;
+	}
+
+	/*
+	 * Clear any cached trust level, as we need to run validation
+	 * over again; trusted keys might have changed.
+	 */
+	kfetch->dnskeyset.trust = kfetch->dnskeysigset.trust = dns_trust_none;
+
+	/*
+	 * Validate the dnskeyset against the current trusted keys.
+	 */
+	for (result = dns_rdataset_first(&kfetch->dnskeysigset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->dnskeysigset)) {
+		dns_keynode_t *keynode = NULL;
+
+		dns_rdata_reset(&sigrr);
+		dns_rdataset_current(&kfetch->dnskeysigset, &sigrr);
+		result = dns_rdata_tostruct(&sigrr, &sig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		result = dns_keytable_find(secroots, keyname, &keynode);
+		while (result == ISC_R_SUCCESS) {
+			dns_keynode_t *nextnode = NULL;
+			dns_fixedname_t fixed;
+			dns_fixedname_init(&fixed);
+
+			dstkey = dns_keynode_key(keynode);
+			if (dstkey == NULL) /* fail_secure() was called */
+				break;
+
+			if (dst_key_alg(dstkey) == sig.algorithm &&
+			    dst_key_id(dstkey) == sig.keyid) {
+				result = dns_dnssec_verify2(keyname,
+						    &kfetch->dnskeyset,
+						    dstkey, false,
+						    zone->view->mctx, &sigrr,
+						    dns_fixedname_name(&fixed));
+
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Verifying DNSKEY set for zone "
+					     "'%s' using key %d/%d: %s",
+					     namebuf, sig.keyid, sig.algorithm,
+					     dns_result_totext(result));
+
+				if (result == ISC_R_SUCCESS) {
+					kfetch->dnskeyset.trust =
+						dns_trust_secure;
+					kfetch->dnskeysigset.trust =
+						dns_trust_secure;
+					break;
+				}
+			}
+
+			result = dns_keytable_nextkeynode(secroots,
+							  keynode, &nextnode);
+			dns_keytable_detachkeynode(secroots, &keynode);
+			keynode = nextnode;
+		}
+
+		if (keynode != NULL)
+			dns_keytable_detachkeynode(secroots, &keynode);
+
+		if (kfetch->dnskeyset.trust == dns_trust_secure) {
+			secure = true;
+			break;
+		}
+	}
+
+	/*
+	 * If we were not able to verify the answer using the current
+	 * trusted keys then all we can do is look at any revoked keys.
+	 */
+
+	if (!secure) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "DNSKEY set for zone '%s' could not be verified "
+			     "with current keys", namebuf);
+	}
+
+	/*
+	 * First scan keydataset to find keys that are not in dnskeyset
+	 *   - Missing keys which are not scheduled for removal,
+	 *     log a warning
+	 *   - Missing keys which are scheduled for removal and
+	 *     the remove hold-down timer has completed should
+	 *     be removed from the key zone
+	 *   - Missing keys whose acceptance timers have not yet
+	 *     completed, log a warning and reset the acceptance
+	 *     timer to 30 days in the future
+	 *   - All keys not being removed have their refresh timers
+	 *     updated
+	 */
+	initializing = true;
+	for (result = dns_rdataset_first(&kfetch->keydataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->keydataset))
+	{
+		dns_keytag_t keytag;
+
+		dns_rdata_reset(&keydatarr);
+		dns_rdataset_current(&kfetch->keydataset, &keydatarr);
+		result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * If any keydata record has a nonzero add holddown, then
+		 * there was a pre-existing trust anchor for this domain;
+		 * that means we are *not* initializing it and shouldn't
+		 * automatically trust all the keys we find at the zone apex.
+		 */
+		initializing = initializing && (keydata.addhd == 0);
+
+		if (! matchkey(&kfetch->dnskeyset, &keydatarr)) {
+			bool deletekey = false;
+
+			if (!secure) {
+				if (keydata.removehd != 0 &&
+				    keydata.removehd <= now) {
+					deletekey = true;
+				}
+			} else if (keydata.addhd == 0) {
+				deletekey = true;
+			} else if (keydata.addhd > now) {
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Pending key %d for zone %s "
+					     "unexpectedly missing "
+					     "restarting 30-day acceptance "
+					     "timer", keytag, namebuf);
+				if (keydata.addhd < now + dns_zone_mkey_month)
+					keydata.addhd =
+						now + dns_zone_mkey_month;
+				keydata.refresh = refresh_time(kfetch,
+							       false);
+			} else if (keydata.removehd == 0) {
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Active key %d for zone %s "
+					     "unexpectedly missing",
+					     keytag, namebuf);
+				keydata.refresh = now + dns_zone_mkey_hour;
+			} else if (keydata.removehd <= now) {
+				deletekey = true;
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Revoked key %d for zone %s "
+					     "missing: deleting from "
+					     "managed keys database",
+					     keytag, namebuf);
+			} else {
+				keydata.refresh = refresh_time(kfetch,
+							       false);
+			}
+
+			if (secure || deletekey) {
+				/* Delete old version */
+				CHECK(update_one_rr(kfetch->db, ver, &diff,
+						    DNS_DIFFOP_DEL, keyname, 0,
+						    &keydatarr));
+			}
+
+			if (!secure || deletekey)
+				continue;
+
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata,
+					     &keydata, &keyb);
+
+			/* Insert updated version */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+
+			set_refreshkeytimer(zone, &keydata, now, false);
+		}
+	}
+
+	/*
+	 * Next scan dnskeyset:
+	 *   - If new keys are found (i.e., lacking a match in keydataset)
+	 *     add them to the key zone and set the acceptance timer
+	 *     to 30 days in the future (or to immediately if we've
+	 *     determined that we're initializing the zone for the
+	 *     first time)
+	 *   - Previously-known keys that have been revoked
+	 *     must be scheduled for removal from the key zone (or,
+	 *     if they hadn't been accepted as trust anchors yet
+	 *     anyway, removed at once)
+	 *   - Previously-known unrevoked keys whose acceptance timers
+	 *     have completed are promoted to trust anchors
+	 *   - All keys not being removed have their refresh
+	 *     timers updated
+	 */
+	for (result = dns_rdataset_first(&kfetch->dnskeyset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&kfetch->dnskeyset))
+	{
+		bool revoked = false;
+		bool newkey = false;
+		bool updatekey = false;
+		bool deletekey = false;
+		bool trustkey = false;
+		dns_keytag_t keytag;
+
+		dns_rdata_reset(&dnskeyrr);
+		dns_rdataset_current(&kfetch->dnskeyset, &dnskeyrr);
+		result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/* Skip ZSK's */
+		if (!(dnskey.flags & DNS_KEYFLAG_KSK))
+			continue;
+
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * Skip if we cannot compute the key tag.
+			 * This may happen if the algorithm is unsupported
+			 */
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				"Cannot compute tag for key in zone %s: %s "
+				"(skipping)",
+				namebuf, dns_result_totext(result));
+			continue;
+		}
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		revoked = (dnskey.flags & DNS_KEYFLAG_REVOKE);
+
+		if (matchkey(&kfetch->keydataset, &dnskeyrr)) {
+			dns_rdata_reset(&keydatarr);
+			dns_rdataset_current(&kfetch->keydataset, &keydatarr);
+			result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (revoked && revocable(kfetch, &keydata)) {
+				if (keydata.addhd > now) {
+					/*
+					 * Key wasn't trusted yet, and now
+					 * it's been revoked?  Just remove it
+					 */
+					deletekey = true;
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "Pending key %d "
+						     "for zone %s is now "
+						     "revoked: "
+						     "deleting from the "
+						     "managed keys database",
+						     keytag, namebuf);
+				} else if (keydata.removehd == 0) {
+					/*
+					 * Remove key from secroots.
+					 */
+					dns_view_untrust(zone->view, keyname,
+							 &dnskey, mctx);
+
+					/* If initializing, delete now */
+					if (keydata.addhd == 0)
+						deletekey = true;
+					else {
+						keydata.removehd = now +
+							dns_zone_mkey_month;
+						keydata.flags |=
+							DNS_KEYFLAG_REVOKE;
+					}
+
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Trusted key %d "
+						     "for zone %s is now "
+						     "revoked",
+						     keytag, namebuf);
+				} else if (keydata.removehd < now) {
+					/* Scheduled for removal */
+					deletekey = true;
+
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Revoked key %d "
+						     "for zone %s removal "
+						     "timer complete: "
+						     "deleting from the "
+						     "managed keys database",
+						     keytag, namebuf);
+				}
+			} else if (revoked && keydata.removehd == 0) {
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "Active key %d for zone "
+					     "%s is revoked but "
+					     "did not self-sign; "
+					     "ignoring", keytag, namebuf);
+					continue;
+			} else if (secure) {
+				if (keydata.removehd != 0) {
+					/*
+					 * Key isn't revoked--but it
+					 * seems it used to be.
+					 * Remove it now and add it
+					 * back as if it were a fresh key,
+					 * with a 30-day acceptance timer.
+					 */
+					deletekey = true;
+					newkey = true;
+					keydata.removehd = 0;
+					keydata.addhd =
+						now + dns_zone_mkey_month;
+
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "Revoked key %d "
+						     "for zone %s "
+						     "has returned: starting "
+						     "30-day acceptance timer",
+						     keytag, namebuf);
+				} else if (keydata.addhd > now)
+					pending++;
+				else if (keydata.addhd == 0)
+					keydata.addhd = now;
+
+				if (keydata.addhd <= now) {
+					trustkey = true;
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Key %d for zone %s "
+						     "acceptance timer "
+						     "complete: "
+						     "key now trusted",
+						     keytag, namebuf);
+				}
+			} else if (keydata.addhd > now) {
+				/*
+				 * Not secure, and key is pending:
+				 * reset the acceptance timer
+				 */
+				pending++;
+				keydata.addhd = now + dns_zone_mkey_month;
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Pending key %d "
+					     "for zone %s was "
+					     "not validated: restarting "
+					     "30-day acceptance timer",
+					     keytag, namebuf);
+			}
+
+			if (!deletekey && !newkey)
+				updatekey = true;
+		} else if (secure) {
+			/*
+			 * Key wasn't in the key zone but it's
+			 * revoked now anyway, so just skip it
+			 */
+			if (revoked)
+				continue;
+
+			/* Key wasn't in the key zone: add it */
+			newkey = true;
+
+			if (initializing) {
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "Initializing automatic trust "
+					     "anchor management for zone '%s'; "
+					     "DNSKEY ID %d is now trusted, "
+					     "waiving the normal 30-day "
+					     "waiting period.",
+					     namebuf, keytag);
+				trustkey = true;
+			} else {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "New key %d observed "
+					     "for zone '%s': "
+					     "starting 30-day "
+					     "acceptance timer",
+					     keytag, namebuf);
+			}
+		} else {
+			/*
+			 * No previously known key, and the key is not
+			 * secure, so skip it.
+			 */
+			continue;
+		}
+
+		/* Delete old version */
+		if (deletekey || !newkey)
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_DEL, keyname, 0,
+					    &keydatarr));
+
+		if (updatekey) {
+			/* Set refresh timer */
+			keydata.refresh = refresh_time(kfetch, false);
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata,
+					     &keydata, &keyb);
+
+			/* Insert updated version */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+		} else if (newkey) {
+			/* Convert DNSKEY to KEYDATA */
+			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_keydata_fromdnskey(&keydata, &dnskey, 0, 0, 0,
+					       NULL);
+			keydata.addhd = initializing
+					 ? now : now + dns_zone_mkey_month;
+			keydata.refresh = refresh_time(kfetch, false);
+			dns_rdata_reset(&keydatarr);
+			isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+			dns_rdata_fromstruct(&keydatarr, zone->rdclass,
+					     dns_rdatatype_keydata,
+					     &keydata, &keyb);
+
+			/* Insert into key zone */
+			CHECK(update_one_rr(kfetch->db, ver, &diff,
+					    DNS_DIFFOP_ADD, keyname, 0,
+					    &keydatarr));
+		}
+
+		if (trustkey) {
+			/* Trust this key. */
+			result = dns_rdata_tostruct(&dnskeyrr, &dnskey, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			trust_key(zone, keyname, &dnskey, mctx);
+		}
+
+		if (secure && !deletekey) {
+			INSIST(newkey || updatekey);
+			set_refreshkeytimer(zone, &keydata, now, false);
+		}
+	}
+
+	/*
+	 * RFC5011 says, "A trust point that has all of its trust anchors
+	 * revoked is considered deleted and is treated as if the trust
+	 * point was never configured."  But if someone revoked their
+	 * active key before the standby was trusted, that would mean the
+	 * zone would suddenly be nonsecured.  We avoid this by checking to
+	 * see if there's pending keydata.  If so, we put a null key in
+	 * the security roots; then all queries to the zone will fail.
+	 */
+	if (pending != 0)
+		fail_secure(zone, keyname);
+
+ done:
+
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(kfetch->db, ver, &diff, mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "keyfetch_done"));
+		commit = true;
+
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+	} else if (result == ISC_R_NOMORE) {
+		/*
+		 * If "updatekey" was true for all keys found in the DNSKEY
+		 * response and the previous update of those keys happened
+		 * during the same second (only possible if a key refresh was
+		 * externally triggered), it may happen that all relevant
+		 * update_one_rr() calls will return ISC_R_SUCCESS, but
+		 * diff.tuples will remain empty.  Reset result to
+		 * ISC_R_SUCCESS to prevent a bogus warning from being logged.
+		 */
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+
+	dns_diff_clear(&diff);
+	if (ver != NULL)
+		dns_db_closeversion(kfetch->db, &ver, commit);
+
+ cleanup:
+	dns_db_detach(&kfetch->db);
+
+	INSIST(zone->irefs > 0);
+	zone->irefs--;
+	kfetch->zone = NULL;
+
+	if (dns_rdataset_isassociated(&kfetch->keydataset))
+		dns_rdataset_disassociate(&kfetch->keydataset);
+	if (dns_rdataset_isassociated(&kfetch->dnskeyset))
+		dns_rdataset_disassociate(&kfetch->dnskeyset);
+	if (dns_rdataset_isassociated(&kfetch->dnskeysigset))
+		dns_rdataset_disassociate(&kfetch->dnskeysigset);
+
+	dns_name_free(keyname, mctx);
+	isc_mem_put(mctx, kfetch, sizeof(dns_keyfetch_t));
+	isc_mem_detach(&mctx);
+
+	if (secroots != NULL)
+		dns_keytable_detach(&secroots);
+
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+	if (free_needed)
+		zone_free(zone);
+
+	INSIST(ver == NULL);
+}
+
+/*
+ * Refresh the data in the key zone.  Initiate a fetch to get new DNSKEY
+ * records from the zone apex.
+ */
+static void
+zone_refreshkeys(dns_zone_t *zone) {
+	const char me[] = "zone_refreshkeys";
+	isc_result_t result;
+	dns_rriterator_t rrit;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_diff_t diff;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_keydata_t kd;
+	isc_stdtime_t now;
+	bool commit = false;
+	bool fetching = false, fetch_err = false;
+
+	ENTER;
+	REQUIRE(zone->db != NULL);
+
+	isc_stdtime_get(&now);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		isc_time_settoepoch(&zone->refreshkeytime);
+		UNLOCK_ZONE(zone);
+		return;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	dns_diff_init(zone->mctx, &diff);
+
+	CHECK(dns_db_newversion(db, &ver));
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+	dns_rriterator_init(&rrit, db, ver, 0);
+	for (result = dns_rriterator_first(&rrit);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rriterator_nextrrset(&rrit)) {
+		isc_stdtime_t timer = 0xffffffff;
+		dns_name_t *name = NULL, *kname = NULL;
+		dns_rdataset_t *kdset = NULL;
+		dns_keyfetch_t *kfetch;
+		uint32_t ttl;
+
+		dns_rriterator_current(&rrit, &name, &ttl, &kdset, NULL);
+		if (kdset == NULL || kdset->type != dns_rdatatype_keydata ||
+		    !dns_rdataset_isassociated(kdset))
+			continue;
+
+		/*
+		 * Scan the stored keys looking for ones that need
+		 * removal or refreshing
+		 */
+		for (result = dns_rdataset_first(kdset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(kdset)) {
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(kdset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &kd, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			/* Removal timer expired? */
+			if (kd.removehd != 0 && kd.removehd < now) {
+				CHECK(update_one_rr(db, ver, &diff,
+						    DNS_DIFFOP_DEL, name, ttl,
+						    &rdata));
+				continue;
+			}
+
+			/* Acceptance timer expired? */
+			if (kd.addhd <= now)
+				timer = kd.addhd;
+
+			/* Or do we just need to refresh the keyset? */
+			if (timer > kd.refresh)
+				timer = kd.refresh;
+		}
+
+		if (timer > now)
+			continue;
+
+		kfetch = isc_mem_get(zone->mctx, sizeof(dns_keyfetch_t));
+		if (kfetch == NULL) {
+			fetch_err = true;
+			goto failure;
+		}
+
+		zone->refreshkeycount++;
+		kfetch->zone = zone;
+		zone->irefs++;
+		INSIST(zone->irefs != 0);
+		kname = dns_fixedname_initname(&kfetch->name);
+		dns_name_dup(name, zone->mctx, kname);
+		dns_rdataset_init(&kfetch->dnskeyset);
+		dns_rdataset_init(&kfetch->dnskeysigset);
+		dns_rdataset_init(&kfetch->keydataset);
+		dns_rdataset_clone(kdset, &kfetch->keydataset);
+		kfetch->db = NULL;
+		dns_db_attach(db, &kfetch->db);
+		kfetch->fetch = NULL;
+
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(kname, namebuf,
+					sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "Creating key fetch in "
+				     "zone_refreshkeys() for '%s'",
+				     namebuf);
+		}
+
+		/*
+		 * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is
+		 * not set and the cache still holds a non-expired, validated
+		 * version of the RRset being queried for by the time the
+		 * response is received, the cached RRset will be passed to
+		 * keyfetch_done() instead of the one received in the response
+		 * as the latter will have a lower trust level due to not being
+		 * validated until keyfetch_done() is called.
+		 */
+
+#ifdef ENABLE_AFL
+		if (dns_fuzzing_resolver == false) {
+#endif
+		result = dns_resolver_createfetch(zone->view->resolver,
+						  kname, dns_rdatatype_dnskey,
+						  NULL, NULL, NULL,
+						  DNS_FETCHOPT_NOVALIDATE|
+						  DNS_FETCHOPT_UNSHARED|
+						  DNS_FETCHOPT_NOCACHED,
+						  zone->task,
+						  keyfetch_done, kfetch,
+						  &kfetch->dnskeyset,
+						  &kfetch->dnskeysigset,
+						  &kfetch->fetch);
+#ifdef ENABLE_AFL
+		} else {
+			result = ISC_R_FAILURE;
+		}
+#endif
+		if (result == ISC_R_SUCCESS)
+			fetching = true;
+		else {
+			zone->refreshkeycount--;
+			zone->irefs--;
+			dns_db_detach(&kfetch->db);
+			dns_rdataset_disassociate(&kfetch->keydataset);
+			dns_name_free(kname, zone->mctx);
+			isc_mem_put(zone->mctx, kfetch, sizeof(dns_keyfetch_t));
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "Failed to create fetch for "
+				     "DNSKEY update");
+			fetch_err = true;
+		}
+	}
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		CHECK(update_soa_serial(db, ver, &diff, zone->mctx,
+					zone->updatemethod));
+		CHECK(zone_journal(zone, &diff, NULL, "zone_refreshkeys"));
+		commit = true;
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+	}
+
+  failure:
+	if (fetch_err) {
+		/*
+		 * Error during a key fetch; retry in an hour.
+		 */
+		isc_time_t timenow, timethen;
+		char timebuf[80];
+
+		TIME_NOW(&timenow);
+		DNS_ZONE_TIME_ADD(&timenow, dns_zone_mkey_hour, &timethen);
+		zone->refreshkeytime = timethen;
+		zone_settimer(zone, &timenow);
+
+		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
+			     timebuf);
+	}
+
+	if (!fetching)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
+
+	dns_diff_clear(&diff);
+	if (ver != NULL) {
+		dns_rriterator_destroy(&rrit);
+		dns_db_closeversion(db, &ver, commit);
+	}
+	dns_db_detach(&db);
+
+	UNLOCK_ZONE(zone);
+
+	INSIST(ver == NULL);
+}
+
+static void
+zone_maintenance(dns_zone_t *zone) {
+	const char me[] = "zone_maintenance";
+	isc_time_t now;
+	isc_result_t result;
+	bool dumping, load_pending;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+	/*
+	 * Are we pending load/reload?
+	 */
+	LOCK_ZONE(zone);
+	load_pending = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING);
+	UNLOCK_ZONE(zone);
+
+	if (load_pending) {
+		return;
+	}
+
+	/*
+	 * Configuring the view of this zone may have
+	 * failed, for example because the config file
+	 * had a syntax error.	In that case, the view
+	 * adb or resolver will be NULL, and we had better not try
+	 * to do further maintenance on it.
+	 */
+	if (zone->view == NULL || zone->view->adb == NULL)
+		return;
+
+	TIME_NOW(&now);
+
+	/*
+	 * Expire check.
+	 */
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters == NULL)
+			break;
+		/* FALLTHROUGH */
+	case dns_zone_slave:
+	case dns_zone_stub:
+		LOCK_ZONE(zone);
+		if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+			zone_expire(zone);
+			zone->refreshtime = now;
+		}
+		UNLOCK_ZONE(zone);
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Up to date check.
+	 */
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters == NULL)
+			break;
+		/* FALLTHROUGH */
+	case dns_zone_slave:
+	case dns_zone_stub:
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
+		    isc_time_compare(&now, &zone->refreshtime) >= 0)
+			dns_zone_refresh(zone);
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Slaves send notifies before backing up to disk, masters after.
+	 */
+	if (zone->type == dns_zone_slave &&
+	    (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+	     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY)) &&
+	    isc_time_compare(&now, &zone->notifytime) >= 0)
+		zone_notify(zone, &now);
+
+	/*
+	 * Do we need to consolidate the backing store?
+	 */
+	switch (zone->type) {
+	case dns_zone_master:
+	case dns_zone_slave:
+	case dns_zone_key:
+	case dns_zone_redirect:
+	case dns_zone_stub:
+		LOCK_ZONE(zone);
+		if (zone->masterfile != NULL &&
+		    isc_time_compare(&now, &zone->dumptime) >= 0 &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
+			dumping = was_dumping(zone);
+		} else
+			dumping = true;
+		UNLOCK_ZONE(zone);
+		if (!dumping) {
+			result = zone_dump(zone, true); /* task locked */
+			if (result != ISC_R_SUCCESS)
+				dns_zone_log(zone, ISC_LOG_WARNING,
+					     "dump failed: %s",
+					     dns_result_totext(result));
+		}
+		break;
+	default:
+		break;
+	}
+
+	/*
+	 * Master/redirect zones send notifies now, if needed
+	 */
+	switch (zone->type) {
+	case dns_zone_master:
+	case dns_zone_redirect:
+		if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))&&
+		    isc_time_compare(&now, &zone->notifytime) >= 0)
+			zone_notify(zone, &now);
+	default:
+		break;
+	}
+
+	/*
+	 * Do we need to refresh keys?
+	 */
+	switch (zone->type) {
+	case dns_zone_key:
+		if (isc_time_compare(&now, &zone->refreshkeytime) >= 0) {
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+				zone_refreshkeys(zone);
+			}
+		}
+		break;
+	case dns_zone_master:
+		if (!isc_time_isepoch(&zone->refreshkeytime) &&
+		    isc_time_compare(&now, &zone->refreshkeytime) >= 0 &&
+		    zone->rss_event == NULL)
+			zone_rekey(zone);
+	default:
+		break;
+	}
+
+	switch (zone->type) {
+	case dns_zone_master:
+	case dns_zone_redirect:
+	case dns_zone_slave:
+		/*
+		 * Do we need to sign/resign some RRsets?
+		 */
+		if (zone->rss_event != NULL)
+			break;
+		if (!isc_time_isepoch(&zone->signingtime) &&
+		    isc_time_compare(&now, &zone->signingtime) >= 0)
+			zone_sign(zone);
+		else if (!isc_time_isepoch(&zone->resigntime) &&
+		    isc_time_compare(&now, &zone->resigntime) >= 0)
+			zone_resigninc(zone);
+		else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
+			isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
+			zone_nsec3chain(zone);
+		/*
+		 * Do we need to issue a key expiry warning?
+		 */
+		if (!isc_time_isepoch(&zone->keywarntime) &&
+		    isc_time_compare(&now, &zone->keywarntime) >= 0)
+			set_key_expiry_warning(zone, zone->key_expiry,
+					       isc_time_seconds(&now));
+		break;
+
+	default:
+		break;
+	}
+	zone_settimer(zone, &now);
+}
+
+void
+dns_zone_markdirty(dns_zone_t *zone) {
+	uint32_t serial;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *secure = NULL;
+
+	/*
+	 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
+	 * could result in a deadlock due to a LOR so we will spin if we
+	 * can't obtain the both locks.
+	 */
+ again:
+	LOCK_ZONE(zone);
+	if (zone->type == dns_zone_master) {
+		if (inline_raw(zone)) {
+			unsigned int soacount;
+			secure = zone->secure;
+			INSIST(secure != zone);
+			TRYLOCK_ZONE(result, secure);
+			if (result != ISC_R_SUCCESS) {
+				UNLOCK_ZONE(zone);
+				secure = NULL;
+#ifdef ISC_PLATFORM_USETHREADS
+				isc_thread_yield();
+#endif
+				goto again;
+			}
+
+			ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+			if (zone->db != NULL) {
+				result = zone_get_from_db(zone, zone->db, NULL,
+							  &soacount, &serial,
+							  NULL, NULL, NULL,
+							  NULL, NULL);
+			} else
+				result = DNS_R_NOTLOADED;
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			if (result == ISC_R_SUCCESS && soacount > 0U)
+				zone_send_secureserial(zone, serial);
+		}
+
+		/* XXXMPA make separate call back */
+		if (result == ISC_R_SUCCESS)
+			set_resigntime(zone);
+	}
+	if (secure != NULL)
+		UNLOCK_ZONE(secure);
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_expire(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_expire(zone);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_expire(dns_zone_t *zone) {
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	dns_zone_log(zone, ISC_LOG_WARNING, "expired");
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
+	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+	zone->retry = DNS_ZONE_DEFAULTRETRY;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	zone_unload(zone);
+}
+
+void
+dns_zone_refresh(dns_zone_t *zone) {
+	isc_interval_t i;
+	uint32_t oldflags;
+	unsigned int j;
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+		return;
+
+	/*
+	 * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
+	 * in progress at a time.
+	 */
+
+	LOCK_ZONE(zone);
+	oldflags = zone->flags;
+	if (zone->masterscnt == 0) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+		if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "cannot refresh: no masters");
+		goto unlock;
+	}
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+	if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
+		goto unlock;
+
+	/*
+	 * Set the next refresh time as if refresh check has failed.
+	 * Setting this to the retry time will do that.  XXXMLG
+	 * If we are successful it will be reset using zone->refresh.
+	 */
+	isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
+			 0);
+	result = isc_time_nowplusinterval(&zone->refreshtime, &i);
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "isc_time_nowplusinterval() failed: %s",
+			     dns_result_totext(result));
+
+	/*
+	 * When lacking user-specified timer values from the SOA,
+	 * do exponential backoff of the retry time up to a
+	 * maximum of six hours.
+	 */
+	if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
+		zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
+
+	zone->curmaster = 0;
+	for (j = 0; j < zone->masterscnt; j++)
+		zone->mastersok[j] = false;
+	/* initiate soa query */
+	queue_soa_query(zone);
+ unlock:
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool dumping;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+	    zone->masterfile != NULL) {
+		result = ISC_R_ALREADYRUNNING;
+		dumping = was_dumping(zone);
+	} else
+		dumping = true;
+	UNLOCK_ZONE(zone);
+	if (!dumping)
+		result = zone_dump(zone, false);	/* Unknown task. */
+	return (result);
+}
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone) {
+	isc_result_t result = ISC_R_ALREADYRUNNING;
+	bool dumping;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	dumping = was_dumping(zone);
+	UNLOCK_ZONE(zone);
+	if (!dumping)
+		result = zone_dump(zone, false);	/* Unknown task. */
+	return (result);
+}
+
+static void
+zone_needdump(dns_zone_t *zone, unsigned int delay) {
+	const char me[] = "zone_needdump";
+	isc_time_t dumptime;
+	isc_time_t now;
+
+	/*
+	 * 'zone' locked by caller
+	 */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	ENTER;
+
+	/*
+	 * Do we have a place to dump to and are we loaded?
+	 */
+	if (zone->masterfile == NULL ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
+		return;
+
+	TIME_NOW(&now);
+	/* add some noise */
+	DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
+
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+	if (isc_time_isepoch(&zone->dumptime) ||
+	    isc_time_compare(&zone->dumptime, &dumptime) > 0)
+		zone->dumptime = dumptime;
+	if (zone->task != NULL)
+		zone_settimer(zone, &now);
+}
+
+static void
+dump_done(void *arg, isc_result_t result) {
+	const char me[] = "dump_done";
+	dns_zone_t *zone = arg;
+	dns_zone_t *secure = NULL;
+	dns_db_t *db;
+	dns_dbversion_t *version;
+	bool again = false;
+	bool compact = false;
+	uint32_t serial;
+	isc_result_t tresult;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	if (result == ISC_R_SUCCESS && zone->journal != NULL &&
+	    zone->journalsize != -1) {
+		/*
+		 * We don't own these, zone->dctx must stay valid.
+		 */
+		db = dns_dumpctx_db(zone->dctx);
+		version = dns_dumpctx_version(zone->dctx);
+		tresult = dns_db_getsoaserial(db, version, &serial);
+
+		/*
+		 * Handle lock order inversion.
+		 */
+ again:
+		LOCK_ZONE(zone);
+		if (inline_raw(zone)) {
+			secure = zone->secure;
+			INSIST(secure != zone);
+			TRYLOCK_ZONE(result, secure);
+			if (result != ISC_R_SUCCESS) {
+				UNLOCK_ZONE(zone);
+				secure = NULL;
+#if ISC_PLATFORM_USETHREADS
+				isc_thread_yield();
+#endif
+				goto again;
+			}
+		}
+
+		/*
+		 * If there is a secure version of this zone
+		 * use its serial if it is less than ours.
+		 */
+		if (tresult == ISC_R_SUCCESS && secure != NULL) {
+			uint32_t sserial;
+			isc_result_t mresult;
+
+			ZONEDB_LOCK(&secure->dblock, isc_rwlocktype_read);
+			if (secure->db != NULL) {
+				mresult = dns_db_getsoaserial(zone->secure->db,
+							      NULL, &sserial);
+				if (mresult == ISC_R_SUCCESS &&
+				    isc_serial_lt(sserial, serial))
+					serial = sserial;
+			}
+			ZONEDB_UNLOCK(&secure->dblock, isc_rwlocktype_read);
+		}
+		if (secure != NULL)
+			UNLOCK_ZONE(secure);
+		UNLOCK_ZONE(zone);
+
+		/*
+		 * Note: we are task locked here so we can test
+		 * zone->xfr safely.
+		 */
+		if (tresult == ISC_R_SUCCESS && zone->xfr == NULL) {
+			tresult = dns_journal_compact(zone->mctx,
+						      zone->journal,
+						      serial,
+						      zone->journalsize);
+			switch (tresult) {
+			case ISC_R_SUCCESS:
+			case ISC_R_NOSPACE:
+			case ISC_R_NOTFOUND:
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "dns_journal_compact: %s",
+					     dns_result_totext(tresult));
+				break;
+			default:
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "dns_journal_compact failed: %s",
+					     dns_result_totext(tresult));
+				break;
+			}
+		} else if (tresult == ISC_R_SUCCESS) {
+			compact = true;
+			zone->compact_serial = serial;
+		}
+	}
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (compact)
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
+	if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
+		/*
+		 * Try again in a short while.
+		 */
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (result == ISC_R_SUCCESS &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+		isc_time_settoepoch(&zone->dumptime);
+		again = true;
+	} else if (result == ISC_R_SUCCESS)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+
+	if (zone->dctx != NULL)
+		dns_dumpctx_detach(&zone->dctx);
+	zonemgr_putio(&zone->writeio);
+	UNLOCK_ZONE(zone);
+	if (again)
+		(void)zone_dump(zone, false);
+	dns_zone_idetach(&zone);
+}
+
+static isc_result_t
+zone_dump(dns_zone_t *zone, bool compact) {
+	const char me[] = "zone_dump";
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	bool again;
+	dns_db_t *db = NULL;
+	char *masterfile = NULL;
+	dns_masterformat_t masterformat = dns_masterformat_none;
+
+/*
+ * 'compact' MUST only be set if we are task locked.
+ */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+ redo:
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	LOCK_ZONE(zone);
+	if (zone->masterfile != NULL) {
+		masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
+		masterformat = zone->masterformat;
+	}
+	UNLOCK_ZONE(zone);
+	if (db == NULL) {
+		result = DNS_R_NOTLOADED;
+		goto fail;
+	}
+	if (masterfile == NULL) {
+		result = DNS_R_NOMASTERFILE;
+		goto fail;
+	}
+
+	if (compact && zone->type != dns_zone_stub) {
+		dns_zone_t *dummy = NULL;
+		LOCK_ZONE(zone);
+		zone_iattach(zone, &dummy);
+		result = zonemgr_getio(zone->zmgr, false, zone->task,
+				       zone_gotwritehandle, zone,
+				       &zone->writeio);
+		if (result != ISC_R_SUCCESS)
+			zone_idetach(&dummy);
+		else
+			result = DNS_R_CONTINUE;
+		UNLOCK_ZONE(zone);
+	} else {
+		const dns_master_style_t *output_style;
+
+		dns_masterrawheader_t rawdata;
+		dns_db_currentversion(db, &version);
+		dns_master_initrawheader(&rawdata);
+		if (inline_secure(zone))
+			get_raw_serial(zone->raw, &rawdata);
+		if (zone->type == dns_zone_key)
+			output_style = &dns_master_style_keyzone;
+		else
+			output_style = &dns_master_style_default;
+		result = dns_master_dump3(zone->mctx, db, version,
+					  output_style, masterfile,
+					  masterformat, &rawdata);
+		dns_db_closeversion(db, &version, false);
+	}
+ fail:
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (masterfile != NULL)
+		isc_mem_free(zone->mctx, masterfile);
+	masterfile = NULL;
+
+	if (result == DNS_R_CONTINUE)
+		return (ISC_R_SUCCESS); /* XXXMPA */
+
+	again = false;
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Try again in a short while.
+		 */
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		   DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+		isc_time_settoepoch(&zone->dumptime);
+		again = true;
+	} else
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+	UNLOCK_ZONE(zone);
+	if (again)
+		goto redo;
+
+	return (result);
+}
+
+static isc_result_t
+dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style,
+	     dns_masterformat_t format, const uint32_t rawversion)
+{
+	isc_result_t result;
+	dns_dbversion_t *version = NULL;
+	dns_db_t *db = NULL;
+	dns_masterrawheader_t rawdata;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		return (DNS_R_NOTLOADED);
+
+	dns_db_currentversion(db, &version);
+	dns_master_initrawheader(&rawdata);
+	if (rawversion == 0)
+		rawdata.flags |= DNS_MASTERRAW_COMPAT;
+	else if (inline_secure(zone))
+		get_raw_serial(zone->raw, &rawdata);
+	else if (zone->sourceserialset) {
+		rawdata.flags = DNS_MASTERRAW_SOURCESERIALSET;
+		rawdata.sourceserial = zone->sourceserial;
+	}
+	result = dns_master_dumptostream3(zone->mctx, db, version, style,
+					  format, &rawdata, fd);
+	dns_db_closeversion(db, &version, false);
+	dns_db_detach(&db);
+	return (result);
+}
+
+isc_result_t
+dns_zone_dumptostream3(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style,
+		       const uint32_t rawversion)
+{
+	return (dumptostream(zone, fd, style, format, rawversion));
+}
+
+isc_result_t
+dns_zone_dumptostream2(dns_zone_t *zone, FILE *fd, dns_masterformat_t format,
+		       const dns_master_style_t *style) {
+	return (dumptostream(zone, fd, style, format, DNS_RAWFORMAT_VERSION));
+}
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
+	return (dumptostream(zone, fd, &dns_master_style_default,
+			     dns_masterformat_text, 0));
+}
+
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
+	return (dumptostream(zone, fd, &dns_master_style_full,
+			     dns_masterformat_text, 0));
+}
+
+void
+dns_zone_unload(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone_unload(zone);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+notify_cancel(dns_zone_t *zone) {
+	dns_notify_t *notify;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	for (notify = ISC_LIST_HEAD(zone->notifies);
+	     notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link)) {
+		if (notify->find != NULL)
+			dns_adb_cancelfind(notify->find);
+		if (notify->request != NULL)
+			dns_request_cancel(notify->request);
+	}
+}
+
+static void
+forward_cancel(dns_zone_t *zone) {
+	dns_forward_t *forward;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	for (forward = ISC_LIST_HEAD(zone->forwards);
+	     forward != NULL;
+	     forward = ISC_LIST_NEXT(forward, link)) {
+		if (forward->request != NULL)
+			dns_request_cancel(forward->request);
+	}
+}
+
+static void
+zone_unload(dns_zone_t *zone) {
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+		if (zone->writeio != NULL)
+			zonemgr_cancelio(zone->writeio);
+
+		if (zone->dctx != NULL)
+			dns_dumpctx_cancel(zone->dctx);
+	}
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	zone_detachdb(zone);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+}
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->minrefresh = val;
+}
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->maxrefresh = val;
+}
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->minretry = val;
+}
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(val > 0);
+
+	zone->maxretry = val;
+}
+
+uint32_t
+dns_zone_getmaxrecords(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxrecords);
+}
+
+void
+dns_zone_setmaxrecords(dns_zone_t *zone, uint32_t val) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->maxrecords = val;
+}
+
+static bool
+notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
+		isc_sockaddr_t *addr, dns_tsigkey_t *key)
+{
+	dns_notify_t *notify;
+	dns_zonemgr_t *zmgr;
+	isc_result_t result;
+
+	for (notify = ISC_LIST_HEAD(zone->notifies);
+	     notify != NULL;
+	     notify = ISC_LIST_NEXT(notify, link)) {
+		if (notify->request != NULL)
+			continue;
+		if (name != NULL && dns_name_dynamic(&notify->ns) &&
+		    dns_name_equal(name, &notify->ns))
+			goto requeue;
+		if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst) &&
+		    notify->key == key)
+			goto requeue;
+	}
+	return (false);
+
+requeue:
+	/*
+	 * If we are enqueued on the startup ratelimiter and this is
+	 * not a startup notify, re-enqueue on the normal notify
+	 * ratelimiter.
+	 */
+	if (notify->event != NULL && (flags & DNS_NOTIFY_STARTUP) == 0 &&
+	    (notify->flags & DNS_NOTIFY_STARTUP) != 0) {
+		zmgr = notify->zone->zmgr;
+		result = isc_ratelimiter_dequeue(zmgr->startupnotifyrl,
+						 notify->event);
+		if (result != ISC_R_SUCCESS)
+			return (true);
+
+		notify->flags &= ~DNS_NOTIFY_STARTUP;
+		result = isc_ratelimiter_enqueue(notify->zone->zmgr->notifyrl,
+						 notify->zone->task,
+						 &notify->event);
+		if (result != ISC_R_SUCCESS) {
+			isc_event_free(&notify->event);
+			return (false);
+		}
+	}
+
+	return (true);
+}
+
+static bool
+notify_isself(dns_zone_t *zone, isc_sockaddr_t *dst) {
+	dns_tsigkey_t *key = NULL;
+	isc_sockaddr_t src;
+	isc_sockaddr_t any;
+	bool isself;
+	isc_netaddr_t dstaddr;
+	isc_result_t result;
+
+	if (zone->view == NULL || zone->isself == NULL)
+		return (false);
+
+	switch (isc_sockaddr_pf(dst)) {
+	case PF_INET:
+		src = zone->notifysrc4;
+		isc_sockaddr_any(&any);
+		break;
+	case PF_INET6:
+		src = zone->notifysrc6;
+		isc_sockaddr_any6(&any);
+		break;
+	default:
+		return (false);
+	}
+
+	/*
+	 * When sending from any the kernel will assign a source address
+	 * that matches the destination address.
+	 */
+	if (isc_sockaddr_eqaddr(&any, &src))
+		src = *dst;
+
+	isc_netaddr_fromsockaddr(&dstaddr, dst);
+	result = dns_view_getpeertsig(zone->view, &dstaddr, &key);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		return (false);
+	isself = (zone->isself)(zone->view, key, &src, dst, zone->rdclass,
+				zone->isselfarg);
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+	return (isself);
+}
+
+static void
+notify_destroy(dns_notify_t *notify, bool locked) {
+	isc_mem_t *mctx;
+
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	if (notify->zone != NULL) {
+		if (!locked)
+			LOCK_ZONE(notify->zone);
+		REQUIRE(LOCKED_ZONE(notify->zone));
+		if (ISC_LINK_LINKED(notify, link))
+			ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
+		if (!locked)
+			UNLOCK_ZONE(notify->zone);
+		if (locked)
+			zone_idetach(&notify->zone);
+		else
+			dns_zone_idetach(&notify->zone);
+	}
+	if (notify->find != NULL)
+		dns_adb_destroyfind(&notify->find);
+	if (notify->request != NULL)
+		dns_request_destroy(&notify->request);
+	if (dns_name_dynamic(&notify->ns))
+		dns_name_free(&notify->ns, notify->mctx);
+	if (notify->key != NULL)
+		dns_tsigkey_detach(&notify->key);
+	mctx = notify->mctx;
+	isc_mem_put(notify->mctx, notify, sizeof(*notify));
+	isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
+	dns_notify_t *notify;
+
+	REQUIRE(notifyp != NULL && *notifyp == NULL);
+
+	notify = isc_mem_get(mctx, sizeof(*notify));
+	if (notify == NULL)
+		return (ISC_R_NOMEMORY);
+
+	notify->mctx = NULL;
+	isc_mem_attach(mctx, &notify->mctx);
+	notify->flags = flags;
+	notify->zone = NULL;
+	notify->find = NULL;
+	notify->request = NULL;
+	notify->key = NULL;
+	notify->event = NULL;
+	isc_sockaddr_any(&notify->dst);
+	dns_name_init(&notify->ns, NULL);
+	ISC_LINK_INIT(notify, link);
+	notify->magic = NOTIFY_MAGIC;
+	*notifyp = notify;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * XXXAG should check for DNS_ZONEFLG_EXITING
+ */
+static void
+process_adb_event(isc_task_t *task, isc_event_t *ev) {
+	dns_notify_t *notify;
+	isc_eventtype_t result;
+
+	UNUSED(task);
+
+	notify = ev->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	INSIST(task == notify->zone->task);
+	result = ev->ev_type;
+	isc_event_free(&ev);
+	if (result == DNS_EVENT_ADBMOREADDRESSES) {
+		dns_adb_destroyfind(&notify->find);
+		notify_find_address(notify);
+		return;
+	}
+	if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
+		LOCK_ZONE(notify->zone);
+		notify_send(notify);
+		UNLOCK_ZONE(notify->zone);
+	}
+	notify_destroy(notify, false);
+}
+
+static void
+notify_find_address(dns_notify_t *notify) {
+	isc_result_t result;
+	unsigned int options;
+
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
+		  DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
+
+	if (notify->zone->view->adb == NULL)
+		goto destroy;
+
+	result = dns_adb_createfind(notify->zone->view->adb,
+				    notify->zone->task,
+				    process_adb_event, notify,
+				    &notify->ns, dns_rootname, 0,
+				    options, 0, NULL,
+				    notify->zone->view->dstport,
+				    &notify->find);
+
+	/* Something failed? */
+	if (result != ISC_R_SUCCESS)
+		goto destroy;
+
+	/* More addresses pending? */
+	if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0)
+		return;
+
+	/* We have as many addresses as we can get. */
+	LOCK_ZONE(notify->zone);
+	notify_send(notify);
+	UNLOCK_ZONE(notify->zone);
+
+ destroy:
+	notify_destroy(notify, false);
+}
+
+
+static isc_result_t
+notify_send_queue(dns_notify_t *notify, bool startup) {
+	isc_event_t *e;
+	isc_result_t result;
+
+	INSIST(notify->event == NULL);
+	e = isc_event_allocate(notify->mctx, NULL, DNS_EVENT_NOTIFYSENDTOADDR,
+			       notify_send_toaddr, notify, sizeof(isc_event_t));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+	if (startup)
+		notify->event = e;
+	e->ev_arg = notify;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(startup
+					  ? notify->zone->zmgr->startupnotifyrl
+					  : notify->zone->zmgr->notifyrl,
+					 notify->zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free(&e);
+		notify->event = NULL;
+	}
+	return (result);
+}
+
+static void
+notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
+	dns_notify_t *notify;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_netaddr_t dstip;
+	dns_tsigkey_t *key = NULL;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t src;
+	unsigned int options, timeout;
+	bool have_notifysource = false;
+	bool have_notifydscp = false;
+	isc_dscp_t dscp = -1;
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+
+	UNUSED(task);
+
+	LOCK_ZONE(notify->zone);
+
+	notify->event = NULL;
+
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
+	    DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
+	    notify->zone->view->requestmgr == NULL ||
+	    notify->zone->db == NULL) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	/*
+	 * The raw IPv4 address should also exist.  Don't send to the
+	 * mapped form.
+	 */
+	if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
+	    IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
+		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "notify: ignoring IPv6 mapped IPV4 address: %s",
+			   addrbuf);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	result = notify_createmessage(notify->zone, notify->flags, &message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+	if (notify->key != NULL) {
+		/* Transfer ownership of key */
+		key = notify->key;
+		notify->key = NULL;
+	} else {
+		isc_netaddr_fromsockaddr(&dstip, &notify->dst);
+		result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			notify_log(notify->zone, ISC_LOG_ERROR,
+				   "NOTIFY to %s not sent. "
+				   "Peer TSIG key lookup failure.", addrbuf);
+			goto cleanup_message;
+		}
+	}
+
+	/* XXX: should we log the tsig key too? */
+	notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
+		   addrbuf);
+	options = 0;
+	if (notify->zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool usetcp = false;
+		result = dns_peerlist_peerbyaddr(notify->zone->view->peers,
+						 &dstip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getnotifysource(peer, &src);
+			if (result == ISC_R_SUCCESS)
+				have_notifysource = true;
+			dns_peer_getnotifydscp(peer, &dscp);
+			if (dscp != -1)
+				have_notifydscp = true;
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp)
+				options |= DNS_FETCHOPT_TCP;
+		}
+	}
+	switch (isc_sockaddr_pf(&notify->dst)) {
+	case PF_INET:
+		if (!have_notifysource)
+			src = notify->zone->notifysrc4;
+		if (!have_notifydscp)
+			dscp = notify->zone->notifysrc4dscp;
+		break;
+	case PF_INET6:
+		if (!have_notifysource)
+			src = notify->zone->notifysrc6;
+		if (!have_notifydscp)
+			dscp = notify->zone->notifysrc6dscp;
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup_key;
+	}
+	timeout = 15;
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
+		timeout = 30;
+	result = dns_request_createvia4(notify->zone->view->requestmgr,
+					message, &src, &notify->dst, dscp,
+					options, key, timeout * 3, timeout,
+					0, notify->zone->task, notify_done,
+					notify, &notify->request);
+	if (result == ISC_R_SUCCESS) {
+		if (isc_sockaddr_pf(&notify->dst) == AF_INET) {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv4);
+		} else {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv6);
+		}
+	}
+
+ cleanup_key:
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+ cleanup_message:
+	dns_message_destroy(&message);
+ cleanup:
+	UNLOCK_ZONE(notify->zone);
+	isc_event_free(&event);
+	if (result != ISC_R_SUCCESS)
+		notify_destroy(notify, false);
+}
+
+static void
+notify_send(dns_notify_t *notify) {
+	dns_adbaddrinfo_t *ai;
+	isc_sockaddr_t dst;
+	isc_result_t result;
+	dns_notify_t *newnotify = NULL;
+	unsigned int flags;
+	bool startup;
+
+	/*
+	 * Zone lock held by caller.
+	 */
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	REQUIRE(LOCKED_ZONE(notify->zone));
+
+	if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING))
+		return;
+
+	for (ai = ISC_LIST_HEAD(notify->find->list);
+	     ai != NULL;
+	     ai = ISC_LIST_NEXT(ai, publink)) {
+		dst = ai->sockaddr;
+		if (notify_isqueued(notify->zone, notify->flags, NULL, &dst,
+				    NULL))
+			continue;
+		if (notify_isself(notify->zone, &dst))
+			continue;
+		newnotify = NULL;
+		flags = notify->flags & DNS_NOTIFY_NOSOA;
+		result = notify_create(notify->mctx, flags, &newnotify);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		zone_iattach(notify->zone, &newnotify->zone);
+		ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link);
+		newnotify->dst = dst;
+		startup = (notify->flags & DNS_NOTIFY_STARTUP);
+		result = notify_send_queue(newnotify, startup);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		newnotify = NULL;
+	}
+
+ cleanup:
+	if (newnotify != NULL)
+		notify_destroy(newnotify, true);
+}
+
+void
+dns_zone_notify(dns_zone_t *zone) {
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+	UNLOCK_ZONE(zone);
+}
+
+static void
+zone_notify(dns_zone_t *zone, isc_time_t *now) {
+	dns_dbnode_t *node = NULL;
+	dns_db_t *zonedb = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_name_t *origin = NULL;
+	dns_name_t master;
+	dns_rdata_ns_t ns;
+	dns_rdata_soa_t soa;
+	uint32_t serial;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t nsrdset;
+	dns_rdataset_t soardset;
+	isc_result_t result;
+	unsigned int i;
+	isc_sockaddr_t dst;
+	bool isqueued;
+	dns_notifytype_t notifytype;
+	unsigned int flags = 0;
+	bool loggednotify = false;
+	bool startup;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	startup = !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY);
+	notifytype = zone->notifytype;
+	DNS_ZONE_TIME_ADD(now, zone->notifydelay, &zone->notifytime);
+	UNLOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
+	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+		return;
+
+	if (notifytype == dns_notifytype_no)
+		return;
+
+	if (notifytype == dns_notifytype_masteronly &&
+	    zone->type != dns_zone_master)
+		return;
+
+	origin = &zone->origin;
+
+	/*
+	 * If the zone is dialup we are done as we don't want to send
+	 * the current soa so as to force a refresh query.
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
+		flags |= DNS_NOTIFY_NOSOA;
+
+	/*
+	 * Record that this was a notify due to starting up.
+	 */
+	if (startup)
+		flags |= DNS_NOTIFY_STARTUP;
+
+	/*
+	 * Get SOA RRset.
+	 */
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &zonedb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zonedb == NULL)
+		return;
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, origin, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup1;
+
+	dns_rdataset_init(&soardset);
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &soardset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup2;
+
+	/*
+	 * Find serial and master server's name.
+	 */
+	dns_name_init(&master, NULL);
+	result = dns_rdataset_first(&soardset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup3;
+	dns_rdataset_current(&soardset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdata_reset(&rdata);
+	result = dns_name_dup(&soa.origin, zone->mctx, &master);
+	serial = soa.serial;
+	dns_rdataset_disassociate(&soardset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup3;
+
+	/*
+	 * Enqueue notify requests for 'also-notify' servers.
+	 */
+	LOCK_ZONE(zone);
+	for (i = 0; i < zone->notifycnt; i++) {
+		dns_tsigkey_t *key = NULL;
+		dns_notify_t *notify = NULL;
+
+		if ((zone->notifykeynames != NULL) &&
+		    (zone->notifykeynames[i] != NULL)) {
+			dns_view_t *view = dns_zone_getview(zone);
+			dns_name_t *keyname = zone->notifykeynames[i];
+			(void)dns_view_gettsig(view, keyname, &key);
+		}
+
+		dst = zone->notify[i];
+		if (notify_isqueued(zone, flags, NULL, &dst, key)) {
+			if (key != NULL)
+				dns_tsigkey_detach(&key);
+			continue;
+		}
+
+		result = notify_create(zone->mctx, flags, &notify);
+		if (result != ISC_R_SUCCESS) {
+			if (key != NULL)
+				dns_tsigkey_detach(&key);
+			continue;
+		}
+
+		zone_iattach(zone, &notify->zone);
+		notify->dst = dst;
+
+		INSIST(notify->key == NULL);
+
+		if (key != NULL) {
+			notify->key = key;
+			key = NULL;
+		}
+
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		result = notify_send_queue(notify, startup);
+		if (result != ISC_R_SUCCESS)
+			notify_destroy(notify, true);
+		if (!loggednotify) {
+			notify_log(zone, ISC_LOG_INFO,
+				   "sending notifies (serial %u)",
+				   serial);
+			loggednotify = true;
+		}
+	}
+	UNLOCK_ZONE(zone);
+
+	if (notifytype == dns_notifytype_explicit)
+		goto cleanup3;
+
+	/*
+	 * Process NS RRset to generate notifies.
+	 */
+
+	dns_rdataset_init(&nsrdset);
+	result = dns_db_findrdataset(zonedb, node, version, dns_rdatatype_ns,
+				     dns_rdatatype_none, 0, &nsrdset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup3;
+
+	result = dns_rdataset_first(&nsrdset);
+	while (result == ISC_R_SUCCESS) {
+		dns_notify_t *notify = NULL;
+
+		dns_rdataset_current(&nsrdset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		/*
+		 * Don't notify the master server unless explicitly
+		 * configured to do so.
+		 */
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
+		    dns_name_compare(&master, &ns.name) == 0) {
+			result = dns_rdataset_next(&nsrdset);
+			continue;
+		}
+
+		if (!loggednotify) {
+			notify_log(zone, ISC_LOG_INFO,
+				   "sending notifies (serial %u)",
+				   serial);
+			loggednotify = true;
+		}
+
+		LOCK_ZONE(zone);
+		isqueued = notify_isqueued(zone, flags, &ns.name, NULL, NULL);
+		UNLOCK_ZONE(zone);
+		if (isqueued) {
+			result = dns_rdataset_next(&nsrdset);
+			continue;
+		}
+		result = notify_create(zone->mctx, flags, &notify);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		dns_zone_iattach(zone, &notify->zone);
+		result = dns_name_dup(&ns.name, zone->mctx, &notify->ns);
+		if (result != ISC_R_SUCCESS) {
+			LOCK_ZONE(zone);
+			notify_destroy(notify, true);
+			UNLOCK_ZONE(zone);
+			continue;
+		}
+		LOCK_ZONE(zone);
+		ISC_LIST_APPEND(zone->notifies, notify, link);
+		UNLOCK_ZONE(zone);
+		notify_find_address(notify);
+		result = dns_rdataset_next(&nsrdset);
+	}
+	dns_rdataset_disassociate(&nsrdset);
+
+ cleanup3:
+	if (dns_name_dynamic(&master))
+		dns_name_free(&master, zone->mctx);
+ cleanup2:
+	dns_db_detachnode(zonedb, &node);
+ cleanup1:
+	dns_db_closeversion(zonedb, &version, false);
+	dns_db_detach(&zonedb);
+}
+
+/***
+ *** Private
+ ***/
+
+static inline isc_result_t
+save_nsrrset(dns_message_t *message, dns_name_t *name,
+	     dns_db_t *db, dns_dbversion_t *version)
+{
+	dns_rdataset_t *nsrdataset = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdata_ns_t ns;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	/*
+	 * Extract NS RRset from message.
+	 */
+	result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
+				      dns_rdatatype_ns, dns_rdatatype_none,
+				      NULL, &nsrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/*
+	 * Add NS rdataset.
+	 */
+	result = dns_db_findnode(db, name, true, &node);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	result = dns_db_addrdataset(db, node, version, 0,
+				    nsrdataset, 0, NULL);
+	dns_db_detachnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	/*
+	 * Add glue rdatasets.
+	 */
+	for (result = dns_rdataset_first(nsrdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(nsrdataset)) {
+		dns_rdataset_current(nsrdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &ns, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		if (!dns_name_issubdomain(&ns.name, name))
+			continue;
+		rdataset = NULL;
+		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
+					      &ns.name, dns_rdatatype_aaaa,
+					      dns_rdatatype_none, NULL,
+					      &rdataset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_db_findnode(db, &ns.name,
+						 true, &node);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			result = dns_db_addrdataset(db, node, version, 0,
+						    rdataset, 0, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+		}
+		rdataset = NULL;
+		result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
+					      &ns.name, dns_rdatatype_a,
+					      dns_rdatatype_none, NULL,
+					      &rdataset);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_db_findnode(db, &ns.name,
+						 true, &node);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+			result = dns_db_addrdataset(db, node, version, 0,
+						    rdataset, 0, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				goto fail;
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+fail:
+	return (result);
+}
+
+static void
+stub_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "stub_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_stub_t *stub = NULL;
+	dns_message_t *msg = NULL;
+	dns_zone_t *zone = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	uint32_t nscnt, cnamecnt, refresh, retry, expire;
+	isc_result_t result;
+	isc_time_t now;
+	bool exiting = false;
+	isc_interval_t i;
+	unsigned int j, soacount;
+
+	stub = revent->ev_arg;
+	INSIST(DNS_STUB_VALID(stub));
+
+	UNUSED(task);
+
+	zone = stub->zone;
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		zone_debuglog(zone, me, 1, "exiting");
+		exiting = true;
+		goto next_master;
+	}
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: timeout retrying "
+				     " without EDNS master %s (source %s)",
+				     master, source);
+			goto same_master;
+		}
+		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+					   &zone->sourceaddr, &now);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not refresh stub from master %s"
+			     " (source %s): %s", master, source,
+			     dns_result_totext(revent->result));
+		goto next_master;
+	}
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr)) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refreshing stub: rcode (%.*s) retrying "
+				     "without EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: "
+			     "unexpected rcode (%.*s) from %s (source %s)",
+			     (int)rb.used, rcode, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * We need complete messages.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (dns_request_usedtcp(revent->request)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: truncated TCP "
+				     "response from master %s (source %s)",
+				     master, source);
+			goto next_master;
+		}
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+		goto same_master;
+	}
+
+	/*
+	 * If non-auth log and next master.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
+			     "non-authoritative answer from "
+			     "master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Sanity checks.
+	 */
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
+
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unexpected CNAME response "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	if (nscnt == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: no NS records in response "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Save answer.
+	 */
+	result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refreshing stub: unable to save NS records "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Tidy up.
+	 */
+	dns_db_closeversion(stub->db, &stub->version, true);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	if (zone->db == NULL)
+		zone_attachdb(zone, stub->db);
+	result = zone_get_from_db(zone, zone->db, NULL, &soacount, NULL,
+				  &refresh, &retry, &expire, NULL, NULL);
+	if (result == ISC_R_SUCCESS && soacount > 0U) {
+		zone->refresh = RANGE(refresh, zone->minrefresh,
+				      zone->maxrefresh);
+		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	dns_db_detach(&stub->db);
+
+	dns_message_destroy(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+	isc_interval_set(&i, zone->expire, 0);
+	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+
+	if (zone->masterfile != NULL)
+		zone_needdump(zone, 0);
+
+	zone_settimer(zone, &now);
+	goto free_stub;
+
+ next_master:
+	if (stub->version != NULL)
+		dns_db_closeversion(stub->db, &stub->version, false);
+	if (stub->db != NULL)
+		dns_db_detach(&stub->db);
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	if (exiting || zone->curmaster >= zone->masterscnt) {
+		bool done = true;
+		if (!exiting &&
+		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			/*
+			 * Did we get a good answer from all the masters?
+			 */
+			for (j = 0; j < zone->masterscnt; j++)
+				if (zone->mastersok[j] == false) {
+					done = false;
+					break;
+				}
+		} else
+			done = true;
+		if (!done) {
+			zone->curmaster = 0;
+			/*
+			 * Find the next failed master.
+			 */
+			while (zone->curmaster < zone->masterscnt &&
+			       zone->mastersok[zone->curmaster])
+				zone->curmaster++;
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		} else {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+
+			zone_settimer(zone, &now);
+			goto free_stub;
+		}
+	}
+	queue_soa_query(zone);
+	goto free_stub;
+
+ same_master:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	ns_query(zone, NULL, stub);
+	UNLOCK_ZONE(zone);
+	goto done;
+
+ free_stub:
+	UNLOCK_ZONE(zone);
+	stub->magic = 0;
+	dns_zone_idetach(&stub->zone);
+	INSIST(stub->db == NULL);
+	INSIST(stub->version == NULL);
+	isc_mem_put(stub->mctx, stub, sizeof(*stub));
+
+ done:
+	INSIST(event == NULL);
+	return;
+}
+
+/*
+ * Get the EDNS EXPIRE option from the response and if it exists trim
+ * expire to be not more than it.
+ */
+static void
+get_edns_expire(dns_zone_t * zone, dns_message_t *message,
+		uint32_t *expirep)
+{
+	isc_result_t result;
+	uint32_t expire;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t optbuf;
+	uint16_t optcode;
+	uint16_t optlen;
+
+	REQUIRE(expirep != NULL);
+	REQUIRE(message != NULL);
+
+	if (message->opt == NULL)
+		return;
+
+	result = dns_rdataset_first(message->opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(message->opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			/*
+			 * A EDNS EXPIRE response has a length of 4.
+			 */
+			if (optcode != DNS_OPT_EXPIRE || optlen != 4) {
+				isc_buffer_forward(&optbuf, optlen);
+				continue;
+			}
+			expire = isc_buffer_getuint32(&optbuf);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "got EDNS EXPIRE of %u", expire);
+			/*
+			 * Trim *expirep?
+			 */
+			if (expire < *expirep)
+				*expirep = expire;
+			break;
+		}
+	}
+}
+
+/*
+ * Set the file modification time zone->expire seconds before expiretime.
+ */
+static void
+setmodtime(dns_zone_t *zone, isc_time_t *expiretime) {
+	isc_result_t result;
+	isc_time_t when;
+	isc_interval_t i;
+
+	isc_interval_set(&i, zone->expire, 0);
+	result = isc_time_subtract(expiretime, &i, &when);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	result = ISC_R_FAILURE;
+	if (zone->journal != NULL)
+		result = isc_file_settime(zone->journal, &when);
+	if (result == ISC_R_SUCCESS &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP))
+		result = isc_file_settime(zone->masterfile, &when);
+	else if (result != ISC_R_SUCCESS)
+		result = isc_file_settime(zone->masterfile, &when);
+
+	/*
+	 * Someone removed the file from underneath us!
+	 */
+	if (result == ISC_R_FILENOTFOUND) {
+		zone_needdump(zone, DNS_DUMP_DELAY);
+	} else if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "refresh: could not set "
+			     "file modification time of '%s': %s",
+			     zone->masterfile, dns_result_totext(result));
+}
+
+/*
+ * An SOA query has finished (successfully or not).
+ */
+static void
+refresh_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "refresh_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_zone_t *zone;
+	dns_message_t *msg = NULL;
+	uint32_t soacnt, cnamecnt, soacount, nscount;
+	isc_time_t now;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_soa_t soa;
+	isc_result_t result;
+	uint32_t serial, oldserial = 0;
+	unsigned int j;
+	bool do_queue_xfrin = false;
+
+	zone = revent->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	ENTER;
+
+	TIME_NOW(&now);
+
+	LOCK_ZONE(zone);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		isc_event_free(&event);
+		dns_request_destroy(&zone->request);
+		goto detach;
+	}
+
+	/*
+	 * if timeout log and next master;
+	 */
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: timeout retrying without EDNS "
+				     "master %s (source %s)", master, source);
+			goto same_master;
+		}
+		if (revent->result == ISC_R_TIMEDOUT &&
+		    !dns_request_usedtcp(revent->request)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: retry limit for "
+				     "master %s exceeded (source %s)",
+				     master, source);
+			/* Try with slave with TCP. */
+			if ((zone->type == dns_zone_slave ||
+			     zone->type == dns_zone_redirect) &&
+			    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) {
+				if (!dns_zonemgr_unreachable(zone->zmgr,
+							     &zone->masteraddr,
+							     &zone->sourceaddr,
+							     &now))
+				{
+					DNS_ZONE_SETFLAG(zone,
+						     DNS_ZONEFLG_SOABEFOREAXFR);
+					goto tcp_transfer;
+				}
+				dns_zone_log(zone, ISC_LOG_DEBUG(1),
+					     "refresh: skipped tcp fallback "
+					     "as master %s (source %s) is "
+					     "unreachable (cached)",
+					      master, source);
+			}
+		} else
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: failure trying master "
+				     "%s (source %s): %s", master, source,
+				     dns_result_totext(revent->result));
+		goto next_master;
+	}
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+	result = dns_request_getresponse(revent->request, msg, 0);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: failure trying master "
+			     "%s (source %s): %s", master, source,
+			     dns_result_totext(result));
+		goto next_master;
+	}
+
+	/*
+	 * Unexpected rcode.
+	 */
+	if (msg->rcode != dns_rcode_noerror) {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    (msg->rcode == dns_rcode_servfail ||
+		     msg->rcode == dns_rcode_notimp ||
+		     msg->rcode == dns_rcode_formerr)) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: rcode (%.*s) retrying without "
+				     "EDNS master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+		    msg->rcode == dns_rcode_badvers) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "refresh: rcode (%.*s) retrying without "
+				     "EDNS EXPIRE OPTION master %s (source %s)",
+				     (int)rb.used, rcode, master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			goto same_master;
+		}
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: unexpected rcode (%.*s) from "
+			     "master %s (source %s)", (int)rb.used, rcode,
+			     master, source);
+		/*
+		 * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
+		 */
+		if (msg->rcode == dns_rcode_refused &&
+		    (zone->type == dns_zone_slave ||
+		     zone->type == dns_zone_redirect))
+			goto tcp_transfer;
+		goto next_master;
+	}
+
+	/*
+	 * If truncated punt to zone transfer which will query again.
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+		if (zone->type == dns_zone_slave ||
+		    zone->type == dns_zone_redirect) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: truncated UDP answer, "
+				     "initiating TCP zone xfer "
+				     "for master %s (source %s)",
+				     master, source);
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+			goto tcp_transfer;
+		} else {
+			INSIST(zone->type == dns_zone_stub);
+			if (dns_request_usedtcp(revent->request)) {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "refresh: truncated TCP response "
+					     "from master %s (source %s)",
+					     master, source);
+				goto next_master;
+			}
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+			goto same_master;
+		}
+	}
+
+	/*
+	 * if non-auth log and next master;
+	 */
+	if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: non-authoritative answer from "
+			     "master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+	soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
+	nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
+	soacount = message_count(msg, DNS_SECTION_AUTHORITY,
+				 dns_rdatatype_soa);
+
+	/*
+	 * There should not be a CNAME record at top of zone.
+	 */
+	if (cnamecnt != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: CNAME at top of zone "
+			     "in master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * if referral log and next master;
+	 */
+	if (soacnt == 0 && soacount == 0 && nscount != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: referral response "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * if nodata log and next master;
+	 */
+	if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: NODATA response "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Only one soa at top of zone.
+	 */
+	if (soacnt != 1) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: answer SOA count (%d) != 1 "
+			     "from master %s (source %s)",
+			     soacnt, master, source);
+		goto next_master;
+	}
+
+	/*
+	 * Extract serial
+	 */
+	rdataset = NULL;
+	result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
+				      dns_rdatatype_soa, dns_rdatatype_none,
+				      NULL, &rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: unable to get SOA record "
+			     "from master %s (source %s)", master, source);
+		goto next_master;
+	}
+
+	result = dns_rdataset_first(rdataset);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refresh: dns_rdataset_first() failed");
+		goto next_master;
+	}
+
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	serial = soa.serial;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+		unsigned int dbsoacount;
+		result = zone_get_from_db(zone, zone->db, NULL, &dbsoacount,
+					  &oldserial, NULL, NULL, NULL, NULL,
+					  NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		RUNTIME_CHECK(dbsoacount > 0U);
+		zone_debuglog(zone, me, 1, "serial: new %u, old %u",
+			      serial, oldserial);
+	} else
+		zone_debuglog(zone, me, 1, "serial: new %u, old not loaded",
+			      serial);
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
+	    isc_serial_gt(serial, oldserial)) {
+		if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+					    &zone->sourceaddr, &now))
+		{
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: skipping %s as master %s "
+				     "(source %s) is unreachable (cached)",
+				     (zone->type == dns_zone_slave ||
+				      zone->type == dns_zone_redirect) ?
+				     "zone transfer" : "NS query",
+				     master, source);
+			goto next_master;
+		}
+ tcp_transfer:
+		isc_event_free(&event);
+		dns_request_destroy(&zone->request);
+		if (zone->type == dns_zone_slave ||
+		    zone->type == dns_zone_redirect) {
+			do_queue_xfrin = true;
+		} else {
+			INSIST(zone->type == dns_zone_stub);
+			ns_query(zone, rdataset, NULL);
+		}
+		if (msg != NULL)
+			dns_message_destroy(&msg);
+	} else if (isc_serial_eq(soa.serial, oldserial)) {
+		isc_time_t expiretime;
+		uint32_t expire;
+
+		/*
+		 * Compute the new expire time based on this response.
+		 */
+		expire = zone->expire;
+		get_edns_expire(zone, msg, &expire);
+		DNS_ZONE_TIME_ADD(&now, expire, &expiretime);
+
+		/*
+		 * Has the expire time improved?
+		 */
+		if (isc_time_compare(&expiretime, &zone->expiretime) > 0) {
+			zone->expiretime = expiretime;
+			if (zone->masterfile != NULL)
+				setmodtime(zone, &expiretime);
+		}
+
+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+		zone->mastersok[zone->curmaster] = true;
+		goto next_master;
+	} else {
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
+			dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
+				     "received from master %s < ours (%u)",
+				     soa.serial, master, oldserial);
+		else
+			zone_debuglog(zone, me, 1, "ahead");
+		zone->mastersok[zone->curmaster] = true;
+		goto next_master;
+	}
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	goto detach;
+
+ next_master:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+	if (zone->curmaster >= zone->masterscnt) {
+		bool done = true;
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			/*
+			 * Did we get a good answer from all the masters?
+			 */
+			for (j = 0; j < zone->masterscnt; j++)
+				if (zone->mastersok[j] == false) {
+					done = false;
+					break;
+				}
+		} else
+			done = true;
+		if (!done) {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+			zone->curmaster = 0;
+			/*
+			 * Find the next failed master.
+			 */
+			while (zone->curmaster < zone->masterscnt &&
+			       zone->mastersok[zone->curmaster])
+				zone->curmaster++;
+			goto requeue;
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+			zone->refreshtime = now;
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		zone_settimer(zone, &now);
+		goto detach;
+	}
+
+ requeue:
+	queue_soa_query(zone);
+	goto detach;
+
+ same_master:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	isc_event_free(&event);
+	dns_request_destroy(&zone->request);
+	queue_soa_query(zone);
+
+ detach:
+	UNLOCK_ZONE(zone);
+	if (do_queue_xfrin)
+		queue_xfrin(zone);
+	dns_zone_idetach(&zone);
+	return;
+}
+
+static void
+queue_soa_query(dns_zone_t *zone) {
+	const char me[] = "queue_soa_query";
+	isc_event_t *e;
+	dns_zone_t *dummy = NULL;
+	isc_result_t result;
+
+	ENTER;
+	/*
+	 * Locked by caller
+	 */
+	REQUIRE(LOCKED_ZONE(zone));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		cancel_refresh(zone);
+		return;
+	}
+
+	e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
+			       soa_query, zone, sizeof(isc_event_t));
+	if (e == NULL) {
+		cancel_refresh(zone);
+		return;
+	}
+
+	/*
+	 * Attach so that we won't clean up
+	 * until the event is delivered.
+	 */
+	zone_iattach(zone, &dummy);
+
+	e->ev_arg = zone;
+	e->ev_sender = NULL;
+	result = isc_ratelimiter_enqueue(zone->zmgr->refreshrl, zone->task, &e);
+	if (result != ISC_R_SUCCESS) {
+		zone_idetach(&dummy);
+		isc_event_free(&e);
+		cancel_refresh(zone);
+	}
+}
+
+static inline isc_result_t
+create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
+	     dns_message_t **messagep)
+{
+	dns_message_t *message = NULL;
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * Make question.
+	 */
+	dns_name_init(qname, NULL);
+	dns_name_clone(&zone->origin, qname);
+	dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	if (message != NULL)
+		dns_message_destroy(&message);
+	return (result);
+}
+
+static isc_result_t
+add_opt(dns_message_t *message, uint16_t udpsize, bool reqnsid,
+	bool reqexpire)
+{
+	isc_result_t result;
+	dns_rdataset_t *rdataset = NULL;
+	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
+	int count = 0;
+
+	/* Set EDNS options if applicable */
+	if (reqnsid) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_NSID;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	if (reqexpire) {
+		INSIST(count < DNS_EDNSOPTIONS);
+		ednsopts[count].code = DNS_OPT_EXPIRE;
+		ednsopts[count].length = 0;
+		ednsopts[count].value = NULL;
+		count++;
+	}
+	result = dns_message_buildopt(message, &rdataset, 0, udpsize, 0,
+				      ednsopts, count);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	return (dns_message_setopt(message, rdataset));
+}
+
+static void
+soa_query(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "soa_query";
+	isc_result_t result = ISC_R_FAILURE;
+	dns_message_t *message = NULL;
+	dns_zone_t *zone = event->ev_arg;
+	dns_zone_t *dummy = NULL;
+	isc_netaddr_t masterip;
+	dns_tsigkey_t *key = NULL;
+	uint32_t options;
+	bool cancel = true;
+	int timeout;
+	bool have_xfrsource, have_xfrdscp, reqnsid, reqexpire;
+	uint16_t udpsize = SEND_BUFFER_SIZE;
+	isc_dscp_t dscp = -1;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	UNUSED(task);
+
+	ENTER;
+
+	LOCK_ZONE(zone);
+	if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
+	    zone->view->requestmgr == NULL) {
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+			cancel = false;
+		goto cleanup;
+	}
+
+ again:
+	result = create_query(zone, dns_rdatatype_soa, &message);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	INSIST(zone->masterscnt > 0);
+	INSIST(zone->curmaster < zone->masterscnt);
+
+	zone->masteraddr = zone->masters[zone->curmaster];
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL)) {
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &key);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find key: %s", namebuf);
+			goto skip_master;
+		}
+	}
+	if (key == NULL) {
+		result = dns_view_getpeertsig(zone->view, &masterip, &key);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+			char addrbuf[ISC_NETADDR_FORMATSIZE];
+			isc_netaddr_format(&masterip, addrbuf, sizeof(addrbuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find TSIG key for %s", addrbuf);
+			goto skip_master;
+		}
+	}
+
+	options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
+		  DNS_REQUESTOPT_TCP : 0;
+	have_xfrsource = have_xfrdscp = false;
+	reqnsid = zone->view->requestnsid;
+	reqexpire = zone->requestexpire;
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool edns, usetcp;
+		result = dns_peerlist_peerbyaddr(zone->view->peers,
+						 &masterip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns)
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS)
+				have_xfrsource = true;
+			(void)dns_peer_gettransferdscp(peer, &dscp);
+			if (dscp != -1)
+				have_xfrdscp = true;
+			if (zone->view->resolver != NULL)
+				udpsize =
+				  dns_resolver_getudpsize(zone->view->resolver);
+			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
+			(void)dns_peer_getrequestexpire(peer, &reqexpire);
+			result = dns_peer_getforcetcp(peer, &usetcp);
+			if (result == ISC_R_SUCCESS && usetcp)
+				options |= DNS_REQUESTOPT_TCP;
+		}
+	}
+
+	switch (isc_sockaddr_pf(&zone->masteraddr)) {
+	case PF_INET:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource4,
+					       &zone->xfrsource4))
+				goto skip_master;
+			zone->sourceaddr = zone->altxfrsource4;
+			if (!have_xfrdscp)
+				dscp = zone->altxfrsource4dscp;
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource4;
+			if (!have_xfrdscp)
+				dscp = zone->xfrsource4dscp;
+		}
+		break;
+	case PF_INET6:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			if (isc_sockaddr_equal(&zone->altxfrsource6,
+					       &zone->xfrsource6))
+				goto skip_master;
+			zone->sourceaddr = zone->altxfrsource6;
+			if (!have_xfrdscp)
+				dscp = zone->altxfrsource6dscp;
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource6;
+			if (!have_xfrdscp)
+				dscp = zone->xfrsource6dscp;
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto cleanup;
+	}
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, udpsize, reqnsid, reqexpire);
+		if (result != ISC_R_SUCCESS)
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+	}
+
+	zone_iattach(zone, &dummy);
+	timeout = 15;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+		timeout = 30;
+	result = dns_request_createvia4(zone->view->requestmgr, message,
+					&zone->sourceaddr, &zone->masteraddr,
+					dscp, options, key, timeout * 3,
+					timeout, 0, zone->task,
+					refresh_callback, zone, &zone->request);
+	if (result != ISC_R_SUCCESS) {
+		zone_idetach(&dummy);
+		zone_debuglog(zone, me, 1,
+			      "dns_request_createvia4() failed: %s",
+			      dns_result_totext(result));
+		goto skip_master;
+	} else {
+		if (isc_sockaddr_pf(&zone->masteraddr) == PF_INET)
+			inc_stats(zone, dns_zonestatscounter_soaoutv4);
+		else
+			inc_stats(zone, dns_zonestatscounter_soaoutv6);
+	}
+	cancel = false;
+
+ cleanup:
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+	if (result != ISC_R_SUCCESS)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	if (message != NULL)
+		dns_message_destroy(&message);
+	if (cancel)
+		cancel_refresh(zone);
+	isc_event_free(&event);
+	UNLOCK_ZONE(zone);
+	dns_zone_idetach(&zone);
+	return;
+
+ skip_master:
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+	dns_message_destroy(&message);
+	/*
+	 * Skip to next failed / untried master.
+	 */
+	do {
+		zone->curmaster++;
+	} while (zone->curmaster < zone->masterscnt &&
+		 zone->mastersok[zone->curmaster]);
+	if (zone->curmaster < zone->masterscnt)
+		goto again;
+	zone->curmaster = 0;
+	goto cleanup;
+}
+
+static void
+ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
+	const char me[] = "ns_query";
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_netaddr_t masterip;
+	dns_tsigkey_t *key = NULL;
+	dns_dbnode_t *node = NULL;
+	int timeout;
+	bool have_xfrsource = false, have_xfrdscp = false;
+	bool reqnsid;
+	uint16_t udpsize = SEND_BUFFER_SIZE;
+	isc_dscp_t dscp = -1;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	REQUIRE((soardataset != NULL && stub == NULL) ||
+		(soardataset == NULL && stub != NULL));
+	REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
+
+	ENTER;
+
+	if (stub == NULL) {
+		stub = isc_mem_get(zone->mctx, sizeof(*stub));
+		if (stub == NULL)
+			goto cleanup;
+		stub->magic = STUB_MAGIC;
+		stub->mctx = zone->mctx;
+		stub->zone = NULL;
+		stub->db = NULL;
+		stub->version = NULL;
+
+		/*
+		 * Attach so that the zone won't disappear from under us.
+		 */
+		zone_iattach(zone, &stub->zone);
+
+		/*
+		 * If a db exists we will update it, otherwise we create a
+		 * new one and attach it to the zone once we have the NS
+		 * RRset and glue.
+		 */
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db != NULL) {
+			dns_db_attach(zone->db, &stub->db);
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		} else {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+			INSIST(zone->db_argc >= 1);
+			result = dns_db_create(zone->mctx, zone->db_argv[0],
+					       &zone->origin, dns_dbtype_stub,
+					       zone->rdclass,
+					       zone->db_argc - 1,
+					       zone->db_argv + 1,
+					       &stub->db);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "refreshing stub: "
+					     "could not create "
+					     "database: %s",
+					     dns_result_totext(result));
+				goto cleanup;
+			}
+			dns_db_settask(stub->db, zone->task);
+		}
+
+		result = dns_db_newversion(stub->db, &stub->version);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
+				     "dns_db_newversion() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+
+		/*
+		 * Update SOA record.
+		 */
+		result = dns_db_findnode(stub->db, &zone->origin, true,
+					 &node);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
+				     "dns_db_findnode() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+
+		result = dns_db_addrdataset(stub->db, node, stub->version, 0,
+					    soardataset, 0, NULL);
+		dns_db_detachnode(stub->db, &node);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refreshing stub: "
+				     "dns_db_addrdataset() failed: %s",
+				     dns_result_totext(result));
+			goto cleanup;
+		}
+	}
+
+	/*
+	 * XXX Optimisation: Create message when zone is setup and reuse.
+	 */
+	result = create_query(zone, dns_rdatatype_ns, &message);
+	INSIST(result == ISC_R_SUCCESS);
+
+	INSIST(zone->masterscnt > 0);
+	INSIST(zone->curmaster < zone->masterscnt);
+	zone->masteraddr = zone->masters[zone->curmaster];
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL)) {
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &key);
+		if (result != ISC_R_SUCCESS) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "unable to find key: %s", namebuf);
+		}
+	}
+	if (key == NULL)
+		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
+
+	reqnsid = zone->view->requestnsid;
+	if (zone->view->peers != NULL) {
+		dns_peer_t *peer = NULL;
+		bool edns;
+		result = dns_peerlist_peerbyaddr(zone->view->peers,
+						 &masterip, &peer);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_peer_getsupportedns(peer, &edns);
+			if (result == ISC_R_SUCCESS && !edns)
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+			result = dns_peer_gettransfersource(peer,
+							    &zone->sourceaddr);
+			if (result == ISC_R_SUCCESS)
+				have_xfrsource = true;
+			result = dns_peer_gettransferdscp(peer, &dscp);
+			if (result == ISC_R_SUCCESS && dscp != -1)
+				have_xfrdscp = true;
+			if (zone->view->resolver != NULL)
+				udpsize =
+				  dns_resolver_getudpsize(zone->view->resolver);
+			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
+		}
+
+	}
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+		result = add_opt(message, udpsize, reqnsid, false);
+		if (result != ISC_R_SUCCESS)
+			zone_debuglog(zone, me, 1,
+				      "unable to add opt record: %s",
+				      dns_result_totext(result));
+	}
+
+	/*
+	 * Always use TCP so that we shouldn't truncate in additional section.
+	 */
+	switch (isc_sockaddr_pf(&zone->masteraddr)) {
+	case PF_INET:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			zone->sourceaddr = zone->altxfrsource4;
+			if (!have_xfrdscp)
+				dscp = zone->altxfrsource4dscp;
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource4;
+			if (!have_xfrdscp)
+				dscp = zone->xfrsource4dscp;
+		}
+		break;
+	case PF_INET6:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+			zone->sourceaddr = zone->altxfrsource6;
+			if (!have_xfrdscp)
+				dscp = zone->altxfrsource6dscp;
+		} else if (!have_xfrsource) {
+			zone->sourceaddr = zone->xfrsource6;
+			if (!have_xfrdscp)
+				dscp = zone->xfrsource6dscp;
+		}
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		POST(result);
+		goto cleanup;
+	}
+	timeout = 15;
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+		timeout = 30;
+	result = dns_request_createvia4(zone->view->requestmgr, message,
+					&zone->sourceaddr, &zone->masteraddr,
+					dscp, DNS_REQUESTOPT_TCP, key,
+					timeout * 3, timeout, 0, zone->task,
+					stub_callback, stub, &zone->request);
+	if (result != ISC_R_SUCCESS) {
+		zone_debuglog(zone, me, 1,
+			      "dns_request_createvia() failed: %s",
+			      dns_result_totext(result));
+		goto cleanup;
+	}
+	dns_message_destroy(&message);
+	goto unlock;
+
+ cleanup:
+	cancel_refresh(zone);
+	if (stub != NULL) {
+		stub->magic = 0;
+		if (stub->version != NULL)
+			dns_db_closeversion(stub->db, &stub->version,
+					    false);
+		if (stub->db != NULL)
+			dns_db_detach(&stub->db);
+		if (stub->zone != NULL)
+			zone_idetach(&stub->zone);
+		isc_mem_put(stub->mctx, stub, sizeof(*stub));
+	}
+	if (message != NULL)
+		dns_message_destroy(&message);
+ unlock:
+	if (key != NULL)
+		dns_tsigkey_detach(&key);
+	return;
+}
+
+/*
+ * Handle the control event.  Note that although this event causes the zone
+ * to shut down, it is not a shutdown event in the sense of the task library.
+ */
+static void
+zone_shutdown(isc_task_t *task, isc_event_t *event) {
+	dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
+	bool free_needed, linked = false;
+	dns_zone_t *raw = NULL, *secure = NULL;
+
+	UNUSED(task);
+	REQUIRE(DNS_ZONE_VALID(zone));
+	INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
+	INSIST(isc_refcount_current(&zone->erefs) == 0);
+
+	zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
+
+	/*
+	 * Stop things being restarted after we cancel them below.
+	 */
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * If we were waiting for xfrin quota, step out of
+	 * the queue.
+	 * If there's no zone manager, we can't be waiting for the
+	 * xfrin quota
+	 */
+	if (zone->zmgr != NULL) {
+		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
+			ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
+					statelink);
+			linked = true;
+			zone->statelist = NULL;
+		}
+		if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
+			ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone,
+					statelink);
+			zone->statelist = NULL;
+			zmgr_resume_xfrs(zone->zmgr, false);
+		}
+		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+	}
+
+	/*
+	 * In task context, no locking required.  See zone_xfrdone().
+	 */
+	if (zone->xfr != NULL)
+		dns_xfrin_shutdown(zone->xfr);
+
+	/* Safe to release the zone now */
+	if (zone->zmgr != NULL)
+		dns_zonemgr_releasezone(zone->zmgr, zone);
+
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (linked) {
+		INSIST(zone->irefs > 0);
+		zone->irefs--;
+	}
+	if (zone->request != NULL) {
+		dns_request_cancel(zone->request);
+	}
+
+	if (zone->readio != NULL)
+		zonemgr_cancelio(zone->readio);
+
+	if (zone->lctx != NULL)
+		dns_loadctx_cancel(zone->lctx);
+
+	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+		if (zone->writeio != NULL)
+			zonemgr_cancelio(zone->writeio);
+
+		if (zone->dctx != NULL)
+			dns_dumpctx_cancel(zone->dctx);
+	}
+
+	notify_cancel(zone);
+
+	forward_cancel(zone);
+
+	if (zone->timer != NULL) {
+		isc_timer_detach(&zone->timer);
+		INSIST(zone->irefs > 0);
+		zone->irefs--;
+	}
+
+	/*
+	 * We have now canceled everything set the flag to allow exit_check()
+	 * to succeed.	We must not unlock between setting this flag and
+	 * calling exit_check().
+	 */
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
+	free_needed = exit_check(zone);
+	if (inline_secure(zone)) {
+		raw = zone->raw;
+		zone->raw = NULL;
+	}
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		zone->secure = NULL;
+	}
+	UNLOCK_ZONE(zone);
+	if (raw != NULL)
+		dns_zone_detach(&raw);
+	if (secure != NULL)
+		dns_zone_idetach(&secure);
+	if (free_needed)
+		zone_free(zone);
+}
+
+static void
+zone_timer(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "zone_timer";
+	dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
+
+	UNUSED(task);
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	zone_maintenance(zone);
+
+	isc_event_free(&event);
+}
+
+static void
+zone_settimer(dns_zone_t *zone, isc_time_t *now) {
+	const char me[] = "zone_settimer";
+	isc_time_t next;
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	ENTER;
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+		return;
+
+	isc_time_settoepoch(&next);
+
+	switch (zone->type) {
+	case dns_zone_redirect:
+		if (zone->masters != NULL)
+			goto treat_as_slave;
+		/* FALLTHROUGH */
+
+	case dns_zone_master:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
+			next = zone->notifytime;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+				next = zone->dumptime;
+		}
+		if (zone->type == dns_zone_redirect)
+			break;
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING) &&
+		    !isc_time_isepoch(&zone->refreshkeytime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->refreshkeytime, &next) < 0)
+				next = zone->refreshkeytime;
+		}
+		if (!isc_time_isepoch(&zone->resigntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->resigntime, &next) < 0)
+				next = zone->resigntime;
+		}
+		if (!isc_time_isepoch(&zone->keywarntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->keywarntime, &next) < 0)
+				next = zone->keywarntime;
+		}
+		if (!isc_time_isepoch(&zone->signingtime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->signingtime, &next) < 0)
+				next = zone->signingtime;
+		}
+		if (!isc_time_isepoch(&zone->nsec3chaintime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->nsec3chaintime, &next) < 0)
+				next = zone->nsec3chaintime;
+		}
+		break;
+
+	case dns_zone_slave:
+	treat_as_slave:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) ||
+		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDSTARTUPNOTIFY))
+			next = zone->notifytime;
+		/* FALLTHROUGH */
+
+	case dns_zone_stub:
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING) &&
+		    !isc_time_isepoch(&zone->refreshtime) &&
+		    (isc_time_isepoch(&next) ||
+		     isc_time_compare(&zone->refreshtime, &next) < 0))
+			next = zone->refreshtime;
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+		    !isc_time_isepoch(&zone->expiretime)) {
+			if (isc_time_isepoch(&next) ||
+			     isc_time_compare(&zone->expiretime, &next) < 0)
+				next = zone->expiretime;
+		}
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+				next = zone->dumptime;
+		}
+		break;
+
+	case dns_zone_key:
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+		    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+			INSIST(!isc_time_isepoch(&zone->dumptime));
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->dumptime, &next) < 0)
+				next = zone->dumptime;
+		}
+		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESHING)) {
+			if (isc_time_isepoch(&next) ||
+			    (!isc_time_isepoch(&zone->refreshkeytime) &&
+			    isc_time_compare(&zone->refreshkeytime, &next) < 0))
+				next = zone->refreshkeytime;
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	if (isc_time_isepoch(&next)) {
+		zone_debuglog(zone, me, 10, "settimer inactive");
+		result = isc_timer_reset(zone->timer, isc_timertype_inactive,
+					  NULL, NULL, true);
+		if (result != ISC_R_SUCCESS)
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "could not deactivate zone timer: %s",
+				     isc_result_totext(result));
+	} else {
+		if (isc_time_compare(&next, now) <= 0)
+			next = *now;
+		result = isc_timer_reset(zone->timer, isc_timertype_once,
+					 &next, NULL, true);
+		if (result != ISC_R_SUCCESS)
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "could not reset zone timer: %s",
+				     isc_result_totext(result));
+	}
+}
+
+static void
+cancel_refresh(dns_zone_t *zone) {
+	const char me[] = "cancel_refresh";
+	isc_time_t now;
+
+	/*
+	 * 'zone' locked by caller.
+	 */
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+
+	ENTER;
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	TIME_NOW(&now);
+	zone_settimer(zone, &now);
+}
+
+static isc_result_t
+notify_createmessage(dns_zone_t *zone, unsigned int flags,
+		     dns_message_t **messagep)
+{
+	dns_db_t *zonedb = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_message_t *message = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+
+	dns_name_t *tempname = NULL;
+	dns_rdata_t *temprdata = NULL;
+	dns_rdatalist_t *temprdatalist = NULL;
+	dns_rdataset_t *temprdataset = NULL;
+
+	isc_result_t result;
+	isc_region_t r;
+	isc_buffer_t *b = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(messagep != NULL && *messagep == NULL);
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+				    &message);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	message->opcode = dns_opcode_notify;
+	message->flags |= DNS_MESSAGEFLAG_AA;
+	message->rdclass = zone->rdclass;
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * Make question.
+	 */
+	dns_name_init(tempname, NULL);
+	dns_name_clone(&zone->origin, tempname);
+	dns_rdataset_makequestion(temprdataset, zone->rdclass,
+				  dns_rdatatype_soa);
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
+	tempname = NULL;
+	temprdataset = NULL;
+
+	if ((flags & DNS_NOTIFY_NOSOA) != 0)
+		goto done;
+
+	result = dns_message_gettempname(message, &tempname);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	result = dns_message_gettemprdata(message, &temprdata);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	result = dns_message_gettemprdataset(message, &temprdataset);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	result = dns_message_gettemprdatalist(message, &temprdatalist);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	INSIST(zone->db != NULL); /* XXXJT: is this assumption correct? */
+	dns_db_attach(zone->db, &zonedb);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	dns_name_init(tempname, NULL);
+	dns_name_clone(&zone->origin, tempname);
+	dns_db_currentversion(zonedb, &version);
+	result = dns_db_findnode(zonedb, tempname, false, &node);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(zonedb, node, version,
+				     dns_rdatatype_soa,
+				     dns_rdatatype_none, 0, &rdataset,
+				     NULL);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	result = dns_rdataset_first(&rdataset);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	dns_rdataset_current(&rdataset, &rdata);
+	dns_rdata_toregion(&rdata, &r);
+	result = isc_buffer_allocate(zone->mctx, &b, r.length);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+	isc_buffer_putmem(b, r.base, r.length);
+	isc_buffer_usedregion(b, &r);
+	dns_rdata_init(temprdata);
+	dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
+	dns_message_takebuffer(message, &b);
+	result = dns_rdataset_next(&rdataset);
+	dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOMORE)
+		goto soa_cleanup;
+	temprdatalist->rdclass = rdata.rdclass;
+	temprdatalist->type = rdata.type;
+	temprdatalist->ttl = rdataset.ttl;
+	ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
+
+	result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
+	if (result != ISC_R_SUCCESS)
+		goto soa_cleanup;
+
+	ISC_LIST_APPEND(tempname->list, temprdataset, link);
+	dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
+	temprdatalist = NULL;
+	temprdataset = NULL;
+	temprdata = NULL;
+	tempname = NULL;
+
+ soa_cleanup:
+	if (node != NULL)
+		dns_db_detachnode(zonedb, &node);
+	if (version != NULL)
+		dns_db_closeversion(zonedb, &version, false);
+	if (zonedb != NULL)
+		dns_db_detach(&zonedb);
+	if (tempname != NULL)
+		dns_message_puttempname(message, &tempname);
+	if (temprdata != NULL)
+		dns_message_puttemprdata(message, &temprdata);
+	if (temprdataset != NULL)
+		dns_message_puttemprdataset(message, &temprdataset);
+	if (temprdatalist != NULL)
+		dns_message_puttemprdatalist(message, &temprdatalist);
+
+ done:
+	*messagep = message;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (tempname != NULL)
+		dns_message_puttempname(message, &tempname);
+	if (temprdataset != NULL)
+		dns_message_puttemprdataset(message, &temprdataset);
+	dns_message_destroy(&message);
+	return (result);
+}
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+		       dns_message_t *msg)
+{
+	return (dns_zone_notifyreceive2(zone, from, NULL, msg));
+}
+
+isc_result_t
+dns_zone_notifyreceive2(dns_zone_t *zone, isc_sockaddr_t *from,
+			isc_sockaddr_t *to, dns_message_t *msg)
+{
+	unsigned int i;
+	dns_rdata_soa_t soa;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	char fromtext[ISC_SOCKADDR_FORMATSIZE];
+	int match = 0;
+	isc_netaddr_t netaddr;
+	uint32_t serial = 0;
+	bool have_serial = false;
+	dns_tsigkey_t *tsigkey;
+	dns_name_t *tsig;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	/*
+	 * If type != T_SOA return DNS_R_NOTIMP.  We don't yet support
+	 * ROLLOVER.
+	 *
+	 * SOA:	RFC1996
+	 * Check that 'from' is a valid notify source, (zone->masters).
+	 *	Return DNS_R_REFUSED if not.
+	 *
+	 * If the notify message contains a serial number check it
+	 * against the zones serial and return if <= current serial
+	 *
+	 * If a refresh check is progress, if so just record the
+	 * fact we received a NOTIFY and from where and return.
+	 * We will perform a new refresh check when the current one
+	 * completes. Return ISC_R_SUCCESS.
+	 *
+	 * Otherwise initiate a refresh check using 'from' as the
+	 * first address to check.  Return ISC_R_SUCCESS.
+	 */
+
+	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+
+	/*
+	 * Notify messages are processed by the raw zone.
+	 */
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone)) {
+		result = dns_zone_notifyreceive2(zone->raw, from, to, msg);
+		UNLOCK_ZONE(zone);
+		return (result);
+	}
+	/*
+	 *  We only handle NOTIFY (SOA) at the present.
+	 */
+	if (isc_sockaddr_pf(from) == PF_INET)
+		inc_stats(zone, dns_zonestatscounter_notifyinv4);
+	else
+		inc_stats(zone, dns_zonestatscounter_notifyinv6);
+	if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
+	    dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
+				 dns_rdatatype_soa, dns_rdatatype_none,
+				 NULL, NULL) != ISC_R_SUCCESS) {
+		UNLOCK_ZONE(zone);
+		if (msg->counts[DNS_SECTION_QUESTION] == 0) {
+			dns_zone_log(zone, ISC_LOG_NOTICE,
+				     "NOTIFY with no "
+				     "question section from: %s", fromtext);
+			return (DNS_R_FORMERR);
+		}
+		dns_zone_log(zone, ISC_LOG_NOTICE,
+			     "NOTIFY zone does not match");
+		return (DNS_R_NOTIMP);
+	}
+
+	/*
+	 * If we are a master zone just succeed.
+	 */
+	if (zone->type == dns_zone_master) {
+		UNLOCK_ZONE(zone);
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_netaddr_fromsockaddr(&netaddr, from);
+	for (i = 0; i < zone->masterscnt; i++) {
+		if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
+			break;
+		if (zone->view->aclenv.match_mapped &&
+		    IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
+		    isc_sockaddr_pf(&zone->masters[i]) == AF_INET) {
+			isc_netaddr_t na1, na2;
+			isc_netaddr_fromv4mapped(&na1, &netaddr);
+			isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
+			if (isc_netaddr_equal(&na1, &na2))
+				break;
+		}
+	}
+
+	/*
+	 * Accept notify requests from non masters if they are on
+	 * 'zone->notify_acl'.
+	 */
+	tsigkey = dns_message_gettsigkey(msg);
+	tsig = dns_tsigkey_identity(tsigkey);
+	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
+	    dns_acl_match(&netaddr, tsig, zone->notify_acl,
+			  &zone->view->aclenv,
+			  &match, NULL) == ISC_R_SUCCESS &&
+	    match > 0)
+	{
+		/* Accept notify. */
+	} else if (i >= zone->masterscnt) {
+		UNLOCK_ZONE(zone);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "refused notify from non-master: %s", fromtext);
+		inc_stats(zone, dns_zonestatscounter_notifyrej);
+		return (DNS_R_REFUSED);
+	}
+
+	/*
+	 * If the zone is loaded and there are answers check the serial
+	 * to see if we need to do a refresh.  Do not worry about this
+	 * check if we are a dialup zone as we use the notify request
+	 * to trigger a refresh check.
+	 */
+	if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) {
+		result = dns_message_findname(msg, DNS_SECTION_ANSWER,
+					      &zone->origin,
+					      dns_rdatatype_soa,
+					      dns_rdatatype_none, NULL,
+					      &rdataset);
+		if (result == ISC_R_SUCCESS)
+			result = dns_rdataset_first(rdataset);
+		if (result == ISC_R_SUCCESS) {
+			uint32_t oldserial;
+			unsigned int soacount;
+
+			dns_rdataset_current(rdataset, &rdata);
+			result = dns_rdata_tostruct(&rdata, &soa, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			serial = soa.serial;
+			have_serial = true;
+			/*
+			 * The following should safely be performed without DB
+			 * lock and succeed in this context.
+			 */
+			result = zone_get_from_db(zone, zone->db, NULL,
+						  &soacount, &oldserial, NULL,
+						  NULL, NULL, NULL, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			RUNTIME_CHECK(soacount > 0U);
+			if (isc_serial_le(serial, oldserial)) {
+				dns_zone_log(zone,
+					     ISC_LOG_INFO,
+					     "notify from %s: "
+					     "zone is up to date",
+					     fromtext);
+				UNLOCK_ZONE(zone);
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+
+	/*
+	 * If we got this far and there was a refresh in progress just
+	 * let it complete.  Record where we got the notify from so we
+	 * can perform a refresh check when the current one completes
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+		zone->notifyfrom = *from;
+		UNLOCK_ZONE(zone);
+		if (have_serial)
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "notify from %s: serial %u: refresh in "
+				     "progress, refresh check queued",
+				      fromtext, serial);
+		else
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "notify from %s: refresh in progress, "
+				     "refresh check queued", fromtext);
+		return (ISC_R_SUCCESS);
+	}
+	if (have_serial)
+		dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: serial %u",
+			     fromtext, serial);
+	else
+		dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: no serial",
+			     fromtext);
+	zone->notifyfrom = *from;
+	UNLOCK_ZONE(zone);
+
+	if (to != NULL) {
+		dns_zonemgr_unreachabledel(zone->zmgr, from, to);
+	}
+	dns_zone_refresh(zone);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->notify_acl != NULL)
+		dns_acl_detach(&zone->notify_acl);
+	dns_acl_attach(acl, &zone->notify_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->query_acl != NULL)
+		dns_acl_detach(&zone->query_acl);
+	dns_acl_attach(acl, &zone->query_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	dns_acl_attach(acl, &zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->update_acl != NULL)
+		dns_acl_detach(&zone->update_acl);
+	dns_acl_attach(acl, &zone->update_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->forward_acl != NULL)
+		dns_acl_detach(&zone->forward_acl);
+	dns_acl_attach(acl, &zone->forward_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->xfr_acl != NULL)
+		dns_acl_detach(&zone->xfr_acl);
+	dns_acl_attach(acl, &zone->xfr_acl);
+	UNLOCK_ZONE(zone);
+}
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->notify_acl);
+}
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->query_acl);
+}
+
+dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->queryon_acl);
+}
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->update_acl);
+}
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->forward_acl);
+}
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->xfr_acl);
+}
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->update_acl != NULL)
+		dns_acl_detach(&zone->update_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->forward_acl != NULL)
+		dns_acl_detach(&zone->forward_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->notify_acl != NULL)
+		dns_acl_detach(&zone->notify_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->query_acl != NULL)
+		dns_acl_detach(&zone->query_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->xfr_acl != NULL)
+		dns_acl_detach(&zone->xfr_acl);
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getupdatedisabled(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->update_disabled);
+
+}
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, bool state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->update_disabled = state;
+}
+
+bool
+dns_zone_getzeronosoattl(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->zero_no_soa_ttl);
+
+}
+
+void
+dns_zone_setzeronosoattl(dns_zone_t *zone, bool state) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->zero_no_soa_ttl = state;
+}
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->check_names = severity;
+}
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->check_names);
+}
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, int32_t size) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->journalsize = size;
+}
+
+int32_t
+dns_zone_getjournalsize(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->journalsize);
+}
+
+static void
+zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_result_t result = ISC_R_FAILURE;
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	if (zone->type != dns_zone_redirect && zone->type != dns_zone_key) {
+		if (dns_name_dynamic(&zone->origin))
+			result = dns_name_totext(&zone->origin, true, &buffer);
+		if (result != ISC_R_SUCCESS &&
+		    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+			isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+		if (isc_buffer_availablelength(&buffer) > 0)
+			isc_buffer_putstr(&buffer, "/");
+		(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+	}
+
+	if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
+	    strcmp(zone->view->name, "_default") != 0 &&
+	    strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, "/");
+		isc_buffer_putstr(&buffer, zone->view->name);
+	}
+	if (inline_secure(zone) && 9U < isc_buffer_availablelength(&buffer))
+		isc_buffer_putstr(&buffer, " (signed)");
+	if (inline_raw(zone) && 11U < isc_buffer_availablelength(&buffer))
+		isc_buffer_putstr(&buffer, " (unsigned)");
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_result_t result = ISC_R_FAILURE;
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	if (dns_name_dynamic(&zone->origin))
+		result = dns_name_totext(&zone->origin, true, &buffer);
+	if (result != ISC_R_SUCCESS &&
+	    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+		isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, (unsigned int)length - 1);
+
+	if (zone->view == NULL) {
+		isc_buffer_putstr(&buffer, "_none");
+	} else if (strlen(zone->view->name)
+		   < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, zone->view->name);
+	} else {
+		isc_buffer_putstr(&buffer, "_toolong");
+	}
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(buf != NULL);
+	zone_namerd_tostr(zone, buf, length);
+}
+
+void
+dns_zone_nameonly(dns_zone_t *zone, char *buf, size_t length) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(buf != NULL);
+	zone_name_tostr(zone, buf, length);
+}
+
+void
+dns_zone_logv(dns_zone_t *zone, isc_logcategory_t *category, int level,
+	      const char *prefix, const char *fmt, va_list ap)
+{
+	char message[4096];
+	const char *zstr;
+
+	if (!isc_log_wouldlog(dns_lctx, level)) {
+		return;
+	}
+
+	vsnprintf(message, sizeof(message), fmt, ap);
+
+	switch (zone->type) {
+	case dns_zone_key:
+		zstr = "managed-keys-zone";
+		break;
+	case dns_zone_redirect:
+		zstr = "redirect-zone";
+		break;
+	default:
+		zstr = "zone ";
+	}
+
+	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE, level,
+		      "%s%s%s%s: %s",
+		      (prefix != NULL ? prefix : ""),
+		      (prefix != NULL ? ": " : ""),
+		      zstr, zone->strnamerd, message);
+}
+
+static void
+notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_NOTIFY, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
+	      int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, category, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, NULL, fmt, ap);
+	va_end(ap);
+}
+
+static void
+zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
+	      const char *fmt, ...)
+{
+	int level = ISC_LOG_DEBUG(debuglevel);
+	va_list ap;
+
+	va_start(ap, fmt);
+	dns_zone_logv(zone, DNS_LOGCATEGORY_GENERAL, level, me, fmt, ap);
+	va_end(ap);
+}
+
+static int
+message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
+{
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *curr;
+	int count = 0;
+
+	result = dns_message_firstname(msg, section);
+	while (result == ISC_R_SUCCESS) {
+		name = NULL;
+		dns_message_currentname(msg, section, &name);
+
+		for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
+		     curr = ISC_LIST_PREV(curr, link)) {
+			if (curr->type == type)
+				count++;
+		}
+		result = dns_message_nextname(msg, section);
+	}
+
+	return (count);
+}
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, uint32_t maxxfrin) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->maxxfrin = maxxfrin;
+}
+
+uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxxfrin);
+}
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, uint32_t maxxfrout) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->maxxfrout = maxxfrout;
+}
+
+uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->maxxfrout);
+}
+
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->type);
+}
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (&zone->origin);
+}
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->task != NULL)
+		isc_task_detach(&zone->task);
+	isc_task_attach(task, &zone->task);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_settask(zone->db, zone->task);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	isc_task_attach(zone->task, target);
+}
+
+void
+dns_zone_setidlein(dns_zone_t *zone, uint32_t idlein) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (idlein == 0)
+		idlein = DNS_DEFAULT_IDLEIN;
+	zone->idlein = idlein;
+}
+
+uint32_t
+dns_zone_getidlein(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->idlein);
+}
+
+void
+dns_zone_setidleout(dns_zone_t *zone, uint32_t idleout) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->idleout = idleout;
+}
+
+uint32_t
+dns_zone_getidleout(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->idleout);
+}
+
+static void
+notify_done(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_notify_t *notify;
+	isc_result_t result;
+	dns_message_t *message = NULL;
+	isc_buffer_t buf;
+	char rcode[128];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(task);
+
+	notify = event->ev_arg;
+	REQUIRE(DNS_NOTIFY_VALID(notify));
+	INSIST(task == notify->zone->task);
+
+	isc_buffer_init(&buf, rcode, sizeof(rcode));
+	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+
+	result = revent->result;
+	if (result == ISC_R_SUCCESS)
+		result = dns_message_create(notify->zone->mctx,
+					    DNS_MESSAGE_INTENTPARSE, &message);
+	if (result == ISC_R_SUCCESS)
+		result = dns_request_getresponse(revent->request, message,
+					DNS_MESSAGEPARSE_PRESERVEORDER);
+	if (result == ISC_R_SUCCESS)
+		result = dns_rcode_totext(message->rcode, &buf);
+	if (result == ISC_R_SUCCESS)
+		notify_log(notify->zone, ISC_LOG_DEBUG(3),
+			   "notify response from %s: %.*s",
+			   addrbuf, (int)buf.used, rcode);
+	else
+		notify_log(notify->zone, ISC_LOG_DEBUG(2),
+			   "notify to %s failed: %s", addrbuf,
+			   dns_result_totext(result));
+
+	/*
+	 * Old bind's return formerr if they see a soa record.	Retry w/o
+	 * the soa if we see a formerr and had sent a SOA.
+	 */
+	isc_event_free(&event);
+	if (message != NULL && message->rcode == dns_rcode_formerr &&
+	    (notify->flags & DNS_NOTIFY_NOSOA) == 0) {
+		bool startup;
+
+		notify->flags |= DNS_NOTIFY_NOSOA;
+		dns_request_destroy(&notify->request);
+		startup = (notify->flags & DNS_NOTIFY_STARTUP);
+		result = notify_send_queue(notify, startup);
+		if (result != ISC_R_SUCCESS)
+			notify_destroy(notify, false);
+	} else {
+		if (result == ISC_R_TIMEDOUT)
+			notify_log(notify->zone, ISC_LOG_DEBUG(1),
+				   "notify to %s: retries exceeded", addrbuf);
+		notify_destroy(notify, false);
+	}
+	if (message != NULL)
+		dns_message_destroy(&message);
+}
+
+struct secure_event {
+	isc_event_t e;
+	dns_db_t *db;
+	uint32_t serial;
+};
+
+static void
+update_log_cb(void *arg, dns_zone_t *zone, int level, const char *message) {
+	UNUSED(arg);
+	dns_zone_log(zone, level, "%s", message);
+}
+
+static isc_result_t
+sync_secure_journal(dns_zone_t *zone, dns_zone_t *raw, dns_journal_t *journal,
+		    uint32_t start, uint32_t end,
+		    dns_difftuple_t **soatuplep, dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple = NULL;
+	dns_diffop_t op = DNS_DIFFOP_ADD;
+	int n_soa = 0;
+
+	REQUIRE(soatuplep != NULL);
+
+	if (start == end)
+		return (DNS_R_UNCHANGED);
+
+	CHECK(dns_journal_iter_init(journal, start, end));
+	for (result = dns_journal_first_rr(journal);
+	     result == ISC_R_SUCCESS;
+	     result = dns_journal_next_rr(journal))
+	{
+		dns_name_t *name = NULL;
+		uint32_t ttl;
+		dns_rdata_t *rdata = NULL;
+		dns_journal_current_rr(journal, &name, &ttl, &rdata);
+
+		if (rdata->type == dns_rdatatype_soa) {
+			n_soa++;
+			if (n_soa == 2) {
+				/*
+				 * Save the latest raw SOA record.
+				 */
+				if (*soatuplep != NULL)
+					dns_difftuple_free(soatuplep);
+				CHECK(dns_difftuple_create(diff->mctx,
+							   DNS_DIFFOP_ADD,
+							   name, ttl, rdata,
+							   soatuplep));
+			}
+			if (n_soa == 3)
+				n_soa = 1;
+			continue;
+		}
+
+		/* Sanity. */
+		if (n_soa == 0) {
+			dns_zone_log(raw, ISC_LOG_ERROR,
+				     "corrupt journal file: '%s'\n",
+				     raw->journal);
+			return (ISC_R_FAILURE);
+		}
+
+		if (zone->privatetype != 0 &&
+		    rdata->type == zone->privatetype)
+			continue;
+
+		if (rdata->type == dns_rdatatype_nsec ||
+		    rdata->type == dns_rdatatype_rrsig ||
+		    rdata->type == dns_rdatatype_nsec3 ||
+		    rdata->type == dns_rdatatype_dnskey ||
+		    rdata->type == dns_rdatatype_nsec3param)
+			continue;
+
+		op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
+
+		CHECK(dns_difftuple_create(diff->mctx, op, name, ttl, rdata,
+					   &tuple));
+		dns_diff_appendminimal(diff, &tuple);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	return(result);
+}
+
+static isc_result_t
+sync_secure_db(dns_zone_t *seczone, dns_zone_t *raw, dns_db_t *secdb,
+	       dns_dbversion_t *secver, dns_difftuple_t **soatuple,
+	       dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_db_t *rawdb = NULL;
+	dns_dbversion_t *rawver = NULL;
+	dns_difftuple_t *tuple = NULL, *next;
+	dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
+	dns_rdata_soa_t oldsoa, newsoa;
+
+	REQUIRE(DNS_ZONE_VALID(seczone));
+	REQUIRE(soatuple != NULL && *soatuple == NULL);
+
+	if (!seczone->sourceserialset)
+		return (DNS_R_UNCHANGED);
+
+	dns_db_attach(raw->db, &rawdb);
+	dns_db_currentversion(rawdb, &rawver);
+	result = dns_db_diffx(diff, rawdb, rawver, secdb, secver, NULL);
+	dns_db_closeversion(rawdb, &rawver, false);
+	dns_db_detach(&rawdb);
+
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = next)
+	{
+		next = ISC_LIST_NEXT(tuple, link);
+		if (tuple->rdata.type == dns_rdatatype_nsec ||
+		    tuple->rdata.type == dns_rdatatype_rrsig ||
+		    tuple->rdata.type == dns_rdatatype_dnskey ||
+		    tuple->rdata.type == dns_rdatatype_nsec3 ||
+		    tuple->rdata.type == dns_rdatatype_nsec3param)
+		{
+			ISC_LIST_UNLINK(diff->tuples, tuple, link);
+			dns_difftuple_free(&tuple);
+			continue;
+		}
+		if (tuple->rdata.type == dns_rdatatype_soa) {
+			if (tuple->op == DNS_DIFFOP_DEL) {
+				INSIST(oldtuple == NULL);
+				oldtuple = tuple;
+			}
+			if (tuple->op == DNS_DIFFOP_ADD) {
+				INSIST(newtuple == NULL);
+				newtuple = tuple;
+			}
+		}
+	}
+
+	if (oldtuple != NULL && newtuple != NULL) {
+
+		result = dns_rdata_tostruct(&oldtuple->rdata, &oldsoa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		result = dns_rdata_tostruct(&newtuple->rdata, &newsoa, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		/*
+		 * If the SOA records are the same except for the serial
+		 * remove them from the diff.
+		 */
+		if (oldsoa.refresh == newsoa.refresh &&
+		    oldsoa.retry == newsoa.retry &&
+		    oldsoa.minimum == newsoa.minimum &&
+		    oldsoa.expire == newsoa.expire &&
+		    dns_name_equal(&oldsoa.origin, &newsoa.origin) &&
+		    dns_name_equal(&oldsoa.contact, &newsoa.contact)) {
+			ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
+			dns_difftuple_free(&oldtuple);
+			ISC_LIST_UNLINK(diff->tuples, newtuple, link);
+			dns_difftuple_free(&newtuple);
+		}
+	}
+
+	if (ISC_LIST_EMPTY(diff->tuples))
+		return (DNS_R_UNCHANGED);
+
+	/*
+	 * If there are still SOA records in the diff they can now be removed
+	 * saving the new SOA record.
+	 */
+	if (oldtuple != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, oldtuple, link);
+		dns_difftuple_free(&oldtuple);
+	}
+
+	if (newtuple != NULL) {
+		ISC_LIST_UNLINK(diff->tuples, newtuple, link);
+		*soatuple = newtuple;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+receive_secure_serial(isc_task_t *task, isc_event_t *event) {
+	static char me[] = "receive_secure_serial";
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_journal_t *rjournal = NULL;
+	dns_journal_t *sjournal = NULL;
+	uint32_t start, end;
+	dns_zone_t *zone;
+	dns_difftuple_t *tuple = NULL, *soatuple = NULL;
+	dns_update_log_t log = { update_log_cb, NULL };
+	uint32_t newserial = 0, desired = 0;
+	isc_time_t timenow;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	end = ((struct secure_event *)event)->serial;
+
+	ENTER;
+
+	LOCK_ZONE(zone);
+
+	/*
+	 * If we are already processing a receive secure serial event
+	 * for the zone, just queue the new one and exit.
+	 */
+	if (zone->rss_event != NULL && zone->rss_event != event) {
+		ISC_LIST_APPEND(zone->rss_events, event, ev_link);
+		UNLOCK_ZONE(zone);
+		return;
+	}
+
+ nextevent:
+	if (zone->rss_event != NULL) {
+		INSIST(zone->rss_event == event);
+		UNLOCK_ZONE(zone);
+	} else {
+		zone->rss_event = event;
+		dns_diff_init(zone->mctx, &zone->rss_diff);
+
+		/*
+		 * zone->db may be NULL, if the load from disk failed.
+		 */
+		result = ISC_R_SUCCESS;
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db != NULL)
+			dns_db_attach(zone->db, &zone->rss_db);
+		else
+			result = ISC_R_FAILURE;
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+		if (result == ISC_R_SUCCESS && zone->raw != NULL)
+			dns_zone_attach(zone->raw, &zone->rss_raw);
+		else
+			result = ISC_R_FAILURE;
+
+		UNLOCK_ZONE(zone);
+
+		CHECK(result);
+
+		/*
+		 * We first attempt to sync the raw zone to the secure zone
+		 * by using the raw zone's journal, applying all the deltas
+		 * from the latest source-serial of the secure zone up to
+		 * the current serial number of the raw zone.
+		 *
+		 * If that fails, then we'll fall back to a direct comparison
+		 * between raw and secure zones.
+		 */
+		CHECK(dns_journal_open(zone->rss_raw->mctx,
+				       zone->rss_raw->journal,
+				       DNS_JOURNAL_WRITE, &rjournal));
+
+		result = dns_journal_open(zone->mctx, zone->journal,
+					  DNS_JOURNAL_READ, &sjournal);
+		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+			goto failure;
+
+		if (!dns_journal_get_sourceserial(rjournal, &start)) {
+			start = dns_journal_first_serial(rjournal);
+			dns_journal_set_sourceserial(rjournal, start);
+		}
+		if (sjournal != NULL) {
+			uint32_t serial;
+			/*
+			 * We read the secure journal first, if that
+			 * exists use its value provided it is greater
+			 * that from the raw journal.
+			 */
+			if (dns_journal_get_sourceserial(sjournal, &serial)) {
+				if (isc_serial_gt(serial, start))
+					start = serial;
+			}
+			dns_journal_destroy(&sjournal);
+		}
+
+		dns_db_currentversion(zone->rss_db, &zone->rss_oldver);
+		CHECK(dns_db_newversion(zone->rss_db, &zone->rss_newver));
+
+		/*
+		 * Try to apply diffs from the raw zone's journal to the secure
+		 * zone.  If that fails, we recover by syncing up the databases
+		 * directly.
+		 */
+		result = sync_secure_journal(zone, zone->rss_raw, rjournal,
+					     start, end, &soatuple,
+					     &zone->rss_diff);
+		if (result == DNS_R_UNCHANGED)
+			goto failure;
+		else if (result != ISC_R_SUCCESS)
+			CHECK(sync_secure_db(zone, zone->rss_raw, zone->rss_db,
+					     zone->rss_oldver, &soatuple,
+					     &zone->rss_diff));
+
+		CHECK(dns_diff_apply(&zone->rss_diff, zone->rss_db,
+				     zone->rss_newver));
+
+		if (soatuple != NULL) {
+			uint32_t oldserial;
+
+			CHECK(dns_db_createsoatuple(zone->rss_db,
+						    zone->rss_oldver,
+						    zone->rss_diff.mctx,
+						    DNS_DIFFOP_DEL, &tuple));
+			oldserial = dns_soa_getserial(&tuple->rdata);
+			newserial = desired =
+				    dns_soa_getserial(&soatuple->rdata);
+			if (!isc_serial_gt(newserial, oldserial)) {
+				newserial = oldserial + 1;
+				if (newserial == 0)
+					newserial++;
+				dns_soa_setserial(newserial, &soatuple->rdata);
+			}
+			CHECK(do_one_tuple(&tuple, zone->rss_db,
+					   zone->rss_newver, &zone->rss_diff));
+			CHECK(do_one_tuple(&soatuple, zone->rss_db,
+					   zone->rss_newver, &zone->rss_diff));
+		} else
+			CHECK(update_soa_serial(zone->rss_db, zone->rss_newver,
+						&zone->rss_diff, zone->mctx,
+						zone->updatemethod));
+
+	}
+	result = dns_update_signaturesinc(&log, zone, zone->rss_db,
+					  zone->rss_oldver, zone->rss_newver,
+					  &zone->rss_diff,
+					  zone->sigvalidityinterval,
+					  &zone->rss_state);
+	if (result == DNS_R_CONTINUE) {
+		if (rjournal != NULL)
+			dns_journal_destroy(&rjournal);
+		isc_task_send(task, &event);
+		fprintf(stderr, "looping on dns_update_signaturesinc\n");
+		return;
+	}
+	/*
+	 * If something went wrong while trying to update the secure zone and
+	 * the latter was already signed before, do not apply raw zone deltas
+	 * to it as that would break existing DNSSEC signatures.  However, if
+	 * the secure zone was not yet signed (e.g. because no signing keys
+	 * were created for it), commence applying raw zone deltas to it so
+	 * that contents of the raw zone and the secure zone are kept in sync.
+	 */
+	if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) {
+		goto failure;
+	}
+
+	if (rjournal == NULL)
+		CHECK(dns_journal_open(zone->rss_raw->mctx,
+				       zone->rss_raw->journal,
+				       DNS_JOURNAL_WRITE, &rjournal));
+	CHECK(zone_journal(zone, &zone->rss_diff, &end,
+			   "receive_secure_serial"));
+
+	dns_journal_set_sourceserial(rjournal, end);
+	dns_journal_commit(rjournal);
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+	zone->sourceserial = end;
+	zone->sourceserialset = true;
+	zone_needdump(zone, DNS_DUMP_DELAY);
+
+	TIME_NOW(&timenow);
+	zone_settimer(zone, &timenow);
+	UNLOCK_ZONE(zone);
+
+	dns_db_closeversion(zone->rss_db, &zone->rss_oldver, false);
+	dns_db_closeversion(zone->rss_db, &zone->rss_newver, true);
+
+	if (newserial != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
+			     newserial, desired);
+	}
+
+ failure:
+	isc_event_free(&zone->rss_event);
+	event = ISC_LIST_HEAD(zone->rss_events);
+
+	if (zone->rss_raw != NULL)
+		dns_zone_detach(&zone->rss_raw);
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s",
+			     dns_result_totext(result));
+	if (tuple != NULL)
+		dns_difftuple_free(&tuple);
+	if (soatuple != NULL)
+		dns_difftuple_free(&soatuple);
+	if (zone->rss_db != NULL) {
+		if (zone->rss_oldver != NULL)
+			dns_db_closeversion(zone->rss_db, &zone->rss_oldver,
+					    false);
+		if (zone->rss_newver != NULL)
+			dns_db_closeversion(zone->rss_db, &zone->rss_newver,
+					    false);
+		dns_db_detach(&zone->rss_db);
+	}
+	INSIST(zone->rss_oldver == NULL);
+	INSIST(zone->rss_newver == NULL);
+	if (rjournal != NULL)
+		dns_journal_destroy(&rjournal);
+	dns_diff_clear(&zone->rss_diff);
+
+	if (event != NULL) {
+		LOCK_ZONE(zone);
+		INSIST(zone->irefs > 1);
+		zone->irefs--;
+		ISC_LIST_UNLINK(zone->rss_events, event, ev_link);
+		goto nextevent;
+	}
+	dns_zone_idetach(&zone);
+}
+
+static isc_result_t
+zone_send_secureserial(dns_zone_t *zone, uint32_t serial) {
+	isc_event_t *e;
+	dns_zone_t *dummy = NULL;
+
+	e = isc_event_allocate(zone->secure->mctx, zone,
+			       DNS_EVENT_ZONESECURESERIAL,
+			       receive_secure_serial, zone->secure,
+			       sizeof(struct secure_event));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+	((struct secure_event *)e)->serial = serial;
+	INSIST(LOCKED_ZONE(zone->secure));
+	zone_iattach(zone->secure, &dummy);
+	isc_task_send(zone->secure->task, &e);
+
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+checkandaddsoa(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+	       dns_rdataset_t *rdataset, uint32_t oldserial)
+{
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t temprdatalist;
+	dns_rdataset_t temprdataset;
+	isc_buffer_t b;
+	isc_result_t result;
+	unsigned char buf[DNS_SOA_BUFFERSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+
+	result = dns_rdataset_first(rdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_current(rdataset, &rdata);
+	result = dns_rdata_tostruct(&rdata, &soa, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	if (isc_serial_gt(soa.serial, oldserial))
+		return (dns_db_addrdataset(db, node, version, 0, rdataset, 0,
+					   NULL));
+	/*
+	 * Always bump the serial.
+	 */
+	oldserial++;
+	if (oldserial == 0)
+		oldserial++;
+	soa.serial = oldserial;
+
+	/*
+	 * Construct a replacement rdataset.
+	 */
+	dns_rdata_reset(&rdata);
+	isc_buffer_init(&b, buf, sizeof(buf));
+	result = dns_rdata_fromstruct(&rdata, rdataset->rdclass,
+				      dns_rdatatype_soa, &soa, &b);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdatalist_init(&temprdatalist);
+	temprdatalist.rdclass = rdata.rdclass;
+	temprdatalist.type = rdata.type;
+	temprdatalist.ttl = rdataset->ttl;
+	ISC_LIST_APPEND(temprdatalist.rdata, &rdata, link);
+
+	dns_rdataset_init(&temprdataset);
+	result = dns_rdatalist_tordataset(&temprdatalist, &temprdataset);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	name = dns_fixedname_initname(&fixed);
+	result = dns_db_nodefullname(db, node, name);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_rdataset_getownercase(rdataset, name);
+	dns_rdataset_setownercase(&temprdataset, name);
+	return (dns_db_addrdataset(db, node, version, 0, &temprdataset,
+				   0, NULL));
+}
+
+/*
+ * This function should populate an nsec3paramlist_t with the
+ * nsecparam_t data from a zone.
+ */
+static isc_result_t
+save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset, prdataset;
+	dns_dbversion_t *version = NULL;
+	nsec3param_t *nsec3param = NULL;
+	nsec3param_t *nsec3p = NULL;
+	nsec3param_t *next;
+	dns_db_t *db = NULL;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(nsec3list != NULL);
+	REQUIRE(ISC_LIST_EMPTY(*nsec3list));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&prdataset);
+
+	dns_db_attach(zone->db, &db);
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	dns_db_currentversion(db, &version);
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+
+	if (result != ISC_R_SUCCESS)
+		goto getprivate;
+
+	/*
+	 * walk nsec3param rdataset making a list of parameters (note that
+	 * multiple simultaneous nsec3 chains are annoyingly legal -- this
+	 * is why we use an nsec3list, even tho we will usually only have
+	 * one)
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+			      "looping through nsec3param data");
+		nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
+		if (nsec3param == NULL)
+			CHECK(ISC_R_NOMEMORY);
+		ISC_LINK_INIT(nsec3param, link);
+
+		/*
+		 * now transfer the data from the rdata to
+		 * the nsec3param
+		 */
+		dns_nsec3param_toprivate(&rdata, &private,
+					 zone->privatetype, nsec3param->data,
+					 sizeof(nsec3param->data));
+		nsec3param->length = private.length;
+		ISC_LIST_APPEND(*nsec3list, nsec3param, link);
+	}
+
+ getprivate:
+	result = dns_db_findrdataset(db, node, version, zone->privatetype,
+				     dns_rdatatype_none, 0, &prdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto done;
+
+	/*
+	 * walk private type records, converting them to nsec3 parameters
+	 * using dns_nsec3param_fromprivate(), do the right thing based on
+	 * CREATE and REMOVE flags
+	 */
+	for (result = dns_rdataset_first(&prdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&prdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_t private = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&prdataset, &private);
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+			      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+			      "looping through nsec3param private data");
+
+		/*
+		 * Do we have a valid private record?
+		 */
+		if (!dns_nsec3param_fromprivate(&private, &rdata,
+						buf, sizeof(buf)))
+			continue;
+
+		/*
+		 * Remove any NSEC3PARAM records scheduled to be removed.
+		 */
+		if (NSEC3REMOVE(rdata.data[1])) {
+			/*
+			 * Zero out the flags.
+			 */
+			rdata.data[1] = 0;
+
+			for (nsec3p = ISC_LIST_HEAD(*nsec3list);
+			     nsec3p != NULL;
+			     nsec3p = next)
+			{
+				next = ISC_LIST_NEXT(nsec3p, link);
+
+				if (nsec3p->length == rdata.length + 1 &&
+				    memcmp(rdata.data, nsec3p->data + 1,
+					   nsec3p->length - 1) == 0) {
+					ISC_LIST_UNLINK(*nsec3list,
+							nsec3p, link);
+					isc_mem_put(zone->mctx, nsec3p,
+						    sizeof(nsec3param_t));
+				}
+			}
+			continue;
+		}
+
+		nsec3param = isc_mem_get(zone->mctx, sizeof(nsec3param_t));
+		if (nsec3param == NULL)
+			CHECK(ISC_R_NOMEMORY);
+		ISC_LINK_INIT(nsec3param, link);
+
+		/*
+		 * Copy the remaining private records so the nsec/nsec3
+		 * chain gets created.
+		 */
+		INSIST(private.length <= sizeof(nsec3param->data));
+		memmove(nsec3param->data, private.data, private.length);
+		nsec3param->length = private.length;
+		ISC_LIST_APPEND(*nsec3list, nsec3param, link);
+	}
+
+ done:
+	if (result == ISC_R_NOMORE || result == ISC_R_NOTFOUND)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (version != NULL)
+		dns_db_closeversion(db, &version, false);
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	return (result);
+}
+
+/*
+ * Populate new zone db with private type records found by save_nsec3param().
+ */
+static isc_result_t
+restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		   nsec3paramlist_t *nsec3list)
+{
+	isc_result_t result;
+	dns_diff_t diff;
+	dns_rdata_t rdata;
+	nsec3param_t *nsec3p = NULL;
+	nsec3param_t *next;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(!ISC_LIST_EMPTY(*nsec3list));
+
+	dns_diff_init(zone->mctx, &diff);
+
+	/*
+	 * Loop through the list of private-type records, set the INITIAL
+	 * and CREATE flags, and the add the record to the apex of the tree
+	 * in db.
+	 */
+	for (nsec3p = ISC_LIST_HEAD(*nsec3list);
+	     nsec3p != NULL;
+	     nsec3p = next)
+	{
+		next = ISC_LIST_NEXT(nsec3p, link);
+		dns_rdata_init(&rdata);
+		nsec3p->data[2] = DNS_NSEC3FLAG_CREATE | DNS_NSEC3FLAG_INITIAL;
+		rdata.length = nsec3p->length;
+		rdata.data = nsec3p->data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = zone->rdclass;
+		result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
+				       &zone->origin, 0, &rdata);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
+	}
+
+	dns_diff_clear(&diff);
+	return (result);
+}
+
+static void
+receive_secure_db(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	dns_zone_t *zone;
+	dns_db_t *rawdb, *db = NULL;
+	dns_dbnode_t *rawnode = NULL, *node = NULL;
+	dns_fixedname_t fname;
+	dns_name_t *name;
+	dns_dbiterator_t *dbiterator = NULL;
+	dns_rdatasetiter_t *rdsit = NULL;
+	dns_rdataset_t rdataset;
+	dns_dbversion_t *version = NULL;
+	isc_time_t loadtime;
+	unsigned int oldserial = 0;
+	bool have_oldserial = false;
+	nsec3paramlist_t nsec3list;
+	isc_event_t *setnsec3param_event;
+	dns_zone_t *dummy;
+
+	UNUSED(task);
+
+	ISC_LIST_INIT(nsec3list);
+
+	zone = event->ev_arg;
+	rawdb = ((struct secure_event *)event)->db;
+	isc_event_free(&event);
+
+	name = dns_fixedname_initname(&fname);
+	dns_rdataset_init(&rdataset);
+
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) || !inline_secure(zone)) {
+		result = ISC_R_SHUTTINGDOWN;
+		goto failure;
+	}
+
+	TIME_NOW(&loadtime);
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		result = dns_db_getsoaserial(zone->db, NULL, &oldserial);
+		if (result == ISC_R_SUCCESS)
+			have_oldserial = true;
+
+		/*
+		 * assemble nsec3parameters from the old zone, and set a flag
+		 * if any are found
+		 */
+		result = save_nsec3param(zone, &nsec3list);
+		if (result != ISC_R_SUCCESS) {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto failure;
+		}
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_create(zone->mctx, zone->db_argv[0],
+			       &zone->origin, dns_dbtype_zone, zone->rdclass,
+			       zone->db_argc - 1, zone->db_argv + 1, &db);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_db_createiterator(rawdb, 0, &dbiterator);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_dbiterator_first(dbiterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_dbiterator_next(dbiterator)) {
+		result = dns_dbiterator_current(dbiterator, &rawnode, name);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		result = dns_db_findnode(db, name, true, &node);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		result = dns_db_allrdatasets(rawdb, rawnode, NULL, 0, &rdsit);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		for (result = dns_rdatasetiter_first(rdsit);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsit)) {
+			dns_rdatasetiter_current(rdsit, &rdataset);
+			if (rdataset.type == dns_rdatatype_nsec ||
+			    rdataset.type == dns_rdatatype_rrsig ||
+			    rdataset.type == dns_rdatatype_nsec3 ||
+			    rdataset.type == dns_rdatatype_dnskey ||
+			    rdataset.type == dns_rdatatype_nsec3param) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (rdataset.type == dns_rdatatype_soa &&
+			    have_oldserial) {
+				result = checkandaddsoa(db, node, version,
+							&rdataset, oldserial);
+			} else
+				result = dns_db_addrdataset(db, node, version,
+							    0, &rdataset, 0,
+							    NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&rdsit);
+		dns_db_detachnode(rawdb, &rawnode);
+		dns_db_detachnode(db, &node);
+	}
+
+	/*
+	 * Call restore_nsec3param() to create private-type records from
+	 * the old nsec3 parameters and insert them into db
+	 */
+	if (!ISC_LIST_EMPTY(nsec3list)) {
+		result = restore_nsec3param(zone, db, version, &nsec3list);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
+
+	dns_db_closeversion(db, &version, true);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+	INSIST(zone != zone->raw);
+	LOCK_ZONE(zone->raw);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
+	zone_needdump(zone, 0); /* XXXMPA */
+	UNLOCK_ZONE(zone->raw);
+
+	/*
+	 * Process any queued NSEC3PARAM change requests.
+	 */
+	while (!ISC_LIST_EMPTY(zone->setnsec3param_queue)) {
+		setnsec3param_event = ISC_LIST_HEAD(zone->setnsec3param_queue);
+		ISC_LIST_UNLINK(zone->setnsec3param_queue, setnsec3param_event,
+				ev_link);
+		dummy = NULL;
+		zone_iattach(zone, &dummy);
+		isc_task_send(zone->task, &setnsec3param_event);
+	}
+
+ failure:
+	UNLOCK_ZONE(zone);
+	if (result != ISC_R_SUCCESS)
+		dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_db: %s",
+			     dns_result_totext(result));
+
+	while (!ISC_LIST_EMPTY(nsec3list)) {
+		nsec3param_t *nsec3p;
+		nsec3p = ISC_LIST_HEAD(nsec3list);
+		ISC_LIST_UNLINK(nsec3list, nsec3p, link);
+		isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
+	}
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (db != NULL) {
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (version != NULL)
+			dns_db_closeversion(db, &version, false);
+		dns_db_detach(&db);
+	}
+	if (rawnode != NULL)
+		dns_db_detachnode(rawdb, &rawnode);
+	dns_db_detach(&rawdb);
+	if (dbiterator != NULL)
+		dns_dbiterator_destroy(&dbiterator);
+	dns_zone_idetach(&zone);
+
+	INSIST(version == NULL);
+}
+
+static isc_result_t
+zone_send_securedb(dns_zone_t *zone, dns_db_t *db) {
+	isc_event_t *e;
+	dns_db_t *dummy = NULL;
+	dns_zone_t *secure = NULL;
+
+	e = isc_event_allocate(zone->secure->mctx, zone,
+			       DNS_EVENT_ZONESECUREDB,
+			       receive_secure_db, zone->secure,
+			       sizeof(struct secure_event));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+	dns_db_attach(db, &dummy);
+	((struct secure_event *)e)->db = dummy;
+	INSIST(LOCKED_ZONE(zone->secure));
+	zone_iattach(zone->secure, &secure);
+	isc_task_send(zone->secure->task, &e);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SENDSECURE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
+	isc_result_t result;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+ again:
+	LOCK_ZONE(zone);
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		INSIST(secure != zone);
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+#if ISC_PLATFORM_USETHREADS
+			isc_thread_yield();
+#endif
+			goto again;
+		}
+	}
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
+	result = zone_replacedb(zone, db, dump);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
+	if (secure != NULL)
+		UNLOCK_ZONE(secure);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+static isc_result_t
+zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
+	dns_dbversion_t *ver;
+	isc_result_t result;
+	unsigned int soacount = 0;
+	unsigned int nscount = 0;
+
+	/*
+	 * 'zone' and 'zonedb' locked by caller.
+	 */
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(LOCKED_ZONE(zone));
+	if (inline_raw(zone))
+		REQUIRE(LOCKED_ZONE(zone->secure));
+
+	result = dns_db_rpz_ready(db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = zone_get_from_db(zone, db, &nscount, &soacount,
+				  NULL, NULL, NULL, NULL, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		if (soacount != 1) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "has %d SOA records", soacount);
+			result = DNS_R_BADZONE;
+		}
+		if (nscount == 0 && zone->type != dns_zone_key) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
+			result = DNS_R_BADZONE;
+		}
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	} else {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			    "retrieving SOA and NS records failed: %s",
+			    dns_result_totext(result));
+		return (result);
+	}
+
+	result = check_nsec3param(zone, db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	ver = NULL;
+	dns_db_currentversion(db, &ver);
+
+	/*
+	 * The initial version of a slave zone is always dumped;
+	 * subsequent versions may be journaled instead if this
+	 * is enabled in the configuration.
+	 */
+	if (zone->db != NULL && zone->journal != NULL &&
+	    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
+	    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER))
+	{
+		uint32_t serial, oldserial;
+
+		dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
+
+		result = dns_db_getsoaserial(db, ver, &serial);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: unable to get "
+				     "new serial");
+			goto fail;
+		}
+
+		/*
+		 * This is checked in zone_postload() for master zones.
+		 */
+		result = zone_get_from_db(zone, zone->db, NULL, &soacount,
+					  &oldserial, NULL, NULL, NULL, NULL,
+					  NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		RUNTIME_CHECK(soacount > 0U);
+		if ((zone->type == dns_zone_slave ||
+		     (zone->type == dns_zone_redirect &&
+		      zone->masters != NULL))
+		    && !isc_serial_gt(serial, oldserial)) {
+			uint32_t serialmin, serialmax;
+			serialmin = (oldserial + 1) & 0xffffffffU;
+			serialmax = (oldserial + 0x7fffffffU) & 0xffffffffU;
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: failed: "
+				     "new serial (%u) out of range [%u - %u]",
+				     serial, serialmin, serialmax);
+			result = ISC_R_RANGE;
+			goto fail;
+		}
+
+		result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
+				     zone->journal);
+		if (result != ISC_R_SUCCESS) {
+			char strbuf[ISC_STRERRORSIZE];
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: failed: "
+				     "%s", strbuf);
+			goto fallback;
+		}
+		if (dump)
+			zone_needdump(zone, DNS_DUMP_DELAY);
+		else if (zone->journalsize != -1) {
+			result = dns_journal_compact(zone->mctx, zone->journal,
+						     serial, zone->journalsize);
+			switch (result) {
+			case ISC_R_SUCCESS:
+			case ISC_R_NOSPACE:
+			case ISC_R_NOTFOUND:
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "dns_journal_compact: %s",
+					     dns_result_totext(result));
+				break;
+			default:
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "dns_journal_compact failed: %s",
+					     dns_result_totext(result));
+				break;
+			}
+		}
+		if (zone->type == dns_zone_master && inline_raw(zone))
+			zone_send_secureserial(zone, serial);
+	} else {
+ fallback:
+		if (dump && zone->masterfile != NULL) {
+			/*
+			 * If DNS_ZONEFLG_FORCEXFER was set we don't want
+			 * to keep the old masterfile.
+			 */
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) &&
+			    remove(zone->masterfile) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove masterfile "
+					      "'%s': '%s'",
+					      zone->masterfile, strbuf);
+			}
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NODELAY);
+			else
+				zone_needdump(zone, 0);
+		}
+		if (dump && zone->journal != NULL) {
+			/*
+			 * The in-memory database just changed, and
+			 * because 'dump' is set, it didn't change by
+			 * being loaded from disk.  Also, we have not
+			 * journaled diffs for this change.
+			 * Therefore, the on-disk journal is missing
+			 * the deltas for this change.	Since it can
+			 * no longer be used to bring the zone
+			 * up-to-date, it is useless and should be
+			 * removed.
+			 */
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+				      "removing journal file");
+			if (remove(zone->journal) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove journal "
+					      "'%s': '%s'",
+					      zone->journal, strbuf);
+			}
+		}
+
+		if (inline_raw(zone))
+			zone_send_securedb(zone, db);
+	}
+
+	dns_db_closeversion(db, &ver, false);
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(3), "replacing zone database");
+
+	if (zone->db != NULL)
+		zone_detachdb(zone);
+	zone_attachdb(zone, db);
+	dns_db_settask(zone->db, zone->task);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
+	return (ISC_R_SUCCESS);
+
+ fail:
+	dns_db_closeversion(db, &ver, false);
+	return (result);
+}
+
+/* The caller must hold the dblock as a writer. */
+static inline void
+zone_attachdb(dns_zone_t *zone, dns_db_t *db) {
+	REQUIRE(zone->db == NULL && db != NULL);
+
+	dns_db_attach(db, &zone->db);
+	if (zone->acache != NULL) {
+		isc_result_t result;
+		result = dns_acache_setdb(zone->acache, db);
+		if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "dns_acache_setdb() failed: %s",
+					 isc_result_totext(result));
+		}
+	}
+}
+
+/* The caller must hold the dblock as a writer. */
+static inline void
+zone_detachdb(dns_zone_t *zone) {
+	REQUIRE(zone->db != NULL);
+
+	if (zone->acache != NULL)
+		(void)dns_acache_putdb(zone->acache, zone->db);
+	dns_db_detach(&zone->db);
+}
+
+static void
+zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+	isc_time_t now;
+	bool again = false;
+	unsigned int soacount;
+	unsigned int nscount;
+	uint32_t serial, refresh, retry, expire, minimum;
+	isc_result_t xfrresult = result;
+	bool free_needed;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dns_zone_log(zone, ISC_LOG_DEBUG(1),
+		     "zone transfer finished: %s", dns_result_totext(result));
+
+	/*
+	 * Obtaining a lock on the zone->secure (see zone_send_secureserial)
+	 * could result in a deadlock due to a LOR so we will spin if we
+	 * can't obtain the both locks.
+	 */
+ again:
+	LOCK_ZONE(zone);
+	if (inline_raw(zone)) {
+		secure = zone->secure;
+		INSIST(secure != zone);
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+#if ISC_PLATFORM_USETHREADS
+			isc_thread_yield();
+#endif
+			goto again;
+		}
+	}
+
+	INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+
+	TIME_NOW(&now);
+	switch (xfrresult) {
+	case ISC_R_SUCCESS:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		/* FALLTHROUGH */
+	case DNS_R_UPTODATE:
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+		/*
+		 * Has the zone expired underneath us?
+		 */
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (zone->db == NULL) {
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto same_master;
+		}
+
+		/*
+		 * Update the zone structure's data from the actual
+		 * SOA received.
+		 */
+		nscount = 0;
+		soacount = 0;
+		INSIST(zone->db != NULL);
+		result = zone_get_from_db(zone, zone->db, &nscount,
+					  &soacount, &serial, &refresh,
+					  &retry, &expire, &minimum, NULL);
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		if (result == ISC_R_SUCCESS) {
+			if (soacount != 1)
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "transferred zone "
+					     "has %d SOA record%s", soacount,
+					     (soacount != 0) ? "s" : "");
+			if (nscount == 0) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "transferred zone "
+					     "has no NS records");
+				if (DNS_ZONE_FLAG(zone,
+						  DNS_ZONEFLG_HAVETIMERS)) {
+					zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+					zone->retry = DNS_ZONE_DEFAULTRETRY;
+				}
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+				zone_unload(zone);
+				goto next_master;
+			}
+			zone->refresh = RANGE(refresh, zone->minrefresh,
+					      zone->maxrefresh);
+			zone->retry = RANGE(retry, zone->minretry,
+					    zone->maxretry);
+			zone->expire = RANGE(expire,
+					     zone->refresh + zone->retry,
+					     DNS_MAX_EXPIRE);
+			zone->minimum = minimum;
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+		}
+
+		/*
+		 * Set our next update/expire times.
+		 */
+		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+			zone->refreshtime = now;
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
+		} else {
+			DNS_ZONE_JITTER_ADD(&now, zone->refresh,
+					    &zone->refreshtime);
+			DNS_ZONE_TIME_ADD(&now, zone->expire,
+					  &zone->expiretime);
+		}
+		if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
+			char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+			if (zone->tsigkey != NULL) {
+				char namebuf[DNS_NAME_FORMATSIZE];
+				dns_name_format(&zone->tsigkey->name, namebuf,
+						sizeof(namebuf));
+				snprintf(buf, sizeof(buf), ": TSIG '%s'",
+					 namebuf);
+			} else
+				buf[0] = '\0';
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "transferred serial %u%s",
+				     serial, buf);
+			if (inline_raw(zone))
+				zone_send_secureserial(zone, serial);
+		}
+
+		/*
+		 * This is not necessary if we just performed a AXFR
+		 * however it is necessary for an IXFR / UPTODATE and
+		 * won't hurt with an AXFR.
+		 */
+		if (zone->masterfile != NULL || zone->journal != NULL) {
+			unsigned int delay = DNS_DUMP_DELAY;
+
+			result = ISC_R_FAILURE;
+			if (zone->journal != NULL)
+				result = isc_file_settime(zone->journal, &now);
+			if (result != ISC_R_SUCCESS &&
+			    zone->masterfile != NULL)
+				result = isc_file_settime(zone->masterfile,
+							  &now);
+
+			if ((DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NODELAY) != 0) ||
+			    result == ISC_R_FILENOTFOUND)
+				delay = 0;
+
+			if ((result == ISC_R_SUCCESS ||
+			    result == ISC_R_FILENOTFOUND) &&
+			    zone->masterfile != NULL)
+				zone_needdump(zone, delay);
+			else if (result != ISC_R_SUCCESS)
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "transfer: could not set file "
+					     "modification time of '%s': %s",
+					     zone->masterfile,
+					     dns_result_totext(result));
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NODELAY);
+		inc_stats(zone, dns_zonestatscounter_xfrsuccess);
+		break;
+
+	case DNS_R_BADIXFR:
+		/* Force retry with AXFR. */
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+		goto same_master;
+
+	case DNS_R_TOOMANYRECORDS:
+		DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+		inc_stats(zone, dns_zonestatscounter_xfrfail);
+		break;
+
+	default:
+	next_master:
+		/*
+		 * Skip to next failed / untried master.
+		 */
+		do {
+			zone->curmaster++;
+		} while (zone->curmaster < zone->masterscnt &&
+			 zone->mastersok[zone->curmaster]);
+		/* FALLTHROUGH */
+	same_master:
+		if (zone->curmaster >= zone->masterscnt) {
+			zone->curmaster = 0;
+			if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+			    !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+				DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+				while (zone->curmaster < zone->masterscnt &&
+				       zone->mastersok[zone->curmaster])
+					zone->curmaster++;
+				again = true;
+			} else
+				DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+		} else {
+			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+			again = true;
+		}
+		inc_stats(zone, dns_zonestatscounter_xfrfail);
+		break;
+	}
+	zone_settimer(zone, &now);
+
+	/*
+	 * If creating the transfer object failed, zone->xfr is NULL.
+	 * Otherwise, we are called as the done callback of a zone
+	 * transfer object that just entered its shutting-down
+	 * state.  Since we are no longer responsible for shutting
+	 * it down, we can detach our reference.
+	 */
+	if (zone->xfr != NULL)
+		dns_xfrin_detach(&zone->xfr);
+
+	if (zone->tsigkey != NULL)
+		dns_tsigkey_detach(&zone->tsigkey);
+
+	/*
+	 * Handle any deferred journal compaction.
+	 */
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDCOMPACT)) {
+		result = dns_journal_compact(zone->mctx, zone->journal,
+					     zone->compact_serial,
+					     zone->journalsize);
+		switch (result) {
+		case ISC_R_SUCCESS:
+		case ISC_R_NOSPACE:
+		case ISC_R_NOTFOUND:
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "dns_journal_compact: %s",
+				     dns_result_totext(result));
+			break;
+		default:
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "dns_journal_compact failed: %s",
+				     dns_result_totext(result));
+			break;
+		}
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDCOMPACT);
+	}
+
+	if (secure != NULL)
+		UNLOCK_ZONE(secure);
+	/*
+	 * This transfer finishing freed up a transfer quota slot.
+	 * Let any other zones waiting for quota have it.
+	 */
+	if (zone->zmgr != NULL &&
+	    zone->statelist == &zone->zmgr->xfrin_in_progress) {
+		UNLOCK_ZONE(zone);
+		RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+		zone->statelist = NULL;
+		zmgr_resume_xfrs(zone->zmgr, false);
+		RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+		LOCK_ZONE(zone);
+	}
+
+	/*
+	 * Retry with a different server if necessary.
+	 */
+	if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+		queue_soa_query(zone);
+
+	INSIST(zone->irefs > 0);
+	zone->irefs--;
+	free_needed = exit_check(zone);
+	UNLOCK_ZONE(zone);
+	if (free_needed)
+		zone_free(zone);
+}
+
+static void
+zone_loaddone(void *arg, isc_result_t result) {
+	static char me[] = "zone_loaddone";
+	dns_load_t *load = arg;
+	dns_zone_t *zone;
+	isc_result_t tresult;
+	dns_zone_t *secure = NULL;
+
+	REQUIRE(DNS_LOAD_VALID(load));
+	zone = load->zone;
+
+	ENTER;
+
+	tresult = dns_db_endload(load->db, &load->callbacks);
+	if (tresult != ISC_R_SUCCESS &&
+	    (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+		result = tresult;
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+ again:
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone))
+		LOCK_ZONE(zone->raw);
+	else if (inline_raw(zone)) {
+		secure = zone->secure;
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+#if ISC_PLATFORM_USETHREADS
+			isc_thread_yield();
+#endif
+			goto again;
+		}
+	}
+	(void)zone_postload(zone, load->db, load->loadtime, result);
+	zonemgr_putio(&zone->readio);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADING);
+	zone_idetach(&load->callbacks.zone);
+	/*
+	 * Leave the zone frozen if the reload fails.
+	 */
+	if ((result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE) &&
+	     DNS_ZONE_FLAG(zone, DNS_ZONEFLG_THAW))
+		zone->update_disabled = false;
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_THAW);
+	if (inline_secure(zone))
+		UNLOCK_ZONE(zone->raw);
+	else if (secure != NULL)
+		UNLOCK_ZONE(secure);
+	UNLOCK_ZONE(zone);
+
+	load->magic = 0;
+	dns_db_detach(&load->db);
+	if (load->zone->lctx != NULL)
+		dns_loadctx_detach(&load->zone->lctx);
+	dns_zone_idetach(&load->zone);
+	isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
+}
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(table != NULL);
+	REQUIRE(*table == NULL);
+
+	LOCK_ZONE(zone);
+	if (zone->ssutable != NULL)
+		dns_ssutable_attach(zone->ssutable, table);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->ssutable != NULL)
+		dns_ssutable_detach(&zone->ssutable);
+	if (table != NULL)
+		dns_ssutable_attach(table, &zone->ssutable);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->sigvalidityinterval = interval;
+}
+
+uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->sigvalidityinterval);
+}
+
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, uint32_t interval) {
+	isc_time_t now;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->sigresigninginterval = interval;
+	set_resigntime(zone);
+	if (zone->task != NULL) {
+		TIME_NOW(&now);
+		zone_settimer(zone, &now);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->sigresigninginterval);
+}
+
+static void
+queue_xfrin(dns_zone_t *zone) {
+	const char me[] = "queue_xfrin";
+	isc_result_t result;
+	dns_zonemgr_t *zmgr = zone->zmgr;
+
+	ENTER;
+
+	INSIST(zone->statelist == NULL);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
+	LOCK_ZONE(zone);
+	zone->irefs++;
+	UNLOCK_ZONE(zone);
+	zone->statelist = &zmgr->waiting_for_xfrin;
+	result = zmgr_start_xfrin_ifquota(zmgr, zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (result == ISC_R_QUOTA) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+			      "zone transfer deferred due to quota");
+	} else if (result != ISC_R_SUCCESS) {
+		dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+			      "starting zone transfer: %s",
+			      isc_result_totext(result));
+	}
+}
+
+/*
+ * This event callback is called when a zone has received
+ * any necessary zone transfer quota.  This is the time
+ * to go ahead and start the transfer.
+ */
+static void
+got_transfer_quota(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_peer_t *peer = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+	dns_rdatatype_t xfrtype;
+	dns_zone_t *zone = event->ev_arg;
+	isc_netaddr_t masterip;
+	isc_sockaddr_t sourceaddr;
+	isc_sockaddr_t masteraddr;
+	isc_time_t now;
+	const char *soa_before = "";
+	isc_dscp_t dscp = -1;
+	bool loaded;
+
+	UNUSED(task);
+
+	INSIST(task == zone->task);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	TIME_NOW(&now);
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+				    &zone->sourceaddr, &now))
+	{
+		isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "got_transfer_quota: skipping zone transfer as "
+			     "master %s (source %s) is unreachable (cached)",
+			     master, source);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
+
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
+		soa_before = "SOA before ";
+	/*
+	 * Decide whether we should request IXFR or AXFR.
+	 */
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	loaded = (zone->db != NULL);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (!loaded) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "no database exists yet, requesting AXFR of "
+			     "initial version from %s", master);
+		xfrtype = dns_rdatatype_axfr;
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "forced reload, requesting AXFR of "
+			     "initial version from %s", master);
+		xfrtype = dns_rdatatype_axfr;
+	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(1),
+			     "retrying with AXFR from %s due to "
+			     "previous IXFR failure", master);
+		xfrtype = dns_rdatatype_axfr;
+		LOCK_ZONE(zone);
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+		UNLOCK_ZONE(zone);
+	} else {
+		bool use_ixfr = true;
+		if (peer != NULL)
+			result = dns_peer_getrequestixfr(peer, &use_ixfr);
+		if (peer == NULL || result != ISC_R_SUCCESS)
+			use_ixfr = zone->requestixfr;
+		if (use_ixfr == false) {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "IXFR disabled, requesting %sAXFR from %s",
+				     soa_before, master);
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
+				xfrtype = dns_rdatatype_soa;
+			else
+				xfrtype = dns_rdatatype_axfr;
+		} else {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "requesting IXFR from %s", master);
+			xfrtype = dns_rdatatype_ixfr;
+		}
+	}
+
+	/*
+	 * Determine if we should attempt to sign the request with TSIG.
+	 */
+	result = ISC_R_NOTFOUND;
+
+	/*
+	 * First, look for a tsig key in the master statement, then
+	 * try for a server key.
+	 */
+	if ((zone->masterkeynames != NULL) &&
+	    (zone->masterkeynames[zone->curmaster] != NULL)) {
+		dns_view_t *view = dns_zone_getview(zone);
+		dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+		result = dns_view_gettsig(view, keyname, &zone->tsigkey);
+	}
+	if (zone->tsigkey == NULL)
+		result = dns_view_getpeertsig(zone->view, &masterip,
+					      &zone->tsigkey);
+
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "could not get TSIG key for zone transfer: %s",
+			     isc_result_totext(result));
+	}
+
+	if (zone->masterdscps != NULL)
+	    dscp = zone->masterdscps[zone->curmaster];
+
+	LOCK_ZONE(zone);
+	masteraddr = zone->masteraddr;
+	sourceaddr = zone->sourceaddr;
+	switch (isc_sockaddr_pf(&masteraddr)) {
+	case PF_INET:
+		if (dscp == -1)
+			dscp = zone->xfrsource4dscp;
+		break;
+	case PF_INET6:
+		if (dscp == -1)
+			dscp = zone->xfrsource6dscp;
+		break;
+	default:
+		INSIST(0);
+	};
+	UNLOCK_ZONE(zone);
+	INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
+	result = dns_xfrin_create3(zone, xfrtype, &masteraddr, &sourceaddr,
+				   dscp, zone->tsigkey, zone->mctx,
+				   zone->zmgr->timermgr, zone->zmgr->socketmgr,
+				   zone->task, zone_xfrdone, &zone->xfr);
+	if (result == ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		if (xfrtype == dns_rdatatype_axfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
+				inc_stats(zone, dns_zonestatscounter_axfrreqv4);
+			else
+				inc_stats(zone, dns_zonestatscounter_axfrreqv6);
+		} else if (xfrtype == dns_rdatatype_ixfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
+			else
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
+		}
+		UNLOCK_ZONE(zone);
+	}
+ cleanup:
+	/*
+	 * Any failure in this function is handled like a failed
+	 * zone transfer.  This ensures that we get removed from
+	 * zmgr->xfrin_in_progress.
+	 */
+	if (result != ISC_R_SUCCESS)
+		zone_xfrdone(zone, result);
+
+	isc_event_free(&event);
+}
+
+/*
+ * Update forwarding support.
+ */
+
+static void
+forward_destroy(dns_forward_t *forward) {
+
+	forward->magic = 0;
+	if (forward->request != NULL)
+		dns_request_destroy(&forward->request);
+	if (forward->msgbuf != NULL)
+		isc_buffer_free(&forward->msgbuf);
+	if (forward->zone != NULL) {
+		LOCK(&forward->zone->lock);
+		if (ISC_LINK_LINKED(forward, link))
+			ISC_LIST_UNLINK(forward->zone->forwards, forward, link);
+		UNLOCK(&forward->zone->lock);
+		dns_zone_idetach(&forward->zone);
+	}
+	isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
+}
+
+static isc_result_t
+sendtomaster(dns_forward_t *forward) {
+	isc_result_t result;
+	isc_sockaddr_t src;
+	isc_dscp_t dscp = -1;
+
+	LOCK_ZONE(forward->zone);
+
+	if (DNS_ZONE_FLAG(forward->zone, DNS_ZONEFLG_EXITING)) {
+		UNLOCK_ZONE(forward->zone);
+		return (ISC_R_CANCELED);
+	}
+
+	if (forward->which >= forward->zone->masterscnt) {
+		UNLOCK_ZONE(forward->zone);
+		return (ISC_R_NOMORE);
+	}
+
+	forward->addr = forward->zone->masters[forward->which];
+	/*
+	 * Always use TCP regardless of whether the original update
+	 * used TCP.
+	 * XXX The timeout may but a bit small if we are far down a
+	 * transfer graph and the master has to try several masters.
+	 */
+	switch (isc_sockaddr_pf(&forward->addr)) {
+	case PF_INET:
+		src = forward->zone->xfrsource4;
+		dscp = forward->zone->xfrsource4dscp;
+		break;
+	case PF_INET6:
+		src = forward->zone->xfrsource6;
+		dscp = forward->zone->xfrsource6dscp;
+		break;
+	default:
+		result = ISC_R_NOTIMPLEMENTED;
+		goto unlock;
+	}
+	result = dns_request_createraw4(forward->zone->view->requestmgr,
+					forward->msgbuf,
+					&src, &forward->addr, dscp,
+					forward->options, 15 /* XXX */,
+					0, 0, forward->zone->task,
+					forward_callback, forward,
+					&forward->request);
+	if (result == ISC_R_SUCCESS) {
+		if (!ISC_LINK_LINKED(forward, link))
+			ISC_LIST_APPEND(forward->zone->forwards, forward, link);
+	}
+
+ unlock:
+	UNLOCK_ZONE(forward->zone);
+	return (result);
+}
+
+static void
+forward_callback(isc_task_t *task, isc_event_t *event) {
+	const char me[] = "forward_callback";
+	dns_requestevent_t *revent = (dns_requestevent_t *)event;
+	dns_message_t *msg = NULL;
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	isc_result_t result;
+	dns_forward_t *forward;
+	dns_zone_t *zone;
+
+	UNUSED(task);
+
+	forward = revent->ev_arg;
+	INSIST(DNS_FORWARD_VALID(forward));
+	zone = forward->zone;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	isc_sockaddr_format(&forward->addr, master, sizeof(master));
+
+	if (revent->result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "could not forward dynamic update to %s: %s",
+			     master, dns_result_totext(revent->result));
+		goto next_master;
+	}
+
+	result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+
+	result = dns_request_getresponse(revent->request, msg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER |
+					 DNS_MESSAGEPARSE_CLONEBUFFER);
+	if (result != ISC_R_SUCCESS)
+		goto next_master;
+
+	switch (msg->rcode) {
+	/*
+	 * Pass these rcodes back to client.
+	 */
+	case dns_rcode_noerror:
+	case dns_rcode_yxdomain:
+	case dns_rcode_yxrrset:
+	case dns_rcode_nxrrset:
+	case dns_rcode_refused:
+	case dns_rcode_nxdomain: {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "forwarded dynamic update: "
+			     "master %s returned: %.*s",
+			     master, (int)rb.used, rcode);
+		break;
+	}
+
+	/* These should not occur if the masters/zone are valid. */
+	case dns_rcode_notzone:
+	case dns_rcode_notauth: {
+		char rcode[128];
+		isc_buffer_t rb;
+
+		isc_buffer_init(&rb, rcode, sizeof(rcode));
+		(void)dns_rcode_totext(msg->rcode, &rb);
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "forwarding dynamic update: "
+			     "unexpected response: master %s returned: %.*s",
+			     master, (int)rb.used, rcode);
+		goto next_master;
+	}
+
+	/* Try another server for these rcodes. */
+	case dns_rcode_formerr:
+	case dns_rcode_servfail:
+	case dns_rcode_notimp:
+	case dns_rcode_badvers:
+	default:
+		goto next_master;
+	}
+
+	/* call callback */
+	(forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
+	msg = NULL;
+	dns_request_destroy(&forward->request);
+	forward_destroy(forward);
+	isc_event_free(&event);
+	return;
+
+ next_master:
+	if (msg != NULL)
+		dns_message_destroy(&msg);
+	isc_event_free(&event);
+	forward->which++;
+	dns_request_destroy(&forward->request);
+	result = sendtomaster(forward);
+	if (result != ISC_R_SUCCESS) {
+		/* call callback */
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "exhausted dynamic update forwarder list");
+		(forward->callback)(forward->callback_arg, result, NULL);
+		forward_destroy(forward);
+	}
+}
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+		       dns_updatecallback_t callback, void *callback_arg)
+{
+	dns_forward_t *forward;
+	isc_result_t result;
+	isc_region_t *mr;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(msg != NULL);
+	REQUIRE(callback != NULL);
+
+	forward = isc_mem_get(zone->mctx, sizeof(*forward));
+	if (forward == NULL)
+		return (ISC_R_NOMEMORY);
+
+	forward->request = NULL;
+	forward->zone = NULL;
+	forward->msgbuf = NULL;
+	forward->which = 0;
+	forward->mctx = 0;
+	forward->callback = callback;
+	forward->callback_arg = callback_arg;
+	ISC_LINK_INIT(forward, link);
+	forward->magic = FORWARD_MAGIC;
+	forward->options = DNS_REQUESTOPT_TCP;
+	/*
+	 * If we have a SIG(0) signed message we need to preserve the
+	 * query id as that is included in the SIG(0) computation.
+	 */
+	if (msg->sig0 != NULL)
+		forward->options |= DNS_REQUESTOPT_FIXEDID;
+
+	mr = dns_message_getrawmessage(msg);
+	if (mr == NULL) {
+		result = ISC_R_UNEXPECTEDEND;
+		goto cleanup;
+	}
+
+	result = isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_buffer_copyregion(forward->msgbuf, mr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	isc_mem_attach(zone->mctx, &forward->mctx);
+	dns_zone_iattach(zone, &forward->zone);
+	result = sendtomaster(forward);
+
+ cleanup:
+	if (result != ISC_R_SUCCESS) {
+		forward_destroy(forward);
+	}
+	return (result);
+}
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(next != NULL && *next == NULL);
+
+	*next = ISC_LIST_NEXT(zone, link);
+	if (*next == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(first != NULL && *first == NULL);
+
+	*first = ISC_LIST_HEAD(zmgr->zones);
+	if (*first == NULL)
+		return (ISC_R_NOMORE);
+	else
+		return (ISC_R_SUCCESS);
+}
+
+/***
+ ***	Zone manager.
+ ***/
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+		   isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+		   dns_zonemgr_t **zmgrp)
+{
+	dns_zonemgr_t *zmgr;
+	isc_result_t result;
+
+	zmgr = isc_mem_get(mctx, sizeof(*zmgr));
+	if (zmgr == NULL)
+		return (ISC_R_NOMEMORY);
+	zmgr->mctx = NULL;
+	zmgr->refs = 1;
+	isc_mem_attach(mctx, &zmgr->mctx);
+	zmgr->taskmgr = taskmgr;
+	zmgr->timermgr = timermgr;
+	zmgr->socketmgr = socketmgr;
+	zmgr->zonetasks = NULL;
+	zmgr->loadtasks = NULL;
+	zmgr->mctxpool = NULL;
+	zmgr->task = NULL;
+	zmgr->notifyrl = NULL;
+	zmgr->refreshrl = NULL;
+	zmgr->startupnotifyrl = NULL;
+	zmgr->startuprefreshrl = NULL;
+	ISC_LIST_INIT(zmgr->zones);
+	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
+	ISC_LIST_INIT(zmgr->xfrin_in_progress);
+	memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
+	result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto free_mem;
+
+	zmgr->transfersin = 10;
+	zmgr->transfersperns = 2;
+
+	/* Unreachable lock. */
+	result = isc_rwlock_init(&zmgr->urlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto free_rwlock;
+
+	/* Create a single task for queueing of SOA queries. */
+	result = isc_task_create(taskmgr, 1, &zmgr->task);
+	if (result != ISC_R_SUCCESS)
+		goto free_urlock;
+
+	isc_task_setname(zmgr->task, "zmgr", zmgr);
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->notifyrl);
+	if (result != ISC_R_SUCCESS)
+		goto free_task;
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->refreshrl);
+	if (result != ISC_R_SUCCESS)
+		goto free_notifyrl;
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->startupnotifyrl);
+	if (result != ISC_R_SUCCESS)
+		goto free_refreshrl;
+
+	result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+					&zmgr->startuprefreshrl);
+	if (result != ISC_R_SUCCESS)
+		goto free_startupnotifyrl;
+
+	/* default to 20 refresh queries / notifies per second. */
+	setrl(zmgr->notifyrl, &zmgr->notifyrate, 20);
+	setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, 20);
+	setrl(zmgr->refreshrl, &zmgr->serialqueryrate, 20);
+	setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, 20);
+	isc_ratelimiter_setpushpop(zmgr->startupnotifyrl, true);
+	isc_ratelimiter_setpushpop(zmgr->startuprefreshrl, true);
+
+	zmgr->iolimit = 1;
+	zmgr->ioactive = 0;
+	ISC_LIST_INIT(zmgr->high);
+	ISC_LIST_INIT(zmgr->low);
+
+	result = isc_mutex_init(&zmgr->iolock);
+	if (result != ISC_R_SUCCESS)
+		goto free_startuprefreshrl;
+
+	zmgr->magic = ZONEMGR_MAGIC;
+
+	*zmgrp = zmgr;
+	return (ISC_R_SUCCESS);
+
+#if 0
+ free_iolock:
+	DESTROYLOCK(&zmgr->iolock);
+#endif
+ free_startuprefreshrl:
+	isc_ratelimiter_detach(&zmgr->startuprefreshrl);
+ free_startupnotifyrl:
+	isc_ratelimiter_detach(&zmgr->startupnotifyrl);
+ free_refreshrl:
+	isc_ratelimiter_detach(&zmgr->refreshrl);
+ free_notifyrl:
+	isc_ratelimiter_detach(&zmgr->notifyrl);
+ free_task:
+	isc_task_detach(&zmgr->task);
+ free_urlock:
+	isc_rwlock_destroy(&zmgr->urlock);
+ free_rwlock:
+	isc_rwlock_destroy(&zmgr->rwlock);
+ free_mem:
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+	isc_mem_detach(&mctx);
+	return (result);
+}
+
+isc_result_t
+dns_zonemgr_createzone(dns_zonemgr_t *zmgr, dns_zone_t **zonep) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	dns_zone_t *zone = NULL;
+	void *item;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(zonep != NULL && *zonep == NULL);
+
+	if (zmgr->mctxpool == NULL)
+		return (ISC_R_FAILURE);
+
+	item = isc_pool_get(zmgr->mctxpool);
+	if (item == NULL)
+		return (ISC_R_FAILURE);
+
+	isc_mem_attach((isc_mem_t *) item, &mctx);
+	result = dns_zone_create(&zone, mctx);
+	isc_mem_detach(&mctx);
+
+	if (result == ISC_R_SUCCESS)
+		*zonep = zone;
+
+	return (result);
+}
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	isc_result_t result;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	if (zmgr->zonetasks == NULL)
+		return (ISC_R_FAILURE);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+	REQUIRE(zone->task == NULL);
+	REQUIRE(zone->timer == NULL);
+	REQUIRE(zone->zmgr == NULL);
+
+	isc_taskpool_gettask(zmgr->zonetasks, &zone->task);
+	isc_taskpool_gettask(zmgr->loadtasks, &zone->loadtask);
+
+	/*
+	 * Set the task name.  The tag will arbitrarily point to one
+	 * of the zones sharing the task (in practice, the one
+	 * to be managed last).
+	 */
+	isc_task_setname(zone->task, "zone", zone);
+	isc_task_setname(zone->loadtask, "loadzone", zone);
+
+	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL,
+				  zone->task, zone_timer, zone,
+				  &zone->timer);
+
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_tasks;
+
+	/*
+	 * The timer "holds" a iref.
+	 */
+	zone->irefs++;
+	INSIST(zone->irefs != 0);
+
+	ISC_LIST_APPEND(zmgr->zones, zone, link);
+	zone->zmgr = zmgr;
+	zmgr->refs++;
+
+	goto unlock;
+
+ cleanup_tasks:
+	isc_task_detach(&zone->loadtask);
+	isc_task_detach(&zone->task);
+
+ unlock:
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	bool free_now = false;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(zone->zmgr == zmgr);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+
+	ISC_LIST_UNLINK(zmgr->zones, zone, link);
+	zone->zmgr = NULL;
+	zmgr->refs--;
+	if (zmgr->refs == 0)
+		free_now = true;
+
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (free_now)
+		zonemgr_free(zmgr);
+	ENSURE(zone->zmgr == NULL);
+}
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
+	REQUIRE(DNS_ZONEMGR_VALID(source));
+	REQUIRE(target != NULL && *target == NULL);
+
+	RWLOCK(&source->rwlock, isc_rwlocktype_write);
+	REQUIRE(source->refs > 0);
+	source->refs++;
+	INSIST(source->refs > 0);
+	RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
+	*target = source;
+}
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
+	dns_zonemgr_t *zmgr;
+	bool free_now = false;
+
+	REQUIRE(zmgrp != NULL);
+	zmgr = *zmgrp;
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr->refs--;
+	if (zmgr->refs == 0)
+		free_now = true;
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+	if (free_now)
+		zonemgr_free(zmgr);
+	*zmgrp = NULL;
+}
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
+	dns_zone_t *p;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	for (p = ISC_LIST_HEAD(zmgr->zones);
+	     p != NULL;
+	     p = ISC_LIST_NEXT(p, link))
+	{
+		dns_zone_maintenance(p);
+	}
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+	/*
+	 * Recent configuration changes may have increased the
+	 * amount of available transfers quota.  Make sure any
+	 * transfers currently blocked on quota get started if
+	 * possible.
+	 */
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr_resume_xfrs(zmgr, true);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	zmgr_resume_xfrs(zmgr, true);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
+	dns_zone_t *zone;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	isc_ratelimiter_shutdown(zmgr->notifyrl);
+	isc_ratelimiter_shutdown(zmgr->refreshrl);
+	isc_ratelimiter_shutdown(zmgr->startupnotifyrl);
+	isc_ratelimiter_shutdown(zmgr->startuprefreshrl);
+
+	if (zmgr->task != NULL)
+		isc_task_destroy(&zmgr->task);
+	if (zmgr->zonetasks != NULL)
+		isc_taskpool_destroy(&zmgr->zonetasks);
+	if (zmgr->loadtasks != NULL)
+		isc_taskpool_destroy(&zmgr->loadtasks);
+	if (zmgr->mctxpool != NULL)
+		isc_pool_destroy(&zmgr->mctxpool);
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	for (zone = ISC_LIST_HEAD(zmgr->zones);
+	     zone != NULL;
+	     zone = ISC_LIST_NEXT(zone, link))
+	{
+		LOCK_ZONE(zone);
+		forward_cancel(zone);
+		UNLOCK_ZONE(zone);
+	}
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+}
+
+static isc_result_t
+mctxinit(void **target, void *arg) {
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+
+	UNUSED(arg);
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_mem_setname(mctx, "zonemgr-pool", NULL);
+
+	*target = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+mctxfree(void **target) {
+	isc_mem_t *mctx = *(isc_mem_t **) target;
+	isc_mem_detach(&mctx);
+	*target = NULL;
+}
+
+#define ZONES_PER_TASK 100
+#define ZONES_PER_MCTX 1000
+
+isc_result_t
+dns_zonemgr_setsize(dns_zonemgr_t *zmgr, int num_zones) {
+	isc_result_t result;
+	int ntasks = num_zones / ZONES_PER_TASK;
+	int nmctx = num_zones / ZONES_PER_MCTX;
+	isc_taskpool_t *pool = NULL;
+	isc_pool_t *mctxpool = NULL;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	/*
+	 * For anything fewer than 1000 zones we use 10 tasks in
+	 * the task pools.  More than that, and we'll scale at one
+	 * task per 100 zones.  Similarly, for anything smaller than
+	 * 2000 zones we use 2 memory contexts, then scale at 1:1000.
+	 */
+	if (ntasks < 10)
+		ntasks = 10;
+	if (nmctx < 2)
+		nmctx = 2;
+
+	/* Create or resize the zone task pools. */
+	if (zmgr->zonetasks == NULL)
+		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx,
+					     ntasks, 2, &pool);
+	else
+		result = isc_taskpool_expand(&zmgr->zonetasks, ntasks, &pool);
+
+	if (result == ISC_R_SUCCESS)
+		zmgr->zonetasks = pool;
+
+	pool = NULL;
+	if (zmgr->loadtasks == NULL)
+		result = isc_taskpool_create(zmgr->taskmgr, zmgr->mctx,
+					     ntasks, 2, &pool);
+	else
+		result = isc_taskpool_expand(&zmgr->loadtasks, ntasks, &pool);
+
+	if (result == ISC_R_SUCCESS)
+		zmgr->loadtasks = pool;
+
+	/*
+	 * We always set all tasks in the zone-load task pool to
+	 * privileged.  This prevents other tasks in the system from
+	 * running while the server task manager is in privileged
+	 * mode.
+	 *
+	 * NOTE: If we start using task privileges for any other
+	 * part of the system than zone tasks, then this will need to be
+	 * revisted.  In that case we'd want to turn on privileges for
+	 * zone tasks only when we were loading, and turn them off the
+	 * rest of the time.  For now, however, it's okay to just
+	 * set it and forget it.
+	 */
+	isc_taskpool_setprivilege(zmgr->loadtasks, true);
+
+	/* Create or resize the zone memory context pool. */
+	if (zmgr->mctxpool == NULL)
+		result = isc_pool_create(zmgr->mctx, nmctx, mctxfree,
+					 mctxinit, NULL, &mctxpool);
+	else
+		result = isc_pool_expand(&zmgr->mctxpool, nmctx, &mctxpool);
+
+	if (result == ISC_R_SUCCESS)
+		zmgr->mctxpool = mctxpool;
+
+	return (result);
+}
+
+static void
+zonemgr_free(dns_zonemgr_t *zmgr) {
+	isc_mem_t *mctx;
+
+	INSIST(zmgr->refs == 0);
+	INSIST(ISC_LIST_EMPTY(zmgr->zones));
+
+	zmgr->magic = 0;
+
+	DESTROYLOCK(&zmgr->iolock);
+	isc_ratelimiter_detach(&zmgr->notifyrl);
+	isc_ratelimiter_detach(&zmgr->refreshrl);
+	isc_ratelimiter_detach(&zmgr->startupnotifyrl);
+	isc_ratelimiter_detach(&zmgr->startuprefreshrl);
+
+	isc_rwlock_destroy(&zmgr->urlock);
+	isc_rwlock_destroy(&zmgr->rwlock);
+	mctx = zmgr->mctx;
+	isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+	isc_mem_detach(&mctx);
+}
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, uint32_t value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	zmgr->transfersin = value;
+}
+
+uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->transfersin);
+}
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, uint32_t value) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	zmgr->transfersperns = value;
+}
+
+uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->transfersperns);
+}
+
+/*
+ * Try to start a new incoming zone transfer to fill a quota
+ * slot that was just vacated.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ */
+static void
+zmgr_resume_xfrs(dns_zonemgr_t *zmgr, bool multi) {
+	dns_zone_t *zone;
+	dns_zone_t *next;
+
+	for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+	     zone != NULL;
+	     zone = next)
+	{
+		isc_result_t result;
+		next = ISC_LIST_NEXT(zone, statelink);
+		result = zmgr_start_xfrin_ifquota(zmgr, zone);
+		if (result == ISC_R_SUCCESS) {
+			if (multi)
+				continue;
+			/*
+			 * We successfully filled the slot.  We're done.
+			 */
+			break;
+		} else if (result == ISC_R_QUOTA) {
+			/*
+			 * Not enough quota.  This is probably the per-server
+			 * quota, because we usually get called when a unit of
+			 * global quota has just been freed.  Try the next
+			 * zone, it may succeed if it uses another master.
+			 */
+			continue;
+		} else {
+			dns_zone_log(zone, ISC_LOG_DEBUG(1),
+				     "starting zone transfer: %s",
+				     isc_result_totext(result));
+			break;
+		}
+	}
+}
+
+/*
+ * Try to start an incoming zone transfer for 'zone', quota permitting.
+ *
+ * Requires:
+ *	The zone manager is locked by the caller.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS	There was enough quota and we attempted to
+ *			start a transfer.  zone_xfrdone() has been or will
+ *			be called.
+ *	ISC_R_QUOTA	Not enough quota.
+ *	Others		Failure.
+ */
+static isc_result_t
+zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+	dns_peer_t *peer = NULL;
+	isc_netaddr_t masterip;
+	uint32_t nxfrsin, nxfrsperns;
+	dns_zone_t *x;
+	uint32_t maxtransfersin, maxtransfersperns;
+	isc_event_t *e;
+
+	/*
+	 * If we are exiting just pretend we got quota so the zone will
+	 * be cleaned up in the zone's task context.
+	 */
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+		UNLOCK_ZONE(zone);
+		goto gotquota;
+	}
+
+	/*
+	 * Find any configured information about the server we'd
+	 * like to transfer this zone from.
+	 */
+	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * Determine the total maximum number of simultaneous
+	 * transfers allowed, and the maximum for this specific
+	 * master.
+	 */
+	maxtransfersin = zmgr->transfersin;
+	maxtransfersperns = zmgr->transfersperns;
+	if (peer != NULL)
+		(void)dns_peer_gettransfers(peer, &maxtransfersperns);
+
+	/*
+	 * Count the total number of transfers that are in progress,
+	 * and the number of transfers in progress from this master.
+	 * We linearly scan a list of all transfers; if this turns
+	 * out to be too slow, we could hash on the master address.
+	 */
+	nxfrsin = nxfrsperns = 0;
+	for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+	     x != NULL;
+	     x = ISC_LIST_NEXT(x, statelink))
+	{
+		isc_netaddr_t xip;
+
+		LOCK_ZONE(x);
+		isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
+		UNLOCK_ZONE(x);
+
+		nxfrsin++;
+		if (isc_netaddr_equal(&xip, &masterip))
+			nxfrsperns++;
+	}
+
+	/* Enforce quota. */
+	if (nxfrsin >= maxtransfersin)
+		return (ISC_R_QUOTA);
+
+	if (nxfrsperns >= maxtransfersperns)
+		return (ISC_R_QUOTA);
+
+ gotquota:
+	/*
+	 * We have sufficient quota.  Move the zone to the "xfrin_in_progress"
+	 * list and send it an event to let it start the actual transfer in the
+	 * context of its own task.
+	 */
+	e = isc_event_allocate(zmgr->mctx, zmgr, DNS_EVENT_ZONESTARTXFRIN,
+			       got_transfer_quota, zone, sizeof(isc_event_t));
+	if (e == NULL)
+		return (ISC_R_NOMEMORY);
+
+	LOCK_ZONE(zone);
+	INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
+	ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
+	ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
+	zone->statelist = &zmgr->xfrin_in_progress;
+	isc_task_send(zone->task, &e);
+	dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
+	UNLOCK_ZONE(zone);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, uint32_t iolimit) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(iolimit > 0);
+
+	zmgr->iolimit = iolimit;
+}
+
+uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->iolimit);
+}
+
+/*
+ * Get permission to request a file handle from the OS.
+ * An event will be sent to action when one is available.
+ * There are two queues available (high and low), the high
+ * queue will be serviced before the low one.
+ *
+ * zonemgr_putio() must be called after the event is delivered to
+ * 'action'.
+ */
+
+static isc_result_t
+zonemgr_getio(dns_zonemgr_t *zmgr, bool high,
+	      isc_task_t *task, isc_taskaction_t action, void *arg,
+	      dns_io_t **iop)
+{
+	dns_io_t *io;
+	bool queue;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+	REQUIRE(iop != NULL && *iop == NULL);
+
+	io = isc_mem_get(zmgr->mctx, sizeof(*io));
+	if (io == NULL)
+		return (ISC_R_NOMEMORY);
+
+	io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
+				       action, arg, sizeof(*io->event));
+	if (io->event == NULL) {
+		isc_mem_put(zmgr->mctx, io, sizeof(*io));
+		return (ISC_R_NOMEMORY);
+	}
+
+	io->zmgr = zmgr;
+	io->high = high;
+	io->task = NULL;
+	isc_task_attach(task, &io->task);
+	ISC_LINK_INIT(io, link);
+	io->magic = IO_MAGIC;
+
+	LOCK(&zmgr->iolock);
+	zmgr->ioactive++;
+	queue = (zmgr->ioactive > zmgr->iolimit);
+	if (queue) {
+		if (io->high)
+			ISC_LIST_APPEND(zmgr->high, io, link);
+		else
+			ISC_LIST_APPEND(zmgr->low, io, link);
+	}
+	UNLOCK(&zmgr->iolock);
+	*iop = io;
+
+	if (!queue)
+		isc_task_send(io->task, &io->event);
+	return (ISC_R_SUCCESS);
+}
+
+static void
+zonemgr_putio(dns_io_t **iop) {
+	dns_io_t *io;
+	dns_io_t *next;
+	dns_zonemgr_t *zmgr;
+
+	REQUIRE(iop != NULL);
+	io = *iop;
+	REQUIRE(DNS_IO_VALID(io));
+
+	*iop = NULL;
+
+	INSIST(!ISC_LINK_LINKED(io, link));
+	INSIST(io->event == NULL);
+
+	zmgr = io->zmgr;
+	isc_task_detach(&io->task);
+	io->magic = 0;
+	isc_mem_put(zmgr->mctx, io, sizeof(*io));
+
+	LOCK(&zmgr->iolock);
+	INSIST(zmgr->ioactive > 0);
+	zmgr->ioactive--;
+	next = HEAD(zmgr->high);
+	if (next == NULL)
+		next = HEAD(zmgr->low);
+	if (next != NULL) {
+		if (next->high)
+			ISC_LIST_UNLINK(zmgr->high, next, link);
+		else
+			ISC_LIST_UNLINK(zmgr->low, next, link);
+		INSIST(next->event != NULL);
+	}
+	UNLOCK(&zmgr->iolock);
+	if (next != NULL)
+		isc_task_send(next->task, &next->event);
+}
+
+static void
+zonemgr_cancelio(dns_io_t *io) {
+	bool send_event = false;
+
+	REQUIRE(DNS_IO_VALID(io));
+
+	/*
+	 * If we are queued to be run then dequeue.
+	 */
+	LOCK(&io->zmgr->iolock);
+	if (ISC_LINK_LINKED(io, link)) {
+		if (io->high)
+			ISC_LIST_UNLINK(io->zmgr->high, io, link);
+		else
+			ISC_LIST_UNLINK(io->zmgr->low, io, link);
+
+		send_event = true;
+		INSIST(io->event != NULL);
+	}
+	UNLOCK(&io->zmgr->iolock);
+	if (send_event) {
+		io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
+		isc_task_send(io->task, &io->event);
+	}
+}
+
+static void
+zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
+	char *buf;
+	int buflen;
+	isc_result_t result;
+
+	buflen = strlen(path) + strlen(templat) + 2;
+
+	buf = isc_mem_get(zone->mctx, buflen);
+	if (buf == NULL)
+		return;
+
+	result = isc_file_template(path, templat, buf, buflen);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_file_renameunique(path, buf);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_zone_log(zone, ISC_LOG_WARNING, "unable to load from '%s'; "
+		     "renaming file to '%s' for failure analysis and "
+		     "retransferring.", path, buf);
+
+ cleanup:
+	isc_mem_put(zone->mctx, buf, buflen);
+}
+
+#if 0
+/* Hook for ondestroy notification from a database. */
+
+static void
+dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
+	dns_db_t *db = event->sender;
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+		      "database (%p) destroyed", (void*) db);
+}
+#endif
+
+static void
+setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value) {
+	isc_interval_t interval;
+	uint32_t s, ns;
+	uint32_t pertic;
+	isc_result_t result;
+
+	if (value == 0)
+		value = 1;
+
+	if (value == 1) {
+		s = 1;
+		ns = 0;
+		pertic = 1;
+	} else if (value <= 10) {
+		s = 0;
+		ns = 1000000000 / value;
+		pertic = 1;
+	} else {
+		s = 0;
+		ns = (1000000000 / value) * 10;
+		pertic = 10;
+	}
+
+	isc_interval_set(&interval, s, ns);
+
+	result = isc_ratelimiter_setinterval(rl, &interval);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	isc_ratelimiter_setpertic(rl, pertic);
+
+	*rate = value;
+}
+
+void
+dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->notifyrl, &zmgr->notifyrate, value);
+}
+
+void
+dns_zonemgr_setstartupnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, value);
+}
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	setrl(zmgr->refreshrl, &zmgr->serialqueryrate, value);
+	/* XXXMPA seperate out once we have the code to support this. */
+	setrl(zmgr->startuprefreshrl, &zmgr->startupserialqueryrate, value);
+}
+
+unsigned int
+dns_zonemgr_getnotifyrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->notifyrate);
+}
+
+unsigned int
+dns_zonemgr_getstartupnotifyrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->startupnotifyrate);
+}
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	return (zmgr->serialqueryrate);
+}
+
+bool
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			isc_sockaddr_t *local, isc_time_t *now)
+{
+	unsigned int i;
+	isc_rwlocktype_t locktype;
+	isc_result_t result;
+	uint32_t seconds = isc_time_seconds(now);
+	uint32_t count = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	locktype = isc_rwlocktype_read;
+	RWLOCK(&zmgr->urlock, locktype);
+	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+		if (zmgr->unreachable[i].expire >= seconds &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
+			result = isc_rwlock_tryupgrade(&zmgr->urlock);
+			if (result == ISC_R_SUCCESS) {
+				locktype = isc_rwlocktype_write;
+				zmgr->unreachable[i].last = seconds;
+				count = zmgr->unreachable[i].count;
+			}
+			break;
+		}
+	}
+	RWUNLOCK(&zmgr->urlock, locktype);
+	return (i < UNREACH_CHACHE_SIZE && count > 1U);
+}
+
+void
+dns_zonemgr_unreachabledel(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local)
+{
+	unsigned int i;
+	isc_rwlocktype_t locktype;
+	isc_result_t result;
+
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(remote, master, sizeof(master));
+	isc_sockaddr_format(local, source, sizeof(source));
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	locktype = isc_rwlocktype_read;
+	RWLOCK(&zmgr->urlock, locktype);
+	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
+			if (zmgr->unreachable[i].expire == 0)
+				break;
+			result = isc_rwlock_tryupgrade(&zmgr->urlock);
+			if (result == ISC_R_SUCCESS) {
+				locktype = isc_rwlocktype_write;
+				zmgr->unreachable[i].expire = 0;
+				isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE, ISC_LOG_INFO,
+					      "master %s (source %s) deleted "
+					      "from unreachable cache",
+					      master, source);
+			}
+			break;
+		}
+	}
+	RWUNLOCK(&zmgr->urlock, locktype);
+}
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now)
+{
+	uint32_t seconds = isc_time_seconds(now);
+	uint32_t last = seconds;
+	unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->urlock, isc_rwlocktype_write);
+	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+		/* Existing entry? */
+		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+			break;
+		/* Empty slot? */
+		if (zmgr->unreachable[i].expire < seconds)
+			slot = i;
+		/* Least recently used slot? */
+		if (zmgr->unreachable[i].last < last) {
+			last = zmgr->unreachable[i].last;
+			oldest = i;
+		}
+	}
+	if (i < UNREACH_CHACHE_SIZE) {
+		/*
+		 * Found a existing entry.  Update the expire timer and
+		 * last usage timestamps.
+		 */
+		zmgr->unreachable[i].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[i].last = seconds;
+		if (zmgr->unreachable[i].expire < seconds)
+			zmgr->unreachable[i].count = 1;
+		else
+			zmgr->unreachable[i].count++;
+	} else if (slot != UNREACH_CHACHE_SIZE) {
+		/*
+		 * Found a empty slot. Add a new entry to the cache.
+		 */
+		zmgr->unreachable[slot].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[slot].last = seconds;
+		zmgr->unreachable[slot].remote = *remote;
+		zmgr->unreachable[slot].local = *local;
+		zmgr->unreachable[slot].count = 1;
+	} else {
+		/*
+		 * Replace the least recently used entry in the cache.
+		 */
+		zmgr->unreachable[oldest].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[oldest].last = seconds;
+		zmgr->unreachable[oldest].remote = *remote;
+		zmgr->unreachable[oldest].local = *local;
+		zmgr->unreachable[oldest].count = 1;
+	}
+	RWUNLOCK(&zmgr->urlock, isc_rwlocktype_write);
+}
+
+void
+dns_zone_forcereload(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (zone->type == dns_zone_master ||
+	    (zone->type == dns_zone_redirect && zone->masters == NULL))
+		return;
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+	UNLOCK_ZONE(zone);
+	dns_zone_refresh(zone);
+}
+
+bool
+dns_zone_isforced(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
+}
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, bool on) {
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	UNUSED(on);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone) {
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	return (NULL);
+}
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->stats == NULL);
+
+	LOCK_ZONE(zone);
+	zone->stats = NULL;
+	isc_stats_attach(stats, &zone->stats);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->requeststats_on && stats == NULL)
+		zone->requeststats_on = false;
+	else if (!zone->requeststats_on && stats != NULL) {
+		if (zone->requeststats == NULL) {
+			isc_stats_attach(stats, &zone->requeststats);
+			zone->requeststats_on = true;
+		}
+	}
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setrcvquerystats(dns_zone_t *zone, dns_stats_t *stats) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->requeststats_on && stats != NULL) {
+		if (zone->rcvquerystats == NULL) {
+			dns_stats_attach(stats, &zone->rcvquerystats);
+			zone->requeststats_on = true;
+		}
+	}
+	UNLOCK_ZONE(zone);
+}
+
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone) {
+	/*
+	 * We don't lock zone for efficiency reason.  This is not catastrophic
+	 * because requeststats must always be valid when requeststats_on is
+	 * true.
+	 * Some counters may be incremented while requeststats_on is becoming
+	 * false, or some cannot be incremented just after the statistics are
+	 * installed, but it shouldn't matter much in practice.
+	 */
+	if (zone->requeststats_on)
+		return (zone->requeststats);
+	else
+		return (NULL);
+}
+
+/*
+ * Return the received query stats bucket
+ * see note from dns_zone_getrequeststats()
+ */
+dns_stats_t *
+dns_zone_getrcvquerystats(dns_zone_t *zone) {
+	if (zone->requeststats_on)
+		return (zone->rcvquerystats);
+	else
+		return (NULL);
+}
+
+void
+dns_zone_dialup(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone_debuglog(zone, "dns_zone_dialup", 3,
+		      "notify = %d, refresh = %d",
+		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
+		      DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
+
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
+		dns_zone_notify(zone);
+	if (zone->type != dns_zone_master && zone->masters != NULL &&
+	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+		dns_zone_refresh(zone);
+}
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
+			 DNS_ZONEFLG_DIALREFRESH |
+			 DNS_ZONEFLG_NOREFRESH);
+	switch (dialup) {
+	case dns_dialuptype_no:
+		break;
+	case dns_dialuptype_yes:
+		DNS_ZONE_SETFLAG(zone,	(DNS_ZONEFLG_DIALNOTIFY |
+				 DNS_ZONEFLG_DIALREFRESH |
+				 DNS_ZONEFLG_NOREFRESH));
+		break;
+	case dns_dialuptype_notify:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+		break;
+	case dns_dialuptype_notifypassive:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	case dns_dialuptype_refresh:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	case dns_dialuptype_passive:
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+		break;
+	default:
+		INSIST(0);
+	}
+	UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	result = dns_zone_setstring(zone, &zone->keydirectory, directory);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->keydirectory);
+}
+
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
+	dns_zone_t *zone;
+	unsigned int count = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+	switch (state) {
+	case DNS_ZONESTATE_XFERRUNNING:
+		for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+		     zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, statelink))
+			count++;
+		break;
+	case DNS_ZONESTATE_XFERDEFERRED:
+		for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+		     zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, statelink))
+			count++;
+		break;
+	case DNS_ZONESTATE_SOAQUERY:
+		for (zone = ISC_LIST_HEAD(zmgr->zones);
+		     zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link))
+			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
+				count++;
+		break;
+	case DNS_ZONESTATE_ANY:
+		for (zone = ISC_LIST_HEAD(zmgr->zones);
+		     zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link)) {
+			dns_view_t *view = zone->view;
+			if (view != NULL && strcmp(view->name, "_bind") == 0)
+				continue;
+			count++;
+		}
+		break;
+	case DNS_ZONESTATE_AUTOMATIC:
+		for (zone = ISC_LIST_HEAD(zmgr->zones);
+		     zone != NULL;
+		     zone = ISC_LIST_NEXT(zone, link)) {
+			dns_view_t *view = zone->view;
+			if (view != NULL && strcmp(view->name, "_bind") == 0)
+				continue;
+			if (zone->automatic)
+				count++;
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+	return (count);
+}
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
+	bool ok = true;
+	bool fail = false;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char namebuf2[DNS_NAME_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
+	int level = ISC_LOG_WARNING;
+	dns_name_t bad;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES) &&
+	    rdata->type != dns_rdatatype_nsec3)
+		return (ISC_R_SUCCESS);
+
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL) ||
+	    rdata->type == dns_rdatatype_nsec3) {
+		level = ISC_LOG_ERROR;
+		fail = true;
+	}
+
+	ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, true);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
+			     dns_result_totext(DNS_R_BADOWNERNAME));
+		if (fail)
+			return (DNS_R_BADOWNERNAME);
+	}
+
+	dns_name_init(&bad, NULL);
+	ok = dns_rdata_checknames(rdata, name, &bad);
+	if (!ok) {
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		dns_name_format(&bad, namebuf2, sizeof(namebuf2));
+		dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+		dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
+			     namebuf2, dns_result_totext(DNS_R_BADNAME));
+		if (fail)
+			return (DNS_R_BADNAME);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkmx = checkmx;
+}
+
+void
+dns_zone_setchecksrv(dns_zone_t *zone, dns_checksrvfunc_t checksrv) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checksrv = checksrv;
+}
+
+void
+dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->checkns = checkns;
+}
+
+void
+dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->isself = isself;
+	zone->isselfarg = arg;
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setnotifydelay(dns_zone_t *zone, uint32_t delay) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->notifydelay = delay;
+	UNLOCK_ZONE(zone);
+}
+
+uint32_t
+dns_zone_getnotifydelay(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->notifydelay);
+}
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+		     uint16_t keyid, bool deleteit)
+{
+	isc_result_t result;
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dns_zone_log(zone, ISC_LOG_NOTICE,
+		     "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
+		     algorithm, keyid);
+	LOCK_ZONE(zone);
+	result = zone_signwithkey(zone, algorithm, keyid, deleteit);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+/*
+ * Called when a dynamic update for an NSEC3PARAM record is received.
+ *
+ * If set, transform the NSEC3 salt into human-readable form so that it can be
+ * logged.  Then call zone_addnsec3chain(), passing NSEC3PARAM RDATA to it.
+ */
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	isc_result_t result;
+	char salt[255*2+1];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	dns_zone_log(zone, ISC_LOG_NOTICE,
+		     "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
+		     nsec3param->hash, nsec3param->iterations,
+		     salt);
+	LOCK_ZONE(zone);
+	result = zone_addnsec3chain(zone, nsec3param);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+void
+dns_zone_setnodes(dns_zone_t *zone, uint32_t nodes) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (nodes == 0)
+		nodes = 1;
+	zone->nodes = nodes;
+}
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, uint32_t signatures) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	/*
+	 * We treat signatures as a signed value so explicitly
+	 * limit its range here.
+	 */
+	if (signatures > INT32_MAX)
+		signatures = INT32_MAX;
+	else if (signatures == 0)
+		signatures = 1;
+	zone->signatures = signatures;
+}
+
+uint32_t
+dns_zone_getsignatures(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->signatures);
+}
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->privatetype = type;
+}
+
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->privatetype);
+}
+
+static isc_result_t
+zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, uint16_t keyid,
+		 bool deleteit)
+{
+	dns_signing_t *signing;
+	dns_signing_t *current;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_time_t now;
+	dns_db_t *db = NULL;
+
+	signing = isc_mem_get(zone->mctx, sizeof *signing);
+	if (signing == NULL)
+		return (ISC_R_NOMEMORY);
+
+	signing->magic = 0;
+	signing->db  = NULL;
+	signing->dbiterator = NULL;
+	signing->algorithm = algorithm;
+	signing->keyid = keyid;
+	signing->deleteit = deleteit;
+	signing->done = false;
+
+	TIME_NOW(&now);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	if (db == NULL) {
+		result = ISC_R_NOTFOUND;
+		goto cleanup;
+	}
+
+	dns_db_attach(db, &signing->db);
+
+	for (current = ISC_LIST_HEAD(zone->signing);
+	     current != NULL;
+	     current = ISC_LIST_NEXT(current, link)) {
+		if (current->db == signing->db &&
+		    current->algorithm == signing->algorithm &&
+		    current->keyid == signing->keyid) {
+			if (current->deleteit != signing->deleteit)
+				current->done = true;
+			else
+				goto cleanup;
+		}
+	}
+
+	result = dns_db_createiterator(signing->db, 0,
+				       &signing->dbiterator);
+
+	if (result == ISC_R_SUCCESS)
+		result = dns_dbiterator_first(signing->dbiterator);
+	if (result == ISC_R_SUCCESS) {
+		dns_dbiterator_pause(signing->dbiterator);
+		ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
+		signing = NULL;
+		if (isc_time_isepoch(&zone->signingtime)) {
+			zone->signingtime = now;
+			if (zone->task != NULL)
+				zone_settimer(zone, &now);
+		}
+	}
+
+ cleanup:
+	if (signing != NULL) {
+		if (signing->db != NULL)
+			dns_db_detach(&signing->db);
+		if (signing->dbiterator != NULL)
+			dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
+static void
+logmsg(const char *format, ...) {
+	va_list args;
+	va_start(args, format);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+		       ISC_LOG_DEBUG(1), format, args);
+	va_end(args);
+}
+
+static void
+clear_keylist(dns_dnsseckeylist_t *list, isc_mem_t *mctx) {
+	dns_dnsseckey_t *key;
+	while (!ISC_LIST_EMPTY(*list)) {
+		key = ISC_LIST_HEAD(*list);
+		ISC_LIST_UNLINK(*list, key, link);
+		dns_dnsseckey_destroy(mctx, &key);
+	}
+}
+
+/* Called once; *timep should be set to the current time. */
+static isc_result_t
+next_keyevent(dst_key_t *key, isc_stdtime_t *timep) {
+	isc_result_t result;
+	isc_stdtime_t now, then = 0, event;
+	int i;
+
+	now = *timep;
+
+	for (i = 0; i <= DST_MAX_TIMES; i++) {
+		result = dst_key_gettime(key, i, &event);
+		if (result == ISC_R_SUCCESS && event > now &&
+		    (then == 0 || event < then))
+			then = event;
+	}
+
+	if (then != 0) {
+		*timep = then;
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag)
+{
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3)
+		CHECK(dns_db_findnsec3node(db, name, false, &node));
+	else
+		CHECK(dns_db_findnode(db, name, false, &node));
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_compare(&myrdata, rdata))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = true;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = false;
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Add records to signal the state of signing or of key removal.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
+		    dns_dbversion_t *ver, dns_diff_t *diff,
+		    bool sign_all)
+{
+	dns_difftuple_t *tuple, *newtuple = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	bool flag;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	uint16_t keyid;
+	unsigned char buf[5];
+	dns_name_t *name = dns_db_origin(db);
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		if (tuple->rdata.type != dns_rdatatype_dnskey)
+			continue;
+
+		result = dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((dnskey.flags &
+		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+			 != DNS_KEYOWNER_ZONE)
+			continue;
+
+		dns_rdata_toregion(&tuple->rdata, &r);
+
+		keyid = dst_region_computeid(&r, dnskey.algorithm);
+
+		buf[0] = dnskey.algorithm;
+		buf[1] = (keyid & 0xff00) >> 8;
+		buf[2] = (keyid & 0xff);
+		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+		buf[4] = 0;
+		rdata.data = buf;
+		rdata.length = sizeof(buf);
+		rdata.type = privatetype;
+		rdata.rdclass = tuple->rdata.rdclass;
+
+		if (sign_all || tuple->op == DNS_DIFFOP_DEL) {
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+			if (flag)
+				continue;
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+
+		/*
+		 * Remove any record which says this operation has already
+		 * completed.
+		 */
+		buf[4] = 1;
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+	}
+ failure:
+	return (result);
+}
+
+static isc_result_t
+sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	  isc_stdtime_t now, dns_diff_t *diff, dns__zonediff_t *zonediff)
+{
+	isc_result_t result;
+	isc_stdtime_t inception, soaexpire;
+	bool check_ksk, keyset_kskonly;
+	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
+	unsigned int nkeys = 0, i;
+	dns_difftuple_t *tuple;
+
+	result = dns__zone_findkeys(zone, db, ver, now, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sign_apex:dns__zone_findkeys -> %s",
+			     dns_result_totext(result));
+		return (result);
+	}
+
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
+
+	/*
+	 * See if dns__zone_updatesigs() will update DNSKEY signature and if
+	 * not cause them to sign so that newly activated keys are used.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		if (tuple->rdata.type == dns_rdatatype_dnskey &&
+		    dns_name_equal(&tuple->name, &zone->origin))
+			break;
+	}
+
+	if (tuple == NULL) {
+		result = del_sigs(zone, db, ver, &zone->origin,
+				  dns_rdatatype_dnskey, zonediff,
+				  zone_keys, nkeys, now, false);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "sign_apex:del_sigs -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey,
+				  zonediff->diff, zone_keys, nkeys, zone->mctx,
+				  inception, soaexpire, check_ksk,
+				  keyset_kskonly);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "sign_apex:add_sigs -> %s",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
+				      inception, soaexpire, now, check_ksk,
+				      keyset_kskonly, zonediff);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "sign_apex:dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+ failure:
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+	return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ * See update.c:check_dnssec()
+ */
+static bool
+dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	    dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_difftuple_t *tuple;
+	bool nseconly = false, nsec3 = false;
+	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+
+	/* Scan the tuples for an NSEC-only DNSKEY */
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		uint8_t alg;
+		if (tuple->rdata.type != dns_rdatatype_dnskey ||
+		    tuple->op != DNS_DIFFOP_ADD)
+			continue;
+
+		alg = tuple->rdata.data[3];
+		if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+		    alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+			nseconly = true;
+			break;
+		}
+	}
+
+	/* Check existing DB for NSEC-only DNSKEY */
+	if (!nseconly) {
+		result = dns_nsec_nseconly(db, ver, &nseconly);
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		CHECK(result);
+	}
+
+	/* Check existing DB for NSEC3 */
+	if (!nsec3)
+		CHECK(dns_nsec3_activex(db, ver, false,
+					privatetype, &nsec3));
+
+	/* Refuse to allow NSEC3 with NSEC-only keys */
+	if (nseconly && nsec3) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
+		goto failure;
+	}
+
+	return (true);
+
+ failure:
+	return (false);
+}
+
+static isc_result_t
+clean_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		 dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_nsec3param_deletechains(db, ver, zone, true, diff);
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Given an RRSIG rdataset and an algorithm, determine whether there
+ * are any signatures using that algorithm.
+ */
+static bool
+signed_with_alg(dns_rdataset_t *rdataset, dns_secalg_t alg) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+	isc_result_t result;
+
+	REQUIRE(rdataset == NULL || rdataset->type == dns_rdatatype_rrsig);
+	if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) {
+		return (false);
+	}
+
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_rdataset_current(rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdata_reset(&rdata);
+		if (rrsig.algorithm == alg)
+			return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+add_chains(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	   dns_diff_t *diff)
+{
+	dns_name_t *origin;
+	bool build_nsec3;
+	isc_result_t result;
+
+	origin = dns_db_origin(db);
+	CHECK(dns_private_chains(db, ver, zone->privatetype, NULL,
+				 &build_nsec3));
+	if (build_nsec3)
+		CHECK(dns_nsec3_addnsec3sx(db, ver, origin, zone->minimum,
+					   false, zone->privatetype, diff));
+	CHECK(updatesecure(db, ver, origin, zone->minimum, true, diff));
+
+ failure:
+	return (result);
+}
+
+static void
+zone_rekey(dns_zone_t *zone) {
+	isc_result_t result;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *ver = NULL;
+	dns_rdataset_t cdsset, soaset, soasigs, keyset, keysigs, cdnskeyset;
+	dns_dnsseckeylist_t dnskeys, keys, rmkeys;
+	dns_dnsseckey_t *key;
+	dns_diff_t diff, _sig_diff;
+	dns__zonediff_t zonediff;
+	bool commit = false, newactive = false;
+	bool newalg = false;
+	bool fullsign;
+	dns_ttl_t ttl = 3600;
+	const char *dir;
+	isc_mem_t *mctx;
+	isc_stdtime_t now;
+	isc_time_t timenow;
+	isc_interval_t ival;
+	char timebuf[80];
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	ISC_LIST_INIT(dnskeys);
+	ISC_LIST_INIT(keys);
+	ISC_LIST_INIT(rmkeys);
+	dns_rdataset_init(&soaset);
+	dns_rdataset_init(&soasigs);
+	dns_rdataset_init(&keyset);
+	dns_rdataset_init(&keysigs);
+	dns_rdataset_init(&cdsset);
+	dns_rdataset_init(&cdnskeyset);
+	dir = dns_zone_getkeydirectory(zone);
+	mctx = zone->mctx;
+	dns_diff_init(mctx, &diff);
+	dns_diff_init(mctx, &_sig_diff);
+	zonediff_init(&zonediff, &_sig_diff);
+
+	CHECK(dns_zone_getdb(zone, &db));
+	CHECK(dns_db_newversion(db, &ver));
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	TIME_NOW(&timenow);
+	now = isc_time_seconds(&timenow);
+
+	dns_zone_log(zone, ISC_LOG_INFO, "reconfiguring zone keys");
+
+	/* Get the SOA record's TTL */
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_soa,
+				  dns_rdatatype_none, 0, &soaset, &soasigs));
+	ttl = soaset.ttl;
+	dns_rdataset_disassociate(&soaset);
+
+	/* Get the DNSKEY rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &keyset, &keysigs);
+	if (result == ISC_R_SUCCESS) {
+		ttl = keyset.ttl;
+		CHECK(dns_dnssec_keylistfromrdataset(&zone->origin, dir,
+						     mctx, &keyset,
+						     &keysigs, &soasigs,
+						     false, false,
+						     &dnskeys));
+	} else if (result != ISC_R_NOTFOUND)
+		goto failure;
+
+
+	/* Get the CDS rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cds,
+				     dns_rdatatype_none, 0, &cdsset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdsset))
+		dns_rdataset_disassociate(&cdsset);
+
+	/* Get the CDNSKEY rdataset */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_cdnskey,
+				     dns_rdatatype_none, 0, &cdnskeyset, NULL);
+	if (result != ISC_R_SUCCESS && dns_rdataset_isassociated(&cdnskeyset))
+		dns_rdataset_disassociate(&cdnskeyset);
+
+	/*
+	 * True when called from "rndc sign".  Indicates the zone should be
+	 * fully signed now.
+	 */
+	fullsign = DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_FULLSIGN);
+
+	result = dns_dnssec_findmatchingkeys2(&zone->origin, dir, now, mctx,
+					      &keys);
+	if (result == ISC_R_SUCCESS) {
+		bool check_ksk;
+		check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+
+		result = dns_dnssec_updatekeys(&dnskeys, &keys, &rmkeys,
+					       &zone->origin, ttl, &diff,
+					       !check_ksk,
+					       mctx, logmsg);
+		/*
+		 * Keys couldn't be updated for some reason;
+		 * try again later.
+		 */
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
+				     "couldn't update zone keys: %s",
+				     isc_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * Update CDS / CDNSKEY records.
+		 */
+		result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
+					       &cdnskeyset, now, ttl,
+					       &diff, mctx);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_rekey:"
+				     "couldn't update CDS/CDNSKEY: %s",
+				     isc_result_totext(result));
+			goto failure;
+		}
+
+		/*
+		 * See if any pre-existing keys have newly become active;
+		 * also, see if any new key is for a new algorithm, as in that
+		 * event, we need to sign the zone fully.  (If there's a new
+		 * key, but it's for an already-existing algorithm, then
+		 * the zone signing can be handled incrementally.)
+		 */
+		for (key = ISC_LIST_HEAD(dnskeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			if (!key->first_sign)
+				continue;
+
+			newactive = true;
+
+			if (!dns_rdataset_isassociated(&keysigs)) {
+				newalg = true;
+				break;
+			}
+
+			if (signed_with_alg(&keysigs, dst_key_alg(key->key))) {
+				/*
+				 * This isn't a new algorithm; clear
+				 * first_sign so we won't sign the
+				 * whole zone with this key later
+				 */
+				key->first_sign = false;
+			} else {
+				newalg = true;
+				break;
+			}
+		}
+
+		if ((newactive || fullsign || !ISC_LIST_EMPTY(diff.tuples)) &&
+		    dnskey_sane(zone, db, ver, &diff)) {
+			CHECK(dns_diff_apply(&diff, db, ver));
+			CHECK(clean_nsec3param(zone, db, ver, &diff));
+			CHECK(add_signing_records(db, zone->privatetype,
+						  ver, &diff,
+						  (newalg || fullsign)));
+			CHECK(update_soa_serial(db, ver, &diff, mctx,
+						zone->updatemethod));
+			CHECK(add_chains(zone, db, ver, &diff));
+			CHECK(sign_apex(zone, db, ver, now, &diff, &zonediff));
+			CHECK(zone_journal(zone, zonediff.diff, NULL,
+					   "zone_rekey"));
+			commit = true;
+		}
+	}
+
+	dns_db_closeversion(db, &ver, true);
+
+	if (commit) {
+		dns_difftuple_t *tuple;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+		zone_needdump(zone, DNS_DUMP_DELAY);
+
+		zone_settimer(zone, &timenow);
+
+		/* Remove any signatures from removed keys.  */
+		if (!ISC_LIST_EMPTY(rmkeys)) {
+			for (key = ISC_LIST_HEAD(rmkeys);
+			     key != NULL;
+			     key = ISC_LIST_NEXT(key, link)) {
+				result = zone_signwithkey(zone,
+							  dst_key_alg(key->key),
+							  dst_key_id(key->key),
+							  true);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_signwithkey failed: %s",
+					     dns_result_totext(result));
+				}
+			}
+		}
+
+		if (fullsign) {
+			/*
+			 * "rndc sign" was called, so we now sign the zone
+			 * with all active keys, whether they're new or not.
+			 */
+			for (key = ISC_LIST_HEAD(dnskeys);
+			     key != NULL;
+			     key = ISC_LIST_NEXT(key, link)) {
+				if (!key->force_sign && !key->hint_sign)
+					continue;
+
+				result = zone_signwithkey(zone,
+							  dst_key_alg(key->key),
+							  dst_key_id(key->key),
+							  false);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_signwithkey failed: %s",
+					     dns_result_totext(result));
+				}
+			}
+		} else if (newalg) {
+			/*
+			 * We haven't been told to sign fully, but a new
+			 * algorithm was added to the DNSKEY.  We sign
+			 * the full zone, but only with newly active
+			 * keys.
+			 */
+			for (key = ISC_LIST_HEAD(dnskeys);
+			     key != NULL;
+			     key = ISC_LIST_NEXT(key, link)) {
+				if (!key->first_sign)
+					continue;
+
+				result = zone_signwithkey(zone,
+							  dst_key_alg(key->key),
+							  dst_key_id(key->key),
+							  false);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_signwithkey failed: %s",
+					     dns_result_totext(result));
+				}
+			}
+		}
+
+		/*
+		 * Clear fullsign flag, if it was set, so we don't do
+		 * another full signing next time
+		 */
+		zone->keyopts &= ~DNS_ZONEKEY_FULLSIGN;
+
+		/*
+		 * Cause the zone to add/delete NSEC3 chains for the
+		 * deferred NSEC3PARAM changes.
+		 */
+		for (tuple = ISC_LIST_HEAD(zonediff.diff->tuples);
+		     tuple != NULL;
+		     tuple = ISC_LIST_NEXT(tuple, link)) {
+			unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdata_nsec3param_t nsec3param;
+
+			if (tuple->rdata.type != zone->privatetype ||
+			    tuple->op != DNS_DIFFOP_ADD)
+				continue;
+
+			if (!dns_nsec3param_fromprivate(&tuple->rdata, &rdata,
+							buf, sizeof(buf)))
+				continue;
+			result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			if (nsec3param.flags == 0)
+				continue;
+
+			result = zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_addnsec3chain failed: %s",
+					     dns_result_totext(result));
+			}
+		}
+
+		/*
+		 * Activate any NSEC3 chain updates that may have
+		 * been scheduled before this rekey.
+		 */
+		if (fullsign || newalg)
+			resume_addnsec3chain(zone);
+
+		/*
+		 * Schedule the next resigning event
+		 */
+		set_resigntime(zone);
+		UNLOCK_ZONE(zone);
+	}
+
+	isc_time_settoepoch(&zone->refreshkeytime);
+
+	/*
+	 * If we're doing key maintenance, set the key refresh timer to
+	 * the next scheduled key event or to 'dnssec-loadkeys-interval'
+	 * seconds in the future, whichever is sooner.
+	 */
+	if (DNS_ZONEKEY_OPTION(zone, DNS_ZONEKEY_MAINTAIN)) {
+		isc_time_t timethen;
+		isc_stdtime_t then;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval,
+				  &timethen);
+		zone->refreshkeytime = timethen;
+		UNLOCK_ZONE(zone);
+
+		for (key = ISC_LIST_HEAD(dnskeys);
+		     key != NULL;
+		     key = ISC_LIST_NEXT(key, link)) {
+			then = now;
+			result = next_keyevent(key->key, &then);
+			if (result != ISC_R_SUCCESS)
+				continue;
+
+			DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen);
+			LOCK_ZONE(zone);
+			if (isc_time_compare(&timethen,
+					     &zone->refreshkeytime) < 0) {
+				zone->refreshkeytime = timethen;
+			}
+			UNLOCK_ZONE(zone);
+		}
+
+		zone_settimer(zone, &timenow);
+
+		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+		dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf);
+	}
+
+ done:
+	dns_diff_clear(&diff);
+	dns_diff_clear(&_sig_diff);
+
+	clear_keylist(&dnskeys, mctx);
+	clear_keylist(&keys, mctx);
+	clear_keylist(&rmkeys, mctx);
+
+	if (ver != NULL)
+		dns_db_closeversion(db, &ver, false);
+	if (dns_rdataset_isassociated(&cdsset))
+		dns_rdataset_disassociate(&cdsset);
+	if (dns_rdataset_isassociated(&keyset))
+		dns_rdataset_disassociate(&keyset);
+	if (dns_rdataset_isassociated(&keysigs))
+		dns_rdataset_disassociate(&keysigs);
+	if (dns_rdataset_isassociated(&soasigs))
+		dns_rdataset_disassociate(&soasigs);
+	if (dns_rdataset_isassociated(&cdnskeyset))
+		dns_rdataset_disassociate(&cdnskeyset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (db != NULL)
+		dns_db_detach(&db);
+
+	INSIST(ver == NULL);
+	return;
+
+ failure:
+	/*
+	 * Something went wrong; try again in ten minutes or
+	 * after a key refresh interval, whichever is shorter.
+	 */
+	isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0);
+	isc_time_nowplusinterval(&zone->refreshkeytime, &ival);
+	goto done;
+}
+
+void
+dns_zone_rekey(dns_zone_t *zone, bool fullsign) {
+	isc_time_t now;
+
+	if (zone->type == dns_zone_master && zone->task != NULL) {
+		LOCK_ZONE(zone);
+
+		if (fullsign)
+			zone->keyopts |= DNS_ZONEKEY_FULLSIGN;
+
+		TIME_NOW(&now);
+		zone->refreshkeytime = now;
+		zone_settimer(zone, &now);
+
+		UNLOCK_ZONE(zone);
+	}
+}
+
+isc_result_t
+dns_zone_nscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
+		 unsigned int *errors)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(errors != NULL);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = zone_count_ns_rr(zone, db, node, version, NULL, errors,
+				  false);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_zone_cdscheck(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version) {
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t dnskey, cds, cdnskey;
+	unsigned char buffer[DNS_DS_BUFFERSIZE];
+	unsigned char algorithms[256];
+	unsigned int i;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&cds);
+	dns_rdataset_init(&dnskey);
+	dns_rdataset_init(&cdnskey);
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cds,
+				     dns_rdatatype_none, 0, &cds, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_cdnskey,
+				     dns_rdatatype_none, 0, &cdnskey, NULL);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+		goto failure;
+
+	if (!dns_rdataset_isassociated(&cds) &&
+	    !dns_rdataset_isassociated(&cdnskey)) {
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     dns_rdatatype_none, 0, &dnskey, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		if (dns_rdataset_isassociated(&cds))
+			result = DNS_R_BADCDS;
+		else
+			result = DNS_R_BADCDNSKEY;
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * For each DNSSEC algorithm in the CDS RRset there must be
+	 * a matching DNSKEY record.
+	 */
+	if (dns_rdataset_isassociated(&cds)) {
+		memset(algorithms, 0, sizeof(algorithms));
+		for (result = dns_rdataset_first(&cds);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&cds)) {
+			dns_rdata_t crdata = DNS_RDATA_INIT;
+			dns_rdata_cds_t structcds;
+
+			dns_rdataset_current(&cds, &crdata);
+			CHECK(dns_rdata_tostruct(&crdata, &structcds, NULL));
+			if (algorithms[structcds.algorithm] == 0)
+				algorithms[structcds.algorithm] = 1;
+			for (result = dns_rdataset_first(&dnskey);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&dnskey)) {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdata_t dsrdata = DNS_RDATA_INIT;
+
+				dns_rdataset_current(&dnskey, &rdata);
+				CHECK(dns_ds_buildrdata(&zone->origin, &rdata,
+							structcds.digest_type,
+							buffer, &dsrdata));
+				if (crdata.length == dsrdata.length &&
+				    memcmp(crdata.data, dsrdata.data,
+					   dsrdata.length) == 0) {
+					algorithms[structcds.algorithm] = 2;
+				}
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+		for (i = 0; i < sizeof(algorithms); i++) {
+			if (algorithms[i] == 1) {
+				result = DNS_R_BADCDNSKEY;
+				goto failure;
+			}
+		}
+	}
+
+	/*
+	 * For each DNSSEC algorithm in the CDNSKEY RRset there must be
+	 * a matching DNSKEY record.
+	 */
+	if (dns_rdataset_isassociated(&cdnskey)) {
+		memset(algorithms, 0, sizeof(algorithms));
+		for (result = dns_rdataset_first(&cdnskey);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&cdnskey)) {
+			dns_rdata_t crdata = DNS_RDATA_INIT;
+			dns_rdata_cdnskey_t structcdnskey;
+
+			dns_rdataset_current(&cdnskey, &crdata);
+			CHECK(dns_rdata_tostruct(&crdata, &structcdnskey,
+						 NULL));
+			if (algorithms[structcdnskey.algorithm] == 0)
+				algorithms[structcdnskey.algorithm] = 1;
+			for (result = dns_rdataset_first(&dnskey);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&dnskey)) {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+
+				dns_rdataset_current(&dnskey, &rdata);
+				if (crdata.length == rdata.length &&
+				    memcmp(crdata.data, rdata.data,
+					   rdata.length) == 0) {
+					algorithms[structcdnskey.algorithm] = 2;
+				}
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+		for (i = 0; i < sizeof(algorithms); i++) {
+			if (algorithms[i] == 1) {
+				result = DNS_R_BADCDS;
+				goto failure;
+			}
+		}
+	}
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&cds))
+		dns_rdataset_disassociate(&cds);
+	if (dns_rdataset_isassociated(&dnskey))
+		dns_rdataset_disassociate(&dnskey);
+	if (dns_rdataset_isassociated(&cdnskey))
+		dns_rdataset_disassociate(&cdnskey);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+void
+dns_zone_setautomatic(dns_zone_t *zone, bool automatic) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->automatic = automatic;
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getautomatic(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->automatic);
+}
+
+void
+dns_zone_setadded(dns_zone_t *zone, bool added) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	zone->added = added;
+	UNLOCK_ZONE(zone);
+}
+
+bool
+dns_zone_getadded(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->added);
+}
+
+isc_result_t
+dns_zone_dlzpostload(dns_zone_t *zone, dns_db_t *db)
+{
+	isc_time_t loadtime;
+	isc_result_t result;
+	dns_zone_t *secure = NULL;
+
+	TIME_NOW(&loadtime);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+ again:
+	LOCK_ZONE(zone);
+	INSIST(zone != zone->raw);
+	if (inline_secure(zone))
+		LOCK_ZONE(zone->raw);
+	else if (inline_raw(zone)) {
+		secure = zone->secure;
+		TRYLOCK_ZONE(result, secure);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK_ZONE(zone);
+			secure = NULL;
+#if ISC_PLATFORM_USETHREADS
+			isc_thread_yield();
+#endif
+			goto again;
+		}
+	}
+	result = zone_postload(zone, db, loadtime, ISC_R_SUCCESS);
+	if (inline_secure(zone))
+		UNLOCK_ZONE(zone->raw);
+	else if (secure != NULL)
+		UNLOCK_ZONE(secure);
+	UNLOCK_ZONE(zone);
+	return result;
+}
+
+isc_result_t
+dns_zone_setrefreshkeyinterval(dns_zone_t *zone, uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	if (interval == 0)
+		return (ISC_R_RANGE);
+	/* Maximum value: 24 hours (3600 minutes) */
+	if (interval > (24 * 60))
+		interval = (24 * 60);
+	/* Multiply by 60 for seconds */
+	zone->refreshkeyinterval = interval * 60;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setrequestixfr(dns_zone_t *zone, bool flag) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->requestixfr = flag;
+}
+
+bool
+dns_zone_getrequestixfr(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->requestixfr);
+}
+
+void
+dns_zone_setrequestexpire(dns_zone_t *zone, bool flag) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->requestexpire = flag;
+}
+
+bool
+dns_zone_getrequestexpire(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->requestexpire);
+}
+
+void
+dns_zone_setserialupdatemethod(dns_zone_t *zone, dns_updatemethod_t method) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->updatemethod = method;
+}
+
+dns_updatemethod_t
+dns_zone_getserialupdatemethod(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return(zone->updatemethod);
+}
+
+/*
+ * Lock hierarchy: zmgr, zone, raw.
+ */
+isc_result_t
+dns_zone_link(dns_zone_t *zone, dns_zone_t *raw) {
+	isc_result_t result;
+	dns_zonemgr_t *zmgr;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->zmgr != NULL);
+	REQUIRE(zone->task != NULL);
+	REQUIRE(zone->loadtask != NULL);
+	REQUIRE(zone->raw == NULL);
+
+	REQUIRE(DNS_ZONE_VALID(raw));
+	REQUIRE(raw->zmgr == NULL);
+	REQUIRE(raw->task == NULL);
+	REQUIRE(raw->loadtask == NULL);
+	REQUIRE(raw->secure == NULL);
+
+	REQUIRE(zone != raw);
+
+	/*
+	 * Lock hierarchy: zmgr, zone, raw.
+	 */
+	zmgr = zone->zmgr;
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	LOCK_ZONE(zone);
+	LOCK_ZONE(raw);
+
+	result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
+				  NULL, NULL, zone->task, zone_timer, raw,
+				  &raw->timer);
+	if (result != ISC_R_SUCCESS)
+		goto unlock;
+
+	/*
+	 * The timer "holds" a iref.
+	 */
+	raw->irefs++;
+	INSIST(raw->irefs != 0);
+
+
+	/* dns_zone_attach(raw, &zone->raw); */
+	isc_refcount_increment(&raw->erefs, NULL);
+	zone->raw = raw;
+
+	/* dns_zone_iattach(zone,  &raw->secure); */
+	zone_iattach(zone, &raw->secure);
+
+	isc_task_attach(zone->task, &raw->task);
+	isc_task_attach(zone->loadtask, &raw->loadtask);
+
+	ISC_LIST_APPEND(zmgr->zones, raw, link);
+	raw->zmgr = zmgr;
+	zmgr->refs++;
+
+ unlock:
+	UNLOCK_ZONE(raw);
+	UNLOCK_ZONE(zone);
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	return (result);
+}
+
+void
+dns_zone_getraw(dns_zone_t *zone, dns_zone_t **raw) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(raw != NULL && *raw == NULL);
+
+	LOCK(&zone->lock);
+	INSIST(zone != zone->raw);
+	if (zone->raw != NULL)
+		dns_zone_attach(zone->raw, raw);
+	UNLOCK(&zone->lock);
+}
+
+struct keydone {
+	isc_event_t event;
+	bool all;
+	unsigned char data[5];
+};
+
+#define PENDINGFLAGS (DNS_NSEC3FLAG_CREATE|DNS_NSEC3FLAG_INITIAL)
+
+static void
+keydone(isc_task_t *task, isc_event_t *event) {
+	const char *me = "keydone";
+	bool commit = false;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_diff_t diff;
+	struct keydone *kd = (struct keydone *)event;
+	dns_update_log_t log = { update_log_cb, NULL };
+	bool clear_pending = false;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	dns_rdataset_init(&rdataset);
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		goto failure;
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "keydone:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS) {
+		INSIST(!dns_rdataset_isassociated(&rdataset));
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		bool found = false;
+
+		dns_rdataset_current(&rdataset, &rdata);
+
+		if (kd->all) {
+			if (rdata.length == 5 && rdata.data[0] != 0 &&
+			       rdata.data[3] == 0 && rdata.data[4] == 1)
+				found = true;
+			else if (rdata.data[0] == 0 &&
+				 (rdata.data[2] & PENDINGFLAGS) != 0) {
+				found = true;
+				clear_pending = true;
+			}
+		} else if (rdata.length == 5 &&
+			   memcmp(rdata.data, kd->data, 5) == 0)
+			found = true;
+
+		if (found)
+			CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_DEL,
+					    &zone->origin, rdataset.ttl,
+					    &rdata));
+		dns_rdata_reset(&rdata);
+	}
+
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		/* Write changes to journal file. */
+		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
+					zone->updatemethod));
+
+		result = dns_update_signatures(&log, zone, db,
+					       oldver, newver, &diff,
+					       zone->sigvalidityinterval);
+		if (!clear_pending)
+			CHECK(result);
+
+		CHECK(zone_journal(zone, &diff, NULL, "keydone"));
+		commit = true;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+		UNLOCK_ZONE(zone);
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (db != NULL) {
+		if (node != NULL)
+			dns_db_detachnode(db, &node);
+		if (oldver != NULL)
+			dns_db_closeversion(db, &oldver, false);
+		if (newver != NULL)
+			dns_db_closeversion(db, &newver, commit);
+		dns_db_detach(&db);
+	}
+	dns_diff_clear(&diff);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+isc_result_t
+dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *e;
+	isc_buffer_t b;
+	dns_zone_t *dummy = NULL;
+	struct keydone *kd;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_KEYDONE, keydone,
+			       zone, sizeof(struct keydone));
+	if (e == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+
+	kd = (struct keydone *) e;
+	if (strcasecmp(keystr, "all") == 0)
+		kd->all = true;
+	else {
+		isc_textregion_t r;
+		const char *algstr;
+		dns_keytag_t keyid;
+		dns_secalg_t alg;
+		size_t n;
+
+		kd->all = false;
+
+		n = sscanf(keystr, "%hu/", &keyid);
+		if (n == 0U)
+			CHECK(ISC_R_FAILURE);
+
+		algstr = strchr(keystr, '/');
+		if (algstr != NULL)
+			algstr++;
+		else
+			CHECK(ISC_R_FAILURE);
+
+		n = sscanf(algstr, "%hhu", &alg);
+		if (n == 0U) {
+			DE_CONST(algstr, r.base);
+			r.length = strlen(algstr);
+			CHECK(dns_secalg_fromtext(&alg, &r));
+		}
+
+		/* construct a private-type rdata */
+		isc_buffer_init(&b, kd->data, sizeof(kd->data));
+		isc_buffer_putuint8(&b, alg);
+		isc_buffer_putuint8(&b, (keyid & 0xff00) >> 8);
+		isc_buffer_putuint8(&b, (keyid & 0xff));
+		isc_buffer_putuint8(&b, 0);
+		isc_buffer_putuint8(&b, 1);
+	}
+
+	zone_iattach(zone, &dummy);
+	isc_task_send(zone->task, &e);
+
+ failure:
+	if (e != NULL)
+		isc_event_free(&e);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+/*
+ * Called from the zone task's queue after the relevant event is posted by
+ * dns_zone_setnsec3param().
+ *
+ * Check whether NSEC3 chain addition or removal specified by the private-type
+ * record passed with the event was already queued (or even fully performed).
+ * If not, modify the relevant private-type records at the zone apex and call
+ * resume_addnsec3chain().
+ */
+static void
+setnsec3param(isc_task_t *task, isc_event_t *event) {
+	const char *me = "setnsec3param";
+	bool commit = false;
+	isc_result_t result;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t prdataset, nrdataset;
+	dns_diff_t diff;
+	struct np3event *npe = (struct np3event *)event;
+	nsec3param_t *np;
+	dns_update_log_t log = { update_log_cb, NULL };
+	dns_rdata_t rdata;
+	bool nseconly;
+	bool exists = false;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	np = &npe->params;
+
+	dns_rdataset_init(&prdataset);
+	dns_rdataset_init(&nrdataset);
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		goto failure;
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "setnsec3param:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	CHECK(dns_db_getoriginnode(db, &node));
+
+	/*
+	 * Does a private-type record already exist for this chain?
+	 */
+	result = dns_db_findrdataset(db, node, newver, zone->privatetype,
+				     dns_rdatatype_none, 0, &prdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		for (result = dns_rdataset_first(&prdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&prdataset)) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&prdataset, &rdata);
+
+			if (np->length == rdata.length &&
+			    memcmp(rdata.data, np->data, np->length) == 0) {
+				exists = true;
+				break;
+			}
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&prdataset));
+		goto failure;
+	}
+
+	/*
+	 * Does the chain already exist?
+	 */
+	result = dns_db_findrdataset(db, node, newver,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &nrdataset, NULL);
+	if (result == ISC_R_SUCCESS) {
+		for (result = dns_rdataset_first(&nrdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&nrdataset)) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&nrdataset, &rdata);
+
+			if (np->length == (rdata.length + 1) &&
+			    memcmp(rdata.data, np->data + 1,
+				   np->length - 1) == 0)
+			{
+				exists = true;
+				break;
+			}
+		}
+	} else if (result != ISC_R_NOTFOUND) {
+		INSIST(!dns_rdataset_isassociated(&nrdataset));
+		goto failure;
+	}
+
+
+	/*
+	 * We need to remove any existing NSEC3 chains if the supplied NSEC3
+	 * parameters are supposed to replace the current ones or if we are
+	 * switching to NSEC.
+	 */
+	if (!exists && np->replace && (np->length != 0 || np->nsec))
+		CHECK(dns_nsec3param_deletechains(db, newver, zone,
+						  !np->nsec, &diff));
+
+	if (!exists && np->length != 0) {
+		/*
+		 * We're creating an NSEC3 chain.  Add the private-type record
+		 * passed in the event handler's argument to the zone apex.
+		 *
+		 * If the zone is not currently capable of supporting an NSEC3
+		 * chain (due to the DNSKEY RRset at the zone apex not existing
+		 * or containing at least one key using an NSEC-only
+		 * algorithm), add the INITIAL flag, so these parameters can be
+		 * used later when NSEC3 becomes available.
+		 */
+		dns_rdata_init(&rdata);
+
+		np->data[2] |= DNS_NSEC3FLAG_CREATE;
+		result = dns_nsec_nseconly(db, newver, &nseconly);
+		if (result == ISC_R_NOTFOUND || nseconly)
+			np->data[2] |= DNS_NSEC3FLAG_INITIAL;
+
+		rdata.length = np->length;
+		rdata.data = np->data;
+		rdata.type = zone->privatetype;
+		rdata.rdclass = zone->rdclass;
+		CHECK(update_one_rr(db, newver, &diff, DNS_DIFFOP_ADD,
+				    &zone->origin, 0, &rdata));
+	}
+
+	/*
+	 * If we changed anything in the zone, write changes to journal file
+	 * and set commit to true so that resume_addnsec3chain() will be
+	 * called below in order to kick off adding/removing relevant NSEC3
+	 * records.
+	 */
+	if (!ISC_LIST_EMPTY(diff.tuples)) {
+		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
+					zone->updatemethod));
+		result = dns_update_signatures(&log, zone, db,
+					       oldver, newver, &diff,
+					       zone->sigvalidityinterval);
+		if (result != ISC_R_NOTFOUND)
+			CHECK(result);
+		CHECK(zone_journal(zone, &diff, NULL, "setnsec3param"));
+		commit = true;
+
+		LOCK_ZONE(zone);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
+		zone_needdump(zone, 30);
+		UNLOCK_ZONE(zone);
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&prdataset))
+		dns_rdataset_disassociate(&prdataset);
+	if (dns_rdataset_isassociated(&nrdataset))
+		dns_rdataset_disassociate(&nrdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (oldver != NULL)
+		dns_db_closeversion(db, &oldver, false);
+	if (newver != NULL)
+		dns_db_closeversion(db, &newver, commit);
+	if (db != NULL)
+		dns_db_detach(&db);
+	if (commit) {
+		LOCK_ZONE(zone);
+		resume_addnsec3chain(zone);
+		UNLOCK_ZONE(zone);
+	}
+	dns_diff_clear(&diff);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+/*
+ * Called when an "rndc signing -nsec3param ..." command is received.
+ *
+ * Allocate and prepare an nsec3param_t structure which holds information about
+ * the NSEC3 changes requested for the zone:
+ *
+ *   - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec"
+ *     field of the structure to true and the "replace" field to the value
+ *     of the "replace" argument, leaving other fields initialized to zeros, to
+ *     signal that the zone should be signed using NSEC instead of NSEC3,
+ *
+ *   - otherwise, prepare NSEC3PARAM RDATA that will eventually be inserted at
+ *     the zone apex, convert it to a private-type record and store the latter
+ *     in the "data" field of the nsec3param_t structure.
+ *
+ * Once the nsec3param_t structure is prepared, post an event to the zone's
+ * task which will cause setnsec3param() to be called with the prepared
+ * structure passed as an argument.
+ */
+isc_result_t
+dns_zone_setnsec3param(dns_zone_t *zone, uint8_t hash, uint8_t flags,
+		       uint16_t iter, uint8_t saltlen,
+		       unsigned char *salt, bool replace)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_nsec3param_t param;
+	dns_rdata_t nrdata = DNS_RDATA_INIT;
+	dns_rdata_t prdata = DNS_RDATA_INIT;
+	unsigned char nbuf[DNS_NSEC3PARAM_BUFFERSIZE];
+	struct np3event *npe;
+	nsec3param_t *np;
+	dns_zone_t *dummy = NULL;
+	isc_buffer_t b;
+	isc_event_t *e;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(salt != NULL);
+
+	LOCK_ZONE(zone);
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_SETNSEC3PARAM,
+			       setnsec3param, zone, sizeof(struct np3event));
+	if (e == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+
+	npe = (struct np3event *) e;
+	np = &npe->params;
+
+	np->replace = replace;
+	if (hash == 0) {
+		np->length = 0;
+		np->nsec = true;
+	} else {
+		param.common.rdclass = zone->rdclass;
+		param.common.rdtype = dns_rdatatype_nsec3param;
+		ISC_LINK_INIT(&param.common, link);
+		param.mctx = NULL;
+		param.hash = hash;
+		param.flags = flags;
+		param.iterations = iter;
+		param.salt_length = saltlen;
+		param.salt = salt;
+		isc_buffer_init(&b, nbuf, sizeof(nbuf));
+		CHECK(dns_rdata_fromstruct(&nrdata, zone->rdclass,
+					   dns_rdatatype_nsec3param,
+					   &param, &b));
+		dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
+					 np->data, sizeof(np->data));
+		np->length = prdata.length;
+		np->nsec = false;
+	}
+
+	/*
+	 * setnsec3param() will silently return early if the zone does not yet
+	 * have a database.  Prevent that by queueing the event up if zone->db
+	 * is NULL.  All events queued here are subsequently processed by
+	 * receive_secure_db() if it ever gets called or simply freed by
+	 * zone_free() otherwise.
+	 */
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL) {
+		zone_iattach(zone, &dummy);
+		isc_task_send(zone->task, &e);
+	} else {
+		ISC_LIST_APPEND(zone->setnsec3param_queue, e, ev_link);
+		e = NULL;
+	}
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+ failure:
+	if (e != NULL)
+		isc_event_free(&e);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
+
+isc_result_t
+dns_zone_getloadtime(dns_zone_t *zone, isc_time_t *loadtime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(loadtime != NULL);
+
+	LOCK_ZONE(zone);
+	*loadtime = zone->loadtime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getexpiretime(dns_zone_t *zone, isc_time_t *expiretime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(expiretime != NULL);
+
+	LOCK_ZONE(zone);
+	*expiretime = zone->expiretime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getrefreshtime(dns_zone_t *zone, isc_time_t *refreshtime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(refreshtime != NULL);
+
+	LOCK_ZONE(zone);
+	*refreshtime = zone->refreshtime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_getrefreshkeytime(dns_zone_t *zone, isc_time_t *refreshkeytime) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(refreshkeytime != NULL);
+
+	LOCK_ZONE(zone);
+	*refreshkeytime = zone->refreshkeytime;
+	UNLOCK_ZONE(zone);
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_zone_getincludes(dns_zone_t *zone, char ***includesp) {
+	dns_include_t *include;
+	char **array = NULL;
+	unsigned int n = 0;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(includesp != NULL && *includesp == NULL);
+
+	LOCK_ZONE(zone);
+	if (zone->nincludes == 0)
+		goto done;
+
+	array = isc_mem_allocate(zone->mctx, sizeof(char *) * zone->nincludes);
+	if (array == NULL)
+		goto done;
+	for (include = ISC_LIST_HEAD(zone->includes);
+	     include != NULL;
+	     include = ISC_LIST_NEXT(include, link)) {
+		INSIST(n < zone->nincludes);
+		array[n++] = isc_mem_strdup(zone->mctx, include->name);
+	}
+	INSIST(n == zone->nincludes);
+	*includesp = array;
+
+ done:
+	UNLOCK_ZONE(zone);
+	return (n);
+}
+
+void
+dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->statlevel = level;
+}
+
+dns_zonestat_level_t
+dns_zone_getstatlevel(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->statlevel);
+}
+
+static void
+setserial(isc_task_t *task, isc_event_t *event) {
+	uint32_t oldserial, desired;
+	const char *me = "setserial";
+	bool commit = false;
+	isc_result_t result;
+	dns_dbversion_t *oldver = NULL, *newver = NULL;
+	dns_zone_t *zone;
+	dns_db_t *db = NULL;
+	dns_diff_t diff;
+	struct ssevent *sse = (struct ssevent *)event;
+	dns_update_log_t log = { update_log_cb, NULL };
+	dns_difftuple_t *oldtuple = NULL, *newtuple = NULL;
+
+	UNUSED(task);
+
+	zone = event->ev_arg;
+	INSIST(DNS_ZONE_VALID(zone));
+
+	ENTER;
+
+	if (zone->update_disabled)
+		goto failure;
+
+	desired = sse->serial;
+
+	dns_diff_init(zone->mctx, &diff);
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	if (zone->db != NULL)
+		dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL)
+		goto failure;
+
+	dns_db_currentversion(db, &oldver);
+	result = dns_db_newversion(db, &newver);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "setserial:dns_db_newversion -> %s",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	CHECK(dns_db_createsoatuple(db, oldver, diff.mctx,
+				    DNS_DIFFOP_DEL, &oldtuple));
+	CHECK(dns_difftuple_copy(oldtuple, &newtuple));
+	newtuple->op = DNS_DIFFOP_ADD;
+
+	oldserial = dns_soa_getserial(&oldtuple->rdata);
+	if (desired == 0U)
+		desired = 1;
+	if (!isc_serial_gt(desired, oldserial)) {
+		if (desired != oldserial)
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "setserial: desired serial (%u) "
+				     "out of range (%u-%u)", desired,
+				     oldserial + 1, (oldserial + 0x7fffffff));
+		goto failure;
+	}
+
+	dns_soa_setserial(desired, &newtuple->rdata);
+	CHECK(do_one_tuple(&oldtuple, db, newver, &diff));
+	CHECK(do_one_tuple(&newtuple, db, newver, &diff));
+	result = dns_update_signatures(&log, zone, db,
+				       oldver, newver, &diff,
+				       zone->sigvalidityinterval);
+	if (result != ISC_R_NOTFOUND)
+		CHECK(result);
+
+	/* Write changes to journal file. */
+	CHECK(zone_journal(zone, &diff, NULL, "setserial"));
+	commit = true;
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, 30);
+	UNLOCK_ZONE(zone);
+
+ failure:
+	if (oldtuple != NULL)
+		dns_difftuple_free(&oldtuple);
+	if (newtuple != NULL)
+		dns_difftuple_free(&newtuple);
+	if (oldver != NULL)
+		dns_db_closeversion(db, &oldver, false);
+	if (newver != NULL)
+		dns_db_closeversion(db, &newver, commit);
+	if (db != NULL)
+		dns_db_detach(&db);
+	dns_diff_clear(&diff);
+	isc_event_free(&event);
+	dns_zone_idetach(&zone);
+
+	INSIST(oldver == NULL);
+	INSIST(newver == NULL);
+}
+
+isc_result_t
+dns_zone_setserial(dns_zone_t *zone, uint32_t serial) {
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_zone_t *dummy = NULL;
+	isc_event_t *e = NULL;
+	struct ssevent *sse;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+
+	if (!inline_secure(zone)) {
+		if (!dns_zone_isdynamic(zone, true)) {
+			result = DNS_R_NOTDYNAMIC;
+			goto failure;
+		}
+	}
+
+	if (zone->update_disabled) {
+		result = DNS_R_FROZEN;
+		goto failure;
+	}
+
+	e = isc_event_allocate(zone->mctx, zone, DNS_EVENT_SETSERIAL,
+			       setserial, zone, sizeof(struct ssevent));
+	if (e == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+
+	sse = (struct ssevent *)e;
+	sse->serial = serial;
+
+	zone_iattach(zone, &dummy);
+	isc_task_send(zone->task, &e);
+
+ failure:
+	if (e != NULL)
+		isc_event_free(&e);
+	UNLOCK_ZONE(zone);
+	return (result);
+}
diff --git a/lib/dns/zone_p.h b/lib/dns/zone_p.h
new file mode 100644
index 0000000..1f4432a
--- /dev/null
+++ b/lib/dns/zone_p.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef DNS_ZONE_P_H
+#define DNS_ZONE_P_H
+
+#include <stdbool.h>
+
+/*! \file */
+
+/*%
+ *     Types and functions below not be used outside this module and its
+ *     associated unit tests.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	dns_diff_t	*diff;
+	bool	offline;
+} dns__zonediff_t;
+
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_stdtime_t now, isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys);
+
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t now,
+		     bool check_ksk, bool keyset_kskonly,
+		     dns__zonediff_t *zonediff);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONE_P_H */
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
new file mode 100644
index 0000000..ca55520
--- /dev/null
+++ b/lib/dns/zonekey.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+#include <dns/zonekey.h>
+
+bool
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
+	isc_result_t result;
+	dns_rdata_dnskey_t key;
+	bool iszonekey = true;
+
+	REQUIRE(keyrdata != NULL);
+
+	result = dns_rdata_tostruct(keyrdata, &key, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (false);
+
+	if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0)
+		iszonekey = false;
+	if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+		iszonekey = false;
+	if (key.protocol != DNS_KEYPROTO_DNSSEC &&
+	key.protocol != DNS_KEYPROTO_ANY)
+		iszonekey = false;
+
+	return (iszonekey);
+}
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
new file mode 100644
index 0000000..c84da2f
--- /dev/null
+++ b/lib/dns/zt.c
@@ -0,0 +1,601 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rbt.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+struct dns_zt {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	dns_rdataclass_t	rdclass;
+	isc_rwlock_t		rwlock;
+	dns_zt_allloaded_t	loaddone;
+	void *			loaddone_arg;
+	/* Locked by lock. */
+	bool		flush;
+	uint32_t		references;
+	unsigned int		loads_pending;
+	dns_rbt_t		*table;
+};
+
+#define ZTMAGIC			ISC_MAGIC('Z', 'T', 'b', 'l')
+#define VALID_ZT(zt) 		ISC_MAGIC_VALID(zt, ZTMAGIC)
+
+struct zt_load_params {
+	dns_zt_zoneloaded_t dl;
+	bool newonly;
+	struct dns_zt* zt;
+};
+
+static void
+auto_detach(void *, void *);
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+asyncload(dns_zone_t *zone, void *callback);
+
+static isc_result_t
+loadnew(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task);
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
+	dns_zt_t *zt;
+	isc_result_t result;
+
+	REQUIRE(ztp != NULL && *ztp == NULL);
+
+	zt = isc_mem_get(mctx, sizeof(*zt));
+	if (zt == NULL)
+		return (ISC_R_NOMEMORY);
+
+	zt->table = NULL;
+	result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_zt;
+
+	result = isc_rwlock_init(&zt->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rbt;
+
+	zt->mctx = NULL;
+	isc_mem_attach(mctx, &zt->mctx);
+	zt->references = 1;
+	zt->flush = false;
+	zt->rdclass = rdclass;
+	zt->magic = ZTMAGIC;
+	zt->loaddone = NULL;
+	zt->loaddone_arg = NULL;
+	zt->loads_pending = 0;
+	*ztp = zt;
+
+	return (ISC_R_SUCCESS);
+
+   cleanup_rbt:
+	dns_rbt_destroy(&zt->table);
+
+   cleanup_zt:
+	isc_mem_put(mctx, zt, sizeof(*zt));
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone) {
+	isc_result_t result;
+	dns_zone_t *dummy = NULL;
+	dns_name_t *name;
+
+	REQUIRE(VALID_ZT(zt));
+
+	name = dns_zone_getorigin(zone);
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	result = dns_rbt_addname(zt->table, name, zone);
+	if (result == ISC_R_SUCCESS)
+		dns_zone_attach(zone, &dummy);
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
+	isc_result_t result;
+	dns_name_t *name;
+
+	REQUIRE(VALID_ZT(zt));
+
+	name = dns_zone_getorigin(zone);
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	result = dns_rbt_deletename(zt->table, name, false);
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, const dns_name_t *name, unsigned int options,
+	    dns_name_t *foundname, dns_zone_t **zonep)
+{
+	isc_result_t result;
+	dns_zone_t *dummy = NULL;
+	unsigned int rbtoptions = 0;
+
+	REQUIRE(VALID_ZT(zt));
+
+	if ((options & DNS_ZTFIND_NOEXACT) != 0)
+		rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+	result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
+				  (void **) (void*)&dummy);
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+		dns_zone_attach(dummy, zonep);
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
+
+	REQUIRE(VALID_ZT(zt));
+	REQUIRE(ztp != NULL && *ztp == NULL);
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	INSIST(zt->references > 0);
+	zt->references++;
+	INSIST(zt->references != 0);
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	*ztp = zt;
+}
+
+static isc_result_t
+flush(dns_zone_t *zone, void *uap) {
+	UNUSED(uap);
+	return (dns_zone_flush(zone));
+}
+
+static void
+zt_destroy(dns_zt_t *zt) {
+	if (zt->flush)
+		(void)dns_zt_apply(zt, false, flush, NULL);
+	dns_rbt_destroy(&zt->table);
+	isc_rwlock_destroy(&zt->rwlock);
+	zt->magic = 0;
+	isc_mem_putanddetach(&zt->mctx, zt, sizeof(*zt));
+}
+
+static void
+zt_flushanddetach(dns_zt_t **ztp, bool need_flush) {
+	bool destroy = false;
+	dns_zt_t *zt;
+
+	REQUIRE(ztp != NULL && VALID_ZT(*ztp));
+
+	zt = *ztp;
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	INSIST(zt->references > 0);
+	zt->references--;
+	if (zt->references == 0)
+		destroy = true;
+	if (need_flush)
+		zt->flush = true;
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	if (destroy)
+		zt_destroy(zt);
+
+	*ztp = NULL;
+}
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp) {
+	zt_flushanddetach(ztp, true);
+}
+
+void
+dns_zt_detach(dns_zt_t **ztp) {
+	zt_flushanddetach(ztp, false);
+}
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, bool stop) {
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+	result = dns_zt_apply(zt, stop, load, NULL);
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap) {
+	isc_result_t result;
+	UNUSED(uap);
+
+	result = dns_zone_load(zone);
+	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE)
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
+
+isc_result_t
+dns_zt_asyncload(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg) {
+	return (dns_zt_asyncload2(zt, alldone, arg, false));
+}
+
+isc_result_t
+dns_zt_asyncload2(dns_zt_t *zt, dns_zt_allloaded_t alldone, void *arg,
+		  bool newonly)
+{
+	isc_result_t result;
+	struct zt_load_params params;
+	params.dl = doneloading;
+	params.newonly = newonly;
+	params.zt = zt;
+	int pending;
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	INSIST(zt->loads_pending == 0);
+	result = dns_zt_apply2(zt, false, NULL, asyncload, &params);
+
+	pending = zt->loads_pending;
+	if (pending != 0) {
+		zt->loaddone = alldone;
+		zt->loaddone_arg = arg;
+	}
+
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	if (pending == 0)
+		alldone(arg);
+
+	return (result);
+}
+
+/*
+ * Initiates asynchronous loading of zone 'zone'.  'callback' is a
+ * pointer to a function which will be used to inform the caller when
+ * the zone loading is complete.
+ */
+static isc_result_t
+asyncload(dns_zone_t *zone, void *paramsv) {
+	isc_result_t result;
+	struct zt_load_params * params = (struct zt_load_params*) paramsv;
+
+	dns_zt_t *zt = params->zt;
+
+	REQUIRE(zone != NULL);
+	zt = dns_zone_getview(zone)->zonetable;
+	INSIST(VALID_ZT(zt));
+
+	INSIST(zt->references > 0);
+	zt->references++;
+	zt->loads_pending++;
+
+	result = dns_zone_asyncload2(zone, *params->dl, zt, params->newonly);
+	if (result != ISC_R_SUCCESS) {
+		zt->references--;
+		zt->loads_pending--;
+		INSIST(zt->references > 0);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zt_loadnew(dns_zt_t *zt, bool stop) {
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+	result = dns_zt_apply(zt, stop, loadnew, NULL);
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+	return (result);
+}
+
+static isc_result_t
+loadnew(dns_zone_t *zone, void *uap) {
+	isc_result_t result;
+	UNUSED(uap);
+
+	result = dns_zone_loadnew(zone);
+	if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE ||
+	    result == DNS_R_DYNAMIC)
+		result = ISC_R_SUCCESS;
+	return (result);
+}
+
+isc_result_t
+dns_zt_freezezones(dns_zt_t *zt, bool freeze) {
+	isc_result_t result, tresult;
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+	result = dns_zt_apply2(zt, false, &tresult, freezezones, &freeze);
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+	if (tresult == ISC_R_NOTFOUND)
+		tresult = ISC_R_SUCCESS;
+	return ((result == ISC_R_SUCCESS) ? tresult : result);
+}
+
+static isc_result_t
+freezezones(dns_zone_t *zone, void *uap) {
+	bool freeze = *(bool *)uap;
+	bool frozen;
+	isc_result_t result = ISC_R_SUCCESS;
+	char classstr[DNS_RDATACLASS_FORMATSIZE];
+	char zonename[DNS_NAME_FORMATSIZE];
+	dns_zone_t *raw = NULL;
+	dns_view_t *view;
+	const char *vname;
+	const char *sep;
+	int level;
+
+	dns_zone_getraw(zone, &raw);
+	if (raw != NULL)
+		zone = raw;
+	if (dns_zone_gettype(zone) != dns_zone_master) {
+		if (raw != NULL)
+			dns_zone_detach(&raw);
+		return (ISC_R_SUCCESS);
+	}
+	if (!dns_zone_isdynamic(zone, true)) {
+		if (raw != NULL)
+			dns_zone_detach(&raw);
+		return (ISC_R_SUCCESS);
+	}
+
+	frozen = dns_zone_getupdatedisabled(zone);
+	if (freeze) {
+		if (frozen)
+			result = DNS_R_FROZEN;
+		if (result == ISC_R_SUCCESS)
+			result = dns_zone_flush(zone);
+		if (result == ISC_R_SUCCESS)
+			dns_zone_setupdatedisabled(zone, freeze);
+	} else {
+		if (frozen) {
+			result = dns_zone_loadandthaw(zone);
+			if (result == DNS_R_CONTINUE ||
+			    result == DNS_R_UPTODATE)
+				result = ISC_R_SUCCESS;
+		}
+	}
+	view = dns_zone_getview(zone);
+	if (strcmp(view->name, "_bind") == 0 ||
+	    strcmp(view->name, "_default") == 0)
+	{
+		vname = "";
+		sep = "";
+	} else {
+		vname = view->name;
+		sep = " ";
+	}
+	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+			      sizeof(classstr));
+	dns_name_format(dns_zone_getorigin(zone), zonename, sizeof(zonename));
+	level = (result != ISC_R_SUCCESS) ? ISC_LOG_ERROR : ISC_LOG_DEBUG(1);
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+		      level, "%s zone '%s/%s'%s%s: %s",
+		      freeze ? "freezing" : "thawing",
+		      zonename, classstr, sep, vname,
+		      isc_result_totext(result));
+	if (raw != NULL)
+		dns_zone_detach(&raw);
+	return (result);
+}
+
+void
+dns_zt_setviewcommit(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain, zt->mctx);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL,
+						  &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewcommit(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain, zt->mctx);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL,
+						  &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewrevert(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, bool stop,
+	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
+	return (dns_zt_apply2(zt, stop, NULL, action, uap));
+}
+
+isc_result_t
+dns_zt_apply2(dns_zt_t *zt, bool stop, isc_result_t *sub,
+	      isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result, tresult = ISC_R_SUCCESS;
+	dns_zone_t *zone;
+
+	REQUIRE(VALID_ZT(zt));
+	REQUIRE(action != NULL);
+
+	dns_rbtnodechain_init(&chain, zt->mctx);
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * The tree is empty.
+		 */
+		tresult = result;
+		result = ISC_R_NOMORE;
+	}
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL,
+						  &node);
+		if (result == ISC_R_SUCCESS) {
+			zone = node->data;
+			if (zone != NULL)
+				result = (action)(zone, uap);
+			if (result != ISC_R_SUCCESS && stop) {
+				tresult = result;
+				goto cleanup;	/* don't break */
+			} else if (result != ISC_R_SUCCESS &&
+				   tresult == ISC_R_SUCCESS)
+				tresult = result;
+		}
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup:
+	dns_rbtnodechain_invalidate(&chain);
+	if (sub != NULL)
+		*sub = tresult;
+
+	return (result);
+}
+
+/*
+ * Decrement the loads_pending counter; when counter reaches
+ * zero, call the loaddone callback that was initially set by
+ * dns_zt_asyncload().
+ */
+static isc_result_t
+doneloading(dns_zt_t *zt, dns_zone_t *zone, isc_task_t *task) {
+	bool destroy = false;
+	dns_zt_allloaded_t alldone = NULL;
+	void *arg = NULL;
+
+	UNUSED(zone);
+	UNUSED(task);
+
+	REQUIRE(VALID_ZT(zt));
+
+	RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+	INSIST(zt->loads_pending != 0);
+	INSIST(zt->references != 0);
+	zt->references--;
+	if (zt->references == 0)
+		destroy = true;
+	zt->loads_pending--;
+	if (zt->loads_pending == 0) {
+		alldone = zt->loaddone;
+		arg = zt->loaddone_arg;
+		zt->loaddone = NULL;
+		zt->loaddone_arg = NULL;
+	}
+	RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+	if (alldone != NULL)
+		alldone(arg);
+
+	if (destroy)
+		zt_destroy(zt);
+
+	return (ISC_R_SUCCESS);
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+	dns_zone_t *zone = data;
+
+	UNUSED(arg);
+	dns_zone_detach(&zone);
+}
diff --git a/lib/irs/Atffile b/lib/irs/Atffile
new file mode 100644
index 0000000..1edb838
--- /dev/null
+++ b/lib/irs/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: tests
diff --git a/lib/irs/Kyuafile b/lib/irs/Kyuafile
new file mode 100644
index 0000000..0739e3a
--- /dev/null
+++ b/lib/irs/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/irs/Makefile.in b/lib/irs/Makefile.in
new file mode 100644
index 0000000..fc11447
--- /dev/null
+++ b/lib/irs/Makefile.in
@@ -0,0 +1,80 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBIRS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -I./include -I${srcdir}/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
+
+CDEFINES =	@CRYPTO@
+CWARNINGS =
+
+# Alphabetically
+OBJS =		context.@O@ \
+		dnsconf.@O@ \
+		gai_strerror.@O@ getaddrinfo.@O@ getnameinfo.@O@ \
+		resconf.@O@
+
+# Alphabetically
+SRCS =		context.c \
+		dnsconf.c \
+		gai_strerror.c getaddrinfo.c getnameinfo.c \
+		resconf.c
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+TESTDIRS =	@UNITTESTS@
+TARGETS =	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libirs.@SA@: ${OBJS} version.@O@
+	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+	${RANLIB} $@
+
+libirs.la: ${OBJS} version.@O@
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} version.@O@ ${LIBS}
+
+timestamp: libirs.@A@
+	touch timestamp
+
+testdirs: libirs.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libirs.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libirs.@A@
+
+clean distclean::
+	rm -f libirs.@A@ libirs.la timestamp
diff --git a/lib/irs/api b/lib/irs/api
new file mode 100644
index 0000000..79bb9eb
--- /dev/null
+++ b/lib/irs/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 161
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/irs/context.c b/lib/irs/context.c
new file mode 100644
index 0000000..b644693
--- /dev/null
+++ b/lib/irs/context.c
@@ -0,0 +1,392 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/lib.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/lib.h>
+
+#include <irs/context.h>
+#include <irs/dnsconf.h>
+#include <irs/resconf.h>
+
+#define IRS_CONTEXT_MAGIC		ISC_MAGIC('I', 'R', 'S', 'c')
+#define IRS_CONTEXT_VALID(c)		ISC_MAGIC_VALID(c, IRS_CONTEXT_MAGIC)
+
+#ifndef RESOLV_CONF
+/*% location of resolve.conf */
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+
+#ifndef DNS_CONF
+/*% location of dns.conf */
+#define DNS_CONF "/etc/dns.conf"
+#endif
+
+#ifndef ISC_PLATFORM_USETHREADS
+irs_context_t *irs_g_context = NULL;
+#else
+static bool thread_key_initialized = false;
+static isc_mutex_t thread_key_mutex;
+static isc_thread_key_t irs_context_key;
+static isc_once_t once = ISC_ONCE_INIT;
+#endif
+
+
+struct irs_context {
+	/*
+	 * An IRS context is a thread-specific object, and does not need to
+	 * be locked.
+	 */
+	unsigned int			magic;
+	isc_mem_t			*mctx;
+	isc_appctx_t			*actx;
+	isc_taskmgr_t			*taskmgr;
+	isc_task_t			*task;
+	isc_socketmgr_t			*socketmgr;
+	isc_timermgr_t			*timermgr;
+	dns_client_t			*dnsclient;
+	irs_resconf_t			*resconf;
+	irs_dnsconf_t			*dnsconf;
+};
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static void
+free_specific_context(void *arg) {
+	irs_context_t *context = arg;
+
+	irs_context_destroy(&context);
+
+	isc_thread_key_setspecific(irs_context_key, NULL);
+}
+
+static void
+thread_key_mutex_init(void) {
+	RUNTIME_CHECK(isc_mutex_init(&thread_key_mutex) == ISC_R_SUCCESS);
+}
+
+static isc_result_t
+thread_key_init(void) {
+	isc_result_t result;
+
+	result = isc_once_do(&once, thread_key_mutex_init);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (!thread_key_initialized) {
+		LOCK(&thread_key_mutex);
+
+		if (!thread_key_initialized &&
+		    isc_thread_key_create(&irs_context_key,
+					  free_specific_context) != 0) {
+			result = ISC_R_FAILURE;
+		} else
+			thread_key_initialized = true;
+
+		UNLOCK(&thread_key_mutex);
+	}
+
+	return (result);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp) {
+	irs_context_t *context;
+	isc_result_t result;
+
+	REQUIRE(contextp != NULL && *contextp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+	if (irs_g_context == NULL) {
+		result = irs_context_create(&irs_g_context);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	context = irs_g_context;
+#else
+	result = thread_key_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	context = isc_thread_key_getspecific(irs_context_key);
+	if (context == NULL) {
+		result = irs_context_create(&context);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		result = isc_thread_key_setspecific(irs_context_key, context);
+		if (result != ISC_R_SUCCESS) {
+			irs_context_destroy(&context);
+			return (result);
+		}
+	}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	*contextp = context;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+irs_context_create(irs_context_t **contextp) {
+	isc_result_t result;
+	irs_context_t *context;
+	isc_appctx_t *actx = NULL;
+	isc_mem_t *mctx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	dns_client_t *client = NULL;
+	isc_sockaddrlist_t *nameservers;
+	irs_dnsconf_dnskeylist_t *trustedkeys;
+	irs_dnsconf_dnskey_t *trustedkey;
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS) {
+		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+		return (result);
+	}
+
+	context = isc_mem_get(mctx, sizeof(*context));
+	if (context == NULL) {
+		ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+		return (ISC_R_NOMEMORY);
+	}
+
+	context->mctx = mctx;
+	context->actx = actx;
+	context->taskmgr = taskmgr;
+	context->socketmgr = socketmgr;
+	context->timermgr = timermgr;
+	context->resconf = NULL;
+	context->dnsconf = NULL;
+	context->task = NULL;
+	result = isc_task_create(taskmgr, 0, &context->task);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/* Create a DNS client object */
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
+				    0, &client);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	context->dnsclient = client;
+
+	/* Read resolver configuration file */
+	result = irs_resconf_load(mctx, RESOLV_CONF, &context->resconf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	/* Set nameservers */
+	nameservers = irs_resconf_getnameservers(context->resconf);
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       nameservers);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	/* Read advanced DNS configuration (if any) */
+	result = irs_dnsconf_load(mctx, DNS_CONF, &context->dnsconf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+	trustedkeys = irs_dnsconf_gettrustedkeys(context->dnsconf);
+	for (trustedkey = ISC_LIST_HEAD(*trustedkeys);
+	     trustedkey != NULL;
+	     trustedkey = ISC_LIST_NEXT(trustedkey, link)) {
+		result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+						  trustedkey->keyname,
+						  trustedkey->keydatabuf);
+		if (result != ISC_R_SUCCESS)
+			goto fail;
+	}
+
+	context->magic = IRS_CONTEXT_MAGIC;
+	*contextp = context;
+
+	return (ISC_R_SUCCESS);
+
+  fail:
+	if (context->task != NULL)
+		isc_task_detach(&context->task);
+	if (context->resconf != NULL)
+		irs_resconf_destroy(&context->resconf);
+	if (context->dnsconf != NULL)
+		irs_dnsconf_destroy(&context->dnsconf);
+	if (client != NULL)
+		dns_client_destroy(&client);
+	ctxs_destroy(NULL, &actx, &taskmgr, &socketmgr, &timermgr);
+	isc_mem_putanddetach(&mctx, context, sizeof(*context));
+
+	return (result);
+}
+
+void
+irs_context_destroy(irs_context_t **contextp) {
+	irs_context_t *context;
+
+	REQUIRE(contextp != NULL);
+	context = *contextp;
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	isc_task_detach(&context->task);
+	irs_dnsconf_destroy(&context->dnsconf);
+	irs_resconf_destroy(&context->resconf);
+	dns_client_destroy(&context->dnsclient);
+
+	ctxs_destroy(NULL, &context->actx, &context->taskmgr,
+		     &context->socketmgr, &context->timermgr);
+
+	context->magic = 0;
+
+	isc_mem_putanddetach(&context->mctx, context, sizeof(*context));
+
+	*contextp = NULL;
+
+#ifndef ISC_PLATFORM_USETHREADS
+	irs_g_context = NULL;
+#else
+	(void)isc_thread_key_setspecific(irs_context_key, NULL);
+#endif
+}
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->mctx);
+}
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->actx);
+}
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->taskmgr);
+}
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->timermgr);
+}
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->task);
+}
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsclient);
+}
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->resconf);
+}
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context) {
+	REQUIRE(IRS_CONTEXT_VALID(context));
+
+	return (context->dnsconf);
+}
diff --git a/lib/irs/dnsconf.c b/lib/irs/dnsconf.c
new file mode 100644
index 0000000..ee89af0
--- /dev/null
+++ b/lib/irs/dnsconf.c
@@ -0,0 +1,263 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <isccfg/dnsconf.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+
+#include <irs/dnsconf.h>
+
+#define IRS_DNSCONF_MAGIC		ISC_MAGIC('D', 'c', 'f', 'g')
+#define IRS_DNSCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_DNSCONF_MAGIC)
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_dnsconf {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	irs_dnsconf_dnskeylist_t trusted_keylist;
+};
+
+static isc_result_t
+configure_dnsseckeys(irs_dnsconf_t *conf, cfg_obj_t *cfgobj,
+		     dns_rdataclass_t rdclass)
+{
+	isc_mem_t *mctx = conf->mctx;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key, *keylist;
+	dns_fixedname_t fkeyname;
+	dns_name_t *keyname_base, *keyname;
+	const cfg_listelt_t *element, *element2;
+	isc_result_t result;
+	uint32_t flags, proto, alg;
+	const char *keystr, *keynamestr;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf_base, *keydatabuf;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_region_t r;
+	isc_buffer_t namebuf;
+	irs_dnsconf_dnskey_t *keyent;
+
+	cfg_map_get(cfgobj, "trusted-keys", &keys);
+	if (keys == NULL)
+		return (ISC_R_SUCCESS);
+
+	for (element = cfg_list_first(keys);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+		keylist = cfg_listelt_value(element);
+		for (element2 = cfg_list_first(keylist);
+		     element2 != NULL;
+		     element2 = cfg_list_next(element2))
+		{
+			keydatabuf = NULL;
+			keyname = NULL;
+
+			key = cfg_listelt_value(element2);
+
+			flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+			proto = cfg_obj_asuint32(cfg_tuple_get(key,
+							       "protocol"));
+			alg = cfg_obj_asuint32(cfg_tuple_get(key,
+							     "algorithm"));
+			keynamestr = cfg_obj_asstring(cfg_tuple_get(key,
+								    "name"));
+
+			keystruct.common.rdclass = rdclass;
+			keystruct.common.rdtype = dns_rdatatype_dnskey;
+			keystruct.mctx = NULL;
+			ISC_LINK_INIT(&keystruct.common, link);
+
+			if (flags > 0xffff)
+				return (ISC_R_RANGE);
+			if (proto > 0xff)
+				return (ISC_R_RANGE);
+			if (alg > 0xff)
+				return (ISC_R_RANGE);
+			keystruct.flags = (uint16_t)flags;
+			keystruct.protocol = (uint8_t)proto;
+			keystruct.algorithm = (uint8_t)alg;
+
+			isc_buffer_init(&keydatabuf_base, keydata,
+					sizeof(keydata));
+			isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+			/* Configure key value */
+			keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+			result = isc_base64_decodestring(keystr,
+							 &keydatabuf_base);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_usedregion(&keydatabuf_base, &r);
+			keystruct.datalen = r.length;
+			keystruct.data = r.base;
+
+			result = dns_rdata_fromstruct(NULL,
+						      keystruct.common.rdclass,
+						      keystruct.common.rdtype,
+						      &keystruct, &rrdatabuf);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			isc_buffer_usedregion(&rrdatabuf, &r);
+			result = isc_buffer_allocate(mctx, &keydatabuf,
+						     r.length);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			result = isc_buffer_copyregion(keydatabuf, &r);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			/* Configure key name */
+			keyname_base = dns_fixedname_initname(&fkeyname);
+			isc_buffer_constinit(&namebuf, keynamestr,
+					     strlen(keynamestr));
+			isc_buffer_add(&namebuf, strlen(keynamestr));
+			result = dns_name_fromtext(keyname_base, &namebuf,
+						   dns_rootname, 0, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			keyname = isc_mem_get(mctx, sizeof(*keyname));
+			if (keyname == NULL) {
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			dns_name_init(keyname, NULL);
+			result = dns_name_dup(keyname_base, mctx, keyname);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			/* Add the key data to the list */
+			keyent = isc_mem_get(mctx, sizeof(*keyent));
+			if (keyent == NULL) {
+				dns_name_free(keyname, mctx);
+				result = ISC_R_NOMEMORY;
+				goto cleanup;
+			}
+			keyent->keyname = keyname;
+			keyent->keydatabuf = keydatabuf;
+
+			ISC_LIST_APPEND(conf->trusted_keylist, keyent, link);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (keydatabuf != NULL)
+		isc_buffer_free(&keydatabuf);
+	if (keyname != NULL)
+		isc_mem_put(mctx, keyname, sizeof(*keyname));
+
+	return (result);
+}
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp)
+{
+	irs_dnsconf_t *conf;
+	cfg_parser_t *parser = NULL;
+	cfg_obj_t *cfgobj = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+	if (conf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->trusted_keylist);
+
+	/*
+	 * If the specified file does not exist, we'll simply with an empty
+	 * configuration.
+	 */
+	if (!isc_file_exists(filename))
+		goto cleanup;
+
+	result = cfg_parser_create(mctx, NULL, &parser);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = cfg_parse_file(parser, filename, &cfg_type_dnsconf,
+				&cfgobj);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = configure_dnsseckeys(conf, cfgobj, dns_rdataclass_in);
+
+ cleanup:
+	if (parser != NULL) {
+		if (cfgobj != NULL)
+			cfg_obj_destroy(parser, &cfgobj);
+		cfg_parser_destroy(&parser);
+	}
+
+	conf->magic = IRS_DNSCONF_MAGIC;
+
+	if (result == ISC_R_SUCCESS)
+		*confp = conf;
+	else
+		irs_dnsconf_destroy(&conf);
+
+	return (result);
+}
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp) {
+	irs_dnsconf_t *conf;
+	irs_dnsconf_dnskey_t *keyent;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	while ((keyent = ISC_LIST_HEAD(conf->trusted_keylist)) != NULL) {
+		ISC_LIST_UNLINK(conf->trusted_keylist, keyent, link);
+
+		isc_buffer_free(&keyent->keydatabuf);
+		dns_name_free(keyent->keyname, conf->mctx);
+		isc_mem_put(conf->mctx, keyent->keyname, sizeof(dns_name_t));
+		isc_mem_put(conf->mctx, keyent, sizeof(*keyent));
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+	*confp = NULL;
+}
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf) {
+	REQUIRE(IRS_DNSCONF_VALID(conf));
+
+	return (&conf->trusted_keylist);
+}
diff --git a/lib/irs/gai_strerror.c b/lib/irs/gai_strerror.c
new file mode 100644
index 0000000..76a561e
--- /dev/null
+++ b/lib/irs/gai_strerror.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file gai_strerror.c
+ * gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo() and getnameinfo(). The following error
+ * codes and their meaning are defined in
+ * \link netdb.h include/irs/netdb.h.\endlink
+ * This implementation is almost an exact copy of lwres/gai_sterror.c except
+ * that it catches up the latest API standard, RFC3493.
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname (obsoleted in RFC3493)
+ * \li #EAI_NONAME hostname nor servname provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ * \li #EAI_BADHINTS Invalid value for hints (non-standard)
+ * \li #EAI_PROTOCOL Resolved protocol is unknown (non-standard)
+ * \li #EAI_OVERFLOW Argument buffer overflow
+ * \li #EAI_INSECUREDATA Insecure Data (experimental)
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror(), getaddrinfo(), getnameinfo(), RFC3493.
+ */
+#include <config.h>
+
+#include <isc/net.h>
+
+#include <irs/netdb.h>
+
+/*% Text of error messages. */
+static const char *gai_messages[] = {
+	"no error",
+	"address family for hostname not supported",
+	"temporary failure in name resolution",
+	"invalid value for ai_flags",
+	"non-recoverable failure in name resolution",
+	"ai_family not supported",
+	"memory allocation failure",
+	"no address associated with hostname",
+	"hostname nor servname provided, or not known",
+	"servname not supported for ai_socktype",
+	"ai_socktype not supported",
+	"system error returned in errno",
+	"bad hints",
+	"bad protocol",
+	"argument buffer overflow",
+	"insecure data provided"
+};
+
+/*%
+ * Returns an error message corresponding to an error code returned by
+ * getaddrinfo() and getnameinfo()
+ */
+IRS_GAISTRERROR_RETURN_T
+gai_strerror(int ecode) {
+	union {
+		const char *const_ptr;
+		char *deconst_ptr;
+	} ptr;
+
+	if ((ecode < 0) ||
+	    (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
+		ptr.const_ptr = "invalid error code";
+	else
+		ptr.const_ptr = gai_messages[ecode];
+	return (ptr.deconst_ptr);
+}
diff --git a/lib/irs/getaddrinfo.c b/lib/irs/getaddrinfo.c
new file mode 100644
index 0000000..33a7fb5
--- /dev/null
+++ b/lib/irs/getaddrinfo.c
@@ -0,0 +1,1311 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: getaddrinfo.c,v 1.3 2009/09/02 23:48:02 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    getaddrinfo() is used to get a list of IP addresses and port
+ *    numbers for host hostname and service servname as defined in RFC3493.
+ *    hostname and servname are pointers to null-terminated strings
+ *    or NULL. hostname is either a host name or a numeric host address
+ *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ *    either a decimal port number or a service name as listed in
+ *    /etc/services.
+ *
+ *    If the operating system does not provide a struct addrinfo, the
+ *    following structure is used:
+ *
+ * \code
+ * struct  addrinfo {
+ *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
+ *         int             ai_family;      // PF_xxx
+ *         int             ai_socktype;    // SOCK_xxx
+ *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
+ *         size_t          ai_addrlen;     // length of ai_addr
+ *         char            *ai_canonname;  // canonical name for hostname
+ *         struct sockaddr *ai_addr;       // binary address
+ *         struct addrinfo *ai_next;       // next structure in linked list
+ * };
+ * \endcode
+ *
+ *
+ *    hints is an optional pointer to a struct addrinfo. This structure can
+ *    be used to provide hints concerning the type of socket that the caller
+ *    supports or wishes to use. The caller can supply the following
+ *    structure elements in *hints:
+ *
+ * <ul>
+ *    <li>ai_family:
+ *           The protocol family that should be used. When ai_family is set
+ *           to PF_UNSPEC, it means the caller will accept any protocol
+ *           family supported by the operating system.</li>
+ *
+ *    <li>ai_socktype:
+ *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ *           will accept any socket type.</li>
+ *
+ *    <li>ai_protocol:
+ *           indicates which transport protocol is wanted: IPPROTO_UDP or
+ *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ *           protocol.</li>
+ *
+ *    <li>ai_flags:
+ *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ *           getaddrinfo() will return a null-terminated string
+ *           containing the canonical name of the specified hostname in
+ *           ai_canonname of the first addrinfo structure returned. Setting
+ *           the AI_PASSIVE bit indicates that the returned socket address
+ *           structure is intended for used in a call to bind(2). In this
+ *           case, if the hostname argument is a NULL pointer, then the IP
+ *           address portion of the socket address structure will be set to
+ *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ *           address.<br /><br />
+ *
+ *           When ai_flags does not set the AI_PASSIVE bit, the returned
+ *           socket address structure will be ready for use in a call to
+ *           connect(2) for a connection-oriented protocol or connect(2),
+ *           sendto(2), or sendmsg(2) if a connectionless protocol was
+ *           chosen. The IP address portion of the socket address structure
+ *           will be set to the loopback address if hostname is a NULL
+ *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
+ *
+ *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ *           should be treated as a numeric string defining an IPv4 or IPv6
+ *           address and no name resolution should be attempted.
+ * </li></ul>
+ *
+ *    All other elements of the struct addrinfo passed via hints must be
+ *    zero.
+ *
+ *    A hints of NULL is treated as if the caller provided a struct addrinfo
+ *    initialized to zero with ai_familyset to PF_UNSPEC.
+ *
+ *    After a successful call to getaddrinfo(), *res is a pointer to a
+ *    linked list of one or more addrinfo structures. Each struct addrinfo
+ *    in this list cn be processed by following the ai_next pointer, until a
+ *    NULL pointer is encountered. The three members ai_family, ai_socktype,
+ *    and ai_protocol in each returned addrinfo structure contain the
+ *    corresponding arguments for a call to socket(2). For each addrinfo
+ *    structure in the list, the ai_addr member points to a filled-in socket
+ *    address structure of length ai_addrlen.
+ *
+ *    All of the information returned by getaddrinfo() is dynamically
+ *    allocated: the addrinfo structures, and the socket address structures
+ *    and canonical host name strings pointed to by the addrinfostructures.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to getaddrinfo() is released by freeaddrinfo().
+ *    ai is a pointer to a struct addrinfo created by a call to getaddrinfo().
+ *
+ * \section irsreturn RETURN VALUES
+ *
+ *    getaddrinfo() returns zero on success or one of the error codes
+ *    listed in gai_strerror() if an error occurs. If both hostname and
+ *    servname are NULL getaddrinfo() returns #EAI_NONAME.
+ *
+ * \section irssee SEE ALSO
+ *
+ *    getaddrinfo(), freeaddrinfo(),
+ *    gai_strerror(), RFC3493, getservbyname(3), connect(2),
+ *    sendto(2), sendmsg(2), socket(2).
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/mutex.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+#include <irs/resconf.h>
+
+#define SA(addr)	((struct sockaddr *)(addr))
+#define SIN(addr)	((struct sockaddr_in *)(addr))
+#define SIN6(addr)	((struct sockaddr_in6 *)(addr))
+#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
+
+/*! \struct addrinfo
+ */
+static struct addrinfo
+	*ai_concat(struct addrinfo *ai1, struct addrinfo *ai2),
+	*ai_reverse(struct addrinfo *oai),
+	*ai_clone(struct addrinfo *oai, int family),
+	*ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int get_local(const char *name, int socktype, struct addrinfo **res);
+#endif
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+	     struct addrinfo **aip, int socktype, int port);
+
+static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+		    int socktype, int port);
+static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+		    int socktype, int port);
+static void set_order(int, int (**)(const char *, int, struct addrinfo **,
+				    int, int));
+static void _freeaddrinfo(struct addrinfo *ai);
+
+#define FOUND_IPV4	0x1
+#define FOUND_IPV6	0x2
+#define FOUND_MAX	2
+
+#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
+/*%
+ * Get a list of IP addresses and port numbers for host hostname and
+ * service servname.
+ */
+int
+getaddrinfo(const char *hostname, const char *servname,
+	    const struct addrinfo *hints, struct addrinfo **res)
+{
+	struct servent *sp;
+	const char *proto;
+	int family, socktype, flags, protocol;
+	struct addrinfo *ai, *ai_list;
+	int err = 0;
+	int port, i;
+	int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
+				      int, int);
+
+	if (hostname == NULL && servname == NULL)
+		return (EAI_NONAME);
+
+	proto = NULL;
+	if (hints != NULL) {
+		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
+			return (EAI_BADFLAGS);
+		if (hints->ai_addrlen || hints->ai_canonname ||
+		    hints->ai_addr || hints->ai_next) {
+			errno = EINVAL;
+			return (EAI_SYSTEM);
+		}
+		family = hints->ai_family;
+		socktype = hints->ai_socktype;
+		protocol = hints->ai_protocol;
+		flags = hints->ai_flags;
+		switch (family) {
+		case AF_UNSPEC:
+			switch (hints->ai_socktype) {
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			}
+			break;
+		case AF_INET:
+		case AF_INET6:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			case SOCK_RAW:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#ifdef	AF_LOCAL
+		case AF_LOCAL:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				break;
+			case SOCK_DGRAM:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#endif
+		default:
+			return (EAI_FAMILY);
+		}
+	} else {
+		protocol = 0;
+		family = 0;
+		socktype = 0;
+		flags = 0;
+	}
+
+#ifdef	AF_LOCAL
+	/*!
+	 * First, deal with AF_LOCAL.  If the family was not set,
+	 * then assume AF_LOCAL if the first character of the
+	 * hostname/servname is '/'.
+	 */
+
+	if (hostname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+		return (get_local(hostname, socktype, res));
+
+	if (servname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
+		return (get_local(servname, socktype, res));
+#endif
+
+	/*
+	 * Ok, only AF_INET and AF_INET6 left.
+	 */
+	ai_list = NULL;
+
+	/*
+	 * First, look up the service name (port) if it was
+	 * requested.  If the socket type wasn't specified, then
+	 * try and figure it out.
+	 */
+	if (servname != NULL) {
+		char *e;
+
+		port = strtol(servname, &e, 10);
+		if (*e == '\0') {
+			if (socktype == 0)
+				return (EAI_SOCKTYPE);
+			if (port < 0 || port > 65535)
+				return (EAI_SERVICE);
+			port = htons((unsigned short) port);
+		} else {
+			sp = getservbyname(servname, proto);
+			if (sp == NULL)
+				return (EAI_SERVICE);
+			port = sp->s_port;
+			if (socktype == 0) {
+				if (strcmp(sp->s_proto, "tcp") == 0)
+					socktype = SOCK_STREAM;
+				else if (strcmp(sp->s_proto, "udp") == 0)
+					socktype = SOCK_DGRAM;
+			}
+		}
+	} else
+		port = 0;
+
+	/*
+	 * Next, deal with just a service name, and no hostname.
+	 * (we verified that one of them was non-null up above).
+	 */
+	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+		if (family == AF_INET || family == 0) {
+			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN(ai->ai_addr)->sin_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		if (family == AF_INET6 || family == 0) {
+			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+			if (ai == NULL) {
+				_freeaddrinfo(ai_list);
+				return (EAI_MEMORY);
+			}
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN6(ai->ai_addr)->sin6_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		*res = ai_list;
+		return (0);
+	}
+
+	/*
+	 * If the family isn't specified or AI_NUMERICHOST specified, check
+	 * first to see if it is a numeric address.
+	 * Though the gethostbyname2() routine will recognize numeric addresses,
+	 * it will only recognize the format that it is being called for.  Thus,
+	 * a numeric AF_INET address will be treated by the AF_INET6 call as
+	 * a domain name, and vice versa.  Checking for both numerics here
+	 * avoids that.
+	 */
+	if (hostname != NULL &&
+	    (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
+		char abuf[sizeof(struct in6_addr)];
+		char nbuf[NI_MAXHOST];
+		int addrsize, addroff;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		char *p, *ep;
+		char ntmp[NI_MAXHOST];
+		uint32_t scopeid;
+#endif
+
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		/*
+		 * Scope identifier portion.
+		 */
+		ntmp[0] = '\0';
+		if (strchr(hostname, '%') != NULL) {
+			strlcpy(ntmp, hostname, sizeof(ntmp));
+			p = strchr(ntmp, '%');
+			ep = NULL;
+
+			/*
+			 * Vendors may want to support non-numeric
+			 * scopeid around here.
+			 */
+
+			if (p != NULL)
+				scopeid = (uint32_t)strtoul(p + 1,
+								&ep, 10);
+			if (p != NULL && ep != NULL && ep[0] == '\0')
+				*p = '\0';
+			else {
+				ntmp[0] = '\0';
+				scopeid = 0;
+			}
+		} else
+			scopeid = 0;
+#endif
+
+		if (inet_pton(AF_INET, hostname, (struct in_addr *)abuf)
+		    == 1) {
+			if (family == AF_INET6) {
+				/*
+				 * Convert to a V4 mapped address.
+				 */
+				struct in6_addr *a6 = (struct in6_addr *)abuf;
+				memmove(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+				memset(&a6->s6_addr[10], 0xff, 2);
+				memset(&a6->s6_addr[0], 0, 10);
+				goto inet6_addr;
+			}
+			addrsize = sizeof(struct in_addr);
+			addroff = offsetof(struct sockaddr_in, sin_addr);
+			family = AF_INET;
+			goto common;
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+		} else if (ntmp[0] != '\0' &&
+			   inet_pton(AF_INET6, ntmp, abuf) == 1) {
+			if (family && family != AF_INET6)
+				return (EAI_NONAME);
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+			goto common;
+#endif
+		} else if (inet_pton(AF_INET6, hostname, abuf) == 1) {
+			if (family != 0 && family != AF_INET6)
+				return (EAI_NONAME);
+		inet6_addr:
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+
+		common:
+			ai = ai_alloc(family,
+				      ((family == AF_INET6) ?
+				       sizeof(struct sockaddr_in6) :
+				       sizeof(struct sockaddr_in)));
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai_list = ai;
+			ai->ai_socktype = socktype;
+			SIN(ai->ai_addr)->sin_port = port;
+			memmove((char *)ai->ai_addr + addroff, abuf, addrsize);
+			if ((flags & AI_CANONNAME) != 0) {
+#ifdef IRS_HAVE_SIN6_SCOPE_ID
+				if (ai->ai_family == AF_INET6)
+					SIN6(ai->ai_addr)->sin6_scope_id =
+						scopeid;
+#endif
+				if (getnameinfo(ai->ai_addr,
+						(socklen_t)ai->ai_addrlen,
+						nbuf, sizeof(nbuf), NULL, 0,
+						NI_NUMERICHOST) == 0) {
+					ai->ai_canonname = strdup(nbuf);
+					if (ai->ai_canonname == NULL) {
+						_freeaddrinfo(ai);
+						return (EAI_MEMORY);
+					}
+				} else {
+					/* XXX raise error? */
+					ai->ai_canonname = NULL;
+				}
+			}
+			goto done;
+		} else if ((flags & AI_NUMERICHOST) != 0) {
+			return (EAI_NONAME);
+		}
+	}
+
+	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+		set_order(family, net_order);
+		for (i = 0; i < FOUND_MAX; i++) {
+			if (net_order[i] == NULL)
+				break;
+			err = (net_order[i])(hostname, flags, &ai_list,
+					     socktype, port);
+			if (err != 0) {
+				if (ai_list != NULL) {
+					_freeaddrinfo(ai_list);
+					ai_list = NULL;
+				}
+				break;
+			}
+		}
+	} else
+		err = resolve_name(family, hostname, flags, &ai_list,
+				   socktype, port);
+
+	if (ai_list == NULL) {
+		if (err == 0)
+			err = EAI_NONAME;
+		return (err);
+	}
+
+done:
+	ai_list = ai_reverse(ai_list);
+
+	*res = ai_list;
+	return (0);
+}
+
+typedef struct gai_restrans {
+	dns_clientrestrans_t	*xid;
+	bool		is_inprogress;
+	int			error;
+	struct addrinfo		ai_sentinel;
+	struct gai_resstate	*resstate;
+} gai_restrans_t;
+
+typedef struct gai_resstate {
+	isc_mem_t			*mctx;
+	struct gai_statehead		*head;
+	dns_fixedname_t			fixedname;
+	dns_name_t			*qname;
+	gai_restrans_t			*trans4;
+	gai_restrans_t			*trans6;
+	ISC_LINK(struct gai_resstate)	link;
+} gai_resstate_t;
+
+typedef struct gai_statehead {
+	int				ai_family;
+	int				ai_flags;
+	int				ai_socktype;
+	int				ai_port;
+	isc_appctx_t			*actx;
+	dns_client_t			*dnsclient;
+	isc_mutex_t			list_lock;
+	ISC_LIST(struct gai_resstate)	resstates;
+	unsigned int			activestates;
+} gai_statehead_t;
+
+static isc_result_t
+make_resstate(isc_mem_t *mctx, gai_statehead_t *head, const char *hostname,
+	      const char *domain, gai_resstate_t **statep)
+{
+	isc_result_t result;
+	gai_resstate_t *state;
+	dns_fixedname_t fixeddomain;
+	dns_name_t *qdomain;
+	unsigned int namelen;
+	isc_buffer_t b;
+	bool need_v4 = false;
+	bool need_v6 = false;
+
+	state = isc_mem_get(mctx, sizeof(*state));
+	if (state == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* Construct base domain name */
+	namelen = strlen(domain);
+	isc_buffer_constinit(&b, domain, namelen);
+	isc_buffer_add(&b, namelen);
+	qdomain = dns_fixedname_initname(&fixeddomain);
+	result = dns_name_fromtext(qdomain, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	/* Construct query name */
+	namelen = strlen(hostname);
+	isc_buffer_constinit(&b, hostname, namelen);
+	isc_buffer_add(&b, namelen);
+	state->qname = dns_fixedname_initname(&state->fixedname);
+	result = dns_name_fromtext(state->qname, &b, qdomain, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, state, sizeof(*state));
+		return (result);
+	}
+
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET)
+		need_v4 = true;
+	if (head->ai_family == AF_UNSPEC || head->ai_family == AF_INET6)
+		need_v6 = true;
+
+	state->trans6 = NULL;
+	state->trans4 = NULL;
+	if (need_v4) {
+		state->trans4 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		if (state->trans4 == NULL) {
+			isc_mem_put(mctx, state, sizeof(*state));
+			return (ISC_R_NOMEMORY);
+		}
+		state->trans4->error = 0;
+		state->trans4->xid = NULL;
+		state->trans4->resstate = state;
+		state->trans4->is_inprogress = true;
+		state->trans4->ai_sentinel.ai_next = NULL;
+	}
+	if (need_v6) {
+		state->trans6 = isc_mem_get(mctx, sizeof(gai_restrans_t));
+		if (state->trans6 == NULL) {
+			if (state->trans4 != NULL)
+				isc_mem_put(mctx, state->trans4,
+					    sizeof(*state->trans4));
+			isc_mem_put(mctx, state, sizeof(*state));
+			return (ISC_R_NOMEMORY);
+		}
+		state->trans6->error = 0;
+		state->trans6->xid = NULL;
+		state->trans6->resstate = state;
+		state->trans6->is_inprogress = true;
+		state->trans6->ai_sentinel.ai_next = NULL;
+	}
+
+	state->mctx = mctx;
+	state->head = head;
+	ISC_LINK_INIT(state, link);
+
+	*statep = state;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+make_resstates(isc_mem_t *mctx, const char *hostname, gai_statehead_t *head,
+	       irs_resconf_t *resconf)
+{
+	isc_result_t result;
+	irs_resconf_searchlist_t *searchlist;
+	irs_resconf_search_t *searchent;
+	gai_resstate_t *resstate, *resstate0;
+
+	resstate0 = NULL;
+	result = make_resstate(mctx, head, hostname, ".", &resstate0);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	searchlist = irs_resconf_getsearchlist(resconf);
+	for (searchent = ISC_LIST_HEAD(*searchlist); searchent != NULL;
+	     searchent = ISC_LIST_NEXT(searchent, link)) {
+		resstate = NULL;
+		result = make_resstate(mctx, head, hostname,
+				       (const char *)searchent->domain,
+				       &resstate);
+		if (result != ISC_R_SUCCESS)
+			break;
+
+		ISC_LIST_APPEND(head->resstates, resstate, link);
+		head->activestates++;
+	}
+
+	/*
+	 * Insert the original hostname either at the head or the tail of the
+	 * state list, depending on the number of labels contained in the
+	 * original name and the 'ndots' configuration parameter.
+	 */
+	if (dns_name_countlabels(resstate0->qname) >
+	    irs_resconf_getndots(resconf) + 1) {
+		ISC_LIST_PREPEND(head->resstates, resstate0, link);
+	} else
+		ISC_LIST_APPEND(head->resstates, resstate0, link);
+	head->activestates++;
+
+	if (result != ISC_R_SUCCESS) {
+		while ((resstate = ISC_LIST_HEAD(head->resstates)) != NULL) {
+			ISC_LIST_UNLINK(head->resstates, resstate, link);
+			if (resstate->trans4 != NULL) {
+				isc_mem_put(mctx, resstate->trans4,
+					    sizeof(*resstate->trans4));
+			}
+			if (resstate->trans6 != NULL) {
+				isc_mem_put(mctx, resstate->trans6,
+					    sizeof(*resstate->trans6));
+			}
+
+			isc_mem_put(mctx, resstate, sizeof(*resstate));
+		}
+	}
+
+	return (result);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+	int error = 0, family;
+	gai_restrans_t *trans = event->ev_arg;
+	gai_resstate_t *resstate;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_rdatatype_t qtype;
+	dns_name_t *name;
+	bool wantcname;
+
+	REQUIRE(trans != NULL);
+	resstate = trans->resstate;
+	REQUIRE(resstate != NULL);
+	REQUIRE(task != NULL);
+
+	if (trans == resstate->trans4) {
+		family = AF_INET;
+		qtype = dns_rdatatype_a;
+	} else {
+		INSIST(trans == resstate->trans6);
+		family = AF_INET6;
+		qtype = dns_rdatatype_aaaa;
+	}
+
+	INSIST(trans->is_inprogress);
+	trans->is_inprogress = false;
+
+	switch (rev->result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_NCACHENXDOMAIN: /* treat this as a fatal error? */
+	case DNS_R_NCACHENXRRSET:
+		break;
+	default:
+		switch (rev->vresult) {
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			error = EAI_INSECUREDATA;
+			break;
+		default:
+			error = EAI_FAIL;
+		}
+		goto done;
+	}
+
+	wantcname = (resstate->head->ai_flags & AI_CANONNAME);
+
+	/* Parse the response and construct the addrinfo chain */
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		isc_result_t result;
+		dns_rdataset_t *rdataset;
+		char cname[1024];
+
+		if (wantcname) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, cname, sizeof(cname));
+			result = dns_name_totext(name, true, &b);
+			if (result != ISC_R_SUCCESS) {
+				error = EAI_FAIL;
+				goto done;
+			}
+			isc_buffer_putuint8(&b, '\0');
+		}
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (!dns_rdataset_isassociated(rdataset))
+				continue;
+			if (rdataset->type != qtype)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				struct addrinfo *ai;
+				dns_rdata_t rdata;
+				dns_rdata_in_a_t rdata_a;
+				dns_rdata_in_aaaa_t rdata_aaaa;
+
+				ai = ai_alloc(family,
+					      ((family == AF_INET6) ?
+					       sizeof(struct sockaddr_in6) :
+					       sizeof(struct sockaddr_in)));
+				if (ai == NULL) {
+					error = EAI_MEMORY;
+					goto done;
+				}
+				ai->ai_socktype = resstate->head->ai_socktype;
+				ai->ai_next = trans->ai_sentinel.ai_next;
+				trans->ai_sentinel.ai_next = ai;
+
+				/*
+				 * Set AF-specific parameters
+				 * (IPv4/v6 address/port)
+				 */
+				dns_rdata_init(&rdata);
+				switch (family) {
+				case AF_INET:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(&rdata,
+								    &rdata_a,
+								    NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					SIN(ai->ai_addr)->sin_port =
+						resstate->head->ai_port;
+					memmove(&SIN(ai->ai_addr)->sin_addr,
+						&rdata_a.in_addr, 4);
+					dns_rdata_freestruct(&rdata_a);
+					break;
+				case AF_INET6:
+					dns_rdataset_current(rdataset, &rdata);
+					result = dns_rdata_tostruct(&rdata,
+								    &rdata_aaaa,
+								    NULL);
+					RUNTIME_CHECK(result == ISC_R_SUCCESS);
+					SIN6(ai->ai_addr)->sin6_port =
+						resstate->head->ai_port;
+					memmove(&SIN6(ai->ai_addr)->sin6_addr,
+						&rdata_aaaa.in6_addr, 16);
+					dns_rdata_freestruct(&rdata_aaaa);
+					break;
+				}
+
+				if (wantcname) {
+					ai->ai_canonname = strdup(cname);
+					if (ai->ai_canonname == NULL) {
+						error = EAI_MEMORY;
+						goto done;
+					}
+				}
+			}
+		}
+	}
+
+ done:
+	dns_client_freeresanswer(resstate->head->dnsclient, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->xid);
+
+	isc_event_free(&event);
+
+	/* Make sure that error == 0 iff we have a non-empty list */
+	if (error == 0) {
+		if (trans->ai_sentinel.ai_next == NULL)
+			error = EAI_NONAME;
+	} else {
+		if (trans->ai_sentinel.ai_next != NULL) {
+			_freeaddrinfo(trans->ai_sentinel.ai_next);
+			trans->ai_sentinel.ai_next = NULL;
+		}
+	}
+	trans->error = error;
+
+	/* Check whether we are done */
+	if ((resstate->trans4 == NULL || !resstate->trans4->is_inprogress) &&
+	    (resstate->trans6 == NULL || !resstate->trans6->is_inprogress)) {
+		/*
+		 * We're done for this state.  If there is no other outstanding
+		 * state, we can exit.
+		 */
+		resstate->head->activestates--;
+		if (resstate->head->activestates == 0) {
+			isc_app_ctxsuspend(resstate->head->actx);
+			return;
+		}
+
+		/*
+		 * There are outstanding states, but if we are at the head
+		 * of the state list (i.e., at the highest search priority)
+		 * and have any answer, we can stop now by canceling the
+		 * others.
+		 */
+		LOCK(&resstate->head->list_lock);
+		if (resstate == ISC_LIST_HEAD(resstate->head->resstates)) {
+			if ((resstate->trans4 != NULL &&
+			     resstate->trans4->ai_sentinel.ai_next != NULL) ||
+			    (resstate->trans6 != NULL &&
+			     resstate->trans6->ai_sentinel.ai_next != NULL)) {
+				gai_resstate_t *rest;
+
+				for (rest = ISC_LIST_NEXT(resstate, link);
+				     rest != NULL;
+				     rest = ISC_LIST_NEXT(rest, link)) {
+					if (rest->trans4 != NULL &&
+					    rest->trans4->xid != NULL)
+						dns_client_cancelresolve(
+							rest->trans4->xid);
+					if (rest->trans6 != NULL &&
+					    rest->trans6->xid != NULL)
+						dns_client_cancelresolve(
+							rest->trans6->xid);
+				}
+			} else {
+				/*
+				 * This search fails, so we move to the tail
+				 * of the list so that the next entry will
+				 * have the highest priority.
+				 */
+				ISC_LIST_UNLINK(resstate->head->resstates,
+						resstate, link);
+				ISC_LIST_APPEND(resstate->head->resstates,
+						resstate, link);
+			}
+		}
+		UNLOCK(&resstate->head->list_lock);
+	}
+}
+
+static int
+resolve_name(int family, const char *hostname, int flags,
+	     struct addrinfo **aip, int socktype, int port)
+{
+	isc_result_t result;
+	irs_context_t *irsctx;
+	irs_resconf_t *conf;
+	isc_mem_t *mctx;
+	isc_appctx_t *actx;
+	isc_task_t *task;
+	int terror = 0;
+	int error = 0;
+	dns_client_t *client;
+	gai_resstate_t *resstate;
+	gai_statehead_t head;
+	bool all_fail = true;
+
+	/* get IRS context and the associated parameters */
+	irsctx = NULL;
+	result = irs_context_get(&irsctx);
+	if (result != ISC_R_SUCCESS)
+		return (EAI_FAIL);
+	actx = irs_context_getappctx(irsctx);
+
+	mctx = irs_context_getmctx(irsctx);
+	task = irs_context_gettask(irsctx);
+	conf = irs_context_getresconf(irsctx);
+	client = irs_context_getdnsclient(irsctx);
+
+	/* construct resolution states */
+	head.activestates = 0;
+	head.ai_family = family;
+	head.ai_socktype = socktype;
+	head.ai_flags = flags;
+	head.ai_port = port;
+	head.actx = actx;
+	head.dnsclient = client;
+	result = isc_mutex_init(&head.list_lock);
+	if (result != ISC_R_SUCCESS) {
+		return (EAI_FAIL);
+	}
+
+	ISC_LIST_INIT(head.resstates);
+	result = make_resstates(mctx, hostname, &head, conf);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&head.list_lock);
+		return (EAI_FAIL);
+	}
+
+	LOCK(&head.list_lock);
+	for (resstate = ISC_LIST_HEAD(head.resstates);
+	     resstate != NULL; resstate = ISC_LIST_NEXT(resstate, link)) {
+		if (resstate->trans4 != NULL) {
+			result = dns_client_startresolve(client,
+							 resstate->qname,
+							 dns_rdataclass_in,
+							 dns_rdatatype_a,
+							 0, task,
+							 process_answer,
+							 resstate->trans4,
+							 &resstate->trans4->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans4->is_inprogress = true;
+				all_fail = false;
+			} else
+				resstate->trans4->is_inprogress = false;
+		}
+		if (resstate->trans6 != NULL) {
+			result = dns_client_startresolve(client,
+							 resstate->qname,
+							 dns_rdataclass_in,
+							 dns_rdatatype_aaaa,
+							 0, task,
+							 process_answer,
+							 resstate->trans6,
+							 &resstate->trans6->xid);
+			if (result == ISC_R_SUCCESS) {
+				resstate->trans6->is_inprogress = true;
+				all_fail = false;
+			} else
+				resstate->trans6->is_inprogress= false;
+		}
+	}
+	UNLOCK(&head.list_lock);
+
+	if (!all_fail) {
+		/* Start all the events */
+		isc_app_ctxrun(actx);
+	} else
+		error = EAI_FAIL;
+
+	/* Cleanup */
+	while ((resstate = ISC_LIST_HEAD(head.resstates)) != NULL) {
+		int terror4 = 0, terror6 = 0;
+
+		ISC_LIST_UNLINK(head.resstates, resstate, link);
+
+		if (*aip == NULL) {
+			struct addrinfo *sentinel4 = NULL;
+			struct addrinfo *sentinel6 = NULL;
+
+			if (resstate->trans4 != NULL) {
+				sentinel4 =
+					resstate->trans4->ai_sentinel.ai_next;
+				resstate->trans4->ai_sentinel.ai_next = NULL;
+			}
+			if (resstate->trans6 != NULL) {
+				sentinel6 =
+					resstate->trans6->ai_sentinel.ai_next;
+				resstate->trans6->ai_sentinel.ai_next = NULL;
+			}
+			*aip = ai_concat(sentinel4, sentinel6);
+		}
+
+		if (resstate->trans4 != NULL) {
+			INSIST(resstate->trans4->xid == NULL);
+			terror4 = resstate->trans4->error;
+			isc_mem_put(mctx, resstate->trans4,
+				    sizeof(*resstate->trans4));
+		}
+		if (resstate->trans6 != NULL) {
+			INSIST(resstate->trans6->xid == NULL);
+			terror6 = resstate->trans6->error;
+			isc_mem_put(mctx, resstate->trans6,
+				    sizeof(*resstate->trans6));
+		}
+
+		/*
+		 * If the entire lookup fails, we need to choose an appropriate
+		 * error code from individual codes.  We'll try to provide as
+		 * specific a code as possible.  In general, we are going to
+		 * find an error code other than EAI_NONAME (which is too
+		 * generic and may actually not be problematic in some cases).
+		 * EAI_NONAME will be set below if no better code is found.
+		 */
+		if (terror == 0 || terror == EAI_NONAME) {
+			if (terror4 != 0 && terror4 != EAI_NONAME)
+				terror = terror4;
+			else if (terror6 != 0 && terror6 != EAI_NONAME)
+				terror = terror6;
+		}
+
+		isc_mem_put(mctx, resstate, sizeof(*resstate));
+	}
+
+	if (*aip == NULL) {
+		error = terror;
+		if (error == 0)
+			error = EAI_NONAME;
+	}
+
+#if 1	/*  XXX: enabled for finding leaks.  should be cleaned up later. */
+	isc_app_ctxfinish(actx);
+	irs_context_destroy(&irsctx);
+#endif
+
+	DESTROYLOCK(&head.list_lock);
+	return (error);
+}
+
+static char *
+irs_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++)
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+	}
+	*stringp = NULL;
+	return (string);
+}
+
+static void
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+					int, int))
+{
+	char *order, *tok;
+	int found;
+
+	if (family) {
+		switch (family) {
+		case AF_INET:
+			*net_order++ = add_ipv4;
+			break;
+		case AF_INET6:
+			*net_order++ = add_ipv6;
+			break;
+		}
+	} else {
+		order = getenv("NET_ORDER");
+		found = 0;
+		while (order != NULL) {
+			/*
+			 * We ignore any unknown names.
+			 */
+			tok = irs_strsep(&order, ":");
+			if (strcasecmp(tok, "inet6") == 0) {
+				if ((found & FOUND_IPV6) == 0)
+					*net_order++ = add_ipv6;
+				found |= FOUND_IPV6;
+			} else if (strcasecmp(tok, "inet") == 0 ||
+			    strcasecmp(tok, "inet4") == 0) {
+				if ((found & FOUND_IPV4) == 0)
+					*net_order++ = add_ipv4;
+				found |= FOUND_IPV4;
+			}
+		}
+
+		/*
+		 * Add in anything that we didn't find.
+		 */
+		if ((found & FOUND_IPV4) == 0)
+			*net_order++ = add_ipv4;
+		if ((found & FOUND_IPV6) == 0)
+			*net_order++ = add_ipv6;
+	}
+	*net_order = NULL;
+	return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+	 int socktype, int port)
+{
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET); /* don't use ai_clone() */
+	if (ai == NULL)
+		return (EAI_MEMORY);
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN(ai->ai_addr)->sin_port = port;
+	memmove(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+
+	return (0);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+	 int socktype, int port)
+{
+	struct addrinfo *ai;
+
+	UNUSED(hostname);
+	UNUSED(flags);
+
+	ai = ai_clone(*aip, AF_INET6); /* don't use ai_clone() */
+	if (ai == NULL)
+		return (EAI_MEMORY);
+
+	*aip = ai;
+	ai->ai_socktype = socktype;
+	SIN6(ai->ai_addr)->sin6_port = port;
+	memmove(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+
+	return (0);
+}
+
+/*% Free address info. */
+void
+freeaddrinfo(struct addrinfo *ai) {
+	_freeaddrinfo(ai);
+}
+
+static void
+_freeaddrinfo(struct addrinfo *ai) {
+	struct addrinfo *ai_next;
+
+	while (ai != NULL) {
+		ai_next = ai->ai_next;
+		if (ai->ai_addr != NULL)
+			free(ai->ai_addr);
+		if (ai->ai_canonname)
+			free(ai->ai_canonname);
+		free(ai);
+		ai = ai_next;
+	}
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+	struct addrinfo *ai;
+	struct sockaddr_un *slocal;
+
+	if (socktype == 0)
+		return (EAI_SOCKTYPE);
+
+	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
+	if (ai == NULL)
+		return (EAI_MEMORY);
+
+	slocal = SLOCAL(ai->ai_addr);
+	strlcpy(slocal->sun_path, name, sizeof(slocal->sun_path));
+
+	ai->ai_socktype = socktype;
+	/*
+	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+	 * and ai->ai_next were initialized to zero.
+	 */
+
+	*res = ai;
+	return (0);
+}
+#endif
+
+/*!
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specificed length.  We initialize:
+ *	ai_addrlen
+ *	ai_family
+ *	ai_addr
+ *	ai_addr->sa_family
+ *	ai_addr->sa_len	(IRS_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+	struct addrinfo *ai;
+
+	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+	if (ai == NULL)
+		return (NULL);
+
+	ai->ai_addr = SA(calloc(1, addrlen));
+	if (ai->ai_addr == NULL) {
+		free(ai);
+		return (NULL);
+	}
+	ai->ai_addrlen = addrlen;
+	ai->ai_family = family;
+	ai->ai_addr->sa_family = family;
+#ifdef IRS_PLATFORM_HAVESALEN
+	ai->ai_addr->sa_len = addrlen;
+#endif
+	return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+	struct addrinfo *ai;
+
+	ai = ai_alloc(family, ((family == AF_INET6) ?
+	    sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
+
+	if (ai == NULL)
+		return (NULL);
+	if (oai == NULL)
+		return (ai);
+
+	ai->ai_flags = oai->ai_flags;
+	ai->ai_socktype = oai->ai_socktype;
+	ai->ai_protocol = oai->ai_protocol;
+	ai->ai_canonname = NULL;
+	ai->ai_next = oai;
+	return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+	struct addrinfo *nai, *tai;
+
+	nai = NULL;
+
+	while (oai != NULL) {
+		/*
+		 * Grab one off the old list.
+		 */
+		tai = oai;
+		oai = oai->ai_next;
+		/*
+		 * Put it on the front of the new list.
+		 */
+		tai->ai_next = nai;
+		nai = tai;
+	}
+	return (nai);
+}
+
+
+static struct addrinfo *
+ai_concat(struct addrinfo *ai1, struct addrinfo *ai2) {
+	struct addrinfo *ai_tmp;
+
+	if (ai1 == NULL)
+		return (ai2);
+	else if (ai2 == NULL)
+		return (ai1);
+
+	for (ai_tmp = ai1; ai_tmp != NULL && ai_tmp->ai_next != NULL;
+	     ai_tmp = ai_tmp->ai_next)
+		;
+
+	ai_tmp->ai_next = ai2;
+
+	return (ai1);
+}
diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
new file mode 100644
index 0000000..5069ba7
--- /dev/null
+++ b/lib/irs/getnameinfo.c
@@ -0,0 +1,409 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/**
+ *    getnameinfo() returns the hostname for the struct sockaddr sa which is
+ *    salen bytes long. The hostname is of length hostlen and is returned via
+ *    *host. The maximum length of the hostname is 1025 bytes: #NI_MAXHOST.
+ *
+ *    The name of the service associated with the port number in sa is
+ *    returned in *serv. It is servlen bytes long. The maximum length of the
+ *    service name is #NI_MAXSERV - 32 bytes.
+ *
+ *    The flags argument sets the following bits:
+ *
+ * \li   #NI_NOFQDN:
+ *           A fully qualified domain name is not required for local hosts.
+ *           The local part of the fully qualified domain name is returned
+ *           instead.
+ *
+ * \li   #NI_NUMERICHOST
+ *           Return the address in numeric form, as if calling inet_ntop(),
+ *           instead of a host name.
+ *
+ * \li   #NI_NAMEREQD
+ *           A name is required. If the hostname cannot be found in the DNS
+ *           and this flag is set, a non-zero error code is returned. If the
+ *           hostname is not found and the flag is not set, the address is
+ *           returned in numeric form.
+ *
+ * \li   #NI_NUMERICSERV
+ *           The service name is returned as a digit string representing the
+ *           port number.
+ *
+ * \li   #NI_DGRAM
+ *           Specifies that the service being looked up is a datagram
+ *           service, and causes getservbyport() to be called with a second
+ *           argument of "udp" instead of its default of "tcp". This is
+ *           required for the few ports (512-514) that have different
+ *           services for UDP and TCP.
+ *
+ * \section getnameinfo_return Return Values
+ *
+ *    getnameinfo() returns 0 on success or a non-zero error code if
+ *    an error occurs.
+ *
+ * \section getname_see See Also
+ *
+ *    RFC3493, getservbyport(),
+ *    getnamebyaddr(). inet_ntop().
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <irs/context.h>
+#include <irs/netdb.h>
+
+#define SUCCESS 0
+
+/*% afd structure definition */
+static struct afd {
+	int a_af;
+	size_t a_addrlen;
+	size_t a_socklen;
+} afdl [] = {
+	/*!
+	 * First entry is linked last...
+	 */
+	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+	{0, 0, 0},
+};
+
+/*!
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
+
+int
+getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
+	    char *host, IRS_GETNAMEINFO_BUFLEN_T hostlen,
+	    char *serv, IRS_GETNAMEINFO_BUFLEN_T servlen,
+	    IRS_GETNAMEINFO_FLAGS_T flags)
+{
+	struct afd *afd = NULL;
+	struct servent *sp;
+	unsigned short port = 0;
+#ifdef IRS_PLATFORM_HAVESALEN
+	size_t len;
+#endif
+	int family, i;
+	const void *addr = NULL;
+	char *p;
+#if 0
+	unsigned long v4a;
+	unsigned char pfx;
+#endif
+	char numserv[sizeof("65000")];
+	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
+		    + 1 + sizeof("4294967295")];
+	const char *proto;
+	int result = SUCCESS;
+
+	if (sa == NULL)
+		ERR(EAI_FAIL);
+
+#ifdef IRS_PLATFORM_HAVESALEN
+	len = sa->sa_len;
+	if (len != salen)
+		ERR(EAI_FAIL);
+#endif
+
+	family = sa->sa_family;
+	for (i = 0; afdl[i].a_af; i++)
+		if (afdl[i].a_af == family) {
+			afd = &afdl[i];
+			goto found;
+		}
+	ERR(EAI_FAMILY);
+
+ found:
+	if (salen != afd->a_socklen)
+		ERR(EAI_FAIL);
+
+	switch (family) {
+	case AF_INET:
+		port = ((const struct sockaddr_in *)sa)->sin_port;
+		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+		break;
+
+	case AF_INET6:
+		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+		break;
+
+	default:
+		INSIST(0);
+	}
+	proto = (flags & NI_DGRAM) ? "udp" : "tcp";
+
+	if (serv == NULL || servlen == 0U) {
+		/*
+		 * Caller does not want service.
+		 */
+	} else if ((flags & NI_NUMERICSERV) != 0 ||
+		   (sp = getservbyport(port, proto)) == NULL) {
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+		if ((strlen(numserv) + 1) > servlen)
+			ERR(EAI_OVERFLOW);
+		strlcpy(serv, numserv, servlen);
+	} else {
+		if ((strlen(sp->s_name) + 1) > servlen)
+			ERR(EAI_OVERFLOW);
+		strlcpy(serv, sp->s_name, servlen);
+	}
+
+#if 0
+	switch (sa->sa_family) {
+	case AF_INET:
+		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+			flags |= NI_NUMERICHOST;
+		v4a >>= IN_CLASSA_NSHIFT;
+		if (v4a == 0 || v4a == IN_LOOPBACKNET)
+			flags |= NI_NUMERICHOST;
+		break;
+
+	case AF_INET6:
+		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+		if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+			flags |= NI_NUMERICHOST;
+		break;
+	}
+#endif
+
+	if (host == NULL || hostlen == 0U) {
+		/*
+		 * do nothing in this case.
+		 * in case you are wondering if "&&" is more correct than
+		 * "||" here: RFC3493 says that host == NULL or hostlen == 0
+		 * means that the caller does not want the result.
+		 */
+	} else if ((flags & NI_NUMERICHOST) != 0) {
+		if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+		    == NULL)
+			ERR(EAI_SYSTEM);
+#if defined(IRS_HAVE_SIN6_SCOPE_ID)
+		if (afd->a_af == AF_INET6 &&
+		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+			char *p = numaddr + strlen(numaddr);
+			const char *stringscope = NULL;
+#ifdef VENDOR_SPECIFIC
+			/*
+			 * Vendors may want to add support for
+			 * non-numeric scope identifier.
+			 */
+			stringscope = foo;
+#endif
+			if (stringscope == NULL) {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%u",
+				    ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
+			} else {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%s", stringscope);
+			}
+		}
+#endif
+		if (strlen(numaddr) + 1 > hostlen)
+			ERR(EAI_OVERFLOW);
+		strlcpy(host, numaddr, hostlen);
+	} else {
+		isc_netaddr_t netaddr;
+		dns_fixedname_t ptrfname;
+		dns_name_t *ptrname;
+		irs_context_t *irsctx = NULL;
+		dns_client_t *client;
+		bool found = false;
+		dns_namelist_t answerlist;
+		dns_rdataset_t *rdataset;
+		isc_region_t hostregion;
+		char hoststr[1024]; /* is this enough? */
+		isc_result_t iresult;
+
+		/* Get IRS context and the associated DNS client object */
+		iresult = irs_context_get(&irsctx);
+		if (iresult != ISC_R_SUCCESS)
+			ERR(EAI_FAIL);
+		client = irs_context_getdnsclient(irsctx);
+
+		/* Make query name */
+		isc_netaddr_fromsockaddr(&netaddr, (const isc_sockaddr_t *)sa);
+		ptrname = dns_fixedname_initname(&ptrfname);
+		iresult = dns_byaddr_createptrname2(&netaddr, 0, ptrname);
+		if (iresult != ISC_R_SUCCESS)
+			ERR(EAI_FAIL);
+
+		/* Get the PTR RRset */
+		ISC_LIST_INIT(answerlist);
+		iresult = dns_client_resolve(client, ptrname,
+					     dns_rdataclass_in,
+					     dns_rdatatype_ptr,
+					     DNS_CLIENTRESOPT_ALLOWRUN,
+					     &answerlist);
+		switch (iresult) {
+		case ISC_R_SUCCESS:
+		/*
+		 * a 'non-existent' error is not necessarily fatal for
+		 * getnameinfo().
+		 */
+		case DNS_R_NCACHENXDOMAIN:
+		case DNS_R_NCACHENXRRSET:
+			break;
+		case DNS_R_SIGINVALID:
+		case DNS_R_SIGEXPIRED:
+		case DNS_R_SIGFUTURE:
+		case DNS_R_KEYUNAUTHORIZED:
+		case DNS_R_MUSTBESECURE:
+		case DNS_R_COVERINGNSEC:
+		case DNS_R_NOTAUTHORITATIVE:
+		case DNS_R_NOVALIDKEY:
+		case DNS_R_NOVALIDDS:
+		case DNS_R_NOVALIDSIG:
+			/*
+			 * Don't use ERR as GCC 7 wants to raise a
+			 * warning with ERR about possible falling
+			 * through which is impossible.
+			 */
+			result = EAI_INSECUREDATA;
+			goto cleanup;
+		default:
+			ERR(EAI_FAIL);
+		}
+
+		/* Parse the answer for the hostname */
+		for (ptrname = ISC_LIST_HEAD(answerlist); ptrname != NULL;
+		     ptrname = ISC_LIST_NEXT(ptrname, link)) {
+			for (rdataset = ISC_LIST_HEAD(ptrname->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (!dns_rdataset_isassociated(rdataset))
+					continue;
+				if (rdataset->type != dns_rdatatype_ptr)
+					continue;
+
+				for (iresult = dns_rdataset_first(rdataset);
+				     iresult == ISC_R_SUCCESS;
+				     iresult = dns_rdataset_next(rdataset)) {
+					dns_rdata_t rdata;
+					dns_rdata_ptr_t rdata_ptr;
+					isc_buffer_t b;
+
+					dns_rdata_init(&rdata);
+					dns_rdataset_current(rdataset, &rdata);
+					dns_rdata_tostruct(&rdata, &rdata_ptr,
+							   NULL);
+
+					isc_buffer_init(&b, hoststr,
+							sizeof(hoststr));
+					iresult =
+						dns_name_totext(&rdata_ptr.ptr,
+								true, &b);
+					dns_rdata_freestruct(&rdata_ptr);
+					if (iresult == ISC_R_SUCCESS) {
+						/*
+						 * We ignore the rest of the
+						 * answer.  After all,
+						 * getnameinfo() can return
+						 * at most one hostname.
+						 */
+						found = true;
+						isc_buffer_usedregion(
+							&b, &hostregion);
+						goto ptrfound;
+					}
+
+				}
+			}
+		}
+	ptrfound:
+		dns_client_freeresanswer(client, &answerlist);
+		if (found) {
+			if ((flags & NI_NOFQDN) != 0) {
+				p = strchr(hoststr, '.');
+				if (p)
+					*p = '\0';
+			}
+			if (hostregion.length + 1 > hostlen)
+				ERR(EAI_OVERFLOW);
+			snprintf(host, hostlen, "%.*s",
+				 (int)hostregion.length,
+				 (char *)hostregion.base);
+		} else {
+			if ((flags & NI_NAMEREQD) != 0)
+				ERR(EAI_NONAME);
+			if (inet_ntop(afd->a_af, addr, numaddr,
+				      sizeof(numaddr)) == NULL)
+				ERR(EAI_SYSTEM);
+			if ((strlen(numaddr) + 1) > hostlen)
+				ERR(EAI_OVERFLOW);
+			strlcpy(host, numaddr, hostlen);
+		}
+	}
+	result = SUCCESS;
+
+ cleanup:
+	return (result);
+}
diff --git a/lib/irs/include/Makefile.in b/lib/irs/include/Makefile.in
new file mode 100644
index 0000000..3601331
--- /dev/null
+++ b/lib/irs/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/include/irs/Makefile.in b/lib/irs/include/irs/Makefile.in
new file mode 100644
index 0000000..b0c5e14
--- /dev/null
+++ b/lib/irs/include/irs/Makefile.in
@@ -0,0 +1,44 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	context.h dnsconf.h resconf.h types.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs || exit 1; \
+	done
+	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/irs
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/irs
+
+uninstall::
+	rm -f ${DESTDIR}${includedir}/irs/platform.h
+	rm -f ${DESTDIR}${includedir}/irs/netdb.h
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/irs/$$i || exit 1; \
+	done
+
+distclean::
+	rm -f netdb.h platform.h
diff --git a/lib/irs/include/irs/context.h b/lib/irs/include/irs/context.h
new file mode 100644
index 0000000..94e55c6
--- /dev/null
+++ b/lib/irs/include/irs/context.h
@@ -0,0 +1,153 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef IRS_CONTEXT_H
+#define IRS_CONTEXT_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS context module provides an abstract interface to the DNS library
+ * with an application.  An IRS context object initializes and holds various
+ * resources used in the DNS library.
+ */
+
+#include <dns/types.h>
+#include <irs/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_context_create(irs_context_t **contextp);
+/*%<
+ * Create an IRS context.  It internally initializes the ISC and DNS libraries
+ * (if not yet), creates a DNS client object and initializes the client using
+ * the configuration files parsed via the 'resconf' and 'dnsconf' IRS modules.
+ * Some of the internally initialized objects can be used by the application
+ * via irs_context_getxxx() functions (see below).
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+isc_result_t
+irs_context_get(irs_context_t **contextp);
+/*%<
+ * Return an IRS context for the calling thread.  If no IRS context is
+ * associated to the thread, this function creates a new one by calling
+ * irs_context_create(), and associates it with the thread as a thread specific
+ * data value.  This function is provided for standard libraries that are
+ * expected to be thread-safe but do not accept an appropriate IRS context
+ * as a library parameter, e.g., getaddrinfo().
+ *
+ * Requires:
+ *
+ *\li	contextp != NULL && *contextp == NULL.
+ */
+
+void
+irs_context_destroy(irs_context_t **contextp);
+/*%<
+ * Destroy an IRS context.
+ *
+ * Requires:
+ *
+ *\li	'*contextp' is a valid IRS context.
+ *
+ * Ensures:
+ *\li	'*contextp' == NULL.
+ */
+
+isc_mem_t *
+irs_context_getmctx(irs_context_t *context);
+/*%<
+ * Return the memory context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_appctx_t *
+irs_context_getappctx(irs_context_t *context);
+/*%<
+ * Return the application context held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_taskmgr_t *
+irs_context_gettaskmgr(irs_context_t *context);
+/*%<
+ * Return the task manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_timermgr_t *
+irs_context_gettimermgr(irs_context_t *context);
+/*%<
+ * Return the timer manager held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+isc_task_t *
+irs_context_gettask(irs_context_t *context);
+/*%<
+ * Return the task object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+dns_client_t *
+irs_context_getdnsclient(irs_context_t *context);
+/*%<
+ * Return the DNS client object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_resconf_t *
+irs_context_getresconf(irs_context_t *context);
+/*%<
+ * Return the resolver configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+irs_dnsconf_t *
+irs_context_getdnsconf(irs_context_t *context);
+/*%<
+ * Return the advanced DNS configuration object held in the context.
+ *
+ * Requires:
+ *
+ *\li	'context' is a valid IRS context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_CONTEXT_H */
diff --git a/lib/irs/include/irs/dnsconf.h b/lib/irs/include/irs/dnsconf.h
new file mode 100644
index 0000000..89898ba
--- /dev/null
+++ b/lib/irs/include/irs/dnsconf.h
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef IRS_DNSCONF_H
+#define IRS_DNSCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS dnsconf module parses an "advanced" configuration file related to
+ * the DNS library, such as trusted keys for DNSSEC validation, and creates
+ * the corresponding configuration objects for the DNS library modules.
+ *
+ * Notes:
+ * This module is very experimental and the configuration syntax or library
+ * interfaces may change in future versions.  Currently, only the
+ * 'trusted-keys' statement is supported, whose syntax is the same as the
+ * same name of statement for named.conf.
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A compound structure storing DNS key information mainly for DNSSEC
+ * validation.  A dns_key_t object will be created using the 'keyname' and
+ * 'keydatabuf' members with the dst_key_fromdns() function.
+ */
+typedef struct irs_dnsconf_dnskey {
+	dns_name_t				*keyname;
+	isc_buffer_t				*keydatabuf;
+	ISC_LINK(struct irs_dnsconf_dnskey)	link;
+} irs_dnsconf_dnskey_t;
+
+typedef ISC_LIST(irs_dnsconf_dnskey_t) irs_dnsconf_dnskeylist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_dnsconf_load(isc_mem_t *mctx, const char *filename, irs_dnsconf_t **confp);
+/*%<
+ * Load the "advanced" DNS configuration file 'filename' in the "dns.conf"
+ * format, and create a new irs_dnsconf_t object from the configuration.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_dnsconf_destroy(irs_dnsconf_t **confp);
+/*%<
+ * Destroy the dnsconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid dnsconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+irs_dnsconf_dnskeylist_t *
+irs_dnsconf_gettrustedkeys(irs_dnsconf_t *conf);
+/*%<
+ * Return a list of key information stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid dnsconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_DNSCONF_H */
diff --git a/lib/irs/include/irs/netdb.h.in b/lib/irs/include/irs/netdb.h.in
new file mode 100644
index 0000000..93fe47d
--- /dev/null
+++ b/lib/irs/include/irs/netdb.h.in
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
+#include <netdb.h>	/* Contractual provision. */
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+@ISC_IRS_NEEDADDRINFO@
+
+#ifdef ISC_IRS_NEEDADDRINFO
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_OVERFLOW
+#undef	EAI_INSECUREDATA
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_OVERFLOW	14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX		16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
diff --git a/lib/irs/include/irs/platform.h.in b/lib/irs/include/irs/platform.h.in
new file mode 100644
index 0000000..78c91ce
--- /dev/null
+++ b/lib/irs/include/irs/platform.h.in
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#ifndef IRS_PLATFORM_USEDECLSPEC
+#define LIBIRS_EXTERNAL_DATA
+#else
+#ifdef LIBIRS_EXPORTS
+#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/lib/irs/include/irs/resconf.h b/lib/irs/include/irs/resconf.h
new file mode 100644
index 0000000..6c0a8cc
--- /dev/null
+++ b/lib/irs/include/irs/resconf.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef IRS_RESCONF_H
+#define IRS_RESCONF_H 1
+
+/*! \file
+ *
+ * \brief
+ * The IRS resconf module parses the legacy "/etc/resolv.conf" file and
+ * creates the corresponding configuration objects for the DNS library
+ * modules.
+ */
+
+#include <irs/types.h>
+
+/*%
+ * A DNS search list specified in the 'domain' or 'search' statements
+ * in the "resolv.conf" file.
+ */
+typedef struct irs_resconf_search {
+	char					*domain;
+	ISC_LINK(struct irs_resconf_search)	link;
+} irs_resconf_search_t;
+
+typedef ISC_LIST(irs_resconf_search_t) irs_resconf_searchlist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp);
+/*%<
+ * Load the resolver configuration file 'filename' in the "resolv.conf" format,
+ * and create a new irs_resconf_t object from the configuration.  If the file
+ * is not found ISC_R_FILENOTFOUND is returned with the structure initialized
+ * as if file contained only:
+ *
+ *	nameserver ::1
+ *	nameserver 127.0.0.1
+ *
+ * Notes:
+ *
+ *\li	Currently, only the following options are supported:
+ *	nameserver, domain, search, sortlist, ndots, and options.
+ *	In addition, 'sortlist' is not actually effective; it's parsed, but
+ *	the application cannot use the configuration.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS on success
+ * \li  ISC_R_FILENOTFOUND if the file was not found. *confp will be valid.
+ * \li  other on error.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'filename' != NULL
+ *
+ *\li	'confp' != NULL && '*confp' == NULL
+ */
+
+void
+irs_resconf_destroy(irs_resconf_t **confp);
+/*%<
+ * Destroy the resconf object.
+ *
+ * Requires:
+ *
+ *\li	'*confp' is a valid resconf object.
+ *
+ * Ensures:
+ *
+ *\li	*confp == NULL
+ */
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf);
+/*%<
+ * Return a list of name server addresses stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf);
+/*%<
+ * Return the search list stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf);
+/*%<
+ * Return the 'ndots' value stored in 'conf'.
+ *
+ * Requires:
+ *
+ *\li	'conf' is a valid resconf object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* IRS_RESCONF_H */
diff --git a/lib/irs/include/irs/types.h b/lib/irs/include/irs/types.h
new file mode 100644
index 0000000..1251e68
--- /dev/null
+++ b/lib/irs/include/irs/types.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef IRS_TYPES_H
+#define IRS_TYPES_H 1
+
+/* Core Types.  Alphabetized by defined type. */
+
+/*%< per-thread IRS context */
+typedef struct irs_context		irs_context_t;
+/*%< resolv.conf configuration information */
+typedef struct irs_resconf		irs_resconf_t;
+/*%< advanced DNS-related configuration information */
+typedef struct irs_dnsconf		irs_dnsconf_t;
+
+#endif /* IRS_TYPES_H */
diff --git a/lib/irs/include/irs/version.h b/lib/irs/include/irs/version.h
new file mode 100644
index 0000000..a049374
--- /dev/null
+++ b/lib/irs/include/irs/version.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <irs/platform.h>
+
+LIBIRS_EXTERNAL_DATA extern const char irs_version[];
+
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libinterface;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_librevision;
+LIBIRS_EXTERNAL_DATA extern const unsigned int irs_libage;
diff --git a/lib/irs/resconf.c b/lib/irs/resconf.c
new file mode 100644
index 0000000..7288c72
--- /dev/null
+++ b/lib/irs/resconf.c
@@ -0,0 +1,654 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file resconf.c */
+
+/**
+ * Module for parsing resolv.conf files (largely derived from lwconfig.c).
+ *
+ *    irs_resconf_load() opens the file filename and parses it to initialize
+ *    the configuration structure.
+ *
+ * \section lwconfig_return Return Values
+ *
+ *    irs_resconf_load() returns #IRS_R_SUCCESS if it successfully read and
+ *    parsed filename. It returns a non-0 error code if filename could not be
+ *    opened or contained incorrect resolver statements.
+ *
+ * \section lwconfig_see See Also
+ *
+ *    stdio(3), \link resolver resolver \endlink
+ *
+ * \section files Files
+ *
+ *    /etc/resolv.conf
+ */
+
+#include <config.h>
+
+#ifndef WIN32
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#endif
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <irs/netdb.h>
+#include <irs/resconf.h>
+
+#define IRS_RESCONF_MAGIC		ISC_MAGIC('R', 'E', 'S', 'c')
+#define IRS_RESCONF_VALID(c)		ISC_MAGIC_VALID(c, IRS_RESCONF_MAGIC)
+
+/*!
+ * protocol constants
+ */
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ	 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ	16
+#endif
+
+/*!
+ * resolv.conf parameters
+ */
+
+#define RESCONFMAXNAMESERVERS 3U	/*%< max 3 "nameserver" entries */
+#define RESCONFMAXSEARCH 8U		/*%< max 8 domains in "search" entry */
+#define RESCONFMAXLINELEN 256U		/*%< max size of a line */
+#define RESCONFMAXSORTLIST 10U		/*%< max 10 */
+
+/*!
+ * configuration data structure
+ */
+
+struct irs_resconf {
+	/*
+	 * The configuration data is a thread-specific object, and does not
+	 * need to be locked.
+	 */
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+
+	isc_sockaddrlist_t	nameservers;
+	unsigned int		numns; /*%< number of configured servers */
+
+	char	       		*domainname;
+	char 	       		*search[RESCONFMAXSEARCH];
+	uint8_t		searchnxt; /*%< index for next free slot */
+
+	irs_resconf_searchlist_t searchlist;
+
+	struct {
+		isc_netaddr_t	addr;
+		/*% mask has a non-zero 'family' if set */
+		isc_netaddr_t	mask;
+	} sortlist[RESCONFMAXSORTLIST];
+	uint8_t		sortlistnxt;
+
+	/*%< non-zero if 'options debug' set */
+	uint8_t		resdebug;
+	/*%< set to n in 'options ndots:n' */
+	uint8_t		ndots;
+};
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp);
+static isc_result_t
+resconf_parseoption(irs_resconf_t *ctx,  FILE *fp);
+
+/*!
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF)
+		ch = fgetc(fp);
+
+	return (ch);
+}
+
+/*!
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
+		ch = fgetc(fp);
+
+	if (ch == ';' || ch == '#')
+		ch = eatline(fp);
+
+	return (ch);
+}
+
+/*!
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+	int ch;
+	char *p;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(size > 0U);
+
+	p = buffer;
+	*p = '\0';
+
+	ch = eatwhite(fp);
+
+	if (ch == EOF)
+		return (EOF);
+
+	do {
+		*p = '\0';
+
+		if (ch == EOF || isspace((unsigned char)ch))
+			break;
+		else if ((size_t) (p - buffer) == size - 1)
+			return (EOF);	/* Not enough space. */
+
+		*p++ = (char)ch;
+		ch = fgetc(fp);
+	} while (1);
+
+	return (ch);
+}
+
+static isc_result_t
+add_server(isc_mem_t *mctx, const char *address_str,
+	   isc_sockaddrlist_t *nameservers)
+{
+	int error;
+	isc_sockaddr_t *address = NULL;
+	struct addrinfo hints, *res;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	res = NULL;
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(address_str, "53", &hints, &res);
+	if (error != 0)
+		return (ISC_R_BADADDRESSFORM);
+
+	/* XXX: special case: treat all-0 IPv4 address as loopback */
+	if (res->ai_family == AF_INET) {
+		struct in_addr *v4;
+		unsigned char zeroaddress[] = {0, 0, 0, 0};
+		unsigned char loopaddress[] = {127, 0, 0, 1};
+
+		v4 = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
+		if (memcmp(v4, zeroaddress, 4) == 0)
+			memmove(v4, loopaddress, 4);
+	}
+
+	address = isc_mem_get(mctx, sizeof(*address));
+	if (address == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	if (res->ai_addrlen > sizeof(address->type)) {
+		isc_mem_put(mctx, address, sizeof(*address));
+		result = ISC_R_RANGE;
+		goto cleanup;
+	}
+	address->length = (unsigned int)res->ai_addrlen;
+	memmove(&address->type.ss, res->ai_addr, res->ai_addrlen);
+	ISC_LINK_INIT(address, link);
+	ISC_LIST_APPEND(*nameservers, address, link);
+
+  cleanup:
+	freeaddrinfo(res);
+
+	return (result);
+}
+
+static isc_result_t
+create_addr(const char *buffer, isc_netaddr_t *addr, int convert_zero) {
+	struct in_addr v4;
+	struct in6_addr v6;
+
+	if (inet_aton(buffer, &v4) == 1) {
+		if (convert_zero) {
+			unsigned char zeroaddress[] = {0, 0, 0, 0};
+			unsigned char loopaddress[] = {127, 0, 0, 1};
+			if (memcmp(&v4, zeroaddress, 4) == 0)
+				memmove(&v4, loopaddress, 4);
+		}
+		addr->family = AF_INET;
+		memmove(&addr->type.in, &v4, NS_INADDRSZ);
+		addr->zone = 0;
+	} else if (inet_pton(AF_INET6, buffer, &v6) == 1) {
+		addr->family = AF_INET6;
+		memmove(&addr->type.in6, &v6, NS_IN6ADDRSZ);
+		addr->zone = 0;
+	} else
+		return (ISC_R_BADADDRESSFORM); /* Unrecognised format. */
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsenameserver(irs_resconf_t *conf,  FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int cp;
+	isc_result_t result;
+
+	if (conf->numns == RESCONFMAXNAMESERVERS)
+		return (ISC_R_SUCCESS);
+
+	cp = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing on line. */
+	else if (cp == ' ' || cp == '\t')
+		cp = eatwhite(fp);
+
+	if (cp != EOF && cp != '\n')
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+	result = add_server(conf->mctx, word, &conf->nameservers);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	conf->numns++;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsedomain(irs_resconf_t *conf,  FILE *fp) {
+	char word[RESCONFMAXLINELEN];
+	int res;
+	unsigned int i;
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+	else if (res == ' ' || res == '\t')
+		res = eatwhite(fp);
+
+	if (res != EOF && res != '\n')
+		return (ISC_R_UNEXPECTEDTOKEN); /* Extra junk on line. */
+
+	if (conf->domainname != NULL)
+		isc_mem_free(conf->mctx, conf->domainname);
+
+	/*
+	 * Search and domain are mutually exclusive.
+	 */
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[i]);
+			conf->search[i] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	conf->domainname = isc_mem_strdup(conf->mctx, word);
+	if (conf->domainname == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesearch(irs_resconf_t *conf,  FILE *fp) {
+	int delim;
+	unsigned int idx;
+	char word[RESCONFMAXLINELEN];
+
+	if (conf->domainname != NULL) {
+		/*
+		 * Search and domain are mutually exclusive.
+		 */
+		isc_mem_free(conf->mctx, conf->domainname);
+		conf->domainname = NULL;
+	}
+
+	/*
+	 * Remove any previous search definitions.
+	 */
+	for (idx = 0; idx < RESCONFMAXSEARCH; idx++) {
+		if (conf->search[idx] != NULL) {
+			isc_mem_free(conf->mctx, conf->search[idx]);
+			conf->search[idx] = NULL;
+		}
+	}
+	conf->searchnxt = 0;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Nothing else on line. */
+
+	idx = 0;
+	while (strlen(word) > 0U) {
+		if (conf->searchnxt == RESCONFMAXSEARCH)
+			goto ignore; /* Too many domains. */
+
+		INSIST(idx < sizeof(conf->search)/sizeof(conf->search[0]));
+		conf->search[idx] = isc_mem_strdup(conf->mctx, word);
+		if (conf->search[idx] == NULL)
+			return (ISC_R_NOMEMORY);
+		idx++;
+		conf->searchnxt++;
+
+	ignore:
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parsesortlist(irs_resconf_t *conf,  FILE *fp) {
+	int delim, res;
+	unsigned int idx;
+	char word[RESCONFMAXLINELEN];
+	char *p;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (conf->sortlistnxt == RESCONFMAXSORTLIST)
+			return (ISC_R_QUOTA); /* Too many values. */
+
+		p = strchr(word, '/');
+		if (p != NULL)
+			*p++ = '\0';
+
+		idx = conf->sortlistnxt;
+		INSIST(idx < sizeof(conf->sortlist)/sizeof(conf->sortlist[0]));
+		res = create_addr(word, &conf->sortlist[idx].addr, 1);
+		if (res != ISC_R_SUCCESS)
+			return (res);
+
+		if (p != NULL) {
+			res = create_addr(p, &conf->sortlist[idx].mask, 0);
+			if (res != ISC_R_SUCCESS)
+				return (res);
+		} else {
+			/*
+			 * Make up a mask. (XXX: is this correct?)
+			 */
+			conf->sortlist[idx].mask = conf->sortlist[idx].addr;
+			memset(&conf->sortlist[idx].mask.type, 0xff,
+			       sizeof(conf->sortlist[idx].mask.type));
+		}
+
+		conf->sortlistnxt++;
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+resconf_parseoption(irs_resconf_t *conf,  FILE *fp) {
+	int delim;
+	long ndots;
+	char *p;
+	char word[RESCONFMAXLINELEN];
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (ISC_R_UNEXPECTEDEND); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (strcmp("debug", word) == 0) {
+			conf->resdebug = 1;
+		} else if (strncmp("ndots:", word, 6) == 0) {
+			ndots = strtol(word + 6, &p, 10);
+			if (*p != '\0') /* Bad string. */
+				return (ISC_R_UNEXPECTEDTOKEN);
+			if (ndots < 0 || ndots > 0xff) /* Out of range. */
+				return (ISC_R_RANGE);
+			conf->ndots = (uint8_t)ndots;
+		}
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_search(irs_resconf_t *conf, char *domain) {
+	irs_resconf_search_t *entry;
+
+	entry = isc_mem_get(conf->mctx, sizeof(*entry));
+	if (entry == NULL)
+		return (ISC_R_NOMEMORY);
+
+	entry->domain = domain;
+	ISC_LINK_INIT(entry, link);
+	ISC_LIST_APPEND(conf->searchlist, entry, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*% parses a file and fills in the data structure. */
+isc_result_t
+irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
+{
+	FILE *fp = NULL;
+	char word[256];
+	isc_result_t rval, ret = ISC_R_SUCCESS;
+	irs_resconf_t *conf;
+	unsigned int i;
+	int stopchar;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(filename != NULL);
+	REQUIRE(strlen(filename) > 0U);
+	REQUIRE(confp != NULL && *confp == NULL);
+
+	conf = isc_mem_get(mctx, sizeof(*conf));
+	if (conf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	conf->mctx = mctx;
+	ISC_LIST_INIT(conf->nameservers);
+	ISC_LIST_INIT(conf->searchlist);
+	conf->numns = 0;
+	conf->domainname = NULL;
+	conf->searchnxt = 0;
+	conf->sortlistnxt = 0;
+	conf->resdebug = 0;
+	conf->ndots = 1;
+	for (i = 0; i < RESCONFMAXSEARCH; i++)
+		conf->search[i] = NULL;
+
+	errno = 0;
+	if ((fp = fopen(filename, "r")) != NULL) {
+		do {
+			stopchar = getword(fp, word, sizeof(word));
+			if (stopchar == EOF) {
+				rval = ISC_R_SUCCESS;
+				POST(rval);
+				break;
+			}
+
+			if (strlen(word) == 0U)
+				rval = ISC_R_SUCCESS;
+			else if (strcmp(word, "nameserver") == 0)
+				rval = resconf_parsenameserver(conf, fp);
+			else if (strcmp(word, "domain") == 0)
+				rval = resconf_parsedomain(conf, fp);
+			else if (strcmp(word, "search") == 0)
+				rval = resconf_parsesearch(conf, fp);
+			else if (strcmp(word, "sortlist") == 0)
+				rval = resconf_parsesortlist(conf, fp);
+			else if (strcmp(word, "options") == 0)
+				rval = resconf_parseoption(conf, fp);
+			else {
+				/* unrecognised word. Ignore entire line */
+				rval = ISC_R_SUCCESS;
+				stopchar = eatline(fp);
+				if (stopchar == EOF) {
+					break;
+				}
+			}
+			if (ret == ISC_R_SUCCESS && rval != ISC_R_SUCCESS)
+				ret = rval;
+		} while (1);
+
+		fclose(fp);
+	} else {
+		switch (errno) {
+		case ENOENT:
+			break;
+		default:
+			isc_mem_put(mctx, conf, sizeof(*conf));
+			return (ISC_R_INVALIDFILE);
+		}
+	}
+
+	if (ret != ISC_R_SUCCESS) {
+		goto error;
+	}
+
+	/* If we don't find a nameserver fall back to localhost */
+	if (conf->numns == 0U) {
+		INSIST(ISC_LIST_EMPTY(conf->nameservers));
+
+		/* XXX: should we catch errors? */
+		(void)add_server(conf->mctx, "127.0.0.1", &conf->nameservers);
+		(void)add_server(conf->mctx, "::1", &conf->nameservers);
+	}
+
+	/*
+	 * Construct unified search list from domain or configured
+	 * search list
+	 */
+	if (conf->domainname != NULL) {
+		ret = add_search(conf, conf->domainname);
+	} else if (conf->searchnxt > 0) {
+		for (i = 0; i < conf->searchnxt; i++) {
+			ret = add_search(conf, conf->search[i]);
+			if (ret != ISC_R_SUCCESS)
+				break;
+		}
+	}
+
+ error:
+	conf->magic = IRS_RESCONF_MAGIC;
+
+	if (ret != ISC_R_SUCCESS)
+		irs_resconf_destroy(&conf);
+	else {
+		if (fp == NULL)
+			ret = ISC_R_FILENOTFOUND;
+		*confp = conf;
+	}
+
+	return (ret);
+}
+
+void
+irs_resconf_destroy(irs_resconf_t **confp) {
+	irs_resconf_t *conf;
+	isc_sockaddr_t *address;
+	irs_resconf_search_t *searchentry;
+	unsigned int i;
+
+	REQUIRE(confp != NULL);
+	conf = *confp;
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	while ((searchentry = ISC_LIST_HEAD(conf->searchlist)) != NULL) {
+		ISC_LIST_UNLINK(conf->searchlist, searchentry, link);
+		isc_mem_put(conf->mctx, searchentry, sizeof(*searchentry));
+	}
+
+	while ((address = ISC_LIST_HEAD(conf->nameservers)) != NULL) {
+		ISC_LIST_UNLINK(conf->nameservers, address, link);
+		isc_mem_put(conf->mctx, address, sizeof(*address));
+	}
+
+	if (conf->domainname != NULL)
+		isc_mem_free(conf->mctx, conf->domainname);
+
+	for (i = 0; i < RESCONFMAXSEARCH; i++) {
+		if (conf->search[i] != NULL)
+			isc_mem_free(conf->mctx, conf->search[i]);
+	}
+
+	isc_mem_put(conf->mctx, conf, sizeof(*conf));
+
+	*confp = NULL;
+}
+
+isc_sockaddrlist_t *
+irs_resconf_getnameservers(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->nameservers);
+}
+
+irs_resconf_searchlist_t *
+irs_resconf_getsearchlist(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return (&conf->searchlist);
+}
+
+unsigned int
+irs_resconf_getndots(irs_resconf_t *conf) {
+	REQUIRE(IRS_RESCONF_VALID(conf));
+
+	return ((unsigned int)conf->ndots);
+}
diff --git a/lib/irs/tests/Atffile b/lib/irs/tests/Atffile
new file mode 100644
index 0000000..90f6d60
--- /dev/null
+++ b/lib/irs/tests/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: resconf_test
diff --git a/lib/irs/tests/Kyuafile b/lib/irs/tests/Kyuafile
new file mode 100644
index 0000000..4ef7136
--- /dev/null
+++ b/lib/irs/tests/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+atf_test_program{name='resconf_test'}
diff --git a/lib/irs/tests/Makefile.in b/lib/irs/tests/Makefile.in
new file mode 100644
index 0000000..1a51aa9
--- /dev/null
+++ b/lib/irs/tests/Makefile.in
@@ -0,0 +1,53 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude -I../include ${ISC_INCLUDES} ${IRS_INCLUDES}
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/irs/tests/\""
+
+CFGLIBS =	../../isccfg/libisccfg.@A@
+CFGDEPLIBS =	../../isccfg/libisccfg.@A@
+DNSLIBS =	../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS =	../../dns/libdns.@A@
+ISCLIBS =	../../isc/libisc.@A@
+ISCDEPLIBS =	../../isc/libisc.@A@
+IRSLIBS =	../libirs.@A@
+IRSDEPLIBS =	../libirs.@A@
+
+LIBS =		${IRSLIBS} ${CFGLIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@ @ATFLIBS@
+
+OBJS =
+SRCS =		resconf_test.c
+
+SUBDIRS =
+TARGETS =	resconf_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+resconf_test@EXEEXT@: resconf_test.@O@ ${CFGDEPLIBS} ${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			resconf_test.@O@ ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/irs/tests/resconf_test.c b/lib/irs/tests/resconf_test.c
new file mode 100644
index 0000000..488ed5b
--- /dev/null
+++ b/lib/irs/tests/resconf_test.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <irs/types.h>
+#include <irs/resconf.h>
+
+static isc_mem_t *mctx = NULL;
+
+static void
+setup_test() {
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * atf-run changes us to a /tmp directory, so tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	ATF_REQUIRE(chdir(TESTS) != -1);
+}
+
+ATF_TC(irs_resconf_load);
+ATF_TC_HEAD(irs_resconf_load, tc) {
+	atf_tc_set_md_var(tc, "descr", "irs_resconf_load");
+}
+ATF_TC_BODY(irs_resconf_load, tc) {
+	isc_result_t result;
+	irs_resconf_t *resconf = NULL;
+	unsigned int i;
+	struct {
+		const char *file;
+		isc_result_t loadres;
+		isc_result_t (*check)(irs_resconf_t *resconf);
+		isc_result_t checkres;
+	} tests[] = {
+		{
+			"testdata/domain.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/nameserver-v4.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/nameserver-v6.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-debug.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-ndots.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-timeout.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-unknown.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-bad-ndots.conf", ISC_R_RANGE,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/options-empty.conf", ISC_R_UNEXPECTEDEND,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/port.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/resolv.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/search.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/sortlist-v4.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/timeout.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}, {
+			"testdata/unknown.conf", ISC_R_SUCCESS,
+			NULL, ISC_R_SUCCESS
+		}
+
+	};
+
+	UNUSED(tc);
+
+	setup_test();
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[1]); i++) {
+		result = irs_resconf_load(mctx, tests[i].file, &resconf);
+		ATF_CHECK_EQ_MSG(result, tests[i].loadres, "%s", tests[i].file);
+		if (result == ISC_R_SUCCESS)
+			ATF_CHECK_MSG(resconf != NULL, "%s", tests[i].file);
+		else
+			ATF_CHECK_MSG(resconf == NULL, "%s", tests[i].file);
+		if (resconf != NULL && tests[i].check != NULL) {
+			result = (tests[i].check)(resconf);
+			ATF_CHECK_EQ_MSG(result, tests[i].checkres, "%s",
+					 tests[i].file);
+		}
+		if (resconf != NULL)
+			irs_resconf_destroy(&resconf);
+	}
+
+	isc_mem_detach(&mctx);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, irs_resconf_load);
+	return (atf_no_error());
+}
diff --git a/lib/irs/tests/testdata/domain.conf b/lib/irs/tests/testdata/domain.conf
new file mode 100644
index 0000000..6aef473
--- /dev/null
+++ b/lib/irs/tests/testdata/domain.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+domain example.com
diff --git a/lib/irs/tests/testdata/nameserver-v4.conf b/lib/irs/tests/testdata/nameserver-v4.conf
new file mode 100644
index 0000000..871d011
--- /dev/null
+++ b/lib/irs/tests/testdata/nameserver-v4.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+nameserver 10.0.0.1
diff --git a/lib/irs/tests/testdata/nameserver-v6.conf b/lib/irs/tests/testdata/nameserver-v6.conf
new file mode 100644
index 0000000..9147462
--- /dev/null
+++ b/lib/irs/tests/testdata/nameserver-v6.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+nameserver 2001:DB8::1
diff --git a/lib/irs/tests/testdata/options-bad-ndots.conf b/lib/irs/tests/testdata/options-bad-ndots.conf
new file mode 100644
index 0000000..5c104c7
--- /dev/null
+++ b/lib/irs/tests/testdata/options-bad-ndots.conf
@@ -0,0 +1,11 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+search example.com example.net
+options ndots:256
diff --git a/lib/irs/tests/testdata/options-debug.conf b/lib/irs/tests/testdata/options-debug.conf
new file mode 100644
index 0000000..b6e14c7
--- /dev/null
+++ b/lib/irs/tests/testdata/options-debug.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options debug
diff --git a/lib/irs/tests/testdata/options-empty.conf b/lib/irs/tests/testdata/options-empty.conf
new file mode 100644
index 0000000..e8b902e
--- /dev/null
+++ b/lib/irs/tests/testdata/options-empty.conf
@@ -0,0 +1,11 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+domain example.com
+options
diff --git a/lib/irs/tests/testdata/options-ndots.conf b/lib/irs/tests/testdata/options-ndots.conf
new file mode 100644
index 0000000..2f143e1
--- /dev/null
+++ b/lib/irs/tests/testdata/options-ndots.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+option ndots:2
diff --git a/lib/irs/tests/testdata/options-timeout.conf b/lib/irs/tests/testdata/options-timeout.conf
new file mode 100644
index 0000000..e211bba
--- /dev/null
+++ b/lib/irs/tests/testdata/options-timeout.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options timeout:1
diff --git a/lib/irs/tests/testdata/options-unknown.conf b/lib/irs/tests/testdata/options-unknown.conf
new file mode 100644
index 0000000..f5df6bf
--- /dev/null
+++ b/lib/irs/tests/testdata/options-unknown.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options unknown
diff --git a/lib/irs/tests/testdata/options.conf b/lib/irs/tests/testdata/options.conf
new file mode 100644
index 0000000..0d4dfa0
--- /dev/null
+++ b/lib/irs/tests/testdata/options.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+options unknown debug timeout:1 ndots:2
diff --git a/lib/irs/tests/testdata/port.conf b/lib/irs/tests/testdata/port.conf
new file mode 100644
index 0000000..04ed3e7
--- /dev/null
+++ b/lib/irs/tests/testdata/port.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+port 5300
diff --git a/lib/irs/tests/testdata/resolv.conf b/lib/irs/tests/testdata/resolv.conf
new file mode 100644
index 0000000..ddf93ff
--- /dev/null
+++ b/lib/irs/tests/testdata/resolv.conf
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+port 5300
+nameserver 10.0.0.1
+nameserver 2001:DB8::1
+search example.com example.net
+sortlist 130.155.160.0/255.255.240.0 130.155.0.0
+timeout 10
+unknown directive
+options unknown debug timeout:1 ndots:2
diff --git a/lib/irs/tests/testdata/search.conf b/lib/irs/tests/testdata/search.conf
new file mode 100644
index 0000000..5717006
--- /dev/null
+++ b/lib/irs/tests/testdata/search.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+search example.com example.net
diff --git a/lib/irs/tests/testdata/sortlist-v4.conf b/lib/irs/tests/testdata/sortlist-v4.conf
new file mode 100644
index 0000000..e903e37
--- /dev/null
+++ b/lib/irs/tests/testdata/sortlist-v4.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+sortlist 130.155.160.0/255.255.240.0 130.155.0.0
diff --git a/lib/irs/tests/testdata/timeout.conf b/lib/irs/tests/testdata/timeout.conf
new file mode 100644
index 0000000..2b87b25
--- /dev/null
+++ b/lib/irs/tests/testdata/timeout.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+timeout 10
diff --git a/lib/irs/tests/testdata/unknown.conf b/lib/irs/tests/testdata/unknown.conf
new file mode 100644
index 0000000..bfb9d7f
--- /dev/null
+++ b/lib/irs/tests/testdata/unknown.conf
@@ -0,0 +1,10 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+unknown directive
diff --git a/lib/irs/version.c b/lib/irs/version.c
new file mode 100644
index 0000000..4e33c77
--- /dev/null
+++ b/lib/irs/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <irs/version.h>
+
+const char irs_version[] = VERSION;
+
+const unsigned int irs_libinterface = LIBINTERFACE;
+const unsigned int irs_librevision = LIBREVISION;
+const unsigned int irs_libage = LIBAGE;
diff --git a/lib/irs/win32/DLLMain.c b/lib/irs/win32/DLLMain.c
new file mode 100644
index 0000000..8ff1017
--- /dev/null
+++ b/lib/irs/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/irs/win32/Makefile.in b/lib/irs/win32/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/irs/win32/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/win32/include/Makefile.in b/lib/irs/win32/include/Makefile.in
new file mode 100644
index 0000000..3601331
--- /dev/null
+++ b/lib/irs/win32/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	irs
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/irs/win32/include/irs/Makefile.in b/lib/irs/win32/include/irs/Makefile.in
new file mode 100644
index 0000000..f73058f
--- /dev/null
+++ b/lib/irs/win32/include/irs/Makefile.in
@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/irs
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/irs || exit 1; \
+	done
diff --git a/lib/irs/win32/include/irs/netdb.h b/lib/irs/win32/include/irs/netdb.h
new file mode 100644
index 0000000..9e0fc72
--- /dev/null
+++ b/lib/irs/win32/include/irs/netdb.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#ifndef IRS_NETDB_H
+#define IRS_NETDB_H 1
+
+#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+#undef ISC_IRS_NEEDADDRINFO
+
+#ifdef ISC_IRS_NEEDADDRINFO
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo().  EAI_INSECUREDATA is our own extension
+ * and it's very unlikely to be already defined, but undef it just in case; it
+ * at least doesn't do any harm.
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_OVERFLOW
+#undef	EAI_INSECUREDATA
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_OVERFLOW	14
+#define EAI_INSECUREDATA 15
+#define EAI_MAX		16
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+
+/*
+ * Define to map into irs_ namespace.
+ */
+
+#define IRS_NAMESPACE
+
+#ifdef IRS_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo irs_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo irs_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo irs_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror irs_gai_strerror
+
+#endif
+
+int getaddrinfo(const char *, const char *,
+		const struct addrinfo *, struct addrinfo **);
+int getnameinfo(const struct sockaddr *, socklen_t, char *,
+		DWORD, char *, DWORD, int);
+void freeaddrinfo(struct addrinfo *);
+char *gai_strerror(int);
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_NETDB_H */
diff --git a/lib/irs/win32/include/irs/platform.h b/lib/irs/win32/include/irs/platform.h
new file mode 100644
index 0000000..78c91ce
--- /dev/null
+++ b/lib/irs/win32/include/irs/platform.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#ifndef IRS_PLATFORM_H
+#define IRS_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#ifndef IRS_PLATFORM_USEDECLSPEC
+#define LIBIRS_EXTERNAL_DATA
+#else
+#ifdef LIBIRS_EXPORTS
+#define LIBIRS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBIRS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* IRS_PLATFORM_H */
diff --git a/lib/irs/win32/libirs.def b/lib/irs/win32/libirs.def
new file mode 100644
index 0000000..d4e9f6f
--- /dev/null
+++ b/lib/irs/win32/libirs.def
@@ -0,0 +1,27 @@
+LIBRARY libirs
+
+; Exported Functions
+EXPORTS
+irs_context_create
+irs_context_destroy
+irs_context_get
+irs_context_getappctx
+irs_context_getdnsclient
+irs_context_getdnsconf
+irs_context_getmctx
+irs_context_getresconf
+irs_context_gettask
+irs_context_gettaskmgr
+irs_context_gettimermgr
+irs_dnsconf_destroy
+irs_dnsconf_gettrustedkeys
+irs_dnsconf_load
+irs_freeaddrinfo
+irs_gai_strerror
+irs_getaddrinfo
+irs_getnameinfo
+irs_resconf_destroy
+irs_resconf_getnameservers
+irs_resconf_getndots
+irs_resconf_getsearchlist
+irs_resconf_load
diff --git a/lib/irs/win32/libirs.dsp.in b/lib/irs/win32/libirs.dsp.in
new file mode 100644
index 0000000..3f6d1a7
--- /dev/null
+++ b/lib/irs/win32/libirs.dsp.in
@@ -0,0 +1,169 @@
+# Microsoft Developer Studio Project File - Name="libirs" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libirs - @PLATFORM@ Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libirs.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libirs.mak" CFG="libirs - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libirs - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libirs - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libirs_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBIRS_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libirs.dll"
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libirs_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBIRS_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libirs.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libirs - @PLATFORM@ Release"
+# Name "libirs - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\context.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnsconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gai_strerror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getaddrinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getnameinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\resconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\irs\context.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\dnsconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\netdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\platform.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\resconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\irs\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libirs.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/irs/win32/libirs.dsw b/lib/irs/win32/libirs.dsw
new file mode 100644
index 0000000..2034776
--- /dev/null
+++ b/lib/irs/win32/libirs.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libirs"=.\libirs.dsp - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/irs/win32/libirs.mak.in b/lib/irs/win32/libirs.mak.in
new file mode 100644
index 0000000..4894057
--- /dev/null
+++ b/lib/irs/win32/libirs.mak.in
@@ -0,0 +1,548 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libirs.dsp
+!IF "$(CFG)" == ""
+CFG=libirs - @PLATFORM@ Release
+!MESSAGE No configuration specified. Defaulting to libirs - @PLATFORM@ Release.
+!ENDIF 
+
+!IF "$(CFG)" != "libirs - @PLATFORM@ Release" && "$(CFG)" != "libirs - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libirs.mak" CFG="libirs - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libirs - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libirs - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libirs.dll"
+
+!ELSE 
+
+ALL : "libisccfg - @PLATFORM@ Release" "libisc - @PLATFORM@ Release" "libdns - @PLATFORM@ Release" "..\..\..\Build\Release\libirs.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - @PLATFORM@ ReleaseCLEAN" "libisc - @PLATFORM@ ReleaseCLEAN" "libisccfg - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\dnsconf.obj"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\resconf.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libirs.exp"
+	-@erase "$(OUTDIR)\libirs.lib"
+	-@erase "..\..\..\Build\Release\libirs.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBIRS_EXPORTS" /Fp"$(INTDIR)\libirs.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libirs.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib  ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libirs.pdb" @MACHINE@ /def:".\libirs.def" /out:"../../../Build/Release/libirs.dll" /implib:"$(OUTDIR)\libirs.lib" 
+DEF_FILE= \
+	".\libirs.def"
+LINK32_OBJS= \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dnsconf.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\resconf.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Release\libdns.lib" \
+	"..\..\isc\win32\Release\libisc.lib" \
+	"..\..\isccfg\win32\Release\libisccfg.lib"
+
+"..\..\..\Build\Release\libirs.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libirs.dll" "$(OUTDIR)\libirs.bsc"
+
+!ELSE 
+
+ALL : "libisccfg - @PLATFORM@ Debug" "libisc - @PLATFORM@ Debug" "libdns - @PLATFORM@ Debug" "..\..\..\Build\Debug\libirs.dll" "$(OUTDIR)\libirs.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - @PLATFORM@ DebugCLEAN" "libisc - @PLATFORM@ DebugCLEAN" "libisccfg - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\context.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\dnsconf.obj"
+	-@erase "$(INTDIR)\dnsconf.sbr"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\gai_strerror.sbr"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\getaddrinfo.sbr"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\getnameinfo.sbr"
+	-@erase "$(INTDIR)\resconf.obj"
+	-@erase "$(INTDIR)\resconf.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libirs.bsc"
+	-@erase "$(OUTDIR)\libirs.exp"
+	-@erase "$(OUTDIR)\libirs.lib"
+	-@erase "$(OUTDIR)\libirs.pdb"
+	-@erase "..\..\..\Build\Debug\libirs.dll"
+	-@erase "..\..\..\Build\Debug\libirs.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od @LIBXML2_INC@ @OPENSSL_INC@ @GEOIP_INC@ /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isccfg/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBIRS_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libirs.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libirs.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\context.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\dnsconf.sbr" \
+	"$(INTDIR)\gai_strerror.sbr" \
+	"$(INTDIR)\getaddrinfo.sbr" \
+	"$(INTDIR)\getnameinfo.sbr" \
+	"$(INTDIR)\resconf.sbr" \
+	"$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libirs.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib ../../dns/win32/debug/libdns.lib ../../isccfg/win32/debug/libisccfg.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libirs.pdb" /debug @MACHINE@ /def:".\libirs.def" /out:"../../../Build/Debug/libirs.dll" /implib:"$(OUTDIR)\libirs.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libirs.def"
+LINK32_OBJS= \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\dnsconf.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\resconf.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\dns\win32\Debug\libdns.lib" \
+	"..\..\isc\win32\Debug\libisc.lib" \
+	"..\..\isccfg\win32\Debug\libisccfg.lib"
+
+"..\..\..\Build\Debug\libirs.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libirs.dep")
+!INCLUDE "libirs.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libirs.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libirs - @PLATFORM@ Release" || "$(CFG)" == "libirs - @PLATFORM@ Debug"
+SOURCE=..\context.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\context.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\context.obj"	"$(INTDIR)\context.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\dnsconf.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dnsconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dnsconf.obj"	"$(INTDIR)\dnsconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\gai_strerror.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\gai_strerror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\gai_strerror.obj"	"$(INTDIR)\gai_strerror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getaddrinfo.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getaddrinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getaddrinfo.obj"	"$(INTDIR)\getaddrinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getnameinfo.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getnameinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getnameinfo.obj"	"$(INTDIR)\getnameinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\resconf.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\resconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\resconf.obj"	"$(INTDIR)\resconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+"libdns - @PLATFORM@ Release" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" 
+   cd "..\..\irs\win32"
+
+"libdns - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+"libdns - @PLATFORM@ Debug" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" 
+   cd "..\..\irs\win32"
+
+"libdns - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+"libisc - @PLATFORM@ Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" 
+   cd "..\..\irs\win32"
+
+"libisc - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+"libisc - @PLATFORM@ Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" 
+   cd "..\..\irs\win32"
+
+"libisc - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libirs - @PLATFORM@ Release"
+
+"libisccfg - @PLATFORM@ Release" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Release" 
+   cd "..\..\irs\win32"
+
+"libisccfg - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ELSEIF  "$(CFG)" == "libirs - @PLATFORM@ Debug"
+
+"libisccfg - @PLATFORM@ Debug" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug" 
+   cd "..\..\irs\win32"
+
+"libisccfg - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isccfg\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\irs\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/irs/win32/libirs.vcxproj.filters.in b/lib/irs/win32/libirs.vcxproj.filters.in
new file mode 100644
index 0000000..eae47de
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.filters.in
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libirs.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\context.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnsconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gai_strerror.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getaddrinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getnameinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\resconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\irs\context.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\dnsconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\netdb.h.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\platform.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\resconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\irs\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/irs/win32/libirs.vcxproj.in b/lib/irs/win32/libirs.vcxproj.in
new file mode 100644
index 0000000..96af09b
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.in
@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A4F29CEB-7644-4A7F-BE9E-02B6A90E4919}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libirs</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBIRS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libirs.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBIRS_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\isccfg\include;..\..\dns\include;@LIBXML2_INC@@OPENSSL_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>.\libirs.def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libirs.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\context.c" />
+    <ClCompile Include="..\dnsconf.c" />
+    <ClCompile Include="..\gai_strerror.c" />
+    <ClCompile Include="..\getaddrinfo.c" />
+    <ClCompile Include="..\getnameinfo.c" />
+    <ClCompile Include="..\resconf.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\irs\context.h" />
+    <ClInclude Include="..\include\irs\dnsconf.h" />
+    <ClInclude Include="..\include\irs\netdb.h" />
+    <ClInclude Include="..\include\irs\platform.h" />
+    <ClInclude Include="..\include\irs\resconf.h" />
+    <ClInclude Include="..\include\irs\types.h" />
+    <ClInclude Include="..\include\irs\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/irs/win32/libirs.vcxproj.user b/lib/irs/win32/libirs.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/irs/win32/libirs.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/irs/win32/version.c b/lib/irs/win32/version.c
new file mode 100644
index 0000000..198e12d
--- /dev/null
+++ b/lib/irs/win32/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <irs/version.h>
+
+LIBIRS_EXTERNAL_DATA const char irs_version[] = VERSION;
+
+LIBIRS_EXTERNAL_DATA const unsigned int irs_libinterface = LIBINTERFACE;
+LIBIRS_EXTERNAL_DATA const unsigned int irs_librevision = LIBREVISION;
+LIBIRS_EXTERNAL_DATA const unsigned int irs_libage = LIBAGE;
diff --git a/lib/isc/Atffile b/lib/isc/Atffile
new file mode 100644
index 0000000..1edb838
--- /dev/null
+++ b/lib/isc/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: tests
diff --git a/lib/isc/Kyuafile b/lib/isc/Kyuafile
new file mode 100644
index 0000000..0739e3a
--- /dev/null
+++ b/lib/isc/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
new file mode 100644
index 0000000..ba53ef1
--- /dev/null
+++ b/lib/isc/Makefile.in
@@ -0,0 +1,146 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBISC_API@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER =	@PKCS11_PROVIDER@
+
+CINCLUDES =	-I${srcdir}/unix/include \
+		-I${srcdir}/@ISC_THREAD_DIR@/include \
+		-I${srcdir}/@ISC_ARCH_DIR@/include \
+		-I./include \
+		-I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
+CDEFINES =	@CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+CWARNINGS =
+
+# Alphabetically
+UNIXOBJS =	@ISC_ISCIPV6_O@ @ISC_ISCPK11_API_O@ \
+		unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ unix/errno.@O@ \
+		unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
+		unix/interfaceiter.@O@ unix/keyboard.@O@ unix/meminfo.@O@ \
+		unix/net.@O@ unix/os.@O@ unix/resource.@O@ unix/socket.@O@ \
+		unix/stdio.@O@ unix/stdtime.@O@ unix/strerror.@O@ \
+		unix/syslog.@O@ unix/time.@O@
+
+NLSOBJS =	nls/msgcat.@O@
+
+THREADOPTOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@
+
+THREADOBJS =	@THREADOPTOBJS@ @ISC_THREAD_DIR@/thread.@O@
+
+WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/errno.@O@ \
+		win32/file.@O@ win32/fsaccess.@O@ \
+		win32/meminfo.@O@ win32/once.@O@ \
+		win32/stdtime.@O@ win32/thread.@O@ win32/time.@O@
+
+# Alphabetically
+OBJS =		@ISC_EXTRA_OBJS@ @ISC_PK11_O@ @ISC_PK11_RESULT_O@ \
+		aes.@O@ assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
+		bind9.@O@ buffer.@O@ bufferlist.@O@ \
+		commandline.@O@ counter.@O@ crc64.@O@ error.@O@ event.@O@ \
+		hash.@O@ ht.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \
+		hmacsha.@O@ httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
+		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
+		md5.@O@ mem.@O@ mutexblock.@O@ \
+		netaddr.@O@ netscope.@O@ pool.@O@ ondestroy.@O@ \
+		parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
+		ratelimiter.@O@ refcount.@O@ region.@O@ regex.@O@ result.@O@ \
+		rwlock.@O@ \
+		safe.@O@ serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
+		tm.@O@ timer.@O@ version.@O@ \
+		${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+SYMTBLOBJS =	backtrace-emptytbl.@O@
+
+CHACHASRCS =	chacha_private.h
+
+# Alphabetically
+SRCS =		@ISC_EXTRA_SRCS@ @ISC_PK11_C@ @ISC_PK11_RESULT_C@ \
+		aes.c assertions.c backtrace.c base32.c base64.c bind9.c \
+		buffer.c bufferlist.c commandline.c counter.c crc64.c \
+		error.c event.c hash.c ht.c heap.c hex.c hmacmd5.c \
+		hmacsha.c httpd.c inet_aton.c iterated_hash.c \
+		lex.c lfsr.c lib.c log.c \
+		md5.c mem.c mutexblock.c \
+		netaddr.c netscope.c pool.c ondestroy.c \
+		parseint.c portset.c quota.c radix.c random.c ${CHACHASRCS} \
+		ratelimiter.c refcount.c region.c regex.c result.c rwlock.c \
+		safe.c serial.c sha1.c sha2.c sockaddr.c stats.c string.c \
+		strtoul.c symtab.c task.c taskpool.c timer.c \
+		tm.c version.c
+
+LIBS =		@ISC_OPENSSL_LIBS@ @LIBS@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS =	include unix nls @ISC_THREAD_DIR@ @ISC_ARCH_DIR@
+TARGETS =	timestamp
+TESTDIRS =	@UNITTESTS@
+
+@BIND9_MAKE_RULES@
+
+safe.@O@: safe.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} @CCNOOPT@ \
+		-c ${srcdir}/safe.c
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
+	${RANLIB} $@
+
+libisc-nosymtbl.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisc.la: ${OBJS} ${SYMTBLOBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${SYMTBLOBJS} ${LIBS}
+
+libisc-nosymtbl.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${LIBS}
+
+timestamp: libisc.@A@ libisc-nosymtbl.@A@
+	touch timestamp
+
+testdirs: libisc.@A@ libisc-nosymtbl.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisc.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisc.@A@
+
+clean distclean::
+	rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
+	libisc-nosymtbl.la timestamp
diff --git a/lib/isc/aes.c b/lib/isc/aes.c
new file mode 100644
index 0000000..2ca07f6
--- /dev/null
+++ b/lib/isc/aes.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/aes.c */
+
+#include <config.h>
+
+#include <isc/assertions.h>
+#include <isc/aes.h>
+#include <isc/platform.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_WANTAES
+#if HAVE_OPENSSL_EVP_AES
+
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context)
+#define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
+#endif
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_CIPHER_CTX _context;
+#endif
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_128_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
+					ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_CIPHER_CTX _context;
+#endif
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_192_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
+					ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_CIPHER_CTX _context;
+#endif
+	EVP_CIPHER_CTX *c;
+	int len;
+
+	c = EVP_CIPHER_CTX_new();
+	RUNTIME_CHECK(c != NULL);
+	RUNTIME_CHECK(EVP_EncryptInit(c, EVP_aes_256_ecb(), key, NULL) == 1);
+	EVP_CIPHER_CTX_set_padding(c, 0);
+	RUNTIME_CHECK(EVP_EncryptUpdate(c, out, &len, in,
+					ISC_AES_BLOCK_LENGTH) == 1);
+	RUNTIME_CHECK(len == ISC_AES_BLOCK_LENGTH);
+	EVP_CIPHER_CTX_free(c);
+}
+
+#elif HAVE_OPENSSL_AES
+
+#include <openssl/aes.h>
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	AES_KEY k;
+
+	RUNTIME_CHECK(AES_set_encrypt_key(key, 128, &k) == 0);
+	AES_encrypt(in, out, &k);
+}
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	AES_KEY k;
+
+	RUNTIME_CHECK(AES_set_encrypt_key(key, 192, &k) == 0);
+	AES_encrypt(in, out, &k);
+}
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	AES_KEY k;
+
+	RUNTIME_CHECK(AES_set_encrypt_key(key, 256, &k) == 0);
+	AES_encrypt(in, out, &k);
+}
+
+#elif PKCS11CRYPTO
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static void isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
+			  const unsigned char *in, unsigned char *out);
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	isc_aes_crypt(key, ISC_AES128_KEYLENGTH, in, out);
+}
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	isc_aes_crypt(key, ISC_AES192_KEYLENGTH, in, out);
+}
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out)
+{
+	isc_aes_crypt(key, ISC_AES256_KEYLENGTH, in, out);
+}
+
+static void
+isc_aes_crypt(const unsigned char *key, CK_ULONG keylen,
+	      const unsigned char *in, unsigned char *out)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_AES_ECB, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_AES;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_ENCRYPT, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, keylen }
+	};
+	CK_ULONG blocklen;
+	CK_BYTE_PTR pData;
+	pk11_context_t ctx;
+
+	DE_CONST(key, keyTemplate[5].pValue);
+	RUNTIME_CHECK(pk11_get_session(&ctx, OP_AES, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx.object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx.session, keyTemplate,
+			 (CK_ULONG) 6, &ctx.object));
+	INSIST(ctx.object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_EncryptInit,
+			(ctx.session, &mech, ctx.object));
+
+	DE_CONST(in, pData);
+	blocklen = (CK_ULONG) ISC_AES_BLOCK_LENGTH;
+	PK11_FATALCHECK(pkcs_C_Encrypt,
+			(ctx.session,
+			 pData, (CK_ULONG) ISC_AES_BLOCK_LENGTH,
+			 out, &blocklen));
+	RUNTIME_CHECK(blocklen == (CK_ULONG) ISC_AES_BLOCK_LENGTH);
+
+	(void) pkcs_C_DestroyObject(ctx.session, ctx.object);
+	ctx.object = CK_INVALID_HANDLE;
+	pk11_return_session(&ctx);
+
+}
+
+#endif
+#endif /* ISC_PLATFORM_WANTAES */
diff --git a/lib/isc/alpha/Makefile.in b/lib/isc/alpha/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/alpha/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/alpha/include/Makefile.in b/lib/isc/alpha/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/alpha/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/alpha/include/isc/Makefile.in b/lib/isc/alpha/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/alpha/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h
new file mode 100644
index 0000000..e704fef
--- /dev/null
+++ b/lib/isc/alpha/include/isc/atomic.h
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This code was written based on FreeBSD's kernel source whose copyright
+ * follows:
+ */
+
+/*-
+ * Copyright (c) 1998 Doug Rabson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/sys/alpha/include/atomic.h,v 1.18.6.1 2004/09/13 21:52:04 wilko Exp $
+ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEOSFASM
+#include <c_asm.h>
+
+#pragma intrinsic(asm)
+
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.  Memory access ordering around this function
+ * can be critical, so we add explicit memory block instructions at the
+ * beginning and the end of it (same for other functions).
+ */
+static inline int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	return (asm("mb;"
+		    "1:"
+		    "ldl_l %t0, 0(%a0);"	/* load old value */
+		    "mov %t0, %v0;"		/* copy the old value */
+		    "addl %t0, %a1, %t0;"	/* calculate new value */
+		    "stl_c %t0, 0(%a0);"	/* attempt to store */
+		    "beq %t0, 1b;"		/* spin if failed */
+		    "mb;",
+		    p, val));
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(int32_t *p, int32_t val) {
+	(void)asm("mb;"
+		  "1:"
+		  "ldl_l %t0, 0(%a0);"		/* load old value */
+		  "mov %a1, %t0;"		/* value to store */
+		  "stl_c %t0, 0(%a0);"		/* attempt to store */
+		  "beq %t0, 1b;"		/* spin if failed */
+		  "mb;",
+		  p, val);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+
+	return(asm("mb;"
+		   "1:"
+		   "ldl_l %t0, 0(%a0);"		/* load old value */
+		   "mov %t0, %v0;"		/* copy the old value */
+		   "cmpeq %t0, %a1, %t0;"	/* compare */
+		   "beq %t0, 2f;"		/* exit if not equal */
+		   "mov %a2, %t0;"		/* value to store */
+		   "stl_c %t0, 0(%a0);"		/* attempt to store */
+		   "beq %t0, 1b;"		/* if it failed, spin */
+		   "2:"
+		   "mb;",
+		   p, cmpval, val));
+}
+#elif defined (ISC_PLATFORM_USEGCCASM)
+static inline int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	int32_t temp, prev;
+
+	__asm__ volatile(
+		"mb;"
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %0, %2;"			/* copy the old value */
+		"addl %0, %3, %0;"		/* calculate new value */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* spin if failed */
+		"mb;"
+		: "=&r"(temp), "+m"(*p), "=&r"(prev)
+		: "r"(val)
+		: "memory");
+
+	return (prev);
+}
+
+static inline void
+isc_atomic_store(int32_t *p, int32_t val) {
+	int32_t temp;
+
+	__asm__ volatile(
+		"mb;"
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %2, %0;"			/* value to store */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* if it failed, spin */
+		"mb;"
+		: "=&r"(temp), "+m"(*p)
+		: "r"(val)
+		: "memory");
+}
+
+static inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	int32_t temp, prev;
+
+	__asm__ volatile(
+		"mb;"
+		"1:"
+		"ldl_l %0, %1;"			/* load old value */
+		"mov %0, %2;"			/* copy the old value */
+		"cmpeq %0, %3, %0;"		/* compare */
+		"beq %0, 2f;"			/* exit if not equal */
+		"mov %4, %0;"			/* value to store */
+		"stl_c %0, %1;"			/* attempt to store */
+		"beq %0, 1b;"			/* if it failed, spin */
+		"2:"
+		"mb;"
+		: "=&r"(temp), "+m"(*p), "=&r"(prev)
+		: "r"(cmpval), "r"(val)
+		: "memory");
+
+	return (prev);
+}
+#else
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/api b/lib/isc/api
new file mode 100644
index 0000000..7b1b2b1
--- /dev/null
+++ b/lib/isc/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 1100
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/isc/app_api.c b/lib/isc/app_api.c
new file mode 100644
index 0000000..425eb5a
--- /dev/null
+++ b/lib/isc/app_api.c
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_appctxcreatefunc_t appctx_createfunc = NULL;
+static bool is_running = false;
+
+#define ISCAPI_APPMETHODS_VALID(m) ISC_MAGIC_VALID(m, ISCAPI_APPMETHODS_MAGIC)
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (appctx_createfunc == NULL)
+		appctx_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc_result_t result;
+
+	if (isc_bind9)
+		return (isc__appctx_create(mctx, ctxp));
+
+	LOCK(&createlock);
+
+	REQUIRE(appctx_createfunc != NULL);
+	result = (*appctx_createfunc)(mctx, ctxp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp) {
+	REQUIRE(ctxp != NULL && ISCAPI_APPCTX_VALID(*ctxp));
+
+	if (isc_bind9)
+		isc__appctx_destroy(ctxp);
+	else
+		(*ctxp)->methods->ctxdestroy(ctxp);
+
+	ENSURE(*ctxp == NULL);
+}
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		return (isc__app_ctxstart(ctx));
+
+	return (ctx->methods->ctxstart(ctx));
+}
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		return (isc__app_ctxrun(ctx));
+
+	return (ctx->methods->ctxrun(ctx));
+}
+
+isc_result_t
+isc_app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx,
+		 isc_task_t *task, isc_taskaction_t action,
+		 void *arg)
+{
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		return (isc__app_ctxonrun(ctx, mctx, task, action, arg));
+
+	return (ctx->methods->ctxonrun(ctx, mctx, task, action, arg));
+}
+
+isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		return (isc__app_ctxsuspend(ctx));
+
+	return (ctx->methods->ctxsuspend(ctx));
+}
+
+isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		return (isc__app_ctxshutdown(ctx));
+
+	return (ctx->methods->ctxshutdown(ctx));
+}
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+
+	if (isc_bind9)
+		isc__app_ctxfinish(ctx);
+
+	ctx->methods->ctxfinish(ctx);
+}
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(taskmgr != NULL);
+
+	if (isc_bind9)
+		isc__appctx_settaskmgr(ctx, taskmgr);
+
+	ctx->methods->settaskmgr(ctx, taskmgr);
+}
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(socketmgr != NULL);
+
+	if (isc_bind9)
+		isc__appctx_setsocketmgr(ctx, socketmgr);
+
+	ctx->methods->setsocketmgr(ctx, socketmgr);
+}
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr) {
+	REQUIRE(ISCAPI_APPCTX_VALID(ctx));
+	REQUIRE(timermgr != NULL);
+
+	if (isc_bind9)
+		isc__appctx_settimermgr(ctx, timermgr);
+
+	ctx->methods->settimermgr(ctx, timermgr);
+}
+
+isc_result_t
+isc_app_start(void) {
+	if (isc_bind9)
+		return (isc__app_start());
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task,
+	       isc_taskaction_t action, void *arg)
+{
+	if (isc_bind9)
+		return (isc__app_onrun(mctx, task, action, arg));
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc_app_run() {
+	if (isc_bind9) {
+		isc_result_t result;
+
+		is_running = true;
+		result = isc__app_run();
+		is_running = false;
+
+		return (result);
+	}
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+bool
+isc_app_isrunning() {
+	return (is_running);
+}
+
+isc_result_t
+isc_app_shutdown(void) {
+	if (isc_bind9)
+		return (isc__app_shutdown());
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc_app_reload(void) {
+	if (isc_bind9)
+		return (isc__app_reload());
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+isc_app_finish(void) {
+	if (!isc_bind9)
+		return;
+
+	isc__app_finish();
+}
+
+void
+isc_app_block(void) {
+	if (!isc_bind9)
+		return;
+
+	isc__app_block();
+}
+
+void
+isc_app_unblock(void) {
+	if (!isc_bind9)
+		return;
+
+	isc__app_unblock();
+}
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
new file mode 100644
index 0000000..b52342e
--- /dev/null
+++ b/lib/isc/assertions.c
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/backtrace.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+/*
+ * The maximum number of stack frames to dump on assertion failure.
+ */
+#ifndef BACKTRACE_MAXFRAME
+#define BACKTRACE_MAXFRAME 128
+#endif
+
+/*%
+ * Forward.
+ */
+static void
+default_callback(const char *, int, isc_assertiontype_t, const char *);
+
+static isc_assertioncallback_t isc_assertion_failed_cb = default_callback;
+
+/*%
+ * Public.
+ */
+
+/*% assertion failed handler */
+/* coverity[+kill] */
+void
+isc_assertion_failed(const char *file, int line, isc_assertiontype_t type,
+		     const char *cond)
+{
+	isc_assertion_failed_cb(file, line, type, cond);
+	abort();
+	/* NOTREACHED */
+}
+
+/*% Set callback. */
+void
+isc_assertion_setcallback(isc_assertioncallback_t cb) {
+	if (cb == NULL)
+		isc_assertion_failed_cb = default_callback;
+	else
+		isc_assertion_failed_cb = cb;
+}
+
+/*% Type to Text */
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type) {
+	const char *result;
+
+	/*
+	 * These strings have purposefully not been internationalized
+	 * because they are considered to essentially be keywords of
+	 * the ISC development environment.
+	 */
+	switch (type) {
+	case isc_assertiontype_require:
+		result = "REQUIRE";
+		break;
+	case isc_assertiontype_ensure:
+		result = "ENSURE";
+		break;
+	case isc_assertiontype_insist:
+		result = "INSIST";
+		break;
+	case isc_assertiontype_invariant:
+		result = "INVARIANT";
+		break;
+	default:
+		result = NULL;
+	}
+	return (result);
+}
+
+/*
+ * Private.
+ */
+
+static void
+default_callback(const char *file, int line, isc_assertiontype_t type,
+		 const char *cond)
+{
+	void *tracebuf[BACKTRACE_MAXFRAME];
+	int i, nframes;
+	const char *logsuffix = ".";
+	const char *fname;
+	isc_result_t result;
+
+	result = isc_backtrace_gettrace(tracebuf, BACKTRACE_MAXFRAME, &nframes);
+		if (result == ISC_R_SUCCESS && nframes > 0)
+			logsuffix = ", back trace";
+
+	fprintf(stderr, "%s:%d: %s(%s) %s%s\n",
+		file, line, isc_assertion_typetotext(type), cond,
+		isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+			       ISC_MSG_FAILED, "failed"), logsuffix);
+	if (result == ISC_R_SUCCESS) {
+		for (i = 0; i < nframes; i++) {
+			unsigned long offset;
+
+			fname = NULL;
+			result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+							 &offset);
+			if (result == ISC_R_SUCCESS) {
+				fprintf(stderr, "#%d %p in %s()+0x%lx\n", i,
+					tracebuf[i], fname, offset);
+			} else {
+				fprintf(stderr, "#%d %p in ??\n", i,
+					tracebuf[i]);
+			}
+		}
+	}
+	fflush(stderr);
+}
diff --git a/lib/isc/backtrace-emptytbl.c b/lib/isc/backtrace-emptytbl.c
new file mode 100644
index 0000000..5822cfb
--- /dev/null
+++ b/lib/isc/backtrace-emptytbl.c
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+/*
+ * This file defines an empty (default) symbol table used in backtrace.c
+ * If the application wants to have a complete symbol table, it should redefine
+ * isc__backtrace_symtable with the complete table in some way, and link the
+ * version of the library not including this definition
+ * (e.g. libisc-nosymbol.a).
+ */
+
+#include <config.h>
+
+#include <isc/backtrace.h>
+
+LIBISC_EXTERNAL_DATA const int isc__backtrace_nsymbols = 0;
+LIBISC_EXTERNAL_DATA const
+	isc_backtrace_symmap_t isc__backtrace_symtable[] = { { NULL, "" } };
diff --git a/lib/isc/backtrace.c b/lib/isc/backtrace.c
new file mode 100644
index 0000000..0ea1455
--- /dev/null
+++ b/lib/isc/backtrace.c
@@ -0,0 +1,290 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+#include <stdlib.h>
+#ifdef HAVE_LIBCTRACE
+#include <execinfo.h>
+#endif
+
+#include <isc/backtrace.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_USEBACKTRACE
+/*
+ * Getting a back trace of a running process is tricky and highly platform
+ * dependent.  Our current approach is as follows:
+ * 1. If the system library supports the "backtrace()" function, use it.
+ * 2. Otherwise, if the compiler is gcc and the architecture is x86_64 or IA64,
+ *    then use gcc's (hidden) Unwind_Backtrace() function.  Note that this
+ *    function doesn't work for C programs on many other architectures.
+ * 3. Otherwise, if the architecture x86 or x86_64, try to unwind the stack
+ *    frame following frame pointers.  This assumes the executable binary
+ *    compiled with frame pointers; this is not always true for x86_64 (rather,
+ *    compiler optimizations often disable frame pointers).  The validation
+ *    checks in getnextframeptr() hopefully rejects bogus values stored in
+ *    the RBP register in such a case.  If the backtrace function itself crashes
+ *    due to this problem, the whole package should be rebuilt with
+ *    --disable-backtrace.
+ */
+#ifdef HAVE_LIBCTRACE
+#define BACKTRACE_LIBC
+#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__ia64__))
+#define BACKTRACE_GCC
+#elif defined(WIN32)
+#define BACKTRACE_WIN32
+#elif defined(__x86_64__) || defined(__i386__)
+#define BACKTRACE_X86STACK
+#else
+#define BACKTRACE_DISABLED
+#endif  /* HAVE_LIBCTRACE */
+#else	/* !ISC_PLATFORM_USEBACKTRACE */
+#define BACKTRACE_DISABLED
+#endif	/* ISC_PLATFORM_USEBACKTRACE */
+
+#ifdef BACKTRACE_LIBC
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int n;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	/*
+	 * backtrace(3) includes this function itself in the address array,
+	 * which should be eliminated from the returned sequence.
+	 */
+	n = backtrace(addrs, maxaddrs);
+	if (n < 2)
+		return (ISC_R_NOTFOUND);
+	n--;
+	memmove(addrs, &addrs[1], sizeof(void *) * n);
+	*nframes = n;
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_GCC)
+extern int _Unwind_Backtrace(void* fn, void* a);
+extern void* _Unwind_GetIP(void* ctx);
+
+typedef struct {
+	void **result;
+	int max_depth;
+	int skip_count;
+	int count;
+} trace_arg_t;
+
+static int
+btcallback(void *uc, void *opq) {
+	trace_arg_t *arg = (trace_arg_t *)opq;
+
+	if (arg->skip_count > 0)
+		arg->skip_count--;
+	else
+		arg->result[arg->count++] = (void *)_Unwind_GetIP(uc);
+	if (arg->count == arg->max_depth)
+		return (5); /* _URC_END_OF_STACK */
+
+	return (0); /* _URC_NO_REASON */
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	trace_arg_t arg;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	arg.skip_count = 1;
+	arg.result = addrs;
+	arg.max_depth = maxaddrs;
+	arg.count = 0;
+	_Unwind_Backtrace(btcallback, &arg);
+
+	*nframes = arg.count;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_WIN32)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	unsigned long ftc = (unsigned long)maxaddrs;
+
+	*nframes = (int)CaptureStackBackTrace(1, ftc, addrs, NULL);
+	return ISC_R_SUCCESS;
+}
+#elif defined(BACKTRACE_X86STACK)
+#ifdef __x86_64__
+static unsigned long
+getrbp(void) {
+	__asm("movq %rbp, %rax\n");
+}
+#endif
+
+static void **
+getnextframeptr(void **sp) {
+	void **newsp = (void **)*sp;
+
+	/*
+	 * Perform sanity check for the new frame pointer, derived from
+	 * google glog.  This can actually be bogus depending on compiler.
+	 */
+
+	/* prohibit the stack frames from growing downwards */
+	if (newsp <= sp)
+		return (NULL);
+
+	/* A heuristics to reject "too large" frame: this actually happened. */
+	if ((char *)newsp - (char *)sp > 100000)
+		return (NULL);
+
+	/*
+	 * Not sure if other checks used in glog are needed at this moment.
+	 * For our purposes we don't have to consider non-contiguous frames,
+	 * for example.
+	 */
+
+	return (newsp);
+}
+
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	int i = 0;
+	void **sp;
+
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+#ifdef __x86_64__
+	sp = (void **)getrbp();
+	if (sp == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * sp is the frame ptr of this function itself due to the call to
+	 * getrbp(), so need to unwind one frame for consistency.
+	 */
+	sp = getnextframeptr(sp);
+#else
+	/*
+	 * i386: the frame pointer is stored 2 words below the address for the
+	 * first argument.  Note that the body of this function cannot be
+	 * inlined since it depends on the address of the function argument.
+	 */
+	sp = (void **)&addrs - 2;
+#endif
+
+	while (sp != NULL && i < maxaddrs) {
+		addrs[i++] = *(sp + 1);
+		sp = getnextframeptr(sp);
+	}
+
+	*nframes = i;
+
+	return (ISC_R_SUCCESS);
+}
+#elif defined(BACKTRACE_DISABLED)
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes) {
+	/* Argument validation: see above. */
+	if (addrs == NULL || nframes == NULL)
+		return (ISC_R_FAILURE);
+
+	UNUSED(maxaddrs);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+#endif
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int idx, const void **addrp,
+				 const char **symbolp)
+{
+	REQUIRE(addrp != NULL && *addrp == NULL);
+	REQUIRE(symbolp != NULL && *symbolp == NULL);
+
+	if (idx < 0 || idx >= isc__backtrace_nsymbols)
+		return (ISC_R_RANGE);
+
+	*addrp = isc__backtrace_symtable[idx].addr;
+	*symbolp = isc__backtrace_symtable[idx].symbol;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+symtbl_compare(const void *addr, const void *entryarg) {
+	const isc_backtrace_symmap_t *entry = entryarg;
+	const isc_backtrace_symmap_t *end =
+		&isc__backtrace_symtable[isc__backtrace_nsymbols - 1];
+
+	if (isc__backtrace_nsymbols == 1 || entry == end) {
+		if (addr >= entry->addr) {
+			/*
+			 * If addr is equal to or larger than that of the last
+			 * entry of the table, we cannot be sure if this is
+			 * within a valid range so we consider it valid.
+			 */
+			return (0);
+		}
+		return (-1);
+	}
+
+	/* entry + 1 is a valid entry from now on. */
+	if (addr < entry->addr)
+		return (-1);
+	else if (addr >= (entry + 1)->addr)
+		return (1);
+	return (0);
+}
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_backtrace_symmap_t *found;
+
+	/*
+	 * Validate the arguments: intentionally avoid using REQUIRE().
+	 * See notes in backtrace.h.
+	 */
+	if (symbolp == NULL || *symbolp != NULL || offsetp == NULL)
+		return (ISC_R_FAILURE);
+
+	if (isc__backtrace_nsymbols < 1)
+		return (ISC_R_NOTFOUND);
+
+	/*
+	 * Search the table for the entry that meets:
+	 * entry.addr <= addr < next_entry.addr.
+	 */
+	found = bsearch(addr, isc__backtrace_symtable, isc__backtrace_nsymbols,
+			sizeof(isc__backtrace_symtable[0]), symtbl_compare);
+	if (found == NULL)
+		result = ISC_R_NOTFOUND;
+	else {
+		*symbolp = found->symbol;
+		*offsetp = (unsigned long) ((const char *)addr -
+					    (char *)found->addr);
+	}
+
+	return (result);
+}
diff --git a/lib/isc/base32.c b/lib/isc/base32.c
new file mode 100644
index 0000000..bb8c2e1
--- /dev/null
+++ b/lib/isc/base32.c
@@ -0,0 +1,419 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+
+/*@{*/
+/*!
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+/*@}*/
+
+static const char base32[] =
+	 "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=abcdefghijklmnopqrstuvwxyz234567";
+static const char base32hex[] =
+	"0123456789ABCDEFGHIJKLMNOPQRSTUV=0123456789abcdefghijklmnopqrstuv";
+
+static isc_result_t
+base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+	      isc_buffer_t *target, const char base[], char pad)
+{
+	char buf[9];
+	unsigned int loops = 0;
+
+	if (wordlength >= 0 && wordlength < 8)
+		wordlength = 8;
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 0) {
+		buf[0] = base[((source->base[0]>>3)&0x1f)];	/* 5 + */
+		if (source->length == 1) {
+			buf[1] = base[(source->base[0]<<2)&0x1c];
+			buf[2] = buf[3] = buf[4] = pad;
+			buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[1] = base[((source->base[0]<<2)&0x1c)|	/* 3 = 8 */
+			      ((source->base[1]>>6)&0x03)];	/* 2 + */
+		buf[2] = base[((source->base[1]>>1)&0x1f)];	/* 5 + */
+		if (source->length == 2) {
+			buf[3] = base[(source->base[1]<<4)&0x10];
+			buf[4] = buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[3] = base[((source->base[1]<<4)&0x10)|	/* 1 = 8 */
+			      ((source->base[2]>>4)&0x0f)];	/* 4 + */
+		if (source->length == 3) {
+			buf[4] = base[(source->base[2]<<1)&0x1e];
+			buf[5] = buf[6] = buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[4] = base[((source->base[2]<<1)&0x1e)|	/* 4 = 8 */
+			      ((source->base[3]>>7)&0x01)];	/* 1 + */
+		buf[5] = base[((source->base[3]>>2)&0x1f)];	/* 5 + */
+		if (source->length == 4) {
+			buf[6] = base[(source->base[3]<<3)&0x18];
+			buf[7] = pad;
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[6] = base[((source->base[3]<<3)&0x18)|	/* 2 = 8 */
+			      ((source->base[4]>>5)&0x07)];	/* 3 + */
+		buf[7] = base[source->base[4]&0x1f];		/* 5 = 8 */
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 5);
+
+		loops++;
+		if (source->length != 0 && wordlength >= 0 &&
+		    (int)((loops + 1) * 8) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	if (source->length > 0)
+		isc_region_consume(source, source->length);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target)
+{
+	return (base32_totext(source, wordlength, wordbreak, target,
+			      base32, '='));
+}
+
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target)
+{
+	return (base32_totext(source, wordlength, wordbreak, target,
+			      base32hex, '='));
+}
+
+isc_result_t
+isc_base32hexnp_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target)
+{
+	return (base32_totext(source, wordlength, wordbreak, target,
+			      base32hex, 0));
+}
+
+/*%
+ * State of a base32 decoding process in progress.
+ */
+typedef struct {
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered base32 digits */
+	bool seen_end;	/*%< True if "=" end marker seen */
+	int val[8];
+	const char *base;	/*%< Which encoding we are using */
+	int seen_32;		/*%< Number of significant bytes if non zero */
+	bool pad;	/*%< Expect padding */
+} base32_decode_ctx_t;
+
+static inline void
+base32_decode_init(base32_decode_ctx_t *ctx, int length, const char base[],
+		   bool pad, isc_buffer_t *target)
+{
+	ctx->digits = 0;
+	ctx->seen_end = false;
+	ctx->seen_32 = 0;
+	ctx->length = length;
+	ctx->target = target;
+	ctx->base = base;
+	ctx->pad = pad;
+}
+
+static inline isc_result_t
+base32_decode_char(base32_decode_ctx_t *ctx, int c) {
+	const char *s;
+	unsigned int last;
+
+	if (ctx->seen_end)
+		return (ISC_R_BADBASE32);
+	if ((s = strchr(ctx->base, c)) == NULL)
+		return (ISC_R_BADBASE32);
+	last = (unsigned int)(s - ctx->base);
+
+	/*
+	 * Handle lower case.
+	 */
+	if (last > 32)
+		last -= 33;
+
+	/*
+	 * Check that padding is contiguous.
+	 */
+	if (last != 32 && ctx->seen_32 != 0)
+		return (ISC_R_BADBASE32);
+
+	/*
+	 * If padding is not permitted flag padding as a error.
+	 */
+	if (last == 32 && !ctx->pad)
+		return (ISC_R_BADBASE32);
+
+	/*
+	 * Check that padding starts at the right place and that
+	 * bits that should be zero are.
+	 * Record how many significant bytes in answer (seen_32).
+	 */
+	if (last == 32 && ctx->seen_32 == 0)
+		switch (ctx->digits) {
+		case 0:
+		case 1:
+			return (ISC_R_BADBASE32);
+		case 2:
+			if ((ctx->val[1]&0x03) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 1;
+			break;
+		case 3:
+			return (ISC_R_BADBASE32);
+		case 4:
+			if ((ctx->val[3]&0x0f) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 3;
+			break;
+		case 5:
+			if ((ctx->val[4]&0x01) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 3;
+			break;
+		case 6:
+			return (ISC_R_BADBASE32);
+		case 7:
+			if ((ctx->val[6]&0x07) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 4;
+			break;
+		}
+
+	/*
+	 * Zero fill pad values.
+	 */
+	ctx->val[ctx->digits++] = (last == 32) ? 0 : last;
+
+	if (ctx->digits == 8) {
+		int n = 5;
+		unsigned char buf[5];
+
+		if (ctx->seen_32 != 0) {
+			ctx->seen_end = true;
+			n = ctx->seen_32;
+		}
+		buf[0] = (ctx->val[0]<<3)|(ctx->val[1]>>2);
+		buf[1] = (ctx->val[1]<<6)|(ctx->val[2]<<1)|(ctx->val[3]>>4);
+		buf[2] = (ctx->val[3]<<4)|(ctx->val[4]>>1);
+		buf[3] = (ctx->val[4]<<7)|(ctx->val[5]<<2)|(ctx->val[6]>>3);
+		buf[4] = (ctx->val[6]<<5)|(ctx->val[7]);
+		RETERR(mem_tobuffer(ctx->target, buf, n));
+		if (ctx->length >= 0) {
+			if (n > ctx->length)
+				return (ISC_R_BADBASE32);
+			else
+				ctx->length -= n;
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+base32_decode_finish(base32_decode_ctx_t *ctx) {
+
+	if (ctx->length > 0)
+		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Add missing padding if required.
+	 */
+	if (!ctx->pad && ctx->digits != 0) {
+		ctx->pad = true;
+		do {
+			RETERR(base32_decode_char(ctx, '='));
+		} while (ctx->digits != 0);
+	}
+	if (ctx->digits != 0)
+		return (ISC_R_BADBASE32);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+base32_tobuffer(isc_lex_t *lexer, const char base[], bool pad,
+		isc_buffer_t *target, int length)
+{
+	base32_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	base32_decode_init(&ctx, length, base, pad, target);
+
+	while (!ctx.seen_end && (ctx.length != 0)) {
+		unsigned int i;
+
+		if (length > 0)
+			eol = false;
+		else
+			eol = true;
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string)
+			break;
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++)
+			RETERR(base32_decode_char(&ctx, tr->base[i]));
+	}
+	if (ctx.length < 0 && !ctx.seen_end)
+		isc_lex_ungettoken(lexer, &token);
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32, true, target, length));
+}
+
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32hex, true, target, length));
+}
+
+isc_result_t
+isc_base32hexnp_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32hex, false, target, length));
+}
+
+static isc_result_t
+base32_decodestring(const char *cstr, const char base[], bool pad,
+		    isc_buffer_t *target)
+{
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, pad, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0')
+			break;
+		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+			continue;
+		RETERR(base32_decode_char(&ctx, c));
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32, true, target));
+}
+
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32hex, true, target));
+}
+
+isc_result_t
+isc_base32hexnp_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32hex, false, target));
+}
+
+static isc_result_t
+base32_decoderegion(isc_region_t *source, const char base[],
+		    bool pad, isc_buffer_t *target)
+{
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, pad, target);
+	while (source->length != 0) {
+		int c = *source->base;
+		RETERR(base32_decode_char(&ctx, c));
+		isc_region_consume(source, 1);
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32, true, target));
+}
+
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32hex, true, target));
+}
+
+isc_result_t
+isc_base32hexnp_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32hex, false, target));
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length)
+		return (ISC_R_NOSPACE);
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
new file mode 100644
index 0000000..c7a1722
--- /dev/null
+++ b/lib/isc/base64.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+
+/*@{*/
+/*!
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char base64[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+/*@}*/
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target)
+{
+	char buf[5];
+	unsigned int loops = 0;
+
+	if (wordlength < 4)
+		wordlength = 4;
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 2) {
+		buf[0] = base64[(source->base[0]>>2)&0x3f];
+		buf[1] = base64[((source->base[0]<<4)&0x30)|
+				((source->base[1]>>4)&0x0f)];
+		buf[2] = base64[((source->base[1]<<2)&0x3c)|
+				((source->base[2]>>6)&0x03)];
+		buf[3] = base64[source->base[2]&0x3f];
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 3);
+
+		loops++;
+		if (source->length != 0 &&
+		    (int)((loops + 1) * 4) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	if (source->length == 2) {
+		buf[0] = base64[(source->base[0]>>2)&0x3f];
+		buf[1] = base64[((source->base[0]<<4)&0x30)|
+				((source->base[1]>>4)&0x0f)];
+		buf[2] = base64[((source->base[1]<<2)&0x3c)];
+		buf[3] = '=';
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 2);
+	} else if (source->length == 1) {
+		buf[0] = base64[(source->base[0]>>2)&0x3f];
+		buf[1] = base64[((source->base[0]<<4)&0x30)];
+		buf[2] = buf[3] = '=';
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 1);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * State of a base64 decoding process in progress.
+ */
+typedef struct {
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered base64 digits */
+	bool seen_end;	/*%< True if "=" end marker seen */
+	int val[4];
+} base64_decode_ctx_t;
+
+static inline void
+base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target)
+{
+	ctx->digits = 0;
+	ctx->seen_end = false;
+	ctx->length = length;
+	ctx->target = target;
+}
+
+static inline isc_result_t
+base64_decode_char(base64_decode_ctx_t *ctx, int c) {
+	const char *s;
+
+	if (ctx->seen_end)
+		return (ISC_R_BADBASE64);
+	if ((s = strchr(base64, c)) == NULL)
+		return (ISC_R_BADBASE64);
+	ctx->val[ctx->digits++] = (int)(s - base64);
+	if (ctx->digits == 4) {
+		int n;
+		unsigned char buf[3];
+		if (ctx->val[0] == 64 || ctx->val[1] == 64)
+			return (ISC_R_BADBASE64);
+		if (ctx->val[2] == 64 && ctx->val[3] != 64)
+			return (ISC_R_BADBASE64);
+		/*
+		 * Check that bits that should be zero are.
+		 */
+		if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
+			return (ISC_R_BADBASE64);
+		/*
+		 * We don't need to test for ctx->val[2] != 64 as
+		 * the bottom two bits of 64 are zero.
+		 */
+		if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
+			return (ISC_R_BADBASE64);
+		n = (ctx->val[2] == 64) ? 1 :
+			(ctx->val[3] == 64) ? 2 : 3;
+		if (n != 3) {
+			ctx->seen_end = true;
+			if (ctx->val[2] == 64)
+				ctx->val[2] = 0;
+			if (ctx->val[3] == 64)
+				ctx->val[3] = 0;
+		}
+		buf[0] = (ctx->val[0]<<2)|(ctx->val[1]>>4);
+		buf[1] = (ctx->val[1]<<4)|(ctx->val[2]>>2);
+		buf[2] = (ctx->val[2]<<6)|(ctx->val[3]);
+		RETERR(mem_tobuffer(ctx->target, buf, n));
+		if (ctx->length >= 0) {
+			if (n > ctx->length)
+				return (ISC_R_BADBASE64);
+			else
+				ctx->length -= n;
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+base64_decode_finish(base64_decode_ctx_t *ctx) {
+	if (ctx->length > 0)
+		return (ISC_R_UNEXPECTEDEND);
+	if (ctx->digits != 0)
+		return (ISC_R_BADBASE64);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	base64_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	base64_decode_init(&ctx, length, target);
+
+	while (!ctx.seen_end && (ctx.length != 0)) {
+		unsigned int i;
+
+		if (length > 0)
+			eol = false;
+		else
+			eol = true;
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string)
+			break;
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++)
+			RETERR(base64_decode_char(&ctx, tr->base[i]));
+	}
+	if (ctx.length < 0 && !ctx.seen_end)
+		isc_lex_ungettoken(lexer, &token);
+	RETERR(base64_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
+	base64_decode_ctx_t ctx;
+
+	base64_decode_init(&ctx, -1, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0')
+			break;
+		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+			continue;
+		RETERR(base64_decode_char(&ctx, c));
+	}
+	RETERR(base64_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length)
+		return (ISC_R_NOSPACE);
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/bind9.c b/lib/isc/bind9.c
new file mode 100644
index 0000000..e5b2fef
--- /dev/null
+++ b/lib/isc/bind9.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/bind9.h>
+
+/*
+ * This determines whether we are using the libisc/libdns libraries
+ * in BIND9 or in some other application. It is initialized to true
+ * and remains unchanged for BIND9 and related tools; export library
+ * clients will run isc_lib_register(), which sets it to false,
+ * overriding certain BIND9 behaviors.
+ */
+LIBISC_EXTERNAL_DATA bool isc_bind9 = true;
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
new file mode 100644
index 0000000..9de1e06
--- /dev/null
+++ b/lib/isc/buffer.c
@@ -0,0 +1,649 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdarg.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+void
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length) {
+	/*
+	 * Make 'b' refer to the 'length'-byte region starting at 'base'.
+	 * XXXDCL see the comment in buffer.h about base being const.
+	 */
+
+	REQUIRE(b != NULL);
+
+	ISC__BUFFER_INIT(b, base, length);
+}
+
+void
+isc__buffer_initnull(isc_buffer_t *b) {
+	/*
+	 * Initialize a new buffer which has no backing store.  This can
+	 * later be grown as needed and swapped in place.
+	 */
+
+	ISC__BUFFER_INIT(b, NULL, 0);
+}
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length) {
+	/*
+	 * Re-initialize the buffer enough to reconfigure the base of the
+	 * buffer.  We will swap in the new buffer, after copying any
+	 * data we contain into the new buffer and adjusting all of our
+	 * internal pointers.
+	 *
+	 * The buffer must not be smaller than the length of the original
+	 * buffer.
+	 */
+	REQUIRE(b->length <= length);
+	REQUIRE(base != NULL);
+	REQUIRE(!b->autore);
+
+	if (b->length > 0U) {
+		(void)memmove(base, b->base, b->length);
+	}
+
+	b->base = base;
+	b->length = length;
+}
+
+void
+isc__buffer_invalidate(isc_buffer_t *b) {
+	/*
+	 * Make 'b' an invalid buffer.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(!ISC_LINK_LINKED(b, link));
+	REQUIRE(b->mctx == NULL);
+
+	ISC__BUFFER_INVALIDATE(b);
+}
+
+void
+isc_buffer_setautorealloc(isc_buffer_t *b, bool enable) {
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->mctx != NULL);
+	b->autore = enable;
+}
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_REGION(b, r);
+}
+
+void
+isc__buffer_usedregion(const isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the used region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_USEDREGION(b, r);
+}
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the available region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_AVAILABLEREGION(b, r);
+}
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Increase the 'used' region of 'b' by 'n' bytes.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used + n <= b->length);
+
+	ISC__BUFFER_ADD(b, n);
+}
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Decrease the 'used' region of 'b' by 'n' bytes.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used >= n);
+
+	ISC__BUFFER_SUBTRACT(b, n);
+}
+
+void
+isc__buffer_clear(isc_buffer_t *b) {
+	/*
+	 * Make the used region empty.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	ISC__BUFFER_CLEAR(b);
+}
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the consumed region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_CONSUMEDREGION(b, r);
+}
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the remaining region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_REMAININGREGION(b, r);
+}
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
+	/*
+	 * Make 'r' refer to the active region of 'b'.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	ISC__BUFFER_ACTIVEREGION(b, r);
+}
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Sets the end of the active region 'n' bytes after current.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->current + n <= b->used);
+
+	ISC__BUFFER_SETACTIVE(b, n);
+}
+
+void
+isc__buffer_first(isc_buffer_t *b) {
+	/*
+	 * Make the consumed region empty.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	ISC__BUFFER_FIRST(b);
+}
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Increase the 'consumed' region of 'b' by 'n' bytes.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->current + n <= b->used);
+
+	ISC__BUFFER_FORWARD(b, n);
+}
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n) {
+	/*
+	 * Decrease the 'consumed' region of 'b' by 'n' bytes.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(n <= b->current);
+
+	ISC__BUFFER_BACK(b, n);
+}
+
+void
+isc_buffer_compact(isc_buffer_t *b) {
+	unsigned int length;
+	void *src;
+
+	/*
+	 * Compact the used region by moving the remaining region so it occurs
+	 * at the start of the buffer.  The used region is shrunk by the size
+	 * of the consumed region, and the consumed region is then made empty.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	src = isc_buffer_current(b);
+	length = isc_buffer_remaininglength(b);
+	if (length > 0U) {
+		(void)memmove(b->base, src, (size_t)length);
+	}
+
+	if (b->active > b->current)
+		b->active -= b->current;
+	else
+		b->active = 0;
+	b->current = 0;
+	b->used = length;
+}
+
+uint8_t
+isc_buffer_getuint8(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint8_t result;
+
+	/*
+	 * Read an unsigned 8-bit integer from 'b' and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 1);
+
+	cp = isc_buffer_current(b);
+	b->current += 1;
+	result = ((uint8_t)(cp[0]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, uint8_t val) {
+	isc_result_t result;
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 1);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 1);
+
+	ISC__BUFFER_PUTUINT8(b, val);
+}
+
+uint16_t
+isc_buffer_getuint16(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint16_t result;
+
+	/*
+	 * Read an unsigned 16-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 2);
+
+	cp = isc_buffer_current(b);
+	b->current += 2;
+	result = ((unsigned int)(cp[0])) << 8;
+	result |= ((unsigned int)(cp[1]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, uint16_t val) {
+	isc_result_t result;
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 2);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 2);
+
+	ISC__BUFFER_PUTUINT16(b, val);
+}
+
+void
+isc__buffer_putuint24(isc_buffer_t *b, uint32_t val) {
+	isc_result_t result;
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 3);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 3);
+
+	ISC__BUFFER_PUTUINT24(b, val);
+}
+
+uint32_t
+isc_buffer_getuint32(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint32_t result;
+
+	/*
+	 * Read an unsigned 32-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 4);
+
+	cp = isc_buffer_current(b);
+	b->current += 4;
+	result = ((unsigned int)(cp[0])) << 24;
+	result |= ((unsigned int)(cp[1])) << 16;
+	result |= ((unsigned int)(cp[2])) << 8;
+	result |= ((unsigned int)(cp[3]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, uint32_t val) {
+	isc_result_t result;
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 4);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 4);
+
+	ISC__BUFFER_PUTUINT32(b, val);
+}
+
+uint64_t
+isc_buffer_getuint48(isc_buffer_t *b) {
+	unsigned char *cp;
+	uint64_t result;
+
+	/*
+	 * Read an unsigned 48-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 6);
+
+	cp = isc_buffer_current(b);
+	b->current += 6;
+	result = ((int64_t)(cp[0])) << 40;
+	result |= ((int64_t)(cp[1])) << 32;
+	result |= ((int64_t)(cp[2])) << 24;
+	result |= ((int64_t)(cp[3])) << 16;
+	result |= ((int64_t)(cp[4])) << 8;
+	result |= ((int64_t)(cp[5]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, uint64_t val) {
+	isc_result_t result;
+	uint16_t valhi;
+	uint32_t vallo;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, 6);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= 6);
+
+	valhi = (uint16_t)(val >> 32);
+	vallo = (uint32_t)(val & 0xFFFFFFFF);
+	ISC__BUFFER_PUTUINT16(b, valhi);
+	ISC__BUFFER_PUTUINT32(b, vallo);
+}
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+		   unsigned int length)
+{
+	isc_result_t result;
+	REQUIRE(ISC_BUFFER_VALID(b));
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, length);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= length);
+
+	ISC__BUFFER_PUTMEM(b, base, length);
+}
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source) {
+	unsigned int l;
+	unsigned char *cp;
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(source != NULL);
+
+	/*
+	 * Do not use ISC__BUFFER_PUTSTR(), so strlen is only done once.
+	 */
+	l = strlen(source);
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, l);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= l);
+
+	cp = isc_buffer_used(b);
+	memmove(cp, source, l);
+	b->used += l;
+}
+
+void
+isc_buffer_putdecint(isc_buffer_t *b, int64_t v) {
+	unsigned int l=0;
+	unsigned char *cp;
+	char buf[21];
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+
+	/* xxxwpk do it more low-level way ? */
+	l = snprintf(buf, 21, "%" PRId64, v);
+	RUNTIME_CHECK(l <= 21);
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, l);
+		REQUIRE(result == ISC_R_SUCCESS);
+	}
+	REQUIRE(isc_buffer_availablelength(b) >= l);
+
+	cp = isc_buffer_used(b);
+	memmove(cp, buf, l);
+	b->used += l;
+}
+
+isc_result_t
+isc_buffer_dup(isc_mem_t *mctx, isc_buffer_t **dstp, const isc_buffer_t *src) {
+	isc_buffer_t *dst = NULL;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(dstp != NULL && *dstp == NULL);
+	REQUIRE(ISC_BUFFER_VALID(src));
+
+	isc_buffer_usedregion(src, &region);
+
+	result = isc_buffer_allocate(mctx, &dst, region.length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_buffer_copyregion(dst, &region);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS); /* NOSPACE is impossible */
+	*dstp = dst;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
+	unsigned char *base;
+	unsigned int available;
+	isc_result_t result;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(r != NULL);
+
+	/*
+	 * XXXDCL
+	 */
+	base = isc_buffer_used(b);
+	available = isc_buffer_availablelength(b);
+	if (ISC_UNLIKELY(b->autore)) {
+		result = isc_buffer_reserve(&b, r->length);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	if (r->length > available)
+		return (ISC_R_NOSPACE);
+	if (r->length > 0U) {
+		memmove(base, r->base, r->length);
+		b->used += r->length;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+		    unsigned int length)
+{
+	isc_buffer_t *dbuf;
+	unsigned char * bdata;
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(*dynbuffer == NULL);
+
+	dbuf = isc_mem_get(mctx, sizeof(isc_buffer_t));
+	if (dbuf == NULL)
+		return (ISC_R_NOMEMORY);
+
+	bdata = isc_mem_get(mctx, length);
+	if (bdata == NULL) {
+		isc_mem_put(mctx, dbuf, sizeof(isc_buffer_t));
+		return (ISC_R_NOMEMORY);
+	}
+
+	isc_buffer_init(dbuf, bdata, length);
+	dbuf->mctx = mctx;
+
+	ENSURE(ISC_BUFFER_VALID(dbuf));
+
+	*dynbuffer = dbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_reallocate(isc_buffer_t **dynbuffer, unsigned int length) {
+	unsigned char *bdata;
+
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+	REQUIRE((*dynbuffer)->mctx != NULL);
+
+	if ((*dynbuffer)->length > length)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * XXXMUKS: This is far more expensive than plain realloc() as
+	 * it doesn't remap pages, but does ordinary copy. So is
+	 * isc_mem_reallocate(), which has additional issues.
+	 */
+	bdata = isc_mem_get((*dynbuffer)->mctx, length);
+	if (bdata == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memmove(bdata, (*dynbuffer)->base, (*dynbuffer)->length);
+	isc_mem_put((*dynbuffer)->mctx, (*dynbuffer)->base,
+		    (*dynbuffer)->length);
+
+	(*dynbuffer)->base = bdata;
+	(*dynbuffer)->length = length;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_reserve(isc_buffer_t **dynbuffer, unsigned int size) {
+	uint64_t len;
+
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+
+	len = (*dynbuffer)->length;
+	if ((len - (*dynbuffer)->used) >= size)
+		return (ISC_R_SUCCESS);
+
+	if ((*dynbuffer)->mctx == NULL)
+		return (ISC_R_NOSPACE);
+
+	/* Round to nearest buffer size increment */
+	len = size + (*dynbuffer)->used;
+	len = (len + ISC_BUFFER_INCR - 1 - ((len - 1) % ISC_BUFFER_INCR));
+
+	/* Cap at UINT_MAX */
+	if (len > UINT_MAX) {
+		len = UINT_MAX;
+	}
+
+	if ((len - (*dynbuffer)->used) < size)
+		return (ISC_R_NOMEMORY);
+
+	return (isc_buffer_reallocate(dynbuffer, (unsigned int) len));
+}
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer) {
+	isc_buffer_t *dbuf;
+	isc_mem_t *mctx;
+
+	REQUIRE(dynbuffer != NULL);
+	REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+	REQUIRE((*dynbuffer)->mctx != NULL);
+
+	dbuf = *dynbuffer;
+	*dynbuffer = NULL;	/* destroy external reference */
+	mctx = dbuf->mctx;
+	dbuf->mctx = NULL;
+
+	isc_mem_put(mctx, dbuf->base, dbuf->length);
+	isc_buffer_invalidate(dbuf);
+	isc_mem_put(mctx, dbuf, sizeof(isc_buffer_t));
+}
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
new file mode 100644
index 0000000..f6ebdea
--- /dev/null
+++ b/lib/isc/bufferlist.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/util.h>
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
+	isc_buffer_t *buffer;
+	unsigned int length;
+
+	REQUIRE(bl != NULL);
+
+	length = 0;
+	buffer = ISC_LIST_HEAD(*bl);
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		length += isc_buffer_usedlength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	return (length);
+}
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
+	isc_buffer_t *buffer;
+	unsigned int length;
+
+	REQUIRE(bl != NULL);
+
+	length = 0;
+	buffer = ISC_LIST_HEAD(*bl);
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		length += isc_buffer_availablelength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	return (length);
+}
diff --git a/lib/isc/chacha_private.h b/lib/isc/chacha_private.h
new file mode 100644
index 0000000..a6653c6
--- /dev/null
+++ b/lib/isc/chacha_private.h
@@ -0,0 +1,229 @@
+/*
+ * Taken from OpenBSD CVS src/lib/libc/crypt/chacha_private.h on
+ * May 12, 2014.
+ */
+
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
+				'2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
+static const char tau[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '1',
+			      '6', '-', 'b', 'y', 't', 'e', ' ', 'k' };
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  UNUSED(ivbits);
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 0;
+  x->input[13] = 0;
+  x->input[14] = U8TO32_LITTLE(iv + 0);
+  x->input[15] = U8TO32_LITTLE(iv + 4);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u_int i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
new file mode 100644
index 0000000..efee967
--- /dev/null
+++ b/lib/isc/commandline.c
@@ -0,0 +1,271 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1987, 1993, 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+/*! \file
+ * This file was adapted from the NetBSD project's source tree, RCS ID:
+ *    NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
+ *
+ * The primary change has been to rename items to the ISC namespace
+ * and format in the ISC coding style.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/commandline.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*% Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
+/*% Character checked for validity. */
+LIBISC_EXTERNAL_DATA int isc_commandline_option;
+/*% Argument associated with option. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
+/*% For printing error messages. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
+/*% Print error messages. */
+LIBISC_EXTERNAL_DATA bool isc_commandline_errprint = true;
+/*% Reset processing. */
+LIBISC_EXTERNAL_DATA bool isc_commandline_reset = true;
+
+static char endopt = '\0';
+
+#define	BADOPT	'?'
+#define	BADARG	':'
+#define ENDOPT  &endopt
+
+/*!
+ * getopt --
+ *	Parse argc/argv argument vector.
+ */
+int
+isc_commandline_parse(int argc, char * const *argv, const char *options) {
+	static char *place = ENDOPT;
+	const char *option;		/* Index into *options of option. */
+
+	REQUIRE(argc >= 0 && argv != NULL && options != NULL);
+
+	/*
+	 * Update scanning pointer, either because a reset was requested or
+	 * the previous argv was finished.
+	 */
+	if (isc_commandline_reset || *place == '\0') {
+		if (isc_commandline_reset) {
+			isc_commandline_index = 1;
+			isc_commandline_reset = false;
+		}
+
+		if (isc_commandline_progname == NULL)
+			isc_commandline_progname = argv[0];
+
+		if (isc_commandline_index >= argc ||
+		    *(place = argv[isc_commandline_index]) != '-') {
+			/*
+			 * Index out of range or points to non-option.
+			 */
+			place = ENDOPT;
+			return (-1);
+		}
+
+		if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+			/*
+			 * Found '--' to signal end of options.  Advance
+			 * index to next argv, the first non-option.
+			 */
+			isc_commandline_index++;
+			place = ENDOPT;
+			return (-1);
+		}
+	}
+
+	isc_commandline_option = *place++;
+	option = strchr(options, isc_commandline_option);
+
+	/*
+	 * Ensure valid option has been passed as specified by options string.
+	 * '-:' is never a valid command line option because it could not
+	 * distinguish ':' from the argument specifier in the options string.
+	 */
+	if (isc_commandline_option == ':' || option == NULL) {
+		if (*place == '\0')
+			isc_commandline_index++;
+
+		if (isc_commandline_errprint && *options != ':')
+			fprintf(stderr, "%s: %s -- %c\n",
+				isc_commandline_progname,
+				isc_msgcat_get(isc_msgcat,
+					       ISC_MSGSET_COMMANDLINE,
+					       ISC_MSG_ILLEGALOPT,
+					       "illegal option"),
+				isc_commandline_option);
+
+		return (BADOPT);
+	}
+
+	if (*++option != ':') {
+		/*
+		 * Option does not take an argument.
+		 */
+		isc_commandline_argument = NULL;
+
+		/*
+		 * Skip to next argv if at the end of the current argv.
+		 */
+		if (*place == '\0')
+			++isc_commandline_index;
+
+	} else {
+		/*
+		 * Option needs an argument.
+		 */
+		if (*place != '\0')
+			/*
+			 * Option is in this argv, -D1 style.
+			 */
+			isc_commandline_argument = place;
+
+		else if (argc > ++isc_commandline_index)
+			/*
+			 * Option is next argv, -D 1 style.
+			 */
+			isc_commandline_argument = argv[isc_commandline_index];
+
+		else {
+			/*
+			 * Argument needed, but no more argv.
+			 */
+			place = ENDOPT;
+
+			/*
+			 * Silent failure with "missing argument" return
+			 * when ':' starts options string, per historical spec.
+			 */
+			if (*options == ':')
+				return (BADARG);
+
+			if (isc_commandline_errprint)
+				fprintf(stderr, "%s: %s -- %c\n",
+					isc_commandline_progname,
+					isc_msgcat_get(isc_msgcat,
+						       ISC_MSGSET_COMMANDLINE,
+						       ISC_MSG_OPTNEEDARG,
+						       "option requires "
+						       "an argument"),
+					isc_commandline_option);
+
+			return (BADOPT);
+		}
+
+		place = ENDOPT;
+
+		/*
+		 * Point to argv that follows argument.
+		 */
+		isc_commandline_index++;
+	}
+
+	return (isc_commandline_option);
+}
+
+isc_result_t
+isc_commandline_strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp,
+			  char ***argvp, unsigned int n)
+{
+	isc_result_t result;
+
+ restart:
+	/* Discard leading whitespace. */
+	while (*s == ' ' || *s == '\t')
+		s++;
+
+	if (*s == '\0') {
+		/* We have reached the end of the string. */
+		*argcp = n;
+		*argvp = isc_mem_get(mctx, n * sizeof(char *));
+		if (*argvp == NULL)
+			return (ISC_R_NOMEMORY);
+	} else {
+		char *p = s;
+		while (*p != ' ' && *p != '\t' && *p != '\0' && *p != '{') {
+			if (*p == '\n') {
+				*p = ' ';
+				goto restart;
+			}
+			p++;
+		}
+
+		/* do "grouping", items between { and } are one arg */
+		if (*p == '{') {
+			char *t = p;
+			/*
+			 * shift all characters to left by 1 to get rid of '{'
+			 */
+			while (*t != '\0') {
+				t++;
+				*(t-1) = *t;
+			}
+			while (*p != '\0' && *p != '}') {
+				p++;
+			}
+			/* get rid of '}' character */
+			if (*p == '}') {
+				*p = '\0';
+				p++;
+			}
+			/* normal case, no "grouping" */
+		} else if (*p != '\0')
+			*p++ = '\0';
+
+		result = isc_commandline_strtoargv(mctx, p,
+						   argcp, argvp, n + 1);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		(*argvp)[n] = s;
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/counter.c b/lib/isc/counter.c
new file mode 100644
index 0000000..8c70051
--- /dev/null
+++ b/lib/isc/counter.c
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+
+#include <isc/counter.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#define COUNTER_MAGIC			ISC_MAGIC('C', 'n', 't', 'r')
+#define VALID_COUNTER(r)		ISC_MAGIC_VALID(r, COUNTER_MAGIC)
+
+struct isc_counter {
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	isc_mutex_t	lock;
+	unsigned int	references;
+	unsigned int	limit;
+	unsigned int	used;
+};
+
+isc_result_t
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) {
+	isc_result_t result;
+	isc_counter_t *counter;
+
+	REQUIRE(counterp != NULL && *counterp == NULL);
+
+	counter = isc_mem_get(mctx, sizeof(*counter));
+	if (counter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&counter->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, counter, sizeof(*counter));
+		return (result);
+	}
+
+	counter->mctx = NULL;
+	isc_mem_attach(mctx, &counter->mctx);
+
+	counter->references = 1;
+	counter->limit = limit;
+	counter->used = 0;
+
+	counter->magic = COUNTER_MAGIC;
+	*counterp = counter;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_counter_increment(isc_counter_t *counter) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	LOCK(&counter->lock);
+	counter->used++;
+	if (counter->limit != 0 && counter->used >= counter->limit)
+		result = ISC_R_QUOTA;
+	UNLOCK(&counter->lock);
+
+	return (result);
+}
+
+unsigned int
+isc_counter_used(isc_counter_t *counter) {
+	REQUIRE(VALID_COUNTER(counter));
+
+	return (counter->used);
+}
+
+void
+isc_counter_setlimit(isc_counter_t *counter, int limit) {
+	REQUIRE(VALID_COUNTER(counter));
+
+	LOCK(&counter->lock);
+	counter->limit = limit;
+	UNLOCK(&counter->lock);
+}
+
+void
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) {
+	REQUIRE(VALID_COUNTER(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+	source->references++;
+	INSIST(source->references > 0);
+	UNLOCK(&source->lock);
+
+	*targetp = source;
+}
+
+static void
+destroy(isc_counter_t *counter) {
+	counter->magic = 0;
+	isc_mutex_destroy(&counter->lock);
+	isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter));
+}
+
+void
+isc_counter_detach(isc_counter_t **counterp) {
+	isc_counter_t *counter;
+	bool want_destroy = false;
+
+	REQUIRE(counterp != NULL && *counterp != NULL);
+	counter = *counterp;
+	REQUIRE(VALID_COUNTER(counter));
+
+	*counterp = NULL;
+
+	LOCK(&counter->lock);
+	INSIST(counter->references > 0);
+	counter->references--;
+	if (counter->references == 0)
+		want_destroy = true;
+	UNLOCK(&counter->lock);
+
+	if (want_destroy)
+		destroy(counter);
+}
diff --git a/lib/isc/crc64.c b/lib/isc/crc64.c
new file mode 100644
index 0000000..1db2d5d
--- /dev/null
+++ b/lib/isc/crc64.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include "config.h"
+
+#include <inttypes.h>
+
+#include <isc/assertions.h>
+#include <isc/crc64.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/*%<
+ * ECMA-182 CRC64 polynomial.
+ */
+static const uint64_t crc64_table[256] = {
+	0x0000000000000000ULL, 0x42F0E1EBA9EA3693ULL, 0x85E1C3D753D46D26ULL,
+	0xC711223CFA3E5BB5ULL, 0x493366450E42ECDFULL, 0x0BC387AEA7A8DA4CULL,
+	0xCCD2A5925D9681F9ULL, 0x8E224479F47CB76AULL, 0x9266CC8A1C85D9BEULL,
+	0xD0962D61B56FEF2DULL, 0x17870F5D4F51B498ULL, 0x5577EEB6E6BB820BULL,
+	0xDB55AACF12C73561ULL, 0x99A54B24BB2D03F2ULL, 0x5EB4691841135847ULL,
+	0x1C4488F3E8F96ED4ULL, 0x663D78FF90E185EFULL, 0x24CD9914390BB37CULL,
+	0xE3DCBB28C335E8C9ULL, 0xA12C5AC36ADFDE5AULL, 0x2F0E1EBA9EA36930ULL,
+	0x6DFEFF5137495FA3ULL, 0xAAEFDD6DCD770416ULL, 0xE81F3C86649D3285ULL,
+	0xF45BB4758C645C51ULL, 0xB6AB559E258E6AC2ULL, 0x71BA77A2DFB03177ULL,
+	0x334A9649765A07E4ULL, 0xBD68D2308226B08EULL, 0xFF9833DB2BCC861DULL,
+	0x388911E7D1F2DDA8ULL, 0x7A79F00C7818EB3BULL, 0xCC7AF1FF21C30BDEULL,
+	0x8E8A101488293D4DULL, 0x499B3228721766F8ULL, 0x0B6BD3C3DBFD506BULL,
+	0x854997BA2F81E701ULL, 0xC7B97651866BD192ULL, 0x00A8546D7C558A27ULL,
+	0x4258B586D5BFBCB4ULL, 0x5E1C3D753D46D260ULL, 0x1CECDC9E94ACE4F3ULL,
+	0xDBFDFEA26E92BF46ULL, 0x990D1F49C77889D5ULL, 0x172F5B3033043EBFULL,
+	0x55DFBADB9AEE082CULL, 0x92CE98E760D05399ULL, 0xD03E790CC93A650AULL,
+	0xAA478900B1228E31ULL, 0xE8B768EB18C8B8A2ULL, 0x2FA64AD7E2F6E317ULL,
+	0x6D56AB3C4B1CD584ULL, 0xE374EF45BF6062EEULL, 0xA1840EAE168A547DULL,
+	0x66952C92ECB40FC8ULL, 0x2465CD79455E395BULL, 0x3821458AADA7578FULL,
+	0x7AD1A461044D611CULL, 0xBDC0865DFE733AA9ULL, 0xFF3067B657990C3AULL,
+	0x711223CFA3E5BB50ULL, 0x33E2C2240A0F8DC3ULL, 0xF4F3E018F031D676ULL,
+	0xB60301F359DBE0E5ULL, 0xDA050215EA6C212FULL, 0x98F5E3FE438617BCULL,
+	0x5FE4C1C2B9B84C09ULL, 0x1D14202910527A9AULL, 0x93366450E42ECDF0ULL,
+	0xD1C685BB4DC4FB63ULL, 0x16D7A787B7FAA0D6ULL, 0x5427466C1E109645ULL,
+	0x4863CE9FF6E9F891ULL, 0x0A932F745F03CE02ULL, 0xCD820D48A53D95B7ULL,
+	0x8F72ECA30CD7A324ULL, 0x0150A8DAF8AB144EULL, 0x43A04931514122DDULL,
+	0x84B16B0DAB7F7968ULL, 0xC6418AE602954FFBULL, 0xBC387AEA7A8DA4C0ULL,
+	0xFEC89B01D3679253ULL, 0x39D9B93D2959C9E6ULL, 0x7B2958D680B3FF75ULL,
+	0xF50B1CAF74CF481FULL, 0xB7FBFD44DD257E8CULL, 0x70EADF78271B2539ULL,
+	0x321A3E938EF113AAULL, 0x2E5EB66066087D7EULL, 0x6CAE578BCFE24BEDULL,
+	0xABBF75B735DC1058ULL, 0xE94F945C9C3626CBULL, 0x676DD025684A91A1ULL,
+	0x259D31CEC1A0A732ULL, 0xE28C13F23B9EFC87ULL, 0xA07CF2199274CA14ULL,
+	0x167FF3EACBAF2AF1ULL, 0x548F120162451C62ULL, 0x939E303D987B47D7ULL,
+	0xD16ED1D631917144ULL, 0x5F4C95AFC5EDC62EULL, 0x1DBC74446C07F0BDULL,
+	0xDAAD56789639AB08ULL, 0x985DB7933FD39D9BULL, 0x84193F60D72AF34FULL,
+	0xC6E9DE8B7EC0C5DCULL, 0x01F8FCB784FE9E69ULL, 0x43081D5C2D14A8FAULL,
+	0xCD2A5925D9681F90ULL, 0x8FDAB8CE70822903ULL, 0x48CB9AF28ABC72B6ULL,
+	0x0A3B7B1923564425ULL, 0x70428B155B4EAF1EULL, 0x32B26AFEF2A4998DULL,
+	0xF5A348C2089AC238ULL, 0xB753A929A170F4ABULL, 0x3971ED50550C43C1ULL,
+	0x7B810CBBFCE67552ULL, 0xBC902E8706D82EE7ULL, 0xFE60CF6CAF321874ULL,
+	0xE224479F47CB76A0ULL, 0xA0D4A674EE214033ULL, 0x67C58448141F1B86ULL,
+	0x253565A3BDF52D15ULL, 0xAB1721DA49899A7FULL, 0xE9E7C031E063ACECULL,
+	0x2EF6E20D1A5DF759ULL, 0x6C0603E6B3B7C1CAULL, 0xF6FAE5C07D3274CDULL,
+	0xB40A042BD4D8425EULL, 0x731B26172EE619EBULL, 0x31EBC7FC870C2F78ULL,
+	0xBFC9838573709812ULL, 0xFD39626EDA9AAE81ULL, 0x3A28405220A4F534ULL,
+	0x78D8A1B9894EC3A7ULL, 0x649C294A61B7AD73ULL, 0x266CC8A1C85D9BE0ULL,
+	0xE17DEA9D3263C055ULL, 0xA38D0B769B89F6C6ULL, 0x2DAF4F0F6FF541ACULL,
+	0x6F5FAEE4C61F773FULL, 0xA84E8CD83C212C8AULL, 0xEABE6D3395CB1A19ULL,
+	0x90C79D3FEDD3F122ULL, 0xD2377CD44439C7B1ULL, 0x15265EE8BE079C04ULL,
+	0x57D6BF0317EDAA97ULL, 0xD9F4FB7AE3911DFDULL, 0x9B041A914A7B2B6EULL,
+	0x5C1538ADB04570DBULL, 0x1EE5D94619AF4648ULL, 0x02A151B5F156289CULL,
+	0x4051B05E58BC1E0FULL, 0x87409262A28245BAULL, 0xC5B073890B687329ULL,
+	0x4B9237F0FF14C443ULL, 0x0962D61B56FEF2D0ULL, 0xCE73F427ACC0A965ULL,
+	0x8C8315CC052A9FF6ULL, 0x3A80143F5CF17F13ULL, 0x7870F5D4F51B4980ULL,
+	0xBF61D7E80F251235ULL, 0xFD913603A6CF24A6ULL, 0x73B3727A52B393CCULL,
+	0x31439391FB59A55FULL, 0xF652B1AD0167FEEAULL, 0xB4A25046A88DC879ULL,
+	0xA8E6D8B54074A6ADULL, 0xEA16395EE99E903EULL, 0x2D071B6213A0CB8BULL,
+	0x6FF7FA89BA4AFD18ULL, 0xE1D5BEF04E364A72ULL, 0xA3255F1BE7DC7CE1ULL,
+	0x64347D271DE22754ULL, 0x26C49CCCB40811C7ULL, 0x5CBD6CC0CC10FAFCULL,
+	0x1E4D8D2B65FACC6FULL, 0xD95CAF179FC497DAULL, 0x9BAC4EFC362EA149ULL,
+	0x158E0A85C2521623ULL, 0x577EEB6E6BB820B0ULL, 0x906FC95291867B05ULL,
+	0xD29F28B9386C4D96ULL, 0xCEDBA04AD0952342ULL, 0x8C2B41A1797F15D1ULL,
+	0x4B3A639D83414E64ULL, 0x09CA82762AAB78F7ULL, 0x87E8C60FDED7CF9DULL,
+	0xC51827E4773DF90EULL, 0x020905D88D03A2BBULL, 0x40F9E43324E99428ULL,
+	0x2CFFE7D5975E55E2ULL, 0x6E0F063E3EB46371ULL, 0xA91E2402C48A38C4ULL,
+	0xEBEEC5E96D600E57ULL, 0x65CC8190991CB93DULL, 0x273C607B30F68FAEULL,
+	0xE02D4247CAC8D41BULL, 0xA2DDA3AC6322E288ULL, 0xBE992B5F8BDB8C5CULL,
+	0xFC69CAB42231BACFULL, 0x3B78E888D80FE17AULL, 0x7988096371E5D7E9ULL,
+	0xF7AA4D1A85996083ULL, 0xB55AACF12C735610ULL, 0x724B8ECDD64D0DA5ULL,
+	0x30BB6F267FA73B36ULL, 0x4AC29F2A07BFD00DULL, 0x08327EC1AE55E69EULL,
+	0xCF235CFD546BBD2BULL, 0x8DD3BD16FD818BB8ULL, 0x03F1F96F09FD3CD2ULL,
+	0x41011884A0170A41ULL, 0x86103AB85A2951F4ULL, 0xC4E0DB53F3C36767ULL,
+	0xD8A453A01B3A09B3ULL, 0x9A54B24BB2D03F20ULL, 0x5D45907748EE6495ULL,
+	0x1FB5719CE1045206ULL, 0x919735E51578E56CULL, 0xD367D40EBC92D3FFULL,
+	0x1476F63246AC884AULL, 0x568617D9EF46BED9ULL, 0xE085162AB69D5E3CULL,
+	0xA275F7C11F7768AFULL, 0x6564D5FDE549331AULL, 0x279434164CA30589ULL,
+	0xA9B6706FB8DFB2E3ULL, 0xEB46918411358470ULL, 0x2C57B3B8EB0BDFC5ULL,
+	0x6EA7525342E1E956ULL, 0x72E3DAA0AA188782ULL, 0x30133B4B03F2B111ULL,
+	0xF7021977F9CCEAA4ULL, 0xB5F2F89C5026DC37ULL, 0x3BD0BCE5A45A6B5DULL,
+	0x79205D0E0DB05DCEULL, 0xBE317F32F78E067BULL, 0xFCC19ED95E6430E8ULL,
+	0x86B86ED5267CDBD3ULL, 0xC4488F3E8F96ED40ULL, 0x0359AD0275A8B6F5ULL,
+	0x41A94CE9DC428066ULL, 0xCF8B0890283E370CULL, 0x8D7BE97B81D4019FULL,
+	0x4A6ACB477BEA5A2AULL, 0x089A2AACD2006CB9ULL, 0x14DEA25F3AF9026DULL,
+	0x562E43B4931334FEULL, 0x913F6188692D6F4BULL, 0xD3CF8063C0C759D8ULL,
+	0x5DEDC41A34BBEEB2ULL, 0x1F1D25F19D51D821ULL,
+	0xD80C07CD676F8394ULL, 0x9AFCE626CE85B507ULL
+};
+
+void
+isc_crc64_init(uint64_t *crc) {
+	REQUIRE(crc != NULL);
+
+	*crc = 0xffffffffffffffffULL;
+}
+
+void
+isc_crc64_update(uint64_t *crc, const void *data, size_t len) {
+	const unsigned char *p = data;
+	int i;
+
+	REQUIRE(crc != NULL);
+	REQUIRE(data != NULL);
+
+	while (len-- > 0U) {
+		i = ((int) (*crc >> 56) ^ *p++) & 0xff;
+		*crc = crc64_table[i] ^ (*crc << 8);
+	}
+}
+
+
+void
+isc_crc64_final(uint64_t *crc) {
+	REQUIRE(crc != NULL);
+
+	*crc ^= 0xffffffffffffffffULL;
+}
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
new file mode 100644
index 0000000..ab2f617
--- /dev/null
+++ b/lib/isc/entropy.c
@@ -0,0 +1,1288 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * This is the system independent part of the entropy module.  It is
+ * compiled via inclusion from the relevant OS source file, ie,
+ * \link unix/entropy.c unix/entropy.c \endlink or win32/entropy.c.
+ *
+ * \author Much of this code is modeled after the NetBSD /dev/random implementation,
+ * written by Michael Graff <explorer@netbsd.org>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/keyboard.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef PKCS11CRYPTO
+#include <pk11/pk11.h>
+#endif
+
+#define ENTROPY_MAGIC		ISC_MAGIC('E', 'n', 't', 'e')
+#define SOURCE_MAGIC		ISC_MAGIC('E', 'n', 't', 's')
+
+#define VALID_ENTROPY(e)	ISC_MAGIC_VALID(e, ENTROPY_MAGIC)
+#define VALID_SOURCE(s)		ISC_MAGIC_VALID(s, SOURCE_MAGIC)
+
+/***
+ *** "constants."  Do not change these unless you _really_ know what
+ *** you are doing.
+ ***/
+
+/*%
+ * Size of entropy pool in 32-bit words.  This _MUST_ be a power of 2.
+ */
+#define RND_POOLWORDS	128
+/*% Pool in bytes. */
+#define RND_POOLBYTES	(RND_POOLWORDS * 4)
+/*% Pool in bits. */
+#define RND_POOLBITS	(RND_POOLWORDS * 32)
+
+/*%
+ * Number of bytes returned per hash.  This must be true:
+ *	threshold * 2 <= digest_size_in_bytes
+ */
+#define RND_ENTROPY_THRESHOLD	10
+#define THRESHOLD_BITS		(RND_ENTROPY_THRESHOLD * 8)
+
+/*%
+ * Size of the input event queue in samples.
+ */
+#define RND_EVENTQSIZE	32
+
+/*%
+ * The number of times we'll "reseed" for pseudorandom seeds.  This is an
+ * extremely weak pseudorandom seed.  If the caller is using lots of
+ * pseudorandom data and they cannot provide a stronger random source,
+ * there is little we can do other than hope they're smart enough to
+ * call _adddata() with something better than we can come up with.
+ */
+#define RND_INITIALIZE	128
+
+/*% Entropy Pool */
+typedef struct {
+	uint32_t	cursor;		/*%< current add point in the pool */
+	uint32_t	entropy;	/*%< current entropy estimate in bits */
+	uint32_t	pseudo;		/*%< bits extracted in pseudorandom */
+	uint32_t	rotate;		/*%< how many bits to rotate by */
+	uint32_t	pool[RND_POOLWORDS];	/*%< random pool data */
+} isc_entropypool_t;
+
+struct isc_entropy {
+	unsigned int			magic;
+	isc_mem_t		       *mctx;
+	isc_mutex_t			lock;
+	unsigned int			refcnt;
+	uint32_t			initialized;
+	uint32_t			initcount;
+	isc_entropypool_t		pool;
+	unsigned int			nsources;
+	isc_entropysource_t	       *nextsource;
+	ISC_LIST(isc_entropysource_t)	sources;
+};
+
+/*% Sample Queue */
+typedef struct {
+	uint32_t	last_time;	/*%< last time recorded */
+	uint32_t	last_delta;	/*%< last delta value */
+	uint32_t	last_delta2;	/*%< last delta2 value */
+	uint32_t	nsamples;	/*%< number of samples filled in */
+	uint32_t   *samples;	/*%< the samples */
+	uint32_t   *extra;		/*%< extra samples added in */
+} sample_queue_t;
+
+typedef struct {
+	sample_queue_t	samplequeue;
+} isc_entropysamplesource_t;
+
+typedef struct {
+	bool		start_called;
+	isc_entropystart_t	startfunc;
+	isc_entropyget_t	getfunc;
+	isc_entropystop_t	stopfunc;
+	void		       *arg;
+	sample_queue_t		samplequeue;
+} isc_cbsource_t;
+
+typedef struct {
+	FILESOURCE_HANDLE_TYPE handle;
+} isc_entropyfilesource_t;
+
+struct isc_entropysource {
+	unsigned int	magic;
+	unsigned int	type;
+	isc_entropy_t  *ent;
+	uint32_t	total;		/*%< entropy from this source */
+	ISC_LINK(isc_entropysource_t)	link;
+	char		name[32];
+	bool	bad;
+	bool	warn_keyboard;
+	isc_keyboard_t	kbd;
+	union {
+		isc_entropysamplesource_t	sample;
+		isc_entropyfilesource_t		file;
+		isc_cbsource_t			callback;
+		isc_entropyusocketsource_t	usocket;
+	} sources;
+};
+
+#define ENTROPY_SOURCETYPE_SAMPLE	1	/*%< Type is a sample source */
+#define ENTROPY_SOURCETYPE_FILE		2	/*%< Type is a file source */
+#define ENTROPY_SOURCETYPE_CALLBACK	3	/*%< Type is a callback source */
+#define ENTROPY_SOURCETYPE_USOCKET	4	/*%< Type is a Unix socket source */
+
+/*@{*/
+/*%
+ * The random pool "taps"
+ */
+#define TAP1	99
+#define TAP2	59
+#define TAP3	31
+#define TAP4	 9
+#define TAP5	 7
+/*@}*/
+
+/*@{*/
+/*%
+ * Declarations for function provided by the system dependent sources that
+ * include this file.
+ */
+static void
+fillpool(isc_entropy_t *, unsigned int, bool);
+
+static int
+wait_for_sources(isc_entropy_t *);
+
+static void
+destroyfilesource(isc_entropyfilesource_t *source);
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source);
+
+/*@}*/
+
+static void
+samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
+	REQUIRE(sq->samples != NULL);
+	REQUIRE(sq->extra != NULL);
+
+	isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
+	isc_mem_put(ent->mctx, sq->extra, RND_EVENTQSIZE * 4);
+	sq->samples = NULL;
+	sq->extra = NULL;
+}
+
+static isc_result_t
+samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) {
+	sq->samples = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
+	if (sq->samples == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sq->extra = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
+	if (sq->extra == NULL) {
+		isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
+		sq->samples = NULL;
+		return (ISC_R_NOMEMORY);
+	}
+
+	sq->nsamples = 0;
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Add in entropy, even when the value we're adding in could be
+ * very large.
+ */
+static inline void
+add_entropy(isc_entropy_t *ent, uint32_t entropy) {
+	/* clamp input.  Yes, this must be done. */
+	entropy = ISC_MIN(entropy, RND_POOLBITS);
+	/* Add in the entropy we already have. */
+	entropy += ent->pool.entropy;
+	/* Clamp. */
+	ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS);
+}
+
+/*%
+ * Decrement the amount of entropy the pool has.
+ */
+static inline void
+subtract_entropy(isc_entropy_t *ent, uint32_t entropy) {
+	entropy = ISC_MIN(entropy, ent->pool.entropy);
+	ent->pool.entropy -= entropy;
+}
+
+/*!
+ * Add in entropy, even when the value we're adding in could be
+ * very large.
+ */
+static inline void
+add_pseudo(isc_entropy_t *ent, uint32_t pseudo) {
+	/* clamp input.  Yes, this must be done. */
+	pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
+	/* Add in the pseudo we already have. */
+	pseudo += ent->pool.pseudo;
+	/* Clamp. */
+	ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
+}
+
+/*!
+ * Decrement the amount of pseudo the pool has.
+ */
+static inline void
+subtract_pseudo(isc_entropy_t *ent, uint32_t pseudo) {
+	pseudo = ISC_MIN(pseudo, ent->pool.pseudo);
+	ent->pool.pseudo -= pseudo;
+}
+
+/*!
+ * Add one word to the pool, rotating the input as needed.
+ */
+static inline void
+entropypool_add_word(isc_entropypool_t *rp, uint32_t val) {
+	/*
+	 * Steal some values out of the pool, and xor them into the
+	 * word we were given.
+	 *
+	 * Mix the new value into the pool using xor.  This will
+	 * prevent the actual values from being known to the caller
+	 * since the previous values are assumed to be unknown as well.
+	 */
+	val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)];
+	val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)];
+	val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)];
+	val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)];
+	val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)];
+	if (rp->rotate == 0)
+		rp->pool[rp->cursor++] ^= val;
+	else
+		rp->pool[rp->cursor++] ^=
+		  ((val << rp->rotate) | (val >> (32 - rp->rotate)));
+
+	/*
+	 * If we have looped around the pool, increment the rotate
+	 * variable so the next value will get xored in rotated to
+	 * a different position.
+	 * Increment by a value that is relatively prime to the word size
+	 * to try to spread the bits throughout the pool quickly when the
+	 * pool is empty.
+	 */
+	if (rp->cursor == RND_POOLWORDS) {
+		rp->cursor = 0;
+		rp->rotate = (rp->rotate + 7) & 31;
+	}
+}
+
+/*!
+ * Add a buffer's worth of data to the pool.
+ *
+ * Requires that the lock is held on the entropy pool.
+ */
+static void
+entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
+		    uint32_t entropy)
+{
+	uint32_t val;
+	unsigned long addr;
+	uint8_t *buf;
+
+	/* Silly MSVC in 64 bit mode complains here... */
+#ifdef _WIN64
+	addr = (unsigned long)((unsigned long long)p);
+#else
+	addr = (unsigned long)p;
+#endif
+	buf = p;
+
+	if ((addr & 0x03U) != 0U) {
+		val = 0;
+		switch (len) {
+		case 3:
+			val = *buf++;
+			len--;
+			/* FALLTHROUGH */
+		case 2:
+			val = val << 8 | *buf++;
+			len--;
+			/* FALLTHROUGH */
+		case 1:
+			val = val << 8 | *buf++;
+			len--;
+		}
+
+		entropypool_add_word(&ent->pool, val);
+	}
+
+	for (; len > 3; len -= 4) {
+		val = *((uint32_t *)buf);
+
+		entropypool_add_word(&ent->pool, val);
+		buf += 4;
+	}
+
+	if (len != 0) {
+		val = 0;
+		switch (len) {
+		case 3:
+			val = *buf++;
+			/* FALLTHROUGH */
+		case 2:
+			val = val << 8 | *buf++;
+			/* FALLTHROUGH */
+		case 1:
+			val = val << 8 | *buf++;
+		}
+
+		entropypool_add_word(&ent->pool, val);
+	}
+
+	add_entropy(ent, entropy);
+	subtract_pseudo(ent, entropy);
+}
+
+static inline void
+reseed(isc_entropy_t *ent) {
+	isc_time_t t;
+	pid_t pid;
+
+	if (ent->initcount == 0) {
+		pid = getpid();
+		entropypool_adddata(ent, &pid, sizeof(pid), 0);
+		pid = getppid();
+		entropypool_adddata(ent, &pid, sizeof(pid), 0);
+	}
+
+	/*!
+	 * After we've reseeded 100 times, only add new timing info every
+	 * 50 requests.  This will keep us from using lots and lots of
+	 * CPU just to return bad pseudorandom data anyway.
+	 */
+	if (ent->initcount > 100)
+		if ((ent->initcount % 50) != 0)
+			return;
+
+	TIME_NOW(&t);
+	entropypool_adddata(ent, &t, sizeof(t), 0);
+	ent->initcount++;
+}
+
+static inline unsigned int
+estimate_entropy(sample_queue_t *sq, uint32_t t) {
+	int32_t		delta;
+	int32_t		delta2;
+	int32_t		delta3;
+
+	/*!
+	 * If the time counter has overflowed, calculate the real difference.
+	 * If it has not, it is simpler.
+	 */
+	if (t < sq->last_time)
+		delta = UINT_MAX - sq->last_time + t;
+	else
+		delta = sq->last_time - t;
+
+	if (delta < 0)
+		delta = -delta;
+
+	/*
+	 * Calculate the second and third order differentials
+	 */
+	delta2 = sq->last_delta - delta;
+	if (delta2 < 0)
+		delta2 = -delta2;
+
+	delta3 = sq->last_delta2 - delta2;
+	if (delta3 < 0)
+		delta3 = -delta3;
+
+	sq->last_time = t;
+	sq->last_delta = delta;
+	sq->last_delta2 = delta2;
+
+	/*
+	 * If any delta is 0, we got no entropy.  If all are non-zero, we
+	 * might have something.
+	 */
+	if (delta == 0 || delta2 == 0 || delta3 == 0)
+		return 0;
+
+	/*
+	 * We could find the smallest delta and claim we got log2(delta)
+	 * bits, but for now return that we found 1 bit.
+	 */
+	return 1;
+}
+
+static unsigned int
+crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
+	unsigned int ns;
+	unsigned int added;
+
+	if (sq->nsamples < 6)
+		return (0);
+
+	added = 0;
+	sq->last_time = sq->samples[0];
+	sq->last_delta = 0;
+	sq->last_delta2 = 0;
+
+	/*
+	 * Prime the values by adding in the first 4 samples in.  This
+	 * should completely initialize the delta calculations.
+	 */
+	for (ns = 0; ns < 4; ns++)
+		(void)estimate_entropy(sq, sq->samples[ns]);
+
+	for (ns = 4; ns < sq->nsamples; ns++)
+		added += estimate_entropy(sq, sq->samples[ns]);
+
+	entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added);
+	entropypool_adddata(ent, sq->extra, sq->nsamples * 4, 0);
+
+	/*
+	 * Move the last 4 samples into the first 4 positions, and start
+	 * adding new samples from that point.
+	 */
+	for (ns = 0; ns < 4; ns++) {
+		sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns];
+		sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns];
+	}
+
+	sq->nsamples = 4;
+
+	return (added);
+}
+
+static unsigned int
+get_from_callback(isc_entropysource_t *source, unsigned int desired,
+		  bool blocking)
+{
+	isc_entropy_t *ent = source->ent;
+	isc_cbsource_t *cbs = &source->sources.callback;
+	unsigned int added;
+	unsigned int got;
+	isc_result_t result;
+
+	if (desired == 0)
+		return (0);
+
+	if (source->bad)
+		return (0);
+
+	if (!cbs->start_called && cbs->startfunc != NULL) {
+		result = cbs->startfunc(source, cbs->arg, blocking);
+		if (result != ISC_R_SUCCESS)
+			return (0);
+		cbs->start_called = true;
+	}
+
+	added = 0;
+	result = ISC_R_SUCCESS;
+	while (desired > 0 && result == ISC_R_SUCCESS) {
+		result = cbs->getfunc(source, cbs->arg, blocking);
+		if (result == ISC_R_QUEUEFULL) {
+			got = crunchsamples(ent, &cbs->samplequeue);
+			added += got;
+			desired -= ISC_MIN(got, desired);
+			result = ISC_R_SUCCESS;
+		} else if (result != ISC_R_SUCCESS &&
+			   result != ISC_R_NOTBLOCKING)
+			source->bad = true;
+
+	}
+
+	return (added);
+}
+
+/*
+ * Extract some number of bytes from the random pool, decreasing the
+ * estimate of randomness as each byte is extracted.
+ *
+ * Do this by stiring the pool and returning a part of hash as randomness.
+ * Note that no secrets are given away here since parts of the hash are
+ * xored together before returned.
+ *
+ * Honor the request from the caller to only return good data, any data,
+ * etc.
+ */
+isc_result_t
+isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
+		    unsigned int *returned, unsigned int flags)
+{
+	unsigned int i;
+	isc_sha1_t hash;
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	uint32_t remain, deltae, count, total;
+	uint8_t *buf;
+	bool goodonly, partial, blocking;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(data != NULL);
+	REQUIRE(length > 0);
+
+	goodonly = (flags & ISC_ENTROPY_GOODONLY);
+	partial = (flags & ISC_ENTROPY_PARTIAL);
+	blocking = (flags & ISC_ENTROPY_BLOCKING);
+
+	REQUIRE(!partial || returned != NULL);
+
+	LOCK(&ent->lock);
+
+	remain = length;
+	buf = data;
+	total = 0;
+	while (remain != 0) {
+		count = ISC_MIN(remain, RND_ENTROPY_THRESHOLD);
+
+		/*
+		 * If we are extracting good data only, make certain we
+		 * have enough data in our pool for this pass.  If we don't,
+		 * get some, and fail if we can't, and partial returns
+		 * are not ok.
+		 */
+		if (goodonly) {
+			unsigned int fillcount;
+
+			fillcount = ISC_MAX(remain * 8, count * 8);
+
+			/*
+			 * If, however, we have at least THRESHOLD_BITS
+			 * of entropy in the pool, don't block here.  It is
+			 * better to drain the pool once in a while and
+			 * then refill it than it is to constantly keep the
+			 * pool full.
+			 */
+			if (ent->pool.entropy >= THRESHOLD_BITS)
+				fillpool(ent, fillcount, false);
+			else
+				fillpool(ent, fillcount, blocking);
+
+			/*
+			 * Verify that we got enough entropy to do one
+			 * extraction.  If we didn't, bail.
+			 */
+			if (ent->pool.entropy < THRESHOLD_BITS) {
+				if (!partial)
+					goto zeroize;
+				else
+					goto partial_output;
+			}
+		} else {
+			/*
+			 * If we've extracted half our pool size in bits
+			 * since the last refresh, try to refresh here.
+			 */
+			if (ent->initialized < THRESHOLD_BITS)
+				fillpool(ent, THRESHOLD_BITS, blocking);
+			else
+				fillpool(ent, 0, false);
+
+			/*
+			 * If we've not initialized with enough good random
+			 * data, seed with our crappy code.
+			 */
+			if (ent->initialized < THRESHOLD_BITS)
+				reseed(ent);
+		}
+
+		isc_sha1_init(&hash);
+		isc_sha1_update(&hash, (void *)(ent->pool.pool),
+				RND_POOLBYTES);
+		isc_sha1_final(&hash, digest);
+
+		/*
+		 * Stir the extracted data (all of it) back into the pool.
+		 */
+		entropypool_adddata(ent, digest, ISC_SHA1_DIGESTLENGTH, 0);
+
+		for (i = 0; i < count; i++)
+			buf[i] = digest[i] ^ digest[i + RND_ENTROPY_THRESHOLD];
+
+		buf += count;
+		remain -= count;
+
+		deltae = count * 8;
+		deltae = ISC_MIN(deltae, ent->pool.entropy);
+		total += deltae;
+		subtract_entropy(ent, deltae);
+		add_pseudo(ent, count * 8);
+	}
+
+ partial_output:
+	isc_safe_memwipe(digest, sizeof(digest));
+
+	if (returned != NULL)
+		*returned = (length - remain);
+
+	UNLOCK(&ent->lock);
+
+	return (ISC_R_SUCCESS);
+
+ zeroize:
+	/* put the entropy we almost extracted back */
+	add_entropy(ent, total);
+	isc_safe_memwipe(data, length);
+	isc_safe_memwipe(digest, sizeof(digest));
+	if (returned != NULL)
+		*returned = 0;
+
+	UNLOCK(&ent->lock);
+
+	return (ISC_R_NOENTROPY);
+}
+
+static void
+isc_entropypool_init(isc_entropypool_t *pool) {
+	pool->cursor = RND_POOLWORDS - 1;
+	pool->entropy = 0;
+	pool->pseudo = 0;
+	pool->rotate = 0;
+	memset(pool->pool, 0, RND_POOLBYTES);
+}
+
+static void
+isc_entropypool_invalidate(isc_entropypool_t *pool) {
+	pool->cursor = 0;
+	pool->entropy = 0;
+	pool->pseudo = 0;
+	pool->rotate = 0;
+	memset(pool->pool, 0, RND_POOLBYTES);
+}
+
+isc_result_t
+isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
+	isc_result_t result;
+	isc_entropy_t *ent;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(entp != NULL && *entp == NULL);
+
+	ent = isc_mem_get(mctx, sizeof(isc_entropy_t));
+	if (ent == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * We need a lock.
+	 */
+	result = isc_mutex_init(&ent->lock);
+	if (result != ISC_R_SUCCESS)
+		goto errout;
+
+	/*
+	 * From here down, no failures will/can occur.
+	 */
+	ISC_LIST_INIT(ent->sources);
+	ent->nextsource = NULL;
+	ent->nsources = 0;
+	ent->mctx = NULL;
+	isc_mem_attach(mctx, &ent->mctx);
+	ent->refcnt = 1;
+	ent->initialized = 0;
+	ent->initcount = 0;
+	ent->magic = ENTROPY_MAGIC;
+
+	isc_entropypool_init(&ent->pool);
+
+	*entp = ent;
+	return (ISC_R_SUCCESS);
+
+ errout:
+	isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
+
+	return (result);
+}
+
+/*!
+ * Requires "ent" be locked.
+ */
+static void
+destroysource(isc_entropysource_t **sourcep) {
+	isc_entropysource_t *source;
+	isc_entropy_t *ent;
+	isc_cbsource_t *cbs;
+
+	source = *sourcep;
+	*sourcep = NULL;
+	ent = source->ent;
+
+	ISC_LIST_UNLINK(ent->sources, source, link);
+	ent->nextsource = NULL;
+	REQUIRE(ent->nsources > 0);
+	ent->nsources--;
+
+	switch (source->type) {
+	case ENTROPY_SOURCETYPE_FILE:
+		if (! source->bad)
+			destroyfilesource(&source->sources.file);
+		break;
+	case ENTROPY_SOURCETYPE_USOCKET:
+		if (! source->bad)
+			destroyusocketsource(&source->sources.usocket);
+		break;
+	case ENTROPY_SOURCETYPE_SAMPLE:
+		samplequeue_release(ent, &source->sources.sample.samplequeue);
+		break;
+	case ENTROPY_SOURCETYPE_CALLBACK:
+		cbs = &source->sources.callback;
+		if (cbs->start_called && cbs->stopfunc != NULL) {
+			cbs->stopfunc(source, cbs->arg);
+			cbs->start_called = false;
+		}
+		samplequeue_release(ent, &cbs->samplequeue);
+		break;
+	}
+
+	isc_safe_memwipe(source, sizeof(*source));
+	isc_mem_put(ent->mctx, source, sizeof(*source));
+}
+
+static inline bool
+destroy_check(isc_entropy_t *ent) {
+	isc_entropysource_t *source;
+
+	if (ent->refcnt > 0)
+		return (false);
+
+	source = ISC_LIST_HEAD(ent->sources);
+	while (source != NULL) {
+		switch (source->type) {
+		case ENTROPY_SOURCETYPE_FILE:
+		case ENTROPY_SOURCETYPE_USOCKET:
+			break;
+		default:
+			return (false);
+		}
+		source = ISC_LIST_NEXT(source, link);
+	}
+
+	return (true);
+}
+
+static void
+destroy(isc_entropy_t **entp) {
+	isc_entropy_t *ent;
+	isc_entropysource_t *source;
+	isc_mem_t *mctx;
+
+	REQUIRE(entp != NULL && *entp != NULL);
+	ent = *entp;
+	*entp = NULL;
+
+	LOCK(&ent->lock);
+
+	REQUIRE(ent->refcnt == 0);
+
+	/*
+	 * Here, detach non-sample sources.
+	 */
+	source = ISC_LIST_HEAD(ent->sources);
+	while (source != NULL) {
+		switch(source->type) {
+		case ENTROPY_SOURCETYPE_FILE:
+		case ENTROPY_SOURCETYPE_USOCKET:
+			destroysource(&source);
+			break;
+		}
+		source = ISC_LIST_HEAD(ent->sources);
+	}
+
+	/*
+	 * If there are other types of sources, we've found a bug.
+	 */
+	REQUIRE(ISC_LIST_EMPTY(ent->sources));
+
+	mctx = ent->mctx;
+
+	isc_entropypool_invalidate(&ent->pool);
+
+	UNLOCK(&ent->lock);
+
+	DESTROYLOCK(&ent->lock);
+
+	isc_safe_memwipe(ent, sizeof(*ent));
+	isc_mem_put(mctx, ent, sizeof(*ent));
+	isc_mem_detach(&mctx);
+}
+
+void
+isc_entropy_destroysource(isc_entropysource_t **sourcep) {
+	isc_entropysource_t *source;
+	isc_entropy_t *ent;
+	bool killit;
+
+	REQUIRE(sourcep != NULL);
+	REQUIRE(VALID_SOURCE(*sourcep));
+
+	source = *sourcep;
+	*sourcep = NULL;
+
+	ent = source->ent;
+	REQUIRE(VALID_ENTROPY(ent));
+
+	LOCK(&ent->lock);
+
+	destroysource(&source);
+
+	killit = destroy_check(ent);
+
+	UNLOCK(&ent->lock);
+
+	if (killit)
+		destroy(&ent);
+}
+
+isc_result_t
+isc_entropy_createcallbacksource(isc_entropy_t *ent,
+				 isc_entropystart_t start,
+				 isc_entropyget_t get,
+				 isc_entropystop_t stop,
+				 void *arg,
+				 isc_entropysource_t **sourcep)
+{
+	isc_result_t result;
+	isc_entropysource_t *source;
+	isc_cbsource_t *cbs;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(get != NULL);
+	REQUIRE(sourcep != NULL && *sourcep == NULL);
+
+	LOCK(&ent->lock);
+
+	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+	if (source == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto errout;
+	}
+	source->bad = false;
+
+	cbs = &source->sources.callback;
+
+	result = samplesource_allocate(ent, &cbs->samplequeue);
+	if (result != ISC_R_SUCCESS)
+		goto errout;
+
+	cbs->start_called = false;
+	cbs->startfunc = start;
+	cbs->getfunc = get;
+	cbs->stopfunc = stop;
+	cbs->arg = arg;
+
+	/*
+	 * From here down, no failures can occur.
+	 */
+	source->magic = SOURCE_MAGIC;
+	source->type = ENTROPY_SOURCETYPE_CALLBACK;
+	source->ent = ent;
+	source->total = 0;
+	memset(source->name, 0, sizeof(source->name));
+	ISC_LINK_INIT(source, link);
+
+	/*
+	 * Hook it into the entropy system.
+	 */
+	ISC_LIST_APPEND(ent->sources, source, link);
+	ent->nsources++;
+
+	*sourcep = source;
+
+	UNLOCK(&ent->lock);
+	return (ISC_R_SUCCESS);
+
+ errout:
+	if (source != NULL)
+		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+	UNLOCK(&ent->lock);
+
+	return (result);
+}
+
+void
+isc_entropy_stopcallbacksources(isc_entropy_t *ent) {
+	isc_entropysource_t *source;
+	isc_cbsource_t *cbs;
+
+	REQUIRE(VALID_ENTROPY(ent));
+
+	LOCK(&ent->lock);
+
+	source = ISC_LIST_HEAD(ent->sources);
+	while (source != NULL) {
+		if (source->type == ENTROPY_SOURCETYPE_CALLBACK) {
+			cbs = &source->sources.callback;
+			if (cbs->start_called && cbs->stopfunc != NULL) {
+				cbs->stopfunc(source, cbs->arg);
+				cbs->start_called = false;
+			}
+		}
+
+		source = ISC_LIST_NEXT(source, link);
+	}
+
+	UNLOCK(&ent->lock);
+}
+
+isc_result_t
+isc_entropy_createsamplesource(isc_entropy_t *ent,
+			       isc_entropysource_t **sourcep)
+{
+	isc_result_t result;
+	isc_entropysource_t *source;
+	sample_queue_t *sq;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(sourcep != NULL && *sourcep == NULL);
+
+	LOCK(&ent->lock);
+
+	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+	if (source == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto errout;
+	}
+
+	sq = &source->sources.sample.samplequeue;
+	result = samplesource_allocate(ent, sq);
+	if (result != ISC_R_SUCCESS)
+		goto errout;
+
+	/*
+	 * From here down, no failures can occur.
+	 */
+	source->magic = SOURCE_MAGIC;
+	source->type = ENTROPY_SOURCETYPE_SAMPLE;
+	source->ent = ent;
+	source->total = 0;
+	memset(source->name, 0, sizeof(source->name));
+	ISC_LINK_INIT(source, link);
+
+	/*
+	 * Hook it into the entropy system.
+	 */
+	ISC_LIST_APPEND(ent->sources, source, link);
+	ent->nsources++;
+
+	*sourcep = source;
+
+	UNLOCK(&ent->lock);
+	return (ISC_R_SUCCESS);
+
+ errout:
+	if (source != NULL)
+		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+	UNLOCK(&ent->lock);
+
+	return (result);
+}
+
+/*!
+ * Add a sample, and return ISC_R_SUCCESS if the queue has become full,
+ * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the
+ * queue was full when this function was called.
+ */
+static isc_result_t
+addsample(sample_queue_t *sq, uint32_t sample, uint32_t extra) {
+	if (sq->nsamples >= RND_EVENTQSIZE)
+		return (ISC_R_NOMORE);
+
+	sq->samples[sq->nsamples] = sample;
+	sq->extra[sq->nsamples] = extra;
+	sq->nsamples++;
+
+	if (sq->nsamples >= RND_EVENTQSIZE)
+		return (ISC_R_QUEUEFULL);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_entropy_addsample(isc_entropysource_t *source, uint32_t sample,
+		      uint32_t extra)
+{
+	isc_entropy_t *ent;
+	sample_queue_t *sq;
+	unsigned int entropy;
+	isc_result_t result;
+
+	REQUIRE(VALID_SOURCE(source));
+
+	ent = source->ent;
+
+	LOCK(&ent->lock);
+
+	sq = &source->sources.sample.samplequeue;
+	result = addsample(sq, sample, extra);
+	if (result == ISC_R_QUEUEFULL) {
+		entropy = crunchsamples(ent, sq);
+		add_entropy(ent, entropy);
+	}
+
+	UNLOCK(&ent->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc_entropy_addcallbacksample(isc_entropysource_t *source, uint32_t sample,
+			      uint32_t extra)
+{
+	sample_queue_t *sq;
+	isc_result_t result;
+
+	REQUIRE(VALID_SOURCE(source));
+	REQUIRE(source->type == ENTROPY_SOURCETYPE_CALLBACK);
+
+	sq = &source->sources.callback.samplequeue;
+	result = addsample(sq, sample, extra);
+
+	return (result);
+}
+
+void
+isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
+		    uint32_t entropy)
+{
+	REQUIRE(VALID_ENTROPY(ent));
+
+	LOCK(&ent->lock);
+
+	entropypool_adddata(ent, data, length, entropy);
+
+	if (ent->initialized < THRESHOLD_BITS)
+		ent->initialized = THRESHOLD_BITS;
+
+	UNLOCK(&ent->lock);
+}
+
+static void
+dumpstats(isc_entropy_t *ent, FILE *out) {
+	fprintf(out,
+		isc_msgcat_get(isc_msgcat, ISC_MSGSET_ENTROPY,
+			       ISC_MSG_ENTROPYSTATS,
+			       "Entropy pool %p:  refcnt %u cursor %u,"
+			       " rotate %u entropy %u pseudo %u nsources %u"
+			       " nextsource %p initialized %u initcount %u\n"),
+		ent, ent->refcnt,
+		ent->pool.cursor, ent->pool.rotate,
+		ent->pool.entropy, ent->pool.pseudo,
+		ent->nsources, ent->nextsource, ent->initialized,
+		ent->initcount);
+}
+
+/*
+ * This function ignores locking.  Use at your own risk.
+ */
+void
+isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
+	REQUIRE(VALID_ENTROPY(ent));
+
+	LOCK(&ent->lock);
+	dumpstats(ent, out);
+	UNLOCK(&ent->lock);
+}
+
+unsigned int
+isc_entropy_status(isc_entropy_t *ent) {
+	unsigned int estimate;
+
+	LOCK(&ent->lock);
+	estimate = ent->pool.entropy;
+	UNLOCK(&ent->lock);
+
+	return estimate;
+}
+
+void
+isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(entp != NULL && *entp == NULL);
+
+	LOCK(&ent->lock);
+
+	ent->refcnt++;
+	*entp = ent;
+
+	UNLOCK(&ent->lock);
+}
+
+void
+isc_entropy_detach(isc_entropy_t **entp) {
+	isc_entropy_t *ent;
+	bool killit;
+
+	REQUIRE(entp != NULL && VALID_ENTROPY(*entp));
+	ent = *entp;
+	*entp = NULL;
+
+	LOCK(&ent->lock);
+
+	REQUIRE(ent->refcnt > 0);
+	ent->refcnt--;
+
+	killit = destroy_check(ent);
+
+	UNLOCK(&ent->lock);
+
+	if (killit)
+		destroy(&ent);
+}
+
+static isc_result_t
+kbdstart(isc_entropysource_t *source, void *arg, bool blocking) {
+	/*
+	 * The intent of "first" is to provide a warning message only once
+	 * during the run of a program that might try to gather keyboard
+	 * entropy multiple times.
+	 */
+	static bool first = true;
+
+	UNUSED(arg);
+
+	if (! blocking)
+		return (ISC_R_NOENTROPY);
+
+	if (first) {
+		if (source->warn_keyboard)
+			fprintf(stderr, "You must use the keyboard to create "
+				"entropy, since your system is lacking\n"
+				"/dev/random (or equivalent)\n\n");
+		first = false;
+	}
+	fprintf(stderr, "start typing:\n");
+
+	return (isc_keyboard_open(&source->kbd));
+}
+
+static void
+kbdstop(isc_entropysource_t *source, void *arg) {
+
+	UNUSED(arg);
+
+	if (! isc_keyboard_canceled(&source->kbd))
+		fprintf(stderr, "stop typing.\r\n");
+
+	(void)isc_keyboard_close(&source->kbd, 3);
+}
+
+static isc_result_t
+kbdget(isc_entropysource_t *source, void *arg, bool blocking) {
+	isc_result_t result;
+	isc_time_t t;
+	uint32_t sample;
+	uint32_t extra;
+	unsigned char c;
+
+	UNUSED(arg);
+
+	if (!blocking)
+		return (ISC_R_NOTBLOCKING);
+
+	result = isc_keyboard_getchar(&source->kbd, &c);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	TIME_NOW(&t);
+
+	sample = isc_time_nanoseconds(&t);
+	extra = c;
+
+	result = isc_entropy_addcallbacksample(source, sample, extra);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "\r\n");
+		return (result);
+	}
+
+	fprintf(stderr, ".");
+	fflush(stderr);
+
+	return (result);
+}
+
+isc_result_t
+isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+			  const char *randomfile, int use_keyboard)
+{
+	isc_result_t result;
+	isc_result_t final_result = ISC_R_NOENTROPY;
+	bool userfile = true;
+
+	REQUIRE(VALID_ENTROPY(ectx));
+	REQUIRE(source != NULL && *source == NULL);
+	REQUIRE(use_keyboard == ISC_ENTROPY_KEYBOARDYES ||
+		use_keyboard == ISC_ENTROPY_KEYBOARDNO  ||
+		use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
+
+#ifdef PKCS11CRYPTO
+	if (randomfile != NULL)
+		pk11_rand_seed_fromfile(randomfile);
+#endif
+
+#ifdef PATH_RANDOMDEV
+	if (randomfile == NULL) {
+		randomfile = PATH_RANDOMDEV;
+		userfile = false;
+	}
+#endif
+
+	if (randomfile != NULL && use_keyboard != ISC_ENTROPY_KEYBOARDYES) {
+		result = isc_entropy_createfilesource(ectx, randomfile);
+		if (result == ISC_R_SUCCESS &&
+		    use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE)
+			use_keyboard = ISC_ENTROPY_KEYBOARDNO;
+		if (result != ISC_R_SUCCESS && userfile)
+			return (result);
+
+		final_result = result;
+	}
+
+	if (use_keyboard != ISC_ENTROPY_KEYBOARDNO) {
+		result = isc_entropy_createcallbacksource(ectx, kbdstart,
+							  kbdget, kbdstop,
+							  NULL, source);
+		if (result == ISC_R_SUCCESS)
+			(*source)->warn_keyboard =
+				(use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
+
+		if (final_result != ISC_R_SUCCESS)
+			final_result = result;
+	}
+
+	/*
+	 * final_result is ISC_R_SUCCESS if at least one source of entropy
+	 * could be started, otherwise it is the error from the most recently
+	 * failed operation (or ISC_R_NOENTROPY if PATH_RANDOMDEV is not
+	 * defined and use_keyboard is ISC_ENTROPY_KEYBOARDNO).
+	 */
+	return (final_result);
+}
diff --git a/lib/isc/error.c b/lib/isc/error.c
new file mode 100644
index 0000000..b0fe500
--- /dev/null
+++ b/lib/isc/error.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/error.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+
+/*% Default unexpected callback. */
+static void
+default_unexpected_callback(const char *, int, const char *, va_list)
+     ISC_FORMAT_PRINTF(3, 0);
+
+/*% Default fatal callback. */
+static void
+default_fatal_callback(const char *, int, const char *, va_list)
+     ISC_FORMAT_PRINTF(3, 0);
+
+/*% unexpected_callback */
+static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
+static isc_errorcallback_t fatal_callback = default_fatal_callback;
+
+void
+isc_error_setunexpected(isc_errorcallback_t cb) {
+	if (cb == NULL)
+		unexpected_callback = default_unexpected_callback;
+	else
+		unexpected_callback = cb;
+}
+
+void
+isc_error_setfatal(isc_errorcallback_t cb) {
+	if (cb == NULL)
+		fatal_callback = default_fatal_callback;
+	else
+		fatal_callback = cb;
+}
+
+void
+isc_error_unexpected(const char *file, int line, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	(unexpected_callback)(file, line, format, args);
+	va_end(args);
+}
+
+void
+isc_error_fatal(const char *file, int line, const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	(fatal_callback)(file, line, format, args);
+	va_end(args);
+	abort();
+}
+
+void
+isc_error_runtimecheck(const char *file, int line, const char *expression) {
+	isc_error_fatal(file, line, "RUNTIME_CHECK(%s) %s", expression,
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				       ISC_MSG_FAILED, "failed"));
+}
+
+static void
+default_unexpected_callback(const char *file, int line, const char *format,
+			    va_list args)
+{
+	fprintf(stderr, "%s:%d: ", file, line);
+	vfprintf(stderr, format, args);
+	fprintf(stderr, "\n");
+	fflush(stderr);
+}
+
+static void
+default_fatal_callback(const char *file, int line, const char *format,
+		       va_list args)
+{
+	fprintf(stderr, "%s:%d: %s: ", file, line,
+		isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+			       ISC_MSG_FATALERROR, "fatal error"));
+	vfprintf(stderr, format, args);
+	fprintf(stderr, "\n");
+	fflush(stderr);
+}
diff --git a/lib/isc/event.c b/lib/isc/event.c
new file mode 100644
index 0000000..500b6fd
--- /dev/null
+++ b/lib/isc/event.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*!
+ * \file
+ */
+
+#include <config.h>
+
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+/***
+ *** Events.
+ ***/
+
+static void
+destroy(isc_event_t *event) {
+	isc_mem_t *mctx = event->ev_destroy_arg;
+
+	isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+		   isc_taskaction_t action, void *arg, size_t size)
+{
+	isc_event_t *event;
+
+	REQUIRE(size >= sizeof(struct isc_event));
+	REQUIRE(action != NULL);
+
+	event = isc_mem_get(mctx, size);
+	if (event == NULL)
+		return (NULL);
+
+	ISC_EVENT_INIT(event, size, 0, NULL, type, action, arg,
+		       sender, destroy, mctx);
+
+	return (event);
+}
+
+isc_event_t *
+isc_event_constallocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+			isc_taskaction_t action, const void *arg, size_t size)
+{
+	isc_event_t *event;
+	void *deconst_arg;
+
+	REQUIRE(size >= sizeof(struct isc_event));
+	REQUIRE(action != NULL);
+
+	event = isc_mem_get(mctx, size);
+	if (event == NULL)
+		return (NULL);
+
+	/*
+	 * Removing the const attribute from "arg" is the best of two
+	 * evils here.  If the event->ev_arg member is made const, then
+	 * it affects a great many users of the task/event subsystem
+	 * which are not passing in an "arg" which starts its life as
+	 * const.  Changing isc_event_allocate() and isc_task_onshutdown()
+	 * to not have "arg" prototyped as const (which is quite legitimate,
+	 * because neither of those functions modify arg) can cause
+	 * compiler whining anytime someone does want to use a const
+	 * arg that they themselves never modify, such as with
+	 * gcc -Wwrite-strings and using a string "arg".
+	 */
+	DE_CONST(arg, deconst_arg);
+
+	ISC_EVENT_INIT(event, size, 0, NULL, type, action, deconst_arg,
+		       sender, destroy, mctx);
+
+	return (event);
+}
+
+void
+isc_event_free(isc_event_t **eventp) {
+	isc_event_t *event;
+
+	REQUIRE(eventp != NULL);
+	event = *eventp;
+	REQUIRE(event != NULL);
+
+	REQUIRE(!ISC_LINK_LINKED(event, ev_link));
+	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
+
+	if (event->ev_destroy != NULL)
+		(event->ev_destroy)(event);
+
+	*eventp = NULL;
+}
diff --git a/lib/isc/fsaccess.c b/lib/isc/fsaccess.c
new file mode 100644
index 0000000..deaffd8
--- /dev/null
+++ b/lib/isc/fsaccess.c
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * This file contains the OS-independent functionality of the API.
+ */
+
+#include <stdbool.h>
+
+#include <isc/fsaccess.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+/*!
+ * Shorthand.  Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
+ * <isc/fsaccess.h>.  Could check consistency with sizeof(isc_fsaccess_t)
+ * and the number of bits in each function.
+ */
+#define STEP		(ISC__FSACCESS_PERMISSIONBITS)
+#define GROUP		(STEP)
+#define OTHER		(STEP * 2)
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access) {
+	REQUIRE(trustee <= 0x7);
+	REQUIRE(permission <= 0xFF);
+
+	if ((trustee & ISC_FSACCESS_OWNER) != 0)
+		*access |= permission;
+
+	if ((trustee & ISC_FSACCESS_GROUP) != 0)
+		*access |= (permission << GROUP);
+
+	if ((trustee & ISC_FSACCESS_OTHER) != 0)
+		*access |= (permission << OTHER);
+}
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access) {
+	REQUIRE(trustee <= 0x7);
+	REQUIRE(permission <= 0xFF);
+
+
+	if ((trustee & ISC_FSACCESS_OWNER) != 0)
+		*access &= ~permission;
+
+	if ((trustee & ISC_FSACCESS_GROUP) != 0)
+		*access &= ~(permission << GROUP);
+
+	if ((trustee & ISC_FSACCESS_OTHER) != 0)
+		*access &= ~(permission << OTHER);
+}
+
+static isc_result_t
+check_bad_bits(isc_fsaccess_t access, bool is_dir) {
+	isc_fsaccess_t bits;
+
+	/*
+	 * Check for disallowed user bits.
+	 */
+	if (is_dir)
+		bits = ISC_FSACCESS_READ |
+		       ISC_FSACCESS_WRITE |
+		       ISC_FSACCESS_EXECUTE;
+	else
+		bits = ISC_FSACCESS_CREATECHILD |
+		       ISC_FSACCESS_ACCESSCHILD |
+		       ISC_FSACCESS_DELETECHILD |
+		       ISC_FSACCESS_LISTDIRECTORY;
+
+	/*
+	 * Set group bad bits.
+	 */
+	bits |= bits << STEP;
+	/*
+	 * Set other bad bits.
+	 */
+	bits |= bits << STEP;
+
+	if ((access & bits) != 0) {
+		if (is_dir)
+			return (ISC_R_NOTFILE);
+		else
+			return (ISC_R_NOTDIRECTORY);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
new file mode 100644
index 0000000..54be2fa
--- /dev/null
+++ b/lib/isc/hash.c
@@ -0,0 +1,579 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file
+ * Some portion of this code was derived from universal hash function
+ * libraries of Rice University.
+\section license UH Universal Hashing Library
+
+Copyright ((c)) 2002, Rice University
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+    * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above
+    copyright notice, this list of conditions and the following
+    disclaimer in the documentation and/or other materials provided
+    with the distribution.
+
+    * Neither the name of Rice University (RICE) nor the names of its
+    contributors may be used to endorse or promote products derived
+    from this software without specific prior written permission.
+
+
+This software is provided by RICE and the contributors on an "as is"
+basis, without any representations or warranties of any kind, express
+or implied including, but not limited to, representations or
+warranties of non-infringement, merchantability or fitness for a
+particular purpose. In no event shall RICE or contributors be liable
+for any direct, indirect, incidental, special, exemplary, or
+consequential damages (including, but not limited to, procurement of
+substitute goods or services; loss of use, data, or profits; or
+business interruption) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence
+or otherwise) arising in any way out of the use of this software, even
+if advised of the possibility of such damage.
+*/
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define HASH_MAGIC		ISC_MAGIC('H', 'a', 's', 'h')
+#define VALID_HASH(h)		ISC_MAGIC_VALID((h), HASH_MAGIC)
+
+/*%
+ * A large 32-bit prime number that specifies the range of the hash output.
+ */
+#define PRIME32 0xFFFFFFFB              /* 2^32 -  5 */
+
+/*@{*/
+/*%
+ * Types of random seed and hash accumulator.  Perhaps they can be system
+ * dependent.
+ */
+typedef uint32_t hash_accum_t;
+typedef uint16_t hash_random_t;
+/*@}*/
+
+/*% isc hash structure */
+struct isc_hash {
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	isc_mutex_t	lock;
+	bool	initialized;
+	isc_refcount_t	refcnt;
+	isc_entropy_t	*entropy; /*%< entropy source */
+	size_t		limit;	/*%< upper limit of key length */
+	size_t		vectorlen; /*%< size of the vector below */
+	hash_random_t	*rndvector; /*%< random vector for universal hashing */
+};
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+LIBISC_EXTERNAL_DATA isc_hash_t *isc_hashctx = NULL;
+
+static unsigned char maptolower[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+	0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+	0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+	0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+	0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+	0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+	0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+	0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+	0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+	0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+	0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+	0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+	0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+	0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+	0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+	0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+	0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+	0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+	0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+	0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+	0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+	0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+	0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+	0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+	0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+	0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+	0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+	0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+isc_result_t
+isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
+		   size_t limit, isc_hash_t **hctxp)
+{
+	isc_result_t result;
+	isc_hash_t *hctx;
+	size_t vlen;
+	hash_random_t *rv;
+	hash_accum_t overflow_limit;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(hctxp != NULL && *hctxp == NULL);
+
+	/*
+	 * Overflow check.  Since our implementation only does a modulo
+	 * operation at the last stage of hash calculation, the accumulator
+	 * must not overflow.
+	 */
+	overflow_limit =
+		1 << (((sizeof(hash_accum_t) - sizeof(hash_random_t))) * 8);
+	if (overflow_limit < (limit + 1) * 0xff)
+		return (ISC_R_RANGE);
+
+	hctx = isc_mem_get(mctx, sizeof(isc_hash_t));
+	if (hctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	vlen = sizeof(hash_random_t) * (limit + 1);
+	rv = isc_mem_get(mctx, vlen);
+	if (rv == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto errout;
+	}
+
+	/*
+	 * We need a lock.
+	 */
+	result = isc_mutex_init(&hctx->lock);
+	if (result != ISC_R_SUCCESS)
+		goto errout;
+
+	/*
+	 * From here down, no failures will/can occur.
+	 */
+	hctx->magic = HASH_MAGIC;
+	hctx->mctx = NULL;
+	isc_mem_attach(mctx, &hctx->mctx);
+	hctx->initialized = false;
+	result = isc_refcount_init(&hctx->refcnt, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_lock;
+	hctx->entropy = NULL;
+	hctx->limit = limit;
+	hctx->vectorlen = vlen;
+	hctx->rndvector = rv;
+
+	if (entropy != NULL)
+		isc_entropy_attach(entropy, &hctx->entropy);
+
+	*hctxp = hctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+	DESTROYLOCK(&hctx->lock);
+ errout:
+	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
+	if (rv != NULL)
+		isc_mem_put(mctx, rv, vlen);
+
+	return (result);
+}
+
+static void
+initialize_lock(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(mctx != NULL);
+	INSIST(isc_hashctx == NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+
+	if (isc_hashctx == NULL)
+		result = isc_hash_ctxcreate(mctx, entropy, limit,
+					    &isc_hashctx);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_hash_ctxinit(isc_hash_t *hctx) {
+	LOCK(&hctx->lock);
+
+	if (hctx->initialized == true)
+		goto out;
+
+	if (hctx->entropy != NULL) {
+		isc_result_t result;
+
+		result = isc_entropy_getdata(hctx->entropy,
+					     hctx->rndvector,
+					     (unsigned int)hctx->vectorlen,
+					     NULL, 0);
+		INSIST(result == ISC_R_SUCCESS);
+	} else {
+		uint32_t pr;
+		size_t i, copylen;
+		unsigned char *p;
+
+		p = (unsigned char *)hctx->rndvector;
+		for (i = 0; i < hctx->vectorlen; i += copylen, p += copylen) {
+			isc_random_get(&pr);
+			if (i + sizeof(pr) <= hctx->vectorlen)
+				copylen = sizeof(pr);
+			else
+				copylen = hctx->vectorlen - i;
+
+			memmove(p, &pr, copylen);
+		}
+		INSIST(p == (unsigned char *)hctx->rndvector +
+		       hctx->vectorlen);
+	}
+
+	hctx->initialized = true;
+
+ out:
+	UNLOCK(&hctx->lock);
+}
+
+void
+isc_hash_init(void) {
+	INSIST(isc_hashctx != NULL && VALID_HASH(isc_hashctx));
+
+	isc_hash_ctxinit(isc_hashctx);
+}
+
+void
+isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp) {
+	REQUIRE(VALID_HASH(hctx));
+	REQUIRE(hctxp != NULL && *hctxp == NULL);
+
+	isc_refcount_increment(&hctx->refcnt, NULL);
+	*hctxp = hctx;
+}
+
+static void
+destroy(isc_hash_t **hctxp) {
+	isc_hash_t *hctx;
+	isc_mem_t *mctx;
+
+	REQUIRE(hctxp != NULL && *hctxp != NULL);
+	hctx = *hctxp;
+	*hctxp = NULL;
+
+	LOCK(&hctx->lock);
+
+	isc_refcount_destroy(&hctx->refcnt);
+
+	mctx = hctx->mctx;
+	if (hctx->entropy != NULL)
+		isc_entropy_detach(&hctx->entropy);
+	if (hctx->rndvector != NULL)
+		isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
+
+	UNLOCK(&hctx->lock);
+
+	DESTROYLOCK(&hctx->lock);
+
+	memset(hctx, 0, sizeof(isc_hash_t));
+	isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
+	isc_mem_detach(&mctx);
+}
+
+void
+isc_hash_ctxdetach(isc_hash_t **hctxp) {
+	isc_hash_t *hctx;
+	unsigned int refs;
+
+	REQUIRE(hctxp != NULL && VALID_HASH(*hctxp));
+	hctx = *hctxp;
+
+	isc_refcount_decrement(&hctx->refcnt, &refs);
+	if (refs == 0)
+		destroy(&hctx);
+
+	*hctxp = NULL;
+}
+
+void
+isc_hash_destroy(void) {
+	unsigned int refs;
+
+	INSIST(isc_hashctx != NULL && VALID_HASH(isc_hashctx));
+
+	isc_refcount_decrement(&isc_hashctx->refcnt, &refs);
+	INSIST(refs == 0);
+
+	destroy(&isc_hashctx);
+}
+
+static inline unsigned int
+hash_calc(isc_hash_t *hctx, const unsigned char *key, unsigned int keylen,
+	  bool case_sensitive)
+{
+	hash_accum_t partial_sum = 0;
+	hash_random_t *p = hctx->rndvector;
+	unsigned int i = 0;
+
+	/* Make it sure that the hash context is initialized. */
+	if (hctx->initialized == false)
+		isc_hash_ctxinit(hctx);
+
+	if (case_sensitive) {
+		for (i = 0; i < keylen; i++)
+			partial_sum += key[i] * (hash_accum_t)p[i];
+	} else {
+		for (i = 0; i < keylen; i++)
+			partial_sum += maptolower[key[i]] * (hash_accum_t)p[i];
+	}
+
+	partial_sum += p[i];
+
+	return ((unsigned int)(partial_sum % PRIME32));
+}
+
+unsigned int
+isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
+		 unsigned int keylen, bool case_sensitive)
+{
+	REQUIRE(hctx != NULL && VALID_HASH(hctx));
+	REQUIRE(keylen <= hctx->limit);
+
+	return (hash_calc(hctx, key, keylen, case_sensitive));
+}
+
+unsigned int
+isc_hash_calc(const unsigned char *key, unsigned int keylen,
+	      bool case_sensitive)
+{
+	INSIST(isc_hashctx != NULL && VALID_HASH(isc_hashctx));
+	REQUIRE(keylen <= isc_hashctx->limit);
+
+	return (hash_calc(isc_hashctx, key, keylen, case_sensitive));
+}
+
+void
+isc__hash_setvec(const uint16_t *vec) {
+	int i;
+	hash_random_t *p;
+
+	if (isc_hashctx == NULL)
+		return;
+
+	p = isc_hashctx->rndvector;
+	for (i = 0; i < 256; i++) {
+		p[i] = vec[i];
+	}
+}
+
+static uint32_t fnv_offset_basis;
+static isc_once_t fnv_once = ISC_ONCE_INIT;
+static bool fnv_initialized = false;
+
+static void
+fnv_initialize(void) {
+	/*
+	 * This function should not leave fnv_offset_basis set to
+	 * 0. Also, after this function has been called, if it is called
+	 * again, it should not change fnv_offset_basis.
+	 */
+	while (fnv_offset_basis == 0) {
+		isc_random_get(&fnv_offset_basis);
+	}
+
+	fnv_initialized = true;
+}
+
+const void *
+isc_hash_get_initializer(void) {
+	if (ISC_UNLIKELY(!fnv_initialized))
+		RUNTIME_CHECK(isc_once_do(&fnv_once, fnv_initialize) == ISC_R_SUCCESS);
+
+	return (&fnv_offset_basis);
+}
+
+void
+isc_hash_set_initializer(const void *initializer) {
+	REQUIRE(initializer != NULL);
+
+	/*
+	 * Ensure that fnv_initialize() is not called after
+	 * isc_hash_set_initializer() is called.
+	 */
+	if (ISC_UNLIKELY(!fnv_initialized))
+		RUNTIME_CHECK(isc_once_do(&fnv_once, fnv_initialize) == ISC_R_SUCCESS);
+
+	fnv_offset_basis = *((const unsigned int *) initializer);
+}
+
+uint32_t
+isc_hash_function(const void *data, size_t length,
+		  bool case_sensitive,
+		  const uint32_t *previous_hashp)
+{
+	uint32_t hval;
+	const unsigned char *bp;
+	const unsigned char *be;
+
+	REQUIRE(length == 0 || data != NULL);
+
+	if (ISC_UNLIKELY(!fnv_initialized))
+		RUNTIME_CHECK(isc_once_do(&fnv_once, fnv_initialize) == ISC_R_SUCCESS);
+
+	hval = ISC_UNLIKELY(previous_hashp != NULL) ?
+		*previous_hashp : fnv_offset_basis;
+
+	if (length == 0)
+		return (hval);
+
+	bp = (const unsigned char *) data;
+	be = bp + length;
+
+	/*
+	 * Fowler-Noll-Vo FNV-1a hash function.
+	 *
+	 * NOTE: A random FNV offset basis is used by default to avoid
+	 * collision attacks as the hash function is reversible. This
+	 * makes the mapping non-deterministic, but the distribution in
+	 * the domain is still uniform.
+	 */
+
+	if (case_sensitive) {
+		while (bp <= be - 4) {
+			hval ^= bp[0];
+			hval *= 16777619;
+			hval ^= bp[1];
+			hval *= 16777619;
+			hval ^= bp[2];
+			hval *= 16777619;
+			hval ^= bp[3];
+			hval *= 16777619;
+			bp += 4;
+		}
+		while (bp < be) {
+			hval ^= *bp++;
+			hval *= 16777619;
+		}
+	} else {
+		while (bp <= be - 4) {
+			hval ^= maptolower[bp[0]];
+			hval *= 16777619;
+			hval ^= maptolower[bp[1]];
+			hval *= 16777619;
+			hval ^= maptolower[bp[2]];
+			hval *= 16777619;
+			hval ^= maptolower[bp[3]];
+			hval *= 16777619;
+			bp += 4;
+		}
+		while (bp < be) {
+			hval ^= maptolower[*bp++];
+			hval *= 16777619;
+		}
+	}
+
+	return (hval);
+}
+
+uint32_t
+isc_hash_function_reverse(const void *data, size_t length,
+			  bool case_sensitive,
+			  const uint32_t *previous_hashp)
+{
+	uint32_t hval;
+	const unsigned char *bp;
+	const unsigned char *be;
+
+	REQUIRE(length == 0 || data != NULL);
+
+	if (ISC_UNLIKELY(!fnv_initialized))
+		RUNTIME_CHECK(isc_once_do(&fnv_once, fnv_initialize) == ISC_R_SUCCESS);
+
+	hval = ISC_UNLIKELY(previous_hashp != NULL) ?
+		*previous_hashp : fnv_offset_basis;
+
+	if (length == 0)
+		return (hval);
+
+	bp = (const unsigned char *) data;
+	be = bp + length;
+
+	/*
+	 * Fowler-Noll-Vo FNV-1a hash function.
+	 *
+	 * NOTE: A random FNV offset basis is used by default to avoid
+	 * collision attacks as the hash function is reversible. This
+	 * makes the mapping non-deterministic, but the distribution in
+	 * the domain is still uniform.
+	 */
+
+	if (case_sensitive) {
+		while (be >= bp + 4) {
+			be -= 4;
+			hval ^= be[3];
+			hval *= 16777619;
+			hval ^= be[2];
+			hval *= 16777619;
+			hval ^= be[1];
+			hval *= 16777619;
+			hval ^= be[0];
+			hval *= 16777619;
+		}
+		while (--be >= bp) {
+			hval ^= *be;
+			hval *= 16777619;
+		}
+	} else {
+		while (be >= bp + 4) {
+			be -= 4;
+			hval ^= maptolower[be[3]];
+			hval *= 16777619;
+			hval ^= maptolower[be[2]];
+			hval *= 16777619;
+			hval ^= maptolower[be[1]];
+			hval *= 16777619;
+			hval ^= maptolower[be[0]];
+			hval *= 16777619;
+		}
+		while (--be >= bp) {
+			hval ^= maptolower[*be];
+			hval *= 16777619;
+		}
+	}
+
+	return (hval);
+}
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
new file mode 100644
index 0000000..22fa81c
--- /dev/null
+++ b/lib/isc/heap.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * Heap implementation of priority queues adapted from the following:
+ *
+ *	\li "Introduction to Algorithms," Cormen, Leiserson, and Rivest,
+ *	MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
+ *
+ *	\li "Algorithms," Second Edition, Sedgewick, Addison-Wesley, 1988,
+ *	ISBN 0-201-06673-4, chapter 11.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/heap.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>		/* Required for memmove. */
+#include <isc/util.h>
+
+/*@{*/
+/*%
+ * Note: to make heap_parent and heap_left easy to compute, the first
+ * element of the heap array is not used; i.e. heap subscripts are 1-based,
+ * not 0-based.  The parent is index/2, and the left-child is index*2.
+ * The right child is index*2+1.
+ */
+#define heap_parent(i)			((i) >> 1)
+#define heap_left(i)			((i) << 1)
+/*@}*/
+
+#define SIZE_INCREMENT			1024
+
+#define HEAP_MAGIC			ISC_MAGIC('H', 'E', 'A', 'P')
+#define VALID_HEAP(h)			ISC_MAGIC_VALID(h, HEAP_MAGIC)
+
+/*%
+ * When the heap is in a consistent state, the following invariant
+ * holds true: for every element i > 1, heap_parent(i) has a priority
+ * higher than or equal to that of i.
+ */
+#define HEAPCONDITION(i) ((i) == 1 || \
+			  ! heap->compare(heap->array[(i)], \
+					  heap->array[heap_parent(i)]))
+
+/*% ISC heap structure. */
+struct isc_heap {
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	unsigned int			size;
+	unsigned int			size_increment;
+	unsigned int			last;
+	void				**array;
+	isc_heapcompare_t		compare;
+	isc_heapindex_t			index;
+};
+
+#ifdef ISC_HEAP_CHECK
+static void
+heap_check(isc_heap_t *heap) {
+	unsigned int i;
+	for (i = 1; i <= heap->last; i++) {
+		INSIST(HEAPCONDITION(i));
+	}
+}
+#else
+#define heap_check(x) (void)0
+#endif
+
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t idx, unsigned int size_increment,
+		isc_heap_t **heapp)
+{
+	isc_heap_t *heap;
+
+	REQUIRE(heapp != NULL && *heapp == NULL);
+	REQUIRE(compare != NULL);
+
+	heap = isc_mem_get(mctx, sizeof(*heap));
+	if (heap == NULL)
+		return (ISC_R_NOMEMORY);
+	heap->magic = HEAP_MAGIC;
+	heap->size = 0;
+	heap->mctx = NULL;
+	isc_mem_attach(mctx, &heap->mctx);
+	if (size_increment == 0)
+		heap->size_increment = SIZE_INCREMENT;
+	else
+		heap->size_increment = size_increment;
+	heap->last = 0;
+	heap->array = NULL;
+	heap->compare = compare;
+	heap->index = idx;
+
+	*heapp = heap;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_heap_destroy(isc_heap_t **heapp) {
+	isc_heap_t *heap;
+
+	REQUIRE(heapp != NULL);
+	heap = *heapp;
+	REQUIRE(VALID_HEAP(heap));
+
+	if (heap->array != NULL)
+		isc_mem_put(heap->mctx, heap->array,
+			    heap->size * sizeof(void *));
+	heap->magic = 0;
+	isc_mem_putanddetach(&heap->mctx, heap, sizeof(*heap));
+
+	*heapp = NULL;
+}
+
+static bool
+resize(isc_heap_t *heap) {
+	void **new_array;
+	unsigned int new_size;
+
+	REQUIRE(VALID_HEAP(heap));
+
+	new_size = heap->size + heap->size_increment;
+	new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
+	if (new_array == NULL)
+		return (false);
+	if (heap->array != NULL) {
+		memmove(new_array, heap->array, heap->size * sizeof(void *));
+		isc_mem_put(heap->mctx, heap->array,
+			    heap->size * sizeof(void *));
+	}
+	heap->size = new_size;
+	heap->array = new_array;
+
+	return (true);
+}
+
+static void
+float_up(isc_heap_t *heap, unsigned int i, void *elt) {
+	unsigned int p;
+
+	for (p = heap_parent(i) ;
+	     i > 1 && heap->compare(elt, heap->array[p]) ;
+	     i = p, p = heap_parent(i)) {
+		heap->array[i] = heap->array[p];
+		if (heap->index != NULL)
+			(heap->index)(heap->array[i], i);
+	}
+	heap->array[i] = elt;
+	if (heap->index != NULL)
+		(heap->index)(heap->array[i], i);
+
+	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
+}
+
+static void
+sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
+	unsigned int j, size, half_size;
+	size = heap->last;
+	half_size = size / 2;
+	while (i <= half_size) {
+		/* Find the smallest of the (at most) two children. */
+		j = heap_left(i);
+		if (j < size && heap->compare(heap->array[j+1],
+					      heap->array[j]))
+			j++;
+		if (heap->compare(elt, heap->array[j]))
+			break;
+		heap->array[i] = heap->array[j];
+		if (heap->index != NULL)
+			(heap->index)(heap->array[i], i);
+		i = j;
+	}
+	heap->array[i] = elt;
+	if (heap->index != NULL)
+		(heap->index)(heap->array[i], i);
+
+	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
+}
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt) {
+	unsigned int new_last;
+
+	REQUIRE(VALID_HEAP(heap));
+
+	heap_check(heap);
+	new_last = heap->last + 1;
+	RUNTIME_CHECK(new_last > 0); /* overflow check */
+	if (new_last >= heap->size && !resize(heap))
+		return (ISC_R_NOMEMORY);
+	heap->last = new_last;
+
+	float_up(heap, new_last, elt);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int idx) {
+	void *elt;
+	bool less;
+
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	heap_check(heap);
+	if (heap->index != NULL)
+		(heap->index)(heap->array[idx], 0);
+	if (idx == heap->last) {
+		heap->array[heap->last] = NULL;
+		heap->last--;
+		heap_check(heap);
+	} else {
+		elt = heap->array[heap->last];
+		heap->array[heap->last] = NULL;
+		heap->last--;
+
+		less = heap->compare(elt, heap->array[idx]);
+		heap->array[idx] = elt;
+		if (less)
+			float_up(heap, idx, heap->array[idx]);
+		else
+			sink_down(heap, idx, heap->array[idx]);
+	}
+}
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	float_up(heap, idx, heap->array[idx]);
+}
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1 && idx <= heap->last);
+
+	sink_down(heap, idx, heap->array[idx]);
+}
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int idx) {
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(idx >= 1);
+
+	heap_check(heap);
+	if (idx <= heap->last)
+		return (heap->array[idx]);
+	return (NULL);
+}
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
+	unsigned int i;
+
+	REQUIRE(VALID_HEAP(heap));
+	REQUIRE(action != NULL);
+
+	for (i = 1 ; i <= heap->last ; i++)
+		(action)(heap->array[i], uap);
+}
diff --git a/lib/isc/hex.c b/lib/isc/hex.c
new file mode 100644
index 0000000..6d231ab
--- /dev/null
+++ b/lib/isc/hex.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+
+/*
+ * BEW: These static functions are copied from lib/dns/rdata.c.
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char hex[] = "0123456789ABCDEF";
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength,
+	       const char *wordbreak, isc_buffer_t *target)
+{
+	char buf[3];
+	unsigned int loops = 0;
+
+	if (wordlength < 2)
+		wordlength = 2;
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 0) {
+		buf[0] = hex[(source->base[0] >> 4) & 0xf];
+		buf[1] = hex[(source->base[0]) & 0xf];
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 1);
+
+		loops++;
+		if (source->length != 0 &&
+		    (int)((loops + 1) * 2) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * State of a hex decoding process in progress.
+ */
+typedef struct {
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered hex digits */
+	int val[2];
+} hex_decode_ctx_t;
+
+static inline void
+hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target)
+{
+	ctx->digits = 0;
+	ctx->length = length;
+	ctx->target = target;
+}
+
+static inline isc_result_t
+hex_decode_char(hex_decode_ctx_t *ctx, int c) {
+	const char *s;
+
+	if ((s = strchr(hex, toupper(c))) == NULL)
+		return (ISC_R_BADHEX);
+	ctx->val[ctx->digits++] = (int)(s - hex);
+	if (ctx->digits == 2) {
+		unsigned char num;
+
+		num = (ctx->val[0] << 4) + (ctx->val[1]);
+		RETERR(mem_tobuffer(ctx->target, &num, 1));
+		if (ctx->length >= 0) {
+			if (ctx->length == 0)
+				return (ISC_R_BADHEX);
+			else
+				ctx->length -= 1;
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+hex_decode_finish(hex_decode_ctx_t *ctx) {
+	if (ctx->length > 0)
+		return (ISC_R_UNEXPECTEDEND);
+	if (ctx->digits != 0)
+		return (ISC_R_BADHEX);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	hex_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	bool eol;
+
+	hex_decode_init(&ctx, length, target);
+
+	while (ctx.length != 0) {
+		unsigned int i;
+
+		if (length > 0)
+			eol = false;
+		else
+			eol = true;
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string)
+			break;
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++)
+			RETERR(hex_decode_char(&ctx, tr->base[i]));
+	}
+	if (ctx.length < 0)
+		isc_lex_ungettoken(lexer, &token);
+	RETERR(hex_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target) {
+	hex_decode_ctx_t ctx;
+
+	hex_decode_init(&ctx, -1, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0')
+			break;
+		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+			continue;
+		RETERR(hex_decode_char(&ctx, c));
+	}
+	RETERR(hex_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memmove(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length)
+		return (ISC_R_NOSPACE);
+	memmove(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
new file mode 100644
index 0000000..0aa270d
--- /dev/null
+++ b/lib/isc/hmacmd5.c
@@ -0,0 +1,423 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: hmacmd5.c,v 1.16 2009/02/06 23:47:42 tbox Exp $ */
+
+/*! \file
+ * This code implements the HMAC-MD5 keyed hash algorithm
+ * described in RFC2104.
+ */
+
+#include "config.h"
+
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/hmacmd5.h>
+#include <isc/md5.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#if PKCS11CRYPTO
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#endif
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
+#endif
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_md5(), NULL) == 1);
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, digest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+#elif PKCS11CRYPTO
+
+#ifndef PK11_MD5_HMAC_REPLACE
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_MD5_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_MD5_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_MD5_DIGESTLENGTH];
+
+	if (len < ISC_MD5_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_MD5_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+	CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+	CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	CK_RV rv;
+	CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+	PK11_FATALCHECK(pkcs_C_SignFinal,
+			(ctx->session, (CK_BYTE_PTR) digest, &len));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+#else
+/* Replace missing CKM_MD5_HMAC PKCS#11 mechanism */
+
+#define PADLEN 64
+#define IPAD 0x36
+#define OPAD 0x5C
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+	unsigned char ipad[PADLEN];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(PADLEN)) != NULL);
+	if (len > PADLEN) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_MD5_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, PADLEN);
+	for (i = 0; i < PADLEN; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad, (CK_ULONG) PADLEN));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, PADLEN);
+	ctx->key = NULL;
+	isc_md5_invalidate(ctx);
+}
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+	CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+	CK_BYTE opad[PADLEN];
+	unsigned int i;
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal,
+			(ctx->session, (CK_BYTE_PTR) digest,
+			 (CK_ULONG_PTR) &len));
+	memset(opad, OPAD, PADLEN);
+	for (i = 0; i < PADLEN; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, PADLEN);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad, (CK_ULONG) PADLEN));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) digest, len));
+	PK11_FATALCHECK(pkcs_C_DigestFinal,
+			(ctx->session,
+			 (CK_BYTE_PTR) digest,
+			 (CK_ULONG_PTR) &len));
+	pk11_return_session(ctx);
+}
+#endif
+
+#else
+
+#define PADLEN 64
+#define IPAD 0x36
+#define OPAD 0x5C
+
+/*!
+ * Start HMAC-MD5 process.  Initialize an md5 context and digest the key.
+ */
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	unsigned char ipad[PADLEN];
+	int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_md5_t md5ctx;
+		isc_md5_init(&md5ctx);
+		isc_md5_update(&md5ctx, key, len);
+		isc_md5_final(&md5ctx, ctx->key);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_md5_init(&ctx->md5ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < PADLEN; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+	isc_md5_invalidate(&ctx->md5ctx);
+	isc_safe_memwipe(ctx->key, sizeof(ctx->key));
+}
+
+/*!
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_md5_update(&ctx->md5ctx, buf, len);
+}
+
+/*!
+ * Compute signature - finalize MD5 operation and reapply MD5.
+ */
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	unsigned char opad[PADLEN];
+	int i;
+
+	isc_md5_final(&ctx->md5ctx, digest);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < PADLEN; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_md5_init(&ctx->md5ctx);
+	isc_md5_update(&ctx->md5ctx, opad, sizeof(opad));
+	isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH);
+	isc_md5_final(&ctx->md5ctx, digest);
+	isc_hmacmd5_invalidate(ctx);
+}
+
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*!
+ * Verify signature - finalize MD5 operation and reapply MD5, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) {
+	return (isc_hmacmd5_verify2(ctx, digest, ISC_MD5_DIGESTLENGTH));
+}
+
+bool
+isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_MD5_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_MD5_DIGESTLENGTH);
+	isc_hmacmd5_sign(ctx, newdigest);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Check for MD5 support; if it does not work, raise a fatal error.
+ *
+ * Use the first test vector from RFC 2104, with a second round using
+ * a too-short key.
+ *
+ * Standard use is testing 0 and expecting result true.
+ * Testing use is testing 1..4 and expecting result false.
+ */
+bool
+isc_hmacmd5_check(int testing) {
+	isc_hmacmd5_t ctx;
+	unsigned char key[] = { /* 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b */
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
+	};
+	unsigned char input[] = { /* "Hi There" */
+		0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+	};
+	unsigned char expected[] = {
+		0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
+		0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
+	};
+	unsigned char expected2[] = {
+		0xad, 0xb8, 0x48, 0x05, 0xb8, 0x8d, 0x03, 0xe5,
+		0x90, 0x1e, 0x4b, 0x05, 0x69, 0xce, 0x35, 0xea
+	};
+	bool result;
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	switch (testing) {
+	case 0:
+	default:
+		break;
+	case 1:
+		key[0] ^= 0x01;
+		break;
+	case 2:
+		input[0] ^= 0x01;
+		break;
+	case 3:
+		expected[0] ^= 0x01;
+		break;
+	case 4:
+		expected2[0] ^= 0x01;
+		break;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_hmacmd5_init(&ctx, key, 16U);
+	isc_hmacmd5_update(&ctx, input, 8U);
+	result = isc_hmacmd5_verify2(&ctx, expected, sizeof(expected));
+	if (!result) {
+		return (result);
+	}
+
+	/* Second round using a byte key */
+	isc_hmacmd5_init(&ctx, key, 1U);
+	isc_hmacmd5_update(&ctx, input, 8U);
+	return (isc_hmacmd5_verify2(&ctx, expected2, sizeof(expected2)));
+}
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_hmacmd5_init() { INSIST(0); }
+void isc_hmacmd5_invalidate() { INSIST(0); }
+void isc_hmacmd5_sign() { INSIST(0); }
+void isc_hmacmd5_update() { INSIST(0); }
+void isc_hmacmd5_verify() { INSIST(0); }
+void isc_hmacmd5_verify2() { INSIST(0); }
+void isc_hmacmd5_check() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
new file mode 100644
index 0000000..2839f4f
--- /dev/null
+++ b/lib/isc/hmacsha.c
@@ -0,0 +1,1575 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+/*
+ * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
+ * and HMAC-SHA512 keyed hash algorithm described in RFC 2104 and
+ * draft-ietf-dnsext-tsig-sha-01.txt.
+ */
+
+#include "config.h"
+
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/hmacsha.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#if PKCS11CRYPTO
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#endif
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
+#define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
+#endif
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_sha1(), NULL) == 1);
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_sha224(), NULL) == 1);
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_sha256(), NULL) == 1);
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_sha384(), NULL) == 1);
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	ctx->ctx = HMAC_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	RUNTIME_CHECK(HMAC_Init_ex(ctx->ctx, (const void *) key,
+				   (int) len, EVP_sha512(), NULL) == 1);
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	if (ctx->ctx == NULL)
+		return;
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	RUNTIME_CHECK(HMAC_Update(ctx->ctx, buf, (int) len) == 1);
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+	RUNTIME_CHECK(HMAC_Final(ctx->ctx, newdigest, NULL) == 1);
+	HMAC_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+#elif PKCS11CRYPTO
+
+#if defined(PK11_SHA_1_HMAC_REPLACE) || \
+    defined(PK11_SHA224_HMAC_REPLACE) || \
+    defined(PK11_SHA256_HMAC_REPLACE) || \
+    defined(PK11_SHA384_HMAC_REPLACE) || \
+    defined(PK11_SHA512_HMAC_REPLACE)
+#define IPAD 0x36
+#define OPAD 0x5C
+#endif
+
+#if !defined(PK11_SHA_1_HMAC_REPLACE) && \
+    !defined(PK11_SHA224_HMAC_REPLACE) && \
+    !defined(PK11_SHA256_HMAC_REPLACE) && \
+    !defined(PK11_SHA384_HMAC_REPLACE) && \
+    !defined(PK11_SHA512_HMAC_REPLACE)
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+#endif
+
+#ifndef PK11_SHA_1_HMAC_REPLACE
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		 unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA_1_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_SHA_1_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH];
+
+	if (len < ISC_SHA1_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA1_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#else
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+	unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA1_BLOCK_LENGTH))
+		      != NULL);
+	if (len > ISC_SHA1_BLOCK_LENGTH) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_SHA1_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, ISC_SHA1_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad,
+			 (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+	ctx->key = NULL;
+	isc_sha1_invalidate(ctx);
+}
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA1_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA1_DIGESTLENGTH;
+	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+	CK_BYTE opad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	memset(opad, OPAD, ISC_SHA1_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, ISC_SHA1_BLOCK_LENGTH);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad,
+			 (CK_ULONG) ISC_SHA1_BLOCK_LENGTH));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) newdigest, psl));
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA224_HMAC_REPLACE
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA224_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_SHA224_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH];
+
+	if (len < ISC_SHA224_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA224_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#else
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+	unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA224_BLOCK_LENGTH))
+		      != NULL);
+	if (len > ISC_SHA224_BLOCK_LENGTH) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_SHA224_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, ISC_SHA224_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad,
+			 (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+	ctx->key = NULL;
+	isc_sha224_invalidate(ctx);
+}
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA224_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA224_DIGESTLENGTH;
+	CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+	CK_BYTE opad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	memset(opad, OPAD, ISC_SHA224_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, ISC_SHA224_BLOCK_LENGTH);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad,
+			 (CK_ULONG) ISC_SHA224_BLOCK_LENGTH));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) newdigest, psl));
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA256_HMAC_REPLACE
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA256_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_SHA256_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH];
+
+	if (len < ISC_SHA256_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA256_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#else
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+	unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA256_BLOCK_LENGTH))
+		      != NULL);
+	if (len > ISC_SHA256_BLOCK_LENGTH) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_SHA256_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, ISC_SHA256_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad,
+			 (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+	ctx->key = NULL;
+	isc_sha256_invalidate(ctx);
+}
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA256_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA256_DIGESTLENGTH;
+	CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+	CK_BYTE opad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	memset(opad, OPAD, ISC_SHA256_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, ISC_SHA256_BLOCK_LENGTH);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad,
+			 (CK_ULONG) ISC_SHA256_BLOCK_LENGTH));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) newdigest, psl));
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA384_HMAC_REPLACE
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA384_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_SHA384_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH];
+
+	if (len < ISC_SHA384_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA384_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#else
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+	unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA384_BLOCK_LENGTH))
+		      != NULL);
+	if (len > ISC_SHA384_BLOCK_LENGTH) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_SHA384_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, ISC_SHA384_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad,
+			 (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+	ctx->key = NULL;
+	isc_sha384_invalidate(ctx);
+}
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA384_DIGESTLENGTH;
+	CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+	CK_BYTE opad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	memset(opad, OPAD, ISC_SHA384_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, ISC_SHA384_BLOCK_LENGTH);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad,
+			 (CK_ULONG) ISC_SHA384_BLOCK_LENGTH));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) newdigest, psl));
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif
+
+#ifndef PK11_SHA512_HMAC_REPLACE
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA512_HMAC, NULL, 0 };
+	CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
+	CK_KEY_TYPE keyType = CKK_SHA512_HMAC;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_VALUE, NULL, (CK_ULONG) len }
+	};
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH];
+
+	if (len < ISC_SHA512_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA512_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
+	DE_CONST(key, keyTemplate[5].pValue);
+#endif
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	ctx->object = CK_INVALID_HANDLE;
+	PK11_FATALCHECK(pkcs_C_CreateObject,
+			(ctx->session, keyTemplate,
+			 (CK_ULONG) 6, &ctx->object));
+	INSIST(ctx->object != CK_INVALID_HANDLE);
+	PK11_FATALCHECK(pkcs_C_SignInit, (ctx->session, &mech, ctx->object));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_SignUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_SignFinal, (ctx->session, newdigest, &psl));
+	if (ctx->object != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
+	ctx->object = CK_INVALID_HANDLE;
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#else
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+	unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned int i;
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK((ctx->key = pk11_mem_get(ISC_SHA512_BLOCK_LENGTH))
+		      != NULL);
+	if (len > ISC_SHA512_BLOCK_LENGTH) {
+		CK_BYTE_PTR kPart;
+		CK_ULONG kl;
+
+		PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+		DE_CONST(key, kPart);
+		PK11_FATALCHECK(pkcs_C_DigestUpdate,
+				(ctx->session, kPart, (CK_ULONG) len));
+		kl = ISC_SHA512_DIGESTLENGTH;
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(ctx->session, (CK_BYTE_PTR) ctx->key, &kl));
+	} else
+		memmove(ctx->key, key, len);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	memset(ipad, IPAD, ISC_SHA512_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, ipad,
+			 (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	if (ctx->key != NULL)
+		pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+	ctx->key = NULL;
+	isc_sha512_invalidate(ctx);
+}
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		      unsigned int len)
+{
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	CK_RV rv;
+	CK_BYTE newdigest[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG psl = ISC_SHA512_DIGESTLENGTH;
+	CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+	CK_BYTE opad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	memset(opad, OPAD, ISC_SHA512_BLOCK_LENGTH);
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+	pk11_mem_put(ctx->key, ISC_SHA512_BLOCK_LENGTH);
+	ctx->key = NULL;
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, opad,
+			 (CK_ULONG) ISC_SHA512_BLOCK_LENGTH));
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, (CK_BYTE_PTR) newdigest, psl));
+	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
+	pk11_return_session(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif
+
+#else
+
+#define IPAD 0x36
+#define OPAD 0x5C
+
+/*
+ * Start HMAC-SHA1 process.  Initialize an sha1 context and digest the key.
+ */
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len)
+{
+	unsigned char ipad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha1_t sha1ctx;
+		isc_sha1_init(&sha1ctx);
+		isc_sha1_update(&sha1ctx, key, len);
+		isc_sha1_final(&sha1ctx, ctx->key);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_sha1_init(&ctx->sha1ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha1_update(&ctx->sha1ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
+	isc_sha1_invalidate(&ctx->sha1ctx);
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha1_update(&ctx->sha1ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA1 operation and reapply SHA1.
+ */
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA1_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+	isc_sha1_final(&ctx->sha1ctx, newdigest);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA1_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha1_init(&ctx->sha1ctx);
+	isc_sha1_update(&ctx->sha1ctx, opad, sizeof(opad));
+	isc_sha1_update(&ctx->sha1ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+	isc_sha1_final(&ctx->sha1ctx, newdigest);
+	isc_hmacsha1_invalidate(ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+/*
+ * Start HMAC-SHA224 process.  Initialize an sha224 context and digest the key.
+ */
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha224_t sha224ctx;
+		isc_sha224_init(&sha224ctx);
+		isc_sha224_update(&sha224ctx, key, len);
+		isc_sha224_final(ctx->key, &sha224ctx);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_sha224_init(&ctx->sha224ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha224_update(&ctx->sha224ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha224_update(&ctx->sha224ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA224 operation and reapply SHA224.
+ */
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA224_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+	isc_sha224_final(newdigest, &ctx->sha224ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA224_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha224_init(&ctx->sha224ctx);
+	isc_sha224_update(&ctx->sha224ctx, opad, sizeof(opad));
+	isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+	isc_sha224_final(newdigest, &ctx->sha224ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+/*
+ * Start HMAC-SHA256 process.  Initialize an sha256 context and digest the key.
+ */
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha256_t sha256ctx;
+		isc_sha256_init(&sha256ctx);
+		isc_sha256_update(&sha256ctx, key, len);
+		isc_sha256_final(ctx->key, &sha256ctx);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_sha256_init(&ctx->sha256ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha256_update(&ctx->sha256ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha256_update(&ctx->sha256ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA256 operation and reapply SHA256.
+ */
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA256_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+	isc_sha256_final(newdigest, &ctx->sha256ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA256_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha256_init(&ctx->sha256ctx);
+	isc_sha256_update(&ctx->sha256ctx, opad, sizeof(opad));
+	isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+	isc_sha256_final(newdigest, &ctx->sha256ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+/*
+ * Start HMAC-SHA384 process.  Initialize an sha384 context and digest the key.
+ */
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha384_t sha384ctx;
+		isc_sha384_init(&sha384ctx);
+		isc_sha384_update(&sha384ctx, key, len);
+		isc_sha384_final(ctx->key, &sha384ctx);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_sha384_init(&ctx->sha384ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha384_update(&ctx->sha384ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha384_update(&ctx->sha384ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA384 operation and reapply SHA384.
+ */
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA384_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+	isc_sha384_final(newdigest, &ctx->sha384ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA384_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha384_init(&ctx->sha384ctx);
+	isc_sha384_update(&ctx->sha384ctx, opad, sizeof(opad));
+	isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+	isc_sha384_final(newdigest, &ctx->sha384ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+
+/*
+ * Start HMAC-SHA512 process.  Initialize an sha512 context and digest the key.
+ */
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len)
+{
+	unsigned char ipad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned int i;
+
+	memset(ctx->key, 0, sizeof(ctx->key));
+	if (len > sizeof(ctx->key)) {
+		isc_sha512_t sha512ctx;
+		isc_sha512_init(&sha512ctx);
+		isc_sha512_update(&sha512ctx, key, len);
+		isc_sha512_final(ctx->key, &sha512ctx);
+	} else
+		memmove(ctx->key, key, len);
+
+	isc_sha512_init(&ctx->sha512ctx);
+	memset(ipad, IPAD, sizeof(ipad));
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		ipad[i] ^= ctx->key[i];
+	isc_sha512_update(&ctx->sha512ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		   unsigned int len)
+{
+	isc_sha512_update(&ctx->sha512ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize SHA512 operation and reapply SHA512.
+ */
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char opad[ISC_SHA512_BLOCK_LENGTH];
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+	unsigned int i;
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+	isc_sha512_final(newdigest, &ctx->sha512ctx);
+
+	memset(opad, OPAD, sizeof(opad));
+	for (i = 0; i < ISC_SHA512_BLOCK_LENGTH; i++)
+		opad[i] ^= ctx->key[i];
+
+	isc_sha512_init(&ctx->sha512ctx);
+	isc_sha512_update(&ctx->sha512ctx, opad, sizeof(opad));
+	isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
+	isc_sha512_final(newdigest, &ctx->sha512ctx);
+	memmove(digest, newdigest, len);
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
+}
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Verify signature - finalize SHA1 operation and reapply SHA1, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Verify signature - finalize SHA224 operation and reapply SHA224, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA224_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+	isc_hmacsha224_sign(ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Verify signature - finalize SHA256 operation and reapply SHA256, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA256_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+	isc_hmacsha256_sign(ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Verify signature - finalize SHA384 operation and reapply SHA384, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA384_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+	isc_hmacsha384_sign(ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Verify signature - finalize SHA512 operation and reapply SHA512, then
+ * compare to the supplied digest.
+ */
+bool
+isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
+	unsigned char newdigest[ISC_SHA512_DIGESTLENGTH];
+
+	REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
+	return (isc_safe_memequal(digest, newdigest, len));
+}
+
+/*
+ * Check for SHA-1 support; if it does not work, raise a fatal error.
+ *
+ * Use the first test vector from RFC 2104, with a second round using
+ * a too-short key.
+ *
+ * Standard use is testing 0 and expecting result true.
+ * Testing use is testing 1..4 and expecting result false.
+ */
+bool
+isc_hmacsha1_check(int testing) {
+	isc_hmacsha1_t ctx;
+	unsigned char key[] = { /* 20*0x0b */
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b
+	};
+	unsigned char input[] = { /* "Hi There" */
+		0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+	};
+	unsigned char expected[] = {
+		0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+		0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+		0xf1, 0x46, 0xbe, 0x00
+	};
+	unsigned char expected2[] = {
+		0xa0, 0x75, 0xe0, 0x5f, 0x7f, 0x17, 0x9d, 0x34,
+		0xb2, 0xab, 0xc5, 0x19, 0x8f, 0x38, 0x62, 0x36,
+		0x42, 0xbd, 0xec, 0xde
+	};
+	bool result;
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	switch (testing) {
+	case 0:
+	default:
+		break;
+	case 1:
+		key[0] ^= 0x01;
+		break;
+	case 2:
+		input[0] ^= 0x01;
+		break;
+	case 3:
+		expected[0] ^= 0x01;
+		break;
+	case 4:
+		expected2[0] ^= 0x01;
+		break;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_hmacsha1_init(&ctx, key, 20U);
+	isc_hmacsha1_update(&ctx, input, 8U);
+	result = isc_hmacsha1_verify(&ctx, expected, sizeof(expected));
+	if (!result) {
+		return (result);
+	}
+
+	/* Second round using a byte key */
+	isc_hmacsha1_init(&ctx, key, 1U);
+	isc_hmacsha1_update(&ctx, input, 8U);
+	return (isc_hmacsha1_verify(&ctx, expected2, sizeof(expected2)));
+}
diff --git a/lib/isc/ht.c b/lib/isc/ht.c
new file mode 100644
index 0000000..b3c6825
--- /dev/null
+++ b/lib/isc/ht.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/hash.h>
+#include <isc/ht.h>
+#include <isc/types.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+
+typedef struct isc_ht_node isc_ht_node_t;
+
+#define ISC_HT_MAGIC			ISC_MAGIC('H', 'T', 'a', 'b')
+#define ISC_HT_VALID(ht)		ISC_MAGIC_VALID(ht, ISC_HT_MAGIC)
+
+struct isc_ht_node {
+	void *value;
+	isc_ht_node_t *next;
+	size_t keysize;
+	unsigned char key[FLEXIBLE_ARRAY_MEMBER];
+};
+
+struct isc_ht {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	size_t size;
+	size_t mask;
+	unsigned int count;
+	isc_ht_node_t **table;
+};
+
+struct isc_ht_iter {
+	isc_ht_t *ht;
+	size_t i;
+	isc_ht_node_t *cur;
+};
+
+isc_result_t
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
+	isc_ht_t *ht = NULL;
+	size_t i;
+
+	REQUIRE(htp != NULL && *htp == NULL);
+	REQUIRE(mctx != NULL);
+	REQUIRE(bits >= 1 && bits <= (sizeof(size_t)*8 - 1));
+
+	ht = isc_mem_get(mctx, sizeof(struct isc_ht));
+	if (ht == NULL) {
+		return (ISC_R_NOMEMORY);
+	}
+
+	ht->mctx = NULL;
+	isc_mem_attach(mctx, &ht->mctx);
+
+	ht->size = ((size_t)1<<bits);
+	ht->mask = ((size_t)1<<bits)-1;
+	ht->count = 0;
+
+	ht->table = isc_mem_get(ht->mctx, ht->size * sizeof(isc_ht_node_t*));
+	if (ht->table == NULL) {
+		isc_mem_putanddetach(&ht->mctx, ht, sizeof(struct isc_ht));
+		return (ISC_R_NOMEMORY);
+	}
+
+	for (i = 0; i < ht->size; i++) {
+		ht->table[i] = NULL;
+	}
+
+	ht->magic = ISC_HT_MAGIC;
+
+	*htp = ht;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_ht_destroy(isc_ht_t **htp) {
+	isc_ht_t *ht;
+	size_t i;
+
+	REQUIRE(htp != NULL);
+
+	ht = *htp;
+	REQUIRE(ISC_HT_VALID(ht));
+
+	ht->magic = 0;
+
+	for (i = 0; i < ht->size; i++) {
+		isc_ht_node_t *node = ht->table[i];
+		while (node != NULL) {
+			isc_ht_node_t *next = node->next;
+			ht->count--;
+			isc_mem_put(ht->mctx, node,
+				    offsetof(isc_ht_node_t, key) +
+				    node->keysize);
+			node = next;
+		}
+	}
+
+	INSIST(ht->count == 0);
+
+	isc_mem_put(ht->mctx, ht->table, ht->size * sizeof(isc_ht_node_t*));
+	isc_mem_putanddetach(&ht->mctx, ht, sizeof(struct isc_ht));
+
+	*htp = NULL;
+}
+
+isc_result_t
+isc_ht_add(isc_ht_t *ht, const unsigned char *key,
+	   uint32_t keysize, void *value)
+{
+	isc_ht_node_t *node;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+
+	hash = isc_hash_function(key, keysize, true, NULL);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0) {
+			return (ISC_R_EXISTS);
+		}
+		node = node->next;
+	}
+
+	node = isc_mem_get(ht->mctx, offsetof(isc_ht_node_t, key) + keysize);
+	if (node == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memmove(node->key, key, keysize);
+	node->keysize = keysize;
+	node->next = ht->table[hash & ht->mask];
+	node->value = value;
+
+	ht->count++;
+	ht->table[hash & ht->mask] = node;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key,
+	    uint32_t keysize, void **valuep)
+{
+	isc_ht_node_t *node;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+	REQUIRE(valuep != NULL);
+
+	hash = isc_hash_function(key, keysize, true, NULL);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0) {
+			*valuep = node->value;
+			return (ISC_R_SUCCESS);
+		}
+		node = node->next;
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize) {
+	isc_ht_node_t *node, *prev;
+	uint32_t hash;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(key != NULL && keysize > 0);
+
+	prev = NULL;
+	hash = isc_hash_function(key, keysize, true, NULL);
+	node = ht->table[hash & ht->mask];
+	while (node != NULL) {
+		if (keysize == node->keysize &&
+		    memcmp(key, node->key, keysize) == 0) {
+			if (prev == NULL)
+				ht->table[hash & ht->mask] = node->next;
+			else
+				prev->next = node->next;
+			isc_mem_put(ht->mctx, node,
+				    offsetof(isc_ht_node_t, key) +
+				    node->keysize);
+			ht->count--;
+
+			return (ISC_R_SUCCESS);
+		}
+
+		prev = node;
+		node = node->next;
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
+	isc_ht_iter_t *it;
+
+	REQUIRE(ISC_HT_VALID(ht));
+	REQUIRE(itp != NULL && *itp == NULL);
+
+	it = isc_mem_get(ht->mctx, sizeof(isc_ht_iter_t));
+	if (it == NULL)
+		return (ISC_R_NOMEMORY);
+
+	it->ht = ht;
+	it->i = 0;
+	it->cur = NULL;
+
+	*itp = it;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_ht_iter_destroy(isc_ht_iter_t **itp) {
+	isc_ht_iter_t *it;
+	isc_ht_t *ht;
+
+	REQUIRE(itp != NULL && *itp != NULL);
+
+	it = *itp;
+	ht = it->ht;
+	isc_mem_put(ht->mctx, it, sizeof(isc_ht_iter_t));
+
+	*itp = NULL;
+}
+
+isc_result_t
+isc_ht_iter_first(isc_ht_iter_t *it) {
+	REQUIRE(it != NULL);
+
+	it->i = 0;
+	while (it->i < it->ht->size && it->ht->table[it->i] == NULL)
+		it->i++;
+
+	if (it->i == it->ht->size)
+		return (ISC_R_NOMORE);
+
+	it->cur = it->ht->table[it->i];
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_iter_next(isc_ht_iter_t *it) {
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+
+	it->cur = it->cur->next;
+	if (it->cur == NULL) {
+		do {
+			it->i++;
+		} while (it->i < it->ht->size && it->ht->table[it->i] == NULL);
+		if (it->i >= it->ht->size)
+			return (ISC_R_NOMORE);
+		it->cur = it->ht->table[it->i];
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_ht_iter_delcurrent_next(isc_ht_iter_t *it) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_ht_node_t *to_delete = NULL;
+	isc_ht_node_t *prev = NULL;
+	isc_ht_node_t *node = NULL;
+	uint32_t hash;
+	isc_ht_t *ht;
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	to_delete = it->cur;
+	ht = it->ht;
+
+	it->cur = it->cur->next;
+	if (it->cur == NULL) {
+		do {
+			it->i++;
+		} while (it->i < ht->size && ht->table[it->i] == NULL);
+		if (it->i >= ht->size)
+			result = ISC_R_NOMORE;
+		else
+			it->cur = ht->table[it->i];
+	}
+
+	hash = isc_hash_function(to_delete->key, to_delete->keysize, true,
+				 NULL);
+	node = ht->table[hash & ht->mask];
+	while (node != to_delete) {
+		prev = node;
+		node = node->next;
+		INSIST(node != NULL);
+	}
+
+	if (prev == NULL)
+		ht->table[hash & ht->mask] = node->next;
+	else
+		prev->next = node->next;
+	isc_mem_put(ht->mctx, node,
+		    offsetof(isc_ht_node_t, key) + node->keysize);
+	ht->count--;
+
+	return (result);
+}
+
+void
+isc_ht_iter_current(isc_ht_iter_t *it, void **valuep) {
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	*valuep = it->cur->value;
+}
+
+void
+isc_ht_iter_currentkey(isc_ht_iter_t *it, unsigned char **key, size_t *keysize)
+{
+	REQUIRE(it != NULL);
+	REQUIRE(it->cur != NULL);
+	*key = it->cur->key;
+	*keysize = it->cur->keysize;
+}
+
+unsigned int
+isc_ht_count(isc_ht_t *ht) {
+	REQUIRE(ISC_HT_VALID(ht));
+
+	return(ht->count);
+}
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
new file mode 100644
index 0000000..06e7a8b
--- /dev/null
+++ b/lib/isc/httpd.c
@@ -0,0 +1,1273 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef HAVE_ZLIB
+#include <zlib.h>
+#endif
+
+/*%
+ * TODO:
+ *
+ *  o  Put in better checks to make certain things are passed in correctly.
+ *     This includes a magic number for externally-visible structures,
+ *     checking for NULL-ness before dereferencing, etc.
+ *  o  Make the URL processing external functions which will fill-in a buffer
+ *     structure we provide, or return an error and we will render a generic
+ *     page and close the client.
+ */
+
+#define MSHUTTINGDOWN(cm) ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
+#define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
+
+#ifdef DEBUG_HTTPD
+#define ENTER(x) do { fprintf(stderr, "ENTER %s\n", (x)); } while (0)
+#define EXIT(x) do { fprintf(stderr, "EXIT %s\n", (x)); } while (0)
+#define NOTICE(x) do { fprintf(stderr, "NOTICE %s\n", (x)); } while (0)
+#else
+#define ENTER(x) do { } while(0)
+#define EXIT(x) do { } while(0)
+#define NOTICE(x) do { } while(0)
+#endif
+
+#define HTTP_RECVLEN			1024
+#define HTTP_SENDGROW			1024
+#define HTTP_SEND_MAXLEN		10240
+
+#define HTTPD_CLOSE		0x0001 /* Got a Connection: close header */
+#define HTTPD_FOUNDHOST		0x0002 /* Got a Host: header */
+#define HTTPD_KEEPALIVE		0x0004 /* Got a Connection: Keep-Alive */
+#define HTTPD_ACCEPT_DEFLATE   0x0008
+
+/*% http client */
+struct isc_httpd {
+	isc_httpdmgr_t	       *mgr;		/*%< our parent */
+	ISC_LINK(isc_httpd_t)	link;
+	unsigned int		state;
+	isc_socket_t		*sock;
+
+	/*%
+	 * Received data state.
+	 */
+	char			recvbuf[HTTP_RECVLEN]; /*%< receive buffer */
+	uint32_t		recvlen;	/*%< length recv'd */
+	char		       *headers;	/*%< set in process_request() */
+	unsigned int		method;
+	char		       *url;
+	char		       *querystring;
+	char		       *protocol;
+
+	/*
+	 * Flags on the httpd client.
+	 */
+	int			flags;
+
+	/*%
+	 * Transmit data state.
+	 *
+	 * This is the data buffer we will transmit.
+	 *
+	 * This free function pointer is filled in by the rendering function
+	 * we call.  The free function is called after the data is transmitted
+	 * to the client.
+	 *
+	 * The bufflist is the list of buffers we are currently transmitting.
+	 * The headerbuffer is where we render our headers to.  If we run out of
+	 * space when rendering a header, we will change the size of our
+	 * buffer.  We will not free it until we are finished, and will
+	 * allocate an additional HTTP_SENDGROW bytes per header space grow.
+	 *
+	 * We currently use three buffers total, one for the headers (which
+	 * we manage), another for the client to fill in (which it manages,
+	 * it provides the space for it, etc) -- we will pass that buffer
+	 * structure back to the caller, who is responsible for managing the
+	 * space it may have allocated as backing store for it.  This second
+	 * buffer is bodybuffer, and we only allocate the buffer itself, not
+	 * the backing store.
+	 * The third buffer is compbuffer, managed by us, that contains the
+	 * compressed HTTP data, if compression is used.
+	 *
+	 */
+	isc_bufferlist_t	bufflist;
+	isc_buffer_t		headerbuffer;
+	isc_buffer_t		compbuffer;
+
+	const char	       *mimetype;
+	unsigned int		retcode;
+	const char	       *retmsg;
+	isc_buffer_t		bodybuffer;
+	isc_httpdfree_t	       *freecb;
+	void		       *freecb_arg;
+};
+
+/*% lightweight socket manager for httpd output */
+struct isc_httpdmgr {
+	isc_mem_t	       *mctx;
+	isc_socket_t	       *sock;		/*%< listening socket */
+	isc_task_t	       *task;		/*%< owning task */
+	isc_timermgr_t	       *timermgr;
+
+	isc_httpdclientok_t    *client_ok;	/*%< client validator */
+	isc_httpdondestroy_t   *ondestroy;	/*%< cleanup callback */
+	void		       *cb_arg;		/*%< argument for the above */
+
+	unsigned int		flags;
+	ISC_LIST(isc_httpd_t)	running;	/*%< running clients */
+
+	isc_mutex_t		lock;
+
+	ISC_LIST(isc_httpdurl_t) urls;		/*%< urls we manage */
+	isc_httpdaction_t      *render_404;
+	isc_httpdaction_t      *render_500;
+};
+
+/*%
+ * HTTP methods.
+ */
+#define ISC_HTTPD_METHODUNKNOWN	0
+#define ISC_HTTPD_METHODGET	1
+#define ISC_HTTPD_METHODPOST	2
+
+/*%
+ * Client states.
+ *
+ * _IDLE	The client is not doing anything at all.  This state should
+ *		only occur just after creation, and just before being
+ *		destroyed.
+ *
+ * _RECV	The client is waiting for data after issuing a socket recv().
+ *
+ * _RECVDONE	Data has been received, and is being processed.
+ *
+ * _SEND	All data for a response has completed, and a reply was
+ *		sent via a socket send() call.
+ *
+ * _SENDDONE	Send is completed.
+ *
+ * Badly formatted state table:
+ *
+ *	IDLE -> RECV when client has a recv() queued.
+ *
+ *	RECV -> RECVDONE when recvdone event received.
+ *
+ *	RECVDONE -> SEND if the data for a reply is at hand.
+ *
+ *	SEND -> RECV when a senddone event was received.
+ *
+ *	At any time -> RECV on error.  If RECV fails, the client will
+ *	self-destroy, closing the socket and freeing memory.
+ */
+#define ISC_HTTPD_STATEIDLE	0
+#define ISC_HTTPD_STATERECV	1
+#define ISC_HTTPD_STATERECVDONE	2
+#define ISC_HTTPD_STATESEND	3
+#define ISC_HTTPD_STATESENDDONE	4
+
+#define ISC_HTTPD_ISRECV(c)	((c)->state == ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_ISRECVDONE(c)	((c)->state == ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_ISSEND(c)	((c)->state == ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_ISSENDDONE(c)	((c)->state == ISC_HTTPD_STATESENDDONE)
+
+/*%
+ * Overall magic test that means we're not idle.
+ */
+#define ISC_HTTPD_SETRECV(c)	((c)->state = ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_SETRECVDONE(c)	((c)->state = ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_SETSEND(c)	((c)->state = ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_SETSENDDONE(c)	((c)->state = ISC_HTTPD_STATESENDDONE)
+
+static void isc_httpd_accept(isc_task_t *, isc_event_t *);
+static void isc_httpd_recvdone(isc_task_t *, isc_event_t *);
+static void isc_httpd_senddone(isc_task_t *, isc_event_t *);
+static void destroy_client(isc_httpd_t **);
+static isc_result_t process_request(isc_httpd_t *, int);
+static void httpdmgr_destroy(isc_httpdmgr_t *);
+static isc_result_t grow_headerspace(isc_httpd_t *);
+static void reset_client(isc_httpd_t *httpd);
+
+static isc_httpdaction_t render_404;
+static isc_httpdaction_t render_500;
+
+static void (*finishhook)(void) = NULL;
+
+static void
+destroy_client(isc_httpd_t **httpdp) {
+	isc_httpd_t *httpd = *httpdp;
+	isc_httpdmgr_t *httpdmgr = httpd->mgr;
+	isc_region_t r;
+
+	*httpdp = NULL;
+
+	LOCK(&httpdmgr->lock);
+
+	isc_socket_detach(&httpd->sock);
+	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
+
+	isc_buffer_region(&httpd->headerbuffer, &r);
+	if (r.length > 0) {
+		isc_mem_put(httpdmgr->mctx, r.base, r.length);
+	}
+
+	isc_buffer_region(&httpd->compbuffer, &r);
+	if (r.length > 0) {
+		isc_mem_put(httpdmgr->mctx, r.base, r.length);
+	}
+
+	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+
+	UNLOCK(&httpdmgr->lock);
+
+	if (finishhook != NULL)
+		finishhook();
+
+	httpdmgr_destroy(httpdmgr);
+}
+
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t *client_ok,
+		    isc_httpdondestroy_t *ondestroy, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdmgrp)
+{
+	isc_result_t result;
+	isc_httpdmgr_t *httpdmgr;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(tmgr != NULL);
+	REQUIRE(httpdmgrp != NULL && *httpdmgrp == NULL);
+
+	httpdmgr = isc_mem_get(mctx, sizeof(isc_httpdmgr_t));
+	if (httpdmgr == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&httpdmgr->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+		return (result);
+	}
+	httpdmgr->mctx = NULL;
+	isc_mem_attach(mctx, &httpdmgr->mctx);
+	httpdmgr->sock = NULL;
+	isc_socket_attach(sock, &httpdmgr->sock);
+	httpdmgr->task = NULL;
+	isc_task_attach(task, &httpdmgr->task);
+	httpdmgr->timermgr = tmgr; /* XXXMLG no attach function? */
+	httpdmgr->client_ok = client_ok;
+	httpdmgr->ondestroy = ondestroy;
+	httpdmgr->cb_arg = cb_arg;
+	httpdmgr->flags = 0;
+
+	ISC_LIST_INIT(httpdmgr->running);
+	ISC_LIST_INIT(httpdmgr->urls);
+
+	/* XXXMLG ignore errors on isc_socket_listen() */
+	result = isc_socket_listen(sock, SOMAXCONN);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socket_listen() failed: %s",
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	(void)isc_socket_filter(sock, "httpready");
+
+	result = isc_socket_accept(sock, task, isc_httpd_accept, httpdmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	httpdmgr->render_404 = render_404;
+	httpdmgr->render_500 = render_500;
+
+	*httpdmgrp = httpdmgr;
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	isc_task_detach(&httpdmgr->task);
+	isc_socket_detach(&httpdmgr->sock);
+	isc_mem_detach(&httpdmgr->mctx);
+	(void)isc_mutex_destroy(&httpdmgr->lock);
+	isc_mem_put(mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+	return (result);
+}
+
+static void
+httpdmgr_destroy(isc_httpdmgr_t *httpdmgr) {
+	isc_mem_t *mctx;
+	isc_httpdurl_t *url;
+
+	ENTER("httpdmgr_destroy");
+
+	LOCK(&httpdmgr->lock);
+
+	if (!MSHUTTINGDOWN(httpdmgr)) {
+		NOTICE("httpdmgr_destroy not shutting down yet");
+		UNLOCK(&httpdmgr->lock);
+		return;
+	}
+
+	/*
+	 * If all clients are not shut down, don't do anything yet.
+	 */
+	if (!ISC_LIST_EMPTY(httpdmgr->running)) {
+		NOTICE("httpdmgr_destroy clients still active");
+		UNLOCK(&httpdmgr->lock);
+		return;
+	}
+
+	NOTICE("httpdmgr_destroy detaching socket, task, and timermgr");
+
+	isc_socket_detach(&httpdmgr->sock);
+	isc_task_detach(&httpdmgr->task);
+	httpdmgr->timermgr = NULL;
+
+	/*
+	 * Clear out the list of all actions we know about.  Just free the
+	 * memory.
+	 */
+	url = ISC_LIST_HEAD(httpdmgr->urls);
+	while (url != NULL) {
+		isc_mem_free(httpdmgr->mctx, url->url);
+		ISC_LIST_UNLINK(httpdmgr->urls, url, link);
+		isc_mem_put(httpdmgr->mctx, url, sizeof(isc_httpdurl_t));
+		url = ISC_LIST_HEAD(httpdmgr->urls);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+	(void)isc_mutex_destroy(&httpdmgr->lock);
+
+	if (httpdmgr->ondestroy != NULL)
+		(httpdmgr->ondestroy)(httpdmgr->cb_arg);
+
+	mctx = httpdmgr->mctx;
+	isc_mem_putanddetach(&mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+
+	EXIT("httpdmgr_destroy");
+}
+
+#define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
+#define BUFLENOK(s) (httpd->recvbuf - (s) < HTTP_RECVLEN)
+
+/*
+ * Look for the given header in headers.
+ * If value is specified look for it terminated with a character in eov.
+ */
+static bool
+have_header(isc_httpd_t *httpd, const char *header, const char *value,
+	    const char *eov)
+{
+	char *cr, *nl, *h;
+	size_t hlen, vlen = 0;
+
+	h = httpd->headers;
+	hlen = strlen(header);
+	if (value != NULL) {
+		INSIST(eov != NULL);
+		vlen = strlen(value);
+	}
+
+	for (;;) {
+		if (strncasecmp(h, header, hlen) != 0) {
+			/*
+			 * Skip to next line;
+			 */
+			cr = strchr(h, '\r');
+			if (cr != NULL && cr[1] == '\n')
+				cr++;
+			nl = strchr(h, '\n');
+
+			/* last header? */
+			h = cr;
+			if (h == NULL || (nl != NULL && nl < h))
+				h = nl;
+			if (h == NULL)
+				return (false);
+			h++;
+			continue;
+		}
+
+		if (value == NULL)
+			return (true);
+
+		/*
+		 * Skip optional leading white space.
+		 */
+		h += hlen;
+		while (*h == ' ' || *h == '\t')
+			h++;
+		/*
+		 * Terminate token search on NULL or EOL.
+		 */
+		while (*h != 0 && *h != '\r' && *h != '\n') {
+			if (strncasecmp(h, value, vlen) == 0)
+				if (strchr(eov, h[vlen]) != NULL)
+					return (true);
+			/*
+			 * Skip to next token.
+			 */
+			h += strcspn(h, eov);
+			if (h[0] == '\r' && h[1] == '\n')
+				h++;
+			if (h[0] != 0)
+				h++;
+		}
+		return (false);
+	}
+}
+
+static isc_result_t
+process_request(isc_httpd_t *httpd, int length) {
+	char *s;
+	char *p;
+	int delim;
+
+	ENTER("request");
+
+	httpd->recvlen += length;
+
+	httpd->recvbuf[httpd->recvlen] = 0;
+	httpd->headers = NULL;
+
+	/*
+	 * If we don't find a blank line in our buffer, return that we need
+	 * more data.
+	 */
+	s = strstr(httpd->recvbuf, "\r\n\r\n");
+	delim = 2;
+	if (s == NULL) {
+		s = strstr(httpd->recvbuf, "\n\n");
+		delim = 1;
+	}
+	if (s == NULL)
+		return (ISC_R_NOTFOUND);
+
+	/*
+	 * NUL terminate request at the blank line.
+	 */
+	s[delim] = 0;
+
+	/*
+	 * Determine if this is a POST or GET method.  Any other values will
+	 * cause an error to be returned.
+	 */
+	if (strncmp(httpd->recvbuf, "GET ", 4) == 0) {
+		httpd->method = ISC_HTTPD_METHODGET;
+		p = httpd->recvbuf + 4;
+	} else if (strncmp(httpd->recvbuf, "POST ", 5) == 0) {
+		httpd->method = ISC_HTTPD_METHODPOST;
+		p = httpd->recvbuf + 5;
+	} else {
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * From now on, p is the start of our buffer.
+	 */
+
+	/*
+	 * Extract the URL.
+	 */
+	s = p;
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0' && *s != ' '))
+		s++;
+	if (!LENGTHOK(s))
+		return (ISC_R_NOTFOUND);
+	if (!BUFLENOK(s))
+		return (ISC_R_NOMEMORY);
+	*s = 0;
+
+	/*
+	 * Make the URL relative.
+	 */
+	if ((strncmp(p, "http:/", 6) == 0)
+	    || (strncmp(p, "https:/", 7) == 0)) {
+		/* Skip first / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0)
+			return (ISC_R_RANGE);
+		p++;
+		/* Skip second / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0)
+			return (ISC_R_RANGE);
+		p++;
+		/* Find third / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0) {
+			p--;
+			*p = '/';
+		}
+	}
+
+	httpd->url = p;
+	p = s + 1;
+	s = p;
+
+	/*
+	 * Now, see if there is a ? mark in the URL.  If so, this is
+	 * part of the query string, and we will split it from the URL.
+	 */
+	httpd->querystring = strchr(httpd->url, '?');
+	if (httpd->querystring != NULL) {
+		*(httpd->querystring) = 0;
+		httpd->querystring++;
+	}
+
+	/*
+	 * Extract the HTTP/1.X protocol.  We will bounce on anything but
+	 * HTTP/1.0 or HTTP/1.1 for now.
+	 */
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0'))
+		s++;
+	if (!LENGTHOK(s))
+		return (ISC_R_NOTFOUND);
+	if (!BUFLENOK(s))
+		return (ISC_R_NOMEMORY);
+	/*
+	 * Check that we have the expected eol delimiter.
+	 */
+	if (strncmp(s, delim == 1 ? "\n" : "\r\n", delim) != 0)
+		return (ISC_R_RANGE);
+	*s = 0;
+	if ((strncmp(p, "HTTP/1.0", 8) != 0)
+	    && (strncmp(p, "HTTP/1.1", 8) != 0))
+		return (ISC_R_RANGE);
+	httpd->protocol = p;
+	p = s + delim;	/* skip past eol */
+	s = p;
+
+	httpd->headers = s;
+
+	if (have_header(httpd, "Connection:", "close", ", \t\r\n"))
+		httpd->flags |= HTTPD_CLOSE;
+
+	if (have_header(httpd, "Host:", NULL, NULL))
+		httpd->flags |= HTTPD_FOUNDHOST;
+
+	if (strncmp(httpd->protocol, "HTTP/1.0", 8) == 0) {
+		if (have_header(httpd, "Connection:", "Keep-Alive",
+				", \t\r\n"))
+			httpd->flags |= HTTPD_KEEPALIVE;
+		else
+			httpd->flags |= HTTPD_CLOSE;
+	}
+
+	/*
+	 * Check for Accept-Encoding:
+	 */
+#ifdef HAVE_ZLIB
+	if (have_header(httpd, "Accept-Encoding:", "deflate", ";, \t\r\n"))
+		httpd->flags |= HTTPD_ACCEPT_DEFLATE;
+#endif
+
+	/*
+	 * Standards compliance hooks here.
+	 */
+	if (strcmp(httpd->protocol, "HTTP/1.1") == 0
+	    && ((httpd->flags & HTTPD_FOUNDHOST) == 0))
+		return (ISC_R_RANGE);
+
+	EXIT("request");
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_accept(isc_task_t *task, isc_event_t *ev) {
+	isc_result_t result;
+	isc_httpdmgr_t *httpdmgr = ev->ev_arg;
+	isc_httpd_t *httpd;
+	isc_region_t r;
+	isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
+	isc_sockaddr_t peeraddr;
+	char *headerdata;
+
+	ENTER("accept");
+
+	LOCK(&httpdmgr->lock);
+	if (MSHUTTINGDOWN(httpdmgr)) {
+		NOTICE("accept shutting down, goto out");
+		goto out;
+	}
+
+	if (nev->result == ISC_R_CANCELED) {
+		NOTICE("accept canceled, goto out");
+		goto out;
+	}
+
+	if (nev->result != ISC_R_SUCCESS) {
+		/* XXXMLG log failure */
+		NOTICE("accept returned failure, goto requeue");
+		goto requeue;
+	}
+
+	(void)isc_socket_getpeername(nev->newsocket, &peeraddr);
+	if (httpdmgr->client_ok != NULL &&
+	    !(httpdmgr->client_ok)(&peeraddr, httpdmgr->cb_arg)) {
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+
+	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+	if (httpd == NULL) {
+		/* XXXMLG log failure */
+		NOTICE("accept failed to allocate memory, goto requeue");
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+
+	httpd->mgr = httpdmgr;
+	ISC_LINK_INIT(httpd, link);
+	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
+	ISC_HTTPD_SETRECV(httpd);
+	httpd->sock = nev->newsocket;
+	isc_socket_setname(httpd->sock, "httpd", NULL);
+	httpd->flags = 0;
+
+	/*
+	 * Initialize the buffer for our headers.
+	 */
+	headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
+	if (headerdata == NULL) {
+		isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+	isc_buffer_init(&httpd->headerbuffer, headerdata, HTTP_SENDGROW);
+
+	ISC_LIST_INIT(httpd->bufflist);
+
+	isc_buffer_initnull(&httpd->compbuffer);
+	isc_buffer_initnull(&httpd->bodybuffer);
+	reset_client(httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+	result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
+				 httpd);
+	/* FIXME!!! */
+	POST(result);
+	NOTICE("accept queued recv on socket");
+
+ requeue:
+	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
+				   httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		/* XXXMLG what to do?  Log failure... */
+		NOTICE("accept could not reaccept due to failure");
+	}
+
+ out:
+	UNLOCK(&httpdmgr->lock);
+
+	httpdmgr_destroy(httpdmgr);
+
+	isc_event_free(&ev);
+
+	EXIT("accept");
+}
+
+static isc_result_t
+render_404(const char *url, isc_httpdurl_t *urlinfo,
+	   const char *querystring, const char *headers, void *arg,
+	   unsigned int *retcode, const char **retmsg,
+	   const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args)
+{
+	static char msg[] = "No such URL.\r\n";
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(querystring);
+	UNUSED(headers);
+	UNUSED(arg);
+
+	*retcode = 404;
+	*retmsg = "No such URL";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+render_500(const char *url, isc_httpdurl_t *urlinfo,
+	   const char *querystring, const char *headers, void *arg,
+	   unsigned int *retcode, const char **retmsg,
+	   const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args)
+{
+	static char msg[] = "Internal server failure.\r\n";
+
+	UNUSED(url);
+	UNUSED(urlinfo);
+	UNUSED(querystring);
+	UNUSED(headers);
+	UNUSED(arg);
+
+	*retcode = 500;
+	*retmsg = "Internal server failure";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef HAVE_ZLIB
+/*%<
+ * Reallocates compbuffer to size, does nothing if compbuffer is already
+ * larger than size.
+ *
+ * Requires:
+ *\li	httpd a valid isc_httpd_t object
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to extend buffer
+ */
+static isc_result_t
+alloc_compspace(isc_httpd_t *httpd, unsigned int size) {
+	char *newspace;
+	isc_region_t r;
+
+	isc_buffer_region(&httpd->compbuffer, &r);
+	if (size < r.length) {
+		return (ISC_R_SUCCESS);
+	}
+
+	newspace = isc_mem_get(httpd->mgr->mctx, size);
+	if (newspace == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_buffer_reinit(&httpd->compbuffer, newspace, size);
+
+	if (r.base != NULL) {
+		isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%<
+ * Tries to compress httpd->bodybuffer to httpd->compbuffer, extending it
+ * if necessary.
+ *
+ * Requires:
+ *\li	httpd a valid isc_httpd_t object
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	  -- all is well.
+ *\li	#ISC_R_NOMEMORY	  -- not enough memory to compress data
+ *\li	#ISC_R_FAILURE	  -- error during compression or compressed
+ *			     data would be larger than input data
+ */
+static isc_result_t
+isc_httpd_compress(isc_httpd_t *httpd) {
+	z_stream zstr;
+	isc_region_t r;
+	isc_result_t result;
+	int ret;
+	int inputlen;
+
+	inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
+	result = alloc_compspace(httpd, inputlen);
+	if (result != ISC_R_SUCCESS) {
+		return result;
+	}
+	isc_buffer_region(&httpd->compbuffer, &r);
+
+	/*
+	 * We're setting output buffer size to input size so it fails if the
+	 * compressed data size would be bigger than the input size.
+	 */
+	memset(&zstr, 0, sizeof(zstr));
+	zstr.total_in = zstr.avail_in =
+			zstr.total_out = zstr.avail_out = inputlen;
+
+	zstr.next_in = isc_buffer_base(&httpd->bodybuffer);
+	zstr.next_out = r.base;
+
+	ret = deflateInit(&zstr, Z_DEFAULT_COMPRESSION);
+	if (ret == Z_OK) {
+		ret = deflate(&zstr, Z_FINISH);
+	}
+	deflateEnd(&zstr);
+	if (ret == Z_STREAM_END) {
+		isc_buffer_add(&httpd->compbuffer, inputlen - zstr.avail_out);
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_FAILURE);
+	}
+}
+#endif
+
+static void
+isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev) {
+	isc_region_t r;
+	isc_result_t result;
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+	isc_httpdurl_t *url;
+	isc_time_t now;
+	bool is_compressed = false;
+	char datebuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+
+	ENTER("recv");
+
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+
+	if (sev->result != ISC_R_SUCCESS) {
+		NOTICE("recv destroying client");
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	result = process_request(httpd, sev->n);
+	if (result == ISC_R_NOTFOUND) {
+		if (httpd->recvlen >= HTTP_RECVLEN - 1) {
+			destroy_client(&httpd);
+			goto out;
+		}
+		r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
+		r.length = HTTP_RECVLEN - httpd->recvlen - 1;
+		/* check return code? */
+		(void)isc_socket_recv(httpd->sock, &r, 1, task,
+				      isc_httpd_recvdone, httpd);
+		goto out;
+	} else if (result != ISC_R_SUCCESS) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	ISC_HTTPD_SETSEND(httpd);
+
+	/*
+	 * XXXMLG Call function here.  Provide an add-header function
+	 * which will append the common headers to a response we generate.
+	 */
+	isc_buffer_initnull(&httpd->bodybuffer);
+	isc_time_now(&now);
+	isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
+	url = ISC_LIST_HEAD(httpd->mgr->urls);
+	while (url != NULL) {
+		if (strcmp(httpd->url, url->url) == 0)
+			break;
+		url = ISC_LIST_NEXT(url, link);
+	}
+	if (url == NULL)
+		result = httpd->mgr->render_404(httpd->url, NULL,
+						httpd->querystring,
+						NULL, NULL,
+						&httpd->retcode,
+						&httpd->retmsg,
+						&httpd->mimetype,
+						&httpd->bodybuffer,
+						&httpd->freecb,
+						&httpd->freecb_arg);
+	else
+		result = url->action(httpd->url, url,
+				     httpd->querystring,
+				     httpd->headers,
+				     url->action_arg,
+				     &httpd->retcode, &httpd->retmsg,
+				     &httpd->mimetype, &httpd->bodybuffer,
+				     &httpd->freecb, &httpd->freecb_arg);
+	if (result != ISC_R_SUCCESS) {
+		result = httpd->mgr->render_500(httpd->url, url,
+						httpd->querystring,
+						NULL, NULL,
+						&httpd->retcode,
+						&httpd->retmsg,
+						&httpd->mimetype,
+						&httpd->bodybuffer,
+						&httpd->freecb,
+						&httpd->freecb_arg);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	}
+
+#ifdef HAVE_ZLIB
+	if (httpd->flags & HTTPD_ACCEPT_DEFLATE) {
+			result = isc_httpd_compress(httpd);
+			if (result == ISC_R_SUCCESS) {
+				is_compressed = true;
+			}
+	}
+#endif
+
+	isc_httpd_response(httpd);
+	if ((httpd->flags & HTTPD_KEEPALIVE) != 0)
+		isc_httpd_addheader(httpd, "Connection", "Keep-Alive");
+	isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
+	isc_httpd_addheader(httpd, "Date", datebuf);
+	isc_httpd_addheader(httpd, "Expires", datebuf);
+
+	if (url != NULL && url->isstatic) {
+		char loadbuf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+		isc_time_formathttptimestamp(&url->loadtime,
+					     loadbuf, sizeof(loadbuf));
+		isc_httpd_addheader(httpd, "Last-Modified", loadbuf);
+		isc_httpd_addheader(httpd, "Cache-Control: public", NULL);
+	} else {
+		isc_httpd_addheader(httpd, "Last-Modified", datebuf);
+		isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
+		isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
+	}
+
+	isc_httpd_addheader(httpd, "Server: libisc", NULL);
+
+	if (is_compressed == true) {
+		isc_httpd_addheader(httpd, "Content-Encoding", "deflate");
+		isc_httpd_addheaderuint(httpd, "Content-Length",
+					isc_buffer_usedlength(&httpd->compbuffer));
+	} else {
+		isc_httpd_addheaderuint(httpd, "Content-Length",
+		isc_buffer_usedlength(&httpd->bodybuffer));
+	}
+
+	isc_httpd_endheaders(httpd);  /* done */
+
+	ISC_LIST_APPEND(httpd->bufflist, &httpd->headerbuffer, link);
+	/*
+	 * Link the data buffer into our send queue, should we have any data
+	 * rendered into it.  If no data is present, we won't do anything
+	 * with the buffer.
+	 */
+	if (is_compressed == true) {
+		ISC_LIST_APPEND(httpd->bufflist, &httpd->compbuffer, link);
+	} else {
+		if (isc_buffer_length(&httpd->bodybuffer) > 0) {
+				ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
+		}
+	}
+
+	/* check return code? */
+	(void)isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
+			       isc_httpd_senddone, httpd);
+
+ out:
+	isc_event_free(&ev);
+	EXIT("recv");
+}
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp) {
+	isc_httpdmgr_t *httpdmgr;
+	isc_httpd_t *httpd;
+	httpdmgr = *httpdmgrp;
+	*httpdmgrp = NULL;
+
+	ENTER("isc_httpdmgr_shutdown");
+
+	LOCK(&httpdmgr->lock);
+
+	MSETSHUTTINGDOWN(httpdmgr);
+
+	isc_socket_cancel(httpdmgr->sock, httpdmgr->task, ISC_SOCKCANCEL_ALL);
+
+	httpd = ISC_LIST_HEAD(httpdmgr->running);
+	while (httpd != NULL) {
+		isc_socket_cancel(httpd->sock, httpdmgr->task,
+				  ISC_SOCKCANCEL_ALL);
+		httpd = ISC_LIST_NEXT(httpd, link);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+
+	EXIT("isc_httpdmgr_shutdown");
+}
+
+static isc_result_t
+grow_headerspace(isc_httpd_t *httpd) {
+	char *newspace;
+	unsigned int newlen;
+	isc_region_t r;
+
+	isc_buffer_region(&httpd->headerbuffer, &r);
+	newlen = r.length + HTTP_SENDGROW;
+	if (newlen > HTTP_SEND_MAXLEN)
+		return (ISC_R_NOSPACE);
+
+	newspace = isc_mem_get(httpd->mgr->mctx, newlen);
+	if (newspace == NULL)
+		return (ISC_R_NOMEMORY);
+
+	isc_buffer_reinit(&httpd->headerbuffer, newspace, newlen);
+
+	isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd) {
+	isc_result_t result;
+	unsigned int needlen;
+
+	needlen = strlen(httpd->protocol) + 1; /* protocol + space */
+	needlen += 3 + 1;  /* room for response code, always 3 bytes */
+	needlen += strlen(httpd->retmsg) + 2;  /* return msg + CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 (int)isc_buffer_availablelength(&httpd->headerbuffer),
+		 "%s %03u %s\r\n", httpd->protocol, httpd->retcode,
+		 httpd->retmsg);
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+		    const char *val)
+{
+	isc_result_t result;
+	unsigned int needlen;
+
+	needlen = strlen(name); /* name itself */
+	if (val != NULL)
+		needlen += 2 + strlen(val); /* :<space> and val */
+	needlen += 2; /* CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if (val != NULL)
+		snprintf(isc_buffer_used(&httpd->headerbuffer),
+			 isc_buffer_availablelength(&httpd->headerbuffer),
+			 "%s: %s\r\n", name, val);
+	else
+		snprintf(isc_buffer_used(&httpd->headerbuffer),
+			 isc_buffer_availablelength(&httpd->headerbuffer),
+			 "%s\r\n", name);
+
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_endheaders(isc_httpd_t *httpd) {
+	isc_result_t result;
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 isc_buffer_availablelength(&httpd->headerbuffer), "\r\n");
+	isc_buffer_add(&httpd->headerbuffer, 2);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
+	isc_result_t result;
+	unsigned int needlen;
+	char buf[sizeof "18446744073709551616"];
+
+	snprintf(buf, sizeof(buf), "%d", val);
+
+	needlen = strlen(name); /* name itself */
+	needlen += 2 + strlen(buf); /* :<space> and val */
+	needlen += 2; /* CRLF */
+
+	while (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 isc_buffer_availablelength(&httpd->headerbuffer),
+		 "%s: %s\r\n", name, buf);
+
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_senddone(isc_task_t *task, isc_event_t *ev) {
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_region_t r;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+
+	ENTER("senddone");
+	INSIST(ISC_HTTPD_ISSEND(httpd));
+
+	/*
+	 * First, unlink our header buffer from the socket's bufflist.  This
+	 * is sort of an evil hack, since we know our buffer will be there,
+	 * and we know it's address, so we can just remove it directly.
+	 */
+	NOTICE("senddone unlinked header");
+	ISC_LIST_UNLINK(sev->bufferlist, &httpd->headerbuffer, link);
+
+	/*
+	 * We will always want to clean up our receive buffer, even if we
+	 * got an error on send or we are shutting down.
+	 *
+	 * We will pass in the buffer only if there is data in it.  If
+	 * there is no data, we will pass in a NULL.
+	 */
+	if (httpd->freecb != NULL) {
+		isc_buffer_t *b = NULL;
+		if (isc_buffer_length(&httpd->bodybuffer) > 0) {
+			b = &httpd->bodybuffer;
+			httpd->freecb(b, httpd->freecb_arg);
+		}
+		NOTICE("senddone free callback performed");
+	}
+	if (ISC_LINK_LINKED(&httpd->bodybuffer, link)) {
+		ISC_LIST_UNLINK(sev->bufferlist, &httpd->bodybuffer, link);
+		NOTICE("senddone body buffer unlinked");
+	} else if (ISC_LINK_LINKED(&httpd->compbuffer, link)) {
+		ISC_LIST_UNLINK(sev->bufferlist, &httpd->compbuffer, link);
+		NOTICE("senddone compressed data unlinked and freed");
+	}
+
+	if (sev->result != ISC_R_SUCCESS) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	if ((httpd->flags & HTTPD_CLOSE) != 0) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	ISC_HTTPD_SETRECV(httpd);
+
+	NOTICE("senddone restarting recv on socket");
+
+	reset_client(httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+	/* check return code? */
+	(void)isc_socket_recv(httpd->sock, &r, 1, task,
+			      isc_httpd_recvdone, httpd);
+
+out:
+	isc_event_free(&ev);
+	EXIT("senddone");
+}
+
+static void
+reset_client(isc_httpd_t *httpd) {
+	/*
+	 * Catch errors here.  We MUST be in RECV mode, and we MUST NOT have
+	 * any outstanding buffers.  If we have buffers, we have a leak.
+	 */
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+	INSIST(!ISC_LINK_LINKED(&httpd->headerbuffer, link));
+	INSIST(!ISC_LINK_LINKED(&httpd->bodybuffer, link));
+
+	httpd->recvbuf[0] = 0;
+	httpd->recvlen = 0;
+	httpd->headers = NULL;
+	httpd->method = ISC_HTTPD_METHODUNKNOWN;
+	httpd->url = NULL;
+	httpd->querystring = NULL;
+	httpd->protocol = NULL;
+	httpd->flags = 0;
+
+	isc_buffer_clear(&httpd->headerbuffer);
+	isc_buffer_clear(&httpd->compbuffer);
+	isc_buffer_invalidate(&httpd->bodybuffer);
+}
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg)
+{
+	return (isc_httpdmgr_addurl2(httpdmgr, url, false, func, arg));
+}
+
+isc_result_t
+isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url,
+		     bool isstatic,
+		     isc_httpdaction_t *func, void *arg)
+{
+	isc_httpdurl_t *item;
+
+	if (url == NULL) {
+		httpdmgr->render_404 = func;
+		return (ISC_R_SUCCESS);
+	}
+
+	item = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpdurl_t));
+	if (item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	item->url = isc_mem_strdup(httpdmgr->mctx, url);
+	if (item->url == NULL) {
+		isc_mem_put(httpdmgr->mctx, item, sizeof(isc_httpdurl_t));
+		return (ISC_R_NOMEMORY);
+	}
+
+	item->action = func;
+	item->action_arg = arg;
+	item->isstatic = isstatic;
+	isc_time_now(&item->loadtime);
+
+	ISC_LINK_INIT(item, link);
+	ISC_LIST_APPEND(httpdmgr->urls, item, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_httpd_setfinishhook(void (*fn)(void))
+{
+	finishhook = fn;
+}
diff --git a/lib/isc/ia64/Makefile.in b/lib/isc/ia64/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/ia64/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/ia64/include/Makefile.in b/lib/isc/ia64/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/ia64/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/ia64/include/isc/Makefile.in b/lib/isc/ia64/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/ia64/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/ia64/include/isc/atomic.h b/lib/isc/ia64/include/isc/atomic.h
new file mode 100644
index 0000000..e2f4331
--- /dev/null
+++ b/lib/isc/ia64/include/isc/atomic.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ *
+ * Open issue: can 'fetchadd' make the code faster for some particular values
+ * (e.g., 1 and -1)?
+ */
+static inline int32_t
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+isc_atomic_xadd(int32_t *p, int32_t val)
+{
+	int32_t prev, swapped;
+
+	for (prev = *(volatile int32_t *)p; ; prev = swapped) {
+		swapped = prev + val;
+		__asm__ volatile(
+			"mov ar.ccv=%2;;"
+			"cmpxchg4.acq %0=%4,%3,ar.ccv"
+			: "=r" (swapped), "=m" (*p)
+			: "r" (prev), "r" (swapped), "m" (*p)
+			: "memory");
+		if (swapped == prev)
+			break;
+	}
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+isc_atomic_store(int32_t *p, int32_t val)
+{
+	__asm__ volatile(
+		"st4.rel %0=%1"
+		: "=m" (*p)
+		: "r" (val)
+		: "memory"
+		);
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline int32_t
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val)
+{
+	int32_t ret;
+
+	__asm__ volatile(
+		"mov ar.ccv=%2;;"
+		"cmpxchg4.acq %0=%4,%3,ar.ccv"
+		: "=r" (ret), "=m" (*p)
+		: "r" (cmpval), "r" (val), "m" (*p)
+		: "memory");
+
+	return (ret);
+}
+#else /* !ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/include/Makefile.in b/lib/isc/include/Makefile.in
new file mode 100644
index 0000000..3b21e6e
--- /dev/null
+++ b/lib/isc/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc pk11 pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
new file mode 100644
index 0000000..4698206
--- /dev/null
+++ b/lib/isc/include/isc/Makefile.in
@@ -0,0 +1,59 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	aes.h app.h assertions.h boolean.h backtrace.h base32.h base64.h \
+		bind9.h buffer.h bufferlist.h commandline.h \
+		counter.h crc64.h deprecated.h entropy.h errno.h \
+		error.h event.h eventclass.h file.h formatcheck.h \
+		fsaccess.h hash.h heap.h hex.h hmacmd5.h hmacsha.h \
+		ht.h httpd.h int.h interfaceiter.h @ISC_IPV6_H@ iterated_hash.h \
+		json.h lang.h lex.h lfsr.h lib.h likely.h list.h \
+		log.h magic.h md5.h mem.h meminfo.h msgcat.h msgs.h \
+		mutexblock.h netaddr.h netscope.h ondestroy.h os.h \
+		parseint.h pool.h portset.h print.h queue.h quota.h \
+		radix.h random.h ratelimiter.h refcount.h regex.h \
+		region.h resource.h result.h resultclass.h rwlock.h \
+		safe.h serial.h sha1.h sha2.h sockaddr.h socket.h \
+		stats.h stdio.h stdlib.h string.h symtab.h task.h \
+		taskpool.h timer.h tm.h types.h util.h version.h \
+		xml.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/isc
+
+uninstall::
+	rm -f ${DESTDIR}${includedir}/isc/platform.h
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
+
+distclean::
+	rm -f platform.h
diff --git a/lib/isc/include/isc/aes.h b/lib/isc/include/isc/aes.h
new file mode 100644
index 0000000..75f2a2b
--- /dev/null
+++ b/lib/isc/include/isc/aes.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/aes.h */
+
+#ifndef ISC_AES_H
+#define ISC_AES_H 1
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_AES128_KEYLENGTH 16U
+#define ISC_AES192_KEYLENGTH 24U
+#define ISC_AES256_KEYLENGTH 32U
+#define ISC_AES_BLOCK_LENGTH 16U
+
+#ifdef ISC_PLATFORM_WANTAES
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+void
+isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+void
+isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
+		 unsigned char *out);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PLATFORM_WANTAES */
+
+#endif /* ISC_AES_H */
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
new file mode 100644
index 0000000..5ed2750
--- /dev/null
+++ b/lib/isc/include/isc/app.h
@@ -0,0 +1,385 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_APP_H
+#define ISC_APP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/app.h
+ * \brief ISC Application Support
+ *
+ * Dealing with program termination can be difficult, especially in a
+ * multithreaded program.  The routines in this module help coordinate
+ * the shutdown process.  They are used as follows by the initial (main)
+ * thread of the application:
+ *
+ *\li		isc_app_start();	Call very early in main(), before
+ *					any other threads have been created.
+ *
+ *\li		isc_app_run();		This will post any on-run events,
+ *					and then block until application
+ *					shutdown is requested.  A shutdown
+ *					request is made by calling
+ *					isc_app_shutdown(), or by sending
+ *					SIGINT or SIGTERM to the process.
+ *					After isc_app_run() returns, the
+ *					application should shutdown itself.
+ *
+ *\li		isc_app_finish();	Call very late in main().
+ *
+ * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
+ * should check the result of isc_app_run() and call the reload routine if
+ * the result is ISC_R_RELOAD.  They should then call isc_app_run() again
+ * to resume waiting for reload or termination.
+ *
+ * Use of this module is not required.  In particular, isc_app_start() is
+ * NOT an ISC library initialization routine.
+ *
+ * This module also supports per-thread 'application contexts'.  With this
+ * mode, a thread-based application will have a separate context, in which
+ * it uses other ISC library services such as tasks or timers.  Signals are
+ * not caught in this mode, so that the application can handle the signals
+ * in its preferred way.
+ *
+ * \li MP:
+ *	Clients must ensure that isc_app_start(), isc_app_run(), and
+ *	isc_app_finish() are called at most once.  isc_app_shutdown()
+ *	is safe to use by any thread (provided isc_app_start() has been
+ *	called previously).
+ *
+ *	The same note applies to isc_app_ctxXXX() functions, but in this case
+ *	it's a per-thread restriction.  For example, a thread with an
+ *	application context must ensure that isc_app_ctxstart() with the
+ *	context is called at most once.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	None.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+#include <stdbool.h>
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/result.h>
+
+/***
+ *** Types
+ ***/
+
+typedef isc_event_t isc_appevent_t;
+
+#define ISC_APPEVENT_FIRSTEVENT		(ISC_EVENTCLASS_APP + 0)
+#define ISC_APPEVENT_SHUTDOWN		(ISC_EVENTCLASS_APP + 1)
+#define ISC_APPEVENT_LASTEVENT		(ISC_EVENTCLASS_APP + 65535)
+
+/*%
+ * app module methods.  Only app driver implementations use this structure.
+ * Other clients should use the top-level interfaces (i.e., isc_app_xxx
+ * functions).  magic must be ISCAPI_APPMETHODS_MAGIC.
+ */
+typedef struct isc_appmethods {
+	void		(*ctxdestroy)(isc_appctx_t **ctxp);
+	isc_result_t	(*ctxstart)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxrun)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxsuspend)(isc_appctx_t *ctx);
+	isc_result_t	(*ctxshutdown)(isc_appctx_t *ctx);
+	void		(*ctxfinish)(isc_appctx_t *ctx);
+	void		(*settaskmgr)(isc_appctx_t *ctx,
+				      isc_taskmgr_t *timermgr);
+	void		(*setsocketmgr)(isc_appctx_t *ctx,
+					isc_socketmgr_t *timermgr);
+	void		(*settimermgr)(isc_appctx_t *ctx,
+				       isc_timermgr_t *timermgr);
+	isc_result_t 	(*ctxonrun)(isc_appctx_t *ctx, isc_mem_t *mctx,
+				    isc_task_t *task, isc_taskaction_t action,
+				    void *arg);
+} isc_appmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of an application context
+ * implementation's version of an isc_appctx_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  app implementations
+ * may change the structure.  'magic' must be ISCAPI_APPCTX_MAGIC for any
+ * of the isc_app_ routines to work.  app implementations must maintain
+ * all app context invariants.
+ */
+struct isc_appctx {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_appmethods_t	*methods;
+};
+
+#define ISCAPI_APPCTX_MAGIC		ISC_MAGIC('A','a','p','c')
+#define ISCAPI_APPCTX_VALID(c)		((c) != NULL && \
+					 (c)->magic == ISCAPI_APPCTX_MAGIC)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_app_ctxstart(isc_appctx_t *ctx);
+
+isc_result_t
+isc_app_start(void);
+/*!<
+ * \brief Start an ISC library application.
+ *
+ * Notes:
+ *	This call should be made before any other ISC library call, and as
+ *	close to the beginning of the application as possible.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context (for app_ctxstart()).
+ */
+
+isc_result_t
+isc_app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx, isc_task_t *task,
+		 isc_taskaction_t action, void *arg);
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+	      void *arg);
+/*!<
+ * \brief Request delivery of an event when the application is run.
+ *
+ * Requires:
+ *\li	isc_app_start() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxonrun()).
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOMEMORY
+ */
+
+isc_result_t
+isc_app_ctxrun(isc_appctx_t *ctx);
+
+isc_result_t
+isc_app_run(void);
+/*!<
+ * \brief Run an ISC library application.
+ *
+ * Notes:
+ *\li	The caller (typically the initial thread of an application) will
+ *	block until shutdown is requested.  When the call returns, the
+ *	caller should start shutting down the application.
+ *
+ * Requires:
+ *\li	isc_app_[ctx]start() has been called.
+ *
+ * Ensures:
+ *\li	Any events requested via isc_app_onrun() will have been posted (in
+ *	FIFO order) before isc_app_run() blocks.
+ *\li	'ctx' is a valid application context (for app_ctxrun()).
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS			Shutdown has been requested.
+ *\li	ISC_R_RELOAD			Reload has been requested.
+ */
+
+bool
+isc_app_isrunning(void);
+/*!<
+ * \brief Return if the ISC library application is running.
+ *
+ * Returns:
+ *\li	true    App is running.
+ *\li	false   App is not running.
+ */
+
+isc_result_t
+isc_app_ctxshutdown(isc_appctx_t *ctx);
+
+isc_result_t
+isc_app_shutdown(void);
+/*!<
+ * \brief Request application shutdown.
+ *
+ * Notes:
+ *\li	It is safe to call isc_app_shutdown() multiple times.  Shutdown will
+ *	only be triggered once.
+ *
+ * Requires:
+ *\li	isc_app_[ctx]run() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxshutdown()).
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_app_ctxsuspend(isc_appctx_t *ctx);
+/*!<
+ * \brief This has the same behavior as isc_app_ctxsuspend().
+ */
+
+isc_result_t
+isc_app_reload(void);
+/*!<
+ * \brief Request application reload.
+ *
+ * Requires:
+ *\li	isc_app_run() has been called.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_UNEXPECTED
+ */
+
+void
+isc_app_ctxfinish(isc_appctx_t *ctx);
+
+void
+isc_app_finish(void);
+/*!<
+ * \brief Finish an ISC library application.
+ *
+ * Notes:
+ *\li	This call should be made at or near the end of main().
+ *
+ * Requires:
+ *\li	isc_app_start() has been called.
+ *\li	'ctx' is a valid application context (for app_ctxfinish()).
+ *
+ * Ensures:
+ *\li	Any resources allocated by isc_app_start() have been released.
+ */
+
+void
+isc_app_block(void);
+/*!<
+ * \brief Indicate that a blocking operation will be performed.
+ *
+ * Notes:
+ *\li	If a blocking operation is in process, a call to isc_app_shutdown()
+ *	or an external signal will abort the program, rather than allowing
+ *	clean shutdown.  This is primarily useful for reading user input.
+ *
+ * Requires:
+ * \li	isc_app_start() has been called.
+ * \li	No other blocking operations are in progress.
+ */
+
+void
+isc_app_unblock(void);
+/*!<
+ * \brief Indicate that a blocking operation is complete.
+ *
+ * Notes:
+ * \li	When a blocking operation has completed, return the program to a
+ * 	state where a call to isc_app_shutdown() or an external signal will
+ * 	shutdown normally.
+ *
+ * Requires:
+ * \li	isc_app_start() has been called.
+ * \li	isc_app_block() has been called by the same thread.
+ */
+
+isc_result_t
+isc_appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+/*!<
+ * \brief Create an application context.
+ *
+ * Requires:
+ *\li	'mctx' is a valid memory context.
+ *\li	'ctxp' != NULL && *ctxp == NULL.
+ */
+
+void
+isc_appctx_destroy(isc_appctx_t **ctxp);
+/*!<
+ * \brief Destroy an application context.
+ *
+ * Requires:
+ *\li	'*ctxp' is a valid application context.
+ *
+ * Ensures:
+ *\li	*ctxp == NULL.
+ */
+
+void
+isc_appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
+/*!<
+ * \brief Associate a task manager with an application context.
+ *
+ * This must be done before running tasks within the application context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'taskmgr' is a valid task manager.
+ */
+
+void
+isc_appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
+/*!<
+ * \brief Associate a socket manager with an application context.
+ *
+ * This must be done before handling socket events within the application
+ * context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'socketmgr' is a valid socket manager.
+ */
+
+void
+isc_appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
+/*!<
+ * \brief Associate a socket timer with an application context.
+ *
+ * This must be done before handling timer events within the application
+ * context.
+ *
+ * Requires:
+ *\li	'ctx' is a valid application context.
+ *\li	'timermgr' is a valid timer manager.
+ */
+
+/*%<
+ * See isc_appctx_create() above.
+ */
+typedef isc_result_t
+(*isc_appctxcreatefunc_t)(isc_mem_t *mctx, isc_appctx_t **ctxp);
+
+isc_result_t
+isc_app_register(isc_appctxcreatefunc_t createfunc);
+/*%<
+ * Register a new application implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__app_register(void);
+/*%<
+ * A short cut function that specifies the application module in the ISC
+ * library for isc_app_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_APP_H */
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
new file mode 100644
index 0000000..e5719d9
--- /dev/null
+++ b/lib/isc/include/isc/assertions.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file isc/assertions.h
+ */
+
+#ifndef ISC_ASSERTIONS_H
+#define ISC_ASSERTIONS_H 1
+
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% isc assertion type */
+typedef enum {
+	isc_assertiontype_require,
+	isc_assertiontype_ensure,
+	isc_assertiontype_insist,
+	isc_assertiontype_invariant
+} isc_assertiontype_t;
+
+typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t,
+					const char *);
+
+/* coverity[+kill] */
+ISC_PLATFORM_NORETURN_PRE
+void isc_assertion_failed(const char *, int, isc_assertiontype_t,
+			  const char *) ISC_PLATFORM_NORETURN_POST;
+
+void
+isc_assertion_setcallback(isc_assertioncallback_t);
+
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type);
+
+#if defined(ISC_CHECK_ALL) || defined(__COVERITY__)
+#define ISC_CHECK_REQUIRE		1
+#define ISC_CHECK_ENSURE		1
+#define ISC_CHECK_INSIST		1
+#define ISC_CHECK_INVARIANT		1
+#endif
+
+#if defined(ISC_CHECK_NONE) && !defined(__COVERITY__)
+#define ISC_CHECK_REQUIRE		0
+#define ISC_CHECK_ENSURE		0
+#define ISC_CHECK_INSIST		0
+#define ISC_CHECK_INVARIANT		0
+#endif
+
+#ifndef ISC_CHECK_REQUIRE
+#define ISC_CHECK_REQUIRE		1
+#endif
+
+#ifndef ISC_CHECK_ENSURE
+#define ISC_CHECK_ENSURE		1
+#endif
+
+#ifndef ISC_CHECK_INSIST
+#define ISC_CHECK_INSIST		1
+#endif
+
+#ifndef ISC_CHECK_INVARIANT
+#define ISC_CHECK_INVARIANT		1
+#endif
+
+#if ISC_CHECK_REQUIRE != 0
+#define ISC_REQUIRE(cond) \
+	((void) (ISC_LIKELY(cond) || \
+		 ((isc_assertion_failed)(__FILE__, __LINE__, \
+					 isc_assertiontype_require, \
+					 #cond), 0)))
+#else
+#define ISC_REQUIRE(cond)	((void) 0)
+#endif /* ISC_CHECK_REQUIRE */
+
+#if ISC_CHECK_ENSURE != 0
+#define ISC_ENSURE(cond) \
+	((void) (ISC_LIKELY(cond) || \
+		 ((isc_assertion_failed)(__FILE__, __LINE__, \
+					 isc_assertiontype_ensure, \
+					 #cond), 0)))
+#else
+#define ISC_ENSURE(cond)	((void) 0)
+#endif /* ISC_CHECK_ENSURE */
+
+#if ISC_CHECK_INSIST != 0
+#define ISC_INSIST(cond) \
+	((void) (ISC_LIKELY(cond) || \
+		 ((isc_assertion_failed)(__FILE__, __LINE__, \
+					 isc_assertiontype_insist, \
+					 #cond), 0)))
+#else
+#define ISC_INSIST(cond)	((void) 0)
+#endif /* ISC_CHECK_INSIST */
+
+#if ISC_CHECK_INVARIANT != 0
+#define ISC_INVARIANT(cond) \
+	((void) (ISC_LIKELY(cond) || \
+		 ((isc_assertion_failed)(__FILE__, __LINE__, \
+					 isc_assertiontype_invariant, \
+					 #cond), 0)))
+#else
+#define ISC_INVARIANT(cond)	((void) 0)
+#endif /* ISC_CHECK_INVARIANT */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ASSERTIONS_H */
diff --git a/lib/isc/include/isc/backtrace.h b/lib/isc/include/isc/backtrace.h
new file mode 100644
index 0000000..27ab9da
--- /dev/null
+++ b/lib/isc/include/isc/backtrace.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/backtrace.h
+ * \brief provide a back trace of the running process to help debug problems.
+ *
+ * This module tries to get a back trace of the process using some platform
+ * dependent way when available.  It also manages an internal symbol table
+ * that maps function addresses used in the process to their textual symbols.
+ * This module is expected to be used to help debug when some fatal error
+ * happens.
+ *
+ * IMPORTANT NOTE: since the (major) intended use case of this module is
+ * dumping a back trace on a fatal error, normally followed by self termination,
+ * functions defined in this module generally doesn't employ assertion checks
+ * (if it did, a program bug could cause infinite recursive calls to a
+ * backtrace function).  These functions still perform minimal checks and return
+ * ISC_R_FAILURE if they detect an error, but the caller should therefore be
+ * very careful about the use of these functions, and generally discouraged to
+ * use them except in an exit path.  The exception is
+ * isc_backtrace_getsymbolfromindex(), which is expected to be used in a
+ * non-error-handling context and validates arguments with assertion checks.
+ */
+
+#ifndef ISC_BACKTRACE_H
+#define ISC_BACKTRACE_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <isc/types.h>
+
+/***
+ *** Types
+ ***/
+struct isc_backtrace_symmap {
+	void		*addr;
+	const char	*symbol;
+};
+
+LIBISC_EXTERNAL_DATA extern const int isc__backtrace_nsymbols;
+LIBISC_EXTERNAL_DATA extern const
+	isc_backtrace_symmap_t isc__backtrace_symtable[];
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+isc_result_t
+isc_backtrace_gettrace(void **addrs, int maxaddrs, int *nframes);
+/*%<
+ * Get a back trace of the running process above this function itself.  On
+ * success, addrs[i] will store the address of the call point of the i-th
+ * stack frame (addrs[0] is the caller of this function).  *nframes will store
+ * the total number of frames.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'addrs' is a valid array containing at least 'maxaddrs' void * entries.
+ *
+ *\li	'nframes' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_backtrace_getsymbolfromindex(int index, const void **addrp,
+				 const char **symbolp);
+/*%<
+ * Returns the content of the internal symbol table of the given index.
+ * On success, *addrsp and *symbolp point to the address and the symbol of
+ * the 'index'th entry of the table, respectively.  If 'index' is not in the
+ * range of the symbol table, ISC_R_RANGE will be returned.
+ *
+ * Requires
+ *
+ *\li	'addrp' must be non NULL && '*addrp' == NULL.
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_RANGE
+ */
+
+isc_result_t
+isc_backtrace_getsymbol(const void *addr, const char **symbolp,
+			unsigned long *offsetp);
+/*%<
+ * Searches the internal symbol table for the symbol that most matches the
+ * given 'addr'.  On success, '*symbolp' will point to the name of function
+ * to which the address 'addr' belong, and '*offsetp' will store the offset
+ * from the function's entry address to 'addr'.
+ *
+ * Requires (note that these are not ensured by assertion checks, see above):
+ *
+ *\li	'symbolp' must be non NULL && '*symbolp' == NULL.
+ *
+ *\li	'offsetp' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_FAILURE
+ *\li	#ISC_R_NOTFOUND
+ */
+ISC_LANG_ENDDECLS
+
+#endif	/* ISC_BACKTRACE_H */
diff --git a/lib/isc/include/isc/base32.h b/lib/isc/include/isc/base32.h
new file mode 100644
index 0000000..96fe2ce
--- /dev/null
+++ b/lib/isc/include/isc/base32.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BASE32_H
+#define ISC_BASE32_H 1
+
+/*! \file */
+
+/*
+ * Routines for manipulating base 32 and base 32 hex encoded data.
+ * Based on RFC 4648.
+ *
+ * Base 32 hex preserves the sort order of data when it is encoded /
+ * decoded.
+ *
+ * Base 32 hex "np" is base 32 hex but no padding is produced or accepted.
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_totext(isc_region_t *source, int wordlength,
+		       const char *wordbreak, isc_buffer_t *target);
+/*!<
+ * \brief Convert data into base32 encoded text.
+ *
+ * Notes:
+ *\li	The base32 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the base32 encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated string in base32, base32hex, or
+ * base32hex non-padded.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE32 -- 'cstr' is not a valid base32 encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base32_tobuffer().
+ */
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+isc_result_t
+isc_base32hexnp_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert text encoded in base32, base32hex, or base32hex
+ * non-padded from a lexer context into data.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the base32 encoded
+ *	string parsed by the lexer.  No more than length bytes will be read,
+ *	if length is positive.  The 'used' pointer in target will be
+ *	advanced as necessary.
+ */
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target);
+isc_result_t
+isc_base32hexnp_decoderegion(isc_region_t *source, isc_buffer_t *target);
+/*!<
+ * \brief Decode a packed (no white space permitted) region in
+ * base32, base32hex or base32hex non-padded.
+ *
+ * Requires:
+ *\li   'source' is a valid region.
+ *\li   'target' is a valid buffer.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  -- the entire decoded representation of 'cstring'
+ *                         fit in 'target'.
+ *\li   #ISC_R_BADBASE32 -- 'source' is not a valid base32 encoding.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE32_H */
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
new file mode 100644
index 0000000..1504d3d
--- /dev/null
+++ b/lib/isc/include/isc/base64.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_BASE64_H
+#define ISC_BASE64_H 1
+
+/*! \file isc/base64.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target);
+/*!<
+ * \brief Convert data into base64 encoded text.
+ *
+ * Notes:
+ *\li	The base64 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the base64 encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated base64 string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base64_tobuffer().
+ */
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert base64 encoded text from a lexer context into data.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the base64 encoded
+ *	string parsed by the lexer.  No more than length bytes will be read,
+ *	if length is positive.  The 'used' pointer in target will be
+ *	advanced as necessary.
+ */
+
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE64_H */
diff --git a/lib/isc/include/isc/bind9.h b/lib/isc/include/isc/bind9.h
new file mode 100644
index 0000000..5a2837f
--- /dev/null
+++ b/lib/isc/include/isc/bind9.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_BIND9_H
+#define ISC_BIND9_H 1
+
+#include <stdbool.h>
+
+#include <isc/platform.h>
+
+/*
+ * This determines whether we are using the libisc/libdns libraries
+ * in BIND9 or in some other application.  For BIND9 (named and related
+ * tools) it must be set to true at runtime.  Export library clients
+ * will call isc_lib_register(), which will set it to false.
+ */
+LIBISC_EXTERNAL_DATA extern bool isc_bind9;
+
+#endif /* ISC_BIND9_H */
diff --git a/lib/isc/include/isc/boolean.h b/lib/isc/include/isc/boolean.h
new file mode 100644
index 0000000..2eebefa
--- /dev/null
+++ b/lib/isc/include/isc/boolean.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file isc/boolean.h */
+
+#define isc_boolean_t bool
+#define isc_boolean_false false
+#define isc_boolean_true true
+
+#define ISC_FALSE false
+#define ISC_TRUE true
+#define ISC_TF(x) (!!(x))
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
new file mode 100644
index 0000000..caaac57
--- /dev/null
+++ b/lib/isc/include/isc/buffer.h
@@ -0,0 +1,1047 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_BUFFER_H
+#define ISC_BUFFER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/buffer.h
+ *
+ * \brief A buffer is a region of memory, together with a set of related subregions.
+ * Buffers are used for parsing and I/O operations.
+ *
+ * The 'used region' and the 'available' region are disjoint, and their
+ * union is the buffer's region.  The used region extends from the beginning
+ * of the buffer region to the last used byte.  The available region
+ * extends from one byte greater than the last used byte to the end of the
+ * buffer's region.  The size of the used region can be changed using various
+ * buffer commands.  Initially, the used region is empty.
+ *
+ * The used region is further subdivided into two disjoint regions: the
+ * 'consumed region' and the 'remaining region'.  The union of these two
+ * regions is the used region.  The consumed region extends from the beginning
+ * of the used region to the byte before the 'current' offset (if any).  The
+ * 'remaining' region the current pointer to the end of the used
+ * region.  The size of the consumed region can be changed using various
+ * buffer commands.  Initially, the consumed region is empty.
+ *
+ * The 'active region' is an (optional) subregion of the remaining region.
+ * It extends from the current offset to an offset in the remaining region
+ * that is selected with isc_buffer_setactive().  Initially, the active region
+ * is empty.  If the current offset advances beyond the chosen offset, the
+ * active region will also be empty.
+ *
+ * \verbatim
+ *  /------------entire length---------------\
+ *  /----- used region -----\/-- available --\
+ *  +----------------------------------------+
+ *  | consumed  | remaining |                |
+ *  +----------------------------------------+
+ *  a           b     c     d                e
+ *
+ * a == base of buffer.
+ * b == current pointer.  Can be anywhere between a and d.
+ * c == active pointer.  Meaningful between b and d.
+ * d == used pointer.
+ * e == length of buffer.
+ *
+ * a-e == entire length of buffer.
+ * a-d == used region.
+ * a-b == consumed region.
+ * b-d == remaining region.
+ * b-c == optional active region.
+ *\endverbatim
+ *
+ * The following invariants are maintained by all routines:
+ *
+ *\code
+ *	length > 0
+ *
+ *	base is a valid pointer to length bytes of memory
+ *
+ *	0 <= used <= length
+ *
+ *	0 <= current <= used
+ *
+ *	0 <= active <= used
+ *	(although active < current implies empty active region)
+ *\endcode
+ *
+ * \li MP:
+ *	Buffers have no synchronization.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	Memory: 1 pointer + 6 unsigned integers per buffer.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+/*!
+ * To make many functions be inline macros (via \#define) define this.
+ * If it is undefined, a function will be used.
+  */
+/* #define ISC_BUFFER_USEINLINE */
+
+
+ISC_LANG_BEGINDECLS
+
+/*@{*/
+/*!
+ *** Magic numbers
+ ***/
+#define ISC_BUFFER_MAGIC		0x42756621U	/* Buf!. */
+#define ISC_BUFFER_VALID(b)		ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
+/*@}*/
+
+/*!
+ * Size granularity for dynamically resizeable buffers; when reserving
+ * space in a buffer, we round the allocated buffer length up to the
+ * nearest * multiple of this value.
+ */
+#define ISC_BUFFER_INCR 2048
+
+/*
+ * The following macros MUST be used only on valid buffers.  It is the
+ * caller's responsibility to ensure this by using the ISC_BUFFER_VALID
+ * check above, or by calling another isc_buffer_*() function (rather than
+ * another macro.)
+ */
+
+/*@{*/
+/*!
+ * Fundamental buffer elements.  (A through E in the introductory comment.)
+ */
+#define isc_buffer_base(b)    ((void *)(b)->base)			  /*a*/
+#define isc_buffer_current(b) \
+		((void *)((unsigned char *)(b)->base + (b)->current))     /*b*/
+#define isc_buffer_active(b)  \
+		((void *)((unsigned char *)(b)->base + (b)->active))      /*c*/
+#define isc_buffer_used(b)    \
+		((void *)((unsigned char *)(b)->base + (b)->used))        /*d*/
+#define isc_buffer_length(b)  ((b)->length)				  /*e*/
+/*@}*/
+
+/*@{*/
+/*!
+ * Derived lengths.  (Described in the introductory comment.)
+ */
+#define isc_buffer_usedlength(b)	((b)->used)		      /* d-a */
+#define isc_buffer_consumedlength(b)	((b)->current)		      /* b-a */
+#define isc_buffer_remaininglength(b)	((b)->used - (b)->current)    /* d-b */
+#define isc_buffer_activelength(b)	((b)->active - (b)->current)  /* c-b */
+#define isc_buffer_availablelength(b)	((b)->length - (b)->used)     /* e-d */
+/*@}*/
+
+/*!
+ * Note that the buffer structure is public.  This is principally so buffer
+ * operations can be implemented using macros.  Applications are strongly
+ * discouraged from directly manipulating the structure.
+ */
+
+struct isc_buffer {
+	unsigned int		magic;
+	void		       *base;
+	/*@{*/
+	/*! The following integers are byte offsets from 'base'. */
+	unsigned int		length;
+	unsigned int		used;
+	unsigned int 		current;
+	unsigned int 		active;
+	/*@}*/
+	/*! linkable */
+	ISC_LINK(isc_buffer_t)	link;
+	/*! private internal elements */
+	isc_mem_t	       *mctx;
+	/* automatically realloc buffer at put* */
+	bool		autore;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+		    unsigned int length);
+/*!<
+ * \brief Allocate a dynamic linkable buffer which has "length" bytes in the
+ * data region.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *
+ *\li	"dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- no memory available
+ *
+ * Note:
+ *\li	Changing the buffer's length field is not permitted.
+ */
+
+isc_result_t
+isc_buffer_reallocate(isc_buffer_t **dynbuffer, unsigned int length);
+/*!<
+ * \brief Reallocate the buffer to be "length" bytes long. The buffer
+ * pointer may move when you call this function.
+ *
+ * Requires:
+ *\li	"dynbuffer" is not NULL.
+ *
+ *\li	"*dynbuffer" is a valid dynamic buffer.
+ *
+ *\li	'length' > current length of buffer.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- no memory available
+ *
+ * Ensures:
+ *\li	"*dynbuffer" will be valid on return and will contain all the
+ *	original data. However, the buffer pointer may be moved during
+ *	reallocation.
+ */
+
+isc_result_t
+isc_buffer_reserve(isc_buffer_t **dynbuffer, unsigned int size);
+/*!<
+ * \brief Make "size" bytes of space available in the buffer. The buffer
+ * pointer may move when you call this function.
+ *
+ * Requires:
+ *\li	"dynbuffer" is not NULL.
+ *
+ *\li	"*dynbuffer" is a valid dynamic buffer.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- no memory available
+ *
+ * Ensures:
+ *\li	"*dynbuffer" will be valid on return and will contain all the
+ *	original data. However, the buffer pointer may be moved during
+ *	reallocation.
+ */
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer);
+/*!<
+ * \brief Release resources allocated for a dynamic buffer.
+ *
+ * Requires:
+ *\li	"dynbuffer" is not NULL.
+ *
+ *\li	"*dynbuffer" is a valid dynamic buffer.
+ *
+ * Ensures:
+ *\li	"*dynbuffer" will be NULL on return, and all memory associated with
+ *	the dynamic buffer is returned to the memory context used in
+ *	isc_buffer_allocate().
+ */
+
+void
+isc__buffer_init(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ *
+ * Requires:
+ *
+ *\li	'length' > 0
+ *
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+isc__buffer_initnull(isc_buffer_t *b);
+/*!<
+ *\brief Initialize a buffer 'b' with a null data and zero length/
+ */
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ * Any existing data will be copied.
+ *
+ * Requires:
+ *
+ *\li	'length' > 0 AND length >= previous length
+ *
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+isc__buffer_invalidate(isc_buffer_t *b);
+/*!<
+ * \brief Make 'b' an invalid buffer.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ * Ensures:
+ *\li	If assertion checking is enabled, future attempts to use 'b' without
+ *	calling isc_buffer_init() on it will cause an assertion failure.
+ */
+
+void
+isc_buffer_setautorealloc(isc_buffer_t *b, bool enable);
+/*!<
+ * \brief Enable or disable autoreallocation on 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid dynamic buffer (b->mctx != NULL).
+ *
+ */
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_usedregion(const isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the used region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the available region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Increase the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	used + n <= length
+ *
+ */
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Decrease the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	used >= n
+ *
+ */
+
+void
+isc__buffer_clear(isc_buffer_t *b);
+/*!<
+ * \brief Make the used region empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	used = 0
+ *
+ */
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the consumed region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the remaining region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
+/*!<
+ * \brief Make 'r' refer to the active region of 'b'.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' points to a region structure.
+ */
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Sets the end of the active region 'n' bytes after current.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	current + n <= used
+ */
+
+void
+isc__buffer_first(isc_buffer_t *b);
+/*!<
+ * \brief Make the consumed region empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	current == 0
+ *
+ */
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Increase the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	current + n <= used
+ *
+ */
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n);
+/*!<
+ * \brief Decrease the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ *\li	n <= current
+ *
+ */
+
+void
+isc_buffer_compact(isc_buffer_t *b);
+/*!<
+ * \brief Compact the used region by moving the remaining region so it occurs
+ * at the start of the buffer.  The used region is shrunk by the size of
+ * the consumed region, and the consumed region is then made empty.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *\li	current == 0
+ *
+ *\li	The size of the used region is now equal to the size of the remaining
+ *	region (as it was before the call).  The contents of the used region
+ *	are those of the remaining region (as it was before the call).
+ */
+
+uint8_t
+isc_buffer_getuint8(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 8-bit integer from 'b' and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 1.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 1.
+ *
+ * Returns:
+ *
+ *\li	A 8-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, uint8_t val);
+/*!<
+ * \brief Store an unsigned 8-bit integer from 'val' into 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the unused region of 'b' is at least 1
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 1.
+ */
+
+uint16_t
+isc_buffer_getuint16(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 16-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 2
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ *\li	A 16-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, uint16_t val);
+/*!<
+ * \brief Store an unsigned 16-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the unused region of 'b' is at least 2
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 2.
+ */
+
+uint32_t
+isc_buffer_getuint32(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 32-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 4.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 4.
+ *
+ * Returns:
+ *
+ *\li	A 32-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, uint32_t val);
+/*!<
+ * \brief Store an unsigned 32-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the unused region of 'b' is at least 4
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 4.
+ */
+
+uint64_t
+isc_buffer_getuint48(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 48-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 6.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 6.
+ *
+ * Returns:
+ *
+ *\li	A 48-bit unsigned integer (stored in a 64-bit integer).
+ */
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, uint64_t val);
+/*!<
+ * \brief Store an unsigned 48-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the unused region of 'b' is at least 6
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 6.
+ */
+
+void
+isc__buffer_putuint24(isc_buffer_t *b, uint32_t val);
+/*!<
+ * Store an unsigned 24-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *	The length of the unused region of 'b' is at least 3
+ *	or the buffer has autoreallocation enabled.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 3.
+ */
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+		   unsigned int length);
+/*!<
+ * \brief Copy 'length' bytes of memory at 'base' into 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer, and it has at least 'length'
+ *	or the buffer has autoreallocation enabled.
+ *
+ *\li	'base' points to 'length' bytes of valid memory.
+ *
+ */
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source);
+/*!<
+ * \brief Copy 'source' into 'b', not including terminating NUL.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'source' to be a valid NULL terminated string.
+ *
+ *\li	strlen(source) <= isc_buffer_available(b) || b->mctx != NULL
+ */
+
+void
+isc_buffer_putdecint(isc_buffer_t *b, int64_t v);
+/*!<
+ * \brief Put decimal representation of 'v' in b
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	strlen(dec(v)) <= isc_buffer_available(b) || b->mctx != NULL
+ */
+
+
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
+/*!<
+ * \brief Copy the contents of 'r' into 'b'.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	'r' is a valid region.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOSPACE			The available region of 'b' is not
+ *					big enough.
+ */
+
+isc_result_t
+isc_buffer_dup(isc_mem_t *mctx, isc_buffer_t **dstp, const isc_buffer_t *src);
+/*!<
+ * \brief Allocate 'dst' and copy used contents  of 'src' into it
+ *
+ * Requires:
+ *\li	'dstp' is not NULL and *dst is NULL
+ *\li	'src' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li	ISC_R_SUCCESS
+ *\li	ISC_R_NOSPACE			The available region of 'b' is not
+ *					big enough.
+ */
+
+ISC_LANG_ENDDECLS
+
+/*
+ * Inline macro versions of the functions.  These should never be called
+ * directly by an application, but will be used by the functions within
+ * buffer.c.  The callers should always use "isc_buffer_*()" names, never
+ * ones beginning with "isc__"
+ */
+
+/*! \note
+ * XXXDCL Something more could be done with initializing buffers that
+ * point to const data.  For example, isc_buffer_constinit() could
+ * set a new boolean flag in the buffer structure indicating whether
+ * the buffer was initialized with that function.  * Then if the
+ * boolean were true, the isc_buffer_put* functions could assert a
+ * contractual requirement for a non-const buffer.
+ *
+ * One drawback is that the isc_buffer_* functions (macros) that return
+ * pointers would still need to return non-const pointers to avoid compiler
+ * warnings, so it would be up to code that uses them to have to deal
+ * with the possibility that the buffer was initialized as const --
+ * a problem that they *already* have to deal with but have absolutely
+ * no ability to.  With a new isc_buffer_isconst() function returning
+ * true/false, they could at least assert a contractual requirement for
+ * non-const buffers when needed.
+ */
+#define ISC__BUFFER_INIT(_b, _base, _length) \
+	do { \
+		(_b)->base = _base; \
+		(_b)->length = (_length); \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+		(_b)->mctx = NULL; \
+		ISC_LINK_INIT(_b, link); \
+		(_b)->magic = ISC_BUFFER_MAGIC; \
+		(_b)->autore = false; \
+	} while (0)
+
+#define ISC__BUFFER_INITNULL(_b) ISC__BUFFER_INIT(_b, NULL, 0)
+
+#define ISC__BUFFER_INVALIDATE(_b) \
+	do { \
+		(_b)->magic = 0; \
+		(_b)->base = NULL; \
+		(_b)->length = 0; \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+	} while (0)
+
+#define ISC__BUFFER_REGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->length; \
+	} while (0)
+
+#define ISC__BUFFER_USEDREGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->used; \
+	} while (0)
+
+#define ISC__BUFFER_AVAILABLEREGION(_b, _r) \
+	do { \
+		(_r)->base = isc_buffer_used(_b); \
+		(_r)->length = isc_buffer_availablelength(_b); \
+	} while (0)
+
+#define ISC__BUFFER_ADD(_b, _n) \
+	do { \
+		(_b)->used += (_n); \
+	} while (0)
+
+#define ISC__BUFFER_SUBTRACT(_b, _n) \
+	do { \
+		(_b)->used -= (_n); \
+		if ((_b)->current > (_b)->used) \
+			(_b)->current = (_b)->used; \
+		if ((_b)->active > (_b)->used) \
+			(_b)->active = (_b)->used; \
+	} while (0)
+
+#define ISC__BUFFER_CLEAR(_b) \
+	do { \
+		(_b)->used = 0; \
+		(_b)->current = 0; \
+		(_b)->active = 0; \
+	} while (0)
+
+#define ISC__BUFFER_CONSUMEDREGION(_b, _r) \
+	do { \
+		(_r)->base = (_b)->base; \
+		(_r)->length = (_b)->current; \
+	} while (0)
+
+#define ISC__BUFFER_REMAININGREGION(_b, _r) \
+	do { \
+		(_r)->base = isc_buffer_current(_b); \
+		(_r)->length = isc_buffer_remaininglength(_b); \
+	} while (0)
+
+#define ISC__BUFFER_ACTIVEREGION(_b, _r) \
+	do { \
+		if ((_b)->current < (_b)->active) { \
+			(_r)->base = isc_buffer_current(_b); \
+			(_r)->length = isc_buffer_activelength(_b); \
+		} else { \
+			(_r)->base = NULL; \
+			(_r)->length = 0; \
+		} \
+	} while (0)
+
+#define ISC__BUFFER_SETACTIVE(_b, _n) \
+	do { \
+		(_b)->active = (_b)->current + (_n); \
+	} while (0)
+
+#define ISC__BUFFER_FIRST(_b) \
+	do { \
+		(_b)->current = 0; \
+	} while (0)
+
+#define ISC__BUFFER_FORWARD(_b, _n) \
+	do { \
+		(_b)->current += (_n); \
+	} while (0)
+
+#define ISC__BUFFER_BACK(_b, _n) \
+	do { \
+		(_b)->current -= (_n); \
+	} while (0)
+
+#define ISC__BUFFER_PUTMEM(_b, _base, _length) \
+	do { \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, _length) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= (unsigned int) _length); \
+		if (_length > 0U) { \
+			memmove(isc_buffer_used(_b), (_base), (_length)); \
+			(_b)->used += (_length); \
+		} \
+	} while (0)
+
+#define ISC__BUFFER_PUTSTR(_b, _source) \
+	do { \
+		unsigned int _length; \
+		unsigned char *_cp; \
+		_length = (unsigned int)strlen(_source); \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, _length) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= _length); \
+		_cp = isc_buffer_used(_b); \
+		memmove(_cp, (_source), _length); \
+		(_b)->used += (_length); \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT8(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		/* evaluate (_val) only once */ \
+		uint8_t _val2 = (_val); \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 1) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 1U); \
+		_cp = isc_buffer_used(_b); \
+		(_b)->used++; \
+		_cp[0] = _val2; \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT16(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		/* evaluate (_val) only once */ \
+		uint16_t _val2 = (_val); \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 2) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 2U); \
+		_cp = isc_buffer_used(_b); \
+		(_b)->used += 2; \
+		_cp[0] = _val2 >> 8; \
+		_cp[1] = _val2; \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT24(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		/* evaluate (_val) only once */ \
+		uint32_t _val2 = (_val); \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 3) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 3U); \
+		_cp = isc_buffer_used(_b); \
+		(_b)->used += 3; \
+		_cp[0] = _val2 >> 16; \
+		_cp[1] = _val2 >> 8; \
+		_cp[2] = _val2; \
+	} while (0)
+
+#define ISC__BUFFER_PUTUINT32(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		/* evaluate (_val) only once */ \
+		uint32_t _val2 = (_val); \
+		if (ISC_UNLIKELY((_b)->autore)) { \
+			isc_buffer_t *_tmp = _b; \
+			ISC_REQUIRE(isc_buffer_reserve(&_tmp, 4) \
+				== ISC_R_SUCCESS); \
+		} \
+		ISC_REQUIRE(isc_buffer_availablelength(_b) >= 4U); \
+		_cp = isc_buffer_used(_b); \
+		(_b)->used += 4; \
+		_cp[0] = _val2 >> 24; \
+		_cp[1] = _val2 >> 16; \
+		_cp[2] = _val2 >> 8; \
+		_cp[3] = _val2; \
+	} while (0)
+
+#if defined(ISC_BUFFER_USEINLINE)
+#define isc_buffer_init			ISC__BUFFER_INIT
+#define isc_buffer_initnull		ISC__BUFFER_INITNULL
+#define isc_buffer_invalidate		ISC__BUFFER_INVALIDATE
+#define isc_buffer_region		ISC__BUFFER_REGION
+#define isc_buffer_usedregion		ISC__BUFFER_USEDREGION
+#define isc_buffer_availableregion	ISC__BUFFER_AVAILABLEREGION
+#define isc_buffer_add			ISC__BUFFER_ADD
+#define isc_buffer_subtract		ISC__BUFFER_SUBTRACT
+#define isc_buffer_clear		ISC__BUFFER_CLEAR
+#define isc_buffer_consumedregion	ISC__BUFFER_CONSUMEDREGION
+#define isc_buffer_remainingregion	ISC__BUFFER_REMAININGREGION
+#define isc_buffer_activeregion		ISC__BUFFER_ACTIVEREGION
+#define isc_buffer_setactive		ISC__BUFFER_SETACTIVE
+#define isc_buffer_first		ISC__BUFFER_FIRST
+#define isc_buffer_forward		ISC__BUFFER_FORWARD
+#define isc_buffer_back			ISC__BUFFER_BACK
+#define isc_buffer_putmem		ISC__BUFFER_PUTMEM
+#define isc_buffer_putstr		ISC__BUFFER_PUTSTR
+#define isc_buffer_putuint8		ISC__BUFFER_PUTUINT8
+#define isc_buffer_putuint16		ISC__BUFFER_PUTUINT16
+#define isc_buffer_putuint24		ISC__BUFFER_PUTUINT24
+#define isc_buffer_putuint32		ISC__BUFFER_PUTUINT32
+#else
+#define isc_buffer_init			isc__buffer_init
+#define isc_buffer_initnull		isc__buffer_initnull
+#define isc_buffer_invalidate		isc__buffer_invalidate
+#define isc_buffer_region		isc__buffer_region
+#define isc_buffer_usedregion		isc__buffer_usedregion
+#define isc_buffer_availableregion	isc__buffer_availableregion
+#define isc_buffer_add			isc__buffer_add
+#define isc_buffer_subtract		isc__buffer_subtract
+#define isc_buffer_clear		isc__buffer_clear
+#define isc_buffer_consumedregion	isc__buffer_consumedregion
+#define isc_buffer_remainingregion	isc__buffer_remainingregion
+#define isc_buffer_activeregion		isc__buffer_activeregion
+#define isc_buffer_setactive		isc__buffer_setactive
+#define isc_buffer_first		isc__buffer_first
+#define isc_buffer_forward		isc__buffer_forward
+#define isc_buffer_back			isc__buffer_back
+#define isc_buffer_putmem		isc__buffer_putmem
+#define isc_buffer_putstr		isc__buffer_putstr
+#define isc_buffer_putuint8		isc__buffer_putuint8
+#define isc_buffer_putuint16		isc__buffer_putuint16
+#define isc_buffer_putuint24		isc__buffer_putuint24
+#define isc_buffer_putuint32		isc__buffer_putuint32
+#endif
+
+#define isc_buffer_constinit(_b, _d, _l) \
+	do { \
+		union { void *_var; const void *_const; } _deconst; \
+		_deconst._const = (_d); \
+		isc_buffer_init((_b), _deconst._var, (_l)); \
+	} while (0)
+
+/*
+ * No inline method for this one (yet).
+ */
+#define isc_buffer_putuint48		isc__buffer_putuint48
+
+#endif /* ISC_BUFFER_H */
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
new file mode 100644
index 0000000..ffb4986
--- /dev/null
+++ b/lib/isc/include/isc/bufferlist.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_BUFFERLIST_H
+#define ISC_BUFFERLIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/bufferlist.h
+ *
+ *
+ *\brief	Buffer lists have no synchronization.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl);
+/*!<
+ * \brief Return the length of the sum of all used regions of all buffers in
+ * the buffer list 'bl'
+ *
+ * Requires:
+ *
+ *\li	'bl' is not NULL.
+ *
+ * Returns:
+ *\li	sum of all used regions' lengths.
+ */
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl);
+/*!<
+ * \brief Return the length of the sum of all available regions of all buffers in
+ * the buffer list 'bl'
+ *
+ * Requires:
+ *
+ *\li	'bl' is not NULL.
+ *
+ * Returns:
+ *\li	sum of all available regions' lengths.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BUFFERLIST_H */
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
new file mode 100644
index 0000000..a1a256e
--- /dev/null
+++ b/lib/isc/include/isc/commandline.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_COMMANDLINE_H
+#define ISC_COMMANDLINE_H 1
+
+/*! \file isc/commandline.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/result.h>
+
+/*% Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
+/*% Character checked for validity. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
+/*% Argument associated with option. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
+/*% For printing error messages. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
+/*% Print error message. */
+LIBISC_EXTERNAL_DATA extern bool isc_commandline_errprint;
+/*% Reset getopt. */
+LIBISC_EXTERNAL_DATA extern bool isc_commandline_reset;
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_commandline_parse(int argc, char * const *argv, const char *options);
+/*%<
+ * Parse a command line (similar to getopt())
+ */
+
+isc_result_t
+isc_commandline_strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp,
+			  char ***argvp, unsigned int n);
+/*%<
+ * Tokenize the string "s" into whitespace-separated words,
+ * returning the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'.  The caller
+ * must free the array using isc_mem_free().  The string
+ * is modified in-place.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COMMANDLINE_H */
diff --git a/lib/isc/include/isc/counter.h b/lib/isc/include/isc/counter.h
new file mode 100644
index 0000000..28d9c79
--- /dev/null
+++ b/lib/isc/include/isc/counter.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_COUNTER_H
+#define ISC_COUNTER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/counter.h
+ *
+ * \brief The isc_counter_t object is a simplified version of the
+ * isc_quota_t object; it tracks the consumption of limited
+ * resources, returning an error condition when the quota is
+ * exceeded.  However, unlike isc_quota_t, attaching and detaching
+ * from a counter object does not increment or decrement the counter.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+/*****
+ ***** Types.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp);
+/*%<
+ * Allocate and initialize a counter object.
+ */
+
+isc_result_t
+isc_counter_increment(isc_counter_t *counter);
+/*%<
+ * Increment the counter.
+ *
+ * If the counter limit is nonzero and has been reached, then
+ * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is
+ * incremented regardless of return value.)
+ */
+
+unsigned int
+isc_counter_used(isc_counter_t *counter);
+/*%<
+ * Return the current counter value.
+ */
+
+void
+isc_counter_setlimit(isc_counter_t *counter, int limit);
+/*%<
+ * Set the counter limit.
+ */
+
+void
+isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp);
+/*%<
+ * Attach to a counter object, increasing its reference counter.
+ */
+
+void
+isc_counter_detach(isc_counter_t **counterp);
+/*%<
+ * Detach (and destroy if reference counter has dropped to zero)
+ * a counter object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COUNTER_H */
diff --git a/lib/isc/include/isc/crc64.h b/lib/isc/include/isc/crc64.h
new file mode 100644
index 0000000..ed5860b
--- /dev/null
+++ b/lib/isc/include/isc/crc64.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_CRC64_H
+#define ISC_CRC64_H 1
+
+/*! \file isc/crc64.h
+ * \brief CRC64 in C
+ */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_crc64_init(uint64_t *crc);
+/*%
+ * Initialize a new CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ */
+
+void
+isc_crc64_update(uint64_t *crc, const void *data, size_t len);
+/*%
+ * Add data to the CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ * * 'data' is not NULL.
+ */
+
+void
+isc_crc64_final(uint64_t *crc);
+/*%
+ * Finalize the CRC.
+ *
+ * Requires:
+ * * 'crc' is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CRC64_H */
diff --git a/lib/isc/include/isc/deprecated.h b/lib/isc/include/isc/deprecated.h
new file mode 100644
index 0000000..d485e20
--- /dev/null
+++ b/lib/isc/include/isc/deprecated.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_DEPRECATED_H
+#define ISC_DEPRECATED_H
+
+#if (__GNUC__ + 0) > 3
+#define ISC_DEPRECATED                  __attribute__((deprecated))
+#else
+#define ISC_DEPRECATED                  /* none */
+#endif /* __GNUC__ > 3*/
+
+#endif
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
new file mode 100644
index 0000000..4bba8e1
--- /dev/null
+++ b/lib/isc/include/isc/entropy.h
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: entropy.h,v 1.35 2009/10/19 02:37:08 marka Exp $ */
+
+#ifndef ISC_ENTROPY_H
+#define ISC_ENTROPY_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/entropy.h
+ * \brief The entropy API
+ *
+ * \li MP:
+ *	The entropy object is locked internally.  All callbacks into
+ *	application-provided functions (for setup, gathering, and
+ *	shutdown of sources) are guaranteed to be called with the
+ *	entropy API lock held.  This means these functions are
+ *	not permitted to call back into the entropy API.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	A buffer, used as an entropy pool.
+ *
+ * \li Security:
+ *	While this code is believed to implement good entropy gathering
+ *	and distribution, it has not been reviewed by a cryptographic
+ *	expert.
+ *	Since the added entropy is only as good as the sources used,
+ *	this module could hand out bad data and never know it.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*@{*/
+/*% Entropy callback function. */
+typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source,
+					   void *arg, bool blocking);
+typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source,
+					 void *arg, bool blocking);
+typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
+/*@}*/
+
+/***
+ *** Flags.
+ ***/
+
+/*!
+ * \brief
+ *	Extract only "good" data; return failure if there is not enough
+ *	data available and there are no sources which we can poll to get
+ *	data, or those sources are empty.
+ *
+ *
+ */
+#define ISC_ENTROPY_GOODONLY	0x00000001U
+/*!
+ * \brief
+ *	Extract as much good data as possible, but if there isn't enough
+ *	at hand, return what is available.  This flag only makes sense
+ *	when used with _GOODONLY.
+ */
+#define ISC_ENTROPY_PARTIAL	0x00000002U
+/*!
+ * \brief
+ *	Block the task until data is available.  This is contrary to the
+ *	ISC task system, where tasks should never block.  However, if
+ *	this is a special purpose application where blocking a task is
+ *	acceptable (say, an offline zone signer) this flag may be set.
+ *	This flag only makes sense when used with _GOODONLY, and will
+ *	block regardless of the setting for _PARTIAL.
+ */
+#define ISC_ENTROPY_BLOCKING	0x00000004U
+
+/*!
+ * \brief
+ *	Estimate the amount of entropy contained in the sample pool.
+ *	If this is not set, the source will be gathered and periodically
+ *	mixed into the entropy pool, but no increment in contained entropy
+ *	will be assumed.  This flag only makes sense on sample sources.
+ */
+#define ISC_ENTROPYSOURCE_ESTIMATE	0x00000001U
+
+/*
+ * For use with isc_entropy_usebestsource().
+ */
+/*!
+ * \brief
+ *	Use the keyboard as the only entropy source.
+ */
+#define ISC_ENTROPY_KEYBOARDYES		1
+/*!
+ * \brief
+ *	Never use the keyboard as an entropy source.
+ */
+#define ISC_ENTROPY_KEYBOARDNO		2
+/*!
+ * \brief
+ *	Use the keyboard as an entropy source only if opening the
+ *	random device fails.
+ */
+#define ISC_ENTROPY_KEYBOARDMAYBE	3
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp);
+/*!<
+ * \brief Create a new entropy object.
+ */
+
+void
+isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp);
+/*!<
+ * Attaches to an entropy object.
+ */
+
+void
+isc_entropy_detach(isc_entropy_t **entp);
+/*!<
+ * \brief Detaches from an entropy object.
+ */
+
+isc_result_t
+isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
+/*!<
+ * \brief Create a new entropy source from a file.
+ *
+ * The file is assumed to contain good randomness, and will be mixed directly
+ * into the pool with every byte adding 8 bits of entropy.
+ *
+ * The file will be put into non-blocking mode, so it may be a device file,
+ * such as /dev/random.  /dev/urandom should not be used here if it can
+ * be avoided, since it will always provide data even if it isn't good.
+ * We will make as much pseudorandom data as we need internally if our
+ * caller asks for it.
+ *
+ * If we hit end-of-file, we will stop reading from this source.  Callers
+ * who require strong random data will get failure when our pool drains.
+ * The file will never be opened/read again once EOF is reached.
+ */
+
+void
+isc_entropy_destroysource(isc_entropysource_t **sourcep);
+/*!<
+ * \brief Removes an entropy source from the entropy system.
+ */
+
+isc_result_t
+isc_entropy_createsamplesource(isc_entropy_t *ent,
+			       isc_entropysource_t **sourcep);
+/*!<
+ * \brief Create an entropy source that consists of samples.  Each sample is
+ * added to the source via isc_entropy_addsamples(), below.
+ */
+
+isc_result_t
+isc_entropy_createcallbacksource(isc_entropy_t *ent,
+				 isc_entropystart_t start,
+				 isc_entropyget_t get,
+				 isc_entropystop_t stop,
+				 void *arg,
+				 isc_entropysource_t **sourcep);
+/*!<
+ * \brief Create an entropy source that is polled via a callback.
+ *
+ * This would
+ * be used when keyboard input is used, or a GUI input method.  It can
+ * also be used to hook in any external entropy source.
+ *
+ * Samples are added via isc_entropy_addcallbacksample(), below.
+ * _addcallbacksample() is the only function which may be called from
+ * within an entropy API callback function.
+ */
+
+void
+isc_entropy_stopcallbacksources(isc_entropy_t *ent);
+/*!<
+ * \brief Call the stop functions for callback sources that have had their
+ * start functions called.
+ */
+
+/*@{*/
+isc_result_t
+isc_entropy_addcallbacksample(isc_entropysource_t *source, uint32_t sample,
+			      uint32_t extra);
+isc_result_t
+isc_entropy_addsample(isc_entropysource_t *source, uint32_t sample,
+		      uint32_t extra);
+/*!<
+ * \brief Add a sample to the sample source.
+ *
+ * The sample MUST be a timestamp
+ * that increases over time, with the exception of wrap-around for
+ * extremely high resolution timers which will quickly wrap-around
+ * a 32-bit integer.
+ *
+ * The "extra" parameter is used only to add a bit more unpredictable
+ * data.  It is not used other than included in the hash of samples.
+ *
+ * When in an entropy API callback function, _addcallbacksource() must be
+ * used.  At all other times, _addsample() must be used.
+ */
+/*@}*/
+
+isc_result_t
+isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
+		    unsigned int *returned, unsigned int flags);
+/*!<
+ * \brief Extract data from the entropy pool.  This may load the pool from various
+ * sources.
+ *
+ * Do this by stiring the pool and returning a part of hash as randomness.
+ * Note that no secrets are given away here since parts of the hash are
+ * xored together before returned.
+ *
+ * Honor the request from the caller to only return good data, any data,
+ * etc.
+ */
+
+void
+isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
+		    uint32_t entropy);
+/*!<
+ * \brief Add "length" bytes in "data" to the entropy pool, incrementing the
+ * pool's entropy count by "entropy."
+ *
+ * These bytes will prime the pseudorandom portion even if no entropy is
+ * actually added.
+ */
+
+void
+isc_entropy_stats(isc_entropy_t *ent, FILE *out);
+/*!<
+ * \brief Dump some (trivial) stats to the stdio stream "out".
+ */
+
+unsigned int
+isc_entropy_status(isc_entropy_t *end);
+/*
+ * Returns the number of bits the pool currently contains.  This is just
+ * an estimate.
+ */
+
+isc_result_t
+isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+			  const char *randomfile, int use_keyboard);
+/*!<
+ * \brief Use whatever source of entropy is best.
+ *
+ * Notes:
+ *\li	If "randomfile" is not NULL, open it with
+ *	isc_entropy_createfilesource().
+ *
+ *\li	If "randomfile" is NULL and the system's random device was detected
+ *	when the program was configured and built, open that device with
+ *	isc_entropy_createfilesource().
+ *
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDYES, then always open
+ *	the keyboard as an entropy source (possibly in addition to
+ *	"randomfile" or the random device).
+ *
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
+ *	if opening the random file/device fails.  A message will be
+ *	printed describing the need for keyboard input.
+ *
+ *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDNO, the keyboard will
+ *	never be opened.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS if at least one source of entropy could be started.
+ *
+ *\li	#ISC_R_NOENTROPY if use_keyboard is #ISC_ENTROPY_KEYBOARDNO and
+ *	there is no random device pathname compiled into the program.
+ *
+ *\li	A return code from isc_entropy_createfilesource() or
+ *	isc_entropy_createcallbacksource().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ENTROPY_H */
diff --git a/lib/isc/include/isc/errno.h b/lib/isc/include/isc/errno.h
new file mode 100644
index 0000000..7777b8d
--- /dev/null
+++ b/lib/isc/include/isc/errno.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_ERRNO_H
+#define ISC_ERRNO_H 1
+
+/*! \file isc/file.h */
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_errno_toresult(int err);
+/*!<
+ * \brief Convert a POSIX errno value to an ISC result code.
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ERRNO_H */
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
new file mode 100644
index 0000000..87bb6ba
--- /dev/null
+++ b/lib/isc/include/isc/error.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ERROR_H
+#define ISC_ERROR_H 1
+
+/*! \file isc/error.h */
+
+#include <stdarg.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/likely.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
+
+/*% set unexpected error */
+void
+isc_error_setunexpected(isc_errorcallback_t);
+
+/*% set fatal error */
+void
+isc_error_setfatal(isc_errorcallback_t);
+
+/*% unexpected error */
+void
+isc_error_unexpected(const char *, int, const char *, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+
+/*% fatal error */
+ISC_PLATFORM_NORETURN_PRE void
+isc_error_fatal(const char *, int, const char *, ...)
+ISC_FORMAT_PRINTF(3, 4) ISC_PLATFORM_NORETURN_POST;
+
+/*% runtimecheck error */
+ISC_PLATFORM_NORETURN_PRE void
+isc_error_runtimecheck(const char *, int, const char *) ISC_PLATFORM_NORETURN_POST;
+
+#define ISC_ERROR_RUNTIMECHECK(cond) \
+	((void) (ISC_LIKELY(cond) || \
+		 ((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ERROR_H */
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
new file mode 100644
index 0000000..22f735d
--- /dev/null
+++ b/lib/isc/include/isc/event.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_EVENT_H
+#define ISC_EVENT_H 1
+
+/*! \file isc/event.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*****
+ ***** Events.
+ *****/
+
+typedef void (*isc_eventdestructor_t)(isc_event_t *);
+
+#define ISC_EVENT_COMMON(ltype)		\
+	size_t				ev_size; \
+	unsigned int			ev_attributes; \
+	void *				ev_tag; \
+	isc_eventtype_t			ev_type; \
+	isc_taskaction_t		ev_action; \
+	void *				ev_arg; \
+	void *				ev_sender; \
+	isc_eventdestructor_t		ev_destroy; \
+	void *				ev_destroy_arg; \
+	ISC_LINK(ltype)			ev_link; \
+	ISC_LINK(ltype)			ev_ratelink
+
+/*%
+ * Attributes matching a mask of 0x000000ff are reserved for the task library's
+ * definition.  Attributes of 0xffffff00 may be used by the application
+ * or non-ISC libraries.
+ */
+#define ISC_EVENTATTR_NOPURGE		0x00000001
+
+/*%
+ * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
+ * that an event is delivered as a result of a canceled operation
+ * rather than successful completion, by mutual agreement
+ * between the sender and receiver.  It is not set or used by
+ * the task system.
+ */
+#define ISC_EVENTATTR_CANCELED		0x00000002
+
+#define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
+do { \
+	(event)->ev_size = (sz); \
+	(event)->ev_attributes = (at); \
+	(event)->ev_tag = (ta); \
+	(event)->ev_type = (ty); \
+	(event)->ev_action = (ac); \
+	(event)->ev_arg = (ar); \
+	(event)->ev_sender = (sn); \
+	(event)->ev_destroy = (df); \
+	(event)->ev_destroy_arg = (da); \
+	ISC_LINK_INIT((event), ev_link); \
+	ISC_LINK_INIT((event), ev_ratelink); \
+} while (0)
+
+/*%
+ * This structure is public because "subclassing" it may be useful when
+ * defining new event types.
+ */
+struct isc_event {
+	ISC_EVENT_COMMON(struct isc_event);
+};
+
+#define ISC_EVENTTYPE_FIRSTEVENT	0x00000000
+#define ISC_EVENTTYPE_LASTEVENT		0xffffffff
+
+#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
+
+ISC_LANG_BEGINDECLS
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+		   isc_taskaction_t action, void *arg, size_t size);
+isc_event_t *
+isc_event_constallocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+			isc_taskaction_t action, const void *arg, size_t size);
+/*%<
+ * Allocate an event structure.
+ *
+ * Allocate and initialize in a structure with initial elements
+ * defined by:
+ *
+ * \code
+ *	struct {
+ *		ISC_EVENT_COMMON(struct isc_event);
+ *		...
+ *	};
+ * \endcode
+ *
+ * Requires:
+ *\li	'size' >= sizeof(struct isc_event)
+ *\li	'action' to be non NULL
+ *
+ * Returns:
+ *\li	a pointer to a initialized structure of the requested size.
+ *\li	NULL if unable to allocate memory.
+ */
+
+void
+isc_event_free(isc_event_t **);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_EVENT_H */
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
new file mode 100644
index 0000000..15ad345
--- /dev/null
+++ b/lib/isc/include/isc/eventclass.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_EVENTCLASS_H
+#define ISC_EVENTCLASS_H 1
+
+/*! \file isc/eventclass.h
+ ***** Registry of Predefined Event Type Classes
+ *****/
+
+/*%
+ * An event class is an unsigned 16 bit number.  Each class may contain up
+ * to 65536 events.  An event type is formed by adding the event number
+ * within the class to the class number.
+ *
+ */
+
+#define ISC_EVENTCLASS(eclass)		((eclass) << 16)
+
+/*@{*/
+/*!
+ * Classes < 1024 are reserved for ISC use.
+ * Event classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#define	ISC_EVENTCLASS_TASK		ISC_EVENTCLASS(0)
+#define	ISC_EVENTCLASS_TIMER		ISC_EVENTCLASS(1)
+#define	ISC_EVENTCLASS_SOCKET		ISC_EVENTCLASS(2)
+#define	ISC_EVENTCLASS_FILE		ISC_EVENTCLASS(3)
+#define	ISC_EVENTCLASS_DNS		ISC_EVENTCLASS(4)
+#define	ISC_EVENTCLASS_APP		ISC_EVENTCLASS(5)
+#define	ISC_EVENTCLASS_OMAPI		ISC_EVENTCLASS(6)
+#define	ISC_EVENTCLASS_RATELIMITER	ISC_EVENTCLASS(7)
+#define	ISC_EVENTCLASS_ISCCC		ISC_EVENTCLASS(8)
+/*@}*/
+
+#endif /* ISC_EVENTCLASS_H */
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
new file mode 100644
index 0000000..0797f02
--- /dev/null
+++ b/lib/isc/include/isc/file.h
@@ -0,0 +1,398 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_FILE_H
+#define ISC_FILE_H 1
+
+/*! \file isc/file.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/stat.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time);
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep);
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time);
+/*!<
+ * \brief Get the time of last modification of a file.
+ *
+ * Notes:
+ *\li	The time that is set is relative to the (OS-specific) epoch, as are
+ *	all isc_time_t structures.
+ *
+ * Requires:
+ *\li	file != NULL.
+ *\li	time != NULL.
+ *
+ * Ensures:
+ *\li	If the file could not be accessed, 'time' is unchanged.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success.
+ *\li	#ISC_R_NOTFOUND
+ *		No such file exists.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_NOPERM
+ *		The file's metainformation could not be retrieved because
+ *		permission was denied to some part of the file's path.
+ *\li	#ISC_R_IOERROR
+ *		Hardware error interacting with the filesystem.
+ *\li	#ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ *
+ */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen);
+/*!<
+ * \brief Generate a template string suitable for use with isc_file_openunique().
+ *
+ * Notes:
+ *\li	This function is intended to make creating temporary files
+ *	portable between different operating systems.
+ *
+ *\li	The path is prepended to an implementation-defined string and
+ *	placed into buf.  The string has no path characters in it,
+ *	and its maximum length is 14 characters plus a NUL.  Thus
+ *	buflen should be at least strlen(path) + 15 characters or
+ *	an error will be returned.
+ *
+ * Requires:
+ *\li	buf != NULL.
+ *
+ * Ensures:
+ *\li	If result == #ISC_R_SUCCESS:
+ *		buf contains a string suitable for use as the template argument
+ *		to isc_file_openunique().
+ *
+ *\li	If result != #ISC_R_SUCCESS:
+ *		buf is unchanged.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS 	Success.
+ *\li	#ISC_R_NOSPACE	buflen indicates buf is too small for the catenation
+ *				of the path with the internal template string.
+ */
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp);
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp);
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp);
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp);
+/*!<
+ * \brief Create and open a file with a unique name based on 'templet'.
+ *	isc_file_bopen*() open the file in binary mode in Windows.
+ *	isc_file_open*() open the file in text mode in Windows.
+ *
+ * Notes:
+ *\li	'template' is a reserved work in C++.  If you want to complain
+ *	about the spelling of 'templet', first look it up in the
+ *	Merriam-Webster English dictionary. (http://www.m-w.com/)
+ *
+ *\li	This function works by using the template to generate file names.
+ *	The template must be a writable string, as it is modified in place.
+ *	Trailing X characters in the file name (full file name on Unix,
+ *	basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
+ *	are replaced with ASCII characters until a non-existent filename
+ *	is found.  If the template does not include pathname information,
+ *	the files in the working directory of the program are searched.
+ *
+ *\li	isc_file_mktemplate is a good, portable way to get a template.
+ *
+ * Requires:
+ *\li	'fp' is non-NULL and '*fp' is NULL.
+ *
+ *\li	'template' is non-NULL, and of a form suitable for use by
+ *	the system as described above.
+ *
+ * Ensures:
+ *\li	If result is #ISC_R_SUCCESS:
+ *		*fp points to an stream opening in stdio's "w+" mode.
+ *
+ *\li	If result is not #ISC_R_SUCCESS:
+ *		*fp is NULL.
+ *
+ *		No file is open.  Even if one was created (but unable
+ *		to be reopened as a stdio FILE pointer) then it has been
+ *		removed.
+ *
+ *\li	This function does *not* ensure that the template string has not been
+ *	modified, even if the operation was unsuccessful.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success.
+ *\li	#ISC_R_EXISTS
+ *		No file with a unique name could be created based on the
+ *		template.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_NOPERM
+ *		The file could not be created because permission was denied
+ *		to some part of the file's path.
+ *\li	#ISC_R_IOERROR
+ *		Hardware error interacting with the filesystem.
+ *\li	#ISC_R_UNEXPECTED
+ *		Something totally unexpected happened.
+ */
+
+isc_result_t
+isc_file_remove(const char *filename);
+/*!<
+ * \brief Remove the file named by 'filename'.
+ */
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname);
+/*!<
+ * \brief Rename the file 'oldname' to 'newname'.
+ */
+
+bool
+isc_file_exists(const char *pathname);
+/*!<
+ * \brief Return #true if the calling process can tell that the given file exists.
+ * Will not return true if the calling process has insufficient privileges
+ * to search the entire path.
+ */
+
+bool
+isc_file_isabsolute(const char *filename);
+/*!<
+ * \brief Return #true if the given file name is absolute.
+ */
+
+isc_result_t
+isc_file_isplainfile(const char *name);
+
+isc_result_t
+isc_file_isplainfilefd(int fd);
+/*!<
+ * \brief Check that the file is a plain file
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success. The file is a plain file.
+ *\li	#ISC_R_INVALIDFILE
+ *		The path specified was not usable by the operating system.
+ *\li	#ISC_R_FILENOTFOUND
+ *		The file does not exist. This return code comes from
+ *		errno=ENOENT when stat returns -1. This code is mentioned
+ *		here, because in logconf.c, it is the one rcode that is
+ *		permitted in addition to ISC_R_SUCCESS. This is done since
+ *		the next call in logconf.c is to isc_stdio_open(), which
+ *		will create the file if it can.
+ *\li	other ISC_R_* errors translated from errno
+ *		These occur when stat returns -1 and an errno.
+ */
+
+isc_result_t
+isc_file_isdirectory(const char *name);
+/*!<
+ * \brief Check that 'name' exists and is a directory.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *		Success, file is a directory.
+ *\li	#ISC_R_INVALIDFILE
+ *		File is not a directory.
+ *\li	#ISC_R_FILENOTFOUND
+ *		File does not exist.
+ *\li	other ISC_R_* errors translated from errno
+ *		These occur when stat returns -1 and an errno.
+ */
+
+bool
+isc_file_iscurrentdir(const char *filename);
+/*!<
+ * \brief Return #true if the given file name is the current directory (".").
+ */
+
+bool
+isc_file_ischdiridempotent(const char *filename);
+/*%<
+ * Return #true if calling chdir(filename) multiple times will give
+ * the same result as calling it once.
+ */
+
+const char *
+isc_file_basename(const char *filename);
+/*%<
+ * Return the final component of the path in the file name.
+ */
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen);
+/*!<
+ * \brief Given an operating system specific file name "filename"
+ * referring to a program, return the canonical program name.
+ *
+ * Any directory prefix or executable file name extension (if
+ * used on the OS in case) is stripped.  On systems where program
+ * names are case insensitive, the name is canonicalized to all
+ * lower case.  The name is written to 'buf', an array of 'buflen'
+ * chars, and null terminated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE 	The name did not fit in 'buf'.
+ */
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen);
+/*%<
+ * Create an OS specific template using 'path' to define the directory
+ * 'templet' to describe the filename and store the result in 'buf'
+ * such that path can be renamed to buf atomically.
+ */
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet);
+/*%<
+ * Rename 'file' using 'templet' as a template for the new file name.
+ */
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
+/*%<
+ * Given a file name, return the fully qualified path to the file.
+ */
+
+/*
+ * XXX We should also have a isc_file_writeeopen() function
+ * for safely open a file in a publicly writable directory
+ * (see write_open() in BIND 8's ns_config.c).
+ */
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size);
+/*%<
+ * Truncate/extend the file specified to 'size' bytes.
+ */
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp);
+/*%<
+ * Open 'filename' for writing, truncating if necessary.  Ensure that
+ * if it existed it was a normal file.  If creating the file, ensure
+ * that only the owner can read/write it.
+ */
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path,
+		   char **dirname, char const **basename);
+/*%<
+ * Split a path into dirname and basename.  If 'path' contains no slash
+ * (or, on windows, backslash), then '*dirname' is set to ".".
+ *
+ * Allocates memory for '*dirname', which can be freed with isc_mem_free().
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_INVALIDFILE if 'path' is empty or ends with '/'
+ * - ISC_R_NOMEMORY if unable to allocate memory
+ */
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size);
+/*%<
+ * Return the size of the file (stored in the parameter pointed
+ * to by 'size') in bytes.
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ */
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size);
+/*%<
+ * Return the size of the file (stored in the parameter pointed
+ * to by 'size') in bytes.
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ */
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot,
+	      int flags, int fd, off_t offset);
+/*%<
+ * Portable front-end to mmap().  If mmap() is not defined on this
+ * platform, then we simulate it by calling malloc() and read().
+ * (In this event, the addr, prot, and flags parameters are ignored).
+ */
+
+int
+isc_file_munmap(void *addr, size_t len);
+/*%<
+ * Portable front-end to munmap().  If munmap() is not defined on
+ * this platform, then we simply free the memory.
+ */
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length);
+/*%<
+ * Generate a sanitized filename, such as for MKEYS or NZF files.
+ *
+ * Historically, MKEYS and NZF files used SHA256 hashes of the view
+ * name for the filename; this was to deal with the possibility of
+ * forbidden characters such as "/" being in a view name, and to
+ * avoid problems with case-insensitive file systems.
+ *
+ * Given a basename 'base' and an extension 'ext', this function checks
+ * for the existence of file using the old-style name format in directory
+ * 'dir'. If found, it returns the path to that file.  If there is no
+ * file already in place, a new pathname is generated; if the basename
+ * contains any excluded characters, then a truncated SHA256 hash is
+ * used, otherwise the basename is used.  The path name is copied
+ * into 'path', which must point to a buffer of at least 'length'
+ * bytes.
+ *
+ * Requires:
+ * - base != NULL
+ * - path != NULL
+ *
+ * Returns:
+ * - ISC_R_SUCCESS on success
+ * - ISC_R_NOSPACE if the resulting path would be longer than 'length'
+ */
+
+bool
+isc_file_isdirwritable(const char *path);
+/*%<
+ *	Return true if the path is a directory and is writable
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FILE_H */
diff --git a/lib/isc/include/isc/formatcheck.h b/lib/isc/include/isc/formatcheck.h
new file mode 100644
index 0000000..162c16e
--- /dev/null
+++ b/lib/isc/include/isc/formatcheck.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_FORMATCHECK_H
+#define ISC_FORMATCHECK_H 1
+
+/*! \file isc/formatcheck.h */
+
+/*%
+ * ISC_FORMAT_PRINTF().
+ *
+ * \li fmt is the location of the format string parameter.
+ * \li args is the location of the first argument (or 0 for no argument checking).
+ *
+ * Note:
+ * \li The first parameter is 1, not 0.
+ */
+#ifdef __GNUC__
+#define ISC_FORMAT_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
+#else
+#define ISC_FORMAT_PRINTF(fmt, args)
+#endif
+
+#endif /* ISC_FORMATCHECK_H */
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
new file mode 100644
index 0000000..d842aaf
--- /dev/null
+++ b/lib/isc/include/isc/fsaccess.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_FSACCESS_H
+#define ISC_FSACCESS_H 1
+
+/*! \file isc/fsaccess.h
+ * \brief The ISC filesystem access module encapsulates the setting of file
+ * and directory access permissions into one API that is meant to be
+ * portable to multiple operating systems.
+ *
+ * The two primary operating system flavors that are initially accommodated
+ * are POSIX and Windows NT 4.0 and later.  The Windows NT access model is
+ * considerable more flexible than POSIX's model (as much as I am loathe to
+ * admit it), and so the ISC API has a higher degree of complexity than would
+ * be needed to simply address POSIX's needs.
+ *
+ * The full breadth of NT's flexibility is not available either, for the
+ * present time.  Much of it is to provide compatibility with what Unix
+ * programmers are expecting.  This is also due to not yet really needing all
+ * of the functionality of an NT system (or, for that matter, a POSIX system)
+ * in BIND9, and so resolving how to handle the various incompatibilities has
+ * been a purely theoretical exercise with no operational experience to
+ * indicate how flawed the thinking may be.
+ *
+ * Some of the more notable dumbing down of NT for this API includes:
+ *
+ *\li   Each of FILE_READ_DATA and FILE_READ_EA are set with #ISC_FSACCESS_READ.
+ *
+ * \li  All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
+ *     set with #ISC_FSACCESS_WRITE.  FILE_WRITE_ATTRIBUTES is not set
+ *     so as to be consistent with Unix, where only the owner of the file
+ *     or the superuser can change the attributes/mode of a file.
+ *
+ * \li  Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
+ *     #ISC_FSACCESS_CREATECHILD.  This is similar to setting the WRITE
+ *     permission on a Unix directory.
+ *
+ * \li  SYNCHRONIZE is always set for files and directories, unless someone
+ *     can give me a reason why this is a bad idea.
+ *
+ * \li  READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
+ *     consistent with Unix, where any file or directory can be stat()'d
+ *     unless the directory path disallows complete access somewhere along
+ *     the way.
+ *
+ * \li  WRITE_DAC is only set for the owner.  This too is consistent with
+ *     Unix, and is tighter security than allowing anyone else to be
+ *     able to set permissions.
+ *
+ * \li  DELETE is only set for the owner.  On Unix the ability to delete
+ *     a file is controlled by the directory permissions, but it isn't
+ *     currently clear to me what happens on NT if the directory has
+ *     FILE_DELETE_CHILD set but a file within it does not have DELETE
+ *     set.  Always setting DELETE on the file/directory for the owner
+ *     gives maximum flexibility to the owner without exposing the
+ *     file to deletion by others.
+ *
+ * \li  WRITE_OWNER is never set.  This too is consistent with Unix,
+ *     and is also tighter security than allowing anyone to change the
+ *     ownership of the file apart from the superu..ahem, Administrator.
+ *
+ * \li  Inheritance is set to NO_INHERITANCE.
+ *
+ * Unix's dumbing down includes:
+ *
+ * \li  The sticky bit cannot be set.
+ *
+ * \li  setuid and setgid cannot be set.
+ *
+ * \li  Only regular files and directories can be set.
+ *
+ * The rest of this comment discusses a few of the incompatibilities
+ * between the two systems that need more thought if this API is to
+ * be extended to accommodate them.
+ *
+ * The Windows standard access right "DELETE" doesn't have a direct
+ * equivalent in the Unix world, so it isn't clear what should be done
+ * with it.
+ *
+ * The Unix sticky bit is not supported.  While NT does have a concept
+ * of allowing users to create files in a directory but not delete or
+ * rename them, it does not have a concept of allowing them to be deleted
+ * if they are owned by the user trying to delete/rename.  While it is
+ * probable that something could be cobbled together in NT 5 with inheritance,
+ * it can't really be done in NT 4 as a single property that you could
+ * set on a directory.  You'd need to coordinate something with file creation
+ * so that every file created had DELETE set for the owner but noone else.
+ *
+ * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
+ * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
+ *      sets WRITE.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
+ *
+ * On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
+ * ... setting #ISC_FSACCESS_CREATECHILD sets FILE_CREATE_CHILD independently.
+ * ... setting #ISC_FSACCESS_DELETECHILD sets FILE_DELETE_CHILD independently.
+ * ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
+ *
+ * Unresolved:							XXXDCL
+ * \li  What NT access right controls the ability to rename a file?
+ * \li  How does DELETE work?  If a directory has FILE_DELETE_CHILD but a
+ *      file or directory within it does not have DELETE, is that file
+ *	or directory deletable?
+ * \li  To implement isc_fsaccess_get(), mapping an existing Unix permission
+ * 	mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
+ *	an NT DACL could be impossible to do in a responsible way.
+ * \li  Similarly, trying to implement the functionality of being able to
+ *	say "add group writability to whatever permissions already exist"
+ *	could be tricky on NT because of the order-of-entry issue combined
+ *	with possibly having one or more matching ACEs already explicitly
+ *	granting or denying access.  Because this functionality is
+ *	not yet needed by the ISC, no code has been written to try to
+ * 	solve this problem.
+ */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Trustees.
+ */
+#define ISC_FSACCESS_OWNER	0x1 /*%< User account. */
+#define ISC_FSACCESS_GROUP	0x2 /*%< Primary group owner. */
+#define ISC_FSACCESS_OTHER	0x4 /*%< Not the owner or the group owner. */
+#define ISC_FSACCESS_WORLD	0x7 /*%< User, Group, Other. */
+
+/*
+ * Types of permission.
+ */
+#define ISC_FSACCESS_READ		0x00000001 /*%< File only. */
+#define ISC_FSACCESS_WRITE		0x00000002 /*%< File only. */
+#define ISC_FSACCESS_EXECUTE		0x00000004 /*%< File only. */
+#define ISC_FSACCESS_CREATECHILD	0x00000008 /*%< Dir only. */
+#define ISC_FSACCESS_DELETECHILD	0x00000010 /*%< Dir only. */
+#define ISC_FSACCESS_LISTDIRECTORY	0x00000020 /*%< Dir only. */
+#define ISC_FSACCESS_ACCESSCHILD	0x00000040 /*%< Dir only. */
+
+/*%
+ * Adding any permission bits beyond 0x200 would mean typedef'ing
+ * isc_fsaccess_t as uint64_t, and redefining this value to
+ * reflect the new range of permission types, Probably to 21 for
+ * maximum flexibility.  The number of bits has to accommodate all of
+ * the permission types, and three full sets of them have to fit
+ * within an isc_fsaccess_t.
+ */
+#define ISC__FSACCESS_PERMISSIONBITS 10
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access);
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access);
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FSACCESS_H */
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
new file mode 100644
index 0000000..fd558f7
--- /dev/null
+++ b/lib/isc/include/isc/hash.h
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_HASH_H
+#define ISC_HASH_H 1
+
+#include <stdbool.h>
+
+#include <isc/deprecated.h>
+#include <isc/types.h>
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/hash.h
+ *
+ * \brief The hash API
+ *	provides an unpredictable hash value for variable length data.
+ *	A hash object contains a random vector (which is hidden from clients
+ *	of this API) to make the actual hash value unpredictable.
+ *
+ *	The algorithm used in the API guarantees the probability of hash
+ *	collision; in the current implementation, as long as the values stored
+ *	in the random vector are unpredictable, the probability of hash
+ *	collision between arbitrary two different values is at most 1/2^16.
+ *
+ *	Although the API is generic about the hash keys, it mainly expects
+ *	DNS names (and sometimes IPv4/v6 addresses) as inputs.  It has an
+ *	upper limit of the input length, and may run slow to calculate the
+ *	hash values for large inputs.
+ *
+ *	This API is designed to be general so that it can provide multiple
+ *	different hash contexts that have different random vectors.  However,
+ *	it should be typical to have a single context for an entire system.
+ *	To support such cases, the API also provides a single-context mode.
+ *
+ * \li MP:
+ *	The hash object is almost read-only.  Once the internal random vector
+ *	is initialized, no write operation will occur, and there will be no
+ *	need to lock the object to calculate actual hash values.
+ *
+ * \li Reliability:
+ *	In some cases this module uses low-level data copy to initialize the
+ *	random vector.  Errors in this part are likely to crash the server or
+ *	corrupt memory.
+ *
+ * \li Resources:
+ *	A buffer, used as a random vector for calculating hash values.
+ *
+ * \li Security:
+ *	This module intends to provide unpredictable hash values in
+ *	adversarial environments in order to avoid denial of service attacks
+ *	to hash buckets.
+ *	Its unpredictability relies on the quality of entropy to build the
+ *	random vector.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/types.h>
+
+/***
+ *** Functions
+ ***/
+ISC_LANG_BEGINDECLS
+
+LIBISC_EXTERNAL_DATA extern isc_hash_t *isc_hashctx;
+
+isc_result_t
+isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit,
+		   isc_hash_t **hctx);
+isc_result_t
+isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
+/*!<
+ * \brief Create a new hash object.
+ *
+ * isc_hash_ctxcreate() creates a different object.
+ *
+ * isc_hash_create() creates a module-internal object to support the
+ * single-context mode.  It should be called only once.
+ *
+ * 'entropy' must be NULL or a valid entropy object.  If 'entropy' is NULL,
+ * pseudo random values will be used to build the random vector, which may
+ * weaken security.
+ *
+ * 'limit' specifies the maximum number of hash keys.  If it is too large,
+ * these functions may fail.
+ */
+
+void
+isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp)
+	ISC_DEPRECATED;
+/*!<
+ * \brief Attach to a hash object.
+ *
+ * This function is only necessary for the multiple-context mode.
+ */
+
+void
+isc_hash_ctxdetach(isc_hash_t **hctxp)
+	ISC_DEPRECATED;
+/*!<
+ * \brief Detach from a hash object.
+ *
+ * This function  is for the multiple-context mode, and takes a valid
+ * hash object as an argument.
+ */
+
+void
+isc_hash_destroy(void);
+/*!<
+ * \brief This function is for the single-context mode, and is expected to be used
+ * as a counterpart of isc_hash_create().
+ *
+ * A valid module-internal hash object must have been created, and this
+ * function should be called only once.
+ */
+
+/*@{*/
+void
+isc_hash_ctxinit(isc_hash_t *hctx);
+void
+isc_hash_init(void);
+/*!<
+ * \brief Initialize a hash object.
+ *
+ * It fills in the random vector with a proper
+ * source of entropy, which is typically from the entropy object specified
+ * at the creation.  Thus, it is desirable to call these functions after
+ * initializing the entropy object with some good entropy sources.
+ *
+ * These functions should be called before the first hash calculation.
+ *
+ * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
+ * object as an argument.
+ *
+ * isc_hash_init() is for the single-context mode.  A valid module-internal
+ * hash object must have been created, and this function should be called only
+ * once.
+ */
+/*@}*/
+
+/*@{*/
+unsigned int
+isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
+		 unsigned int keylen, bool case_sensitive)
+	ISC_DEPRECATED;
+unsigned int
+isc_hash_calc(const unsigned char *key, unsigned int keylen,
+	      bool case_sensitive)
+	ISC_DEPRECATED;
+/*!<
+ * \brief Calculate a hash value.
+ *
+ * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
+ * object as an argument.
+ *
+ * isc_hash_init() is for the single-context mode.  A valid module-internal
+ * hash object must have been created.
+ *
+ * 'key' is the hash key, which is a variable length buffer.
+ *
+ * 'keylen' specifies the key length, which must not be larger than the limit
+ * specified for the corresponding hash object.
+ *
+ * 'case_sensitive' specifies whether the hash key should be treated as
+ * case_sensitive values.  It should typically be false if the hash key
+ * is a DNS name.
+ */
+/*@}*/
+
+void
+isc__hash_setvec(const uint16_t *vec)
+	ISC_DEPRECATED;
+
+/*!<
+ * \brief Set the contents of the random vector used in hashing.
+ *
+ * WARNING: This function is meant to be used only in testing code. It
+ * must not be used anywhere in normally running code.
+ *
+ * The hash context must have been created beforehand, otherwise this
+ * function is a nop.
+ *
+ * 'vec' is not documented here on purpose. You should know what you are
+ * doing before using this function.
+ */
+
+const void *
+isc_hash_get_initializer(void);
+
+void
+isc_hash_set_initializer(const void *initializer);
+
+uint32_t
+isc_hash_function(const void *data, size_t length,
+		  bool case_sensitive,
+		  const uint32_t *previous_hashp);
+uint32_t
+isc_hash_function_reverse(const void *data, size_t length,
+			  bool case_sensitive,
+			  const uint32_t *previous_hashp);
+/*!<
+ * \brief Calculate a hash over data.
+ *
+ * This hash function is useful for hashtables. The hash function is
+ * opaque and not important to the caller. The returned hash values are
+ * non-deterministic and will have different mapping every time a
+ * process using this library is run, but will have uniform
+ * distribution.
+ *
+ * isc_hash_function() calculates the hash from start to end over the
+ * input data. isc_hash_function_reverse() calculates the hash from the
+ * end to the start over the input data. The difference in order is
+ * useful in incremental hashing; for example, a previously hashed
+ * value for 'com' can be used as input when hashing 'example.com'.
+ *
+ * This is a new variant of isc_hash_calc() and will supercede
+ * isc_hash_calc() eventually.
+ *
+ * 'data' is the data to be hashed.
+ *
+ * 'length' is the size of the data to be hashed.
+ *
+ * 'case_sensitive' specifies whether the hash key should be treated as
+ * case_sensitive values.  It should typically be false if the hash key
+ * is a DNS name.
+ *
+ * 'previous_hashp' is a pointer to a previous hash value returned by
+ * this function. It can be used to perform incremental hashing. NULL
+ * must be passed during first calls.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HASH_H */
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
new file mode 100644
index 0000000..747287b
--- /dev/null
+++ b/lib/isc/include/isc/heap.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_HEAP_H
+#define ISC_HEAP_H 1
+
+/*! \file isc/heap.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * The comparison function returns true if the first argument has
+ * higher priority than the second argument, and false otherwise.
+ */
+typedef bool (*isc_heapcompare_t)(void *, void *);
+
+/*%
+ * The index function allows the client of the heap to receive a callback
+ * when an item's index number changes.  This allows it to maintain
+ * sync with its external state, but still delete itself, since deletions
+ * from the heap require the index be provided.
+ */
+typedef void (*isc_heapindex_t)(void *, unsigned int);
+
+/*%
+ * The heapaction function is used when iterating over the heap.
+ *
+ * NOTE:  The heap structure CANNOT BE MODIFIED during the call to
+ * isc_heap_foreach().
+ */
+typedef void (*isc_heapaction_t)(void *, void *);
+
+typedef struct isc_heap isc_heap_t;
+
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+		isc_heapindex_t index, unsigned int size_increment,
+		isc_heap_t **heapp);
+/*!<
+ * \brief Create a new heap.  The heap is implemented using a space-efficient
+ * storage method.  When the heap elements are deleted space is not freed
+ * but will be reused when new elements are inserted.
+ *
+ * Heap elements are indexed from 1.
+ *
+ * Requires:
+ *\li	"mctx" is valid.
+ *\li	"compare" is a function which takes two void * arguments and
+ *	returns true if the first argument has a higher priority than
+ *	the second, and false otherwise.
+ *\li	"index" is a function which takes a void *, and an unsigned int
+ *	argument.  This function will be called whenever an element's
+ *	index value changes, so it may continue to delete itself from the
+ *	heap.  This option may be NULL if this functionality is unneeded.
+ *\li	"size_increment" is a hint about how large the heap should grow
+ *	when resizing is needed.  If this is 0, a default size will be
+ *	used, which is currently 1024, allowing space for an additional 1024
+ *	heap elements to be inserted before adding more space.
+ *\li	"heapp" is not NULL, and "*heap" is NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS		- success
+ *\li	ISC_R_NOMEMORY		- insufficient memory
+ */
+
+void
+isc_heap_destroy(isc_heap_t **heapp);
+/*!<
+ * \brief Destroys a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt);
+/*!<
+ * \brief Inserts a new element into a heap.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ */
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Deletes an element from a heap, by element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has increased.
+ * This function MUST be called whenever an element has increased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Indicates to the heap that an element's priority has decreased.
+ * This function MUST be called whenever an element has decreased in priority.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ */
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int index);
+/*!<
+ * \brief Returns the element for a specific element index.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"index" is a valid element index, as provided by the "index" callback
+ *	provided during heap creation.
+ *
+ * Returns:
+ *\li	A pointer to the element for the element index.
+ */
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap);
+/*!<
+ * \brief Iterate over the heap, calling an action for each element.  The
+ * order of iteration is not sorted.
+ *
+ * Requires:
+ *\li	"heapp" is not NULL and "*heap" points to a valid isc_heap_t.
+ *\li	"action" is not NULL, and is a function which takes two arguments.
+ *	The first is a void *, representing the element, and the second is
+ *	"uap" as provided to isc_heap_foreach.
+ *\li	"uap" is a caller-provided argument, and may be NULL.
+ *
+ * Note:
+ *\li	The heap structure CANNOT be modified during this iteration.  The only
+ *	safe function to call while iterating the heap is isc_heap_element().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEAP_H */
diff --git a/lib/isc/include/isc/hex.h b/lib/isc/include/isc/hex.h
new file mode 100644
index 0000000..3e09e59
--- /dev/null
+++ b/lib/isc/include/isc/hex.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_HEX_H
+#define ISC_HEX_H 1
+
+/*! \file isc/hex.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength,
+	       const char *wordbreak, isc_buffer_t *target);
+/*!<
+ * \brief Convert data into hex encoded text.
+ *
+ * Notes:
+ *\li	The hex encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the hex encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated hex string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *		isc_lex_create(),
+ *		isc_lex_openbuffer(),
+ *		isc_hex_tobuffer().
+ */
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert hex encoded text from a lexer context into data.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the hex encoded
+ *	string parsed by the lexer.  No more than length bytes will be read,
+ *	if length is positive.  The 'used' pointer in target will be
+ *	advanced as necessary.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEX_H */
diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
new file mode 100644
index 0000000..ca2ec56
--- /dev/null
+++ b/lib/isc/include/isc/hmacmd5.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/hmacmd5.h
+ * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
+ * described in RFC2104.
+ */
+
+#ifndef ISC_HMACMD5_H
+#define ISC_HMACMD5_H 1
+
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/md5.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_HMACMD5_KEYLENGTH 64
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/opensslv.h>
+#include <openssl/hmac.h>
+
+typedef struct {
+	HMAC_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	HMAC_CTX _ctx;
+#endif
+} isc_hmacmd5_t;
+
+#elif PKCS11CRYPTO
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_hmacmd5_t;
+
+#else
+
+typedef struct {
+	isc_md5_t md5ctx;
+	unsigned char key[ISC_HMACMD5_KEYLENGTH];
+} isc_hmacmd5_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+		 unsigned int len);
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx);
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+		   unsigned int len);
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest);
+
+bool
+isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
+
+bool
+isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacmd5_check(int testing);
+
+ISC_LANG_ENDDECLS
+
+#endif /* !PK11_MD5_DISABLE */
+
+#endif /* ISC_HMACMD5_H */
diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h
new file mode 100644
index 0000000..3c80fba
--- /dev/null
+++ b/lib/isc/include/isc/hmacsha.h
@@ -0,0 +1,185 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/hmacsha.h
+ * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ * HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
+ */
+
+#ifndef ISC_HMACSHA_H
+#define ISC_HMACSHA_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/types.h>
+
+#define ISC_HMACSHA1_KEYLENGTH ISC_SHA1_BLOCK_LENGTH
+#define ISC_HMACSHA224_KEYLENGTH ISC_SHA224_BLOCK_LENGTH
+#define ISC_HMACSHA256_KEYLENGTH ISC_SHA256_BLOCK_LENGTH
+#define ISC_HMACSHA384_KEYLENGTH ISC_SHA384_BLOCK_LENGTH
+#define ISC_HMACSHA512_KEYLENGTH ISC_SHA512_BLOCK_LENGTH
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/opensslv.h>
+#include <openssl/hmac.h>
+
+typedef struct {
+	HMAC_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	HMAC_CTX _ctx;
+#endif
+} isc_hmacsha_t;
+
+typedef isc_hmacsha_t isc_hmacsha1_t;
+typedef isc_hmacsha_t isc_hmacsha224_t;
+typedef isc_hmacsha_t isc_hmacsha256_t;
+typedef isc_hmacsha_t isc_hmacsha384_t;
+typedef isc_hmacsha_t isc_hmacsha512_t;
+
+#elif PKCS11CRYPTO
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_hmacsha1_t;
+typedef pk11_context_t isc_hmacsha224_t;
+typedef pk11_context_t isc_hmacsha256_t;
+typedef pk11_context_t isc_hmacsha384_t;
+typedef pk11_context_t isc_hmacsha512_t;
+
+#else
+
+typedef struct {
+	isc_sha1_t sha1ctx;
+	unsigned char key[ISC_HMACSHA1_KEYLENGTH];
+} isc_hmacsha1_t;
+
+typedef struct {
+	isc_sha224_t sha224ctx;
+	unsigned char key[ISC_HMACSHA224_KEYLENGTH];
+} isc_hmacsha224_t;
+
+typedef struct {
+	isc_sha256_t sha256ctx;
+	unsigned char key[ISC_HMACSHA256_KEYLENGTH];
+} isc_hmacsha256_t;
+
+typedef struct {
+	isc_sha384_t sha384ctx;
+	unsigned char key[ISC_HMACSHA384_KEYLENGTH];
+} isc_hmacsha384_t;
+
+typedef struct {
+	isc_sha512_t sha512ctx;
+	unsigned char key[ISC_HMACSHA512_KEYLENGTH];
+} isc_hmacsha512_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
+		  unsigned int len);
+
+void
+isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx);
+
+void
+isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
+		    unsigned int len);
+
+void
+isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha1_check(int testing);
+
+
+void
+isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx);
+
+void
+isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha224_verify(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx);
+
+void
+isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha256_verify(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx);
+
+void
+isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha384_verify(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len);
+
+
+void
+isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
+		    unsigned int len);
+
+void
+isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx);
+
+void
+isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
+		      unsigned int len);
+
+void
+isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
+
+bool
+isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HMACSHA_H */
diff --git a/lib/isc/include/isc/ht.h b/lib/isc/include/isc/ht.h
new file mode 100644
index 0000000..b36d77f
--- /dev/null
+++ b/lib/isc/include/isc/ht.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#ifndef ISC_HT_H
+#define ISC_HT_H 1
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/types.h>
+#include <isc/result.h>
+
+typedef struct isc_ht isc_ht_t;
+typedef struct isc_ht_iter isc_ht_iter_t;
+
+/*%
+ * Initialize hashtable at *htp, using memory context and size of (1<<bits)
+ *
+ * Requires:
+ *\li	htp is not NULL
+ *\li	*htp is NULL
+ *\li	mctx is a valid memory context
+ *\li	bits >=1 && bits <=32
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+isc_result_t
+isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits);
+
+/*%
+ * Destroy hashtable, freeing everything
+ *
+ * Requires:
+ * \li	*htp is valid hashtable
+ */
+void
+isc_ht_destroy(isc_ht_t **htp);
+
+/*%
+ * Add a node to hashtable, pointed by binary key 'key' of size 'keysize';
+ * set its value to 'value'
+ *
+ * Requires:
+ *\li	ht is a valid hashtable
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_EXISTS		-- node of the same key already exists
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+isc_result_t
+isc_ht_add(isc_ht_t *ht, const unsigned char *key, uint32_t keysize,
+		   void *value);
+
+/*%
+ * Find a node matching 'key'/'keysize' in hashtable 'ht';
+ * if found, set 'value' to its value
+ *
+ * Requires:
+ * \li	'ht' is a valid hashtable
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS		-- success
+ * \li	#ISC_R_NOTFOUND		-- key not found
+ */
+isc_result_t
+isc_ht_find(const isc_ht_t *ht, const unsigned char *key,
+	    uint32_t keysize, void **valuep);
+
+/*%
+ * Delete node from hashtable
+ * Requires:
+ *\li	ht is a valid hashtable
+ *
+ * Returns:
+ *\li	#ISC_R_NOTFOUND		-- key not found
+ *\li	#ISC_R_SUCCESS		-- all is well
+ */
+isc_result_t
+isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize);
+
+/*%
+ * Create an iterator for the hashtable; point '*itp' to it.
+ */
+isc_result_t
+isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp);
+
+/*%
+ * Destroy the iterator '*itp', set it to NULL
+ */
+void
+isc_ht_iter_destroy(isc_ht_iter_t **itp);
+
+/*%
+ * Set an iterator to the first entry.
+ *
+ * Returns:
+ * \li 	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- no data in the hashtable
+ */
+isc_result_t
+isc_ht_iter_first(isc_ht_iter_t *it);
+
+/*%
+ * Set an iterator to the next entry.
+ *
+ * Returns:
+ * \li 	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- end of hashtable reached
+ */
+isc_result_t
+isc_ht_iter_next(isc_ht_iter_t *it);
+
+/*%
+ * Delete current entry and set an iterator to the next entry.
+ *
+ * Returns:
+ * \li 	#ISC_R_SUCCESS	-- success
+ * \li	#ISC_R_NOMORE	-- end of hashtable reached
+ */
+isc_result_t
+isc_ht_iter_delcurrent_next(isc_ht_iter_t *it);
+
+
+/*%
+ * Set 'value' to the current value under the iterator
+ */
+void
+isc_ht_iter_current(isc_ht_iter_t *it, void **valuep);
+
+/*%
+ * Set 'key' and 'keysize to the current key and keysize for the value
+ * under the iterator
+ */
+void
+isc_ht_iter_currentkey(isc_ht_iter_t *it, unsigned char **key, size_t *keysize);
+
+/*%
+ * Returns the number of items in the hashtable.
+ *
+ * Requires:
+ *\li	'ht' is a valid hashtable
+ */
+unsigned int
+isc_ht_count(isc_ht_t *ht);
+#endif
diff --git a/lib/isc/include/isc/httpd.h b/lib/isc/include/isc/httpd.h
new file mode 100644
index 0000000..b02b33e
--- /dev/null
+++ b/lib/isc/include/isc/httpd.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_HTTPD_H
+#define ISC_HTTPD_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/types.h>
+#include <isc/mutex.h>
+#include <isc/task.h>
+#include <isc/time.h>
+
+/*%
+ * HTTP urls.  These are the URLs we manage, and the function to call to
+ * provide the data for it.  We pass in the base url (so the same function
+ * can handle multiple requests), and a structure to fill in to return a
+ * result to the client.  We also pass in a pointer to be filled in for
+ * the data cleanup function.
+ */
+struct isc_httpdurl {
+	char			       *url;
+	isc_httpdaction_t	       *action;
+	void			       *action_arg;
+	bool			isstatic;
+	isc_time_t			loadtime;
+	ISC_LINK(isc_httpdurl_t)	link;
+};
+
+#define HTTPD_EVENTCLASS		ISC_EVENTCLASS(4300)
+#define HTTPD_SHUTDOWN			(HTTPD_EVENTCLASS + 0x0001)
+
+#define ISC_HTTPDMGR_FLAGSHUTTINGDOWN	0x00000001
+
+/*
+ * Create a new http daemon which will send, once every time period,
+ * a http-like header followed by HTTP data.
+ */
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t *client_ok,
+		    isc_httpdondestroy_t *ondestory, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp);
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdp);
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg);
+
+isc_result_t
+isc_httpdmgr_addurl2(isc_httpdmgr_t *httpdmgr, const char *url,
+		     bool isstatic,
+		     isc_httpdaction_t *func, void *arg);
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd);
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+		    const char *val);
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val);
+
+isc_result_t isc_httpd_endheaders(isc_httpd_t *httpd);
+
+void
+isc_httpd_setfinishhook(void (*fn)(void));
+
+#endif /* ISC_HTTPD_H */
diff --git a/lib/isc/include/isc/int.h b/lib/isc/include/isc/int.h
new file mode 100644
index 0000000..9bf3066
--- /dev/null
+++ b/lib/isc/include/isc/int.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+/*! \file */
+
+#include <inttypes.h>
+
+typedef int8_t				isc_int8_t;
+typedef	uint8_t				isc_uint8_t;
+typedef int16_t				isc_int16_t;
+typedef uint16_t			isc_uint16_t;
+typedef int32_t				isc_int32_t;
+typedef uint32_t			isc_uint32_t;
+typedef int64_t				isc_int64_t;
+typedef uint64_t			isc_uint64_t;
+
+#define ISC_INT8_MIN	INT8_MIN
+#define ISC_INT8_MAX	INT8_MAX
+#define ISC_UINT8_MAX	UINT8_MAX
+
+#define ISC_INT16_MIN	INT16_MIN
+#define ISC_INT16_MAX	INT16_MAX
+#define ISC_UINT16_MAX	UINT16_MAX
+
+#define ISC_INT32_MIN	INT32_MIN
+#define ISC_INT32_MAX	INT32_MAX
+#define ISC_UINT32_MAX	UINT32_MAX
+
+#define ISC_INT64_MIN	INT64_MIN
+#define ISC_INT64_MAX	INT64_MAX
+#define ISC_UINT64_MAX	UINT64_MAX
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
new file mode 100644
index 0000000..2ef82a3
--- /dev/null
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_INTERFACEITER_H
+#define ISC_INTERFACEITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/interfaceiter.h
+ * \brief Iterates over the list of network interfaces.
+ *
+ * Interfaces whose address family is not supported are ignored and never
+ * returned by the iterator.  Interfaces whose netmask, interface flags,
+ * or similar cannot be obtained are also ignored, and the failure is logged.
+ *
+ * Standards:
+ *	The API for scanning varies greatly among operating systems.
+ *	This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/netaddr.h>
+#include <isc/types.h>
+
+/*!
+ * \brief Public structure describing a network interface.
+ */
+
+struct isc_interface {
+	char name[32];			/*%< Interface name, null-terminated. */
+	unsigned int af;		/*%< Address family. */
+	isc_netaddr_t address;		/*%< Local address. */
+	isc_netaddr_t netmask;		/*%< Network mask. */
+	isc_netaddr_t dstaddress; 	/*%< Destination address (point-to-point only). */
+	uint32_t flags;		/*%< Flags; see INTERFACE flags. */
+};
+
+/*@{*/
+/*! Interface flags. */
+
+#define INTERFACE_F_UP			0x00000001U
+#define INTERFACE_F_POINTTOPOINT	0x00000002U
+#define INTERFACE_F_LOOPBACK		0x00000004U
+/*@}*/
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
+/*!<
+ * \brief Create an iterator for traversing the operating system's list
+ * of network interfaces.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ *\li	Various network-related errors
+ */
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter);
+/*!<
+ * \brief Position the iterator on the first interface.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no interfaces.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter,
+			  isc_interface_t *ifdata);
+/*!<
+ * \brief Get information about the interface the iterator is currently
+ * positioned at and store it at *ifdata.
+ *
+ * Requires:
+ *\li 	The iterator has been successfully positioned using
+ * 	isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ */
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter);
+/*!<
+ * \brief Position the iterator on the next interface.
+ *
+ * Requires:
+ * \li	The iterator has been successfully positioned using
+ * 	isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOMORE		There are no more interfaces.
+ */
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
+/*!<
+ * \brief Destroy the iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_INTERFACEITER_H */
diff --git a/lib/isc/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h
new file mode 100644
index 0000000..93852d0
--- /dev/null
+++ b/lib/isc/include/isc/ipv6.h
@@ -0,0 +1,142 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: ipv6.h,v 1.24 2007/06/19 23:47:18 tbox Exp $ */
+
+#ifndef ISC_IPV6_H
+#define ISC_IPV6_H 1
+
+/*!
+ * Also define LWRES_IPV6_H to keep it from being included if liblwres is
+ * being used, or redefinition errors will occur.
+ */
+#define LWRES_IPV6_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/ipv6.h
+ * \brief IPv6 definitions for systems which do not support IPv6.
+ *
+ * \li MP:
+ *	No impact.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	N/A.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	RFC2553.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <inttypes.h>
+#include <isc/platform.h>
+
+/***
+ *** Types.
+ ***/
+
+struct in6_addr {
+	union {
+		uint8_t	_S6_u8[16];
+		uint16_t	_S6_u16[8];
+		uint32_t	_S6_u32[4];
+	} _S6_un;
+};
+#define s6_addr		_S6_un._S6_u8
+#define s6_addr8	_S6_un._S6_u8
+#define s6_addr16	_S6_un._S6_u16
+#define s6_addr32	_S6_un._S6_u32
+
+#define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+#define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
+
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
+
+struct sockaddr_in6 {
+#ifdef ISC_PLATFORM_HAVESALEN
+	uint8_t		sin6_len;
+	uint8_t		sin6_family;
+#else
+	uint16_t		sin6_family;
+#endif
+	uint16_t		sin6_port;
+	uint32_t		sin6_flowinfo;
+	struct in6_addr		sin6_addr;
+	uint32_t		sin6_scope_id;
+};
+
+#ifdef ISC_PLATFORM_HAVESALEN
+#define SIN6_LEN 1
+#endif
+
+/*%
+ * Unspecified
+ */
+#define IN6_IS_ADDR_UNSPECIFIED(a)      \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == 0))
+
+/*%
+ * Loopback
+ */
+#define IN6_IS_ADDR_LOOPBACK(a)         \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == htonl(1)))
+
+/*%
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a)         \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] != 0) &&    \
+	 ((a)->s6_addr32[3] != htonl(1)))
+
+/*%
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a)               \
+	(((a)->s6_addr32[0] == 0) &&          \
+	 ((a)->s6_addr32[1] == 0) &&          \
+	 ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+
+/*%
+ * Multicast
+ */
+#define IN6_IS_ADDR_MULTICAST(a)	\
+	((a)->s6_addr8[0] == 0xffU)
+
+/*%
+ * Unicast link / site local.
+ */
+#define IN6_IS_ADDR_LINKLOCAL(a)	\
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#define IN6_IS_ADDR_SITELOCAL(a)	\
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+
+#endif /* ISC_IPV6_H */
diff --git a/lib/isc/include/isc/iterated_hash.h b/lib/isc/include/isc/iterated_hash.h
new file mode 100644
index 0000000..a43ae69
--- /dev/null
+++ b/lib/isc/include/isc/iterated_hash.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ITERATED_HASH_H
+#define ISC_ITERATED_HASH_H 1
+
+#include <isc/lang.h>
+#include <isc/sha1.h>
+
+/*
+ * The maximal hash length that can be encoded in a name
+ * using base32hex.  floor(255/8)*5
+ */
+#define NSEC3_MAX_HASH_LENGTH 155
+
+/*
+ * The maximum has that can be encoded in a single label using
+ * base32hex.  floor(63/8)*5
+ */
+#define NSEC3_MAX_LABEL_HASH 35
+
+ISC_LANG_BEGINDECLS
+
+int isc_iterated_hash(unsigned char out[NSEC3_MAX_HASH_LENGTH],
+		      unsigned int hashalg, int iterations,
+		      const unsigned char *salt, int saltlength,
+		      const unsigned char *in, int inlength);
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ITERATED_HASH_H */
diff --git a/lib/isc/include/isc/json.h b/lib/isc/include/isc/json.h
new file mode 100644
index 0000000..52295e6
--- /dev/null
+++ b/lib/isc/include/isc/json.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_JSON_H
+#define ISC_JSON_H 1
+
+#ifdef HAVE_JSON
+/*
+ * This file is here mostly to make it easy to add additional libjson header
+ * files as needed across all the users of this file.  Rather than place
+ * these libjson includes in each file, one include makes it easy to handle
+ * the ifdef as well as adding the ability to add additional functions
+ * which may be useful.
+ */
+#ifdef HAVE_JSON_C
+/*
+ * We don't include <json-c/json.h> as the subsequent includes do not
+ * prefix the header file names with "json-c/" and using
+ * -I <prefix>/include/json-c results in too many filename collisions.
+ */
+#include <json-c/linkhash.h>
+#include <json-c/json_util.h>
+#include <json-c/json_object.h>
+#include <json-c/json_tokener.h>
+#include <json-c/json_object_iterator.h>
+#include <json-c/json_c_version.h>
+#else
+#include <json/json.h>
+#endif
+#endif
+
+#define ISC_JSON_RENDERCONFIG		0x00000001 /* render config data */
+#define ISC_JSON_RENDERSTATS		0x00000002 /* render stats */
+#define ISC_JSON_RENDERALL		0x000000ff /* render everything */
+
+#endif /* ISC_JSON_H */
diff --git a/lib/isc/include/isc/lang.h b/lib/isc/include/isc/lang.h
new file mode 100644
index 0000000..bffcbac
--- /dev/null
+++ b/lib/isc/include/isc/lang.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LANG_H
+#define ISC_LANG_H 1
+
+/*! \file isc/lang.h */
+
+#ifdef __cplusplus
+#define ISC_LANG_BEGINDECLS	extern "C" {
+#define ISC_LANG_ENDDECLS	}
+#else
+#define ISC_LANG_BEGINDECLS
+#define ISC_LANG_ENDDECLS
+#endif
+
+#endif /* ISC_LANG_H */
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
new file mode 100644
index 0000000..d63ecf9
--- /dev/null
+++ b/lib/isc/include/isc/lex.h
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LEX_H
+#define ISC_LEX_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/lex.h
+ * \brief The "lex" module provides a lightweight tokenizer.  It can operate
+ * on files or buffers, and can handle "include".  It is designed for
+ * parsing of DNS master files and the BIND configuration file, but
+ * should be general enough to tokenize other things, e.g. HTTP.
+ *
+ * \li MP:
+ *	No synchronization is provided.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ * 	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Options
+ ***/
+
+/*@{*/
+/*!
+ * Various options for isc_lex_gettoken().
+ */
+
+#define ISC_LEXOPT_EOL			0x01	/*%< Want end-of-line token. */
+#define ISC_LEXOPT_EOF			0x02	/*%< Want end-of-file token. */
+#define ISC_LEXOPT_INITIALWS		0x04	/*%< Want initial whitespace. */
+#define ISC_LEXOPT_NUMBER		0x08	/*%< Recognize numbers. */
+#define ISC_LEXOPT_QSTRING		0x10	/*%< Recognize qstrings. */
+/*@}*/
+
+/*@{*/
+/*!
+ * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
+ * the DNS master file format.  If this option is set, then the
+ * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
+ * the paren count is > 0.  To use this option, '(' and ')' must be special
+ * characters.
+ */
+#define ISC_LEXOPT_DNSMULTILINE		0x20	/*%< Handle '(' and ')'. */
+#define ISC_LEXOPT_NOMORE		0x40	/*%< Want "no more" token. */
+
+#define ISC_LEXOPT_CNUMBER		0x80    /*%< Recognize octal and hex. */
+#define ISC_LEXOPT_ESCAPE		0x100	/*%< Recognize escapes. */
+#define ISC_LEXOPT_QSTRINGMULTILINE	0x200	/*%< Allow multiline "" strings */
+#define ISC_LEXOPT_OCTAL		0x400	/*%< Expect a octal number. */
+#define ISC_LEXOPT_BTEXT		0x800	/*%< Bracketed text. */
+/*@}*/
+/*@{*/
+/*!
+ * Various commenting styles, which may be changed at any time with
+ * isc_lex_setcomments().
+ */
+
+#define ISC_LEXCOMMENT_C		0x01
+#define ISC_LEXCOMMENT_CPLUSPLUS	0x02
+#define ISC_LEXCOMMENT_SHELL		0x04
+#define ISC_LEXCOMMENT_DNSMASTERFILE	0x08
+/*@}*/
+
+/***
+ *** Types
+ ***/
+
+/*! Lex */
+
+typedef char isc_lexspecials_t[256];
+
+/* Tokens */
+
+typedef enum {
+	isc_tokentype_unknown = 0,
+	isc_tokentype_string = 1,
+	isc_tokentype_number = 2,
+	isc_tokentype_qstring = 3,
+	isc_tokentype_eol = 4,
+	isc_tokentype_eof = 5,
+	isc_tokentype_initialws = 6,
+	isc_tokentype_special = 7,
+	isc_tokentype_nomore = 8,
+	isc_tokentype_btext = 8
+} isc_tokentype_t;
+
+typedef union {
+	char				as_char;
+	unsigned long			as_ulong;
+	isc_region_t			as_region;
+	isc_textregion_t		as_textregion;
+	void *				as_pointer;
+} isc_tokenvalue_t;
+
+typedef struct isc_token {
+	isc_tokentype_t			type;
+	isc_tokenvalue_t		value;
+} isc_token_t;
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
+/*%<
+ * Create a lexer.
+ *
+ * 'max_token' is a hint of the number of bytes in the largest token.
+ *
+ * Requires:
+ *\li	'*lexp' is a valid lexer.
+ *
+ * Ensures:
+ *\li	On success, *lexp is attached to the newly created lexer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_lex_destroy(isc_lex_t **lexp);
+/*%<
+ * Destroy the lexer.
+ *
+ * Requires:
+ *\li	'*lexp' is a valid lexer.
+ *
+ * Ensures:
+ *\li	*lexp == NULL
+ */
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex);
+/*%<
+ * Return the current lexer commenting styles.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ *\li	The commenting sytles which are currently allowed.
+ */
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
+/*%<
+ * Set allowed lexer commenting styles.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'comments' has meaningful values.
+ */
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*%<
+ * Put the current list of specials into 'specials'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ */
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*!<
+ * The characters in 'specials' are returned as tokens.  Along with
+ * whitespace, they delimit strings and numbers.
+ *
+ * Note:
+ *\li	Comment processing takes precedence over special character
+ *	recognition.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ */
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename);
+/*%<
+ * Open 'filename' and make it the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	filename is a valid C string.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ *\li	#ISC_R_NOTFOUND			File not found
+ *\li	#ISC_R_NOPERM			No permission to open file
+ *\li	#ISC_R_FAILURE			Couldn't open file, not sure why
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream);
+/*%<
+ * Make 'stream' the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'stream' is a valid C stream.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ */
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
+/*%<
+ * Make 'buffer' the current input source for 'lex'.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'buffer' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY			Out of memory
+ */
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex);
+/*%<
+ * Close the most recently opened object (i.e. file or buffer).
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMORE			No more input sources
+ */
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
+/*%<
+ * Get the next token.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'options' contains valid options.
+ *
+ *\li	'*tokenp' is a valid pointer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTEDEND
+ *\li	#ISC_R_NOMEMORY
+ *
+ *	These two results are returned only if their corresponding lexer
+ *	options are not set.
+ *
+ *\li	#ISC_R_EOF			End of input source
+ *\li	#ISC_R_NOMORE			No more input sources
+ */
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+		       isc_tokentype_t expect, bool eol);
+/*%<
+ * Get the next token from a DNS master file type stream.  This is a
+ * convenience function that sets appropriate options and handles quoted
+ * strings and end of line correctly for master files.  It also ungets
+ * unexpected tokens.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * \li	any return code from isc_lex_gettoken().
+ */
+
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, bool eol);
+/*%<
+ * Get the next token from a DNS master file type stream.  This is a
+ * convenience function that sets appropriate options and handles end
+ * of line correctly for master files.  It also ungets unexpected tokens.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * \li	any return code from isc_lex_gettoken().
+ */
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
+/*%<
+ * Unget the current token.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'tokenp' points to a valid token.
+ *
+ *\li	There is no ungotten token already.
+ */
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
+/*%<
+ * Returns a region containing the text of the last token returned.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ *\li	'lex' has an input source.
+ *
+ *\li	'tokenp' points to a valid token.
+ *
+ *\li	A token has been gotten and not ungotten.
+ */
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex);
+/*%<
+ * Return the input source name.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	source name or NULL if no current source.
+ *\li	result valid while current input source exists.
+ */
+
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex);
+/*%<
+ * Return the input source line number.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ *\li 	Current line number or 0 if no current source.
+ */
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name);
+/*%<
+ * Assigns a new name to the input source.
+ *
+ * Requires:
+ *
+ * \li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTFOUND - there are no sources.
+ */
+
+isc_result_t
+isc_lex_setsourceline(isc_lex_t *lex, unsigned long line);
+/*%<
+ * Assigns a new line number to the input source. This can be used
+ * when parsing a buffer that's been excerpted from the middle a file,
+ * allowing logged messages to display the correct line number,
+ * rather than the line number within the buffer.
+ *
+ * Requires:
+ *
+ * \li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - there are no sources.
+ */
+
+bool
+isc_lex_isfile(isc_lex_t *lex);
+/*%<
+ * Return whether the current input source is a file.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer.
+ *
+ * Returns:
+ * \li	#true if the current input is a file,
+ *\li	#false otherwise.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LEX_H */
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
new file mode 100644
index 0000000..3f2cfb4
--- /dev/null
+++ b/lib/isc/include/isc/lfsr.h
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LFSR_H
+#define ISC_LFSR_H 1
+
+/*! \file isc/lfsr.h */
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+typedef struct isc_lfsr isc_lfsr_t;
+
+/*%
+ * This function is called when reseeding is needed.  It is allowed to
+ * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
+ *
+ * It MUST set "count" to a new value or the lfsr will never reseed again.
+ *
+ * Also, a reseed will never occur in the middle of an extraction.  This
+ * is purely an optimization, and is probably what one would want.
+ */
+typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
+
+/*%
+ * The members of this structure can be used by the application, but care
+ * needs to be taken to not change state once the lfsr is in operation.
+ */
+struct isc_lfsr {
+	uint32_t		state;	/*%< previous state */
+	unsigned int		bits;	/*%< length */
+	uint32_t		tap;	/*%< bit taps */
+	unsigned int		count;	/*%< reseed count (in BITS!) */
+	isc_lfsrreseed_t	reseed;	/*%< reseed function */
+	void		       *arg;	/*%< reseed function argument */
+};
+
+ISC_LANG_BEGINDECLS
+
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, uint32_t state, unsigned int bits,
+		   uint32_t tap, unsigned int count,
+		   isc_lfsrreseed_t reseed, void *arg);
+/*%<
+ * Initialize an LFSR.
+ *
+ * Note:
+ *
+ *\li	Putting untrusted values into this function will cause the LFSR to
+ *	generate (perhaps) non-maximal length sequences.
+ *
+ * Requires:
+ *
+ *\li	lfsr != NULL
+ *
+ *\li	8 <= bits <= 32
+ *
+ *\li	tap != 0
+ */
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
+/*%<
+ * Returns "count" bytes of data from the LFSR.
+ *
+ * Requires:
+ *
+ *\li	lfsr be valid.
+ *
+ *\li	data != NULL.
+ *
+ *\li	count > 0.
+ */
+
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
+/*%<
+ * Skip "skip" states.
+ *
+ * Requires:
+ *
+ *\li	lfsr be valid.
+ */
+
+uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
+/*%<
+ * Given two LFSRs, use the current state from each to skip entries in the
+ * other.  The next states are then xor'd together and returned.
+ *
+ * WARNING:
+ *
+ *\li	This function is used only for very, very low security data, such
+ *	as DNS message IDs where it is desired to have an unpredictable
+ *	stream of bytes that are harder to predict than a simple flooding
+ *	attack.
+ *
+ * Notes:
+ *
+ *\li	Since the current state from each of the LFSRs is used to skip
+ *	state in the other, it is important that no state be leaked
+ *	from either LFSR.
+ *
+ * Requires:
+ *
+ *\li	lfsr1 and lfsr2 be valid.
+ *
+ *\li	1 <= skipbits <= 31
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LFSR_H */
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
new file mode 100644
index 0000000..55ef20a
--- /dev/null
+++ b/lib/isc/include/isc/lib.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LIB_H
+#define ISC_LIB_H 1
+
+/*! \file isc/lib.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
+
+void
+isc_lib_initmsgcat(void);
+/*!<
+ * \brief Initialize the ISC library's message catalog, isc_msgcat, if it
+ * has not already been initialized.
+ */
+
+void
+isc_lib_register(void);
+/*!<
+ * \brief Register the ISC library implementations for some base services
+ * such as memory or event management and handling socket or timer events.
+ * An external application that wants to use the ISC library must call this
+ * function very early in main().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LIB_H */
diff --git a/lib/isc/include/isc/likely.h b/lib/isc/include/isc/likely.h
new file mode 100644
index 0000000..6c77957
--- /dev/null
+++ b/lib/isc/include/isc/likely.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_LIKELY_H
+#define ISC_LIKELY_H 1
+
+/*%
+ * Performance
+ */
+#ifdef HAVE_BUILTIN_EXPECT
+#define ISC_LIKELY(x)            __builtin_expect((x), 1)
+#define ISC_UNLIKELY(x)          __builtin_expect((x), 0)
+#else
+#define ISC_LIKELY(x)            (x)
+#define ISC_UNLIKELY(x)          (x)
+#endif
+
+#endif /* ISC_LIKELY_H */
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
new file mode 100644
index 0000000..ab476ca
--- /dev/null
+++ b/lib/isc/include/isc/list.h
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LIST_H
+#define ISC_LIST_H 1
+#include <isc/assertions.h>
+
+#ifdef ISC_LIST_CHECKINIT
+#define ISC_LINK_INSIST(x) ISC_INSIST(x)
+#else
+#define ISC_LINK_INSIST(x)
+#endif
+
+#define ISC_LIST(type) struct { type *head, *tail; }
+#define ISC_LIST_INIT(list) \
+	do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define ISC_LINK(type) struct { type *prev, *next; }
+#define ISC_LINK_INIT_TYPE(elt, link, type) \
+	do { \
+		(elt)->link.prev = (type *)(-1); \
+		(elt)->link.next = (type *)(-1); \
+	} while (0)
+#define ISC_LINK_INIT(elt, link) \
+	ISC_LINK_INIT_TYPE(elt, link, void)
+#define ISC_LINK_LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
+
+#define ISC_LIST_HEAD(list) ((list).head)
+#define ISC_LIST_TAIL(list) ((list).tail)
+#define ISC_LIST_EMPTY(list) ((list).head == NULL)
+
+#define __ISC_LIST_PREPENDUNSAFE(list, elt, link) \
+	do { \
+		if ((list).head != NULL) \
+			(list).head->link.prev = (elt); \
+		else \
+			(list).tail = (elt); \
+		(elt)->link.prev = NULL; \
+		(elt)->link.next = (list).head; \
+		(list).head = (elt); \
+	} while (0)
+
+#define ISC_LIST_PREPEND(list, elt, link) \
+	do { \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_PREPENDUNSAFE(list, elt, link); \
+	} while (0)
+
+#define ISC_LIST_INITANDPREPEND(list, elt, link) \
+		__ISC_LIST_PREPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_APPENDUNSAFE(list, elt, link) \
+	do { \
+		if ((list).tail != NULL) \
+			(list).tail->link.next = (elt); \
+		else \
+			(list).head = (elt); \
+		(elt)->link.prev = (list).tail; \
+		(elt)->link.next = NULL; \
+		(list).tail = (elt); \
+	} while (0)
+
+#define ISC_LIST_APPEND(list, elt, link) \
+	do { \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_APPENDUNSAFE(list, elt, link); \
+	} while (0)
+
+#define ISC_LIST_INITANDAPPEND(list, elt, link) \
+		__ISC_LIST_APPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type) \
+	do { \
+		if ((elt)->link.next != NULL) \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		else { \
+			ISC_INSIST((list).tail == (elt)); \
+			(list).tail = (elt)->link.prev; \
+		} \
+		if ((elt)->link.prev != NULL) \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		else { \
+			ISC_INSIST((list).head == (elt)); \
+			(list).head = (elt)->link.next; \
+		} \
+		(elt)->link.prev = (type *)(-1); \
+		(elt)->link.next = (type *)(-1); \
+		ISC_INSIST((list).head != (elt)); \
+		ISC_INSIST((list).tail != (elt)); \
+	} while (0)
+
+#define __ISC_LIST_UNLINKUNSAFE(list, elt, link) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+
+#define ISC_LIST_UNLINK_TYPE(list, elt, link, type) \
+	do { \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type); \
+	} while (0)
+#define ISC_LIST_UNLINK(list, elt, link) \
+	ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+
+#define ISC_LIST_PREV(elt, link) ((elt)->link.prev)
+#define ISC_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link) \
+	do { \
+		if ((before)->link.prev == NULL) \
+			ISC_LIST_PREPEND(list, elt, link); \
+		else { \
+			(elt)->link.prev = (before)->link.prev; \
+			(before)->link.prev = (elt); \
+			(elt)->link.prev->link.next = (elt); \
+			(elt)->link.next = (before); \
+		} \
+	} while (0)
+
+#define ISC_LIST_INSERTBEFORE(list, before, elt, link) \
+	do { \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(before, link)); \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link); \
+	} while (0)
+
+#define __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link) \
+	do { \
+		if ((after)->link.next == NULL) \
+			ISC_LIST_APPEND(list, elt, link); \
+		else { \
+			(elt)->link.next = (after)->link.next; \
+			(after)->link.next = (elt); \
+			(elt)->link.next->link.prev = (elt); \
+			(elt)->link.prev = (after); \
+		} \
+	} while (0)
+
+#define ISC_LIST_INSERTAFTER(list, after, elt, link) \
+	do { \
+		ISC_LINK_INSIST(ISC_LINK_LINKED(after, link)); \
+		ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+		__ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link); \
+	} while (0)
+
+#define ISC_LIST_APPENDLIST(list1, list2, link) \
+	do { \
+		if (ISC_LIST_EMPTY(list1)) \
+			(list1) = (list2); \
+		else if (!ISC_LIST_EMPTY(list2)) { \
+			(list1).tail->link.next = (list2).head; \
+			(list2).head->link.prev = (list1).tail; \
+			(list1).tail = (list2).tail; \
+		} \
+		(list2).head = NULL; \
+		(list2).tail = NULL; \
+	} while (0)
+
+#define ISC_LIST_PREPENDLIST(list1, list2, link) \
+	do { \
+		if (ISC_LIST_EMPTY(list1)) \
+			(list1) = (list2); \
+		else if (!ISC_LIST_EMPTY(list2)) { \
+			(list2).tail->link.next = (list1).head; \
+			(list1).head->link.prev = (list2).tail; \
+			(list1).head = (list2).head; \
+		} \
+		(list2).head = NULL; \
+		(list2).tail = NULL; \
+	} while (0)
+
+#define ISC_LIST_ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
+#define __ISC_LIST_ENQUEUEUNSAFE(list, elt, link) \
+	__ISC_LIST_APPENDUNSAFE(list, elt, link)
+#define ISC_LIST_DEQUEUE(list, elt, link) \
+	 ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+#define ISC_LIST_DEQUEUE_TYPE(list, elt, link, type) \
+	 ISC_LIST_UNLINK_TYPE(list, elt, link, type)
+#define __ISC_LIST_DEQUEUEUNSAFE(list, elt, link) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+#define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \
+	__ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)
+
+#endif /* ISC_LIST_H */
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
new file mode 100644
index 0000000..fd0443f
--- /dev/null
+++ b/lib/isc/include/isc/log.h
@@ -0,0 +1,920 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_LOG_H
+#define ISC_LOG_H 1
+
+/*! \file isc/log.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <syslog.h> /* XXXDCL NT */
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*@{*/
+/*!
+ * \brief Severity levels, patterned after Unix's syslog levels.
+ *
+ */
+#define ISC_LOG_DEBUG(level)	(level)
+/*!
+ * #ISC_LOG_DYNAMIC can only be used for defining channels with
+ * isc_log_createchannel(), not to specify a level in isc_log_write().
+ */
+#define ISC_LOG_DYNAMIC	  	  0
+#define ISC_LOG_INFO		(-1)
+#define ISC_LOG_NOTICE		(-2)
+#define ISC_LOG_WARNING 	(-3)
+#define ISC_LOG_ERROR		(-4)
+#define ISC_LOG_CRITICAL	(-5)
+/*@}*/
+
+/*@{*/
+/*!
+ * \brief Destinations.
+ */
+#define ISC_LOG_TONULL		1
+#define ISC_LOG_TOSYSLOG	2
+#define ISC_LOG_TOFILE		3
+#define ISC_LOG_TOFILEDESC	4
+/*@}*/
+
+/*@{*/
+/*%
+ * Channel flags.
+ */
+#define ISC_LOG_PRINTTIME	0x0001
+#define ISC_LOG_PRINTLEVEL	0x0002
+#define ISC_LOG_PRINTCATEGORY	0x0004
+#define ISC_LOG_PRINTMODULE	0x0008
+#define ISC_LOG_PRINTTAG	0x0010		/* tag and ":" */
+#define ISC_LOG_PRINTPREFIX	0x0020		/* tag only, no colon */
+#define ISC_LOG_PRINTALL	0x003F
+#define ISC_LOG_BUFFERED	0x0040
+#define ISC_LOG_DEBUGONLY	0x1000
+#define ISC_LOG_OPENERR		0x8000		/* internal */
+/*@}*/
+
+/*@{*/
+/*!
+ * \brief Other options.
+ *
+ * XXXDCL INFINITE doesn't yet work.  Arguably it isn't needed, but
+ *   since I am intend to make large number of versions work efficiently,
+ *   INFINITE is going to be trivial to add to that.
+ */
+#define ISC_LOG_ROLLINFINITE	(-1)
+#define ISC_LOG_ROLLNEVER	(-2)
+/*@}*/
+
+/*!
+ * \brief Used to name the categories used by a library.
+ *
+ * An array of isc_logcategory
+ * structures names each category, and the id value is initialized by calling
+ * isc_log_registercategories.
+ */
+struct isc_logcategory {
+	const char *name;
+	unsigned int id;
+};
+
+/*%
+ * Similar to isc_logcategory, but for all the modules a library defines.
+ */
+struct isc_logmodule {
+	const char *name;
+	unsigned int id;
+};
+
+/*%
+ * The isc_logfile structure is initialized as part of an isc_logdestination
+ * before calling isc_log_createchannel().
+ *
+ * When defining an #ISC_LOG_TOFILE
+ * channel the name, versions and maximum_size should be set before calling
+ * isc_log_createchannel().  To define an #ISC_LOG_TOFILEDESC channel set only
+ * the stream before the call.
+ *
+ * Setting maximum_size to zero implies no maximum.
+ */
+typedef struct isc_logfile {
+	FILE *stream;		/*%< Initialized to NULL for #ISC_LOG_TOFILE. */
+	const char *name;	/*%< NULL for #ISC_LOG_TOFILEDESC. */
+	int versions;	/* >= 0, #ISC_LOG_ROLLNEVER, #ISC_LOG_ROLLINFINITE. */
+	/*%
+	 * stdio's ftell is standardized to return a long, which may well not
+	 * be big enough for the largest file supportable by the operating
+	 * system (though it is _probably_ big enough for the largest log
+	 * anyone would want).  st_size returned by fstat should be typedef'd
+	 * to a size large enough for the largest possible file on a system.
+	 */
+	isc_offset_t maximum_size;
+	bool maximum_reached; /*%< Private. */
+} isc_logfile_t;
+
+/*%
+ * Passed to isc_log_createchannel to define the attributes of either
+ * a stdio or a syslog log.
+ */
+typedef union isc_logdestination {
+	isc_logfile_t file;
+	int facility;		/* XXXDCL NT */
+} isc_logdestination_t;
+
+/*@{*/
+/*%
+ * The built-in categories of libisc.
+ *
+ * Each library registering categories should provide library_LOGCATEGORY_name
+ * definitions with indexes into its isc_logcategory structure corresponding to
+ * the order of the names.
+ */
+LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
+LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx;
+LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
+/*@}*/
+
+/*@{*/
+/*%
+ * Do not log directly to DEFAULT.  Use another category.  When in doubt,
+ * use GENERAL.
+ */
+#define ISC_LOGCATEGORY_DEFAULT	(&isc_categories[0])
+#define ISC_LOGCATEGORY_GENERAL	(&isc_categories[1])
+/*@}*/
+
+#define ISC_LOGMODULE_SOCKET (&isc_modules[0])
+#define ISC_LOGMODULE_TIME (&isc_modules[1])
+#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
+#define ISC_LOGMODULE_TIMER (&isc_modules[3])
+#define ISC_LOGMODULE_FILE (&isc_modules[4])
+#define ISC_LOGMODULE_OTHER (&isc_modules[5])
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
+/*%<
+ * Establish a new logging context, with default channels.
+ *
+ * Notes:
+ *\li	isc_log_create() calls isc_logconfig_create(), so see its comment
+ *	below for more information.
+ *
+ * Requires:
+ *\li	mctx is a valid memory context.
+ *\li	lctxp is not null and *lctxp is null.
+ *\li	lcfgp is null or lcfgp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ *\li	*lctxp will point to a valid logging context if all of the necessary
+ *	memory was allocated, or NULL otherwise.
+ *\li	*lcfgp will point to a valid logging configuration if all of the
+ *	necessary memory was allocated, or NULL otherwise.
+ *\li	On failure, no additional memory is allocated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
+ */
+
+isc_result_t
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
+/*%<
+ * Create the data structure that holds all of the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ *
+ * Notes:
+ *\li	It is necessary to specify the logging context the configuration
+ * 	will be used with because the number of categories and modules
+ *	needs to be known in order to set the configuration.  However,
+ *	the configuration is not used by the logging context until the
+ *	isc_logconfig_use function is called.
+ *
+ *\li	The memory context used for operations that allocate memory for
+ *	the configuration is that of the logging context, as specified
+ *	in the isc_log_create call.
+ *
+ *\li	Four default channels are established:
+ *\verbatim
+ *	    	default_syslog
+ *		 - log to syslog's daemon facility #ISC_LOG_INFO or higher
+ *		default_stderr
+ *		 - log to stderr #ISC_LOG_INFO or higher
+ *		default_debug
+ *		 - log to stderr #ISC_LOG_DEBUG dynamically
+ *		null
+ *		 - log nothing
+ *\endverbatim
+ *
+ * Requires:
+ *\li 	lctx is a valid logging context.
+ *\li	lcftp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ *\li	*lcfgp will point to a valid logging context if all of the necessary
+ *	memory was allocated, or NULL otherwise.
+ *\li	On failure, no additional memory is allocated.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
+ */
+
+isc_logconfig_t *
+isc_logconfig_get(isc_log_t *lctx);
+/*%<
+ * Returns a pointer to the configuration currently in use by the log context.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *
+ * Ensures:
+ *\li	The configuration pointer is non-null.
+ *
+ * Returns:
+ *\li	The configuration pointer.
+ */
+
+isc_result_t
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
+/*%<
+ * Associate a new configuration with a logging context.
+ *
+ * Notes:
+ *\li	This is thread safe.  The logging context will lock a mutex
+ *	before attempting to swap in the new configuration, and isc_log_doit
+ *	(the internal function used by all of isc_log_[v]write[1]) locks
+ *	the same lock for the duration of its use of the configuration.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	lcfg is a valid logging configuration.
+ *\li	lctx is the same configuration given to isc_logconfig_create
+ *		when the configuration was created.
+ *
+ * Ensures:
+ *\li	Future calls to isc_log_write will use the new configuration.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
+ */
+
+void
+isc_log_destroy(isc_log_t **lctxp);
+/*%<
+ * Deallocate the memory associated with a logging context.
+ *
+ * Requires:
+ *\li	*lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	All of the memory associated with the logging context is returned
+ *	to the free memory pool.
+ *
+ *\li	Any open files are closed.
+ *
+ *\li	The logging context is marked as invalid.
+ */
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp);
+/*%<
+ * Destroy a logging configuration.
+ *
+ * Notes:
+ *\li	This function cannot be used directly with the return value of
+ *	isc_logconfig_get, because a logging context must always have
+ *	a valid configuration associated with it.
+ *
+ * Requires:
+ *\li	lcfgp is not null and *lcfgp is a valid logging configuration.
+ *\li	The logging configuration is not in use by an existing logging context.
+ *
+ * Ensures:
+ *\li	All memory allocated for the configuration is freed.
+ *
+ *\li	The configuration is marked as invalid.
+ */
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
+/*%<
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ *\li	A category should only be registered once, but no mechanism enforces
+ *	this rule.
+ *
+ *\li	The end of the categories array is identified by a NULL name.
+ *
+ *\li	Because the name is used by #ISC_LOG_PRINTCATEGORY, it should not
+ *	be altered or destroyed after isc_log_registercategories().
+ *
+ *\li	Because each element of the categories array is used by
+ *	isc_log_categorybyname, it should not be altered or destroyed
+ *	after registration.
+ *
+ *\li	The value of the id integer in each structure is overwritten
+ *	by this function, and so id need not be initialized to any particular
+ *	value prior to the function call.
+ *
+ *\li	A subsequent call to isc_log_registercategories with the same
+ *	logging context (but new categories) will cause the last
+ *	element of the categories array from the prior call to have
+ *	its "name" member changed from NULL to point to the new
+ *	categories array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	categories != NULL.
+ *\li	categories[0].name != NULL.
+ *
+ * Ensures:
+ * \li	There are references to each category in the logging context,
+ * 	so they can be used with isc_log_usechannel() and isc_log_write().
+ */
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
+/*%<
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ *\li	A module should only be registered once, but no mechanism enforces
+ *	this rule.
+ *
+ *\li	The end of the modules array is identified by a NULL name.
+ *
+ *\li	Because the name is used by #ISC_LOG_PRINTMODULE, it should not
+ *	be altered or destroyed after isc_log_registermodules().
+ *
+ *\li	Because each element of the modules array is used by
+ *	isc_log_modulebyname, it should not be altered or destroyed
+ *	after registration.
+ *
+ *\li	The value of the id integer in each structure is overwritten
+ *	by this function, and so id need not be initialized to any particular
+ *	value prior to the function call.
+ *
+ *\li	A subsequent call to isc_log_registermodules with the same
+ *	logging context (but new modules) will cause the last
+ *	element of the modules array from the prior call to have
+ *	its "name" member changed from NULL to point to the new
+ *	modules array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *\li	modules != NULL.
+ *\li	modules[0].name != NULL;
+ *
+ * Ensures:
+ *\li	Each module has a reference in the logging context, so they can be
+ *	used with isc_log_usechannel() and isc_log_write().
+ */
+
+isc_result_t
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+		      unsigned int type, int level,
+		      const isc_logdestination_t *destination,
+		      unsigned int flags);
+/*%<
+ * Specify the parameters of a logging channel.
+ *
+ * Notes:
+ *\li	The name argument is copied to memory in the logging context, so
+ *	it can be altered or destroyed after isc_log_createchannel().
+ *
+ *\li	Defining a very large number of channels will have a performance
+ *	impact on isc_log_usechannel(), since the names are searched
+ *	linearly until a match is made.  This same issue does not affect
+ *	isc_log_write, however.
+ *
+ *\li	Channel names can be redefined; this is primarily useful for programs
+ *	that want their own definition of default_syslog, default_debug
+ *	and default_stderr.
+ *
+ *\li	Any channel that is redefined will not affect logging that was
+ *	already directed to its original definition, _except_ for the
+ *	default_stderr channel.  This case is handled specially so that
+ *	the default logging category can be changed by redefining
+ *	default_stderr.  (XXXDCL Though now that I think of it, the default
+ *	logging category can be changed with only one additional function
+ *	call by defining a new channel and then calling isc_log_usechannel()
+ *	for #ISC_LOGCATEGORY_DEFAULT.)
+ *
+ *\li	Specifying #ISC_LOG_PRINTTIME or #ISC_LOG_PRINTTAG for syslog is
+ *	allowed, but probably not what you wanted to do.
+ *
+ *	#ISC_LOG_DEBUGONLY will mark the channel as usable only when the
+ *	debug level of the logging context (see isc_log_setdebuglevel)
+ *	is non-zero.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ *\li	name is not NULL.
+ *
+ *\li	type is #ISC_LOG_TOSYSLOG, #ISC_LOG_TOFILE, #ISC_LOG_TOFILEDESC or
+ *		#ISC_LOG_TONULL.
+ *
+ *\li	destination is not NULL unless type is #ISC_LOG_TONULL.
+ *
+ *\li	level is >= #ISC_LOG_CRITICAL (the most negative logging level).
+ *
+ *\li	flags does not include any bits aside from the ISC_LOG_PRINT* bits,
+ *	#ISC_LOG_DEBUGONLY or #ISC_LOG_BUFFERED.
+ *
+ * Ensures:
+ *\li	#ISC_R_SUCCESS
+ *		A channel with the given name is usable with
+ *		isc_log_usechannel().
+ *
+ *\li	#ISC_R_NOMEMORY or #ISC_R_UNEXPECTED
+ *		No additional memory is being used by the logging context.
+ *		Any channel that previously existed with the given name
+ *		is not redefined.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success
+ *\li	#ISC_R_NOMEMORY		Resource limit: Out of memory
+ *\li	#ISC_R_UNEXPECTED	type was out of range and REQUIRE()
+ *					was disabled.
+ */
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+		   const isc_logcategory_t *category,
+		   const isc_logmodule_t *module);
+/*%<
+ * Associate a named logging channel with a category and module that
+ * will use it.
+ *
+ * Notes:
+ *\li	The name is searched for linearly in the set of known channel names
+ *	until a match is found.  (Note the performance impact of a very large
+ *	number of named channels.)  When multiple channels of the same
+ *	name are defined, the most recent definition is found.
+ *
+ *\li	Specifying a very large number of channels for a category will have
+ *	a moderate impact on performance in isc_log_write(), as each
+ *	call looks up the category for the start of a linked list, which
+ *	it follows all the way to the end to find matching modules.  The
+ *	test for matching modules is  integral, though.
+ *
+ *\li	If category is NULL, then the channel is associated with the indicated
+ *	module for all known categories (including the "default" category).
+ *
+ *\li	If module is NULL, then the channel is associated with every module
+ *	that uses that category.
+ *
+ *\li	Passing both category and module as NULL would make every log message
+ *	use the indicated channel.
+ *
+ * \li	Specifying a channel that is #ISC_LOG_TONULL for a category/module pair
+ *	has no effect on any other channels associated with that pair,
+ *	regardless of ordering.  Thus you cannot use it to "mask out" one
+ *	category/module pair when you have specified some other channel that
+ * 	is also used by that category/module pair.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ *\li	category is NULL or has an id that is in the range of known ids.
+ *
+ *	module is NULL or has an id that is in the range of known ids.
+ *
+ * Ensures:
+ *\li	#ISC_R_SUCCESS
+ *		The channel will be used by the indicated category/module
+ *		arguments.
+ *
+ *\li	#ISC_R_NOMEMORY
+ *		If assignment for a specific category has been requested,
+ *		the channel has not been associated with the indicated
+ *		category/module arguments and no additional memory is
+ *		used by the logging context.
+ *		If assignment for all categories has been requested
+ *		then _some_ may have succeeded (starting with category
+ *		"default" and progressing through the order of categories
+ *		passed to isc_log_registercategories()) and additional memory
+ *		is being used by whatever assignments succeeded.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY	Resource limit: Out of memory
+ */
+
+/* Attention: next four comments PRECEED code */
+/*!
+ *   \brief
+ * Write a message to the log channels.
+ *
+ * Notes:
+ *\li	Log messages containing natural language text should be logged with
+ *	isc_log_iwrite() to allow for localization.
+ *
+ *\li	lctx can be NULL; this is allowed so that programs which use
+ *	libraries that use the ISC logging system are not required to
+ *	also use it.
+ *
+ *\li	The format argument is a printf(3) string, with additional arguments
+ *	as necessary.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	The category and module arguments must have ids that are in the
+ *	range of known ids, as established by isc_log_registercategories()
+ *	and isc_log_registermodules().
+ *
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *	channels, and explicit debugging level must be identified for
+ *	isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ *\li	format != NULL.
+ *
+ * Ensures:
+ *\li	The log message is written to every channel associated with the
+ *	indicated category/module pair.
+ *
+ * Returns:
+ *\li	Nothing.  Failure to log a message is not construed as a
+ *	meaningful error.
+ */
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	      const char *format, ...)
+
+ISC_FORMAT_PRINTF(5, 6);
+
+/*%
+ * Write a message to the log channels.
+ *
+ * Notes:
+ *\li	lctx can be NULL; this is allowed so that programs which use
+ *	libraries that use the ISC logging system are not required to
+ *	also use it.
+ *
+ *\li	The format argument is a printf(3) string, with additional arguments
+ *	as necessary.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	The category and module arguments must have ids that are in the
+ *	range of known ids, as established by isc_log_registercategories()
+ *	and isc_log_registermodules().
+ *
+ *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
+ *	channels, and explicit debugging level must be identified for
+ *	isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ *\li	format != NULL.
+ *
+ * Ensures:
+ *\li	The log message is written to every channel associated with the
+ *	indicated category/module pair.
+ *
+ * Returns:
+ *\li	Nothing.  Failure to log a message is not construed as a
+ *	meaningful error.
+ */
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	       const char *format, va_list args)
+
+ISC_FORMAT_PRINTF(5, 0);
+
+/*%
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_write().
+ */
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format, ...)
+
+ISC_FORMAT_PRINTF(5, 6);
+
+/*%
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_vwrite().
+ */
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level, const char *format,
+		va_list args)
+
+ISC_FORMAT_PRINTF(5, 0);
+
+/*%
+ * These are four internationalized versions of the isc_log_[v]write[1]
+ * functions.
+ *
+ * The only difference is that they take arguments for a message
+ * catalog, message set, and message number, all immediately preceding the
+ * format argument.  The format argument becomes the default text, a la
+ * isc_msgcat_get.  If the message catalog is NULL, no lookup is attempted
+ * for a message -- which makes the message set and message number irrelevant,
+ * and the non-internationalized call should have probably been used instead.
+ *
+ * Yes, that means there are now *eight* interfaces to logging a message.
+ * Sheesh.   Make the madness stop!
+ */
+/*@{*/
+void
+isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level,
+	      isc_msgcat_t *msgcat, int msgset, int message,
+	      const char *format, ...)
+ISC_FORMAT_PRINTF(8, 9);
+
+void
+isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level,
+		isc_msgcat_t *msgcat, int msgset, int message,
+		const char *format, va_list args)
+ISC_FORMAT_PRINTF(8, 0);
+
+void
+isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level,
+		isc_msgcat_t *msgcat, int msgset, int message,
+		const char *format, ...)
+ISC_FORMAT_PRINTF(8, 9);
+
+void
+isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		 isc_logmodule_t *module, int level,
+		 isc_msgcat_t *msgcat, int msgset, int message,
+		 const char *format, va_list args)
+ISC_FORMAT_PRINTF(8, 0);
+/*@}*/
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
+/*%<
+ * Set the debugging level used for logging.
+ *
+ * Notes:
+ *\li	Setting the debugging level to 0 disables debugging log messages.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	The debugging level is set to the requested value.
+ */
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx);
+/*%<
+ * Get the current debugging level.
+ *
+ * Notes:
+ *\li	This is provided so that a program can have a notion of
+ *	"increment debugging level" or "decrement debugging level"
+ *	without needing to keep track of what the current level is.
+ *
+ *\li	A return value of 0 indicates that debugging messages are disabled.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Ensures:
+ *\li	The current logging debugging level is returned.
+ */
+
+bool
+isc_log_wouldlog(isc_log_t *lctx, int level);
+/*%<
+ * Determine whether logging something to 'lctx' at 'level' would
+ * actually cause something to be logged somewhere.
+ *
+ * If #false is returned, it is guaranteed that nothing would
+ * be logged, allowing the caller to omit unnecessary
+ * isc_log_write() calls and possible message preformatting.
+ */
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
+/*%<
+ * Set the interval over which duplicate log messages will be ignored
+ * by isc_log_[v]write1(), in seconds.
+ *
+ * Notes:
+ *\li	Increasing the duplicate interval from X to Y will not necessarily
+ *	filter out duplicates of messages logged in Y - X seconds since the
+ *	increase.  (Example: Message1 is logged at midnight.  Message2
+ *	is logged at 00:01:00, when the interval is only 30 seconds, causing
+ *	Message1 to be expired from the log message history.  Then the interval
+ *	is increased to 3000 (five minutes) and at 00:04:00 Message1 is logged
+ *	again.  It will appear the second time even though less than five
+ *	passed since the first occurrence.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ */
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
+/*%<
+ * Get the current duplicate filtering interval.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ * Returns:
+ *\li	The current duplicate filtering interval.
+ */
+
+isc_result_t
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
+/*%<
+ * Set the program name or other identifier for #ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *\li	If this function has not set the tag to a non-NULL, non-empty value,
+ *	then the #ISC_LOG_PRINTTAG channel flag will not print anything.
+ *	Unlike some implementations of syslog on Unix systems, you *must* set
+ *	the tag in order to get it logged.  It is not implicitly derived from
+ *	the program name (which is pretty impossible to infer portably).
+ *
+ *\li	Setting the tag to NULL or the empty string will also cause the
+ *	#ISC_LOG_PRINTTAG channel flag to not print anything.  If tag equals the
+ *	empty string, calls to isc_log_gettag will return NULL.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY  Resource Limit: Out of memory
+ *
+ * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
+ * of the currently active isc_logconfig_t was inherited.  this does not
+ * currently happen.
+ */
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg);
+/*%<
+ * Get the current identifier printed with #ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ *\li	lcfg is a valid logging configuration.
+ *
+ * Notes:
+ *\li	Since isc_log_settag() will not associate a zero-length string
+ *	with the logging configuration, attempts to do so will cause
+ *	this function to return NULL.  However, a determined programmer
+ *	will observe that (currently) a tag of length greater than zero
+ *	could be set, and then modified to be zero length.
+ *
+ * Returns:
+ *\li	A pointer to the current identifier, or NULL if none has been set.
+ */
+
+void
+isc_log_opensyslog(const char *tag, int options, int facility);
+/*%<
+ * Initialize syslog logging.
+ *
+ * Notes:
+ *\li	XXXDCL NT
+ *	This is currently equivalent to openlog(), but is not going to remain
+ *	that way.  In the meantime, the arguments are all identical to
+ *	those used by openlog(3), as follows:
+ *
+ * \code
+ *		tag: The string to use in the position of the program
+ *			name in syslog messages.  Most (all?) syslogs
+ *			will use basename(argv[0]) if tag is NULL.
+ *
+ *		options: LOG_CONS, LOG_PID, LOG_NDELAY ... whatever your
+ *			syslog supports.
+ *
+ *		facility: The default syslog facility.  This is irrelevant
+ *			since isc_log_write will ALWAYS use the channel's
+ *			declared facility.
+ * \endcode
+ *
+ *\li	Zero effort has been made (yet) to accommodate systems with openlog()
+ *	that only takes two arguments, or to identify valid syslog
+ *	facilities or options for any given architecture.
+ *
+ *\li	It is necessary to call isc_log_opensyslog() to initialize
+ *	syslogging on machines which do not support network connections to
+ *	syslogd because they require a Unix domain socket to be used.  Since
+ *	this is a chore to determine at run-time, it is suggested that it
+ *	always be called by programs using the ISC logging system.
+ *
+ * Requires:
+ *\li	Nothing.
+ *
+ * Ensures:
+ *\li	openlog() is called to initialize the syslog system.
+ */
+
+void
+isc_log_closefilelogs(isc_log_t *lctx);
+/*%<
+ * Close all open files used by #ISC_LOG_TOFILE channels.
+ *
+ * Notes:
+ *\li	This function is provided for programs that want to use their own
+ *	log rolling mechanism rather than the one provided internally.
+ *	For example, a program that wanted to keep daily logs would define
+ *	a channel which used #ISC_LOG_ROLLNEVER, then once a day would
+ *	rename the log file and call isc_log_closefilelogs().
+ *
+ *\li	#ISC_LOG_TOFILEDESC channels are unaffected.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *
+ * Ensures:
+ *\li	The open files are closed and will be reopened when they are
+ *	next needed.
+ */
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name);
+/*%<
+ * Find a category by its name.
+ *
+ * Notes:
+ *\li	The string name of a category is not required to be unique.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
+ *
+ * Returns:
+ *\li	A pointer to the _first_ isc_logcategory_t structure used by "name".
+ *
+ *\li	NULL if no category exists by that name.
+ */
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name);
+/*%<
+ * Find a module by its name.
+ *
+ * Notes:
+ *\li	The string name of a module is not required to be unique.
+ *
+ * Requires:
+ *\li	lctx is a valid context.
+ *\li	name is not NULL.
+ *
+ * Returns:
+ *\li	A pointer to the _first_ isc_logmodule_t structure used by "name".
+ *
+ *\li	NULL if no module exists by that name.
+ */
+
+void
+isc_log_setcontext(isc_log_t *lctx);
+/*%<
+ * Sets the context used by the libisc for logging.
+ *
+ * Requires:
+ *\li	lctx be a valid context.
+ */
+
+isc_result_t
+isc_logfile_roll(isc_logfile_t *file);
+/*%<
+ * Roll a logfile.
+ *
+ * Requires:
+ *\li	file is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LOG_H */
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
new file mode 100644
index 0000000..c342d0c
--- /dev/null
+++ b/lib/isc/include/isc/magic.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MAGIC_H
+#define ISC_MAGIC_H 1
+
+#include <isc/likely.h>
+
+/*! \file isc/magic.h */
+
+typedef struct {
+	unsigned int magic;
+} isc__magic_t;
+
+
+/*%
+ * To use this macro the magic number MUST be the first thing in the
+ * structure, and MUST be of type "unsigned int".
+ * The intent of this is to allow magic numbers to be checked even though
+ * the object is otherwise opaque.
+ */
+#define ISC_MAGIC_VALID(a,b)	(ISC_LIKELY((a) != NULL) && \
+				 ISC_LIKELY(((const isc__magic_t *)(a))->magic == (b)))
+
+#define ISC_MAGIC(a, b, c, d)	((a) << 24 | (b) << 16 | (c) << 8 | (d))
+
+#endif /* ISC_MAGIC_H */
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
new file mode 100644
index 0000000..4d29398
--- /dev/null
+++ b/lib/isc/include/isc/md5.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/md5.h
+ * \brief This is the header file for the MD5 message-digest algorithm.
+ *
+ * The algorithm is due to Ron Rivest.  This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ *
+ * Changed so as no longer to depend on Colin Plumb's `usual.h'
+ * header definitions; now uses stuff from dpkg's config.h
+ *  - Ian Jackson <ijackson@nyx.cs.du.edu>.
+ * Still in the public domain.
+ */
+
+#ifndef ISC_MD5_H
+#define ISC_MD5_H 1
+
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_MD5_DIGESTLENGTH 16U
+#define ISC_MD5_BLOCK_LENGTH 64U
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+
+typedef struct {
+	EVP_MD_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_MD_CTX _ctx;
+#endif
+} isc_md5_t;
+
+#elif PKCS11CRYPTO
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_md5_t;
+
+#else
+
+typedef struct {
+	uint32_t buf[4];
+	uint32_t bytes[2];
+	uint32_t in[16];
+} isc_md5_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_md5_init(isc_md5_t *ctx);
+
+void
+isc_md5_invalidate(isc_md5_t *ctx);
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len);
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
+
+bool
+isc_md5_check(bool testing);
+
+ISC_LANG_ENDDECLS
+
+#endif /* !PK11_MD5_DISABLE */
+
+#endif /* ISC_MD5_H */
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
new file mode 100644
index 0000000..8f01856
--- /dev/null
+++ b/lib/isc/include/isc/mem.h
@@ -0,0 +1,755 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MEM_H
+#define ISC_MEM_H 1
+
+/*! \file isc/mem.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/json.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+#include <isc/xml.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISC_MEM_LOWATER 0
+#define ISC_MEM_HIWATER 1
+typedef void (*isc_mem_water_t)(void *, int);
+
+typedef void * (*isc_memalloc_t)(void *, size_t);
+typedef void (*isc_memfree_t)(void *, void *);
+
+/*%
+ * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
+ * allocation and freeing by file and line number.
+ */
+#ifndef ISC_MEM_TRACKLINES
+#define ISC_MEM_TRACKLINES 1
+#endif
+
+/*%
+ * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
+ * the requested space.  This will increase the size of each allocation.
+ *
+ * If we are performing a Coverity static analysis then ISC_MEM_CHECKOVERRUN
+ * can hide bugs that would otherwise discovered so force to zero.
+ */
+#ifdef __COVERITY__
+#undef ISC_MEM_CHECKOVERRUN
+#define ISC_MEM_CHECKOVERRUN 0
+#endif
+#ifndef ISC_MEM_CHECKOVERRUN
+#define ISC_MEM_CHECKOVERRUN 1
+#endif
+
+/*%
+ * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
+ * with the byte string '0xbe'.  This helps track down uninitialized pointers
+ * and the like.  On freeing memory, the space is filled with '0xde' for
+ * the same reasons.
+ *
+ * If we are performing a Coverity static analysis then ISC_MEM_FILL
+ * can hide bugs that would otherwise discovered so force to zero.
+ */
+#ifdef __COVERITY__
+#undef ISC_MEM_FILL
+#define ISC_MEM_FILL 0
+#endif
+#ifndef ISC_MEM_FILL
+#define ISC_MEM_FILL 1
+#endif
+
+/*%
+ * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
+ * name so that the leaking pool can be more readily identified in
+ * case of a memory leak.
+ */
+#ifndef ISC_MEMPOOL_NAMES
+#define ISC_MEMPOOL_NAMES 1
+#endif
+
+LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
+LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_defaultflags;
+
+/*@{*/
+#define ISC_MEM_DEBUGTRACE		0x00000001U
+#define ISC_MEM_DEBUGRECORD		0x00000002U
+#define ISC_MEM_DEBUGUSAGE		0x00000004U
+#define ISC_MEM_DEBUGSIZE		0x00000008U
+#define ISC_MEM_DEBUGCTX		0x00000010U
+#define ISC_MEM_DEBUGALL		0x0000001FU
+/*!<
+ * The variable isc_mem_debugging holds a set of flags for
+ * turning certain memory debugging options on or off at
+ * runtime.  It is initialized to the value ISC_MEM_DEGBUGGING,
+ * which is 0 by default but may be overridden at compile time.
+ * The following flags can be specified:
+ *
+ * \li #ISC_MEM_DEBUGTRACE
+ *	Log each allocation and free to isc_lctx.
+ *
+ * \li #ISC_MEM_DEBUGRECORD
+ *	Remember each allocation, and match them up on free.
+ *	Crash if a free doesn't match an allocation.
+ *
+ * \li #ISC_MEM_DEBUGUSAGE
+ *	If a hi_water mark is set, print the maximum inuse memory
+ *	every time it is raised once it exceeds the hi_water mark.
+ *
+ * \li #ISC_MEM_DEBUGSIZE
+ *	Check the size argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
+ *
+ * \li #ISC_MEM_DEBUGCTX
+ *	Check the mctx argument being passed to isc_mem_put() matches
+ *	that passed to isc_mem_get().
+ */
+/*@}*/
+
+#if ISC_MEM_TRACKLINES
+#define _ISC_MEM_FILELINE	, __FILE__, __LINE__
+#define _ISC_MEM_FLARG		, const char *, unsigned int
+#else
+#define _ISC_MEM_FILELINE
+#define _ISC_MEM_FLARG
+#endif
+
+/*!
+ * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
+ * implementation in preference to the system one.  The internal malloc()
+ * is very space-efficient, and quite fast on uniprocessor systems.  It
+ * performs poorly on multiprocessor machines.
+ * JT: we can overcome the performance issue on multiprocessor machines
+ * by carefully separating memory contexts.
+ */
+
+#ifndef ISC_MEM_USE_INTERNAL_MALLOC
+#define ISC_MEM_USE_INTERNAL_MALLOC 1
+#endif
+
+/*
+ * Flags for isc_mem_create2()calls.
+ */
+#define ISC_MEMFLAG_NOLOCK	0x00000001	 /* no lock is necessary */
+#define ISC_MEMFLAG_INTERNAL	0x00000002	 /* use internal malloc */
+#if ISC_MEM_USE_INTERNAL_MALLOC
+#define ISC_MEMFLAG_DEFAULT 	ISC_MEMFLAG_INTERNAL
+#else
+#define ISC_MEMFLAG_DEFAULT 	0
+#endif
+
+
+/*%<
+ * We use either isc___mem (three underscores) or isc__mem (two) depending on
+ * whether it's for BIND9's internal purpose (with -DBIND9) or generic export
+ * library.
+ */
+#define ISCMEMFUNC(sfx) isc__mem_ ## sfx
+#define ISCMEMPOOLFUNC(sfx) isc__mempool_ ## sfx
+
+#define isc_mem_get(c, s)	ISCMEMFUNC(get)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s)	ISCMEMFUNC(allocate)((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) ISCMEMFUNC(reallocate)((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p)	ISCMEMFUNC(strdup)((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_get(c)	ISCMEMPOOLFUNC(get)((c) _ISC_MEM_FILELINE)
+
+/*%
+ * isc_mem_putanddetach() is a convenience function for use where you
+ * have a structure with an attached memory context.
+ *
+ * Given:
+ *
+ * \code
+ * struct {
+ *	...
+ *	isc_mem_t *mctx;
+ *	...
+ * } *ptr;
+ *
+ * isc_mem_t *mctx;
+ *
+ * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
+ * \endcode
+ *
+ * is the equivalent of:
+ *
+ * \code
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr));
+ * isc_mem_detach(&mctx);
+ * \endcode
+ */
+
+/*% memory and memory pool methods */
+typedef struct isc_memmethods {
+	void (*attach)(isc_mem_t *source, isc_mem_t **targetp);
+	void (*detach)(isc_mem_t **mctxp);
+	void (*destroy)(isc_mem_t **mctxp);
+	void *(*memget)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void (*memput)(isc_mem_t *mctx, void *ptr, size_t size _ISC_MEM_FLARG);
+	void (*memputanddetach)(isc_mem_t **mctxp, void *ptr,
+				size_t size _ISC_MEM_FLARG);
+	void *(*memallocate)(isc_mem_t *mctx, size_t size _ISC_MEM_FLARG);
+	void *(*memreallocate)(isc_mem_t *mctx, void *ptr,
+			       size_t size _ISC_MEM_FLARG);
+	char *(*memstrdup)(isc_mem_t *mctx, const char *s _ISC_MEM_FLARG);
+	void (*memfree)(isc_mem_t *mctx, void *ptr _ISC_MEM_FLARG);
+	void (*setdestroycheck)(isc_mem_t *mctx, bool flag);
+	void (*setwater)(isc_mem_t *ctx, isc_mem_water_t water,
+			 void *water_arg, size_t hiwater, size_t lowater);
+	void (*waterack)(isc_mem_t *ctx, int flag);
+	size_t (*inuse)(isc_mem_t *mctx);
+	size_t (*maxinuse)(isc_mem_t *mctx);
+	size_t (*total)(isc_mem_t *mctx);
+	bool (*isovermem)(isc_mem_t *mctx);
+	isc_result_t (*mpcreate)(isc_mem_t *mctx, size_t size,
+				 isc_mempool_t **mpctxp);
+} isc_memmethods_t;
+
+typedef struct isc_mempoolmethods {
+	void (*destroy)(isc_mempool_t **mpctxp);
+	void *(*get)(isc_mempool_t *mpctx _ISC_MEM_FLARG);
+	void (*put)(isc_mempool_t *mpctx, void *mem _ISC_MEM_FLARG);
+	unsigned int (*getallocated)(isc_mempool_t *mpctx);
+	void (*setmaxalloc)(isc_mempool_t *mpctx, unsigned int limit);
+	void (*setfreemax)(isc_mempool_t *mpctx, unsigned int limit);
+	void (*setname)(isc_mempool_t *mpctx, const char *name);
+	void (*associatelock)(isc_mempool_t *mpctx, isc_mutex_t *lock);
+	void (*setfillcount)(isc_mempool_t *mpctx, unsigned int limit);
+} isc_mempoolmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a memory context
+ * implementation's version of an isc_mem_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  mctx implementations
+ * may change the structure.  'magic' must be ISCAPI_MCTX_MAGIC for any of the
+ * isc_mem_ routines to work.  mctx implementations must maintain all mctx
+ * invariants.
+ */
+struct isc_mem {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_memmethods_t	*methods;
+};
+
+#define ISCAPI_MCTX_MAGIC	ISC_MAGIC('A','m','c','x')
+#define ISCAPI_MCTX_VALID(m)	((m) != NULL && \
+				 (m)->magic == ISCAPI_MCTX_MAGIC)
+
+/*%
+ * This is the common prefix of a memory pool context.  The same note as
+ * that for the mem structure applies.
+ */
+struct isc_mempool {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_mempoolmethods_t	*methods;
+};
+
+#define ISCAPI_MPOOL_MAGIC	ISC_MAGIC('A','m','p','l')
+#define ISCAPI_MPOOL_VALID(mp)	((mp) != NULL && \
+				 (mp)->magic == ISCAPI_MPOOL_MAGIC)
+
+#define isc_mem_put(c, p, s) \
+	do { \
+		ISCMEMFUNC(put)((c), (p), (s) _ISC_MEM_FILELINE);	\
+		(p) = NULL; \
+	} while (0)
+#define isc_mem_putanddetach(c, p, s) \
+	do { \
+		ISCMEMFUNC(putanddetach)((c), (p), (s) _ISC_MEM_FILELINE); \
+		(p) = NULL; \
+	} while (0)
+#define isc_mem_free(c, p) \
+	do { \
+		ISCMEMFUNC(free)((c), (p) _ISC_MEM_FILELINE);	\
+		(p) = NULL; \
+	} while (0)
+#define isc_mempool_put(c, p) \
+	do { \
+		ISCMEMPOOLFUNC(put)((c), (p) _ISC_MEM_FILELINE);	\
+		(p) = NULL; \
+	} while (0)
+
+/*@{*/
+isc_result_t
+isc_mem_create(size_t max_size, size_t target_size,
+	       isc_mem_t **mctxp);
+
+isc_result_t
+isc_mem_create2(size_t max_size, size_t target_size,
+		isc_mem_t **mctxp, unsigned int flags);
+
+isc_result_t
+isc_mem_createx(size_t max_size, size_t target_size,
+		isc_memalloc_t memalloc, isc_memfree_t memfree,
+		void *arg, isc_mem_t **mctxp);
+
+isc_result_t
+isc_mem_createx2(size_t max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree,
+		 void *arg, isc_mem_t **mctxp, unsigned int flags);
+
+/*!<
+ * \brief Create a memory context.
+ *
+ * 'max_size' and 'target_size' are tuning parameters.  When
+ * ISC_MEMFLAG_INTERNAL is set, allocations smaller than 'max_size'
+ * will be satisfied by getting blocks of size 'target_size' from the
+ * system allocator and breaking them up into pieces; larger allocations
+ * will use the system allocator directly. If 'max_size' and/or
+ * 'target_size' are zero, default values will be * used.  When
+ * ISC_MEMFLAG_INTERNAL is not set, 'target_size' is ignored.
+ *
+ * 'max_size' is also used to size the statistics arrays and the array
+ * used to record active memory when ISC_MEM_DEBUGRECORD is set.  Setting
+ * 'max_size' too low can have detrimental effects on performance.
+ *
+ * A memory context created using isc_mem_createx() will obtain
+ * memory from the system by calling 'memalloc' and 'memfree',
+ * passing them the argument 'arg'.  A memory context created
+ * using isc_mem_create() will use the standard library malloc()
+ * and free().
+ *
+ * If ISC_MEMFLAG_NOLOCK is set in 'flags', the corresponding memory context
+ * will be accessed without locking.  The user who creates the context must
+ * ensure there be no race.  Since this can be a source of bug, it is generally
+ * inadvisable to use this flag unless the user is very sure about the race
+ * condition and the access to the object is highly performance sensitive.
+ *
+ * Requires:
+ * mctxp != NULL && *mctxp == NULL */
+/*@}*/
+
+/*@{*/
+void
+isc_mem_attach(isc_mem_t *, isc_mem_t **);
+void
+isc_mem_detach(isc_mem_t **);
+/*!<
+ * \brief Attach to / detach from a memory context.
+ *
+ * This is intended for applications that use multiple memory contexts
+ * in such a way that it is not obvious when the last allocations from
+ * a given context has been freed and destroying the context is safe.
+ *
+ * Most applications do not need to call these functions as they can
+ * simply create a single memory context at the beginning of main()
+ * and destroy it at the end of main(), thereby guaranteeing that it
+ * is not destroyed while there are outstanding allocations.
+ */
+/*@}*/
+
+void
+isc_mem_destroy(isc_mem_t **);
+/*%<
+ * Destroy a memory context.
+ */
+
+isc_result_t
+isc_mem_ondestroy(isc_mem_t *ctx,
+		  isc_task_t *task,
+		  isc_event_t **event);
+/*%<
+ * Request to be notified with an event when a memory context has
+ * been successfully destroyed.
+ */
+
+void
+isc_mem_stats(isc_mem_t *mctx, FILE *out);
+/*%<
+ * Print memory usage statistics for 'mctx' on the stream 'out'.
+ */
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx,
+			bool on);
+/*%<
+ * If 'on' is true, 'mctx' will check for memory leaks when
+ * destroyed and abort the program if any are present.
+ */
+
+/*@{*/
+void
+isc_mem_setquota(isc_mem_t *, size_t);
+size_t
+isc_mem_getquota(isc_mem_t *);
+/*%<
+ * Set/get the memory quota of 'mctx'.  This is a hard limit
+ * on the amount of memory that may be allocated from mctx;
+ * if it is exceeded, allocations will fail.
+ */
+/*@}*/
+
+size_t
+isc_mem_inuse(isc_mem_t *mctx);
+/*%<
+ * Get an estimate of the amount of memory in use in 'mctx', in bytes.
+ * This includes quantization overhead, but does not include memory
+ * allocated from the system but not yet used.
+ */
+
+size_t
+isc_mem_maxinuse(isc_mem_t *mctx);
+/*%<
+ * Get an estimate of the largest amount of memory that has been in
+ * use in 'mctx' at any time.
+ */
+
+size_t
+isc_mem_total(isc_mem_t *mctx);
+/*%<
+ * Get the total amount of memory in 'mctx', in bytes, including memory
+ * not yet used.
+ */
+
+bool
+isc_mem_isovermem(isc_mem_t *mctx);
+/*%<
+ * Return true iff the memory context is in "over memory" state, i.e.,
+ * a hiwater mark has been set and the used amount of memory has exceeds
+ * the mark.
+ */
+
+void
+isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
+		 size_t hiwater, size_t lowater);
+/*%<
+ * Set high and low water marks for this memory context.
+ *
+ * When the memory usage of 'mctx' exceeds 'hiwater',
+ * '(water)(water_arg, #ISC_MEM_HIWATER)' will be called.  'water' needs to
+ * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowledge the state
+ * change.  'water' may be called multiple times.
+ *
+ * When the usage drops below 'lowater', 'water' will again be called, this
+ * time with #ISC_MEM_LOWATER.  'water' need to calls isc_mem_waterack() with
+ * #ISC_MEM_LOWATER to acknowledge the change.
+ *
+ *	static void
+ *	water(void *arg, int mark) {
+ *		struct foo *foo = arg;
+ *
+ *		LOCK(&foo->marklock);
+ *		if (foo->mark != mark) {
+ * 			foo->mark = mark;
+ *			....
+ *			isc_mem_waterack(foo->mctx, mark);
+ *		}
+ *		UNLOCK(&foo->marklock);
+ *	}
+ *
+ * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
+ * ignored and the state is reset.
+ *
+ * Requires:
+ *
+ *	'water' is not NULL.
+ *	hi_water >= lo_water
+ */
+
+void
+isc_mem_waterack(isc_mem_t *ctx, int mark);
+/*%<
+ * Called to acknowledge changes in signaled by calls to 'water'.
+ */
+
+void
+isc_mem_printactive(isc_mem_t *mctx, FILE *file);
+/*%<
+ * Print to 'file' all active memory in 'mctx'.
+ *
+ * Requires ISC_MEM_DEBUGRECORD to have been set.
+ */
+
+void
+isc_mem_printallactive(FILE *file);
+/*%<
+ * Print to 'file' all active memory in all contexts.
+ *
+ * Requires ISC_MEM_DEBUGRECORD to have been set.
+ */
+
+void
+isc_mem_checkdestroyed(FILE *file);
+/*%<
+ * Check that all memory contexts have been destroyed.
+ * Prints out those that have not been.
+ * Fatally fails if there are still active contexts.
+ */
+
+unsigned int
+isc_mem_references(isc_mem_t *ctx);
+/*%<
+ * Return the current reference count.
+ */
+
+void
+isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+/*%<
+ * Name 'ctx'.
+ *
+ * Notes:
+ *
+ *\li	Only the first 15 characters of 'name' will be copied.
+ *
+ *\li	'tag' is for debugging purposes only.
+ *
+ * Requires:
+ *
+ *\li	'ctx' is a valid ctx.
+ */
+
+const char *
+isc_mem_getname(isc_mem_t *ctx);
+/*%<
+ * Get the name of 'ctx', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Returns:
+ *\li	A non-NULL pointer to a null-terminated string.
+ * 	If the ctx has not been named, the string is
+ * 	empty.
+ */
+
+void *
+isc_mem_gettag(isc_mem_t *ctx);
+/*%<
+ * Get the tag value for  'task', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'ctx' is a valid task.
+ */
+
+#ifdef HAVE_LIBXML2
+int
+isc_mem_renderxml(xmlTextWriterPtr writer);
+/*%<
+ * Render all contexts' statistics and status in XML for writer.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+isc_result_t
+isc_mem_renderjson(json_object *memobj);
+/*%<
+ * Render all contexts' statistics and status in JSON.
+ */
+#endif /* HAVE_JSON */
+
+
+/*
+ * Memory pools
+ */
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+/*%<
+ * Create a memory pool.
+ *
+ * Requires:
+ *\li	mctx is a valid memory context.
+ *\li	size > 0
+ *\li	mpctxp != NULL and *mpctxp == NULL
+ *
+ * Defaults:
+ *\li	maxalloc = UINT_MAX
+ *\li	freemax = 1
+ *\li	fillcount = 1
+ *
+ * Returns:
+ *\li	#ISC_R_NOMEMORY		-- not enough memory to create pool
+ *\li	#ISC_R_SUCCESS		-- all is well.
+ */
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp);
+/*%<
+ * Destroy a memory pool.
+ *
+ * Requires:
+ *\li	mpctxp != NULL && *mpctxp is a valid pool.
+ *\li	The pool has no un"put" allocations outstanding
+ */
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
+/*%<
+ * Associate a name with a memory pool.  At most 15 characters may be used.
+ *
+ * Requires:
+ *\li	mpctx is a valid pool.
+ *\li	name != NULL;
+ */
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
+/*%<
+ * Associate a lock with this memory pool.
+ *
+ * This lock is used when getting or putting items using this memory pool,
+ * and it is also used to set or get internal state via the isc_mempool_get*()
+ * and isc_mempool_set*() set of functions.
+ *
+ * Multiple pools can each share a single lock.  For instance, if "manager"
+ * type object contained pools for various sizes of events, and each of
+ * these pools used a common lock.  Note that this lock must NEVER be used
+ * by other than mempool routines once it is given to a pool, since that can
+ * easily cause double locking.
+ *
+ * Requires:
+ *
+ *\li	mpctpx is a valid pool.
+ *
+ *\li	lock != NULL.
+ *
+ *\li	No previous lock is assigned to this pool.
+ *
+ *\li	The lock is initialized before calling this function via the normal
+ *	means of doing that.
+ */
+
+/*
+ * The following functions get/set various parameters.  Note that due to
+ * the unlocked nature of pools these are potentially random values unless
+ * the imposed externally provided locking protocols are followed.
+ *
+ * Also note that the quota limits will not always take immediate effect.
+ * For instance, setting "maxalloc" to a number smaller than the currently
+ * allocated count is permitted.  New allocations will be refused until
+ * the count drops below this threshold.
+ *
+ * All functions require (in addition to other requirements):
+ *	mpctx is a valid memory pool
+ */
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx);
+/*%<
+ * Returns the maximum allowed size of the free list.
+ */
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the maximum allowed size of the free list.
+ */
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx);
+/*%<
+ * Returns current size of the free list.
+ */
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
+/*!<
+ * Returns the maximum allowed number of allocations.
+ */
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the maximum allowed number of allocations.
+ *
+ * Additional requirements:
+ *\li	limit > 0
+ */
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx);
+/*%<
+ * Returns the number of items allocated from this pool.
+ */
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx);
+/*%<
+ * Returns the number of items allocated as a block from the parent memory
+ * context when the free list is empty.
+ */
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+/*%<
+ * Sets the fillcount.
+ *
+ * Additional requirements:
+ *\li	limit > 0
+ */
+
+
+/*
+ * Pseudo-private functions for use via macros.  Do not call directly.
+ */
+void *
+ISCMEMFUNC(get)(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void
+ISCMEMFUNC(putanddetach)(isc_mem_t **, void *, size_t _ISC_MEM_FLARG);
+void
+ISCMEMFUNC(put)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+void *
+ISCMEMFUNC(allocate)(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void *
+ISCMEMFUNC(reallocate)(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+void
+ISCMEMFUNC(free)(isc_mem_t *, void * _ISC_MEM_FLARG);
+char *
+ISCMEMFUNC(strdup)(isc_mem_t *, const char *_ISC_MEM_FLARG);
+void *
+ISCMEMPOOLFUNC(get)(isc_mempool_t * _ISC_MEM_FLARG);
+void
+ISCMEMPOOLFUNC(put)(isc_mempool_t *, void * _ISC_MEM_FLARG);
+
+/*%<
+ * See isc_mem_create2() above.
+ */
+typedef isc_result_t
+(*isc_memcreatefunc_t)(size_t init_max_size, size_t target_size,
+		       isc_mem_t **ctxp, unsigned int flags);
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc);
+/*%<
+ * Register a new memory management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * memory management library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__mem_register(void);
+/*%<
+ * A short cut function that specifies the memory management module in the ISC
+ * library for isc_mem_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MEM_H */
diff --git a/lib/isc/include/isc/meminfo.h b/lib/isc/include/isc/meminfo.h
new file mode 100644
index 0000000..c2c7e57
--- /dev/null
+++ b/lib/isc/include/isc/meminfo.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MEMINFO_H
+#define ISC_MEMINFO_H 1
+
+#include <inttypes.h>
+
+#include <isc/types.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+uint64_t
+isc_meminfo_totalphys(void);
+/*%<
+ * Return total available physical memory in bytes, or 0 if this cannot
+ * be determined
+*/
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MEMINFO_H */
diff --git a/lib/isc/include/isc/msgcat.h b/lib/isc/include/isc/msgcat.h
new file mode 100644
index 0000000..3b533d6
--- /dev/null
+++ b/lib/isc/include/isc/msgcat.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MSGCAT_H
+#define ISC_MSGCAT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/msgcat.h
+ * \brief The ISC Message Catalog
+ * aids internationalization of applications by allowing
+ * messages to be retrieved from locale-specific files instead of
+ * hardwiring them into the application.  This allows translations of
+ * messages appropriate to the locale to be supplied without recompiling
+ * the application.
+ *
+ * Notes:
+ *\li	It's very important that message catalogs work, even if only the
+ *	default_text can be used.
+ *
+ * MP:
+ *\li	The caller must ensure appropriate synchronization of
+ *	isc_msgcat_open() and isc_msgcat_close().  isc_msgcat_get()
+ *	ensures appropriate synchronization.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Methods
+ *****/
+
+void
+isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp);
+/*%<
+ * Open a message catalog.
+ *
+ * Notes:
+ *
+ *\li	If memory cannot be allocated or other failures occur, *msgcatp
+ *	will be set to NULL.  If a NULL msgcat is given to isc_msgcat_get(),
+ *	the default_text will be returned, ensuring that some message text
+ *	will be available, no matter what's going wrong.
+ *
+ * Requires:
+ *
+ *\li	'name' is a valid string.
+ *
+ *\li	msgcatp != NULL && *msgcatp == NULL
+ */
+
+void
+isc_msgcat_close(isc_msgcat_t **msgcatp);
+/*%<
+ * Close a message catalog.
+ *
+ * Notes:
+ *
+ *\li	Any string pointers returned by prior calls to isc_msgcat_get() are
+ *	invalid after isc_msgcat_close() has been called and must not be
+ *	used.
+ *
+ * Requires:
+ *
+ *\li	*msgcatp is a valid message catalog or is NULL.
+ *
+ * Ensures:
+ *
+ *\li	All resources associated with the message catalog are released.
+ *
+ *\li	*msgcatp == NULL
+ */
+
+const char *
+isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
+	       const char *default_text);
+/*%<
+ * Get message 'message' from message set 'set' in 'msgcat'.  If it
+ * is not available, use 'default_text'.
+ *
+ * Requires:
+ *
+ *\li	'msgcat' is a valid message catalog or is NULL.
+ *
+ *\li	set > 0
+ *
+ *\li	message > 0
+ *
+ *\li	'default_text' is a valid string.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MSGCAT_H */
diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h
new file mode 100644
index 0000000..01e3b48
--- /dev/null
+++ b/lib/isc/include/isc/msgs.h
@@ -0,0 +1,188 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MSGS_H
+#define ISC_MSGS_H 1
+
+/*! \file isc/msgs.h */
+
+#include <isc/lib.h>		/* Provide isc_msgcat global variable. */
+#include <isc/msgcat.h>		/* Provide isc_msgcat_*() functions. */
+
+/*@{*/
+/*!
+ * \brief Message sets, named per source file, excepting "GENERAL".
+ *
+ * IMPORTANT: The original list is alphabetical, but any new sets must
+ * be added to the end.
+ */
+#define ISC_MSGSET_GENERAL	1
+/*	ISC_RESULT_RESULTSET    2 */     /* XXX */
+/*	ISC_RESULT_UNAVAILABLESET 3 */   /* XXX */
+#define ISC_MSGSET_APP		4
+#define ISC_MSGSET_COMMANDLINE	5
+#define ISC_MSGSET_ENTROPY	6
+#define ISC_MSGSET_IFITERIOCTL	7
+#define ISC_MSGSET_IFITERSYSCTL	8
+#define ISC_MSGSET_LEX		9
+#define ISC_MSGSET_LOG		10
+#define ISC_MSGSET_MEM		11
+#define ISC_MSGSET_NETADDR	12
+#define ISC_MSGSET_PRINT	13
+#define ISC_MSGSET_RESULT	14
+#define ISC_MSGSET_RWLOCK	15
+#define ISC_MSGSET_SOCKADDR	16
+#define ISC_MSGSET_SOCKET	17
+#define ISC_MSGSET_TASK		18
+#define ISC_MSGSET_TIMER	19
+#define ISC_MSGSET_UTIL		20
+#define ISC_MSGSET_IFITERGETIFADDRS 21
+/*@}*/
+
+/*@{*/
+/*!
+ * Message numbers
+ * are only required to be unique per message set,
+ * but are unique throughout the entire catalog to not be as confusing when
+ * debugging.
+ *
+ * The initial numbering was done by multiply by 100 the set number the
+ * message appears in then adding the incremental message number.
+ */
+#define ISC_MSG_FAILED		101 /*%< "failed" */
+#define ISC_MSG_SUCCEEDED	102 /*%< Compatible with "failed" */
+#define ISC_MSG_SUCCESS		103 /*%< More usual way to say "success" */
+#define ISC_MSG_STARTING	104 /*%< As in "daemon: starting" */
+#define ISC_MSG_STOPING		105 /*%< As in "daemon: stopping" */
+#define ISC_MSG_ENTERING	106 /*%< As in "some_subr: entering" */
+#define ISC_MSG_EXITING		107 /*%< As in "some_subr: exiting" */
+#define ISC_MSG_CALLING		108 /*%< As in "calling some_subr()" */
+#define ISC_MSG_RETURNED	109 /*%< As in "some_subr: returned <foo>" */
+#define ISC_MSG_FATALERROR	110 /*%< "fatal error" */
+#define ISC_MSG_SHUTTINGDOWN	111 /*%< "shutting down" */
+#define ISC_MSG_RUNNING		112 /*%< "running" */
+#define ISC_MSG_WAIT		113 /*%< "wait" */
+#define ISC_MSG_WAITUNTIL	114 /*%< "waituntil" */
+
+#define ISC_MSG_SIGNALSETUP	201 /*%< "handle_signal() %d setup: %s" */
+
+#define ISC_MSG_ILLEGALOPT	301 /*%< "illegal option" */
+#define ISC_MSG_OPTNEEDARG	302 /*%< "option requires an argument" */
+
+#define ISC_MSG_ENTROPYSTATS	401 /*%< "Entropy pool %p:  refcnt %u ..." */
+
+#define ISC_MSG_MAKESCANSOCKET	501 /*%< "making interface scan socket: %s" */
+#define ISC_MSG_GETIFCONFIG	502 /*%< "get interface configuration: %s" */
+#define ISC_MSG_BUFFERMAX	503 /*%< "... maximum buffer size exceeded" */
+#define ISC_MSG_GETDESTADDR	504 /*%< "%s: getting destination address: %s" */
+#define ISC_MSG_GETNETMASK	505 /*%< "%s: getting netmask: %s" */
+
+#define ISC_MSG_GETIFLISTSIZE	601 /*%< "getting interface list size: ..." */
+#define ISC_MSG_GETIFLIST	602 /*%< "getting interface list: ..." */
+#define ISC_MSG_UNEXPECTEDTYPE	603 /*%< "... unexpected ... message type" */
+
+#define ISC_MSG_UNEXPECTEDSTATE	701 /*%< "Unexpected state %d" */
+
+#define ISC_MSG_BADTIME		801 /*%< "Bad 00 99:99:99.999 " */
+#define ISC_MSG_LEVEL		802 /*%< "level %d: " */
+
+#define ISC_MSG_ADDTRACE	901 /*%< "add %p size %u " */
+#define ISC_MSG_DELTRACE	902 /*%< "del %p size %u " */
+#define ISC_MSG_POOLSTATS	903 /*%< "[Pool statistics]\n" */
+#define ISC_MSG_POOLNAME	904 /*%< "name" */
+#define ISC_MSG_POOLSIZE	905 /*%< "size" */
+#define ISC_MSG_POOLMAXALLOC	906 /*%< "maxalloc" */
+#define ISC_MSG_POOLALLOCATED	907 /*%< "allocated" */
+#define ISC_MSG_POOLFREECOUNT	908 /*%< "freecount" */
+#define ISC_MSG_POOLFREEMAX	909 /*%< "freemax" */
+#define ISC_MSG_POOLFILLCOUNT	910 /*%< "fillcount" */
+#define ISC_MSG_POOLGETS	911 /*%< "gets" */
+#define ISC_MSG_DUMPALLOC	912 /*%< "DUMP OF ALL OUTSTANDING MEMORY ..." */
+#define ISC_MSG_NONE		913 /*%< "\tNone.\n" */
+#define ISC_MSG_PTRFILELINE	914 /*%< "\tptr %p file %s line %u\n" */
+
+#define ISC_MSG_UNKNOWNADDR    1001 /*%< "<unknown address, family %u>" */
+
+#define ISC_MSG_NOLONGDBL      1104 /*%< "long doubles are not supported" */
+
+#define ISC_MSG_PRINTLOCK      1201 /*%< "rwlock %p thread %lu ..." */
+#define ISC_MSG_READ	       1202 /*%< "read" */
+#define ISC_MSG_WRITE	       1203 /*%< "write" */
+#define ISC_MSG_READING	       1204 /*%< "reading" */
+#define ISC_MSG_WRITING	       1205 /*%< "writing" */
+#define ISC_MSG_PRELOCK	       1206 /*%< "prelock" */
+#define ISC_MSG_POSTLOCK       1207 /*%< "postlock" */
+#define ISC_MSG_PREUNLOCK      1208 /*%< "preunlock" */
+#define ISC_MSG_POSTUNLOCK     1209 /*%< "postunlock" */
+#define ISC_MSG_PRINTLOCK2     1210 /*%< "rwlock %p thread %lu ..." w/ atomic */
+
+#define ISC_MSG_UNKNOWNFAMILY  1301 /*%< "unknown address family: %d" */
+
+#define ISC_MSG_WRITEFAILED    1401 /*%< "write() failed during watcher ..." */
+#define ISC_MSG_READFAILED     1402 /*%< "read() failed during watcher ... " */
+#define ISC_MSG_PROCESSCMSG    1403 /*%< "processing cmsg %p" */
+#define ISC_MSG_IFRECEIVED     1404 /*%< "interface received on ifindex %u" */
+#define ISC_MSG_SENDTODATA     1405 /*%< "sendto pktinfo data, ifindex %u" */
+#define ISC_MSG_DOIORECV       1406 /*%< "doio_recv: recvmsg(%d) %d bytes ..." */
+#define ISC_MSG_PKTRECV	       1407 /*%< "packet received correctly" */
+#define ISC_MSG_DESTROYING     1408 /*%< "destroying" */
+#define ISC_MSG_CREATED	       1409 /*%< "created" */
+#define ISC_MSG_ACCEPTLOCK     1410 /*%< "internal_accept called, locked ..." */
+#define ISC_MSG_ACCEPTEDCXN    1411 /*%< "accepted connection, new socket %p" */
+#define ISC_MSG_INTERNALRECV   1412 /*%< "internal_recv: task %p got event %p" */
+#define ISC_MSG_INTERNALSEND   1413 /*%< "internal_send: task %p got event %p" */
+#define ISC_MSG_WATCHERMSG     1414 /*%< "watcher got message %d" */
+#define ISC_MSG_SOCKETSREMAIN  1415 /*%< "sockets exist" */
+#define ISC_MSG_PKTINFOPROVIDED	1416 /*%< "pktinfo structure provided, ..." */
+#define ISC_MSG_BOUND	       1417 /*%< "bound" */
+#define ISC_MSG_ACCEPTRETURNED 1418 /*%< accept() returned %d/%s */
+#define ISC_MSG_TOOMANYFDS     1419 /*%< %s: too many open file descriptors */
+#define ISC_MSG_ZEROPORT       1420 /*%< dropping source port zero packet */
+#define ISC_MSG_FILTER	       1421 /*%< setsockopt(SO_ACCEPTFILTER): %s */
+
+#define ISC_MSG_TOOMANYHANDLES 1422 /*%< %s: too many open WSA event handles: %s */
+#define ISC_MSG_POKED          1423 /*%< "poked flags: %d" */
+
+#define ISC_MSG_AWAKE	       1502 /*%< "awake" */
+#define ISC_MSG_WORKING	       1503 /*%< "working" */
+#define ISC_MSG_EXECUTE	       1504 /*%< "execute action" */
+#define ISC_MSG_EMPTY	       1505 /*%< "empty" */
+#define ISC_MSG_DONE	       1506 /*%< "done" */
+#define ISC_MSG_QUANTUM	       1507 /*%< "quantum" */
+
+#define ISC_MSG_SCHEDULE       1601 /*%< "schedule" */
+#define ISC_MSG_SIGNALSCHED    1602 /*%< "signal (schedule)" */
+#define ISC_MSG_SIGNALDESCHED  1603 /*%< "signal (deschedule)" */
+#define ISC_MSG_SIGNALDESTROY  1604 /*%< "signal (destroy)" */
+#define ISC_MSG_IDLERESCHED    1605 /*%< "idle reschedule" */
+#define ISC_MSG_EVENTNOTALLOC  1606 /*%< "couldn't allocate event" */
+#define ISC_MSG_SCHEDFAIL      1607 /*%< "couldn't schedule timer: %u" */
+#define ISC_MSG_POSTING	       1608 /*%< "posting" */
+#define ISC_MSG_WAKEUP	       1609 /*%< "wakeup" */
+
+#define ISC_MSG_LOCK	       1701 /*%< "LOCK" */
+#define ISC_MSG_LOCKING	       1702 /*%< "LOCKING" */
+#define ISC_MSG_LOCKED	       1703 /*%< "LOCKED" */
+#define ISC_MSG_UNLOCKED       1704 /*%< "UNLOCKED" */
+#define ISC_MSG_RWLOCK	       1705 /*%< "RWLOCK" */
+#define ISC_MSG_RWLOCKED       1706 /*%< "RWLOCKED" */
+#define ISC_MSG_RWUNLOCK       1707 /*%< "RWUNLOCK" */
+#define ISC_MSG_BROADCAST      1708 /*%< "BROADCAST" */
+#define ISC_MSG_SIGNAL	       1709 /*%< "SIGNAL" */
+#define ISC_MSG_UTILWAIT       1710 /*%< "WAIT" */
+#define ISC_MSG_WAITED	       1711 /*%< "WAITED" */
+
+#define ISC_MSG_GETIFADDRS     1801 /*%< "getting interface addresses: ..." */
+
+/*@}*/
+
+#endif /* ISC_MSGS_H */
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
new file mode 100644
index 0000000..f00088d
--- /dev/null
+++ b/lib/isc/include/isc/mutexblock.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MUTEXBLOCK_H
+#define ISC_MUTEXBLOCK_H 1
+
+/*! \file isc/mutexblock.h */
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
+/*%<
+ * Initialize a block of locks.  If an error occurs all initialized locks
+ * will be destroyed, if possible.
+ *
+ * Requires:
+ *
+ *\li	block != NULL
+ *
+ *\li	count > 0
+ *
+ * Returns:
+ *
+ *\li	Any code isc_mutex_init() can return is a valid return for this
+ *	function.
+ */
+
+isc_result_t
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
+/*%<
+ * Destroy a block of locks.
+ *
+ * Requires:
+ *
+ *\li	block != NULL
+ *
+ *\li	count > 0
+ *
+ *\li	Each lock in the block be initialized via isc_mutex_init() or
+ * 	the whole block was initialized via isc_mutex_initblock().
+ *
+ * Returns:
+ *
+ *\li	Any code isc_mutex_init() can return is a valid return for this
+ *	function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MUTEXBLOCK_H */
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
new file mode 100644
index 0000000..2d6b12b
--- /dev/null
+++ b/lib/isc/include/isc/netaddr.h
@@ -0,0 +1,188 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NETADDR_H
+#define ISC_NETADDR_H 1
+
+/*! \file isc/netaddr.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/types.h>
+#include <sys/un.h>
+#endif
+
+ISC_LANG_BEGINDECLS
+
+struct isc_netaddr {
+	unsigned int family;
+	union {
+		struct in_addr in;
+		struct in6_addr in6;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
+#endif
+	} type;
+	uint32_t zone;
+};
+
+bool
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
+
+/*%<
+ * Compare network addresses 'a' and 'b'.  Return #true if
+ * they are equal, #false if not.
+ */
+
+bool
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+		     unsigned int prefixlen);
+/*%<
+ * Compare the 'prefixlen' most significant bits of the network
+ * addresses 'a' and 'b'.  If 'b''s scope is zero then 'a''s scope is
+ * ignored.  Return #true if they are equal, #false if not.
+ */
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
+/*%<
+ * Convert a netmask in 's' into a prefix length in '*lenp'.
+ * The mask should consist of zero or more '1' bits in the
+ * most significant part of the address, followed by '0' bits.
+ * If this is not the case, #ISC_R_MASKNONCONTIG is returned.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_MASKNONCONTIG
+ */
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
+/*%<
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text is NOT null terminated.  Handles IPv4 and IPv6 addresses.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOSPACE	The text or the null termination did not fit.
+ *\li	#ISC_R_FAILURE	Unspecified failure
+ */
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the network address '*na'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define ISC_NETADDR_FORMATSIZE \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS")
+/*%<
+ * Minimum size of array to pass to isc_netaddr_format().
+ */
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *netaddr, const isc_sockaddr_t *source);
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
+
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path);
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, uint32_t zone);
+
+uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr);
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr);
+/*%<
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr);
+/*%<
+ * Return the IPv6 wildcard address.
+ */
+
+bool
+isc_netaddr_ismulticast(isc_netaddr_t *na);
+/*%<
+ * Returns true if the address is a multicast address.
+ */
+
+bool
+isc_netaddr_isexperimental(isc_netaddr_t *na);
+/*%<
+ * Returns true if the address is a experimental (CLASS E) address.
+ */
+
+bool
+isc_netaddr_islinklocal(isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is a link local address.
+ */
+
+bool
+isc_netaddr_issitelocal(isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is a site local address.
+ */
+
+bool
+isc_netaddr_isnetzero(isc_netaddr_t *na);
+/*%<
+ * Returns #true if the address is in net zero.
+ */
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
+/*%<
+ * Convert an IPv6 v4mapped address into an IPv4 address.
+ */
+
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
+/*
+ * Test whether the netaddr 'na' and 'prefixlen' are consistant.
+ * e.g. prefixlen within range.
+ *      na does not have bits set which are not covered by the prefixlen.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_RANGE		prefixlen out of range
+ *	ISC_R_NOTIMPLEMENTED	unsupported family
+ *	ISC_R_FAILURE		extra bits.
+ */
+
+bool
+isc_netaddr_isloopback(const isc_netaddr_t *na);
+/*
+ * Test whether the netaddr 'na' is a loopback IPv4 or IPv6 address (in
+ * 127.0.0.0/8 or ::1).
+ */
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETADDR_H */
diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h
new file mode 100644
index 0000000..22224a1
--- /dev/null
+++ b/lib/isc/include/isc/netscope.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NETSCOPE_H
+#define ISC_NETSCOPE_H 1
+
+/*! \file isc/netscope.h */
+
+#include <inttypes.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%
+ * Convert a string of an IPv6 scope zone to zone index.  If the conversion
+ * succeeds, 'zoneid' will store the index value.
+ *
+ * XXXJT: when a standard interface for this purpose is defined,
+ * we should use it.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS: conversion succeeds
+ * \li	ISC_R_FAILURE: conversion fails
+ */
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETSCOPE_H */
diff --git a/lib/isc/include/isc/ondestroy.h b/lib/isc/include/isc/ondestroy.h
new file mode 100644
index 0000000..ad1aa61
--- /dev/null
+++ b/lib/isc/include/isc/ondestroy.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: ondestroy.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
+
+#ifndef ISC_ONDESTROY_H
+#define ISC_ONDESTROY_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*! \file isc/ondestroy.h
+ * ondestroy handling.
+ *
+ * Any class ``X'' of objects that wants to send out notifications
+ * on its destruction should declare a field of type isc_ondestroy_t
+ * (call it 'ondest').
+ *
+ * \code
+ * 	typedef struct {
+ * 		...
+ * 		isc_ondestroy_t	ondest;
+ * 		...
+ * 	} X;
+ * \endcode
+ *
+ * When an object ``A'' of type X is created
+ * it must initialize the field ondest with a call to
+ *
+ * \code
+ * 	isc_ondestroy_init(&A->ondest).
+ * \endcode
+ *
+ * X should also provide a registration function for third-party
+ * objects to call to register their interest in being told about
+ * the destruction of a particular instance of X.
+ *
+ * \code
+ *	isc_result_t
+ * 	X_ondestroy(X *instance, isc_task_t *task,
+ * 		     isc_event_t **eventp) {
+ * 		return(isc_ondestroy_register(&instance->ondest, task,eventp));
+ * 	}
+ * \endcode
+ *
+ *	Note: locking of the ondestory structure embedded inside of X, is
+ * 	X's responsibility.
+ *
+ * When an instance of X is destroyed, a call to  isc_ondestroy_notify()
+ * sends the notifications:
+ *
+ * \code
+ *	X *instance;
+ *	isc_ondestroy_t ondest = instance->ondest;
+ *
+ *	... completely cleanup 'instance' here...
+ *
+ * 	isc_ondestroy_notify(&ondest, instance);
+ * \endcode
+ *
+ *
+ * see lib/dns/zone.c for an ifdef'd-out example.
+ */
+
+struct isc_ondestroy {
+	unsigned int magic;
+	isc_eventlist_t events;
+};
+
+void
+isc_ondestroy_init(isc_ondestroy_t *ondest);
+/*%<
+ * Initialize the on ondest structure. *must* be called before first call
+ * to isc_ondestroy_register().
+ */
+
+isc_result_t
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+		       isc_event_t **eventp);
+
+/*%<
+ * Stores task and *eventp away inside *ondest.  Ownership of **event is
+ * taken from the caller (and *eventp is set to NULL). The task is attached
+ * to.
+ */
+
+void
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
+/*%<
+ * Dispatches the event(s) to the task(s) that were given in
+ * isc_ondestroy_register call(s) (done via calls to
+ * isc_task_sendanddetach()).  Before dispatch, the sender value of each
+ * event structure is set to the value of the sender paramater. The
+ * internal structures of the ondest parameter are cleaned out, so no other
+ * cleanup is needed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ONDESTROY_H */
diff --git a/lib/isc/include/isc/os.h b/lib/isc/include/isc/os.h
new file mode 100644
index 0000000..eb8223e
--- /dev/null
+++ b/lib/isc/include/isc/os.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_OS_H
+#define ISC_OS_H 1
+
+/*! \file isc/os.h */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+unsigned int
+isc_os_ncpus(void);
+/*%<
+ * Return the number of CPUs available on the system, or 1 if this cannot
+ * be determined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_OS_H */
diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h
new file mode 100644
index 0000000..41e8a6c
--- /dev/null
+++ b/lib/isc/include/isc/parseint.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_PARSEINT_H
+#define ISC_PARSEINT_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*! \file isc/parseint.h
+ * \brief Parse integers, in a saner way than atoi() or strtoul() do.
+ */
+
+/***
+ ***	Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_parse_uint32(uint32_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint16(uint16_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint8(uint8_t *uip, const char *string, int base);
+/*%<
+ * Parse the null-terminated string 'string' containing a base 'base'
+ * integer, storing the result in '*uip'.
+ * The base is interpreted
+ * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
+ * plus signs are not accepted, and all errors (including overflow)
+ * are reported uniformly through the return value.
+ *
+ * Requires:
+ *\li	'string' points to a null-terminated string
+ *\li	0 <= 'base' <= 36
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_BADNUMBER   The string is not numeric (in the given base)
+ *\li	#ISC_R_RANGE	  The number is not representable as the requested type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PARSEINT_H */
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
new file mode 100644
index 0000000..c902d46
--- /dev/null
+++ b/lib/isc/include/isc/platform.h.in
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PLATFORM_H
+#define ISC_PLATFORM_H 1
+
+/*! \file */
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Network.
+ ***/
+
+/*! \brief
+ * Define if this system needs the <netinet/in6.h> header file included
+ * for full IPv6 support (pretty much only UnixWare).
+ */
+@ISC_PLATFORM_NEEDNETINETIN6H@
+
+/*! \brief
+ * Define if this system needs the <netinet6/in6.h> header file included
+ * to support in6_pkinfo (pretty much only BSD/OS).
+ */
+@ISC_PLATFORM_NEEDNETINET6IN6H@
+
+/*! \brief
+ * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVESALEN@
+
+/*! \brief
+ * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVEIPV6@
+
+/*! \brief
+ * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
+ * be defined.
+ */
+@ISC_PLATFORM_NEEDIN6ADDRANY@
+
+/*! \brief
+ * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
+ * will be defined.
+ */
+@ISC_PLATFORM_NEEDIN6ADDRLOOPBACK@
+
+/*! \brief
+ * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
+ * defined.
+ */
+@ISC_PLATFORM_HAVEIN6PKTINFO@
+
+/*! \brief
+ * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVEINADDR6@
+
+/*! \brief
+ * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
+ */
+@ISC_PLATFORM_HAVESCOPEID@
+
+/*! \brief
+ * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
+ */
+@ISC_PLATFORM_NEEDNTOP@
+
+/*! \brief
+ * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
+ */
+@ISC_PLATFORM_NEEDPTON@
+
+/*! \brief
+ * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
+ */
+@ISC_PLATFORM_NEEDPORTT@
+
+/*! \brief
+ * Define if the system has struct lifconf which is a extended struct ifconf
+ * for IPv6.
+ */
+@ISC_PLATFORM_HAVELIFCONF@
+
+/*! \brief
+ * Define if the system has struct if_laddrconf which is a extended struct
+ * ifconf for IPv6.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRCONF@
+
+/*! \brief
+ * Define if the system has struct if_laddrreq.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRREQ@
+
+/*! \brief
+ * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
+ */
+@ISC_PLATFORM_MSGHDRFLAVOR@
+
+/*! \brief
+ * Define if the system supports if_nametoindex.
+ */
+@ISC_PLATFORM_HAVEIFNAMETOINDEX@
+
+/*! \brief
+ * Define on some UnixWare systems to fix erroneous definitions of various
+ * IN6_IS_ADDR_* macros.
+ */
+@ISC_PLATFORM_FIXIN6ISADDR@
+
+/*! \brief
+ * Define if the system has struct sockaddr_storage.
+ */
+@ISC_PLATFORM_HAVESOCKADDRSTORAGE@
+
+/*! \brief
+ * Define if the system has TCP_FASTOPEN socket option.
+ */
+@ISC_PLATFORM_HAVETFO@
+
+/*! \brief
+ * Define if the system supports kqueue multiplexing
+ */
+@ISC_PLATFORM_HAVEKQUEUE@
+
+/*! \brief
+ * Define if the system supports epoll multiplexing
+ */
+@ISC_PLATFORM_HAVEEPOLL@
+
+/*! \brief
+ * Define if the system supports /dev/poll multiplexing
+ */
+@ISC_PLATFORM_HAVEDEVPOLL@
+
+/*! \brief
+ * Define if we want to log backtrace
+ */
+@ISC_PLATFORM_USEBACKTRACE@
+
+/*
+ *** Printing.
+ ***/
+
+/*! \brief
+ * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
+ * will be defined.
+ */
+@ISC_PLATFORM_NEEDVSNPRINTF@
+
+/*! \brief
+ * If this system need a modern sprintf() that returns (int) not (char*).
+ */
+@ISC_PLATFORM_NEEDSPRINTF@
+
+/*! \brief
+ * If this system need a modern printf() that format size %z (size_t).
+ */
+@ISC_PLATFORM_NEEDPRINTF@
+
+/*! \brief
+ * If this system need a modern fprintf() that format size %z (size_t).
+ */
+@ISC_PLATFORM_NEEDFPRINTF@
+
+/***
+ *** String functions.
+ ***/
+/*
+ * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRSEP@
+
+/*
+ * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCPY@
+
+/*
+ * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCAT@
+
+/*
+ * Define if this system needs strtoul.
+ */
+@ISC_PLATFORM_NEEDSTRTOUL@
+
+/*
+ * Define if this system needs memmove.
+ */
+@ISC_PLATFORM_NEEDMEMMOVE@
+
+/*
+ * Define if this system needs strcasestr.
+ */
+@ISC_PLATFORM_NEEDSTRCASESTR@
+
+/***
+ *** Miscellaneous.
+ ***/
+
+/*
+ * Defined if we are using threads.
+ */
+@ISC_PLATFORM_USETHREADS@
+
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
+ */
+@ISC_PLATFORM_NEEDSYSSELECTH@
+
+/*
+ * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
+ * the GSSAPI header.
+ */
+@ISC_PLATFORM_GSSAPIHEADER@
+
+/*
+ * Defined to <gssapi_krb5.h> or <gssapi/gssapi_krb5.h> for how to
+ * include the GSSAPI KRB5 header.
+ */
+@ISC_PLATFORM_GSSAPI_KRB5_HEADER@
+
+/*
+ * Defined to <krb5.h> or <krb5/krb5.h> for how to include
+ * the KRB5 header.
+ */
+@ISC_PLATFORM_KRB5HEADER@
+
+/*
+ * Define if the system has nanosecond-level accuracy in file stats.
+ */
+@ISC_PLATFORM_HAVESTATNSEC@
+
+/*
+ * Type used for resource limits.
+ */
+@ISC_PLATFORM_RLIMITTYPE@
+
+/*
+ * Define if your compiler supports "long long int".
+ */
+@ISC_PLATFORM_HAVELONGLONG@
+
+/*
+ * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
+ * prevent compiler warnings (such as with gcc on Solaris 2.8).
+ */
+@ISC_PLATFORM_BRACEPTHREADONCEINIT@
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+@ISC_PLATFORM_USEDECLSPEC@
+
+/*
+ * Define if the platform has <sys/un.h>.
+ */
+@ISC_PLATFORM_HAVESYSUNH@
+
+/*
+ * If the "xadd" operation is available on this architecture,
+ * ISC_PLATFORM_HAVEXADD will be defined.
+ */
+@ISC_PLATFORM_HAVEXADD@
+
+/*
+ * If the "xaddq" operation (64bit xadd) is available on this architecture,
+ * ISC_PLATFORM_HAVEXADDQ will be defined.
+ */
+@ISC_PLATFORM_HAVEXADDQ@
+
+/*
+ * If the 32-bit "atomic swap" operation is available on this
+ * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ */
+@ISC_PLATFORM_HAVEATOMICSTORE@
+
+/*
+ * If the 64-bit "atomic swap" operation is available on this
+ * architecture, ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ */
+@ISC_PLATFORM_HAVEATOMICSTOREQ@
+
+/*
+ * If the "compare-and-exchange" operation is available on this architecture,
+ * ISC_PLATFORM_HAVECMPXCHG will be defined.
+ */
+@ISC_PLATFORM_HAVECMPXCHG@
+
+/*
+ * If <stdatomic.h> is available on this architecture,
+ * ISC_PLATFORM_HAVESTDATOMIC will be defined.
+ */
+@ISC_PLATFORM_HAVESTDATOMIC@
+
+/*
+ * Define if gcc ASM extension is available
+ */
+@ISC_PLATFORM_USEGCCASM@
+
+/*
+ * Define if Tru64 style ASM syntax must be used.
+ */
+@ISC_PLATFORM_USEOSFASM@
+
+/*
+ * Define if the standard __asm function must be used.
+ */
+@ISC_PLATFORM_USESTDASM@
+
+/*
+ * Define with the busy wait nop asm or function call.
+ */
+@ISC_PLATFORM_BUSYWAITNOP@
+
+/*
+ * Define if the platform has <strings.h>.
+ */
+@ISC_PLATFORM_HAVESTRINGSH@
+
+/*
+ * Define if the hash functions must be provided by OpenSSL.
+ */
+@ISC_PLATFORM_OPENSSLHASH@
+
+/*
+ * Define if AES support is wanted
+ */
+@ISC_PLATFORM_WANTAES@
+
+/*
+ * Defines for the noreturn attribute.
+ */
+@ISC_PLATFORM_NORETURN_PRE@
+@ISC_PLATFORM_NORETURN_POST@
+
+/***
+ ***	Windows dll support.
+ ***/
+
+/*
+ * Define if MacOS style of PPC assembly must be used.
+ * e.g. "r6", not "6", for register six.
+ */
+@ISC_PLATFORM_USEMACASM@
+
+#ifndef ISC_PLATFORM_USEDECLSPEC
+#define LIBISC_EXTERNAL_DATA
+#define LIBDNS_EXTERNAL_DATA
+#define LIBISCCC_EXTERNAL_DATA
+#define LIBISCCFG_EXTERNAL_DATA
+#define LIBBIND9_EXTERNAL_DATA
+#define LIBTESTS_EXTERNAL_DATA
+#else /*! \brief ISC_PLATFORM_USEDECLSPEC */
+#ifdef LIBISC_EXPORTS
+#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBISCCC_EXPORTS
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBTESTS_EXPORTS
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif /*! \brief ISC_PLATFORM_USEDECLSPEC */
+
+/*
+ * Tell emacs to use C mode for this file.
+ *
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* ISC_PLATFORM_H */
diff --git a/lib/isc/include/isc/pool.h b/lib/isc/include/isc/pool.h
new file mode 100644
index 0000000..a648312
--- /dev/null
+++ b/lib/isc/include/isc/pool.h
@@ -0,0 +1,144 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_OBJPOOL_H
+#define ISC_OBJPOOL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/pool.h
+ * \brief An object pool is a mechanism for sharing a small pool of
+ * fungible objects among a large number of objects that depend on them.
+ *
+ * This is useful, for example, when it causes performance problems for
+ * large number of zones to share a single memory context or task object,
+ * but it would create a different set of problems for them each to have an
+ * independent task or memory context.
+ */
+
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types.
+ *****/
+
+typedef void
+(*isc_pooldeallocator_t)(void **object);
+
+typedef isc_result_t
+(*isc_poolinitializer_t)(void **target, void *arg);
+
+typedef struct isc_pool isc_pool_t;
+
+/*****
+ ***** Functions.
+ *****/
+
+isc_result_t
+isc_pool_create(isc_mem_t *mctx, unsigned int count,
+		isc_pooldeallocator_t free,
+		isc_poolinitializer_t init, void *initarg,
+		isc_pool_t **poolp);
+/*%<
+ * Create a pool of "count" object pointers. If 'free' is not NULL,
+ * it points to a function that will detach the objects.  'init'
+ * points to a function that will initialize the arguments, and
+ * 'arg' to an argument to be passed into that function (for example,
+ * a relevant manager or context object).
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	init != NULL
+ *
+ *\li	poolp != NULL && *poolp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*poolp' points to the new object pool.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void *
+isc_pool_get(isc_pool_t *pool);
+/*%<
+ * Returns a pointer to an object from the pool. Currently the object
+ * is chosen from the pool at random.  (This may be changed in the future
+ * to something that guaratees balance.)
+ */
+
+int
+isc_pool_count(isc_pool_t *pool);
+/*%<
+ * Returns the number of objcts in the pool 'pool'.
+ */
+
+isc_result_t
+isc_pool_expand(isc_pool_t **sourcep, unsigned int count, isc_pool_t **targetp);
+
+/*%<
+ * If 'size' is larger than the number of objects in the pool pointed to by
+ * 'sourcep', then a new pool of size 'count' is allocated, the existing
+ * objects are copied into it, additional ones created to bring the
+ * total number up to 'count', and the resulting pool is attached to
+ * 'targetp'.
+ *
+ * If 'count' is less than or equal to the number of objects in 'source', then
+ * 'sourcep' is attached to 'targetp' without any other action being taken.
+ *
+ * In either case, 'sourcep' is detached.
+ *
+ * Requires:
+ *
+ * \li	'sourcep' is not NULL and '*source' is not NULL
+ * \li	'targetp' is not NULL and '*source' is NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*targetp' points to a valid task pool.
+ * \li	On success, '*sourcep' points to NULL.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_pool_destroy(isc_pool_t **poolp);
+/*%<
+ * Destroy a task pool.  The tasks in the pool are detached but not
+ * shut down.
+ *
+ * Requires:
+ * \li	'*poolp' is a valid task pool.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_OBJPOOL_H */
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
new file mode 100644
index 0000000..1f0d928
--- /dev/null
+++ b/lib/isc/include/isc/portset.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/portset.h
+ * \brief Transport Protocol Port Manipulation Module
+ *
+ * This module provides simple utilities to handle a set of transport protocol
+ * (UDP or TCP) port numbers, e.g., for creating an ACL list.  An isc_portset_t
+ * object is an opaque instance of a port set, for which the user can add or
+ * remove a specific port or a range of consecutive ports.  This object is
+ * expected to be used as a temporary work space only, and does not protect
+ * simultaneous access from multiple threads.  Therefore it must not be stored
+ * in a place that can be accessed from multiple threads.
+ */
+
+#ifndef ISC_PORTSET_H
+#define ISC_PORTSET_H 1
+
+/***
+ ***	Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/net.h>
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp);
+/*%<
+ * Create a port set and initialize it as an empty set.
+ *
+ * Requires:
+ *\li	'mctx' to be valid.
+ *\li	'portsetp' to be non NULL and '*portsetp' to be NULL;
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp);
+/*%<
+ * Destroy a port set.
+ *
+ * Requires:
+ *\li	'mctx' to be valid and must be the same context given when the port set
+ *       was created.
+ *\li	'*portsetp' to be a valid set.
+ */
+
+bool
+isc_portset_isset(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Test whether the given port is stored in the portset.
+ *
+ * Requires:
+ *\li	'portset' to be a valid set.
+ *
+ * Returns
+ * \li	#true if the port is found, false otherwise.
+ */
+
+unsigned int
+isc_portset_nports(isc_portset_t *portset);
+/*%<
+ * Provides the number of ports stored in the given portset.
+ *
+ * Requires:
+ *\li	'portset' to be a valid set.
+ *
+ * Returns
+ * \li	the number of ports stored in portset.
+ */
+
+void
+isc_portset_add(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Add the given port to the portset.  The port may or may not be stored in
+ * the portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ */
+
+void
+isc_portset_remove(isc_portset_t *portset, in_port_t port);
+/*%<
+ * Remove the given port to the portset.  The port may or may not be stored in
+ * the portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ */
+
+void
+isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
+		     in_port_t port_hi);
+/*%<
+ * Add a subset of [port_lo, port_hi] (inclusive) to the portset.  Ports in the
+ * subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	port_lo <= port_hi
+ */
+
+void
+isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
+			in_port_t port_hi);
+/*%<
+ * Subtract a subset of [port_lo, port_hi] (inclusive) from the portset.  Ports
+ * in the subset may or may not be stored in portset.
+ *
+ * Requires:
+ *\li	'portlist' to be valid.
+ *\li	port_lo <= port_hi
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif	/* ISC_PORTSET_H */
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
new file mode 100644
index 0000000..e4fa76c
--- /dev/null
+++ b/lib/isc/include/isc/print.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PRINT_H
+#define ISC_PRINT_H 1
+
+/*! \file isc/print.h */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/formatcheck.h>    /* Required for ISC_FORMAT_PRINTF() macro. */
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+/*!
+ * This block allows lib/isc/print.c to be cleanly compiled even if
+ * the platform does not need it.  The standard Makefile will still
+ * not compile print.c or archive print.o, so this is just to make test
+ * compilation ("make print.o") easier.
+ */
+#if !defined(ISC_PLATFORM_NEEDVSNPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDVSNPRINTF
+#undef snprintf
+#undef vsnprintf
+#endif
+
+#if !defined(ISC_PLATFORM_NEEDSPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDSPRINTF
+#undef sprintf
+#endif
+
+#if !defined(ISC_PLATFORM_NEEDFPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDFPRINTF
+#undef fprintf
+#endif
+
+#if !defined(ISC_PLATFORM_NEEDPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDPRINTF
+#undef printf
+#endif
+
+/***
+ *** Functions
+ ***/
+
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
+#include <stdarg.h>
+#include <stddef.h>
+#endif
+
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
+int
+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
+     ISC_FORMAT_PRINTF(3, 0);
+#undef vsnprintf
+#define vsnprintf isc_print_vsnprintf
+
+int
+isc_print_snprintf(char *str, size_t size, const char *format, ...)
+     ISC_FORMAT_PRINTF(3, 4);
+#undef snprintf
+#define snprintf isc_print_snprintf
+#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
+
+#ifdef ISC_PLATFORM_NEEDSPRINTF
+int
+isc_print_sprintf(char *str, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+#undef sprintf
+#define sprintf isc_print_sprintf
+#endif
+
+#ifdef ISC_PLATFORM_NEEDPRINTF
+int
+isc_print_printf(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+#undef printf
+#define printf isc_print_printf
+#endif
+
+#ifdef ISC_PLATFORM_NEEDFPRINTF
+int
+isc_print_fprintf(FILE * fp, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+#undef fprintf
+#define fprintf isc_print_fprintf
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PRINT_H */
diff --git a/lib/isc/include/isc/queue.h b/lib/isc/include/isc/queue.h
new file mode 100644
index 0000000..210f302
--- /dev/null
+++ b/lib/isc/include/isc/queue.h
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This is a generic implementation of a two-lock concurrent queue.
+ * There are built-in mutex locks for the head and tail of the queue,
+ * allowing elements to be safely added and removed at the same time.
+ *
+ * NULL is "end of list"
+ * -1 is "not linked"
+ */
+
+#ifndef ISC_QUEUE_H
+#define ISC_QUEUE_H 1
+
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/mutex.h>
+
+#ifdef ISC_QUEUE_CHECKINIT
+#define ISC_QLINK_INSIST(x) ISC_INSIST(x)
+#else
+#define ISC_QLINK_INSIST(x) (void)0
+#endif
+
+#define ISC_QLINK(type) struct { type *prev, *next; }
+
+#define ISC_QLINK_INIT(elt, link) \
+	do { \
+		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
+	} while(0)
+
+#define ISC_QLINK_LINKED(elt, link) ((void*)(elt)->link.next != (void*)(-1))
+
+#define ISC_QUEUE(type) struct { \
+	type *head, *tail; \
+	isc_mutex_t headlock, taillock; \
+}
+
+#define ISC_QUEUE_INIT(queue, link) \
+	do { \
+		(void) isc_mutex_init(&(queue).taillock); \
+		(void) isc_mutex_init(&(queue).headlock); \
+		(queue).tail = (queue).head = NULL; \
+	} while (0)
+
+#define ISC_QUEUE_EMPTY(queue) ((queue).head == NULL)
+
+#define ISC_QUEUE_DESTROY(queue) \
+	do { \
+		ISC_QLINK_INSIST(ISC_QUEUE_EMPTY(queue)); \
+		(void) isc_mutex_destroy(&(queue).taillock); \
+		(void) isc_mutex_destroy(&(queue).headlock); \
+	} while (0)
+
+/*
+ * queues are meant to separate the locks at either end.  For best effect, that
+ * means keeping the ends separate - i.e. non-empty queues work best.
+ *
+ * a push to an empty queue has to take the pop lock to update
+ * the pop side of the queue.
+ * Popping the last entry has to take the push lock to update
+ * the push side of the queue.
+ *
+ * The order is (pop, push), because a pop is presumably in the
+ * latency path and a push is when we're done.
+ *
+ * We do an MT hot test in push to see if we need both locks, so we can
+ * acquire them in order.  Hopefully that makes the case where we get
+ * the push lock and find we need the pop lock (and have to release it) rare.
+ *
+ * > 1 entry - no collision, push works on one end, pop on the other
+ *   0 entry - headlock race
+ *     pop wins - return(NULL), push adds new as both head/tail
+ *     push wins - updates head/tail, becomes 1 entry case.
+ *   1 entry - taillock race
+ *     pop wins - return(pop) sets head/tail NULL, becomes 0 entry case
+ *     push wins - updates {head,tail}->link.next, pop updates head
+ *                 with new ->link.next and doesn't update tail
+ *
+ */
+#define ISC_QUEUE_PUSH(queue, elt, link) \
+	do { \
+		bool headlocked = false; \
+		ISC_QLINK_INSIST(!ISC_QLINK_LINKED(elt, link)); \
+		if ((queue).head == NULL) { \
+			LOCK(&(queue).headlock); \
+			headlocked = true; \
+		} \
+		LOCK(&(queue).taillock); \
+		if ((queue).tail == NULL && !headlocked) { \
+			UNLOCK(&(queue).taillock); \
+			LOCK(&(queue).headlock); \
+			LOCK(&(queue).taillock); \
+			headlocked = true; \
+		} \
+		(elt)->link.prev = (queue).tail; \
+		(elt)->link.next = NULL; \
+		if ((queue).tail != NULL) \
+			(queue).tail->link.next = (elt); \
+		(queue).tail = (elt); \
+		UNLOCK(&(queue).taillock); \
+		if (headlocked) { \
+			if ((queue).head == NULL) \
+				(queue).head = (elt); \
+			UNLOCK(&(queue).headlock); \
+		} \
+	} while (0)
+
+#define ISC_QUEUE_POP(queue, link, ret) \
+	do { \
+		LOCK(&(queue).headlock); \
+		ret = (queue).head; \
+		while (ret != NULL) { \
+			if (ret->link.next == NULL) { \
+				LOCK(&(queue).taillock); \
+				if (ret->link.next == NULL) { \
+					(queue).head = (queue).tail = NULL; \
+					UNLOCK(&(queue).taillock); \
+					break; \
+				}\
+				UNLOCK(&(queue).taillock); \
+			} \
+			(queue).head = ret->link.next; \
+			(queue).head->link.prev = NULL; \
+			break; \
+		} \
+		UNLOCK(&(queue).headlock); \
+		if (ret != NULL) \
+			(ret)->link.next = (ret)->link.prev = (void *)(-1); \
+	} while(0)
+
+#define ISC_QUEUE_UNLINK(queue, elt, link) \
+	do { \
+		ISC_QLINK_INSIST(ISC_QLINK_LINKED(elt, link)); \
+		LOCK(&(queue).headlock); \
+		LOCK(&(queue).taillock); \
+		if ((elt)->link.prev == NULL) \
+			(queue).head = (elt)->link.next; \
+		else \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		if ((elt)->link.next == NULL) \
+			(queue).tail = (elt)->link.prev; \
+		else \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		UNLOCK(&(queue).taillock); \
+		UNLOCK(&(queue).headlock); \
+		(elt)->link.next = (elt)->link.prev = (void *)(-1); \
+	} while(0)
+
+#endif /* ISC_QUEUE_H */
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
new file mode 100644
index 0000000..b9bf598
--- /dev/null
+++ b/lib/isc/include/isc/quota.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_QUOTA_H
+#define ISC_QUOTA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/quota.h
+ *
+ * \brief The isc_quota_t object is a simple helper object for implementing
+ * quotas on things like the number of simultaneous connections to
+ * a server.  It keeps track of the amount of quota in use, and
+ * encapsulates the locking necessary to allow multiple tasks to
+ * share a quota.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+/*****
+ ***** Types.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+/*% isc_quota structure */
+struct isc_quota {
+	isc_mutex_t	lock; /*%< Locked by lock. */
+	int 		max;
+	int 		used;
+	int		soft;
+};
+
+isc_result_t
+isc_quota_init(isc_quota_t *quota, int max);
+/*%<
+ * Initialize a quota object.
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS
+ *	Other error	Lock creation failed.
+ */
+
+void
+isc_quota_destroy(isc_quota_t *quota);
+/*%<
+ * Destroy a quota object.
+ */
+
+void
+isc_quota_soft(isc_quota_t *quota, int soft);
+/*%<
+ * Set a soft quota.
+ */
+
+void
+isc_quota_max(isc_quota_t *quota, int max);
+/*%<
+ * Re-set a maximum quota.
+ */
+
+isc_result_t
+isc_quota_reserve(isc_quota_t *quota);
+/*%<
+ * Attempt to reserve one unit of 'quota'.
+ *
+ * Returns:
+ * \li 	#ISC_R_SUCCESS		Success
+ * \li	#ISC_R_SOFTQUOTA	Success soft quota reached
+ * \li	#ISC_R_QUOTA		Quota is full
+ */
+
+void
+isc_quota_release(isc_quota_t *quota);
+/*%<
+ * Release one unit of quota.
+ */
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
+/*%<
+ * Like isc_quota_reserve, and also attaches '*p' to the
+ * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
+ */
+
+void
+isc_quota_detach(isc_quota_t **p);
+/*%<
+ * Like isc_quota_release, and also detaches '*p' from the
+ * quota.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_QUOTA_H */
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
new file mode 100644
index 0000000..135552a
--- /dev/null
+++ b/lib/isc/include/isc/radix.h
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/types.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+
+#include <string.h>
+
+#ifndef _RADIX_H
+#define _RADIX_H
+
+#define NETADDR_TO_PREFIX_T(na,pt,bits,is_ecs)	\
+	do { \
+		const void *p = na; \
+		memset(&(pt), 0, sizeof(pt)); \
+		if (p != NULL) { \
+			(pt).family = (na)->family; \
+			(pt).bitlen = (bits); \
+			if ((pt).family == AF_INET6) { \
+				memmove(&(pt).add.sin6, &(na)->type.in6, \
+				       ((bits)+7)/8); \
+			} else \
+				memmove(&(pt).add.sin, &(na)->type.in, \
+				       ((bits)+7)/8); \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
+		(pt).ecs = is_ecs; \
+		isc_refcount_init(&(pt).refcount, 0); \
+	} while(0)
+
+typedef struct isc_prefix {
+	isc_mem_t *mctx;
+	unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+	unsigned int bitlen;	/* 0 for "any" */
+	bool ecs;	/* true for an EDNS client subnet address */
+	isc_refcount_t refcount;
+	union {
+		struct in_addr sin;
+		struct in6_addr sin6;
+	} add;
+} isc_prefix_t;
+
+typedef void (*isc_radix_destroyfunc_t)(void *);
+typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **);
+
+#define isc_prefix_tochar(prefix) ((char *)&(prefix)->add.sin)
+#define isc_prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
+
+#define BIT_TEST(f, b)  ((f) & (b))
+
+/*
+ * We need "first match" when we search the radix tree to preserve
+ * compatibility with the existing ACL implementation. Radix trees
+ * naturally lend themselves to "best match". In order to get "first match"
+ * behavior, we keep track of the order in which entries are added to the
+ * tree--and when a search is made, we find all matching entries, and
+ * return the one that was added first.
+ *
+ * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they
+ * have the same length and bit pattern (e.g., 127/8 and 7f::/8).  Also,
+ * a node that matches a client address may also match an EDNS client
+ * subnet address.  To disambiguate between these, node_num and data
+ * are four-element arrays;
+ *
+ *   - node_num[0] and data[0] are used for IPv4 client addresses
+ *   - node_num[1] and data[1] for IPv4 client subnet addresses
+ *   - node_num[2] and data[2] are used for IPv6 client addresses
+ *   - node_num[3] and data[3] for IPv6 client subnet addresses
+ *
+ * A prefix of 0/0 (aka "any" or "none"), is always stored as IPv4,
+ * but matches IPv6 addresses too, as well as all client subnet
+ * addresses.
+ */
+
+#define RADIX_NOECS 0
+#define RADIX_ECS 2
+#define RADIX_V4 0
+#define RADIX_V6 1
+#define RADIX_V4_ECS 2
+#define RADIX_V6_ECS 3
+#define RADIX_FAMILIES 4
+
+#define ISC_RADIX_FAMILY(p) \
+	((((p)->family == AF_INET6) ? RADIX_V6 : RADIX_V4) + \
+	 ((p)->ecs ? RADIX_ECS : RADIX_NOECS))
+
+typedef struct isc_radix_node {
+	isc_mem_t *mctx;
+	uint32_t bit;		/* bit length of the prefix */
+	isc_prefix_t *prefix;		/* who we are in radix tree */
+	struct isc_radix_node *l, *r;	/* left and right children */
+	struct isc_radix_node *parent;	/* may be used */
+	void *data[RADIX_FAMILIES];	/* pointers to IPv4 and IPV6 data */
+	int node_num[RADIX_FAMILIES];	/* which node this was in the tree,
+					   or -1 for glue nodes */
+} isc_radix_node_t;
+
+#define RADIX_TREE_MAGIC         ISC_MAGIC('R','d','x','T');
+#define RADIX_TREE_VALID(a)      ISC_MAGIC_VALID(a, RADIX_TREE_MAGIC);
+
+typedef struct isc_radix_tree {
+	unsigned int magic;
+	isc_mem_t *mctx;
+	isc_radix_node_t *head;
+	uint32_t maxbits;		/* for IP, 32 bit addresses */
+	int num_active_node;		/* for debugging purposes */
+	int num_added_node;		/* total number of nodes */
+} isc_radix_tree_t;
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix);
+/*%<
+ * Search 'radix' for the best match to 'prefix'.
+ * Return the node found in '*target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid.
+ *
+ * Returns:
+ * \li	ISC_R_NOTFOUND
+ * \li	ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix);
+/*%<
+ * Insert 'source' or 'prefix' into the radix tree 'radix'.
+ * Return the node added in 'target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid or 'source' to be non NULL and contain
+ *	a valid prefix.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node);
+/*%<
+ * Remove the node 'node' from the radix tree 'radix'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'node' to be valid.
+ */
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits);
+/*%<
+ * Create a radix tree with a maximum depth of 'maxbits';
+ *
+ * Requires:
+ * \li	'mctx' to be valid.
+ * \li	'target' to be non NULL and '*target' to be NULL.
+ * \li	'maxbits' to be less than or equal to RADIX_MAXBITS.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+/*%<
+ * Destroy a radix tree optionally calling 'func' to clean up node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ */
+
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func);
+/*%<
+ * Walk a radix tree calling 'func' to process node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'func' to point to a function.
+ */
+
+#define RADIX_MAXBITS 128
+#define RADIX_NBIT(x)        (0x80 >> ((x) & 0x7f))
+#define RADIX_NBYTE(x)       ((x) >> 3)
+
+#define RADIX_WALK(Xhead, Xnode) \
+    do { \
+	isc_radix_node_t *Xstack[RADIX_MAXBITS+1]; \
+	isc_radix_node_t **Xsp = Xstack; \
+	isc_radix_node_t *Xrn = (Xhead); \
+	while ((Xnode = Xrn)) { \
+	    if (Xnode->prefix)
+
+#define RADIX_WALK_END \
+	    if (Xrn->l) { \
+		if (Xrn->r) { \
+		    *Xsp++ = Xrn->r; \
+		} \
+		Xrn = Xrn->l; \
+	    } else if (Xrn->r) { \
+		Xrn = Xrn->r; \
+	    } else if (Xsp != Xstack) { \
+		Xrn = *(--Xsp); \
+	    } else { \
+		Xrn = (isc_radix_node_t *) 0; \
+	    } \
+	} \
+    } while (0)
+
+#endif /* _RADIX_H */
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
new file mode 100644
index 0000000..f8aed34
--- /dev/null
+++ b/lib/isc/include/isc/random.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: random.h,v 1.20 2009/01/17 23:47:43 tbox Exp $ */
+
+#ifndef ISC_RANDOM_H
+#define ISC_RANDOM_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+
+/*! \file isc/random.h
+ * \brief Implements a random state pool which will let the caller return a
+ * series of possibly non-reproducible random values.
+ *
+ * Note that the
+ * strength of these numbers is not all that high, and should not be
+ * used in cryptography functions.  It is useful for jittering values
+ * a bit here and there, such as timeouts, etc.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct isc_rng isc_rng_t;
+/*%<
+ * Opaque type
+ */
+
+void
+isc_random_seed(uint32_t seed);
+/*%<
+ * Set the initial seed of the random state.
+ */
+
+void
+isc_random_get(uint32_t *val);
+/*%<
+ * Get a random value.
+ *
+ * Requires:
+ *	val != NULL.
+ */
+
+uint32_t
+isc_random_jitter(uint32_t max, uint32_t jitter);
+/*%<
+ * Get a random value between (max - jitter) and (max).
+ * This is useful for jittering timer values.
+ */
+
+isc_result_t
+isc_rng_create(isc_mem_t *mctx, isc_entropy_t *entropy, isc_rng_t **rngp);
+/*%<
+ * Creates and initializes a pseudo random number generator. The
+ * returned RNG can be used to generate pseudo random numbers.
+ *
+ * The reference count of the returned RNG is set to 1.
+ *
+ * Requires:
+ * \li mctx is a pointer to a valid memory context.
+ * \li entropy is an optional entopy source (can be NULL)
+ * \li rngp != NULL && *rngp == NULL is where a pointer to the RNG is
+ *     returned.
+ *
+ * Ensures:
+ *\li	If result is ISC_R_SUCCESS:
+ *		*rngp points to a valid RNG.
+ *
+ *\li	If result is failure:
+ *		*rngp does not point to a valid RNG.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success
+ *\li	#ISC_R_NOMEMORY Resource limit: Out of Memory
+ */
+
+void
+isc_rng_attach(isc_rng_t *source, isc_rng_t **targetp);
+/*%<
+ * Increments a reference count on the passed RNG.
+ *
+ * Requires:
+ * \li source the RNG struct to attach to (is refcount is incremented)
+ * \li targetp != NULL && *targetp == NULL where a pointer to the
+ *     reference incremented RNG is returned.
+ */
+
+void
+isc_rng_detach(isc_rng_t **rngp);
+/*%<
+ * Decrements a reference count on the passed RNG. If the reference
+ * count reaches 0, the RNG is destroyed.
+ *
+ * Requires:
+ * \li rngp != NULL the RNG struct to decrement reference for
+ */
+
+uint16_t
+isc_rng_random(isc_rng_t *rngctx);
+/*%<
+ * Returns a pseudo random 16-bit unsigned integer.
+ */
+
+uint16_t
+isc_rng_uniformrandom(isc_rng_t *rngctx, uint16_t upper_bound);
+/*%<
+ * Returns a uniformly distributed pseudo random 16-bit unsigned
+ * integer.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RANDOM_H */
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
new file mode 100644
index 0000000..f6320b2
--- /dev/null
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_RATELIMITER_H
+#define ISC_RATELIMITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/ratelimiter.h
+ * \brief A rate limiter is a mechanism for dispatching events at a limited
+ * rate.  This is intended to be used when sending zone maintenance
+ * SOA queries, NOTIFY messages, etc.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Functions.
+ *****/
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
+/*%<
+ * Create a rate limiter.  The execution interval is initially undefined.
+ */
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
+/*!<
+ * Set the minimum interval between event executions.
+ * The interval value is copied, so the caller need not preserve it.
+ *
+ * Requires:
+ *	'*interval' is a nonzero interval.
+ */
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, uint32_t perint);
+/*%<
+ * Set the number of events processed per interval timer tick.
+ * If 'perint' is zero it is treated as 1.
+ */
+
+void
+isc_ratelimiter_setpushpop(isc_ratelimiter_t *rl, bool pushpop);
+/*%<
+ * Set / clear the ratelimiter to from push pop mode rather
+ * first in - first out mode (default).
+ */
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp);
+/*%<
+ * Queue an event for rate-limited execution.
+ *
+ * This is similar
+ * to doing an isc_task_send() to the 'task', except that the
+ * execution may be delayed to achieve the desired rate of
+ * execution.
+ *
+ * '(*eventp)->ev_sender' is used to hold the task.  The caller
+ * must ensure that the task exists until the event is delivered.
+ *
+ * Requires:
+ *\li	An interval has been set by calling
+ *	isc_ratelimiter_setinterval().
+ *
+ *\li	'task' to be non NULL.
+ *\li	'(*eventp)->ev_sender' to be NULL.
+ */
+
+isc_result_t
+isc_ratelimiter_dequeue(isc_ratelimiter_t *rl, isc_event_t *event);
+/*
+ * Dequeue a event off the ratelimiter queue.
+ *
+ * Returns:
+ * \li	ISC_R_NOTFOUND if the event is no longer linked to the rate limiter.
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
+/*%<
+ * Shut down a rate limiter.
+ *
+ * Ensures:
+ *\li	All events that have not yet been
+ * 	dispatched to the task are dispatched immediately with
+ *	the #ISC_EVENTATTR_CANCELED bit set in ev_attributes.
+ *
+ *\li	Further attempts to enqueue events will fail with
+ * 	#ISC_R_SHUTTINGDOWN.
+ *
+ *\li	The rate limiter is no longer attached to its task.
+ */
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
+/*%<
+ * Attach to a rate limiter.
+ */
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
+/*%<
+ * Detach from a rate limiter.
+ */
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl);
+/*%<
+ * Stall event processing.
+ */
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl);
+/*%<
+ * Release a stalled rate limiter.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RATELIMITER_H */
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h
new file mode 100644
index 0000000..c911e5b
--- /dev/null
+++ b/lib/isc/include/isc/refcount.h
@@ -0,0 +1,304 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_REFCOUNT_H
+#define ISC_REFCOUNT_H 1
+
+#include <inttypes.h>
+
+#include <isc/assertions.h>
+#include <isc/atomic.h>
+#include <isc/error.h>
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined (__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#endif
+
+/*! \file isc/refcount.h
+ * \brief Implements a locked reference counter.
+ *
+ * These functions may actually be
+ * implemented using macros, and implementations of these macros are below.
+ * The isc_refcount_t type should not be accessed directly, as its contents
+ * depend on the implementation.
+ */
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Function prototypes
+ */
+
+/*
+ * isc_result_t
+ * isc_refcount_init(isc_refcount_t *ref, unsigned int n);
+ *
+ * Initialize the reference counter.  There will be 'n' initial references.
+ *
+ * Requires:
+ *	ref != NULL
+ */
+
+/*
+ * void
+ * isc_refcount_destroy(isc_refcount_t *ref);
+ *
+ * Destroys a reference counter.
+ *
+ * Requires:
+ *	ref != NULL
+ *	The number of references is 0.
+ */
+
+/*
+ * void
+ * isc_refcount_increment(isc_refcount_t *ref, unsigned int *targetp);
+ * isc_refcount_increment0(isc_refcount_t *ref, unsigned int *targetp);
+ *
+ * Increments the reference count, returning the new value in targetp if it's
+ * not NULL.  The reference counter typically begins with the initial counter
+ * of 1, and will be destroyed once the counter reaches 0.  Thus,
+ * isc_refcount_increment() additionally requires the previous counter be
+ * larger than 0 so that an error which violates the usage can be easily
+ * caught.  isc_refcount_increment0() does not have this restriction.
+ *
+ * Requires:
+ *	ref != NULL.
+ */
+
+/*
+ * void
+ * isc_refcount_decrement(isc_refcount_t *ref, unsigned int *targetp);
+ *
+ * Decrements the reference count,  returning the new value in targetp if it's
+ * not NULL.
+ *
+ * Requires:
+ *	ref != NULL.
+ */
+
+
+/*
+ * Sample implementations
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD)
+#define ISC_REFCOUNT_HAVEATOMIC 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_REFCOUNT_HAVESTDATOMIC 1
+#endif
+
+typedef struct isc_refcount {
+#if defined(ISC_REFCOUNT_HAVESTDATOMIC)
+	atomic_int_fast32_t refs;
+#else
+	int32_t refs;
+#endif
+} isc_refcount_t;
+
+#if defined(ISC_REFCOUNT_HAVESTDATOMIC)
+
+#define isc_refcount_current(rp)					\
+	((unsigned int)(atomic_load_explicit(&(rp)->refs,		\
+					     memory_order_relaxed)))
+#define isc_refcount_destroy(rp) ISC_REQUIRE(isc_refcount_current(rp) == 0)
+
+#define isc_refcount_increment0(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = atomic_fetch_add_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_increment(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = atomic_fetch_add_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_decrement(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = atomic_fetch_sub_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev - 1;			\
+	} while (0)
+
+#else /* ISC_REFCOUNT_HAVESTDATOMIC */
+
+#define isc_refcount_current(rp)				\
+	((unsigned int)(isc_atomic_xadd(&(rp)->refs, 0)))
+#define isc_refcount_destroy(rp) ISC_REQUIRE(isc_refcount_current(rp) == 0)
+
+#define isc_refcount_increment0(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_increment(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_decrement(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		int32_t prev;				\
+		prev = isc_atomic_xadd(&(rp)->refs, -1);	\
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev - 1;			\
+	} while (0)
+
+#endif /* ISC_REFCOUNT_HAVESTDATOMIC */
+
+#else  /* ISC_PLATFORM_HAVEXADD */
+
+typedef struct isc_refcount {
+	int refs;
+	isc_mutex_t lock;
+} isc_refcount_t;
+
+/*% Destroys a reference counter. */
+#define isc_refcount_destroy(rp)					\
+	do {								\
+		isc_result_t _result;					\
+		ISC_REQUIRE((rp)->refs == 0);				\
+		_result = isc_mutex_destroy(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+	} while (0)
+
+#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+
+/*%
+ * Increments the reference count, returning the new value in
+ * 'tp' if it's not NULL.
+ */
+#define isc_refcount_increment0(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		++((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+	} while (0)
+
+#define isc_refcount_increment(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		++((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+	} while (0)
+
+/*%
+ * Decrements the reference count, returning the new value in 'tp'
+ * if it's not NULL.
+ */
+#define isc_refcount_decrement(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		--((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+	} while (0)
+
+#endif /* (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD) */
+#else  /* ISC_PLATFORM_USETHREADS */
+
+typedef struct isc_refcount {
+	int refs;
+} isc_refcount_t;
+
+#define isc_refcount_destroy(rp) ISC_REQUIRE((rp)->refs == 0)
+#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+
+#define isc_refcount_increment0(rp, tp)					\
+	do {								\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		int _n = ++(rp)->refs;					\
+		if (_tmp != NULL)					\
+			*_tmp = _n;					\
+	} while (0)
+
+#define isc_refcount_increment(rp, tp)					\
+	do {								\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		int _n;							\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		_n = ++(rp)->refs;					\
+		if (_tmp != NULL)					\
+			*_tmp = _n;					\
+	} while (0)
+
+#define isc_refcount_decrement(rp, tp)					\
+	do {								\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		int _n;							\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		_n = --(rp)->refs;					\
+		if (_tmp != NULL)					\
+			*_tmp = _n;					\
+	} while (0)
+
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_refcount_init(isc_refcount_t *ref, unsigned int n);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REFCOUNT_H */
diff --git a/lib/isc/include/isc/regex.h b/lib/isc/include/isc/regex.h
new file mode 100644
index 0000000..cab10c1
--- /dev/null
+++ b/lib/isc/include/isc/regex.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_REGEX_H
+#define ISC_REGEX_H 1
+
+/*! \file isc/regex.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_regex_validate(const char *expression);
+/*%<
+ * Check a regular expression for syntactic correctness.
+ *
+ * Returns:
+ *\li	 -1 on error.
+ *\li	 the number of groups in the expression.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REGEX_H */
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
new file mode 100644
index 0000000..ee01354
--- /dev/null
+++ b/lib/isc/include/isc/region.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_REGION_H
+#define ISC_REGION_H 1
+
+/*! \file isc/region.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+struct isc_region {
+	unsigned char *	base;
+	unsigned int	length;
+};
+
+struct isc_textregion {
+	char *		base;
+	unsigned int	length;
+};
+
+/* XXXDCL questionable ... bears discussion.  we have been putting off
+ * discussing the region api.
+ */
+struct isc_constregion {
+	const void *	base;
+	unsigned int	length;
+};
+
+struct isc_consttextregion {
+	const char *	base;
+	unsigned int	length;
+};
+
+/*@{*/
+/*!
+ * The region structure is not opaque, and is usually directly manipulated.
+ * Some macros are defined below for convenience.
+ */
+
+#define isc_region_consume(r,l) \
+	do { \
+		isc_region_t *_r = (r); \
+		unsigned int _l = (l); \
+		INSIST(_r->length >= _l); \
+		_r->base += _l; \
+		_r->length -= _l; \
+	} while (0)
+
+#define isc_textregion_consume(r,l) \
+	do { \
+		isc_textregion_t *_r = (r); \
+		unsigned int _l = (l); \
+		INSIST(_r->length >= _l); \
+		_r->base += _l; \
+		_r->length -= _l; \
+	} while (0)
+
+#define isc_constregion_consume(r,l) \
+	do { \
+		isc_constregion_t *_r = (r); \
+		unsigned int _l = (l); \
+		INSIST(_r->length >= _l); \
+		_r->base += _l; \
+		_r->length -= _l; \
+	} while (0)
+/*@}*/
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2);
+/*%<
+ * Compares the contents of two regions
+ *
+ * Requires:
+ *\li	'r1' is a valid region
+ *\li	'r2' is a valid region
+ *
+ * Returns:
+ *\li	 < 0 if r1 is lexicographically less than r2
+ *\li	 = 0 if r1 is lexicographically identical to r2
+ *\li	 > 0 if r1 is lexicographically greater than r2
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REGION_H */
diff --git a/lib/isc/include/isc/resource.h b/lib/isc/include/isc/resource.h
new file mode 100644
index 0000000..0179234
--- /dev/null
+++ b/lib/isc/include/isc/resource.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_RESOURCE_H
+#define ISC_RESOURCE_H 1
+
+/*! \file isc/resource.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_RESOURCE_UNLIMITED ((isc_resourcevalue_t)UINT64_MAX)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
+/*%<
+ * Set the maximum limit for a system resource.
+ *
+ * Notes:
+ *\li	If 'value' exceeds the maximum possible on the operating system,
+ *	it is silently limited to that maximum -- or to "infinity", if
+ *	the operating system has that concept.  #ISC_RESOURCE_UNLIMITED
+ *	can be used to explicitly ask for the maximum.
+ *
+ * Requires:
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ *\li	#ISC_R_NOPERM	The calling process did not have adequate permission
+ *			to change the resource limit.
+ */
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
+/*%<
+ * Get the maximum limit for a system resource.
+ *
+ * Notes:
+ *\li	'value' is set to the maximum limit.
+ *
+ *\li	#ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
+ *
+ *\li	On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
+ *	significantly less than #ISC_RESOURCE_UNLIMITED, but which in practice
+ *	behaves the same.
+ *
+ *\li	The current ISC libdns configuration file parser assigns a value
+ *	of UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
+ *	for "default", the latter of which is supposed to represent "the
+ *	limit that was in force when the server started".  Since these are
+ *	valid values in the middle of the range of isc_resourcevalue_t,
+ *	there is the possibility for confusion over what exactly those
+ *	particular values are supposed to represent in a particular context --
+ *	discrete integral values or generalized concepts.
+ *
+ * Requires:
+ *\li	'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ */
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value);
+/*%<
+ * Same as isc_resource_getlimit(), but returns the current (soft) limit.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		Success.
+ *\li	#ISC_R_NOTIMPLEMENTED	'resource' is not a type known by the OS.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESOURCE_H */
+
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
new file mode 100644
index 0000000..246aefb
--- /dev/null
+++ b/lib/isc/include/isc/result.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_RESULT_H
+#define ISC_RESULT_H 1
+
+/*! \file isc/result.h */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_R_SUCCESS			0	/*%< success */
+#define ISC_R_NOMEMORY			1	/*%< out of memory */
+#define ISC_R_TIMEDOUT			2	/*%< timed out */
+#define ISC_R_NOTHREADS			3	/*%< no available threads */
+#define ISC_R_ADDRNOTAVAIL		4	/*%< address not available */
+#define ISC_R_ADDRINUSE			5	/*%< address in use */
+#define ISC_R_NOPERM			6	/*%< permission denied */
+#define ISC_R_NOCONN			7	/*%< no pending connections */
+#define ISC_R_NETUNREACH		8	/*%< network unreachable */
+#define ISC_R_HOSTUNREACH		9	/*%< host unreachable */
+#define ISC_R_NETDOWN			10	/*%< network down */
+#define ISC_R_HOSTDOWN			11	/*%< host down */
+#define ISC_R_CONNREFUSED		12	/*%< connection refused */
+#define ISC_R_NORESOURCES		13	/*%< not enough free resources */
+#define ISC_R_EOF			14	/*%< end of file */
+#define ISC_R_BOUND			15	/*%< socket already bound */
+#define ISC_R_RELOAD			16	/*%< reload */
+#define ISC_R_SUSPEND	      ISC_R_RELOAD	/*%< alias of 'reload' */
+#define ISC_R_LOCKBUSY			17	/*%< lock busy */
+#define ISC_R_EXISTS			18	/*%< already exists */
+#define ISC_R_NOSPACE			19	/*%< ran out of space */
+#define ISC_R_CANCELED			20	/*%< operation canceled */
+#define ISC_R_NOTBOUND			21	/*%< socket is not bound */
+#define ISC_R_SHUTTINGDOWN		22	/*%< shutting down */
+#define ISC_R_NOTFOUND			23	/*%< not found */
+#define ISC_R_UNEXPECTEDEND		24	/*%< unexpected end of input */
+#define ISC_R_FAILURE			25	/*%< generic failure */
+#define ISC_R_IOERROR			26	/*%< I/O error */
+#define ISC_R_NOTIMPLEMENTED		27	/*%< not implemented */
+#define ISC_R_UNBALANCED		28	/*%< unbalanced parentheses */
+#define ISC_R_NOMORE			29	/*%< no more */
+#define ISC_R_INVALIDFILE		30	/*%< invalid file */
+#define ISC_R_BADBASE64			31	/*%< bad base64 encoding */
+#define ISC_R_UNEXPECTEDTOKEN		32	/*%< unexpected token */
+#define ISC_R_QUOTA			33	/*%< quota reached */
+#define ISC_R_UNEXPECTED		34	/*%< unexpected error */
+#define ISC_R_ALREADYRUNNING		35	/*%< already running */
+#define ISC_R_IGNORE			36	/*%< ignore */
+#define ISC_R_MASKNONCONTIG             37	/*%< addr mask not contiguous */
+#define ISC_R_FILENOTFOUND		38	/*%< file not found */
+#define ISC_R_FILEEXISTS		39	/*%< file already exists */
+#define ISC_R_NOTCONNECTED		40	/*%< socket is not connected */
+#define ISC_R_RANGE			41	/*%< out of range */
+#define ISC_R_NOENTROPY			42	/*%< out of entropy */
+#define ISC_R_MULTICAST			43	/*%< invalid use of multicast */
+#define ISC_R_NOTFILE			44	/*%< not a file */
+#define ISC_R_NOTDIRECTORY		45	/*%< not a directory */
+#define ISC_R_QUEUEFULL			46	/*%< queue is full */
+#define ISC_R_FAMILYMISMATCH		47	/*%< address family mismatch */
+#define ISC_R_FAMILYNOSUPPORT		48	/*%< AF not supported */
+#define ISC_R_BADHEX			49	/*%< bad hex encoding */
+#define ISC_R_TOOMANYOPENFILES		50	/*%< too many open files */
+#define ISC_R_NOTBLOCKING		51	/*%< not blocking */
+#define ISC_R_UNBALANCEDQUOTES		52	/*%< unbalanced quotes */
+#define ISC_R_INPROGRESS		53	/*%< operation in progress */
+#define ISC_R_CONNECTIONRESET		54	/*%< connection reset */
+#define ISC_R_SOFTQUOTA			55	/*%< soft quota reached */
+#define ISC_R_BADNUMBER			56	/*%< not a valid number */
+#define ISC_R_DISABLED			57	/*%< disabled */
+#define ISC_R_MAXSIZE			58	/*%< max size */
+#define ISC_R_BADADDRESSFORM		59	/*%< invalid address format */
+#define ISC_R_BADBASE32			60	/*%< bad base32 encoding */
+#define ISC_R_UNSET			61	/*%< unset */
+#define ISC_R_MULTIPLE			62	/*%< multiple */
+#define ISC_R_WOULDBLOCK		63	/*%< would block */
+
+/*% Not a result code: the number of results. */
+#define ISC_R_NRESULTS 			64
+
+ISC_LANG_BEGINDECLS
+
+const char *
+isc_result_totext(isc_result_t);
+/*%<
+ * Convert an isc_result_t into a string message describing the result.
+ */
+
+const char *
+isc_result_toid(isc_result_t);
+/*%<
+ * Convert an isc_result_t into a string identifier such as
+ * "ISC_R_SUCCESS".
+ */
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults,
+		    const char **text, isc_msgcat_t *msgcat, int set);
+
+isc_result_t
+isc_result_registerids(unsigned int base, unsigned int nresults,
+		       const char **ids, isc_msgcat_t *msgcat, int set);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESULT_H */
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
new file mode 100644
index 0000000..08135f4
--- /dev/null
+++ b/lib/isc/include/isc/resultclass.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_RESULTCLASS_H
+#define ISC_RESULTCLASS_H 1
+
+
+/*! \file isc/resultclass.h
+ * \brief Registry of Predefined Result Type Classes
+ *
+ * A result class number is an unsigned 16 bit number.  Each class may
+ * contain up to 65536 results.  A result code is formed by adding the
+ * result number within the class to the class number multiplied by 65536.
+ *
+ * Classes < 1024 are reserved for ISC use.
+ * Result classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#define ISC_RESULTCLASS_FROMNUM(num)		((num) << 16)
+#define ISC_RESULTCLASS_TONUM(rclass)		((rclass) >> 16)
+#define ISC_RESULTCLASS_SIZE			65536
+#define ISC_RESULTCLASS_INCLASS(rclass, result) \
+	((rclass) == ((result) & 0xFFFF0000))
+
+
+#define	ISC_RESULTCLASS_ISC		ISC_RESULTCLASS_FROMNUM(0)
+#define	ISC_RESULTCLASS_DNS		ISC_RESULTCLASS_FROMNUM(1)
+#define	ISC_RESULTCLASS_DST		ISC_RESULTCLASS_FROMNUM(2)
+#define	ISC_RESULTCLASS_DNSRCODE	ISC_RESULTCLASS_FROMNUM(3)
+#define	ISC_RESULTCLASS_OMAPI		ISC_RESULTCLASS_FROMNUM(4)
+#define	ISC_RESULTCLASS_ISCCC		ISC_RESULTCLASS_FROMNUM(5)
+#define	ISC_RESULTCLASS_DHCP		ISC_RESULTCLASS_FROMNUM(6)
+#define	ISC_RESULTCLASS_PK11		ISC_RESULTCLASS_FROMNUM(7)
+
+#endif /* ISC_RESULTCLASS_H */
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
new file mode 100644
index 0000000..b957509
--- /dev/null
+++ b/lib/isc/include/isc/rwlock.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_RWLOCK_H
+#define ISC_RWLOCK_H 1
+
+#include <inttypes.h>
+
+/*! \file isc/rwlock.h */
+
+#include <isc/condition.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#endif
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+	isc_rwlocktype_none = 0,
+	isc_rwlocktype_read,
+	isc_rwlocktype_write
+} isc_rwlocktype_t;
+
+#ifdef ISC_PLATFORM_USETHREADS
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || (defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG))
+#define ISC_RWLOCK_USEATOMIC 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_RWLOCK_USESTDATOMIC 1
+#endif
+#endif
+
+struct isc_rwlock {
+	/* Unlocked. */
+	unsigned int		magic;
+	isc_mutex_t		lock;
+	int32_t		spins;
+
+#if defined(ISC_RWLOCK_USEATOMIC)
+	/*
+	 * When some atomic instructions with hardware assistance are
+	 * available, rwlock will use those so that concurrent readers do not
+	 * interfere with each other through mutex as long as no writers
+	 * appear, massively reducing the lock overhead in the typical case.
+	 *
+	 * The basic algorithm of this approach is the "simple
+	 * writer-preference lock" shown in the following URL:
+	 * http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+	 * but our implementation does not rely on the spin lock unlike the
+	 * original algorithm to be more portable as a user space application.
+	 */
+
+	/* Read or modified atomically. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	atomic_int_fast32_t	write_requests;
+	atomic_int_fast32_t	write_completions;
+	atomic_int_fast32_t	cnt_and_flag;
+#else
+	int32_t		write_requests;
+	int32_t		write_completions;
+	int32_t		cnt_and_flag;
+#endif
+
+	/* Locked by lock. */
+	isc_condition_t		readable;
+	isc_condition_t		writeable;
+	unsigned int		readers_waiting;
+
+	/* Locked by rwlock itself. */
+	unsigned int		write_granted;
+
+	/* Unlocked. */
+	unsigned int		write_quota;
+
+#else  /* ISC_RWLOCK_USEATOMIC */
+
+	/*%< Locked by lock. */
+	isc_condition_t		readable;
+	isc_condition_t		writeable;
+	isc_rwlocktype_t	type;
+
+	/*% The number of threads that have the lock. */
+	unsigned int		active;
+
+	/*%
+	 * The number of lock grants made since the lock was last switched
+	 * from reading to writing or vice versa; used in determining
+	 * when the quota is reached and it is time to switch.
+	 */
+	unsigned int		granted;
+
+	unsigned int		readers_waiting;
+	unsigned int		writers_waiting;
+	unsigned int		read_quota;
+	unsigned int		write_quota;
+	isc_rwlocktype_t	original;
+#endif  /* ISC_RWLOCK_USEATOMIC */
+};
+#else /* ISC_PLATFORM_USETHREADS */
+struct isc_rwlock {
+	unsigned int		magic;
+	isc_rwlocktype_t	type;
+	unsigned int		active;
+};
+#endif /* ISC_PLATFORM_USETHREADS */
+
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota);
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RWLOCK_H */
diff --git a/lib/isc/include/isc/safe.h b/lib/isc/include/isc/safe.h
new file mode 100644
index 0000000..66ed08b
--- /dev/null
+++ b/lib/isc/include/isc/safe.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SAFE_H
+#define ISC_SAFE_H 1
+
+/*! \file isc/safe.h */
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+#include <stdlib.h>
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_safe_memequal(const void *s1, const void *s2, size_t n);
+/*%<
+ * Returns true iff. two blocks of memory are equal, otherwise
+ * false.
+ *
+ */
+
+int
+isc_safe_memcompare(const void *b1, const void *b2, size_t len);
+/*%<
+ * Clone of libc memcmp() which is safe to differential timing attacks.
+ */
+
+void
+isc_safe_memwipe(void *ptr, size_t len);
+/*%<
+ * Clear the memory of length `len` pointed to by `ptr`.
+ *
+ * Some crypto code calls memset() on stack allocated buffers just
+ * before return so that they are wiped. Such memset() calls can be
+ * optimized away by the compiler. We provide this external non-inline C
+ * function to perform the memset operation so that the compiler cannot
+ * infer about what the function does and optimize the call away.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SAFE_H */
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
new file mode 100644
index 0000000..2c6923f
--- /dev/null
+++ b/lib/isc/include/isc/serial.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SERIAL_H
+#define ISC_SERIAL_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*! \file isc/serial.h
+ *	\brief Implement 32 bit serial space arithmetic comparison functions.
+ *	Note: Undefined results are returned as false.
+ */
+
+/***
+ ***	Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_serial_lt(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' < 'b' otherwise false.
+ */
+
+bool
+isc_serial_gt(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' > 'b' otherwise false.
+ */
+
+bool
+isc_serial_le(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' <= 'b' otherwise false.
+ */
+
+bool
+isc_serial_ge(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' >= 'b' otherwise false.
+ */
+
+bool
+isc_serial_eq(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' == 'b' otherwise false.
+ */
+
+bool
+isc_serial_ne(uint32_t a, uint32_t b);
+/*%<
+ *	Return true if 'a' != 'b' otherwise false.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SERIAL_H */
diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
new file mode 100644
index 0000000..02bca12
--- /dev/null
+++ b/lib/isc/include/isc/sha1.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SHA1_H
+#define ISC_SHA1_H 1
+
+/*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
+
+/*! \file isc/sha1.h
+ * \brief SHA-1 in C
+ * \author By Steve Reid <steve@edmweb.com>
+ * \note 100% Public Domain
+ */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define ISC_SHA1_DIGESTLENGTH 20U
+#define ISC_SHA1_BLOCK_LENGTH 64U
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+
+typedef struct {
+	EVP_MD_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_MD_CTX _ctx;
+#endif
+} isc_sha1_t;
+
+#elif PKCS11CRYPTO
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_sha1_t;
+
+#else
+
+typedef struct {
+	uint32_t state[5];
+	uint32_t count[2];
+	unsigned char buffer[ISC_SHA1_BLOCK_LENGTH];
+} isc_sha1_t;
+#endif
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_sha1_init(isc_sha1_t *ctx);
+
+void
+isc_sha1_invalidate(isc_sha1_t *ctx);
+
+void
+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *data, unsigned int len);
+
+void
+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest);
+
+bool
+isc_sha1_check(bool testing);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SHA1_H */
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
new file mode 100644
index 0000000..f9e1be3
--- /dev/null
+++ b/lib/isc/include/isc/sha2.h
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*	$FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $	*/
+/*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
+
+/*
+ * sha2.h
+ *
+ * Version 1.0.0beta1
+ *
+ * Written by Aaron D. Gifford <me@aarongifford.com>
+ *
+ * Copyright 2000 Aaron D. Gifford.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+#ifndef ISC_SHA2_H
+#define ISC_SHA2_H
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*** SHA-224/256/384/512 Various Length Definitions ***********************/
+
+#define ISC_SHA224_BLOCK_LENGTH		64U
+#define ISC_SHA224_DIGESTLENGTH	28U
+#define ISC_SHA224_DIGESTSTRINGLENGTH	(ISC_SHA224_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA256_BLOCK_LENGTH		64U
+#define ISC_SHA256_DIGESTLENGTH	32U
+#define ISC_SHA256_DIGESTSTRINGLENGTH	(ISC_SHA256_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA384_BLOCK_LENGTH		128
+#define ISC_SHA384_DIGESTLENGTH	48U
+#define ISC_SHA384_DIGESTSTRINGLENGTH	(ISC_SHA384_DIGESTLENGTH * 2 + 1)
+#define ISC_SHA512_BLOCK_LENGTH		128U
+#define ISC_SHA512_DIGESTLENGTH	64U
+#define ISC_SHA512_DIGESTSTRINGLENGTH	(ISC_SHA512_DIGESTLENGTH * 2 + 1)
+
+/*** SHA-256/384/512 Context Structures *******************************/
+
+#if defined(ISC_PLATFORM_OPENSSLHASH)
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+#endif
+
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+
+
+typedef struct {
+	EVP_MD_CTX *ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+	EVP_MD_CTX _ctx;
+#endif
+} isc_sha2_t;
+
+typedef isc_sha2_t isc_sha256_t;
+typedef isc_sha2_t isc_sha512_t;
+
+#elif PKCS11CRYPTO
+#include <pk11/pk11.h>
+
+typedef pk11_context_t isc_sha256_t;
+typedef pk11_context_t isc_sha512_t;
+
+#else
+
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
+typedef struct {
+	uint32_t	state[8];
+	uint64_t	bitcount;
+	uint8_t	buffer[ISC_SHA256_BLOCK_LENGTH];
+} isc_sha256_t;
+
+/*
+ * Keep buffer immediately after bitcount to preserve alignment.
+ */
+typedef struct {
+	uint64_t	state[8];
+	uint64_t	bitcount[2];
+	uint8_t	buffer[ISC_SHA512_BLOCK_LENGTH];
+} isc_sha512_t;
+#endif
+
+typedef isc_sha256_t isc_sha224_t;
+typedef isc_sha512_t isc_sha384_t;
+
+ISC_LANG_BEGINDECLS
+
+/*** SHA-224/256/384/512 Function Prototypes ******************************/
+
+void isc_sha224_init (isc_sha224_t *);
+void isc_sha224_invalidate (isc_sha224_t *);
+void isc_sha224_update (isc_sha224_t *, const uint8_t *, size_t);
+void isc_sha224_final (uint8_t[ISC_SHA224_DIGESTLENGTH], isc_sha224_t *);
+char *isc_sha224_end (isc_sha224_t *, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
+char *isc_sha224_data (const uint8_t *, size_t, char[ISC_SHA224_DIGESTSTRINGLENGTH]);
+
+void isc_sha256_init (isc_sha256_t *);
+void isc_sha256_invalidate (isc_sha256_t *);
+void isc_sha256_update (isc_sha256_t *, const uint8_t *, size_t);
+void isc_sha256_final (uint8_t[ISC_SHA256_DIGESTLENGTH], isc_sha256_t *);
+char *isc_sha256_end (isc_sha256_t *, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
+char *isc_sha256_data (const uint8_t *, size_t, char[ISC_SHA256_DIGESTSTRINGLENGTH]);
+
+void isc_sha384_init (isc_sha384_t *);
+void isc_sha384_invalidate (isc_sha384_t *);
+void isc_sha384_update (isc_sha384_t *, const uint8_t *, size_t);
+void isc_sha384_final (uint8_t[ISC_SHA384_DIGESTLENGTH], isc_sha384_t *);
+char *isc_sha384_end (isc_sha384_t *, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
+char *isc_sha384_data (const uint8_t *, size_t, char[ISC_SHA384_DIGESTSTRINGLENGTH]);
+
+void isc_sha512_init (isc_sha512_t *);
+void isc_sha512_invalidate (isc_sha512_t *);
+void isc_sha512_update (isc_sha512_t *, const uint8_t *, size_t);
+void isc_sha512_final (uint8_t[ISC_SHA512_DIGESTLENGTH], isc_sha512_t *);
+char *isc_sha512_end (isc_sha512_t *, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
+char *isc_sha512_data (const uint8_t *, size_t, char[ISC_SHA512_DIGESTSTRINGLENGTH]);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SHA2_H */
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
new file mode 100644
index 0000000..478e77c
--- /dev/null
+++ b/lib/isc/include/isc/sockaddr.h
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SOCKADDR_H
+#define ISC_SOCKADDR_H 1
+
+/*! \file isc/sockaddr.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif
+
+struct isc_sockaddr {
+	union {
+		struct sockaddr		sa;
+		struct sockaddr_in	sin;
+		struct sockaddr_in6	sin6;
+		struct sockaddr_storage ss;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		struct sockaddr_un	sunix;
+#endif
+	}				type;
+	unsigned int			length;		/* XXXRTH beginning? */
+	ISC_LINK(struct isc_sockaddr)	link;
+};
+
+#define ISC_SOCKADDR_CMPADDR	  0x0001	/*%< compare the address
+						 *   sin_addr/sin6_addr */
+#define ISC_SOCKADDR_CMPPORT 	  0x0002	/*%< compare the port
+						 *   sin_port/sin6_port */
+#define ISC_SOCKADDR_CMPSCOPE     0x0004	/*%< compare the scope
+						 *   sin6_scope */
+#define ISC_SOCKADDR_CMPSCOPEZERO 0x0008	/*%< when comparing scopes
+						 *   zero scopes always match */
+
+ISC_LANG_BEGINDECLS
+
+bool
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags);
+/*%<
+ * Compare the elements of the two address ('a' and 'b') as specified
+ * by 'flags' and report if they are equal or not.
+ *
+ * 'flags' is set from ISC_SOCKADDR_CMP*.
+ */
+
+bool
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*%<
+ * Return true iff the socket addresses 'a' and 'b' are equal.
+ */
+
+bool
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*%<
+ * Return true iff the address parts of the socket addresses
+ * 'a' and 'b' are equal, ignoring the ports.
+ */
+
+bool
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+			  unsigned int prefixlen);
+/*%<
+ * Return true iff the most significant 'prefixlen' bits of the
+ * socket addresses 'a' and 'b' are equal, ignoring the ports.
+ * If 'b''s scope is zero then 'a''s scope will be ignored.
+ */
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, bool address_only);
+/*%<
+ * Return a hash value for the socket address 'sockaddr'.  If 'address_only'
+ * is true, the hash value will not depend on the port.
+ *
+ * IPv6 addresses containing mapped IPv4 addresses generate the same hash
+ * value as the equivalent IPv4 address.
+ */
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr);
+/*%<
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
+/*%<
+ * Return the IPv6 wildcard address.
+ */
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
+/*%<
+ * Set '*sockaddr' to the wildcard address of protocol family
+ * 'family'.
+ *
+ * Requires:
+ * \li	'family' is AF_INET or AF_INET6.
+ */
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		    in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an IPv4 address and port.
+ */
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+		     in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an IPv6 address and port.
+ */
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		      in_port_t port);
+/*%<
+ * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
+ */
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+			 in_port_t port);
+/*%<
+ * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
+ */
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Get the protocol family of 'sockaddr'.
+ *
+ * Requires:
+ *
+ *\li	'sockaddr' is a valid sockaddr with an address family of AF_INET
+ *	or AF_INET6.
+ *
+ * Returns:
+ *
+ *\li	The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
+ */
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
+/*%<
+ * Set the port of 'sockaddr' to 'port'.
+ */
+
+in_port_t
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr);
+/*%<
+ * Get the port stored in 'sockaddr'.
+ */
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
+/*%<
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text will include both the IP address (v4 or v6) and the port.
+ * The text is null terminated, but the terminating null is not
+ * part of the buffer's used region.
+ *
+ * Returns:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOSPACE	The text or the null termination did not fit.
+ */
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
+/*%<
+ * Format a human-readable representation of the socket address '*sa'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+bool
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sa);
+/*%<
+ * Returns #true if the address is a multicast address.
+ */
+
+bool
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
+/*
+ * Returns true if the address is a experimental (CLASS E) address.
+ */
+
+bool
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is a link local address.
+ */
+
+bool
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is a sitelocal address.
+ */
+
+bool
+isc_sockaddr_isnetzero(const isc_sockaddr_t *sa);
+/*%<
+ * Returns true if the address is in net zero.
+ */
+
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path);
+/*
+ *  Create a UNIX domain sockaddr that refers to path.
+ *
+ * Returns:
+ * \li	ISC_R_NOSPACE
+ * \li	ISC_R_NOTIMPLEMENTED
+ * \li	ISC_R_SUCCESS
+ */
+
+#define ISC_SOCKADDR_FORMATSIZE \
+	sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS#YYYYY")
+/*%<
+ * Minimum size of array to pass to isc_sockaddr_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKADDR_H */
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
new file mode 100644
index 0000000..574de2a
--- /dev/null
+++ b/lib/isc/include/isc/socket.h
@@ -0,0 +1,1272 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_SOCKET_H
+#define ISC_SOCKET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/socket.h
+ * \brief Provides TCP and UDP sockets for network I/O.  The sockets are event
+ * sources in the task system.
+ *
+ * When I/O completes, a completion event for the socket is posted to the
+ * event queue of the task which requested the I/O.
+ *
+ * \li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	Clients of this module must not be holding a socket's task's lock when
+ *	making a call that affects that socket.  Failure to follow this rule
+ *	can result in deadlock.
+ *	The caller must ensure that isc_socketmgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/json.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/time.h>
+#include <isc/types.h>
+#include <isc/xml.h>
+
+#ifdef WIN32
+
+/* from the old namespace.h */
+
+#define isc_socket_create isc__socket_create
+#define isc_socket_dup isc__socket_dup
+#define isc_socket_attach isc__socket_attach
+#define isc_socket_detach isc__socket_detach
+#define isc_socketmgr_create isc__socketmgr_create
+#define isc_socketmgr_create2 isc__socketmgr_create2
+#define isc_socketmgr_destroy isc__socketmgr_destroy
+#define isc_socket_open isc__socket_open
+#define isc_socket_close isc__socket_close
+#define isc_socket_recvv isc__socket_recvv
+#define isc_socket_recv isc__socket_recv
+#define isc_socket_recv2 isc__socket_recv2
+#define isc_socket_send isc__socket_send
+#define isc_socket_sendto isc__socket_sendto
+#define isc_socket_sendv isc__socket_sendv
+#define isc_socket_sendtov isc__socket_sendtov
+#define isc_socket_sendtov2 isc__socket_sendtov2
+#define isc_socket_sendto2 isc__socket_sendto2
+#define isc_socket_cleanunix isc__socket_cleanunix
+#define isc_socket_permunix isc__socket_permunix
+#define isc_socket_bind isc__socket_bind
+#define isc_socket_filter isc__socket_filter
+#define isc_socket_listen isc__socket_listen
+#define isc_socket_accept isc__socket_accept
+#define isc_socket_connect isc__socket_connect
+#define isc_socket_getfd isc__socket_getfd
+#define isc_socket_getname isc__socket_getname
+#define isc_socket_gettag isc__socket_gettag
+#define isc_socket_getpeername isc__socket_getpeername
+#define isc_socket_getsockname isc__socket_getsockname
+#define isc_socket_cancel isc__socket_cancel
+#define isc_socket_gettype isc__socket_gettype
+#define isc_socket_isbound isc__socket_isbound
+#define isc_socket_ipv6only isc__socket_ipv6only
+#define isc_socket_setname isc__socket_setname
+#define isc_socketmgr_getmaxsockets isc__socketmgr_getmaxsockets
+#define isc_socketmgr_setstats isc__socketmgr_setstats
+#define isc_socketmgr_setreserved isc__socketmgr_setreserved
+#define isc__socketmgr_maxudp isc___socketmgr_maxudp
+#define isc_socket_fdwatchcreate isc__socket_fdwatchcreate
+#define isc_socket_fdwatchpoke isc__socket_fdwatchpoke
+#define isc_socket_dscp isc__socket_dscp
+
+#endif
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Constants
+ ***/
+
+/*%
+ * Maximum number of buffers in a scatter/gather read/write.  The operating
+ * system in use must support at least this number (plus one on some.)
+ */
+#define ISC_SOCKET_MAXSCATTERGATHER	8
+
+/*%
+ * In isc_socket_bind() set socket option SO_REUSEADDR prior to calling
+ * bind() if a non zero port is specified (AF_INET and AF_INET6).
+ */
+#define ISC_SOCKET_REUSEADDRESS		0x01U
+
+/*%
+ * Statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	isc_sockstatscounter_udp4open = 0,
+	isc_sockstatscounter_udp6open = 1,
+	isc_sockstatscounter_tcp4open = 2,
+	isc_sockstatscounter_tcp6open = 3,
+	isc_sockstatscounter_unixopen = 4,
+
+	isc_sockstatscounter_udp4openfail = 5,
+	isc_sockstatscounter_udp6openfail = 6,
+	isc_sockstatscounter_tcp4openfail = 7,
+	isc_sockstatscounter_tcp6openfail = 8,
+	isc_sockstatscounter_unixopenfail = 9,
+
+	isc_sockstatscounter_udp4close = 10,
+	isc_sockstatscounter_udp6close = 11,
+	isc_sockstatscounter_tcp4close = 12,
+	isc_sockstatscounter_tcp6close = 13,
+	isc_sockstatscounter_unixclose = 14,
+	isc_sockstatscounter_fdwatchclose = 15,
+
+	isc_sockstatscounter_udp4bindfail = 16,
+	isc_sockstatscounter_udp6bindfail = 17,
+	isc_sockstatscounter_tcp4bindfail = 18,
+	isc_sockstatscounter_tcp6bindfail = 19,
+	isc_sockstatscounter_unixbindfail = 20,
+	isc_sockstatscounter_fdwatchbindfail = 21,
+
+	isc_sockstatscounter_udp4connect = 22,
+	isc_sockstatscounter_udp6connect = 23,
+	isc_sockstatscounter_tcp4connect = 24,
+	isc_sockstatscounter_tcp6connect = 25,
+	isc_sockstatscounter_unixconnect = 26,
+	isc_sockstatscounter_fdwatchconnect = 27,
+
+	isc_sockstatscounter_udp4connectfail = 28,
+	isc_sockstatscounter_udp6connectfail = 29,
+	isc_sockstatscounter_tcp4connectfail = 30,
+	isc_sockstatscounter_tcp6connectfail = 31,
+	isc_sockstatscounter_unixconnectfail = 32,
+	isc_sockstatscounter_fdwatchconnectfail = 33,
+
+	isc_sockstatscounter_tcp4accept = 34,
+	isc_sockstatscounter_tcp6accept = 35,
+	isc_sockstatscounter_unixaccept = 36,
+
+	isc_sockstatscounter_tcp4acceptfail = 37,
+	isc_sockstatscounter_tcp6acceptfail = 38,
+	isc_sockstatscounter_unixacceptfail = 39,
+
+	isc_sockstatscounter_udp4sendfail = 40,
+	isc_sockstatscounter_udp6sendfail = 41,
+	isc_sockstatscounter_tcp4sendfail = 42,
+	isc_sockstatscounter_tcp6sendfail = 43,
+	isc_sockstatscounter_unixsendfail = 44,
+	isc_sockstatscounter_fdwatchsendfail = 45,
+
+	isc_sockstatscounter_udp4recvfail = 46,
+	isc_sockstatscounter_udp6recvfail = 47,
+	isc_sockstatscounter_tcp4recvfail = 48,
+	isc_sockstatscounter_tcp6recvfail = 49,
+	isc_sockstatscounter_unixrecvfail = 50,
+	isc_sockstatscounter_fdwatchrecvfail = 51,
+
+	isc_sockstatscounter_udp4active = 52,
+	isc_sockstatscounter_udp6active = 53,
+	isc_sockstatscounter_tcp4active = 54,
+	isc_sockstatscounter_tcp6active = 55,
+	isc_sockstatscounter_unixactive = 56,
+
+	isc_sockstatscounter_rawopen = 57,
+	isc_sockstatscounter_rawopenfail = 58,
+	isc_sockstatscounter_rawclose = 59,
+	isc_sockstatscounter_rawrecvfail = 60,
+	isc_sockstatscounter_rawactive = 61,
+
+	isc_sockstatscounter_max = 62
+};
+
+/***
+ *** Types
+ ***/
+
+struct isc_socketevent {
+	ISC_EVENT_COMMON(isc_socketevent_t);
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
+	unsigned int		minimum;	/*%< minimum i/o for event */
+	unsigned int		n;		/*%< bytes read or written */
+	unsigned int		offset;		/*%< offset into buffer list */
+	isc_region_t		region;		/*%< for single-buffer i/o */
+	isc_bufferlist_t	bufferlist;	/*%< list of buffers */
+	isc_sockaddr_t		address;	/*%< source address */
+	isc_time_t		timestamp;	/*%< timestamp of packet recv */
+	struct in6_pktinfo	pktinfo;	/*%< ipv6 pktinfo */
+	uint32_t		attributes;	/*%< see below */
+	isc_eventdestructor_t   destroy;	/*%< original destructor */
+	unsigned int		dscp;		/*%< UDP dscp value */
+};
+
+typedef struct isc_socket_newconnev isc_socket_newconnev_t;
+struct isc_socket_newconnev {
+	ISC_EVENT_COMMON(isc_socket_newconnev_t);
+	isc_socket_t *		newsocket;
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
+	isc_sockaddr_t		address;	/*%< source address */
+};
+
+typedef struct isc_socket_connev isc_socket_connev_t;
+struct isc_socket_connev {
+	ISC_EVENT_COMMON(isc_socket_connev_t);
+	isc_result_t		result;		/*%< OK, EOF, whatever else */
+};
+
+/*@{*/
+/*!
+ * _ATTACHED:	Internal use only.
+ * _TRUNC:	Packet was truncated on receive.
+ * _CTRUNC:	Packet control information was truncated.  This can
+ *		indicate that the packet is not complete, even though
+ *		all the data is valid.
+ * _TIMESTAMP:	The timestamp member is valid.
+ * _PKTINFO:	The pktinfo member is valid.
+ * _MULTICAST:	The UDP packet was received via a multicast transmission.
+ * _DSCP:	The UDP DSCP value is valid.
+ * _USEMINMTU:	Set the per packet IPV6_USE_MIN_MTU flag.
+ */
+#define ISC_SOCKEVENTATTR_ATTACHED		0x10000000U /* internal */
+#define ISC_SOCKEVENTATTR_TRUNC			0x00800000U /* public */
+#define ISC_SOCKEVENTATTR_CTRUNC		0x00400000U /* public */
+#define ISC_SOCKEVENTATTR_TIMESTAMP		0x00200000U /* public */
+#define ISC_SOCKEVENTATTR_PKTINFO		0x00100000U /* public */
+#define ISC_SOCKEVENTATTR_MULTICAST		0x00080000U /* public */
+#define ISC_SOCKEVENTATTR_DSCP			0x00040000U /* public */
+#define ISC_SOCKEVENTATTR_USEMINMTU		0x00020000U /* public */
+/*@}*/
+
+#define ISC_SOCKEVENT_ANYEVENT  (0)
+#define ISC_SOCKEVENT_RECVDONE	(ISC_EVENTCLASS_SOCKET + 1)
+#define ISC_SOCKEVENT_SENDDONE	(ISC_EVENTCLASS_SOCKET + 2)
+#define ISC_SOCKEVENT_NEWCONN	(ISC_EVENTCLASS_SOCKET + 3)
+#define ISC_SOCKEVENT_CONNECT	(ISC_EVENTCLASS_SOCKET + 4)
+
+/*
+ * Internal events.
+ */
+#define ISC_SOCKEVENT_INTR	(ISC_EVENTCLASS_SOCKET + 256)
+#define ISC_SOCKEVENT_INTW	(ISC_EVENTCLASS_SOCKET + 257)
+
+typedef enum {
+	isc_sockettype_udp = 1,
+	isc_sockettype_tcp = 2,
+	isc_sockettype_unix = 3,
+	isc_sockettype_fdwatch = 4,
+	isc_sockettype_raw = 5
+} isc_sockettype_t;
+
+/*@{*/
+/*!
+ * How a socket should be shutdown in isc_socket_shutdown() calls.
+ */
+#define ISC_SOCKSHUT_RECV	0x00000001	/*%< close read side */
+#define ISC_SOCKSHUT_SEND	0x00000002	/*%< close write side */
+#define ISC_SOCKSHUT_ALL	0x00000003	/*%< close them all */
+/*@}*/
+
+/*@{*/
+/*!
+ * What I/O events to cancel in isc_socket_cancel() calls.
+ */
+#define ISC_SOCKCANCEL_RECV	0x00000001	/*%< cancel recv */
+#define ISC_SOCKCANCEL_SEND	0x00000002	/*%< cancel send */
+#define ISC_SOCKCANCEL_ACCEPT	0x00000004	/*%< cancel accept */
+#define ISC_SOCKCANCEL_CONNECT	0x00000008	/*%< cancel connect */
+#define ISC_SOCKCANCEL_ALL	0x0000000f	/*%< cancel everything */
+/*@}*/
+
+/*@{*/
+/*!
+ * Flags for isc_socket_send() and isc_socket_recv() calls.
+ */
+#define ISC_SOCKFLAG_IMMEDIATE	0x00000001	/*%< send event only if needed */
+#define ISC_SOCKFLAG_NORETRY	0x00000002	/*%< drop failed UDP sends */
+/*@}*/
+
+/*@{*/
+/*!
+ * Flags for fdwatchcreate.
+ */
+#define ISC_SOCKFDWATCH_READ	0x00000001	/*%< watch for readable */
+#define ISC_SOCKFDWATCH_WRITE	0x00000002	/*%< watch for writable */
+/*@}*/
+
+/*% Socket and socket manager methods */
+typedef struct isc_socketmgrmethods {
+	void		(*destroy)(isc_socketmgr_t **managerp);
+	isc_result_t	(*socketcreate)(isc_socketmgr_t *manager, int pf,
+					isc_sockettype_t type,
+					isc_socket_t **socketp);
+	isc_result_t    (*fdwatchcreate)(isc_socketmgr_t *manager, int fd,
+					 int flags,
+					 isc_sockfdwatch_t callback,
+					 void *cbarg, isc_task_t *task,
+					 isc_socket_t **socketp);
+} isc_socketmgrmethods_t;
+
+typedef struct isc_socketmethods {
+	void		(*attach)(isc_socket_t *socket,
+				  isc_socket_t **socketp);
+	void		(*detach)(isc_socket_t **socketp);
+	isc_result_t	(*bind)(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+				unsigned int options);
+	isc_result_t	(*sendto)(isc_socket_t *sock, isc_region_t *region,
+				  isc_task_t *task, isc_taskaction_t action,
+				  void *arg, isc_sockaddr_t *address,
+				  struct in6_pktinfo *pktinfo);
+	isc_result_t	(*sendto2)(isc_socket_t *sock, isc_region_t *region,
+				   isc_task_t *task, isc_sockaddr_t *address,
+				   struct in6_pktinfo *pktinfo,
+				   isc_socketevent_t *event,
+				   unsigned int flags);
+	isc_result_t	(*connect)(isc_socket_t *sock, isc_sockaddr_t *addr,
+				   isc_task_t *task, isc_taskaction_t action,
+				   void *arg);
+	isc_result_t	(*recv)(isc_socket_t *sock, isc_region_t *region,
+				unsigned int minimum, isc_task_t *task,
+				isc_taskaction_t action, void *arg);
+	isc_result_t	(*recv2)(isc_socket_t *sock, isc_region_t *region,
+				 unsigned int minimum, isc_task_t *task,
+				 isc_socketevent_t *event, unsigned int flags);
+	void		(*cancel)(isc_socket_t *sock, isc_task_t *task,
+				  unsigned int how);
+	isc_result_t	(*getsockname)(isc_socket_t *sock,
+				       isc_sockaddr_t *addressp);
+	isc_sockettype_t (*gettype)(isc_socket_t *sock);
+	void		(*ipv6only)(isc_socket_t *sock, bool yes);
+	isc_result_t    (*fdwatchpoke)(isc_socket_t *sock, int flags);
+	isc_result_t		(*dup)(isc_socket_t *socket,
+				  isc_socket_t **socketp);
+	int 		(*getfd)(isc_socket_t *socket);
+	void 		(*dscp)(isc_socket_t *socket, isc_dscp_t dscp);
+} isc_socketmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a socket manager
+ * object implementation's version of an isc_socketmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  socket implementations
+ * may change the structure.  'magic' must be ISCAPI_SOCKETMGR_MAGIC for any
+ * of the isc_socket_ routines to work.  socket implementations must maintain
+ * all socket invariants.
+ * In effect, this definition is used only for non-BIND9 version ("export")
+ * of the library, and the export version does not work for win32.  So, to avoid
+ * the definition conflict with win32/socket.c, we enable this definition only
+ * for non-Win32 (i.e. Unix) platforms.
+ */
+#ifndef WIN32
+struct isc_socketmgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_socketmgrmethods_t	*methods;
+};
+#endif
+
+#define ISCAPI_SOCKETMGR_MAGIC		ISC_MAGIC('A','s','m','g')
+#define ISCAPI_SOCKETMGR_VALID(m)	((m) != NULL && \
+					 (m)->magic == ISCAPI_SOCKETMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a socket object.  The same note as
+ * that for the socketmgr structure applies.
+ */
+#ifndef WIN32
+struct isc_socket {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_socketmethods_t	*methods;
+};
+#endif
+
+#define ISCAPI_SOCKET_MAGIC	ISC_MAGIC('A','s','c','t')
+#define ISCAPI_SOCKET_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_SOCKET_MAGIC)
+
+/***
+ *** Socket and Socket Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result.
+ ***/
+
+isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
+			 int fd,
+			 int flags,
+			 isc_sockfdwatch_t callback,
+			 void *cbarg,
+			 isc_task_t *task,
+			 isc_socket_t **socketp);
+/*%<
+ * Create a new file descriptor watch socket managed by 'manager'.
+ *
+ * Note:
+ *
+ *\li   'fd' is the already-opened file descriptor (must be less
+ * 	than maxsockets).
+ *\li	This function is not available on Windows.
+ *\li	The callback function is called "in-line" - this means the function
+ *	needs to return as fast as possible, as all other I/O will be suspended
+ *	until the callback completes.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'socketp' is a valid pointer, and *socketp == NULL
+ *
+ *\li	'fd' be opened.
+ *
+ * Ensures:
+ *
+ *	'*socketp' is attached to the newly created fdwatch socket
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NORESOURCES
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_RANGE
+ */
+
+isc_result_t
+isc_socket_fdwatchpoke(isc_socket_t *sock,
+		       int flags);
+/*%<
+ * Poke a file descriptor watch socket informing the manager that it
+ * should restart watching the socket
+ *
+ * Note:
+ *
+ *\li   'sock' is the socket returned by isc_socket_fdwatchcreate
+ *
+ *\li   'flags' indicates what the manager should watch for on the socket
+ *      in addition to what it may already be watching.  It can be one or
+ *      both of ISC_SOCKFDWATCH_READ and ISC_SOCKFDWATCH_WRITE.  To
+ *      temporarily disable watching on a socket the value indicating
+ *      no more data should be returned from the call back routine.
+ *
+ *\li	This function is not available on Windows.
+ *
+ * Requires:
+ *
+ *\li	'sock' is a valid isc socket
+ *
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager,
+		  int pf,
+		  isc_sockettype_t type,
+		  isc_socket_t **socketp);
+/*%<
+ * Create a new 'type' socket managed by 'manager'.
+ *
+ * For isc_sockettype_fdwatch sockets you should use isc_socket_fdwatchcreate()
+ * rather than isc_socket_create().
+ *
+ * Note:
+ *
+ *\li	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'socketp' is a valid pointer, and *socketp == NULL
+ *
+ *\li	'type' is not isc_sockettype_fdwatch
+ *
+ * Ensures:
+ *
+ *	'*socketp' is attached to the newly created socket
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NORESOURCES
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_dup(isc_socket_t *sock0, isc_socket_t **socketp);
+/*%<
+ * Duplicate an existing socket, reusing its file descriptor.
+ */
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
+		  unsigned int how);
+/*%<
+ * Cancel pending I/O of the type specified by "how".
+ *
+ * Note: if "task" is NULL, then the cancel applies to all tasks using the
+ * socket.
+ *
+ * Requires:
+ *
+ * \li	"socket" is a valid socket
+ *
+ * \li	"task" is NULL or a valid task
+ *
+ * "how" is a bitmask describing the type of cancelation to perform.
+ * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
+ * socket.
+ *
+ * \li ISC_SOCKCANCEL_RECV:
+ *	Cancel pending isc_socket_recv() calls.
+ *
+ * \li ISC_SOCKCANCEL_SEND:
+ *	Cancel pending isc_socket_send() and isc_socket_sendto() calls.
+ *
+ * \li ISC_SOCKCANCEL_ACCEPT:
+ *	Cancel pending isc_socket_accept() calls.
+ *
+ * \li ISC_SOCKCANCEL_CONNECT:
+ *	Cancel pending isc_socket_connect() call.
+ */
+
+void
+isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
+/*%<
+ * Shutdown 'socket' according to 'how'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * \li	'task' is NULL or is a valid task.
+ *
+ * \li	If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
+ *
+ *		The read queue must be empty.
+ *
+ *		No further read requests may be made.
+ *
+ * \li	If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
+ *
+ *		The write queue must be empty.
+ *
+ *		No further write requests may be made.
+ */
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+/*%<
+ * Attach *socketp to socket.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * \li	'socketp' points to a NULL socket.
+ *
+ * Ensures:
+ *
+ * \li	*socketp is attached to socket.
+ */
+
+void
+isc_socket_detach(isc_socket_t **socketp);
+/*%<
+ * Detach *socketp from its socket.
+ *
+ * Requires:
+ *
+ * \li	'socketp' points to a valid socket.
+ *
+ * \li	If '*socketp' is the last reference to the socket,
+ *	then:
+ *
+ *		There must be no pending I/O requests.
+ *
+ * Ensures:
+ *
+ * \li	*socketp is NULL.
+ *
+ * \li	If '*socketp' is the last reference to the socket,
+ *	then:
+ *
+ *		The socket will be shutdown (both reading and writing)
+ *		for all tasks.
+ *
+ *		All resources used by the socket have been freed
+ */
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock);
+/*%<
+ * Open a new socket file descriptor of the given socket structure.  It simply
+ * opens a new descriptor; all of the other parameters including the socket
+ * type are inherited from the existing socket.  This function is provided to
+ * avoid overhead of destroying and creating sockets when many short-lived
+ * sockets are frequently opened and closed.  When the efficiency is not an
+ * issue, it should be safer to detach the unused socket and re-create a new
+ * one.  This optimization may not be available for some systems, in which
+ * case this function will return ISC_R_NOTIMPLEMENTED and must not be used.
+ *
+ * isc_socket_open() should not be called on sockets created by
+ * isc_socket_fdwatchcreate().
+ *
+ * Requires:
+ *
+ * \li	there must be no other reference to this socket.
+ *
+ * \li	'socket' is a valid and previously closed by isc_socket_close()
+ *
+ * \li  'sock->type' is not isc_sockettype_fdwatch
+ *
+ * Returns:
+ *	Same as isc_socket_create().
+ * \li	ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock);
+/*%<
+ * Close a socket file descriptor of the given socket structure.  This function
+ * is provided as an alternative to destroying an unused socket when overhead
+ * destroying/re-creating sockets can be significant, and is expected to be
+ * used with isc_socket_open().  This optimization may not be available for some
+ * systems, in which case this function will return ISC_R_NOTIMPLEMENTED and
+ * must not be used.
+ *
+ * isc_socket_close() should not be called on sockets created by
+ * isc_socket_fdwatchcreate().
+ *
+ * Requires:
+ *
+ * \li	The socket must have a valid descriptor.
+ *
+ * \li	There must be no other reference to this socket.
+ *
+ * \li	There must be no pending I/O requests.
+ *
+ * \li  'sock->type' is not isc_sockettype_fdwatch
+ *
+ * Returns:
+ * \li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp,
+		unsigned int options);
+/*%<
+ * Bind 'socket' to '*addressp'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket
+ *
+ * \li	'addressp' points to a valid isc_sockaddr.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOPERM
+ * \li	ISC_R_ADDRNOTAVAIL
+ * \li	ISC_R_ADDRINUSE
+ * \li	ISC_R_BOUND
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter);
+/*%<
+ * Inform the kernel that it should perform accept filtering.
+ * If filter is NULL the current filter will be removed.:w
+ */
+
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
+/*%<
+ * Set listen mode on the socket.  After this call, the only function that
+ * can be used (other than attach and detach) is isc_socket_accept().
+ *
+ * Notes:
+ *
+ * \li	'backlog' is as in the UNIX system call listen() and may be
+ *	ignored by non-UNIX implementations.
+ *
+ * \li	If 'backlog' is zero, a reasonable system default is used, usually
+ *	SOMAXCONN.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid, bound TCP socket or a valid, bound UNIX socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_accept(isc_socket_t *sock,
+		  isc_task_t *task, isc_taskaction_t action, void *arg);
+/*%<
+ * Queue accept event.  When a new connection is received, the task will
+ * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
+ * socket.  The new socket structure is sent inside the isc_socket_newconnev_t
+ * event type, and is attached to the task 'task'.
+ *
+ * REQUIRES:
+ * \li	'socket' is a valid TCP socket that isc_socket_listen() was called
+ *	on.
+ *
+ * \li	'task' is a valid task
+ *
+ * \li	'action' is a valid action
+ *
+ * RETURNS:
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addressp,
+		   isc_task_t *task, isc_taskaction_t action,
+		   void *arg);
+/*%<
+ * Connect 'socket' to peer with address *saddr.  When the connection
+ * succeeds, or when an error occurs, a CONNECT event with action 'action'
+ * and arg 'arg' will be posted to the event queue for 'task'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid TCP socket
+ *
+ * \li	'addressp' points to a valid isc_sockaddr
+ *
+ * \li	'task' is a valid task
+ *
+ * \li	'action' is a valid action
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_UNEXPECTED
+ *
+ * Posted event's result code:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TIMEDOUT
+ * \li	ISC_R_CONNREFUSED
+ * \li	ISC_R_NETUNREACH
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*%<
+ * Get the name of the peer connected to 'socket'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid TCP socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*%<
+ * Get the name of 'socket'.
+ *
+ * Requires:
+ *
+ * \li	'socket' is a valid socket.
+ *
+ * Returns:
+ *
+ * \li	ISC_R_SUCCESS
+ * \li	ISC_R_TOOSMALL
+ * \li	ISC_R_UNEXPECTED
+ */
+
+/*@{*/
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region,
+		unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 unsigned int minimum,
+		 isc_task_t *task, isc_taskaction_t action, void *arg);
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_socketevent_t *event, unsigned int flags);
+
+/*!
+ * Receive from 'socket', storing the results in region.
+ *
+ * Notes:
+ *
+ *\li	Let 'length' refer to the length of 'region' or to the sum of all
+ *	available regions in the list of buffers '*buflist'.
+ *
+ *\li	If 'minimum' is non-zero and at least that many bytes are read,
+ *	the completion event will be posted to the task 'task.'  If minimum
+ *	is zero, the exact number of bytes requested in the region must
+ * 	be read for an event to be posted.  This only makes sense for TCP
+ *	connections, and is always set to 1 byte for UDP.
+ *
+ *\li	The read will complete when the desired number of bytes have been
+ *	read, if end-of-input occurs, or if an error occurs.  A read done
+ *	event with the given 'action' and 'arg' will be posted to the
+ *	event queue of 'task'.
+ *
+ *\li	The caller may not modify 'region', the buffers which are passed
+ *	into this function, or any data they refer to until the completion
+ *	event is received.
+ *
+ *\li	For isc_socket_recvv():
+ *	On successful completion, '*buflist' will be empty, and the list of
+ *	all buffers will be returned in the done event's 'bufferlist'
+ *	member.  On error return, '*buflist' will be unchanged.
+ *
+ *\li	For isc_socket_recv2():
+ *	'event' is not NULL, and the non-socket specific fields are
+ *	expected to be initialized.
+ *
+ *\li	For isc_socket_recv2():
+ *	The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE.  If
+ *	set and the operation completes, the return value will be
+ *	ISC_R_SUCCESS and the event will be filled in and not sent.  If the
+ *	operation does not complete, the return value will be
+ *	ISC_R_INPROGRESS and the event will be sent when the operation
+ *	completes.
+ *
+ * Requires:
+ *
+ *\li	'socket' is a valid, bound socket.
+ *
+ *\li	For isc_socket_recv():
+ *	'region' is a valid region
+ *
+ *\li	For isc_socket_recvv():
+ *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	For isc_socket_recv() and isc_socket_recvv():
+ *	action != NULL and is a valid action
+ *
+ *\li	For isc_socket_recv2():
+ *	event != NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
+ */
+/*@}*/
+
+/*@{*/
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region,
+		isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
+		  isc_task_t *task, isc_taskaction_t action, void *arg,
+		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		   isc_task_t *task, isc_taskaction_t action, void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc_socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    unsigned int flags);
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		   isc_task_t *task,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		   isc_socketevent_t *event, unsigned int flags);
+
+/*!
+ * Send the contents of 'region' to the socket's peer.
+ *
+ * Notes:
+ *
+ *\li	Shutting down the requestor's task *may* result in any
+ *	still pending writes being dropped or completed, depending on the
+ *	underlying OS implementation.
+ *
+ *\li	If 'action' is NULL, then no completion event will be posted.
+ *
+ *\li	The caller may not modify 'region', the buffers which are passed
+ *	into this function, or any data they refer to until the completion
+ *	event is received.
+ *
+ *\li	For isc_socket_sendv() and isc_socket_sendtov():
+ *	On successful completion, '*buflist' will be empty, and the list of
+ *	all buffers will be returned in the done event's 'bufferlist'
+ *	member.  On error return, '*buflist' will be unchanged.
+ *
+ *\li	For isc_socket_sendto2():
+ *	'event' is not NULL, and the non-socket specific fields are
+ *	expected to be initialized.
+ *
+ *\li	For isc_socket_sendto2():
+ *	The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
+ *	and ISC_SOCKFLAG_NORETRY.
+ *
+ *\li	If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
+ *	return value will be ISC_R_SUCCESS and the event will be filled
+ *	in and not sent.  If the operation does not complete, the return
+ *	value will be ISC_R_INPROGRESS and the event will be sent when
+ *	the operation completes.
+ *
+ *\li	ISC_SOCKFLAG_NORETRY can only be set for UDP sockets.  If set
+ *	and the send operation fails due to a transient error, the send
+ *	will not be retried and the error will be indicated in the event.
+ *	Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
+ *	to specify a region that is allocated on the stack.
+ *
+ * Requires:
+ *
+ *\li	'socket' is a valid, bound socket.
+ *
+ *\li	For isc_socket_send():
+ *	'region' is a valid region
+ *
+ *\li	For isc_socket_sendv() and isc_socket_sendtov():
+ *	'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
+ *	isc_socket_sendto():
+ *	action == NULL or is a valid action
+ *
+ *\li	For isc_socket_sendto2():
+ *	event != NULL
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_INPROGRESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_UNEXPECTED
+ *\li	XXX needs other net-type errors
+ */
+/*@}*/
+
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			  isc_socketmgr_t **managerp);
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+
+isc_result_t
+isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		      unsigned int maxsocks);
+/*%<
+ * Create a socket manager.  If "maxsocks" is non-zero, it specifies the
+ * maximum number of sockets that the created manager should handle.
+ * isc_socketmgr_create() is equivalent of isc_socketmgr_create2() with
+ * "maxsocks" being zero.
+ * isc_socketmgr_createinctx() also associates the new manager with the
+ * specified application context.
+ *
+ * Notes:
+ *
+ *\li	All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'managerp' points to a NULL isc_socketmgr_t.
+ *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
+ * Ensures:
+ *
+ *\li	'*managerp' is a valid isc_socketmgr_t.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp);
+/*%<
+ * Returns in "*nsockp" the maximum number of sockets this manager may open.
+ *
+ * Requires:
+ *
+ *\li	'*manager' is a valid isc_socketmgr_t.
+ *\li	'nsockp' is not NULL.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTIMPLEMENTED
+ */
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats);
+/*%<
+ * Set a general socket statistics counter set 'stats' for 'manager'.
+ *
+ * Requires:
+ * \li	'manager' is valid, hasn't opened any socket, and doesn't have
+ *	stats already set.
+ *
+ *\li	stats is a valid statistics supporting socket statistics counters
+ *	(see above).
+ */
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp);
+/*%<
+ * Destroy a socket manager.
+ *
+ * Notes:
+ *
+ *\li	This routine blocks until there are no sockets left in the manager,
+ *	so if the caller holds any socket references using the manager, it
+ *	must detach them before calling isc_socketmgr_destroy() or it will
+ *	block forever.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid isc_socketmgr_t.
+ *
+ *\li	All sockets managed by this manager are fully detached.
+ *
+ * Ensures:
+ *
+ *\li	*managerp == NULL
+ *
+ *\li	All resources used by the manager have been freed.
+ */
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock);
+/*%<
+ * Returns the socket type for "sock."
+ *
+ * Requires:
+ *
+ *\li	"sock" is a valid socket.
+ */
+
+/*@{*/
+bool
+isc__socket_isbound(isc_socket_t *sock);
+/*%
+ * Intended for internal use in BIND9 only
+ */
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, bool yes);
+/*%<
+ * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
+ * option if the host OS supports this option.
+ *
+ * Requires:
+ *\li	'sock' is a valid socket.
+ */
+/*@}*/
+
+void
+isc_socket_dscp(isc_socket_t *sock, isc_dscp_t dscp);
+/*%<
+ * Sets the Differentiated Services Code Point (DSCP) field for packets
+ * transmitted on this socket.  If 'dscp' is -1, return immediately.
+ *
+ * Requires:
+ *\li	'sock' is a valid socket.
+ */
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender,
+		       isc_eventtype_t eventtype, isc_taskaction_t action,
+		       void *arg);
+/*%<
+ * Get a isc_socketevent_t to be used with isc_socket_sendto2(), etc.
+ */
+
+void
+isc_socket_cleanunix(isc_sockaddr_t *addr, bool active);
+
+/*%<
+ * Cleanup UNIX domain sockets in the file-system.  If 'active' is true
+ * then just unlink the socket.  If 'active' is false try to determine
+ * if there is a listener of the socket or not.  If no listener is found
+ * then unlink socket.
+ *
+ * Prior to unlinking the path is tested to see if it a socket.
+ *
+ * Note: there are a number of race conditions which cannot be avoided
+ *       both in the filesystem and any application using UNIX domain
+ *	 sockets (e.g. socket is tested between bind() and listen(),
+ *	 the socket is deleted and replaced in the file-system between
+ *	 stat() and unlink()).
+ */
+
+isc_result_t
+isc_socket_permunix(isc_sockaddr_t *sockaddr, uint32_t perm,
+		    uint32_t owner, uint32_t group);
+/*%<
+ * Set ownership and file permissions on the UNIX domain socket.
+ *
+ * Note: On Solaris and SunOS this secures the directory containing
+ *       the socket as Solaris and SunOS do not honour the filesystem
+ *	 permissions on the socket.
+ *
+ * Requires:
+ * \li	'sockaddr' to be a valid UNIX domain sockaddr.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_FAILURE
+ */
+
+void isc_socket_setname(isc_socket_t *socket, const char *name, void *tag);
+/*%<
+ * Set the name and optional tag for a socket.  This allows tracking of the
+ * owner or purpose for this socket, and is useful for tracing and statistics
+ * reporting.
+ */
+
+const char *isc_socket_getname(isc_socket_t *socket);
+/*%<
+ * Get the name associated with a socket, if any.
+ */
+
+void *isc_socket_gettag(isc_socket_t *socket);
+/*%<
+ * Get the tag associated with a socket, if any.
+ */
+
+int isc_socket_getfd(isc_socket_t *socket);
+/*%<
+ * Get the file descriptor associated with a socket
+ */
+
+void
+isc__socketmgr_setreserved(isc_socketmgr_t *mgr, uint32_t);
+/*%<
+ * Temporary.  For use by named only.
+ */
+
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *mgr, int maxudp);
+/*%<
+ * Test interface. Drop UDP packet > 'maxudp'.
+ */
+
+#ifdef HAVE_LIBXML2
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
+/*%<
+ * Render internal statistics and other state into the XML document.
+ */
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr, json_object *stats);
+/*%<
+ * Render internal statistics and other state into JSON format.
+ */
+#endif /* HAVE_JSON */
+
+/*%<
+ * See isc_socketmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_socketmgrcreatefunc_t)(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new socket I/O implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__socket_register(void);
+/*%<
+ * A short cut function that specifies the socket I/O module in the ISC
+ * library for isc_socket_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/stats.h b/lib/isc/include/isc/stats.h
new file mode 100644
index 0000000..8f41bb9
--- /dev/null
+++ b/lib/isc/include/isc/stats.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STATS_H
+#define ISC_STATS_H 1
+
+/*! \file isc/stats.h */
+
+#include <inttypes.h>
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%<
+ * Flag(s) for isc_stats_dump().
+ */
+#define ISC_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
+
+/*%<
+ * Dump callback type.
+ */
+typedef void (*isc_stats_dumper_t)(isc_statscounter_t, uint64_t, void *);
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+isc_stats_detach(isc_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid isc_stats_t.
+ */
+
+int
+isc_stats_ncounters(isc_stats_t *stats);
+/*%<
+ * Returns the number of counters contained in stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ */
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Decrement the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg,
+	       unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val,
+	      isc_statscounter_t counter);
+/*%<
+ * Set the given counter to the specfied value.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val,
+	      isc_statscounter_t counter);
+/*%<
+ * Set the given counter to the specfied value.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STATS_H */
diff --git a/lib/isc/include/isc/stdatomic.h b/lib/isc/include/isc/stdatomic.h
new file mode 100644
index 0000000..723ed1e
--- /dev/null
+++ b/lib/isc/include/isc/stdatomic.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#pragma once
+
+#if !defined(__has_feature)
+#define __has_feature(x) 0
+#endif
+
+#if !defined(__has_extension)
+#define __has_extension(x) __has_feature(x)
+#endif
+
+#if !defined(__GNUC_PREREQ__)
+#if defined(__GNUC__) && defined(__GNUC_MINOR__)
+#define __GNUC_PREREQ__(maj, min)                    \
+	((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
+#else
+#define __GNUC_PREREQ__(maj, min) 0
+#endif
+#endif
+
+#if !defined(__CLANG_ATOMICS) && !defined(__GNUC_ATOMICS)
+#if __has_extension(c_atomic) || __has_extension(cxx_atomic)
+#define __CLANG_ATOMICS
+#elif __GNUC_PREREQ__(4, 7)
+#define __GNUC_ATOMICS
+#elif !defined(__GNUC__)
+#error "isc/stdatomic.h does not support your compiler"
+#endif
+#endif
+
+#ifndef __ATOMIC_RELAXED
+#define __ATOMIC_RELAXED        0
+#endif
+#ifndef __ATOMIC_CONSUME
+#define __ATOMIC_CONSUME        1
+#endif
+#ifndef __ATOMIC_ACQUIRE
+#define __ATOMIC_ACQUIRE        2
+#endif
+#ifndef __ATOMIC_RELEASE
+#define __ATOMIC_RELEASE        3
+#endif
+#ifndef __ATOMIC_ACQ_REL
+#define __ATOMIC_ACQ_REL        4
+#endif
+#ifndef __ATOMIC_SEQ_CST
+#define __ATOMIC_SEQ_CST        5
+#endif
+
+
+enum memory_order {
+	memory_order_relaxed = __ATOMIC_RELAXED,
+	memory_order_consume = __ATOMIC_CONSUME,
+	memory_order_acquire = __ATOMIC_ACQUIRE,
+	memory_order_release = __ATOMIC_RELEASE,
+	memory_order_acq_rel = __ATOMIC_ACQ_REL,
+	memory_order_seq_cst = __ATOMIC_SEQ_CST
+};
+
+typedef enum memory_order memory_order;
+
+typedef int_fast32_t	atomic_int_fast32_t;
+typedef uint_fast32_t	atomic_uint_fast32_t;
+typedef int_fast64_t	atomic_int_fast64_t;
+typedef uint_fast64_t	atomic_uint_fast64_t;
+
+#if defined(__CLANG_ATOMICS) /* __c11_atomic builtins */
+#define atomic_init(obj, desired)		\
+	__c11_atomic_init(obj, desired)
+#define atomic_load_explicit(obj, order)	\
+	__c11_atomic_load(obj, order)
+#define atomic_store_explicit(obj, desired, order)	\
+	__c11_atomic_store(obj, desired, order)
+#define atomic_fetch_add_explicit(obj, arg, order)	\
+	__c11_atomic_fetch_add(obj, arg, order)
+#define atomic_fetch_sub_explicit(obj, arg, order)	\
+	__c11_atomic_fetch_sub(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, fail)	\
+	__c11_atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, fail)
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, fail)	\
+	__c11_atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, fail)
+#elif defined(__GNUC_ATOMICS) /* __atomic builtins */
+#define atomic_init(obj, desired)			\
+	(*obj = desired)
+#define atomic_load_explicit(obj, order)		\
+	__atomic_load_n(obj, order)
+#define atomic_store_explicit(obj, desired, order)	\
+	__atomic_store_n(obj, desired, order)
+#define atomic_fetch_add_explicit(obj, arg, order)	\
+	__atomic_fetch_add(obj, arg, order)
+#define atomic_fetch_sub_explicit(obj, arg, order)	\
+	__atomic_fetch_sub(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, fail)	\
+	__atomic_compare_exchange_n(obj, expected, desired, 0, succ, fail)
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, fail)	\
+	__atomic_compare_exchange_n(obj, expected, desired, 1, succ, fail)
+#else /* __sync builtins */
+#define atomic_init(obj, desired)			\
+	(*obj = desired)
+#define atomic_load_explicit(obj, order)		\
+	__sync_fetch_and_add(obj, 0)
+#define atomic_store_explicit(obj, desired, order)	\
+	do {						\
+		__sync_synchronize();			\
+		*obj = desired;				\
+		__sync_synchronize();			\
+	} while (0);
+#define atomic_fetch_add_explicit(obj, arg, order) \
+	__sync_fetch_and_add(obj, arg)
+#define atomic_fetch_sub_explicit(obj, arg, order) \
+	__sync_fetch_and_sub(obj, arg, order)
+#define atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, fail)	\
+	({									\
+		__typeof__(obj) __v;						\
+		_Bool __r;							\
+		__v = __sync_val_compare_and_swap(obj, *(expected), desired);	\
+		__r = *(expected) == __v;					\
+		*(expected) = __v;						\
+		__r;								\
+	})
+#define atomic_compare_exchange_weak_explicit(obj, expected, desired, succ, fail)	\
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, succ, fail)
+#endif
+
+#define atomic_load(obj) \
+	atomic_load_explicit(obj, memory_order_seq_cst)
+#define atomic_store(obj) \
+	atomic_store_explicit(obj, memory_order_seq_cst)
+#define atomic_fetch_add(obj) \
+	atomic_fetch_add_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_fetch_sub(obj) \
+	atomic_fetch_sub_explicit(obj, arg, memory_order_seq_cst)
+#define atomic_compare_exchange_strong(obj, expected, desired)	\
+	atomic_compare_exchange_strong_explicit(obj, expected, desired, memory_order_seq_cst, memory_order_seq_cst)
+#define atomic_compare_exchange_weak(obj, expected, desired)	\
+	atomic_compare_exchange_weak_explicit(obj, expected, desired, memory_order_seq_cst, memory_order_seq_cst)
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
new file mode 100644
index 0000000..1f44b5a
--- /dev/null
+++ b/lib/isc/include/isc/stdio.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STDIO_H
+#define ISC_STDIO_H 1
+
+/*! \file isc/stdio.h */
+
+/*%
+ * These functions are wrappers around the corresponding stdio functions.
+ *
+ * They return a detailed error code in the form of an an isc_result_t.  ANSI C
+ * does not guarantee that stdio functions set errno, hence these functions
+ * must use platform dependent methods (e.g., the POSIX errno) to construct the
+ * error code.
+ */
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% Open */
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp);
+
+/*% Close */
+isc_result_t
+isc_stdio_close(FILE *f);
+
+/*% Seek */
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence);
+
+/*% Tell */
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp);
+
+/*% Read */
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
+	       size_t *nret);
+
+/*% Write */
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+		size_t *nret);
+
+/*% Flush */
+isc_result_t
+isc_stdio_flush(FILE *f);
+
+isc_result_t
+isc_stdio_sync(FILE *f);
+/*%<
+ * Invoke fsync() on the file descriptor underlying an stdio stream, or an
+ * equivalent system-dependent operation.  Note that this function has no
+ * direct counterpart in the stdio library.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDIO_H */
diff --git a/lib/isc/include/isc/stdlib.h b/lib/isc/include/isc/stdlib.h
new file mode 100644
index 0000000..c44b0ea
--- /dev/null
+++ b/lib/isc/include/isc/stdlib.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STDLIB_H
+#define ISC_STDLIB_H 1
+
+/*! \file isc/stdlib.h */
+
+#include <stdlib.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#ifdef ISC_PLATFORM_NEEDSTRTOUL
+#define strtoul isc_strtoul
+#endif
+
+ISC_LANG_BEGINDECLS
+
+unsigned long isc_strtoul(const char *, char **, int);
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
new file mode 100644
index 0000000..5323aa7
--- /dev/null
+++ b/lib/isc/include/isc/string.h
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: string.h,v 1.23 2007/09/13 04:48:16 each Exp $ */
+
+#ifndef ISC_STRING_H
+#define ISC_STRING_H 1
+
+/*! \file isc/string.h */
+
+#include <inttypes.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#include <string.h>
+
+#ifdef ISC_PLATFORM_HAVESTRINGSH
+#include <strings.h>
+#endif
+
+#define ISC_STRING_MAGIC 0x5e
+
+ISC_LANG_BEGINDECLS
+
+uint64_t
+isc_string_touint64(char *source, char **endp, int base);
+/*%<
+ * Convert the string pointed to by 'source' to uint64_t.
+ *
+ * On successful conversion 'endp' points to the first character
+ * after conversion is complete.
+ *
+ * 'base': 0 or 2..36
+ *
+ * If base is 0 the base is computed from the string type.
+ *
+ * On error 'endp' points to 'source'.
+ */
+
+isc_result_t
+isc_string_copy(char *target, size_t size, const char *source);
+/*
+ * Copy the string pointed to by 'source' to 'target' which is a
+ * pointer to a string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'source' was successfully copied to 'target'.
+ *	ISC_R_NOSPACE  -- 'source' could not be copied since 'target'
+ *	                  is too small.
+ */
+
+void
+isc_string_copy_truncate(char *target, size_t size, const char *source);
+/*
+ * Copy the string pointed to by 'source' to 'target' which is a
+ * pointer to a string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+isc_result_t
+isc_string_append(char *target, size_t size, const char *source);
+/*
+ * Append the string pointed to by 'source' to 'target' which is a
+ * pointer to a NUL terminated string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a NUL terminated char[] of at
+ *	least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'source' was successfully appended to 'target'.
+ *	ISC_R_NOSPACE  -- 'source' could not be appended since 'target'
+ *	                  is too small.
+ */
+
+void
+isc_string_append_truncate(char *target, size_t size, const char *source);
+/*
+ * Append the string pointed to by 'source' to 'target' which is a
+ * pointer to a NUL terminated string of at least 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a NUL terminated char[] of at
+ *	least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'source' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+isc_result_t
+isc_string_printf(char *target, size_t size, const char *format, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Print 'format' to 'target' which is a pointer to a string of at least
+ * 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'format' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	If result == ISC_R_SUCCESS
+ *		'target' will be a NUL terminated string of no more
+ *		than 'size' bytes (including NUL).
+ *
+ *	If result == ISC_R_NOSPACE
+ *		'target' is undefined.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS  -- 'format' was successfully printed to 'target'.
+ *	ISC_R_NOSPACE  -- 'format' could not be printed to 'target' since it
+ *	                  is too small.
+ */
+
+void
+isc_string_printf_truncate(char *target, size_t size, const char *format, ...)
+	ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Print 'format' to 'target' which is a pointer to a string of at least
+ * 'size' bytes.
+ *
+ * Requires:
+ *	'target' is a pointer to a char[] of at least 'size' bytes.
+ *	'size' an integer > 0.
+ *	'format' == NULL or points to a NUL terminated string.
+ *
+ * Ensures:
+ *	'target' will be a NUL terminated string of no more
+ *	than 'size' bytes (including NUL).
+ */
+
+
+char *
+isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source);
+/*
+ * Copy the region pointed to by r to a NUL terminated string
+ * allocated from the memory context pointed to by mctx.
+ *
+ * The result should be deallocated using isc_mem_free()
+ *
+ * Requires:
+ *	'mctx' is a point to a valid memory context.
+ *	'source' is a pointer to a valid region.
+ *
+ * Returns:
+ *	a pointer to a NUL terminated string or
+ *	NULL if memory for the copy could not be allocated
+ *
+ */
+
+char *
+isc_string_separate(char **stringp, const char *delim);
+
+#ifdef ISC_PLATFORM_NEEDSTRSEP
+#define strsep isc_string_separate
+#endif
+
+#ifdef ISC_PLATFORM_NEEDMEMMOVE
+#define memmove(a,b,c) bcopy(b,a,c)
+#endif
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size);
+
+
+#ifdef ISC_PLATFORM_NEEDSTRLCPY
+#define strlcpy isc_string_strlcpy
+#endif
+
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size);
+
+#ifdef ISC_PLATFORM_NEEDSTRLCAT
+#define strlcat isc_string_strlcat
+#endif
+
+char *
+isc_string_strcasestr(const char *big, const char *little);
+
+#ifdef ISC_PLATFORM_NEEDSTRCASESTR
+#define strcasestr isc_string_strcasestr
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRING_H */
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
new file mode 100644
index 0000000..0f53b5e
--- /dev/null
+++ b/lib/isc/include/isc/symtab.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SYMTAB_H
+#define ISC_SYMTAB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/symtab.h
+ * \brief Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings, and key comparisons are case-insensitive.  A type may
+ * be specified when looking up, defining, or undefining.  A type value of
+ * 0 means "match any type"; any other value will only match the given
+ * type.
+ *
+ * It's possible that a client will attempt to define a <key, type, value>
+ * tuple when a tuple with the given key and type already exists in the table.
+ * What to do in this case is specified by the client.  Possible policies are:
+ *
+ *\li	#isc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	#isc_symexists_replace	Replace the old value with the new.  The
+ *				undefine action (if provided) will be called
+ *				with the old <key, type, value> tuple.
+ *\li	#isc_symexists_add	Add the new tuple, leaving the old tuple in
+ *				the table.  Subsequent lookups will retrieve
+ *				the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently defined
+ * symbol with that key.  An undefine of a key using type 0 will undefine the
+ * most-recently defined symbol with that key.  Trying to define a key with
+ * type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isc_symtab_define() will not
+ * change until it calls isc_symtab_undefine() or isc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol is
+ * undefined.  It can be used to free memory associated with keys and/or
+ * values.
+ *
+ * A symbol table is implemented as a hash table of lists; the size of the
+ * hash table is set by the 'size' parameter to isc_symtbl_create().  When
+ * the number of entries in the symbol table reaches three quarters of this
+ * value, the hash table is reallocated with size doubled, in order to
+ * optimize lookup performance.  This has a negative effect on insertion
+ * performance, which can be mitigated by sizing the table appropriately
+ * when creating it.
+ *
+ * \li MP:
+ *	The callers of this module must ensure any required synchronization.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ *** Symbol Tables.
+ ***/
+/*% Symbol table value. */
+typedef union isc_symvalue {
+	void *				as_pointer;
+	const void *			as_cpointer;
+	int				as_integer;
+	unsigned int			as_uinteger;
+} isc_symvalue_t;
+
+typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
+				   isc_symvalue_t value, void *userarg);
+/*% Symbol table exists. */
+typedef enum {
+	isc_symexists_reject = 0,	/*%< Disallow the define */
+	isc_symexists_replace = 1,	/*%< Replace the old value with the new */
+	isc_symexists_add = 2		/*%< Add the new tuple */
+} isc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+/*% Create a symbol table. */
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+		  isc_symtabaction_t undefine_action, void *undefine_arg,
+		  bool case_sensitive, isc_symtab_t **symtabp);
+
+/*% Destroy a symbol table. */
+void
+isc_symtab_destroy(isc_symtab_t **symtabp);
+
+/*% Lookup a symbol table. */
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t *value);
+
+/*% Define a symbol table. */
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t value, isc_symexists_t exists_policy);
+
+/*% Undefine a symbol table. */
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
+
+/*% Return the number of items in a symbol table. */
+unsigned int
+isc_symtab_count(isc_symtab_t *symtab);
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYMTAB_H */
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
new file mode 100644
index 0000000..6920395
--- /dev/null
+++ b/lib/isc/include/isc/task.h
@@ -0,0 +1,827 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_TASK_H
+#define ISC_TASK_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/task.h
+ * \brief The task system provides a lightweight execution context, which is
+ * basically an event queue.
+
+ * When a task's event queue is non-empty, the
+ * task is runnable.  A small work crew of threads, typically one per CPU,
+ * execute runnable tasks by dispatching the events on the tasks' event
+ * queues.  Context switching between tasks is fast.
+ *
+ * \li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	The caller must ensure that isc_taskmgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ *
+ * \section purge Purging and Unsending
+ *
+ * Events which have been queued for a task but not delivered may be removed
+ * from the task's event queue by purging or unsending.
+ *
+ * With both types, the caller specifies a matching pattern that selects
+ * events based upon their sender, type, and tag.
+ *
+ * Purging calls isc_event_free() on the matching events.
+ *
+ * Unsending returns a list of events that matched the pattern.
+ * The caller is then responsible for them.
+ *
+ * Consumers of events should purge, not unsend.
+ *
+ * Producers of events often want to remove events when the caller indicates
+ * it is no longer interested in the object, e.g. by canceling a timer.
+ * Sometimes this can be done by purging, but for some event types, the
+ * calls to isc_event_free() cause deadlock because the event free routine
+ * wants to acquire a lock the caller is already holding.  Unsending instead
+ * of purging solves this problem.  As a general rule, producers should only
+ * unsend events which they have sent.
+ */
+
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/eventclass.h>
+#include <isc/json.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+#include <isc/types.h>
+#include <isc/xml.h>
+
+#define ISC_TASKEVENT_FIRSTEVENT	(ISC_EVENTCLASS_TASK + 0)
+#define ISC_TASKEVENT_SHUTDOWN		(ISC_EVENTCLASS_TASK + 1)
+#define ISC_TASKEVENT_TEST		(ISC_EVENTCLASS_TASK + 1)
+#define ISC_TASKEVENT_LASTEVENT		(ISC_EVENTCLASS_TASK + 65535)
+
+/*****
+ ***** Tasks.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+		isc_taskmgrmode_normal = 0,
+		isc_taskmgrmode_privileged
+} isc_taskmgrmode_t;
+
+/*% Task and task manager methods */
+typedef struct isc_taskmgrmethods {
+	void		(*destroy)(isc_taskmgr_t **managerp);
+	void		(*setmode)(isc_taskmgr_t *manager,
+				   isc_taskmgrmode_t mode);
+	isc_taskmgrmode_t (*mode)(isc_taskmgr_t *manager);
+	isc_result_t	(*taskcreate)(isc_taskmgr_t *manager,
+				      unsigned int quantum,
+				      isc_task_t **taskp);
+	void (*setexcltask)(isc_taskmgr_t *mgr, isc_task_t *task);
+	isc_result_t (*excltask)(isc_taskmgr_t *mgr, isc_task_t **taskp);
+} isc_taskmgrmethods_t;
+
+typedef struct isc_taskmethods {
+	void (*attach)(isc_task_t *source, isc_task_t **targetp);
+	void (*detach)(isc_task_t **taskp);
+	void (*destroy)(isc_task_t **taskp);
+	void (*send)(isc_task_t *task, isc_event_t **eventp);
+	void (*sendanddetach)(isc_task_t **taskp, isc_event_t **eventp);
+	unsigned int (*unsend)(isc_task_t *task, void *sender, isc_eventtype_t type,
+			       void *tag, isc_eventlist_t *events);
+	isc_result_t (*onshutdown)(isc_task_t *task, isc_taskaction_t action,
+				   void *arg);
+	void (*shutdown)(isc_task_t *task);
+	void (*setname)(isc_task_t *task, const char *name, void *tag);
+	unsigned int (*purgeevents)(isc_task_t *task, void *sender,
+				    isc_eventtype_t type, void *tag);
+	unsigned int (*purgerange)(isc_task_t *task, void *sender,
+				   isc_eventtype_t first, isc_eventtype_t last,
+				   void *tag);
+	isc_result_t (*beginexclusive)(isc_task_t *task);
+	void (*endexclusive)(isc_task_t *task);
+    void (*setprivilege)(isc_task_t *task, bool priv);
+    bool (*privilege)(isc_task_t *task);
+} isc_taskmethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a task manager
+ * object implementation's version of an isc_taskmgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  task implementations
+ * may change the structure.  'magic' must be ISCAPI_TASKMGR_MAGIC for any
+ * of the isc_task_ routines to work.  task implementations must maintain
+ * all task invariants.
+ */
+struct isc_taskmgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_taskmgrmethods_t	*methods;
+};
+
+#define ISCAPI_TASKMGR_MAGIC	ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TASKMGR_VALID(m)	((m) != NULL && \
+				 (m)->magic == ISCAPI_TASKMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a task object.  The same note as
+ * that for the taskmgr structure applies.
+ */
+struct isc_task {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_taskmethods_t	*methods;
+};
+
+#define ISCAPI_TASK_MAGIC	ISC_MAGIC('A','t','s','t')
+#define ISCAPI_TASK_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_TASK_MAGIC)
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp);
+/*%<
+ * Create a task.
+ *
+ * Notes:
+ *
+ *\li	If 'quantum' is non-zero, then only that many events can be dispatched
+ *	before the task must yield to other tasks waiting to execute.  If
+ *	quantum is zero, then the default quantum of the task manager will
+ *	be used.
+ *
+ *\li	The 'quantum' option may be removed from isc_task_create() in the
+ *	future.  If this happens, isc_task_getquantum() and
+ *	isc_task_setquantum() will be provided.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid task manager.
+ *
+ *\li	taskp != NULL && *taskp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*taskp' is bound to the new task.
+ *
+ * Returns:
+ *
+ *\li   #ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ *\li	#ISC_R_SHUTTINGDOWN
+ */
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp);
+/*%<
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ *\li	'source' is a valid task.
+ *
+ *\li	'targetp' points to a NULL isc_task_t *.
+ *
+ * Ensures:
+ *
+ *\li	*targetp is attached to source.
+ */
+
+void
+isc_task_detach(isc_task_t **taskp);
+/*%<
+ * Detach *taskp from its task.
+ *
+ * Requires:
+ *
+ *\li	'*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	*taskp is NULL.
+ *
+ *\li	If '*taskp' is the last reference to the task, the task is idle (has
+ *	an empty event queue), and has not been shutdown, the task will be
+ *	shutdown.
+ *
+ *\li	If '*taskp' is the last reference to the task and
+ *	the task has been shutdown,
+ *		all resources used by the task will be freed.
+ */
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp);
+/*%<
+ * Send '*event' to 'task'.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ */
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+/*%<
+ * Send '*event' to '*taskp' and then detach '*taskp' from its
+ * task.
+ *
+ * Requires:
+ *
+ *\li	'*taskp' is a valid task.
+ *\li	eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ *\li	*eventp == NULL.
+ *
+ *\li	*taskp == NULL.
+ *
+ *\li	If '*taskp' is the last reference to the task, the task is
+ *	idle (has an empty event queue), and has not been shutdown,
+ *	the task will be shutdown.
+ *
+ *\li	If '*taskp' is the last reference to the task and
+ *	the task has been shutdown,
+ *		all resources used by the task will be freed.
+ */
+
+
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		    isc_eventtype_t last, void *tag);
+/*%<
+ * Purge events from a task's event queue.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	last >= first
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is >= first and <= last, and whose tag is 'tag' will be purged,
+ *	unless they are marked as unpurgable.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events purged.
+ */
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+	       void *tag);
+/*%<
+ * Purge events from a task's event queue.
+ *
+ * Notes:
+ *
+ *\li	This function is equivalent to
+ *
+ *\code
+ *		isc_task_purgerange(task, sender, type, type, tag);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is 'type', and whose tag is 'tag' will be purged, unless they
+ *	are marked as unpurgable.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events purged.
+ */
+
+bool
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
+/*%<
+ * Purge 'event' from a task's event queue.
+ *
+ * XXXRTH:  WARNING:  This method may be removed before beta.
+ *
+ * Notes:
+ *
+ *\li	If 'event' is on the task's event queue, it will be purged,
+ * 	unless it is marked as unpurgeable.  'event' does not have to be
+ *	on the task's event queue; in fact, it can even be an invalid
+ *	pointer.  Purging only occurs if the event is actually on the task's
+ *	event queue.
+ *
+ * \li	Purging never changes the state of the task.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	'event' is not in the event queue for 'task'.
+ *
+ * Returns:
+ *
+ *\li	#true			The event was purged.
+ *\li	#false			The event was not in the event queue,
+ *					or was marked unpurgeable.
+ */
+
+unsigned int
+isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag, isc_eventlist_t *events);
+/*%<
+ * Remove events from a task's event queue.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	last >= first.
+ *
+ *\li	*events is a valid list.
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is >= first and <= last, and whose tag is 'tag' will be dequeued
+ *	and appended to *events.
+ *
+ *\li	A sender of NULL will match any sender.  A NULL tag matches any
+ *	tag.
+ *
+ * Returns:
+ *
+ *\li	The number of events unsent.
+ */
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag, isc_eventlist_t *events);
+/*%<
+ * Remove events from a task's event queue.
+ *
+ * Notes:
+ *
+ *\li	This function is equivalent to
+ *
+ *\code
+ *		isc_task_unsendrange(task, sender, type, type, tag, events);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	*events is a valid list.
+ *
+ * Ensures:
+ *
+ *\li	Events in the event queue of 'task' whose sender is 'sender', whose
+ *	type is 'type', and whose tag is 'tag' will be dequeued and appended
+ *	to *events.
+ *
+ * Returns:
+ *
+ *\li	The number of events unsent.
+ */
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
+		    void *arg);
+/*%<
+ * Send a shutdown event with action 'action' and argument 'arg' when
+ * 'task' is shutdown.
+ *
+ * Notes:
+ *
+ *\li	Shutdown events are posted in LIFO order.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ *\li	'action' is a valid task action.
+ *
+ * Ensures:
+ *
+ *\li	When the task is shutdown, shutdown events requested with
+ *	isc_task_onshutdown() will be appended to the task's event queue.
+ *
+
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_SHUTTINGDOWN			Task is shutting down.
+ */
+
+void
+isc_task_shutdown(isc_task_t *task);
+/*%<
+ * Shutdown 'task'.
+ *
+ * Notes:
+ *
+ *\li	Shutting down a task causes any shutdown events requested with
+ *	isc_task_onshutdown() to be posted (in LIFO order).  The task
+ *	moves into a "shutting down" mode which prevents further calls
+ *	to isc_task_onshutdown().
+ *
+ *\li	Trying to shutdown a task that has already been shutdown has no
+ *	effect.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
+ *	posted (in LIFO order).
+ */
+
+void
+isc_task_destroy(isc_task_t **taskp);
+/*%<
+ * Destroy '*taskp'.
+ *
+ * Notes:
+ *
+ *\li	This call is equivalent to:
+ *
+ *\code
+ *		isc_task_shutdown(*taskp);
+ *		isc_task_detach(taskp);
+ *\endcode
+ *
+ * Requires:
+ *
+ *	'*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ *\li	Any shutdown events requested with isc_task_onshutdown() have been
+ *	posted (in LIFO order).
+ *
+ *\li	*taskp == NULL
+ *
+ *\li	If '*taskp' is the last reference to the task,
+ *		all resources used by the task will be freed.
+ */
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag);
+/*%<
+ * Name 'task'.
+ *
+ * Notes:
+ *
+ *\li	Only the first 15 characters of 'name' will be copied.
+ *
+ *\li	Naming a task is currently only useful for debugging purposes.
+ *
+ * Requires:
+ *
+ *\li	'task' is a valid task.
+ */
+
+const char *
+isc_task_getname(isc_task_t *task);
+/*%<
+ * Get the name of 'task', as previously set using isc_task_setname().
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ *
+ * Returns:
+ *\li	A non-NULL pointer to a null-terminated string.
+ * 	If the task has not been named, the string is
+ * 	empty.
+ *
+ */
+
+void *
+isc_task_gettag(isc_task_t *task);
+/*%<
+ * Get the tag value for  'task', as previously set using isc_task_settag().
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task);
+/*%<
+ * Request exclusive access for 'task', which must be the calling
+ * task.  Waits for any other concurrently executing tasks to finish their
+ * current event, and prevents any new events from executing in any of the
+ * tasks sharing a task manager with 'task'.
+ *
+ * The exclusive access must be relinquished by calling
+ * isc_task_endexclusive() before returning from the current event handler.
+ *
+ * Requires:
+ *\li	'task' is the calling task.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS		The current task now has exclusive access.
+ *\li	#ISC_R_LOCKBUSY		Another task has already requested exclusive
+ *				access.
+ */
+
+void
+isc_task_endexclusive(isc_task_t *task);
+/*%<
+ * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
+ * allowing other tasks to execute.
+ *
+ * Requires:
+ *\li	'task' is the calling task, and has obtained
+ *		exclusive access by calling isc_task_spl().
+ */
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
+void
+isc_task_getcurrenttimex(isc_task_t *task, isc_time_t *t);
+/*%<
+ * Provide the most recent timestamp on the task.  The timestamp is considered
+ * as the "current time".
+ *
+ * isc_task_getcurrentime() returns the time in one-second granularity;
+ * isc_task_getcurrentimex() returns it in nanosecond granularity.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ *\li	't' is a valid non NULL pointer.
+ *
+ * Ensures:
+ *\li	'*t' has the "current time".
+ */
+
+bool
+isc_task_exiting(isc_task_t *t);
+/*%<
+ * Returns true if the task is in the process of shutting down,
+ * false otherwise.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+void
+isc_task_setprivilege(isc_task_t *task, bool priv);
+/*%<
+ * Set or unset the task's "privileged" flag depending on the value of
+ * 'priv'.
+ *
+ * Under normal circumstances this flag has no effect on the task behavior,
+ * but when the task manager has been set to privileged execution mode via
+ * isc_taskmgr_setmode(), only tasks with the flag set will be executed,
+ * and all other tasks will wait until they're done.  Once all privileged
+ * tasks have finished executing, the task manager will automatically
+ * return to normal execution mode and nonprivileged task can resume.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+bool
+isc_task_privilege(isc_task_t *task);
+/*%<
+ * Returns the current value of the task's privilege flag.
+ *
+ * Requires:
+ *\li	'task' is a valid task.
+ */
+
+/*****
+ ***** Task Manager.
+ *****/
+
+isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			unsigned int workers, unsigned int default_quantum,
+			isc_taskmgr_t **managerp);
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		   unsigned int default_quantum, isc_taskmgr_t **managerp);
+/*%<
+ * Create a new task manager.  isc_taskmgr_createinctx() also associates
+ * the new manager with the specified application context.
+ *
+ * Notes:
+ *
+ *\li	'workers' in the number of worker threads to create.  In general,
+ *	the value should be close to the number of processors in the system.
+ *	The 'workers' value is advisory only.  An attempt will be made to
+ *	create 'workers' threads, but if at least one thread creation
+ *	succeeds, isc_taskmgr_create() may return ISC_R_SUCCESS.
+ *
+ *\li	If 'default_quantum' is non-zero, then it will be used as the default
+ *	quantum value when tasks are created.  If zero, then an implementation
+ *	defined default quantum will be used.
+ *
+ * Requires:
+ *
+ *\li      'mctx' is a valid memory context.
+ *
+ *\li	workers > 0
+ *
+ *\li	managerp != NULL && *managerp == NULL
+ *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
+ * Ensures:
+ *
+ *\li	On success, '*managerp' will be attached to the newly created task
+ *	manager.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NOTHREADS		No threads could be created.
+ *\li	#ISC_R_UNEXPECTED		An unexpected error occurred.
+ *\li	#ISC_R_SHUTTINGDOWN      	The non-threaded, shared, task
+ *					manager shutting down.
+ */
+
+void
+isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode);
+
+isc_taskmgrmode_t
+isc_taskmgr_mode(isc_taskmgr_t *manager);
+/*%<
+ * Set/get the current operating mode of the task manager.  Valid modes are:
+ *
+ *\li  isc_taskmgrmode_normal
+ *\li  isc_taskmgrmode_privileged
+ *
+ * In privileged execution mode, only tasks that have had the "privilege"
+ * flag set via isc_task_setprivilege() can be executed.  When all such
+ * tasks are complete, the manager automatically returns to normal mode
+ * and proceeds with running non-privileged ready tasks.  This means it is
+ * necessary to have at least one privileged task waiting on the ready
+ * queue *before* setting the manager into privileged execution mode,
+ * which in turn means the task which calls this function should be in
+ * task-exclusive mode when it does so.
+ *
+ * Requires:
+ *
+ *\li      'manager' is a valid task manager.
+ */
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp);
+/*%<
+ * Destroy '*managerp'.
+ *
+ * Notes:
+ *
+ *\li	Calling isc_taskmgr_destroy() will shutdown all tasks managed by
+ *	*managerp that haven't already been shutdown.  The call will block
+ *	until all tasks have entered the done state.
+ *
+ *\li	isc_taskmgr_destroy() must not be called by a task event action,
+ *	because it would block forever waiting for the event action to
+ *	complete.  An event action that wants to cause task manager shutdown
+ *	should request some non-event action thread of execution to do the
+ *	shutdown, e.g. by signaling a condition variable or using
+ *	isc_app_shutdown().
+ *
+ *\li	Task manager references are not reference counted, so the caller
+ *	must ensure that no attempt will be made to use the manager after
+ *	isc_taskmgr_destroy() returns.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid task manager.
+ *
+ *\li	isc_taskmgr_destroy() has not be called previously on '*managerp'.
+ *
+ * Ensures:
+ *
+ *\li	All resources used by the task manager, and any tasks it managed,
+ *	have been freed.
+ */
+
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr, isc_task_t *task);
+/*%<
+ * Set a task which will be used for all task-exclusive operations.
+ *
+ * Requires:
+ *\li	'manager' is a valid task manager.
+ *
+ *\li	'task' is a valid task.
+ */
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr, isc_task_t **taskp);
+/*%<
+ * Attach '*taskp' to the task set by isc_taskmgr_getexcltask().
+ * This task should be used whenever running in task-exclusive mode,
+ * so as to prevent deadlock between two exclusive tasks.
+ *
+ * Requires:
+ *\li	'manager' is a valid task manager.
+
+ *\li	taskp != NULL && *taskp == NULL
+ */
+
+
+#ifdef HAVE_LIBXML2
+int
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
+#endif
+
+#ifdef HAVE_JSON
+isc_result_t
+isc_taskmgr_renderjson(isc_taskmgr_t *mgr, json_object *tasksobj);
+#endif
+
+/*%<
+ * See isc_taskmgr_create() above.
+ */
+typedef isc_result_t
+(*isc_taskmgrcreatefunc_t)(isc_mem_t *mctx, unsigned int workers,
+			   unsigned int default_quantum,
+			   isc_taskmgr_t **managerp);
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc);
+/*%<
+ * Register a new task management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc__task_register(void);
+/*%<
+ * A short cut function that specifies the task management module in the ISC
+ * library for isc_task_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TASK_H */
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
new file mode 100644
index 0000000..32ca594
--- /dev/null
+++ b/lib/isc/include/isc/taskpool.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_TASKPOOL_H
+#define ISC_TASKPOOL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/taskpool.h
+ * \brief A task pool is a mechanism for sharing a small number of tasks
+ * among a large number of objects such that each object is
+ * assigned a unique task, but each task may be shared by several
+ * objects.
+ *
+ * Task pools are used to let objects that can exist in large
+ * numbers (e.g., zones) use tasks for synchronization without
+ * the memory overhead and unfair scheduling competition that
+ * could result from creating a separate task for each object.
+ */
+
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/task.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types.
+ *****/
+
+typedef struct isc_taskpool isc_taskpool_t;
+
+/*****
+ ***** Functions.
+ *****/
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
+		    unsigned int ntasks, unsigned int quantum,
+		    isc_taskpool_t **poolp);
+/*%<
+ * Create a task pool of "ntasks" tasks, each with quantum
+ * "quantum".
+ *
+ * Requires:
+ *
+ *\li	'tmgr' is a valid task manager.
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	poolp != NULL && *poolp == NULL
+ *
+ * Ensures:
+ *
+ *\li	On success, '*taskp' points to the new task pool.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+void
+isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp);
+/*%<
+ * Attach to a task from the pool.  Currently the next task is chosen
+ * from the pool at random.  (This may be changed in the future to
+ * something that guaratees balance.)
+ */
+
+int
+isc_taskpool_size(isc_taskpool_t *pool);
+/*%<
+ * Returns the number of tasks in the task pool 'pool'.
+ */
+
+isc_result_t
+isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size,
+					isc_taskpool_t **targetp);
+
+/*%<
+ * If 'size' is larger than the number of tasks in the pool pointed to by
+ * 'sourcep', then a new taskpool of size 'size' is allocated, the existing
+ * tasks from are moved into it, additional tasks are created to bring the
+ * total number up to 'size', and the resulting pool is attached to
+ * 'targetp'.
+ *
+ * If 'size' is less than or equal to the tasks in pool 'source', then
+ * 'sourcep' is attached to 'targetp' without any other action being taken.
+ *
+ * In either case, 'sourcep' is detached.
+ *
+ * Requires:
+ *
+ * \li	'sourcep' is not NULL and '*source' is not NULL
+ * \li	'targetp' is not NULL and '*source' is NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, '*targetp' points to a valid task pool.
+ * \li	On success, '*sourcep' points to NULL.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ */
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp);
+/*%<
+ * Destroy a task pool.  The tasks in the pool are detached but not
+ * shut down.
+ *
+ * Requires:
+ * \li	'*poolp' is a valid task pool.
+ */
+
+void
+isc_taskpool_setprivilege(isc_taskpool_t *pool, bool priv);
+/*%<
+ * Set the privilege flag on all tasks in 'pool' to 'priv'.  If 'priv' is
+ * true, then when the task manager is set into privileged mode, only
+ * tasks wihin this pool will be able to execute.  (Note:  It is important
+ * to turn the pool tasks' privilege back off before the last task finishes
+ * executing.)
+ *
+ * Requires:
+ * \li	'pool' is a valid task pool.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TASKPOOL_H */
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
new file mode 100644
index 0000000..40aa5a6
--- /dev/null
+++ b/lib/isc/include/isc/timer.h
@@ -0,0 +1,426 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_TIMER_H
+#define ISC_TIMER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isc/timer.h
+ * \brief Provides timers which are event sources in the task system.
+ *
+ * Three types of timers are supported:
+ *
+ *\li	'ticker' timers generate a periodic tick event.
+ *
+ *\li	'once' timers generate an idle timeout event if they are idle for too
+ *	long, and generate a life timeout event if their lifetime expires.
+ *	They are used to implement both (possibly expiring) idle timers and
+ *	'one-shot' timers.
+ *
+ *\li	'limited' timers generate a periodic tick event until they reach
+ *	their lifetime when they generate a life timeout event.
+ *
+ *\li	'inactive' timers generate no events.
+ *
+ * Timers can change type.  It is typical to create a timer as
+ * an 'inactive' timer and then change it into a 'ticker' or
+ * 'once' timer.
+ *
+ *\li MP:
+ *	The module ensures appropriate synchronization of data structures it
+ *	creates and manipulates.
+ *	Clients of this module must not be holding a timer's task's lock when
+ *	making a call that affects that timer.  Failure to follow this rule
+ *	can result in deadlock.
+ *	The caller must ensure that isc_timermgr_destroy() is called only
+ *	once for a given manager.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	TBS
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+
+/***
+ *** Imports
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/types.h>
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/time.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*% Timer Type */
+typedef enum {
+	isc_timertype_undefined = -1,	/*%< Undefined */
+	isc_timertype_ticker = 0, 	/*%< Ticker */
+	isc_timertype_once = 1, 	/*%< Once */
+	isc_timertype_limited = 2, 	/*%< Limited */
+	isc_timertype_inactive = 3 	/*%< Inactive */
+} isc_timertype_t;
+
+typedef struct isc_timerevent {
+	struct isc_event	common;
+	isc_time_t		due;
+} isc_timerevent_t;
+
+#define ISC_TIMEREVENT_FIRSTEVENT	(ISC_EVENTCLASS_TIMER + 0)
+#define ISC_TIMEREVENT_TICK		(ISC_EVENTCLASS_TIMER + 1)
+#define ISC_TIMEREVENT_IDLE		(ISC_EVENTCLASS_TIMER + 2)
+#define ISC_TIMEREVENT_LIFE		(ISC_EVENTCLASS_TIMER + 3)
+#define ISC_TIMEREVENT_LASTEVENT	(ISC_EVENTCLASS_TIMER + 65535)
+
+/*% Timer and timer manager methods */
+typedef struct {
+	void		(*destroy)(isc_timermgr_t **managerp);
+	isc_result_t	(*timercreate)(isc_timermgr_t *manager,
+				       isc_timertype_t type,
+				       const isc_time_t *expires,
+				       const isc_interval_t *interval,
+				       isc_task_t *task,
+				       isc_taskaction_t action,
+				       void *arg,
+				       isc_timer_t **timerp);
+} isc_timermgrmethods_t;
+
+typedef struct {
+	void		(*attach)(isc_timer_t *timer, isc_timer_t **timerp);
+	void		(*detach)(isc_timer_t **timerp);
+	isc_result_t	(*reset)(isc_timer_t *timer, isc_timertype_t type,
+				 const isc_time_t *expires,
+				 const isc_interval_t *interval,
+				 bool purge);
+	isc_result_t	(*touch)(isc_timer_t *timer);
+} isc_timermethods_t;
+
+/*%
+ * This structure is actually just the common prefix of a timer manager
+ * object implementation's version of an isc_timermgr_t.
+ * \brief
+ * Direct use of this structure by clients is forbidden.  timer implementations
+ * may change the structure.  'magic' must be ISCAPI_TIMERMGR_MAGIC for any
+ * of the isc_timer_ routines to work.  timer implementations must maintain
+ * all timer invariants.
+ */
+struct isc_timermgr {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_timermgrmethods_t	*methods;
+};
+
+#define ISCAPI_TIMERMGR_MAGIC		ISC_MAGIC('A','t','m','g')
+#define ISCAPI_TIMERMGR_VALID(m)	((m) != NULL && \
+					 (m)->magic == ISCAPI_TIMERMGR_MAGIC)
+
+/*%
+ * This is the common prefix of a timer object.  The same note as
+ * that for the timermgr structure applies.
+ */
+struct isc_timer {
+	unsigned int		impmagic;
+	unsigned int		magic;
+	isc_timermethods_t	*methods;
+};
+
+#define ISCAPI_TIMER_MAGIC	ISC_MAGIC('A','t','m','r')
+#define ISCAPI_TIMER_VALID(s)	((s) != NULL && \
+				 (s)->magic == ISCAPI_TIMER_MAGIC)
+
+/***
+ *** Timer and Timer Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result_t.
+ ***/
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager,
+		 isc_timertype_t type,
+		 const isc_time_t *expires,
+		 const isc_interval_t *interval,
+		 isc_task_t *task,
+		 isc_taskaction_t action,
+		 void *arg,
+		 isc_timer_t **timerp);
+/*%<
+ * Create a new 'type' timer managed by 'manager'.  The timers parameters
+ * are specified by 'expires' and 'interval'.  Events will be posted to
+ * 'task' and when dispatched 'action' will be called with 'arg' as the
+ * arg value.  The new timer is returned in 'timerp'.
+ *
+ * Notes:
+ *
+ *\li	For ticker timers, the timer will generate a 'tick' event every
+ *	'interval' seconds.  The value of 'expires' is ignored.
+ *
+ *\li	For once timers, 'expires' specifies the time when a life timeout
+ *	event should be generated.  If 'expires' is 0 (the epoch), then no life
+ *	timeout will be generated.  'interval' specifies how long the timer
+ *	can be idle before it generates an idle timeout.  If 0, then no
+ *	idle timeout will be generated.
+ *
+ *\li	If 'expires' is NULL, the epoch will be used.
+ *
+ *	If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'task' is a valid task
+ *
+ *\li	'action' is a valid action
+ *
+ *\li	'expires' points to a valid time, or is NULL.
+ *
+ *\li	'interval' points to a valid interval, or is NULL.
+ *
+ *\li	type == isc_timertype_inactive ||
+ *	('expires' and 'interval' are not both 0)
+ *
+ *\li	'timerp' is a valid pointer, and *timerp == NULL
+ *
+ * Ensures:
+ *
+ *\li	'*timerp' is attached to the newly created timer
+ *
+ *\li	The timer is attached to the task
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer,
+		isc_timertype_t type,
+		const isc_time_t *expires,
+		const isc_interval_t *interval,
+		bool purge);
+/*%<
+ * Change the timer's type, expires, and interval values to the given
+ * values.  If 'purge' is TRUE, any pending events from this timer
+ * are purged from its task's event queue.
+ *
+ * Notes:
+ *
+ *\li	If 'expires' is NULL, the epoch will be used.
+ *
+ *\li	If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ *\li	'timer' is a valid timer
+ *
+ *\li	The same requirements that isc_timer_create() imposes on 'type',
+ *	'expires' and 'interval' apply.
+ *
+ * Ensures:
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer);
+/*%<
+ * Set the last-touched time of 'timer' to the current time.
+ *
+ * Requires:
+ *
+ *\li	'timer' is a valid once timer.
+ *
+ * Ensures:
+ *
+ *\li	An idle timeout will not be generated until at least Now + the
+ *	timer's interval if 'timer' is a once timer with a non-zero
+ *	interval.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ */
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp);
+/*%<
+ * Attach *timerp to timer.
+ *
+ * Requires:
+ *
+ *\li	'timer' is a valid timer.
+ *
+ *\li	'timerp' points to a NULL timer.
+ *
+ * Ensures:
+ *
+ *\li	*timerp is attached to timer.
+ */
+
+void
+isc_timer_detach(isc_timer_t **timerp);
+/*%<
+ * Detach *timerp from its timer.
+ *
+ * Requires:
+ *
+ *\li	'timerp' points to a valid timer.
+ *
+ * Ensures:
+ *
+ *\li	*timerp is NULL.
+ *
+ *\li	If '*timerp' is the last reference to the timer,
+ *	then:
+ *
+ *\code
+ *		The timer will be shutdown
+ *
+ *		The timer will detach from its task
+ *
+ *		All resources used by the timer have been freed
+ *
+ *		Any events already posted by the timer will be purged.
+ *		Therefore, if isc_timer_detach() is called in the context
+ *		of the timer's task, it is guaranteed that no more
+ *		timer event callbacks will run after the call.
+ *\endcode
+ */
+
+isc_timertype_t
+isc_timer_gettype(isc_timer_t *timer);
+/*%<
+ * Return the timer type.
+ *
+ * Requires:
+ *
+ *\li	'timer' to be a valid timer.
+ */
+
+isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			 isc_timermgr_t **managerp);
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+/*%<
+ * Create a timer manager.  isc_timermgr_createinctx() also associates
+ * the new manager with the specified application context.
+ *
+ * Notes:
+ *
+ *\li	All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ *\li	'mctx' is a valid memory context.
+ *
+ *\li	'managerp' points to a NULL isc_timermgr_t.
+ *
+ *\li	'actx' is a valid application context (for createinctx()).
+ *
+ * Ensures:
+ *
+ *\li	'*managerp' is a valid isc_timermgr_t.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	No memory
+ *\li	Unexpected error
+ */
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp);
+/*%<
+ * Destroy a timer manager.
+ *
+ * Notes:
+ *
+ *\li	This routine blocks until there are no timers left in the manager,
+ *	so if the caller holds any timer references using the manager, it
+ *	must detach them before calling isc_timermgr_destroy() or it will
+ *	block forever.
+ *
+ * Requires:
+ *
+ *\li	'*managerp' is a valid isc_timermgr_t.
+ *
+ * Ensures:
+ *
+ *\li	*managerp == NULL
+ *
+ *\li	All resources used by the manager have been freed.
+ */
+
+void isc_timermgr_poke(isc_timermgr_t *m);
+
+/*%<
+ * See isc_timermgr_create() above.
+ */
+typedef isc_result_t
+(*isc_timermgrcreatefunc_t)(isc_mem_t *mctx, isc_timermgr_t **managerp);
+
+isc_result_t
+isc__timer_register(void);
+/*%<
+ * Register a new timer management implementation and add it to the list of
+ * supported implementations.  This function must be called when a different
+ * event library is used than the one contained in the ISC library.
+ */
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc);
+/*%<
+ * A short cut function that specifies the timer management module in the ISC
+ * library for isc_timer_register().  An application that uses the ISC library
+ * usually do not have to care about this function: it would call
+ * isc_lib_register(), which internally calls this function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/tm.h b/lib/isc/include/isc/tm.h
new file mode 100644
index 0000000..b6f520c
--- /dev/null
+++ b/lib/isc/include/isc/tm.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_TM_H
+#define ISC_TM_H 1
+
+/*! \file isc/tm.h
+ * Provides portable conversion routines for struct tm.
+ */
+#include <time.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+
+ISC_LANG_BEGINDECLS
+
+time_t
+isc_tm_timegm(struct tm *tm);
+/*
+ * Convert a tm structure to time_t, using UTC rather than the local
+ * time zone.
+ */
+
+char *
+isc_tm_strptime(const char *buf, const char *fmt, struct tm *tm);
+/*
+ * Parse a formatted date string into struct tm.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIMER_H */
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
new file mode 100644
index 0000000..42ff7e0
--- /dev/null
+++ b/lib/isc/include/isc/types.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef ISC_TYPES_H
+#define ISC_TYPES_H 1
+
+#include <stdbool.h>
+
+#include <isc/bind9.h>
+
+/*! \file isc/types.h
+ * \brief
+ * OS-specific types, from the OS-specific include directories.
+ */
+#include <inttypes.h>
+#include <isc/offset.h>
+
+/*
+ * XXXDCL should bool be moved here, requiring an explicit include
+ */
+/*
+ * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
+ * list macros too.
+ */
+#include <isc/list.h>
+
+/* Core Types.  Alphabetized by defined type. */
+
+typedef struct isc_appctx		isc_appctx_t;	 	/*%< Application context */
+typedef struct isc_backtrace_symmap	isc_backtrace_symmap_t; /*%< Symbol Table Entry */
+typedef struct isc_buffer		isc_buffer_t;		/*%< Buffer */
+typedef ISC_LIST(isc_buffer_t)		isc_bufferlist_t;	/*%< Buffer List */
+typedef struct isc_constregion		isc_constregion_t;	/*%< Const region */
+typedef struct isc_consttextregion	isc_consttextregion_t;	/*%< Const Text Region */
+typedef struct isc_counter		isc_counter_t;		/*%< Counter */
+typedef int16_t			isc_dscp_t;		/*%< Diffserv code point */
+typedef struct isc_entropy		isc_entropy_t;		/*%< Entropy */
+typedef struct isc_entropysource	isc_entropysource_t;	/*%< Entropy Source */
+typedef struct isc_event		isc_event_t;		/*%< Event */
+typedef ISC_LIST(isc_event_t)		isc_eventlist_t;	/*%< Event List */
+typedef unsigned int			isc_eventtype_t;	/*%< Event Type */
+typedef uint32_t			isc_fsaccess_t;		/*%< FS Access */
+typedef struct isc_hash			isc_hash_t;		/*%< Hash */
+typedef struct isc_httpd		isc_httpd_t;		/*%< HTTP client */
+typedef void (isc_httpdfree_t)(isc_buffer_t *, void *);		/*%< HTTP free function */
+typedef struct isc_httpdmgr		isc_httpdmgr_t;		/*%< HTTP manager */
+typedef struct isc_httpdurl		isc_httpdurl_t;		/*%< HTTP URL */
+typedef void (isc_httpdondestroy_t)(void *);			/*%< Callback on destroying httpd */
+typedef struct isc_interface		isc_interface_t;	/*%< Interface */
+typedef struct isc_interfaceiter	isc_interfaceiter_t;	/*%< Interface Iterator */
+typedef struct isc_interval		isc_interval_t;		/*%< Interval */
+typedef struct isc_lex			isc_lex_t;		/*%< Lex */
+typedef struct isc_log 			isc_log_t;		/*%< Log */
+typedef struct isc_logcategory		isc_logcategory_t;	/*%< Log Category */
+typedef struct isc_logconfig		isc_logconfig_t;	/*%< Log Configuration */
+typedef struct isc_logmodule		isc_logmodule_t;	/*%< Log Module */
+typedef struct isc_mem			isc_mem_t;		/*%< Memory */
+typedef struct isc_mempool		isc_mempool_t;		/*%< Memory Pool */
+typedef struct isc_msgcat		isc_msgcat_t;		/*%< Message Catalog */
+typedef struct isc_ondestroy		isc_ondestroy_t;	/*%< On Destroy */
+typedef struct isc_netaddr		isc_netaddr_t;		/*%< Net Address */
+typedef struct isc_portset		isc_portset_t;		/*%< Port Set */
+typedef struct isc_quota		isc_quota_t;		/*%< Quota */
+typedef struct isc_random		isc_random_t;		/*%< Random */
+typedef struct isc_ratelimiter		isc_ratelimiter_t;	/*%< Rate Limiter */
+typedef struct isc_region		isc_region_t;		/*%< Region */
+typedef uint64_t			isc_resourcevalue_t;	/*%< Resource Value */
+typedef unsigned int			isc_result_t;		/*%< Result */
+typedef struct isc_rwlock		isc_rwlock_t;		/*%< Read Write Lock */
+typedef struct isc_sockaddr		isc_sockaddr_t;		/*%< Socket Address */
+typedef ISC_LIST(isc_sockaddr_t)	isc_sockaddrlist_t;	/*%< Socket Address List */
+typedef struct isc_socket		isc_socket_t;		/*%< Socket */
+typedef struct isc_socketevent		isc_socketevent_t;	/*%< Socket Event */
+typedef struct isc_socketmgr		isc_socketmgr_t;	/*%< Socket Manager */
+typedef struct isc_stats		isc_stats_t;		/*%< Statistics */
+typedef int				isc_statscounter_t;	/*%< Statistics Counter */
+typedef struct isc_symtab		isc_symtab_t;		/*%< Symbol Table */
+typedef struct isc_task			isc_task_t;		/*%< Task */
+typedef ISC_LIST(isc_task_t)		isc_tasklist_t;		/*%< Task List */
+typedef struct isc_taskmgr		isc_taskmgr_t;		/*%< Task Manager */
+typedef struct isc_textregion		isc_textregion_t;	/*%< Text Region */
+typedef struct isc_time			isc_time_t;		/*%< Time */
+typedef struct isc_timer		isc_timer_t;		/*%< Timer */
+typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
+
+typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
+typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *, int);
+
+/* The following cannot be listed alphabetically due to forward reference */
+typedef isc_result_t (isc_httpdaction_t)(const char *url,
+					 isc_httpdurl_t *urlinfo,
+					 const char *querystring,
+					 const char *headers,
+					 void *arg,
+					 unsigned int *retcode,
+					 const char **retmsg,
+					 const char **mimetype,
+					 isc_buffer_t *body,
+					 isc_httpdfree_t **freecb,
+					 void **freecb_args);
+typedef bool (isc_httpdclientok_t)(const isc_sockaddr_t *, void *);
+
+/*% Resource */
+typedef enum {
+	isc_resource_coresize = 1,
+	isc_resource_cputime,
+	isc_resource_datasize,
+	isc_resource_filesize,
+	isc_resource_lockedmemory,
+	isc_resource_openfiles,
+	isc_resource_processes,
+	isc_resource_residentsize,
+	isc_resource_stacksize
+} isc_resource_t;
+
+/*% Statistics formats (text file or XML) */
+typedef enum {
+	isc_statsformat_file,
+	isc_statsformat_xml,
+	isc_statsformat_json
+} isc_statsformat_t;
+
+#endif /* ISC_TYPES_H */
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
new file mode 100644
index 0000000..75a63c1
--- /dev/null
+++ b/lib/isc/include/isc/util.h
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_UTIL_H
+#define ISC_UTIL_H 1
+
+/*! \file isc/util.h
+ * NOTE:
+ *
+ * This file is not to be included from any <isc/???.h> (or other) library
+ * files.
+ *
+ * \brief
+ * Including this file puts several macros in your name space that are
+ * not protected (as all the other ISC functions/macros do) by prepending
+ * ISC_ or isc_ to the name.
+ */
+
+/***
+ *** General Macros.
+ ***/
+
+/*%
+ * Use this to hide unused function arguments.
+ * \code
+ * int
+ * foo(char *bar)
+ * {
+ *	UNUSED(bar);
+ * }
+ * \endcode
+ */
+#define UNUSED(x)      (void)(x)
+
+/*%
+ * The opposite: silent warnings about stored values which are never read.
+ */
+#define POST(x)        (void)(x)
+
+#define ISC_MAX(a, b)  ((a) > (b) ? (a) : (b))
+#define ISC_MIN(a, b)  ((a) < (b) ? (a) : (b))
+
+#define ISC_CLAMP(v, x, y) ((v) < (x) ? (x) : ((v) > (y) ? (y) : (v)))
+
+/*%
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var) \
+	do { \
+		union { const void *k; void *v; } _u; \
+		_u.k = konst; \
+		var = _u.v; \
+	} while (0)
+
+/*%
+ * Use this in translation units that would otherwise be empty, to
+ * suppress compiler warnings.
+ */
+#define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
+
+/*%
+ * We use macros instead of calling the routines directly because
+ * the capital letters make the locking stand out.
+ * We RUNTIME_CHECK for success since in general there's no way
+ * for us to continue if they fail.
+ */
+
+#ifdef ISC_UTIL_TRACEON
+#define ISC_UTIL_TRACE(a) a
+#include <stdio.h>		/* Required for fprintf/stderr when tracing. */
+#include <isc/msgs.h>		/* Required for isc_msgcat when tracing. */
+#else
+#define ISC_UTIL_TRACE(a)
+#endif
+
+#include <isc/result.h>		/* Contractual promise. */
+
+#define LOCK(lp) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_LOCKING, "LOCKING"), \
+			       (lp), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_LOCKED, "LOCKED"), \
+			       (lp), __FILE__, __LINE__)); \
+	} while (0)
+#define UNLOCK(lp) do { \
+	RUNTIME_CHECK(isc_mutex_unlock((lp)) == ISC_R_SUCCESS); \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_UNLOCKED, "UNLOCKED"), \
+			       (lp), __FILE__, __LINE__)); \
+	} while (0)
+#define ISLOCKED(lp) (1)
+#define DESTROYLOCK(lp) \
+	RUNTIME_CHECK(isc_mutex_destroy((lp)) == ISC_R_SUCCESS)
+
+
+#define BROADCAST(cvp) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_BROADCAST, "BROADCAST"),\
+			       (cvp), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_condition_broadcast((cvp)) == ISC_R_SUCCESS); \
+	} while (0)
+#define SIGNAL(cvp) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_SIGNAL, "SIGNAL"), \
+			       (cvp), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_condition_signal((cvp)) == ISC_R_SUCCESS); \
+	} while (0)
+#define WAIT(cvp, lp) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_UTILWAIT, "WAIT"), \
+			       (cvp), \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_LOCK, "LOCK"), \
+			       (lp), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_condition_wait((cvp), (lp)) == ISC_R_SUCCESS); \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_WAITED, "WAITED"), \
+			       (cvp), \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_LOCKED, "LOCKED"), \
+			       (lp), __FILE__, __LINE__)); \
+	} while (0)
+
+/*
+ * isc_condition_waituntil can return ISC_R_TIMEDOUT, so we
+ * don't RUNTIME_CHECK the result.
+ *
+ *  XXX Also, can't really debug this then...
+ */
+
+#define WAITUNTIL(cvp, lp, tp) \
+	isc_condition_waituntil((cvp), (lp), (tp))
+
+#define RWLOCK(lp, t) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_RWLOCK, "RWLOCK"), \
+			       (lp), (t), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_rwlock_lock((lp), (t)) == ISC_R_SUCCESS); \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_RWLOCKED, "RWLOCKED"), \
+			       (lp), (t), __FILE__, __LINE__)); \
+	} while (0)
+#define RWUNLOCK(lp, t) do { \
+	ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+			       isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+					      ISC_MSG_RWUNLOCK, "RWUNLOCK"), \
+			       (lp), (t), __FILE__, __LINE__)); \
+	RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
+	} while (0)
+
+#define DESTROYMUTEXBLOCK(bp, n) \
+	RUNTIME_CHECK(isc_mutexblock_destroy((bp), (n)) == ISC_R_SUCCESS)
+
+/*
+ * List Macros.
+ */
+#include <isc/list.h>		/* Contractual promise. */
+
+#define LIST(type)			ISC_LIST(type)
+#define INIT_LIST(type)			ISC_LIST_INIT(type)
+#define LINK(type)			ISC_LINK(type)
+#define INIT_LINK(elt, link)		ISC_LINK_INIT(elt, link)
+#define HEAD(list)			ISC_LIST_HEAD(list)
+#define TAIL(list)			ISC_LIST_TAIL(list)
+#define EMPTY(list)			ISC_LIST_EMPTY(list)
+#define PREV(elt, link)			ISC_LIST_PREV(elt, link)
+#define NEXT(elt, link)			ISC_LIST_NEXT(elt, link)
+#define APPEND(list, elt, link)		ISC_LIST_APPEND(list, elt, link)
+#define PREPEND(list, elt, link)	ISC_LIST_PREPEND(list, elt, link)
+#define UNLINK(list, elt, link)		ISC_LIST_UNLINK(list, elt, link)
+#define ENQUEUE(list, elt, link)	ISC_LIST_APPEND(list, elt, link)
+#define DEQUEUE(list, elt, link)	ISC_LIST_UNLINK(list, elt, link)
+#define INSERTBEFORE(li, b, e, ln)	ISC_LIST_INSERTBEFORE(li, b, e, ln)
+#define INSERTAFTER(li, a, e, ln)	ISC_LIST_INSERTAFTER(li, a, e, ln)
+#define APPENDLIST(list1, list2, link)	ISC_LIST_APPENDLIST(list1, list2, link)
+
+/*%
+ * Performance
+ */
+#include <isc/likely.h>
+
+/*
+ * Assertions
+ */
+#include <isc/assertions.h>	/* Contractual promise. */
+
+/*% Require Assertion */
+#define REQUIRE(e)			ISC_REQUIRE(e)
+/*% Ensure Assertion */
+#define ENSURE(e)			ISC_ENSURE(e)
+/*% Insist Assertion */
+#define INSIST(e)			ISC_INSIST(e)
+/*% Invariant Assertion */
+#define INVARIANT(e)			ISC_INVARIANT(e)
+
+/*
+ * Errors
+ */
+#include <isc/error.h>		/* Contractual promise. */
+
+/*% Unexpected Error */
+#define UNEXPECTED_ERROR		isc_error_unexpected
+/*% Fatal Error */
+#define FATAL_ERROR			isc_error_fatal
+/*% Runtime Check */
+#define RUNTIME_CHECK(cond)		ISC_ERROR_RUNTIMECHECK(cond)
+
+/*%
+ * Time
+ */
+#define TIME_NOW(tp) 	RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+
+/*%
+ * Alignment
+ */
+#define ISC_ALIGN(x, a) (((x) + (a) - 1) & ~((typeof(x))(a)-1))
+
+/*%
+ * Misc
+ */
+#include <isc/deprecated.h>
+
+#endif /* ISC_UTIL_H */
diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h
new file mode 100644
index 0000000..d371e0d
--- /dev/null
+++ b/lib/isc/include/isc/version.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isc/version.h */
+
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA extern const char isc_version[];
+
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libinterface;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_librevision;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libage;
diff --git a/lib/isc/include/isc/xml.h b/lib/isc/include/isc/xml.h
new file mode 100644
index 0000000..a091d30
--- /dev/null
+++ b/lib/isc/include/isc/xml.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_XML_H
+#define ISC_XML_H 1
+
+/*
+ * This file is here mostly to make it easy to add additional libxml header
+ * files as needed across all the users of this file.  Rather than place
+ * these libxml includes in each file, one include makes it easy to handle
+ * the ifdef as well as adding the ability to add additional functions
+ * which may be useful.
+ */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/encoding.h>
+#include <libxml/xmlwriter.h>
+#endif
+
+#define ISC_XMLCHAR (const xmlChar *)
+
+#define ISC_XML_RENDERCONFIG		0x00000001 /* render config data */
+#define ISC_XML_RENDERSTATS		0x00000002 /* render stats */
+#define ISC_XML_RENDERALL		0x000000ff /* render everything */
+
+#endif /* ISC_XML_H */
diff --git a/lib/isc/include/pk11/Makefile.in b/lib/isc/include/pk11/Makefile.in
new file mode 100644
index 0000000..395c924
--- /dev/null
+++ b/lib/isc/include/pk11/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	constants.h internal.h pk11.h result.h site.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pk11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pk11 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/pk11/$$i || exit 1; \
+	done
diff --git a/lib/isc/include/pk11/README.site b/lib/isc/include/pk11/README.site
new file mode 100644
index 0000000..6c49891
--- /dev/null
+++ b/lib/isc/include/pk11/README.site
@@ -0,0 +1,72 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+How to use site.h for the PKCS#11 provider of your HSM
+------------------------------------------------------
+
+First run "pkcs11-tokens" (in bin/pkcs11). This tool is built when BIND9
+is configured with the --with-pcks11 flag.  It prints the addresses of
+selected tokens per algorithm:
+
+ - random number generation
+ - RSA (sign/verify)
+ - DSA (sign/verify)
+ - DH (secret derivation)
+ - digest (hash)
+ - EC (ECDSA, sign/verify)
+ - GOST (Russian hash and sign/verify)
+ - AES (encrypt/decrypt)
+
+...and a summary of PKCS#11 tokens that have been found.
+
+Current well-known HSMs are predefined in site.h according to HSM "flavors":
+
+ - Thales nCipher (default)
+ - OpenDNSSEC SoftHSMv2
+
+...and with experimental status:
+
+ - OpenDNSSEC SoftHSMv1 with SHA224 support added
+ - Cryptech
+ - AEP Keyper
+
+If BIND9 is configured with native PKCS#11 support (--enable-native-pkcs11),
+then pkcs11-tokens will raise an error when a mandatory algorithm is not
+supported.  (The usual error is 0x70, or CKR_MECHANISM_INVALID; 0x0
+indicates that a required flag is not available.)  The following steps
+may be taken, depending on which algorithms indicate failures:
+
+ - rand or RSA: nothing can be done; native PKCS#11 is not supported
+   in BIND9 with this HSM.
+
+ - DSA or DH: run pkcs11-tokens with the -v (verbose) flag.  If the
+   parameter generation mechanism is not supported you can make the token
+   selection to ignore the error.  Note DSA and DH are not critical
+   algorithms; you can use BIND9 in production without them.
+
+ - digest: run pkcs11-tokens with the -v (verbose) flag.  If the problem is
+   with HMAC mechanisms, use the corresponding REPLACE flags in site.h.
+   If the problem is with MD5, use the corresponding DISABLE flag in
+   site.h. If the problem is with SHA224, contact the implementor of the
+   PKCS#11 provider and ask to have this hash algorithm implemented.  For
+   any other problem, nothing can be done; native PKCS#11 is not supported
+   with this HSM.
+
+ - EC: you may wish to configure BIND9 without ECDSA support by adding
+   --without-ecdsa to the "configure" arguments.
+
+ - GOST: you SHOULD configure BIND9 without GOST support by adding
+   --without-gost to the "configure" arguments.
+
+ - AES: you MUST reconfigure bind9 without AES support by adding
+   --without-aes to configure arguments.
+
+You can disable some algorithms (e.g. DSA, DH and MD5) using the
+"disable-algorithms" option in named.conf, and some other algorithms can be
+disabled at compile time (ECDSA, GOST, AES).  Note, however, that disabling
+algorithms can have unwanted side effects; for instance, disabling DH breaks
+TKEY support.
+
+A final note: the DISABLE flags in site.h work for OpenSSL code too, but
+this feature is not officially supported yet and should not be relied on.
diff --git a/lib/isc/include/pk11/constants.h b/lib/isc/include/pk11/constants.h
new file mode 100644
index 0000000..0abbf7e
--- /dev/null
+++ b/lib/isc/include/pk11/constants.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef PK11_CONSTANTS_H
+#define PK11_CONSTANTS_H 1
+
+/*! \file pk11/constants.h */
+
+/*%
+ * Static arrays of data used for key template initalization
+ */
+#ifdef WANT_ECC_CURVES
+static CK_BYTE pk11_ecc_prime256v1[] = {
+	0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
+};
+static CK_BYTE pk11_ecc_secp384r1[] = {
+	0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
+};
+static CK_BYTE pk11_ecc_ed25519[] = {
+	0x06, 0x03, 0x2b, 0x65, 0x70
+};
+static CK_BYTE pk11_ecc_ed448[] = {
+	0x06, 0x03, 0x2b, 0x65, 0x71
+};
+#endif
+
+#ifdef WANT_DH_PRIMES
+static CK_BYTE pk11_dh_bn2[] = { 2 };
+static CK_BYTE pk11_dh_bn768[] = {
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+	0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+	0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+	0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+	0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+	0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+	0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+	0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+	0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+	0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x3a, 0x36, 0x20,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1024[] = {
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+	0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+	0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+	0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+	0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+	0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+	0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+	0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+	0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+	0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+	0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+	0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+	0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+	0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+static CK_BYTE pk11_dh_bn1536[] = {
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
+	0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1,
+	0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
+	0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+	0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
+	0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b,
+	0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
+	0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45,
+	0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+	0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b,
+	0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
+	0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5,
+	0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
+	0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d,
+	0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05,
+	0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a,
+	0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
+	0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96,
+	0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb,
+	0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d,
+	0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04,
+	0xf1, 0x74, 0x6c, 0x08, 0xca, 0x23, 0x73, 0x27,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+};
+#endif
+
+#ifdef WANT_GOST_PARAMS
+static CK_BYTE pk11_gost_a_paramset[] = {
+	0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x01
+};
+static CK_BYTE pk11_gost_paramset[] = {
+	0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x1e, 0x01
+};
+#endif
+
+#endif /* PK11_CONSTANTS_H */
diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
new file mode 100644
index 0000000..aa8907a
--- /dev/null
+++ b/lib/isc/include/pk11/internal.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef PK11_INTERNAL_H
+#define PK11_INTERNAL_H 1
+
+/*! \file pk11/internal.h */
+
+ISC_LANG_BEGINDECLS
+
+const char *pk11_get_lib_name(void);
+
+void *pk11_mem_get(size_t size);
+
+void pk11_mem_put(void *ptr, size_t size);
+
+CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
+
+unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
+
+CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
+
+CK_ATTRIBUTE *pk11_attribute_next(const pk11_object_t *obj,
+				  CK_ATTRIBUTE *attr);
+
+CK_ATTRIBUTE *pk11_attribute_bytype(const pk11_object_t *obj,
+				    CK_ATTRIBUTE_TYPE type);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_INTERNAL_H */
diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h
new file mode 100644
index 0000000..2ff21fb
--- /dev/null
+++ b/lib/isc/include/pk11/pk11.h
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef PK11_PK11_H
+#define PK11_PK11_H 1
+
+/*! \file pk11/pk11.h */
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+#define PK11_FATALCHECK(func, args) \
+	((void) (((rv = (func) args) == CKR_OK) || \
+		 ((pk11_error_fatalcheck)(__FILE__, __LINE__, #func, rv), 0)))
+
+#include <pkcs11/cryptoki.h>
+#include <pk11/site.h>
+
+ISC_LANG_BEGINDECLS
+
+#define SES_MAGIC	ISC_MAGIC('P','K','S','S')
+#define TOK_MAGIC	ISC_MAGIC('P','K','T','K')
+
+#define VALID_SES(x)	ISC_MAGIC_VALID(x, SES_MAGIC)
+#define VALID_TOK(x)	ISC_MAGIC_VALID(x, TOK_MAGIC)
+
+typedef struct pk11_context pk11_context_t;
+
+struct pk11_object {
+	CK_OBJECT_HANDLE	object;
+	CK_SLOT_ID		slot;
+	CK_BBOOL		ontoken;
+	CK_BBOOL		reqlogon;
+	CK_BYTE			attrcnt;
+	CK_ATTRIBUTE		*repr;
+};
+
+struct pk11_context {
+	void			*handle;
+	CK_SESSION_HANDLE	session;
+	CK_BBOOL		ontoken;
+	CK_OBJECT_HANDLE	object;
+#if defined(PK11_MD5_HMAC_REPLACE) ||  defined(PK11_SHA_1_HMAC_REPLACE) || \
+    defined(PK11_SHA224_HMAC_REPLACE) || defined(PK11_SHA256_HMAC_REPLACE) || \
+    defined(PK11_SHA384_HMAC_REPLACE) || defined(PK11_SHA512_HMAC_REPLACE)
+	unsigned char		*key;
+#endif
+};
+
+typedef struct pk11_object pk11_object_t;
+
+typedef enum {
+	OP_ANY = 0,
+	OP_RAND = 1,
+	OP_RSA = 2,
+	OP_DSA = 3,
+	OP_DH = 4,
+	OP_DIGEST = 5,
+	OP_EC = 6,
+	OP_GOST = 7,
+	OP_AES = 8,
+	OP_MAX = 9
+} pk11_optype_t;
+
+/*%
+ * Global flag to make choose_slots() verbose
+ */
+LIBISC_EXTERNAL_DATA extern bool pk11_verbose_init;
+
+/*%
+ * Function prototypes
+ */
+
+void pk11_set_lib_name(const char *lib_name);
+/*%<
+ * Set the PKCS#11 provider (aka library) path/name.
+ */
+
+isc_result_t pk11_initialize(isc_mem_t *mctx, const char *engine);
+/*%<
+ * Initialize PKCS#11 device
+ *
+ * mctx:   memory context to attach to pk11_mctx.
+ * engine: PKCS#11 provider (aka library) path/name.
+ *
+ * returns:
+ *         ISC_R_SUCCESS
+ *         PK11_R_NOPROVIDER: can't load the provider
+ *         PK11_R_INITFAILED: C_Initialize() failed
+ *         PK11_R_NORANDOMSERVICE: can't find required random service
+ *         PK11_R_NODIGESTSERVICE: can't find required digest service
+ *         PK11_R_NOAESSERVICE: can't find required AES service
+ */
+
+isc_result_t pk11_get_session(pk11_context_t *ctx,
+			      pk11_optype_t optype,
+			      bool need_services,
+			      bool rw,
+			      bool logon,
+			      const char *pin,
+			      CK_SLOT_ID slot);
+/*%<
+ * Initialize PKCS#11 device and acquire a session.
+ *
+ * need_services:
+ * 	  if true, this session requires full PKCS#11 API
+ * 	  support including random and digest services, and
+ * 	  the lack of these services will cause the session not
+ * 	  to be initialized.  If false, the function will return
+ * 	  an error code indicating the missing service, but the
+ * 	  session will be usable for other purposes.
+ * rw:    if true, session will be read/write (useful for
+ *        generating or destroying keys); otherwise read-only.
+ * login: indicates whether to log in to the device
+ * pin:   optional PIN, overriding any PIN currently associated
+ *        with the
+ * slot:  device slot ID
+ */
+
+void pk11_return_session(pk11_context_t *ctx);
+/*%<
+ * Release an active PKCS#11 session for reuse.
+ */
+
+isc_result_t pk11_finalize(void);
+/*%<
+ * Shut down PKCS#11 device and free all sessions.
+ */
+
+isc_result_t pk11_rand_bytes(unsigned char *buf, int num);
+
+void pk11_rand_seed_fromfile(const char *randomfile);
+
+isc_result_t pk11_parse_uri(pk11_object_t *obj, const char *label,
+			    isc_mem_t *mctx, pk11_optype_t optype);
+
+ISC_PLATFORM_NORETURN_PRE void
+pk11_error_fatalcheck(const char *file, int line,
+		      const char *funcname, CK_RV rv)
+ISC_PLATFORM_NORETURN_POST;
+
+void pk11_dump_tokens(void);
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved);
+
+char *pk11_get_load_error_message(void);
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+		   CK_ULONG_PTR pulCount);
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+			CK_MECHANISM_INFO_PTR pInfo);
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+		   CK_VOID_PTR pApplication,
+		   CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				     CK_NOTIFICATION event,
+				     CK_VOID_PTR pApplication),
+		   CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+	     CK_CHAR_PTR pPin, CK_ULONG usPinLen);
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		       CK_ULONG usCount);
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen);
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism);
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+		   CK_ULONG_PTR pulDigestLen);
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+	    CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		  CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		 CK_ULONG_PTR pulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		  CK_OBJECT_HANDLE hKey);
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	      CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+	      CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen);
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		   CK_ULONG ulSignatureLen);
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+		   CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		       CK_MECHANISM_PTR pMechanism,
+		       CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		       CK_ULONG usPublicKeyAttributeCount,
+		       CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		       CK_ULONG usPrivateKeyAttributeCount,
+		       CK_OBJECT_HANDLE_PTR phPrivateKey,
+		       CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey);
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+		  CK_ULONG ulSeedLen);
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+		      CK_ULONG ulRandomLen);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_PK11_H */
diff --git a/lib/isc/include/pk11/result.h b/lib/isc/include/pk11/result.h
new file mode 100644
index 0000000..cce9150
--- /dev/null
+++ b/lib/isc/include/pk11/result.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef PK11_RESULT_H
+#define PK11_RESULT_H 1
+
+/*! \file pk11/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * PK11 result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h>		/* Contractual promise. */
+
+#define PK11_R_INITFAILED		(ISC_RESULTCLASS_PK11 + 0)
+#define PK11_R_NOPROVIDER		(ISC_RESULTCLASS_PK11 + 1)
+#define PK11_R_NORANDOMSERVICE		(ISC_RESULTCLASS_PK11 + 2)
+#define PK11_R_NODIGESTSERVICE		(ISC_RESULTCLASS_PK11 + 3)
+#define PK11_R_NOAESSERVICE		(ISC_RESULTCLASS_PK11 + 4)
+
+#define PK11_R_NRESULTS			5	/* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *pk11_msgcat;
+
+void
+pk11_initmsgcat(void);
+
+const char *
+pk11_result_totext(isc_result_t);
+
+void
+pk11_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* PK11_RESULT_H */
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
new file mode 100644
index 0000000..1d97dbb
--- /dev/null
+++ b/lib/isc/include/pk11/site.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* The documentation about this file is in README.site */
+
+#ifndef PK11_SITE_H
+#define PK11_SITE_H 1
+
+/*! \file pk11/site.h */
+
+/*\brief Put here specific PKCS#11 tweaks
+ *
+ *\li PK11_<mechanism>_SKIP:
+ *	Don't consider the lack of this mechanism as a fatal error.
+ *
+ *\li PK11_<mechanism>_REPLACE:
+ *      Same as SKIP, and implement the mechanism using lower-level steps.
+ *
+ *\li PK11_<algorithm>_DISABLE:
+ *	Same as SKIP, and disable support for the algorithm.
+ *
+ *\li PK11_PAD_HMAC_KEYS:
+ *	Extend HMAC keys shorter than digest length.
+ */
+
+/* current implemented flags are:
+PK11_DH_PKCS_PARAMETER_GEN_SKIP
+PK11_DSA_PARAMETER_GEN_SKIP
+PK11_RSA_PKCS_REPLACE
+PK11_MD5_HMAC_REPLACE
+PK11_SHA_1_HMAC_REPLACE
+PK11_SHA224_HMAC_REPLACE
+PK11_SHA256_HMAC_REPLACE
+PK11_SHA384_HMAC_REPLACE
+PK11_SHA512_HMAC_REPLACE
+PK11_MD5_DISABLE
+PK11_DSA_DISABLE
+PK11_DH_DISABLE
+PK11_PAD_HMAC_KEYS
+*/
+
+/*
+ * Predefined flavors
+ */
+/* Thales nCipher */
+#define PK11_THALES_FLAVOR 0
+/* SoftHSMv1 with SHA224 */
+#define PK11_SOFTHSMV1_FLAVOR 1
+/* SoftHSMv2 */
+#define PK11_SOFTHSMV2_FLAVOR 2
+/* Cryptech */
+#define PK11_CRYPTECH_FLAVOR 3
+/* AEP Keyper */
+#define PK11_AEP_FLAVOR 4
+
+/* Default is for Thales nCipher */
+#ifndef PK11_FLAVOR
+#define PK11_FLAVOR PK11_THALES_FLAVOR
+#endif
+
+#if PK11_FLAVOR == PK11_THALES_FLAVOR
+#define PK11_DH_PKCS_PARAMETER_GEN_SKIP
+/* doesn't work but supported #define PK11_DSA_PARAMETER_GEN_SKIP */
+#define PK11_MD5_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
+#define PK11_PAD_HMAC_KEYS
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
+/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */
+#define PK11_MD5_HMAC_REPLACE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_MD5_DISABLE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#if PK11_FLAVOR == PK11_AEP_FLAVOR
+#define PK11_DH_DISABLE
+#define PK11_DSA_DISABLE
+#define PK11_RSA_PKCS_REPLACE
+#define PK11_MD5_HMAC_REPLACE
+#define PK11_SHA_1_HMAC_REPLACE
+#define PK11_SHA224_HMAC_REPLACE
+#define PK11_SHA256_HMAC_REPLACE
+#define PK11_SHA384_HMAC_REPLACE
+#define PK11_SHA512_HMAC_REPLACE
+#endif
+
+#endif /* PK11_SITE_H */
diff --git a/lib/isc/include/pkcs11/Makefile.in b/lib/isc/include/pkcs11/Makefile.in
new file mode 100644
index 0000000..8b442b4
--- /dev/null
+++ b/lib/isc/include/pkcs11/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	pkcs11f.h pkcs11.h pkcs11t.h eddsa.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/pkcs11 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/pkcs11/$$i || exit 1; \
+	done
diff --git a/lib/isc/include/pkcs11/eddsa.h b/lib/isc/include/pkcs11/eddsa.h
new file mode 100644
index 0000000..c0b2e9c
--- /dev/null
+++ b/lib/isc/include/pkcs11/eddsa.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef _EDDSA_H_
+#define _EDDSA_H_ 1
+
+#ifndef CKK_EDDSA
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKK_EDDSA               0x00008003UL
+#endif
+#endif
+
+#ifndef CKM_EDDSA_KEY_PAIR_GEN
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKM_EDDSA_KEY_PAIR_GEN         0x00009040UL
+#endif
+#endif
+
+#ifndef CKM_EDDSA
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKM_EDDSA                      0x00009041UL
+#endif
+#endif
+
+#endif /* _EDDSA_H_ */
diff --git a/lib/isc/include/pkcs11/pkcs11.h b/lib/isc/include/pkcs11/pkcs11.h
new file mode 100644
index 0000000..c66b0bc
--- /dev/null
+++ b/lib/isc/include/pkcs11/pkcs11.h
@@ -0,0 +1,264 @@
+/*
+ * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
+ * Committee Specification Draft 01 / Public Review Draft 01
+ * 09 December 2015
+ * Copyright (c) OASIS Open 2015. All Rights Reserved.
+ * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
+ * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ * https://www.oasis-open.org/policies-guidelines/ipr
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 5 platform-specific macros must be defined.  These
+ * macros are described below, and typical definitions for them
+ * are also given.  Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 5 macros, the packing convention
+ * for Cryptoki structures should be set.  The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this.  You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object.  It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name.  It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ *   CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ *   returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name.  It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 4. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV.  It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ *   returnType (* name)
+ *
+ *
+ * 5. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h.
+ */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y)      x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points.  That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST  1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points.  A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library.  This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+  __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+  CK_VERSION    version;  /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes.
+ */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _PKCS11_H_ */
+
diff --git a/lib/isc/include/pkcs11/pkcs11f.h b/lib/isc/include/pkcs11/pkcs11f.h
new file mode 100644
index 0000000..48ba572
--- /dev/null
+++ b/lib/isc/include/pkcs11/pkcs11f.h
@@ -0,0 +1,938 @@
+/*
+ * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
+ * Committee Specification Draft 01 / Public Review Draft 01
+ * 09 December 2015
+ * Copyright (c) OASIS Open 2015. All Rights Reserved.
+ * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
+ * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ * https://www.oasis-open.org/policies-guidelines/ipr
+ */
+
+/* This header file contains pretty much everything about all the
+ * Cryptoki function prototypes.  Because this information is
+ * used for more than just declaring function prototypes, the
+ * order of the functions appearing herein is important, and
+ * should not be altered.
+ */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
+                            * cast to CK_C_INITIALIZE_ARGS_PTR
+                            * and dereferenced
+                            */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_INFO_PTR   pInfo  /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
+                                            * function list
+                                            */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_BBOOL       tokenPresent,  /* only slots with tokens */
+  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
+  CK_ULONG_PTR   pulCount       /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID       slotID,  /* the ID of the slot */
+  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID        slotID,  /* ID of the token's slot */
+  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,          /* ID of token's slot */
+  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
+  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,  /* ID of the token's slot */
+  CK_MECHANISM_TYPE     type,    /* type of mechanism */
+  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID      slotID,    /* ID of the token's slot */
+  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
+  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
+  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
+  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
+  CK_ULONG          ulOldLen,  /* length of the old PIN */
+  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
+  CK_ULONG          ulNewLen   /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID            slotID,        /* the slot's ID */
+  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
+  CK_VOID_PTR           pApplication,  /* passed to callback */
+  CK_NOTIFY             Notify,        /* callback function */
+  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SLOT_ID     slotID  /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE   hSession,  /* the session's handle */
+  CK_SESSION_INFO_PTR pInfo      /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,             /* session's handle */
+  CK_BYTE_PTR       pOperationState,      /* gets state */
+  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR      pOperationState,      /* holds state */
+  CK_ULONG         ulOperationStateLen,  /* holds state length */
+  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
+  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_USER_TYPE      userType,  /* the user type */
+  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
+  CK_ULONG          ulPinLen   /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
+  CK_ULONG          ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
+  CK_ULONG             ulCount,     /* attributes in template */
+  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject    /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
+  CK_ULONG_PTR      pulSize    /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
+  CK_ULONG          ulCount     /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
+  CK_ULONG          ulCount     /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE    hSession,          /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
+ CK_ULONG             ulMaxObjectCount,  /* max handles to get */
+ CK_ULONG_PTR         pulObjectCount     /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pData,               /* the plaintext data */
+  CK_ULONG          ulDataLen,           /* bytes of plaintext */
+  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pPart,              /* the plaintext data */
+  CK_ULONG          ulPartLen,          /* plaintext data len */
+  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,                /* session handle */
+  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
+  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,           /* session's handle */
+  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
+  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
+  CK_BYTE_PTR       pData,              /* gets plaintext */
+  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
+  CK_ULONG          ulEncryptedPartLen,  /* input length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
+  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pData,        /* data to be digested */
+  CK_ULONG          ulDataLen,    /* bytes of data to digest */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* data to be digested */
+  CK_ULONG          ulPartLen  /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_BYTE_PTR       pDigest,      /* gets the message digest */
+  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ * signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* the data to sign */
+  CK_ULONG          ulPartLen  /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,   /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
+  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pData,           /* the data to sign */
+  CK_ULONG          ulDataLen,       /* count of bytes to sign */
+  CK_BYTE_PTR       pSignature,      /* gets the signature */
+  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA).
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pData,          /* signed data */
+  CK_ULONG          ulDataLen,      /* length of signed data */
+  CK_BYTE_PTR       pSignature,     /* signature */
+  CK_ULONG          ulSignatureLen  /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pPart,     /* signed data */
+  CK_ULONG          ulPartLen  /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,       /* the session's handle */
+  CK_BYTE_PTR       pSignature,     /* signature to verify */
+  CK_ULONG          ulSignatureLen  /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
+  CK_OBJECT_HANDLE  hKey         /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature.
+ */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_BYTE_PTR       pSignature,      /* signature to verify */
+  CK_ULONG          ulSignatureLen,  /* signature length */
+  CK_BYTE_PTR       pData,           /* gets signed data */
+  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pPart,               /* the plaintext data */
+  CK_ULONG          ulPartLen,           /* plaintext length */
+  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
+  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,            /* session's handle */
+  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
+  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
+  CK_BYTE_PTR       pPart,               /* gets plaintext */
+  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,    /* the session's handle */
+  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
+  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
+  CK_ULONG             ulCount,     /* # of attrs in template */
+  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,                    /* session handle */
+  CK_MECHANISM_PTR     pMechanism,                  /* key-gen mech. */
+  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template for pub. key */
+  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub. attrs. */
+  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template for priv. key */
+  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.  attrs. */
+  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub. key handle */
+  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets priv. key handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,        /* the session's handle */
+  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
+  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
+  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
+  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
+  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
+  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
+  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
+  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object.
+ */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE    hSession,          /* session's handle */
+  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
+  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
+  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
+  CK_ULONG             ulAttributeCount,  /* template length */
+  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator.
+ */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,  /* the session's handle */
+  CK_BYTE_PTR       pSeed,     /* the seed material */
+  CK_ULONG          ulSeedLen  /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession,    /* the session's handle */
+  CK_BYTE_PTR       RandomData,  /* receives the random data */
+  CK_ULONG          ulRandomLen  /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application.
+ */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel.
+ */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_SESSION_HANDLE hSession  /* the session's handle */
+);
+#endif
+
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur.
+ */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+  CK_FLAGS flags,        /* blocking/nonblocking flag */
+  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
+  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
+);
+#endif
+
diff --git a/lib/isc/include/pkcs11/pkcs11t.h b/lib/isc/include/pkcs11/pkcs11t.h
new file mode 100644
index 0000000..ed83ed3
--- /dev/null
+++ b/lib/isc/include/pkcs11/pkcs11t.h
@@ -0,0 +1,2006 @@
+/*
+ * PKCS #11 Cryptographic Token Interface Base Specification Version 2.40 Errata 01
+ * Committee Specification Draft 01 / Public Review Draft 01
+ * 09 December 2015
+ * Copyright (c) OASIS Open 2015. All Rights Reserved.
+ * Source: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/csprd01/include/pkcs11-v2.40/
+ * Latest version of the specification: http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
+ * https://www.oasis-open.org/policies-guidelines/ipr
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file.
+ */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR          2
+#define CRYPTOKI_VERSION_MINOR          40
+#define CRYPTOKI_VERSION_AMENDMENT      0
+
+#define CK_TRUE         1
+#define CK_FALSE        0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char     CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE           CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE           CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE           CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+typedef long int          CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG          CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION      (~0UL)
+#define CK_EFFECTIVELY_INFINITE         0UL
+
+
+typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
+typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
+typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
+typedef void        CK_PTR   CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session
+ * handle or object handle
+ */
+#define CK_INVALID_HANDLE       0UL
+
+
+typedef struct CK_VERSION {
+  CK_BYTE       major;  /* integer portion of version number */
+  CK_BYTE       minor;  /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_FLAGS      flags;               /* must be zero */
+  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
+  CK_VERSION    libraryVersion;          /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR    CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application
+ */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER           0UL
+#define CKN_OTP_CHANGED         1UL
+
+typedef CK_ULONG          CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
+  CK_FLAGS      flags;
+
+  CK_VERSION    hardwareVersion;  /* version of hardware */
+  CK_VERSION    firmwareVersion;  /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag              Mask        Meaning
+ */
+#define CKF_TOKEN_PRESENT     0x00000001UL  /* a token is there */
+#define CKF_REMOVABLE_DEVICE  0x00000002UL  /* removable devices*/
+#define CKF_HW_SLOT           0x00000004UL  /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+  CK_UTF8CHAR   label[32];           /* blank padded */
+  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
+  CK_UTF8CHAR   model[16];           /* blank padded */
+  CK_CHAR       serialNumber[16];    /* blank padded */
+  CK_FLAGS      flags;               /* see below */
+
+  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
+  CK_ULONG      ulSessionCount;        /* sess. now open */
+  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
+  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
+  CK_ULONG      ulMaxPinLen;           /* in bytes */
+  CK_ULONG      ulMinPinLen;           /* in bytes */
+  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
+  CK_ULONG      ulFreePublicMemory;    /* in bytes */
+  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
+  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
+  CK_VERSION    hardwareVersion;       /* version of hardware */
+  CK_VERSION    firmwareVersion;       /* version of firmware */
+  CK_CHAR       utcTime[16];           /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ *      Bit Flag                    Mask        Meaning
+ */
+#define CKF_RNG                     0x00000001UL  /* has random # generator */
+#define CKF_WRITE_PROTECTED         0x00000002UL  /* token is write-protected */
+#define CKF_LOGIN_REQUIRED          0x00000004UL  /* user must login */
+#define CKF_USER_PIN_INITIALIZED    0x00000008UL  /* normal user's PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED.  If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state
+ */
+#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020UL
+
+/* CKF_CLOCK_ON_TOKEN.  If it is set, that means
+ * that the token has some sort of clock.  The time on that
+ * clock is returned in the token info structure
+ */
+#define CKF_CLOCK_ON_TOKEN          0x00000040UL
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH.  If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself
+ */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
+
+/* CKF_DUAL_CRYPTO_OPERATIONS.  If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign)
+ */
+#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200UL
+
+/* CKF_TOKEN_INITIALIZED. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized.
+ */
+#define CKF_TOKEN_INITIALIZED       0x00000400UL
+
+/* CKF_SECONDARY_AUTHENTICATION. If it is
+ * true, the token supports secondary authentication for
+ * private key objects.
+ */
+#define CKF_SECONDARY_AUTHENTICATION  0x00000800UL
+
+/* CKF_USER_PIN_COUNT_LOW. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication.
+ */
+#define CKF_USER_PIN_COUNT_LOW       0x00010000UL
+
+/* CKF_USER_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect user PIN will it to become locked.
+ */
+#define CKF_USER_PIN_FINAL_TRY       0x00020000UL
+
+/* CKF_USER_PIN_LOCKED. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible.
+ */
+#define CKF_USER_PIN_LOCKED          0x00040000UL
+
+/* CKF_USER_PIN_TO_BE_CHANGED. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000UL
+
+/* CKF_SO_PIN_COUNT_LOW. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication.
+ */
+#define CKF_SO_PIN_COUNT_LOW         0x00100000UL
+
+/* CKF_SO_PIN_FINAL_TRY. If it is true,
+ * supplying an incorrect SO PIN will it to become locked.
+ */
+#define CKF_SO_PIN_FINAL_TRY         0x00200000UL
+
+/* CKF_SO_PIN_LOCKED. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED            0x00400000UL
+
+/* CKF_SO_PIN_TO_BE_CHANGED. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card.
+ */
+#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000UL
+
+#define CKF_ERROR_STATE              0x01000000UL
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session
+ */
+typedef CK_ULONG          CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+typedef CK_ULONG          CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO                  0UL
+/* Normal user */
+#define CKU_USER                1UL
+/* Context specific */
+#define CKU_CONTEXT_SPECIFIC    2UL
+
+/* CK_STATE enumerates the session states */
+typedef CK_ULONG          CK_STATE;
+#define CKS_RO_PUBLIC_SESSION   0UL
+#define CKS_RO_USER_FUNCTIONS   1UL
+#define CKS_RW_PUBLIC_SESSION   2UL
+#define CKS_RW_USER_FUNCTIONS   3UL
+#define CKS_RW_SO_FUNCTIONS     4UL
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+  CK_SLOT_ID    slotID;
+  CK_STATE      state;
+  CK_FLAGS      flags;          /* see below */
+  CK_ULONG      ulDeviceError;  /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ *      Bit Flag                Mask        Meaning
+ */
+#define CKF_RW_SESSION          0x00000002UL /* session is r/w */
+#define CKF_SERIAL_SESSION      0x00000004UL /* no parallel    */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object
+ */
+typedef CK_ULONG          CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes.  It is defined
+ * as follows:
+ */
+typedef CK_ULONG          CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+#define CKO_DATA              0x00000000UL
+#define CKO_CERTIFICATE       0x00000001UL
+#define CKO_PUBLIC_KEY        0x00000002UL
+#define CKO_PRIVATE_KEY       0x00000003UL
+#define CKO_SECRET_KEY        0x00000004UL
+#define CKO_HW_FEATURE        0x00000005UL
+#define CKO_DOMAIN_PARAMETERS 0x00000006UL
+#define CKO_MECHANISM         0x00000007UL
+#define CKO_OTP_KEY           0x00000008UL
+
+#define CKO_VENDOR_DEFINED    0x80000000UL
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is a value that identifies the hardware feature type
+ * of an object with CK_OBJECT_CLASS equal to CKO_HW_FEATURE.
+ */
+typedef CK_ULONG          CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+#define CKH_MONOTONIC_COUNTER  0x00000001UL
+#define CKH_CLOCK              0x00000002UL
+#define CKH_USER_INTERFACE     0x00000003UL
+#define CKH_VENDOR_DEFINED     0x80000000UL
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+typedef CK_ULONG          CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA                 0x00000000UL
+#define CKK_DSA                 0x00000001UL
+#define CKK_DH                  0x00000002UL
+#define CKK_ECDSA               0x00000003UL /* Deprecated */
+#define CKK_EC                  0x00000003UL
+#define CKK_X9_42_DH            0x00000004UL
+#define CKK_KEA                 0x00000005UL
+#define CKK_GENERIC_SECRET      0x00000010UL
+#define CKK_RC2                 0x00000011UL
+#define CKK_RC4                 0x00000012UL
+#define CKK_DES                 0x00000013UL
+#define CKK_DES2                0x00000014UL
+#define CKK_DES3                0x00000015UL
+#define CKK_CAST                0x00000016UL
+#define CKK_CAST3               0x00000017UL
+#define CKK_CAST5               0x00000018UL /* Deprecated */
+#define CKK_CAST128             0x00000018UL
+#define CKK_RC5                 0x00000019UL
+#define CKK_IDEA                0x0000001AUL
+#define CKK_SKIPJACK            0x0000001BUL
+#define CKK_BATON               0x0000001CUL
+#define CKK_JUNIPER             0x0000001DUL
+#define CKK_CDMF                0x0000001EUL
+#define CKK_AES                 0x0000001FUL
+#define CKK_BLOWFISH            0x00000020UL
+#define CKK_TWOFISH             0x00000021UL
+#define CKK_SECURID             0x00000022UL
+#define CKK_HOTP                0x00000023UL
+#define CKK_ACTI                0x00000024UL
+#define CKK_CAMELLIA            0x00000025UL
+#define CKK_ARIA                0x00000026UL
+
+#define CKK_MD5_HMAC            0x00000027UL
+#define CKK_SHA_1_HMAC          0x00000028UL
+#define CKK_RIPEMD128_HMAC      0x00000029UL
+#define CKK_RIPEMD160_HMAC      0x0000002AUL
+#define CKK_SHA256_HMAC         0x0000002BUL
+#define CKK_SHA384_HMAC         0x0000002CUL
+#define CKK_SHA512_HMAC         0x0000002DUL
+#define CKK_SHA224_HMAC         0x0000002EUL
+
+#define CKK_SEED                0x0000002FUL
+#define CKK_GOSTR3410           0x00000030UL
+#define CKK_GOSTR3411           0x00000031UL
+#define CKK_GOST28147           0x00000032UL
+
+
+
+#define CKK_VENDOR_DEFINED      0x80000000UL
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type
+ */
+typedef CK_ULONG          CK_CERTIFICATE_TYPE;
+
+#define CK_CERTIFICATE_CATEGORY_UNSPECIFIED     0UL
+#define CK_CERTIFICATE_CATEGORY_TOKEN_USER      1UL
+#define CK_CERTIFICATE_CATEGORY_AUTHORITY       2UL
+#define CK_CERTIFICATE_CATEGORY_OTHER_ENTITY    3UL
+
+#define CK_SECURITY_DOMAIN_UNSPECIFIED     0UL
+#define CK_SECURITY_DOMAIN_MANUFACTURER    1UL
+#define CK_SECURITY_DOMAIN_OPERATOR        2UL
+#define CK_SECURITY_DOMAIN_THIRD_PARTY     3UL
+
+
+/* The following certificate types are defined: */
+#define CKC_X_509               0x00000000UL
+#define CKC_X_509_ATTR_CERT     0x00000001UL
+#define CKC_WTLS                0x00000002UL
+#define CKC_VENDOR_DEFINED      0x80000000UL
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type
+ */
+typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ * consists of an array of values.
+ */
+#define CKF_ARRAY_ATTRIBUTE     0x40000000UL
+
+/* The following OTP-related defines relate to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL           0UL
+#define CK_OTP_FORMAT_HEXADECIMAL       1UL
+#define CK_OTP_FORMAT_ALPHANUMERIC      2UL
+#define CK_OTP_FORMAT_BINARY            3UL
+
+/* The following OTP-related defines relate to the CKA_OTP_..._REQUIREMENT
+ * attributes
+ */
+#define CK_OTP_PARAM_IGNORED            0UL
+#define CK_OTP_PARAM_OPTIONAL           1UL
+#define CK_OTP_PARAM_MANDATORY          2UL
+
+/* The following attribute types are defined: */
+#define CKA_CLASS              0x00000000UL
+#define CKA_TOKEN              0x00000001UL
+#define CKA_PRIVATE            0x00000002UL
+#define CKA_LABEL              0x00000003UL
+#define CKA_APPLICATION        0x00000010UL
+#define CKA_VALUE              0x00000011UL
+#define CKA_OBJECT_ID          0x00000012UL
+#define CKA_CERTIFICATE_TYPE   0x00000080UL
+#define CKA_ISSUER             0x00000081UL
+#define CKA_SERIAL_NUMBER      0x00000082UL
+#define CKA_AC_ISSUER          0x00000083UL
+#define CKA_OWNER              0x00000084UL
+#define CKA_ATTR_TYPES         0x00000085UL
+#define CKA_TRUSTED            0x00000086UL
+#define CKA_CERTIFICATE_CATEGORY        0x00000087UL
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088UL
+#define CKA_URL                         0x00000089UL
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008AUL
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008BUL
+#define CKA_NAME_HASH_ALGORITHM         0x0000008CUL
+#define CKA_CHECK_VALUE                 0x00000090UL
+
+#define CKA_KEY_TYPE           0x00000100UL
+#define CKA_SUBJECT            0x00000101UL
+#define CKA_ID                 0x00000102UL
+#define CKA_SENSITIVE          0x00000103UL
+#define CKA_ENCRYPT            0x00000104UL
+#define CKA_DECRYPT            0x00000105UL
+#define CKA_WRAP               0x00000106UL
+#define CKA_UNWRAP             0x00000107UL
+#define CKA_SIGN               0x00000108UL
+#define CKA_SIGN_RECOVER       0x00000109UL
+#define CKA_VERIFY             0x0000010AUL
+#define CKA_VERIFY_RECOVER     0x0000010BUL
+#define CKA_DERIVE             0x0000010CUL
+#define CKA_START_DATE         0x00000110UL
+#define CKA_END_DATE           0x00000111UL
+#define CKA_MODULUS            0x00000120UL
+#define CKA_MODULUS_BITS       0x00000121UL
+#define CKA_PUBLIC_EXPONENT    0x00000122UL
+#define CKA_PRIVATE_EXPONENT   0x00000123UL
+#define CKA_PRIME_1            0x00000124UL
+#define CKA_PRIME_2            0x00000125UL
+#define CKA_EXPONENT_1         0x00000126UL
+#define CKA_EXPONENT_2         0x00000127UL
+#define CKA_COEFFICIENT        0x00000128UL
+#define CKA_PUBLIC_KEY_INFO    0x00000129UL
+#define CKA_PRIME              0x00000130UL
+#define CKA_SUBPRIME           0x00000131UL
+#define CKA_BASE               0x00000132UL
+
+#define CKA_PRIME_BITS         0x00000133UL
+#define CKA_SUBPRIME_BITS      0x00000134UL
+#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
+
+#define CKA_VALUE_BITS         0x00000160UL
+#define CKA_VALUE_LEN          0x00000161UL
+#define CKA_EXTRACTABLE        0x00000162UL
+#define CKA_LOCAL              0x00000163UL
+#define CKA_NEVER_EXTRACTABLE  0x00000164UL
+#define CKA_ALWAYS_SENSITIVE   0x00000165UL
+#define CKA_KEY_GEN_MECHANISM  0x00000166UL
+
+#define CKA_MODIFIABLE         0x00000170UL
+#define CKA_COPYABLE           0x00000171UL
+
+#define CKA_DESTROYABLE        0x00000172UL
+
+#define CKA_ECDSA_PARAMS       0x00000180UL /* Deprecated */
+#define CKA_EC_PARAMS          0x00000180UL
+
+#define CKA_EC_POINT           0x00000181UL
+
+#define CKA_SECONDARY_AUTH     0x00000200UL /* Deprecated */
+#define CKA_AUTH_PIN_FLAGS     0x00000201UL /* Deprecated */
+
+#define CKA_ALWAYS_AUTHENTICATE  0x00000202UL
+
+#define CKA_WRAP_WITH_TRUSTED    0x00000210UL
+#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
+#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212UL)
+#define CKA_DERIVE_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000213UL)
+
+#define CKA_OTP_FORMAT                0x00000220UL
+#define CKA_OTP_LENGTH                0x00000221UL
+#define CKA_OTP_TIME_INTERVAL         0x00000222UL
+#define CKA_OTP_USER_FRIENDLY_MODE    0x00000223UL
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224UL
+#define CKA_OTP_TIME_REQUIREMENT      0x00000225UL
+#define CKA_OTP_COUNTER_REQUIREMENT   0x00000226UL
+#define CKA_OTP_PIN_REQUIREMENT       0x00000227UL
+#define CKA_OTP_COUNTER               0x0000022EUL
+#define CKA_OTP_TIME                  0x0000022FUL
+#define CKA_OTP_USER_IDENTIFIER       0x0000022AUL
+#define CKA_OTP_SERVICE_IDENTIFIER    0x0000022BUL
+#define CKA_OTP_SERVICE_LOGO          0x0000022CUL
+#define CKA_OTP_SERVICE_LOGO_TYPE     0x0000022DUL
+
+#define CKA_GOSTR3410_PARAMS            0x00000250UL
+#define CKA_GOSTR3411_PARAMS            0x00000251UL
+#define CKA_GOST28147_PARAMS            0x00000252UL
+
+#define CKA_HW_FEATURE_TYPE             0x00000300UL
+#define CKA_RESET_ON_INIT               0x00000301UL
+#define CKA_HAS_RESET                   0x00000302UL
+
+#define CKA_PIXEL_X                     0x00000400UL
+#define CKA_PIXEL_Y                     0x00000401UL
+#define CKA_RESOLUTION                  0x00000402UL
+#define CKA_CHAR_ROWS                   0x00000403UL
+#define CKA_CHAR_COLUMNS                0x00000404UL
+#define CKA_COLOR                       0x00000405UL
+#define CKA_BITS_PER_PIXEL              0x00000406UL
+#define CKA_CHAR_SETS                   0x00000480UL
+#define CKA_ENCODING_METHODS            0x00000481UL
+#define CKA_MIME_TYPES                  0x00000482UL
+#define CKA_MECHANISM_TYPE              0x00000500UL
+#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501UL
+#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502UL
+#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503UL
+#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600UL)
+
+#define CKA_VENDOR_DEFINED              0x80000000UL
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute
+ */
+typedef struct CK_ATTRIBUTE {
+  CK_ATTRIBUTE_TYPE type;
+  CK_VOID_PTR       pValue;
+  CK_ULONG          ulValueLen;  /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
+  CK_CHAR       month[2];  /* the month ("01" - "12") */
+  CK_CHAR       day[2];    /* the day   ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type
+ */
+typedef CK_ULONG          CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000UL
+#define CKM_RSA_PKCS                   0x00000001UL
+#define CKM_RSA_9796                   0x00000002UL
+#define CKM_RSA_X_509                  0x00000003UL
+
+#define CKM_MD2_RSA_PKCS               0x00000004UL
+#define CKM_MD5_RSA_PKCS               0x00000005UL
+#define CKM_SHA1_RSA_PKCS              0x00000006UL
+
+#define CKM_RIPEMD128_RSA_PKCS         0x00000007UL
+#define CKM_RIPEMD160_RSA_PKCS         0x00000008UL
+#define CKM_RSA_PKCS_OAEP              0x00000009UL
+
+#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000AUL
+#define CKM_RSA_X9_31                  0x0000000BUL
+#define CKM_SHA1_RSA_X9_31             0x0000000CUL
+#define CKM_RSA_PKCS_PSS               0x0000000DUL
+#define CKM_SHA1_RSA_PKCS_PSS          0x0000000EUL
+
+#define CKM_DSA_KEY_PAIR_GEN           0x00000010UL
+#define CKM_DSA                        0x00000011UL
+#define CKM_DSA_SHA1                   0x00000012UL
+#define CKM_DSA_SHA224                 0x00000013UL
+#define CKM_DSA_SHA256                 0x00000014UL
+#define CKM_DSA_SHA384                 0x00000015UL
+#define CKM_DSA_SHA512                 0x00000016UL
+
+#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
+#define CKM_DH_PKCS_DERIVE             0x00000021UL
+
+#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030UL
+#define CKM_X9_42_DH_DERIVE            0x00000031UL
+#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032UL
+#define CKM_X9_42_MQV_DERIVE           0x00000033UL
+
+#define CKM_SHA256_RSA_PKCS            0x00000040UL
+#define CKM_SHA384_RSA_PKCS            0x00000041UL
+#define CKM_SHA512_RSA_PKCS            0x00000042UL
+#define CKM_SHA256_RSA_PKCS_PSS        0x00000043UL
+#define CKM_SHA384_RSA_PKCS_PSS        0x00000044UL
+#define CKM_SHA512_RSA_PKCS_PSS        0x00000045UL
+
+#define CKM_SHA224_RSA_PKCS            0x00000046UL
+#define CKM_SHA224_RSA_PKCS_PSS        0x00000047UL
+
+#define CKM_SHA512_224                 0x00000048UL
+#define CKM_SHA512_224_HMAC            0x00000049UL
+#define CKM_SHA512_224_HMAC_GENERAL    0x0000004AUL
+#define CKM_SHA512_224_KEY_DERIVATION  0x0000004BUL
+#define CKM_SHA512_256                 0x0000004CUL
+#define CKM_SHA512_256_HMAC            0x0000004DUL
+#define CKM_SHA512_256_HMAC_GENERAL    0x0000004EUL
+#define CKM_SHA512_256_KEY_DERIVATION  0x0000004FUL
+
+#define CKM_SHA512_T                   0x00000050UL
+#define CKM_SHA512_T_HMAC              0x00000051UL
+#define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
+#define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
+
+#define CKM_RC2_KEY_GEN                0x00000100UL
+#define CKM_RC2_ECB                    0x00000101UL
+#define CKM_RC2_CBC                    0x00000102UL
+#define CKM_RC2_MAC                    0x00000103UL
+
+#define CKM_RC2_MAC_GENERAL            0x00000104UL
+#define CKM_RC2_CBC_PAD                0x00000105UL
+
+#define CKM_RC4_KEY_GEN                0x00000110UL
+#define CKM_RC4                        0x00000111UL
+#define CKM_DES_KEY_GEN                0x00000120UL
+#define CKM_DES_ECB                    0x00000121UL
+#define CKM_DES_CBC                    0x00000122UL
+#define CKM_DES_MAC                    0x00000123UL
+
+#define CKM_DES_MAC_GENERAL            0x00000124UL
+#define CKM_DES_CBC_PAD                0x00000125UL
+
+#define CKM_DES2_KEY_GEN               0x00000130UL
+#define CKM_DES3_KEY_GEN               0x00000131UL
+#define CKM_DES3_ECB                   0x00000132UL
+#define CKM_DES3_CBC                   0x00000133UL
+#define CKM_DES3_MAC                   0x00000134UL
+
+#define CKM_DES3_MAC_GENERAL           0x00000135UL
+#define CKM_DES3_CBC_PAD               0x00000136UL
+#define CKM_DES3_CMAC_GENERAL          0x00000137UL
+#define CKM_DES3_CMAC                  0x00000138UL
+#define CKM_CDMF_KEY_GEN               0x00000140UL
+#define CKM_CDMF_ECB                   0x00000141UL
+#define CKM_CDMF_CBC                   0x00000142UL
+#define CKM_CDMF_MAC                   0x00000143UL
+#define CKM_CDMF_MAC_GENERAL           0x00000144UL
+#define CKM_CDMF_CBC_PAD               0x00000145UL
+
+#define CKM_DES_OFB64                  0x00000150UL
+#define CKM_DES_OFB8                   0x00000151UL
+#define CKM_DES_CFB64                  0x00000152UL
+#define CKM_DES_CFB8                   0x00000153UL
+
+#define CKM_MD2                        0x00000200UL
+
+#define CKM_MD2_HMAC                   0x00000201UL
+#define CKM_MD2_HMAC_GENERAL           0x00000202UL
+
+#define CKM_MD5                        0x00000210UL
+
+#define CKM_MD5_HMAC                   0x00000211UL
+#define CKM_MD5_HMAC_GENERAL           0x00000212UL
+
+#define CKM_SHA_1                      0x00000220UL
+
+#define CKM_SHA_1_HMAC                 0x00000221UL
+#define CKM_SHA_1_HMAC_GENERAL         0x00000222UL
+
+#define CKM_RIPEMD128                  0x00000230UL
+#define CKM_RIPEMD128_HMAC             0x00000231UL
+#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232UL
+#define CKM_RIPEMD160                  0x00000240UL
+#define CKM_RIPEMD160_HMAC             0x00000241UL
+#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242UL
+
+#define CKM_SHA256                     0x00000250UL
+#define CKM_SHA256_HMAC                0x00000251UL
+#define CKM_SHA256_HMAC_GENERAL        0x00000252UL
+#define CKM_SHA224                     0x00000255UL
+#define CKM_SHA224_HMAC                0x00000256UL
+#define CKM_SHA224_HMAC_GENERAL        0x00000257UL
+#define CKM_SHA384                     0x00000260UL
+#define CKM_SHA384_HMAC                0x00000261UL
+#define CKM_SHA384_HMAC_GENERAL        0x00000262UL
+#define CKM_SHA512                     0x00000270UL
+#define CKM_SHA512_HMAC                0x00000271UL
+#define CKM_SHA512_HMAC_GENERAL        0x00000272UL
+#define CKM_SECURID_KEY_GEN            0x00000280UL
+#define CKM_SECURID                    0x00000282UL
+#define CKM_HOTP_KEY_GEN               0x00000290UL
+#define CKM_HOTP                       0x00000291UL
+#define CKM_ACTI                       0x000002A0UL
+#define CKM_ACTI_KEY_GEN               0x000002A1UL
+
+#define CKM_CAST_KEY_GEN               0x00000300UL
+#define CKM_CAST_ECB                   0x00000301UL
+#define CKM_CAST_CBC                   0x00000302UL
+#define CKM_CAST_MAC                   0x00000303UL
+#define CKM_CAST_MAC_GENERAL           0x00000304UL
+#define CKM_CAST_CBC_PAD               0x00000305UL
+#define CKM_CAST3_KEY_GEN              0x00000310UL
+#define CKM_CAST3_ECB                  0x00000311UL
+#define CKM_CAST3_CBC                  0x00000312UL
+#define CKM_CAST3_MAC                  0x00000313UL
+#define CKM_CAST3_MAC_GENERAL          0x00000314UL
+#define CKM_CAST3_CBC_PAD              0x00000315UL
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST5_KEY_GEN              0x00000320UL
+#define CKM_CAST128_KEY_GEN            0x00000320UL
+#define CKM_CAST5_ECB                  0x00000321UL
+#define CKM_CAST128_ECB                0x00000321UL
+#define CKM_CAST5_CBC                  0x00000322UL /* Deprecated */
+#define CKM_CAST128_CBC                0x00000322UL
+#define CKM_CAST5_MAC                  0x00000323UL /* Deprecated */
+#define CKM_CAST128_MAC                0x00000323UL
+#define CKM_CAST5_MAC_GENERAL          0x00000324UL /* Deprecated */
+#define CKM_CAST128_MAC_GENERAL        0x00000324UL
+#define CKM_CAST5_CBC_PAD              0x00000325UL /* Deprecated */
+#define CKM_CAST128_CBC_PAD            0x00000325UL
+#define CKM_RC5_KEY_GEN                0x00000330UL
+#define CKM_RC5_ECB                    0x00000331UL
+#define CKM_RC5_CBC                    0x00000332UL
+#define CKM_RC5_MAC                    0x00000333UL
+#define CKM_RC5_MAC_GENERAL            0x00000334UL
+#define CKM_RC5_CBC_PAD                0x00000335UL
+#define CKM_IDEA_KEY_GEN               0x00000340UL
+#define CKM_IDEA_ECB                   0x00000341UL
+#define CKM_IDEA_CBC                   0x00000342UL
+#define CKM_IDEA_MAC                   0x00000343UL
+#define CKM_IDEA_MAC_GENERAL           0x00000344UL
+#define CKM_IDEA_CBC_PAD               0x00000345UL
+#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350UL
+#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360UL
+#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362UL
+#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363UL
+#define CKM_XOR_BASE_AND_DATA          0x00000364UL
+#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365UL
+#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370UL
+#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371UL
+#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372UL
+
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373UL
+#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374UL
+#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375UL
+#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376UL
+#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377UL
+
+#define CKM_TLS_PRF                    0x00000378UL
+
+#define CKM_SSL3_MD5_MAC               0x00000380UL
+#define CKM_SSL3_SHA1_MAC              0x00000381UL
+#define CKM_MD5_KEY_DERIVATION         0x00000390UL
+#define CKM_MD2_KEY_DERIVATION         0x00000391UL
+#define CKM_SHA1_KEY_DERIVATION        0x00000392UL
+
+#define CKM_SHA256_KEY_DERIVATION      0x00000393UL
+#define CKM_SHA384_KEY_DERIVATION      0x00000394UL
+#define CKM_SHA512_KEY_DERIVATION      0x00000395UL
+#define CKM_SHA224_KEY_DERIVATION      0x00000396UL
+
+#define CKM_PBE_MD2_DES_CBC            0x000003A0UL
+#define CKM_PBE_MD5_DES_CBC            0x000003A1UL
+#define CKM_PBE_MD5_CAST_CBC           0x000003A2UL
+#define CKM_PBE_MD5_CAST3_CBC          0x000003A3UL
+#define CKM_PBE_MD5_CAST5_CBC          0x000003A4UL /* Deprecated */
+#define CKM_PBE_MD5_CAST128_CBC        0x000003A4UL
+#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5UL /* Deprecated */
+#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5UL
+#define CKM_PBE_SHA1_RC4_128           0x000003A6UL
+#define CKM_PBE_SHA1_RC4_40            0x000003A7UL
+#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8UL
+#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9UL
+#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AAUL
+#define CKM_PBE_SHA1_RC2_40_CBC        0x000003ABUL
+
+#define CKM_PKCS5_PBKD2                0x000003B0UL
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0UL
+
+#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0UL
+#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1UL
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2UL
+#define CKM_WTLS_PRF                        0x000003D3UL
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4UL
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5UL
+
+#define CKM_TLS10_MAC_SERVER                0x000003D6UL
+#define CKM_TLS10_MAC_CLIENT                0x000003D7UL
+#define CKM_TLS12_MAC                       0x000003D8UL
+#define CKM_TLS12_KDF                       0x000003D9UL
+#define CKM_TLS12_MASTER_KEY_DERIVE         0x000003E0UL
+#define CKM_TLS12_KEY_AND_MAC_DERIVE        0x000003E1UL
+#define CKM_TLS12_MASTER_KEY_DERIVE_DH      0x000003E2UL
+#define CKM_TLS12_KEY_SAFE_DERIVE           0x000003E3UL
+#define CKM_TLS_MAC                         0x000003E4UL
+#define CKM_TLS_KDF                         0x000003E5UL
+
+#define CKM_KEY_WRAP_LYNKS             0x00000400UL
+#define CKM_KEY_WRAP_SET_OAEP          0x00000401UL
+
+#define CKM_CMS_SIG                    0x00000500UL
+#define CKM_KIP_DERIVE                 0x00000510UL
+#define CKM_KIP_WRAP                   0x00000511UL
+#define CKM_KIP_MAC                    0x00000512UL
+
+#define CKM_CAMELLIA_KEY_GEN           0x00000550UL
+#define CKM_CAMELLIA_ECB               0x00000551UL
+#define CKM_CAMELLIA_CBC               0x00000552UL
+#define CKM_CAMELLIA_MAC               0x00000553UL
+#define CKM_CAMELLIA_MAC_GENERAL       0x00000554UL
+#define CKM_CAMELLIA_CBC_PAD           0x00000555UL
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA  0x00000556UL
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA  0x00000557UL
+#define CKM_CAMELLIA_CTR               0x00000558UL
+
+#define CKM_ARIA_KEY_GEN               0x00000560UL
+#define CKM_ARIA_ECB                   0x00000561UL
+#define CKM_ARIA_CBC                   0x00000562UL
+#define CKM_ARIA_MAC                   0x00000563UL
+#define CKM_ARIA_MAC_GENERAL           0x00000564UL
+#define CKM_ARIA_CBC_PAD               0x00000565UL
+#define CKM_ARIA_ECB_ENCRYPT_DATA      0x00000566UL
+#define CKM_ARIA_CBC_ENCRYPT_DATA      0x00000567UL
+
+#define CKM_SEED_KEY_GEN               0x00000650UL
+#define CKM_SEED_ECB                   0x00000651UL
+#define CKM_SEED_CBC                   0x00000652UL
+#define CKM_SEED_MAC                   0x00000653UL
+#define CKM_SEED_MAC_GENERAL           0x00000654UL
+#define CKM_SEED_CBC_PAD               0x00000655UL
+#define CKM_SEED_ECB_ENCRYPT_DATA      0x00000656UL
+#define CKM_SEED_CBC_ENCRYPT_DATA      0x00000657UL
+
+#define CKM_SKIPJACK_KEY_GEN           0x00001000UL
+#define CKM_SKIPJACK_ECB64             0x00001001UL
+#define CKM_SKIPJACK_CBC64             0x00001002UL
+#define CKM_SKIPJACK_OFB64             0x00001003UL
+#define CKM_SKIPJACK_CFB64             0x00001004UL
+#define CKM_SKIPJACK_CFB32             0x00001005UL
+#define CKM_SKIPJACK_CFB16             0x00001006UL
+#define CKM_SKIPJACK_CFB8              0x00001007UL
+#define CKM_SKIPJACK_WRAP              0x00001008UL
+#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009UL
+#define CKM_SKIPJACK_RELAYX            0x0000100aUL
+#define CKM_KEA_KEY_PAIR_GEN           0x00001010UL
+#define CKM_KEA_KEY_DERIVE             0x00001011UL
+#define CKM_KEA_DERIVE                 0x00001012UL
+#define CKM_FORTEZZA_TIMESTAMP         0x00001020UL
+#define CKM_BATON_KEY_GEN              0x00001030UL
+#define CKM_BATON_ECB128               0x00001031UL
+#define CKM_BATON_ECB96                0x00001032UL
+#define CKM_BATON_CBC128               0x00001033UL
+#define CKM_BATON_COUNTER              0x00001034UL
+#define CKM_BATON_SHUFFLE              0x00001035UL
+#define CKM_BATON_WRAP                 0x00001036UL
+
+#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040UL /* Deprecated */
+#define CKM_EC_KEY_PAIR_GEN            0x00001040UL
+
+#define CKM_ECDSA                      0x00001041UL
+#define CKM_ECDSA_SHA1                 0x00001042UL
+#define CKM_ECDSA_SHA224               0x00001043UL
+#define CKM_ECDSA_SHA256               0x00001044UL
+#define CKM_ECDSA_SHA384               0x00001045UL
+#define CKM_ECDSA_SHA512               0x00001046UL
+
+#define CKM_ECDH1_DERIVE               0x00001050UL
+#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051UL
+#define CKM_ECMQV_DERIVE               0x00001052UL
+
+#define CKM_ECDH_AES_KEY_WRAP          0x00001053UL
+#define CKM_RSA_AES_KEY_WRAP           0x00001054UL
+
+#define CKM_JUNIPER_KEY_GEN            0x00001060UL
+#define CKM_JUNIPER_ECB128             0x00001061UL
+#define CKM_JUNIPER_CBC128             0x00001062UL
+#define CKM_JUNIPER_COUNTER            0x00001063UL
+#define CKM_JUNIPER_SHUFFLE            0x00001064UL
+#define CKM_JUNIPER_WRAP               0x00001065UL
+#define CKM_FASTHASH                   0x00001070UL
+
+#define CKM_AES_KEY_GEN                0x00001080UL
+#define CKM_AES_ECB                    0x00001081UL
+#define CKM_AES_CBC                    0x00001082UL
+#define CKM_AES_MAC                    0x00001083UL
+#define CKM_AES_MAC_GENERAL            0x00001084UL
+#define CKM_AES_CBC_PAD                0x00001085UL
+#define CKM_AES_CTR                    0x00001086UL
+#define CKM_AES_GCM                    0x00001087UL
+#define CKM_AES_CCM                    0x00001088UL
+#define CKM_AES_CTS                    0x00001089UL
+#define CKM_AES_CMAC                   0x0000108AUL
+#define CKM_AES_CMAC_GENERAL           0x0000108BUL
+
+#define CKM_AES_XCBC_MAC               0x0000108CUL
+#define CKM_AES_XCBC_MAC_96            0x0000108DUL
+#define CKM_AES_GMAC                   0x0000108EUL
+
+#define CKM_BLOWFISH_KEY_GEN           0x00001090UL
+#define CKM_BLOWFISH_CBC               0x00001091UL
+#define CKM_TWOFISH_KEY_GEN            0x00001092UL
+#define CKM_TWOFISH_CBC                0x00001093UL
+#define CKM_BLOWFISH_CBC_PAD           0x00001094UL
+#define CKM_TWOFISH_CBC_PAD            0x00001095UL
+
+#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100UL
+#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101UL
+#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102UL
+#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103UL
+#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104UL
+#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105UL
+
+#define CKM_GOSTR3410_KEY_PAIR_GEN     0x00001200UL
+#define CKM_GOSTR3410                  0x00001201UL
+#define CKM_GOSTR3410_WITH_GOSTR3411   0x00001202UL
+#define CKM_GOSTR3410_KEY_WRAP         0x00001203UL
+#define CKM_GOSTR3410_DERIVE           0x00001204UL
+#define CKM_GOSTR3411                  0x00001210UL
+#define CKM_GOSTR3411_HMAC             0x00001211UL
+#define CKM_GOST28147_KEY_GEN          0x00001220UL
+#define CKM_GOST28147_ECB              0x00001221UL
+#define CKM_GOST28147                  0x00001222UL
+#define CKM_GOST28147_MAC              0x00001223UL
+#define CKM_GOST28147_KEY_WRAP         0x00001224UL
+
+#define CKM_DSA_PARAMETER_GEN          0x00002000UL
+#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001UL
+#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002UL
+#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN    0x00002003UL
+#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN    0x00002004UL
+
+#define CKM_AES_OFB                    0x00002104UL
+#define CKM_AES_CFB64                  0x00002105UL
+#define CKM_AES_CFB8                   0x00002106UL
+#define CKM_AES_CFB128                 0x00002107UL
+
+#define CKM_AES_CFB1                   0x00002108UL
+#define CKM_AES_KEY_WRAP               0x00002109UL     /* WAS: 0x00001090 */
+#define CKM_AES_KEY_WRAP_PAD           0x0000210AUL     /* WAS: 0x00001091 */
+
+#define CKM_RSA_PKCS_TPM_1_1           0x00004001UL
+#define CKM_RSA_PKCS_OAEP_TPM_1_1      0x00004002UL
+
+#define CKM_VENDOR_DEFINED             0x80000000UL
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM {
+  CK_MECHANISM_TYPE mechanism;
+  CK_VOID_PTR       pParameter;
+  CK_ULONG          ulParameterLen;  /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism
+ */
+typedef struct CK_MECHANISM_INFO {
+    CK_ULONG    ulMinKeySize;
+    CK_ULONG    ulMaxKeySize;
+    CK_FLAGS    flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ *      Bit Flag               Mask          Meaning */
+#define CKF_HW                 0x00000001UL  /* performed by HW */
+
+/* Specify whether or not a mechanism can be used for a particular task */
+#define CKF_ENCRYPT            0x00000100UL
+#define CKF_DECRYPT            0x00000200UL
+#define CKF_DIGEST             0x00000400UL
+#define CKF_SIGN               0x00000800UL
+#define CKF_SIGN_RECOVER       0x00001000UL
+#define CKF_VERIFY             0x00002000UL
+#define CKF_VERIFY_RECOVER     0x00004000UL
+#define CKF_GENERATE           0x00008000UL
+#define CKF_GENERATE_KEY_PAIR  0x00010000UL
+#define CKF_WRAP               0x00020000UL
+#define CKF_UNWRAP             0x00040000UL
+#define CKF_DERIVE             0x00080000UL
+
+/* Describe a token's EC capabilities not available in mechanism
+ * information.
+ */
+#define CKF_EC_F_P             0x00100000UL
+#define CKF_EC_F_2M            0x00200000UL
+#define CKF_EC_ECPARAMETERS    0x00400000UL
+#define CKF_EC_NAMEDCURVE      0x00800000UL
+#define CKF_EC_UNCOMPRESS      0x01000000UL
+#define CKF_EC_COMPRESS        0x02000000UL
+
+#define CKF_EXTENSION          0x80000000UL
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function
+ */
+typedef CK_ULONG          CK_RV;
+
+#define CKR_OK                                0x00000000UL
+#define CKR_CANCEL                            0x00000001UL
+#define CKR_HOST_MEMORY                       0x00000002UL
+#define CKR_SLOT_ID_INVALID                   0x00000003UL
+
+#define CKR_GENERAL_ERROR                     0x00000005UL
+#define CKR_FUNCTION_FAILED                   0x00000006UL
+
+#define CKR_ARGUMENTS_BAD                     0x00000007UL
+#define CKR_NO_EVENT                          0x00000008UL
+#define CKR_NEED_TO_CREATE_THREADS            0x00000009UL
+#define CKR_CANT_LOCK                         0x0000000AUL
+
+#define CKR_ATTRIBUTE_READ_ONLY               0x00000010UL
+#define CKR_ATTRIBUTE_SENSITIVE               0x00000011UL
+#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012UL
+#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013UL
+
+#define CKR_ACTION_PROHIBITED                 0x0000001BUL
+
+#define CKR_DATA_INVALID                      0x00000020UL
+#define CKR_DATA_LEN_RANGE                    0x00000021UL
+#define CKR_DEVICE_ERROR                      0x00000030UL
+#define CKR_DEVICE_MEMORY                     0x00000031UL
+#define CKR_DEVICE_REMOVED                    0x00000032UL
+#define CKR_ENCRYPTED_DATA_INVALID            0x00000040UL
+#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041UL
+#define CKR_FUNCTION_CANCELED                 0x00000050UL
+#define CKR_FUNCTION_NOT_PARALLEL             0x00000051UL
+
+#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054UL
+
+#define CKR_KEY_HANDLE_INVALID                0x00000060UL
+
+#define CKR_KEY_SIZE_RANGE                    0x00000062UL
+#define CKR_KEY_TYPE_INCONSISTENT             0x00000063UL
+
+#define CKR_KEY_NOT_NEEDED                    0x00000064UL
+#define CKR_KEY_CHANGED                       0x00000065UL
+#define CKR_KEY_NEEDED                        0x00000066UL
+#define CKR_KEY_INDIGESTIBLE                  0x00000067UL
+#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068UL
+#define CKR_KEY_NOT_WRAPPABLE                 0x00000069UL
+#define CKR_KEY_UNEXTRACTABLE                 0x0000006AUL
+
+#define CKR_MECHANISM_INVALID                 0x00000070UL
+#define CKR_MECHANISM_PARAM_INVALID           0x00000071UL
+
+#define CKR_OBJECT_HANDLE_INVALID             0x00000082UL
+#define CKR_OPERATION_ACTIVE                  0x00000090UL
+#define CKR_OPERATION_NOT_INITIALIZED         0x00000091UL
+#define CKR_PIN_INCORRECT                     0x000000A0UL
+#define CKR_PIN_INVALID                       0x000000A1UL
+#define CKR_PIN_LEN_RANGE                     0x000000A2UL
+
+#define CKR_PIN_EXPIRED                       0x000000A3UL
+#define CKR_PIN_LOCKED                        0x000000A4UL
+
+#define CKR_SESSION_CLOSED                    0x000000B0UL
+#define CKR_SESSION_COUNT                     0x000000B1UL
+#define CKR_SESSION_HANDLE_INVALID            0x000000B3UL
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4UL
+#define CKR_SESSION_READ_ONLY                 0x000000B5UL
+#define CKR_SESSION_EXISTS                    0x000000B6UL
+
+#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7UL
+#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8UL
+
+#define CKR_SIGNATURE_INVALID                 0x000000C0UL
+#define CKR_SIGNATURE_LEN_RANGE               0x000000C1UL
+#define CKR_TEMPLATE_INCOMPLETE               0x000000D0UL
+#define CKR_TEMPLATE_INCONSISTENT             0x000000D1UL
+#define CKR_TOKEN_NOT_PRESENT                 0x000000E0UL
+#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1UL
+#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2UL
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0UL
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1UL
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2UL
+#define CKR_USER_ALREADY_LOGGED_IN            0x00000100UL
+#define CKR_USER_NOT_LOGGED_IN                0x00000101UL
+#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102UL
+#define CKR_USER_TYPE_INVALID                 0x00000103UL
+
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104UL
+#define CKR_USER_TOO_MANY_TYPES               0x00000105UL
+
+#define CKR_WRAPPED_KEY_INVALID               0x00000110UL
+#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112UL
+#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113UL
+#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114UL
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115UL
+#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120UL
+
+#define CKR_RANDOM_NO_RNG                     0x00000121UL
+
+#define CKR_DOMAIN_PARAMS_INVALID             0x00000130UL
+
+#define CKR_CURVE_NOT_SUPPORTED               0x00000140UL
+
+#define CKR_BUFFER_TOO_SMALL                  0x00000150UL
+#define CKR_SAVED_STATE_INVALID               0x00000160UL
+#define CKR_INFORMATION_SENSITIVE             0x00000170UL
+#define CKR_STATE_UNSAVEABLE                  0x00000180UL
+
+#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190UL
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191UL
+#define CKR_MUTEX_BAD                         0x000001A0UL
+#define CKR_MUTEX_NOT_LOCKED                  0x000001A1UL
+
+#define CKR_NEW_PIN_MODE                      0x000001B0UL
+#define CKR_NEXT_OTP                          0x000001B1UL
+
+#define CKR_EXCEEDED_MAX_ITERATIONS           0x000001B5UL
+#define CKR_FIPS_SELF_TEST_FAILED             0x000001B6UL
+#define CKR_LIBRARY_LOAD_FAILED               0x000001B7UL
+#define CKR_PIN_TOO_WEAK                      0x000001B8UL
+#define CKR_PUBLIC_KEY_INVALID                0x000001B9UL
+
+#define CKR_FUNCTION_REJECTED                 0x00000200UL
+
+#define CKR_VENDOR_DEFINED                    0x80000000UL
+
+/* private extra values */
+#define CKR_LIBRARY_ALREADY_INITIALIZED       0x000000FDUL
+#define CKR_LIBRARY_FAILED_TO_LOAD            0x000000FEUL
+#define CKR_SYMBOL_RESOLUTION_FAILED          0x000000FFUL
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+  CK_SESSION_HANDLE hSession,     /* the session's handle */
+  CK_NOTIFICATION   event,
+  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions
+ */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex
+ */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+  CK_VOID_PTR pMutex  /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize
+ */
+typedef struct CK_C_INITIALIZE_ARGS {
+  CK_CREATEMUTEX CreateMutex;
+  CK_DESTROYMUTEX DestroyMutex;
+  CK_LOCKMUTEX LockMutex;
+  CK_UNLOCKMUTEX UnlockMutex;
+  CK_FLAGS flags;
+  CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ *      Bit Flag                           Mask       Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001UL
+#define CKF_OS_LOCKING_OK                  0x00000002UL
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK     1
+
+/* CK_RSA_PKCS_MGF_TYPE  is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+#define CKG_MGF1_SHA1         0x00000001UL
+#define CKG_MGF1_SHA256       0x00000002UL
+#define CKG_MGF1_SHA384       0x00000003UL
+#define CKG_MGF1_SHA512       0x00000004UL
+#define CKG_MGF1_SHA224       0x00000005UL
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme.
+ */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED    0x00000001UL
+
+/* CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism.
+ */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+        CK_MECHANISM_TYPE hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+        CK_VOID_PTR pSourceData;
+        CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s).
+ */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+        CK_MECHANISM_TYPE    hashAlg;
+        CK_RSA_PKCS_MGF_TYPE mgf;
+        CK_ULONG             sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL                 0x00000001UL
+#define CKD_SHA1_KDF             0x00000002UL
+
+/* The following X9.42 DH key derivation functions are defined */
+#define CKD_SHA1_KDF_ASN1        0x00000003UL
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004UL
+#define CKD_SHA224_KDF           0x00000005UL
+#define CKD_SHA256_KDF           0x00000006UL
+#define CKD_SHA384_KDF           0x00000007UL
+#define CKD_SHA512_KDF           0x00000008UL
+#define CKD_CPDIVERSIFY_KDF      0x00000009UL
+
+
+/* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+/*
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs.
+ */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+  CK_EC_KDF_TYPE kdf;
+  CK_ULONG ulSharedDataLen;
+  CK_BYTE_PTR pSharedData;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms
+ */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair
+ */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs
+ */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+  CK_X9_42_DH_KDF_TYPE kdf;
+  CK_ULONG ulOtherInfoLen;
+  CK_BYTE_PTR pOtherInfo;
+  CK_ULONG ulPublicDataLen;
+  CK_BYTE_PTR pPublicData;
+  CK_ULONG ulPrivateDataLen;
+  CK_OBJECT_HANDLE hPrivateData;
+  CK_ULONG ulPublicDataLen2;
+  CK_BYTE_PTR pPublicData2;
+  CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism
+ */
+typedef struct CK_KEA_DERIVE_PARAMS {
+  CK_BBOOL      isSender;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pRandomB;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
+ * holds the effective keysize
+ */
+typedef CK_ULONG          CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism
+ */
+typedef struct CK_RC2_CBC_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_BYTE       iv[8];            /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
+  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms
+ */
+typedef struct CK_RC5_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism
+ */
+typedef struct CK_RC5_CBC_PARAMS {
+  CK_ULONG      ulWordsize;  /* wordsize in bits */
+  CK_ULONG      ulRounds;    /* number of rounds */
+  CK_BYTE_PTR   pIv;         /* pointer to IV */
+  CK_ULONG      ulIvLen;     /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism
+ */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+  CK_ULONG      ulWordsize;   /* wordsize in bits */
+  CK_ULONG      ulRounds;     /* number of rounds */
+  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+  CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
+ * the MAC
+ */
+typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[8];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+  CK_BYTE      iv[16];
+  CK_BYTE_PTR  pData;
+  CK_ULONG     length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism
+ */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+  CK_ULONG      ulPasswordLen;
+  CK_BYTE_PTR   pPassword;
+  CK_ULONG      ulPublicDataLen;
+  CK_BYTE_PTR   pPublicData;
+  CK_ULONG      ulPAndGLen;
+  CK_ULONG      ulQLen;
+  CK_ULONG      ulRandomLen;
+  CK_BYTE_PTR   pRandomA;
+  CK_BYTE_PTR   pPrimeP;
+  CK_BYTE_PTR   pBaseG;
+  CK_BYTE_PTR   pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+  CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism
+ */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+  CK_ULONG      ulOldWrappedXLen;
+  CK_BYTE_PTR   pOldWrappedX;
+  CK_ULONG      ulOldPasswordLen;
+  CK_BYTE_PTR   pOldPassword;
+  CK_ULONG      ulOldPublicDataLen;
+  CK_BYTE_PTR   pOldPublicData;
+  CK_ULONG      ulOldRandomLen;
+  CK_BYTE_PTR   pOldRandomA;
+  CK_ULONG      ulNewPasswordLen;
+  CK_BYTE_PTR   pNewPassword;
+  CK_ULONG      ulNewPublicDataLen;
+  CK_BYTE_PTR   pNewPublicData;
+  CK_ULONG      ulNewRandomLen;
+  CK_BYTE_PTR   pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+  CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+  CK_BYTE_PTR      pInitVector;
+  CK_UTF8CHAR_PTR  pPassword;
+  CK_ULONG         ulPasswordLen;
+  CK_BYTE_PTR      pSalt;
+  CK_ULONG         ulSaltLen;
+  CK_ULONG         ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism
+ */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+  CK_BYTE       bBC;     /* block contents byte */
+  CK_BYTE_PTR   pX;      /* extra data */
+  CK_ULONG      ulXLen;  /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+typedef struct CK_SSL3_RANDOM_DATA {
+  CK_BYTE_PTR  pClientRandom;
+  CK_ULONG     ulClientRandomLen;
+  CK_BYTE_PTR  pServerRandom;
+  CK_ULONG     ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+  CK_SSL3_RANDOM_DATA RandomInfo;
+  CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hClientMacSecret;
+  CK_OBJECT_HANDLE hServerMacSecret;
+  CK_OBJECT_HANDLE hClientKey;
+  CK_OBJECT_HANDLE hServerKey;
+  CK_BYTE_PTR      pIVClient;
+  CK_BYTE_PTR      pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_BBOOL                bIsExport;
+  CK_SSL3_RANDOM_DATA     RandomInfo;
+  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_PRF_PARAMS {
+  CK_BYTE_PTR  pSeed;
+  CK_ULONG     ulSeedLen;
+  CK_BYTE_PTR  pLabel;
+  CK_ULONG     ulLabelLen;
+  CK_BYTE_PTR  pOutput;
+  CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_RANDOM_DATA {
+  CK_BYTE_PTR pClientRandom;
+  CK_ULONG    ulClientRandomLen;
+  CK_BYTE_PTR pServerRandom;
+  CK_ULONG    ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+  CK_MECHANISM_TYPE   DigestMechanism;
+  CK_WTLS_RANDOM_DATA RandomInfo;
+  CK_BYTE_PTR         pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+  CK_MECHANISM_TYPE DigestMechanism;
+  CK_BYTE_PTR       pSeed;
+  CK_ULONG          ulSeedLen;
+  CK_BYTE_PTR       pLabel;
+  CK_ULONG          ulLabelLen;
+  CK_BYTE_PTR       pOutput;
+  CK_ULONG_PTR      pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+  CK_OBJECT_HANDLE hMacSecret;
+  CK_OBJECT_HANDLE hKey;
+  CK_BYTE_PTR      pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+  CK_MECHANISM_TYPE       DigestMechanism;
+  CK_ULONG                ulMacSizeInBits;
+  CK_ULONG                ulKeySizeInBits;
+  CK_ULONG                ulIVSizeInBits;
+  CK_ULONG                ulSequenceNumber;
+  CK_BBOOL                bIsExport;
+  CK_WTLS_RANDOM_DATA     RandomInfo;
+  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_CMS_SIG_PARAMS {
+  CK_OBJECT_HANDLE      certificateHandle;
+  CK_MECHANISM_PTR      pSigningMechanism;
+  CK_MECHANISM_PTR      pDigestMechanism;
+  CK_UTF8CHAR_PTR       pContentType;
+  CK_BYTE_PTR           pRequestedAttributes;
+  CK_ULONG              ulRequestedAttributesLen;
+  CK_BYTE_PTR           pRequiredAttributes;
+  CK_ULONG              ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+  CK_BYTE_PTR pData;
+  CK_ULONG    ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+  CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key
+ */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR \
+                        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+#define CKP_PKCS5_PBKD2_HMAC_SHA1          0x00000001UL
+#define CKP_PKCS5_PBKD2_HMAC_GOSTR3411     0x00000002UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA224        0x00000003UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA256        0x00000004UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA384        0x00000005UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512        0x00000006UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_224    0x00000007UL
+#define CKP_PKCS5_PBKD2_HMAC_SHA512_256    0x00000008UL
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2.
+ */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR \
+                        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED        0x00000001UL
+
+/* CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
+        CK_VOID_PTR                                pSaltSourceData;
+        CK_ULONG                                   ulSaltSourceDataLen;
+        CK_ULONG                                   iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR                                pPrfData;
+        CK_ULONG                                   ulPrfDataLen;
+        CK_UTF8CHAR_PTR                            pPassword;
+        CK_ULONG_PTR                               ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PARAMS2 is a corrected version of the CK_PKCS5_PBKD2_PARAMS
+ * structure that provides the parameters to the CKM_PKCS5_PBKD2 mechanism
+ * noting that the ulPasswordLen field is a CK_ULONG and not a CK_ULONG_PTR.
+ */
+typedef struct CK_PKCS5_PBKD2_PARAMS2 {
+        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+        CK_VOID_PTR pSaltSourceData;
+        CK_ULONG ulSaltSourceDataLen;
+        CK_ULONG iterations;
+        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+        CK_VOID_PTR pPrfData;
+        CK_ULONG ulPrfDataLen;
+        CK_UTF8CHAR_PTR pPassword;
+        CK_ULONG ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS2;
+
+typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* backward compatibility */
+
+typedef struct CK_OTP_PARAM {
+    CK_OTP_PARAM_TYPE type;
+    CK_VOID_PTR pValue;
+    CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+    CK_OTP_PARAM_PTR pParams;
+    CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+#define CK_OTP_VALUE          0UL
+#define CK_OTP_PIN            1UL
+#define CK_OTP_CHALLENGE      2UL
+#define CK_OTP_TIME           3UL
+#define CK_OTP_COUNTER        4UL
+#define CK_OTP_FLAGS          5UL
+#define CK_OTP_OUTPUT_LENGTH  6UL
+#define CK_OTP_OUTPUT_FORMAT  7UL
+
+#define CKF_NEXT_OTP          0x00000001UL
+#define CKF_EXCLUDE_TIME      0x00000002UL
+#define CKF_EXCLUDE_COUNTER   0x00000004UL
+#define CKF_EXCLUDE_CHALLENGE 0x00000008UL
+#define CKF_EXCLUDE_PIN       0x00000010UL
+#define CKF_USER_FRIENDLY_OTP 0x00000020UL
+
+typedef struct CK_KIP_PARAMS {
+    CK_MECHANISM_PTR  pMechanism;
+    CK_OBJECT_HANDLE  hKey;
+    CK_BYTE_PTR       pSeed;
+    CK_ULONG          ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+typedef struct CK_AES_CTR_PARAMS {
+    CK_ULONG ulCounterBits;
+    CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+typedef struct CK_GCM_PARAMS {
+    CK_BYTE_PTR       pIv;
+    CK_ULONG          ulIvLen;
+    CK_ULONG          ulIvBits;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulTagBits;
+} CK_GCM_PARAMS;
+
+typedef CK_GCM_PARAMS CK_PTR CK_GCM_PARAMS_PTR;
+
+typedef struct CK_CCM_PARAMS {
+    CK_ULONG          ulDataLen;
+    CK_BYTE_PTR       pNonce;
+    CK_ULONG          ulNonceLen;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulMACLen;
+} CK_CCM_PARAMS;
+
+typedef CK_CCM_PARAMS CK_PTR CK_CCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_GCM_PARAMS */
+typedef struct CK_AES_GCM_PARAMS {
+  CK_BYTE_PTR pIv;
+  CK_ULONG ulIvLen;
+  CK_ULONG ulIvBits;
+  CK_BYTE_PTR pAAD;
+  CK_ULONG ulAADLen;
+  CK_ULONG ulTagBits;
+} CK_AES_GCM_PARAMS;
+
+typedef CK_AES_GCM_PARAMS CK_PTR CK_AES_GCM_PARAMS_PTR;
+
+/* Deprecated. Use CK_CCM_PARAMS */
+typedef struct CK_AES_CCM_PARAMS {
+    CK_ULONG          ulDataLen;
+    CK_BYTE_PTR       pNonce;
+    CK_ULONG          ulNonceLen;
+    CK_BYTE_PTR       pAAD;
+    CK_ULONG          ulAADLen;
+    CK_ULONG          ulMACLen;
+} CK_AES_CCM_PARAMS;
+
+typedef CK_AES_CCM_PARAMS CK_PTR CK_AES_CCM_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+    CK_ULONG          ulCounterBits;
+    CK_BYTE           cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE           iv[16];
+    CK_BYTE_PTR       pData;
+    CK_ULONG          length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE           iv[16];
+    CK_BYTE_PTR       pData;
+    CK_ULONG          length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_DSA_PARAMETER_GEN_PARAM {
+    CK_MECHANISM_TYPE  hash;
+    CK_BYTE_PTR        pSeed;
+    CK_ULONG           ulSeedLen;
+    CK_ULONG           ulIndex;
+} CK_DSA_PARAMETER_GEN_PARAM;
+
+typedef CK_DSA_PARAMETER_GEN_PARAM CK_PTR CK_DSA_PARAMETER_GEN_PARAM_PTR;
+
+typedef struct CK_ECDH_AES_KEY_WRAP_PARAMS {
+    CK_ULONG           ulAESKeyBits;
+    CK_EC_KDF_TYPE     kdf;
+    CK_ULONG           ulSharedDataLen;
+    CK_BYTE_PTR        pSharedData;
+} CK_ECDH_AES_KEY_WRAP_PARAMS;
+
+typedef CK_ECDH_AES_KEY_WRAP_PARAMS CK_PTR CK_ECDH_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
+
+typedef CK_ULONG CK_CERTIFICATE_CATEGORY;
+
+typedef struct CK_RSA_AES_KEY_WRAP_PARAMS {
+    CK_ULONG                      ulAESKeyBits;
+    CK_RSA_PKCS_OAEP_PARAMS_PTR   pOAEPParams;
+} CK_RSA_AES_KEY_WRAP_PARAMS;
+
+typedef CK_RSA_AES_KEY_WRAP_PARAMS CK_PTR CK_RSA_AES_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_TLS12_MASTER_KEY_DERIVE_PARAMS {
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_VERSION_PTR            pVersion;
+    CK_MECHANISM_TYPE         prfHashMechanism;
+} CK_TLS12_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_TLS12_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+                                CK_TLS12_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_TLS12_KEY_MAT_PARAMS {
+    CK_ULONG                  ulMacSizeInBits;
+    CK_ULONG                  ulKeySizeInBits;
+    CK_ULONG                  ulIVSizeInBits;
+    CK_BBOOL                  bIsExport;
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_SSL3_KEY_MAT_OUT_PTR   pReturnedKeyMaterial;
+    CK_MECHANISM_TYPE         prfHashMechanism;
+} CK_TLS12_KEY_MAT_PARAMS;
+
+typedef CK_TLS12_KEY_MAT_PARAMS CK_PTR CK_TLS12_KEY_MAT_PARAMS_PTR;
+
+typedef struct CK_TLS_KDF_PARAMS {
+    CK_MECHANISM_TYPE         prfMechanism;
+    CK_BYTE_PTR               pLabel;
+    CK_ULONG                  ulLabelLength;
+    CK_SSL3_RANDOM_DATA       RandomInfo;
+    CK_BYTE_PTR               pContextData;
+    CK_ULONG                  ulContextDataLength;
+} CK_TLS_KDF_PARAMS;
+
+typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
+
+typedef struct CK_TLS_MAC_PARAMS {
+    CK_MECHANISM_TYPE         prfHashMechanism;
+    CK_ULONG                  ulMacLength;
+    CK_ULONG                  ulServerOrClient;
+} CK_TLS_MAC_PARAMS;
+
+typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_DERIVE_PARAMS {
+    CK_EC_KDF_TYPE            kdf;
+    CK_BYTE_PTR               pPublicData;
+    CK_ULONG                  ulPublicDataLen;
+    CK_BYTE_PTR               pUKM;
+    CK_ULONG                  ulUKMLen;
+} CK_GOSTR3410_DERIVE_PARAMS;
+
+typedef CK_GOSTR3410_DERIVE_PARAMS CK_PTR CK_GOSTR3410_DERIVE_PARAMS_PTR;
+
+typedef struct CK_GOSTR3410_KEY_WRAP_PARAMS {
+    CK_BYTE_PTR               pWrapOID;
+    CK_ULONG                  ulWrapOIDLen;
+    CK_BYTE_PTR               pUKM;
+    CK_ULONG                  ulUKMLen;
+    CK_OBJECT_HANDLE          hKey;
+} CK_GOSTR3410_KEY_WRAP_PARAMS;
+
+typedef CK_GOSTR3410_KEY_WRAP_PARAMS CK_PTR CK_GOSTR3410_KEY_WRAP_PARAMS_PTR;
+
+typedef struct CK_SEED_CBC_ENCRYPT_DATA_PARAMS {
+    CK_BYTE                   iv[16];
+    CK_BYTE_PTR               pData;
+    CK_ULONG                  length;
+} CK_SEED_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_SEED_CBC_ENCRYPT_DATA_PARAMS CK_PTR \
+                                        CK_SEED_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#endif /* _PKCS11T_H_ */
+
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
new file mode 100644
index 0000000..aa54667
--- /dev/null
+++ b/lib/isc/inet_aton.c
@@ -0,0 +1,187 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1983, 1990, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+/*! \file */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
+static char rcsid[] = "$Id: inet_aton.c,v 1.23 2008/12/01 23:47:45 tbox Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stddef.h>		/* Required for NULL. */
+
+#include <isc/types.h>
+#include <isc/net.h>
+
+/*%
+ * Check whether "cp" is a valid ascii representation
+ * of an Internet address and convert to a binary address.
+ * Returns 1 if the address is valid, 0 if not.
+ * This replaces inet_addr, the return value from which
+ * cannot distinguish between failure and a local broadcast address.
+ */
+int
+isc_net_aton(const char *cp, struct in_addr *addr) {
+	uint32_t val;
+	int base;
+	ptrdiff_t n;
+	unsigned char c;
+	uint32_t parts[4];
+	uint32_t *pp = parts;
+	int digit;
+
+	c = *cp;
+	for (;;) {
+		/*
+		 * Collect number up to ``.''.
+		 * Values are specified as for C:
+		 * 0x=hex, 0=octal, isdigit=decimal.
+		 */
+		if (!isdigit(c & 0xff))
+			return (0);
+		val = 0; base = 10; digit = 0;
+		if (c == '0') {
+			c = *++cp;
+			if (c == 'x' || c == 'X')
+				base = 16, c = *++cp;
+			else {
+				base = 8;
+				digit = 1;
+			}
+		}
+		for (;;) {
+			/*
+			 * isascii() is valid for all integer values, and
+			 * when it is true, c is known to be in scope
+			 * for isdigit().  No cast necessary.  Similar
+			 * comment applies for later ctype uses.
+			 */
+			if (isascii(c) && isdigit(c)) {
+				if (base == 8 && (c == '8' || c == '9'))
+					return (0);
+				val = (val * base) + (c - '0');
+				c = *++cp;
+				digit = 1;
+			} else if (base == 16 && isascii(c) && isxdigit(c)) {
+				val = (val << 4) |
+					(c + 10 - (islower(c) ? 'a' : 'A'));
+				c = *++cp;
+				digit = 1;
+			} else
+				break;
+		}
+		if (c == '.') {
+			/*
+			 * Internet format:
+			 *	a.b.c.d
+			 *	a.b.c	(with c treated as 16 bits)
+			 *	a.b	(with b treated as 24 bits)
+			 */
+			if (pp >= parts + 3 || val > 0xffU)
+				return (0);
+			*pp++ = val;
+			c = *++cp;
+		} else
+			break;
+	}
+	/*
+	 * Check for trailing characters.
+	 */
+	if (c != '\0' && (!isascii(c) || !isspace(c)))
+		return (0);
+	/*
+	 * Did we get a valid digit?
+	 */
+	if (!digit)
+		return (0);
+	/*
+	 * Concoct the address according to
+	 * the number of parts specified.
+	 */
+	n = pp - parts + 1;
+	switch (n) {
+	case 1:				/* a -- 32 bits */
+		break;
+
+	case 2:				/* a.b -- 8.24 bits */
+		if (val > 0xffffffU)
+			return (0);
+		val |= parts[0] << 24;
+		break;
+
+	case 3:				/* a.b.c -- 8.8.16 bits */
+		if (val > 0xffffU)
+			return (0);
+		val |= (parts[0] << 24) | (parts[1] << 16);
+		break;
+
+	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
+		if (val > 0xffU)
+			return (0);
+		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+		break;
+	}
+	if (addr != NULL)
+		addr->s_addr = htonl(val);
+
+	return (1);
+}
diff --git a/lib/isc/inet_ntop.c b/lib/isc/inet_ntop.c
new file mode 100644
index 0000000..fb06f85
--- /dev/null
+++ b/lib/isc/inet_ntop.c
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define NS_INT16SZ	 2
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static const char *inet_ntop4(const unsigned char *src, char *dst,
+			      size_t size);
+
+#ifdef AF_INET6
+static const char *inet_ntop6(const unsigned char *src, char *dst,
+			      size_t size);
+#endif
+
+/*! char *
+ * isc_net_ntop(af, src, dst, size)
+ *	convert a network format address to presentation format.
+ * \return
+ *	pointer to presentation format address (`dst'), or NULL (see errno).
+ * \author
+ *	Paul Vixie, 1996.
+ */
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size)
+{
+	switch (af) {
+	case AF_INET:
+		return (inet_ntop4(src, dst, size));
+#ifdef AF_INET6
+	case AF_INET6:
+		return (inet_ntop6(src, dst, size));
+#endif
+	default:
+		errno = EAFNOSUPPORT;
+		return (NULL);
+	}
+	/* NOTREACHED */
+}
+
+/*! const char *
+ * inet_ntop4(src, dst, size)
+ *	format an IPv4 address
+ * \return
+ *	`dst' (as a const)
+ * \note
+ *	(1) uses no statics
+ * \note
+ *	(2) takes a unsigned char* not an in_addr as input
+ * \author
+ *	Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop4(const unsigned char *src, char *dst, size_t size)
+{
+	static const char *fmt = "%u.%u.%u.%u";
+	char tmp[sizeof("255.255.255.255")];
+	int n;
+
+
+	n = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+	if (n < 0 || (size_t)n >= size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	strlcpy(dst, tmp, size);
+
+	return (dst);
+}
+
+/*! const char *
+ * isc_inet_ntop6(src, dst, size)
+ *	convert IPv6 binary address into presentation (printable) format
+ * \author
+ *	Paul Vixie, 1996.
+ */
+#ifdef AF_INET6
+static const char *
+inet_ntop6(const unsigned char *src, char *dst, size_t size)
+{
+	/*
+	 * Note that int32_t and int16_t need only be "at least" large enough
+	 * to contain a value of the specified size.  On some systems, like
+	 * Crays, there is no such thing as an integer variable with 16 bits.
+	 * Keep this in mind if you think this function should have been coded
+	 * to use pointer overlays.  All the world's not a VAX.
+	 */
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
+	struct { int base, len; } best, cur;
+	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
+	int i;
+
+	/*
+	 * Preprocess:
+	 *	Copy the input (bytewise) array into a wordwise array.
+	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
+	 */
+	memset(words, '\0', sizeof(words));
+	for (i = 0; i < NS_IN6ADDRSZ; i++)
+		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+	best.base = -1;
+	best.len = 0;	/* silence compiler */
+	cur.base = -1;
+	cur.len = 0;	/* silence compiler */
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		if (words[i] == 0) {
+			if (cur.base == -1)
+				cur.base = i, cur.len = 1;
+			else
+				cur.len++;
+		} else {
+			if (cur.base != -1) {
+				if (best.base == -1 || cur.len > best.len)
+					best = cur;
+				cur.base = -1;
+			}
+		}
+	}
+	if (cur.base != -1) {
+		if (best.base == -1 || cur.len > best.len)
+			best = cur;
+	}
+	if (best.base != -1 && best.len < 2)
+		best.base = -1;
+
+	/*
+	 * Format the result.
+	 */
+	tp = tmp;
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		/* Are we inside the best run of 0x00's? */
+		if (best.base != -1 && i >= best.base &&
+		    i < (best.base + best.len)) {
+			if (i == best.base)
+				*tp++ = ':';
+			continue;
+		}
+		/* Are we following an initial run of 0x00s or any real hex? */
+		if (i != 0)
+			*tp++ = ':';
+		/* Is this address an encapsulated IPv4? */
+		if (i == 6 && best.base == 0 && (best.len == 6 ||
+		    (best.len == 7 && words[7] != 0x0001) ||
+		    (best.len == 5 && words[5] == 0xffff))) {
+			if (!inet_ntop4(src+12, tp,
+					sizeof(tmp) - (tp - tmp)))
+				return (NULL);
+			tp += strlen(tp);
+			break;
+		}
+		INSIST((size_t)(tp - tmp) < sizeof(tmp));
+		tp += snprintf(tp, sizeof(tmp) - (tp - tmp), "%x", words[i]);
+	}
+	/* Was it a trailing run of 0x00's? */
+	if (best.base != -1 && (best.base + best.len) ==
+	    (NS_IN6ADDRSZ / NS_INT16SZ))
+		*tp++ = ':';
+	*tp++ = '\0';
+
+	/*
+	 * Check for overflow, copy, and we're done.
+	 */
+	if ((size_t)(tp - tmp) > size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	strlcpy(dst, tmp, size);
+	return (dst);
+}
+#endif /* AF_INET6 */
diff --git a/lib/isc/inet_pton.c b/lib/isc/inet_pton.c
new file mode 100644
index 0000000..bde88e3
--- /dev/null
+++ b/lib/isc/inet_pton.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include <isc/net.h>
+
+/*% INT16 Size */
+#define NS_INT16SZ	 2
+/*% IPv4 Address Size */
+#define NS_INADDRSZ	 4
+/*% IPv6 Address Size */
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4(const char *src, unsigned char *dst);
+static int inet_pton6(const char *src, unsigned char *dst);
+
+/*%
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * \return
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * \author
+ *	Paul Vixie, 1996.
+ */
+int
+isc_net_pton(int af, const char *src, void *dst) {
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/*!\fn static int inet_pton4(const char *src, unsigned char *dst)
+ * \brief
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * \return
+ *	1 if `src' is a valid dotted quad, else 0.
+ * \note
+ *	does not touch `dst' unless it's returning 1.
+ * \author
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, unsigned char *dst) {
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	unsigned char tmp[NS_INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			unsigned int byte = *tp * 10;
+
+			byte += (int)(pch - digits);
+			if (saw_digit && *tp == 0)
+				return (0);
+			if (byte > 255)
+				return (0);
+			*tp = byte;
+			if (!saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			*++tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+	memmove(dst, tmp, NS_INADDRSZ);
+	return (1);
+}
+
+/*%
+ *	convert presentation level address to network order binary form.
+ * \return
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * \note
+ *	(1) does not touch `dst' unless it's returning 1.
+ * \note
+ *	(2) :: in a full address is silently ignored.
+ * \author
+ *	inspired by Mark Andrews.
+ * \author
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, unsigned char *dst) {
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, seen_xdigits;
+	unsigned int val;
+
+	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+	endp = tp + NS_IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	seen_xdigits = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (++seen_xdigits > 4)
+				return (0);
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!seen_xdigits) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			}
+			if (tp + NS_INT16SZ > endp)
+				return (0);
+			*tp++ = (unsigned char) (val >> 8) & 0xff;
+			*tp++ = (unsigned char) val & 0xff;
+			seen_xdigits = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += NS_INADDRSZ;
+			seen_xdigits = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (seen_xdigits) {
+		if (tp + NS_INT16SZ > endp)
+			return (0);
+		*tp++ = (unsigned char) (val >> 8) & 0xff;
+		*tp++ = (unsigned char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = (int)(tp - colonp);
+		int i;
+
+		if (tp == endp)
+			return (0);
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memmove(dst, tmp, NS_IN6ADDRSZ);
+	return (1);
+}
diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
new file mode 100644
index 0000000..cf4e67f
--- /dev/null
+++ b/lib/isc/iterated_hash.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include "config.h"
+
+#include <stdio.h>
+
+#include <isc/sha1.h>
+#include <isc/iterated_hash.h>
+
+int
+isc_iterated_hash(unsigned char out[ISC_SHA1_DIGESTLENGTH],
+		  unsigned int hashalg, int iterations,
+		  const unsigned char *salt, int saltlength,
+		  const unsigned char *in, int inlength)
+{
+	isc_sha1_t ctx;
+	int n = 0;
+
+	if (hashalg != 1)
+		return (0);
+
+	do {
+		isc_sha1_init(&ctx);
+		isc_sha1_update(&ctx, in, inlength);
+		isc_sha1_update(&ctx, salt, saltlength);
+		isc_sha1_final(&ctx, out);
+		in = out;
+		inlength = ISC_SHA1_DIGESTLENGTH;
+	} while (n++ < iterations);
+
+	return (ISC_SHA1_DIGESTLENGTH);
+}
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
new file mode 100644
index 0000000..a8955bc
--- /dev/null
+++ b/lib/isc/lex.c
@@ -0,0 +1,1051 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+typedef struct inputsource {
+	isc_result_t			result;
+	bool			is_file;
+	bool			need_close;
+	bool			at_eof;
+	bool			last_was_eol;
+	isc_buffer_t *			pushback;
+	unsigned int			ignored;
+	void *				input;
+	char *				name;
+	unsigned long			line;
+	unsigned long			saved_line;
+	ISC_LINK(struct inputsource)	link;
+} inputsource;
+
+#define LEX_MAGIC			ISC_MAGIC('L', 'e', 'x', '!')
+#define VALID_LEX(l)			ISC_MAGIC_VALID(l, LEX_MAGIC)
+
+struct isc_lex {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	size_t				max_token;
+	char *				data;
+	unsigned int			comments;
+	bool			comment_ok;
+	bool			last_was_eol;
+	unsigned int			brace_count;
+	unsigned int			paren_count;
+	unsigned int			saved_paren_count;
+	isc_lexspecials_t		specials;
+	LIST(struct inputsource)	sources;
+};
+
+static inline isc_result_t
+grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
+	char *tmp;
+
+	tmp = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
+	if (tmp == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(tmp, lex->data, lex->max_token + 1);
+	*currp = tmp + (*currp - lex->data);
+	if (*prevp != NULL)
+		*prevp = tmp + (*prevp - lex->data);
+	isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+	lex->data = tmp;
+	*remainingp += lex->max_token;
+	lex->max_token *= 2;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
+	isc_lex_t *lex;
+
+	/*
+	 * Create a lexer.
+	 */
+	REQUIRE(lexp != NULL && *lexp == NULL);
+
+	if (max_token == 0U)
+		max_token = 1;
+
+	lex = isc_mem_get(mctx, sizeof(*lex));
+	if (lex == NULL)
+		return (ISC_R_NOMEMORY);
+	lex->data = isc_mem_get(mctx, max_token + 1);
+	if (lex->data == NULL) {
+		isc_mem_put(mctx, lex, sizeof(*lex));
+		return (ISC_R_NOMEMORY);
+	}
+	lex->mctx = mctx;
+	lex->max_token = max_token;
+	lex->comments = 0;
+	lex->comment_ok = true;
+	lex->last_was_eol = true;
+	lex->brace_count = 0;
+	lex->paren_count = 0;
+	lex->saved_paren_count = 0;
+	memset(lex->specials, 0, 256);
+	INIT_LIST(lex->sources);
+	lex->magic = LEX_MAGIC;
+
+	*lexp = lex;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_destroy(isc_lex_t **lexp) {
+	isc_lex_t *lex;
+
+	/*
+	 * Destroy the lexer.
+	 */
+
+	REQUIRE(lexp != NULL);
+	lex = *lexp;
+	REQUIRE(VALID_LEX(lex));
+
+	while (!EMPTY(lex->sources))
+		RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
+	if (lex->data != NULL)
+		isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+	lex->magic = 0;
+	isc_mem_put(lex->mctx, lex, sizeof(*lex));
+
+	*lexp = NULL;
+}
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex) {
+	/*
+	 * Return the current lexer commenting styles.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	return (lex->comments);
+}
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments) {
+	/*
+	 * Set allowed lexer commenting styles.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	lex->comments = comments;
+}
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+	/*
+	 * Put the current list of specials into 'specials'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	memmove(specials, lex->specials, 256);
+}
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+	/*
+	 * The characters in 'specials' are returned as tokens.  Along with
+	 * whitespace, they delimit strings and numbers.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	memmove(lex->specials, specials, 256);
+}
+
+static inline isc_result_t
+new_source(isc_lex_t *lex, bool is_file, bool need_close,
+	   void *input, const char *name)
+{
+	inputsource *source;
+	isc_result_t result;
+
+	source = isc_mem_get(lex->mctx, sizeof(*source));
+	if (source == NULL)
+		return (ISC_R_NOMEMORY);
+	source->result = ISC_R_SUCCESS;
+	source->is_file = is_file;
+	source->need_close = need_close;
+	source->at_eof = false;
+	source->last_was_eol = lex->last_was_eol;
+	source->input = input;
+	source->name = isc_mem_strdup(lex->mctx, name);
+	if (source->name == NULL) {
+		isc_mem_put(lex->mctx, source, sizeof(*source));
+		return (ISC_R_NOMEMORY);
+	}
+	source->pushback = NULL;
+	result = isc_buffer_allocate(lex->mctx, &source->pushback,
+				     (unsigned int)lex->max_token);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_free(lex->mctx, source->name);
+		isc_mem_put(lex->mctx, source, sizeof(*source));
+		return (result);
+	}
+	source->ignored = 0;
+	source->line = 1;
+	ISC_LIST_INITANDPREPEND(lex->sources, source, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename) {
+	isc_result_t result;
+	FILE *stream = NULL;
+
+	/*
+	 * Open 'filename' and make it the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	result = isc_stdio_open(filename, "r", &stream);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = new_source(lex, true, true, stream, filename);
+	if (result != ISC_R_SUCCESS)
+		(void)fclose(stream);
+	return (result);
+}
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
+	char name[128];
+
+	/*
+	 * Make 'stream' the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	snprintf(name, sizeof(name), "stream-%p", stream);
+
+	return (new_source(lex, true, false, stream, name));
+}
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
+	char name[128];
+
+	/*
+	 * Make 'buffer' the current input source for 'lex'.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	snprintf(name, sizeof(name), "buffer-%p", buffer);
+
+	return (new_source(lex, false, false, buffer, name));
+}
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex) {
+	inputsource *source;
+
+	/*
+	 * Close the most recently opened object (i.e. file or buffer).
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+
+	source = HEAD(lex->sources);
+	if (source == NULL)
+		return (ISC_R_NOMORE);
+
+	ISC_LIST_UNLINK(lex->sources, source, link);
+	lex->last_was_eol = source->last_was_eol;
+	if (source->is_file) {
+		if (source->need_close)
+			(void)fclose((FILE *)(source->input));
+	}
+	isc_mem_free(lex->mctx, source->name);
+	isc_buffer_free(&source->pushback);
+	isc_mem_put(lex->mctx, source, sizeof(*source));
+
+	return (ISC_R_SUCCESS);
+}
+
+typedef enum {
+	lexstate_start,
+	lexstate_crlf,
+	lexstate_string,
+	lexstate_number,
+	lexstate_maybecomment,
+	lexstate_ccomment,
+	lexstate_ccommentend,
+	lexstate_eatline,
+	lexstate_qstring,
+	lexstate_btext
+} lexstate;
+
+#define IWSEOL (ISC_LEXOPT_INITIALWS | ISC_LEXOPT_EOL)
+
+static void
+pushback(inputsource *source, int c) {
+	REQUIRE(source->pushback->current > 0);
+	if (c == EOF) {
+		source->at_eof = false;
+		return;
+	}
+	source->pushback->current--;
+	if (c == '\n')
+		source->line--;
+}
+
+static isc_result_t
+pushandgrow(isc_lex_t *lex, inputsource *source, int c) {
+	if (isc_buffer_availablelength(source->pushback) == 0) {
+		isc_buffer_t *tbuf = NULL;
+		unsigned int oldlen;
+		isc_region_t used;
+		isc_result_t result;
+
+		oldlen = isc_buffer_length(source->pushback);
+		result = isc_buffer_allocate(lex->mctx, &tbuf, oldlen * 2);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		isc_buffer_usedregion(source->pushback, &used);
+		result = isc_buffer_copyregion(tbuf, &used);
+		INSIST(result == ISC_R_SUCCESS);
+		tbuf->current = source->pushback->current;
+		isc_buffer_free(&source->pushback);
+		source->pushback = tbuf;
+	}
+	isc_buffer_putuint8(source->pushback, (uint8_t)c);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+	inputsource *source;
+	int c;
+	bool done = false;
+	bool no_comments = false;
+	bool escaped = false;
+	lexstate state = lexstate_start;
+	lexstate saved_state = lexstate_start;
+	isc_buffer_t *buffer;
+	FILE *stream;
+	char *curr, *prev;
+	size_t remaining;
+	uint32_t as_ulong;
+	unsigned int saved_options;
+	isc_result_t result;
+
+	/*
+	 * Get the next token.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(tokenp != NULL);
+
+	if (source == NULL) {
+		if ((options & ISC_LEXOPT_NOMORE) != 0) {
+			tokenp->type = isc_tokentype_nomore;
+			return (ISC_R_SUCCESS);
+		}
+		return (ISC_R_NOMORE);
+	}
+
+	if (source->result != ISC_R_SUCCESS)
+		return (source->result);
+
+	lex->saved_paren_count = lex->paren_count;
+	source->saved_line = source->line;
+
+	if (isc_buffer_remaininglength(source->pushback) == 0 &&
+	    source->at_eof)
+	{
+		if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+		    lex->paren_count != 0)
+		{
+			lex->paren_count = 0;
+			return (ISC_R_UNBALANCED);
+		}
+		if ((options & ISC_LEXOPT_BTEXT) != 0 &&
+		    lex->brace_count != 0)
+		{
+			lex->brace_count = 0;
+			return (ISC_R_UNBALANCED);
+		}
+		if ((options & ISC_LEXOPT_EOF) != 0) {
+			tokenp->type = isc_tokentype_eof;
+			return (ISC_R_SUCCESS);
+		}
+		return (ISC_R_EOF);
+	}
+
+	isc_buffer_compact(source->pushback);
+
+	saved_options = options;
+	if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 && lex->paren_count > 0)
+		options &= ~IWSEOL;
+
+	curr = lex->data;
+	*curr = '\0';
+
+	prev = NULL;
+	remaining = lex->max_token;
+
+#ifdef HAVE_FLOCKFILE
+	if (source->is_file)
+		flockfile(source->input);
+#endif
+
+	do {
+		if (isc_buffer_remaininglength(source->pushback) == 0) {
+			if (source->is_file) {
+				stream = source->input;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
+				c = getc_unlocked(stream);
+#else
+				c = getc(stream);
+#endif
+				if (c == EOF) {
+					if (ferror(stream)) {
+						source->result = ISC_R_IOERROR;
+						result = source->result;
+						goto done;
+					}
+					source->at_eof = true;
+				}
+			} else {
+				buffer = source->input;
+
+				if (buffer->current == buffer->used) {
+					c = EOF;
+					source->at_eof = true;
+				} else {
+					c = *((unsigned char *)buffer->base +
+					      buffer->current);
+					buffer->current++;
+				}
+			}
+			if (c != EOF) {
+				source->result = pushandgrow(lex, source, c);
+				if (source->result != ISC_R_SUCCESS) {
+					result = source->result;
+					goto done;
+				}
+			}
+		}
+
+		if (!source->at_eof) {
+			if (state == lexstate_start)
+				/* Token has not started yet. */
+				source->ignored =
+				   isc_buffer_consumedlength(source->pushback);
+			c = isc_buffer_getuint8(source->pushback);
+		} else {
+			c = EOF;
+		}
+
+		if (c == '\n')
+			source->line++;
+
+		if (lex->comment_ok && !no_comments) {
+			if (!escaped && c == ';' &&
+			    ((lex->comments & ISC_LEXCOMMENT_DNSMASTERFILE)
+			     != 0)) {
+				saved_state = state;
+				state = lexstate_eatline;
+				no_comments = true;
+				continue;
+			} else if (c == '/' &&
+				   (lex->comments &
+				    (ISC_LEXCOMMENT_C|
+				     ISC_LEXCOMMENT_CPLUSPLUS)) != 0) {
+				saved_state = state;
+				state = lexstate_maybecomment;
+				no_comments = true;
+				continue;
+			} else if (c == '#' &&
+				   ((lex->comments & ISC_LEXCOMMENT_SHELL)
+				    != 0)) {
+				saved_state = state;
+				state = lexstate_eatline;
+				no_comments = true;
+				continue;
+			}
+		}
+
+	no_read:
+		/* INSIST(c == EOF || (c >= 0 && c <= 255)); */
+		switch (state) {
+		case lexstate_start:
+			if (c == EOF) {
+				lex->last_was_eol = false;
+				if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+				    lex->paren_count != 0) {
+					lex->paren_count = 0;
+					result = ISC_R_UNBALANCED;
+					goto done;
+				}
+				if ((options & ISC_LEXOPT_BTEXT) != 0 &&
+				    lex->brace_count != 0) {
+					lex->brace_count = 0;
+					result = ISC_R_UNBALANCED;
+					goto done;
+				}
+				if ((options & ISC_LEXOPT_EOF) == 0) {
+					result = ISC_R_EOF;
+					goto done;
+				}
+				tokenp->type = isc_tokentype_eof;
+				done = true;
+			} else if (c == ' ' || c == '\t') {
+				if (lex->last_was_eol &&
+				    (options & ISC_LEXOPT_INITIALWS)
+				    != 0) {
+					lex->last_was_eol = false;
+					tokenp->type = isc_tokentype_initialws;
+					tokenp->value.as_char = c;
+					done = true;
+				}
+			} else if (c == '\n') {
+				if ((options & ISC_LEXOPT_EOL) != 0) {
+					tokenp->type = isc_tokentype_eol;
+					done = true;
+				}
+				lex->last_was_eol = true;
+			} else if (c == '\r') {
+				if ((options & ISC_LEXOPT_EOL) != 0)
+					state = lexstate_crlf;
+			} else if (c == '"' &&
+				   (options & ISC_LEXOPT_QSTRING) != 0) {
+				lex->last_was_eol = false;
+				no_comments = true;
+				state = lexstate_qstring;
+			} else if (lex->specials[c]) {
+				lex->last_was_eol = false;
+				if ((c == '(' || c == ')') &&
+				    (options & ISC_LEXOPT_DNSMULTILINE) != 0)
+				{
+					if (c == '(') {
+						if (lex->paren_count == 0)
+							options &= ~IWSEOL;
+						lex->paren_count++;
+					} else {
+						if (lex->paren_count == 0) {
+							result =
+							      ISC_R_UNBALANCED;
+							goto done;
+						}
+						lex->paren_count--;
+						if (lex->paren_count == 0)
+							options = saved_options;
+					}
+					continue;
+				} else if (c == '{' &&
+					   (options & ISC_LEXOPT_BTEXT) != 0)
+				{
+					if (lex->brace_count != 0) {
+						result = ISC_R_UNBALANCED;
+						goto done;
+					}
+					lex->brace_count++;
+					options &= ~IWSEOL;
+					state = lexstate_btext;
+					no_comments = true;
+					continue;
+				}
+				tokenp->type = isc_tokentype_special;
+				tokenp->value.as_char = c;
+				done = true;
+			} else if (isdigit((unsigned char)c) &&
+				   (options & ISC_LEXOPT_NUMBER) != 0) {
+				lex->last_was_eol = false;
+				if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				    (c == '8' || c == '9'))
+					state = lexstate_string;
+				else
+					state = lexstate_number;
+				goto no_read;
+			} else {
+				lex->last_was_eol = false;
+				state = lexstate_string;
+				goto no_read;
+			}
+			break;
+		case lexstate_crlf:
+			if (c != '\n')
+				pushback(source, c);
+			tokenp->type = isc_tokentype_eol;
+			done = true;
+			lex->last_was_eol = true;
+			break;
+		case lexstate_number:
+			if (c == EOF || !isdigit((unsigned char)c)) {
+				if (c == ' ' || c == '\t' || c == '\r' ||
+				    c == '\n' || c == EOF ||
+				    lex->specials[c]) {
+					int base;
+					if ((options & ISC_LEXOPT_OCTAL) != 0)
+						base = 8;
+					else if ((options & ISC_LEXOPT_CNUMBER) != 0)
+						base = 0;
+					else
+						base = 10;
+					pushback(source, c);
+
+					result = isc_parse_uint32(&as_ulong,
+								  lex->data,
+								  base);
+					if (result == ISC_R_SUCCESS) {
+						tokenp->type =
+							isc_tokentype_number;
+						tokenp->value.as_ulong =
+							as_ulong;
+					} else if (result == ISC_R_BADNUMBER) {
+						isc_tokenvalue_t *v;
+
+						tokenp->type =
+							isc_tokentype_string;
+						v = &(tokenp->value);
+						v->as_textregion.base =
+							lex->data;
+						v->as_textregion.length =
+							(unsigned int)
+							(lex->max_token -
+							 remaining);
+					} else
+						goto done;
+					done = true;
+					continue;
+				} else if (!(options & ISC_LEXOPT_CNUMBER) ||
+					   ((c != 'x' && c != 'X') ||
+					   (curr != &lex->data[1]) ||
+					   (lex->data[0] != '0'))) {
+					/* Above test supports hex numbers */
+					state = lexstate_string;
+				}
+			} else if ((options & ISC_LEXOPT_OCTAL) != 0 &&
+				   (c == '8' || c == '9')) {
+				state = lexstate_string;
+			}
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining,
+						   &curr, &prev);
+				if (result != ISC_R_SUCCESS)
+					goto done;
+			}
+			INSIST(remaining > 0U);
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		case lexstate_string:
+			/*
+			 * EOF needs to be checked before lex->specials[c]
+			 * as lex->specials[EOF] is not a good idea.
+			 */
+			if (c == '\r' || c == '\n' || c == EOF ||
+			    (!escaped &&
+			     (c == ' ' || c == '\t' || lex->specials[c]))) {
+				pushback(source, c);
+				if (source->result != ISC_R_SUCCESS) {
+					result = source->result;
+					goto done;
+				}
+				tokenp->type = isc_tokentype_string;
+				tokenp->value.as_textregion.base = lex->data;
+				tokenp->value.as_textregion.length =
+					(unsigned int)
+					(lex->max_token - remaining);
+				done = true;
+				continue;
+			}
+			if ((options & ISC_LEXOPT_ESCAPE) != 0)
+				escaped = (!escaped && c == '\\') ?
+						true : false;
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining,
+						   &curr, &prev);
+				if (result != ISC_R_SUCCESS)
+					goto done;
+			}
+			INSIST(remaining > 0U);
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		case lexstate_maybecomment:
+			if (c == '*' &&
+			    (lex->comments & ISC_LEXCOMMENT_C) != 0) {
+				state = lexstate_ccomment;
+				continue;
+			} else if (c == '/' &&
+			    (lex->comments & ISC_LEXCOMMENT_CPLUSPLUS) != 0) {
+				state = lexstate_eatline;
+				continue;
+			}
+			pushback(source, c);
+			c = '/';
+			no_comments = false;
+			state = saved_state;
+			goto no_read;
+		case lexstate_ccomment:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '*')
+				state = lexstate_ccommentend;
+			break;
+		case lexstate_ccommentend:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '/') {
+				/*
+				 * C-style comments become a single space.
+				 * We do this to ensure that a comment will
+				 * act as a delimiter for strings and
+				 * numbers.
+				 */
+				c = ' ';
+				no_comments = false;
+				state = saved_state;
+				goto no_read;
+			} else if (c != '*')
+				state = lexstate_ccomment;
+			break;
+		case lexstate_eatline:
+			if ((c == '\n') || (c == EOF)) {
+				no_comments = false;
+				state = saved_state;
+				goto no_read;
+			}
+			break;
+		case lexstate_qstring:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '"') {
+				if (escaped) {
+					escaped = false;
+					/*
+					 * Overwrite the preceding backslash.
+					 */
+					INSIST(prev != NULL);
+					*prev = '"';
+				} else {
+					tokenp->type = isc_tokentype_qstring;
+					tokenp->value.as_textregion.base =
+						lex->data;
+					tokenp->value.as_textregion.length =
+						(unsigned int)
+						(lex->max_token - remaining);
+					no_comments = false;
+					done = true;
+				}
+			} else {
+				if (c == '\n' && !escaped &&
+			    (options & ISC_LEXOPT_QSTRINGMULTILINE) == 0) {
+					pushback(source, c);
+					result = ISC_R_UNBALANCEDQUOTES;
+					goto done;
+				}
+				if (c == '\\' && !escaped)
+					escaped = true;
+				else
+					escaped = false;
+				if (remaining == 0U) {
+					result = grow_data(lex, &remaining,
+							   &curr, &prev);
+					if (result != ISC_R_SUCCESS)
+						goto done;
+				}
+				INSIST(remaining > 0U);
+				prev = curr;
+				*curr++ = c;
+				*curr = '\0';
+				remaining--;
+			}
+			break;
+		case lexstate_btext:
+			if (c == EOF) {
+				result = ISC_R_UNEXPECTEDEND;
+				goto done;
+			}
+			if (c == '{') {
+				if (escaped) {
+					escaped = false;
+				} else {
+					lex->brace_count++;
+				}
+			} else if (c == '}') {
+				if (escaped) {
+					escaped = false;
+				} else {
+					INSIST(lex->brace_count > 0);
+					lex->brace_count--;
+				}
+
+				if (lex->brace_count == 0) {
+					tokenp->type = isc_tokentype_btext;
+					tokenp->value.as_textregion.base =
+						lex->data;
+					tokenp->value.as_textregion.length =
+						(unsigned int) (lex->max_token -
+								remaining);
+					no_comments = false;
+					done = true;
+					break;
+				}
+			}
+
+			if (c == '\\' && !escaped)
+				escaped = true;
+			else
+				escaped = false;
+
+			if (remaining == 0U) {
+				result = grow_data(lex, &remaining,
+						   &curr, &prev);
+				if (result != ISC_R_SUCCESS)
+					goto done;
+			}
+			INSIST(remaining > 0U);
+			prev = curr;
+			*curr++ = c;
+			*curr = '\0';
+			remaining--;
+			break;
+		default:
+			FATAL_ERROR(__FILE__, __LINE__,
+				    isc_msgcat_get(isc_msgcat, ISC_MSGSET_LEX,
+						   ISC_MSG_UNEXPECTEDSTATE,
+						   "Unexpected state %d"),
+				    state);
+			/* Does not return. */
+		}
+
+	} while (!done);
+
+	result = ISC_R_SUCCESS;
+ done:
+#ifdef HAVE_FLOCKFILE
+	if (source->is_file)
+		funlockfile(source->input);
+#endif
+	return (result);
+}
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+		       isc_tokentype_t expect, bool eol)
+{
+	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+	isc_result_t result;
+
+	if (expect == isc_tokentype_qstring)
+		options |= ISC_LEXOPT_QSTRING;
+	else if (expect == isc_tokentype_number)
+		options |= ISC_LEXOPT_NUMBER;
+	result = isc_lex_gettoken(lex, options, token);
+	if (result == ISC_R_RANGE)
+		isc_lex_ungettoken(lex, token);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (eol && ((token->type == isc_tokentype_eol) ||
+		    (token->type == isc_tokentype_eof)))
+		return (ISC_R_SUCCESS);
+	if (token->type == isc_tokentype_string &&
+	    expect == isc_tokentype_qstring)
+		return (ISC_R_SUCCESS);
+	if (token->type != expect) {
+		isc_lex_ungettoken(lex, token);
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+			return (ISC_R_UNEXPECTEDEND);
+		if (expect == isc_tokentype_number)
+			return (ISC_R_BADNUMBER);
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_getoctaltoken(isc_lex_t *lex, isc_token_t *token, bool eol)
+{
+	unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+			       ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE|
+			       ISC_LEXOPT_NUMBER | ISC_LEXOPT_OCTAL;
+	isc_result_t result;
+
+	result = isc_lex_gettoken(lex, options, token);
+	if (result == ISC_R_RANGE)
+		isc_lex_ungettoken(lex, token);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (eol && ((token->type == isc_tokentype_eol) ||
+		    (token->type == isc_tokentype_eof)))
+		return (ISC_R_SUCCESS);
+	if (token->type != isc_tokentype_number) {
+		isc_lex_ungettoken(lex, token);
+		if (token->type == isc_tokentype_eol ||
+		    token->type == isc_tokentype_eof)
+			return (ISC_R_UNEXPECTEDEND);
+		return (ISC_R_BADNUMBER);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
+	inputsource *source;
+	/*
+	 * Unget the current token.
+	 */
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(source != NULL);
+	REQUIRE(tokenp != NULL);
+	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+		tokenp->type == isc_tokentype_eof);
+
+	UNUSED(tokenp);
+
+	isc_buffer_first(source->pushback);
+	lex->paren_count = lex->saved_paren_count;
+	source->line = source->saved_line;
+	source->at_eof = false;
+}
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r)
+{
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+	REQUIRE(source != NULL);
+	REQUIRE(tokenp != NULL);
+	REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+		tokenp->type == isc_tokentype_eof);
+
+	UNUSED(tokenp);
+
+	INSIST(source->ignored <= isc_buffer_consumedlength(source->pushback));
+	r->base = (unsigned char *)isc_buffer_base(source->pushback) +
+		  source->ignored;
+	r->length = isc_buffer_consumedlength(source->pushback) -
+		    source->ignored;
+}
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return (NULL);
+
+	return (source->name);
+}
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return (0);
+
+	return (source->line);
+}
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
+	inputsource *source;
+	char *newname;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return (ISC_R_NOTFOUND);
+	newname = isc_mem_strdup(lex->mctx, name);
+	if (newname == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_mem_free(lex->mctx, source->name);
+	source->name = newname;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_setsourceline(isc_lex_t *lex, unsigned long line) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return (ISC_R_NOTFOUND);
+
+	source->line = line;
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_lex_isfile(isc_lex_t *lex) {
+	inputsource *source;
+
+	REQUIRE(VALID_LEX(lex));
+
+	source = HEAD(lex->sources);
+
+	if (source == NULL)
+		return (false);
+
+	return (source->is_file);
+}
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
new file mode 100644
index 0000000..3b0b47f
--- /dev/null
+++ b/lib/isc/lfsr.c
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/lfsr.h>
+#include <isc/util.h>
+
+#define VALID_LFSR(x)	(x != NULL)
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, uint32_t state, unsigned int bits,
+	      uint32_t tap, unsigned int count,
+	      isc_lfsrreseed_t reseed, void *arg)
+{
+	REQUIRE(VALID_LFSR(lfsr));
+	REQUIRE(8 <= bits && bits <= 32);
+	REQUIRE(tap != 0);
+
+	lfsr->state = state;
+	lfsr->bits = bits;
+	lfsr->tap = tap;
+	lfsr->count = count;
+	lfsr->reseed = reseed;
+	lfsr->arg = arg;
+
+	if (count == 0 && reseed != NULL)
+		reseed(lfsr, arg);
+	if (lfsr->state == 0)
+		lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+}
+
+/*!
+ * Return the next state of the lfsr.
+ */
+static inline uint32_t
+lfsr_generate(isc_lfsr_t *lfsr)
+{
+
+	/*
+	 * If the previous state is zero, we must fill it with something
+	 * here, or we will begin to generate an extremely predictable output.
+	 *
+	 * First, give the reseed function a crack at it.  If the state is
+	 * still 0, set it to all ones.
+	 */
+	if (lfsr->state == 0) {
+		if (lfsr->reseed != NULL)
+			lfsr->reseed(lfsr, lfsr->arg);
+		if (lfsr->state == 0)
+			lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+	}
+
+	if (lfsr->state & 0x01) {
+		lfsr->state = (lfsr->state >> 1) ^ lfsr->tap;
+		return (1);
+	} else {
+		lfsr->state >>= 1;
+		return (0);
+	}
+}
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count)
+{
+	unsigned char *p;
+	unsigned int bit;
+	unsigned int byte;
+
+	REQUIRE(VALID_LFSR(lfsr));
+	REQUIRE(data != NULL);
+	REQUIRE(count > 0);
+
+	p = data;
+	byte = count;
+
+	while (byte--) {
+		*p = 0;
+		for (bit = 0; bit < 7; bit++) {
+			*p |= lfsr_generate(lfsr);
+			*p <<= 1;
+		}
+		*p |= lfsr_generate(lfsr);
+		p++;
+	}
+
+	if (lfsr->count != 0 && lfsr->reseed != NULL) {
+		if (lfsr->count <= count * 8)
+			lfsr->reseed(lfsr, lfsr->arg);
+		else
+			lfsr->count -= (count * 8);
+	}
+}
+
+static inline uint32_t
+lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip)
+{
+	while (skip--)
+		(void)lfsr_generate(lfsr);
+
+	(void)lfsr_generate(lfsr);
+
+	return (lfsr->state);
+}
+
+/*
+ * Skip "skip" states in "lfsr".
+ */
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip)
+{
+	REQUIRE(VALID_LFSR(lfsr));
+
+	while (skip--)
+		(void)lfsr_generate(lfsr);
+}
+
+/*
+ * Skip states in lfsr1 and lfsr2 using the other's current state.
+ * Return the final state of lfsr1 ^ lfsr2.
+ */
+uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2)
+{
+	uint32_t state1, state2;
+	uint32_t skip1, skip2;
+
+	REQUIRE(VALID_LFSR(lfsr1));
+	REQUIRE(VALID_LFSR(lfsr2));
+
+	skip1 = lfsr1->state & 0x01;
+	skip2 = lfsr2->state & 0x01;
+
+	/* cross-skip. */
+	state1 = lfsr_skipgenerate(lfsr1, skip2);
+	state2 = lfsr_skipgenerate(lfsr2, skip1);
+
+	return (state1 ^ state2);
+}
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
new file mode 100644
index 0000000..018cc3e
--- /dev/null
+++ b/lib/isc/lib.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBISC_EXTERNAL_DATA isc_msgcat_t *		isc_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libisc.cat", &isc_msgcat);
+}
+
+void
+isc_lib_initmsgcat(void) {
+	isc_result_t result;
+
+	/*!
+	 * Initialize the ISC library's message catalog, isc_msgcat, if it
+	 * has not already been initialized.
+	 */
+
+	result = isc_once_do(&msgcat_once, open_msgcat);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * Normally we'd use RUNTIME_CHECK() or FATAL_ERROR(), but
+		 * we can't do that here, since they might call us!
+		 * (Note that the catalog might be open anyway, so we might
+		 * as well try to  provide an internationalized message.)
+		 */
+		fprintf(stderr, "%s:%d: %s: isc_once_do() %s.\n",
+			__FILE__, __LINE__,
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				       ISC_MSG_FATALERROR, "fatal error"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				       ISC_MSG_FAILED, "failed"));
+		abort();
+	}
+}
+
+static isc_once_t		register_once = ISC_ONCE_INIT;
+
+static void
+do_register(void) {
+	isc_bind9 = false;
+
+	RUNTIME_CHECK(isc__mem_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__app_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__task_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__socket_register() == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc__timer_register() == ISC_R_SUCCESS);
+}
+
+void
+isc_lib_register(void) {
+	RUNTIME_CHECK(isc_once_do(&register_once, do_register)
+		      == ISC_R_SUCCESS);
+}
diff --git a/lib/isc/log.c b/lib/isc/log.c
new file mode 100644
index 0000000..3387533
--- /dev/null
+++ b/lib/isc/log.c
@@ -0,0 +1,1761 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/types.h>	/* dev_t FreeBSD 2.1 */
+
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/stat.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#define LCTX_MAGIC		ISC_MAGIC('L', 'c', 't', 'x')
+#define VALID_CONTEXT(lctx)	ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
+
+#define LCFG_MAGIC		ISC_MAGIC('L', 'c', 'f', 'g')
+#define VALID_CONFIG(lcfg)	ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
+
+/*
+ * XXXDCL make dynamic?
+ */
+#define LOG_BUFFER_SIZE	(8 * 1024)
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024	/* AIX and others don't define this. */
+#endif
+
+/*!
+ * This is the structure that holds each named channel.  A simple linked
+ * list chains all of the channels together, so an individual channel is
+ * found by doing strcmp()s with the names down the list.  Their should
+ * be no performance penalty from this as it is expected that the number
+ * of named channels will be no more than a dozen or so, and name lookups
+ * from the head of the list are only done when isc_log_usechannel() is
+ * called, which should also be very infrequent.
+ */
+typedef struct isc_logchannel isc_logchannel_t;
+
+struct isc_logchannel {
+	char *				name;
+	unsigned int			type;
+	int 				level;
+	unsigned int			flags;
+	isc_logdestination_t 		destination;
+	ISC_LINK(isc_logchannel_t)	link;
+};
+
+/*!
+ * The logchannellist structure associates categories and modules with
+ * channels.  First the appropriate channellist is found based on the
+ * category, and then each structure in the linked list is checked for
+ * a matching module.  It is expected that the number of channels
+ * associated with any given category will be very short, no more than
+ * three or four in the more unusual cases.
+ */
+typedef struct isc_logchannellist isc_logchannellist_t;
+
+struct isc_logchannellist {
+	const isc_logmodule_t *		module;
+	isc_logchannel_t *		channel;
+	ISC_LINK(isc_logchannellist_t)	link;
+};
+
+/*!
+ * This structure is used to remember messages for pruning via
+ * isc_log_[v]write1().
+ */
+typedef struct isc_logmessage isc_logmessage_t;
+
+struct isc_logmessage {
+	char *				text;
+	isc_time_t			time;
+	ISC_LINK(isc_logmessage_t)	link;
+};
+
+/*!
+ * The isc_logconfig structure is used to store the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ */
+struct isc_logconfig {
+	unsigned int			magic;
+	isc_log_t *			lctx;
+	ISC_LIST(isc_logchannel_t)	channels;
+	ISC_LIST(isc_logchannellist_t) *channellists;
+	unsigned int			channellist_count;
+	unsigned int			duplicate_interval;
+	int				highest_level;
+	char *				tag;
+	bool			dynamic;
+};
+
+/*!
+ * This isc_log structure provides the context for the isc_log functions.
+ * The log context locks itself in isc_log_doit, the internal backend to
+ * isc_log_write.  The locking is necessary both to provide exclusive access
+ * to the buffer into which the message is formatted and to guard against
+ * competing threads trying to write to the same syslog resource.  (On
+ * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
+ * Unfortunately, the lock cannot guard against a _different_ logging
+ * context in the same program competing for syslog's attention.  Thus
+ * There Can Be Only One, but this is not enforced.
+ * XXXDCL enforce it?
+ *
+ * Note that the category and module information is not locked.
+ * This is because in the usual case, only one isc_log_t is ever created
+ * in a program, and the category/module registration happens only once.
+ * XXXDCL it might be wise to add more locking overall.
+ */
+struct isc_log {
+	/* Not locked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	isc_logcategory_t *		categories;
+	unsigned int			category_count;
+	isc_logmodule_t *		modules;
+	unsigned int			module_count;
+	int				debug_level;
+	isc_mutex_t			lock;
+	/* Locked by isc_log lock. */
+	isc_logconfig_t * 		logconfig;
+	char 				buffer[LOG_BUFFER_SIZE];
+	ISC_LIST(isc_logmessage_t)	messages;
+};
+
+/*!
+ * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
+ */
+static const char *log_level_strings[] = {
+	"debug",
+	"info",
+	"notice",
+	"warning",
+	"error",
+	"critical"
+};
+
+/*!
+ * Used to convert ISC_LOG_* priorities into syslog priorities.
+ * XXXDCL This will need modification for NT.
+ */
+static const int syslog_map[] = {
+	LOG_DEBUG,
+	LOG_INFO,
+	LOG_NOTICE,
+	LOG_WARNING,
+	LOG_ERR,
+	LOG_CRIT
+};
+
+/*!
+ * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
+ * definition needs to be added to <isc/log.h>.
+ *
+ * The default category is provided so that the internal default can
+ * be overridden.  Since the default is always looked up as the first
+ * channellist in the log context, it must come first in isc_categories[].
+ */
+LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
+	{ "default", 0 },	/* "default" must come first. */
+	{ "general", 0 },
+	{ NULL, 0 }
+};
+
+/*!
+ * See above comment for categories on LIBISC_EXTERNAL_DATA, and apply it to modules.
+ */
+LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
+	{ "socket", 0 },
+	{ "time", 0 },
+	{ "interface", 0 },
+	{ "timer", 0 },
+	{ "file", 0 },
+	{ "other", 0 },
+	{ NULL, 0 }
+};
+
+/*!
+ * This essentially constant structure must be filled in at run time,
+ * because its channel member is pointed to a channel that is created
+ * dynamically with isc_log_createchannel.
+ */
+static isc_logchannellist_t default_channel;
+
+/*!
+ * libisc logs to this context.
+ */
+LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
+
+/*!
+ * Forward declarations.
+ */
+static isc_result_t
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+	      const isc_logmodule_t *module, isc_logchannel_t *channel);
+
+static isc_result_t
+sync_channellist(isc_logconfig_t *lcfg);
+
+static isc_result_t
+greatest_version(isc_logfile_t *file, int versions, int *greatest);
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+	     isc_logmodule_t *module, int level, bool write_once,
+	     isc_msgcat_t *msgcat, int msgset, int msg,
+	     const char *format, va_list args)
+     ISC_FORMAT_PRINTF(9, 0);
+
+/*@{*/
+/*!
+ * Convenience macros.
+ */
+
+#define FACILITY(channel)	 (channel->destination.facility)
+#define FILE_NAME(channel)	 (channel->destination.file.name)
+#define FILE_STREAM(channel)	 (channel->destination.file.stream)
+#define FILE_VERSIONS(channel)	 (channel->destination.file.versions)
+#define FILE_MAXSIZE(channel)	 (channel->destination.file.maximum_size)
+#define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
+
+/*@}*/
+/****
+ **** Public interfaces.
+ ****/
+
+/*
+ * Establish a new logging context, with default channels.
+ */
+isc_result_t
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
+	isc_log_t *lctx;
+	isc_logconfig_t *lcfg = NULL;
+	isc_result_t result;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(lctxp != NULL && *lctxp == NULL);
+	REQUIRE(lcfgp == NULL || *lcfgp == NULL);
+
+	lctx = isc_mem_get(mctx, sizeof(*lctx));
+	if (lctx != NULL) {
+		lctx->mctx = NULL;
+		isc_mem_attach(mctx, &lctx->mctx);
+		lctx->categories = NULL;
+		lctx->category_count = 0;
+		lctx->modules = NULL;
+		lctx->module_count = 0;
+		lctx->debug_level = 0;
+
+		ISC_LIST_INIT(lctx->messages);
+
+		result = isc_mutex_init(&lctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_putanddetach(&mctx, lctx, sizeof(*lctx));
+			return (result);
+		}
+
+		/*
+		 * Normally setting the magic number is the last step done
+		 * in a creation function, but a valid log context is needed
+		 * by isc_log_registercategories and isc_logconfig_create.
+		 * If either fails, the lctx is destroyed and not returned
+		 * to the caller.
+		 */
+		lctx->magic = LCTX_MAGIC;
+
+		isc_log_registercategories(lctx, isc_categories);
+		isc_log_registermodules(lctx, isc_modules);
+		result = isc_logconfig_create(lctx, &lcfg);
+
+	} else
+		result = ISC_R_NOMEMORY;
+
+	if (result == ISC_R_SUCCESS)
+		result = sync_channellist(lcfg);
+
+	if (result == ISC_R_SUCCESS) {
+		lctx->logconfig = lcfg;
+
+		*lctxp = lctx;
+		if (lcfgp != NULL)
+			*lcfgp = lcfg;
+
+	} else {
+		if (lcfg != NULL)
+			isc_logconfig_destroy(&lcfg);
+		if (lctx != NULL)
+			isc_log_destroy(&lctx);
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
+	isc_logconfig_t *lcfg;
+	isc_logdestination_t destination;
+	isc_result_t result = ISC_R_SUCCESS;
+	int level = ISC_LOG_INFO;
+
+	REQUIRE(lcfgp != NULL && *lcfgp == NULL);
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	lcfg = isc_mem_get(lctx->mctx, sizeof(*lcfg));
+
+	if (lcfg != NULL) {
+		lcfg->lctx = lctx;
+		lcfg->channellists = NULL;
+		lcfg->channellist_count = 0;
+		lcfg->duplicate_interval = 0;
+		lcfg->highest_level = level;
+		lcfg->tag = NULL;
+		lcfg->dynamic = false;
+
+		ISC_LIST_INIT(lcfg->channels);
+
+		/*
+		 * Normally the magic number is the last thing set in the
+		 * structure, but isc_log_createchannel() needs a valid
+		 * config.  If the channel creation fails, the lcfg is not
+		 * returned to the caller.
+		 */
+		lcfg->magic = LCFG_MAGIC;
+
+	} else
+		result = ISC_R_NOMEMORY;
+
+	/*
+	 * Create the default channels:
+	 *   	default_syslog, default_stderr, default_debug and null.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		destination.facility = LOG_DAEMON;
+		result = isc_log_createchannel(lcfg, "default_syslog",
+					       ISC_LOG_TOSYSLOG, level,
+					       &destination, 0);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		destination.file.stream = stderr;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		result = isc_log_createchannel(lcfg, "default_stderr",
+					       ISC_LOG_TOFILEDESC,
+					       level,
+					       &destination,
+					       ISC_LOG_PRINTTIME);
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Set the default category's channel to default_stderr,
+		 * which is at the head of the channels list because it was
+		 * just created.
+		 */
+		default_channel.channel = ISC_LIST_HEAD(lcfg->channels);
+
+		destination.file.stream = stderr;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		result = isc_log_createchannel(lcfg, "default_debug",
+					       ISC_LOG_TOFILEDESC,
+					       ISC_LOG_DYNAMIC,
+					       &destination,
+					       ISC_LOG_PRINTTIME);
+	}
+
+	if (result == ISC_R_SUCCESS)
+		result = isc_log_createchannel(lcfg, "null",
+					       ISC_LOG_TONULL,
+					       ISC_LOG_DYNAMIC,
+					       NULL, 0);
+
+	if (result == ISC_R_SUCCESS)
+		*lcfgp = lcfg;
+
+	else
+		if (lcfg != NULL)
+			isc_logconfig_destroy(&lcfg);
+
+	return (result);
+}
+
+isc_logconfig_t *
+isc_logconfig_get(isc_log_t *lctx) {
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	ENSURE(lctx->logconfig != NULL);
+
+	return (lctx->logconfig);
+}
+
+isc_result_t
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg) {
+	isc_logconfig_t *old_cfg;
+	isc_result_t result;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(lcfg->lctx == lctx);
+
+	/*
+	 * Ensure that lcfg->channellist_count == lctx->category_count.
+	 * They won't be equal if isc_log_usechannel has not been called
+	 * since any call to isc_log_registercategories.
+	 */
+	result = sync_channellist(lcfg);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	LOCK(&lctx->lock);
+
+	old_cfg = lctx->logconfig;
+	lctx->logconfig = lcfg;
+
+	UNLOCK(&lctx->lock);
+
+	isc_logconfig_destroy(&old_cfg);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_log_destroy(isc_log_t **lctxp) {
+	isc_log_t *lctx;
+	isc_logconfig_t *lcfg;
+	isc_mem_t *mctx;
+	isc_logmessage_t *message;
+
+	REQUIRE(lctxp != NULL && VALID_CONTEXT(*lctxp));
+
+	lctx = *lctxp;
+	mctx = lctx->mctx;
+
+	if (lctx->logconfig != NULL) {
+		lcfg = lctx->logconfig;
+		lctx->logconfig = NULL;
+		isc_logconfig_destroy(&lcfg);
+	}
+
+	DESTROYLOCK(&lctx->lock);
+
+	while ((message = ISC_LIST_HEAD(lctx->messages)) != NULL) {
+		ISC_LIST_UNLINK(lctx->messages, message, link);
+
+		isc_mem_put(mctx, message,
+			    sizeof(*message) + strlen(message->text) + 1);
+	}
+
+	lctx->buffer[0] = '\0';
+	lctx->debug_level = 0;
+	lctx->categories = NULL;
+	lctx->category_count = 0;
+	lctx->modules = NULL;
+	lctx->module_count = 0;
+	lctx->mctx = NULL;
+	lctx->magic = 0;
+
+	isc_mem_putanddetach(&mctx, lctx, sizeof(*lctx));
+
+	*lctxp = NULL;
+}
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
+	isc_logconfig_t *lcfg;
+	isc_mem_t *mctx;
+	isc_logchannel_t *channel;
+	isc_logchannellist_t *item;
+	char *filename;
+	unsigned int i;
+
+	REQUIRE(lcfgp != NULL && VALID_CONFIG(*lcfgp));
+
+	lcfg = *lcfgp;
+
+	/*
+	 * This function cannot be called with a logconfig that is in
+	 * use by a log context.
+	 */
+	REQUIRE(lcfg->lctx != NULL && lcfg->lctx->logconfig != lcfg);
+
+	mctx = lcfg->lctx->mctx;
+
+	while ((channel = ISC_LIST_HEAD(lcfg->channels)) != NULL) {
+		ISC_LIST_UNLINK(lcfg->channels, channel, link);
+
+		if (channel->type == ISC_LOG_TOFILE) {
+			/*
+			 * The filename for the channel may have ultimately
+			 * started its life in user-land as a const string,
+			 * but in isc_log_createchannel it gets copied
+			 * into writable memory and is not longer truly const.
+			 */
+			DE_CONST(FILE_NAME(channel), filename);
+			isc_mem_free(mctx, filename);
+
+			if (FILE_STREAM(channel) != NULL)
+				(void)fclose(FILE_STREAM(channel));
+		}
+
+		isc_mem_free(mctx, channel->name);
+		isc_mem_put(mctx, channel, sizeof(*channel));
+	}
+
+	for (i = 0; i < lcfg->channellist_count; i++)
+		while ((item = ISC_LIST_HEAD(lcfg->channellists[i])) != NULL) {
+			ISC_LIST_UNLINK(lcfg->channellists[i], item, link);
+			isc_mem_put(mctx, item, sizeof(*item));
+		}
+
+	if (lcfg->channellist_count > 0)
+		isc_mem_put(mctx, lcfg->channellists,
+			    lcfg->channellist_count *
+			    sizeof(ISC_LIST(isc_logchannellist_t)));
+
+	lcfg->dynamic = false;
+	if (lcfg->tag != NULL)
+		isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+	lcfg->tag = NULL;
+	lcfg->highest_level = 0;
+	lcfg->duplicate_interval = 0;
+	lcfg->magic = 0;
+
+	isc_mem_put(mctx, lcfg, sizeof(*lcfg));
+
+	*lcfgp = NULL;
+}
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]) {
+	isc_logcategory_t *catp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(categories != NULL && categories[0].name != NULL);
+
+	/*
+	 * XXXDCL This somewhat sleazy situation of using the last pointer
+	 * in one category array to point to the next array exists because
+	 * this registration function returns void and I didn't want to have
+	 * change everything that used it by making it return an isc_result_t.
+	 * It would need to do that if it had to allocate memory to store
+	 * pointers to each array passed in.
+	 */
+	if (lctx->categories == NULL)
+		lctx->categories = categories;
+
+	else {
+		/*
+		 * Adjust the last (NULL) pointer of the already registered
+		 * categories to point to the incoming array.
+		 */
+		for (catp = lctx->categories; catp->name != NULL; )
+			if (catp->id == UINT_MAX)
+				/*
+				 * The name pointer points to the next array.
+				 * Ick.
+				 */
+				DE_CONST(catp->name, catp);
+			else
+				catp++;
+
+		catp->name = (void *)categories;
+		catp->id = UINT_MAX;
+	}
+
+	/*
+	 * Update the id number of the category with its new global id.
+	 */
+	for (catp = categories; catp->name != NULL; catp++)
+		catp->id = lctx->category_count++;
+}
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name) {
+	isc_logcategory_t *catp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(name != NULL);
+
+	for (catp = lctx->categories; catp->name != NULL; )
+		if (catp->id == UINT_MAX)
+			/*
+			 * catp is neither modified nor returned to the
+			 * caller, so removing its const qualifier is ok.
+			 */
+			DE_CONST(catp->name, catp);
+		else {
+			if (strcmp(catp->name, name) == 0)
+				return (catp);
+			catp++;
+		}
+
+	return (NULL);
+}
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]) {
+	isc_logmodule_t *modp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(modules != NULL && modules[0].name != NULL);
+
+	/*
+	 * XXXDCL This somewhat sleazy situation of using the last pointer
+	 * in one category array to point to the next array exists because
+	 * this registration function returns void and I didn't want to have
+	 * change everything that used it by making it return an isc_result_t.
+	 * It would need to do that if it had to allocate memory to store
+	 * pointers to each array passed in.
+	 */
+	if (lctx->modules == NULL)
+		lctx->modules = modules;
+
+	else {
+		/*
+		 * Adjust the last (NULL) pointer of the already registered
+		 * modules to point to the incoming array.
+		 */
+		for (modp = lctx->modules; modp->name != NULL; )
+			if (modp->id == UINT_MAX)
+				/*
+				 * The name pointer points to the next array.
+				 * Ick.
+				 */
+				DE_CONST(modp->name, modp);
+			else
+				modp++;
+
+		modp->name = (void *)modules;
+		modp->id = UINT_MAX;
+	}
+
+	/*
+	 * Update the id number of the module with its new global id.
+	 */
+	for (modp = modules; modp->name != NULL; modp++)
+		modp->id = lctx->module_count++;
+}
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name) {
+	isc_logmodule_t *modp;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+	REQUIRE(name != NULL);
+
+	for (modp = lctx->modules; modp->name != NULL; )
+		if (modp->id == UINT_MAX)
+			/*
+			 * modp is neither modified nor returned to the
+			 * caller, so removing its const qualifier is ok.
+			 */
+			DE_CONST(modp->name, modp);
+		else {
+			if (strcmp(modp->name, name) == 0)
+				return (modp);
+			modp++;
+		}
+
+	return (NULL);
+}
+
+isc_result_t
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+		      unsigned int type, int level,
+		      const isc_logdestination_t *destination,
+		      unsigned int flags)
+{
+	isc_logchannel_t *channel;
+	isc_mem_t *mctx;
+	unsigned int permitted = ISC_LOG_PRINTALL | ISC_LOG_DEBUGONLY |
+				 ISC_LOG_BUFFERED;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(name != NULL);
+	REQUIRE(type == ISC_LOG_TOSYSLOG   || type == ISC_LOG_TOFILE ||
+		type == ISC_LOG_TOFILEDESC || type == ISC_LOG_TONULL);
+	REQUIRE(destination != NULL || type == ISC_LOG_TONULL);
+	REQUIRE(level >= ISC_LOG_CRITICAL);
+	REQUIRE((flags & ~permitted) == 0);
+
+	/* XXXDCL find duplicate names? */
+
+	mctx = lcfg->lctx->mctx;
+
+	channel = isc_mem_get(mctx, sizeof(*channel));
+	if (channel == NULL)
+		return (ISC_R_NOMEMORY);
+
+	channel->name = isc_mem_strdup(mctx, name);
+	if (channel->name == NULL) {
+		isc_mem_put(mctx, channel, sizeof(*channel));
+		return (ISC_R_NOMEMORY);
+	}
+
+	channel->type = type;
+	channel->level = level;
+	channel->flags = flags;
+	ISC_LINK_INIT(channel, link);
+
+	switch (type) {
+	case ISC_LOG_TOSYSLOG:
+		FACILITY(channel) = destination->facility;
+		break;
+
+	case ISC_LOG_TOFILE:
+		/*
+		 * The file name is copied because greatest_version wants
+		 * to scribble on it, so it needs to be definitely in
+		 * writable memory.
+		 */
+		FILE_NAME(channel) =
+			isc_mem_strdup(mctx, destination->file.name);
+		FILE_STREAM(channel) = NULL;
+		FILE_VERSIONS(channel) = destination->file.versions;
+		FILE_MAXSIZE(channel) = destination->file.maximum_size;
+		FILE_MAXREACHED(channel) = false;
+		break;
+
+	case ISC_LOG_TOFILEDESC:
+		FILE_NAME(channel) = NULL;
+		FILE_STREAM(channel) = destination->file.stream;
+		FILE_MAXSIZE(channel) = 0;
+		FILE_VERSIONS(channel) = ISC_LOG_ROLLNEVER;
+		break;
+
+	case ISC_LOG_TONULL:
+		/* Nothing. */
+		break;
+
+	default:
+		isc_mem_free(mctx, channel->name);
+		isc_mem_put(mctx, channel, sizeof(*channel));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	ISC_LIST_PREPEND(lcfg->channels, channel, link);
+
+	/*
+	 * If default_stderr was redefined, make the default category
+	 * point to the new default_stderr.
+	 */
+	if (strcmp(name, "default_stderr") == 0)
+		default_channel.channel = channel;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+		   const isc_logcategory_t *category,
+		   const isc_logmodule_t *module)
+{
+	isc_log_t *lctx;
+	isc_logchannel_t *channel;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+	REQUIRE(name != NULL);
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(category == NULL || category->id < lctx->category_count);
+	REQUIRE(module == NULL || module->id < lctx->module_count);
+
+	for (channel = ISC_LIST_HEAD(lcfg->channels); channel != NULL;
+	     channel = ISC_LIST_NEXT(channel, link))
+		if (strcmp(name, channel->name) == 0)
+			break;
+
+	if (channel == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (category != NULL)
+		result = assignchannel(lcfg, category->id, module, channel);
+
+	else
+		/*
+		 * Assign to all categories.  Note that this includes
+		 * the default channel.
+		 */
+		for (i = 0; i < lctx->category_count; i++) {
+			result = assignchannel(lcfg, i, module, channel);
+			if (result != ISC_R_SUCCESS)
+				break;
+		}
+
+	return (result);
+}
+
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+	      isc_logmodule_t *module, int level, const char *format, ...)
+{
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, false,
+		     NULL, 0, 0, format, args);
+	va_end(args);
+}
+
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	       const char *format, va_list args)
+{
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, false,
+		     NULL, 0, 0, format, args);
+}
+
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level, const char *format, ...)
+{
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, true,
+		     NULL, 0, 0, format, args);
+	va_end(args);
+}
+
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level,
+		const char *format, va_list args)
+{
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, true,
+		     NULL, 0, 0, format, args);
+}
+
+void
+isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	       isc_msgcat_t *msgcat, int msgset, int msg,
+	       const char *format, ...)
+{
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, false,
+		     msgcat, msgset, msg, format, args);
+	va_end(args);
+}
+
+void
+isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
+	       isc_logmodule_t *module, int level,
+	       isc_msgcat_t *msgcat, int msgset, int msg,
+	       const char *format, va_list args)
+{
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, false,
+		     msgcat, msgset, msg, format, args);
+}
+
+void
+isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		isc_logmodule_t *module, int level,
+		isc_msgcat_t *msgcat, int msgset, int msg,
+		const char *format, ...)
+{
+	va_list args;
+
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+
+	va_start(args, format);
+	isc_log_doit(lctx, category, module, level, true,
+		     msgcat, msgset, msg, format, args);
+	va_end(args);
+}
+
+void
+isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+		 isc_logmodule_t *module, int level,
+		 isc_msgcat_t *msgcat, int msgset, int msg,
+		 const char *format, va_list args)
+{
+	/*
+	 * Contract checking is done in isc_log_doit().
+	 */
+	isc_log_doit(lctx, category, module, level, true,
+		     msgcat, msgset, msg, format, args);
+}
+
+void
+isc_log_setcontext(isc_log_t *lctx) {
+	isc_lctx = lctx;
+}
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
+	isc_logchannel_t *channel;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	LOCK(&lctx->lock);
+
+	lctx->debug_level = level;
+	/*
+	 * Close ISC_LOG_DEBUGONLY channels if level is zero.
+	 */
+	if (lctx->debug_level == 0)
+		for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
+		     channel != NULL;
+		     channel = ISC_LIST_NEXT(channel, link))
+			if (channel->type == ISC_LOG_TOFILE &&
+			    (channel->flags & ISC_LOG_DEBUGONLY) != 0 &&
+			    FILE_STREAM(channel) != NULL) {
+				(void)fclose(FILE_STREAM(channel));
+				FILE_STREAM(channel) = NULL;
+			}
+	UNLOCK(&lctx->lock);
+}
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx) {
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	return (lctx->debug_level);
+}
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lcfg->duplicate_interval = interval;
+}
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
+	REQUIRE(VALID_CONTEXT(lcfg));
+
+	return (lcfg->duplicate_interval);
+}
+
+isc_result_t
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	if (tag != NULL && *tag != '\0') {
+		if (lcfg->tag != NULL)
+			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+		lcfg->tag = isc_mem_strdup(lcfg->lctx->mctx, tag);
+		if (lcfg->tag == NULL)
+			return (ISC_R_NOMEMORY);
+
+	} else {
+		if (lcfg->tag != NULL)
+			isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+		lcfg->tag = NULL;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg) {
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	return (lcfg->tag);
+}
+
+/* XXXDCL NT  -- This interface will assuredly be changing. */
+void
+isc_log_opensyslog(const char *tag, int options, int facility) {
+	(void)openlog(tag, options, facility);
+}
+
+void
+isc_log_closefilelogs(isc_log_t *lctx) {
+	isc_logchannel_t *channel;
+
+	REQUIRE(VALID_CONTEXT(lctx));
+
+	LOCK(&lctx->lock);
+	for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
+	     channel != NULL;
+	     channel = ISC_LIST_NEXT(channel, link))
+
+		if (channel->type == ISC_LOG_TOFILE &&
+		    FILE_STREAM(channel) != NULL) {
+			(void)fclose(FILE_STREAM(channel));
+			FILE_STREAM(channel) = NULL;
+		}
+	UNLOCK(&lctx->lock);
+}
+
+/****
+ **** Internal functions
+ ****/
+
+static isc_result_t
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+	      const isc_logmodule_t *module, isc_logchannel_t *channel)
+{
+	isc_logchannellist_t *new_item;
+	isc_log_t *lctx;
+	isc_result_t result;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(category_id < lctx->category_count);
+	REQUIRE(module == NULL || module->id < lctx->module_count);
+	REQUIRE(channel != NULL);
+
+	/*
+	 * Ensure lcfg->channellist_count == lctx->category_count.
+	 */
+	result = sync_channellist(lcfg);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	new_item = isc_mem_get(lctx->mctx, sizeof(*new_item));
+	if (new_item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	new_item->channel = channel;
+	new_item->module = module;
+	ISC_LIST_INITANDPREPEND(lcfg->channellists[category_id],
+			       new_item, link);
+
+	/*
+	 * Remember the highest logging level set by any channel in the
+	 * logging config, so isc_log_doit() can quickly return if the
+	 * message is too high to be logged by any channel.
+	 */
+	if (channel->type != ISC_LOG_TONULL) {
+		if (lcfg->highest_level < channel->level)
+			lcfg->highest_level = channel->level;
+		if (channel->level == ISC_LOG_DYNAMIC)
+			lcfg->dynamic = true;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This would ideally be part of isc_log_registercategories(), except then
+ * that function would have to return isc_result_t instead of void.
+ */
+static isc_result_t
+sync_channellist(isc_logconfig_t *lcfg) {
+	unsigned int bytes;
+	isc_log_t *lctx;
+	void *lists;
+
+	REQUIRE(VALID_CONFIG(lcfg));
+
+	lctx = lcfg->lctx;
+
+	REQUIRE(lctx->category_count != 0);
+
+	if (lctx->category_count == lcfg->channellist_count)
+		return (ISC_R_SUCCESS);
+
+	bytes = lctx->category_count * sizeof(ISC_LIST(isc_logchannellist_t));
+
+	lists = isc_mem_get(lctx->mctx, bytes);
+
+	if (lists == NULL)
+		return (ISC_R_NOMEMORY);
+
+	memset(lists, 0, bytes);
+
+	if (lcfg->channellist_count != 0) {
+		bytes = lcfg->channellist_count *
+			sizeof(ISC_LIST(isc_logchannellist_t));
+		memmove(lists, lcfg->channellists, bytes);
+		isc_mem_put(lctx->mctx, lcfg->channellists, bytes);
+	}
+
+	lcfg->channellists = lists;
+	lcfg->channellist_count = lctx->category_count;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+greatest_version(isc_logfile_t *file, int versions, int *greatestp) {
+	char *bname, *digit_end;
+	const char *dirname;
+	int version, greatest = -1;
+	size_t bnamelen;
+	isc_dir_t dir;
+	isc_result_t result;
+	char sep = '/';
+#ifdef _WIN32
+	char *bname2;
+#endif
+
+	/*
+	 * It is safe to DE_CONST the file.name because it was copied
+	 * with isc_mem_strdup().
+	 */
+	bname = strrchr(file->name, sep);
+#ifdef _WIN32
+	bname2 = strrchr(file->name, '\\');
+	if ((bname != NULL && bname2 != NULL && bname2 > bname) ||
+	    (bname == NULL && bname2 != NULL)) {
+		bname = bname2;
+		sep = '\\';
+	}
+#endif
+	if (bname != NULL) {
+		*bname++ = '\0';
+		dirname = file->name;
+	} else {
+		DE_CONST(file->name, bname);
+		dirname = ".";
+	}
+	bnamelen = strlen(bname);
+
+	isc_dir_init(&dir);
+	result = isc_dir_open(&dir, dirname);
+
+	/*
+	 * Replace the file separator if it was taken out.
+	 */
+	if (bname != file->name)
+		*(bname - 1) = sep;
+
+	/*
+	 * Return if the directory open failed.
+	 */
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+		if (dir.entry.length > bnamelen &&
+		    strncmp(dir.entry.name, bname, bnamelen) == 0 &&
+		    dir.entry.name[bnamelen] == '.')
+		{
+			version = strtol(&dir.entry.name[bnamelen + 1],
+					 &digit_end, 10);
+			/*
+			 * Remove any backup files that exceed versions.
+			 */
+			if (*digit_end == '\0' && version >= versions) {
+				result = isc_file_remove(dir.entry.name);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_FILENOTFOUND)
+					syslog(LOG_ERR, "unable to remove "
+					       "log file '%s': %s",
+					       dir.entry.name,
+					       isc_result_totext(result));
+			} else if (*digit_end == '\0' && version > greatest)
+				greatest = version;
+		}
+	}
+	isc_dir_close(&dir);
+
+	*greatestp = greatest;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_logfile_roll(isc_logfile_t *file) {
+	int i, n, greatest;
+	char current[PATH_MAX + 1];
+	char newpath[PATH_MAX + 1];
+	const char *path;
+	isc_result_t result;
+
+	REQUIRE(file != NULL);
+
+	/*
+	 * Do nothing (not even excess version trimming) if ISC_LOG_ROLLNEVER
+	 * is specified.  Apparently complete external control over the log
+	 * files is desired.
+	 */
+	if (file->versions == ISC_LOG_ROLLNEVER)
+		return (ISC_R_SUCCESS);
+
+	path = file->name;
+
+	if (file->versions == ISC_LOG_ROLLINFINITE) {
+		/*
+		 * Find the first missing entry in the log file sequence.
+		 */
+		for (greatest = 0; greatest < INT_MAX; greatest++) {
+			n = snprintf(current, sizeof(current),
+				     "%s.%u", path, (unsigned)greatest) ;
+			if (n >= (int)sizeof(current) || n < 0 ||
+			    !isc_file_exists(current))
+				break;
+		}
+	} else {
+		/*
+		 * Get the largest existing version and remove any
+		 * version greater than the permitted version.
+		 */
+		result = greatest_version(file, file->versions, &greatest);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/*
+		 * Increment if greatest is not the actual maximum value.
+		 */
+		if (greatest < file->versions - 1)
+			greatest++;
+	}
+
+	for (i = greatest; i > 0; i--) {
+		result = ISC_R_SUCCESS;
+		n = snprintf(current, sizeof(current), "%s.%u", path,
+			     (unsigned)(i - 1));
+		if (n >= (int)sizeof(current) || n < 0) {
+			result = ISC_R_NOSPACE;
+		}
+		if (result == ISC_R_SUCCESS) {
+			n = snprintf(newpath, sizeof(newpath), "%s.%u",
+				     path, (unsigned)i);
+			if (n >= (int)sizeof(newpath) || n < 0) {
+				result = ISC_R_NOSPACE;
+			}
+		}
+		if (result == ISC_R_SUCCESS)
+			result = isc_file_rename(current, newpath);
+		if (result != ISC_R_SUCCESS &&
+		    result != ISC_R_FILENOTFOUND)
+			syslog(LOG_ERR,
+			       "unable to rename log file '%s.%u' to "
+			       "'%s.%u': %s", path, i - 1, path, i,
+			       isc_result_totext(result));
+	}
+
+	if (file->versions != 0) {
+		n = snprintf(newpath, sizeof(newpath), "%s.0", path);
+		if (n >= (int)sizeof(newpath) || n < 0)
+			result = ISC_R_NOSPACE;
+		else
+			result = isc_file_rename(path, newpath);
+		if (result != ISC_R_SUCCESS &&
+		    result != ISC_R_FILENOTFOUND)
+			syslog(LOG_ERR,
+			       "unable to rename log file '%s' to '%s.0': %s",
+			       path, path, isc_result_totext(result));
+	} else {
+		result = isc_file_remove(path);
+		if (result != ISC_R_SUCCESS &&
+		    result != ISC_R_FILENOTFOUND)
+			syslog(LOG_ERR, "unable to remove log file '%s': %s",
+			       path, isc_result_totext(result));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+isc_log_open(isc_logchannel_t *channel) {
+	struct stat statbuf;
+	bool regular_file;
+	bool roll = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	const char *path;
+
+	REQUIRE(channel->type == ISC_LOG_TOFILE);
+	REQUIRE(FILE_STREAM(channel) == NULL);
+
+	path = FILE_NAME(channel);
+
+	REQUIRE(path != NULL && *path != '\0');
+
+	/*
+	 * Determine type of file; only regular files will be
+	 * version renamed, and only if the base file exists
+	 * and either has no size limit or has reached its size limit.
+	 */
+	if (stat(path, &statbuf) == 0) {
+		regular_file = S_ISREG(statbuf.st_mode) ? true : false;
+		/* XXXDCL if not regular_file complain? */
+		if ((FILE_MAXSIZE(channel) == 0 &&
+		     FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
+		    (FILE_MAXSIZE(channel) > 0 &&
+		     statbuf.st_size >= FILE_MAXSIZE(channel)))
+			roll = regular_file;
+	} else if (errno == ENOENT) {
+		regular_file = true;
+		POST(regular_file);
+	} else
+		result = ISC_R_INVALIDFILE;
+
+	/*
+	 * Version control.
+	 */
+	if (result == ISC_R_SUCCESS && roll) {
+		if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
+			return (ISC_R_MAXSIZE);
+		result = isc_logfile_roll(&channel->destination.file);
+		if (result != ISC_R_SUCCESS) {
+			if ((channel->flags & ISC_LOG_OPENERR) == 0) {
+				syslog(LOG_ERR,
+				       "isc_log_open: isc_logfile_roll '%s' "
+				       "failed: %s",
+				       FILE_NAME(channel),
+				       isc_result_totext(result));
+				channel->flags |= ISC_LOG_OPENERR;
+			}
+			return (result);
+		}
+	}
+
+	result = isc_stdio_open(path, "a", &FILE_STREAM(channel));
+
+	return (result);
+}
+
+bool
+isc_log_wouldlog(isc_log_t *lctx, int level) {
+	/*
+	 * Try to avoid locking the mutex for messages which can't
+	 * possibly be logged to any channels -- primarily debugging
+	 * messages that the debug level is not high enough to print.
+	 *
+	 * If the level is (mathematically) less than or equal to the
+	 * highest_level, or if there is a dynamic channel and the level is
+	 * less than or equal to the debug level, the main loop must be
+	 * entered to see if the message should really be output.
+	 *
+	 * NOTE: this is UNLOCKED access to the logconfig.  However,
+	 * the worst thing that can happen is that a bad decision is made
+	 * about returning without logging, and that's not a big concern,
+	 * because that's a risk anyway if the logconfig is being
+	 * dynamically changed.
+	 */
+
+	if (lctx == NULL || lctx->logconfig == NULL)
+		return (false);
+
+	return (level <= lctx->logconfig->highest_level ||
+		(lctx->logconfig->dynamic &&
+		 level <= lctx->debug_level));
+}
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+	     isc_logmodule_t *module, int level, bool write_once,
+	     isc_msgcat_t *msgcat, int msgset, int msg,
+	     const char *format, va_list args)
+{
+	int syslog_level;
+	char time_string[64];
+	char level_string[24];
+	const char *iformat;
+	struct stat statbuf;
+	bool matched = false;
+	bool printtime, printtag, printcolon;
+	bool printcategory, printmodule, printlevel, buffered;
+	isc_logconfig_t *lcfg;
+	isc_logchannel_t *channel;
+	isc_logchannellist_t *category_channels;
+	isc_result_t result;
+
+	REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
+	REQUIRE(category != NULL);
+	REQUIRE(module != NULL);
+	REQUIRE(level != ISC_LOG_DYNAMIC);
+	REQUIRE(format != NULL);
+
+	/*
+	 * Programs can use libraries that use this logging code without
+	 * wanting to do any logging, thus the log context is allowed to
+	 * be non-existent.
+	 */
+	if (lctx == NULL)
+		return;
+
+	REQUIRE(category->id < lctx->category_count);
+	REQUIRE(module->id < lctx->module_count);
+
+	if (! isc_log_wouldlog(lctx, level))
+		return;
+
+	if (msgcat != NULL)
+		iformat = isc_msgcat_get(msgcat, msgset, msg, format);
+	else
+		iformat = format;
+
+	time_string[0]  = '\0';
+	level_string[0] = '\0';
+
+	LOCK(&lctx->lock);
+
+	lctx->buffer[0] = '\0';
+
+	lcfg = lctx->logconfig;
+
+	category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
+
+	/*
+	 * XXXDCL add duplicate filtering? (To not write multiple times to
+	 * the same source via various channels).
+	 */
+	do {
+		/*
+		 * If the channel list end was reached and a match was made,
+		 * everything is finished.
+		 */
+		if (category_channels == NULL && matched)
+			break;
+
+		if (category_channels == NULL && ! matched &&
+		    category_channels != ISC_LIST_HEAD(lcfg->channellists[0]))
+			/*
+			 * No category/module pair was explicitly configured.
+			 * Try the category named "default".
+			 */
+			category_channels =
+				ISC_LIST_HEAD(lcfg->channellists[0]);
+
+		if (category_channels == NULL && ! matched)
+			/*
+			 * No matching module was explicitly configured
+			 * for the category named "default".  Use the internal
+			 * default channel.
+			 */
+			category_channels = &default_channel;
+
+		if (category_channels->module != NULL &&
+		    category_channels->module != module) {
+			category_channels = ISC_LIST_NEXT(category_channels,
+							  link);
+			continue;
+		}
+
+		matched = true;
+
+		channel = category_channels->channel;
+		category_channels = ISC_LIST_NEXT(category_channels, link);
+
+		if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) &&
+		    lctx->debug_level == 0)
+			continue;
+
+		if (channel->level == ISC_LOG_DYNAMIC) {
+			if (lctx->debug_level < level)
+				continue;
+		} else if (channel->level < level)
+			continue;
+
+		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
+		    time_string[0] == '\0') {
+			isc_time_t isctime;
+
+			TIME_NOW(&isctime);
+			isc_time_formattimestamp(&isctime, time_string,
+						 sizeof(time_string));
+		}
+
+		if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
+		    level_string[0] == '\0') {
+			if (level < ISC_LOG_CRITICAL)
+				snprintf(level_string, sizeof(level_string),
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_LOG,
+							ISC_MSG_LEVEL,
+							"level %d: "),
+					 level);
+			else if (level > ISC_LOG_DYNAMIC)
+				snprintf(level_string, sizeof(level_string),
+					 "%s %d: ", log_level_strings[0],
+					 level);
+			else
+				snprintf(level_string, sizeof(level_string),
+					 "%s: ", log_level_strings[-level]);
+		}
+
+		/*
+		 * Only format the message once.
+		 */
+		if (lctx->buffer[0] == '\0') {
+			(void)vsnprintf(lctx->buffer, sizeof(lctx->buffer),
+					iformat, args);
+
+			/*
+			 * Check for duplicates.
+			 */
+			if (write_once) {
+				isc_logmessage_t *message, *next;
+				isc_time_t oldest;
+				isc_interval_t interval;
+				size_t size;
+
+				isc_interval_set(&interval,
+						 lcfg->duplicate_interval, 0);
+
+				/*
+				 * 'oldest' is the age of the oldest messages
+				 * which fall within the duplicate_interval
+				 * range.
+				 */
+				TIME_NOW(&oldest);
+				if (isc_time_subtract(&oldest, &interval,
+						      &oldest)
+				    != ISC_R_SUCCESS)
+					/*
+					 * Can't effectively do the checking
+					 * without having a valid time.
+					 */
+					message = NULL;
+				else
+					message = ISC_LIST_HEAD(lctx->messages);
+
+				while (message != NULL) {
+					if (isc_time_compare(&message->time,
+							     &oldest) < 0) {
+						/*
+						 * This message is older
+						 * than the duplicate_interval,
+						 * so it should be dropped from
+						 * the history.
+						 *
+						 * Setting the interval to be
+						 * to be longer will obviously
+						 * not cause the expired
+						 * message to spring back into
+						 * existence.
+						 */
+						next = ISC_LIST_NEXT(message,
+								     link);
+
+						ISC_LIST_UNLINK(lctx->messages,
+								message, link);
+
+						isc_mem_put(lctx->mctx,
+							message,
+							sizeof(*message) + 1 +
+							strlen(message->text));
+
+						message = next;
+						continue;
+					}
+
+					/*
+					 * This message is in the duplicate
+					 * filtering interval ...
+					 */
+					if (strcmp(lctx->buffer, message->text)
+					    == 0) {
+						/*
+						 * ... and it is a duplicate.
+						 * Unlock the mutex and
+						 * get the hell out of Dodge.
+						 */
+						UNLOCK(&lctx->lock);
+						return;
+					}
+
+					message = ISC_LIST_NEXT(message, link);
+				}
+
+				/*
+				 * It wasn't in the duplicate interval,
+				 * so add it to the message list.
+				 */
+				size = sizeof(isc_logmessage_t) +
+				       strlen(lctx->buffer) + 1;
+				message = isc_mem_get(lctx->mctx, size);
+				if (message != NULL) {
+					/*
+					 * Put the text immediately after
+					 * the struct.  The strcpy is safe.
+					 */
+					message->text = (char *)(message + 1);
+					size -= sizeof(isc_logmessage_t);
+					strlcpy(message->text, lctx->buffer,
+						size);
+
+					TIME_NOW(&message->time);
+
+					ISC_LINK_INIT(message, link);
+					ISC_LIST_APPEND(lctx->messages,
+							message, link);
+				}
+			}
+		}
+
+		printtime     = (channel->flags & ISC_LOG_PRINTTIME);
+		printtag      = ((channel->flags &
+				  (ISC_LOG_PRINTTAG|ISC_LOG_PRINTPREFIX))
+				 && lcfg->tag != NULL);
+		printcolon    = ((channel->flags & ISC_LOG_PRINTTAG)
+				 && lcfg->tag != NULL);
+		printcategory = (channel->flags & ISC_LOG_PRINTCATEGORY);
+		printmodule   = (channel->flags & ISC_LOG_PRINTMODULE);
+		printlevel    = (channel->flags & ISC_LOG_PRINTLEVEL);
+		buffered      = (channel->flags & ISC_LOG_BUFFERED);
+
+		switch (channel->type) {
+		case ISC_LOG_TOFILE:
+			if (FILE_MAXREACHED(channel)) {
+				/*
+				 * If the file can be rolled, OR
+				 * If the file no longer exists, OR
+				 * If the file is less than the maximum size,
+				 *    (such as if it had been renamed and
+				 *     a new one touched, or it was truncated
+				 *     in place)
+				 * ... then close it to trigger reopening.
+				 */
+				if (FILE_VERSIONS(channel) !=
+				    ISC_LOG_ROLLNEVER ||
+				    (stat(FILE_NAME(channel), &statbuf) != 0 &&
+				     errno == ENOENT) ||
+				    statbuf.st_size < FILE_MAXSIZE(channel)) {
+					(void)fclose(FILE_STREAM(channel));
+					FILE_STREAM(channel) = NULL;
+					FILE_MAXREACHED(channel) = false;
+				} else
+					/*
+					 * Eh, skip it.
+					 */
+					break;
+			}
+
+			if (FILE_STREAM(channel) == NULL) {
+				result = isc_log_open(channel);
+				if (result != ISC_R_SUCCESS &&
+				    result != ISC_R_MAXSIZE &&
+				    (channel->flags & ISC_LOG_OPENERR) == 0) {
+					syslog(LOG_ERR,
+					       "isc_log_open '%s' failed: %s",
+					       FILE_NAME(channel),
+					       isc_result_totext(result));
+					channel->flags |= ISC_LOG_OPENERR;
+				}
+				if (result != ISC_R_SUCCESS)
+					break;
+				channel->flags &= ~ISC_LOG_OPENERR;
+			}
+			/* FALLTHROUGH */
+
+		case ISC_LOG_TOFILEDESC:
+			fprintf(FILE_STREAM(channel),
+				"%s%s%s%s%s%s%s%s%s%s\n",
+				printtime     ? time_string	: "",
+				printtime     ? " "		: "",
+				printtag      ? lcfg->tag	: "",
+				printcolon    ? ": "		: "",
+				printcategory ? category->name	: "",
+				printcategory ? ": "		: "",
+				printmodule   ? (module != NULL ? module->name
+								: "no_module")
+								: "",
+				printmodule   ? ": "		: "",
+				printlevel    ? level_string	: "",
+				lctx->buffer);
+
+			if (!buffered)
+				fflush(FILE_STREAM(channel));
+
+			/*
+			 * If the file now exceeds its maximum size
+			 * threshold, note it so that it will not be logged
+			 * to any more.
+			 */
+			if (FILE_MAXSIZE(channel) > 0) {
+				INSIST(channel->type == ISC_LOG_TOFILE);
+
+				/* XXXDCL NT fstat/fileno */
+				/* XXXDCL complain if fstat fails? */
+				if (fstat(fileno(FILE_STREAM(channel)),
+					  &statbuf) >= 0 &&
+				    statbuf.st_size > FILE_MAXSIZE(channel))
+					FILE_MAXREACHED(channel) = true;
+			}
+
+			break;
+
+		case ISC_LOG_TOSYSLOG:
+			if (level > 0)
+				syslog_level = LOG_DEBUG;
+			else if (level < ISC_LOG_CRITICAL)
+				syslog_level = LOG_CRIT;
+			else
+				syslog_level = syslog_map[-level];
+
+			(void)syslog(FACILITY(channel) | syslog_level,
+			       "%s%s%s%s%s%s%s%s%s%s",
+			       printtime     ? time_string	: "",
+			       printtime     ? " "		: "",
+			       printtag      ? lcfg->tag	: "",
+			       printcolon    ? ": "		: "",
+			       printcategory ? category->name	: "",
+			       printcategory ? ": "		: "",
+			       printmodule   ? (module != NULL
+						 ? module->name
+						 : "no_module")
+								: "",
+			       printmodule   ? ": "		: "",
+			       printlevel    ? level_string	: "",
+			       lctx->buffer);
+			break;
+
+		case ISC_LOG_TONULL:
+			break;
+
+		}
+
+	} while (1);
+
+	UNLOCK(&lctx->lock);
+}
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
new file mode 100644
index 0000000..25c71a2
--- /dev/null
+++ b/lib/isc/md5.c
@@ -0,0 +1,395 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * This code implements the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest.  This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ */
+
+#include "config.h"
+
+#include <pk11/site.h>
+
+#ifndef PK11_MD5_DISABLE
+
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/md5.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/types.h>
+
+#if PKCS11CRYPTO
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#endif
+
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define EVP_MD_CTX_new() &(ctx->_ctx)
+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
+#endif
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+	ctx->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(ctx->ctx != NULL);
+	if (EVP_DigestInit(ctx->ctx, EVP_md5()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize MD5.");
+	}
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+	EVP_MD_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+	if (len == 0U)
+		return;
+	RUNTIME_CHECK(EVP_DigestUpdate(ctx->ctx,
+				       (const void *) buf,
+				       (size_t) len) == 1);
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+	RUNTIME_CHECK(EVP_DigestFinal(ctx->ctx, digest, NULL) == 1);
+	EVP_MD_CTX_free(ctx->ctx);
+	ctx->ctx = NULL;
+}
+
+#elif PKCS11CRYPTO
+
+void
+isc_md5_init(isc_md5_t *ctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_MD5, NULL, 0 };
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+	CK_BYTE garbage[ISC_MD5_DIGESTLENGTH];
+	CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(ctx);
+}
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+	CK_RV rv;
+	CK_ULONG len = ISC_MD5_DIGESTLENGTH;
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal,
+			(ctx->session, (CK_BYTE_PTR) digest, &len));
+	pk11_return_session(ctx);
+}
+
+#else
+
+static void
+byteSwap(uint32_t *buf, unsigned words)
+{
+	unsigned char *p = (unsigned char *)buf;
+
+	do {
+		*buf++ = (uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 |
+			((unsigned)p[1] << 8 | p[0]);
+		p += 4;
+	} while (--words);
+}
+
+/*!
+ * Start MD5 accumulation.  Set bit count to 0 and buffer to mysterious
+ * initialization constants.
+ */
+void
+isc_md5_init(isc_md5_t *ctx) {
+	ctx->buf[0] = 0x67452301;
+	ctx->buf[1] = 0xefcdab89;
+	ctx->buf[2] = 0x98badcfe;
+	ctx->buf[3] = 0x10325476;
+
+	ctx->bytes[0] = 0;
+	ctx->bytes[1] = 0;
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+	isc_safe_memwipe(ctx, sizeof(*ctx));
+}
+
+/*@{*/
+/*! The four core functions - F1 is optimized somewhat */
+
+/* #define F1(x, y, z) (x & y | ~x & z) */
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+/*@}*/
+
+/*! This is the central step in the MD5 algorithm. */
+#define MD5STEP(f,w,x,y,z,in,s) \
+	 (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
+
+/*!
+ * The core of the MD5 algorithm, this alters an existing MD5 hash to
+ * reflect the addition of 16 longwords of new data.  MD5Update blocks
+ * the data and converts bytes into longwords for this routine.
+ */
+static void
+transform(uint32_t buf[4], uint32_t const in[16]) {
+	register uint32_t a, b, c, d;
+
+	a = buf[0];
+	b = buf[1];
+	c = buf[2];
+	d = buf[3];
+
+	MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+	MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+	MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+	MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+	MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+	MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+	MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+	MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+	MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+	MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+	MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+	MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+	MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+	MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+	MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+	MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+
+	MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+	MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+	MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+	MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+	MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+	MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+	MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+	MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+	MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+	MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+	MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+	MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+	MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+	MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+	MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+	MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+
+	MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+	MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+	MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+	MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+	MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+	MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+	MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+	MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+	MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+	MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+	MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+	MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+	MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+	MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+	MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+	MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+
+	MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+	MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+	MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+	MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+	MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+	MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+	MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+	MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+	MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+	MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+	MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+	MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+	MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+	MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+	MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+	MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+
+	buf[0] += a;
+	buf[1] += b;
+	buf[2] += c;
+	buf[3] += d;
+}
+
+/*!
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+	uint32_t t;
+
+	/* Update byte count */
+
+	t = ctx->bytes[0];
+	if ((ctx->bytes[0] = t + len) < t)
+		ctx->bytes[1]++;	/* Carry from low to high */
+
+	t = 64 - (t & 0x3f);	/* Space available in ctx->in (at least 1) */
+	if (t > len) {
+		memmove((unsigned char *)ctx->in + 64 - t, buf, len);
+		return;
+	}
+	/* First chunk is an odd size */
+	memmove((unsigned char *)ctx->in + 64 - t, buf, t);
+	byteSwap(ctx->in, 16);
+	transform(ctx->buf, ctx->in);
+	buf += t;
+	len -= t;
+
+	/* Process data in 64-byte chunks */
+	while (len >= 64) {
+		memmove(ctx->in, buf, 64);
+		byteSwap(ctx->in, 16);
+		transform(ctx->buf, ctx->in);
+		buf += 64;
+		len -= 64;
+	}
+
+	/* Handle any remaining bytes of data. */
+	memmove(ctx->in, buf, len);
+}
+
+/*!
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * 1 0* (64-bit count of bits processed, MSB-first)
+ */
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+	int count = ctx->bytes[0] & 0x3f;    /* Number of bytes in ctx->in */
+	unsigned char *p = (unsigned char *)ctx->in + count;
+
+	/* Set the first char of padding to 0x80.  There is always room. */
+	*p++ = 0x80;
+
+	/* Bytes of padding needed to make 56 bytes (-8..55) */
+	count = 56 - 1 - count;
+
+	if (count < 0) {	/* Padding forces an extra block */
+		memset(p, 0, count + 8);
+		byteSwap(ctx->in, 16);
+		transform(ctx->buf, ctx->in);
+		p = (unsigned char *)ctx->in;
+		count = 56;
+	}
+	memset(p, 0, count);
+	byteSwap(ctx->in, 14);
+
+	/* Append length in bits and transform */
+	ctx->in[14] = ctx->bytes[0] << 3;
+	ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29;
+	transform(ctx->buf, ctx->in);
+
+	byteSwap(ctx->buf, 4);
+	memmove(digest, ctx->buf, 16);
+	isc_safe_memwipe(ctx, sizeof(*ctx));	/* In case it's sensitive */
+}
+#endif
+
+/*
+ * Check for MD5 support; if it does not work, raise a fatal error.
+ *
+ * Use "a" as the test vector.
+ *
+ * Standard use is testing false and result true.
+ * Testing use is testing true and result false;
+ */
+bool
+isc_md5_check(bool testing) {
+	isc_md5_t ctx;
+	unsigned char input = 'a';
+	unsigned char digest[ISC_MD5_DIGESTLENGTH];
+	unsigned char expected[] = {
+		0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
+		0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
+	};
+
+	INSIST(sizeof(expected) == ISC_MD5_DIGESTLENGTH);
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	if (testing) {
+		input ^= 0x01;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_md5_init(&ctx);
+	isc_md5_update(&ctx, &input, 1U);
+	isc_md5_final(&ctx, digest);
+
+	/*
+	 * Must return true in standard case, should return false for testing.
+	 */
+	return (memcmp(digest, expected, ISC_MD5_DIGESTLENGTH) == 0);
+}
+
+#else /* !PK11_MD5_DISABLE */
+#ifdef WIN32
+/* Make the Visual Studio linker happy */
+#include <isc/util.h>
+
+void isc_md5_final() { INSIST(0); }
+void isc_md5_init() { INSIST(0); }
+void isc_md5_invalidate() { INSIST(0); }
+void isc_md5_update() { INSIST(0); }
+void isc_md5_check() { INSIST(0); }
+#endif
+#endif /* PK11_MD5_DISABLE */
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
new file mode 100644
index 0000000..3fec795
--- /dev/null
+++ b/lib/isc/mem.c
@@ -0,0 +1,3015 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <limits.h>
+
+#include <isc/bind9.h>
+#include <isc/json.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/once.h>
+#include <isc/ondestroy.h>
+#include <isc/string.h>
+#include <isc/mutex.h>
+#include <isc/print.h>
+#include <isc/util.h>
+#include <isc/xml.h>
+
+#define MCTXLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) LOCK(l)
+#define MCTXUNLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) UNLOCK(l)
+
+#ifndef ISC_MEM_DEBUGGING
+#define ISC_MEM_DEBUGGING 0
+#endif
+LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
+LIBISC_EXTERNAL_DATA unsigned int isc_mem_defaultflags = ISC_MEMFLAG_DEFAULT;
+
+/*
+ * Constants.
+ */
+
+#define DEF_MAX_SIZE		1100
+#define DEF_MEM_TARGET		4096
+#define ALIGNMENT_SIZE		8U		/*%< must be a power of 2 */
+#define NUM_BASIC_BLOCKS	64		/*%< must be > 1 */
+#define TABLE_INCREMENT		1024
+#define DEBUGLIST_COUNT		1024
+
+/*
+ * Types.
+ */
+typedef struct isc__mem isc__mem_t;
+typedef struct isc__mempool isc__mempool_t;
+
+#if ISC_MEM_TRACKLINES
+typedef struct debuglink debuglink_t;
+struct debuglink {
+	ISC_LINK(debuglink_t)	link;
+	const void	       *ptr[DEBUGLIST_COUNT];
+	size_t			size[DEBUGLIST_COUNT];
+	const char	       *file[DEBUGLIST_COUNT];
+	unsigned int		line[DEBUGLIST_COUNT];
+	unsigned int		count;
+};
+
+#define FLARG_PASS	, file, line
+#define FLARG		, const char *file, unsigned int line
+#else
+#define FLARG_PASS
+#define FLARG
+#endif
+
+typedef struct element element;
+struct element {
+	element *		next;
+};
+
+typedef struct {
+	/*!
+	 * This structure must be ALIGNMENT_SIZE bytes.
+	 */
+	union {
+		size_t		size;
+		isc__mem_t	*ctx;
+		char		bytes[ALIGNMENT_SIZE];
+	} u;
+} size_info;
+
+struct stats {
+	unsigned long		gets;
+	unsigned long		totalgets;
+	unsigned long		blocks;
+	unsigned long		freefrags;
+};
+
+#define MEM_MAGIC		ISC_MAGIC('M', 'e', 'm', 'C')
+#define VALID_CONTEXT(c)	ISC_MAGIC_VALID(c, MEM_MAGIC)
+
+#if ISC_MEM_TRACKLINES
+typedef ISC_LIST(debuglink_t)	debuglist_t;
+#endif
+
+/* List of all active memory contexts. */
+
+static ISC_LIST(isc__mem_t)	contexts;
+
+static isc_once_t		once = ISC_ONCE_INIT;
+static isc_mutex_t		contextslock;
+static isc_mutex_t 		createlock;
+
+/*%
+ * Total size of lost memory due to a bug of external library.
+ * Locked by the global lock.
+ */
+static uint64_t		totallost;
+
+struct isc__mem {
+	isc_mem_t		common;
+	isc_ondestroy_t		ondestroy;
+	unsigned int		flags;
+	isc_mutex_t		lock;
+	isc_memalloc_t		memalloc;
+	isc_memfree_t		memfree;
+	void *			arg;
+	size_t			max_size;
+	bool		checkfree;
+	struct stats *		stats;
+	unsigned int		references;
+	char			name[16];
+	void *			tag;
+	size_t			quota;
+	size_t			total;
+	size_t			inuse;
+	size_t			maxinuse;
+	size_t			hi_water;
+	size_t			lo_water;
+	bool		hi_called;
+	bool		is_overmem;
+	isc_mem_water_t		water;
+	void *			water_arg;
+	ISC_LIST(isc__mempool_t) pools;
+	unsigned int		poolcnt;
+
+	/*  ISC_MEMFLAG_INTERNAL */
+	size_t			mem_target;
+	element **		freelists;
+	element *		basic_blocks;
+	unsigned char **	basic_table;
+	unsigned int		basic_table_count;
+	unsigned int		basic_table_size;
+	unsigned char *		lowest;
+	unsigned char *		highest;
+
+#if ISC_MEM_TRACKLINES
+	debuglist_t *	 	debuglist;
+	unsigned int		debuglistcnt;
+#endif
+
+	unsigned int		memalloc_failures;
+	ISC_LINK(isc__mem_t)	link;
+};
+
+#define MEMPOOL_MAGIC		ISC_MAGIC('M', 'E', 'M', 'p')
+#define VALID_MEMPOOL(c)	ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
+
+struct isc__mempool {
+	/* always unlocked */
+	isc_mempool_t	common;		/*%< common header of mempool's */
+	isc_mutex_t    *lock;		/*%< optional lock */
+	isc__mem_t      *mctx;		/*%< our memory context */
+	/*%< locked via the memory context's lock */
+	ISC_LINK(isc__mempool_t)	link;	/*%< next pool in this mem context */
+	/*%< optionally locked from here down */
+	element	       *items;		/*%< low water item list */
+	size_t		size;		/*%< size of each item on this pool */
+	unsigned int	maxalloc;	/*%< max number of items allowed */
+	unsigned int	allocated;	/*%< # of items currently given out */
+	unsigned int	freecount;	/*%< # of items on reserved list */
+	unsigned int	freemax;	/*%< # of items allowed on free list */
+	unsigned int	fillcount;	/*%< # of items to fetch on each fill */
+	/*%< Stats only. */
+	unsigned int	gets;		/*%< # of requests to this pool */
+	/*%< Debugging only. */
+#if ISC_MEMPOOL_NAMES
+	char		name[16];	/*%< printed name in stats reports */
+#endif
+};
+
+/*
+ * Private Inline-able.
+ */
+
+#if ! ISC_MEM_TRACKLINES
+#define ADD_TRACE(a, b, c, d, e)
+#define DELETE_TRACE(a, b, c, d, e)
+#define ISC_MEMFUNC_SCOPE
+#else
+#define TRACE_OR_RECORD (ISC_MEM_DEBUGTRACE|ISC_MEM_DEBUGRECORD)
+#define ADD_TRACE(a, b, c, d, e) \
+	do { \
+		if ((isc_mem_debugging & TRACE_OR_RECORD) != 0 && \
+		     b != NULL) \
+			 add_trace_entry(a, b, c, d, e); \
+	} while (0)
+#define DELETE_TRACE(a, b, c, d, e)					\
+	do {								\
+		if ((isc_mem_debugging & TRACE_OR_RECORD) != 0 &&	\
+		    b != NULL)						\
+			delete_trace_entry(a, b, c, d, e);		\
+	} while(0)
+
+static void
+print_active(isc__mem_t *ctx, FILE *out);
+
+#endif /* ISC_MEM_TRACKLINES */
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access
+ * from unit tests, etc.
+ */
+
+isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size,
+		 isc_mem_t **ctxp, unsigned int flags);
+void
+isc__mem_attach(isc_mem_t *source, isc_mem_t **targetp);
+void
+isc__mem_detach(isc_mem_t **ctxp);
+void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG);
+void
+isc__mem_destroy(isc_mem_t **ctxp);
+isc_result_t
+isc__mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event);
+void *
+isc___mem_get(isc_mem_t *ctx, size_t size FLARG);
+void
+isc___mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+void
+isc__mem_stats(isc_mem_t *ctx, FILE *out);
+void *
+isc___mem_allocate(isc_mem_t *ctx, size_t size FLARG);
+void *
+isc___mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG);
+void
+isc___mem_free(isc_mem_t *ctx, void *ptr FLARG);
+char *
+isc___mem_strdup(isc_mem_t *mctx, const char *s FLARG);
+void
+isc__mem_setdestroycheck(isc_mem_t *ctx, bool flag);
+void
+isc__mem_setquota(isc_mem_t *ctx, size_t quota);
+size_t
+isc__mem_getquota(isc_mem_t *ctx);
+size_t
+isc__mem_inuse(isc_mem_t *ctx);
+size_t
+isc__mem_maxinuse(isc_mem_t *ctx);
+size_t
+isc__mem_total(isc_mem_t *ctx);
+bool
+isc__mem_isovermem(isc_mem_t *ctx);
+void
+isc__mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+		  size_t hiwater, size_t lowater);
+void
+isc__mem_waterack(isc_mem_t *ctx0, int flag);
+void
+isc__mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+const char *
+isc__mem_getname(isc_mem_t *ctx);
+void *
+isc__mem_gettag(isc_mem_t *ctx);
+isc_result_t
+isc__mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+void
+isc__mempool_setname(isc_mempool_t *mpctx, const char *name);
+void
+isc__mempool_destroy(isc_mempool_t **mpctxp);
+void
+isc__mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
+void *
+isc___mempool_get(isc_mempool_t *mpctx FLARG);
+void
+isc___mempool_put(isc_mempool_t *mpctx, void *mem FLARG);
+void
+isc__mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+unsigned int
+isc__mempool_getfreemax(isc_mempool_t *mpctx);
+unsigned int
+isc__mempool_getfreecount(isc_mempool_t *mpctx);
+void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+unsigned int
+isc__mempool_getmaxalloc(isc_mempool_t *mpctx);
+unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx);
+void
+isc__mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+unsigned int
+isc__mempool_getfillcount(isc_mempool_t *mpctx);
+void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file);
+void
+isc__mem_printallactive(FILE *file);
+unsigned int
+isc__mem_references(isc_mem_t *ctx0);
+
+static struct isc__memmethods {
+	isc_memmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *createx, *create, *create2, *ondestroy, *stats,
+	     *setquota, *getquota, *setname, *getname, *gettag;
+} memmethods = {
+	{
+		isc__mem_attach,
+		isc__mem_detach,
+		isc__mem_destroy,
+		isc___mem_get,
+		isc___mem_put,
+		isc___mem_putanddetach,
+		isc___mem_allocate,
+		isc___mem_reallocate,
+		isc___mem_strdup,
+		isc___mem_free,
+		isc__mem_setdestroycheck,
+		isc__mem_setwater,
+		isc__mem_waterack,
+		isc__mem_inuse,
+		isc__mem_maxinuse,
+		isc__mem_total,
+		isc__mem_isovermem,
+		isc__mempool_create
+	},
+	(void *)isc_mem_createx,
+	(void *)isc_mem_create,
+	(void *)isc_mem_create2,
+	(void *)isc_mem_ondestroy,
+	(void *)isc_mem_stats,
+	(void *)isc_mem_setquota,
+	(void *)isc_mem_getquota,
+	(void *)isc_mem_setname,
+	(void *)isc_mem_getname,
+	(void *)isc_mem_gettag
+};
+
+static struct isc__mempoolmethods {
+	isc_mempoolmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *getfreemax, *getfreecount, *getmaxalloc, *getfillcount;
+} mempoolmethods = {
+	{
+		isc__mempool_destroy,
+		isc___mempool_get,
+		isc___mempool_put,
+		isc__mempool_getallocated,
+		isc__mempool_setmaxalloc,
+		isc__mempool_setfreemax,
+		isc__mempool_setname,
+		isc__mempool_associatelock,
+		isc__mempool_setfillcount
+	},
+	(void *)isc_mempool_getfreemax,
+	(void *)isc_mempool_getfreecount,
+	(void *)isc_mempool_getmaxalloc,
+	(void *)isc_mempool_getfillcount
+};
+
+#if ISC_MEM_TRACKLINES
+/*!
+ * mctx must be locked.
+ */
+static inline void
+add_trace_entry(isc__mem_t *mctx, const void *ptr, size_t size FLARG) {
+	debuglink_t *dl;
+	unsigned int i;
+	size_t mysize = size;
+
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
+		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					       ISC_MSG_ADDTRACE,
+					       "add %p size %u "
+					       "file %s line %u mctx %p\n"),
+			ptr, size, file, line, mctx);
+
+	if (mctx->debuglist == NULL)
+		return;
+
+	if (mysize > mctx->max_size)
+		mysize = mctx->max_size;
+
+	dl = ISC_LIST_HEAD(mctx->debuglist[mysize]);
+	while (dl != NULL) {
+		if (dl->count == DEBUGLIST_COUNT)
+			goto next;
+		for (i = 0; i < DEBUGLIST_COUNT; i++) {
+			if (dl->ptr[i] == NULL) {
+				dl->ptr[i] = ptr;
+				dl->size[i] = size;
+				dl->file[i] = file;
+				dl->line[i] = line;
+				dl->count++;
+				return;
+			}
+		}
+	next:
+		dl = ISC_LIST_NEXT(dl, link);
+	}
+
+	dl = malloc(sizeof(debuglink_t));
+	INSIST(dl != NULL);
+
+	ISC_LINK_INIT(dl, link);
+	for (i = 1; i < DEBUGLIST_COUNT; i++) {
+		dl->ptr[i] = NULL;
+		dl->size[i] = 0;
+		dl->file[i] = NULL;
+		dl->line[i] = 0;
+	}
+
+	dl->ptr[0] = ptr;
+	dl->size[0] = size;
+	dl->file[0] = file;
+	dl->line[0] = line;
+	dl->count = 1;
+
+	ISC_LIST_PREPEND(mctx->debuglist[mysize], dl, link);
+	mctx->debuglistcnt++;
+}
+
+static inline void
+delete_trace_entry(isc__mem_t *mctx, const void *ptr, size_t size,
+		   const char *file, unsigned int line)
+{
+	debuglink_t *dl;
+	unsigned int i;
+
+	if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
+		fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					       ISC_MSG_DELTRACE,
+					       "del %p size %u "
+					       "file %s line %u mctx %p\n"),
+			ptr, size, file, line, mctx);
+
+	if (mctx->debuglist == NULL)
+		return;
+
+	if (size > mctx->max_size)
+		size = mctx->max_size;
+
+	dl = ISC_LIST_HEAD(mctx->debuglist[size]);
+	while (dl != NULL) {
+		for (i = 0; i < DEBUGLIST_COUNT; i++) {
+			if (dl->ptr[i] == ptr) {
+				dl->ptr[i] = NULL;
+				dl->size[i] = 0;
+				dl->file[i] = NULL;
+				dl->line[i] = 0;
+
+				INSIST(dl->count > 0);
+				dl->count--;
+				if (dl->count == 0) {
+					ISC_LIST_UNLINK(mctx->debuglist[size],
+							dl, link);
+					free(dl);
+				}
+				return;
+			}
+		}
+		dl = ISC_LIST_NEXT(dl, link);
+	}
+
+	/*
+	 * If we get here, we didn't find the item on the list.  We're
+	 * screwed.
+	 */
+	INSIST(dl != NULL);
+}
+#endif /* ISC_MEM_TRACKLINES */
+
+static inline size_t
+rmsize(size_t size) {
+	/*
+	 * round down to ALIGNMENT_SIZE
+	 */
+	return (size & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static inline size_t
+quantize(size_t size) {
+	/*!
+	 * Round up the result in order to get a size big
+	 * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
+	 * byte boundaries.
+	 */
+
+	if (size == 0U)
+		return (ALIGNMENT_SIZE);
+	return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static inline bool
+more_basic_blocks(isc__mem_t *ctx) {
+	void *tmp;
+	unsigned char *curr, *next;
+	unsigned char *first, *last;
+	unsigned char **table;
+	unsigned int table_size;
+	size_t increment;
+	int i;
+
+	/* Require: we hold the context lock. */
+
+	/*
+	 * Did we hit the quota for this context?
+	 */
+	increment = NUM_BASIC_BLOCKS * ctx->mem_target;
+	if (ctx->quota != 0U && ctx->total + increment > ctx->quota)
+		return (false);
+
+	INSIST(ctx->basic_table_count <= ctx->basic_table_size);
+	if (ctx->basic_table_count == ctx->basic_table_size) {
+		table_size = ctx->basic_table_size + TABLE_INCREMENT;
+		table = (ctx->memalloc)(ctx->arg,
+					table_size * sizeof(unsigned char *));
+		if (table == NULL) {
+			ctx->memalloc_failures++;
+			return (false);
+		}
+		if (ctx->basic_table_size != 0) {
+			memmove(table, ctx->basic_table,
+				ctx->basic_table_size *
+				  sizeof(unsigned char *));
+			(ctx->memfree)(ctx->arg, ctx->basic_table);
+		}
+		ctx->basic_table = table;
+		ctx->basic_table_size = table_size;
+	}
+
+	tmp = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
+	if (tmp == NULL) {
+		ctx->memalloc_failures++;
+		return (false);
+	}
+	ctx->total += increment;
+	ctx->basic_table[ctx->basic_table_count] = tmp;
+	ctx->basic_table_count++;
+
+	curr = tmp;
+	next = curr + ctx->mem_target;
+	for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
+		((element *)curr)->next = (element *)next;
+		curr = next;
+		next += ctx->mem_target;
+	}
+	/*
+	 * curr is now pointing at the last block in the
+	 * array.
+	 */
+	((element *)curr)->next = NULL;
+	first = tmp;
+	last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
+	if (first < ctx->lowest || ctx->lowest == NULL)
+		ctx->lowest = first;
+	if (last > ctx->highest)
+		ctx->highest = last;
+	ctx->basic_blocks = tmp;
+
+	return (true);
+}
+
+static inline bool
+more_frags(isc__mem_t *ctx, size_t new_size) {
+	int i, frags;
+	size_t total_size;
+	void *tmp;
+	unsigned char *curr, *next;
+
+	/*!
+	 * Try to get more fragments by chopping up a basic block.
+	 */
+
+	if (ctx->basic_blocks == NULL) {
+		if (!more_basic_blocks(ctx)) {
+			/*
+			 * We can't get more memory from the OS, or we've
+			 * hit the quota for this context.
+			 */
+			/*
+			 * XXXRTH  "At quota" notification here.
+			 */
+			return (false);
+		}
+	}
+
+	total_size = ctx->mem_target;
+	tmp = ctx->basic_blocks;
+	ctx->basic_blocks = ctx->basic_blocks->next;
+	frags = (int)(total_size / new_size);
+	ctx->stats[new_size].blocks++;
+	ctx->stats[new_size].freefrags += frags;
+	/*
+	 * Set up a linked-list of blocks of size
+	 * "new_size".
+	 */
+	curr = tmp;
+	next = curr + new_size;
+	total_size -= new_size;
+	for (i = 0; i < (frags - 1); i++) {
+		((element *)curr)->next = (element *)next;
+		curr = next;
+		next += new_size;
+		total_size -= new_size;
+	}
+	/*
+	 * Add the remaining fragment of the basic block to a free list.
+	 */
+	total_size = rmsize(total_size);
+	if (total_size > 0U) {
+		((element *)next)->next = ctx->freelists[total_size];
+		ctx->freelists[total_size] = (element *)next;
+		ctx->stats[total_size].freefrags++;
+	}
+	/*
+	 * curr is now pointing at the last block in the
+	 * array.
+	 */
+	((element *)curr)->next = NULL;
+	ctx->freelists[new_size] = tmp;
+
+	return (true);
+}
+
+static inline void *
+mem_getunlocked(isc__mem_t *ctx, size_t size) {
+	size_t new_size = quantize(size);
+	void *ret;
+
+	if (new_size >= ctx->max_size) {
+		/*
+		 * memget() was called on something beyond our upper limit.
+		 */
+		if (ctx->quota != 0U && ctx->total + size > ctx->quota) {
+			ret = NULL;
+			goto done;
+		}
+		ret = (ctx->memalloc)(ctx->arg, size);
+		if (ret == NULL) {
+			ctx->memalloc_failures++;
+			goto done;
+		}
+		ctx->total += size;
+		ctx->inuse += size;
+		ctx->stats[ctx->max_size].gets++;
+		ctx->stats[ctx->max_size].totalgets++;
+		/*
+		 * If we don't set new_size to size, then the
+		 * ISC_MEM_FILL code might write over bytes we
+		 * don't own.
+		 */
+		new_size = size;
+		goto done;
+	}
+	/*
+	 * If there are no blocks in the free list for this size, get a chunk
+	 * of memory and then break it up into "new_size"-sized blocks, adding
+	 * them to the free list.
+	 */
+	if (ctx->freelists[new_size] == NULL && !more_frags(ctx, new_size))
+		return (NULL);
+
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
+
+	ret = ctx->freelists[new_size];
+	ctx->freelists[new_size] = ctx->freelists[new_size]->next;
+
+
+	/*
+	 * The stats[] uses the _actual_ "size" requested by the
+	 * caller, with the caveat (in the code above) that "size" >= the
+	 * max. size (max_size) ends up getting recorded as a call to
+	 * max_size.
+	 */
+	ctx->stats[size].gets++;
+	ctx->stats[size].totalgets++;
+	ctx->stats[new_size].freefrags--;
+	ctx->inuse += new_size;
+
+ done:
+
+#if ISC_MEM_FILL
+	if (ret != NULL)
+		memset(ret, 0xbe, new_size); /* Mnemonic for "beef". */
+#endif
+
+	return (ret);
+}
+
+#if ISC_MEM_FILL && ISC_MEM_CHECKOVERRUN
+static inline void
+check_overrun(void *mem, size_t size, size_t new_size) {
+	unsigned char *cp;
+
+	cp = (unsigned char *)mem;
+	cp += size;
+	while (size < new_size) {
+		INSIST(*cp == 0xbe);
+		cp++;
+		size++;
+	}
+}
+#endif
+
+/* coverity[+free : arg-1] */
+static inline void
+mem_putunlocked(isc__mem_t *ctx, void *mem, size_t size) {
+	size_t new_size = quantize(size);
+
+	if (new_size >= ctx->max_size) {
+		/*
+		 * memput() called on something beyond our upper limit.
+		 */
+#if ISC_MEM_FILL
+		memset(mem, 0xde, size); /* Mnemonic for "dead". */
+#endif
+		(ctx->memfree)(ctx->arg, mem);
+		INSIST(ctx->stats[ctx->max_size].gets != 0U);
+		ctx->stats[ctx->max_size].gets--;
+		INSIST(size <= ctx->inuse);
+		ctx->inuse -= size;
+		return;
+	}
+
+#if ISC_MEM_FILL
+#if ISC_MEM_CHECKOVERRUN
+	check_overrun(mem, size, new_size);
+#endif
+	memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
+#endif
+
+	/*
+	 * The free list uses the "rounded-up" size "new_size".
+	 */
+	((element *)mem)->next = ctx->freelists[new_size];
+	ctx->freelists[new_size] = (element *)mem;
+
+	/*
+	 * The stats[] uses the _actual_ "size" requested by the
+	 * caller, with the caveat (in the code above) that "size" >= the
+	 * max. size (max_size) ends up getting recorded as a call to
+	 * max_size.
+	 */
+	INSIST(ctx->stats[size].gets != 0U);
+	ctx->stats[size].gets--;
+	ctx->stats[new_size].freefrags++;
+	ctx->inuse -= new_size;
+}
+
+/*!
+ * Perform a malloc, doing memory filling and overrun detection as necessary.
+ */
+static inline void *
+mem_get(isc__mem_t *ctx, size_t size) {
+	char *ret;
+
+#if ISC_MEM_CHECKOVERRUN
+	size += 1;
+#endif
+
+	ret = (ctx->memalloc)(ctx->arg, size);
+	if (ret == NULL)
+		ctx->memalloc_failures++;
+
+#if ISC_MEM_FILL
+	if (ret != NULL)
+		memset(ret, 0xbe, size); /* Mnemonic for "beef". */
+#else
+#  if ISC_MEM_CHECKOVERRUN
+	if (ret != NULL)
+		ret[size-1] = 0xbe;
+#  endif
+#endif
+
+	return (ret);
+}
+
+/*!
+ * Perform a free, doing memory filling and overrun detection as necessary.
+ */
+/* coverity[+free : arg-1] */
+static inline void
+mem_put(isc__mem_t *ctx, void *mem, size_t size) {
+#if ISC_MEM_CHECKOVERRUN
+	INSIST(((unsigned char *)mem)[size] == 0xbe);
+#endif
+#if ISC_MEM_FILL
+	memset(mem, 0xde, size); /* Mnemonic for "dead". */
+#else
+	UNUSED(size);
+#endif
+	(ctx->memfree)(ctx->arg, mem);
+}
+
+/*!
+ * Update internal counters after a memory get.
+ */
+static inline void
+mem_getstats(isc__mem_t *ctx, size_t size) {
+	ctx->total += size;
+	ctx->inuse += size;
+
+	if (size > ctx->max_size) {
+		ctx->stats[ctx->max_size].gets++;
+		ctx->stats[ctx->max_size].totalgets++;
+	} else {
+		ctx->stats[size].gets++;
+		ctx->stats[size].totalgets++;
+	}
+}
+
+/*!
+ * Update internal counters after a memory put.
+ */
+static inline void
+mem_putstats(isc__mem_t *ctx, void *ptr, size_t size) {
+	UNUSED(ptr);
+
+	INSIST(ctx->inuse >= size);
+	ctx->inuse -= size;
+
+	if (size > ctx->max_size) {
+		INSIST(ctx->stats[ctx->max_size].gets > 0U);
+		ctx->stats[ctx->max_size].gets--;
+	} else {
+		INSIST(ctx->stats[size].gets > 0U);
+		ctx->stats[size].gets--;
+	}
+}
+
+/*
+ * Private.
+ */
+
+static void *
+default_memalloc(void *arg, size_t size) {
+	UNUSED(arg);
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+	UNUSED(arg);
+	free(ptr);
+}
+
+static void
+initialize_action(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_mutex_init(&contextslock) == ISC_R_SUCCESS);
+	ISC_LIST_INIT(contexts);
+	totallost = 0;
+}
+
+/*
+ * Public.
+ */
+
+isc_result_t
+isc_mem_createx(size_t init_max_size, size_t target_size,
+		 isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		 isc_mem_t **ctxp)
+{
+	return (isc_mem_createx2(init_max_size, target_size, memalloc, memfree,
+				 arg, ctxp, isc_mem_defaultflags));
+
+}
+
+isc_result_t
+isc_mem_createx2(size_t init_max_size, size_t target_size,
+		  isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+		  isc_mem_t **ctxp, unsigned int flags)
+{
+	isc__mem_t *ctx;
+	isc_result_t result;
+
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+	REQUIRE(memalloc != NULL);
+	REQUIRE(memfree != NULL);
+
+	INSIST((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0);
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	ctx = (memalloc)(arg, sizeof(*ctx));
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if ((flags & ISC_MEMFLAG_NOLOCK) == 0) {
+		result = isc_mutex_init(&ctx->lock);
+		if (result != ISC_R_SUCCESS) {
+			(memfree)(arg, ctx);
+			return (result);
+		}
+	}
+
+	if (init_max_size == 0U)
+		ctx->max_size = DEF_MAX_SIZE;
+	else
+		ctx->max_size = init_max_size;
+	ctx->flags = flags;
+	ctx->references = 1;
+	memset(ctx->name, 0, sizeof(ctx->name));
+	ctx->tag = NULL;
+	ctx->quota = 0;
+	ctx->total = 0;
+	ctx->inuse = 0;
+	ctx->maxinuse = 0;
+	ctx->hi_water = 0;
+	ctx->lo_water = 0;
+	ctx->hi_called = false;
+	ctx->is_overmem = false;
+	ctx->water = NULL;
+	ctx->water_arg = NULL;
+	ctx->common.impmagic = MEM_MAGIC;
+	ctx->common.magic = ISCAPI_MCTX_MAGIC;
+	ctx->common.methods = (isc_memmethods_t *)&memmethods;
+	isc_ondestroy_init(&ctx->ondestroy);
+	ctx->memalloc = memalloc;
+	ctx->memfree = memfree;
+	ctx->arg = arg;
+	ctx->stats = NULL;
+	ctx->checkfree = true;
+#if ISC_MEM_TRACKLINES
+	ctx->debuglist = NULL;
+	ctx->debuglistcnt = 0;
+#endif
+	ISC_LIST_INIT(ctx->pools);
+	ctx->poolcnt = 0;
+	ctx->freelists = NULL;
+	ctx->basic_blocks = NULL;
+	ctx->basic_table = NULL;
+	ctx->basic_table_count = 0;
+	ctx->basic_table_size = 0;
+	ctx->lowest = NULL;
+	ctx->highest = NULL;
+
+	ctx->stats = (memalloc)(arg,
+				(ctx->max_size+1) * sizeof(struct stats));
+	if (ctx->stats == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto error;
+	}
+	memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
+
+	if ((flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		if (target_size == 0U)
+			ctx->mem_target = DEF_MEM_TARGET;
+		else
+			ctx->mem_target = target_size;
+		ctx->freelists = (memalloc)(arg, ctx->max_size *
+						 sizeof(element *));
+		if (ctx->freelists == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto error;
+		}
+		memset(ctx->freelists, 0,
+		       ctx->max_size * sizeof(element *));
+	}
+
+#if ISC_MEM_TRACKLINES
+	if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
+		unsigned int i;
+
+		ctx->debuglist = (memalloc)(arg,
+				      (ctx->max_size+1) * sizeof(debuglist_t));
+		if (ctx->debuglist == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto error;
+		}
+		for (i = 0; i <= ctx->max_size; i++)
+			ISC_LIST_INIT(ctx->debuglist[i]);
+	}
+#endif
+
+	ctx->memalloc_failures = 0;
+
+	LOCK(&contextslock);
+	ISC_LIST_INITANDAPPEND(contexts, ctx, link);
+	UNLOCK(&contextslock);
+
+	*ctxp = (isc_mem_t *)ctx;
+	return (ISC_R_SUCCESS);
+
+  error:
+	if (ctx != NULL) {
+		if (ctx->stats != NULL)
+			(memfree)(arg, ctx->stats);
+		if (ctx->freelists != NULL)
+			(memfree)(arg, ctx->freelists);
+#if ISC_MEM_TRACKLINES
+		if (ctx->debuglist != NULL)
+			(ctx->memfree)(ctx->arg, ctx->debuglist);
+#endif /* ISC_MEM_TRACKLINES */
+		if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
+			DESTROYLOCK(&ctx->lock);
+		(memfree)(arg, ctx);
+	}
+
+	return (result);
+}
+
+static void
+destroy(isc__mem_t *ctx) {
+	unsigned int i;
+	isc_ondestroy_t ondest;
+
+	LOCK(&contextslock);
+	ISC_LIST_UNLINK(contexts, ctx, link);
+	totallost += ctx->inuse;
+	UNLOCK(&contextslock);
+
+	ctx->common.impmagic = 0;
+	ctx->common.magic = 0;
+
+	INSIST(ISC_LIST_EMPTY(ctx->pools));
+
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		if (ctx->checkfree) {
+			for (i = 0; i <= ctx->max_size; i++) {
+				if (!ISC_LIST_EMPTY(ctx->debuglist[i]))
+					print_active(ctx, stderr);
+				INSIST(ISC_LIST_EMPTY(ctx->debuglist[i]));
+			}
+		} else {
+			debuglink_t *dl;
+
+			for (i = 0; i <= ctx->max_size; i++)
+				for (dl = ISC_LIST_HEAD(ctx->debuglist[i]);
+				     dl != NULL;
+				     dl = ISC_LIST_HEAD(ctx->debuglist[i])) {
+					ISC_LIST_UNLINK(ctx->debuglist[i],
+							dl, link);
+					free(dl);
+				}
+		}
+		(ctx->memfree)(ctx->arg, ctx->debuglist);
+	}
+#endif
+	INSIST(ctx->references == 0);
+
+	if (ctx->checkfree) {
+		for (i = 0; i <= ctx->max_size; i++) {
+			if (ctx->stats[i].gets != 0U) {
+				fprintf(stderr,
+					"Failing assertion due to probable "
+					"leaked memory in context %p (\"%s\") "
+					"(stats[%u].gets == %lu).\n",
+					ctx, ctx->name, i, ctx->stats[i].gets);
+#if ISC_MEM_TRACKLINES
+				print_active(ctx, stderr);
+#endif
+				INSIST(ctx->stats[i].gets == 0U);
+			}
+		}
+	}
+
+	(ctx->memfree)(ctx->arg, ctx->stats);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		for (i = 0; i < ctx->basic_table_count; i++)
+			(ctx->memfree)(ctx->arg, ctx->basic_table[i]);
+		(ctx->memfree)(ctx->arg, ctx->freelists);
+		if (ctx->basic_table != NULL)
+			(ctx->memfree)(ctx->arg, ctx->basic_table);
+	}
+
+	ondest = ctx->ondestroy;
+
+	if ((ctx->flags & ISC_MEMFLAG_NOLOCK) == 0)
+		DESTROYLOCK(&ctx->lock);
+	(ctx->memfree)(ctx->arg, ctx);
+
+	isc_ondestroy_notify(&ondest, ctx);
+}
+
+void
+isc__mem_attach(isc_mem_t *source0, isc_mem_t **targetp) {
+	isc__mem_t *source = (isc__mem_t *)source0;
+
+	REQUIRE(VALID_CONTEXT(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	MCTXLOCK(source, &source->lock);
+	source->references++;
+	MCTXUNLOCK(source, &source->lock);
+
+	*targetp = (isc_mem_t *)source;
+}
+
+void
+isc__mem_detach(isc_mem_t **ctxp) {
+	isc__mem_t *ctx;
+	bool want_destroy = false;
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__mem_t *)*ctxp;
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+	INSIST(ctx->references > 0);
+	ctx->references--;
+	if (ctx->references == 0)
+		want_destroy = true;
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (want_destroy)
+		destroy(ctx);
+
+	*ctxp = NULL;
+}
+
+/*
+ * isc_mem_putanddetach() is the equivalent of:
+ *
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr);
+ * isc_mem_detach(&mctx);
+ */
+
+void
+isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx;
+	bool want_destroy = false;
+	size_info *si;
+	size_t oldsize;
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__mem_t *)*ctxp;
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(ptr != NULL);
+
+	/*
+	 * Must be before mem_putunlocked() as ctxp is usually within
+	 * [ptr..ptr+size).
+	 */
+	*ctxp = NULL;
+
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			si = &(((size_info *)ptr)[-1]);
+			oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+				oldsize -= ALIGNMENT_SIZE;
+			INSIST(oldsize == size);
+		}
+		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
+
+		MCTXLOCK(ctx, &ctx->lock);
+		ctx->references--;
+		if (ctx->references == 0)
+			want_destroy = true;
+		MCTXUNLOCK(ctx, &ctx->lock);
+		if (want_destroy)
+			destroy(ctx);
+
+		return;
+	}
+
+	MCTXLOCK(ctx, &ctx->lock);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_putstats(ctx, ptr, size);
+		mem_put(ctx, ptr, size);
+	}
+
+	INSIST(ctx->references > 0);
+	ctx->references--;
+	if (ctx->references == 0)
+		want_destroy = true;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (want_destroy)
+		destroy(ctx);
+}
+
+void
+isc__mem_destroy(isc_mem_t **ctxp) {
+	isc__mem_t *ctx;
+
+	/*
+	 * This routine provides legacy support for callers who use mctxs
+	 * without attaching/detaching.
+	 */
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__mem_t *)*ctxp;
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+#if ISC_MEM_TRACKLINES
+	if (ctx->references != 1)
+		print_active(ctx, stderr);
+#endif
+	REQUIRE(ctx->references == 1);
+	ctx->references--;
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	destroy(ctx);
+
+	*ctxp = NULL;
+}
+
+isc_result_t
+isc_mem_ondestroy(isc_mem_t *ctx0, isc_task_t *task, isc_event_t **event) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	isc_result_t res;
+
+	MCTXLOCK(ctx, &ctx->lock);
+	res = isc_ondestroy_register(&ctx->ondestroy, task, event);
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (res);
+}
+
+void *
+isc___mem_get(isc_mem_t *ctx0, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	void *ptr;
+	bool call_water = false;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0)
+		return (isc__mem_allocate(ctx0, size FLARG_PASS));
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		MCTXLOCK(ctx, &ctx->lock);
+		ptr = mem_getunlocked(ctx, size);
+	} else {
+		ptr = mem_get(ctx, size);
+		MCTXLOCK(ctx, &ctx->lock);
+		if (ptr != NULL)
+			mem_getstats(ctx, size);
+	}
+
+	ADD_TRACE(ctx, ptr, size, file, line);
+	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water) {
+		ctx->is_overmem = true;
+		if (!ctx->hi_called)
+			call_water = true;
+	}
+	if (ctx->inuse > ctx->maxinuse) {
+		ctx->maxinuse = ctx->inuse;
+		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
+			fprintf(stderr, "maxinuse = %lu\n",
+				(unsigned long)ctx->inuse);
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (call_water && (ctx->water != NULL))
+		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
+
+	return (ptr);
+}
+
+void
+isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	bool call_water = false;
+	size_info *si;
+	size_t oldsize;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(ptr != NULL);
+
+	if ((isc_mem_debugging & (ISC_MEM_DEBUGSIZE|ISC_MEM_DEBUGCTX)) != 0) {
+		if ((isc_mem_debugging & ISC_MEM_DEBUGSIZE) != 0) {
+			si = &(((size_info *)ptr)[-1]);
+			oldsize = si->u.size - ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+				oldsize -= ALIGNMENT_SIZE;
+			INSIST(oldsize == size);
+		}
+		isc__mem_free((isc_mem_t *)ctx, ptr FLARG_PASS);
+		return;
+	}
+
+	MCTXLOCK(ctx, &ctx->lock);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, ptr, size);
+	} else {
+		mem_putstats(ctx, ptr, size);
+		mem_put(ctx, ptr, size);
+	}
+
+	/*
+	 * The check against ctx->lo_water == 0 is for the condition
+	 * when the context was pushed over hi_water but then had
+	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
+	 */
+	if ((ctx->inuse < ctx->lo_water) || (ctx->lo_water == 0U)) {
+		ctx->is_overmem = false;
+		if (ctx->hi_called)
+			call_water = true;
+	}
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (call_water && (ctx->water != NULL))
+		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
+}
+
+void
+isc__mem_waterack(isc_mem_t *ctx0, int flag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+	if (flag == ISC_MEM_LOWATER)
+		ctx->hi_called = false;
+	else if (flag == ISC_MEM_HIWATER)
+		ctx->hi_called = true;
+	MCTXUNLOCK(ctx, &ctx->lock);
+}
+
+#if ISC_MEM_TRACKLINES
+static void
+print_active(isc__mem_t *mctx, FILE *out) {
+	if (mctx->debuglist != NULL) {
+		debuglink_t *dl;
+		unsigned int i, j;
+		const char *format;
+		bool found;
+
+		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					    ISC_MSG_DUMPALLOC,
+					    "Dump of all outstanding "
+					    "memory allocations:\n"));
+		found = false;
+		format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					ISC_MSG_PTRFILELINE,
+					"\tptr %p size %u file %s line %u\n");
+		for (i = 0; i <= mctx->max_size; i++) {
+			dl = ISC_LIST_HEAD(mctx->debuglist[i]);
+
+			if (dl != NULL)
+				found = true;
+
+			while (dl != NULL) {
+				for (j = 0; j < DEBUGLIST_COUNT; j++)
+					if (dl->ptr[j] != NULL)
+						fprintf(out, format,
+							dl->ptr[j],
+							dl->size[j],
+							dl->file[j],
+							dl->line[j]);
+				dl = ISC_LIST_NEXT(dl, link);
+			}
+		}
+		if (!found)
+			fputs(isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					     ISC_MSG_NONE, "\tNone.\n"), out);
+	}
+}
+#endif
+
+/*
+ * Print the stats[] on the stream "out" with suitable formatting.
+ */
+void
+isc_mem_stats(isc_mem_t *ctx0, FILE *out) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t i;
+	const struct stats *s;
+	const isc__mempool_t *pool;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	for (i = 0; i <= ctx->max_size; i++) {
+		s = &ctx->stats[i];
+
+		if (s->totalgets == 0U && s->gets == 0U)
+			continue;
+		fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
+			(i == ctx->max_size) ? ">=" : "  ",
+			(unsigned long) i, s->totalgets, s->gets);
+		if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0 &&
+		    (s->blocks != 0U || s->freefrags != 0U))
+			fprintf(out, " (%lu bl, %lu ff)",
+				s->blocks, s->freefrags);
+		fputc('\n', out);
+	}
+
+	/*
+	 * Note that since a pool can be locked now, these stats might be
+	 * somewhat off if the pool is in active use at the time the stats
+	 * are dumped.  The link fields are protected by the isc_mem_t's
+	 * lock, however, so walking this list and extracting integers from
+	 * stats fields is always safe.
+	 */
+	pool = ISC_LIST_HEAD(ctx->pools);
+	if (pool != NULL) {
+		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+					    ISC_MSG_POOLSTATS,
+					    "[Pool statistics]\n"));
+		fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLNAME, "name"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLSIZE, "size"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLMAXALLOC, "maxalloc"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLALLOCATED, "allocated"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLFREECOUNT, "freecount"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLFREEMAX, "freemax"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLFILLCOUNT, "fillcount"),
+			isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+				       ISC_MSG_POOLGETS, "gets"),
+			"L");
+	}
+	while (pool != NULL) {
+		fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
+#if ISC_MEMPOOL_NAMES
+			pool->name,
+#else
+			"(not tracked)",
+#endif
+			(unsigned long) pool->size, pool->maxalloc,
+			pool->allocated, pool->freecount, pool->freemax,
+			pool->fillcount, pool->gets,
+			(pool->lock == NULL ? "N" : "Y"));
+		pool = ISC_LIST_NEXT(pool, link);
+	}
+
+#if ISC_MEM_TRACKLINES
+	print_active(ctx, out);
+#endif
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+}
+
+/*
+ * Replacements for malloc() and free() -- they implicitly remember the
+ * size of the object allocated (with some additional overhead).
+ */
+
+static void *
+mem_allocateunlocked(isc_mem_t *ctx0, size_t size) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+
+	size += ALIGNMENT_SIZE;
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0)
+		size += ALIGNMENT_SIZE;
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0)
+		si = mem_getunlocked(ctx, size);
+	else
+		si = mem_get(ctx, size);
+
+	if (si == NULL)
+		return (NULL);
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+		si->u.ctx = ctx;
+		si++;
+	}
+	si->u.size = size;
+	return (&si[1]);
+}
+
+void *
+isc___mem_allocate(isc_mem_t *ctx0, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+	bool call_water = false;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+	si = mem_allocateunlocked((isc_mem_t *)ctx, size);
+	if (((ctx->flags & ISC_MEMFLAG_INTERNAL) == 0) && (si != NULL))
+		mem_getstats(ctx, si[-1].u.size);
+
+	ADD_TRACE(ctx, si, si[-1].u.size, file, line);
+	if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+	    !ctx->is_overmem) {
+		ctx->is_overmem = true;
+	}
+
+	if (ctx->hi_water != 0U && !ctx->hi_called &&
+	    ctx->inuse > ctx->hi_water) {
+		ctx->hi_called = true;
+		call_water = true;
+	}
+	if (ctx->inuse > ctx->maxinuse) {
+		ctx->maxinuse = ctx->inuse;
+		if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+		    (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
+			fprintf(stderr, "maxinuse = %lu\n",
+				(unsigned long)ctx->inuse);
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (call_water)
+		(ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
+
+	return (si);
+}
+
+void *
+isc___mem_reallocate(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	void *new_ptr = NULL;
+	size_t oldsize, copysize;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	/*
+	 * This function emulates the realloc(3) standard library function:
+	 * - if size > 0, allocate new memory; and if ptr is non NULL, copy
+	 *   as much of the old contents to the new buffer and free the old one.
+	 *   Note that when allocation fails the original pointer is intact;
+	 *   the caller must free it.
+	 * - if size is 0 and ptr is non NULL, simply free the given ptr.
+	 * - this function returns:
+	 *     pointer to the newly allocated memory, or
+	 *     NULL if allocation fails or doesn't happen.
+	 */
+	if (size > 0U) {
+		new_ptr = isc__mem_allocate(ctx0, size FLARG_PASS);
+		if (new_ptr != NULL && ptr != NULL) {
+			oldsize = (((size_info *)ptr)[-1]).u.size;
+			INSIST(oldsize >= ALIGNMENT_SIZE);
+			oldsize -= ALIGNMENT_SIZE;
+			if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+				INSIST(oldsize >= ALIGNMENT_SIZE);
+				oldsize -= ALIGNMENT_SIZE;
+			}
+			copysize = (oldsize > size) ? size : oldsize;
+			memmove(new_ptr, ptr, copysize);
+			isc__mem_free(ctx0, ptr FLARG_PASS);
+		}
+	} else if (ptr != NULL)
+		isc__mem_free(ctx0, ptr FLARG_PASS);
+
+	return (new_ptr);
+}
+
+void
+isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_info *si;
+	size_t size;
+	bool call_water= false;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(ptr != NULL);
+
+	if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) {
+		si = &(((size_info *)ptr)[-2]);
+		REQUIRE(si->u.ctx == ctx);
+		size = si[1].u.size;
+	} else {
+		si = &(((size_info *)ptr)[-1]);
+		size = si->u.size;
+	}
+
+	MCTXLOCK(ctx, &ctx->lock);
+
+	DELETE_TRACE(ctx, ptr, size, file, line);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		mem_putunlocked(ctx, si, size);
+	} else {
+		mem_putstats(ctx, si, size);
+		mem_put(ctx, si, size);
+	}
+
+	/*
+	 * The check against ctx->lo_water == 0 is for the condition
+	 * when the context was pushed over hi_water but then had
+	 * isc_mem_setwater() called with 0 for hi_water and lo_water.
+	 */
+	if (ctx->is_overmem &&
+	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
+		ctx->is_overmem = false;
+	}
+
+	if (ctx->hi_called &&
+	    (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
+		ctx->hi_called = false;
+
+		if (ctx->water != NULL)
+			call_water = true;
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (call_water)
+		(ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
+}
+
+
+/*
+ * Other useful things.
+ */
+
+char *
+isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	size_t len;
+	char *ns;
+
+	REQUIRE(VALID_CONTEXT(mctx));
+	REQUIRE(s != NULL);
+
+	len = strlen(s) + 1;
+
+	ns = isc__mem_allocate((isc_mem_t *)mctx, len FLARG_PASS);
+
+	if (ns != NULL)
+		strlcpy(ns, s, len);
+
+	return (ns);
+}
+
+void
+isc__mem_setdestroycheck(isc_mem_t *ctx0, bool flag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	ctx->checkfree = flag;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+}
+
+/*
+ * Quotas
+ */
+
+void
+isc_mem_setquota(isc_mem_t *ctx0, size_t quota) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	ctx->quota = quota;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+}
+
+size_t
+isc_mem_getquota(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t quota;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	quota = ctx->quota;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (quota);
+}
+
+size_t
+isc__mem_inuse(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t inuse;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	inuse = ctx->inuse;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (inuse);
+}
+
+size_t
+isc__mem_maxinuse(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t maxinuse;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	maxinuse = ctx->maxinuse;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (maxinuse);
+}
+
+size_t
+isc__mem_total(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	size_t total;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	total = ctx->total;
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (total);
+}
+
+void
+isc__mem_setwater(isc_mem_t *ctx0, isc_mem_water_t water, void *water_arg,
+		  size_t hiwater, size_t lowater)
+{
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	bool callwater = false;
+	isc_mem_water_t oldwater;
+	void *oldwater_arg;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(hiwater >= lowater);
+
+	MCTXLOCK(ctx, &ctx->lock);
+	oldwater = ctx->water;
+	oldwater_arg = ctx->water_arg;
+	if (water == NULL) {
+		callwater = ctx->hi_called;
+		ctx->water = NULL;
+		ctx->water_arg = NULL;
+		ctx->hi_water = 0;
+		ctx->lo_water = 0;
+	} else {
+		if (ctx->hi_called &&
+		    (ctx->water != water || ctx->water_arg != water_arg ||
+		     ctx->inuse < lowater || lowater == 0U))
+			callwater = true;
+		ctx->water = water;
+		ctx->water_arg = water_arg;
+		ctx->hi_water = hiwater;
+		ctx->lo_water = lowater;
+	}
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	if (callwater && oldwater != NULL)
+		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
+}
+
+bool
+isc__mem_isovermem(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	/*
+	 * We don't bother to lock the context because 100% accuracy isn't
+	 * necessary (and even if we locked the context the returned value
+	 * could be different from the actual state when it's used anyway)
+	 */
+	return (ctx->is_overmem);
+}
+
+void
+isc_mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	LOCK(&ctx->lock);
+	strlcpy(ctx->name, name, sizeof(ctx->name));
+	ctx->tag = tag;
+	UNLOCK(&ctx->lock);
+}
+
+const char *
+isc_mem_getname(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	if (ctx->name[0] == 0)
+		return ("");
+
+	return (ctx->name);
+}
+
+void *
+isc_mem_gettag(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	return (ctx->tag);
+}
+
+/*
+ * Memory pool stuff
+ */
+
+isc_result_t
+isc__mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
+	isc__mem_t *mctx = (isc__mem_t *)mctx0;
+	isc__mempool_t *mpctx;
+
+	REQUIRE(VALID_CONTEXT(mctx));
+	REQUIRE(size > 0U);
+	REQUIRE(mpctxp != NULL && *mpctxp == NULL);
+
+	/*
+	 * Allocate space for this pool, initialize values, and if all works
+	 * well, attach to the memory context.
+	 */
+	mpctx = isc_mem_get((isc_mem_t *)mctx, sizeof(isc__mempool_t));
+	if (mpctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	mpctx->common.methods = (isc_mempoolmethods_t *)&mempoolmethods;
+	mpctx->common.impmagic = MEMPOOL_MAGIC;
+	mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
+	mpctx->lock = NULL;
+	mpctx->mctx = mctx;
+	/*
+	 * Mempools are stored as a linked list of element.
+	 */
+	if (size < sizeof(element)) {
+		size = sizeof(element);
+	}
+	mpctx->size = size;
+	mpctx->maxalloc = UINT_MAX;
+	mpctx->allocated = 0;
+	mpctx->freecount = 0;
+	mpctx->freemax = 1;
+	mpctx->fillcount = 1;
+	mpctx->gets = 0;
+#if ISC_MEMPOOL_NAMES
+	mpctx->name[0] = 0;
+#endif
+	mpctx->items = NULL;
+
+	*mpctxp = (isc_mempool_t *)mpctx;
+
+	MCTXLOCK(mctx, &mctx->lock);
+	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
+	mctx->poolcnt++;
+	MCTXUNLOCK(mctx, &mctx->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	REQUIRE(name != NULL);
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+#if ISC_MEMPOOL_NAMES
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	strlcpy(mpctx->name, name, sizeof(mpctx->name));
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+#else
+	UNUSED(mpctx);
+	UNUSED(name);
+#endif
+}
+
+void
+isc__mempool_destroy(isc_mempool_t **mpctxp) {
+	isc__mempool_t *mpctx;
+	isc__mem_t *mctx;
+	isc_mutex_t *lock;
+	element *item;
+
+	REQUIRE(mpctxp != NULL);
+	mpctx = (isc__mempool_t *)*mpctxp;
+	REQUIRE(VALID_MEMPOOL(mpctx));
+#if ISC_MEMPOOL_NAMES
+	if (mpctx->allocated > 0)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc__mempool_destroy(): mempool %s "
+				 "leaked memory",
+				 mpctx->name);
+#endif
+	REQUIRE(mpctx->allocated == 0);
+
+	mctx = mpctx->mctx;
+
+	lock = mpctx->lock;
+
+	if (lock != NULL)
+		LOCK(lock);
+
+	/*
+	 * Return any items on the free list
+	 */
+	MCTXLOCK(mctx, &mctx->lock);
+	while (mpctx->items != NULL) {
+		INSIST(mpctx->freecount > 0);
+		mpctx->freecount--;
+		item = mpctx->items;
+		mpctx->items = item->next;
+
+		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+			mem_putunlocked(mctx, item, mpctx->size);
+		} else {
+			mem_putstats(mctx, item, mpctx->size);
+			mem_put(mctx, item, mpctx->size);
+		}
+	}
+	MCTXUNLOCK(mctx, &mctx->lock);
+
+	/*
+	 * Remove our linked list entry from the memory context.
+	 */
+	MCTXLOCK(mctx, &mctx->lock);
+	ISC_LIST_UNLINK(mctx->pools, mpctx, link);
+	mctx->poolcnt--;
+	MCTXUNLOCK(mctx, &mctx->lock);
+
+	mpctx->common.impmagic = 0;
+	mpctx->common.magic = 0;
+
+	isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
+
+	if (lock != NULL)
+		UNLOCK(lock);
+
+	*mpctxp = NULL;
+}
+
+void
+isc__mempool_associatelock(isc_mempool_t *mpctx0, isc_mutex_t *lock) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(mpctx->lock == NULL);
+	REQUIRE(lock != NULL);
+
+	mpctx->lock = lock;
+}
+
+void *
+isc___mempool_get(isc_mempool_t *mpctx0 FLARG) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	element *item;
+	isc__mem_t *mctx;
+	unsigned int i;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	mctx = mpctx->mctx;
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	/*
+	 * Don't let the caller go over quota
+	 */
+	if (ISC_UNLIKELY(mpctx->allocated >= mpctx->maxalloc)) {
+		item = NULL;
+		goto out;
+	}
+
+	if (ISC_UNLIKELY(mpctx->items == NULL)) {
+		/*
+		 * We need to dip into the well.  Lock the memory context
+		 * here and fill up our free list.
+		 */
+		MCTXLOCK(mctx, &mctx->lock);
+		for (i = 0; i < mpctx->fillcount; i++) {
+			if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+				item = mem_getunlocked(mctx, mpctx->size);
+			} else {
+				item = mem_get(mctx, mpctx->size);
+				if (item != NULL)
+					mem_getstats(mctx, mpctx->size);
+			}
+			if (ISC_UNLIKELY(item == NULL))
+				break;
+			item->next = mpctx->items;
+			mpctx->items = item;
+			mpctx->freecount++;
+		}
+		MCTXUNLOCK(mctx, &mctx->lock);
+	}
+
+	/*
+	 * If we didn't get any items, return NULL.
+	 */
+	item = mpctx->items;
+	if (ISC_UNLIKELY(item == NULL))
+		goto out;
+
+	mpctx->items = item->next;
+	INSIST(mpctx->freecount > 0);
+	mpctx->freecount--;
+	mpctx->gets++;
+	mpctx->allocated++;
+
+ out:
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+#if ISC_MEM_TRACKLINES
+	if (((isc_mem_debugging & TRACE_OR_RECORD) != 0) && item != NULL) {
+		MCTXLOCK(mctx, &mctx->lock);
+		ADD_TRACE(mctx, item, mpctx->size, file, line);
+		MCTXUNLOCK(mctx, &mctx->lock);
+	}
+#endif /* ISC_MEM_TRACKLINES */
+
+	return (item);
+}
+
+/* coverity[+free : arg-1] */
+void
+isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	isc__mem_t *mctx;
+	element *item;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+	REQUIRE(mem != NULL);
+
+	mctx = mpctx->mctx;
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	INSIST(mpctx->allocated > 0);
+	mpctx->allocated--;
+
+#if ISC_MEM_TRACKLINES
+	if ((isc_mem_debugging & TRACE_OR_RECORD) != 0) {
+		MCTXLOCK(mctx, &mctx->lock);
+		DELETE_TRACE(mctx, mem, mpctx->size, file, line);
+		MCTXUNLOCK(mctx, &mctx->lock);
+	}
+#endif /* ISC_MEM_TRACKLINES */
+
+	/*
+	 * If our free list is full, return this to the mctx directly.
+	 */
+	if (mpctx->freecount >= mpctx->freemax) {
+		MCTXLOCK(mctx, &mctx->lock);
+		if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+			mem_putunlocked(mctx, mem, mpctx->size);
+		} else {
+			mem_putstats(mctx, mem, mpctx->size);
+			mem_put(mctx, mem, mpctx->size);
+		}
+		MCTXUNLOCK(mctx, &mctx->lock);
+		if (mpctx->lock != NULL)
+			UNLOCK(mpctx->lock);
+		return;
+	}
+
+	/*
+	 * Otherwise, attach it to our free list and bump the counter.
+	 */
+	mpctx->freecount++;
+	item = (element *)mem;
+	item->next = mpctx->items;
+	mpctx->items = item;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+}
+
+/*
+ * Quotas
+ */
+
+void
+isc__mempool_setfreemax(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	mpctx->freemax = limit;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	unsigned int freemax;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	freemax = mpctx->freemax;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+	return (freemax);
+}
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	unsigned int freecount;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	freecount = mpctx->freecount;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+	return (freecount);
+}
+
+void
+isc__mempool_setmaxalloc(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	REQUIRE(limit > 0);
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	mpctx->maxalloc = limit;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	unsigned int maxalloc;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	maxalloc = mpctx->maxalloc;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+	return (maxalloc);
+}
+
+unsigned int
+isc__mempool_getallocated(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+	unsigned int allocated;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	allocated = mpctx->allocated;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+	return (allocated);
+}
+
+void
+isc__mempool_setfillcount(isc_mempool_t *mpctx0, unsigned int limit) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	REQUIRE(limit > 0);
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	mpctx->fillcount = limit;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx0) {
+	isc__mempool_t *mpctx = (isc__mempool_t *)mpctx0;
+
+	unsigned int fillcount;
+
+	REQUIRE(VALID_MEMPOOL(mpctx));
+
+	if (mpctx->lock != NULL)
+		LOCK(mpctx->lock);
+
+	fillcount = mpctx->fillcount;
+
+	if (mpctx->lock != NULL)
+		UNLOCK(mpctx->lock);
+
+	return (fillcount);
+}
+
+isc_result_t
+isc__mem_register(void) {
+	return (isc_mem_register(isc_mem_create2));
+}
+
+void
+isc__mem_printactive(isc_mem_t *ctx0, FILE *file) {
+#if ISC_MEM_TRACKLINES
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(file != NULL);
+
+	print_active(ctx, file);
+#else
+	UNUSED(ctx0);
+	UNUSED(file);
+#endif
+}
+
+void
+isc_mem_printallactive(FILE *file) {
+#if !ISC_MEM_TRACKLINES
+	UNUSED(file);
+#else
+	isc__mem_t *ctx;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&contextslock);
+	for (ctx = ISC_LIST_HEAD(contexts);
+	     ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link)) {
+		fprintf(file, "context: %p\n", ctx);
+		print_active(ctx, file);
+	}
+	UNLOCK(&contextslock);
+#endif
+}
+
+void
+isc_mem_checkdestroyed(FILE *file) {
+#if !ISC_MEM_TRACKLINES
+	UNUSED(file);
+#endif
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&contextslock);
+	if (!ISC_LIST_EMPTY(contexts)) {
+#if ISC_MEM_TRACKLINES
+		if ((isc_mem_debugging & TRACE_OR_RECORD) != 0) {
+			isc__mem_t *ctx;
+
+			for (ctx = ISC_LIST_HEAD(contexts);
+			     ctx != NULL;
+			     ctx = ISC_LIST_NEXT(ctx, link)) {
+				fprintf(file, "context: %p\n", ctx);
+				print_active(ctx, file);
+			}
+			fflush(file);
+		}
+#endif
+		INSIST(0);
+	}
+	UNLOCK(&contextslock);
+}
+
+unsigned int
+isc_mem_references(isc_mem_t *ctx0) {
+	isc__mem_t *ctx = (isc__mem_t *)ctx0;
+	unsigned int references;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+	references = ctx->references;
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (references);
+}
+
+typedef struct summarystat {
+	uint64_t	total;
+	uint64_t	inuse;
+	uint64_t	blocksize;
+	uint64_t	contextsize;
+} summarystat_t;
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+static int
+xml_renderctx(isc__mem_t *ctx, summarystat_t *summary,
+	      xmlTextWriterPtr writer)
+{
+	int xmlrc;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "context"));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%p", ctx));
+	TRY0(xmlTextWriterEndElement(writer)); /* id */
+
+	if (ctx->name[0] != 0) {
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "name"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s", ctx->name));
+		TRY0(xmlTextWriterEndElement(writer)); /* name */
+	}
+
+	summary->contextsize += sizeof(*ctx) +
+		(ctx->max_size + 1) * sizeof(struct stats) +
+		ctx->max_size * sizeof(element *) +
+		ctx->basic_table_count * sizeof(char *);
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		summary->contextsize +=
+			(ctx->max_size + 1) * sizeof(debuglist_t) +
+			ctx->debuglistcnt * sizeof(debuglink_t);
+	}
+#endif
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", ctx->references));
+	TRY0(xmlTextWriterEndElement(writer)); /* references */
+
+	summary->total += ctx->total;
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "total"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    (uint64_t)ctx->total));
+	TRY0(xmlTextWriterEndElement(writer)); /* total */
+
+	summary->inuse += ctx->inuse;
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "inuse"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    (uint64_t)ctx->inuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* inuse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxinuse"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    (uint64_t)ctx->maxinuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* maxinuse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "blocksize"));
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		summary->blocksize += ctx->basic_table_count *
+			NUM_BASIC_BLOCKS * ctx->mem_target;
+		TRY0(xmlTextWriterWriteFormatString(writer,
+					       "%" PRIu64,
+					       (uint64_t)
+					       ctx->basic_table_count *
+					       NUM_BASIC_BLOCKS *
+					       ctx->mem_target));
+	} else
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s", "-"));
+	TRY0(xmlTextWriterEndElement(writer)); /* blocksize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "pools"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%u", ctx->poolcnt));
+	TRY0(xmlTextWriterEndElement(writer)); /* pools */
+	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "hiwater"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    (uint64_t)ctx->hi_water));
+	TRY0(xmlTextWriterEndElement(writer)); /* hiwater */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "lowater"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64 "",
+					    (uint64_t)ctx->lo_water));
+	TRY0(xmlTextWriterEndElement(writer)); /* lowater */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* context */
+
+ error:
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (xmlrc);
+}
+
+int
+isc_mem_renderxml(xmlTextWriterPtr writer) {
+	isc__mem_t *ctx;
+	summarystat_t summary;
+	uint64_t lost;
+	int xmlrc;
+
+	memset(&summary, 0, sizeof(summary));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "contexts"));
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&contextslock);
+	lost = totallost;
+	for (ctx = ISC_LIST_HEAD(contexts);
+	     ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link)) {
+		xmlrc = xml_renderctx(ctx, &summary, writer);
+		if (xmlrc < 0) {
+			UNLOCK(&contextslock);
+			goto error;
+		}
+	}
+	UNLOCK(&contextslock);
+
+	TRY0(xmlTextWriterEndElement(writer)); /* contexts */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "summary"));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "TotalUse"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    summary.total));
+	TRY0(xmlTextWriterEndElement(writer)); /* TotalUse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "InUse"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    summary.inuse));
+	TRY0(xmlTextWriterEndElement(writer)); /* InUse */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "BlockSize"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    summary.blocksize));
+	TRY0(xmlTextWriterEndElement(writer)); /* BlockSize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "ContextSize"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    summary.contextsize));
+	TRY0(xmlTextWriterEndElement(writer)); /* ContextSize */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "Lost"));
+	TRY0(xmlTextWriterWriteFormatString(writer,
+					    "%" PRIu64,
+					    lost));
+	TRY0(xmlTextWriterEndElement(writer)); /* Lost */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* summary */
+ error:
+	return (xmlrc);
+}
+
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+#define CHECKMEM(m) do { \
+	if (m == NULL) { \
+		result = ISC_R_NOMEMORY;\
+		goto error;\
+	} \
+} while(0)
+
+static isc_result_t
+json_renderctx(isc__mem_t *ctx, summarystat_t *summary, json_object *array) {
+	isc_result_t result = ISC_R_FAILURE;
+	json_object *ctxobj, *obj;
+	char buf[1024];
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	REQUIRE(summary != NULL);
+	REQUIRE(array != NULL);
+
+	MCTXLOCK(ctx, &ctx->lock);
+
+	summary->contextsize += sizeof(*ctx) +
+		(ctx->max_size + 1) * sizeof(struct stats) +
+		ctx->max_size * sizeof(element *) +
+		ctx->basic_table_count * sizeof(char *);
+	summary->total += ctx->total;
+	summary->inuse += ctx->inuse;
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0)
+		summary->blocksize += ctx->basic_table_count *
+			NUM_BASIC_BLOCKS * ctx->mem_target;
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		summary->contextsize +=
+			(ctx->max_size + 1) * sizeof(debuglist_t) +
+			ctx->debuglistcnt * sizeof(debuglink_t);
+	}
+#endif
+
+	ctxobj = json_object_new_object();
+	CHECKMEM(ctxobj);
+
+	snprintf(buf, sizeof(buf), "%p", ctx);
+	obj = json_object_new_string(buf);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "id", obj);
+
+	if (ctx->name[0] != 0) {
+		obj = json_object_new_string(ctx->name);
+		CHECKMEM(obj);
+		json_object_object_add(ctxobj, "name", obj);
+	}
+
+	obj = json_object_new_int64(ctx->references);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "references", obj);
+
+	obj = json_object_new_int64(ctx->total);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "total", obj);
+
+	obj = json_object_new_int64(ctx->inuse);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "inuse", obj);
+
+	obj = json_object_new_int64(ctx->maxinuse);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "maxinuse", obj);
+
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		uint64_t blocksize;
+		blocksize = ctx->basic_table_count * NUM_BASIC_BLOCKS *
+			ctx->mem_target;
+		obj = json_object_new_int64(blocksize);
+		CHECKMEM(obj);
+		json_object_object_add(ctxobj, "blocksize", obj);
+	}
+
+	obj = json_object_new_int64(ctx->poolcnt);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "pools", obj);
+
+	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
+
+	obj = json_object_new_int64(ctx->hi_water);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "hiwater", obj);
+
+	obj = json_object_new_int64(ctx->lo_water);
+	CHECKMEM(obj);
+	json_object_object_add(ctxobj, "lowater", obj);
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+	json_object_array_add(array, ctxobj);
+	return (ISC_R_SUCCESS);
+
+ error:
+	MCTXUNLOCK(ctx, &ctx->lock);
+	if (ctxobj != NULL)
+		json_object_put(ctxobj);
+	return (result);
+}
+
+isc_result_t
+isc_mem_renderjson(json_object *memobj) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__mem_t *ctx;
+	summarystat_t summary;
+	uint64_t lost;
+	json_object *ctxarray, *obj;
+
+	memset(&summary, 0, sizeof(summary));
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	ctxarray = json_object_new_array();
+	CHECKMEM(ctxarray);
+
+	LOCK(&contextslock);
+	lost = totallost;
+	for (ctx = ISC_LIST_HEAD(contexts);
+	     ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link)) {
+		result = json_renderctx(ctx, &summary, ctxarray);
+		if (result != ISC_R_SUCCESS) {
+			UNLOCK(&contextslock);
+			goto error;
+		}
+	}
+	UNLOCK(&contextslock);
+
+	obj = json_object_new_int64(summary.total);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "TotalUse", obj);
+
+	obj = json_object_new_int64(summary.inuse);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "InUse", obj);
+
+	obj = json_object_new_int64(summary.blocksize);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "BlockSize", obj);
+
+	obj = json_object_new_int64(summary.contextsize);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "ContextSize", obj);
+
+	obj = json_object_new_int64(lost);
+	CHECKMEM(obj);
+	json_object_object_add(memobj, "Lost", obj);
+
+	json_object_object_add(memobj, "contexts", ctxarray);
+	return (ISC_R_SUCCESS);
+
+ error:
+	if (ctxarray != NULL)
+		json_object_put(ctxarray);
+	return (result);
+}
+#endif /* HAVE_JSON */
+
+static isc_memcreatefunc_t mem_createfunc = NULL;
+
+isc_result_t
+isc_mem_register(isc_memcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (mem_createfunc == NULL)
+		mem_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+
+isc_result_t
+isc__mem_create2(size_t init_max_size, size_t target_size, isc_mem_t **mctxp,
+		 unsigned int flags)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(mem_createfunc != NULL);
+	result = (*mem_createfunc)(init_max_size, target_size, mctxp, flags);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_mem_create(size_t init_max_size, size_t target_size, isc_mem_t **mctxp) {
+	isc_result_t result;
+
+	if (isc_bind9)
+		return (isc_mem_createx2(init_max_size, target_size,
+					 default_memalloc, default_memfree,
+					 NULL, mctxp, isc_mem_defaultflags));
+	LOCK(&createlock);
+
+	REQUIRE(mem_createfunc != NULL);
+	result = (*mem_createfunc)(init_max_size, target_size, mctxp,
+				   isc_mem_defaultflags);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_mem_create2(size_t init_max_size, size_t target_size, isc_mem_t **mctxp,
+		 unsigned int flags)
+{
+	if (isc_bind9)
+		return (isc_mem_createx2(init_max_size, target_size,
+					 default_memalloc, default_memfree,
+					 NULL, mctxp, flags));
+
+	return (isc_mem_createx2(init_max_size, target_size,
+				 default_memalloc, default_memfree,
+				 NULL, mctxp, flags));
+}
+
+void
+isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+	REQUIRE(ISCAPI_MCTX_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	if (isc_bind9)
+		isc__mem_attach(source, targetp);
+	else
+		source->methods->attach(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+isc_mem_detach(isc_mem_t **mctxp) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	if (isc_bind9)
+		isc__mem_detach(mctxp);
+	else
+		(*mctxp)->methods->detach(mctxp);
+
+	ENSURE(*mctxp == NULL);
+}
+
+void
+isc_mem_destroy(isc_mem_t **mctxp) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	if (isc_bind9)
+		isc__mem_destroy(mctxp);
+	else
+		(*mctxp)->methods->destroy(mctxp);
+
+	ENSURE(*mctxp == NULL);
+}
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx, bool flag) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	mctx->methods->setdestroycheck(mctx, flag);
+}
+
+void
+isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+		 size_t hiwater, size_t lowater)
+{
+	REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+	if (isc_bind9)
+		isc__mem_setwater(ctx, water, water_arg, hiwater, lowater);
+	else
+		ctx->methods->setwater(ctx, water, water_arg, hiwater, lowater);
+}
+
+void
+isc_mem_waterack(isc_mem_t *ctx, int flag) {
+	REQUIRE(ISCAPI_MCTX_VALID(ctx));
+
+	if (isc_bind9)
+		isc__mem_waterack(ctx, flag);
+	else
+		ctx->methods->waterack(ctx, flag);
+}
+
+size_t
+isc_mem_inuse(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc__mem_inuse(mctx));
+
+	return (mctx->methods->inuse(mctx));
+}
+
+size_t
+isc_mem_maxinuse(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc__mem_maxinuse(mctx));
+
+	return (mctx->methods->maxinuse(mctx));
+}
+
+size_t
+isc_mem_total(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc__mem_total(mctx));
+
+	return (mctx->methods->total(mctx));
+}
+
+bool
+isc_mem_isovermem(isc_mem_t *mctx) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc__mem_isovermem(mctx));
+
+	return (mctx->methods->isovermem(mctx));
+}
+
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	return (mctx->methods->mpcreate(mctx, size, mpctxp));
+}
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
+	REQUIRE(mpctxp != NULL && ISCAPI_MPOOL_VALID(*mpctxp));
+
+	if (isc_bind9)
+		isc__mempool_destroy(mpctxp);
+	else
+		(*mpctxp)->methods->destroy(mpctxp);
+
+	ENSURE(*mpctxp == NULL);
+}
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		return (isc__mempool_getallocated(mpctx));
+
+	return (mpctx->methods->getallocated(mpctx));
+}
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc__mempool_setmaxalloc(mpctx, limit);
+	else
+		mpctx->methods->setmaxalloc(mpctx, limit);
+}
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc__mempool_setfreemax(mpctx, limit);
+	else
+		mpctx->methods->setfreemax(mpctx, limit);
+}
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc__mempool_setname(mpctx, name);
+	else
+		mpctx->methods->setname(mpctx, name);
+}
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc__mempool_associatelock(mpctx, lock);
+	else
+		mpctx->methods->associatelock(mpctx, lock);
+}
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc__mempool_setfillcount(mpctx, limit);
+	else
+		mpctx->methods->setfillcount(mpctx, limit);
+}
+
+void *
+isc__mem_get(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc___mem_get(mctx, size FLARG_PASS));
+
+	return (mctx->methods->memget(mctx, size FLARG_PASS));
+
+}
+
+void
+isc__mem_put(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		isc___mem_put(mctx, ptr, size FLARG_PASS);
+	else
+		mctx->methods->memput(mctx, ptr, size FLARG_PASS);
+}
+
+void
+isc__mem_putanddetach(isc_mem_t **mctxp, void *ptr, size_t size FLARG) {
+	REQUIRE(mctxp != NULL && ISCAPI_MCTX_VALID(*mctxp));
+
+	if (isc_bind9)
+		isc___mem_putanddetach(mctxp, ptr, size FLARG_PASS);
+	else
+		(*mctxp)->methods->memputanddetach(mctxp, ptr, size FLARG_PASS);
+
+	/*
+	 * XXX: We cannot always ensure *mctxp == NULL here
+	 * (see lib/isc/mem.c).
+	 */
+}
+
+void *
+isc__mem_allocate(isc_mem_t *mctx, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc___mem_allocate(mctx, size FLARG_PASS));
+
+	return (mctx->methods->memallocate(mctx, size FLARG_PASS));
+}
+
+void *
+isc__mem_reallocate(isc_mem_t *mctx, void *ptr, size_t size FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc___mem_reallocate(mctx, ptr, size FLARG_PASS));
+
+	return (mctx->methods->memreallocate(mctx, ptr, size FLARG_PASS));
+}
+
+char *
+isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		return (isc___mem_strdup(mctx, s FLARG_PASS));
+
+	return (mctx->methods->memstrdup(mctx, s FLARG_PASS));
+}
+
+void
+isc__mem_free(isc_mem_t *mctx, void *ptr FLARG) {
+	REQUIRE(ISCAPI_MCTX_VALID(mctx));
+
+	if (isc_bind9)
+		isc___mem_free(mctx, ptr FLARG_PASS);
+	else
+		mctx->methods->memfree(mctx, ptr FLARG_PASS);
+}
+
+void *
+isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		return (isc___mempool_get(mpctx FLARG_PASS));
+
+	return (mpctx->methods->get(mpctx FLARG_PASS));
+}
+
+void
+isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
+	REQUIRE(ISCAPI_MPOOL_VALID(mpctx));
+
+	if (isc_bind9)
+		isc___mempool_put(mpctx, mem FLARG_PASS);
+	else
+		mpctx->methods->put(mpctx, mem FLARG_PASS);
+}
diff --git a/lib/isc/mips/Makefile.in b/lib/isc/mips/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/mips/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/mips/include/Makefile.in b/lib/isc/mips/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/mips/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/mips/include/isc/Makefile.in b/lib/isc/mips/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/mips/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/mips/include/isc/atomic.h b/lib/isc/mips/include/isc/atomic.h
new file mode 100644
index 0000000..caba82f
--- /dev/null
+++ b/lib/isc/mips/include/isc/atomic.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline int32_t
+isc_atomic_xadd(int32_t *p, int val) {
+	int32_t orig;
+
+	__asm__ __volatile__ (
+	"	.set	push		\n"
+	"	.set	mips2		\n"
+	"	.set	noreorder	\n"
+	"	.set	noat		\n"
+	"1:	ll	$1, %1		\n"
+	"	addu	%0, $1, %2	\n"
+	"	sc	%0, %1		\n"
+	"	beqz	%0, 1b		\n"
+	"	move	%0, $1		\n"
+	"	.set	pop		\n"
+	: "=&r" (orig), "+R" (*p)
+	: "r" (val)
+	: "memory");
+
+	return (orig);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(int32_t *p, int32_t val) {
+	*p = val;
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int cmpval, int val) {
+	int32_t orig;
+	int32_t tmp;
+
+	__asm__ __volatile__ (
+	"	.set	push		\n"
+	"	.set	mips2		\n"
+	"	.set	noreorder	\n"
+	"	.set	noat		\n"
+	"1:	ll	$1, %1		\n"
+	"	bne	$1, %3, 2f	\n"
+	"	move	%2, %4		\n"
+	"	sc	%2, %1		\n"
+	"	beqz	%2, 1b		\n"
+	"2:	move	%0, $1		\n"
+	"	.set	pop		\n"
+	: "=&r"(orig), "+R" (*p), "=r" (tmp)
+	: "r"(cmpval), "r"(val)
+	: "memory");
+
+	return (orig);
+}
+
+#else /* !ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
new file mode 100644
index 0000000..6a629e7
--- /dev/null
+++ b/lib/isc/mutexblock.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/mutexblock.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
+	isc_result_t result;
+	unsigned int i;
+
+	for (i = 0; i < count; i++) {
+		result = isc_mutex_init(&block[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (i > 0U) {
+				i--;
+				DESTROYLOCK(&block[i]);
+			}
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
+	isc_result_t result;
+	unsigned int i;
+
+	for (i = 0; i < count; i++) {
+		result = isc_mutex_destroy(&block[i]);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
new file mode 100644
index 0000000..81851a0
--- /dev/null
+++ b/lib/isc/netaddr.c
@@ -0,0 +1,458 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+bool
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->family != b->family)
+		return (false);
+
+	if (a->zone != b->zone)
+		return (false);
+
+	switch (a->family) {
+	case AF_INET:
+		if (a->type.in.s_addr != b->type.in.s_addr)
+			return (false);
+		break;
+	case AF_INET6:
+		if (memcmp(&a->type.in6, &b->type.in6,
+			   sizeof(a->type.in6)) != 0 ||
+		    a->zone != b->zone)
+			return (false);
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		if (strcmp(a->type.un, b->type.un) != 0)
+			return (false);
+		break;
+#endif
+	default:
+		return (false);
+	}
+	return (true);
+}
+
+bool
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+		     unsigned int prefixlen)
+{
+	const unsigned char *pa = NULL, *pb = NULL;
+	unsigned int ipabytes = 0; /* Length of whole IP address in bytes */
+	unsigned int nbytes;       /* Number of significant whole bytes */
+	unsigned int nbits;        /* Number of significant leftover bits */
+
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->family != b->family)
+		return (false);
+
+	if (a->zone != b->zone && b->zone != 0)
+		return (false);
+
+	switch (a->family) {
+	case AF_INET:
+		pa = (const unsigned char *) &a->type.in;
+		pb = (const unsigned char *) &b->type.in;
+		ipabytes = 4;
+		break;
+	case AF_INET6:
+		pa = (const unsigned char *) &a->type.in6;
+		pb = (const unsigned char *) &b->type.in6;
+		ipabytes = 16;
+		break;
+	default:
+		return (false);
+	}
+
+	/*
+	 * Don't crash if we get a pattern like 10.0.0.1/9999999.
+	 */
+	if (prefixlen > ipabytes * 8)
+		prefixlen = ipabytes * 8;
+
+	nbytes = prefixlen / 8;
+	nbits = prefixlen % 8;
+
+	if (nbytes > 0) {
+		if (memcmp(pa, pb, nbytes) != 0)
+			return (false);
+	}
+	if (nbits > 0) {
+		unsigned int bytea, byteb, mask;
+		INSIST(nbytes < ipabytes);
+		INSIST(nbits < 8);
+		bytea = pa[nbytes];
+		byteb = pb[nbytes];
+		mask = (0xFF << (8-nbits)) & 0xFF;
+		if ((bytea & mask) != (byteb & mask))
+			return (false);
+	}
+	return (true);
+}
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
+	char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
+	char zbuf[sizeof("%4294967295")];
+	unsigned int alen;
+	int zlen;
+	const char *r;
+	const void *type;
+
+	REQUIRE(netaddr != NULL);
+
+	switch (netaddr->family) {
+	case AF_INET:
+		type = &netaddr->type.in;
+		break;
+	case AF_INET6:
+		type = &netaddr->type.in6;
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		alen = strlen(netaddr->type.un);
+		if (alen > isc_buffer_availablelength(target))
+			return (ISC_R_NOSPACE);
+		isc_buffer_putmem(target,
+				  (const unsigned char *)(netaddr->type.un),
+				  alen);
+		return (ISC_R_SUCCESS);
+#endif
+	default:
+		return (ISC_R_FAILURE);
+	}
+	r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
+	if (r == NULL)
+		return (ISC_R_FAILURE);
+
+	alen = strlen(abuf);
+	INSIST(alen < sizeof(abuf));
+
+	zlen = 0;
+	if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
+		zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
+		if (zlen < 0)
+			return (ISC_R_FAILURE);
+		INSIST((unsigned int)zlen < sizeof(zbuf));
+	}
+
+	if (alen + zlen > isc_buffer_availablelength(target))
+		return (ISC_R_NOSPACE);
+
+	isc_buffer_putmem(target, (unsigned char *)abuf, alen);
+	isc_buffer_putmem(target, (unsigned char *)zbuf, (unsigned int)zlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	isc_buffer_init(&buf, array, size);
+	result = isc_netaddr_totext(na, &buf);
+
+	if (size == 0)
+		return;
+
+	/*
+	 * Null terminate.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		if (isc_buffer_availablelength(&buf) >= 1)
+			isc_buffer_putuint8(&buf, 0);
+		else
+			result = ISC_R_NOSPACE;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		snprintf(array, size,
+			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
+					ISC_MSG_UNKNOWNADDR,
+					"<unknown address, family %u>"),
+			 na->family);
+		array[size - 1] = '\0';
+	}
+}
+
+
+isc_result_t
+isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) {
+	static const unsigned char zeros[16];
+	unsigned int nbits, nbytes, ipbytes = 0;
+	const unsigned char *p;
+
+	switch (na->family) {
+	case AF_INET:
+		p = (const unsigned char *) &na->type.in;
+		ipbytes = 4;
+		if (prefixlen > 32)
+			return (ISC_R_RANGE);
+		break;
+	case AF_INET6:
+		p = (const unsigned char *) &na->type.in6;
+		ipbytes = 16;
+		if (prefixlen > 128)
+			return (ISC_R_RANGE);
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	nbytes = prefixlen / 8;
+	nbits = prefixlen % 8;
+	if (nbits != 0) {
+		INSIST(nbytes < ipbytes);
+		if ((p[nbytes] & (0xff>>nbits)) != 0U)
+			return (ISC_R_FAILURE);
+		nbytes++;
+	}
+	if (nbytes < ipbytes && memcmp(p + nbytes, zeros, ipbytes - nbytes) != 0)
+		return (ISC_R_FAILURE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
+	unsigned int nbits = 0, nbytes = 0, ipbytes = 0, i;
+	const unsigned char *p;
+
+	switch (s->family) {
+	case AF_INET:
+		p = (const unsigned char *) &s->type.in;
+		ipbytes = 4;
+		break;
+	case AF_INET6:
+		p = (const unsigned char *) &s->type.in6;
+		ipbytes = 16;
+		break;
+	default:
+		return (ISC_R_NOTIMPLEMENTED);
+	}
+	for (i = 0; i < ipbytes; i++) {
+		if (p[i] != 0xFF)
+			break;
+	}
+	nbytes = i;
+	if (i < ipbytes) {
+		unsigned int c = p[nbytes];
+		while ((c & 0x80) != 0 && nbits < 8) {
+			c <<= 1; nbits++;
+		}
+		if ((c & 0xFF) != 0)
+			return (ISC_R_MASKNONCONTIG);
+		i++;
+	}
+	for (; i < ipbytes; i++) {
+		if (p[i] != 0)
+			return (ISC_R_MASKNONCONTIG);
+	}
+	*lenp = nbytes * 8 + nbits;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET;
+	netaddr->type.in = *ina;
+}
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET6;
+	netaddr->type.in6 = *ina6;
+}
+
+isc_result_t
+isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	if (strlen(path) > sizeof(netaddr->type.un) - 1)
+		return (ISC_R_NOSPACE);
+
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_UNIX;
+	strlcpy(netaddr->type.un, path, sizeof(netaddr->type.un));
+	netaddr->zone = 0;
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(netaddr);
+	UNUSED(path);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, uint32_t zone) {
+	/* we currently only support AF_INET6. */
+	REQUIRE(netaddr->family == AF_INET6);
+
+	netaddr->zone = zone;
+}
+
+uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
+	return (netaddr->zone);
+}
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
+	int family = s->type.sa.sa_family;
+	t->family = family;
+	switch (family) {
+	case AF_INET:
+		t->type.in = s->type.sin.sin_addr;
+		t->zone = 0;
+		break;
+	case AF_INET6:
+		memmove(&t->type.in6, &s->type.sin6.sin6_addr, 16);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		t->zone = s->type.sin6.sin6_scope_id;
+#else
+		t->zone = 0;
+#endif
+		break;
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	case AF_UNIX:
+		memmove(t->type.un, s->type.sunix.sun_path, sizeof(t->type.un));
+		t->zone = 0;
+		break;
+#endif
+	default:
+		INSIST(0);
+	}
+}
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET;
+	netaddr->type.in.s_addr = INADDR_ANY;
+}
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr) {
+	memset(netaddr, 0, sizeof(*netaddr));
+	netaddr->family = AF_INET6;
+	netaddr->type.in6 = in6addr_any;
+}
+
+bool
+isc_netaddr_ismulticast(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISMULTICAST(na->type.in.s_addr));
+	case AF_INET6:
+		return (IN6_IS_ADDR_MULTICAST(&na->type.in6));
+	default:
+		return (false);  /* XXXMLG ? */
+	}
+}
+
+bool
+isc_netaddr_isexperimental(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISEXPERIMENTAL(na->type.in.s_addr));
+	default:
+		return (false);  /* XXXMLG ? */
+	}
+}
+
+bool
+isc_netaddr_islinklocal(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (false);
+	case AF_INET6:
+		return (IN6_IS_ADDR_LINKLOCAL(&na->type.in6));
+	default:
+		return (false);
+	}
+}
+
+bool
+isc_netaddr_issitelocal(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (false);
+	case AF_INET6:
+		return (IN6_IS_ADDR_SITELOCAL(&na->type.in6));
+	default:
+		return (false);
+	}
+}
+
+#define ISC_IPADDR_ISNETZERO(i) \
+	       (((uint32_t)(i) & ISC__IPADDR(0xff000000)) \
+		== ISC__IPADDR(0x00000000))
+
+bool
+isc_netaddr_isnetzero(isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_IPADDR_ISNETZERO(na->type.in.s_addr));
+	case AF_INET6:
+		return (false);
+	default:
+		return (false);
+	}
+}
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
+	isc_netaddr_t *src;
+
+	DE_CONST(s, src);	/* Must come before IN6_IS_ADDR_V4MAPPED. */
+
+	REQUIRE(s->family == AF_INET6);
+	REQUIRE(IN6_IS_ADDR_V4MAPPED(&src->type.in6));
+
+	memset(t, 0, sizeof(*t));
+	t->family = AF_INET;
+	memmove(&t->type.in, (char *)&src->type.in6 + 12, 4);
+	return;
+}
+
+bool
+isc_netaddr_isloopback(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return ((ntohl(na->type.in.s_addr) & 0xff000000U) ==
+			0x7f000000U);
+	case AF_INET6:
+		return (IN6_IS_ADDR_LOOPBACK(&na->type.in6));
+	default:
+		return (false);
+	}
+}
diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c
new file mode 100644
index 0000000..1c51d35
--- /dev/null
+++ b/lib/isc/netscope.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/string.h>
+#include <isc/net.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, uint32_t *zoneid) {
+	char *ep;
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	unsigned int ifid;
+	struct in6_addr *in6;
+#endif
+	uint32_t zone;
+	uint64_t llz;
+
+	/* at this moment, we only support AF_INET6 */
+	if (af != AF_INET6)
+		return (ISC_R_FAILURE);
+
+	/*
+	 * Basically, "names" are more stable than numeric IDs in terms of
+	 * renumbering, and are more preferred.  However, since there is no
+	 * standard naming convention and APIs to deal with the names.  Thus,
+	 * we only handle the case of link-local addresses, for which we use
+	 * interface names as link names, assuming one to one mapping between
+	 * interfaces and links.
+	 */
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	in6 = (struct in6_addr *)addr;
+	if (IN6_IS_ADDR_LINKLOCAL(in6) &&
+	    (ifid = if_nametoindex((const char *)scopename)) != 0)
+		zone = (uint32_t)ifid;
+	else {
+#endif
+		llz = isc_string_touint64(scopename, &ep, 10);
+		if (ep == scopename)
+			return (ISC_R_FAILURE);
+
+		/* check overflow */
+		zone = (uint32_t)(llz & 0xffffffffUL);
+		if (zone != llz)
+			return (ISC_R_FAILURE);
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	}
+#endif
+
+	*zoneid = zone;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/nls/Makefile.in b/lib/isc/nls/Makefile.in
new file mode 100644
index 0000000..704dead
--- /dev/null
+++ b/lib/isc/nls/Makefile.in
@@ -0,0 +1,29 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I../unix/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		msgcat.@O@
+
+SRCS =		msgcat.c
+
+SUBDIRS =
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c
new file mode 100644
index 0000000..ab09b94
--- /dev/null
+++ b/lib/isc/nls/msgcat.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file msgcat.c */
+
+#include <config.h>
+
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#ifdef HAVE_CATGETS
+#include <nl_types.h>		/* Required for nl_catd. */
+#endif
+
+/*
+ * Implementation Notes:
+ *
+ *	We use malloc() and free() instead of isc_mem_get() and isc_mem_put()
+ *	because we don't want to require a memory context to be specified
+ *	in order to use a message catalog.
+ */
+
+struct isc_msgcat {
+	unsigned int	magic;
+#ifdef HAVE_CATGETS
+	nl_catd		catalog;
+#endif
+};
+
+#define MSGCAT_MAGIC			ISC_MAGIC('M', 'C', 'a', 't')
+#define VALID_MSGCAT(m)			ISC_MAGIC_VALID(m, MSGCAT_MAGIC)
+
+void
+isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp) {
+	isc_msgcat_t *msgcat;
+
+	/*
+	 * Open a message catalog.
+	 */
+
+	REQUIRE(name != NULL);
+	REQUIRE(msgcatp != NULL && *msgcatp == NULL);
+
+	msgcat = malloc(sizeof(*msgcat));
+	if (msgcat == NULL) {
+		*msgcatp = NULL;
+		return;
+	}
+
+#ifdef HAVE_CATGETS
+	/*
+	 * We don't check if catopen() fails because we don't care.
+	 * If it does fail, then when we call catgets(), it will use
+	 * the default string.
+	 */
+	msgcat->catalog = catopen(name, 0);
+#endif
+	msgcat->magic = MSGCAT_MAGIC;
+
+	*msgcatp = msgcat;
+}
+
+void
+isc_msgcat_close(isc_msgcat_t **msgcatp) {
+	isc_msgcat_t *msgcat;
+
+	/*
+	 * Close a message catalog.
+	 */
+
+	REQUIRE(msgcatp != NULL);
+	msgcat = *msgcatp;
+	REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
+
+	if (msgcat != NULL) {
+#ifdef HAVE_CATGETS
+		if (msgcat->catalog != (nl_catd)(-1))
+			(void)catclose(msgcat->catalog);
+#endif
+		msgcat->magic = 0;
+		free(msgcat);
+	}
+
+	*msgcatp = NULL;
+}
+
+const char *
+isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
+	       const char *default_text)
+{
+	/*
+	 * Get message 'message' from message set 'set' in 'msgcat'.  If it
+	 * is not available, use 'default'.
+	 */
+
+	REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
+	REQUIRE(set > 0);
+	REQUIRE(message > 0);
+	REQUIRE(default_text != NULL);
+
+#ifdef HAVE_CATGETS
+	if (msgcat == NULL)
+		return (default_text);
+	return (catgets(msgcat->catalog, set, message, default_text));
+#else
+	return (default_text);
+#endif
+}
diff --git a/lib/isc/noatomic/Makefile.in b/lib/isc/noatomic/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/noatomic/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/noatomic/include/Makefile.in b/lib/isc/noatomic/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/noatomic/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/noatomic/include/isc/Makefile.in b/lib/isc/noatomic/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/noatomic/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/noatomic/include/isc/atomic.h b/lib/isc/noatomic/include/isc/atomic.h
new file mode 100644
index 0000000..5953e4b
--- /dev/null
+++ b/lib/isc/noatomic/include/isc/atomic.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+/* This file is inherently empty. */
+
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
new file mode 100644
index 0000000..c794773
--- /dev/null
+++ b/lib/isc/nothreads/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+top_srcdir =	@top_srcdir@
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+THREADOPTOBJS = condition.@O@ mutex.@O@
+OBJS =		@THREADOPTOBJS@ thread.@O@
+
+THREADOPTSRCS = condition.c mutex.c
+SRCS =		@THREADOPTSRCS@ thread.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c
new file mode 100644
index 0000000..a549c30
--- /dev/null
+++ b/lib/isc/nothreads/condition.c
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
diff --git a/lib/isc/nothreads/include/Makefile.in b/lib/isc/nothreads/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/nothreads/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/nothreads/include/isc/Makefile.in b/lib/isc/nothreads/include/isc/Makefile.in
new file mode 100644
index 0000000..185534f
--- /dev/null
+++ b/lib/isc/nothreads/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/nothreads/include/isc/condition.h b/lib/isc/nothreads/include/isc/condition.h
new file mode 100644
index 0000000..0bea23d
--- /dev/null
+++ b/lib/isc/nothreads/include/isc/condition.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This provides a limited subset of the isc_condition_t
+ * functionality for use by single-threaded programs that
+ * need to block waiting for events.   Only a single
+ * call to isc_condition_wait() may be blocked at any given
+ * time, and the _waituntil and _broadcast functions are not
+ * supported.  This is intended primarily for use by the omapi
+ * library, and may go away once omapi goes away.  Use for
+ * other purposes is strongly discouraged.
+ */
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+#include <isc/mutex.h>
+
+typedef int isc_condition_t;
+
+isc_result_t isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp);
+isc_result_t isc__nothread_signal_hack(isc_condition_t *cp);
+
+#define isc_condition_init(cp) \
+	(*(cp) = 0, ISC_R_SUCCESS)
+
+#define isc_condition_wait(cp, mp) \
+	isc__nothread_wait_hack(cp, mp)
+
+#define isc_condition_waituntil(cp, mp, tp) \
+	((void)(cp), (void)(mp), (void)(tp), ISC_R_NOTIMPLEMENTED)
+
+#define isc_condition_signal(cp) \
+	isc__nothread_signal_hack(cp)
+
+#define isc_condition_broadcast(cp) \
+	((void)(cp), ISC_R_NOTIMPLEMENTED)
+
+#define isc_condition_destroy(cp) \
+	(*(cp) == 0 ? (*(cp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
+
+#endif /* ISC_CONDITION_H */
diff --git a/lib/isc/nothreads/include/isc/mutex.h b/lib/isc/nothreads/include/isc/mutex.h
new file mode 100644
index 0000000..a9c55f6
--- /dev/null
+++ b/lib/isc/nothreads/include/isc/mutex.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+#include <isc/result.h>		/* for ISC_R_ codes */
+
+typedef int isc_mutex_t;
+
+#define isc_mutex_init(mp) \
+	(*(mp) = 0, ISC_R_SUCCESS)
+#define isc_mutex_lock(mp) \
+	((*(mp))++ == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#define isc_mutex_unlock(mp) \
+	(--(*(mp)) == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#define isc_mutex_trylock(mp) \
+	(*(mp) == 0 ? ((*(mp))++, ISC_R_SUCCESS) : ISC_R_LOCKBUSY)
+#define isc_mutex_destroy(mp) \
+	(*(mp) == 0 ? (*(mp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
+#define isc_mutex_stats(fp)
+
+#endif /* ISC_MUTEX_H */
diff --git a/lib/isc/nothreads/include/isc/once.h b/lib/isc/nothreads/include/isc/once.h
new file mode 100644
index 0000000..c291814
--- /dev/null
+++ b/lib/isc/nothreads/include/isc/once.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+
+typedef bool isc_once_t;
+
+#define ISC_ONCE_INIT false
+
+#define isc_once_do(op, f) \
+	(!*(op) ? (f(), *(op) = true, ISC_R_SUCCESS) : ISC_R_SUCCESS)
+
+#endif /* ISC_ONCE_H */
diff --git a/lib/isc/nothreads/include/isc/thread.h b/lib/isc/nothreads/include/isc/thread.h
new file mode 100644
index 0000000..8486c3f
--- /dev/null
+++ b/lib/isc/nothreads/include/isc/thread.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Placeholder types (they are not accessed) */
+
+typedef void * isc_thread_t;
+typedef void * isc_threadresult_t;
+typedef void * isc_threadarg_t;
+typedef void * isc_threadfunc_t;
+typedef void * isc_thread_key_t;
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name);
+
+#define isc_thread_self() ((unsigned long)0)
+#define isc_thread_yield() ((void)0)
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c
new file mode 100644
index 0000000..e092ac9
--- /dev/null
+++ b/lib/isc/nothreads/mutex.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
diff --git a/lib/isc/nothreads/thread.c b/lib/isc/nothreads/thread.c
new file mode 100644
index 0000000..671261f
--- /dev/null
+++ b/lib/isc/nothreads/thread.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <isc/thread.h>
+#include <isc/util.h>
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+	UNUSED(level);
+}
+
+void isc_thread_setname(isc_thread_t thread, const char *name) {
+	UNUSED(thread);
+	UNUSED(name);
+}
diff --git a/lib/isc/ondestroy.c b/lib/isc/ondestroy.c
new file mode 100644
index 0000000..64d4d91
--- /dev/null
+++ b/lib/isc/ondestroy.c
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: ondestroy.c,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/event.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#define ONDESTROY_MAGIC		ISC_MAGIC('D', 'e', 'S', 't')
+#define VALID_ONDESTROY(s)	ISC_MAGIC_VALID(s, ONDESTROY_MAGIC)
+
+void
+isc_ondestroy_init(isc_ondestroy_t *ondest) {
+	ondest->magic = ONDESTROY_MAGIC;
+	ISC_LIST_INIT(ondest->events);
+}
+
+isc_result_t
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+		       isc_event_t **eventp)
+{
+	isc_event_t *theevent;
+	isc_task_t *thetask = NULL;
+
+	REQUIRE(VALID_ONDESTROY(ondest));
+	REQUIRE(task != NULL);
+	REQUIRE(eventp != NULL);
+
+	theevent = *eventp;
+
+	REQUIRE(theevent != NULL);
+
+	isc_task_attach(task, &thetask);
+
+	theevent->ev_sender = thetask;
+
+	ISC_LIST_APPEND(ondest->events, theevent, ev_link);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender) {
+	isc_event_t *eventp;
+	isc_task_t *task;
+
+	REQUIRE(VALID_ONDESTROY(ondest));
+
+	eventp = ISC_LIST_HEAD(ondest->events);
+	while (eventp != NULL) {
+		ISC_LIST_UNLINK(ondest->events, eventp, ev_link);
+
+		task = eventp->ev_sender;
+		eventp->ev_sender = sender;
+
+		isc_task_sendanddetach(&task, &eventp);
+
+		eventp = ISC_LIST_HEAD(ondest->events);
+	}
+}
+
+
diff --git a/lib/isc/parseint.c b/lib/isc/parseint.c
new file mode 100644
index 0000000..5859369
--- /dev/null
+++ b/lib/isc/parseint.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <inttypes.h>
+
+#include <isc/parseint.h>
+#include <isc/result.h>
+#include <isc/stdlib.h>
+
+isc_result_t
+isc_parse_uint32(uint32_t *uip, const char *string, int base) {
+	unsigned long n;
+	uint32_t r;
+	char *e;
+	if (! isalnum((unsigned char)(string[0])))
+		return (ISC_R_BADNUMBER);
+	errno = 0;
+	n = strtoul(string, &e, base);
+	if (*e != '\0')
+		return (ISC_R_BADNUMBER);
+	/*
+	 * Where long is 64 bits we need to convert to 32 bits then test for
+	 * equality.  This is a no-op on 32 bit machines and a good compiler
+	 * will optimise it away.
+	 */
+	r = (uint32_t)n;
+	if ((n == ULONG_MAX && errno == ERANGE) || (n != (unsigned long)r))
+		return (ISC_R_RANGE);
+	*uip = r;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint16(uint16_t *uip, const char *string, int base) {
+	uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (val > 0xFFFF)
+		return (ISC_R_RANGE);
+	*uip = (uint16_t) val;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint8(uint8_t *uip, const char *string, int base) {
+	uint32_t val;
+	isc_result_t result;
+	result = isc_parse_uint32(&val, string, base);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (val > 0xFF)
+		return (ISC_R_RANGE);
+	*uip = (uint8_t) val;
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
new file mode 100644
index 0000000..c5d2310
--- /dev/null
+++ b/lib/isc/pk11.c
@@ -0,0 +1,1399 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#include <pk11/result.h>
+#include <pk11/site.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+#include <pkcs11/eddsa.h>
+
+/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
+#ifndef PINLEN
+#define PINLEN	256
+#endif
+
+#ifndef PK11_NO_LOGERR
+#define PK11_NO_LOGERR 1
+#endif
+
+LIBISC_EXTERNAL_DATA bool pk11_verbose_init = false;
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_mem_t *pk11_mctx = NULL;
+static int32_t allocsize = 0;
+static bool initialized = false;
+
+typedef struct pk11_session pk11_session_t;
+typedef struct pk11_token pk11_token_t;
+typedef ISC_LIST(pk11_session_t) pk11_sessionlist_t;
+
+struct pk11_session {
+	unsigned int		magic;
+	CK_SESSION_HANDLE	session;
+	ISC_LINK(pk11_session_t) link;
+	pk11_token_t		*token;
+};
+
+struct pk11_token {
+	unsigned int		magic;
+	unsigned int		operations;
+	ISC_LINK(pk11_token_t)	link;
+	CK_SLOT_ID		slotid;
+	pk11_sessionlist_t	sessions;
+	bool		logged;
+	char			name[32];
+	char			manuf[32];
+	char			model[16];
+	char			serial[16];
+	char			pin[PINLEN + 1];
+};
+static ISC_LIST(pk11_token_t) tokens;
+
+static pk11_token_t *rand_token;
+static pk11_token_t *best_rsa_token;
+static pk11_token_t *best_dsa_token;
+static pk11_token_t *best_dh_token;
+static pk11_token_t *digest_token;
+static pk11_token_t *best_ec_token;
+static pk11_token_t *best_gost_token;
+static pk11_token_t *aes_token;
+
+static isc_result_t free_all_sessions(void);
+static isc_result_t free_session_list(pk11_sessionlist_t *slist);
+static isc_result_t setup_session(pk11_session_t *sp,
+				  pk11_token_t *token,
+				  bool rw);
+static void scan_slots(void);
+static isc_result_t token_login(pk11_session_t *sp);
+static char *percent_decode(char *x, size_t *len);
+static bool pk11strcmp(const char *x, size_t lenx,
+				const char *y, size_t leny);
+static CK_ATTRIBUTE *push_attribute(pk11_object_t *obj,
+				    isc_mem_t *mctx,
+				    size_t len);
+
+static isc_mutex_t alloclock;
+static isc_mutex_t sessionlock;
+
+static pk11_sessionlist_t actives;
+
+static CK_C_INITIALIZE_ARGS pk11_init_args = {
+	NULL_PTR,               /* CreateMutex */
+	NULL_PTR,               /* DestroyMutex */
+	NULL_PTR,               /* LockMutex */
+	NULL_PTR,               /* UnlockMutex */
+	CKF_OS_LOCKING_OK,      /* flags */
+	NULL_PTR,               /* pReserved */
+};
+
+#ifndef PK11_LIB_LOCATION
+#define PK11_LIB_LOCATION	"unknown_provider"
+#endif
+
+#ifndef WIN32
+static const char *lib_name = PK11_LIB_LOCATION;
+#else
+static const char *lib_name = PK11_LIB_LOCATION ".dll";
+#endif
+
+void
+pk11_set_lib_name(const char *name) {
+	lib_name = name;
+}
+
+const char *
+pk11_get_lib_name(void) {
+	return (lib_name);
+}
+
+static void
+initialize(void) {
+	char *pk11_provider;
+
+	RUNTIME_CHECK(isc_mutex_init(&alloclock) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(isc_mutex_init(&sessionlock) == ISC_R_SUCCESS);
+
+	pk11_provider = getenv("PKCS11_PROVIDER");
+	if (pk11_provider != NULL)
+		lib_name = pk11_provider;
+}
+
+void *
+pk11_mem_get(size_t size) {
+	void *ptr;
+
+	LOCK(&alloclock);
+	if (pk11_mctx != NULL)
+		ptr = isc_mem_get(pk11_mctx, size);
+	else {
+		ptr = malloc(size);
+		if (ptr != NULL)
+			allocsize += (int)size;
+	}
+	UNLOCK(&alloclock);
+
+	if (ptr != NULL)
+		memset(ptr, 0, size);
+	return (ptr);
+}
+
+void
+pk11_mem_put(void *ptr, size_t size) {
+	if (ptr != NULL)
+		memset(ptr, 0, size);
+	LOCK(&alloclock);
+	if (pk11_mctx != NULL)
+		isc_mem_put(pk11_mctx, ptr, size);
+	else {
+		if (ptr != NULL)
+			allocsize -= (int)size;
+		free(ptr);
+	}
+	UNLOCK(&alloclock);
+}
+
+isc_result_t
+pk11_initialize(isc_mem_t *mctx, const char *engine) {
+	isc_result_t result = ISC_R_SUCCESS;
+	CK_RV rv;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&sessionlock);
+	LOCK(&alloclock);
+	if ((mctx != NULL) && (pk11_mctx == NULL) && (allocsize == 0))
+		isc_mem_attach(mctx, &pk11_mctx);
+	UNLOCK(&alloclock);
+	if (initialized) {
+		goto unlock;
+	} else {
+		initialized = true;
+	}
+
+	ISC_LIST_INIT(tokens);
+	ISC_LIST_INIT(actives);
+
+	if (engine != NULL)
+		lib_name = engine;
+
+	/* Initialize the CRYPTOKI library */
+	rv = pkcs_C_Initialize((CK_VOID_PTR) &pk11_init_args);
+
+	if (rv == 0xfe) {
+		result = PK11_R_NOPROVIDER;
+		fprintf(stderr, "Can't load PKCS#11 provider: %s\n",
+			pk11_get_load_error_message());
+		goto unlock;
+	}
+	if (rv != CKR_OK) {
+		result = PK11_R_INITFAILED;
+		goto unlock;
+	}
+
+	scan_slots();
+#ifdef PKCS11CRYPTO
+	if (rand_token == NULL) {
+		result = PK11_R_NORANDOMSERVICE;
+		goto unlock;
+	}
+	if (digest_token == NULL) {
+		result = PK11_R_NODIGESTSERVICE;
+		goto unlock;
+	}
+#if defined(AES_CC)
+	if (aes_token == NULL) {
+		result = PK11_R_NOAESSERVICE;
+		goto unlock;
+	}
+#endif
+#endif /* PKCS11CRYPTO */
+ unlock:
+	UNLOCK(&sessionlock);
+	return (result);
+}
+
+isc_result_t
+pk11_finalize(void) {
+	pk11_token_t *token, *next;
+	isc_result_t ret;
+
+	ret = free_all_sessions();
+	(void) pkcs_C_Finalize(NULL_PTR);
+	token = ISC_LIST_HEAD(tokens);
+	while (token != NULL) {
+		next = ISC_LIST_NEXT(token, link);
+		ISC_LIST_UNLINK(tokens, token, link);
+		if (token == rand_token)
+			rand_token = NULL;
+		if (token == best_rsa_token)
+			best_rsa_token = NULL;
+		if (token == best_dsa_token)
+			best_dsa_token = NULL;
+		if (token == best_dh_token)
+			best_dh_token = NULL;
+		if (token == digest_token)
+			digest_token = NULL;
+		if (token == best_ec_token)
+			best_ec_token = NULL;
+		if (token == best_gost_token)
+			best_gost_token = NULL;
+		if (token == aes_token)
+			aes_token = NULL;
+		pk11_mem_put(token, sizeof(*token));
+		token = next;
+	}
+	if (pk11_mctx != NULL)
+		isc_mem_detach(&pk11_mctx);
+	initialized = false;
+	return (ret);
+}
+
+isc_result_t
+pk11_rand_bytes(unsigned char *buf, int num) {
+	isc_result_t ret;
+	CK_RV rv;
+	pk11_context_t ctx;
+
+	ret = pk11_get_session(&ctx, OP_RAND, false, false,
+			       false, NULL, 0);
+	if ((ret != ISC_R_SUCCESS) &&
+	    (ret != PK11_R_NODIGESTSERVICE) &&
+	    (ret != PK11_R_NOAESSERVICE))
+		return (ret);
+	RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+	rv = pkcs_C_GenerateRandom(ctx.session,
+				   (CK_BYTE_PTR) buf, (CK_ULONG) num);
+	pk11_return_session(&ctx);
+	if (rv == CKR_OK)
+		return (ISC_R_SUCCESS);
+	else
+		return (DST_R_CRYPTOFAILURE);
+}
+
+#define SEEDSIZE	1024
+
+static CK_BYTE seed[SEEDSIZE];
+
+void
+pk11_rand_seed_fromfile(const char *randomfile) {
+	pk11_context_t ctx;
+	FILE *stream = NULL;
+	size_t cc = 0;
+	isc_result_t ret;
+
+	ret = pk11_get_session(&ctx, OP_RAND, false, false,
+			       false, NULL, 0);
+	if ((ret != ISC_R_SUCCESS) &&
+	    (ret != PK11_R_NODIGESTSERVICE) &&
+	    (ret != PK11_R_NOAESSERVICE))
+		return;
+	RUNTIME_CHECK(ctx.session != CK_INVALID_HANDLE);
+	ret = isc_stdio_open(randomfile, "r", &stream);
+	if (ret != ISC_R_SUCCESS)
+		goto cleanup;
+	ret = isc_stdio_read(seed, 1, SEEDSIZE, stream, &cc);
+	if (ret!= ISC_R_SUCCESS)
+		goto cleanup;
+	ret = isc_stdio_close(stream);
+	stream = NULL;
+	if (ret!= ISC_R_SUCCESS)
+		goto cleanup;
+	(void) pkcs_C_SeedRandom(ctx.session, seed, (CK_ULONG) cc);
+
+    cleanup:
+	if (stream != NULL)
+		(void) isc_stdio_close(stream);
+	pk11_return_session(&ctx);
+}
+
+isc_result_t
+pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
+		 bool need_services, bool rw,
+		 bool logon, const char *pin, CK_SLOT_ID slot)
+{
+	pk11_token_t *token = NULL;
+	pk11_sessionlist_t *freelist;
+	pk11_session_t *sp;
+	isc_result_t ret;
+#ifdef PKCS11CRYPTO
+	isc_result_t service_ret = ISC_R_SUCCESS;
+#else
+	UNUSED(need_services);
+#endif
+
+	memset(ctx, 0, sizeof(pk11_context_t));
+	ctx->handle = NULL;
+	ctx->session = CK_INVALID_HANDLE;
+
+	ret = pk11_initialize(NULL, NULL);
+#ifdef PKCS11CRYPTO
+	if (ret == PK11_R_NORANDOMSERVICE ||
+	    ret == PK11_R_NODIGESTSERVICE ||
+	    ret == PK11_R_NOAESSERVICE) {
+		if (need_services)
+			return (ret);
+		service_ret = ret;
+	}
+	else
+#endif /* PKCS11CRYPTO */
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	LOCK(&sessionlock);
+	/* wait for initialization to finish */
+	UNLOCK(&sessionlock);
+
+	switch(optype) {
+#ifdef PKCS11CRYPTO
+	case OP_RAND:
+		token = rand_token;
+		break;
+	case OP_DIGEST:
+		token = digest_token;
+		break;
+	case OP_AES:
+		token = aes_token;
+		break;
+	case OP_ANY:
+		for (token = ISC_LIST_HEAD(tokens);
+		     token != NULL;
+		     token = ISC_LIST_NEXT(token, link))
+			if (token->slotid == slot)
+				break;
+		break;
+#endif
+	default:
+		for (token = ISC_LIST_HEAD(tokens);
+		     token != NULL;
+		     token = ISC_LIST_NEXT(token, link))
+			if (token->slotid == slot)
+				break;
+#ifdef PKCS11CRYPTO
+		if ((token == NULL) ||
+		    ((token->operations & (1 << optype)) == 0))
+			return (ISC_R_NOTFOUND);
+#endif
+		break;
+	}
+	if (token == NULL)
+		return (ISC_R_NOTFOUND);
+
+	/* Override the token's PIN */
+	if (logon && pin != NULL && *pin != '\0') {
+		if (strlen(pin) > PINLEN)
+			return (ISC_R_RANGE);
+		/*
+		 * We want to zero out the old pin before
+		 * overwriting with a new one.
+		 */
+		memset(token->pin, 0, sizeof(token->pin));
+		strlcpy(token->pin, pin, sizeof(token->pin));
+	}
+
+	freelist = &token->sessions;
+
+	LOCK(&sessionlock);
+	sp = ISC_LIST_HEAD(*freelist);
+	if (sp != NULL) {
+		ISC_LIST_UNLINK(*freelist, sp, link);
+		ISC_LIST_APPEND(actives, sp, link);
+		UNLOCK(&sessionlock);
+		if (logon)
+			ret = token_login(sp);
+		ctx->handle = sp;
+		ctx->session = sp->session;
+		return (ret);
+	}
+	UNLOCK(&sessionlock);
+
+	sp = pk11_mem_get(sizeof(*sp));
+	if (sp == NULL)
+		return (ISC_R_NOMEMORY);
+	sp->magic = SES_MAGIC;
+	sp->token = token;
+	sp->session = CK_INVALID_HANDLE;
+	ISC_LINK_INIT(sp, link);
+	ret = setup_session(sp, token, rw);
+	if ((ret == ISC_R_SUCCESS) && logon)
+		ret = token_login(sp);
+	LOCK(&sessionlock);
+	ISC_LIST_APPEND(actives, sp, link);
+	UNLOCK(&sessionlock);
+	ctx->handle = sp;
+	ctx->session = sp->session;
+#ifdef PKCS11CRYPTO
+	if (ret == ISC_R_SUCCESS)
+		ret = service_ret;
+#endif
+	return (ret);
+}
+
+void
+pk11_return_session(pk11_context_t *ctx) {
+	pk11_session_t *sp = (pk11_session_t *) ctx->handle;
+
+	if (sp == NULL)
+		return;
+	ctx->handle = NULL;
+	ctx->session = CK_INVALID_HANDLE;
+
+	LOCK(&sessionlock);
+	ISC_LIST_UNLINK(actives, sp, link);
+	UNLOCK(&sessionlock);
+	if (sp->session == CK_INVALID_HANDLE) {
+		pk11_mem_put(sp, sizeof(*sp));
+		return;
+	}
+
+	LOCK(&sessionlock);
+	ISC_LIST_APPEND(sp->token->sessions, sp, link);
+	UNLOCK(&sessionlock);
+}
+
+static isc_result_t
+free_all_sessions(void) {
+	pk11_token_t *token;
+	isc_result_t ret = ISC_R_SUCCESS;
+	isc_result_t oret;
+
+	for (token = ISC_LIST_HEAD(tokens);
+	     token != NULL;
+	     token = ISC_LIST_NEXT(token, link)) {
+		oret = free_session_list(&token->sessions);
+		if (oret != ISC_R_SUCCESS)
+			ret = oret;
+	}
+	if (!ISC_LIST_EMPTY(actives)) {
+		ret = ISC_R_ADDRINUSE;
+		oret = free_session_list(&actives);
+		if (oret != ISC_R_SUCCESS)
+			ret = oret;
+	}
+	return (ret);
+}
+
+static isc_result_t
+free_session_list(pk11_sessionlist_t *slist) {
+	pk11_session_t *sp;
+	CK_RV rv;
+	isc_result_t ret;
+
+	ret = ISC_R_SUCCESS;
+	LOCK(&sessionlock);
+	while (!ISC_LIST_EMPTY(*slist)) {
+		sp = ISC_LIST_HEAD(*slist);
+		ISC_LIST_UNLINK(*slist, sp, link);
+		UNLOCK(&sessionlock);
+		if (sp->session != CK_INVALID_HANDLE) {
+			rv = pkcs_C_CloseSession(sp->session);
+			if (rv != CKR_OK)
+				ret = DST_R_CRYPTOFAILURE;
+		}
+		LOCK(&sessionlock);
+		pk11_mem_put(sp, sizeof(*sp));
+	}
+	UNLOCK(&sessionlock);
+
+	return (ret);
+}
+
+static isc_result_t
+setup_session(pk11_session_t *sp, pk11_token_t *token,
+	      bool rw)
+{
+	CK_RV rv;
+	CK_FLAGS flags = CKF_SERIAL_SESSION;
+
+	if (rw)
+		flags += CKF_RW_SESSION;
+
+	rv = pkcs_C_OpenSession(token->slotid, flags, NULL_PTR,
+				NULL_PTR, &sp->session);
+	if (rv != CKR_OK)
+		return (DST_R_CRYPTOFAILURE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+token_login(pk11_session_t *sp) {
+	CK_RV rv;
+	pk11_token_t *token = sp->token;
+	isc_result_t ret = ISC_R_SUCCESS;
+
+	LOCK(&sessionlock);
+	if (!token->logged) {
+		rv = pkcs_C_Login(sp->session, CKU_USER,
+				  (CK_UTF8CHAR_PTR) token->pin,
+				  (CK_ULONG) strlen(token->pin));
+		if (rv != CKR_OK) {
+			ret = ISC_R_NOPERM;
+#if PK11_NO_LOGERR
+			pk11_error_fatalcheck(__FILE__, __LINE__,
+					      "pkcs_C_Login", rv);
+#endif
+		} else
+			token->logged = true;
+	}
+	UNLOCK(&sessionlock);
+	return (ret);
+}
+
+#define PK11_TRACE(fmt) \
+	if (pk11_verbose_init) fprintf(stderr, fmt)
+#define PK11_TRACE1(fmt, arg) \
+	if (pk11_verbose_init) fprintf(stderr, fmt, arg)
+#define PK11_TRACE2(fmt, arg1, arg2) \
+	if (pk11_verbose_init) fprintf(stderr, fmt, arg1, arg2)
+#define PK11_TRACEM(mech) \
+	if (pk11_verbose_init) fprintf(stderr, #mech ": 0x%lx\n", rv)
+
+static void
+scan_slots(void) {
+	CK_MECHANISM_INFO mechInfo;
+	CK_TOKEN_INFO tokenInfo;
+	CK_RV rv;
+	CK_SLOT_ID slot;
+	CK_SLOT_ID_PTR slotList;
+	CK_ULONG slotCount;
+	pk11_token_t *token;
+	unsigned int i;
+	bool bad;
+
+	slotCount = 0;
+	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, NULL_PTR, &slotCount));
+	PK11_TRACE1("slotCount=%lu\n", slotCount);
+	/* it's not an error if we didn't find any providers */
+	if (slotCount == 0)
+		return;
+	slotList = pk11_mem_get(sizeof(CK_SLOT_ID) * slotCount);
+	RUNTIME_CHECK(slotList != NULL);
+	PK11_FATALCHECK(pkcs_C_GetSlotList, (CK_FALSE, slotList, &slotCount));
+
+	for (i = 0; i < slotCount; i++) {
+		slot = slotList[i];
+		PK11_TRACE2("slot#%u=0x%lx\n", i, slot);
+
+		rv = pkcs_C_GetTokenInfo(slot, &tokenInfo);
+		if (rv != CKR_OK)
+			continue;
+		token = pk11_mem_get(sizeof(*token));
+		RUNTIME_CHECK(token != NULL);
+		token->magic = TOK_MAGIC;
+		token->slotid = slot;
+		ISC_LINK_INIT(token, link);
+		ISC_LIST_INIT(token->sessions);
+		memmove(token->name, tokenInfo.label, 32);
+		memmove(token->manuf, tokenInfo.manufacturerID, 32);
+		memmove(token->model, tokenInfo.model, 16);
+		memmove(token->serial, tokenInfo.serialNumber, 16);
+		ISC_LIST_APPEND(tokens, token, link);
+		if ((tokenInfo.flags & CKF_RNG) == 0) {
+			PK11_TRACE("no CKF_RNG\n");
+			goto try_rsa;
+		}
+		token->operations |= 1 << OP_RAND;
+		if (rand_token == NULL)
+			rand_token = token;
+
+	try_rsa:
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_RSA_PKCS_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_RSA_PKCS_REPLACE)
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_MD5_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA1_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifndef PK11_RSA_PKCS_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA1_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifndef PK11_RSA_PKCS_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA256_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_RSA_PKCS,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifndef PK11_RSA_PKCS_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA512_RSA_PKCS);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_RSA_PKCS, &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+#ifdef PK11_RSA_PKCS_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_RSA_PKCS);
+		}
+		if (bad)
+			goto try_dsa;
+		token->operations |= 1 << OP_RSA;
+		if (best_rsa_token == NULL)
+			best_rsa_token = token;
+
+	try_dsa:
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+#ifndef PK11_DSA_PARAMETER_GEN_SKIP
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_DSA_SHA1);
+		}
+		if (bad)
+			goto try_dh;
+#ifndef PK11_DSA_DISABLE
+		token->operations |= 1 << OP_DSA;
+		if (best_dsa_token == NULL)
+			best_dsa_token = token;
+#endif
+
+	try_dh:
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
+			PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
+					     &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_DH_PKCS_DERIVE);
+		}
+		if (bad)
+			goto try_digest;
+#ifndef PK11_DH_DISABLE
+		token->operations |= 1 << OP_DH;
+		if (best_dh_token == NULL)
+			best_dh_token = token;
+#endif
+
+	try_digest:
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+#ifndef PK11_MD5_DISABLE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_MD5);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_SHA_1);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_SHA224);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_SHA256);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_SHA384);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_SHA512);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_MD5_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#if !defined(PK11_MD5_DISABLE) && !defined(PK11_MD5_HMAC_REPLACE)
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_MD5_HMAC);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA_1_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA_1_HMAC_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA_1_HMAC);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA224_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA224_HMAC_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA224_HMAC);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA256_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA256_HMAC_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA256_HMAC);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA384_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA384_HMAC_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA384_HMAC);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_SHA512_HMAC, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_SIGN) == 0)) {
+#ifndef PK11_SHA512_HMAC_REPLACE
+			bad = true;
+#endif
+			PK11_TRACEM(CKM_SHA512_HMAC);
+		}
+		if (!bad) {
+			token->operations |= 1 << OP_DIGEST;
+			if (digest_token == NULL)
+				digest_token = token;
+		}
+
+		/* ECDSA requires digest */
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_EC_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_ECDSA, &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_ECDSA);
+		}
+		if (bad)
+			goto try_gost;
+		token->operations |= 1 << OP_EC;
+		if (best_ec_token == NULL)
+			best_ec_token = token;
+
+	try_gost:
+		bad = false;
+		/* does GOST require digest too? */
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3411, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DIGEST) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_GOSTR3411);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_GOSTR3410_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_GOSTR3410_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot,
+					     CKM_GOSTR3410_WITH_GOSTR3411,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
+		}
+		if (bad)
+			goto try_eddsa;
+		token->operations |= 1 << OP_GOST;
+		if (best_gost_token == NULL)
+			best_gost_token = token;
+
+	try_eddsa:
+#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_EDDSA);
+		}
+		if (bad)
+			goto try_aes;
+
+	try_aes:
+#endif
+		bad = false;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
+		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
+			bad = true;
+			PK11_TRACEM(CKM_AES_ECB);
+		}
+		if (bad)
+			continue;
+		token->operations |= 1 << OP_AES;
+		if (aes_token == NULL)
+			aes_token = token;
+	}
+
+	if (slotList != NULL) {
+		pk11_mem_put(slotList, sizeof(CK_SLOT_ID) * slotCount);
+	}
+}
+
+CK_SLOT_ID
+pk11_get_best_token(pk11_optype_t optype) {
+	pk11_token_t *token = NULL;
+
+	switch (optype) {
+	case OP_RAND:
+		token = rand_token;
+		break;
+	case OP_RSA:
+		token = best_rsa_token;
+		break;
+	case OP_DSA:
+		token = best_dsa_token;
+		break;
+	case OP_DH:
+		token = best_dh_token;
+		break;
+	case OP_DIGEST:
+		token = digest_token;
+		break;
+	case OP_EC:
+		token = best_ec_token;
+		break;
+	case OP_GOST:
+		token = best_gost_token;
+		break;
+	case OP_AES:
+		token = aes_token;
+		break;
+	default:
+		break;
+	}
+	if (token == NULL)
+		return (0);
+	return (token->slotid);
+}
+
+unsigned int
+pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+	unsigned int bitcnt, i;
+	CK_BYTE top;
+
+	if (bytecnt == 0)
+		return (0);
+	bitcnt = bytecnt * 8;
+	for (i = 0; i < bytecnt; i++) {
+		top = data[i];
+		if (top == 0) {
+			bitcnt -= 8;
+			continue;
+		}
+		if (top & 0x80)
+			return (bitcnt);
+		if (top & 0x40)
+			return (bitcnt - 1);
+		if (top & 0x20)
+			return (bitcnt - 2);
+		if (top & 0x10)
+			return (bitcnt - 3);
+		if (top & 0x08)
+			return (bitcnt - 4);
+		if (top & 0x04)
+			return (bitcnt - 5);
+		if (top & 0x02)
+			return (bitcnt - 6);
+		if (top & 0x01)
+			return (bitcnt - 7);
+		break;
+	}
+	INSIST(0);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_first(const pk11_object_t *obj) {
+	return (obj->repr);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_next(const pk11_object_t *obj, CK_ATTRIBUTE *attr) {
+	CK_ATTRIBUTE *next;
+
+	next = attr + 1;
+	if ((next - obj->repr) >= obj->attrcnt)
+		return (NULL);
+	return (next);
+}
+
+CK_ATTRIBUTE *
+pk11_attribute_bytype(const pk11_object_t *obj, CK_ATTRIBUTE_TYPE type) {
+	CK_ATTRIBUTE *attr;
+
+	for(attr = pk11_attribute_first(obj);
+	    attr != NULL;
+	    attr = pk11_attribute_next(obj, attr))
+		if (attr->type == type)
+			return (attr);
+	return (NULL);
+}
+
+static char *
+percent_decode(char *x, size_t *len) {
+	char *p, *c;
+	unsigned char v;
+
+	INSIST(len != NULL);
+
+	for (p = c = x; p[0] != '\0'; p++, c++) {
+		switch (p[0]) {
+		case '%':
+			v = 0;
+			switch (p[1]) {
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+				v = (p[1] - '0') << 4;
+				break;
+			case 'A':
+			case 'B':
+			case 'C':
+			case 'D':
+			case 'E':
+			case 'F':
+				v = (p[1] - 'A' + 10) << 4;
+				break;
+			case 'a':
+			case 'b':
+			case 'c':
+			case 'd':
+			case 'e':
+			case 'f':
+				v = (p[1] - 'a' + 10) << 4;
+				break;
+			default:
+				return (NULL);
+			}
+			switch (p[2]) {
+			case '0':
+			case '1':
+			case '2':
+			case '3':
+			case '4':
+			case '5':
+			case '6':
+			case '7':
+			case '8':
+			case '9':
+				v |= (p[2] - '0') & 0x0f;
+				break;
+			case 'A':
+			case 'B':
+			case 'C':
+			case 'D':
+			case 'E':
+			case 'F':
+				v = (p[2] - 'A' + 10) & 0x0f;
+				break;
+			case 'a':
+			case 'b':
+			case 'c':
+			case 'd':
+			case 'e':
+			case 'f':
+				v = (p[2] - 'a' + 10) & 0x0f;
+				break;
+			default:
+				return (NULL);
+			}
+			p += 2;
+			*c = (char) v;
+			(*len)++;
+			break;
+		default:
+			*c = *p;
+			(*len)++;
+		}
+	}
+	return (x);
+}
+
+static bool
+pk11strcmp(const char *x, size_t lenx, const char *y, size_t leny) {
+	char buf[32];
+
+	INSIST((leny == 32) || (leny == 16));
+
+	memset(buf, ' ', 32);
+	if (lenx > leny)
+		lenx = leny;
+	memmove(buf, x, lenx);
+	return (memcmp(buf, y, leny) == 0);
+}
+
+static CK_ATTRIBUTE *
+push_attribute(pk11_object_t *obj, isc_mem_t *mctx, size_t len) {
+	CK_ATTRIBUTE *old = obj->repr;
+	CK_ATTRIBUTE *attr;
+	CK_BYTE cnt = obj->attrcnt;
+
+	obj->repr = isc_mem_get(mctx, (cnt + 1) * sizeof(*attr));
+	if (obj->repr == NULL) {
+		obj->repr = old;
+		return (NULL);
+	}
+	memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+	memmove(obj->repr, old, cnt * sizeof(*attr));
+	attr = obj->repr + cnt;
+	attr->ulValueLen = (CK_ULONG) len;
+	attr->pValue = isc_mem_get(mctx, len);
+	if (attr->pValue == NULL) {
+		memset(obj->repr, 0, (cnt + 1) * sizeof(*attr));
+		isc_mem_put(mctx, obj->repr, (cnt + 1) * sizeof(*attr));
+		obj->repr = old;
+		return (NULL);
+	}
+	memset(attr->pValue, 0, len);
+	if (old != NULL) {
+		memset(old, 0, cnt * sizeof(*attr));
+		isc_mem_put(mctx, old, cnt * sizeof(*attr));
+	}
+	obj->attrcnt++;
+	return (attr);
+}
+
+#define DST_RET(a)	{ ret = a; goto err; }
+
+isc_result_t
+pk11_parse_uri(pk11_object_t *obj, const char *label,
+	       isc_mem_t *mctx, pk11_optype_t optype)
+{
+	CK_ATTRIBUTE *attr;
+	pk11_token_t *token = NULL;
+	char *uri, *p, *a, *na, *v;
+	size_t len, l;
+	FILE *stream = NULL;
+	char pin[PINLEN + 1];
+	bool gotpin = false;
+	isc_result_t ret;
+
+	/* get values to work on */
+	len = strlen(label) + 1;
+	uri = isc_mem_get(mctx, len);
+	if (uri == NULL)
+		return (ISC_R_NOMEMORY);
+	memmove(uri, label, len);
+
+	/* get the URI scheme */
+	p = strchr(uri, ':');
+	if (p == NULL)
+		DST_RET(PK11_R_NOPROVIDER);
+	*p++ = '\0';
+	if (strcmp(uri, "pkcs11") != 0)
+		DST_RET(PK11_R_NOPROVIDER);
+
+	/* get attributes */
+	for (na = p; na != NULL;) {
+		a = na;
+		p = strchr(a, ';');
+		if (p == NULL) {
+			/* last attribute */
+			na = NULL;
+		} else {
+			*p++ = '\0';
+			na = p;
+		}
+		p = strchr(a, '=');
+		if (p != NULL) {
+			*p++ = '\0';
+			v = p;
+		} else
+			v = a;
+		l = 0;
+		v = percent_decode(v, &l);
+		if (v == NULL)
+			DST_RET(PK11_R_NOPROVIDER);
+		if ((a == v) || (strcmp(a, "object") == 0)) {
+			/* object: CKA_LABEL */
+			attr = pk11_attribute_bytype(obj, CKA_LABEL);
+			if (attr != NULL)
+				DST_RET(PK11_R_NOPROVIDER);
+			attr = push_attribute(obj, mctx, l);
+			if (attr == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			attr->type = CKA_LABEL;
+			memmove(attr->pValue, v, l);
+		} else if (strcmp(a, "token") == 0) {
+			/* token: CK_TOKEN_INFO label */
+			if (token == NULL)
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+					if (pk11strcmp(v, l, token->name, 32))
+						break;
+		} else if (strcmp(a, "manufacturer") == 0) {
+			/* manufacturer: CK_TOKEN_INFO manufacturerID */
+			if (token == NULL)
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+					if (pk11strcmp(v, l, token->manuf, 32))
+						break;
+		} else if (strcmp(a, "serial") == 0) {
+			/* serial: CK_TOKEN_INFO serialNumber */
+			if (token == NULL)
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+					if (pk11strcmp(v, l, token->serial, 16))
+						break;
+		} else if (strcmp(a, "model") == 0) {
+			/* model: CK_TOKEN_INFO model */
+			if (token == NULL)
+				for (token = ISC_LIST_HEAD(tokens);
+				     token != NULL;
+				     token = ISC_LIST_NEXT(token, link))
+					if (pk11strcmp(v, l, token->model, 16))
+						break;
+		} else if (strcmp(a, "library-manufacturer") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "library-description") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "library-version") == 0) {
+			/* ignored */
+		} else if (strcmp(a, "object-type") == 0) {
+			/* object-type: CKA_CLASS */
+			/* only private makes sense */
+			if (strcmp(v, "private") != 0)
+				DST_RET(PK11_R_NOPROVIDER);
+		} else if (strcmp(a, "id") == 0) {
+			/* id: CKA_ID */
+			attr = pk11_attribute_bytype(obj, CKA_ID);
+			if (attr != NULL)
+				DST_RET(PK11_R_NOPROVIDER);
+			attr = push_attribute(obj, mctx, l);
+			if (attr == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			attr->type = CKA_ID;
+			memmove(attr->pValue, v, l);
+		} else if (strcmp(a, "pin-source") == 0) {
+			/* pin-source: PIN */
+			ret = isc_stdio_open(v, "r", &stream);
+			if (ret != ISC_R_SUCCESS)
+				goto err;
+			memset(pin, 0, PINLEN + 1);
+			ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
+			if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
+				goto err;
+			if (l > PINLEN)
+				DST_RET(ISC_R_RANGE);
+			ret = isc_stdio_close(stream);
+			stream = NULL;
+			if (ret != ISC_R_SUCCESS)
+				goto err;
+			gotpin = true;
+		} else
+			DST_RET(PK11_R_NOPROVIDER);
+	}
+
+	if ((pk11_attribute_bytype(obj, CKA_LABEL) == NULL) &&
+	    (pk11_attribute_bytype(obj, CKA_ID) == NULL))
+		DST_RET(ISC_R_NOTFOUND);
+
+	if (token == NULL) {
+		if (optype == OP_RSA)
+			token = best_rsa_token;
+		else if (optype == OP_DSA)
+			token = best_dsa_token;
+		else if (optype == OP_DH)
+			token = best_dh_token;
+		else if (optype == OP_EC)
+			token = best_ec_token;
+	}
+	if (token == NULL)
+		DST_RET(ISC_R_NOTFOUND);
+	obj->slot = token->slotid;
+	if (gotpin) {
+		memmove(token->pin, pin, PINLEN + 1);
+		obj->reqlogon = true;
+	}
+
+	ret = ISC_R_SUCCESS;
+
+  err:
+	if (stream != NULL)
+		(void) isc_stdio_close(stream);
+	isc_mem_put(mctx, uri, len);
+	return (ret);
+}
+
+void
+pk11_error_fatalcheck(const char *file, int line,
+		      const char *funcname, CK_RV rv)
+{
+	isc_error_fatal(file, line, "%s: Error = 0x%.8lX\n", funcname, rv);
+}
+
+void
+pk11_dump_tokens(void) {
+	pk11_token_t *token;
+	bool first;
+
+	printf("DEFAULTS\n");
+	printf("\trand_token=%p\n", rand_token);
+	printf("\tbest_rsa_token=%p\n", best_rsa_token);
+	printf("\tbest_dsa_token=%p\n", best_dsa_token);
+	printf("\tbest_dh_token=%p\n", best_dh_token);
+	printf("\tdigest_token=%p\n", digest_token);
+	printf("\tbest_ec_token=%p\n", best_ec_token);
+	printf("\tbest_gost_token=%p\n", best_gost_token);
+	printf("\taes_token=%p\n", aes_token);
+
+	for (token = ISC_LIST_HEAD(tokens);
+	     token != NULL;
+	     token = ISC_LIST_NEXT(token, link)) {
+		printf("\nTOKEN\n");
+		printf("\taddress=%p\n", token);
+		printf("\tslotID=%lu\n", token->slotid);
+		printf("\tlabel=%.32s\n", token->name);
+		printf("\tmanufacturerID=%.32s\n", token->manuf);
+		printf("\tmodel=%.16s\n", token->model);
+		printf("\tserialNumber=%.16s\n", token->serial);
+		printf("\tsupported operations=0x%x (", token->operations);
+		first = true;
+		if (token->operations & (1 << OP_RAND)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("RAND");
+		}
+		if (token->operations & (1 << OP_RSA)) {
+			first = false;
+			printf("RSA");
+		}
+		if (token->operations & (1 << OP_DSA)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("DSA");
+		}
+		if (token->operations & (1 << OP_DH)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("DH");
+		}
+		if (token->operations & (1 << OP_DIGEST)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("DIGEST");
+		}
+		if (token->operations & (1 << OP_EC)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("EC");
+		}
+		if (token->operations & (1 << OP_AES)) {
+			if (!first)
+				printf(",");
+			first = false;
+			printf("AES");
+		}
+		printf(")\n");
+	}
+}
diff --git a/lib/isc/pk11_result.c b/lib/isc/pk11_result.c
new file mode 100644
index 0000000..33143f8
--- /dev/null
+++ b/lib/isc/pk11_result.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <pk11/result.h>
+
+LIBISC_EXTERNAL_DATA isc_msgcat_t *		pk11_msgcat = NULL;
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+static const char *text[PK11_R_NRESULTS] = {
+	"PKCS#11 initialization failed",		/*%< 0 */
+	"no PKCS#11 provider",				/*%< 1 */
+	"PKCS#11 provider has no random service",	/*%< 2 */
+	"PKCS#11 provider has no digest service",	/*%< 3 */
+	"PKCS#11 provider has no AES service",		/*%< 4 */
+};
+
+static const char *ids[PK11_R_NRESULTS] = {
+	"PK11_R_INITFAILED",
+	"PK11_R_NOPROVIDER",
+	"PK11_R_NORANDOMSERVICE",
+	"PK11_R_NODIGESTSERVICE",
+	"PK11_R_NOAESSERVICE",
+};
+
+#define PK11_RESULT_RESULTSET			2
+
+static isc_once_t		once = ISC_ONCE_INIT;
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libpk11.cat", &pk11_msgcat);
+}
+
+void
+pk11_initmsgcat(void) {
+
+	/*
+	 * Initialize the PKCS#11 support's message catalog,
+	 * pk11_msgcat, if it has not already been initialized.
+	 */
+
+	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
+				     text, pk11_msgcat, PK11_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+
+	result = isc_result_registerids(ISC_RESULTCLASS_PK11, PK11_R_NRESULTS,
+					ids, pk11_msgcat,
+					PK11_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+}
+
+static void
+initialize(void) {
+	pk11_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+pk11_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+pk11_result_register(void) {
+	initialize();
+}
diff --git a/lib/isc/pool.c b/lib/isc/pool.c
new file mode 100644
index 0000000..a445d8b
--- /dev/null
+++ b/lib/isc/pool.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/pool.h>
+#include <isc/util.h>
+
+/***
+ *** Types.
+ ***/
+
+struct isc_pool {
+	isc_mem_t *			mctx;
+	unsigned int			count;
+	isc_pooldeallocator_t		free;
+	isc_poolinitializer_t		init;
+	void *				initarg;
+	void **				pool;
+};
+
+/***
+ *** Functions.
+ ***/
+
+static isc_result_t
+alloc_pool(isc_mem_t *mctx, unsigned int count, isc_pool_t **poolp) {
+	isc_pool_t *pool;
+
+	pool = isc_mem_get(mctx, sizeof(*pool));
+	if (pool == NULL)
+		return (ISC_R_NOMEMORY);
+	pool->count = count;
+	pool->free = NULL;
+	pool->init = NULL;
+	pool->initarg = NULL;
+	pool->mctx = NULL;
+	isc_mem_attach(mctx, &pool->mctx);
+	pool->pool = isc_mem_get(mctx, count * sizeof(void *));
+	if (pool->pool == NULL) {
+		isc_mem_put(mctx, pool, sizeof(*pool));
+		return (ISC_R_NOMEMORY);
+	}
+	memset(pool->pool, 0, count * sizeof(void *));
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_pool_create(isc_mem_t *mctx, unsigned int count,
+		   isc_pooldeallocator_t release,
+		   isc_poolinitializer_t init, void *initarg,
+		   isc_pool_t **poolp)
+{
+	isc_pool_t *pool = NULL;
+	isc_result_t result;
+	unsigned int i;
+
+	INSIST(count > 0);
+
+	/* Allocate the pool structure */
+	result = alloc_pool(mctx, count, &pool);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	pool->free = release;
+	pool->init = init;
+	pool->initarg = initarg;
+
+	/* Populate the pool */
+	for (i = 0; i < count; i++) {
+		result = init(&pool->pool[i], initarg);
+		if (result != ISC_R_SUCCESS) {
+			isc_pool_destroy(&pool);
+			return (result);
+		}
+	}
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_pool_get(isc_pool_t *pool) {
+	uint32_t i;
+	isc_random_get(&i);
+	return (pool->pool[i % pool->count]);
+}
+
+int
+isc_pool_count(isc_pool_t *pool) {
+	REQUIRE(pool != NULL);
+	return (pool->count);
+}
+
+isc_result_t
+isc_pool_expand(isc_pool_t **sourcep, unsigned int count,
+		   isc_pool_t **targetp)
+{
+	isc_result_t result;
+	isc_pool_t *pool;
+
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	pool = *sourcep;
+	if (count > pool->count) {
+		isc_pool_t *newpool = NULL;
+		unsigned int i;
+
+		/* Allocate a new pool structure */
+		result = alloc_pool(pool->mctx, count, &newpool);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		newpool->free = pool->free;
+		newpool->init = pool->init;
+		newpool->initarg = pool->initarg;
+
+		/* Copy over the objects from the old pool */
+		for (i = 0; i < pool->count; i++) {
+			newpool->pool[i] = pool->pool[i];
+			pool->pool[i] = NULL;
+		}
+
+		/* Populate the new entries */
+		for (i = pool->count; i < count; i++) {
+			result = pool->init(&newpool->pool[i], pool->initarg);
+			if (result != ISC_R_SUCCESS) {
+				isc_pool_destroy(&pool);
+				return (result);
+			}
+		}
+
+		isc_pool_destroy(&pool);
+		pool = newpool;
+	}
+
+	*sourcep = NULL;
+	*targetp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_pool_destroy(isc_pool_t **poolp) {
+	unsigned int i;
+	isc_pool_t *pool = *poolp;
+	for (i = 0; i < pool->count; i++) {
+		if (pool->free != NULL && pool->pool[i] != NULL)
+			pool->free(&pool->pool[i]);
+	}
+	isc_mem_put(pool->mctx, pool->pool, pool->count * sizeof(void *));
+	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
+	*poolp = NULL;
+}
diff --git a/lib/isc/portset.c b/lib/isc/portset.c
new file mode 100644
index 0000000..b3af46d
--- /dev/null
+++ b/lib/isc/portset.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/portset.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define ISC_PORTSET_BUFSIZE (65536 / (sizeof(uint32_t) * 8))
+
+/*%
+ * Internal representation of portset.  It's an array of 32-bit integers, each
+ * bit corresponding to a single port in the ascending order.  For example,
+ * the second most significant bit of buf[0] corresponds to port 1.
+ */
+struct isc_portset {
+	unsigned int nports;	/*%< number of ports in the set */
+	uint32_t buf[ISC_PORTSET_BUFSIZE];
+};
+
+static inline bool
+portset_isset(isc_portset_t *portset, in_port_t port) {
+	return (portset->buf[port >> 5] & ((uint32_t)1 << (port & 31)));
+}
+
+static inline void
+portset_add(isc_portset_t *portset, in_port_t port) {
+	if (!portset_isset(portset, port)) {
+		portset->nports++;
+		portset->buf[port >> 5] |= ((uint32_t)1 << (port & 31));
+	}
+}
+
+static inline void
+portset_remove(isc_portset_t *portset, in_port_t port) {
+	if (portset_isset(portset, port)) {
+		portset->nports--;
+		portset->buf[port >> 5] &= ~((uint32_t)1 << (port & 31));
+	}
+}
+
+isc_result_t
+isc_portset_create(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_portset_t *portset;
+
+	REQUIRE(portsetp != NULL && *portsetp == NULL);
+
+	portset = isc_mem_get(mctx, sizeof(*portset));
+	if (portset == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* Make the set 'empty' by default */
+	memset(portset, 0, sizeof(*portset));
+	*portsetp = portset;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_portset_destroy(isc_mem_t *mctx, isc_portset_t **portsetp) {
+	isc_portset_t *portset;
+
+	REQUIRE(portsetp != NULL);
+	portset = *portsetp;
+
+	isc_mem_put(mctx, portset, sizeof(*portset));
+}
+
+bool
+isc_portset_isset(isc_portset_t *portset, in_port_t port) {
+	REQUIRE(portset != NULL);
+
+	return (portset_isset(portset, port));
+}
+
+unsigned int
+isc_portset_nports(isc_portset_t *portset) {
+	REQUIRE(portset != NULL);
+
+	return (portset->nports);
+}
+
+void
+isc_portset_add(isc_portset_t *portset, in_port_t port) {
+	REQUIRE(portset != NULL);
+
+	portset_add(portset, port);
+}
+
+void
+isc_portset_remove(isc_portset_t *portset, in_port_t port) {
+	portset_remove(portset, port);
+}
+
+void
+isc_portset_addrange(isc_portset_t *portset, in_port_t port_lo,
+		     in_port_t port_hi)
+{
+	in_port_t p;
+
+	REQUIRE(portset != NULL);
+	REQUIRE(port_lo <= port_hi);
+
+	p = port_lo;
+	do {
+		portset_add(portset, p);
+	} while (p++ < port_hi);
+}
+
+void
+isc_portset_removerange(isc_portset_t *portset, in_port_t port_lo,
+			in_port_t port_hi)
+{
+	in_port_t p;
+
+	REQUIRE(portset != NULL);
+	REQUIRE(port_lo <= port_hi);
+
+	p = port_lo;
+	do {
+		portset_remove(portset, p);
+	} while (p++ < port_hi);
+}
diff --git a/lib/isc/powerpc/Makefile.in b/lib/isc/powerpc/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/powerpc/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/powerpc/include/Makefile.in b/lib/isc/powerpc/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/powerpc/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/powerpc/include/isc/Makefile.in b/lib/isc/powerpc/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/powerpc/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/powerpc/include/isc/atomic.h b/lib/isc/powerpc/include/isc/atomic.h
new file mode 100644
index 0000000..9899934
--- /dev/null
+++ b/lib/isc/powerpc/include/isc/atomic.h
@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*!\file
+ * static inline int32_t
+ * isc_atomic_xadd(int32_t *p, int32_t val);
+ *
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ *
+ * static inline void
+ * isc_atomic_store(void *p, int32_t val);
+ *
+ * This routine atomically stores the value 'val' in 'p'.
+ *
+ * static inline int32_t
+ * isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val);
+ *
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+
+#if defined(_AIX)
+
+#include <sys/atomic_op.h>
+
+#define isc_atomic_store(p, v) _clear_lock(p, v)
+
+#ifdef __GNUC__
+static inline int32_t
+#else
+static int32_t
+#endif
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	int ret;
+
+#ifdef __GNUC__
+	asm("ics");
+#else
+	 __isync();
+#endif
+
+	ret = fetch_and_add((atomic_p)p, (int)val);
+
+#ifdef __GNUC__
+	asm("ics");
+#else
+	 __isync();
+#endif
+
+	 return (ret);
+}
+
+#ifdef __GNUC__
+static inline int
+#else
+static int
+#endif
+isc_atomic_cmpxchg(atomic_p p, int old, int replacement) {
+	int orig = old;
+
+#ifdef __GNUC__
+	asm("ics");
+#else
+	 __isync();
+#endif
+	if (compare_and_swap(p, &orig, replacement))
+		orig = old;
+
+#ifdef __GNUC__
+	asm("ics");
+#else
+	 __isync();
+#endif
+
+	return (orig);
+}
+
+#elif defined(ISC_PLATFORM_USEGCCASM) || defined(ISC_PLATFORM_USEMACASM)
+static inline int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	int32_t orig;
+
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %1\n"
+		"mr %0, r6\n"
+		"add r6, r6, %2\n"
+		"stwcx. r6, 0, %1\n"
+		"bne- 1b\n"
+		"sync"
+#else
+		"1:"
+		"lwarx 6, 0, %1\n"
+		"mr %0, 6\n"
+		"add 6, 6, %2\n"
+		"stwcx. 6, 0, %1\n"
+		"bne- 1b\n"
+		"sync"
+#endif
+		: "=&r"(orig)
+		: "r"(p), "r"(val)
+		: "r6", "memory"
+		);
+
+	return (orig);
+}
+
+static inline void
+isc_atomic_store(void *p, int32_t val) {
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %0\n"
+		"lwz r6, %1\n"
+		"stwcx. r6, 0, %0\n"
+		"bne- 1b\n"
+		"sync"
+#else
+		"1:"
+		"lwarx 6, 0, %0\n"
+		"lwz 6, %1\n"
+		"stwcx. 6, 0, %0\n"
+		"bne- 1b\n"
+		"sync"
+#endif
+		:
+		: "r"(p), "m"(val)
+		: "r6", "memory"
+		);
+}
+
+static inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	int32_t orig;
+
+	__asm__ volatile (
+#ifdef ISC_PLATFORM_USEMACASM
+		"1:"
+		"lwarx r6, 0, %1\n"
+		"mr %0,r6\n"
+		"cmpw r6, %2\n"
+		"bne 2f\n"
+		"mr r6, %3\n"
+		"stwcx. r6, 0, %1\n"
+		"bne- 1b\n"
+		"2:\n"
+		"sync"
+#else
+		"1:"
+		"lwarx 6, 0, %1\n"
+		"mr %0,6\n"
+		"cmpw 6, %2\n"
+		"bne 2f\n"
+		"mr 6, %3\n"
+		"stwcx. 6, 0, %1\n"
+		"bne- 1b\n"
+		"2:\n"
+		"sync"
+#endif
+		: "=&r" (orig)
+		: "r"(p), "r"(cmpval), "r"(val)
+		: "r6", "memory"
+		);
+
+	return (orig);
+}
+
+#else
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/print.c b/lib/isc/print.c
new file mode 100644
index 0000000..d4d4880
--- /dev/null
+++ b/lib/isc/print.c
@@ -0,0 +1,706 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdio.h>		/* for sprintf() */
+#include <string.h>		/* for strlen() */
+#include <assert.h>		/* for assert() */
+
+#define	ISC__PRINT_SOURCE	/* Used to get the isc_print_* prototypes. */
+
+#include <isc/assertions.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+/*
+ * We use the system's sprintf so we undef it here.
+ */
+#undef sprintf
+
+static int
+isc__print_printf(void (*emit)(char, void *), void *arg,
+		  const char *format, va_list ap);
+
+static void
+file_emit(char c, void *arg) {
+	FILE *fp = arg;
+	int i = c & 0xff;
+
+	putc(i, fp);
+}
+
+#if 0
+static int
+isc_print_vfprintf(FILE *fp, const char *format, va_list ap) {
+	assert(fp != NULL);
+	assert(format != NULL);
+
+	return (isc__print_printf(file_emit, fp, format, ap));
+}
+#endif
+
+int
+isc_print_printf(const char *format, ...) {
+	va_list ap;
+	int n;
+
+	assert(format != NULL);
+
+	va_start(ap, format);
+	n = isc__print_printf(file_emit, stdout, format, ap);
+	va_end(ap);
+	return (n);
+}
+
+int
+isc_print_fprintf(FILE *fp, const char *format, ...) {
+	va_list ap;
+	int n;
+
+	assert(fp != NULL);
+	assert(format != NULL);
+
+	va_start(ap, format);
+	n = isc__print_printf(file_emit, fp, format, ap);
+	va_end(ap);
+	return (n);
+}
+
+static void
+nocheck_emit(char c, void *arg) {
+	struct { char *str; } *a = arg;
+
+	*(a->str)++ = c;
+}
+
+int
+isc_print_sprintf(char *str, const char *format, ...) {
+	struct { char *str; } arg;
+	int n;
+	va_list ap;
+
+	arg.str = str;
+
+	va_start(ap, format);
+	n = isc__print_printf(nocheck_emit, &arg, format, ap);
+	va_end(ap);
+	return (n);
+}
+
+/*!
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+isc_print_snprintf(char *str, size_t size, const char *format, ...) {
+	va_list ap;
+	int ret;
+
+	va_start(ap, format);
+	ret = isc_print_vsnprintf(str, size, format, ap);
+	va_end(ap);
+	return (ret);
+
+}
+
+/*!
+ * Return length of string that would have been written if not truncated.
+ */
+
+static void
+string_emit(char c, void *arg) {
+	struct { char *str; size_t size; } *p = arg;
+
+	if (p->size > 0U) {
+		*(p->str)++ = c;
+		p->size--;
+	}
+}
+
+int
+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
+	struct { char *str; size_t size; } arg;
+	int n;
+
+	assert(str != NULL);
+	assert(format != NULL);
+
+	arg.str = str;
+	arg.size = size;
+
+	n = isc__print_printf(string_emit, &arg, format, ap);
+	if (arg.size > 0U)
+		*arg.str = '\0';
+	return (n);
+}
+
+static int
+isc__print_printf(void (*emit)(char, void *), void *arg,
+		  const char *format, va_list ap)
+{
+	int h;
+	int l;
+	int z;
+	int q;
+	int alt;
+	int zero;
+	int left;
+	int plus;
+	int space;
+	int neg;
+	int64_t tmpi;
+	uint64_t tmpui;
+	unsigned long width;
+	unsigned long precision;
+	unsigned int length;
+	char buf[1024];
+	char c;
+	void *v;
+	const char *cp;
+	const char *head;
+	int count = 0;
+	int pad;
+	int zeropad;
+	int dot;
+	double dbl;
+	bool precision_set;
+#ifdef HAVE_LONG_DOUBLE
+	long double ldbl;
+#endif
+	char fmt[32];
+
+	assert(emit != NULL);
+	assert(arg != NULL);
+	assert(format != NULL);
+
+	while (*format != '\0') {
+		if (*format != '%') {
+			emit(*format++, arg);
+			count++;
+			continue;
+		}
+		format++;
+
+		/*
+		 * Reset flags.
+		 */
+		dot = neg = space = plus = left = zero = alt = h = l = q = z = 0;
+		width = precision = 0;
+		head = "";
+		pad = zeropad = 0;
+		precision_set = false;
+
+		do {
+			if (*format == '#') {
+				alt = 1;
+				format++;
+			} else if (*format == '-') {
+				left = 1;
+				zero = 0;
+				format++;
+			} else if (*format == ' ') {
+				if (!plus)
+					space = 1;
+				format++;
+			} else if (*format == '+') {
+				plus = 1;
+				space = 0;
+				format++;
+			} else if (*format == '0') {
+				if (!left)
+					zero = 1;
+				format++;
+			} else
+				break;
+		} while (1);
+
+		/*
+		 * Width.
+		 */
+		if (*format == '*') {
+			width = va_arg(ap, int);
+			format++;
+		} else if (isdigit((unsigned char)*format)) {
+			char *e;
+			width = strtoul(format, &e, 10);
+			format = e;
+		}
+
+		/*
+		 * Precision.
+		 */
+		if (*format == '.') {
+			format++;
+			dot = 1;
+			if (*format == '*') {
+				precision = va_arg(ap, int);
+				precision_set = true;
+				format++;
+			} else if (isdigit((unsigned char)*format)) {
+				char *e;
+				precision = strtoul(format, &e, 10);
+				precision_set = true;
+				format = e;
+			}
+		}
+
+		switch (*format) {
+		case '\0':
+			continue;
+		case '%':
+			emit(*format, arg);
+			count++;
+			break;
+		case 'q':
+			q = 1;
+			format++;
+			goto doint;
+		case 'h':
+			h = 1;
+			format++;
+			goto doint;
+		case 'l':
+			l = 1;
+			format++;
+			if (*format == 'l') {
+				q = 1;
+				format++;
+			}
+			goto doint;
+		case 'z':
+			z = 1;
+			format++;
+			goto doint;
+#ifdef WIN32
+		case 'I':
+			/* Windows has I64 as a modifier for a quad. */
+			if (format[1] == '6' && format[2] == '4') {
+				q = 1;
+				format += 3;
+				goto doint;
+			}
+			continue;
+#endif
+		case 'n':
+		case 'i':
+		case 'd':
+		case 'o':
+		case 'u':
+		case 'x':
+		case 'X':
+		doint:
+			if (precision != 0U)
+				zero = 0;
+			switch (*format) {
+			case 'n':
+				if (h) {
+					short int *p;
+					p = va_arg(ap, short *);
+					assert(p != NULL);
+					*p = count;
+				} else if (l) {
+					long int *p;
+					p = va_arg(ap, long *);
+					assert(p != NULL);
+					*p = count;
+				} else if (z) {
+					size_t *p;
+					p = va_arg(ap, size_t *);
+					assert(p != NULL);
+					*p = count;
+				} else {
+					int *p;
+					p = va_arg(ap, int *);
+					assert(p != NULL);
+					*p = count;
+				}
+				break;
+			case 'i':
+			case 'd':
+				if (q)
+					tmpi = va_arg(ap, int64_t);
+				else if (l)
+					tmpi = va_arg(ap, long int);
+				else if (z)
+					tmpi = va_arg(ap, ssize_t);
+				else
+					tmpi = va_arg(ap, int);
+				if (tmpi < 0) {
+					head = "-";
+					tmpui = -tmpi;
+				} else {
+					if (plus)
+						head = "+";
+					else if (space)
+						head = " ";
+					else
+						head = "";
+					tmpui = tmpi;
+				}
+				if (tmpui <= 0xffffffffU)
+					sprintf(buf, "%lu",
+						(unsigned long)tmpui);
+				else {
+					unsigned long mid;
+					unsigned long lo;
+					unsigned long hi;
+					lo = tmpui % 1000000000;
+					tmpui /= 1000000000;
+					mid = tmpui % 1000000000;
+					hi = tmpui / 1000000000;
+					if (hi != 0U) {
+						sprintf(buf, "%lu", hi);
+						sprintf(buf + strlen(buf),
+							"%09lu", mid);
+					} else
+						sprintf(buf, "%lu", mid);
+					sprintf(buf + strlen(buf), "%09lu",
+						lo);
+				}
+				goto printint;
+			case 'o':
+				if (q)
+					tmpui = va_arg(ap, uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, int);
+				if (tmpui <= 0xffffffffU)
+					sprintf(buf, alt ?  "%#lo" : "%lo",
+						(unsigned long)tmpui);
+				else {
+					unsigned long mid;
+					unsigned long lo;
+					unsigned long hi;
+					lo = tmpui % 010000000000;
+					tmpui /= 010000000000;
+					mid = tmpui % 010000000000;
+					hi = tmpui / 010000000000;
+					if (hi != 0U) {
+						sprintf(buf,
+							alt ?  "%#lo" : "%lo",
+							hi);
+						sprintf(buf + strlen(buf),
+							"%09lo", mid);
+					} else
+						sprintf(buf,
+							alt ?  "%#lo" : "%lo",
+							mid);
+					sprintf(buf + strlen(buf), "%09lo", lo);
+				}
+				goto printint;
+			case 'u':
+				if (q)
+					tmpui = va_arg(ap, uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (tmpui <= 0xffffffffU)
+					sprintf(buf, "%lu",
+						(unsigned long)tmpui);
+				else {
+					unsigned long mid;
+					unsigned long lo;
+					unsigned long hi;
+					lo = tmpui % 1000000000;
+					tmpui /= 1000000000;
+					mid = tmpui % 1000000000;
+					hi = tmpui / 1000000000;
+					if (hi != 0U) {
+						sprintf(buf, "%lu", hi);
+						sprintf(buf + strlen(buf),
+							"%09lu", mid);
+					 } else
+						sprintf(buf, "%lu", mid);
+					sprintf(buf + strlen(buf), "%09lu",
+						lo);
+				}
+				goto printint;
+			case 'x':
+				if (q)
+					tmpui = va_arg(ap, uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0x";
+					if (precision > 2U)
+						precision -= 2;
+				}
+				if (tmpui <= 0xffffffffU)
+					sprintf(buf, "%lx",
+						(unsigned long)tmpui);
+				else {
+					unsigned long hi = tmpui>>32;
+					unsigned long lo = tmpui & 0xffffffff;
+					sprintf(buf, "%lx", hi);
+					sprintf(buf + strlen(buf), "%08lx", lo);
+				}
+				goto printint;
+			case 'X':
+				if (q)
+					tmpui = va_arg(ap, uint64_t);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0X";
+					if (precision > 2U)
+						precision -= 2;
+				}
+				if (tmpui <= 0xffffffffU)
+					sprintf(buf, "%lX",
+						(unsigned long)tmpui);
+				else  {
+					unsigned long hi = tmpui>>32;
+					unsigned long lo = tmpui & 0xffffffff;
+					sprintf(buf, "%lX", hi);
+					sprintf(buf + strlen(buf), "%08lX", lo);
+				}
+				goto printint;
+			printint:
+				if (precision_set || width != 0U) {
+					length = strlen(buf);
+					if (length < precision)
+						zeropad = precision - length;
+					else if (length < width && zero)
+						zeropad = width - length;
+					if (width != 0U) {
+						pad = width - length -
+						      zeropad - strlen(head);
+						if (pad < 0)
+							pad = 0;
+					}
+				}
+				count += strlen(head) + strlen(buf) + pad +
+					 zeropad;
+				if (!left) {
+					while (pad > 0) {
+						emit(' ', arg);
+						pad--;
+					}
+				}
+				cp = head;
+				while (*cp != '\0')
+					emit(*cp++, arg);
+				while (zeropad > 0) {
+					emit('0', arg);
+					zeropad--;
+				}
+				cp = buf;
+				while (*cp != '\0')
+					emit(*cp++, arg);
+				while (pad > 0) {
+					emit(' ', arg);
+					pad--;
+				}
+				break;
+			default:
+				break;
+			}
+			break;
+		case 's':
+			cp = va_arg(ap, char *);
+
+			if (precision_set) {
+				/*
+				 * cp need not be NULL terminated.
+				 */
+				const char *tp;
+				unsigned long n;
+
+				if (precision != 0U)
+					assert(cp != NULL);
+				n = precision;
+				tp = cp;
+				while (n != 0U && *tp != '\0')
+					n--, tp++;
+				length = precision - n;
+			} else {
+				assert(cp != NULL);
+				length = strlen(cp);
+			}
+			if (width != 0U) {
+				pad = width - length;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += pad + length;
+			if (!left)
+				while (pad > 0) {
+					emit(' ', arg);
+					pad--;
+				}
+			if (precision_set)
+				while (precision > 0U && *cp != '\0') {
+					emit(*cp++, arg);
+					precision--;
+				}
+			else
+				while (*cp != '\0')
+					emit(*cp++, arg);
+			while (pad > 0) {
+				emit(' ', arg);
+				pad--;
+			}
+			break;
+		case 'c':
+			c = va_arg(ap, int);
+			if (width > 0U) {
+				count += width;
+				width--;
+				if (left)
+					emit(c, arg);
+				while (width-- > 0U)
+					emit(' ', arg);
+				if (!left)
+					emit(c, arg);
+			} else {
+				count++;
+				emit(c, arg);
+			}
+			break;
+		case 'p':
+			v = va_arg(ap, void *);
+			sprintf(buf, "%p", v);
+			length = strlen(buf);
+			if (precision > length)
+				zeropad = precision - length;
+			if (width > 0U) {
+				pad = width - length - zeropad;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += length + pad + zeropad;
+			if (!left)
+				while (pad > 0) {
+					emit(' ', arg);
+					pad--;
+				}
+			cp = buf;
+			if (zeropad > 0 && buf[0] == '0' &&
+			    (buf[1] == 'x' || buf[1] == 'X')) {
+				emit(*cp++, arg);
+				emit(*cp++, arg);
+				while (zeropad > 0) {
+					emit('0', arg);
+					zeropad--;
+				}
+			}
+			while (*cp != '\0')
+				emit(*cp++, arg);
+			while (pad > 0) {
+				emit(' ', arg);
+				pad--;
+			}
+			break;
+		case 'D':	/*deprecated*/
+			assert("use %ld instead of %D" == NULL);
+		case 'O':	/*deprecated*/
+			assert("use %lo instead of %O" == NULL);
+		case 'U':	/*deprecated*/
+			assert("use %lu instead of %U" == NULL);
+
+		case 'L':
+#ifdef HAVE_LONG_DOUBLE
+			l = 1;
+#else
+			assert("long doubles are not supported" == NULL);
+#endif
+			/* FALLTHROUGH */
+		case 'e':
+		case 'E':
+		case 'f':
+		case 'g':
+		case 'G':
+			if (!dot)
+				precision = 6;
+			/*
+			 * IEEE floating point.
+			 * MIN 2.2250738585072014E-308
+			 * MAX 1.7976931348623157E+308
+			 * VAX floating point has a smaller range than IEEE.
+			 *
+			 * precisions > 324 don't make much sense.
+			 * if we cap the precision at 512 we will not
+			 * overflow buf.
+			 */
+			if (precision > 512U)
+				precision = 512;
+			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
+				plus ? "+" : space ? " " : "",
+				precision, l ? "L" : "", *format);
+			switch (*format) {
+			case 'e':
+			case 'E':
+			case 'f':
+			case 'g':
+			case 'G':
+#ifdef HAVE_LONG_DOUBLE
+				if (l) {
+					ldbl = va_arg(ap, long double);
+					sprintf(buf, fmt, ldbl);
+				} else
+#endif
+				{
+					dbl = va_arg(ap, double);
+					sprintf(buf, fmt, dbl);
+				}
+				length = strlen(buf);
+				if (width > 0U) {
+					pad = width - length;
+					if (pad < 0)
+						pad = 0;
+				}
+				count += length + pad;
+				if (!left)
+					while (pad > 0) {
+						emit(' ', arg);
+						pad--;
+					}
+				cp = buf;
+				while (*cp != '\0')
+					emit(*cp++, arg);
+				while (pad > 0) {
+					emit(' ', arg);
+					pad--;
+				}
+				break;
+			default:
+				continue;
+			}
+			break;
+		default:
+			continue;
+		}
+		format++;
+	}
+	return (count);
+}
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
new file mode 100644
index 0000000..af4fd6e
--- /dev/null
+++ b/lib/isc/pthreads/Makefile.in
@@ -0,0 +1,30 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../unix/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS =		condition.@O@ mutex.@O@ thread.@O@
+
+SRCS =		condition.c mutex.c thread.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
new file mode 100644
index 0000000..a7f1928
--- /dev/null
+++ b/lib/isc/pthreads/condition.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+
+#include <isc/condition.h>
+#include <isc/msgs.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
+	int presult;
+	isc_result_t result;
+	struct timespec ts;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(c != NULL && m != NULL && t != NULL);
+
+	/*
+	 * POSIX defines a timespec's tv_sec as time_t.
+	 */
+	result = isc_time_secondsastimet(t, &ts.tv_sec);
+
+	/*
+	 * If we have a range error ts.tv_sec is most probably a signed
+	 * 32 bit value.  Set ts.tv_sec to INT_MAX.  This is a kludge.
+	 */
+	if (result == ISC_R_RANGE)
+		ts.tv_sec = INT_MAX;
+	else if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*!
+	 * POSIX defines a timespec's tv_nsec as long.  isc_time_nanoseconds
+	 * ensures its return value is < 1 billion, which will fit in a long.
+	 */
+	ts.tv_nsec = (long)isc_time_nanoseconds(t);
+
+	do {
+#if ISC_MUTEX_PROFILE
+		presult = pthread_cond_timedwait(c, &m->mutex, &ts);
+#else
+		presult = pthread_cond_timedwait(c, m, &ts);
+#endif
+		if (presult == 0)
+			return (ISC_R_SUCCESS);
+		if (presult == ETIMEDOUT)
+			return (ISC_R_TIMEDOUT);
+	} while (presult == EINTR);
+
+	isc__strerror(presult, strbuf, sizeof(strbuf));
+	UNEXPECTED_ERROR(__FILE__, __LINE__,
+			 "pthread_cond_timedwait() %s %s",
+			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+					ISC_MSG_RETURNED, "returned"),
+			 strbuf);
+	return (ISC_R_UNEXPECTED);
+}
diff --git a/lib/isc/pthreads/include/Makefile.in b/lib/isc/pthreads/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/pthreads/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/pthreads/include/isc/Makefile.in b/lib/isc/pthreads/include/isc/Makefile.in
new file mode 100644
index 0000000..185534f
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
new file mode 100644
index 0000000..28338c7
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+typedef pthread_cond_t isc_condition_t;
+
+#define isc_condition_init(cp) \
+	((pthread_cond_init((cp), NULL) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#if ISC_MUTEX_PROFILE
+#define isc_condition_wait(cp, mp) \
+	((pthread_cond_wait((cp), &((mp)->mutex)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#else
+#define isc_condition_wait(cp, mp) \
+	((pthread_cond_wait((cp), (mp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#define isc_condition_signal(cp) \
+	((pthread_cond_signal((cp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_broadcast(cp) \
+	((pthread_cond_broadcast((cp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_destroy(cp) \
+	((pthread_cond_destroy((cp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CONDITION_H */
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
new file mode 100644
index 0000000..6c34a69
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+/*! \file */
+
+#include <pthread.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>		/* for ISC_R_ codes */
+
+ISC_LANG_BEGINDECLS
+
+/*!
+ * Supply mutex attributes that enable deadlock detection
+ * (helpful when debugging).  This is system dependent and
+ * currently only supported on NetBSD.
+ */
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+extern pthread_mutexattr_t isc__mutex_attrs;
+#define ISC__MUTEX_ATTRS &isc__mutex_attrs
+#else
+#define ISC__MUTEX_ATTRS NULL
+#endif
+
+/* XXX We could do fancier error handling... */
+
+/*!
+ * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line.  When
+ * enabled, isc_mutex_stats() can be used to print a table showing the
+ * number of times each type of mutex was locked and the amount of time
+ * waiting to obtain the lock.
+ */
+#ifndef ISC_MUTEX_PROFILE
+#define ISC_MUTEX_PROFILE 0
+#endif
+
+#if ISC_MUTEX_PROFILE
+typedef struct isc_mutexstats isc_mutexstats_t;
+
+typedef struct {
+	pthread_mutex_t		mutex;	/*%< The actual mutex. */
+	isc_mutexstats_t *	stats;	/*%< Mutex statistics. */
+} isc_mutex_t;
+#else
+typedef pthread_mutex_t	isc_mutex_t;
+#endif
+
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_init(mp) \
+	isc_mutex_init_profile((mp), __FILE__, __LINE__)
+#else
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+#define isc_mutex_init(mp) \
+	isc_mutex_init_errcheck((mp))
+#else
+#define isc_mutex_init(mp) \
+	isc__mutex_init((mp), __FILE__, __LINE__)
+isc_result_t isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line);
+#endif
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_lock(mp) \
+	isc_mutex_lock_profile((mp), __FILE__, __LINE__)
+#else
+#define isc_mutex_lock(mp) \
+	((pthread_mutex_lock((mp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_unlock(mp) \
+	isc_mutex_unlock_profile((mp), __FILE__, __LINE__)
+#else
+#define isc_mutex_unlock(mp) \
+	((pthread_mutex_unlock((mp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_trylock(mp) \
+	((pthread_mutex_trylock((&(mp)->mutex)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#else
+#define isc_mutex_trylock(mp) \
+	((pthread_mutex_trylock((mp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_destroy(mp) \
+	((pthread_mutex_destroy((&(mp)->mutex)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#else
+#define isc_mutex_destroy(mp) \
+	((pthread_mutex_destroy((mp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);
+#else
+#define isc_mutex_stats(fp)
+#endif
+
+#if ISC_MUTEX_PROFILE
+
+isc_result_t
+isc_mutex_init_profile(isc_mutex_t *mp, const char * _file, int _line);
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char * _file, int _line);
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
+
+void
+isc_mutex_statsprofile(FILE *fp);
+
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp);
+
+#endif /* ISC_MUTEX_PROFILE */
+
+ISC_LANG_ENDDECLS
+#endif /* ISC_MUTEX_H */
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
new file mode 100644
index 0000000..a0e9559
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+/*! \file */
+
+#include <pthread.h>
+
+#include <isc/platform.h>
+#include <isc/result.h>
+
+typedef pthread_once_t isc_once_t;
+
+#ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
+/*!
+ * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
+ */
+#define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
+#else
+/*!
+ * This is the usual case.
+ */
+#define ISC_ONCE_INIT PTHREAD_ONCE_INIT
+#endif
+
+/* XXX We could do fancier error handling... */
+
+#define isc_once_do(op, f) \
+	((pthread_once((op), (f)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#endif /* ISC_ONCE_H */
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
new file mode 100644
index 0000000..798af33
--- /dev/null
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+/*! \file */
+
+#include <pthread.h>
+
+#if defined(HAVE_PTHREAD_NP_H)
+#include <pthread_np.h>
+#endif
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef pthread_t isc_thread_t;
+typedef void * isc_threadresult_t;
+typedef void * isc_threadarg_t;
+typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
+typedef pthread_key_t isc_thread_key_t;
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+void
+isc_thread_yield(void);
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name);
+
+/* XXX We could do fancier error handling... */
+
+#define isc_thread_join(t, rp) \
+	((pthread_join((t), (rp)) == 0) ? \
+	 ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_thread_self \
+	(unsigned long)pthread_self
+
+#define isc_thread_key_create pthread_key_create
+#define isc_thread_key_getspecific pthread_getspecific
+#define isc_thread_key_setspecific pthread_setspecific
+#define isc_thread_key_delete pthread_key_delete
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c
new file mode 100644
index 0000000..cd45e6b
--- /dev/null
+++ b/lib/isc/pthreads/mutex.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <time.h>
+#include <sys/time.h>
+#include <errno.h>
+
+#include <isc/mutex.h>
+#include <isc/util.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/once.h>
+
+#if ISC_MUTEX_PROFILE
+
+/*@{*/
+/*% Operations on timevals; adapted from FreeBSD's sys/time.h */
+#define timevalclear(tvp)      ((tvp)->tv_sec = (tvp)->tv_usec = 0)
+#define timevaladd(vvp, uvp)						\
+	do {								\
+		(vvp)->tv_sec += (uvp)->tv_sec;				\
+		(vvp)->tv_usec += (uvp)->tv_usec;			\
+		if ((vvp)->tv_usec >= 1000000) {			\
+			(vvp)->tv_sec++;				\
+			(vvp)->tv_usec -= 1000000;			\
+		}							\
+	} while (0)
+#define timevalsub(vvp, uvp)						\
+	do {								\
+		(vvp)->tv_sec -= (uvp)->tv_sec;				\
+		(vvp)->tv_usec -= (uvp)->tv_usec;			\
+		if ((vvp)->tv_usec < 0) {				\
+			(vvp)->tv_sec--;				\
+			(vvp)->tv_usec += 1000000;			\
+		}							\
+	} while (0)
+
+/*@}*/
+
+#define ISC_MUTEX_MAX_LOCKERS 32
+
+typedef struct {
+	const char *		file;
+	int			line;
+	unsigned		count;
+	struct timeval		locked_total;
+	struct timeval		wait_total;
+} isc_mutexlocker_t;
+
+struct isc_mutexstats {
+	const char *		file;	/*%< File mutex was created in. */
+	int			line;	/*%< Line mutex was created on. */
+	unsigned		count;
+	struct timeval		lock_t;
+	struct timeval		locked_total;
+	struct timeval		wait_total;
+	isc_mutexlocker_t *	cur_locker;
+	isc_mutexlocker_t	lockers[ISC_MUTEX_MAX_LOCKERS];
+};
+
+#ifndef ISC_MUTEX_PROFTABLESIZE
+#define ISC_MUTEX_PROFTABLESIZE (1024 * 1024)
+#endif
+static isc_mutexstats_t stats[ISC_MUTEX_PROFTABLESIZE];
+static int stats_next = 0;
+static bool stats_init = false;
+static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
+
+
+isc_result_t
+isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
+	int i, err;
+
+	err = pthread_mutex_init(&mp->mutex, NULL);
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	if (err != 0)
+		return (ISC_R_UNEXPECTED);
+
+	RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
+
+	if (stats_init == false)
+		stats_init = true;
+
+	/*
+	 * If all statistics entries have been used, give up and trigger an
+	 * assertion failure.  There would be no other way to deal with this
+	 * because we'd like to keep record of all locks for the purpose of
+	 * debugging and the number of necessary locks is unpredictable.
+	 * If this failure is triggered while debugging, named should be
+	 * rebuilt with an increased ISC_MUTEX_PROFTABLESIZE.
+	 */
+	RUNTIME_CHECK(stats_next < ISC_MUTEX_PROFTABLESIZE);
+	mp->stats = &stats[stats_next++];
+
+	RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);
+
+	mp->stats->file = file;
+	mp->stats->line = line;
+	mp->stats->count = 0;
+	timevalclear(&mp->stats->locked_total);
+	timevalclear(&mp->stats->wait_total);
+	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+		mp->stats->lockers[i].file = NULL;
+		mp->stats->lockers[i].line = 0;
+		mp->stats->lockers[i].count = 0;
+		timevalclear(&mp->stats->lockers[i].locked_total);
+		timevalclear(&mp->stats->lockers[i].wait_total);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
+	struct timeval prelock_t;
+	struct timeval postlock_t;
+	isc_mutexlocker_t *locker = NULL;
+	int i;
+
+	gettimeofday(&prelock_t, NULL);
+
+	if (pthread_mutex_lock(&mp->mutex) != 0)
+		return (ISC_R_UNEXPECTED);
+
+	gettimeofday(&postlock_t, NULL);
+	mp->stats->lock_t = postlock_t;
+
+	timevalsub(&postlock_t, &prelock_t);
+
+	mp->stats->count++;
+	timevaladd(&mp->stats->wait_total, &postlock_t);
+
+	for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+		if (mp->stats->lockers[i].file == NULL) {
+			locker = &mp->stats->lockers[i];
+			locker->file = file;
+			locker->line = line;
+			break;
+		} else if (mp->stats->lockers[i].file == file &&
+			   mp->stats->lockers[i].line == line) {
+			locker = &mp->stats->lockers[i];
+			break;
+		}
+	}
+
+	if (locker != NULL) {
+		locker->count++;
+		timevaladd(&locker->wait_total, &postlock_t);
+	}
+
+	mp->stats->cur_locker = locker;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char *file, int line) {
+	struct timeval unlock_t;
+
+	UNUSED(file);
+	UNUSED(line);
+
+	if (mp->stats->cur_locker != NULL) {
+		gettimeofday(&unlock_t, NULL);
+		timevalsub(&unlock_t, &mp->stats->lock_t);
+		timevaladd(&mp->stats->locked_total, &unlock_t);
+		timevaladd(&mp->stats->cur_locker->locked_total, &unlock_t);
+		mp->stats->cur_locker = NULL;
+	}
+
+	return ((pthread_mutex_unlock((&mp->mutex)) == 0) ? \
+		ISC_R_SUCCESS : ISC_R_UNEXPECTED);
+}
+
+
+void
+isc_mutex_statsprofile(FILE *fp) {
+	isc_mutexlocker_t *locker;
+	int i, j;
+
+	fprintf(fp, "Mutex stats (in us)\n");
+	for (i = 0; i < stats_next; i++) {
+		fprintf(fp, "%-12s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
+			stats[i].file, stats[i].line, stats[i].count,
+			stats[i].locked_total.tv_sec,
+			stats[i].locked_total.tv_usec,
+			stats[i].wait_total.tv_sec,
+			stats[i].wait_total.tv_usec,
+			i);
+		for (j = 0; j < ISC_MUTEX_MAX_LOCKERS; j++) {
+			locker = &stats[i].lockers[j];
+			if (locker->file == NULL)
+				continue;
+			fprintf(fp, " %-11s %4d: %10u  %lu.%06lu %lu.%06lu %5d\n",
+				locker->file, locker->line, locker->count,
+				locker->locked_total.tv_sec,
+				locker->locked_total.tv_usec,
+				locker->wait_total.tv_sec,
+				locker->wait_total.tv_usec,
+				i);
+		}
+	}
+}
+
+#endif /* ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+
+static bool errcheck_initialized = false;
+static pthread_mutexattr_t errcheck;
+static isc_once_t once_errcheck = ISC_ONCE_INIT;
+
+static void
+initialize_errcheck(void) {
+	RUNTIME_CHECK(pthread_mutexattr_init(&errcheck) == 0);
+	RUNTIME_CHECK(pthread_mutexattr_settype
+		      (&errcheck, PTHREAD_MUTEX_ERRORCHECK) == 0);
+	errcheck_initialized = true;
+}
+
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp) {
+	isc_result_t result;
+	int err;
+
+	result = isc_once_do(&once_errcheck, initialize_errcheck);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	err = pthread_mutex_init(mp, &errcheck);
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	return ((err == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED);
+}
+#endif
+
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+pthread_mutexattr_t isc__mutex_attrs = {
+	PTHREAD_MUTEX_ERRORCHECK,	/* m_type */
+	0				/* m_flags, which appears to be unused. */
+};
+#endif
+
+#if !(ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)) && !ISC_MUTEX_PROFILE
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+static bool attr_initialized = false;
+static pthread_mutexattr_t attr;
+static isc_once_t once_attr = ISC_ONCE_INIT;
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+static void
+initialize_attr(void) {
+	RUNTIME_CHECK(pthread_mutexattr_init(&attr) == 0);
+	RUNTIME_CHECK(pthread_mutexattr_settype
+		      (&attr, PTHREAD_MUTEX_ADAPTIVE_NP) == 0);
+	attr_initialized = true;
+}
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+
+isc_result_t
+isc__mutex_init(isc_mutex_t *mp, const char *file, unsigned int line) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result = ISC_R_SUCCESS;
+	int err;
+
+#ifdef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
+	result = isc_once_do(&once_attr, initialize_attr);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	err = pthread_mutex_init(mp, &attr);
+#else /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+	err = pthread_mutex_init(mp, ISC__MUTEX_ATTRS);
+#endif /* HAVE_PTHREAD_MUTEX_ADAPTIVE_NP */
+
+	if (err == ENOMEM)
+		return (ISC_R_NOMEMORY);
+	if (err != 0) {
+		isc__strerror(err, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(file, line, "isc_mutex_init() failed: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+}
+#endif
diff --git a/lib/isc/pthreads/thread.c b/lib/isc/pthreads/thread.c
new file mode 100644
index 0000000..94fb2c2
--- /dev/null
+++ b/lib/isc/pthreads/thread.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#if defined(HAVE_SCHED_H)
+#include <sched.h>
+#endif
+
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#ifndef THREAD_MINSTACKSIZE
+#define THREAD_MINSTACKSIZE		(1024U * 1024)
+#endif
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
+		  isc_thread_t *thread)
+{
+	pthread_attr_t attr;
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
+	size_t stacksize;
+#endif
+	int ret;
+
+	pthread_attr_init(&attr);
+
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
+	ret = pthread_attr_getstacksize(&attr, &stacksize);
+	if (ret != 0)
+		return (ISC_R_UNEXPECTED);
+
+	if (stacksize < THREAD_MINSTACKSIZE) {
+		ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
+		if (ret != 0)
+			return (ISC_R_UNEXPECTED);
+	}
+#endif
+
+#if defined(PTHREAD_SCOPE_SYSTEM) && defined(NEED_PTHREAD_SCOPE_SYSTEM)
+	ret = pthread_attr_setscope(&attr, PTHREAD_SCOPE_SYSTEM);
+	if (ret != 0)
+		return (ISC_R_UNEXPECTED);
+#endif
+
+	ret = pthread_create(thread, &attr, func, arg);
+	if (ret != 0)
+		return (ISC_R_UNEXPECTED);
+
+	pthread_attr_destroy(&attr);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+#if defined(CALL_PTHREAD_SETCONCURRENCY)
+	(void)pthread_setconcurrency(level);
+#else
+	UNUSED(level);
+#endif
+}
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name) {
+#if defined(HAVE_PTHREAD_SETNAME_NP) && defined(_GNU_SOURCE)
+	/*
+	 * macOS has pthread_setname_np but only works on the
+	 * current thread so it's not used here
+	*/
+	(void)pthread_setname_np(thread, name);
+#elif defined(HAVE_PTHREAD_SET_NAME_NP)
+	(void)pthread_set_name_np(thread, name);
+#else
+	UNUSED(thread);
+	UNUSED(name);
+#endif
+}
+
+void
+isc_thread_yield(void) {
+#if defined(HAVE_SCHED_YIELD)
+	sched_yield();
+#elif defined( HAVE_PTHREAD_YIELD)
+	pthread_yield();
+#elif defined( HAVE_PTHREAD_YIELD_NP)
+	pthread_yield_np();
+#endif
+}
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
new file mode 100644
index 0000000..3ddff0d
--- /dev/null
+++ b/lib/isc/quota.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/quota.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_quota_init(isc_quota_t *quota, int max) {
+	quota->max = max;
+	quota->used = 0;
+	quota->soft = 0;
+	return (isc_mutex_init(&quota->lock));
+}
+
+void
+isc_quota_destroy(isc_quota_t *quota) {
+	INSIST(quota->used == 0);
+	quota->max = 0;
+	quota->used = 0;
+	quota->soft = 0;
+	DESTROYLOCK(&quota->lock);
+}
+
+void
+isc_quota_soft(isc_quota_t *quota, int soft) {
+	LOCK(&quota->lock);
+	quota->soft = soft;
+	UNLOCK(&quota->lock);
+}
+
+void
+isc_quota_max(isc_quota_t *quota, int max) {
+	LOCK(&quota->lock);
+	quota->max = max;
+	UNLOCK(&quota->lock);
+}
+
+isc_result_t
+isc_quota_reserve(isc_quota_t *quota) {
+	isc_result_t result;
+	LOCK(&quota->lock);
+	if (quota->max == 0 || quota->used < quota->max) {
+		if (quota->soft == 0 || quota->used < quota->soft)
+			result = ISC_R_SUCCESS;
+		else
+			result = ISC_R_SOFTQUOTA;
+		quota->used++;
+	} else
+		result = ISC_R_QUOTA;
+	UNLOCK(&quota->lock);
+	return (result);
+}
+
+void
+isc_quota_release(isc_quota_t *quota) {
+	LOCK(&quota->lock);
+	INSIST(quota->used > 0);
+	quota->used--;
+	UNLOCK(&quota->lock);
+}
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
+{
+	isc_result_t result;
+	INSIST(p != NULL && *p == NULL);
+	result = isc_quota_reserve(quota);
+	if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+		*p = quota;
+	return (result);
+}
+
+void
+isc_quota_detach(isc_quota_t **p)
+{
+	INSIST(p != NULL && *p != NULL);
+	isc_quota_release(*p);
+	*p = NULL;
+}
diff --git a/lib/isc/radix.c b/lib/isc/radix.c
new file mode 100644
index 0000000..6299dfe
--- /dev/null
+++ b/lib/isc/radix.c
@@ -0,0 +1,728 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This source was adapted from MRT's RCS Ids:
+ * Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp
+ * Id: prefix.c,v 1.37.2.9 2000/03/10 02:53:19 labovit Exp
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#include <isc/radix.h>
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family,
+	    void *dest, int bitlen);
+
+static void
+_deref_prefix(isc_prefix_t *prefix);
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix);
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask);
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest,
+	    int bitlen)
+{
+	isc_prefix_t *prefix;
+
+	REQUIRE(target != NULL);
+
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
+	if (prefix == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (family == AF_INET6) {
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
+		memmove(&prefix->add.sin6, dest, 16);
+	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
+		memmove(&prefix->add.sin, dest, 4);
+	}
+
+	prefix->family = family;
+	prefix->ecs = false;
+	prefix->mctx = NULL;
+	isc_mem_attach(mctx, &prefix->mctx);
+
+	isc_refcount_init(&prefix->refcount, 1);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+_deref_prefix(isc_prefix_t *prefix) {
+	int refs;
+
+	if (prefix == NULL)
+		return;
+
+	isc_refcount_decrement(&prefix->refcount, &refs);
+
+	if (refs <= 0) {
+		isc_refcount_destroy(&prefix->refcount);
+		isc_mem_putanddetach(&prefix->mctx, prefix,
+				     sizeof(isc_prefix_t));
+	}
+}
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
+	INSIST(prefix != NULL);
+	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
+	REQUIRE(target != NULL && *target == NULL);
+
+	/*
+	 * If this prefix is a static allocation, copy it into new memory.
+	 * (Note, the refcount still has to be destroyed by the calling
+	 * routine.)
+	 */
+	if (isc_refcount_current(&prefix->refcount) == 0) {
+		isc_result_t ret;
+		ret = _new_prefix(mctx, target, prefix->family,
+				  &prefix->add, prefix->bitlen);
+		return (ret);
+	}
+
+	isc_refcount_increment(&prefix->refcount, NULL);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask) {
+
+	/* Mask length of zero matches everything */
+	if (mask == 0)
+		return (1);
+
+	if (memcmp(addr, dest, mask / 8) == 0) {
+		u_int n = mask / 8;
+		u_int m = ((~0U) << (8 - (mask % 8)));
+
+		if ((mask % 8) == 0 ||
+		    (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
+			return (1);
+	}
+	return (0);
+}
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits) {
+	isc_radix_tree_t *radix;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	radix = isc_mem_get(mctx, sizeof(isc_radix_tree_t));
+	if (radix == NULL)
+		return (ISC_R_NOMEMORY);
+
+	radix->mctx = NULL;
+	isc_mem_attach(mctx, &radix->mctx);
+	radix->maxbits = maxbits;
+	radix->head = NULL;
+	radix->num_active_node = 0;
+	radix->num_added_node = 0;
+	RUNTIME_CHECK(maxbits <= RADIX_MAXBITS); /* XXX */
+	radix->magic = RADIX_TREE_MAGIC;
+	*target = radix;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * if func is supplied, it will be called as func(node->data)
+ * before deleting the node
+ */
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
+	REQUIRE(radix != NULL);
+
+	if (radix->head != NULL) {
+		isc_radix_node_t *Xstack[RADIX_MAXBITS+1];
+		isc_radix_node_t **Xsp = Xstack;
+		isc_radix_node_t *Xrn = radix->head;
+
+		while (Xrn != NULL) {
+			isc_radix_node_t *l = Xrn->l;
+			isc_radix_node_t *r = Xrn->r;
+
+			if (Xrn->prefix != NULL) {
+				_deref_prefix(Xrn->prefix);
+				if (func != NULL)
+					func(Xrn->data);
+			} else {
+				INSIST(Xrn->data[RADIX_V4] == NULL &&
+				       Xrn->data[RADIX_V6] == NULL &&
+				       Xrn->data[RADIX_V4_ECS] == NULL &&
+				       Xrn->data[RADIX_V6_ECS] == NULL);
+			}
+
+			isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn));
+			radix->num_active_node--;
+
+			if (l != NULL) {
+				if (r != NULL) {
+					*Xsp++ = r;
+				}
+				Xrn = l;
+			} else if (r != NULL) {
+				Xrn = r;
+			} else if (Xsp != Xstack) {
+				Xrn = *(--Xsp);
+			} else {
+				Xrn = NULL;
+			}
+		}
+	}
+	RUNTIME_CHECK(radix->num_active_node == 0);
+}
+
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
+	REQUIRE(radix != NULL);
+	_clear_radix(radix, func);
+	isc_mem_putanddetach(&radix->mctx, radix, sizeof(*radix));
+}
+
+
+/*
+ * func will be called as func(node->prefix, node->data)
+ */
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func) {
+	isc_radix_node_t *node;
+
+	REQUIRE(func != NULL);
+
+	RADIX_WALK(radix->head, node) {
+		func(node->prefix, node->data);
+	} RADIX_WALK_END;
+}
+
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix)
+{
+	isc_radix_node_t *node;
+	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
+	u_char *addr;
+	uint32_t bitlen;
+	int tfam = -1, cnt = 0;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(prefix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	RUNTIME_CHECK(prefix->bitlen <= radix->maxbits);
+
+	*target = NULL;
+
+	if (radix->head == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	node = radix->head;
+	addr = isc_prefix_touchar(prefix);
+	bitlen = prefix->bitlen;
+
+	while (node->bit < bitlen) {
+		if (node->prefix)
+			stack[cnt++] = node;
+
+		if (BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+			node = node->r;
+		else
+			node = node->l;
+
+		if (node == NULL)
+			break;
+	}
+
+	if (node && node->prefix)
+		stack[cnt++] = node;
+
+	while (cnt-- > 0) {
+		node = stack[cnt];
+
+		if (prefix->bitlen < node->bit)
+			continue;
+
+		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
+				    isc_prefix_tochar(prefix),
+				    node->prefix->bitlen))
+		{
+			int fam = ISC_RADIX_FAMILY(prefix);
+			if (node->node_num[fam] != -1 &&
+			    ((*target == NULL) ||
+			     (*target)->node_num[tfam] > node->node_num[fam]))
+			{
+				*target = node;
+				tfam = fam;
+			}
+		}
+	}
+
+	if (*target == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix)
+{
+	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
+	u_char *addr, *test_addr;
+	uint32_t bitlen, fam, check_bit, differ_bit;
+	uint32_t i, j, r;
+	isc_result_t result;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(prefix != NULL || (source != NULL && source->prefix != NULL));
+	RUNTIME_CHECK(prefix == NULL || prefix->bitlen <= radix->maxbits);
+
+	if (prefix == NULL)
+		prefix = source->prefix;
+
+	INSIST(prefix != NULL);
+
+	bitlen = prefix->bitlen;
+	fam = prefix->family;
+
+	if (radix->head == NULL) {
+		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+		if (node == NULL)
+			return (ISC_R_NOMEMORY);
+		node->bit = bitlen;
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			node->node_num[i] = -1;
+		}
+		node->prefix = NULL;
+		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(radix->mctx, node,
+				    sizeof(isc_radix_node_t));
+			return (result);
+		}
+		node->parent = NULL;
+		node->l = node->r = NULL;
+		if (source != NULL) {
+			/*
+			 * If source is non-NULL, then we're merging in a
+			 * node from an existing radix tree.  To keep
+			 * the node_num values consistent, the calling
+			 * function will add the total number of nodes
+			 * added to num_added_node at the end of
+			 * the merge operation--we don't do it here.
+			 */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				if (source->node_num[i] != -1) {
+					node->node_num[i] =
+						radix->num_added_node +
+						source->node_num[i];
+				}
+				node->data[i] = source->data[i];
+			}
+		} else {
+			int next = ++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					node->node_num[i] = next;
+				}
+			} else {
+				node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+			}
+
+			memset(node->data, 0, sizeof(node->data));
+		}
+		radix->head = node;
+		radix->num_active_node++;
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	addr = isc_prefix_touchar(prefix);
+	node = radix->head;
+
+	while (node->bit < bitlen || node->prefix == NULL) {
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			if (node->r == NULL)
+				break;
+			node = node->r;
+		} else {
+			if (node->l == NULL)
+				break;
+			node = node->l;
+		}
+
+		INSIST(node != NULL);
+	}
+
+	INSIST(node->prefix != NULL);
+
+	test_addr = isc_prefix_touchar(node->prefix);
+	/* Find the first bit different. */
+	check_bit = (node->bit < bitlen) ? node->bit : bitlen;
+	differ_bit = 0;
+	for (i = 0; i * 8 < check_bit; i++) {
+		if ((r = (addr[i] ^ test_addr[i])) == 0) {
+			differ_bit = (i + 1) * 8;
+			continue;
+		}
+		/* I know the better way, but for now. */
+		for (j = 0; j < 8; j++) {
+			if (BIT_TEST(r, (0x80 >> j)))
+				break;
+		}
+		/* Must be found. */
+		INSIST(j < 8);
+		differ_bit = i * 8 + j;
+		break;
+	}
+
+	if (differ_bit > check_bit)
+		differ_bit = check_bit;
+
+	parent = node->parent;
+	while (parent != NULL && parent->bit >= differ_bit) {
+		node = parent;
+		parent = node->parent;
+	}
+
+	if (differ_bit == bitlen && node->bit == bitlen) {
+		if (node->prefix != NULL) {
+			/* Set node_num only if it hasn't been set before */
+			if (source != NULL) {
+				/* Merging nodes */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					if (node->node_num[i] == -1 &&
+					    source->node_num[i] != -1) {
+						node->node_num[i] =
+							radix->num_added_node +
+							source->node_num[i];
+						node->data[i] = source->data[i];
+					}
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+					/* "any" or "none" */
+					int next = radix->num_added_node + 1;
+					for (i = 0; i < RADIX_FAMILIES; i++) {
+						if (node->node_num[i] == -1) {
+							node->node_num[i] =
+								next;
+							radix->num_added_node =
+								next;
+						}
+					}
+				} else {
+					int foff = ISC_RADIX_FAMILY(prefix);
+					if (node->node_num[foff] == -1) {
+						node->node_num[foff] =
+							++radix->num_added_node;
+					}
+				}
+			}
+			*target = node;
+			return (ISC_R_SUCCESS);
+		} else {
+			result = _ref_prefix(radix->mctx,
+					     &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+
+		/* Check everything is null and empty before we proceed */
+		INSIST(node->data[RADIX_V4] == NULL &&
+		       node->node_num[RADIX_V4] == -1 &&
+		       node->data[RADIX_V6] == NULL &&
+		       node->node_num[RADIX_V6] == -1 &&
+		       node->data[RADIX_V4_ECS] == NULL &&
+		       node->node_num[RADIX_V4_ECS] == -1 &&
+		       node->data[RADIX_V6_ECS] == NULL &&
+		       node->node_num[RADIX_V6_ECS] == -1);
+
+		if (source != NULL) {
+			/* Merging node */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				int cur = radix->num_added_node;
+				if (source->node_num[i] != -1) {
+					node->node_num[i] =
+						source->node_num[i] + cur;
+					node->data[i] = source->data[i];
+				}
+			}
+		} else {
+			int next = ++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				for (i = 0; i < RADIX_FAMILIES; i++) {
+					node->node_num[i] = next;
+				}
+			} else {
+				node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+			}
+		}
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	new_node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+	if (new_node == NULL)
+		return (ISC_R_NOMEMORY);
+	if (node->bit != differ_bit && bitlen != differ_bit) {
+		glue = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+		if (glue == NULL) {
+			isc_mem_put(radix->mctx, new_node,
+				    sizeof(isc_radix_node_t));
+			return (ISC_R_NOMEMORY);
+		}
+	}
+	new_node->bit = bitlen;
+	new_node->prefix = NULL;
+	result = _ref_prefix(radix->mctx, &new_node->prefix, prefix);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(radix->mctx, new_node, sizeof(isc_radix_node_t));
+		if (glue != NULL)
+			isc_mem_put(radix->mctx, glue,
+				    sizeof(isc_radix_node_t));
+		return (result);
+	}
+	new_node->parent = NULL;
+	new_node->l = new_node->r = NULL;
+	for (i = 0; i < RADIX_FAMILIES; i++) {
+		new_node->node_num[i] = -1;
+		new_node->data[i] = NULL;
+	}
+	radix->num_active_node++;
+
+	if (source != NULL) {
+		/* Merging node */
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			int cur = radix->num_added_node;
+			if (source->node_num[i] != -1) {
+				new_node->node_num[i] =
+					source->node_num[i] + cur;
+				new_node->data[i] = source->data[i];
+			}
+		}
+	} else {
+		int next = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			for (i = 0; i < RADIX_FAMILIES; i++) {
+				new_node->node_num[i] = next;
+			}
+		} else {
+			new_node->node_num[ISC_RADIX_FAMILY(prefix)] = next;
+		}
+		memset(new_node->data, 0, sizeof(new_node->data));
+	}
+
+	if (node->bit == differ_bit) {
+		INSIST(glue == NULL);
+		new_node->parent = node;
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			INSIST(node->r == NULL);
+			node->r = new_node;
+		} else {
+			INSIST(node->l == NULL);
+			node->l = new_node;
+		}
+		*target = new_node;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (bitlen == differ_bit) {
+		INSIST(glue == NULL);
+		if (bitlen < radix->maxbits &&
+		    BIT_TEST(test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
+			new_node->r = node;
+		} else {
+			new_node->l = node;
+		}
+		new_node->parent = node->parent;
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = new_node;
+		} else if (node->parent->r == node) {
+			node->parent->r = new_node;
+		} else {
+			node->parent->l = new_node;
+		}
+		node->parent = new_node;
+	} else {
+		INSIST(glue != NULL);
+		glue->bit = differ_bit;
+		glue->prefix = NULL;
+		glue->parent = node->parent;
+		for (i = 0; i < RADIX_FAMILIES; i++) {
+			glue->data[i] = NULL;
+			glue->node_num[i] = -1;
+		}
+		radix->num_active_node++;
+		if (differ_bit < radix->maxbits &&
+		    BIT_TEST(addr[differ_bit>>3], 0x80 >> (differ_bit & 07))) {
+			glue->r = new_node;
+			glue->l = node;
+		} else {
+			glue->r = node;
+			glue->l = new_node;
+		}
+		new_node->parent = glue;
+
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = glue;
+		} else if (node->parent->r == node) {
+			node->parent->r = glue;
+		} else {
+			node->parent->l = glue;
+		}
+		node->parent = glue;
+	}
+
+	*target = new_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
+	isc_radix_node_t *parent, *child;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(node != NULL);
+
+	if (node->r && node->l) {
+		/*
+		 * This might be a placeholder node -- have to check and
+		 * make sure there is a prefix associated with it!
+		 */
+		if (node->prefix != NULL)
+			_deref_prefix(node->prefix);
+
+		node->prefix = NULL;
+		memset(node->data, 0, sizeof(node->data));
+		return;
+	}
+
+	if (node->r == NULL && node->l == NULL) {
+		parent = node->parent;
+		_deref_prefix(node->prefix);
+
+		if (parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = NULL;
+			isc_mem_put(radix->mctx, node, sizeof(*node));
+			radix->num_active_node--;
+			return;
+		}
+
+		if (parent->r == node) {
+			parent->r = NULL;
+			child = parent->l;
+		} else {
+			INSIST(parent->l == node);
+			parent->l = NULL;
+			child = parent->r;
+		}
+
+		isc_mem_put(radix->mctx, node, sizeof(*node));
+		radix->num_active_node--;
+
+		if (parent->prefix)
+			return;
+
+		/* We need to remove parent too. */
+		if (parent->parent == NULL) {
+			INSIST(radix->head == parent);
+			radix->head = child;
+		} else if (parent->parent->r == parent) {
+			parent->parent->r = child;
+		} else {
+			INSIST(parent->parent->l == parent);
+			parent->parent->l = child;
+		}
+
+		child->parent = parent->parent;
+		isc_mem_put(radix->mctx, parent, sizeof(*parent));
+		radix->num_active_node--;
+		return;
+	}
+
+	if (node->r) {
+		child = node->r;
+	} else {
+		INSIST(node->l != NULL);
+		child = node->l;
+	}
+
+	parent = node->parent;
+	child->parent = parent;
+
+	_deref_prefix(node->prefix);
+
+	if (parent == NULL) {
+		INSIST(radix->head == node);
+		radix->head = child;
+		isc_mem_put(radix->mctx, node, sizeof(*node));
+		radix->num_active_node--;
+		return;
+	}
+
+	isc_mem_put(radix->mctx, node, sizeof(*node));
+	radix->num_active_node--;
+
+	if (parent->r == node) {
+		parent->r = child;
+	} else {
+		INSIST(parent->l == node);
+		parent->l = child;
+	}
+}
+
+/*
+Local Variables:
+c-basic-offset: 4
+indent-tabs-mode: t
+End:
+*/
diff --git a/lib/isc/random.c b/lib/isc/random.c
new file mode 100644
index 0000000..b79b689
--- /dev/null
+++ b/lib/isc/random.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*%
+ * ChaCha based random number generator derived from OpenBSD.
+ *
+ * The original copyright follows:
+ * Copyright (c) 1996, David Mazieres <dm@uun.org>
+ * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
+ * Copyright (c) 2013, Markus Friedl <markus@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>		/* Required for time(). */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/mem.h>
+#include <isc/entropy.h>
+#include <isc/random.h>
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RNG_MAGIC			ISC_MAGIC('R', 'N', 'G', 'x')
+#define VALID_RNG(r)			ISC_MAGIC_VALID(r, RNG_MAGIC)
+
+#define KEYSTREAM_ONLY
+#include "chacha_private.h"
+
+#define CHACHA_KEYSIZE 32U
+#define CHACHA_IVSIZE 8U
+#define CHACHA_BLOCKSIZE 64
+#define CHACHA_BUFFERSIZE (16 * CHACHA_BLOCKSIZE)
+
+/* ChaCha RNG state */
+struct isc_rng {
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	chacha_ctx	cpctx;
+	uint8_t	buffer[CHACHA_BUFFERSIZE];
+	size_t		have;
+	unsigned int	references;
+	int		count;
+	isc_entropy_t	*entropy;	/*%< entropy source */
+	isc_mutex_t	lock;
+};
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_rand(void) {
+#ifndef HAVE_ARC4RANDOM
+	unsigned int pid = getpid();
+
+	/*
+	 * The low bits of pid generally change faster.
+	 * Xor them with the high bits of time which change slowly.
+	 */
+	pid = ((pid << 16) & 0xffff0000) | ((pid >> 16) & 0xffff);
+
+	srand((unsigned)time(NULL) ^ pid);
+#endif
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_rand) == ISC_R_SUCCESS);
+}
+
+void
+isc_random_seed(uint32_t seed) {
+	initialize();
+
+#ifndef HAVE_ARC4RANDOM
+	srand(seed);
+#elif defined(HAVE_ARC4RANDOM_STIR)
+	/* Formally not necessary... */
+	UNUSED(seed);
+	arc4random_stir();
+#elif defined(HAVE_ARC4RANDOM_ADDRANDOM)
+	arc4random_addrandom((u_char *) &seed, sizeof(uint32_t));
+#else
+       /*
+	* If arc4random() is available and no corresponding seeding
+	* function arc4random_addrandom() is available, no seeding is
+	* done on such platforms (e.g., OpenBSD 5.5).  This is because
+	* the OS itself is supposed to seed the RNG and it is assumed
+	* that no explicit seeding is required.
+	*/
+       UNUSED(seed);
+#endif
+}
+
+void
+isc_random_get(uint32_t *val) {
+	REQUIRE(val != NULL);
+
+	initialize();
+
+#ifndef HAVE_ARC4RANDOM
+	/*
+	 * rand()'s lower bits are not random.
+	 * rand()'s upper bit is zero.
+	 */
+#if RAND_MAX >= 0xfffff
+	/* We have at least 20 bits.  Use lower 16 excluding lower most 4 */
+	*val = ((((unsigned int)rand()) & 0xffff0) >> 4) |
+	       ((((unsigned int)rand()) & 0xffff0) << 12);
+#elif RAND_MAX >= 0x7fff
+	/* We have at least 15 bits.  Use lower 10/11 excluding lower most 4 */
+	*val = ((rand() >> 4) & 0x000007ff) | ((rand() << 7) & 0x003ff800) |
+		((rand() << 18) & 0xffc00000);
+#else
+#error RAND_MAX is too small
+#endif
+#else
+	*val = arc4random();
+#endif
+}
+
+uint32_t
+isc_random_jitter(uint32_t max, uint32_t jitter) {
+	uint32_t rnd;
+
+	REQUIRE(jitter < max || (jitter == 0 && max == 0));
+
+	if (jitter == 0)
+		return (max);
+
+	isc_random_get(&rnd);
+	return (max - rnd % jitter);
+}
+
+static void
+chacha_reinit(isc_rng_t *rng, uint8_t *buffer, size_t n) {
+	REQUIRE(rng != NULL);
+
+	if (n < CHACHA_KEYSIZE + CHACHA_IVSIZE)
+		return;
+
+	chacha_keysetup(&rng->cpctx, buffer, CHACHA_KEYSIZE * 8, 0);
+	chacha_ivsetup(&rng->cpctx, buffer + CHACHA_KEYSIZE);
+}
+
+isc_result_t
+isc_rng_create(isc_mem_t *mctx, isc_entropy_t *entropy, isc_rng_t **rngp) {
+	union {
+		unsigned char rnd[128];
+		uint32_t rnd32[32];
+	} rnd;
+	isc_result_t result;
+	isc_rng_t *rng;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(rngp != NULL && *rngp == NULL);
+
+	if (entropy != NULL) {
+		/*
+		 * We accept any quality of random data to avoid blocking.
+		 */
+		result = isc_entropy_getdata(entropy, rnd.rnd,
+					     sizeof(rnd), NULL, 0);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	} else {
+		int i;
+		for (i = 0; i < 32; i++)
+			isc_random_get(&rnd.rnd32[i]);
+	}
+
+	rng = isc_mem_get(mctx, sizeof(*rng));
+	if (rng == NULL)
+		return (ISC_R_NOMEMORY);
+
+	chacha_reinit(rng, rnd.rnd, sizeof(rnd.rnd));
+
+	rng->have = 0;
+	memset(rng->buffer, 0, CHACHA_BUFFERSIZE);
+
+	/* Create lock */
+	result = isc_mutex_init(&rng->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, rng, sizeof(*rng));
+		return (result);
+	}
+
+	/* Attach to memory context */
+	rng->mctx = NULL;
+	isc_mem_attach(mctx, &rng->mctx);
+
+	/* Local non-algorithm initializations. */
+	rng->count = 0;
+	rng->entropy = entropy; /* don't have to attach */
+	rng->references = 1;
+	rng->magic = RNG_MAGIC;
+
+	*rngp = rng;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_rng_attach(isc_rng_t *source, isc_rng_t **targetp) {
+
+	REQUIRE(VALID_RNG(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	LOCK(&source->lock);
+	source->references++;
+	UNLOCK(&source->lock);
+
+	*targetp = (isc_rng_t *)source;
+}
+
+static void
+destroy(isc_rng_t *rng) {
+
+	REQUIRE(VALID_RNG(rng));
+
+	rng->magic = 0;
+	isc_mutex_destroy(&rng->lock);
+	isc_mem_putanddetach(&rng->mctx, rng, sizeof(isc_rng_t));
+}
+
+void
+isc_rng_detach(isc_rng_t **rngp) {
+	isc_rng_t *rng;
+	bool dest = false;
+
+	REQUIRE(rngp != NULL && VALID_RNG(*rngp));
+
+	rng = *rngp;
+	*rngp = NULL;
+
+	LOCK(&rng->lock);
+
+	INSIST(rng->references > 0);
+	rng->references--;
+	if (rng->references == 0)
+		dest = true;
+	UNLOCK(&rng->lock);
+
+	if (dest)
+		destroy(rng);
+}
+
+static void
+chacha_rekey(isc_rng_t *rng, u_char *dat, size_t datlen) {
+	REQUIRE(VALID_RNG(rng));
+
+#ifndef KEYSTREAM_ONLY
+	memset(rng->buffer, 0, CHACHA_BUFFERSIZE);
+#endif
+
+	/* Fill buffer with the keystream. */
+	chacha_encrypt_bytes(&rng->cpctx, rng->buffer, rng->buffer,
+			     CHACHA_BUFFERSIZE);
+
+	/* Mix in optional user provided data. */
+	if (dat != NULL) {
+		size_t i, m;
+
+		m = ISC_MIN(datlen, CHACHA_KEYSIZE + CHACHA_IVSIZE);
+		for (i = 0; i < m; i++)
+			rng->buffer[i] ^= dat[i];
+	}
+
+	/* Immediately reinit for backtracking resistance. */
+	chacha_reinit(rng, rng->buffer,
+		      CHACHA_KEYSIZE + CHACHA_IVSIZE);
+	memset(rng->buffer, 0, CHACHA_KEYSIZE + CHACHA_IVSIZE);
+	rng->have = CHACHA_BUFFERSIZE - CHACHA_KEYSIZE - CHACHA_IVSIZE;
+}
+
+static inline uint16_t
+chacha_getuint16(isc_rng_t *rng) {
+	uint16_t val;
+
+	REQUIRE(VALID_RNG(rng));
+
+	if (rng->have < sizeof(val))
+		chacha_rekey(rng, NULL, 0);
+
+	memmove(&val, rng->buffer + CHACHA_BUFFERSIZE - rng->have,
+		sizeof(val));
+	/* Clear the copied region. */
+	memset(rng->buffer + CHACHA_BUFFERSIZE - rng->have,
+	       0, sizeof(val));
+	rng->have -= sizeof(val);
+
+	return (val);
+}
+
+static void
+chacha_stir(isc_rng_t *rng) {
+	union {
+		unsigned char rnd[128];
+		uint32_t rnd32[32];
+	} rnd;
+	isc_result_t result;
+
+	REQUIRE(VALID_RNG(rng));
+
+	if (rng->entropy != NULL) {
+		/*
+		 * We accept any quality of random data to avoid blocking.
+		 */
+		result = isc_entropy_getdata(rng->entropy, rnd.rnd,
+					     sizeof(rnd), NULL, 0);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	} else {
+		int i;
+		for (i = 0; i < 32; i++)
+			isc_random_get(&rnd.rnd32[i]);
+	}
+
+	chacha_rekey(rng, rnd.rnd, sizeof(rnd.rnd));
+
+	isc_safe_memwipe(rnd.rnd, sizeof(rnd.rnd));
+
+	/* Invalidate the buffer too. */
+	rng->have = 0;
+	memset(rng->buffer, 0, CHACHA_BUFFERSIZE);
+
+	/*
+	 * Derived from OpenBSD's implementation.  The rationale is not clear,
+	 * but should be conservative enough in safety, and reasonably large
+	 * for efficiency.
+	 */
+	rng->count = 1600000;
+}
+
+uint16_t
+isc_rng_random(isc_rng_t *rng) {
+	uint16_t result;
+
+	REQUIRE(VALID_RNG(rng));
+
+	LOCK(&rng->lock);
+
+	rng->count -= sizeof(uint16_t);
+	if (rng->count <= 0)
+		chacha_stir(rng);
+	result = chacha_getuint16(rng);
+
+	UNLOCK(&rng->lock);
+
+	return (result);
+}
+
+uint16_t
+isc_rng_uniformrandom(isc_rng_t *rng, uint16_t upper_bound) {
+	uint16_t min, r;
+
+	REQUIRE(VALID_RNG(rng));
+
+	if (upper_bound < 2)
+		return (0);
+
+	/*
+	 * Ensure the range of random numbers [min, 0xffff] be a multiple of
+	 * upper_bound and contain at least a half of the 16 bit range.
+	 */
+
+	if (upper_bound > 0x8000)
+		min = 1 + ~upper_bound; /* 0x8000 - upper_bound */
+	else
+		min = (uint16_t)(0x10000 % (uint32_t)upper_bound);
+
+	/*
+	 * This could theoretically loop forever but each retry has
+	 * p > 0.5 (worst case, usually far better) of selecting a
+	 * number inside the range we need, so it should rarely need
+	 * to re-roll.
+	 */
+	for (;;) {
+		r = isc_rng_random(rng);
+		if (r >= min)
+			break;
+	}
+
+	return (r % upper_bound);
+}
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
new file mode 100644
index 0000000..b950298
--- /dev/null
+++ b/lib/isc/ratelimiter.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/ratelimiter.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+typedef enum {
+	isc_ratelimiter_stalled = 0,
+	isc_ratelimiter_ratelimited = 1,
+	isc_ratelimiter_idle = 2,
+	isc_ratelimiter_shuttingdown = 3
+} isc_ratelimiter_state_t;
+
+struct isc_ratelimiter {
+	isc_mem_t *		mctx;
+	isc_mutex_t		lock;
+	int			refs;
+	isc_task_t *		task;
+	isc_timer_t *		timer;
+	isc_interval_t		interval;
+	uint32_t		pertic;
+	bool		pushpop;
+	isc_ratelimiter_state_t	state;
+	isc_event_t		shutdownevent;
+	ISC_LIST(isc_event_t)	pending;
+};
+
+#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event);
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+		       isc_task_t *task, isc_ratelimiter_t **ratelimiterp)
+{
+	isc_result_t result;
+	isc_ratelimiter_t *rl;
+	INSIST(ratelimiterp != NULL && *ratelimiterp == NULL);
+
+	rl = isc_mem_get(mctx, sizeof(*rl));
+	if (rl == NULL)
+		return ISC_R_NOMEMORY;
+	rl->mctx = mctx;
+	rl->refs = 1;
+	rl->task = task;
+	isc_interval_set(&rl->interval, 0, 0);
+	rl->timer = NULL;
+	rl->pertic = 1;
+	rl->pushpop = false;
+	rl->state = isc_ratelimiter_idle;
+	ISC_LIST_INIT(rl->pending);
+
+	result = isc_mutex_init(&rl->lock);
+	if (result != ISC_R_SUCCESS)
+		goto free_mem;
+
+	result = isc_timer_create(timermgr, isc_timertype_inactive,
+				  NULL, NULL, rl->task, ratelimiter_tick,
+				  rl, &rl->timer);
+	if (result != ISC_R_SUCCESS)
+		goto free_mutex;
+
+	/*
+	 * Increment the reference count to indicate that we may
+	 * (soon) have events outstanding.
+	 */
+	rl->refs++;
+
+	ISC_EVENT_INIT(&rl->shutdownevent,
+		       sizeof(isc_event_t),
+		       0, NULL, ISC_RATELIMITEREVENT_SHUTDOWN,
+		       ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
+
+	*ratelimiterp = rl;
+	return (ISC_R_SUCCESS);
+
+free_mutex:
+	DESTROYLOCK(&rl->lock);
+free_mem:
+	isc_mem_put(mctx, rl, sizeof(*rl));
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(interval != NULL);
+
+	LOCK(&rl->lock);
+	rl->interval = *interval;
+	/*
+	 * If the timer is currently running, change its rate.
+	 */
+	if (rl->state == isc_ratelimiter_ratelimited) {
+		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+					 &rl->interval, false);
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, uint32_t pertic) {
+
+	REQUIRE(rl != NULL);
+
+	if (pertic == 0)
+		pertic = 1;
+	rl->pertic = pertic;
+}
+
+void
+isc_ratelimiter_setpushpop(isc_ratelimiter_t *rl, bool pushpop) {
+
+	REQUIRE(rl != NULL);
+
+	rl->pushpop = pushpop;
+}
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+			isc_event_t **eventp)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *ev;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(eventp != NULL && *eventp != NULL);
+	ev = *eventp;
+	REQUIRE(ev->ev_sender == NULL);
+
+	LOCK(&rl->lock);
+	if (rl->state == isc_ratelimiter_ratelimited ||
+	    rl->state == isc_ratelimiter_stalled) {
+		ev->ev_sender = task;
+		*eventp = NULL;
+		if (rl->pushpop)
+			ISC_LIST_PREPEND(rl->pending, ev, ev_ratelink);
+		else
+			ISC_LIST_APPEND(rl->pending, ev, ev_ratelink);
+	} else if (rl->state == isc_ratelimiter_idle) {
+		result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+					 &rl->interval, false);
+		if (result == ISC_R_SUCCESS) {
+			ev->ev_sender = task;
+			rl->state = isc_ratelimiter_ratelimited;
+		}
+	} else {
+		INSIST(rl->state == isc_ratelimiter_shuttingdown);
+		result = ISC_R_SHUTTINGDOWN;
+	}
+	UNLOCK(&rl->lock);
+	if (*eventp != NULL && result == ISC_R_SUCCESS)
+		isc_task_send(task, eventp);
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_dequeue(isc_ratelimiter_t *rl, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+	REQUIRE(event != NULL);
+
+	LOCK(&rl->lock);
+	if (ISC_LINK_LINKED(event, ev_ratelink)) {
+		ISC_LIST_UNLINK(rl->pending, event, ev_ratelink);
+		event->ev_sender = NULL;
+	} else
+		result = ISC_R_NOTFOUND;
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+	isc_event_t *p;
+	uint32_t pertic;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	pertic = rl->pertic;
+	while (pertic != 0) {
+		pertic--;
+		LOCK(&rl->lock);
+		p = ISC_LIST_HEAD(rl->pending);
+		if (p != NULL) {
+			/*
+			 * There is work to do.  Let's do it after unlocking.
+			 */
+			ISC_LIST_UNLINK(rl->pending, p, ev_ratelink);
+		} else {
+			/*
+			 * No work left to do.  Stop the timer so that we don't
+			 * waste resources by having it fire periodically.
+			 */
+			result = isc_timer_reset(rl->timer,
+						 isc_timertype_inactive,
+						 NULL, NULL, false);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			rl->state = isc_ratelimiter_idle;
+			pertic = 0;	/* Force the loop to exit. */
+		}
+		UNLOCK(&rl->lock);
+		if (p != NULL) {
+			isc_task_t *evtask = p->ev_sender;
+			isc_task_send(evtask, &p);
+		}
+		INSIST(p == NULL);
+	}
+}
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
+	isc_event_t *ev;
+	isc_task_t *task;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	rl->state = isc_ratelimiter_shuttingdown;
+	(void)isc_timer_reset(rl->timer, isc_timertype_inactive,
+			      NULL, NULL, false);
+	while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
+		ISC_LIST_UNLINK(rl->pending, ev, ev_ratelink);
+		ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
+		task = ev->ev_sender;
+		isc_task_send(task, &ev);
+	}
+	isc_timer_detach(&rl->timer);
+
+	/*
+	 * Send an event to our task.  The delivery of this event
+	 * indicates that no more timer events will be delivered.
+	 */
+	ev = &rl->shutdownevent;
+	isc_task_send(rl->task, &ev);
+
+	UNLOCK(&rl->lock);
+}
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
+	isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+
+	UNUSED(task);
+
+	isc_ratelimiter_detach(&rl);
+}
+
+static void
+ratelimiter_free(isc_ratelimiter_t *rl) {
+	DESTROYLOCK(&rl->lock);
+	isc_mem_put(rl->mctx, rl, sizeof(*rl));
+}
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target) {
+
+	REQUIRE(source != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+
+	LOCK(&source->lock);
+	REQUIRE(source->refs > 0);
+	source->refs++;
+	INSIST(source->refs > 0);
+	UNLOCK(&source->lock);
+	*target = source;
+}
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
+	isc_ratelimiter_t *rl;
+	bool free_now = false;
+
+	REQUIRE(rlp != NULL && *rlp != NULL);
+
+	rl = *rlp;
+
+	LOCK(&rl->lock);
+	REQUIRE(rl->refs > 0);
+	rl->refs--;
+	if (rl->refs == 0)
+		free_now = true;
+	UNLOCK(&rl->lock);
+
+	if (free_now)
+		ratelimiter_free(rl);
+
+	*rlp = NULL;
+}
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_ratelimited:
+		result = isc_timer_reset(rl->timer, isc_timertype_inactive,
+					 NULL, NULL, false);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		/* FALLTHROUGH */
+	case isc_ratelimiter_idle:
+	case isc_ratelimiter_stalled:
+		rl->state = isc_ratelimiter_stalled;
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(rl != NULL);
+
+	LOCK(&rl->lock);
+	switch (rl->state) {
+	case isc_ratelimiter_shuttingdown:
+		result = ISC_R_SHUTTINGDOWN;
+		break;
+	case isc_ratelimiter_stalled:
+		if (!ISC_LIST_EMPTY(rl->pending)) {
+			result = isc_timer_reset(rl->timer,
+						 isc_timertype_ticker, NULL,
+						 &rl->interval, false);
+			if (result == ISC_R_SUCCESS)
+				rl->state = isc_ratelimiter_ratelimited;
+		} else
+			rl->state = isc_ratelimiter_idle;
+		break;
+	case isc_ratelimiter_ratelimited:
+	case isc_ratelimiter_idle:
+		break;
+	}
+	UNLOCK(&rl->lock);
+	return (result);
+}
diff --git a/lib/isc/refcount.c b/lib/isc/refcount.c
new file mode 100644
index 0000000..033af7b
--- /dev/null
+++ b/lib/isc/refcount.c
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/mutex.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_refcount_init(isc_refcount_t *ref, unsigned int n) {
+	REQUIRE(ref != NULL);
+
+	ref->refs = n;
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_REFCOUNT_HAVEATOMIC)
+	return (isc_mutex_init(&ref->lock));
+#else
+	return (ISC_R_SUCCESS);
+#endif
+}
diff --git a/lib/isc/regex.c b/lib/isc/regex.c
new file mode 100644
index 0000000..63261bb
--- /dev/null
+++ b/lib/isc/regex.c
@@ -0,0 +1,368 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/print.h>
+#include <isc/regex.h>
+#include <isc/string.h>
+
+#if VALREGEX_REPORT_REASON
+#define FAIL(x) do { reason = (x); goto error; } while(0)
+#else
+#define FAIL(x) goto error
+#endif
+
+/*
+ * Validate the regular expression 'C' locale.
+ */
+int
+isc_regex_validate(const char *c) {
+	enum {
+		none, parse_bracket, parse_bound,
+		parse_ce, parse_ec, parse_cc
+	} state = none;
+	/* Well known character classes. */
+	const char *cc[] = {
+		":alnum:", ":digit:", ":punct:", ":alpha:", ":graph:",
+		":space:", ":blank:", ":lower:", ":upper:", ":cntrl:",
+		":print:", ":xdigit:"
+	};
+	bool seen_comma = false;
+	bool seen_high = false;
+	bool seen_char = false;
+	bool seen_ec = false;
+	bool seen_ce = false;
+	bool have_atom = false;
+	int group = 0;
+	int range = 0;
+	int sub = 0;
+	bool empty_ok = false;
+	bool neg = false;
+	bool was_multiple = false;
+	unsigned int low = 0;
+	unsigned int high = 0;
+	const char *ccname = NULL;
+	int range_start = 0;
+#if VALREGEX_REPORT_REASON
+	const char *reason = "";
+#endif
+
+	if (c == NULL || *c == 0)
+		FAIL("empty string");
+
+	while (c != NULL && *c != 0) {
+		switch (state) {
+		case none:
+			switch (*c) {
+			case '\\':	/* make literal */
+				++c;
+				switch (*c) {
+				case '1': case '2': case '3':
+				case '4': case '5': case '6':
+				case '7': case '8': case '9':
+					if ((*c - '0') > sub)
+						FAIL("bad back reference");
+					have_atom = true;
+					was_multiple = false;
+					break;
+				case 0:
+					FAIL("escaped end-of-string");
+				default:
+					goto literal;
+				}
+				++c;
+				break;
+			case '[':	/* bracket start */
+				++c;
+				neg = false;
+				was_multiple = false;
+				seen_char = false;
+				state = parse_bracket;
+				break;
+			case '{': 	/* bound start */
+				switch (c[1]) {
+				case '0': case '1': case '2': case '3':
+				case '4': case '5': case '6': case '7':
+				case '8': case '9':
+					if (!have_atom)
+						FAIL("no atom");
+					if (was_multiple)
+						FAIL("was multiple");
+					seen_comma = false;
+					seen_high = false;
+					low = high = 0;
+					state = parse_bound;
+					break;
+				default:
+					goto literal;
+				}
+				++c;
+				have_atom = true;
+				was_multiple = true;
+				break;
+			case '}':
+				goto literal;
+			case '(':	/* group start */
+				have_atom = false;
+				was_multiple = false;
+				empty_ok = true;
+				++group;
+				++sub;
+				++c;
+				break;
+			case ')':	/* group end */
+				if (group && !have_atom && !empty_ok)
+					FAIL("empty alternative");
+				have_atom = true;
+				was_multiple = false;
+				if (group != 0)
+					--group;
+				++c;
+				break;
+			case '|':	/* alternative seperator */
+				if (!have_atom)
+					FAIL("no atom");
+				have_atom = false;
+				empty_ok = false;
+				was_multiple = false;
+				++c;
+				break;
+			case '^':
+			case '$':
+				have_atom = true;
+				was_multiple = true;
+				++c;
+				break;
+			case '+':
+			case '*':
+			case '?':
+				if (was_multiple)
+					FAIL("was multiple");
+				if (!have_atom)
+					FAIL("no atom");
+				have_atom = true;
+				was_multiple = true;
+				++c;
+				break;
+			case '.':
+			default:
+			literal:
+				have_atom = true;
+				was_multiple = false;
+				++c;
+				break;
+			}
+			break;
+		case parse_bound:
+			switch (*c) {
+			case '0': case '1': case '2': case '3': case '4':
+			case '5': case '6': case '7': case '8': case '9':
+				if (!seen_comma) {
+					low = low * 10 + *c - '0';
+					if (low > 255)
+						FAIL("lower bound too big");
+				} else {
+					seen_high = true;
+					high = high * 10 + *c - '0';
+					if (high > 255)
+						FAIL("upper bound too big");
+				}
+				++c;
+				break;
+			case ',':
+				if (seen_comma)
+					FAIL("multiple commas");
+				seen_comma = true;
+				++c;
+				break;
+			default:
+			case '{':
+				FAIL("non digit/comma");
+			case '}':
+				if (seen_high && low > high)
+					FAIL("bad parse bound");
+				seen_comma = false;
+				state = none;
+				++c;
+				break;
+			}
+			break;
+		case parse_bracket:
+			switch (*c) {
+			case '^':
+				if (seen_char || neg) goto inside;
+				neg = true;
+				++c;
+				break;
+			case '-':
+				if (range == 2) goto inside;
+				if (!seen_char) goto inside;
+				if (range == 1)
+					FAIL("bad range");
+				range = 2;
+				++c;
+				break;
+			case '[':
+				++c;
+				switch (*c) {
+				case '.':	/* collating element */
+					if (range != 0) --range;
+					++c;
+					state = parse_ce;
+					seen_ce = false;
+					break;
+				case '=':	/* equivalence class */
+					if (range == 2)
+					    FAIL("equivalence class in range");
+					++c;
+					state = parse_ec;
+					seen_ec = false;
+					break;
+				case ':':	/* character class */
+					if (range == 2)
+					      FAIL("character class in range");
+					ccname = c;
+					++c;
+					state = parse_cc;
+					break;
+				}
+				seen_char = true;
+				break;
+			case ']':
+				if (!c[1] && !seen_char)
+					FAIL("unfinished brace");
+				if (!seen_char)
+					goto inside;
+				++c;
+				range = 0;
+				have_atom = true;
+				state = none;
+				break;
+			default:
+			inside:
+				seen_char = true;
+				if (range == 2 && (*c & 0xff) < range_start)
+					FAIL("out of order range");
+				if (range != 0)
+					--range;
+				range_start = *c & 0xff;
+				++c;
+				break;
+			};
+			break;
+		case parse_ce:
+			switch (*c) {
+			case '.':
+				++c;
+				switch (*c) {
+				case ']':
+					if (!seen_ce)
+						 FAIL("empty ce");
+					++c;
+					state = parse_bracket;
+					break;
+				default:
+					if (seen_ce)
+						range_start = 256;
+					else
+						range_start = '.';
+					seen_ce = true;
+					break;
+				}
+				break;
+			default:
+				if (seen_ce)
+					range_start = 256;
+				else
+					range_start = *c;
+				seen_ce = true;
+				++c;
+				break;
+			}
+			break;
+		case parse_ec:
+			switch (*c) {
+			case '=':
+				++c;
+				switch (*c) {
+				case ']':
+					if (!seen_ec)
+						FAIL("no ec");
+					++c;
+					state = parse_bracket;
+					break;
+				default:
+					seen_ec = true;
+					break;
+				}
+				break;
+			default:
+				seen_ec = true;
+				++c;
+				break;
+			}
+			break;
+		case parse_cc:
+			switch (*c) {
+			case ':':
+				++c;
+				switch (*c) {
+				case ']': {
+					unsigned int i;
+					bool found = false;
+					for (i = 0;
+					     i < sizeof(cc)/sizeof(*cc);
+					     i++)
+					{
+						unsigned int len;
+						len = strlen(cc[i]);
+						if (len !=
+						    (unsigned int)(c - ccname))
+							continue;
+						if (strncmp(cc[i], ccname, len))
+							continue;
+						found = true;
+					}
+					if (!found)
+						FAIL("unknown cc");
+					++c;
+					state = parse_bracket;
+					break;
+					}
+				default:
+					break;
+				}
+				break;
+			default:
+				++c;
+				break;
+			}
+			break;
+		}
+	}
+	if (group != 0)
+		FAIL("group open");
+	if (state != none)
+		FAIL("incomplete");
+	if (!have_atom)
+		FAIL("no atom");
+	return (sub);
+
+ error:
+#if VALREGEX_REPORT_REASON
+	fprintf(stderr, "%s\n", reason);
+#endif
+	return (-1);
+}
diff --git a/lib/isc/region.c b/lib/isc/region.c
new file mode 100644
index 0000000..2f85842
--- /dev/null
+++ b/lib/isc/region.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
+	unsigned int l;
+	int result;
+
+	REQUIRE(r1 != NULL);
+	REQUIRE(r2 != NULL);
+
+	l = (r1->length < r2->length) ? r1->length : r2->length;
+
+	if ((result = memcmp(r1->base, r2->base, l)) != 0)
+		return ((result < 0) ? -1 : 1);
+	else
+		return ((r1->length == r2->length) ? 0 :
+			(r1->length < r2->length) ? -1 : 1);
+}
diff --git a/lib/isc/result.c b/lib/isc/result.c
new file mode 100644
index 0000000..a707c32
--- /dev/null
+++ b/lib/isc/result.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+#include <stdlib.h>
+
+#include <isc/lib.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/resultclass.h>
+#include <isc/util.h>
+
+typedef struct resulttable {
+	unsigned int				base;
+	unsigned int				last;
+	const char **				text;
+	isc_msgcat_t *				msgcat;
+	int					set;
+	ISC_LINK(struct resulttable)		link;
+} resulttable;
+
+typedef ISC_LIST(resulttable) resulttable_list_t;
+
+static const char *description[ISC_R_NRESULTS] = {
+	"success",				/*%< 0 */
+	"out of memory",			/*%< 1 */
+	"timed out",				/*%< 2 */
+	"no available threads",			/*%< 3 */
+	"address not available",		/*%< 4 */
+	"address in use",			/*%< 5 */
+	"permission denied",			/*%< 6 */
+	"no pending connections",		/*%< 7 */
+	"network unreachable",			/*%< 8 */
+	"host unreachable",			/*%< 9 */
+	"network down",				/*%< 10 */
+	"host down",				/*%< 11 */
+	"connection refused",			/*%< 12 */
+	"not enough free resources",		/*%< 13 */
+	"end of file",				/*%< 14 */
+	"socket already bound",			/*%< 15 */
+	"reload",				/*%< 16 */
+	"lock busy",				/*%< 17 */
+	"already exists",			/*%< 18 */
+	"ran out of space",			/*%< 19 */
+	"operation canceled",			/*%< 20 */
+	"socket is not bound",			/*%< 21 */
+	"shutting down",			/*%< 22 */
+	"not found",				/*%< 23 */
+	"unexpected end of input",		/*%< 24 */
+	"failure",				/*%< 25 */
+	"I/O error",				/*%< 26 */
+	"not implemented",			/*%< 27 */
+	"unbalanced parentheses",		/*%< 28 */
+	"no more",				/*%< 29 */
+	"invalid file",				/*%< 30 */
+	"bad base64 encoding",			/*%< 31 */
+	"unexpected token",			/*%< 32 */
+	"quota reached",			/*%< 33 */
+	"unexpected error",			/*%< 34 */
+	"already running",			/*%< 35 */
+	"ignore",				/*%< 36 */
+	"address mask not contiguous",		/*%< 37 */
+	"file not found",			/*%< 38 */
+	"file already exists",			/*%< 39 */
+	"socket is not connected",		/*%< 40 */
+	"out of range",				/*%< 41 */
+	"out of entropy",			/*%< 42 */
+	"invalid use of multicast address",	/*%< 43 */
+	"not a file",				/*%< 44 */
+	"not a directory",			/*%< 45 */
+	"queue is full",			/*%< 46 */
+	"address family mismatch",		/*%< 47 */
+	"address family not supported",		/*%< 48 */
+	"bad hex encoding",			/*%< 49 */
+	"too many open files",			/*%< 50 */
+	"not blocking",				/*%< 51 */
+	"unbalanced quotes",			/*%< 52 */
+	"operation in progress",		/*%< 53 */
+	"connection reset",			/*%< 54 */
+	"soft quota reached",			/*%< 55 */
+	"not a valid number",			/*%< 56 */
+	"disabled",				/*%< 57 */
+	"max size",				/*%< 58 */
+	"invalid address format",		/*%< 59 */
+	"bad base32 encoding",			/*%< 60 */
+	"unset",				/*%< 61 */
+	"multiple",				/*%< 62 */
+	"would block",				/*%< 63 */
+};
+
+static const char *identifier[ISC_R_NRESULTS] = {
+	"ISC_R_SUCCESS",
+	"ISC_R_NOMEMORY",
+	"ISC_R_TIMEDOUT",
+	"ISC_R_NOTHREADS",
+	"ISC_R_ADDRNOTAVAIL",
+	"ISC_R_ADDRINUSE",
+	"ISC_R_NOPERM",
+	"ISC_R_NOCONN",
+	"ISC_R_NETUNREACH",
+	"ISC_R_HOSTUNREACH",
+	"ISC_R_NETDOWN",
+	"ISC_R_HOSTDOWN",
+	"ISC_R_CONNREFUSED",
+	"ISC_R_NORESOURCES",
+	"ISC_R_EOF",
+	"ISC_R_BOUND",
+	"ISC_R_RELOAD",
+	"ISC_R_LOCKBUSY",
+	"ISC_R_EXISTS",
+	"ISC_R_NOSPACE",
+	"ISC_R_CANCELED",
+	"ISC_R_NOTBOUND",
+	"ISC_R_SHUTTINGDOWN",
+	"ISC_R_NOTFOUND",
+	"ISC_R_UNEXPECTEDEND",
+	"ISC_R_FAILURE",
+	"ISC_R_IOERROR",
+	"ISC_R_NOTIMPLEMENTED",
+	"ISC_R_UNBALANCED",
+	"ISC_R_NOMORE",
+	"ISC_R_INVALIDFILE",
+	"ISC_R_BADBASE64",
+	"ISC_R_UNEXPECTEDTOKEN",
+	"ISC_R_QUOTA",
+	"ISC_R_UNEXPECTED",
+	"ISC_R_ALREADYRUNNING",
+	"ISC_R_IGNORE",
+	"ISC_R_MASKNONCONTIG",
+	"ISC_R_FILENOTFOUND",
+	"ISC_R_FILEEXISTS",
+	"ISC_R_NOTCONNECTED",
+	"ISC_R_RANGE",
+	"ISC_R_NOENTROPY",
+	"ISC_R_MULTICAST",
+	"ISC_R_NOTFILE",
+	"ISC_R_NOTDIRECTORY",
+	"ISC_R_QUEUEFULL",
+	"ISC_R_FAMILYMISMATCH",
+	"ISC_R_FAMILYNOSUPPORT",
+	"ISC_R_BADHEX",
+	"ISC_R_TOOMANYOPENFILES",
+	"ISC_R_NOTBLOCKING",
+	"ISC_R_UNBALANCEDQUOTES",
+	"ISC_R_INPROGRESS",
+	"ISC_R_CONNECTIONRESET",
+	"ISC_R_SOFTQUOTA",
+	"ISC_R_BADNUMBER",
+	"ISC_R_DISABLED",
+	"ISC_R_MAXSIZE",
+	"ISC_R_BADADDRESSFORM",
+	"ISC_R_BADBASE32",
+	"ISC_R_UNSET",
+	"ISC_R_MULTIPLE",
+	"ISC_R_WOULDBLOCK",
+};
+
+#define ISC_RESULT_RESULTSET			2
+#define ISC_RESULT_UNAVAILABLESET		3
+
+static isc_once_t		once = ISC_ONCE_INIT;
+static resulttable_list_t	description_tables;
+static resulttable_list_t	identifier_tables;
+static isc_mutex_t		lock;
+
+static isc_result_t
+register_table(resulttable_list_t *tables, unsigned int base,
+	       unsigned int nresults, const char **text,
+	       isc_msgcat_t *msgcat, int set)
+{
+	resulttable *table;
+
+	REQUIRE(base % ISC_RESULTCLASS_SIZE == 0);
+	REQUIRE(nresults <= ISC_RESULTCLASS_SIZE);
+	REQUIRE(text != NULL);
+
+	/*
+	 * We use malloc() here because we we want to be able to use
+	 * isc_result_totext() even if there is no memory context.
+	 */
+	table = malloc(sizeof(*table));
+	if (table == NULL)
+		return (ISC_R_NOMEMORY);
+	table->base = base;
+	table->last = base + nresults - 1;
+	table->text = text;
+	table->msgcat = msgcat;
+	table->set = set;
+	ISC_LINK_INIT(table, link);
+
+	LOCK(&lock);
+
+	ISC_LIST_APPEND(*tables, table, link);
+
+	UNLOCK(&lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
+	ISC_LIST_INIT(description_tables);
+	ISC_LIST_INIT(identifier_tables);
+
+	result = register_table(&description_tables,
+				ISC_RESULTCLASS_ISC, ISC_R_NRESULTS,
+				description, isc_msgcat, ISC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "register_table() %s: %u",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 result);
+
+	result = register_table(&identifier_tables,
+				ISC_RESULTCLASS_ISC, ISC_R_NRESULTS,
+				identifier, isc_msgcat, ISC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "register_table() %s: %u",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 result);
+}
+
+static void
+initialize(void) {
+	isc_lib_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+static const char *
+isc_result_tomany_helper(resulttable_list_t *tables, isc_result_t result) {
+	resulttable *table;
+	const char *text, *default_text;
+	int index;
+
+	initialize();
+
+	LOCK(&lock);
+
+	text = NULL;
+	for (table = ISC_LIST_HEAD(*tables);
+	     table != NULL;
+	     table = ISC_LIST_NEXT(table, link)) {
+		if (result >= table->base && result <= table->last) {
+			index = (int)(result - table->base);
+			default_text = table->text[index];
+			/*
+			 * Note: we use 'index + 1' as the message number
+			 * instead of index because isc_msgcat_get() requires
+			 * the message number to be > 0.
+			 */
+			text = isc_msgcat_get(table->msgcat, table->set,
+					      index + 1, default_text);
+			break;
+		}
+	}
+	if (text == NULL)
+		text = isc_msgcat_get(isc_msgcat, ISC_RESULT_UNAVAILABLESET,
+				      1, "(result code text not available)");
+
+	UNLOCK(&lock);
+
+	return (text);
+}
+
+const char *
+isc_result_totext(isc_result_t result) {
+	return (isc_result_tomany_helper(&description_tables, result));
+}
+
+const char *
+isc_result_toid(isc_result_t result) {
+	return (isc_result_tomany_helper(&identifier_tables, result));
+}
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults,
+		    const char **text, isc_msgcat_t *msgcat, int set)
+{
+	initialize();
+
+	return (register_table(&description_tables, base, nresults, text,
+			       msgcat, set));
+}
+
+isc_result_t
+isc_result_registerids(unsigned int base, unsigned int nresults,
+		       const char **ids, isc_msgcat_t *msgcat, int set)
+{
+	initialize();
+
+	return (register_table(&identifier_tables, base, nresults, ids,
+			       msgcat, set));
+}
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
new file mode 100644
index 0000000..9533c0f
--- /dev/null
+++ b/lib/isc/rwlock.c
@@ -0,0 +1,982 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <inttypes.h>
+
+#include <isc/atomic.h>
+#include <isc/magic.h>
+#include <isc/msgs.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#define RWLOCK_MAGIC		ISC_MAGIC('R', 'W', 'L', 'k')
+#define VALID_RWLOCK(rwl)	ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
+
+#ifdef ISC_PLATFORM_USETHREADS
+
+#ifndef RWLOCK_DEFAULT_READ_QUOTA
+#define RWLOCK_DEFAULT_READ_QUOTA 4
+#endif
+
+#ifndef RWLOCK_DEFAULT_WRITE_QUOTA
+#define RWLOCK_DEFAULT_WRITE_QUOTA 4
+#endif
+
+#ifndef RWLOCK_MAX_ADAPTIVE_COUNT
+#define RWLOCK_MAX_ADAPTIVE_COUNT 100
+#endif
+
+#if defined(ISC_RWLOCK_USEATOMIC)
+static isc_result_t
+isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+#endif
+
+#ifdef ISC_RWLOCK_TRACE
+#include <stdio.h>		/* Required for fprintf/stderr. */
+#include <isc/thread.h>		/* Required for isc_thread_self(). */
+
+static void
+print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+	fprintf(stderr,
+		isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+			       ISC_MSG_PRINTLOCK2,
+			       "rwlock %p thread %lu %s(%s): "
+			       "write_requests=%u, write_completions=%u, "
+			       "cnt_and_flag=0x%x, readers_waiting=%u, "
+			       "write_granted=%u, write_quota=%u\n"),
+		rwl, isc_thread_self(), operation,
+		(type == isc_rwlocktype_read ?
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_READ, "read") :
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_WRITE, "write")),
+		rwl->write_requests, rwl->write_completions,
+		rwl->cnt_and_flag, rwl->readers_waiting,
+		rwl->write_granted, rwl->write_quota);
+#else
+	fprintf(stderr,
+		isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+			       ISC_MSG_PRINTLOCK,
+			       "rwlock %p thread %lu %s(%s): %s, %u active, "
+			       "%u granted, %u rwaiting, %u wwaiting\n"),
+		rwl, isc_thread_self(), operation,
+		(type == isc_rwlocktype_read ?
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_READ, "read") :
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_WRITE, "write")),
+		(rwl->type == isc_rwlocktype_read ?
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_READING, "reading") :
+		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				ISC_MSG_WRITING, "writing")),
+		rwl->active, rwl->granted,
+		rwl->readers_waiting, rwl->writers_waiting);
+#endif
+}
+#endif /* ISC_RWLOCK_TRACE */
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota)
+{
+	isc_result_t result;
+
+	REQUIRE(rwl != NULL);
+
+	/*
+	 * In case there's trouble initializing, we zero magic now.  If all
+	 * goes well, we'll set it to RWLOCK_MAGIC.
+	 */
+	rwl->magic = 0;
+
+	rwl->spins = 0;
+#if defined(ISC_RWLOCK_USEATOMIC)
+	rwl->write_requests = 0;
+	rwl->write_completions = 0;
+	rwl->cnt_and_flag = 0;
+	rwl->readers_waiting = 0;
+	rwl->write_granted = 0;
+	if (read_quota != 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "read quota is not supported");
+	}
+	if (write_quota == 0)
+		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+	rwl->write_quota = write_quota;
+#else
+	rwl->type = isc_rwlocktype_read;
+	rwl->original = isc_rwlocktype_none;
+	rwl->active = 0;
+	rwl->granted = 0;
+	rwl->readers_waiting = 0;
+	rwl->writers_waiting = 0;
+	if (read_quota == 0)
+		read_quota = RWLOCK_DEFAULT_READ_QUOTA;
+	rwl->read_quota = read_quota;
+	if (write_quota == 0)
+		write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+	rwl->write_quota = write_quota;
+#endif
+
+	result = isc_mutex_init(&rwl->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_condition_init(&rwl->readable);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init(readable) %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto destroy_lock;
+	}
+	result = isc_condition_init(&rwl->writeable);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init(writeable) %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 isc_result_totext(result));
+		result = ISC_R_UNEXPECTED;
+		goto destroy_rcond;
+	}
+
+	rwl->magic = RWLOCK_MAGIC;
+
+	return (ISC_R_SUCCESS);
+
+  destroy_rcond:
+	(void)isc_condition_destroy(&rwl->readable);
+  destroy_lock:
+	DESTROYLOCK(&rwl->lock);
+
+	return (result);
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#if defined(ISC_RWLOCK_USEATOMIC)
+	REQUIRE(rwl->write_requests == rwl->write_completions &&
+		rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
+#else
+	LOCK(&rwl->lock);
+	REQUIRE(rwl->active == 0 &&
+		rwl->readers_waiting == 0 &&
+		rwl->writers_waiting == 0);
+	UNLOCK(&rwl->lock);
+#endif
+
+	rwl->magic = 0;
+	(void)isc_condition_destroy(&rwl->readable);
+	(void)isc_condition_destroy(&rwl->writeable);
+	DESTROYLOCK(&rwl->lock);
+}
+
+#if defined(ISC_RWLOCK_USEATOMIC)
+
+/*
+ * When some architecture-dependent atomic operations are available,
+ * rwlock can be more efficient than the generic algorithm defined below.
+ * The basic algorithm is described in the following URL:
+ *   http://www.cs.rochester.edu/u/scott/synchronization/pseudocode/rw.html
+ *
+ * The key is to use the following integer variables modified atomically:
+ *   write_requests, write_completions, and cnt_and_flag.
+ *
+ * write_requests and write_completions act as a waiting queue for writers
+ * in order to ensure the FIFO order.  Both variables begin with the initial
+ * value of 0.  When a new writer tries to get a write lock, it increments
+ * write_requests and gets the previous value of the variable as a "ticket".
+ * When write_completions reaches the ticket number, the new writer can start
+ * writing.  When the writer completes its work, it increments
+ * write_completions so that another new writer can start working.  If the
+ * write_requests is not equal to write_completions, it means a writer is now
+ * working or waiting.  In this case, a new readers cannot start reading, or
+ * in other words, this algorithm basically prefers writers.
+ *
+ * cnt_and_flag is a "lock" shared by all readers and writers.  This integer
+ * variable is a kind of structure with two members: writer_flag (1 bit) and
+ * reader_count (31 bits).  The writer_flag shows whether a writer is working,
+ * and the reader_count shows the number of readers currently working or almost
+ * ready for working.  A writer who has the current "ticket" tries to get the
+ * lock by exclusively setting the writer_flag to 1, provided that the whole
+ * 32-bit is 0 (meaning no readers or writers working).  On the other hand,
+ * a new reader tries to increment the "reader_count" field provided that
+ * the writer_flag is 0 (meaning there is no writer working).
+ *
+ * If some of the above operations fail, the reader or the writer sleeps
+ * until the related condition changes.  When a working reader or writer
+ * completes its work, some readers or writers are sleeping, and the condition
+ * that suspended the reader or writer has changed, it wakes up the sleeping
+ * readers or writers.
+ *
+ * As already noted, this algorithm basically prefers writers.  In order to
+ * prevent readers from starving, however, the algorithm also introduces the
+ * "writer quota" (Q).  When Q consecutive writers have completed their work,
+ * suspending readers, the last writer will wake up the readers, even if a new
+ * writer is waiting.
+ *
+ * Implementation specific note: due to the combination of atomic operations
+ * and a mutex lock, ordering between the atomic operation and locks can be
+ * very sensitive in some cases.  In particular, it is generally very important
+ * to check the atomic variable that requires a reader or writer to sleep after
+ * locking the mutex and before actually sleeping; otherwise, it could be very
+ * likely to cause a deadlock.  For example, assume "var" is a variable
+ * atomically modified, then the corresponding code would be:
+ *	if (var == need_sleep) {
+ *		LOCK(lock);
+ *		if (var == need_sleep)
+ *			WAIT(cond, lock);
+ *		UNLOCK(lock);
+ *	}
+ * The second check is important, since "var" is protected by the atomic
+ * operation, not by the mutex, and can be changed just before sleeping.
+ * (The first "if" could be omitted, but this is also important in order to
+ * make the code efficient by avoiding the use of the mutex unless it is
+ * really necessary.)
+ */
+
+#define WRITER_ACTIVE	0x1
+#define READER_INCR	0x2
+
+static isc_result_t
+isc__rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		if (rwl->write_requests != rwl->write_completions) {
+			/* there is a waiting or active writer */
+			LOCK(&rwl->lock);
+			if (rwl->write_requests != rwl->write_completions) {
+				rwl->readers_waiting++;
+				WAIT(&rwl->readable, &rwl->lock);
+				rwl->readers_waiting--;
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+						    READER_INCR,
+						    memory_order_relaxed);
+#else
+		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+#endif
+		POST(cntflag);
+		while (1) {
+			if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
+				break;
+
+			/* A writer is still working */
+			LOCK(&rwl->lock);
+			rwl->readers_waiting++;
+			if ((rwl->cnt_and_flag & WRITER_ACTIVE) != 0)
+				WAIT(&rwl->readable, &rwl->lock);
+			rwl->readers_waiting--;
+			UNLOCK(&rwl->lock);
+
+			/*
+			 * Typically, the reader should be able to get a lock
+			 * at this stage:
+			 *   (1) there should have been no pending writer when
+			 *       the reader was trying to increment the
+			 *       counter; otherwise, the writer should be in
+			 *       the waiting queue, preventing the reader from
+			 *       proceeding to this point.
+			 *   (2) once the reader increments the counter, no
+			 *       more writer can get a lock.
+			 * Still, it is possible another writer can work at
+			 * this point, e.g. in the following scenario:
+			 *   A previous writer unlocks the writer lock.
+			 *   This reader proceeds to point (1).
+			 *   A new writer appears, and gets a new lock before
+			 *   the reader increments the counter.
+			 *   The reader then increments the counter.
+			 *   The previous writer notices there is a waiting
+			 *   reader who is almost ready, and wakes it up.
+			 * So, the reader needs to confirm whether it can now
+			 * read explicitly (thus we loop).  Note that this is
+			 * not an infinite process, since the reader has
+			 * incremented the counter at this point.
+			 */
+		}
+
+		/*
+		 * If we are temporarily preferred to writers due to the writer
+		 * quota, reset the condition (race among readers doesn't
+		 * matter).
+		 */
+		rwl->write_granted = 0;
+	} else {
+		int32_t prev_writer;
+
+		/* enter the waiting queue, and wait for our turn */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
+							memory_order_relaxed);
+#else
+		prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
+#endif
+		while (rwl->write_completions != prev_writer) {
+			LOCK(&rwl->lock);
+			if (rwl->write_completions != prev_writer) {
+				WAIT(&rwl->writeable, &rwl->lock);
+				UNLOCK(&rwl->lock);
+				continue;
+			}
+			UNLOCK(&rwl->lock);
+			break;
+		}
+
+		while (1) {
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+			int_fast32_t cntflag2 = 0;
+			atomic_compare_exchange_strong_explicit
+				(&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
+				 memory_order_relaxed, memory_order_relaxed);
+#else
+			int32_t cntflag2;
+			cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
+						      WRITER_ACTIVE);
+#endif
+
+			if (cntflag2 == 0)
+				break;
+
+			/* Another active reader or writer is working. */
+			LOCK(&rwl->lock);
+			if (rwl->cnt_and_flag != 0)
+				WAIT(&rwl->writeable, &rwl->lock);
+			UNLOCK(&rwl->lock);
+		}
+
+		INSIST((rwl->cnt_and_flag & WRITER_ACTIVE) != 0);
+		rwl->write_granted++;
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cnt = 0;
+	int32_t max_cnt = rwl->spins * 2 + 10;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
+		max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT;
+
+	do {
+		if (cnt++ >= max_cnt) {
+			result = isc__rwlock_lock(rwl, type);
+			break;
+		}
+#ifdef ISC_PLATFORM_BUSYWAITNOP
+		ISC_PLATFORM_BUSYWAITNOP;
+#endif
+	} while (isc_rwlock_trylock(rwl, type) != ISC_R_SUCCESS);
+
+	rwl->spins += (cnt - rwl->spins) / 8;
+
+	return (result);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cntflag;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		/* If a writer is waiting or working, we fail. */
+		if (rwl->write_requests != rwl->write_completions)
+			return (ISC_R_LOCKBUSY);
+
+		/* Otherwise, be ready for reading. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+						    READER_INCR,
+						    memory_order_relaxed);
+#else
+		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+#endif
+		if ((cntflag & WRITER_ACTIVE) != 0) {
+			/*
+			 * A writer is working.  We lose, and cancel the read
+			 * request.
+			 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+			cntflag = atomic_fetch_sub_explicit
+				(&rwl->cnt_and_flag, READER_INCR,
+				 memory_order_relaxed);
+#else
+			cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
+						  -READER_INCR);
+#endif
+			/*
+			 * If no other readers are waiting and we've suspended
+			 * new writers in this short period, wake them up.
+			 */
+			if (cntflag == READER_INCR &&
+			    rwl->write_completions != rwl->write_requests) {
+				LOCK(&rwl->lock);
+				BROADCAST(&rwl->writeable);
+				UNLOCK(&rwl->lock);
+			}
+
+			return (ISC_R_LOCKBUSY);
+		}
+	} else {
+		/* Try locking without entering the waiting queue. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		int_fast32_t zero = 0;
+		if (!atomic_compare_exchange_strong_explicit
+		    (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
+		     memory_order_relaxed, memory_order_relaxed))
+			return (ISC_R_LOCKBUSY);
+#else
+		cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
+					     WRITER_ACTIVE);
+		if (cntflag != 0)
+			return (ISC_R_LOCKBUSY);
+#endif
+
+		/*
+		 * XXXJT: jump into the queue, possibly breaking the writer
+		 * order.
+		 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		atomic_fetch_sub_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+#else
+		(void)isc_atomic_xadd(&rwl->write_completions, -1);
+#endif
+
+		rwl->write_granted++;
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	{
+		int_fast32_t reader_incr = READER_INCR;
+
+		/* Try to acquire write access. */
+		atomic_compare_exchange_strong_explicit
+			(&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
+			 memory_order_relaxed, memory_order_relaxed);
+		/*
+		 * There must have been no writer, and there must have
+		 * been at least one reader.
+		 */
+		INSIST((reader_incr & WRITER_ACTIVE) == 0 &&
+		       (reader_incr & ~WRITER_ACTIVE) != 0);
+
+		if (reader_incr == READER_INCR) {
+			/*
+			 * We are the only reader and have been upgraded.
+			 * Now jump into the head of the writer waiting queue.
+			 */
+			atomic_fetch_sub_explicit(&rwl->write_completions, 1,
+						  memory_order_relaxed);
+		} else
+			return (ISC_R_LOCKBUSY);
+
+	}
+#else
+	{
+		int32_t prevcnt;
+
+		/* Try to acquire write access. */
+		prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
+					     READER_INCR, WRITER_ACTIVE);
+		/*
+		 * There must have been no writer, and there must have
+		 * been at least one reader.
+		 */
+		INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
+		       (prevcnt & ~WRITER_ACTIVE) != 0);
+
+		if (prevcnt == READER_INCR) {
+			/*
+			 * We are the only reader and have been upgraded.
+			 * Now jump into the head of the writer waiting queue.
+			 */
+			(void)isc_atomic_xadd(&rwl->write_completions, -1);
+		} else
+			return (ISC_R_LOCKBUSY);
+	}
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+	int32_t prev_readers;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	{
+		/* Become an active reader. */
+		prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+							 READER_INCR,
+							 memory_order_relaxed);
+		/* We must have been a writer. */
+		INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+		/* Complete write */
+		atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
+					  memory_order_relaxed);
+		atomic_fetch_add_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+	}
+#else
+	{
+		/* Become an active reader. */
+		prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+		/* We must have been a writer. */
+		INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+		/* Complete write */
+		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
+		(void)isc_atomic_xadd(&rwl->write_completions, 1);
+	}
+#endif
+
+	/* Resume other readers */
+	LOCK(&rwl->lock);
+	if (rwl->readers_waiting > 0)
+		BROADCAST(&rwl->readable);
+	UNLOCK(&rwl->lock);
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t prev_cnt;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
+						     READER_INCR,
+						     memory_order_relaxed);
+#else
+		prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
+#endif
+		/*
+		 * If we're the last reader and any writers are waiting, wake
+		 * them up.  We need to wake up all of them to ensure the
+		 * FIFO order.
+		 */
+		if (prev_cnt == READER_INCR &&
+		    rwl->write_completions != rwl->write_requests) {
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	} else {
+		bool wakeup_writers = true;
+
+		/*
+		 * Reset the flag, and (implicitly) tell other writers
+		 * we are done.
+		 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
+					  memory_order_relaxed);
+		atomic_fetch_add_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+#else
+		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
+		(void)isc_atomic_xadd(&rwl->write_completions, 1);
+#endif
+
+		if (rwl->write_granted >= rwl->write_quota ||
+		    rwl->write_requests == rwl->write_completions ||
+		    (rwl->cnt_and_flag & ~WRITER_ACTIVE) != 0) {
+			/*
+			 * We have passed the write quota, no writer is
+			 * waiting, or some readers are almost ready, pending
+			 * possible writers.  Note that the last case can
+			 * happen even if write_requests != write_completions
+			 * (which means a new writer in the queue), so we need
+			 * to catch the case explicitly.
+			 */
+			LOCK(&rwl->lock);
+			if (rwl->readers_waiting > 0) {
+				wakeup_writers = false;
+				BROADCAST(&rwl->readable);
+			}
+			UNLOCK(&rwl->lock);
+		}
+
+		if (rwl->write_requests != rwl->write_completions &&
+		    wakeup_writers) {
+			LOCK(&rwl->lock);
+			BROADCAST(&rwl->writeable);
+			UNLOCK(&rwl->lock);
+		}
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTUNLOCK, "postunlock"),
+		   rwl, type);
+#endif
+
+	return (ISC_R_SUCCESS);
+}
+
+#else /* ISC_RWLOCK_USEATOMIC */
+
+static isc_result_t
+doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, bool nonblock) {
+	bool skip = false;
+	bool done = false;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	LOCK(&rwl->lock);
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+	if (type == isc_rwlocktype_read) {
+		if (rwl->readers_waiting != 0)
+			skip = true;
+		while (!done) {
+			if (!skip &&
+			    ((rwl->active == 0 ||
+			      (rwl->type == isc_rwlocktype_read &&
+			       (rwl->writers_waiting == 0 ||
+				rwl->granted < rwl->read_quota)))))
+			{
+				rwl->type = isc_rwlocktype_read;
+				rwl->active++;
+				rwl->granted++;
+				done = true;
+			} else if (nonblock) {
+				result = ISC_R_LOCKBUSY;
+				done = true;
+			} else {
+				skip = false;
+				rwl->readers_waiting++;
+				WAIT(&rwl->readable, &rwl->lock);
+				rwl->readers_waiting--;
+			}
+		}
+	} else {
+		if (rwl->writers_waiting != 0)
+			skip = true;
+		while (!done) {
+			if (!skip && rwl->active == 0) {
+				rwl->type = isc_rwlocktype_write;
+				rwl->active = 1;
+				rwl->granted++;
+				done = true;
+			} else if (nonblock) {
+				result = ISC_R_LOCKBUSY;
+				done = true;
+			} else {
+				skip = false;
+				rwl->writers_waiting++;
+				WAIT(&rwl->writeable, &rwl->lock);
+				rwl->writers_waiting--;
+			}
+		}
+	}
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+	UNLOCK(&rwl->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	int32_t cnt = 0;
+	int32_t max_cnt = rwl->spins * 2 + 10;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (max_cnt > RWLOCK_MAX_ADAPTIVE_COUNT)
+		max_cnt = RWLOCK_MAX_ADAPTIVE_COUNT;
+
+	do {
+		if (cnt++ >= max_cnt) {
+			result = doit(rwl, type, false);
+			break;
+		}
+#ifdef ISC_PLATFORM_BUSYWAITNOP
+		ISC_PLATFORM_BUSYWAITNOP;
+#endif
+	} while (doit(rwl, type, true) != ISC_R_SUCCESS);
+
+	rwl->spins += (cnt - rwl->spins) / 8;
+
+	return (result);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	return (doit(rwl, type, true));
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+	LOCK(&rwl->lock);
+	REQUIRE(rwl->type == isc_rwlocktype_read);
+	REQUIRE(rwl->active != 0);
+
+	/* If we are the only reader then succeed. */
+	if (rwl->active == 1) {
+		rwl->original = (rwl->original == isc_rwlocktype_none) ?
+				isc_rwlocktype_read : isc_rwlocktype_none;
+		rwl->type = isc_rwlocktype_write;
+	} else
+		result = ISC_R_LOCKBUSY;
+
+	UNLOCK(&rwl->lock);
+	return (result);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+
+	REQUIRE(VALID_RWLOCK(rwl));
+	LOCK(&rwl->lock);
+	REQUIRE(rwl->type == isc_rwlocktype_write);
+	REQUIRE(rwl->active == 1);
+
+	rwl->type = isc_rwlocktype_read;
+	rwl->original = (rwl->original == isc_rwlocktype_none) ?
+			isc_rwlocktype_write : isc_rwlocktype_none;
+	/*
+	 * Resume processing any read request that were blocked when
+	 * we upgraded.
+	 */
+	if (rwl->original == isc_rwlocktype_none &&
+	    (rwl->writers_waiting == 0 || rwl->granted < rwl->read_quota) &&
+	    rwl->readers_waiting > 0)
+		BROADCAST(&rwl->readable);
+
+	UNLOCK(&rwl->lock);
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+
+	REQUIRE(VALID_RWLOCK(rwl));
+	LOCK(&rwl->lock);
+	REQUIRE(rwl->type == type);
+
+	UNUSED(type);
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
+#endif
+
+	INSIST(rwl->active > 0);
+	rwl->active--;
+	if (rwl->active == 0) {
+		if (rwl->original != isc_rwlocktype_none) {
+			rwl->type = rwl->original;
+			rwl->original = isc_rwlocktype_none;
+		}
+		if (rwl->type == isc_rwlocktype_read) {
+			rwl->granted = 0;
+			if (rwl->writers_waiting > 0) {
+				rwl->type = isc_rwlocktype_write;
+				SIGNAL(&rwl->writeable);
+			} else if (rwl->readers_waiting > 0) {
+				/* Does this case ever happen? */
+				BROADCAST(&rwl->readable);
+			}
+		} else {
+			if (rwl->readers_waiting > 0) {
+				if (rwl->writers_waiting > 0 &&
+				    rwl->granted < rwl->write_quota) {
+					SIGNAL(&rwl->writeable);
+				} else {
+					rwl->granted = 0;
+					rwl->type = isc_rwlocktype_read;
+					BROADCAST(&rwl->readable);
+				}
+			} else if (rwl->writers_waiting > 0) {
+				rwl->granted = 0;
+				SIGNAL(&rwl->writeable);
+			} else {
+				rwl->granted = 0;
+			}
+		}
+	}
+	INSIST(rwl->original == isc_rwlocktype_none);
+
+#ifdef ISC_RWLOCK_TRACE
+	print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+				  ISC_MSG_POSTUNLOCK, "postunlock"),
+		   rwl, type);
+#endif
+
+	UNLOCK(&rwl->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif /* ISC_RWLOCK_USEATOMIC */
+#else /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+		unsigned int write_quota)
+{
+	REQUIRE(rwl != NULL);
+
+	UNUSED(read_quota);
+	UNUSED(write_quota);
+
+	rwl->type = isc_rwlocktype_read;
+	rwl->active = 0;
+	rwl->magic = RWLOCK_MAGIC;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	REQUIRE(VALID_RWLOCK(rwl));
+
+	if (type == isc_rwlocktype_read) {
+		if (rwl->type != isc_rwlocktype_read && rwl->active != 0)
+			return (ISC_R_LOCKBUSY);
+		rwl->type = isc_rwlocktype_read;
+		rwl->active++;
+	} else {
+		if (rwl->active != 0)
+			return (ISC_R_LOCKBUSY);
+		rwl->type = isc_rwlocktype_write;
+		rwl->active = 1;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	return (isc_rwlock_lock(rwl, type));
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_RWLOCK(rwl));
+	REQUIRE(rwl->type == isc_rwlocktype_read);
+	REQUIRE(rwl->active != 0);
+
+	/* If we are the only reader then succeed. */
+	if (rwl->active == 1)
+		rwl->type = isc_rwlocktype_write;
+	else
+		result = ISC_R_LOCKBUSY;
+	return (result);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+
+	REQUIRE(VALID_RWLOCK(rwl));
+	REQUIRE(rwl->type == isc_rwlocktype_write);
+	REQUIRE(rwl->active == 1);
+
+	rwl->type = isc_rwlocktype_read;
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+	REQUIRE(VALID_RWLOCK(rwl));
+	REQUIRE(rwl->type == type);
+
+	UNUSED(type);
+
+	INSIST(rwl->active > 0);
+	rwl->active--;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+	REQUIRE(rwl != NULL);
+	REQUIRE(rwl->active == 0);
+	rwl->magic = 0;
+}
+
+#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/lib/isc/safe.c b/lib/isc/safe.c
new file mode 100644
index 0000000..7a464b6
--- /dev/null
+++ b/lib/isc/safe.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/safe.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#ifdef WIN32
+#include <windows.h>
+#endif
+
+#ifdef _MSC_VER
+#pragma optimize("", off)
+#endif
+
+bool
+isc_safe_memequal(const void *s1, const void *s2, size_t n) {
+	uint8_t acc = 0;
+
+	if (n != 0U) {
+		const uint8_t *p1 = s1, *p2 = s2;
+
+		do {
+			acc |= *p1++ ^ *p2++;
+		} while (--n != 0U);
+	}
+	return (acc == 0);
+}
+
+
+int
+isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
+	const unsigned char *p1 = b1, *p2 = b2;
+	size_t i;
+	int res = 0, done = 0;
+
+	for (i = 0; i < len; i++) {
+		/* lt is -1 if p1[i] < p2[i]; else 0. */
+		int lt = (p1[i] - p2[i]) >> CHAR_BIT;
+
+		/* gt is -1 if p1[i] > p2[i]; else 0. */
+		int gt = (p2[i] - p1[i]) >> CHAR_BIT;
+
+		/* cmp is 1 if p1[i] > p2[i]; -1 if p1[i] < p2[i]; else 0. */
+		int cmp = lt - gt;
+
+		/* set res = cmp if !done. */
+		res |= cmp & ~done;
+
+		/* set done if p1[i] != p2[i]. */
+		done |= lt | gt;
+	}
+
+	return (res);
+}
+
+void
+isc_safe_memwipe(void *ptr, size_t len) {
+	if (ISC_UNLIKELY(ptr == NULL || len == 0))
+		return;
+
+#ifdef WIN32
+	SecureZeroMemory(ptr, len);
+#elif HAVE_EXPLICIT_BZERO
+	explicit_bzero(ptr, len);
+#else
+	memset(ptr, 0, len);
+#endif
+}
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
new file mode 100644
index 0000000..860a0c6
--- /dev/null
+++ b/lib/isc/serial.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/serial.h>
+
+bool
+isc_serial_lt(uint32_t a, uint32_t b) {
+	/*
+	 * Undefined => false
+	 */
+	if (a == (b ^ 0x80000000U))
+		return (false);
+	return (((int32_t)(a - b) < 0) ? true : false);
+}
+
+bool
+isc_serial_gt(uint32_t a, uint32_t b) {
+	return (((int32_t)(a - b) > 0) ? true : false);
+}
+
+bool
+isc_serial_le(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : isc_serial_lt(a, b));
+}
+
+bool
+isc_serial_ge(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : isc_serial_gt(a, b));
+}
+
+bool
+isc_serial_eq(uint32_t a, uint32_t b) {
+	return ((a == b) ? true : false);
+}
+
+bool
+isc_serial_ne(uint32_t a, uint32_t b) {
+	return ((a != b) ? true : false);
+}
diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
new file mode 100644
index 0000000..c0c89b4
--- /dev/null
+++ b/lib/isc/sha1.c
@@ -0,0 +1,456 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+/*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
+/*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
+
+/*! \file
+ * SHA-1 in C
+ * \author By Steve Reid <steve@edmweb.com>
+ * 100% Public Domain
+ * \verbatim
+ * Test Vectors (from FIPS PUB 180-1)
+ * "abc"
+ *   A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+ * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+ *   84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+ * A million repetitions of "a"
+ *   34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+ * \endverbatim
+ */
+
+#include "config.h"
+
+#include <stdbool.h>
+
+#include <isc/assertions.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/sha1.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#if PKCS11CRYPTO
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#endif
+
+#ifdef ISC_PLATFORM_OPENSSLHASH
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#define EVP_MD_CTX_new() &(context->_ctx)
+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
+#endif
+
+void
+isc_sha1_init(isc_sha1_t *context)
+{
+	INSIST(context != NULL);
+
+	context->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(context->ctx != NULL);
+	if (EVP_DigestInit(context->ctx, EVP_sha1()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA1.");
+	}
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *context) {
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
+		unsigned int len)
+{
+	INSIST(context != 0);
+	INSIST(context->ctx != 0);
+	INSIST(data != 0);
+
+	RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
+				       (const void *) data,
+				       (size_t) len) == 1);
+}
+
+void
+isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
+	INSIST(digest != 0);
+	INSIST(context != 0);
+	INSIST(context->ctx != 0);
+
+	RUNTIME_CHECK(EVP_DigestFinal(context->ctx, digest, NULL) == 1);
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+#elif PKCS11CRYPTO
+
+void
+isc_sha1_init(isc_sha1_t *ctx) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA_1, NULL, 0 };
+
+	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (ctx->session, &mech));
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *ctx) {
+	CK_BYTE garbage[ISC_SHA1_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+	if (ctx->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(ctx);
+}
+
+void
+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *buf, unsigned int len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	DE_CONST(buf, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(ctx->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest) {
+	CK_RV rv;
+	CK_ULONG len = ISC_SHA1_DIGESTLENGTH;
+
+	PK11_FATALCHECK(pkcs_C_DigestFinal,
+			(ctx->session, (CK_BYTE_PTR) digest, &len));
+	pk11_return_session(ctx);
+}
+
+#else
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/*@{*/
+/*!
+ * blk0() and blk() perform the initial expand.
+ * I got the idea of expanding during the round function from SSLeay
+ */
+#if !defined(WORDS_BIGENDIAN)
+# define blk0(i) \
+	(block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \
+	 | (rol(block->l[i], 8) & 0x00FF00FF))
+#else
+# define blk0(i) block->l[i]
+#endif
+#define blk(i) \
+	(block->l[i & 15] = rol(block->l[(i + 13) & 15] \
+				^ block->l[(i + 8) & 15] \
+				^ block->l[(i + 2) & 15] \
+				^ block->l[i & 15], 1))
+
+/*@}*/
+/*@{*/
+/*!
+ * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
+ */
+#define R0(v,w,x,y,z,i) \
+	z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
+	w = rol(w, 30);
+#define R1(v,w,x,y,z,i) \
+	z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
+	w = rol(w, 30);
+#define R2(v,w,x,y,z,i) \
+	z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
+	w = rol(w, 30);
+#define R3(v,w,x,y,z,i) \
+	z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
+	w = rol(w, 30);
+#define R4(v,w,x,y,z,i) \
+	z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
+	w = rol(w, 30);
+
+/*@}*/
+
+typedef union {
+	unsigned char c[64];
+	unsigned int l[16];
+} CHAR64LONG16;
+
+#ifdef __sparc_v9__
+static void do_R01(uint32_t *a, uint32_t *b, uint32_t *c,
+		   uint32_t *d, uint32_t *e, CHAR64LONG16 *);
+static void do_R2(uint32_t *a, uint32_t *b, uint32_t *c,
+		  uint32_t *d, uint32_t *e, CHAR64LONG16 *);
+static void do_R3(uint32_t *a, uint32_t *b, uint32_t *c,
+		  uint32_t *d, uint32_t *e, CHAR64LONG16 *);
+static void do_R4(uint32_t *a, uint32_t *b, uint32_t *c,
+		  uint32_t *d, uint32_t *e, CHAR64LONG16 *);
+
+#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i)
+#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i)
+#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i)
+#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i)
+#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i)
+
+static void
+do_R01(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d,
+       uint32_t *e, CHAR64LONG16 *block)
+{
+	nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2);
+	nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5);
+	nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8);
+	nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11);
+	nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14);
+	nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17);
+	nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19);
+}
+
+static void
+do_R2(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d,
+      uint32_t *e, CHAR64LONG16 *block)
+{
+	nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22);
+	nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25);
+	nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28);
+	nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31);
+	nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34);
+	nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37);
+	nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39);
+}
+
+static void
+do_R3(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d,
+      uint32_t *e, CHAR64LONG16 *block)
+{
+	nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42);
+	nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45);
+	nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48);
+	nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51);
+	nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54);
+	nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57);
+	nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59);
+}
+
+static void
+do_R4(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d,
+      uint32_t *e, CHAR64LONG16 *block)
+{
+	nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62);
+	nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65);
+	nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68);
+	nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71);
+	nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74);
+	nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77);
+	nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79);
+}
+#endif
+
+/*!
+ * Hash a single 512-bit block. This is the core of the algorithm.
+ */
+static void
+transform(uint32_t state[5], const unsigned char buffer[64]) {
+	uint32_t a, b, c, d, e;
+	CHAR64LONG16 *block;
+	CHAR64LONG16 workspace;
+
+	INSIST(buffer != NULL);
+	INSIST(state != NULL);
+
+	block = &workspace;
+	(void)memmove(block, buffer, 64);
+
+	/* Copy context->state[] to working vars */
+	a = state[0];
+	b = state[1];
+	c = state[2];
+	d = state[3];
+	e = state[4];
+
+#ifdef __sparc_v9__
+	do_R01(&a, &b, &c, &d, &e, block);
+	do_R2(&a, &b, &c, &d, &e, block);
+	do_R3(&a, &b, &c, &d, &e, block);
+	do_R4(&a, &b, &c, &d, &e, block);
+#else
+	/* 4 rounds of 20 operations each. Loop unrolled. */
+	R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+	R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+	R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+	R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+	R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+	R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+	R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+	R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+	R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+	R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+	R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+	R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+	R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+	R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+	R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+	R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+	R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+	R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+	R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+	R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+#endif
+
+	/* Add the working vars back into context.state[] */
+	state[0] += a;
+	state[1] += b;
+	state[2] += c;
+	state[3] += d;
+	state[4] += e;
+
+	/* Wipe variables */
+	a = b = c = d = e = 0;
+	/* Avoid compiler warnings */
+	POST(a); POST(b); POST(c); POST(d); POST(e);
+}
+
+
+/*!
+ * isc_sha1_init - Initialize new context
+ */
+void
+isc_sha1_init(isc_sha1_t *context)
+{
+	INSIST(context != NULL);
+
+	/* SHA1 initialization constants */
+	context->state[0] = 0x67452301;
+	context->state[1] = 0xEFCDAB89;
+	context->state[2] = 0x98BADCFE;
+	context->state[3] = 0x10325476;
+	context->state[4] = 0xC3D2E1F0;
+	context->count[0] = 0;
+	context->count[1] = 0;
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *context) {
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+/*!
+ * Run your data through this.
+ */
+void
+isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
+		unsigned int len)
+{
+	unsigned int i, j;
+
+	INSIST(context != 0);
+	INSIST(data != 0);
+
+	j = context->count[0];
+	if ((context->count[0] += len << 3) < j)
+		context->count[1] += (len >> 29) + 1;
+	j = (j >> 3) & 63;
+	if ((j + len) > 63) {
+		(void)memmove(&context->buffer[j], data, (i = 64 - j));
+		transform(context->state, context->buffer);
+		for (; i + 63 < len; i += 64)
+			transform(context->state, &data[i]);
+		j = 0;
+	} else {
+		i = 0;
+	}
+
+	(void)memmove(&context->buffer[j], &data[i], len - i);
+}
+
+
+/*!
+ * Add padding and return the message digest.
+ */
+
+static const unsigned char final_200 = 128;
+static const unsigned char final_0 = 0;
+
+void
+isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
+	unsigned int i;
+	unsigned char finalcount[8];
+
+	INSIST(digest != 0);
+	INSIST(context != 0);
+
+	for (i = 0; i < 8; i++) {
+		/* Endian independent */
+		finalcount[i] = (unsigned char)
+			((context->count[(i >= 4 ? 0 : 1)]
+			  >> ((3 - (i & 3)) * 8)) & 255);
+	}
+
+	isc_sha1_update(context, &final_200, 1);
+	while ((context->count[0] & 504) != 448)
+		isc_sha1_update(context, &final_0, 1);
+	/* The next Update should cause a transform() */
+	isc_sha1_update(context, finalcount, 8);
+
+	if (digest) {
+		for (i = 0; i < 20; i++)
+			digest[i] = (unsigned char)
+				((context->state[i >> 2]
+				  >> ((3 - (i & 3)) * 8)) & 255);
+	}
+
+	isc_safe_memwipe(context, sizeof(*context));
+}
+#endif
+
+/*
+ * Check for SHA-1 support; if it does not work, raise a fatal error.
+ *
+ * Use "a" as the test vector.
+ *
+ * Standard use is testing false and result true.
+ * Testing use is testing true and result false;
+ */
+bool
+isc_sha1_check(bool testing) {
+	isc_sha1_t ctx;
+	unsigned char input = 'a';
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	unsigned char expected[] = {
+		0x86, 0xf7, 0xe4, 0x37, 0xfa, 0xa5, 0xa7, 0xfc,
+		0xe1, 0x5d, 0x1d, 0xdc, 0xb9, 0xea, 0xea, 0xea,
+		0x37, 0x76, 0x67, 0xb8
+	};
+
+	INSIST(sizeof(expected) == ISC_SHA1_DIGESTLENGTH);
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	if (testing) {
+		input ^= 0x01;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_sha1_init(&ctx);
+	isc_sha1_update(&ctx, &input, 1U);
+	isc_sha1_final(&ctx, digest);
+
+	/*
+	 * Must return true in standard case, should return false for testing.
+	 */
+	return (memcmp(digest, expected, ISC_SHA1_DIGESTLENGTH) == 0);
+}
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
new file mode 100644
index 0000000..8e502bf
--- /dev/null
+++ b/lib/isc/sha2.c
@@ -0,0 +1,1767 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+/*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
+/*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
+
+/*
+ * sha2.c
+ *
+ * Version 1.0.0beta1
+ *
+ * Written by Aaron D. Gifford <me@aarongifford.com>
+ *
+ * Copyright 2000 Aaron D. Gifford.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ */
+
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/assertions.h>
+#include <isc/platform.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#if PKCS11CRYPTO
+#include <pk11/internal.h>
+#include <pk11/pk11.h>
+#endif
+
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_new() &(context->_ctx)
+#define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
+#define EVP_MD_CTX_reset(c) EVP_MD_CTX_cleanup(c)
+#endif
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+	if (context == (isc_sha224_t *)0) {
+		return;
+	}
+	context->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(context->ctx != NULL);
+	if (EVP_DigestInit(context->ctx, EVP_sha224()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA224.");
+	}
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const uint8_t* data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+	REQUIRE(data != (uint8_t*)0);
+
+	RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
+				       (const void *) data, len) == 1);
+}
+
+void
+isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0)
+		RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
+					      digest, NULL) == 1);
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	context->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(context->ctx != NULL);
+	if (EVP_DigestInit(context->ctx, EVP_sha256()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA256.");
+	}
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const uint8_t *data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+	REQUIRE(data != (uint8_t*)0);
+
+	RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
+				       (const void *) data, len) == 1);
+}
+
+void
+isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0)
+		RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
+					      digest, NULL) == 1);
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+	if (context == (isc_sha512_t *)0) {
+		return;
+	}
+	context->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(context->ctx != NULL);
+	if (EVP_DigestInit(context->ctx, EVP_sha512()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA512.");
+	}
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void isc_sha512_update(isc_sha512_t *context, const uint8_t *data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+	REQUIRE(data != (uint8_t*)0);
+
+	RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
+				       (const void *) data, len) == 1);
+}
+
+void isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0)
+		RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
+					      digest, NULL) == 1);
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+	if (context == (isc_sha384_t *)0) {
+		return;
+	}
+	context->ctx = EVP_MD_CTX_new();
+	RUNTIME_CHECK(context->ctx != NULL);
+	if (EVP_DigestInit(context->ctx, EVP_sha384()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA384.");
+	}
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const uint8_t* data, size_t len) {
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+	REQUIRE(data != (uint8_t*)0);
+
+	RUNTIME_CHECK(EVP_DigestUpdate(context->ctx,
+				       (const void *) data, len) == 1);
+}
+
+void
+isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+	REQUIRE(context->ctx != (EVP_MD_CTX *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0)
+		RUNTIME_CHECK(EVP_DigestFinal(context->ctx,
+					      digest, NULL) == 1);
+	EVP_MD_CTX_free(context->ctx);
+	context->ctx = NULL;
+}
+
+#elif PKCS11CRYPTO
+
+void
+isc_sha224_init(isc_sha224_t *context) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA224, NULL, 0 };
+
+	if (context == (isc_sha224_t *)0) {
+		return;
+	}
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+	CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+	if (context->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(context);
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const uint8_t* data, size_t len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0 && data != (uint8_t*)0);
+
+	DE_CONST(data, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
+	CK_RV rv;
+	CK_ULONG len = ISC_SHA224_DIGESTLENGTH;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(context->session,
+				 (CK_BYTE_PTR) digest,
+				 &len));
+	} else {
+		CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
+
+		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+	}
+	pk11_return_session(context);
+}
+
+void
+isc_sha256_init(isc_sha256_t *context) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
+
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+	CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+	if (context->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(context);
+}
+
+void
+isc_sha256_update(isc_sha256_t *context, const uint8_t* data, size_t len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0 && data != (uint8_t*)0);
+
+	DE_CONST(data, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
+	CK_RV rv;
+	CK_ULONG len = ISC_SHA256_DIGESTLENGTH;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(context->session,
+				 (CK_BYTE_PTR) digest,
+				 &len));
+	} else {
+		CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
+
+		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+	}
+	pk11_return_session(context);
+}
+
+void
+isc_sha512_init(isc_sha512_t *context) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA512, NULL, 0 };
+
+	if (context == (isc_sha512_t *)0) {
+		return;
+	}
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+	CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+	if (context->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(context);
+}
+
+void
+isc_sha512_update(isc_sha512_t *context, const uint8_t* data, size_t len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0 && data != (uint8_t*)0);
+
+	DE_CONST(data, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
+	CK_RV rv;
+	CK_ULONG len = ISC_SHA512_DIGESTLENGTH;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(context->session,
+				 (CK_BYTE_PTR) digest,
+				 &len));
+	} else {
+		CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
+
+		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+	}
+	pk11_return_session(context);
+}
+
+void
+isc_sha384_init(isc_sha384_t *context) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_SHA384, NULL, 0 };
+
+	if (context == (isc_sha384_t *)0) {
+		return;
+	}
+	RUNTIME_CHECK(pk11_get_session(context, OP_DIGEST, true, false,
+				       false, NULL, 0) == ISC_R_SUCCESS);
+	PK11_FATALCHECK(pkcs_C_DigestInit, (context->session, &mech));
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+	CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+	CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+	if (context->handle == NULL)
+		return;
+	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+	isc_safe_memwipe(garbage, sizeof(garbage));
+	pk11_return_session(context);
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const uint8_t* data, size_t len) {
+	CK_RV rv;
+	CK_BYTE_PTR pPart;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0 && data != (uint8_t*)0);
+
+	DE_CONST(data, pPart);
+	PK11_FATALCHECK(pkcs_C_DigestUpdate,
+			(context->session, pPart, (CK_ULONG) len));
+}
+
+void
+isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
+	CK_RV rv;
+	CK_ULONG len = ISC_SHA384_DIGESTLENGTH;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		PK11_FATALCHECK(pkcs_C_DigestFinal,
+				(context->session,
+				 (CK_BYTE_PTR) digest,
+				 &len));
+	} else {
+		CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
+
+		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
+		isc_safe_memwipe(garbage, sizeof(garbage));
+	}
+	pk11_return_session(context);
+}
+
+#else
+
+/*
+ * UNROLLED TRANSFORM LOOP NOTE:
+ * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
+ * loop version for the hash transform rounds (defined using macros
+ * later in this file).  Either define on the command line, for example:
+ *
+ *   cc -DISC_SHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
+ *
+ * or define below:
+ *
+ *   \#define ISC_SHA2_UNROLL_TRANSFORM
+ *
+ */
+
+/*** SHA-256/384/512 Machine Architecture Definitions *****************/
+/*
+ * BYTE_ORDER NOTE:
+ *
+ * Please make sure that your system defines BYTE_ORDER.  If your
+ * architecture is little-endian, make sure it also defines
+ * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
+ * equivalent.
+ *
+ * If your system does not define the above, then you can do so by
+ * hand like this:
+ *
+ *   \#define LITTLE_ENDIAN 1234
+ *   \#define BIG_ENDIAN    4321
+ *
+ * And for little-endian machines, add:
+ *
+ *   \#define BYTE_ORDER LITTLE_ENDIAN
+ *
+ * Or for big-endian machines:
+ *
+ *   \#define BYTE_ORDER BIG_ENDIAN
+ *
+ * The FreeBSD machine this was written on defines BYTE_ORDER
+ * appropriately by including <sys/types.h> (which in turn includes
+ * <machine/endian.h> where the appropriate definitions are actually
+ * made).
+ */
+#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
+#ifndef BYTE_ORDER
+#ifndef BIG_ENDIAN
+#define BIG_ENDIAN 4321
+#endif
+#ifndef LITTLE_ENDIAN
+#define LITTLE_ENDIAN 1234
+#endif
+#ifdef WORDS_BIGENDIAN
+#define BYTE_ORDER BIG_ENDIAN
+#else
+#define BYTE_ORDER LITTLE_ENDIAN
+#endif
+#else
+#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
+#endif
+#endif
+
+/*** SHA-256/384/512 Various Length Definitions ***********************/
+/* NOTE: Most of these are in sha2.h */
+#define ISC_SHA256_SHORT_BLOCK_LENGTH	(ISC_SHA256_BLOCK_LENGTH - 8)
+#define ISC_SHA384_SHORT_BLOCK_LENGTH	(ISC_SHA384_BLOCK_LENGTH - 16)
+#define ISC_SHA512_SHORT_BLOCK_LENGTH	(ISC_SHA512_BLOCK_LENGTH - 16)
+
+
+/*** ENDIAN REVERSAL MACROS *******************************************/
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define REVERSE32(w,x)	{ \
+	uint32_t tmp = (w); \
+	tmp = (tmp >> 16) | (tmp << 16); \
+	(x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
+}
+#ifdef WIN32
+#define REVERSE64(w,x)	{ \
+	uint64_t tmp = (w); \
+	tmp = (tmp >> 32) | (tmp << 32); \
+	tmp = ((tmp & 0xff00ff00ff00ff00UL) >> 8) | \
+	      ((tmp & 0x00ff00ff00ff00ffUL) << 8); \
+	(x) = ((tmp & 0xffff0000ffff0000UL) >> 16) | \
+	      ((tmp & 0x0000ffff0000ffffUL) << 16); \
+}
+#else
+#define REVERSE64(w,x)	{ \
+	uint64_t tmp = (w); \
+	tmp = (tmp >> 32) | (tmp << 32); \
+	tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
+	      ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
+	(x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
+	      ((tmp & 0x0000ffff0000ffffULL) << 16); \
+}
+#endif
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+/*
+ * Macro for incrementally adding the unsigned 64-bit integer n to the
+ * unsigned 128-bit integer (represented using a two-element array of
+ * 64-bit words):
+ */
+#define ADDINC128(w,n)	{ \
+	(w)[0] += (uint64_t)(n); \
+	if ((w)[0] < (n)) { \
+		(w)[1]++; \
+	} \
+}
+
+/*** THE SIX LOGICAL FUNCTIONS ****************************************/
+/*
+ * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
+ *
+ *   NOTE:  The naming of R and S appears backwards here (R is a SHIFT and
+ *   S is a ROTATION) because the SHA-256/384/512 description document
+ *   (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
+ *   same "backwards" definition.
+ */
+/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
+#define R(b,x) 		((x) >> (b))
+/* 32-bit Rotate-right (used in SHA-256): */
+#define S32(b,x)	(((x) >> (b)) | ((x) << (32 - (b))))
+/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
+#define S64(b,x)	(((x) >> (b)) | ((x) << (64 - (b))))
+
+/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
+#define Ch(x,y,z)	(((x) & (y)) ^ ((~(x)) & (z)))
+#define Maj(x,y,z)	(((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
+
+/* Four of six logical functions used in SHA-256: */
+#define Sigma0_256(x)	(S32(2,  (x)) ^ S32(13, (x)) ^ S32(22, (x)))
+#define Sigma1_256(x)	(S32(6,  (x)) ^ S32(11, (x)) ^ S32(25, (x)))
+#define sigma0_256(x)	(S32(7,  (x)) ^ S32(18, (x)) ^ R(3 ,   (x)))
+#define sigma1_256(x)	(S32(17, (x)) ^ S32(19, (x)) ^ R(10,   (x)))
+
+/* Four of six logical functions used in SHA-384 and SHA-512: */
+#define Sigma0_512(x)	(S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
+#define Sigma1_512(x)	(S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
+#define sigma0_512(x)	(S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7,   (x)))
+#define sigma1_512(x)	(S64(19, (x)) ^ S64(61, (x)) ^ R( 6,   (x)))
+
+/*** INTERNAL FUNCTION PROTOTYPES *************************************/
+/* NOTE: These should not be accessed directly from outside this
+ * library -- they are intended for private internal visibility/use
+ * only.
+ */
+void isc_sha512_last(isc_sha512_t *);
+void isc_sha256_transform(isc_sha256_t *, const uint32_t*);
+void isc_sha512_transform(isc_sha512_t *, const uint64_t*);
+
+
+/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
+/* Hash constant words K for SHA-224 and SHA-256: */
+static const uint32_t K256[64] = {
+	0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
+	0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
+	0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
+	0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
+	0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+	0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
+	0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
+	0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
+	0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
+	0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+	0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
+	0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
+	0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
+	0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
+	0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+	0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+/* Initial hash value H for SHA-224: */
+static const uint32_t sha224_initial_hash_value[8] = {
+	0xc1059ed8UL,
+	0x367cd507UL,
+	0x3070dd17UL,
+	0xf70e5939UL,
+	0xffc00b31UL,
+	0x68581511UL,
+	0x64f98fa7UL,
+	0xbefa4fa4UL
+};
+
+/* Initial hash value H for SHA-256: */
+static const uint32_t sha256_initial_hash_value[8] = {
+	0x6a09e667UL,
+	0xbb67ae85UL,
+	0x3c6ef372UL,
+	0xa54ff53aUL,
+	0x510e527fUL,
+	0x9b05688cUL,
+	0x1f83d9abUL,
+	0x5be0cd19UL
+};
+
+#ifdef WIN32
+/* Hash constant words K for SHA-384 and SHA-512: */
+static const uint64_t K512[80] = {
+	0x428a2f98d728ae22UL, 0x7137449123ef65cdUL,
+	0xb5c0fbcfec4d3b2fUL, 0xe9b5dba58189dbbcUL,
+	0x3956c25bf348b538UL, 0x59f111f1b605d019UL,
+	0x923f82a4af194f9bUL, 0xab1c5ed5da6d8118UL,
+	0xd807aa98a3030242UL, 0x12835b0145706fbeUL,
+	0x243185be4ee4b28cUL, 0x550c7dc3d5ffb4e2UL,
+	0x72be5d74f27b896fUL, 0x80deb1fe3b1696b1UL,
+	0x9bdc06a725c71235UL, 0xc19bf174cf692694UL,
+	0xe49b69c19ef14ad2UL, 0xefbe4786384f25e3UL,
+	0x0fc19dc68b8cd5b5UL, 0x240ca1cc77ac9c65UL,
+	0x2de92c6f592b0275UL, 0x4a7484aa6ea6e483UL,
+	0x5cb0a9dcbd41fbd4UL, 0x76f988da831153b5UL,
+	0x983e5152ee66dfabUL, 0xa831c66d2db43210UL,
+	0xb00327c898fb213fUL, 0xbf597fc7beef0ee4UL,
+	0xc6e00bf33da88fc2UL, 0xd5a79147930aa725UL,
+	0x06ca6351e003826fUL, 0x142929670a0e6e70UL,
+	0x27b70a8546d22ffcUL, 0x2e1b21385c26c926UL,
+	0x4d2c6dfc5ac42aedUL, 0x53380d139d95b3dfUL,
+	0x650a73548baf63deUL, 0x766a0abb3c77b2a8UL,
+	0x81c2c92e47edaee6UL, 0x92722c851482353bUL,
+	0xa2bfe8a14cf10364UL, 0xa81a664bbc423001UL,
+	0xc24b8b70d0f89791UL, 0xc76c51a30654be30UL,
+	0xd192e819d6ef5218UL, 0xd69906245565a910UL,
+	0xf40e35855771202aUL, 0x106aa07032bbd1b8UL,
+	0x19a4c116b8d2d0c8UL, 0x1e376c085141ab53UL,
+	0x2748774cdf8eeb99UL, 0x34b0bcb5e19b48a8UL,
+	0x391c0cb3c5c95a63UL, 0x4ed8aa4ae3418acbUL,
+	0x5b9cca4f7763e373UL, 0x682e6ff3d6b2b8a3UL,
+	0x748f82ee5defb2fcUL, 0x78a5636f43172f60UL,
+	0x84c87814a1f0ab72UL, 0x8cc702081a6439ecUL,
+	0x90befffa23631e28UL, 0xa4506cebde82bde9UL,
+	0xbef9a3f7b2c67915UL, 0xc67178f2e372532bUL,
+	0xca273eceea26619cUL, 0xd186b8c721c0c207UL,
+	0xeada7dd6cde0eb1eUL, 0xf57d4f7fee6ed178UL,
+	0x06f067aa72176fbaUL, 0x0a637dc5a2c898a6UL,
+	0x113f9804bef90daeUL, 0x1b710b35131c471bUL,
+	0x28db77f523047d84UL, 0x32caab7b40c72493UL,
+	0x3c9ebe0a15c9bebcUL, 0x431d67c49c100d4cUL,
+	0x4cc5d4becb3e42b6UL, 0x597f299cfc657e2aUL,
+	0x5fcb6fab3ad6faecUL, 0x6c44198c4a475817UL
+};
+
+/* Initial hash value H for SHA-384: */
+static const uint64_t sha384_initial_hash_value[8] = {
+	0xcbbb9d5dc1059ed8UL,
+	0x629a292a367cd507UL,
+	0x9159015a3070dd17UL,
+	0x152fecd8f70e5939UL,
+	0x67332667ffc00b31UL,
+	0x8eb44a8768581511UL,
+	0xdb0c2e0d64f98fa7UL,
+	0x47b5481dbefa4fa4UL
+};
+
+/* Initial hash value H for SHA-512: */
+static const uint64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908U,
+	0xbb67ae8584caa73bUL,
+	0x3c6ef372fe94f82bUL,
+	0xa54ff53a5f1d36f1UL,
+	0x510e527fade682d1UL,
+	0x9b05688c2b3e6c1fUL,
+	0x1f83d9abfb41bd6bUL,
+	0x5be0cd19137e2179UL
+};
+#else
+/* Hash constant words K for SHA-384 and SHA-512: */
+static const uint64_t K512[80] = {
+	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
+	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
+	0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
+	0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
+	0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
+	0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
+	0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
+	0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
+	0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
+	0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
+	0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
+	0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
+	0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
+	0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
+	0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
+	0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
+	0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
+	0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
+	0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
+	0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
+	0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
+	0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
+	0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
+	0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
+	0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
+	0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
+	0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
+	0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
+	0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
+	0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
+	0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
+	0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
+	0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
+	0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
+	0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
+	0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
+	0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
+	0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
+	0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
+	0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
+};
+
+/* Initial hash value H for SHA-384: */
+static const uint64_t sha384_initial_hash_value[8] = {
+	0xcbbb9d5dc1059ed8ULL,
+	0x629a292a367cd507ULL,
+	0x9159015a3070dd17ULL,
+	0x152fecd8f70e5939ULL,
+	0x67332667ffc00b31ULL,
+	0x8eb44a8768581511ULL,
+	0xdb0c2e0d64f98fa7ULL,
+	0x47b5481dbefa4fa4ULL
+};
+
+/* Initial hash value H for SHA-512: */
+static const uint64_t sha512_initial_hash_value[8] = {
+	0x6a09e667f3bcc908ULL,
+	0xbb67ae8584caa73bULL,
+	0x3c6ef372fe94f82bULL,
+	0xa54ff53a5f1d36f1ULL,
+	0x510e527fade682d1ULL,
+	0x9b05688c2b3e6c1fULL,
+	0x1f83d9abfb41bd6bULL,
+	0x5be0cd19137e2179ULL
+};
+#endif
+
+
+/*** SHA-224: *********************************************************/
+void
+isc_sha224_init(isc_sha224_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	memmove(context->state, sha224_initial_hash_value,
+		ISC_SHA256_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
+	context->bitcount = 0;
+}
+
+void
+isc_sha224_invalidate(isc_sha224_t *context) {
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+void
+isc_sha224_update(isc_sha224_t *context, const uint8_t* data, size_t len) {
+	isc_sha256_update((isc_sha256_t *)context, data, len);
+}
+
+void
+isc_sha224_final(uint8_t digest[], isc_sha224_t *context) {
+	uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
+	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
+	memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
+	isc_safe_memwipe(sha256_digest, sizeof(sha256_digest));
+}
+
+/*** SHA-256: *********************************************************/
+void
+isc_sha256_init(isc_sha256_t *context) {
+	if (context == (isc_sha256_t *)0) {
+		return;
+	}
+	memmove(context->state, sha256_initial_hash_value,
+	       ISC_SHA256_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA256_BLOCK_LENGTH);
+	context->bitcount = 0;
+}
+
+void
+isc_sha256_invalidate(isc_sha256_t *context) {
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+#ifdef ISC_SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-256 round macros: */
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
+	REVERSE32(*data++, W256[j]); \
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+	     K256[j] + W256[j]; \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
+	     K256[j] + (W256[j] = *data++); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND256(a,b,c,d,e,f,g,h)	\
+	s0 = W256[(j+1)&0x0f]; \
+	s0 = sigma0_256(s0); \
+	s1 = W256[(j+14)&0x0f]; \
+	s1 = sigma1_256(s1); \
+	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
+	     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
+	j++
+
+void isc_sha256_transform(isc_sha256_t *context, const uint32_t* data) {
+	uint32_t	a, b, c, d, e, f, g, h, s0, s1;
+	uint32_t	T1, *W256;
+	int		j;
+
+	W256 = (uint32_t*)context->buffer;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+		/* Rounds 0 to 15 (unrolled): */
+		ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
+		ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
+		ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
+		ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
+		ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
+		ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
+		ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
+		ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
+	} while (j < 16);
+
+	/* Now for the remaining rounds to 64: */
+	do {
+		ROUND256(a,b,c,d,e,f,g,h);
+		ROUND256(h,a,b,c,d,e,f,g);
+		ROUND256(g,h,a,b,c,d,e,f);
+		ROUND256(f,g,h,a,b,c,d,e);
+		ROUND256(e,f,g,h,a,b,c,d);
+		ROUND256(d,e,f,g,h,a,b,c);
+		ROUND256(c,d,e,f,g,h,a,b);
+		ROUND256(b,c,d,e,f,g,h,a);
+	} while (j < 64);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = 0;
+	/* Avoid compiler warnings */
+	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
+	POST(g); POST(h); POST(T1);
+}
+
+#else /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha256_transform(isc_sha256_t *context, const uint32_t* data) {
+	uint32_t	a, b, c, d, e, f, g, h, s0, s1;
+	uint32_t	T1, T2, *W256;
+	int		j;
+
+	W256 = (uint32_t*)context->buffer;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Copy data while converting to host byte order */
+		REVERSE32(*data++,W256[j]);
+		/* Apply the SHA-256 compression function to update a..h */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+		/* Apply the SHA-256 compression function to update a..h with copy */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+		T2 = Sigma0_256(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 16);
+
+	do {
+		/* Part of the message block expansion: */
+		s0 = W256[(j+1)&0x0f];
+		s0 = sigma0_256(s0);
+		s1 = W256[(j+14)&0x0f];
+		s1 = sigma1_256(s1);
+
+		/* Apply the SHA-256 compression function to update a..h */
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
+		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
+		T2 = Sigma0_256(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 64);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = T2 = 0;
+	/* Avoid compiler warnings */
+	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
+	POST(g); POST(h); POST(T1); POST(T2);
+}
+
+#endif /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha256_update(isc_sha256_t *context, const uint8_t *data, size_t len) {
+	unsigned int	freespace, usedspace;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0 && data != (uint8_t*)0);
+
+	usedspace = (unsigned int)((context->bitcount >> 3) %
+				   ISC_SHA256_BLOCK_LENGTH);
+	if (usedspace > 0) {
+		/* Calculate how much free space is available in the buffer */
+		freespace = ISC_SHA256_BLOCK_LENGTH - usedspace;
+
+		if (len >= freespace) {
+			/* Fill the buffer completely and process it */
+			memmove(&context->buffer[usedspace], data, freespace);
+			context->bitcount += freespace << 3;
+			len -= freespace;
+			data += freespace;
+			isc_sha256_transform(context,
+					     (uint32_t*)context->buffer);
+		} else {
+			/* The buffer is not yet full */
+			memmove(&context->buffer[usedspace], data, len);
+			context->bitcount += len << 3;
+			/* Clean up: */
+			usedspace = freespace = 0;
+			/* Avoid compiler warnings: */
+			POST(usedspace); POST(freespace);
+			return;
+		}
+	}
+	while (len >= ISC_SHA256_BLOCK_LENGTH) {
+		/* Process as many complete blocks as we can */
+		memmove(context->buffer, data, ISC_SHA256_BLOCK_LENGTH);
+		isc_sha256_transform(context, (uint32_t*)context->buffer);
+		context->bitcount += ISC_SHA256_BLOCK_LENGTH << 3;
+		len -= ISC_SHA256_BLOCK_LENGTH;
+		data += ISC_SHA256_BLOCK_LENGTH;
+	}
+	if (len > 0U) {
+		/* There's left-overs, so save 'em */
+		memmove(context->buffer, data, len);
+		context->bitcount += len << 3;
+	}
+	/* Clean up: */
+	usedspace = freespace = 0;
+	/* Avoid compiler warnings: */
+	POST(usedspace); POST(freespace);
+}
+
+void
+isc_sha256_final(uint8_t digest[], isc_sha256_t *context) {
+	uint32_t	*d = (uint32_t*)digest;
+	unsigned int	usedspace;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		usedspace = (unsigned int)((context->bitcount >> 3) %
+					   ISC_SHA256_BLOCK_LENGTH);
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Convert FROM host byte order */
+		REVERSE64(context->bitcount,context->bitcount);
+#endif
+		if (usedspace > 0) {
+			/* Begin padding with a 1 bit: */
+			context->buffer[usedspace++] = 0x80;
+
+			if (usedspace <= ISC_SHA256_SHORT_BLOCK_LENGTH) {
+				/* Set-up for the last transform: */
+				memset(&context->buffer[usedspace], 0,
+				       ISC_SHA256_SHORT_BLOCK_LENGTH - usedspace);
+			} else {
+				if (usedspace < ISC_SHA256_BLOCK_LENGTH) {
+					memset(&context->buffer[usedspace], 0,
+					       ISC_SHA256_BLOCK_LENGTH -
+					       usedspace);
+				}
+				/* Do second-to-last transform: */
+				isc_sha256_transform(context,
+					       (uint32_t*)context->buffer);
+
+				/* And set-up for the last transform: */
+				memset(context->buffer, 0,
+				       ISC_SHA256_SHORT_BLOCK_LENGTH);
+			}
+		} else {
+			/* Set-up for the last transform: */
+			memset(context->buffer, 0, ISC_SHA256_SHORT_BLOCK_LENGTH);
+
+			/* Begin padding with a 1 bit: */
+			*context->buffer = 0x80;
+		}
+		/* Set the bit count: */
+		*(uint64_t*)&context->buffer[ISC_SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
+
+		/* Final transform: */
+		isc_sha256_transform(context, (uint32_t*)context->buffer);
+
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 8; j++) {
+				REVERSE32(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memmove(d, context->state, ISC_SHA256_DIGESTLENGTH);
+#endif
+	}
+
+	/* Clean up state data: */
+	isc_safe_memwipe(context, sizeof(*context));
+	usedspace = 0;
+	POST(usedspace);
+}
+
+/*** SHA-512: *********************************************************/
+void
+isc_sha512_init(isc_sha512_t *context) {
+	if (context == (isc_sha512_t *)0) {
+		return;
+	}
+	memmove(context->state, sha512_initial_hash_value,
+		ISC_SHA512_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH);
+	context->bitcount[0] = context->bitcount[1] =  0;
+}
+
+void
+isc_sha512_invalidate(isc_sha512_t *context) {
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+#ifdef ISC_SHA2_UNROLL_TRANSFORM
+
+/* Unrolled SHA-512 round macros: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
+	REVERSE64(*data++, W512[j]); \
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+	     K512[j] + W512[j]; \
+	(d) += T1, \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
+	j++
+
+
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
+	     K512[j] + (W512[j] = *data++); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+	j++
+
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+
+#define ROUND512(a,b,c,d,e,f,g,h)	\
+	s0 = W512[(j+1)&0x0f]; \
+	s0 = sigma0_512(s0); \
+	s1 = W512[(j+14)&0x0f]; \
+	s1 = sigma1_512(s1); \
+	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
+	     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
+	(d) += T1; \
+	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
+	j++
+
+void isc_sha512_transform(isc_sha512_t *context, const uint64_t* data) {
+	uint64_t	a, b, c, d, e, f, g, h, s0, s1;
+	uint64_t	T1, *W512 = (uint64_t*)context->buffer;
+	int		j;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+		ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
+		ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
+		ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
+		ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
+		ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
+		ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
+		ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
+		ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
+	} while (j < 16);
+
+	/* Now for the remaining rounds up to 79: */
+	do {
+		ROUND512(a,b,c,d,e,f,g,h);
+		ROUND512(h,a,b,c,d,e,f,g);
+		ROUND512(g,h,a,b,c,d,e,f);
+		ROUND512(f,g,h,a,b,c,d,e);
+		ROUND512(e,f,g,h,a,b,c,d);
+		ROUND512(d,e,f,g,h,a,b,c);
+		ROUND512(c,d,e,f,g,h,a,b);
+		ROUND512(b,c,d,e,f,g,h,a);
+	} while (j < 80);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = 0;
+	/* Avoid compiler warnings */
+	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
+	POST(g); POST(h); POST(T1);
+}
+
+#else /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void
+isc_sha512_transform(isc_sha512_t *context, const uint64_t* data) {
+	uint64_t	a, b, c, d, e, f, g, h, s0, s1;
+	uint64_t	T1, T2, *W512 = (uint64_t*)context->buffer;
+	int		j;
+
+	/* Initialize registers with the prev. intermediate value */
+	a = context->state[0];
+	b = context->state[1];
+	c = context->state[2];
+	d = context->state[3];
+	e = context->state[4];
+	f = context->state[5];
+	g = context->state[6];
+	h = context->state[7];
+
+	j = 0;
+	do {
+#if BYTE_ORDER == LITTLE_ENDIAN
+		/* Convert TO host byte order */
+		REVERSE64(*data++, W512[j]);
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
+#else /* BYTE_ORDER == LITTLE_ENDIAN */
+		/* Apply the SHA-512 compression function to update a..h with copy */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
+#endif /* BYTE_ORDER == LITTLE_ENDIAN */
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 16);
+
+	do {
+		/* Part of the message block expansion: */
+		s0 = W512[(j+1)&0x0f];
+		s0 = sigma0_512(s0);
+		s1 = W512[(j+14)&0x0f];
+		s1 =  sigma1_512(s1);
+
+		/* Apply the SHA-512 compression function to update a..h */
+		T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
+		     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
+		T2 = Sigma0_512(a) + Maj(a, b, c);
+		h = g;
+		g = f;
+		f = e;
+		e = d + T1;
+		d = c;
+		c = b;
+		b = a;
+		a = T1 + T2;
+
+		j++;
+	} while (j < 80);
+
+	/* Compute the current intermediate hash value */
+	context->state[0] += a;
+	context->state[1] += b;
+	context->state[2] += c;
+	context->state[3] += d;
+	context->state[4] += e;
+	context->state[5] += f;
+	context->state[6] += g;
+	context->state[7] += h;
+
+	/* Clean up */
+	a = b = c = d = e = f = g = h = T1 = T2 = 0;
+	/* Avoid compiler warnings */
+	POST(a); POST(b); POST(c); POST(d); POST(e); POST(f);
+	POST(g); POST(h); POST(T1); POST(T2);
+}
+
+#endif /* ISC_SHA2_UNROLL_TRANSFORM */
+
+void isc_sha512_update(isc_sha512_t *context, const uint8_t *data, size_t len) {
+	unsigned int	freespace, usedspace;
+
+	if (len == 0U) {
+		/* Calling with no data is valid - we do nothing */
+		return;
+	}
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0 && data != (uint8_t*)0);
+
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				   ISC_SHA512_BLOCK_LENGTH);
+	if (usedspace > 0) {
+		/* Calculate how much free space is available in the buffer */
+		freespace = ISC_SHA512_BLOCK_LENGTH - usedspace;
+
+		if (len >= freespace) {
+			/* Fill the buffer completely and process it */
+			memmove(&context->buffer[usedspace], data, freespace);
+			ADDINC128(context->bitcount, freespace << 3);
+			len -= freespace;
+			data += freespace;
+			isc_sha512_transform(context,
+					     (uint64_t*)context->buffer);
+		} else {
+			/* The buffer is not yet full */
+			memmove(&context->buffer[usedspace], data, len);
+			ADDINC128(context->bitcount, len << 3);
+			/* Clean up: */
+			usedspace = freespace = 0;
+			/* Avoid compiler warnings: */
+			POST(usedspace); POST(freespace);
+			return;
+		}
+	}
+	while (len >= ISC_SHA512_BLOCK_LENGTH) {
+		/* Process as many complete blocks as we can */
+		memmove(context->buffer, data, ISC_SHA512_BLOCK_LENGTH);
+		isc_sha512_transform(context, (uint64_t*)context->buffer);
+		ADDINC128(context->bitcount, ISC_SHA512_BLOCK_LENGTH << 3);
+		len -= ISC_SHA512_BLOCK_LENGTH;
+		data += ISC_SHA512_BLOCK_LENGTH;
+	}
+	if (len > 0U) {
+		/* There's left-overs, so save 'em */
+		memmove(context->buffer, data, len);
+		ADDINC128(context->bitcount, len << 3);
+	}
+	/* Clean up: */
+	usedspace = freespace = 0;
+	/* Avoid compiler warnings: */
+	POST(usedspace); POST(freespace);
+}
+
+void isc_sha512_last(isc_sha512_t *context) {
+	unsigned int	usedspace;
+
+	usedspace = (unsigned int)((context->bitcount[0] >> 3) %
+				    ISC_SHA512_BLOCK_LENGTH);
+#if BYTE_ORDER == LITTLE_ENDIAN
+	/* Convert FROM host byte order */
+	REVERSE64(context->bitcount[0],context->bitcount[0]);
+	REVERSE64(context->bitcount[1],context->bitcount[1]);
+#endif
+	if (usedspace > 0) {
+		/* Begin padding with a 1 bit: */
+		context->buffer[usedspace++] = 0x80;
+
+		if (usedspace <= ISC_SHA512_SHORT_BLOCK_LENGTH) {
+			/* Set-up for the last transform: */
+			memset(&context->buffer[usedspace], 0,
+			       ISC_SHA512_SHORT_BLOCK_LENGTH - usedspace);
+		} else {
+			if (usedspace < ISC_SHA512_BLOCK_LENGTH) {
+				memset(&context->buffer[usedspace], 0,
+				       ISC_SHA512_BLOCK_LENGTH - usedspace);
+			}
+			/* Do second-to-last transform: */
+			isc_sha512_transform(context,
+					    (uint64_t*)context->buffer);
+
+			/* And set-up for the last transform: */
+			memset(context->buffer, 0, ISC_SHA512_BLOCK_LENGTH - 2);
+		}
+	} else {
+		/* Prepare for final transform: */
+		memset(context->buffer, 0, ISC_SHA512_SHORT_BLOCK_LENGTH);
+
+		/* Begin padding with a 1 bit: */
+		*context->buffer = 0x80;
+	}
+	/* Store the length of input data (in bits): */
+	*(uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
+	*(uint64_t*)&context->buffer[ISC_SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
+
+	/* Final transform: */
+	isc_sha512_transform(context, (uint64_t*)context->buffer);
+}
+
+void isc_sha512_final(uint8_t digest[], isc_sha512_t *context) {
+	uint64_t	*d = (uint64_t*)digest;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		isc_sha512_last(context);
+
+		/* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 8; j++) {
+				REVERSE64(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memmove(d, context->state, ISC_SHA512_DIGESTLENGTH);
+#endif
+	}
+
+	/* Zero out state data */
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+
+/*** SHA-384: *********************************************************/
+void
+isc_sha384_init(isc_sha384_t *context) {
+	if (context == (isc_sha384_t *)0) {
+		return;
+	}
+	memmove(context->state, sha384_initial_hash_value,
+		ISC_SHA512_DIGESTLENGTH);
+	memset(context->buffer, 0, ISC_SHA384_BLOCK_LENGTH);
+	context->bitcount[0] = context->bitcount[1] = 0;
+}
+
+void
+isc_sha384_invalidate(isc_sha384_t *context) {
+	isc_safe_memwipe(context, sizeof(*context));
+}
+
+void
+isc_sha384_update(isc_sha384_t *context, const uint8_t* data, size_t len) {
+	isc_sha512_update((isc_sha512_t *)context, data, len);
+}
+
+void
+isc_sha384_final(uint8_t digest[], isc_sha384_t *context) {
+	uint64_t	*d = (uint64_t*)digest;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	/* If no digest buffer is passed, we don't bother doing this: */
+	if (digest != (uint8_t*)0) {
+		isc_sha512_last((isc_sha512_t *)context);
+
+		/* Save the hash data for output: */
+#if BYTE_ORDER == LITTLE_ENDIAN
+		{
+			/* Convert TO host byte order */
+			int	j;
+			for (j = 0; j < 6; j++) {
+				REVERSE64(context->state[j],context->state[j]);
+				*d++ = context->state[j];
+			}
+		}
+#else
+		memmove(d, context->state, ISC_SHA384_DIGESTLENGTH);
+#endif
+	}
+
+	/* Zero out state data */
+	isc_safe_memwipe(context, sizeof(*context));
+}
+#endif /* !ISC_PLATFORM_OPENSSLHASH */
+
+/*
+ * Constant used by SHA256/384/512_End() functions for converting the
+ * digest to a readable hexadecimal character string:
+ */
+static const char *sha2_hex_digits = "0123456789abcdef";
+
+char *
+isc_sha224_end(isc_sha224_t *context, char buffer[]) {
+	uint8_t	digest[ISC_SHA224_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha224_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha224_final(digest, context);
+
+		for (i = 0; i < ISC_SHA224_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+		EVP_MD_CTX_reset(context->ctx);
+#elif PKCS11CRYPTO
+		pk11_return_session(context);
+#else
+		isc_safe_memwipe(context, sizeof(*context));
+#endif
+	}
+	isc_safe_memwipe(digest, sizeof(digest));
+	return buffer;
+}
+
+char *
+isc_sha224_data(const uint8_t *data, size_t len,
+		char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
+{
+	isc_sha224_t context;
+
+	isc_sha224_init(&context);
+	isc_sha224_update(&context, data, len);
+	return (isc_sha224_end(&context, digest));
+}
+
+char *
+isc_sha256_end(isc_sha256_t *context, char buffer[]) {
+	uint8_t	digest[ISC_SHA256_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha256_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha256_final(digest, context);
+
+		for (i = 0; i < ISC_SHA256_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+		EVP_MD_CTX_reset(context->ctx);
+#elif PKCS11CRYPTO
+		pk11_return_session(context);
+#else
+		isc_safe_memwipe(context, sizeof(*context));
+#endif
+	}
+	isc_safe_memwipe(digest, sizeof(digest));
+	return buffer;
+}
+
+char *
+isc_sha256_data(const uint8_t* data, size_t len,
+		char digest[ISC_SHA256_DIGESTSTRINGLENGTH])
+{
+	isc_sha256_t context;
+
+	isc_sha256_init(&context);
+	isc_sha256_update(&context, data, len);
+	return (isc_sha256_end(&context, digest));
+}
+
+char *
+isc_sha512_end(isc_sha512_t *context, char buffer[]) {
+	uint8_t	digest[ISC_SHA512_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha512_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha512_final(digest, context);
+
+		for (i = 0; i < ISC_SHA512_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+		EVP_MD_CTX_reset(context->ctx);
+#elif PKCS11CRYPTO
+		pk11_return_session(context);
+#else
+		isc_safe_memwipe(context, sizeof(*context));
+#endif
+	}
+	isc_safe_memwipe(digest, sizeof(digest));
+	return buffer;
+}
+
+char *
+isc_sha512_data(const uint8_t *data, size_t len,
+		char digest[ISC_SHA512_DIGESTSTRINGLENGTH])
+{
+	isc_sha512_t 	context;
+
+	isc_sha512_init(&context);
+	isc_sha512_update(&context, data, len);
+	return (isc_sha512_end(&context, digest));
+}
+
+char *
+isc_sha384_end(isc_sha384_t *context, char buffer[]) {
+	uint8_t	digest[ISC_SHA384_DIGESTLENGTH], *d = digest;
+	unsigned int	i;
+
+	/* Sanity check: */
+	REQUIRE(context != (isc_sha384_t *)0);
+
+	if (buffer != (char*)0) {
+		isc_sha384_final(digest, context);
+
+		for (i = 0; i < ISC_SHA384_DIGESTLENGTH; i++) {
+			*buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
+			*buffer++ = sha2_hex_digits[*d & 0x0f];
+			d++;
+		}
+		*buffer = (char)0;
+	} else {
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+		EVP_MD_CTX_reset(context->ctx);
+#elif PKCS11CRYPTO
+		pk11_return_session(context);
+#else
+		isc_safe_memwipe(context, sizeof(*context));
+#endif
+	}
+	isc_safe_memwipe(digest, sizeof(digest));
+	return buffer;
+}
+
+char *
+isc_sha384_data(const uint8_t *data, size_t len,
+		char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
+{
+	isc_sha384_t context;
+
+	isc_sha384_init(&context);
+	isc_sha384_update(&context, data, len);
+	return (isc_sha384_end(&context, digest));
+}
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
new file mode 100644
index 0000000..6a97e69
--- /dev/null
+++ b/lib/isc/sockaddr.c
@@ -0,0 +1,507 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/msgs.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+bool
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
+					   ISC_SOCKADDR_CMPPORT|
+					   ISC_SOCKADDR_CMPSCOPE));
+}
+
+bool
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+	return (isc_sockaddr_compare(a, b, ISC_SOCKADDR_CMPADDR|
+					   ISC_SOCKADDR_CMPSCOPE));
+}
+
+bool
+isc_sockaddr_compare(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+		     unsigned int flags)
+{
+	REQUIRE(a != NULL && b != NULL);
+
+	if (a->length != b->length)
+		return (false);
+
+	/*
+	 * We don't just memcmp because the sin_zero field isn't always
+	 * zero.
+	 */
+
+	if (a->type.sa.sa_family != b->type.sa.sa_family)
+		return (false);
+	switch (a->type.sa.sa_family) {
+	case AF_INET:
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
+			   sizeof(a->type.sin.sin_addr)) != 0)
+			return (false);
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin.sin_port != b->type.sin.sin_port)
+			return (false);
+		break;
+	case AF_INET6:
+		if ((flags & ISC_SOCKADDR_CMPADDR) != 0 &&
+		    memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
+			   sizeof(a->type.sin6.sin6_addr)) != 0)
+			return (false);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		/*
+		 * If ISC_SOCKADDR_CMPSCOPEZERO is set then don't return
+		 * false if one of the scopes in zero.
+		 */
+		if ((flags & ISC_SOCKADDR_CMPSCOPE) != 0 &&
+		    a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id &&
+		    ((flags & ISC_SOCKADDR_CMPSCOPEZERO) == 0 ||
+		      (a->type.sin6.sin6_scope_id != 0 &&
+		       b->type.sin6.sin6_scope_id != 0)))
+			return (false);
+#endif
+		if ((flags & ISC_SOCKADDR_CMPPORT) != 0 &&
+		    a->type.sin6.sin6_port != b->type.sin6.sin6_port)
+			return (false);
+		break;
+	default:
+		if (memcmp(&a->type, &b->type, a->length) != 0)
+			return (false);
+	}
+	return (true);
+}
+
+bool
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+			  unsigned int prefixlen)
+{
+	isc_netaddr_t na, nb;
+	isc_netaddr_fromsockaddr(&na, a);
+	isc_netaddr_fromsockaddr(&nb, b);
+	return (isc_netaddr_eqprefix(&na, &nb, prefixlen));
+}
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	char pbuf[sizeof("65000")];
+	unsigned int plen;
+	isc_region_t avail;
+
+	REQUIRE(sockaddr != NULL);
+
+	/*
+	 * Do the port first, giving us the opportunity to check for
+	 * unsupported address families before calling
+	 * isc_netaddr_fromsockaddr().
+	 */
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin.sin_port));
+		break;
+	case AF_INET6:
+		snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
+		break;
+#ifdef ISC_PLAFORM_HAVESYSUNH
+	case AF_UNIX:
+		plen = strlen(sockaddr->type.sunix.sun_path);
+		if (plen >= isc_buffer_availablelength(target))
+			return (ISC_R_NOSPACE);
+
+		isc_buffer_putmem(target, sockaddr->type.sunix.sun_path, plen);
+
+		/*
+		 * Null terminate after used region.
+		 */
+		isc_buffer_availableregion(target, &avail);
+		INSIST(avail.length >= 1);
+		avail.base[0] = '\0';
+
+		return (ISC_R_SUCCESS);
+#endif
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	plen = strlen(pbuf);
+	INSIST(plen < sizeof(pbuf));
+
+	isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+	result = isc_netaddr_totext(&netaddr, target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (1 + plen + 1 > isc_buffer_availablelength(target))
+		return (ISC_R_NOSPACE);
+
+	isc_buffer_putmem(target, (const unsigned char *)"#", 1);
+	isc_buffer_putmem(target, (const unsigned char *)pbuf, plen);
+
+	/*
+	 * Null terminate after used region.
+	 */
+	isc_buffer_availableregion(target, &avail);
+	INSIST(avail.length >= 1);
+	avail.base[0] = '\0';
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
+	isc_result_t result;
+	isc_buffer_t buf;
+
+	if (size == 0U)
+		return;
+
+	isc_buffer_init(&buf, array, size);
+	result = isc_sockaddr_totext(sa, &buf);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * The message is the same as in netaddr.c.
+		 */
+		snprintf(array, size,
+			 isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
+					ISC_MSG_UNKNOWNADDR,
+					"<unknown address, family %u>"),
+			 sa->type.sa.sa_family);
+		array[size - 1] = '\0';
+	}
+}
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, bool address_only) {
+	unsigned int length = 0;
+	const unsigned char *s = NULL;
+	unsigned int h = 0;
+	unsigned int p = 0;
+	const struct in6_addr *in6;
+
+	REQUIRE(sockaddr != NULL);
+
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
+		p = ntohs(sockaddr->type.sin.sin_port);
+		length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+		break;
+	case AF_INET6:
+		in6 = &sockaddr->type.sin6.sin6_addr;
+		s = (const unsigned char *)in6;
+		if (IN6_IS_ADDR_V4MAPPED(in6)) {
+			s += 12;
+			length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+		} else
+			length = sizeof(sockaddr->type.sin6.sin6_addr);
+		p = ntohs(sockaddr->type.sin6.sin6_port);
+		break;
+	default:
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_SOCKADDR,
+						ISC_MSG_UNKNOWNFAMILY,
+						"unknown address family: %d"),
+					     (int)sockaddr->type.sa.sa_family);
+		s = (const unsigned char *)&sockaddr->type;
+		length = sockaddr->length;
+		p = 0;
+	}
+
+	h = isc_hash_function(s, length, true, NULL);
+	if (!address_only)
+		h = isc_hash_function(&p, sizeof(p), true, &h);
+
+	return (h);
+}
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = AF_INET;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+	sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
+	sockaddr->type.sin.sin_port = 0;
+	sockaddr->length = sizeof(sockaddr->type.sin);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+	sockaddr->type.sin6.sin6_addr = in6addr_any;
+	sockaddr->type.sin6.sin6_port = 0;
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		    in_port_t port)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = AF_INET;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+	sockaddr->type.sin.sin_addr = *ina;
+	sockaddr->type.sin.sin_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int pf) {
+     switch (pf) {
+     case AF_INET:
+	     isc_sockaddr_any(sockaddr);
+	     break;
+     case AF_INET6:
+	     isc_sockaddr_any6(sockaddr);
+	     break;
+     default:
+	     INSIST(0);
+     }
+}
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+		     in_port_t port)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+	sockaddr->type.sin6.sin6_addr = *ina6;
+	sockaddr->type.sin6.sin6_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+		      in_port_t port)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+	sockaddr->type.sin6.sin6_addr.s6_addr[10] = 0xff;
+	sockaddr->type.sin6.sin6_addr.s6_addr[11] = 0xff;
+	memmove(&sockaddr->type.sin6.sin6_addr.s6_addr[12], ina, 4);
+	sockaddr->type.sin6.sin6_port = htons(port);
+	sockaddr->length = sizeof(sockaddr->type.sin6);
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) {
+
+	/*
+	 * Get the protocol family of 'sockaddr'.
+	 */
+
+#if (AF_INET == PF_INET && AF_INET6 == PF_INET6)
+	/*
+	 * Assume that PF_xxx == AF_xxx for all AF and PF.
+	 */
+	return (sockaddr->type.sa.sa_family);
+#else
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		return (PF_INET);
+	case AF_INET6:
+		return (PF_INET6);
+	default:
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+					   ISC_MSG_UNKNOWNFAMILY,
+					   "unknown address family: %d"),
+			    (int)sockaddr->type.sa.sa_family);
+	}
+#endif
+}
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+			 in_port_t port)
+{
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->type.sin.sin_family = na->family;
+	switch (na->family) {
+	case AF_INET:
+		sockaddr->length = sizeof(sockaddr->type.sin);
+#ifdef ISC_PLATFORM_HAVESALEN
+		sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+		sockaddr->type.sin.sin_addr = na->type.in;
+		sockaddr->type.sin.sin_port = htons(port);
+		break;
+	case AF_INET6:
+		sockaddr->length = sizeof(sockaddr->type.sin6);
+#ifdef ISC_PLATFORM_HAVESALEN
+		sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+		memmove(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
+#endif
+		sockaddr->type.sin6.sin6_port = htons(port);
+		break;
+	default:
+		INSIST(0);
+	}
+	ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		sockaddr->type.sin.sin_port = htons(port);
+		break;
+	case AF_INET6:
+		sockaddr->type.sin6.sin6_port = htons(port);
+		break;
+	default:
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+					   ISC_MSG_UNKNOWNFAMILY,
+					   "unknown address family: %d"),
+			    (int)sockaddr->type.sa.sa_family);
+	}
+}
+
+in_port_t
+isc_sockaddr_getport(const isc_sockaddr_t *sockaddr) {
+	in_port_t port = 0;
+
+	switch (sockaddr->type.sa.sa_family) {
+	case AF_INET:
+		port = ntohs(sockaddr->type.sin.sin_port);
+		break;
+	case AF_INET6:
+		port = ntohs(sockaddr->type.sin6.sin6_port);
+		break;
+	default:
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+					   ISC_MSG_UNKNOWNFAMILY,
+					   "unknown address family: %d"),
+			    (int)sockaddr->type.sa.sa_family);
+	}
+
+	return (port);
+}
+
+bool
+isc_sockaddr_ismulticast(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET ||
+	    sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_ismulticast(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_isexperimental(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_isexperimental(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_issitelocal(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_issitelocal(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_islinklocal(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET6) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_islinklocal(&netaddr));
+	}
+	return (false);
+}
+
+bool
+isc_sockaddr_isnetzero(const isc_sockaddr_t *sockaddr) {
+	isc_netaddr_t netaddr;
+
+	if (sockaddr->type.sa.sa_family == AF_INET) {
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+		return (isc_netaddr_isnetzero(&netaddr));
+	}
+	return (false);
+}
+
+isc_result_t
+isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	if (strlen(path) >= sizeof(sockaddr->type.sunix.sun_path))
+		return (ISC_R_NOSPACE);
+	memset(sockaddr, 0, sizeof(*sockaddr));
+	sockaddr->length = sizeof(sockaddr->type.sunix);
+	sockaddr->type.sunix.sun_family = AF_UNIX;
+#ifdef ISC_PLATFORM_HAVESALEN
+	sockaddr->type.sunix.sun_len =
+			(unsigned char)sizeof(sockaddr->type.sunix);
+#endif
+	strlcpy(sockaddr->type.sunix.sun_path, path,
+		sizeof(sockaddr->type.sunix.sun_path));
+	return (ISC_R_SUCCESS);
+#else
+	UNUSED(sockaddr);
+	UNUSED(path);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
diff --git a/lib/isc/socket_api.c b/lib/isc/socket_api.c
new file mode 100644
index 0000000..5de98a9
--- /dev/null
+++ b/lib/isc/socket_api.c
@@ -0,0 +1,400 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/socket.h>
+#include <isc/util.h>
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_socketmgrcreatefunc_t socketmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_register(isc_socketmgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (socketmgr_createfunc == NULL)
+		socketmgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			  isc_socketmgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(socketmgr_createfunc != NULL);
+	result = (*socketmgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_setsocketmgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	isc_result_t result;
+
+	if (isc_bind9)
+		return (isc__socketmgr_create(mctx, managerp));
+
+	LOCK(&createlock);
+
+	REQUIRE(socketmgr_createfunc != NULL);
+	result = (*socketmgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+	REQUIRE(managerp != NULL && ISCAPI_SOCKETMGR_VALID(*managerp));
+
+	if (isc_bind9)
+		isc__socketmgr_destroy(managerp);
+	else
+		(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		  isc_socket_t **socketp)
+{
+	REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
+
+	if (isc_bind9)
+		return (isc__socket_create(manager, pf, type, socketp));
+
+	return (manager->methods->socketcreate(manager, pf, type, socketp));
+}
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	if (isc_bind9)
+		isc__socket_attach(sock, socketp);
+	else
+		sock->methods->attach(sock, socketp);
+
+	ENSURE(*socketp == sock);
+}
+
+void
+isc_socket_detach(isc_socket_t **socketp) {
+	REQUIRE(socketp != NULL && ISCAPI_SOCKET_VALID(*socketp));
+
+	if (isc_bind9)
+		isc__socket_detach(socketp);
+	else
+		(*socketp)->methods->detach(socketp);
+
+	ENSURE(*socketp == NULL);
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		unsigned int options)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_bind(sock, sockaddr, options));
+
+	return (sock->methods->bind(sock, sockaddr, options));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region, isc_task_t *task,
+		  isc_taskaction_t action, void *arg,
+		  isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_sendto(sock, region, task,
+					   action, arg, address, pktinfo));
+
+	return (sock->methods->sendto(sock, region, task, action, arg, address,
+				      pktinfo));
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr, isc_task_t *task,
+		   isc_taskaction_t action, void *arg)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_connect(sock, addr, task, action, arg));
+
+	return (sock->methods->connect(sock, addr, task, action, arg));
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+		isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_recv(sock, region, minimum,
+					 task, action, arg));
+
+	return (sock->methods->recv(sock, region, minimum, task, action, arg));
+}
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		isc__socket_cancel(sock, task, how);
+	else
+		sock->methods->cancel(sock, task, how);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_getsockname(sock, addressp));
+
+	return (sock->methods->getsockname(sock, addressp));
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, bool yes) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		isc__socket_ipv6only(sock, yes);
+	else
+		sock->methods->ipv6only(sock, yes);
+}
+
+void
+isc_socket_dscp(isc_socket_t *sock, isc_dscp_t dscp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	sock->methods->dscp(sock, dscp);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_gettype(sock));
+
+	return (sock->methods->gettype(sock));
+}
+
+void
+isc_socket_setname(isc_socket_t *sock, const char *name, void *tag) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	UNUSED(sock);		/* in case REQUIRE() is empty */
+	UNUSED(name);
+	UNUSED(tag);
+}
+
+isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+			 isc_sockfdwatch_t callback, void *cbarg,
+			 isc_task_t *task, isc_socket_t **socketp)
+{
+	REQUIRE(ISCAPI_SOCKETMGR_VALID(manager));
+
+	if (isc_bind9)
+		return (isc__socket_fdwatchcreate(manager, fd, flags,
+						  callback, cbarg,
+						  task, socketp));
+
+	return (manager->methods->fdwatchcreate(manager, fd, flags,
+						callback, cbarg, task,
+						socketp));
+}
+
+isc_result_t
+isc_socket_fdwatchpoke(isc_socket_t *sock, int flags)
+{
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_fdwatchpoke(sock, flags));
+
+	return (sock->methods->fdwatchpoke(sock, flags));
+}
+
+isc_result_t
+isc_socket_dup(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	if (isc_bind9)
+		return (isc__socket_dup(sock, socketp));
+
+	return (sock->methods->dup(sock, socketp));
+}
+
+int
+isc_socket_getfd(isc_socket_t *sock) {
+	REQUIRE(ISCAPI_SOCKET_VALID(sock));
+
+	if (isc_bind9)
+		return (isc__socket_getfd(sock));
+
+	return (sock->methods->getfd(sock));
+}
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock) {
+	return (isc__socket_open(sock));
+}
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock) {
+	return (isc__socket_close(sock));
+}
+
+isc_result_t
+isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks)
+{
+	return (isc__socketmgr_create2(mctx, managerp, maxsocks));
+}
+
+isc_result_t
+isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, void *arg)
+{
+	return (isc__socket_recvv(sock, buflist, minimum, task, action, arg));
+}
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags)
+{
+	return (isc__socket_recv2(sock, region, minimum, task, event, flags));
+}
+
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	return (isc__socket_send(sock, region, task, action, arg));
+}
+
+isc_result_t
+isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	return (isc__socket_sendv(sock, buflist, task, action, arg));
+}
+
+isc_result_t
+isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	return (isc__socket_sendtov(sock, buflist, task, action, arg,
+				    address, pktinfo));
+}
+
+isc_result_t
+isc_socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    unsigned int flags)
+{
+	return (isc__socket_sendtov2(sock, buflist, task, action, arg,
+				     address, pktinfo, flags));
+}
+
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags)
+{
+	return (isc__socket_sendto2(sock, region, task, address, pktinfo,
+				    event, flags));
+}
+
+void
+isc_socket_cleanunix(isc_sockaddr_t *sockaddr, bool active) {
+	isc__socket_cleanunix(sockaddr, active);
+}
+
+isc_result_t
+isc_socket_permunix(isc_sockaddr_t *sockaddr, uint32_t perm,
+		     uint32_t owner, uint32_t group)
+{
+	return (isc__socket_permunix(sockaddr, perm, owner, group));
+}
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter) {
+	return (isc__socket_filter(sock, filter));
+}
+
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+	return (isc__socket_listen(sock, backlog));
+}
+
+isc_result_t
+isc_socket_accept(isc_socket_t *sock, isc_task_t *task,
+		   isc_taskaction_t action, void *arg)
+{
+	return (isc__socket_accept(sock, task, action, arg));
+}
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	return (isc__socket_getpeername(sock, addressp));
+}
diff --git a/lib/isc/sparc64/Makefile.in b/lib/isc/sparc64/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/sparc64/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/sparc64/include/Makefile.in b/lib/isc/sparc64/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/sparc64/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/sparc64/include/isc/Makefile.in b/lib/isc/sparc64/include/isc/Makefile.in
new file mode 100644
index 0000000..6075633
--- /dev/null
+++ b/lib/isc/sparc64/include/isc/Makefile.in
@@ -0,0 +1,29 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
diff --git a/lib/isc/sparc64/include/isc/atomic.h b/lib/isc/sparc64/include/isc/atomic.h
new file mode 100644
index 0000000..21ec67e
--- /dev/null
+++ b/lib/isc/sparc64/include/isc/atomic.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This code was written based on FreeBSD's kernel source whose copyright
+ * follows:
+ */
+
+/*-
+ * Copyright (c) 1998 Doug Rabson.
+ * Copyright (c) 2001 Jake Burkholder.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	from: FreeBSD: src/sys/i386/include/atomic.h,v 1.20 2001/02/11
+ * $FreeBSD: src/sys/sparc64/include/atomic.h,v 1.8 2004/05/22 00:52:16 marius Exp $
+ */
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#define	ASI_P	0x80		/* Primary Address Space Identifier */
+
+#ifdef ISC_PLATFORM_USEGCCASM
+
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static inline int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	int32_t prev, swapped;
+
+	for (prev = *(volatile int32_t *)p; ; prev = swapped) {
+		swapped = prev + val;
+		__asm__ volatile(
+			"casa [%2] %3, %4, %0"
+			: "+r"(swapped), "=m"(*p)
+			: "r"(p), "n"(ASI_P), "r"(prev), "m"(*p));
+		if (swapped == prev)
+			break;
+	}
+
+	return (prev);
+}
+
+/*
+ * This routine atomically stores the value 'val' in 'p'.
+ */
+static inline void
+isc_atomic_store(int32_t *p, int32_t val) {
+	int32_t prev, swapped;
+
+	for (prev = *(volatile int32_t *)p; ; prev = swapped) {
+		swapped = val;
+		__asm__ volatile(
+			"casa [%2] %3, %4, %0"
+			: "+r"(swapped), "=m"(*p)
+			: "r"(p), "n"(ASI_P), "r"(prev), "m"(*p));
+		if (swapped == prev)
+			break;
+	}
+}
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	int32_t temp = val;
+
+	__asm__ volatile(
+		"casa [%2] %3, %4, %0"
+		: "+r"(temp), "=m"(*p)
+		: "r"(p), "n"(ASI_P), "r"(cmpval), "m"(*p));
+
+	return (temp);
+}
+
+#else  /* ISC_PLATFORM_USEGCCASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif /* ISC_PLATFORM_USEGCCASM */
+
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/stats.c b/lib/isc/stats.c
new file mode 100644
index 0000000..196099e
--- /dev/null
+++ b/lib/isc/stats.c
@@ -0,0 +1,454 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#if defined(__cplusplus)
+#include <isc/stdatomic.h>
+#else
+#include <stdatomic.h>
+#endif
+#endif
+
+#define ISC_STATS_MAGIC			ISC_MAGIC('S', 't', 'a', 't')
+#define ISC_STATS_VALID(x)		ISC_MAGIC_VALID(x, ISC_STATS_MAGIC)
+
+/*%
+ * Local macro confirming prescence of 64-bit
+ * increment and store operations, just to make
+ * the later macros simpler
+ */
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE)) || \
+	(defined(ISC_PLATFORM_HAVEXADDQ) && defined(ISC_PLATFORM_HAVEATOMICSTOREQ))
+#define ISC_STATS_HAVEATOMICQ 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE))
+#define ISC_STATS_HAVESTDATOMICQ 1
+#endif
+#else
+#define ISC_STATS_HAVEATOMICQ 0
+#endif
+
+/*%
+ * Only lock the counters if 64-bit atomic operations are
+ * not available but cheap atomic lock operations are.
+ * On a modern 64-bit system this should never be the case.
+ *
+ * Normal locks are too expensive to be used whenever a counter
+ * is updated.
+ */
+#if !ISC_STATS_HAVEATOMICQ && defined(ISC_RWLOCK_HAVEATOMIC)
+#define ISC_STATS_LOCKCOUNTERS 1
+#else
+#define ISC_STATS_LOCKCOUNTERS 0
+#endif
+
+/*%
+ * If 64-bit atomic operations are not available but
+ * 32-bit operations are then split the counter into two,
+ * using the atomic operations to try to ensure that any carry
+ * from the low word is correctly carried into the high word.
+ *
+ * Otherwise, just rely on standard 64-bit data types
+ * and operations
+ */
+#if !ISC_STATS_HAVEATOMICQ && ((defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD))
+#define ISC_STATS_USEMULTIFIELDS 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_STATS_HAVESTDATOMIC 1
+#endif
+#else
+#define ISC_STATS_USEMULTIFIELDS 0
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+typedef struct {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	atomic_int_fast32_t hi;
+	atomic_int_fast32_t lo;
+#else
+	uint32_t hi;
+	uint32_t lo;
+#endif
+} isc_stat_t;
+#else
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+typedef atomic_int_fast64_t isc_stat_t;
+#else
+typedef uint64_t isc_stat_t;
+#endif
+#endif
+
+struct isc_stats {
+	/*% Unlocked */
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	int		ncounters;
+
+	isc_mutex_t	lock;
+	unsigned int	references; /* locked by lock */
+
+	/*%
+	 * Locked by counterlock or unlocked if efficient rwlock is not
+	 * available.
+	 */
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_t	counterlock;
+#endif
+	isc_stat_t	*counters;
+
+	/*%
+	 * We don't want to lock the counters while we are dumping, so we first
+	 * copy the current counter values into a local array.  This buffer
+	 * will be used as the copy destination.  It's allocated on creation
+	 * of the stats structure so that the dump operation won't fail due
+	 * to memory allocation failure.
+	 * XXX: this approach is weird for non-threaded build because the
+	 * additional memory and the copy overhead could be avoided.  We prefer
+	 * simplicity here, however, under the assumption that this function
+	 * should be only rarely called.
+	 */
+	uint64_t	*copiedcounters;
+};
+
+static isc_result_t
+create_stats(isc_mem_t *mctx, int ncounters, isc_stats_t **statsp) {
+	isc_stats_t *stats;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	if (stats == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&stats->lock);
+	if (result != ISC_R_SUCCESS)
+		goto clean_stats;
+
+	stats->counters = isc_mem_get(mctx, sizeof(isc_stat_t) * ncounters);
+	if (stats->counters == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto clean_mutex;
+	}
+	stats->copiedcounters = isc_mem_get(mctx,
+					    sizeof(uint64_t) * ncounters);
+	if (stats->copiedcounters == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto clean_counters;
+	}
+
+#if ISC_STATS_LOCKCOUNTERS
+	result = isc_rwlock_init(&stats->counterlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto clean_copiedcounters;
+#endif
+
+	stats->references = 1;
+	memset(stats->counters, 0, sizeof(isc_stat_t) * ncounters);
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	stats->ncounters = ncounters;
+	stats->magic = ISC_STATS_MAGIC;
+
+	*statsp = stats;
+
+	return (result);
+
+clean_counters:
+	isc_mem_put(mctx, stats->counters, sizeof(isc_stat_t) * ncounters);
+
+#if ISC_STATS_LOCKCOUNTERS
+clean_copiedcounters:
+	isc_mem_put(mctx, stats->copiedcounters,
+		    sizeof(isc_stat_t) * ncounters);
+#endif
+
+clean_mutex:
+	DESTROYLOCK(&stats->lock);
+
+clean_stats:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	LOCK(&stats->lock);
+	stats->references++;
+	UNLOCK(&stats->lock);
+
+	*statsp = stats;
+}
+
+void
+isc_stats_detach(isc_stats_t **statsp) {
+	isc_stats_t *stats;
+
+	REQUIRE(statsp != NULL && ISC_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	LOCK(&stats->lock);
+	stats->references--;
+
+	if (stats->references == 0) {
+		isc_mem_put(stats->mctx, stats->copiedcounters,
+			    sizeof(isc_stat_t) * stats->ncounters);
+		isc_mem_put(stats->mctx, stats->counters,
+			    sizeof(isc_stat_t) * stats->ncounters);
+		UNLOCK(&stats->lock);
+		DESTROYLOCK(&stats->lock);
+#if ISC_STATS_LOCKCOUNTERS
+		isc_rwlock_destroy(&stats->counterlock);
+#endif
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+		return;
+	}
+
+	UNLOCK(&stats->lock);
+}
+
+int
+isc_stats_ncounters(isc_stats_t *stats) {
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	return (stats->ncounters);
+}
+
+static inline void
+incrementcounter(isc_stats_t *stats, int counter) {
+	int32_t prev;
+
+#if ISC_STATS_LOCKCOUNTERS
+	/*
+	 * We use a "read" lock to prevent other threads from reading the
+	 * counter while we "writing" a counter field.  The write access itself
+	 * is protected by the atomic operation.
+	 */
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	prev = atomic_fetch_add_explicit(&stats->counters[counter].lo, 1,
+					 memory_order_relaxed);
+#else
+	prev = isc_atomic_xadd((int32_t *)&stats->counters[counter].lo, 1);
+#endif
+	/*
+	 * If the lower 32-bit field overflows, increment the higher field.
+	 * Note that it's *theoretically* possible that the lower field
+	 * overlaps again before the higher field is incremented.  It doesn't
+	 * matter, however, because we don't read the value until
+	 * isc_stats_copy() is called where the whole process is protected
+	 * by the write (exclusive) lock.
+	 */
+	if (prev == (int32_t)0xffffffff) {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+		atomic_fetch_add_explicit(&stats->counters[counter].hi, 1,
+					  memory_order_relaxed);
+#else
+		isc_atomic_xadd((int32_t *)&stats->counters[counter].hi, 1);
+#endif
+	}
+#elif ISC_STATS_HAVEATOMICQ
+	UNUSED(prev);
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_fetch_add_explicit(&stats->counters[counter], 1,
+				  memory_order_relaxed);
+#else
+	isc_atomic_xaddq((int64_t *)&stats->counters[counter], 1);
+#endif
+#else
+	UNUSED(prev);
+	stats->counters[counter]++;
+#endif
+
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+}
+
+static inline void
+decrementcounter(isc_stats_t *stats, int counter) {
+	int32_t prev;
+
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	prev = atomic_fetch_sub_explicit(&stats->counters[counter].lo, 1,
+					 memory_order_relaxed);
+#else
+	prev = isc_atomic_xadd((int32_t *)&stats->counters[counter].lo, -1);
+#endif
+	if (prev == 0) {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+		atomic_fetch_sub_explicit(&stats->counters[counter].hi, 1,
+					  memory_order_relaxed);
+#else
+		isc_atomic_xadd((int32_t *)&stats->counters[counter].hi,
+				-1);
+#endif
+	}
+#elif ISC_STATS_HAVEATOMICQ
+	UNUSED(prev);
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_fetch_sub_explicit(&stats->counters[counter], 1,
+				  memory_order_relaxed);
+#else
+	isc_atomic_xaddq((int64_t *)&stats->counters[counter], -1);
+#endif
+#else
+	UNUSED(prev);
+	stats->counters[counter]--;
+#endif
+
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+}
+
+static void
+copy_counters(isc_stats_t *stats) {
+	int i;
+
+#if ISC_STATS_LOCKCOUNTERS
+	/*
+	 * We use a "write" lock before "reading" the statistics counters as
+	 * an exclusive lock.
+	 */
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+
+	for (i = 0; i < stats->ncounters; i++) {
+#if ISC_STATS_USEMULTIFIELDS
+		stats->copiedcounters[i] =
+			(uint64_t)(stats->counters[i].hi) << 32 |
+			stats->counters[i].lo;
+#elif ISC_STATS_HAVEATOMICQ
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+		stats->copiedcounters[i] =
+			atomic_load_explicit(&stats->counters[i],
+					     memory_order_relaxed);
+#else
+		/* use xaddq(..., 0) as an atomic load */
+		stats->copiedcounters[i] =
+			(uint64_t)isc_atomic_xaddq((int64_t *)&stats->counters[i], 0);
+#endif
+#else
+		stats->copiedcounters[i] = stats->counters[i];
+#endif
+	}
+
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, ncounters, statsp));
+}
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	incrementcounter(stats, (int)counter);
+}
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	decrementcounter(stats, (int)counter);
+}
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn,
+	       void *arg, unsigned int options)
+{
+	int i;
+
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	copy_counters(stats);
+
+	for (i = 0; i < stats->ncounters; i++) {
+		if ((options & ISC_STATSDUMP_VERBOSE) == 0 &&
+		    stats->copiedcounters[i] == 0)
+				continue;
+		dump_fn((isc_statscounter_t)i, stats->copiedcounters[i], arg);
+	}
+}
+
+void
+isc_stats_set(isc_stats_t *stats, uint64_t val,
+	      isc_statscounter_t counter)
+{
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+#if ISC_STATS_LOCKCOUNTERS
+	/*
+	 * We use a "write" lock before "reading" the statistics counters as
+	 * an exclusive lock.
+	 */
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+	stats->counters[counter].hi = (uint32_t)((val >> 32) & 0xffffffff);
+	stats->counters[counter].lo = (uint32_t)(val & 0xffffffff);
+#elif ISC_STATS_HAVEATOMICQ
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_store_explicit(&stats->counters[counter], val,
+			      memory_order_relaxed);
+#else
+	isc_atomic_storeq((int64_t *)&stats->counters[counter], val);
+#endif
+#else
+	stats->counters[counter] = val;
+#endif
+
+#if ISC_STATS_LOCKCOUNTERS
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+}
diff --git a/lib/isc/string.c b/lib/isc/string.c
new file mode 100644
index 0000000..6728cfb
--- /dev/null
+++ b/lib/isc/string.c
@@ -0,0 +1,313 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+static const char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
+
+uint64_t
+isc_string_touint64(char *source, char **end, int base) {
+	uint64_t tmp;
+	uint64_t overflow;
+	char *s = source;
+	const char *o;
+	char c;
+
+	if ((base < 0) || (base == 1) || (base > 36)) {
+		*end = source;
+		return (0);
+	}
+
+	while (*s != 0 && isascii(*s&0xff) && isspace(*s&0xff))
+		s++;
+	if (*s == '+' /* || *s == '-' */)
+		s++;
+	if (base == 0) {
+		if (*s == '0' && (*(s+1) == 'X' || *(s+1) == 'x')) {
+			s += 2;
+			base = 16;
+		} else if (*s == '0')
+			base = 8;
+		else
+			base = 10;
+	}
+	if (*s == 0) {
+		*end = source;
+		return (0);
+	}
+	overflow = ~0;
+	overflow /= base;
+	tmp = 0;
+
+	while ((c = *s) != 0) {
+		c = tolower(c&0xff);
+		/* end ? */
+		if ((o = strchr(digits, c)) == NULL) {
+			*end = s;
+			return (tmp);
+		}
+		/* end ? */
+		if ((o - digits) >= base) {
+			*end = s;
+			return (tmp);
+		}
+		/* overflow ? */
+		if (tmp > overflow) {
+			*end = source;
+			return (0);
+		}
+		tmp *= base;
+		/* overflow ? */
+		if ((tmp + (o - digits)) < tmp) {
+			*end = source;
+			return (0);
+		}
+		tmp += o - digits;
+		s++;
+	}
+	*end = s;
+	return (tmp);
+}
+
+isc_result_t
+isc_string_copy(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+
+	if (strlcpy(target, source, size) >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_copy_truncate(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+
+	strlcpy(target, source, size);
+
+	ENSURE(strlen(target) < size);
+}
+
+isc_result_t
+isc_string_append(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+	REQUIRE(strlen(target) < size);
+
+	if (strlcat(target, source, size) >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_append_truncate(char *target, size_t size, const char *source) {
+	REQUIRE(size > 0U);
+	REQUIRE(strlen(target) < size);
+
+	strlcat(target, source, size);
+
+	ENSURE(strlen(target) < size);
+}
+
+isc_result_t
+isc_string_printf(char *target, size_t size, const char *format, ...) {
+	va_list args;
+	size_t n;
+
+	REQUIRE(size > 0U);
+
+	va_start(args, format);
+	n = vsnprintf(target, size, format, args);
+	va_end(args);
+
+	if (n >= size) {
+		memset(target, ISC_STRING_MAGIC, size);
+		return (ISC_R_NOSPACE);
+	}
+
+	ENSURE(strlen(target) < size);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_string_printf_truncate(char *target, size_t size, const char *format, ...)
+{
+	va_list args;
+
+	REQUIRE(size > 0U);
+
+	va_start(args, format);
+	/* check return code? */
+	(void)vsnprintf(target, size, format, args);
+	va_end(args);
+
+	ENSURE(strlen(target) < size);
+}
+
+char *
+isc_string_regiondup(isc_mem_t *mctx, const isc_region_t *source) {
+	char *target;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(source != NULL);
+
+	target = (char *) isc_mem_allocate(mctx, source->length + 1);
+	if (target != NULL) {
+		memmove(source->base, target, source->length);
+		target[source->length] = '\0';
+	}
+
+	return (target);
+}
+
+char *
+isc_string_separate(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (s = string; (sc = *s) != '\0'; s++)
+		for (d = delim; (dc = *d) != '\0'; d++)
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+	*stringp = NULL;
+	return (string);
+}
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size)
+{
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+
+	/* Copy as many bytes as will fit */
+	if (n != 0U && --n != 0U) {
+		do {
+			if ((*d++ = *s++) == 0)
+				break;
+		} while (--n != 0U);
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src */
+	if (n == 0U) {
+		if (size != 0U)
+			*d = '\0';		/* NUL-terminate dst */
+		while (*s++)
+			;
+	}
+
+	return(s - src - 1);	/* count does not include NUL */
+}
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size)
+{
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+	size_t dlen;
+
+	/* Find the end of dst and adjust bytes left but don't go past end */
+	while (n-- != 0U && *d != '\0')
+		d++;
+	dlen = d - dst;
+	n = size - dlen;
+
+	if (n == 0U)
+		return(dlen + strlen(s));
+	while (*s != '\0') {
+		if (n != 1U) {
+			*d++ = *s;
+			n--;
+		}
+		s++;
+	}
+	*d = '\0';
+
+	return(dlen + (s - src));	/* count does not include NUL */
+}
+
+char *
+isc_string_strcasestr(const char *str, const char *search) {
+	char c, sc, *s;
+	size_t len;
+
+	if ((c = *search++) != 0) {
+		c = tolower((unsigned char) c);
+		len = strlen(search);
+		do {
+			do {
+				if ((sc = *str++) == 0)
+					return (NULL);
+			} while ((char) tolower((unsigned char) sc) != c);
+		} while (strncasecmp(str, search, len) != 0);
+		str--;
+	}
+	DE_CONST(str, s);
+	return (s);
+
+}
diff --git a/lib/isc/strtoul.c b/lib/isc/strtoul.c
new file mode 100644
index 0000000..acc541a
--- /dev/null
+++ b/lib/isc/strtoul.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+/*! \file */
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include <limits.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+/*!
+ * Convert a string to an unsigned long integer.
+ *
+ * Ignores `locale' stuff.  Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+unsigned long
+isc_strtoul(const char *nptr, char **endptr, int base) {
+	const char *s = nptr;
+	unsigned long acc;
+	unsigned char c;
+	unsigned long cutoff;
+	int neg = 0, any, cutlim;
+
+	/*
+	 * See strtol for comments as to the logic used.
+	 */
+	do {
+		c = *s++;
+	} while (isspace(c));
+	if (c == '-') {
+		neg = 1;
+		c = *s++;
+	} else if (c == '+')
+		c = *s++;
+	if ((base == 0 || base == 16) &&
+	    c == '0' && (*s == 'x' || *s == 'X')) {
+		c = s[1];
+		s += 2;
+		base = 16;
+	}
+	if (base == 0)
+		base = c == '0' ? 8 : 10;
+	cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
+	cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
+	for (acc = 0, any = 0;; c = *s++) {
+		if (!isascii(c))
+			break;
+		if (isdigit(c))
+			c -= '0';
+		else if (isalpha(c))
+			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+		else
+			break;
+		if (c >= base)
+			break;
+		if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
+			any = -1;
+		else {
+			any = 1;
+			acc *= base;
+			acc += c;
+		}
+	}
+	if (any < 0) {
+		acc = ULONG_MAX;
+		errno = ERANGE;
+	} else if (neg)
+		acc = -acc;
+	if (endptr != 0)
+		DE_CONST(any ? s - 1 : nptr, *endptr);
+	return (acc);
+}
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
new file mode 100644
index 0000000..b6466d3
--- /dev/null
+++ b/lib/isc/symtab.c
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+typedef struct elt {
+	char *				key;
+	unsigned int			type;
+	isc_symvalue_t			value;
+	LINK(struct elt)		link;
+} elt_t;
+
+typedef LIST(elt_t)			eltlist_t;
+
+#define SYMTAB_MAGIC			ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st)		ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isc_symtab {
+	/* Unlocked. */
+	unsigned int			magic;
+	isc_mem_t *			mctx;
+	unsigned int			size;
+	unsigned int			count;
+	unsigned int			maxload;
+	eltlist_t *			table;
+	isc_symtabaction_t		undefine_action;
+	void *				undefine_arg;
+	bool			case_sensitive;
+};
+
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+		  isc_symtabaction_t undefine_action,
+		  void *undefine_arg,
+		  bool case_sensitive,
+		  isc_symtab_t **symtabp)
+{
+	isc_symtab_t *symtab;
+	unsigned int i;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(symtabp != NULL && *symtabp == NULL);
+	REQUIRE(size > 0);	/* Should be prime. */
+
+	symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof(*symtab));
+	if (symtab == NULL)
+		return (ISC_R_NOMEMORY);
+
+	symtab->mctx = NULL;
+	isc_mem_attach(mctx, &symtab->mctx);
+	symtab->table = (eltlist_t *)isc_mem_get(mctx,
+						 size * sizeof(eltlist_t));
+	if (symtab->table == NULL) {
+		isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab));
+		return (ISC_R_NOMEMORY);
+	}
+	for (i = 0; i < size; i++)
+		INIT_LIST(symtab->table[i]);
+	symtab->size = size;
+	symtab->count = 0;
+	symtab->maxload = size * 3 / 4;
+	symtab->undefine_action = undefine_action;
+	symtab->undefine_arg = undefine_arg;
+	symtab->case_sensitive = case_sensitive;
+	symtab->magic = SYMTAB_MAGIC;
+
+	*symtabp = symtab;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_symtab_destroy(isc_symtab_t **symtabp) {
+	isc_symtab_t *symtab;
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(symtabp != NULL);
+	symtab = *symtabp;
+	REQUIRE(VALID_SYMTAB(symtab));
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
+			nelt = NEXT(elt, link);
+			if (symtab->undefine_action != NULL)
+			       (symtab->undefine_action)(elt->key,
+							 elt->type,
+							 elt->value,
+							 symtab->undefine_arg);
+			isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+		}
+	}
+	isc_mem_put(symtab->mctx, symtab->table,
+		    symtab->size * sizeof(eltlist_t));
+	symtab->magic = 0;
+	isc_mem_putanddetach(&symtab->mctx, symtab, sizeof(*symtab));
+
+	*symtabp = NULL;
+}
+
+static inline unsigned int
+hash(const char *key, bool case_sensitive) {
+	const char *s;
+	unsigned int h = 0;
+	int c;
+
+	/*
+	 * This hash function is similar to the one Ousterhout
+	 * uses in Tcl.
+	 */
+
+	if (case_sensitive) {
+		for (s = key; *s != '\0'; s++) {
+			h += (h << 3) + *s;
+		}
+	} else {
+		for (s = key; *s != '\0'; s++) {
+			c = *s;
+			c = tolower((unsigned char)c);
+			h += (h << 3) + c;
+		}
+	}
+
+	return (h);
+}
+
+#define FIND(s, k, t, b, e) \
+	b = hash((k), (s)->case_sensitive) % (s)->size; \
+	if ((s)->case_sensitive) { \
+		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) && \
+			    strcmp(e->key, (k)) == 0) \
+				break; \
+		} \
+	} else { \
+		for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) && \
+			    strcasecmp(e->key, (k)) == 0) \
+				break; \
+		} \
+	}
+
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t *value)
+{
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (value != NULL)
+		*value = elt->value;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+grow_table(isc_symtab_t *symtab) {
+	eltlist_t *newtable;
+	unsigned int i, newsize, newmax;
+
+	REQUIRE(symtab != NULL);
+
+	newsize = symtab->size * 2;
+	newmax = newsize * 3 / 4;
+	INSIST(newsize > 0U && newmax > 0U);
+
+	newtable = isc_mem_get(symtab->mctx, newsize * sizeof(eltlist_t));
+	if (newtable == NULL)
+		return;
+
+	for (i = 0; i < newsize; i++)
+		INIT_LIST(newtable[i]);
+
+	for (i = 0; i < symtab->size; i++) {
+		elt_t *elt, *nelt;
+
+		for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
+			unsigned int hv;
+
+			nelt = NEXT(elt, link);
+
+			UNLINK(symtab->table[i], elt, link);
+			hv = hash(elt->key, symtab->case_sensitive);
+			APPEND(newtable[hv % newsize], elt, link);
+		}
+	}
+
+	isc_mem_put(symtab->mctx, symtab->table,
+		    symtab->size * sizeof(eltlist_t));
+
+	symtab->table = newtable;
+	symtab->size = newsize;
+	symtab->maxload = newmax;
+}
+
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+		  isc_symvalue_t value, isc_symexists_t exists_policy)
+{
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+	REQUIRE(type != 0);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (exists_policy != isc_symexists_add && elt != NULL) {
+		if (exists_policy == isc_symexists_reject)
+			return (ISC_R_EXISTS);
+		INSIST(exists_policy == isc_symexists_replace);
+		UNLINK(symtab->table[bucket], elt, link);
+		if (symtab->undefine_action != NULL)
+			(symtab->undefine_action)(elt->key, elt->type,
+						  elt->value,
+						  symtab->undefine_arg);
+	} else {
+		elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof(*elt));
+		if (elt == NULL)
+			return (ISC_R_NOMEMORY);
+		ISC_LINK_INIT(elt, link);
+		symtab->count++;
+	}
+
+	/*
+	 * Though the "key" can be const coming in, it is not stored as const
+	 * so that the calling program can easily have writable access to
+	 * it in its undefine_action function.  In the event that it *was*
+	 * truly const coming in and then the caller modified it anyway ...
+	 * well, don't do that!
+	 */
+	DE_CONST(key, elt->key);
+	elt->type = type;
+	elt->value = value;
+
+	/*
+	 * We prepend so that the most recent definition will be found.
+	 */
+	PREPEND(symtab->table[bucket], elt, link);
+
+	if (symtab->count > symtab->maxload)
+		grow_table(symtab);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (symtab->undefine_action != NULL)
+		(symtab->undefine_action)(elt->key, elt->type,
+					  elt->value, symtab->undefine_arg);
+	UNLINK(symtab->table[bucket], elt, link);
+	isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+	symtab->count--;
+
+	return (ISC_R_SUCCESS);
+}
+
+unsigned int
+isc_symtab_count(isc_symtab_t *symtab) {
+	REQUIRE(VALID_SYMTAB(symtab));
+	return (symtab->count);
+}
diff --git a/lib/isc/task.c b/lib/isc/task.c
new file mode 100644
index 0000000..f9f1eed
--- /dev/null
+++ b/lib/isc/task.c
@@ -0,0 +1,2327 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/*
+ * XXXRTH  Need to document the states a task can be in, and the rules
+ * for changing states.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/event.h>
+#include <isc/json.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/util.h>
+#include <isc/xml.h>
+
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
+/*%
+ * For BIND9 internal applications:
+ * when built with threads we use multiple worker threads shared by the whole
+ * application.
+ * when built without threads we share a single global task manager and use
+ * an integrated event loop for socket, timer, and other generic task events.
+ * For generic library:
+ * we don't use either of them: an application can have multiple task managers
+ * whether or not it's threaded, and if the application is threaded each thread
+ * is expected to have a separate manager; no "worker threads" are shared by
+ * the application threads.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WORKER_THREADS
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+
+#include "task_p.h"
+
+#ifdef ISC_TASK_TRACE
+#define XTRACE(m)		fprintf(stderr, "task %p thread %lu: %s\n", \
+				       task, isc_thread_self(), (m))
+#define XTTRACE(t, m)		fprintf(stderr, "task %p thread %lu: %s\n", \
+				       (t), isc_thread_self(), (m))
+#define XTHREADTRACE(m)		fprintf(stderr, "thread %lu: %s\n", \
+				       isc_thread_self(), (m))
+#else
+#define XTRACE(m)
+#define XTTRACE(t, m)
+#define XTHREADTRACE(m)
+#endif
+
+/***
+ *** Types.
+ ***/
+
+typedef enum {
+	task_state_idle, task_state_ready, task_state_running,
+	task_state_done
+} task_state_t;
+
+#if defined(HAVE_LIBXML2) || defined(HAVE_JSON)
+static const char *statenames[] = {
+	"idle", "ready", "running", "done",
+};
+#endif
+
+#define TASK_MAGIC			ISC_MAGIC('T', 'A', 'S', 'K')
+#define VALID_TASK(t)			ISC_MAGIC_VALID(t, TASK_MAGIC)
+
+typedef struct isc__task isc__task_t;
+typedef struct isc__taskmgr isc__taskmgr_t;
+
+struct isc__task {
+	/* Not locked. */
+	isc_task_t			common;
+	isc__taskmgr_t *		manager;
+	isc_mutex_t			lock;
+	/* Locked by task lock. */
+	task_state_t			state;
+	unsigned int			references;
+	isc_eventlist_t			events;
+	isc_eventlist_t			on_shutdown;
+	unsigned int			nevents;
+	unsigned int			quantum;
+	unsigned int			flags;
+	isc_stdtime_t			now;
+	isc_time_t			tnow;
+	char				name[16];
+	void *				tag;
+	/* Locked by task manager lock. */
+	LINK(isc__task_t)		link;
+	LINK(isc__task_t)		ready_link;
+	LINK(isc__task_t)		ready_priority_link;
+};
+
+#define TASK_F_SHUTTINGDOWN		0x01
+#define TASK_F_PRIVILEGED		0x02
+
+#define TASK_SHUTTINGDOWN(t)		(((t)->flags & TASK_F_SHUTTINGDOWN) \
+					 != 0)
+
+#define TASK_MANAGER_MAGIC		ISC_MAGIC('T', 'S', 'K', 'M')
+#define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
+
+typedef ISC_LIST(isc__task_t)	isc__tasklist_t;
+
+struct isc__taskmgr {
+	/* Not locked. */
+	isc_taskmgr_t			common;
+	isc_mem_t *			mctx;
+	isc_mutex_t			lock;
+#ifdef ISC_PLATFORM_USETHREADS
+	unsigned int			workers;
+	isc_thread_t *			threads;
+#endif /* ISC_PLATFORM_USETHREADS */
+	/* Locked by task manager lock. */
+	unsigned int			default_quantum;
+	LIST(isc__task_t)		tasks;
+	isc__tasklist_t			ready_tasks;
+	isc__tasklist_t			ready_priority_tasks;
+	isc_taskmgrmode_t		mode;
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_condition_t			work_available;
+	isc_condition_t			exclusive_granted;
+	isc_condition_t			paused;
+#endif /* ISC_PLATFORM_USETHREADS */
+	unsigned int			tasks_running;
+	unsigned int			tasks_ready;
+	bool			pause_requested;
+	bool			exclusive_requested;
+	bool			exiting;
+
+	/*
+	 * Multiple threads can read/write 'excl' at the same time, so we need
+	 * to protect the access.  We can't use 'lock' since isc_task_detach()
+	 * will try to acquire it.
+	 */
+	isc_mutex_t			excl_lock;
+	isc__task_t			*excl;
+#ifdef USE_SHARED_MANAGER
+	unsigned int			refs;
+#endif /* ISC_PLATFORM_USETHREADS */
+};
+
+#define DEFAULT_TASKMGR_QUANTUM		10
+#define DEFAULT_DEFAULT_QUANTUM		5
+#define FINISHED(m)			((m)->exiting && EMPTY((m)->tasks))
+
+#ifdef USE_SHARED_MANAGER
+static isc__taskmgr_t *taskmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+
+isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+		 isc_task_t **taskp);
+void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp);
+void
+isc__task_detach(isc_task_t **taskp);
+void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp);
+void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag);
+unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag);
+bool
+isc_task_purgeevent(isc_task_t *task0, isc_event_t *event);
+unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		      isc_eventtype_t last, void *tag,
+		      isc_eventlist_t *events);
+unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		 void *tag, isc_eventlist_t *events);
+isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+		     void *arg);
+void
+isc__task_shutdown(isc_task_t *task0);
+void
+isc__task_destroy(isc_task_t **taskp);
+void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag);
+const char *
+isc__task_getname(isc_task_t *task0);
+void *
+isc__task_gettag(isc_task_t *task0);
+void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t);
+void
+isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t);
+isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		    unsigned int default_quantum, isc_taskmgr_t **managerp);
+void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp);
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0);
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp);
+isc_result_t
+isc__task_beginexclusive(isc_task_t *task);
+void
+isc__task_endexclusive(isc_task_t *task0);
+void
+isc__task_setprivilege(isc_task_t *task0, bool priv);
+bool
+isc__task_privilege(isc_task_t *task0);
+void
+isc__taskmgr_setmode(isc_taskmgr_t *manager0, isc_taskmgrmode_t mode);
+isc_taskmgrmode_t
+isc__taskmgr_mode(isc_taskmgr_t *manager0);
+
+static inline bool
+empty_readyq(isc__taskmgr_t *manager);
+
+static inline isc__task_t *
+pop_readyq(isc__taskmgr_t *manager);
+
+static inline void
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task);
+
+static struct isc__taskmethods {
+	isc_taskmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *purgeevent, *unsendrange, *getname, *gettag,
+	     *getcurrenttime, *getcurrenttimex;
+} taskmethods = {
+	{
+		isc__task_attach,
+		isc__task_detach,
+		isc__task_destroy,
+		isc__task_send,
+		isc__task_sendanddetach,
+		isc__task_unsend,
+		isc__task_onshutdown,
+		isc__task_shutdown,
+		isc__task_setname,
+		isc__task_purge,
+		isc__task_purgerange,
+		isc__task_beginexclusive,
+		isc__task_endexclusive,
+		isc__task_setprivilege,
+		isc__task_privilege
+	},
+	(void *)isc_task_purgeevent,
+	(void *)isc__task_unsendrange,
+	(void *)isc__task_getname,
+	(void *)isc__task_gettag,
+	(void *)isc__task_getcurrenttime,
+	(void *)isc__task_getcurrenttimex
+};
+
+static isc_taskmgrmethods_t taskmgrmethods = {
+	isc__taskmgr_destroy,
+	isc__taskmgr_setmode,
+	isc__taskmgr_mode,
+	isc__task_create,
+	isc_taskmgr_setexcltask,
+	isc_taskmgr_excltask
+};
+
+/***
+ *** Tasks.
+ ***/
+
+static void
+task_finished(isc__task_t *task) {
+	isc__taskmgr_t *manager = task->manager;
+
+	REQUIRE(EMPTY(task->events));
+	REQUIRE(task->nevents == 0);
+	REQUIRE(EMPTY(task->on_shutdown));
+	REQUIRE(task->references == 0);
+	REQUIRE(task->state == task_state_done);
+
+	XTRACE("task_finished");
+
+	LOCK(&manager->lock);
+	UNLINK(manager->tasks, task, link);
+#ifdef USE_WORKER_THREADS
+	if (FINISHED(manager)) {
+		/*
+		 * All tasks have completed and the
+		 * task manager is exiting.  Wake up
+		 * any idle worker threads so they
+		 * can exit.
+		 */
+		BROADCAST(&manager->work_available);
+	}
+#endif /* USE_WORKER_THREADS */
+	UNLOCK(&manager->lock);
+
+	DESTROYLOCK(&task->lock);
+	task->common.impmagic = 0;
+	task->common.magic = 0;
+	isc_mem_put(manager->mctx, task, sizeof(*task));
+}
+
+isc_result_t
+isc__task_create(isc_taskmgr_t *manager0, unsigned int quantum,
+		 isc_task_t **taskp)
+{
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+	isc__task_t *task;
+	bool exiting;
+	isc_result_t result;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	task = isc_mem_get(manager->mctx, sizeof(*task));
+	if (task == NULL)
+		return (ISC_R_NOMEMORY);
+	XTRACE("isc_task_create");
+	task->manager = manager;
+	result = isc_mutex_init(&task->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(manager->mctx, task, sizeof(*task));
+		return (result);
+	}
+	task->state = task_state_idle;
+	task->references = 1;
+	INIT_LIST(task->events);
+	INIT_LIST(task->on_shutdown);
+	task->nevents = 0;
+	task->quantum = quantum;
+	task->flags = 0;
+	task->now = 0;
+	isc_time_settoepoch(&task->tnow);
+	memset(task->name, 0, sizeof(task->name));
+	task->tag = NULL;
+	INIT_LINK(task, link);
+	INIT_LINK(task, ready_link);
+	INIT_LINK(task, ready_priority_link);
+
+	exiting = false;
+	LOCK(&manager->lock);
+	if (!manager->exiting) {
+		if (task->quantum == 0)
+			task->quantum = manager->default_quantum;
+		APPEND(manager->tasks, task, link);
+	} else
+		exiting = true;
+	UNLOCK(&manager->lock);
+
+	if (exiting) {
+		DESTROYLOCK(&task->lock);
+		isc_mem_put(manager->mctx, task, sizeof(*task));
+		return (ISC_R_SHUTTINGDOWN);
+	}
+
+	task->common.methods = (isc_taskmethods_t *)&taskmethods;
+	task->common.magic = ISCAPI_TASK_MAGIC;
+	task->common.impmagic = TASK_MAGIC;
+	*taskp = (isc_task_t *)task;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__task_attach(isc_task_t *source0, isc_task_t **targetp) {
+	isc__task_t *source = (isc__task_t *)source0;
+
+	/*
+	 * Attach *targetp to source.
+	 */
+
+	REQUIRE(VALID_TASK(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	XTTRACE(source, "isc_task_attach");
+
+	LOCK(&source->lock);
+	source->references++;
+	UNLOCK(&source->lock);
+
+	*targetp = (isc_task_t *)source;
+}
+
+static inline bool
+task_shutdown(isc__task_t *task) {
+	bool was_idle = false;
+	isc_event_t *event, *prev;
+
+	/*
+	 * Caller must be holding the task's lock.
+	 */
+
+	XTRACE("task_shutdown");
+
+	if (! TASK_SHUTTINGDOWN(task)) {
+		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				      ISC_MSG_SHUTTINGDOWN, "shutting down"));
+		task->flags |= TASK_F_SHUTTINGDOWN;
+		if (task->state == task_state_idle) {
+			INSIST(EMPTY(task->events));
+			task->state = task_state_ready;
+			was_idle = true;
+		}
+		INSIST(task->state == task_state_ready ||
+		       task->state == task_state_running);
+
+		/*
+		 * Note that we post shutdown events LIFO.
+		 */
+		for (event = TAIL(task->on_shutdown);
+		     event != NULL;
+		     event = prev) {
+			prev = PREV(event, ev_link);
+			DEQUEUE(task->on_shutdown, event, ev_link);
+			ENQUEUE(task->events, event, ev_link);
+			task->nevents++;
+		}
+	}
+
+	return (was_idle);
+}
+
+/*
+ * Moves a task onto the appropriate run queue.
+ *
+ * Caller must NOT hold manager lock.
+ */
+static inline void
+task_ready(isc__task_t *task) {
+	isc__taskmgr_t *manager = task->manager;
+#ifdef USE_WORKER_THREADS
+	bool has_privilege = isc__task_privilege((isc_task_t *) task);
+#endif /* USE_WORKER_THREADS */
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(task->state == task_state_ready);
+
+	XTRACE("task_ready");
+
+	LOCK(&manager->lock);
+	push_readyq(manager, task);
+#ifdef USE_WORKER_THREADS
+	if (manager->mode == isc_taskmgrmode_normal || has_privilege)
+		SIGNAL(&manager->work_available);
+#endif /* USE_WORKER_THREADS */
+	UNLOCK(&manager->lock);
+}
+
+static inline bool
+task_detach(isc__task_t *task) {
+
+	/*
+	 * Caller must be holding the task lock.
+	 */
+
+	REQUIRE(task->references > 0);
+
+	XTRACE("detach");
+
+	task->references--;
+	if (task->references == 0 && task->state == task_state_idle) {
+		INSIST(EMPTY(task->events));
+		/*
+		 * There are no references to this task, and no
+		 * pending events.  We could try to optimize and
+		 * either initiate shutdown or clean up the task,
+		 * depending on its state, but it's easier to just
+		 * make the task ready and allow run() or the event
+		 * loop to deal with shutting down and termination.
+		 */
+		task->state = task_state_ready;
+		return (true);
+	}
+
+	return (false);
+}
+
+void
+isc__task_detach(isc_task_t **taskp) {
+	isc__task_t *task;
+	bool was_idle;
+
+	/*
+	 * Detach *taskp from its task.
+	 */
+
+	REQUIRE(taskp != NULL);
+	task = (isc__task_t *)*taskp;
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_detach");
+
+	LOCK(&task->lock);
+	was_idle = task_detach(task);
+	UNLOCK(&task->lock);
+
+	if (was_idle)
+		task_ready(task);
+
+	*taskp = NULL;
+}
+
+static inline bool
+task_send(isc__task_t *task, isc_event_t **eventp) {
+	bool was_idle = false;
+	isc_event_t *event;
+
+	/*
+	 * Caller must be holding the task lock.
+	 */
+
+	REQUIRE(eventp != NULL);
+	event = *eventp;
+	REQUIRE(event != NULL);
+	REQUIRE(event->ev_type > 0);
+	REQUIRE(task->state != task_state_done);
+	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
+
+	XTRACE("task_send");
+
+	if (task->state == task_state_idle) {
+		was_idle = true;
+		INSIST(EMPTY(task->events));
+		task->state = task_state_ready;
+	}
+	INSIST(task->state == task_state_ready ||
+	       task->state == task_state_running);
+	ENQUEUE(task->events, event, ev_link);
+	task->nevents++;
+	*eventp = NULL;
+
+	return (was_idle);
+}
+
+void
+isc__task_send(isc_task_t *task0, isc_event_t **eventp) {
+	isc__task_t *task = (isc__task_t *)task0;
+	bool was_idle;
+
+	/*
+	 * Send '*event' to 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_send");
+
+	/*
+	 * We're trying hard to hold locks for as short a time as possible.
+	 * We're also trying to hold as few locks as possible.  This is why
+	 * some processing is deferred until after the lock is released.
+	 */
+	LOCK(&task->lock);
+	was_idle = task_send(task, eventp);
+	UNLOCK(&task->lock);
+
+	if (was_idle) {
+		/*
+		 * We need to add this task to the ready queue.
+		 *
+		 * We've waited until now to do it because making a task
+		 * ready requires locking the manager.  If we tried to do
+		 * this while holding the task lock, we could deadlock.
+		 *
+		 * We've changed the state to ready, so no one else will
+		 * be trying to add this task to the ready queue.  The
+		 * only way to leave the ready state is by executing the
+		 * task.  It thus doesn't matter if events are added,
+		 * removed, or a shutdown is started in the interval
+		 * between the time we released the task lock, and the time
+		 * we add the task to the ready queue.
+		 */
+		task_ready(task);
+	}
+}
+
+void
+isc__task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+	bool idle1, idle2;
+	isc__task_t *task;
+
+	/*
+	 * Send '*event' to '*taskp' and then detach '*taskp' from its
+	 * task.
+	 */
+
+	REQUIRE(taskp != NULL);
+	task = (isc__task_t *)*taskp;
+	REQUIRE(VALID_TASK(task));
+
+	XTRACE("isc_task_sendanddetach");
+
+	LOCK(&task->lock);
+	idle1 = task_send(task, eventp);
+	idle2 = task_detach(task);
+	UNLOCK(&task->lock);
+
+	/*
+	 * If idle1, then idle2 shouldn't be true as well since we're holding
+	 * the task lock, and thus the task cannot switch from ready back to
+	 * idle.
+	 */
+	INSIST(!(idle1 && idle2));
+
+	if (idle1 || idle2)
+		task_ready(task);
+
+	*taskp = NULL;
+}
+
+#define PURGE_OK(event)	(((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
+
+static unsigned int
+dequeue_events(isc__task_t *task, void *sender, isc_eventtype_t first,
+	       isc_eventtype_t last, void *tag,
+	       isc_eventlist_t *events, bool purging)
+{
+	isc_event_t *event, *next_event;
+	unsigned int count = 0;
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(last >= first);
+
+	XTRACE("dequeue_events");
+
+	/*
+	 * Events matching 'sender', whose type is >= first and <= last, and
+	 * whose tag is 'tag' will be dequeued.  If 'purging', matching events
+	 * which are marked as unpurgable will not be dequeued.
+	 *
+	 * sender == NULL means "any sender", and tag == NULL means "any tag".
+	 */
+
+	LOCK(&task->lock);
+
+	for (event = HEAD(task->events); event != NULL; event = next_event) {
+		next_event = NEXT(event, ev_link);
+		if (event->ev_type >= first && event->ev_type <= last &&
+		    (sender == NULL || event->ev_sender == sender) &&
+		    (tag == NULL || event->ev_tag == tag) &&
+		    (!purging || PURGE_OK(event))) {
+			DEQUEUE(task->events, event, ev_link);
+			task->nevents--;
+			ENQUEUE(*events, event, ev_link);
+			count++;
+		}
+	}
+
+	UNLOCK(&task->lock);
+
+	return (count);
+}
+
+unsigned int
+isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
+		     isc_eventtype_t last, void *tag)
+{
+	isc__task_t *task = (isc__task_t *)task0;
+	unsigned int count;
+	isc_eventlist_t events;
+	isc_event_t *event, *next_event;
+
+	/*
+	 * Purge events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_purgerange");
+
+	ISC_LIST_INIT(events);
+
+	count = dequeue_events(task, sender, first, last, tag, &events,
+			       true);
+
+	for (event = HEAD(events); event != NULL; event = next_event) {
+		next_event = NEXT(event, ev_link);
+		ISC_LIST_UNLINK(events, event, ev_link);
+		isc_event_free(&event);
+	}
+
+	/*
+	 * Note that purging never changes the state of the task.
+	 */
+
+	return (count);
+}
+
+unsigned int
+isc__task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag)
+{
+	/*
+	 * Purge events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_purge");
+
+	return (isc__task_purgerange(task, sender, type, type, tag));
+}
+
+bool
+isc_task_purgeevent(isc_task_t *task0, isc_event_t *event) {
+	isc__task_t *task = (isc__task_t *)task0;
+	isc_event_t *curr_event, *next_event;
+
+	/*
+	 * Purge 'event' from a task's event queue.
+	 *
+	 * XXXRTH:  WARNING:  This method may be removed before beta.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	/*
+	 * If 'event' is on the task's event queue, it will be purged,
+	 * unless it is marked as unpurgeable.  'event' does not have to be
+	 * on the task's event queue; in fact, it can even be an invalid
+	 * pointer.  Purging only occurs if the event is actually on the task's
+	 * event queue.
+	 *
+	 * Purging never changes the state of the task.
+	 */
+
+	LOCK(&task->lock);
+	for (curr_event = HEAD(task->events);
+	     curr_event != NULL;
+	     curr_event = next_event) {
+		next_event = NEXT(curr_event, ev_link);
+		if (curr_event == event && PURGE_OK(event)) {
+			DEQUEUE(task->events, curr_event, ev_link);
+			task->nevents--;
+			break;
+		}
+	}
+	UNLOCK(&task->lock);
+
+	if (curr_event == NULL)
+		return (false);
+
+	isc_event_free(&curr_event);
+
+	return (true);
+}
+
+unsigned int
+isc__task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		      isc_eventtype_t last, void *tag,
+		      isc_eventlist_t *events)
+{
+	/*
+	 * Remove events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_unsendrange");
+
+	return (dequeue_events((isc__task_t *)task, sender, first,
+			       last, tag, events, false));
+}
+
+unsigned int
+isc__task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		 void *tag, isc_eventlist_t *events)
+{
+	/*
+	 * Remove events from a task's event queue.
+	 */
+
+	XTRACE("isc_task_unsend");
+
+	return (dequeue_events((isc__task_t *)task, sender, type,
+			       type, tag, events, false));
+}
+
+isc_result_t
+isc__task_onshutdown(isc_task_t *task0, isc_taskaction_t action,
+		     void *arg)
+{
+	isc__task_t *task = (isc__task_t *)task0;
+	bool disallowed = false;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_event_t *event;
+
+	/*
+	 * Send a shutdown event with action 'action' and argument 'arg' when
+	 * 'task' is shutdown.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(action != NULL);
+
+	event = isc_event_allocate(task->manager->mctx,
+				   NULL,
+				   ISC_TASKEVENT_SHUTDOWN,
+				   action,
+				   arg,
+				   sizeof(*event));
+	if (event == NULL)
+		return (ISC_R_NOMEMORY);
+
+	LOCK(&task->lock);
+	if (TASK_SHUTTINGDOWN(task)) {
+		disallowed = true;
+		result = ISC_R_SHUTTINGDOWN;
+	} else
+		ENQUEUE(task->on_shutdown, event, ev_link);
+	UNLOCK(&task->lock);
+
+	if (disallowed)
+		isc_mem_put(task->manager->mctx, event, sizeof(*event));
+
+	return (result);
+}
+
+void
+isc__task_shutdown(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+	bool was_idle;
+
+	/*
+	 * Shutdown 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	was_idle = task_shutdown(task);
+	UNLOCK(&task->lock);
+
+	if (was_idle)
+		task_ready(task);
+}
+
+void
+isc__task_destroy(isc_task_t **taskp) {
+
+	/*
+	 * Destroy '*taskp'.
+	 */
+
+	REQUIRE(taskp != NULL);
+
+	isc_task_shutdown(*taskp);
+	isc_task_detach(taskp);
+}
+
+void
+isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	/*
+	 * Name 'task'.
+	 */
+
+	REQUIRE(VALID_TASK(task));
+
+	LOCK(&task->lock);
+	strlcpy(task->name, name, sizeof(task->name));
+	task->tag = tag;
+	UNLOCK(&task->lock);
+}
+
+const char *
+isc__task_getname(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+
+	return (task->name);
+}
+
+void *
+isc__task_gettag(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+
+	return (task->tag);
+}
+
+void
+isc__task_getcurrenttime(isc_task_t *task0, isc_stdtime_t *t) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(t != NULL);
+
+	LOCK(&task->lock);
+	*t = task->now;
+	UNLOCK(&task->lock);
+}
+
+void
+isc__task_getcurrenttimex(isc_task_t *task0, isc_time_t *t) {
+	isc__task_t *task = (isc__task_t *)task0;
+
+	REQUIRE(VALID_TASK(task));
+	REQUIRE(t != NULL);
+
+	LOCK(&task->lock);
+	*t = task->tnow;
+	UNLOCK(&task->lock);
+}
+
+/***
+ *** Task Manager.
+ ***/
+
+/*
+ * Return true if the current ready list for the manager, which is
+ * either ready_tasks or the ready_priority_tasks, depending on whether
+ * the manager is currently in normal or privileged execution mode.
+ *
+ * Caller must hold the task manager lock.
+ */
+static inline bool
+empty_readyq(isc__taskmgr_t *manager) {
+	isc__tasklist_t queue;
+
+	if (manager->mode == isc_taskmgrmode_normal)
+		queue = manager->ready_tasks;
+	else
+		queue = manager->ready_priority_tasks;
+
+	return (EMPTY(queue));
+}
+
+/*
+ * Dequeue and return a pointer to the first task on the current ready
+ * list for the manager.
+ * If the task is privileged, dequeue it from the other ready list
+ * as well.
+ *
+ * Caller must hold the task manager lock.
+ */
+static inline isc__task_t *
+pop_readyq(isc__taskmgr_t *manager) {
+	isc__task_t *task;
+
+	if (manager->mode == isc_taskmgrmode_normal)
+		task = HEAD(manager->ready_tasks);
+	else
+		task = HEAD(manager->ready_priority_tasks);
+
+	if (task != NULL) {
+		DEQUEUE(manager->ready_tasks, task, ready_link);
+		if (ISC_LINK_LINKED(task, ready_priority_link))
+			DEQUEUE(manager->ready_priority_tasks, task,
+				ready_priority_link);
+	}
+
+	return (task);
+}
+
+/*
+ * Push 'task' onto the ready_tasks queue.  If 'task' has the privilege
+ * flag set, then also push it onto the ready_priority_tasks queue.
+ *
+ * Caller must hold the task manager lock.
+ */
+static inline void
+push_readyq(isc__taskmgr_t *manager, isc__task_t *task) {
+	ENQUEUE(manager->ready_tasks, task, ready_link);
+	if ((task->flags & TASK_F_PRIVILEGED) != 0)
+		ENQUEUE(manager->ready_priority_tasks, task,
+			ready_priority_link);
+	manager->tasks_ready++;
+}
+
+static void
+dispatch(isc__taskmgr_t *manager) {
+	isc__task_t *task;
+#ifndef USE_WORKER_THREADS
+	unsigned int total_dispatch_count = 0;
+	isc__tasklist_t new_ready_tasks;
+	isc__tasklist_t new_priority_tasks;
+	unsigned int tasks_ready = 0;
+#endif /* USE_WORKER_THREADS */
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	/*
+	 * Again we're trying to hold the lock for as short a time as possible
+	 * and to do as little locking and unlocking as possible.
+	 *
+	 * In both while loops, the appropriate lock must be held before the
+	 * while body starts.  Code which acquired the lock at the top of
+	 * the loop would be more readable, but would result in a lot of
+	 * extra locking.  Compare:
+	 *
+	 * Straightforward:
+	 *
+	 *	LOCK();
+	 *	...
+	 *	UNLOCK();
+	 *	while (expression) {
+	 *		LOCK();
+	 *		...
+	 *		UNLOCK();
+	 *
+	 *	       	Unlocked part here...
+	 *
+	 *		LOCK();
+	 *		...
+	 *		UNLOCK();
+	 *	}
+	 *
+	 * Note how if the loop continues we unlock and then immediately lock.
+	 * For N iterations of the loop, this code does 2N+1 locks and 2N+1
+	 * unlocks.  Also note that the lock is not held when the while
+	 * condition is tested, which may or may not be important, depending
+	 * on the expression.
+	 *
+	 * As written:
+	 *
+	 *	LOCK();
+	 *	while (expression) {
+	 *		...
+	 *		UNLOCK();
+	 *
+	 *	       	Unlocked part here...
+	 *
+	 *		LOCK();
+	 *		...
+	 *	}
+	 *	UNLOCK();
+	 *
+	 * For N iterations of the loop, this code does N+1 locks and N+1
+	 * unlocks.  The while expression is always protected by the lock.
+	 */
+
+#ifndef USE_WORKER_THREADS
+	ISC_LIST_INIT(new_ready_tasks);
+	ISC_LIST_INIT(new_priority_tasks);
+#endif
+	LOCK(&manager->lock);
+
+	while (!FINISHED(manager)) {
+#ifdef USE_WORKER_THREADS
+		/*
+		 * For reasons similar to those given in the comment in
+		 * isc_task_send() above, it is safe for us to dequeue
+		 * the task while only holding the manager lock, and then
+		 * change the task to running state while only holding the
+		 * task lock.
+		 *
+		 * If a pause has been requested, don't do any work
+		 * until it's been released.
+		 */
+		while ((empty_readyq(manager) || manager->pause_requested ||
+			manager->exclusive_requested) && !FINISHED(manager))
+		{
+			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
+						    ISC_MSGSET_GENERAL,
+						    ISC_MSG_WAIT, "wait"));
+			WAIT(&manager->work_available, &manager->lock);
+			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
+						    ISC_MSGSET_TASK,
+						    ISC_MSG_AWAKE, "awake"));
+		}
+#else /* USE_WORKER_THREADS */
+		if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
+		    empty_readyq(manager))
+			break;
+#endif /* USE_WORKER_THREADS */
+		XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
+					    ISC_MSG_WORKING, "working"));
+
+		task = pop_readyq(manager);
+		if (task != NULL) {
+			unsigned int dispatch_count = 0;
+			bool done = false;
+			bool requeue = false;
+			bool finished = false;
+			isc_event_t *event;
+
+			INSIST(VALID_TASK(task));
+
+			/*
+			 * Note we only unlock the manager lock if we actually
+			 * have a task to do.  We must reacquire the manager
+			 * lock before exiting the 'if (task != NULL)' block.
+			 */
+			manager->tasks_ready--;
+			manager->tasks_running++;
+			UNLOCK(&manager->lock);
+
+			LOCK(&task->lock);
+			INSIST(task->state == task_state_ready);
+			task->state = task_state_running;
+			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+					      ISC_MSG_RUNNING, "running"));
+			TIME_NOW(&task->tnow);
+			task->now = isc_time_seconds(&task->tnow);
+			do {
+				if (!EMPTY(task->events)) {
+					event = HEAD(task->events);
+					DEQUEUE(task->events, event, ev_link);
+					task->nevents--;
+
+					/*
+					 * Execute the event action.
+					 */
+					XTRACE(isc_msgcat_get(isc_msgcat,
+							    ISC_MSGSET_TASK,
+							    ISC_MSG_EXECUTE,
+							    "execute action"));
+					if (event->ev_action != NULL) {
+						UNLOCK(&task->lock);
+						(event->ev_action)(
+							(isc_task_t *)task,
+							event);
+						LOCK(&task->lock);
+					}
+					dispatch_count++;
+#ifndef USE_WORKER_THREADS
+					total_dispatch_count++;
+#endif /* USE_WORKER_THREADS */
+				}
+
+				if (task->references == 0 &&
+				    EMPTY(task->events) &&
+				    !TASK_SHUTTINGDOWN(task)) {
+					bool was_idle;
+
+					/*
+					 * There are no references and no
+					 * pending events for this task,
+					 * which means it will not become
+					 * runnable again via an external
+					 * action (such as sending an event
+					 * or detaching).
+					 *
+					 * We initiate shutdown to prevent
+					 * it from becoming a zombie.
+					 *
+					 * We do this here instead of in
+					 * the "if EMPTY(task->events)" block
+					 * below because:
+					 *
+					 *	If we post no shutdown events,
+					 *	we want the task to finish.
+					 *
+					 *	If we did post shutdown events,
+					 *	will still want the task's
+					 *	quantum to be applied.
+					 */
+					was_idle = task_shutdown(task);
+					INSIST(!was_idle);
+				}
+
+				if (EMPTY(task->events)) {
+					/*
+					 * Nothing else to do for this task
+					 * right now.
+					 */
+					XTRACE(isc_msgcat_get(isc_msgcat,
+							      ISC_MSGSET_TASK,
+							      ISC_MSG_EMPTY,
+							      "empty"));
+					if (task->references == 0 &&
+					    TASK_SHUTTINGDOWN(task)) {
+						/*
+						 * The task is done.
+						 */
+						XTRACE(isc_msgcat_get(
+							       isc_msgcat,
+							       ISC_MSGSET_TASK,
+							       ISC_MSG_DONE,
+							       "done"));
+						finished = true;
+						task->state = task_state_done;
+					} else
+						task->state = task_state_idle;
+					done = true;
+				} else if (dispatch_count >= task->quantum) {
+					/*
+					 * Our quantum has expired, but
+					 * there is more work to be done.
+					 * We'll requeue it to the ready
+					 * queue later.
+					 *
+					 * We don't check quantum until
+					 * dispatching at least one event,
+					 * so the minimum quantum is one.
+					 */
+					XTRACE(isc_msgcat_get(isc_msgcat,
+							      ISC_MSGSET_TASK,
+							      ISC_MSG_QUANTUM,
+							      "quantum"));
+					task->state = task_state_ready;
+					requeue = true;
+					done = true;
+				}
+			} while (!done);
+			UNLOCK(&task->lock);
+
+			if (finished)
+				task_finished(task);
+
+			LOCK(&manager->lock);
+			manager->tasks_running--;
+#ifdef USE_WORKER_THREADS
+			if (manager->exclusive_requested &&
+			    manager->tasks_running == 1) {
+				SIGNAL(&manager->exclusive_granted);
+			} else if (manager->pause_requested &&
+				   manager->tasks_running == 0) {
+				SIGNAL(&manager->paused);
+			}
+#endif /* USE_WORKER_THREADS */
+			if (requeue) {
+				/*
+				 * We know we're awake, so we don't have
+				 * to wakeup any sleeping threads if the
+				 * ready queue is empty before we requeue.
+				 *
+				 * A possible optimization if the queue is
+				 * empty is to 'goto' the 'if (task != NULL)'
+				 * block, avoiding the ENQUEUE of the task
+				 * and the subsequent immediate DEQUEUE
+				 * (since it is the only executable task).
+				 * We don't do this because then we'd be
+				 * skipping the exit_requested check.  The
+				 * cost of ENQUEUE is low anyway, especially
+				 * when you consider that we'd have to do
+				 * an extra EMPTY check to see if we could
+				 * do the optimization.  If the ready queue
+				 * were usually nonempty, the 'optimization'
+				 * might even hurt rather than help.
+				 */
+#ifdef USE_WORKER_THREADS
+				push_readyq(manager, task);
+#else
+				ENQUEUE(new_ready_tasks, task, ready_link);
+				if ((task->flags & TASK_F_PRIVILEGED) != 0)
+					ENQUEUE(new_priority_tasks, task,
+						ready_priority_link);
+				tasks_ready++;
+#endif
+			}
+		}
+
+#ifdef USE_WORKER_THREADS
+		/*
+		 * If we are in privileged execution mode and there are no
+		 * tasks remaining on the current ready queue, then
+		 * we're stuck.  Automatically drop privileges at that
+		 * point and continue with the regular ready queue.
+		 */
+		if (manager->tasks_running == 0 && empty_readyq(manager)) {
+			manager->mode = isc_taskmgrmode_normal;
+			if (!empty_readyq(manager))
+				BROADCAST(&manager->work_available);
+		}
+#endif
+	}
+
+#ifndef USE_WORKER_THREADS
+	ISC_LIST_APPENDLIST(manager->ready_tasks, new_ready_tasks, ready_link);
+	ISC_LIST_APPENDLIST(manager->ready_priority_tasks, new_priority_tasks,
+			    ready_priority_link);
+	manager->tasks_ready += tasks_ready;
+	if (empty_readyq(manager))
+		manager->mode = isc_taskmgrmode_normal;
+#endif
+
+	UNLOCK(&manager->lock);
+}
+
+#ifdef USE_WORKER_THREADS
+static isc_threadresult_t
+#ifdef _WIN32
+WINAPI
+#endif
+run(void *uap) {
+	isc__taskmgr_t *manager = uap;
+
+	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				    ISC_MSG_STARTING, "starting"));
+
+	dispatch(manager);
+
+	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				    ISC_MSG_EXITING, "exiting"));
+
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
+	return ((isc_threadresult_t)0);
+}
+#endif /* USE_WORKER_THREADS */
+
+static void
+manager_free(isc__taskmgr_t *manager) {
+	isc_mem_t *mctx;
+
+#ifdef USE_WORKER_THREADS
+	(void)isc_condition_destroy(&manager->exclusive_granted);
+	(void)isc_condition_destroy(&manager->work_available);
+	(void)isc_condition_destroy(&manager->paused);
+	isc_mem_free(manager->mctx, manager->threads);
+#endif /* USE_WORKER_THREADS */
+	DESTROYLOCK(&manager->lock);
+	DESTROYLOCK(&manager->excl_lock);
+	manager->common.impmagic = 0;
+	manager->common.magic = 0;
+	mctx = manager->mctx;
+	isc_mem_put(mctx, manager, sizeof(*manager));
+	isc_mem_detach(&mctx);
+
+#ifdef USE_SHARED_MANAGER
+	taskmgr = NULL;
+#endif	/* USE_SHARED_MANAGER */
+}
+
+isc_result_t
+isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		    unsigned int default_quantum, isc_taskmgr_t **managerp)
+{
+	isc_result_t result;
+	unsigned int i, started = 0;
+	isc__taskmgr_t *manager;
+
+	/*
+	 * Create a new task manager.
+	 */
+
+	REQUIRE(workers > 0);
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifndef USE_WORKER_THREADS
+	UNUSED(i);
+	UNUSED(started);
+#endif
+
+#ifdef USE_SHARED_MANAGER
+	if (taskmgr != NULL) {
+		if (taskmgr->refs == 0)
+			return (ISC_R_SHUTTINGDOWN);
+		taskmgr->refs++;
+		*managerp = (isc_taskmgr_t *)taskmgr;
+		return (ISC_R_SUCCESS);
+	}
+#endif /* USE_SHARED_MANAGER */
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	if (manager == NULL)
+		return (ISC_R_NOMEMORY);
+	manager->common.methods = &taskmgrmethods;
+	manager->common.impmagic = TASK_MANAGER_MAGIC;
+	manager->common.magic = ISCAPI_TASKMGR_MAGIC;
+	manager->mode = isc_taskmgrmode_normal;
+	manager->mctx = NULL;
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_mgr;
+	result = isc_mutex_init(&manager->excl_lock);
+	if (result != ISC_R_SUCCESS) {
+		DESTROYLOCK(&manager->lock);
+		goto cleanup_mgr;
+	}
+
+#ifdef USE_WORKER_THREADS
+	manager->workers = 0;
+	manager->threads = isc_mem_allocate(mctx,
+					    workers * sizeof(isc_thread_t));
+	if (manager->threads == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_lock;
+	}
+	if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_threads;
+	}
+	if (isc_condition_init(&manager->exclusive_granted) != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_workavailable;
+	}
+	if (isc_condition_init(&manager->paused) != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_exclusivegranted;
+	}
+#endif /* USE_WORKER_THREADS */
+	if (default_quantum == 0)
+		default_quantum = DEFAULT_DEFAULT_QUANTUM;
+	manager->default_quantum = default_quantum;
+	INIT_LIST(manager->tasks);
+	INIT_LIST(manager->ready_tasks);
+	INIT_LIST(manager->ready_priority_tasks);
+	manager->tasks_running = 0;
+	manager->tasks_ready = 0;
+	manager->exclusive_requested = false;
+	manager->pause_requested = false;
+	manager->exiting = false;
+	manager->excl = NULL;
+
+	isc_mem_attach(mctx, &manager->mctx);
+
+#ifdef USE_WORKER_THREADS
+	LOCK(&manager->lock);
+	/*
+	 * Start workers.
+	 */
+	for (i = 0; i < workers; i++) {
+		if (isc_thread_create(run, manager,
+				      &manager->threads[manager->workers]) ==
+		    ISC_R_SUCCESS) {
+			char name[16];	/* thread name limit on Linux */
+			snprintf(name, sizeof(name), "isc-worker%04u", i);
+			isc_thread_setname(manager->threads[manager->workers],
+					   name);
+			manager->workers++;
+			started++;
+		}
+	}
+	UNLOCK(&manager->lock);
+
+	if (started == 0) {
+		manager_free(manager);
+		return (ISC_R_NOTHREADS);
+	}
+	isc_thread_setconcurrency(workers);
+#endif /* USE_WORKER_THREADS */
+#ifdef USE_SHARED_MANAGER
+	manager->refs = 1;
+	taskmgr = manager;
+#endif /* USE_SHARED_MANAGER */
+
+	*managerp = (isc_taskmgr_t *)manager;
+
+	return (ISC_R_SUCCESS);
+
+#ifdef USE_WORKER_THREADS
+ cleanup_exclusivegranted:
+	(void)isc_condition_destroy(&manager->exclusive_granted);
+ cleanup_workavailable:
+	(void)isc_condition_destroy(&manager->work_available);
+ cleanup_threads:
+	isc_mem_free(mctx, manager->threads);
+ cleanup_lock:
+	DESTROYLOCK(&manager->lock);
+#endif
+ cleanup_mgr:
+	isc_mem_put(mctx, manager, sizeof(*manager));
+	return (result);
+}
+
+void
+isc__taskmgr_destroy(isc_taskmgr_t **managerp) {
+	isc__taskmgr_t *manager;
+	isc__task_t *task;
+	unsigned int i;
+
+	/*
+	 * Destroy '*managerp'.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = (isc__taskmgr_t *)*managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+#ifndef USE_WORKER_THREADS
+	UNUSED(i);
+#endif /* USE_WORKER_THREADS */
+
+#ifdef USE_SHARED_MANAGER
+	manager->refs--;
+	if (manager->refs > 0) {
+		*managerp = NULL;
+		return;
+	}
+#endif
+
+	XTHREADTRACE("isc_taskmgr_destroy");
+	/*
+	 * Only one non-worker thread may ever call this routine.
+	 * If a worker thread wants to initiate shutdown of the
+	 * task manager, it should ask some non-worker thread to call
+	 * isc_taskmgr_destroy(), e.g. by signalling a condition variable
+	 * that the startup thread is sleeping on.
+	 */
+
+	/*
+	 * Detach the exclusive task before acquiring the manager lock
+	 */
+	LOCK(&manager->excl_lock);
+	if (manager->excl != NULL)
+		isc__task_detach((isc_task_t **) &manager->excl);
+	UNLOCK(&manager->excl_lock);
+
+	/*
+	 * Unlike elsewhere, we're going to hold this lock a long time.
+	 * We need to do so, because otherwise the list of tasks could
+	 * change while we were traversing it.
+	 *
+	 * This is also the only function where we will hold both the
+	 * task manager lock and a task lock at the same time.
+	 */
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Make sure we only get called once.
+	 */
+	INSIST(!manager->exiting);
+	manager->exiting = true;
+
+	/*
+	 * If privileged mode was on, turn it off.
+	 */
+	manager->mode = isc_taskmgrmode_normal;
+
+	/*
+	 * Post shutdown event(s) to every task (if they haven't already been
+	 * posted).
+	 */
+	for (task = HEAD(manager->tasks);
+	     task != NULL;
+	     task = NEXT(task, link)) {
+		LOCK(&task->lock);
+		if (task_shutdown(task))
+			push_readyq(manager, task);
+		UNLOCK(&task->lock);
+	}
+#ifdef USE_WORKER_THREADS
+	/*
+	 * Wake up any sleeping workers.  This ensures we get work done if
+	 * there's work left to do, and if there are already no tasks left
+	 * it will cause the workers to see manager->exiting.
+	 */
+	BROADCAST(&manager->work_available);
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Wait for all the worker threads to exit.
+	 */
+	for (i = 0; i < manager->workers; i++)
+		(void)isc_thread_join(manager->threads[i], NULL);
+#else /* USE_WORKER_THREADS */
+	/*
+	 * Dispatch the shutdown events.
+	 */
+	UNLOCK(&manager->lock);
+	while (isc__taskmgr_ready((isc_taskmgr_t *)manager))
+		(void)isc__taskmgr_dispatch((isc_taskmgr_t *)manager);
+	if (!ISC_LIST_EMPTY(manager->tasks))
+		isc_mem_printallactive(stderr);
+	INSIST(ISC_LIST_EMPTY(manager->tasks));
+#ifdef USE_SHARED_MANAGER
+	taskmgr = NULL;
+#endif
+#endif /* USE_WORKER_THREADS */
+
+	manager_free(manager);
+
+	*managerp = NULL;
+}
+
+void
+isc__taskmgr_setmode(isc_taskmgr_t *manager0, isc_taskmgrmode_t mode) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+
+	LOCK(&manager->lock);
+	manager->mode = mode;
+	UNLOCK(&manager->lock);
+}
+
+isc_taskmgrmode_t
+isc__taskmgr_mode(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+	isc_taskmgrmode_t mode;
+	LOCK(&manager->lock);
+	mode = manager->mode;
+	UNLOCK(&manager->lock);
+	return (mode);
+}
+
+#ifndef USE_WORKER_THREADS
+bool
+isc__taskmgr_ready(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+	bool is_ready;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = taskmgr;
+#endif
+	if (manager == NULL)
+		return (false);
+
+	LOCK(&manager->lock);
+	is_ready = !empty_readyq(manager);
+	UNLOCK(&manager->lock);
+
+	return (is_ready);
+}
+
+isc_result_t
+isc__taskmgr_dispatch(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = taskmgr;
+#endif
+	if (manager == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dispatch(manager);
+
+	return (ISC_R_SUCCESS);
+}
+
+#else
+void
+isc__taskmgr_pause(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+	manager->pause_requested = true;
+	LOCK(&manager->lock);
+	while (manager->tasks_running > 0) {
+		WAIT(&manager->paused, &manager->lock);
+	}
+	UNLOCK(&manager->lock);
+}
+
+void
+isc__taskmgr_resume(isc_taskmgr_t *manager0) {
+	isc__taskmgr_t *manager = (isc__taskmgr_t *)manager0;
+
+	LOCK(&manager->lock);
+	if (manager->pause_requested) {
+		manager->pause_requested = false;
+		BROADCAST(&manager->work_available);
+	}
+	UNLOCK(&manager->lock);
+}
+#endif /* USE_WORKER_THREADS */
+
+void
+isc_taskmgr_setexcltask(isc_taskmgr_t *mgr0, isc_task_t *task0) {
+	isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
+	isc__task_t *task = (isc__task_t *) task0;
+
+	REQUIRE(VALID_MANAGER(mgr));
+	REQUIRE(VALID_TASK(task));
+	LOCK(&mgr->excl_lock);
+	if (mgr->excl != NULL)
+		isc__task_detach((isc_task_t **) &mgr->excl);
+	isc__task_attach(task0, (isc_task_t **) &mgr->excl);
+	UNLOCK(&mgr->excl_lock);
+}
+
+isc_result_t
+isc_taskmgr_excltask(isc_taskmgr_t *mgr0, isc_task_t **taskp) {
+	isc__taskmgr_t *mgr = (isc__taskmgr_t *) mgr0;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_MANAGER(mgr));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	LOCK(&mgr->excl_lock);
+	if (mgr->excl != NULL)
+		isc__task_attach((isc_task_t *) mgr->excl, taskp);
+	else
+		result = ISC_R_NOTFOUND;
+	UNLOCK(&mgr->excl_lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__task_beginexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+	isc__task_t *task = (isc__task_t *)task0;
+	isc__taskmgr_t *manager = task->manager;
+
+	REQUIRE(task->state == task_state_running);
+/*
+ *  TODO REQUIRE(task == task->manager->excl);
+ *  it should be here, it fails on shutdown server->task
+ */
+
+	LOCK(&manager->lock);
+	if (manager->exclusive_requested) {
+		UNLOCK(&manager->lock);
+		return (ISC_R_LOCKBUSY);
+	}
+	manager->exclusive_requested = true;
+	while (manager->tasks_running > 1) {
+		WAIT(&manager->exclusive_granted, &manager->lock);
+	}
+	UNLOCK(&manager->lock);
+#else
+	UNUSED(task0);
+#endif
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__task_endexclusive(isc_task_t *task0) {
+#ifdef USE_WORKER_THREADS
+	isc__task_t *task = (isc__task_t *)task0;
+	isc__taskmgr_t *manager = task->manager;
+
+	REQUIRE(task->state == task_state_running);
+	LOCK(&manager->lock);
+	REQUIRE(manager->exclusive_requested);
+	manager->exclusive_requested = false;
+	BROADCAST(&manager->work_available);
+	UNLOCK(&manager->lock);
+#else
+	UNUSED(task0);
+#endif
+}
+
+void
+isc__task_setprivilege(isc_task_t *task0, bool priv) {
+	isc__task_t *task = (isc__task_t *)task0;
+	isc__taskmgr_t *manager = task->manager;
+	bool oldpriv;
+
+	LOCK(&task->lock);
+	oldpriv = (task->flags & TASK_F_PRIVILEGED);
+	if (priv)
+		task->flags |= TASK_F_PRIVILEGED;
+	else
+		task->flags &= ~TASK_F_PRIVILEGED;
+	UNLOCK(&task->lock);
+
+	if (priv == oldpriv)
+		return;
+
+	LOCK(&manager->lock);
+	if (priv && ISC_LINK_LINKED(task, ready_link))
+		ENQUEUE(manager->ready_priority_tasks, task,
+			ready_priority_link);
+	else if (!priv && ISC_LINK_LINKED(task, ready_priority_link))
+		DEQUEUE(manager->ready_priority_tasks, task,
+			ready_priority_link);
+	UNLOCK(&manager->lock);
+}
+
+bool
+isc__task_privilege(isc_task_t *task0) {
+	isc__task_t *task = (isc__task_t *)task0;
+	bool priv;
+
+	LOCK(&task->lock);
+	priv = (task->flags & TASK_F_PRIVILEGED);
+	UNLOCK(&task->lock);
+	return (priv);
+}
+
+isc_result_t
+isc__task_register(void) {
+	return (isc_task_register(isc__taskmgr_create));
+}
+
+bool
+isc_task_exiting(isc_task_t *t) {
+	isc__task_t *task = (isc__task_t *)t;
+
+	REQUIRE(VALID_TASK(task));
+	return (TASK_SHUTTINGDOWN(task));
+}
+
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+int
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr0, xmlTextWriterPtr writer) {
+	isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
+	isc__task_t *task = NULL;
+	int xmlrc;
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * Write out the thread-model, and some details about each depending
+	 * on which type is enabled.
+	 */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model"));
+#ifdef ISC_PLATFORM_USETHREADS
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded"));
+	TRY0(xmlTextWriterEndElement(writer)); /* type */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "worker-threads"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->workers));
+	TRY0(xmlTextWriterEndElement(writer)); /* worker-threads */
+#else /* ISC_PLATFORM_USETHREADS */
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "type"));
+	TRY0(xmlTextWriterWriteString(writer, ISC_XMLCHAR "non-threaded"));
+	TRY0(xmlTextWriterEndElement(writer)); /* type */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->refs));
+	TRY0(xmlTextWriterEndElement(writer)); /* references */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+					    mgr->default_quantum));
+	TRY0(xmlTextWriterEndElement(writer)); /* default-quantum */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-running"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_running));
+	TRY0(xmlTextWriterEndElement(writer)); /* tasks-running */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-ready"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_ready));
+	TRY0(xmlTextWriterEndElement(writer)); /* tasks-ready */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* thread-model */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks"));
+	task = ISC_LIST_HEAD(mgr->tasks);
+	while (task != NULL) {
+		LOCK(&task->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "task"));
+
+		if (task->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+						       task->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "references"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    task->references));
+		TRY0(xmlTextWriterEndElement(writer)); /* references */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", task));
+		TRY0(xmlTextWriterEndElement(writer)); /* id */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "state"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+					       statenames[task->state]));
+		TRY0(xmlTextWriterEndElement(writer)); /* state */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    task->quantum));
+		TRY0(xmlTextWriterEndElement(writer)); /* quantum */
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "events"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    task->nevents));
+		TRY0(xmlTextWriterEndElement(writer)); /* events */
+
+		TRY0(xmlTextWriterEndElement(writer));
+
+		UNLOCK(&task->lock);
+		task = ISC_LIST_NEXT(task, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* tasks */
+
+ error:
+	if (task != NULL)
+		UNLOCK(&task->lock);
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+#define CHECKMEM(m) do { \
+	if (m == NULL) { \
+		result = ISC_R_NOMEMORY;\
+		goto error;\
+	} \
+} while(0)
+
+isc_result_t
+isc_taskmgr_renderjson(isc_taskmgr_t *mgr0, json_object *tasks) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__taskmgr_t *mgr = (isc__taskmgr_t *)mgr0;
+	isc__task_t *task = NULL;
+	json_object *obj = NULL, *array = NULL, *taskobj = NULL;
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * Write out the thread-model, and some details about each depending
+	 * on which type is enabled.
+	 */
+#ifdef ISC_PLATFORM_USETHREADS
+	obj = json_object_new_string("threaded");
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "thread-model", obj);
+
+	obj = json_object_new_int(mgr->workers);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "worker-threads", obj);
+#else /* ISC_PLATFORM_USETHREADS */
+	obj = json_object_new_string("non-threaded");
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "thread-model", obj);
+
+	obj = json_object_new_int(mgr->refs);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "references", obj);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	obj = json_object_new_int(mgr->default_quantum);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "default-quantum", obj);
+
+	obj = json_object_new_int(mgr->tasks_running);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "tasks-running", obj);
+
+	obj = json_object_new_int(mgr->tasks_ready);
+	CHECKMEM(obj);
+	json_object_object_add(tasks, "tasks-ready", obj);
+
+	array = json_object_new_array();
+	CHECKMEM(array);
+
+	for (task = ISC_LIST_HEAD(mgr->tasks);
+	     task != NULL;
+	     task = ISC_LIST_NEXT(task, link))
+	{
+		char buf[255];
+
+		LOCK(&task->lock);
+
+		taskobj = json_object_new_object();
+		CHECKMEM(taskobj);
+		json_object_array_add(array, taskobj);
+
+		snprintf(buf, sizeof(buf), "%p", task);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "id", obj);
+
+		if (task->name[0] != 0) {
+			obj = json_object_new_string(task->name);
+			CHECKMEM(obj);
+			json_object_object_add(taskobj, "name", obj);
+		}
+
+		obj = json_object_new_int(task->references);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "references", obj);
+
+		obj = json_object_new_string(statenames[task->state]);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "state", obj);
+
+		obj = json_object_new_int(task->quantum);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "quantum", obj);
+
+		obj = json_object_new_int(task->nevents);
+		CHECKMEM(obj);
+		json_object_object_add(taskobj, "events", obj);
+
+		UNLOCK(&task->lock);
+	}
+
+	json_object_object_add(tasks, "tasks", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+ error:
+	if (array != NULL)
+		json_object_put(array);
+
+	if (task != NULL)
+		UNLOCK(&task->lock);
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif
+
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_taskmgrcreatefunc_t taskmgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_task_register(isc_taskmgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (taskmgr_createfunc == NULL)
+		taskmgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_taskmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			unsigned int workers, unsigned int default_quantum,
+			isc_taskmgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(taskmgr_createfunc != NULL);
+	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+				       managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_settaskmgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+		   unsigned int default_quantum, isc_taskmgr_t **managerp)
+{
+	isc_result_t result;
+
+	if (isc_bind9)
+		return (isc__taskmgr_create(mctx, workers,
+					    default_quantum, managerp));
+	LOCK(&createlock);
+
+	REQUIRE(taskmgr_createfunc != NULL);
+	result = (*taskmgr_createfunc)(mctx, workers, default_quantum,
+				       managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
+	REQUIRE(managerp != NULL && ISCAPI_TASKMGR_VALID(*managerp));
+
+	if (isc_bind9)
+		isc__taskmgr_destroy(managerp);
+	else
+		(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+}
+
+void
+isc_taskmgr_setmode(isc_taskmgr_t *manager, isc_taskmgrmode_t mode) {
+	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
+
+	if (isc_bind9)
+		isc__taskmgr_setmode(manager, mode);
+	else
+		manager->methods->setmode(manager, mode);
+}
+
+isc_taskmgrmode_t
+isc_taskmgr_mode(isc_taskmgr_t *manager) {
+	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
+
+	if (isc_bind9)
+		return (isc__taskmgr_mode(manager));
+
+	return (manager->methods->mode(manager));
+}
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+		isc_task_t **taskp)
+{
+	REQUIRE(ISCAPI_TASKMGR_VALID(manager));
+	REQUIRE(taskp != NULL && *taskp == NULL);
+
+	if (isc_bind9)
+		return (isc__task_create(manager, quantum, taskp));
+
+	return (manager->methods->taskcreate(manager, quantum, taskp));
+}
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+	REQUIRE(ISCAPI_TASK_VALID(source));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	if (isc_bind9)
+		isc__task_attach(source, targetp);
+	else
+		source->methods->attach(source, targetp);
+
+	ENSURE(*targetp == source);
+}
+
+void
+isc_task_detach(isc_task_t **taskp) {
+	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+
+	if (isc_bind9)
+		isc__task_detach(taskp);
+	else
+		(*taskp)->methods->detach(taskp);
+
+	ENSURE(*taskp == NULL);
+}
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+	REQUIRE(eventp != NULL && *eventp != NULL);
+
+	if (isc_bind9)
+		isc__task_send(task, eventp);
+	else {
+		task->methods->send(task, eventp);
+		ENSURE(*eventp == NULL);
+	}
+}
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+	REQUIRE(taskp != NULL && ISCAPI_TASK_VALID(*taskp));
+	REQUIRE(eventp != NULL && *eventp != NULL);
+
+	if (isc_bind9)
+		isc__task_sendanddetach(taskp, eventp);
+	else {
+		(*taskp)->methods->sendanddetach(taskp, eventp);
+		ENSURE(*eventp == NULL);
+	}
+
+	ENSURE(*taskp == NULL);
+}
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+		void *tag, isc_eventlist_t *events)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_unsend(task, sender, type, tag, events));
+
+	return (task->methods->unsend(task, sender, type, tag, events));
+}
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_onshutdown(task, action, arg));
+
+	return (task->methods->onshutdown(task, action, arg));
+}
+
+void
+isc_task_shutdown(isc_task_t *task) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		isc__task_shutdown(task);
+	else
+		task->methods->shutdown(task);
+}
+
+void
+isc_task_destroy(isc_task_t **taskp) {
+	if (!isc_bind9)
+		return;
+
+	isc__task_destroy(taskp);
+}
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		isc__task_setname(task, name, tag);
+	else
+		task->methods->setname(task, name, tag);
+}
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type, void *tag)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_purge(task, sender, type, tag));
+
+	return (task->methods->purgeevents(task, sender, type, tag));
+}
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_beginexclusive(task));
+
+	return (task->methods->beginexclusive(task));
+}
+
+void
+isc_task_endexclusive(isc_task_t *task) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		isc__task_endexclusive(task);
+	else
+		task->methods->endexclusive(task);
+}
+
+void
+isc_task_setprivilege(isc_task_t *task, bool priv) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		isc__task_setprivilege(task, priv);
+	else
+		task->methods->setprivilege(task, priv);
+}
+
+bool
+isc_task_privilege(isc_task_t *task) {
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_privilege(task));
+
+	return (task->methods->privilege(task));
+}
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+	if (!isc_bind9)
+		return;
+
+	isc__task_getcurrenttime(task, t);
+}
+
+void
+isc_task_getcurrenttimex(isc_task_t *task, isc_time_t *t) {
+	if (!isc_bind9)
+		return;
+
+	isc__task_getcurrenttimex(task, t);
+}
+
+/*%
+ * This is necessary for libisc's internal timer implementation.  Other
+ * implementation might skip implementing this.
+ */
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+		    isc_eventtype_t last, void *tag)
+{
+	REQUIRE(ISCAPI_TASK_VALID(task));
+
+	if (isc_bind9)
+		return (isc__task_purgerange(task, sender, first, last, tag));
+
+	return (task->methods->purgerange(task, sender, first, last, tag));
+}
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
new file mode 100644
index 0000000..1fa3bb1
--- /dev/null
+++ b/lib/isc/task_p.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef ISC_TASK_P_H
+#define ISC_TASK_P_H
+
+/*! \file */
+
+#if defined(ISC_PLATFORM_USETHREADS)
+void
+isc__taskmgr_pause(isc_taskmgr_t *taskmgr);
+
+void
+isc__taskmgr_resume(isc_taskmgr_t *taskmgr);
+#else
+bool
+isc__taskmgr_ready(isc_taskmgr_t *taskmgr);
+
+isc_result_t
+isc__taskmgr_dispatch(isc_taskmgr_t *taskmgr);
+#endif /* !ISC_PLATFORM_USETHREADS */
+
+#endif /* ISC_TASK_P_H */
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
new file mode 100644
index 0000000..5dfc1d1
--- /dev/null
+++ b/lib/isc/taskpool.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+/***
+ *** Types.
+ ***/
+
+struct isc_taskpool {
+	isc_mem_t *			mctx;
+	isc_taskmgr_t *			tmgr;
+	unsigned int			ntasks;
+	unsigned int			quantum;
+	isc_task_t **			tasks;
+};
+
+/***
+ *** Functions.
+ ***/
+
+static isc_result_t
+alloc_pool(isc_taskmgr_t *tmgr, isc_mem_t *mctx, unsigned int ntasks,
+	   unsigned int quantum, isc_taskpool_t **poolp)
+{
+	isc_taskpool_t *pool;
+	unsigned int i;
+
+	pool = isc_mem_get(mctx, sizeof(*pool));
+	if (pool == NULL)
+		return (ISC_R_NOMEMORY);
+
+	pool->mctx = NULL;
+	isc_mem_attach(mctx, &pool->mctx);
+	pool->ntasks = ntasks;
+	pool->quantum = quantum;
+	pool->tmgr = tmgr;
+	pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+	if (pool->tasks == NULL) {
+		isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
+		return (ISC_R_NOMEMORY);
+	}
+	for (i = 0; i < ntasks; i++)
+		pool->tasks[i] = NULL;
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
+		    unsigned int ntasks, unsigned int quantum,
+		    isc_taskpool_t **poolp)
+{
+	unsigned int i;
+	isc_taskpool_t *pool = NULL;
+	isc_result_t result;
+
+	INSIST(ntasks > 0);
+
+	/* Allocate the pool structure */
+	result = alloc_pool(tmgr, mctx, ntasks, quantum, &pool);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Create the tasks */
+	for (i = 0; i < ntasks; i++) {
+		result = isc_task_create(tmgr, quantum, &pool->tasks[i]);
+		if (result != ISC_R_SUCCESS) {
+			isc_taskpool_destroy(&pool);
+			return (result);
+		}
+		isc_task_setname(pool->tasks[i], "taskpool", NULL);
+	}
+
+	*poolp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_taskpool_gettask(isc_taskpool_t *pool, isc_task_t **targetp) {
+	uint32_t i;
+	isc_random_get(&i);
+	isc_task_attach(pool->tasks[i % pool->ntasks], targetp);
+}
+
+int
+isc_taskpool_size(isc_taskpool_t *pool) {
+	REQUIRE(pool != NULL);
+	return (pool->ntasks);
+}
+
+isc_result_t
+isc_taskpool_expand(isc_taskpool_t **sourcep, unsigned int size,
+		    isc_taskpool_t **targetp)
+{
+	isc_result_t result;
+	isc_taskpool_t *pool;
+
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+	REQUIRE(targetp != NULL && *targetp == NULL);
+
+	pool = *sourcep;
+	if (size > pool->ntasks) {
+		isc_taskpool_t *newpool = NULL;
+		unsigned int i;
+
+		/* Allocate a new pool structure */
+		result = alloc_pool(pool->tmgr, pool->mctx, size,
+				    pool->quantum, &newpool);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		/* Copy over the tasks from the old pool */
+		for (i = 0; i < pool->ntasks; i++) {
+			newpool->tasks[i] = pool->tasks[i];
+			pool->tasks[i] = NULL;
+		}
+
+		/* Create new tasks */
+		for (i = pool->ntasks; i < size; i++) {
+			result = isc_task_create(pool->tmgr, pool->quantum,
+						 &newpool->tasks[i]);
+			if (result != ISC_R_SUCCESS) {
+				isc_taskpool_destroy(&newpool);
+				return (result);
+			}
+			isc_task_setname(newpool->tasks[i], "taskpool", NULL);
+		}
+
+		isc_taskpool_destroy(&pool);
+		pool = newpool;
+	}
+
+	*sourcep = NULL;
+	*targetp = pool;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp) {
+	unsigned int i;
+	isc_taskpool_t *pool = *poolp;
+	for (i = 0; i < pool->ntasks; i++) {
+		if (pool->tasks[i] != NULL)
+			isc_task_detach(&pool->tasks[i]);
+	}
+	isc_mem_put(pool->mctx, pool->tasks,
+		    pool->ntasks * sizeof(isc_task_t *));
+	isc_mem_putanddetach(&pool->mctx, pool, sizeof(*pool));
+	*poolp = NULL;
+}
+
+void
+isc_taskpool_setprivilege(isc_taskpool_t *pool, bool priv) {
+	unsigned int i;
+
+	REQUIRE(pool != NULL);
+
+	for (i = 0; i < pool->ntasks; i++) {
+		if (pool->tasks[i] != NULL)
+			isc_task_setprivilege(pool->tasks[i], priv);
+	}
+}
diff --git a/lib/isc/tests/Atffile b/lib/isc/tests/Atffile
new file mode 100644
index 0000000..8681844
--- /dev/null
+++ b/lib/isc/tests/Atffile
@@ -0,0 +1,33 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: aes_test
+tp: atomic_test
+tp: buffer_test
+tp: counter_test
+tp: errno_test
+tp: file_test
+tp: hash_test
+tp: heap_test
+tp: ht_test
+tp: inet_ntop_test
+tp: lex_test
+tp: mem_test
+tp: netaddr_test
+tp: parse_test
+tp: pool_test
+tp: print_test
+tp: queue_test
+tp: radix_test
+tp: random_test
+tp: regex_test
+tp: result_test
+tp: safe_test
+tp: sockaddr_test
+tp: socket_test
+tp: symtab_test
+tp: task_test
+tp: taskpool_test
+tp: time_test
+tp: timer_test
diff --git a/lib/isc/tests/Kyuafile b/lib/isc/tests/Kyuafile
new file mode 100644
index 0000000..1c510c1
--- /dev/null
+++ b/lib/isc/tests/Kyuafile
@@ -0,0 +1,32 @@
+syntax(2)
+test_suite('bind9')
+
+atf_test_program{name='aes_test'}
+atf_test_program{name='atomic_test'}
+atf_test_program{name='buffer_test'}
+atf_test_program{name='counter_test'}
+atf_test_program{name='errno_test'}
+atf_test_program{name='file_test'}
+atf_test_program{name='hash_test'}
+atf_test_program{name='heap_test'}
+atf_test_program{name='ht_test'}
+atf_test_program{name='inet_ntop_test'}
+atf_test_program{name='lex_test'}
+atf_test_program{name='mem_test'}
+atf_test_program{name='netaddr_test'}
+atf_test_program{name='parse_test'}
+atf_test_program{name='pool_test'}
+atf_test_program{name='print_test'}
+atf_test_program{name='queue_test'}
+atf_test_program{name='radix_test'}
+atf_test_program{name='random_test'}
+atf_test_program{name='regex_test'}
+atf_test_program{name='result_test'}
+atf_test_program{name='safe_test'}
+atf_test_program{name='sockaddr_test'}
+atf_test_program{name='socket_test'}
+atf_test_program{name='symtab_test'}
+atf_test_program{name='task_test'}
+atf_test_program{name='taskpool_test'}
+atf_test_program{name='time_test'}
+atf_test_program{name='timer_test'}
diff --git a/lib/isc/tests/Makefile.in b/lib/isc/tests/Makefile.in
new file mode 100644
index 0000000..add8068
--- /dev/null
+++ b/lib/isc/tests/Makefile.in
@@ -0,0 +1,177 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude ${ISC_INCLUDES} @ISC_OPENSSL_INC@
+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/isc/tests/\""
+
+ISCLIBS =	../libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCDEPLIBS =	../libisc.@A@
+
+LIBS =		@LIBS@ @ATFLIBS@
+
+OBJS =		isctest.@O@
+SRCS =		isctest.c aes_test.c atomic_test.c buffer_test.c \
+		counter_test.c errno_test.c file_test.c hash_test.c \
+		heap_test.c ht_test.c inet_ntop_test.c lex_test.c \
+		mem_test.c netaddr_test.c parse_test.c pool_test.c \
+		print_test.c queue_test.c radix_test.c random_test.c \
+		regex_test.c result_test.c safe_test.c sockaddr_test.c \
+		socket_test.c socket_test.c symtab_test.c task_test.c \
+		taskpool_test.c time_test.c timer_test.c
+
+SUBDIRS =
+TARGETS =	aes_test@EXEEXT@ atomic_test@EXEEXT@ buffer_test@EXEEXT@ \
+		counter_test@EXEEXT@ errno_test@EXEEXT@ file_test@EXEEXT@ \
+		hash_test@EXEEXT@ heap_test@EXEEXT@ ht_test@EXEEXT@ \
+		inet_ntop_test@EXEEXT@ lex_test@EXEEXT@ mem_test@EXEEXT@ \
+		netaddr_test@EXEEXT@ parse_test@EXEEXT@ pool_test@EXEEXT@ \
+		print_test@EXEEXT@ queue_test@EXEEXT@ radix_test@EXEEXT@ \
+		random_test@EXEEXT@ regex_test@EXEEXT@ result_test@EXEEXT@ \
+		safe_test@EXEEXT@ sockaddr_test@EXEEXT@ socket_test@EXEEXT@ \
+		socket_test@EXEEXT@ symtab_test@EXEEXT@ task_test@EXEEXT@ \
+		taskpool_test@EXEEXT@ time_test@EXEEXT@ timer_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+atomic_test@EXEEXT@: atomic_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			atomic_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+aes_test@EXEEXT@: aes_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			aes_test.@O@ ${ISCLIBS} ${LIBS}
+
+buffer_test@EXEEXT@: buffer_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			buffer_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+counter_test@EXEEXT@: counter_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			counter_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+errno_test@EXEEXT@: errno_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			errno_test.@O@ ${ISCLIBS} ${LIBS}
+
+file_test@EXEEXT@: file_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			file_test.@O@ ${ISCLIBS} ${LIBS}
+
+hash_test@EXEEXT@: hash_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			hash_test.@O@ ${ISCLIBS} ${LIBS}
+
+heap_test@EXEEXT@: heap_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			heap_test.@O@ ${ISCLIBS} ${LIBS}
+
+ht_test@EXEEXT@: ht_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			ht_test.@O@ ${ISCLIBS} ${LIBS}
+
+inet_ntop_test.c.@O@:	${top_srcdir}/lib/isc/ntop_test.c
+inet_ntop_test@EXEEXT@: inet_ntop_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			inet_ntop_test.@O@ ${ISCLIBS} ${LIBS}
+
+lex_test@EXEEXT@: lex_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			lex_test.@O@ ${ISCLIBS} ${LIBS}
+
+parse_test@EXEEXT@: parse_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			parse_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+pool_test@EXEEXT@: pool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			pool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+print_test.@O@:	${top_srcdir}/lib/isc/print.c
+print_test@EXEEXT@: print_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			print_test.@O@ ${ISCLIBS} ${LIBS}
+
+queue_test@EXEEXT@: queue_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			queue_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+radix_test@EXEEXT@: radix_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			radix_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+random_test@EXEEXT@: random_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			random_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+regex_test@EXEEXT@: regex_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			regex_test.@O@ ${ISCLIBS} ${LIBS}
+
+mem_test@EXEEXT@: mem_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			mem_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+netaddr_test@EXEEXT@: netaddr_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			netaddr_test.@O@ ${ISCLIBS} ${LIBS}
+
+result_test@EXEEXT@: result_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			result_test.@O@ ${ISCLIBS} ${LIBS}
+
+safe_test@EXEEXT@: safe_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			safe_test.@O@ ${ISCLIBS} ${LIBS}
+
+sockaddr_test@EXEEXT@: sockaddr_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			sockaddr_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+socket_test@EXEEXT@: socket_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			socket_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+symtab_test@EXEEXT@: symtab_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			symtab_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+task_test@EXEEXT@: task_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			task_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+taskpool_test@EXEEXT@: taskpool_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			taskpool_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+time_test@EXEEXT@: time_test.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			time_test.@O@ ${ISCLIBS} ${LIBS}
+
+timer_test@EXEEXT@: timer_test.@O@ isctest.@O@ ${ISCDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			timer_test.@O@ isctest.@O@ ${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/isc/tests/aes_test.c b/lib/isc/tests/aes_test.c
new file mode 100644
index 0000000..9c15b52
--- /dev/null
+++ b/lib/isc/tests/aes_test.c
@@ -0,0 +1,294 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/aes.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/platform.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_WANTAES
+
+/*
+ * Test data from NIST KAT
+ */
+
+isc_result_t
+tohexstr(unsigned char *d, char *out);
+
+size_t
+fromhexstr(const char *in, unsigned char *d);
+
+unsigned char plaintext[3 * ISC_AES_BLOCK_LENGTH];
+unsigned char ciphertext[ISC_AES_BLOCK_LENGTH];
+char str[2 * ISC_AES_BLOCK_LENGTH + 1];
+unsigned char key[ISC_AES256_KEYLENGTH + 1];
+size_t len;
+
+isc_result_t
+tohexstr(unsigned char *d, char *out) {
+	isc_buffer_t b;
+	isc_region_t r;
+
+	isc_buffer_init(&b, out, 2 * ISC_AES_BLOCK_LENGTH + 1);
+	r.base = d;
+	r.length = ISC_AES_BLOCK_LENGTH;
+	return (isc_hex_totext(&r, 0, "", &b));
+}
+
+size_t
+fromhexstr(const char *in, unsigned char *d)
+{
+	isc_buffer_t b;
+	isc_result_t ret;
+
+	isc_buffer_init(&b, d, ISC_AES256_KEYLENGTH + 1);
+	ret = isc_hex_decodestring(in, &b);
+	if (ret != ISC_R_SUCCESS)
+		return 0;
+	return isc_buffer_usedlength(&b);
+}
+
+typedef struct aes_testcase {
+	const char *key;
+	const char *input;
+	const char *result;
+} aes_testcase_t;
+
+
+ATF_TC(isc_aes128);
+ATF_TC_HEAD(isc_aes128, tc) {
+	atf_tc_set_md_var(tc, "descr", "AES 128 test vectors");
+}
+ATF_TC_BODY(isc_aes128, tc) {
+	UNUSED(tc);
+
+	aes_testcase_t testcases[] = {
+		/* Test 1 (KAT ECBVarTxt128 #3) */
+		{
+			"00000000000000000000000000000000",
+			"F0000000000000000000000000000000",
+			"96D9FD5CC4F07441727DF0F33E401A36"
+		},
+		/* Test 2 (KAT ECBVarTxt128 #123) */
+		{
+			"00000000000000000000000000000000",
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"F9B0FDA0C4A898F5B9E6F661C4CE4D07"
+		},
+		/* Test 3 (KAT ECBVarKey128 #3) */
+		{
+			"F0000000000000000000000000000000",
+			"00000000000000000000000000000000",
+			"970014D634E2B7650777E8E84D03CCD8"
+		},
+		/* Test 4 (KAT ECBVarKey128 #123) */
+		{
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"00000000000000000000000000000000",
+			"41C78C135ED9E98C096640647265DA1E"
+		},
+		/* Test 5 (KAT ECBGFSbox128 #3) */
+		{
+			"00000000000000000000000000000000",
+			"6A118A874519E64E9963798A503F1D35",
+			"DC43BE40BE0E53712F7E2BF5CA707209"
+		},
+		/* Test 6 (KAT ECBKeySbox128 #3) */
+		{
+			"B6364AC4E1DE1E285EAF144A2415F7A0",
+			"00000000000000000000000000000000",
+			"5D9B05578FC944B3CF1CCF0E746CD581"
+		},
+		{ NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		ATF_CHECK_EQ(len, ISC_AES128_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		ATF_CHECK_EQ(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes128_crypt(key, plaintext, ciphertext);
+		ATF_CHECK(tohexstr(ciphertext, str) == ISC_R_SUCCESS);
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_aes192);
+ATF_TC_HEAD(isc_aes192, tc) {
+	atf_tc_set_md_var(tc, "descr", "AES 192 test vectors");
+}
+ATF_TC_BODY(isc_aes192, tc) {
+	UNUSED(tc);
+
+	aes_testcase_t testcases[] = {
+		/* Test 1 (KAT ECBVarTxt192 #3) */
+		{
+			"000000000000000000000000000000000000000000000000",
+			"F0000000000000000000000000000000",
+			"2A560364CE529EFC21788779568D5555"
+		},
+		/* Test 2 (KAT ECBVarTxt192 #123) */
+		{
+			"000000000000000000000000000000000000000000000000",
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"2AABB999F43693175AF65C6C612C46FB"
+		},
+		/* Test 3 (KAT ECBVarKey192 #3) */
+		{
+			"F00000000000000000000000000000000000000000000000",
+			"00000000000000000000000000000000",
+			"180B09F267C45145DB2F826C2582D35C"
+		},
+		/* Test 4 (KAT ECBVarKey192 #187) */
+		{
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"00000000000000000000000000000000",
+			"EACF1E6C4224EFB38900B185AB1DFD42"
+		},
+		/* Test 5 (KAT ECBGFSbox192 #3) */
+		{
+			"000000000000000000000000000000000000000000000000",
+			"51719783D3185A535BD75ADC65071CE1",
+			"4F354592FF7C8847D2D0870CA9481B7C"
+		},
+		/* Test 6 (KAT ECBKeySbox192 #3) */
+		{
+			"CD62376D5EBB414917F0C78F05266433DC9192A1EC943300",
+			"00000000000000000000000000000000",
+			"7F6C25FF41858561BB62F36492E93C29"
+		},
+		{ NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		ATF_CHECK_EQ(len, ISC_AES192_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		ATF_CHECK_EQ(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes192_crypt(key, plaintext, ciphertext);
+		ATF_CHECK(tohexstr(ciphertext, str) == ISC_R_SUCCESS);
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_aes256);
+ATF_TC_HEAD(isc_aes256, tc) {
+	atf_tc_set_md_var(tc, "descr", "AES 256 test vectors");
+}
+ATF_TC_BODY(isc_aes256, tc) {
+	UNUSED(tc);
+
+	aes_testcase_t testcases[] = {
+		/* Test 1 (KAT ECBVarTxt256 #3) */
+		{
+			"00000000000000000000000000000000"
+			"00000000000000000000000000000000",
+			"F0000000000000000000000000000000",
+			"7F2C5ECE07A98D8BEE13C51177395FF7"
+		},
+		/* Test 2 (KAT ECBVarTxt256 #123) */
+		{
+			"00000000000000000000000000000000"
+			"00000000000000000000000000000000",
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"7240E524BC51D8C4D440B1BE55D1062C"
+		},
+		/* Test 3 (KAT ECBVarKey256 #3) */
+		{
+			"F0000000000000000000000000000000"
+			"00000000000000000000000000000000",
+			"00000000000000000000000000000000",
+			"1C777679D50037C79491A94DA76A9A35"
+		},
+		/* Test 4 (KAT ECBVarKey256 #251) */
+		{
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+			"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0",
+			"00000000000000000000000000000000",
+			"03720371A04962EAEA0A852E69972858"
+		},
+		/* Test 5 (KAT ECBGFSbox256 #3) */
+		{
+			"00000000000000000000000000000000"
+			"00000000000000000000000000000000",
+			"8A560769D605868AD80D819BDBA03771",
+			"38F2C7AE10612415D27CA190D27DA8B4"
+		},
+		/* Test 6 (KAT ECBKeySbox256 #3) */
+		{
+			"984CA75F4EE8D706F46C2D98C0BF4A45"
+			"F5B00D791C2DFEB191B5ED8E420FD627",
+			"00000000000000000000000000000000",
+			"4307456A9E67813B452E15FA8FFFE398"
+		},
+		{ NULL, NULL, NULL }
+	};
+
+	aes_testcase_t *testcase = testcases;
+
+	while (testcase->key != NULL) {
+		len = fromhexstr(testcase->key, key);
+		ATF_CHECK_EQ(len, ISC_AES256_KEYLENGTH);
+		len = fromhexstr(testcase->input, plaintext);
+		ATF_CHECK_EQ(len, ISC_AES_BLOCK_LENGTH);
+		isc_aes256_crypt(key, plaintext, ciphertext);
+		ATF_CHECK(tohexstr(ciphertext, str) == ISC_R_SUCCESS);
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping aes test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("AES not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#ifdef ISC_PLATFORM_WANTAES
+	ATF_TP_ADD_TC(tp, isc_aes128);
+	ATF_TP_ADD_TC(tp, isc_aes192);
+	ATF_TP_ADD_TC(tp, isc_aes256);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/atomic_test.c b/lib/isc/tests/atomic_test.c
new file mode 100644
index 0000000..8013010
--- /dev/null
+++ b/lib/isc/tests/atomic_test.c
@@ -0,0 +1,354 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#include <atf-c.h>
+
+#include <isc/atomic.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+#include "isctest.h"
+
+#define TASKS 32
+#define ITERATIONS 1000
+#define COUNTS_PER_ITERATION 1000
+#define INCREMENT_64 (int64_t)0x0000000010000000
+#define EXPECTED_COUNT_32 (TASKS * ITERATIONS * COUNTS_PER_ITERATION)
+#define EXPECTED_COUNT_64 (TASKS * ITERATIONS * COUNTS_PER_ITERATION * INCREMENT_64)
+
+typedef struct {
+	uint32_t iteration;
+} counter_t;
+
+counter_t counters[TASKS];
+
+#if defined(ISC_PLATFORM_HAVEXADD)
+static int32_t counter_32;
+
+static void
+do_xadd(isc_task_t *task, isc_event_t *ev) {
+	counter_t *state = (counter_t *)ev->ev_arg;
+	int i;
+
+	for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
+		isc_atomic_xadd(&counter_32, 1);
+	}
+
+	state->iteration++;
+	if (state->iteration < ITERATIONS) {
+		isc_task_send(task, &ev);
+	} else {
+		isc_event_free(&ev);
+	}
+}
+
+ATF_TC(atomic_xadd);
+ATF_TC_HEAD(atomic_xadd, tc) {
+	atf_tc_set_md_var(tc, "descr", "atomic XADD");
+}
+ATF_TC_BODY(atomic_xadd, tc) {
+	isc_result_t result;
+	isc_task_t *tasks[TASKS];
+	isc_event_t *event = NULL;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(counters, 0, sizeof(counters));
+	counter_32 = 0;
+
+	/*
+	 * Create our tasks, and allocate an event to get the counters going.
+	 */
+	for (i = 0 ; i < TASKS ; i++) {
+		tasks[i] = NULL;
+		ATF_REQUIRE_EQ(isc_task_create(taskmgr, 0, &tasks[i]),
+			       ISC_R_SUCCESS);
+		event = isc_event_allocate(mctx, NULL, 1000, do_xadd,
+					   &counters[i],
+					   sizeof(struct isc_event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_sendanddetach(&tasks[i], &event);
+	}
+
+	isc_test_end();
+
+	printf("32-bit counter %d, expected %d\n",
+	       counter_32, EXPECTED_COUNT_32);
+
+	ATF_CHECK_EQ(counter_32, EXPECTED_COUNT_32);
+	counter_32 = 0;
+}
+#endif
+
+#if defined(ISC_PLATFORM_HAVEXADDQ)
+static int64_t counter_64;
+
+static void
+do_xaddq(isc_task_t *task, isc_event_t *ev) {
+	counter_t *state = (counter_t *)ev->ev_arg;
+	int i;
+
+	for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
+		isc_atomic_xaddq(&counter_64, INCREMENT_64);
+	}
+
+	state->iteration++;
+	if (state->iteration < ITERATIONS) {
+		isc_task_send(task, &ev);
+	} else {
+		isc_event_free(&ev);
+	}
+}
+
+ATF_TC(atomic_xaddq);
+ATF_TC_HEAD(atomic_xaddq, tc) {
+	atf_tc_set_md_var(tc, "descr", "atomic XADDQ");
+}
+ATF_TC_BODY(atomic_xaddq, tc) {
+	isc_result_t result;
+	isc_task_t *tasks[TASKS];
+	isc_event_t *event = NULL;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(counters, 0, sizeof(counters));
+	counter_64 = 0;
+
+	/*
+	 * Create our tasks, and allocate an event to get the counters going.
+	 */
+	for (i = 0 ; i < TASKS ; i++) {
+		tasks[i] = NULL;
+		ATF_REQUIRE_EQ(isc_task_create(taskmgr, 0, &tasks[i]),
+			       ISC_R_SUCCESS);
+		event = isc_event_allocate(mctx, NULL, 1000, do_xaddq,
+					   &counters[i],
+					   sizeof(struct isc_event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_sendanddetach(&tasks[i], &event);
+	}
+
+	isc_test_end();
+
+	printf("64-bit counter %" PRId64 ", "
+	       "expected %" PRId64 "\n",
+	       counter_64, EXPECTED_COUNT_64);
+
+	ATF_CHECK_EQ(counter_64, EXPECTED_COUNT_64);
+	counter_32 = 0;
+}
+#endif
+
+#if defined(ISC_PLATFORM_HAVEATOMICSTORE)
+static int32_t store_32;
+
+static void
+do_store(isc_task_t *task, isc_event_t *ev) {
+	counter_t *state = (counter_t *)ev->ev_arg;
+	int i;
+	uint32_t r;
+	uint32_t val;
+
+	r = random() % 256;
+	val = (r << 24) | (r << 16) | (r << 8) | r;
+
+	for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
+		isc_atomic_store(&store_32, val);
+	}
+
+	state->iteration++;
+	if (state->iteration < ITERATIONS) {
+		isc_task_send(task, &ev);
+	} else {
+		isc_event_free(&ev);
+	}
+}
+
+ATF_TC(atomic_store);
+ATF_TC_HEAD(atomic_store, tc) {
+	atf_tc_set_md_var(tc, "descr", "atomic STORE");
+}
+ATF_TC_BODY(atomic_store, tc) {
+	isc_result_t result;
+	isc_task_t *tasks[TASKS];
+	isc_event_t *event = NULL;
+	uint32_t val;
+	uint32_t r;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(counters, 0, sizeof(counters));
+	store_32 = 0;
+
+	/*
+	 * Create our tasks, and allocate an event to get the counters
+	 * going.
+	 */
+	for (i = 0 ; i < TASKS ; i++) {
+		tasks[i] = NULL;
+		ATF_REQUIRE_EQ(isc_task_create(taskmgr, 0, &tasks[i]),
+			       ISC_R_SUCCESS);
+		event = isc_event_allocate(mctx, NULL, 1000, do_store,
+					   &counters[i],
+					   sizeof(struct isc_event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_sendanddetach(&tasks[i], &event);
+	}
+
+	isc_test_end();
+
+	r = store_32 & 0xff;
+	val = (r << 24) | (r << 16) | (r << 8) | r;
+
+	printf("32-bit store 0x%x, expected 0x%x\n",
+	       (uint32_t) store_32, val);
+
+	ATF_CHECK_EQ((uint32_t) store_32, val);
+	store_32 = 0;
+}
+#endif
+
+#if defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
+static int64_t store_64;
+
+static void
+do_storeq(isc_task_t *task, isc_event_t *ev) {
+	counter_t *state = (counter_t *)ev->ev_arg;
+	int i;
+	uint8_t r;
+	uint64_t val;
+
+	r = random() % 256;
+	val = (((uint64_t) r << 24) |
+	       ((uint64_t) r << 16) |
+	       ((uint64_t) r << 8) |
+	       (uint64_t) r);
+	val |= ((uint64_t) val << 32);
+
+	for (i = 0 ; i < COUNTS_PER_ITERATION ; i++) {
+		isc_atomic_storeq(&store_64, val);
+	}
+
+	state->iteration++;
+	if (state->iteration < ITERATIONS) {
+		isc_task_send(task, &ev);
+	} else {
+		isc_event_free(&ev);
+	}
+}
+
+ATF_TC(atomic_storeq);
+ATF_TC_HEAD(atomic_storeq, tc) {
+	atf_tc_set_md_var(tc, "descr", "atomic STOREQ");
+}
+ATF_TC_BODY(atomic_storeq, tc) {
+	isc_result_t result;
+	isc_task_t *tasks[TASKS];
+	isc_event_t *event = NULL;
+	uint64_t val;
+	uint32_t r;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	memset(counters, 0, sizeof(counters));
+	store_64 = 0;
+
+	/*
+	 * Create our tasks, and allocate an event to get the counters
+	 * going.
+	 */
+	for (i = 0 ; i < TASKS ; i++) {
+		tasks[i] = NULL;
+		ATF_REQUIRE_EQ(isc_task_create(taskmgr, 0, &tasks[i]),
+			       ISC_R_SUCCESS);
+		event = isc_event_allocate(mctx, NULL, 1000, do_storeq,
+					   &counters[i],
+					   sizeof(struct isc_event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_sendanddetach(&tasks[i], &event);
+	}
+
+	isc_test_end();
+
+	r = store_64 & 0xff;
+	val = (((uint64_t) r << 24) |
+	       ((uint64_t) r << 16) |
+	       ((uint64_t) r << 8) |
+	       (uint64_t) r);
+	val |= ((uint64_t) val << 32);
+
+	printf("64-bit store 0x%" PRIx64 ", "
+	       "expected 0x%" PRIx64 "\n",
+	       (uint64_t) store_64, val);
+
+	ATF_CHECK_EQ((uint64_t) store_64, val);
+	store_64 = 0;
+}
+#endif
+
+#if !defined(ISC_PLATFORM_HAVEXADD) && \
+    !defined(ISC_PLATFORM_HAVEXADDQ) && \
+    !defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping aes test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("AES not available");
+}
+#endif /* !HAVEXADD, !HAVEXADDQ, !HAVEATOMICSTOREQ */
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#if defined(ISC_PLATFORM_HAVEXADD)
+	ATF_TP_ADD_TC(tp, atomic_xadd);
+#endif
+#if defined(ISC_PLATFORM_HAVEXADDQ)
+	ATF_TP_ADD_TC(tp, atomic_xaddq);
+#endif
+#ifdef ISC_PLATFORM_HAVEATOMICSTORE
+	ATF_TP_ADD_TC(tp, atomic_store);
+#endif
+#if defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
+	ATF_TP_ADD_TC(tp, atomic_storeq);
+#endif
+#if !defined(ISC_PLATFORM_HAVEXADD) && \
+    !defined(ISC_PLATFORM_HAVEXADDQ) && \
+    !defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/buffer_test.c b/lib/isc/tests/buffer_test.c
new file mode 100644
index 0000000..a2d76cc
--- /dev/null
+++ b/lib/isc/tests/buffer_test.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <atf-c.h>
+
+#include "isctest.h"
+
+#include <isc/buffer.h>
+#include <isc/result.h>
+
+ATF_TC(isc_buffer_reserve);
+ATF_TC_HEAD(isc_buffer_reserve, tc) {
+	atf_tc_set_md_var(tc, "descr", "reserve space in dynamic buffers");
+}
+
+ATF_TC_BODY(isc_buffer_reserve, tc) {
+	isc_result_t result;
+	isc_buffer_t *b;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	b = NULL;
+	result = isc_buffer_allocate(mctx, &b, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_EQ(b->length, 1024);
+
+	/*
+	 * 1024 bytes should already be available, so this call does
+	 * nothing.
+	 */
+	result = isc_buffer_reserve(&b, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 1024);
+
+	/*
+	 * This call should grow it to 2048 bytes as only 1024 bytes are
+	 * available in the buffer.
+	 */
+	result = isc_buffer_reserve(&b, 1025);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 2048);
+
+	/*
+	 * 2048 bytes should already be available, so this call does
+	 * nothing.
+	 */
+	result = isc_buffer_reserve(&b, 2000);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 2048);
+
+	/*
+	 * This call should grow it to 4096 bytes as only 2048 bytes are
+	 * available in the buffer.
+	 */
+	result = isc_buffer_reserve(&b, 3000);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 4096);
+
+	/* Consume some of the buffer so we can run the next test. */
+	isc_buffer_add(b, 4096);
+
+	/*
+	 * This call should fail and leave buffer untouched.
+	 */
+	result = isc_buffer_reserve(&b, UINT_MAX);
+	ATF_CHECK_EQ(result, ISC_R_NOMEMORY);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 4096);
+
+	isc_buffer_free(&b);
+
+	isc_test_end();
+}
+
+ATF_TC(isc_buffer_reallocate);
+ATF_TC_HEAD(isc_buffer_reallocate, tc) {
+	atf_tc_set_md_var(tc, "descr", "reallocate dynamic buffers");
+}
+
+ATF_TC_BODY(isc_buffer_reallocate, tc) {
+	isc_result_t result;
+	isc_buffer_t *b;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	b = NULL;
+	result = isc_buffer_allocate(mctx, &b, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 1024);
+
+	result = isc_buffer_reallocate(&b, 512);
+	ATF_CHECK_EQ(result, ISC_R_NOSPACE);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 1024);
+
+	result = isc_buffer_reallocate(&b, 1536);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(ISC_BUFFER_VALID(b));
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, 1536);
+
+	isc_buffer_free(&b);
+
+	isc_test_end();
+}
+
+ATF_TC(isc_buffer_dynamic);
+ATF_TC_HEAD(isc_buffer_dynamic, tc) {
+	atf_tc_set_md_var(tc, "descr", "dynamic buffer automatic reallocation");
+}
+
+ATF_TC_BODY(isc_buffer_dynamic, tc) {
+	isc_result_t result;
+	isc_buffer_t *b;
+	size_t last_length = 10;
+	int i;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	b = NULL;
+	result = isc_buffer_allocate(mctx, &b, last_length);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(b != NULL);
+	ATF_CHECK_EQ(b->length, last_length);
+
+	isc_buffer_setautorealloc(b, true);
+
+	isc_buffer_putuint8(b, 1);
+
+	for (i = 0; i < 1000; i++) {
+		isc_buffer_putstr(b, "thisisa24charslongstring");
+	}
+	ATF_CHECK(b->length-last_length >= 1000*24);
+	last_length+=1000*24;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint8(b, 1);
+	}
+
+	ATF_CHECK(b->length-last_length >= 10000*1);
+	last_length += 10000*1;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint16(b, 1);
+	}
+
+	ATF_CHECK(b->length-last_length >= 10000*2);
+
+	last_length += 10000*2;
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint24(b, 1);
+	}
+	ATF_CHECK(b->length-last_length >= 10000*3);
+
+	last_length+=10000*3;
+
+	for (i = 0; i < 10000; i++) {
+		isc_buffer_putuint32(b, 1);
+	}
+	ATF_CHECK(b->length-last_length >= 10000*4);
+
+
+	isc_buffer_free(&b);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_buffer_reserve);
+	ATF_TP_ADD_TC(tp, isc_buffer_reallocate);
+	ATF_TP_ADD_TC(tp, isc_buffer_dynamic);
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/counter_test.c b/lib/isc/tests/counter_test.c
new file mode 100644
index 0000000..ddcdae3
--- /dev/null
+++ b/lib/isc/tests/counter_test.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+
+#include <atf-c.h>
+
+#include <isc/counter.h>
+#include <isc/result.h>
+
+#include "isctest.h"
+
+ATF_TC(isc_counter);
+ATF_TC_HEAD(isc_counter, tc) {
+	atf_tc_set_md_var(tc, "descr", "isc counter object");
+}
+ATF_TC_BODY(isc_counter, tc) {
+	isc_result_t result;
+	isc_counter_t *counter = NULL;
+	int i;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_counter_create(mctx, 0, &counter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < 10; i++) {
+		result = isc_counter_increment(counter);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	}
+
+	ATF_CHECK_EQ(isc_counter_used(counter), 10);
+
+	isc_counter_setlimit(counter, 15);
+	for (i = 0; i < 10; i++) {
+		result = isc_counter_increment(counter);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+
+	ATF_CHECK_EQ(isc_counter_used(counter), 15);
+
+	isc_counter_detach(&counter);
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_counter);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/errno_test.c b/lib/isc/tests/errno_test.c
new file mode 100644
index 0000000..e45bdd8
--- /dev/null
+++ b/lib/isc/tests/errno_test.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <sys/errno.h>
+
+#include <atf-c.h>
+
+#include <isc/errno.h>
+#include <isc/result.h>
+
+typedef struct {
+	int err;
+	isc_result_t result;
+} testpair_t;
+
+testpair_t testpair[] = {
+	{ EPERM, ISC_R_NOPERM },
+	{ ENOENT, ISC_R_FILENOTFOUND },
+	{ EIO, ISC_R_IOERROR },
+	{ EBADF, ISC_R_INVALIDFILE },
+	{ ENOMEM, ISC_R_NOMEMORY },
+	{ EACCES, ISC_R_NOPERM },
+	{ EEXIST, ISC_R_FILEEXISTS },
+	{ ENOTDIR, ISC_R_INVALIDFILE },
+	{ EINVAL, ISC_R_INVALIDFILE },
+	{ ENFILE, ISC_R_TOOMANYOPENFILES },
+	{ EMFILE, ISC_R_TOOMANYOPENFILES },
+	{ EPIPE, ISC_R_CONNECTIONRESET },
+	{ ENAMETOOLONG, ISC_R_INVALIDFILE },
+	{ ELOOP, ISC_R_INVALIDFILE },
+#ifdef EOVERFLOW
+	{ EOVERFLOW, ISC_R_RANGE },
+#endif
+#ifdef EAFNOSUPPORT
+	{ EAFNOSUPPORT, ISC_R_FAMILYNOSUPPORT },
+#endif
+#ifdef EADDRINUSE
+	{ EADDRINUSE, ISC_R_ADDRINUSE },
+#endif
+	{ EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL },
+#ifdef ENETDOWN
+	{ ENETDOWN, ISC_R_NETDOWN },
+#endif
+#ifdef ENETUNREACH
+	{ ENETUNREACH, ISC_R_NETUNREACH },
+#endif
+#ifdef ECONNABORTED
+	{ ECONNABORTED, ISC_R_CONNECTIONRESET },
+#endif
+#ifdef ECONNRESET
+	{ ECONNRESET, ISC_R_CONNECTIONRESET },
+#endif
+#ifdef ENOBUFS
+	{ ENOBUFS, ISC_R_NORESOURCES },
+#endif
+#ifdef ENOTCONN
+	{ ENOTCONN, ISC_R_NOTCONNECTED },
+#endif
+#ifdef ETIMEDOUT
+	{ ETIMEDOUT, ISC_R_TIMEDOUT },
+#endif
+	{ ECONNREFUSED, ISC_R_CONNREFUSED },
+#ifdef EHOSTDOWN
+	{ EHOSTDOWN, ISC_R_HOSTDOWN },
+#endif
+#ifdef EHOSTUNREACH
+	{ EHOSTUNREACH, ISC_R_HOSTUNREACH },
+#endif
+	{ 0, ISC_R_UNEXPECTED }
+};
+
+ATF_TC(isc_errno_toresult);
+ATF_TC_HEAD(isc_errno_toresult, tc) {
+	atf_tc_set_md_var(tc, "descr", "convert errno to ISC result");
+}
+ATF_TC_BODY(isc_errno_toresult, tc) {
+	isc_result_t result, expect;
+	size_t i;
+
+	for (i = 0; i < sizeof(testpair)/sizeof(testpair[0]); i++) {
+		result = isc_errno_toresult(testpair[i].err);
+		expect = testpair[i].result;
+		ATF_CHECK(result == expect);
+	}
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_errno_toresult);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/file_test.c b/lib/isc/tests/file_test.c
new file mode 100644
index 0000000..3dadb52
--- /dev/null
+++ b/lib/isc/tests/file_test.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <atf-c.h>
+
+#include <isc/file.h>
+#include <isc/result.h>
+
+ATF_TC(isc_file_sanitize);
+ATF_TC_HEAD(isc_file_sanitize, tc) {
+	atf_tc_set_md_var(tc, "descr", "sanitized filenames");
+}
+
+#define NAME "internal"
+#define SHA "3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f"
+#define TRUNC_SHA "3bed2cb3a3acf7b6"
+
+#define BAD1 "in/internal"
+#define BADHASH1 "8bbb97a888791399"
+
+#define BAD2 "Internal"
+#define BADHASH2 "2ea1842b445b0c81"
+
+#define F(x) "testdata/file/" x ".test"
+
+static void
+touch(const char *filename) {
+	int fd;
+
+	unlink(filename);
+	fd = creat(filename, 0644);
+	if (fd != -1)
+		close(fd);
+}
+
+ATF_TC_BODY(isc_file_sanitize, tc) {
+	isc_result_t result;
+	char buf[1024];
+
+	ATF_CHECK(chdir(TESTS) != -1);
+
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(strcmp(buf, F(NAME)) == 0);
+
+	touch(F(TRUNC_SHA));
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(strcmp(buf, F(TRUNC_SHA)) == 0);
+
+	touch(F(SHA));
+	result = isc_file_sanitize("testdata/file", NAME, "test", buf, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(strcmp(buf, F(SHA)) == 0);
+
+	result = isc_file_sanitize("testdata/file", BAD1, "test", buf, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(strcmp(buf, F(BADHASH1)) == 0);
+
+	result = isc_file_sanitize("testdata/file", BAD2, "test", buf, 1024);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(strcmp(buf, F(BADHASH2)) == 0);
+
+	unlink(F(TRUNC_SHA));
+	unlink(F(SHA));
+}
+
+ATF_TC(isc_file_template);
+ATF_TC_HEAD(isc_file_template, tc) {
+	atf_tc_set_md_var(tc, "descr", "file template");
+}
+
+ATF_TC_BODY(isc_file_template, tc) {
+	isc_result_t result;
+	char buf[1024];
+
+	ATF_CHECK(chdir(TESTS) != -1);
+
+	result = isc_file_template("/absolute/path", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "/absolute/file-XXXXXXXX");
+
+	result = isc_file_template("relative/path", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "relative/file-XXXXXXXX");
+
+	result = isc_file_template("/trailing/slash/", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "/trailing/slash/file-XXXXXXXX");
+
+	result = isc_file_template("relative/trailing/slash/", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "relative/trailing/slash/file-XXXXXXXX");
+
+	result = isc_file_template("/", "file-XXXXXXXX", buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "/file-XXXXXXXX");
+
+	result = isc_file_template("noslash", "file-XXXXXXXX",
+				   buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "file-XXXXXXXX");
+
+	result = isc_file_template(NULL, "file-XXXXXXXX", buf, sizeof(buf));
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(buf, "file-XXXXXXXX");
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_file_sanitize);
+	ATF_TP_ADD_TC(tp, isc_file_template);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/hash_test.c b/lib/isc/tests/hash_test.c
new file mode 100644
index 0000000..8f12342
--- /dev/null
+++ b/lib/isc/tests/hash_test.c
@@ -0,0 +1,2038 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/hash.h>
+
+#include <isc/crc64.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+#include <isc/print.h>
+#include <isc/string.h>
+
+#include <pk11/site.h>
+
+/*
+ * Test data from RFC6234
+ */
+
+unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+unsigned char buffer[1024];
+const char *s;
+char str[2 * ISC_SHA512_DIGESTLENGTH + 3];
+unsigned char key[20];
+
+/*
+ * Precondition: a hexadecimal number in *d, the length of that number in len,
+ *   and a pointer to a character array to put the output (*out).
+ * Postcondition: A String representation of the given hexadecimal number is
+ *   placed into the array *out
+ *
+ * 'out' MUST point to an array of at least len * 2 + 1
+ *
+ * Return values: ISC_R_SUCCESS if the operation is sucessful
+ */
+static isc_result_t
+tohexstr(unsigned char *d, unsigned int len, char *out, size_t out_size) {
+	char c_ret[] = "AA";
+	unsigned int i;
+
+	out[0] = '\0';
+	strlcat(out, "0x", out_size);
+	for (i = 0; i < len; i++) {
+		snprintf(c_ret, sizeof(c_ret), "%02X", d[i]);
+		strlcat(out, c_ret, out_size);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+
+#define TEST_INPUT(x) (x), sizeof(x)-1
+
+typedef struct hash_testcase {
+	const char *input;
+	size_t input_len;
+	const char *result;
+	int repeats;
+} hash_testcase_t;
+
+typedef struct hash_test_key {
+	const char *key;
+	const int len;
+} hash_test_key_t;
+
+/* non-hmac tests */
+
+ATF_TC(isc_sha1);
+ATF_TC_HEAD(isc_sha1, tc) {
+	atf_tc_set_md_var(tc, "descr", "sha1 examples from RFC4634");
+}
+ATF_TC_BODY(isc_sha1, tc) {
+	isc_sha1_t sha1;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("abc"),
+			"0xA9993E364706816ABA3E25717850C26C9CD0D89D",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijk"
+				   "ljklmklmnlmnomnopnopq"),
+			"0x84983E441C3BD26EBAAE4AA1F95129E5E54670F1",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("a") /* times 1000000 */,
+			"0x34AA973CD4C4DAA4F61EEB2BDBAD27316534016F",
+			1000000
+		},
+		/* Test 4 -- exact multiple of 512 bits */
+		{
+			TEST_INPUT("01234567012345670123456701234567"),
+			"0xDEA356A2CDDD90C7A7ECEDC5EBB563934F460452",
+			20 /* 20 times */
+		},
+#if 0
+		/* Test 5 -- optional feature, not implemented */
+		{
+			TEST_INPUT(""),
+			/* "extrabits": 0x98 , "numberextrabits": 5 */
+			"0x29826B003B906E660EFF4027CE98AF3531AC75BA",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("\x5e"),
+			"0x5E6F80A34A9798CAFC6A5DB96CC57BA4C4DB59C2",
+			1
+		},
+#if 0
+		/* Test 7 -- optional feature, not implemented */
+		{
+			TEST_INPUT("\x49\xb2\xae\xc2\x59\x4b\xbe\x3a"
+				   "\x3b\x11\x75\x42\xd9\x4a\xc8"),
+			/* "extrabits": 0x80, "numberextrabits": 3 */
+		  "0x6239781E03729919C01955B3FFA8ACB60B988340", 1 },
+#endif
+		/* Test 8 */
+		{
+			TEST_INPUT("\x9a\x7d\xfd\xf1\xec\xea\xd0\x6e\xd6\x46"
+				   "\xaa\x55\xfe\x75\x71\x46"),
+			"0x82ABFF6605DBE1C17DEF12A394FA22A82B544A35",
+			1
+		},
+#if 0
+		/* Test 9 -- optional feature, not implemented */
+		{
+			TEST_INPUT("\x65\xf9\x32\x99\x5b\xa4\xce\x2c\xb1\xb4"
+				   "\xa2\xe7\x1a\xe7\x02\x20\xaa\xce\xc8\x96"
+				   "\x2d\xd4\x49\x9c\xbd\x7c\x88\x7a\x94\xea"
+				   "\xaa\x10\x1e\xa5\xaa\xbc\x52\x9b\x4e\x7e"
+				   "\x43\x66\x5a\x5a\xf2\xcd\x03\xfe\x67\x8e"
+				   "\xa6\xa5\x00\x5b\xba\x3b\x08\x22\x04\xc2"
+				   "\x8b\x91\x09\xf4\x69\xda\xc9\x2a\xaa\xb3"
+				   "\xaa\x7c\x11\xa1\xb3\x2a"),
+			/* "extrabits": 0xE0 , "numberextrabits": 3 */
+			"0x8C5B2A5DDAE5A97FC7F9D85661C672ADBF7933D4",
+			1
+		},
+#endif
+		/* Test 10 */
+		{
+			TEST_INPUT("\xf7\x8f\x92\x14\x1b\xcd\x17\x0a\xe8\x9b"
+				   "\x4f\xba\x15\xa1\xd5\x9f\x3f\xd8\x4d\x22"
+				   "\x3c\x92\x51\xbd\xac\xbb\xae\x61\xd0\x5e"
+				   "\xd1\x15\xa0\x6a\x7c\xe1\x17\xb7\xbe\xea"
+				   "\xd2\x44\x21\xde\xd9\xc3\x25\x92\xbd\x57"
+				   "\xed\xea\xe3\x9c\x39\xfa\x1f\xe8\x94\x6a"
+				   "\x84\xd0\xcf\x1f\x7b\xee\xad\x17\x13\xe2"
+				   "\xe0\x95\x98\x97\x34\x7f\x67\xc8\x0b\x04"
+				   "\x00\xc2\x09\x81\x5d\x6b\x10\xa6\x83\x83"
+				   "\x6f\xd5\x56\x2a\x56\xca\xb1\xa2\x8e\x81"
+				   "\xb6\x57\x66\x54\x63\x1c\xf1\x65\x66\xb8"
+				   "\x6e\x3b\x33\xa1\x08\xb0\x53\x07\xc0\x0a"
+				   "\xff\x14\xa7\x68\xed\x73\x50\x60\x6a\x0f"
+				   "\x85\xe6\xa9\x1d\x39\x6f\x5b\x5c\xbe\x57"
+				   "\x7f\x9b\x38\x80\x7c\x7d\x52\x3d\x6d\x79"
+				   "\x2f\x6e\xbc\x24\xa4\xec\xf2\xb3\xa4\x27"
+				   "\xcd\xbb\xfb"),
+			"0xCB0082C8F197D260991BA6A460E76E202BAD27B3",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_sha1_init(&sha1);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_sha1_update(&sha1,
+					(const uint8_t *) testcase->input,
+					testcase->input_len);
+		}
+		isc_sha1_final(&sha1, digest);
+		tohexstr(digest, ISC_SHA1_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_sha224);
+ATF_TC_HEAD(isc_sha224, tc) {
+	atf_tc_set_md_var(tc, "descr", "sha224 examples from RFC4634");
+}
+ATF_TC_BODY(isc_sha224, tc) {
+	isc_sha224_t sha224;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("abc"),
+			"0x23097D223405D8228642A477BDA255B32AADBCE4BDA0B3F7"
+				"E36C9DA7",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijklj"
+				   "klmklmnlmnomnopnopq"),
+			"0x75388B16512776CC5DBA5DA1FD890150B0C6455CB4F58B"
+				"1952522525",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("a"),
+			"0x20794655980C91D8BBB4C1EA97618A4BF03F42581948B2"
+				"EE4EE7AD67",
+			1000000
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("01234567012345670123456701234567"),
+			"0x567F69F168CD7844E65259CE658FE7AADFA25216E68ECA"
+				"0EB7AB8262",
+			20
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("\x07"),
+			"0x00ECD5F138422B8AD74C9799FD826C531BAD2FCABC7450"
+				"BEE2AA8C2A",
+			1
+		},
+#if 0
+		/* Test 7 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 8 */
+		{
+			TEST_INPUT("\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29"
+				   "\x9d\x6f\x9d\x93\xdf\x62"),
+			"0xDF90D78AA78821C99B40BA4C966921ACCD8FFB1E98AC38"
+				"8E56191DB1",
+			1
+		},
+#if 0
+		/* Test 9 */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 10 */
+		{
+			TEST_INPUT("\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52"
+				   "\x06\x22\xd1\xac\x97\xd5\xcd\xbe\x8c\xb3"
+				   "\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba"
+				   "\x09\xab\xc8\x53\x3c\x52\x50\x88\x7a\x43"
+				   "\xbe\xbb\xac\x90\x6c\x2e\x18\x37\xf2\x6b"
+				   "\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89"
+				   "\x6b\x71\x8b\x2a\x38\x3e\xcd\xac\x16\xb9"
+				   "\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74"
+				   "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11"
+				   "\x12\x24\x5f\x48\xee\x47\x0d\x39\x6c\x1e"
+				   "\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee"
+				   "\xa8\x14\xb6\x13\x5e\xca\x54\x39\x2b\xde"
+				   "\xdb\x94\x89\xbc\x9b\x87\x5a\x8b\xaf\x0d"
+				   "\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2"
+				   "\x64\xbc\x07\x9d\x26\x9f\x2c\x0d\x7e\xdd"
+				   "\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c"
+				   "\x87\x82\x73"),
+			"0x0B31894EC8937AD9B91BDFBCBA294D9ADEFAA18E09305E"
+				"9F20D5C3A4",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_sha224_init(&sha224);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_sha224_update(&sha224,
+					  (const uint8_t *) testcase->input,
+					  testcase->input_len);
+		}
+		isc_sha224_final(digest, &sha224);
+		/*
+		*API inconsistency BUG HERE
+		* in order to be consistant with the other isc_hash_final
+		* functions the call should be
+		* isc_sha224_final(&sha224, digest);
+		 */
+		tohexstr(digest, ISC_SHA224_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_sha256);
+ATF_TC_HEAD(isc_sha256, tc) {
+	atf_tc_set_md_var(tc, "descr", "sha224 examples from RFC4634");
+}
+ATF_TC_BODY(isc_sha256, tc) {
+	isc_sha256_t sha256;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("abc"),
+			"0xBA7816BF8F01CFEA414140DE5DAE2223B00361A396177A"
+				"9CB410FF61F20015AD",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("abcdbcdecdefdefgefghfghighijhijkijkljk"
+				   "lmklmnlmnomnopnopq"),
+			"0x248D6A61D20638B8E5C026930C3E6039A33CE45964FF21"
+				"67F6ECEDD419DB06C1",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("a"),
+			"0xCDC76E5C9914FB9281A1C7E284D73E67F1809A48A49720"
+				"0E046D39CCC7112CD0",
+			1000000 },
+		/* Test 4 */
+		{
+			TEST_INPUT("01234567012345670123456701234567"),
+			"0x594847328451BDFA85056225462CC1D867D877FB388DF0"
+				"CE35F25AB5562BFBB5",
+			20
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("\x19"),
+			"0x68AA2E2EE5DFF96E3355E6C7EE373E3D6A4E17F75F9518"
+				"D843709C0C9BC3E3D4",
+			1
+		},
+#if 0
+		/* Test 7 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 8 */
+		{
+			TEST_INPUT("\xe3\xd7\x25\x70\xdc\xdd\x78\x7c\xe3"
+				   "\x88\x7a\xb2\xcd\x68\x46\x52"),
+			"0x175EE69B02BA9B58E2B0A5FD13819CEA573F3940A94F82"
+				"5128CF4209BEABB4E8",
+			1
+		},
+#if 0
+		/* Test 9 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 10 */
+		{
+			TEST_INPUT("\x83\x26\x75\x4e\x22\x77\x37\x2f\x4f\xc1"
+				   "\x2b\x20\x52\x7a\xfe\xf0\x4d\x8a\x05\x69"
+				   "\x71\xb1\x1a\xd5\x71\x23\xa7\xc1\x37\x76"
+				   "\x00\x00\xd7\xbe\xf6\xf3\xc1\xf7\xa9\x08"
+				   "\x3a\xa3\x9d\x81\x0d\xb3\x10\x77\x7d\xab"
+				   "\x8b\x1e\x7f\x02\xb8\x4a\x26\xc7\x73\x32"
+				   "\x5f\x8b\x23\x74\xde\x7a\x4b\x5a\x58\xcb"
+				   "\x5c\x5c\xf3\x5b\xce\xe6\xfb\x94\x6e\x5b"
+				   "\xd6\x94\xfa\x59\x3a\x8b\xeb\x3f\x9d\x65"
+				   "\x92\xec\xed\xaa\x66\xca\x82\xa2\x9d\x0c"
+				   "\x51\xbc\xf9\x33\x62\x30\xe5\xd7\x84\xe4"
+				   "\xc0\xa4\x3f\x8d\x79\xa3\x0a\x16\x5c\xba"
+				   "\xbe\x45\x2b\x77\x4b\x9c\x71\x09\xa9\x7d"
+				   "\x13\x8f\x12\x92\x28\x96\x6f\x6c\x0a\xdc"
+				   "\x10\x6a\xad\x5a\x9f\xdd\x30\x82\x57\x69"
+				   "\xb2\xc6\x71\xaf\x67\x59\xdf\x28\xeb\x39"
+				   "\x3d\x54\xd6"),
+			"0x97DBCA7DF46D62C8A422C941DD7E835B8AD3361763F7E9"
+				"B2D95F4F0DA6E1CCBC",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_sha256_init(&sha256);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_sha256_update(&sha256,
+					  (const uint8_t *) testcase->input,
+					  testcase->input_len);
+		}
+		isc_sha256_final(digest, &sha256);
+		/*
+		*API inconsistency BUG HERE
+		* in order to be consistant with the other isc_hash_final
+		* functions the call should be
+		* isc_sha224_final(&sha224, digest);
+		 */
+		tohexstr(digest, ISC_SHA256_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_sha384);
+ATF_TC_HEAD(isc_sha384, tc) {
+	atf_tc_set_md_var(tc, "descr", "sha224 examples from RFC4634");
+}
+ATF_TC_BODY(isc_sha384, tc) {
+	isc_sha384_t sha384;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("abc"),
+			"0xCB00753F45A35E8BB5A03D699AC65007272C32AB0EDED1"
+				"631A8B605A43FF5BED8086072BA1E7CC2358BAEC"
+				"A134C825A7",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("abcdefghbcdefghicdefghijdefghijkefghijkl"
+				   "fghijklmghijklmnhijklmnoijklmnopjklmnopq"
+				   "klmnopqrlmnopqrsmnopqrstnopqrstu"),
+			"0x09330C33F71147E83D192FC782CD1B4753111B173B3B05"
+				"D22FA08086E3B0F712FCC7C71A557E2DB966C3E9"
+				"FA91746039",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("a"),
+			"0x9D0E1809716474CB086E834E310A4A1CED149E9C00F248"
+				"527972CEC5704C2A5B07B8B3DC38ECC4EBAE97DD"
+				"D87F3D8985",
+			1000000
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("01234567012345670123456701234567"),
+			"0x2FC64A4F500DDB6828F6A3430B8DD72A368EB7F3A8322A"
+				"70BC84275B9C0B3AB00D27A5CC3C2D224AA6B61A"
+				"0D79FB4596",
+			20
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 6 */
+		{ TEST_INPUT("\xb9"),
+			"0xBC8089A19007C0B14195F4ECC74094FEC64F01F9092928"
+				"2C2FB392881578208AD466828B1C6C283D2722CF"
+				"0AD1AB6938",
+			1
+		},
+#if 0
+		/* Test 7 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 8 */
+		{
+			TEST_INPUT("\xa4\x1c\x49\x77\x79\xc0\x37\x5f\xf1"
+				   "\x0a\x7f\x4e\x08\x59\x17\x39"),
+			"0xC9A68443A005812256B8EC76B00516F0DBB74FAB26D665"
+				"913F194B6FFB0E91EA9967566B58109CBC675CC2"
+				"08E4C823F7",
+			1
+		},
+#if 0
+		/* Test 9 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 10 */
+		{
+			TEST_INPUT("\x39\x96\x69\xe2\x8f\x6b\x9c\x6d\xbc\xbb"
+				   "\x69\x12\xec\x10\xff\xcf\x74\x79\x03\x49"
+				   "\xb7\xdc\x8f\xbe\x4a\x8e\x7b\x3b\x56\x21"
+				   "\xdb\x0f\x3e\x7d\xc8\x7f\x82\x32\x64\xbb"
+				   "\xe4\x0d\x18\x11\xc9\xea\x20\x61\xe1\xc8"
+				   "\x4a\xd1\x0a\x23\xfa\xc1\x72\x7e\x72\x02"
+				   "\xfc\x3f\x50\x42\xe6\xbf\x58\xcb\xa8\xa2"
+				   "\x74\x6e\x1f\x64\xf9\xb9\xea\x35\x2c\x71"
+				   "\x15\x07\x05\x3c\xf4\xe5\x33\x9d\x52\x86"
+				   "\x5f\x25\xcc\x22\xb5\xe8\x77\x84\xa1\x2f"
+				   "\xc9\x61\xd6\x6c\xb6\xe8\x95\x73\x19\x9a"
+				   "\x2c\xe6\x56\x5c\xbd\xf1\x3d\xca\x40\x38"
+				   "\x32\xcf\xcb\x0e\x8b\x72\x11\xe8\x3a\xf3"
+				   "\x2a\x11\xac\x17\x92\x9f\xf1\xc0\x73\xa5"
+				   "\x1c\xc0\x27\xaa\xed\xef\xf8\x5a\xad\x7c"
+				   "\x2b\x7c\x5a\x80\x3e\x24\x04\xd9\x6d\x2a"
+				   "\x77\x35\x7b\xda\x1a\x6d\xae\xed\x17\x15"
+				   "\x1c\xb9\xbc\x51\x25\xa4\x22\xe9\x41\xde"
+				   "\x0c\xa0\xfc\x50\x11\xc2\x3e\xcf\xfe\xfd"
+				   "\xd0\x96\x76\x71\x1c\xf3\xdb\x0a\x34\x40"
+				   "\x72\x0e\x16\x15\xc1\xf2\x2f\xbc\x3c\x72"
+				   "\x1d\xe5\x21\xe1\xb9\x9b\xa1\xbd\x55\x77"
+				   "\x40\x86\x42\x14\x7e\xd0\x96"),
+			"0x4F440DB1E6EDD2899FA335F09515AA025EE177A79F4B4A"
+				"AF38E42B5C4DE660F5DE8FB2A5B2FBD2A3CBFFD2"
+				"0CFF1288C0",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_sha384_init(&sha384);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_sha384_update(&sha384,
+					  (const uint8_t *) testcase->input,
+					  testcase->input_len);
+		}
+		isc_sha384_final(digest, &sha384);
+		/*
+		*API inconsistency BUG HERE
+		* in order to be consistant with the other isc_hash_final
+		* functions the call should be
+		* isc_sha224_final(&sha224, digest);
+		 */
+		tohexstr(digest, ISC_SHA384_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_sha512);
+ATF_TC_HEAD(isc_sha512, tc) {
+	atf_tc_set_md_var(tc, "descr", "sha224 examples from RFC4634");
+}
+ATF_TC_BODY(isc_sha512, tc) {
+	isc_sha512_t sha512;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("abc"),
+			"0xDDAF35A193617ABACC417349AE20413112E6FA4E89A97E"
+				"A20A9EEEE64B55D39A2192992A274FC1A836BA3C"
+				"23A3FEEBBD454D4423643CE80E2A9AC94FA54CA49F",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("abcdefghbcdefghicdefghijdefghijkefghijkl"
+				   "fghijklmghijklmnhijklmnoijklmnopjklmnopq"
+				   "klmnopqrlmnopqrsmnopqrstnopqrstu"),
+			"0x8E959B75DAE313DA8CF4F72814FC143F8F7779C6EB9F7F"
+				"A17299AEADB6889018501D289E4900F7E4331B99"
+				"DEC4B5433AC7D329EEB6DD26545E96E55B874BE909",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("a"),
+			"0xE718483D0CE769644E2E42C7BC15B4638E1F98B13B2044"
+				"285632A803AFA973EBDE0FF244877EA60A4CB043"
+				"2CE577C31BEB009C5C2C49AA2E4EADB217AD8CC09B",
+			1000000
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("01234567012345670123456701234567"),
+			"0x89D05BA632C699C31231DED4FFC127D5A894DAD412C0E0"
+				"24DB872D1ABD2BA8141A0F85072A9BE1E2AA04CF"
+				"33C765CB510813A39CD5A84C4ACAA64D3F3FB7BAE9",
+			20
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("\xD0"),
+			"0x9992202938E882E73E20F6B69E68A0A7149090423D93C8"
+				"1BAB3F21678D4ACEEEE50E4E8CAFADA4C85A54EA"
+				"8306826C4AD6E74CECE9631BFA8A549B4AB3FBBA15",
+			1
+		},
+#if 0
+		/* Test 7 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 8 */
+		{
+			TEST_INPUT("\x8d\x4e\x3c\x0e\x38\x89\x19\x14\x91\x81"
+				   "\x6e\x9d\x98\xbf\xf0\xa0"),
+			"0xCB0B67A4B8712CD73C9AABC0B199E9269B20844AFB75AC"
+				"BDD1C153C9828924C3DDEDAAFE669C5FDD0BC66F"
+				"630F6773988213EB1B16F517AD0DE4B2F0C95C90F8",
+			1
+		},
+#if 0
+		/* Test 9 -- unimplemented optional functionality */
+		{
+			TEST_INPUT(""),
+			"0xXXX",
+			1
+		},
+#endif
+		/* Test 10 */
+		{
+			TEST_INPUT("\xa5\x5f\x20\xc4\x11\xaa\xd1\x32\x80\x7a"
+				   "\x50\x2d\x65\x82\x4e\x31\xa2\x30\x54\x32"
+				   "\xaa\x3d\x06\xd3\xe2\x82\xa8\xd8\x4e\x0d"
+				   "\xe1\xde\x69\x74\xbf\x49\x54\x69\xfc\x7f"
+				   "\x33\x8f\x80\x54\xd5\x8c\x26\xc4\x93\x60"
+				   "\xc3\xe8\x7a\xf5\x65\x23\xac\xf6\xd8\x9d"
+				   "\x03\xe5\x6f\xf2\xf8\x68\x00\x2b\xc3\xe4"
+				   "\x31\xed\xc4\x4d\xf2\xf0\x22\x3d\x4b\xb3"
+				   "\xb2\x43\x58\x6e\x1a\x7d\x92\x49\x36\x69"
+				   "\x4f\xcb\xba\xf8\x8d\x95\x19\xe4\xeb\x50"
+				   "\xa6\x44\xf8\xe4\xf9\x5e\xb0\xea\x95\xbc"
+				   "\x44\x65\xc8\x82\x1a\xac\xd2\xfe\x15\xab"
+				   "\x49\x81\x16\x4b\xbb\x6d\xc3\x2f\x96\x90"
+				   "\x87\xa1\x45\xb0\xd9\xcc\x9c\x67\xc2\x2b"
+				   "\x76\x32\x99\x41\x9c\xc4\x12\x8b\xe9\xa0"
+				   "\x77\xb3\xac\xe6\x34\x06\x4e\x6d\x99\x28"
+				   "\x35\x13\xdc\x06\xe7\x51\x5d\x0d\x73\x13"
+				   "\x2e\x9a\x0d\xc6\xd3\xb1\xf8\xb2\x46\xf1"
+				   "\xa9\x8a\x3f\xc7\x29\x41\xb1\xe3\xbb\x20"
+				   "\x98\xe8\xbf\x16\xf2\x68\xd6\x4f\x0b\x0f"
+				   "\x47\x07\xfe\x1e\xa1\xa1\x79\x1b\xa2\xf3"
+				   "\xc0\xc7\x58\xe5\xf5\x51\x86\x3a\x96\xc9"
+				   "\x49\xad\x47\xd7\xfb\x40\xd2"),
+		  "0xC665BEFB36DA189D78822D10528CBF3B12B3EEF7260399"
+			  "09C1A16A270D48719377966B957A878E72058477"
+			  "9A62825C18DA26415E49A7176A894E7510FD1451F5",
+		  1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_sha512_init(&sha512);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_sha512_update(&sha512,
+					  (const uint8_t *) testcase->input,
+					  testcase->input_len);
+		}
+		isc_sha512_final(digest, &sha512);
+		/*
+		*API inconsistency BUG HERE
+		* in order to be consistant with the other isc_hash_final
+		* functions the call should be
+		* isc_sha224_final(&sha224, digest);
+		 */
+		tohexstr(digest, ISC_SHA512_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+#ifndef PK11_MD5_DISABLE
+ATF_TC(isc_md5);
+ATF_TC_HEAD(isc_md5, tc) {
+	atf_tc_set_md_var(tc, "descr", "md5 example from RFC1321");
+}
+ATF_TC_BODY(isc_md5, tc) {
+	isc_md5_t md5;
+	int i;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		{
+			TEST_INPUT(""),
+			"0xD41D8CD98F00B204E9800998ECF8427E",
+			1
+		},
+		{
+			TEST_INPUT("a"),
+			"0x0CC175B9C0F1B6A831C399E269772661",
+			1
+		},
+		{
+			TEST_INPUT("abc"),
+			"0x900150983CD24FB0D6963F7D28E17F72",
+			1
+		},
+		{
+			TEST_INPUT("message digest"),
+			"0xF96B697D7CB7938D525A2F31AAF161D0",
+			1
+		},
+		{
+			TEST_INPUT("abcdefghijklmnopqrstuvwxyz"),
+			"0xC3FCD3D76192E4007DFB496CCA67E13B",
+			1
+		},
+		{
+			TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"
+				   "nopqrstuvwxyz0123456789"),
+			"0xD174AB98D277D9F5A5611C2C9F419D9F",
+			1
+		},
+		{
+			TEST_INPUT("123456789012345678901234567890123456789"
+				   "01234567890123456789012345678901234567890"),
+			"0x57EDF4A22BE3C955AC49DA2E2107B67A",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_md5_init(&md5);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_md5_update(&md5,
+				       (const uint8_t *) testcase->input,
+				       testcase->input_len);
+		}
+		isc_md5_final(&md5, digest);
+		tohexstr(digest, ISC_MD5_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+#endif
+
+/* HMAC-SHA1 test */
+ATF_TC(isc_hmacsha1);
+ATF_TC_HEAD(isc_hmacsha1, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-SHA1 examples from RFC2104");
+}
+ATF_TC_BODY(isc_hmacsha1, tc) {
+	isc_hmacsha1_t hmacsha1;
+
+	UNUSED(tc);
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0xB617318655057264E28BC0B6FB378C8EF146BE00",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				   "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				   "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0xEFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0x125D7342B9AC11CD91A39AF48AA17B4F63F175D3",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0x4C9007F4026250C6BC8414F9BF50C86C2D7235DA",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0xAA4AE5E15272D00E95705637CE8A3B55ED402112", 1 },
+		/* Test 7 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key and "
+				   "Larger Than One Block-Size Data"),
+			"0xE8E99D0F45237D786D6BBAA7965C7808BBFF1A91",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+#endif
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 80 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 80 },
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacsha1_init(&hmacsha1, buffer, test_key->len);
+		isc_hmacsha1_update(&hmacsha1,
+				    (const uint8_t *) testcase->input,
+				    testcase->input_len);
+		isc_hmacsha1_sign(&hmacsha1, digest, ISC_SHA1_DIGESTLENGTH);
+		tohexstr(digest, ISC_SHA1_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+
+/* HMAC-SHA224 test */
+ATF_TC(isc_hmacsha224);
+ATF_TC_HEAD(isc_hmacsha224, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-SHA224 examples from RFC4634");
+}
+ATF_TC_BODY(isc_hmacsha224, tc) {
+	isc_hmacsha224_t hmacsha224;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0x896FB1128ABBDF196832107CD49DF33F47B4B1169912BA"
+				"4F53684B22",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				   "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				   "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0xA30E01098BC6DBBF45690F3A7E9E6D0F8BBEA2A39E61480"
+				"08FD05E44",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0x7FB3CB3588C6C1F6FFA9694D7D6AD2649365B0C1F65D69"
+				"D1EC8333EA",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0x6C11506874013CAC6A2ABC1BB382627CEC6A90D86EFC01"
+				"2DE7AFEC5A",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0x95E9A0DB962095ADAEBE9B2D6F0DBCE2D499F112F2D2B7"
+				"273FA6870E",
+			1
+		},
+		/* Test 7 */
+		{
+			TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				   "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				   "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				   "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				   "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				   "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				   "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				   "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				   "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				   "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				   "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				   "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				   "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				   "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				   "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				   "\x6d\x2e"),
+			"0x3A854166AC5D9F023F54D517D0B39DBD946770DB9C2B95"
+				"C9F6F565D1",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+#endif
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacsha224_init(&hmacsha224, buffer, test_key->len);
+		isc_hmacsha224_update(&hmacsha224,
+				      (const uint8_t *) testcase->input,
+				      testcase->input_len);
+		isc_hmacsha224_sign(&hmacsha224, digest, ISC_SHA224_DIGESTLENGTH);
+		tohexstr(digest, ISC_SHA224_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+
+/* HMAC-SHA256 test */
+ATF_TC(isc_hmacsha256);
+ATF_TC_HEAD(isc_hmacsha256, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-SHA256 examples from RFC4634");
+}
+ATF_TC_BODY(isc_hmacsha256, tc) {
+	isc_hmacsha256_t hmacsha256;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0xB0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833D"
+				"A726E9376C2E32CFF7",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				   "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				   "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0x5BDCC146BF60754E6A042426089575C75A003F089D2739"
+				"839DEC58B964EC3843",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0x773EA91E36800E46854DB8EBD09181A72959098B3EF8C1"
+				"22D9635514CED565FE",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0x82558A389A443C0EA4CC819899F2083A85F0FAA3E578F8"
+				"077A2E3FF46729665B",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0x60E431591EE0B67F0D8A26AACBF5B77F8E0BC6213728C5"
+				"140546040F0EE37F54",
+			1
+		},
+		/* Test 7 */
+		{
+			TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				   "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				   "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				   "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				   "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				   "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				   "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				   "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				   "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				   "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				   "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				   "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				   "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				   "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				   "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				   "\x6d\x2e"),
+			"0x9B09FFA71B942FCB27635FBCD5B0E944BFDC63644F0713"
+				"938A7F51535C3A35E2",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+#endif
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacsha256_init(&hmacsha256, buffer, test_key->len);
+		isc_hmacsha256_update(&hmacsha256,
+				      (const uint8_t *) testcase->input,
+				      testcase->input_len);
+		isc_hmacsha256_sign(&hmacsha256, digest, ISC_SHA256_DIGESTLENGTH);
+		tohexstr(digest, ISC_SHA256_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+
+/* HMAC-SHA384 test */
+ATF_TC(isc_hmacsha384);
+ATF_TC_HEAD(isc_hmacsha384, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-SHA384 examples from RFC4634");
+}
+ATF_TC_BODY(isc_hmacsha384, tc) {
+	isc_hmacsha384_t hmacsha384;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0xAFD03944D84895626B0825F4AB46907F15F9DADBE4101E"
+				"C682AA034C7CEBC59CFAEA9EA9076EDE7F4AF152"
+				"E8B2FA9CB6",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				   "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				   "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0xAF45D2E376484031617F78D2B58A6B1B9C7EF464F5A01B"
+				"47E42EC3736322445E8E2240CA5E69E2C78B3239"
+				"ECFAB21649",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0x88062608D3E6AD8A0AA2ACE014C8A86F0AA635D947AC9F"
+				"EBE83EF4E55966144B2A5AB39DC13814B94E3AB6"
+				"E101A34F27",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0x3E8A69B7783C25851933AB6290AF6CA77A998148085000"
+				"9CC5577C6E1F573B4E6801DD23C4A7D679CCF8A3"
+				"86C674CFFB",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0x4ECE084485813E9088D2C63A041BC5B44F9EF1012A2B58"
+				"8F3CD11F05033AC4C60C2EF6AB4030FE8296248D"
+				"F163F44952",
+			1
+		},
+		/* Test 7 */
+		{
+			TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				   "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				   "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				   "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				   "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				   "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				   "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				   "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				   "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				   "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				   "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				   "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				   "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				   "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				   "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				   "\x6d\x2e"),
+			"0x6617178E941F020D351E2F254E8FD32C602420FEB0B8FB"
+				"9ADCCEBB82461E99C5A678CC31E799176D3860E6"
+				"110C46523E",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+#endif
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacsha384_init(&hmacsha384, buffer, test_key->len);
+		isc_hmacsha384_update(&hmacsha384,
+				      (const uint8_t *) testcase->input,
+				      testcase->input_len);
+		isc_hmacsha384_sign(&hmacsha384, digest, ISC_SHA384_DIGESTLENGTH);
+		tohexstr(digest, ISC_SHA384_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+
+/* HMAC-SHA512 test */
+ATF_TC(isc_hmacsha512);
+ATF_TC_HEAD(isc_hmacsha512, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-SHA512 examples from RFC4634");
+}
+ATF_TC_BODY(isc_hmacsha512, tc) {
+	isc_hmacsha512_t hmacsha512;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0x87AA7CDEA5EF619D4FF0B4241A1D6CB02379F4E2CE4EC2"
+				"787AD0B30545E17CDEDAA833B7D6B8A702038B27"
+				"4EAEA3F4E4BE9D914EEB61F1702E696C203A126854",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61"
+				   "\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20"
+				   "\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0x164B7A7BFCF819E2E395FBE73B56E0A387BD64222E831F"
+				"D610270CD7EA2505549758BF75C05A994A6D034F"
+				"65F8F0E6FDCAEAB1A34D4A6B4B636E070A38BCE737",
+			1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0xFA73B0089D56A284EFB0F0756C890BE9B1B5DBDD8EE81A"
+				"3655F83E33B2279D39BF3E848279A722C806B485"
+				"A47E67C807B946A337BEE8942674278859E13292FB",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0xB0BA465637458C6990E5A8C5F61D4AF7E576D97FF94B87"
+				"2DE76F8050361EE3DBA91CA5C11AA25EB4D67927"
+				"5CC5788063A5F19741120C4F2DE2ADEBEB10A298DD",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+#endif
+		/* Test 6 */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0x80B24263C7C1A3EBB71493C1DD7BE8B49B46D1F41B4AEE"
+				"C1121B013783F8F3526B56D037E05F2598BD0FD2"
+				"215D6A1E5295E64F73F63F0AEC8B915A985D786598",
+			1
+		},
+		/* Test 7 */
+		{
+			TEST_INPUT("\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20"
+				   "\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67"
+				   "\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20"
+				   "\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b"
+				   "\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20"
+				   "\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67"
+				   "\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c"
+				   "\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64"
+				   "\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b"
+				   "\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74"
+				   "\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65"
+				   "\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62"
+				   "\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20"
+				   "\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41"
+				   "\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68"
+				   "\x6d\x2e"),
+			"0xE37B6A775DC87DBAA4DFA9F96E5E3FFDDEBD71F8867289"
+				"865DF5A32D20CDC944B6022CAC3C4982B10D5EEB"
+				"55C3E4DE15134676FB6DE0446065C97440FA8C6A58",
+			1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+#endif
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacsha512_init(&hmacsha512, buffer, test_key->len);
+		isc_hmacsha512_update(&hmacsha512,
+				      (const uint8_t *) testcase->input,
+				      testcase->input_len);
+		isc_hmacsha512_sign(&hmacsha512, digest, ISC_SHA512_DIGESTLENGTH);
+		tohexstr(digest, ISC_SHA512_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+
+
+#ifndef PK11_MD5_DISABLE
+/* HMAC-MD5 Test */
+ATF_TC(isc_hmacmd5);
+ATF_TC_HEAD(isc_hmacmd5, tc) {
+	atf_tc_set_md_var(tc, "descr", "HMAC-MD5 examples from RFC2104");
+}
+ATF_TC_BODY(isc_hmacmd5, tc) {
+	isc_hmacmd5_t hmacmd5;
+
+	UNUSED(tc);
+
+	/*
+	 * These are the various test vectors.  All of these are passed
+	 * through the hash function and the results are compared to the
+	 * result specified here.
+	 */
+	hash_testcase_t testcases[] = {
+		/* Test 1 */
+		{
+			TEST_INPUT("\x48\x69\x20\x54\x68\x65\x72\x65"),
+			"0x9294727A3638BB1C13F48EF8158BFC9D",
+			1
+		},
+		/* Test 2 */
+		{
+			TEST_INPUT("\x77\x68\x61\x74\x20\x64\x6f\x20\x79"
+				   "\x61\x20\x77\x61\x6e\x74\x20\x66\x6f"
+				   "\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f"),
+			"0x750C783E6AB0B503EAA86E310A5DB738", 1
+		},
+		/* Test 3 */
+		{
+			TEST_INPUT("\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"
+				   "\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD\xDD"),
+			"0x56BE34521D144C88DBB8C733F0E8B3F6",
+			1
+		},
+		/* Test 4 */
+		{
+			TEST_INPUT("\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"
+				   "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd"),
+			"0x697EAF0ACA3A3AEA3A75164746FFAA79",
+			1
+		},
+#if 0
+		/* Test 5 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test With Truncation"),
+			"0x4C1A03424B55E07FE7F27BE1",
+			1
+		},
+		/* Test 6 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key - "
+				   "Hash Key First"),
+			"0xAA4AE5E15272D00E95705637CE8A3B55ED402112",
+			1
+		 },
+		/* Test 7 -- unimplemented optional functionality */
+		{
+			TEST_INPUT("Test Using Larger Than Block-Size Key and "
+				   "Larger Than One Block-Size Data"),
+			"0xE8E99D0F45237D786D6BBAA7965C7808BBFF1A91",
+			1
+		},
+#endif
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	hash_test_key_t test_keys[] = {
+		/* Key 1 */
+		{ "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b"
+		  "\x0b\x0b\x0b\x0b\x0b\x0b", 16 },
+		/* Key 2 */
+		{ "Jefe", 4 },
+		/* Key 3 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa", 16 },
+		/* Key 4 */
+		{ "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a"
+		  "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
+		  "\x15\x16\x17\x18\x19", 25 },
+#if 0
+		/* Key 5 */
+		{ "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c"
+		  "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20 },
+		/* Key 6 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+		/* Key 7 */
+		{ "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
+		  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 131 },
+#endif
+		{ "", 0 }
+	};
+
+	hash_test_key_t *test_key = test_keys;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		memmove(buffer, test_key->key, test_key->len);
+		isc_hmacmd5_init(&hmacmd5, buffer, test_key->len);
+		isc_hmacmd5_update(&hmacmd5,
+				   (const uint8_t *) testcase->input,
+				   testcase->input_len);
+		isc_hmacmd5_sign(&hmacmd5, digest);
+		tohexstr(digest, ISC_MD5_DIGESTLENGTH, str, sizeof(str));
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+		test_key++;
+	}
+}
+#endif
+
+/* CRC64 Test */
+ATF_TC(isc_crc64);
+ATF_TC_HEAD(isc_crc64, tc) {
+	atf_tc_set_md_var(tc, "descr", "64-bit cyclic redundancy check");
+}
+ATF_TC_BODY(isc_crc64, tc) {
+	uint64_t crc;
+	int i;
+
+	UNUSED(tc);
+
+	hash_testcase_t testcases[] = {
+		{
+			TEST_INPUT(""),
+			"0x0000000000000000", 1
+		},
+		{
+			TEST_INPUT("a"),
+			"0xCE73F427ACC0A99A", 1
+		},
+		{
+			TEST_INPUT("abc"),
+			"0x048B813AF9F49702", 1
+		},
+		{
+			TEST_INPUT("message digest"),
+			"0x5273F9EA7A357BF4", 1
+		},
+		{
+			TEST_INPUT("abcdefghijklmnopqrstuvwxyz"),
+			"0x59F079F9218BAAA1", 1
+		},
+		{
+			TEST_INPUT("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"
+				   "nopqrstuvwxyz0123456789"),
+			"0xA36DA8F71E78B6FB", 1
+		},
+		{
+			TEST_INPUT("123456789012345678901234567890123456789"
+				   "01234567890123456789012345678901234567890"),
+			"0x81E5EB73C8E7874A", 1
+		},
+		{ NULL, 0, NULL, 1 }
+	};
+
+	hash_testcase_t *testcase = testcases;
+
+	while (testcase->input != NULL && testcase->result != NULL) {
+		isc_crc64_init(&crc);
+		for(i = 0; i < testcase->repeats; i++) {
+			isc_crc64_update(&crc,
+				       (const uint8_t *) testcase->input,
+				       testcase->input_len);
+		}
+		isc_crc64_final(&crc);
+		snprintf(str, sizeof(str),
+			 "0x%016" PRIX64, crc);
+		ATF_CHECK_STREQ(str, testcase->result);
+
+		testcase++;
+	}
+}
+
+ATF_TC(isc_hash_function);
+ATF_TC_HEAD(isc_hash_function, tc) {
+	atf_tc_set_md_var(tc, "descr", "Hash function test");
+}
+ATF_TC_BODY(isc_hash_function, tc) {
+	unsigned int h1;
+	unsigned int h2;
+
+	UNUSED(tc);
+
+	/* Incremental hashing */
+
+	h1 = isc_hash_function(NULL, 0, true, NULL);
+	h1 = isc_hash_function("This ", 5, true, &h1);
+	h1 = isc_hash_function("is ", 3, true, &h1);
+	h1 = isc_hash_function("a long test", 12, true, &h1);
+
+	h2 = isc_hash_function("This is a long test", 20,
+			       true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Immutability of hash function */
+	h1 = isc_hash_function(NULL, 0, true, NULL);
+	h2 = isc_hash_function(NULL, 0, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Hash function characteristics */
+	h1 = isc_hash_function("Hello world", 12, true, NULL);
+	h2 = isc_hash_function("Hello world", 12, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Case */
+	h1 = isc_hash_function("Hello world", 12, false, NULL);
+	h2 = isc_hash_function("heLLo WorLd", 12, false, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Unequal */
+	h1 = isc_hash_function("Hello world", 12, true, NULL);
+	h2 = isc_hash_function("heLLo WorLd", 12, true, NULL);
+
+	ATF_CHECK(h1 != h2);
+}
+
+ATF_TC(isc_hash_function_reverse);
+ATF_TC_HEAD(isc_hash_function_reverse, tc) {
+	atf_tc_set_md_var(tc, "descr", "Reverse hash function test");
+}
+ATF_TC_BODY(isc_hash_function_reverse, tc) {
+	unsigned int h1;
+	unsigned int h2;
+
+	UNUSED(tc);
+
+	/* Incremental hashing */
+
+	h1 = isc_hash_function_reverse(NULL, 0, true, NULL);
+	h1 = isc_hash_function_reverse("\000", 1, true, &h1);
+	h1 = isc_hash_function_reverse("\003org", 4, true, &h1);
+	h1 = isc_hash_function_reverse("\007example", 8, true, &h1);
+
+	h2 = isc_hash_function_reverse("\007example\003org\000", 13,
+				       true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Immutability of hash function */
+	h1 = isc_hash_function_reverse(NULL, 0, true, NULL);
+	h2 = isc_hash_function_reverse(NULL, 0, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Hash function characteristics */
+	h1 = isc_hash_function_reverse("Hello world", 12, true, NULL);
+	h2 = isc_hash_function_reverse("Hello world", 12, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Case */
+	h1 = isc_hash_function_reverse("Hello world", 12, false, NULL);
+	h2 = isc_hash_function_reverse("heLLo WorLd", 12, false, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	/* Unequal */
+	h1 = isc_hash_function_reverse("Hello world", 12, true, NULL);
+	h2 = isc_hash_function_reverse("heLLo WorLd", 12, true, NULL);
+
+	ATF_CHECK(h1 != h2);
+}
+
+ATF_TC(isc_hash_initializer);
+ATF_TC_HEAD(isc_hash_initializer, tc) {
+	atf_tc_set_md_var(tc, "descr", "Hash function initializer test");
+}
+ATF_TC_BODY(isc_hash_initializer, tc) {
+	unsigned int h1;
+	unsigned int h2;
+
+	UNUSED(tc);
+
+	h1 = isc_hash_function("Hello world", 12, true, NULL);
+	h2 = isc_hash_function("Hello world", 12, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+
+	isc_hash_set_initializer(isc_hash_get_initializer());
+
+	/* Hash value must not change */
+	h2 = isc_hash_function("Hello world", 12, true, NULL);
+
+	ATF_CHECK_EQ(h1, h2);
+}
+
+#ifndef PK11_MD5_DISABLE
+ATF_TC(md5_check);
+ATF_TC_HEAD(md5_check, tc) {
+	atf_tc_set_md_var(tc, "descr", "Startup MD5 check test");
+}
+ATF_TC_BODY(md5_check, tc) {
+	UNUSED(tc);
+
+	ATF_REQUIRE(isc_md5_check(false));
+	ATF_CHECK(!isc_md5_check(true));
+
+	ATF_REQUIRE(isc_hmacmd5_check(0));
+	ATF_CHECK(!isc_hmacmd5_check(1));
+	ATF_CHECK(!isc_hmacmd5_check(2));
+	ATF_CHECK(!isc_hmacmd5_check(3));
+	ATF_CHECK(!isc_hmacmd5_check(4));
+}
+#endif
+
+ATF_TC(sha1_check);
+ATF_TC_HEAD(sha1_check, tc) {
+	atf_tc_set_md_var(tc, "descr", "Startup SHA-1 check test");
+}
+ATF_TC_BODY(sha1_check, tc) {
+	UNUSED(tc);
+
+	ATF_REQUIRE(isc_sha1_check(false));
+	ATF_CHECK(!isc_sha1_check(true));
+
+	ATF_REQUIRE(isc_hmacsha1_check(0));
+	ATF_CHECK(!isc_hmacsha1_check(1));
+	ATF_CHECK(!isc_hmacsha1_check(2));
+	ATF_CHECK(!isc_hmacsha1_check(3));
+	ATF_CHECK(!isc_hmacsha1_check(4));
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	/*
+	 * Tests of hash functions, including isc_hash and the
+	 * various cryptographic hashes.
+	 */
+#ifndef PK11_MD5_DISABLE
+	ATF_TP_ADD_TC(tp, md5_check);
+#endif
+	ATF_TP_ADD_TC(tp, sha1_check);
+
+	ATF_TP_ADD_TC(tp, isc_hash_function);
+	ATF_TP_ADD_TC(tp, isc_hash_function_reverse);
+	ATF_TP_ADD_TC(tp, isc_hash_initializer);
+#ifndef PK11_MD5_DISABLE
+	ATF_TP_ADD_TC(tp, isc_hmacmd5);
+#endif
+	ATF_TP_ADD_TC(tp, isc_hmacsha1);
+	ATF_TP_ADD_TC(tp, isc_hmacsha224);
+	ATF_TP_ADD_TC(tp, isc_hmacsha256);
+	ATF_TP_ADD_TC(tp, isc_hmacsha384);
+	ATF_TP_ADD_TC(tp, isc_hmacsha512);
+#ifndef PK11_MD5_DISABLE
+	ATF_TP_ADD_TC(tp, isc_md5);
+#endif
+	ATF_TP_ADD_TC(tp, isc_sha1);
+	ATF_TP_ADD_TC(tp, isc_sha224);
+	ATF_TP_ADD_TC(tp, isc_sha256);
+	ATF_TP_ADD_TC(tp, isc_sha384);
+	ATF_TP_ADD_TC(tp, isc_sha512);
+	ATF_TP_ADD_TC(tp, isc_crc64);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/heap_test.c b/lib/isc/tests/heap_test.c
new file mode 100644
index 0000000..c030573
--- /dev/null
+++ b/lib/isc/tests/heap_test.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/heap.h>
+#include <isc/mem.h>
+
+#include <isc/util.h>
+
+struct e {
+	unsigned int value;
+	unsigned int index;
+};
+
+static bool
+compare(void *p1, void *p2) {
+	struct e *e1 = p1;
+	struct e *e2 = p2;
+
+	return (e1->value < e2->value);
+}
+
+static void
+idx(void *p, unsigned int i) {
+	struct e *e = p;
+
+	e->index = i;
+}
+
+ATF_TC(isc_heap_delete);
+ATF_TC_HEAD(isc_heap_delete, tc) {
+	atf_tc_set_md_var(tc, "descr", "test isc_heap_delete");
+}
+ATF_TC_BODY(isc_heap_delete, tc) {
+	isc_mem_t *mctx = NULL;
+	isc_heap_t *heap = NULL;
+	isc_result_t result;
+	struct e e1 = { 100, 0 };
+
+	UNUSED(tc);
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_heap_create(mctx, compare, idx, 0, &heap);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(heap != NULL);
+
+	isc_heap_insert(heap, &e1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(e1.index, 1);
+
+	isc_heap_delete(heap, e1.index);
+	ATF_CHECK_EQ(e1.index, 0);
+
+	isc_heap_destroy(&heap);
+	ATF_REQUIRE_EQ(heap, NULL);
+
+	isc_mem_detach(&mctx);
+	ATF_REQUIRE_EQ(mctx, NULL);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_heap_delete);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
new file mode 100644
index 0000000..5356142
--- /dev/null
+++ b/lib/isc/tests/ht_test.c
@@ -0,0 +1,362 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <isc/hash.h>
+#include <isc/ht.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+static void *
+default_memalloc(void *arg, size_t size) {
+	UNUSED(arg);
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+	UNUSED(arg);
+	free(ptr);
+}
+
+static void test_ht_full(int bits, uintptr_t count) {
+	isc_ht_t *ht = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	uintptr_t i;
+
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &mctx, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_ht_init(&ht, mctx, bits);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(ht != NULL);
+
+	for (i = 1; i < count; i++) {
+		/*
+		 * Note: snprintf() is followed with strlcat()
+		 * to ensure we are always filling the 16 byte key.
+		 */
+		unsigned char key[16];
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *) i);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		ATF_REQUIRE_EQ(i, (uintptr_t) f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *) i);
+		ATF_REQUIRE_EQ(result, ISC_R_EXISTS);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		/*
+		 * Note: the key size is now strlen(key) which is bigger
+		 * then the keys added above.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, (const unsigned char *) key,
+				    strlen(key), (void *) i);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		/*
+		 * Note: case of KEY is now in capitals,
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+		ATF_REQUIRE_EQ(f, NULL);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, (const unsigned char *) key,
+				     strlen(key), &f);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		ATF_REQUIRE_EQ(f, (void *) i);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_delete(ht, key, 16);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = isc_ht_find(ht, key, 16, &f);
+		ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+		ATF_REQUIRE_EQ(f, NULL);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		/*
+		 * Note: upper case KEY.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *) i);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	for (i = 1; i < count; i++) {
+		char key[64];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_delete(ht, (const unsigned char *) key,
+				       strlen(key));
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = isc_ht_find(ht, (const unsigned char *) key,
+				     strlen(key), &f);
+		ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+		ATF_REQUIRE_EQ(f, NULL);
+	}
+
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		/*
+		 * Note: case of KEY is now in capitals,
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " KEY of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		ATF_REQUIRE_EQ(i, (uintptr_t) f);
+	}
+
+	for (i = 1; i < count; i++) {
+		unsigned char key[16];
+		void *f = NULL;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, " key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_find(ht, key, 16, &f);
+		ATF_REQUIRE_EQ(result, ISC_R_NOTFOUND);
+		ATF_REQUIRE_EQ(f, NULL);
+	}
+
+	isc_ht_destroy(&ht);
+	ATF_REQUIRE_EQ(ht, NULL);
+}
+
+static void test_ht_iterator() {
+	isc_ht_t *ht = NULL;
+	isc_result_t result;
+	isc_mem_t *mctx = NULL;
+	isc_ht_iter_t * iter = NULL;
+	uintptr_t i;
+	void *v;
+	uintptr_t count = 10000;
+	uint32_t walked;
+	unsigned char key[16];
+	unsigned char *tkey;
+	size_t tksize;
+
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &mctx, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_ht_init(&ht, mctx, 16);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(ht != NULL);
+	for (i = 1; i <= count; i++) {
+		/*
+		 * Note that the string we're snprintfing is always > 16 bytes
+		 * so we are always filling the key.
+		 */
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		result = isc_ht_add(ht, key, 16, (void *) i);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	walked = 0;
+	result = isc_ht_iter_create(ht, &iter);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (result = isc_ht_iter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		ATF_REQUIRE_EQ(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		ATF_REQUIRE_EQ(memcmp(key, tkey, 16), 0);
+		walked++;
+	}
+	ATF_REQUIRE_EQ(walked, count);
+	ATF_REQUIRE_EQ(result, ISC_R_NOMORE);
+
+	/* erase odd */
+	walked = 0;
+	result = isc_ht_iter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		ATF_REQUIRE_EQ(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		ATF_REQUIRE_EQ(memcmp(key, tkey, 16), 0);
+		if ((uintptr_t)v % 2 == 0) {
+			result = isc_ht_iter_delcurrent_next(iter);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+		walked++;
+	}
+	ATF_REQUIRE_EQ(result, ISC_R_NOMORE);
+	ATF_REQUIRE_EQ(walked, count);
+
+	/* erase even */
+	walked = 0;
+	result = isc_ht_iter_first(iter);
+	while (result == ISC_R_SUCCESS) {
+		isc_ht_iter_current(iter, &v);
+		isc_ht_iter_currentkey(iter, &tkey, &tksize);
+		ATF_REQUIRE_EQ(tksize, 16);
+		i = (uintptr_t)v;
+		snprintf((char *)key, sizeof(key), "%u", (unsigned int)i);
+		strlcat((char *)key, "key of a raw hashtable!!", sizeof(key));
+		ATF_REQUIRE_EQ(memcmp(key, tkey, 16), 0);
+		if ((uintptr_t)v % 2 == 1) {
+			result = isc_ht_iter_delcurrent_next(iter);
+		} else {
+			result = isc_ht_iter_next(iter);
+		}
+		walked++;
+	}
+	ATF_REQUIRE_EQ(result, ISC_R_NOMORE);
+	ATF_REQUIRE_EQ(walked, count/2);
+
+	walked = 0;
+	for (result = isc_ht_iter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = isc_ht_iter_next(iter))
+	{
+		walked++;
+	}
+
+	ATF_REQUIRE_EQ(result, ISC_R_NOMORE);
+	ATF_REQUIRE_EQ(walked, 0);
+
+	isc_ht_destroy(&ht);
+	ATF_REQUIRE_EQ(ht, NULL);
+}
+
+ATF_TC(isc_ht_20);
+ATF_TC_HEAD(isc_ht_20, tc) {
+	atf_tc_set_md_var(tc, "descr", "20 bit, 200K elements test");
+}
+
+ATF_TC_BODY(isc_ht_20, tc) {
+	UNUSED(tc);
+	test_ht_full(20, 200000);
+}
+
+
+ATF_TC(isc_ht_8);
+ATF_TC_HEAD(isc_ht_8, tc) {
+	atf_tc_set_md_var(tc, "descr", "8 bit, 20000 elements crowded test");
+}
+
+ATF_TC_BODY(isc_ht_8, tc) {
+	UNUSED(tc);
+	test_ht_full(8, 20000);
+}
+
+ATF_TC(isc_ht_1);
+ATF_TC_HEAD(isc_ht_1, tc) {
+	atf_tc_set_md_var(tc, "descr", "1 bit, 100 elements corner case test");
+}
+
+ATF_TC_BODY(isc_ht_1, tc) {
+	UNUSED(tc);
+	test_ht_full(1, 100);
+}
+
+/* xxxwpk we should limit the size of hashtable, 32bit doesn't make sense */
+#if 0
+ATF_TC(isc_ht_32);
+ATF_TC_HEAD(isc_ht_32, tc) {
+	atf_tc_set_md_var(tc, "descr", "32 bit, 10000 elements corner case test");
+}
+
+ATF_TC_BODY(isc_ht_32, tc) {
+	UNUSED(tc);
+	test_ht_full(32, 10000);
+}
+#endif
+
+ATF_TC(isc_ht_iterator);
+ATF_TC_HEAD(isc_ht_iterator, tc) {
+	atf_tc_set_md_var(tc, "descr", "hashtable iterator");
+}
+
+ATF_TC_BODY(isc_ht_iterator, tc) {
+	UNUSED(tc);
+	test_ht_iterator();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_ht_20);
+	ATF_TP_ADD_TC(tp, isc_ht_8);
+	ATF_TP_ADD_TC(tp, isc_ht_1);
+/*	ATF_TP_ADD_TC(tp, isc_ht_32); */
+	ATF_TP_ADD_TC(tp, isc_ht_iterator);
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/inet_ntop_test.c b/lib/isc/tests/inet_ntop_test.c
new file mode 100644
index 0000000..2bfe9de
--- /dev/null
+++ b/lib/isc/tests/inet_ntop_test.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+/*
+ * Force the prototype for isc_net_ntop to be declared.
+ */
+#include <isc/platform.h>
+#undef ISC_PLATFORM_NEEDNTOP
+#define ISC_PLATFORM_NEEDNTOP
+#include "../inet_ntop.c"
+
+ATF_TC(isc_net_ntop);
+ATF_TC_HEAD(isc_net_ntop, tc) {
+	atf_tc_set_md_var(tc, "descr", "isc_net_ntop implementation");
+}
+ATF_TC_BODY(isc_net_ntop, tc) {
+	char buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+	int r;
+	size_t i;
+	unsigned char abuf[16];
+	struct {
+		int		family;
+		const char *	address;
+	} testdata[] = {
+		{ AF_INET, "0.0.0.0" },
+		{ AF_INET, "0.1.0.0" },
+		{ AF_INET, "0.0.2.0" },
+		{ AF_INET, "0.0.0.3" },
+		{ AF_INET, "255.255.255.255" },
+		{ AF_INET6, "::" },
+		{ AF_INET6, "::1.2.3.4" },
+		{ AF_INET6, "::ffff:1.2.3.4" },
+		{ AF_INET6, "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" }
+	};
+
+	for (i = 0; i < sizeof(testdata)/sizeof(testdata[0]); i++) {
+		r = inet_pton(testdata[i].family, testdata[i].address, abuf);
+		ATF_REQUIRE_EQ_MSG(r, 1, "%s", testdata[i].address);
+		isc_net_ntop(testdata[i].family, abuf, buf, sizeof(buf));
+		ATF_CHECK_STREQ(buf, testdata[i].address);
+	}
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_net_ntop);
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/isctest.c b/lib/isc/tests/isctest.c
new file mode 100644
index 0000000..cf4ae97
--- /dev/null
+++ b/lib/isc/tests/isctest.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/os.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+isc_mem_t *mctx = NULL;
+isc_entropy_t *ectx = NULL;
+isc_log_t *lctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_task_t *maintask = NULL;
+int ncpus;
+
+static bool hash_active = false;
+
+/*
+ * Logging categories: this needs to match the list in bin/named/log.c.
+ */
+static isc_logcategory_t categories[] = {
+		{ "",                0 },
+		{ "client",          0 },
+		{ "network",         0 },
+		{ "update",          0 },
+		{ "queries",         0 },
+		{ "unmatched",       0 },
+		{ "update-security", 0 },
+		{ "query-errors",    0 },
+		{ NULL,              0 }
+};
+
+static void
+cleanup_managers(void) {
+	if (maintask != NULL)
+		isc_task_destroy(&maintask);
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+}
+
+static isc_result_t
+create_managers(unsigned int workers) {
+	isc_result_t result;
+	char *p;
+
+	if (workers == 0) {
+#ifdef ISC_PLATFORM_USETHREADS
+		workers = isc_os_ncpus();
+#else
+		workers = 1;
+#endif
+	}
+
+	p = getenv("ISC_TASK_WORKERS");
+	if (p != NULL) {
+		workers = atoi(p);
+	}
+
+	CHECK(isc_taskmgr_create(mctx, workers, 0, &taskmgr));
+	CHECK(isc_task_create(taskmgr, 0, &maintask));
+	isc_taskmgr_setexcltask(taskmgr, maintask);
+
+	CHECK(isc_timermgr_create(mctx, &timermgr));
+	CHECK(isc_socketmgr_create(mctx, &socketmgr));
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cleanup_managers();
+	return (result);
+}
+
+isc_result_t
+isc_test_begin(FILE *logfile, bool start_managers,
+	       unsigned int workers)
+{
+	isc_result_t result;
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	CHECK(isc_mem_create(0, 0, &mctx));
+	CHECK(isc_entropy_create(mctx, &ectx));
+
+	CHECK(isc_hash_create(mctx, ectx, 255));
+	hash_active = true;
+
+	if (logfile != NULL) {
+		isc_logdestination_t destination;
+		isc_logconfig_t *logconfig = NULL;
+
+		CHECK(isc_log_create(mctx, &lctx, &logconfig));
+		isc_log_registercategories(lctx, categories);
+		isc_log_setcontext(lctx);
+
+		destination.file.stream = logfile;
+		destination.file.name = NULL;
+		destination.file.versions = ISC_LOG_ROLLNEVER;
+		destination.file.maximum_size = 0;
+		CHECK(isc_log_createchannel(logconfig, "stderr",
+					    ISC_LOG_TOFILEDESC,
+					    ISC_LOG_DYNAMIC,
+					    &destination, 0));
+		CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+	}
+
+#ifdef ISC_PLATFORM_USETHREADS
+	ncpus = isc_os_ncpus();
+#else
+	ncpus = 1;
+#endif
+
+	if (start_managers) {
+		CHECK(create_managers(workers));
+	}
+
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	isc_test_end();
+	return (result);
+}
+
+void
+isc_test_end(void) {
+	if (maintask != NULL)
+		isc_task_detach(&maintask);
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (hash_active) {
+		isc_hash_destroy();
+		hash_active = false;
+	}
+	if (ectx != NULL)
+		isc_entropy_detach(&ectx);
+
+	cleanup_managers();
+
+	if (lctx != NULL)
+		isc_log_destroy(&lctx);
+	if (mctx != NULL)
+		isc_mem_destroy(&mctx);
+}
+
+/*
+ * Sleep for 'usec' microseconds.
+ */
+void
+isc_test_nap(uint32_t usec) {
+#ifdef HAVE_NANOSLEEP
+	struct timespec ts;
+
+	ts.tv_sec = usec / 1000000;
+	ts.tv_nsec = (usec % 1000000) * 1000;
+	nanosleep(&ts, NULL);
+#elif HAVE_USLEEP
+	usleep(usec);
+#else
+	/*
+	 * No fractional-second sleep function is available, so we
+	 * round up to the nearest second and sleep instead
+	 */
+	sleep((usec / 1000000) + 1);
+#endif
+}
diff --git a/lib/isc/tests/isctest.h b/lib/isc/tests/isctest.h
new file mode 100644
index 0000000..e553b8a
--- /dev/null
+++ b/lib/isc/tests/isctest.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#define CHECK(r) \
+	do { \
+		result = (r); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
+extern isc_mem_t *mctx;
+extern isc_entropy_t *ectx;
+extern isc_log_t *lctx;
+extern isc_taskmgr_t *taskmgr;
+extern isc_timermgr_t *timermgr;
+extern isc_socketmgr_t *socketmgr;
+extern int ncpus;
+
+isc_result_t
+isc_test_begin(FILE *logfile, bool start_managers,
+	       unsigned int workers);
+/*%<
+ * Begin test, logging to 'logfile' or default if not specified.
+ *
+ * If 'start_managers' is set, start a task manager, timer manager,
+ * and socket manager.
+ *
+ * If 'workers' is zero, use the number of CPUs on the system as a default;
+ * otherwise, set up the task manager with the specified number of worker
+ * threads. The environment variable ISC_TASK_WORKERS overrides this value.
+ */
+
+void
+isc_test_end(void);
+
+void
+isc_test_nap(uint32_t usec);
diff --git a/lib/isc/tests/lex_test.c b/lib/isc/tests/lex_test.c
new file mode 100644
index 0000000..1315022
--- /dev/null
+++ b/lib/isc/tests/lex_test.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+ATF_TC(lex_0xff);
+ATF_TC_HEAD(lex_0xff, tc) {
+	atf_tc_set_md_var(tc, "descr", "check handling of 0xff");
+}
+ATF_TC_BODY(lex_0xff, tc) {
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_lex_t *lex = NULL;
+	isc_buffer_t death_buf;
+	isc_token_t token;
+
+	unsigned char death[] = { EOF, 'A' };
+
+	UNUSED(tc);
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_lex_create(mctx, 1024, &lex);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&death_buf, &death[0], sizeof(death));
+	isc_buffer_add(&death_buf, sizeof(death));
+
+	result = isc_lex_openbuffer(lex, &death_buf);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_lex_gettoken(lex, 0, &token);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+}
+
+ATF_TC(lex_setline);
+ATF_TC_HEAD(lex_setline, tc) {
+	atf_tc_set_md_var(tc, "descr", "check setting of source line");
+}
+ATF_TC_BODY(lex_setline, tc) {
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_lex_t *lex = NULL;
+	unsigned char text[] = "text\nto\nbe\nprocessed\nby\nlexer";
+	isc_buffer_t buf;
+	isc_token_t token;
+	unsigned long line;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_lex_create(mctx, 1024, &lex);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_buffer_init(&buf, &text[0], sizeof(text));
+	isc_buffer_add(&buf, sizeof(text));
+
+	result = isc_lex_openbuffer(lex, &buf);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_lex_setsourceline(lex, 100);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < 6; i++) {
+		result = isc_lex_gettoken(lex, 0, &token);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		line = isc_lex_getsourceline(lex);
+		ATF_REQUIRE_EQ(line, 100U + i);
+	}
+
+	result = isc_lex_gettoken(lex, 0, &token);
+	ATF_REQUIRE_EQ(result, ISC_R_EOF);
+
+	line = isc_lex_getsourceline(lex);
+	ATF_REQUIRE_EQ(line, 105U);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, lex_0xff);
+	ATF_TP_ADD_TC(tp, lex_setline);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/mem_test.c b/lib/isc/tests/mem_test.c
new file mode 100644
index 0000000..22de74f
--- /dev/null
+++ b/lib/isc/tests/mem_test.c
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <atf-c.h>
+
+#include "isctest.h"
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+
+static void *
+default_memalloc(void *arg, size_t size) {
+	UNUSED(arg);
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+	UNUSED(arg);
+	free(ptr);
+}
+
+ATF_TC(isc_mem);
+ATF_TC_HEAD(isc_mem, tc) {
+	atf_tc_set_md_var(tc, "descr", "general memory system tests");
+}
+
+#define	MP1_FREEMAX	10
+#define	MP1_FILLCNT	10
+#define	MP1_MAXALLOC	30
+
+#define	MP2_FREEMAX	25
+#define	MP2_FILLCNT	25
+
+ATF_TC_BODY(isc_mem, tc) {
+	isc_result_t result;
+	void *items1[50];
+	void *items2[50];
+	void *tmp;
+	isc_mem_t *localmctx = NULL;
+	isc_mempool_t *mp1 = NULL, *mp2 = NULL;
+	unsigned int i, j;
+	int rval;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mem_create(0, 0, &localmctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mempool_create(localmctx, 24, &mp1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mempool_create(localmctx, 31, &mp2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_mempool_setfreemax(mp1, MP1_FREEMAX);
+	isc_mempool_setfillcount(mp1, MP1_FILLCNT);
+	isc_mempool_setmaxalloc(mp1, MP1_MAXALLOC);
+
+	/*
+	 * Allocate MP1_MAXALLOC items from the pool.  This is our max.
+	 */
+	for (i = 0; i < MP1_MAXALLOC; i++) {
+		items1[i] = isc_mempool_get(mp1);
+		ATF_CHECK(items1[i] != NULL);
+	}
+
+	/*
+	 * Try to allocate one more.  This should fail.
+	 */
+	tmp = isc_mempool_get(mp1);
+	ATF_CHECK_EQ(tmp, NULL);
+
+	/*
+	 * Free the first 11 items.  Verify that there are 10 free items on
+	 * the free list (which is our max).
+	 */
+	for (i = 0; i < 11; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+	rval = isc_mempool_getfreecount(mp1);
+	ATF_CHECK_EQ(rval, 10);
+
+	rval = isc_mempool_getallocated(mp1);
+	ATF_CHECK_EQ(rval, 19);
+
+	/*
+	 * Now, beat up on mp2 for a while.  Allocate 50 items, then free
+	 * them, then allocate 50 more, etc.
+	 */
+
+	isc_mempool_setfreemax(mp2, 25);
+	isc_mempool_setfillcount(mp2, 25);
+
+	for (j = 0; j < 500000; j++) {
+		for (i = 0; i < 50; i++) {
+			items2[i] = isc_mempool_get(mp2);
+			ATF_CHECK(items2[i] != NULL);
+		}
+		for (i = 0; i < 50; i++) {
+			isc_mempool_put(mp2, items2[i]);
+			items2[i] = NULL;
+		}
+	}
+
+	/*
+	 * Free all the other items and blow away this pool.
+	 */
+	for (i = 11; i < MP1_MAXALLOC; i++) {
+		isc_mempool_put(mp1, items1[i]);
+		items1[i] = NULL;
+	}
+
+	isc_mempool_destroy(&mp1);
+	isc_mempool_destroy(&mp2);
+
+	isc_mem_destroy(&localmctx);
+
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &localmctx, ISC_MEMFLAG_INTERNAL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mempool_create(localmctx, 2, &mp1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	tmp = isc_mempool_get(mp1);
+	ATF_CHECK(tmp != NULL);
+
+	isc_mempool_put(mp1, tmp);
+
+	isc_mempool_destroy(&mp1);
+
+	isc_test_end();
+}
+
+ATF_TC(isc_mem_total);
+ATF_TC_HEAD(isc_mem_total, tc) {
+	atf_tc_set_md_var(tc, "descr", "test TotalUse calculation");
+}
+
+ATF_TC_BODY(isc_mem_total, tc) {
+	isc_result_t result;
+	isc_mem_t *mctx2 = NULL;
+	size_t before, after;
+	ssize_t diff;
+	int i;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* Local alloc, free */
+	mctx2 = NULL;
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &mctx2, 0);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	before = isc_mem_total(mctx2);
+
+	for (i = 0; i < 100000; i++) {
+		void *ptr;
+
+		ptr = isc_mem_allocate(mctx2, 2048);
+		isc_mem_free(mctx2, ptr);
+	}
+
+	after = isc_mem_total(mctx2);
+	diff = after - before;
+
+	printf("total_before=%lu, total_after=%lu, total_diff=%lu\n",
+	       (unsigned long)before, (unsigned long)after,
+	       (unsigned long)diff);
+	/* 2048 +8 bytes extra for size_info */
+	ATF_CHECK_EQ(diff, (2048 + 8) * 100000);
+
+	/* ISC_MEMFLAG_INTERNAL */
+
+	before = isc_mem_total(mctx);
+
+	for (i = 0; i < 100000; i++) {
+		void *ptr;
+
+		ptr = isc_mem_allocate(mctx, 2048);
+		isc_mem_free(mctx, ptr);
+	}
+
+	after = isc_mem_total(mctx);
+	diff = after - before;
+
+	printf("total_before=%lu, total_after=%lu, total_diff=%lu\n",
+	       (unsigned long)before, (unsigned long)after,
+	       (unsigned long)diff);
+	/* 2048 +8 bytes extra for size_info */
+	ATF_CHECK_EQ(diff, (2048 + 8) * 100000);
+
+ out:
+	if (mctx2 != NULL)
+		isc_mem_destroy(&mctx2);
+
+	isc_test_end();
+}
+
+ATF_TC(isc_mem_inuse);
+ATF_TC_HEAD(isc_mem_inuse, tc) {
+	atf_tc_set_md_var(tc, "descr", "test InUse calculation");
+}
+
+ATF_TC_BODY(isc_mem_inuse, tc) {
+	isc_result_t result;
+	isc_mem_t *mctx2 = NULL;
+	size_t before, during, after;
+	ssize_t diff;
+	void *ptr;
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	mctx2 = NULL;
+	result = isc_mem_createx2(0, 0, default_memalloc, default_memfree,
+				  NULL, &mctx2, 0);
+	if (result != ISC_R_SUCCESS)
+		goto out;
+
+	before = isc_mem_inuse(mctx2);
+	ptr = isc_mem_allocate(mctx2, 1024000);
+	during = isc_mem_inuse(mctx2);
+	isc_mem_free(mctx2, ptr);
+	after = isc_mem_inuse(mctx2);
+
+	diff = after - before;
+
+	printf("inuse_before=%lu, inuse_during=%lu, inuse_after=%lu\n",
+	       (unsigned long)before, (unsigned long)during,
+	       (unsigned long)after);
+	ATF_REQUIRE_EQ(diff, 0);
+
+ out:
+	if (mctx2 != NULL)
+		isc_mem_destroy(&mctx2);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_mem);
+	ATF_TP_ADD_TC(tp, isc_mem_total);
+	ATF_TP_ADD_TC(tp, isc_mem_inuse);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/netaddr_test.c b/lib/isc/tests/netaddr_test.c
new file mode 100644
index 0000000..aa41b96
--- /dev/null
+++ b/lib/isc/tests/netaddr_test.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+ATF_TC(netaddr_isnetzero);
+ATF_TC_HEAD(netaddr_isnetzero, tc) {
+	atf_tc_set_md_var(tc, "descr", "test netaddr_isnetzero");
+}
+ATF_TC_BODY(netaddr_isnetzero, tc) {
+	unsigned int i;
+	struct in_addr ina;
+	struct {
+		const char *address;
+		bool expect;
+	} tests[] = {
+		{ "0.0.0.0", true },
+		{ "0.0.0.1", true },
+		{ "0.0.1.2", true },
+		{ "0.1.2.3", true },
+		{ "10.0.0.0", false },
+		{ "10.9.0.0", false },
+		{ "10.9.8.0", false },
+		{ "10.9.8.7", false },
+		{ "127.0.0.0", false },
+		{ "127.0.0.1", false }
+	};
+	bool result;
+	isc_netaddr_t netaddr;
+
+	for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) {
+		ina.s_addr = inet_addr(tests[i].address);
+		isc_netaddr_fromin(&netaddr, &ina);
+		result = isc_netaddr_isnetzero(&netaddr);
+		ATF_CHECK_EQ_MSG(result, tests[i].expect,
+				 "%s", tests[i].address);
+	}
+}
+
+ATF_TC(netaddr_masktoprefixlen);
+ATF_TC_HEAD(netaddr_masktoprefixlen, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "isc_netaddr_masktoprefixlen() "
+			  "calculates correct prefix lengths ");
+}
+ATF_TC_BODY(netaddr_masktoprefixlen, tc) {
+	struct in_addr na_a;
+	struct in_addr na_b;
+	struct in_addr na_c;
+	struct in_addr na_d;
+	isc_netaddr_t ina_a;
+	isc_netaddr_t ina_b;
+	isc_netaddr_t ina_c;
+	isc_netaddr_t ina_d;
+	unsigned int plen;
+
+	UNUSED(tc);
+
+	ATF_CHECK(inet_pton(AF_INET, "0.0.0.0", &na_a) >= 0);
+	ATF_CHECK(inet_pton(AF_INET, "255.255.255.254", &na_b) >= 0);
+	ATF_CHECK(inet_pton(AF_INET, "255.255.255.255", &na_c) >= 0);
+	ATF_CHECK(inet_pton(AF_INET, "255.255.255.0", &na_d) >= 0);
+
+	isc_netaddr_fromin(&ina_a, &na_a);
+	isc_netaddr_fromin(&ina_b, &na_b);
+	isc_netaddr_fromin(&ina_c, &na_c);
+	isc_netaddr_fromin(&ina_d, &na_d);
+
+	ATF_CHECK_EQ(isc_netaddr_masktoprefixlen(&ina_a, &plen),
+		     ISC_R_SUCCESS);
+	ATF_CHECK_EQ(plen, 0);
+
+	ATF_CHECK_EQ(isc_netaddr_masktoprefixlen(&ina_b, &plen),
+		     ISC_R_SUCCESS);
+	ATF_CHECK_EQ(plen, 31);
+
+	ATF_CHECK_EQ(isc_netaddr_masktoprefixlen(&ina_c, &plen),
+		     ISC_R_SUCCESS);
+	ATF_CHECK_EQ(plen, 32);
+
+	ATF_CHECK_EQ(isc_netaddr_masktoprefixlen(&ina_d, &plen),
+		     ISC_R_SUCCESS);
+	ATF_CHECK_EQ(plen, 24);
+}
+
+ATF_TC(netaddr_multicast);
+ATF_TC_HEAD(netaddr_multicast, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "check multicast addresses are detected properly");
+}
+ATF_TC_BODY(netaddr_multicast, tc) {
+	unsigned int i;
+	struct {
+		int family;
+		const char *addr;
+		bool is_multicast;
+	} tests[] = {
+		{ AF_INET, "1.2.3.4", false },
+		{ AF_INET, "4.3.2.1", false },
+		{ AF_INET, "224.1.1.1", true },
+		{ AF_INET, "1.1.1.244", false },
+		{ AF_INET6, "::1", false },
+		{ AF_INET6, "ff02::1", true }
+	};
+
+	for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
+		isc_netaddr_t na;
+		struct in_addr in;
+		struct in6_addr in6;
+		int r;
+
+		if (tests[i].family == AF_INET) {
+			r = inet_pton(AF_INET, tests[i].addr,
+				      (unsigned char *)&in);
+			ATF_REQUIRE_EQ(r, 1);
+			isc_netaddr_fromin(&na, &in);
+		} else {
+			r = inet_pton(AF_INET6, tests[i].addr,
+				      (unsigned char *)&in6);
+			ATF_REQUIRE_EQ(r, 1);
+			isc_netaddr_fromin6(&na, &in6);
+		}
+
+		ATF_CHECK_EQ(isc_netaddr_ismulticast(&na),
+			     tests[i].is_multicast);
+	}
+}
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, netaddr_isnetzero);
+	ATF_TP_ADD_TC(tp, netaddr_masktoprefixlen);
+	ATF_TP_ADD_TC(tp, netaddr_multicast);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/parse_test.c b/lib/isc/tests/parse_test.c
new file mode 100644
index 0000000..edc8139
--- /dev/null
+++ b/lib/isc/tests/parse_test.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <unistd.h>
+#include <time.h>
+
+#include <isc/parseint.h>
+
+#include "isctest.h"
+
+/*
+ * Individual unit tests
+ */
+
+/* Test for 32 bit overflow on 64 bit machines in isc_parse_uint32 */
+ATF_TC(parse_overflow);
+ATF_TC_HEAD(parse_overflow, tc) {
+	atf_tc_set_md_var(tc, "descr", "Check for 32 bit overflow");
+}
+ATF_TC_BODY(parse_overflow, tc) {
+	isc_result_t result;
+	uint32_t output;
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_parse_uint32(&output, "1234567890", 10);
+	ATF_CHECK_EQ(ISC_R_SUCCESS, result);
+	ATF_CHECK_EQ(1234567890, output);
+
+	result = isc_parse_uint32(&output, "123456789012345", 10);
+	ATF_CHECK_EQ(ISC_R_RANGE, result);
+
+	result = isc_parse_uint32(&output, "12345678901234567890", 10);
+	ATF_CHECK_EQ(ISC_R_RANGE, result);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, parse_overflow);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/pool_test.c b/lib/isc/tests/pool_test.c
new file mode 100644
index 0000000..fb9197e
--- /dev/null
+++ b/lib/isc/tests/pool_test.c
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/mem.h>
+#include <isc/pool.h>
+
+#include "isctest.h"
+
+static isc_result_t
+poolinit(void **target, void *arg) {
+	isc_result_t result;
+
+	isc_taskmgr_t *mgr = (isc_taskmgr_t *) arg;
+	isc_task_t *task = NULL;
+	result = isc_task_create(mgr, 0, &task);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	*target = (void *) task;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+poolfree(void **target) {
+	isc_task_t *task = *(isc_task_t **) target;
+	isc_task_destroy(&task);
+	*target = NULL;
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Create a pool */
+ATF_TC(create_pool);
+ATF_TC_HEAD(create_pool, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a pool");
+}
+ATF_TC_BODY(create_pool, tc) {
+	isc_result_t result;
+	isc_pool_t *pool = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_pool_create(mctx, 8, poolfree, poolinit, taskmgr, &pool);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool), 8);
+
+	isc_pool_destroy(&pool);
+	ATF_REQUIRE_EQ(pool, NULL);
+
+	isc_test_end();
+}
+
+/* Resize a pool */
+ATF_TC(expand_pool);
+ATF_TC_HEAD(expand_pool, tc) {
+	atf_tc_set_md_var(tc, "descr", "expand a pool");
+}
+ATF_TC_BODY(expand_pool, tc) {
+	isc_result_t result;
+	isc_pool_t *pool1 = NULL, *pool2 = NULL, *hold = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_pool_create(mctx, 10, poolfree, poolinit, taskmgr, &pool1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool1), 10);
+
+	/* resizing to a smaller size should have no effect */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 5, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool2), 10);
+	ATF_REQUIRE_EQ(pool2, hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to the same size should have no effect */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 10, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool2), 10);
+	ATF_REQUIRE_EQ(pool2, hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to larger size should make a new pool */
+	hold = pool1;
+	result = isc_pool_expand(&pool1, 20, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool2), 20);
+	ATF_REQUIRE(pool2 != hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+
+	isc_pool_destroy(&pool2);
+	ATF_REQUIRE_EQ(pool2, NULL);
+
+	isc_test_end();
+}
+
+/* Get objects */
+ATF_TC(get_objects);
+ATF_TC_HEAD(get_objects, tc) {
+	atf_tc_set_md_var(tc, "descr", "get objects");
+}
+ATF_TC_BODY(get_objects, tc) {
+	isc_result_t result;
+	isc_pool_t *pool = NULL;
+	void *item;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_pool_create(mctx, 2, poolfree, poolinit, taskmgr, &pool);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_pool_count(pool), 2);
+
+	item = isc_pool_get(pool);
+	ATF_REQUIRE(item != NULL);
+	isc_task_attach((isc_task_t *) item, &task1);
+
+	item = isc_pool_get(pool);
+	ATF_REQUIRE(item != NULL);
+	isc_task_attach((isc_task_t *) item, &task2);
+
+	item = isc_pool_get(pool);
+	ATF_REQUIRE(item != NULL);
+	isc_task_attach((isc_task_t *) item, &task3);
+
+	isc_task_detach(&task1);
+	isc_task_detach(&task2);
+	isc_task_detach(&task3);
+
+	isc_pool_destroy(&pool);
+	ATF_REQUIRE_EQ(pool, NULL);
+
+	isc_test_end();
+}
+
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, create_pool);
+	ATF_TP_ADD_TC(tp, expand_pool);
+	ATF_TP_ADD_TC(tp, get_objects);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/print_test.c b/lib/isc/tests/print_test.c
new file mode 100644
index 0000000..259e301
--- /dev/null
+++ b/lib/isc/tests/print_test.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+/*
+ * Workout if we need to force the inclusion of print.c so we can test
+ * it on all platforms even if we don't include it in libisc.
+ */
+#include <isc/platform.h>
+#if !defined(ISC_PLATFORM_NEEDPRINTF) && \
+    !defined(ISC_PLATFORM_NEEDFPRINTF) && \
+    !defined(ISC_PLATFORM_NEEDSPRINTF) && \
+    !defined(ISC_PLATFORM_NEEDVSNPRINTF)
+#define ISC__PRINT_SOURCE
+#include "../print.c"
+#else
+#if !defined(ISC_PLATFORM_NEEDPRINTF) || \
+    !defined(ISC_PLATFORM_NEEDFPRINTF) || \
+    !defined(ISC_PLATFORM_NEEDSPRINTF) || \
+    !defined(ISC_PLATFORM_NEEDVSNPRINTF)
+#define ISC__PRINT_SOURCE
+#endif
+#include <isc/print.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#endif
+
+ATF_TC(snprintf);
+ATF_TC_HEAD(snprintf, tc) {
+	atf_tc_set_md_var(tc, "descr", "snprintf implementation");
+}
+ATF_TC_BODY(snprintf, tc) {
+	char buf[10000];
+	uint64_t ll = 8589934592ULL;
+	uint64_t nn = 20000000000000ULL;
+	uint64_t zz = 10000000000000000000ULL;
+	float pi = 3.141;
+	int n;
+	size_t size;
+
+	UNUSED(tc);
+
+	/*
+	 * 4294967296 <= 8589934592 < 1000000000^2 to verify fix for
+	 * RT#36505.
+	 */
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, ll);
+	ATF_CHECK_EQ(n, 10);
+	ATF_CHECK_STREQ(buf, "8589934592");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, ll);
+	ATF_CHECK_EQ(n, 10);
+	ATF_CHECK_STREQ(buf, "8589934592");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, nn);
+	ATF_CHECK_EQ(n, 14);
+	ATF_CHECK_STREQ(buf, "20000000000000");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, nn);
+	ATF_CHECK_EQ(n, 14);
+	ATF_CHECK_STREQ(buf, "20000000000000");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, zz);
+	ATF_CHECK_EQ(n, 20);
+	ATF_CHECK_STREQ(buf, "10000000000000000000");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRIu64, zz);
+	ATF_CHECK_EQ(n, 20);
+	ATF_CHECK_STREQ(buf, "10000000000000000000");
+
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%" PRId64, nn);
+	ATF_CHECK_EQ(n, 14);
+	ATF_CHECK_STREQ(buf, "20000000000000");
+
+	size = 1000;
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%zu", size);
+	ATF_CHECK_EQ(n, 4);
+	ATF_CHECK_STREQ(buf, "1000");
+
+	size = 1000;
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%zx", size);
+	ATF_CHECK_EQ(n, 3);
+	ATF_CHECK_STREQ(buf, "3e8");
+
+	size = 1000;
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "%zo", size);
+	ATF_CHECK_EQ(n, 4);
+	ATF_CHECK_STREQ(buf, "1750");
+
+	zz = 0xf5f5f5f5f5f5f5f5ULL;
+	memset(buf, 0xff, sizeof(buf));
+	n = isc_print_snprintf(buf, sizeof(buf), "0x%" PRIx64, zz);
+	ATF_CHECK_EQ(n, 18);
+	ATF_CHECK_STREQ(buf, "0xf5f5f5f5f5f5f5f5");
+
+	n = isc_print_snprintf(buf, sizeof(buf), "%.2f", pi);
+	ATF_CHECK_EQ(n, 4);
+	ATF_CHECK_STREQ(buf, "3.14");
+
+	/* Similar to the above, but additional characters follows */
+	n = isc_print_snprintf(buf, sizeof(buf), "%.2f1592", pi);
+	ATF_CHECK_EQ(n, 8);
+	ATF_CHECK_STREQ(buf, "3.141592");
+
+	/* Similar to the above, but with leading spaces */
+	n = isc_print_snprintf(buf, sizeof(buf), "% 8.2f1592", pi);
+	ATF_CHECK_EQ(n, 12);
+	ATF_CHECK_STREQ(buf, "    3.141592");
+
+	/* Similar to the above, but with trail spaces after the 4 */
+	n = isc_print_snprintf(buf, sizeof(buf), "%-8.2f1592", pi);
+	ATF_CHECK_EQ(n, 12);
+	ATF_CHECK_STREQ(buf, "3.14    1592");
+}
+
+ATF_TC(fprintf);
+ATF_TC_HEAD(fprintf, tc) {
+	atf_tc_set_md_var(tc, "descr", "fprintf implementation");
+}
+ATF_TC_BODY(fprintf, tc) {
+	FILE *f;
+	int n;
+	size_t size;
+	char buf[10000];
+
+	UNUSED(tc);
+
+	f = fopen("fprintf.test", "w+");
+	ATF_REQUIRE(f != NULL);
+
+	size = 1000;
+	n = isc_print_fprintf(f, "%zu", size);
+	ATF_CHECK_EQ(n, 4);
+
+	rewind(f);
+
+	memset(buf, 0, sizeof(buf));
+	n = fread(buf, 1, sizeof(buf), f);
+	ATF_CHECK_EQ(n, 4);
+
+	fclose(f);
+
+	ATF_CHECK_STREQ(buf, "1000");
+
+	if ((n > 0) && (!strcmp(buf, "1000")))
+		unlink("fprintf.test");
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, snprintf);
+	ATF_TP_ADD_TC(tp, fprintf);
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/queue_test.c b/lib/isc/tests/queue_test.c
new file mode 100644
index 0000000..843e641
--- /dev/null
+++ b/lib/isc/tests/queue_test.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+#include <time.h>
+
+#include <isc/queue.h>
+
+#include "isctest.h"
+
+typedef struct item item_t;
+struct item {
+	int 			value;
+	ISC_QLINK(item_t)	qlink;
+};
+
+typedef ISC_QUEUE(item_t) item_queue_t;
+
+static void
+item_init(item_t *item, int value) {
+	item->value = value;
+	ISC_QLINK_INIT(item, qlink);
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Test UDP sendto/recv (IPv4) */
+ATF_TC(queue_valid);
+ATF_TC_HEAD(queue_valid, tc) {
+	atf_tc_set_md_var(tc, "descr", "Check queue validity");
+}
+ATF_TC_BODY(queue_valid, tc) {
+	isc_result_t result;
+	item_queue_t queue;
+	item_t one, two, three, four, five;
+	item_t *p;
+
+	UNUSED(tc);
+
+	ISC_QUEUE_INIT(queue, qlink);
+
+	item_init(&one, 1);
+	item_init(&two, 2);
+	item_init(&three, 3);
+	item_init(&four, 4);
+	item_init(&five, 5);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(ISC_QUEUE_EMPTY(queue));
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_CHECK(p == NULL);
+
+	ATF_CHECK(! ISC_QLINK_LINKED(&one, qlink));
+	ISC_QUEUE_PUSH(queue, &one, qlink);
+	ATF_CHECK(ISC_QLINK_LINKED(&one, qlink));
+
+	ATF_CHECK(! ISC_QUEUE_EMPTY(queue));
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_REQUIRE(p != NULL);
+	ATF_CHECK_EQ(p->value, 1);
+	ATF_CHECK(ISC_QUEUE_EMPTY(queue));
+	ATF_CHECK(! ISC_QLINK_LINKED(p, qlink));
+
+	ISC_QUEUE_PUSH(queue, p, qlink);
+	ATF_CHECK(! ISC_QUEUE_EMPTY(queue));
+	ATF_CHECK(ISC_QLINK_LINKED(p, qlink));
+
+	ATF_CHECK(! ISC_QLINK_LINKED(&two, qlink));
+	ISC_QUEUE_PUSH(queue, &two, qlink);
+	ATF_CHECK(ISC_QLINK_LINKED(&two, qlink));
+
+	ATF_CHECK(! ISC_QLINK_LINKED(&three, qlink));
+	ISC_QUEUE_PUSH(queue, &three, qlink);
+	ATF_CHECK(ISC_QLINK_LINKED(&three, qlink));
+
+	ATF_CHECK(! ISC_QLINK_LINKED(&four, qlink));
+	ISC_QUEUE_PUSH(queue, &four, qlink);
+	ATF_CHECK(ISC_QLINK_LINKED(&four, qlink));
+
+	ATF_CHECK(! ISC_QLINK_LINKED(&five, qlink));
+	ISC_QUEUE_PUSH(queue, &five, qlink);
+	ATF_CHECK(ISC_QLINK_LINKED(&five, qlink));
+
+	/* Test unlink by removing one item from the middle */
+	ISC_QUEUE_UNLINK(queue, &three, qlink);
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_REQUIRE(p != NULL);
+	ATF_CHECK_EQ(p->value, 1);
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_REQUIRE(p != NULL);
+	ATF_CHECK_EQ(p->value, 2);
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_REQUIRE(p != NULL);
+	ATF_CHECK_EQ(p->value, 4);
+
+	ISC_QUEUE_POP(queue, qlink, p);
+	ATF_REQUIRE(p != NULL);
+	ATF_CHECK_EQ(p->value, 5);
+
+	ATF_CHECK(ISC_QUEUE_EMPTY(queue));
+
+	ISC_QUEUE_DESTROY(queue);
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, queue_valid);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/radix_test.c b/lib/isc/tests/radix_test.c
new file mode 100644
index 0000000..0a0b534
--- /dev/null
+++ b/lib/isc/tests/radix_test.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/radix.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <atf-c.h>
+
+#include <stdlib.h>
+
+#include "isctest.h"
+
+ATF_TC(isc_radix_search);
+ATF_TC_HEAD(isc_radix_search, tc) {
+	atf_tc_set_md_var(tc, "descr", "test radix seaching");
+}
+ATF_TC_BODY(isc_radix_search, tc) {
+	isc_radix_tree_t *radix = NULL;
+	isc_radix_node_t *node;
+	isc_prefix_t prefix;
+	isc_result_t result;
+	struct in_addr in_addr;
+	isc_netaddr_t netaddr;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_radix_create(mctx, &radix, 32);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in_addr.s_addr = inet_addr("3.3.3.0");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 24, false);
+
+	node = NULL;
+	result = isc_radix_insert(radix, &node, NULL, &prefix);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	node->data[0] = (void *)1;
+	isc_refcount_destroy(&prefix.refcount);
+
+	in_addr.s_addr = inet_addr("3.3.0.0");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 16, false);
+
+	node = NULL;
+	result = isc_radix_insert(radix, &node, NULL, &prefix);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	node->data[0] = (void *)2;
+	isc_refcount_destroy(&prefix.refcount);
+
+	in_addr.s_addr = inet_addr("3.3.3.3");
+	isc_netaddr_fromin(&netaddr, &in_addr);
+	NETADDR_TO_PREFIX_T(&netaddr, prefix, 22, false);
+
+	node = NULL;
+	result = isc_radix_search(radix, &node, &prefix);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(node->data[0], (void *)2);
+
+	isc_refcount_destroy(&prefix.refcount);
+
+	isc_radix_destroy(radix, NULL);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_radix_search);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/random_test.c b/lib/isc/tests/random_test.c
new file mode 100644
index 0000000..5637139
--- /dev/null
+++ b/lib/isc/tests/random_test.c
@@ -0,0 +1,670 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * IMPORTANT NOTE:
+ * These tests work by generating a large number of pseudo-random numbers
+ * and then statistically analyzing them to determine whether they seem
+ * random. The test is expected to fail on occasion by random happenstance.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <atf-c.h>
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <math.h>
+
+#define REPS 25000
+
+typedef double (pvalue_func_t)(isc_mem_t *mctx,
+			       uint16_t *values, size_t length);
+
+/* igamc(), igam(), etc. were adapted (and cleaned up) from the Cephes
+ * math library:
+ *
+ * Cephes Math Library Release 2.8:  June, 2000
+ * Copyright 1985, 1987, 2000 by Stephen L. Moshier
+ *
+ * The Cephes math library was released into the public domain as part
+ * of netlib.
+*/
+
+static double MACHEP = 1.11022302462515654042E-16;
+static double MAXLOG = 7.09782712893383996843E2;
+static double big = 4.503599627370496e15;
+static double biginv =	2.22044604925031308085e-16;
+
+static double igamc(double a, double x);
+static double igam(double a, double x);
+
+static double
+igamc(double a, double x) {
+	double ans, ax, c, yc, r, t, y, z;
+	double pk, pkm1, pkm2, qk, qkm1, qkm2;
+
+	if ((x <= 0) || (a <= 0))
+		return (1.0);
+
+	if ((x < 1.0) || (x < a))
+		return (1.0 - igam(a, x));
+
+	ax = a * log(x) - x - lgamma(a);
+	if (ax < -MAXLOG) {
+		fprintf(stderr, "igamc: UNDERFLOW, ax=%f\n", ax);
+		return (0.0);
+	}
+	ax = exp(ax);
+
+	/* continued fraction */
+	y = 1.0 - a;
+	z = x + y + 1.0;
+	c = 0.0;
+	pkm2 = 1.0;
+	qkm2 = x;
+	pkm1 = x + 1.0;
+	qkm1 = z * x;
+	ans = pkm1 / qkm1;
+
+	do {
+		c += 1.0;
+		y += 1.0;
+		z += 2.0;
+		yc = y * c;
+		pk = pkm1 * z  -  pkm2 * yc;
+		qk = qkm1 * z  -  qkm2 * yc;
+		if (qk != 0) {
+			r = pk / qk;
+			t = fabs((ans - r) / r);
+			ans = r;
+		} else
+			t = 1.0;
+
+		pkm2 = pkm1;
+		pkm1 = pk;
+		qkm2 = qkm1;
+		qkm1 = qk;
+
+		if (fabs(pk) > big) {
+			pkm2 *= biginv;
+			pkm1 *= biginv;
+			qkm2 *= biginv;
+			qkm1 *= biginv;
+		}
+	} while (t > MACHEP);
+
+	return (ans * ax);
+}
+
+static double
+igam(double a, double x) {
+	double ans, ax, c, r;
+
+	if ((x <= 0) || (a <= 0))
+		return (0.0);
+
+	if ((x > 1.0) && (x > a))
+		return (1.0 - igamc(a, x));
+
+	/* Compute  x**a * exp(-x) / md_gamma(a)  */
+	ax = a * log(x) - x - lgamma(a);
+	if( ax < -MAXLOG ) {
+		fprintf(stderr, "igam: UNDERFLOW, ax=%f\n", ax);
+		return (0.0);
+	}
+	ax = exp(ax);
+
+	/* power series */
+	r = a;
+	c = 1.0;
+	ans = 1.0;
+
+	do {
+		r += 1.0;
+		c *= x / r;
+		ans += c;
+	} while (c / ans > MACHEP);
+
+	return (ans * ax / a);
+}
+
+static int8_t scounts_table[65536];
+static uint8_t bitcounts_table[65536];
+
+static int8_t
+scount_calculate(uint16_t n) {
+	int i;
+	int8_t sc;
+
+	sc = 0;
+	for (i = 0; i < 16; i++) {
+		uint16_t lsb;
+
+		lsb = n & 1;
+		if (lsb != 0)
+			sc += 1;
+		else
+			sc -= 1;
+
+		n >>= 1;
+	}
+
+	return (sc);
+}
+
+static uint8_t
+bitcount_calculate(uint16_t n) {
+	int i;
+	uint8_t bc;
+
+	bc = 0;
+	for (i = 0; i < 16; i++) {
+		uint16_t lsb;
+
+		lsb = n & 1;
+		if (lsb != 0)
+			bc += 1;
+
+		n >>= 1;
+	}
+
+	return (bc);
+}
+
+static void
+tables_init(void) {
+	uint32_t i;
+
+	for (i = 0; i < 65536; i++) {
+		scounts_table[i] = scount_calculate(i);
+		bitcounts_table[i] = bitcount_calculate(i);
+	}
+}
+
+/*
+ * The following code for computing Marsaglia's rank is based on the
+ * implementation in cdbinrnk.c from the diehard tests by George
+ * Marsaglia.
+ *
+ * This function destroys (modifies) the data passed in bits.
+ */
+static uint32_t
+matrix_binaryrank(uint32_t *bits, size_t rows, size_t cols) {
+	size_t i, j, k;
+	unsigned int rt = 0;
+	uint32_t rank = 0;
+	uint32_t tmp;
+
+	for (k = 0; k < rows; k++) {
+		i = k;
+
+		while (rt >= cols || ((bits[i] >> rt) & 1) == 0) {
+			i++;
+
+			if (i < rows)
+				continue;
+			else {
+				rt++;
+				if (rt < cols) {
+					i = k;
+					continue;
+				}
+			}
+
+			return (rank);
+		}
+
+		rank++;
+		if (i != k) {
+			tmp = bits[i];
+			bits[i] = bits[k];
+			bits[k] = tmp;
+		}
+
+		for (j = i + 1; j < rows; j++) {
+			if (((bits[j] >> rt) & 1) == 0)
+				continue;
+			else
+				bits[j] ^= bits[k];
+		}
+
+		rt++;
+	}
+
+	return (rank);
+}
+
+static void
+random_test(pvalue_func_t *func) {
+	isc_mem_t *mctx = NULL;
+	isc_result_t result;
+	isc_rng_t *rng;
+	uint32_t m;
+	uint32_t j;
+	uint32_t histogram[11] = { 0 };
+	uint32_t passed;
+	double proportion;
+	double p_hat;
+	double lower_confidence, higher_confidence;
+	double chi_square;
+	double p_value_t;
+	double alpha;
+
+	tables_init();
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	rng = NULL;
+	result = isc_rng_create(mctx, NULL, &rng);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	m = 1000;
+	passed = 0;
+
+	for (j = 0; j < m; j++) {
+		uint32_t i;
+		uint16_t values[REPS];
+		double p_value;
+
+		for (i = 0; i < REPS; i++)
+			values[i] = isc_rng_random(rng);
+
+		p_value = (*func)(mctx, values, REPS);
+		if (p_value >= 0.01) {
+			passed++;
+		}
+
+		ATF_REQUIRE(p_value >= 0.0);
+		ATF_REQUIRE(p_value <= 1.0);
+
+		i = (int) floor(p_value * 10);
+		histogram[i]++;
+	}
+
+	isc_rng_detach(&rng);
+
+	/*
+	 * Check proportion of sequences passing a test (see section
+	 * 4.2.1 in NIST SP 800-22).
+	 */
+	alpha = 0.01; /* the significance level */
+	proportion = (double) passed / (double) m;
+	p_hat = 1.0 - alpha;
+	lower_confidence = p_hat - (3.0 * sqrt((p_hat * (1.0 - p_hat)) / m));
+	higher_confidence = p_hat + (3.0 * sqrt((p_hat * (1.0 - p_hat)) / m));
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("passed=%u/1000\n", passed);
+	printf("higher_confidence=%f, lower_confidence=%f, proportion=%f\n",
+	       higher_confidence, lower_confidence, proportion);
+
+	ATF_REQUIRE(proportion >= lower_confidence);
+	ATF_REQUIRE(proportion <= higher_confidence);
+
+	/*
+	 * Check uniform distribution of p-values (see section 4.2.2 in
+	 * NIST SP 800-22).
+	 */
+
+	/* Fold histogram[10] (p_value = 1.0) into histogram[9] for
+	 * interval [0.9, 1.0]
+	 */
+	histogram[9] += histogram[10];
+	histogram[10] = 0;
+
+	/* Pre-requisite that at least 55 sequences are processed. */
+	ATF_REQUIRE(m >= 55);
+
+	chi_square = 0.0;
+	for (j = 0; j < 10; j++) {
+		double numer;
+		double denom;
+
+		/* Debug message, not displayed when running via atf-run */
+		printf("hist%u=%u ", j, histogram[j]);
+
+		numer = (histogram[j] - (m / 10.0)) *
+			(histogram[j] - (m / 10.0));
+		denom = m / 10.0;
+		chi_square += numer / denom;
+	}
+
+	printf("\n");
+
+	p_value_t = igamc(9 / 2.0, chi_square / 2.0);
+
+	ATF_REQUIRE(p_value_t >= 0.0001);
+}
+
+/*
+ * This is a frequency (monobits) test taken from the NIST SP 800-22
+ * RNG test suite.
+ */
+static double
+monobit(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	size_t i;
+	int32_t scount;
+	uint32_t numbits;
+	double s_obs;
+	double p_value;
+
+	UNUSED(mctx);
+
+	numbits = length * 16;
+	scount = 0;
+
+	for (i = 0; i < length; i++)
+		scount += scounts_table[values[i]];
+
+	/* Preconditions (section 2.1.7 in NIST SP 800-22) */
+	ATF_REQUIRE(numbits >= 100);
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("numbits=%u, scount=%d\n", numbits, scount);
+
+	s_obs = abs(scount) / sqrt(numbits);
+	p_value = erfc(s_obs / sqrt(2.0));
+
+	return (p_value);
+}
+
+/*
+ * This is the runs test taken from the NIST SP 800-22 RNG test suite.
+ */
+static double
+runs(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	size_t i;
+	uint32_t bcount;
+	uint32_t numbits;
+	double pi;
+	double tau;
+	uint32_t j;
+	uint32_t b;
+	uint8_t bit_this;
+	uint8_t bit_prev;
+	uint32_t v_obs;
+	double numer;
+	double denom;
+	double p_value;
+
+	UNUSED(mctx);
+
+	numbits = length * 16;
+	bcount = 0;
+
+	for (i = 0; i < REPS; i++)
+		bcount += bitcounts_table[values[i]];
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("numbits=%u, bcount=%u\n", numbits, bcount);
+
+	pi = (double) bcount / (double) numbits;
+	tau = 2.0 / sqrt(numbits);
+
+	/* Preconditions (section 2.3.7 in NIST SP 800-22) */
+	ATF_REQUIRE(numbits >= 100);
+
+	/*
+	 * Pre-condition implied from the monobit test. This can fail
+	 * for some sequences, and the p-value is taken as 0 in these
+	 * cases.
+	 */
+	if (fabs(pi - 0.5) >= tau)
+		return (0.0);
+
+	/* Compute v_obs */
+	j = 0;
+	b = 14;
+	bit_prev = (values[j] & (1U << 15)) == 0 ? 0 : 1;
+
+	v_obs = 0;
+
+	for (i = 1; i < numbits; i++) {
+		bit_this = (values[j] & (1U << b)) == 0 ? 0 : 1;
+		if (b == 0) {
+			b = 15;
+			j++;
+		} else {
+			b--;
+		}
+
+		v_obs += bit_this ^ bit_prev;
+
+		bit_prev = bit_this;
+	}
+
+	v_obs += 1;
+
+	numer = fabs(v_obs - (2.0 * numbits * pi * (1.0 - pi)));
+	denom = 2.0 * sqrt(2.0 * numbits) * pi * (1.0 - pi);
+
+	p_value = erfc(numer / denom);
+
+	return (p_value);
+}
+
+/*
+ * This is the block frequency test taken from the NIST SP 800-22 RNG
+ * test suite.
+ */
+static double
+blockfrequency(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	uint32_t i;
+	uint32_t numbits;
+	uint32_t mbits;
+	uint32_t mwords;
+	uint32_t numblocks;
+	double *pi;
+	double chi_square;
+	double p_value;
+
+	numbits = length * 16;
+	mbits = 32000;
+	mwords = mbits / 16;
+	numblocks = numbits / mbits;
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("numblocks=%u\n", numblocks);
+
+	/* Preconditions (section 2.2.7 in NIST SP 800-22) */
+	ATF_REQUIRE(numbits >= 100);
+	ATF_REQUIRE(mbits >= 20);
+	ATF_REQUIRE((double) mbits > (0.01 * numbits));
+	ATF_REQUIRE(numblocks < 100);
+	ATF_REQUIRE(numbits >= (mbits * numblocks));
+
+	pi = isc_mem_get(mctx, numblocks * sizeof(double));
+	ATF_REQUIRE(pi != NULL);
+
+	for (i = 0; i < numblocks; i++) {
+		uint32_t j;
+		pi[i] = 0.0;
+		for (j = 0; j < mwords; j++) {
+			uint32_t idx;
+
+			idx = i * mwords + j;
+			pi[i] += bitcounts_table[values[idx]];
+		}
+		pi[i] /= mbits;
+	}
+
+	/* Compute chi_square */
+	chi_square = 0.0;
+	for (i = 0; i < numblocks; i++)
+		chi_square += (pi[i] - 0.5) * (pi[i] - 0.5);
+
+	chi_square *= 4 * mbits;
+
+	isc_mem_put(mctx, pi, numblocks * sizeof(double));
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("chi_square=%f\n", chi_square);
+
+	p_value = igamc(numblocks * 0.5, chi_square * 0.5);
+
+	return (p_value);
+}
+
+/*
+ * This is the binary matrix rank test taken from the NIST SP 800-22 RNG
+ * test suite.
+ */
+static double
+binarymatrixrank(isc_mem_t *mctx, uint16_t *values, size_t length) {
+	uint32_t i;
+	size_t matrix_m;
+	size_t matrix_q;
+	uint32_t num_matrices;
+	size_t numbits;
+	uint32_t fm_0;
+	uint32_t fm_1;
+	uint32_t fm_rest;
+	double term1;
+	double term2;
+	double term3;
+	double chi_square;
+	double p_value;
+
+	UNUSED(mctx);
+
+	matrix_m = 32;
+	matrix_q = 32;
+	num_matrices = length / ((matrix_m * matrix_q) / 16);
+	numbits = num_matrices * matrix_m * matrix_q;
+
+	/* Preconditions (section 2.5.7 in NIST SP 800-22) */
+	ATF_REQUIRE(matrix_m == 32);
+	ATF_REQUIRE(matrix_q == 32);
+	ATF_REQUIRE(numbits >= (38 * matrix_m * matrix_q));
+
+	fm_0 = 0;
+	fm_1 = 0;
+	fm_rest = 0;
+	for (i = 0; i < num_matrices; i++) {
+		/*
+		 * Each uint32_t supplies 32 bits, so a 32x32 bit matrix
+		 * takes up uint32_t array of size 32.
+		 */
+		uint32_t bits[32];
+		int j;
+		uint32_t rank;
+
+		for (j = 0; j < 32; j++) {
+			size_t idx;
+			uint32_t r1;
+			uint32_t r2;
+
+			idx = i * ((matrix_m * matrix_q) / 16);
+			idx += j * 2;
+
+			r1 = values[idx];
+			r2 = values[idx + 1];
+			bits[j] = (r1 << 16) | r2;
+		}
+
+		rank = matrix_binaryrank(bits, matrix_m, matrix_q);
+
+		if (rank == matrix_m)
+			fm_0++;
+		else if (rank == (matrix_m - 1))
+			fm_1++;
+		else
+			fm_rest++;
+	}
+
+	/* Compute chi_square */
+	term1 = ((fm_0 - (0.2888 * num_matrices)) *
+		 (fm_0 - (0.2888 * num_matrices))) / (0.2888 * num_matrices);
+	term2 = ((fm_1 - (0.5776 * num_matrices)) *
+		 (fm_1 - (0.5776 * num_matrices))) / (0.5776 * num_matrices);
+	term3 = ((fm_rest - (0.1336 * num_matrices)) *
+		 (fm_rest - (0.1336 * num_matrices))) / (0.1336 * num_matrices);
+
+	chi_square = term1 + term2 + term3;
+
+	/* Debug message, not displayed when running via atf-run */
+	printf("fm_0=%u, fm_1=%u, fm_rest=%u, chi_square=%f\n",
+	       fm_0, fm_1, fm_rest, chi_square);
+
+	p_value = exp(-chi_square * 0.5);
+
+	return (p_value);
+}
+
+ATF_TC(isc_rng_monobit);
+ATF_TC_HEAD(isc_rng_monobit, tc) {
+	atf_tc_set_md_var(tc, "descr", "Monobit test for the RNG");
+}
+
+ATF_TC_BODY(isc_rng_monobit, tc) {
+	UNUSED(tc);
+
+	random_test(monobit);
+}
+
+ATF_TC(isc_rng_runs);
+ATF_TC_HEAD(isc_rng_runs, tc) {
+	atf_tc_set_md_var(tc, "descr", "Runs test for the RNG");
+}
+
+ATF_TC_BODY(isc_rng_runs, tc) {
+	UNUSED(tc);
+
+	random_test(runs);
+}
+
+ATF_TC(isc_rng_blockfrequency);
+ATF_TC_HEAD(isc_rng_blockfrequency, tc) {
+	atf_tc_set_md_var(tc, "descr", "Block frequency test for the RNG");
+}
+
+ATF_TC_BODY(isc_rng_blockfrequency, tc) {
+	UNUSED(tc);
+
+	random_test(blockfrequency);
+}
+
+ATF_TC(isc_rng_binarymatrixrank);
+ATF_TC_HEAD(isc_rng_binarymatrixrank, tc) {
+	atf_tc_set_md_var(tc, "descr", "Binary matrix rank test for the RNG");
+}
+
+/*
+ * This is the binary matrix rank test taken from the NIST SP 800-22 RNG
+ * test suite.
+ */
+ATF_TC_BODY(isc_rng_binarymatrixrank, tc) {
+	UNUSED(tc);
+
+	random_test(binarymatrixrank);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_rng_monobit);
+	ATF_TP_ADD_TC(tp, isc_rng_runs);
+	ATF_TP_ADD_TC(tp, isc_rng_blockfrequency);
+	ATF_TP_ADD_TC(tp, isc_rng_binarymatrixrank);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/regex_test.c b/lib/isc/tests/regex_test.c
new file mode 100644
index 0000000..b5e88b3
--- /dev/null
+++ b/lib/isc/tests/regex_test.c
@@ -0,0 +1,1121 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_REGEX_H
+#include <regex.h>
+#endif
+
+#include <isc/regex.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+ATF_TC(regex_validate);
+ATF_TC_HEAD(regex_validate, tc) {
+	atf_tc_set_md_var(tc, "descr", "check isc_regex_validate()");
+}
+ATF_TC_BODY(regex_validate, tc) {
+	/*
+	 *  test regex were generated using http://code.google.com/p/regfuzz/
+	 *  modified to use only printable characters
+	 */
+	struct {
+		const char * expression;
+		int expect;
+		int exception;		/* regcomp accepts but is disallowed. */
+	} tests[] = {
+		{ "", -1, 0 },
+		{ "*", -1, 0 },
+		{ ".*", 0, 0 },
+		{ ".**", -1, 0 },
+		{ ".*\?", -1, 0 },
+		{ ".*+", -1, 0 },
+		{ "+", -1, 0 },
+		{ ".+", 0, 0 },
+		{ ".++", -1, 0 },
+		{ ".+\?", -1, 0 },
+		{ ".+*", -1, 0 },
+		{ "\?", -1, 0 },
+		{ ".\?", 0, 0 },
+		{ ".\?\?", -1, 0 },
+		{ ".\?*", -1, 0 },
+		{ ".\?+", -1, 0 },
+		{ "(", -1, 0 },
+		{ "()", 1, 0 },
+		{ "(|)", -1, 0 },
+		{ "(a|)", -1, 0 },
+		{ "(|b)", -1, 0 },
+		{ ".{", 0, 0 },
+		{ ".{1", -1, 0 },
+		{ ".\\{1", 0, 0 },
+		{ ".{1}", 0, 0 },
+		{ ".\\{1}", 0, 0 },
+		{ ".{,", 0, 0 },
+		{ ".{,}", 0, 0 },
+		{ ".{1,}", 0, 0 },
+		{ ".\\{1,}", 0, 0 },
+		{ ".{1,\\}", -1, 0 },
+		{ ".{1,", -1, 0 },
+		{ ".\\{1,", 0, 0 },
+		{ ".{1,2}", 0, 0 },
+		{ ".{1,2}*", -1, 0 },
+		{ ".{1,2}+", -1, 0 },
+		{ ".{1,2}\?", -1, 0 },
+		{ ".{1,2", -1, 0 },
+		{ ".{2,1}", -1, 0 },
+		{ "[", -1, 0 },
+		{ "[]", -1, 0 },
+		{ "[]]", 0, 0 },
+		{ "[[]", 0, 0 },
+		{ "[^]", -1, 0 },
+		{ "[1-2-3]", -1, 0 },
+		{ "[1-22-3]", 0, 0 },
+		{ "[+--23]", 0, 0 },
+		{ "[+--]", 0, 0 },
+		{ "[-1]", 0, 0 },
+		{ "[1-]", 0, 0 },
+		{ "[[.^.]]", 0, 0 },
+		{ "[^]]", 0, 0 },
+		{ "[^^]", 0, 0 },
+		{ "[]]\?", 0, 0 },
+		{ "[[]\?", 0, 0 },
+		{ "[[..]]", -1, 0 },
+		{ "[[...]]", 0, 0 },
+		{ "[[..5.]--]", -1, 0 },
+		{ "[[.+.]--]", 0, 0 },
+		{ "[[..+.]--]", -1, 0 },
+		{ "[[.5.]--]", -1, 0 },
+		{ "[1-[=x=]]", -1, 0 },
+		{ "[[:alpha:]]", 0, 0 },
+		{ "[[:alpha:]", -1, 0 },
+		{ "[[:alnum:]]", 0, 0 },
+		{ "[[:alnum:]", -1, 0 },
+		{ "[[:digit:]]", 0, 0 },
+		{ "[[:digit:]", -1, 0 },
+		{ "[[:punct:]]", 0, 0 },
+		{ "[[:punct:]", -1, 0 },
+		{ "[[:graph:]]", 0, 0 },
+		{ "[[:graph:]", -1, 0 },
+		{ "[[:space:]]", 0, 0 },
+		{ "[[:space:]", -1, 0 },
+		{ "[[:blank:]]", 0, 0 },
+		{ "[[:blank:]", -1, 0 },
+		{ "[[:upper:]]", 0, 0 },
+		{ "[[:upper:]", -1, 0 },
+		{ "[[:cntrl:]]", 0, 0 },
+		{ "[[:cntrl:]", -1, 0 },
+		{ "[[:print:]]", 0, 0 },
+		{ "[[:print:]", -1, 0 },
+		{ "[[:xdigit:]]", 0, 0 },
+		{ "[[:xdigit:]", -1, 0 },
+		{ "[[:unknown:]]", -1, 0 },
+		{ "\\[", 0, 0 },
+		{ "(a)\\1", 1, 0 },
+		{ "(a)\\2", -1, 1 },
+		{ "\\0", 0, 0 },
+		{ "[[][:g(\?(raph:][:alnu)(\?{m:][:space:]h]<Z3})AAA)S[:space:]{176,}", 0, 0 },
+		{ "(()IIIIIIII(III[[[[[[[[[[[[[[[[[[^[[[[[[[[              [^       fX][:ascii:].)N[:a(\?<!lpha:])][:punct:]e*y+)a{-124,223}", 3, 0 },
+		{ "(pP\\\\\\(\?<!\\\\\\\\\\\\\\\\\\\\\\lRRRRRRRRRRRRRRRRBBBBBBBBBBBBBBBB))kkkkkkkkkkkkkkkkkkkkk|^", 1, 0 },
+		{ "[^[^[{111}(\?=(\?:(\?>/r(\?<(\?=!(\?(\?!<!Q(\?:=0_{Meqipm`(\?((\?{x|N)))))|))+]+]Z)O{,-215}])}))___________________{}", 0, 0 },
+		{ "[C{,-218(\?=}E^< ]PP-Ga)t``````````````````````````{138}", 0, 0 },
+		{ "[^h(\?<!(\?>Nn(\?#])))", 0, 0 },
+		{ "[(\?!(\?<=[^{,37}AAAA(AAAAAAAAAAAAA])", 0, 0 },
+		{ "[^((\?(\?:ms(\?<!xims:A{}(\?{*</H(\?=xL $(\?<!,[})))*)qqqqqqqqqqqqqqqqqq)]33333333333333333333333333333{[:graph:]p)-+( oqD]){-10,}-{247}_______________________X-e[:alpha:][:upperword:]_(______wwwwwwwww /c[:upperword:][:alnum:][:alnum:][:pun(\?{ct:])[:blankcntrl:]})*_*", 2, 0 },
+		{ "[(\?<!:lowerprin(\?{t:]{}}){113,})[:punct:]IIIIIIIIIIIIIIIIIIIIIIII", 0, 0 },
+		{ "PP)", 0, 0 },
+		{ "(([^(\?<!((\?>\?=[])p.]}8X[:blankcntrl:],{-119,94})XmF1.{)-)[:upperword:])[:digit:]{zg-q", 2, 0 },
+		{ "[^[({(\?#254}))Z[l][x50]=444444444444(4444444444u[:punct:]\?[:punct:(\?!])])", 1, 0 },
+		{ "[^[^[^([^((*4[(^((\?<=])Ec)", 0, 0 },
+		{ "(0)Y:8biiiiiiiiiiiiiiiiiii", 1, 0 },
+		{ "[^w(\?!)P::::::::::::::(\?#::(\?<=:::::::::]\"\"{}[3333333333333333(\?<=33333(\?!)9Xja][:alph(\?<=a:])xB1)(PX8Cf\?4444)qq[:digit:])", 1, 0 },
+		{ "([U[^[^].]^m]/306KS7JJJJJJJJ{})", 1, 0 },
+		{ "[^[^([^[(\?!(\?>8j`Wg2(\?{,(\?>!#N++++(\?<![++++++)+44444444bA:K(\?<!O3([:digit:]3]}}}}}}}}}}}}}}}}}}}}}}}}LP})S", 0, 0 },
+		{ "[({(\?{,(\?(=213}*))})]WWWWWWWWWWWWWWW[:alnum:])", 0, 0 },
+		{ "[:(\?<=ascii:])", 0, 0 },
+		{ "[U(\?#)(\?<=+HzE])[:punct:]{-207,170}\?s.!", 0, 0 },
+		{ "{}z=jU75~n#soD\"&\?UL`X{xxxxxxxxxxxxxxxxxxxx(xxxxxx${-246,27}[:graph:]g\"{_bX)[:alnum:][:punct:]{-79,}-", 1, 0 },
+		{ "[^{,-186}@@@@[^(\?{@@(\?>@+(\?>l.]}))*\\BCYX]^W{52,123}(lXislccccccccccccccccc)-*)", 1, 0 },
+		{ "(x42+,)7=]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]", 1, 0 },
+		{ "[^(*[:graph:]q/TH\?B(\?{P)]})uZn[:digit:]+2", 0, 0 },
+		{ "([XXXXXXXXXXXXXXXXXXXXX[(:alnum:][:space:]i%[:upperw(\?=o(\?#rd:])) ", 1, 0 },
+		{ "(@@@@)", 1, 0 },
+		{ "{-18,}[:as[(\?>^[cii:]]{}>+{-46,}{,95}[:punct:]{}99999999999999])-{-134}'sK$wCKjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj", 0, 0 },
+		{ "(l[:alpha:(\?!]))", 1, 0 },
+		{ "[[^(\?{]|JJ[:alph(a:]X{})B^][:lowerprint:]n-219{-32}{19,105}k4P}){,-144}", 0, 0 },
+		{ "[[^]P[:punct:][:alpha:][:xdigit:]syh]|W#JS*(m<2,P-RK)cA@", 1, 0 },
+		{ "([^((\?({\?<=)}){[^}^]{}])^P4[:punct:[]$)]", 1, 0 },
+		{ "([(\?#:(\?{space:]}):{}{-242,}n)F[:alpha:]3$)d4H3up6qS[:blankcntrl:]B:C{}[:upperword:]r", 1, 0 },
+		{ "([(\?:]))[:digit:]mLV.{}", 1, 0 },
+		{ "[^PPP-[]{[,50}{128,}]111111111111111]p", 0, 0 },
+		{ "[^([^([^([[^[([^[^[[2[[[[[[[[[[[[[^[[[[(\?(\?{:[[[[[[(\?([-[:ascii:]--*)", -1, 0 },
+		{ ")!F^DA/ZZZZZZZZZZZZZZZZZZ", 0, 0 },
+		{ "[[[[[[[((\?=\?(\?>([[[[[[[^[[[[(\?()[[[K(\?#))])))]7Y[:space:]{,-96}pP)[:ascii:]u{-88}:N{-251}uo", 0, 0 },
+		{ "t[:x(\?<=digit:])eYYYYYYYYYYYYYYYYYY{,-220}A", 0, 0 },
+		{ "[[({10,}[:graph:]Pdddddd(\?#X)])[:alnum:(]]L-C){,50}[:blankcntrl:]p[:gra(ph:]){66,}", 0, 0 },
+		{ "[^[^]*4br]w[:digit(\?::]n99999999999999999)P[:punct:]pP", 0, 0 },
+		{ "[:digit:]{67,247}!N{122})VrXe", 0, 0 },
+		{ "[:xdigit:]^[:xdigit:]Z[:alnum:]^^^^1[:upperword:(\?=])[:lowerprint:]*JJ-", 0, 0 },
+		{ "[[(\?imsximsx:^*e(){,3[6}](V~\?^[:asc(\?!ii:]I.dZ))]$^AAAAAAAAAAAAAAAAAAAAAAAA[:space:]k)]", 1, 0 },
+		{ "W{,112}[:lowerp(\?<!rint:]$#GT>R7~t'\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"9,O).", 0, 0 },
+		{ "[^{6((\?>\?:4}(\?<=G))f)KKKKKKKKKKKKKKKKKKKKKKKKKKKKKpppppppp(\?=ppppp]{,-101}|[:blankcntrl:]Z{-182})", 0, 0 },
+		{ "([:punct:]@^,,,,,,,,,,,,,,,,,,,,,,,,,,0\?:-o8NPIIIIIIIII)pPKKKKKKKKKKKKKKKKKKKK", 1, 0 },
+		{ "([^[[^[^]]]])", 1, 0 },
+		{ "[([^[(333\"(\?#\\\\[)(\?isx-x:\"Tx]')", 0, 0 },
+		{ "[[n>^>T%.zzzzzzzzzzzzzzzzz$&|Fk.1o7^o, ^8{202,-12}$[:alnum:]]G[:upperword:]V[:xdigit:]L|[:upperword:]KKKKKKKKKKKKYX\"\")xJ ~B@[{,-68}/][:upperword:]QI.", 0, 0 },
+		{ "[^[]tN^hy3\"d@v T[GE\?^~{124,10(\?{2}]})\?[:upperword:]O", 0, 0 },
+		{ "d.``````````````````````````[:up(\?=perword:]RRRRRRRRRRRRRRR)", 0, 0 },
+		{ "[Z{{{{{{{{{{{{{(\?={(\?<!{{{{{{{{{(\?>{{J6N:H[tA+mN3Zmf:p\?]\?){-181,82}S4n.b[:lowerpri(\?{nt:]|ggggggggggggggggggggggggggggggg}))4)", 0, 0 },
+		{ "[^((/////[^////[^/////////[(^/////]fI{240}{-120}+]R]GA)", 0, 0 },
+		{ "[-(\?#.)(\?())[:alpha:](\?={(\?#}r)[:space:]PPW]o)", 0, 0 },
+		{ "[:lowerp(\?{rint:]})201{46,}[:a[^scii:]0Q{37,}][:blankcntrl:]1331", 0, 0 },
+		{ "[^(\?!(\?#)\\GIwxKKKKKKKKKK'$KKKKKKKK]l)bbb^&\?", 0, 0 },
+		{ "[:ascii:]*[:sp(\?<=ace:])", 0, 0 },
+		{ "({-66,}Z{})0I{-111,}[:punct(\?():])", 1, 0 },
+		{ "[[^(\?!()%%%%%%%%%%%%%(\?:%%%%%%%%%%%%%%%%)t(\?{VX>B#6sUU(\?<!UUUUUU(\?=UUU[^UUUUUUUUUUUU(\?((\?:UPPPPPPPPPPP)PPPPPPPPPPPPPPP]ffffffffffffffffffffffff)^[:space:]wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww{243}9[:lowerprint:]Dv[:graph:])][:blankcntrl:]V%E[:graph:]})[:space:]{-83,}cQZ{}4{-23,135}", 0, 0 },
+		{ "({,-76[}]O[:xdi(\?<!git:])\?5))))))))\?d[:lowerprint:]b666666[:graph:]c", 1, 0 },
+		{ "{}{-145,}[:(\?(spa)ce:])f", 0, 0 },
+		{ "[([^].{116,243}]T*[[^:punct(\?[{[^:(\?<!]]8()])[:alnum:])})]N{}{,243}*[n]][:graph:]", 1, 0 },
+		{ "[^w]8888888888888888_________(__________[:ascii:]BdqTE$^0|MNto*i#############[^#################])", 1, 0 },
+		{ "[^[[[<[()\?]GGG{,26[}[:alnum:]SSSSS.gggggggg[:graph:]CCCCCCCCCCC{79,}{138,191}][:di(git:]u]@]JJJJJJJJJJJJJJJJJJJJJJJ[:graph:(\?:][:alnum:]])[:alnum:])]", 0, 0 },
+		{ "[^(((BBBBBBBBBB(\?>BBBZvvvvvvvvvv(\?m(sximsx:vvv)iiiiiiii)))j>Rs:Sm]0MMMMMMMMMMM|@F)Y]*^#EEEEEEE)*", 0, 0 },
+		{ "([^([(U(\?!)<<<<<<<<<<(\?#<<<<(\?<!<<<)(\?=L.{73,})+]n9U}fk%Jn}'b Na<%yyyyyyyyyyyy)){-198,}]))[:space:].pP361U]3s@u_9AU Te/{s`6=IMZdL1|.ySRo", 1, 0 },
+		{ "[[((\?<=\?>(\?#){}]{}`){1,82}){-143[,}]^G", 0, 0 },
+		{ "[:digit:]W|[:up(\?<!perword:]{,-101}llllllllllllllllll[:upperword:])mmYYYYYYYYYYYYYYYYYYYYYYY*", 0, 0 },
+		{ "@NHy)", 0, 0 },
+		{ "([^[^]][:alnum:]222[^22222222(\?{2222222222222222][:lo(\?:werprint:][:xdigit:]^[:blankcntrl:]s+N)[:alpha:]-NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNWxxxxxxxxxxxxxxxxxxxxxxxxxxD[:space:]U)TTTTTTTTTTfffffffffffzzzzzzzzzzzzzzzzzzzzzzzzz})", 1, 0 },
+		{ "[^[^[[^[][^[]pP([^\?[^<=(\?=]){158,})]]]][:digit:]]K22222222222p^dUKJ`\">@]", 1, 0 },
+		{ "[^[^[(\?imsximsx::p(\?{unct:][(\?>:ascii:]5w)]{159}\\Q\?@C]4(44444444}[^)|)[:graph:]]C:b)", 1, 0 },
+		{ "[^[[(tYri[W<8%1(\?='yt][:lowerprint:[]))1r]][:alnum:][:digit:]{48}{-52,-183}+][:alpha:]r][:upperword:]\?{-105,155}{-55,-87}pPN#############################{63,232}]", 0, 0 },
+		{ "[*(\?>L(\?<(\?>=))]&&&&&&&(&&&&&&&&&&&&&&&&&&))[|WIX]{-62,-114}S  K=HW60XE<2+W", 1, 0 },
+		{ "(00000000000)z\\\\*t{}R{88}[:alnum:]*", 1, 0 },
+		{ "(([^(\?=\?gggggg[gLw)]{-250,}[:xdigit:]yZ[:g(raph:]8QNr[:space:][:blankcntrl:]A)][:digit:]D)[:xdigit:])", 2, 0 },
+		{ "[^([^,(\?<!]*))]", 0, 0 },
+		{ "[^(\?{[:alnum:]]}}}}}}}}}}}}}}}}}}}}}}}){-83}", 0, 0 },
+		{ "WWWWWWWW[:alnum(\?<=(\?#:]{,-1})@OSSS)[:digit:]", 0, 0 },
+		{ "[^(\?!*]+G)", 0, 0 },
+		{ "[LLLLLLLLLLLLLLLLLLLLLLLLLLLLLL>s8.>[^{}$(\?(]]XXXXXXX)XXXXXXXXXXXXXX[:alpha:]Whii\?p[:xdigit:])+", 0, 0 },
+		{ "(7777[:blankcntrl:])", 1, 0 },
+		{ "[^C[:digit:]]{}YYYY(YYYYYYYYYYYYYYYY)", 1, 0 },
+		{ "on|,#tve%F(w-::::::::::::::::::::::::::::*=->)", 1, 0 },
+		{ "([((\?=(\?!((\?=')))27(<{})S-vvvvvvvvvv(\?=vvvvvvvvvvvvvvvvv[:punct:][:alnum:]}}}}}}}}}}}}}}}}}}}}}}}PPPPPPPPPPPPPPPPPPPPPPPPPPPPPgggggggggggggggggggggggggg(\?#(\?#gggggg<X){}]{-164,61})>+))uQ)W>[:punct:][:xdigit:][:digit:][:punct:]{}[:digit:][:space:]){,-105}=xiAyf}o[:alpha:]akZSYK+sl{", 1, 0 },
+		{ "[^[^]/S:Hq<[:upperword:(\?<=]W[:alnum:]X])1973", 0, 0 },
+		{ "[[^[[^([^VVVV(\?!(VVVVVVVVVVVVVVVVVVVVV[VVVVX][^]2))98ppppppppppppppppppppppppppppppp/////////////////////b.]G{-101,}[:[ascii:]P].=~])AAAAAAAAAAAAA2{-153,}]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]][:alnum:][:lowerprint:]WN/D!rD]|4444{180}]V_@3lW#lat]", 0, 0 },
+		{ "[^[^([^TTTTT(\?:T(\?:T7777{,59}])[:graph:][:ascii(\?<=:]))f]AD{,-43}%%%%%%%%%%%%%%%%)S|[:digit:]FZm<[:blankcntrl:]QT&xj*{-114,}$[:xdigit:]042][:xdig[it:]{-180}027[:alpha:][:ascii:][:lowerprint:][:xdigit:]^|[:alnum:][^Mi]z!suQ{-44,-32}[:digit:]]", 0, 0 },
+		{ ")", 0, 0 },
+		{ "''''''''''[:a(\?imsxisx:lnum:])P", 0, 0 },
+		{ "(([{20(\?<=8}[:alnum:]pP$`(\?#N)wRH[:graph:]aaaaaaaaaaaaaa(\?=aaaaaaaaaaaaaaaaP]a)))[:punct:]-\?)A^", 2, 0 },
+		{ "[^(.//[:punct:]&-333333333333333333333333333(\?<!33)LLLLLLLLLLLLLLLLL[:alnum:]$1]~8]|^\"A[:xdigit:]\?[:ascii:]{128,}{,-74}[:graph:]{157}3N){-196,184}D", 0, 0 },
+		{ "[^($(\?{(\?<=)[#)]})[:space:]]nWML0D{}", 0, 0 },
+		{ ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,[^]x{213,-93}(\?{A7]V{}})", 0, 0 },
+		{ "[k(\?=*)+^[f(])r_H6", 0, 0 },
+		{ "[(\?#(\?{)]q})", 0, 0 },
+		{ "([GLLLLLLLLLL(\?!((\?:LLLLLLLL]))C#T$Y))^|>W90DDDDDDDDDDD[^DDDDDDDDDDDDDDDDDDDD]B[:punct:]c/", 1, 0 },
+		{ "[^(\?<!)(\?{b}){,199}A[:space:]+++++++(\?!++++++++{36}Tn])", 0, 0 },
+		{ "()[:alpha:]a", 1, 0 },
+		{ "[(\?(:blan)kcntrl:])lUUUUUUUUUUUUUUUUUUUUUUU", 0, 0 },
+		{ "[^[^(s[[[[[[[[[[[[[[(\?#[[[[[[[)\?`````][:blankcntrl:(\?>]|)p1EmmmmmmmmmmmmmmmmmmmmmmmmmmmmL{-241}666666666666666666666)]^bLDDDDDDDDDDDDD]", 0, 0 },
+		{ "[nn(\?<!nnnnn(\?#n8)=````````````````````{41,}]U,cb*%Y[:graph:]).[:alnum:]\\\\\\\\\\gt", 0, 0 },
+		{ "()\?5{,-195}lm*Ga[:space:]Y", 1, 0 },
+		{ "[(\?:].di)c", 0, 0 },
+		{ "([([^([\?{})Za,$S(\?!p(\?{++(\?##V(\?<!Evuil.2(\?<![^[h|[^']C)*\"]5]", 1, 0 },
+		{ "[((^24(\?#4[^Kkj{}))]]{232}47)077[:alpha:]zzzzzzzz{}", 0, 0 },
+		{ "[^(\?:[^F]o$h)-iV%]", 0, 0 },
+		{ "[[^[([((([^(\?{[^((\?=)kaSx(\?imsximsx:w3A[`%+A$I{,62}ns&Y!#ay o9YAo{Y>1((\?>\?#45)Z{,108}{}11111111111111111111111111qqqq)\?][:lowerprint:]mbo#)@", 0, 0 },
+		{ "[^iii8(888888(\?<!8^]))s", 0, 0 },
+		{ "([[(\?(\?:({^]}[)[(r)])G]{,-87}", 1, 0 },
+		{ "([[^{249,}(\?>(\?=)]]T()[:bl(\?!ankcntrl:]=jjjjjjjjjjjjjjjj-)))t{}[:alpha:]-\":i! Gn[A4Ym7<<<<<<<<<<<<<<<<]", 2, 0 },
+		{ "^{}{[^,241(\?#}(\?m(\?ixim:sximsx:]t))+oD)", 0, 0 },
+		{ "5[(\?#:xdigit:])", 0, 0 },
+		{ "[^f{(\?>,22(9}[^[^])6KKKKKKKKKKKKK)]RRRRRRRRfuK99999999C}osnNR]BgCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC[:blankcntrl:]", 0, 0 },
+		{ "[^(\?=U){24,}W-{,17(\?:3[^}]q.nQ#PU_|i$$$$$$$$$$$$$$+)[:dig(\?<!it:]){-98}\?[:upperword:]]", -1, 0 },
+		{ "[(\?<=[0(\?!72])euE.]{,-159}[:alnum:]t-:l\?)$yyyyyyyyyyyyyyyyyyyyyyyyyyfffffffffffffffffffffffffff", 0, 0 },
+		{ "[^[^]q[:asc(\?imsxmsx:ii:]JJJJJJJJJJJJJJJJJJJJ[:graph:]]$)`#DdY^qqqqqqqqqqqqqqqqqqqqqqqqqqqu>4^4ta[:alpha:]", 0, 0 },
+		{ "(((b0HN)q))p5<T())`7JJv{'cv'#L8BNz", 4, 0 },
+		{ "[pFp2VttBg(\?<=7777777777777|TTTTTTTTTTTTTTT[:space:]Z]^p\"[:blankcntrl:])", 0, 0 },
+		{ ")aM@@@@@@@@@@@@@", 0, 0 },
+		{ "([^[(\?<![^])", 1, 0 },
+		{ "()Z[:ascii:]", 1, 0 },
+		{ "(fuPPo)..........................[:xdigit:]{}{,4}*kkkkkkkCx#,_=&~)|.2x", 1, 0 },
+		{ "[+(\?<=){}++++++[:alnum:](\?=+]s)[:alnum:]~~~~~~XXXXXXXXXXXXXXX.[:digit:]", 0, 0 },
+		{ "[{}[^^(\?(]))CCCCCCCCCCCCCCCCCCCCEg2cF]{}3", 0, 0 },
+		{ "([[[^[^[^([[^[^([(\?<=G[[)=(\?!===(\?isximsx:==(\?#==[^=====(\?{==================$T[[^^u_TiC.Fo.02>X)uH]$})354b[:alnum:]]]EVVVVVVVVVVVVVVVVVVVVVVVVVVVVVz[:digi(\?(t:][:upperword:])", 1, 0 },
+		{ "([:blankcntrl:]t-){121,}[:ascii:]444444{}[:graph:]E040", 1, 0 },
+		{ "[^{134,}]DzQ\?{-30,191})z,\?1Vfq!z}cgv)ERK)1T/=f\?>'", 0, 0 },
+		{ "@v)<yN]'l-/KKKKKKKBBBBBBBBBBBBBMa2eLA[:digit(\?<!:])\"\"e|l$&m`_yn[:blankcntrl:]uuuuuuuuuuuuuuuuuuu[:punct:]", 0, 0 },
+		{ "[[999999999999999(\?<=(\?:(\?ixmx:(\?>))])Y]|){,10}\?{}", 0, 0 },
+		{ "([[[(\?!^]P-AA[AAAAAA[A[^A)r]+B]])", 1, 0 },
+		{ "3}|[:ascii:][:punct:]()", 1, 0 },
+		{ "()dw", 1, 0 },
+		{ "[N]{})))))))))))))))))))))))", 0, 0 },
+		{ "[[[^([[(\?()(\?#)++([^\?{+++[^+++++++++++(\?!+(\?=+++++++r9/n]N7{-219}{-91}pP[:punct:]T]mROm+~[:digit:][:digit:])Y:", 0, 0 },
+		{ "[^'Pu[(\?<!D&]_a[:alnum:]E<,F%4&[:xdigit:])][:lowerprint:]", 0, 0 },
+		{ "tttt(tttttttttt*uKKUUUUU)", 1, 0 },
+		{ "([:ascii:]GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG)+kX______________{}GGGGG\?TUH3,{67,77}|[:graph:]C{,-136}{}[:upperword:[]{,-6}&]T84]n={C", 1, 0 },
+		{ "[:upperword:]DC[:u(\?<=pperword:]*d`H0\?m>~\?N|z#Ar--SO{,-141}076)G\?{,-110}M+-[:alpha:]", 0, 0 },
+		{ "{,-214}{,10(9})", 1, 0 },
+		{ "([^xxxxxxxxxxxxxxxxxMMMMMMMMMMMMMMXW])].[:punct:]Q`{-63,63}Uua[:alnum:]\?OQssb#L@@@@@@@@(@@@)[:graph:]", 2, 0 },
+		{ "[[^(\?!```[^``````````````(\?<=``(\?>````````M/////(\?!////////////////////[^GD!|#li]~)*.$]))Tq!]C[:lowerprint:]Qk[{}]]JJJJJJJJJJJJJJJJJJJJJJJ{e])c", 0, 0 },
+		{ "$[5(7ES])[:xdigit:]%{MRMtYD&aS&g6jp&ghJ@:!I~4%{P\?0vvvvvvvvvvvvvvvvvvvv\\\\\\\\\\\\\\\\\\\\\\\\x54[:lowerprint:][:upperword:]", 0, 0 },
+		{ "[((([(\?((\?>[:alnum:][):as(\?<!cii:(\?:]Re))K|)|^){-28,89}l<H.<H:N)QKuuuuuuuuw8E136P)^)[:ascii:]][:xdigit:]-", 0, 0 },
+		{ "(pjvA'x]=D\"qUby\\+'R)r\?C22[:ascii:]", 1, 0 },
+		{ "[]*b~y C=#P\"6(gD%#-[^FBt{}]${-244}", 0, 0 },
+		{ "[:up(\?!pe(\?=rword:])lA-'yb\"Xk|K_V\"/@}:&zUA-)W#{-178,-142}(){-202,}", 1, 0 },
+		{ "()1.WldRA-!!!!!!!!!!!!!!!!!", 1, 0 },
+		{ "lZZZZZZZZZZZZZZZ(Z[:al(\?:num:])ttttttttttttttttttttttttttttttg.)6$yyy", 1, 0 },
+		{ "[([^([^[^(([([^[^(([[$(\?{P(\?=(\?<(\?!=(\?#P[^Y])<GA[:ascii:][(\?#(\?<!:alpha:](B{100,})]}))\?)XU=", 1, 0 },
+		{ "[[dVw{6(\?{9,}2222kkkkkkkkkkkkkkkkkkkkkkkkkk|{}*E]]{}SB{35}-w%{eh})<{-178,}", 0, 0 },
+		{ "(D(~))", 2, 0 },
+		{ "[(:alpha:]{,90}Z|)[:ascii:]Du\?[:grap[^h:]^w+|{}][:ascii:]", 0, 0 },
+		{ "[:p(\?<=unct:]kkkkkkkkkkkkkkkkkkkk)", 0, 0 },
+		{ "{}[:((\?<!dig((\?#it(\?#:]())p))ZZZZZZZZZZ[:blankcntrl:]){}{-124,})[:ascii:]", 1, 0 },
+		{ "[[:graph:]{168}lRRRRRRRRRRRRR(\?#RRRRRRRRRRRRRRRRR)rrrr(\?(rrrrrr)rrrrrrrS[(\?<!@f)6>{,-49})q${98,}J\?]){", 0, 0 },
+		{ "([:pu(\?(nc)t:]F{-32,-102}+)\?cpP[:lowerprint:].^)", 1, 0 },
+		{ "([{}{210,-238}]1:h)", 1, 0 },
+		{ "([]QQQQ[QQQQQQQQQQQQQQQQQQ][:digit:]Z{-20,}Slllllll[:space:]C^(@{-174,-156}fx{cf2c}{-242,}rBBBBBBBBBBBBBBBBBBc[:alpha:]N\?))$[:graph:][:ascii:]P+nnnnnnnnnnnnnnnnnnnnnnn1N$r>>>>>>>>>>>>>>>>>>>>>>>>(>>{,88}{,-234}__________)[:upperword:]R.[:alnum:][:lowerprint:]^}\"", 3, 0 },
+		{ "([^(\?=]-))$", 1, 0 },
+		{ "([:ascii:]\?,D[:upperword:][:xdigit:]tttttttttttt[^tt(\?<!ttttttttt21f|.(pP[:punct:])])rrrrrrrr)", 1, 0 },
+		{ "([{1(\?=16}iiiiiiiiii((\?<=iiiiiiiiiiiiiiiiii|ZZZZZZZZZZZ(\?(\?#{ZZZZZZZ))c}))<<<<<(\?#<<<<<<<<<<<d7CVq8]w{-148,-168}\\Gp){-230,}D3", 1, 0 },
+		{ "[^8888(88888888888EX].[:alnum:]){}", 0, 0 },
+		{ "([^][^)2]-[:lower(\?=print:]{,79}[:graph:]n)", 1, 0 },
+		{ "[bSi\?x_mp(C)0{64}[:space:]hhh(\?(hhh)hhL){5,130}'w\"$l&[:xdigit:][:alpha:]IIIIIIIIIIIIIIIIIIIIIII+-SOOOOOOOOOOOO               (\?( )              ]f)ed", 0, 0 },
+		{ "[[^[(^(C.Jl[^X&Rb64a+Sd])'m[:alpha:])]]]{134,}", 0, 0 },
+		{ "()L", 1, 0 },
+		{ "[[(({224,(\?#88})@======(\?!=========(\?{=)PPP)i^@p(\?([:punct:]})^^[^^^^^^^^^^^^^^^^^^^^^@)m]|{CS{,-3}168)-[:xdigit:][:upperword:]hnD=Bns)z)AAAAAAAAAAAAAAAAAAAAAAA[^A{}ccccccccccc)SZ]Q-p.sD]]+P", 0, 0 },
+		{ "[[^[^]{135,}66666666666666666666[6(666i2M9.!uhmT\?JMm.*(\?!+)[:alpha:]eeeeeeeeeeeeeeeeeeeeeeeeeee]]])ZZ[:blankcntrl:][:ascii:]", 0, 0 },
+		{ "(13[3Ux>{,10}[(\?<=:xdigit:]))PL9{-89,-181}F'''''''''", 1, 0 },
+		{ "[^.|(\?{af]})^$XE!$", 0, 0 },
+		{ "(WWWWWWWWWWWWWWWWWWWWWWWWWWWW#J)", 1, 0 },
+		{ "({}}M7we-216)L[:digit:][:upperword:]", 1, 0 },
+		{ "([:aln[^u(\?=m:]))].z", 1, 0 },
+		{ "([:alpha:]{(92})%6{41,136})Vij@[:alnum:][:lowerprint:]", 2, 0 },
+		{ "[[[++(\?{+++{}})n{{137,}{51,-177}Z[]M*[:ascii:]{(-29,-47}2)$e^{,-195}{-156,}^]{}{-225,69}A]{-222,}{,20}m[:blankcntrl:]", 1, 0 },
+		{ ")l)[:alnum:][:graph:]g8TTTTTTTTTTTTTTTTLLLLLLLLLLLLLLLLL", 0, 0 },
+		{ "[([(\?<=.(\?{)/})mmmmmmmm(\?(mmmmm]{-154,-176}*S)I]", 0, 0 },
+		{ "[(([{(\?(\?<!im(\?imsix:sim(sx:,141}])D)l{,42}ttttt[(\?::punct:])){-162,-141}{-26,})dU@@@@@@@@@@@@@@@ S)\\A\?w|VVVVVVVVV)X.kN{,21}{-208,-52}>[:lowerprint:][:ascii:]e-]]]]]]]]]]]]]]]]]]]]]", 0, 0 },
+		{ "[^({}(){(66(\?=,}[^]'''''QQQQQQQQQ).P#>^){86,168}Z[(\?<!:lowerprint:]{-166,-70}<k", 0, 0 },
+		{ "APP[:alpha:][:alnum:]nd[:upperword:(\?(]^xxxxxxxxxxxxxxxxxxx)xxxxxxxxx{-70}[:punct:]l)U-", 0, 0 },
+		{ "[^(.\"od~(6({[^(\?<!228}\?)\?)######(\?:#########z )c(\?<!aQ`(\?{UKSwu[})][^-17]{11,}}][:ascii:]))^RiH+WyspP[qi&)=p6])[:space:]{-221,}]6p", 0, 0 },
+		{ "{-78}()[:xdigit:]{155}{,-92}", 1, 0 },
+		{ "[(\?>Q{,147}_____________(\?!______uuuuuuuuuuuuuTr]){74,179}{}){,103}{-209,16}*RRRRRRRRRRRRRRRRw{,87}9{144}[:ascii:]'<Ab", 0, 0 },
+		{ "([666c] {-171}yc,8-k_)EEEEEEEEEEEEEEEEEEEEE<", 1, 0 },
+		{ "[^(\?>(\?<!)2(\?imim:)6HwN)^|fc!(\?(d]75))065)G", 0, 0 },
+		{ "[[^xDB[:alnum:][:xdigit:]][:digit:]jW]([:alpha:])", 1, 0 },
+		{ "[ds~T+[x55[:digit:]X[JJJJJJJ.[(\?::upperword:]){,-14}][:xdigit:]bbbbbbbbbbb", 0, 0 },
+		{ "[qqqqq(\?<=qqqq(\?(qqq)^G[):ascii:]])W", 0, 0 },
+		{ "[:space:]JJJJJJ[:alph(\?<!a:]|[:ascii:(\?(])[:x)digit:]- XSstG[:g(\?>raph:])^)Ny6RF_ndoU9@*rxW{4,41}4{}", 0, 0 },
+		{ "[:punct:]{162,}j[:aln(um:].....................[^...]\?>z[:l[owerprint:]){55,222}]", 0, 0 },
+		{ "(>vWa)OXcccccccccccccccccccccccc[:alpha:]C{,-10}81|m1D^T)[:lowerprint:]''''[:alpha:]l", 1, 0 },
+		{ "(XZcgM/UI-/mZq-222){-85,-196}[:alpha:]{114}rrrrrrrrrrrrrrrrrrrrrrrr{,157}ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZLkD-&&&&&&&&&&&&&&&-][:alnum:]{}{,111}[:digit:]", 1, 0 },
+		{ "[^(\?:]MMMMMMMMMMMMMMMMMMMMMMMMMMM)cK[KKKKKKKKKKKKKKKKKKKKKKKK]P{146}", 0, 0 },
+		{ "([^[^wqesa)n\?L(\?<=FH+G[^rCGmfD]w)m1D\"%}]])", 1, 0 },
+		{ "[((\?:[^.HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH|S)xd)*[:space:](])[:xdigit:]ngr'G#/B]-----------------------------", 0, 0 },
+		{ ")[:lowerprint(\?<=(:]l))G p", 0, 0 },
+		{ "[^[^(\?<(\?<(=(\?imsximx:![(((\?<!\?(^))\?]^)[:xdigit:][:graph:]{-104,})Gf+GD*qc)c]f))])", 0, 0 },
+		{ "[^([\?())P[:alnum:]w]{-186,-139}-[:space:]RN3w[Fmvpl[:space:][:digit:]&&&&&&&&&&&&}(\?#}}}}}}}}}}}}}}}}}}}])z", 0, 0 },
+		{ "([[^^*C[()f][(\?=:punct([\?#:]o)]V)]%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%[^x{1f948})]]", 1, 0 },
+		{ "[(:xdigit:])zE", 0, 0 },
+		{ "[:pu(\?(nc)t:])(a*){-51}", 1, 0 },
+		{ "[^(.NKKKKKKKKKKKKKKKKKKKKKKKK-[:upperword:][:space:]`MPi>", -1, 0 },
+		{ "Nvvv[vv.][:alnu[^m:]+|Crrrrrrrrrrrrrrrrrrrrr[:xdigit:]j1n)v#]", 0, 0 },
+		{ "[^#}[(\?>:alnum:]).QQQQ[^QQQQQQ!!![!!!!!!!-s.n]se]{-238,}Tf]p4721", 0, 0 },
+		{ "([((\?#\?<=)+)Hr:-H]z[:graph:].{}oooooo(ooooooooo][:punct:]k<gXG@@@@@@@@@@@@@@@@@@@{,-176}){}L`)$", 2, 0 },
+		{ "({,249}{-73,}Z&&&&&&&&Ds35MB<v)qqqqqqqqqqqqqqqqqqqqqqqqq", 1, 0 },
+		{ "[^.N][:blankcntrl:]))))))))))))))))))))))))))))))", 0, 0 },
+		{ "(()*){198,}", 2, 0 },
+		{ "{-237,}220{}[:ascii:]```````(`````````````\?{-115,185}){,-18}[:punct:]'|Kk", 1, 0 },
+		{ "[(\?()])", 0, 0 },
+		{ "([(\?#[:alnum:]CQ)}}}}}}}}(\?>}}}}}}}(}}}}}\?310[|))xA5r][[^:ascii:]^{,-156}{])CCCCCCCCCCC-145]FzwOD_u\?", 1, 0 },
+		{ "[^[^[]{-163}{(-203}[(\?!:upperword:]PPGjZ[:xdi(\?=git(\?#:]{-73}s)qqqq(qqqqqqqqqqqqqqqqqq{173,210}[:xdigit:(\?<(\?>=]WW[^WWWWWWW\?*O)))Q){}08)[(\?(\?<=#:blankcntrl:]{90,}]U)])L)ooooooooooooooooooooooooooox--^c[:ascii:]])s)", 2, 0 },
+		{ "[(\?!:punc(\?imximx:t[^:]4F<}!)]'M-)tKKKa4904", 0, 0 },
+		{ "[^^{}\\(\?<!\\\\\\\\\\\\\\\\\\(\?#\\\\\\\\[:punct:](\?>)T000000000(\?(000)00000))+])", 0, 0 },
+		{ "L[:p(\?#unct:])", 0, 0 },
+		{ "[:upperw(\?<!ord:])", 0, 0 },
+		{ "@$\"\"\"\"\"\"\"[\"\"\"\"\"\"\"\"\"\"[^(\"\"\"\"\"(\"\"][]))*U{223,138}*o```````````````(\?=[```````````````]{238}mmmPPPPPPPPPPPPPPP&&&&&&&&&&&&&&&&&&)sF$[:digit:[]]", 0, 0 },
+		{ "[^#Txx[xxxlPB(\?><[^U/)]]{}X3333333333(3333333f*])", 1, 0 },
+		{ "<<<<<<<<<<<<<<<[^<<<<<<<<<.][(\?#:ascii:])[:xdigit:]|^", 0, 0 },
+		{ "([:punct:]{}){-167,}{-59,}Pd\"", 1, 0 },
+		{ "[((\?#{,214})t$)VVV[:xdigit:]{104(\?<=}D][:graph:])|H){1,}{-176,}", 0, 0 },
+		{ "[[([[^N,,,,,(\?=,,(\?#(\?:,,,,,,,,,,,[^,,,,,,,,,,]<,~4::_.A]){-52,}-[:alnum:]Pnnnnnnnnnnnnnnnnnn)d", 0, 0 },
+		{ "{-18(3,})uT{4,}", 1, 0 },
+		{ "[^[^[(p+c(\?<!b$))(\?:EU(\?(.][^{}]3[:xdigi[^t):][:punct(\?>:])[])][:s[^pace:]][:alnum:][:alpha:]]kw06E", 0, 0 },
+		{ "[^^^^^^JJJJJJJJ(JJ(\?=JJ(.6[:space:]H]{231,}A^eqqq)[:ascii:(\?>(])[(\?>:spa(\?:ce:]xxxxxxxxx)@_t-))138GNNNNNNNNNNNNNNNNNNNNNNNNNN[:digit:]no!`#E\?&[:lowerprint:].)[:graph:]{86,}[:digit:][:alnum:]", 0, 0 },
+		{ "[:g(\?<=raph:]a{114,146}(){}0Y[:bl(ankcntrl:])D)\?", 1, 0 },
+		{ "[^[^]*H{-192,96}S|]G)6B-kLB", 0, 0 },
+		{ "[[^[^][/NS8`um(\?{82&{((\?{\?<!-[110,-88}]m)})kkkkkkkk$$$$$$$$$$$$[^$$$$$@n%BuK@X!P)y0v!^]YY[YYY[YYYYYYYYYYYYYYYYYY///////{}{{{{{{{{{{{{{oiiii})]8{-2[53}w{82,}]{,245}]{-134}]fffffffffffffffffff]\"I>DW>9tN%{113}{unE", 0, 0 },
+		{ "[:(\?(alpha:]`))Y2sCqWQ104", 0, 0 },
+		{ "(([^()Wcccccccc(\?{cccccccccccccccccc(\?<!c(ccccc[:space:]$)(\?>)FZ{}{}`|||||||||||||*````````````````````````````'=dLQmx/Y.A7j'o}jn{}:})][:punct:]$|,-)!&Y:Ys#ykL7JJJJJJJJJJJJJJJJJJJJJJJJJ8yex>#mv[:punct:](x@)$[:uppe(\?<!rword:])_)", 3, 0 },
+		{ "[[(^HHHHHHHHHHHH(\?imsximx:HH(HHHHHH(\?{HH[HH])qjR>9))i})]a!lBW3p{A=or)ShE%[:punct:]{}]5r", 0, 0 },
+		{ "[:pu[nc[^t:]]]}}}}}}}[}}}}}}}(\?#}])@@@@@@@@@@@@@@@@@@DDDDDDDDDDDDDDDDDDD\?]xA2\?", 0, 0 },
+		{ "(.[:alpha:]xB7[:alnu(\?{m:]})RRRRRRRRRRRRRRRRRRRRRRRRRRRL)[:space:]G\?", 1, 0 },
+		{ "[:blan(\?<!(\?=kcntrl:]){71,})!ooooooooooooN", 0, 0 },
+		{ "()e$$$$$$$$$$$$$$$$$$$$iiiiiiii", 1, 0 },
+		{ "(b[:ascii:]67777777777777777777777777)({-106}kkk^F-------------------------------{13}A)f00000000sBAddddd{-66}kd!D'", 2, 0 },
+		{ "(Q                        ^])[^lf][:space:][:lowerprint:]\?", 1, 0 },
+		{ "[[^]\\S{152}W![:digit:][[^:space:(\?(]=pEhwY][:alnum:][:digit):][:graph:]])QQIC9h-oowf[:xdigit:]{-52}{,190}1111111111111111111fX{-189,226}W", 0, 0 },
+		{ "[^(\?!(\?<=)]).h[:as(\?>cii:])[:alnum:]$$$$$[:space:]3$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$1", 0, 0 },
+		{ "[[$zQ================(\?<!=(\?>=========(\?====D[^))|i{}\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?)][:s(pace:]]))]", 0, 0 },
+		{ "[^{,-[15(\?#6}]Vwjjjjjjjj[jjjjjjjjjjjjjjjjjjS9999)]q]rWWWWWWWWWWWWWWWW[:punct:]@@@@@@@@@@@@@@@@@@@@@@@@gO[:blankcntrl:]>L[:ascii:]:::::::::::::::::::x11uuuuuuuuuuuuuuuuuuuuuuuuuuuuu{-124,114}[:graph:]C#{tcg[:xdigit:]gZZZZ[:lowerprint:]nA(_{{{{{{{{{{{{{{{{{{{{SS)\\D[:alpha:]", 1, 0 },
+		{ "[^(\?())]!T\?[:asc[^ii:]E:4},,]I[^b(\?:n4(njj~+{\?'k{7}{189,-194}{ig.[[[[[[(\?#[[[_bs6,JD`1(\?<!WBo]F+{d*VO22z2K1][:xdigit:]))Suuuuuuuuuuu[^u{,117}\?YYYYYYYYYYYYYYYYYYYYYYYYB^]|q]:eY1GGGGGGGGGGGGGGGGGGGGGGGGGGGGe\?)bU[:punct:]", 0, 0 },
+		{ "[\?UA(\?:]\?)[:xdigit:]A^mmmmmmmmmmmmmm>>>>>>>>>>>>>>>>>>>>>>>>>>>>[^>>>(\?(>)){,-165}]", 0, 0 },
+		{ "([^[][^n(\?{[[p]#})|][^]L|66666666666[:graph:]][:graph:]2[:xdigit:][:space:]9b})[:digit(\?imsximsx::]+PZ):{}|E)[:xdigit[^:]|>]^[:alpha:]::::::::[:ascii:]````[:ascii:]:", 1, 0 },
+		{ "[:lowerprint(\?<!:])", 0, 0 },
+		{ "[[^[]{-47}[:lowerprint:][:punct:]L[(\?::g(raph:]lY[:alnum:])qWYU)}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}[c%$dp5[:alnum:]DDDDDDDD^^%&{,-94}E]{-8,175}[:alpha:]-.^[:digi(t:]CCCC(CCCCCCCCC]).ax72)", 1, 0 },
+		{ "[[^($$$$$$$$$$$$$$$$$$[^$I((\?{\?(u)\"YuK ZpOHq[!(\?>t|LQT(|)L[(:ascii:])", 0, 0 },
+		{ "[^[^([:graph:](QpPdyDQ`[:alpha:](.X[:digit:]wwwwwwwwwwwwww(\?imxims:wwwwwwwe(\?<!z)ONNN(\?#)[^])[:space:](KKKKKKKKK{113,}327[:xdigit:]k)]CeeeeeeeeeeeeeeeeeMMMMMMMMMMMMMMMMM)[:lowerprint:]]HHHHHHHHHHHHHHHHHHH]]]]]]]]]]]]]", 1, 0 },
+		{ "[Q(r(\?=)v]dm[:alnum:][:b(\?{lankcntrl:][:xdigit(\?=:])})P[:graph:]bd/Rx){50}{-150,-172}", 0, 0 },
+		{ "[(\?(im(\?:sxims:))9]))L", 0, 0 },
+		{ "[[^[(\?{^Z][^0[:alpha:]]\\XB*{-151}t})][:alnum:]]", 0, 0 },
+		{ "[([(D\?/////////////////////.'yvYysU&5AU-]kV)*){,123}z]", 0, 0 },
+		{ "[:alnu(\?{m:][:a(\?=lpha:][:alpha:])n}))7[:ascii:][:xdigit:][:punct:]-", 0, 0 },
+		{ "[^[:graph:]IIIIIIIIIIIIIIIIIIIIIII][:sp(\?<!ace:])", 0, 0 },
+		{ "[[[(\?=[[[cDD(\?<!D(\?:DDDDDDDDDDDD(\?<=DDD(DDDDDD(\?:DDDDDDD(\?<=D(\?()])rvp{243,}D$<[:space:]([:lowerpr)int:])])Ea{}U[:upperword:][:xdigit(\?#:]or}Z+34gD{/P NJ", 1, 0 },
+		{ "[^(,H>)*d2K0DNX5)T(].)[:digit:].", 0, 0 },
+		{ "([:punct:(\?#])})JJJJJJJJ[:xdigit:]PPUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU.......................0hSk{,89}[:xdigit:].[:xdigit:]Z", 1, 0 },
+		{ "(LGTTTTTTTTTTTTTTTTTTTTTTTTTT[:alpha:]){-106,113}[:punct:]d|[:digit:]kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk\?wP", 1, 0 },
+		{ "([^[^<N_-k\?{(\?#18}]i]::::::::::::::::::::::::::)1+LLLLn{}/){-198}", 1, 0 },
+		{ "([[^(AAAAAAAAAA(\?(AAAAA)AAAAf).LzHHHHHHHHHHHHHHHHHHHHH(\?#HHHHH|)[ZEEEEE(\?#EEEEEEEEE(\?<!EEEEEEEEsG)q[:punct:]{}][:upperword:]D)[:space:][:digit:]+e[:ascii:]].i|JJJJJJJJ+n][:xdigit:]Se)P[:lowerprint:]_______________________________.[:punct:]pP{-172,86}iiiiiiiiiiiiiiiiiiiiiiiii){,-178}", 1, 0 },
+		{ "([\?=[[^,BDRRPZ{129}*D-[:punct:]]])([:upperword:]ud)\?][:punct:]A", -1, 0 },
+		{ "(([(\?#((\?{\?=^])c-)C[:lowerprint:]xvkR}k\")ccccccccccccccccccccNNNNNNN[:alp[ha:]{,93}vhlX:|A]2})nSw)]N.", 2, 0 },
+		{ "()g/qzyiV(x3d|A0wllllll){162}[:space:]", 2, 0 },
+		{ "qqqqqqqqqqqqqqqqqqqqvvvvvvvvvvvv8[:x(\?imsxmsx:digit:][:alpha:]''''''''''''''''''''''''''')", 0, 0 },
+		{ "({,226}nf^W=vs$xK^=A=M#b,)V", 1, 0 },
+		{ "(_T 2BC9N'cccccccccc-87EF#&^eQfDDDn._,m&c`tjAwR #~A)[:(\?imsimx:alpha:])/yHYL6|{-40,47}", 1, 0 },
+		{ "[[^]{-8(4,138})z[:xdigit:]{180,}]", 1, 0 },
+		{ "[([^T____________________(\?:__C(\?<=]-)])+[:ascii:])r[:graph:].----------", 0, 0 },
+		{ "[f{}LLLL(LLp((((\?<!((((((((((((((({,56}]BR`{,52}){-22,}\?[:space:]h>Sow", 0, 0 },
+		{ "{-179}^[:alpha:(\?!].a'5wacA3\\\\\\\\AAAAAAAA)~^]wC", 0, 0 },
+		{ ">[:digit:]{,-212}+(`)LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL[:ascii:][:digit:][:space:]", 1, 0 },
+		{ "[[^[[^RBW{,255(}(\?(\?>=(W)_]uu][:blankcntrl:])O)]]", 0, 0 },
+		{ "(C_______________________________)2", 1, 0 },
+		{ "([/ntf_a3].)", 1, 0 },
+		{ "[:space:]+[(:upperword:],c7[:asci(\?<=i:]ggggggggggg)[:ascii:]/1$$$$$$$$$$$$$$$$$$$$$$$$$$)", 0, 0 },
+		{ "Xq{109}~EEEEEEEE[:upper[^word:]lgB:X(h[:alpha:]B[:space:]].)IkaH@3}}H'yK~\?[:upperw(\?#ord:(\?:]){=================[:blankcntrl:])", 1, 0 },
+		{ "(([[^]]$3Xr^$%%%%%%%%%%%%%%%%%%%%%================U[:ascii:])X).FFFFFFFFFFgO[:punct:]oooooooooooooooooooBC[:blankcntrl:]mmmmmmmmmmmmmmmmmmmm[:lowerprint:]rBM~<HAc#Sb&&&&&&&&&&&&&&&&&&&&&&&&&&&&&Cy", 2, 0 },
+		{ "([([([^(\?:)D]-{M#H >rERRRRRRR[^RRRRR(\?>RRRRR])[(\?=^)X]{207,}U])))Z[:blankcntrl:]]yyyyyyyyyyyyyyyy\?", 1, 0 },
+		{ "[Q(\?{*[^(\?(\?!!])[:graph:]]})[:alnum:]iE)dGGGGGGG[^GGGGGGGGGG[:xdigit:]w]", 0, 0 },
+		{ "[^Z(\?!6(\?(\?><=)[:graph:])]BBBBBBBBBBBBBBBB^)", 0, 0 },
+		{ "[[^([^[^][[[[[[[(\?({[[(\?(\?imsxmsx(\?imsi[ms:::[[[[[[[[[}))]$)){12,})|:::::::::::::::::::[:lowerprint:]{}{-96,-147}){13,}`[:digit:]]\"^Ca%%%%%%%%%%%%%%%%%%%%%%%%%%UUUUUUUUUUUUUUUUUU]]9", 0, 0 },
+		{ "[^(\?(\?(\?#!<=))JLBS\"zi)'''''''''''['''''''''''''piiiiiiiiiiiii(\?<=iiii]])ZZZZZZZZZZZZZZZZZZ[:space:]", 0, 0 },
+		{ "({})[:punct:]", 1, 0 },
+		{ "E9[:blankc(\?{ntrl:]})N", 0, 0 },
+		{ "[:alph(\?#a:]){198,}sq\?X0B7", 0, 0 },
+		{ "[^\\\\\\\\(\\\\\\[\\\\\\\\\\\\[(\?<(\?isximsx:={11(\?(9,}\?0])]]))\?FN3M\?{-128,}Z444444)444fbLiVN8)", 0, 0 },
+		{ "[[^[^([[[[[[[[[(\?>[[[[[[[[[[[[[[[[[[[[[{53(\?<=,-175(\?>}ggggggggggggggggg%))[:alnum:])[:punct:]kkkkkkkkkkkkkkkkkkkkkkkkk)+Soooooooooooooooooooooooooooooooo](WR+--)x36+llllllllllll{,35}]Fqb^=F]KKKKKKaaaaa{,131}", 1, 0 },
+		{ "(g\"Ssqw<&{Cl{82,}Mdf|9cIlmCW{}[:digit:]4C{}[:alnum:]PP)", 1, 0 },
+		{ "OOOOOOOU[*evVIIIIIIIIIIIIIIIII(\?#(\?#IIII)]PP[:xdigit:]2222222222222222[:xdigit:]Kx)p[:digit:]", 0, 0 },
+		{ "([[{248,16(\?=5(\?#}][:alpha:])|[:p(\?!unct:(\?(]", 1, 0 },
+		{ "[pP((\?=S)(\?#)]$[:aln(\?(um:)]2\?)$GGGGGGGGGGGGGGGGG({-U:c){-61,}[:ascii:]{-202}G", 1, 0 },
+		{ "()$D[:alnum:]", 1, 0 },
+		{ "[(\?#^]){}[:ascii:]", 0, 0 },
+		{ "[uuuuuuuuuuuuuuuuuuuuuuuuuuuuuu]FFFFFFFFFFFFFFFFFFFFFF&2e\?)%oP'mc@z2b}n{<b4_Laz^0LLLLLLLLLLLLLLLLLLLLLLL,,,d", 0, 0 },
+		{ "{}(^________________''|$)RRRRRRRRRRRRRRRRRRR", 1, 0 },
+		{ "(H)####################bbbbbbbbbbbbbbbbVSSSSSSSSSSS|tdU\"goeAbPP{-248,81}", 1, 0 },
+		{ "[^[(\?ims(\?>xisx:)UHpP*n{}]{}fx14<7OEpE>n2150)8888888888888888]^GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGS", 0, 0 },
+		{ "(d)+", 1, 0 },
+		{ "[^.(\?(>)(\?=e)])al[:space:]x", 0, 0 },
+		{ "[^256c(\?!]){-19,}", 0, 0 },
+		{ "Q)", 0, 0 },
+		{ "[^s\?\?(\?{\?\?\?(\?#\?(\?<!\?\?\?\?\?\?\?\?\?\?\?(\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?{}]F\?j(jjjjjjjjjjjjjjjjjjn)kTI1f[{1|(\?<=^[^+[:digit:]{}^s^))})))T]{-17}{CCCCCCCCCCa{-21,}{,-146}^uZQB]YuLu-|tUGRMz^^", 1, 0 },
+		{ "([^.{}.EE[EEEEEEEE(\?<=EEEEEEEEEEEEEEEU]]-@s))$", 1, 0 },
+		{ "[^([((\?#[#])|a)])[cccccccccccccccc][:digit:]LLLLLLL[:alnum:]}[P%vzl{}^]&", 0, 0 },
+		{ "({}[:space:]E)101+A{-35,11}", 1, 0 },
+		{ "(va:7)u[:alpha:]", 1, 0 },
+		{ "([^[[rrrrrrrrrr(\?:rrrrrrrrrr(\?<!rrrrrrrrry|D'*AH@a{}\?[:space:][:alpha:]^]$ {-225}[(\?(:as)(\?(>cii:])){-107,-139}6/{^[:upperw(\?imsxmsx:ord:]{,-47} ]wuH#nAn)GGGGGGGGGGGGGGGGGr[)]T{91}lJ))[:lowerprint:][:xdigit:][:lowerprint:])]*", 1, 0 },
+		{ "()[:space:]~!$[:alnum:]JJJJ[:ascii:]", 1, 0 },
+		{ "[^(\?<=)-]()k", 1, 0 },
+		{ "(()W){,8}ea", 2, 0 },
+		{ "({,-56}5G&&&&rrrrrrrrrrrrrrrrrrrrrrrrrrk.8) hWJ,TM)0Yd-", 1, 0 },
+		{ "(Z-fddddddddddddddddddddddd)-{9}", 1, 0 },
+		{ "[^<[(\?!:asc(\?:i(\?<!i:])F])[:alp(ha:]b))-}Wwx8B", 0, 0 },
+		{ "[^[^[^([(\?{}(\?=)(\?())-CCCCCCCCCCC(\?=CCCCCCCC(CCCCC(\?:CCCCCCCC(\?{l[(\?!:space:]})[:upperwor(\?:d:]{-27}[:al[^pha:][:xdigit:]^f", 0, 0 },
+		{ "[[^]G@>2!+[:punct:(\?<!]{,189}6ZF[:blankcntrl:][:digit:]{,214}){-115,-14}l[:upperword:]{101,}Z[:ascii:]Ld&02|c]<0~<bc", 0, 0 },
+		{ "(Q)[:digit:]x", 1, 0 },
+		{ "hT[[:alnum:]\?]O[OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOxFF%^(\?(_LN 8uXQT\"*/L)+l)>qQ[^]e[:ascii:]PP()[:digit:]NQ8%6d=&2I{-62,-142}w]].e{}*", 1, 0 },
+		{ "{,-219}xxxtEEEEEEEEEEEEEEEE[:pun(\?(ct:])qqq)nnnnnnnnnnnnnnnnnnnnnnnnnnn", 0, 0 },
+		{ "[:di(\?>git:])W4", 0, 0 },
+		{ "([^y])Fkvto$", 1, 0 },
+		{ "[^($$$$$$(\?!$$$$$(\?{$$$$$$(\?<=$$$$$$$$$$$+===)[:alnum:]MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM)Z]{}^[:blankcntrl:]--xxxxxxxxxxxxxxx[^xxxxxxx)\?tVG\?{232,81}{121,}xn{,-226}})tttttttttttttttttttttttmu(\?<!&&&&&&&&&&&&&&&&&&&&&&0b]z)$87{,-192}{}{-242,}", 0, 0 },
+		{ "l[:dig(\?(it:]|s*)aA[:digit(\?<=:].^.))x[:digit:]", 0, 0 },
+		{ "[:grap[^(\?#h:]').]Z", 0, 0 },
+		{ "[:gra[^ph:]t[:digit:]222222222222(22222222222222222H qM]pWZr[:ascii:]-hRb_.)Q{-228,-204}{}", 1, 0 },
+		{ "AAAAAAAAAAAAAAA(AA)YeX", 1, 0 },
+		{ "(!dqqqF*^){(,-79}s!!!!!!!!!!!!)", 2, 0 },
+		{ "[^(\?msxm(\?#sx:]|)ZHYup)j{95}0L:vXB#')d'DX\?m.T034\\\\\\\\\\\\\\\\\\\\\\y5rV{}S", 0, 0 },
+		{ "(W*O+yl([\?!P(\?:)I]${}{-195,-14}[:upperword:]{}[:xdi[^git:][:space:]X[:grap[^h:]~]zzzzzzzzzzzzzzzzzzzzzzzL)+)Y b.-=jf{-216,}${/!}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}|]", 2, 0 },
+		{ "[^\\\\\\\\\\(\?<=\\\\\\\\\\\\\\\\m]{-48,234}[:alpha:]s)", 0, 0 },
+		{ "[(\?{U}(\?<!)])LLLLLLLLLLLLLLsssssssssssssssssssssssssss[:ascii:][:blankcntrl:]---------b", 0, 0 },
+		{ "[^[^[(\?#)(\?imsxims[x:)<<<<[<<<<<<<<<<(\?<!<<<<<<<([^\?(<<<<<<<<<<z(\?(zu(\?<=~83}aZpIE)[:alnum:](\?imsximsx:(\?!jrE6(\?<!\?V(SzDU)000[000000000((\?=\?)=0])L|lOYuWXk", 0, 0 },
+		{ "$o[:dig(it:]nnnnnnnnnnnnnnn{-94}|G)[:alpha(\?!:] {,-108}D=\?>[:digit:]S[:space:]t", 0, 0 },
+		{ "()n", 1, 0 },
+		{ "[:upp(erword:]$)<}.vZM<lEY5Y*", 0, 0 },
+		{ "[^([^\?>)rCD&{5(\?msxisx:7,}qqqqqqqqqqqqqqqqqq{31,}@w#W:(@(\?:zp$YYYYA[:alpha:]{1}A)*dZJ\"5OG|\?(\?#a])]|){-150}[:xdigit:]", 0, 0 },
+		{ "[($)gwo{`\"]{-160,}\\\\\\\\\\\\\\\\\\\\\\\\\\66666666666666888888888888", -1, 1 },
+		{ "((}DA+Rc000000000000000000)%vvvvvvvvvvvvvvvvvvvvv%C&emZ*[:alnum:]#m/D[:graph:][:blank[^cntrl:]E{,168})kkkkkkkkkk000000000000000]", 2, 0 },
+		{ "[^[u*(\?#x01234)oxGGGGG(\?([GGGG)GGGGGGGGG]^U)!!CCCCBM`4QB^XEN]{,-60}[:upperword:]G]", 0, 0 },
+		{ "(%)~t{S,K^MI3PMo)=b", 1, 0 },
+		{ "[[[^]{}eU([:xdigit:]&&&&&&&&&&&&&&&&&)\"W|43[:alpha:][:graph:]J8b[:blankcntrl:]gggggQ{,183}{,-254}\?[:ascii(:]{,134}", 1, 0 },
+		{ "[[([^[^([^(\?=)1RRRRRRRRRRRRRRRRRRRRRR(\?:(\?(\?(\?!=#RRRRR(\?=RRRR(\?<[^!Ru)])]o[:[graph:[^]{,7})[:digit(\?::]{-215,}e[:space:]]", 0, 0 },
+		{ "({{{{{{{{{{{{{{{{{{KKKKKKKKKKKKKKKKKKKKKKKKKKKKBBBBBBBBBBBB)[:space:]0[:alnum:]HcctQA", 1, 0 },
+		{ "[^(pP7(HsN[^g{186,-87}\?\?]EQ%u:-Y)+>>>>>>>>>>>>>>>>>>>>>pP][:alpha:]", 0, 0 },
+		{ "[(.{141}h|)((\?:\?=@Q} ghcC{+*(R)D+][:lo(\?#werprint:]zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz))", 0, 0 },
+		{ "[^({}S)PPFl(])-216", 0, 0 },
+		{ "[([[^(((([(\?#^[^[^\?4[(:[dig[^it(\?(:]{122,})y\?", 0, 0 },
+		{ "[[2${188}u{1(4(\?(1,1(\?{98}e{&tbaoI]q)[:punct:])d}))Nqffffffffffffffffffffffffffff[:ascii:]+]", 0, 0 },
+		{ "()K-", 1, 0 },
+		{ "[[{2(2((\?(\?!()2})])[:alpha:]fVVVVVVVVV{-47}):::::::::::)\?vwyyyyyyyyyyyyyyyyyyyyyyyyy-]{}", 0, 0 },
+		{ "ivcs)g", 0, 0 },
+		{ "(hhhh[^hhhh(\?{h\?]})%%%%%%%%%%%%%%%)\"+38mbY:s9{/d# zaNnbQb)b:*zpKI{-26,-189}", 1, 0 },
+		{ "S*(#)[:graph:]lllllllll&G)t", 1, 0 },
+		{ "([^[(([\?=\?<!)]]___{-63,})]nt", 1, 0 },
+		{ "[:b(lankcntrl:][:alpha:]*[:pu[^[nct:][:alpha:]A]$aaaaaaaaaaaa*)A[:digit:]U][:alnum:]", 0, 0 },
+		{ "[^f[^p000{68(\?isxmx:,}(\?!vvvvvv)$)]PP#*{(})[:punct:]&&&&&&&&&&&&&[:punct:]\?][:blankcntrl:]", 1, 0 },
+		{ "[^(((\?(\?(()))GGGGGGGGG{(\?!($)))((\?!)V^{228,145}))]{-229}Qjjjjj[:punct:]R)", 0, 0 },
+		{ "[(Q[^((\?{(\?:]~z)})gE(.<){}|)Kuuuuu$*222222222222222222222D]", -1, 0 },
+		{ "([^`(\?<=`````[^`````````M]\?)=L74A[:upperword:]]P", 1, 0 },
+		{ "(({}[:space:]qv-T){,-192}{-45}{65}9\?X).d", 2, 0 },
+		{ "_[(:upperword:]mU(P}qX>\?%)$Lwq[:alpha:]{-115,}================================{127,}", 1, 0 },
+		{ "e)", 0, 0 },
+		{ "[{,2[5}Klen+D0'YX(\?<=|_H]I,Y\"*/<3sM[:digit:]])#.", 0, 0 },
+		{ "[:(xdigit:]){[:digit(\?mxmsx::][:as(\?<=cii:]d!{135})#)pP[:space:]Syyyyyyyyyyyyyyyyyyyy\"Gg8", 0, 0 },
+		{ "[(\?()])", 0, 0 },
+		{ "[^([^[^[[^[:alpha:]SIus[^f<f]}}}}}}}}}}][:xdigit(\?=:]Z{-13}*]_[]LLLL)]E[:alnum:]b$)]]]]]]]]]]]]]]]]]]]]]]]]][:lowerprint:][:ascii:]{,40}{86,}333333333999999999999999999999999999*fffffffffffffffffffffffff99999999U9|[:digit:][:upperword:]oowwwwwwww[wwwwwwwwww{195}[:xdigit:]]H{-73,153}R+zAz{}r/////////////{232,}kAoffffffffff[:blankcntrl:]xxxxxxxxxxxxxxx]KKKKKl0,[:alpha:]|{,-165}Qc{96}CCCCCCCCCCCCCCCCCCCC/", 0, 0 },
+		{ "{}:V(7O-)[:ascii:][:graph:]PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP#", 1, 0 },
+		{ "[^(\?<[^=CC(CC$)]*        c)BBBBBBBBBBBBBBBBBBBBBBB]z{-18,}", 0, 0 },
+		{ "[[qqqqqqqqqqq(\?(qq235|ttttttttttttttttttttttttttttt[[ttt<<<<(\?{<<<<<<<<<<<<)<<<<<<<<p)/S9(\?{OOOOOOO(\?<!OOOk)})]nIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIb]Z})", 0, 0 },
+		{ "[^[^(\?>][^((\?<!C(\?!+(\?=)]^8)6nx).)){,-13}[:blankcntrl:]\"(L{}){,29}nnnnn{-83}]l[:upperword:])", 1, 0 },
+		{ "[(ZZ\"#(\?#Nb(\?<!:U)oRRRR])Zei${Ec/)s", 0, 0 },
+		{ "[^[^[(\?(t(\?:3```````)`````)|#CB)/////////////////////////////*!liB#|CCCCCCCCCCCCCC(\?=CCCCCCa7N]weTTTTTTTTTTTTTTTT1{}o\?{}BBBBBBBBBBBBBBBBBBBBBBBB.])u{-218,126}.,[:space:]]", 0, 0 },
+		{ "[[([:alnum:])yyy(\?!yyyyyyyyyy(\?!yyyyyyyyyyyyyyyyyyy[:graph:]I])Uw*X.^[:ascii:]{,-63}[:digit:]{-88})&&&&&&&&&&&&&&]*", 0, 0 },
+		{ "[[[^K(\?=KKKKKKKKKKKK(\?:KKKKKKKKK[KKKKKK]]U[:digit:])]dd)({,16})xy+Pu)JJJJJJJJJJJJJJJ[:space:][:ascii:][:upperword:]ql_jywmt4B+]{-30,}^555555555Xza[:punct:]", 1, 0 },
+		{ "[[^^XXX(\?:XXX((XXXXXXXXXXXXXXXXXXXX)v)$N9$r\"\"\"\"\"\"\"\"\"\"\"\"\"].{,239}$[:punct:]\"9999][:alpha:]{}c){,55}s[:upperword:][:xdigit:]310", 0, 0 },
+		{ "[@([^I8oNl)]-{-203,-224}{-78,}KKKKKKKKc{-66}[:xdi(\?=git:]==========){}f{-124,}[:upperword:][:lowerprint:]]{}--------l+", 0, 0 },
+		{ "[^]ozp+0(\?#\"[(\?()X]))[:blankcntrl:][^e{99,222}JJJJJJJJJJJJJJJ3F]\?[:blankcntrl:]l$ot", 0, 0 },
+		{ "[[^[[((\?isximx:)2222222222(\?=22222[:graph:])+U)((\?{\?<=(\?()iYv8qc@#y)G])+}))FvnP\"7OZ-b273[:ascii:]Ak6*`S[:digit:][:graph:]]{2}^G{79,}DDDDDbbbbbbbbbbbbbbbbbbbbbbbb(bbbbbbb)|tP48y{wNJ_S hJbY]]dc", 1, 0 },
+		{ "[:alph(\?{a:]p1[:lowerprint:]}){163,}", 0, 0 },
+		{ "W()", 1, 0 },
+		{ "()``````````````````````````[:ascii:][:alnum:]{,26}[:graph:]", 1, 0 },
+		{ "[:al(\?<!num:]|byyy,*)U5%u${190}-{-221,-33}k7777777777777777777777777777777+eXXXXXXXXXXXXXXXXX[X(\?(XX)XX)S'vEAa]*e", -1, 0 },
+		{ "[^(([R_AC[lE'{2(\?{28(]8LTt[]b[:punct:]]O)|2[:graph:][:space:]})                               x3C[:alpha:])uI+dddddddddddddddddddddddd{-165,}FFFFFFFFFFFFFFFFFFFFFFF)cccc*[:upperword:]]G{,-38}{24,}555555555555555555555555555VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVZ[:blankcntrl:][:ascii:]", 0, 0 },
+		{ "[^QQQQQQQ(\?#QQ(QQQQQQ[:punct:][:space:]){(\?(\?:!}[:graph:]t}}[^}}(}}}}}444444[^444444444444444444444]\?]G)E)L{,-103}{84,}r$ii]-[:alp(\?<=ha:]S5G~9>n*)P<3tttttttttttttttttttttttttt)n{}[:graph:]eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee{,83}[:digit:])0BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB[:alpha:]{-155,}{151,}", 0, 0 },
+		{ "Ue{,254}+f[:lowerp(\?<=rint:]U.fff)", 0, 0 },
+		{ "QQQQQQQQQQQQQQQQQQQQQQQQAY<J)'MPi_u%#2doopqU7/{103}[:graph:]e!7{GOr", 0, 0 },
+		{ "[^({,[^233}[^d)BBBBBBBBBBBBBBB=======(\?>===========[^=S|[^[:alpha:]G/]qqqqqqqqq{}[:xdigit:])..k", 0, 0 },
+		{ "[([^[[:space:]ffffff(\?=ff]M]))[:xdigit:]UbCI,CzalLU*y5I[:digit:]r{-30,180}{-209,-45}Paf]", 0, 0 },
+		{ "[^[h(\?{hhhhhhhhhhhhhhhhhhhhh})]{,143}[:lowerprint:][:ascii:((\?(\?=])[:asc)ii:])zp]", 0, 0 },
+		{ "[[(\?{]})]", 0, 0 },
+		{ "[[1\"3m^,(\?<!2((\?!\?#t```````````````````````````)\?)|c^)A^~]{61}W\\\\\\vvvvrrrrrrrrrrr[:digit(\?#:])]F[:upperword:]dX\\\\", 0, 0 },
+		{ "([${144,}(\?<!)-RAk_F(\?imsxisx:=9]z/))", 1, 0 },
+		{ "[[^[[[^([[^[^[^([[^([[Uiiiii#####(\?(\?{(\?<!#########(\?=#####).^)(.|>2m[M/2222222222222222222222222222(\?:22222222222(\?#22(\?:(\?=22222{,243}]x68+I/K)11111111111]\\pP[:graph:]$[:space:]^{}A)[:xdigit:]-={>", 0, 0 },
+		{ "[(\?>[(^()Vty2vvvvvvvvvvvvvvvvz^])ZZZZZZZZZZZZZZZZZZZ----------------5\\dVLSp8UE2m+z3X/Sd", 0, 0 },
+		{ "[}}}}}}}}}}}}}}}}}}}(\?#}}(\?<=)|*C ]*29JW7O9mEB]pE_OoxN)[:alpha:]", 0, 0 },
+		{ "([^((\?<=\?)D{,200}.[(\?#:ascii:])[:space:].)[:alpha:]D|[:graph:]{,-41}*LLUUUUUUUUUUUUU{-189,-131}]qHR<k2@P{27}<^e,ub%\?/4){-243}+[:digit:]%*x9lA^", 1, 0 },
+		{ "([:alpha:]bT&+_)$Z{,212}x26`", 1, 0 },
+		{ "[^([^(A{[^}g(\?()A9p#54b]-------------------------------).wzD#=f\\)A)8a]]DNNNNNNNNNNNNNNNNNNNNNNNNNN", 0, 0 },
+		{ "(W000000000000000000000000000000)", 1, 0 },
+		{ "www(wwwwwwwwwwwww)", 1, 0 },
+		{ "()555555555555{18}i+[:alnum:]E  {}U", 1, 0 },
+		{ "SqbHoooooooooooo[^oooooo([^ooooooo])\\N[:xdigit:]]oooo`", 0, 0 },
+		{ "[999999999999999999uE{193,0}lx{7917}[:punct:]4&d]{221,}[:digit:]{49,156}[:lowe(\?<=rprint:])[:space:]{-33}w+", 0, 0 },
+		{ "[^(\?{})<{220,-193}[(\?=:xdigit:]UUUUUUUUUUUUUUUUUUU'{-18}])", 0, 0 },
+		{ "b[(\?<=:upperw(\?{ord:][:digit:]})EEEEEEEEEEEEEEEEEEEEE//////////////////){177}C", 0, 0 },
+		{ "(^).[:alnum:][^[(\?=[(\?{[})DA5{)[[I~y&O\?9>])]][:blankcntrl:]M[:alpha:]x9[:upperword:]|[:xdigit:]b", 1, 0 },
+		{ "()[:digit:][^[U}-]]{,206}V*WJ@R]\?", 1, 0 },
+		{ "[^](\?#{}(\?[<=)yv)]r", 0, 0 },
+		{ "({,-192}//////////////////////7!eW_0eoL){}", 1, 0 },
+		{ "^[:punct:(]+)IIIIIIIII[:punct:]P$pP", 0, 0 },
+		{ "[(\?=|U)^-]{-52,-72}[:digit:]*6666666666\?{{{", 0, 0 },
+		{ "([^f(\?:+{1((\?=34,}]))^)s0bux7\?5`Bwr[:upperword:])Dy+", 1, 0 },
+		{ "AL{}:::::::::::::::::::::::::::::::{,(104}~@,Ysey@h).", 1, 0 },
+		{ "[^((.)))(\?()))))))))))))))))))))(\?msxims:))))))))))[)][:upperword:][:alpha:])", 0, 0 },
+		{ "[^(()f])G^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^T{}N*nK[G]{,61}^^^^^^^^]", 0, 0 },
+		{ "[(N::(\?<=[:digit:][:graph:][:space:]xB5[(:xdigit:]|Yv{}HHHHHHHHHHHHHHHHHHHHHHHHd).[:g(\?<=raph:])[:digit:]<<)[:digit:])[:space:]Q[:punct:]x7C]", 0, 0 },
+		{ "[^((\?(\?(())a)(\?!){})W)pP3333333333(33333333333333333333hhh]{})", 0, 0 },
+		{ "[^                [               a*FFFFF[^FFFFFFFFFFF(\?<[^!FFFF(\?=FF])])L1]{,-52}{B-bxsPKg{,8}[:digit:][:punct:][:upperword:]DD${,-131}", 0, 0 },
+		{ "($$$$$$$$$$$$$$$$$$$$$$$$$$$$$^pP),,,,,,,,,,,,,(,,,,,,,,,,,,)QQQQQQQQQQQQQQQQQQQQQQQQ", 2, 0 },
+		{ "[:lowerprint:]|l{(,-54}C{}*-)IIIIIIIIIIIIIIIII", 1, 0 },
+		{ "()+", 1, 0 },
+		{ "[(([(\?{[:punct:]]|))[[[[[[[[[[})]WWWWWWWW&$$$$$$$[:graph:]", 0, 0 },
+		{ "[^(\?{}){(107[(^,}][:space:[]))^w,&aPPPPPP[^PPPPP{117,-213}s\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?]]]222222[:d(\?(igit:]NNNNNN)NNNNNNNNNNNNN8)I", 0, 0 },
+		{ "[^(\?<!$)|TTTTTTTTTTTTTTTTTTTTTT(TTTT]a8)2<", 0, 0 },
+		{ "([^[]%[^[^]-][:alpha:]37*:[:space:]]lQvu)[:xdigit:][:blankcntrl:]", 1, 0 },
+		{ "[[Bl_>9C^:\?X_KK]2sw@hHZT!],uuuuuuut|lFW()'''''''''''''''''''''[:graph:]<~v{-251}0[:digit:]C[{222,}]{,41}{}*g^UuS/{-114}", 1, 0 },
+		{ "(D{,-79}[:gra(ph:(\?(]C[:ascii:]))I[tC.%tkllll[^llllllllllllllll]&&&&&&)&&&&&&&&&&&&&&&&&&&&&&)]10435", 1, 0 },
+		{ "[:al(\?{[^num:]]})}x'[:(\?#xdigit:])xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKKKKKKKKKKKKKKKKKKKKKKKKKKKKTTTr*%{~f", 0, 0 },
+		{ "[ZQKEEEEEEEEEEEEEEEEE(\?<!]3|.~~~~~~~~~~~~~~303)33333333333333333", 0, 0 },
+		{ "(-62([:ascii:]5555){-230,}<<<<<<SM[:punct:]{72}|E{160,})Pfqba!{,-188}DS{ +2tRu\"0JG$", 2, 0 },
+		{ "([^(\?:(Ea00000000000000[:punct:][:graph:]{}]))[:xdigit:]{-65}t){164,}", 1, 0 },
+		{ "[\?$$$$$$$$$$$$$$$$$$$$$$$$$F......(\?(.).q#R:j6%TTLCdtuM|8*54<GHoqEh9FBW0:W]L0)o][:upperword:]", 0, 0 },
+		{ "[(\?>[:alnum:]W[:space:]]D)|L", 0, 0 },
+		{ "(M(MM)[:alnum:]|[:lowerprint:]4)", 2, 0 },
+		{ "[[^(\?:{}{2[2(\?>0,})]]]Etu)-)", 0, 0 },
+		{ "([^[^^z[:graph:]]#{-144,96}[:punct:]!4LY//////////////////SSSSSSSSSSSSSSSSSSSSSSSSS[[^:xdigit:]\?`-!L#p0{52}]%{-121,}[:graph:]]WqJ>$6UBg{,7}[:blankcntrl:])[:upperword:]y2wW!A[:blankcntrl:]0CN\?", 1, 0 },
+		{ "[[^(\?:|+bII(IIIIIII(\?(\?>!)275SIIIIIIIIII(IIIIIII(\?=IIIIII[:graph:]|)`]S\?.}A)[:alnum:]Jgggggggggg{-150,}{-89,})[:alpha:]Q)|07be5:j)]", 0, 0 },
+		{ "([(\?i(ms(\?=x-x(\?>:))C)]){})>eIqm~lFb[:upperword:][:blankcntrl:]w=[:digit:][:graph:]", 1, 0 },
+		{ "([HHHHHHHHHHHHHHHHHHHHHHHHHH[^HHH(\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?!!!!!!!!!!!!!!!!!!!!{23}]~J=[:ascii:]tttttttttttttttt])-216", 1, 0 },
+		{ "B{[^-32,246}{13(\?!0}q>GVQw*[:digit:][:punct:].77777777777777777777`T(-t01odD]\?${}{-247}+gV{131})+[:lowerprint:]m/z~d", 0, 0 },
+		{ "[t[$FV+(\?=E=[^])]-$U{-22[5,}{253,}08g]$[{}][:xdigit:][:punct:]{-18}{-173,}]{,-191}V_|90", 0, 0 },
+		{ "()$", 1, 0 },
+		{ "[^[^((((((((((((((W[(\?::blankcntrl:]&-JH]J){93}LLLLLLL|r{,221}tY/172]-AS", 0, 0 },
+		{ "[^()(\?{qqqq(\?msimsx:qqqqqqqqqq3999999999999GGGGG|S*W%{,128}][:xdigit:]AJt]}\"Zf!lRpr{>){,36}})", 0, 0 },
+		{ "[([]^]^)", 0, 0 },
+		{ "([.(\?#){}[:alpha:]\?S{2}P%Gw]nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnYiq5)>i*r<", 1, 0 },
+		{ "[ggggggggggg$PPP:S (:]N{239,}|A[:lowerprint:]vvvvvvvvvv[:lower(print:]{-184}({-133,}+)[:punct:]P/Q.OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO", 1, 0 },
+		{ "(RRRRRRR[^RRRRR[RRRRRRRRR])]", 1, 0 },
+		{ "[(\?:^])D%", 0, 0 },
+		{ "()[]#C[+[j]{,29}-]", 1, 0 },
+		{ "(([(\?(((\?{\?!(\?=\?=#[Es*){02$r'}(\?:3pz)uPPPPPPPPPPPPPPPP(\?(\?>:PPPP][:graph:][:ascii:]`.)[:punct:][:a(\?mxi:lnum:])r)$)[:xdigit:]$[:(\?=digit:])aa[^]a)\?])sQQQQQQQQQQQQQQQQQQQQQQQQQQ^|$)-}))", 2, 0 },
+		{ "z@@@@@@@y${}[:(\?:upperword:]l\?{,144}-)", 0, 0 },
+		{ "[:aln(\?:(\?>um:(\?imximsx:]){})FGGGGGGGGGG|-p){,105}", 0, 0 },
+		{ "[[{17}llllllllllllllll(\?:lllllllll{,(\?#-94}OUUUUUUU(\?#UUUUUUUUUUUUUAA]p[:digit:]{-1(57,}5yyyyyyyyyyyyyyyyyyyyy[:alnum:]v{-185}^^^^^^^^^^^^^)d[[[p)]))", 1, 0 },
+		{ "()|[:digit:].E2o", 1, 0 },
+		{ "()3[:lowerprint:]", 1, 0 },
+		{ "[(\?{(\?#(\?>SN}[^)z+r^t[:digit:]seP[:alnum:]$b1ZY[U(\?<!U4IIIIIIIIIIIII(\?<=IIIIIIIIII]m)]))]4)", 0, 0 },
+		{ "{,74}      qkk[^p]kbi6>{}000000000000000000000000000000$|)", 0, 0 },
+		{ "[:(\?=digit:])v{164}", 0, 0 },
+		{ "[:graph:]h[:upper(\?(wo(\?{rd:)])00000[^000000000000}).4OEVf{,-46}]A", 0, 0 },
+		{ "[](((((((((((((((N{{{{{{{{{{{{{{{{,-1}e]a{-166,-44}", 0, 0 },
+		{ "([[^[^[(^[]]YYYYYYYYYYY]D.cQ{}[:alpha:]ttttttt000000[^0000(\?<!0000000000000000N::::::::].][:alpha:]#5\?{}{-253,-193}]\\[:ascii:]tS{,35}B)ffffffffffffffffffffffff))/", 1, 0 },
+		{ "(G)[:alpha:(\?#])W{-197,-220}w8", 1, 0 },
+		{ "{-2[^00,(\?#-([84}ig+)]]l[:graph:][:graph:][:space:])aaaaaaaaaaaaaaaaaaa{-208,}ea{,224}", 0, 0 },
+		{ "[^[W(\?<=[B[:xdigit:]{255,}FAAAAAAAAAAAAAAAAAAAPP])[:xdigit:]+][:lowerprint:]${-195}", 0, 0 },
+		{ "[v{104,}BB].HHHHHHHHHHHH[:ascii:]bbbbbbbbbbbbbbbbbbbbbbbbbbbb(btttttttttttttttttttttttttt){180}", 1, 0 },
+		{ "[^(i[^iiiiiiiiiiiiiiiiii(ii)n])#######################]", 0, 0 },
+		{ "(([:space:])[:g(\?>raph:])[:punct:][:upperword:]LV\"t+t!)[:ascii:][:lowerprint:]q", 2, 0 },
+		{ "[[[^([7(\?[<!)\\PP~D7L        (\?imsimsx:(\?=  $GS26L3-J(\?()!)]]{-178}%$[:p(\?!unct:]))yyyyyyyyyyyyyy@w,[11!R86:)G*[(\?(:blankcntrl:]267$~L\?{-108}k[:alnum:]So\?Y/eq]-|[:xdigit:]555555555555555555555555555)55555........W*O))][:alnum:]]I{,-126}[:lowerprint:]8\?[:xdigit:]u%wHc6\?:Pc...........................,,,,,,,,,,,,,,,,,,,,,,,,,,,]", 0, 0 },
+		{ "((3pPp))QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ", 2, 0 },
+		{ "[[^]{-244[}(\?([^|W0E4]UUUUUUUUUUUUUU[:upper)word:][:space:]{-57,})+L>R]]$PeFuufcBA`qr!!!!!!!!!!!!!!!!!!!!!!!!!", 0, 0 },
+		{ "[[(\?#F^(\?<!)|)fff(\?!fffffffffffffffff(\?{ffffff(\?:ffffff[:alnum:])]]c.\?-}))", 0, 0 },
+		{ "[^[^((\?:)ww[wwww(\?>wwwww)3z/57z){34}]/(/////////////[^//////////////////)]E%)L{-133}]*$]", 1, 0 },
+		{ "(!)GS[:ascii:][:punct:]{235}T'&-_h\"", 1, 0 },
+		{ "(){}", 1, 0 },
+		{ "[[^((\?!(\?<=)*QF[:alpha:])([^[^\?<!x60t(\?<!UUUUUUUUUUUUUUUUUUUU)K&d{118}z7nM.G)```````````````````````````E:(\?(){31,}){}]k]){,109}[:space:]]ZZ[:xdigit:]]{-68,}`{}{}e\?[:alnum:]", 0, 0 },
+		{ "[^{223}.^,-qqqqqqqqq((\?!\?>qqqqqqqqqqqqqqqqqqqqqqqP6W0_'O)Bur*'6&*t)]{65})+", 0, 0 },
+		{ "([(\?=)]wr$7f5ru){100,}[:xdigit:]y{}[:digit:]{}2n@P|9#mru~97{-189,73}$a", 1, 0 },
+		{ "({-113,213}){-172,221}B[:ascii:]{,-48}", 1, 0 },
+		{ "[^[[Xf`````((\?{(\?<=\?imsmsx:`````````(\?!`````````[```(\?mximsx:``(\?(&|o{xIaO][:)space:]3))\?])+)*<|@@@@@@@@@@@@@@@@@@@@@@){-251,}{}]*[:graph:]1!azE\?|-120u*][:lowerprint:]})", 0, 0 },
+		{ "[[[^##(\?################(\?>(\?(##t)][:punct:])b))<<<<<<<<<<<<<<<<<<<<<<<<<<[:alnum:]y >u=l:rp8i3Ci#]46%NIO-W[:space:]IIIIIIIIIIIIIIIIII]W[:space:]f]l{-253}", 0, 0 },
+		{ "[:graph:]L{-136,175}{[^}h(\?=t)Q]ooooooooo(ooooooooooooooooo_)[:space:]q\?", 1, 0 },
+		{ "()$.", 1, 0 },
+		{ "[(\?<!^$.\?{197}B]$)", 0, 0 },
+		{ "[:di(git:])[:low(erprint:])qqqqqqqqqqqqqqqq[:digit:]", 0, 0 },
+		{ "((zzzzzzzzzzzzAUUUU)l$]VD                 z~)n", 2, 0 },
+		{ "([^[(\?<=^[]{}][.WWWW)044444444444(\?=44(\?{444(\?{(444444444444e{(\?=}}))..t]+[:(\?<!xdigit:]P]-N}))))|)", 1, 0 },
+		{ "\\ce[:(\?#asc(\?{ii:])})[:upperword:]`^", 0, 0 },
+		{ "[:graph:(\?<=])[:alpha:]", 0, 0 },
+		{ "([:upp(\?=erword:])pC)lp\?", 1, 0 },
+		{ "(oooooooooooooo\?fN)-[:alpha:]{-213}[:alnum:]qHEu", 1, 0 },
+		{ "[:punct:]TTTTTTTTTTTTTTTTTTT[:d(\?#igit:])[:alpha:]", 0, 0 },
+		{ "([^[^[^J4(+++++++++++++++++++++SgDE(\?>\"y8].]:::::::::::::::)pP5-]p)O{,199}xxxxxxxxxxxxxxxxxxxxxx[:ascii:]%", 1, 0 },
+		{ "([:alpha:]Fs)Z", 1, 0 },
+		{ "[()]{209}[:alpha:]hhhhhhhhh(hhhhhhhhhhhhhhhhhhhhh)pP<<<<<<<<<<<<<<<<<<<<<<<<<<<<<", 1, 0 },
+		{ "-{-8,}.[:(\?imsxx:ascii(\?<!:]{-231}aa*{}K^UQL\?)d\?[:lowerprint:]W)q>D9'", 0, 0 },
+		{ "[#(\?msximsx:#########################-IIIIIIIIIIIIII(IIII(\?#IIIII((\?#[^III{})N.[(\?=:lowerprint:]))CwT,,,,,,,,,,,,,,,,,,,,Sq]$CCCCCCCCCCCCCCCCCCCCCCCuuuuuuuu])))", 0, 0 },
+		{ "[:xdigit:][(\?#]){13}{,75}lllllllll", 0, 0 },
+		{ "[c]QQQQQQQQ1+{-252[(\?#}33333])[:upperword:]", 0, 0 },
+		{ "P@i #>>PF!@8G<[(\?:^P]-)D", 0, 0 },
+		{ "uZZZZZZZZZZZZZZ[^ZZZZZl*-211{199}(\?!p])EEEEEEEEEEEEEEEEEEEEEEEEEEED[:lowerp(\?msximsx:rint:])", 0, 0 },
+		{ "[(\?!^])021[:graph:]'", 0, 0 },
+		{ "\\(\?>[(\?<=:ascii:]{}[:alpha:]d8}G))", 0, 0 },
+		{ "[^[((\?!1)[^,a|]\?{,242}[:alnum:])X\"a", 0, 0 },
+		{ "pP[((\?simx::a(\?!lnum:]vvvvvvvvvvvvvvvvvvvvvvvvv)|O0)[:digit:]ooooooooooooooooooooo)\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"", 0, 0 },
+		{ "_ L:8J-~ Y$[:uppe(rword:]{,-184}]{}6.A)", 0, 0 },
+		{ "{,105}.(9]]{-12})N@0nOOE", 1, 0 },
+		{ "HHHHHHHHHH[:xdigit:]uuuuuuuuuuuu{}E^X\\\\\\12601", -1, 1 },
+		{ "( o)=\"OU7h{V>", 1, 0 },
+		{ "[[:xdigit:])))))$[:xdigit:]+{152}{,-50}(c),,,,,,!!!!!!!!!!!!!!(\?>!!!!!!!!!!!!!.[:digit:]i>\"O'i9])-175d_", 0, 0 },
+		{ "[([^[^[^([[Eeee[^eeeeeee(\?(\?<!(eeeeeeeeeeeeeeeeeef|]][:alph()\?>(\?!(\?>a:]a{,166})/////////////////////[:gr[^aph:])Gpu", 0, 0 },
+		{ "(7)NNNNNNNNNNN132", 1, 0 },
+		{ "[([\?#^[]{QKm$v])][:alp[^ha:]]", 0, 0 },
+		{ "(:{86})7{K|[:alpha:]{O", 1, 0 },
+		{ "([Y(\?{[[^:alnum:][:alnum:][:digit:][:a(\?(lpha(\?(:].})", 1, 0 },
+		{ "[[({29,-30}([[^:digit:])Y]]J=~{,220}[:blankcntrl:])0ooooooooooooooooooooooooooooooo[:punct:]&]", 0, 0 },
+		{ "[^1Dx32[:alnum:]]{[(\?::punct:]MMMMMMMMMM)12759", 0, 0 },
+		{ "([[[]]*|(_])[:u(\?{pperword:]})", 2, 0 },
+		{ "[:upper(\?(wo)rd:]){-16,250}", 0, 0 },
+		{ "([^{194}i(\?({161)}PP\\S{}{,-14}]))z{208,225}BpPEt", 1, 0 },
+		{ "[(\?m-ms:)}&!@29k0sUqzt9}<-x|A$!+G>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>CCCCCCCCCC-][[:space:]][:space:]El", 0, 0 },
+		{ "()[:digit:(\?isx(\?>ix:]K^WQQQQQQQQQQQQQQs)[:lowerprint:])", 1, 0 },
+		{ "[a|(\?imix:S(\?(SSSS)SS(\?>S)]W)8t[:ascii:]f$)[:alnum:]111111111111111111111[^[:space:]x{12729}+'''''''''''''''']", 0, 0 },
+		{ "[^(\?!(\?(\?#=)a)[:punct:]=2)(){}$$$$$$$$$(\?ims(\?#-isx:$$$$$$$$$$$$$$$$(\?#$$s)x{294b}##############################slllll)]){,209}333333333333333333G:v2/K", 0, 0 },
+		{ "[^]ub(\?<=)vQ6(\?#Z\"3.)[:space:]u[[:digit:]]7777777777777777U'{}sssssssssss", 0, 0 },
+		{ "(([(])`[:ascii:]b)", 2, 0 },
+		{ "[[[^[^([^[^(\?=(\?imxisx:[[^w])", 0, 0 },
+		{ "pppp(pppppppppp-{-175}Nb>k&)sssss{-190,-54}", 1, 0 },
+		{ "()OJ@`'%[:(as(\?!cii(\?#:]))+pffffffffffffffffffffffffffff{,162}[:ascii:]5)s-[:graph:]", 1, 0 },
+		{ "[(M{}Ux5{jaW/{}[^u[:alpha:]s^{84,}PPb@Wt$(\?>nha<Yf41a)]{}[:lowerprint:])*[:lowerprint:]][:upperword:]^1gS.^=pp{}FFFFFFFFFFFFFFFFFFFFFFFFFFF33333333333{}", 0, 0 },
+		{ ")\?L9~h4BQnNp F\\Q{}", 0, 0 },
+		{ "($)[:upperwor(\?:d:])N[:alnum:]bcccccccc5555555555555555555555555.N[:blankcntrl:]", 1, 0 },
+		{ "2222222222222222222ppppppppppppppppp[:lowerprint:]))[^B\\e{{{{{f]6#+{,-104}{{{{{{{{{{{{{", 0, 0 },
+		{ "<[(\?>:al[^pha:]])\"O\"vN", 0, 0 },
+		{ "[(\?>d8E@b.{(\?<=,-250}(\?=mx48[:punct:]^&)]nAeYY)W)-13272", 0, 0 },
+		{ "22222222222222222222222222///////////////////[:digi(\?#t:]eM)[:lowerprint:][:alpha:][:alpha:]EEEEEEEEEEE", 0, 0 },
+		{ "[(\?={38,223})^\\\\\\\\\\\\\\\\L(\?:{,-50}3|)}r]aW\\x70U{-110,}8LUf)w]4+oav", 0, 0 },
+		{ "G[:upperword:]v[:lowerprint:]-tu)j8CK", 0, 0 },
+		{ "[([([^().(\?(\?><=c)'(\?<(='(\?<!''''''''(\?(\?<!!'''''''''''(\?=''''''/(|dHj(P>L\?q!G))|)(\?=n(\?(^tk)T-z$q!D|2<rc[^{,53})]jZy))))6)[:bla)nkcntrl:])010])7pE`l[:space:]([:lowerprint:]eXXXXXXXXXXXXXXXXXXXTTTrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr]+[:alph(\?!a:]7)444444444444444444444444l{34,}]J{}yyyyyyyyyyyyyyyyyyyyyyyyyyy)\?'z9~9s.mA", 1, 0 },
+		{ "().", 1, 0 },
+		{ "{-205(,}[:al(ph(\?>[^a:]W,[4DLR[^^8THMtVv~KKw(\?>)pPF)].{-245,}]))fffffffffd[:alpha:]zzzzzzzzzzzzzzzzzzzzzzzzzzzzz", 1, 0 },
+		{ "[^[[^]{-[1(\?imximx:83,}{,182}][:graph:]]^])-bTO X0P", 0, 0 },
+		{ "[11111111111(\?#11111111]U[:asc([\?!ii:]{,37}+{-89}){-170,218}{-21,})f[:xdigit:]]P.[:xdig(\?:it:]145)YYYYYY$S@:@@@@@@@@@{-150,-109}", 0, 0 },
+		{ "{-40}<o][^D[(:graph:]]d).Q", 0, 0 },
+		{ "()APPLn[:xdigit:]", 1, 0 },
+		{ "[([^\?+++++++++++      [       (\?>  (\?(     (\?{  (\?!]E{-29})pP)})ZpP", 0, 0 },
+		{ "(t|{}c[^z^\?(@YLD]bSSSSSSSSSSSSSSS)+{{{{{{{{{{{{{{{[:xdigit:]n>1)WkF}7", 1, 0 },
+		{ "W22[0Q[^d-d{}PPPPPPPPPPPPPPP<^FZ(\?<=\"[U]Yo}9H'cYy]S[:alnum:]^8wTDH)^u", 0, 0 },
+		{ "([^[(\?:(\?>((\?#$)(\?{^(\?>))///////////(\?>/ggggggggggggggggg{1(\?!90,-13}\\D)Dyyyyyyyyyyyy(\?!y(\?<!yyyyyyy)})]]$)[:xdigit:]|{}-)#a))nPpP[:lowerprint:]AA)V+q^[:blankcntrl:]", 1, 0 },
+		{ "([^(\?!]))D{,97}", 1, 0 },
+		{ "(c){,141}", 1, 0 },
+		{ "nn[:s(\?<=pace:])[:upperword:]ooooooooooooooooooo*^[:space:]`{-188,129}mmmmmmmmmmmmm^.", 0, 0 },
+		{ "[[G{(\?imsximsx:2(49}{,-46}r(\?(\?=#Gw]u))[:bl(\?>ankcntrl:]))(^m+)zSiZ F4[!]VV$E{-9,-100}''''('''''''''\?DEOOOOOOOOOOOO###############[:space:])HHHH)[:digit:]'////////////", 2, 0 },
+		{ "[^*}(\?>)(\?:7Q=#+]KKKKKKKKKKKKKKKKKKKKKKKKKKKG)]]]]]]]]]]]]]]]]]]]]]]]]]][:alpha:]-{}", 0, 0 },
+		{ "[n(\?<(\?#!nnnnnn55555{205,}!)[:alnum:]^]!!!!!!!!!!!!!!!!!!!!!!![:punct:])[:x(\?(digit:]vr)|'n6W5 D&jk[:punct:]5)", 0, 0 },
+		{ "[^P(P{(\?i(msxisx:235,}))***])[:alpha:]^", 0, 0 },
+		{ "[([t(\?<!(\?<!4])[:u(\?=pperword:]))-])}}}}}}}}}}}}}}}}}c{-39,}[:digit:]$-", 0, 0 },
+		{ "([^)]{241}[:xdigit:][:upp(\?=erwo(\?(rd:]-xF5b{})q[:ascii:])T4U{185}9999999999)()X&Ny[:alpha:]@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@{69,}[:alnum:]x{d7f8}p-[:digit:]", 2, 0 },
+		{ "(f)(${,111}{25,}!\\d{,94}[:blankcntrl:]@[:space:][:ascii:])-237{,232}DQVVVVVVVVVVVVVV)-", 2, 0 },
+		{ "PP[:g(\?!raph:]){}", 0, 0 },
+		{ "([[^-][^4[:digit:]NNNNNNNNNNN]TVU:])[:ascii:]", 1, 0 },
+		{ "(([^(\?[[^<=)][:graph:]+iiiiiiiiiiiiiiiiiiiiiiiiii0INFX[:xdigi(\?(t:][:blankcntrl:]][:graph:]qM6A[:alpha:][:graph:])1*]eFvvvvvvvvvv)v-)U))t{89}", 2, 0 },
+		{ "[^ZZZZZZZZZZZZZZZiiiiiiiiiiiii(iiiiiiiiiiiiiii{}))))))))))))))))))]))))))))))))))))))))))))[:digit:]-", 0, 0 },
+		{ "ddddddddd+zzzzzzzzzzzz[:graph(:])ssssssM{-223}[:graph:]", 0, 0 },
+		{ "[:alph(\?>a:])x11{-144,45}.", 0, 0 },
+		{ "[]{#y.^(\?{{}&&&&(\?:[^&&&&&&&&)[:punct:]n{190}OylBQ{(\?!-73})2u',x(\?#Ds(\?#{})j(\?{-})})u0(((((((\?{(((([:alnum:])MC})b=71TncyE>[:xdigit:]*\\f]{}]\"p#!8twZT\")[:punct:][:space:]", 0, 0 },
+		{ "[^(Z6]8)|'@p8{}[:upperword:]MMMMMMMMMMMMMMMMMMMMMMMMMMMM{}7c", 0, 0 },
+		{ "$0)@#vp,VcJ.Bdh", 0, 0 },
+		{ "[[^(-])nnnn+s`[:alpha:][:blankcnt[^rl:][:upperword:]{-15,}][:g(raph:]c]){,-177}6[:upperword:]##################{,-14}", 0, 0 },
+		{ "[[(5C{86(,}PPrrrrrrrrrrrrrrrrrrrrr{150,182})N{}LSC|)-[:alnum:]{}KKKKKKKKKKKKKKKK<4=~7K3PPPPPPPPPPPPPPPPPPPPPPP[:lowerprint:]]]", -1, 0 },
+		{ "([^(x{145b[5}^hfc.0)+]z@_&lA{-34,}])X\?", 1, 0 },
+		{ "([(\?<=)(\?!])l)L", 1, 0 },
+		{ "({-104,}DrPPDF4444444444444[:space:])[:space:]", 1, 0 },
+		{ "())))", 1, 0 },
+		{ "[[^((\?>\?(\?[{})q5v}r7t(P)xtffffffffffff))]{,-66}kdExX&-SCeCzzzzzzzzzEc)E,\"^I]x{e629}|{}]", 0, 0 },
+		{ "[h[:punct:]p\\[\\\\(\?:\\\\[^\\\\)Eo#:C$u[^T/ysA[*%nM:f]{,221}[:lowerprin[^t:]{]bx{f285}E]E[:alnum:]+]1oe3B][:alp(ha:]]fh7}M$l)D{17}", 0, 0 },
+		{ "IIIIIIII[^IIIIIIX]-_S[:digit(\?#:])33333333333333333333333333[:punct:]iiiiiiiiiiiiiiiiii", 0, 0 },
+		{ "[^[[:punct:](\?((\?:^ #Q_po(\?=[:alpha:]{}z()(\?!======'wq$Q2)LLLLLLLLLLLLLLLe(C9gggggggggggggggggg[(\?<=:alnum:]()\?<!{-85,}W[[[[[[[[[[[[[[[[(\?{[[[[[[^)(]\?])|uuu[uuuuuuuuuuuuuuuuuu{,-20}p${}]MHI&7s:\?$[:digit:]-:)_V`*{-52,}{250}$:ME9izF/uP[:blankcntrl:]})''''''''''''''''''''''''''''')CCCCCCCCCCCCCCCCCCCCCCCCdd[:ascii:][:lowerprint:].Mcccccccccc2B{-230,}$[:digit:]", 1, 0 },
+		{ "()|mOAuK~P144[:space:]^9dddddddddddddddddddddddddddddd[:blankcntrl:]", 1, 0 },
+		{ "[^[^[^.L[^-vEUl(\?>(\?=a!Ib1P]])])~~~~~~~]xE9", 0, 0 },
+		{ "X()", 1, 0 },
+		{ "[^()(\?#G(\?<!)(\?=^r])*,XXXXXXXXXXXXXXXXX@)444444444", 0, 0 },
+		{ "([[((\?<=({,-70})-[:xd(\?=igit:]{,138})", -1, 0 },
+		{ "[(^]{62,67})", 0, 0 },
+		{ "([((])[:space:]))", 1, 0 },
+		{ "(a{(109,})[:alpha:]{,-121}{})]RRRRRRRRRRRRRRRRRRRRRRRR{}{125,}ttttttttt{46,}`[:space:]", 2, 0 },
+		{ "[^[^([q[8]~.IPmiBSspP)]QpX[pT==8@lulANS]]{,-98}]", 0, 0 },
+		{ "[^77777777777777777777777(\?>777777])", 0, 0 },
+		{ "(),e<^X~{[:alpha:]{}G{70}", 1, 0 },
+		{ "({-211,}'){}", 1, 0 },
+		{ "[^(\?imsxsx:{}[*])cccccccccccccccccccccccccccccccc<z0W8]$", 0, 0 },
+		{ "(){2,89}$z", 1, 0 },
+		{ "((050[^\"\"\"\"\"\"\"\"z]8|j{}{,-112}$).pP)qq1~hW}L", 2, 0 },
+		{ "[[^[(+xx(\?<!xxxxxxxx(\?!xxxxxxxxxx(\?#(\?>[x))(\?:]r.]]]))[:graph(\?<=:])))", 0, 0 },
+		{ "[^([(\?#)(\?(\?(<=)l|\?(\?!])kkkkkkkkkkkkkkkkkkkkkkkkkk", 0, 0 },
+		{ "[:xdigit:]K(KKKKKKK)^3c.OOO{-240,-10}2{-97,-139}*{-34,}[:xdigit:]", 1, 0 },
+		{ "[([^66666666F(\?>FFFFFFFFFFwpP)LLLLLDeDA&Am$l[:xdigit:]!T5#]n[:alpha:]U*)))))))))))))PP]", 0, 0 },
+		{ "[[[:punct:]u^[:xdigit:]L(\?:[:xdigit:][[:graph:]PP{21}A[:alpha:]8%I(M%b<eE~#C@r=uG~~~~~~~~~~~~~~~~~~~~~~~~~~~~+w]pP)T]]$$$$$$$$$$$$$$${-121,}|l", 0, 0 },
+		{ "([(107{,-4(\?=}~[^D)])f]{,46}+ri<)", 1, 0 },
+		{ "[(\?<=]{,208}+~)", 0, 0 },
+		{ "[^444(\?<=4444444[:alnum:]&[,i]0)[:alpha:][:upperword:]", 0, 0 },
+		{ "[^([^(\?()*+)SS(\?>SSSSSSSSSSSSSSSSSSSSSS]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]{,-1}])[:blankcntrl:]===============================[:punct:][:blankcntrl:]Z[:space:][:ascii:]$|$[:blankcntrl:] JR.{,133}[:alpha:]$\?)<]", -1, 0 },
+		{ "(OL[:u[pperword(:][:s[^pace:].[:spac(e:],,,,]*])$)\?)", 1, 0 },
+		{ "(VI[:digit:][:alpha:]6)EG", 1, 0 },
+		{ "({}){-2,-40}rrrrrrrrrrrrrrrrrrrrrrr[:punct:]", 1, 0 },
+		{ "()q", 1, 0 },
+		{ "[^([^[([^C|])]{,-56}[:xdigit:]{-144,}V])fYv{-[40,-58}$@@@@@@@@@@@@@]|Y(-]-.]h-[:dig(it:])>>>dddddddddddddddddddddddddd{101,}", 1, 0 },
+		{ "([P,{1(\?(\?(<=28,-218[^)}LoZX)])!!!!!!!!!!!!!!*[:blank(\?!cntrl:]ed)\\\\\\\\\\\\\\\\\\\\[\\L\?][:graph:]:*Y{-108,120}xCC)]", 1, 0 },
+		{ "(A[:space:]PP{185}a^!!!!!!lllllll)*db\?$Pfr", 1, 0 },
+		{ "{-21,-118}kG[(\?{:xdigit:]})[:punct:]{69}Qyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy5{}TTTTTTTTTTTTTTTTTTTTT", 0, 0 },
+		{ "[[^[P(\?<=P$X>0^d.[:punct:](\?#ccccccccccccccccccccccccc{}3N000(\?>00000000000000000000000000000]f[:punct:]5)).R================{,222}^wwwwwwww$)]-{}              ]{,-22}CjP{242,}", 0, 0 },
+		{ "[(\?#^]{})", 0, 0 },
+		{ "[^([[([([[([^[^(\?:(\?(\?(!)]\"))h>\"RRRRRRRRRRRRRRRR[^RRRRR{68,-65}7Q(\?{]", 0, 0 },
+		{ "(P{}){175,}PP{}rttttttttttt", 1, 0 },
+		{ "[:bla(\?{nkcntrl(\?#:]})))))))))))))))))))))))!!!!sR{})", 0, 0 },
+		{ " [:digit:]dAAAAAAAAAAAAA^[:ascii(:]55)^", 0, 0 },
+		{ "($*)dZY", -1, 0 },
+		{ "[:graph:][:lowerprint:]S[:gr(\?=aph:]{-128,}666666666666666666666{}[:upperword:]|nnnnnnnnnnnnnnnnnnnnnnnnnnB)c[:xdigit:]{-225,}{-4,}{-192,}QQQQQQQQQQQQQQQ@@@@@@@@@@@@@@@@@@@@@@.", 0, 0 },
+		{ "([:digit:]s{44,}{}{-31,}c{,-130}pP){-241,}UeN", 1, 0 },
+		{ "([^)((\?>\?#{}hK\"V2\?d][KKK(\?imsxim:KKKKKKKKKKKKKKKKKKKK[^KKKKKKKKKWWWW[WWWWWWWWWWWWWWWWW)B])_l_3", 1, 0 },
+		{ "[(^[(\?!*){[^,91}].j]*]L)*c|[:alpha:]&", 0, 0 },
+		{ "[^[[[^[777GGG(\?:W_U(\?imsxms:[:punct:]A]-)[:digit:][:blankcntrl(\?(:]][:alnum:)])]WRRRRRRRRRRRRRRRRRRRRRRRRRRR]{31,}[:xdigit:]][:xdigit:]))))))))))))))))))))))$[:xdigit:]", 0, 0 },
+		{ "[:ascii:]m*[:punct:]#[(\?<!:punct:][:alpha:]-,7vyXeeeeeeeeeeeeeeeeeeeeeeeee^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%%%%%%%%%%%%%%%%%%%%%%%%%%%%[:digit:]''''''''''''''''')", 0, 0 },
+		{ "([^*[(:punct:]9999999999999999999{147,}]j{,193}{171}Z-)){208}0[:graph:]yDt", 1, 0 },
+		{ "(dw[[:alpha:]U]ttt[tttttttttttttttttttt]Q^171e)[:xdigit:]/", 1, 0 },
+		{ "[[^((\?#)Tqqqqqqqqqqqqqqqqqqqqqqqqq105++++++++++++++++++++++++++b7V+7dit]])|D", 0, 0 },
+		{ "{}P7.Ajh[:xdigit:]^[:blankc((\?(\?<=nt[rl:]FFF)-]){}o|a[:grap(\?!h:]))PsssssssssssssssssssssssssssssssN^{-60,}Kb", 0, 0 },
+		{ "[:alpha(\?(:]$!_+777777777777777777777777O)666)lll[^llllll[^l{{{{{{{{{{{{{{{{{{{{{{|]{-217,}MoEl`7)^)LlU[:alph[a:]({-241,27})]]{-212}{,249}n)X", 1, 0 },
+		{ "[U|ajP[:alnum:]n[(:digit:]]W)[:graph:]b[:xdigit:].P", 0, 0 },
+		{ "(([:low(\?-imsx:erprint:]|{}[:ascii:][:gr(\?:aph:])>>>>>>>>>>>>>{,-129}))\?{-226,}^P)R", 2, 0 },
+		{ "[^[[nnnnnnnnnn(\?=nnnn(\?!nnnnnnnnnnnn(\?#nnnnnn{,-38}N){202,}]$[:alnum:])]t][:alnum:[]^=w){237}][:alpha:]-[:alpha:]+e", 0, 0 },
+		{ "()[(\?(:digit):]+qc)O88888888{,151}aJ", 1, 0 },
+		{ "([^([(\?!sv(\?=)d]{-200,})N))]Z{-73,15}", 1, 0 },
+		{ "([\?\?\?\?|||||||||||(\?{||(\?=||||||||-}[))Ehhhhhhhhhhhhh{,202}&TcfL((\?:>)((\?!\?>$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$8[:alpha:]\\d])]C[:graph:]h*,\"\?u{|mU,a)[:blankcntrl:][:lowerp(\?>rint:])PPnP+9.[:xdigit:]*PPjjjjjjjjjj~y<#*scf_\"^e[:xdig(\?(i)t(:])~$y)^){-131,77}^L%", 1, 0 },
+		{ "[^[(((\?>)$}h9$B5+yhU/Nqh$YYYYYYYYYYYYYYYYYYYYYShK)3WHw1vMMMMMMMMMMMMM(\?=MMMMMMMMMMMM[:alnum:]/)dddddddddddd(dddddd\"e5zLW)+![:space:]+BHGHfAS]\?IIIIIIIIIIIIIIII*&&&&&&&&&&&&&&&&&&)NNvwDteepjdm<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<${61,219}D][:digit:]0", -1, 0 },
+		{ "[:punct:][{177,(\?=234}]ix9*)", 0, 0 },
+		{ "([^K{,3(\?<=4}]I)\?U)", 1, 0 },
+		{ "[([^[[[^([([^[^(\?=])X", 0, 0 },
+		{ "[:blankcntrl:(])qd_R\?{\?r[=\"[^[^6]vX8)a+{C%H84CK6Uy#E]sE{208}", 0, 0 },
+		{ "PPPPPPPPPPPPPPPPPPPPPPPPPPnnnnnnnnnn()[:upperword:]us", 1, 0 },
+		{ "x{,46}[:graph:]LU{}CU)", 0, 0 },
+		{ "()-t|[^W{}][:lo[^werprint:]{}]\?b5", 1, 0 },
+		{ "()x5A", 1, 0 },
+		{ "[([^]-217)]s{-47,135}0000000000000000000000000000000{,-108}", 0, 0 },
+		{ "[^((\?{[^L\?u]})f", 0, 0 },
+		{ "()[[^^(\?{y(\?=VF_(\?<=]D}))]-= {46,})^5bIEQ{,-96}Z", 1, 0 },
+		{ "([^{}f[:punct:]\"X%%%%%%%%%%%%%%%%%%%%]5{-194}A[:punct:]mnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn+AAAAAAAAAA-)", 1, 0 },
+		{ "(CCCCCCCCCCCCCCCCCCCC{-230}352{-182,-68}O4{})", 1, 0 },
+		{ "([^[^\?[:space:]$TTTTTTTTTTTTLLLLL[^LLLLLLLLLL[^({}{4,-179}]]J] C]){}C{}{-224,})QQQQQQQQQQQQQQQQQ^", 1, 0 },
+		{ "([[:alnum:]].){-155,-82}dzI{55,}^", 1, 0 },
+		{ "([[:alnum:](\?#{88,-178})[:graph:]NC\"pI[:punct:]rmWd5y^p+gUP]YYYYYYYYYYYYYYYYYYYY~{,-62}{,200}{-109}{}+333333333333333333333333333333{}p)^.hhhhhhhhhhhhhhh", 1, 0 },
+		{ "[000000(\?mmsx:00000000000000000000000)M]]]]2*`[^]QQQQQQQQ(\?<=QQQQQQQQQQQQQQQQQQQQQQQ])\"<h\?", 0, 0 },
+		{ "[^((<g(\?>5j[bbbbbbb(\?{bb)o{}3(\?imxisx:E]g})YYYYY[:blankcntr(\?#l:].(()w264[:ascii:]^)[:ascii:]G)&(n {^PGn[:xdigit:])nv_e|]{-103,30}", 3, 0 },
+		{ "[^(([(\?!{}@[^HCO[[^^D[|]{,-49}][:xdigit:]]c`4[:ascii(\?<!:])$66666666666)*)]PP$Z[:alpha:]{,-235}UK],(aT/+6rbMqs60EloA)[:g(\?isx:raph:]!)]z$o{-24,}x1E[:blankcntrl:]ZDFvk", 1, 0 },
+		{ "[:blank(\?=cntrl:]US@.!\"[:digit:]*E)$16182", 0, 0 },
+		{ "[-{}x{3772[}][:(\?<=xdigit:][:u(\?#pperword:].W)aD)<pfN<b=C|-{-38}EZdOP|!>ggggggggggggggg\\\\\\\\\\\\\\\\\\\\\\\\\\Ef[:space:]\?][:ascii:]{21,}", 0, 0 },
+		{ "([:xdigit:]W[:u(pperword(\?::]jS [:upperword:]*)[:alpha:]nnnnnnnnnnn))-148}SSu", 1, 0 },
+		{ "([^(\?!\?)[(:upperword:])Bx^x$~lCr6*)6", 1, 0 },
+		{ "[{,-78}Y[:xdigit:][^s(\?>]P[:space:])]YYYYYYYYY[:punct:][:alnum:][:blankcntrl:]", 0, 0 },
+		{ "([MMMMMM(\?(MMM)M(\?<=MMMMMMMMMMMMMMM[^M)]en][:punct:]-[:alpha:]))Nr[:space:]", 1, 0 },
+		{ "~=1([^(\?=(\?:l){}])j{-44}{-18}[^u[:graph:]]{-187,}[:xdigit:]w[:alpha:])", 1, 0 },
+		{ "[ccccc(\?>c(\?{cccc[ccccwetoCei+)w&-+{,-142}[:alpha:]PP66io4(|zkA=],,,,,,,,,,,,,,,,,,,,,Lx5Cx{d2bb}]{188}U~~~~~~~~~~~~~~~~~~~~~~~})", 0, 0 },
+		{ "Q|0\"[:d(\?:igit:]^{,-174})", 0, 0 },
+		{ "[^[(\?>rh])]", 0, 0 },
+		{ "[ees{{{{{{{{{{{{{{{{{bbbbbbb4`ml******(\?=****+])", 0, 0 },
+		{ "((hdG[((\?<=:dig(it:])[^[:alpha:]$(\?sxi:)x{11390}[(\?{:upperword:]~)i 8[:blankcn[trl:(])]+{,-183}Zqp", 2, 0 },
+		{ "Dd{D8`+DW={-[53,1(\?<=71}])", 0, 0 },
+		{ "[:(\?(alpha:][:punct:])", 0, 0 },
+		{ ".LLLLLLLLLLLLLLLLLLLLLLLLLLLL{}pP[:punct:]x0CZ{30,}!!!(!!!!!!!!!!!!!!!!!!!!!!!!!==@77.%[:graph:]D)", 1, 0 },
+		{ "[^[^[[r(\?#]){-237,}RRRRRRRRRRRRRRRRRRRRRRRR[^Rll(\?!(\?{lllll]", 0, 0 },
+		{ "()*ooooooooooooooooooooyyyyyyyyyyyyyyy", 1, 0 },
+		{ "{,4(}D)JJJJJJJJJJJJJJJJJJJJJJJJJ", 1, 0 },
+		{ "((b.D{}[:al[pha:]{64}]{})==========================[:alnum:]h>77b)!Ab", 2, 0 },
+		{ "([^[^[^oooooooooooooooooooooo][:space:][:punct:]PeniKe*~$g\?${>[:lowerprint:]w))))))))))))))){}yyyyyyyyyyyyyyyyyy]pP.|QhZ]{,190})sssssssssssssr+=[:blankcntrl:]WWWWWWWWWWWWWWWWWWWWW", 1, 0 },
+		{ "([*(\?{})hhhhhhhhhhhhhhhh]G{,-170}QdErrrrrrrc-jjjjjjjjjjjjjjjjjjjjn+{-130,-10})PpDS@Bee", 1, 0 },
+		{ "([:b(\?=lankcntrl:]))T[:alnum:]{-224}ywt", 1, 0 },
+		{ "([633(\?<=333(\?<=3333333333(333333)^\?]aGA)[:digi(\?>(\?{t:])$[[:space:][:xdigit:])|8T\?',_{171}{}{113}b\?5kAv0/7{})`huh>xM]C8pYRz]s$Eu08)", 1, 0 },
+		{ "-(pP)[:alnum:]$^", 1, 0 },
+		{ "[^x(\?{{17681}]P*)U(_t/8E_\"iN})3333333", 1, 0 },
+		{ "(([^([[r(\?=[[^^*kx$][:alpha:]:::[:::::[^[^::::::::((\?{\?{::]).^p[:space:]}){52}{}]W{}fn", 2, 0 },
+		{ "[:(\?>punct:]Ef[:xdigit:]x{c07b}{-50}Z{129,}YL1T`\\A)x[:punc(\?=t:]e[:xdigit:]2c6E46Y)+n               ", 0, 0 },
+		{ "[^(\?!{,-79}[:punct:]'|}>,)][:blankcntrl:]{-118,-231}{-119,-50}:XXXXXXXXXXXXXXXXX-~{}$txlB)3KFL", 0, 0 },
+		{ "[^(([^fccccccccccccccccccc(\?<!ccccgQeKMfKzz]X$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$[:l(\?<=(\?<=owerprint:]))s{-97}{}))EUi${,-132}'{79}---------{,-93}77777777777777777[:lowerprint:].:H)[:punct:]nnnnnncP\?s1:dGed{186}N@pppppppppppppppppppppP{-212,-110}[:space:][:lowerprint:]$S}7{-112,164}-*.{-184,}OOOOOOOOOO]f\?", 0, 0 },
+		{ "(([\?#(\?>)])qcU$Q7|82\?{})", 2, 0 },
+		{ "[^yyyyyyyyyyyyyyyyyyyy(\?#yyyyyyyyyyya][:ascii:]\?)", 0, 0 },
+		{ "(([((\?{)EEEE(\?<!EEEEE(\?:EEEEEE~)}){244,}QQQQQQQQQQQQQQQQQQQ(\?>QQQQQQ(\?!QQQQQ][:digit:]\?))99999999999999)[:digit:][:upperword:]b))PP{}{}", 2, 0 },
+		{ "(K(c=B))", 2, 0 },
+		{ "(G`*s\?b[:g(raph:]))", 1, 0 },
+		{ "[^[([[[*QQQQQQQQQQQQQQQQ(\?=(\?=QQQQQQ(\?<!QQQQQQQQZddddddddd((\?{\?>ddddddddddc{22,}iiiiiiiii(iiiiiiiiiiiiiii(\?#iiiiiii[^i))\?\?\?\?\?\?]WWW)[:lowerprint:])]{-60,202}+[:upperword:]f[:xdigit:][:alnum:]{,-214})1~~~~~~~MMMMMMMMMMMMMMMMMM.", 0, 0 },
+		{ "({-102,})A.", 1, 0 },
+		{ "[((((\?<!(\?[^>(\?#\?()))p\"JD.{}(\?>)))((\?{l(\?<=).'053][:xdigit:]N+)})]WWWW%[:asc(\?{ii:]}))B[:alnum:]X){}s[:digit:]", 0, 0 },
+		{ "x7&{139}WWWWWWWWWWWWWW[:blankcntr[^(\?<!l:]-71]\"{-167}cqkI)[:dig[^it:]{}{}[:digit:]*[:punct:]-[l11111111111111111(\?(111111111{175,-216}~[:alnum:]`+X1F)vCpWSp(\?>~[^n@f`````````````)````````P])Y,N{}{}]{}pXF@)", 0, 0 },
+		{ "G[([(\?(^)$])P]^[:alnum:]){,-48}[:blankcntrl:]{}", 0, 0 },
+		{ "[[^[^f(\?=f(\?<=fffffff[^fffffffff[^fffffffff(\?<=fff]){-194,150}fx{e5a4}V", 0, 0 },
+		{ "9[:xdigit(\?{:]})", 0, 0 },
+		{ "[^([[(\?>()$xxxxxxxxxxxxxx[xxxxxxxxxxxxxxxx((\?=aA)s13]])pp[(\?>pppppppppppppppp|{}){20,}]b)]{-179,183}{-204,}[:ascii:])]-11111111{}{,132}qooooooooooooooooooo{}${}|9t", 0, 0 },
+		{ "([^[{}]\"[^6]*-{,-106}{}u]BR~8WG,U-)[:blankcntrl:]", 1, 0 },
+		{ "[''''''''(''''''''''z])c", 0, 0 },
+		{ "[^[(\?>])[:alnum:]r[:alnum:]+{,215}D]", 0, 0 },
+		{ "([({,127}7Qr(\?:z)pPNev%}(\?msximsx:4(\?<!){}&.D5555(\?<=55555555555555555555i$[:xdigit:]){,-157}[:graph:]U[:punct:]nn(\?=nnnnnnnnnnnn(\?>nn(\?:nnnnnnnn_U{}]E)):^oooooooooooooooooooooooooooo)", 1, 0 },
+		{ "[^(\?#)(\?<!k2z]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]BW[:alnum:][:graph:]{157}Y]s$C)[:graph:]{,-189}", 0, 0 },
+		{ "$+CCCCCCCCC[^CCCCCC(\?<=Ca=]r{-81}[:alpha:][:alpha:])E=", -1, 0 },
+		{ "[(((\?=\?{([^(\?<=)])>!(([:alnum:]{252}{}})ffffffffffffl){}A2r\?~ImE\"[:punct:]){}[:digit:]", 2, 0 },
+		{ "([:blank[cntrl:]].t^P)", 1, 0 },
+		{ "[^[(\?:X])|rrrrrrrrrrrrrrrrrrrrrrrrrr*P]Q", 0, 0 },
+		{ "[[[^(\?{((\?<!))s})(\?<!A){14}(\?:L*+TTTTTTT]U{[^-12([\?!,}\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?)Y`Y)L]|]]|]", 0, 0 },
+		{ "hkXzf',]yP$+[:u(pperword:])", -1, 0 },
+		{ "(#[:blankcnt(\?iximsx:rl:])$QQQQQQ{}[:digit:])\?A", 1, 0 },
+		{ "(B{-34,})*{,106}", 1, 0 },
+		{ "[(\?{:graph:]})", 0, 0 },
+		{ "((){}{,63}[:punct:]^t[:space:])^17737", 2, 0 },
+		{ "([^[SSSSSSSSS[SSSSSSSSSSSSSSS[([[[{38,}]Jn][:alpha:]])])$'", 1, 0 },
+		{ "[^({}{95})B{1(\?>15}]x{f779}ZZ,Wo)O[:alpha:][:lowerprint:]{81,228}Q[:upperword:]", 0, 0 },
+		{ "[[^[^()n[[[[[[[[[[[[^[[[[[[[[[[(\?: G)(\?{K![^m) j(\?:C|((\?:n*Xlaa908:n$m,))[:xdigit:]x(\?{{1a5cd}pppppppppppppp(\?(pppp)p(pQ)))ddddddddddddddddddddddddddddddd]q[:alnum:(\?{]Ga})\?})@[:lowerprint:]{,169}[:blankcntrl:][:graph:]]n{-76,}|U\"{,-54}t]I{}{-64,-232}]\?].\?{-111,227}) @hFp\?j=H$Wbu<{,209}De{,145}{206}-})[:blankcntrl:]", 0, 0 },
+		{ "[^[^(LLLLLLLLLLLLLL[^L[L[:alpha:]3{,189}(\?#(\?>n){}^EXXXXXXXXXXXXXXXXXXXXXXXXX]c*)^r=$WWWWWWWWWWWWW", 0, 0 },
+		{ ")w###################", 0, 0 },
+		{ "{,121}[:d(\?(i)git:])E\?[:punct:]LLLLLLLLL[:ascii:]+", 0, 0 },
+		{ "([]]]]]]]]]]]]][:space:]Jrt3o.]b)pwwwwwwwwwwwQfm~", 1, 0 },
+		{ "[+-{,-120}*(\?!()t*(\?(\?{>G)F)yd]V{}f<\?}){245}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx[:upperword:]", 0, 0 },
+		{ "(DDDDDDDDDDDDDDDDDDDDDDDDDDDDDc[:space:][:pu[^nct:]{-11,12}[:ascii:][:alpha:]{,155}P])", 1, 0 },
+		{ "()ggggggg{-136,-21}", 1, 0 },
+		{ "([^((\?<=U\?)(\?=^^^^^^^^^^^[^^^^^^^^^^^^^///(\?#//[////////////////////(\?()#######b+]$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$^[:digit:])\\U]Q8@}4d)\\U", 1, 0 },
+		{ "A[:graph(\?::])-mo=U[:upperword:]ttttttttttttttttttttttttttt", 0, 0 },
+		{ "[^(((\?=\?im-m(sx:)c~~[^~~~~~~~~~~~~~(\?>~~~~~~~~~~~~~SSSSSSSSSSSSSSSSSSSS]{51,}[:digit:]{,-179}N))kk[kkkkkkkkkkkkkkg$)[(\?::punct:]zWl)]|)*", 0, 0 },
+		{ "[((\?=()+A)][:graph:]x0B)[:graph:]", 0, 0 },
+		{ "(nR%B[:blankcntrl:]C=|en-[:digit:]n[:graph:]HHHH[HH]D\?%[:digit:]MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.z(oF9zW8A7cfff(f))-[:blankcntrl:][:blankcntrl:]A[:digit:])D{,-243}", 3, 0 },
+		{ "([[()]]{,-251(})\?L)uw@", 2, 0 },
+		{ "\"|{(,-144})A.ooooooooo(ooooooFFFFFFFFFFFFF\?)n{,-18}", 2, 0 },
+		{ "([^([(([[^([000000[0(0(\?!0(\?=0000000])45|E]", 1, 0 },
+		{ "[B[[[[[[[[[[[|{}*oKqv%(\?<=wsQ{1pMeK1^6%nLNqi<@ge][:punct:]= M@* D|NwL\\-117\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"~Qnd]h.O\"01x:[:alpha:]^){}D}\"", 0, 0 },
+		{ "([[RRRRRRRRRRRRRRRRRRRRRRRRRRRRxpSrx{7d79}*oJ2`Ft{n1,3g:1H@bT$D &[n/Cg)=ld@Ir{Fk>*4*`(\?>````````````````````(\?:`````.....................]]{,246})7 \"F4[^F|/g)]+e`rw@{,-69}H)", 1, 0 },
+		{ "([(\?<=)X[:digit:]PP.[(\?#:((\?#\?#graph:])[:digit:][Q+)(N][:alpha:]]f)[:graph:])+Elllllllllllllllll[:digit:]=)pP{uU-20bzY|ZKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKt<c", 1, 0 },
+		{ "[^(([^$(\?:(\?#w)[(\?::punct:]]d{-149,}[:ascii:])[:blankcntrl:]@@@@@[@@@@@@@@@@@@@@[:graph:][:xdigit:]O[:alpha:]2$-[:graph:])[:lowerprint:]-\?#S[:blankcntrl:][:alnum:]){-77,}]d[:digit:]N5v+Sqqqqqqq^% -I4]*.)^[:alnum:]JDfjMRU7ttttttttttttjjjjjjjjjjjjjjjjjjjjjjCCCCCCCCCCCCCCCCCCCD{,21}{0,67}[:graph:]{,208}B", -1, 0 },
+		{ "(%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%[:ascii:])i{}[:lowerprint:]epxxxxxxxxxxxxxx[:lowerprint:]r-", 1, 0 },
+		{ "([(^w(\?!)()])-s", 1, 0 },
+		{ "[aIIIIIIIIIIIII(\?imsxims(\?=x:IIIIIIIm^NXXXXX(\?!(\?isximsx:XXXXXXXXXXXXXS0]F)z))+rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr{,-237})ZZZZZZZZZZZZZZZZZZZZZZ", 0, 0 },
+		{ "(Z)[:alpha:]", 1, 0 },
+		{ "U#Z(=)", 1, 0 },
+		{ "([:lowerprint:][:punct:])1cVb*[:xdigit:]&&&&&&&&&&&&&&&&&&&&&&&&O", 1, 0 },
+		{ "()~K`3/[^*h[]G6[:upperw(\?()ord:]w)[:punct:]]{}", 1, 0 },
+		{ "[[[]V[:digit(\?>:])|l*KKKKKKKKKKKKKKKKK,,,,,,,[,,,s.{148,}P33333][:lo(\?<!werprin(\?!t:]ZZZZZZZZZZZZZZZZZZZZZZZ]{,-229}{-160,}){,-211}XPPP].{}z[:alnum:][:alpha:(\?=]t{166,}uuuuu6]i*p(m))[:space:]E|S", 1, 0 },
+		{ "[^(h(\?(\?({#2})(\?(\?#>Q){,57}%[:digit:]\?\?\?\?\?\?\?\?\?\?.[)]]d{)-49,}f)^O{,68})\?C", 0, 0 },
+		{ "(}u])18621", 1, 0 },
+		{ "[:as(\?=cii:][^(\?=)(S-{.F-[:punct:]3-105^[:lowerprint:]111111111111111111111111---)][:alnum:][:ascii:]JJJJJwHSk", -1, 0 },
+		{ "[^3>>>>>>-sZ^^^^(\?>]Y[:di(\?(\?imxim:#git:]{-158,-102}[:punct:]{}{87,})))[:upperword:]", 0, 0 },
+		{ "[(\?<!^r]$W){}*[:alpha:].[:digit:]", 0, 0 },
+		{ "[:ascii(\?::[^])X]-", 0, 0 },
+		{ "[([^]Z)[:upperword:]N{}*[:graph:]*^", 0, 0 },
+		{ "([[(\?#^[(:graph:]]){205,}[:gr(aph:]T%]^MMMMMMMMMMMMMMMMMMMM){) <v\\[:digit:])", 1, 0 },
+		{ "[^Y.h~b(\?<=~P{(\?=169,65}\?[^\?\?\?\?\?\?\?\?\?[\?\?\?\?\?\?\?\?\?K\"s`[yT7oP[:alpha:]{})]zrrrrrrrrrrrrrr)]KKKKKKKKKKKKKKK[:digit:]S][:lowerprint:][:digit:]", 0, 0 },
+		{ "(s)", 1, 0 },
+		{ "[u(\?!uuuuuuuuuuuuuuuuuuuu[:digit:]{,48}[:graph:]WL[:alnum:]]v=_)VN>{AjBBBBBBBBBBBBBBBBBBBBBBB[:upperword:]`'W)", 0, 0 },
+		{ "[^([[()DN1[^][|]\?]{-104,}])[:space:]][:lowerprint:]r[:alpha:].DU", 0, 0 },
+		{ "[^((33333333333333333333333(\?<=3333333D))kkkkkkkkkkkkkkkkkkkkkkk[k[:alpha:]])]X+", 0, 0 },
+		{ "[({,-17})[@e{220,(\?#41}])]]{-213,-225}", 0, 0 },
+		{ "[[^(\?#[(\?:^[[(\?(^]))]])]vvvvvvvvvvvvvvvvvvvvv{,96}|m]{-79,248}[:alpha:])", 0, 0 },
+		{ "([[(\?imsisx:^}$,-[:al(\?>num:]Xqqqqqqqqqqqq{-185,154}]b#+T){-241,})A{-27}[(\?<!:lowerprint:]X)[:punct:]ME-]+BBBBBBBBBBBBBBBBa|{-40}M8mhgD 0HU]{16})", -1, 0 },
+		{ "[^(\?>([\?()(\?#))]--R1rk^UnP.[(\?!:digit:]])^)[:upperword:]{}0000000000000000000000000000000~U{-139,-19}z<L-228", 0, 0 },
+		{ "()-:=3uE$[:alnum:]bP%{-210,}", 1, 0 },
+		{ "(U)7777]]]]]]]]]]]]]]]]]]]]]]]]]]]]]c::AA[:alpha:]{,3}f1{NzH@3lTf{}{", 1, 0 },
+		{ "[C{(\?>})RR(\?=R<]p'N~&.-})6]", 0, 0 },
+		{ "[^\?[^(\?(lFt]).[^7Q-])kkkkkkkkkkkk]XTFy\"1Deiv!,'xVK", 0, 0 },
+		{ "[^$[^[:xdigit:](\?{*{245,99}h8v(\?!)]]u)Z[:punct:]})[:alnum:]+|[:blankcntrl:]u{}[:lowerprint:]+bBJ4+k-v{-116}", 0, 0 },
+		{ "S)f{,180}[:graph:]&{12,244}", 0, 0 },
+		{ "(([[(.()[^^{80(\?>(\?<=,235})ddddddddd[^ddddddddd(\?<=d.__B{36}````````````````(\?:```(\?>```````,,,,,,,(\?:,,)P$U,[:xdigit:])zzzzzzzzzzzzz]UUUU[uB]n<&[(:ascii:].][:alnum:])\?S]{})d{138,}s9========[:lowerprint:]]OOOOOOOOOOOOOOO|yyyyyyyyyyyyyyy$LZ[:lowerprint:]EEEEEEE[:ascii:][:punct:]VpP^{-48}D){,46}x))2P))a[:lowerprint:]r", 2, 0 },
+		{ "[^(((\?<!):())PPPPPPPPPPPPPPP(\?=[PPPPPPP(\?{PPPPPPPP$)})77777777777777777]{,-57}::::::::::::(::::::::::::::::)]g{89}__________________[:xdigit:]l[:punct:])N", 1, 0 },
+		{ ":02-k\?p3I7aEhJ\\265-[:space:]pP[:space:]x0F[:alnum:]aM4[:lowerprint:]sA@@@@@@@@@@@@@@@@@@@@@@@@@@@@", -1, 1 },
+		{ "a[:upper(\?{word:]})X{-173,}-2F[:lowerprint:]", 0, 0 },
+		{ "u,w<g*Q002S{,130}{239}[:lower(print:]cr{-165,}#$k<L/&)[:blankcntrl:]aaaaaaaaaaaaaaaaaaaaaa[:ascii:]", 0, 0 },
+		{ "(xFA^{-161,93})U[:xdigit:]", 1, 0 },
+		{ "[^(\?=]{})mE`", 0, 0 },
+		{ "[[((\?(\?#:alnum:]])x6CS[:digit:]{-197,}.)N", 0, 0 },
+		{ "[^(\?![])C*[:upp(erword:])-176]", 0, 0 },
+		{ "[[^[[^[55555555555555555555555555(\?>555(\?<!555)S][]]A[:l(\?>owerp(rint:]])]*", 0, 0 },
+		{ "Au)khgzAfXIZoZ=g[:digit:]){,186}Upvf=x<]Tbd5Rq\?.", 0, 0 },
+		{ "b{-176,}B^[:bla(\?(<!nkcntrl:]{-6,133}#B :)<<<<<<<<<<<<<<<<<<<)[:alnum:]$}}}}}}}}}}}}}}}}}}}}}}}[:xdigit:]tw", 0, 0 },
+		{ "(4IIIII(IIIIIIIIIIIIIIIII{})W{-152,-238}){,-56}^{-142,}", 2, 0 },
+		{ "[^([[(\?(\?(!)>>>>>>>>>>>>>(>>>>>>>>D)Ix{(1(\?imxmsx:762)c}))A)[[[[[[[[[[[[[[5Rp]DDDDDDDDDDDDDDDDDDDD]Us+\\w[:digit:]{-47}[:xdigit:][:blankcntrl:])ddddddddddddddd[^ddddddddddddd[:digit:]|]]*{-165,-230}{-212}{53,}]\?", 0, 0 },
+		{ "[^[^]]|[:(\?:alnum:])}}}}}}}}}}}}}}}}}}}}", 0, 0 },
+		{ "VVVVVVVVVVVVVVVVVVVVVVVVVVVV[:d(i(\?#git:])){{{{{{[:digit:]ZfQ55555555{}Z", 0, 0 },
+		{ "[L][:blankcnt(\?((\?=rl:(\?=]){-35,[^}){)eJb>>>>>>>>>>>>>>>>>>>>>>$ [:xdigit:]l0Tv2Tw2@C[:space:]Zc/{*)>]N3j~.dMBBBB", 0, 0 },
+		{ "[[^(\?>(([]))])[:graph:]]{65,}as#Q:lQ", 0, 0 },
+		{ "[^[fPPUUUUUUUUUUU(\?#UUU[^UUUUUU(\?<=UUUUUUUUUGGGGGGGGGGGGGGGGGGG((\?{\?=GGGGGG.MK))+]+)&UxFW)rwv\?@D.", 0, 0 },
+		{ "{-(60,})m", 1, 0 },
+		{ "b[(])^w", 0, 0 },
+		{ "[][^qVs(\?:(p])X)\?'", 0, 0 },
+		{ "()8", 1, 0 },
+		{ "(t[:punc[^t:(\?{][:blankcntrl:])})[^8\?]z*]", 1, 0 },
+		{ "[:lowerprint:])[:graph:]lppppppppppppppppppppppppppppf", 0, 0 },
+		{ "[:alph(a:])[:ascii:]g +z-Bc-U{,%Gk", 0, 0 },
+		{ "u[:graph:(\?=]*)W:::", 0, 0 },
+		{ "([:alnum(:])l)", 1, 0 },
+		{ "[[[}}}}}}}}(\?<!}}}}}}}+(\?{),,,,,,,,,,,,,,(\?!,,,,,,,,]99999999999&R[:ascii:]ZZZZ-{-10,}{96}Ed*][:graph:])]}){}{}G{-9,}", 0, 0 },
+		{ "([^[{}]]Z[[^:graph:]{-47}55555555555555555555555555555[:ascii:]s]6,$:3qAew1Y)+)[:punct:]", 1, 0 },
+		{ "[[[[[([[[[[[[[[[[[[[[[[[[[[[[[8!1i]')", 0, 0 },
+		{ "([((\?(\?#>)(\?{,)At]%M9FSq5)EB", 1, 0 },
+		{ "(}````````````````(``{210,})[:(\?#space:]P[:digit:])PP.{-227,}$pK~mm ImR|{,51}[:alnum:]<)[:alpha:]", 2, 0 },
+		{ "[^(\?<=])[:digit:]", 0, 0 },
+		{ "[^'''''''{(\?:178,}e{,16}$QQQQQQQQQQQQQQQQQQQQQQQ$])", 0, 0 },
+		{ "[^(\?>@K*)(\?#d18]{78,}B)[:digit:]{-193,}=wg{,59}", 0, 0 },
+		{ "[^.{156,}!(\?<=!!!!!!!!!!!!!!(\?{!(\?(!!!!!!!!!!!!!)})TTTTTTTTTTTTTTTTTTTTTTTTTTTTT[^}}}}}}}}}}}})}}}}}}}}}}}}}]]){}^L#%-{}FC", 0, 0 },
+		{ "(eeeee{-169,-100}-fa[:upperword:]N)$Nellllllllllllll", 1, 0 },
+		{ "[[(\?!())\?[(\?!:alnum:]e{,28}M])[:punct:]CCCCCCCCCCCCCCCCCCCC]{-150,}{-167}", 0, 0 },
+		{ "[[@[@(\?#@[@]P]Z{')]{-186,117}]+)7f-", 0, 0 },
+		{ "\\Q+kD}]AEM)u ", 0, 0 },
+		{ "([(\?{(\?=:::::::::::::&){,210}]^})P{-31,}8[:space:]C[:alnum:][:a(scii:]z|[:upperword:])[:alnum:][:graph:])zr~Zk", 1, 0 },
+		{ ".[:space:]e[:g(\?{(\?{raph:]})})@@@@@@@@@@@@@wb|~k", 0, 0 },
+		{ "()ooooooooo\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"[:graph:]", 1, 0 },
+		{ "[^64h(\?(@Eyw][:xdi[git:]pP%%%%%u(uuu[:up[perword:]`8Utdh{)}]]))lW[:punct:]W.hhhhhhhhhhhhhhhhhhhhhhhh'm<<}O8`ZXtG.$", 1, 0 },
+		{ "BPP[:digit:]bbbbbbbbbbb(bb)S+[:alnum:]", 1, 0 },
+		{ "um.[:ascii((\?#\?!:])*)+KKKKKKKKKKKKKKKKKKKKKKKKKS.=<Bf", 0, 0 },
+		{ "", -1, 0 },
+		{ "(()$[:lowerprint:][:s[pace:]2]bbbbbbbbbyoooooooooooooooooo*{39,}$')qV`AcH>,eDl", -1, 0 },
+		{ "(()[^])e{-241,}", -1, 0 },
+		{ "()[:alpha:]rliiiiiiii[:alnum:]Mb*QW9N.>\?{115,}&u*j", -1, 0 },
+		{ "()[]p", -1, 0 },
+		{ "(I[^]pfL)$[:punct:]", -1, 0 },
+		{ "([])>>>>>>>>>>[:alnum:]", -1, 0 },
+		{ "([])O\\\\\\\\\\\\\\fffffffffffffffffffffff=s6jCZy/b+ir2'*{151,}", -1, 0 },
+		{ "([])nnnnnnnnnnnnnnnnnnnnnnnnnn[:xdigit:]^N$f", -1, 0 },
+		{ "([]M)[:lowerprint:]a(pg$Z[:punct:])77777777777.", -1, 0 },
+		{ "([]XXXXXXXXXXXXXXXXXXXXXX-===========)", -1, 0 },
+		{ "([]lkX{-224}[:blankcntrl:]$gPKIZlSC#F@XX I'^}{234}yZm)uuuuuuuuuuuuuuuuuuuuuurS", -1, 0 },
+		{ "([^0kYkg9])IIIIIIIIIIIIIIIIIIIIII/{(192,-118}l+FoSD6\?A)c[:xdigit:]`````````````````e-{-4,-170}x{4620}Z[:upperword:]", -1, 0 },
+		{ "([^[^[^()(\?>){}B]XYF+#[:alpha:]{-85((,-55[^}t]n).{,-33}]](bQJ!|O+{175,})RFh)Z+^.{137,}:VpP[:alpha:]-MceqVVkkkk(kkkkkkkkkkkkkkkkkk)\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?{-115,-67})``````````````````````````````", -1, 0 },
+		{ "([^]EzU[:alnum:]+^^^^^^^^^^^^^^^^^^^)[:xdigit:]HHHHHHHH$66666666666666666666666666666666UUUUUUUUUUUUUUUUUUUUL{}iiii{-76}X", -1, 0 },
+		{ "([^]~~~~~~~~~~{240,})]NOp", -1, 0 },
+		{ "(sb)[:digit:]VVVVVVVVx{9569}52,|]", -1, 0 },
+		{ "(x{19762}){}", -1, 0 },
+		{ "-[:xdigit:][]", -1, 0 },
+		{ "121|", -1, 0 },
+		{ "141[:xdigit:][:lowerprint:]{24}{59,191}[:digit:]/", -1, 0 },
+		{ "G[^],,,,,,,,,,,,,+\"DiX", -1, 0 },
+		{ "Gm(ho9:\"8{-188,-200}Z[:blankcntrl:]{,171}\?\?\?\?\?\?\?\?\?\?\?[:blankcntrl:]LLLLLLLLLLLLLLLLLLLLLLL{}^[:graph:][:blankc(\?#ntrl:])w", -1, 0 },
+		{ "N\"\"\"\"\"\"\"-------------------------|[:alnum:]AAAAAAAAAAAAAAAAAAAAf\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?", -1, 0 },
+		{ "U{-30,}^\?\?\?", -1, 0 },
+		{ "W^*04rAY(Ee*>[^o3[]]_)", -1, 0 },
+		{ "X[^]}*C[:alnum:]", -1, 0 },
+		{ "[${,-3}]+^\?[|x8A|][:space:]'''''['''''JJJJJJJJJJJJJJJJJJJJJJJJJJJJJyl}.Y7G]", -1, 0 },
+		{ "[()&[&&&]\?\?[\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?pg%k8ug`Wqk4|NR{h[CK5Ez=]jHpQw&`{:]{,91}D", -1, 0 },
+		{ "[(\?#(\?:)[)([\?>)(\?>(\?:[:alnum:])]G]{85}[^)w]N]gYrUs|", -1, 0 },
+		{ "[(\?<=)[:digit:]\?]{152,}VR|", -1, 0 },
+		{ "[****(\?>**********(\?<!*******Q)Vr){[^25,}*:FFFFFFFFFFFFFFFFFFFFFFFF(\?{FFFF(({}D]|", -1, 0 },
+		{ "[:ascii:]+{124,}:*]\?$-{92}D[:lowerprint:]`````````````````````", -1, 0 },
+		{ "[:ascii:]\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?A<", -1, 0 },
+		{ "[:blankcntrl:]p\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?$\?TTTTTTTTTTTTTTTTT[:ascii:][:upperword:]", -1, 0 },
+		{ "[:punct:]{254}DDDDDDDDDDDDDDD@[:alpha:]Z\?\?-----R", -1, 0 },
+		{ "[:upperword:]J\?\?nqCAdfyW5", -1, 0 },
+		{ "[:upperword:]{-39}|", -1, 0 },
+		{ "[:xdigit:]^\?", -1, 0 },
+		{ "[Z*e ]NdmP\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?\?", -1, 0 },
+		{ "[[:punct:]q]ex{15625}-", -1, 0 },
+		{ "[[[^([^L((\?{b(\?=C\?]-134{,-207}[:ascii:]Hz}XIz}|", -1, 0 },
+		{ "[[^V(\?:(\?<!(\?>))TTTTTTTTTTTTTTTTTTTTTTT)[:punct:][:digit:]]GGGGGGGGGGGGGGGGGGGGG,]|.{-224}{96}{239,}1", -1, 0 },
+		{ "[[^^PP]{,-222}{182}{141}]zFD}-.", -1, 0 },
+		{ "[] Hn&[:xdigit:][:upperword:]f", -1, 0 },
+		{ "[]$.B", -1, 0 },
+		{ "[]&&&&&&&&&&&&&&&&&&&&&&&", -1, 0 },
+		{ "[]()[:xdigit:]er063{132,140}$", -1, 0 },
+		{ "[]+1434", -1, 0 },
+		{ "[]-", -1, 0 },
+		{ "[]-#yyK", -1, 0 },
+		{ "[]-(S$5)AxbdTKO[:alnum:]", -1, 0 },
+		{ "[]2883", -1, 0 },
+		{ "[]2dhd-[:alpha:]sssssssssssssssss55555555555555555555555555555555Z[:punct:]", -1, 0 },
+		{ "[]4", -1, 0 },
+		{ "[]44444444444444444G", -1, 0 },
+		{ "[]\?", -1, 0 },
+		{ "[]A", -1, 0 },
+		{ "[]Gap8bc", -1, 0 },
+		{ "[]OOOO", -1, 0 },
+		{ "[]PP", -1, 0 },
+		{ "[]QQ", -1, 0 },
+		{ "[]WaFaGO,o", -1, 0 },
+		{ "[]Z", -1, 0 },
+		{ "[][:alpha:]|[:digit:]Ls$I-Ff~+xA3e", -1, 0 },
+		{ "[][:ascii:]-218", -1, 0 },
+		{ "[][:ascii:]N}}}}}}}}}}}}}}}-{137,}8682", -1, 0 },
+		{ "[][:lowerprint:]Ur", -1, 0 },
+		{ "[][:space:]15097", -1, 0 },
+		{ "[][:xdigit:]", -1, 0 },
+		{ "[]dpSSSSSSSS", -1, 0 },
+		{ "[]e13768", -1, 0 },
+		{ "[]gT", -1, 0 },
+		{ "[]h", -1, 0 },
+		{ "[]n", -1, 0 },
+		{ "[]vvvvvvvvvvvvvvvvvvvvvvvvvv*[:xdigit:]", -1, 0 },
+		{ "[]{,-212}1111111111111111111C3821", -1, 0 },
+		{ "[]{-128,}hc", -1, 0 },
+		{ "[]{-181,}&[:xdigit:].\?}}}}}}}}}}}}}}}}}}}}}}", -1, 0 },
+		{ "[]{}F&}i`7|ZAH", -1, 0 },
+		{ "[^(\?())u{196,}pP][r^ndddddddddddddddddddddd]{31,246}\?J", -1, 0 },
+		{ "[^.ii.1-S]lwwwwwwwwwwwwwwwwww[^wwwwwwwwwwwwww[:alnum:]DOpP+<N][^]44{179}{-194,56}", -1, 0 },
+		{ "[^2[:alnum:]]\?t\?\?", -1, 0 },
+		{ "[^[((\?{[^^<<<<(\?(\?<!{)})(\?<!]{,184}{-213}|", -1, 0 },
+		{ "[^[^[]\?{89,}PPsvf{[:space:]]]vd{161,}", -1, 0 },
+		{ "[^[^].]+{0}s", -1, 0 },
+		{ "[^]${}", -1, 0 },
+		{ "[^]([:punct:]),%[:xdigit:]w^0\?{-233}", -1, 0 },
+		{ "[^]-", -1, 0 },
+		{ "[^].^", -1, 0 },
+		{ "[^]6743", -1, 0 },
+		{ "[^]JD", -1, 0 },
+		{ "[^]N=[:upperword:]zzzzzzzzzzzzzzzzz.", -1, 0 },
+		{ "[^]OLz_6", -1, 0 },
+		{ "[^]PP[:digit:]0eBEx=", -1, 0 },
+		{ "[^]SHzuKp", -1, 0 },
+		{ "[^][:upperword:]{111}-TpmXw", -1, 0 },
+		{ "[^]^''''''''z{-73,}", -1, 0 },
+		{ "[^]^{,141}e", -1, 0 },
+		{ "[^]aaaaaaaaaaaaaaaaaaa{-98,43}", -1, 0 },
+		{ "[^]f", -1, 0 },
+		{ "[^]l", -1, 0 },
+		{ "[^]n\"Wt", -1, 0 },
+		{ "[^]pPZ\?q+m0LJ+", -1, 0 },
+		{ "[^]p[:upperword:]L:", -1, 0 },
+		{ "[^]q\?{,-18}-", -1, 0 },
+		{ "[^]s[:space:(\?<=]$", -1, 0 },
+		{ "[^]{,58}t", -1, 0 },
+		{ "[^]{255,}JJJJJJJJJJJJJJJJJJJJJJJJJJ", -1, 0 },
+		{ "[^]{45}", -1, 0 },
+		{ "[^]{W", -1, 0 },
+		{ "[^]{}{-22}", -1, 0 },
+		{ "[^]{}{}{}[:xdigit:]+", -1, 0 },
+		{ "[^]|9{,-108}{}.LVIJJJJJJJJJJJJJJJPP", -1, 0 },
+		{ "[^{,-254}]|", -1, 0 },
+		{ "[o(\?{(\?<=}[))f++++++++++++++++777777777777777777777777yzPPs]\?\?dRRRRRRRRRRRRRRRRRRRRRRRRRRRR&]>%fffffffffff", -1, 0 },
+		{ "aW|", -1, 0 },
+		{ "cT{}[]C^r2``tm", -1, 0 },
+		{ "kkkkkkkkkkkkkkkkkkkkkkk[:blankcntrl:]|{}3{26,}{151,}[:punct:]JJJlH$gP%(2WUE%%%%%%%%%%%%%%%%%%%%a){ibf{}\?", -1, 0 },
+		{ "lZ\?\?\?\?\?\?\?\?\?\?\?-P2eZt[:punct:]", -1, 0 },
+		{ "vF3qn[^]N.", -1, 0 },
+		{ "wwwwwwwwwwwwww{-176,}275[^]>.UUUUUUUUUUUUUUUUUUUUeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee2$Yd", -1, 0 },
+		{ "{-197,223}bf]]]]]]]]]]\?&}/s\?\?~c", -1, 0 },
+		{ "{-37,}EpP|", -1, 0 },
+		{ "{}@]a[][:xdigit:]z{a", -1, 0 },
+		{ "}02|", -1, 0 },
+		{ "}}}}}}}}}(}}){}[llll]^N|", -1, 0 },
+	};
+	unsigned int i;
+	int r;
+
+	UNUSED(tc);
+
+#ifdef HAVE_REGEX_H
+	/*
+	 * Check if we get the expected response.
+	 */
+	for (i = 0; i < sizeof(tests)/sizeof(*tests); i++) {
+		regex_t preg;
+
+		memset(&preg, 0, sizeof(preg));
+		r = regcomp(&preg, tests[i].expression, REG_EXTENDED);
+		if (((r != 0 && tests[i].expect != -1) ||
+		     (r == 0 && tests[i].expect == -1)) && !tests[i].exception)
+			fprintf(stderr, "regcomp(%s) -> %s expected %s\n",
+				tests[i].expression, r != 0 ? "bad" : "good",
+				tests[i].expect == -1 ? "bad" : "good");
+		else if (r == 0 &&
+			 preg.re_nsub != (unsigned int)tests[i].expect &&
+			 !tests[i].exception) {
+			fprintf(stderr, "%s preg.re_nsub %lu expected %d\n",
+				tests[i].expression,
+				(unsigned long)preg.re_nsub, tests[i].expect);
+				tests[i].expect = preg.re_nsub;
+		}
+		if (r == 0)
+			regfree(&preg);
+	}
+#endif
+
+	/*
+	 * Check if we get the expected response.
+	 */
+	for (i = 0; i < sizeof(tests)/sizeof(*tests); i++) {
+		r = isc_regex_validate(tests[i].expression);
+		if (r != tests[i].expect)
+			fprintf(stderr, "%s -> %d expected %d\n",
+				tests[i].expression, r, tests[i].expect);
+		ATF_CHECK_EQ(r, tests[i].expect);
+	}
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, regex_validate);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/result_test.c b/lib/isc/tests/result_test.c
new file mode 100644
index 0000000..cfaabb3
--- /dev/null
+++ b/lib/isc/tests/result_test.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <string.h>
+
+#include <isc/result.h>
+
+ATF_TC(isc_result_toid);
+ATF_TC_HEAD(isc_result_toid, tc) {
+	atf_tc_set_md_var(tc, "descr", "convert result to identifier string");
+}
+ATF_TC_BODY(isc_result_toid, tc) {
+	const char *id;
+
+	id = isc_result_toid(ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ("ISC_R_SUCCESS", id);
+
+	id = isc_result_toid(ISC_R_FAILURE);
+	ATF_REQUIRE_STREQ("ISC_R_FAILURE", id);
+}
+
+ATF_TC(isc_result_totext);
+ATF_TC_HEAD(isc_result_totext, tc) {
+	atf_tc_set_md_var(tc, "descr", "convert result to description string");
+}
+ATF_TC_BODY(isc_result_totext, tc) {
+	const char *str;
+
+	str = isc_result_totext(ISC_R_SUCCESS);
+	ATF_REQUIRE_STREQ("success", str);
+
+	str = isc_result_totext(ISC_R_FAILURE);
+	ATF_REQUIRE_STREQ("failure", str);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_result_toid);
+	ATF_TP_ADD_TC(tp, isc_result_totext);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/safe_test.c b/lib/isc/tests/safe_test.c
new file mode 100644
index 0000000..f721cd1
--- /dev/null
+++ b/lib/isc/tests/safe_test.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* ! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/safe.h>
+#include <isc/util.h>
+
+ATF_TC(isc_safe_memequal);
+ATF_TC_HEAD(isc_safe_memequal, tc) {
+	atf_tc_set_md_var(tc, "descr", "safe memequal()");
+}
+ATF_TC_BODY(isc_safe_memequal, tc) {
+	UNUSED(tc);
+
+	ATF_CHECK(isc_safe_memequal("test", "test", 4));
+	ATF_CHECK(!isc_safe_memequal("test", "tesc", 4));
+	ATF_CHECK(isc_safe_memequal("\x00\x00\x00\x00",
+				    "\x00\x00\x00\x00", 4));
+	ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x00",
+				     "\x00\x00\x00\x01", 4));
+	ATF_CHECK(!isc_safe_memequal("\x00\x00\x00\x02",
+				     "\x00\x00\x00\x00", 4));
+}
+
+ATF_TC(isc_safe_memcompare);
+ATF_TC_HEAD(isc_safe_memcompare, tc) {
+	atf_tc_set_md_var(tc, "descr", "safe memcompare()");
+}
+ATF_TC_BODY(isc_safe_memcompare, tc) {
+	UNUSED(tc);
+
+	ATF_CHECK(isc_safe_memcompare("test", "test", 4) == 0);
+	ATF_CHECK(isc_safe_memcompare("test", "tesc", 4) > 0);
+	ATF_CHECK(isc_safe_memcompare("test", "tesy", 4) < 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+				      "\x00\x00\x00\x00", 4) == 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x00",
+				      "\x00\x00\x00\x01", 4) < 0);
+	ATF_CHECK(isc_safe_memcompare("\x00\x00\x00\x02",
+				      "\x00\x00\x00\x00", 4) > 0);
+}
+
+ATF_TC(isc_safe_memwipe);
+ATF_TC_HEAD(isc_safe_memwipe, tc) {
+	atf_tc_set_md_var(tc, "descr", "isc_safe_memwipe()");
+}
+ATF_TC_BODY(isc_safe_memwipe, tc) {
+	UNUSED(tc);
+
+	/* These should pass. */
+	isc_safe_memwipe(NULL, 0);
+	isc_safe_memwipe((void *) -1, 0);
+	isc_safe_memwipe(NULL, 42);
+
+	/*
+	 * isc_safe_memwipe(ptr, size) should function same as
+	 * memset(ptr, 0, size);
+	 */
+	{
+		char buf1[4] = { 1, 2, 3, 4 };
+		char buf2[4] = { 1, 2, 3, 4 };
+
+		isc_safe_memwipe(buf1, sizeof(buf1));
+		memset(buf2, 0, sizeof(buf2));
+
+		ATF_CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
+	}
+
+	/*
+	 * Boundary test.
+	 */
+	{
+		char buf1[4] = { 1, 2, 3, 4 };
+		char buf2[4] = { 1, 2, 3, 4 };
+
+		/*
+		 * We wipe 3 elements on purpose, keeping the 4th in
+		 * place.
+		 */
+		isc_safe_memwipe(buf1, 3);
+		memset(buf2, 0, 3);
+
+		ATF_CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
+	}
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_safe_memequal);
+	ATF_TP_ADD_TC(tp, isc_safe_memcompare);
+	ATF_TP_ADD_TC(tp, isc_safe_memwipe);
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/sockaddr_test.c b/lib/isc/tests/sockaddr_test.c
new file mode 100644
index 0000000..fd6494f
--- /dev/null
+++ b/lib/isc/tests/sockaddr_test.c
@@ -0,0 +1,166 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/print.h>
+
+#include "isctest.h"
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(sockaddr_hash);
+ATF_TC_HEAD(sockaddr_hash, tc) {
+	atf_tc_set_md_var(tc, "descr", "sockaddr hash");
+}
+ATF_TC_BODY(sockaddr_hash, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr;
+	struct in_addr in;
+	struct in6_addr in6;
+	unsigned int h1, h2, h3, h4;
+	int ret;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr, &in, 1);
+	h1 = isc_sockaddr_hash(&addr, true);
+	h2 = isc_sockaddr_hash(&addr, false);
+	ATF_CHECK(h1 != h2);
+
+	ret = inet_pton(AF_INET6, "::ffff:127.0.0.1", &in6);
+	ATF_CHECK(ret == 1);
+	isc_sockaddr_fromin6(&addr, &in6, 1);
+	h3 = isc_sockaddr_hash(&addr, true);
+	h4 = isc_sockaddr_hash(&addr, false);
+	ATF_CHECK(h1 == h3);
+	ATF_CHECK(h2 == h4);
+
+	isc_test_end();
+}
+
+ATF_TC(sockaddr_isnetzero);
+ATF_TC_HEAD(sockaddr_isnetzero, tc) {
+	atf_tc_set_md_var(tc, "descr", "sockaddr is net zero");
+}
+ATF_TC_BODY(sockaddr_isnetzero, tc) {
+	isc_sockaddr_t addr;
+	struct in_addr in;
+	struct in6_addr in6;
+	bool r;
+	int ret;
+	size_t i;
+	struct {
+		const char *string;
+		bool expect;
+	} data4[] = {
+		{ "0.0.0.0", true },
+		{ "0.0.0.1", true },
+		{ "0.0.1.0", true },
+		{ "0.1.0.0", true },
+		{ "1.0.0.0", false },
+		{ "0.0.0.127", true },
+		{ "0.0.0.255", true },
+		{ "127.0.0.1", false },
+		{ "255.255.255.255", false },
+	};
+	/*
+	 * Mapped addresses are currently not netzero.
+	 */
+	struct {
+		const char *string;
+		bool expect;
+	} data6[] = {
+		{ "::ffff:0.0.0.0", false },
+		{ "::ffff:0.0.0.1", false },
+		{ "::ffff:0.0.0.127", false },
+		{ "::ffff:0.0.0.255", false },
+		{ "::ffff:127.0.0.1", false },
+		{ "::ffff:255.255.255.255", false },
+	};
+
+	UNUSED(tc);
+
+	for (i = 0; i < sizeof(data4)/sizeof(data4[0]); i++) {
+		in.s_addr = inet_addr(data4[i].string);
+		isc_sockaddr_fromin(&addr, &in, 1);
+		r = isc_sockaddr_isnetzero(&addr);
+		ATF_CHECK_EQ_MSG(r, data4[i].expect, "%s", data4[i].string);
+	}
+
+	for (i = 0; i < sizeof(data6)/sizeof(data6[0]); i++) {
+		ret = inet_pton(AF_INET6, data6[i].string, &in6);
+		ATF_CHECK_EQ(ret, 1);
+		isc_sockaddr_fromin6(&addr, &in6, 1);
+		r = isc_sockaddr_isnetzero(&addr);
+		ATF_CHECK_EQ_MSG(r, data6[i].expect, "%s", data6[i].string);
+	}
+}
+
+ATF_TC(sockaddr_eqaddrprefix);
+ATF_TC_HEAD(sockaddr_eqaddrprefix, tc) {
+	atf_tc_set_md_var(tc, "descr",
+			  "isc_sockaddr_eqaddrprefix() returns true when "
+			  "prefixes of a and b are equal, and false when "
+			  "they are not equal");
+}
+ATF_TC_BODY(sockaddr_eqaddrprefix, tc) {
+	struct in_addr ina_a;
+	struct in_addr ina_b;
+	struct in_addr ina_c;
+	isc_sockaddr_t isa_a;
+	isc_sockaddr_t isa_b;
+	isc_sockaddr_t isa_c;
+
+	UNUSED(tc);
+
+	ATF_CHECK(inet_pton(AF_INET, "194.100.32.87", &ina_a) >= 0);
+	ATF_CHECK(inet_pton(AF_INET, "194.100.32.80", &ina_b) >= 0);
+	ATF_CHECK(inet_pton(AF_INET, "194.101.32.87", &ina_c) >= 0);
+
+	isc_sockaddr_fromin(&isa_a, &ina_a, 0);
+	isc_sockaddr_fromin(&isa_b, &ina_b, 42);
+	isc_sockaddr_fromin(&isa_c, &ina_c, 0);
+
+	ATF_CHECK(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 0));
+	ATF_CHECK(isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 29));
+	ATF_CHECK(isc_sockaddr_eqaddrprefix(&isa_a, &isa_c, 8));
+
+	ATF_CHECK(! isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 30));
+	ATF_CHECK(! isc_sockaddr_eqaddrprefix(&isa_a, &isa_b, 32));
+	ATF_CHECK(! isc_sockaddr_eqaddrprefix(&isa_a, &isa_c, 16));
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, sockaddr_hash);
+	ATF_TP_ADD_TC(tp, sockaddr_isnetzero);
+	ATF_TP_ADD_TC(tp, sockaddr_eqaddrprefix);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/socket_test.c b/lib/isc/tests/socket_test.c
new file mode 100644
index 0000000..3f3f249
--- /dev/null
+++ b/lib/isc/tests/socket_test.c
@@ -0,0 +1,923 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <unistd.h>
+#include <time.h>
+
+#include <isc/platform.h>
+#include <isc/socket.h>
+#include <isc/print.h>
+
+#include "../task_p.h"
+#include "../unix/socket_p.h"
+#include "isctest.h"
+
+static bool recv_dscp;
+static unsigned int recv_dscp_value;
+static bool recv_trunc;
+
+/*
+ * Helper functions
+ */
+
+typedef struct {
+	bool done;
+	isc_result_t result;
+	isc_socket_t *socket;
+} completion_t;
+
+static void
+completion_init(completion_t *completion) {
+	completion->done = false;
+	completion->socket = NULL;
+}
+
+static void
+accept_done(isc_task_t *task, isc_event_t *event) {
+	isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+	completion_t *completion = event->ev_arg;
+
+	UNUSED(task);
+
+	completion->result = nevent->result;
+	completion->done = true;
+	if (completion->result == ISC_R_SUCCESS)
+		completion->socket = nevent->newsocket;
+
+	isc_event_free(&event);
+}
+
+static void
+event_done(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *dev;
+	completion_t *completion = event->ev_arg;
+
+	UNUSED(task);
+
+	dev = (isc_socketevent_t *) event;
+	completion->result = dev->result;
+	completion->done = true;
+	if ((dev->attributes & ISC_SOCKEVENTATTR_DSCP) != 0) {
+		recv_dscp = true;
+		recv_dscp_value = dev->dscp;;
+	} else {
+		recv_dscp = false;
+	}
+	recv_trunc = (dev->attributes & ISC_SOCKEVENTATTR_TRUNC);
+	isc_event_free(&event);
+}
+
+static isc_result_t
+waitfor(completion_t *completion) {
+	int i = 0;
+	while (!completion->done && i++ < 5000) {
+#ifndef ISC_PLATFORM_USETHREADS
+		while (isc__taskmgr_ready(taskmgr))
+			isc__taskmgr_dispatch(taskmgr);
+#endif
+		isc_test_nap(1000);
+	}
+	if (completion->done)
+		return (ISC_R_SUCCESS);
+	return (ISC_R_FAILURE);
+}
+
+#if 0
+static isc_result_t
+waitfor(completion_t *completion) {
+	int i = 0;
+	while (!completion->done && i++ < 5000) {
+		waitbody();
+	}
+	if (completion->done)
+		return (ISC_R_SUCCESS);
+	return (ISC_R_FAILURE);
+}
+#endif
+
+static void
+waitbody(void) {
+#ifndef ISC_PLATFORM_USETHREADS
+	struct timeval tv;
+	isc_socketwait_t *swait = NULL;
+
+	while (isc__taskmgr_ready(taskmgr))
+		isc__taskmgr_dispatch(taskmgr);
+	if (socketmgr != NULL) {
+		tv.tv_sec = 0;
+		tv.tv_usec = 1000 ;
+		if (isc__socketmgr_waitevents(socketmgr, &tv, &swait) > 0)
+			isc__socketmgr_dispatch(socketmgr, swait);
+	} else
+#endif
+		isc_test_nap(1000);
+}
+
+static isc_result_t
+waitfor2(completion_t *c1, completion_t *c2) {
+	int i = 0;
+
+	while (!(c1->done && c2->done) && i++ < 5000) {
+		waitbody();
+	}
+	if (c1->done && c2->done)
+		return (ISC_R_SUCCESS);
+	return (ISC_R_FAILURE);
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Test UDP sendto/recv (IPv4) */
+ATF_TC(udp_sendto);
+ATF_TC_HEAD(udp_sendto, tc) {
+	atf_tc_set_md_var(tc, "descr", "UDP sendto/recv");
+}
+ATF_TC_BODY(udp_sendto, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_socket_t *s1 = NULL, *s2 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+				   &addr2, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+
+	isc_test_end();
+}
+
+/* Test UDP sendto/recv with duplicated socket */
+ATF_TC(udp_dup);
+ATF_TC_HEAD(udp_dup, tc) {
+	atf_tc_set_md_var(tc, "descr", "duplicated socket sendto/recv");
+}
+ATF_TC_BODY(udp_dup, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s1, &addr1, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_bind(s2, &addr2, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s2, &addr2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_socket_dup(s2, &s3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+				   &addr2, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	snprintf(sendbuf, sizeof(sendbuf), "World");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s1, &r, task, event_done, &completion,
+				   &addr2, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "World");
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+	isc_socket_detach(&s3);
+
+	isc_test_end();
+}
+
+/* Test TCP sendto/recv (IPv4) */
+ATF_TC(udp_dscp_v4);
+ATF_TC_HEAD(udp_dscp_v4, tc) {
+	atf_tc_set_md_var(tc, "descr", "UDP DSCP IPV4");
+}
+ATF_TC_BODY(udp_dscp_v4, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_socket_t *s1 = NULL, *s2 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_bind(s1, &addr1, ISC_SOCKET_REUSEADDRESS);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_bind(s2, &addr2, ISC_SOCKET_REUSEADDRESS);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_getsockname(s2, &addr2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(mctx, s1, ISC_SOCKEVENT_SENDDONE,
+					     event_done, &completion);
+	ATF_REQUIRE(socketevent != NULL);
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPPKTV4) != 0) {
+		socketevent->dscp = 056; /* EF */
+		socketevent->attributes |= ISC_SOCKEVENTATTR_DSCP;
+	} else if ((isc_net_probedscp() & ISC_NET_DSCPSETV4) != 0) {
+		isc_socket_dscp(s1, 056);  /* EF */
+		socketevent->dscp = 0;
+		socketevent->attributes &= ~ISC_SOCKEVENTATTR_DSCP;
+	}
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV4) != 0) {
+		ATF_CHECK(recv_dscp);
+		ATF_CHECK_EQ(recv_dscp_value, 056);
+	} else
+		ATF_CHECK(!recv_dscp);
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+
+	isc_test_end();
+}
+
+/* Test TCP sendto/recv (IPv4) */
+ATF_TC(udp_dscp_v6);
+ATF_TC_HEAD(udp_dscp_v6, tc) {
+	atf_tc_set_md_var(tc, "descr", "udp dscp ipv6");
+}
+ATF_TC_BODY(udp_dscp_v6, tc) {
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(WANT_IPV6)
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in6_addr in6;
+	isc_socket_t *s1 = NULL, *s2 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+	int n;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
+	ATF_REQUIRE(n == 1);
+	isc_sockaddr_fromin6(&addr1, &in6, 0);
+	isc_sockaddr_fromin6(&addr2, &in6, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_udp,
+				   &s1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	result = isc_socket_bind(s1, &addr1, 0);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_udp,
+				   &s2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	result = isc_socket_bind(s2, &addr2, 0);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	result = isc_socket_getsockname(s2, &addr2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(mctx, s1, ISC_SOCKEVENT_SENDDONE,
+					     event_done, &completion);
+	ATF_REQUIRE(socketevent != NULL);
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPPKTV6) != 0) {
+		socketevent->dscp = 056; /* EF */
+		socketevent->attributes = ISC_SOCKEVENTATTR_DSCP;
+	} else if ((isc_net_probedscp() & ISC_NET_DSCPSETV6) != 0)
+		isc_socket_dscp(s1, 056);  /* EF */
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV6) != 0) {
+		ATF_CHECK(recv_dscp);
+		ATF_CHECK_EQ(recv_dscp_value, 056);
+	} else
+		ATF_CHECK(!recv_dscp);
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+
+	isc_test_end();
+#else
+	UNUSED(tc);
+	atf_tc_skip("IPv6 not available");
+#endif
+}
+
+/* Test TCP sendto/recv (IPv4) */
+ATF_TC(tcp_dscp_v4);
+ATF_TC_HEAD(tcp_dscp_v4, tc) {
+	atf_tc_set_md_var(tc, "descr", "tcp dscp ipv4");
+}
+ATF_TC_BODY(tcp_dscp_v4, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr1;
+	struct in_addr in;
+	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion, completion2;
+	isc_region_t r;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_tcp, &s1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_socket_bind(s1, &addr1, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_listen(s1, 3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_tcp, &s2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	completion_init(&completion2);
+	result = isc_socket_accept(s1, task, accept_done, &completion2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	completion_init(&completion);
+	result = isc_socket_connect(s2, &addr1, task, event_done, &completion);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	waitfor2(&completion, &completion2);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK(completion2.done);
+	ATF_CHECK_EQ(completion2.result, ISC_R_SUCCESS);
+	s3 = completion2.socket;
+
+	isc_socket_dscp(s2, 056);  /* EF */
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s2, &r, task, event_done, &completion,
+				   NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV4) != 0) {
+		if (recv_dscp)
+			ATF_CHECK_EQ(recv_dscp_value, 056);
+	} else
+		ATF_CHECK(!recv_dscp);
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+	isc_socket_detach(&s3);
+
+	isc_test_end();
+}
+
+/* Test TCP sendto/recv (IPv6) */
+ATF_TC(tcp_dscp_v6);
+ATF_TC_HEAD(tcp_dscp_v6, tc) {
+	atf_tc_set_md_var(tc, "descr", "tcp dscp ipv6");
+}
+ATF_TC_BODY(tcp_dscp_v6, tc) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+	isc_result_t result;
+	isc_sockaddr_t addr1;
+	struct in6_addr in6;
+	isc_socket_t *s1 = NULL, *s2 = NULL, *s3 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ], recvbuf[BUFSIZ];
+	completion_t completion, completion2;
+	isc_region_t r;
+	int n;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	n = inet_pton(AF_INET6, "::1", &in6.s6_addr);
+	ATF_REQUIRE(n == 1);
+	isc_sockaddr_fromin6(&addr1, &in6, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_tcp,
+				   &s1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_socket_bind(s1, &addr1, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_listen(s1, 3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_socket_create(socketmgr, PF_INET6, isc_sockettype_tcp,
+				   &s2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	completion_init(&completion2);
+	result = isc_socket_accept(s1, task, accept_done, &completion2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	completion_init(&completion);
+	result = isc_socket_connect(s2, &addr1, task, event_done, &completion);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	waitfor2(&completion, &completion2);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK(completion2.done);
+	ATF_CHECK_EQ(completion2.result, ISC_R_SUCCESS);
+	s3 = completion2.socket;
+
+	isc_socket_dscp(s2, 056);  /* EF */
+
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	recv_dscp = false;
+	recv_dscp_value = 0;
+
+	completion_init(&completion);
+	result = isc_socket_sendto(s2, &r, task, event_done, &completion,
+				   NULL, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	result = isc_socket_recv(s3, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+
+	if ((isc_net_probedscp() & ISC_NET_DSCPRECVV6) != 0) {
+		/*
+		 * IPV6_RECVTCLASS is undefined for TCP however
+		 * if we do get it it should be the value we set.
+		 */
+		if (recv_dscp)
+			ATF_CHECK_EQ(recv_dscp_value, 056);
+	} else
+		ATF_CHECK(!recv_dscp);
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+	isc_socket_detach(&s3);
+
+	isc_test_end();
+#else
+	UNUSED(tc);
+	atf_tc_skip("IPv6 not available");
+#endif
+}
+
+ATF_TC(net_probedscp);
+ATF_TC_HEAD(net_probedscp, tc) {
+	atf_tc_set_md_var(tc, "descr", "probe dscp capabilities");
+}
+ATF_TC_BODY(net_probedscp, tc) {
+	unsigned int n;
+
+	UNUSED(tc);
+
+	n = isc_net_probedscp();
+	ATF_CHECK((n & ~ISC_NET_DSCPALL) == 0);
+
+	/* ISC_NET_DSCPSETV4 MUST be set if any is set. */
+	if (n & (ISC_NET_DSCPSETV4|ISC_NET_DSCPPKTV4|ISC_NET_DSCPRECVV4))
+		ATF_CHECK_MSG((n & ISC_NET_DSCPSETV4) != 0,
+			      "IPv4:%s%s%s\n",
+			      (n & ISC_NET_DSCPSETV4) ? " set" : " none",
+			      (n & ISC_NET_DSCPPKTV4) ? " packet" : "",
+			      (n & ISC_NET_DSCPRECVV4) ? " receive" : "");
+
+	/* ISC_NET_DSCPSETV6 MUST be set if any is set. */
+	if (n & (ISC_NET_DSCPSETV6|ISC_NET_DSCPPKTV6|ISC_NET_DSCPRECVV6))
+		ATF_CHECK_MSG((n & ISC_NET_DSCPSETV6) != 0,
+			      "IPv6:%s%s%s\n",
+			      (n & ISC_NET_DSCPSETV6) ? " set" : " none",
+			      (n & ISC_NET_DSCPPKTV6) ? " packet" : "",
+			      (n & ISC_NET_DSCPRECVV6) ? " receive" : "");
+
+#if 0
+	fprintf(stdout, "IPv4:%s%s%s\n",
+		(n & ISC_NET_DSCPSETV4) ? " set" : "none",
+		(n & ISC_NET_DSCPPKTV4) ? " packet" : "",
+		(n & ISC_NET_DSCPRECVV4) ? " receive" : "");
+
+	fprintf(stdout, "IPv6:%s%s%s\n",
+		(n & ISC_NET_DSCPSETV6) ? " set" : "none",
+		(n & ISC_NET_DSCPPKTV6) ? " packet" : "",
+		(n & ISC_NET_DSCPRECVV6) ? " receive" : "");
+#endif
+}
+
+/* Test UDP truncation detection */
+ATF_TC(udp_trunc);
+ATF_TC_HEAD(udp_trunc, tc) {
+	atf_tc_set_md_var(tc, "descr", "UDP Truncation detection");
+}
+ATF_TC_BODY(udp_trunc, tc) {
+	isc_result_t result;
+	isc_sockaddr_t addr1, addr2;
+	struct in_addr in;
+	isc_socket_t *s1 = NULL, *s2 = NULL;
+	isc_task_t *task = NULL;
+	char sendbuf[BUFSIZ*2], recvbuf[BUFSIZ];
+	completion_t completion;
+	isc_region_t r;
+	isc_socketevent_t *socketevent;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	in.s_addr = inet_addr("127.0.0.1");
+	isc_sockaddr_fromin(&addr1, &in, 0);
+	isc_sockaddr_fromin(&addr2, &in, 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_bind(s1, &addr1, ISC_SOCKET_REUSEADDRESS);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_getsockname(s1, &addr1);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr1) != 0);
+
+	result = isc_socket_create(socketmgr, PF_INET, isc_sockettype_udp, &s2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_bind(s2, &addr2, ISC_SOCKET_REUSEADDRESS);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	result = isc_socket_getsockname(s2, &addr2);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			 isc_result_totext(result));
+	ATF_REQUIRE(isc_sockaddr_getport(&addr2) != 0);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+
+	/*
+	 * Send a message that will not be truncated.
+	 */
+	memset(sendbuf, 0xff, sizeof(sendbuf));
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = strlen(sendbuf) + 1;
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(mctx, s1, ISC_SOCKEVENT_SENDDONE,
+					     event_done, &completion);
+	ATF_REQUIRE(socketevent != NULL);
+
+	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	recv_trunc = false;
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+	ATF_CHECK_EQ(recv_trunc, false);
+
+	/*
+	 * Send a message that will be truncated.
+	 */
+	memset(sendbuf, 0xff, sizeof(sendbuf));
+	snprintf(sendbuf, sizeof(sendbuf), "Hello");
+	r.base = (void *) sendbuf;
+	r.length = sizeof(sendbuf);
+
+	completion_init(&completion);
+
+	socketevent = isc_socket_socketevent(mctx, s1, ISC_SOCKEVENT_SENDDONE,
+					     event_done, &completion);
+	ATF_REQUIRE(socketevent != NULL);
+
+	result = isc_socket_sendto2(s1, &r, task, &addr2, NULL, socketevent, 0);
+	ATF_REQUIRE_EQ_MSG(result, ISC_R_SUCCESS, "%s",
+			   isc_result_totext(result));
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+
+	r.base = (void *) recvbuf;
+	r.length = BUFSIZ;
+	completion_init(&completion);
+	recv_trunc = false;
+	result = isc_socket_recv(s2, &r, 1, task, event_done, &completion);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	waitfor(&completion);
+	ATF_CHECK(completion.done);
+	ATF_CHECK_EQ(completion.result, ISC_R_SUCCESS);
+	ATF_CHECK_STREQ(recvbuf, "Hello");
+	ATF_CHECK_EQ(recv_trunc, true);
+
+	isc_task_detach(&task);
+
+	isc_socket_detach(&s1);
+	isc_socket_detach(&s2);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, udp_sendto);
+	ATF_TP_ADD_TC(tp, udp_dup);
+	ATF_TP_ADD_TC(tp, tcp_dscp_v4);
+	ATF_TP_ADD_TC(tp, tcp_dscp_v6);
+	ATF_TP_ADD_TC(tp, udp_dscp_v4);
+	ATF_TP_ADD_TC(tp, udp_dscp_v6);
+	ATF_TP_ADD_TC(tp, net_probedscp);
+	ATF_TP_ADD_TC(tp, udp_trunc);
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/symtab_test.c b/lib/isc/tests/symtab_test.c
new file mode 100644
index 0000000..a50553b
--- /dev/null
+++ b/lib/isc/tests/symtab_test.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/symtab.h>
+#include <isc/print.h>
+
+#include "isctest.h"
+
+static void
+undefine(char *key, unsigned int type, isc_symvalue_t value, void *arg) {
+	UNUSED(arg);
+
+	ATF_REQUIRE_EQ(type, 1);
+	isc_mem_free(mctx, key);
+	isc_mem_free(mctx, value.as_pointer);
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(symtab_grow);
+ATF_TC_HEAD(symtab_grow, tc) {
+	atf_tc_set_md_var(tc, "descr", "symbol table growth");
+}
+ATF_TC_BODY(symtab_grow, tc) {
+	isc_result_t result;
+	isc_symtab_t *st = NULL;
+	isc_symvalue_t value;
+	isc_symexists_t policy = isc_symexists_reject;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_symtab_create(mctx, 3, undefine, NULL, false, &st);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE(st != NULL);
+
+	/* Nothing should be in the table yet */
+
+	/*
+	 * Put 1024 entries in the table (this should necessate
+	 * regrowing the hash table several times
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16], *key;
+
+		snprintf(str, sizeof(str), "%04x", i);
+		key = isc_mem_strdup(mctx, str);
+		ATF_REQUIRE(key != NULL);
+		value.as_pointer = isc_mem_strdup(mctx, str);
+		ATF_REQUIRE(value.as_pointer != NULL);
+		result = isc_symtab_define(st, key, 1, value, policy);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		if (result != ISC_R_SUCCESS)
+			undefine(key, 1, value, NULL);
+	}
+
+	/*
+	 * Try to put them in again; this should fail
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16], *key;
+
+		snprintf(str, sizeof(str), "%04x", i);
+		key = isc_mem_strdup(mctx, str);
+		ATF_REQUIRE(key != NULL);
+		value.as_pointer = isc_mem_strdup(mctx, str);
+		ATF_REQUIRE(value.as_pointer != NULL);
+		result = isc_symtab_define(st, key, 1, value, policy);
+		ATF_CHECK_EQ(result, ISC_R_EXISTS);
+		undefine(key, 1, value, NULL);
+	}
+
+	/*
+	 * Retrieve them; this should succeed
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_lookup(st, str, 0, &value);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+		ATF_CHECK_STREQ(str, (char *)value.as_pointer);
+	}
+
+	/*
+	 * Undefine them
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_undefine(st, str, 1);
+		ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Retrieve them again; this should fail
+	 */
+	for (i = 0; i < 1024; i++) {
+		char str[16];
+
+		snprintf(str, sizeof(str), "%04x", i);
+		result = isc_symtab_lookup(st, str, 0, &value);
+		ATF_CHECK_EQ(result, ISC_R_NOTFOUND);
+	}
+
+	isc_symtab_destroy(&st);
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, symtab_grow);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/task_test.c b/lib/isc/tests/task_test.c
new file mode 100644
index 0000000..c991272
--- /dev/null
+++ b/lib/isc/tests/task_test.c
@@ -0,0 +1,1474 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <inttypes.h>
+
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include "../task_p.h"
+#include "isctest.h"
+
+/*
+ * Helper functions
+ */
+
+static isc_mutex_t lock;
+int counter = 0;
+static int active[10];
+static bool done = false;
+
+#ifdef ISC_PLATFORM_USETHREADS
+static isc_condition_t cv;
+#endif
+
+static void
+set(isc_task_t *task, isc_event_t *event) {
+	int *value = (int *) event->ev_arg;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	LOCK(&lock);
+	*value = counter++;
+	UNLOCK(&lock);
+}
+
+static void
+set_and_drop(isc_task_t *task, isc_event_t *event) {
+	int *value = (int *) event->ev_arg;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+	LOCK(&lock);
+	*value = (int) isc_taskmgr_mode(taskmgr);
+	counter++;
+	UNLOCK(&lock);
+	isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_normal);
+}
+
+/*
+ * Individual unit tests
+ */
+
+/* Create a task */
+ATF_TC(create_task);
+ATF_TC_HEAD(create_task, tc) {
+	atf_tc_set_md_var(tc, "descr", "create and destroy a task");
+}
+ATF_TC_BODY(create_task, tc) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_task_destroy(&task);
+	ATF_REQUIRE_EQ(task, NULL);
+
+	isc_test_end();
+}
+
+/* Process events */
+ATF_TC(all_events);
+ATF_TC_HEAD(all_events, tc) {
+	atf_tc_set_md_var(tc, "descr", "process task events");
+}
+ATF_TC_BODY(all_events, tc) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_event_t *event = NULL;
+	int a = 0, b = 0;
+	int i = 0;
+
+	UNUSED(tc);
+
+	counter = 1;
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/* First event */
+	event = isc_event_allocate(mctx, task, ISC_TASKEVENT_TEST,
+				   set, &a, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(a, 0);
+	isc_task_send(task, &event);
+
+	event = isc_event_allocate(mctx, task, ISC_TASKEVENT_TEST,
+				   set, &b, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(b, 0);
+	isc_task_send(task, &event);
+
+	while ((a == 0 || b == 0) && i++ < 5000) {
+#ifndef ISC_PLATFORM_USETHREADS
+		while (isc__taskmgr_ready(taskmgr))
+			isc__taskmgr_dispatch(taskmgr);
+#endif
+		isc_test_nap(1000);
+	}
+
+	ATF_CHECK(a != 0);
+	ATF_CHECK(b != 0);
+
+	isc_task_destroy(&task);
+	ATF_REQUIRE_EQ(task, NULL);
+
+	isc_test_end();
+}
+
+/* Privileged events */
+ATF_TC(privileged_events);
+ATF_TC_HEAD(privileged_events, tc) {
+	atf_tc_set_md_var(tc, "descr", "process privileged events");
+}
+ATF_TC_BODY(privileged_events, tc) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL, *task2 = NULL;
+	isc_event_t *event = NULL;
+	int a = 0, b = 0, c = 0, d = 0, e = 0;
+	int i = 0;
+
+	UNUSED(tc);
+
+	counter = 1;
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	/*
+	 * Pause the task manager so we can fill up the work queue
+	 * without things happening while we do it.
+	 */
+	isc__taskmgr_pause(taskmgr);
+#endif
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_task_setname(task1, "privileged", NULL);
+	ATF_CHECK(!isc_task_privilege(task1));
+	isc_task_setprivilege(task1, true);
+	ATF_CHECK(isc_task_privilege(task1));
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_task_setname(task2, "normal", NULL);
+	ATF_CHECK(!isc_task_privilege(task2));
+
+	/* First event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set, &a, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(a, 0);
+	isc_task_send(task1, &event);
+
+	/* Second event: not privileged */
+	event = isc_event_allocate(mctx, task2, ISC_TASKEVENT_TEST,
+				   set, &b, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(b, 0);
+	isc_task_send(task2, &event);
+
+	/* Third event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set, &c, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(c, 0);
+	isc_task_send(task1, &event);
+
+	/* Fourth event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set, &d, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(d, 0);
+	isc_task_send(task1, &event);
+
+	/* Fifth event: not privileged */
+	event = isc_event_allocate(mctx, task2, ISC_TASKEVENT_TEST,
+				   set, &e, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(e, 0);
+	isc_task_send(task2, &event);
+
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
+	isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged);
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_privileged);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	isc__taskmgr_resume(taskmgr);
+#endif
+
+	/* We're waiting for *all* variables to be set */
+	while ((a == 0 || b == 0 || c == 0 || d == 0 || e == 0) && i++ < 5000) {
+#ifndef ISC_PLATFORM_USETHREADS
+		while (isc__taskmgr_ready(taskmgr))
+			isc__taskmgr_dispatch(taskmgr);
+#endif
+		isc_test_nap(1000);
+	}
+
+	/*
+	 * We can't guarantee what order the events fire, but
+	 * we do know the privileged tasks that set a, c, and d
+	 * would have fired first.
+	 */
+	ATF_CHECK(a <= 3);
+	ATF_CHECK(c <= 3);
+	ATF_CHECK(d <= 3);
+
+	/* ...and the non-privileged tasks that set b and e, last */
+	ATF_CHECK(b >= 4);
+	ATF_CHECK(e >= 4);
+
+	ATF_CHECK_EQ(counter, 6);
+
+	isc_task_setprivilege(task1, false);
+	ATF_CHECK(!isc_task_privilege(task1));
+
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
+
+	isc_task_destroy(&task1);
+	ATF_REQUIRE_EQ(task1, NULL);
+	isc_task_destroy(&task2);
+	ATF_REQUIRE_EQ(task2, NULL);
+
+	isc_test_end();
+}
+
+/*
+ * Edge case: this tests that the task manager behaves as expected when
+ * we explicitly set it into normal mode *while* running privileged.
+ */
+ATF_TC(privilege_drop);
+ATF_TC_HEAD(privilege_drop, tc) {
+	atf_tc_set_md_var(tc, "descr", "process privileged events");
+}
+ATF_TC_BODY(privilege_drop, tc) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL, *task2 = NULL;
+	isc_event_t *event = NULL;
+	int a = -1, b = -1, c = -1, d = -1, e = -1;	/* non valid states */
+	int i = 0;
+
+	UNUSED(tc);
+
+	counter = 1;
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	/*
+	 * Pause the task manager so we can fill up the work queue
+	 * without things happening while we do it.
+	 */
+	isc__taskmgr_pause(taskmgr);
+#endif
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_task_setname(task1, "privileged", NULL);
+	ATF_CHECK(!isc_task_privilege(task1));
+	isc_task_setprivilege(task1, true);
+	ATF_CHECK(isc_task_privilege(task1));
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	isc_task_setname(task2, "normal", NULL);
+	ATF_CHECK(!isc_task_privilege(task2));
+
+	/* First event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &a, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(a, -1);
+	isc_task_send(task1, &event);
+
+	/* Second event: not privileged */
+	event = isc_event_allocate(mctx, task2, ISC_TASKEVENT_TEST,
+				   set_and_drop, &b, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(b, -1);
+	isc_task_send(task2, &event);
+
+	/* Third event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &c, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(c, -1);
+	isc_task_send(task1, &event);
+
+	/* Fourth event: privileged */
+	event = isc_event_allocate(mctx, task1, ISC_TASKEVENT_TEST,
+				   set_and_drop, &d, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(d, -1);
+	isc_task_send(task1, &event);
+
+	/* Fifth event: not privileged */
+	event = isc_event_allocate(mctx, task2, ISC_TASKEVENT_TEST,
+				   set_and_drop, &e, sizeof (isc_event_t));
+	ATF_REQUIRE(event != NULL);
+
+	ATF_CHECK_EQ(e, -1);
+	isc_task_send(task2, &event);
+
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
+	isc_taskmgr_setmode(taskmgr, isc_taskmgrmode_privileged);
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_privileged);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	isc__taskmgr_resume(taskmgr);
+#endif
+
+	/* We're waiting for all variables to be set. */
+	while ((a == -1 || b == -1 || c == -1 || d == -1 || e == -1) &&
+	       i++ < 5000) {
+#ifndef ISC_PLATFORM_USETHREADS
+		while (isc__taskmgr_ready(taskmgr))
+			isc__taskmgr_dispatch(taskmgr);
+#endif
+		isc_test_nap(1000);
+	}
+
+	/*
+	 * We can't guarantee what order the events fire, but
+	 * we do know *exactly one* of the privileged tasks will
+	 * have run in privileged mode...
+	 */
+	ATF_CHECK(a == isc_taskmgrmode_privileged ||
+		  c == isc_taskmgrmode_privileged ||
+		  d == isc_taskmgrmode_privileged);
+	ATF_CHECK(a + c + d == isc_taskmgrmode_privileged);
+
+	/* ...and neither of the non-privileged tasks did... */
+	ATF_CHECK(b == isc_taskmgrmode_normal || e == isc_taskmgrmode_normal);
+
+	/* ...but all five of them did run. */
+	ATF_CHECK_EQ(counter, 6);
+
+	ATF_CHECK_EQ(isc_taskmgr_mode(taskmgr), isc_taskmgrmode_normal);
+
+	isc_task_destroy(&task1);
+	ATF_REQUIRE_EQ(task1, NULL);
+	isc_task_destroy(&task2);
+	ATF_REQUIRE_EQ(task2, NULL);
+
+	isc_test_end();
+}
+
+/*
+ * Basic task functions:
+ */
+static void
+basic_cb(isc_task_t *task, isc_event_t *event) {
+	int i;
+	int j;
+
+	UNUSED(task);
+
+	j = 0;
+	for (i = 0; i < 1000000; i++) {
+		j += 100;
+	}
+
+	printf("task %s\n", (char *)event->ev_arg);
+	isc_event_free(&event);
+}
+
+static void
+basic_shutdown(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	printf("shutdown %s\n", (char *)event->ev_arg);
+	isc_event_free(&event);
+}
+
+static void
+basic_tick(isc_task_t *task, isc_event_t *event) {
+
+	UNUSED(task);
+
+	printf("%s\n", (char *)event->ev_arg);
+	isc_event_free(&event);
+}
+
+static char one[] = "1";
+static char two[] = "2";
+static char three[] = "3";
+static char four[] = "4";
+static char tick[] = "tick";
+static char tock[] = "tock";
+
+
+ATF_TC(basic);
+ATF_TC_HEAD(basic, tc) {
+	atf_tc_set_md_var(tc, "descr", "basic task system check");
+}
+ATF_TC_BODY(basic, tc) {
+	isc_result_t result;
+	isc_task_t *task1 = NULL;
+	isc_task_t *task2 = NULL;
+	isc_task_t *task3 = NULL;
+	isc_task_t *task4 = NULL;
+	isc_event_t *event = NULL;
+	isc_timer_t *ti1 = NULL;
+	isc_timer_t *ti2 = NULL;
+	isc_time_t absolute;
+	isc_interval_t interval;
+	char *testarray[] = {
+		one, one, one, one, one, one, one, one, one,
+		two, three, four, two, three, four, NULL
+	};
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task3);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_create(taskmgr, 0, &task4);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task1, basic_shutdown, one);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task2, basic_shutdown, two);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task3, basic_shutdown, three);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	result = isc_task_onshutdown(task4, basic_shutdown, four);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_time_settoepoch(&absolute);
+	isc_interval_set(&interval, 1, 0);
+	result = isc_timer_create(timermgr, isc_timertype_ticker,
+				&absolute, &interval,
+				task1, basic_tick, tick, &ti1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ti2 = NULL;
+	isc_time_settoepoch(&absolute);
+	isc_interval_set(&interval, 1, 0);
+	result = isc_timer_create(timermgr, isc_timertype_ticker,
+				  &absolute, &interval,
+				  task2, basic_tick, tock, &ti2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+#ifndef WIN32
+	sleep(2);
+#else
+	Sleep(2000);
+#endif
+
+	for (i = 0; testarray[i] != NULL; i++) {
+		/*
+		 * Note:  (void *)1 is used as a sender here, since some
+		 * compilers don't like casting a function pointer to a
+		 * (void *).
+		 *
+		 * In a real use, it is more likely the sender would be a
+		 * structure (socket, timer, task, etc) but this is just a
+		 * test program.
+		 */
+		event = isc_event_allocate(mctx, (void *)1, 1, basic_cb,
+					   testarray[i], sizeof(*event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_send(task1, &event);
+	}
+
+	(void)isc_task_purge(task3, NULL, 0, 0);
+
+	isc_task_detach(&task1);
+	isc_task_detach(&task2);
+	isc_task_detach(&task3);
+	isc_task_detach(&task4);
+
+#ifndef WIN32
+	sleep(10);
+#else
+	Sleep(10000);
+#endif
+	isc_timer_detach(&ti1);
+	isc_timer_detach(&ti2);
+
+	isc_test_end();
+}
+
+/*
+ * Exclusive mode test:
+ * When one task enters exclusive mode, all other active
+ * tasks complete first.
+ */
+static
+int spin(int n) {
+	int i;
+	int r = 0;
+	for (i = 0; i < n; i++) {
+		r += i;
+		if (r > 1000000)
+			r = 0;
+	}
+	return (r);
+}
+
+static void
+exclusive_cb(isc_task_t *task, isc_event_t *event) {
+	int taskno = *(int *)(event->ev_arg);
+
+	printf("task enter %d\n", taskno);
+
+	/* task chosen from the middle of the range */
+	if (taskno == 6) {
+		isc_result_t result;
+		int i;
+
+		result = isc_task_beginexclusive(task);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		for (i = 0; i < 10; i++) {
+			ATF_CHECK(active[i] == 0);
+		}
+
+		isc_task_endexclusive(task);
+		done = true;
+	} else {
+		active[taskno]++;
+		(void) spin(10000000);
+		active[taskno]--;
+	}
+
+	printf("task exit %d\n", taskno);
+
+	if (done) {
+		isc_mem_put(event->ev_destroy_arg, event->ev_arg, sizeof (int));
+		isc_event_free(&event);
+	} else {
+		isc_task_send(task, &event);
+	}
+}
+
+ATF_TC(task_exclusive);
+ATF_TC_HEAD(task_exclusive, tc) {
+	atf_tc_set_md_var(tc, "descr", "test exclusive mode");
+}
+ATF_TC_BODY(task_exclusive, tc) {
+	isc_task_t *tasks[10];
+	isc_result_t result;
+	int i;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 4);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	for (i = 0; i < 10; i++) {
+		isc_event_t *event = NULL;
+		int *v;
+
+		tasks[i] = NULL;
+
+		result = isc_task_create(taskmgr, 0, &tasks[i]);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		v = isc_mem_get(mctx, sizeof *v);
+		ATF_REQUIRE(v != NULL);
+
+		*v = i;
+
+		event = isc_event_allocate(mctx, NULL, 1, exclusive_cb,
+					   v, sizeof(*event));
+		ATF_REQUIRE(event != NULL);
+
+		isc_task_send(tasks[i], &event);
+	}
+
+	for (i = 0; i < 10; i++) {
+		isc_task_detach(&tasks[i]);
+	}
+	isc_test_end();
+}
+
+/*
+ * The remainder of these tests require threads
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+/*
+ * Max tasks test:
+ * The task system can create and execute many tasks. Tests with 10000.
+ */
+static void
+maxtask_shutdown(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	if (event->ev_arg != NULL) {
+		isc_task_destroy((isc_task_t**) &event->ev_arg);
+	} else {
+		LOCK(&lock);
+		done = true;
+		SIGNAL(&cv);
+		UNLOCK(&lock);
+
+		isc_event_free(&event);
+		isc_taskmgr_destroy(&taskmgr);
+		isc_mem_destroy(&mctx);
+
+		isc_condition_destroy(&cv);
+		DESTROYLOCK(&lock);
+	}
+}
+
+static void
+maxtask_cb(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	if (event->ev_arg != NULL) {
+		isc_task_t *newtask = NULL;
+
+		event->ev_arg = (void *)(((uintptr_t) event->ev_arg) - 1);
+
+		/*
+		 * Create a new task and forward the message.
+		 */
+		result = isc_task_create(taskmgr, 0, &newtask);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		result = isc_task_onshutdown(newtask, maxtask_shutdown,
+						 (void *)task);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		isc_task_send(newtask, &event);
+	} else if (task != NULL) {
+		isc_task_destroy(&task);
+	}
+}
+
+ATF_TC(manytasks);
+ATF_TC_HEAD(manytasks, tc) {
+	atf_tc_set_md_var(tc, "descr", "many tasks");
+}
+ATF_TC_BODY(manytasks, tc) {
+	isc_result_t result;
+	isc_event_t *event = NULL;
+	uintptr_t ntasks = 10000;
+
+	UNUSED(tc);
+
+	printf("Testing with %lu tasks\n", (unsigned long)ntasks);
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mem_create(0, 0, &mctx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_taskmgr_create(mctx, 4, 0, &taskmgr);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	event = isc_event_allocate(mctx, (void *)1, 1, maxtask_cb,
+				   (void *)ntasks, sizeof(*event));
+	ATF_REQUIRE(event != NULL);
+
+	LOCK(&lock);
+	maxtask_cb(NULL, event);
+	while (!done) {
+		WAIT(&cv, &lock);
+	}
+}
+
+
+/*
+ * Shutdown test:
+ * When isc_task_shutdown() is called, shutdown events are posted
+ * in LIFO order.
+ */
+
+static int senders[4];
+static int nevents = 0;
+static int nsdevents = 0;
+
+static void
+sd_sde1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	ATF_CHECK_EQ(nevents, 256);
+	ATF_REQUIRE_EQ(nsdevents, 1);
+	++nsdevents;
+	printf("shutdown 1\n");
+
+	isc_event_free(&event);
+}
+
+static void
+sd_sde2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	ATF_CHECK_EQ(nevents, 256);
+	ATF_REQUIRE_EQ(nsdevents, 0);
+	++nsdevents;
+	printf("shutdown 2\n");
+
+	isc_event_free(&event);
+}
+
+static void
+sd_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!done) {
+		WAIT(&cv, &lock);
+	}
+
+	printf("event 1\n");
+
+	isc_event_free(&event);
+}
+
+static void
+sd_event2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	++nevents;
+
+	printf("event 2\n");
+
+	isc_event_free(&event);
+}
+
+ATF_TC(shutdown);
+ATF_TC_HEAD(shutdown, tc) {
+	atf_tc_set_md_var(tc, "descr", "task shutdown");
+}
+ATF_TC_BODY(shutdown, tc) {
+	isc_result_t result;
+	isc_eventtype_t event_type;
+	isc_event_t *event = NULL;
+	isc_task_t *task = NULL;
+	int i;
+
+	nevents = nsdevents = 0;
+	done = false;
+
+	event_type = 3;
+
+	result = isc_test_begin(NULL, true, 4);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	LOCK(&lock);
+
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * This event causes the task to wait on cv.
+	 */
+	event = isc_event_allocate(mctx, &senders[1], event_type, sd_event1,
+				   NULL, sizeof(*event));
+	ATF_REQUIRE(event != NULL);
+	isc_task_send(task, &event);
+
+	/*
+	 * Now we fill up the task's event queue with some events.
+	 */
+	for (i = 0; i < 256; ++i) {
+		event = isc_event_allocate(mctx, &senders[1], event_type,
+					   sd_event2, NULL, sizeof(*event));
+		ATF_REQUIRE(event != NULL);
+		isc_task_send(task, &event);
+	}
+
+	/*
+	 * Now we register two shutdown events.
+	 */
+	result = isc_task_onshutdown(task, sd_sde1, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, sd_sde2, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_task_shutdown(task);
+
+	/*
+	 * Now we free the task by signaling cv.
+	 */
+	done = true;
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+
+	isc_test_end();
+
+	ATF_REQUIRE_EQ(nsdevents, 2);
+}
+
+/*
+ * Post-shutdown test:
+ * After isc_task_shutdown() has been called, any call to
+ * isc_task_onshutdown() will return ISC_R_SHUTTINGDOWN.
+ */
+static void
+psd_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+
+	while (!done) {
+		WAIT(&cv, &lock);
+	}
+
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+psd_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	isc_event_free(&event);
+}
+
+ATF_TC(post_shutdown);
+ATF_TC_HEAD(post_shutdown, tc) {
+	atf_tc_set_md_var(tc, "descr", "post-shutdown");
+}
+ATF_TC_BODY(post_shutdown, tc) {
+	isc_result_t result;
+	isc_eventtype_t event_type;
+	isc_event_t *event;
+	isc_task_t *task;
+
+	done = false;
+	event_type = 4;
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	LOCK(&lock);
+
+	task = NULL;
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * This event causes the task to wait on cv.
+	 */
+	event = isc_event_allocate(mctx, &senders[1], event_type, psd_event1,
+				   NULL, sizeof(*event));
+	ATF_REQUIRE(event != NULL);
+	isc_task_send(task, &event);
+
+	isc_task_shutdown(task);
+
+	result = isc_task_onshutdown(task, psd_sde, NULL);
+	ATF_CHECK_EQ(result, ISC_R_SHUTTINGDOWN);
+
+	/*
+	 * Release the task.
+	 */
+	done = true;
+
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+	isc_test_end();
+
+	(void) isc_condition_destroy(&cv);
+	DESTROYLOCK(&lock);
+}
+
+/*
+ * Helper for the purge tests below:
+ */
+
+#define	SENDERCNT 3
+#define	TYPECNT 4
+#define	TAGCNT 5
+#define	NEVENTS	(SENDERCNT * TYPECNT * TAGCNT)
+
+static bool testrange;
+static void *purge_sender;
+static isc_eventtype_t purge_type_first;
+static isc_eventtype_t purge_type_last;
+static void *purge_tag;
+static int eventcnt;
+
+bool started = false;
+
+static void
+pg_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!started) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+pg_event2(isc_task_t *task, isc_event_t *event) {
+	bool sender_match = false;
+	bool type_match = false;
+	bool tag_match = false;
+
+	UNUSED(task);
+
+	if ((purge_sender == NULL) || (purge_sender == event->ev_sender)) {
+		sender_match = true;
+	}
+
+	if (testrange) {
+		if ((purge_type_first <= event->ev_type) &&
+		    (event->ev_type <= purge_type_last))
+		{
+			type_match = true;
+		}
+	} else {
+		if (purge_type_first == event->ev_type) {
+			type_match = true;
+		}
+	}
+
+	if ((purge_tag == NULL) || (purge_tag == event->ev_tag)) {
+		tag_match = true;
+	}
+
+	if (sender_match && type_match && tag_match) {
+		if (event->ev_attributes & ISC_EVENTATTR_NOPURGE) {
+			printf("event %p,%d,%p matched but was not purgeable\n",
+			       event->ev_sender, (int)event->ev_type,
+			       event->ev_tag);
+			++eventcnt;
+		} else {
+			printf("*** event %p,%d,%p not purged\n",
+			       event->ev_sender, (int)event->ev_type,
+			       event->ev_tag);
+		}
+	} else {
+		++eventcnt;
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+pg_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	done = true;
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+test_purge(int sender, int type, int tag, int exp_purged) {
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_event_t *eventtab[NEVENTS];
+	isc_event_t *event = NULL;
+	isc_interval_t interval;
+	isc_time_t now;
+	int sender_cnt, type_cnt, tag_cnt, event_cnt, i;
+	int purged = 0;
+
+	started = false;
+	done = false;
+	eventcnt = 0;
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, pg_sde, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Block the task on cv.
+	 */
+	event = isc_event_allocate(mctx, (void *)1, 9999,
+				   pg_event1, NULL, sizeof(*event));
+
+	ATF_REQUIRE(event != NULL);
+	isc_task_send(task, &event);
+
+	/*
+	 * Fill the task's queue with some messages with varying
+	 * sender, type, tag, and purgeable attribute values.
+	 */
+	event_cnt = 0;
+	for (sender_cnt = 0; sender_cnt < SENDERCNT; ++sender_cnt) {
+		for (type_cnt = 0; type_cnt < TYPECNT; ++type_cnt) {
+			for (tag_cnt = 0; tag_cnt < TAGCNT; ++tag_cnt) {
+				eventtab[event_cnt] =
+					isc_event_allocate(mctx,
+					    &senders[sender + sender_cnt],
+					    (isc_eventtype_t)(type + type_cnt),
+					    pg_event2, NULL, sizeof(*event));
+
+				ATF_REQUIRE(eventtab[event_cnt] != NULL);
+
+				eventtab[event_cnt]->ev_tag =
+					(void *)((uintptr_t)tag + tag_cnt);
+
+				/*
+				 * Mark events as non-purgeable if
+				 * sender, type and tag are all
+				 * odd-numbered. (There should be 4
+				 * of these out of 60 events total.)
+				 */
+				if (((sender_cnt % 2) != 0) &&
+				    ((type_cnt % 2) != 0) &&
+				    ((tag_cnt % 2) != 0))
+				{
+					eventtab[event_cnt]->ev_attributes |=
+						ISC_EVENTATTR_NOPURGE;
+				}
+				++event_cnt;
+			}
+		}
+	}
+
+	for (i = 0; i < event_cnt; ++i) {
+		isc_task_send(task, &eventtab[i]);
+	}
+
+	if (testrange) {
+		/*
+		 * We're testing isc_task_purgerange.
+		 */
+		purged  = isc_task_purgerange(task, purge_sender,
+					      (isc_eventtype_t)purge_type_first,
+					      (isc_eventtype_t)purge_type_last,
+					      purge_tag);
+		ATF_CHECK_EQ(purged, exp_purged);
+	} else {
+		/*
+		 * We're testing isc_task_purge.
+		 */
+		printf("purge events %p,%u,%p\n",
+		       purge_sender, purge_type_first, purge_tag);
+		purged = isc_task_purge(task, purge_sender,
+					(isc_eventtype_t)purge_type_first,
+					purge_tag);
+		printf("purged %d expected %d\n", purged, exp_purged);
+		ATF_CHECK_EQ(purged, exp_purged);
+	}
+
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
+	LOCK(&lock);
+	started = true;
+	SIGNAL(&cv);
+
+	isc_task_shutdown(task);
+
+	isc_interval_set(&interval, 5, 0);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (!done) {
+		result = isc_time_nowplusinterval(&now, &interval);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		WAITUNTIL(&cv, &lock, &now);
+	}
+
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+
+	isc_test_end();
+	DESTROYLOCK(&lock);
+	(void) isc_condition_destroy(&cv);
+
+	ATF_CHECK_EQ(eventcnt, event_cnt - exp_purged);
+}
+
+/*
+ * Purge test:
+ * A call to isc_task_purge(task, sender, type, tag) purges all events of
+ * type 'type' and with tag 'tag' not marked as unpurgeable from sender
+ * from the task's " queue and returns the number of events purged.
+ */
+ATF_TC(purge);
+ATF_TC_HEAD(purge, tc) {
+	atf_tc_set_md_var(tc, "descr", "purge");
+}
+ATF_TC_BODY(purge, tc) {
+	/* Try purging on a specific sender. */
+	printf("testing purge on 2,4,8 expecting 1\n");
+	purge_sender = &senders[2];
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 1);
+
+	/* Try purging on all senders. */
+	printf("testing purge on 0,4,8 expecting 3\n");
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 3);
+
+	/* Try purging on all senders, specified type, all tags. */
+	printf("testing purge on 0,4,0 expecting 15\n");
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 4;
+	purge_tag = NULL;
+	testrange = false;
+	test_purge(1, 4, 7, 15);
+
+	/* Try purging on a specified tag, no such type. */
+	printf("testing purge on 0,99,8 expecting 0\n");
+	purge_sender = NULL;
+	purge_type_first = 99;
+	purge_type_last = 99;
+	purge_tag = (void *)8;
+	testrange = false;
+	test_purge(1, 4, 7, 0);
+
+	/*
+	 * Try purging on specified sender, type, all tags.
+	 */
+	printf("testing purge on 3,5,0 expecting 5\n");
+	purge_sender = &senders[3];
+	purge_type_first = 5;
+	purge_type_last = 5;
+	purge_tag = NULL;
+	testrange = false;
+	test_purge(1, 4, 7, 5);
+}
+
+/*
+ * Purge range test:
+ * A call to isc_event_purgerange(task, sender, first, last, tag) purges
+ * all events not marked unpurgeable from sender 'sender' and of type within
+ * the range 'first' to 'last' inclusive from the task's event queue and
+ * returns the number of tasks purged.
+ */
+
+ATF_TC(purgerange);
+ATF_TC_HEAD(purgerange, tc) {
+	atf_tc_set_md_var(tc, "descr", "purge-range");
+}
+ATF_TC_BODY(purgerange, tc) {
+	/* Now let's try some ranges. */
+	printf("testing purgerange on 2,4-5,8 expecting 1\n");
+	purge_sender = &senders[2];
+	purge_type_first = 4;
+	purge_type_last = 5;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 1);
+
+	/* Try purging on all senders. */
+	printf("testing purge on 0,4-5,8 expecting 5\n");
+	purge_sender = NULL;
+	purge_type_first = 4;
+	purge_type_last = 5;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 5);
+
+	/* Try purging on all senders, specified type, all tags. */
+	printf("testing purge on 0,5-6,0 expecting 28\n");
+	purge_sender = NULL;
+	purge_type_first = 5;
+	purge_type_last = 6;
+	purge_tag = NULL;
+	testrange = true;
+	test_purge(1, 4, 7, 28);
+
+	/* Try purging on a specified tag, no such type. */
+	printf("testing purge on 0,99-101,8 expecting 0\n");
+	purge_sender = NULL;
+	purge_type_first = 99;
+	purge_type_last = 101;
+	purge_tag = (void *)8;
+	testrange = true;
+	test_purge(1, 4, 7, 0);
+
+	/* Try purging on specified sender, type, all tags. */
+	printf("testing purge on 3,5-6,0 expecting 10\n");
+	purge_sender = &senders[3];
+	purge_type_first = 5;
+	purge_type_last = 6;
+	purge_tag = NULL;
+	testrange = true;
+	test_purge(1, 4, 7, 10);
+}
+
+/*
+ * Helpers for purge event tests
+ */
+static void
+pge_event1(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	while (!started) {
+		WAIT(&cv, &lock);
+	}
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+pge_event2(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	++eventcnt;
+	isc_event_free(&event);
+}
+
+
+static void
+pge_sde(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	LOCK(&lock);
+	done = true;
+	SIGNAL(&cv);
+	UNLOCK(&lock);
+
+	isc_event_free(&event);
+}
+
+static void
+try_purgeevent(bool purgeable) {
+	isc_result_t	result;
+	isc_task_t *task = NULL;
+	bool purged;
+	isc_event_t *event1 = NULL;
+	isc_event_t *event2 = NULL;
+	isc_event_t *event2_clone = NULL;;
+	isc_time_t now;
+	isc_interval_t interval;
+
+	started = false;
+	done = false;
+	eventcnt = 0;
+
+	result = isc_mutex_init(&lock);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, pge_sde, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Block the task on cv.
+	 */
+	event1 = isc_event_allocate(mctx, (void *)1, (isc_eventtype_t)1,
+				    pge_event1, NULL, sizeof(*event1));
+	ATF_REQUIRE(event1 != NULL);
+	isc_task_send(task, &event1);
+
+	event2 = isc_event_allocate(mctx, (void *)1, (isc_eventtype_t)1,
+				    pge_event2, NULL, sizeof(*event2));
+	ATF_REQUIRE(event2 != NULL);
+
+	event2_clone = event2;
+
+	if (purgeable) {
+		event2->ev_attributes &= ~ISC_EVENTATTR_NOPURGE;
+	} else {
+		event2->ev_attributes |= ISC_EVENTATTR_NOPURGE;
+	}
+
+	isc_task_send(task, &event2);
+
+	purged = isc_task_purgeevent(task, event2_clone);
+	ATF_CHECK_EQ(purgeable, purged);
+
+	/*
+	 * Unblock the task, allowing event processing.
+	 */
+	LOCK(&lock);
+	started = true;
+	SIGNAL(&cv);
+
+	isc_task_shutdown(task);
+
+	isc_interval_set(&interval, 5, 0);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (!done) {
+		result = isc_time_nowplusinterval(&now, &interval);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		WAITUNTIL(&cv, &lock, &now);
+	}
+
+	UNLOCK(&lock);
+
+	isc_task_detach(&task);
+
+	isc_test_end();
+	DESTROYLOCK(&lock);
+	(void) isc_condition_destroy(&cv);
+
+	ATF_REQUIRE_EQ(eventcnt, (purgeable ? 0 : 1));
+}
+
+/*
+ * Purge event test:
+ * When the event is marked as purgeable, a call to
+ * isc_task_purgeevent(task, event) purges the event 'event' from the
+ * task's queue and returns true.
+ */
+
+ATF_TC(purgeevent);
+ATF_TC_HEAD(purgeevent, tc) {
+	atf_tc_set_md_var(tc, "descr", "purge-event");
+}
+ATF_TC_BODY(purgeevent, tc) {
+	try_purgeevent(true);
+}
+
+/*
+ * Purge event not purgeable test:
+ * When the event is not marked as purgable, a call to
+ * isc_task_purgeevent(task, event) does not purge the event
+ * 'event' from the task's queue and returns false.
+ */
+
+ATF_TC(purgeevent_notpurge);
+ATF_TC_HEAD(purgeevent_notpurge, tc) {
+	atf_tc_set_md_var(tc, "descr", "purge-event");
+}
+ATF_TC_BODY(purgeevent_notpurge, tc) {
+	try_purgeevent(false);
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, create_task);
+	ATF_TP_ADD_TC(tp, all_events);
+	ATF_TP_ADD_TC(tp, privileged_events);
+	ATF_TP_ADD_TC(tp, privilege_drop);
+	ATF_TP_ADD_TC(tp, basic);
+	ATF_TP_ADD_TC(tp, task_exclusive);
+
+#ifdef ISC_PLATFORM_USETHREADS
+	ATF_TP_ADD_TC(tp, manytasks);
+	ATF_TP_ADD_TC(tp, shutdown);
+	ATF_TP_ADD_TC(tp, post_shutdown);
+	ATF_TP_ADD_TC(tp, purge);
+	ATF_TP_ADD_TC(tp, purgerange);
+	ATF_TP_ADD_TC(tp, purgeevent);
+	ATF_TP_ADD_TC(tp, purgeevent_notpurge);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/tests/taskpool_test.c b/lib/isc/tests/taskpool_test.c
new file mode 100644
index 0000000..ff2de9e
--- /dev/null
+++ b/lib/isc/tests/taskpool_test.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/task.h>
+#include <isc/taskpool.h>
+
+#include "isctest.h"
+
+/*
+ * Individual unit tests
+ */
+
+/* Create a taskpool */
+ATF_TC(create_pool);
+ATF_TC_HEAD(create_pool, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a taskpool");
+}
+ATF_TC_BODY(create_pool, tc) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_taskpool_create(taskmgr, mctx, 8, 2, &pool);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool), 8);
+
+	isc_taskpool_destroy(&pool);
+	ATF_REQUIRE_EQ(pool, NULL);
+
+	isc_test_end();
+}
+
+/* Resize a taskpool */
+ATF_TC(expand_pool);
+ATF_TC_HEAD(expand_pool, tc) {
+	atf_tc_set_md_var(tc, "descr", "expand a taskpool");
+}
+ATF_TC_BODY(expand_pool, tc) {
+	isc_result_t result;
+	isc_taskpool_t *pool1 = NULL, *pool2 = NULL, *hold = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_taskpool_create(taskmgr, mctx, 10, 2, &pool1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool1), 10);
+
+	/* resizing to a smaller size should have no effect */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 5, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool2), 10);
+	ATF_REQUIRE_EQ(pool2, hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to the same size should have no effect */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 10, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool2), 10);
+	ATF_REQUIRE_EQ(pool2, hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+	pool1 = pool2;
+	pool2 = NULL;
+
+	/* resizing to larger size should make a new pool */
+	hold = pool1;
+	result = isc_taskpool_expand(&pool1, 20, &pool2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool2), 20);
+	ATF_REQUIRE(pool2 != hold);
+	ATF_REQUIRE_EQ(pool1, NULL);
+
+	isc_taskpool_destroy(&pool2);
+	ATF_REQUIRE_EQ(pool2, NULL);
+
+	isc_test_end();
+}
+
+/* Get tasks */
+ATF_TC(get_tasks);
+ATF_TC_HEAD(get_tasks, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a taskpool");
+}
+ATF_TC_BODY(get_tasks, tc) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_taskpool_create(taskmgr, mctx, 2, 2, &pool);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool), 2);
+
+	/* two tasks in pool; make sure we can access them more than twice */
+	isc_taskpool_gettask(pool, &task1);
+	ATF_REQUIRE(ISCAPI_TASK_VALID(task1));
+
+	isc_taskpool_gettask(pool, &task2);
+	ATF_REQUIRE(ISCAPI_TASK_VALID(task2));
+
+	isc_taskpool_gettask(pool, &task3);
+	ATF_REQUIRE(ISCAPI_TASK_VALID(task3));
+
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+	isc_task_destroy(&task3);
+
+	isc_taskpool_destroy(&pool);
+	ATF_REQUIRE_EQ(pool, NULL);
+
+	isc_test_end();
+}
+
+/* Get tasks */
+ATF_TC(set_privilege);
+ATF_TC_HEAD(set_privilege, tc) {
+	atf_tc_set_md_var(tc, "descr", "create a taskpool");
+}
+ATF_TC_BODY(set_privilege, tc) {
+	isc_result_t result;
+	isc_taskpool_t *pool = NULL;
+	isc_task_t *task1 = NULL, *task2 = NULL, *task3 = NULL;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 0);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_taskpool_create(taskmgr, mctx, 2, 2, &pool);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_taskpool_size(pool), 2);
+
+	isc_taskpool_setprivilege(pool, true);
+
+	isc_taskpool_gettask(pool, &task1);
+	isc_taskpool_gettask(pool, &task2);
+	isc_taskpool_gettask(pool, &task3);
+
+	ATF_CHECK(ISCAPI_TASK_VALID(task1));
+	ATF_CHECK(ISCAPI_TASK_VALID(task2));
+	ATF_CHECK(ISCAPI_TASK_VALID(task3));
+
+	ATF_CHECK(isc_task_privilege(task1));
+	ATF_CHECK(isc_task_privilege(task2));
+	ATF_CHECK(isc_task_privilege(task3));
+
+	isc_taskpool_setprivilege(pool, false);
+
+	ATF_CHECK(!isc_task_privilege(task1));
+	ATF_CHECK(!isc_task_privilege(task2));
+	ATF_CHECK(!isc_task_privilege(task3));
+
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+	isc_task_destroy(&task3);
+
+	isc_taskpool_destroy(&pool);
+	ATF_REQUIRE_EQ(pool, NULL);
+
+	isc_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, create_pool);
+	ATF_TP_ADD_TC(tp, expand_pool);
+	ATF_TP_ADD_TC(tp, get_tasks);
+	ATF_TP_ADD_TC(tp, set_privilege);
+
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/testdata/file/keep b/lib/isc/tests/testdata/file/keep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/lib/isc/tests/testdata/file/keep
diff --git a/lib/isc/tests/time_test.c b/lib/isc/tests/time_test.c
new file mode 100644
index 0000000..c548869
--- /dev/null
+++ b/lib/isc/tests/time_test.c
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+
+#include <atf-c.h>
+
+#include <isc/time.h>
+#include <isc/result.h>
+
+ATF_TC(isc_time_parsehttptimestamp);
+ATF_TC_HEAD(isc_time_parsehttptimestamp, tc) {
+	atf_tc_set_md_var(tc, "descr", "parse http time stamp");
+}
+ATF_TC_BODY(isc_time_parsehttptimestamp, tc) {
+	isc_result_t result;
+	isc_time_t t, x;
+	char buf[ISC_FORMATHTTPTIMESTAMP_SIZE];
+
+	setenv("TZ", "PST8PDT", 1);
+	result = isc_time_now(&t);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_time_formathttptimestamp(&t, buf, sizeof(buf));
+	result = isc_time_parsehttptimestamp(buf, &x);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(isc_time_seconds(&t), isc_time_seconds(&x));
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, isc_time_parsehttptimestamp);
+	return (atf_no_error());
+}
+
diff --git a/lib/isc/tests/timer_test.c b/lib/isc/tests/timer_test.c
new file mode 100644
index 0000000..7a32f1d
--- /dev/null
+++ b/lib/isc/tests/timer_test.c
@@ -0,0 +1,593 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <unistd.h>
+
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+#include <isc/util.h>
+
+#include "isctest.h"
+
+/*
+ * This entire test requires threads.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+
+/*
+ * Helper functions
+ */
+#define	FUDGE_SECONDS	0	     /* in absence of clock_getres() */
+#define	FUDGE_NANOSECONDS	500000000    /* in absence of clock_getres() */
+
+static	isc_timer_t *timer = NULL;
+static	isc_condition_t cv;
+static	isc_mutex_t mx;
+static	isc_time_t endtime;
+static	isc_time_t lasttime;
+static	int seconds;
+static	int nanoseconds;
+static	int eventcnt;
+static	int nevents;
+
+static void
+shutdown(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	UNUSED(task);
+
+	/*
+	 * Signal shutdown processing complete.
+	 */
+	result = isc_mutex_lock(&mx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_signal(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_mutex_unlock(&mx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_event_free(&event);
+}
+
+static void
+setup_test(isc_timertype_t timertype, isc_time_t *expires,
+	   isc_interval_t *interval,
+	   void (*action)(isc_task_t *, isc_event_t *))
+{
+	isc_result_t result;
+	isc_task_t *task = NULL;
+	isc_time_settoepoch(&endtime);
+	eventcnt = 0;
+
+	result = isc_mutex_init(&mx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	LOCK(&mx);
+
+	result = isc_task_create(taskmgr, 0, &task);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task, shutdown, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_time_now(&lasttime);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_timer_create(timermgr, timertype, expires, interval,
+				  task, action, (void *)timertype,
+				  &timer);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (eventcnt != nevents) {
+		result = isc_condition_wait(&cv, &mx);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	UNLOCK(&mx);
+
+	isc_task_detach(&task);
+	DESTROYLOCK(&mx);
+	(void) isc_condition_destroy(&cv);
+}
+
+static void
+ticktock(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_interval_t interval;
+	isc_eventtype_t expected_event_type;
+
+	++eventcnt;
+
+	printf("tick %d\n", eventcnt);
+
+	expected_event_type = ISC_TIMEREVENT_LIFE;
+	if ((isc_timertype_t) event->ev_arg == isc_timertype_ticker) {
+		expected_event_type = ISC_TIMEREVENT_TICK;
+	}
+
+	if (event->ev_type != expected_event_type) {
+		printf("expected event type %u, got %u\n",
+		       expected_event_type, event->ev_type);
+	}
+
+	result = isc_time_now(&now);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	result = isc_time_add(&lasttime, &interval, &base);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(isc_time_compare(&llim, &now) <= 0);
+	ATF_CHECK(isc_time_compare(&ulim, &now) >= 0);
+	lasttime = now;
+
+	if (eventcnt == nevents) {
+		result = isc_time_now(&endtime);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		isc_timer_detach(&timer);
+		isc_task_shutdown(task);
+	}
+
+	isc_event_free(&event);
+}
+
+/*
+ * Individual unit tests
+ */
+
+ATF_TC(ticker);
+ATF_TC_HEAD(ticker, tc) {
+	atf_tc_set_md_var(tc, "descr", "timer type ticker");
+}
+ATF_TC_BODY(ticker, tc) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(tc);
+
+	nevents = 12;
+	seconds = 0;
+	nanoseconds = 500000000;
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_time_settoepoch(&expires);
+
+	setup_test(isc_timertype_ticker, &expires, &interval, ticktock);
+
+	isc_test_end();
+}
+
+ATF_TC(once_life);
+ATF_TC_HEAD(once_life, tc) {
+	atf_tc_set_md_var(tc, "descr", "timer type once reaches lifetime");
+}
+ATF_TC_BODY(once_life, tc) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(tc);
+
+	nevents = 1;
+	seconds = 1;
+	nanoseconds = 100000000;
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 0, 0);
+
+	setup_test(isc_timertype_once, &expires, &interval, ticktock);
+
+	isc_test_end();
+}
+
+
+static void
+test_idle(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_interval_t interval;
+
+	++eventcnt;
+
+	printf("tick %d\n", eventcnt);
+
+	result = isc_time_now(&now);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	result = isc_time_add(&lasttime, &interval, &base);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(isc_time_compare(&llim, &now) <= 0);
+	ATF_CHECK(isc_time_compare(&ulim, &now) >= 0);
+	lasttime = now;
+
+	ATF_CHECK_EQ(event->ev_type, ISC_TIMEREVENT_IDLE);
+
+	isc_timer_detach(&timer);
+	isc_task_shutdown(task);
+	isc_event_free(&event);
+}
+
+ATF_TC(once_idle);
+ATF_TC_HEAD(once_idle, tc) {
+	atf_tc_set_md_var(tc, "descr", "timer type once idles out");
+}
+ATF_TC_BODY(once_idle, tc) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(tc);
+
+	nevents = 1;
+	seconds = 1;
+	nanoseconds = 200000000;
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds + 1, nanoseconds);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+
+	setup_test(isc_timertype_once, &expires, &interval, test_idle);
+
+	isc_test_end();
+}
+
+static void
+test_reset(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t now;
+	isc_time_t base;
+	isc_time_t ulim;
+	isc_time_t llim;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	++eventcnt;
+
+	printf("tick %d\n", eventcnt);
+
+	/*
+	 * Check expired time.
+	 */
+
+	result = isc_time_now(&now);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	result = isc_time_add(&lasttime, &interval, &base);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, FUDGE_SECONDS, FUDGE_NANOSECONDS);
+	result = isc_time_add(&base, &interval, &ulim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_time_subtract(&base, &interval, &llim);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	ATF_CHECK(isc_time_compare(&llim, &now) <= 0);
+	ATF_CHECK(isc_time_compare(&ulim, &now) >= 0);
+	lasttime = now;
+
+	if (eventcnt < 3) {
+		ATF_CHECK_EQ(event->ev_type, ISC_TIMEREVENT_TICK);
+
+		if (eventcnt == 2) {
+			isc_interval_set(&interval, seconds, nanoseconds);
+			result = isc_time_nowplusinterval(&expires, &interval);
+			ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+			isc_interval_set(&interval, 0, 0);
+			result = isc_timer_reset(timer, isc_timertype_once,
+						 &expires, &interval,
+						 false);
+			ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		}
+	} else {
+		ATF_CHECK_EQ(event->ev_type, ISC_TIMEREVENT_LIFE);
+
+		isc_timer_detach(&timer);
+		isc_task_shutdown(task);
+	}
+
+	isc_event_free(&event);
+}
+
+ATF_TC(reset);
+ATF_TC_HEAD(reset, tc) {
+	atf_tc_set_md_var(tc, "descr", "timer reset");
+}
+ATF_TC_BODY(reset, tc) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	nevents = 3;
+	seconds = 0;
+	nanoseconds = 750000000;
+
+	isc_interval_set(&interval, seconds, nanoseconds);
+	isc_time_settoepoch(&expires);
+
+	setup_test(isc_timertype_ticker, &expires, &interval, test_reset);
+
+	isc_test_end();
+}
+
+static int startflag;
+static int shutdownflag;
+static isc_timer_t *tickertimer = NULL;
+static isc_timer_t *oncetimer = NULL;
+static isc_task_t *task1 = NULL;
+static isc_task_t *task2 = NULL;
+
+/*
+ * task1 blocks on mx while events accumulate
+ * in its queue, until signaled by task2.
+ */
+
+static void
+start_event(isc_task_t *task, isc_event_t *event) {
+	UNUSED(task);
+
+	printf("start_event\n");
+
+	LOCK(&mx);
+	while (! startflag) {
+		(void) isc_condition_wait(&cv, &mx);
+	}
+	UNLOCK(&mx);
+
+	isc_event_free(&event);
+}
+
+static void
+tick_event(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(task);
+
+	++eventcnt;
+	printf("tick_event %d\n", eventcnt);
+
+	/*
+	 * On the first tick, purge all remaining tick events
+	 * and then shut down the task.
+	 */
+	if (eventcnt == 1) {
+		isc_time_settoepoch(&expires);
+		isc_interval_set(&interval, seconds, 0);
+		result = isc_timer_reset(tickertimer, isc_timertype_ticker,
+					 &expires, &interval, true);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+		isc_task_shutdown(task);
+	}
+
+	isc_event_free(&event);
+}
+
+static void
+once_event(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	printf("once_event\n");
+
+	/*
+	 * Allow task1 to start processing events.
+	 */
+	LOCK(&mx);
+	startflag = 1;
+
+	result = isc_condition_broadcast(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	UNLOCK(&mx);
+
+	isc_event_free(&event);
+	isc_task_shutdown(task);
+}
+
+static void
+shutdown_purge(isc_task_t *task, isc_event_t *event) {
+	isc_result_t result;
+
+	UNUSED(task);
+	UNUSED(event);
+
+	printf("shutdown_event\n");
+
+	/*
+	 * Signal shutdown processing complete.
+	 */
+	LOCK(&mx);
+	shutdownflag = 1;
+
+	result = isc_condition_signal(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	UNLOCK(&mx);
+
+	isc_event_free(&event);
+}
+
+ATF_TC(purge);
+ATF_TC_HEAD(purge, tc) {
+	atf_tc_set_md_var(tc, "descr", "timer events purged");
+}
+ATF_TC_BODY(purge, tc) {
+	isc_result_t result;
+	isc_event_t *event = NULL;
+	isc_time_t expires;
+	isc_interval_t interval;
+
+	UNUSED(tc);
+
+	result = isc_test_begin(NULL, true, 2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	startflag = 0;
+	shutdownflag = 0;
+	eventcnt = 0;
+	seconds = 1;
+	nanoseconds = 0;
+
+	result = isc_mutex_init(&mx);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_condition_init(&cv);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_onshutdown(task1, shutdown_purge, NULL);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = isc_task_create(taskmgr, 0, &task2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	LOCK(&mx);
+
+	event = isc_event_allocate(mctx, (void *)1 , (isc_eventtype_t)1,
+				   start_event, NULL, sizeof(*event));
+	ATF_REQUIRE(event != NULL);
+	isc_task_send(task1, &event);
+
+	isc_time_settoepoch(&expires);
+	isc_interval_set(&interval, seconds, 0);
+
+	tickertimer = NULL;
+	result = isc_timer_create(timermgr, isc_timertype_ticker,
+				  &expires, &interval, task1,
+				  tick_event, NULL, &tickertimer);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	oncetimer = NULL;
+
+	isc_interval_set(&interval, (seconds * 2) + 1, 0);
+	result = isc_time_nowplusinterval(&expires, &interval);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	isc_interval_set(&interval, 0, 0);
+	result = isc_timer_create(timermgr, isc_timertype_once,
+				      &expires, &interval, task2,
+				      once_event, NULL, &oncetimer);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	/*
+	 * Wait for shutdown processing to complete.
+	 */
+	while (! shutdownflag) {
+		result = isc_condition_wait(&cv, &mx);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	}
+
+	UNLOCK(&mx);
+
+	ATF_CHECK_EQ(eventcnt, 1);
+
+	isc_timer_detach(&tickertimer);
+	isc_timer_detach(&oncetimer);
+	isc_task_destroy(&task1);
+	isc_task_destroy(&task2);
+	DESTROYLOCK(&mx);
+
+	isc_test_end();
+}
+#else
+ATF_TC(untested);
+ATF_TC_HEAD(untested, tc) {
+	atf_tc_set_md_var(tc, "descr", "skipping nsec3 test");
+}
+ATF_TC_BODY(untested, tc) {
+	UNUSED(tc);
+	atf_tc_skip("DNSSEC not available");
+}
+#endif
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+#ifdef ISC_PLATFORM_USETHREADS
+	ATF_TP_ADD_TC(tp, ticker);
+	ATF_TP_ADD_TC(tp, once_life);
+	ATF_TP_ADD_TC(tp, once_idle);
+	ATF_TP_ADD_TC(tp, reset);
+	ATF_TP_ADD_TC(tp, purge);
+#else
+	ATF_TP_ADD_TC(tp, untested);
+#endif
+
+	return (atf_no_error());
+}
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
new file mode 100644
index 0000000..2baa9e6
--- /dev/null
+++ b/lib/isc/timer.c
@@ -0,0 +1,1191 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/heap.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
+/* See task.c about the following definition: */
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_TIMER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+
+#ifndef USE_TIMER_THREAD
+#include "timer_p.h"
+#endif /* USE_TIMER_THREAD */
+
+#ifdef ISC_TIMER_TRACE
+#define XTRACE(s)			fprintf(stderr, "%s\n", (s))
+#define XTRACEID(s, t)			fprintf(stderr, "%s %p\n", (s), (t))
+#define XTRACETIME(s, d)		fprintf(stderr, "%s %u.%09u\n", (s), \
+					       (d).seconds, (d).nanoseconds)
+#define XTRACETIME2(s, d, n)		fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), \
+					       (d).seconds, (d).nanoseconds, (n).seconds, (n).nanoseconds)
+#define XTRACETIMER(s, t, d)		fprintf(stderr, "%s %p %u.%09u\n", (s), (t), \
+					       (d).seconds, (d).nanoseconds)
+#else
+#define XTRACE(s)
+#define XTRACEID(s, t)
+#define XTRACETIME(s, d)
+#define XTRACETIME2(s, d, n)
+#define XTRACETIMER(s, t, d)
+#endif /* ISC_TIMER_TRACE */
+
+#define TIMER_MAGIC			ISC_MAGIC('T', 'I', 'M', 'R')
+#define VALID_TIMER(t)			ISC_MAGIC_VALID(t, TIMER_MAGIC)
+
+typedef struct isc__timer isc__timer_t;
+typedef struct isc__timermgr isc__timermgr_t;
+
+struct isc__timer {
+	/*! Not locked. */
+	isc_timer_t			common;
+	isc__timermgr_t *		manager;
+	isc_mutex_t			lock;
+	/*! Locked by timer lock. */
+	unsigned int			references;
+	isc_time_t			idle;
+	/*! Locked by manager lock. */
+	isc_timertype_t			type;
+	isc_time_t			expires;
+	isc_interval_t			interval;
+	isc_task_t *			task;
+	isc_taskaction_t		action;
+	void *				arg;
+	unsigned int			index;
+	isc_time_t			due;
+	LINK(isc__timer_t)		link;
+};
+
+#define TIMER_MANAGER_MAGIC		ISC_MAGIC('T', 'I', 'M', 'M')
+#define VALID_MANAGER(m)		ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
+
+struct isc__timermgr {
+	/* Not locked. */
+	isc_timermgr_t			common;
+	isc_mem_t *			mctx;
+	isc_mutex_t			lock;
+	/* Locked by manager lock. */
+	bool			done;
+	LIST(isc__timer_t)		timers;
+	unsigned int			nscheduled;
+	isc_time_t			due;
+#ifdef USE_TIMER_THREAD
+	isc_condition_t			wakeup;
+	isc_thread_t			thread;
+#endif	/* USE_TIMER_THREAD */
+#ifdef USE_SHARED_MANAGER
+	unsigned int			refs;
+#endif /* USE_SHARED_MANAGER */
+	isc_heap_t *			heap;
+};
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+
+isc_result_t
+isc__timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		  const isc_time_t *expires, const isc_interval_t *interval,
+		  isc_task_t *task, isc_taskaction_t action, void *arg,
+		  isc_timer_t **timerp);
+isc_result_t
+isc__timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		 const isc_time_t *expires, const isc_interval_t *interval,
+		 bool purge);
+isc_timertype_t
+isc_timer_gettype(isc_timer_t *timer);
+isc_result_t
+isc__timer_touch(isc_timer_t *timer);
+void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp);
+void
+isc__timer_detach(isc_timer_t **timerp);
+isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+void
+isc_timermgr_poke(isc_timermgr_t *manager0);
+void
+isc__timermgr_destroy(isc_timermgr_t **managerp);
+
+static struct isc__timermethods {
+	isc_timermethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *gettype;
+} timermethods = {
+	{
+		isc__timer_attach,
+		isc__timer_detach,
+		isc__timer_reset,
+		isc__timer_touch
+	},
+	(void *)isc_timer_gettype
+};
+
+static struct isc__timermgrmethods {
+	isc_timermgrmethods_t methods;
+	void *poke;		/* see above */
+} timermgrmethods = {
+	{
+		isc__timermgr_destroy,
+		isc__timer_create
+	},
+	(void *)isc_timermgr_poke
+};
+
+#ifdef USE_SHARED_MANAGER
+/*!
+ * If the manager is supposed to be shared, there can be only one.
+ */
+static isc__timermgr_t *timermgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+static inline isc_result_t
+schedule(isc__timer_t *timer, isc_time_t *now, bool signal_ok) {
+	isc_result_t result;
+	isc__timermgr_t *manager;
+	isc_time_t due;
+	int cmp;
+#ifdef USE_TIMER_THREAD
+	bool timedwait;
+#endif
+
+	/*!
+	 * Note: the caller must ensure locking.
+	 */
+
+	REQUIRE(timer->type != isc_timertype_inactive);
+
+#ifndef USE_TIMER_THREAD
+	UNUSED(signal_ok);
+#endif /* USE_TIMER_THREAD */
+
+	manager = timer->manager;
+
+#ifdef USE_TIMER_THREAD
+	/*!
+	 * If the manager was timed wait, we may need to signal the
+	 * manager to force a wakeup.
+	 */
+	timedwait = (manager->nscheduled > 0 &&
+		     isc_time_seconds(&manager->due) != 0);
+#endif
+
+	/*
+	 * Compute the new due time.
+	 */
+	if (timer->type != isc_timertype_once) {
+		result = isc_time_add(now, &timer->interval, &due);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		if (timer->type == isc_timertype_limited &&
+		    isc_time_compare(&timer->expires, &due) < 0)
+			due = timer->expires;
+	} else {
+		if (isc_time_isepoch(&timer->idle))
+			due = timer->expires;
+		else if (isc_time_isepoch(&timer->expires))
+			due = timer->idle;
+		else if (isc_time_compare(&timer->idle, &timer->expires) < 0)
+			due = timer->idle;
+		else
+			due = timer->expires;
+	}
+
+	/*
+	 * Schedule the timer.
+	 */
+
+	if (timer->index > 0) {
+		/*
+		 * Already scheduled.
+		 */
+		cmp = isc_time_compare(&due, &timer->due);
+		timer->due = due;
+		switch (cmp) {
+		case -1:
+			isc_heap_increased(manager->heap, timer->index);
+			break;
+		case 1:
+			isc_heap_decreased(manager->heap, timer->index);
+			break;
+		case 0:
+			/* Nothing to do. */
+			break;
+		}
+	} else {
+		timer->due = due;
+		result = isc_heap_insert(manager->heap, timer);
+		if (result != ISC_R_SUCCESS) {
+			INSIST(result == ISC_R_NOMEMORY);
+			return (ISC_R_NOMEMORY);
+		}
+		manager->nscheduled++;
+	}
+
+	XTRACETIMER(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+				   ISC_MSG_SCHEDULE, "schedule"), timer, due);
+
+	/*
+	 * If this timer is at the head of the queue, we need to ensure
+	 * that we won't miss it if it has a more recent due time than
+	 * the current "next" timer.  We do this either by waking up the
+	 * run thread, or explicitly setting the value in the manager.
+	 */
+#ifdef USE_TIMER_THREAD
+
+	/*
+	 * This is a temporary (probably) hack to fix a bug on tru64 5.1
+	 * and 5.1a.  Sometimes, pthread_cond_timedwait() doesn't actually
+	 * return when the time expires, so here, we check to see if
+	 * we're 15 seconds or more behind, and if we are, we signal
+	 * the dispatcher.  This isn't such a bad idea as a general purpose
+	 * watchdog, so perhaps we should just leave it in here.
+	 */
+	if (signal_ok && timedwait) {
+		isc_interval_t fifteen;
+		isc_time_t then;
+
+		isc_interval_set(&fifteen, 15, 0);
+		result = isc_time_add(&manager->due, &fifteen, &then);
+
+		if (result == ISC_R_SUCCESS &&
+		    isc_time_compare(&then, now) < 0) {
+			SIGNAL(&manager->wakeup);
+			signal_ok = false;
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_TIMER, ISC_LOG_WARNING,
+				      "*** POKED TIMER ***");
+		}
+	}
+
+	if (timer->index == 1 && signal_ok) {
+		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+				      ISC_MSG_SIGNALSCHED,
+				      "signal (schedule)"));
+		SIGNAL(&manager->wakeup);
+	}
+#else /* USE_TIMER_THREAD */
+	if (timer->index == 1 &&
+	    isc_time_compare(&timer->due, &manager->due) < 0)
+		manager->due = timer->due;
+#endif /* USE_TIMER_THREAD */
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+deschedule(isc__timer_t *timer) {
+#ifdef USE_TIMER_THREAD
+	bool need_wakeup = false;
+#endif
+	isc__timermgr_t *manager;
+
+	/*
+	 * The caller must ensure locking.
+	 */
+
+	manager = timer->manager;
+	if (timer->index > 0) {
+#ifdef USE_TIMER_THREAD
+		if (timer->index == 1)
+			need_wakeup = true;
+#endif
+		isc_heap_delete(manager->heap, timer->index);
+		timer->index = 0;
+		INSIST(manager->nscheduled > 0);
+		manager->nscheduled--;
+#ifdef USE_TIMER_THREAD
+		if (need_wakeup) {
+			XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+					      ISC_MSG_SIGNALDESCHED,
+					      "signal (deschedule)"));
+			SIGNAL(&manager->wakeup);
+		}
+#endif /* USE_TIMER_THREAD */
+	}
+}
+
+static void
+destroy(isc__timer_t *timer) {
+	isc__timermgr_t *manager = timer->manager;
+
+	/*
+	 * The caller must ensure it is safe to destroy the timer.
+	 */
+
+	LOCK(&manager->lock);
+
+	(void)isc_task_purgerange(timer->task,
+				  timer,
+				  ISC_TIMEREVENT_FIRSTEVENT,
+				  ISC_TIMEREVENT_LASTEVENT,
+				  NULL);
+	deschedule(timer);
+	UNLINK(manager->timers, timer, link);
+
+	UNLOCK(&manager->lock);
+
+	isc_task_detach(&timer->task);
+	DESTROYLOCK(&timer->lock);
+	timer->common.impmagic = 0;
+	timer->common.magic = 0;
+	isc_mem_put(manager->mctx, timer, sizeof(*timer));
+}
+
+isc_result_t
+isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
+		  const isc_time_t *expires, const isc_interval_t *interval,
+		  isc_task_t *task, isc_taskaction_t action, void *arg,
+		  isc_timer_t **timerp)
+{
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+	isc__timer_t *timer;
+	isc_result_t result;
+	isc_time_t now;
+
+	/*
+	 * Create a new 'type' timer managed by 'manager'.  The timers
+	 * parameters are specified by 'expires' and 'interval'.  Events
+	 * will be posted to 'task' and when dispatched 'action' will be
+	 * called with 'arg' as the arg value.  The new timer is returned
+	 * in 'timerp'.
+	 */
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+	if (expires == NULL)
+		expires = isc_time_epoch;
+	if (interval == NULL)
+		interval = isc_interval_zero;
+	REQUIRE(type == isc_timertype_inactive ||
+		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+	REQUIRE(timerp != NULL && *timerp == NULL);
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+	/*
+	 * Get current time.
+	 */
+	if (type != isc_timertype_inactive) {
+		TIME_NOW(&now);
+	} else {
+		/*
+		 * We don't have to do this, but it keeps the compiler from
+		 * complaining about "now" possibly being used without being
+		 * set, even though it will never actually happen.
+		 */
+		isc_time_settoepoch(&now);
+	}
+
+
+	timer = isc_mem_get(manager->mctx, sizeof(*timer));
+	if (timer == NULL)
+		return (ISC_R_NOMEMORY);
+
+	timer->manager = manager;
+	timer->references = 1;
+
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(manager->mctx, timer, sizeof(*timer));
+			return (result);
+		}
+	} else
+		isc_time_settoepoch(&timer->idle);
+
+	timer->type = type;
+	timer->expires = *expires;
+	timer->interval = *interval;
+	timer->task = NULL;
+	isc_task_attach(task, &timer->task);
+	timer->action = action;
+	/*
+	 * Removing the const attribute from "arg" is the best of two
+	 * evils here.  If the timer->arg member is made const, then
+	 * it affects a great many recipients of the timer event
+	 * which did not pass in an "arg" that was truly const.
+	 * Changing isc_timer_create() to not have "arg" prototyped as const,
+	 * though, can cause compilers warnings for calls that *do*
+	 * have a truly const arg.  The caller will have to carefully
+	 * keep track of whether arg started as a true const.
+	 */
+	DE_CONST(arg, timer->arg);
+	timer->index = 0;
+	result = isc_mutex_init(&timer->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_task_detach(&timer->task);
+		isc_mem_put(manager->mctx, timer, sizeof(*timer));
+		return (result);
+	}
+	ISC_LINK_INIT(timer, link);
+	timer->common.impmagic = TIMER_MAGIC;
+	timer->common.magic = ISCAPI_TIMER_MAGIC;
+	timer->common.methods = (isc_timermethods_t *)&timermethods;
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Note we don't have to lock the timer like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	if (type != isc_timertype_inactive)
+		result = schedule(timer, &now, true);
+	else
+		result = ISC_R_SUCCESS;
+	if (result == ISC_R_SUCCESS) {
+		*timerp = (isc_timer_t *)timer;
+		APPEND(manager->timers, timer, link);
+	}
+
+	UNLOCK(&manager->lock);
+
+	if (result != ISC_R_SUCCESS) {
+		timer->common.impmagic = 0;
+		timer->common.magic = 0;
+		DESTROYLOCK(&timer->lock);
+		isc_task_detach(&timer->task);
+		isc_mem_put(manager->mctx, timer, sizeof(*timer));
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__timer_reset(isc_timer_t *timer0, isc_timertype_t type,
+		 const isc_time_t *expires, const isc_interval_t *interval,
+		 bool purge)
+{
+	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc_time_t now;
+	isc__timermgr_t *manager;
+	isc_result_t result;
+
+	/*
+	 * Change the timer's type, expires, and interval values to the given
+	 * values.  If 'purge' is true, any pending events from this timer
+	 * are purged from its task's event queue.
+	 */
+
+	REQUIRE(VALID_TIMER(timer));
+	manager = timer->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	if (expires == NULL)
+		expires = isc_time_epoch;
+	if (interval == NULL)
+		interval = isc_interval_zero;
+	REQUIRE(type == isc_timertype_inactive ||
+		!(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+	REQUIRE(type != isc_timertype_limited ||
+		!(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+	/*
+	 * Get current time.
+	 */
+	if (type != isc_timertype_inactive) {
+		TIME_NOW(&now);
+	} else {
+		/*
+		 * We don't have to do this, but it keeps the compiler from
+		 * complaining about "now" possibly being used without being
+		 * set, even though it will never actually happen.
+		 */
+		isc_time_settoepoch(&now);
+	}
+
+	LOCK(&manager->lock);
+	LOCK(&timer->lock);
+
+	if (purge)
+		(void)isc_task_purgerange(timer->task,
+					  timer,
+					  ISC_TIMEREVENT_FIRSTEVENT,
+					  ISC_TIMEREVENT_LASTEVENT,
+					  NULL);
+	timer->type = type;
+	timer->expires = *expires;
+	timer->interval = *interval;
+	if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+		result = isc_time_add(&now, interval, &timer->idle);
+	} else {
+		isc_time_settoepoch(&timer->idle);
+		result = ISC_R_SUCCESS;
+	}
+
+	if (result == ISC_R_SUCCESS) {
+		if (type == isc_timertype_inactive) {
+			deschedule(timer);
+			result = ISC_R_SUCCESS;
+		} else
+			result = schedule(timer, &now, true);
+	}
+
+	UNLOCK(&timer->lock);
+	UNLOCK(&manager->lock);
+
+	return (result);
+}
+
+isc_timertype_t
+isc_timer_gettype(isc_timer_t *timer0) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc_timertype_t t;
+
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+	t = timer->type;
+	UNLOCK(&timer->lock);
+
+	return (t);
+}
+
+isc_result_t
+isc__timer_touch(isc_timer_t *timer0) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
+	isc_result_t result;
+	isc_time_t now;
+
+	/*
+	 * Set the last-touched time of 'timer' to the current time.
+	 */
+
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+
+	/*
+	 * We'd like to
+	 *
+	 *	REQUIRE(timer->type == isc_timertype_once);
+	 *
+	 * but we cannot without locking the manager lock too, which we
+	 * don't want to do.
+	 */
+
+	TIME_NOW(&now);
+	result = isc_time_add(&now, &timer->interval, &timer->idle);
+
+	UNLOCK(&timer->lock);
+
+	return (result);
+}
+
+void
+isc__timer_attach(isc_timer_t *timer0, isc_timer_t **timerp) {
+	isc__timer_t *timer = (isc__timer_t *)timer0;
+
+	/*
+	 * Attach *timerp to timer.
+	 */
+
+	REQUIRE(VALID_TIMER(timer));
+	REQUIRE(timerp != NULL && *timerp == NULL);
+
+	LOCK(&timer->lock);
+	timer->references++;
+	UNLOCK(&timer->lock);
+
+	*timerp = (isc_timer_t *)timer;
+}
+
+void
+isc__timer_detach(isc_timer_t **timerp) {
+	isc__timer_t *timer;
+	bool free_timer = false;
+
+	/*
+	 * Detach *timerp from its timer.
+	 */
+
+	REQUIRE(timerp != NULL);
+	timer = (isc__timer_t *)*timerp;
+	REQUIRE(VALID_TIMER(timer));
+
+	LOCK(&timer->lock);
+	REQUIRE(timer->references > 0);
+	timer->references--;
+	if (timer->references == 0)
+		free_timer = true;
+	UNLOCK(&timer->lock);
+
+	if (free_timer)
+		destroy(timer);
+
+	*timerp = NULL;
+}
+
+static void
+dispatch(isc__timermgr_t *manager, isc_time_t *now) {
+	bool done = false, post_event, need_schedule;
+	isc_timerevent_t *event;
+	isc_eventtype_t type = 0;
+	isc__timer_t *timer;
+	isc_result_t result;
+	bool idle;
+
+	/*!
+	 * The caller must be holding the manager lock.
+	 */
+
+	while (manager->nscheduled > 0 && !done) {
+		timer = isc_heap_element(manager->heap, 1);
+		INSIST(timer != NULL && timer->type != isc_timertype_inactive);
+		if (isc_time_compare(now, &timer->due) >= 0) {
+			if (timer->type == isc_timertype_ticker) {
+				type = ISC_TIMEREVENT_TICK;
+				post_event = true;
+				need_schedule = true;
+			} else if (timer->type == isc_timertype_limited) {
+				int cmp;
+				cmp = isc_time_compare(now, &timer->expires);
+				if (cmp >= 0) {
+					type = ISC_TIMEREVENT_LIFE;
+					post_event = true;
+					need_schedule = false;
+				} else {
+					type = ISC_TIMEREVENT_TICK;
+					post_event = true;
+					need_schedule = true;
+				}
+			} else if (!isc_time_isepoch(&timer->expires) &&
+				   isc_time_compare(now,
+						    &timer->expires) >= 0) {
+				type = ISC_TIMEREVENT_LIFE;
+				post_event = true;
+				need_schedule = false;
+			} else {
+				idle = false;
+
+				LOCK(&timer->lock);
+				if (!isc_time_isepoch(&timer->idle) &&
+				    isc_time_compare(now,
+						     &timer->idle) >= 0) {
+					idle = true;
+				}
+				UNLOCK(&timer->lock);
+				if (idle) {
+					type = ISC_TIMEREVENT_IDLE;
+					post_event = true;
+					need_schedule = false;
+				} else {
+					/*
+					 * Idle timer has been touched;
+					 * reschedule.
+					 */
+					XTRACEID(isc_msgcat_get(isc_msgcat,
+								ISC_MSGSET_TIMER,
+								ISC_MSG_IDLERESCHED,
+								"idle reschedule"),
+						 timer);
+					post_event = false;
+					need_schedule = true;
+				}
+			}
+
+			if (post_event) {
+				XTRACEID(isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_TIMER,
+							ISC_MSG_POSTING,
+							"posting"), timer);
+				/*
+				 * XXX We could preallocate this event.
+				 */
+				event = (isc_timerevent_t *)isc_event_allocate(manager->mctx,
+							   timer,
+							   type,
+							   timer->action,
+							   timer->arg,
+							   sizeof(*event));
+
+				if (event != NULL) {
+					event->due = timer->due;
+					isc_task_send(timer->task,
+						      ISC_EVENT_PTR(&event));
+				} else
+					UNEXPECTED_ERROR(__FILE__, __LINE__, "%s",
+						 isc_msgcat_get(isc_msgcat,
+							 ISC_MSGSET_TIMER,
+							 ISC_MSG_EVENTNOTALLOC,
+							 "couldn't "
+							 "allocate event"));
+			}
+
+			timer->index = 0;
+			isc_heap_delete(manager->heap, 1);
+			manager->nscheduled--;
+
+			if (need_schedule) {
+				result = schedule(timer, now, false);
+				if (result != ISC_R_SUCCESS)
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "%s: %u",
+						isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_TIMER,
+							ISC_MSG_SCHEDFAIL,
+							"couldn't schedule "
+							"timer"),
+							 result);
+			}
+		} else {
+			manager->due = timer->due;
+			done = true;
+		}
+	}
+}
+
+#ifdef USE_TIMER_THREAD
+static isc_threadresult_t
+#ifdef _WIN32			/* XXXDCL */
+WINAPI
+#endif
+run(void *uap) {
+	isc__timermgr_t *manager = uap;
+	isc_time_t now;
+	isc_result_t result;
+
+	LOCK(&manager->lock);
+	while (!manager->done) {
+		TIME_NOW(&now);
+
+		XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+					  ISC_MSG_RUNNING,
+					  "running"), now);
+
+		dispatch(manager, &now);
+
+		if (manager->nscheduled > 0) {
+			XTRACETIME2(isc_msgcat_get(isc_msgcat,
+						   ISC_MSGSET_GENERAL,
+						   ISC_MSG_WAITUNTIL,
+						   "waituntil"),
+				    manager->due, now);
+			result = WAITUNTIL(&manager->wakeup, &manager->lock, &manager->due);
+			INSIST(result == ISC_R_SUCCESS ||
+			       result == ISC_R_TIMEDOUT);
+		} else {
+			XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						  ISC_MSG_WAIT, "wait"), now);
+			WAIT(&manager->wakeup, &manager->lock);
+		}
+		XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+				      ISC_MSG_WAKEUP, "wakeup"));
+	}
+	UNLOCK(&manager->lock);
+
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
+	return ((isc_threadresult_t)0);
+}
+#endif /* USE_TIMER_THREAD */
+
+static bool
+sooner(void *v1, void *v2) {
+	isc__timer_t *t1, *t2;
+
+	t1 = v1;
+	t2 = v2;
+	REQUIRE(VALID_TIMER(t1));
+	REQUIRE(VALID_TIMER(t2));
+
+	if (isc_time_compare(&t1->due, &t2->due) < 0)
+		return (true);
+	return (false);
+}
+
+static void
+set_index(void *what, unsigned int index) {
+	isc__timer_t *timer;
+
+	timer = what;
+	REQUIRE(VALID_TIMER(timer));
+
+	timer->index = index;
+}
+
+isc_result_t
+isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+	isc__timermgr_t *manager;
+	isc_result_t result;
+
+	/*
+	 * Create a timer manager.
+	 */
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifdef USE_SHARED_MANAGER
+	if (timermgr != NULL) {
+		timermgr->refs++;
+		*managerp = (isc_timermgr_t *)timermgr;
+		return (ISC_R_SUCCESS);
+	}
+#endif /* USE_SHARED_MANAGER */
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	if (manager == NULL)
+		return (ISC_R_NOMEMORY);
+
+	manager->common.impmagic = TIMER_MANAGER_MAGIC;
+	manager->common.magic = ISCAPI_TIMERMGR_MAGIC;
+	manager->common.methods = (isc_timermgrmethods_t *)&timermgrmethods;
+	manager->mctx = NULL;
+	manager->done = false;
+	INIT_LIST(manager->timers);
+	manager->nscheduled = 0;
+	isc_time_settoepoch(&manager->due);
+	manager->heap = NULL;
+	result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
+	if (result != ISC_R_SUCCESS) {
+		INSIST(result == ISC_R_NOMEMORY);
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		return (ISC_R_NOMEMORY);
+	}
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_heap_destroy(&manager->heap);
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		return (result);
+	}
+	isc_mem_attach(mctx, &manager->mctx);
+#ifdef USE_TIMER_THREAD
+	if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
+		isc_mem_detach(&manager->mctx);
+		DESTROYLOCK(&manager->lock);
+		isc_heap_destroy(&manager->heap);
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		return (ISC_R_UNEXPECTED);
+	}
+	if (isc_thread_create(run, manager, &manager->thread) !=
+	    ISC_R_SUCCESS) {
+		isc_mem_detach(&manager->mctx);
+		(void)isc_condition_destroy(&manager->wakeup);
+		DESTROYLOCK(&manager->lock);
+		isc_heap_destroy(&manager->heap);
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_thread_create() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		return (ISC_R_UNEXPECTED);
+	}
+	isc_thread_setname(manager->thread, "isc-timer");
+#endif
+#ifdef USE_SHARED_MANAGER
+	manager->refs = 1;
+	timermgr = manager;
+#endif /* USE_SHARED_MANAGER */
+
+	*managerp = (isc_timermgr_t *)manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_timermgr_poke(isc_timermgr_t *manager0) {
+#ifdef USE_TIMER_THREAD
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	SIGNAL(&manager->wakeup);
+#else
+	UNUSED(manager0);
+#endif
+}
+
+void
+isc__timermgr_destroy(isc_timermgr_t **managerp) {
+	isc__timermgr_t *manager;
+	isc_mem_t *mctx;
+
+	/*
+	 * Destroy a timer manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = (isc__timermgr_t *)*managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->lock);
+
+#ifdef USE_SHARED_MANAGER
+	manager->refs--;
+	if (manager->refs > 0) {
+		UNLOCK(&manager->lock);
+		*managerp = NULL;
+		return;
+	}
+	timermgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+#ifndef USE_TIMER_THREAD
+	isc__timermgr_dispatch((isc_timermgr_t *)manager);
+#endif
+
+	REQUIRE(EMPTY(manager->timers));
+	manager->done = true;
+
+#ifdef USE_TIMER_THREAD
+	XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+			      ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
+	SIGNAL(&manager->wakeup);
+#endif /* USE_TIMER_THREAD */
+
+	UNLOCK(&manager->lock);
+
+#ifdef USE_TIMER_THREAD
+	/*
+	 * Wait for thread to exit.
+	 */
+	if (isc_thread_join(manager->thread, NULL) != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_thread_join() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+#endif /* USE_TIMER_THREAD */
+
+	/*
+	 * Clean up.
+	 */
+#ifdef USE_TIMER_THREAD
+	(void)isc_condition_destroy(&manager->wakeup);
+#endif /* USE_TIMER_THREAD */
+	DESTROYLOCK(&manager->lock);
+	isc_heap_destroy(&manager->heap);
+	manager->common.impmagic = 0;
+	manager->common.magic = 0;
+	mctx = manager->mctx;
+	isc_mem_put(mctx, manager, sizeof(*manager));
+	isc_mem_detach(&mctx);
+
+	*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+	timermgr = NULL;
+#endif
+}
+
+#ifndef USE_TIMER_THREAD
+isc_result_t
+isc__timermgr_nextevent(isc_timermgr_t *manager0, isc_time_t *when) {
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = timermgr;
+#endif
+	if (manager == NULL || manager->nscheduled == 0)
+		return (ISC_R_NOTFOUND);
+	*when = manager->due;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__timermgr_dispatch(isc_timermgr_t *manager0) {
+	isc__timermgr_t *manager = (isc__timermgr_t *)manager0;
+	isc_time_t now;
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = timermgr;
+#endif
+	if (manager == NULL)
+		return;
+	TIME_NOW(&now);
+	dispatch(manager, &now);
+}
+#endif /* USE_TIMER_THREAD */
+
+isc_result_t
+isc__timer_register(void) {
+	return (isc_timer_register(isc__timermgr_create));
+}
+
+static isc_mutex_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_timermgrcreatefunc_t timermgr_createfunc = NULL;
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_mutex_init(&createlock) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_timer_register(isc_timermgrcreatefunc_t createfunc) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+	LOCK(&createlock);
+	if (timermgr_createfunc == NULL)
+		timermgr_createfunc = createfunc;
+	else
+		result = ISC_R_EXISTS;
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+isc_result_t
+isc_timermgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			 isc_timermgr_t **managerp)
+{
+	isc_result_t result;
+
+	LOCK(&createlock);
+
+	REQUIRE(timermgr_createfunc != NULL);
+	result = (*timermgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_settimermgr(actx, *managerp);
+
+	return (result);
+}
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+	isc_result_t result;
+
+	if (isc_bind9)
+		return (isc__timermgr_create(mctx, managerp));
+
+	LOCK(&createlock);
+
+	REQUIRE(timermgr_createfunc != NULL);
+	result = (*timermgr_createfunc)(mctx, managerp);
+
+	UNLOCK(&createlock);
+
+	return (result);
+}
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp) {
+	REQUIRE(*managerp != NULL && ISCAPI_TIMERMGR_VALID(*managerp));
+
+	if (isc_bind9)
+		isc__timermgr_destroy(managerp);
+	else
+		(*managerp)->methods->destroy(managerp);
+
+	ENSURE(*managerp == NULL);
+}
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+		 const isc_time_t *expires, const isc_interval_t *interval,
+		 isc_task_t *task, isc_taskaction_t action, void *arg,
+		 isc_timer_t **timerp)
+{
+	REQUIRE(ISCAPI_TIMERMGR_VALID(manager));
+
+	if (isc_bind9)
+		return (isc__timer_create(manager, type, expires, interval,
+					  task, action, arg, timerp));
+
+	return (manager->methods->timercreate(manager, type, expires,
+					      interval, task, action, arg,
+					      timerp));
+}
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+	REQUIRE(timerp != NULL && *timerp == NULL);
+
+	if (isc_bind9)
+		isc__timer_attach(timer, timerp);
+	else
+		timer->methods->attach(timer, timerp);
+
+	ENSURE(*timerp == timer);
+}
+
+void
+isc_timer_detach(isc_timer_t **timerp) {
+	REQUIRE(timerp != NULL && ISCAPI_TIMER_VALID(*timerp));
+
+	if (isc_bind9)
+		isc__timer_detach(timerp);
+	else
+		(*timerp)->methods->detach(timerp);
+
+	ENSURE(*timerp == NULL);
+}
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+		const isc_time_t *expires, const isc_interval_t *interval,
+		bool purge)
+{
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+	if (isc_bind9)
+		return (isc__timer_reset(timer, type, expires,
+					 interval, purge));
+
+	return (timer->methods->reset(timer, type, expires, interval, purge));
+}
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer) {
+	REQUIRE(ISCAPI_TIMER_VALID(timer));
+
+	if (isc_bind9)
+		return (isc__timer_touch(timer));
+
+	return (timer->methods->touch(timer));
+}
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
new file mode 100644
index 0000000..815f611
--- /dev/null
+++ b/lib/isc/timer_p.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: timer_p.h,v 1.12 2009/09/02 23:48:02 tbox Exp $ */
+
+#ifndef ISC_TIMER_P_H
+#define ISC_TIMER_P_H
+
+/*! \file */
+
+isc_result_t
+isc__timermgr_nextevent(isc_timermgr_t *timermgr, isc_time_t *when);
+
+void
+isc__timermgr_dispatch(isc_timermgr_t *timermgr);
+
+#endif /* ISC_TIMER_P_H */
diff --git a/lib/isc/tm.c b/lib/isc/tm.c
new file mode 100644
index 0000000..c390396
--- /dev/null
+++ b/lib/isc/tm.c
@@ -0,0 +1,439 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*-
+ * Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code was contributed to The NetBSD Foundation by Klaus Klein.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
+
+#include <isc/tm.h>
+#include <isc/util.h>
+
+/*
+ * Portable conversion routines for struct tm, replacing
+ * timegm() and strptime(), which are not available on all
+ * platforms and don't always behave the same way when they
+ * are.
+ */
+
+/*
+ * We do not implement alternate representations. However, we always
+ * check whether a given modifier is allowed for a certain conversion.
+ */
+#define ALT_E			0x01
+#define ALT_O			0x02
+#define	LEGAL_ALT(x)		{ if (alt_format & ~(x)) return (0); }
+
+#ifndef TM_YEAR_BASE
+#define TM_YEAR_BASE 1900
+#endif
+
+static const char *day[7] = {
+	"Sunday", "Monday", "Tuesday", "Wednesday", "Thursday",
+	"Friday", "Saturday"
+};
+static const char *abday[7] = {
+	"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
+};
+static const char *mon[12] = {
+	"January", "February", "March", "April", "May", "June", "July",
+	"August", "September", "October", "November", "December"
+};
+static const char *abmon[12] = {
+	"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+static const char *am_pm[2] = {
+	"AM", "PM"
+};
+
+static int
+conv_num(const char **buf, int *dest, int llim, int ulim) {
+	int result = 0;
+
+	/* The limit also determines the number of valid digits. */
+	int rulim = ulim;
+
+	if (**buf < '0' || **buf > '9')
+		return (0);
+
+	do {
+		result *= 10;
+		result += *(*buf)++ - '0';
+		rulim /= 10;
+	} while ((result * 10 <= ulim) &&
+		 rulim && **buf >= '0' && **buf <= '9');
+
+	if (result < llim || result > ulim)
+		return (0);
+
+	*dest = result;
+	return (1);
+}
+
+time_t
+isc_tm_timegm(struct tm *tm) {
+	time_t ret;
+	int i, yday = 0, leapday;
+	int mdays[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30 };
+
+	leapday = ((((tm->tm_year + 1900 ) % 4) == 0 &&
+		    ((tm->tm_year + 1900 ) % 100) != 0) ||
+		   ((tm->tm_year + 1900 ) % 400) == 0) ? 1 : 0;
+	mdays[1] += leapday;
+
+	yday = tm->tm_mday - 1;
+	for (i = 1; i <= tm->tm_mon; i++)
+		yday += mdays[i - 1];
+	ret = tm->tm_sec +
+	      (60 * tm->tm_min) +
+	      (3600 * tm->tm_hour) +
+	      (86400 * (yday +
+		       ((tm->tm_year - 70) * 365) +
+		       ((tm->tm_year - 69) / 4) -
+		       ((tm->tm_year - 1) / 100) +
+		       ((tm->tm_year + 299) / 400)));
+	return (ret);
+}
+
+char *
+isc_tm_strptime(const char *buf, const char *fmt, struct tm *tm) {
+	char c, *ret;
+	const char *bp;
+	size_t len = 0;
+	int alt_format, i, split_year = 0;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(fmt != NULL);
+	REQUIRE(tm != NULL);
+
+	memset(tm, 0, sizeof(struct tm));
+
+	bp = buf;
+
+	while ((c = *fmt) != '\0') {
+		/* Clear `alternate' modifier prior to new conversion. */
+		alt_format = 0;
+
+		/* Eat up white-space. */
+		if (isspace((unsigned char) c)) {
+			while (isspace((unsigned char) *bp))
+				bp++;
+
+			fmt++;
+			continue;
+		}
+
+		if ((c = *fmt++) != '%')
+			goto literal;
+
+
+again:		switch (c = *fmt++) {
+		case '%':	/* "%%" is converted to "%". */
+literal:
+			if (c != *bp++)
+				return (0);
+			break;
+
+		/*
+		 * "Alternative" modifiers. Just set the appropriate flag
+		 * and start over again.
+		 */
+		case 'E':	/* "%E?" alternative conversion modifier. */
+			LEGAL_ALT(0);
+			alt_format |= ALT_E;
+			goto again;
+
+		case 'O':	/* "%O?" alternative conversion modifier. */
+			LEGAL_ALT(0);
+			alt_format |= ALT_O;
+			goto again;
+
+		/*
+		 * "Complex" conversion rules, implemented through recursion.
+		 */
+		case 'c':	/* Date and time, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%x %X", tm)))
+				return (0);
+			break;
+
+		case 'D':	/* The date as "%m/%d/%y". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%m/%d/%y", tm)))
+				return (0);
+			break;
+
+		case 'R':	/* The time as "%H:%M". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M", tm)))
+				return (0);
+			break;
+
+		case 'r':	/* The time in 12-hour clock representation. */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%I:%M:%S %p", tm)))
+				return (0);
+			break;
+
+		case 'T':	/* The time as "%H:%M:%S". */
+			LEGAL_ALT(0);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M:%S", tm)))
+				return (0);
+			break;
+
+		case 'X':	/* The time, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%H:%M:%S", tm)))
+				return (0);
+			break;
+
+		case 'x':	/* The date, using the locale's format. */
+			LEGAL_ALT(ALT_E);
+			if (!(bp = isc_tm_strptime(bp, "%m/%d/%y", tm)))
+				return (0);
+			break;
+
+		/*
+		 * "Elementary" conversion rules.
+		 */
+		case 'A':	/* The day of week, using the locale's form. */
+		case 'a':
+			LEGAL_ALT(0);
+			for (i = 0; i < 7; i++) {
+				/* Full name. */
+				len = strlen(day[i]);
+				if (strncasecmp(day[i], bp, len) == 0)
+					break;
+
+				/* Abbreviated name. */
+				len = strlen(abday[i]);
+				if (strncasecmp(abday[i], bp, len) == 0)
+					break;
+			}
+
+			/* Nothing matched. */
+			if (i == 7)
+				return (0);
+
+			tm->tm_wday = i;
+			bp += len;
+			break;
+
+		case 'B':	/* The month, using the locale's form. */
+		case 'b':
+		case 'h':
+			LEGAL_ALT(0);
+			for (i = 0; i < 12; i++) {
+				/* Full name. */
+				len = strlen(mon[i]);
+				if (strncasecmp(mon[i], bp, len) == 0)
+					break;
+
+				/* Abbreviated name. */
+				len = strlen(abmon[i]);
+				if (strncasecmp(abmon[i], bp, len) == 0)
+					break;
+			}
+
+			/* Nothing matched. */
+			if (i == 12)
+				return (0);
+
+			tm->tm_mon = i;
+			bp += len;
+			break;
+
+		case 'C':	/* The century number. */
+			LEGAL_ALT(ALT_E);
+			if (!(conv_num(&bp, &i, 0, 99)))
+				return (0);
+
+			if (split_year) {
+				tm->tm_year = (tm->tm_year % 100) + (i * 100);
+			} else {
+				tm->tm_year = i * 100;
+				split_year = 1;
+			}
+			break;
+
+		case 'd':	/* The day of month. */
+		case 'e':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_mday, 1, 31)))
+				return (0);
+			break;
+
+		case 'k':	/* The hour (24-hour clock representation). */
+			LEGAL_ALT(0);
+			/* FALLTHROUGH */
+		case 'H':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_hour, 0, 23)))
+				return (0);
+			break;
+
+		case 'l':	/* The hour (12-hour clock representation). */
+			LEGAL_ALT(0);
+			/* FALLTHROUGH */
+		case 'I':
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_hour, 1, 12)))
+				return (0);
+			if (tm->tm_hour == 12)
+				tm->tm_hour = 0;
+			break;
+
+		case 'j':	/* The day of year. */
+			LEGAL_ALT(0);
+			if (!(conv_num(&bp, &i, 1, 366)))
+				return (0);
+			tm->tm_yday = i - 1;
+			break;
+
+		case 'M':	/* The minute. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_min, 0, 59)))
+				return (0);
+			break;
+
+		case 'm':	/* The month. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &i, 1, 12)))
+				return (0);
+			tm->tm_mon = i - 1;
+			break;
+
+		case 'p':	/* The locale's equivalent of AM/PM. */
+			LEGAL_ALT(0);
+			/* AM? */
+			if (strcasecmp(am_pm[0], bp) == 0) {
+				if (tm->tm_hour > 11)
+					return (0);
+
+				bp += strlen(am_pm[0]);
+				break;
+			}
+			/* PM? */
+			else if (strcasecmp(am_pm[1], bp) == 0) {
+				if (tm->tm_hour > 11)
+					return (0);
+
+				tm->tm_hour += 12;
+				bp += strlen(am_pm[1]);
+				break;
+			}
+
+			/* Nothing matched. */
+			return (0);
+
+		case 'S':	/* The seconds. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_sec, 0, 61)))
+				return (0);
+			break;
+
+		case 'U':	/* The week of year, beginning on sunday. */
+		case 'W':	/* The week of year, beginning on monday. */
+			LEGAL_ALT(ALT_O);
+			/*
+			 * XXX This is bogus, as we can not assume any valid
+			 * information present in the tm structure at this
+			 * point to calculate a real value, so just check the
+			 * range for now.
+			 */
+			 if (!(conv_num(&bp, &i, 0, 53)))
+				return (0);
+			 break;
+
+		case 'w':	/* The day of week, beginning on sunday. */
+			LEGAL_ALT(ALT_O);
+			if (!(conv_num(&bp, &tm->tm_wday, 0, 6)))
+				return (0);
+			break;
+
+		case 'Y':	/* The year. */
+			LEGAL_ALT(ALT_E);
+			if (!(conv_num(&bp, &i, 0, 9999)))
+				return (0);
+
+			tm->tm_year = i - TM_YEAR_BASE;
+			break;
+
+		case 'y':	/* The year within 100 years of the epoch. */
+			LEGAL_ALT(ALT_E | ALT_O);
+			if (!(conv_num(&bp, &i, 0, 99)))
+				return (0);
+
+			if (split_year) {
+				tm->tm_year = ((tm->tm_year / 100) * 100) + i;
+				break;
+			}
+			split_year = 1;
+			if (i <= 68)
+				tm->tm_year = i + 2000 - TM_YEAR_BASE;
+			else
+				tm->tm_year = i + 1900 - TM_YEAR_BASE;
+			break;
+
+		/*
+		 * Miscellaneous conversions.
+		 */
+		case 'n':	/* Any kind of white-space. */
+		case 't':
+			LEGAL_ALT(0);
+			while (isspace((unsigned char) *bp))
+				bp++;
+			break;
+
+
+		default:	/* Unknown/unsupported conversion. */
+			return (0);
+		}
+
+
+	}
+
+	/* LINTED functional specification */
+	DE_CONST(bp, ret);
+	return (ret);
+}
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
new file mode 100644
index 0000000..bdd7bfd
--- /dev/null
+++ b/lib/isc/unix/Makefile.in
@@ -0,0 +1,44 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/include \
+		-I${srcdir}/../@ISC_THREAD_DIR@/include \
+		-I../include \
+		-I${srcdir}/../include \
+		-I${srcdir}/.. @ISC_OPENSSL_INC@
+
+CDEFINES =	@CRYPTO@
+CWARNINGS =
+
+# Alphabetically
+OBJS =		@ISC_IPV6_O@ @ISC_PK11_API_O@ \
+		app.@O@ dir.@O@ entropy.@O@ errno.@O@ errno2result.@O@ \
+		file.@O@ fsaccess.@O@ interfaceiter.@O@ \
+		keyboard.@O@ meminfo.@O@ \
+		net.@O@ os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \
+		strerror.@O@ syslog.@O@ time.@O@
+
+# Alphabetically
+SRCS =		@ISC_IPV6_C@ @ISC_PK11_API_C@ \
+		app.c dir.c entropy.c errno.c errno2result.c \
+		file.c fsaccess.c interfaceiter.c keyboard.c meminfo.c \
+		net.c os.c resource.c socket.c stdio.c stdtime.c \
+		strerror.c syslog.c time.c
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
+
+interfaceiter.@O@: interfaceiter.c ifiter_ioctl.c ifiter_sysctl.c ifiter_getifaddrs.c
+
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
new file mode 100644
index 0000000..7e5a0ee
--- /dev/null
+++ b/lib/isc/unix/app.c
@@ -0,0 +1,1038 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <sys/param.h>	/* Openserver 5.0.6A and FD_SETSIZE */
+#include <sys/types.h>
+
+#include <stddef.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/time.h>
+#ifdef HAVE_EPOLL
+#include <sys/epoll.h>
+#endif
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/event.h>
+#include <isc/platform.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_USETHREADS
+#include <pthread.h>
+#endif
+
+/*%
+ * For BIND9 internal applications built with threads, we use a single app
+ * context and let multiple worker, I/O, timer threads do actual jobs.
+ * For other cases (including BIND9 built without threads) an app context acts
+ * as an event loop dispatching various events.
+ */
+#ifndef ISC_PLATFORM_USETHREADS
+#include "../timer_p.h"
+#include "../task_p.h"
+#include "socket_p.h"
+#endif /* ISC_PLATFORM_USETHREADS */
+
+#ifdef ISC_PLATFORM_USETHREADS
+static pthread_t		blockedthread;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+isc_result_t isc__app_start(void);
+isc_result_t isc__app_ctxstart(isc_appctx_t *ctx);
+isc_result_t isc__app_onrun(isc_mem_t *mctx, isc_task_t *task,
+			    isc_taskaction_t action, void *arg);
+isc_result_t isc__app_ctxrun(isc_appctx_t *ctx);
+isc_result_t isc__app_run(void);
+isc_result_t isc__app_ctxshutdown(isc_appctx_t *ctx);
+isc_result_t isc__app_shutdown(void);
+isc_result_t isc__app_reload(void);
+isc_result_t isc__app_ctxsuspend(isc_appctx_t *ctx);
+void isc__app_ctxfinish(isc_appctx_t *ctx);
+void isc__app_finish(void);
+void isc__app_block(void);
+void isc__app_unblock(void);
+isc_result_t isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+void isc__appctx_destroy(isc_appctx_t **ctxp);
+void isc__appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
+void isc__appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
+void isc__appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
+isc_result_t isc__app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx,
+			       isc_task_t *task, isc_taskaction_t action,
+			       void *arg);
+
+/*
+ * The application context of this module.  This implementation actually
+ * doesn't use it. (This may change in the future).
+ */
+#define APPCTX_MAGIC		ISC_MAGIC('A', 'p', 'c', 'x')
+#define VALID_APPCTX(c)		ISC_MAGIC_VALID(c, APPCTX_MAGIC)
+
+typedef struct isc__appctx {
+	isc_appctx_t		common;
+	isc_mem_t		*mctx;
+	isc_mutex_t		lock;
+	isc_eventlist_t		on_run;
+	bool		shutdown_requested;
+	bool		running;
+
+	/*!
+	 * We assume that 'want_shutdown' can be read and written atomically.
+	 */
+	bool		want_shutdown;
+	/*
+	 * We assume that 'want_reload' can be read and written atomically.
+	 */
+	bool		want_reload;
+
+	bool		blocked;
+
+	isc_taskmgr_t		*taskmgr;
+	isc_socketmgr_t		*socketmgr;
+	isc_timermgr_t		*timermgr;
+#ifdef ISC_PLATFORM_USETHREADS
+	isc_mutex_t		readylock;
+	isc_condition_t		ready;
+#endif /* ISC_PLATFORM_USETHREADS */
+} isc__appctx_t;
+
+static isc__appctx_t isc_g_appctx;
+
+static struct {
+	isc_appmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *run, *shutdown, *start, *reload, *finish, *block, *unblock;
+} appmethods = {
+	{
+		isc__appctx_destroy,
+		isc__app_ctxstart,
+		isc__app_ctxrun,
+		isc__app_ctxsuspend,
+		isc__app_ctxshutdown,
+		isc__app_ctxfinish,
+		isc__appctx_settaskmgr,
+		isc__appctx_setsocketmgr,
+		isc__appctx_settimermgr,
+		isc__app_ctxonrun
+	},
+	(void *)isc__app_run,
+	(void *)isc__app_shutdown,
+	(void *)isc__app_start,
+	(void *)isc__app_reload,
+	(void *)isc__app_finish,
+	(void *)isc__app_block,
+	(void *)isc__app_unblock
+};
+
+#ifdef HAVE_LINUXTHREADS
+/*!
+ * Linux has sigwait(), but it appears to prevent signal handlers from
+ * running, even if they're not in the set being waited for.  This makes
+ * it impossible to get the default actions for SIGILL, SIGSEGV, etc.
+ * Instead of messing with it, we just use sigsuspend() instead.
+ */
+#undef HAVE_SIGWAIT
+/*!
+ * We need to remember which thread is the main thread...
+ */
+static pthread_t		main_thread;
+#endif
+
+#ifndef HAVE_SIGWAIT
+static void
+exit_action(int arg) {
+	UNUSED(arg);
+	isc_g_appctx.want_shutdown = true;
+}
+
+static void
+reload_action(int arg) {
+	UNUSED(arg);
+	isc_g_appctx.want_reload = true;
+}
+#endif
+
+static isc_result_t
+handle_signal(int sig, void (*handler)(int)) {
+	struct sigaction sa;
+	char strbuf[ISC_STRERRORSIZE];
+
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = handler;
+
+	if (sigfillset(&sa.sa_mask) != 0 ||
+	    sigaction(sig, &sa, NULL) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_APP,
+					       ISC_MSG_SIGNALSETUP,
+					       "handle_signal() %d setup: %s"),
+				 sig, strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_ctxstart(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc_result_t result;
+	int presult;
+	sigset_t sset;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	/*
+	 * Start an ISC library application.
+	 */
+
+#ifdef NEED_PTHREAD_INIT
+	/*
+	 * BSDI 3.1 seg faults in pthread_sigmask() if we don't do this.
+	 */
+	presult = pthread_init();
+	if (presult != 0) {
+		isc__strerror(presult, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_app_start() pthread_init: %s", strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
+#ifdef HAVE_LINUXTHREADS
+	main_thread = pthread_self();
+#endif /* HAVE_LINUXTHREADS */
+
+	result = isc_mutex_init(&ctx->readylock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = isc_condition_init(&ctx->ready);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rlock;
+
+	result = isc_mutex_init(&ctx->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_rcond;
+#else /* ISC_PLATFORM_USETHREADS */
+	result = isc_mutex_init(&ctx->lock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	ISC_LIST_INIT(ctx->on_run);
+
+	ctx->shutdown_requested = false;
+	ctx->running = false;
+	ctx->want_shutdown = false;
+	ctx->want_reload = false;
+	ctx->blocked = false;
+
+#ifndef HAVE_SIGWAIT
+	/*
+	 * Install do-nothing handlers for SIGINT and SIGTERM.
+	 *
+	 * We install them now because BSDI 3.1 won't block
+	 * the default actions, regardless of what we do with
+	 * pthread_sigmask().
+	 */
+	result = handle_signal(SIGINT, exit_action);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = handle_signal(SIGTERM, exit_action);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#endif
+
+	/*
+	 * Always ignore SIGPIPE.
+	 */
+	result = handle_signal(SIGPIPE, SIG_IGN);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/*
+	 * On Solaris 2, delivery of a signal whose action is SIG_IGN
+	 * will not cause sigwait() to return. We may have inherited
+	 * unexpected actions for SIGHUP, SIGINT, and SIGTERM from our parent
+	 * process (e.g, Solaris cron).  Set an action of SIG_DFL to make
+	 * sure sigwait() works as expected.  Only do this for SIGTERM and
+	 * SIGINT if we don't have sigwait(), since a different handler is
+	 * installed above.
+	 */
+	result = handle_signal(SIGHUP, SIG_DFL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+#ifdef HAVE_SIGWAIT
+	result = handle_signal(SIGTERM, SIG_DFL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = handle_signal(SIGINT, SIG_DFL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
+	/*
+	 * Block SIGHUP, SIGINT, SIGTERM.
+	 *
+	 * If isc_app_start() is called from the main thread before any other
+	 * threads have been created, then the pthread_sigmask() call below
+	 * will result in all threads having SIGHUP, SIGINT and SIGTERM
+	 * blocked by default, ensuring that only the thread that calls
+	 * sigwait() for them will get those signals.
+	 */
+	if (sigemptyset(&sset) != 0 ||
+	    sigaddset(&sset, SIGHUP) != 0 ||
+	    sigaddset(&sset, SIGINT) != 0 ||
+	    sigaddset(&sset, SIGTERM) != 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_app_start() sigsetops: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+	presult = pthread_sigmask(SIG_BLOCK, &sset, NULL);
+	if (presult != 0) {
+		isc__strerror(presult, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_app_start() pthread_sigmask: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+#else /* ISC_PLATFORM_USETHREADS */
+	/*
+	 * Unblock SIGHUP, SIGINT, SIGTERM.
+	 *
+	 * If we're not using threads, we need to make sure that SIGHUP,
+	 * SIGINT and SIGTERM are not inherited as blocked from the parent
+	 * process.
+	 */
+	if (sigemptyset(&sset) != 0 ||
+	    sigaddset(&sset, SIGHUP) != 0 ||
+	    sigaddset(&sset, SIGINT) != 0 ||
+	    sigaddset(&sset, SIGTERM) != 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_app_start() sigsetops: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+	presult = sigprocmask(SIG_UNBLOCK, &sset, NULL);
+	if (presult != 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_app_start() sigprocmask: %s", strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+#ifdef ISC_PLATFORM_USETHREADS
+ cleanup_rcond:
+	(void)isc_condition_destroy(&ctx->ready);
+
+ cleanup_rlock:
+	(void)isc_mutex_destroy(&ctx->readylock);
+#endif /* ISC_PLATFORM_USETHREADS */
+	return (result);
+}
+
+isc_result_t
+isc__app_start(void) {
+	isc_g_appctx.common.impmagic = APPCTX_MAGIC;
+	isc_g_appctx.common.magic = ISCAPI_APPCTX_MAGIC;
+	isc_g_appctx.common.methods = &appmethods.methods;
+	isc_g_appctx.mctx = NULL;
+	/* The remaining members will be initialized in ctxstart() */
+
+	return (isc__app_ctxstart((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+	      void *arg)
+{
+	return (isc__app_ctxonrun((isc_appctx_t *)&isc_g_appctx, mctx,
+				  task, action, arg));
+}
+
+isc_result_t
+isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
+		  isc_taskaction_t action, void *arg)
+{
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc_event_t *event;
+	isc_task_t *cloned_task = NULL;
+	isc_result_t result;
+
+	LOCK(&ctx->lock);
+
+	if (ctx->running) {
+		result = ISC_R_ALREADYRUNNING;
+		goto unlock;
+	}
+
+	/*
+	 * Note that we store the task to which we're going to send the event
+	 * in the event's "sender" field.
+	 */
+	isc_task_attach(task, &cloned_task);
+	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		isc_task_detach(&cloned_task);
+		result = ISC_R_NOMEMORY;
+		goto unlock;
+	}
+
+	ISC_LIST_APPEND(ctx->on_run, event, ev_link);
+
+	result = ISC_R_SUCCESS;
+
+ unlock:
+	UNLOCK(&ctx->lock);
+
+	return (result);
+}
+
+#ifndef ISC_PLATFORM_USETHREADS
+/*!
+ * Event loop for nonthreaded programs.
+ */
+static isc_result_t
+evloop(isc__appctx_t *ctx) {
+	isc_result_t result;
+
+	while (!ctx->want_shutdown) {
+		int n;
+		isc_time_t when, now;
+		struct timeval tv, *tvp;
+		isc_socketwait_t *swait;
+		bool readytasks;
+		bool call_timer_dispatch = false;
+
+		/*
+		 * Check the reload (or suspend) case first for exiting the
+		 * loop as fast as possible in case:
+		 *   - the direct call to isc__taskmgr_dispatch() in
+		 *     isc__app_ctxrun() completes all the tasks so far,
+		 *   - there is thus currently no active task, and
+		 *   - there is a timer event
+		 */
+		if (ctx->want_reload) {
+			ctx->want_reload = false;
+			return (ISC_R_RELOAD);
+		}
+
+		readytasks = isc__taskmgr_ready(ctx->taskmgr);
+		if (readytasks) {
+			tv.tv_sec = 0;
+			tv.tv_usec = 0;
+			tvp = &tv;
+			call_timer_dispatch = true;
+		} else {
+			result = isc__timermgr_nextevent(ctx->timermgr, &when);
+			if (result != ISC_R_SUCCESS)
+				tvp = NULL;
+			else {
+				uint64_t us;
+
+				TIME_NOW(&now);
+				us = isc_time_microdiff(&when, &now);
+				if (us == 0)
+					call_timer_dispatch = true;
+				tv.tv_sec = us / 1000000;
+				tv.tv_usec = us % 1000000;
+				tvp = &tv;
+			}
+		}
+
+		swait = NULL;
+		n = isc__socketmgr_waitevents(ctx->socketmgr, tvp, &swait);
+
+		if (n == 0 || call_timer_dispatch) {
+			/*
+			 * We call isc__timermgr_dispatch() only when
+			 * necessary, in order to reduce overhead.  If the
+			 * select() call indicates a timeout, we need the
+			 * dispatch.  Even if not, if we set the 0-timeout
+			 * for the select() call, we need to check the timer
+			 * events.  In the 'readytasks' case, there may be no
+			 * timeout event actually, but there is no other way
+			 * to reduce the overhead.
+			 * Note that we do not have to worry about the case
+			 * where a new timer is inserted during the select()
+			 * call, since this loop only runs in the non-thread
+			 * mode.
+			 */
+			isc__timermgr_dispatch(ctx->timermgr);
+		}
+		if (n > 0)
+			(void)isc__socketmgr_dispatch(ctx->socketmgr, swait);
+		(void)isc__taskmgr_dispatch(ctx->taskmgr);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is a gross hack to support waiting for condition
+ * variables in nonthreaded programs in a limited way;
+ * see lib/isc/nothreads/include/isc/condition.h.
+ * We implement isc_condition_wait() by entering the
+ * event loop recursively until the want_shutdown flag
+ * is set by isc_condition_signal().
+ */
+
+/*!
+ * \brief True if we are currently executing in the recursive
+ * event loop.
+ */
+static bool in_recursive_evloop = false;
+
+/*!
+ * \brief True if we are exiting the event loop as the result of
+ * a call to isc_condition_signal() rather than a shutdown
+ * or reload.
+ */
+static bool signalled = false;
+
+isc_result_t
+isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
+	isc_result_t result;
+
+	UNUSED(cp);
+	UNUSED(mp);
+
+	INSIST(!in_recursive_evloop);
+	in_recursive_evloop = true;
+
+	INSIST(*mp == 1); /* Mutex must be locked on entry. */
+	--*mp;
+
+	result = evloop(&isc_g_appctx);
+	if (result == ISC_R_RELOAD)
+		isc_g_appctx.want_reload = true;
+	if (signalled) {
+		isc_g_appctx.want_shutdown = false;
+		signalled = false;
+	}
+
+	++*mp;
+	in_recursive_evloop = false;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__nothread_signal_hack(isc_condition_t *cp) {
+
+	UNUSED(cp);
+
+	INSIST(in_recursive_evloop);
+
+	isc_g_appctx.want_shutdown = true;
+	signalled = true;
+	return (ISC_R_SUCCESS);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc__app_ctxrun(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	int result;
+	isc_event_t *event, *next_event;
+	isc_task_t *task;
+#ifdef ISC_PLATFORM_USETHREADS
+	sigset_t sset;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef HAVE_SIGWAIT
+	int sig;
+#endif /* HAVE_SIGWAIT */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+#ifdef HAVE_LINUXTHREADS
+	REQUIRE(main_thread == pthread_self());
+#endif
+
+	LOCK(&ctx->lock);
+
+	if (!ctx->running) {
+		ctx->running = true;
+
+		/*
+		 * Post any on-run events (in FIFO order).
+		 */
+		for (event = ISC_LIST_HEAD(ctx->on_run);
+		     event != NULL;
+		     event = next_event) {
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
+			task = event->ev_sender;
+			event->ev_sender = NULL;
+			isc_task_sendanddetach(&task, &event);
+		}
+
+	}
+
+	UNLOCK(&ctx->lock);
+
+#ifndef ISC_PLATFORM_USETHREADS
+	if (isc_bind9 && ctx == &isc_g_appctx) {
+		result = handle_signal(SIGHUP, reload_action);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+	}
+
+	(void) isc__taskmgr_dispatch(ctx->taskmgr);
+	result = evloop(ctx);
+	return (result);
+#else /* ISC_PLATFORM_USETHREADS */
+	/*
+	 * BIND9 internal tools using multiple contexts do not
+	 * rely on signal.
+	 */
+	if (isc_bind9 && ctx != &isc_g_appctx)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * There is no danger if isc_app_shutdown() is called before we
+	 * wait for signals.  Signals are blocked, so any such signal will
+	 * simply be made pending and we will get it when we call
+	 * sigwait().
+	 */
+	while (!ctx->want_shutdown) {
+#ifdef HAVE_SIGWAIT
+		if (isc_bind9) {
+			/*
+			 * BIND9 internal; single context:
+			 * Wait for SIGHUP, SIGINT, or SIGTERM.
+			 */
+			if (sigemptyset(&sset) != 0 ||
+			    sigaddset(&sset, SIGHUP) != 0 ||
+			    sigaddset(&sset, SIGINT) != 0 ||
+			    sigaddset(&sset, SIGTERM) != 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_run() sigsetops: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+
+#ifndef HAVE_UNIXWARE_SIGWAIT
+			result = sigwait(&sset, &sig);
+			if (result == 0) {
+				if (sig == SIGINT || sig == SIGTERM)
+					ctx->want_shutdown = true;
+				else if (sig == SIGHUP)
+					ctx->want_reload = true;
+			}
+
+#else /* Using UnixWare sigwait semantics. */
+			sig = sigwait(&sset);
+			if (sig >= 0) {
+				if (sig == SIGINT || sig == SIGTERM)
+					ctx->want_shutdown = true;
+				else if (sig == SIGHUP)
+					ctx->want_reload = true;
+			}
+#endif /* HAVE_UNIXWARE_SIGWAIT */
+		} else {
+			/*
+			 * External, or BIND9 using multiple contexts:
+			 * wait until woken up.
+			 */
+			LOCK(&ctx->readylock);
+			if (ctx->want_shutdown) {
+				/* shutdown() won the race. */
+				UNLOCK(&ctx->readylock);
+				break;
+			}
+			if (!ctx->want_reload)
+				WAIT(&ctx->ready, &ctx->readylock);
+			UNLOCK(&ctx->readylock);
+		}
+#else  /* Don't have sigwait(). */
+		if (isc_bind9) {
+			/*
+			 * BIND9 internal; single context:
+			 * Install a signal handler for SIGHUP, then wait for
+			 * all signals.
+			 */
+			result = handle_signal(SIGHUP, reload_action);
+			if (result != ISC_R_SUCCESS)
+				return (ISC_R_SUCCESS);
+
+			if (sigemptyset(&sset) != 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_run() sigsetops: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+#ifdef HAVE_GPERFTOOLS_PROFILER
+			if (sigaddset(&sset, SIGALRM) != 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "isc_app_run() sigsetops: %s",
+						 strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+#endif
+			(void)sigsuspend(&sset);
+		} else {
+			/*
+			 * External, or BIND9 using multiple contexts:
+			 * wait until woken up.
+			 */
+			LOCK(&ctx->readylock);
+			if (ctx->want_shutdown) {
+				/* shutdown() won the race. */
+				UNLOCK(&ctx->readylock);
+				break;
+			}
+			if (!ctx->want_reload)
+				WAIT(&ctx->ready, &ctx->readylock);
+			UNLOCK(&ctx->readylock);
+		}
+#endif /* HAVE_SIGWAIT */
+
+		if (ctx->want_reload) {
+			ctx->want_reload = false;
+			return (ISC_R_RELOAD);
+		}
+
+		if (ctx->want_shutdown && ctx->blocked)
+			exit(1);
+	}
+
+	return (ISC_R_SUCCESS);
+#endif /* ISC_PLATFORM_USETHREADS */
+}
+
+isc_result_t
+isc__app_run(void) {
+	return (isc__app_ctxrun((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_ctxshutdown(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	bool want_kill = true;
+#ifdef ISC_PLATFORM_USETHREADS
+	char strbuf[ISC_STRERRORSIZE];
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	LOCK(&ctx->lock);
+
+	REQUIRE(ctx->running);
+
+	if (ctx->shutdown_requested)
+		want_kill = false;
+	else
+		ctx->shutdown_requested = true;
+
+	UNLOCK(&ctx->lock);
+
+	if (want_kill) {
+		if (isc_bind9 && ctx != &isc_g_appctx)
+			/* BIND9 internal, but using multiple contexts */
+			ctx->want_shutdown = true;
+		else {
+#ifndef ISC_PLATFORM_USETHREADS
+			ctx->want_shutdown = true;
+#else /* ISC_PLATFORM_USETHREADS */
+#ifdef HAVE_LINUXTHREADS
+			if (isc_bind9) {
+				/* BIND9 internal, single context */
+				int result;
+
+				result = pthread_kill(main_thread, SIGTERM);
+				if (result != 0) {
+					isc__strerror(result,
+						      strbuf, sizeof(strbuf));
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "isc_app_shutdown() "
+							 "pthread_kill: %s",
+							 strbuf);
+					return (ISC_R_UNEXPECTED);
+				}
+			}
+#else
+			if (isc_bind9) {
+				/* BIND9 internal, single context */
+				if (kill(getpid(), SIGTERM) < 0) {
+					isc__strerror(errno,
+						      strbuf, sizeof(strbuf));
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "isc_app_shutdown() "
+							 "kill: %s", strbuf);
+					return (ISC_R_UNEXPECTED);
+				}
+			}
+#endif /* HAVE_LINUXTHREADS */
+			else {
+				/* External, multiple contexts */
+				LOCK(&ctx->readylock);
+				ctx->want_shutdown = true;
+				UNLOCK(&ctx->readylock);
+				SIGNAL(&ctx->ready);
+			}
+#endif /* ISC_PLATFORM_USETHREADS */
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_shutdown(void) {
+	return (isc__app_ctxshutdown((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_ctxsuspend(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	bool want_kill = true;
+#ifdef ISC_PLATFORM_USETHREADS
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	LOCK(&ctx->lock);
+
+	REQUIRE(ctx->running);
+
+	/*
+	 * Don't send the reload signal if we're shutting down.
+	 */
+	if (ctx->shutdown_requested)
+		want_kill = false;
+
+	UNLOCK(&ctx->lock);
+
+	if (want_kill) {
+		if (isc_bind9 && ctx != &isc_g_appctx)
+			/* BIND9 internal, but using multiple contexts */
+			ctx->want_reload = true;
+		else {
+#ifndef ISC_PLATFORM_USETHREADS
+			ctx->want_reload = true;
+#else /* ISC_PLATFORM_USETHREADS */
+#ifdef HAVE_LINUXTHREADS
+			if (isc_bind9) {
+				/* BIND9 internal, single context */
+				int result;
+
+				result = pthread_kill(main_thread, SIGHUP);
+				if (result != 0) {
+					isc__strerror(result,
+						      strbuf, sizeof(strbuf));
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "isc_app_reload() "
+							 "pthread_kill: %s",
+							 strbuf);
+					return (ISC_R_UNEXPECTED);
+				}
+			}
+#else
+			if (isc_bind9) {
+				/* BIND9 internal, single context */
+				if (kill(getpid(), SIGHUP) < 0) {
+					isc__strerror(errno,
+						      strbuf, sizeof(strbuf));
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "isc_app_reload() "
+							 "kill: %s", strbuf);
+					return (ISC_R_UNEXPECTED);
+				}
+			}
+#endif /* HAVE_LINUXTHREADS */
+			else {
+				/* External, multiple contexts */
+				LOCK(&ctx->readylock);
+				ctx->want_reload = true;
+				UNLOCK(&ctx->readylock);
+				SIGNAL(&ctx->ready);
+			}
+#endif /* ISC_PLATFORM_USETHREADS */
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_reload(void) {
+	return (isc__app_ctxsuspend((isc_appctx_t *)&isc_g_appctx));
+}
+
+void
+isc__app_ctxfinish(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	DESTROYLOCK(&ctx->lock);
+}
+
+void
+isc__app_finish(void) {
+	isc__app_ctxfinish((isc_appctx_t *)&isc_g_appctx);
+}
+
+void
+isc__app_block(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+	sigset_t sset;
+#endif /* ISC_PLATFORM_USETHREADS */
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(!isc_g_appctx.blocked);
+
+	isc_g_appctx.blocked = true;
+#ifdef ISC_PLATFORM_USETHREADS
+	blockedthread = pthread_self();
+	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+		      sigaddset(&sset, SIGINT) == 0 &&
+		      sigaddset(&sset, SIGTERM) == 0);
+	RUNTIME_CHECK(pthread_sigmask(SIG_UNBLOCK, &sset, NULL) == 0);
+#endif /* ISC_PLATFORM_USETHREADS */
+}
+
+void
+isc__app_unblock(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+	sigset_t sset;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(isc_g_appctx.blocked);
+
+	isc_g_appctx.blocked = false;
+
+#ifdef ISC_PLATFORM_USETHREADS
+	REQUIRE(blockedthread == pthread_self());
+
+	RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+		      sigaddset(&sset, SIGINT) == 0 &&
+		      sigaddset(&sset, SIGTERM) == 0);
+	RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
+#endif /* ISC_PLATFORM_USETHREADS */
+}
+
+isc_result_t
+isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+
+	ctx = isc_mem_get(mctx, sizeof(*ctx));
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ctx->common.impmagic = APPCTX_MAGIC;
+	ctx->common.magic = ISCAPI_APPCTX_MAGIC;
+	ctx->common.methods = &appmethods.methods;
+
+	ctx->mctx = NULL;
+	isc_mem_attach(mctx, &ctx->mctx);
+
+	ctx->taskmgr = NULL;
+	ctx->socketmgr = NULL;
+	ctx->timermgr = NULL;
+
+	*ctxp = (isc_appctx_t *)ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__appctx_destroy(isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__appctx_t *)*ctxp;
+	REQUIRE(VALID_APPCTX(ctx));
+
+	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
+
+	*ctxp = NULL;
+}
+
+void
+isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->taskmgr = taskmgr;
+}
+
+void
+isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->socketmgr = socketmgr;
+}
+
+void
+isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->timermgr = timermgr;
+}
+
+isc_result_t
+isc__app_register(void) {
+	return (isc_app_register(isc__appctx_create));
+}
+
+#include "../app_api.c"
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
new file mode 100644
index 0000000..dae0e66
--- /dev/null
+++ b/lib/isc/unix/dir.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/dir.h>
+#include <isc/magic.h>
+#include <isc/netdb.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#define ISC_DIR_MAGIC		ISC_MAGIC('D', 'I', 'R', '*')
+#define VALID_DIR(dir)		ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
+
+void
+isc_dir_init(isc_dir_t *dir) {
+	REQUIRE(dir != NULL);
+
+	dir->entry.name[0] = '\0';
+	dir->entry.length = 0;
+
+	dir->handle = NULL;
+
+	dir->magic = ISC_DIR_MAGIC;
+}
+
+/*!
+ * \brief Allocate workspace and open directory stream. If either one fails,
+ * NULL will be returned.
+ */
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname) {
+	char *p;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_DIR(dir));
+	REQUIRE(dirname != NULL);
+
+	/*
+	 * Copy directory name.  Need to have enough space for the name,
+	 * a possible path separator, the wildcard, and the final NUL.
+	 */
+	if (strlen(dirname) + 3 > sizeof(dir->dirname)) {
+		/* XXXDCL ? */
+		return (ISC_R_NOSPACE);
+	}
+	strlcpy(dir->dirname, dirname, sizeof(dir->dirname));
+
+	/*
+	 * Append path separator, if needed, and "*".
+	 */
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '/')
+		*p++ = '/';
+	*p++ = '*';
+	*p = '\0';
+
+	/*
+	 * Open stream.
+	 */
+	dir->handle = opendir(dirname);
+
+	if (dir->handle == NULL) {
+		return (isc__errno2result(errno));
+	}
+
+	return (result);
+}
+
+/*!
+ * \brief Return previously retrieved file or get next one.
+
+ * Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+isc_dir_read(isc_dir_t *dir) {
+	struct dirent *entry;
+
+	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+	/*
+	 * Fetch next file in directory.
+	 */
+	entry = readdir(dir->handle);
+
+	if (entry == NULL)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	if (sizeof(dir->entry.name) <= strlen(entry->d_name))
+		return (ISC_R_UNEXPECTED);
+
+	strlcpy(dir->entry.name, entry->d_name, sizeof(dir->entry.name));
+
+	/*
+	 * Some dirents have d_namlen, but it is not portable.
+	 */
+	dir->entry.length = strlen(entry->d_name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*!
+ * \brief Close directory stream.
+ */
+void
+isc_dir_close(isc_dir_t *dir) {
+       REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+       (void)closedir(dir->handle);
+       dir->handle = NULL;
+}
+
+/*!
+ * \brief Reposition directory stream at start.
+ */
+isc_result_t
+isc_dir_reset(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+	rewinddir(dir->handle);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chdir(const char *dirname) {
+	/*!
+	 * \brief Change the current directory to 'dirname'.
+	 */
+
+	REQUIRE(dirname != NULL);
+
+	if (chdir(dirname) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chroot(const char *dirname) {
+#ifdef HAVE_CHROOT
+	void *tmp;
+#endif
+
+	REQUIRE(dirname != NULL);
+
+#ifdef HAVE_CHROOT
+	/*
+	 * Try to use getservbyname and getprotobyname before chroot.
+	 * If WKS records are used in a zone under chroot, Name Service Switch
+	 * may fail to load library in chroot.
+	 * Do not report errors if it fails, we do not need any result now.
+	 */
+	tmp = getprotobyname("udp");
+	if (tmp != NULL)
+		(void) getservbyname("domain", "udp");
+
+	if (chroot(dirname) < 0 || chdir("/") < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+#else
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+isc_dir_createunique(char *templet) {
+	isc_result_t result;
+	char *x;
+	char *p;
+	int i;
+	int pid;
+
+	REQUIRE(templet != NULL);
+
+	/*!
+	 * \brief mkdtemp is not portable, so this emulates it.
+	 */
+
+	pid = getpid();
+
+	/*
+	 * Replace trailing Xs with the process-id, zero-filled.
+	 */
+	for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
+	     x--, pid /= 10)
+		*x = pid % 10 + '0';
+
+	x++;			/* Set x to start of ex-Xs. */
+
+	do {
+		i = mkdir(templet, 0700);
+		if (i == 0 || errno != EEXIST)
+			break;
+
+		/*
+		 * The BSD algorithm.
+		 */
+		p = x;
+		while (*p != '\0') {
+			if (isdigit(*p & 0xff))
+				*p = 'a';
+			else if (*p != 'z')
+				++*p;
+			else {
+				/*
+				 * Reset character and move to next.
+				 */
+				*p++ = 'a';
+				continue;
+			}
+
+			break;
+		}
+
+		if (*p == '\0') {
+			/*
+			 * Tried all combinations.  errno should already
+			 * be EEXIST, but ensure it is anyway for
+			 * isc__errno2result().
+			 */
+			errno = EEXIST;
+			break;
+		}
+	} while (1);
+
+	if (i == -1)
+		result = isc__errno2result(errno);
+	else
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
new file mode 100644
index 0000000..18eb938
--- /dev/null
+++ b/lib/isc/unix/entropy.c
@@ -0,0 +1,603 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* \file unix/entropy.c
+ * \brief
+ * This is the system dependent part of the ISC entropy API.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <sys/param.h>	/* Openserver 5.0.6A and FD_SETSIZE */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#ifdef HAVE_NANOSLEEP
+#include <time.h>
+#endif
+#include <unistd.h>
+
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+
+#ifdef ISC_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+#include "errno2result.h"
+
+/*%
+ * There is only one variable in the entropy data structures that is not
+ * system independent, but pulling the structure that uses it into this file
+ * ultimately means pulling several other independent structures here also to
+ * resolve their interdependencies.  Thus only the problem variable's type
+ * is defined here.
+ */
+#define FILESOURCE_HANDLE_TYPE	int
+
+typedef struct {
+	int	handle;
+	enum	{
+		isc_usocketsource_disconnected,
+		isc_usocketsource_connecting,
+		isc_usocketsource_connected,
+		isc_usocketsource_ndesired,
+		isc_usocketsource_wrote,
+		isc_usocketsource_reading
+	} status;
+	size_t	sz_to_recv;
+} isc_entropyusocketsource_t;
+
+#include "../entropy.c"
+
+static unsigned int
+get_from_filesource(isc_entropysource_t *source, uint32_t desired) {
+	isc_entropy_t *ent = source->ent;
+	unsigned char buf[128];
+	int fd = source->sources.file.handle;
+	ssize_t n, ndesired;
+	unsigned int added;
+
+	if (source->bad)
+		return (0);
+
+	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+	added = 0;
+	while (desired > 0) {
+		ndesired = ISC_MIN(desired, sizeof(buf));
+		n = read(fd, buf, ndesired);
+		if (n < 0) {
+			if (errno == EAGAIN || errno == EINTR)
+				goto out;
+			goto err;
+		}
+		if (n == 0)
+			goto err;
+
+		entropypool_adddata(ent, buf, n, n * 8);
+		added += n * 8;
+		desired -= n;
+	}
+	goto out;
+
+ err:
+	(void)close(fd);
+	source->sources.file.handle = -1;
+	source->bad = true;
+
+ out:
+	return (added);
+}
+
+static unsigned int
+get_from_usocketsource(isc_entropysource_t *source, uint32_t desired) {
+	isc_entropy_t *ent = source->ent;
+	unsigned char buf[128];
+	int fd = source->sources.usocket.handle;
+	ssize_t n = 0, ndesired;
+	unsigned int added;
+	size_t sz_to_recv = source->sources.usocket.sz_to_recv;
+
+	if (source->bad)
+		return (0);
+
+	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+	added = 0;
+	while (desired > 0) {
+		ndesired = ISC_MIN(desired, sizeof(buf));
+ eagain_loop:
+
+		switch ( source->sources.usocket.status ) {
+		case isc_usocketsource_ndesired:
+			buf[0] = ndesired;
+			if ((n = sendto(fd, buf, 1, 0, NULL, 0)) < 0) {
+				if (errno == EWOULDBLOCK || errno == EINTR ||
+				    errno == ECONNRESET)
+					goto out;
+				goto err;
+			}
+			INSIST(n == 1);
+			source->sources.usocket.status =
+						isc_usocketsource_wrote;
+			goto eagain_loop;
+
+		case isc_usocketsource_connecting:
+		case isc_usocketsource_connected:
+			buf[0] = 1;
+			buf[1] = ndesired;
+			if ((n = sendto(fd, buf, 2, 0, NULL, 0)) < 0) {
+				if (errno == EWOULDBLOCK || errno == EINTR ||
+				    errno == ECONNRESET)
+					goto out;
+				goto err;
+			}
+			if (n == 1) {
+				source->sources.usocket.status =
+					isc_usocketsource_ndesired;
+				goto eagain_loop;
+			}
+			INSIST(n == 2);
+			source->sources.usocket.status =
+						isc_usocketsource_wrote;
+			/* FALLTHROUGH */
+
+		case isc_usocketsource_wrote:
+			if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) {
+				if (errno == EAGAIN) {
+					/*
+					 * The problem of EAGAIN (try again
+					 * later) is a major issue on HP-UX.
+					 * Solaris actually tries the recvfrom
+					 * call again, while HP-UX just dies.
+					 * This code is an attempt to let the
+					 * entropy pool fill back up (at least
+					 * that's what I think the problem is.)
+					 * We go to eagain_loop because if we
+					 * just "break", then the "desired"
+					 * amount gets borked.
+					 */
+#ifdef HAVE_NANOSLEEP
+					struct timespec ts;
+
+					ts.tv_sec = 0;
+					ts.tv_nsec = 1000000;
+					nanosleep(&ts, NULL);
+#else
+					usleep(1000);
+#endif
+					goto eagain_loop;
+				}
+				if (errno == EWOULDBLOCK || errno == EINTR)
+					goto out;
+				goto err;
+			}
+			source->sources.usocket.status =
+					isc_usocketsource_reading;
+			sz_to_recv = buf[0];
+			source->sources.usocket.sz_to_recv = sz_to_recv;
+			if (sz_to_recv > sizeof(buf))
+				goto err;
+			/* FALLTHROUGH */
+
+		case isc_usocketsource_reading:
+			if (sz_to_recv != 0U) {
+				n = recv(fd, buf, sz_to_recv, 0);
+				if (n < 0) {
+					if (errno == EWOULDBLOCK ||
+					    errno == EINTR)
+						goto out;
+					goto err;
+				}
+			} else
+				n = 0;
+			break;
+
+		default:
+			goto err;
+		}
+
+		if ((size_t)n != sz_to_recv)
+			source->sources.usocket.sz_to_recv -= n;
+		else
+			source->sources.usocket.status =
+				isc_usocketsource_connected;
+
+		if (n == 0)
+			goto out;
+
+		entropypool_adddata(ent, buf, n, n * 8);
+		added += n * 8;
+		desired -= n;
+	}
+	goto out;
+
+ err:
+	close(fd);
+	source->bad = true;
+	source->sources.usocket.status = isc_usocketsource_disconnected;
+	source->sources.usocket.handle = -1;
+
+ out:
+	return (added);
+}
+
+/*
+ * Poll each source, trying to get data from it to stuff into the entropy
+ * pool.
+ */
+static void
+fillpool(isc_entropy_t *ent, unsigned int desired, bool blocking) {
+	unsigned int added;
+	unsigned int remaining;
+	unsigned int needed;
+	unsigned int nsource;
+	isc_entropysource_t *source;
+
+	REQUIRE(VALID_ENTROPY(ent));
+
+	needed = desired;
+
+	/*
+	 * This logic is a little strange, so an explanation is in order.
+	 *
+	 * If needed is 0, it means we are being asked to "fill to whatever
+	 * we think is best."  This means that if we have at least a
+	 * partially full pool (say, > 1/4th of the pool) we probably don't
+	 * need to add anything.
+	 *
+	 * Also, we will check to see if the "pseudo" count is too high.
+	 * If it is, try to mix in better data.  Too high is currently
+	 * defined as 1/4th of the pool.
+	 *
+	 * Next, if we are asked to add a specific bit of entropy, make
+	 * certain that we will do so.  Clamp how much we try to add to
+	 * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
+	 *
+	 * Note that if we are in a blocking mode, we will only try to
+	 * get as much data as we need, not as much as we might want
+	 * to build up.
+	 */
+	if (needed == 0) {
+		REQUIRE(!blocking);
+
+		if ((ent->pool.entropy >= RND_POOLBITS / 4)
+		    && (ent->pool.pseudo <= RND_POOLBITS / 4))
+			return;
+
+		needed = THRESHOLD_BITS * 4;
+	} else {
+		needed = ISC_MAX(needed, THRESHOLD_BITS);
+		needed = ISC_MIN(needed, RND_POOLBITS);
+	}
+
+	/*
+	 * In any case, clamp how much we need to how much we can add.
+	 */
+	needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy);
+
+	/*
+	 * But wait!  If we're not yet initialized, we need at least
+	 *	THRESHOLD_BITS
+	 * of randomness.
+	 */
+	if (ent->initialized < THRESHOLD_BITS)
+		needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized);
+
+	/*
+	 * Poll each file source to see if we can read anything useful from
+	 * it.  XXXMLG When where are multiple sources, we should keep a
+	 * record of which one we last used so we can start from it (or the
+	 * next one) to avoid letting some sources build up entropy while
+	 * others are always drained.
+	 */
+
+	added = 0;
+	remaining = needed;
+	if (ent->nextsource == NULL) {
+		ent->nextsource = ISC_LIST_HEAD(ent->sources);
+		if (ent->nextsource == NULL)
+			return;
+	}
+	source = ent->nextsource;
+ again_file:
+	for (nsource = 0; nsource < ent->nsources; nsource++) {
+		unsigned int got;
+
+		if (remaining == 0)
+			break;
+
+		got = 0;
+
+		switch ( source->type ) {
+		case ENTROPY_SOURCETYPE_FILE:
+			got = get_from_filesource(source, remaining);
+			break;
+
+		case ENTROPY_SOURCETYPE_USOCKET:
+			got = get_from_usocketsource(source, remaining);
+			break;
+		}
+
+		added += got;
+
+		remaining -= ISC_MIN(remaining, got);
+
+		source = ISC_LIST_NEXT(source, link);
+		if (source == NULL)
+			source = ISC_LIST_HEAD(ent->sources);
+	}
+	ent->nextsource = source;
+
+	if (blocking && remaining != 0) {
+		int fds;
+
+		fds = wait_for_sources(ent);
+		if (fds > 0)
+			goto again_file;
+	}
+
+	/*
+	 * Here, if there are bits remaining to be had and we can block,
+	 * check to see if we have a callback source.  If so, call them.
+	 */
+	source = ISC_LIST_HEAD(ent->sources);
+	while ((remaining != 0) && (source != NULL)) {
+		unsigned int got;
+
+		got = 0;
+
+		if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
+			got = get_from_callback(source, remaining, blocking);
+
+		added += got;
+		remaining -= ISC_MIN(remaining, got);
+
+		if (added >= needed)
+			break;
+
+		source = ISC_LIST_NEXT(source, link);
+	}
+
+	/*
+	 * Mark as initialized if we've added enough data.
+	 */
+	if (ent->initialized < THRESHOLD_BITS)
+		ent->initialized += added;
+}
+
+static int
+wait_for_sources(isc_entropy_t *ent) {
+	isc_entropysource_t *source;
+	int maxfd, fd;
+	int cc;
+	fd_set reads;
+	fd_set writes;
+
+	maxfd = -1;
+	FD_ZERO(&reads);
+	FD_ZERO(&writes);
+
+	source = ISC_LIST_HEAD(ent->sources);
+	while (source != NULL) {
+		if (source->type == ENTROPY_SOURCETYPE_FILE) {
+			fd = source->sources.file.handle;
+			if (fd >= 0) {
+				maxfd = ISC_MAX(maxfd, fd);
+				FD_SET(fd, &reads);
+			}
+		}
+		if (source->type == ENTROPY_SOURCETYPE_USOCKET) {
+			fd = source->sources.usocket.handle;
+			if (fd >= 0) {
+				switch (source->sources.usocket.status) {
+				case isc_usocketsource_disconnected:
+					break;
+				case isc_usocketsource_connecting:
+				case isc_usocketsource_connected:
+				case isc_usocketsource_ndesired:
+					maxfd = ISC_MAX(maxfd, fd);
+					FD_SET(fd, &writes);
+					break;
+				case isc_usocketsource_wrote:
+				case isc_usocketsource_reading:
+					maxfd = ISC_MAX(maxfd, fd);
+					FD_SET(fd, &reads);
+					break;
+				}
+			}
+		}
+		source = ISC_LIST_NEXT(source, link);
+	}
+
+	if (maxfd < 0)
+		return (-1);
+
+	cc = select(maxfd + 1, &reads, &writes, NULL, NULL);
+	if (cc < 0)
+		return (-1);
+
+	return (cc);
+}
+
+static void
+destroyfilesource(isc_entropyfilesource_t *source) {
+	(void)close(source->handle);
+}
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source) {
+	close(source->handle);
+}
+
+/*
+ * Make a fd non-blocking
+ */
+static isc_result_t
+make_nonblock(int fd) {
+	int ret;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef USE_FIONBIO_IOCTL
+	int on = 1;
+#else
+	int flags;
+#endif
+
+#ifdef USE_FIONBIO_IOCTL
+	ret = ioctl(fd, FIONBIO, (char *)&on);
+#else
+	flags = fcntl(fd, F_GETFL, 0);
+	flags |= PORT_NONBLOCK;
+	ret = fcntl(fd, F_SETFL, flags);
+#endif
+
+	if (ret == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+#ifdef USE_FIONBIO_IOCTL
+				 "ioctl(%d, FIONBIO, &on): %s", fd,
+#else
+				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
+#endif
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
+	int fd;
+	struct stat _stat;
+	bool is_usocket = false;
+	bool is_connected = false;
+	isc_result_t ret;
+	isc_entropysource_t *source;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(fname != NULL);
+
+	LOCK(&ent->lock);
+
+	if (stat(fname, &_stat) < 0) {
+		ret = isc__errno2result(errno);
+		goto errout;
+	}
+	/*
+	 * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
+	 * but it does return type S_IFIFO (the OS believes that
+	 * the socket is a fifo).  This may be an issue if we tell
+	 * the program to look at an actual FIFO as its source of
+	 * entropy.
+	 */
+#if defined(S_ISSOCK)
+	if (S_ISSOCK(_stat.st_mode))
+		is_usocket = true;
+#endif
+#if defined(S_ISFIFO) && defined(sun)
+	if (S_ISFIFO(_stat.st_mode))
+		is_usocket = true;
+#endif
+	if (is_usocket)
+		fd = socket(PF_UNIX, SOCK_STREAM, 0);
+	else
+		fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
+
+	if (fd < 0) {
+		ret = isc__errno2result(errno);
+		goto errout;
+	}
+
+	ret = make_nonblock(fd);
+	if (ret != ISC_R_SUCCESS)
+		goto closefd;
+
+	if (is_usocket) {
+		struct sockaddr_un sname;
+
+		memset(&sname, 0, sizeof(sname));
+		sname.sun_family = AF_UNIX;
+		strlcpy(sname.sun_path, fname, sizeof(sname.sun_path));
+#ifdef ISC_PLATFORM_HAVESALEN
+#if !defined(SUN_LEN)
+#define SUN_LEN(su) \
+	(sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
+#endif
+		sname.sun_len = SUN_LEN(&sname);
+#endif
+
+		if (connect(fd, (struct sockaddr *) &sname,
+			    sizeof(struct sockaddr_un)) < 0) {
+			if (errno != EINPROGRESS) {
+				ret = isc__errno2result(errno);
+				goto closefd;
+			}
+		} else
+			is_connected = true;
+	}
+
+	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+	if (source == NULL) {
+		ret = ISC_R_NOMEMORY;
+		goto closefd;
+	}
+
+	/*
+	 * From here down, no failures can occur.
+	 */
+	source->magic = SOURCE_MAGIC;
+	source->ent = ent;
+	source->total = 0;
+	source->bad = false;
+	memset(source->name, 0, sizeof(source->name));
+	ISC_LINK_INIT(source, link);
+	if (is_usocket) {
+		source->sources.usocket.handle = fd;
+		if (is_connected)
+			source->sources.usocket.status =
+					isc_usocketsource_connected;
+		else
+			source->sources.usocket.status =
+					isc_usocketsource_connecting;
+		source->sources.usocket.sz_to_recv = 0;
+		source->type = ENTROPY_SOURCETYPE_USOCKET;
+	} else {
+		source->sources.file.handle = fd;
+		source->type = ENTROPY_SOURCETYPE_FILE;
+	}
+
+	/*
+	 * Hook it into the entropy system.
+	 */
+	ISC_LIST_APPEND(ent->sources, source, link);
+	ent->nsources++;
+
+	UNLOCK(&ent->lock);
+	return (ISC_R_SUCCESS);
+
+ closefd:
+	(void)close(fd);
+
+ errout:
+	UNLOCK(&ent->lock);
+
+	return (ret);
+}
diff --git a/lib/isc/unix/errno.c b/lib/isc/unix/errno.c
new file mode 100644
index 0000000..a2445f3
--- /dev/null
+++ b/lib/isc/unix/errno.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/errno.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_errno_toresult(int err) {
+	return (isc___errno2result(err, false, 0, 0));
+}
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
new file mode 100644
index 0000000..2f12bcc
--- /dev/null
+++ b/lib/isc/unix/errno2result.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*%
+ * Convert a POSIX errno value into an isc_result_t.  The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc___errno2result(int posixerrno, bool dolog,
+		   const char *file, unsigned int line)
+{
+	char strbuf[ISC_STRERRORSIZE];
+
+	switch (posixerrno) {
+	case ENOTDIR:
+	case ELOOP:
+	case EINVAL:		/* XXX sometimes this is not for files */
+	case ENAMETOOLONG:
+	case EBADF:
+		return (ISC_R_INVALIDFILE);
+	case ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case EACCES:
+	case EPERM:
+		return (ISC_R_NOPERM);
+	case EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case EIO:
+		return (ISC_R_IOERROR);
+	case ENOMEM:
+		return (ISC_R_NOMEMORY);
+	case ENFILE:
+	case EMFILE:
+		return (ISC_R_TOOMANYOPENFILES);
+#ifdef EOVERFLOW
+	case EOVERFLOW:
+		return (ISC_R_RANGE);
+#endif
+	case EPIPE:
+#ifdef ECONNRESET
+	case ECONNRESET:
+#endif
+#ifdef ECONNABORTED
+	case ECONNABORTED:
+#endif
+		return (ISC_R_CONNECTIONRESET);
+#ifdef ENOTCONN
+	case ENOTCONN:
+		return (ISC_R_NOTCONNECTED);
+#endif
+#ifdef ETIMEDOUT
+	case ETIMEDOUT:
+		return (ISC_R_TIMEDOUT);
+#endif
+#ifdef ENOBUFS
+	case ENOBUFS:
+		return (ISC_R_NORESOURCES);
+#endif
+#ifdef EAFNOSUPPORT
+	case EAFNOSUPPORT:
+		return (ISC_R_FAMILYNOSUPPORT);
+#endif
+#ifdef ENETDOWN
+	case ENETDOWN:
+		return (ISC_R_NETDOWN);
+#endif
+#ifdef EHOSTDOWN
+	case EHOSTDOWN:
+		return (ISC_R_HOSTDOWN);
+#endif
+#ifdef ENETUNREACH
+	case ENETUNREACH:
+		return (ISC_R_NETUNREACH);
+#endif
+#ifdef EHOSTUNREACH
+	case EHOSTUNREACH:
+		return (ISC_R_HOSTUNREACH);
+#endif
+#ifdef EADDRINUSE
+	case EADDRINUSE:
+		return (ISC_R_ADDRINUSE);
+#endif
+	case EADDRNOTAVAIL:
+		return (ISC_R_ADDRNOTAVAIL);
+	case ECONNREFUSED:
+		return (ISC_R_CONNREFUSED);
+	default:
+		if (dolog) {
+			isc__strerror(posixerrno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(file, line, "unable to convert errno "
+					 "to isc_result: %d: %s",
+					 posixerrno, strbuf);
+		}
+		/*
+		 * XXXDCL would be nice if perhaps this function could
+		 * return the system's error string, so the caller
+		 * might have something more descriptive than "unexpected
+		 * error" to log with.
+		 */
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/unix/errno2result.h b/lib/isc/unix/errno2result.h
new file mode 100644
index 0000000..7733ab3
--- /dev/null
+++ b/lib/isc/unix/errno2result.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef UNIX_ERRNO2RESULT_H
+#define UNIX_ERRNO2RESULT_H 1
+
+/*! \file */
+
+/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
+
+#include <errno.h>		/* Provides errno. */
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define isc__errno2result(x) isc___errno2result(x, true, __FILE__, __LINE__)
+
+isc_result_t
+isc___errno2result(int posixerrno, bool dolog,
+		   const char *file, unsigned int line);
+
+ISC_LANG_ENDDECLS
+
+#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
new file mode 100644
index 0000000..64d9596
--- /dev/null
+++ b/lib/isc/unix/file.c
@@ -0,0 +1,781 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Portions Copyright (c) 1987, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <time.h>		/* Required for utimes on some platforms. */
+#include <unistd.h>		/* Required for mkstemp on NetBSD. */
+
+
+#include <sys/stat.h>
+#include <sys/time.h>
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used.  But then you get into
+ * annoying MP issues.   BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(stats != NULL);
+
+	if (stat(file, stats) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+}
+
+static isc_result_t
+fd_stats(int fd, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(stats != NULL);
+
+	if (fstat(fd, stats) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(size != NULL);
+
+	result = fd_stats(fd, &stats);
+
+	if (result == ISC_R_SUCCESS)
+		*size = stats.st_size;
+
+	return (result);
+}
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(modep != NULL);
+
+	result = file_stats(file, &stats);
+	if (result == ISC_R_SUCCESS)
+		*modep = (stats.st_mode & 07777);
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *modtime) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(modtime != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS)
+#ifdef ISC_PLATFORM_HAVESTATNSEC
+		isc_time_set(modtime, stats.st_mtime, stats.st_mtim.tv_nsec);
+#else
+		isc_time_set(modtime, stats.st_mtime, 0);
+#endif
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(size != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS)
+		*size = stats.st_size;
+
+	return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *when) {
+	struct timeval times[2];
+
+	REQUIRE(file != NULL && when != NULL);
+
+	/*
+	 * tv_sec is at least a 32 bit quantity on all platforms we're
+	 * dealing with, but it is signed on most (all?) of them,
+	 * so we need to make sure the high bit isn't set.  This unfortunately
+	 * loses when either:
+	 *   * tv_sec becomes a signed 64 bit integer but long is 32 bits
+	 *	and isc_time_seconds > LONG_MAX, or
+	 *   * isc_time_seconds is changed to be > 32 bits but long is 32 bits
+	 *      and isc_time_seconds has at least 33 significant bits.
+	 */
+	times[0].tv_sec = times[1].tv_sec = (long)isc_time_seconds(when);
+
+	/*
+	 * Here is the real check for the high bit being set.
+	 */
+	if ((times[0].tv_sec &
+	     (1ULL << (sizeof(times[0].tv_sec) * CHAR_BIT - 1))) != 0)
+		return (ISC_R_RANGE);
+
+	/*
+	 * isc_time_nanoseconds guarantees a value that divided by 1000 will
+	 * fit into the minimum possible size tv_usec field.  Unfortunately,
+	 * we don't know what that type is so can't cast directly ... but
+	 * we can at least cast to signed so the IRIX compiler shuts up.
+	 */
+	times[0].tv_usec = times[1].tv_usec =
+		(int32_t)(isc_time_nanoseconds(when) / 1000);
+
+	if (utimes(file, times) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
+
+#undef TEMPLATE
+#define TEMPLATE "tmp-XXXXXXXXXX" /*%< 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+	return (isc_file_template(path, TEMPLATE, buf, buflen));
+}
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen)
+{
+	const char *s;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(buf != NULL);
+
+	if (path == NULL)
+		path = "";
+
+	s = strrchr(templet, '/');
+	if (s != NULL)
+		templet = s + 1;
+
+	s = strrchr(path, '/');
+
+	if (s != NULL) {
+		size_t prefixlen = s - path + 1;
+		if ((prefixlen + strlen(templet) + 1) > buflen)
+			return (ISC_R_NOSPACE);
+
+		/* Copy 'prefixlen' bytes and NUL terminate. */
+		strlcpy(buf, path, ISC_MIN(prefixlen + 1, buflen));
+		strlcat(buf, templet, buflen);
+	} else {
+		if ((strlen(templet) + 1) > buflen)
+			return (ISC_R_NOSPACE);
+
+		strlcpy(buf, templet, buflen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static const char alphnum[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet) {
+	char *x;
+	char *cp;
+
+	REQUIRE(file != NULL);
+	REQUIRE(templet != NULL);
+
+	cp = templet;
+	while (*cp != '\0')
+		cp++;
+	if (cp == templet)
+		return (ISC_R_FAILURE);
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		uint32_t which;
+
+		isc_random_get(&which);
+		*cp = alphnum[which % (sizeof(alphnum) - 1)];
+		x = cp--;
+	}
+	while (link(file, templet) == -1) {
+		if (errno != EEXIST)
+			return (isc__errno2result(errno));
+		for (cp = x;;) {
+			const char *t;
+			if (*cp == '\0')
+				return (ISC_R_FAILURE);
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0')
+				*cp++ = alphnum[0];
+			else {
+				*cp = *t;
+				break;
+			}
+		}
+	}
+	if (unlink(file) < 0)
+		if (errno != ENOENT)
+			return (isc__errno2result(errno));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+	int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp) {
+	int mode = S_IWUSR|S_IRUSR;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
+	int fd;
+	FILE *f;
+	isc_result_t result = ISC_R_SUCCESS;
+	char *x;
+	char *cp;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	cp = templet;
+	while (*cp != '\0')
+		cp++;
+	if (cp == templet)
+		return (ISC_R_FAILURE);
+
+	x = cp--;
+	while (cp >= templet && *cp == 'X') {
+		uint32_t which;
+
+		isc_random_get(&which);
+		*cp = alphnum[which % (sizeof(alphnum) - 1)];
+		x = cp--;
+	}
+
+
+	while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
+		if (errno != EEXIST)
+			return (isc__errno2result(errno));
+		for (cp = x;;) {
+			char *t;
+			if (*cp == '\0')
+				return (ISC_R_FAILURE);
+			t = strchr(alphnum, *cp);
+			if (t == NULL || *++t == '\0')
+				*cp++ = alphnum[0];
+			else {
+				*cp = *t;
+				break;
+			}
+		}
+	}
+	f = fdopen(fd, "w+");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		if (remove(templet) < 0) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_FILE, ISC_LOG_ERROR,
+				      "remove '%s': failed", templet);
+		}
+		(void)close(fd);
+	} else
+		*fp = f;
+
+	return (result);
+}
+
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp) {
+	int mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
+	int mode = S_IWUSR|S_IRUSR;
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
+	return (isc_file_openuniquemode(templet, mode, fp));
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+	int r;
+
+	REQUIRE(filename != NULL);
+
+	r = unlink(filename);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname) {
+	int r;
+
+	REQUIRE(oldname != NULL);
+	REQUIRE(newname != NULL);
+
+	r = rename(oldname, newname);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+bool
+isc_file_exists(const char *pathname) {
+	struct stat stats;
+
+	REQUIRE(pathname != NULL);
+
+	return (file_stats(pathname, &stats) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfile(const char *filename) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISREG(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfilefd(int fd) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((fstat(fd, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISREG(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isdirectory(const char *filename) {
+	/*
+	 * This function returns success if filename exists and is a
+	 * directory.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISDIR(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+
+bool
+isc_file_isabsolute(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '/');
+}
+
+bool
+isc_file_iscurrentdir(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '.' && filename[1] == '\0');
+}
+
+bool
+isc_file_ischdiridempotent(const char *filename) {
+	REQUIRE(filename != NULL);
+	if (isc_file_isabsolute(filename))
+		return (true);
+	if (isc_file_iscurrentdir(filename))
+		return (true);
+	return (false);
+}
+
+const char *
+isc_file_basename(const char *filename) {
+	const char *s;
+
+	REQUIRE(filename != NULL);
+
+	s = strrchr(filename, '/');
+	if (s == NULL)
+		return (filename);
+
+	return (s + 1);
+}
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen) {
+	const char *base;
+	size_t len;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(buf != NULL);
+
+	base = isc_file_basename(filename);
+	len = strlen(base) + 1;
+
+	if (len > buflen)
+		return (ISC_R_NOSPACE);
+	memmove(buf, base, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Put the absolute name of the current directory into 'dirname', which is
+ * a buffer of at least 'length' characters.  End the string with the
+ * appropriate path separator, such that the final product could be
+ * concatenated with a relative pathname to make a valid pathname string.
+ */
+static isc_result_t
+dir_current(char *dirname, size_t length) {
+	char *cwd;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(dirname != NULL);
+	REQUIRE(length > 0U);
+
+	cwd = getcwd(dirname, length);
+
+	if (cwd == NULL) {
+		if (errno == ERANGE) {
+			result = ISC_R_NOSPACE;
+		} else {
+			result = isc__errno2result(errno);
+		}
+	} else {
+		if (strlen(dirname) + 1 == length) {
+			result = ISC_R_NOSPACE;
+		} else if (dirname[1] != '\0') {
+			strlcat(dirname, "/", length);
+		}
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
+	isc_result_t result;
+	result = dir_current(path, pathlen);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (strlen(path) + strlen(filename) + 1 > pathlen)
+		return (ISC_R_NOSPACE);
+	strlcat(path, filename, pathlen);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	if (truncate(filename, size) < 0)
+		result = isc__errno2result(errno);
+	return (result);
+}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0)
+			return (ISC_R_INVALIDFILE);
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else
+		return (result);
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1)
+		return (isc__errno2result(errno));
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path, char **dirname,
+		   char const **bname)
+{
+	char *dir;
+	const char *file, *slash;
+
+	if (path == NULL)
+		return (ISC_R_INVALIDFILE);
+
+	slash = strrchr(path, '/');
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		if (dir != NULL)
+			strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*bname = file;
+
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot,
+	      int flags, int fd, off_t offset)
+{
+#ifdef HAVE_MMAP
+	return (mmap(addr, len, prot, flags, fd, offset));
+#else
+	void *buf;
+	ssize_t ret;
+	off_t end;
+
+	UNUSED(addr);
+	UNUSED(prot);
+	UNUSED(flags);
+
+	end = lseek(fd, 0, SEEK_END);
+	lseek(fd, offset, SEEK_SET);
+	if (end - offset < (off_t) len)
+		len = end - offset;
+
+	buf = malloc(len);
+	if (buf == NULL)
+		return (NULL);
+
+	ret = read(fd, buf, len);
+	if (ret != (ssize_t) len) {
+		free(buf);
+		buf = NULL;
+	}
+
+	return (buf);
+#endif
+}
+
+int
+isc_file_munmap(void *addr, size_t len) {
+#ifdef HAVE_MMAP
+	return (munmap(addr, len));
+#else
+	UNUSED(len);
+
+	free(addr);
+	return (0);
+#endif
+}
+
+#define DISALLOW "\\/ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length)
+{
+	char buf[PATH_MAX], hash[ISC_SHA256_DIGESTSTRINGLENGTH];
+	size_t l = 0;
+
+	REQUIRE(base != NULL);
+	REQUIRE(path != NULL);
+
+	l = strlen(base) + 1;
+
+	/*
+	 * allow room for a full sha256 hash (64 chars
+	 * plus null terminator)
+	 */
+	if (l < 65U)
+		l = 65;
+
+	if (dir != NULL)
+		l += strlen(dir) + 1;
+	if (ext != NULL)
+		l += strlen(ext) + 1;
+
+	if (l > length || l > (unsigned)PATH_MAX)
+		return (ISC_R_NOSPACE);
+
+	/* Check whether the full-length SHA256 hash filename exists */
+	isc_sha256_data((const void *) base, strlen(base), hash);
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		hash, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for a truncated SHA256 hash filename */
+	hash[16] = '\0';
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		hash, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If neither hash filename already exists, then we'll use
+	 * the original base name if it has no disallowed characters,
+	 * or the truncated hash name if it does.
+	 */
+	if (strpbrk(base, DISALLOW) != NULL) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		base, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	strlcpy(path, buf, length);
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_file_isdirwritable(const char *path) {
+	return (access(path, W_OK|X_OK) == 0);
+}
diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c
new file mode 100644
index 0000000..e3cd0bf
--- /dev/null
+++ b/lib/isc/unix/fsaccess.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <stdbool.h>
+#include <errno.h>
+
+#include "errno2result.h"
+
+/*! \file
+ * \brief
+ * The OS-independent part of the API is in lib/isc.
+ */
+#include "../fsaccess.c"
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	struct stat statb;
+	mode_t mode;
+	bool is_dir = false;
+	isc_fsaccess_t bits;
+	isc_result_t result;
+
+	if (stat(path, &statb) != 0)
+		return (isc__errno2result(errno));
+
+	if ((statb.st_mode & S_IFDIR) != 0)
+		is_dir = true;
+	else if ((statb.st_mode & S_IFREG) == 0)
+		return (ISC_R_INVALIDFILE);
+
+	result = check_bad_bits(access, is_dir);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Done with checking bad bits.  Set mode_t.
+	 */
+	mode = 0;
+
+#define SET_AND_CLEAR1(modebit) \
+	if ((access & bits) != 0) { \
+		mode |= modebit; \
+		access &= ~bits; \
+	}
+#define SET_AND_CLEAR(user, group, other) \
+	SET_AND_CLEAR1(user); \
+	bits <<= STEP; \
+	SET_AND_CLEAR1(group); \
+	bits <<= STEP; \
+	SET_AND_CLEAR1(other);
+
+	bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
+
+	SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
+
+	bits = ISC_FSACCESS_WRITE |
+	       ISC_FSACCESS_CREATECHILD |
+	       ISC_FSACCESS_DELETECHILD;
+
+	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
+
+	bits = ISC_FSACCESS_EXECUTE |
+	       ISC_FSACCESS_ACCESSCHILD;
+
+	SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
+
+	INSIST(access == 0);
+
+	if (chmod(path, mode) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
new file mode 100644
index 0000000..de6f060
--- /dev/null
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * Obtain the list of network interfaces using the getifaddrs(3) library.
+ */
+
+#include <stdbool.h>
+#include <ifaddrs.h>
+
+/*% Iterator Magic */
+#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'G')
+/*% Valid Iterator */
+#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+#ifdef __linux
+static bool seenv6 = false;
+#endif
+
+/*% Iterator structure */
+struct isc_interfaceiter {
+	unsigned int		magic;		/*%< Magic number. */
+	isc_mem_t		*mctx;
+	void			*buf;		/*%< (unused) */
+	unsigned int		bufsize;	/*%< (always 0) */
+	struct ifaddrs		*ifaddrs;	/*%< List of ifaddrs */
+	struct ifaddrs		*pos;		/*%< Ptr to current ifaddr */
+	isc_interface_t		current;	/*%< Current interface data. */
+	isc_result_t		result;		/*%< Last result code. */
+#ifdef  __linux
+	FILE *                  proc;
+	char                    entry[ISC_IF_INET6_SZ];
+	isc_result_t            valid;
+#endif
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iter->mctx = mctx;
+	iter->buf = NULL;
+	iter->bufsize = 0;
+	iter->ifaddrs = NULL;
+#ifdef __linux
+	/*
+	 * Only open "/proc/net/if_inet6" if we have never seen a IPv6
+	 * address returned by getifaddrs().
+	 */
+	if (!seenv6)
+		iter->proc = fopen("/proc/net/if_inet6", "r");
+	else
+		iter->proc = NULL;
+	iter->valid = ISC_R_FAILURE;
+#endif
+
+	if (getifaddrs(&iter->ifaddrs) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERGETIFADDRS,
+						ISC_MSG_GETIFADDRS,
+						"getting interface "
+						"addresses: getifaddrs: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto failure;
+	}
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->pos = NULL;
+	iter->result = ISC_R_FAILURE;
+
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ failure:
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+#endif
+	if (iter->ifaddrs != NULL) /* just in case */
+		freeifaddrs(iter->ifaddrs);
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	struct ifaddrs *ifa;
+	int family;
+	unsigned int namelen;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	ifa = iter->pos;
+
+#ifdef __linux
+	if (iter->pos == NULL)
+		return (linux_if_inet6_current(iter));
+#endif
+
+	INSIST(ifa != NULL);
+	INSIST(ifa->ifa_name != NULL);
+
+	if (ifa->ifa_addr == NULL)
+		return (ISC_R_IGNORE);
+
+	family = ifa->ifa_addr->sa_family;
+	if (family != AF_INET && family != AF_INET6)
+		return (ISC_R_IGNORE);
+
+#ifdef __linux
+	if (family == AF_INET6)
+		seenv6 = true;
+#endif
+
+	memset(&iter->current, 0, sizeof(iter->current));
+
+	namelen = strlen(ifa->ifa_name);
+	if (namelen > sizeof(iter->current.name) - 1)
+		namelen = sizeof(iter->current.name) - 1;
+
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memmove(iter->current.name, ifa->ifa_name, namelen);
+
+	iter->current.flags = 0;
+
+	if ((ifa->ifa_flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+	if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0)
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+
+	if ((ifa->ifa_flags & IFF_LOOPBACK) != 0)
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+	iter->current.af = family;
+
+	get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
+
+	if (ifa->ifa_netmask != NULL)
+		get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
+			 ifa->ifa_name);
+
+	if (ifa->ifa_dstaddr != NULL &&
+	    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
+		get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
+			 ifa->ifa_name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+
+	if (iter->pos != NULL)
+		iter->pos = iter->pos->ifa_next;
+	if (iter->pos == NULL) {
+#ifdef __linux
+		if (!seenv6)
+			return (linux_if_inet6_next(iter));
+#endif
+		return (ISC_R_NOMORE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+	iter->proc = NULL;
+#endif
+	if (iter->ifaddrs)
+		freeifaddrs(iter->ifaddrs);
+	iter->ifaddrs = NULL;
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+
+#ifdef __linux
+	linux_if_inet6_first(iter);
+#endif
+	iter->pos = iter->ifaddrs;
+}
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
new file mode 100644
index 0000000..9702fae
--- /dev/null
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -0,0 +1,931 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <isc/print.h>
+
+/*! \file
+ * \brief
+ * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
+ * See netintro(4).
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+#ifdef ISC_PLATFORM_HAVEIF_LADDRCONF
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define ISC_HAVE_LIFC_FAMILY 1
+#define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
+#endif
+
+#ifdef ISC_PLATFORM_HAVEIF_LADDRREQ
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+#endif
+
+#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'T')
+#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+struct isc_interfaceiter {
+	unsigned int		magic;		/* Magic number. */
+	isc_mem_t		*mctx;
+	int			mode;
+	int			socket;
+	struct ifconf 		ifc;
+	void			*buf;		/* Buffer for sysctl data. */
+	unsigned int		bufsize;	/* Bytes allocated. */
+	unsigned int		pos;		/* Current offset in
+						   SIOCGIFCONF data */
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	int			socket6;
+	struct LIFCONF 		lifc;
+	void			*buf6;		/* Buffer for sysctl data. */
+	unsigned int		bufsize6;	/* Bytes allocated. */
+	unsigned int		pos6;		/* Current offset in
+						   SIOCGLIFCONF data */
+	isc_result_t		result6;	/* Last result code. */
+	bool		first6;
+#endif
+#ifdef HAVE_TRUCLUSTER
+	int			clua_context;	/* Cluster alias context */
+	bool		clua_done;
+	struct sockaddr		clua_sa;
+#endif
+#ifdef	__linux
+	FILE *			proc;
+	char			entry[ISC_IF_INET6_SZ];
+	isc_result_t		valid;
+#endif
+	isc_interface_t		current;	/* Current interface data. */
+	isc_result_t		result;		/* Last result code. */
+};
+
+#ifdef HAVE_TRUCLUSTER
+#include <clua/clua.h>
+#include <sys/socket.h>
+#endif
+
+
+/*%
+ * Size of buffer for SIOCGLIFCONF, in bytes.  We assume no sane system
+ * will have more than a megabyte of interface configuration data.
+ */
+#define IFCONF_BUFSIZE_INITIAL	4096
+#define IFCONF_BUFSIZE_MAX	1048576
+
+#ifdef __linux
+#ifndef IF_NAMESIZE
+# ifdef IFNAMSIZ
+#  define IF_NAMESIZE  IFNAMSIZ
+# else
+#  define IF_NAMESIZE 16
+# endif
+#endif
+#endif
+
+static isc_result_t
+getbuf4(isc_interfaceiter_t *iter) {
+	char strbuf[ISC_STRERRORSIZE];
+
+	iter->bufsize = IFCONF_BUFSIZE_INITIAL;
+
+	for (;;) {
+		iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
+		if (iter->buf == NULL)
+			return (ISC_R_NOMEMORY);
+
+		memset(&iter->ifc.ifc_len, 0, sizeof(iter->ifc.ifc_len));
+		iter->ifc.ifc_len = iter->bufsize;
+		iter->ifc.ifc_buf = iter->buf;
+		/*
+		 * Ignore the HP/UX warning about "integer overflow during
+		 * conversion".  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGIFCONF, (char *)&iter->ifc)
+		    == -1) {
+			if (errno != EINVAL) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_GETIFCONFIG,
+							"get interface "
+							"configuration: %s"),
+						 strbuf);
+				goto unexpected;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			/*
+			 * The ioctl succeeded.
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If
+			 * ifc.lifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (iter->ifc.ifc_len + 2 * sizeof(struct ifreq)
+			    < iter->bufsize)
+				break;
+		}
+		if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_BUFFERMAX,
+							"get interface "
+							"configuration: "
+							"maximum buffer "
+							"size exceeded"));
+			goto unexpected;
+		}
+		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+
+		iter->bufsize *= 2;
+	}
+	return (ISC_R_SUCCESS);
+
+ unexpected:
+	isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+	iter->buf = NULL;
+	return (ISC_R_UNEXPECTED);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+getbuf6(isc_interfaceiter_t *iter) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+
+	iter->bufsize6 = IFCONF_BUFSIZE_INITIAL;
+
+	for (;;) {
+		iter->buf6 = isc_mem_get(iter->mctx, iter->bufsize6);
+		if (iter->buf6 == NULL)
+			return (ISC_R_NOMEMORY);
+
+		memset(&iter->lifc, 0, sizeof(iter->lifc));
+#ifdef ISC_HAVE_LIFC_FAMILY
+		iter->lifc.lifc_family = AF_INET6;
+#endif
+#ifdef ISC_HAVE_LIFC_FLAGS
+		iter->lifc.lifc_flags = 0;
+#endif
+		iter->lifc.lifc_len = iter->bufsize6;
+		iter->lifc.lifc_buf = iter->buf6;
+		/*
+		 * Ignore the HP/UX warning about "integer overflow during
+		 * conversion".  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket6, SIOCGLIFCONF, (char *)&iter->lifc)
+		    == -1) {
+#ifdef __hpux
+			/*
+			 * IPv6 interface scanning is not available on all
+			 * kernels w/ IPv6 sockets.
+			 */
+			if (errno == ENOENT) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_INTERFACE,
+					      ISC_LOG_DEBUG(1),
+					      isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_GETIFCONFIG,
+							"get interface "
+							"configuration: %s"),
+					       strbuf);
+				result = ISC_R_FAILURE;
+				goto cleanup;
+			}
+#endif
+			if (errno != EINVAL) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_GETIFCONFIG,
+							"get interface "
+							"configuration: %s"),
+						 strbuf);
+				result = ISC_R_UNEXPECTED;
+				goto cleanup;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			/*
+			 * The ioctl succeeded.
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If
+			 * ifc.ifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (iter->lifc.lifc_len + 2 * sizeof(struct LIFREQ)
+			    < iter->bufsize6)
+				break;
+		}
+		if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_BUFFERMAX,
+							"get interface "
+							"configuration: "
+							"maximum buffer "
+							"size exceeded"));
+			result = ISC_R_UNEXPECTED;
+			goto cleanup;
+		}
+		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+
+		iter->bufsize6 *= 2;
+	}
+
+	if (iter->lifc.lifc_len != 0)
+		iter->mode = 6;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+	iter->buf6 = NULL;
+	return (result);
+}
+#endif
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iter->mctx = mctx;
+	iter->mode = 4;
+	iter->buf = NULL;
+	iter->pos = (unsigned int) -1;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	iter->buf6 = NULL;
+	iter->pos6 = (unsigned int) -1;
+	iter->result6 = ISC_R_NOMORE;
+	iter->socket6 = -1;
+	iter->first6 = false;
+#endif
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	result = isc_net_probeipv6();
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Create an unbound datagram socket to do the SIOCGLIFCONF
+		 * ioctl on.  HP/UX requires an AF_INET6 socket for
+		 * SIOCGLIFCONF to get IPv6 addresses.
+		 */
+		if ((iter->socket6 = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_IFITERIOCTL,
+							ISC_MSG_MAKESCANSOCKET,
+							"making interface "
+							"scan socket: %s"),
+					 strbuf);
+			result = ISC_R_UNEXPECTED;
+			goto socket6_failure;
+		}
+		result = iter->result6 = getbuf6(iter);
+		if (result != ISC_R_NOTIMPLEMENTED && result != ISC_R_SUCCESS)
+			goto ioctl6_failure;
+	}
+#endif
+	if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERIOCTL,
+						ISC_MSG_MAKESCANSOCKET,
+						"making interface "
+						"scan socket: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto socket_failure;
+	}
+	result = getbuf4(iter);
+	if (result != ISC_R_SUCCESS)
+		goto ioctl_failure;
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+#ifdef HAVE_TRUCLUSTER
+	iter->clua_context = -1;
+	iter->clua_done = true;
+#endif
+#ifdef __linux
+	iter->proc = fopen("/proc/net/if_inet6", "r");
+	iter->valid = ISC_R_FAILURE;
+#endif
+	iter->result = ISC_R_FAILURE;
+
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ ioctl_failure:
+	if (iter->buf != NULL)
+		isc_mem_put(mctx, iter->buf, iter->bufsize);
+	(void) close(iter->socket);
+
+ socket_failure:
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->buf6 != NULL)
+		isc_mem_put(mctx, iter->buf6, iter->bufsize6);
+  ioctl6_failure:
+	if (iter->socket6 != -1)
+		(void) close(iter->socket6);
+  socket6_failure:
+#endif
+
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+#ifdef HAVE_TRUCLUSTER
+static void
+get_inaddr(isc_netaddr_t *dst, struct in_addr *src) {
+	dst->family = AF_INET;
+	memmove(&dst->type.in, src, sizeof(struct in_addr));
+}
+
+static isc_result_t
+internal_current_clusteralias(isc_interfaceiter_t *iter) {
+	struct clua_info ci;
+	if (clua_getaliasinfo(&iter->clua_sa, &ci) != CLUA_SUCCESS)
+		return (ISC_R_IGNORE);
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = iter->clua_sa.sa_family;
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	snprintf(iter->current.name, sizeof(iter->current.name),
+		 "clua%d", ci.aliasid);
+	iter->current.flags = INTERFACE_F_UP;
+	get_inaddr(&iter->current.address, &ci.addr);
+	get_inaddr(&iter->current.netmask, &ci.netmask);
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family, or if
+ * some operation on it fails, return ISC_R_IGNORE to make
+ * the higher-level iterator code ignore it.
+ */
+
+static isc_result_t
+internal_current4(isc_interfaceiter_t *iter) {
+	struct ifreq *ifrp;
+	struct ifreq ifreq;
+	int family;
+	char strbuf[ISC_STRERRORSIZE];
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+	struct lifreq lifreq;
+#else
+	char sabuf[256];
+#endif
+	int i, bits, prefixlen;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	if (iter->ifc.ifc_len == 0 ||
+	    iter->pos == (unsigned int)iter->ifc.ifc_len) {
+#ifdef __linux
+		return (linux_if_inet6_current(iter));
+#else
+		return (ISC_R_NOMORE);
+#endif
+	}
+
+	INSIST( iter->pos < (unsigned int) iter->ifc.ifc_len);
+
+	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+
+	memset(&ifreq, 0, sizeof(ifreq));
+	memmove(&ifreq, ifrp, sizeof(ifreq));
+
+	family = ifreq.ifr_addr.sa_family;
+#if defined(ISC_PLATFORM_HAVEIPV6)
+	if (family != AF_INET && family != AF_INET6)
+#else
+	if (family != AF_INET)
+#endif
+		return (ISC_R_IGNORE);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = family;
+
+	INSIST(sizeof(ifreq.ifr_name) <= sizeof(iter->current.name));
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memmove(iter->current.name, ifreq.ifr_name, sizeof(ifreq.ifr_name));
+
+	get_addr(family, &iter->current.address,
+		 (struct sockaddr *)&ifrp->ifr_addr, ifreq.ifr_name);
+
+	/*
+	 * If the interface does not have a address ignore it.
+	 */
+	switch (family) {
+	case AF_INET:
+		if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
+			return (ISC_R_IGNORE);
+		break;
+	case AF_INET6:
+		if (memcmp(&iter->current.address.type.in6, &in6addr_any,
+			   sizeof(in6addr_any)) == 0)
+			return (ISC_R_IGNORE);
+		break;
+	}
+
+	/*
+	 * Get interface flags.
+	 */
+
+	iter->current.flags = 0;
+
+	/*
+	 * Ignore the HP/UX warning about "integer overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(iter->socket, SIOCGIFFLAGS, (char *) &ifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "%s: getting interface flags: %s",
+				 ifreq.ifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+
+	if ((ifreq.ifr_flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+#ifdef IFF_POINTOPOINT
+	if ((ifreq.ifr_flags & IFF_POINTOPOINT) != 0)
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
+
+	if ((ifreq.ifr_flags & IFF_LOOPBACK) != 0)
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+	if (family == AF_INET)
+		goto inet;
+
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+	memset(&lifreq, 0, sizeof(lifreq));
+	memmove(lifreq.lifr_name, iter->current.name, sizeof(lifreq.lifr_name));
+	memmove(&lifreq.lifr_addr, &iter->current.address.type.in6,
+	       sizeof(iter->current.address.type.in6));
+
+	if (ioctl(iter->socket, SIOCGLIFADDR, &lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "%s: getting interface address: %s",
+				 ifreq.ifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+	prefixlen = lifreq.lifr_addrlen;
+#else
+	isc_netaddr_format(&iter->current.address, sabuf, sizeof(sabuf));
+	isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+		      ISC_LOGMODULE_INTERFACE,
+		      ISC_LOG_INFO,
+		      isc_msgcat_get(isc_msgcat,
+				     ISC_MSGSET_IFITERIOCTL,
+				     ISC_MSG_GETIFCONFIG,
+				     "prefix length for %s is unknown "
+				     "(assume 128)"), sabuf);
+	prefixlen = 128;
+#endif
+
+	/*
+	 * Netmask already zeroed.
+	 */
+	iter->current.netmask.family = family;
+	for (i = 0; i < 16; i++) {
+		if (prefixlen > 8) {
+			bits = 0;
+			prefixlen -= 8;
+		} else {
+			bits = 8 - prefixlen;
+			prefixlen = 0;
+		}
+		iter->current.netmask.type.in6.s6_addr[i] =
+			(~0U << bits) & 0xff;
+	}
+	return (ISC_R_SUCCESS);
+
+ inet:
+	if (family != AF_INET)
+		return (ISC_R_IGNORE);
+#ifdef IFF_POINTOPOINT
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
+	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+		/*
+		 * Ignore the HP/UX warning about "integer overflow during
+		 * conversion.  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(iter->socket, SIOCGIFDSTADDR, (char *)&ifreq)
+		    < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat,
+					       ISC_MSGSET_IFITERIOCTL,
+					       ISC_MSG_GETDESTADDR,
+					       "%s: getting "
+					       "destination address: %s"),
+					 ifreq.ifr_name, strbuf);
+			return (ISC_R_IGNORE);
+		}
+		get_addr(family, &iter->current.dstaddress,
+			 (struct sockaddr *)&ifreq.ifr_dstaddr, ifreq.ifr_name);
+	}
+#endif
+
+	/*
+	 * Get the network mask.
+	 */
+	memset(&ifreq, 0, sizeof(ifreq));
+	memmove(&ifreq, ifrp, sizeof(ifreq));
+	/*
+	 * Ignore the HP/UX warning about "integer overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(iter->socket, SIOCGIFNETMASK, (char *)&ifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+			isc_msgcat_get(isc_msgcat,
+				       ISC_MSGSET_IFITERIOCTL,
+				       ISC_MSG_GETNETMASK,
+				       "%s: getting netmask: %s"),
+				       ifreq.ifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+	get_addr(family, &iter->current.netmask,
+		 (struct sockaddr *)&ifreq.ifr_addr, ifreq.ifr_name);
+	return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_current6(isc_interfaceiter_t *iter) {
+	struct LIFREQ *ifrp;
+	struct LIFREQ lifreq;
+	int family;
+	char strbuf[ISC_STRERRORSIZE];
+	int fd;
+
+	REQUIRE(VALID_IFITER(iter));
+	if (iter->result6 != ISC_R_SUCCESS)
+		return (iter->result6);
+	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
+
+	memset(&lifreq, 0, sizeof(lifreq));
+	memmove(&lifreq, ifrp, sizeof(lifreq));
+
+	family = lifreq.lifr_addr.ss_family;
+#ifdef ISC_PLATFORM_HAVEIPV6
+	if (family != AF_INET && family != AF_INET6)
+#else
+	if (family != AF_INET)
+#endif
+		return (ISC_R_IGNORE);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = family;
+
+	INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
+	memset(iter->current.name, 0, sizeof(iter->current.name));
+	memmove(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
+
+	get_addr(family, &iter->current.address,
+		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
+
+	/*
+	 * If the interface does not have a address ignore it.
+	 */
+	switch (family) {
+	case AF_INET:
+		if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
+			return (ISC_R_IGNORE);
+		break;
+	case AF_INET6:
+		if (memcmp(&iter->current.address.type.in6, &in6addr_any,
+			   sizeof(in6addr_any)) == 0)
+			return (ISC_R_IGNORE);
+		break;
+	}
+
+	/*
+	 * Get interface flags.
+	 */
+
+	iter->current.flags = 0;
+
+	if (family == AF_INET6)
+		fd = iter->socket6;
+	else
+		fd = iter->socket;
+
+	/*
+	 * Ignore the HP/UX warning about "integer overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(fd, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "%s: getting interface flags: %s",
+				 lifreq.lifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+
+	if ((lifreq.lifr_flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+#ifdef IFF_POINTOPOINT
+	if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
+
+	if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+#ifdef IFF_POINTOPOINT
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
+	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+		/*
+		 * Ignore the HP/UX warning about "integer overflow during
+		 * conversion.  It comes from its own macro definition,
+		 * and is really hard to shut up.
+		 */
+		if (ioctl(fd, SIOCGLIFDSTADDR, (char *)&lifreq)
+		    < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat,
+					       ISC_MSGSET_IFITERIOCTL,
+					       ISC_MSG_GETDESTADDR,
+					       "%s: getting "
+					       "destination address: %s"),
+					 lifreq.lifr_name, strbuf);
+			return (ISC_R_IGNORE);
+		}
+		get_addr(family, &iter->current.dstaddress,
+			 (struct sockaddr *)&lifreq.lifr_dstaddr,
+			 lifreq.lifr_name);
+	}
+#endif
+
+	/*
+	 * Get the network mask.  Netmask already zeroed.
+	 */
+	memset(&lifreq, 0, sizeof(lifreq));
+	memmove(&lifreq, ifrp, sizeof(lifreq));
+
+#ifdef lifr_addrlen
+	/*
+	 * Special case: if the system provides lifr_addrlen member, the
+	 * netmask of an IPv6 address can be derived from the length, since
+	 * an IPv6 address always has a contiguous mask.
+	 */
+	if (family == AF_INET6) {
+		int i, bits;
+
+		iter->current.netmask.family = family;
+		for (i = 0; i < lifreq.lifr_addrlen; i += 8) {
+			bits = lifreq.lifr_addrlen - i;
+			bits = (bits < 8) ? (8 - bits) : 0;
+			iter->current.netmask.type.in6.s6_addr[i / 8] =
+				(~0U << bits) & 0xff;
+		}
+
+		return (ISC_R_SUCCESS);
+	}
+#endif
+
+	/*
+	 * Ignore the HP/UX warning about "integer overflow during
+	 * conversion.  It comes from its own macro definition,
+	 * and is really hard to shut up.
+	 */
+	if (ioctl(fd, SIOCGLIFNETMASK, (char *)&lifreq) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERIOCTL,
+						ISC_MSG_GETNETMASK,
+						"%s: getting netmask: %s"),
+				 lifreq.lifr_name, strbuf);
+		return (ISC_R_IGNORE);
+	}
+	get_addr(family, &iter->current.netmask,
+		 (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
+
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->mode == 6) {
+		iter->result6 = internal_current6(iter);
+		if (iter->result6 != ISC_R_NOMORE)
+			return (iter->result6);
+	}
+#endif
+#ifdef HAVE_TRUCLUSTER
+	if (!iter->clua_done)
+		return(internal_current_clusteralias(iter));
+#endif
+	return (internal_current4(iter));
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next4(isc_interfaceiter_t *iter) {
+#ifdef ISC_PLATFORM_HAVESALEN
+	struct ifreq *ifrp;
+#endif
+
+	if (iter->pos < (unsigned int) iter->ifc.ifc_len) {
+#ifdef ISC_PLATFORM_HAVESALEN
+		ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+
+		if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
+			iter->pos += sizeof(ifrp->ifr_name) +
+				     ifrp->ifr_addr.sa_len;
+		else
+#endif
+			iter->pos += sizeof(struct ifreq);
+
+	} else {
+		INSIST(iter->pos == (unsigned int) iter->ifc.ifc_len);
+#ifdef __linux
+		return (linux_if_inet6_next(iter));
+#else
+		return (ISC_R_NOMORE);
+#endif
+	}
+	return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_next6(isc_interfaceiter_t *iter) {
+#ifdef ISC_PLATFORM_HAVESALEN
+	struct LIFREQ *ifrp;
+#endif
+
+	if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
+		return (iter->result6);
+
+	REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+#ifdef ISC_PLATFORM_HAVESALEN
+	ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
+
+	if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr))
+		iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
+	else
+#endif
+		iter->pos6 += sizeof(struct LIFREQ);
+
+	if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+	int clua_result;
+#endif
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->mode == 6) {
+		iter->result6 = internal_next6(iter);
+		if (iter->result6 != ISC_R_NOMORE)
+			return (iter->result6);
+		if (iter->first6) {
+			iter->first6 = false;
+			return (ISC_R_SUCCESS);
+		}
+	}
+#endif
+#ifdef HAVE_TRUCLUSTER
+	if (!iter->clua_done) {
+		clua_result = clua_getaliasaddress(&iter->clua_sa,
+						   &iter->clua_context);
+		if (clua_result != CLUA_SUCCESS)
+			iter->clua_done = true;
+		return (ISC_R_SUCCESS);
+	}
+#endif
+	return (internal_next4(iter));
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+	(void) close(iter->socket);
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	if (iter->socket6 != -1)
+		(void) close(iter->socket6);
+	if (iter->buf6 != NULL) {
+		isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+	}
+#endif
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+#endif
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+	int clua_result;
+#endif
+	iter->pos = 0;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+	iter->pos6 = 0;
+	if (iter->result6 == ISC_R_NOMORE)
+		iter->result6 = ISC_R_SUCCESS;
+	iter->first6 = true;
+#endif
+#ifdef HAVE_TRUCLUSTER
+	iter->clua_context = 0;
+	clua_result = clua_getaliasaddress(&iter->clua_sa,
+					   &iter->clua_context);
+	iter->clua_done = (clua_result != CLUA_SUCCESS);
+#endif
+#ifdef __linux
+	linux_if_inet6_first(iter);
+#endif
+}
diff --git a/lib/isc/unix/ifiter_sysctl.c b/lib/isc/unix/ifiter_sysctl.c
new file mode 100644
index 0000000..ebbefe9
--- /dev/null
+++ b/lib/isc/unix/ifiter_sysctl.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file
+ * \brief
+ * Obtain the list of network interfaces using sysctl.
+ * See TCP/IP Illustrated Volume 2, sections 19.8, 19.14,
+ * and 19.16.
+ */
+
+#include <inttypes.h>
+
+#include <sys/param.h>
+#include <sys/sysctl.h>
+
+#include <net/route.h>
+#include <net/if_dl.h>
+
+#include <isc/print.h>
+
+/* XXX what about Alpha? */
+#ifdef sgi
+#define ROUNDUP(a) ((a) > 0 ? \
+		(1 + (((a) - 1) | (sizeof(__uint64_t) - 1))) : \
+		sizeof(__uint64_t))
+#else
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) \
+		    : sizeof(long))
+#endif
+
+#define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'S')
+#define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+struct isc_interfaceiter {
+	unsigned int		magic;		/* Magic number. */
+	isc_mem_t		*mctx;
+	void			*buf;		/* Buffer for sysctl data. */
+	unsigned int		bufsize;	/* Bytes allocated. */
+	unsigned int		bufused;	/* Bytes used. */
+	unsigned int		pos;		/* Current offset in
+						   sysctl data. */
+	isc_interface_t		current;	/* Current interface data. */
+	isc_result_t		result;		/* Last result code. */
+};
+
+static int mib[6] = {
+	CTL_NET,
+	PF_ROUTE,
+	0,
+	0, 			/* Any address family. */
+	NET_RT_IFLIST,
+	0 			/* Flags. */
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	size_t bufsize;
+	size_t bufused;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	iter->mctx = mctx;
+	iter->buf = 0;
+
+	/*
+	 * Determine the amount of memory needed.
+	 */
+	bufsize = 0;
+	if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERSYSCTL,
+						ISC_MSG_GETIFLISTSIZE,
+						"getting interface "
+						"list size: sysctl: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto failure;
+	}
+	iter->bufsize = bufsize;
+
+	iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
+	if (iter->buf == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto failure;
+	}
+
+	bufused = bufsize;
+	if (sysctl(mib, 6, iter->buf, &bufused, NULL, (size_t) 0) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_IFITERSYSCTL,
+						ISC_MSG_GETIFLIST,
+						"getting interface list: "
+						"sysctl: %s"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto failure;
+	}
+	iter->bufused = bufused;
+	INSIST(iter->bufused <= iter->bufsize);
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->pos = (unsigned int) -1;
+	iter->result = ISC_R_FAILURE;
+
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ failure:
+	if (iter->buf != NULL)
+		isc_mem_put(mctx, iter->buf, iter->bufsize);
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE.  In case of other failure,
+ * return ISC_R_UNEXPECTED.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	struct ifa_msghdr *ifam, *ifam_end;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE (iter->pos < (unsigned int) iter->bufused);
+
+	ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
+	ifam_end = (struct ifa_msghdr *) ((char *) iter->buf + iter->bufused);
+
+	if (ifam->ifam_type == RTM_IFINFO) {
+		struct if_msghdr *ifm = (struct if_msghdr *) ifam;
+		struct sockaddr_dl *sdl = (struct sockaddr_dl *) (ifm + 1);
+		unsigned int namelen;
+
+		memset(&iter->current, 0, sizeof(iter->current));
+
+		namelen = sdl->sdl_nlen;
+		if (namelen > sizeof(iter->current.name) - 1)
+			namelen = sizeof(iter->current.name) - 1;
+
+		memset(iter->current.name, 0, sizeof(iter->current.name));
+		memmove(iter->current.name, sdl->sdl_data, namelen);
+
+		iter->current.flags = 0;
+
+		if ((ifam->ifam_flags & IFF_UP) != 0)
+			iter->current.flags |= INTERFACE_F_UP;
+
+		if ((ifam->ifam_flags & IFF_POINTOPOINT) != 0)
+			iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+
+		if ((ifam->ifam_flags & IFF_LOOPBACK) != 0)
+			iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+		/*
+		 * This is not an interface address.
+		 * Force another iteration.
+		 */
+		return (ISC_R_IGNORE);
+	} else if (ifam->ifam_type == RTM_NEWADDR) {
+		int i;
+		int family;
+		struct sockaddr *mask_sa = NULL;
+		struct sockaddr *addr_sa = NULL;
+		struct sockaddr *dst_sa = NULL;
+
+		struct sockaddr *sa = (struct sockaddr *)(ifam + 1);
+		family = sa->sa_family;
+
+		for (i = 0; i < RTAX_MAX; i++)
+		{
+			if ((ifam->ifam_addrs & (1 << i)) == 0)
+				continue;
+
+			INSIST(sa < (struct sockaddr *) ifam_end);
+
+			switch (i) {
+			case RTAX_NETMASK: /* Netmask */
+				mask_sa = sa;
+				break;
+			case RTAX_IFA: /* Interface address */
+				addr_sa = sa;
+				break;
+			case RTAX_BRD: /* Broadcast or destination address */
+				dst_sa = sa;
+				break;
+			}
+#ifdef ISC_PLATFORM_HAVESALEN
+			sa = (struct sockaddr *)((char*)(sa)
+					 + ROUNDUP(sa->sa_len));
+#else
+#ifdef sgi
+			/*
+			 * Do as the contributed SGI code does.
+			 */
+			sa = (struct sockaddr *)((char*)(sa)
+					 + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
+#else
+			/* XXX untested. */
+			sa = (struct sockaddr *)((char*)(sa)
+					 + ROUNDUP(sizeof(struct sockaddr)));
+#endif
+#endif
+		}
+
+		if (addr_sa == NULL)
+			return (ISC_R_IGNORE);
+
+		family = addr_sa->sa_family;
+		if (family != AF_INET && family != AF_INET6)
+			return (ISC_R_IGNORE);
+
+		iter->current.af = family;
+
+		get_addr(family, &iter->current.address, addr_sa,
+			 iter->current.name);
+
+		if (mask_sa != NULL)
+			get_addr(family, &iter->current.netmask, mask_sa,
+				 iter->current.name);
+
+		if (dst_sa != NULL &&
+		    (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
+			get_addr(family, &iter->current.dstaddress, dst_sa,
+				 iter->current.name);
+
+		return (ISC_R_SUCCESS);
+	} else {
+		printf("%s",
+		       isc_msgcat_get(isc_msgcat, ISC_MSGSET_IFITERSYSCTL,
+				      ISC_MSG_UNEXPECTEDTYPE,
+				      "warning: unexpected interface list "
+				      "message type\n"));
+		return (ISC_R_IGNORE);
+	}
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+	struct ifa_msghdr *ifam;
+	REQUIRE (iter->pos < (unsigned int) iter->bufused);
+
+	ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
+
+	iter->pos += ifam->ifam_msglen;
+
+	if (iter->pos >= iter->bufused)
+		return (ISC_R_NOMORE);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+	UNUSED(iter); /* Unused. */
+	/*
+	 * Do nothing.
+	 */
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+	iter->pos = 0;
+}
diff --git a/lib/isc/unix/include/Makefile.in b/lib/isc/unix/include/Makefile.in
new file mode 100644
index 0000000..2cbf021
--- /dev/null
+++ b/lib/isc/unix/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/unix/include/isc/Makefile.in b/lib/isc/unix/include/isc/Makefile.in
new file mode 100644
index 0000000..977defe
--- /dev/null
+++ b/lib/isc/unix/include/isc/Makefile.in
@@ -0,0 +1,35 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	dir.h keyboard.h net.h netdb.h offset.h stat.h \
+		stdtime.h strerror.h syslog.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
new file mode 100644
index 0000000..36d0aad
--- /dev/null
+++ b/lib/isc/unix/include/isc/dir.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_DIR_H
+#define ISC_DIR_H 1
+
+/*! \file */
+
+#include <sys/types.h>		/* Required on some systems. */
+#include <dirent.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+#define ISC_DIR_NAMEMAX 256
+#define ISC_DIR_PATHMAX 1024
+
+/*% Directory Entry */
+typedef struct isc_direntry {
+	/*!
+	 * Ideally, this should be NAME_MAX, but AIX does not define it by
+	 * default and dynamically allocating the space based on pathconf()
+	 * complicates things undesirably, as does adding special conditionals
+	 * just for AIX.  So a comfortably sized buffer is chosen instead.
+	 */
+	char 		name[ISC_DIR_NAMEMAX];
+	unsigned int	length;
+} isc_direntry_t;
+
+/*% Directory */
+typedef struct isc_dir {
+	unsigned int	magic;
+	/*!
+	 * As with isc_direntry_t->name, making this "right" for all systems
+	 * is slightly problematic because AIX does not define PATH_MAX.
+	 */
+	char		dirname[ISC_DIR_PATHMAX];
+	isc_direntry_t	entry;
+	DIR *		handle;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_dir_init(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname);
+
+isc_result_t
+isc_dir_read(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_reset(isc_dir_t *dir);
+
+void
+isc_dir_close(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_chdir(const char *dirname);
+
+isc_result_t
+isc_dir_chroot(const char *dirname);
+
+isc_result_t
+isc_dir_createunique(char *templet);
+/*!<
+ * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
+ * named, empty directory.  The templet string is modified in place.
+ * If result == ISC_R_SUCCESS, it is the name of the directory that was
+ * created.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_DIR_H */
diff --git a/lib/isc/unix/include/isc/keyboard.h b/lib/isc/unix/include/isc/keyboard.h
new file mode 100644
index 0000000..4dc8745
--- /dev/null
+++ b/lib/isc/unix/include/isc/keyboard.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_KEYBOARD_H
+#define ISC_KEYBOARD_H 1
+
+/*! \file */
+
+#include <stdbool.h>
+#include <termios.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	int fd;
+	struct termios saved_mode;
+	isc_result_t result;
+} isc_keyboard_t;
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard);
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds);
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp);
+
+bool
+isc_keyboard_canceled(isc_keyboard_t *keyboard);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_KEYBOARD_H */
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
new file mode 100644
index 0000000..08be590
--- /dev/null
+++ b/lib/isc/unix/include/isc/net.h
@@ -0,0 +1,417 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NET_H
+#define ISC_NET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *\li		struct in_addr
+ *\li		struct in6_addr
+ *\li		struct in6_pktinfo
+ *\li		struct sockaddr
+ *\li		struct sockaddr_in
+ *\li		struct sockaddr_in6
+ *\li		struct sockaddr_storage
+ *\li		in_port_t
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares inet_aton(), inet_ntop(), and inet_pton().
+ *
+ * It ensures that #INADDR_LOOPBACK, #INADDR_ANY, #IN6ADDR_ANY_INIT,
+ * IN6ADDR_V4MAPPED_INIT, in6addr_any, and in6addr_loopback are available.
+ *
+ * It ensures that IN_MULTICAST() is available to check for multicast
+ * addresses.
+ *
+ * MP:
+ *\li	No impact.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	N/A.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	BSD Socket API
+ *\li	RFC2553
+ */
+
+/***
+ *** Imports.
+ ***/
+#include <isc/platform.h>
+
+#include <inttypes.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>		/* Contractual promise. */
+
+#include <net/if.h>
+
+#include <netinet/in.h>		/* Contractual promise. */
+#include <arpa/inet.h>		/* Contractual promise. */
+#ifdef ISC_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h>	/* Required on UnixWare. */
+#endif
+#ifdef ISC_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIPV6
+#include <isc/ipv6.h>		/* Contractual promise. */
+#endif
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_HAVEINADDR6
+#define in6_addr in_addr6	/*%< Required for pre RFC2133 implementations. */
+#endif
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+/*%
+ * Required for some pre RFC2133 implementations.
+ * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
+ * If 's6_addr' is defined then assume that there is a union and three
+ * levels otherwise assume two levels required.
+ */
+#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
+#else
+#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
+#endif
+#endif
+
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+/*% IPv6 address loopback init */
+#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
+#else
+#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
+#endif
+#endif
+
+#ifndef IN6ADDR_V4MAPPED_INIT
+#ifdef s6_addr
+/*% IPv6 v4mapped prefix init */
+#define IN6ADDR_V4MAPPED_INIT { { { 0,0,0,0,0,0,0,0,0,0,0xff,0xff,0,0,0,0 } } }
+#else
+#define IN6ADDR_V4MAPPED_INIT { { 0,0,0,0,0,0,0,0,0,0,0xff,0xff,0,0,0,0 } }
+#endif
+#endif
+
+#ifndef IN6_IS_ADDR_V4MAPPED
+/*% Is IPv6 address V4 mapped? */
+#define IN6_IS_ADDR_V4MAPPED(x) \
+	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
+	  (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
+#endif
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+/*% Is IPv6 address V4 compatible? */
+#define IN6_IS_ADDR_V4COMPAT(x) \
+	 (memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
+	 ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 || \
+	  (x)->s6_addr[14] != 0 || \
+	  ((x)->s6_addr[15] != 0 && (x)->s6_addr[15] != 1)))
+#endif
+
+#ifndef IN6_IS_ADDR_MULTICAST
+/*% Is IPv6 address multicast? */
+#define IN6_IS_ADDR_MULTICAST(a)        ((a)->s6_addr[0] == 0xff)
+#endif
+
+#ifndef IN6_IS_ADDR_LINKLOCAL
+/*% Is IPv6 address linklocal? */
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+/*% is IPv6 address sitelocal? */
+#define IN6_IS_ADDR_SITELOCAL(a) \
+	(((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif
+
+
+#ifndef IN6_IS_ADDR_LOOPBACK
+/*% is IPv6 address loopback? */
+#define IN6_IS_ADDR_LOOPBACK(x) \
+	(memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
+#endif
+#endif
+
+#ifndef AF_INET6
+/*% IPv6 */
+#define AF_INET6 99
+#endif
+
+#ifndef PF_INET6
+/*% IPv6 */
+#define PF_INET6 AF_INET6
+#endif
+
+#ifndef INADDR_ANY
+/*% inaddr any */
+#define INADDR_ANY 0x00000000UL
+#endif
+
+#ifndef INADDR_LOOPBACK
+/*% inaddr loopback */
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+/*% IPv6 packet info */
+struct in6_pktinfo {
+	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
+};
+#endif
+
+
+#ifndef ISC_PLATFORM_HAVESOCKADDRSTORAGE
+#define _SS_MAXSIZE 128
+#define _SS_ALIGNSIZE  (sizeof (uint64_t))
+#ifdef ISC_PLATFORM_HAVESALEN
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE - (2 * sizeof(uint8_t)))
+#define _SS_PAD2SIZE (_SS_MAXSIZE - (_SS_ALIGNSIZE + _SS_PAD1SIZE \
+		       + 2 * sizeof(uint8_t)))
+#else
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(uint16_t))
+#define _SS_PAD2SIZE (_SS_MAXSIZE - (_SS_ALIGNSIZE + _SS_PAD1SIZE \
+			+ sizeof(uint16_t)))
+#endif
+
+struct sockaddr_storage {
+#ifdef ISC_PLATFORM_HAVESALEN
+       uint8_t             ss_len;
+       uint8_t             ss_family;
+#else
+       uint16_t            ss_family;
+#endif
+       char                    __ss_pad1[_SS_PAD1SIZE];
+       uint64_t            __ss_align;  /* field to force desired structure */
+       char                    __ss_pad2[_SS_PAD2SIZE];
+};
+#endif
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
+extern const struct in6_addr isc_net_in6addrany;
+/*%
+ * Cope with a missing in6addr_any and in6addr_loopback.
+ */
+#define in6addr_any isc_net_in6addrany
+#endif
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
+extern const struct in6_addr isc_net_in6addrloop;
+#define in6addr_loopback isc_net_in6addrloop
+#endif
+
+#ifdef ISC_PLATFORM_FIXIN6ISADDR
+#undef  IN6_IS_ADDR_GEOGRAPHIC
+/*!
+ * \brief
+ * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
+ */
+#define IN6_IS_ADDR_GEOGRAPHIC(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x80)
+#undef  IN6_IS_ADDR_IPX
+#define IN6_IS_ADDR_IPX(a)        (((a)->S6_un.S6_l[0] & 0xFE) == 0x04)
+#undef  IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a)  (((a)->S6_un.S6_l[0] & 0xC0FF) == 0x80FE)
+#undef  IN6_IS_ADDR_MULTICAST
+#define IN6_IS_ADDR_MULTICAST(a)  (((a)->S6_un.S6_l[0] & 0xFF) == 0xFF)
+#undef  IN6_IS_ADDR_NSAP
+#define IN6_IS_ADDR_NSAP(a)       (((a)->S6_un.S6_l[0] & 0xFE) == 0x02)
+#undef  IN6_IS_ADDR_PROVIDER
+#define IN6_IS_ADDR_PROVIDER(a)   (((a)->S6_un.S6_l[0] & 0xE0) == 0x40)
+#undef  IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a)  (((a)->S6_un.S6_l[0] & 0xC0FF) == 0xC0FE)
+#endif /* ISC_PLATFORM_FIXIN6ISADDR */
+
+#ifdef ISC_PLATFORM_NEEDPORTT
+/*%
+ * Ensure type in_port_t is defined.
+ */
+typedef uint16_t in_port_t;
+#endif
+
+#ifndef MSG_TRUNC
+/*%
+ * If this system does not have MSG_TRUNC (as returned from recvmsg())
+ * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
+ * faking code in socket.c.
+ */
+#define ISC_PLATFORM_RECVOVERFLOW
+#endif
+
+/*% IP address. */
+#define ISC__IPADDR(x)	((uint32_t)htonl((uint32_t)(x)))
+
+/*% Is IP address multicast? */
+#define ISC_IPADDR_ISMULTICAST(i) \
+		(((uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+		 == ISC__IPADDR(0xe0000000))
+
+#define ISC_IPADDR_ISEXPERIMENTAL(i) \
+		(((uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+		 == ISC__IPADDR(0xf0000000))
+
+/***
+ *** Functions.
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_net_probeipv4(void);
+/*%<
+ * Check if the system's kernel supports IPv4.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		IPv4 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv4 is not supported.
+ *\li	#ISC_R_DISABLED		IPv4 is disabled.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeipv6(void);
+/*%<
+ * Check if the system's kernel supports IPv6.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		IPv6 is supported.
+ *\li	#ISC_R_NOTFOUND		IPv6 is not supported.
+ *\li	#ISC_R_DISABLED		IPv6 is disabled.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*%<
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *\li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void);
+/*
+ * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
+ * for UDP sockets.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS		the option is supported.
+ * \li	#ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ * \li	#ISC_R_UNEXPECTED
+ */
+
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
+isc_result_t
+isc_net_probeunix(void);
+/*
+ * Returns whether UNIX domain sockets are supported.
+ */
+
+#define ISC_NET_DSCPRECVV4	0x01	/* Can receive sent DSCP value IPv4 */
+#define ISC_NET_DSCPRECVV6	0x02	/* Can receive sent DSCP value IPv6 */
+#define ISC_NET_DSCPSETV4	0x04	/* Can set DSCP on socket IPv4 */
+#define ISC_NET_DSCPSETV6	0x08	/* Can set DSCP on socket IPv6 */
+#define ISC_NET_DSCPPKTV4	0x10	/* Can set DSCP on per packet IPv4 */
+#define ISC_NET_DSCPPKTV6	0x20	/* Can set DSCP on per packet IPv6 */
+#define ISC_NET_DSCPALL		0x3f	/* All valid flags */
+
+unsigned int
+isc_net_probedscp(void);
+/*%<
+ * Probe the level of DSCP support.
+ */
+
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
+/*%<
+ * Returns system's default range of ephemeral UDP ports, if defined.
+ * If the range is not available or unknown, ISC_NET_PORTRANGELOW and
+ * ISC_NET_PORTRANGEHIGH will be returned.
+ *
+ * Requires:
+ *
+ *\li	'low' and 'high' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	*low and *high will be the ports specifying the low and high ends of
+ *	the range.
+ */
+
+#ifdef ISC_PLATFORM_NEEDNTOP
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size);
+#undef inet_ntop
+#define inet_ntop isc_net_ntop
+#endif
+
+#ifdef ISC_PLATFORM_NEEDPTON
+int
+isc_net_pton(int af, const char *src, void *dst);
+#undef inet_pton
+#define inet_pton isc_net_pton
+#endif
+
+int
+isc_net_aton(const char *cp, struct in_addr *addr);
+#undef inet_aton
+#define inet_aton isc_net_aton
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NET_H */
diff --git a/lib/isc/unix/include/isc/netdb.h b/lib/isc/unix/include/isc/netdb.h
new file mode 100644
index 0000000..5aaa9f6
--- /dev/null
+++ b/lib/isc/unix/include/isc/netdb.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NETDB_H
+#define ISC_NETDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file
+ * \brief
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining the get<x>by<y> APIs.
+ *
+ * MP:
+ *\li	No impact.
+ *
+ * Reliability:
+ *\li	No anticipated impact.
+ *
+ * Resources:
+ *\li	N/A.
+ *
+ * Security:
+ *\li	No anticipated impact.
+ *
+ * Standards:
+ *\li	BSD API
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/net.h>
+
+#include <netdb.h>
+
+#endif /* ISC_NETDB_H */
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
new file mode 100644
index 0000000..cf57292
--- /dev/null
+++ b/lib/isc/unix/include/isc/offset.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
+
+/*! \file
+ * \brief
+ * File offsets are operating-system dependent.
+ */
+#include <limits.h>             /* Required for CHAR_BIT. */
+#include <sys/types.h>
+#include <stddef.h>		/* For Linux Standard Base. */
+
+typedef off_t isc_offset_t;
+
+#endif /* ISC_OFFSET_H */
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
new file mode 100644
index 0000000..24c4ce5
--- /dev/null
+++ b/lib/isc/unix/include/isc/stat.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Portable <sys/stat.h> support.
+ *
+ * This module is responsible for defining S_IS??? macros.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#endif /* ISC_STAT_H */
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
new file mode 100644
index 0000000..1a3da82
--- /dev/null
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STDTIME_H
+#define ISC_STDTIME_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <inttypes.h>
+
+/*%
+ * It's public information that 'isc_stdtime_t' is an unsigned integral type.
+ * Applications that want maximum portability should not assume anything
+ * about its size.
+ */
+typedef uint32_t isc_stdtime_t;
+
+/* but this flag helps... */
+#define STDTIME_ON_32BITS	1
+
+/*
+ * isc_stdtime32_t is a 32-bit version of isc_stdtime_t.  A variable of this
+ * type should only be used as an opaque integer (e.g.,) to compare two
+ * time values.
+ */
+typedef uint32_t isc_stdtime32_t;
+
+ISC_LANG_BEGINDECLS
+/* */
+void
+isc_stdtime_get(isc_stdtime_t *t);
+/*%<
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
+/*
+ * Convert the standard time to its 32-bit version.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDTIME_H */
diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h
new file mode 100644
index 0000000..fa0e429
--- /dev/null
+++ b/lib/isc/unix/include/isc/strerror.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STRERROR_H
+#define ISC_STRERROR_H
+
+/*! \file */
+
+#include <sys/types.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% String Error Size */
+#define ISC_STRERRORSIZE 128
+
+/*%
+ * Provide a thread safe wrapper to strerror().
+ *
+ * Requires:
+ * 	'buf' to be non NULL.
+ */
+void
+isc__strerror(int num, char *buf, size_t bufsize);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRERROR_H */
diff --git a/lib/isc/unix/include/isc/syslog.h b/lib/isc/unix/include/isc/syslog.h
new file mode 100644
index 0000000..e0b8e85
--- /dev/null
+++ b/lib/isc/unix/include/isc/syslog.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SYSLOG_H
+#define ISC_SYSLOG_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp);
+/*%<
+ * Convert 'str' to the appropriate syslog facility constant.
+ *
+ * Requires:
+ *
+ *\li	'str' is not NULL
+ *\li	'facilityp' is not NULL
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYSLOG_H */
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
new file mode 100644
index 0000000..b864c29
--- /dev/null
+++ b/lib/isc/unix/include/isc/time.h
@@ -0,0 +1,361 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_TIME_H
+#define ISC_TIME_H 1
+
+/*! \file */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** Intervals
+ ***/
+
+/*!
+ *  \brief
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+struct isc_interval {
+	unsigned int seconds;
+	unsigned int nanoseconds;
+};
+
+extern const isc_interval_t * const isc_interval_zero;
+
+/*
+ * ISC_FORMATHTTPTIMESTAMP_SIZE needs to be 30 in C locale and potentially
+ * more for other locales to handle longer national abbreviations when
+ * expanding strftime's %a and %b.
+ */
+#define ISC_FORMATHTTPTIMESTAMP_SIZE 50
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_interval_set(isc_interval_t *i,
+		 unsigned int seconds, unsigned int nanoseconds);
+/*%<
+ * Set 'i' to a value representing an interval of 'seconds' seconds and
+ * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
+ * isc_time_subtract().
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
+ */
+
+bool
+isc_interval_iszero(const isc_interval_t *i);
+/*%<
+ * Returns true iff. 'i' is the zero interval.
+ *
+ * Requires:
+ *
+ *\li	'i' is a valid pointer.
+ */
+
+/***
+ *** Absolute Times
+ ***/
+
+/*%
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+
+struct isc_time {
+	unsigned int	seconds;
+	unsigned int	nanoseconds;
+};
+
+extern const isc_time_t * const isc_time_epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*%<
+ * Set 't' to a value which represents the given number of seconds and
+ * nanoseconds since 00:00:00 January 1, 1970, UTC.
+ *
+ * Notes:
+ *\li	The Unix version of this call is equivalent to:
+ *\code
+ *	isc_time_settoepoch(t);
+ *	isc_interval_set(i, seconds, nanoseconds);
+ *	isc_time_add(t, i, t);
+ *\endcode
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *\li	nanoseconds < 1000000000.
+ */
+
+void
+isc_time_settoepoch(isc_time_t *t);
+/*%<
+ * Set 't' to the time of the epoch.
+ *
+ * Notes:
+ *\li	The date of the epoch is platform-dependent.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+bool
+isc_time_isepoch(const isc_time_t *t);
+/*%<
+ * Returns true iff. 't' is the epoch ("time zero").
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_now(isc_time_t *t);
+/*%<
+ * Set 't' to the current absolute time.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
+/*%<
+ * Set *t to the current absolute time + i.
+ *
+ * Note:
+ *\li	This call is equivalent to:
+ *
+ *\code
+ *		isc_time_now(t);
+ *		isc_time_add(t, i, t);
+ *\endcode
+ *
+ * Requires:
+ *
+ *\li	't' and 'i' are valid pointers.
+ *
+ * Returns:
+ *
+ *\li	Success
+ *\li	Unexpected error
+ *		Getting the time from the system failed.
+ *\li	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
+/*%<
+ * Compare the times referenced by 't1' and 't2'
+ *
+ * Requires:
+ *
+ *\li	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *
+ *\li	-1		t1 < t2		(comparing times, not pointers)
+ *\li	0		t1 = t2
+ *\li	1		t1 > t2
+ */
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
+/*%<
+ * Add 'i' to 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *\li	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
+/*%<
+ * Subtract 'i' from 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *\li	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ *		The interval is larger than the time since the epoch.
+ */
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
+/*%<
+ * Find the difference in microseconds between time t1 and time t2.
+ * t2 is the subtrahend of t1; ie, difference = t1 - t2.
+ *
+ * Requires:
+ *
+ *\li	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *\li	The difference of t1 - t2, or 0 if t1 <= t2.
+ */
+
+uint32_t
+isc_time_seconds(const isc_time_t *t);
+/*%<
+ * Return the number of seconds since the epoch stored in a time structure.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
+/*%<
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *\li	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ */
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t);
+/*%<
+ * Return the number of nanoseconds stored in a time structure.
+ *
+ * Notes:
+ *\li	This is the number of nanoseconds in excess of the number
+ *	of seconds since the epoch; it will always be less than one
+ *	full second.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Ensures:
+ *\li	The returned value is less than 1*10^9.
+ */
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIME_H */
diff --git a/lib/isc/unix/include/pkcs11/Makefile.in b/lib/isc/unix/include/pkcs11/Makefile.in
new file mode 100644
index 0000000..420fec1
--- /dev/null
+++ b/lib/isc/unix/include/pkcs11/Makefile.in
@@ -0,0 +1,31 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =	cryptoki.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/pkcs11/$$i || exit 1; \
+	done
diff --git a/lib/isc/unix/include/pkcs11/cryptoki.h b/lib/isc/unix/include/pkcs11/cryptoki.h
new file mode 100644
index 0000000..7dc48b0
--- /dev/null
+++ b/lib/isc/unix/include/pkcs11/cryptoki.h
@@ -0,0 +1,66 @@
+/* cryptoki.h include file for PKCS #11. */
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/* $Revision: 1.3 $ */
+
+/*
+ * Portions Copyright RSA Security Inc.
+ *
+ * License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the 
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Unix Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+  returnType name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+  returnType name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+  returnType (* name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+  returnType (* name)
+
+/* NULL is in unistd.h */
+#include <unistd.h>
+#define NULL_PTR NULL
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+#include <pkcs11/pkcs11.h>
+
+#endif /* ___CRYPTOKI_H_INC___ */
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
new file mode 100644
index 0000000..4df4d34
--- /dev/null
+++ b/lib/isc/unix/interfaceiter.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>		/* Required for ifiter_ioctl.c. */
+#endif
+
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/* Must follow <isc/net.h>. */
+#ifdef HAVE_NET_IF6_H
+#include <net/if6.h>
+#endif
+#include <net/if.h>
+
+/* Common utility functions */
+
+/*%
+ * Extract the network address part from a "struct sockaddr".
+ * \brief
+ * The address family is given explicitly
+ * instead of using src->sa_family, because the latter does not work
+ * for copying a network mask obtained by SIOCGIFNETMASK (it does
+ * not have a valid address family).
+ */
+
+static void
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
+	 char *ifname)
+{
+	struct sockaddr_in6 *sa6;
+
+#if !defined(ISC_PLATFORM_HAVEIFNAMETOINDEX) || \
+    !defined(ISC_PLATFORM_HAVESCOPEID)
+	UNUSED(ifname);
+#endif
+
+	/* clear any remaining value for safety */
+	memset(dst, 0, sizeof(*dst));
+
+	dst->family = family;
+	switch (family) {
+	case AF_INET:
+		memmove(&dst->type.in,
+			&((struct sockaddr_in *) src)->sin_addr,
+			sizeof(struct in_addr));
+		break;
+	case AF_INET6:
+		sa6 = (struct sockaddr_in6 *)src;
+		memmove(&dst->type.in6, &sa6->sin6_addr,
+			sizeof(struct in6_addr));
+#ifdef ISC_PLATFORM_HAVESCOPEID
+		if (sa6->sin6_scope_id != 0)
+			isc_netaddr_setzone(dst, sa6->sin6_scope_id);
+		else {
+			/*
+			 * BSD variants embed scope zone IDs in the 128bit
+			 * address as a kernel internal form.  Unfortunately,
+			 * the embedded IDs are not hidden from applications
+			 * when getting access to them by sysctl or ioctl.
+			 * We convert the internal format to the pure address
+			 * part and the zone ID part.
+			 * Since multicast addresses should not appear here
+			 * and they cannot be distinguished from netmasks,
+			 * we only consider unicast link-local addresses.
+			 */
+			if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
+				uint16_t zone16;
+
+				memmove(&zone16, &sa6->sin6_addr.s6_addr[2],
+					sizeof(zone16));
+				zone16 = ntohs(zone16);
+				if (zone16 != 0) {
+					/* the zone ID is embedded */
+					isc_netaddr_setzone(dst,
+							    (uint32_t)zone16);
+					dst->type.in6.s6_addr[2] = 0;
+					dst->type.in6.s6_addr[3] = 0;
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+				} else if (ifname != NULL) {
+					unsigned int zone;
+
+					/*
+					 * sin6_scope_id is still not provided,
+					 * but the corresponding interface name
+					 * is know.  Use the interface ID as
+					 * the link ID.
+					 */
+					zone = if_nametoindex(ifname);
+					if (zone != 0) {
+						isc_netaddr_setzone(dst,
+								    (uint32_t)zone);
+					}
+#endif
+				}
+			}
+		}
+#endif
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+}
+
+/*
+ * Include system-dependent code.
+ */
+
+#ifdef __linux
+#define ISC_IF_INET6_SZ \
+    sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
+static isc_result_t linux_if_inet6_next(isc_interfaceiter_t *);
+static isc_result_t linux_if_inet6_current(isc_interfaceiter_t *);
+static void linux_if_inet6_first(isc_interfaceiter_t *iter);
+#endif
+
+#if HAVE_GETIFADDRS
+#include "ifiter_getifaddrs.c"
+#elif HAVE_IFLIST_SYSCTL
+#include "ifiter_sysctl.c"
+#else
+#include "ifiter_ioctl.c"
+#endif
+
+#ifdef __linux
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL) {
+		rewind(iter->proc);
+		(void)linux_if_inet6_next(iter);
+	} else
+		iter->valid = ISC_R_NOMORE;
+}
+
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL &&
+	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
+		iter->valid = ISC_R_SUCCESS;
+	else
+		iter->valid = ISC_R_NOMORE;
+	return (iter->valid);
+}
+
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *iter) {
+	char address[33];
+	char name[IF_NAMESIZE+1];
+	struct in6_addr addr6;
+	unsigned int ifindex, prefix, flag3, flag4;
+	int res;
+	unsigned int i;
+
+	if (iter->valid != ISC_R_SUCCESS)
+		return (iter->valid);
+	if (iter->proc == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:iter->proc == NULL");
+		return (ISC_R_FAILURE);
+	}
+
+	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
+		     address, &ifindex, &prefix, &flag3, &flag4, name);
+	if (res != 6) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
+			      res);
+		return (ISC_R_FAILURE);
+	}
+	if (strlen(address) != 32) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:strlen(%s) != 32", address);
+		return (ISC_R_FAILURE);
+	}
+	for (i = 0; i < 16; i++) {
+		unsigned char byte;
+		static const char hex[] = "0123456789abcdef";
+		byte = ((strchr(hex, address[i * 2]) - hex) << 4) |
+		       (strchr(hex, address[i * 2 + 1]) - hex);
+		addr6.s6_addr[i] = byte;
+	}
+	iter->current.af = AF_INET6;
+	iter->current.flags = INTERFACE_F_UP;
+	isc_netaddr_fromin6(&iter->current.address, &addr6);
+	if (isc_netaddr_islinklocal(&iter->current.address)) {
+		isc_netaddr_setzone(&iter->current.address,
+				    (uint32_t)ifindex);
+	}
+	for (i = 0; i < 16; i++) {
+		if (prefix > 8) {
+			addr6.s6_addr[i] = 0xff;
+			prefix -= 8;
+		} else {
+			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
+			prefix = 0;
+		}
+	}
+	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
+	strlcpy(iter->current.name, name, sizeof(iter->current.name));
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+/*
+ * The remaining code is common to the sysctl and ioctl case.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter,
+			  isc_interface_t *ifdata)
+{
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+	memmove(ifdata, &iter->current, sizeof(*ifdata));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+
+	internal_first(iter);
+	for (;;) {
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE)
+			break;
+		result = internal_next(iter);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	iter->result = result;
+	return (result);
+}
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+
+	for (;;) {
+		result = internal_next(iter);
+		if (result != ISC_R_SUCCESS)
+			break;
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE)
+			break;
+	}
+	iter->result = result;
+	return (result);
+}
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
+{
+	isc_interfaceiter_t *iter;
+	REQUIRE(iterp != NULL);
+	iter = *iterp;
+	REQUIRE(VALID_IFITER(iter));
+
+	internal_destroy(iter);
+	if (iter->buf != NULL)
+		isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+
+	iter->magic = 0;
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
+	*iterp = NULL;
+}
diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c
new file mode 100644
index 0000000..eb77377
--- /dev/null
+++ b/lib/isc/unix/ipv6.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/ipv6.h>
+
+const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/lib/isc/unix/keyboard.c b/lib/isc/unix/keyboard.c
new file mode 100644
index 0000000..cb5f116
--- /dev/null
+++ b/lib/isc/unix/keyboard.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <isc/keyboard.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard) {
+	int fd;
+	isc_result_t ret;
+	struct termios current_mode;
+
+	REQUIRE(keyboard != NULL);
+
+	fd = open("/dev/tty", O_RDONLY, 0);
+	if (fd < 0)
+		return (ISC_R_IOERROR);
+
+	keyboard->fd = fd;
+
+	if (tcgetattr(fd, &keyboard->saved_mode) < 0) {
+		ret = ISC_R_IOERROR;
+		goto errout;
+	}
+
+	current_mode = keyboard->saved_mode;
+
+	current_mode.c_iflag &=
+			~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON);
+	current_mode.c_oflag &= ~OPOST;
+	current_mode.c_lflag &= ~(ECHO|ECHONL|ICANON|ISIG|IEXTEN);
+	current_mode.c_cflag &= ~(CSIZE|PARENB);
+	current_mode.c_cflag |= CS8;
+
+	current_mode.c_cc[VMIN] = 1;
+	current_mode.c_cc[VTIME] = 0;
+	if (tcsetattr(fd, TCSAFLUSH, &current_mode) < 0) {
+		ret = ISC_R_IOERROR;
+		goto errout;
+	}
+
+	keyboard->result = ISC_R_SUCCESS;
+
+	return (ISC_R_SUCCESS);
+
+ errout:
+	close (fd);
+
+	return (ret);
+}
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
+	REQUIRE(keyboard != NULL);
+
+	if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED)
+		(void)sleep(sleeptime);
+
+	(void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode);
+	(void)close(keyboard->fd);
+
+	keyboard->fd = -1;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) {
+	ssize_t cc;
+	unsigned char c;
+	cc_t *controlchars;
+
+	REQUIRE(keyboard != NULL);
+	REQUIRE(cp != NULL);
+
+	cc = read(keyboard->fd, &c, 1);
+	if (cc < 0) {
+		keyboard->result = ISC_R_IOERROR;
+		return (keyboard->result);
+	}
+
+	controlchars = keyboard->saved_mode.c_cc;
+	if (c == controlchars[VINTR] || c == controlchars[VQUIT]) {
+		keyboard->result = ISC_R_CANCELED;
+		return (keyboard->result);
+	}
+
+	*cp = c;
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_keyboard_canceled(isc_keyboard_t *keyboard) {
+	return (keyboard->result == ISC_R_CANCELED);
+}
diff --git a/lib/isc/unix/meminfo.c b/lib/isc/unix/meminfo.c
new file mode 100644
index 0000000..ad750a7
--- /dev/null
+++ b/lib/isc/unix/meminfo.c
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <isc/meminfo.h>
+#include <inttypes.h>
+#include <unistd.h>
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
+
+uint64_t
+isc_meminfo_totalphys(void) {
+#if defined(CTL_HW) && (defined(HW_PHYSMEM64) || defined(HW_MEMSIZE))
+	int mib[2];
+	mib[0] = CTL_HW;
+#if defined(HW_MEMSIZE)
+	mib[1] = HW_MEMSIZE;
+#elif defined(HW_PHYSMEM64)
+	mib[1] = HW_PHYSMEM64;
+#endif
+	uint64_t size = 0;
+	size_t len = sizeof(size);
+	if (sysctl(mib, 2, &size, &len, NULL, 0) == 0)
+		return (size);
+#endif
+#if defined(_SC_PHYS_PAGES) && defined(_SC_PAGESIZE)
+	return ((size_t) (sysconf(_SC_PHYS_PAGES) * sysconf(_SC_PAGESIZE)));
+#endif
+	return (0);
+}
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
new file mode 100644
index 0000000..efe17bd
--- /dev/null
+++ b/lib/isc/unix/net.c
@@ -0,0 +1,913 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#if defined(HAVE_SYS_SYSCTL_H)
+#if defined(HAVE_SYS_PARAM_H)
+#include <sys/param.h>
+#endif
+#include <sys/sysctl.h>
+#endif
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <isc/log.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/netdb.h>
+#include <isc/once.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#ifndef ISC_SOCKADDR_LEN_T
+#define ISC_SOCKADDR_LEN_T unsigned int
+#endif
+
+/*%
+ * Definitions about UDP port range specification.  This is a total mess of
+ * portability variants: some use sysctl (but the sysctl names vary), some use
+ * system-specific interfaces, some have the same interface for IPv4 and IPv6,
+ * some separate them, etc...
+ */
+
+/*%
+ * The last resort defaults: use all non well known port space
+ */
+#ifndef ISC_NET_PORTRANGELOW
+#define ISC_NET_PORTRANGELOW 1024
+#endif	/* ISC_NET_PORTRANGELOW */
+#ifndef ISC_NET_PORTRANGEHIGH
+#define ISC_NET_PORTRANGEHIGH 65535
+#endif	/* ISC_NET_PORTRANGEHIGH */
+
+#ifdef HAVE_SYSCTLBYNAME
+
+/*%
+ * sysctl variants
+ */
+#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__DragonFly__)
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
+#define SYSCTL_V4PORTRANGE_HIGH	"net.inet.ip.portrange.hilast"
+#define SYSCTL_V6PORTRANGE_LOW	"net.inet.ip.portrange.hifirst"
+#define SYSCTL_V6PORTRANGE_HIGH	"net.inet.ip.portrange.hilast"
+#endif
+
+#ifdef __NetBSD__
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW	"net.inet.ip.anonportmin"
+#define SYSCTL_V4PORTRANGE_HIGH	"net.inet.ip.anonportmax"
+#define SYSCTL_V6PORTRANGE_LOW	"net.inet6.ip6.anonportmin"
+#define SYSCTL_V6PORTRANGE_HIGH	"net.inet6.ip6.anonportmax"
+#endif
+
+#else /* !HAVE_SYSCTLBYNAME */
+
+#ifdef __OpenBSD__
+#define USE_SYSCTL_PORTRANGE
+#define SYSCTL_V4PORTRANGE_LOW	{ CTL_NET, PF_INET, IPPROTO_IP, \
+				  IPCTL_IPPORT_HIFIRSTAUTO }
+#define SYSCTL_V4PORTRANGE_HIGH	{ CTL_NET, PF_INET, IPPROTO_IP, \
+				  IPCTL_IPPORT_HILASTAUTO }
+/* Same for IPv6 */
+#define SYSCTL_V6PORTRANGE_LOW	SYSCTL_V4PORTRANGE_LOW
+#define SYSCTL_V6PORTRANGE_HIGH	SYSCTL_V4PORTRANGE_HIGH
+#endif
+
+#endif /* HAVE_SYSCTLBYNAME */
+
+#if defined(ISC_PLATFORM_HAVEIPV6)
+# if defined(ISC_PLATFORM_NEEDIN6ADDRANY)
+const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
+# endif
+
+# if defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
+const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT;
+# endif
+
+# if defined(WANT_IPV6)
+static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
+
+#  if defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+static isc_once_t 	once_ipv6pktinfo = ISC_ONCE_INIT;
+#  endif
+# endif /* WANT_IPV6 */
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+
+#ifndef ISC_CMSG_IP_TOS
+#ifdef __APPLE__
+#define ISC_CMSG_IP_TOS 0	/* As of 10.8.2. */
+#else /* ! __APPLE__ */
+#define ISC_CMSG_IP_TOS 1
+#endif /* ! __APPLE__ */
+#endif /* ! ISC_CMSG_IP_TOS */
+
+static isc_once_t 	once = ISC_ONCE_INIT;
+static isc_once_t 	once_dscp = ISC_ONCE_INIT;
+
+static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t	unix_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6pktinfo_result = ISC_R_NOTFOUND;
+static unsigned int	dscp_result = 0;
+
+static isc_result_t
+try_proto(int domain) {
+	int s;
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+
+	s = socket(domain, SOCK_STREAM, 0);
+	if (s == -1) {
+		switch (errno) {
+#ifdef EAFNOSUPPORT
+		case EAFNOSUPPORT:
+#endif
+#ifdef EPFNOSUPPORT
+		case EPFNOSUPPORT:
+#endif
+#ifdef EPROTONOSUPPORT
+		case EPROTONOSUPPORT:
+#endif
+#ifdef EINVAL
+		case EINVAL:
+#endif
+			return (ISC_R_NOTFOUND);
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() %s: %s",
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+	if (domain == PF_INET6) {
+		struct sockaddr_in6 sin6;
+		unsigned int len;
+
+		/*
+		 * Check to see if IPv6 is broken, as is common on Linux.
+		 */
+		len = sizeof(sin6);
+		if (getsockname(s, (struct sockaddr *)&sin6, (void *)&len) < 0)
+		{
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "retrieving the address of an IPv6 "
+				      "socket from the kernel failed.");
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "IPv6 is not supported.");
+			result = ISC_R_NOTFOUND;
+		} else {
+			if (len == sizeof(struct sockaddr_in6))
+				result = ISC_R_SUCCESS;
+			else {
+				isc_log_write(isc_lctx,
+					      ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_ERROR,
+					      "IPv6 structures in kernel and "
+					      "user space do not match.");
+				isc_log_write(isc_lctx,
+					      ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_ERROR,
+					      "IPv6 is not supported.");
+				result = ISC_R_NOTFOUND;
+			}
+		}
+	}
+#endif
+#endif
+#endif
+
+	(void)close(s);
+
+	return (result);
+}
+
+static void
+initialize_action(void) {
+	ipv4_result = try_proto(PF_INET);
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+	ipv6_result = try_proto(PF_INET6);
+#endif
+#endif
+#endif
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	unix_result = try_proto(PF_UNIX);
+#endif
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_net_probeipv4(void) {
+	initialize();
+	return (ipv4_result);
+}
+
+isc_result_t
+isc_net_probeipv6(void) {
+	initialize();
+	return (ipv6_result);
+}
+
+isc_result_t
+isc_net_probeunix(void) {
+	initialize();
+	return (unix_result);
+}
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	int s, on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	close(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+#endif /* IPV6_V6ONLY */
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only,
+				  try_ipv6only) == ISC_R_SUCCESS);
+}
+#endif /* WANT_IPV6 */
+
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef WANT_IPV6
+static void
+try_ipv6pktinfo(void) {
+	int s, on;
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+	int optname;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6pktinfo_result = result;
+		return;
+	}
+
+	/* we only use this for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6pktinfo_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+#ifdef IPV6_RECVPKTINFO
+	optname = IPV6_RECVPKTINFO;
+#else
+	optname = IPV6_PKTINFO;
+#endif
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) {
+		ipv6pktinfo_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6pktinfo_result = ISC_R_SUCCESS;
+
+close:
+	close(s);
+	return;
+}
+
+static void
+initialize_ipv6pktinfo(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo,
+				  try_ipv6pktinfo) == ISC_R_SUCCESS);
+}
+#endif /* WANT_IPV6 */
+#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+	initialize_ipv6only();
+#else
+	ipv6only_result = ISC_R_NOTFOUND;
+#endif
+#endif
+	return (ipv6only_result);
+}
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef WANT_IPV6
+	initialize_ipv6pktinfo();
+#else
+	ipv6pktinfo_result = ISC_R_NOTFOUND;
+#endif
+#endif
+#endif
+	return (ipv6pktinfo_result);
+}
+
+#if ISC_CMSG_IP_TOS || \
+    defined(ISC_NET_BSD44MSGHDR) && defined(IPV6_TCLASS) && defined(WANT_IPV6)
+
+static inline ISC_SOCKADDR_LEN_T
+cmsg_len(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_LEN
+	return (CMSG_LEN(len));
+#else
+	ISC_SOCKADDR_LEN_T hdrlen;
+
+	/*
+	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
+	 * is correct.
+	 */
+	hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL));
+	return (hdrlen + len);
+#endif
+}
+
+static inline ISC_SOCKADDR_LEN_T
+cmsg_space(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_SPACE
+	return (CMSG_SPACE(len));
+#else
+	struct msghdr msg;
+	struct cmsghdr *cmsgp;
+	/*
+	 * XXX: The buffer length is an ad-hoc value, but should be enough
+	 * in a practical sense.
+	 */
+	char dummybuf[sizeof(struct cmsghdr) + 1024];
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_control = dummybuf;
+	msg.msg_controllen = sizeof(dummybuf);
+
+	cmsgp = (struct cmsghdr *)dummybuf;
+	cmsgp->cmsg_len = cmsg_len(len);
+
+	cmsgp = CMSG_NXTHDR(&msg, cmsgp);
+	if (cmsgp != NULL)
+		return ((char *)cmsgp - (char *)msg.msg_control);
+	else
+		return (0);
+#endif
+}
+
+#ifdef ISC_NET_BSD44MSGHDR
+/*
+ * Make a fd non-blocking.
+ */
+static isc_result_t
+make_nonblock(int fd) {
+	int ret;
+	int flags;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef USE_FIONBIO_IOCTL
+	int on = 1;
+
+	ret = ioctl(fd, FIONBIO, (char *)&on);
+#else
+	flags = fcntl(fd, F_GETFL, 0);
+	flags |= PORT_NONBLOCK;
+	ret = fcntl(fd, F_SETFL, flags);
+#endif
+
+	if (ret == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+#ifdef USE_FIONBIO_IOCTL
+				 "ioctl(%d, FIONBIO, &on): %s", fd,
+#else
+				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
+#endif
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static bool
+cmsgsend(int s, int level, int type, struct addrinfo *res) {
+	char strbuf[ISC_STRERRORSIZE];
+	struct sockaddr_storage ss;
+	ISC_SOCKADDR_LEN_T len = sizeof(ss);
+	struct msghdr msg;
+	union {
+		struct cmsghdr h;
+		unsigned char b[256];
+	} control;
+	struct cmsghdr *cmsgp;
+	int dscp = (46 << 2);	/* Expedited forwarding. */
+	struct iovec iovec;
+	char buf[1] = { 0 };
+	isc_result_t result;
+
+	if (bind(s, res->ai_addr, res->ai_addrlen) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "bind: %s", strbuf);
+		return (false);
+	}
+
+	if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getsockname: %s", strbuf);
+		return (false);
+	}
+
+	iovec.iov_base = buf;
+	iovec.iov_len = sizeof(buf);
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_name = (struct sockaddr *)&ss;
+	msg.msg_namelen = len;
+	msg.msg_iov = &iovec;
+	msg.msg_iovlen = 1;
+	msg.msg_control = (void*)&control;
+	msg.msg_controllen = 0;
+	msg.msg_flags = 0;
+
+	cmsgp = msg.msg_control;
+
+	switch (type) {
+#ifdef IP_TOS
+	case IP_TOS:
+		memset(cmsgp, 0, cmsg_space(sizeof(char)));
+		cmsgp->cmsg_level = level;
+		cmsgp->cmsg_type = type;
+		cmsgp->cmsg_len = cmsg_len(sizeof(char));
+		*(unsigned char*)CMSG_DATA(cmsgp) = dscp;
+		msg.msg_controllen += cmsg_space(sizeof(char));
+		break;
+#endif
+#ifdef IPV6_TCLASS
+	case IPV6_TCLASS:
+		memset(cmsgp, 0, cmsg_space(sizeof(dscp)));
+		cmsgp->cmsg_level = level;
+		cmsgp->cmsg_type = type;
+		cmsgp->cmsg_len = cmsg_len(sizeof(dscp));
+		memmove(CMSG_DATA(cmsgp), &dscp, sizeof(dscp));
+		msg.msg_controllen += cmsg_space(sizeof(dscp));
+		break;
+#endif
+	default:
+		INSIST(0);
+	}
+
+	if (sendmsg(s, &msg, 0) < 0) {
+		int debug = ISC_LOG_DEBUG(10);
+		const char *typestr;
+		const char *msgstr;
+		switch (errno) {
+#ifdef ENOPROTOOPT
+		case ENOPROTOOPT:
+#endif
+#ifdef EOPNOTSUPP
+		case EOPNOTSUPP:
+#endif
+		case EINVAL:
+		case EPERM:
+			break;
+		default:
+			debug = ISC_LOG_NOTICE;
+		}
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		if (debug != ISC_LOG_NOTICE) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+				      "sendmsg: %s", strbuf);
+		} else {
+			typestr = (type == IP_TOS) ? "IP_TOS" : "IPV6_TCLASS";
+			msgstr = isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed");
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "probing "
+					 "sendmsg() with %s=%02x %s: %s",
+					 typestr, dscp, msgstr, strbuf);
+		}
+		return (false);
+	}
+
+	/*
+	 * Make sure the message actually got sent.
+	 */
+	result = make_nonblock(s);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	iovec.iov_base = buf;
+	iovec.iov_len = sizeof(buf);
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_name = (struct sockaddr *)&ss;
+	msg.msg_namelen = sizeof(ss);
+	msg.msg_iov = &iovec;
+	msg.msg_iovlen = 1;
+	msg.msg_control = NULL;
+	msg.msg_controllen = 0;
+	msg.msg_flags = 0;
+
+	if (recvmsg(s, &msg, 0) < 0)
+		return (false);
+
+	return (true);
+}
+#endif
+#endif
+
+static void
+try_dscp_v4(void) {
+#ifdef IP_TOS
+	char strbuf[ISC_STRERRORSIZE];
+	struct addrinfo hints, *res0;
+	int s, dscp = 0, n;
+#ifdef IP_RECVTOS
+	int on = 1;
+#endif /* IP_RECVTOS */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_INET;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+#else
+	hints.ai_flags = AI_PASSIVE;
+#endif
+
+	n = getaddrinfo("127.0.0.1", NULL, &hints, &res0);
+	if (n != 0 || res0 == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getaddrinfo(127.0.0.1): %s", gai_strerror(n));
+		return;
+	}
+
+	s = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol);
+
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "socket: %s", strbuf);
+		freeaddrinfo(res0);
+		return;
+	}
+
+	if (setsockopt(s, IPPROTO_IP, IP_TOS, &dscp, sizeof(dscp)) == 0)
+		dscp_result |= ISC_NET_DSCPSETV4;
+
+#ifdef IP_RECVTOS
+	on = 1;
+	if (setsockopt(s, IPPROTO_IP, IP_RECVTOS, &on, sizeof(on)) == 0)
+		dscp_result |= ISC_NET_DSCPRECVV4;
+#endif /* IP_RECVTOS */
+
+#ifdef ISC_NET_BSD44MSGHDR
+
+#if ISC_CMSG_IP_TOS
+	if (cmsgsend(s, IPPROTO_IP, IP_TOS, res0))
+		dscp_result |= ISC_NET_DSCPPKTV4;
+#endif /* ISC_CMSG_IP_TOS */
+
+#endif /* ISC_NET_BSD44MSGHDR */
+
+	freeaddrinfo(res0);
+	close(s);
+
+#endif /* IP_TOS */
+}
+
+static void
+try_dscp_v6(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef IPV6_TCLASS
+	char strbuf[ISC_STRERRORSIZE];
+	struct addrinfo hints, *res0;
+	int s, dscp = 0, n;
+#if defined(IPV6_RECVTCLASS)
+	int on = 1;
+#endif /* IPV6_RECVTCLASS */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_INET6;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+#else
+	hints.ai_flags = AI_PASSIVE;
+#endif
+
+	n = getaddrinfo("::1", NULL, &hints, &res0);
+	if (n != 0 || res0 == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "getaddrinfo(::1): %s", gai_strerror(n));
+		return;
+	}
+
+	s = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol);
+	if (s == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(10),
+			      "socket: %s", strbuf);
+		freeaddrinfo(res0);
+		return;
+	}
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &dscp, sizeof(dscp)) == 0)
+		dscp_result |= ISC_NET_DSCPSETV6;
+
+#ifdef IPV6_RECVTCLASS
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_RECVTCLASS, &on, sizeof(on)) == 0)
+		dscp_result |= ISC_NET_DSCPRECVV6;
+#endif /* IPV6_RECVTCLASS */
+
+#ifdef ISC_NET_BSD44MSGHDR
+	if (cmsgsend(s, IPPROTO_IPV6, IPV6_TCLASS, res0))
+		dscp_result |= ISC_NET_DSCPPKTV6;
+#endif /* ISC_NET_BSD44MSGHDR */
+
+	freeaddrinfo(res0);
+	close(s);
+
+#endif /* IPV6_TCLASS */
+#endif /* WANT_IPV6 */
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+}
+
+static void
+try_dscp(void) {
+	try_dscp_v4();
+	try_dscp_v6();
+}
+
+static void
+initialize_dscp(void) {
+	RUNTIME_CHECK(isc_once_do(&once_dscp, try_dscp) == ISC_R_SUCCESS);
+}
+
+unsigned int
+isc_net_probedscp(void) {
+	initialize_dscp();
+	return (dscp_result);
+}
+
+#if defined(USE_SYSCTL_PORTRANGE)
+#if defined(HAVE_SYSCTLBYNAME)
+static isc_result_t
+getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
+	int port_low, port_high;
+	size_t portlen;
+	const char *sysctlname_lowport, *sysctlname_hiport;
+
+	if (af == AF_INET) {
+		sysctlname_lowport = SYSCTL_V4PORTRANGE_LOW;
+		sysctlname_hiport = SYSCTL_V4PORTRANGE_HIGH;
+	} else {
+		sysctlname_lowport = SYSCTL_V6PORTRANGE_LOW;
+		sysctlname_hiport = SYSCTL_V6PORTRANGE_HIGH;
+	}
+	portlen = sizeof(port_low);
+	if (sysctlbyname(sysctlname_lowport, &port_low, &portlen,
+			 NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+	portlen = sizeof(port_high);
+	if (sysctlbyname(sysctlname_hiport, &port_high, &portlen,
+			 NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0)
+		return (ISC_R_RANGE);
+
+	*low = (in_port_t)port_low;
+	*high = (in_port_t)port_high;
+
+	return (ISC_R_SUCCESS);
+}
+#else /* !HAVE_SYSCTLBYNAME */
+static isc_result_t
+getudpportrange_sysctl(int af, in_port_t *low, in_port_t *high) {
+	int mib_lo4[4] = SYSCTL_V4PORTRANGE_LOW;
+	int mib_hi4[4] = SYSCTL_V4PORTRANGE_HIGH;
+	int mib_lo6[4] = SYSCTL_V6PORTRANGE_LOW;
+	int mib_hi6[4] = SYSCTL_V6PORTRANGE_HIGH;
+	int *mib_lo, *mib_hi, miblen;
+	int port_low, port_high;
+	size_t portlen;
+
+	if (af == AF_INET) {
+		mib_lo = mib_lo4;
+		mib_hi = mib_hi4;
+		miblen = sizeof(mib_lo4) / sizeof(mib_lo4[0]);
+	} else {
+		mib_lo = mib_lo6;
+		mib_hi = mib_hi6;
+		miblen = sizeof(mib_lo6) / sizeof(mib_lo6[0]);
+	}
+
+	portlen = sizeof(port_low);
+	if (sysctl(mib_lo, miblen, &port_low, &portlen, NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	portlen = sizeof(port_high);
+	if (sysctl(mib_hi, miblen, &port_high, &portlen, NULL, 0) < 0) {
+		return (ISC_R_FAILURE);
+	}
+
+	if ((port_low & ~0xffff) != 0 || (port_high & ~0xffff) != 0)
+		return (ISC_R_RANGE);
+
+	*low = (in_port_t) port_low;
+	*high = (in_port_t) port_high;
+
+	return (ISC_R_SUCCESS);
+}
+#endif /* HAVE_SYSCTLBYNAME */
+#endif /* USE_SYSCTL_PORTRANGE */
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high) {
+	int result = ISC_R_FAILURE;
+#if !defined(USE_SYSCTL_PORTRANGE) && defined(__linux)
+	FILE *fp;
+#endif
+
+	REQUIRE(low != NULL && high != NULL);
+
+#if defined(USE_SYSCTL_PORTRANGE)
+	result = getudpportrange_sysctl(af, low, high);
+#elif defined(__linux)
+
+	UNUSED(af);
+
+	/*
+	 * Linux local ports are address family agnostic.
+	 */
+	fp = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
+	if (fp != NULL) {
+		int n;
+		unsigned int l, h;
+
+		n = fscanf(fp, "%u %u", &l, &h);
+		if (n == 2 && (l & ~0xffff) == 0 && (h & ~0xffff) == 0) {
+			*low = l;
+			*high = h;
+			result = ISC_R_SUCCESS;
+		}
+		fclose(fp);
+	}
+#else
+	UNUSED(af);
+#endif
+
+	if (result != ISC_R_SUCCESS) {
+		*low = ISC_NET_PORTRANGELOW;
+		*high = ISC_NET_PORTRANGEHIGH;
+	}
+
+	return (ISC_R_SUCCESS);	/* we currently never fail in this function */
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS)
+		ipv4_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS)
+		ipv6_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED)
+		ipv4_result = ISC_R_SUCCESS;
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED)
+		ipv6_result = ISC_R_SUCCESS;
+}
diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c
new file mode 100644
index 0000000..8cff6b6
--- /dev/null
+++ b/lib/isc/unix/os.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <isc/os.h>
+
+
+#ifdef HAVE_SYSCONF
+
+#include <unistd.h>
+
+#ifndef __hpux
+static inline long
+sysconf_ncpus(void) {
+#if defined(_SC_NPROCESSORS_ONLN)
+	return sysconf((_SC_NPROCESSORS_ONLN));
+#elif defined(_SC_NPROC_ONLN)
+	return sysconf((_SC_NPROC_ONLN));
+#else
+	return (0);
+#endif
+}
+#endif
+#endif /* HAVE_SYSCONF */
+
+
+#ifdef __hpux
+
+#include <sys/pstat.h>
+
+static inline int
+hpux_ncpus(void) {
+	struct pst_dynamic psd;
+	if (pstat_getdynamic(&psd, sizeof(psd), 1, 0) != -1)
+		return (psd.psd_proc_cnt);
+	else
+		return (0);
+}
+
+#endif /* __hpux */
+
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+#include <sys/types.h>  /* for FreeBSD */
+#include <sys/param.h>  /* for NetBSD */
+#include <sys/sysctl.h>
+
+static int
+sysctl_ncpus(void) {
+	int ncpu, result;
+	size_t len;
+
+	len = sizeof(ncpu);
+	result = sysctlbyname("hw.ncpu", &ncpu, &len , 0, 0);
+	if (result != -1)
+		return (ncpu);
+	return (0);
+}
+#endif
+
+unsigned int
+isc_os_ncpus(void) {
+	long ncpus = 0;
+
+#ifdef __hpux
+	ncpus = hpux_ncpus();
+#elif defined(HAVE_SYSCONF)
+	ncpus = sysconf_ncpus();
+#endif
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+	if (ncpus <= 0)
+		ncpus = sysctl_ncpus();
+#endif
+	if (ncpus <= 0)
+		ncpus = 1;
+
+	return ((unsigned int)ncpus);
+}
diff --git a/lib/isc/unix/pk11_api.c b/lib/isc/unix/pk11_api.c
new file mode 100644
index 0000000..bbc55af
--- /dev/null
+++ b/lib/isc/unix/pk11_api.c
@@ -0,0 +1,681 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+#include <dlfcn.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pkcs11/cryptoki.h>
+#include <pkcs11/pkcs11.h>
+
+#define KEEP_PKCS11_NAMES
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+
+static void *hPK11 = NULL;
+static char loaderrmsg[1024];
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+	CK_C_Initialize sym;
+
+	if (hPK11 != NULL)
+		return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+	hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+
+	if (hPK11 == NULL) {
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "dlopen(\"%s\") failed: %s\n",
+			 pk11_get_lib_name(), dlerror());
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(pReserved);
+}
+
+char *pk11_get_load_error_message(void) {
+	return (loaderrmsg);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+	CK_C_Finalize sym;
+	CK_RV rv;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	rv = (*sym)(pReserved);
+	if ((rv == CKR_OK) && (dlclose(hPK11) != 0))
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	hPK11 = NULL;
+	return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList,
+		   CK_ULONG_PTR pulCount)
+{
+	static CK_C_GetSlotList sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetSlotList)dlsym(hPK11, "C_GetSlotList");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) {
+	static CK_C_GetTokenInfo sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetTokenInfo)dlsym(hPK11, "C_GetTokenInfo");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+			CK_MECHANISM_INFO_PTR pInfo)
+{
+	static CK_C_GetMechanismInfo sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetMechanismInfo)dlsym(hPK11,
+						   "C_GetMechanismInfo");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+		   CK_VOID_PTR pApplication,
+		   CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				     CK_NOTIFICATION event,
+				     CK_VOID_PTR pApplication),
+		   CK_SESSION_HANDLE_PTR phSession)
+{
+	static CK_C_OpenSession sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		hPK11 = dlopen(pk11_get_lib_name(), RTLD_NOW);
+	if (hPK11 == NULL) {
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "dlopen(\"%s\") failed: %s\n",
+			 pk11_get_lib_name(), dlerror());
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+	static CK_C_CloseSession sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+	     CK_CHAR_PTR pPin, CK_ULONG usPinLen)
+{
+	static CK_C_Login sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+	static CK_C_Logout sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Logout)dlsym(hPK11, "C_Logout");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phObject)
+{
+	static CK_C_CreateObject sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+	static CK_C_DestroyObject sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+	static CK_C_GetAttributeValue sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GetAttributeValue)dlsym(hPK11,
+						    "C_GetAttributeValue");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
+			 CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+	static CK_C_SetAttributeValue sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SetAttributeValue)dlsym(hPK11,
+						    "C_SetAttributeValue");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
+		       CK_ULONG usCount)
+{
+	static CK_C_FindObjectsInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
+		   CK_ULONG usMaxObjectCount, CK_ULONG_PTR pusObjectCount)
+{
+	static CK_C_FindObjects sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+	static CK_C_FindObjectsFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_FindObjectsFinal)dlsym(hPK11,
+						   "C_FindObjectsFinal");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_EncryptInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_EncryptInit)dlsym(hPK11, "C_EncryptInit");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen)
+{
+	static CK_C_Encrypt sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Encrypt)dlsym(hPK11, "C_Encrypt");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen,
+		      pEncryptedData, pulEncryptedDataLen);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) {
+	static CK_C_DigestInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestInit)dlsym(hPK11, "C_DigestInit");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen)
+{
+	static CK_C_DigestUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestUpdate)dlsym(hPK11, "C_DigestUpdate");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+		   CK_ULONG_PTR pulDigestLen)
+{
+	static CK_C_DigestFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DigestFinal)dlsym(hPK11, "C_DigestFinal");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_SignInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignInit)dlsym(hPK11, "C_SignInit");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	    CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+	    CK_ULONG_PTR pulSignatureLen)
+{
+	static CK_C_Sign sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Sign)dlsym(hPK11, "C_Sign");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		  CK_ULONG ulPartLen)
+{
+	static CK_C_SignUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignUpdate)dlsym(hPK11, "C_SignUpdate");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		 CK_ULONG_PTR pulSignatureLen)
+{
+	static CK_C_SignFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SignFinal)dlsym(hPK11, "C_SignFinal");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		  CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_VerifyInit sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyInit)dlsym(hPK11, "C_VerifyInit");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+	      CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+	      CK_ULONG ulSignatureLen)
+{
+	static CK_C_Verify sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_Verify)dlsym(hPK11, "C_Verify");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+		    CK_ULONG ulPartLen)
+{
+	static CK_C_VerifyUpdate sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyUpdate)dlsym(hPK11, "C_VerifyUpdate");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+		   CK_ULONG ulSignatureLen)
+{
+	static CK_C_VerifyFinal sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_VerifyFinal)dlsym(hPK11, "C_VerifyFinal");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		   CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+		   CK_OBJECT_HANDLE_PTR phKey)
+{
+	static CK_C_GenerateKey sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateKey)dlsym(hPK11, "C_GenerateKey");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		       CK_MECHANISM_PTR pMechanism,
+		       CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		       CK_ULONG usPublicKeyAttributeCount,
+		       CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		       CK_ULONG usPrivateKeyAttributeCount,
+		       CK_OBJECT_HANDLE_PTR phPrivateKey,
+		       CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+	static CK_C_GenerateKeyPair sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession,
+		      pMechanism,
+		      pPublicKeyTemplate,
+		      usPublicKeyAttributeCount,
+		      pPrivateKeyTemplate,
+		      usPrivateKeyAttributeCount,
+		      phPrivateKey,
+		      phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+		 CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate,
+		 CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
+{
+	static CK_C_DeriveKey sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_DeriveKey)dlsym(hPK11, "C_DeriveKey");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession,
+		      pMechanism,
+		      hBaseKey,
+		      pTemplate,
+		      ulAttributeCount,
+		      phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+		  CK_ULONG ulSeedLen)
+{
+	static CK_C_SeedRandom sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_SeedRandom)dlsym(hPK11, "C_SeedRandom");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR RandomData,
+		      CK_ULONG ulRandomLen)
+{
+	static CK_C_GenerateRandom sym = NULL;
+	static void *pPK11 = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if ((sym == NULL) || (hPK11 != pPK11)) {
+		pPK11 = hPK11;
+		sym = (CK_C_GenerateRandom)dlsym(hPK11, "C_GenerateRandom");
+	}
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, RandomData, ulRandomLen);
+}
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
new file mode 100644
index 0000000..6d5c5aa
--- /dev/null
+++ b/lib/isc/unix/resource.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <sys/types.h>
+#include <sys/time.h>	/* Required on some systems for <sys/resource.h>. */
+#include <sys/resource.h>
+
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#ifdef __linux__
+#include <linux/fs.h>	/* To get the large NR_OPEN. */
+#endif
+
+#if defined(__hpux) && defined(HAVE_SYS_DYNTUNE_H)
+#include <sys/dyntune.h>
+#endif
+
+#include "errno2result.h"
+
+static isc_result_t
+resource2rlim(isc_resource_t resource, int *rlim_resource) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	switch (resource) {
+	case isc_resource_coresize:
+		*rlim_resource = RLIMIT_CORE;
+		break;
+	case isc_resource_cputime:
+		*rlim_resource = RLIMIT_CPU;
+		break;
+	case isc_resource_datasize:
+		*rlim_resource = RLIMIT_DATA;
+		break;
+	case isc_resource_filesize:
+		*rlim_resource = RLIMIT_FSIZE;
+		break;
+	case isc_resource_lockedmemory:
+#ifdef RLIMIT_MEMLOCK
+		*rlim_resource = RLIMIT_MEMLOCK;
+#else
+		result = ISC_R_NOTIMPLEMENTED;
+#endif
+		break;
+	case isc_resource_openfiles:
+#ifdef RLIMIT_NOFILE
+		*rlim_resource = RLIMIT_NOFILE;
+#else
+		result = ISC_R_NOTIMPLEMENTED;
+#endif
+		break;
+	case isc_resource_processes:
+#ifdef RLIMIT_NPROC
+		*rlim_resource = RLIMIT_NPROC;
+#else
+		result = ISC_R_NOTIMPLEMENTED;
+#endif
+		break;
+	case isc_resource_residentsize:
+#ifdef RLIMIT_RSS
+		*rlim_resource = RLIMIT_RSS;
+#else
+		result = ISC_R_NOTIMPLEMENTED;
+#endif
+		break;
+	case isc_resource_stacksize:
+		*rlim_resource = RLIMIT_STACK;
+		break;
+	default:
+		/*
+		 * This test is not very robust if isc_resource_t
+		 * changes, but generates a clear assertion message.
+		 */
+		REQUIRE(resource >= isc_resource_coresize &&
+			resource <= isc_resource_stacksize);
+
+		result = ISC_R_RANGE;
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
+	struct rlimit rl;
+	ISC_PLATFORM_RLIMITTYPE rlim_value;
+	int unixresult;
+	int unixresource;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (value == ISC_RESOURCE_UNLIMITED)
+		rlim_value = RLIM_INFINITY;
+
+	else {
+		/*
+		 * isc_resourcevalue_t was chosen as an unsigned 64 bit
+		 * integer so that it could contain the maximum range of
+		 * reasonable values.  Unfortunately, this exceeds the typical
+		 * range on Unix systems.  Ensure the range of
+		 * ISC_PLATFORM_RLIMITTYPE is not overflowed.
+		 */
+		isc_resourcevalue_t rlim_max;
+		bool rlim_t_is_signed =
+			(((double)(ISC_PLATFORM_RLIMITTYPE)-1) < 0);
+
+		if (rlim_t_is_signed)
+			rlim_max = ~((ISC_PLATFORM_RLIMITTYPE)1 <<
+				     (sizeof(ISC_PLATFORM_RLIMITTYPE) * 8 - 1));
+		else
+			rlim_max = (ISC_PLATFORM_RLIMITTYPE)-1;
+
+		if (value > rlim_max)
+			value = rlim_max;
+
+		rlim_value = value;
+	}
+
+	rl.rlim_cur = rl.rlim_max = rlim_value;
+	unixresult = setrlimit(unixresource, &rl);
+
+	if (unixresult == 0)
+		return (ISC_R_SUCCESS);
+
+#if defined(OPEN_MAX) && defined(__APPLE__)
+	/*
+	 * The Darwin kernel doesn't accept RLIM_INFINITY for rlim_cur; the
+	 * maximum possible value is OPEN_MAX.  BIND8 used to use
+	 * sysconf(_SC_OPEN_MAX) for such a case, but this value is much
+	 * smaller than OPEN_MAX and is not really effective.
+	 */
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		rl.rlim_cur = OPEN_MAX;
+		unixresult = setrlimit(unixresource, &rl);
+		if (unixresult == 0)
+			return (ISC_R_SUCCESS);
+	}
+#elif defined(__linux__)
+#ifndef NR_OPEN
+#define NR_OPEN (1024*1024)
+#endif
+
+	/*
+	 * Some Linux kernels don't accept RLIM_INFINIT; the maximum
+	 * possible value is the NR_OPEN defined in linux/fs.h.
+	 */
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		rl.rlim_cur = rl.rlim_max = NR_OPEN;
+		unixresult = setrlimit(unixresource, &rl);
+		if (unixresult == 0)
+			return (ISC_R_SUCCESS);
+	}
+#elif defined(__hpux) && defined(HAVE_SYS_DYNTUNE_H)
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		uint64_t maxfiles;
+		if (gettune("maxfiles_lim", &maxfiles) == 0) {
+			rl.rlim_cur = rl.rlim_max = maxfiles;
+			unixresult = setrlimit(unixresource, &rl);
+			if (unixresult == 0)
+				return (ISC_R_SUCCESS);
+		}
+	}
+#endif
+	if (resource == isc_resource_openfiles && rlim_value == RLIM_INFINITY) {
+		if (getrlimit(unixresource, &rl) == 0) {
+			rl.rlim_cur = rl.rlim_max;
+			unixresult = setrlimit(unixresource, &rl);
+			if (unixresult == 0)
+				return (ISC_R_SUCCESS);
+		}
+	}
+	return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	int unixresult;
+	int unixresource;
+	struct rlimit rl;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result == ISC_R_SUCCESS) {
+		unixresult = getrlimit(unixresource, &rl);
+		INSIST(unixresult == 0);
+		*value = rl.rlim_max;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	int unixresult;
+	int unixresource;
+	struct rlimit rl;
+	isc_result_t result;
+
+	result = resource2rlim(resource, &unixresource);
+	if (result == ISC_R_SUCCESS) {
+		unixresult = getrlimit(unixresource, &rl);
+		INSIST(unixresult == 0);
+		*value = rl.rlim_cur;
+	}
+
+	return (result);
+}
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
new file mode 100644
index 0000000..5a40768
--- /dev/null
+++ b/lib/isc/unix/socket.c
@@ -0,0 +1,6848 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#ifdef HAVE_SYS_SYSCTL_H
+#include <sys/sysctl.h>
+#endif
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H)
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#endif
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/condition.h>
+#include <isc/formatcheck.h>
+#include <isc/json.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/resource.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+#include <isc/xml.h>
+
+#ifdef ISC_PLATFORM_HAVESYSUNH
+#include <sys/un.h>
+#endif
+#ifdef ISC_PLATFORM_HAVEKQUEUE
+#include <sys/event.h>
+#endif
+#ifdef ISC_PLATFORM_HAVEEPOLL
+#include <sys/epoll.h>
+#endif
+#ifdef ISC_PLATFORM_HAVEDEVPOLL
+#if defined(HAVE_SYS_DEVPOLL_H)
+#include <sys/devpoll.h>
+#elif defined(HAVE_DEVPOLL_H)
+#include <devpoll.h>
+#endif
+#endif
+
+#include <netinet/tcp.h>
+
+#include "errno2result.h"
+
+/* See task.c about the following definition: */
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WATCHER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif	/* ISC_PLATFORM_USETHREADS */
+
+#ifndef USE_WATCHER_THREAD
+#include "socket_p.h"
+#include "../task_p.h"
+#endif /* USE_WATCHER_THREAD */
+
+#if defined(SO_BSDCOMPAT) && defined(__linux__)
+#include <sys/utsname.h>
+#endif
+
+#ifdef ISC_PLATFORM_HAVETFO
+#include <netinet/tcp.h>
+#endif
+
+/*%
+ * Choose the most preferable multiplex method.
+ */
+#ifdef ISC_PLATFORM_HAVEKQUEUE
+#define USE_KQUEUE
+#elif defined (ISC_PLATFORM_HAVEEPOLL)
+#define USE_EPOLL
+#elif defined (ISC_PLATFORM_HAVEDEVPOLL)
+#define USE_DEVPOLL
+typedef struct {
+	unsigned int want_read : 1,
+		want_write : 1;
+} pollinfo_t;
+#else
+#define USE_SELECT
+#endif	/* ISC_PLATFORM_HAVEKQUEUE */
+
+#ifndef USE_WATCHER_THREAD
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+struct isc_socketwait {
+	int nevents;
+};
+#elif defined (USE_SELECT)
+struct isc_socketwait {
+	fd_set *readset;
+	fd_set *writeset;
+	int nfds;
+	int maxfd;
+};
+#endif	/* USE_KQUEUE */
+#endif /* !USE_WATCHER_THREAD */
+
+/*
+ * Set by the -T dscp option on the command line. If set to a value
+ * other than -1, we check to make sure DSCP values match it, and
+ * assert if not.
+ */
+int isc_dscp_check_value = -1;
+
+/*%
+ * Maximum number of allowable open sockets.  This is also the maximum
+ * allowable socket file descriptor.
+ *
+ * Care should be taken before modifying this value for select():
+ * The API standard doesn't ensure select() accept more than (the system default
+ * of) FD_SETSIZE descriptors, and the default size should in fact be fine in
+ * the vast majority of cases.  This constant should therefore be increased only
+ * when absolutely necessary and possible, i.e., the server is exhausting all
+ * available file descriptors (up to FD_SETSIZE) and the select() function
+ * and FD_xxx macros support larger values than FD_SETSIZE (which may not
+ * always by true, but we keep using some of them to ensure as much
+ * portability as possible).  Note also that overall server performance
+ * may be rather worsened with a larger value of this constant due to
+ * inherent scalability problems of select().
+ *
+ * As a special note, this value shouldn't have to be touched if
+ * this is a build for an authoritative only DNS server.
+ */
+#ifndef ISC_SOCKET_MAXSOCKETS
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+#ifdef TUNE_LARGE
+#define ISC_SOCKET_MAXSOCKETS 21000
+#else
+#define ISC_SOCKET_MAXSOCKETS 4096
+#endif /* TUNE_LARGE */
+#elif defined(USE_SELECT)
+#define ISC_SOCKET_MAXSOCKETS FD_SETSIZE
+#endif	/* USE_KQUEUE... */
+#endif	/* ISC_SOCKET_MAXSOCKETS */
+
+#ifdef USE_SELECT
+/*%
+ * Mac OS X needs a special definition to support larger values in select().
+ * We always define this because a larger value can be specified run-time.
+ */
+#ifdef __APPLE__
+#define _DARWIN_UNLIMITED_SELECT
+#endif	/* __APPLE__ */
+#endif	/* USE_SELECT */
+
+#ifdef ISC_SOCKET_USE_POLLWATCH
+/*%
+ * If this macro is defined, enable workaround for a Solaris /dev/poll kernel
+ * bug: DP_POLL ioctl could keep sleeping even if socket I/O is possible for
+ * some of the specified FD.  The idea is based on the observation that it's
+ * likely for a busy server to keep receiving packets.  It specifically works
+ * as follows: the socket watcher is first initialized with the state of
+ * "poll_idle".  While it's in the idle state it keeps sleeping until a socket
+ * event occurs.  When it wakes up for a socket I/O event, it moves to the
+ * poll_active state, and sets the poll timeout to a short period
+ * (ISC_SOCKET_POLLWATCH_TIMEOUT msec).  If timeout occurs in this state, the
+ * watcher goes to the poll_checking state with the same timeout period.
+ * In this state, the watcher tries to detect whether this is a break
+ * during intermittent events or the kernel bug is triggered.  If the next
+ * polling reports an event within the short period, the previous timeout is
+ * likely to be a kernel bug, and so the watcher goes back to the active state.
+ * Otherwise, it moves to the idle state again.
+ *
+ * It's not clear whether this is a thread-related bug, but since we've only
+ * seen this with threads, this workaround is used only when enabling threads.
+ */
+
+typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
+
+#ifndef ISC_SOCKET_POLLWATCH_TIMEOUT
+#define ISC_SOCKET_POLLWATCH_TIMEOUT 10
+#endif	/* ISC_SOCKET_POLLWATCH_TIMEOUT */
+#endif	/* ISC_SOCKET_USE_POLLWATCH */
+
+/*%
+ * Size of per-FD lock buckets.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+#define FDLOCK_COUNT		1024
+#define FDLOCK_ID(fd)		((fd) % FDLOCK_COUNT)
+#else
+#define FDLOCK_COUNT		1
+#define FDLOCK_ID(fd)		0
+#endif	/* ISC_PLATFORM_USETHREADS */
+
+/*%
+ * Maximum number of events communicated with the kernel.  There should normally
+ * be no need for having a large number.
+ */
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+#ifndef ISC_SOCKET_MAXEVENTS
+#ifdef TUNE_LARGE
+#define ISC_SOCKET_MAXEVENTS	2048
+#else
+#define ISC_SOCKET_MAXEVENTS	64
+#endif /* TUNE_LARGE */
+#endif
+#endif
+
+/*%
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t.  This is here so it can be easily changed if needed.
+ */
+#ifndef ISC_SOCKADDR_LEN_T
+#define ISC_SOCKADDR_LEN_T unsigned int
+#endif
+
+/*%
+ * Define what the possible "soft" errors can be.  These are non-fatal returns
+ * of various network related functions, like recv() and so on.
+ *
+ * For some reason, BSDI (and perhaps others) will sometimes return <0
+ * from recv() but will have errno==0.  This is broken, but we have to
+ * work around it here.
+ */
+#define SOFT_ERROR(e)	((e) == EAGAIN || \
+			 (e) == EWOULDBLOCK || \
+			 (e) == ENOBUFS || \
+			 (e) == EINTR || \
+			 (e) == 0)
+
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
+
+/*!<
+ * DLVL(90)  --  Function entry/exit and other tracing.
+ * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
+ * DLVL(60)  --  Socket data send/receive
+ * DLVL(50)  --  Event tracing, including receiving/sending completion events.
+ * DLVL(20)  --  Socket creation/destruction.
+ */
+#define TRACE_LEVEL		90
+#define CORRECTNESS_LEVEL	70
+#define IOEVENT_LEVEL		60
+#define EVENT_LEVEL		50
+#define CREATION_LEVEL		20
+
+#define TRACE		DLVL(TRACE_LEVEL)
+#define CORRECTNESS	DLVL(CORRECTNESS_LEVEL)
+#define IOEVENT		DLVL(IOEVENT_LEVEL)
+#define EVENT		DLVL(EVENT_LEVEL)
+#define CREATION	DLVL(CREATION_LEVEL)
+
+typedef isc_event_t intev_t;
+
+#define SOCKET_MAGIC		ISC_MAGIC('I', 'O', 'i', 'o')
+#define VALID_SOCKET(s)		ISC_MAGIC_VALID(s, SOCKET_MAGIC)
+
+/*!
+ * IPv6 control information.  If the socket is an IPv6 socket we want
+ * to collect the destination address and interface so the client can
+ * set them on outgoing packets.
+ */
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifndef USE_CMSG
+#define USE_CMSG	1
+#endif
+#endif
+
+/*%
+ * NetBSD and FreeBSD can timestamp packets.  XXXMLG Should we have
+ * a setsockopt() like interface to request timestamps, and if the OS
+ * doesn't do it for us, call gettimeofday() on every UDP receive?
+ */
+#ifdef SO_TIMESTAMP
+#ifndef USE_CMSG
+#define USE_CMSG	1
+#endif
+#endif
+
+/*%
+ * The size to raise the receive buffer to (from BIND 8).
+ */
+#ifdef TUNE_LARGE
+#ifdef sun
+#define RCVBUFSIZE (1*1024*1024)
+#else
+#define RCVBUFSIZE (16*1024*1024)
+#endif
+#else
+#define RCVBUFSIZE (32*1024)
+#endif /* TUNE_LARGE */
+
+/*%
+ * Instead of calculating the cmsgbuf lengths every time we take
+ * a rule of thumb approach - sizes are taken from x86_64 linux,
+ * multiplied by 2, everything should fit. Those sizes are not
+ * large enough to cause any concern.
+ */
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+#define CMSG_SP_IN6PKT 40
+#else
+#define CMSG_SP_IN6PKT 0
+#endif
+
+#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
+#define CMSG_SP_TIMESTAMP 32
+#else
+#define CMSG_SP_TIMESTAMP 0
+#endif
+
+#if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS))
+#define CMSG_SP_TCTOS 24
+#else
+#define CMSG_SP_TCTOS 0
+#endif
+
+#define CMSG_SP_INT 24
+
+/* Align cmsg buffers to be safe on SPARC etc. */
+#define RECVCMSGBUFLEN ISC_ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1, sizeof(void*))
+#define SENDCMSGBUFLEN ISC_ALIGN(2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1, sizeof(void*))
+
+/*%
+ * The number of times a send operation is repeated if the result is EINTR.
+ */
+#define NRETRIES 10
+
+typedef struct isc__socket isc__socket_t;
+typedef struct isc__socketmgr isc__socketmgr_t;
+
+#define NEWCONNSOCK(ev) ((isc__socket_t *)(ev)->newsocket)
+
+struct isc__socket {
+	/* Not locked. */
+	isc_socket_t		common;
+	isc__socketmgr_t	*manager;
+	isc_mutex_t		lock;
+	isc_sockettype_t	type;
+	const isc_statscounter_t	*statsindex;
+
+	/* Locked by socket lock. */
+	ISC_LINK(isc__socket_t)	link;
+	unsigned int		references;
+	int			fd;
+	int			pf;
+	char				name[16];
+	void *				tag;
+
+	ISC_LIST(isc_socketevent_t)		send_list;
+	ISC_LIST(isc_socketevent_t)		recv_list;
+	ISC_LIST(isc_socket_newconnev_t)	accept_list;
+	ISC_LIST(isc_socket_connev_t)		connect_list;
+
+	/*
+	 * Internal events.  Posted when a descriptor is readable or
+	 * writable.  These are statically allocated and never freed.
+	 * They will be set to non-purgable before use.
+	 */
+	intev_t			readable_ev;
+	intev_t			writable_ev;
+
+	isc_sockaddr_t		peer_address;       /* remote address */
+
+	unsigned int		pending_recv : 1,
+				pending_send : 1,
+				pending_accept : 1,
+				listener : 1,       /* listener socket */
+				connected : 1,
+				connecting : 1,     /* connect pending */
+				bound : 1,          /* bound to local addr */
+				dupped : 1,
+				active : 1,         /* currently active */
+				pktdscp : 1;	    /* per packet dscp */
+
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	unsigned char		overflow; /* used for MSG_TRUNC fake */
+#endif
+
+	void			*fdwatcharg;
+	isc_sockfdwatch_t	fdwatchcb;
+	int			fdwatchflags;
+	isc_task_t		*fdwatchtask;
+	unsigned int		dscp;
+};
+
+#define SOCKET_MANAGER_MAGIC	ISC_MAGIC('I', 'O', 'm', 'g')
+#define VALID_MANAGER(m)	ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
+
+struct isc__socketmgr {
+	/* Not locked. */
+	isc_socketmgr_t		common;
+	isc_mem_t	       *mctx;
+	isc_mutex_t		lock;
+	isc_mutex_t		*fdlock;
+	isc_stats_t		*stats;
+#ifdef USE_KQUEUE
+	int			kqueue_fd;
+	int			nevents;
+	struct kevent		*events;
+#endif	/* USE_KQUEUE */
+#ifdef USE_EPOLL
+	int			epoll_fd;
+	int			nevents;
+	struct epoll_event	*events;
+#endif	/* USE_EPOLL */
+#ifdef USE_DEVPOLL
+	int			devpoll_fd;
+	isc_resourcevalue_t	open_max;
+	unsigned int		calls;
+	int			nevents;
+	struct pollfd		*events;
+#endif	/* USE_DEVPOLL */
+#ifdef USE_SELECT
+	int			fd_bufsize;
+#endif	/* USE_SELECT */
+	unsigned int		maxsocks;
+#ifdef ISC_PLATFORM_USETHREADS
+	int			pipe_fds[2];
+#endif
+
+	/* Locked by fdlock. */
+	isc__socket_t	       **fds;
+	int			*fdstate;
+#if defined(USE_EPOLL)
+	uint32_t		*epoll_events;
+#endif
+#ifdef USE_DEVPOLL
+	pollinfo_t		*fdpollinfo;
+#endif
+
+	/* Locked by manager lock. */
+	ISC_LIST(isc__socket_t)	socklist;
+#ifdef USE_SELECT
+	fd_set			*read_fds;
+	fd_set			*read_fds_copy;
+	fd_set			*write_fds;
+	fd_set			*write_fds_copy;
+	int			maxfd;
+#endif	/* USE_SELECT */
+	int			reserved;	/* unlocked */
+#ifdef USE_WATCHER_THREAD
+	isc_thread_t		watcher;
+	isc_condition_t		shutdown_ok;
+#else /* USE_WATCHER_THREAD */
+	unsigned int		refs;
+#endif /* USE_WATCHER_THREAD */
+	int			maxudp;
+};
+
+#ifdef USE_SHARED_MANAGER
+static isc__socketmgr_t *socketmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+#define CLOSED			0	/* this one must be zero */
+#define MANAGED			1
+#define CLOSE_PENDING		2
+
+/*
+ * send() and recv() iovec counts
+ */
+#define MAXSCATTERGATHER_SEND	(ISC_SOCKET_MAXSCATTERGATHER)
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+# define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER + 1)
+#else
+# define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER)
+#endif
+
+static isc_result_t socket_create(isc_socketmgr_t *manager0, int pf,
+				  isc_sockettype_t type,
+				  isc_socket_t **socketp,
+				  isc_socket_t *dup_socket);
+static void send_recvdone_event(isc__socket_t *, isc_socketevent_t **);
+static void send_senddone_event(isc__socket_t *, isc_socketevent_t **);
+static void send_connectdone_event(isc__socket_t *, isc_socket_connev_t **);
+static void free_socket(isc__socket_t **);
+static isc_result_t allocate_socket(isc__socketmgr_t *, isc_sockettype_t,
+				    isc__socket_t **);
+static void destroy(isc__socket_t **);
+static void internal_accept(isc_task_t *, isc_event_t *);
+static void internal_connect(isc_task_t *, isc_event_t *);
+static void internal_recv(isc_task_t *, isc_event_t *);
+static void internal_send(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
+static void process_cmsg(isc__socket_t *, struct msghdr *, isc_socketevent_t *);
+static void build_msghdr_send(isc__socket_t *, char *, isc_socketevent_t *,
+			      struct msghdr *, struct iovec *, size_t *);
+static void build_msghdr_recv(isc__socket_t *, char *, isc_socketevent_t *,
+			      struct msghdr *, struct iovec *, size_t *);
+#ifdef USE_WATCHER_THREAD
+static bool process_ctlfd(isc__socketmgr_t *manager);
+#endif
+static void setdscp(isc__socket_t *sock, isc_dscp_t dscp);
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+
+isc_result_t
+isc__socket_open(isc_socket_t *sock0);
+isc_result_t
+isc__socket_close(isc_socket_t *sock0);
+isc_result_t
+isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		   isc_socket_t **socketp);
+void
+isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+void
+isc__socket_detach(isc_socket_t **socketp);
+isc_result_t
+isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 unsigned int minimum, isc_task_t *task,
+		  isc_taskaction_t action, void *arg);
+isc_result_t
+isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, void *arg);
+isc_result_t
+isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags);
+isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc__socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		     unsigned int flags);
+isc_result_t
+isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags);
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender,
+		       isc_eventtype_t eventtype, isc_taskaction_t action,
+		       void *arg);
+
+void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, bool active);
+isc_result_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, uint32_t perm,
+		     uint32_t owner, uint32_t group);
+isc_result_t
+isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		 unsigned int options);
+isc_result_t
+isc__socket_filter(isc_socket_t *sock, const char *filter);
+isc_result_t
+isc__socket_listen(isc_socket_t *sock, unsigned int backlog);
+isc_result_t
+isc__socket_accept(isc_socket_t *sock,
+		   isc_task_t *task, isc_taskaction_t action, void *arg);
+isc_result_t
+isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+		    isc_task_t *task, isc_taskaction_t action,
+		    void *arg);
+isc_result_t
+isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+isc_result_t
+isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+void
+isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how);
+isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock);
+bool
+isc__socket_isbound(isc_socket_t *sock);
+void
+isc__socket_ipv6only(isc_socket_t *sock, bool yes);
+void
+isc__socket_dscp(isc_socket_t *sock, isc_dscp_t dscp);
+isc_result_t
+isc__socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+			  isc_sockfdwatch_t callback, void *cbarg,
+			  isc_task_t *task, isc_socket_t **socketp);
+isc_result_t
+isc__socket_fdwatchpoke(isc_socket_t *sock, int flags);
+isc_result_t
+isc__socket_dup(isc_socket_t *sock, isc_socket_t **socketp);
+int
+isc__socket_getfd(isc_socket_t *sock);
+
+isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks);
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager0, unsigned int *nsockp);
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager0, isc_stats_t *stats);
+void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp);
+void
+isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag);
+const char *
+isc__socket_getname(isc_socket_t *socket0);
+void *
+isc__socket_gettag(isc_socket_t *socket0);
+
+#ifdef HAVE_LIBXML2
+void
+isc__socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer);
+#endif
+#ifdef HAVE_JSON
+isc_result_t
+isc__socketmgr_renderjson(isc_socketmgr_t *mgr0, json_object *stats);
+#endif
+
+static struct {
+	isc_socketmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *recvv, *send, *sendv, *sendto2, *cleanunix, *permunix, *filter,
+	     *listen, *accept, *getpeername, *isbound;
+} socketmethods = {
+	{
+		isc__socket_attach,
+		isc__socket_detach,
+		isc__socket_bind,
+		isc__socket_sendto,
+		isc__socket_sendto2,
+		isc__socket_connect,
+		isc__socket_recv,
+		isc__socket_recv2,
+		isc__socket_cancel,
+		isc__socket_getsockname,
+		isc__socket_gettype,
+		isc__socket_ipv6only,
+		isc__socket_fdwatchpoke,
+		isc__socket_dup,
+		isc__socket_getfd,
+		isc__socket_dscp
+	},
+	(void *)isc__socket_recvv, (void *)isc__socket_send,
+	(void *)isc__socket_sendv, (void *)isc__socket_sendto2,
+	(void *)isc__socket_cleanunix, (void *)isc__socket_permunix,
+	(void *)isc__socket_filter, (void *)isc__socket_listen,
+	(void *)isc__socket_accept, (void *)isc__socket_getpeername,
+	(void *)isc__socket_isbound
+};
+
+static isc_socketmgrmethods_t socketmgrmethods = {
+	isc__socketmgr_destroy,
+	isc__socket_create,
+	isc__socket_fdwatchcreate
+};
+
+#define SELECT_POKE_SHUTDOWN		(-1)
+#define SELECT_POKE_NOTHING		(-2)
+#define SELECT_POKE_READ		(-3)
+#define SELECT_POKE_ACCEPT		(-3) /*%< Same as _READ */
+#define SELECT_POKE_WRITE		(-4)
+#define SELECT_POKE_CONNECT		(-4) /*%< Same as _WRITE */
+#define SELECT_POKE_CLOSE		(-5)
+
+#define SOCK_DEAD(s)			((s)->references == 0)
+
+/*%
+ * Shortcut index arrays to get access to statistics counters.
+ */
+enum {
+	STATID_OPEN = 0,
+	STATID_OPENFAIL = 1,
+	STATID_CLOSE = 2,
+	STATID_BINDFAIL = 3,
+	STATID_CONNECTFAIL = 4,
+	STATID_CONNECT = 5,
+	STATID_ACCEPTFAIL = 6,
+	STATID_ACCEPT = 7,
+	STATID_SENDFAIL = 8,
+	STATID_RECVFAIL = 9,
+	STATID_ACTIVE = 10
+};
+static const isc_statscounter_t udp4statsindex[] = {
+	isc_sockstatscounter_udp4open,
+	isc_sockstatscounter_udp4openfail,
+	isc_sockstatscounter_udp4close,
+	isc_sockstatscounter_udp4bindfail,
+	isc_sockstatscounter_udp4connectfail,
+	isc_sockstatscounter_udp4connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp4sendfail,
+	isc_sockstatscounter_udp4recvfail,
+	isc_sockstatscounter_udp4active
+};
+static const isc_statscounter_t udp6statsindex[] = {
+	isc_sockstatscounter_udp6open,
+	isc_sockstatscounter_udp6openfail,
+	isc_sockstatscounter_udp6close,
+	isc_sockstatscounter_udp6bindfail,
+	isc_sockstatscounter_udp6connectfail,
+	isc_sockstatscounter_udp6connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp6sendfail,
+	isc_sockstatscounter_udp6recvfail,
+	isc_sockstatscounter_udp6active
+};
+static const isc_statscounter_t tcp4statsindex[] = {
+	isc_sockstatscounter_tcp4open,
+	isc_sockstatscounter_tcp4openfail,
+	isc_sockstatscounter_tcp4close,
+	isc_sockstatscounter_tcp4bindfail,
+	isc_sockstatscounter_tcp4connectfail,
+	isc_sockstatscounter_tcp4connect,
+	isc_sockstatscounter_tcp4acceptfail,
+	isc_sockstatscounter_tcp4accept,
+	isc_sockstatscounter_tcp4sendfail,
+	isc_sockstatscounter_tcp4recvfail,
+	isc_sockstatscounter_tcp4active
+};
+static const isc_statscounter_t tcp6statsindex[] = {
+	isc_sockstatscounter_tcp6open,
+	isc_sockstatscounter_tcp6openfail,
+	isc_sockstatscounter_tcp6close,
+	isc_sockstatscounter_tcp6bindfail,
+	isc_sockstatscounter_tcp6connectfail,
+	isc_sockstatscounter_tcp6connect,
+	isc_sockstatscounter_tcp6acceptfail,
+	isc_sockstatscounter_tcp6accept,
+	isc_sockstatscounter_tcp6sendfail,
+	isc_sockstatscounter_tcp6recvfail,
+	isc_sockstatscounter_tcp6active
+};
+static const isc_statscounter_t unixstatsindex[] = {
+	isc_sockstatscounter_unixopen,
+	isc_sockstatscounter_unixopenfail,
+	isc_sockstatscounter_unixclose,
+	isc_sockstatscounter_unixbindfail,
+	isc_sockstatscounter_unixconnectfail,
+	isc_sockstatscounter_unixconnect,
+	isc_sockstatscounter_unixacceptfail,
+	isc_sockstatscounter_unixaccept,
+	isc_sockstatscounter_unixsendfail,
+	isc_sockstatscounter_unixrecvfail,
+	isc_sockstatscounter_unixactive
+};
+static const isc_statscounter_t fdwatchstatsindex[] = {
+	-1,
+	-1,
+	isc_sockstatscounter_fdwatchclose,
+	isc_sockstatscounter_fdwatchbindfail,
+	isc_sockstatscounter_fdwatchconnectfail,
+	isc_sockstatscounter_fdwatchconnect,
+	-1,
+	-1,
+	isc_sockstatscounter_fdwatchsendfail,
+	isc_sockstatscounter_fdwatchrecvfail,
+	-1
+};
+static const isc_statscounter_t rawstatsindex[] = {
+	isc_sockstatscounter_rawopen,
+	isc_sockstatscounter_rawopenfail,
+	isc_sockstatscounter_rawclose,
+	-1,
+	-1,
+	-1,
+	-1,
+	-1,
+	-1,
+	isc_sockstatscounter_rawrecvfail,
+	isc_sockstatscounter_rawactive
+};
+
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \
+    defined(USE_WATCHER_THREAD)
+static void
+manager_log(isc__socketmgr_t *sockmgr,
+	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	    const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+static void
+manager_log(isc__socketmgr_t *sockmgr,
+	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	    const char *fmt, ...)
+{
+	char msgbuf[2048];
+	va_list ap;
+
+	if (! isc_log_wouldlog(isc_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level,
+		      "sockmgr %p: %s", sockmgr, msgbuf);
+}
+#endif
+
+static void
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   isc_msgcat_t *msgcat, int msgset, int message,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
+static void
+socket_log(isc__socket_t *sock, isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   isc_msgcat_t *msgcat, int msgset, int message,
+	   const char *fmt, ...)
+{
+	char msgbuf[2048];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	va_list ap;
+
+	if (! isc_log_wouldlog(isc_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (address == NULL) {
+		isc_log_iwrite(isc_lctx, category, module, level,
+			       msgcat, msgset, message,
+			       "socket %p: %s", sock, msgbuf);
+	} else {
+		isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
+		isc_log_iwrite(isc_lctx, category, module, level,
+			       msgcat, msgset, message,
+			       "socket %p %s: %s", sock, peerbuf, msgbuf);
+	}
+}
+
+#if defined(_AIX) && defined(ISC_NET_BSD44MSGHDR) && \
+    defined(USE_CMSG) && defined(IPV6_RECVPKTINFO)
+/*
+ * AIX has a kernel bug where IPV6_RECVPKTINFO gets cleared by
+ * setting IPV6_V6ONLY.
+ */
+static void
+FIX_IPV6_RECVPKTINFO(isc__socket_t *sock)
+{
+	char strbuf[ISC_STRERRORSIZE];
+	int on = 1;
+
+	if (sock->pf != AF_INET6 || sock->type != isc_sockettype_udp)
+		return;
+
+	if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+		       (void *)&on, sizeof(on)) < 0) {
+
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, IPV6_RECVPKTINFO) "
+				 "%s: %s", sock->fd,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+	}
+}
+#else
+#define FIX_IPV6_RECVPKTINFO(sock) (void)0
+#endif
+
+/*%
+ * Increment socket-related statistics counters.
+ */
+static inline void
+inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
+	REQUIRE(counterid != -1);
+
+	if (stats != NULL)
+		isc_stats_increment(stats, counterid);
+}
+
+/*%
+ * Decrement socket-related statistics counters.
+ */
+static inline void
+dec_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
+	REQUIRE(counterid != -1);
+
+	if (stats != NULL)
+		isc_stats_decrement(stats, counterid);
+}
+
+static inline isc_result_t
+watch_fd(isc__socketmgr_t *manager, int fd, int msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+#ifdef USE_KQUEUE
+	struct kevent evchange;
+
+	memset(&evchange, 0, sizeof(evchange));
+	if (msg == SELECT_POKE_READ)
+		evchange.filter = EVFILT_READ;
+	else
+		evchange.filter = EVFILT_WRITE;
+	evchange.flags = EV_ADD;
+	evchange.ident = fd;
+	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+#elif defined(USE_EPOLL)
+	struct epoll_event event;
+	uint32_t oldevents;
+	int ret;
+	int op;
+
+	oldevents = manager->epoll_events[fd];
+	if (msg == SELECT_POKE_READ)
+		manager->epoll_events[fd] |= EPOLLIN;
+	else
+		manager->epoll_events[fd] |= EPOLLOUT;
+
+	event.events = manager->epoll_events[fd];
+	memset(&event.data, 0, sizeof(event.data));
+	event.data.fd = fd;
+
+	op = (oldevents == 0U) ? EPOLL_CTL_ADD : EPOLL_CTL_MOD;
+	ret = epoll_ctl(manager->epoll_fd, op, fd, &event);
+	if (ret == -1) {
+		if (errno == EEXIST)
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "epoll_ctl(ADD/MOD) returned "
+					 "EEXIST for fd %d", fd);
+		result = isc__errno2result(errno);
+	}
+
+	return (result);
+#elif defined(USE_DEVPOLL)
+	struct pollfd pfd;
+	int lockid = FDLOCK_ID(fd);
+
+	memset(&pfd, 0, sizeof(pfd));
+	if (msg == SELECT_POKE_READ)
+		pfd.events = POLLIN;
+	else
+		pfd.events = POLLOUT;
+	pfd.fd = fd;
+	pfd.revents = 0;
+	LOCK(&manager->fdlock[lockid]);
+	if (write(manager->devpoll_fd, &pfd, sizeof(pfd)) == -1)
+		result = isc__errno2result(errno);
+	else {
+		if (msg == SELECT_POKE_READ)
+			manager->fdpollinfo[fd].want_read = 1;
+		else
+			manager->fdpollinfo[fd].want_write = 1;
+	}
+	UNLOCK(&manager->fdlock[lockid]);
+
+	return (result);
+#elif defined(USE_SELECT)
+	LOCK(&manager->lock);
+	if (msg == SELECT_POKE_READ)
+		FD_SET(fd, manager->read_fds);
+	if (msg == SELECT_POKE_WRITE)
+		FD_SET(fd, manager->write_fds);
+	UNLOCK(&manager->lock);
+
+	return (result);
+#endif
+}
+
+static inline isc_result_t
+unwatch_fd(isc__socketmgr_t *manager, int fd, int msg) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+#ifdef USE_KQUEUE
+	struct kevent evchange;
+
+	memset(&evchange, 0, sizeof(evchange));
+	if (msg == SELECT_POKE_READ)
+		evchange.filter = EVFILT_READ;
+	else
+		evchange.filter = EVFILT_WRITE;
+	evchange.flags = EV_DELETE;
+	evchange.ident = fd;
+	if (kevent(manager->kqueue_fd, &evchange, 1, NULL, 0, NULL) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+#elif defined(USE_EPOLL)
+	struct epoll_event event;
+	int ret;
+	int op;
+
+	if (msg == SELECT_POKE_READ)
+		manager->epoll_events[fd] &= ~(EPOLLIN);
+	else
+		manager->epoll_events[fd] &= ~(EPOLLOUT);
+
+	event.events = manager->epoll_events[fd];
+	memset(&event.data, 0, sizeof(event.data));
+	event.data.fd = fd;
+
+	op = (event.events == 0U) ? EPOLL_CTL_DEL : EPOLL_CTL_MOD;
+	ret = epoll_ctl(manager->epoll_fd, op, fd, &event);
+	if (ret == -1 && errno != ENOENT) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "epoll_ctl(DEL), %d: %s", fd, strbuf);
+		result = ISC_R_UNEXPECTED;
+	}
+	return (result);
+#elif defined(USE_DEVPOLL)
+	struct pollfd pfds[2];
+	size_t writelen = sizeof(pfds[0]);
+	int lockid = FDLOCK_ID(fd);
+
+	memset(pfds, 0, sizeof(pfds));
+	pfds[0].events = POLLREMOVE;
+	pfds[0].fd = fd;
+
+	/*
+	 * Canceling read or write polling via /dev/poll is tricky.  Since it
+	 * only provides a way of canceling per FD, we may need to re-poll the
+	 * socket for the other operation.
+	 */
+	LOCK(&manager->fdlock[lockid]);
+	if (msg == SELECT_POKE_READ &&
+	    manager->fdpollinfo[fd].want_write == 1) {
+		pfds[1].events = POLLOUT;
+		pfds[1].fd = fd;
+		writelen += sizeof(pfds[1]);
+	}
+	if (msg == SELECT_POKE_WRITE &&
+	    manager->fdpollinfo[fd].want_read == 1) {
+		pfds[1].events = POLLIN;
+		pfds[1].fd = fd;
+		writelen += sizeof(pfds[1]);
+	}
+
+	if (write(manager->devpoll_fd, pfds, writelen) == -1)
+		result = isc__errno2result(errno);
+	else {
+		if (msg == SELECT_POKE_READ)
+			manager->fdpollinfo[fd].want_read = 0;
+		else
+			manager->fdpollinfo[fd].want_write = 0;
+	}
+	UNLOCK(&manager->fdlock[lockid]);
+
+	return (result);
+#elif defined(USE_SELECT)
+	LOCK(&manager->lock);
+	if (msg == SELECT_POKE_READ)
+		FD_CLR(fd, manager->read_fds);
+	else if (msg == SELECT_POKE_WRITE)
+		FD_CLR(fd, manager->write_fds);
+	UNLOCK(&manager->lock);
+
+	return (result);
+#endif
+}
+
+static void
+wakeup_socket(isc__socketmgr_t *manager, int fd, int msg) {
+	isc_result_t result;
+	int lockid = FDLOCK_ID(fd);
+
+	/*
+	 * This is a wakeup on a socket.  If the socket is not in the
+	 * process of being closed, start watching it for either reads
+	 * or writes.
+	 */
+
+	INSIST(fd >= 0 && fd < (int)manager->maxsocks);
+
+	if (msg == SELECT_POKE_CLOSE) {
+		/* No one should be updating fdstate, so no need to lock it */
+		INSIST(manager->fdstate[fd] == CLOSE_PENDING);
+		manager->fdstate[fd] = CLOSED;
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+		(void)close(fd);
+		return;
+	}
+
+	LOCK(&manager->fdlock[lockid]);
+	if (manager->fdstate[fd] == CLOSE_PENDING) {
+		UNLOCK(&manager->fdlock[lockid]);
+
+		/*
+		 * We accept (and ignore) any error from unwatch_fd() as we are
+		 * closing the socket, hoping it doesn't leave dangling state in
+		 * the kernel.
+		 * Note that unwatch_fd() must be called after releasing the
+		 * fdlock; otherwise it could cause deadlock due to a lock order
+		 * reversal.
+		 */
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+		return;
+	}
+	if (manager->fdstate[fd] != MANAGED) {
+		UNLOCK(&manager->fdlock[lockid]);
+		return;
+	}
+	UNLOCK(&manager->fdlock[lockid]);
+
+	/*
+	 * Set requested bit.
+	 */
+	result = watch_fd(manager, fd, msg);
+	if (result != ISC_R_SUCCESS) {
+		/*
+		 * XXXJT: what should we do?  Ignoring the failure of watching
+		 * a socket will make the application dysfunctional, but there
+		 * seems to be no reasonable recovery process.
+		 */
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "failed to start watching FD (%d): %s",
+			      fd, isc_result_totext(result));
+	}
+}
+
+#ifdef USE_WATCHER_THREAD
+/*
+ * Poke the select loop when there is something for us to do.
+ * The write is required (by POSIX) to complete.  That is, we
+ * will not get partial writes.
+ */
+static void
+select_poke(isc__socketmgr_t *mgr, int fd, int msg) {
+	int cc;
+	int buf[2];
+	char strbuf[ISC_STRERRORSIZE];
+
+	buf[0] = fd;
+	buf[1] = msg;
+
+	do {
+		cc = write(mgr->pipe_fds[1], buf, sizeof(buf));
+#ifdef ENOSR
+		/*
+		 * Treat ENOSR as EAGAIN but loop slowly as it is
+		 * unlikely to clear fast.
+		 */
+		if (cc < 0 && errno == ENOSR) {
+			sleep(1);
+			errno = EAGAIN;
+		}
+#endif
+	} while (cc < 0 && SOFT_ERROR(errno));
+
+	if (cc < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_WRITEFAILED,
+					   "write() failed "
+					   "during watcher poke: %s"),
+			    strbuf);
+	}
+
+	INSIST(cc == sizeof(buf));
+}
+
+/*
+ * Read a message on the internal fd.
+ */
+static void
+select_readmsg(isc__socketmgr_t *mgr, int *fd, int *msg) {
+	int buf[2];
+	int cc;
+	char strbuf[ISC_STRERRORSIZE];
+
+	cc = read(mgr->pipe_fds[0], buf, sizeof(buf));
+	if (cc < 0) {
+		*msg = SELECT_POKE_NOTHING;
+		*fd = -1;	/* Silence compiler. */
+		if (SOFT_ERROR(errno))
+			return;
+
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_READFAILED,
+					   "read() failed "
+					   "during watcher poke: %s"),
+			    strbuf);
+	}
+	INSIST(cc == sizeof(buf));
+
+	*fd = buf[0];
+	*msg = buf[1];
+}
+#else /* USE_WATCHER_THREAD */
+/*
+ * Update the state of the socketmgr when something changes.
+ */
+static void
+select_poke(isc__socketmgr_t *manager, int fd, int msg) {
+	if (msg == SELECT_POKE_SHUTDOWN)
+		return;
+	else if (fd >= 0)
+		wakeup_socket(manager, fd, msg);
+	return;
+}
+#endif /* USE_WATCHER_THREAD */
+
+/*
+ * Make a fd non-blocking.
+ */
+static isc_result_t
+make_nonblock(int fd) {
+	int ret;
+	char strbuf[ISC_STRERRORSIZE];
+#ifdef USE_FIONBIO_IOCTL
+	int on = 1;
+#else
+	int flags;
+#endif
+
+#ifdef USE_FIONBIO_IOCTL
+	ret = ioctl(fd, FIONBIO, (char *)&on);
+#else
+	flags = fcntl(fd, F_GETFL, 0);
+	flags |= PORT_NONBLOCK;
+	ret = fcntl(fd, F_SETFL, flags);
+#endif
+
+	if (ret == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+#ifdef USE_FIONBIO_IOCTL
+				 "ioctl(%d, FIONBIO, &on): %s", fd,
+#else
+				 "fcntl(%d, F_SETFL, %d): %s", fd, flags,
+#endif
+				 strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef USE_CMSG
+/*
+ * Not all OSes support advanced CMSG macros: CMSG_LEN and CMSG_SPACE.
+ * In order to ensure as much portability as possible, we provide wrapper
+ * functions of these macros.
+ * Note that cmsg_space() could run slow on OSes that do not have
+ * CMSG_SPACE.
+ */
+static inline ISC_SOCKADDR_LEN_T
+cmsg_len(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_LEN
+	return (CMSG_LEN(len));
+#else
+	ISC_SOCKADDR_LEN_T hdrlen;
+
+	/*
+	 * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
+	 * is correct.
+	 */
+	hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL));
+	return (hdrlen + len);
+#endif
+}
+
+static inline ISC_SOCKADDR_LEN_T
+cmsg_space(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_SPACE
+	return (CMSG_SPACE(len));
+#else
+	struct msghdr msg;
+	struct cmsghdr *cmsgp;
+	/*
+	 * XXX: The buffer length is an ad-hoc value, but should be enough
+	 * in a practical sense.
+	 */
+	char dummybuf[sizeof(struct cmsghdr) + 1024];
+
+	memset(&msg, 0, sizeof(msg));
+	msg.msg_control = dummybuf;
+	msg.msg_controllen = sizeof(dummybuf);
+
+	cmsgp = (struct cmsghdr *)dummybuf;
+	cmsgp->cmsg_len = cmsg_len(len);
+
+	cmsgp = CMSG_NXTHDR(&msg, cmsgp);
+	if (cmsgp != NULL)
+		return ((char *)cmsgp - (char *)msg.msg_control);
+	else
+		return (0);
+#endif
+}
+#endif /* USE_CMSG */
+
+/*
+ * Process control messages received on a socket.
+ */
+static void
+process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+#ifdef ISC_NET_BSD44MSGHDR
+#ifdef USE_CMSG
+	struct cmsghdr *cmsgp;
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+	struct in6_pktinfo *pktinfop;
+#endif
+#ifdef SO_TIMESTAMP
+	void *timevalp;
+#endif
+#endif
+#endif
+
+	/*
+	 * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
+	 * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
+	 * They are all here, outside of the CPP tests, because it is
+	 * more consistent with the usual ISC coding style.
+	 */
+	UNUSED(sock);
+	UNUSED(msg);
+	UNUSED(dev);
+
+#ifdef ISC_NET_BSD44MSGHDR
+
+#ifdef MSG_TRUNC
+	if ((msg->msg_flags & MSG_TRUNC) == MSG_TRUNC)
+		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+#endif
+
+#ifdef MSG_CTRUNC
+	if ((msg->msg_flags & MSG_CTRUNC) == MSG_CTRUNC)
+		dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
+#endif
+
+#ifndef USE_CMSG
+	return;
+#else
+	if (msg->msg_controllen == 0U || msg->msg_control == NULL)
+		return;
+
+#ifdef SO_TIMESTAMP
+	timevalp = NULL;
+#endif
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+	pktinfop = NULL;
+#endif
+
+	cmsgp = CMSG_FIRSTHDR(msg);
+	while (cmsgp != NULL) {
+		socket_log(sock, NULL, TRACE,
+			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PROCESSCMSG,
+			   "processing cmsg %p", cmsgp);
+
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+		if (cmsgp->cmsg_level == IPPROTO_IPV6
+		    && cmsgp->cmsg_type == IPV6_PKTINFO) {
+
+			pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+			memmove(&dev->pktinfo, pktinfop,
+				sizeof(struct in6_pktinfo));
+			dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+			socket_log(sock, NULL, TRACE,
+				   isc_msgcat, ISC_MSGSET_SOCKET,
+				   ISC_MSG_IFRECEIVED,
+				   "interface received on ifindex %u",
+				   dev->pktinfo.ipi6_ifindex);
+			if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr))
+				dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
+			goto next;
+		}
+#endif
+
+#ifdef SO_TIMESTAMP
+		if (cmsgp->cmsg_level == SOL_SOCKET
+		    && cmsgp->cmsg_type == SCM_TIMESTAMP) {
+			struct timeval tv;
+			timevalp = CMSG_DATA(cmsgp);
+			memmove(&tv, timevalp, sizeof(tv));
+			dev->timestamp.seconds = tv.tv_sec;
+			dev->timestamp.nanoseconds = tv.tv_usec * 1000;
+			dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
+			goto next;
+		}
+#endif
+
+#ifdef IPV6_TCLASS
+		if (cmsgp->cmsg_level == IPPROTO_IPV6
+		    && cmsgp->cmsg_type == IPV6_TCLASS) {
+			dev->dscp = *(int *)CMSG_DATA(cmsgp);
+			dev->dscp >>= 2;
+			dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
+			goto next;
+		}
+#endif
+
+#ifdef IP_TOS
+		if (cmsgp->cmsg_level == IPPROTO_IP
+		    && (cmsgp->cmsg_type == IP_TOS
+#ifdef IP_RECVTOS
+			|| cmsgp->cmsg_type == IP_RECVTOS
+#endif
+			)) {
+			dev->dscp = (int) *(unsigned char *)CMSG_DATA(cmsgp);
+			dev->dscp >>= 2;
+			dev->attributes |= ISC_SOCKEVENTATTR_DSCP;
+			goto next;
+		}
+#endif
+	next:
+		cmsgp = CMSG_NXTHDR(msg, cmsgp);
+	}
+#endif /* USE_CMSG */
+
+#endif /* ISC_NET_BSD44MSGHDR */
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the SEND constructor, which will use the used region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If write_countp != NULL, *write_countp will hold the number of bytes
+ * this transaction can send.
+ */
+static void
+build_msghdr_send(isc__socket_t *sock, char* cmsgbuf, isc_socketevent_t *dev,
+		  struct msghdr *msg, struct iovec *iov, size_t *write_countp)
+{
+	unsigned int iovcount;
+	isc_buffer_t *buffer;
+	isc_region_t used;
+	size_t write_count;
+	size_t skip_count;
+#ifdef ISC_NET_BSD44MSGHDR
+	struct cmsghdr *cmsgp;
+#endif
+
+	memset(msg, 0, sizeof(*msg));
+
+	if (!sock->connected) {
+		msg->msg_name = (void *)&dev->address.type.sa;
+		msg->msg_namelen = dev->address.length;
+	} else {
+		msg->msg_name = NULL;
+		msg->msg_namelen = 0;
+	}
+
+	buffer = ISC_LIST_HEAD(dev->bufferlist);
+	write_count = 0;
+	iovcount = 0;
+
+	/*
+	 * Single buffer I/O?  Skip what we've done so far in this region.
+	 */
+	if (buffer == NULL) {
+		write_count = dev->region.length - dev->n;
+		iov[0].iov_base = (void *)(dev->region.base + dev->n);
+		iov[0].iov_len = write_count;
+		iovcount = 1;
+
+		goto config;
+	}
+
+	/*
+	 * Multibuffer I/O.
+	 * Skip the data in the buffer list that we have already written.
+	 */
+	skip_count = dev->n;
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		if (skip_count < isc_buffer_usedlength(buffer))
+			break;
+		skip_count -= isc_buffer_usedlength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	while (buffer != NULL) {
+		INSIST(iovcount < MAXSCATTERGATHER_SEND);
+
+		isc_buffer_usedregion(buffer, &used);
+
+		if (used.length > 0) {
+			iov[iovcount].iov_base = (void *)(used.base
+							  + skip_count);
+			iov[iovcount].iov_len = used.length - skip_count;
+			write_count += (used.length - skip_count);
+			skip_count = 0;
+			iovcount++;
+		}
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	INSIST(skip_count == 0U);
+
+ config:
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+
+#ifdef ISC_NET_BSD44MSGHDR
+	msg->msg_control = NULL;
+	msg->msg_controllen = 0;
+	msg->msg_flags = 0;
+#if defined(USE_CMSG)
+
+#if defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+	if ((sock->type == isc_sockettype_udp) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0))
+	{
+		struct in6_pktinfo *pktinfop;
+
+		socket_log(sock, NULL, TRACE,
+			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_SENDTODATA,
+			   "sendto pktinfo data, ifindex %u",
+			   dev->pktinfo.ipi6_ifindex);
+
+		msg->msg_control = (void *)cmsgbuf;
+		msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+		cmsgp = (struct cmsghdr *)cmsgbuf;
+		cmsgp->cmsg_level = IPPROTO_IPV6;
+		cmsgp->cmsg_type = IPV6_PKTINFO;
+		cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
+		pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+		memmove(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
+	}
+#endif
+
+#if defined(IPV6_USE_MIN_MTU)
+	if ((sock->type == isc_sockettype_udp) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_USEMINMTU) != 0))
+	{
+		int use_min_mtu = 1;	/* -1, 0, 1 */
+
+		cmsgp = (struct cmsghdr *)(cmsgbuf +
+					   msg->msg_controllen);
+
+		msg->msg_control = (void *)cmsgbuf;
+		msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+		cmsgp->cmsg_level = IPPROTO_IPV6;
+		cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
+		cmsgp->cmsg_len = cmsg_len(sizeof(use_min_mtu));
+		memmove(CMSG_DATA(cmsgp), &use_min_mtu, sizeof(use_min_mtu));
+	}
+#endif
+
+	if (isc_dscp_check_value > -1) {
+		if (sock->type == isc_sockettype_udp)
+			INSIST((int)dev->dscp == isc_dscp_check_value);
+		else if (sock->type == isc_sockettype_tcp)
+			INSIST((int)sock->dscp == isc_dscp_check_value);
+	}
+
+#if defined(IP_TOS) || (defined(IPPROTO_IPV6) && defined(IPV6_TCLASS))
+	if ((sock->type == isc_sockettype_udp) &&
+	    ((dev->attributes & ISC_SOCKEVENTATTR_DSCP) != 0))
+	{
+		int dscp = (dev->dscp << 2) & 0xff;
+
+		INSIST(dev->dscp < 0x40);
+
+#ifdef IP_TOS
+		if (sock->pf == AF_INET && sock->pktdscp) {
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
+						   msg->msg_controllen);
+			msg->msg_control = (void *)cmsgbuf;
+			msg->msg_controllen += cmsg_space(sizeof(dscp));
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+			cmsgp->cmsg_level = IPPROTO_IP;
+			cmsgp->cmsg_type = IP_TOS;
+			cmsgp->cmsg_len = cmsg_len(sizeof(char));
+			*(unsigned char*)CMSG_DATA(cmsgp) = dscp;
+		} else if (sock->pf == AF_INET && sock->dscp != dev->dscp) {
+			if (setsockopt(sock->fd, IPPROTO_IP, IP_TOS,
+			       (void *)&dscp, sizeof(int)) < 0)
+			{
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, IP_TOS, %.02x)"
+						 " %s: %s",
+						 sock->fd, dscp >> 2,
+						 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+						 strbuf);
+			} else
+				sock->dscp = dscp;
+		}
+#endif
+#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
+		if (sock->pf == AF_INET6 && sock->pktdscp) {
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
+						   msg->msg_controllen);
+			msg->msg_control = (void *)cmsgbuf;
+			msg->msg_controllen += cmsg_space(sizeof(dscp));
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
+
+			cmsgp->cmsg_level = IPPROTO_IPV6;
+			cmsgp->cmsg_type = IPV6_TCLASS;
+			cmsgp->cmsg_len = cmsg_len(sizeof(dscp));
+			memmove(CMSG_DATA(cmsgp), &dscp, sizeof(dscp));
+		} else if (sock->pf == AF_INET6 && sock->dscp != dev->dscp) {
+			if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+				       (void *)&dscp, sizeof(int)) < 0) {
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "setsockopt(%d, IPV6_TCLASS, "
+						 "%.02x) %s: %s",
+						 sock->fd, dscp >> 2,
+						 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+						 strbuf);
+			} else
+				sock->dscp = dscp;
+		}
+#endif
+		if (msg->msg_controllen != 0 &&
+		    msg->msg_controllen < SENDCMSGBUFLEN)
+		{
+			memset(cmsgbuf + msg->msg_controllen, 0,
+			       SENDCMSGBUFLEN - msg->msg_controllen);
+		}
+	}
+#endif
+#endif /* USE_CMSG */
+#else /* ISC_NET_BSD44MSGHDR */
+	msg->msg_accrights = NULL;
+	msg->msg_accrightslen = 0;
+#endif /* ISC_NET_BSD44MSGHDR */
+
+	if (write_countp != NULL)
+		*write_countp = write_count;
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the RECV constructor, which will use the available region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If read_countp != NULL, *read_countp will hold the number of bytes
+ * this transaction can receive.
+ */
+static void
+build_msghdr_recv(isc__socket_t *sock, char *cmsgbuf, isc_socketevent_t *dev,
+		  struct msghdr *msg, struct iovec *iov, size_t *read_countp)
+{
+	unsigned int iovcount;
+	isc_buffer_t *buffer;
+	isc_region_t available;
+	size_t read_count;
+
+	memset(msg, 0, sizeof(struct msghdr));
+
+	if (sock->type == isc_sockettype_udp) {
+		memset(&dev->address, 0, sizeof(dev->address));
+#ifdef BROKEN_RECVMSG
+		if (sock->pf == AF_INET) {
+			msg->msg_name = (void *)&dev->address.type.sin;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+		} else if (sock->pf == AF_INET6) {
+			msg->msg_name = (void *)&dev->address.type.sin6;
+			msg->msg_namelen = sizeof(dev->address.type.sin6);
+#ifdef ISC_PLATFORM_HAVESYSUNH
+		} else if (sock->pf == AF_UNIX) {
+			msg->msg_name = (void *)&dev->address.type.sunix;
+			msg->msg_namelen = sizeof(dev->address.type.sunix);
+#endif
+		} else {
+			msg->msg_name = (void *)&dev->address.type.sa;
+			msg->msg_namelen = sizeof(dev->address.type);
+		}
+#else
+		msg->msg_name = (void *)&dev->address.type.sa;
+		msg->msg_namelen = sizeof(dev->address.type);
+#endif
+	} else { /* TCP */
+		msg->msg_name = NULL;
+		msg->msg_namelen = 0;
+		dev->address = sock->peer_address;
+	}
+
+	buffer = ISC_LIST_HEAD(dev->bufferlist);
+	read_count = 0;
+
+	/*
+	 * Single buffer I/O?  Skip what we've done so far in this region.
+	 */
+	if (buffer == NULL) {
+		read_count = dev->region.length - dev->n;
+		iov[0].iov_base = (void *)(dev->region.base + dev->n);
+		iov[0].iov_len = read_count;
+		iovcount = 1;
+
+		goto config;
+	}
+
+	/*
+	 * Multibuffer I/O.
+	 * Skip empty buffers.
+	 */
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		if (isc_buffer_availablelength(buffer) != 0)
+			break;
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	iovcount = 0;
+	while (buffer != NULL) {
+		INSIST(iovcount < MAXSCATTERGATHER_RECV);
+
+		isc_buffer_availableregion(buffer, &available);
+
+		if (available.length > 0) {
+			iov[iovcount].iov_base = (void *)(available.base);
+			iov[iovcount].iov_len = available.length;
+			read_count += available.length;
+			iovcount++;
+		}
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+ config:
+
+	/*
+	 * If needed, set up to receive that one extra byte.
+	 */
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	if (sock->type == isc_sockettype_udp) {
+		INSIST(iovcount < MAXSCATTERGATHER_RECV);
+		iov[iovcount].iov_base = (void *)(&sock->overflow);
+		iov[iovcount].iov_len = 1;
+		iovcount++;
+	}
+#endif
+
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+
+#ifdef ISC_NET_BSD44MSGHDR
+#if defined(USE_CMSG)
+	msg->msg_control = cmsgbuf;
+	msg->msg_controllen = RECVCMSGBUFLEN;
+#else
+	msg->msg_control = NULL;
+	msg->msg_controllen = 0;
+#endif /* USE_CMSG */
+	msg->msg_flags = 0;
+#else /* ISC_NET_BSD44MSGHDR */
+	msg->msg_accrights = NULL;
+	msg->msg_accrightslen = 0;
+#endif /* ISC_NET_BSD44MSGHDR */
+
+	if (read_countp != NULL)
+		*read_countp = read_count;
+}
+
+static void
+set_dev_address(isc_sockaddr_t *address, isc__socket_t *sock,
+		isc_socketevent_t *dev)
+{
+	if (sock->type == isc_sockettype_udp) {
+		if (address != NULL)
+			dev->address = *address;
+		else
+			dev->address = sock->peer_address;
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(address == NULL);
+		dev->address = sock->peer_address;
+	}
+}
+
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
+
+	(ev->destroy)(event);
+}
+
+static isc_socketevent_t *
+allocate_socketevent(isc_mem_t *mctx, void *sender,
+		     isc_eventtype_t eventtype, isc_taskaction_t action,
+		     void *arg)
+{
+	isc_socketevent_t *ev;
+
+	ev = (isc_socketevent_t *)isc_event_allocate(mctx, sender,
+						     eventtype, action, arg,
+						     sizeof(*ev));
+
+	if (ev == NULL)
+		return (NULL);
+
+	ev->result = ISC_R_UNSET;
+	ISC_LINK_INIT(ev, ev_link);
+	ISC_LIST_INIT(ev->bufferlist);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
+	ev->dscp = 0;
+
+	return (ev);
+}
+
+#if defined(ISC_SOCKET_DEBUG)
+static void
+dump_msg(struct msghdr *msg) {
+	unsigned int i;
+
+	printf("MSGHDR %p\n", msg);
+	printf("\tname %p, namelen %ld\n", msg->msg_name,
+	       (long) msg->msg_namelen);
+	printf("\tiov %p, iovlen %ld\n", msg->msg_iov,
+	       (long) msg->msg_iovlen);
+	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
+		printf("\t\t%u\tbase %p, len %ld\n", i,
+		       msg->msg_iov[i].iov_base,
+		       (long) msg->msg_iov[i].iov_len);
+#ifdef ISC_NET_BSD44MSGHDR
+	printf("\tcontrol %p, controllen %ld\n", msg->msg_control,
+	       (long) msg->msg_controllen);
+#endif
+}
+#endif
+
+#define DOIO_SUCCESS		0	/* i/o ok, event sent */
+#define DOIO_SOFT		1	/* i/o ok, soft error, no event sent */
+#define DOIO_HARD		2	/* i/o error, event sent */
+#define DOIO_EOF		3	/* EOF, no event sent */
+
+static int
+doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
+	int cc;
+	struct iovec iov[MAXSCATTERGATHER_RECV];
+	size_t read_count;
+	size_t actual_count;
+	struct msghdr msghdr;
+	isc_buffer_t *buffer;
+	int recv_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[RECVCMSGBUFLEN] = {0};
+
+	build_msghdr_recv(sock, cmsgbuf, dev, &msghdr, iov, &read_count);
+
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif
+
+	cc = recvmsg(sock->fd, &msghdr, 0);
+	recv_errno = errno;
+
+#if defined(ISC_SOCKET_DEBUG)
+	dump_msg(&msghdr);
+#endif
+
+	if (cc < 0) {
+		if (SOFT_ERROR(recv_errno))
+			return (DOIO_SOFT);
+
+		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+			isc__strerror(recv_errno, strbuf, sizeof(strbuf));
+			socket_log(sock, NULL, IOEVENT,
+				   isc_msgcat, ISC_MSGSET_SOCKET,
+				   ISC_MSG_DOIORECV,
+				  "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
+				   sock->fd, cc, recv_errno, strbuf);
+		}
+
+#define SOFT_OR_HARD(_system, _isc) \
+	if (recv_errno == _system) { \
+		if (sock->connected) { \
+			dev->result = _isc; \
+			inc_stats(sock->manager->stats, \
+				  sock->statsindex[STATID_RECVFAIL]); \
+			return (DOIO_HARD); \
+		} \
+		return (DOIO_SOFT); \
+	}
+#define ALWAYS_HARD(_system, _isc) \
+	if (recv_errno == _system) { \
+		dev->result = _isc; \
+		inc_stats(sock->manager->stats, \
+			  sock->statsindex[STATID_RECVFAIL]); \
+		return (DOIO_HARD); \
+	}
+
+		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+		SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+		SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
+		/* HPUX 11.11 can return EADDRNOTAVAIL. */
+		SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		/* Should never get this one but it was seen. */
+#ifdef ENOPROTOOPT
+		SOFT_OR_HARD(ENOPROTOOPT, ISC_R_HOSTUNREACH);
+#endif
+		/*
+		 * HPUX returns EPROTO and EINVAL on receiving some ICMP/ICMPv6
+		 * errors.
+		 */
+#ifdef EPROTO
+		SOFT_OR_HARD(EPROTO, ISC_R_HOSTUNREACH);
+#endif
+		SOFT_OR_HARD(EINVAL, ISC_R_HOSTUNREACH);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+		dev->result = isc__errno2result(recv_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_RECVFAIL]);
+		return (DOIO_HARD);
+	}
+
+	/*
+	 * On TCP and UNIX sockets, zero length reads indicate EOF,
+	 * while on UDP sockets, zero length reads are perfectly valid,
+	 * although strange.
+	 */
+	switch (sock->type) {
+	case isc_sockettype_tcp:
+	case isc_sockettype_unix:
+		if (cc == 0)
+			return (DOIO_EOF);
+		break;
+	case isc_sockettype_udp:
+	case isc_sockettype_raw:
+		break;
+	case isc_sockettype_fdwatch:
+	default:
+		INSIST(0);
+	}
+
+	if (sock->type == isc_sockettype_udp) {
+		dev->address.length = msghdr.msg_namelen;
+		if (isc_sockaddr_getport(&dev->address) == 0) {
+			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+				socket_log(sock, &dev->address, IOEVENT,
+					   isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_ZEROPORT,
+					   "dropping source port zero packet");
+			}
+			return (DOIO_SOFT);
+		}
+		/*
+		 * Simulate a firewall blocking UDP responses bigger than
+		 * 'maxudp' bytes.
+		 */
+		if (sock->manager->maxudp != 0 && cc > sock->manager->maxudp)
+			return (DOIO_SOFT);
+	}
+
+	socket_log(sock, &dev->address, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PKTRECV,
+		   "packet received correctly");
+
+	/*
+	 * Overflow bit detection.  If we received MORE bytes than we should,
+	 * this indicates an overflow situation.  Set the flag in the
+	 * dev entry and adjust how much we read by one.
+	 */
+#ifdef ISC_PLATFORM_RECVOVERFLOW
+	if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
+		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+		cc--;
+	}
+#endif
+
+	/*
+	 * If there are control messages attached, run through them and pull
+	 * out the interesting bits.
+	 */
+	process_cmsg(sock, &msghdr, dev);
+
+	/*
+	 * update the buffers (if any) and the i/o count
+	 */
+	dev->n += cc;
+	actual_count = cc;
+	buffer = ISC_LIST_HEAD(dev->bufferlist);
+	while (buffer != NULL && actual_count > 0U) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		if (isc_buffer_availablelength(buffer) <= actual_count) {
+			actual_count -= isc_buffer_availablelength(buffer);
+			isc_buffer_add(buffer,
+				       isc_buffer_availablelength(buffer));
+		} else {
+			isc_buffer_add(buffer, actual_count);
+			actual_count = 0;
+			POST(actual_count);
+			break;
+		}
+		buffer = ISC_LIST_NEXT(buffer, link);
+		if (buffer == NULL) {
+			INSIST(actual_count == 0U);
+		}
+	}
+
+	/*
+	 * If we read less than we expected, update counters,
+	 * and let the upper layer poke the descriptor.
+	 */
+	if (((size_t)cc != read_count) && (dev->n < dev->minimum))
+		return (DOIO_SOFT);
+
+	/*
+	 * Full reads are posted, or partials if partials are ok.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+/*
+ * Returns:
+ *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
+ *			ISC_R_SUCCESS.
+ *
+ *	DOIO_HARD	A hard or unexpected I/O error was encountered.
+ *			dev->result contains the appropriate error.
+ *
+ *	DOIO_SOFT	A soft I/O error was encountered.  No senddone
+ *			event was sent.  The operation should be retried.
+ *
+ *	No other return values are possible.
+ */
+static int
+doio_send(isc__socket_t *sock, isc_socketevent_t *dev) {
+	int cc;
+	struct iovec iov[MAXSCATTERGATHER_SEND];
+	size_t write_count;
+	struct msghdr msghdr;
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	int attempts = 0;
+	int send_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[SENDCMSGBUFLEN] = {0};
+
+	build_msghdr_send(sock, cmsgbuf, dev, &msghdr, iov, &write_count);
+
+ resend:
+	if (sock->type == isc_sockettype_udp &&
+	    sock->manager->maxudp != 0 &&
+	    write_count > (size_t)sock->manager->maxudp)
+		cc = write_count;
+	else
+		cc = sendmsg(sock->fd, &msghdr, 0);
+	send_errno = errno;
+
+	/*
+	 * Check for error or block condition.
+	 */
+	if (cc < 0) {
+		if (send_errno == EINTR && ++attempts < NRETRIES)
+			goto resend;
+
+		if (SOFT_ERROR(send_errno)) {
+			if (errno == EWOULDBLOCK || errno == EAGAIN)
+				dev->result = ISC_R_WOULDBLOCK;
+			return (DOIO_SOFT);
+		}
+
+#define SOFT_OR_HARD(_system, _isc) \
+	if (send_errno == _system) { \
+		if (sock->connected) { \
+			dev->result = _isc; \
+			inc_stats(sock->manager->stats, \
+				  sock->statsindex[STATID_SENDFAIL]); \
+			return (DOIO_HARD); \
+		} \
+		return (DOIO_SOFT); \
+	}
+#define ALWAYS_HARD(_system, _isc) \
+	if (send_errno == _system) { \
+		dev->result = _isc; \
+		inc_stats(sock->manager->stats, \
+			  sock->statsindex[STATID_SENDFAIL]); \
+		return (DOIO_HARD); \
+	}
+
+		SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+		ALWAYS_HARD(EACCES, ISC_R_NOPERM);
+		ALWAYS_HARD(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+		ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+		ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+		ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+		ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+		SOFT_OR_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
+		ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
+		ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+		/*
+		 * The other error types depend on whether or not the
+		 * socket is UDP or TCP.  If it is UDP, some errors
+		 * that we expect to be fatal under TCP are merely
+		 * annoying, and are really soft errors.
+		 *
+		 * However, these soft errors are still returned as
+		 * a status.
+		 */
+		isc_sockaddr_format(&dev->address, addrbuf, sizeof(addrbuf));
+		isc__strerror(send_errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
+				 addrbuf, strbuf);
+		dev->result = isc__errno2result(send_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
+		return (DOIO_HARD);
+	}
+
+	if (cc == 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "doio_send: send() %s 0",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_RETURNED, "returned"));
+	}
+
+	/*
+	 * If we write less than we expected, update counters, poke.
+	 */
+	dev->n += cc;
+	if ((size_t)cc != write_count)
+		return (DOIO_SOFT);
+
+	/*
+	 * Exactly what we wanted to write.  We're done with this
+	 * entry.  Post its completion event.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+/*
+ * Kill.
+ *
+ * Caller must ensure that the socket is not locked and no external
+ * references exist.
+ */
+static void
+socketclose(isc__socketmgr_t *manager, isc__socket_t *sock, int fd) {
+	isc_sockettype_t type = sock->type;
+	int lockid = FDLOCK_ID(fd);
+
+	/*
+	 * No one has this socket open, so the watcher doesn't have to be
+	 * poked, and the socket doesn't have to be locked.
+	 */
+	LOCK(&manager->fdlock[lockid]);
+	manager->fds[fd] = NULL;
+	if (type == isc_sockettype_fdwatch)
+		manager->fdstate[fd] = CLOSED;
+	else
+		manager->fdstate[fd] = CLOSE_PENDING;
+	UNLOCK(&manager->fdlock[lockid]);
+	if (type == isc_sockettype_fdwatch) {
+		/*
+		 * The caller may close the socket once this function returns,
+		 * and `fd' may be reassigned for a new socket.  So we do
+		 * unwatch_fd() here, rather than defer it via select_poke().
+		 * Note: this may complicate data protection among threads and
+		 * may reduce performance due to additional locks.  One way to
+		 * solve this would be to dup() the watched descriptor, but we
+		 * take a simpler approach at this moment.
+		 */
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+	} else
+		select_poke(manager, fd, SELECT_POKE_CLOSE);
+
+	inc_stats(manager->stats, sock->statsindex[STATID_CLOSE]);
+	if (sock->active == 1) {
+		dec_stats(manager->stats, sock->statsindex[STATID_ACTIVE]);
+		sock->active = 0;
+	}
+
+	/*
+	 * update manager->maxfd here (XXX: this should be implemented more
+	 * efficiently)
+	 */
+#ifdef USE_SELECT
+	LOCK(&manager->lock);
+	if (manager->maxfd == fd) {
+		int i;
+
+		manager->maxfd = 0;
+		for (i = fd - 1; i >= 0; i--) {
+			lockid = FDLOCK_ID(i);
+
+			LOCK(&manager->fdlock[lockid]);
+			if (manager->fdstate[i] == MANAGED) {
+				manager->maxfd = i;
+				UNLOCK(&manager->fdlock[lockid]);
+				break;
+			}
+			UNLOCK(&manager->fdlock[lockid]);
+		}
+#ifdef ISC_PLATFORM_USETHREADS
+		if (manager->maxfd < manager->pipe_fds[0])
+			manager->maxfd = manager->pipe_fds[0];
+#endif
+	}
+
+	UNLOCK(&manager->lock);
+#endif	/* USE_SELECT */
+}
+
+static void
+destroy(isc__socket_t **sockp) {
+	int fd;
+	isc__socket_t *sock = *sockp;
+	isc__socketmgr_t *manager = sock->manager;
+
+	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_DESTROYING, "destroying");
+
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(sock->fd >= -1 && sock->fd < (int)manager->maxsocks);
+
+	if (sock->fd >= 0) {
+		fd = sock->fd;
+		sock->fd = -1;
+		socketclose(manager, sock, fd);
+	}
+
+	LOCK(&manager->lock);
+
+	ISC_LIST_UNLINK(manager->socklist, sock, link);
+
+#ifdef USE_WATCHER_THREAD
+	if (ISC_LIST_EMPTY(manager->socklist))
+		SIGNAL(&manager->shutdown_ok);
+#endif /* USE_WATCHER_THREAD */
+
+	/* can't unlock manager as its memory context is still used */
+	free_socket(sockp);
+
+	UNLOCK(&manager->lock);
+}
+
+static isc_result_t
+allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
+		isc__socket_t **socketp)
+{
+	isc__socket_t *sock;
+	isc_result_t result;
+
+	sock = isc_mem_get(manager->mctx, sizeof(*sock));
+
+	if (sock == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sock->common.magic = 0;
+	sock->common.impmagic = 0;
+	sock->references = 0;
+
+	sock->manager = manager;
+	sock->type = type;
+	sock->fd = -1;
+	sock->dscp = 0;		/* TOS/TCLASS is zero until set. */
+	sock->dupped = 0;
+	sock->statsindex = NULL;
+	sock->active = 0;
+
+	ISC_LINK_INIT(sock, link);
+
+
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
+
+	/*
+	 * Set up list of readers and writers to be initially empty.
+	 */
+	ISC_LIST_INIT(sock->recv_list);
+	ISC_LIST_INIT(sock->send_list);
+	ISC_LIST_INIT(sock->accept_list);
+	ISC_LIST_INIT(sock->connect_list);
+	sock->pending_recv = 0;
+	sock->pending_send = 0;
+	sock->pending_accept = 0;
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->connecting = 0;
+	sock->bound = 0;
+	sock->pktdscp = 0;
+
+	/*
+	 * Initialize the lock.
+	 */
+	result = isc_mutex_init(&sock->lock);
+	if (result != ISC_R_SUCCESS) {
+		sock->common.magic = 0;
+		sock->common.impmagic = 0;
+		goto error;
+	}
+
+	/*
+	 * Initialize readable and writable events.
+	 */
+	ISC_EVENT_INIT(&sock->readable_ev, sizeof(intev_t),
+		       ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTR,
+		       NULL, sock, sock, NULL, NULL);
+	ISC_EVENT_INIT(&sock->writable_ev, sizeof(intev_t),
+		       ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
+		       NULL, sock, sock, NULL, NULL);
+
+	sock->common.magic = ISCAPI_SOCKET_MAGIC;
+	sock->common.impmagic = SOCKET_MAGIC;
+	*socketp = sock;
+
+	return (ISC_R_SUCCESS);
+
+ error:
+	isc_mem_put(manager->mctx, sock, sizeof(*sock));
+
+	return (result);
+}
+
+/*
+ * This event requires that the various lists be empty, that the reference
+ * count be 1, and that the magic number is valid.  The other socket bits,
+ * like the lock, must be initialized as well.  The fd associated must be
+ * marked as closed, by setting it to -1 on close, or this routine will
+ * also close the socket.
+ */
+static void
+free_socket(isc__socket_t **socketp) {
+	isc__socket_t *sock = *socketp;
+
+	INSIST(VALID_SOCKET(sock));
+	INSIST(sock->references == 0);
+	INSIST(!sock->connecting);
+	INSIST(!sock->pending_recv);
+	INSIST(!sock->pending_send);
+	INSIST(!sock->pending_accept);
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+	INSIST(!ISC_LINK_LINKED(sock, link));
+
+	sock->common.magic = 0;
+	sock->common.impmagic = 0;
+
+	DESTROYLOCK(&sock->lock);
+
+	isc_mem_put(sock->manager->mctx, sock, sizeof(*sock));
+
+	*socketp = NULL;
+}
+
+#ifdef SO_RCVBUF
+static isc_once_t	rcvbuf_once = ISC_ONCE_INIT;
+static int		rcvbuf = RCVBUFSIZE;
+
+static void
+set_rcvbuf(void) {
+	int fd;
+	int max = rcvbuf, min;
+	ISC_SOCKADDR_LEN_T len;
+
+	fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+#if defined(ISC_PLATFORM_HAVEIPV6)
+	if (fd == -1) {
+		switch (errno) {
+		case EPROTONOSUPPORT:
+		case EPFNOSUPPORT:
+		case EAFNOSUPPORT:
+		/*
+		 * Linux 2.2 (and maybe others) return EINVAL instead of
+		 * EAFNOSUPPORT.
+		 */
+		case EINVAL:
+			fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+			break;
+		}
+	}
+#endif
+	if (fd == -1)
+		return;
+
+	len = sizeof(min);
+	if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&min, &len) == 0 &&
+	    min < rcvbuf) {
+ again:
+		if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
+			       sizeof(rcvbuf)) == -1) {
+			if (errno == ENOBUFS && rcvbuf > min) {
+				max = rcvbuf - 1;
+				rcvbuf = (rcvbuf + min) / 2;
+				goto again;
+			} else {
+				rcvbuf = min;
+				goto cleanup;
+			}
+		} else
+			min = rcvbuf;
+		if (min != max) {
+			rcvbuf = max;
+			goto again;
+		}
+	}
+ cleanup:
+	close (fd);
+}
+#endif
+
+#ifdef SO_BSDCOMPAT
+/*
+ * This really should not be necessary to do.  Having to workout
+ * which kernel version we are on at run time so that we don't cause
+ * the kernel to issue a warning about us using a deprecated socket option.
+ * Such warnings should *never* be on by default in production kernels.
+ *
+ * We can't do this a build time because executables are moved between
+ * machines and hence kernels.
+ *
+ * We can't just not set SO_BSDCOMAT because some kernels require it.
+ */
+
+static isc_once_t         bsdcompat_once = ISC_ONCE_INIT;
+bool bsdcompat = true;
+
+static void
+clear_bsdcompat(void) {
+#ifdef __linux__
+	 struct utsname buf;
+	 char *endp;
+	 long int major;
+	 long int minor;
+
+	 uname(&buf);    /* Can only fail if buf is bad in Linux. */
+
+	 /* Paranoia in parsing can be increased, but we trust uname(). */
+	 major = strtol(buf.release, &endp, 10);
+	 if (*endp == '.') {
+		minor = strtol(endp+1, &endp, 10);
+		if ((major > 2) || ((major == 2) && (minor >= 4))) {
+			bsdcompat = false;
+		}
+	 }
+#endif /* __linux __ */
+}
+#endif
+
+static void
+use_min_mtu(isc__socket_t *sock) {
+#if !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
+	UNUSED(sock);
+#endif
+#ifdef IPV6_USE_MIN_MTU
+	/* use minimum MTU */
+	if (sock->pf == AF_INET6) {
+		int on = 1;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+				(void *)&on, sizeof(on));
+	}
+#endif
+#if defined(IPV6_MTU)
+	/*
+	 * Use minimum MTU on IPv6 sockets.
+	 */
+	if (sock->pf == AF_INET6) {
+		int mtu = 1280;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_MTU,
+				 &mtu, sizeof(mtu));
+	}
+#endif
+}
+
+static void
+set_tcp_maxseg(isc__socket_t *sock, int size) {
+#ifdef TCP_MAXSEG
+	if (sock->type == isc_sockettype_tcp)
+		(void)setsockopt(sock->fd, IPPROTO_TCP, TCP_MAXSEG,
+				(void *)&size, sizeof(size));
+#endif
+}
+
+static isc_result_t
+opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
+	   isc__socket_t *dup_socket)
+{
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+	const char *err = "socket";
+	int tries = 0;
+#if defined(USE_CMSG) || defined(SO_BSDCOMPAT) || defined(SO_NOSIGPIPE)
+	int on = 1;
+#endif
+#if defined(SO_RCVBUF)
+	ISC_SOCKADDR_LEN_T optlen;
+	int size = 0;
+#endif
+
+ again:
+	if (dup_socket == NULL) {
+		switch (sock->type) {
+		case isc_sockettype_udp:
+			sock->fd = socket(sock->pf, SOCK_DGRAM, IPPROTO_UDP);
+			break;
+		case isc_sockettype_tcp:
+			sock->fd = socket(sock->pf, SOCK_STREAM, IPPROTO_TCP);
+			break;
+		case isc_sockettype_unix:
+			sock->fd = socket(sock->pf, SOCK_STREAM, 0);
+			break;
+		case isc_sockettype_raw:
+			errno = EPFNOSUPPORT;
+			/*
+			 * PF_ROUTE is a alias for PF_NETLINK on linux.
+			 */
+#if defined(PF_ROUTE)
+			if (sock->fd == -1 && sock->pf == PF_ROUTE) {
+#ifdef NETLINK_ROUTE
+				sock->fd = socket(sock->pf, SOCK_RAW,
+						  NETLINK_ROUTE);
+#else
+				sock->fd = socket(sock->pf, SOCK_RAW, 0);
+#endif
+				if (sock->fd != -1) {
+#ifdef NETLINK_ROUTE
+					struct sockaddr_nl sa;
+					int n;
+
+					/*
+					 * Do an implicit bind.
+					 */
+					memset(&sa, 0, sizeof(sa));
+					sa.nl_family = AF_NETLINK;
+					sa.nl_groups = RTMGRP_IPV4_IFADDR |
+						       RTMGRP_IPV6_IFADDR;
+					n = bind(sock->fd,
+						 (struct sockaddr *) &sa,
+						 sizeof(sa));
+					if (n < 0) {
+						close(sock->fd);
+						sock->fd = -1;
+					}
+#endif
+					sock->bound = 1;
+				}
+			}
+#endif
+			break;
+		case isc_sockettype_fdwatch:
+			/*
+			 * We should not be called for isc_sockettype_fdwatch
+			 * sockets.
+			 */
+			INSIST(0);
+			break;
+		}
+	} else {
+		sock->fd = dup(dup_socket->fd);
+		sock->dupped = 1;
+		sock->bound = dup_socket->bound;
+	}
+	if (sock->fd == -1 && errno == EINTR && tries++ < 42)
+		goto again;
+
+#ifdef F_DUPFD
+	/*
+	 * Leave a space for stdio and TCP to work in.
+	 */
+	if (manager->reserved != 0 && sock->type == isc_sockettype_udp &&
+	    sock->fd >= 0 && sock->fd < manager->reserved) {
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, manager->reserved);
+		tmp = errno;
+		(void)close(sock->fd);
+		errno = tmp;
+		sock->fd = newfd;
+		err = "isc_socket_create: fcntl/reserved";
+	} else if (sock->fd >= 0 && sock->fd < 20) {
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, 20);
+		tmp = errno;
+		(void)close(sock->fd);
+		errno = tmp;
+		sock->fd = newfd;
+		err = "isc_socket_create: fcntl";
+	}
+#endif
+
+	if (sock->fd >= (int)manager->maxsocks) {
+		(void)close(sock->fd);
+		isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			       isc_msgcat, ISC_MSGSET_SOCKET,
+			       ISC_MSG_TOOMANYFDS,
+			       "socket: file descriptor exceeds limit (%d/%u)",
+			       sock->fd, manager->maxsocks);
+		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
+		return (ISC_R_NORESOURCES);
+	}
+
+	if (sock->fd < 0) {
+		switch (errno) {
+		case EMFILE:
+		case ENFILE:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				       isc_msgcat, ISC_MSGSET_SOCKET,
+				       ISC_MSG_TOOMANYFDS,
+				       "%s: %s", err, strbuf);
+			/* fallthrough */
+		case ENOBUFS:
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_NORESOURCES);
+
+		case EPROTONOSUPPORT:
+		case EPFNOSUPPORT:
+		case EAFNOSUPPORT:
+		/*
+		 * Linux 2.2 (and maybe others) return EINVAL instead of
+		 * EAFNOSUPPORT.
+		 */
+		case EINVAL:
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_FAMILYNOSUPPORT);
+
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "%s() %s: %s", err,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+			inc_stats(manager->stats,
+				  sock->statsindex[STATID_OPENFAIL]);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	if (dup_socket != NULL)
+		goto setup_done;
+
+	result = make_nonblock(sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		(void)close(sock->fd);
+		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
+		return (result);
+	}
+
+#ifdef SO_BSDCOMPAT
+	RUNTIME_CHECK(isc_once_do(&bsdcompat_once,
+				  clear_bsdcompat) == ISC_R_SUCCESS);
+	if (sock->type != isc_sockettype_unix && bsdcompat &&
+	    setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
+		       (void *)&on, sizeof(on)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, SO_BSDCOMPAT) %s: %s",
+				 sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		/* Press on... */
+	}
+#endif
+
+#ifdef SO_NOSIGPIPE
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_NOSIGPIPE,
+		       (void *)&on, sizeof(on)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, SO_NOSIGPIPE) %s: %s",
+				 sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		/* Press on... */
+	}
+#endif
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	if (sock->type == isc_sockettype_tcp && sock->pf == AF_INET6) {
+		use_min_mtu(sock);
+		set_tcp_maxseg(sock, 1280 - 20 - 40); /* 1280 - TCP - IPV6 */
+	}
+
+#if defined(USE_CMSG) || defined(SO_RCVBUF)
+	if (sock->type == isc_sockettype_udp) {
+
+#if defined(USE_CMSG)
+#if defined(SO_TIMESTAMP)
+		if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP,
+			       (void *)&on, sizeof(on)) < 0
+		    && errno != ENOPROTOOPT) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, SO_TIMESTAMP) %s: %s",
+					 sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+			/* Press on... */
+		}
+#endif /* SO_TIMESTAMP */
+
+#if defined(ISC_PLATFORM_HAVEIPV6)
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+#ifdef IPV6_RECVPKTINFO
+		/* RFC 3542 */
+		if ((sock->pf == AF_INET6)
+		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+				   (void *)&on, sizeof(on)) < 0)) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_RECVPKTINFO) "
+					 "%s: %s", sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+#else
+		/* RFC 2292 */
+		if ((sock->pf == AF_INET6)
+		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
+				   (void *)&on, sizeof(on)) < 0)) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
+					 sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+#endif /* IPV6_RECVPKTINFO */
+#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
+#if defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DONT)
+		/*
+		 * Turn off Path MTU discovery on IPv6/UDP sockets.
+		 */
+		if (sock->pf == AF_INET6) {
+			int action = IPV6_PMTUDISC_DONT;
+			(void)setsockopt(sock->fd, IPPROTO_IPV6,
+					 IPV6_MTU_DISCOVER, &action,
+					 sizeof(action));
+		}
+#endif
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+#endif /* defined(USE_CMSG) */
+
+#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		/*
+		 * Turn off Path MTU discovery on IPv4/UDP sockets.
+		 * Prefer IP_PMTUDISC_OMIT over IP_PMTUDISC_DONT
+		 * if it available.
+		 */
+		if (sock->pf == AF_INET) {
+			int action;
+#if defined(IP_PMTUDISC_OMIT)
+			action = IP_PMTUDISC_OMIT;
+			if (setsockopt(sock->fd, IPPROTO_IP,
+				       IP_MTU_DISCOVER, &action,
+				       sizeof(action)) < 0) {
+#endif
+				action = IP_PMTUDISC_DONT;
+				(void)setsockopt(sock->fd, IPPROTO_IP,
+						 IP_MTU_DISCOVER,
+						 &action, sizeof(action));
+#if defined(IP_PMTUDISC_OMIT)
+			}
+#endif
+		}
+#endif
+#if defined(IP_DONTFRAG)
+		/*
+		 * Turn off Path MTU discovery on IPv4/UDP sockets.
+		 */
+		if (sock->pf == AF_INET) {
+			int off = 0;
+			(void)setsockopt(sock->fd, IPPROTO_IP, IP_DONTFRAG,
+					 &off, sizeof(off));
+		}
+#endif
+
+#if defined(SO_RCVBUF)
+		optlen = sizeof(size);
+		if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+			       (void *)&size, &optlen) == 0 && size < rcvbuf) {
+			RUNTIME_CHECK(isc_once_do(&rcvbuf_once,
+						  set_rcvbuf) == ISC_R_SUCCESS);
+			if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+			       (void *)&rcvbuf, sizeof(rcvbuf)) == -1) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+					"setsockopt(%d, SO_RCVBUF, %d) %s: %s",
+					sock->fd, rcvbuf,
+					isc_msgcat_get(isc_msgcat,
+						       ISC_MSGSET_GENERAL,
+						       ISC_MSG_FAILED,
+						       "failed"),
+					strbuf);
+			}
+		}
+#endif
+	}
+#ifdef IPV6_RECVTCLASS
+	if ((sock->pf == AF_INET6)
+	    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVTCLASS,
+			   (void *)&on, sizeof(on)) < 0)) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, IPV6_RECVTCLASS) "
+				 "%s: %s", sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+	}
+#endif
+#ifdef IP_RECVTOS
+	if ((sock->pf == AF_INET)
+	    && (setsockopt(sock->fd, IPPROTO_IP, IP_RECVTOS,
+			   (void *)&on, sizeof(on)) < 0)) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, IP_RECVTOS) "
+				 "%s: %s", sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+	}
+#endif
+#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
+
+setup_done:
+	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
+	if (sock->active == 0) {
+		inc_stats(manager->stats, sock->statsindex[STATID_ACTIVE]);
+		sock->active = 1;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Create a 'type' socket or duplicate an existing socket, managed
+ * by 'manager'.  Events will be posted to 'task' and when dispatched
+ * 'action' will be called with 'arg' as the arg value.  The new
+ * socket is returned in 'socketp'.
+ */
+static isc_result_t
+socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket)
+{
+	isc__socket_t *sock = NULL;
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+	isc_result_t result;
+	int lockid;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+	REQUIRE(type != isc_sockettype_fdwatch);
+
+	result = allocate_socket(manager, type, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	switch (sock->type) {
+	case isc_sockettype_udp:
+		sock->statsindex =
+			(pf == AF_INET) ? udp4statsindex : udp6statsindex;
+#define DCSPPKT(pf) ((pf == AF_INET) ? ISC_NET_DSCPPKTV4 : ISC_NET_DSCPPKTV6)
+		sock->pktdscp = (isc_net_probedscp() & DCSPPKT(pf)) != 0;
+		break;
+	case isc_sockettype_tcp:
+		sock->statsindex =
+			(pf == AF_INET) ? tcp4statsindex : tcp6statsindex;
+		break;
+	case isc_sockettype_unix:
+		sock->statsindex = unixstatsindex;
+		break;
+	case isc_sockettype_raw:
+		sock->statsindex = rawstatsindex;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	sock->pf = pf;
+
+	result = opensocket(manager, sock, (isc__socket_t *)dup_socket);
+	if (result != ISC_R_SUCCESS) {
+		free_socket(&sock);
+		return (result);
+	}
+
+	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
+	sock->references = 1;
+	*socketp = (isc_socket_t *)sock;
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	lockid = FDLOCK_ID(sock->fd);
+	LOCK(&manager->fdlock[lockid]);
+	manager->fds[sock->fd] = sock;
+	manager->fdstate[sock->fd] = MANAGED;
+#if defined(USE_EPOLL)
+	manager->epoll_events[sock->fd] = 0;
+#endif
+#ifdef USE_DEVPOLL
+	INSIST(sock->manager->fdpollinfo[sock->fd].want_read == 0 &&
+	       sock->manager->fdpollinfo[sock->fd].want_write == 0);
+#endif
+	UNLOCK(&manager->fdlock[lockid]);
+
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+#ifdef USE_SELECT
+	if (manager->maxfd < sock->fd)
+		manager->maxfd = sock->fd;
+#endif
+	UNLOCK(&manager->lock);
+
+	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_CREATED, dup_socket != NULL ? "dupped" : "created");
+
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc__socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
+		   isc_socket_t **socketp)
+{
+	return (socket_create(manager0, pf, type, socketp, NULL));
+}
+
+/*%
+ * Duplicate an existing socket.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc__socket_dup(isc_socket_t *sock0, isc_socket_t **socketp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	return (socket_create((isc_socketmgr_t *) sock->manager,
+			      sock->pf, sock->type, socketp,
+			      sock0));
+}
+
+isc_result_t
+isc__socket_open(isc_socket_t *sock0) {
+	isc_result_t result;
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	REQUIRE(sock->references == 1);
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+	UNLOCK(&sock->lock);
+	/*
+	 * We don't need to retain the lock hereafter, since no one else has
+	 * this socket.
+	 */
+	REQUIRE(sock->fd == -1);
+
+	result = opensocket(sock->manager, sock, NULL);
+	if (result != ISC_R_SUCCESS)
+		sock->fd = -1;
+
+	if (result == ISC_R_SUCCESS) {
+		int lockid = FDLOCK_ID(sock->fd);
+
+		LOCK(&sock->manager->fdlock[lockid]);
+		sock->manager->fds[sock->fd] = sock;
+		sock->manager->fdstate[sock->fd] = MANAGED;
+#if defined(USE_EPOLL)
+		sock->manager->epoll_events[sock->fd] = 0;
+#endif
+#ifdef USE_DEVPOLL
+		INSIST(sock->manager->fdpollinfo[sock->fd].want_read == 0 &&
+		       sock->manager->fdpollinfo[sock->fd].want_write == 0);
+#endif
+		UNLOCK(&sock->manager->fdlock[lockid]);
+
+#ifdef USE_SELECT
+		LOCK(&sock->manager->lock);
+		if (sock->manager->maxfd < sock->fd)
+			sock->manager->maxfd = sock->fd;
+		UNLOCK(&sock->manager->lock);
+#endif
+	}
+
+	return (result);
+}
+
+/*
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc__socket_fdwatchcreate(isc_socketmgr_t *manager0, int fd, int flags,
+			  isc_sockfdwatch_t callback, void *cbarg,
+			  isc_task_t *task, isc_socket_t **socketp)
+{
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+	isc__socket_t *sock = NULL;
+	isc_result_t result;
+	int lockid;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	if (fd < 0 || (unsigned int)fd >= manager->maxsocks)
+		return (ISC_R_RANGE);
+
+	result = allocate_socket(manager, isc_sockettype_fdwatch, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	sock->fd = fd;
+	sock->fdwatcharg = cbarg;
+	sock->fdwatchcb = callback;
+	sock->fdwatchflags = flags;
+	sock->fdwatchtask = task;
+	sock->statsindex = fdwatchstatsindex;
+
+	sock->common.methods = (isc_socketmethods_t *)&socketmethods;
+	sock->references = 1;
+	*socketp = (isc_socket_t *)sock;
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	lockid = FDLOCK_ID(sock->fd);
+	LOCK(&manager->fdlock[lockid]);
+	manager->fds[sock->fd] = sock;
+	manager->fdstate[sock->fd] = MANAGED;
+#if defined(USE_EPOLL)
+	manager->epoll_events[sock->fd] = 0;
+#endif
+	UNLOCK(&manager->fdlock[lockid]);
+
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+#ifdef USE_SELECT
+	if (manager->maxfd < sock->fd)
+		manager->maxfd = sock->fd;
+#endif
+	UNLOCK(&manager->lock);
+
+	if (flags & ISC_SOCKFDWATCH_READ)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+	if (flags & ISC_SOCKFDWATCH_WRITE)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_CREATED, "fdwatch-created");
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Indicate to the manager that it should watch the socket again.
+ * This can be used to restart watching if the previous event handler
+ * didn't indicate there was more data to be processed.  Primarily
+ * it is for writing but could be used for reading if desired
+ */
+
+isc_result_t
+isc__socket_fdwatchpoke(isc_socket_t *sock0, int flags)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	/*
+	 * We check both flags first to allow us to get the lock
+	 * once but only if we need it.
+	 */
+
+	if ((flags & (ISC_SOCKFDWATCH_READ | ISC_SOCKFDWATCH_WRITE)) != 0) {
+		LOCK(&sock->lock);
+		if (((flags & ISC_SOCKFDWATCH_READ) != 0) &&
+		    !sock->pending_recv)
+			select_poke(sock->manager, sock->fd,
+				    SELECT_POKE_READ);
+		if (((flags & ISC_SOCKFDWATCH_WRITE) != 0) &&
+		    !sock->pending_send)
+			select_poke(sock->manager, sock->fd,
+				    SELECT_POKE_WRITE);
+		UNLOCK(&sock->lock);
+	}
+
+	socket_log(sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_POKED, "fdwatch-poked flags: %d", flags);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Attach to a socket.  Caller must explicitly detach when it is done.
+ */
+void
+isc__socket_attach(isc_socket_t *sock0, isc_socket_t **socketp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	LOCK(&sock->lock);
+	sock->references++;
+	UNLOCK(&sock->lock);
+
+	*socketp = (isc_socket_t *)sock;
+}
+
+/*
+ * Dereference a socket.  If this is the last reference to it, clean things
+ * up by destroying the socket.
+ */
+void
+isc__socket_detach(isc_socket_t **socketp) {
+	isc__socket_t *sock;
+	bool kill_socket = false;
+
+	REQUIRE(socketp != NULL);
+	sock = (isc__socket_t *)*socketp;
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	REQUIRE(sock->references > 0);
+	sock->references--;
+	if (sock->references == 0)
+		kill_socket = true;
+	UNLOCK(&sock->lock);
+
+	if (kill_socket)
+		destroy(&sock);
+
+	*socketp = NULL;
+}
+
+isc_result_t
+isc__socket_close(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	int fd;
+	isc__socketmgr_t *manager;
+
+	fflush(stdout);
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(sock->references == 1);
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+	REQUIRE(sock->fd >= 0 && sock->fd < (int)sock->manager->maxsocks);
+
+	INSIST(!sock->connecting);
+	INSIST(!sock->pending_recv);
+	INSIST(!sock->pending_send);
+	INSIST(!sock->pending_accept);
+	INSIST(ISC_LIST_EMPTY(sock->recv_list));
+	INSIST(ISC_LIST_EMPTY(sock->send_list));
+	INSIST(ISC_LIST_EMPTY(sock->accept_list));
+	INSIST(ISC_LIST_EMPTY(sock->connect_list));
+
+	manager = sock->manager;
+	fd = sock->fd;
+	sock->fd = -1;
+	sock->dupped = 0;
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->connecting = 0;
+	sock->bound = 0;
+	isc_sockaddr_any(&sock->peer_address);
+
+	UNLOCK(&sock->lock);
+
+	socketclose(manager, sock, fd);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * I/O is possible on a given socket.  Schedule an event to this task that
+ * will call an internal function to do the I/O.  This will charge the
+ * task with the I/O operation and let our select loop handler get back
+ * to doing something real as fast as possible.
+ *
+ * The socket and manager must be locked before calling this function.
+ */
+static void
+dispatch_recv(isc__socket_t *sock) {
+	intev_t *iev;
+	isc_socketevent_t *ev;
+	isc_task_t *sender;
+
+	INSIST(!sock->pending_recv);
+
+	if (sock->type != isc_sockettype_fdwatch) {
+		ev = ISC_LIST_HEAD(sock->recv_list);
+		if (ev == NULL)
+			return;
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "dispatch_recv:  event %p -> task %p",
+			   ev, ev->ev_sender);
+		sender = ev->ev_sender;
+	} else {
+		sender = sock->fdwatchtask;
+	}
+
+	sock->pending_recv = 1;
+	iev = &sock->readable_ev;
+
+	sock->references++;
+	iev->ev_sender = sock;
+	if (sock->type == isc_sockettype_fdwatch)
+		iev->ev_action = internal_fdwatch_read;
+	else
+		iev->ev_action = internal_recv;
+	iev->ev_arg = sock;
+
+	isc_task_send(sender, (isc_event_t **)&iev);
+}
+
+static void
+dispatch_send(isc__socket_t *sock) {
+	intev_t *iev;
+	isc_socketevent_t *ev;
+	isc_task_t *sender;
+
+	INSIST(!sock->pending_send);
+
+	if (sock->type != isc_sockettype_fdwatch) {
+		ev = ISC_LIST_HEAD(sock->send_list);
+		if (ev == NULL)
+			return;
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "dispatch_send:  event %p -> task %p",
+			   ev, ev->ev_sender);
+		sender = ev->ev_sender;
+	} else {
+		sender = sock->fdwatchtask;
+	}
+
+	sock->pending_send = 1;
+	iev = &sock->writable_ev;
+
+	sock->references++;
+	iev->ev_sender = sock;
+	if (sock->type == isc_sockettype_fdwatch)
+		iev->ev_action = internal_fdwatch_write;
+	else
+		iev->ev_action = internal_send;
+	iev->ev_arg = sock;
+
+	isc_task_send(sender, (isc_event_t **)&iev);
+}
+
+/*
+ * Dispatch an internal accept event.
+ */
+static void
+dispatch_accept(isc__socket_t *sock) {
+	intev_t *iev;
+	isc_socket_newconnev_t *ev;
+
+	INSIST(!sock->pending_accept);
+
+	/*
+	 * Are there any done events left, or were they all canceled
+	 * before the manager got the socket lock?
+	 */
+	ev = ISC_LIST_HEAD(sock->accept_list);
+	if (ev == NULL)
+		return;
+
+	sock->pending_accept = 1;
+	iev = &sock->readable_ev;
+
+	sock->references++;  /* keep socket around for this internal event */
+	iev->ev_sender = sock;
+	iev->ev_action = internal_accept;
+	iev->ev_arg = sock;
+
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+static void
+dispatch_connect(isc__socket_t *sock) {
+	intev_t *iev;
+	isc_socket_connev_t *ev;
+
+	iev = &sock->writable_ev;
+
+	ev = ISC_LIST_HEAD(sock->connect_list);
+	INSIST(ev != NULL); /* XXX */
+
+	INSIST(sock->connecting);
+
+	sock->references++;  /* keep socket around for this internal event */
+	iev->ev_sender = sock;
+	iev->ev_action = internal_connect;
+	iev->ev_arg = sock;
+
+	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+/*
+ * Dequeue an item off the given socket's read queue, set the result code
+ * in the done event to the one provided, and send it to the task it was
+ * destined for.
+ *
+ * If the event to be sent is on a list, remove it before sending.  If
+ * asked to, send and detach from the socket as well.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_recvdone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	task = (*dev)->ev_sender;
+
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+	    == ISC_SOCKEVENTATTR_ATTACHED)
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	else
+		isc_task_send(task, (isc_event_t **)dev);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_senddone_event(isc__socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+	    == ISC_SOCKEVENTATTR_ATTACHED)
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	else
+		isc_task_send(task, (isc_event_t **)dev);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_connectdone_event(isc__socket_t *sock, isc_socket_connev_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->connect_list, *dev, ev_link);
+
+	isc_task_sendanddetach(&task, (isc_event_t **)dev);
+}
+
+/*
+ * Call accept() on a socket, to get the new file descriptor.  The listen
+ * socket is used as a prototype to create a new isc_socket_t.  The new
+ * socket has one outstanding reference.  The task receiving the event
+ * will be detached from just after the event is delivered.
+ *
+ * On entry to this function, the event delivered is the internal
+ * readable event, and the first item on the accept_list should be
+ * the done event we want to send.  If the list is empty, this is a no-op,
+ * so just unlock and return.
+ */
+static void
+internal_accept(isc_task_t *me, isc_event_t *ev) {
+	isc__socket_t *sock;
+	isc__socketmgr_t *manager;
+	isc_socket_newconnev_t *dev;
+	isc_task_t *task;
+	ISC_SOCKADDR_LEN_T addrlen;
+	int fd;
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	const char *err = "accept";
+
+	UNUSED(me);
+
+	sock = ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+		   "internal_accept called, locked socket");
+
+	manager = sock->manager;
+	INSIST(VALID_MANAGER(manager));
+
+	INSIST(sock->listener);
+	INSIST(sock->pending_accept == 1);
+	sock->pending_accept = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	/*
+	 * Get the first item off the accept list.
+	 * If it is empty, unlock the socket and return.
+	 */
+	dev = ISC_LIST_HEAD(sock->accept_list);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * Try to accept the new connection.  If the accept fails with
+	 * EAGAIN or EINTR, simply poke the watcher to watch this socket
+	 * again.  Also ignore ECONNRESET, which has been reported to
+	 * be spuriously returned on Linux 2.2.19 although it is not
+	 * a documented error for accept().  ECONNABORTED has been
+	 * reported for Solaris 8.  The rest are thrown in not because
+	 * we have seen them but because they are ignored by other
+	 * daemons such as BIND 8 and Apache.
+	 */
+
+	addrlen = sizeof(NEWCONNSOCK(dev)->peer_address.type);
+	memset(&NEWCONNSOCK(dev)->peer_address.type, 0, addrlen);
+	fd = accept(sock->fd, &NEWCONNSOCK(dev)->peer_address.type.sa,
+		    (void *)&addrlen);
+
+#ifdef F_DUPFD
+	/*
+	 * Leave a space for stdio to work in.
+	 */
+	if (fd >= 0 && fd < 20) {
+		int newfd, tmp;
+		newfd = fcntl(fd, F_DUPFD, 20);
+		tmp = errno;
+		(void)close(fd);
+		errno = tmp;
+		fd = newfd;
+		err = "accept/fcntl";
+	}
+#endif
+
+	if (fd < 0) {
+		if (SOFT_ERROR(errno))
+			goto soft_error;
+		switch (errno) {
+		case ENFILE:
+		case EMFILE:
+			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				       isc_msgcat, ISC_MSGSET_SOCKET,
+				       ISC_MSG_TOOMANYFDS,
+				       "%s: too many open file descriptors",
+				       err);
+			goto soft_error;
+
+		case ENOBUFS:
+		case ENOMEM:
+		case ECONNRESET:
+		case ECONNABORTED:
+		case EHOSTUNREACH:
+		case EHOSTDOWN:
+		case ENETUNREACH:
+		case ENETDOWN:
+		case ECONNREFUSED:
+#ifdef EPROTO
+		case EPROTO:
+#endif
+#ifdef ENONET
+		case ENONET:
+#endif
+			goto soft_error;
+		default:
+			break;
+		}
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "internal_accept: %s() %s: %s", err,
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		fd = -1;
+		result = ISC_R_UNEXPECTED;
+	} else {
+		if (addrlen == 0U) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_accept(): "
+					 "accept() failed to return "
+					 "remote address");
+
+			(void)close(fd);
+			goto soft_error;
+		} else if (NEWCONNSOCK(dev)->peer_address.type.sa.sa_family !=
+			   sock->pf)
+		{
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_accept(): "
+					 "accept() returned peer address "
+					 "family %u (expected %u)",
+					 NEWCONNSOCK(dev)->peer_address.
+					 type.sa.sa_family,
+					 sock->pf);
+			(void)close(fd);
+			goto soft_error;
+		} else if (fd >= (int)manager->maxsocks) {
+			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				       isc_msgcat, ISC_MSGSET_SOCKET,
+				       ISC_MSG_TOOMANYFDS,
+				       "accept: "
+				       "file descriptor exceeds limit (%d/%u)",
+				       fd, manager->maxsocks);
+			(void)close(fd);
+			goto soft_error;
+		}
+	}
+
+	if (fd != -1) {
+		NEWCONNSOCK(dev)->peer_address.length = addrlen;
+		NEWCONNSOCK(dev)->pf = sock->pf;
+	}
+
+	/*
+	 * Pull off the done event.
+	 */
+	ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
+
+	/*
+	 * Poke watcher if there are more pending accepts.
+	 */
+	if (!ISC_LIST_EMPTY(sock->accept_list))
+		select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
+
+	UNLOCK(&sock->lock);
+
+	if (fd != -1) {
+		result = make_nonblock(fd);
+		if (result != ISC_R_SUCCESS) {
+			(void)close(fd);
+			fd = -1;
+		}
+	}
+
+	/*
+	 * -1 means the new socket didn't happen.
+	 */
+	if (fd != -1) {
+		int lockid = FDLOCK_ID(fd);
+
+		NEWCONNSOCK(dev)->fd = fd;
+		NEWCONNSOCK(dev)->bound = 1;
+		NEWCONNSOCK(dev)->connected = 1;
+
+		/*
+		 * Use minimum mtu if possible.
+		 */
+		use_min_mtu(NEWCONNSOCK(dev));
+		set_tcp_maxseg(NEWCONNSOCK(dev), 1280 - 20 - 40);
+
+		/*
+		 * Ensure DSCP settings are inherited across accept.
+		 */
+		setdscp(NEWCONNSOCK(dev), sock->dscp);
+
+		/*
+		 * Save away the remote address
+		 */
+		dev->address = NEWCONNSOCK(dev)->peer_address;
+
+		if (NEWCONNSOCK(dev)->active == 0) {
+			inc_stats(manager->stats,
+				  NEWCONNSOCK(dev)->statsindex[STATID_ACTIVE]);
+			NEWCONNSOCK(dev)->active = 1;
+		}
+
+		LOCK(&manager->fdlock[lockid]);
+		manager->fds[fd] = NEWCONNSOCK(dev);
+		manager->fdstate[fd] = MANAGED;
+#if defined(USE_EPOLL)
+		manager->epoll_events[fd] = 0;
+#endif
+		UNLOCK(&manager->fdlock[lockid]);
+
+		LOCK(&manager->lock);
+
+#ifdef USE_SELECT
+		if (manager->maxfd < fd)
+			manager->maxfd = fd;
+#endif
+
+		socket_log(sock, &NEWCONNSOCK(dev)->peer_address, CREATION,
+			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
+			   "accepted connection, new socket %p",
+			   dev->newsocket);
+
+		ISC_LIST_APPEND(manager->socklist, NEWCONNSOCK(dev), link);
+
+		UNLOCK(&manager->lock);
+
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
+	} else {
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
+		NEWCONNSOCK(dev)->references--;
+		free_socket((isc__socket_t **)&dev->newsocket);
+	}
+
+	/*
+	 * Fill in the done event details and send it off.
+	 */
+	dev->result = result;
+	task = dev->ev_sender;
+	dev->ev_sender = sock;
+
+	isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
+	return;
+
+ soft_error:
+	select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
+	UNLOCK(&sock->lock);
+
+	inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
+	return;
+}
+
+static void
+internal_recv(isc_task_t *me, isc_event_t *ev) {
+	isc_socketevent_t *dev;
+	isc__socket_t *sock;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
+
+	sock = ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+		   "internal_recv: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_recv == 1);
+	sock->pending_recv = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	/*
+	 * Try to do as much I/O as possible on this socket.  There are no
+	 * limits here, currently.
+	 */
+	dev = ISC_LIST_HEAD(sock->recv_list);
+	while (dev != NULL) {
+		switch (doio_recv(sock, dev)) {
+		case DOIO_SOFT:
+			goto poke;
+
+		case DOIO_EOF:
+			/*
+			 * read of 0 means the remote end was closed.
+			 * Run through the event queue and dispatch all
+			 * the events with an EOF result code.
+			 */
+			do {
+				dev->result = ISC_R_EOF;
+				send_recvdone_event(sock, &dev);
+				dev = ISC_LIST_HEAD(sock->recv_list);
+			} while (dev != NULL);
+			goto poke;
+
+		case DOIO_SUCCESS:
+		case DOIO_HARD:
+			send_recvdone_event(sock, &dev);
+			break;
+		}
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+	}
+
+ poke:
+	if (!ISC_LIST_EMPTY(sock->recv_list))
+		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+
+	UNLOCK(&sock->lock);
+}
+
+static void
+internal_send(isc_task_t *me, isc_event_t *ev) {
+	isc_socketevent_t *dev;
+	isc__socket_t *sock;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	sock = (isc__socket_t *)ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+		   "internal_send: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_send == 1);
+	sock->pending_send = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	/*
+	 * Try to do as much I/O as possible on this socket.  There are no
+	 * limits here, currently.
+	 */
+	dev = ISC_LIST_HEAD(sock->send_list);
+	while (dev != NULL) {
+		switch (doio_send(sock, dev)) {
+		case DOIO_SOFT:
+			goto poke;
+
+		case DOIO_HARD:
+		case DOIO_SUCCESS:
+			send_senddone_event(sock, &dev);
+			break;
+		}
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+	}
+
+ poke:
+	if (!ISC_LIST_EMPTY(sock->send_list))
+		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+	UNLOCK(&sock->lock);
+}
+
+static void
+internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
+	isc__socket_t *sock;
+	int more_data;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	sock = (isc__socket_t *)ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+		   "internal_fdwatch_write: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_send == 1);
+
+	UNLOCK(&sock->lock);
+	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+				      sock->fdwatcharg, ISC_SOCKFDWATCH_WRITE);
+	LOCK(&sock->lock);
+
+	sock->pending_send = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	if (more_data)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+	UNLOCK(&sock->lock);
+}
+
+static void
+internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
+	isc__socket_t *sock;
+	int more_data;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	sock = (isc__socket_t *)ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+		   "internal_fdwatch_read: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_recv == 1);
+
+	UNLOCK(&sock->lock);
+	more_data = (sock->fdwatchcb)(me, (isc_socket_t *)sock,
+				      sock->fdwatcharg, ISC_SOCKFDWATCH_READ);
+	LOCK(&sock->lock);
+
+	sock->pending_recv = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	if (more_data)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+
+	UNLOCK(&sock->lock);
+}
+
+/*
+ * Process read/writes on each fd here.  Avoid locking
+ * and unlocking twice if both reads and writes are possible.
+ */
+static void
+process_fd(isc__socketmgr_t *manager, int fd, bool readable,
+	   bool writeable)
+{
+	isc__socket_t *sock;
+	bool unlock_sock;
+	bool unwatch_read = false, unwatch_write = false;
+	int lockid = FDLOCK_ID(fd);
+
+	/*
+	 * If the socket is going to be closed, don't do more I/O.
+	 */
+	LOCK(&manager->fdlock[lockid]);
+	if (manager->fdstate[fd] == CLOSE_PENDING) {
+		UNLOCK(&manager->fdlock[lockid]);
+
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+		return;
+	}
+
+	sock = manager->fds[fd];
+	unlock_sock = false;
+	if (readable) {
+		if (sock == NULL) {
+			unwatch_read = true;
+			goto check_write;
+		}
+		unlock_sock = true;
+		LOCK(&sock->lock);
+		if (!SOCK_DEAD(sock)) {
+			if (sock->listener)
+				dispatch_accept(sock);
+			else
+				dispatch_recv(sock);
+		}
+		unwatch_read = true;
+	}
+check_write:
+	if (writeable) {
+		if (sock == NULL) {
+			unwatch_write = true;
+			goto unlock_fd;
+		}
+		if (!unlock_sock) {
+			unlock_sock = true;
+			LOCK(&sock->lock);
+		}
+		if (!SOCK_DEAD(sock)) {
+			if (sock->connecting)
+				dispatch_connect(sock);
+			else
+				dispatch_send(sock);
+		}
+		unwatch_write = true;
+	}
+	if (unlock_sock)
+		UNLOCK(&sock->lock);
+
+ unlock_fd:
+	UNLOCK(&manager->fdlock[lockid]);
+	if (unwatch_read)
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+	if (unwatch_write)
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+
+}
+
+#ifdef USE_KQUEUE
+static bool
+process_fds(isc__socketmgr_t *manager, struct kevent *events, int nevents) {
+	int i;
+	bool readable, writable;
+	bool done = false;
+#ifdef USE_WATCHER_THREAD
+	bool have_ctlevent = false;
+#endif
+
+	if (nevents == manager->nevents) {
+		/*
+		 * This is not an error, but something unexpected.  If this
+		 * happens, it may indicate the need for increasing
+		 * ISC_SOCKET_MAXEVENTS.
+		 */
+		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
+			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			    "maximum number of FD events (%d) received",
+			    nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].ident < manager->maxsocks);
+#ifdef USE_WATCHER_THREAD
+		if (events[i].ident == (uintptr_t)manager->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+#endif
+		readable = (events[i].filter == EVFILT_READ);
+		writable = (events[i].filter == EVFILT_WRITE);
+		process_fd(manager, events[i].ident, readable, writable);
+	}
+
+#ifdef USE_WATCHER_THREAD
+	if (have_ctlevent)
+		done = process_ctlfd(manager);
+#endif
+
+	return (done);
+}
+#elif defined(USE_EPOLL)
+static bool
+process_fds(isc__socketmgr_t *manager, struct epoll_event *events, int nevents)
+{
+	int i;
+	bool done = false;
+#ifdef USE_WATCHER_THREAD
+	bool have_ctlevent = false;
+#endif
+
+	if (nevents == manager->nevents) {
+		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
+			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			    "maximum number of FD events (%d) received",
+			    nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].data.fd < (int)manager->maxsocks);
+#ifdef USE_WATCHER_THREAD
+		if (events[i].data.fd == manager->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+#endif
+		if ((events[i].events & EPOLLERR) != 0 ||
+		    (events[i].events & EPOLLHUP) != 0) {
+			/*
+			 * epoll does not set IN/OUT bits on an erroneous
+			 * condition, so we need to try both anyway.  This is a
+			 * bit inefficient, but should be okay for such rare
+			 * events.  Note also that the read or write attempt
+			 * won't block because we use non-blocking sockets.
+			 */
+			int fd = events[i].data.fd;
+			events[i].events |= manager->epoll_events[fd];
+		}
+		process_fd(manager, events[i].data.fd,
+			   (events[i].events & EPOLLIN) != 0,
+			   (events[i].events & EPOLLOUT) != 0);
+	}
+
+#ifdef USE_WATCHER_THREAD
+	if (have_ctlevent)
+		done = process_ctlfd(manager);
+#endif
+
+	return (done);
+}
+#elif defined(USE_DEVPOLL)
+static bool
+process_fds(isc__socketmgr_t *manager, struct pollfd *events, int nevents) {
+	int i;
+	bool done = false;
+#ifdef USE_WATCHER_THREAD
+	bool have_ctlevent = false;
+#endif
+
+	if (nevents == manager->nevents) {
+		manager_log(manager, ISC_LOGCATEGORY_GENERAL,
+			    ISC_LOGMODULE_SOCKET, ISC_LOG_INFO,
+			    "maximum number of FD events (%d) received",
+			    nevents);
+	}
+
+	for (i = 0; i < nevents; i++) {
+		REQUIRE(events[i].fd < (int)manager->maxsocks);
+#ifdef USE_WATCHER_THREAD
+		if (events[i].fd == manager->pipe_fds[0]) {
+			have_ctlevent = true;
+			continue;
+		}
+#endif
+		process_fd(manager, events[i].fd,
+			   (events[i].events & POLLIN) != 0,
+			   (events[i].events & POLLOUT) != 0);
+	}
+
+#ifdef USE_WATCHER_THREAD
+	if (have_ctlevent)
+		done = process_ctlfd(manager);
+#endif
+
+	return (done);
+}
+#elif defined(USE_SELECT)
+static void
+process_fds(isc__socketmgr_t *manager, int maxfd, fd_set *readfds,
+	    fd_set *writefds)
+{
+	int i;
+
+	REQUIRE(maxfd <= (int)manager->maxsocks);
+
+	for (i = 0; i < maxfd; i++) {
+#ifdef USE_WATCHER_THREAD
+		if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
+			continue;
+#endif /* USE_WATCHER_THREAD */
+		process_fd(manager, i, FD_ISSET(i, readfds),
+			   FD_ISSET(i, writefds));
+	}
+}
+#endif
+
+#ifdef USE_WATCHER_THREAD
+static bool
+process_ctlfd(isc__socketmgr_t *manager) {
+	int msg, fd;
+
+	for (;;) {
+		select_readmsg(manager, &fd, &msg);
+
+		manager_log(manager, IOEVENT,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_WATCHERMSG,
+					   "watcher got message %d "
+					   "for socket %d"), msg, fd);
+
+		/*
+		 * Nothing to read?
+		 */
+		if (msg == SELECT_POKE_NOTHING)
+			break;
+
+		/*
+		 * Handle shutdown message.  We really should
+		 * jump out of this loop right away, but
+		 * it doesn't matter if we have to do a little
+		 * more work first.
+		 */
+		if (msg == SELECT_POKE_SHUTDOWN)
+			return (true);
+
+		/*
+		 * This is a wakeup on a socket.  Look
+		 * at the event queue for both read and write,
+		 * and decide if we need to watch on it now
+		 * or not.
+		 */
+		wakeup_socket(manager, fd, msg);
+	}
+
+	return (false);
+}
+
+/*
+ * This is the thread that will loop forever, always in a select or poll
+ * call.
+ *
+ * When select returns something to do, track down what thread gets to do
+ * this I/O and post the event to it.
+ */
+static isc_threadresult_t
+watcher(void *uap) {
+	isc__socketmgr_t *manager = uap;
+	bool done;
+	int cc;
+#ifdef USE_KQUEUE
+	const char *fnname = "kevent()";
+#elif defined (USE_EPOLL)
+	const char *fnname = "epoll_wait()";
+#elif defined(USE_DEVPOLL)
+	isc_result_t result;
+	const char *fnname = "ioctl(DP_POLL)";
+	struct dvpoll dvp;
+	int pass;
+#if defined(ISC_SOCKET_USE_POLLWATCH)
+	pollstate_t pollstate = poll_idle;
+#endif
+#elif defined (USE_SELECT)
+	const char *fnname = "select()";
+	int maxfd;
+	int ctlfd;
+#endif
+	char strbuf[ISC_STRERRORSIZE];
+
+#if defined (USE_SELECT)
+	/*
+	 * Get the control fd here.  This will never change.
+	 */
+	ctlfd = manager->pipe_fds[0];
+#endif
+	done = false;
+	while (!done) {
+		do {
+#ifdef USE_KQUEUE
+			cc = kevent(manager->kqueue_fd, NULL, 0,
+				    manager->events, manager->nevents, NULL);
+#elif defined(USE_EPOLL)
+			cc = epoll_wait(manager->epoll_fd, manager->events,
+					manager->nevents, -1);
+#elif defined(USE_DEVPOLL)
+			/*
+			 * Re-probe every thousand calls.
+			 */
+			if (manager->calls++ > 1000U) {
+				result = isc_resource_getcurlimit(
+							isc_resource_openfiles,
+							&manager->open_max);
+				if (result != ISC_R_SUCCESS)
+					manager->open_max = 64;
+				manager->calls = 0;
+			}
+			for (pass = 0; pass < 2; pass++) {
+				dvp.dp_fds = manager->events;
+				dvp.dp_nfds = manager->nevents;
+				if (dvp.dp_nfds >= manager->open_max)
+					dvp.dp_nfds = manager->open_max - 1;
+#ifndef ISC_SOCKET_USE_POLLWATCH
+				dvp.dp_timeout = -1;
+#else
+				if (pollstate == poll_idle)
+					dvp.dp_timeout = -1;
+				else
+					dvp.dp_timeout =
+						 ISC_SOCKET_POLLWATCH_TIMEOUT;
+#endif	/* ISC_SOCKET_USE_POLLWATCH */
+				cc = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
+				if (cc == -1 && errno == EINVAL) {
+					/*
+					 * {OPEN_MAX} may have dropped.  Look
+					 * up the current value and try again.
+					 */
+					result = isc_resource_getcurlimit(
+							isc_resource_openfiles,
+							&manager->open_max);
+					if (result != ISC_R_SUCCESS)
+						manager->open_max = 64;
+				} else
+					break;
+			}
+#elif defined(USE_SELECT)
+			LOCK(&manager->lock);
+			memmove(manager->read_fds_copy, manager->read_fds,
+				manager->fd_bufsize);
+			memmove(manager->write_fds_copy, manager->write_fds,
+				manager->fd_bufsize);
+			maxfd = manager->maxfd + 1;
+			UNLOCK(&manager->lock);
+
+			cc = select(maxfd, manager->read_fds_copy,
+				    manager->write_fds_copy, NULL, NULL);
+#endif	/* USE_KQUEUE */
+
+			if (cc < 0 && !SOFT_ERROR(errno)) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				FATAL_ERROR(__FILE__, __LINE__,
+					    "%s %s: %s", fnname,
+					    isc_msgcat_get(isc_msgcat,
+							   ISC_MSGSET_GENERAL,
+							   ISC_MSG_FAILED,
+							   "failed"), strbuf);
+			}
+
+#if defined(USE_DEVPOLL) && defined(ISC_SOCKET_USE_POLLWATCH)
+			if (cc == 0) {
+				if (pollstate == poll_active)
+					pollstate = poll_checking;
+				else if (pollstate == poll_checking)
+					pollstate = poll_idle;
+			} else if (cc > 0) {
+				if (pollstate == poll_checking) {
+					/*
+					 * XXX: We'd like to use a more
+					 * verbose log level as it's actually an
+					 * unexpected event, but the kernel bug
+					 * reportedly happens pretty frequently
+					 * (and it can also be a false positive)
+					 * so it would be just too noisy.
+					 */
+					manager_log(manager,
+						    ISC_LOGCATEGORY_GENERAL,
+						    ISC_LOGMODULE_SOCKET,
+						    ISC_LOG_DEBUG(1),
+						    "unexpected POLL timeout");
+				}
+				pollstate = poll_active;
+			}
+#endif
+		} while (cc < 0);
+
+#if defined(USE_KQUEUE) || defined (USE_EPOLL) || defined (USE_DEVPOLL)
+		done = process_fds(manager, manager->events, cc);
+#elif defined(USE_SELECT)
+		process_fds(manager, maxfd, manager->read_fds_copy,
+			    manager->write_fds_copy);
+
+		/*
+		 * Process reads on internal, control fd.
+		 */
+		if (FD_ISSET(ctlfd, manager->read_fds_copy))
+			done = process_ctlfd(manager);
+#endif
+	}
+
+	manager_log(manager, TRACE, "%s",
+		    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				   ISC_MSG_EXITING, "watcher exiting"));
+
+	return ((isc_threadresult_t)0);
+}
+#endif /* USE_WATCHER_THREAD */
+
+void
+isc__socketmgr_setreserved(isc_socketmgr_t *manager0, uint32_t reserved) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->reserved = reserved;
+}
+
+void
+isc__socketmgr_maxudp(isc_socketmgr_t *manager0, int maxudp) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	manager->maxudp = maxudp;
+}
+
+/*
+ * Create a new socket manager.
+ */
+
+static isc_result_t
+setup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
+	isc_result_t result;
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+
+#ifdef USE_KQUEUE
+	manager->nevents = ISC_SOCKET_MAXEVENTS;
+	manager->events = isc_mem_get(mctx, sizeof(struct kevent) *
+				      manager->nevents);
+	if (manager->events == NULL)
+		return (ISC_R_NOMEMORY);
+	manager->kqueue_fd = kqueue();
+	if (manager->kqueue_fd == -1) {
+		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "kqueue %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct kevent) * manager->nevents);
+		return (result);
+	}
+
+#ifdef USE_WATCHER_THREAD
+	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		close(manager->kqueue_fd);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct kevent) * manager->nevents);
+		return (result);
+	}
+#endif	/* USE_WATCHER_THREAD */
+#elif defined(USE_EPOLL)
+	manager->nevents = ISC_SOCKET_MAXEVENTS;
+	manager->events = isc_mem_get(mctx, sizeof(struct epoll_event) *
+				      manager->nevents);
+	if (manager->events == NULL)
+		return (ISC_R_NOMEMORY);
+	manager->epoll_fd = epoll_create(manager->nevents);
+	if (manager->epoll_fd == -1) {
+		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "epoll_create %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct epoll_event) * manager->nevents);
+		return (result);
+	}
+#ifdef USE_WATCHER_THREAD
+	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		close(manager->epoll_fd);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct epoll_event) * manager->nevents);
+		return (result);
+	}
+#endif	/* USE_WATCHER_THREAD */
+#elif defined(USE_DEVPOLL)
+	manager->nevents = ISC_SOCKET_MAXEVENTS;
+	result = isc_resource_getcurlimit(isc_resource_openfiles,
+					  &manager->open_max);
+	if (result != ISC_R_SUCCESS)
+		manager->open_max = 64;
+	manager->calls = 0;
+	manager->events = isc_mem_get(mctx, sizeof(struct pollfd) *
+				      manager->nevents);
+	if (manager->events == NULL)
+		return (ISC_R_NOMEMORY);
+	/*
+	 * Note: fdpollinfo should be able to support all possible FDs, so
+	 * it must have maxsocks entries (not nevents).
+	 */
+	manager->fdpollinfo = isc_mem_get(mctx, sizeof(pollinfo_t) *
+					  manager->maxsocks);
+	if (manager->fdpollinfo == NULL) {
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct pollfd) * manager->nevents);
+		return (ISC_R_NOMEMORY);
+	}
+	memset(manager->fdpollinfo, 0, sizeof(pollinfo_t) * manager->maxsocks);
+	manager->devpoll_fd = open("/dev/poll", O_RDWR);
+	if (manager->devpoll_fd == -1) {
+		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "open(/dev/poll) %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct pollfd) * manager->nevents);
+		isc_mem_put(mctx, manager->fdpollinfo,
+			    sizeof(pollinfo_t) * manager->maxsocks);
+		return (result);
+	}
+#ifdef USE_WATCHER_THREAD
+	result = watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		close(manager->devpoll_fd);
+		isc_mem_put(mctx, manager->events,
+			    sizeof(struct pollfd) * manager->nevents);
+		isc_mem_put(mctx, manager->fdpollinfo,
+			    sizeof(pollinfo_t) * manager->maxsocks);
+		return (result);
+	}
+#endif	/* USE_WATCHER_THREAD */
+#elif defined(USE_SELECT)
+	UNUSED(result);
+
+#if ISC_SOCKET_MAXSOCKETS > FD_SETSIZE
+	/*
+	 * Note: this code should also cover the case of MAXSOCKETS <=
+	 * FD_SETSIZE, but we separate the cases to avoid possible portability
+	 * issues regarding howmany() and the actual representation of fd_set.
+	 */
+	manager->fd_bufsize = howmany(manager->maxsocks, NFDBITS) *
+		sizeof(fd_mask);
+#else
+	manager->fd_bufsize = sizeof(fd_set);
+#endif
+
+	manager->read_fds = NULL;
+	manager->read_fds_copy = NULL;
+	manager->write_fds = NULL;
+	manager->write_fds_copy = NULL;
+
+	manager->read_fds = isc_mem_get(mctx, manager->fd_bufsize);
+	if (manager->read_fds != NULL)
+		manager->read_fds_copy = isc_mem_get(mctx, manager->fd_bufsize);
+	if (manager->read_fds_copy != NULL)
+		manager->write_fds = isc_mem_get(mctx, manager->fd_bufsize);
+	if (manager->write_fds != NULL) {
+		manager->write_fds_copy = isc_mem_get(mctx,
+						      manager->fd_bufsize);
+	}
+	if (manager->write_fds_copy == NULL) {
+		if (manager->write_fds != NULL) {
+			isc_mem_put(mctx, manager->write_fds,
+				    manager->fd_bufsize);
+		}
+		if (manager->read_fds_copy != NULL) {
+			isc_mem_put(mctx, manager->read_fds_copy,
+				    manager->fd_bufsize);
+		}
+		if (manager->read_fds != NULL) {
+			isc_mem_put(mctx, manager->read_fds,
+				    manager->fd_bufsize);
+		}
+		return (ISC_R_NOMEMORY);
+	}
+	memset(manager->read_fds, 0, manager->fd_bufsize);
+	memset(manager->write_fds, 0, manager->fd_bufsize);
+
+#ifdef USE_WATCHER_THREAD
+	(void)watch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
+	manager->maxfd = manager->pipe_fds[0];
+#else /* USE_WATCHER_THREAD */
+	manager->maxfd = 0;
+#endif /* USE_WATCHER_THREAD */
+#endif	/* USE_KQUEUE */
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+cleanup_watcher(isc_mem_t *mctx, isc__socketmgr_t *manager) {
+#ifdef USE_WATCHER_THREAD
+	isc_result_t result;
+
+	result = unwatch_fd(manager, manager->pipe_fds[0], SELECT_POKE_READ);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "epoll_ctl(DEL) %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+	}
+#endif	/* USE_WATCHER_THREAD */
+
+#ifdef USE_KQUEUE
+	close(manager->kqueue_fd);
+	isc_mem_put(mctx, manager->events,
+		    sizeof(struct kevent) * manager->nevents);
+#elif defined(USE_EPOLL)
+	close(manager->epoll_fd);
+	isc_mem_put(mctx, manager->events,
+		    sizeof(struct epoll_event) * manager->nevents);
+#elif defined(USE_DEVPOLL)
+	close(manager->devpoll_fd);
+	isc_mem_put(mctx, manager->events,
+		    sizeof(struct pollfd) * manager->nevents);
+	isc_mem_put(mctx, manager->fdpollinfo,
+		    sizeof(pollinfo_t) * manager->maxsocks);
+#elif defined(USE_SELECT)
+	if (manager->read_fds != NULL)
+		isc_mem_put(mctx, manager->read_fds, manager->fd_bufsize);
+	if (manager->read_fds_copy != NULL)
+		isc_mem_put(mctx, manager->read_fds_copy, manager->fd_bufsize);
+	if (manager->write_fds != NULL)
+		isc_mem_put(mctx, manager->write_fds, manager->fd_bufsize);
+	if (manager->write_fds_copy != NULL)
+		isc_mem_put(mctx, manager->write_fds_copy, manager->fd_bufsize);
+#endif	/* USE_KQUEUE */
+}
+
+isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	return (isc__socketmgr_create2(mctx, managerp, 0));
+}
+
+isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks)
+{
+	int i;
+	isc__socketmgr_t *manager;
+#ifdef USE_WATCHER_THREAD
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+	isc_result_t result;
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifdef USE_SHARED_MANAGER
+	if (socketmgr != NULL) {
+		/* Don't allow maxsocks to be updated */
+		if (maxsocks > 0 && socketmgr->maxsocks != maxsocks)
+			return (ISC_R_EXISTS);
+
+		socketmgr->refs++;
+		*managerp = (isc_socketmgr_t *)socketmgr;
+		return (ISC_R_SUCCESS);
+	}
+#endif /* USE_SHARED_MANAGER */
+
+	if (maxsocks == 0)
+		maxsocks = ISC_SOCKET_MAXSOCKETS;
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	if (manager == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/* zero-clear so that necessary cleanup on failure will be easy */
+	memset(manager, 0, sizeof(*manager));
+	manager->maxsocks = maxsocks;
+	manager->reserved = 0;
+	manager->maxudp = 0;
+	manager->fds = isc_mem_get(mctx,
+				   manager->maxsocks * sizeof(isc__socket_t *));
+	if (manager->fds == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto free_manager;
+	}
+	manager->fdstate = isc_mem_get(mctx, manager->maxsocks * sizeof(int));
+	if (manager->fdstate == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto free_manager;
+	}
+#if defined(USE_EPOLL)
+	manager->epoll_events = isc_mem_get(mctx, (manager->maxsocks *
+						   sizeof(uint32_t)));
+	if (manager->epoll_events == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto free_manager;
+	}
+	memset(manager->epoll_events, 0, manager->maxsocks * sizeof(uint32_t));
+#endif
+	manager->stats = NULL;
+
+	manager->common.methods = &socketmgrmethods;
+	manager->common.magic = ISCAPI_SOCKETMGR_MAGIC;
+	manager->common.impmagic = SOCKET_MANAGER_MAGIC;
+	manager->mctx = NULL;
+	memset(manager->fds, 0, manager->maxsocks * sizeof(isc_socket_t *));
+	ISC_LIST_INIT(manager->socklist);
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS)
+		goto free_manager;
+	manager->fdlock = isc_mem_get(mctx, FDLOCK_COUNT * sizeof(isc_mutex_t));
+	if (manager->fdlock == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_lock;
+	}
+	for (i = 0; i < FDLOCK_COUNT; i++) {
+		result = isc_mutex_init(&manager->fdlock[i]);
+		if (result != ISC_R_SUCCESS) {
+			while (--i >= 0)
+				DESTROYLOCK(&manager->fdlock[i]);
+			isc_mem_put(mctx, manager->fdlock,
+				    FDLOCK_COUNT * sizeof(isc_mutex_t));
+			manager->fdlock = NULL;
+			goto cleanup_lock;
+		}
+	}
+
+#ifdef USE_WATCHER_THREAD
+	if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_lock;
+	}
+
+	/*
+	 * Create the special fds that will be used to wake up the
+	 * select/poll loop when something internal needs to be done.
+	 */
+	if (pipe(manager->pipe_fds) != 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "pipe() %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup_condition;
+	}
+
+	RUNTIME_CHECK(make_nonblock(manager->pipe_fds[0]) == ISC_R_SUCCESS);
+#if 0
+	RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
+#endif
+#endif	/* USE_WATCHER_THREAD */
+
+#ifdef USE_SHARED_MANAGER
+	manager->refs = 1;
+#endif /* USE_SHARED_MANAGER */
+
+	/*
+	 * Set up initial state for the select loop
+	 */
+	result = setup_watcher(mctx, manager);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	memset(manager->fdstate, 0, manager->maxsocks * sizeof(int));
+
+#ifdef USE_WATCHER_THREAD
+	/*
+	 * Start up the select/poll thread.
+	 */
+	if (isc_thread_create(watcher, manager, &manager->watcher) !=
+	    ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_thread_create() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		cleanup_watcher(mctx, manager);
+		result = ISC_R_UNEXPECTED;
+		goto cleanup;
+	}
+	isc_thread_setname(manager->watcher, "isc-socket");
+#endif /* USE_WATCHER_THREAD */
+	isc_mem_attach(mctx, &manager->mctx);
+
+#ifdef USE_SHARED_MANAGER
+	socketmgr = manager;
+#endif /* USE_SHARED_MANAGER */
+	*managerp = (isc_socketmgr_t *)manager;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+#ifdef USE_WATCHER_THREAD
+	(void)close(manager->pipe_fds[0]);
+	(void)close(manager->pipe_fds[1]);
+#endif	/* USE_WATCHER_THREAD */
+
+#ifdef USE_WATCHER_THREAD
+cleanup_condition:
+	(void)isc_condition_destroy(&manager->shutdown_ok);
+#endif	/* USE_WATCHER_THREAD */
+
+
+cleanup_lock:
+	if (manager->fdlock != NULL) {
+		for (i = 0; i < FDLOCK_COUNT; i++)
+			DESTROYLOCK(&manager->fdlock[i]);
+	}
+	DESTROYLOCK(&manager->lock);
+
+free_manager:
+	if (manager->fdlock != NULL) {
+		isc_mem_put(mctx, manager->fdlock,
+			    FDLOCK_COUNT * sizeof(isc_mutex_t));
+	}
+#if defined(USE_EPOLL)
+	if (manager->epoll_events != NULL) {
+		isc_mem_put(mctx, manager->epoll_events,
+			    manager->maxsocks * sizeof(uint32_t));
+	}
+#endif
+	if (manager->fdstate != NULL) {
+		isc_mem_put(mctx, manager->fdstate,
+			    manager->maxsocks * sizeof(int));
+	}
+	if (manager->fds != NULL) {
+		isc_mem_put(mctx, manager->fds,
+			    manager->maxsocks * sizeof(isc_socket_t *));
+	}
+	isc_mem_put(mctx, manager, sizeof(*manager));
+
+	return (result);
+}
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager0, unsigned int *nsockp) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(nsockp != NULL);
+
+	*nsockp = manager->maxsocks;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager0, isc_stats_t *stats) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
+	REQUIRE(manager->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &manager->stats);
+}
+
+void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
+	isc__socketmgr_t *manager;
+	int i;
+	isc_mem_t *mctx;
+
+	/*
+	 * Destroy a socket manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = (isc__socketmgr_t *)*managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+#ifdef USE_SHARED_MANAGER
+	manager->refs--;
+	if (manager->refs > 0) {
+		*managerp = NULL;
+		return;
+	}
+	socketmgr = NULL;
+#endif /* USE_SHARED_MANAGER */
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Wait for all sockets to be destroyed.
+	 */
+	while (!ISC_LIST_EMPTY(manager->socklist)) {
+#ifdef USE_WATCHER_THREAD
+		manager_log(manager, CREATION, "%s",
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_SOCKETSREMAIN,
+					   "sockets exist"));
+		WAIT(&manager->shutdown_ok, &manager->lock);
+#else /* USE_WATCHER_THREAD */
+		UNLOCK(&manager->lock);
+		isc__taskmgr_dispatch(NULL);
+		LOCK(&manager->lock);
+#endif /* USE_WATCHER_THREAD */
+	}
+
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Here, poke our select/poll thread.  Do this by closing the write
+	 * half of the pipe, which will send EOF to the read half.
+	 * This is currently a no-op in the non-threaded case.
+	 */
+	select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
+
+#ifdef USE_WATCHER_THREAD
+	/*
+	 * Wait for thread to exit.
+	 */
+	if (isc_thread_join(manager->watcher, NULL) != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_thread_join() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+#endif /* USE_WATCHER_THREAD */
+
+	/*
+	 * Clean up.
+	 */
+	cleanup_watcher(manager->mctx, manager);
+
+#ifdef USE_WATCHER_THREAD
+	(void)close(manager->pipe_fds[0]);
+	(void)close(manager->pipe_fds[1]);
+	(void)isc_condition_destroy(&manager->shutdown_ok);
+#endif /* USE_WATCHER_THREAD */
+
+	for (i = 0; i < (int)manager->maxsocks; i++)
+		if (manager->fdstate[i] == CLOSE_PENDING) /* no need to lock */
+			(void)close(i);
+
+#if defined(USE_EPOLL)
+	isc_mem_put(manager->mctx, manager->epoll_events,
+		    manager->maxsocks * sizeof(uint32_t));
+#endif
+	isc_mem_put(manager->mctx, manager->fds,
+		    manager->maxsocks * sizeof(isc__socket_t *));
+	isc_mem_put(manager->mctx, manager->fdstate,
+		    manager->maxsocks * sizeof(int));
+
+	if (manager->stats != NULL)
+		isc_stats_detach(&manager->stats);
+
+	if (manager->fdlock != NULL) {
+		for (i = 0; i < FDLOCK_COUNT; i++)
+			DESTROYLOCK(&manager->fdlock[i]);
+		isc_mem_put(manager->mctx, manager->fdlock,
+			    FDLOCK_COUNT * sizeof(isc_mutex_t));
+	}
+	DESTROYLOCK(&manager->lock);
+	manager->common.magic = 0;
+	manager->common.impmagic = 0;
+	mctx= manager->mctx;
+	isc_mem_put(mctx, manager, sizeof(*manager));
+
+	isc_mem_detach(&mctx);
+
+	*managerp = NULL;
+
+#ifdef USE_SHARED_MANAGER
+	socketmgr = NULL;
+#endif
+}
+
+static isc_result_t
+socket_recv(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    unsigned int flags)
+{
+	int io_state;
+	bool have_lock = false;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	if (sock->type == isc_sockettype_udp) {
+		io_state = doio_recv(sock, dev);
+	} else {
+		LOCK(&sock->lock);
+		have_lock = true;
+
+		if (ISC_LIST_EMPTY(sock->recv_list))
+			io_state = doio_recv(sock, dev);
+		else
+			io_state = DOIO_SOFT;
+	}
+
+	switch (io_state) {
+	case DOIO_SOFT:
+		/*
+		 * We couldn't read all or part of the request right now, so
+		 * queue it.
+		 *
+		 * Attach to socket and to task
+		 */
+		isc_task_attach(task, &ntask);
+		dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+		if (!have_lock) {
+			LOCK(&sock->lock);
+			have_lock = true;
+		}
+
+		/*
+		 * Enqueue the request.  If the socket was previously not being
+		 * watched, poke the watcher to start paying attention to it.
+		 */
+		if (ISC_LIST_EMPTY(sock->recv_list) && !sock->pending_recv)
+			select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+		ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
+
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "socket_recv: event %p -> task %p",
+			   dev, ntask);
+
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+			result = ISC_R_INPROGRESS;
+		break;
+
+	case DOIO_EOF:
+		dev->result = ISC_R_EOF;
+		/* fallthrough */
+
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
+			send_recvdone_event(sock, &dev);
+		break;
+	}
+
+	if (have_lock)
+		UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_recvv(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_taskaction_t action, void *arg)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socketevent_t *dev;
+	isc__socketmgr_t *manager;
+	unsigned int iocount;
+	isc_buffer_t *buffer;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(buflist != NULL);
+	REQUIRE(!ISC_LIST_EMPTY(*buflist));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	iocount = isc_bufferlist_availablecount(buflist);
+	REQUIRE(iocount > 0);
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_RECVDONE, action, arg);
+	if (dev == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * UDP sockets are always partial read
+	 */
+	if (sock->type == isc_sockettype_udp)
+		dev->minimum = 1;
+	else {
+		if (minimum == 0)
+			dev->minimum = iocount;
+		else
+			dev->minimum = minimum;
+	}
+
+	/*
+	 * Move each buffer from the passed in list to our internal one.
+	 */
+	buffer = ISC_LIST_HEAD(*buflist);
+	while (buffer != NULL) {
+		ISC_LIST_DEQUEUE(*buflist, buffer, link);
+		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+		buffer = ISC_LIST_HEAD(*buflist);
+	}
+
+	return (socket_recv(sock, dev, task, 0));
+}
+
+isc_result_t
+isc__socket_recv(isc_socket_t *sock0, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, void *arg)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socketevent_t *dev;
+	isc__socketmgr_t *manager;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_RECVDONE, action, arg);
+	if (dev == NULL)
+		return (ISC_R_NOMEMORY);
+
+	return (isc__socket_recv2(sock0, region, minimum, task, dev, 0));
+}
+
+isc_result_t
+isc__socket_recv2(isc_socket_t *sock0, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	event->ev_sender = sock;
+	event->result = ISC_R_UNSET;
+	ISC_LIST_INIT(event->bufferlist);
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	/*
+	 * UDP sockets are always partial read.
+	 */
+	if (sock->type == isc_sockettype_udp)
+		event->minimum = 1;
+	else {
+		if (minimum == 0)
+			event->minimum = region->length;
+		else
+			event->minimum = minimum;
+	}
+
+	return (socket_recv(sock, event, task, flags));
+}
+
+static isc_result_t
+socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+	    unsigned int flags)
+{
+	int io_state;
+	bool have_lock = false;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	set_dev_address(address, sock, dev);
+	if (pktinfo != NULL) {
+		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+		dev->pktinfo = *pktinfo;
+
+		if (!isc_sockaddr_issitelocal(&dev->address) &&
+		    !isc_sockaddr_islinklocal(&dev->address)) {
+			socket_log(sock, NULL, TRACE, isc_msgcat,
+				   ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
+				   "pktinfo structure provided, ifindex %u "
+				   "(set to 0)", pktinfo->ipi6_ifindex);
+
+			/*
+			 * Set the pktinfo index to 0 here, to let the
+			 * kernel decide what interface it should send on.
+			 */
+			dev->pktinfo.ipi6_ifindex = 0;
+		}
+	}
+
+	if (sock->type == isc_sockettype_udp)
+		io_state = doio_send(sock, dev);
+	else {
+		LOCK(&sock->lock);
+		have_lock = true;
+
+		if (ISC_LIST_EMPTY(sock->send_list))
+			io_state = doio_send(sock, dev);
+		else
+			io_state = DOIO_SOFT;
+	}
+
+	switch (io_state) {
+	case DOIO_SOFT:
+		/*
+		 * We couldn't send all or part of the request right now, so
+		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
+		 */
+		if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
+			isc_task_attach(task, &ntask);
+			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+			if (!have_lock) {
+				LOCK(&sock->lock);
+				have_lock = true;
+			}
+
+			/*
+			 * Enqueue the request.  If the socket was previously
+			 * not being watched, poke the watcher to start
+			 * paying attention to it.
+			 */
+			if (ISC_LIST_EMPTY(sock->send_list) &&
+			    !sock->pending_send)
+				select_poke(sock->manager, sock->fd,
+					    SELECT_POKE_WRITE);
+			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+
+			socket_log(sock, NULL, EVENT, NULL, 0, 0,
+				   "socket_send: event %p -> task %p",
+				   dev, ntask);
+
+			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+				result = ISC_R_INPROGRESS;
+			break;
+		}
+
+		/* FALLTHROUGH */
+
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
+			send_senddone_event(sock, &dev);
+		break;
+	}
+
+	if (have_lock)
+		UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	/*
+	 * REQUIRE() checking is performed in isc_socket_sendto().
+	 */
+	return (isc__socket_sendto(sock, region, task, action, arg, NULL,
+				   NULL));
+}
+
+isc_result_t
+isc__socket_sendto(isc_socket_t *sock0, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socketevent_t *dev;
+	isc__socketmgr_t *manager;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(region != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_SENDDONE, action, arg);
+	if (dev == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dev->region = *region;
+
+	return (socket_send(sock, dev, task, address, pktinfo, 0));
+}
+
+isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	return (isc__socket_sendtov2(sock, buflist, task, action, arg, NULL,
+				     NULL, 0));
+}
+
+isc_result_t
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	return (isc__socket_sendtov2(sock, buflist, task, action, arg, address,
+				     pktinfo, 0));
+}
+
+isc_result_t
+isc__socket_sendtov2(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		     unsigned int flags)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socketevent_t *dev;
+	isc__socketmgr_t *manager;
+	unsigned int iocount;
+	isc_buffer_t *buffer;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(buflist != NULL);
+	REQUIRE(!ISC_LIST_EMPTY(*buflist));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	iocount = isc_bufferlist_usedcount(buflist);
+	REQUIRE(iocount > 0);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_SENDDONE, action, arg);
+	if (dev == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * Move each buffer from the passed in list to our internal one.
+	 */
+	buffer = ISC_LIST_HEAD(*buflist);
+	while (buffer != NULL) {
+		ISC_LIST_DEQUEUE(*buflist, buffer, link);
+		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+		buffer = ISC_LIST_HEAD(*buflist);
+	}
+
+	return (socket_send(sock, dev, task, address, pktinfo, flags));
+}
+
+isc_result_t
+isc__socket_sendto2(isc_socket_t *sock0, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
+	if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
+		REQUIRE(sock->type == isc_sockettype_udp);
+	event->ev_sender = sock;
+	event->result = ISC_R_UNSET;
+	ISC_LIST_INIT(event->bufferlist);
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes &= ~ISC_SOCKEVENTATTR_ATTACHED;
+
+	return (socket_send(sock, event, task, address, pktinfo, flags));
+}
+
+void
+isc__socket_cleanunix(isc_sockaddr_t *sockaddr, bool active) {
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	int s;
+	struct stat sb;
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (sockaddr->type.sa.sa_family != AF_UNIX)
+		return;
+
+#ifndef S_ISSOCK
+#if defined(S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & S_IFMT)==S_IFSOCK)
+#elif defined(_S_IFMT) && defined(S_IFSOCK)
+#define S_ISSOCK(mode) ((mode & _S_IFMT)==S_IFSOCK)
+#endif
+#endif
+
+#ifndef S_ISFIFO
+#if defined(S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & S_IFMT)==S_IFIFO)
+#elif defined(_S_IFMT) && defined(S_IFIFO)
+#define S_ISFIFO(mode) ((mode & _S_IFMT)==S_IFIFO)
+#endif
+#endif
+
+#if !defined(S_ISFIFO) && !defined(S_ISSOCK)
+#error You need to define S_ISFIFO and S_ISSOCK as appropriate for your platform.  See <sys/stat.h>.
+#endif
+
+#ifndef S_ISFIFO
+#define S_ISFIFO(mode) 0
+#endif
+
+#ifndef S_ISSOCK
+#define S_ISSOCK(mode) 0
+#endif
+
+	if (active) {
+		if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: stat(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			return;
+		}
+		if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: %s: not a socket",
+				      sockaddr->type.sunix.sun_path);
+			return;
+		}
+		if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				      "isc_socket_cleanunix: unlink(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+		}
+		return;
+	}
+
+	s = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (s < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+			      "isc_socket_cleanunix: socket(%s): %s",
+			      sockaddr->type.sunix.sun_path, strbuf);
+		return;
+	}
+
+	if (stat(sockaddr->type.sunix.sun_path, &sb) < 0) {
+		switch (errno) {
+		case ENOENT:    /* We exited cleanly last time */
+			break;
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: stat(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			break;
+		}
+		goto cleanup;
+	}
+
+	if (!(S_ISSOCK(sb.st_mode) || S_ISFIFO(sb.st_mode))) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+			      "isc_socket_cleanunix: %s: not a socket",
+			      sockaddr->type.sunix.sun_path);
+		goto cleanup;
+	}
+
+	if (connect(s, (struct sockaddr *)&sockaddr->type.sunix,
+		    sizeof(sockaddr->type.sunix)) < 0) {
+		switch (errno) {
+		case ECONNREFUSED:
+		case ECONNRESET:
+			if (unlink(sockaddr->type.sunix.sun_path) < 0) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+					      ISC_LOGMODULE_SOCKET,
+					      ISC_LOG_WARNING,
+					      "isc_socket_cleanunix: "
+					      "unlink(%s): %s",
+					      sockaddr->type.sunix.sun_path,
+					      strbuf);
+			}
+			break;
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_WARNING,
+				      "isc_socket_cleanunix: connect(%s): %s",
+				      sockaddr->type.sunix.sun_path, strbuf);
+			break;
+		}
+	}
+ cleanup:
+	close(s);
+#else
+	UNUSED(sockaddr);
+	UNUSED(active);
+#endif
+}
+
+isc_result_t
+isc__socket_permunix(isc_sockaddr_t *sockaddr, uint32_t perm,
+		    uint32_t owner, uint32_t group)
+{
+#ifdef ISC_PLATFORM_HAVESYSUNH
+	isc_result_t result = ISC_R_SUCCESS;
+	char strbuf[ISC_STRERRORSIZE];
+	char path[sizeof(sockaddr->type.sunix.sun_path)];
+#ifdef NEED_SECURE_DIRECTORY
+	char *slash;
+#endif
+
+	REQUIRE(sockaddr->type.sa.sa_family == AF_UNIX);
+	INSIST(strlen(sockaddr->type.sunix.sun_path) < sizeof(path));
+	strlcpy(path, sockaddr->type.sunix.sun_path, sizeof(path));
+
+#ifdef NEED_SECURE_DIRECTORY
+	slash = strrchr(path, '/');
+	if (slash != NULL) {
+		if (slash != path) {
+			*slash = '\0';
+		} else {
+			strlcpy(path, "/", sizeof(path));
+		}
+	} else {
+		strlcpy(path, ".", sizeof(path));
+	}
+#endif
+
+	if (chmod(path, perm) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chmod(%s, %d): %s",
+			      path, perm, strbuf);
+		result = ISC_R_FAILURE;
+	}
+	if (chown(path, owner, group) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+			      "isc_socket_permunix: chown(%s, %d, %d): %s",
+			      path, owner, group,
+			      strbuf);
+		result = ISC_R_FAILURE;
+	}
+	return (result);
+#else
+	UNUSED(sockaddr);
+	UNUSED(perm);
+	UNUSED(owner);
+	UNUSED(group);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+isc__socket_bind(isc_socket_t *sock0, isc_sockaddr_t *sockaddr,
+		 unsigned int options) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	char strbuf[ISC_STRERRORSIZE];
+	int on = 1;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	INSIST(!sock->bound);
+	INSIST(!sock->dupped);
+
+	if (sock->pf != sockaddr->type.sa.sa_family) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAMILYMISMATCH);
+	}
+
+	/*
+	 * Only set SO_REUSEADDR when we want a specific port.
+	 */
+#ifdef AF_UNIX
+	if (sock->pf == AF_UNIX)
+		goto bind_socket;
+#endif
+	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
+	    isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
+	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+		       sizeof(on)) < 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d) %s", sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		/* Press on... */
+	}
+#ifdef AF_UNIX
+ bind_socket:
+#endif
+	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_BINDFAIL]);
+
+		UNLOCK(&sock->lock);
+		switch (errno) {
+		case EACCES:
+			return (ISC_R_NOPERM);
+		case EADDRNOTAVAIL:
+			return (ISC_R_ADDRNOTAVAIL);
+		case EADDRINUSE:
+			return (ISC_R_ADDRINUSE);
+		case EINVAL:
+			return (ISC_R_BOUND);
+		default:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	socket_log(sock, sockaddr, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "bound");
+	sock->bound = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Enable this only for specific OS versions, and only when they have repaired
+ * their problems with it.  Until then, this is is broken and needs to be
+ * diabled by default.  See RT22589 for details.
+ */
+#undef ENABLE_ACCEPTFILTER
+
+isc_result_t
+isc__socket_filter(isc_socket_t *sock0, const char *filter) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
+	char strbuf[ISC_STRERRORSIZE];
+	struct accept_filter_arg afa;
+#else
+	UNUSED(sock);
+	UNUSED(filter);
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
+	bzero(&afa, sizeof(afa));
+	strlcpy(afa.af_name, filter, sizeof(afa.af_name));
+	if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
+			 &afa, sizeof(afa)) == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+			   ISC_MSG_FILTER, "setsockopt(SO_ACCEPTFILTER): %s",
+			   strbuf);
+		return (ISC_R_FAILURE);
+	}
+	return (ISC_R_SUCCESS);
+#else
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+/*
+ * Try enabling TCP Fast Open for a given socket if the OS supports it.
+ */
+static void
+set_tcp_fastopen(isc__socket_t *sock, unsigned int backlog) {
+#if defined(ISC_PLATFORM_HAVETFO) && defined(TCP_FASTOPEN)
+	char strbuf[ISC_STRERRORSIZE];
+
+/*
+ * FreeBSD, as of versions 10.3 and 11.0, defines TCP_FASTOPEN while also
+ * shipping a default kernel without TFO support, so we special-case it by
+ * performing an additional runtime check for TFO support using sysctl to
+ * prevent setsockopt() errors from being logged.
+ */
+#if defined(__FreeBSD__) && defined(HAVE_SYSCTLBYNAME)
+#define SYSCTL_TFO "net.inet.tcp.fastopen.enabled"
+	unsigned int enabled;
+	size_t enabledlen = sizeof(enabled);
+	static bool tfo_notice_logged = false;
+
+	if (sysctlbyname(SYSCTL_TFO, &enabled, &enabledlen, NULL, 0) < 0) {
+		/*
+		 * This kernel does not support TCP Fast Open.  There is
+		 * nothing more we can do.
+		 */
+		return;
+	} else if (enabled == 0) {
+		/*
+		 * This kernel does support TCP Fast Open, but it is disabled
+		 * by sysctl.  Notify the user, but do not nag.
+		 */
+		if (!tfo_notice_logged) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_SOCKET, ISC_LOG_NOTICE,
+				      "TCP_FASTOPEN support is disabled by "
+				      "sysctl (" SYSCTL_TFO " = 0)");
+			tfo_notice_logged = true;
+		}
+		return;
+	}
+#endif
+
+#ifdef __APPLE__
+	backlog = 1;
+#else
+	backlog = backlog / 2;
+	if (backlog == 0)
+		backlog = 1;
+#endif
+	if (setsockopt(sock->fd, IPPROTO_TCP, TCP_FASTOPEN,
+		       (void *)&backlog, sizeof(backlog)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, TCP_FASTOPEN) failed with %s",
+				 sock->fd, strbuf);
+		/* TCP_FASTOPEN is experimental so ignore failures */
+	}
+#else
+	UNUSED(sock);
+	UNUSED(backlog);
+#endif
+}
+
+/*
+ * Set up to listen on a given socket.  We do this by creating an internal
+ * event that will be dispatched when the socket has read activity.  The
+ * watcher will send the internal event to the task when there is a new
+ * connection.
+ *
+ * Unlike in read, we don't preallocate a done event here.  Every time there
+ * is a new connection we'll have to allocate a new one anyway, so we might
+ * as well keep things simple rather than having to track them.
+ */
+isc_result_t
+isc__socket_listen(isc_socket_t *sock0, unsigned int backlog) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(!sock->listener);
+	REQUIRE(sock->bound);
+	REQUIRE(sock->type == isc_sockettype_tcp ||
+		sock->type == isc_sockettype_unix);
+
+	if (backlog == 0)
+		backlog = SOMAXCONN;
+
+	if (listen(sock->fd, (int)backlog) < 0) {
+		UNLOCK(&sock->lock);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	set_tcp_fastopen(sock, backlog);
+
+	sock->listener = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This should try to do aggressive accept() XXXMLG
+ */
+isc_result_t
+isc__socket_accept(isc_socket_t *sock0,
+		  isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socket_newconnev_t *dev;
+	isc__socketmgr_t *manager;
+	isc_task_t *ntask = NULL;
+	isc__socket_t *nsock;
+	isc_result_t result;
+	bool do_poke = false;
+
+	REQUIRE(VALID_SOCKET(sock));
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&sock->lock);
+
+	REQUIRE(sock->listener);
+
+	/*
+	 * Sender field is overloaded here with the task we will be sending
+	 * this event to.  Just before the actual event is delivered the
+	 * actual ev_sender will be touched up to be the socket.
+	 */
+	dev = (isc_socket_newconnev_t *)
+		isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
+				   action, arg, sizeof(*dev));
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	ISC_LINK_INIT(dev, ev_link);
+
+	result = allocate_socket(manager, sock->type, &nsock);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		UNLOCK(&sock->lock);
+		return (result);
+	}
+
+	/*
+	 * Attach to socket and to task.
+	 */
+	isc_task_attach(task, &ntask);
+	if (isc_task_exiting(ntask)) {
+		free_socket(&nsock);
+		isc_task_detach(&ntask);
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		UNLOCK(&sock->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	nsock->references++;
+	nsock->statsindex = sock->statsindex;
+
+	dev->ev_sender = ntask;
+	dev->newsocket = (isc_socket_t *)nsock;
+
+	/*
+	 * Poke watcher here.  We still have the socket locked, so there
+	 * is no race condition.  We will keep the lock for such a short
+	 * bit of time waking it up now or later won't matter all that much.
+	 */
+	if (ISC_LIST_EMPTY(sock->accept_list))
+		do_poke = true;
+
+	ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
+
+	if (do_poke)
+		select_poke(manager, sock->fd, SELECT_POKE_ACCEPT);
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__socket_connect(isc_socket_t *sock0, isc_sockaddr_t *addr,
+		   isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_socket_connev_t *dev;
+	isc_task_t *ntask = NULL;
+	isc__socketmgr_t *manager;
+	int cc;
+	char strbuf[ISC_STRERRORSIZE];
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(addr != NULL);
+
+	if (isc_sockaddr_ismulticast(addr))
+		return (ISC_R_MULTICAST);
+
+	LOCK(&sock->lock);
+
+	dev = (isc_socket_connev_t *)isc_event_allocate(manager->mctx, sock,
+							ISC_SOCKEVENT_CONNECT,
+							action,	arg,
+							sizeof(*dev));
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	ISC_LINK_INIT(dev, ev_link);
+
+	if (sock->connecting) {
+		INSIST(isc_sockaddr_equal(&sock->peer_address, addr));
+		goto queue;
+	}
+
+	if (sock->connected) {
+		INSIST(isc_sockaddr_equal(&sock->peer_address, addr));
+		dev->result = ISC_R_SUCCESS;
+		isc_task_send(task, ISC_EVENT_PTR(&dev));
+
+		UNLOCK(&sock->lock);
+
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Try to do the connect right away, as there can be only one
+	 * outstanding, and it might happen to complete.
+	 */
+	sock->peer_address = *addr;
+	cc = connect(sock->fd, &addr->type.sa, addr->length);
+	if (cc < 0) {
+		/*
+		 * HP-UX "fails" to connect a UDP socket and sets errno to
+		 * EINPROGRESS if it's non-blocking.  We'd rather regard this as
+		 * a success and let the user detect it if it's really an error
+		 * at the time of sending a packet on the socket.
+		 */
+		if (sock->type == isc_sockettype_udp && errno == EINPROGRESS) {
+			cc = 0;
+			goto success;
+		}
+		if (SOFT_ERROR(errno) || errno == EINPROGRESS)
+			goto queue;
+
+		switch (errno) {
+#define ERROR_MATCH(a, b) case a: dev->result = b; goto err_exit;
+			ERROR_MATCH(EACCES, ISC_R_NOPERM);
+			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
+#undef ERROR_MATCH
+		}
+
+		sock->connected = 0;
+
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "connect(%s) %d/%s",
+				 addrbuf, errno, strbuf);
+
+		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+		isc_event_free(ISC_EVENT_PTR(&dev));
+		return (ISC_R_UNEXPECTED);
+
+	err_exit:
+		sock->connected = 0;
+		isc_task_send(task, ISC_EVENT_PTR(&dev));
+
+		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If connect completed, fire off the done event.
+	 */
+ success:
+	if (cc == 0) {
+		sock->connected = 1;
+		sock->bound = 1;
+		dev->result = ISC_R_SUCCESS;
+		isc_task_send(task, ISC_EVENT_PTR(&dev));
+
+		UNLOCK(&sock->lock);
+
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
+
+		return (ISC_R_SUCCESS);
+	}
+
+ queue:
+
+	/*
+	 * Attach to task.
+	 */
+	isc_task_attach(task, &ntask);
+
+	dev->ev_sender = ntask;
+
+	/*
+	 * Poke watcher here.  We still have the socket locked, so there
+	 * is no race condition.  We will keep the lock for such a short
+	 * bit of time waking it up now or later won't matter all that much.
+	 */
+	if (ISC_LIST_EMPTY(sock->connect_list) && !sock->connecting)
+		select_poke(manager, sock->fd, SELECT_POKE_CONNECT);
+
+	sock->connecting = 1;
+
+	ISC_LIST_ENQUEUE(sock->connect_list, dev, ev_link);
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Called when a socket with a pending connect() finishes.
+ */
+static void
+internal_connect(isc_task_t *me, isc_event_t *ev) {
+	isc__socket_t *sock;
+	isc_socket_connev_t *dev;
+	int cc;
+	isc_result_t result;
+	ISC_SOCKADDR_LEN_T optlen;
+	char strbuf[ISC_STRERRORSIZE];
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+
+	UNUSED(me);
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+	sock = ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	/*
+	 * When the internal event was sent the reference count was bumped
+	 * to keep the socket around for us.  Decrement the count here.
+	 */
+	INSIST(sock->references > 0);
+	sock->references--;
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	/*
+	 * Get the first item off the connect list.
+	 * If it is empty, unlock the socket and return.
+	 */
+	dev = ISC_LIST_HEAD(sock->connect_list);
+	if (dev == NULL) {
+		INSIST(!sock->connecting);
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	INSIST(sock->connecting);
+	sock->connecting = 0;
+
+	/*
+	 * Get any possible error status here.
+	 */
+	optlen = sizeof(cc);
+	if (getsockopt(sock->fd, SOL_SOCKET, SO_ERROR,
+		       (void *)&cc, (void *)&optlen) != 0)
+		cc = errno;
+	else
+		errno = cc;
+
+	if (errno != 0) {
+		/*
+		 * If the error is EAGAIN, just re-select on this
+		 * fd and pretend nothing strange happened.
+		 */
+		if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
+			sock->connecting = 1;
+			select_poke(sock->manager, sock->fd,
+				    SELECT_POKE_CONNECT);
+			UNLOCK(&sock->lock);
+
+			return;
+		}
+
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+
+		/*
+		 * Translate other errors into ISC_R_* flavors.
+		 */
+		switch (errno) {
+#define ERROR_MATCH(a, b) case a: result = b; break;
+			ERROR_MATCH(EACCES, ISC_R_NOPERM);
+			ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+			ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+			ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+			ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
+			ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
+#undef ERROR_MATCH
+		default:
+			result = ISC_R_UNEXPECTED;
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_connect: connect(%s) %s",
+					 peerbuf, strbuf);
+		}
+	} else {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
+		result = ISC_R_SUCCESS;
+		sock->connected = 1;
+		sock->bound = 1;
+	}
+
+	do {
+		dev->result = result;
+		send_connectdone_event(sock, &dev);
+		dev = ISC_LIST_HEAD(sock->connect_list);
+	} while (dev != NULL);
+
+	UNLOCK(&sock->lock);
+}
+
+isc_result_t
+isc__socket_getpeername(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	isc_result_t result;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+
+	if (sock->connected) {
+		*addressp = sock->peer_address;
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOTCONNECTED;
+	}
+
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_getsockname(isc_socket_t *sock0, isc_sockaddr_t *addressp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	ISC_SOCKADDR_LEN_T len;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+
+	if (!sock->bound) {
+		result = ISC_R_NOTBOUND;
+		goto out;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	len = sizeof(addressp->type);
+	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto out;
+	}
+	addressp->length = (unsigned int)len;
+
+ out:
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+/*
+ * Run through the list of events on this socket, and cancel the ones
+ * queued for task "task" of type "how".  "how" is a bitmask.
+ */
+void
+isc__socket_cancel(isc_socket_t *sock0, isc_task_t *task, unsigned int how) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	/*
+	 * Quick exit if there is nothing to do.  Don't even bother locking
+	 * in this case.
+	 */
+	if (how == 0)
+		return;
+
+	LOCK(&sock->lock);
+
+	/*
+	 * All of these do the same thing, more or less.
+	 * Each will:
+	 *	o If the internal event is marked as "posted" try to
+	 *	  remove it from the task's queue.  If this fails, mark it
+	 *	  as canceled instead, and let the task clean it up later.
+	 *	o For each I/O request for that task of that type, post
+	 *	  its done event with status of "ISC_R_CANCELED".
+	 *	o Reset any state needed.
+	 */
+	if (((how & ISC_SOCKCANCEL_RECV) == ISC_SOCKCANCEL_RECV)
+	    && !ISC_LIST_EMPTY(sock->recv_list)) {
+		isc_socketevent_t      *dev;
+		isc_socketevent_t      *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_recvdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_SEND) == ISC_SOCKCANCEL_SEND)
+	    && !ISC_LIST_EMPTY(sock->send_list)) {
+		isc_socketevent_t      *dev;
+		isc_socketevent_t      *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_senddone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_ACCEPT) == ISC_SOCKCANCEL_ACCEPT)
+	    && !ISC_LIST_EMPTY(sock->accept_list)) {
+		isc_socket_newconnev_t *dev;
+		isc_socket_newconnev_t *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->accept_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+
+				ISC_LIST_UNLINK(sock->accept_list, dev,
+						ev_link);
+
+				NEWCONNSOCK(dev)->references--;
+				free_socket((isc__socket_t **)&dev->newsocket);
+
+				dev->result = ISC_R_CANCELED;
+				dev->ev_sender = sock;
+				isc_task_sendanddetach(&current_task,
+						       ISC_EVENT_PTR(&dev));
+			}
+
+			dev = next;
+		}
+	}
+
+	if (((how & ISC_SOCKCANCEL_CONNECT) == ISC_SOCKCANCEL_CONNECT)
+	    && !ISC_LIST_EMPTY(sock->connect_list)) {
+		isc_socket_connev_t    *dev;
+		isc_socket_connev_t    *next;
+		isc_task_t	       *current_task;
+
+		INSIST(sock->connecting);
+		sock->connecting = 0;
+
+		dev = ISC_LIST_HEAD(sock->connect_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_connectdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+
+	UNLOCK(&sock->lock);
+}
+
+isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	return (sock->type);
+}
+
+bool
+isc__socket_isbound(isc_socket_t *sock0) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+	bool val;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	val = ((sock->bound) ? true : false);
+	UNLOCK(&sock->lock);
+
+	return (val);
+}
+
+void
+isc__socket_ipv6only(isc_socket_t *sock0, bool yes) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+#if defined(IPV6_V6ONLY)
+	int onoff = yes ? 1 : 0;
+#else
+	UNUSED(yes);
+	UNUSED(sock);
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+	INSIST(!sock->dupped);
+
+#ifdef IPV6_V6ONLY
+	if (sock->pf == AF_INET6) {
+		if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+			       (void *)&onoff, sizeof(int)) < 0) {
+			char strbuf[ISC_STRERRORSIZE];
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_V6ONLY) "
+					 "%s: %s", sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+	}
+	FIX_IPV6_RECVPKTINFO(sock);	/* AIX */
+#endif
+}
+
+static void
+setdscp(isc__socket_t *sock, isc_dscp_t dscp) {
+#if defined(IP_TOS) || defined(IPV6_TCLASS)
+	int value = dscp << 2;
+#endif
+
+	sock->dscp = dscp;
+
+#ifdef IP_TOS
+	if (sock->pf == AF_INET) {
+		if (setsockopt(sock->fd, IPPROTO_IP, IP_TOS,
+			       (void *)&value, sizeof(value)) < 0) {
+			char strbuf[ISC_STRERRORSIZE];
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IP_TOS, %.02x) "
+					 "%s: %s", sock->fd, value >> 2,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+	}
+#endif
+#ifdef IPV6_TCLASS
+	if (sock->pf == AF_INET6) {
+		if (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+			       (void *)&value, sizeof(value)) < 0) {
+			char strbuf[ISC_STRERRORSIZE];
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_TCLASS, %.02x) "
+					 "%s: %s", sock->fd, dscp >> 2,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+	}
+#endif
+}
+
+void
+isc__socket_dscp(isc_socket_t *sock0, isc_dscp_t dscp) {
+	isc__socket_t *sock = (isc__socket_t *)sock0;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(dscp < 0x40);
+
+#if !defined(IP_TOS) && !defined(IPV6_TCLASS)
+	UNUSED(dscp);
+#else
+	if (dscp < 0)
+		return;
+
+	/* The DSCP value must not be changed once it has been set. */
+	if (isc_dscp_check_value != -1)
+		INSIST(dscp == isc_dscp_check_value);
+#endif
+
+
+#ifdef notyet
+	REQUIRE(!sock->dupped);
+#endif
+
+	setdscp(sock, dscp);
+}
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender,
+			isc_eventtype_t eventtype, isc_taskaction_t action,
+			void *arg)
+{
+	return (allocate_socketevent(mctx, sender, eventtype, action, arg));
+}
+
+#ifndef USE_WATCHER_THREAD
+/*
+ * In our assumed scenario, we can simply use a single static object.
+ * XXX: this is not true if the application uses multiple threads with
+ *      'multi-context' mode.  Fixing this is a future TODO item.
+ */
+static isc_socketwait_t swait_private;
+
+int
+isc__socketmgr_waitevents(isc_socketmgr_t *manager0, struct timeval *tvp,
+			  isc_socketwait_t **swaitp)
+{
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+	int n;
+#ifdef USE_KQUEUE
+	struct timespec ts, *tsp;
+#endif
+#ifdef USE_EPOLL
+	int timeout;
+#endif
+#ifdef USE_DEVPOLL
+	isc_result_t result;
+	int pass;
+	struct dvpoll dvp;
+#endif
+
+	REQUIRE(swaitp != NULL && *swaitp == NULL);
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = socketmgr;
+#endif
+	if (manager == NULL)
+		return (0);
+
+#ifdef USE_KQUEUE
+	if (tvp != NULL) {
+		ts.tv_sec = tvp->tv_sec;
+		ts.tv_nsec = tvp->tv_usec * 1000;
+		tsp = &ts;
+	} else
+		tsp = NULL;
+	swait_private.nevents = kevent(manager->kqueue_fd, NULL, 0,
+				       manager->events, manager->nevents,
+				       tsp);
+	n = swait_private.nevents;
+#elif defined(USE_EPOLL)
+	if (tvp != NULL)
+		timeout = tvp->tv_sec * 1000 + (tvp->tv_usec + 999) / 1000;
+	else
+		timeout = -1;
+	swait_private.nevents = epoll_wait(manager->epoll_fd,
+					   manager->events,
+					   manager->nevents, timeout);
+	n = swait_private.nevents;
+#elif defined(USE_DEVPOLL)
+	/*
+	 * Re-probe every thousand calls.
+	 */
+	if (manager->calls++ > 1000U) {
+		result = isc_resource_getcurlimit(isc_resource_openfiles,
+						  &manager->open_max);
+		if (result != ISC_R_SUCCESS)
+			manager->open_max = 64;
+		manager->calls = 0;
+	}
+	for (pass = 0; pass < 2; pass++) {
+		dvp.dp_fds = manager->events;
+		dvp.dp_nfds = manager->nevents;
+		if (dvp.dp_nfds >= manager->open_max)
+			dvp.dp_nfds = manager->open_max - 1;
+		if (tvp != NULL) {
+			dvp.dp_timeout = tvp->tv_sec * 1000 +
+				(tvp->tv_usec + 999) / 1000;
+		} else
+			dvp.dp_timeout = -1;
+		n = ioctl(manager->devpoll_fd, DP_POLL, &dvp);
+		if (n == -1 && errno == EINVAL) {
+			/*
+			 * {OPEN_MAX} may have dropped.  Look
+			 * up the current value and try again.
+			 */
+			result = isc_resource_getcurlimit(
+							isc_resource_openfiles,
+							&manager->open_max);
+			if (result != ISC_R_SUCCESS)
+				manager->open_max = 64;
+		} else
+			break;
+	}
+	swait_private.nevents = n;
+#elif defined(USE_SELECT)
+	memmove(manager->read_fds_copy, manager->read_fds, manager->fd_bufsize);
+	memmove(manager->write_fds_copy, manager->write_fds,
+		manager->fd_bufsize);
+
+	swait_private.readset = manager->read_fds_copy;
+	swait_private.writeset = manager->write_fds_copy;
+	swait_private.maxfd = manager->maxfd + 1;
+
+	n = select(swait_private.maxfd, swait_private.readset,
+		   swait_private.writeset, NULL, tvp);
+#endif
+
+	*swaitp = &swait_private;
+	return (n);
+}
+
+isc_result_t
+isc__socketmgr_dispatch(isc_socketmgr_t *manager0, isc_socketwait_t *swait) {
+	isc__socketmgr_t *manager = (isc__socketmgr_t *)manager0;
+
+	REQUIRE(swait == &swait_private);
+
+#ifdef USE_SHARED_MANAGER
+	if (manager == NULL)
+		manager = socketmgr;
+#endif
+	if (manager == NULL)
+		return (ISC_R_NOTFOUND);
+
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+	(void)process_fds(manager, manager->events, swait->nevents);
+	return (ISC_R_SUCCESS);
+#elif defined(USE_SELECT)
+	process_fds(manager, swait->maxfd, swait->readset, swait->writeset);
+	return (ISC_R_SUCCESS);
+#endif
+}
+#endif /* USE_WATCHER_THREAD */
+
+void
+isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag) {
+	isc__socket_t *sock = (isc__socket_t *)socket0;
+
+	/*
+	 * Name 'sock'.
+	 */
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	strlcpy(sock->name, name, sizeof(sock->name));
+	sock->tag = tag;
+	UNLOCK(&sock->lock);
+}
+
+const char *
+isc__socket_getname(isc_socket_t *socket0) {
+	isc__socket_t *sock = (isc__socket_t *)socket0;
+
+	return (sock->name);
+}
+
+void *
+isc__socket_gettag(isc_socket_t *socket0) {
+	isc__socket_t *sock = (isc__socket_t *)socket0;
+
+	return (sock->tag);
+}
+
+isc_result_t
+isc__socket_register(void) {
+	return (isc_socket_register(isc__socketmgr_create));
+}
+
+int
+isc__socket_getfd(isc_socket_t *socket0) {
+	isc__socket_t *sock = (isc__socket_t *)socket0;
+
+	return ((short) sock->fd);
+}
+
+#if defined(HAVE_LIBXML2) || defined(HAVE_JSON)
+static const char *
+_socktype(isc_sockettype_t type)
+{
+	if (type == isc_sockettype_udp)
+		return ("udp");
+	else if (type == isc_sockettype_tcp)
+		return ("tcp");
+	else if (type == isc_sockettype_unix)
+		return ("unix");
+	else if (type == isc_sockettype_fdwatch)
+		return ("fdwatch");
+	else
+		return ("not-initialized");
+}
+#endif
+
+#ifdef HAVE_LIBXML2
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr0, xmlTextWriterPtr writer) {
+	isc__socketmgr_t *mgr = (isc__socketmgr_t *)mgr0;
+	isc__socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	ISC_SOCKADDR_LEN_T len;
+	int xmlrc;
+
+	LOCK(&mgr->lock);
+
+#ifdef USE_SHARED_MANAGER
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->refs));
+	TRY0(xmlTextWriterEndElement(writer));
+#endif	/* USE_SHARED_MANAGER */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets"));
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		LOCK(&sock->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket"));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", sock));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		if (sock->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+							    sock->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "references"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    sock->references));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterWriteElement(writer, ISC_XMLCHAR "type",
+					  ISC_XMLCHAR _socktype(sock->type)));
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "peer-address",
+						  ISC_XMLCHAR peerbuf));
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "local-address",
+						  ISC_XMLCHAR peerbuf));
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "states"));
+		if (sock->pending_recv)
+			TRY0(xmlTextWriterWriteElement(writer,
+						ISC_XMLCHAR "state",
+						ISC_XMLCHAR "pending-receive"));
+		if (sock->pending_send)
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "pending-send"));
+		if (sock->pending_accept)
+			TRY0(xmlTextWriterWriteElement(writer,
+						 ISC_XMLCHAR "state",
+						 ISC_XMLCHAR "pending_accept"));
+		if (sock->listener)
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "listener"));
+		if (sock->connected)
+			TRY0(xmlTextWriterWriteElement(writer,
+						     ISC_XMLCHAR "state",
+						     ISC_XMLCHAR "connected"));
+		if (sock->connecting)
+			TRY0(xmlTextWriterWriteElement(writer,
+						    ISC_XMLCHAR "state",
+						    ISC_XMLCHAR "connecting"));
+		if (sock->bound)
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "bound"));
+
+		TRY0(xmlTextWriterEndElement(writer)); /* states */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* socket */
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* sockets */
+
+ error:
+	if (sock != NULL)
+		UNLOCK(&sock->lock);
+
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+#define CHECKMEM(m) do { \
+	if (m == NULL) { \
+		result = ISC_R_NOMEMORY;\
+		goto error;\
+	} \
+} while(0)
+
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr0, json_object *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc__socketmgr_t *mgr = (isc__socketmgr_t *)mgr0;
+	isc__socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	ISC_SOCKADDR_LEN_T len;
+	json_object *obj, *array = json_object_new_array();
+
+	CHECKMEM(array);
+
+	LOCK(&mgr->lock);
+
+#ifdef USE_SHARED_MANAGER
+	obj = json_object_new_int(mgr->refs);
+	CHECKMEM(obj);
+	json_object_object_add(stats, "references", obj);
+#endif	/* USE_SHARED_MANAGER */
+
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		json_object *states, *entry = json_object_new_object();
+		char buf[255];
+
+		CHECKMEM(entry);
+		json_object_array_add(array, entry);
+
+		LOCK(&sock->lock);
+
+		snprintf(buf, sizeof(buf), "%p", sock);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "id", obj);
+
+		if (sock->name[0] != 0) {
+			obj = json_object_new_string(sock->name);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "name", obj);
+		}
+
+		obj = json_object_new_int(sock->references);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "references", obj);
+
+		obj = json_object_new_string(_socktype(sock->type));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "type", obj);
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "peer-address", obj);
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "local-address", obj);
+		}
+
+		states = json_object_new_array();
+		CHECKMEM(states);
+		json_object_object_add(entry, "states", states);
+
+		if (sock->pending_recv) {
+			obj = json_object_new_string("pending-receive");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_send) {
+			obj = json_object_new_string("pending-send");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_accept) {
+			obj = json_object_new_string("pending-accept");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->listener) {
+			obj = json_object_new_string("listener");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connected) {
+			obj = json_object_new_string("connected");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connecting) {
+			obj = json_object_new_string("connecting");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->bound) {
+			obj = json_object_new_string("bound");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+
+	json_object_object_add(stats, "sockets", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+ error:
+	if (array != NULL)
+		json_object_put(array);
+
+	if (sock != NULL)
+		UNLOCK(&sock->lock);
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif /* HAVE_JSON */
+
+#include "../socket_api.c"
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
new file mode 100644
index 0000000..fb4fdb8
--- /dev/null
+++ b/lib/isc/unix/socket_p.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SOCKET_P_H
+#define ISC_SOCKET_P_H
+
+/*! \file */
+
+#ifdef ISC_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+typedef struct isc_socketwait isc_socketwait_t;
+int isc__socketmgr_waitevents(isc_socketmgr_t *, struct timeval *,
+			      isc_socketwait_t **);
+isc_result_t isc__socketmgr_dispatch(isc_socketmgr_t *, isc_socketwait_t *);
+#endif /* ISC_SOCKET_P_H */
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
new file mode 100644
index 0000000..e60fa65
--- /dev/null
+++ b/lib/isc/unix/stdio.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/stdio.h>
+#include <isc/stat.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+	FILE *f;
+
+	f = fopen(filename, mode);
+	if (f == NULL)
+		return (isc__errno2result(errno));
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+	int r;
+
+	r = fclose(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence) {
+	int r;
+
+#ifdef HAVE_FSEEKO
+	r = fseeko(f, offset, whence);
+#else
+	r = fseek(f, offset, whence);
+#endif
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp) {
+	off_t r;
+
+	REQUIRE(offsetp != NULL);
+
+#ifdef HAVE_FTELLO
+	r = ftello(f);
+#else
+	r = ftell(f);
+#endif
+	if (r >= 0) {
+		*offsetp = r;
+		return (ISC_R_SUCCESS);
+	} else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fread(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		if (feof(f))
+			result = ISC_R_EOF;
+		else
+			result = isc__errno2result(errno);
+	}
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+	       size_t *nret)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fwrite(ptr, size, nmemb, f);
+	if (r != nmemb)
+		result = isc__errno2result(errno);
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+	int r;
+
+	r = fflush(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+/*
+ * OpenBSD has deprecated ENOTSUP in favor of EOPNOTSUPP.
+ */
+#if defined(EOPNOTSUPP) && !defined(ENOTSUP)
+#define ENOTSUP EOPNOTSUPP
+#endif
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+	struct stat buf;
+	int r;
+
+	if (fstat(fileno(f), &buf) != 0)
+		return (isc__errno2result(errno));
+
+	/*
+	 * Only call fsync() on regular files.
+	 */
+	if ((buf.st_mode & S_IFMT) != S_IFREG)
+		return (ISC_R_SUCCESS);
+
+	r = fsync(fileno(f));
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
new file mode 100644
index 0000000..989bde4
--- /dev/null
+++ b/lib/isc/unix/stdtime.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stddef.h>	/* NULL */
+#include <stdlib.h>	/* NULL */
+#include <syslog.h>
+
+#include <sys/time.h>
+
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
+
+#define US_PER_S 1000000
+
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+	bool fixed = false;
+
+	if (tv->tv_usec < 0) {
+		fixed = true;
+		do {
+			tv->tv_sec -= 1;
+			tv->tv_usec += US_PER_S;
+		} while (tv->tv_usec < 0);
+	} else if (tv->tv_usec >= US_PER_S) {
+		fixed = true;
+		do {
+			tv->tv_sec += 1;
+			tv->tv_usec -= US_PER_S;
+		} while (tv->tv_usec >=US_PER_S);
+	}
+	/*
+	 * Call syslog directly as we are called from the logging functions.
+	 */
+	if (fixed)
+		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
+
+void
+isc_stdtime_get(isc_stdtime_t *t) {
+	struct timeval tv;
+
+	/*
+	 * Set 't' to the number of seconds since 00:00:00 UTC, January 1,
+	 * 1970.
+	 */
+
+	REQUIRE(t != NULL);
+
+	RUNTIME_CHECK(gettimeofday(&tv, NULL) != -1);
+
+#if ISC_FIX_TV_USEC
+	fix_tv_usec(&tv);
+	INSIST(tv.tv_usec >= 0);
+#else
+	INSIST(tv.tv_usec >= 0 && tv.tv_usec < US_PER_S);
+#endif
+
+	*t = (unsigned int)tv.tv_sec;
+}
diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c
new file mode 100644
index 0000000..e4fb793
--- /dev/null
+++ b/lib/isc/unix/strerror.c
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+#ifdef HAVE_STRERROR
+/*%
+ * We need to do this this way for profiled locks.
+ */
+static isc_mutex_t isc_strerror_lock;
+static void init_lock(void) {
+	RUNTIME_CHECK(isc_mutex_init(&isc_strerror_lock) == ISC_R_SUCCESS);
+}
+#else
+extern const char * const sys_errlist[];
+extern const int sys_nerr;
+#endif
+
+void
+isc__strerror(int num, char *buf, size_t size) {
+#ifdef HAVE_STRERROR
+	char *msg;
+	unsigned int unum = (unsigned int)num;
+	static isc_once_t once = ISC_ONCE_INIT;
+
+	REQUIRE(buf != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
+
+	LOCK(&isc_strerror_lock);
+	msg = strerror(num);
+	if (msg != NULL)
+		snprintf(buf, size, "%s", msg);
+	else
+		snprintf(buf, size, "Unknown error: %u", unum);
+	UNLOCK(&isc_strerror_lock);
+#else
+	unsigned int unum = (unsigned int)num;
+
+	REQUIRE(buf != NULL);
+
+	if (num >= 0 && num < sys_nerr)
+		snprintf(buf, size, "%s", sys_errlist[num]);
+	else
+		snprintf(buf, size, "Unknown error: %u", unum);
+#endif
+}
diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c
new file mode 100644
index 0000000..4ce3272
--- /dev/null
+++ b/lib/isc/unix/syslog.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+static struct dsn_c_pvt_sfnt {
+	int val;
+	const char *strval;
+} facilities[] = {
+	{ LOG_KERN,			"kern" },
+	{ LOG_USER,			"user" },
+	{ LOG_MAIL,			"mail" },
+	{ LOG_DAEMON,			"daemon" },
+	{ LOG_AUTH,			"auth" },
+	{ LOG_SYSLOG,			"syslog" },
+	{ LOG_LPR,			"lpr" },
+#ifdef LOG_NEWS
+	{ LOG_NEWS,			"news" },
+#endif
+#ifdef LOG_UUCP
+	{ LOG_UUCP,			"uucp" },
+#endif
+#ifdef LOG_CRON
+	{ LOG_CRON,			"cron" },
+#endif
+#ifdef LOG_AUTHPRIV
+	{ LOG_AUTHPRIV,			"authpriv" },
+#endif
+#ifdef LOG_FTP
+	{ LOG_FTP,			"ftp" },
+#endif
+	{ LOG_LOCAL0,			"local0"},
+	{ LOG_LOCAL1,			"local1"},
+	{ LOG_LOCAL2,			"local2"},
+	{ LOG_LOCAL3,			"local3"},
+	{ LOG_LOCAL4,			"local4"},
+	{ LOG_LOCAL5,			"local5"},
+	{ LOG_LOCAL6,			"local6"},
+	{ LOG_LOCAL7,			"local7"},
+	{ 0,				NULL }
+};
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp) {
+	int i;
+
+	REQUIRE(str != NULL);
+	REQUIRE(facilityp != NULL);
+
+	for (i = 0; facilities[i].strval != NULL; i++) {
+		if (strcasecmp(facilities[i].strval, str) == 0) {
+			*facilityp = facilities[i].val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+
+}
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
new file mode 100644
index 0000000..8edc9df
--- /dev/null
+++ b/lib/isc/unix/time.c
@@ -0,0 +1,500 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <time.h>
+
+#include <sys/time.h>	/* Required for struct timeval on some platforms. */
+
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/tm.h>
+#include <isc/util.h>
+
+#define NS_PER_S	1000000000	/*%< Nanoseconds per second. */
+#define NS_PER_US	1000		/*%< Nanoseconds per microsecond. */
+#define NS_PER_MS	1000000		/*%< Nanoseconds per millisecond. */
+#define US_PER_S	1000000		/*%< Microseconds per second. */
+
+/*
+ * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
+ * consistency checking of the type. In lieu of magic numbers, it
+ * is the best we've got.  The check is only performed on functions which
+ * need an initialized type.
+ */
+
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
+
+/*%
+ *** Intervals
+ ***/
+
+static const isc_interval_t zero_interval = { 0, 0 };
+const isc_interval_t * const isc_interval_zero = &zero_interval;
+
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+	bool fixed = false;
+
+	if (tv->tv_usec < 0) {
+		fixed = true;
+		do {
+			tv->tv_sec -= 1;
+			tv->tv_usec += US_PER_S;
+		} while (tv->tv_usec < 0);
+	} else if (tv->tv_usec >= US_PER_S) {
+		fixed = true;
+		do {
+			tv->tv_sec += 1;
+			tv->tv_usec -= US_PER_S;
+		} while (tv->tv_usec >=US_PER_S);
+	}
+	/*
+	 * Call syslog directly as was are called from the logging functions.
+	 */
+	if (fixed)
+		(void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
+
+void
+isc_interval_set(isc_interval_t *i,
+		 unsigned int seconds, unsigned int nanoseconds)
+{
+	REQUIRE(i != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	i->seconds = seconds;
+	i->nanoseconds = nanoseconds;
+}
+
+bool
+isc_interval_iszero(const isc_interval_t *i) {
+	REQUIRE(i != NULL);
+	INSIST(i->nanoseconds < NS_PER_S);
+
+	if (i->seconds == 0 && i->nanoseconds == 0)
+		return (true);
+
+	return (false);
+}
+
+
+/***
+ *** Absolute Times
+ ***/
+
+static const isc_time_t epoch = { 0, 0 };
+const isc_time_t * const isc_time_epoch = &epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	t->seconds = seconds;
+	t->nanoseconds = nanoseconds;
+}
+
+void
+isc_time_settoepoch(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	t->seconds = 0;
+	t->nanoseconds = 0;
+}
+
+bool
+isc_time_isepoch(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	if (t->seconds == 0 && t->nanoseconds == 0)
+		return (true);
+
+	return (false);
+}
+
+
+isc_result_t
+isc_time_now(isc_time_t *t) {
+	struct timeval tv;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(t != NULL);
+
+	if (gettimeofday(&tv, NULL) == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
+	 * then this test will generate warnings for platforms on which it is
+	 * unsigned.  In any event, the chances of any of these problems
+	 * happening are pretty much zero, but since the libisc library ensures
+	 * certain things to be true ...
+	 */
+#if ISC_FIX_TV_USEC
+	fix_tv_usec(&tv);
+	if (tv.tv_sec < 0)
+		return (ISC_R_UNEXPECTED);
+#else
+	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+		return (ISC_R_UNEXPECTED);
+#endif
+
+	/*
+	 * Ensure the tv_sec value fits in t->seconds.
+	 */
+	if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
+	    ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+		return (ISC_R_RANGE);
+
+	t->seconds = tv.tv_sec;
+	t->nanoseconds = tv.tv_usec * NS_PER_US;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
+	struct timeval tv;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(t != NULL);
+	REQUIRE(i != NULL);
+	INSIST(i->nanoseconds < NS_PER_S);
+
+	if (gettimeofday(&tv, NULL) == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Does POSIX guarantee the signedness of tv_sec and tv_usec?  If not,
+	 * then this test will generate warnings for platforms on which it is
+	 * unsigned.  In any event, the chances of any of these problems
+	 * happening are pretty much zero, but since the libisc library ensures
+	 * certain things to be true ...
+	 */
+#if ISC_FIX_TV_USEC
+	fix_tv_usec(&tv);
+	if (tv.tv_sec < 0)
+		return (ISC_R_UNEXPECTED);
+#else
+	if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+		return (ISC_R_UNEXPECTED);
+#endif
+
+	/*
+	 * Ensure the resulting seconds value fits in the size of an
+	 * unsigned int.  (It is written this way as a slight optimization;
+	 * note that even if both values == INT_MAX, then when added
+	 * and getting another 1 added below the result is UINT_MAX.)
+	 */
+	if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+	    ((long long)tv.tv_sec + i->seconds > UINT_MAX))
+		return (ISC_R_RANGE);
+
+	t->seconds = tv.tv_sec + i->seconds;
+	t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
+	if (t->nanoseconds >= NS_PER_S) {
+		t->seconds++;
+		t->nanoseconds -= NS_PER_S;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
+	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+	if (t1->seconds < t2->seconds)
+		return (-1);
+	if (t1->seconds > t2->seconds)
+		return (1);
+	if (t1->nanoseconds < t2->nanoseconds)
+		return (-1);
+	if (t1->nanoseconds > t2->nanoseconds)
+		return (1);
+	return (0);
+}
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
+{
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	/*
+	 * Ensure the resulting seconds value fits in the size of an
+	 * unsigned int.  (It is written this way as a slight optimization;
+	 * note that even if both values == INT_MAX, then when added
+	 * and getting another 1 added below the result is UINT_MAX.)
+	 */
+	if ((t->seconds > INT_MAX || i->seconds > INT_MAX) &&
+	    ((long long)t->seconds + i->seconds > UINT_MAX))
+		return (ISC_R_RANGE);
+
+	result->seconds = t->seconds + i->seconds;
+	result->nanoseconds = t->nanoseconds + i->nanoseconds;
+	if (result->nanoseconds >= NS_PER_S) {
+		result->seconds++;
+		result->nanoseconds -= NS_PER_S;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result)
+{
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+	INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+	if ((unsigned int)t->seconds < i->seconds ||
+	    ((unsigned int)t->seconds == i->seconds &&
+	     t->nanoseconds < i->nanoseconds))
+	    return (ISC_R_RANGE);
+
+	result->seconds = t->seconds - i->seconds;
+	if (t->nanoseconds >= i->nanoseconds)
+		result->nanoseconds = t->nanoseconds - i->nanoseconds;
+	else {
+		result->nanoseconds = NS_PER_S - i->nanoseconds +
+			t->nanoseconds;
+		result->seconds--;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
+	uint64_t i1, i2, i3;
+
+	REQUIRE(t1 != NULL && t2 != NULL);
+	INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+	i1 = (uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
+	i2 = (uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
+
+	if (i1 <= i2)
+		return (0);
+
+	i3 = i1 - i2;
+
+	/*
+	 * Convert to microseconds.
+	 */
+	i3 /= NS_PER_US;
+
+	return (i3);
+}
+
+uint32_t
+isc_time_seconds(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	return ((uint32_t)t->seconds);
+}
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+
+	/*
+	 * Ensure that the number of seconds represented by t->seconds
+	 * can be represented by a time_t.  Since t->seconds is an unsigned
+	 * int and since time_t is mostly opaque, this is trickier than
+	 * it seems.  (This standardized opaqueness of time_t is *very*
+	 * frustrating; time_t is not even limited to being an integral
+	 * type.)
+	 *
+	 * The mission, then, is to avoid generating any kind of warning
+	 * about "signed versus unsigned" while trying to determine if the
+	 * the unsigned int t->seconds is out range for tv_sec, which is
+	 * pretty much only true if time_t is a signed integer of the same
+	 * size as the return value of isc_time_seconds.
+	 *
+	 * If the paradox in the if clause below is true, t->seconds is out
+	 * of range for time_t.
+	 */
+	seconds = (time_t)t->seconds;
+
+	INSIST(sizeof(unsigned int) == sizeof(uint32_t));
+	INSIST(sizeof(time_t) >= sizeof(uint32_t));
+
+	if (t->seconds > (~0U>>1) && seconds <= (time_t)(~0U>>1))
+		return (ISC_R_RANGE);
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	ENSURE(t->nanoseconds < NS_PER_S);
+
+	return ((uint32_t)t->nanoseconds);
+}
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t) t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%d-%b-%Y %X", localtime_r(&now, &tm));
+#else
+	flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
+#endif
+	INSIST(flen < len);
+	if (flen != 0)
+		snprintf(buf + flen, len - flen,
+			 ".%03u", t->nanoseconds / NS_PER_MS);
+	else {
+		strlcpy(buf, "99-Bad-9999 99:99:99.999", len);
+	}
+}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	/*
+	 * 5 spaces, 1 comma, 3 GMT, 2 %d, 4 %Y, 8 %H:%M:%S, 3+ %a, 3+ %b (29+)
+	 */
+	now = (time_t)t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT",
+			gmtime_r(&now, &tm));
+#else
+	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", gmtime(&now));
+#endif
+	INSIST(flen < len);
+}
+
+isc_result_t
+isc_time_parsehttptimestamp(char *buf, isc_time_t *t) {
+	struct tm t_tm;
+	time_t when;
+	char *p;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(t != NULL);
+
+	p = isc_tm_strptime(buf, "%a, %d %b %Y %H:%M:%S", &t_tm);
+	if (p == NULL)
+		return (ISC_R_UNEXPECTED);
+	when = isc_tm_timegm(&t_tm);
+	if (when == -1)
+		return (ISC_R_UNEXPECTED);
+	isc_time_set(t, when, 0);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+#else
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+#endif
+	INSIST(flen < len);
+}
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
+
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+#else
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+#endif
+	INSIST(flen < len);
+	if (flen > 0U && len - flen >= 5) {
+		flen -= 1; /* rewind one character (Z) */
+		snprintf(buf + flen, len - flen, ".%03uZ",
+			 t->nanoseconds / NS_PER_MS);
+	}
+}
diff --git a/lib/isc/version.c b/lib/isc/version.c
new file mode 100644
index 0000000..3a83a39
--- /dev/null
+++ b/lib/isc/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <isc/version.h>
+
+const char isc_version[] = VERSION;
+
+const unsigned int isc_libinterface = LIBINTERFACE;
+const unsigned int isc_librevision = LIBREVISION;
+const unsigned int isc_libage = LIBAGE;
diff --git a/lib/isc/win32/DLLMain.c b/lib/isc/win32/DLLMain.c
new file mode 100644
index 0000000..f14260e
--- /dev/null
+++ b/lib/isc/win32/DLLMain.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <stdio.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason)
+	{
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/isc/win32/Makefile.in b/lib/isc/win32/Makefile.in
new file mode 100644
index 0000000..19b46bd
--- /dev/null
+++ b/lib/isc/win32/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+CINCLUDES =	-I${srcdir}/.. \
+		-I./include \
+		-I${srcdir}/include \
+		-I${srcdir}/../include
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		condition.@O@ dir.@O@ errno.@O@ file.@O@ \
+		meminfo.@O@ fsaccess.@O@ \
+		once.@O@ stdtime.@O@ thread.@O@ time.@O@ @ISC_PK11_API_O@
+
+# Alphabetically
+SRCS =		condition.c dir.c errno.c file.c \
+		meminfo.c once.c fsaccess.c \
+		stdtime.c thread.c time.c @ISC_PK11_API_C@
+
+SUBDIRS =	include
+TARGETS =	${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/win32/app.c b/lib/isc/win32/app.c
new file mode 100644
index 0000000..35274a2
--- /dev/null
+++ b/lib/isc/win32/app.c
@@ -0,0 +1,481 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <process.h>
+
+#include <isc/app.h>
+#include <isc/condition.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/event.h>
+#include <isc/platform.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+#include <isc/thread.h>
+
+/*%
+ * For BIND9 internal applications built with threads, we use a single app
+ * context and let multiple worker, I/O, timer threads do actual jobs.
+ */
+
+static isc_thread_t	blockedthread;
+
+/*%
+ * The following are intended for internal use (indicated by "isc__"
+ * prefix) but are not declared as static, allowing direct access from
+ * unit tests etc.
+ */
+isc_result_t isc__app_start(void);
+isc_result_t isc__app_ctxstart(isc_appctx_t *ctx);
+isc_result_t isc__app_onrun(isc_mem_t *mctx, isc_task_t *task,
+			    isc_taskaction_t action, void *arg);
+isc_result_t isc__app_ctxrun(isc_appctx_t *ctx);
+isc_result_t isc__app_run(void);
+isc_result_t isc__app_ctxshutdown(isc_appctx_t *ctx);
+isc_result_t isc__app_shutdown(void);
+isc_result_t isc__app_reload(void);
+isc_result_t isc__app_ctxsuspend(isc_appctx_t *ctx);
+void isc__app_ctxfinish(isc_appctx_t *ctx);
+void isc__app_finish(void);
+void isc__app_block(void);
+void isc__app_unblock(void);
+isc_result_t isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp);
+void isc__appctx_destroy(isc_appctx_t **ctxp);
+void isc__appctx_settaskmgr(isc_appctx_t *ctx, isc_taskmgr_t *taskmgr);
+void isc__appctx_setsocketmgr(isc_appctx_t *ctx, isc_socketmgr_t *socketmgr);
+void isc__appctx_settimermgr(isc_appctx_t *ctx, isc_timermgr_t *timermgr);
+isc_result_t isc__app_ctxonrun(isc_appctx_t *ctx, isc_mem_t *mctx,
+			       isc_task_t *task, isc_taskaction_t action,
+			       void *arg);
+
+/*
+ * The application context of this module.  This implementation actually
+ * doesn't use it. (This may change in the future).
+ */
+#define APPCTX_MAGIC		ISC_MAGIC('A', 'p', 'c', 'x')
+#define VALID_APPCTX(c)		ISC_MAGIC_VALID(c, APPCTX_MAGIC)
+
+/* Events to wait for */
+
+#define NUM_EVENTS 2
+
+enum {
+	RELOAD_EVENT,
+	SHUTDOWN_EVENT
+};
+
+typedef struct isc__appctx {
+	isc_appctx_t		common;
+	isc_mem_t		*mctx;
+	isc_eventlist_t		on_run;
+	isc_mutex_t		lock;
+	bool		shutdown_requested;
+	bool		running;
+	/*
+	 * We assume that 'want_shutdown' can be read and written atomically.
+	 */
+	bool		want_shutdown;
+	/*
+	 * We assume that 'want_reload' can be read and written atomically.
+	 */
+	bool		want_reload;
+
+	bool		blocked;
+
+	HANDLE			hEvents[NUM_EVENTS];
+
+	isc_taskmgr_t		*taskmgr;
+	isc_socketmgr_t		*socketmgr;
+	isc_timermgr_t		*timermgr;
+} isc__appctx_t;
+
+static isc__appctx_t isc_g_appctx;
+
+static struct {
+	isc_appmethods_t methods;
+
+	/*%
+	 * The following are defined just for avoiding unused static functions.
+	 */
+	void *run, *shutdown, *start, *reload, *finish, *block, *unblock;
+} appmethods = {
+	{
+		isc__appctx_destroy,
+		isc__app_ctxstart,
+		isc__app_ctxrun,
+		isc__app_ctxsuspend,
+		isc__app_ctxshutdown,
+		isc__app_ctxfinish,
+		isc__appctx_settaskmgr,
+		isc__appctx_setsocketmgr,
+		isc__appctx_settimermgr,
+		isc__app_ctxonrun
+	},
+	(void *)isc__app_run,
+	(void *)isc__app_shutdown,
+	(void *)isc__app_start,
+	(void *)isc__app_reload,
+	(void *)isc__app_finish,
+	(void *)isc__app_block,
+	(void *)isc__app_unblock
+};
+
+/*
+ * We need to remember which thread is the main thread...
+ */
+static isc_thread_t	main_thread;
+
+isc_result_t
+isc__app_ctxstart(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc_result_t result;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	/*
+	 * Start an ISC library application.
+	 */
+
+	main_thread = GetCurrentThread();
+
+	result = isc_mutex_init(&ctx->lock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	ctx->shutdown_requested = false;
+	ctx->running = false;
+	ctx->want_shutdown = false;
+	ctx->want_reload = false;
+	ctx->blocked  = false;
+
+	/* Create the reload event in a non-signaled state */
+	ctx->hEvents[RELOAD_EVENT] = CreateEvent(NULL, FALSE, FALSE, NULL);
+
+	/* Create the shutdown event in a non-signaled state */
+	ctx->hEvents[SHUTDOWN_EVENT] = CreateEvent(NULL, FALSE, FALSE, NULL);
+
+	ISC_LIST_INIT(ctx->on_run);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_start(void) {
+	isc_g_appctx.common.impmagic = APPCTX_MAGIC;
+	isc_g_appctx.common.magic = ISCAPI_APPCTX_MAGIC;
+	isc_g_appctx.common.methods = &appmethods.methods;
+	isc_g_appctx.mctx = NULL;
+	/* The remaining members will be initialized in ctxstart() */
+
+	return (isc__app_ctxstart((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+	       void *arg)
+{
+	return (isc__app_ctxonrun((isc_appctx_t *)&isc_g_appctx, mctx,
+				  task, action, arg));
+}
+
+isc_result_t
+isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
+		  isc_taskaction_t action, void *arg)
+{
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc_event_t *event;
+	isc_task_t *cloned_task = NULL;
+	isc_result_t result;
+
+	LOCK(&ctx->lock);
+
+	if (ctx->running) {
+		result = ISC_R_ALREADYRUNNING;
+		goto unlock;
+	}
+
+	/*
+	 * Note that we store the task to which we're going to send the event
+	 * in the event's "sender" field.
+	 */
+	isc_task_attach(task, &cloned_task);
+	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
+				   action, arg, sizeof(*event));
+	if (event == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto unlock;
+	}
+
+	ISC_LINK_INIT(event, ev_link);
+	ISC_LIST_APPEND(ctx->on_run, event, ev_link);
+
+	result = ISC_R_SUCCESS;
+
+ unlock:
+	UNLOCK(&ctx->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__app_ctxrun(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	isc_event_t *event, *next_event;
+	isc_task_t *task;
+	HANDLE *pHandles = NULL;
+	DWORD  dwWaitResult;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	REQUIRE(main_thread == GetCurrentThread());
+
+	LOCK(&ctx->lock);
+
+	if (!ctx->running) {
+		ctx->running = true;
+
+		/*
+		 * Post any on-run events (in FIFO order).
+		 */
+		for (event = ISC_LIST_HEAD(ctx->on_run);
+		     event != NULL;
+		     event = next_event) {
+			next_event = ISC_LIST_NEXT(event, ev_link);
+			ISC_LIST_UNLINK(ctx->on_run, event, ev_link);
+			task = event->ev_sender;
+			event->ev_sender = NULL;
+			isc_task_sendanddetach(&task, &event);
+		}
+
+	}
+
+	UNLOCK(&ctx->lock);
+
+	/*
+	 * There is no danger if isc_app_shutdown() is called before we wait
+	 * for events.
+	 */
+
+	while (!ctx->want_shutdown) {
+		dwWaitResult = WaitForMultipleObjects(NUM_EVENTS, ctx->hEvents,
+						      FALSE, INFINITE);
+
+		/* See why we returned */
+
+		if (WaitSucceeded(dwWaitResult, NUM_EVENTS)) {
+			/*
+			 * The return was due to one of the events
+			 * being signaled
+			 */
+			switch (WaitSucceededIndex(dwWaitResult)) {
+			case RELOAD_EVENT:
+				ctx->want_reload = true;
+				break;
+
+			case SHUTDOWN_EVENT:
+				ctx->want_shutdown = true;
+				break;
+			}
+		}
+
+		if (ctx->want_reload) {
+			ctx->want_reload = false;
+			return (ISC_R_RELOAD);
+		}
+
+		if (ctx->want_shutdown && ctx->blocked)
+			exit(-1);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_run(void) {
+	return (isc__app_ctxrun((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_ctxshutdown(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	bool want_kill = true;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	LOCK(&ctx->lock);
+
+	REQUIRE(ctx->running);
+
+	if (ctx->shutdown_requested)
+		want_kill = false;		/* We're only signaling once */
+	else
+		ctx->shutdown_requested = true;
+
+	UNLOCK(&ctx->lock);
+
+	if (want_kill)
+		SetEvent(ctx->hEvents[SHUTDOWN_EVENT]);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_shutdown(void) {
+	return (isc__app_ctxshutdown((isc_appctx_t *)&isc_g_appctx));
+}
+
+isc_result_t
+isc__app_ctxsuspend(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+	bool want_kill = true;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	LOCK(&ctx->lock);
+
+	REQUIRE(ctx->running);
+
+	/*
+	 * Don't send the reload signal if we're shutting down.
+	 */
+	if (ctx->shutdown_requested)
+		want_kill = false;
+
+	UNLOCK(&ctx->lock);
+
+	if (want_kill)
+		SetEvent(ctx->hEvents[RELOAD_EVENT]);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__app_reload(void) {
+	return (isc__app_ctxsuspend((isc_appctx_t *)&isc_g_appctx));
+}
+
+void
+isc__app_ctxfinish(isc_appctx_t *ctx0) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	DESTROYLOCK(&ctx->lock);
+}
+
+void
+isc__app_finish(void) {
+	isc__app_ctxfinish((isc_appctx_t *)&isc_g_appctx);
+}
+
+void
+isc__app_block(void) {
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(!isc_g_appctx.blocked);
+
+	isc_g_appctx.blocked = true;
+	blockedthread = GetCurrentThread();
+}
+
+void
+isc__app_unblock(void) {
+	REQUIRE(isc_g_appctx.running);
+	REQUIRE(isc_g_appctx.blocked);
+
+	isc_g_appctx.blocked = false;
+	REQUIRE(blockedthread == GetCurrentThread());
+}
+
+isc_result_t
+isc__appctx_create(isc_mem_t *mctx, isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ctxp != NULL && *ctxp == NULL);
+
+	ctx = isc_mem_get(mctx, sizeof(*ctx));
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	ctx->common.impmagic = APPCTX_MAGIC;
+	ctx->common.magic = ISCAPI_APPCTX_MAGIC;
+	ctx->common.methods = &appmethods.methods;
+
+	ctx->mctx = NULL;
+	isc_mem_attach(mctx, &ctx->mctx);
+
+	ctx->taskmgr = NULL;
+	ctx->socketmgr = NULL;
+	ctx->timermgr = NULL;
+
+	*ctxp = (isc_appctx_t *)ctx;
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc__appctx_destroy(isc_appctx_t **ctxp) {
+	isc__appctx_t *ctx;
+
+	REQUIRE(ctxp != NULL);
+	ctx = (isc__appctx_t *)*ctxp;
+	REQUIRE(VALID_APPCTX(ctx));
+
+	isc_mem_putanddetach(&ctx->mctx, ctx, sizeof(*ctx));
+
+	*ctxp = NULL;
+}
+
+void
+isc__appctx_settaskmgr(isc_appctx_t *ctx0, isc_taskmgr_t *taskmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->taskmgr = taskmgr;
+}
+
+void
+isc__appctx_setsocketmgr(isc_appctx_t *ctx0, isc_socketmgr_t *socketmgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->socketmgr = socketmgr;
+}
+
+void
+isc__appctx_settimermgr(isc_appctx_t *ctx0, isc_timermgr_t *timermgr) {
+	isc__appctx_t *ctx = (isc__appctx_t *)ctx0;
+
+	REQUIRE(VALID_APPCTX(ctx));
+
+	ctx->timermgr = timermgr;
+}
+
+isc_result_t
+isc__app_register(void) {
+	return (isc_app_register(isc__appctx_create));
+}
+
+#include "../app_api.c"
diff --git a/lib/isc/win32/condition.c b/lib/isc/win32/condition.c
new file mode 100644
index 0000000..7887508
--- /dev/null
+++ b/lib/isc/win32/condition.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/condition.h>
+#include <isc/assertions.h>
+#include <isc/util.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+
+#define LSIGNAL		0
+#define LBROADCAST	1
+
+isc_result_t
+isc_condition_init(isc_condition_t *cond) {
+	HANDLE h;
+
+	REQUIRE(cond != NULL);
+
+	cond->waiters = 0;
+	/*
+	 * This handle is shared across all threads
+	 */
+	h = CreateEvent(NULL, FALSE, FALSE, NULL);
+	if (h == NULL) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	cond->events[LSIGNAL] = h;
+
+	/*
+	 * The threadlist will hold the actual events needed
+	 * for the wait condition
+	 */
+	ISC_LIST_INIT(cond->threadlist);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add the thread to the threadlist along with the required events
+ */
+static isc_result_t
+register_thread(unsigned long thrd, isc_condition_t *gblcond,
+		isc_condition_thread_t **localcond)
+{
+	HANDLE hc;
+	isc_condition_thread_t *newthread;
+
+	REQUIRE(localcond != NULL && *localcond == NULL);
+
+	newthread = malloc(sizeof(isc_condition_thread_t));
+	if (newthread == NULL)
+		return (ISC_R_NOMEMORY);
+
+	/*
+	 * Create the thread-specific handle
+	 */
+	hc = CreateEvent(NULL, FALSE, FALSE, NULL);
+	if (hc == NULL) {
+		free(newthread);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Add the thread ID and handles to list of threads for broadcast
+	 */
+	newthread->handle[LSIGNAL] = gblcond->events[LSIGNAL];
+	newthread->handle[LBROADCAST] = hc;
+	newthread->th = thrd;
+
+	/*
+	 * The thread is holding the manager lock so this is safe
+	 */
+	ISC_LINK_INIT(newthread, link);
+	ISC_LIST_APPEND(gblcond->threadlist, newthread, link);
+	*localcond = newthread;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+find_thread_condition(unsigned long thrd, isc_condition_t *cond,
+		      isc_condition_thread_t **threadcondp)
+{
+	isc_condition_thread_t *threadcond;
+
+	REQUIRE(threadcondp != NULL && *threadcondp == NULL);
+
+	/*
+	 * Look for the thread ID.
+	 */
+	for (threadcond = ISC_LIST_HEAD(cond->threadlist);
+	     threadcond != NULL;
+	     threadcond = ISC_LIST_NEXT(threadcond, link)) {
+
+		if (threadcond->th == thrd) {
+			*threadcondp = threadcond;
+			return (ISC_R_SUCCESS);
+		}
+	}
+
+	/*
+	 * Not found, so add it.
+	 */
+	return (register_thread(thrd, cond, threadcondp));
+}
+
+isc_result_t
+isc_condition_signal(isc_condition_t *cond) {
+
+	/*
+	 * Unlike pthreads, the caller MUST hold the lock associated with
+	 * the condition variable when calling us.
+	 */
+	REQUIRE(cond != NULL);
+
+	if (!SetEvent(cond->events[LSIGNAL])) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_broadcast(isc_condition_t *cond) {
+
+	isc_condition_thread_t *threadcond;
+	bool failed = false;
+
+	/*
+	 * Unlike pthreads, the caller MUST hold the lock associated with
+	 * the condition variable when calling us.
+	 */
+	REQUIRE(cond != NULL);
+
+	/*
+	 * Notify every thread registered for this
+	 */
+	for (threadcond = ISC_LIST_HEAD(cond->threadlist);
+	     threadcond != NULL;
+	     threadcond = ISC_LIST_NEXT(threadcond, link)) {
+
+		if (!SetEvent(threadcond->handle[LBROADCAST]))
+			failed = true;
+	}
+
+	if (failed)
+		return (ISC_R_UNEXPECTED);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_destroy(isc_condition_t *cond) {
+
+	isc_condition_thread_t *next, *threadcond;
+
+	REQUIRE(cond != NULL);
+	REQUIRE(cond->waiters == 0);
+
+	(void)CloseHandle(cond->events[LSIGNAL]);
+
+	/*
+	 * Delete the threadlist
+	 */
+	threadcond = ISC_LIST_HEAD(cond->threadlist);
+
+	while (threadcond != NULL) {
+		next = ISC_LIST_NEXT(threadcond, link);
+		DEQUEUE(cond->threadlist, threadcond, link);
+		(void) CloseHandle(threadcond->handle[LBROADCAST]);
+		free(threadcond);
+		threadcond = next;
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is always called when the mutex (lock) is held, but because
+ * we are waiting we need to release it and reacquire it as soon as the wait
+ * is over. This allows other threads to make use of the object guarded
+ * by the mutex but it should never try to delete it as long as the
+ * number of waiters > 0. Always reacquire the mutex regardless of the
+ * result of the wait. Note that EnterCriticalSection will wait to acquire
+ * the mutex.
+ */
+static isc_result_t
+wait(isc_condition_t *cond, isc_mutex_t *mutex, DWORD milliseconds) {
+	DWORD result;
+	isc_result_t tresult;
+	isc_condition_thread_t *threadcond = NULL;
+
+	/*
+	 * Get the thread events needed for the wait
+	 */
+	tresult = find_thread_condition(isc_thread_self(), cond, &threadcond);
+	if (tresult !=  ISC_R_SUCCESS)
+		return (tresult);
+
+	cond->waiters++;
+	LeaveCriticalSection(mutex);
+	result = WaitForMultipleObjects(2, threadcond->handle, FALSE,
+					milliseconds);
+	EnterCriticalSection(mutex);
+	cond->waiters--;
+	if (result == WAIT_FAILED) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	if (result == WAIT_TIMEOUT)
+		return (ISC_R_TIMEDOUT);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_condition_wait(isc_condition_t *cond, isc_mutex_t *mutex) {
+	return (wait(cond, mutex, INFINITE));
+}
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *cond, isc_mutex_t *mutex,
+			isc_time_t *t) {
+	DWORD milliseconds;
+	uint64_t microseconds;
+	isc_time_t now;
+
+	if (isc_time_now(&now) != ISC_R_SUCCESS) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+
+	microseconds = isc_time_microdiff(t, &now);
+	if (microseconds > 0xFFFFFFFFi64 * 1000)
+		milliseconds = 0xFFFFFFFF;
+	else
+		milliseconds = (DWORD)(microseconds / 1000);
+
+	return (wait(cond, mutex, milliseconds));
+}
diff --git a/lib/isc/win32/dir.c b/lib/isc/win32/dir.c
new file mode 100644
index 0000000..5db2c23
--- /dev/null
+++ b/lib/isc/win32/dir.c
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <string.h>
+#include <direct.h>
+#include <process.h>
+#include <io.h>
+
+#include <sys/stat.h>
+
+#include <isc/assertions.h>
+#include <isc/dir.h>
+#include <isc/magic.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#define ISC_DIR_MAGIC		ISC_MAGIC('D', 'I', 'R', '*')
+#define VALID_DIR(dir)		ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
+
+static isc_result_t
+start_directory(isc_dir_t *p);
+
+void
+isc_dir_init(isc_dir_t *dir) {
+	REQUIRE(dir != NULL);
+
+	dir->dirname[0] = '\0';
+
+	dir->entry.name[0] = '\0';
+	dir->entry.length = 0;
+	memset(&(dir->entry.find_data), 0, sizeof(dir->entry.find_data));
+
+	dir->entry_filled = false;
+	dir->search_handle = INVALID_HANDLE_VALUE;
+
+	dir->magic = ISC_DIR_MAGIC;
+}
+
+/*
+ * Allocate workspace and open directory stream. If either one fails,
+ * NULL will be returned.
+ */
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname) {
+	char *p;
+	isc_result_t result;
+
+	REQUIRE(dirname != NULL);
+	REQUIRE(VALID_DIR(dir) && dir->search_handle == INVALID_HANDLE_VALUE);
+
+	/*
+	 * Copy directory name.  Need to have enough space for the name,
+	 * a possible path separator, the wildcard, and the final NUL.
+	 */
+	if (strlen(dirname) + 3 > sizeof(dir->dirname))
+		/* XXXDCL ? */
+		return (ISC_R_NOSPACE);
+	strlcpy(dir->dirname, dirname, sizeof(dir->dirname));
+
+	/*
+	 * Append path separator, if needed, and "*".
+	 */
+	p = dir->dirname + strlen(dir->dirname);
+	if (dir->dirname < p && *(p - 1) != '\\' && *(p - 1) != ':')
+		*p++ = '\\';
+	*p++ = '*';
+	*p = '\0';
+
+	/*
+	 * Open stream.
+	 */
+	result = start_directory(dir);
+
+	return (result);
+}
+
+/*
+ * Return previously retrieved file or get next one.  Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+isc_dir_read(isc_dir_t *dir) {
+	REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+
+	if (dir->entry_filled)
+		/*
+		 * start_directory() already filled in the first entry.
+		 */
+		dir->entry_filled = false;
+
+	else {
+		/*
+		 * Fetch next file in directory.
+		 */
+		if (FindNextFile(dir->search_handle,
+				 &dir->entry.find_data) == FALSE)
+			/*
+			 * Either the last file has been processed or
+			 * an error has occurred.  The former is not
+			 * really an error, but the latter is.
+			 */
+			if (GetLastError() == ERROR_NO_MORE_FILES)
+				return (ISC_R_NOMORE);
+			else
+				return (ISC_R_UNEXPECTED);
+	}
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	strlcpy(dir->entry.name, dir->entry.find_data.cFileName,
+		sizeof(dir->entry.name));
+	dir->entry.length = strlen(dir->entry.name);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Close directory stream.
+ */
+void
+isc_dir_close(isc_dir_t *dir) {
+       REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+
+       FindClose(dir->search_handle);
+       dir->search_handle = INVALID_HANDLE_VALUE;
+}
+
+/*
+ * Reposition directory stream at start.
+ */
+isc_result_t
+isc_dir_reset(isc_dir_t *dir) {
+	isc_result_t result;
+
+	REQUIRE(VALID_DIR(dir) && dir->search_handle != INVALID_HANDLE_VALUE);
+	REQUIRE(dir->dirname != NULL);
+
+	/*
+	 * NT cannot reposition the seek pointer to the beginning of the
+	 * the directory stream, but rather the directory needs to be
+	 * closed and reopened.  The latter might fail.
+	 */
+
+	isc_dir_close(dir);
+
+	result = start_directory(dir);
+
+	return (result);
+}
+
+/*
+ * Initialize isc_dir_t structure with new directory. The function
+ * returns 0 on failure and nonzero on success.
+ *
+ * Note:
+ * - Be sure to close previous stream before opening new one
+ */
+static isc_result_t
+start_directory(isc_dir_t *dir)
+{
+	REQUIRE(VALID_DIR(dir));
+	REQUIRE(dir->search_handle == INVALID_HANDLE_VALUE);
+
+	dir->entry_filled = false;
+
+	/*
+	 * Open stream and retrieve first file.
+	 */
+	dir->search_handle = FindFirstFile(dir->dirname,
+					    &dir->entry.find_data);
+
+	if (dir->search_handle == INVALID_HANDLE_VALUE) {
+		/*
+		 * Something went wrong but we don't know what. GetLastError()
+		 * could give us more information about the error, but the
+		 * MSDN documentation is frustratingly thin about what
+		 * possible errors could have resulted.  (Score one for
+		 * the Unix manual pages.)  So there is just this lame error
+		 * instead of being able to differentiate ISC_R_NOTFOUND
+		 * from ISC_R_UNEXPECTED.
+		 */
+		return (ISC_R_FAILURE);
+	}
+
+	/*
+	 * Make sure that the space for the name is long enough.
+	 */
+	INSIST(sizeof(dir->entry.name) >
+	       strlen(dir->entry.find_data.cFileName));
+
+	/*
+	 * Fill in the data for the first entry of the directory.
+	 */
+	strlcpy(dir->entry.name, dir->entry.find_data.cFileName,
+		sizeof(dir->entry.name));
+	dir->entry.length = strlen(dir->entry.name);
+
+	dir->entry_filled = true;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chdir(const char *dirname) {
+	/*
+	 * Change the current directory to 'dirname'.
+	 */
+
+	REQUIRE(dirname != NULL);
+
+	if (chdir(dirname) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chroot(const char *dirname) {
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+isc_dir_createunique(char *templet) {
+	isc_result_t result;
+	char *x;
+	char *p;
+	int i;
+	int pid;
+
+	REQUIRE(templet != NULL);
+
+	/*
+	 * mkdtemp is not portable, so this emulates it.
+	 */
+
+	pid = getpid();
+
+	/*
+	 * Replace trailing Xs with the process-id, zero-filled.
+	 */
+	for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
+	     x--, pid /= 10)
+		*x = pid % 10 + '0';
+
+	x++;			/* Set x to start of ex-Xs. */
+
+	do {
+		i = mkdir(templet);
+		if (i == 0)
+			i = chmod(templet, 0700);
+
+		if (i == 0 || errno != EEXIST)
+			break;
+
+		/*
+		 * The BSD algorithm.
+		 */
+		p = x;
+		while (*p != '\0') {
+			if (isdigit(*p & 0xff))
+				*p = 'a';
+			else if (*p != 'z')
+				++*p;
+			else {
+				/*
+				 * Reset character and move to next.
+				 */
+				*p++ = 'a';
+				continue;
+			}
+
+			break;
+		}
+
+		if (*p == '\0') {
+			/*
+			 * Tried all combinations.  errno should already
+			 * be EEXIST, but ensure it is anyway for
+			 * isc__errno2result().
+			 */
+			errno = EEXIST;
+			break;
+		}
+	} while (1);
+
+	if (i == -1)
+		result = isc__errno2result(errno);
+	else
+		result = ISC_R_SUCCESS;
+
+	return (result);
+}
diff --git a/lib/isc/win32/entropy.c b/lib/isc/win32/entropy.c
new file mode 100644
index 0000000..2480c02
--- /dev/null
+++ b/lib/isc/win32/entropy.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This is the system dependent part of the ISC entropy API.
+ */
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <windows.h>
+#include <wincrypt.h>
+
+#include <process.h>
+#include <io.h>
+#include <share.h>
+
+/*
+ * There is only one variable in the entropy data structures that is not
+ * system independent, but pulling the structure that uses it into this file
+ * ultimately means pulling several other independent structures here also to
+ * resolve their interdependencies.  Thus only the problem variable's type
+ * is defined here.
+ */
+#define FILESOURCE_HANDLE_TYPE	HCRYPTPROV
+
+typedef struct {
+	int dummy;
+} isc_entropyusocketsource_t;
+
+#include "../entropy.c"
+
+static unsigned int
+get_from_filesource(isc_entropysource_t *source, uint32_t desired) {
+	isc_entropy_t *ent = source->ent;
+	unsigned char buf[128];
+	HCRYPTPROV hcryptprov = source->sources.file.handle;
+	ssize_t ndesired;
+	unsigned int added;
+
+	if (source->bad)
+		return (0);
+
+	desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+	added = 0;
+	while (desired > 0) {
+		ndesired = ISC_MIN(desired, sizeof(buf));
+		if (!CryptGenRandom(hcryptprov, (DWORD)ndesired, buf)) {
+			CryptReleaseContext(hcryptprov, 0);
+			source->bad = true;
+			goto out;
+		}
+
+		entropypool_adddata(ent, buf,
+				    (unsigned int)ndesired,
+				    (unsigned int)ndesired * 8);
+		added += (unsigned int)ndesired * 8;
+		desired -= (uint32_t)ndesired;
+	}
+
+ out:
+	return (added);
+}
+
+/*
+ * Poll each source, trying to get data from it to stuff into the entropy
+ * pool.
+ */
+static void
+fillpool(isc_entropy_t *ent, unsigned int desired, bool blocking) {
+	unsigned int added;
+	unsigned int remaining;
+	unsigned int needed;
+	unsigned int nsource;
+	isc_entropysource_t *source;
+	isc_entropysource_t *firstsource;
+
+	REQUIRE(VALID_ENTROPY(ent));
+
+	needed = desired;
+
+	/*
+	 * This logic is a little strange, so an explanation is in order.
+	 *
+	 * If needed is 0, it means we are being asked to "fill to whatever
+	 * we think is best."  This means that if we have at least a
+	 * partially full pool (say, > 1/4th of the pool) we probably don't
+	 * need to add anything.
+	 *
+	 * Also, we will check to see if the "pseudo" count is too high.
+	 * If it is, try to mix in better data.  Too high is currently
+	 * defined as 1/4th of the pool.
+	 *
+	 * Next, if we are asked to add a specific bit of entropy, make
+	 * certain that we will do so.  Clamp how much we try to add to
+	 * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
+	 *
+	 * Note that if we are in a blocking mode, we will only try to
+	 * get as much data as we need, not as much as we might want
+	 * to build up.
+	 */
+	if (needed == 0) {
+		REQUIRE(!blocking);
+
+		if ((ent->pool.entropy >= RND_POOLBITS / 4)
+		    && (ent->pool.pseudo <= RND_POOLBITS / 4))
+			return;
+
+		needed = THRESHOLD_BITS * 4;
+	} else {
+		needed = ISC_MAX(needed, THRESHOLD_BITS);
+		needed = ISC_MIN(needed, RND_POOLBITS);
+	}
+
+	/*
+	 * In any case, clamp how much we need to how much we can add.
+	 */
+	needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy);
+
+	/*
+	 * But wait!  If we're not yet initialized, we need at least
+	 *	THRESHOLD_BITS
+	 * of randomness.
+	 */
+	if (ent->initialized < THRESHOLD_BITS)
+		needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized);
+
+	/*
+	 * Poll each file source to see if we can read anything useful from
+	 * it.  XXXMLG When where are multiple sources, we should keep a
+	 * record of which one we last used so we can start from it (or the
+	 * next one) to avoid letting some sources build up entropy while
+	 * others are always drained.
+	 */
+
+	added = 0;
+	remaining = needed;
+	if (ent->nextsource == NULL) {
+		ent->nextsource = ISC_LIST_HEAD(ent->sources);
+		if (ent->nextsource == NULL)
+			return;
+	}
+	source = ent->nextsource;
+	/*
+	 * Remember the first source so we can break if we have looped back to
+	 * the beginning and still have nothing
+	 */
+	firstsource = source;
+ again_file:
+	for (nsource = 0; nsource < ent->nsources; nsource++) {
+		unsigned int got;
+
+		if (remaining == 0)
+			break;
+
+		got = 0;
+
+		if (source->type == ENTROPY_SOURCETYPE_FILE)
+			got = get_from_filesource(source, remaining);
+
+		added += got;
+
+		remaining -= ISC_MIN(remaining, got);
+
+		source = ISC_LIST_NEXT(source, link);
+		if (source == NULL)
+			source = ISC_LIST_HEAD(ent->sources);
+	}
+	ent->nextsource = source;
+
+	/*
+	 * Go again only if there's been progress and we've not
+	 * gone back to the beginning
+	 */
+	if (!(ent->nextsource == firstsource && added == 0)) {
+		if (blocking && remaining != 0) {
+				goto again_file;
+		}
+	}
+
+	/*
+	 * Here, if there are bits remaining to be had and we can block,
+	 * check to see if we have a callback source.  If so, call them.
+	 */
+	source = ISC_LIST_HEAD(ent->sources);
+	while ((remaining != 0) && (source != NULL)) {
+		unsigned int got;
+
+		got = 0;
+
+		if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
+			got = get_from_callback(source, remaining, blocking);
+
+		added += got;
+		remaining -= ISC_MIN(remaining, got);
+
+		if (added >= needed)
+			break;
+
+		source = ISC_LIST_NEXT(source, link);
+	}
+
+	/*
+	 * Mark as initialized if we've added enough data.
+	 */
+	if (ent->initialized < THRESHOLD_BITS)
+		ent->initialized += added;
+}
+
+
+
+/*
+ * Requires "ent" be locked.
+ */
+static void
+destroyfilesource(isc_entropyfilesource_t *source) {
+	CryptReleaseContext(source->handle, 0);
+}
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source) {
+	UNUSED(source);
+}
+
+
+isc_result_t
+isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
+	isc_result_t ret;
+	isc_entropysource_t *source;
+	HCRYPTPROV hcryptprov;
+	BOOL err;
+
+	REQUIRE(VALID_ENTROPY(ent));
+	REQUIRE(fname != NULL);
+
+	LOCK(&ent->lock);
+
+	source = NULL;
+
+	/*
+	 * The first time we just try to acquire the context
+	 */
+	err = CryptAcquireContext(&hcryptprov, NULL, NULL, PROV_RSA_FULL,
+				  CRYPT_VERIFYCONTEXT);
+	if (!err){
+		(void)GetLastError();
+		ret = ISC_R_IOERROR;
+		goto errout;
+	}
+
+	source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+	if (source == NULL) {
+		ret = ISC_R_NOMEMORY;
+		goto closecontext;
+	}
+
+	/*
+	 * From here down, no failures can occur.
+	 */
+	source->magic = SOURCE_MAGIC;
+	source->type = ENTROPY_SOURCETYPE_FILE;
+	source->ent = ent;
+	source->total = 0;
+	source->bad = false;
+	memset(source->name, 0, sizeof(source->name));
+	ISC_LINK_INIT(source, link);
+	source->sources.file.handle = hcryptprov;
+
+	/*
+	 * Hook it into the entropy system.
+	 */
+	ISC_LIST_APPEND(ent->sources, source, link);
+	ent->nsources++;
+
+	UNLOCK(&ent->lock);
+	return (ISC_R_SUCCESS);
+
+ closecontext:
+	CryptReleaseContext(hcryptprov, 0);
+
+ errout:
+	if (source != NULL)
+		isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+	UNLOCK(&ent->lock);
+
+	return (ret);
+}
diff --git a/lib/isc/win32/errno.c b/lib/isc/win32/errno.c
new file mode 100644
index 0000000..74ebf0c
--- /dev/null
+++ b/lib/isc/win32/errno.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_errno_toresult(int err) {
+	return (isc__errno2resultx(err, false, 0, 0));
+}
diff --git a/lib/isc/win32/errno2result.c b/lib/isc/win32/errno2result.c
new file mode 100644
index 0000000..83dbb4e
--- /dev/null
+++ b/lib/isc/win32/errno2result.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdbool.h>
+
+#include <winsock2.h>
+#include "errno2result.h"
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+/*
+ * Convert a POSIX errno value into an isc_result_t.  The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc__errno2resultx(int posixerrno, bool dolog,
+		   const char *file, int line)
+{
+	char strbuf[ISC_STRERRORSIZE];
+
+	switch (posixerrno) {
+	case ENOTDIR:
+	case WSAELOOP:
+	case WSAEINVAL:
+	case EINVAL:		/* XXX sometimes this is not for files */
+	case ENAMETOOLONG:
+	case WSAENAMETOOLONG:
+	case EBADF:
+	case WSAEBADF:
+		return (ISC_R_INVALIDFILE);
+	case ENOENT:
+		return (ISC_R_FILENOTFOUND);
+	case EACCES:
+	case WSAEACCES:
+	case EPERM:
+		return (ISC_R_NOPERM);
+	case EEXIST:
+		return (ISC_R_FILEEXISTS);
+	case EIO:
+		return (ISC_R_IOERROR);
+	case ENOMEM:
+		return (ISC_R_NOMEMORY);
+#ifdef EOVERFLOW
+	case EOVERFLOW:
+		return (ISC_R_RANGE);
+#endif
+	case ENFILE:
+	case EMFILE:
+	case WSAEMFILE:
+		return (ISC_R_TOOMANYOPENFILES);
+	case ERROR_CANCELLED:
+		return (ISC_R_CANCELED);
+	case ERROR_CONNECTION_REFUSED:
+	case WSAECONNREFUSED:
+		return (ISC_R_CONNREFUSED);
+	case WSAENOTCONN:
+	case ERROR_CONNECTION_INVALID:
+		return (ISC_R_NOTCONNECTED);
+	case ERROR_HOST_UNREACHABLE:
+	case WSAEHOSTUNREACH:
+		return (ISC_R_HOSTUNREACH);
+	case ERROR_NETWORK_UNREACHABLE:
+	case WSAENETUNREACH:
+		return (ISC_R_NETUNREACH);
+	case ERROR_NO_NETWORK:
+		return (ISC_R_NETUNREACH);
+	case ERROR_PORT_UNREACHABLE:
+		return (ISC_R_HOSTUNREACH);
+	case ERROR_SEM_TIMEOUT:
+		return (ISC_R_TIMEDOUT);
+	case WSAECONNRESET:
+	case WSAENETRESET:
+	case WSAECONNABORTED:
+	case WSAEDISCON:
+	case ERROR_OPERATION_ABORTED:
+	case ERROR_CONNECTION_ABORTED:
+	case ERROR_REQUEST_ABORTED:
+		return (ISC_R_CONNECTIONRESET);
+	case WSAEADDRNOTAVAIL:
+		return (ISC_R_ADDRNOTAVAIL);
+	case ERROR_NETNAME_DELETED:
+	case WSAENETDOWN:
+		return (ISC_R_NETUNREACH);
+	case WSAEHOSTDOWN:
+		return (ISC_R_HOSTUNREACH);
+	case WSAENOBUFS:
+		return (ISC_R_NORESOURCES);
+	default:
+		if (dolog) {
+			isc__strerror(posixerrno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(file, line,
+					 "unable to convert errno "
+					 "to isc_result: %d: %s",
+					 posixerrno, strbuf);
+		}
+		/*
+		 * XXXDCL would be nice if perhaps this function could
+		 * return the system's error string, so the caller
+		 * might have something more descriptive than "unexpected
+		 * error" to log with.
+		 */
+		return (ISC_R_UNEXPECTED);
+	}
+}
diff --git a/lib/isc/win32/errno2result.h b/lib/isc/win32/errno2result.h
new file mode 100644
index 0000000..99752ae
--- /dev/null
+++ b/lib/isc/win32/errno2result.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef UNIX_ERRNO2RESULT_H
+#define UNIX_ERRNO2RESULT_H 1
+
+/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
+
+#include <errno.h>		/* Provides errno. */
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define isc__errno2result(posixerrno) \
+	isc__errno2resultx(posixerrno, true, __FILE__, __LINE__)
+
+isc_result_t
+isc__errno2resultx(int posixerrno, bool dolog,
+		   const char *file, int line);
+
+ISC_LANG_ENDDECLS
+
+#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
new file mode 100644
index 0000000..d281ba1
--- /dev/null
+++ b/lib/isc/win32/file.c
@@ -0,0 +1,928 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#undef rename
+#include <errno.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <io.h>
+#include <process.h>
+
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/utime.h>
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/sha2.h>
+#include <isc/stat.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+static const char alphnum[] =
+	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+/*
+ * Emulate UNIX mkstemp, which returns an open FD to the new file
+ *
+ */
+static int
+gettemp(char *path, bool binary, int *doopen) {
+	char *start, *trv;
+	struct stat sbuf;
+	int flags = O_CREAT|O_EXCL|O_RDWR;
+
+	if (binary)
+		flags |= _O_BINARY;
+
+	trv = strrchr(path, 'X');
+	trv++;
+	/* extra X's get set to 0's */
+	while (*--trv == 'X') {
+		uint32_t which;
+
+		isc_random_get(&which);
+		*trv = alphnum[which % (sizeof(alphnum) - 1)];
+	}
+	/*
+	 * check the target directory; if you have six X's and it
+	 * doesn't exist this runs for a *very* long time.
+	 */
+	for (start = trv + 1;; --trv) {
+		if (trv <= path)
+			break;
+		if (*trv == '\\') {
+			*trv = '\0';
+			if (stat(path, &sbuf))
+				return (0);
+			if (!S_ISDIR(sbuf.st_mode)) {
+				errno = ENOTDIR;
+				return (0);
+			}
+			*trv = '\\';
+			break;
+		}
+	}
+
+	for (;;) {
+		if (doopen) {
+			if ((*doopen =
+			    open(path, flags, _S_IREAD | _S_IWRITE)) >= 0)
+				return (1);
+			if (errno != EEXIST)
+				return (0);
+		} else if (stat(path, &sbuf))
+			return (errno == ENOENT ? 1 : 0);
+
+		/* tricky little algorithm for backward compatibility */
+		for (trv = start;;) {
+			if (!*trv)
+				return (0);
+			if (*trv == 'z')
+				*trv++ = 'a';
+			else {
+				if (isdigit(*trv))
+					*trv = 'a';
+				else
+					++*trv;
+				break;
+			}
+		}
+	}
+	/*NOTREACHED*/
+}
+
+static int
+mkstemp(char *path, bool binary) {
+	int fd;
+
+	return (gettemp(path, binary, &fd) ? fd : -1);
+}
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used.  But then you get into
+ * annoying MP issues.   BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(stats != NULL);
+
+	if (stat(file, stats) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+}
+
+static isc_result_t
+fd_stats(int fd, struct stat *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(stats != NULL);
+
+	if (fstat(fd, stats) != 0)
+		result = isc__errno2result(errno);
+
+	return (result);
+}
+
+isc_result_t
+isc_file_getsizefd(int fd, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(size != NULL);
+
+	result = fd_stats(fd, &stats);
+
+	if (result == ISC_R_SUCCESS)
+		*size = stats.st_size;
+	return (result);
+}
+
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(modep != NULL);
+
+	result = file_stats(file, &stats);
+	if (result == ISC_R_SUCCESS)
+		*modep = (stats.st_mode & 07777);
+	return (result);
+}
+
+/*
+ * isc_file_safemovefile is needed to be defined here to ensure that
+ * any file with the new name is renamed to a backup name and then the
+ * rename is done. If all goes well then the backup can be deleted,
+ * otherwise it gets renamed back.
+ */
+
+int
+isc_file_safemovefile(const char *oldname, const char *newname) {
+	BOOL filestatus;
+	char buf[512];
+	struct stat sbuf;
+	BOOL exists = FALSE;
+	int tmpfd;
+
+	/*
+	 * Make sure we have something to do
+	 */
+	if (stat(oldname, &sbuf) != 0) {
+		errno = ENOENT;
+		return (-1);
+	}
+
+	/*
+	 * Rename to a backup the new file if it still exists
+	 */
+	if (stat(newname, &sbuf) == 0) {
+		exists = TRUE;
+		strlcpy(buf, newname, sizeof(buf));
+		strlcat(buf, ".XXXXX", sizeof(buf));
+		tmpfd = mkstemp(buf, true);
+		if (tmpfd > 0)
+			_close(tmpfd);
+		(void)DeleteFile(buf);
+		_chmod(newname, _S_IREAD | _S_IWRITE);
+
+		filestatus = MoveFile(newname, buf);
+	}
+	/* Now rename the file to the new name
+	 */
+	_chmod(oldname, _S_IREAD | _S_IWRITE);
+
+	filestatus = MoveFile(oldname, newname);
+	if (filestatus == 0) {
+		/*
+		 * Try to rename the backup back to the original name
+		 * if the backup got created
+		 */
+		if (exists == TRUE) {
+			filestatus = MoveFile(buf, newname);
+			if (filestatus == 0)
+				errno = EACCES;
+		}
+		return (-1);
+	}
+
+	/*
+	 * Delete the backup file if it got created
+	 */
+	if (exists == TRUE)
+		(void)DeleteFile(buf);
+	return (0);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time) {
+	int fh;
+
+	REQUIRE(file != NULL);
+	REQUIRE(time != NULL);
+
+	if ((fh = open(file, _O_RDONLY | _O_BINARY)) < 0)
+		return (isc__errno2result(errno));
+
+	if (!GetFileTime((HANDLE) _get_osfhandle(fh),
+			 NULL,
+			 NULL,
+			 &time->absolute))
+	{
+		close(fh);
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
+	close(fh);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_getsize(const char *file, off_t *size) {
+	isc_result_t result;
+	struct stat stats;
+
+	REQUIRE(file != NULL);
+	REQUIRE(size != NULL);
+
+	result = file_stats(file, &stats);
+
+	if (result == ISC_R_SUCCESS)
+		*size = stats.st_size;
+
+	return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time) {
+	int fh;
+
+	REQUIRE(file != NULL && time != NULL);
+
+	if ((fh = open(file, _O_RDWR | _O_BINARY)) < 0)
+		return (isc__errno2result(errno));
+
+	/*
+	 * Set the date via the filedate system call and return.  Failing
+	 * this call implies the new file times are not supported by the
+	 * underlying file system.
+	 */
+	if (!SetFileTime((HANDLE) _get_osfhandle(fh),
+			 NULL,
+			 &time->absolute,
+			 &time->absolute))
+	{
+		close(fh);
+		errno = EINVAL;
+		return (isc__errno2result(errno));
+	}
+
+	close(fh);
+	return (ISC_R_SUCCESS);
+
+}
+
+#undef TEMPLATE
+#define TEMPLATE "XXXXXXXXXX.tmp" /* 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+	return (isc_file_template(path, TEMPLATE, buf, buflen));
+}
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+		  size_t buflen)
+{
+	char *s;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(buf != NULL);
+
+	if (path == NULL)
+		path = "";
+
+	s = strrchr(templet, '\\');
+	if (s != NULL)
+		templet = s + 1;
+
+	s = strrchr(path, '\\');
+
+	if (s != NULL) {
+		size_t prefixlen = s - path + 1;
+		if ((prefixlen + strlen(templet) + 1) > buflen)
+			return (ISC_R_NOSPACE);
+
+		/* Copy 'prefixlen' bytes and NUL terminate. */
+		strlcpy(buf, path, ISC_MIN(prefixlen + 1, buflen));
+		strlcat(buf, templet, buflen);
+	} else {
+		if ((strlen(templet) + 1) > buflen)
+			return (ISC_R_NOSPACE);
+
+		strlcpy(buf, templet, buflen);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet) {
+	int fd;
+	int res = 0;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(file != NULL);
+	REQUIRE(templet != NULL);
+
+	fd = mkstemp(templet, true);
+	if (fd == -1)
+		result = isc__errno2result(errno);
+	else
+		close(fd);
+
+	if (result == ISC_R_SUCCESS) {
+		res = isc_file_safemovefile(file, templet);
+		if (res != 0) {
+			result = isc__errno2result(errno);
+			(void)unlink(templet);
+		}
+	}
+	return (result);
+}
+
+static isc_result_t
+openuniquemode(char *templet, int mode, bool binary, FILE **fp) {
+	int fd;
+	FILE *f;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(templet != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	/*
+	 * Win32 does not have mkstemp. Using emulation above.
+	 */
+	fd = mkstemp(templet, binary);
+
+	if (fd == -1)
+		result = isc__errno2result(errno);
+	if (result == ISC_R_SUCCESS) {
+#if 1
+		UNUSED(mode);
+#else
+		(void)fchmod(fd, mode);
+#endif
+		f = fdopen(fd, binary ? "wb+" : "w+");
+		if (f == NULL) {
+			result = isc__errno2result(errno);
+			(void)remove(templet);
+			(void)close(fd);
+		} else
+			*fp = f;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc_file_openuniqueprivate(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_openuniquemode(char *templet, int mode, FILE **fp) {
+	return (openuniquemode(templet, mode, false, fp));
+}
+
+isc_result_t
+isc_file_bopenuniqueprivate(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_bopenunique(char *templet, FILE **fp) {
+	int mode = _S_IREAD | _S_IWRITE;
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_bopenuniquemode(char *templet, int mode, FILE **fp) {
+	return (openuniquemode(templet, mode, true, fp));
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+	int r;
+
+	REQUIRE(filename != NULL);
+
+	r = unlink(filename);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname) {
+	int r;
+
+	REQUIRE(oldname != NULL);
+	REQUIRE(newname != NULL);
+
+	r = isc_file_safemovefile(oldname, newname);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+bool
+isc_file_exists(const char *pathname) {
+	struct stat stats;
+
+	REQUIRE(pathname != NULL);
+
+	return (file_stats(pathname, &stats) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfile(const char *filename) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISREG(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isplainfilefd(int fd) {
+	/*
+	 * This function returns success if filename is a plain file.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((fstat(fd, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISREG(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_isdirectory(const char *filename) {
+	/*
+	 * This function returns success if filename is a directory.
+	 */
+	struct stat filestat;
+	memset(&filestat,0,sizeof(struct stat));
+
+	if ((stat(filename, &filestat)) == -1)
+		return(isc__errno2result(errno));
+
+	if(! S_ISDIR(filestat.st_mode))
+		return(ISC_R_INVALIDFILE);
+
+	return(ISC_R_SUCCESS);
+}
+
+
+bool
+isc_file_isabsolute(const char *filename) {
+	REQUIRE(filename != NULL);
+	/*
+	 * Look for c:\path\... style, c:/path/... or \\computer\shar\path...
+	 * the UNC style file specs
+	 */
+	if ((filename[0] == '\\') && (filename[1] == '\\'))
+		return (true);
+	if (isalpha(filename[0]) && filename[1] == ':' && filename[2] == '\\')
+		return (true);
+	if (isalpha(filename[0]) && filename[1] == ':' && filename[2] == '/')
+		return (true);
+	return (false);
+}
+
+bool
+isc_file_iscurrentdir(const char *filename) {
+	REQUIRE(filename != NULL);
+	return (filename[0] == '.' && filename[1] == '\0');
+}
+
+bool
+isc_file_ischdiridempotent(const char *filename) {
+	REQUIRE(filename != NULL);
+
+	if (isc_file_isabsolute(filename))
+		return (true);
+	if (filename[0] == '\\')
+		return (true);
+	if (filename[0] == '/')
+		return (true);
+	if (isc_file_iscurrentdir(filename))
+		return (true);
+	return (false);
+}
+
+const char *
+isc_file_basename(const char *filename) {
+	char *s;
+
+	REQUIRE(filename != NULL);
+
+	s = strrchr(filename, '\\');
+	if (s == NULL)
+		return (filename);
+	return (s + 1);
+}
+
+isc_result_t
+isc_file_progname(const char *filename, char *progname, size_t namelen) {
+	const char *s;
+	const char *p;
+	size_t len;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(progname != NULL);
+
+	/*
+	 * Strip the path from the name
+	 */
+	s = isc_file_basename(filename);
+	if (s == NULL) {
+		return (ISC_R_NOSPACE);
+	}
+
+	/*
+	 * Strip any and all suffixes
+	 */
+	p = strchr(s, '.');
+	if (p == NULL) {
+		if (namelen <= strlen(s))
+			return (ISC_R_NOSPACE);
+
+		strlcpy(progname, s, namelen);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * Copy the result to the buffer
+	 */
+	len = p - s;
+	if (len >= namelen)
+		return (ISC_R_NOSPACE);
+
+	/* Copy up to 'len' bytes and NUL terminate. */
+	strlcpy(progname, s, ISC_MIN(len + 1, namelen));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
+	char *ptrname;
+	DWORD retval;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(path != NULL);
+
+	retval = GetFullPathName(filename, (DWORD) pathlen, path, &ptrname);
+
+	/* Something went wrong in getting the path */
+	if (retval == 0)
+		return (ISC_R_NOTFOUND);
+	/* Caller needs to provide a larger buffer to contain the string */
+	if (retval >= pathlen)
+		return (ISC_R_NOSPACE);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+	int fh;
+
+	REQUIRE(filename != NULL && size >= 0);
+
+	if ((fh = open(filename, _O_RDWR | _O_BINARY)) < 0)
+		return (isc__errno2result(errno));
+
+	if(_chsize(fh, size) != 0) {
+		close(fh);
+		return (isc__errno2result(errno));
+	}
+	close(fh);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_safecreate(const char *filename, FILE **fp) {
+	isc_result_t result;
+	int flags;
+	struct stat sb;
+	FILE *f;
+	int fd;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(fp != NULL && *fp == NULL);
+
+	result = file_stats(filename, &sb);
+	if (result == ISC_R_SUCCESS) {
+		if ((sb.st_mode & S_IFREG) == 0)
+			return (ISC_R_INVALIDFILE);
+		flags = O_WRONLY | O_TRUNC;
+	} else if (result == ISC_R_FILENOTFOUND) {
+		flags = O_WRONLY | O_CREAT | O_EXCL;
+	} else
+		return (result);
+
+	fd = open(filename, flags, S_IRUSR | S_IWUSR);
+	if (fd == -1)
+		return (isc__errno2result(errno));
+
+	f = fdopen(fd, "w");
+	if (f == NULL) {
+		result = isc__errno2result(errno);
+		close(fd);
+		return (result);
+	}
+
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_splitpath(isc_mem_t *mctx, const char *path, char **dirname,
+		   char const ** basename)
+{
+	char *dir;
+	const char *file, *slash;
+	char *backslash;
+
+	slash = strrchr(path, '/');
+
+	backslash = strrchr(path, '\\');
+	if ((slash != NULL && backslash != NULL && backslash > slash) ||
+	    (slash == NULL && backslash != NULL))
+		slash = backslash;
+
+	if (slash == path) {
+		file = ++slash;
+		dir = isc_mem_strdup(mctx, "/");
+	} else if (slash != NULL) {
+		file = ++slash;
+		dir = isc_mem_allocate(mctx, slash - path);
+		if (dir != NULL)
+			strlcpy(dir, path, slash - path);
+	} else {
+		file = path;
+		dir = isc_mem_strdup(mctx, ".");
+	}
+
+	if (dir == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (*file == '\0') {
+		isc_mem_free(mctx, dir);
+		return (ISC_R_INVALIDFILE);
+	}
+
+	*dirname = dir;
+	*basename = file;
+
+	return (ISC_R_SUCCESS);
+}
+
+void *
+isc_file_mmap(void *addr, size_t len, int prot,
+	      int flags, int fd, off_t offset)
+{
+	void *buf;
+	ssize_t ret;
+	off_t end;
+
+	UNUSED(addr);
+	UNUSED(prot);
+	UNUSED(flags);
+
+	end = lseek(fd, 0, SEEK_END);
+	lseek(fd, offset, SEEK_SET);
+	if (end - offset < (off_t) len)
+		len = end - offset;
+
+	buf = malloc(len);
+	if (buf == NULL)
+		return (NULL);
+
+	ret = read(fd, buf, (unsigned int) len);
+	if (ret != (ssize_t) len) {
+		free(buf);
+		buf = NULL;
+	}
+
+	return (buf);
+}
+
+int
+isc_file_munmap(void *addr, size_t len) {
+	UNUSED(len);
+	free(addr);
+	return (0);
+}
+
+#define DISALLOW "\\/:ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+#ifndef PATH_MAX
+#define PATH_MAX 1024
+#endif
+
+isc_result_t
+isc_file_sanitize(const char *dir, const char *base, const char *ext,
+		  char *path, size_t length)
+{
+	char buf[PATH_MAX], hash[ISC_SHA256_DIGESTSTRINGLENGTH];
+	size_t l = 0;
+
+	REQUIRE(base != NULL);
+	REQUIRE(path != NULL);
+
+	l = strlen(base) + 1;
+
+	/*
+	 * allow room for a full sha256 hash (64 chars
+	 * plus null terminator)
+	 */
+	if (l < 65)
+		l = 65;
+
+	if (dir != NULL)
+		l += strlen(dir) + 1;
+	if (ext != NULL)
+		l += strlen(ext) + 1;
+
+	if (l > length || l > PATH_MAX)
+		return (ISC_R_NOSPACE);
+
+	/* Check whether the full-length SHA256 hash filename exists */
+	isc_sha256_data((const void *) base, strlen(base), hash);
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		hash, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for a truncated SHA256 hash filename */
+	hash[16] = '\0';
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		hash, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	if (isc_file_exists(buf)) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	/*
+	 * If neither hash filename already exists, then we'll use
+	 * the original base name if it has no disallowed characters,
+	 * or the truncated hash name if it does.
+	 */
+	if (strpbrk(base, DISALLOW) != NULL) {
+		strlcpy(path, buf, length);
+		return (ISC_R_SUCCESS);
+	}
+
+	snprintf(buf, sizeof(buf), "%s%s%s%s%s",
+		dir != NULL ? dir : "", dir != NULL ? "/" : "",
+		base, ext != NULL ? "." : "", ext != NULL ? ext : "");
+	strlcpy(path, buf, length);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Based on http://blog.aaronballman.com/2011/08/how-to-check-access-rights/
+ */
+bool
+isc_file_isdirwritable(const char *path) {
+	DWORD length = 0;
+	HANDLE hToken = NULL;
+	PSECURITY_DESCRIPTOR security = NULL;
+	bool answer = false;
+
+	if (isc_file_isdirectory(path) != ISC_R_SUCCESS) {
+		return (answer);
+	}
+
+	/*
+	 * Figure out buffer size. GetFileSecurity() should not succeed.
+	 */
+	if (GetFileSecurity(path, OWNER_SECURITY_INFORMATION |
+				  GROUP_SECURITY_INFORMATION |
+				  DACL_SECURITY_INFORMATION,
+			    NULL, 0, &length))
+	{
+		return (answer);
+	}
+
+	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
+		return (answer);
+	}
+
+	security = malloc(length);
+	if (security == NULL) {
+		return (answer);
+	}
+
+	/*
+	 * GetFileSecurity() should succeed.
+	 */
+	if (!GetFileSecurity(path, OWNER_SECURITY_INFORMATION |
+				   GROUP_SECURITY_INFORMATION |
+				   DACL_SECURITY_INFORMATION,
+			     security, length, &length))
+	{
+		return (answer);
+	}
+
+	if (OpenProcessToken(GetCurrentProcess(), TOKEN_IMPERSONATE |
+			     TOKEN_QUERY | TOKEN_DUPLICATE |
+			     STANDARD_RIGHTS_READ, &hToken))
+	{
+		HANDLE hImpersonatedToken = NULL;
+
+		if (DuplicateToken(hToken, SecurityImpersonation,
+				   &hImpersonatedToken))
+		{
+			GENERIC_MAPPING mapping;
+			PRIVILEGE_SET privileges = { 0 };
+			DWORD grantedAccess = 0;
+			DWORD privilegesLength = sizeof(privileges);
+			BOOL result = FALSE;
+			DWORD genericAccessRights = GENERIC_WRITE;
+
+			mapping.GenericRead = FILE_GENERIC_READ;
+			mapping.GenericWrite = FILE_GENERIC_WRITE;
+			mapping.GenericExecute = FILE_GENERIC_EXECUTE;
+			mapping.GenericAll = FILE_ALL_ACCESS;
+
+			MapGenericMask(&genericAccessRights, &mapping);
+			if (AccessCheck(security, hImpersonatedToken,
+					genericAccessRights, &mapping,
+					&privileges, &privilegesLength,
+					&grantedAccess, &result))
+			{
+				answer = result;
+			}
+			CloseHandle(hImpersonatedToken);
+		}
+		CloseHandle(hToken);
+	}
+	free(security);
+	return (answer);
+}
diff --git a/lib/isc/win32/fsaccess.c b/lib/isc/win32/fsaccess.c
new file mode 100644
index 0000000..164985d
--- /dev/null
+++ b/lib/isc/win32/fsaccess.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * Note that Win32 does not have the concept of files having access
+ * and ownership bits.  The FAT File system only has a readonly flag
+ * for everyone and that's all. NTFS uses ACL's which is a totally
+ * different concept of controlling access.
+ *
+ * This code needs to be revisited to set up proper access control for
+ * NTFS file systems.  Nothing can be done for FAT file systems.
+ */
+
+#include <config.h>
+
+#include <aclapi.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <io.h>
+#include <errno.h>
+#include <stdbool.h>
+
+#include <isc/file.h>
+#include <isc/stat.h>
+#include <isc/string.h>
+
+#include "errno2result.h"
+
+/*
+ * The OS-independent part of the API is in lib/isc.
+ */
+#include "../fsaccess.c"
+
+/* Store the user account name locally */
+static char username[255] = "\0";
+static DWORD namelen = 0;
+
+/*
+ * In order to set or retrieve access information, we need to obtain
+ * the File System type.  These could be UNC-type shares.
+ */
+
+BOOL
+is_ntfs(const char * file) {
+
+	char drive[255];
+	char FSType[20];
+	char tmpbuf[256];
+	char *machinename;
+	char *sharename;
+	char filename[1024];
+
+	REQUIRE(filename != NULL);
+
+	if (isc_file_absolutepath(file, filename,
+		sizeof(filename)) != ISC_R_SUCCESS) {
+		return (FALSE);
+	}
+
+	/*
+	 * Look for c:\path\... style, c:/path/... or \\computer\shar\path...
+	 * the UNC style file specs
+	 */
+	if (isalpha(filename[0]) && filename[1] == ':' &&
+		(filename[2] == '\\' || filename[2] == '/')) {
+		/* Copy 'c:\' or 'c:/' and NUL terminate. */
+		strlcpy(drive, filename, ISC_MIN(3 + 1, sizeof(drive)));
+	} else if ((filename[0] == '\\') && (filename[1] == '\\')) {
+		/* Find the machine and share name and rebuild the UNC */
+		strlcpy(tmpbuf, filename, sizeof(tmpbuf));
+		machinename = strtok(tmpbuf, "\\");
+		sharename = strtok(NULL, "\\");
+		strlcpy(drive, "\\\\", sizeof(drive));
+		strlcat(drive, machinename, sizeof(drive));
+		strlcat(drive, "\\", sizeof(drive));
+		strlcat(drive, sharename, sizeof(drive));
+		strlcat(drive, "\\", sizeof(drive));
+
+	} else /* Not determinable */
+		return (FALSE);
+
+	GetVolumeInformation(drive, NULL, 0, NULL, 0, NULL, FSType,
+			     sizeof(FSType));
+	if (strcmp(FSType, "NTFS") == 0)
+		return (TRUE);
+	else
+		return (FALSE);
+}
+
+/*
+ * If it's not NTFS, we assume that it is FAT and proceed
+ * with almost nothing to do. Only the write flag can be set or
+ * cleared.
+ */
+isc_result_t
+FAT_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	int mode;
+	isc_fsaccess_t bits;
+
+	/*
+	 * Done with checking bad bits.  Set mode_t.
+	 */
+	mode = 0;
+
+#define SET_AND_CLEAR1(modebit) \
+	if ((access & bits) != 0) { \
+		mode |= modebit; \
+		access &= ~bits; \
+	}
+#define SET_AND_CLEAR(user, group, other) \
+	SET_AND_CLEAR1(user); \
+	bits <<= STEP; \
+	SET_AND_CLEAR1(group); \
+	bits <<= STEP; \
+	SET_AND_CLEAR1(other);
+
+	bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
+
+	SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
+
+	bits = ISC_FSACCESS_WRITE |
+	       ISC_FSACCESS_CREATECHILD |
+	       ISC_FSACCESS_DELETECHILD;
+
+	SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
+
+	INSIST(access == 0);
+
+	if (_chmod(path, mode) < 0)
+		return (isc__errno2result(errno));
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_Access_Control(const char *filename, const char *user, int access,
+		    bool isdir) {
+	SECURITY_DESCRIPTOR sd;
+	BYTE aclBuffer[1024];
+	PACL pacl=(PACL)&aclBuffer;
+	BYTE sidBuffer[100];
+	PSID psid=(PSID) &sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	BYTE adminSidBuffer[100];
+	PSID padminsid=(PSID) &adminSidBuffer;
+	DWORD adminSidBufferSize = sizeof(adminSidBuffer);
+	BYTE otherSidBuffer[100];
+	PSID pothersid=(PSID) &otherSidBuffer;
+	DWORD otherSidBufferSize = sizeof(otherSidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	DWORD NTFSbits;
+	int caccess;
+
+
+	/* Initialize an ACL */
+	if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
+		return (ISC_R_NOPERM);
+	if (!InitializeAcl(pacl, sizeof(aclBuffer), ACL_REVISION))
+		return (ISC_R_NOPERM);
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+			  &domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", padminsid,
+		&adminSidBufferSize, domainBuffer, &domainBufferSize, &snu)) {
+		(void)GetLastError();
+		return (ISC_R_NOPERM);
+	}
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Everyone", pothersid,
+		&otherSidBufferSize, domainBuffer, &domainBufferSize, &snu)) {
+		(void)GetLastError();
+		return (ISC_R_NOPERM);
+	}
+
+	caccess = access;
+	/* Owner check */
+
+	NTFSbits = 0;
+	if (caccess & ISC_FSACCESS_READ)
+		NTFSbits |= FILE_GENERIC_READ;
+	if (caccess & ISC_FSACCESS_WRITE)
+		NTFSbits |= FILE_GENERIC_WRITE;
+	if (caccess & ISC_FSACCESS_EXECUTE)
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+
+	/* For directories check the directory-specific bits */
+	if (isdir == true) {
+		if (caccess & ISC_FSACCESS_CREATECHILD)
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		if (caccess & ISC_FSACCESS_DELETECHILD)
+			NTFSbits |= FILE_DELETE_CHILD;
+		if (caccess & ISC_FSACCESS_LISTDIRECTORY)
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		if (caccess & ISC_FSACCESS_ACCESSCHILD)
+			NTFSbits |= FILE_TRAVERSE;
+	}
+
+	if (NTFSbits == (FILE_GENERIC_READ | FILE_GENERIC_WRITE
+		     | FILE_GENERIC_EXECUTE))
+		     NTFSbits |= FILE_ALL_ACCESS;
+	/*
+	 * Owner and Administrator also get STANDARD_RIGHTS_ALL
+	 * to ensure that they have full control
+	 */
+
+	NTFSbits |= STANDARD_RIGHTS_ALL;
+
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, psid))
+		return (ISC_R_NOPERM);
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits, padminsid))
+		return (ISC_R_NOPERM);
+
+	/*
+	 * Group is ignored since we can be in multiple groups or no group
+	 * and its meaning is not clear on Win32
+	 */
+
+	caccess = caccess >> STEP;
+
+	/*
+	 * Other check.  We translate this to be the same as Everyone
+	 */
+
+	caccess = caccess >> STEP;
+
+	NTFSbits = 0;
+	if (caccess & ISC_FSACCESS_READ)
+		NTFSbits |= FILE_GENERIC_READ;
+	if (caccess & ISC_FSACCESS_WRITE)
+		NTFSbits |= FILE_GENERIC_WRITE;
+	if (caccess & ISC_FSACCESS_EXECUTE)
+		NTFSbits |= FILE_GENERIC_EXECUTE;
+
+	/* For directories check the directory-specific bits */
+	if (isdir == TRUE) {
+		if (caccess & ISC_FSACCESS_CREATECHILD)
+			NTFSbits |= FILE_ADD_SUBDIRECTORY | FILE_ADD_FILE;
+		if (caccess & ISC_FSACCESS_DELETECHILD)
+			NTFSbits |= FILE_DELETE_CHILD;
+		if (caccess & ISC_FSACCESS_LISTDIRECTORY)
+			NTFSbits |= FILE_LIST_DIRECTORY;
+		if (caccess & ISC_FSACCESS_ACCESSCHILD)
+			NTFSbits |= FILE_TRAVERSE;
+	}
+	/* Add the ACE to the ACL */
+	if (!AddAccessAllowedAce(pacl, ACL_REVISION, NTFSbits,
+				 pothersid))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE))
+		return (ISC_R_NOPERM);
+	if (!SetFileSecurity(filename, DACL_SECURITY_INFORMATION, &sd)) {
+		return (ISC_R_NOPERM);
+	}
+
+	return(ISC_R_SUCCESS);
+}
+
+isc_result_t
+NTFS_fsaccess_set(const char *path, isc_fsaccess_t access,
+		  bool isdir){
+
+	/*
+	 * For NTFS we first need to get the name of the account under
+	 * which BIND is running
+	 */
+	if (namelen == 0) {
+		namelen = sizeof(username);
+		if (GetUserName(username, &namelen) == 0)
+			return (ISC_R_FAILURE);
+	}
+	return (NTFS_Access_Control(path, username, access, isdir));
+}
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+	struct stat statb;
+	bool is_dir = false;
+	isc_result_t result;
+
+	if (stat(path, &statb) != 0)
+		return (isc__errno2result(errno));
+
+	if ((statb.st_mode & S_IFDIR) != 0)
+		is_dir = true;
+	else if ((statb.st_mode & S_IFREG) == 0)
+		return (ISC_R_INVALIDFILE);
+
+	result = check_bad_bits(access, is_dir);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the permissions
+	 */
+	if (is_ntfs(path))
+		return (NTFS_fsaccess_set(path, access, is_dir));
+	else
+		return (FAT_fsaccess_set(path, access));
+}
+
+isc_result_t
+isc_fsaccess_changeowner(const char *filename, const char *user) {
+	SECURITY_DESCRIPTOR psd;
+	BYTE sidBuffer[500];
+	BYTE groupBuffer[500];
+	PSID psid=(PSID) &sidBuffer;
+	DWORD sidBufferSize = sizeof(sidBuffer);
+	char domainBuffer[100];
+	DWORD domainBufferSize = sizeof(domainBuffer);
+	SID_NAME_USE snu;
+	PSID pSidGroup = (PSID) &groupBuffer;
+	DWORD groupBufferSize = sizeof(groupBuffer);
+
+
+	/*
+	 * Determine if this is a FAT or NTFS disk and
+	 * call the appropriate function to set the ownership
+	 * FAT disks do not have ownership attributes so it's
+	 * a noop.
+	 */
+	if (is_ntfs(filename) == FALSE)
+		return (ISC_R_SUCCESS);
+
+	if (!InitializeSecurityDescriptor(&psd, SECURITY_DESCRIPTOR_REVISION))
+		return (ISC_R_NOPERM);
+
+	if (!LookupAccountName(0, user, psid, &sidBufferSize, domainBuffer,
+		&domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+
+	/* Make sure administrators can get to it */
+	domainBufferSize = sizeof(domainBuffer);
+	if (!LookupAccountName(0, "Administrators", pSidGroup,
+		&groupBufferSize, domainBuffer, &domainBufferSize, &snu))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorOwner(&psd, psid, FALSE))
+		return (ISC_R_NOPERM);
+
+	if (!SetSecurityDescriptorGroup(&psd, pSidGroup, FALSE))
+		return (ISC_R_NOPERM);
+
+	if (!SetFileSecurity(filename,
+		OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION,
+		&psd))
+		return (ISC_R_NOPERM);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/include/Makefile.in b/lib/isc/win32/include/Makefile.in
new file mode 100644
index 0000000..2cbf021
--- /dev/null
+++ b/lib/isc/win32/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc pkcs11
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/win32/include/isc/Makefile.in b/lib/isc/win32/include/isc/Makefile.in
new file mode 100644
index 0000000..a7c0243
--- /dev/null
+++ b/lib/isc/win32/include/isc/Makefile.in
@@ -0,0 +1,30 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	dir.h keyboard.h mutex.h net.h netdb.h once.h \
+		stat.h stdtime.h thread.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}\isc
+
+install:: installdirs
+	for i in $(HEADERS); do \
+		$(INSTALL_DATA) $(srcdir)\$$i $(includedir)\isc || exit 1; \
+	done
diff --git a/lib/isc/win32/include/isc/atomic.h b/lib/isc/win32/include/isc/atomic.h
new file mode 100644
index 0000000..4b3d92d
--- /dev/null
+++ b/lib/isc/win32/include/isc/atomic.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+#ifdef ISC_PLATFORM_HAVEXADD
+static __inline int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	return (int32_t) _InterlockedExchangeAdd((long *)p, (long)val);
+}
+#endif
+
+#ifdef ISC_PLATFORM_HAVEXADDQ
+static __inline int64_t
+isc_atomic_xaddq(int64_t *p, int64_t val) {
+	return (int64_t) _InterlockedExchangeAdd64((__int64 *)p,
+						       (__int64) val);
+}
+#endif
+
+/*
+ * This routine atomically stores the value 'val' in 'p' (32-bit version).
+ */
+#ifdef ISC_PLATFORM_HAVEATOMICSTORE
+static __inline void
+isc_atomic_store(int32_t *p, int32_t val) {
+	(void) _InterlockedExchange((long *)p, (long)val);
+}
+#endif
+
+/*
+ * This routine atomically stores the value 'val' in 'p' (64-bit version).
+ */
+#ifdef ISC_PLATFORM_HAVEATOMICSTOREQ
+static __inline void
+isc_atomic_storeq(int64_t *p, int64_t val) {
+	(void) _InterlockedExchange64((__int64 *)p, (__int64)val);
+}
+#endif
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+#ifdef ISC_PLATFORM_HAVECMPXCHG
+static __inline int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	/* beware: swap arguments */
+	return (int32_t) _InterlockedCompareExchange((long *)p,
+							 (long)val,
+							 (long)cmpval);
+}
+#endif
+
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/win32/include/isc/bind_registry.h b/lib/isc/win32/include/isc/bind_registry.h
new file mode 100644
index 0000000..57970be
--- /dev/null
+++ b/lib/isc/win32/include/isc/bind_registry.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_BINDREGISTRY_H
+#define ISC_BINDREGISTRY_H
+
+/*
+ * BIND makes use of the following Registry keys in various places, especially
+ * during startup and installation
+ */
+
+#define BIND_SUBKEY		"Software\\ISC\\BIND"
+#define BIND_SESSION		"CurrentSession"
+#define BIND_SESSION_SUBKEY	"Software\\ISC\\BIND\\CurrentSession"
+#define BIND_UNINSTALL_SUBKEY	\
+	"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ISC BIND"
+
+#define EVENTLOG_APP_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application"
+#define BIND_MESSAGE_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\named"
+#define BIND_MESSAGE_NAME	"named"
+
+#define BIND_SERVICE_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\named"
+
+
+#define BIND_CONFIGFILE		0
+#define BIND_DEBUGLEVEL		1
+#define BIND_QUERYLOG		2
+#define BIND_FOREGROUND		3
+#define BIND_PORT		4
+
+#endif /* ISC_BINDREGISTRY_H */
diff --git a/lib/isc/win32/include/isc/bindevt.h b/lib/isc/win32/include/isc/bindevt.h
new file mode 100644
index 0000000..d4088e8
--- /dev/null
+++ b/lib/isc/win32/include/isc/bindevt.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_BINDEVT_H
+#define ISC_BINDEVT_H 1
+
+/*
+ * This is used for the event log for both logging the messages and
+ * later on by the event viewer when looking at the events
+ */
+
+/*
+ * Values are 32 bit values layed out as follows:
+ *
+ *   3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
+ *   1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ *  +---+-+-+-----------------------+-------------------------------+
+ *  |Sev|C|R|     Facility          |               Code            |
+ *  +---+-+-+-----------------------+-------------------------------+
+ *
+ *  where
+ *
+ *      Sev - is the severity code
+ *
+ *          00 - Success
+ *          01 - Informational
+ *          10 - Warning
+ *          11 - Error
+ *
+ *      C - is the Customer code flag
+ *
+ *      R - is a reserved bit
+ *
+ *      Facility - is the facility code
+ *
+ *      Code - is the facility's status code
+ *
+ *
+ * Define the facility codes
+ */
+
+
+/*
+ * Define the severity codes
+ */
+
+
+/*
+ * MessageId: BIND_ERR_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_ERR_MSG		((DWORD)0xC0000001L)
+
+/*
+ * MessageId: BIND_WARN_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_WARN_MSG		((DWORD)0x80000002L)
+
+/*
+ * MessageId: BIND_INFO_MSG
+ *
+ * MessageText:
+ *
+ *  %1
+ */
+#define BIND_INFO_MSG		((DWORD)0x40000003L)
+
+#endif /* ISC_BINDEVT_H */
diff --git a/lib/isc/win32/include/isc/condition.h b/lib/isc/win32/include/isc/condition.h
new file mode 100644
index 0000000..1f5b2d6
--- /dev/null
+++ b/lib/isc/win32/include/isc/condition.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/thread.h>
+#include <isc/types.h>
+
+typedef struct isc_condition_thread isc_condition_thread_t;
+
+struct isc_condition_thread {
+	unsigned long				th;
+	HANDLE					handle[2];
+	ISC_LINK(isc_condition_thread_t)	link;
+
+};
+
+typedef struct isc_condition {
+	HANDLE 		events[2];
+	unsigned int	waiters;
+	ISC_LIST(isc_condition_thread_t) threadlist;
+} isc_condition_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_init(isc_condition_t *);
+
+isc_result_t
+isc_condition_wait(isc_condition_t *, isc_mutex_t *);
+
+isc_result_t
+isc_condition_signal(isc_condition_t *);
+
+isc_result_t
+isc_condition_broadcast(isc_condition_t *);
+
+isc_result_t
+isc_condition_destroy(isc_condition_t *);
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CONDITION_H */
diff --git a/lib/isc/win32/include/isc/dir.h b/lib/isc/win32/include/isc/dir.h
new file mode 100644
index 0000000..7370fa6
--- /dev/null
+++ b/lib/isc/win32/include/isc/dir.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_DIR_H
+#define ISC_DIR_H 1
+
+#include <windows.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+#define ISC_DIR_NAMEMAX _MAX_FNAME
+#define ISC_DIR_PATHMAX _MAX_PATH
+
+typedef struct {
+	char 		name[ISC_DIR_NAMEMAX];
+	unsigned int	length;
+	WIN32_FIND_DATA	find_data;
+} isc_direntry_t;
+
+typedef struct {
+	unsigned int	magic;
+	char		dirname[ISC_DIR_PATHMAX];
+	isc_direntry_t	entry;
+	bool	entry_filled;
+	HANDLE        	search_handle;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_dir_init(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname);
+
+isc_result_t
+isc_dir_read(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_reset(isc_dir_t *dir);
+
+void
+isc_dir_close(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_chdir(const char *dirname);
+
+isc_result_t
+isc_dir_chroot(const char *dirname);
+
+isc_result_t
+isc_dir_createunique(char *templet);
+/*
+ * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
+ * named, empty directory.  The templet string is modified in place.
+ * If result == ISC_R_SUCCESS, it is the name of the directory that was
+ * created.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_DIR_H */
diff --git a/lib/isc/win32/include/isc/ipv6.h b/lib/isc/win32/include/isc/ipv6.h
new file mode 100644
index 0000000..bee1bd0
--- /dev/null
+++ b/lib/isc/win32/include/isc/ipv6.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_IPV6_H
+#define ISC_IPV6_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * IPv6 definitions for systems which do not support IPv6.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	RFC2553.
+ */
+
+#if _MSC_VER < 1300
+#define in6_addr in_addr6
+#endif
+
+#ifndef IN6ADDR_ANY_INIT
+#define IN6ADDR_ANY_INIT 	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}
+#endif
+#ifndef IN6ADDR_LOOPBACK_INIT
+#define IN6ADDR_LOOPBACK_INIT 	{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}
+#endif
+#ifndef IN6ADDR_V4MAPPED_INIT
+#define IN6ADDR_V4MAPPED_INIT 	{{ 0,0,0,0,0,0,0,0,0,0,0xff,0xff,0,0,0,0 }}
+#endif
+
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr isc_in6addr_loopback;
+
+/*
+ * Unspecified
+ */
+#ifndef IN6_IS_ADDR_UNSPECIFIED
+#define IN6_IS_ADDR_UNSPECIFIED(a) (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) == 0 \
+)
+#endif
+
+/*
+ * Loopback
+ */
+#ifndef IN6_IS_ADDR_LOOPBACK
+#define IN6_IS_ADDR_LOOPBACK(a) (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) == htonl(1) \
+)
+#endif
+
+/*
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a)  (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == 0 && \
+*((u_long *)((a)->s6_addr) + 3) != 0 && \
+*((u_long *)((a)->s6_addr) + 3) != htonl(1) \
+)
+
+/*
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a) (\
+*((u_long *)((a)->s6_addr)    ) == 0 && \
+*((u_long *)((a)->s6_addr) + 1) == 0 && \
+*((u_long *)((a)->s6_addr) + 2) == htonl(0x0000ffff))
+
+/*
+ * Multicast
+ */
+#define IN6_IS_ADDR_MULTICAST(a)	\
+	((a)->s6_addr[0] == 0xffU)
+
+/*
+ * Unicast link / site local.
+ */
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a)	(\
+       ((a)->s6_addr[0] == 0xfe) && \
+       (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a)	(\
+       ((a)->s6_addr[0] == 0xfe) && \
+       (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif
+
+#endif /* ISC_IPV6_H */
diff --git a/lib/isc/win32/include/isc/keyboard.h b/lib/isc/win32/include/isc/keyboard.h
new file mode 100644
index 0000000..009523a
--- /dev/null
+++ b/lib/isc/win32/include/isc/keyboard.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_KEYBOARD_H
+#define ISC_KEYBOARD_H 1
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	int fd;
+	isc_result_t result;
+} isc_keyboard_t;
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard);
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds);
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp);
+
+bool
+isc_keyboard_canceled(isc_keyboard_t *keyboard);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_KEYBOARD_H */
diff --git a/lib/isc/win32/include/isc/mutex.h b/lib/isc/win32/include/isc/mutex.h
new file mode 100644
index 0000000..6815741
--- /dev/null
+++ b/lib/isc/win32/include/isc/mutex.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+#include <isc/net.h>
+#include <windows.h>
+
+#include <isc/result.h>
+
+typedef CRITICAL_SECTION isc_mutex_t;
+
+/*
+ * This definition is here since some versions of WINBASE.H
+ * omits it for some reason.
+ */
+#if (_WIN32_WINNT < 0x0400)
+WINBASEAPI BOOL WINAPI
+TryEnterCriticalSection(LPCRITICAL_SECTION lpCriticalSection);
+#endif /* _WIN32_WINNT < 0x0400 */
+
+#define isc_mutex_init(mp) \
+	(InitializeCriticalSection((mp)), ISC_R_SUCCESS)
+#define isc_mutex_lock(mp) \
+	(EnterCriticalSection((mp)), ISC_R_SUCCESS)
+#define isc_mutex_unlock(mp) \
+	(LeaveCriticalSection((mp)), ISC_R_SUCCESS)
+#define isc_mutex_trylock(mp) \
+	(TryEnterCriticalSection((mp)) ? ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#define isc_mutex_destroy(mp) \
+	(DeleteCriticalSection((mp)), ISC_R_SUCCESS)
+
+/*
+ * This is a placeholder for now since we are not keeping any mutex stats
+ */
+#define isc_mutex_stats(fp) do {} while (0)
+
+#endif /* ISC_MUTEX_H */
diff --git a/lib/isc/win32/include/isc/net.h b/lib/isc/win32/include/isc/net.h
new file mode 100644
index 0000000..9712a6a
--- /dev/null
+++ b/lib/isc/win32/include/isc/net.h
@@ -0,0 +1,431 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef ISC_NET_H
+#define ISC_NET_H 1
+
+/*
+ * Also define LWRES_IPV6_H to keep it from being included if liblwres is
+ * being used, or redefinition errors will occur.
+ */
+#define LWRES_IPV6_H 1
+
+
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *		struct in_addr
+ *		struct in6_addr
+ *		struct in6_pktinfo
+ *		struct sockaddr
+ *		struct sockaddr_in
+ *		struct sockaddr_in6
+ *		in_port_t
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares inet_aton(), inet_ntop(), and inet_pton().
+ *
+ * It ensures that INADDR_ANY, IN6ADDR_ANY_INIT, in6addr_any, and
+ * in6addr_loopback are available.
+ *
+ * It ensures that IN_MULTICAST() is available to check for multicast
+ * addresses.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	BSD Socket API
+ *	RFC2553
+ */
+
+/***
+ *** Imports.
+ ***/
+#include <inttypes.h>
+
+#include <isc/platform.h>
+
+/*
+ * Because of some sort of problem in the MS header files, this cannot
+ * be simple "#include <winsock2.h>", because winsock2.h tries to include
+ * windows.h, which then generates an error out of mswsock.h.  _You_
+ * figure it out.
+ */
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
+#endif
+
+#include <winsock2.h>
+
+#include <sys/types.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <ws2tcpip.h>
+#include <isc/ipv6.h>
+
+/*
+ * This is here because named client, interfacemgr.c, etc. use the name as
+ * a variable
+ */
+#undef interface
+
+#ifndef INADDR_ANY
+#define INADDR_ANY 0x00000000UL
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+struct in6_pktinfo {
+	struct in6_addr ipi6_addr;    /* src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /* send/recv interface index */
+};
+#endif
+
+#if _MSC_VER < 1300
+#define in6addr_any isc_in6addr_any
+#define in6addr_loopback isc_in6addr_loopback
+#endif
+
+/*
+ * Ensure type in_port_t is defined.
+ */
+#ifdef ISC_PLATFORM_NEEDPORTT
+typedef uint16_t in_port_t;
+#endif
+
+/*
+ * If this system does not have MSG_TRUNC (as returned from recvmsg())
+ * ISC_PLATFORM_RECVOVERFLOW will be defined.  This will enable the MSG_TRUNC
+ * faking code in socket.c.
+ */
+#ifndef MSG_TRUNC
+#define ISC_PLATFORM_RECVOVERFLOW
+#endif
+
+#define ISC__IPADDR(x)	((uint32_t)htonl((uint32_t)(x)))
+
+#define ISC_IPADDR_ISMULTICAST(i) \
+		(((uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+		 == ISC__IPADDR(0xe0000000))
+
+#define ISC_IPADDR_ISEXPERIMENTAL(i) \
+		(((uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+		 == ISC__IPADDR(0xf0000000))
+
+/*
+ * Fix the FD_SET and FD_CLR Macros to properly cast
+ */
+#undef FD_CLR
+#define FD_CLR(fd, set) do { \
+    u_int __i; \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
+	if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET) fd) { \
+	    while (__i < ((fd_set FAR *)(set))->fd_count-1) { \
+		((fd_set FAR *)(set))->fd_array[__i] = \
+		    ((fd_set FAR *)(set))->fd_array[__i+1]; \
+		__i++; \
+	    } \
+	    ((fd_set FAR *)(set))->fd_count--; \
+	    break; \
+	} \
+    } \
+} while (0)
+
+#undef FD_SET
+#define FD_SET(fd, set) do { \
+    u_int __i; \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
+	if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET)(fd)) { \
+	    break; \
+	} \
+    } \
+    if (__i == ((fd_set FAR *)(set))->fd_count) { \
+	if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
+	    ((fd_set FAR *)(set))->fd_array[__i] = (SOCKET)(fd); \
+	    ((fd_set FAR *)(set))->fd_count++; \
+	} \
+    } \
+} while (0)
+
+/*
+ * Windows Sockets errors redefined as regular Berkeley error constants.
+ * These are usually commented out in Windows NT to avoid conflicts with errno.h.
+ * Use the WSA constants instead.
+ */
+
+#include <errno.h>
+
+#ifndef EWOULDBLOCK
+#define EWOULDBLOCK             WSAEWOULDBLOCK
+#endif
+#ifndef EINPROGRESS
+#define EINPROGRESS             WSAEINPROGRESS
+#endif
+#ifndef EALREADY
+#define EALREADY                WSAEALREADY
+#endif
+#ifndef ENOTSOCK
+#define ENOTSOCK                WSAENOTSOCK
+#endif
+#ifndef EDESTADDRREQ
+#define EDESTADDRREQ            WSAEDESTADDRREQ
+#endif
+#ifndef EMSGSIZE
+#define EMSGSIZE                WSAEMSGSIZE
+#endif
+#ifndef EPROTOTYPE
+#define EPROTOTYPE              WSAEPROTOTYPE
+#endif
+#ifndef ENOPROTOOPT
+#define ENOPROTOOPT             WSAENOPROTOOPT
+#endif
+#ifndef EPROTONOSUPPORT
+#define EPROTONOSUPPORT         WSAEPROTONOSUPPORT
+#endif
+#ifndef ESOCKTNOSUPPORT
+#define ESOCKTNOSUPPORT         WSAESOCKTNOSUPPORT
+#endif
+#ifndef EOPNOTSUPP
+#define EOPNOTSUPP              WSAEOPNOTSUPP
+#endif
+#ifndef EPFNOSUPPORT
+#define EPFNOSUPPORT            WSAEPFNOSUPPORT
+#endif
+#ifndef EAFNOSUPPORT
+#define EAFNOSUPPORT            WSAEAFNOSUPPORT
+#endif
+#ifndef EADDRINUSE
+#define EADDRINUSE              WSAEADDRINUSE
+#endif
+#ifndef EADDRNOTAVAIL
+#define EADDRNOTAVAIL           WSAEADDRNOTAVAIL
+#endif
+#ifndef ENETDOWN
+#define ENETDOWN                WSAENETDOWN
+#endif
+#ifndef ENETUNREACH
+#define ENETUNREACH             WSAENETUNREACH
+#endif
+#ifndef ENETRESET
+#define ENETRESET               WSAENETRESET
+#endif
+#ifndef ECONNABORTED
+#define ECONNABORTED            WSAECONNABORTED
+#endif
+#ifndef ECONNRESET
+#define ECONNRESET              WSAECONNRESET
+#endif
+#ifndef ENOBUFS
+#define ENOBUFS                 WSAENOBUFS
+#endif
+#ifndef EISCONN
+#define EISCONN                 WSAEISCONN
+#endif
+#ifndef ENOTCONN
+#define ENOTCONN                WSAENOTCONN
+#endif
+#ifndef ESHUTDOWN
+#define ESHUTDOWN               WSAESHUTDOWN
+#endif
+#ifndef ETOOMANYREFS
+#define ETOOMANYREFS            WSAETOOMANYREFS
+#endif
+#ifndef ETIMEDOUT
+#define ETIMEDOUT               WSAETIMEDOUT
+#endif
+#ifndef ECONNREFUSED
+#define ECONNREFUSED            WSAECONNREFUSED
+#endif
+#ifndef ELOOP
+#define ELOOP                   WSAELOOP
+#endif
+#ifndef EHOSTDOWN
+#define EHOSTDOWN               WSAEHOSTDOWN
+#endif
+#ifndef EHOSTUNREACH
+#define EHOSTUNREACH            WSAEHOSTUNREACH
+#endif
+#ifndef EPROCLIM
+#define EPROCLIM                WSAEPROCLIM
+#endif
+#ifndef EUSERS
+#define EUSERS                  WSAEUSERS
+#endif
+#ifndef EDQUOT
+#define EDQUOT                  WSAEDQUOT
+#endif
+#ifndef ESTALE
+#define ESTALE                  WSAESTALE
+#endif
+#ifndef EREMOTE
+#define EREMOTE                 WSAEREMOTE
+#endif
+
+
+/***
+ *** Functions.
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_net_probeipv4(void);
+/*
+ * Check if the system's kernel supports IPv4.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		IPv4 is supported.
+ *	ISC_R_NOTFOUND		IPv4 is not supported.
+ *	ISC_R_DISABLED		IPv4 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeipv6(void);
+/*
+ * Check if the system's kernel supports IPv6.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		IPv6 is supported.
+ *	ISC_R_NOTFOUND		IPv6 is not supported.
+ *	ISC_R_DISABLED		IPv6 is disabled.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeunix(void);
+/*
+ * Check if UNIX domain sockets are supported.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOTFOUND
+ */
+
+#define ISC_NET_DSCPRECVV4      0x01    /* Can receive sent DSCP value IPv4 */
+#define ISC_NET_DSCPRECVV6      0x02    /* Can receive sent DSCP value IPv6 */
+#define ISC_NET_DSCPSETV4       0x04    /* Can set DSCP on socket IPv4 */
+#define ISC_NET_DSCPSETV6       0x08    /* Can set DSCP on socket IPv6 */
+#define ISC_NET_DSCPPKTV4       0x10    /* Can set DSCP on per packet IPv4 */
+#define ISC_NET_DSCPPKTV6       0x20    /* Can set DSCP on per packet IPv6 */
+#define ISC_NET_DSCPALL         0x3f    /* All valid flags */
+
+unsigned int
+isc_net_probedscp(void);
+/*%<
+ * Probe the level of DSCP support.
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported for both TCP and UDP.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *	ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void);
+/*
+ * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
+ * for UDP sockets.
+ *
+ * Returns:
+ *
+ *	ISC_R_SUCCESS		the option is supported.
+ *	ISC_R_NOTFOUND		IPv6 itself or the option is not supported.
+ *	ISC_R_UNEXPECTED
+ */
+
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
+/*%<
+ * Returns system's default range of ephemeral UDP ports, if defined.
+ * If the range is not available or unknown, ISC_NET_PORTRANGELOW and
+ * ISC_NET_PORTRANGEHIGH will be returned.
+ *
+ * Requires:
+ *
+ *\li	'low' and 'high' must be non NULL.
+ *
+ * Returns:
+ *
+ *\li	*low and *high will be the ports specifying the low and high ends of
+ *	the range.
+ */
+
+#ifdef ISC_PLATFORM_NEEDNTOP
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size);
+#undef inet_ntop
+#define inet_ntop isc_net_ntop
+#endif
+
+#ifdef ISC_PLATFORM_NEEDPTON
+int
+isc_net_pton(int af, const char *src, void *dst);
+#define inet_pton isc_net_pton
+#endif
+
+int
+isc_net_aton(const char *cp, struct in_addr *addr);
+#define inet_aton isc_net_aton
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NET_H */
diff --git a/lib/isc/win32/include/isc/netdb.h b/lib/isc/win32/include/isc/netdb.h
new file mode 100644
index 0000000..c07194d
--- /dev/null
+++ b/lib/isc/win32/include/isc/netdb.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NETDB_H
+#define ISC_NETDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining the get<x>by<y> APIs.
+ *
+ * MP:
+ *	No impact.
+ *
+ * Reliability:
+ *	No anticipated impact.
+ *
+ * Resources:
+ *	N/A.
+ *
+ * Security:
+ *	No anticipated impact.
+ *
+ * Standards:
+ *	BSD API
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/net.h>
+
+#endif /* ISC_NETDB_H */
diff --git a/lib/isc/win32/include/isc/ntgroups.h b/lib/isc/win32/include/isc/ntgroups.h
new file mode 100644
index 0000000..e8352fc
--- /dev/null
+++ b/lib/isc/win32/include/isc/ntgroups.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_NTGROUPS_H
+#define ISC_NTGROUPS_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *name, char **Groups, unsigned int maxgroups,
+	     unsigned int *total);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NTGROUPS_H */
diff --git a/lib/isc/win32/include/isc/ntpaths.h b/lib/isc/win32/include/isc/ntpaths.h
new file mode 100644
index 0000000..c0010fc
--- /dev/null
+++ b/lib/isc/win32/include/isc/ntpaths.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * Windows-specific path definitions
+ * These routines are used to set up and return system-specific path
+ * information about the files enumerated in NtPaths
+ */
+
+#ifndef ISC_NTPATHS_H
+#define ISC_NTPATHS_H
+
+#include <isc/lang.h>
+
+/*
+ * Index of paths needed
+ */
+enum NtPaths {
+	NAMED_CONF_PATH,
+	LWRES_CONF_PATH,
+	RESOLV_CONF_PATH,
+	RNDC_CONF_PATH,
+	NAMED_PID_PATH,
+	LWRESD_PID_PATH,
+	NAMED_LOCK_PATH,
+	LOCAL_STATE_DIR,
+	SYS_CONF_DIR,
+	RNDC_KEY_PATH,
+	SESSION_KEY_PATH
+};
+
+/*
+ * Define macros to get the path of the config files
+ */
+#define NAMED_CONFFILE isc_ntpaths_get(NAMED_CONF_PATH)
+#define RNDC_CONFFILE isc_ntpaths_get(RNDC_CONF_PATH)
+#define RNDC_KEYFILE isc_ntpaths_get(RNDC_KEY_PATH)
+#define SESSION_KEYFILE isc_ntpaths_get(SESSION_KEY_PATH)
+#define RESOLV_CONF isc_ntpaths_get(RESOLV_CONF_PATH)
+
+/*
+ * Information about where the files are on disk
+ */
+#define NS_LOCALSTATEDIR	"/dns/bin"
+#define NS_SYSCONFDIR		"/dns/etc"
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_ntpaths_init(void);
+
+char *
+isc_ntpaths_get(int);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NTPATHS_H */
diff --git a/lib/isc/win32/include/isc/offset.h b/lib/isc/win32/include/isc/offset.h
new file mode 100644
index 0000000..14ef06f
--- /dev/null
+++ b/lib/isc/win32/include/isc/offset.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
+
+/*
+ * File offsets are operating-system dependent.
+ */
+#include <limits.h>             /* Required for CHAR_BIT. */
+#include <sys/types.h>
+
+typedef _off_t isc_offset_t;
+
+#endif /* ISC_OFFSET_H */
diff --git a/lib/isc/win32/include/isc/once.h b/lib/isc/win32/include/isc/once.h
new file mode 100644
index 0000000..c005b0b
--- /dev/null
+++ b/lib/isc/win32/include/isc/once.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	int status;
+	int counter;
+} isc_once_t;
+
+#define ISC_ONCE_INIT_NEEDED 0
+#define ISC_ONCE_INIT_DONE 1
+
+#define ISC_ONCE_INIT { ISC_ONCE_INIT_NEEDED, 1 }
+
+isc_result_t
+isc_once_do(isc_once_t *controller, void(*function)(void));
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ONCE_H */
diff --git a/lib/isc/win32/include/isc/platform.h.in b/lib/isc/win32/include/isc/platform.h.in
new file mode 100644
index 0000000..5b8a2c9
--- /dev/null
+++ b/lib/isc/win32/include/isc/platform.h.in
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISC_PLATFORM_H
+#define ISC_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+#define ISC_PLATFORM_USETHREADS 1
+
+/***
+ *** Network.
+ ***/
+
+#ifndef PATH_MAX
+#define PATH_MAX _MAX_PATH
+#endif
+
+#define ISC_PLATFORM_HAVEIPV6
+#if _MSC_VER > 1200
+#define ISC_PLATFORM_HAVEIN6PKTINFO
+#endif
+#define ISC_PLATFORM_HAVESCOPEID
+#define ISC_PLATFORM_NEEDPORTT
+#undef MSG_TRUNC
+#define ISC_PLATFORM_NEEDNTOP
+#define ISC_PLATFORM_NEEDPTON
+#define ISC_PLATFORM_HAVESOCKADDRSTORAGE
+
+#define ISC_PLATFORM_NEEDSTRSEP
+#define ISC_PLATFORM_NEEDSTRLCPY
+#define ISC_PLATFORM_NEEDSTRLCAT
+#define ISC_PLATFORM_NEEDSTRLCPY
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+#define ISC_PLATFORM_USEDECLSPEC 1
+
+/*
+ * Define this here for now as winsock2.h defines h_errno
+ * and we don't want to redeclare it.
+ */
+#define ISC_PLATFORM_NONSTDHERRNO
+
+/*
+ * Define if the platform has <sys/un.h>.
+ */
+#undef ISC_PLATFORM_HAVESYSUNH
+
+/*
+ * Define if we want to log backtrace
+ */
+@ISC_PLATFORM_USEBACKTRACE@
+
+/*
+ * Defines for the noreturn attribute.
+ */
+#define ISC_PLATFORM_NORETURN_PRE __declspec(noreturn)
+#define ISC_PLATFORM_NORETURN_POST
+
+/*
+ * Define if the hash functions must be provided by OpenSSL.
+ */
+@ISC_PLATFORM_OPENSSLHASH@
+
+/*
+ * Define if AES support is wanted
+ */
+@ISC_PLATFORM_WANTAES@
+
+/*
+ * If the "xadd" operation is available on this architecture,
+ * ISC_PLATFORM_HAVEXADD will be defined.
+ */
+@ISC_PLATFORM_HAVEXADD@
+
+/*
+ * If the "xaddq" operation (64bit xadd) is available on this architecture,
+ * ISC_PLATFORM_HAVEXADDQ will be defined.
+ */
+@ISC_PLATFORM_HAVEXADDQ@
+
+/*
+ * If the "atomic swap" operation is available on this architecture,
+ * ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
+ */
+@ISC_PLATFORM_HAVEATOMICSTORE@
+
+/*
+ * If the "compare-and-exchange" operation is available on this architecture,
+ * ISC_PLATFORM_HAVECMPXCHG will be defined.
+ */
+@ISC_PLATFORM_HAVECMPXCHG@
+
+/*
+ * Define with the busy wait nop asm or function call.
+ */
+@ISC_PLATFORM_BUSYWAITNOP@
+
+/*
+ * If the strcasestr() operation is not available on this platform,
+ * ISC_PLATFORM_NEEDSTRCASESTR will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRCASESTR@
+
+/*
+ * Set up a macro for importing and exporting from the DLL
+ */
+
+#ifdef LIBISC_EXPORTS
+#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCCC_EXPORTS
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#ifdef LIBTESTS_EXPORTS
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBTESTS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+#endif /* ISC_PLATFORM_H */
diff --git a/lib/isc/win32/include/isc/stat.h b/lib/isc/win32/include/isc/stat.h
new file mode 100644
index 0000000..8b7d685
--- /dev/null
+++ b/lib/isc/win32/include/isc/stat.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+#include <sys/stat.h>
+
+/*
+ * Windows doesn't typedef this.
+ */
+typedef unsigned short mode_t;
+
+/* open() under unix allows setting of read/write permissions
+ * at the owner, group and other levels.  These don't exist in NT
+ * We'll just map them all to the NT equivalent
+ */
+
+#define S_IREAD	_S_IREAD	/* read permission, owner */
+#define S_IWRITE _S_IWRITE	/* write permission, owner */
+#define S_IRUSR _S_IREAD	/* Owner read permission */
+#define S_IWUSR _S_IWRITE	/* Owner write permission */
+#define S_IRGRP _S_IREAD	/* Group read permission */
+#define S_IWGRP _S_IWRITE	/* Group write permission */
+#define S_IROTH _S_IREAD	/* Other read permission */
+#define S_IWOTH _S_IWRITE	/* Other write permission */
+
+#ifndef S_IFMT
+# define S_IFMT   _S_IFMT
+#endif
+#ifndef S_IFDIR
+# define S_IFDIR  _S_IFDIR
+#endif
+#ifndef S_IFCHR
+# define S_IFCHR  _S_IFCHR
+#endif
+#ifndef S_IFREG
+# define S_IFREG  _S_IFREG
+#endif
+
+#ifndef S_ISDIR
+# define S_ISDIR(m)	(((m) & S_IFMT) == S_IFDIR)
+#endif
+#ifndef S_ISREG
+# define S_ISREG(m)	(((m) & S_IFMT) == S_IFREG)
+#endif
+
+#endif /* ISC_STAT_H */
diff --git a/lib/isc/win32/include/isc/stdtime.h b/lib/isc/win32/include/isc/stdtime.h
new file mode 100644
index 0000000..e11647f
--- /dev/null
+++ b/lib/isc/win32/include/isc/stdtime.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STDTIME_H
+#define ISC_STDTIME_H 1
+
+#include <isc/lang.h>
+#include <inttypes.h>
+
+/*
+ * It's public information that 'isc_stdtime_t' is an unsigned integral type.
+ * Applications that want maximum portability should not assume anything
+ * about its size.
+ */
+typedef uint32_t isc_stdtime_t;
+
+/* but this flag helps... */
+#define STDTIME_ON_32BITS	1
+
+/*
+ * isc_stdtime32_t is a 32-bit version of isc_stdtime_t.  A variable of this
+ * type should only be used as an opaque integer (e.g.,) to compare two
+ * time values.
+ */
+typedef uint32_t isc_stdtime32_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_stdtime_get(isc_stdtime_t *t);
+/*
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+#define isc_stdtime_convert32(t, t32p) (*(t32p) = t)
+/*
+ * Convert the standard time to its 32-bit version.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDTIME_H */
diff --git a/lib/isc/win32/include/isc/strerror.h b/lib/isc/win32/include/isc/strerror.h
new file mode 100644
index 0000000..ae040a4
--- /dev/null
+++ b/lib/isc/win32/include/isc/strerror.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_STRERROR_H
+#define ISC_STRERROR_H
+
+#include <sys/types.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISC_STRERRORSIZE 128
+
+/*
+ * Provide a thread safe wrapper to strerrror().
+ *
+ * Requires:
+ * 	'buf' to be non NULL.
+ */
+void
+isc__strerror(int num, char *buf, size_t bufsize);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRERROR_H */
diff --git a/lib/isc/win32/include/isc/syslog.h b/lib/isc/win32/include/isc/syslog.h
new file mode 100644
index 0000000..66431e5
--- /dev/null
+++ b/lib/isc/win32/include/isc/syslog.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_SYSLOG_H
+#define ISC_SYSLOG_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp);
+/*
+ * Convert 'str' to the appropriate syslog facility constant.
+ *
+ * Requires:
+ *
+ *	'str' is not NULL
+ *	'facilityp' is not NULL
+ *
+ * Returns:
+ * 	ISC_R_SUCCESS
+ * 	ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYSLOG_H */
diff --git a/lib/isc/win32/include/isc/thread.h b/lib/isc/win32/include/isc/thread.h
new file mode 100644
index 0000000..be1343a
--- /dev/null
+++ b/lib/isc/win32/include/isc/thread.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+/*
+ * Inlines to help with wait return checking
+ */
+
+/* check handle for NULL and INVALID_HANDLE */
+inline BOOL IsValidHandle( HANDLE hHandle) {
+    return ((hHandle != NULL) && (hHandle != INVALID_HANDLE_VALUE));
+}
+
+/* validate wait return codes... */
+inline BOOL WaitSucceeded( DWORD dwWaitResult, DWORD dwHandleCount) {
+    return ((dwWaitResult >= WAIT_OBJECT_0) &&
+	    (dwWaitResult < WAIT_OBJECT_0 + dwHandleCount));
+}
+
+inline BOOL WaitAbandoned( DWORD dwWaitResult, DWORD dwHandleCount) {
+    return ((dwWaitResult >= WAIT_ABANDONED_0) &&
+	    (dwWaitResult < WAIT_ABANDONED_0 + dwHandleCount));
+}
+
+inline BOOL WaitTimeout( DWORD dwWaitResult) {
+    return (dwWaitResult == WAIT_TIMEOUT);
+}
+
+inline BOOL WaitFailed( DWORD dwWaitResult) {
+    return (dwWaitResult == WAIT_FAILED);
+}
+
+/* compute object indices for waits... */
+inline DWORD WaitSucceededIndex( DWORD dwWaitResult) {
+    return (dwWaitResult - WAIT_OBJECT_0);
+}
+
+inline DWORD WaitAbandonedIndex( DWORD dwWaitResult) {
+    return (dwWaitResult - WAIT_ABANDONED_0);
+}
+
+
+
+typedef HANDLE isc_thread_t;
+typedef DWORD isc_threadresult_t;
+typedef void * isc_threadarg_t;
+typedef isc_threadresult_t (WINAPI *isc_threadfunc_t)(isc_threadarg_t);
+typedef DWORD isc_thread_key_t;
+
+#define isc_thread_self (unsigned long)GetCurrentThreadId
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+isc_result_t
+isc_thread_join(isc_thread_t, isc_threadresult_t *);
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+void
+isc_thread_setname(isc_thread_t, const char *);
+
+int
+isc_thread_key_create(isc_thread_key_t *key, void (*func)(void *));
+
+int
+isc_thread_key_delete(isc_thread_key_t key);
+
+void *
+isc_thread_key_getspecific(isc_thread_key_t);
+
+int
+isc_thread_key_setspecific(isc_thread_key_t key, void *value);
+
+#define isc_thread_yield() Sleep(0)
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/lib/isc/win32/include/isc/time.h b/lib/isc/win32/include/isc/time.h
new file mode 100644
index 0000000..486f527
--- /dev/null
+++ b/lib/isc/win32/include/isc/time.h
@@ -0,0 +1,357 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_TIME_H
+#define ISC_TIME_H 1
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <windows.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** Intervals
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+struct isc_interval {
+	int64_t interval;
+};
+
+LIBISC_EXTERNAL_DATA extern const isc_interval_t * const isc_interval_zero;
+
+/*
+ * ISC_FORMATHTTPTIMESTAMP_SIZE needs to be 30 in C locale and potentially
+ * more for other locales to handle longer national abbreviations when
+ * expanding strftime's %a and %b.
+ */
+#define ISC_FORMATHTTPTIMESTAMP_SIZE 50
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_interval_set(isc_interval_t *i,
+		 unsigned int seconds, unsigned int nanoseconds);
+/*
+ * Set 'i' to a value representing an interval of 'seconds' seconds and
+ * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
+ * isc_time_subtract().
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ *	nanoseconds < 1000000000.
+ */
+
+bool
+isc_interval_iszero(const isc_interval_t *i);
+/*
+ * Returns true iff. 'i' is the zero interval.
+ *
+ * Requires:
+ *
+ *	'i' is a valid pointer.
+ */
+
+/***
+ *** Absolute Times
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+
+struct isc_time {
+	FILETIME absolute;
+};
+
+LIBISC_EXTERNAL_DATA extern const isc_time_t * const isc_time_epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*%<
+ * Set 't' to a value which represents the given number of seconds and
+ * nanoseconds since 00:00:00 January 1, 1970, UTC.
+ *
+ * Requires:
+ *\li   't' is a valid pointer.
+ *\li   nanoseconds < 1000000000.
+ */
+
+void
+isc_time_settoepoch(isc_time_t *t);
+/*
+ * Set 't' to the time of the epoch.
+ *
+ * Notes:
+ * 	The date of the epoch is platform-dependent.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+bool
+isc_time_isepoch(const isc_time_t *t);
+/*
+ * Returns true iff. 't' is the epoch ("time zero").
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_now(isc_time_t *t);
+/*
+ * Set 't' to the current absolute time.
+ *
+ * Requires:
+ *
+ *	't' is a valid pointer.
+ *
+ * Returns:
+ *
+ *	Success
+ *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The time from the system is too large to be represented
+ *		in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
+/*
+ * Set *t to the current absolute time + i.
+ *
+ * Note:
+ *	This call is equivalent to:
+ *
+ *		isc_time_now(t);
+ *		isc_time_add(t, i, t);
+ *
+ * Requires:
+ *
+ *	't' and 'i' are valid pointers.
+ *
+ * Returns:
+ *
+ *	Success
+ *	Unexpected error
+ *		Getting the time from the system failed.
+ *	Out of range
+ *		The interval added to the time from the system is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Compare the times referenced by 't1' and 't2'
+ *
+ * Requires:
+ *
+ *	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *
+ *	-1		t1 < t2		(comparing times, not pointers)
+ *	0		t1 = t2
+ *	1		t1 > t2
+ */
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
+/*
+ * Add 'i' to 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * 	Success
+ *	Out of range
+ * 		The interval added to the time is too large to
+ *		be represented in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result);
+/*
+ * Subtract 'i' from 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ *	't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ *	Success
+ *	Out of range
+ *		The interval is larger than the time since the epoch.
+ */
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Find the difference in milliseconds between time t1 and time t2.
+ * t2 is the subtrahend of t1; ie, difference = t1 - t2.
+ *
+ * Requires:
+ *
+ *	't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *	The difference of t1 - t2, or 0 if t1 <= t2.
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t);
+/*
+ * Return the number of nanoseconds stored in a time structure.
+ *
+ * Notes:
+ *	This is the number of nanoseconds in excess of the number
+ *	of seconds since the epoch; it will always be less than one
+ *	full second.
+ *
+ * Requires:
+ *	't' is a valid pointer.
+ *
+ * Ensures:
+ *	The returned value is less than 1*10^9.
+ */
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *      'len' > 0
+ *      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *      'len' > 0
+ *      'buf' points to an array of at least len chars
+ *
+ */
+
+isc_result_t
+isc_time_parsehttptimestamp(char *input, isc_time_t *t);
+/*%<
+ * Parse the time in 'input' into the isc_time_t pointed to by 't',
+ * expecting a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ *
+ *  Requires:
+ *\li      'buf' and 't' are not NULL.
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ss.sssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+uint32_t
+isc_time_seconds(const isc_time_t *t);
+/*%<
+ * Return the number of seconds since the epoch stored in a time structure.
+ *
+ * Requires:
+ *
+ *\li	't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
+/*%<
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ *\li	The number of seconds stored in an isc_time_t might be larger
+ *	than the number of seconds a time_t is able to handle.  Since
+ *	time_t is mostly opaque according to the ANSI/ISO standard
+ *	(essentially, all you can be sure of is that it is an arithmetic type,
+ *	not even necessarily integral), it can be tricky to ensure that
+ *	the isc_time_t is in the range a time_t can handle.  Use this
+ *	function in place of isc_time_seconds() any time you need to set a
+ *	time_t from an isc_time_t.
+ *
+ * Requires:
+ *\li	't' is a valid pointer.
+ *
+ * Returns:
+ *\li	Success
+ *\li	Out of range
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIME_H */
diff --git a/lib/isc/win32/include/isc/win32os.h b/lib/isc/win32/include/isc/win32os.h
new file mode 100644
index 0000000..bc18c40
--- /dev/null
+++ b/lib/isc/win32/include/isc/win32os.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_WIN32OS_H
+#define ISC_WIN32OS_H 1
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Return the number of CPUs available on the system, or 1 if this cannot
+ * be determined.
+ */
+
+int
+isc_win32os_versioncheck(unsigned int major, unsigned int minor,
+		     unsigned int updatemajor, unsigned int updateminor);
+
+/*
+ * Checks the current version of the operating system with the
+ * supplied version information.
+ * Returns:
+ * -1	if less than the version information supplied
+ *  0   if equal to all of the version information supplied
+ * +1   if greater than the version information supplied
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_WIN32OS_H */
diff --git a/lib/isc/win32/include/pkcs11/Makefile.in b/lib/isc/win32/include/pkcs11/Makefile.in
new file mode 100644
index 0000000..e9a85d4
--- /dev/null
+++ b/lib/isc/win32/include/pkcs11/Makefile.in
@@ -0,0 +1,26 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =	cryptoki.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/pkcs11
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/pkcs11 || exit 1; \
+	done
diff --git a/lib/isc/win32/include/pkcs11/cryptoki.h b/lib/isc/win32/include/pkcs11/cryptoki.h
new file mode 100644
index 0000000..2a681c4
--- /dev/null
+++ b/lib/isc/win32/include/pkcs11/cryptoki.h
@@ -0,0 +1,66 @@
+/* cryptoki.h include file for PKCS #11. */

+/* $Revision: 1.2 $ */

+

+/* License to copy and use this software is granted provided that it is

+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface

+ * (Cryptoki)" in all material mentioning or referencing this software.

+

+ * License is also granted to make and use derivative works provided that

+ * such works are identified as "derived from the RSA Security Inc. PKCS #11

+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 

+ * referencing the derived work.

+

+ * RSA Security Inc. makes no representations concerning either the 

+ * merchantability of this software or the suitability of this software for

+ * any particular purpose. It is provided "as is" without express or implied

+ * warranty of any kind.

+ */

+

+/* This is a sample file containing the top level include directives

+ * for building Win32 Cryptoki libraries and applications.

+ */

+

+#ifndef ___CRYPTOKI_H_INC___

+#define ___CRYPTOKI_H_INC___

+

+#pragma pack(push, cryptoki, 1)

+

+/* Specifies that the function is a DLL entry point. */

+#define CK_IMPORT_SPEC __declspec(dllimport)

+

+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do

+ * not define it in applications.

+ */

+#ifdef CRYPTOKI_EXPORTS

+/* Specified that the function is an exported DLL entry point. */

+#define CK_EXPORT_SPEC __declspec(dllexport) 

+#else

+#define CK_EXPORT_SPEC CK_IMPORT_SPEC 

+#endif

+

+/* Ensures the calling convention for Win32 builds */

+#define CK_CALL_SPEC __cdecl

+

+#define CK_PTR *

+

+#define CK_DEFINE_FUNCTION(returnType, name) \

+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name

+

+#define CK_DECLARE_FUNCTION(returnType, name) \

+  returnType CK_EXPORT_SPEC CK_CALL_SPEC name

+

+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \

+  returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)

+

+#define CK_CALLBACK_FUNCTION(returnType, name) \

+  returnType (CK_CALL_SPEC CK_PTR name)

+

+#ifndef NULL_PTR

+#define NULL_PTR 0

+#endif

+

+#include <pkcs11/pkcs11.h>

+

+#pragma pack(pop, cryptoki)

+

+#endif /* ___CRYPTOKI_H_INC___ */

diff --git a/lib/isc/win32/interfaceiter.c b/lib/isc/win32/interfaceiter.c
new file mode 100644
index 0000000..1bbd0f8
--- /dev/null
+++ b/lib/isc/win32/interfaceiter.c
@@ -0,0 +1,543 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * Note that this code will need to be revisited to support IPv6 Interfaces.
+ * For now we just iterate through IPv4 interfaces.
+ */
+
+#include <config.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <sys/types.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/strerror.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+void InitSockets(void);
+
+/* Common utility functions */
+
+/*
+ * Extract the network address part from a "struct sockaddr".
+ *
+ * The address family is given explicitly
+ * instead of using src->sa_family, because the latter does not work
+ * for copying a network mask obtained by SIOCGIFNETMASK (it does
+ * not have a valid address family).
+ */
+
+
+#define IFITER_MAGIC		0x49464954U	/* IFIT. */
+#define VALID_IFITER(t)		((t) != NULL && (t)->magic == IFITER_MAGIC)
+
+struct isc_interfaceiter {
+	unsigned int		magic;		/* Magic number. */
+	isc_mem_t		*mctx;
+	SOCKET			socket;
+	INTERFACE_INFO		IFData;		/* Current Interface Info. */
+	int			numIF;		/* Current Interface count. */
+	int			v4IF;		/* Number of IPv4 Interfaces */
+	INTERFACE_INFO		*buf4;		/* Buffer for WSAIoctl data. */
+	unsigned int		buf4size;	/* Bytes allocated. */
+	INTERFACE_INFO		*pos4;		/* Current offset in IF List */
+	SOCKET_ADDRESS_LIST	*buf6;		/* Buffer for WSAIoctl data. */
+	unsigned int		buf6size;	/* Bytes allocated. */
+	unsigned int		pos6;		/* Which entry to process. */
+	bool		v6loop;		/* See IPv6 loop address. */
+	bool		pos6zero;	/* Done pos6 == 0. */
+	isc_interface_t		current;	/* Current interface data. */
+	isc_result_t		result;		/* Last result code. */
+};
+
+
+/*
+ * Size of buffer for SIO_GET_INTERFACE_LIST, in number of interfaces.
+ * We assume no sane system will have more than than 1K of IP addresses on
+ * all of its adapters.
+ */
+#define IFCONF_SIZE_INITIAL	  16
+#define IFCONF_SIZE_INCREMENT	  64
+#define IFCONF_SIZE_MAX		1040
+
+static void
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src) {
+	dst->family = family;
+	switch (family) {
+	case AF_INET:
+		memmove(&dst->type.in,
+			&((struct sockaddr_in *) src)->sin_addr,
+			sizeof(struct in_addr));
+		break;
+	case	AF_INET6:
+		memmove(&dst->type.in6,
+			&((struct sockaddr_in6 *) src)->sin6_addr,
+			sizeof(struct in6_addr));
+		dst->zone = ((struct sockaddr_in6 *) src)->sin6_scope_id;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+}
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+	char strbuf[ISC_STRERRORSIZE];
+	isc_interfaceiter_t *iter;
+	isc_result_t result;
+	int error;
+	unsigned long bytesReturned = 0;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(iterp != NULL);
+	REQUIRE(*iterp == NULL);
+
+	iter = isc_mem_get(mctx, sizeof(*iter));
+	if (iter == NULL)
+		return (ISC_R_NOMEMORY);
+
+	InitSockets();
+
+	iter->mctx = mctx;
+	iter->buf4 = NULL;
+	iter->buf6 = NULL;
+	iter->pos4 = NULL;
+	iter->pos6 = 0;
+	iter->v6loop = true;
+	iter->pos6zero = true;
+	iter->buf6size = 0;
+	iter->buf4size = 0;
+	iter->result = ISC_R_FAILURE;
+	iter->numIF = 0;
+	iter->v4IF = 0;
+
+	/*
+	 * Create an unbound datagram socket to do the
+	 * SIO_GET_INTERFACE_LIST WSAIoctl on.
+	 */
+	iter->socket = socket(AF_INET, SOCK_DGRAM, 0);
+	if (iter->socket == INVALID_SOCKET) {
+		error = WSAGetLastError();
+		if (error == WSAEAFNOSUPPORT)
+			goto inet6_only;
+		isc__strerror(error, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				"making interface scan socket: %s",
+				strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto socket_failure;
+	}
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+	iter->buf4size = IFCONF_SIZE_INITIAL*sizeof(INTERFACE_INFO);
+
+	for (;;) {
+		iter->buf4 = isc_mem_get(mctx, iter->buf4size);
+		if (iter->buf4 == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto alloc_failure;
+		}
+
+		if (WSAIoctl(iter->socket, SIO_GET_INTERFACE_LIST,
+			     0, 0, iter->buf4, iter->buf4size,
+			     &bytesReturned, 0, 0) == SOCKET_ERROR)
+		{
+			error = WSAGetLastError();
+			if (error != WSAEFAULT && error != WSAENOBUFS) {
+				errno = error;
+				isc__strerror(error, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						"get interface configuration: %s",
+						strbuf);
+				result = ISC_R_UNEXPECTED;
+				goto ioctl_failure;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else {
+			/*
+			 * The WSAIoctl succeeded.
+			 * If the number of the returned bytes is the same
+			 * as the buffer size, we will grow it just in
+			 * case and retry.
+			 */
+			if (bytesReturned > 0 &&
+			    (bytesReturned < iter->buf4size))
+				break;
+		}
+		if (iter->buf4size >= IFCONF_SIZE_MAX*sizeof(INTERFACE_INFO)) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "get interface configuration: "
+					 "maximum buffer size exceeded");
+			result = ISC_R_UNEXPECTED;
+			goto ioctl_failure;
+		}
+		isc_mem_put(mctx, iter->buf4, iter->buf4size);
+
+		iter->buf4size += IFCONF_SIZE_INCREMENT *
+			sizeof(INTERFACE_INFO);
+	}
+
+	/*
+	 * A newly created iterator has an undefined position
+	 * until isc_interfaceiter_first() is called.
+	 */
+	iter->v4IF = bytesReturned/sizeof(INTERFACE_INFO);
+
+	/* We don't need the socket any more, so close it */
+	closesocket(iter->socket);
+
+ inet6_only:
+	/*
+	 * Create an unbound datagram socket to do the
+	 * SIO_ADDRESS_LIST_QUERY WSAIoctl on.
+	 */
+	iter->socket = socket(AF_INET6, SOCK_DGRAM, 0);
+	if (iter->socket == INVALID_SOCKET) {
+		error = WSAGetLastError();
+		if (error == WSAEAFNOSUPPORT)
+			goto inet_only;
+		isc__strerror(error, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				"making interface scan socket: %s",
+				strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto ioctl_failure;
+	}
+
+	/*
+	 * Get the interface configuration, allocating more memory if
+	 * necessary.
+	 */
+	iter->buf6size = sizeof(SOCKET_ADDRESS_LIST) +
+			 IFCONF_SIZE_INITIAL*sizeof(SOCKET_ADDRESS);
+
+	for (;;) {
+		iter->buf6 = isc_mem_get(mctx, iter->buf6size);
+		if (iter->buf6 == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto ioctl_failure;
+		}
+
+		if (WSAIoctl(iter->socket, SIO_ADDRESS_LIST_QUERY,
+			     0, 0, iter->buf6, iter->buf6size,
+			     &bytesReturned, 0, 0) == SOCKET_ERROR)
+		{
+			error = WSAGetLastError();
+			if (error != WSAEFAULT && error != WSAENOBUFS) {
+				errno = error;
+				isc__strerror(error, strbuf, sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "sio address list query: %s",
+						 strbuf);
+				result = ISC_R_UNEXPECTED;
+				goto ioctl6_failure;
+			}
+			/*
+			 * EINVAL.  Retry with a bigger buffer.
+			 */
+		} else
+			break;
+
+		if (iter->buf6size >= IFCONF_SIZE_MAX*sizeof(SOCKET_ADDRESS)) {
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "get interface configuration: "
+					 "maximum buffer size exceeded");
+			result = ISC_R_UNEXPECTED;
+			goto ioctl6_failure;
+		}
+		isc_mem_put(mctx, iter->buf6, iter->buf6size);
+
+		iter->buf6size += IFCONF_SIZE_INCREMENT *
+			sizeof(SOCKET_ADDRESS);
+	}
+
+	closesocket(iter->socket);
+
+ inet_only:
+	iter->magic = IFITER_MAGIC;
+	*iterp = iter;
+	return (ISC_R_SUCCESS);
+
+ ioctl6_failure:
+	isc_mem_put(mctx, iter->buf6, iter->buf6size);
+
+ ioctl_failure:
+	if (iter->buf4 != NULL)
+		isc_mem_put(mctx, iter->buf4, iter->buf4size);
+
+ alloc_failure:
+	if (iter->socket != INVALID_SOCKET)
+		(void) closesocket(iter->socket);
+
+ socket_failure:
+	isc_mem_put(mctx, iter, sizeof(*iter));
+	return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family, or if
+ * some operation on it fails, return ISC_R_IGNORE to make
+ * the higher-level iterator code ignore it.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+	BOOL ifNamed = FALSE;
+	unsigned long flags;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->numIF >= 0);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = AF_INET;
+
+	get_addr(AF_INET, &iter->current.address,
+		 (struct sockaddr *)&(iter->IFData.iiAddress));
+
+	/*
+	 * Get interface flags.
+	 */
+
+	iter->current.flags = 0;
+	flags = iter->IFData.iiFlags;
+
+	if ((flags & IFF_UP) != 0)
+		iter->current.flags |= INTERFACE_F_UP;
+
+	if ((flags & IFF_POINTTOPOINT) != 0) {
+		iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "PPP Interface %d", iter->numIF);
+		ifNamed = TRUE;
+	}
+
+	if ((flags & IFF_LOOPBACK) != 0) {
+		iter->current.flags |= INTERFACE_F_LOOPBACK;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "Loopback Interface %d", iter->numIF);
+		ifNamed = TRUE;
+	}
+
+	/*
+	 * If the interface is point-to-point, get the destination address.
+	 */
+	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+		get_addr(AF_INET, &iter->current.dstaddress,
+		(struct sockaddr *)&(iter->IFData.iiBroadcastAddress));
+	}
+
+	if (ifNamed == FALSE)
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			"TCP/IP Interface %d", iter->numIF);
+
+	/*
+	 * Get the network mask.
+	 */
+	get_addr(AF_INET, &iter->current.netmask,
+		 (struct sockaddr *)&(iter->IFData.iiNetmask));
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+internal_current6(isc_interfaceiter_t *iter) {
+	SOCKET fd;
+	int i;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->buf6 != NULL);
+
+	memset(&iter->current, 0, sizeof(iter->current));
+	iter->current.af = AF_INET6;
+
+	if (!iter->pos6zero) {
+		if (iter->pos6 == 0U)
+			iter->pos6zero = true;
+		get_addr(AF_INET6, &iter->current.address,
+			 iter->buf6->Address[iter->pos6].lpSockaddr);
+
+		/*
+		 * Set interface flags.
+		 */
+
+		iter->current.flags = INTERFACE_F_UP;
+
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			 "TCP/IPv6 Interface %u", iter->pos6 + 1);
+
+		for (i = 0; i < 16; i++)
+			iter->current.netmask.type.in6.s6_addr[i] = 0xff;
+		iter->current.netmask.family = AF_INET6;
+		if (IN6_IS_ADDR_LOOPBACK(&iter->current.address.type.in6))
+			   iter->v6loop = true;
+	} else {
+		/*
+		 * See if we can bind to the ::1 and if so return ::1.
+		 */
+		struct sockaddr_in6 sin6;
+
+		iter->v6loop = true;	/* So we don't loop forever. */
+
+		fd = socket(AF_INET6, SOCK_DGRAM, 0);
+		if (fd == INVALID_SOCKET)
+			return (ISC_R_IGNORE);
+		memset(&sin6, 0, sizeof(sin6));
+		sin6.sin6_family = AF_INET6;
+		sin6.sin6_addr.s6_addr[15] = 1;
+		if (bind(fd, (struct sockaddr *)&sin6, sizeof(sin6)) < 0) {
+			closesocket(fd);
+			return (ISC_R_IGNORE);
+		}
+		closesocket(fd);
+
+		iter->current.flags = INTERFACE_F_UP | INTERFACE_F_LOOPBACK;
+		snprintf(iter->current.name, sizeof(iter->current.name),
+			"TCP/IPv6 Loopback Interface");
+		for (i = 0; i < 16; i++) {
+			if (i != 15)
+				iter->current.address.type.in6.s6_addr[i] = 0;
+			else
+				iter->current.address.type.in6.s6_addr[i] = 1;
+			iter->current.netmask.type.in6.s6_addr[i] = 0xff;
+		}
+		iter->current.address.family = AF_INET6;
+		iter->current.netmask.family = AF_INET6;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface.  Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored.  Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+	if (iter->numIF >= iter->v4IF)
+		return (ISC_R_NOMORE);
+
+	/*
+	 * The first one needs to be set up to point to the last
+	 * Element of the array.  Go to the end and back up
+	 * Microsoft's implementation is peculiar for returning
+	 * the list in reverse order
+	 */
+
+	if (iter->numIF == 0)
+		iter->pos4 = (INTERFACE_INFO *)(iter->buf4 + (iter->v4IF));
+
+	iter->pos4--;
+	if (&(iter->pos4) < &(iter->buf4))
+		return (ISC_R_NOMORE);
+
+	memset(&(iter->IFData), 0, sizeof(INTERFACE_INFO));
+	memmove(&(iter->IFData), iter->pos4, sizeof(INTERFACE_INFO));
+	iter->numIF++;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+internal_next6(isc_interfaceiter_t *iter) {
+	if (iter->pos6 == 0U && iter->v6loop)
+		return (ISC_R_NOMORE);
+	if (iter->pos6 != 0U)
+		iter->pos6--;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter,
+			  isc_interface_t *ifdata) {
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+	memmove(ifdata, &iter->current, sizeof(*ifdata));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter) {
+
+	REQUIRE(VALID_IFITER(iter));
+
+	if (iter->buf6 != NULL) {
+		iter->pos6 = iter->buf6->iAddressCount;
+		iter->v6loop = false;
+		iter->pos6zero = (iter->pos6 == 0U);
+	}
+	iter->result = ISC_R_SUCCESS;
+	return (isc_interfaceiter_next(iter));
+}
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter) {
+	isc_result_t result;
+
+	REQUIRE(VALID_IFITER(iter));
+	REQUIRE(iter->result == ISC_R_SUCCESS);
+
+	for (;;) {
+		result = internal_next(iter);
+		if (result == ISC_R_NOMORE) {
+			result = internal_next6(iter);
+			if (result != ISC_R_SUCCESS)
+				break;
+			result = internal_current6(iter);
+			if (result == ISC_R_IGNORE)
+				continue;
+			break;
+		} else if (result != ISC_R_SUCCESS)
+			break;
+		result = internal_current(iter);
+		if (result != ISC_R_IGNORE)
+			break;
+	}
+	iter->result = result;
+	return (result);
+}
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp) {
+	isc_interfaceiter_t *iter;
+	REQUIRE(iterp != NULL);
+	iter = *iterp;
+	REQUIRE(VALID_IFITER(iter));
+
+	if (iter->buf4 != NULL)
+		isc_mem_put(iter->mctx, iter->buf4, iter->buf4size);
+	if (iter->buf6 != NULL)
+		isc_mem_put(iter->mctx, iter->buf6, iter->buf6size);
+
+	iter->magic = 0;
+	isc_mem_put(iter->mctx, iter, sizeof(*iter));
+	*iterp = NULL;
+}
diff --git a/lib/isc/win32/ipv6.c b/lib/isc/win32/ipv6.c
new file mode 100644
index 0000000..c2a4ac5
--- /dev/null
+++ b/lib/isc/win32/ipv6.c
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <isc/net.h>
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_any =
+	IN6ADDR_ANY_INIT;
+
+LIBISC_EXTERNAL_DATA const struct in6_addr isc_in6addr_loopback =
+	IN6ADDR_LOOPBACK_INIT;
diff --git a/lib/isc/win32/keyboard.c b/lib/isc/win32/keyboard.c
new file mode 100644
index 0000000..6e6f800
--- /dev/null
+++ b/lib/isc/win32/keyboard.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <windows.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <io.h>
+
+#include <isc/keyboard.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard) {
+	int fd;
+
+	REQUIRE(keyboard != NULL);
+
+	fd = _fileno(stdin);
+	if (fd < 0)
+		return (ISC_R_IOERROR);
+
+	keyboard->fd = fd;
+
+	keyboard->result = ISC_R_SUCCESS;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
+	REQUIRE(keyboard != NULL);
+
+	if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED)
+		(void)Sleep(sleeptime*1000);
+
+	keyboard->fd = -1;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) {
+	ssize_t cc;
+	unsigned char c;
+
+	REQUIRE(keyboard != NULL);
+	REQUIRE(cp != NULL);
+
+	cc = read(keyboard->fd, &c, 1);
+	if (cc < 0) {
+		keyboard->result = ISC_R_IOERROR;
+		return (keyboard->result);
+	}
+
+	*cp = c;
+
+	return (ISC_R_SUCCESS);
+}
+
+bool
+isc_keyboard_canceled(isc_keyboard_t *keyboard) {
+	return (keyboard->result == ISC_R_CANCELED);
+}
diff --git a/lib/isc/win32/libgen.h b/lib/isc/win32/libgen.h
new file mode 100644
index 0000000..e74740f
--- /dev/null
+++ b/lib/isc/win32/libgen.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef LIBGEN_H
+#define LIBGEN_H 1
+
+char *basename(const char *);
+char *dirname(const char *);
+
+#endif
diff --git a/lib/isc/win32/libisc.def.exclude b/lib/isc/win32/libisc.def.exclude
new file mode 100644
index 0000000..41e8562
--- /dev/null
+++ b/lib/isc/win32/libisc.def.exclude
@@ -0,0 +1,42 @@
+; These symbols are not needed by the WIN32 build, but build-tarballs
+; will complain if they aren't present here.
+isc_print_fprintf
+isc_print_printf
+isc_print_snprintf
+isc_print_sprintf
+isc_print_vsnprintf
+isc_socket_accept
+isc_socket_attach
+isc_socket_bind
+isc_socket_cancel
+isc_socket_cleanunix
+isc_socket_close
+isc_socket_connect
+isc_socket_create
+isc_socket_detach
+isc_socket_dscp
+isc_socket_dup
+isc_socket_fdwatchcreate
+isc_socket_fdwatchpoke
+isc_socket_filter
+isc_socket_getpeername
+isc_socket_getsockname
+isc_socket_gettype
+isc_socket_ipv6only
+isc_socket_listen
+isc_socket_open
+isc_socket_permunix
+isc_socket_recv
+isc_socket_recv2
+isc_socket_recvv
+isc_socket_register
+isc_socket_send
+isc_socket_sendto
+isc_socket_sendto2
+isc_socket_sendtov
+isc_socket_sendtov2
+isc_socket_sendv
+isc_socketmgr_create
+isc_socketmgr_create2
+isc_socketmgr_destroy
+isc_socketmgr_setstats
diff --git a/lib/isc/win32/libisc.def.in b/lib/isc/win32/libisc.def.in
new file mode 100644
index 0000000..a82face
--- /dev/null
+++ b/lib/isc/win32/libisc.def.in
@@ -0,0 +1,836 @@
+LIBRARY libisc
+
+; Exported Functions
+EXPORTS
+
+NTReportError
+closelog
+@IF PKCS11
+getpassphrase
+@END PKCS11
+isc___socketmgr_maxudp
+isc__app_block
+isc__app_ctxfinish
+isc__app_ctxonrun
+isc__app_ctxrun
+isc__app_ctxshutdown
+isc__app_ctxstart
+isc__app_ctxsuspend
+isc__app_finish
+isc__app_onrun
+isc__app_reload
+isc__app_run
+isc__app_shutdown
+isc__app_start
+isc__app_unblock
+isc__appctx_create
+isc__appctx_destroy
+isc__appctx_setsocketmgr
+isc__appctx_settaskmgr
+isc__appctx_settimermgr
+isc__buffer_activeregion
+isc__buffer_add
+isc__buffer_availableregion
+isc__buffer_back
+isc__buffer_clear
+isc__buffer_consumedregion
+isc__buffer_first
+isc__buffer_forward
+isc__buffer_init
+isc__buffer_initnull
+isc__buffer_invalidate
+isc__buffer_putmem
+isc__buffer_putstr
+isc__buffer_putuint16
+isc__buffer_putuint24
+isc__buffer_putuint32
+isc__buffer_putuint48
+isc__buffer_putuint8
+isc__buffer_region
+isc__buffer_remainingregion
+isc__buffer_setactive
+isc__buffer_subtract
+isc__buffer_usedregion
+isc__hash_setvec
+isc__mem_allocate
+isc__mem_free
+isc__mem_get
+isc__mem_put
+isc__mem_putanddetach
+isc__mem_reallocate
+isc__mem_strdup
+isc__mempool_get
+isc__mempool_put
+isc__socket_accept
+isc__socket_attach
+isc__socket_bind
+isc__socket_cancel
+isc__socket_cleanunix
+isc__socket_close
+isc__socket_connect
+isc__socket_create
+isc__socket_detach
+isc__socket_dscp
+isc__socket_dup
+isc__socket_filter
+isc__socket_getfd
+isc__socket_getname
+isc__socket_getpeername
+isc__socket_getsockname
+isc__socket_gettag
+isc__socket_gettype
+isc__socket_ipv6only
+isc__socket_isbound
+isc__socket_listen
+isc__socket_open
+isc__socket_permunix
+isc__socket_recv
+isc__socket_recv2
+isc__socket_recvv
+isc__socket_register
+isc__socket_send
+isc__socket_sendto
+isc__socket_sendto2
+isc__socket_sendtov
+isc__socket_sendtov2
+isc__socket_sendv
+isc__socket_setname
+isc__socketmgr_create
+isc__socketmgr_create2
+isc__socketmgr_destroy
+isc__socketmgr_getmaxsockets
+isc__socketmgr_setreserved
+isc__socketmgr_setstats
+isc__strerror
+isc__task_getname
+isc__task_gettag
+isc__task_unsendrange
+isc__taskmgr_mode
+@IF AES
+isc_aes128_crypt
+isc_aes192_crypt
+isc_aes256_crypt
+@END AES
+isc_app_block
+isc_app_ctxfinish
+isc_app_ctxonrun
+isc_app_ctxrun
+isc_app_ctxshutdown
+isc_app_ctxstart
+isc_app_ctxsuspend
+isc_app_finish
+isc_app_isrunning
+isc_app_onrun
+isc_app_register
+isc_app_reload
+isc_app_run
+isc_app_shutdown
+isc_app_start
+isc_app_unblock
+isc_appctx_create
+isc_appctx_destroy
+isc_appctx_setsocketmgr
+isc_appctx_settaskmgr
+isc_appctx_settimermgr
+isc_assertion_failed
+isc_assertion_setcallback
+isc_assertion_typetotext
+isc_backtrace_getsymbol
+isc_backtrace_getsymbolfromindex
+isc_backtrace_gettrace
+isc_base32_decoderegion
+isc_base32_decodestring
+isc_base32_tobuffer
+isc_base32_totext
+isc_base32hex_decoderegion
+isc_base32hex_decodestring
+isc_base32hex_tobuffer
+isc_base32hex_totext
+isc_base32hexnp_decoderegion
+isc_base32hexnp_decodestring
+isc_base32hexnp_tobuffer
+isc_base32hexnp_totext
+isc_base64_decodestring
+isc_base64_tobuffer
+isc_base64_totext
+isc_buffer_allocate
+isc_buffer_compact
+isc_buffer_copyregion
+isc_buffer_dup
+isc_buffer_free
+isc_buffer_getuint16
+isc_buffer_getuint32
+isc_buffer_getuint48
+isc_buffer_getuint8
+isc_buffer_putdecint
+isc_buffer_reallocate
+isc_buffer_reinit
+isc_buffer_reserve
+isc_buffer_setautorealloc
+isc_bufferlist_availablecount
+isc_bufferlist_usedcount
+isc_commandline_parse
+isc_commandline_strtoargv
+isc_condition_broadcast
+isc_condition_destroy
+isc_condition_init
+isc_condition_signal
+isc_condition_wait
+isc_condition_waituntil
+isc_counter_attach
+isc_counter_create
+isc_counter_detach
+isc_counter_increment
+isc_counter_setlimit
+isc_counter_used
+isc_crc64_final
+isc_crc64_init
+isc_crc64_update
+isc_dir_chdir
+isc_dir_chroot
+isc_dir_close
+isc_dir_createunique
+isc_dir_init
+isc_dir_open
+isc_dir_read
+isc_dir_reset
+isc_entropy_addcallbacksample
+isc_entropy_addsample
+isc_entropy_attach
+isc_entropy_create
+isc_entropy_createcallbacksource
+isc_entropy_createfilesource
+isc_entropy_createsamplesource
+isc_entropy_destroysource
+isc_entropy_detach
+isc_entropy_getdata
+isc_entropy_putdata
+isc_entropy_stats
+isc_entropy_status
+isc_entropy_stopcallbacksources
+isc_entropy_usebestsource
+isc_errno_toresult
+isc_error_fatal
+isc_error_runtimecheck
+isc_error_setfatal
+isc_error_setunexpected
+isc_error_unexpected
+isc_event_allocate
+isc_event_constallocate
+isc_event_free
+isc_file_absolutepath
+isc_file_basename
+isc_file_bopenunique
+isc_file_bopenuniquemode
+isc_file_bopenuniqueprivate
+isc_file_exists
+isc_file_getmodtime
+isc_file_getsize
+isc_file_getsizefd
+isc_file_isabsolute
+isc_file_ischdiridempotent
+isc_file_iscurrentdir
+isc_file_isdirectory
+isc_file_isdirwritable
+isc_file_isplainfile
+isc_file_isplainfilefd
+isc_file_mktemplate
+isc_file_mmap
+isc_file_mode
+isc_file_munmap
+isc_file_openunique
+isc_file_openuniquemode
+isc_file_openuniqueprivate
+isc_file_progname
+isc_file_remove
+isc_file_rename
+isc_file_renameunique
+isc_file_safecreate
+isc_file_safemovefile
+isc_file_sanitize
+isc_file_settime
+isc_file_splitpath
+isc_file_template
+isc_file_truncate
+isc_fsaccess_add
+isc_fsaccess_changeowner
+isc_fsaccess_remove
+isc_fsaccess_set
+isc_hash_calc
+isc_hash_create
+isc_hash_ctxattach
+isc_hash_ctxcalc
+isc_hash_ctxcreate
+isc_hash_ctxdetach
+isc_hash_ctxinit
+isc_hash_destroy
+isc_hash_function
+isc_hash_function_reverse
+isc_hash_get_initializer
+isc_hash_init
+isc_hash_set_initializer
+isc_heap_create
+isc_heap_decreased
+isc_heap_delete
+isc_heap_destroy
+isc_heap_foreach
+isc_heap_element
+isc_heap_increased
+isc_heap_insert
+isc_hex_decodestring
+isc_hex_tobuffer
+isc_hex_totext
+isc_hmacmd5_check
+isc_hmacmd5_init
+isc_hmacmd5_invalidate
+isc_hmacmd5_sign
+isc_hmacmd5_update
+isc_hmacmd5_verify
+isc_hmacmd5_verify2
+isc_hmacsha1_check
+isc_hmacsha1_init
+isc_hmacsha1_invalidate
+isc_hmacsha1_sign
+isc_hmacsha1_update
+isc_hmacsha1_verify
+isc_hmacsha224_init
+isc_hmacsha224_invalidate
+isc_hmacsha224_sign
+isc_hmacsha224_update
+isc_hmacsha224_verify
+isc_hmacsha256_init
+isc_hmacsha256_invalidate
+isc_hmacsha256_sign
+isc_hmacsha256_update
+isc_hmacsha256_verify
+isc_hmacsha384_init
+isc_hmacsha384_invalidate
+isc_hmacsha384_sign
+isc_hmacsha384_update
+isc_hmacsha384_verify
+isc_hmacsha512_init
+isc_hmacsha512_invalidate
+isc_hmacsha512_sign
+isc_hmacsha512_update
+isc_hmacsha512_verify
+isc_ht_add
+isc_ht_count
+isc_ht_delete
+isc_ht_destroy
+isc_ht_find
+isc_ht_init
+isc_ht_iter_create
+isc_ht_iter_current
+isc_ht_iter_currentkey
+isc_ht_iter_delcurrent_next
+isc_ht_iter_destroy
+isc_ht_iter_first
+isc_ht_iter_next
+isc_httpd_addheader
+isc_httpd_addheaderuint
+isc_httpd_response
+isc_httpd_setfinishhook
+isc_httpdmgr_addurl
+isc_httpdmgr_addurl2
+isc_httpdmgr_create
+isc_httpdmgr_shutdown
+isc_interfaceiter_create
+isc_interfaceiter_current
+isc_interfaceiter_destroy
+isc_interfaceiter_first
+isc_interfaceiter_next
+isc_interval_iszero
+isc_interval_set
+isc_iterated_hash
+isc_keyboard_canceled
+isc_keyboard_close
+isc_keyboard_getchar
+isc_keyboard_open
+isc_lex_close
+isc_lex_create
+isc_lex_destroy
+isc_lex_getcomments
+isc_lex_getlasttokentext
+isc_lex_getmastertoken
+isc_lex_getoctaltoken
+isc_lex_getsourceline
+isc_lex_getsourcename
+isc_lex_getspecials
+isc_lex_gettoken
+isc_lex_isfile
+isc_lex_openbuffer
+isc_lex_openfile
+isc_lex_openstream
+isc_lex_setcomments
+isc_lex_setsourceline
+isc_lex_setsourcename
+isc_lex_setspecials
+isc_lex_ungettoken
+isc_lfsr_generate
+isc_lfsr_generate32
+isc_lfsr_init
+isc_lfsr_skip
+isc_lib_initmsgcat
+isc_lib_register
+isc_log_categorybyname
+isc_log_closefilelogs
+isc_log_create
+isc_log_createchannel
+isc_log_destroy
+isc_log_getdebuglevel
+isc_log_getduplicateinterval
+isc_log_gettag
+isc_log_ivwrite
+isc_log_ivwrite1
+isc_log_iwrite
+isc_log_iwrite1
+isc_log_modulebyname
+isc_log_opensyslog
+isc_log_registercategories
+isc_log_registermodules
+isc_log_setcontext
+isc_log_setdebuglevel
+isc_log_setduplicateinterval
+isc_log_settag
+isc_log_usechannel
+isc_log_vwrite
+isc_log_vwrite1
+isc_log_wouldlog
+isc_log_write
+isc_log_write1
+isc_logconfig_create
+isc_logconfig_destroy
+isc_logconfig_get
+isc_logconfig_use
+isc_logfile_roll
+isc_md5_check
+isc_md5_final
+isc_md5_init
+isc_md5_invalidate
+isc_md5_update
+isc_mem_attach
+isc_mem_checkdestroyed
+isc_mem_create
+isc_mem_create2
+isc_mem_createx
+isc_mem_createx2
+isc_mem_destroy
+isc_mem_detach
+isc_mem_getname
+isc_mem_getquota
+isc_mem_gettag
+isc_mem_inuse
+isc_mem_isovermem
+isc_mem_maxinuse
+isc_mem_ondestroy
+isc_mem_printallactive
+isc_mem_references
+isc_mem_register
+@IF NOTYET
+isc_mem_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_mem_renderxml
+@END LIBXML2
+isc_mem_setdestroycheck
+isc_mem_setname
+isc_mem_setquota
+isc_mem_setwater
+isc_mem_stats
+isc_mem_total
+isc_mem_waterack
+isc_meminfo_totalphys
+isc_mempool_associatelock
+isc_mempool_create
+isc_mempool_destroy
+isc_mempool_getallocated
+isc_mempool_getfillcount
+isc_mempool_getfreecount
+isc_mempool_getfreemax
+isc_mempool_getmaxalloc
+isc_mempool_setfillcount
+isc_mempool_setfreemax
+isc_mempool_setmaxalloc
+isc_mempool_setname
+isc_msgcat_close
+isc_msgcat_get
+isc_msgcat_open
+isc_mutexblock_destroy
+isc_mutexblock_init
+isc_net_aton
+isc_net_disableipv4
+isc_net_disableipv6
+isc_net_enableipv4
+isc_net_enableipv6
+isc_net_getudpportrange
+isc_net_ntop
+isc_net_probe_ipv6only
+isc_net_probe_ipv6pktinfo
+isc_net_probedscp
+isc_net_probeipv4
+isc_net_probeipv6
+isc_net_probeunix
+isc_net_pton
+isc_netaddr_any
+isc_netaddr_any6
+isc_netaddr_eqprefix
+isc_netaddr_equal
+isc_netaddr_format
+isc_netaddr_fromin
+isc_netaddr_fromin6
+isc_netaddr_frompath
+isc_netaddr_fromsockaddr
+isc_netaddr_fromv4mapped
+isc_netaddr_getzone
+isc_netaddr_isexperimental
+isc_netaddr_islinklocal
+isc_netaddr_isloopback
+isc_netaddr_ismulticast
+isc_netaddr_isnetzero
+isc_netaddr_issitelocal
+isc_netaddr_masktoprefixlen
+isc_netaddr_prefixok
+isc_netaddr_setzone
+isc_netaddr_totext
+isc_netscope_pton
+isc_ntpaths_get
+isc_ntpaths_init
+isc_once_do
+isc_ondestroy_init
+isc_ondestroy_notify
+isc_ondestroy_register
+isc_os_ncpus
+isc_parse_uint16
+isc_parse_uint32
+isc_parse_uint8
+isc_pool_count
+isc_pool_create
+isc_pool_destroy
+isc_pool_expand
+isc_pool_get
+isc_portset_add
+isc_portset_addrange
+isc_portset_create
+isc_portset_destroy
+isc_portset_isset
+isc_portset_nports
+isc_portset_remove
+isc_portset_removerange
+isc_quota_attach
+isc_quota_destroy
+isc_quota_detach
+isc_quota_init
+isc_quota_max
+isc_quota_release
+isc_quota_reserve
+isc_quota_soft
+isc_radix_create
+isc_radix_destroy
+isc_radix_insert
+isc_radix_process
+isc_radix_remove
+isc_radix_search
+isc_random_get
+isc_random_jitter
+isc_random_seed
+isc_ratelimiter_attach
+isc_ratelimiter_create
+isc_ratelimiter_dequeue
+isc_ratelimiter_detach
+isc_ratelimiter_enqueue
+isc_ratelimiter_release
+isc_ratelimiter_setinterval
+isc_ratelimiter_setpertic
+isc_ratelimiter_setpushpop
+isc_ratelimiter_shutdown
+isc_ratelimiter_stall
+isc_refcount_init
+isc_regex_validate
+isc_region_compare
+isc_resource_getcurlimit
+isc_resource_getlimit
+isc_resource_setlimit
+isc_result_register
+isc_result_registerids
+isc_result_toid
+isc_result_totext
+isc_rng_attach
+isc_rng_create
+isc_rng_detach
+isc_rng_random
+isc_rng_uniformrandom
+isc_rwlock_destroy
+isc_rwlock_downgrade
+isc_rwlock_init
+isc_rwlock_lock
+isc_rwlock_trylock
+isc_rwlock_tryupgrade
+isc_rwlock_unlock
+isc_safe_memcompare
+isc_safe_memequal
+isc_safe_memwipe
+isc_serial_eq
+isc_serial_ge
+isc_serial_gt
+isc_serial_le
+isc_serial_lt
+isc_serial_ne
+isc_sha1_check
+isc_sha1_final
+isc_sha1_init
+isc_sha1_invalidate
+isc_sha1_update
+isc_sha224_data
+isc_sha224_end
+isc_sha224_final
+isc_sha224_init
+isc_sha224_invalidate
+isc_sha224_update
+isc_sha256_data
+isc_sha256_end
+isc_sha256_final
+isc_sha256_init
+isc_sha256_invalidate
+isc_sha256_update
+isc_sha384_data
+isc_sha384_end
+isc_sha384_final
+isc_sha384_init
+isc_sha384_invalidate
+isc_sha384_update
+isc_sha512_data
+isc_sha512_end
+isc_sha512_final
+isc_sha512_init
+isc_sha512_invalidate
+isc_sha512_update
+isc_sockaddr_any
+isc_sockaddr_any6
+isc_sockaddr_anyofpf
+isc_sockaddr_compare
+isc_sockaddr_eqaddr
+isc_sockaddr_eqaddrprefix
+isc_sockaddr_equal
+isc_sockaddr_format
+isc_sockaddr_fromin
+isc_sockaddr_fromin6
+isc_sockaddr_fromnetaddr
+isc_sockaddr_frompath
+isc_sockaddr_getport
+isc_sockaddr_hash
+isc_sockaddr_isexperimental
+isc_sockaddr_islinklocal
+isc_sockaddr_ismulticast
+isc_sockaddr_isnetzero
+isc_sockaddr_issitelocal
+isc_sockaddr_pf
+isc_sockaddr_setport
+isc_sockaddr_totext
+isc_sockaddr_v6fromin
+isc_socket_socketevent
+isc_socketmgr_createinctx
+@IF NOTYET
+isc_socketmgr_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_socketmgr_renderxml
+@END LIBXML2
+isc_stats_attach
+isc_stats_create
+isc_stats_decrement
+isc_stats_detach
+isc_stats_dump
+isc_stats_increment
+isc_stats_ncounters
+isc_stats_set
+isc_stdio_close
+isc_stdio_flush
+isc_stdio_open
+isc_stdio_read
+isc_stdio_seek
+isc_stdio_sync
+isc_stdio_tell
+isc_stdio_write
+isc_stdtime_get
+isc_string_append
+isc_string_append_truncate
+isc_string_copy
+isc_string_copy_truncate
+isc_string_printf
+isc_string_printf_truncate
+isc_string_regiondup
+isc_string_separate
+isc_string_strcasestr
+isc_string_strlcat
+isc_string_strlcpy
+isc_string_touint64
+isc_symtab_count
+isc_symtab_create
+isc_symtab_define
+isc_symtab_destroy
+isc_symtab_lookup
+isc_symtab_undefine
+isc_syslog_facilityfromstring
+isc_task_attach
+isc_task_beginexclusive
+isc_task_create
+isc_task_destroy
+isc_task_detach
+isc_task_endexclusive
+isc_task_exiting
+isc_task_getcurrenttime
+isc_task_getcurrenttimex
+isc_task_onshutdown
+isc_task_privilege
+isc_task_purge
+isc_task_purgeevent
+isc_task_purgerange
+isc_task_register
+isc_task_send
+isc_task_sendanddetach
+isc_task_setname
+isc_task_setprivilege
+isc_task_shutdown
+isc_task_unsend
+isc_taskmgr_create
+isc_taskmgr_createinctx
+isc_taskmgr_destroy
+isc_taskmgr_excltask
+isc_taskmgr_mode
+@IF NOTYET
+isc_taskmgr_renderjson
+@END NOTYET
+@IF LIBXML2
+isc_taskmgr_renderxml
+@END LIBXML2
+isc_taskmgr_setexcltask
+isc_taskmgr_setmode
+isc_taskpool_create
+isc_taskpool_destroy
+isc_taskpool_expand
+isc_taskpool_gettask
+isc_taskpool_setprivilege
+isc_taskpool_size
+isc_thread_create
+isc_thread_join
+isc_thread_key_create
+isc_thread_key_delete
+isc_thread_key_getspecific
+isc_thread_key_setspecific
+isc_thread_setconcurrency
+isc_thread_setname
+isc_time_add
+isc_time_compare
+isc_time_formatISO8601
+isc_time_formatISO8601ms
+isc_time_formathttptimestamp
+isc_time_formattimestamp
+isc_time_isepoch
+isc_time_microdiff
+isc_time_nanoseconds
+isc_time_now
+isc_time_nowplusinterval
+isc_time_parsehttptimestamp
+isc_time_secondsastimet
+isc_time_seconds
+isc_time_set
+isc_time_settoepoch
+isc_time_subtract
+isc_timer_attach
+isc_timer_create
+isc_timer_detach
+isc_timer_gettype
+isc_timer_register
+isc_timer_reset
+isc_timer_touch
+isc_timermgr_create
+isc_timermgr_createinctx
+isc_timermgr_destroy
+isc_timermgr_poke
+isc_tm_timegm
+isc_tm_strptime
+isc_win32os_versioncheck
+openlog
+@IF PKCS11
+pk11_attribute_bytype
+pk11_attribute_first
+pk11_attribute_next
+pk11_dump_tokens
+pk11_error_fatalcheck
+pk11_finalize
+pk11_get_best_token
+pk11_get_lib_name
+pk11_get_load_error_message
+pk11_get_session
+pk11_initialize
+pk11_initmsgcat
+pk11_mem_get
+pk11_mem_put
+pk11_numbits
+pk11_parse_uri
+pk11_rand_bytes
+pk11_rand_seed_fromfile
+pk11_result_register
+pk11_result_totext
+pk11_return_session
+pk11_set_lib_name
+pkcs_C_CloseSession
+pkcs_C_CreateObject
+pkcs_C_DeriveKey
+pkcs_C_DestroyObject
+pkcs_C_DigestFinal
+pkcs_C_DigestInit
+pkcs_C_DigestUpdate
+pkcs_C_Encrypt
+pkcs_C_EncryptInit
+pkcs_C_Finalize
+pkcs_C_FindObjects
+pkcs_C_FindObjectsFinal
+pkcs_C_FindObjectsInit
+pkcs_C_GenerateKey
+pkcs_C_GenerateKeyPair
+pkcs_C_GenerateRandom
+pkcs_C_GetAttributeValue
+pkcs_C_GetMechanismInfo
+pkcs_C_GetSlotList
+pkcs_C_GetTokenInfo
+pkcs_C_Initialize
+pkcs_C_Login
+pkcs_C_Logout
+pkcs_C_OpenSession
+pkcs_C_SeedRandom
+pkcs_C_SetAttributeValue
+pkcs_C_Sign
+pkcs_C_SignFinal
+pkcs_C_SignInit
+pkcs_C_SignUpdate
+pkcs_C_Verify
+pkcs_C_VerifyFinal
+pkcs_C_VerifyInit
+pkcs_C_VerifyUpdate
+@END PKCS11
+syslog
+
+@IF NOLONGER
+; Exported Data
+
+EXPORTS
+
+isc__backtrace_nsymbols		DATA
+isc__backtrace_symtable		DATA
+isc_bind9			DATA
+isc_commandline_argument	DATA
+isc_commandline_errprint	DATA
+isc_commandline_index		DATA
+isc_commandline_option		DATA
+isc_commandline_progname	DATA
+isc_commandline_reset		DATA
+isc_dscp_check_value		DATA
+isc_hashctx			DATA
+isc_mem_debugging		DATA
+isc_msgcat			DATA
+@IF PKCS11
+pk11_msgcat			DATA
+pk11_verbose_init		DATA
+@END PKCS11
+@END NOLONGER
diff --git a/lib/isc/win32/libisc.dsp.in b/lib/isc/win32/libisc.dsp.in
new file mode 100644
index 0000000..d21edb8
--- /dev/null
+++ b/lib/isc/win32/libisc.dsp.in
@@ -0,0 +1,949 @@
+# Microsoft Developer Studio Project File - Name="libisc" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libisc - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libisc.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisc - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisc - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "BIND9" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@IF PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@ELSE PKCS11
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /c
+@END PKCS11
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 @LIBXML2_LIB@ @OPENSSL_LIB@ @ZLIB_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisc.dll"
+# SUBTRACT LINK32 /pdb:none
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" @COPTY@ /FD /GZ /c
+@IF PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@ELSE PKCS11
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+@END PKCS11
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 @LIBXML2_LIB@ @OPENSSL_LIB@ @ZLIB_LIB@ user32.lib advapi32.lib ws2_32.lib /nologo /dll /map /debug @MACHINE@ /out:"../../../Build/Debug/libisc.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libisc - @PLATFORM@ Release"
+# Name "libisc - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\app.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\condition.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\dir.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\entropy.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\errno.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\errno2result.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\file.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\fsaccess.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\interfaceiter.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\ipv6.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\keyboard.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\meminfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\net.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\ntpaths.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\once.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\os.c
+# End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=.\pk11_api.c
+# End Source File
+@END PKCS11
+# Begin Source File
+
+SOURCE=.\resource.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\socket.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\stdio.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\stdtime.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\strerror.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\syslog.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\thread.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\time.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\win32os.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+@IF AES
+# Begin Source File
+
+SOURCE=..\include\isc\aes.h
+# End Source File
+@END AES
+# Begin Source File
+
+SOURCE=..\include\isc\app.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\assertions.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\backtrace.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\base32.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\base64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\bind9.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\bind_registry.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\bindevt.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\boolean.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\buffer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\bufferlist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\commandline.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\counter.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\condition.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\..\config.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\crc64.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\dir.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\entropy.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\errno.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\errno2result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\error.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\event.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\eventclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\file.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\formatcheck.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\fsaccess.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\hash.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\heap.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\hex.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\hmacmd5.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\hmacsha.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\ht.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\httpd.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\int.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\interfaceiter.h
+# End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\include\pk11\internal.h
+# End Source File
+@END PKCS11
+# Begin Source File
+
+SOURCE=.\include\isc\ipv6.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\iterated_hash.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\keyboard.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\json.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\lang.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\lex.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\lfsr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\lib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\list.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\magic.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\md5.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\mem.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\meminfo.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\msgcat.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\mutex.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\mutexblock.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\net.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\netaddr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\netscope.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\netdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\ntgroups.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\ntpaths.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\offset.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\once.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\ondestroy.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\os.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\parseint.h
+# End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\include\pk11\pk11.h
+# End Source File
+@END PKCS11
+# Begin Source File
+
+SOURCE=..\include\isc\pool.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\portset.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\platform.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\print.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\queue.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\quota.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\radix.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\random.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\ratelimiter.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\refcount.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\regex.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\region.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\resource.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\result.h
+# End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\include\pk11\result.h
+# End Source File
+@END PKCS11
+# Begin Source File
+
+SOURCE=..\include\isc\resultclass.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\rwlock.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\safe.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\serial.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\sha1.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\sha2.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\sockaddr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\socket.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\stat.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\stats.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\stdio.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\stdlib.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\stdtime.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\strerror.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\string.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\symtab.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\syslog.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\syslog.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\task.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\taskpool.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\thread.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\time.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\timer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\tm.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\isc\win32os.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\unistd.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\util.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\..\versions.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isc\xml.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Group "Main Isc Lib"
+
+# PROP Default_Filter "c"
+@IF AES
+# Begin Source File
+
+SOURCE=..\aes.c
+# End Source File
+@END AES
+# Begin Source File
+
+SOURCE=..\assertions.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\backtrace.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\backtrace-emptytbl.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\base32.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\bind9.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\buffer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\bufferlist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\commandline.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\counter.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\crc64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\error.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\event.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hash.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\heap.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hex.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hmacmd5.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\hmacsha.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ht.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\httpd.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\inet_aton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\inet_ntop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\inet_pton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\iterated_hash.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lex.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lfsr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\md5.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\mem.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\nls\msgcat.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\mutexblock.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\netaddr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\netscope.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ondestroy.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\parseint.c
+# End Source File
+@IF PKCS11
+# Begin Source File
+
+SOURCE=..\pk11.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\pk11_result.c
+# End Source File
+@END PKCS11
+# Begin Source File
+
+SOURCE=..\pool.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\portset.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\quota.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\radix.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\random.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ratelimiter.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\refcount.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\regex.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\region.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\rwlock.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\safe.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\serial.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sha1.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sha2.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sockaddr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\stats.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\string.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\symtab.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\task.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\taskpool.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\timer.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\tm.c
+# End Source File
+# End Group
+@IF ATOMIC
+# Begin Source File
+
+SOURCE=.\include\atomic.h
+# End Source File
+@ELSE ATOMIC
+# Begin Source File
+
+SOURCE=..\noatomic\include\atomic.h
+# End Source File
+@END ATOMIC
+# Begin Source File
+
+SOURCE=.\libisc.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/isc/win32/libisc.dsw b/lib/isc/win32/libisc.dsw
new file mode 100644
index 0000000..49c089c
--- /dev/null
+++ b/lib/isc/win32/libisc.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libisc"=".\libisc.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/isc/win32/libisc.mak.in b/lib/isc/win32/libisc.mak.in
new file mode 100644
index 0000000..9a6acd5
--- /dev/null
+++ b/lib/isc/win32/libisc.mak.in
@@ -0,0 +1,2398 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libisc.dsp
+!IF "$(CFG)" == ""
+CFG=libisc - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to libisc - @PLATFORM@ Debug.
+!ENDIF
+
+!IF "$(CFG)" != "libisc - @PLATFORM@ Release" && "$(CFG)" != "libisc - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE
+!MESSAGE NMAKE /f "libisc.mak" CFG="libisc - @PLATFORM@ Debug"
+!MESSAGE
+!MESSAGE Possible choices for configuration are:
+!MESSAGE
+!MESSAGE "libisc - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisc - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE
+!ERROR An invalid configuration is specified.
+!ENDIF
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE
+NULL=nul
+!ENDIF
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+LIBXML=@LIBXML2_LIB@
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\libisc.dll"
+
+
+CLEAN :
+@IF AES
+	-@erase "$(INTDIR)\aes.obj"
+@END AES
+	-@erase "$(INTDIR)\app.obj"
+	-@erase "$(INTDIR)\assertions.obj"
+	-@erase "$(INTDIR)\backtrace.obj"
+	-@erase "$(INTDIR)\backtrace-emptytbl.obj"
+	-@erase "$(INTDIR)\base32.obj"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\bind9.obj"
+	-@erase "$(INTDIR)\buffer.obj"
+	-@erase "$(INTDIR)\bufferlist.obj"
+	-@erase "$(INTDIR)\commandline.obj"
+	-@erase "$(INTDIR)\counter.obj"
+	-@erase "$(INTDIR)\condition.obj"
+	-@erase "$(INTDIR)\crc64.obj"
+	-@erase "$(INTDIR)\dir.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\entropy.obj"
+	-@erase "$(INTDIR)\errno.obj"
+	-@erase "$(INTDIR)\errno2result.obj"
+	-@erase "$(INTDIR)\error.obj"
+	-@erase "$(INTDIR)\event.obj"
+	-@erase "$(INTDIR)\file.obj"
+	-@erase "$(INTDIR)\fsaccess.obj"
+	-@erase "$(INTDIR)\hash.obj"
+	-@erase "$(INTDIR)\heap.obj"
+	-@erase "$(INTDIR)\hex.obj"
+	-@erase "$(INTDIR)\hmacmd5.obj"
+	-@erase "$(INTDIR)\hmacsha.obj"
+	-@erase "$(INTDIR)\ht.obj"
+	-@erase "$(INTDIR)\httpd.obj"
+	-@erase "$(INTDIR)\inet_aton.obj"
+	-@erase "$(INTDIR)\inet_ntop.obj"
+	-@erase "$(INTDIR)\inet_pton.obj"
+	-@erase "$(INTDIR)\interfaceiter.obj"
+	-@erase "$(INTDIR)\ipv6.obj"
+	-@erase "$(INTDIR)\iterated_hash.obj"
+	-@erase "$(INTDIR)\keyboard.obj"
+	-@erase "$(INTDIR)\lex.obj"
+	-@erase "$(INTDIR)\lfsr.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\md5.obj"
+	-@erase "$(INTDIR)\mem.obj"
+	-@erase "$(INTDIR)\msgcat.obj"
+	-@erase "$(INTDIR)\mutexblock.obj"
+	-@erase "$(INTDIR)\meminfo.obj"
+	-@erase "$(INTDIR)\net.obj"
+	-@erase "$(INTDIR)\netaddr.obj"
+	-@erase "$(INTDIR)\netscope.obj"
+	-@erase "$(INTDIR)\ntpaths.obj"
+	-@erase "$(INTDIR)\once.obj"
+	-@erase "$(INTDIR)\ondestroy.obj"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\parseint.obj"
+@IF PKCS11
+	-@erase "$(INTDIR)\pk11.obj"
+	-@erase "$(INTDIR)\pk11_api.obj"
+	-@erase "$(INTDIR)\pk11_result.obj"
+@END PKCS11
+	-@erase "$(INTDIR)\pool.obj"
+	-@erase "$(INTDIR)\portset.obj"
+	-@erase "$(INTDIR)\quota.obj"
+	-@erase "$(INTDIR)\radix.obj"
+	-@erase "$(INTDIR)\random.obj"
+	-@erase "$(INTDIR)\ratelimiter.obj"
+	-@erase "$(INTDIR)\refcount.obj"
+	-@erase "$(INTDIR)\regex.obj"
+	-@erase "$(INTDIR)\region.obj"
+	-@erase "$(INTDIR)\resource.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\rwlock.obj"
+	-@erase "$(INTDIR)\safe.obj"
+	-@erase "$(INTDIR)\serial.obj"
+	-@erase "$(INTDIR)\sha1.obj"
+	-@erase "$(INTDIR)\sha2.obj"
+	-@erase "$(INTDIR)\sockaddr.obj"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\stdio.obj"
+	-@erase "$(INTDIR)\stdtime.obj"
+	-@erase "$(INTDIR)\strerror.obj"
+	-@erase "$(INTDIR)\string.obj"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\syslog.obj"
+	-@erase "$(INTDIR)\task.obj"
+	-@erase "$(INTDIR)\taskpool.obj"
+	-@erase "$(INTDIR)\thread.obj"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\tm.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\win32os.obj"
+	-@erase "$(OUTDIR)\libisc.exp"
+	-@erase "$(OUTDIR)\libisc.lib"
+	-@erase "..\..\..\Build\Release\libisc.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+@IF PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /D "BIND9" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+@END PKCS11
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ @ZLIB_LIB@ /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisc.pdb" @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Release/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" 
+DEF_FILE= \
+	".\libisc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\app.obj" \
+	"$(INTDIR)\condition.obj" \
+	"$(INTDIR)\dir.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\entropy.obj" \
+	"$(INTDIR)\errno.obj" \
+	"$(INTDIR)\errno2result.obj" \
+	"$(INTDIR)\file.obj" \
+	"$(INTDIR)\fsaccess.obj" \
+	"$(INTDIR)\interfaceiter.obj" \
+	"$(INTDIR)\ipv6.obj" \
+	"$(INTDIR)\iterated_hash.obj" \
+	"$(INTDIR)\keyboard.obj" \
+	"$(INTDIR)\meminfo.obj" \
+	"$(INTDIR)\net.obj" \
+	"$(INTDIR)\ntpaths.obj" \
+	"$(INTDIR)\once.obj" \
+	"$(INTDIR)\os.obj" \
+@IF PKCS11
+	"$(INTDIR)\pk11_api.obj" \
+@END PKCS11
+	"$(INTDIR)\resource.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\stdio.obj" \
+	"$(INTDIR)\stdtime.obj" \
+	"$(INTDIR)\strerror.obj" \
+	"$(INTDIR)\syslog.obj" \
+	"$(INTDIR)\thread.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\win32os.obj" \
+@IF AES
+	"$(INTDIR)\aes.obj" \
+@END AES
+	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\backtrace.obj" \
+	"$(INTDIR)\backtrace-emptytbl.obj" \
+	"$(INTDIR)\base32.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\bind9.obj" \
+	"$(INTDIR)\buffer.obj" \
+	"$(INTDIR)\bufferlist.obj" \
+	"$(INTDIR)\commandline.obj" \
+	"$(INTDIR)\counter.obj" \
+	"$(INTDIR)\crc64.obj" \
+	"$(INTDIR)\error.obj" \
+	"$(INTDIR)\event.obj" \
+	"$(INTDIR)\hash.obj" \
+	"$(INTDIR)\heap.obj" \
+	"$(INTDIR)\hex.obj" \
+	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\hmacsha.obj" \
+	"$(INTDIR)\ht.obj" \
+	"$(INTDIR)\httpd.obj" \
+	"$(INTDIR)\inet_aton.obj" \
+	"$(INTDIR)\inet_ntop.obj" \
+	"$(INTDIR)\inet_pton.obj" \
+	"$(INTDIR)\lex.obj" \
+	"$(INTDIR)\lfsr.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\md5.obj" \
+	"$(INTDIR)\mem.obj" \
+	"$(INTDIR)\msgcat.obj" \
+	"$(INTDIR)\mutexblock.obj" \
+	"$(INTDIR)\netaddr.obj" \
+	"$(INTDIR)\netscope.obj" \
+	"$(INTDIR)\ondestroy.obj" \
+@IF PKCS11
+	"$(INTDIR)\pk11.obj" \
+	"$(INTDIR)\pk11_result.obj" \
+@END PKCS11
+	"$(INTDIR)\quota.obj" \
+	"$(INTDIR)\radix.obj" \
+	"$(INTDIR)\random.obj" \
+	"$(INTDIR)\ratelimiter.obj" \
+	"$(INTDIR)\refcount.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rwlock.obj" \
+	"$(INTDIR)\safe.obj" \
+	"$(INTDIR)\serial.obj" \
+	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sha2.obj" \
+	"$(INTDIR)\sockaddr.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\string.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\task.obj" \
+	"$(INTDIR)\taskpool.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tm.obj" \
+	"$(INTDIR)\parseint.obj" \
+	"$(INTDIR)\pool.obj" \
+	"$(INTDIR)\portset.obj" \
+	"$(INTDIR)\regex.obj" \
+	"$(INTDIR)\region.obj"
+
+"..\..\..\Build\Release\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\libisc.dll" "$(OUTDIR)\libisc.bsc"
+
+
+CLEAN :
+@IF AES
+	-@erase "$(INTDIR)\aes.obj"
+	-@erase "$(INTDIR)\aes.sbr"
+@END AES
+	-@erase "$(INTDIR)\app.obj"
+	-@erase "$(INTDIR)\app.sbr"
+	-@erase "$(INTDIR)\assertions.obj"
+	-@erase "$(INTDIR)\assertions.sbr"
+	-@erase "$(INTDIR)\backtrace.obj"
+	-@erase "$(INTDIR)\backtrace-emptytbl.obj"
+	-@erase "$(INTDIR)\backtrace.sbr"
+	-@erase "$(INTDIR)\backtrace-emptytbl.sbr"
+	-@erase "$(INTDIR)\base32.obj"
+	-@erase "$(INTDIR)\base32.sbr"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\base64.sbr"
+	-@erase "$(INTDIR)\bind9.obj"
+	-@erase "$(INTDIR)\bind9.sbr"
+	-@erase "$(INTDIR)\buffer.obj"
+	-@erase "$(INTDIR)\buffer.sbr"
+	-@erase "$(INTDIR)\bufferlist.obj"
+	-@erase "$(INTDIR)\bufferlist.sbr"
+	-@erase "$(INTDIR)\commandline.obj"
+	-@erase "$(INTDIR)\commandline.sbr"
+	-@erase "$(INTDIR)\counter.obj"
+	-@erase "$(INTDIR)\counter.sbr"
+	-@erase "$(INTDIR)\condition.obj"
+	-@erase "$(INTDIR)\condition.sbr"
+	-@erase "$(INTDIR)\crc64.obj"
+	-@erase "$(INTDIR)\crc64.sbr"
+	-@erase "$(INTDIR)\dir.obj"
+	-@erase "$(INTDIR)\dir.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\entropy.obj"
+	-@erase "$(INTDIR)\entropy.sbr"
+	-@erase "$(INTDIR)\errno.obj"
+	-@erase "$(INTDIR)\errno.sbr"
+	-@erase "$(INTDIR)\errno2result.obj"
+	-@erase "$(INTDIR)\errno2result.sbr"
+	-@erase "$(INTDIR)\error.obj"
+	-@erase "$(INTDIR)\error.sbr"
+	-@erase "$(INTDIR)\event.obj"
+	-@erase "$(INTDIR)\event.sbr"
+	-@erase "$(INTDIR)\file.obj"
+	-@erase "$(INTDIR)\file.sbr"
+	-@erase "$(INTDIR)\fsaccess.obj"
+	-@erase "$(INTDIR)\fsaccess.sbr"
+	-@erase "$(INTDIR)\hash.obj"
+	-@erase "$(INTDIR)\hash.sbr"
+	-@erase "$(INTDIR)\heap.obj"
+	-@erase "$(INTDIR)\heap.sbr"
+	-@erase "$(INTDIR)\hex.obj"
+	-@erase "$(INTDIR)\hex.sbr"
+	-@erase "$(INTDIR)\hmacmd5.obj"
+	-@erase "$(INTDIR)\hmacmd5.sbr"
+	-@erase "$(INTDIR)\hmacsha.obj"
+	-@erase "$(INTDIR)\hmacsha.sbr"
+	-@erase "$(INTDIR)\ht.obj"
+	-@erase "$(INTDIR)\ht.sbr"
+	-@erase "$(INTDIR)\httpd.obj"
+	-@erase "$(INTDIR)\httpd.sbr"
+	-@erase "$(INTDIR)\inet_aton.obj"
+	-@erase "$(INTDIR)\inet_aton.sbr"
+	-@erase "$(INTDIR)\inet_ntop.obj"
+	-@erase "$(INTDIR)\inet_ntop.sbr"
+	-@erase "$(INTDIR)\inet_pton.obj"
+	-@erase "$(INTDIR)\inet_pton.sbr"
+	-@erase "$(INTDIR)\interfaceiter.obj"
+	-@erase "$(INTDIR)\interfaceiter.sbr"
+	-@erase "$(INTDIR)\ipv6.obj"
+	-@erase "$(INTDIR)\ipv6.sbr"
+	-@erase "$(INTDIR)\iterated_hash.obj"
+	-@erase "$(INTDIR)\iterated_hash.sbr"
+	-@erase "$(INTDIR)\keyboard.obj"
+	-@erase "$(INTDIR)\keyboard.sbr"
+	-@erase "$(INTDIR)\lex.obj"
+	-@erase "$(INTDIR)\lex.sbr"
+	-@erase "$(INTDIR)\lfsr.obj"
+	-@erase "$(INTDIR)\lfsr.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\md5.obj"
+	-@erase "$(INTDIR)\md5.sbr"
+	-@erase "$(INTDIR)\mem.obj"
+	-@erase "$(INTDIR)\mem.sbr"
+	-@erase "$(INTDIR)\msgcat.obj"
+	-@erase "$(INTDIR)\msgcat.sbr"
+	-@erase "$(INTDIR)\mutexblock.obj"
+	-@erase "$(INTDIR)\mutexblock.sbr"
+	-@erase "$(INTDIR)\meminfo.obj"
+	-@erase "$(INTDIR)\meminfo.sbr"
+	-@erase "$(INTDIR)\net.obj"
+	-@erase "$(INTDIR)\net.sbr"
+	-@erase "$(INTDIR)\netaddr.obj"
+	-@erase "$(INTDIR)\netaddr.sbr"
+	-@erase "$(INTDIR)\netscope.obj"
+	-@erase "$(INTDIR)\netscope.sbr"
+	-@erase "$(INTDIR)\ntpaths.obj"
+	-@erase "$(INTDIR)\ntpaths.sbr"
+	-@erase "$(INTDIR)\once.obj"
+	-@erase "$(INTDIR)\once.sbr"
+	-@erase "$(INTDIR)\ondestroy.obj"
+	-@erase "$(INTDIR)\ondestroy.sbr"
+	-@erase "$(INTDIR)\os.obj"
+	-@erase "$(INTDIR)\os.sbr"
+	-@erase "$(INTDIR)\parseint.obj"
+	-@erase "$(INTDIR)\parseint.sbr"
+@IF PKCS11
+	-@erase "$(INTDIR)\pk11.obj"
+	-@erase "$(INTDIR)\pk11_api.obj"
+	-@erase "$(INTDIR)\pk11_result.obj"
+@END PKCS11
+	-@erase "$(INTDIR)\pool.obj"
+	-@erase "$(INTDIR)\pool.sbr"
+	-@erase "$(INTDIR)\portset.obj"
+	-@erase "$(INTDIR)\portset.sbr"
+	-@erase "$(INTDIR)\quota.obj"
+	-@erase "$(INTDIR)\quota.sbr"
+	-@erase "$(INTDIR)\radix.obj"
+	-@erase "$(INTDIR)\radix.sbr"
+	-@erase "$(INTDIR)\random.obj"
+	-@erase "$(INTDIR)\random.sbr"
+	-@erase "$(INTDIR)\ratelimiter.obj"
+	-@erase "$(INTDIR)\ratelimiter.sbr"
+	-@erase "$(INTDIR)\refcount.obj"
+	-@erase "$(INTDIR)\refcount.sbr"
+	-@erase "$(INTDIR)\regex.obj"
+	-@erase "$(INTDIR)\regex.sbr"
+	-@erase "$(INTDIR)\region.obj"
+	-@erase "$(INTDIR)\region.sbr"
+	-@erase "$(INTDIR)\resource.obj"
+	-@erase "$(INTDIR)\resource.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\rwlock.obj"
+	-@erase "$(INTDIR)\rwlock.sbr"
+	-@erase "$(INTDIR)\safe.obj"
+	-@erase "$(INTDIR)\safe.sbr"
+	-@erase "$(INTDIR)\serial.obj"
+	-@erase "$(INTDIR)\serial.sbr"
+	-@erase "$(INTDIR)\sha1.obj"
+	-@erase "$(INTDIR)\sha1.sbr"
+	-@erase "$(INTDIR)\sha2.obj"
+	-@erase "$(INTDIR)\sha2.sbr"
+	-@erase "$(INTDIR)\sockaddr.obj"
+	-@erase "$(INTDIR)\sockaddr.sbr"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\socket.sbr"
+	-@erase "$(INTDIR)\stats.obj"
+	-@erase "$(INTDIR)\stats.sbr"
+	-@erase "$(INTDIR)\stdio.obj"
+	-@erase "$(INTDIR)\stdio.sbr"
+	-@erase "$(INTDIR)\stdtime.obj"
+	-@erase "$(INTDIR)\stdtime.sbr"
+	-@erase "$(INTDIR)\strerror.obj"
+	-@erase "$(INTDIR)\strerror.sbr"
+	-@erase "$(INTDIR)\string.obj"
+	-@erase "$(INTDIR)\string.sbr"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\symtab.sbr"
+	-@erase "$(INTDIR)\syslog.obj"
+	-@erase "$(INTDIR)\syslog.sbr"
+	-@erase "$(INTDIR)\task.obj"
+	-@erase "$(INTDIR)\task.sbr"
+	-@erase "$(INTDIR)\taskpool.obj"
+	-@erase "$(INTDIR)\taskpool.sbr"
+	-@erase "$(INTDIR)\thread.obj"
+	-@erase "$(INTDIR)\thread.sbr"
+	-@erase "$(INTDIR)\time.obj"
+	-@erase "$(INTDIR)\time.sbr"
+	-@erase "$(INTDIR)\timer.obj"
+	-@erase "$(INTDIR)\timer.sbr"
+	-@erase "$(INTDIR)\tm.obj"
+	-@erase "$(INTDIR)\tm.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(INTDIR)\win32os.obj"
+	-@erase "$(INTDIR)\win32os.sbr"
+	-@erase "$(OUTDIR)\libisc.bsc"
+	-@erase "$(OUTDIR)\libisc.exp"
+	-@erase "$(OUTDIR)\libisc.lib"
+	-@erase "$(OUTDIR)\libisc.map"
+	-@erase "$(OUTDIR)\libisc.pdb"
+	-@erase "..\..\..\Build\Debug\libisc.dll"
+	-@erase "..\..\..\Build\Debug\libisc.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+@IF PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" /I "../../dns/win32/include" /I "../../dns/include" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /D "BIND9" @CRYPTO@ @PK11_LIB_LOCATION@ /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@ELSE PKCS11
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "win32" /I "../../isccfg/include" @LIBXML2_INC@ @OPENSSL_INC@ @ZLIB_INC@ /D "BIND9" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "LIBISC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+@END PKCS11
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisc.bsc"
+BSC32_SBRS= \
+	"$(INTDIR)\app.sbr" \
+	"$(INTDIR)\condition.sbr" \
+	"$(INTDIR)\dir.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\entropy.sbr" \
+	"$(INTDIR)\errno.sbr" \
+	"$(INTDIR)\errno2result.sbr" \
+	"$(INTDIR)\file.sbr" \
+	"$(INTDIR)\fsaccess.sbr" \
+	"$(INTDIR)\interfaceiter.sbr" \
+	"$(INTDIR)\ipv6.sbr" \
+	"$(INTDIR)\iterated_hash.sbr" \
+	"$(INTDIR)\keyboard.sbr" \
+	"$(INTDIR)\meminfo.sbr" \
+	"$(INTDIR)\net.sbr" \
+	"$(INTDIR)\ntpaths.sbr" \
+	"$(INTDIR)\once.sbr" \
+	"$(INTDIR)\os.sbr" \
+@IF PKCS11
+	"$(INTDIR)\pk11_api.sbr" \
+@END PKCS11
+	"$(INTDIR)\resource.sbr" \
+	"$(INTDIR)\socket.sbr" \
+	"$(INTDIR)\stdio.sbr" \
+	"$(INTDIR)\stdtime.sbr" \
+	"$(INTDIR)\strerror.sbr" \
+	"$(INTDIR)\syslog.sbr" \
+	"$(INTDIR)\thread.sbr" \
+	"$(INTDIR)\time.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\win32os.sbr" \
+@IF AES
+	"$(INTDIR)\aes.sbr" \
+@END AES
+	"$(INTDIR)\assertions.sbr" \
+	"$(INTDIR)\backtrace.sbr" \
+	"$(INTDIR)\backtrace-emptytbl.sbr" \
+	"$(INTDIR)\base32.sbr" \
+	"$(INTDIR)\base64.sbr" \
+	"$(INTDIR)\bind9.sbr" \
+	"$(INTDIR)\buffer.sbr" \
+	"$(INTDIR)\bufferlist.sbr" \
+	"$(INTDIR)\commandline.sbr" \
+	"$(INTDIR)\counter.sbr" \
+	"$(INTDIR)\crc64.sbr" \
+	"$(INTDIR)\error.sbr" \
+	"$(INTDIR)\event.sbr" \
+	"$(INTDIR)\hash.sbr" \
+	"$(INTDIR)\heap.sbr" \
+	"$(INTDIR)\hex.sbr" \
+	"$(INTDIR)\hmacmd5.sbr" \
+	"$(INTDIR)\hmacsha.sbr" \
+	"$(INTDIR)\ht.sbr" \
+	"$(INTDIR)\httpd.sbr" \
+	"$(INTDIR)\inet_aton.sbr" \
+	"$(INTDIR)\inet_ntop.sbr" \
+	"$(INTDIR)\inet_pton.sbr" \
+	"$(INTDIR)\lex.sbr" \
+	"$(INTDIR)\lfsr.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\md5.sbr" \
+	"$(INTDIR)\mem.sbr" \
+	"$(INTDIR)\msgcat.sbr" \
+	"$(INTDIR)\mutexblock.sbr" \
+	"$(INTDIR)\netaddr.sbr" \
+	"$(INTDIR)\netscope.sbr" \
+	"$(INTDIR)\ondestroy.sbr" \
+@IF PKCS11
+	"$(INTDIR)\pk11.sbr" \
+	"$(INTDIR)\pk11_result.sbr" \
+@END PKCS11
+	"$(INTDIR)\quota.sbr" \
+	"$(INTDIR)\radix.sbr" \
+	"$(INTDIR)\random.sbr" \
+	"$(INTDIR)\ratelimiter.sbr" \
+	"$(INTDIR)\refcount.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\rwlock.sbr" \
+	"$(INTDIR)\safe.sbr" \
+	"$(INTDIR)\serial.sbr" \
+	"$(INTDIR)\sha1.sbr" \
+	"$(INTDIR)\sha2.sbr" \
+	"$(INTDIR)\sockaddr.sbr" \
+	"$(INTDIR)\stats.sbr" \
+	"$(INTDIR)\string.sbr" \
+	"$(INTDIR)\symtab.sbr" \
+	"$(INTDIR)\task.sbr" \
+	"$(INTDIR)\taskpool.sbr" \
+	"$(INTDIR)\timer.sbr" \
+	"$(INTDIR)\tm.sbr" \
+	"$(INTDIR)\parseint.sbr" \
+	"$(INTDIR)\pool.sbr" \
+	"$(INTDIR)\portset.sbr" \
+	"$(INTDIR)\regex.sbr" \
+	"$(INTDIR)\region.sbr"
+
+"$(OUTDIR)\libisc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib $(LIBXML) @OPENSSL_LIB@ @ZLIB_LIB@ /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisc.pdb" /map:"$(INTDIR)\libisc.map" /debug @MACHINE@ /def:".\libisc.def" /out:"../../../Build/Debug/libisc.dll" /implib:"$(OUTDIR)\libisc.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\app.obj" \
+	"$(INTDIR)\condition.obj" \
+	"$(INTDIR)\dir.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\entropy.obj" \
+	"$(INTDIR)\errno.obj" \
+	"$(INTDIR)\errno2result.obj" \
+	"$(INTDIR)\file.obj" \
+	"$(INTDIR)\fsaccess.obj" \
+	"$(INTDIR)\interfaceiter.obj" \
+	"$(INTDIR)\ipv6.obj" \
+	"$(INTDIR)\iterated_hash.obj" \
+	"$(INTDIR)\keyboard.obj" \
+	"$(INTDIR)\meminfo.obj" \
+	"$(INTDIR)\net.obj" \
+	"$(INTDIR)\ntpaths.obj" \
+	"$(INTDIR)\once.obj" \
+	"$(INTDIR)\os.obj" \
+@IF PKCS11
+	"$(INTDIR)\pk11_api.obj" \
+@END PKCS11
+	"$(INTDIR)\resource.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\stdio.obj" \
+	"$(INTDIR)\stdtime.obj" \
+	"$(INTDIR)\strerror.obj" \
+	"$(INTDIR)\syslog.obj" \
+	"$(INTDIR)\thread.obj" \
+	"$(INTDIR)\time.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\win32os.obj" \
+@IF AES
+	"$(INTDIR)\aes.obj" \
+@END AES
+	"$(INTDIR)\assertions.obj" \
+	"$(INTDIR)\backtrace.obj" \
+	"$(INTDIR)\backtrace-emptytbl.obj" \
+	"$(INTDIR)\base32.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\bind9.obj" \
+	"$(INTDIR)\buffer.obj" \
+	"$(INTDIR)\bufferlist.obj" \
+	"$(INTDIR)\commandline.obj" \
+	"$(INTDIR)\counter.obj" \
+	"$(INTDIR)\crc64.obj" \
+	"$(INTDIR)\error.obj" \
+	"$(INTDIR)\event.obj" \
+	"$(INTDIR)\hash.obj" \
+	"$(INTDIR)\heap.obj" \
+	"$(INTDIR)\hex.obj" \
+	"$(INTDIR)\hmacmd5.obj" \
+	"$(INTDIR)\hmacsha.obj" \
+	"$(INTDIR)\ht.obj" \
+	"$(INTDIR)\httpd.obj" \
+	"$(INTDIR)\inet_aton.obj" \
+	"$(INTDIR)\inet_ntop.obj" \
+	"$(INTDIR)\inet_pton.obj" \
+	"$(INTDIR)\lex.obj" \
+	"$(INTDIR)\lfsr.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\md5.obj" \
+	"$(INTDIR)\mem.obj" \
+	"$(INTDIR)\msgcat.obj" \
+	"$(INTDIR)\mutexblock.obj" \
+	"$(INTDIR)\netaddr.obj" \
+	"$(INTDIR)\netscope.obj" \
+	"$(INTDIR)\ondestroy.obj" \
+@IF PKCS11
+	"$(INTDIR)\pk11.obj" \
+	"$(INTDIR)\pk11_result.obj" \
+@END PKCS11
+	"$(INTDIR)\quota.obj" \
+	"$(INTDIR)\radix.obj" \
+	"$(INTDIR)\random.obj" \
+	"$(INTDIR)\ratelimiter.obj" \
+	"$(INTDIR)\refcount.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\rwlock.obj" \
+	"$(INTDIR)\safe.obj" \
+	"$(INTDIR)\serial.obj" \
+	"$(INTDIR)\sha1.obj" \
+	"$(INTDIR)\sha2.obj" \
+	"$(INTDIR)\sockaddr.obj" \
+	"$(INTDIR)\stats.obj" \
+	"$(INTDIR)\string.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\task.obj" \
+	"$(INTDIR)\taskpool.obj" \
+	"$(INTDIR)\timer.obj" \
+	"$(INTDIR)\tm.obj" \
+	"$(INTDIR)\parseint.obj" \
+	"$(INTDIR)\pool.obj" \
+	"$(INTDIR)\portset.obj" \
+	"$(INTDIR)\regex.obj" \
+	"$(INTDIR)\region.obj"
+
+"..\..\..\Build\Debug\libisc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $<
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisc.dep")
+!INCLUDE "libisc.dep"
+!ELSE
+!MESSAGE Warning: cannot find "libisc.dep"
+!ENDIF
+!ENDIF
+
+
+!IF "$(CFG)" == "libisc - @PLATFORM@ Release" || "$(CFG)" == "libisc - @PLATFORM@ Debug"
+SOURCE=.\app.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\app.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\app.obj"	"$(INTDIR)\app.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\condition.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\condition.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\condition.obj"	"$(INTDIR)\condition.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\dir.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dir.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dir.obj"	"$(INTDIR)\dir.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\entropy.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\entropy.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\entropy.obj"	"$(INTDIR)\entropy.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\errno.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\errno.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\errno.obj"	"$(INTDIR)\errno.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+
+SOURCE=.\errno2result.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\errno2result.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\errno2result.obj"	"$(INTDIR)\errno2result.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\file.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\file.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\file.obj"	"$(INTDIR)\file.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\fsaccess.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\fsaccess.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\fsaccess.obj"	"$(INTDIR)\fsaccess.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\interfaceiter.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\interfaceiter.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\interfaceiter.obj"	"$(INTDIR)\interfaceiter.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\ipv6.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ipv6.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ipv6.obj"	"$(INTDIR)\ipv6.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+
+SOURCE=.\keyboard.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\keyboard.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\keyboard.obj"	"$(INTDIR)\keyboard.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\meminfo.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\meminfo.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\meminfo.obj"	"$(INTDIR)\meminfo.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\net.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\net.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\net.obj"	"$(INTDIR)\net.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\ntpaths.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ntpaths.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ntpaths.obj"	"$(INTDIR)\ntpaths.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\once.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\once.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\once.obj"	"$(INTDIR)\once.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\os.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\os.obj"	"$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\pk11_api.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11_api.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11_api.obj"	"$(INTDIR)\pk11_api.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=.\resource.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\resource.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\resource.obj"	"$(INTDIR)\resource.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\socket.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\socket.obj"	"$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\stdio.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\stdio.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\stdio.obj"	"$(INTDIR)\stdio.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\stdtime.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\stdtime.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\stdtime.obj"	"$(INTDIR)\stdtime.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\strerror.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\strerror.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\strerror.obj"	"$(INTDIR)\strerror.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\syslog.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\syslog.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\syslog.obj"	"$(INTDIR)\syslog.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\thread.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\thread.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\thread.obj"	"$(INTDIR)\thread.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\time.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\time.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\time.obj"	"$(INTDIR)\time.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+SOURCE=.\win32os.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\win32os.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\win32os.obj"	"$(INTDIR)\win32os.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF
+
+@IF AES
+SOURCE=..\aes.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\aes.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\aes.obj"	"$(INTDIR)\aes.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+@END AES
+
+SOURCE=..\assertions.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\assertions.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\assertions.obj"	"$(INTDIR)\assertions.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\backtrace.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\backtrace.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\backtrace.obj"	"$(INTDIR)\backtrace.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\backtrace-emptytbl.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\backtrace-emptytbl.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\backtrace-emptytbl.obj"	"$(INTDIR)\backtrace-emptytbl.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\base32.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\base32.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\base32.obj"	"$(INTDIR)\base32.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\base64.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\bind9.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\bind9.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\bind9.obj"	"$(INTDIR)\bind9.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\buffer.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\buffer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\buffer.obj"	"$(INTDIR)\buffer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\bufferlist.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\bufferlist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\bufferlist.obj"	"$(INTDIR)\bufferlist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\commandline.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\commandline.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\commandline.obj"	"$(INTDIR)\commandline.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\counter.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\counter.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\counter.obj"	"$(INTDIR)\counter.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\crc64.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\crc64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\crc64.obj"	"$(INTDIR)\crc64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\error.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\error.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\error.obj"	"$(INTDIR)\error.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\event.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\event.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\event.obj"	"$(INTDIR)\event.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\hash.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\hash.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\hash.obj"	"$(INTDIR)\hash.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\heap.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\heap.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\heap.obj"	"$(INTDIR)\heap.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\hex.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\hex.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\hex.obj"	"$(INTDIR)\hex.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\hmacmd5.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\hmacmd5.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\hmacmd5.obj"	"$(INTDIR)\hmacmd5.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\hmacsha.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\hmacsha.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\hmacsha.obj"	"$(INTDIR)\hmacsha.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\ht.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ht.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ht.obj"	"$(INTDIR)\ht.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\httpd.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\httpd.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\httpd.obj"	"$(INTDIR)\httpd.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\inet_aton.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\inet_aton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\inet_aton.obj"	"$(INTDIR)\inet_aton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\inet_ntop.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\inet_ntop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\inet_ntop.obj"	"$(INTDIR)\inet_ntop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\inet_pton.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\inet_pton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\inet_pton.obj"	"$(INTDIR)\inet_pton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\iterated_hash.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\iterated_hash.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\iterated_hash.obj"	"$(INTDIR)\iterated_hash.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\lex.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lex.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lex.obj"	"$(INTDIR)\lex.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\lfsr.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lfsr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lfsr.obj"	"$(INTDIR)\lfsr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\md5.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\md5.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\md5.obj"	"$(INTDIR)\md5.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\mem.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\mem.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\mem.obj"	"$(INTDIR)\mem.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\nls\msgcat.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\msgcat.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\msgcat.obj"	"$(INTDIR)\msgcat.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\mutexblock.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\mutexblock.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\mutexblock.obj"	"$(INTDIR)\mutexblock.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\netaddr.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\netaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\netaddr.obj"	"$(INTDIR)\netaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\netscope.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\netscope.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\netscope.obj"	"$(INTDIR)\netscope.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\ondestroy.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ondestroy.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ondestroy.obj"	"$(INTDIR)\ondestroy.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\parseint.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\parseint.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\parseint.obj"	"$(INTDIR)\parseint.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pk11.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11.obj"	"$(INTDIR)\pk11.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pk11_result.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pk11_result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pk11_result.obj"	"$(INTDIR)\pk11_result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\pool.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\pool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\pool.obj"	"$(INTDIR)\pool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\portset.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\portset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\portset.obj"	"$(INTDIR)\portset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\quota.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\quota.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\quota.obj"	"$(INTDIR)\quota.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\radix.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\radix.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\radix.obj"	"$(INTDIR)\radix.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\random.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\random.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\random.obj"	"$(INTDIR)\random.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\ratelimiter.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ratelimiter.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ratelimiter.obj"	"$(INTDIR)\ratelimiter.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\refcount.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\refcount.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\refcount.obj"	"$(INTDIR)\refcount.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\regex.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\regex.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\regex.obj"	"$(INTDIR)\regex.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+
+SOURCE=..\region.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\region.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\region.obj"	"$(INTDIR)\region.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\rwlock.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\rwlock.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\rwlock.obj"	"$(INTDIR)\rwlock.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\safe.c
+
+!IF  "$(CFG)" == "libisc - Win32 Release"
+
+
+"$(INTDIR)\safe.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - Win32 Debug"
+
+
+"$(INTDIR)\safe.obj"	"$(INTDIR)\safe.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\serial.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\serial.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\serial.obj"	"$(INTDIR)\serial.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\sha1.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sha1.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sha1.obj"	"$(INTDIR)\sha1.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\sha2.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sha2.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sha2.obj"	"$(INTDIR)\sha2.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\sockaddr.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sockaddr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sockaddr.obj"	"$(INTDIR)\sockaddr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\stats.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\stats.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\stats.obj"	"$(INTDIR)\stats.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\string.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\string.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\string.obj"	"$(INTDIR)\string.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\symtab.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\task.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\task.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\task.obj"	"$(INTDIR)\task.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\taskpool.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\taskpool.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\taskpool.obj"	"$(INTDIR)\taskpool.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\timer.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\timer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\timer.obj"	"$(INTDIR)\timer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+SOURCE=..\tm.c
+
+!IF  "$(CFG)" == "libisc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\tm.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\tm.obj"	"$(INTDIR)\tm.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF
+
+
+!ENDIF
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/isc/win32/libisc.vcxproj.filters.in b/lib/isc/win32/libisc.vcxproj.filters.in
new file mode 100644
index 0000000..d6a5234
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.filters.in
@@ -0,0 +1,675 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Library Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Win32 Source Files">
+      <UniqueIdentifier>{289562c2-1bdd-4582-b6bd-3f598ee23cbd}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Win32 Header Files">
+      <UniqueIdentifier>{d03c3e6a-e78e-4a01-bd77-64c839b1adfe}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Library Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisc.def" />
+  </ItemGroup>
+  <ItemGroup>
+@IF AES
+    <ClInclude Include="..\include\isc\aes.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@END AES
+    <ClInclude Include="..\include\isc\app.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\assertions.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\backtrace.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\base32.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\base64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\bind9.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\boolean.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\buffer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\bufferlist.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\commandline.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\counter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\crc64.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\entropy.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\errno.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\error.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\event.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\eventclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\file.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\formatcheck.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\fsaccess.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hash.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\heap.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hmacmd5.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\hmacsha.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\ht.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\httpd.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\int.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\interfaceiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\iterated_hash.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\json.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lang.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lfsr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\lib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\list.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\log.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\magic.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\md5.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\mem.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\meminfo.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\msgcat.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\msgs.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\mutexblock.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\netaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\netscope.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\ondestroy.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\os.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\parseint.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\pool.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\portset.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\print.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\queue.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\quota.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\radix.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\random.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\ratelimiter.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\refcount.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\regex.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\region.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\resource.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\resultclass.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\rwlock.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\safe.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\serial.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\sha1.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\sha2.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\sockaddr.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\socket.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stats.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stdio.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\stdlib.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\string.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\symtab.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\task.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\taskpool.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\timer.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\tm.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\types.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\util.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\version.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isc\xml.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+@IF PKCS11
+    <ClInclude Include="..\include\pk11\constants.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\internal.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\pk11.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pk11\result.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pkcs11\pkcs11.h">
+      <Filter>Pkcs11 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pkcs11\pkcs11f.h">
+      <Filter>Pkcs11 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\pkcs11\pkcs11t.h">
+      <Filter>Pkcs11 Header Files</Filter>
+    </ClInclude>
+@END PKCS11
+    <ClInclude Include="include\isc\bind_registry.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\bindevt.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\condition.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\dir.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ipv6.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\keyboard.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\mutex.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\net.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\netdb.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ntgroups.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\ntpaths.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\offset.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\once.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\platform.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\stat.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\stdtime.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\strerror.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\syslog.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\thread.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\time.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\isc\win32os.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="errno2result.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="syslog.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="unistd.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+@IF PKCS11
+    <ClInclude Include="include\pkcs11\cryptoki.h">
+      <Filter>Win32 Header Files</Filter>
+    </ClInclude>
+@END PKCS11
+@IF ATOMIC
+    <ClInclude Include="include\isc\atomic.h">
+@ELSE ATOMIC
+    <ClInclude Include="..\noatomic\include\isc\atomic.h">
+@END ATOMIC
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\config.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\versions.h">
+      <Filter>Library Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="app.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="condition.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="dir.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="entropy.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="errno.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="errno2result.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="file.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="fsaccess.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="interfaceiter.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ipv6.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="keyboard.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="meminfo.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="net.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ntpaths.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="once.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="os.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="resource.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="socket.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="stdio.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="stdtime.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="strerror.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="syslog.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="thread.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="time.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="win32os.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+@IF PKCS11
+    <ClCompile Include="pk11_api.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+@IF AES
+    <ClCompile Include="..\aes.c">
+      <Filter>Win32 Source Files</Filter>
+    </ClCompile>
+@END AES
+    <ClCompile Include="..\assertions.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\backtrace.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\backtrace-emptytbl.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base32.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\bind9.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\buffer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\bufferlist.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\commandline.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\counter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\crc64.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\error.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\event.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hash.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\heap.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hmacmd5.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\hmacsha.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ht.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\httpd.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\inet_aton.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\inet_ntop.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\inet_pton.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\iterated_hash.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lfsr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\md5.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\mem.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\nls\msgcat.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\mutexblock.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\netscope.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ondestroy.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\parseint.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pool.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\portset.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\quota.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\radix.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\random.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ratelimiter.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\refcount.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\regex.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\region.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\rwlock.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\safe.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\serial.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sha1.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sha2.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sockaddr.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\stats.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\string.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\symtab.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\task.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\taskpool.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\timer.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\tm.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@IF PKCS11
+    <ClCompile Include="..\pk11.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\pk11_result.c">
+      <Filter>Library Source Files</Filter>
+    </ClCompile>
+@END PKCS11
+  </ItemGroup>
+</Project>
diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in
new file mode 100644
index 0000000..fb9222a
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.in
@@ -0,0 +1,530 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3840E563-D180-4761-AA9C-E6155F02EAFF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisc</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+@IF PKCS11
+      <PreprocessorDefinitions>BIND9;@CRYPTO@@PK11_LIB_LOCATION@WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;win32;..\..\isccfg\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@ELSE PKCS11
+      <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@END PKCS11
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@LIBXML2_LIB@@OPENSSL_LIB@@ZLIB_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <PreBuildEvent>
+      <Command>cd ..\..\..\win32utils
+
+if NOT Exist ..\Build mkdir ..\Build
+if NOT Exist ..\Build\Debug mkdir ..\Build\Debug
+
+echo Copying COPYRIGHT notice.
+
+copy ..\COPYRIGHT ..\Build\Debug
+
+@IF OPENSSL
+echo Copying the OpenSSL DLL and LICENSE.
+
+copy @OPENSSL_DLL@ ..\Build\Debug\
+copy @OPENSSL_PATH@\LICENSE ..\Build\Debug\OpenSSL-LICENSE
+@END OPENSSL
+
+@IF LIBXML2
+echo Copying the libxml DLL.
+
+copy @LIBXML2_DLL@ ..\Build\Debug\
+@END LIBXML2
+
+@IF GSSAPI
+echo Copying the GSSAPI and KRB5 DLLs.
+
+copy @GSSAPI_DLL@ ..\Build\Debug\
+copy @KRB5_DLL@ ..\Build\Debug\
+copy @COMERR_DLL@ ..\Build\Debug\
+copy @K5SPRT_DLL@ ..\Build\Debug\
+copy @WSHELP_DLL@ ..\Build\Debug\
+@END GSSAPI
+
+@IF GEOIP
+echo Copying the GeoIP DLL.
+
+copy @GEOIP_DLL@ ..\Build\Debug\
+@END GEOIP
+
+@IF IDNKIT
+echo Copying the IDN kit DLL.
+
+copy @IDN_DLL@ ..\Build\Debug\
+copy @ICONV_DLL@ ..\Build\Debug\
+@END IDNKIT
+
+@IF ZLIB
+echo Copying the zlib DLL.
+
+copy @ZLIB_DLL@	..\Build\Debug\
+@END ZLIB
+
+echo Copying Visual C x86 Redistributable Installer.
+
+copy /Y @VCREDIST_PATH@	..\Build\Debug\
+
+echo Copying install files (flags and file list).
+
+copy InstallFlags ..\Build\Debug\
+copy InstallFiles ..\Build\Debug\
+
+</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+@IF PKCS11
+      <PreprocessorDefinitions>BIND9;@CRYPTO@@PK11_LIB_LOCATION@WIN32;NDEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;win32;..\..\isccfg\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@ELSE PKCS11
+      <PreprocessorDefinitions>BIND9;WIN32;_DEBUG;_WINDOWS;_USRDLL;LIBISC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@@ZLIB_INC@include;..\include;win32;..\..\isccfg\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+@END PKCS11
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalDependencies>@LIBXML2_LIB@@OPENSSL_LIB@@ZLIB_LIB@ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+    <PreBuildEvent>
+      <Command>cd ..\..\..\win32utils
+
+if NOT Exist ..\Build mkdir ..\Build
+if NOT Exist ..\Build\Release mkdir ..\Build\Release
+
+echo Copying the ARM and the Installation Notes.
+
+copy ..\COPYRIGHT ..\Build\Release
+copy ..\README ..\Build\Release
+copy ..\HISTORY ..\Build\Release
+copy readme1st.txt ..\Build\Release
+copy index.html ..\Build\Release
+copy ..\doc\arm\*.html ..\Build\Release
+copy ..\doc\arm\notes.pdf ..\Build\Release
+copy ..\doc\arm\Bv9ARM.pdf ..\Build\Release
+copy ..\CHANGES ..\Build\Release
+if Exist ..\CHANGES.SE copy ..\CHANGES.SE ..\Build\Release
+copy ..\FAQ ..\Build\Release
+
+echo Copying the standalone manual pages.
+
+copy ..\bin\named\named.html ..\Build\Release
+copy ..\bin\named\named.conf.html ..\Build\Release
+copy ..\bin\named\lwresd.html ..\Build\Release
+copy ..\bin\rndc\*.html ..\Build\Release
+copy ..\bin\confgen\*.html ..\Build\Release
+copy ..\bin\dig\*.html ..\Build\Release
+copy ..\bin\delv\*.html ..\Build\Release
+copy ..\bin\nsupdate\*.html ..\Build\Release
+copy ..\bin\check\*.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-keygen.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-signzone.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-dsfromkey.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-keyfromlabel.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-settime.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-revoke.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-verify.html ..\Build\Release
+copy ..\bin\dnssec\dnssec-importkey.html ..\Build\Release
+@IF PYTHON
+copy ..\bin\python\dnssec-checkds.html ..\Build\Release
+copy ..\bin\python\dnssec-coverage.html ..\Build\Release
+copy ..\bin\python\dnssec-keymgr.html ..\Build\Release
+@END PYTHON
+@IF PKCS11
+copy ..\bin\pkcs11\pkcs11-keygen.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-list.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release
+copy ..\bin\pkcs11\pkcs11-tokens.html ..\Build\Release
+@END PKCS11
+copy ..\bin\tools\arpaname.html ..\Build\Release
+copy ..\bin\tools\genrandom.html ..\Build\Release
+copy ..\bin\tools\isc-hmac-fixup.html ..\Build\Release
+copy ..\bin\tools\named-journalprint.html ..\Build\Release
+copy ..\bin\tools\named-rrchecker.html ..\Build\Release
+copy ..\bin\tools\nsec3hash.html ..\Build\Release
+copy ..\bin\tools\mdig.html ..\Build\Release
+
+echo Copying the migration notes.
+
+copy ..\doc\misc\migration ..\Build\Release
+copy ..\doc\misc\migration-4to9 ..\Build\Release
+
+@IF OPENSSL
+echo Copying the OpenSSL DLL and LICENSE.
+
+copy @OPENSSL_DLL@ ..\Build\Release\
+copy @OPENSSL_PATH@\LICENSE ..\Build\Release\OpenSSL-LICENSE
+@END OPENSSL
+
+@IF LIBXML2
+echo Copying the libxml DLL.
+
+copy @LIBXML2_DLL@ ..\Build\Release\
+@END LIBXML2
+
+@IF GSSAPI
+echo Copying the GSSAPI and KRB5 DLLs.
+
+copy @GSSAPI_DLL@ ..\Build\Release\
+copy @KRB5_DLL@ ..\Build\Release\
+copy @COMERR_DLL@ ..\Build\Release\
+copy @K5SPRT_DLL@ ..\Build\Release\
+copy @WSHELP_DLL@ ..\Build\Release\
+@END GSSAPI
+
+@IF GEOIP
+echo Copying the GeoIP DLL.
+
+copy @GEOIP_DLL@ ..\Build\Release\
+@END GEOIP
+
+@IF IDNKIT
+echo Copying the IDN kit DLL.
+
+copy @IDN_DLL@ ..\Build\Release\
+copy @ICONV_DLL@ ..\Build\Release\
+@END IDNKIT
+
+@IF ZLIB
+echo Copying the zlib DLL.
+
+copy @ZLIB_DLL@ ..\Build\Release\
+@END ZLIB
+
+echo Copying Visual C x86 Redistributable Installer.
+
+copy /Y @VCREDIST_PATH@ ..\Build\Release\
+
+echo Copying install files (flags and file list).
+
+copy InstallFlags ..\Build\Release\
+copy InstallFiles ..\Build\Release\
+
+</Command>
+    </PreBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\config.h" />
+@IF AES
+    <ClInclude Include="..\include\isc\aes.h" />
+@END AES
+    <ClInclude Include="..\include\isc\app.h" />
+    <ClInclude Include="..\include\isc\assertions.h" />
+    <ClInclude Include="..\include\isc\backtrace.h" />
+    <ClInclude Include="..\include\isc\base32.h" />
+    <ClInclude Include="..\include\isc\base64.h" />
+    <ClInclude Include="..\include\isc\bind9.h" />
+    <ClInclude Include="..\include\isc\boolean.h" />
+    <ClInclude Include="..\include\isc\buffer.h" />
+    <ClInclude Include="..\include\isc\bufferlist.h" />
+    <ClInclude Include="..\include\isc\commandline.h" />
+    <ClInclude Include="..\include\isc\counter.h" />
+    <ClInclude Include="..\include\isc\crc64.h" />
+    <ClInclude Include="..\include\isc\entropy.h" />
+    <ClInclude Include="..\include\isc\errno.h" />
+    <ClInclude Include="..\include\isc\error.h" />
+    <ClInclude Include="..\include\isc\event.h" />
+    <ClInclude Include="..\include\isc\eventclass.h" />
+    <ClInclude Include="..\include\isc\file.h" />
+    <ClInclude Include="..\include\isc\formatcheck.h" />
+    <ClInclude Include="..\include\isc\fsaccess.h" />
+    <ClInclude Include="..\include\isc\hash.h" />
+    <ClInclude Include="..\include\isc\heap.h" />
+    <ClInclude Include="..\include\isc\hex.h" />
+    <ClInclude Include="..\include\isc\hmacmd5.h" />
+    <ClInclude Include="..\include\isc\hmacsha.h" />
+    <ClInclude Include="..\include\isc\ht.h" />
+    <ClInclude Include="..\include\isc\httpd.h" />
+    <ClInclude Include="..\include\isc\int.h" />
+    <ClInclude Include="..\include\isc\interfaceiter.h" />
+    <ClInclude Include="..\include\isc\iterated_hash.h" />
+    <ClInclude Include="..\include\isc\json.h" />
+    <ClInclude Include="..\include\isc\lang.h" />
+    <ClInclude Include="..\include\isc\lex.h" />
+    <ClInclude Include="..\include\isc\lfsr.h" />
+    <ClInclude Include="..\include\isc\lib.h" />
+    <ClInclude Include="..\include\isc\list.h" />
+    <ClInclude Include="..\include\isc\log.h" />
+    <ClInclude Include="..\include\isc\magic.h" />
+    <ClInclude Include="..\include\isc\md5.h" />
+    <ClInclude Include="..\include\isc\mem.h" />
+    <ClInclude Include="..\include\isc\meminfo.h" />
+    <ClInclude Include="..\include\isc\msgcat.h" />
+    <ClInclude Include="..\include\isc\msgs.h" />
+    <ClInclude Include="..\include\isc\mutexblock.h" />
+    <ClInclude Include="..\include\isc\netaddr.h" />
+    <ClInclude Include="..\include\isc\netscope.h" />
+    <ClInclude Include="..\include\isc\ondestroy.h" />
+    <ClInclude Include="..\include\isc\os.h" />
+    <ClInclude Include="..\include\isc\parseint.h" />
+    <ClInclude Include="..\include\isc\pool.h" />
+    <ClInclude Include="..\include\isc\portset.h" />
+    <ClInclude Include="..\include\isc\print.h" />
+    <ClInclude Include="..\include\isc\queue.h" />
+    <ClInclude Include="..\include\isc\quota.h" />
+    <ClInclude Include="..\include\isc\radix.h" />
+    <ClInclude Include="..\include\isc\random.h" />
+    <ClInclude Include="..\include\isc\ratelimiter.h" />
+    <ClInclude Include="..\include\isc\refcount.h" />
+    <ClInclude Include="..\include\isc\regex.h" />
+    <ClInclude Include="..\include\isc\region.h" />
+    <ClInclude Include="..\include\isc\resource.h" />
+    <ClInclude Include="..\include\isc\result.h" />
+    <ClInclude Include="..\include\isc\resultclass.h" />
+    <ClInclude Include="..\include\isc\rwlock.h" />
+    <ClInclude Include="..\include\isc\safe.h" />
+    <ClInclude Include="..\include\isc\serial.h" />
+    <ClInclude Include="..\include\isc\sha1.h" />
+    <ClInclude Include="..\include\isc\sha2.h" />
+    <ClInclude Include="..\include\isc\sockaddr.h" />
+    <ClInclude Include="..\include\isc\socket.h" />
+    <ClInclude Include="..\include\isc\stats.h" />
+    <ClInclude Include="..\include\isc\stdio.h" />
+    <ClInclude Include="..\include\isc\stdlib.h" />
+    <ClInclude Include="..\include\isc\string.h" />
+    <ClInclude Include="..\include\isc\symtab.h" />
+    <ClInclude Include="..\include\isc\task.h" />
+    <ClInclude Include="..\include\isc\taskpool.h" />
+    <ClInclude Include="..\include\isc\timer.h" />
+    <ClInclude Include="..\include\isc\tm.h" />
+    <ClInclude Include="..\include\isc\types.h" />
+    <ClInclude Include="..\include\isc\util.h" />
+    <ClInclude Include="..\include\isc\version.h" />
+    <ClInclude Include="..\include\isc\xml.h" />
+@IF PKCS11
+    <ClInclude Include="..\include\pk11\constants.h" />
+    <ClInclude Include="..\include\pk11\internal.h" />
+    <ClInclude Include="..\include\pk11\pk11.h" />
+    <ClInclude Include="..\include\pk11\result.h" />
+    <ClInclude Include="..\include\pkcs11\pkcs11.h" />
+    <ClInclude Include="..\include\pkcs11\pkcs11f.h" />
+    <ClInclude Include="..\include\pkcs11\pkcs11t.h" />
+@END PKCS11
+@IF ATOMIC
+    <ClInclude Include="include\isc\atomic.h" />
+@ELSE ATOMIC
+    <ClInclude Include="..\noatomic\include\isc\atomic.h" />
+@END ATOMIC
+    <ClInclude Include="errno2result.h" />
+    <ClInclude Include="include\isc\bindevt.h" />
+    <ClInclude Include="include\isc\bind_registry.h" />
+    <ClInclude Include="include\isc\condition.h" />
+    <ClInclude Include="include\isc\dir.h" />
+    <ClInclude Include="include\isc\ipv6.h" />
+    <ClInclude Include="include\isc\keyboard.h" />
+    <ClInclude Include="include\isc\mutex.h" />
+    <ClInclude Include="include\isc\net.h" />
+    <ClInclude Include="include\isc\netdb.h" />
+    <ClInclude Include="include\isc\ntgroups.h" />
+    <ClInclude Include="include\isc\ntpaths.h" />
+    <ClInclude Include="include\isc\offset.h" />
+    <ClInclude Include="include\isc\once.h" />
+    <ClInclude Include="include\isc\platform.h" />
+    <ClInclude Include="include\isc\stat.h" />
+    <ClInclude Include="include\isc\stdtime.h" />
+    <ClInclude Include="include\isc\strerror.h" />
+    <ClInclude Include="include\isc\syslog.h" />
+    <ClInclude Include="include\isc\thread.h" />
+    <ClInclude Include="include\isc\time.h" />
+    <ClInclude Include="include\isc\win32os.h" />
+    <ClInclude Include="syslog.h" />
+    <ClInclude Include="unistd.h" />
+@IF PKCS11
+    <ClInclude Include="include\pkcs11\cryptoki.h" />
+@END PKCS11
+    <ClInclude Include="..\..\versions.h" />
+  </ItemGroup>
+  <ItemGroup>
+@IF AES
+    <ClCompile Include="..\aes.c" />
+@END AES
+    <ClCompile Include="..\assertions.c" />
+    <ClCompile Include="..\backtrace-emptytbl.c" />
+    <ClCompile Include="..\backtrace.c" />
+    <ClCompile Include="..\base32.c" />
+    <ClCompile Include="..\base64.c" />
+    <ClCompile Include="..\bind9.c" />
+    <ClCompile Include="..\buffer.c" />
+    <ClCompile Include="..\bufferlist.c" />
+    <ClCompile Include="..\commandline.c" />
+    <ClCompile Include="..\counter.c" />
+    <ClCompile Include="..\crc64.c" />
+    <ClCompile Include="..\error.c" />
+    <ClCompile Include="..\event.c" />
+    <ClCompile Include="..\hash.c" />
+    <ClCompile Include="..\heap.c" />
+    <ClCompile Include="..\hex.c" />
+    <ClCompile Include="..\hmacmd5.c" />
+    <ClCompile Include="..\hmacsha.c" />
+    <ClCompile Include="..\ht.c" />
+    <ClCompile Include="..\httpd.c" />
+    <ClCompile Include="..\inet_aton.c" />
+    <ClCompile Include="..\inet_ntop.c" />
+    <ClCompile Include="..\inet_pton.c" />
+    <ClCompile Include="..\iterated_hash.c" />
+    <ClCompile Include="..\lex.c" />
+    <ClCompile Include="..\lfsr.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\md5.c" />
+    <ClCompile Include="..\mem.c" />
+    <ClCompile Include="..\mutexblock.c" />
+    <ClCompile Include="..\netaddr.c" />
+    <ClCompile Include="..\netscope.c" />
+    <ClCompile Include="..\nls\msgcat.c" />
+    <ClCompile Include="..\ondestroy.c" />
+    <ClCompile Include="..\parseint.c" />
+    <ClCompile Include="..\pool.c" />
+    <ClCompile Include="..\portset.c" />
+    <ClCompile Include="..\quota.c" />
+    <ClCompile Include="..\radix.c" />
+    <ClCompile Include="..\random.c" />
+    <ClCompile Include="..\ratelimiter.c" />
+    <ClCompile Include="..\refcount.c" />
+    <ClCompile Include="..\regex.c" />
+    <ClCompile Include="..\region.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\rwlock.c" />
+    <ClCompile Include="..\safe.c" />
+    <ClCompile Include="..\serial.c" />
+    <ClCompile Include="..\sha1.c" />
+    <ClCompile Include="..\sha2.c" />
+    <ClCompile Include="..\sockaddr.c" />
+    <ClCompile Include="..\stats.c" />
+    <ClCompile Include="..\string.c" />
+    <ClCompile Include="..\symtab.c" />
+    <ClCompile Include="..\task.c" />
+    <ClCompile Include="..\taskpool.c" />
+    <ClCompile Include="..\timer.c" />
+    <ClCompile Include="..\tm.c" />
+@IF PKCS11
+    <ClCompile Include="..\pk11.c" />
+    <ClCompile Include="..\pk11_result.c" />
+@END PKCS11
+    <ClCompile Include="app.c" />
+    <ClCompile Include="condition.c" />
+    <ClCompile Include="dir.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="entropy.c" />
+    <ClCompile Include="errno.c" />
+    <ClCompile Include="errno2result.c" />
+    <ClCompile Include="file.c" />
+    <ClCompile Include="fsaccess.c" />
+    <ClCompile Include="interfaceiter.c" />
+    <ClCompile Include="ipv6.c" />
+    <ClCompile Include="keyboard.c" />
+    <ClCompile Include="meminfo.c" />
+    <ClCompile Include="net.c" />
+    <ClCompile Include="ntpaths.c" />
+    <ClCompile Include="once.c" />
+    <ClCompile Include="os.c" />
+    <ClCompile Include="resource.c" />
+    <ClCompile Include="socket.c" />
+    <ClCompile Include="stdio.c" />
+    <ClCompile Include="stdtime.c" />
+    <ClCompile Include="strerror.c" />
+    <ClCompile Include="syslog.c" />
+    <ClCompile Include="thread.c" />
+    <ClCompile Include="time.c" />
+    <ClCompile Include="version.c" />
+    <ClCompile Include="win32os.c" />
+@IF PKCS11
+    <ClCompile Include="pk11_api.c" />
+@END PKCS11
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isc/win32/libisc.vcxproj.user b/lib/isc/win32/libisc.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/isc/win32/libisc.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/isc/win32/meminfo.c b/lib/isc/win32/meminfo.c
new file mode 100644
index 0000000..51077f6
--- /dev/null
+++ b/lib/isc/win32/meminfo.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <windows.h>
+
+#include <isc/meminfo.h>
+
+uint64_t
+isc_meminfo_totalphys(void) {
+	MEMORYSTATUSEX statex;
+
+	statex.dwLength = sizeof(statex);
+	GlobalMemoryStatusEx(&statex);
+	return ((uint64_t)statex.ullTotalPhys);
+}
diff --git a/lib/isc/win32/net.c b/lib/isc/win32/net.c
new file mode 100644
index 0000000..c49bb6b
--- /dev/null
+++ b/lib/isc/win32/net.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/log.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*%
+ * Definitions about UDP port range specification.  This is a total mess of
+ * portability variants: some use sysctl (but the sysctl names vary), some use
+ * system-specific interfaces, some have the same interface for IPv4 and IPv6,
+ * some separate them, etc...
+ */
+
+/*%
+ * The last resort defaults: use all non well known port space
+ */
+#ifndef ISC_NET_PORTRANGELOW
+#define ISC_NET_PORTRANGELOW 1024
+#endif	/* ISC_NET_PORTRANGELOW */
+#ifndef ISC_NET_PORTRANGEHIGH
+#define ISC_NET_PORTRANGEHIGH 65535
+#endif	/* ISC_NET_PORTRANGEHIGH */
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
+const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
+#endif
+
+static isc_once_t 	once = ISC_ONCE_INIT;
+static isc_once_t 	once_ipv6only = ISC_ONCE_INIT;
+static isc_once_t 	once_ipv6pktinfo = ISC_ONCE_INIT;
+static isc_result_t	ipv4_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6only_result = ISC_R_NOTFOUND;
+static isc_result_t	ipv6pktinfo_result = ISC_R_NOTFOUND;
+
+void InitSockets(void);
+
+static isc_result_t
+try_proto(int domain) {
+	SOCKET s;
+	char strbuf[ISC_STRERRORSIZE];
+	int errval;
+
+	s = socket(domain, SOCK_STREAM, IPPROTO_TCP);
+	if (s == INVALID_SOCKET) {
+		errval = WSAGetLastError();
+		switch (errval) {
+		case WSAEAFNOSUPPORT:
+		case WSAEPROTONOSUPPORT:
+		case WSAEINVAL:
+			return (ISC_R_NOTFOUND);
+		default:
+			isc__strerror(errval, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() %s: %s",
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	closesocket(s);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+	InitSockets();
+	ipv4_result = try_proto(PF_INET);
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+	ipv6_result = try_proto(PF_INET6);
+#endif
+#endif
+#endif
+}
+
+static void
+initialize(void) {
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_net_probeipv4(void) {
+	initialize();
+	return (ipv4_result);
+}
+
+isc_result_t
+isc_net_probeipv6(void) {
+	initialize();
+	return (ipv6_result);
+}
+
+isc_result_t
+isc_net_probeunix(void) {
+	return (ISC_R_NOTFOUND);
+}
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+	SOCKET s;
+	int on;
+	char strbuf[ISC_STRERRORSIZE];
+#endif
+	isc_result_t result;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6only_result = result;
+		return;
+	}
+
+#ifndef IPV6_V6ONLY
+	ipv6only_result = ISC_R_NOTFOUND;
+	return;
+#else
+	/* check for TCP sockets */
+	s = socket(PF_INET6, SOCK_STREAM, 0);
+	if (s == INVALID_SOCKET) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&on,
+		       sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	closesocket(s);
+
+	/* check for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	if (s == INVALID_SOCKET) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6only_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&on,
+		       sizeof(on)) < 0) {
+		ipv6only_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6only_result = ISC_R_SUCCESS;
+
+close:
+	closesocket(s);
+	return;
+#endif /* IPV6_V6ONLY */
+}
+
+static void
+initialize_ipv6only(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6only,
+				  try_ipv6only) == ISC_R_SUCCESS);
+}
+
+#ifdef __notyet__
+/*
+ * XXXMPA requires win32/socket.c to be updated to support
+ * WSASendMsg and WSARecvMsg which are themselves Winsock
+ * and compiler version dependent.
+ */
+static void
+try_ipv6pktinfo(void) {
+	SOCKET s;
+	int on;
+	char strbuf[ISC_STRERRORSIZE];
+	isc_result_t result;
+	int optname;
+
+	result = isc_net_probeipv6();
+	if (result != ISC_R_SUCCESS) {
+		ipv6pktinfo_result = result;
+		return;
+	}
+
+	/* we only use this for UDP sockets */
+	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+	if (s == INVALID_SOCKET) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "socket() %s: %s",
+				 isc_msgcat_get(isc_msgcat,
+						ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED,
+						"failed"),
+				 strbuf);
+		ipv6pktinfo_result = ISC_R_UNEXPECTED;
+		return;
+	}
+
+#ifdef IPV6_RECVPKTINFO
+	optname = IPV6_RECVPKTINFO;
+#else
+	optname = IPV6_PKTINFO;
+#endif
+	on = 1;
+	if (setsockopt(s, IPPROTO_IPV6, optname, (const char *) &on,
+		       sizeof(on)) < 0) {
+		ipv6pktinfo_result = ISC_R_NOTFOUND;
+		goto close;
+	}
+
+	ipv6pktinfo_result = ISC_R_SUCCESS;
+
+close:
+	closesocket(s);
+	return;
+}
+
+static void
+initialize_ipv6pktinfo(void) {
+	RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo,
+				  try_ipv6pktinfo) == ISC_R_SUCCESS);
+}
+#endif /* __notyet__ */
+#endif /* WANT_IPV6 */
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+	initialize_ipv6only();
+#else
+	ipv6only_result = ISC_R_NOTFOUND;
+#endif
+#endif
+	return (ipv6only_result);
+}
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void) {
+#ifdef __notyet__
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+	initialize_ipv6pktinfo();
+#else
+	ipv6pktinfo_result = ISC_R_NOTFOUND;
+#endif
+#endif
+#endif /* __notyet__ */
+	return (ipv6pktinfo_result);
+}
+
+isc_result_t
+isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high) {
+	int result = ISC_R_FAILURE;
+
+	REQUIRE(low != NULL && high != NULL);
+
+	UNUSED(af);
+
+	if (result != ISC_R_SUCCESS) {
+		*low = ISC_NET_PORTRANGELOW;
+		*high = ISC_NET_PORTRANGEHIGH;
+	}
+
+	return (ISC_R_SUCCESS);	/* we currently never fail in this function */
+}
+
+void
+isc_net_disableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_SUCCESS)
+		ipv4_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_disableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_SUCCESS)
+		ipv6_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_enableipv4(void) {
+	initialize();
+	if (ipv4_result == ISC_R_DISABLED)
+		ipv4_result = ISC_R_SUCCESS;
+}
+
+void
+isc_net_enableipv6(void) {
+	initialize();
+	if (ipv6_result == ISC_R_DISABLED)
+		ipv6_result = ISC_R_SUCCESS;
+}
+
+unsigned int
+isc_net_probedscp(void) {
+	return (0);
+}
diff --git a/lib/isc/win32/netdb.h b/lib/isc/win32/netdb.h
new file mode 100644
index 0000000..a9398c8
--- /dev/null
+++ b/lib/isc/win32/netdb.h
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef NETDB_H
+#define NETDB_H 1
+
+#include <stddef.h>
+#include <winsock2.h>
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+
+#if _MSC_VER < 1600
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+
+/*
+ * Undefine all \#defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_MAX		14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+#define	NI_NUMERICSCOPE	0x00000020	/*2553bis-00*/
+
+/*
+ * Structures for getrrsetbyname()
+ */
+struct rdatainfo {
+	unsigned int		rdi_length;
+	unsigned char		*rdi_data;
+};
+
+struct rrsetinfo {
+	unsigned int		rri_flags;
+	int			rri_rdclass;
+	int			rri_rdtype;
+	unsigned int		rri_ttl;
+	unsigned int		rri_nrdatas;
+	unsigned int		rri_nsigs;
+	char			*rri_name;
+	struct rdatainfo	*rri_rdatas;
+	struct rdatainfo	*rri_sigs;
+};
+
+/*
+ * Flags for getrrsetbyname()
+ */
+#define RRSET_VALIDATED		0x00000001
+	/* Set was dnssec validated */
+
+/*
+ * Return codes for getrrsetbyname()
+ */
+#define ERRSET_SUCCESS		0
+#define ERRSET_NOMEMORY		1
+#define ERRSET_FAIL		2
+#define ERRSET_INVAL		3
+
+
+#endif /* NETDB_H */
diff --git a/lib/isc/win32/ntgroups.c b/lib/isc/win32/ntgroups.c
new file mode 100644
index 0000000..e3a45ca
--- /dev/null
+++ b/lib/isc/win32/ntgroups.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * The NT Groups have two groups that are not well documented and are
+ * not normally seen: None and Everyone.  A user account belongs to
+ * any number of groups, but if it is not a member of any group then
+ * it is a member of the None Group. The None group is not listed
+ * anywhere. You cannot remove an account from the none group except
+ * by making it a member of some other group, The second group is the
+ * Everyone group.  All accounts, no matter how many groups that they
+ * belong to, also belong to the Everyone group. You cannot remove an
+ * account from the Everyone group.
+ */
+
+#ifndef UNICODE
+#define UNICODE
+#endif /* UNICODE */
+
+/*
+ * Silence warnings.
+ */
+#define _CRT_SECURE_NO_DEPRECATE 1
+
+#include <windows.h>
+#include <assert.h>
+#include <lm.h>
+
+#include <isc/ntgroups.h>
+#include <isc/result.h>
+
+#define MAX_NAME_LENGTH 256
+
+isc_result_t
+isc_ntsecurity_getaccountgroups(char *username, char **GroupList,
+				unsigned int maxgroups,
+				unsigned int *totalGroups) {
+	LPGROUP_USERS_INFO_0 pTmpBuf;
+	LPLOCALGROUP_USERS_INFO_0 pTmpLBuf;
+	DWORD i;
+	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+	LPGROUP_USERS_INFO_0 pgrpBuf = NULL;
+	DWORD dwLevel = 0;
+	DWORD dwFlags = LG_INCLUDE_INDIRECT;
+	DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
+	DWORD dwEntriesRead = 0;
+	DWORD dwTotalEntries = 0;
+	NET_API_STATUS nStatus;
+	size_t retlen;
+	wchar_t user[MAX_NAME_LENGTH];
+
+	retlen = mbstowcs(user, username, MAX_NAME_LENGTH);
+
+	*totalGroups = 0;
+	/*
+	 * Call the NetUserGetLocalGroups function
+	 * specifying information level 0.
+	 *
+	 * The LG_INCLUDE_INDIRECT flag specifies that the
+	 * function should also return the names of the local
+	 * groups in which the user is indirectly a member.
+	 */
+	nStatus = NetUserGetLocalGroups(NULL,
+				   user,
+				   dwLevel,
+				   dwFlags,
+				   (LPBYTE *) &pBuf,
+				   dwPrefMaxLen,
+				   &dwEntriesRead,
+				   &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED)
+			return (ISC_R_NOPERM);
+		if (nStatus == ERROR_MORE_DATA)
+			return (ISC_R_NOSPACE);
+		if (nStatus == NERR_UserNotFound)
+			dwEntriesRead = 0;
+	}
+
+	if (pBuf != NULL) {
+		pTmpLBuf = pBuf;
+		/*
+		 * Loop through the entries
+		 */
+		 for (i = 0;
+		     (i < dwEntriesRead && *totalGroups < maxgroups); i++) {
+			assert(pTmpLBuf != NULL);
+			if (pTmpLBuf == NULL)
+				break;
+			retlen = wcslen(pTmpLBuf->lgrui0_name);
+			GroupList[*totalGroups] = (char *) malloc(retlen +1);
+			if (GroupList[*totalGroups] == NULL)
+				return (ISC_R_NOMEMORY);
+
+			retlen = wcstombs(GroupList[*totalGroups],
+				 pTmpLBuf->lgrui0_name, retlen);
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0)
+				free(GroupList[*totalGroups]);
+			else
+				(*totalGroups)++;
+			pTmpLBuf++;
+		}
+	}
+	/* Free the allocated memory. */
+	if (pBuf != NULL)
+		NetApiBufferFree(pBuf);
+
+
+	/*
+	 * Call the NetUserGetGroups function, specifying level 0.
+	 */
+	nStatus = NetUserGetGroups(NULL,
+			      user,
+			      dwLevel,
+			      (LPBYTE*)&pgrpBuf,
+			      dwPrefMaxLen,
+			      &dwEntriesRead,
+			      &dwTotalEntries);
+	/*
+	 * See if the call succeeds,
+	 */
+	if (nStatus != NERR_Success) {
+		if (nStatus == ERROR_ACCESS_DENIED)
+			return (ISC_R_NOPERM);
+		if (nStatus == ERROR_MORE_DATA)
+			return (ISC_R_NOSPACE);
+		if (nStatus == NERR_UserNotFound)
+			dwEntriesRead = 0;
+	}
+
+	if (pgrpBuf != NULL) {
+		pTmpBuf = pgrpBuf;
+		/*
+		 * Loop through the entries
+		 */
+		 for (i = 0;
+		     (i < dwEntriesRead && *totalGroups < maxgroups); i++) {
+			assert(pTmpBuf != NULL);
+
+			if (pTmpBuf == NULL)
+				break;
+			retlen = wcslen(pTmpBuf->grui0_name);
+			GroupList[*totalGroups] = (char *) malloc(retlen +1);
+			if (GroupList[*totalGroups] == NULL)
+				return (ISC_R_NOMEMORY);
+
+			retlen = wcstombs(GroupList[*totalGroups],
+				 pTmpBuf->grui0_name, retlen);
+			GroupList[*totalGroups][retlen] = '\0';
+			if (strcmp(GroupList[*totalGroups], "None") == 0)
+				free(GroupList[*totalGroups]);
+			else
+				(*totalGroups)++;
+			pTmpBuf++;
+		}
+	}
+	/*
+	 * Free the allocated memory.
+	 */
+	if (pgrpBuf != NULL)
+		NetApiBufferFree(pgrpBuf);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/ntpaths.c b/lib/isc/win32/ntpaths.c
new file mode 100644
index 0000000..df71bfa
--- /dev/null
+++ b/lib/isc/win32/ntpaths.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * This module fetches the required path information that is specific
+ * to NT systems which can have its configuration and system files
+ * almost anywhere. It can be used to override whatever the application
+ * had previously assigned to the pointer. Basic information about the
+ * file locations are stored in the registry.
+ */
+
+#include <config.h>
+
+#include <isc/bind_registry.h>
+#include <isc/ntpaths.h>
+#include <isc/string.h>
+
+/*
+ * Module Variables
+ */
+
+static char systemDir[MAX_PATH];
+static char namedBase[MAX_PATH];
+static char ns_confFile[MAX_PATH];
+static char lwresd_confFile[MAX_PATH];
+static char lwresd_resolvconfFile[MAX_PATH];
+static char rndc_confFile[MAX_PATH];
+static char ns_defaultpidfile[MAX_PATH];
+static char lwresd_defaultpidfile[MAX_PATH];
+static char ns_lockfile[MAX_PATH];
+static char local_state_dir[MAX_PATH];
+static char sys_conf_dir[MAX_PATH];
+static char rndc_keyFile[MAX_PATH];
+static char session_keyFile[MAX_PATH];
+
+static DWORD baseLen = MAX_PATH;
+static BOOL Initialized = FALSE;
+
+void
+isc_ntpaths_init(void) {
+	HKEY hKey;
+	BOOL keyFound = TRUE;
+
+	memset(namedBase, 0, sizeof(namedBase));
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, BIND_SUBKEY, 0, KEY_READ, &hKey)
+		!= ERROR_SUCCESS)
+		keyFound = FALSE;
+
+	if (keyFound == TRUE) {
+		/* Get the named directory */
+		if (RegQueryValueEx(hKey, "InstallDir", NULL, NULL,
+			(LPBYTE)namedBase, &baseLen) != ERROR_SUCCESS)
+			keyFound = FALSE;
+		RegCloseKey(hKey);
+	}
+
+	GetSystemDirectory(systemDir, MAX_PATH);
+
+	if (keyFound == FALSE) {
+		/* Use the System Directory as a default */
+		strlcpy(namedBase, systemDir, sizeof(namedBase));
+	}
+
+	strlcpy(lwresd_confFile, namedBase, sizeof(lwresd_confFile)) ;
+	strlcat(lwresd_confFile, "\\etc\\lwresd.conf",
+		sizeof(lwresd_confFile));
+
+	strlcpy(lwresd_defaultpidfile, namedBase,
+		sizeof(lwresd_defaultpidfile));
+	strlcat(lwresd_defaultpidfile, "\\etc\\lwresd.pid",
+		sizeof(lwresd_defaultpidfile));
+
+	strlcpy(lwresd_resolvconfFile, systemDir,
+		sizeof(lwresd_resolvconfFile));
+	strlcat(lwresd_resolvconfFile, "\\Drivers\\etc\\resolv.conf",
+		sizeof(lwresd_resolvconfFile));
+
+	strlcpy(ns_confFile, namedBase, sizeof(ns_confFile));
+	strlcat(ns_confFile, "\\etc\\named.conf", sizeof(ns_confFile));
+
+	strlcpy(rndc_keyFile, namedBase, sizeof(rndc_keyFile));
+	strlcat(rndc_keyFile, "\\etc\\rndc.key", sizeof(rndc_keyFile));
+
+	strlcpy(session_keyFile, namedBase, sizeof(session_keyFile));
+	strlcat(session_keyFile, "\\etc\\session.key", sizeof(session_keyFile));
+
+	strlcpy(rndc_confFile, namedBase, sizeof(rndc_confFile));
+	strlcat(rndc_confFile, "\\etc\\rndc.conf", sizeof(rndc_confFile));
+
+	strlcpy(ns_defaultpidfile, namedBase, sizeof(ns_defaultpidfile));
+	strlcat(ns_defaultpidfile, "\\etc\\named.pid",
+		sizeof(ns_defaultpidfile));
+
+	strlcpy(ns_lockfile, namedBase, sizeof(ns_lockfile));
+	strlcat(ns_lockfile, "\\etc\\named.lock", sizeof(ns_lockfile));
+
+	strlcpy(local_state_dir, namedBase, sizeof(local_state_dir));
+	strlcat(local_state_dir, "\\bin", sizeof(local_state_dir));
+
+	strlcpy(sys_conf_dir, namedBase, sizeof(sys_conf_dir));
+	strlcat(sys_conf_dir, "\\etc", sizeof(sys_conf_dir));
+
+	Initialized = TRUE;
+}
+
+char *
+isc_ntpaths_get(int ind) {
+	if (!Initialized)
+		isc_ntpaths_init();
+
+	switch (ind) {
+	case NAMED_CONF_PATH:
+		return (ns_confFile);
+		break;
+	case LWRES_CONF_PATH:
+		return (lwresd_confFile);
+		break;
+	case RESOLV_CONF_PATH:
+		return (lwresd_resolvconfFile);
+		break;
+	case RNDC_CONF_PATH:
+		return (rndc_confFile);
+		break;
+	case NAMED_PID_PATH:
+		return (ns_defaultpidfile);
+		break;
+	case LWRESD_PID_PATH:
+		return (lwresd_defaultpidfile);
+		break;
+	case NAMED_LOCK_PATH:
+		return (ns_lockfile);
+		break;
+	case LOCAL_STATE_DIR:
+		return (local_state_dir);
+		break;
+	case SYS_CONF_DIR:
+		return (sys_conf_dir);
+		break;
+	case RNDC_KEY_PATH:
+		return (rndc_keyFile);
+		break;
+	case SESSION_KEY_PATH:
+		return (session_keyFile);
+		break;
+	default:
+		return (NULL);
+	}
+}
diff --git a/lib/isc/win32/once.c b/lib/isc/win32/once.c
new file mode 100644
index 0000000..baf178d
--- /dev/null
+++ b/lib/isc/win32/once.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <windows.h>
+
+#include <isc/once.h>
+#include <isc/assertions.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_once_do(isc_once_t *controller, void(*function)(void)) {
+	REQUIRE(controller != NULL && function != NULL);
+
+	if (controller->status == ISC_ONCE_INIT_NEEDED) {
+
+		if (InterlockedDecrement(&controller->counter) == 0) {
+			if (controller->status == ISC_ONCE_INIT_NEEDED) {
+				function();
+				controller->status = ISC_ONCE_INIT_DONE;
+			}
+		} else {
+			while (controller->status == ISC_ONCE_INIT_NEEDED) {
+				/*
+				 * Sleep(0) indicates that this thread
+				 * should be suspended to allow other
+				 * waiting threads to execute.
+				 */
+				Sleep(0);
+			}
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/win32/os.c b/lib/isc/win32/os.c
new file mode 100644
index 0000000..0f4023f
--- /dev/null
+++ b/lib/isc/win32/os.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+
+#include <isc/os.h>
+
+static BOOL bInit = FALSE;
+static SYSTEM_INFO SystemInfo;
+
+static void
+initialize_action(void) {
+	if (bInit)
+		return;
+
+	GetSystemInfo(&SystemInfo);
+	bInit = TRUE;
+}
+
+unsigned int
+isc_os_ncpus(void) {
+	long ncpus;
+	initialize_action();
+	ncpus = SystemInfo.dwNumberOfProcessors;
+	if (ncpus <= 0)
+		ncpus = 1;
+
+	return ((unsigned int)ncpus);
+}
diff --git a/lib/isc/win32/pk11_api.c b/lib/isc/win32/pk11_api.c
new file mode 100644
index 0000000..76e4abb
--- /dev/null
+++ b/lib/isc/win32/pk11_api.c
@@ -0,0 +1,675 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+/* missing code for WIN32 */
+
+#include <config.h>
+
+#include <string.h>
+#include <windows.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+
+#define HAVE_GETPASSPHRASE
+
+char *
+getpassphrase(const char *prompt) {
+	static char buf[128];
+	HANDLE h;
+	DWORD cc, mode;
+	int cnt;
+
+	h = GetStdHandle(STD_INPUT_HANDLE);
+	fputs(prompt, stderr);
+	fflush(stderr);
+	fflush(stdout);
+	FlushConsoleInputBuffer(h);
+	GetConsoleMode(h, &mode);
+	SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+	for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
+	{
+		ReadFile(h, buf + cnt, 1, &cc, NULL);
+		if (buf[cnt] == '\r')
+			break;
+		fputc('*', stdout);
+		fflush(stderr);
+		fflush(stdout);
+	}
+
+	SetConsoleMode(h, mode);
+	buf[cnt] = '\0';
+	fputs("\n", stderr);
+	return (buf);
+}
+
+/* load PKCS11 DLL */
+
+static HINSTANCE hPK11 = NULL;
+static char loaderrmsg[1024];
+
+CK_RV
+pkcs_C_Initialize(CK_VOID_PTR pReserved) {
+	CK_C_Initialize sym;
+	const char *lib_name = pk11_get_lib_name();
+
+	if (hPK11 != NULL)
+		return (CKR_LIBRARY_ALREADY_INITIALIZED);
+
+	if (lib_name == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	/* Visual Studio convertion issue... */
+	if (*lib_name == ' ')
+		lib_name++;
+
+	hPK11 = LoadLibraryA(lib_name);
+
+	if (hPK11 == NULL) {
+		const DWORD err = GetLastError();
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "LoadLibraryA(\"%s\") failed with 0x%X\n",
+			 lib_name, err);
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(pReserved);
+}
+
+char *pk11_get_load_error_message(void) {
+	return (loaderrmsg);
+}
+
+CK_RV
+pkcs_C_Finalize(CK_VOID_PTR pReserved) {
+	CK_C_Finalize sym;
+	CK_RV rv;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	rv = (*sym)(pReserved);
+	if ((rv == CKR_OK) && (FreeLibrary(hPK11) == 0))
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	hPK11 = NULL;
+	return (rv);
+}
+
+CK_RV
+pkcs_C_GetSlotList(CK_BBOOL tokenPresent,
+	      CK_SLOT_ID_PTR pSlotList,
+	      CK_ULONG_PTR pulCount)
+{
+	static CK_C_GetSlotList sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GetSlotList)GetProcAddress(hPK11, "C_GetSlotList");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(tokenPresent, pSlotList, pulCount);
+}
+
+CK_RV
+pkcs_C_GetTokenInfo(CK_SLOT_ID slotID,
+	       CK_TOKEN_INFO_PTR pInfo)
+{
+	static CK_C_GetTokenInfo sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GetTokenInfo)GetProcAddress(hPK11,
+							"C_GetTokenInfo");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, pInfo);
+}
+
+CK_RV
+pkcs_C_GetMechanismInfo(CK_SLOT_ID slotID,
+		   CK_MECHANISM_TYPE type,
+		   CK_MECHANISM_INFO_PTR pInfo)
+{
+	static CK_C_GetMechanismInfo sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GetMechanismInfo)GetProcAddress(hPK11,
+							"C_GetMechanismInfo");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, type, pInfo);
+}
+
+CK_RV
+pkcs_C_OpenSession(CK_SLOT_ID slotID,
+	      CK_FLAGS flags,
+	      CK_VOID_PTR pApplication,
+	      CK_RV  (*Notify) (CK_SESSION_HANDLE hSession,
+				CK_NOTIFICATION event,
+				CK_VOID_PTR pApplication),
+	      CK_SESSION_HANDLE_PTR phSession)
+{
+	static CK_C_OpenSession sym = NULL;
+
+	if (hPK11 == NULL)
+		hPK11 = LoadLibraryA(pk11_get_lib_name());
+	if (hPK11 == NULL) {
+		const DWORD err = GetLastError();
+		snprintf(loaderrmsg, sizeof(loaderrmsg),
+			 "LoadLibraryA(\"%s\") failed with 0x%X\n",
+			 pk11_get_lib_name(), err);
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	}
+	if (sym == NULL)
+		sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+CK_RV
+pkcs_C_CloseSession(CK_SESSION_HANDLE hSession) {
+	static CK_C_CloseSession sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_CloseSession)GetProcAddress(hPK11,
+							"C_CloseSession");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_Login(CK_SESSION_HANDLE hSession,
+	CK_USER_TYPE userType,
+	CK_CHAR_PTR pPin,
+	CK_ULONG usPinLen)
+{
+	static CK_C_Login sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+CK_RV
+pkcs_C_Logout(CK_SESSION_HANDLE hSession) {
+	static CK_C_Logout sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_Logout)GetProcAddress(hPK11, "C_Logout");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_CreateObject(CK_SESSION_HANDLE hSession,
+	       CK_ATTRIBUTE_PTR pTemplate,
+	       CK_ULONG usCount,
+	       CK_OBJECT_HANDLE_PTR phObject)
+{
+	static CK_C_CreateObject sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_CreateObject)GetProcAddress(hPK11,
+							"C_CreateObject");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+CK_RV
+pkcs_C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) {
+	static CK_C_DestroyObject sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_DestroyObject)GetProcAddress(hPK11,
+							 "C_DestroyObject");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject);
+}
+
+CK_RV
+pkcs_C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	static CK_C_GetAttributeValue sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
+							"C_GetAttributeValue");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+		    CK_OBJECT_HANDLE hObject,
+		    CK_ATTRIBUTE_PTR pTemplate,
+		    CK_ULONG usCount)
+{
+	static CK_C_SetAttributeValue sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
+							"C_SetAttributeValue");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+		  CK_ATTRIBUTE_PTR pTemplate,
+		  CK_ULONG usCount)
+{
+	static CK_C_FindObjectsInit sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
+							"C_FindObjectsInit");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pTemplate, usCount);
+}
+
+CK_RV
+pkcs_C_FindObjects(CK_SESSION_HANDLE hSession,
+	      CK_OBJECT_HANDLE_PTR phObject,
+	      CK_ULONG usMaxObjectCount,
+	      CK_ULONG_PTR pusObjectCount)
+{
+	static CK_C_FindObjects sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+CK_RV
+pkcs_C_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
+	static CK_C_FindObjectsFinal sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
+							"C_FindObjectsFinal");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession);
+}
+
+CK_RV
+pkcs_C_EncryptInit(CK_SESSION_HANDLE hSession,
+		   CK_MECHANISM_PTR pMechanism,
+		   CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_EncryptInit sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_EncryptInit)GetProcAddress(hPK11, "C_EncryptInit");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Encrypt(CK_SESSION_HANDLE hSession,
+	       CK_BYTE_PTR pData,
+	       CK_ULONG ulDataLen,
+	       CK_BYTE_PTR pEncryptedData,
+	       CK_ULONG_PTR pulEncryptedDataLen)
+{
+	static CK_C_Encrypt sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_Encrypt)GetProcAddress(hPK11, "C_Encrypt");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen,
+		      pEncryptedData, pulEncryptedDataLen);
+}
+
+CK_RV
+pkcs_C_DigestInit(CK_SESSION_HANDLE hSession,
+	     CK_MECHANISM_PTR pMechanism)
+{
+	static CK_C_DigestInit sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_DigestInit)GetProcAddress(hPK11, "C_DigestInit");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism);
+}
+
+CK_RV
+pkcs_C_DigestUpdate(CK_SESSION_HANDLE hSession,
+	       CK_BYTE_PTR pPart,
+	       CK_ULONG ulPartLen)
+{
+	static CK_C_DigestUpdate sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_DigestUpdate)GetProcAddress(hPK11,
+							"C_DigestUpdate");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_DigestFinal(CK_SESSION_HANDLE hSession,
+	      CK_BYTE_PTR pDigest,
+	      CK_ULONG_PTR pulDigestLen)
+{
+	static CK_C_DigestFinal sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_DigestFinal)GetProcAddress(hPK11, "C_DigestFinal");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pDigest, pulDigestLen);
+}
+
+CK_RV
+pkcs_C_SignInit(CK_SESSION_HANDLE hSession,
+	   CK_MECHANISM_PTR pMechanism,
+	   CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_SignInit sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_SignInit)GetProcAddress(hPK11, "C_SignInit");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Sign(CK_SESSION_HANDLE hSession,
+       CK_BYTE_PTR pData,
+       CK_ULONG ulDataLen,
+       CK_BYTE_PTR pSignature,
+       CK_ULONG_PTR pulSignatureLen)
+{
+	static CK_C_Sign sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_Sign)GetProcAddress(hPK11, "C_Sign");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_SignUpdate(CK_SESSION_HANDLE hSession,
+	     CK_BYTE_PTR pPart,
+	     CK_ULONG ulPartLen)
+{
+	static CK_C_SignUpdate sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_SignUpdate)GetProcAddress(hPK11, "C_SignUpdate");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_SignFinal(CK_SESSION_HANDLE hSession,
+	    CK_BYTE_PTR pSignature,
+	    CK_ULONG_PTR pulSignatureLen)
+{
+	static CK_C_SignFinal sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_SignFinal)GetProcAddress(hPK11, "C_SignFinal");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSignature, pulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyInit(CK_SESSION_HANDLE hSession,
+	     CK_MECHANISM_PTR pMechanism,
+	     CK_OBJECT_HANDLE hKey)
+{
+	static CK_C_VerifyInit sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_VerifyInit)GetProcAddress(hPK11, "C_VerifyInit");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, hKey);
+}
+
+CK_RV
+pkcs_C_Verify(CK_SESSION_HANDLE hSession,
+	 CK_BYTE_PTR pData,
+	 CK_ULONG ulDataLen,
+	 CK_BYTE_PTR pSignature,
+	 CK_ULONG ulSignatureLen)
+{
+	static CK_C_Verify sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_Verify)GetProcAddress(hPK11, "C_Verify");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_VerifyUpdate(CK_SESSION_HANDLE hSession,
+	       CK_BYTE_PTR pPart,
+	       CK_ULONG ulPartLen)
+{
+	static CK_C_VerifyUpdate sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_VerifyUpdate)GetProcAddress(hPK11,
+							"C_VerifyUpdate");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pPart, ulPartLen);
+}
+
+CK_RV
+pkcs_C_VerifyFinal(CK_SESSION_HANDLE hSession,
+	      CK_BYTE_PTR pSignature,
+	      CK_ULONG ulSignatureLen)
+{
+	static CK_C_VerifyFinal sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_VerifyFinal)GetProcAddress(hPK11, "C_VerifyFinal");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSignature, ulSignatureLen);
+}
+
+CK_RV
+pkcs_C_GenerateKey(CK_SESSION_HANDLE hSession,
+	      CK_MECHANISM_PTR pMechanism,
+	      CK_ATTRIBUTE_PTR pTemplate,
+	      CK_ULONG ulCount,
+	      CK_OBJECT_HANDLE_PTR phKey)
+{
+	static CK_C_GenerateKey sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GenerateKey)GetProcAddress(hPK11, "C_GenerateKey");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pMechanism, pTemplate, ulCount, phKey);
+}
+
+CK_RV
+pkcs_C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+		  CK_MECHANISM_PTR pMechanism,
+		  CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+		  CK_ULONG usPublicKeyAttributeCount,
+		  CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+		  CK_ULONG usPrivateKeyAttributeCount,
+		  CK_OBJECT_HANDLE_PTR phPrivateKey,
+		  CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+	static CK_C_GenerateKeyPair sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
+							"C_GenerateKeyPair");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession,
+		      pMechanism,
+		      pPublicKeyTemplate,
+		      usPublicKeyAttributeCount,
+		      pPrivateKeyTemplate,
+		      usPrivateKeyAttributeCount,
+		      phPrivateKey,
+		      phPublicKey);
+}
+
+CK_RV
+pkcs_C_DeriveKey(CK_SESSION_HANDLE hSession,
+	    CK_MECHANISM_PTR pMechanism,
+	    CK_OBJECT_HANDLE hBaseKey,
+	    CK_ATTRIBUTE_PTR pTemplate,
+	    CK_ULONG ulAttributeCount,
+	    CK_OBJECT_HANDLE_PTR phKey)
+{
+	static CK_C_DeriveKey sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_DeriveKey)GetProcAddress(hPK11, "C_DeriveKey");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession,
+		      pMechanism,
+		      hBaseKey,
+		      pTemplate,
+		      ulAttributeCount,
+		      phKey);
+}
+
+CK_RV
+pkcs_C_SeedRandom(CK_SESSION_HANDLE hSession,
+	     CK_BYTE_PTR pSeed,
+	     CK_ULONG ulSeedLen)
+{
+	static CK_C_SeedRandom sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_SeedRandom)GetProcAddress(hPK11, "C_SeedRandom");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, pSeed, ulSeedLen);
+}
+
+CK_RV
+pkcs_C_GenerateRandom(CK_SESSION_HANDLE hSession,
+		 CK_BYTE_PTR RandomData,
+		 CK_ULONG ulRandomLen)
+{
+	static CK_C_GenerateRandom sym = NULL;
+
+	if (hPK11 == NULL)
+		return (CKR_LIBRARY_FAILED_TO_LOAD);
+	if (sym == NULL)
+		sym = (CK_C_GenerateRandom)GetProcAddress(hPK11,
+							  "C_GenerateRandom");
+	if (sym == NULL)
+		return (CKR_SYMBOL_RESOLUTION_FAILED);
+	return (*sym)(hSession, RandomData, ulRandomLen);
+}
diff --git a/lib/isc/win32/resource.c b/lib/isc/win32/resource.c
new file mode 100644
index 0000000..0fbc9a4
--- /dev/null
+++ b/lib/isc/win32/resource.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * Windows limits the maximum number of open files to 2048
+ */
+
+#define WIN32_MAX_OPEN_FILES	2048
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
+	isc_resourcevalue_t rlim_value;
+	int wresult;
+
+	if (resource != isc_resource_openfiles)
+		return (ISC_R_NOTIMPLEMENTED);
+
+
+	if (value == ISC_RESOURCE_UNLIMITED)
+		rlim_value = WIN32_MAX_OPEN_FILES;
+	else
+		rlim_value = min(value, WIN32_MAX_OPEN_FILES);
+
+	wresult = _setmaxstdio((int) rlim_value);
+
+	if (wresult > 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+
+	if (resource != isc_resource_openfiles)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	*value = WIN32_MAX_OPEN_FILES;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_resource_getcurlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+	return (isc_resource_getlimit(resource, value));
+}
diff --git a/lib/isc/win32/socket.c b/lib/isc/win32/socket.c
new file mode 100644
index 0000000..75b1c26
--- /dev/null
+++ b/lib/isc/win32/socket.c
@@ -0,0 +1,4277 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* This code uses functions which are only available on Server 2003 and
+ * higher, and Windows XP and higher.
+ *
+ * This code is by nature multithreaded and takes advantage of various
+ * features to pass on information through the completion port for
+ * when I/O is completed.  All sends, receives, accepts, and connects are
+ * completed through the completion port.
+ *
+ * The number of Completion Port Worker threads used is the total number
+ * of CPU's + 1. This increases the likelihood that a Worker Thread is
+ * available for processing a completed request.
+ *
+ * XXXPDM 5 August, 2002
+ */
+
+#include <config.h>
+
+#define MAKE_EXTERNAL 1
+
+#include <sys/types.h>
+
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
+#endif
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <io.h>
+#include <fcntl.h>
+#include <process.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/condition.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/os.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+#include <isc/win32os.h>
+
+#include <mswsock.h>
+
+#include "errno2result.h"
+
+/*
+ * Set by the -T dscp option on the command line. If set to a value
+ * other than -1, we check to make sure DSCP values match it, and
+ * assert if not.
+ */
+LIBISC_EXTERNAL_DATA int isc_dscp_check_value = -1;
+
+/*
+ * How in the world can Microsoft exist with APIs like this?
+ * We can't actually call this directly, because it turns out
+ * no library exports this function.  Instead, we need to
+ * issue a runtime call to get the address.
+ */
+LPFN_CONNECTEX ISCConnectEx;
+LPFN_ACCEPTEX ISCAcceptEx;
+LPFN_GETACCEPTEXSOCKADDRS ISCGetAcceptExSockaddrs;
+
+/*
+ * Run expensive internal consistency checks.
+ */
+#ifdef ISC_SOCKET_CONSISTENCY_CHECKS
+#define CONSISTENT(sock) consistent(sock)
+#else
+#define CONSISTENT(sock) do {} while (0)
+#endif
+static void consistent(isc_socket_t *sock);
+
+/*
+ * Define this macro to control the behavior of connection
+ * resets on UDP sockets.  See Microsoft KnowledgeBase Article Q263823
+ * for details.
+ * NOTE: This requires that Windows 2000 systems install Service Pack 2
+ * or later.
+ */
+#ifndef SIO_UDP_CONNRESET
+#define SIO_UDP_CONNRESET _WSAIOW(IOC_VENDOR,12)
+#endif
+
+/*
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t.  This is here so it can be easily changed if needed.
+ */
+#ifndef ISC_SOCKADDR_LEN_T
+#define ISC_SOCKADDR_LEN_T unsigned int
+#endif
+
+/*
+ * Define what the possible "soft" errors can be.  These are non-fatal returns
+ * of various network related functions, like recv() and so on.
+ */
+#define SOFT_ERROR(e)	((e) == WSAEINTR || \
+			 (e) == WSAEWOULDBLOCK || \
+			 (e) == EWOULDBLOCK || \
+			 (e) == EINTR || \
+			 (e) == EAGAIN || \
+			 (e) == 0)
+
+/*
+ * Pending errors are not really errors and should be
+ * kept separate
+ */
+#define PENDING_ERROR(e) ((e) == WSA_IO_PENDING || (e) == 0)
+
+#define DOIO_SUCCESS	  0       /* i/o ok, event sent */
+#define DOIO_SOFT	  1       /* i/o ok, soft error, no event sent */
+#define DOIO_HARD	  2       /* i/o error, event sent */
+#define DOIO_EOF	  3       /* EOF, no event sent */
+#define DOIO_PENDING	  4       /* status when i/o is in process */
+#define DOIO_NEEDMORE	  5       /* IO was processed, but we need more due to minimum */
+
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
+
+/*
+ * DLVL(90)  --  Function entry/exit and other tracing.
+ * DLVL(70)  --  Socket "correctness" -- including returning of events, etc.
+ * DLVL(60)  --  Socket data send/receive
+ * DLVL(50)  --  Event tracing, including receiving/sending completion events.
+ * DLVL(20)  --  Socket creation/destruction.
+ */
+#define TRACE_LEVEL		90
+#define CORRECTNESS_LEVEL	70
+#define IOEVENT_LEVEL		60
+#define EVENT_LEVEL		50
+#define CREATION_LEVEL		20
+
+#define TRACE		DLVL(TRACE_LEVEL)
+#define CORRECTNESS	DLVL(CORRECTNESS_LEVEL)
+#define IOEVENT		DLVL(IOEVENT_LEVEL)
+#define EVENT		DLVL(EVENT_LEVEL)
+#define CREATION	DLVL(CREATION_LEVEL)
+
+typedef isc_event_t intev_t;
+
+/*
+ * Socket State
+ */
+enum {
+  SOCK_INITIALIZED,	/* Socket Initialized */
+  SOCK_OPEN,		/* Socket opened but nothing yet to do */
+  SOCK_DATA,		/* Socket sending or receiving data */
+  SOCK_LISTEN,		/* TCP Socket listening for connects */
+  SOCK_ACCEPT,		/* TCP socket is waiting to accept */
+  SOCK_CONNECT,		/* TCP Socket connecting */
+  SOCK_CLOSED,		/* Socket has been closed */
+};
+
+#define SOCKET_MAGIC		ISC_MAGIC('I', 'O', 'i', 'o')
+#define VALID_SOCKET(t)		ISC_MAGIC_VALID(t, SOCKET_MAGIC)
+
+/*
+ * IPv6 control information.  If the socket is an IPv6 socket we want
+ * to collect the destination address and interface so the client can
+ * set them on outgoing packets.
+ */
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifndef USE_CMSG
+#define USE_CMSG	1
+#endif
+#endif
+
+/*
+ * We really  don't want to try and use these control messages. Win32
+ * doesn't have this mechanism before XP.
+ */
+#undef USE_CMSG
+
+/*
+ * Message header for recvmsg and sendmsg calls.
+ * Used value-result for recvmsg, value only for sendmsg.
+ */
+struct msghdr {
+	SOCKADDR_STORAGE to_addr;	/* UDP send/recv address */
+	int      to_addr_len;		/* length of the address */
+	WSABUF  *msg_iov;		/* scatter/gather array */
+	u_int   msg_iovlen;             /* # elements in msg_iov */
+	void	*msg_control;           /* ancillary data, see below */
+	u_int   msg_controllen;         /* ancillary data buffer len */
+	u_int	msg_totallen;		/* total length of this message */
+} msghdr;
+
+/*
+ * The size to raise the receive buffer to.
+ */
+#define RCVBUFSIZE (32*1024)
+
+/*
+ * The number of times a send operation is repeated if the result
+ * is WSAEINTR.
+ */
+#define NRETRIES 10
+
+struct isc_socket {
+	/* Not locked. */
+	unsigned int		magic;
+	isc_socketmgr_t	       *manager;
+	isc_mutex_t		lock;
+	isc_sockettype_t	type;
+
+	/* Pointers to scatter/gather buffers */
+	WSABUF			iov[ISC_SOCKET_MAXSCATTERGATHER];
+
+	/* Locked by socket lock. */
+	ISC_LINK(isc_socket_t)	link;
+	unsigned int		references; /* EXTERNAL references */
+	SOCKET			fd;	/* file handle */
+	int			pf;	/* protocol family */
+	char			name[16];
+	void *			tag;
+
+	/*
+	 * Each recv() call uses this buffer.  It is a per-socket receive
+	 * buffer that allows us to decouple the system recv() from the
+	 * recv_list done events.  This means the items on the recv_list
+	 * can be removed without having to cancel pending system recv()
+	 * calls.  It also allows us to read-ahead in some cases.
+	 */
+	struct {
+		SOCKADDR_STORAGE	from_addr;	   // UDP send/recv address
+		int		from_addr_len;	   // length of the address
+		char		*base;		   // the base of the buffer
+		char		*consume_position; // where to start copying data from next
+		unsigned int	len;		   // the actual size of this buffer
+		unsigned int	remaining;	   // the number of bytes remaining
+	} recvbuf;
+
+	ISC_LIST(isc_socketevent_t)		send_list;
+	ISC_LIST(isc_socketevent_t)		recv_list;
+	ISC_LIST(isc_socket_newconnev_t)	accept_list;
+	ISC_LIST(isc_socket_connev_t)		connect_list;
+
+	isc_sockaddr_t		address;  /* remote address */
+
+	unsigned int		listener : 1,	/* listener socket */
+				connected : 1,
+				pending_connect : 1, /* connect pending */
+				bound : 1,	/* bound to local addr */
+				dupped : 1;     /* created by isc_socket_dup() */
+	unsigned int		pending_iocp;	/* Should equal the counters below. Debug. */
+	unsigned int		pending_recv;  /* Number of outstanding recv() calls. */
+	unsigned int		pending_send;  /* Number of outstanding send() calls. */
+	unsigned int		pending_accept; /* Number of outstanding accept() calls. */
+	unsigned int		state; /* Socket state. Debugging and consistency checking. */
+	int			state_lineno;  /* line which last touched state */
+};
+
+#define _set_state(sock, _state) do { (sock)->state = (_state); (sock)->state_lineno = __LINE__; } while (0)
+
+/*
+ * Buffer structure
+ */
+typedef struct buflist buflist_t;
+
+struct buflist {
+	void			*buf;
+	unsigned int		buflen;
+	ISC_LINK(buflist_t)	link;
+};
+
+/*
+ * I/O Completion ports Info structures
+ */
+
+static HANDLE hHeapHandle = NULL;
+typedef struct IoCompletionInfo {
+	OVERLAPPED		overlapped;
+	isc_socketevent_t	*dev;  /* send()/recv() done event */
+	isc_socket_connev_t	*cdev; /* connect() done event */
+	isc_socket_newconnev_t	*adev; /* accept() done event */
+	void			*acceptbuffer;
+	DWORD			received_bytes;
+	int			request_type;
+	struct msghdr		messagehdr;
+	ISC_LIST(buflist_t)	bufferlist;	/*%< list of buffers */
+} IoCompletionInfo;
+
+/*
+ * Define a maximum number of I/O Completion Port worker threads
+ * to handle the load on the Completion Port. The actual number
+ * used is the number of CPU's + 1.
+ */
+#define MAX_IOCPTHREADS 20
+
+#define SOCKET_MANAGER_MAGIC	ISC_MAGIC('I', 'O', 'm', 'g')
+#define VALID_MANAGER(m)	ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
+
+struct isc_socketmgr {
+	/* Not locked. */
+	unsigned int			magic;
+	isc_mem_t		       *mctx;
+	isc_mutex_t			lock;
+	isc_stats_t		       *stats;
+
+	/* Locked by manager lock. */
+	ISC_LIST(isc_socket_t)		socklist;
+	bool			bShutdown;
+	isc_condition_t			shutdown_ok;
+	HANDLE				hIoCompletionPort;
+	int				maxIOCPThreads;
+	HANDLE				hIOCPThreads[MAX_IOCPTHREADS];
+	DWORD				dwIOCPThreadIds[MAX_IOCPTHREADS];
+
+	/*
+	 * Debugging.
+	 * Modified by InterlockedIncrement() and InterlockedDecrement()
+	 */
+	LONG				totalSockets;
+	LONG				iocp_total;
+};
+
+enum {
+	SOCKET_RECV,
+	SOCKET_SEND,
+	SOCKET_ACCEPT,
+	SOCKET_CONNECT
+};
+
+/*
+ * send() and recv() iovec counts
+ */
+#define MAXSCATTERGATHER_SEND	(ISC_SOCKET_MAXSCATTERGATHER)
+#define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER)
+
+static isc_result_t socket_create(isc_socketmgr_t *manager0, int pf,
+				  isc_sockettype_t type,
+				  isc_socket_t **socketp,
+				  isc_socket_t *dup_socket);
+static isc_threadresult_t WINAPI SocketIoThread(LPVOID ThreadContext);
+static void maybe_free_socket(isc_socket_t **, int);
+static void free_socket(isc_socket_t **, int);
+static bool senddone_is_active(isc_socket_t *sock, isc_socketevent_t *dev);
+static bool acceptdone_is_active(isc_socket_t *sock, isc_socket_newconnev_t *dev);
+static bool connectdone_is_active(isc_socket_t *sock, isc_socket_connev_t *dev);
+static void send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev);
+static void send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev);
+static void send_acceptdone_event(isc_socket_t *sock, isc_socket_newconnev_t **adev);
+static void send_connectdone_event(isc_socket_t *sock, isc_socket_connev_t **cdev);
+static void send_recvdone_abort(isc_socket_t *sock, isc_result_t result);
+static void send_connectdone_abort(isc_socket_t *sock, isc_result_t result);
+static void queue_receive_event(isc_socket_t *sock, isc_task_t *task, isc_socketevent_t *dev);
+static void queue_receive_request(isc_socket_t *sock);
+
+/*
+ * This is used to dump the contents of the sock structure
+ * You should make sure that the sock is locked before
+ * dumping it. Since the code uses simple printf() statements
+ * it should only be used interactively.
+ */
+void
+sock_dump(isc_socket_t *sock) {
+	isc_socketevent_t *ldev;
+	isc_socket_newconnev_t *ndev;
+	isc_socket_connev_t *cdev;
+
+#if 0
+	isc_sockaddr_t addr;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_result_t result;
+
+	result = isc_socket_getpeername(sock, &addr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&addr, socktext, sizeof(socktext));
+		printf("Remote Socket: %s\n", socktext);
+	}
+	result = isc_socket_getsockname(sock, &addr);
+	if (result == ISC_R_SUCCESS) {
+		isc_sockaddr_format(&addr, socktext, sizeof(socktext));
+		printf("This Socket: %s\n", socktext);
+	}
+#endif
+
+	printf("\n\t\tSock Dump\n");
+	printf("\t\tfd: %Iu\n", sock->fd);
+	printf("\t\treferences: %u\n", sock->references);
+	printf("\t\tpending_accept: %u\n", sock->pending_accept);
+	printf("\t\tconnecting: %u\n", sock->pending_connect);
+	printf("\t\tconnected: %u\n", sock->connected);
+	printf("\t\tbound: %u\n", sock->bound);
+	printf("\t\tpending_iocp: %u\n", sock->pending_iocp);
+	printf("\t\tsocket type: %d\n", sock->type);
+
+	printf("\n\t\tSock Recv List\n");
+	ldev = ISC_LIST_HEAD(sock->recv_list);
+	while (ldev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	printf("\n\t\tSock Send List\n");
+	ldev = ISC_LIST_HEAD(sock->send_list);
+	while (ldev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+	}
+
+	printf("\n\t\tSock Accept List\n");
+	ndev = ISC_LIST_HEAD(sock->accept_list);
+	while (ndev != NULL) {
+		printf("\t\tdev: %p\n", ldev);
+		ndev = ISC_LIST_NEXT(ndev, ev_link);
+	}
+
+	printf("\n\t\tSock Connect List\n");
+	cdev = ISC_LIST_HEAD(sock->connect_list);
+	while (cdev != NULL) {
+		printf("\t\tdev: %p\n", cdev);
+		cdev = ISC_LIST_NEXT(cdev, ev_link);
+	}
+}
+
+static void
+socket_log(int lineno, isc_socket_t *sock, isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   isc_msgcat_t *msgcat, int msgset, int message,
+	   const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
+
+/*  This function will add an entry to the I/O completion port
+ *  that will signal the I/O thread to exit (gracefully)
+ */
+static void
+signal_iocompletionport_exit(isc_socketmgr_t *manager) {
+	int i;
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	for (i = 0; i < manager->maxIOCPThreads; i++) {
+		if (!PostQueuedCompletionStatus(manager->hIoCompletionPort,
+						0, 0, 0)) {
+			errval = GetLastError();
+			isc__strerror(errval, strbuf, sizeof(strbuf));
+			FATAL_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_FAILED,
+				"Can't request service thread to exit: %s"),
+				strbuf);
+		}
+	}
+}
+
+/*
+ * Create the worker threads for the I/O Completion Port
+ */
+void
+iocompletionport_createthreads(int total_threads, isc_socketmgr_t *manager) {
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+	int i;
+
+	INSIST(total_threads > 0);
+	REQUIRE(VALID_MANAGER(manager));
+	/*
+	 * We need at least one
+	 */
+	for (i = 0; i < total_threads; i++) {
+		manager->hIOCPThreads[i] = CreateThread(NULL, 0, SocketIoThread,
+						manager, 0,
+						&manager->dwIOCPThreadIds[i]);
+		if (manager->hIOCPThreads[i] == NULL) {
+			errval = GetLastError();
+			isc__strerror(errval, strbuf, sizeof(strbuf));
+			FATAL_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_FAILED,
+				"Can't create IOCP thread: %s"),
+				strbuf);
+		}
+	}
+}
+
+/*
+ *  Create/initialise the I/O completion port
+ */
+void
+iocompletionport_init(isc_socketmgr_t *manager) {
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	/*
+	 * Create a private heap to handle the socket overlapped structure
+	 * The minimum number of structures is 10, there is no maximum
+	 */
+	hHeapHandle = HeapCreate(0, 10 * sizeof(IoCompletionInfo), 0);
+	if (hHeapHandle == NULL) {
+		errval = GetLastError();
+		isc__strerror(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_FAILED,
+					   "HeapCreate() failed during "
+					   "initialization: %s"),
+			    strbuf);
+	}
+
+	manager->maxIOCPThreads = min(isc_os_ncpus() + 1, MAX_IOCPTHREADS);
+
+	/* Now Create the Completion Port */
+	manager->hIoCompletionPort = CreateIoCompletionPort(
+			INVALID_HANDLE_VALUE, NULL,
+			0, manager->maxIOCPThreads);
+	if (manager->hIoCompletionPort == NULL) {
+		errval = GetLastError();
+		isc__strerror(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_FAILED,
+				"CreateIoCompletionPort() failed "
+				"during initialization: %s"),
+				strbuf);
+	}
+
+	/*
+	 * Worker threads for servicing the I/O
+	 */
+	iocompletionport_createthreads(manager->maxIOCPThreads, manager);
+}
+
+/*
+ * Associate a socket with an IO Completion Port.  This allows us to queue events for it
+ * and have our worker pool of threads process them.
+ */
+void
+iocompletionport_update(isc_socket_t *sock) {
+	HANDLE hiocp;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	hiocp = CreateIoCompletionPort((HANDLE)sock->fd,
+		sock->manager->hIoCompletionPort, (ULONG_PTR)sock, 0);
+
+	if (hiocp == NULL) {
+		DWORD errval = GetLastError();
+		isc__strerror(errval, strbuf, sizeof(strbuf));
+		isc_log_iwrite(isc_lctx,
+				ISC_LOGCATEGORY_GENERAL,
+				ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_TOOMANYHANDLES,
+				"iocompletionport_update: failed to open"
+				" io completion port: %s",
+				strbuf);
+
+		/* XXXMLG temporary hack to make failures detected.
+		 * This function should return errors to the caller, not
+		 * exit here.
+		 */
+		FATAL_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_FAILED,
+				"CreateIoCompletionPort() failed "
+				"during initialization: %s"),
+				strbuf);
+	}
+
+	InterlockedIncrement(&sock->manager->iocp_total);
+}
+
+/*
+ * Routine to cleanup and then close the socket.
+ * Only close the socket here if it is NOT associated
+ * with an event, otherwise the WSAWaitForMultipleEvents
+ * may fail due to the fact that the Wait should not
+ * be running while closing an event or a socket.
+ * The socket is locked before calling this function
+ */
+void
+socket_close(isc_socket_t *sock) {
+
+	REQUIRE(sock != NULL);
+
+	if (sock->fd != INVALID_SOCKET) {
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+		InterlockedDecrement(&sock->manager->totalSockets);
+	}
+}
+
+static isc_once_t initialise_once = ISC_ONCE_INIT;
+static bool initialised = false;
+
+static void
+initialise(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+	SOCKET sock;
+	GUID GUIDConnectEx = WSAID_CONNECTEX;
+	GUID GUIDAcceptEx = WSAID_ACCEPTEX;
+	GUID GUIDGetAcceptExSockaddrs = WSAID_GETACCEPTEXSOCKADDRS;
+	DWORD dwBytes;
+
+	/* Need Winsock 2.2 or better */
+	wVersionRequested = MAKEWORD(2, 2);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		char strbuf[ISC_STRERRORSIZE];
+		isc__strerror(err, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__, "WSAStartup() %s: %s",
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+					   ISC_MSG_FAILED, "failed"),
+			    strbuf);
+	}
+	/*
+	 * The following APIs do not exist as functions in a library, but
+	 * we must ask winsock for them.  They are "extensions" -- but why
+	 * they cannot be actual functions is beyond me.  So, ask winsock
+	 * for the pointers to the functions we need.
+	 */
+	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	INSIST(sock != INVALID_SOCKET);
+	err = WSAIoctl(sock,  SIO_GET_EXTENSION_FUNCTION_POINTER,
+		 &GUIDConnectEx, sizeof(GUIDConnectEx),
+		 &ISCConnectEx, sizeof(ISCConnectEx),
+		 &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	err = WSAIoctl(sock,  SIO_GET_EXTENSION_FUNCTION_POINTER,
+		 &GUIDAcceptEx, sizeof(GUIDAcceptEx),
+		 &ISCAcceptEx, sizeof(ISCAcceptEx),
+		 &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	err = WSAIoctl(sock,  SIO_GET_EXTENSION_FUNCTION_POINTER,
+		 &GUIDGetAcceptExSockaddrs, sizeof(GUIDGetAcceptExSockaddrs),
+		 &ISCGetAcceptExSockaddrs, sizeof(ISCGetAcceptExSockaddrs),
+		 &dwBytes, NULL, NULL);
+	INSIST(err == 0);
+
+	closesocket(sock);
+
+	initialised = true;
+}
+
+/*
+ * Initialize socket services
+ */
+void
+InitSockets(void) {
+	RUNTIME_CHECK(isc_once_do(&initialise_once,
+				  initialise) == ISC_R_SUCCESS);
+	if (!initialised)
+		exit(1);
+}
+
+int
+internal_sendmsg(isc_socket_t *sock, IoCompletionInfo *lpo,
+		 struct msghdr *messagehdr, int flags, int *Error)
+{
+	int Result;
+	DWORD BytesSent;
+	DWORD Flags = flags;
+	int total_sent;
+
+	*Error = 0;
+	Result = WSASendTo(sock->fd, messagehdr->msg_iov,
+			   messagehdr->msg_iovlen, &BytesSent,
+			   Flags, (SOCKADDR *)&messagehdr->to_addr,
+			   messagehdr->to_addr_len, (LPWSAOVERLAPPED)lpo,
+			   NULL);
+
+	total_sent = (int)BytesSent;
+
+	/* Check for errors.*/
+	if (Result == SOCKET_ERROR) {
+		*Error = WSAGetLastError();
+
+		switch (*Error) {
+		case WSA_IO_INCOMPLETE:
+		case WSA_WAIT_IO_COMPLETION:
+		case WSA_IO_PENDING:
+		case NO_ERROR:		/* Strange, but okay */
+			sock->pending_iocp++;
+			sock->pending_send++;
+			break;
+
+		default:
+			return (-1);
+			break;
+		}
+	} else {
+		sock->pending_iocp++;
+		sock->pending_send++;
+	}
+
+	if (lpo != NULL)
+		return (0);
+	else
+		return (total_sent);
+}
+
+static void
+queue_receive_request(isc_socket_t *sock) {
+	DWORD Flags = 0;
+	DWORD NumBytes = 0;
+	int Result;
+	int Error;
+	int need_retry;
+	WSABUF iov[1];
+	IoCompletionInfo *lpo = NULL;
+	isc_result_t isc_result;
+
+ retry:
+	need_retry = false;
+
+	/*
+	 * If we already have a receive pending, do nothing.
+	 */
+	if (sock->pending_recv > 0) {
+		if (lpo != NULL)
+			HeapFree(hHeapHandle, 0, lpo);
+		return;
+	}
+
+	/*
+	 * If no one is waiting, do nothing.
+	 */
+	if (ISC_LIST_EMPTY(sock->recv_list)) {
+		if (lpo != NULL)
+			HeapFree(hHeapHandle, 0, lpo);
+		return;
+	}
+
+	INSIST(sock->recvbuf.remaining == 0);
+	INSIST(sock->fd != INVALID_SOCKET);
+
+	iov[0].len = sock->recvbuf.len;
+	iov[0].buf = sock->recvbuf.base;
+
+	if (lpo == NULL) {
+		lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+						    HEAP_ZERO_MEMORY,
+						    sizeof(IoCompletionInfo));
+		RUNTIME_CHECK(lpo != NULL);
+	} else
+		ZeroMemory(lpo, sizeof(IoCompletionInfo));
+	lpo->request_type = SOCKET_RECV;
+
+	sock->recvbuf.from_addr_len = sizeof(sock->recvbuf.from_addr);
+
+	Error = 0;
+	Result = WSARecvFrom((SOCKET)sock->fd, iov, 1,
+			     &NumBytes, &Flags,
+			     (SOCKADDR *)&sock->recvbuf.from_addr,
+			     &sock->recvbuf.from_addr_len,
+			     (LPWSAOVERLAPPED)lpo, NULL);
+
+	/* Check for errors. */
+	if (Result == SOCKET_ERROR) {
+		Error = WSAGetLastError();
+
+		switch (Error) {
+		case WSA_IO_PENDING:
+			sock->pending_iocp++;
+			sock->pending_recv++;
+			break;
+
+		/* direct error: no completion event */
+		case ERROR_HOST_UNREACHABLE:
+		case WSAENETRESET:
+		case WSAECONNRESET:
+			if (!sock->connected) {
+				/* soft error */
+				need_retry = true;
+				break;
+			}
+			/* FALLTHROUGH */
+
+		default:
+			isc_result = isc__errno2result(Error);
+			if (isc_result == ISC_R_UNEXPECTED)
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+					"WSARecvFrom: Windows error code: %d, isc result %d",
+					Error, isc_result);
+			send_recvdone_abort(sock, isc_result);
+			HeapFree(hHeapHandle, 0, lpo);
+			lpo = NULL;
+			break;
+		}
+	} else {
+		/*
+		 * The recv() finished immediately, but we will still get
+		 * a completion event.  Rather than duplicate code, let
+		 * that thread handle sending the data along its way.
+		 */
+		sock->pending_iocp++;
+		sock->pending_recv++;
+	}
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_DOIORECV,
+		   "queue_io_request: fd %d result %d error %d",
+		   sock->fd, Result, Error);
+
+	CONSISTENT(sock);
+
+	if (need_retry)
+		goto retry;
+}
+
+static void
+manager_log(isc_socketmgr_t *sockmgr, isc_logcategory_t *category,
+	    isc_logmodule_t *module, int level, const char *fmt, ...)
+{
+	char msgbuf[2048];
+	va_list ap;
+
+	if (!isc_log_wouldlog(isc_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	isc_log_write(isc_lctx, category, module, level,
+		      "sockmgr %p: %s", sockmgr, msgbuf);
+}
+
+static void
+socket_log(int lineno, isc_socket_t *sock, isc_sockaddr_t *address,
+	   isc_logcategory_t *category, isc_logmodule_t *module, int level,
+	   isc_msgcat_t *msgcat, int msgset, int message,
+	   const char *fmt, ...)
+{
+	char msgbuf[2048];
+	char peerbuf[256];
+	va_list ap;
+
+
+	if (!isc_log_wouldlog(isc_lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (address == NULL) {
+		isc_log_iwrite(isc_lctx, category, module, level,
+			       msgcat, msgset, message,
+			       "socket %p line %d: %s", sock, lineno, msgbuf);
+	} else {
+		isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
+		isc_log_iwrite(isc_lctx, category, module, level,
+			       msgcat, msgset, message,
+				   "socket %p line %d %s: %s", sock, lineno,
+				   peerbuf, msgbuf);
+	}
+
+}
+
+/*
+ * Make an fd SOCKET non-blocking.
+ */
+static isc_result_t
+make_nonblock(SOCKET fd) {
+	int ret;
+	unsigned long flags = 1;
+	char strbuf[ISC_STRERRORSIZE];
+
+	/* Set the socket to non-blocking */
+	ret = ioctlsocket(fd, FIONBIO, &flags);
+
+	if (ret == -1) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "ioctlsocket(%d, FIOBIO, %d): %s",
+				 fd, flags, strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Windows 2000 systems incorrectly cause UDP sockets using WSARecvFrom
+ * to not work correctly, returning a WSACONNRESET error when a WSASendTo
+ * fails with an "ICMP port unreachable" response and preventing the
+ * socket from using the WSARecvFrom in subsequent operations.
+ * The function below fixes this, but requires that Windows 2000
+ * Service Pack 2 or later be installed on the system.  NT 4.0
+ * systems are not affected by this and work correctly.
+ * See Microsoft Knowledge Base Article Q263823 for details of this.
+ */
+isc_result_t
+connection_reset_fix(SOCKET fd) {
+	DWORD dwBytesReturned = 0;
+	BOOL  bNewBehavior = FALSE;
+	DWORD status;
+
+	if (isc_win32os_versioncheck(5, 0, 0, 0) < 0)
+		return (ISC_R_SUCCESS); /*  NT 4.0 has no problem */
+
+	/* disable bad behavior using IOCTL: SIO_UDP_CONNRESET */
+	status = WSAIoctl(fd, SIO_UDP_CONNRESET, &bNewBehavior,
+			  sizeof(bNewBehavior), NULL, 0,
+			  &dwBytesReturned, NULL, NULL);
+	if (status != SOCKET_ERROR)
+		return (ISC_R_SUCCESS);
+	else {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "WSAIoctl(SIO_UDP_CONNRESET, oldBehaviour) %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		return (ISC_R_UNEXPECTED);
+	}
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in.  This is
+ * the SEND constructor, which will use the used region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ */
+static void
+build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
+		  struct msghdr *msg, char *cmsg, WSABUF *iov,
+		  IoCompletionInfo  *lpo)
+{
+	unsigned int iovcount;
+	isc_buffer_t *buffer;
+	buflist_t  *cpbuffer;
+	isc_region_t used;
+	size_t write_count;
+	size_t skip_count;
+
+	memset(msg, 0, sizeof(*msg));
+
+	memmove(&msg->to_addr, &dev->address.type, dev->address.length);
+	msg->to_addr_len = dev->address.length;
+
+	buffer = ISC_LIST_HEAD(dev->bufferlist);
+	write_count = 0;
+	iovcount = 0;
+
+	/*
+	 * Single buffer I/O?  Skip what we've done so far in this region.
+	 */
+	if (buffer == NULL) {
+		write_count = dev->region.length - dev->n;
+		cpbuffer = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY, sizeof(buflist_t));
+		RUNTIME_CHECK(cpbuffer != NULL);
+		cpbuffer->buf = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY, write_count);
+		RUNTIME_CHECK(cpbuffer->buf != NULL);
+
+		socket_log(__LINE__, sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+		   "alloc_buffer %p %d %p %d", cpbuffer, sizeof(buflist_t),
+		   cpbuffer->buf, write_count);
+
+		memmove(cpbuffer->buf,(dev->region.base + dev->n), write_count);
+		cpbuffer->buflen = (unsigned int)write_count;
+		ISC_LINK_INIT(cpbuffer, link);
+		ISC_LIST_ENQUEUE(lpo->bufferlist, cpbuffer, link);
+		iov[0].buf = cpbuffer->buf;
+		iov[0].len = (u_long)write_count;
+		iovcount = 1;
+
+		goto config;
+	}
+
+	/*
+	 * Multibuffer I/O.
+	 * Skip the data in the buffer list that we have already written.
+	 */
+	skip_count = dev->n;
+	while (buffer != NULL) {
+		REQUIRE(ISC_BUFFER_VALID(buffer));
+		if (skip_count < isc_buffer_usedlength(buffer))
+			break;
+		skip_count -= isc_buffer_usedlength(buffer);
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	while (buffer != NULL) {
+		INSIST(iovcount < MAXSCATTERGATHER_SEND);
+
+		isc_buffer_usedregion(buffer, &used);
+
+		if (used.length > 0) {
+			int uselen = (int)(used.length - skip_count);
+			cpbuffer = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY, sizeof(buflist_t));
+			RUNTIME_CHECK(cpbuffer != NULL);
+			cpbuffer->buf = HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY, uselen);
+			RUNTIME_CHECK(cpbuffer->buf != NULL);
+
+			socket_log(__LINE__, sock, NULL, TRACE,
+			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+			   "alloc_buffer %p %d %p %d", cpbuffer, sizeof(buflist_t),
+			   cpbuffer->buf, write_count);
+
+			memmove(cpbuffer->buf,(used.base + skip_count), uselen);
+			cpbuffer->buflen = uselen;
+			iov[iovcount].buf = cpbuffer->buf;
+			iov[iovcount].len = (u_long)(used.length - skip_count);
+			write_count += uselen;
+			skip_count = 0;
+			iovcount++;
+		}
+		buffer = ISC_LIST_NEXT(buffer, link);
+	}
+
+	INSIST(skip_count == 0);
+
+ config:
+	msg->msg_iov = iov;
+	msg->msg_iovlen = iovcount;
+	msg->msg_totallen = (u_int)write_count;
+}
+
+static void
+set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
+		isc_socketevent_t *dev)
+{
+	if (sock->type == isc_sockettype_udp) {
+		if (address != NULL)
+			dev->address = *address;
+		else
+			dev->address = sock->address;
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(address == NULL);
+		dev->address = sock->address;
+	}
+}
+
+static void
+destroy_socketevent(isc_event_t *event) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)event;
+
+	INSIST(ISC_LIST_EMPTY(ev->bufferlist));
+
+	(ev->destroy)(event);
+}
+
+static isc_socketevent_t *
+allocate_socketevent(isc_mem_t *mctx, isc_socket_t *sock,
+		     isc_eventtype_t eventtype, isc_taskaction_t action,
+		     void *arg)
+{
+	isc_socketevent_t *ev;
+
+	ev = (isc_socketevent_t *)isc_event_allocate(mctx, sock, eventtype,
+						     action, arg,
+						     sizeof(*ev));
+	if (ev == NULL)
+		return (NULL);
+
+	ev->result = ISC_R_IOERROR; // XXXMLG temporary change to detect failure to set
+	ISC_LINK_INIT(ev, ev_link);
+	ISC_LIST_INIT(ev->bufferlist);
+	ev->region.base = NULL;
+	ev->n = 0;
+	ev->offset = 0;
+	ev->attributes = 0;
+	ev->destroy = ev->ev_destroy;
+	ev->ev_destroy = destroy_socketevent;
+	ev->dscp = 0;
+
+	return (ev);
+}
+
+#if defined(ISC_SOCKET_DEBUG)
+static void
+dump_msg(struct msghdr *msg, isc_socket_t *sock) {
+	unsigned int i;
+
+	printf("MSGHDR %p, Socket #: %Iu\n", msg, sock->fd);
+	printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen);
+	printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen);
+	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
+		printf("\t\t%u\tbase %p, len %u\n", i,
+		       msg->msg_iov[i].buf, msg->msg_iov[i].len);
+}
+#endif
+
+/*
+ * map the error code
+ */
+int
+map_socket_error(isc_socket_t *sock, int windows_errno, int *isc_errno,
+		 char *errorstring, size_t bufsize) {
+
+	int doreturn;
+	switch (windows_errno) {
+	case WSAECONNREFUSED:
+		*isc_errno = ISC_R_CONNREFUSED;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAENETUNREACH:
+	case ERROR_NETWORK_UNREACHABLE:
+		*isc_errno = ISC_R_NETUNREACH;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case ERROR_PORT_UNREACHABLE:
+	case ERROR_HOST_UNREACHABLE:
+	case WSAEHOSTUNREACH:
+		*isc_errno = ISC_R_HOSTUNREACH;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAENETDOWN:
+		*isc_errno = ISC_R_NETDOWN;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAEHOSTDOWN:
+		*isc_errno = ISC_R_HOSTDOWN;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAEACCES:
+		*isc_errno = ISC_R_NOPERM;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAECONNRESET:
+	case WSAENETRESET:
+	case WSAECONNABORTED:
+	case WSAEDISCON:
+		*isc_errno = ISC_R_CONNECTIONRESET;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case WSAENOTCONN:
+		*isc_errno = ISC_R_NOTCONNECTED;
+		if (sock->connected)
+			doreturn = DOIO_HARD;
+		else
+			doreturn = DOIO_SOFT;
+		break;
+	case ERROR_OPERATION_ABORTED:
+	case ERROR_CONNECTION_ABORTED:
+	case ERROR_REQUEST_ABORTED:
+		*isc_errno = ISC_R_CONNECTIONRESET;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAENOBUFS:
+		*isc_errno = ISC_R_NORESOURCES;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEAFNOSUPPORT:
+		*isc_errno = ISC_R_FAMILYNOSUPPORT;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEADDRNOTAVAIL:
+		*isc_errno = ISC_R_ADDRNOTAVAIL;
+		doreturn = DOIO_HARD;
+		break;
+	case WSAEDESTADDRREQ:
+		*isc_errno = ISC_R_BADADDRESSFORM;
+		doreturn = DOIO_HARD;
+		break;
+	case ERROR_NETNAME_DELETED:
+		*isc_errno = ISC_R_NETDOWN;
+		doreturn = DOIO_HARD;
+		break;
+	default:
+		*isc_errno = ISC_R_IOERROR;
+		doreturn = DOIO_HARD;
+		break;
+	}
+	if (doreturn == DOIO_HARD) {
+		isc__strerror(windows_errno, errorstring, bufsize);
+	}
+	return (doreturn);
+}
+
+static void
+fill_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+	isc_region_t r;
+	int copylen;
+	isc_buffer_t *buffer;
+
+	INSIST(dev->n < dev->minimum);
+	INSIST(sock->recvbuf.remaining > 0);
+	INSIST(sock->pending_recv == 0);
+
+	if (sock->type == isc_sockettype_udp) {
+		dev->address.length = sock->recvbuf.from_addr_len;
+		memmove(&dev->address.type, &sock->recvbuf.from_addr,
+			sock->recvbuf.from_addr_len);
+		if (isc_sockaddr_getport(&dev->address) == 0) {
+			if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+				socket_log(__LINE__, sock, &dev->address, IOEVENT,
+					   isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_ZEROPORT,
+					   "dropping source port zero packet");
+			}
+			sock->recvbuf.remaining = 0;
+			return;
+		}
+	} else if (sock->type == isc_sockettype_tcp) {
+		dev->address = sock->address;
+	}
+
+	/*
+	 * Run through the list of buffers we were given, and find the
+	 * first one with space.  Once it is found, loop through, filling
+	 * the buffers as much as possible.
+	 */
+	buffer = ISC_LIST_HEAD(dev->bufferlist);
+	if (buffer != NULL) { // Multi-buffer receive
+		while (buffer != NULL && sock->recvbuf.remaining > 0) {
+			REQUIRE(ISC_BUFFER_VALID(buffer));
+			if (isc_buffer_availablelength(buffer) > 0) {
+				isc_buffer_availableregion(buffer, &r);
+				copylen = min(r.length,
+					      sock->recvbuf.remaining);
+				memmove(r.base, sock->recvbuf.consume_position,
+					copylen);
+				sock->recvbuf.consume_position += copylen;
+				sock->recvbuf.remaining -= copylen;
+				isc_buffer_add(buffer, copylen);
+				dev->n += copylen;
+			}
+			buffer = ISC_LIST_NEXT(buffer, link);
+		}
+	} else { // Single-buffer receive
+		copylen = min(dev->region.length - dev->n, sock->recvbuf.remaining);
+		memmove(dev->region.base + dev->n,
+			sock->recvbuf.consume_position, copylen);
+		sock->recvbuf.consume_position += copylen;
+		sock->recvbuf.remaining -= copylen;
+		dev->n += copylen;
+	}
+
+	/*
+	 * UDP receives are all-consuming.  That is, if we have 4k worth of
+	 * data in our receive buffer, and the caller only gave us
+	 * 1k of space, we will toss the remaining 3k of data.  TCP
+	 * will keep the extra data around and use it for later requests.
+	 */
+	if (sock->type == isc_sockettype_udp)
+		sock->recvbuf.remaining = 0;
+}
+
+/*
+ * Copy out as much data from the internal buffer to done events.
+ * As each done event is filled, send it along its way.
+ */
+static void
+completeio_recv(isc_socket_t *sock)
+{
+	isc_socketevent_t *dev;
+
+	/*
+	 * If we are in the process of filling our buffer, we cannot
+	 * touch it yet, so don't.
+	 */
+	if (sock->pending_recv > 0)
+		return;
+
+	while (sock->recvbuf.remaining > 0 && !ISC_LIST_EMPTY(sock->recv_list)) {
+		dev = ISC_LIST_HEAD(sock->recv_list);
+
+		/*
+		 * See if we have sufficient data in our receive buffer
+		 * to handle this.  If we do, copy out the data.
+		 */
+		fill_recv(sock, dev);
+
+		/*
+		 * Did we satisfy it?
+		 */
+		if (dev->n >= dev->minimum) {
+			dev->result = ISC_R_SUCCESS;
+			send_recvdone_event(sock, &dev);
+		}
+	}
+}
+
+/*
+ * Returns:
+ *	DOIO_SUCCESS	The operation succeeded.  dev->result contains
+ *			ISC_R_SUCCESS.
+ *
+ *	DOIO_HARD	A hard or unexpected I/O error was encountered.
+ *			dev->result contains the appropriate error.
+ *
+ *	DOIO_SOFT	A soft I/O error was encountered.  No senddone
+ *			event was sent.  The operation should be retried.
+ *
+ *	No other return values are possible.
+ */
+static int
+completeio_send(isc_socket_t *sock, isc_socketevent_t *dev,
+		struct msghdr *messagehdr, int cc, int send_errno)
+{
+	char strbuf[ISC_STRERRORSIZE];
+
+	if (send_errno != 0) {
+		if (SOFT_ERROR(send_errno))
+			return (DOIO_SOFT);
+
+		return (map_socket_error(sock, send_errno, &dev->result,
+			strbuf, sizeof(strbuf)));
+	}
+
+	/*
+	 * If we write less than we expected, update counters, poke.
+	 */
+	dev->n += cc;
+	if (cc != messagehdr->msg_totallen)
+		return (DOIO_SOFT);
+
+	/*
+	 * Exactly what we wanted to write.  We're done with this
+	 * entry.  Post its completion event.
+	 */
+	dev->result = ISC_R_SUCCESS;
+	return (DOIO_SUCCESS);
+}
+
+static int
+startio_send(isc_socket_t *sock, isc_socketevent_t *dev, int *nbytes,
+	     int *send_errno)
+{
+	char *cmsg = NULL;
+	char strbuf[ISC_STRERRORSIZE];
+	IoCompletionInfo *lpo;
+	int status;
+	struct msghdr *mh;
+
+	lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+					    HEAP_ZERO_MEMORY,
+					    sizeof(IoCompletionInfo));
+	RUNTIME_CHECK(lpo != NULL);
+	lpo->request_type = SOCKET_SEND;
+	lpo->dev = dev;
+	mh = &lpo->messagehdr;
+	memset(mh, 0, sizeof(struct msghdr));
+	ISC_LIST_INIT(lpo->bufferlist);
+
+	build_msghdr_send(sock, dev, mh, cmsg, sock->iov, lpo);
+
+	*nbytes = internal_sendmsg(sock, lpo, mh, 0, send_errno);
+
+	if (*nbytes <= 0) {
+		/*
+		 * I/O has been initiated
+		 * completion will be through the completion port
+		 */
+		if (PENDING_ERROR(*send_errno)) {
+			status = DOIO_PENDING;
+			goto done;
+		}
+
+		if (SOFT_ERROR(*send_errno)) {
+			status = DOIO_SOFT;
+			goto done;
+		}
+
+		/*
+		 * If we got this far then something is wrong
+		 */
+		if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+			isc__strerror(*send_errno, strbuf, sizeof(strbuf));
+			socket_log(__LINE__, sock, NULL, IOEVENT,
+				   isc_msgcat, ISC_MSGSET_SOCKET,
+				   ISC_MSG_INTERNALSEND,
+				   "startio_send: internal_sendmsg(%d) %d "
+				   "bytes, err %d/%s",
+				   sock->fd, *nbytes, *send_errno, strbuf);
+		}
+		status = DOIO_HARD;
+		goto done;
+	}
+	dev->result = ISC_R_SUCCESS;
+	status = DOIO_SOFT;
+ done:
+	_set_state(sock, SOCK_DATA);
+	return (status);
+}
+
+static void
+use_min_mtu(isc_socket_t *sock) {
+#ifdef IPV6_USE_MIN_MTU
+	/* use minimum MTU */
+	if (sock->pf == AF_INET6) {
+		int on = 1;
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
+				(void *)&on, sizeof(on));
+	}
+#else
+	UNUSED(sock);
+#endif
+}
+
+static isc_result_t
+allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
+		isc_socket_t **socketp) {
+	isc_socket_t *sock;
+	isc_result_t result;
+
+	sock = isc_mem_get(manager->mctx, sizeof(*sock));
+
+	if (sock == NULL)
+		return (ISC_R_NOMEMORY);
+
+	sock->magic = 0;
+	sock->references = 0;
+
+	sock->manager = manager;
+	sock->type = type;
+	sock->fd = INVALID_SOCKET;
+
+	ISC_LINK_INIT(sock, link);
+
+	/*
+	 * Set up list of readers and writers to be initially empty.
+	 */
+	ISC_LIST_INIT(sock->recv_list);
+	ISC_LIST_INIT(sock->send_list);
+	ISC_LIST_INIT(sock->accept_list);
+	ISC_LIST_INIT(sock->connect_list);
+	sock->pending_accept = 0;
+	sock->pending_recv = 0;
+	sock->pending_send = 0;
+	sock->pending_iocp = 0;
+	sock->listener = 0;
+	sock->connected = 0;
+	sock->pending_connect = 0;
+	sock->bound = 0;
+	sock->dupped = 0;
+	memset(sock->name, 0, sizeof(sock->name));	// zero the name field
+	_set_state(sock, SOCK_INITIALIZED);
+
+	sock->recvbuf.len = 65536;
+	sock->recvbuf.consume_position = sock->recvbuf.base;
+	sock->recvbuf.remaining = 0;
+	sock->recvbuf.base = isc_mem_get(manager->mctx, sock->recvbuf.len); // max buffer size
+	if (sock->recvbuf.base == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto error;
+	}
+
+	/*
+	 * Initialize the lock.
+	 */
+	result = isc_mutex_init(&sock->lock);
+	if (result != ISC_R_SUCCESS)
+		goto error;
+
+	socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+		   "allocated");
+
+	sock->magic = SOCKET_MAGIC;
+	*socketp = sock;
+
+	return (ISC_R_SUCCESS);
+
+ error:
+	if (sock->recvbuf.base != NULL)
+		isc_mem_put(manager->mctx, sock->recvbuf.base, sock->recvbuf.len);
+	isc_mem_put(manager->mctx, sock, sizeof(*sock));
+
+	return (result);
+}
+
+/*
+ * Verify that the socket state is consistent.
+ */
+static void
+consistent(isc_socket_t *sock) {
+
+	isc_socketevent_t *dev;
+	isc_socket_newconnev_t *nev;
+	unsigned int count;
+	char *crash_reason;
+	bool crash = false;
+
+	REQUIRE(sock->pending_iocp == sock->pending_recv + sock->pending_send
+		+ sock->pending_accept + sock->pending_connect);
+
+	dev = ISC_LIST_HEAD(sock->send_list);
+	count = 0;
+	while (dev != NULL) {
+		count++;
+		dev = ISC_LIST_NEXT(dev, ev_link);
+	}
+	if (count > sock->pending_send) {
+		crash = true;
+		crash_reason = "send_list > sock->pending_send";
+	}
+
+	nev = ISC_LIST_HEAD(sock->accept_list);
+	count = 0;
+	while (nev != NULL) {
+		count++;
+		nev = ISC_LIST_NEXT(nev, ev_link);
+	}
+	if (count > sock->pending_accept) {
+		crash = true;
+		crash_reason = "accept_list > sock->pending_accept";
+	}
+
+	if (crash) {
+		socket_log(__LINE__, sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+			   ISC_MSG_DESTROYING, "SOCKET INCONSISTENT: %s",
+			   crash_reason);
+		sock_dump(sock);
+		INSIST(crash == false);
+	}
+}
+
+/*
+ * Maybe free the socket.
+ *
+ * This function will verify tht the socket is no longer in use in any way,
+ * either internally or externally.  This is the only place where this
+ * check is to be made; if some bit of code believes that IT is done with
+ * the socket (e.g., some reference counter reaches zero), it should call
+ * this function.
+ *
+ * When calling this function, the socket must be locked, and the manager
+ * must be unlocked.
+ *
+ * When this function returns, *socketp will be NULL.  No tricks to try
+ * to hold on to this pointer are allowed.
+ */
+static void
+maybe_free_socket(isc_socket_t **socketp, int lineno) {
+	isc_socket_t *sock = *socketp;
+	*socketp = NULL;
+
+	INSIST(VALID_SOCKET(sock));
+	CONSISTENT(sock);
+
+	if (sock->pending_iocp > 0
+	    || sock->pending_recv > 0
+	    || sock->pending_send > 0
+	    || sock->pending_accept > 0
+	    || sock->references > 0
+	    || sock->pending_connect == 1
+	    || !ISC_LIST_EMPTY(sock->recv_list)
+	    || !ISC_LIST_EMPTY(sock->send_list)
+	    || !ISC_LIST_EMPTY(sock->accept_list)
+	    || !ISC_LIST_EMPTY(sock->connect_list)
+	    || sock->fd != INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return;
+	}
+	UNLOCK(&sock->lock);
+
+	free_socket(&sock, lineno);
+}
+
+void
+free_socket(isc_socket_t **sockp, int lineno) {
+	isc_socketmgr_t *manager;
+	isc_socket_t *sock = *sockp;
+	*sockp = NULL;
+
+	/*
+	 * Seems we can free the socket after all.
+	 */
+	manager = sock->manager;
+	socket_log(__LINE__, sock, NULL, CREATION, isc_msgcat,
+		   ISC_MSGSET_SOCKET, ISC_MSG_DESTROYING,
+		   "freeing socket line %d fd %d lock %p semaphore %p",
+		   lineno, sock->fd, &sock->lock, sock->lock.LockSemaphore);
+
+	sock->magic = 0;
+	DESTROYLOCK(&sock->lock);
+
+	if (sock->recvbuf.base != NULL)
+		isc_mem_put(manager->mctx, sock->recvbuf.base,
+			    sock->recvbuf.len);
+
+	LOCK(&manager->lock);
+	if (ISC_LINK_LINKED(sock, link))
+		ISC_LIST_UNLINK(manager->socklist, sock, link);
+	isc_mem_put(manager->mctx, sock, sizeof(*sock));
+
+	if (ISC_LIST_EMPTY(manager->socklist))
+		SIGNAL(&manager->shutdown_ok);
+	UNLOCK(&manager->lock);
+}
+
+/*
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+static isc_result_t
+socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+	      isc_socket_t **socketp, isc_socket_t *dup_socket)
+{
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+#if defined(USE_CMSG)
+	int on = 1;
+#endif
+#if defined(SO_RCVBUF)
+	ISC_SOCKADDR_LEN_T optlen;
+	int size;
+#endif
+	int socket_errno;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+	REQUIRE(type != isc_sockettype_fdwatch);
+
+#ifndef SOCK_RAW
+	if (type == isc_sockettype_raw)
+		return (ISC_R_NOTIMPLEMENTED);
+#endif
+
+	result = allocate_socket(manager, type, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	sock->pf = pf;
+	switch (type) {
+	case isc_sockettype_udp:
+		sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
+		if (sock->fd != INVALID_SOCKET) {
+			result = connection_reset_fix(sock->fd);
+			if (result != ISC_R_SUCCESS) {
+				socket_log(__LINE__, sock,
+					NULL, EVENT, NULL, 0, 0,
+					"closed %d %d %d "
+					"con_reset_fix_failed",
+					sock->pending_recv,
+					sock->pending_send,
+					sock->references);
+				closesocket(sock->fd);
+				_set_state(sock, SOCK_CLOSED);
+				sock->fd = INVALID_SOCKET;
+				free_socket(&sock, __LINE__);
+				return (result);
+			}
+		}
+		break;
+	case isc_sockettype_tcp:
+		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
+		break;
+#ifdef SOCK_RAW
+	case isc_sockettype_raw:
+		sock->fd = socket(pf, SOCK_RAW, 0);
+#ifdef PF_ROUTE
+		if (pf == PF_ROUTE)
+			sock->bound = 1;
+#endif
+		break;
+#endif
+	}
+
+	if (sock->fd == INVALID_SOCKET) {
+		socket_errno = WSAGetLastError();
+		free_socket(&sock, __LINE__);
+
+		switch (socket_errno) {
+		case WSAEMFILE:
+		case WSAENOBUFS:
+			return (ISC_R_NORESOURCES);
+
+		case WSAEPROTONOSUPPORT:
+		case WSAEPFNOSUPPORT:
+		case WSAEAFNOSUPPORT:
+			return (ISC_R_FAMILYNOSUPPORT);
+
+		default:
+			isc__strerror(socket_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "socket() %s: %s",
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	result = make_nonblock(sock->fd);
+	if (result != ISC_R_SUCCESS) {
+		socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+			"closed %d %d %d make_nonblock_failed",
+			sock->pending_recv, sock->pending_send,
+			sock->references);
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		free_socket(&sock, __LINE__);
+		return (result);
+	}
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	use_min_mtu(sock);
+
+#if defined(USE_CMSG) || defined(SO_RCVBUF)
+	if (type == isc_sockettype_udp) {
+
+#if defined(USE_CMSG)
+#if defined(ISC_PLATFORM_HAVEIPV6)
+#ifdef IPV6_RECVPKTINFO
+		/* 2292bis */
+		if ((pf == AF_INET6)
+		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+				   (char *)&on, sizeof(on)) < 0)) {
+			isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_RECVPKTINFO) "
+					 "%s: %s", sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+#else
+		/* 2292 */
+		if ((pf == AF_INET6)
+		    && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
+				   (char *)&on, sizeof(on)) < 0)) {
+			isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "setsockopt(%d, IPV6_PKTINFO) %s: %s",
+					 sock->fd,
+					 isc_msgcat_get(isc_msgcat,
+							ISC_MSGSET_GENERAL,
+							ISC_MSG_FAILED,
+							"failed"),
+					 strbuf);
+		}
+#endif /* IPV6_RECVPKTINFO */
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+#endif /* defined(USE_CMSG) */
+
+#if defined(SO_RCVBUF)
+	       optlen = sizeof(size);
+	       if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+			      (char *)&size, &optlen) >= 0 &&
+		    size < RCVBUFSIZE) {
+		       size = RCVBUFSIZE;
+		       (void)setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+					(char *)&size, sizeof(size));
+	       }
+#endif
+
+	}
+#endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
+
+	_set_state(sock, SOCK_OPEN);
+	sock->references = 1;
+	*socketp = sock;
+
+	iocompletionport_update(sock);
+
+	if (dup_socket) {
+#ifndef ISC_ALLOW_MAPPED
+		isc__socket_ipv6only(sock, true);
+#endif
+
+		if (dup_socket->bound) {
+			isc_sockaddr_t local;
+
+			result = isc__socket_getsockname(dup_socket, &local);
+			if (result != ISC_R_SUCCESS) {
+				isc_socket_close(sock);
+				return (result);
+			}
+			result = isc__socket_bind(sock, &local,
+						  ISC_SOCKET_REUSEADDRESS);
+			if (result != ISC_R_SUCCESS) {
+				isc_socket_close(sock);
+				return (result);
+			}
+		}
+		sock->dupped = 1;
+	}
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+	InterlockedIncrement(&manager->totalSockets);
+	UNLOCK(&manager->lock);
+
+	socket_log(__LINE__, sock, NULL, CREATION, isc_msgcat,
+		   ISC_MSGSET_SOCKET, ISC_MSG_CREATED,
+		   "created %u type %u", sock->fd, type);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+		   isc_socket_t **socketp)
+{
+	return (socket_create(manager, pf, type, socketp, NULL));
+}
+
+isc_result_t
+isc__socket_dup(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	return (socket_create(sock->manager, sock->pf, sock->type,
+			      socketp, sock));
+}
+
+isc_result_t
+isc_socket_open(isc_socket_t *sock) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Attach to a socket.  Caller must explicitly detach when it is done.
+ */
+void
+isc__socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+	sock->references++;
+	UNLOCK(&sock->lock);
+
+	*socketp = sock;
+}
+
+/*
+ * Dereference a socket.  If this is the last reference to it, clean things
+ * up by destroying the socket.
+ */
+void
+isc__socket_detach(isc_socket_t **socketp) {
+	isc_socket_t *sock;
+
+	REQUIRE(socketp != NULL);
+	sock = *socketp;
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+	REQUIRE(sock->references > 0);
+	sock->references--;
+
+	socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+		"detach_socket %d %d %d",
+		sock->pending_recv, sock->pending_send,
+		sock->references);
+
+	if (sock->references == 0 && sock->fd != INVALID_SOCKET) {
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+	}
+
+	maybe_free_socket(&sock, __LINE__);
+
+	*socketp = NULL;
+}
+
+isc_result_t
+isc_socket_close(isc_socket_t *sock) {
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Dequeue an item off the given socket's read queue, set the result code
+ * in the done event to the one provided, and send it to the task it was
+ * destined for.
+ *
+ * If the event to be sent is on a list, remove it before sending.  If
+ * asked to, send and detach from the task as well.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+	    == ISC_SOCKEVENTATTR_ATTACHED)
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	else
+		isc_task_send(task, (isc_event_t **)dev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+	isc_task_t *task;
+
+	INSIST(dev != NULL && *dev != NULL);
+
+	task = (*dev)->ev_sender;
+	(*dev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*dev, ev_link))
+		ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
+
+	if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+	    == ISC_SOCKEVENTATTR_ATTACHED)
+		isc_task_sendanddetach(&task, (isc_event_t **)dev);
+	else
+		isc_task_send(task, (isc_event_t **)dev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_acceptdone_event(isc_socket_t *sock, isc_socket_newconnev_t **adev) {
+	isc_task_t *task;
+
+	INSIST(adev != NULL && *adev != NULL);
+
+	task = (*adev)->ev_sender;
+	(*adev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*adev, ev_link))
+		ISC_LIST_DEQUEUE(sock->accept_list, *adev, ev_link);
+
+	isc_task_sendanddetach(&task, (isc_event_t **)adev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ */
+static void
+send_connectdone_event(isc_socket_t *sock, isc_socket_connev_t **cdev) {
+	isc_task_t *task;
+
+	INSIST(cdev != NULL && *cdev != NULL);
+
+	task = (*cdev)->ev_sender;
+	(*cdev)->ev_sender = sock;
+
+	if (ISC_LINK_LINKED(*cdev, ev_link))
+		ISC_LIST_DEQUEUE(sock->connect_list, *cdev, ev_link);
+
+	isc_task_sendanddetach(&task, (isc_event_t **)cdev);
+
+	CONSISTENT(sock);
+}
+
+/*
+ * On entry to this function, the event delivered is the internal
+ * readable event, and the first item on the accept_list should be
+ * the done event we want to send.  If the list is empty, this is a no-op,
+ * so just close the new connection, unlock, and return.
+ *
+ * Note the socket is locked before entering here
+ */
+static void
+internal_accept(isc_socket_t *sock, IoCompletionInfo *lpo, int accept_errno) {
+	isc_socket_newconnev_t *adev;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_socket_t *nsock;
+	struct sockaddr *localaddr;
+	int localaddr_len = sizeof(*localaddr);
+	struct sockaddr *remoteaddr;
+	int remoteaddr_len = sizeof(*remoteaddr);
+
+	INSIST(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+		   "internal_accept called");
+
+	INSIST(sock->listener);
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_accept > 0);
+	sock->pending_accept--;
+
+	adev = lpo->adev;
+
+	/*
+	 * If the event is no longer in the list we can just return.
+	 */
+	if (!acceptdone_is_active(sock, adev))
+		goto done;
+
+	nsock = adev->newsocket;
+
+	/*
+	 * Pull off the done event.
+	 */
+	ISC_LIST_UNLINK(sock->accept_list, adev, ev_link);
+
+	/*
+	 * Extract the addresses from the socket, copy them into the structure,
+	 * and return the new socket.
+	 */
+	ISCGetAcceptExSockaddrs(lpo->acceptbuffer, 0,
+		sizeof(SOCKADDR_STORAGE) + 16, sizeof(SOCKADDR_STORAGE) + 16,
+		(LPSOCKADDR *)&localaddr, &localaddr_len,
+		(LPSOCKADDR *)&remoteaddr, &remoteaddr_len);
+	memmove(&adev->address.type, remoteaddr, remoteaddr_len);
+	adev->address.length = remoteaddr_len;
+	nsock->address = adev->address;
+	nsock->pf = adev->address.type.sa.sa_family;
+
+	socket_log(__LINE__, nsock, &nsock->address, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+		   "internal_accept parent %p", sock);
+
+	result = make_nonblock(adev->newsocket->fd);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * Use minimum mtu if possible.
+	 */
+	use_min_mtu(adev->newsocket);
+
+	INSIST(setsockopt(nsock->fd, SOL_SOCKET, SO_UPDATE_ACCEPT_CONTEXT,
+			  (char *)&sock->fd, sizeof(sock->fd)) == 0);
+
+	/*
+	 * Hook it up into the manager.
+	 */
+	nsock->bound = 1;
+	nsock->connected = 1;
+	_set_state(nsock, SOCK_OPEN);
+
+	LOCK(&nsock->manager->lock);
+	ISC_LIST_APPEND(nsock->manager->socklist, nsock, link);
+	InterlockedIncrement(&nsock->manager->totalSockets);
+	UNLOCK(&nsock->manager->lock);
+
+	socket_log(__LINE__, sock, &nsock->address, CREATION,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
+		   "accepted_connection new_socket %p fd %d",
+		   nsock, nsock->fd);
+
+	adev->result = result;
+	send_acceptdone_event(sock, &adev);
+
+done:
+	CONSISTENT(sock);
+	UNLOCK(&sock->lock);
+
+	HeapFree(hHeapHandle, 0, lpo->acceptbuffer);
+	lpo->acceptbuffer = NULL;
+}
+
+/*
+ * Called when a socket with a pending connect() finishes.
+ * Note that the socket is locked before entering.
+ */
+static void
+internal_connect(isc_socket_t *sock, IoCompletionInfo *lpo, int connect_errno) {
+	isc_socket_connev_t *cdev;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_connect == 1);
+	sock->pending_connect = 0;
+
+	/*
+	 * If the event is no longer in the list we can just close and return.
+	 */
+	cdev = lpo->cdev;
+	if (!connectdone_is_active(sock, cdev)) {
+		sock->pending_connect = 0;
+		if (sock->fd != INVALID_SOCKET) {
+			closesocket(sock->fd);
+			sock->fd = INVALID_SOCKET;
+			_set_state(sock, SOCK_CLOSED);
+		}
+		CONSISTENT(sock);
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * Check possible Windows network event error status here.
+	 */
+	if (connect_errno != 0) {
+		/*
+		 * If the error is SOFT, just try again on this
+		 * fd and pretend nothing strange happened.
+		 */
+		if (SOFT_ERROR(connect_errno) ||
+		    connect_errno == WSAEINPROGRESS) {
+			sock->pending_connect = 1;
+			CONSISTENT(sock);
+			UNLOCK(&sock->lock);
+			return;
+		}
+
+		/*
+		 * Translate other errors into ISC_R_* flavors.
+		 */
+		switch (connect_errno) {
+#define ERROR_MATCH(a, b) case a: result = b; break;
+			ERROR_MATCH(WSAEACCES, ISC_R_NOPERM);
+			ERROR_MATCH(WSAEADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(WSAEAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+			ERROR_MATCH(WSAECONNREFUSED, ISC_R_CONNREFUSED);
+			ERROR_MATCH(WSAEHOSTUNREACH, ISC_R_HOSTUNREACH);
+			ERROR_MATCH(WSAEHOSTDOWN, ISC_R_HOSTDOWN);
+			ERROR_MATCH(WSAENETUNREACH, ISC_R_NETUNREACH);
+			ERROR_MATCH(WSAENETDOWN, ISC_R_NETDOWN);
+			ERROR_MATCH(WSAENOBUFS, ISC_R_NORESOURCES);
+			ERROR_MATCH(WSAECONNRESET, ISC_R_CONNECTIONRESET);
+			ERROR_MATCH(WSAECONNABORTED, ISC_R_CONNECTIONRESET);
+			ERROR_MATCH(WSAETIMEDOUT, ISC_R_TIMEDOUT);
+#undef ERROR_MATCH
+		default:
+			result = ISC_R_UNEXPECTED;
+			isc__strerror(connect_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+					 "internal_connect: connect() %s",
+					 strbuf);
+		}
+	} else {
+		INSIST(setsockopt(sock->fd, SOL_SOCKET,
+				  SO_UPDATE_CONNECT_CONTEXT, NULL, 0) == 0);
+		result = ISC_R_SUCCESS;
+		sock->connected = 1;
+		socket_log(__LINE__, sock, &sock->address, IOEVENT,
+			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
+			   "internal_connect: success");
+	}
+
+	do {
+		cdev->result = result;
+		send_connectdone_event(sock, &cdev);
+		cdev = ISC_LIST_HEAD(sock->connect_list);
+	} while (cdev != NULL);
+
+	UNLOCK(&sock->lock);
+}
+
+/*
+ * Loop through the socket, returning ISC_R_EOF for each done event pending.
+ */
+static void
+send_recvdone_abort(isc_socket_t *sock, isc_result_t result) {
+	isc_socketevent_t *dev;
+
+	while (!ISC_LIST_EMPTY(sock->recv_list)) {
+		dev = ISC_LIST_HEAD(sock->recv_list);
+		dev->result = result;
+		send_recvdone_event(sock, &dev);
+	}
+}
+
+/*
+ * Loop through the socket, returning result for each done event pending.
+ */
+static void
+send_connectdone_abort(isc_socket_t *sock, isc_result_t result) {
+	isc_socket_connev_t *dev;
+
+	while (!ISC_LIST_EMPTY(sock->connect_list)) {
+		dev = ISC_LIST_HEAD(sock->connect_list);
+		dev->result = result;
+		send_connectdone_event(sock, &dev);
+	}
+}
+
+/*
+ * Take the data we received in our private buffer, and if any recv() calls on
+ * our list are satisfied, send the corresponding done event.
+ *
+ * If we need more data (there are still items on the recv_list after we consume all
+ * our data) then arrange for another system recv() call to fill our buffers.
+ */
+static void
+internal_recv(isc_socket_t *sock, int nbytes)
+{
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+		   "internal_recv: %d bytes received", nbytes);
+
+	/*
+	 * If we got here, the I/O operation succeeded.  However, we might still have removed this
+	 * event from our notification list (or never placed it on it due to immediate completion.)
+	 * Handle the reference counting here, and handle the cancellation event just after.
+	 */
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_recv > 0);
+	sock->pending_recv--;
+
+	/*
+	 * The only way we could have gotten here is that our I/O has successfully completed.
+	 * Update our pointers, and move on.  The only odd case here is that we might not
+	 * have received enough data on a TCP stream to satisfy the minimum requirements.  If
+	 * this is the case, we will re-issue the recv() call for what we need.
+	 *
+	 * We do check for a recv() of 0 bytes on a TCP stream.  This means the remote end
+	 * has closed.
+	 */
+	if (nbytes == 0 && sock->type == isc_sockettype_tcp) {
+		send_recvdone_abort(sock, ISC_R_EOF);
+		maybe_free_socket(&sock, __LINE__);
+		return;
+	}
+	sock->recvbuf.remaining = nbytes;
+	sock->recvbuf.consume_position = sock->recvbuf.base;
+	completeio_recv(sock);
+
+	/*
+	 * If there are more receivers waiting for data, queue another receive
+	 * here.
+	 */
+	queue_receive_request(sock);
+
+	/*
+	 * Unlock and/or destroy if we are the last thing this socket has left to do.
+	 */
+	maybe_free_socket(&sock, __LINE__);
+}
+
+static void
+internal_send(isc_socket_t *sock, isc_socketevent_t *dev,
+	      struct msghdr *messagehdr, int nbytes, int send_errno, IoCompletionInfo *lpo)
+{
+	buflist_t *buffer;
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	socket_log(__LINE__, sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+		   "internal_send: task got socket event %p", dev);
+
+	buffer = ISC_LIST_HEAD(lpo->bufferlist);
+	while (buffer != NULL) {
+		ISC_LIST_DEQUEUE(lpo->bufferlist, buffer, link);
+
+		socket_log(__LINE__, sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+		   "free_buffer %p %p", buffer, buffer->buf);
+
+		HeapFree(hHeapHandle, 0, buffer->buf);
+		HeapFree(hHeapHandle, 0, buffer);
+		buffer = ISC_LIST_HEAD(lpo->bufferlist);
+	}
+
+	INSIST(sock->pending_iocp > 0);
+	sock->pending_iocp--;
+	INSIST(sock->pending_send > 0);
+	sock->pending_send--;
+
+	/* If the event is no longer in the list we can just return */
+	if (!senddone_is_active(sock, dev))
+		goto done;
+
+	/*
+	 * Set the error code and send things on its way.
+	 */
+	switch (completeio_send(sock, dev, messagehdr, nbytes, send_errno)) {
+	case DOIO_SOFT:
+		break;
+	case DOIO_HARD:
+	case DOIO_SUCCESS:
+		send_senddone_event(sock, &dev);
+		break;
+	}
+
+ done:
+	maybe_free_socket(&sock, __LINE__);
+}
+
+/*
+ * These return if the done event passed in is on the list.
+ * Using these ensures we will not double-send an event.
+ */
+static bool
+senddone_is_active(isc_socket_t *sock, isc_socketevent_t *dev)
+{
+	isc_socketevent_t *ldev;
+
+	ldev = ISC_LIST_HEAD(sock->send_list);
+	while (ldev != NULL && ldev != dev)
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+
+	return (ldev == NULL ? false : true);
+}
+
+static bool
+acceptdone_is_active(isc_socket_t *sock, isc_socket_newconnev_t *dev)
+{
+	isc_socket_newconnev_t *ldev;
+
+	ldev = ISC_LIST_HEAD(sock->accept_list);
+	while (ldev != NULL && ldev != dev)
+		ldev = ISC_LIST_NEXT(ldev, ev_link);
+
+	return (ldev == NULL ? false : true);
+}
+
+static bool
+connectdone_is_active(isc_socket_t *sock, isc_socket_connev_t *dev)
+{
+	isc_socket_connev_t *cdev;
+
+	cdev = ISC_LIST_HEAD(sock->connect_list);
+	while (cdev != NULL && cdev != dev)
+		cdev = ISC_LIST_NEXT(cdev, ev_link);
+
+	return (cdev == NULL ? false : true);
+}
+
+//
+// The Windows network stack seems to have two very distinct paths depending
+// on what is installed.  Specifically, if something is looking at network
+// connections (like an anti-virus or anti-malware application, such as
+// McAfee products) Windows may return additional error conditions which
+// were not previously returned.
+//
+// One specific one is when a TCP SYN scan is used.  In this situation,
+// Windows responds with the SYN-ACK, but the scanner never responds with
+// the 3rd packet, the ACK.  Windows consiers this a partially open connection.
+// Most Unix networking stacks, and Windows without McAfee installed, will
+// not return this to the caller.  However, with this product installed,
+// Windows returns this as a failed status on the Accept() call.  Here, we
+// will just re-issue the ISCAcceptEx() call as if nothing had happened.
+//
+// This code should only be called when the listening socket has received
+// such an error.  Additionally, the "parent" socket must be locked.
+// Additionally, the lpo argument is re-used here, and must not be freed
+// by the caller.
+//
+static isc_result_t
+restart_accept(isc_socket_t *parent, IoCompletionInfo *lpo)
+{
+	isc_socket_t *nsock = lpo->adev->newsocket;
+	SOCKET new_fd;
+
+	/*
+	 * AcceptEx() requires we pass in a socket.  Note that we carefully
+	 * do not close the previous socket in case of an error message returned by
+	 * our new socket() call.  If we return an error here, our caller will
+	 * clean up.
+	 */
+	new_fd = socket(parent->pf, SOCK_STREAM, IPPROTO_TCP);
+	if (nsock->fd == INVALID_SOCKET) {
+		return (ISC_R_FAILURE); // parent will ask windows for error message
+	}
+	closesocket(nsock->fd);
+	nsock->fd = new_fd;
+
+	memset(&lpo->overlapped, 0, sizeof(lpo->overlapped));
+
+	ISCAcceptEx(parent->fd,
+		    nsock->fd,				/* Accepted Socket */
+		    lpo->acceptbuffer,			/* Buffer for initial Recv */
+		    0,					/* Length of Buffer */
+		    sizeof(SOCKADDR_STORAGE) + 16,	/* Local address length + 16 */
+		    sizeof(SOCKADDR_STORAGE) + 16,	/* Remote address lengh + 16 */
+		    (LPDWORD)&lpo->received_bytes,	/* Bytes Recved */
+		    (LPOVERLAPPED)lpo			/* Overlapped structure */
+		    );
+
+	InterlockedDecrement(&nsock->manager->iocp_total);
+	iocompletionport_update(nsock);
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is the I/O Completion Port Worker Function. It loops forever
+ * waiting for I/O to complete and then forwards them for further
+ * processing. There are a number of these in separate threads.
+ */
+static isc_threadresult_t WINAPI
+SocketIoThread(LPVOID ThreadContext) {
+	isc_socketmgr_t *manager = ThreadContext;
+	BOOL bSuccess = FALSE;
+	DWORD nbytes;
+	IoCompletionInfo *lpo = NULL;
+	isc_socket_t *sock = NULL;
+	int request;
+	struct msghdr *messagehdr = NULL;
+	int errval;
+	char strbuf[ISC_STRERRORSIZE];
+	int errstatus;
+
+	REQUIRE(VALID_MANAGER(manager));
+
+	/*
+	 * Set the thread priority high enough so I/O will
+	 * preempt normal recv packet processing, but not
+	 * higher than the timer sync thread.
+	 */
+	if (!SetThreadPriority(GetCurrentThread(),
+			       THREAD_PRIORITY_ABOVE_NORMAL)) {
+		errval = GetLastError();
+		isc__strerror(errval, strbuf, sizeof(strbuf));
+		FATAL_ERROR(__FILE__, __LINE__,
+				isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+				ISC_MSG_FAILED,
+				"Can't set thread priority: %s"),
+				strbuf);
+	}
+
+	/*
+	 * Loop forever waiting on I/O Completions and then processing them
+	 */
+	while (TRUE) {
+		wait_again:
+		bSuccess = GetQueuedCompletionStatus(manager->hIoCompletionPort,
+						     &nbytes,
+						     (PULONG_PTR)&sock,
+						     (LPWSAOVERLAPPED *)&lpo,
+						     INFINITE);
+		if (lpo == NULL) /* Received request to exit */
+			break;
+
+		REQUIRE(VALID_SOCKET(sock));
+
+		request = lpo->request_type;
+
+		if (!bSuccess)
+			errstatus = GetLastError();
+		else
+			errstatus = 0;
+		if (!bSuccess && errstatus != ERROR_MORE_DATA) {
+			isc_result_t isc_result;
+
+			/*
+			 * Did the I/O operation complete?
+			 */
+			isc_result = isc__errno2result(errstatus);
+
+			LOCK(&sock->lock);
+			CONSISTENT(sock);
+			switch (request) {
+			case SOCKET_RECV:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_recv > 0);
+				sock->pending_recv--;
+				if (!sock->connected &&
+				    ((errstatus == ERROR_HOST_UNREACHABLE) ||
+				     (errstatus == WSAENETRESET) ||
+				     (errstatus == WSAECONNRESET))) {
+					/* ignore soft errors */
+					queue_receive_request(sock);
+					break;
+				}
+				send_recvdone_abort(sock, isc_result);
+				if (isc_result == ISC_R_UNEXPECTED) {
+					UNEXPECTED_ERROR(__FILE__, __LINE__,
+						"SOCKET_RECV: Windows error code: %d, returning ISC error %d",
+						errstatus, isc_result);
+				}
+				break;
+
+			case SOCKET_SEND:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_send > 0);
+				sock->pending_send--;
+				if (senddone_is_active(sock, lpo->dev)) {
+					lpo->dev->result = isc_result;
+					socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+						"canceled_send");
+					send_senddone_event(sock, &lpo->dev);
+				}
+				break;
+
+			case SOCKET_ACCEPT:
+				INSIST(sock->pending_iocp > 0);
+				INSIST(sock->pending_accept > 0);
+
+				socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+					"Accept: errstatus=%d isc_result=%d", errstatus, isc_result);
+
+				if (acceptdone_is_active(sock, lpo->adev)) {
+					if (restart_accept(sock, lpo) == ISC_R_SUCCESS) {
+						UNLOCK(&sock->lock);
+						goto wait_again;
+					} else {
+						errstatus = GetLastError();
+						isc_result = isc__errno2result(errstatus);
+						socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+							"restart_accept() failed: errstatus=%d isc_result=%d",
+							errstatus, isc_result);
+					}
+				}
+
+				sock->pending_iocp--;
+				sock->pending_accept--;
+				if (acceptdone_is_active(sock, lpo->adev)) {
+					closesocket(lpo->adev->newsocket->fd);
+					lpo->adev->newsocket->fd = INVALID_SOCKET;
+					lpo->adev->newsocket->references--;
+					free_socket(&lpo->adev->newsocket, __LINE__);
+					lpo->adev->result = isc_result;
+					socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+						"canceled_accept");
+					send_acceptdone_event(sock, &lpo->adev);
+				}
+				break;
+
+			case SOCKET_CONNECT:
+				INSIST(sock->pending_iocp > 0);
+				sock->pending_iocp--;
+				INSIST(sock->pending_connect == 1);
+				sock->pending_connect = 0;
+				if (connectdone_is_active(sock, lpo->cdev)) {
+					socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+						"canceled_connect");
+					send_connectdone_abort(sock, isc_result);
+				}
+				break;
+			}
+			maybe_free_socket(&sock, __LINE__);
+
+			if (lpo != NULL)
+				HeapFree(hHeapHandle, 0, lpo);
+			continue;
+		}
+
+		messagehdr = &lpo->messagehdr;
+
+		switch (request) {
+		case SOCKET_RECV:
+			internal_recv(sock, nbytes);
+			break;
+		case SOCKET_SEND:
+			internal_send(sock, lpo->dev, messagehdr, nbytes, errstatus, lpo);
+			break;
+		case SOCKET_ACCEPT:
+			internal_accept(sock, lpo, errstatus);
+			break;
+		case SOCKET_CONNECT:
+			internal_connect(sock, lpo, errstatus);
+			break;
+		}
+
+		if (lpo != NULL)
+			HeapFree(hHeapHandle, 0, lpo);
+	}
+
+	/*
+	 * Exit Completion Port Thread
+	 */
+	manager_log(manager, TRACE,
+		    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+				   ISC_MSG_EXITING, "SocketIoThread exiting"));
+	return ((isc_threadresult_t)0);
+}
+
+/*
+ * Create a new socket manager.
+ */
+isc_result_t
+isc__socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+	return (isc_socketmgr_create2(mctx, managerp, 0));
+}
+
+isc_result_t
+isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
+		       unsigned int maxsocks)
+{
+	isc_socketmgr_t *manager;
+	isc_result_t result;
+
+	REQUIRE(managerp != NULL && *managerp == NULL);
+
+	if (maxsocks != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	manager = isc_mem_get(mctx, sizeof(*manager));
+	if (manager == NULL)
+		return (ISC_R_NOMEMORY);
+
+	InitSockets();
+
+	manager->magic = SOCKET_MANAGER_MAGIC;
+	manager->mctx = NULL;
+	manager->stats = NULL;
+	ISC_LIST_INIT(manager->socklist);
+	result = isc_mutex_init(&manager->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		return (result);
+	}
+	if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
+		DESTROYLOCK(&manager->lock);
+		isc_mem_put(mctx, manager, sizeof(*manager));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_condition_init() %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		return (ISC_R_UNEXPECTED);
+	}
+
+	isc_mem_attach(mctx, &manager->mctx);
+
+	iocompletionport_init(manager);	/* Create the Completion Ports */
+
+	manager->bShutdown = false;
+	manager->totalSockets = 0;
+	manager->iocp_total = 0;
+
+	*managerp = manager;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(nsockp != NULL);
+
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
+	REQUIRE(manager->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &manager->stats);
+}
+
+void
+isc__socketmgr_destroy(isc_socketmgr_t **managerp) {
+	isc_socketmgr_t *manager;
+	int i;
+	isc_mem_t *mctx;
+
+	/*
+	 * Destroy a socket manager.
+	 */
+
+	REQUIRE(managerp != NULL);
+	manager = *managerp;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&manager->lock);
+
+	/*
+	 * Wait for all sockets to be destroyed.
+	 */
+	while (!ISC_LIST_EMPTY(manager->socklist)) {
+		manager_log(manager, CREATION,
+			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+					   ISC_MSG_SOCKETSREMAIN,
+					   "sockets exist"));
+		WAIT(&manager->shutdown_ok, &manager->lock);
+	}
+
+	UNLOCK(&manager->lock);
+
+	/*
+	 * Here, we need to had some wait code for the completion port
+	 * thread.
+	 */
+	signal_iocompletionport_exit(manager);
+	manager->bShutdown = true;
+
+	/*
+	 * Wait for threads to exit.
+	 */
+	for (i = 0; i < manager->maxIOCPThreads; i++) {
+		if (isc_thread_join((isc_thread_t) manager->hIOCPThreads[i],
+			NULL) != ISC_R_SUCCESS)
+			UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_thread_join() for Completion Port %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+	}
+	/*
+	 * Clean up.
+	 */
+
+	CloseHandle(manager->hIoCompletionPort);
+
+	(void)isc_condition_destroy(&manager->shutdown_ok);
+
+	DESTROYLOCK(&manager->lock);
+	if (manager->stats != NULL)
+		isc_stats_detach(&manager->stats);
+	manager->magic = 0;
+	mctx= manager->mctx;
+	isc_mem_put(mctx, manager, sizeof(*manager));
+
+	isc_mem_detach(&mctx);
+
+	*managerp = NULL;
+}
+
+static void
+queue_receive_event(isc_socket_t *sock, isc_task_t *task, isc_socketevent_t *dev)
+{
+	isc_task_t *ntask = NULL;
+
+	isc_task_attach(task, &ntask);
+	dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+	/*
+	 * Enqueue the request.
+	 */
+	INSIST(!ISC_LINK_LINKED(dev, ev_link));
+	ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
+
+	socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+		   "queue_receive_event: event %p -> task %p",
+		   dev, ntask);
+}
+
+/*
+ * Check the pending receive queue, and if we have data pending, give it to this
+ * caller.  If we have none, queue an I/O request.  If this caller is not the first
+ * on the list, then we will just queue this event and return.
+ *
+ * Caller must have the socket locked.
+ */
+static isc_result_t
+socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    unsigned int flags)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	if (sock->fd == INVALID_SOCKET)
+		return (ISC_R_EOF);
+
+	/*
+	 * Queue our event on the list of things to do.  Call our function to
+	 * attempt to fill buffers as much as possible, and return done events.
+	 * We are going to lie about our handling of the ISC_SOCKFLAG_IMMEDIATE
+	 * here and tell our caller that we could not satisfy it immediately.
+	 */
+	queue_receive_event(sock, task, dev);
+	if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+		result = ISC_R_INPROGRESS;
+
+	completeio_recv(sock);
+
+	/*
+	 * If there are more receivers waiting for data, queue another receive
+	 * here.  If the
+	 */
+	queue_receive_request(sock);
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, void *arg)
+{
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	unsigned int iocount;
+	isc_buffer_t *buffer;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * Make sure that the socket is not closed.  XXXMLG change error here?
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	REQUIRE(buflist != NULL);
+	REQUIRE(!ISC_LIST_EMPTY(*buflist));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	iocount = isc_bufferlist_availablecount(buflist);
+	REQUIRE(iocount > 0);
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_RECVDONE, action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * UDP sockets are always partial read
+	 */
+	if (sock->type == isc_sockettype_udp)
+		dev->minimum = 1;
+	else {
+		if (minimum == 0)
+			dev->minimum = iocount;
+		else
+			dev->minimum = minimum;
+	}
+
+	/*
+	 * Move each buffer from the passed in list to our internal one.
+	 */
+	buffer = ISC_LIST_HEAD(*buflist);
+	while (buffer != NULL) {
+		ISC_LIST_DEQUEUE(*buflist, buffer, link);
+		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+		buffer = ISC_LIST_HEAD(*buflist);
+	}
+
+	ret = socket_recv(sock, dev, task, 0);
+
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc__socket_recv(isc_socket_t *sock, isc_region_t *region,
+		 unsigned int minimum, isc_task_t *task,
+		 isc_taskaction_t action, void *arg)
+{
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_RECVDONE, action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+
+	ret = isc_socket_recv2(sock, region, minimum, task, dev, 0);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc__socket_recv2(isc_socket_t *sock, isc_region_t *region,
+		  unsigned int minimum, isc_task_t *task,
+		  isc_socketevent_t *event, unsigned int flags)
+{
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	event->result = ISC_R_UNEXPECTED;
+	event->ev_sender = sock;
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	ISC_LIST_INIT(event->bufferlist);
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	/*
+	 * UDP sockets are always partial read.
+	 */
+	if (sock->type == isc_sockettype_udp)
+		event->minimum = 1;
+	else {
+		if (minimum == 0)
+			event->minimum = region->length;
+		else
+			event->minimum = minimum;
+	}
+
+	ret = socket_recv(sock, event, task, flags);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+/*
+ * Caller must have the socket locked.
+ */
+static isc_result_t
+socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+	    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+	    unsigned int flags)
+{
+	int io_state;
+	int send_errno = 0;
+	int cc = 0;
+	isc_task_t *ntask = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	dev->ev_sender = task;
+
+	set_dev_address(address, sock, dev);
+	if (pktinfo != NULL) {
+		socket_log(__LINE__, sock, NULL, TRACE, isc_msgcat, ISC_MSGSET_SOCKET,
+			   ISC_MSG_PKTINFOPROVIDED,
+			   "pktinfo structure provided, ifindex %u (set to 0)",
+			   pktinfo->ipi6_ifindex);
+
+		dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+		dev->pktinfo = *pktinfo;
+		/*
+		 * Set the pktinfo index to 0 here, to let the kernel decide
+		 * what interface it should send on.
+		 */
+		dev->pktinfo.ipi6_ifindex = 0;
+	}
+
+	io_state = startio_send(sock, dev, &cc, &send_errno);
+	switch (io_state) {
+	case DOIO_PENDING:	/* I/O started. Enqueue completion event. */
+	case DOIO_SOFT:
+		/*
+		 * We couldn't send all or part of the request right now, so
+		 * queue it unless ISC_SOCKFLAG_NORETRY is set.
+		 */
+		if ((flags & ISC_SOCKFLAG_NORETRY) == 0 ||
+		    io_state == DOIO_PENDING) {
+			isc_task_attach(task, &ntask);
+			dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+			/*
+			 * Enqueue the request.
+			 */
+			INSIST(!ISC_LINK_LINKED(dev, ev_link));
+			ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+
+			socket_log(__LINE__, sock, NULL, EVENT, NULL, 0, 0,
+				   "socket_send: event %p -> task %p",
+				   dev, ntask);
+
+			if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+				result = ISC_R_INPROGRESS;
+			break;
+		}
+
+	case DOIO_SUCCESS:
+		break;
+	}
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_send(isc_socket_t *sock, isc_region_t *region,
+		 isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	/*
+	 * REQUIRE() checking is performed in isc_socket_sendto().
+	 */
+	return (isc_socket_sendto(sock, region, task, action, arg, NULL,
+				  NULL));
+}
+
+isc_result_t
+isc__socket_sendto(isc_socket_t *sock, isc_region_t *region,
+		   isc_task_t *task, isc_taskaction_t action, void *arg,
+		   isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	REQUIRE(region != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	INSIST(sock->bound);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_SENDDONE, action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	dev->region = *region;
+
+	ret = socket_send(sock, dev, task, address, pktinfo, 0);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		  isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	return (isc_socket_sendtov2(sock, buflist, task, action, arg, NULL,
+				    NULL, 0));
+}
+
+isc_result_t
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		    isc_task_t *task, isc_taskaction_t action, void *arg,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+	return (isc_socket_sendtov2(sock, buflist, task, action, arg, address,
+				    pktinfo, 0));
+}
+
+isc_result_t
+isc__socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+		     isc_task_t *task, isc_taskaction_t action, void *arg,
+		     isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		     unsigned int flags)
+{
+	isc_socketevent_t *dev;
+	isc_socketmgr_t *manager;
+	unsigned int iocount;
+	isc_buffer_t *buffer;
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	REQUIRE(buflist != NULL);
+	REQUIRE(!ISC_LIST_EMPTY(*buflist));
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	iocount = isc_bufferlist_usedcount(buflist);
+	REQUIRE(iocount > 0);
+
+	dev = allocate_socketevent(manager->mctx, sock,
+				   ISC_SOCKEVENT_SENDDONE, action, arg);
+	if (dev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/*
+	 * Move each buffer from the passed in list to our internal one.
+	 */
+	buffer = ISC_LIST_HEAD(*buflist);
+	while (buffer != NULL) {
+		ISC_LIST_DEQUEUE(*buflist, buffer, link);
+		ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+		buffer = ISC_LIST_HEAD(*buflist);
+	}
+
+	ret = socket_send(sock, dev, task, address, pktinfo, flags);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+		    isc_task_t *task,
+		    isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+		    isc_socketevent_t *event, unsigned int flags)
+{
+	isc_result_t ret;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
+	if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
+		REQUIRE(sock->type == isc_sockettype_udp);
+	event->ev_sender = sock;
+	event->result = ISC_R_UNEXPECTED;
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+	ISC_LIST_INIT(event->bufferlist);
+	event->region = *region;
+	event->n = 0;
+	event->offset = 0;
+	event->attributes = 0;
+
+	ret = socket_send(sock, event, task, address, pktinfo, flags);
+	UNLOCK(&sock->lock);
+	return (ret);
+}
+
+isc_result_t
+isc__socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
+		 unsigned int options) {
+	int bind_errno;
+	char strbuf[ISC_STRERRORSIZE];
+	int on = 1;
+
+	REQUIRE(VALID_SOCKET(sock));
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	INSIST(!sock->bound);
+	INSIST(!sock->dupped);
+
+	if (sock->pf != sockaddr->type.sa.sa_family) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAMILYMISMATCH);
+	}
+	/*
+	 * Only set SO_REUSEADDR when we want a specific port.
+	 */
+	if ((options & ISC_SOCKET_REUSEADDRESS) != 0 &&
+	    isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
+	    setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (char *)&on,
+		       sizeof(on)) < 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d) %s", sock->fd,
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"));
+		/* Press on... */
+	}
+	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+		bind_errno = WSAGetLastError();
+		UNLOCK(&sock->lock);
+		switch (bind_errno) {
+		case WSAEACCES:
+			return (ISC_R_NOPERM);
+		case WSAEADDRNOTAVAIL:
+			return (ISC_R_ADDRNOTAVAIL);
+		case WSAEADDRINUSE:
+			return (ISC_R_ADDRINUSE);
+		case WSAEINVAL:
+			return (ISC_R_BOUND);
+		default:
+			isc__strerror(bind_errno, strbuf, sizeof(strbuf));
+			UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+					 strbuf);
+			return (ISC_R_UNEXPECTED);
+		}
+	}
+
+	socket_log(__LINE__, sock, sockaddr, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "bound");
+	sock->bound = 1;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__socket_filter(isc_socket_t *sock, const char *filter) {
+	UNUSED(sock);
+	UNUSED(filter);
+
+	REQUIRE(VALID_SOCKET(sock));
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+/*
+ * Set up to listen on a given socket.  We do this by creating an internal
+ * event that will be dispatched when the socket has read activity.  The
+ * watcher will send the internal event to the task when there is a new
+ * connection.
+ *
+ * Unlike in read, we don't preallocate a done event here.  Every time there
+ * is a new connection we'll have to allocate a new one anyway, so we might
+ * as well keep things simple rather than having to track them.
+ */
+isc_result_t
+isc__socket_listen(isc_socket_t *sock, unsigned int backlog) {
+	char strbuf[ISC_STRERRORSIZE];
+#if defined(ISC_PLATFORM_HAVETFO) && defined(TCP_FASTOPEN)
+	char on = 1;
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	REQUIRE(!sock->listener);
+	REQUIRE(sock->bound);
+	REQUIRE(sock->type == isc_sockettype_tcp);
+
+	if (backlog == 0)
+		backlog = SOMAXCONN;
+
+	if (listen(sock->fd, (int)backlog) < 0) {
+		UNLOCK(&sock->lock);
+		isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
+
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
+
+		return (ISC_R_UNEXPECTED);
+	}
+
+#if defined(ISC_PLATFORM_HAVETFO) && defined(TCP_FASTOPEN)
+	if (setsockopt(sock->fd, IPPROTO_TCP, TCP_FASTOPEN,
+		       &on, sizeof(on)) < 0) {
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "setsockopt(%d, TCP_FASTOPEN) failed with %s",
+				 sock->fd, strbuf);
+		/* TCP_FASTOPEN is experimental so ignore failures */
+	}
+#endif
+
+	socket_log(__LINE__, sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "listening");
+	sock->listener = 1;
+	_set_state(sock, SOCK_LISTEN);
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * This should try to do aggressive accept() XXXMLG
+ */
+isc_result_t
+isc__socket_accept(isc_socket_t *sock,
+		   isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	isc_socket_newconnev_t *adev;
+	isc_socketmgr_t *manager;
+	isc_task_t *ntask = NULL;
+	isc_socket_t *nsock;
+	isc_result_t result;
+	IoCompletionInfo *lpo;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	REQUIRE(sock->listener);
+
+	/*
+	 * Sender field is overloaded here with the task we will be sending
+	 * this event to.  Just before the actual event is delivered the
+	 * actual ev_sender will be touched up to be the socket.
+	 */
+	adev = (isc_socket_newconnev_t *)
+		isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
+				   action, arg, sizeof(*adev));
+	if (adev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	ISC_LINK_INIT(adev, ev_link);
+
+	result = allocate_socket(manager, sock->type, &nsock);
+	if (result != ISC_R_SUCCESS) {
+		isc_event_free((isc_event_t **)&adev);
+		UNLOCK(&sock->lock);
+		return (result);
+	}
+
+	/*
+	 * AcceptEx() requires we pass in a socket.
+	 */
+	nsock->fd = socket(sock->pf, SOCK_STREAM, IPPROTO_TCP);
+	if (nsock->fd == INVALID_SOCKET) {
+		free_socket(&nsock, __LINE__);
+		isc_event_free((isc_event_t **)&adev);
+		UNLOCK(&sock->lock);
+		return (ISC_R_FAILURE); // XXXMLG need real error message
+	}
+
+	/*
+	 * Attach to socket and to task.
+	 */
+	isc_task_attach(task, &ntask);
+	if (isc_task_exiting(ntask)) {
+		free_socket(&nsock, __LINE__);
+		isc_task_detach(&ntask);
+		isc_event_free(ISC_EVENT_PTR(&adev));
+		UNLOCK(&sock->lock);
+		return (ISC_R_SHUTTINGDOWN);
+	}
+	nsock->references++;
+
+	adev->ev_sender = ntask;
+	adev->newsocket = nsock;
+	_set_state(nsock, SOCK_ACCEPT);
+
+	/*
+	 * Queue io completion for an accept().
+	 */
+	lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+					    HEAP_ZERO_MEMORY,
+					    sizeof(IoCompletionInfo));
+	RUNTIME_CHECK(lpo != NULL);
+	lpo->acceptbuffer = (void *)HeapAlloc(hHeapHandle, HEAP_ZERO_MEMORY,
+		(sizeof(SOCKADDR_STORAGE) + 16) * 2);
+	RUNTIME_CHECK(lpo->acceptbuffer != NULL);
+
+	lpo->adev = adev;
+	lpo->request_type = SOCKET_ACCEPT;
+
+	ISCAcceptEx(sock->fd,
+		    nsock->fd,				/* Accepted Socket */
+		    lpo->acceptbuffer,			/* Buffer for initial Recv */
+		    0,					/* Length of Buffer */
+		    sizeof(SOCKADDR_STORAGE) + 16,		/* Local address length + 16 */
+		    sizeof(SOCKADDR_STORAGE) + 16,		/* Remote address lengh + 16 */
+		    (LPDWORD)&lpo->received_bytes,	/* Bytes Recved */
+		    (LPOVERLAPPED)lpo			/* Overlapped structure */
+		    );
+	iocompletionport_update(nsock);
+
+	socket_log(__LINE__, sock, NULL, TRACE,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND,
+		   "accepting for nsock %p fd %d", nsock, nsock->fd);
+
+	/*
+	 * Enqueue the event
+	 */
+	ISC_LIST_ENQUEUE(sock->accept_list, adev, ev_link);
+	sock->pending_accept++;
+	sock->pending_iocp++;
+
+	UNLOCK(&sock->lock);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+		    isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	char strbuf[ISC_STRERRORSIZE];
+	isc_socket_connev_t *cdev;
+	isc_task_t *ntask = NULL;
+	isc_socketmgr_t *manager;
+	IoCompletionInfo *lpo;
+	int bind_errno;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addr != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(action != NULL);
+
+	manager = sock->manager;
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(addr != NULL);
+
+	if (isc_sockaddr_ismulticast(addr))
+		return (ISC_R_MULTICAST);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	/*
+	 * Windows sockets won't connect unless the socket is bound.
+	 */
+	if (!sock->bound) {
+		isc_sockaddr_t any;
+
+		isc_sockaddr_anyofpf(&any, isc_sockaddr_pf(addr));
+		if (bind(sock->fd, &any.type.sa, any.length) < 0) {
+			bind_errno = WSAGetLastError();
+			UNLOCK(&sock->lock);
+			switch (bind_errno) {
+			case WSAEACCES:
+				return (ISC_R_NOPERM);
+			case WSAEADDRNOTAVAIL:
+				return (ISC_R_ADDRNOTAVAIL);
+			case WSAEADDRINUSE:
+				return (ISC_R_ADDRINUSE);
+			case WSAEINVAL:
+				return (ISC_R_BOUND);
+			default:
+				isc__strerror(bind_errno, strbuf,
+					      sizeof(strbuf));
+				UNEXPECTED_ERROR(__FILE__, __LINE__,
+						 "bind: %s", strbuf);
+				return (ISC_R_UNEXPECTED);
+			}
+		}
+		sock->bound = 1;
+	}
+
+	cdev = (isc_socket_connev_t *)isc_event_allocate(manager->mctx, sock,
+							ISC_SOCKEVENT_CONNECT,
+							action,	arg,
+							sizeof(*cdev));
+	if (cdev == NULL) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_NOMEMORY);
+	}
+	ISC_LINK_INIT(cdev, ev_link);
+
+	if (sock->connected) {
+		INSIST(isc_sockaddr_equal(&sock->address, addr));
+		cdev->result = ISC_R_SUCCESS;
+		isc_task_send(task, ISC_EVENT_PTR(&cdev));
+
+		UNLOCK(&sock->lock);
+		return (ISC_R_SUCCESS);
+	}
+
+	if ((sock->type == isc_sockettype_tcp) && !sock->pending_connect) {
+		/*
+		 * Queue io completion for an accept().
+		 */
+		lpo = (IoCompletionInfo *)HeapAlloc(hHeapHandle,
+						    HEAP_ZERO_MEMORY,
+						    sizeof(IoCompletionInfo));
+		lpo->cdev = cdev;
+		lpo->request_type = SOCKET_CONNECT;
+
+		sock->address = *addr;
+		ISCConnectEx(sock->fd, &addr->type.sa, addr->length,
+			NULL, 0, NULL, (LPOVERLAPPED)lpo);
+
+		/*
+		 * Attach to task.
+		 */
+		isc_task_attach(task, &ntask);
+		cdev->ev_sender = ntask;
+
+		sock->pending_connect = 1;
+		_set_state(sock, SOCK_CONNECT);
+
+		/*
+		 * Enqueue the request.
+		 */
+		INSIST(!ISC_LINK_LINKED(cdev, ev_link));
+		ISC_LIST_ENQUEUE(sock->connect_list, cdev, ev_link);
+		sock->pending_iocp++;
+	} else if (sock->type == isc_sockettype_tcp) {
+		INSIST(sock->pending_connect);
+		INSIST(isc_sockaddr_equal(&sock->address, addr));
+		isc_task_attach(task, &ntask);
+		cdev->ev_sender = ntask;
+		INSIST(!ISC_LINK_LINKED(cdev, ev_link));
+		ISC_LIST_ENQUEUE(sock->connect_list, cdev, ev_link);
+	} else {
+		REQUIRE(!sock->pending_connect);
+		WSAConnect(sock->fd, &addr->type.sa, addr->length, NULL, NULL, NULL, NULL);
+		cdev->result = ISC_R_SUCCESS;
+		isc_task_send(task, (isc_event_t **)&cdev);
+	}
+	CONSISTENT(sock);
+	UNLOCK(&sock->lock);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	isc_result_t result;
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	if (sock->connected) {
+		*addressp = sock->address;
+		result = ISC_R_SUCCESS;
+	} else {
+		result = ISC_R_NOTCONNECTED;
+	}
+
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+isc_result_t
+isc__socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+	ISC_SOCKADDR_LEN_T len;
+	isc_result_t result;
+	char strbuf[ISC_STRERRORSIZE];
+
+	REQUIRE(VALID_SOCKET(sock));
+	REQUIRE(addressp != NULL);
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	if (!sock->bound) {
+		result = ISC_R_NOTBOUND;
+		goto out;
+	}
+
+	result = ISC_R_SUCCESS;
+
+	len = sizeof(addressp->type);
+	if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
+		isc__strerror(WSAGetLastError(), strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
+				 strbuf);
+		result = ISC_R_UNEXPECTED;
+		goto out;
+	}
+	addressp->length = (unsigned int)len;
+
+ out:
+	UNLOCK(&sock->lock);
+
+	return (result);
+}
+
+/*
+ * Run through the list of events on this socket, and cancel the ones
+ * queued for task "task" of type "how".  "how" is a bitmask.
+ */
+void
+isc__socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	/*
+	 * Quick exit if there is nothing to do.  Don't even bother locking
+	 * in this case.
+	 */
+	if (how == 0)
+		return;
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return;
+	}
+
+	/*
+	 * All of these do the same thing, more or less.
+	 * Each will:
+	 *	o If the internal event is marked as "posted" try to
+	 *	  remove it from the task's queue.  If this fails, mark it
+	 *	  as canceled instead, and let the task clean it up later.
+	 *	o For each I/O request for that task of that type, post
+	 *	  its done event with status of "ISC_R_CANCELED".
+	 *	o Reset any state needed.
+	 */
+
+	if ((how & ISC_SOCKCANCEL_RECV) == ISC_SOCKCANCEL_RECV) {
+		isc_socketevent_t      *dev;
+		isc_socketevent_t      *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->recv_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_recvdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_RECV;
+
+	if ((how & ISC_SOCKCANCEL_SEND) == ISC_SOCKCANCEL_SEND) {
+		isc_socketevent_t      *dev;
+		isc_socketevent_t      *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->send_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_senddone_event(sock, &dev);
+			}
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_SEND;
+
+	if (((how & ISC_SOCKCANCEL_ACCEPT) == ISC_SOCKCANCEL_ACCEPT)
+	    && !ISC_LIST_EMPTY(sock->accept_list)) {
+		isc_socket_newconnev_t *dev;
+		isc_socket_newconnev_t *next;
+		isc_task_t	       *current_task;
+
+		dev = ISC_LIST_HEAD(sock->accept_list);
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+
+			if ((task == NULL) || (task == current_task)) {
+
+				dev->newsocket->references--;
+				closesocket(dev->newsocket->fd);
+				dev->newsocket->fd = INVALID_SOCKET;
+				free_socket(&dev->newsocket, __LINE__);
+
+				dev->result = ISC_R_CANCELED;
+				send_acceptdone_event(sock, &dev);
+			}
+
+			dev = next;
+		}
+	}
+	how &= ~ISC_SOCKCANCEL_ACCEPT;
+
+	if (((how & ISC_SOCKCANCEL_CONNECT) == ISC_SOCKCANCEL_CONNECT)
+	    && !ISC_LIST_EMPTY(sock->connect_list)) {
+		isc_socket_connev_t    *dev;
+		isc_socket_connev_t    *next;
+		isc_task_t	       *current_task;
+
+		INSIST(sock->pending_connect);
+
+		dev = ISC_LIST_HEAD(sock->connect_list);
+
+		while (dev != NULL) {
+			current_task = dev->ev_sender;
+			next = ISC_LIST_NEXT(dev, ev_link);
+			if ((task == NULL) || (task == current_task)) {
+				dev->result = ISC_R_CANCELED;
+				send_connectdone_event(sock, &dev);
+			}
+			dev = next;
+		}
+		closesocket(sock->fd);
+		sock->fd = INVALID_SOCKET;
+		_set_state(sock, SOCK_CLOSED);
+	}
+	how &= ~ISC_SOCKCANCEL_CONNECT;
+
+	maybe_free_socket(&sock, __LINE__);
+}
+
+isc_sockettype_t
+isc__socket_gettype(isc_socket_t *sock) {
+	isc_sockettype_t type;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (ISC_R_CONNREFUSED);
+	}
+
+	type = sock->type;
+	UNLOCK(&sock->lock);
+	return (type);
+}
+
+bool
+isc__socket_isbound(isc_socket_t *sock) {
+	bool val;
+
+	REQUIRE(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	CONSISTENT(sock);
+
+	/*
+	 * make sure that the socket's not closed
+	 */
+	if (sock->fd == INVALID_SOCKET) {
+		UNLOCK(&sock->lock);
+		return (false);
+	}
+
+	val = ((sock->bound) ? true : false);
+	UNLOCK(&sock->lock);
+
+	return (val);
+}
+
+void
+isc__socket_ipv6only(isc_socket_t *sock, bool yes) {
+#if defined(IPV6_V6ONLY)
+	int onoff = yes ? 1 : 0;
+#else
+	UNUSED(yes);
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IPV6_V6ONLY
+	if (sock->pf == AF_INET6) {
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+				 (char *)&onoff, sizeof(onoff));
+	}
+#endif
+}
+
+void
+isc__socket_dscp(isc_socket_t *sock, isc_dscp_t dscp) {
+#if !defined(IP_TOS) && !defined(IPV6_TCLASS)
+	UNUSED(dscp);
+#else
+	if (dscp < 0)
+		return;
+
+	dscp <<= 2;
+	dscp &= 0xff;
+#endif
+
+	REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IP_TOS
+	if (sock->pf == AF_INET) {
+		(void)setsockopt(sock->fd, IPPROTO_IP, IP_TOS,
+				 (char *)&dscp, sizeof(dscp));
+	}
+#endif
+#ifdef IPV6_TCLASS
+	if (sock->pf == AF_INET6) {
+		(void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_TCLASS,
+				 (char *)&dscp, sizeof(dscp));
+	}
+#endif
+}
+
+void
+isc__socket_cleanunix(isc_sockaddr_t *addr, bool active) {
+	UNUSED(addr);
+	UNUSED(active);
+}
+
+isc_result_t
+isc__socket_permunix(isc_sockaddr_t *addr, uint32_t perm,
+		     uint32_t owner, uint32_t group)
+{
+	UNUSED(addr);
+	UNUSED(perm);
+	UNUSED(owner);
+	UNUSED(group);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+isc__socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+
+	/*
+	 * Name 'socket'.
+	 */
+
+	REQUIRE(VALID_SOCKET(socket));
+
+	LOCK(&socket->lock);
+	strlcpy(socket->name, name, sizeof(socket->name));
+	socket->tag = tag;
+	UNLOCK(&socket->lock);
+}
+
+const char *
+isc__socket_getname(isc_socket_t *socket) {
+	return (socket->name);
+}
+
+void *
+isc__socket_gettag(isc_socket_t *socket) {
+	return (socket->tag);
+}
+
+int
+isc__socket_getfd(isc_socket_t *socket) {
+	return ((short) socket->fd);
+}
+
+void
+isc__socketmgr_setreserved(isc_socketmgr_t *manager, uint32_t reserved) {
+	UNUSED(manager);
+	UNUSED(reserved);
+}
+
+void
+isc___socketmgr_maxudp(isc_socketmgr_t *manager, int maxudp) {
+
+	UNUSED(manager);
+	UNUSED(maxudp);
+}
+
+isc_socketevent_t *
+isc_socket_socketevent(isc_mem_t *mctx, void *sender,
+		       isc_eventtype_t eventtype, isc_taskaction_t action,
+		       void *arg)
+{
+	return (allocate_socketevent(mctx, sender, eventtype, action, arg));
+}
+
+#ifdef HAVE_LIBXML2
+
+static const char *
+_socktype(isc_sockettype_t type) {
+	if (type == isc_sockettype_udp)
+		return ("udp");
+	else if (type == isc_sockettype_tcp)
+		return ("tcp");
+	else if (type == isc_sockettype_unix)
+		return ("unix");
+	else if (type == isc_sockettype_fdwatch)
+		return ("fdwatch");
+	else
+		return ("not-initialized");
+}
+
+#define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
+int
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer)
+{
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	ISC_SOCKADDR_LEN_T len;
+	int xmlrc;
+
+	LOCK(&mgr->lock);
+
+#ifndef ISC_PLATFORM_USETHREADS
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "references"));
+	TRY0(xmlTextWriterWriteFormatString(writer, "%d", mgr->refs));
+	TRY0(xmlTextWriterEndElement(writer));
+#endif
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets"));
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		LOCK(&sock->lock);
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket"));
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "id"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%p", sock));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		if (sock->name[0] != 0) {
+			TRY0(xmlTextWriterStartElement(writer,
+						       ISC_XMLCHAR "name"));
+			TRY0(xmlTextWriterWriteFormatString(writer, "%s",
+							    sock->name));
+			TRY0(xmlTextWriterEndElement(writer)); /* name */
+		}
+
+		TRY0(xmlTextWriterStartElement(writer,
+					       ISC_XMLCHAR "references"));
+		TRY0(xmlTextWriterWriteFormatString(writer, "%d",
+						    sock->references));
+		TRY0(xmlTextWriterEndElement(writer));
+
+		TRY0(xmlTextWriterWriteElement(writer, ISC_XMLCHAR "type",
+					  ISC_XMLCHAR _socktype(sock->type)));
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->address, peerbuf,
+					    sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "peer-address",
+						  ISC_XMLCHAR peerbuf));
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "local-address",
+						  ISC_XMLCHAR peerbuf));
+		}
+
+		TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "states"));
+		if (sock->pending_recv)
+			TRY0(xmlTextWriterWriteElement(writer,
+						ISC_XMLCHAR "state",
+						ISC_XMLCHAR "pending-receive"));
+		if (sock->pending_send)
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "pending-send"));
+		if (sock->pending_accept)
+			TRY0(xmlTextWriterWriteElement(writer,
+						 ISC_XMLCHAR "state",
+						 ISC_XMLCHAR "pending_accept"));
+		if (sock->listener)
+			TRY0(xmlTextWriterWriteElement(writer,
+						       ISC_XMLCHAR "state",
+						       ISC_XMLCHAR "listener"));
+		if (sock->connected)
+			TRY0(xmlTextWriterWriteElement(writer,
+						     ISC_XMLCHAR "state",
+						     ISC_XMLCHAR "connected"));
+		if (sock->pending_connect)
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "connecting"));
+		if (sock->bound)
+			TRY0(xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "bound"));
+
+		TRY0(xmlTextWriterEndElement(writer)); /* states */
+
+		TRY0(xmlTextWriterEndElement(writer)); /* socket */
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* sockets */
+
+error:
+	if (sock != NULL)
+		UNLOCK(&sock->lock);
+
+	UNLOCK(&mgr->lock);
+
+	return (xmlrc);
+}
+#endif /* HAVE_LIBXML2 */
+
+#ifdef HAVE_JSON
+#define CHECKMEM(m) do { \
+	if (m == NULL) { \
+		result = ISC_R_NOMEMORY;\
+		goto error;\
+	} \
+} while(0)
+
+isc_result_t
+isc_socketmgr_renderjson(isc_socketmgr_t *mgr, json_object *stats) {
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_socket_t *sock = NULL;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	ISC_SOCKADDR_LEN_T len;
+	json_object *obj, *array = json_object_new_array();
+
+	CHECKMEM(array);
+
+	LOCK(&mgr->lock);
+
+#ifdef USE_SHARED_MANAGER
+	obj = json_object_new_int(mgr->refs);
+	CHECKMEM(obj);
+	json_object_object_add(stats, "references", obj);
+#endif	/* USE_SHARED_MANAGER */
+
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		json_object *states, *entry = json_object_new_object();
+		char buf[255];
+
+		CHECKMEM(entry);
+		json_object_array_add(array, entry);
+
+		LOCK(&sock->lock);
+
+		snprintf(buf, sizeof(buf), "%p", sock);
+		obj = json_object_new_string(buf);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "id", obj);
+
+		if (sock->name[0] != 0) {
+			obj = json_object_new_string(sock->name);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "name", obj);
+		}
+
+		obj = json_object_new_int(sock->references);
+		CHECKMEM(obj);
+		json_object_object_add(entry, "references", obj);
+
+		obj = json_object_new_string(_socktype(sock->type));
+		CHECKMEM(obj);
+		json_object_object_add(entry, "type", obj);
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->address, peerbuf,
+					    sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "peer-address", obj);
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			obj = json_object_new_string(peerbuf);
+			CHECKMEM(obj);
+			json_object_object_add(entry, "local-address", obj);
+		}
+
+		states = json_object_new_array();
+		CHECKMEM(states);
+		json_object_object_add(entry, "states", states);
+
+		if (sock->pending_recv) {
+			obj = json_object_new_string("pending-receive");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_send) {
+			obj = json_object_new_string("pending-send");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_accept) {
+			obj = json_object_new_string("pending-accept");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->listener) {
+			obj = json_object_new_string("listener");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->connected) {
+			obj = json_object_new_string("connected");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->pending_connect) {
+			obj = json_object_new_string("connecting");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		if (sock->bound) {
+			obj = json_object_new_string("bound");
+			CHECKMEM(obj);
+			json_object_array_add(states, obj);
+		}
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+
+	json_object_object_add(stats, "sockets", array);
+	array = NULL;
+	result = ISC_R_SUCCESS;
+
+ error:
+	if (array != NULL)
+		json_object_put(array);
+
+	if (sock != NULL)
+		UNLOCK(&sock->lock);
+
+	UNLOCK(&mgr->lock);
+
+	return (result);
+}
+#endif /* HAVE_JSON */
+
+/*
+ * Replace ../socket_api.c
+ */
+
+isc_result_t
+isc__socket_register(void) {
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socketmgr_createinctx(isc_mem_t *mctx, isc_appctx_t *actx,
+			  isc_socketmgr_t **managerp)
+{
+	isc_result_t result;
+
+	result = isc_socketmgr_create(mctx, managerp);
+
+	if (result == ISC_R_SUCCESS)
+		isc_appctx_setsocketmgr(actx, *managerp);
+
+	return (result);
+}
diff --git a/lib/isc/win32/stdio.c b/lib/isc/win32/stdio.c
new file mode 100644
index 0000000..a4c8134
--- /dev/null
+++ b/lib/isc/win32/stdio.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <io.h>
+#include <errno.h>
+
+#include <isc/stdio.h>
+#include <isc/util.h>
+
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+	FILE *f;
+
+	f = fopen(filename, mode);
+	if (f == NULL)
+		return (isc__errno2result(errno));
+	*fp = f;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+	int r;
+
+	r = fclose(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, off_t offset, int whence) {
+	int r;
+
+#ifndef _WIN64
+	r = fseek(f, offset, whence);
+#else
+	r = _fseeki64(f, offset, whence);
+#endif
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_tell(FILE *f, off_t *offsetp) {
+#ifndef _WIN64
+	long r;
+#else
+	__int64 r;
+#endif
+
+	REQUIRE(offsetp != NULL);
+
+#ifndef _WIN64
+	r = ftell(f);
+#else
+	r = _ftelli64(f);
+#endif
+	if (r >= 0) {
+		*offsetp = r;
+		return (ISC_R_SUCCESS);
+	} else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fread(ptr, size, nmemb, f);
+	if (r != nmemb) {
+		if (feof(f))
+			result = ISC_R_EOF;
+		else
+			result = isc__errno2result(errno);
+	}
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+	       size_t *nret)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	size_t r;
+
+	clearerr(f);
+	r = fwrite(ptr, size, nmemb, f);
+	if (r != nmemb)
+		result = isc__errno2result(errno);
+	if (nret != NULL)
+		*nret = r;
+	return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+	int r;
+
+	r = fflush(f);
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+	struct _stat buf;
+	int r;
+
+	if (_fstat(_fileno(f), &buf) != 0)
+		return (isc__errno2result(errno));
+
+	/*
+	 * Only call _commit() on regular files.
+	 */
+	if ((buf.st_mode & S_IFMT) != S_IFREG)
+		return (ISC_R_SUCCESS);
+
+	r = _commit(_fileno(f));
+	if (r == 0)
+		return (ISC_R_SUCCESS);
+	else
+		return (isc__errno2result(errno));
+}
+
diff --git a/lib/isc/win32/stdtime.c b/lib/isc/win32/stdtime.c
new file mode 100644
index 0000000..bff6fd1
--- /dev/null
+++ b/lib/isc/win32/stdtime.c
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <time.h>
+
+#include <isc/assertions.h>
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+void
+isc_stdtime_get(isc_stdtime_t *t) {
+	/*
+	 * Set 't' to the number of seconds past 00:00:00 UTC, January 1, 1970.
+	 */
+
+	REQUIRE(t != NULL);
+
+	(void)_time32(t);
+}
diff --git a/lib/isc/win32/strerror.c b/lib/isc/win32/strerror.c
new file mode 100644
index 0000000..36c9b79
--- /dev/null
+++ b/lib/isc/win32/strerror.c
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <winsock2.h>
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+/*
+ * Forward declarations
+ */
+
+char *
+FormatError(int error);
+
+char *
+GetWSAErrorMessage(int errval);
+
+char *
+NTstrerror(int err, BOOL *bfreebuf);
+
+/*
+ * We need to do this this way for profiled locks.
+ */
+
+static isc_mutex_t isc_strerror_lock;
+static void init_lock(void) {
+	RUNTIME_CHECK(isc_mutex_init(&isc_strerror_lock) == ISC_R_SUCCESS);
+}
+
+/*
+ * This routine needs to free up any buffer allocated by FormatMessage
+ * if that routine gets used.
+ */
+
+void
+isc__strerror(int num, char *buf, size_t size) {
+	char *msg;
+	BOOL freebuf;
+	unsigned int unum = num;
+	static isc_once_t once = ISC_ONCE_INIT;
+
+	REQUIRE(buf != NULL);
+
+	RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
+
+	LOCK(&isc_strerror_lock);
+	freebuf = FALSE;
+	msg = NTstrerror(num, &freebuf);
+	if (msg != NULL)
+		snprintf(buf, size, "%s", msg);
+	else
+		snprintf(buf, size, "Unknown error: %u", unum);
+	if(freebuf && msg != NULL) {
+		LocalFree(msg);
+	}
+	UNLOCK(&isc_strerror_lock);
+}
+
+/*
+ * Note this will cause a memory leak unless the memory allocated here
+ * is freed by calling LocalFree.  isc__strerror does this before unlocking.
+ * This only gets called if there is a system type of error and will likely
+ * be an unusual event.
+ */
+char *
+FormatError(int error) {
+	LPVOID lpMsgBuf = NULL;
+	FormatMessage(
+		FORMAT_MESSAGE_ALLOCATE_BUFFER |
+		FORMAT_MESSAGE_FROM_SYSTEM |
+		FORMAT_MESSAGE_IGNORE_INSERTS,
+		NULL,
+		error,
+		/* Default language */
+		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+		(LPTSTR) &lpMsgBuf,
+		0,
+		NULL);
+
+	return (lpMsgBuf);
+}
+
+/*
+ * This routine checks the error value and calls the WSA Windows Sockets
+ * Error message function GetWSAErrorMessage below if it's within that range
+ * since those messages are not available in the system error messages.
+ */
+char *
+NTstrerror(int err, BOOL *bfreebuf) {
+	char *retmsg = NULL;
+
+	/* Copy the error value first in case of other errors */
+	DWORD errval = err;
+
+	*bfreebuf = FALSE;
+
+	/* Get the Winsock2 error messages */
+	if (errval >= WSABASEERR && errval <= (WSABASEERR + 1015)) {
+		retmsg = GetWSAErrorMessage(errval);
+		if (retmsg != NULL)
+			return (retmsg);
+	}
+	/*
+	 * If it's not one of the standard Unix error codes,
+	 * try a system error message
+	 */
+	if (errval > (DWORD) _sys_nerr) {
+		*bfreebuf = TRUE;
+		return (FormatError(errval));
+	} else {
+		return (strerror(errval));
+	}
+}
+
+/*
+ * This is a replacement for perror
+ */
+void __cdecl
+NTperror(char *errmsg) {
+	/* Copy the error value first in case of other errors */
+	int errval = errno;
+	BOOL bfreebuf = FALSE;
+	char *msg;
+
+	msg = NTstrerror(errval, &bfreebuf);
+	fprintf(stderr, "%s: %s\n", errmsg, msg);
+	if(bfreebuf == TRUE) {
+		LocalFree(msg);
+	}
+
+}
+
+/*
+ * Return the error string related to Winsock2 errors.
+ * This function is necessary since FormatMessage knows nothing about them
+ * and there is no function to get them.
+ */
+char *
+GetWSAErrorMessage(int errval) {
+	char *msg;
+
+	switch (errval) {
+
+	case WSAEINTR:
+		msg = "Interrupted system call";
+		break;
+
+	case WSAEBADF:
+		msg = "Bad file number";
+		break;
+
+	case WSAEACCES:
+		msg = "Permission denied";
+		break;
+
+	case WSAEFAULT:
+		msg = "Bad address";
+		break;
+
+	case WSAEINVAL:
+		msg = "Invalid argument";
+		break;
+
+	case WSAEMFILE:
+		msg = "Too many open sockets";
+		break;
+
+	case WSAEWOULDBLOCK:
+		msg = "Operation would block";
+		break;
+
+	case WSAEINPROGRESS:
+		msg = "Operation now in progress";
+		break;
+
+	case WSAEALREADY:
+		msg = "Operation already in progress";
+		break;
+
+	case WSAENOTSOCK:
+		msg = "Socket operation on non-socket";
+		break;
+
+	case WSAEDESTADDRREQ:
+		msg = "Destination address required";
+		break;
+
+	case WSAEMSGSIZE:
+		msg = "Message too long";
+		break;
+
+	case WSAEPROTOTYPE:
+		msg = "Protocol wrong type for socket";
+		break;
+
+	case WSAENOPROTOOPT:
+		msg = "Bad protocol option";
+		break;
+
+	case WSAEPROTONOSUPPORT:
+		msg = "Protocol not supported";
+		break;
+
+	case WSAESOCKTNOSUPPORT:
+		msg = "Socket type not supported";
+		break;
+
+	case WSAEOPNOTSUPP:
+		msg = "Operation not supported on socket";
+		break;
+
+	case WSAEPFNOSUPPORT:
+		msg = "Protocol family not supported";
+		break;
+
+	case WSAEAFNOSUPPORT:
+		msg = "Address family not supported";
+		break;
+
+	case WSAEADDRINUSE:
+		msg = "Address already in use";
+		break;
+
+	case WSAEADDRNOTAVAIL:
+		msg = "Can't assign requested address";
+		break;
+
+	case WSAENETDOWN:
+		msg = "Network is down";
+		break;
+
+	case WSAENETUNREACH:
+		msg = "Network is unreachable";
+		break;
+
+	case WSAENETRESET:
+		msg = "Net connection reset";
+		break;
+
+	case WSAECONNABORTED:
+		msg = "Software caused connection abort";
+		break;
+
+	case WSAECONNRESET:
+		msg = "Connection reset by peer";
+		break;
+
+	case WSAENOBUFS:
+		msg = "No buffer space available";
+		break;
+
+	case WSAEISCONN:
+		msg = "Socket is already connected";
+		break;
+
+	case WSAENOTCONN:
+		msg = "Socket is not connected";
+		break;
+
+	case WSAESHUTDOWN:
+		msg = "Can't send after socket shutdown";
+		break;
+
+	case WSAETOOMANYREFS:
+		msg = "Too many references: can't splice";
+		break;
+
+	case WSAETIMEDOUT:
+		msg = "Connection timed out";
+		break;
+
+	case WSAECONNREFUSED:
+		msg = "Connection refused";
+		break;
+
+	case WSAELOOP:
+		msg = "Too many levels of symbolic links";
+		break;
+
+	case WSAENAMETOOLONG:
+		msg = "File name too long";
+		break;
+
+	case WSAEHOSTDOWN:
+		msg = "Host is down";
+		break;
+
+	case WSAEHOSTUNREACH:
+		msg = "No route to host";
+		break;
+
+	case WSAENOTEMPTY:
+		msg = "Directory not empty";
+		break;
+
+	case WSAEPROCLIM:
+		msg = "Too many processes";
+		break;
+
+	case WSAEUSERS:
+		msg = "Too many users";
+		break;
+
+	case WSAEDQUOT:
+		msg = "Disc quota exceeded";
+		break;
+
+	case WSAESTALE:
+		msg = "Stale NFS file handle";
+		break;
+
+	case WSAEREMOTE:
+		msg = "Too many levels of remote in path";
+		break;
+
+	case WSASYSNOTREADY:
+		msg = "Network system is unavailable";
+		break;
+
+	case WSAVERNOTSUPPORTED:
+		msg = "Winsock version out of range";
+		break;
+
+	case WSANOTINITIALISED:
+		msg = "WSAStartup not yet called";
+		break;
+
+	case WSAEDISCON:
+		msg = "Graceful shutdown in progress";
+		break;
+/*
+	case WSAHOST_NOT_FOUND:
+		msg = "Host not found";
+		break;
+
+	case WSANO_DATA:
+		msg = "No host data of that type was found";
+		break;
+*/
+	default:
+		msg = NULL;
+		break;
+	}
+	return (msg);
+}
+
+/*
+ * These error messages are more informative about CryptAPI Errors than the
+ * standard error messages
+ */
+
+char *
+GetCryptErrorMessage(int errval) {
+	char *msg;
+
+	switch (errval) {
+
+	case NTE_BAD_FLAGS:
+		msg = "The dwFlags parameter has an illegal value.";
+		break;
+	case NTE_BAD_KEYSET:
+		msg = "The Registry entry for the key container "
+			"could not be opened and may not exist.";
+		break;
+	case NTE_BAD_KEYSET_PARAM:
+		msg = "The pszContainer or pszProvider parameter "
+			"is set to an illegal value.";
+		break;
+	case NTE_BAD_PROV_TYPE:
+		msg = "The value of the dwProvType parameter is out "
+			"of range. All provider types must be from "
+			"1 to 999, inclusive.";
+		break;
+	case NTE_BAD_SIGNATURE:
+		msg = "The provider DLL signature did not verify "
+			"correctly. Either the DLL or the digital "
+			"signature has been tampered with.";
+		break;
+	case NTE_EXISTS:
+		msg = "The dwFlags parameter is CRYPT_NEWKEYSET, but the key"
+		      " container already exists.";
+		break;
+	case NTE_KEYSET_ENTRY_BAD:
+		msg = "The Registry entry for the pszContainer key container "
+		      "was found (in the HKEY_CURRENT_USER window), but is "
+		      "corrupt. See the section System Administration for "
+		      " etails about CryptoAPI's Registry usage.";
+		break;
+	case NTE_KEYSET_NOT_DEF:
+		msg = "No Registry entry exists in the HKEY_CURRENT_USER "
+			"window for the key container specified by "
+			"pszContainer.";
+		break;
+	case NTE_NO_MEMORY:
+		msg = "The CSP ran out of memory during the operation.";
+		break;
+	case NTE_PROV_DLL_NOT_FOUND:
+		msg = "The provider DLL file does not exist or is not on the "
+		      "current path.";
+		break;
+	case NTE_PROV_TYPE_ENTRY_BAD:
+		msg = "The Registry entry for the provider type specified by "
+		      "dwProvType is corrupt. This error may relate to "
+		      "either the user default CSP list or the machine "
+		      "default CSP list. See the section System "
+		      "Administration for details about CryptoAPI's "
+		      "Registry usage.";
+		break;
+	case NTE_PROV_TYPE_NO_MATCH:
+		msg = "The provider type specified by dwProvType does not "
+		      "match the provider type found in the Registry. Note "
+		      "that this error can only occur when pszProvider "
+		      "specifies an actual CSP name.";
+		break;
+	case NTE_PROV_TYPE_NOT_DEF:
+		msg = "No Registry entry exists for the provider type "
+		      "specified by dwProvType.";
+		break;
+	case NTE_PROVIDER_DLL_FAIL:
+		msg = "The provider DLL file could not be loaded, and "
+		      "may not exist. If it exists, then the file is "
+		      "not a valid DLL.";
+		break;
+	case NTE_SIGNATURE_FILE_BAD:
+		msg = "An error occurred while loading the DLL file image, "
+		      "prior to verifying its signature.";
+		break;
+
+	default:
+		msg = NULL;
+		break;
+	}
+	return msg;
+}
+
diff --git a/lib/isc/win32/syslog.c b/lib/isc/win32/syslog.c
new file mode 100644
index 0000000..071e187
--- /dev/null
+++ b/lib/isc/win32/syslog.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <stdio.h>
+#include <windows.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <isc/bindevt.h>
+#include <isc/result.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+static HANDLE hAppLog = NULL;
+static FILE *log_stream;
+static int debug_level = 0;
+
+static struct dsn_c_pvt_sfnt {
+	int val;
+	const char *strval;
+} facilities[] = {
+	{ LOG_KERN,		"kern" },
+	{ LOG_USER,		"user" },
+	{ LOG_MAIL,		"mail" },
+	{ LOG_DAEMON,		"daemon" },
+	{ LOG_AUTH,		"auth" },
+	{ LOG_SYSLOG,		"syslog" },
+	{ LOG_LPR,		"lpr" },
+#ifdef LOG_NEWS
+	{ LOG_NEWS,		"news" },
+#endif
+#ifdef LOG_UUCP
+	{ LOG_UUCP,		"uucp" },
+#endif
+#ifdef LOG_CRON
+	{ LOG_CRON,		"cron" },
+#endif
+#ifdef LOG_AUTHPRIV
+	{ LOG_AUTHPRIV,		"authpriv" },
+#endif
+#ifdef LOG_FTP
+	{ LOG_FTP,		"ftp" },
+#endif
+	{ LOG_LOCAL0,		"local0"},
+	{ LOG_LOCAL1,		"local1"},
+	{ LOG_LOCAL2,		"local2"},
+	{ LOG_LOCAL3,		"local3"},
+	{ LOG_LOCAL4,		"local4"},
+	{ LOG_LOCAL5,		"local5"},
+	{ LOG_LOCAL6,		"local6"},
+	{ LOG_LOCAL7,		"local7"},
+	{ 0,			NULL }
+};
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp) {
+	int i;
+
+	REQUIRE(str != NULL);
+	REQUIRE(facilityp != NULL);
+
+	for (i = 0; facilities[i].strval != NULL; i++) {
+		if (strcasecmp(facilities[i].strval, str) == 0) {
+			*facilityp = facilities[i].val;
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Log to the NT Event Log
+ */
+void
+syslog(int level, const char *fmt, ...) {
+	va_list ap;
+	char buf[1024];
+	char *str[1];
+
+	str[0] = buf;
+
+	va_start(ap, fmt);
+	vsprintf(buf, fmt, ap);
+	va_end(ap);
+
+	/* Make sure that the channel is open to write the event */
+	if (hAppLog != NULL) {
+		switch (level) {
+		case LOG_INFO:
+		case LOG_NOTICE:
+		case LOG_DEBUG:
+			ReportEvent(hAppLog, EVENTLOG_INFORMATION_TYPE, 0,
+				    BIND_INFO_MSG, NULL, 1, 0, str, NULL);
+			break;
+		case LOG_WARNING:
+			ReportEvent(hAppLog, EVENTLOG_WARNING_TYPE, 0,
+				    BIND_WARN_MSG, NULL, 1, 0, str, NULL);
+			break;
+		default:
+			ReportEvent(hAppLog, EVENTLOG_ERROR_TYPE, 0,
+				    BIND_ERR_MSG, NULL, 1, 0, str, NULL);
+			break;
+		}
+	}
+}
+
+/*
+ * Initialize event logging
+ */
+void
+openlog(const char *name, int flags, ...) {
+	/* Get a handle to the Application event log */
+	hAppLog = RegisterEventSource(NULL, name);
+}
+
+/*
+ * Close the Handle to the application Event Log
+ * We don't care whether or not we succeeded so ignore return values
+ * In fact if we failed then we would have nowhere to put the message
+ */
+void
+closelog(void) {
+	DeregisterEventSource(hAppLog);
+}
+
+/*
+ * Keep event logging synced with the current debug level
+ */
+void
+ModifyLogLevel(int level) {
+	debug_level = level;
+}
+
+/*
+ * Initialize logging for the port section of libbind.
+ * Piggyback onto stream given.
+ */
+void
+InitNTLogging(FILE *stream, int debug) {
+	log_stream = stream;
+	ModifyLogLevel(debug);
+}
+/*
+ * This function is for reporting errors to the application
+ * event log in case the regular syslog is not available
+ * mainly during startup. It should not be used under normal
+ * circumstances.
+ */
+void
+NTReportError(const char *name, const char *str) {
+	HANDLE hNTAppLog = NULL;
+	const char *buf[1];
+
+	buf[0] = str;
+
+	hNTAppLog = RegisterEventSource(NULL, name);
+
+	ReportEvent(hNTAppLog, EVENTLOG_ERROR_TYPE, 0,
+		    BIND_ERR_MSG, NULL, 1, 0, buf, NULL);
+
+	DeregisterEventSource(hNTAppLog);
+}
diff --git a/lib/isc/win32/syslog.h b/lib/isc/win32/syslog.h
new file mode 100644
index 0000000..0197165
--- /dev/null
+++ b/lib/isc/win32/syslog.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef _SYSLOG_H
+#define _SYSLOG_H
+
+#include <stdio.h>
+
+/* Constant definitions for openlog() */
+#define LOG_PID		1
+#define LOG_CONS	2
+/* NT event log does not support facility level */
+#define LOG_KERN	0
+#define LOG_USER	0
+#define LOG_MAIL	0
+#define LOG_DAEMON	0
+#define LOG_AUTH	0
+#define LOG_SYSLOG	0
+#define LOG_LPR		0
+#define LOG_LOCAL0	0
+#define LOG_LOCAL1	0
+#define LOG_LOCAL2	0
+#define LOG_LOCAL3	0
+#define LOG_LOCAL4	0
+#define LOG_LOCAL5	0
+#define LOG_LOCAL6	0
+#define LOG_LOCAL7	0
+
+#define LOG_EMERG       0       /* system is unusable */
+#define LOG_ALERT       1       /* action must be taken immediately */
+#define LOG_CRIT        2       /* critical conditions */
+#define LOG_ERR         3       /* error conditions */
+#define LOG_WARNING     4       /* warning conditions */
+#define LOG_NOTICE      5       /* normal but signification condition */
+#define LOG_INFO        6       /* informational */
+#define LOG_DEBUG       7       /* debug-level messages */
+
+void
+syslog(int level, const char *fmt, ...);
+
+void
+openlog(const char *, int, ...);
+
+void
+closelog(void);
+
+void
+ModifyLogLevel(int level);
+
+void
+InitNTLogging(FILE *, int);
+
+void
+NTReportError(const char *, const char *);
+/*
+ * Include the event codes required for logging.
+ */
+#include <isc/bindevt.h>
+
+#endif
diff --git a/lib/isc/win32/thread.c b/lib/isc/win32/thread.c
new file mode 100644
index 0000000..ebc2f29
--- /dev/null
+++ b/lib/isc/win32/thread.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <process.h>
+
+#include <isc/thread.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t start, isc_threadarg_t arg,
+		  isc_thread_t *threadp)
+{
+	isc_thread_t thread;
+	unsigned int id;
+
+	thread = (isc_thread_t)_beginthreadex(NULL, 0, start, arg, 0, &id);
+	if (thread == NULL) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+
+	*threadp = thread;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_thread_join(isc_thread_t thread, isc_threadresult_t *rp) {
+	DWORD result;
+
+	result = WaitForSingleObject(thread, INFINITE);
+	if (result != WAIT_OBJECT_0) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	if (rp != NULL && !GetExitCodeThread(thread, rp)) {
+		/* XXX */
+		return (ISC_R_UNEXPECTED);
+	}
+	(void)CloseHandle(thread);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+	/*
+	 * This is unnecessary on Win32 systems, but is here so that the
+	 * call exists
+	 */
+}
+
+void
+isc_thread_setname(isc_thread_t thread, const char *name) {
+	UNUSED(thread);
+	UNUSED(name);
+}
+
+void *
+isc_thread_key_getspecific(isc_thread_key_t key) {
+	return(TlsGetValue(key));
+}
+
+int
+isc_thread_key_setspecific(isc_thread_key_t key, void *value) {
+	return (TlsSetValue(key, value) ? 0 : GetLastError());
+}
+
+int
+isc_thread_key_create(isc_thread_key_t *key, void (*func)(void *)) {
+	*key = TlsAlloc();
+
+	return ((*key != -1) ? 0 : GetLastError());
+}
+
+int
+isc_thread_key_delete(isc_thread_key_t key) {
+	return (TlsFree(key) ? 0 : GetLastError());
+}
diff --git a/lib/isc/win32/time.c b/lib/isc/win32/time.c
new file mode 100644
index 0000000..a1c8a84
--- /dev/null
+++ b/lib/isc/win32/time.c
@@ -0,0 +1,388 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <windows.h>
+
+#include <isc/assertions.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/tm.h>
+#include <isc/util.h>
+
+/*
+ * struct FILETIME uses "100-nanoseconds intervals".
+ * NS / S = 1000000000 (10^9).
+ * While it is reasonably obvious that this makes the needed
+ * conversion factor 10^7, it is coded this way for additional clarity.
+ */
+#define NS_PER_S 	1000000000
+#define NS_INTERVAL	100
+#define INTERVALS_PER_S (NS_PER_S / NS_INTERVAL)
+
+/***
+ *** Absolute Times
+ ***/
+
+static const isc_time_t epoch = { { 0, 0 } };
+LIBISC_EXTERNAL_DATA const isc_time_t * const isc_time_epoch = &epoch;
+
+/***
+ *** Intervals
+ ***/
+
+static const isc_interval_t zero_interval = { 0 };
+LIBISC_EXTERNAL_DATA const isc_interval_t * const isc_interval_zero = &zero_interval;
+
+void
+isc_interval_set(isc_interval_t *i, unsigned int seconds,
+		 unsigned int nanoseconds)
+{
+	REQUIRE(i != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	/*
+	 * This rounds nanoseconds up not down.
+	 */
+	i->interval = (LONGLONG)seconds * INTERVALS_PER_S
+		+ (nanoseconds + NS_INTERVAL - 1) / NS_INTERVAL;
+}
+
+bool
+isc_interval_iszero(const isc_interval_t *i) {
+	REQUIRE(i != NULL);
+	if (i->interval == 0)
+		return (true);
+
+	return (false);
+}
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+	SYSTEMTIME epoch1970 = { 1970, 1, 4, 1, 0, 0, 0, 0 };
+	FILETIME temp;
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL);
+	REQUIRE(nanoseconds < NS_PER_S);
+
+	SystemTimeToFileTime(&epoch1970, &temp);
+
+	i1.LowPart = temp.dwLowDateTime;
+	i1.HighPart = temp.dwHighDateTime;
+
+	i1.QuadPart += (unsigned __int64)nanoseconds/100;
+	i1.QuadPart += (unsigned __int64)seconds*10000000;
+
+	t->absolute.dwLowDateTime = i1.LowPart;
+	t->absolute.dwHighDateTime = i1.HighPart;
+}
+
+void
+isc_time_settoepoch(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	t->absolute.dwLowDateTime = 0;
+	t->absolute.dwHighDateTime = 0;
+}
+
+bool
+isc_time_isepoch(const isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	if (t->absolute.dwLowDateTime == 0 &&
+	    t->absolute.dwHighDateTime == 0)
+		return (true);
+
+	return (false);
+}
+
+isc_result_t
+isc_time_now(isc_time_t *t) {
+	REQUIRE(t != NULL);
+
+	GetSystemTimeAsFileTime(&t->absolute);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL);
+	REQUIRE(i != NULL);
+
+	GetSystemTimeAsFileTime(&t->absolute);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (UINT64_MAX - i1.QuadPart < (unsigned __int64)i->interval)
+		return (ISC_R_RANGE);
+
+	i1.QuadPart += i->interval;
+
+	t->absolute.dwLowDateTime  = i1.LowPart;
+	t->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
+	REQUIRE(t1 != NULL && t2 != NULL);
+
+	return ((int)CompareFileTime(&t1->absolute, &t2->absolute));
+}
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
+{
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (UINT64_MAX - i1.QuadPart < (unsigned __int64)i->interval)
+		return (ISC_R_RANGE);
+
+	i1.QuadPart += i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+		  isc_time_t *result) {
+	ULARGE_INTEGER i1;
+
+	REQUIRE(t != NULL && i != NULL && result != NULL);
+
+	i1.LowPart = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+
+	if (i1.QuadPart < (unsigned __int64) i->interval)
+		return (ISC_R_RANGE);
+
+	i1.QuadPart -= i->interval;
+
+	result->absolute.dwLowDateTime = i1.LowPart;
+	result->absolute.dwHighDateTime = i1.HighPart;
+
+	return (ISC_R_SUCCESS);
+}
+
+uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
+	ULARGE_INTEGER i1, i2;
+	LONGLONG i3;
+
+	REQUIRE(t1 != NULL && t2 != NULL);
+
+	i1.LowPart  = t1->absolute.dwLowDateTime;
+	i1.HighPart = t1->absolute.dwHighDateTime;
+	i2.LowPart  = t2->absolute.dwLowDateTime;
+	i2.HighPart = t2->absolute.dwHighDateTime;
+
+	if (i1.QuadPart <= i2.QuadPart)
+		return (0);
+
+	/*
+	 * Convert to microseconds.
+	 */
+	i3 = (i1.QuadPart - i2.QuadPart) / 10;
+
+	return (i3);
+}
+
+uint32_t
+isc_time_seconds(const isc_time_t *t) {
+	SYSTEMTIME epoch1970 = { 1970, 1, 4, 1, 0, 0, 0, 0 };
+	FILETIME temp;
+	ULARGE_INTEGER i1, i2;
+	LONGLONG i3;
+
+	SystemTimeToFileTime(&epoch1970, &temp);
+
+	i1.LowPart  = t->absolute.dwLowDateTime;
+	i1.HighPart = t->absolute.dwHighDateTime;
+	i2.LowPart  = temp.dwLowDateTime;
+	i2.HighPart = temp.dwHighDateTime;
+
+	i3 = (i1.QuadPart - i2.QuadPart) / 10000000;
+
+	return ((uint32_t)i3);
+}
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
+	time_t seconds;
+
+	REQUIRE(t != NULL);
+
+	seconds = (time_t)isc_time_seconds(t);
+
+	INSIST(sizeof(unsigned int) == sizeof(uint32_t));
+	INSIST(sizeof(time_t) >= sizeof(uint32_t));
+
+	if (isc_time_seconds(t) > (~0U>>1) && seconds <= (time_t)(~0U>>1))
+		return (ISC_R_RANGE);
+
+	*secondsp = seconds;
+
+	return (ISC_R_SUCCESS);
+}
+
+
+uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
+	ULARGE_INTEGER i;
+
+	i.LowPart  = t->absolute.dwLowDateTime;
+	i.HighPart = t->absolute.dwHighDateTime;
+	return ((uint32_t)(i.QuadPart % 10000000) * 100);
+}
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	FILETIME localft;
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToLocalFileTime(&t->absolute, &localft) &&
+	    FileTimeToSystemTime(&localft, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st, "dd-MMM-yyyy",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT, TIME_NOTIMEMARKER|
+			      TIME_FORCE24HOURFORMAT, &st, NULL, TimeBuf, 50);
+
+		snprintf(buf, len, "%s %s.%03u", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+
+	} else {
+		strlcpy(buf, "99-Bad-9999 99:99:99.999", len);
+	}
+}
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+/* strftime() format: "%a, %d %b %Y %H:%M:%S GMT" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_USER_DEFAULT, 0, &st,
+			      "ddd',' dd MMM yyyy", DateBuf, 50);
+		GetTimeFormat(LOCALE_USER_DEFAULT,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT,
+			      &st, "hh':'mm':'ss", TimeBuf, 50);
+
+		snprintf(buf, len, "%s %s GMT", DateBuf, TimeBuf);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+isc_result_t
+isc_time_parsehttptimestamp(char *buf, isc_time_t *t) {
+	struct tm t_tm;
+	time_t when;
+	char *p;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(t != NULL);
+
+	p = isc_tm_strptime(buf, "%a, %d %b %Y %H:%M:%S", &t_tm);
+	if (p == NULL)
+		return (ISC_R_UNEXPECTED);
+	when = isc_tm_timegm(&t_tm);
+	if (when == -1)
+		return (ISC_R_UNEXPECTED);
+	isc_time_set(t, (unsigned int)when, 0);
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%SZ" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyy-MM-dd",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT,
+			      &st, "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%sZ", DateBuf, TimeBuf);
+	} else {
+		buf[0] = 0;
+	}
+}
+
+void
+isc_time_formatISO8601ms(const isc_time_t *t, char *buf, unsigned int len) {
+	SYSTEMTIME st;
+	char DateBuf[50];
+	char TimeBuf[50];
+
+	/* strtime() format: "%Y-%m-%dT%H:%M:%S.SSSZ" */
+
+	REQUIRE(t != NULL);
+	REQUIRE(buf != NULL);
+	REQUIRE(len > 0);
+
+	if (FileTimeToSystemTime(&t->absolute, &st)) {
+		GetDateFormat(LOCALE_NEUTRAL, 0, &st, "yyyy-MM-dd",
+			      DateBuf, 50);
+		GetTimeFormat(LOCALE_NEUTRAL,
+			      TIME_NOTIMEMARKER | TIME_FORCE24HOURFORMAT,
+			      &st, "hh':'mm':'ss", TimeBuf, 50);
+		snprintf(buf, len, "%sT%s.%03uZ", DateBuf, TimeBuf,
+			 st.wMilliseconds);
+	} else {
+		buf[0] = 0;
+	}
+}
diff --git a/lib/isc/win32/unistd.h b/lib/isc/win32/unistd.h
new file mode 100644
index 0000000..170577e
--- /dev/null
+++ b/lib/isc/win32/unistd.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/* None of these are defined in NT, so define them for our use */
+#define O_NONBLOCK 1
+#define PORT_NONBLOCK O_NONBLOCK
+
+/*
+ * fcntl() commands
+ */
+#define F_SETFL 0
+#define F_GETFL 1
+#define F_SETFD 2
+#define F_GETFD 3
+/*
+ * Enough problems not having full fcntl() without worrying about this!
+ */
+#undef F_DUPFD
+
+int fcntl(int, int, ...);
+
+/*
+ * access() related definitions for winXP
+ */
+#include <io.h>
+#ifndef F_OK
+#define	F_OK	0
+#endif
+
+#ifndef X_OK
+#define	X_OK	1
+#endif
+
+#ifndef W_OK
+#define W_OK 2
+#endif
+
+#ifndef R_OK
+#define R_OK 4
+#endif
+
+#define access _access
+
+#include <process.h>
diff --git a/lib/isc/win32/version.c b/lib/isc/win32/version.c
new file mode 100644
index 0000000..d86c781
--- /dev/null
+++ b/lib/isc/win32/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <isc/version.h>
+
+LIBISC_EXTERNAL_DATA const char isc_version[] = VERSION;
+
+LIBISC_EXTERNAL_DATA const unsigned int isc_libinterface = LIBINTERFACE;
+LIBISC_EXTERNAL_DATA const unsigned int isc_librevision = LIBREVISION;
+LIBISC_EXTERNAL_DATA const unsigned int isc_libage = LIBAGE;
diff --git a/lib/isc/win32/win32os.c b/lib/isc/win32/win32os.c
new file mode 100644
index 0000000..9af95c8
--- /dev/null
+++ b/lib/isc/win32/win32os.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <windows.h>
+
+#ifndef TESTVERSION
+#include <isc/win32os.h>
+#else
+#include <stdio.h>
+#include <isc/util.h>
+#endif
+#include <isc/print.h>
+
+int
+isc_win32os_versioncheck(unsigned int major, unsigned int minor,
+			 unsigned int spmajor, unsigned int spminor)
+{
+	OSVERSIONINFOEX osVer;
+	DWORD typeMask;
+	ULONGLONG conditionMask;
+
+	memset(&osVer, 0, sizeof(OSVERSIONINFOEX));
+	osVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	typeMask = 0;
+	conditionMask = 0;
+
+	/* Optimistic: likely greater */
+	osVer.dwMajorVersion = major;
+	typeMask |= VER_MAJORVERSION;
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_MAJORVERSION,
+					    VER_GREATER);
+	osVer.dwMinorVersion = minor;
+	typeMask |= VER_MINORVERSION;
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_MINORVERSION,
+					    VER_GREATER);
+	osVer.wServicePackMajor = spmajor;
+	typeMask |= VER_SERVICEPACKMAJOR;
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_SERVICEPACKMAJOR,
+					    VER_GREATER);
+	osVer.wServicePackMinor = spminor;
+	typeMask |= VER_SERVICEPACKMINOR;
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_SERVICEPACKMINOR,
+					    VER_GREATER);
+	if (VerifyVersionInfo(&osVer, typeMask, conditionMask))
+		return (1);
+
+	/* Failed: retry with equal */
+	conditionMask = 0;
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_MAJORVERSION,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_MINORVERSION,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_SERVICEPACKMAJOR,
+					    VER_EQUAL);
+	conditionMask = VerSetConditionMask(conditionMask,
+					    VER_SERVICEPACKMINOR,
+					    VER_EQUAL);
+	if (VerifyVersionInfo(&osVer, typeMask, conditionMask))
+		return (0);
+	else
+		return (-1);
+}
+
+#ifdef TESTVERSION
+int
+main(int argc, char **argv) {
+	unsigned int major = 0;
+	unsigned int minor = 0;
+	unsigned int spmajor = 0;
+	unsigned int spminor = 0;
+	int ret;
+
+	if (argc > 1) {
+		--argc;
+		++argv;
+		major = (unsigned int) atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		++argv;
+		minor = (unsigned int) atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		++argv;
+		spmajor = (unsigned int) atoi(argv[0]);
+	}
+	if (argc > 1) {
+		--argc;
+		POST(argc);
+		++argv;
+		spminor = (unsigned int) atoi(argv[0]);
+	}
+
+	ret = isc_win32os_versioncheck(major, minor, spmajor, spminor);
+
+	printf("%s major %u minor %u SP major %u SP minor %u\n",
+	       ret > 0 ? "greater" : (ret == 0 ? "equal" : "less"),
+	       major, minor, spmajor, spminor);
+	return (ret);
+}
+#endif
diff --git a/lib/isc/x86_32/Makefile.in b/lib/isc/x86_32/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/x86_32/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/x86_32/include/Makefile.in b/lib/isc/x86_32/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/x86_32/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/x86_32/include/isc/Makefile.in b/lib/isc/x86_32/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/x86_32/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/x86_32/include/isc/atomic.h b/lib/isc/x86_32/include/isc/atomic.h
new file mode 100644
index 0000000..8bcc8b0
--- /dev/null
+++ b/lib/isc/x86_32/include/isc/atomic.h
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+/*
+ * This routine atomically increments the value stored in 'p' by 'val', and
+ * returns the previous value.
+ */
+static __inline__ int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	int32_t prev = val;
+
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %0, %1"
+		:"=q"(prev)
+		:"m"(*p), "0"(prev)
+		:"memory", "cc");
+
+	return (prev);
+}
+
+#ifdef ISC_PLATFORM_HAVEXADDQ
+static __inline__ int64_t
+isc_atomic_xaddq(int64_t *p, int64_t val) {
+	int64_t prev = val;
+
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+	    "lock;"
+#endif
+	    "xaddq %0, %1"
+	    :"=q"(prev)
+	    :"m"(*p), "0"(prev)
+	    :"memory", "cc");
+
+	return (prev);
+}
+#endif /* ISC_PLATFORM_HAVEXADDQ */
+
+/*
+ * This routine atomically stores the value 'val' in 'p' (32-bit version).
+ */
+static __inline__ void
+isc_atomic_store(int32_t *p, int32_t val) {
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		/*
+		 * xchg should automatically lock memory, but we add it
+		 * explicitly just in case (it at least doesn't harm)
+		 */
+		"lock;"
+#endif
+
+		"xchgl %1, %0"
+		:
+		: "r"(val), "m"(*p)
+		: "memory");
+}
+
+#ifdef ISC_PLATFORM_HAVEATOMICSTOREQ
+/*
+ * This routine atomically stores the value 'val' in 'p' (64-bit version).
+ */
+static __inline__ void
+isc_atomic_storeq(int64_t *p, int64_t val) {
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		/*
+		 * xchg should automatically lock memory, but we add it
+		 * explicitly just in case (it at least doesn't harm)
+		 */
+		"lock;"
+#endif
+
+		"xchgq %1, %0"
+		:
+		: "r"(val), "m"(*p)
+		: "memory");
+}
+#endif /* ISC_PLATFORM_HAVEATOMICSTOREQ */
+
+/*
+ * This routine atomically replaces the value in 'p' with 'val', if the
+ * original value is equal to 'cmpval'.  The original value is returned in any
+ * case.
+ */
+static __inline__ int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"cmpxchgl %1, %2"
+		: "=a"(cmpval)
+		: "r"(val), "m"(*p), "a"(cmpval)
+		: "memory");
+
+	return (cmpval);
+}
+
+#elif defined(ISC_PLATFORM_USESTDASM)
+/*
+ * The followings are "generic" assembly code which implements the same
+ * functionality in case the gcc extension cannot be used.  It should be
+ * better to avoid inlining below, since we directly refer to specific
+ * positions of the stack frame, which would not actually point to the
+ * intended address in the embedded mnemonic.
+ */
+static int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %edx, (%ecx)\n"
+
+		/*
+		 * set the return value directly in the register so that we
+		 * can avoid guessing the correct position in the stack for a
+		 * local variable.
+		 */
+		"movl %edx, %eax"
+		);
+}
+
+static void
+isc_atomic_store(int32_t *p, int32_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xchgl (%ecx), %edx\n"
+		);
+}
+
+static int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	(void)(p);
+	(void)(cmpval);
+	(void)(val);
+
+	__asm (
+		"movl 8(%ebp), %ecx\n"
+		"movl 12(%ebp), %eax\n"	/* must be %eax for cmpxchgl */
+		"movl 16(%ebp), %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+
+		/*
+		 * If (%ecx) == %eax then (%ecx) := %edx.
+		 % %eax is set to old (%ecx), which will be the return value.
+		 */
+		"cmpxchgl %edx, (%ecx)"
+		);
+}
+#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isc/x86_64/Makefile.in b/lib/isc/x86_64/Makefile.in
new file mode 100644
index 0000000..419cf9f
--- /dev/null
+++ b/lib/isc/x86_64/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/x86_64/include/Makefile.in b/lib/isc/x86_64/include/Makefile.in
new file mode 100644
index 0000000..d33c0fc
--- /dev/null
+++ b/lib/isc/x86_64/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isc/x86_64/include/isc/Makefile.in b/lib/isc/x86_64/include/isc/Makefile.in
new file mode 100644
index 0000000..97b6b41
--- /dev/null
+++ b/lib/isc/x86_64/include/isc/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+HEADERS =	atomic.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isc/$$i || exit 1; \
+	done
diff --git a/lib/isc/x86_64/include/isc/atomic.h b/lib/isc/x86_64/include/isc/atomic.h
new file mode 100644
index 0000000..b2d7880
--- /dev/null
+++ b/lib/isc/x86_64/include/isc/atomic.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISC_ATOMIC_H
+#define ISC_ATOMIC_H 1
+
+#include <inttypes.h>
+
+#include <isc/platform.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_USEGCCASM
+
+/* We share the gcc-version with x86_32 */
+#error "impossible case.  check build configuration"
+
+#elif defined(ISC_PLATFORM_USESTDASM)
+/*
+ * The followings are "generic" assembly code which implements the same
+ * functionality in case the gcc extension cannot be used.  It should be
+ * better to avoid inlining below, since we directly refer to specific
+ * registers for arguments, which would not actually correspond to the
+ * intended address or value in the embedded mnemonic.
+ */
+
+static int32_t
+isc_atomic_xadd(int32_t *p, int32_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movq %rdi, %rdx\n"
+		"movl %esi, %eax\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xadd %eax, (%rdx)\n"
+		/*
+		 * XXX: assume %eax will be used as the return value.
+		 */
+		);
+}
+
+#ifdef ISC_PLATFORM_HAVEXADDQ
+static int64_t
+isc_atomic_xaddq(int64_t *p, int64_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movq %rdi, %rdx\n"
+		"movq %rsi, %rax\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xaddq %rax, (%rdx)\n"
+		/*
+		 * XXX: assume %rax will be used as the return value.
+		 */
+		);
+}
+#endif
+
+static void
+isc_atomic_store(int32_t *p, int32_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movq %rdi, %rax\n"
+		"movl %esi, %edx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xchgl (%rax), %edx\n"
+		);
+}
+
+#ifdef ISC_PLATFORM_HAVEATOMICSTOREQ
+static void
+isc_atomic_storeq(int64_t *p, int64_t val) {
+	(void)(p);
+	(void)(val);
+
+	__asm (
+		"movq %rdi, %rax\n"
+		"movq %rsi, %rdx\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xchgq (%rax), %rdx\n"
+		);
+}
+#endif
+
+static int32_t
+isc_atomic_cmpxchg(int32_t *p, int32_t cmpval, int32_t val) {
+	(void)(p);
+	(void)(cmpval);
+	(void)(val);
+
+	__asm (
+		/*
+		 * p is %rdi, cmpval is %esi, val is %edx.
+		 */
+		"movl %edx, %ecx\n"
+		"movl %esi, %eax\n"
+		"movq %rdi, %rdx\n"
+
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		/*
+		 * If [%rdi] == %eax then [%rdi] := %ecx (equal to %edx
+		 * from above), and %eax is untouched (equal to %esi)
+		 * from above.
+		 *
+		 * Else if [%rdi] != %eax then [%rdi] := [%rdi]
+		 * (rewritten in write cycle) and %eax := [%rdi].
+		 */
+		"cmpxchgl %ecx, (%rdx)"
+		);
+}
+
+#else /* !ISC_PLATFORM_USEGCCASM && !ISC_PLATFORM_USESTDASM */
+
+#error "unsupported compiler.  disable atomic ops by --disable-atomic"
+
+#endif
+#endif /* ISC_ATOMIC_H */
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
new file mode 100644
index 0000000..ca88e98
--- /dev/null
+++ b/lib/isccc/Makefile.in
@@ -0,0 +1,84 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id$
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBISCCC_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} \
+		${ISCCC_INCLUDES} @ISC_OPENSSL_INC@
+
+CDEFINES =	@CRYPTO@
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+ISCCCLIBS =	../../lib/isccc/libisccc.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCCDEPLIBS =	libisccc.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+
+# Alphabetically
+OBJS =		alist.@O@ base64.@O@ cc.@O@ ccmsg.@O@ \
+		lib.@O@ \
+		result.@O@ sexpr.@O@ symtab.@O@ version.@O@
+
+# Alphabetically
+SRCS =		alist.c base64.c cc.c ccmsg.c \
+		lib.c \
+		result.c sexpr.c symtab.c version.c
+
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libisccc.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisccc.la: ${OBJS}
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${ISCLIBS} ${LIBS}
+
+timestamp: libisccc.@A@
+	touch timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisccc.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisccc.@A@
+
+clean distclean::
+	rm -f libisccc.@A@ timestamp
diff --git a/lib/isccc/alist.c b/lib/isccc/alist.c
new file mode 100644
index 0000000..22992d6
--- /dev/null
+++ b/lib/isccc/alist.c
@@ -0,0 +1,307 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isccc/alist.h>
+#include <isc/assertions.h>
+#include <isc/print.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+#define CAR(s)			(s)->value.as_dottedpair.car
+#define CDR(s)			(s)->value.as_dottedpair.cdr
+
+#define ALIST_TAG		"*alist*"
+#define MAX_INDENT		64
+
+static char spaces[MAX_INDENT + 1] =
+	"                                                                ";
+
+isccc_sexpr_t *
+isccc_alist_create(void)
+{
+	isccc_sexpr_t *alist, *tag;
+
+	tag = isccc_sexpr_fromstring(ALIST_TAG);
+	if (tag == NULL)
+		return (NULL);
+	alist = isccc_sexpr_cons(tag, NULL);
+	if (alist == NULL) {
+		isccc_sexpr_free(&tag);
+		return (NULL);
+	}
+
+	return (alist);
+}
+
+bool
+isccc_alist_alistp(isccc_sexpr_t *alist)
+{
+	isccc_sexpr_t *car;
+
+	if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR)
+		return (false);
+	car = CAR(alist);
+	if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING)
+		return (false);
+	if (strcmp(car->value.as_string, ALIST_TAG) != 0)
+		return (false);
+	return (true);
+}
+
+bool
+isccc_alist_emptyp(isccc_sexpr_t *alist)
+{
+	REQUIRE(isccc_alist_alistp(alist));
+
+	if (CDR(alist) == NULL)
+		return (true);
+	return (false);
+}
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist)
+{
+	REQUIRE(isccc_alist_alistp(alist));
+
+	return (CDR(alist));
+}
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key)
+{
+	isccc_sexpr_t *car, *caar;
+
+	REQUIRE(isccc_alist_alistp(alist));
+
+	/*
+	 * Skip alist type tag.
+	 */
+	alist = CDR(alist);
+
+	while (alist != NULL) {
+		INSIST(alist->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		car = CAR(alist);
+		INSIST(car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		caar = CAR(car);
+		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+		    strcmp(caar->value.as_string, key) == 0)
+			return (car);
+		alist = CDR(alist);
+	}
+
+	return (NULL);
+}
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key)
+{
+	isccc_sexpr_t *car, *caar, *rest, *prev;
+
+	REQUIRE(isccc_alist_alistp(alist));
+
+	prev = alist;
+	rest = CDR(alist);
+	while (rest != NULL) {
+		INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		car = CAR(rest);
+		INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+		caar = CAR(car);
+		if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+		    strcmp(caar->value.as_string, key) == 0) {
+			CDR(prev) = CDR(rest);
+			CDR(rest) = NULL;
+			isccc_sexpr_free(&rest);
+			break;
+		}
+		prev = rest;
+		rest = CDR(rest);
+	}
+}
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value)
+{
+	isccc_sexpr_t *kv, *k, *elt;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv == NULL) {
+		/*
+		 * New association.
+		 */
+		k = isccc_sexpr_fromstring(key);
+		if (k == NULL)
+			return (NULL);
+		kv = isccc_sexpr_cons(k, value);
+		if (kv == NULL) {
+			isccc_sexpr_free(&kv);
+			return (NULL);
+		}
+		elt = isccc_sexpr_addtolist(&alist, kv);
+		if (elt == NULL) {
+			isccc_sexpr_free(&kv);
+			return (NULL);
+		}
+	} else {
+		/*
+		 * We've already got an entry for this key.  Replace it.
+		 */
+		isccc_sexpr_free(&CDR(kv));
+		CDR(kv) = value;
+	}
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
+{
+	isccc_sexpr_t *v, *kv;
+
+	v = isccc_sexpr_fromstring(str);
+	if (v == NULL)
+		return (NULL);
+	kv = isccc_alist_define(alist, key, v);
+	if (kv == NULL)
+		isccc_sexpr_free(&v);
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r)
+{
+	isccc_sexpr_t *v, *kv;
+
+	v = isccc_sexpr_frombinary(r);
+	if (v == NULL)
+		return (NULL);
+	kv = isccc_alist_define(alist, key, v);
+	if (kv == NULL)
+		isccc_sexpr_free(&v);
+
+	return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key)
+{
+	isccc_sexpr_t *kv;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL)
+		return (CDR(kv));
+	return (NULL);
+}
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
+{
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = CDR(kv);
+		if (isccc_sexpr_stringp(v)) {
+			if (strp != NULL)
+				*strp = isccc_sexpr_tostring(v);
+			return (ISC_R_SUCCESS);
+		} else
+			return (ISC_R_EXISTS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r)
+{
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (r != NULL)
+				*r = isccc_sexpr_tobinary(v);
+			return (ISC_R_SUCCESS);
+		} else
+			return (ISC_R_EXISTS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream)
+{
+	isccc_sexpr_t *elt, *kv, *k, *v;
+
+	if (isccc_alist_alistp(sexpr)) {
+		fprintf(stream, "{\n");
+		indent += 4;
+		for (elt = isccc_alist_first(sexpr);
+		     elt != NULL;
+		     elt = CDR(elt)) {
+			kv = CAR(elt);
+			INSIST(isccc_sexpr_listp(kv));
+			k = CAR(kv);
+			v = CDR(kv);
+			INSIST(isccc_sexpr_stringp(k));
+			fprintf(stream, "%.*s%s => ", (int)indent, spaces,
+				isccc_sexpr_tostring(k));
+			isccc_alist_prettyprint(v, indent, stream);
+			if (CDR(elt) != NULL)
+				fprintf(stream, ",");
+			fprintf(stream, "\n");
+		}
+		indent -= 4;
+		fprintf(stream, "%.*s}", (int)indent, spaces);
+	} else if (isccc_sexpr_listp(sexpr)) {
+		fprintf(stream, "(\n");
+		indent += 4;
+		for (elt = sexpr;
+		     elt != NULL;
+		     elt = CDR(elt)) {
+			fprintf(stream, "%.*s", (int)indent, spaces);
+			isccc_alist_prettyprint(CAR(elt), indent, stream);
+			if (CDR(elt) != NULL)
+				fprintf(stream, ",");
+			fprintf(stream, "\n");
+		}
+		indent -= 4;
+		fprintf(stream, "%.*s)", (int)indent, spaces);
+	} else
+		isccc_sexpr_print(sexpr, stream);
+}
diff --git a/lib/isccc/api b/lib/isccc/api
new file mode 100644
index 0000000..79bb9eb
--- /dev/null
+++ b/lib/isccc/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 161
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/isccc/base64.c b/lib/isccc/base64.c
new file mode 100644
index 0000000..54e8bd0
--- /dev/null
+++ b/lib/isccc/base64.c
@@ -0,0 +1,73 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/result.h>
+
+#include <isccc/base64.h>
+#include <isccc/result.h>
+#include <isccc/util.h>
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+		  const char *wordbreak, isccc_region_t *target)
+{
+	isc_region_t sr;
+	isc_buffer_t tb;
+	isc_result_t result;
+
+	sr.base = source->rstart;
+	sr.length = (unsigned int)(source->rend - source->rstart);
+	isc_buffer_init(&tb, target->rstart,
+			(unsigned int)(target->rend - target->rstart));
+
+	result = isc_base64_totext(&sr, wordlength, wordbreak, &tb);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	source->rstart = source->rend;
+	target->rstart = isc_buffer_used(&tb);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target) {
+	isc_buffer_t b;
+	isc_result_t result;
+
+	isc_buffer_init(&b, target->rstart,
+			(unsigned int)(target->rend - target->rstart));
+	result = isc_base64_decodestring(cstr, &b);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	target->rstart = isc_buffer_used(&b);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
new file mode 100644
index 0000000..c2740cb
--- /dev/null
+++ b/lib/isccc/cc.c
@@ -0,0 +1,1084 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <inttypes.h>
+#include <string.h>
+#include <errno.h>
+
+#include <isc/assertions.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
+#include <isc/print.h>
+#include <isc/safe.h>
+#include <isc/stdlib.h>
+
+#include <pk11/site.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/symtab.h>
+#include <isccc/symtype.h>
+#include <isccc/util.h>
+
+#define MAX_TAGS		256
+#define DUP_LIFETIME		900
+
+typedef isccc_sexpr_t *sexpr_ptr;
+
+#ifndef PK11_MD5_DISABLE
+static unsigned char auth_hmd5[] = {
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
+	0x00, 0x00, 0x00, 0x20,				/*%< length == 32 */
+	0x04, 0x68, 0x6d, 0x64, 0x35,			/*%< len + hmd5 */
+	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
+	0x00, 0x00, 0x00, 0x16,				/*%< length == 22 */
+	/*
+	 * The base64 encoding of one of our HMAC-MD5 signatures is
+	 * 22 bytes.
+	 */
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HMD5_OFFSET	21		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 */
+#define HMD5_LENGTH	22
+#endif
+
+static unsigned char auth_hsha[] = {
+	0x05, 0x5f, 0x61, 0x75, 0x74, 0x68,		/*%< len + _auth */
+	ISCCC_CCMSGTYPE_TABLE,				/*%< message type */
+	0x00, 0x00, 0x00, 0x63,				/*%< length == 99 */
+	0x04, 0x68, 0x73, 0x68, 0x61,			/*%< len + hsha */
+	ISCCC_CCMSGTYPE_BINARYDATA,			/*%< message type */
+	0x00, 0x00, 0x00, 0x59,				/*%< length == 89 */
+	0x00,						/*%< algorithm */
+	/*
+	 * The base64 encoding of one of our HMAC-SHA* signatures is
+	 * 88 bytes.
+	 */
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HSHA_OFFSET	22		/*%< 21 = 6 + 1 + 4 + 5 + 1 + 4 + 1 */
+#define HSHA_LENGTH	88
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer);
+
+static isc_result_t
+list_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer);
+
+static isc_result_t
+value_towire(isccc_sexpr_t *elt, isc_buffer_t **buffer) {
+	unsigned int len;
+	isccc_region_t *vr;
+	isc_result_t result;
+
+	if (isccc_sexpr_binaryp(elt)) {
+		vr = isccc_sexpr_tobinary(elt);
+		len = REGION_SIZE(*vr);
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_BINARYDATA);
+		isc_buffer_putuint32(*buffer, len);
+
+		result = isc_buffer_reserve(buffer, len);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putmem(*buffer, vr->rstart, len);
+	} else if (isccc_alist_alistp(elt)) {
+		unsigned int used;
+		isc_buffer_t b;
+
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_TABLE);
+		/*
+		 * Emit a placeholder length.
+		 */
+		used = (*buffer)->used;
+		isc_buffer_putuint32(*buffer, 0);
+
+		/*
+		 * Emit the table.
+		 */
+		result = table_towire(elt, buffer);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		len = (*buffer)->used - used;
+		/*
+		 * 'len' is 4 bytes too big, since it counts
+		 * the placeholder length too.	Adjust and
+		 * emit.
+		 */
+		INSIST(len >= 4U);
+		len -= 4;
+
+		isc_buffer_init(&b, (unsigned char *) (*buffer)->base + used, 4);
+		isc_buffer_putuint32(&b, len);
+	} else if (isccc_sexpr_listp(elt)) {
+		unsigned int used;
+		isc_buffer_t b;
+
+		result = isc_buffer_reserve(buffer, 1 + 4);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(*buffer, ISCCC_CCMSGTYPE_LIST);
+		/*
+		 * Emit a placeholder length.
+		 */
+		used = (*buffer)->used;
+		isc_buffer_putuint32(*buffer, 0);
+
+		/*
+		 * Emit the list.
+		 */
+		result = list_towire(elt, buffer);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+
+		len = (*buffer)->used - used;
+		/*
+		 * 'len' is 4 bytes too big, since it counts
+		 * the placeholder length too.	Adjust and
+		 * emit.
+		 */
+		INSIST(len >= 4U);
+		len -= 4;
+
+		isc_buffer_init(&b, (unsigned char *) (*buffer)->base + used, 4);
+		isc_buffer_putuint32(&b, len);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer) {
+	isccc_sexpr_t *kv, *elt, *k, *v;
+	char *ks;
+	isc_result_t result;
+	unsigned int len;
+
+	for (elt = isccc_alist_first(alist);
+	     elt != NULL;
+	     elt = ISCCC_SEXPR_CDR(elt)) {
+		kv = ISCCC_SEXPR_CAR(elt);
+		k = ISCCC_SEXPR_CAR(kv);
+		ks = isccc_sexpr_tostring(k);
+		v = ISCCC_SEXPR_CDR(kv);
+		len = (unsigned int)strlen(ks);
+		INSIST(len <= 255U);
+		/*
+		 * Emit the key name.
+		 */
+		result = isc_buffer_reserve(buffer, 1 + len);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_NOSPACE);
+		isc_buffer_putuint8(*buffer, (uint8_t)len);
+		isc_buffer_putmem(*buffer, (const unsigned char *) ks, len);
+		/*
+		 * Emit the value.
+		 */
+		result = value_towire(v, buffer);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_towire(isccc_sexpr_t *list, isc_buffer_t **buffer) {
+	isc_result_t result;
+
+	while (list != NULL) {
+		result = value_towire(ISCCC_SEXPR_CAR(list), buffer);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+		list = ISCCC_SEXPR_CDR(list);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+sign(unsigned char *data, unsigned int length, unsigned char *hmac,
+     uint32_t algorithm, isccc_region_t *secret)
+{
+	union {
+#ifndef PK11_MD5_DISABLE
+		isc_hmacmd5_t hmd5;
+#endif
+		isc_hmacsha1_t hsha;
+		isc_hmacsha224_t h224;
+		isc_hmacsha256_t h256;
+		isc_hmacsha384_t h384;
+		isc_hmacsha512_t h512;
+	} ctx;
+	isc_result_t result;
+	isccc_region_t source, target;
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	unsigned char digestb64[HSHA_LENGTH + 4];
+
+	source.rstart = digest;
+
+	switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
+	case ISCCC_ALG_HMACMD5:
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+				 REGION_SIZE(*secret));
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
+		break;
+#endif
+
+	case ISCCC_ALG_HMACSHA1:
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha1_update(&ctx.hsha, data, length);
+		isc_hmacsha1_sign(&ctx.hsha, digest,
+				    ISC_SHA1_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA224:
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha224_update(&ctx.h224, data, length);
+		isc_hmacsha224_sign(&ctx.h224, digest,
+				    ISC_SHA224_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA256:
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha256_update(&ctx.h256, data, length);
+		isc_hmacsha256_sign(&ctx.h256, digest,
+				    ISC_SHA256_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA384:
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha384_update(&ctx.h384, data, length);
+		isc_hmacsha384_sign(&ctx.h384, digest,
+				    ISC_SHA384_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA512:
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha512_update(&ctx.h512, data, length);
+		isc_hmacsha512_sign(&ctx.h512, digest,
+				    ISC_SHA512_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+		break;
+
+	default:
+		return (ISC_R_FAILURE);
+	}
+
+	memset(digestb64, 0, sizeof(digestb64));
+	target.rstart = digestb64;
+	target.rend = digestb64 + sizeof(digestb64);
+	result = isccc_base64_encode(&source, 64, "", &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+#ifndef PK11_MD5_DISABLE
+	if (algorithm == ISCCC_ALG_HMACMD5)
+		PUT_MEM(digestb64, HMD5_LENGTH, hmac);
+	else
+#endif
+		PUT_MEM(digestb64, HSHA_LENGTH, hmac);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+		uint32_t algorithm, isccc_region_t *secret)
+{
+	unsigned int hmac_base, signed_base;
+	isc_result_t result;
+
+#ifndef PK11_MD5_DISABLE
+	result = isc_buffer_reserve(buffer,
+				    4 + ((algorithm == ISCCC_ALG_HMACMD5) ?
+					 sizeof(auth_hmd5) :
+					 sizeof(auth_hsha)));
+#else
+	if (algorithm == ISCCC_ALG_HMACMD5)
+		return (ISC_R_NOTIMPLEMENTED);
+	result = isc_buffer_reserve(buffer, 4 + sizeof(auth_hsha));
+#endif
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_NOSPACE);
+
+	/*
+	 * Emit protocol version.
+	 */
+	isc_buffer_putuint32(*buffer, 1);
+
+	if (secret != NULL) {
+		/*
+		 * Emit _auth section with zeroed HMAC signature.
+		 * We'll replace the zeros with the real signature once
+		 * we know what it is.
+		 */
+#ifndef PK11_MD5_DISABLE
+		if (algorithm == ISCCC_ALG_HMACMD5) {
+			hmac_base = (*buffer)->used + HMD5_OFFSET;
+			isc_buffer_putmem(*buffer,
+					  auth_hmd5, sizeof(auth_hmd5));
+		} else
+#endif
+		{
+			unsigned char *hmac_alg;
+
+			hmac_base = (*buffer)->used + HSHA_OFFSET;
+			hmac_alg = (unsigned char *) isc_buffer_used(*buffer) +
+				HSHA_OFFSET - 1;
+			isc_buffer_putmem(*buffer,
+					  auth_hsha, sizeof(auth_hsha));
+			*hmac_alg = algorithm;
+		}
+	} else
+		hmac_base = 0;
+	signed_base = (*buffer)->used;
+	/*
+	 * Delete any existing _auth section so that we don't try
+	 * to encode it.
+	 */
+	isccc_alist_delete(alist, "_auth");
+	/*
+	 * Emit the message.
+	 */
+	result = table_towire(alist, buffer);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (secret != NULL)
+		return (sign((unsigned char *) (*buffer)->base + signed_base,
+			     (*buffer)->used - signed_base,
+			     (unsigned char *) (*buffer)->base + hmac_base,
+			     algorithm, secret));
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+       uint32_t algorithm, isccc_region_t *secret)
+{
+	union {
+#ifndef PK11_MD5_DISABLE
+		isc_hmacmd5_t hmd5;
+#endif
+		isc_hmacsha1_t hsha;
+		isc_hmacsha224_t h224;
+		isc_hmacsha256_t h256;
+		isc_hmacsha384_t h384;
+		isc_hmacsha512_t h512;
+	} ctx;
+	isccc_region_t source;
+	isccc_region_t target;
+	isc_result_t result;
+	isccc_sexpr_t *_auth, *hmac;
+	unsigned char digest[ISC_SHA512_DIGESTLENGTH];
+	unsigned char digestb64[HSHA_LENGTH * 4];
+
+	/*
+	 * Extract digest.
+	 */
+	_auth = isccc_alist_lookup(alist, "_auth");
+	if (!isccc_alist_alistp(_auth))
+		return (ISC_R_FAILURE);
+#ifndef PK11_MD5_DISABLE
+	if (algorithm == ISCCC_ALG_HMACMD5)
+		hmac = isccc_alist_lookup(_auth, "hmd5");
+	else
+#endif
+		hmac = isccc_alist_lookup(_auth, "hsha");
+	if (!isccc_sexpr_binaryp(hmac))
+		return (ISC_R_FAILURE);
+	/*
+	 * Compute digest.
+	 */
+	source.rstart = digest;
+	target.rstart = digestb64;
+	switch (algorithm) {
+#ifndef PK11_MD5_DISABLE
+	case ISCCC_ALG_HMACMD5:
+		isc_hmacmd5_init(&ctx.hmd5, secret->rstart,
+				 REGION_SIZE(*secret));
+		isc_hmacmd5_update(&ctx.hmd5, data, length);
+		isc_hmacmd5_sign(&ctx.hmd5, digest);
+		source.rend = digest + ISC_MD5_DIGESTLENGTH;
+		break;
+#endif
+
+	case ISCCC_ALG_HMACSHA1:
+		isc_hmacsha1_init(&ctx.hsha, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha1_update(&ctx.hsha, data, length);
+		isc_hmacsha1_sign(&ctx.hsha, digest,
+				    ISC_SHA1_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA1_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA224:
+		isc_hmacsha224_init(&ctx.h224, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha224_update(&ctx.h224, data, length);
+		isc_hmacsha224_sign(&ctx.h224, digest,
+				    ISC_SHA224_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA224_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA256:
+		isc_hmacsha256_init(&ctx.h256, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha256_update(&ctx.h256, data, length);
+		isc_hmacsha256_sign(&ctx.h256, digest,
+				    ISC_SHA256_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA256_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA384:
+		isc_hmacsha384_init(&ctx.h384, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha384_update(&ctx.h384, data, length);
+		isc_hmacsha384_sign(&ctx.h384, digest,
+				    ISC_SHA384_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA384_DIGESTLENGTH;
+		break;
+
+	case ISCCC_ALG_HMACSHA512:
+		isc_hmacsha512_init(&ctx.h512, secret->rstart,
+				    REGION_SIZE(*secret));
+		isc_hmacsha512_update(&ctx.h512, data, length);
+		isc_hmacsha512_sign(&ctx.h512, digest,
+				    ISC_SHA512_DIGESTLENGTH);
+		source.rend = digest + ISC_SHA512_DIGESTLENGTH;
+		break;
+
+	default:
+		return (ISC_R_FAILURE);
+	}
+	target.rstart = digestb64;
+	target.rend = digestb64 + sizeof(digestb64);
+	memset(digestb64, 0, sizeof(digestb64));
+	result = isccc_base64_encode(&source, 64, "", &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Verify.
+	 */
+#ifndef PK11_MD5_DISABLE
+	if (algorithm == ISCCC_ALG_HMACMD5) {
+		isccc_region_t *region;
+		unsigned char *value;
+
+		region = isccc_sexpr_tobinary(hmac);
+		if ((region->rend - region->rstart) != HMD5_LENGTH)
+			return (ISCCC_R_BADAUTH);
+		value = region->rstart;
+		if (!isc_safe_memequal(value, digestb64, HMD5_LENGTH))
+			return (ISCCC_R_BADAUTH);
+	} else
+#endif
+	{
+		isccc_region_t *region;
+		unsigned char *value;
+		uint32_t valalg;
+
+		region = isccc_sexpr_tobinary(hmac);
+
+		/*
+		 * Note: with non-MD5 algorithms, there's an extra octet
+		 * to identify which algorithm is in use.
+		 */
+		if ((region->rend - region->rstart) != HSHA_LENGTH + 1)
+			return (ISCCC_R_BADAUTH);
+		value = region->rstart;
+		GET8(valalg, value);
+		if ((valalg != algorithm) ||
+		    !isc_safe_memequal(value, digestb64, HSHA_LENGTH))
+			return (ISCCC_R_BADAUTH);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+	       uint32_t algorithm, isccc_sexpr_t **alistp);
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+
+static isc_result_t
+value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
+	unsigned int msgtype;
+	uint32_t len;
+	isccc_sexpr_t *value;
+	isccc_region_t active;
+	isc_result_t result;
+
+	if (REGION_SIZE(*source) < 1 + 4)
+		return (ISC_R_UNEXPECTEDEND);
+	GET8(msgtype, source->rstart);
+	GET32(len, source->rstart);
+	if (REGION_SIZE(*source) < len)
+		return (ISC_R_UNEXPECTEDEND);
+	active.rstart = source->rstart;
+	active.rend = active.rstart + len;
+	source->rstart = active.rend;
+	if (msgtype == ISCCC_CCMSGTYPE_BINARYDATA) {
+		value = isccc_sexpr_frombinary(&active);
+		if (value != NULL) {
+			*valuep = value;
+			result = ISC_R_SUCCESS;
+		} else
+			result = ISC_R_NOMEMORY;
+	} else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+		result = table_fromwire(&active, NULL, 0, valuep);
+	else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+		result = list_fromwire(&active, valuep);
+	else
+		result = ISCCC_R_SYNTAX;
+
+	return (result);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+	       uint32_t algorithm, isccc_sexpr_t **alistp)
+{
+	char key[256];
+	uint32_t len;
+	isc_result_t result;
+	isccc_sexpr_t *alist, *value;
+	bool first_tag;
+	unsigned char *checksum_rstart;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	checksum_rstart = NULL;
+	first_tag = true;
+	alist = isccc_alist_create();
+	if (alist == NULL)
+		return (ISC_R_NOMEMORY);
+
+	while (!REGION_EMPTY(*source)) {
+		GET8(len, source->rstart);
+		if (REGION_SIZE(*source) < len) {
+			result = ISC_R_UNEXPECTEDEND;
+			goto bad;
+		}
+		GET_MEM(key, len, source->rstart);
+		key[len] = '\0';	/* Ensure NUL termination. */
+		value = NULL;
+		result = value_fromwire(source, &value);
+		if (result != ISC_R_SUCCESS)
+			goto bad;
+		if (isccc_alist_define(alist, key, value) == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto bad;
+		}
+		if (first_tag && secret != NULL && strcmp(key, "_auth") == 0)
+			checksum_rstart = source->rstart;
+		first_tag = false;
+	}
+
+	if (secret != NULL) {
+		if (checksum_rstart != NULL)
+			result = verify(alist, checksum_rstart,
+					(unsigned int)
+					(source->rend - checksum_rstart),
+					algorithm, secret);
+		else
+			result = ISCCC_R_BADAUTH;
+	} else
+		result = ISC_R_SUCCESS;
+
+ bad:
+	if (result == ISC_R_SUCCESS)
+		*alistp = alist;
+	else
+		isccc_sexpr_free(&alist);
+
+	return (result);
+}
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
+	isccc_sexpr_t *list, *value;
+	isc_result_t result;
+
+	list = NULL;
+	while (!REGION_EMPTY(*source)) {
+		value = NULL;
+		result = value_fromwire(source, &value);
+		if (result != ISC_R_SUCCESS) {
+			isccc_sexpr_free(&list);
+			return (result);
+		}
+		if (isccc_sexpr_addtolist(&list, value) == NULL) {
+			isccc_sexpr_free(&value);
+			isccc_sexpr_free(&list);
+			return (ISC_R_NOMEMORY);
+		}
+	}
+
+	*listp = list;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+		  uint32_t algorithm, isccc_region_t *secret)
+{
+	unsigned int size;
+	uint32_t version;
+
+	size = REGION_SIZE(*source);
+	if (size < 4)
+		return (ISC_R_UNEXPECTEDEND);
+	GET32(version, source->rstart);
+	if (version != 1)
+		return (ISCCC_R_UNKNOWNVERSION);
+
+	return (table_fromwire(source, secret, algorithm, alistp));
+}
+
+static isc_result_t
+createmessage(uint32_t version, const char *from, const char *to,
+	      uint32_t serial, isccc_time_t now,
+	      isccc_time_t expires, isccc_sexpr_t **alistp,
+	      bool want_expires)
+{
+	isccc_sexpr_t *alist, *_ctrl, *_data;
+	isc_result_t result;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	if (version != 1)
+		return (ISCCC_R_UNKNOWNVERSION);
+
+	alist = isccc_alist_create();
+	if (alist == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = ISC_R_NOMEMORY;
+
+	_ctrl = isccc_alist_create();
+	if (_ctrl == NULL)
+		goto bad;
+	if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL) {
+		isccc_sexpr_free(&_ctrl);
+		goto bad;
+	}
+
+	_data = isccc_alist_create();
+	if (_data == NULL)
+		goto bad;
+	if (isccc_alist_define(alist, "_data", _data) == NULL) {
+		isccc_sexpr_free(&_data);
+		goto bad;
+	}
+
+	if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
+	    isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
+	    (want_expires &&
+	     isccc_cc_defineuint32(_ctrl, "_exp", expires) == NULL))
+		goto bad;
+	if (from != NULL &&
+	    isccc_cc_definestring(_ctrl, "_frm", from) == NULL)
+		goto bad;
+	if (to != NULL &&
+	    isccc_cc_definestring(_ctrl, "_to", to) == NULL)
+		goto bad;
+
+	*alistp = alist;
+
+	return (ISC_R_SUCCESS);
+
+ bad:
+	isccc_sexpr_free(&alist);
+
+	return (result);
+}
+
+isc_result_t
+isccc_cc_createmessage(uint32_t version, const char *from, const char *to,
+		       uint32_t serial, isccc_time_t now,
+		       isccc_time_t expires, isccc_sexpr_t **alistp)
+{
+	return (createmessage(version, from, to, serial, now, expires,
+			      alistp, true));
+}
+
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, bool ok,
+		   isccc_sexpr_t **ackp)
+{
+	char *_frm, *_to;
+	uint32_t serial;
+	isccc_sexpr_t *ack, *_ctrl;
+	isc_result_t result;
+	isccc_time_t t;
+
+	REQUIRE(ackp != NULL && *ackp == NULL);
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl) ||
+	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+	/*
+	 * _frm and _to are optional.
+	 */
+	_frm = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+	_to = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+	/*
+	 * Create the ack.
+	 */
+	ack = NULL;
+	result = createmessage(1, _to, _frm, serial, t, 0, &ack, false);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	_ctrl = isccc_alist_lookup(ack, "_ctrl");
+	if (_ctrl == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+	if (isccc_cc_definestring(ack, "_ack", (ok) ? "1" : "0") == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto bad;
+	}
+
+	*ackp = ack;
+
+	return (ISC_R_SUCCESS);
+
+ bad:
+	isccc_sexpr_free(&ack);
+
+	return (result);
+}
+
+bool
+isccc_cc_isack(isccc_sexpr_t *message) {
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl))
+		return (false);
+	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
+		return (true);
+	return (false);
+}
+
+bool
+isccc_cc_isreply(isccc_sexpr_t *message) {
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl))
+		return (false);
+	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
+		return (true);
+	return (false);
+}
+
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+			isccc_time_t expires, isccc_sexpr_t **alistp)
+{
+	char *_frm, *_to, *type = NULL;
+	uint32_t serial;
+	isccc_sexpr_t *alist, *_ctrl, *_data;
+	isc_result_t result;
+
+	REQUIRE(alistp != NULL && *alistp == NULL);
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	_data = isccc_alist_lookup(message, "_data");
+	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
+	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+	/*
+	 * _frm and _to are optional.
+	 */
+	_frm = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+	_to = NULL;
+	(void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+	/*
+	 * Create the response.
+	 */
+	alist = NULL;
+	result = isccc_cc_createmessage(1, _to, _frm, serial, now, expires,
+					 &alist);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	_ctrl = isccc_alist_lookup(alist, "_ctrl");
+	if (_ctrl == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+
+	_data = isccc_alist_lookup(alist, "_data");
+	if (_data == NULL) {
+		result = ISC_R_FAILURE;
+		goto bad;
+	}
+
+	if (isccc_cc_definestring(_ctrl, "_rpl", "1") == NULL ||
+	    isccc_cc_definestring(_data, "type", type) == NULL)
+	{
+		result = ISC_R_NOMEMORY;
+		goto bad;
+	}
+
+	*alistp = alist;
+
+	return (ISC_R_SUCCESS);
+
+ bad:
+	isccc_sexpr_free(&alist);
+	return (result);
+}
+
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str) {
+	size_t len;
+	isccc_region_t r;
+
+	len = strlen(str);
+	DE_CONST(str, r.rstart);
+	r.rend = r.rstart + len;
+
+	return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, uint32_t i) {
+	char b[100];
+	size_t len;
+	isccc_region_t r;
+
+	snprintf(b, sizeof(b), "%u", i);
+	len = strlen(b);
+	r.rstart = (unsigned char *)b;
+	r.rend = (unsigned char *)b + len;
+
+	return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp) {
+	isccc_sexpr_t *kv, *v;
+
+	REQUIRE(strp == NULL || *strp == NULL);
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = ISCCC_SEXPR_CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (strp != NULL)
+				*strp = isccc_sexpr_tostring(v);
+			return (ISC_R_SUCCESS);
+		} else
+			return (ISC_R_EXISTS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
+		      uint32_t *uintp)
+{
+	isccc_sexpr_t *kv, *v;
+
+	kv = isccc_alist_assq(alist, key);
+	if (kv != NULL) {
+		v = ISCCC_SEXPR_CDR(kv);
+		if (isccc_sexpr_binaryp(v)) {
+			if (uintp != NULL)
+				*uintp = (uint32_t)
+					strtoul(isccc_sexpr_tostring(v),
+						NULL, 10);
+			return (ISC_R_SUCCESS);
+		} else
+			return (ISC_R_EXISTS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+static void
+symtab_undefine(char *key, unsigned int type, isccc_symvalue_t value,
+		void *arg)
+{
+	UNUSED(type);
+	UNUSED(value);
+	UNUSED(arg);
+
+	free(key);
+}
+
+static bool
+symtab_clean(char *key, unsigned int type, isccc_symvalue_t value, void *arg) {
+	isccc_time_t *now;
+
+	UNUSED(key);
+	UNUSED(type);
+
+	now = arg;
+
+	if (*now < value.as_uinteger)
+		return (false);
+	if ((*now - value.as_uinteger) < DUP_LIFETIME)
+		return (false);
+	return (true);
+}
+
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp) {
+	return (isccc_symtab_create(11897, symtab_undefine, NULL, false,
+				  symtabp));
+}
+
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now) {
+	isccc_symtab_foreach(symtab, symtab_clean, &now);
+}
+
+static bool
+has_whitespace(const char *str) {
+	char c;
+
+	if (str == NULL)
+		return (false);
+	while ((c = *str++) != '\0') {
+		if (c == ' ' || c == '\t' || c == '\n')
+			return (true);
+	}
+	return (false);
+}
+
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+		  isccc_time_t now)
+{
+	const char *_frm;
+	const char *_to;
+	char *_ser = NULL, *_tim = NULL, *tmp;
+	isc_result_t result;
+	char *key;
+	size_t len;
+	isccc_symvalue_t value;
+	isccc_sexpr_t *_ctrl;
+
+	_ctrl = isccc_alist_lookup(message, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl) ||
+	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+
+	INSIST(_ser != NULL);
+	INSIST(_tim != NULL);
+
+	/*
+	 * _frm and _to are optional.
+	 */
+	tmp = NULL;
+	if (isccc_cc_lookupstring(_ctrl, "_frm", &tmp) != ISC_R_SUCCESS)
+		_frm = "";
+	else
+		_frm = tmp;
+	tmp = NULL;
+	if (isccc_cc_lookupstring(_ctrl, "_to", &tmp) != ISC_R_SUCCESS)
+		_to = "";
+	else
+		_to = tmp;
+	/*
+	 * Ensure there is no newline in any of the strings.  This is so
+	 * we can write them to a file later.
+	 */
+	if (has_whitespace(_frm) || has_whitespace(_to) ||
+	    has_whitespace(_ser) || has_whitespace(_tim))
+		return (ISC_R_FAILURE);
+	len = strlen(_frm) + strlen(_to) + strlen(_ser) + strlen(_tim) + 4;
+	key = malloc(len);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+	snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
+	value.as_uinteger = now;
+	result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
+				   isccc_symexists_reject);
+	if (result != ISC_R_SUCCESS) {
+		free(key);
+		return (result);
+	}
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
new file mode 100644
index 0000000..4cfa528
--- /dev/null
+++ b/lib/isccc/ccmsg.c
@@ -0,0 +1,230 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <isccc/events.h>
+#include <isccc/ccmsg.h>
+
+#define CCMSG_MAGIC		ISC_MAGIC('C', 'C', 'm', 's')
+#define VALID_CCMSG(foo)	ISC_MAGIC_VALID(foo, CCMSG_MAGIC)
+
+static void recv_length(isc_task_t *, isc_event_t *);
+static void recv_message(isc_task_t *, isc_event_t *);
+
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+	isc_region_t region;
+	isc_result_t result;
+
+	INSIST(VALID_CCMSG(ccmsg));
+
+	dev = &ccmsg->event;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		ccmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	/*
+	 * Success.
+	 */
+	ccmsg->size = ntohl(ccmsg->size);
+	if (ccmsg->size == 0) {
+		ccmsg->result = ISC_R_UNEXPECTEDEND;
+		goto send_and_free;
+	}
+	if (ccmsg->size > ccmsg->maxsize) {
+		ccmsg->result = ISC_R_RANGE;
+		goto send_and_free;
+	}
+
+	region.base = isc_mem_get(ccmsg->mctx, ccmsg->size);
+	region.length = ccmsg->size;
+	if (region.base == NULL) {
+		ccmsg->result = ISC_R_NOMEMORY;
+		goto send_and_free;
+	}
+
+	isc_buffer_init(&ccmsg->buffer, region.base, region.length);
+	result = isc_socket_recv(ccmsg->sock, &region, 0,
+				 task, recv_message, ccmsg);
+	if (result != ISC_R_SUCCESS) {
+		ccmsg->result = result;
+		goto send_and_free;
+	}
+
+	isc_event_free(&ev_in);
+	return;
+
+ send_and_free:
+	isc_task_send(ccmsg->task, &dev);
+	ccmsg->task = NULL;
+	isc_event_free(&ev_in);
+	return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+	isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+	isc_event_t *dev;
+	isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+
+	(void)task;
+
+	INSIST(VALID_CCMSG(ccmsg));
+
+	dev = &ccmsg->event;
+
+	if (ev->result != ISC_R_SUCCESS) {
+		ccmsg->result = ev->result;
+		goto send_and_free;
+	}
+
+	ccmsg->result = ISC_R_SUCCESS;
+	isc_buffer_add(&ccmsg->buffer, ev->n);
+	ccmsg->address = ev->address;
+
+ send_and_free:
+	isc_task_send(ccmsg->task, &dev);
+	ccmsg->task = NULL;
+	isc_event_free(&ev_in);
+}
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg) {
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(ccmsg != NULL);
+
+	ccmsg->magic = CCMSG_MAGIC;
+	ccmsg->size = 0;
+	ccmsg->buffer.base = NULL;
+	ccmsg->buffer.length = 0;
+	ccmsg->maxsize = 4294967295U;	/* Largest message possible. */
+	ccmsg->mctx = mctx;
+	ccmsg->sock = sock;
+	ccmsg->task = NULL;			/* None yet. */
+	ccmsg->result = ISC_R_UNEXPECTED;	/* None yet. */
+	/*
+	 * Should probably initialize the event here, but it can wait.
+	 */
+}
+
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	ccmsg->maxsize = maxsize;
+}
+
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
+		       isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+	isc_result_t result;
+	isc_region_t region;
+
+	REQUIRE(VALID_CCMSG(ccmsg));
+	REQUIRE(task != NULL);
+	REQUIRE(ccmsg->task == NULL);  /* not currently in use */
+
+	if (ccmsg->buffer.base != NULL) {
+		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+			    ccmsg->buffer.length);
+		ccmsg->buffer.base = NULL;
+		ccmsg->buffer.length = 0;
+	}
+
+	ccmsg->task = task;
+	ccmsg->action = action;
+	ccmsg->arg = arg;
+	ccmsg->result = ISC_R_UNEXPECTED;  /* unknown right now */
+
+	ISC_EVENT_INIT(&ccmsg->event, sizeof(isc_event_t), 0, 0,
+		       ISCCC_EVENT_CCMSG, action, arg, ccmsg,
+		       NULL, NULL);
+
+	region.base = (unsigned char *)&ccmsg->size;
+	region.length = 4;  /* uint32_t */
+	result = isc_socket_recv(ccmsg->sock, &region, 0,
+				 ccmsg->task, recv_length, ccmsg);
+
+	if (result != ISC_R_SUCCESS)
+		ccmsg->task = NULL;
+
+	return (result);
+}
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	isc_socket_cancel(ccmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+#if 0
+void
+isccc_ccmsg_freebuffer(isccc_ccmsg_t *ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	if (ccmsg->buffer.base == NULL)
+		return;
+
+	isc_mem_put(ccmsg->mctx, ccmsg->buffer.base, ccmsg->buffer.length);
+	ccmsg->buffer.base = NULL;
+	ccmsg->buffer.length = 0;
+}
+#endif
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg) {
+	REQUIRE(VALID_CCMSG(ccmsg));
+
+	ccmsg->magic = 0;
+
+	if (ccmsg->buffer.base != NULL) {
+		isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+			    ccmsg->buffer.length);
+		ccmsg->buffer.base = NULL;
+		ccmsg->buffer.length = 0;
+	}
+}
diff --git a/lib/isccc/include/Makefile.in b/lib/isccc/include/Makefile.in
new file mode 100644
index 0000000..aea49d7
--- /dev/null
+++ b/lib/isccc/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isccc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isccc/include/isccc/Makefile.in b/lib/isccc/include/isccc/Makefile.in
new file mode 100644
index 0000000..23903db
--- /dev/null
+++ b/lib/isccc/include/isccc/Makefile.in
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	alist.h base64.h cc.h ccmsg.h events.h lib.h result.h \
+		sexpr.h symtab.h symtype.h types.h util.h version.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccc
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isccc/$$i || exit 1; \
+	done
diff --git a/lib/isccc/include/isccc/alist.h b/lib/isccc/include/isccc/alist.h
new file mode 100644
index 0000000..ea50a44
--- /dev/null
+++ b/lib/isccc/include/isccc/alist.h
@@ -0,0 +1,81 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_ALIST_H
+#define ISCCC_ALIST_H 1
+
+/*! \file isccc/alist.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isccc_sexpr_t *
+isccc_alist_create(void);
+
+bool
+isccc_alist_alistp(isccc_sexpr_t *alist);
+
+bool
+isccc_alist_emptyp(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key);
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key);
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value);
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r);
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key);
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r);
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_ALIST_H */
diff --git a/lib/isccc/include/isccc/base64.h b/lib/isccc/include/isccc/base64.h
new file mode 100644
index 0000000..c9bf70a
--- /dev/null
+++ b/lib/isccc/include/isccc/base64.h
@@ -0,0 +1,78 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_BASE64_H
+#define ISCCC_BASE64_H 1
+
+/*! \file isccc/base64.h */
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+		  const char *wordbreak, isccc_region_t *target);
+/*%<
+ * Convert data into base64 encoded text.
+ *
+ * Notes:
+ *\li	The base64 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data.
+ *\li	'target' is a text region containing available space.
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters.
+ */
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target);
+/*%<
+ * Decode a null-terminated base64 string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *\li	#ISC_R_NOSPACE	-- 'target' is not big enough.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_BASE64_H */
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
new file mode 100644
index 0000000..5da2a72
--- /dev/null
+++ b/lib/isccc/include/isccc/cc.h
@@ -0,0 +1,129 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_CC_H
+#define ISCCC_CC_H 1
+
+/*! \file isccc/cc.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isc/buffer.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% from lib/dns/include/dst/dst.h */
+
+#define ISCCC_ALG_UNKNOWN	0
+#define ISCCC_ALG_HMACMD5	157
+#define ISCCC_ALG_HMACSHA1	161
+#define ISCCC_ALG_HMACSHA224	162
+#define ISCCC_ALG_HMACSHA256	163
+#define ISCCC_ALG_HMACSHA384	164
+#define ISCCC_ALG_HMACSHA512	165
+
+/*% Maximum Datagram Package */
+#define ISCCC_CC_MAXDGRAMPACKET		4096
+
+/*% Message Type String */
+#define ISCCC_CCMSGTYPE_STRING		0x00
+/*% Message Type Binary Data */
+#define ISCCC_CCMSGTYPE_BINARYDATA	0x01
+/*% Message Type Table */
+#define ISCCC_CCMSGTYPE_TABLE		0x02
+/*% Message Type List */
+#define ISCCC_CCMSGTYPE_LIST		0x03
+
+/*% Send to Wire */
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isc_buffer_t **buffer,
+		uint32_t algorithm, isccc_region_t *secret);
+
+/*% Get From Wire */
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+		  uint32_t algorithm, isccc_region_t *secret);
+
+/*% Create Message */
+isc_result_t
+isccc_cc_createmessage(uint32_t version, const char *from, const char *to,
+		       uint32_t serial, isccc_time_t now,
+		       isccc_time_t expires, isccc_sexpr_t **alistp);
+
+/*% Create Acknowledgment */
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, bool ok,
+		   isccc_sexpr_t **ackp);
+
+/*% Is Ack? */
+bool
+isccc_cc_isack(isccc_sexpr_t *message);
+
+/*% Is Reply? */
+bool
+isccc_cc_isreply(isccc_sexpr_t *message);
+
+/*% Create Response */
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+			isccc_time_t expires, isccc_sexpr_t **alistp);
+
+/*% Define String */
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
+
+/*% Define uint 32 */
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, uint32_t i);
+
+/*% Lookup String */
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+/*% Lookup uint 32 */
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
+		      uint32_t *uintp);
+
+/*% Create Symbol Table */
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp);
+
+/*% Clean up Symbol Table */
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
+
+/*% Check for Duplicates */
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+		  isccc_time_t now);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CC_H */
diff --git a/lib/isccc/include/isccc/ccmsg.h b/lib/isccc/include/isccc/ccmsg.h
new file mode 100644
index 0000000..230d985
--- /dev/null
+++ b/lib/isccc/include/isccc/ccmsg.h
@@ -0,0 +1,143 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_CCMSG_H
+#define ISCCC_CCMSG_H 1
+
+/*! \file isccc/ccmsg.h */
+
+#include <inttypes.h>
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+/*% ISCCC Message Structure */
+typedef struct isccc_ccmsg {
+	/* private (don't touch!) */
+	unsigned int		magic;
+	uint32_t		size;
+	isc_buffer_t		buffer;
+	unsigned int		maxsize;
+	isc_mem_t	       *mctx;
+	isc_socket_t	       *sock;
+	isc_task_t	       *task;
+	isc_taskaction_t	action;
+	void		       *arg;
+	isc_event_t		event;
+	/* public (read-only) */
+	isc_result_t		result;
+	isc_sockaddr_t		address;
+} isccc_ccmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
+/*%
+ * Associate a cc message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ *\li	"mctx" and "sock" be non-NULL and valid types.
+ *
+ *\li	"sock" be a read/write TCP socket.
+ *
+ *\li	"ccmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ *\li	"ccmsg" is a valid structure.
+ */
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
+/*%
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ *\li	512 <= "maxsize" <= 4294967296
+ */
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
+		       isc_task_t *task, isc_taskaction_t action, void *arg);
+/*%
+ * Schedule an event to be delivered when a command channel message is
+ * readable, or when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ *\li	"task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS		-- no error
+ *\li	Anything that the isc_socket_recv() call can return.  XXXMLG
+ *
+ * Notes:
+ *
+ *\li	The event delivered is a fully generic event.  It will contain no
+ *	actual data.  The sender will be a pointer to the isccc_ccmsg_t.
+ *	The result code inside that structure should be checked to see
+ *	what the final result was.
+ */
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
+/*%
+ * Cancel a readmessage() call.  The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ */
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
+/*%
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ *\li	"ccmsg" be valid.
+ *
+ * Ensures:
+ *
+ *\li	"ccmsg" is invalidated and disassociated with all memory contexts,
+ *	sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CCMSG_H */
diff --git a/lib/isccc/include/isccc/events.h b/lib/isccc/include/isccc/events.h
new file mode 100644
index 0000000..5b6d23f
--- /dev/null
+++ b/lib/isccc/include/isccc/events.h
@@ -0,0 +1,43 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_EVENTS_H
+#define ISCCC_EVENTS_H 1
+
+/*! \file isccc/events.h */
+
+#include <isc/eventclass.h>
+
+/*%
+ * Registry of ISCCC event numbers.
+ */
+
+#define ISCCC_EVENT_CCMSG			(ISC_EVENTCLASS_ISCCC + 0)
+
+#define ISCCC_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_ISCCC + 0)
+#define ISCCC_EVENT_LASTEVENT			(ISC_EVENTCLASS_ISCCC + 65535)
+
+#endif /* ISCCC_EVENTS_H */
diff --git a/lib/isccc/include/isccc/lib.h b/lib/isccc/include/isccc/lib.h
new file mode 100644
index 0000000..408dee4
--- /dev/null
+++ b/lib/isccc/include/isccc/lib.h
@@ -0,0 +1,48 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_LIB_H
+#define ISCCC_LIB_H 1
+
+/*! \file isccc/lib.h */
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
+
+void
+isccc_lib_initmsgcat(void);
+/*%
+ * Initialize the ISCCC library's message catalog, isccc_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_LIB_H */
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
new file mode 100644
index 0000000..6ff81ad
--- /dev/null
+++ b/lib/isccc/include/isccc/result.h
@@ -0,0 +1,66 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_RESULT_H
+#define ISCCC_RESULT_H 1
+
+/*! \file isccc/result.h */
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+#include <isc/result.h>
+
+#include <isccc/types.h>
+
+/*% Unknown Version */
+#define ISCCC_R_UNKNOWNVERSION		(ISC_RESULTCLASS_ISCCC + 0)
+/*% Syntax Error */
+#define ISCCC_R_SYNTAX			(ISC_RESULTCLASS_ISCCC + 1)
+/*% Bad Authorization */
+#define ISCCC_R_BADAUTH			(ISC_RESULTCLASS_ISCCC + 2)
+/*% Expired */
+#define ISCCC_R_EXPIRED			(ISC_RESULTCLASS_ISCCC + 3)
+/*% Clock Skew */
+#define ISCCC_R_CLOCKSKEW		(ISC_RESULTCLASS_ISCCC + 4)
+/*% Duplicate */
+#define ISCCC_R_DUPLICATE		(ISC_RESULTCLASS_ISCCC + 5)
+
+#define ISCCC_R_NRESULTS 		6	/*%< Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *
+isccc_result_totext(isc_result_t result);
+/*%
+ * Convert a isccc_result_t into a string message describing the result.
+ */
+
+void
+isccc_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_RESULT_H */
diff --git a/lib/isccc/include/isccc/sexpr.h b/lib/isccc/include/isccc/sexpr.h
new file mode 100644
index 0000000..10f215c
--- /dev/null
+++ b/lib/isccc/include/isccc/sexpr.h
@@ -0,0 +1,118 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_SEXPR_H
+#define ISCCC_SEXPR_H 1
+
+/*! \file isccc/sexpr.h */
+
+#include <stdbool.h>
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*% dotted pair structure */
+struct isccc_dottedpair {
+	isccc_sexpr_t *car;
+	isccc_sexpr_t *cdr;
+};
+
+/*% iscc_sexpr structure */
+struct isccc_sexpr {
+	unsigned int			type;
+	union {
+		char *			as_string;
+		isccc_dottedpair_t	as_dottedpair;
+		isccc_region_t		as_region;
+	}				value;
+};
+
+#define ISCCC_SEXPRTYPE_NONE		0x00	/*%< Illegal. */
+#define ISCCC_SEXPRTYPE_T			0x01
+#define ISCCC_SEXPRTYPE_STRING		0x02
+#define ISCCC_SEXPRTYPE_DOTTEDPAIR	0x03
+#define ISCCC_SEXPRTYPE_BINARY		0x04
+
+#define ISCCC_SEXPR_CAR(s)		(s)->value.as_dottedpair.car
+#define ISCCC_SEXPR_CDR(s)		(s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void);
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str);
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region);
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp);
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream);
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list);
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list);
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car);
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2);
+
+bool
+isccc_sexpr_listp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr);
+
+bool
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr);
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr);
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SEXPR_H */
diff --git a/lib/isccc/include/isccc/symtab.h b/lib/isccc/include/isccc/symtab.h
new file mode 100644
index 0000000..cd595a1
--- /dev/null
+++ b/lib/isccc/include/isccc/symtab.h
@@ -0,0 +1,130 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_SYMTAB_H
+#define ISCCC_SYMTAB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isccc/symtab.h
+ * \brief
+ * Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings.  A type may be specified when looking up,
+ * defining, or undefining.  A type value of 0 means "match any type";
+ * any other value will only match the given type.
+ *
+ * It's possible that a client will attempt to define a <key, type,
+ * value> tuple when a tuple with the given key and type already
+ * exists in the table.  What to do in this case is specified by the
+ * client.  Possible policies are:
+ *
+ *\li	isccc_symexists_reject	Disallow the define, returning #ISC_R_EXISTS
+ *\li	isccc_symexists_replace	Replace the old value with the new.  The
+ *				undefine action (if provided) will be called
+ *				with the old <key, type, value> tuple.
+ *\li	isccc_symexists_add	Add the new tuple, leaving the old tuple in
+ *				the table.  Subsequent lookups will retrieve
+ *				the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently
+ * defined symbol with that key.  An undefine of a key using type 0
+ * will undefine the most-recently defined symbol with that key.
+ * Trying to define a key with type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isccc_symtab_define()
+ * will not change until it calls isccc_symtab_undefine() or
+ * isccc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol
+ * is undefined.  It can be used to free memory associated with keys
+ * and/or values.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <stdbool.h>
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+/***
+ *** Symbol Tables.
+ ***/
+
+typedef union isccc_symvalue {
+	void *				as_pointer;
+	int				as_integer;
+	unsigned int			as_uinteger;
+} isccc_symvalue_t;
+
+typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type,
+					isccc_symvalue_t value, void *userarg);
+
+typedef bool (*isccc_symtabforeachaction_t)(char *key,
+						   unsigned int type,
+						   isccc_symvalue_t value,
+						   void *userarg);
+
+typedef enum {
+	isccc_symexists_reject = 0,
+	isccc_symexists_replace = 1,
+	isccc_symexists_add = 2
+} isccc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isccc_symtab_create(unsigned int size,
+		  isccc_symtabundefaction_t undefine_action, void *undefine_arg,
+		  bool case_sensitive, isccc_symtab_t **symtabp);
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp);
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+		  isccc_symvalue_t *value);
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+		  isccc_symvalue_t value, isccc_symexists_t exists_policy);
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type);
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+		   void *arg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SYMTAB_H */
diff --git a/lib/isccc/include/isccc/symtype.h b/lib/isccc/include/isccc/symtype.h
new file mode 100644
index 0000000..dbd9ad7
--- /dev/null
+++ b/lib/isccc/include/isccc/symtype.h
@@ -0,0 +1,37 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_SYMTYPE_H
+#define ISCCC_SYMTYPE_H 1
+
+/*! \file isccc/symtype.h */
+
+#define ISCCC_SYMTYPE_ZONESTATS			0x0001
+#define ISCCC_SYMTYPE_CCDUP			0x0002
+#define ISCCC_SYMTYPE_TELLSERVICE			0x0003
+#define ISCCC_SYMTYPE_TELLRESPONSE		0x0004
+
+#endif /* ISCCC_SYMTYPE_H */
diff --git a/lib/isccc/include/isccc/types.h b/lib/isccc/include/isccc/types.h
new file mode 100644
index 0000000..bea22c9
--- /dev/null
+++ b/lib/isccc/include/isccc/types.h
@@ -0,0 +1,52 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_TYPES_H
+#define ISCCC_TYPES_H 1
+
+/*! \file isccc/types.h */
+
+#include <inttypes.h>
+
+#include <isc/result.h>
+
+/*% isccc_time_t typedef */
+typedef uint32_t isccc_time_t;
+
+/*% isccc_sexpr_t typedef */
+typedef struct isccc_sexpr isccc_sexpr_t;
+/*% isccc_dottedpair_t typedef */
+typedef struct isccc_dottedpair isccc_dottedpair_t;
+/*% isccc_symtab_t typedef */
+typedef struct isccc_symtab isccc_symtab_t;
+
+/*% iscc region structure */
+typedef struct isccc_region {
+	unsigned char *		rstart;
+	unsigned char *		rend;
+} isccc_region_t;
+
+#endif /* ISCCC_TYPES_H */
diff --git a/lib/isccc/include/isccc/util.h b/lib/isccc/include/isccc/util.h
new file mode 100644
index 0000000..58e69b3
--- /dev/null
+++ b/lib/isccc/include/isccc/util.h
@@ -0,0 +1,220 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef ISCCC_UTIL_H
+#define ISCCC_UTIL_H 1
+
+#include <inttypes.h>
+
+#include <isc/util.h>
+
+/*! \file isccc/util.h
+ * \brief
+ * Macros for dealing with unaligned numbers.
+ *
+ * \note no side effects are allowed when invoking these macros!
+ */
+
+#define GET8(v, w) \
+	do { \
+		v = *w; \
+		w++; \
+	} while (0)
+
+#define GET16(v, w) \
+	do { \
+		v = (unsigned int)w[0] << 8; \
+		v |= (unsigned int)w[1]; \
+		w += 2; \
+	} while (0)
+
+#define GET24(v, w) \
+	do { \
+		v = (unsigned int)w[0] << 16; \
+		v |= (unsigned int)w[1] << 8; \
+		v |= (unsigned int)w[2]; \
+		w += 3; \
+	} while (0)
+
+#define GET32(v, w) \
+	do { \
+		v = (unsigned int)w[0] << 24; \
+		v |= (unsigned int)w[1] << 16; \
+		v |= (unsigned int)w[2] << 8; \
+		v |= (unsigned int)w[3]; \
+		w += 4; \
+	} while (0)
+
+#define GET64(v, w) \
+	do { \
+		v = (uint64_t)w[0] << 56; \
+		v |= (uint64_t)w[1] << 48; \
+		v |= (uint64_t)w[2] << 40; \
+		v |= (uint64_t)w[3] << 32; \
+		v |= (uint64_t)w[4] << 24; \
+		v |= (uint64_t)w[5] << 16; \
+		v |= (uint64_t)w[6] << 8; \
+		v |= (uint64_t)w[7]; \
+		w += 8; \
+	} while (0)
+
+#define GETC16(v, w, d) \
+	do { \
+		GET8(v, w); \
+		if (v == 0) \
+			d = ISCCC_TRUE; \
+		else { \
+			d = ISCCC_FALSE; \
+			if (v == 255) \
+				GET16(v, w); \
+		} \
+	} while (0)
+
+#define GETC32(v, w) \
+	do { \
+		GET24(v, w); \
+		if (v == 0xffffffu) \
+			GET32(v, w); \
+	} while (0)
+
+#define GET_OFFSET(v, w)		GET32(v, w)
+
+#define GET_MEM(v, c, w) \
+	do { \
+		memmove(v, w, c); \
+		w += c; \
+	} while (0)
+
+#define GET_TYPE(v, w) \
+	do { \
+		GET8(v, w); \
+		if (v > 127) { \
+			if (v < 255) \
+				v = ((v & 0x7f) << 16) | ISCCC_RDATATYPE_SIG; \
+			else \
+				GET32(v, w); \
+		} \
+	} while (0)
+
+#define PUT8(v, w) \
+	do { \
+		*w = (v & 0x000000ffU); \
+		w++; \
+	} while (0)
+
+#define PUT16(v, w) \
+	do { \
+		w[0] = (v & 0x0000ff00U) >> 8; \
+		w[1] = (v & 0x000000ffU); \
+		w += 2; \
+	} while (0)
+
+#define PUT24(v, w) \
+	do { \
+		w[0] = (v & 0x00ff0000U) >> 16; \
+		w[1] = (v & 0x0000ff00U) >> 8; \
+		w[2] = (v & 0x000000ffU); \
+		w += 3; \
+	} while (0)
+
+#define PUT32(v, w) \
+	do { \
+		w[0] = (v & 0xff000000U) >> 24; \
+		w[1] = (v & 0x00ff0000U) >> 16; \
+		w[2] = (v & 0x0000ff00U) >> 8; \
+		w[3] = (v & 0x000000ffU); \
+		w += 4; \
+	} while (0)
+
+#define PUT64(v, w) \
+	do { \
+		w[0] = (v & 0xff00000000000000ULL) >> 56; \
+		w[1] = (v & 0x00ff000000000000ULL) >> 48; \
+		w[2] = (v & 0x0000ff0000000000ULL) >> 40; \
+		w[3] = (v & 0x000000ff00000000ULL) >> 32; \
+		w[4] = (v & 0x00000000ff000000ULL) >> 24; \
+		w[5] = (v & 0x0000000000ff0000ULL) >> 16; \
+		w[6] = (v & 0x000000000000ff00ULL) >> 8; \
+		w[7] = (v & 0x00000000000000ffULL); \
+		w += 8; \
+	} while (0)
+
+#define PUTC16(v, w) \
+	do { \
+		if (v > 0 && v < 255) \
+			PUT8(v, w); \
+		else { \
+			PUT8(255, w); \
+			PUT16(v, w); \
+		} \
+	} while (0)
+
+#define PUTC32(v, w) \
+	do { \
+		if (v < 0xffffffU) \
+			PUT24(v, w); \
+		else { \
+			PUT24(0xffffffU, w); \
+			PUT32(v, w); \
+		} \
+	} while (0)
+
+#define PUT_OFFSET(v, w)		PUT32(v, w)
+
+#include <string.h>
+
+#define PUT_MEM(s, c, w) \
+	do { \
+		memmove(w, s, c); \
+		w += c; \
+	} while (0)
+
+/*
+ * Regions.
+ */
+#define REGION_SIZE(r)		((unsigned int)((r).rend - (r).rstart))
+#define REGION_EMPTY(r)		((r).rstart == (r).rend)
+#define REGION_FROMSTRING(r, s) do { \
+	(r).rstart = (unsigned char *)s; \
+	(r).rend = (r).rstart + strlen(s); \
+} while (0)
+
+/*%
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var) \
+	do { \
+		union { const void *k; void *v; } _u; \
+		_u.k = konst; \
+		var = _u.v; \
+	} while (0)
+
+#endif /* ISCCC_UTIL_H */
diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h
new file mode 100644
index 0000000..dcb352f
--- /dev/null
+++ b/lib/isccc/include/isccc/version.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isccc/version.h */
+
+#include <isc/platform.h>
+
+LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
+
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libinterface;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_librevision;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libage;
diff --git a/lib/isccc/lib.c b/lib/isccc/lib.c
new file mode 100644
index 0000000..1222bbe
--- /dev/null
+++ b/lib/isccc/lib.c
@@ -0,0 +1,71 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <isccc/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBISCCC_EXTERNAL_DATA isc_msgcat_t *		isccc_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t		msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+	isc_msgcat_open("libisccc.cat", &isccc_msgcat);
+}
+
+void
+isccc_lib_initmsgcat(void) {
+
+	/*
+	 * Initialize the DNS library's message catalog, isccc_msgcat, if it
+	 * has not already been initialized.
+	 */
+
+	RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
new file mode 100644
index 0000000..75f5ade
--- /dev/null
+++ b/lib/isccc/result.c
@@ -0,0 +1,94 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <isccc/result.h>
+#include <isccc/lib.h>
+
+static const char *text[ISCCC_R_NRESULTS] = {
+	"unknown version",			/* 1 */
+	"syntax error",				/* 2 */
+	"bad auth",				/* 3 */
+	"expired",				/* 4 */
+	"clock skew",				/* 5 */
+	"duplicate"				/* 6 */
+};
+
+static const char *ids[ISCCC_R_NRESULTS] = {
+	"ISCCC_R_UNKNOWNVERSION",
+	"ISCCC_R_SYNTAX",
+	"ISCCC_R_BADAUTH",
+	"ISCCC_R_EXPIRED",
+	"ISCCC_R_CLOCKSKEW",
+	"ISCCC_R_DUPLICATE",
+};
+
+#define ISCCC_RESULT_RESULTSET			2
+
+static isc_once_t		once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+	isc_result_t result;
+
+	result = isc_result_register(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
+				     text, isccc_msgcat,
+				     ISCCC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_register() failed: %u", result);
+
+	result = isc_result_registerids(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
+					ids, isccc_msgcat,
+					ISCCC_RESULT_RESULTSET);
+	if (result != ISC_R_SUCCESS)
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_result_registerids() failed: %u", result);
+}
+
+static void
+initialize(void) {
+	isccc_lib_initmsgcat();
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+isccc_result_totext(isc_result_t result) {
+	initialize();
+
+	return (isc_result_totext(result));
+}
+
+void
+isccc_result_register(void) {
+	initialize();
+}
diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c
new file mode 100644
index 0000000..68dbe44
--- /dev/null
+++ b/lib/isccc/sexpr.c
@@ -0,0 +1,301 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/print.h>
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+static isccc_sexpr_t sexpr_t = { ISCCC_SEXPRTYPE_T, { NULL } };
+
+#define CAR(s)			(s)->value.as_dottedpair.car
+#define CDR(s)			(s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr) {
+	isccc_sexpr_t *sexpr;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL)
+		return (NULL);
+	sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
+	CAR(sexpr) = car;
+	CDR(sexpr) = cdr;
+
+	return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void) {
+	return (&sexpr_t);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str) {
+	isccc_sexpr_t *sexpr;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL)
+		return (NULL);
+	sexpr->type = ISCCC_SEXPRTYPE_STRING;
+	sexpr->value.as_string = strdup(str);
+	if (sexpr->value.as_string == NULL) {
+		free(sexpr);
+		return (NULL);
+	}
+
+	return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region) {
+	isccc_sexpr_t *sexpr;
+	unsigned int region_size;
+
+	sexpr = malloc(sizeof(*sexpr));
+	if (sexpr == NULL)
+		return (NULL);
+	sexpr->type = ISCCC_SEXPRTYPE_BINARY;
+	region_size = REGION_SIZE(*region);
+	/*
+	 * We add an extra byte when we malloc so we can NUL terminate
+	 * the binary data.  This allows the caller to use it as a C
+	 * string.  It's up to the caller to ensure this is safe.  We don't
+	 * add 1 to the length of the binary region, because the NUL is
+	 * not part of the binary data.
+	 */
+	sexpr->value.as_region.rstart = malloc(region_size + 1);
+	if (sexpr->value.as_region.rstart == NULL) {
+		free(sexpr);
+		return (NULL);
+	}
+	sexpr->value.as_region.rend = sexpr->value.as_region.rstart +
+		region_size;
+	memmove(sexpr->value.as_region.rstart, region->rstart, region_size);
+	/*
+	 * NUL terminate.
+	 */
+	sexpr->value.as_region.rstart[region_size] = '\0';
+
+	return (sexpr);
+}
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp) {
+	isccc_sexpr_t *sexpr;
+	isccc_sexpr_t *item;
+
+	sexpr = *sexprp;
+	if (sexpr == NULL)
+		return;
+	switch (sexpr->type) {
+	case ISCCC_SEXPRTYPE_STRING:
+		free(sexpr->value.as_string);
+		break;
+	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+		item = CAR(sexpr);
+		if (item != NULL)
+			isccc_sexpr_free(&item);
+		item = CDR(sexpr);
+		if (item != NULL)
+			isccc_sexpr_free(&item);
+		break;
+	case ISCCC_SEXPRTYPE_BINARY:
+		free(sexpr->value.as_region.rstart);
+		break;
+	}
+	free(sexpr);
+
+	*sexprp = NULL;
+}
+
+static bool
+printable(isccc_region_t *r) {
+	unsigned char *curr;
+
+	curr = r->rstart;
+	while (curr != r->rend) {
+		if (!isprint(*curr))
+			return (false);
+		curr++;
+	}
+
+	return (true);
+}
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream) {
+	isccc_sexpr_t *cdr;
+	unsigned int size, i;
+	unsigned char *curr;
+
+	if (sexpr == NULL) {
+		fprintf(stream, "nil");
+		return;
+	}
+
+	switch (sexpr->type) {
+	case ISCCC_SEXPRTYPE_T:
+		fprintf(stream, "t");
+		break;
+	case ISCCC_SEXPRTYPE_STRING:
+		fprintf(stream, "\"%s\"", sexpr->value.as_string);
+		break;
+	case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+		fprintf(stream, "(");
+		do {
+			isccc_sexpr_print(CAR(sexpr), stream);
+			cdr = CDR(sexpr);
+			if (cdr != NULL) {
+				fprintf(stream, " ");
+				if (cdr->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
+					fprintf(stream, ". ");
+					isccc_sexpr_print(cdr, stream);
+					cdr = NULL;
+				}
+			}
+			sexpr = cdr;
+		} while (sexpr != NULL);
+		fprintf(stream, ")");
+		break;
+	case ISCCC_SEXPRTYPE_BINARY:
+		size = REGION_SIZE(sexpr->value.as_region);
+		curr = sexpr->value.as_region.rstart;
+		if (printable(&sexpr->value.as_region)) {
+			fprintf(stream, "'%.*s'", (int)size, curr);
+		} else {
+			fprintf(stream, "0x");
+			for (i = 0; i < size; i++)
+				fprintf(stream, "%02x", *curr++);
+		}
+		break;
+	default:
+		INSIST(0);
+	}
+}
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list) {
+	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	return (CAR(list));
+}
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list) {
+	REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	return (CDR(list));
+}
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car) {
+	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	CAR(pair) = car;
+}
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr) {
+	REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	CDR(pair) = cdr;
+}
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2) {
+	isccc_sexpr_t *last, *elt, *l1;
+
+	REQUIRE(l1p != NULL);
+	l1 = *l1p;
+	REQUIRE(l1 == NULL || l1->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+	elt = isccc_sexpr_cons(l2, NULL);
+	if (elt == NULL)
+		return (NULL);
+	if (l1 == NULL) {
+		*l1p = elt;
+		return (elt);
+	}
+	for (last = l1; CDR(last) != NULL; last = CDR(last))
+		/* Nothing */;
+	CDR(last) = elt;
+
+	return (elt);
+}
+
+bool
+isccc_sexpr_listp(isccc_sexpr_t *sexpr) {
+	if (sexpr == NULL || sexpr->type == ISCCC_SEXPRTYPE_DOTTEDPAIR)
+		return (true);
+	return (false);
+}
+
+bool
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr) {
+	if (sexpr == NULL)
+		return (true);
+	return (false);
+}
+
+bool
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr) {
+	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_STRING)
+		return (true);
+	return (false);
+}
+
+bool
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr) {
+	if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY)
+		return (true);
+	return (false);
+}
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr) {
+	REQUIRE(sexpr != NULL &&
+		(sexpr->type == ISCCC_SEXPRTYPE_STRING ||
+		 sexpr->type == ISCCC_SEXPRTYPE_BINARY));
+
+	if (sexpr->type == ISCCC_SEXPRTYPE_BINARY)
+		return ((char *)sexpr->value.as_region.rstart);
+	return (sexpr->value.as_string);
+}
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr) {
+	REQUIRE(sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY);
+	return (&sexpr->value.as_region);
+}
diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c
new file mode 100644
index 0000000..da59a78
--- /dev/null
+++ b/lib/isccc/symtab.c
@@ -0,0 +1,287 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/magic.h>
+#include <isc/string.h>
+
+#include <isccc/result.h>
+#include <isccc/symtab.h>
+#include <isccc/util.h>
+
+typedef struct elt {
+	char *				key;
+	unsigned int			type;
+	isccc_symvalue_t			value;
+	ISC_LINK(struct elt)		link;
+} elt_t;
+
+typedef ISC_LIST(elt_t)			eltlist_t;
+
+#define SYMTAB_MAGIC			ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st)		ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isccc_symtab {
+	unsigned int			magic;
+	unsigned int			size;
+	eltlist_t *			table;
+	isccc_symtabundefaction_t		undefine_action;
+	void *				undefine_arg;
+	bool			case_sensitive;
+};
+
+isc_result_t
+isccc_symtab_create(unsigned int size,
+		  isccc_symtabundefaction_t undefine_action,
+		  void *undefine_arg,
+		  bool case_sensitive,
+		  isccc_symtab_t **symtabp)
+{
+	isccc_symtab_t *symtab;
+	unsigned int i;
+
+	REQUIRE(symtabp != NULL && *symtabp == NULL);
+	REQUIRE(size > 0);	/* Should be prime. */
+
+	symtab = malloc(sizeof(*symtab));
+	if (symtab == NULL)
+		return (ISC_R_NOMEMORY);
+	symtab->table = malloc(size * sizeof(eltlist_t));
+	if (symtab->table == NULL) {
+		free(symtab);
+		return (ISC_R_NOMEMORY);
+	}
+	for (i = 0; i < size; i++)
+		ISC_LIST_INIT(symtab->table[i]);
+	symtab->size = size;
+	symtab->undefine_action = undefine_action;
+	symtab->undefine_arg = undefine_arg;
+	symtab->case_sensitive = case_sensitive;
+	symtab->magic = SYMTAB_MAGIC;
+
+	*symtabp = symtab;
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) {
+	ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+	if (symtab->undefine_action != NULL)
+		(symtab->undefine_action)(elt->key, elt->type, elt->value,
+					  symtab->undefine_arg);
+	free(elt);
+}
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp) {
+	isccc_symtab_t *symtab;
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(symtabp != NULL);
+	symtab = *symtabp;
+	REQUIRE(VALID_SYMTAB(symtab));
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = ISC_LIST_HEAD(symtab->table[i]);
+		     elt != NULL;
+		     elt = nelt) {
+			nelt = ISC_LIST_NEXT(elt, link);
+			free_elt(symtab, i, elt);
+		}
+	}
+	free(symtab->table);
+	symtab->magic = 0;
+	free(symtab);
+
+	*symtabp = NULL;
+}
+
+static inline unsigned int
+hash(const char *key, bool case_sensitive) {
+	const char *s;
+	unsigned int h = 0;
+	unsigned int g;
+	int c;
+
+	/*
+	 * P. J. Weinberger's hash function, adapted from p. 436 of
+	 * _Compilers: Principles, Techniques, and Tools_, Aho, Sethi
+	 * and Ullman, Addison-Wesley, 1986, ISBN 0-201-10088-6.
+	 */
+
+	if (case_sensitive) {
+		for (s = key; *s != '\0'; s++) {
+			h = ( h << 4 ) + *s;
+			if ((g = ( h & 0xf0000000 )) != 0) {
+				h = h ^ (g >> 24);
+				h = h ^ g;
+			}
+		}
+	} else {
+		for (s = key; *s != '\0'; s++) {
+			c = *s;
+			c = tolower((unsigned char)c);
+			h = ( h << 4 ) + c;
+			if ((g = ( h & 0xf0000000 )) != 0) {
+				h = h ^ (g >> 24);
+				h = h ^ g;
+			}
+		}
+	}
+
+	return (h);
+}
+
+#define FIND(s, k, t, b, e) \
+	b = hash((k), (s)->case_sensitive) % (s)->size; \
+	if ((s)->case_sensitive) { \
+		for (e = ISC_LIST_HEAD((s)->table[b]); \
+		     e != NULL; \
+		     e = ISC_LIST_NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) && \
+			    strcmp(e->key, (k)) == 0) \
+				break; \
+		} \
+	} else { \
+		for (e = ISC_LIST_HEAD((s)->table[b]); \
+		     e != NULL; \
+		     e = ISC_LIST_NEXT(e, link)) { \
+			if (((t) == 0 || e->type == (t)) && \
+			    strcasecmp(e->key, (k)) == 0) \
+				break; \
+		} \
+	}
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+		  isccc_symvalue_t *value)
+{
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL)
+		return (ISC_R_NOTFOUND);
+
+	if (value != NULL)
+		*value = elt->value;
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+		  isccc_symvalue_t value, isccc_symexists_t exists_policy)
+{
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+	REQUIRE(type != 0);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (exists_policy != isccc_symexists_add && elt != NULL) {
+		if (exists_policy == isccc_symexists_reject)
+			return (ISC_R_EXISTS);
+		INSIST(exists_policy == isccc_symexists_replace);
+		ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+		if (symtab->undefine_action != NULL)
+			(symtab->undefine_action)(elt->key, elt->type,
+						  elt->value,
+						  symtab->undefine_arg);
+	} else {
+		elt = malloc(sizeof(*elt));
+		if (elt == NULL)
+			return (ISC_R_NOMEMORY);
+		ISC_LINK_INIT(elt, link);
+	}
+
+	elt->key = key;
+	elt->type = type;
+	elt->value = value;
+
+	/*
+	 * We prepend so that the most recent definition will be found.
+	 */
+	ISC_LIST_PREPEND(symtab->table[bucket], elt, link);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type) {
+	unsigned int bucket;
+	elt_t *elt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(key != NULL);
+
+	FIND(symtab, key, type, bucket, elt);
+
+	if (elt == NULL)
+		return (ISC_R_NOTFOUND);
+
+	free_elt(symtab, bucket, elt);
+
+	return (ISC_R_SUCCESS);
+}
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+		   void *arg)
+{
+	unsigned int i;
+	elt_t *elt, *nelt;
+
+	REQUIRE(VALID_SYMTAB(symtab));
+	REQUIRE(action != NULL);
+
+	for (i = 0; i < symtab->size; i++) {
+		for (elt = ISC_LIST_HEAD(symtab->table[i]);
+		     elt != NULL;
+		     elt = nelt) {
+			nelt = ISC_LIST_NEXT(elt, link);
+			if ((action)(elt->key, elt->type, elt->value, arg))
+				free_elt(symtab, i, elt);
+		}
+	}
+}
diff --git a/lib/isccc/version.c b/lib/isccc/version.c
new file mode 100644
index 0000000..a3c1d9b
--- /dev/null
+++ b/lib/isccc/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <isccc/version.h>
+
+const char isccc_version[] = VERSION;
+
+const unsigned int isccc_libinterface = LIBINTERFACE;
+const unsigned int isccc_librevision = LIBREVISION;
+const unsigned int isccc_libage = LIBAGE;
diff --git a/lib/isccc/win32/DLLMain.c b/lib/isccc/win32/DLLMain.c
new file mode 100644
index 0000000..8ff1017
--- /dev/null
+++ b/lib/isccc/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason) {
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/isccc/win32/libisccc.def b/lib/isccc/win32/libisccc.def
new file mode 100644
index 0000000..7a06b9a
--- /dev/null
+++ b/lib/isccc/win32/libisccc.def
@@ -0,0 +1,70 @@
+LIBRARY libisccc
+
+; Exported Functions
+EXPORTS
+
+isccc_alist_create
+isccc_alist_alistp
+isccc_alist_emptyp
+isccc_alist_first
+isccc_alist_assq
+isccc_alist_delete
+isccc_alist_define
+isccc_alist_definestring
+isccc_alist_definebinary
+isccc_alist_lookup
+isccc_alist_lookupstring
+isccc_alist_lookupbinary
+isccc_alist_prettyprint
+isccc_base64_encode
+isccc_base64_decode
+isccc_cc_towire
+isccc_cc_fromwire
+isccc_cc_createmessage
+isccc_cc_createack
+isccc_cc_isack
+isccc_cc_isreply
+isccc_cc_createresponse
+isccc_cc_definestring
+isccc_cc_defineuint32
+isccc_cc_lookupstring
+isccc_cc_lookupuint32
+isccc_cc_createsymtab
+isccc_cc_cleansymtab
+isccc_cc_checkdup
+isccc_ccmsg_init
+isccc_ccmsg_setmaxsize
+isccc_ccmsg_readmessage
+isccc_ccmsg_cancelread
+isccc_ccmsg_invalidate
+isccc_lib_initmsgcat
+isccc_result_totext
+isccc_result_register
+isccc_sexpr_cons
+isccc_sexpr_tconst
+isccc_sexpr_fromstring
+isccc_sexpr_frombinary
+isccc_sexpr_free
+isccc_sexpr_print
+isccc_sexpr_car
+isccc_sexpr_cdr
+isccc_sexpr_setcar
+isccc_sexpr_setcdr
+isccc_sexpr_addtolist
+isccc_sexpr_listp
+isccc_sexpr_emptyp
+isccc_sexpr_stringp
+isccc_sexpr_binaryp
+isccc_sexpr_tostring
+isccc_sexpr_tobinary
+isccc_symtab_destroy
+isccc_symtab_create
+isccc_symtab_destroy
+isccc_symtab_lookup
+isccc_symtab_define
+isccc_symtab_undefine
+isccc_symtab_foreach
+
+; Exported Data
+
+;isccc_msgcat
diff --git a/lib/isccc/win32/libisccc.dsp.in b/lib/isccc/win32/libisccc.dsp.in
new file mode 100644
index 0000000..82c731e
--- /dev/null
+++ b/lib/isccc/win32/libisccc.dsp.in
@@ -0,0 +1,201 @@
+# Microsoft Developer Studio Project File - Name="libisccc" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libisccc - @PLATFORM@ Release
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccc - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisccc - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisccc.dll"
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccc_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libisccc.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libisccc - @PLATFORM@ Release"
+# Name "libisccc - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\alist.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\base64.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\cc.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\ccmsg.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lib.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\result.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\sexpr.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\symtab.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\isccc\alist.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\base64.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\cc.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\ccmsg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\events.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\lib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\sexpr.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\symtab.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\symtype.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\types.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\util.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccc\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libisccc.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/isccc/win32/libisccc.dsw b/lib/isccc/win32/libisccc.dsw
new file mode 100644
index 0000000..28eaa74
--- /dev/null
+++ b/lib/isccc/win32/libisccc.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libisccc"=.\libisccc.dsp - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/isccc/win32/libisccc.mak.in b/lib/isccc/win32/libisccc.mak.in
new file mode 100644
index 0000000..d6512d3
--- /dev/null
+++ b/lib/isccc/win32/libisccc.mak.in
@@ -0,0 +1,540 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libisccc.dsp
+!IF "$(CFG)" == ""
+CFG=libisccc - @PLATFORM@ Release
+!MESSAGE No configuration specified. Defaulting to libisccc - @PLATFORM@ Release.
+!ENDIF 
+
+!IF "$(CFG)" != "libisccc - @PLATFORM@ Release" && "$(CFG)" != "libisccc - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccc.mak" CFG="libisccc - @PLATFORM@ Release"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccc - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisccc - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libisccc.dll"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Release" "..\..\..\Build\Release\libisccc.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\alist.obj"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\cc.obj"
+	-@erase "$(INTDIR)\ccmsg.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\sexpr.obj"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libisccc.exp"
+	-@erase "$(OUTDIR)\libisccc.lib"
+	-@erase "..\..\..\Build\Release\libisccc.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccc.pdb" @MACHINE@ /def:".\libisccc.def" /out:"../../../Build/Release/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" 
+DEF_FILE= \
+	".\libisccc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\alist.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\cc.obj" \
+	"$(INTDIR)\ccmsg.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\sexpr.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libisccc.dll" "$(OUTDIR)\libisccc.bsc"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Debug" "..\..\..\Build\Debug\libisccc.dll" "$(OUTDIR)\libisccc.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\alist.obj"
+	-@erase "$(INTDIR)\alist.sbr"
+	-@erase "$(INTDIR)\base64.obj"
+	-@erase "$(INTDIR)\base64.sbr"
+	-@erase "$(INTDIR)\cc.obj"
+	-@erase "$(INTDIR)\cc.sbr"
+	-@erase "$(INTDIR)\ccmsg.obj"
+	-@erase "$(INTDIR)\ccmsg.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\lib.obj"
+	-@erase "$(INTDIR)\lib.sbr"
+	-@erase "$(INTDIR)\result.obj"
+	-@erase "$(INTDIR)\result.sbr"
+	-@erase "$(INTDIR)\sexpr.obj"
+	-@erase "$(INTDIR)\sexpr.sbr"
+	-@erase "$(INTDIR)\symtab.obj"
+	-@erase "$(INTDIR)\symtab.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libisccc.bsc"
+	-@erase "$(OUTDIR)\libisccc.exp"
+	-@erase "$(OUTDIR)\libisccc.lib"
+	-@erase "$(OUTDIR)\libisccc.pdb"
+	-@erase "..\..\..\Build\Debug\libisccc.dll"
+	-@erase "..\..\..\Build\Debug\libisccc.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCC_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccc.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccc.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\alist.sbr" \
+	"$(INTDIR)\base64.sbr" \
+	"$(INTDIR)\cc.sbr" \
+	"$(INTDIR)\ccmsg.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\lib.sbr" \
+	"$(INTDIR)\result.sbr" \
+	"$(INTDIR)\sexpr.sbr" \
+	"$(INTDIR)\symtab.sbr" \
+	"$(INTDIR)\version.sbr"
+
+"$(OUTDIR)\libisccc.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccc.pdb" /debug @MACHINE@ /def:".\libisccc.def" /out:"../../../Build/Debug/libisccc.dll" /implib:"$(OUTDIR)\libisccc.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisccc.def"
+LINK32_OBJS= \
+	"$(INTDIR)\alist.obj" \
+	"$(INTDIR)\base64.obj" \
+	"$(INTDIR)\cc.obj" \
+	"$(INTDIR)\ccmsg.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\lib.obj" \
+	"$(INTDIR)\result.obj" \
+	"$(INTDIR)\sexpr.obj" \
+	"$(INTDIR)\symtab.obj" \
+	"$(INTDIR)\version.obj" \
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libisccc.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisccc.dep")
+!INCLUDE "libisccc.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libisccc.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libisccc - @PLATFORM@ Release" || "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+SOURCE=..\alist.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\alist.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\alist.obj"	"$(INTDIR)\alist.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\base64.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\base64.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\base64.obj"	"$(INTDIR)\base64.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\cc.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\cc.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\cc.obj"	"$(INTDIR)\cc.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\ccmsg.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\ccmsg.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\ccmsg.obj"	"$(INTDIR)\ccmsg.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\lib.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lib.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lib.obj"	"$(INTDIR)\lib.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\result.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\result.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\result.obj"	"$(INTDIR)\result.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\sexpr.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sexpr.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sexpr.obj"	"$(INTDIR)\sexpr.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\symtab.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\symtab.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\symtab.obj"	"$(INTDIR)\symtab.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libisccc - @PLATFORM@ Release"
+
+"libisc - @PLATFORM@ Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" 
+   cd "..\..\isccc\win32"
+
+"libisc - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\isccc\win32"
+
+!ELSEIF  "$(CFG)" == "libisccc - @PLATFORM@ Debug"
+
+"libisc - @PLATFORM@ Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" 
+   cd "..\..\isccc\win32"
+
+"libisc - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\isccc\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/isccc/win32/libisccc.vcxproj.filters.in b/lib/isccc/win32/libisccc.vcxproj.filters.in
new file mode 100644
index 0000000..b17d13c
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.filters.in
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisccc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\alist.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\base64.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\cc.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\ccmsg.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lib.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\result.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\sexpr.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\symtab.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccc\alist.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\base64.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\cc.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\ccmsg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\events.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\lib.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\result.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\sexpr.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\symtab.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\symtype.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\util.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccc\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/isccc/win32/libisccc.vcxproj.in b/lib/isccc/win32/libisccc.vcxproj.in
new file mode 100644
index 0000000..0ba2049
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.in
@@ -0,0 +1,141 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B556705F-1920-4400-878A-B259D3556047}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisccc</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCC_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisccc.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\alist.c" />
+    <ClCompile Include="..\base64.c" />
+    <ClCompile Include="..\cc.c" />
+    <ClCompile Include="..\ccmsg.c" />
+    <ClCompile Include="..\lib.c" />
+    <ClCompile Include="..\result.c" />
+    <ClCompile Include="..\sexpr.c" />
+    <ClCompile Include="..\symtab.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccc\alist.h" />
+    <ClInclude Include="..\include\isccc\base64.h" />
+    <ClInclude Include="..\include\isccc\cc.h" />
+    <ClInclude Include="..\include\isccc\ccmsg.h" />
+    <ClInclude Include="..\include\isccc\events.h" />
+    <ClInclude Include="..\include\isccc\lib.h" />
+    <ClInclude Include="..\include\isccc\result.h" />
+    <ClInclude Include="..\include\isccc\sexpr.h" />
+    <ClInclude Include="..\include\isccc\symtab.h" />
+    <ClInclude Include="..\include\isccc\symtype.h" />
+    <ClInclude Include="..\include\isccc\types.h" />
+    <ClInclude Include="..\include\isccc\util.h" />
+    <ClInclude Include="..\include\isccc\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isccc/win32/libisccc.vcxproj.user b/lib/isccc/win32/libisccc.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/isccc/win32/libisccc.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/isccc/win32/version.c b/lib/isccc/win32/version.c
new file mode 100644
index 0000000..dfdd947
--- /dev/null
+++ b/lib/isccc/win32/version.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <isccc/version.h>
+
+LIBISCCC_EXTERNAL_DATA const char isccc_version[] = VERSION;
+
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_libinterface = LIBINTERFACE;
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_librevision = LIBREVISION;
+LIBISCCC_EXTERNAL_DATA const unsigned int isccc_libage = LIBAGE;
diff --git a/lib/isccfg/Atffile b/lib/isccfg/Atffile
new file mode 100644
index 0000000..1edb838
--- /dev/null
+++ b/lib/isccfg/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: tests
diff --git a/lib/isccfg/Kyuafile b/lib/isccfg/Kyuafile
new file mode 100644
index 0000000..0739e3a
--- /dev/null
+++ b/lib/isccfg/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
new file mode 100644
index 0000000..f459bd5
--- /dev/null
+++ b/lib/isccfg/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBISCCFG_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS =	../../lib/isc/libisc.@A@
+DNSLIBS =	../../lib/dns/libdns.@A@
+ISCCFGLIBS =	../../lib/cfg/libisccfg.@A@
+
+ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS =	libisccfg.@A@
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include
+TESTDIRS =	@UNITTESTS@
+
+# Alphabetically
+OBJS =		aclconf.@O@ dnsconf.@O@ log.@O@ namedconf.@O@ \
+		parser.@O@ version.@O@
+
+# Alphabetically
+SRCS =		aclconf.c dnsconf.c log.c namedconf.c \
+		parser.c version.c
+
+TARGETS = 	timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+libisccfg.@SA@: ${OBJS}
+	${AR} ${ARFLAGS} $@ ${OBJS}
+	${RANLIB} $@
+
+libisccfg.la: ${OBJS}
+	 ${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} ${DNSLIBS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ \
+		${LIBS}
+
+timestamp: libisccfg.@A@
+	touch timestamp
+
+testdirs: libisccfg.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libisccfg.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libisccfg.@A@
+
+clean distclean::
+	rm -f libisccfg.@A@ timestamp
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
new file mode 100644
index 0000000..3fa813e
--- /dev/null
+++ b/lib/isccfg/aclconf.c
@@ -0,0 +1,906 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+#include <isccfg/aclconf.h>
+
+#include <dns/acl.h>
+#include <dns/iptable.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+
+#ifdef HAVE_GEOIP
+#include <stdlib.h>
+#include <math.h>
+#endif /* HAVE_GEOIP */
+
+#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
+
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret) {
+	isc_result_t result;
+	cfg_aclconfctx_t *actx;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	actx = isc_mem_get(mctx, sizeof(*actx));
+	if (actx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_refcount_init(&actx->references, 1);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	actx->mctx = NULL;
+	isc_mem_attach(mctx, &actx->mctx);
+	ISC_LIST_INIT(actx->named_acl_cache);
+
+#ifdef HAVE_GEOIP
+	actx->geoip = NULL;
+#endif
+
+	*ret = actx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_put(mctx, actx, sizeof(*actx));
+	return (result);
+}
+
+void
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest) {
+	REQUIRE(src != NULL);
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references, NULL);
+	*dest = src;
+}
+
+void
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp) {
+	cfg_aclconfctx_t *actx;
+	dns_acl_t *dacl, *next;
+	unsigned int refs;
+
+	REQUIRE(actxp != NULL && *actxp != NULL);
+
+	actx = *actxp;
+
+	isc_refcount_decrement(&actx->references, &refs);
+	if (refs == 0) {
+		for (dacl = ISC_LIST_HEAD(actx->named_acl_cache);
+		     dacl != NULL;
+		     dacl = next)
+		{
+			next = ISC_LIST_NEXT(dacl, nextincache);
+			ISC_LIST_UNLINK(actx->named_acl_cache, dacl,
+					nextincache);
+			dns_acl_detach(&dacl);
+		}
+		isc_mem_putanddetach(&actx->mctx, actx, sizeof(*actx));
+	}
+
+	*actxp = NULL;
+}
+
+/*
+ * Find the definition of the named acl whose name is "name".
+ */
+static isc_result_t
+get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_obj_t *acls = NULL;
+	const cfg_listelt_t *elt;
+
+	result = cfg_map_get(cctx, "acl", &acls);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (elt = cfg_list_first(acls);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *acl = cfg_listelt_value(elt);
+		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+		if (strcasecmp(aclname, name) == 0) {
+			if (ret != NULL) {
+				*ret = cfg_tuple_get(acl, "value");
+			}
+			return (ISC_R_SUCCESS);
+		}
+	}
+	return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
+		  isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		  isc_mem_t *mctx, unsigned int nest_level,
+		  dns_acl_t **target)
+{
+	isc_result_t result;
+	const cfg_obj_t *cacl = NULL;
+	dns_acl_t *dacl;
+	dns_acl_t loop;
+	const char *aclname = cfg_obj_asstring(nameobj);
+
+	/* Look for an already-converted version. */
+	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
+	     dacl != NULL;
+	     dacl = ISC_LIST_NEXT(dacl, nextincache))
+	{
+		if (strcasecmp(aclname, dacl->name) == 0) {
+			if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
+				cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
+					    "acl loop detected: %s", aclname);
+				return (ISC_R_FAILURE);
+			}
+			dns_acl_attach(dacl, target);
+			return (ISC_R_SUCCESS);
+		}
+	}
+	/* Not yet converted.  Convert now. */
+	result = get_acl_def(cctx, aclname, &cacl);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING,
+			    "undefined ACL '%s'", aclname);
+		return (result);
+	}
+	/*
+	 * Add a loop detection element.
+	 */
+	memset(&loop, 0, sizeof(loop));
+	ISC_LINK_INIT(&loop, nextincache);
+	DE_CONST(aclname, loop.name);
+	loop.magic = LOOP_MAGIC;
+	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
+	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx,
+				    nest_level, &dacl);
+	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
+	loop.magic = 0;
+	loop.name = NULL;
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	dacl->name = isc_mem_strdup(dacl->mctx, aclname);
+	if (dacl->name == NULL)
+		return (ISC_R_NOMEMORY);
+	ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
+	dns_acl_attach(dacl, target);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
+		dns_name_t *dnsname)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fixname;
+	unsigned int keylen;
+	const char *txtname = cfg_obj_asstring(keyobj);
+
+	keylen = strlen(txtname);
+	isc_buffer_constinit(&buf, txtname, keylen);
+	isc_buffer_add(&buf, keylen);
+	dns_fixedname_init(&fixname);
+	result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
+				   dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING,
+			    "key name '%s' is not a valid domain name",
+			    txtname);
+		return (result);
+	}
+	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
+}
+
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static isc_result_t
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
+		   uint32_t *count, bool *has_negative)
+{
+	const cfg_listelt_t *elt;
+	isc_result_t result;
+	uint32_t n = 0;
+
+	REQUIRE(count != NULL);
+
+	if (has_negative != NULL)
+		*has_negative = false;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* might be a negated element, in which case get the value. */
+		if (cfg_obj_istuple(ce)) {
+			const cfg_obj_t *negated =
+				cfg_tuple_get(ce, "negated");
+			if (! cfg_obj_isvoid(negated)) {
+				ce = negated;
+				if (has_negative != NULL)
+					*has_negative = true;
+			}
+		}
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			bool negative;
+			uint32_t sub;
+			result = count_acl_elements(ce, cctx, lctx, ctx, mctx,
+						    &sub, &negative);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+			n += sub;
+			if (negative)
+				n++;
+#ifdef HAVE_GEOIP
+		} else if (cfg_obj_istuple(ce) &&
+			   cfg_obj_isvoid(cfg_tuple_get(ce, "negated")))
+		{
+			n++;
+#endif /* HAVE_GEOIP */
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0 ||
+			    strcasecmp(name, "none") == 0)
+			{
+				n++;
+			} else if (strcasecmp(name, "any") != 0) {
+				dns_acl_t *inneracl = NULL;
+				/*
+				 * Convert any named acls we reference now if
+				 * they have not already been converted.
+				 */
+				result = convert_named_acl(ce, cctx, lctx, ctx,
+							   mctx, 0, &inneracl);
+				if (result == ISC_R_SUCCESS) {
+					if (inneracl->has_negatives)
+						n++;
+					else
+						n += inneracl->length;
+					dns_acl_detach(&inneracl);
+				} else
+					return (result);
+			}
+		}
+	}
+
+	*count = n;
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef HAVE_GEOIP
+static dns_geoip_subtype_t
+get_subtype(const cfg_obj_t *obj, isc_log_t *lctx,
+	    dns_geoip_subtype_t subtype, const char *dbname)
+{
+	if (dbname == NULL)
+		return (subtype);
+
+	switch (subtype) {
+	case dns_geoip_countrycode:
+		if (strcasecmp(dbname, "city") == 0)
+			return (dns_geoip_city_countrycode);
+		else if (strcasecmp(dbname, "region") == 0)
+			return (dns_geoip_region_countrycode);
+		else if (strcasecmp(dbname, "country") == 0)
+			return (dns_geoip_country_code);
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid GeoIP DB specified for "
+			    "country search: ignored");
+		return (subtype);
+	case dns_geoip_countrycode3:
+		if (strcasecmp(dbname, "city") == 0)
+			return (dns_geoip_city_countrycode3);
+		else if (strcasecmp(dbname, "country") == 0)
+			return (dns_geoip_country_code3);
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid GeoIP DB specified for "
+			    "country search: ignored");
+		return (subtype);
+	case dns_geoip_countryname:
+		if (strcasecmp(dbname, "city") == 0)
+			return (dns_geoip_city_countryname);
+		else if (strcasecmp(dbname, "country") == 0)
+			return (dns_geoip_country_name);
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid GeoIP DB specified for "
+			    "country search: ignored");
+		return (subtype);
+	case dns_geoip_region:
+		if (strcasecmp(dbname, "city") == 0)
+			return (dns_geoip_city_region);
+		else if (strcasecmp(dbname, "region") == 0)
+			return (dns_geoip_region_code);
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid GeoIP DB specified for "
+			    "region search: ignored");
+		return (subtype);
+	case dns_geoip_regionname:
+		if (strcasecmp(dbname, "city") == 0)
+			return (dns_geoip_city_region);
+		else if (strcasecmp(dbname, "region") == 0)
+			return (dns_geoip_region_name);
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "invalid GeoIP DB specified for "
+			    "region search: ignored");
+		return (subtype);
+
+	/*
+	 * Log a warning if the wrong database was specified
+	 * on an unambiguous query
+	 */
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_timezonecode:
+		if (strcasecmp(dbname, "city") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "a 'city'-only search type: ignoring");
+		return (subtype);
+	case dns_geoip_isp_name:
+		if (strcasecmp(dbname, "isp") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "an 'isp' search: ignoring");
+		return (subtype);
+	case dns_geoip_org_name:
+		if (strcasecmp(dbname, "org") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "an 'org' search: ignoring");
+		return (subtype);
+	case dns_geoip_as_asnum:
+		if (strcasecmp(dbname, "asnum") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "an 'asnum' search: ignoring");
+		return (subtype);
+	case dns_geoip_domain_name:
+		if (strcasecmp(dbname, "domain") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "a 'domain' search: ignoring");
+		return (subtype);
+	case dns_geoip_netspeed_id:
+		if (strcasecmp(dbname, "netspeed") != 0)
+			cfg_obj_log(obj, lctx, ISC_LOG_WARNING,
+				    "invalid GeoIP DB specified for "
+				    "a 'netspeed' search: ignoring");
+		return (subtype);
+	default:
+		INSIST(0);
+	}
+}
+
+static bool
+geoip_can_answer(dns_aclelement_t *elt, cfg_aclconfctx_t *ctx) {
+	if (ctx->geoip == NULL)
+		return (true);
+
+	switch (elt->geoip_elem.subtype) {
+	case dns_geoip_countrycode:
+	case dns_geoip_countrycode3:
+	case dns_geoip_countryname:
+		if (ctx->geoip->city_v4 != NULL ||
+		    ctx->geoip->city_v6 != NULL ||
+		    ctx->geoip->country_v4 != NULL ||
+		    ctx->geoip->country_v6 != NULL ||
+		    ctx->geoip->region != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_region:
+	case dns_geoip_regionname:
+		if (ctx->geoip->city_v4 != NULL ||
+		    ctx->geoip->city_v6 != NULL ||
+		    ctx->geoip->region != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_country_code:
+	case dns_geoip_country_code3:
+	case dns_geoip_country_name:
+		if (ctx->geoip->country_v4 != NULL ||
+		    ctx->geoip->country_v6 != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_region_countrycode:
+	case dns_geoip_region_code:
+	case dns_geoip_region_name:
+		if (ctx->geoip->region != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_city_countrycode:
+	case dns_geoip_city_countrycode3:
+	case dns_geoip_city_countryname:
+	case dns_geoip_city_region:
+	case dns_geoip_city_regionname:
+	case dns_geoip_city_name:
+	case dns_geoip_city_postalcode:
+	case dns_geoip_city_metrocode:
+	case dns_geoip_city_areacode:
+	case dns_geoip_city_continentcode:
+	case dns_geoip_city_timezonecode:
+		if (ctx->geoip->city_v4 != NULL ||
+		    ctx->geoip->city_v6 != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_isp_name:
+		if (ctx->geoip->isp != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_org_name:
+		if (ctx->geoip->org != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_as_asnum:
+		if (ctx->geoip->as != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_domain_name:
+		if (ctx->geoip->domain != NULL)
+			return (true);
+		/* FALLTHROUGH */
+	case dns_geoip_netspeed_id:
+		if (ctx->geoip->netspeed != NULL)
+			return (true);
+	}
+
+	return (false);
+}
+
+static isc_result_t
+parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
+		    cfg_aclconfctx_t *ctx, dns_aclelement_t *dep)
+{
+	const cfg_obj_t *ge;
+	const char *dbname = NULL;
+	const char *stype, *search;
+	dns_geoip_subtype_t subtype;
+	dns_aclelement_t de;
+	size_t len;
+
+	REQUIRE(dep != NULL);
+
+	de = *dep;
+
+	ge = cfg_tuple_get(obj, "db");
+	if (!cfg_obj_isvoid(ge))
+		dbname = cfg_obj_asstring(ge);
+
+	stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
+	search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+	len = strlen(search);
+
+	if (len == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "zero-length geoip search field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(stype, "country") == 0 && len == 2) {
+		/* Two-letter country code */
+		subtype = dns_geoip_countrycode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "country") == 0 && len == 3) {
+		/* Three-letter country code */
+		subtype = dns_geoip_countrycode3;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "country") == 0) {
+		/* Country name */
+		subtype = dns_geoip_countryname;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "region") == 0 && len == 2) {
+		/* Two-letter region code */
+		subtype = dns_geoip_region;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "region") == 0) {
+		/* Region name */
+		subtype = dns_geoip_regionname;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "city") == 0) {
+		/* City name */
+		subtype = dns_geoip_city_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0 ||
+		   strcasecmp(stype, "postalcode") == 0)
+	{
+		if (len < 7) {
+			subtype = dns_geoip_city_postalcode;
+			strlcpy(de.geoip_elem.as_string, search,
+				sizeof(de.geoip_elem.as_string));
+		} else {
+			cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+				    "geoiop postal code (%s) too long",
+				    search);
+			return (ISC_R_FAILURE);
+		}
+	} else if (strcasecmp(stype, "metro") == 0 ||
+		   strcasecmp(stype, "metrocode") == 0)
+	{
+		subtype = dns_geoip_city_metrocode;
+		de.geoip_elem.as_int = atoi(search);
+	} else if (strcasecmp(stype, "area") == 0 ||
+		   strcasecmp(stype, "areacode") == 0)
+	{
+		subtype = dns_geoip_city_areacode;
+		de.geoip_elem.as_int = atoi(search);
+	} else if (strcasecmp(stype, "tz") == 0 ||
+		   strcasecmp(stype, "timezone") == 0)
+	{
+		subtype = dns_geoip_city_timezonecode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
+		/* Two-letter continent code */
+		subtype = dns_geoip_city_continentcode;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "geoiop continent code (%s) too long", search);
+		return (ISC_R_FAILURE);
+	} else if (strcasecmp(stype, "isp") == 0) {
+		subtype = dns_geoip_isp_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "asnum") == 0) {
+		subtype = dns_geoip_as_asnum;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "org") == 0) {
+		subtype = dns_geoip_org_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "domain") == 0) {
+		subtype = dns_geoip_domain_name;
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "netspeed") == 0) {
+		subtype = dns_geoip_netspeed_id;
+		de.geoip_elem.as_int = atoi(search);
+	} else
+		INSIST(0);
+
+	de.geoip_elem.subtype = get_subtype(obj, lctx, subtype, dbname);
+
+	if (! geoip_can_answer(&de, ctx)) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "no GeoIP database installed which can answer "
+			    "queries of type '%s'", stype);
+		return (ISC_R_FAILURE);
+	}
+
+	*dep = de;
+
+	return (ISC_R_SUCCESS);
+}
+#endif
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx, unsigned int nest_level,
+		   dns_acl_t **target)
+{
+	return (cfg_acl_fromconfig2(caml, cctx, lctx, ctx, mctx,
+				    nest_level, 0, target));
+}
+
+isc_result_t
+cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx, unsigned int nest_level,
+		   uint16_t family, dns_acl_t **target)
+{
+	isc_result_t result;
+	dns_acl_t *dacl = NULL, *inneracl = NULL;
+	dns_aclelement_t *de;
+	const cfg_listelt_t *elt;
+	dns_iptable_t *iptab;
+	int new_nest_level = 0;
+
+	if (nest_level != 0)
+		new_nest_level = nest_level - 1;
+
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
+
+	if (*target != NULL) {
+		/*
+		 * If target already points to an ACL, then we're being
+		 * called recursively to configure a nested ACL.  The
+		 * nested ACL's contents should just be absorbed into its
+		 * parent ACL.
+		 */
+		dns_acl_attach(*target, &dacl);
+		dns_acl_detach(target);
+	} else {
+		/*
+		 * Need to allocate a new ACL structure.  Count the items
+		 * in the ACL definition that will require space in the
+		 * elements table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
+		 */
+		uint32_t nelem;
+
+		if (nest_level == 0) {
+			result = count_acl_elements(caml, cctx, lctx, ctx,
+						    mctx, &nelem, NULL);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		} else
+			nelem = cfg_list_length(caml, false);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	de = dacl->elements;
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+		bool neg = false;
+
+		INSIST(dacl->length <= dacl->alloc);
+
+		if (cfg_obj_istuple(ce)) {
+			/* Might be a negated element */
+			const cfg_obj_t *negated =
+				cfg_tuple_get(ce, "negated");
+			if (! cfg_obj_isvoid(negated)) {
+				neg = true;
+				dacl->has_negatives = true;
+				ce = negated;
+			}
+		}
+
+		/*
+		 * If nest_level is nonzero, then every element is
+		 * to be stored as a separate, nested ACL rather than
+		 * merged into the main iptable.
+		 */
+		iptab = dacl->iptable;
+
+		if (nest_level != 0) {
+			result = dns_acl_create(mctx,
+						cfg_list_length(ce, false),
+						&de->nestedacl);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			iptab = de->nestedacl->iptable;
+		}
+
+		if (cfg_obj_isnetprefix(ce)) {
+			/* Network prefix */
+			isc_netaddr_t	addr;
+			unsigned int	bitlen;
+			bool	setpos, setecs;
+
+			cfg_obj_asnetprefix(ce, &addr, &bitlen);
+			if (family != 0 && family != addr.family) {
+				char buf[ISC_NETADDR_FORMATSIZE + 1];
+				isc_netaddr_format(&addr, buf, sizeof(buf));
+				cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+					    "'%s': incorrect address family; "
+					    "ignoring", buf);
+				if (nest_level != 0)
+					dns_acl_detach(&de->nestedacl);
+				continue;
+			}
+			result = isc_netaddr_prefixok(&addr, bitlen);
+			if (result != ISC_R_SUCCESS) {
+				char buf[ISC_NETADDR_FORMATSIZE + 1];
+				isc_netaddr_format(&addr, buf, sizeof(buf));
+				cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+					    "'%s/%u': address/prefix length "
+					    "mismatch", buf, bitlen);
+			}
+
+			/*
+			 * If nesting ACLs (nest_level != 0), we negate
+			 * the nestedacl element, not the iptable entry.
+			 */
+			setpos = (nest_level != 0 || !neg);
+			setecs = cfg_obj_istype(ce, &cfg_type_ecsprefix);
+			result = dns_iptable_addprefix2(iptab, &addr, bitlen,
+							setpos, setecs);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+
+			if (nest_level > 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+			} else
+				continue;
+		} else if (cfg_obj_islist(ce)) {
+			/*
+			 * If we're nesting ACLs, put the nested
+			 * ACL onto the elements list; otherwise
+			 * merge it into *this* ACL.  We nest ACLs
+			 * in two cases: 1) sortlist, 2) if the
+			 * nested ACL contains negated members.
+			 */
+			if (inneracl != NULL)
+				dns_acl_detach(&inneracl);
+			result = cfg_acl_fromconfig(ce, cctx, lctx,
+						    ctx, mctx, new_nest_level,
+						    &inneracl);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+nested_acl:
+			if (nest_level > 0 || inneracl->has_negatives) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+				if (de->nestedacl != NULL)
+					dns_acl_detach(&de->nestedacl);
+				dns_acl_attach(inneracl,
+					       &de->nestedacl);
+				dns_acl_detach(&inneracl);
+				/* Fall through. */
+			} else {
+				INSIST(dacl->length + inneracl->length
+				       <= dacl->alloc);
+				dns_acl_merge(dacl, inneracl,
+					      !neg);
+				de += inneracl->length;  /* elements added */
+				dns_acl_detach(&inneracl);
+				INSIST(dacl->length <= dacl->alloc);
+				continue;
+			}
+		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			/* Key name. */
+			INSIST(dacl->length < dacl->alloc);
+			de->type = dns_aclelementtype_keyname;
+			de->negative = neg;
+			dns_name_init(&de->keyname, NULL);
+			result = convert_keyname(ce, lctx, mctx,
+						 &de->keyname);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+#ifdef HAVE_GEOIP
+		} else if (cfg_obj_istuple(ce) &&
+			   cfg_obj_isvoid(cfg_tuple_get(ce, "negated")))
+		{
+			INSIST(dacl->length < dacl->alloc);
+			result = parse_geoip_element(ce, lctx, ctx, de);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			de->type = dns_aclelementtype_geoip;
+			de->negative = neg;
+#endif /* HAVE_GEOIP */
+		} else if (cfg_obj_isstring(ce)) {
+			/* ACL name. */
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "any") == 0) {
+				/* Iptable entry with zero bit length. */
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+					      (nest_level != 0 || !neg));
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				if (nest_level != 0) {
+					INSIST(dacl->length < dacl->alloc);
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = neg;
+				} else
+					continue;
+			} else if (strcasecmp(name, "none") == 0) {
+				/* none == !any */
+				/*
+				 * We don't unconditional set
+				 * dacl->has_negatives and
+				 * de->negative to true so we can handle
+				 * "!none;".
+				 */
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+					      (nest_level != 0 || neg));
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				if (!neg)
+					dacl->has_negatives = !neg;
+
+				if (nest_level != 0) {
+					INSIST(dacl->length < dacl->alloc);
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = !neg;
+				} else
+					continue;
+			} else if (strcasecmp(name, "localhost") == 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_localhost;
+				de->negative = neg;
+			} else if (strcasecmp(name, "localnets") == 0) {
+				INSIST(dacl->length < dacl->alloc);
+				de->type = dns_aclelementtype_localnets;
+				de->negative = neg;
+			} else {
+				if (inneracl != NULL)
+					dns_acl_detach(&inneracl);
+				/*
+				 * This call should just find the cached
+				 * of the named acl.
+				 */
+				result = convert_named_acl(ce, cctx, lctx, ctx,
+							   mctx, new_nest_level,
+							   &inneracl);
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				goto nested_acl;
+			}
+		} else {
+			cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+				    "address match list contains "
+				    "unsupported element type");
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/*
+		 * This should only be reached for localhost, localnets
+		 * and keyname elements, and nested ACLs if nest_level is
+		 * nonzero (i.e., in sortlists).
+		 */
+		if (de->nestedacl != NULL &&
+		    de->type != dns_aclelementtype_nestedacl)
+			dns_acl_detach(&de->nestedacl);
+
+		dacl->node_count++;
+		de->node_num = dacl->node_count;
+
+		dacl->length++;
+		de++;
+		INSIST(dacl->length <= dacl->alloc);
+	}
+
+	dns_acl_attach(dacl, target);
+	result = ISC_R_SUCCESS;
+
+ cleanup:
+	if (inneracl != NULL)
+		dns_acl_detach(&inneracl);
+	dns_acl_detach(&dacl);
+	return (result);
+}
diff --git a/lib/isccfg/api b/lib/isccfg/api
new file mode 100644
index 0000000..4cbb63b
--- /dev/null
+++ b/lib/isccfg/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 163
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/isccfg/dnsconf.c b/lib/isccfg/dnsconf.c
new file mode 100644
index 0000000..5d150c8
--- /dev/null
+++ b/lib/isccfg/dnsconf.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+
+/*%
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_trustedkey = {
+	"trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, trustedkey_fields
+};
+
+static cfg_type_t cfg_type_trustedkeys = {
+	"trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_trustedkey
+};
+
+/*%
+ * Clauses that can be found within the top level of the dns.conf
+ * file only.
+ */
+static cfg_clausedef_t
+dnsconf_clauses[] = {
+	{ "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*% The top-level dns.conf syntax. */
+
+static cfg_clausedef_t *
+dnsconf_clausesets[] = {
+	dnsconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_dnsconf = {
+	"dnsconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, dnsconf_clausesets
+};
diff --git a/lib/isccfg/include/Makefile.in b/lib/isccfg/include/Makefile.in
new file mode 100644
index 0000000..b2d2147
--- /dev/null
+++ b/lib/isccfg/include/Makefile.in
@@ -0,0 +1,17 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	isccfg
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in
new file mode 100644
index 0000000..e0fde73
--- /dev/null
+++ b/lib/isccfg/include/isccfg/Makefile.in
@@ -0,0 +1,40 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	aclconf.h cfg.h dnsconf.h grammar.h log.h namedconf.h \
+		version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccfg
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/isccfg/$$i || exit 1; \
+	done
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
new file mode 100644
index 0000000..005827e
--- /dev/null
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISCCFG_ACLCONF_H
+#define ISCCFG_ACLCONF_H 1
+
+#include <inttypes.h>
+
+#include <isc/lang.h>
+#include <isc/refcount.h>
+
+#include <isccfg/cfg.h>
+
+#ifdef HAVE_GEOIP
+#include <dns/geoip.h>
+#endif
+#include <dns/types.h>
+
+typedef struct cfg_aclconfctx {
+	ISC_LIST(dns_acl_t) named_acl_cache;
+	isc_mem_t *mctx;
+#ifdef HAVE_GEOIP
+	dns_geoip_databases_t *geoip;
+#endif
+	isc_refcount_t references;
+} cfg_aclconfctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+cfg_aclconfctx_create(isc_mem_t *mctx, cfg_aclconfctx_t **ret);
+/*
+ * Creates and initializes an ACL configuration context.
+ */
+
+void
+cfg_aclconfctx_detach(cfg_aclconfctx_t **actxp);
+/*
+ * Removes a reference to an ACL configuration context; when references
+ * reaches zero, clears the contents and deallocate the structure.
+ */
+
+void
+cfg_aclconfctx_attach(cfg_aclconfctx_t *src, cfg_aclconfctx_t **dest);
+/*
+ * Attaches a pointer to an existing ACL configuration context.
+ */
+
+isc_result_t
+cfg_acl_fromconfig(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx, unsigned int nest_level,
+		   dns_acl_t **target);
+
+isc_result_t
+cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_log_t *lctx, cfg_aclconfctx_t *ctx,
+		   isc_mem_t *mctx, unsigned int nest_level,
+		   uint16_t family, dns_acl_t **target);
+/*
+ * Construct a new dns_acl_t from configuration data in 'caml' and
+ * 'cctx'.  Memory is allocated through 'mctx'.
+ *
+ * Any named ACLs referred to within 'caml' will be be converted
+ * into nested dns_acl_t objects.  Multiple references to the same
+ * named ACLs will be converted into shared references to a single
+ * nested dns_acl_t object when the referring objects were created
+ * passing the same ACL configuration context 'ctx'.
+ *
+ * cfg_acl_fromconfig() is a backward-compatible version of
+ * cfg_acl_fromconfig2(), which allows an address family to be
+ * specified.  If 'family' is not zero, then only addresses/prefixes
+ * of a matching family (AF_INET or AF_INET6) may be configured.
+ *
+ * On success, attach '*target' to the new dns_acl_t object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_ACLCONF_H */
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
new file mode 100644
index 0000000..468ca29
--- /dev/null
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -0,0 +1,559 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_CFG_H
+#define ISCCFG_CFG_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file isccfg/cfg.h
+ * \brief
+ * This is the new, table-driven, YACC-free configuration file parser.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/list.h>
+
+/***
+ *** Types
+ ***/
+
+/*%
+ * A configuration parser.
+ */
+typedef struct cfg_parser cfg_parser_t;
+
+/*%
+ * A configuration type definition object.  There is a single
+ * static cfg_type_t object for each data type supported by
+ * the configuration parser.
+ */
+typedef struct cfg_type cfg_type_t;
+
+/*%
+ * A configuration object.  This is the basic building block of the
+ * configuration parse tree.  It contains a value (which may be
+ * of one of several types) and information identifying the file
+ * and line number the value came from, for printing error
+ * messages.
+ */
+typedef struct cfg_obj cfg_obj_t;
+
+/*%
+ * A configuration object list element.
+ */
+typedef struct cfg_listelt cfg_listelt_t;
+
+/*%
+ * A callback function to be called when parsing an option
+ * that needs to be interpreted at parsing time, like
+ * "directory".
+ */
+typedef isc_result_t
+(*cfg_parsecallback_t)(const char *clausename, const cfg_obj_t *obj, void *arg);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest);
+/*%<
+ * Reference a parser object.
+ */
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
+/*%<
+ * Create a configuration file parser.  Any warning and error
+ * messages will be logged to 'lctx'.
+ *
+ * The parser object returned can be used for a single call
+ * to cfg_parse_file() or cfg_parse_buffer().  It must not
+ * be reused for parsing multiple files or buffers.
+ */
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx,
+		       cfg_parsecallback_t callback,
+		       void *arg);
+/*%<
+ * Make the parser call 'callback' whenever it encounters
+ * a configuration clause with the callback attribute,
+ * passing it the clause name, the clause value,
+ * and 'arg' as arguments.
+ *
+ * To restore the default of not invoking callbacks, pass
+ * callback==NULL and arg==NULL.
+ */
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *file,
+	       const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		 const cfg_type_t *type, cfg_obj_t **ret);
+isc_result_t
+cfg_parse_buffer2(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, const cfg_type_t *type,
+		  cfg_obj_t **ret);
+isc_result_t
+cfg_parse_buffer3(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, cfg_obj_t **ret);
+isc_result_t
+cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, unsigned int flags,
+		  cfg_obj_t **ret);
+/*%<
+ * Read a configuration containing data of type 'type'
+ * and make '*ret' point to its parse tree.
+ *
+ * The configuration is read from the file 'filename'
+ * (isc_parse_file()) or the buffer 'buffer'
+ * (isc_parse_buffer()).
+ *
+ * If 'file' is not NULL, it is the name of the file, or a name to use
+ * for the buffer in place of the filename, when logging errors.
+ *
+ * If 'line' is not 0, then it is the beginning line number to report
+ * when logging errors. This is useful when passing text that has been
+ * read from the middle of a file.
+ *
+ * Returns an error if the file or buffer does not parse correctly.
+ *
+ * Requires:
+ *\li 	"filename" is valid.
+ *\li 	"mem" is valid.
+ *\li	"type" is valid.
+ *\li 	"cfg" is non-NULL and "*cfg" is NULL.
+ *\li   "flags" be one or more of CFG_PCTX_NODEPRECATED or zero.
+ *
+ * Returns:
+ *     \li #ISC_R_SUCCESS                 - success
+ *\li      #ISC_R_NOMEMORY                - no memory available
+ *\li      #ISC_R_INVALIDFILE             - file doesn't exist or is unreadable
+ *\li      others	                      - file contains errors
+ */
+
+isc_result_t
+cfg_parser_mapadd(cfg_parser_t *pctx, cfg_obj_t *mapobj,
+		  cfg_obj_t *obj, const char *clause);
+/*%<
+ * Add the object 'obj' to the specified clause in mapbody 'mapobj'.
+ * Used for adding new zones.
+ *
+ * Require:
+ * \li     'obj' is a valid cfg_obj_t.
+ * \li     'mapobj' is a valid cfg_obj_t of type map.
+ * \li     'pctx' is a valid cfg_parser_t.
+ */
+
+void
+cfg_parser_reset(cfg_parser_t *pctx);
+/*%<
+ * Reset an existing parser so it can be re-used for a new file or
+ * buffer.
+ */
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp);
+/*%<
+ * Remove a reference to a configuration parser; destroy it if there are no
+ * more references.
+ */
+
+bool
+cfg_obj_isvoid(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of void type (e.g., an optional
+ * value not specified).
+ */
+
+bool
+cfg_obj_ismap(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a map type.
+ */
+
+bool
+cfg_obj_isfixedpoint(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a fixedpoint type.
+ */
+
+bool
+cfg_obj_ispercentage(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a percentage type.
+ */
+
+isc_result_t
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj);
+/*%<
+ * Extract an element from a configuration object, which
+ * must be of a map type.
+ *
+ * Requires:
+ * \li     'mapobj' points to a valid configuration object of a map type.
+ * \li     'name' points to a null-terminated string.
+ * \li	'obj' is non-NULL and '*obj' is NULL.
+ *
+ * Returns:
+ * \li     #ISC_R_SUCCESS                  - success
+ * \li     #ISC_R_NOTFOUND                 - name not found in map
+ */
+
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj);
+/*%<
+ * Get the name of a named map object, like a server "key" clause.
+ *
+ * Requires:
+ *    \li  'mapobj' points to a valid configuration object of a map type.
+ *
+ * Returns:
+ * \li     A pointer to a configuration object naming the map object,
+ *	or NULL if the map object does not have a name.
+ */
+
+unsigned int
+cfg_map_count(const cfg_obj_t *mapobj);
+/*%<
+ * Get the number of elements defined in the symbol table of a map object.
+ *
+ * Requires:
+ *    \li  'mapobj' points to a valid configuration object of a map type.
+ *
+ * Returns:
+ * \li     The number of elements in the map object.
+ */
+
+bool
+cfg_obj_istuple(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a map type.
+ */
+
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char *name);
+/*%<
+ * Extract an element from a configuration object, which
+ * must be of a tuple type.
+ *
+ * Requires:
+ * \li     'tupleobj' points to a valid configuration object of a tuple type.
+ * \li     'name' points to a null-terminated string naming one of the
+ *\li	fields of said tuple type.
+ */
+
+bool
+cfg_obj_isuint32(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of integer type.
+ */
+
+uint32_t
+cfg_obj_asuint32(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of 32-bit integer type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of 32-bit integer type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+bool
+cfg_obj_isuint64(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of integer type.
+ */
+
+uint64_t
+cfg_obj_asuint64(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of 64-bit integer type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of 64-bit integer type.
+ *
+ * Returns:
+ * \li     A 64-bit unsigned integer.
+ */
+
+uint32_t
+cfg_obj_asfixedpoint(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of fixed point number.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of fixed point type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+uint32_t
+cfg_obj_aspercentage(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of percentage
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of percentage type.
+ *
+ * Returns:
+ * \li     A 32-bit unsigned integer.
+ */
+
+bool
+cfg_obj_isstring(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of string type.
+ */
+
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of a string type
+ * as a null-terminated string.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a string type.
+ *
+ * Returns:
+ * \li     A pointer to a null terminated string.
+ */
+
+bool
+cfg_obj_isboolean(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of a boolean type.
+ */
+
+bool
+cfg_obj_asboolean(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object of a boolean type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a boolean type.
+ *
+ * Returns:
+ * \li     A boolean value.
+ */
+
+bool
+cfg_obj_issockaddr(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is a socket address.
+ */
+
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj);
+/*%<
+ * Returns the value of a configuration object representing a socket address.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a socket address type.
+ *
+ * Returns:
+ * \li     A pointer to a sockaddr.  The sockaddr must be copied by the caller
+ *      if necessary.
+ */
+
+isc_dscp_t
+cfg_obj_getdscp(const cfg_obj_t *obj);
+/*%<
+ * Returns the DSCP value of a configuration object representing a
+ * socket address.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a
+ *         socket address type.
+ *
+ * Returns:
+ * \li     DSCP value associated with a sockaddr, or -1.
+ */
+
+bool
+cfg_obj_isnetprefix(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is a network prefix.
+ */
+
+void
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+		    unsigned int *prefixlen);
+/*%<
+ * Gets the value of a configuration object representing a network
+ * prefix.  The network address is returned through 'netaddr' and the
+ * prefix length in bits through 'prefixlen'.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of network prefix type.
+ *\li	'netaddr' and 'prefixlen' are non-NULL.
+ */
+
+bool
+cfg_obj_islist(const cfg_obj_t *obj);
+/*%<
+ * Return true iff 'obj' is of list type.
+ */
+
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj);
+/*%<
+ * Returns the first list element in a configuration object of a list type.
+ *
+ * Requires:
+ * \li     'obj' points to a valid configuration object of a list type or NULL.
+ *
+ * Returns:
+ *   \li   A pointer to a cfg_listelt_t representing the first list element,
+ * 	or NULL if the list is empty or nonexistent.
+ */
+
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt);
+/*%<
+ * Returns the next element of a list of configuration objects.
+ *
+ * Requires:
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ *	a previous call to cfg_list_next().
+ *
+ * Returns:
+ * \li     A pointer to a cfg_listelt_t representing the next element,
+ * 	or NULL if there are no more elements.
+ */
+
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, bool recurse);
+/*%<
+ * Returns the length of a list of configure objects.  If obj is
+ * not a list, returns 0.  If recurse is true, add in the length of
+ * all contained lists.
+ */
+
+cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt);
+/*%<
+ * Returns the configuration object associated with cfg_listelt_t.
+ *
+ * Requires:
+ * \li     'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ *	cfg_list_next().
+ *
+ * Returns:
+ * \li     A non-NULL pointer to a configuration object.
+ */
+
+void
+cfg_print(const cfg_obj_t *obj,
+	  void (*f)(void *closure, const char *text, int textlen),
+	  void *closure);
+void
+cfg_printx(const cfg_obj_t *obj, unsigned int flags,
+	   void (*f)(void *closure, const char *text, int textlen),
+	   void *closure);
+
+#define CFG_PRINTER_XKEY        0x1     /* '?' out shared keys. */
+#define CFG_PRINTER_ONELINE     0x2     /* print config as a single line */
+
+/*%<
+ * Print the configuration object 'obj' by repeatedly calling the
+ * function 'f', passing 'closure' and a region of text starting
+ * at 'text' and comprising 'textlen' characters.
+ *
+ * If CFG_PRINTER_XKEY the contents of shared keys will be obscured
+ * by replacing them with question marks ('?')
+ */
+
+void
+cfg_print_grammar(const cfg_type_t *type,
+	  void (*f)(void *closure, const char *text, int textlen),
+	  void *closure);
+/*%<
+ * Print a summary of the grammar of the configuration type 'type'.
+ */
+
+bool
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type);
+/*%<
+ * Return true iff 'obj' is of type 'type'.
+ */
+
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest);
+/*%<
+ * Reference a configuration object.
+ */
+
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
+/*%<
+ * Delete a reference to a configuration object; destroy the object if
+ * there are no more references.
+ *
+ * Require:
+ * \li     '*obj' is a valid cfg_obj_t.
+ * \li     'pctx' is a valid cfg_parser_t.
+ */
+
+void
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+	    const char *fmt, ...)
+	ISC_FORMAT_PRINTF(4, 5);
+/*%<
+ * Log a message concerning configuration object 'obj' to the logging
+ * channel of 'pctx', at log level 'level'.  The message will be prefixed
+ * with the file name(s) and line number where 'obj' was defined.
+ */
+
+const char *
+cfg_obj_file(const cfg_obj_t *obj);
+/*%<
+ * Return the file that defined this object.
+ */
+
+unsigned int
+cfg_obj_line(const cfg_obj_t *obj);
+/*%<
+ * Return the line in file where this object was defined.
+ */
+
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+		    unsigned int *idx);
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+		   unsigned int *idx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_CFG_H */
diff --git a/lib/isccfg/include/isccfg/dnsconf.h b/lib/isccfg/include/isccfg/dnsconf.h
new file mode 100644
index 0000000..51221d3
--- /dev/null
+++ b/lib/isccfg/include/isccfg/dnsconf.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_DNSCONF_H
+#define ISCCFG_DNSCONF_H 1
+
+
+/*! \file
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
+/*%< A complete dns.conf file. */
+
+#endif /* ISCCFG_DNSCONF_H */
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
new file mode 100644
index 0000000..9e0732a
--- /dev/null
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -0,0 +1,561 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef ISCCFG_GRAMMAR_H
+#define ISCCFG_GRAMMAR_H 1
+
+/*! \file isccfg/grammar.h */
+
+#include <inttypes.h>
+#include <stdbool.h>
+
+#include <isc/lex.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+#include <isc/sockaddr.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+/*
+ * Definitions shared between the configuration parser
+ * and the grammars; not visible to users of the parser.
+ */
+
+/*% Clause may occur multiple times (e.g., "zone") */
+#define CFG_CLAUSEFLAG_MULTI 		0x00000001
+/*% Clause is obsolete */
+#define CFG_CLAUSEFLAG_OBSOLETE 	0x00000002
+/*% Clause is not implemented, and may never be */
+#define CFG_CLAUSEFLAG_NOTIMP	 	0x00000004
+/*% Clause is not implemented yet */
+#define CFG_CLAUSEFLAG_NYI 		0x00000008
+/*% Default value has changed since earlier release */
+#define CFG_CLAUSEFLAG_NEWDEFAULT	0x00000010
+/*%
+ * Clause needs to be interpreted during parsing
+ * by calling a callback function, like the
+ * "directory" option.
+ */
+#define CFG_CLAUSEFLAG_CALLBACK		0x00000020
+/*% A option that is only used in testing. */
+#define CFG_CLAUSEFLAG_TESTONLY		0x00000040
+/*% A configuration option that was not configured at compile time. */
+#define CFG_CLAUSEFLAG_NOTCONFIGURED	0x00000080
+/*% A option for a experimental feature. */
+#define CFG_CLAUSEFLAG_EXPERIMENTAL	0x00000100
+/*% A configuration option that is ineffective due to
+ * compile time options, but is harmless. */
+#define CFG_CLAUSEFLAG_NOOP		0x00000200
+/*% Clause is obsolete in a future release */
+#define CFG_CLAUSEFLAG_DEPRECATED	0x00000400
+
+/*%
+ * Zone types for which a clause is valid:
+ * These share space with CFG_CLAUSEFLAG values, but count
+ * down from the top.
+ */
+#define CFG_ZONE_MASTER			0x80000000
+#define CFG_ZONE_SLAVE			0x40000000
+#define CFG_ZONE_STUB			0x20000000
+#define CFG_ZONE_HINT			0x10000000
+#define CFG_ZONE_FORWARD		0x08000000
+#define CFG_ZONE_STATICSTUB		0x04000000
+#define CFG_ZONE_REDIRECT		0x02000000
+#define CFG_ZONE_DELEGATION		0x01000000
+#define CFG_ZONE_INVIEW			0x00800000
+
+typedef struct cfg_clausedef cfg_clausedef_t;
+typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
+typedef struct cfg_printer cfg_printer_t;
+typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
+typedef struct cfg_map cfg_map_t;
+typedef struct cfg_rep cfg_rep_t;
+
+/*
+ * Function types for configuration object methods
+ */
+
+typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
+					cfg_obj_t **);
+typedef void	     (*cfg_printfunc_t)(cfg_printer_t *, const cfg_obj_t *);
+typedef void	     (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
+typedef void	     (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
+
+/*
+ * Structure definitions
+ */
+
+/*%
+ * A configuration printer object.  This is an abstract
+ * interface to a destination to which text can be printed
+ * by calling the function 'f'.
+ */
+struct cfg_printer {
+	void (*f)(void *closure, const char *text, int textlen);
+	void *closure;
+	int indent;
+	int flags;
+};
+
+/*% A clause definition. */
+struct cfg_clausedef {
+	const char      *name;
+	cfg_type_t      *type;
+	unsigned int	flags;
+};
+
+/*% A tuple field definition. */
+struct cfg_tuplefielddef {
+	const char      *name;
+	cfg_type_t      *type;
+	unsigned int	flags;
+};
+
+/*% A configuration object type definition. */
+struct cfg_type {
+	const char *name;	/*%< For debugging purposes only */
+	cfg_parsefunc_t	parse;
+	cfg_printfunc_t print;
+	cfg_docfunc_t	doc;	/*%< Print grammar description */
+	cfg_rep_t *	rep;	/*%< Data representation */
+	const void *	of;	/*%< Additional data for meta-types */
+};
+
+/*% A keyword-type definition, for things like "port <integer>". */
+typedef struct {
+	const char *name;
+	const cfg_type_t *type;
+} keyword_type_t;
+
+struct cfg_map {
+	cfg_obj_t	 *id; /*%< Used for 'named maps' like keys, zones, &c */
+	const cfg_clausedef_t * const *clausesets; /*%< The clauses that
+						      can occur in this map;
+						      used for printing */
+	isc_symtab_t     *symtab;
+};
+
+typedef struct cfg_netprefix cfg_netprefix_t;
+
+struct cfg_netprefix {
+	isc_netaddr_t address; /* IP4/IP6 */
+	unsigned int prefixlen;
+};
+
+/*%
+ * A configuration data representation.
+ */
+struct cfg_rep {
+	const char *	name;	/*%< For debugging only */
+	cfg_freefunc_t 	free;	/*%< How to free this kind of data. */
+};
+
+/*%
+ * A configuration object.  This is the main building block
+ * of the configuration parse tree.
+ */
+
+struct cfg_obj {
+	const cfg_type_t *type;
+	union {
+		uint32_t  	uint32;
+		uint64_t  	uint64;
+		isc_textregion_t string; /*%< null terminated, too */
+		bool 	boolean;
+		cfg_map_t	map;
+		cfg_list_t	list;
+		cfg_obj_t **	tuple;
+		isc_sockaddr_t	sockaddr;
+		struct {
+			isc_sockaddr_t	sockaddr;
+			isc_dscp_t	dscp;
+		} sockaddrdscp;
+		cfg_netprefix_t netprefix;
+	}               value;
+	isc_refcount_t  references;     /*%< reference counter */
+	const char *	file;
+	unsigned int    line;
+	cfg_parser_t *	pctx;
+};
+
+
+/*% A list element. */
+struct cfg_listelt {
+	cfg_obj_t               *obj;
+	ISC_LINK(cfg_listelt_t)  link;
+};
+
+/*% The parser object. */
+struct cfg_parser {
+	isc_mem_t *	mctx;
+	isc_log_t *	lctx;
+	isc_lex_t *	lexer;
+	unsigned int    errors;
+	unsigned int    warnings;
+	isc_token_t     token;
+
+	/*% We are at the end of all input. */
+	bool	seen_eof;
+
+	/*% The current token has been pushed back. */
+	bool	ungotten;
+
+	/*%
+	 * The stack of currently active files, represented
+	 * as a configuration list of configuration strings.
+	 * The head is the top-level file, subsequent elements
+	 * (if any) are the nested include files, and the
+	 * last element is the file currently being parsed.
+	 */
+	cfg_obj_t *	open_files;
+
+	/*%
+	 * Names of files that we have parsed and closed
+	 * and were previously on the open_file list.
+	 * We keep these objects around after closing
+	 * the files because the file names may still be
+	 * referenced from other configuration objects
+	 * for use in reporting semantic errors after
+	 * parsing is complete.
+	 */
+	cfg_obj_t *	closed_files;
+
+	/*%
+	 * Name of a buffer being parsed; used only for
+	 * logging.
+	 */
+	char const *	buf_name;
+
+	/*%
+	 * Current line number.  We maintain our own
+	 * copy of this so that it is available even
+	 * when a file has just been closed.
+	 */
+	unsigned int	line;
+
+	/*%
+	 * Parser context flags, used for maintaining state
+	 * from one token to the next.
+	 */
+	unsigned int flags;
+
+	/*%< Reference counter */
+	isc_refcount_t  references;
+
+	cfg_parsecallback_t callback;
+	void *callbackarg;
+};
+
+/* Parser context flags */
+#define CFG_PCTX_SKIP		0x1
+#define CFG_PCTX_NODEPRECATED	0x2
+
+/*@{*/
+/*%
+ * Flags defining whether to accept certain types of network addresses.
+ */
+#define CFG_ADDR_V4OK 		0x00000001
+#define CFG_ADDR_V4PREFIXOK 	0x00000002
+#define CFG_ADDR_V6OK 		0x00000004
+#define CFG_ADDR_WILDOK		0x00000008
+#define CFG_ADDR_DSCPOK		0x00000010
+#define CFG_ADDR_MASK		(CFG_ADDR_V6OK|CFG_ADDR_V4OK)
+/*@}*/
+
+/*@{*/
+/*%
+ * Predefined data representation types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_string;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_map;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_list;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_tuple;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_fixedpoint;
+LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_percentage;
+/*@}*/
+
+/*@{*/
+/*%
+ * Predefined configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bracketed_text;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddrdscp;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr4wild;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr6wild;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_fixedpoint;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_percentage;
+/*@}*/
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options);
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options);
+
+void
+cfg_ungettoken(cfg_parser_t *pctx);
+
+#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
+
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na);
+
+bool
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
+
+isc_result_t
+cfg_parse_dscp(cfg_parser_t *pctx, isc_dscp_t *dscp);
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special);
+/*%< Parse a required special character 'special'. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret);
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
+/*%< Print 'len' characters at 'text' */
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s);
+/*%< Print the null-terminated string 's' */
+
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **
+ret);
+
+void
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_fixedpoint(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret);
+
+void
+cfg_print_fixedpoint(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_percentage(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret);
+
+void
+cfg_print_percentage(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
+/*%<
+ * Print a description of the grammar of an arbitrary configuration
+ * type 'type'
+ */
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
+/*%<
+ * Document the type 'type' as a terminal by printing its
+ * name in angle brackets, e.g., &lt;uint32>.
+ */
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
+		 const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+/*!
+ * Pass one of these flags to cfg_parser_error() to include the
+ * token text in log message.
+ */
+#define CFG_LOG_NEAR    0x00000001	/*%< Say "near <token>" */
+#define CFG_LOG_BEFORE  0x00000002	/*%< Say "before <token>" */
+#define CFG_LOG_NOPREP  0x00000004	/*%< Say just "<token>" */
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
+		   const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+
+bool
+cfg_is_enum(const char *s, const char *const *enums);
+/*%< Return true iff the string 's' is one of the strings in 'enums' */
+
+bool
+cfg_clause_validforzone(const char *name, unsigned int ztype);
+/*%<
+ * Check whether an option is legal for the specified zone type.
+ */
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure);
+/*%<
+ * Print a summary of the grammar of the zone type represented by
+ * 'zonetype'.
+ */
+
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags);
+/*%<
+ * Print clause flags (e.g. "obsolete", "not implemented", etc) in
+ * human readable form
+ */
+
+void
+cfg_print_indent(cfg_printer_t *pctx);
+/*%<
+ * Print the necessary indent required by the current settings of 'pctx'.
+ */
+
+#endif /* ISCCFG_GRAMMAR_H */
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
new file mode 100644
index 0000000..5c7fe95
--- /dev/null
+++ b/lib/isccfg/include/isccfg/log.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISCCFG_LOG_H
+#define ISCCFG_LOG_H 1
+
+/*! \file isccfg/log.h */
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBISCCFG_EXTERNAL_DATA extern isc_logcategory_t cfg_categories[];
+LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t cfg_modules[];
+
+#define CFG_LOGCATEGORY_CONFIG	(&cfg_categories[0])
+
+#define CFG_LOGMODULE_PARSER	(&cfg_modules[0])
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_log_init(isc_log_t *lctx);
+/*%<
+ * Make the libisccfg categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ *\li	lctx is a valid logging context.
+ *
+ *\li	cfg_log_init() is called only once.
+ *
+ * Ensures:
+ * \li	The categories and modules defined above are available for
+ * 	use by isc_log_usechannnel() and isc_log_write().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_LOG_H */
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
new file mode 100644
index 0000000..0a191c9
--- /dev/null
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*! \file isccfg/namedconf.h
+ * \brief
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
+/*%< A complete named.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bindkeys;
+/*%< A bind.keys file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_newzones;
+/*%< A new-zones file (for zones added by 'rndc addzone'). */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_addzoneconf;
+/*%< A single zone passed via the addzone rndc command. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
+/*%< A complete rndc.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
+/*%< A complete rndc.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey;
+/*%< A complete session.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
+/*%< A key reference, used as an ACL element */
+
+/*%< An EDNS client subnet address, used as an ACL element */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix;
+
+/*%< Zone options */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_zoneopts;
+
+#endif /* ISCCFG_NAMEDCONF_H */
diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h
new file mode 100644
index 0000000..2e9a139
--- /dev/null
+++ b/lib/isccfg/include/isccfg/version.h
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file isccfg/version.h */
+
+#include <isc/platform.h>
+
+LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
+
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libinterface;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_librevision;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libage;
diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c
new file mode 100644
index 0000000..4fd5e57
--- /dev/null
+++ b/lib/isccfg/log.c
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <isccfg/log.h>
+
+/*%
+ * When adding a new category, be sure to add the appropriate
+ * \#define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
+	{ "config", 	0 },
+	{ NULL, 	0 }
+};
+
+/*%
+ * When adding a new module, be sure to add the appropriate
+ * \#define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
+	{ "isccfg/parser",	0 },
+	{ NULL, 		0 }
+};
+
+void
+cfg_log_init(isc_log_t *lctx) {
+	REQUIRE(lctx != NULL);
+
+	isc_log_registercategories(lctx, cfg_categories);
+	isc_log_registermodules(lctx, cfg_modules);
+}
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
new file mode 100644
index 0000000..cd797a6
--- /dev/null
+++ b/lib/isccfg/namedconf.c
@@ -0,0 +1,4013 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/ttl.h>
+#include <dns/result.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+#include <isccfg/namedconf.h>
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/*% Check a return value. */
+#define CHECK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto cleanup;	\
+	} while (0)
+
+/*% Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj) \
+	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
+
+
+/*%
+ * Forward declarations of static functions.
+ */
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+		    const cfg_type_t *othertype, cfg_obj_t **ret);
+
+static void
+doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
+		  const cfg_type_t *othertype);
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret);
+
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret);
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+#ifdef HAVE_GEOIP
+static isc_result_t
+parse_geoip(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_geoip(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type);
+#endif /* HAVE_GEOIP */
+
+static cfg_type_t cfg_type_acl;
+static cfg_type_t cfg_type_addrmatchelt;
+static cfg_type_t cfg_type_bracketed_aml;
+static cfg_type_t cfg_type_bracketed_dscpsockaddrlist;
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
+static cfg_type_t cfg_type_bracketed_sockaddrlist;
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
+static cfg_type_t cfg_type_controls;
+static cfg_type_t cfg_type_controls_sockaddr;
+static cfg_type_t cfg_type_destinationlist;
+static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_dlz;
+static cfg_type_t cfg_type_dnstap;
+static cfg_type_t cfg_type_dnstapoutput;
+static cfg_type_t cfg_type_dyndb;
+static cfg_type_t cfg_type_filter_aaaa;
+static cfg_type_t cfg_type_ixfrdifftype;
+static cfg_type_t cfg_type_key;
+static cfg_type_t cfg_type_logfile;
+static cfg_type_t cfg_type_logging;
+static cfg_type_t cfg_type_logseverity;
+static cfg_type_t cfg_type_lwres;
+static cfg_type_t cfg_type_masterselement;
+static cfg_type_t cfg_type_maxttl;
+static cfg_type_t cfg_type_minimal;
+static cfg_type_t cfg_type_nameportiplist;
+static cfg_type_t cfg_type_negated;
+static cfg_type_t cfg_type_notifytype;
+static cfg_type_t cfg_type_optional_allow;
+static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_dscp;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_keyref;
+static cfg_type_t cfg_type_optional_port;
+static cfg_type_t cfg_type_optional_uint32;
+static cfg_type_t cfg_type_options;
+static cfg_type_t cfg_type_portiplist;
+static cfg_type_t cfg_type_querysource4;
+static cfg_type_t cfg_type_querysource6;
+static cfg_type_t cfg_type_querysource;
+static cfg_type_t cfg_type_server;
+static cfg_type_t cfg_type_server_key_kludge;
+static cfg_type_t cfg_type_size;
+static cfg_type_t cfg_type_sizenodefault;
+static cfg_type_t cfg_type_sizeorpercent;
+static cfg_type_t cfg_type_sizeval;
+static cfg_type_t cfg_type_sockaddr4wild;
+static cfg_type_t cfg_type_sockaddr6wild;
+static cfg_type_t cfg_type_statschannels;
+static cfg_type_t cfg_type_ttlval;
+static cfg_type_t cfg_type_view;
+static cfg_type_t cfg_type_viewopts;
+static cfg_type_t cfg_type_zone;
+
+/*% tkey-dhkey */
+
+static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
+	{ "name", &cfg_type_qstring, 0 },
+	{ "keyid", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_tkey_dhkey = {
+	"tkey-dhkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, tkey_dhkey_fields
+};
+
+/*% listen-on */
+
+static cfg_tuplefielddef_t listenon_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_listenon = {
+	"listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, listenon_fields
+};
+
+/*% acl */
+
+static cfg_tuplefielddef_t acl_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "value", &cfg_type_bracketed_aml, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_acl = {
+	"acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, acl_fields
+};
+
+/*% masters */
+static cfg_tuplefielddef_t masters_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_masters = {
+	"masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, masters_fields
+};
+
+/*%
+ * "sockaddrkeylist", a list of socket addresses with optional keys
+ * and an optional default port, as used in the masters option.
+ * E.g.,
+ *   "port 1234 { mymasters; 10.0.0.1 key foo; 1::2 port 69; }"
+ */
+
+static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
+	{ "masterselement", &cfg_type_masterselement, 0 },
+	{ "key", &cfg_type_optional_keyref, 0 },
+	{ NULL, NULL, 0 },
+};
+
+static cfg_type_t cfg_type_namesockaddrkey = {
+	"namesockaddrkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, namesockaddrkey_fields
+};
+
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
+	"bracketed_namesockaddrkeylist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_namesockaddrkey
+};
+
+static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_namesockaddrkeylist = {
+	"sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, namesockaddrkeylist_fields
+};
+
+/*%
+ * A list of socket addresses with an optional default port, as used
+ * in the lwresd 'listen-on' option.  E.g., "{ 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t portiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ "addresses", &cfg_type_bracketed_dscpsockaddrlist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_portiplist = {
+	"portiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, portiplist_fields
+};
+
+/*%
+ * A public key, as in the "pubkey" statement.
+ */
+static cfg_tuplefielddef_t pubkey_fields[] = {
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_pubkey = {
+	"pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, pubkey_fields
+};
+
+/*%
+ * A list of RR types, used in grant statements.
+ * Note that the old parser allows quotes around the RR type names.
+ */
+static cfg_type_t cfg_type_rrtypelist = {
+	"rrtypelist", cfg_parse_spacelist, cfg_print_spacelist,
+	cfg_doc_terminal, &cfg_rep_list, &cfg_type_astring
+};
+
+static const char *mode_enums[] = { "deny", "grant", NULL };
+static cfg_type_t cfg_type_mode = {
+	"mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &mode_enums
+};
+
+static isc_result_t
+parse_matchtype(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "zonesub") == 0) {
+		pctx->flags |= CFG_PCTX_SKIP;
+	}
+	return (cfg_parse_enum(pctx, type, ret));
+
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_matchname(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	if ((pctx->flags & CFG_PCTX_SKIP) != 0) {
+		pctx->flags &= ~CFG_PCTX_SKIP;
+		CHECK(cfg_parse_void(pctx, NULL, &obj));
+	} else
+		result = cfg_parse_astring(pctx, type, &obj);
+
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
+static void
+doc_matchname(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_cstr(pctx, "[ ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static const char *matchtype_enums[] = {
+	"6to4-self", "external", "krb5-self", "krb5-selfsub",
+	"krb5-subdomain", "ms-self", "ms-selfsub", "ms-subdomain",
+	"name", "self", "selfsub", "selfwild", "subdomain", "tcp-self",
+	"wildcard", "zonesub", NULL
+};
+
+static cfg_type_t cfg_type_matchtype = {
+	"matchtype", parse_matchtype, cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &matchtype_enums
+};
+
+static cfg_type_t cfg_type_matchname = {
+	"optional_matchname", parse_matchname, cfg_print_ustring,
+	&doc_matchname, &cfg_rep_tuple, &cfg_type_ustring
+};
+
+/*%
+ * A grant statement, used in the update policy.
+ */
+static cfg_tuplefielddef_t grant_fields[] = {
+	{ "mode", &cfg_type_mode, 0 },
+	{ "identity", &cfg_type_astring, 0 }, /* domain name */
+	{ "matchtype", &cfg_type_matchtype, 0 },
+	{ "name", &cfg_type_matchname, 0 }, /* domain name */
+	{ "types", &cfg_type_rrtypelist, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_grant = {
+	"grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	 &cfg_rep_tuple, grant_fields
+};
+
+static cfg_type_t cfg_type_updatepolicy = {
+	"update_policy", parse_updatepolicy, print_updatepolicy,
+	doc_updatepolicy, &cfg_rep_list, &cfg_type_grant
+};
+
+static isc_result_t
+parse_updatepolicy(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret)
+{
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '{') {
+		cfg_ungettoken(pctx);
+		return (cfg_parse_bracketed_list(pctx, type, ret));
+	}
+
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "local") == 0) {
+		cfg_obj_t *obj = NULL;
+		CHECK(cfg_create_obj(pctx, &cfg_type_ustring, &obj));
+		obj->value.string.length = strlen("local");
+		obj->value.string.base	= isc_mem_get(pctx->mctx,
+						obj->value.string.length + 1);
+		if (obj->value.string.base == NULL) {
+			isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+			return (ISC_R_NOMEMORY);
+		}
+		memmove(obj->value.string.base, "local", 5);
+		obj->value.string.base[5] = '\0';
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	}
+
+	cfg_ungettoken(pctx);
+	return (ISC_R_UNEXPECTEDTOKEN);
+
+ cleanup:
+	return (result);
+}
+
+static void
+print_updatepolicy(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (cfg_obj_isstring(obj))
+		cfg_print_ustring(pctx, obj);
+	else
+		cfg_print_bracketed_list(pctx, obj);
+}
+
+static void
+doc_updatepolicy(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_print_cstr(pctx, "( local | { ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, "; ... }");
+}
+
+/*%
+ * A view statement.
+ */
+static cfg_tuplefielddef_t view_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_viewopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_view = {
+	"view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	 &cfg_rep_tuple, view_fields
+};
+
+/*%
+ * A zone statement.
+ */
+static cfg_tuplefielddef_t zone_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_zone = {
+	"zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, zone_fields
+};
+
+/*%
+ * A "category" clause in the "logging" statement.
+ */
+static cfg_tuplefielddef_t category_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "destinations", &cfg_type_destinationlist,0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_category = {
+	"category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, category_fields
+};
+
+
+/*%
+ * A dnssec key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t dnsseckey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_dnsseckey = {
+	"dnsseckey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, dnsseckey_fields
+};
+
+/*%
+ * A managed key initialization specifier, as used in the
+ * "managed-keys" statement.
+ */
+static cfg_tuplefielddef_t managedkey_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "init", &cfg_type_ustring, 0 },   /* must be literal "initial-key" */
+	{ "flags", &cfg_type_uint32, 0 },
+	{ "protocol", &cfg_type_uint32, 0 },
+	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "key", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_managedkey = {
+	"managedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, managedkey_fields
+};
+
+static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_class = {
+	"optional_wild_class", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string, &wild_class_kw
+};
+
+static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_type = {
+	"optional_wild_type", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_type_kw
+};
+
+static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
+
+static cfg_type_t cfg_type_optional_wild_name = {
+	"optional_wild_name", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
+};
+
+/*%
+ * An rrset ordering element.
+ */
+static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
+	{ "class", &cfg_type_optional_wild_class, 0 },
+	{ "type", &cfg_type_optional_wild_type, 0 },
+	{ "name", &cfg_type_optional_wild_name, 0 },
+	{ "order", &cfg_type_ustring, 0 }, /* must be literal "order" */
+	{ "ordering", &cfg_type_ustring, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rrsetorderingelement = {
+	"rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple, rrsetorderingelement_fields
+};
+
+/*%
+ * A global or view "check-names" option.  Note that the zone
+ * "check-names" option has a different syntax.
+ */
+
+static const char *checktype_enums[] = { "master", "slave", "response", NULL };
+static cfg_type_t cfg_type_checktype = {
+	"checktype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &checktype_enums
+};
+
+static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
+static cfg_type_t cfg_type_checkmode = {
+	"checkmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &checkmode_enums
+};
+
+static const char *warn_enums[] = { "warn", "ignore", NULL };
+static cfg_type_t cfg_type_warn = {
+	"warn", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &warn_enums
+};
+
+static cfg_tuplefielddef_t checknames_fields[] = {
+	{ "type", &cfg_type_checktype, 0 },
+	{ "mode", &cfg_type_checkmode, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_checknames = {
+	"checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, checknames_fields
+};
+
+static cfg_type_t cfg_type_bracketed_dscpsockaddrlist = {
+	"bracketed_sockaddrlist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_sockaddrdscp
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrlist = {
+	"bracketed_sockaddrlist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_sockaddr
+};
+
+static const char *autodnssec_enums[] = {
+	 "allow", "maintain", "off", NULL
+};
+static cfg_type_t cfg_type_autodnssec = {
+	"autodnssec", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &autodnssec_enums
+};
+
+static const char *dnssecupdatemode_enums[] = {
+	"maintain", "no-resign", NULL
+};
+static cfg_type_t cfg_type_dnssecupdatemode = {
+	"dnssecupdatemode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &dnssecupdatemode_enums
+};
+
+static const char *updatemethods_enums[] = {
+	"date", "increment", "unixtime", NULL
+};
+static cfg_type_t cfg_type_updatemethod = {
+	"updatemethod", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &updatemethods_enums
+};
+
+/*
+ * zone-statistics: full, terse, or none.
+ *
+ * for backward compatibility, we also support boolean values.
+ * yes represents "full", no represents "terse". in the future we
+ * may change no to mean "none".
+ */
+static const char *zonestat_enums[] = { "full", "terse", "none", NULL };
+static isc_result_t
+parse_zonestat(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_zonestat(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_zonestat = {
+	"zonestat", parse_zonestat, cfg_print_ustring, doc_zonestat,
+	&cfg_rep_string, zonestat_enums
+};
+
+static cfg_type_t cfg_type_rrsetorder = {
+	"rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_rrsetorderingelement
+};
+
+static keyword_type_t dscp_kw = { "dscp", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_dscp = {
+	"optional_dscp", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32, &dscp_kw
+};
+
+static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_port = {
+	"optional_port", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
+};
+
+/*% A list of keys, as in the "key" clause of the controls statement. */
+static cfg_type_t cfg_type_keylist = {
+	"keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
+};
+
+/*% A list of dnssec keys, as in "trusted-keys" */
+static cfg_type_t cfg_type_dnsseckeys = {
+	"dnsseckeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnsseckey
+};
+
+/*%
+ * A list of managed key entries, as in "trusted-keys".  Currently
+ * (9.7.0) this has a format similar to dnssec keys, except the keyname
+ * is followed by the keyword "initial-key".  In future releases, this
+ * keyword may take other values indicating different methods for the
+ * key to be initialized.
+ */
+
+static cfg_type_t cfg_type_managedkeys = {
+	"managedkeys", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_managedkey
+};
+
+static const char *forwardtype_enums[] = { "first", "only", NULL };
+static cfg_type_t cfg_type_forwardtype = {
+	"forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &forwardtype_enums
+};
+
+static const char *zonetype_enums[] = {
+	"delegation-only", "forward", "hint", "master", "redirect",
+	"slave", "static-stub", "stub", NULL
+};
+static cfg_type_t cfg_type_zonetype = {
+	"zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &zonetype_enums
+};
+
+static const char *loglevel_enums[] = {
+	"critical", "error", "warning", "notice", "info", "dynamic", NULL
+};
+static cfg_type_t cfg_type_loglevel = {
+	"loglevel", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &loglevel_enums
+};
+
+static const char *transferformat_enums[] = {
+	"many-answers", "one-answer", NULL
+};
+static cfg_type_t cfg_type_transferformat = {
+	"transferformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &transferformat_enums
+};
+
+/*%
+ * The special keyword "none", as used in the pid-file option.
+ */
+
+static void
+print_none(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "none");
+}
+
+static cfg_type_t cfg_type_none = {
+	"none", NULL, print_none, NULL, &cfg_rep_void, NULL
+};
+
+/*%
+ * A quoted string or the special keyword "none".  Used in the pid-file option.
+ */
+static isc_result_t
+parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <quoted_string> | none )");
+}
+
+static cfg_type_t cfg_type_qstringornone = {
+	"qstringornone", parse_qstringornone, NULL, doc_qstringornone,
+	NULL, NULL
+};
+
+/*%
+ * A boolean ("yes" or "no"), or the special keyword "auto".
+ * Used in the dnssec-validation option.
+ */
+static void
+print_auto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "auto");
+}
+
+static cfg_type_t cfg_type_auto = {
+	"auto", NULL, print_auto, NULL, &cfg_rep_void, NULL
+};
+
+static isc_result_t
+parse_boolorauto(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "auto") == 0)
+		return (cfg_create_obj(pctx, &cfg_type_auto, ret));
+	cfg_ungettoken(pctx);
+	return (cfg_parse_boolean(pctx, type, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+print_boolorauto(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (obj->type->rep == &cfg_rep_void)
+		cfg_print_cstr(pctx, "auto");
+	else if (obj->value.boolean)
+		cfg_print_cstr(pctx, "yes");
+	else
+		cfg_print_cstr(pctx, "no");
+}
+
+static void
+doc_boolorauto(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( yes | no | auto )");
+}
+
+static cfg_type_t cfg_type_boolorauto = {
+	"boolorauto", parse_boolorauto, print_boolorauto,
+	doc_boolorauto, NULL, NULL
+};
+
+/*%
+ * keyword hostname
+ */
+static void
+print_hostname(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	UNUSED(obj);
+	cfg_print_cstr(pctx, "hostname");
+}
+
+static cfg_type_t cfg_type_hostname = {
+	"hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
+};
+
+/*%
+ * "server-id" argument.
+ */
+
+static isc_result_t
+parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	isc_result_t result;
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+		return (cfg_create_obj(pctx, &cfg_type_none, ret));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "hostname") == 0) {
+		result = cfg_create_obj(pctx, &cfg_type_hostname, ret);
+		if (result == ISC_R_SUCCESS)
+			(*ret)->value.boolean = true;
+		return (result);
+	}
+	cfg_ungettoken(pctx);
+	return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <quoted_string> | none | hostname )");
+}
+
+static cfg_type_t cfg_type_serverid = {
+	"serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
+
+/*%
+ * Port list.
+ */
+static void
+print_porttuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "range ");
+	cfg_print_tuple(pctx, obj);
+}
+static cfg_tuplefielddef_t porttuple_fields[] = {
+	{ "loport", &cfg_type_uint32, 0 },
+	{ "hiport", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_porttuple = {
+	"porttuple", cfg_parse_tuple, print_porttuple, cfg_doc_tuple,
+	&cfg_rep_tuple, porttuple_fields
+};
+
+static isc_result_t
+parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	CHECK(cfg_parse_uint32(pctx, NULL, ret));
+	if ((*ret)->value.uint32 > 0xffff) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
+		cfg_obj_destroy(pctx, ret);
+		result = ISC_R_RANGE;
+	}
+
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type == isc_tokentype_number)
+		CHECK(parse_port(pctx, ret));
+	else {
+		CHECK(cfg_gettoken(pctx, 0));
+		if (pctx->token.type != isc_tokentype_string ||
+		    strcasecmp(TOKEN_STRING(pctx), "range") != 0) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected integer or 'range'");
+			return (ISC_R_UNEXPECTEDTOKEN);
+		}
+		CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj));
+		CHECK(parse_port(pctx, &obj->value.tuple[0]));
+		CHECK(parse_port(pctx, &obj->value.tuple[1]));
+		if (obj->value.tuple[0]->value.uint32 >
+		    obj->value.tuple[1]->value.uint32) {
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "low port '%u' must not be larger "
+					 "than high port",
+					 obj->value.tuple[0]->value.uint32);
+			result = ISC_R_RANGE;
+			goto cleanup;
+		}
+		*ret = obj;
+		obj = NULL;
+	}
+
+ cleanup:
+	if (obj != NULL)
+		cfg_obj_destroy(pctx, &obj);
+	return (result);
+}
+
+static cfg_type_t cfg_type_portrange = {
+	"portrange", parse_portrange, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_portlist = {
+	"bracketed_sockaddrlist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_portrange
+};
+
+static const char *cookiealg_enums[] = { "aes", "sha1", "sha256", NULL };
+static cfg_type_t cfg_type_cookiealg = {
+	"cookiealg", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &cookiealg_enums
+};
+
+/*%
+ * fetch-quota-params
+ */
+
+static cfg_tuplefielddef_t fetchquota_fields[] = {
+	{ "frequency", &cfg_type_uint32, 0 },
+	{ "low", &cfg_type_fixedpoint, 0 },
+	{ "high", &cfg_type_fixedpoint, 0 },
+	{ "discount", &cfg_type_fixedpoint, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_fetchquota = {
+	"fetchquota", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, fetchquota_fields
+};
+
+/*%
+ * fetches-per-server or fetches-per-zone
+ */
+
+static const char *response_enums[] = { "drop", "fail", NULL };
+
+static isc_result_t
+parse_optional_enum(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_void, ret));
+}
+
+static void
+doc_optional_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ ");
+	cfg_doc_enum(pctx, type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static cfg_type_t cfg_type_responsetype = {
+	"responsetype", parse_optional_enum, cfg_print_ustring,
+	doc_optional_enum, &cfg_rep_string, response_enums
+};
+
+static cfg_tuplefielddef_t fetchesper_fields[] = {
+	{ "fetches", &cfg_type_uint32, 0 },
+	{ "response", &cfg_type_responsetype, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_fetchesper = {
+	"fetchesper", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, fetchesper_fields
+};
+
+/*%
+ * Clauses that can be found within the top level of the named.conf
+ * file only.
+ */
+static cfg_clausedef_t
+namedconf_clauses[] = {
+	{ "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
+	{ "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
+	{ "logging", &cfg_type_logging, 0 },
+	{ "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
+	{ "masters", &cfg_type_masters, CFG_CLAUSEFLAG_MULTI },
+	{ "options", &cfg_type_options, 0 },
+	{ "statistics-channels", &cfg_type_statschannels,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can occur at the top level or in the view
+ * statement, but not in the options block.
+ */
+static cfg_clausedef_t
+namedconf_or_view_clauses[] = {
+	{ "dlz", &cfg_type_dlz, CFG_CLAUSEFLAG_MULTI },
+	{ "dyndb", &cfg_type_dyndb, CFG_CLAUSEFLAG_MULTI },
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can occur in the bind.keys file.
+ */
+static cfg_clausedef_t
+bindkeys_clauses[] = {
+	{ "managed-keys", &cfg_type_managedkeys, CFG_CLAUSEFLAG_MULTI },
+	{ "trusted-keys", &cfg_type_dnsseckeys, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static const char *fstrm_model_enums[] = { "mpsc", "spsc", NULL };
+static cfg_type_t cfg_type_fstrm_model = {
+	"model", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &fstrm_model_enums
+};
+
+/*%
+ * Clauses that can be found within the 'options' statement.
+ */
+static cfg_clausedef_t
+options_clauses[] = {
+	{ "answer-cookie", &cfg_type_boolean, 0 },
+	{ "automatic-interface-scan", &cfg_type_boolean, 0 },
+	{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "bindkeys-file", &cfg_type_qstring, 0 },
+	{ "blackhole", &cfg_type_bracketed_aml, 0 },
+	{ "cookie-algorithm", &cfg_type_cookiealg, 0 },
+	{ "cookie-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_MULTI },
+	{ "coresize", &cfg_type_size, 0 },
+	{ "datasize", &cfg_type_size, 0 },
+	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+#ifdef HAVE_DNSTAP
+	{ "dnstap-output", &cfg_type_dnstapoutput, 0 },
+	{ "dnstap-identity", &cfg_type_serverid, 0 },
+	{ "dnstap-version", &cfg_type_qstringornone, 0 },
+#else
+	{ "dnstap-output", &cfg_type_dnstapoutput,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnstap-identity", &cfg_type_serverid,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "dnstap-version", &cfg_type_qstringornone,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
+	{ "dscp", &cfg_type_uint32, 0 },
+	{ "dump-file", &cfg_type_qstring, 0 },
+	{ "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "files", &cfg_type_size, 0 },
+	{ "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
+#ifdef HAVE_DNSTAP
+	{ "fstrm-set-buffer-hint", &cfg_type_uint32, 0 },
+	{ "fstrm-set-flush-timeout", &cfg_type_uint32, 0 },
+	{ "fstrm-set-input-queue-size", &cfg_type_uint32, 0 },
+	{ "fstrm-set-output-notify-threshold", &cfg_type_uint32, 0 },
+	{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model, 0 },
+	{ "fstrm-set-output-queue-size", &cfg_type_uint32, 0 },
+	{ "fstrm-set-reopen-interval", &cfg_type_uint32, 0 },
+#else
+	{ "fstrm-set-buffer-hint", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-flush-timeout", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-input-queue-size", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-notify-threshold", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-queue-model", &cfg_type_fstrm_model,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-output-queue-size", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fstrm-set-reopen-interval", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_DNSTAP */
+#ifdef HAVE_GEOIP
+	{ "geoip-directory", &cfg_type_qstringornone, 0 },
+	{ "geoip-use-ecs", &cfg_type_boolean, 0 },
+#else
+	{ "geoip-directory", &cfg_type_qstringornone,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_GEOIP */
+	{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "heartbeat-interval", &cfg_type_uint32, 0 },
+	{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
+	{ "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+	{ "hostname", &cfg_type_qstringornone, 0 },
+	{ "interface-interval", &cfg_type_uint32, 0 },
+	{ "keep-response-order", &cfg_type_bracketed_aml, 0 },
+	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "lock-file", &cfg_type_qstringornone, 0 },
+	{ "managed-keys-directory", &cfg_type_qstring, 0 },
+	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
+	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
+	{ "memstatistics", &cfg_type_boolean, 0 },
+	{ "memstatistics-file", &cfg_type_qstring, 0 },
+	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "notify-rate", &cfg_type_uint32, 0 },
+	{ "pid-file", &cfg_type_qstringornone, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ "querylog", &cfg_type_boolean, 0 },
+	{ "random-device", &cfg_type_qstring, 0 },
+	{ "recursing-file", &cfg_type_qstring, 0 },
+	{ "recursive-clients", &cfg_type_uint32, 0 },
+	{ "reserved-sockets", &cfg_type_uint32, 0 },
+	{ "secroots-file", &cfg_type_qstring, 0 },
+	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "serial-query-rate", &cfg_type_uint32, 0 },
+	{ "server-id", &cfg_type_serverid, 0 },
+	{ "session-keyalg", &cfg_type_astring, 0 },
+	{ "session-keyfile", &cfg_type_qstringornone, 0 },
+	{ "session-keyname", &cfg_type_astring, 0 },
+	{ "sit-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "stacksize", &cfg_type_size, 0 },
+	{ "startup-notify-rate", &cfg_type_uint32, 0 },
+	{ "statistics-file", &cfg_type_qstring, 0 },
+	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
+	{ "tcp-clients", &cfg_type_uint32, 0 },
+	{ "tcp-listen-queue", &cfg_type_uint32, 0 },
+	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+	{ "tkey-domain", &cfg_type_qstring, 0 },
+	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+	{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
+	{ "transfer-message-size", &cfg_type_uint32, 0 },
+	{ "transfers-in", &cfg_type_uint32, 0 },
+	{ "transfers-out", &cfg_type_uint32, 0 },
+	{ "transfers-per-ns", &cfg_type_uint32, 0 },
+	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "use-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+	{ "version", &cfg_type_qstringornone, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_namelist = {
+	"namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring
+};
+
+static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exclude = {
+	"optional_exclude", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list, &exclude_kw
+};
+
+static keyword_type_t exceptionnames_kw = {
+	"except-from", &cfg_type_namelist
+};
+
+static cfg_type_t cfg_type_optional_exceptionnames = {
+	"optional_allow", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_list, &exceptionnames_kw
+};
+
+static cfg_tuplefielddef_t denyaddresses_fields[] = {
+	{ "acl", &cfg_type_bracketed_aml, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaddresses = {
+	"denyaddresses", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, denyaddresses_fields
+};
+
+static cfg_tuplefielddef_t denyaliases_fields[] = {
+	{ "name", &cfg_type_namelist, 0 },
+	{ "except-from", &cfg_type_optional_exceptionnames, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_denyaliases = {
+	"denyaliases", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, denyaliases_fields
+};
+
+static cfg_type_t cfg_type_algorithmlist = {
+	"algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
+};
+
+static cfg_tuplefielddef_t disablealgorithm_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "algorithms", &cfg_type_algorithmlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disablealgorithm = {
+	"disablealgorithm", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, disablealgorithm_fields
+};
+
+static cfg_type_t cfg_type_dsdigestlist = {
+	"dsdigestlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
+};
+
+static cfg_tuplefielddef_t disabledsdigest_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "digests", &cfg_type_dsdigestlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disabledsdigest = {
+	"disabledsdigest", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, disabledsdigest_fields
+};
+
+static cfg_tuplefielddef_t mustbesecure_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "value", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_mustbesecure = {
+	"mustbesecure", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, mustbesecure_fields
+};
+
+static const char *masterformat_enums[] = { "map", "raw", "text", NULL };
+static cfg_type_t cfg_type_masterformat = {
+	"masterformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &masterformat_enums
+};
+
+static const char *masterstyle_enums[] = { "full", "relative", NULL };
+static cfg_type_t cfg_type_masterstyle = {
+	"masterstyle", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &masterstyle_enums
+};
+
+/*%
+ *  dnstap {
+ *      &lt;message type&gt; [query | response] ;
+ *      ...
+ *  }
+ *
+ *  ... where message type is one of: client, resolver, auth, forwarder, all
+ */
+static const char *dnstap_types[] = {
+	"all", "auth", "client", "forwarder", "resolver", NULL
+};
+
+static const char *dnstap_modes[] = { "query", "response", NULL };
+
+static cfg_type_t cfg_type_dnstap_type = {
+	"dnstap_type", cfg_parse_enum, cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, dnstap_types
+};
+
+static cfg_type_t cfg_type_dnstap_mode = {
+	"dnstap_mode", parse_optional_enum, cfg_print_ustring,
+	doc_optional_enum, &cfg_rep_string, dnstap_modes
+};
+
+static cfg_tuplefielddef_t dnstap_fields[] = {
+	{ "type", &cfg_type_dnstap_type, 0 },
+	{ "mode", &cfg_type_dnstap_mode, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dnstap_entry = {
+	"dnstap_value", cfg_parse_tuple, cfg_print_tuple,
+	cfg_doc_tuple, &cfg_rep_tuple, dnstap_fields
+};
+
+static cfg_type_t cfg_type_dnstap = {
+	"dnstap", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_dnstap_entry
+};
+
+/*%
+ * dnstap-output
+ */
+static const char *dtoutmode_enums[] = { "file", "unix", NULL };
+static cfg_type_t cfg_type_dtmode = {
+	"dtmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+	&cfg_rep_string, &dtoutmode_enums
+};
+
+static cfg_tuplefielddef_t dtout_fields[] = {
+	{ "mode", &cfg_type_dtmode, 0 },
+	{ "path", &cfg_type_qstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dnstapoutput = {
+	"dnstapoutput", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, dtout_fields
+};
+
+/*%
+ *  response-policy {
+ *	zone &lt;string&gt; [ policy (given|disabled|passthru|drop|tcp-only|
+ *					nxdomain|nodata|cname &lt;domain&gt; ) ]
+ *		      [ recursive-only yes|no ] [ log yes|no ]
+ *		      [ max-policy-ttl number ] ;
+ *  } [ recursive-only yes|no ] [ max-policy-ttl number ]
+ *	 [ break-dnssec yes|no ] [ min-ns-dots number ]
+ *	 [ qname-wait-recurse yes|no ] ;
+ */
+
+static void
+doc_rpz_policy(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const char * const *p;
+	/*
+	 * This is cfg_doc_enum() without the trailing " )".
+	 */
+	cfg_print_cstr(pctx, "( ");
+	for (p = type->of; *p != NULL; p++) {
+		cfg_print_cstr(pctx, *p);
+		if (p[1] != NULL)
+			cfg_print_cstr(pctx, " | ");
+	}
+}
+
+static void
+doc_rpz_cname(cfg_printer_t *pctx, const cfg_type_t *type) {
+	cfg_doc_terminal(pctx, type);
+	cfg_print_cstr(pctx, " )");
+}
+
+/*
+ * Parse
+ *	given|disabled|passthru|drop|tcp-only|nxdomain|nodata|cname <domain>
+ */
+static isc_result_t
+cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	fields = type->of;
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+	/*
+	 * parse cname domain only after "policy cname"
+	 */
+	if (strcasecmp("cname", cfg_obj_asstring(obj->value.tuple[0])) != 0) {
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+	} else {
+		CHECK(cfg_parse_obj(pctx, fields[1].type,
+				    &obj->value.tuple[1]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+/*
+ * Parse a tuple consisting of any kind of required field followed
+ * by 2 or more optional keyvalues that can be in any order.
+ */
+static isc_result_t
+cfg_parse_kv_tuple(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret)
+{
+	const cfg_tuplefielddef_t *fields, *f;
+	cfg_obj_t *obj = NULL;
+	int fn;
+	isc_result_t result;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	/*
+	 * The zone first field is required and always first.
+	 */
+	fields = type->of;
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+		if (pctx->token.type != isc_tokentype_string)
+			break;
+
+		for (fn = 1, f = &fields[1]; ; ++fn, ++f) {
+			if (f->name == NULL) {
+				cfg_parser_error(pctx, 0, "unexpected '%s'",
+						 TOKEN_STRING(pctx));
+				result = ISC_R_UNEXPECTEDTOKEN;
+				goto cleanup;
+			}
+			if (obj->value.tuple[fn] == NULL &&
+			    strcasecmp(f->name, TOKEN_STRING(pctx)) == 0)
+				break;
+		}
+
+		CHECK(cfg_gettoken(pctx, 0));
+		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[fn]));
+	}
+
+	for (fn = 1, f = &fields[1]; f->name != NULL; ++fn, ++f) {
+		if (obj->value.tuple[fn] == NULL)
+			CHECK(cfg_parse_void(pctx, NULL,
+					     &obj->value.tuple[fn]));
+	}
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+cfg_print_kv_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields, *f;
+	const cfg_obj_t *fieldobj;
+
+	fields = obj->type->of;
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		fieldobj = obj->value.tuple[i];
+		if (fieldobj->type->print == cfg_print_void)
+			continue;
+		if (i != 0) {
+			cfg_print_cstr(pctx, " ");
+			cfg_print_cstr(pctx, f->name);
+			cfg_print_cstr(pctx, " ");
+		}
+		cfg_print_obj(pctx, fieldobj);
+	}
+}
+
+static void
+cfg_doc_kv_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_tuplefielddef_t *fields, *f;
+
+	fields = type->of;
+	for (f = fields; f->name != NULL; f++) {
+		if (f != fields) {
+			cfg_print_cstr(pctx, " [ ");
+			cfg_print_cstr(pctx, f->name);
+			if (f->type->doc != cfg_doc_void)
+				cfg_print_cstr(pctx, " ");
+		}
+		cfg_doc_obj(pctx, f->type);
+		if (f != fields)
+			cfg_print_cstr(pctx, " ]");
+	}
+}
+
+static keyword_type_t zone_kw = {"zone", &cfg_type_qstring};
+static cfg_type_t cfg_type_rpz_zone = {
+	"zone", parse_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_string,
+	&zone_kw
+};
+/*
+ * "no-op" is an obsolete equivalent of "passthru".
+ */
+static const char *rpz_policies[] = {
+	"cname", "disabled", "drop", "given", "no-op", "nodata",
+	"nxdomain", "passthru", "tcp-only", NULL
+};
+static cfg_type_t cfg_type_rpz_policy_name = {
+	"policy name", cfg_parse_enum, cfg_print_ustring,
+	doc_rpz_policy, &cfg_rep_string,
+	&rpz_policies
+};
+static cfg_type_t cfg_type_rpz_cname = {
+	"quoted_string", cfg_parse_astring, NULL,
+	doc_rpz_cname, &cfg_rep_string,
+	NULL
+};
+static cfg_tuplefielddef_t rpz_policy_fields[] = {
+	{ "policy name", &cfg_type_rpz_policy_name, 0 },
+	{ "cname", &cfg_type_rpz_cname, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_policy = {
+	"policy tuple", cfg_parse_rpz_policy,
+	cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+	rpz_policy_fields
+};
+static cfg_tuplefielddef_t rpz_zone_fields[] = {
+	{ "zone name", &cfg_type_rpz_zone, 0 },
+	{ "log", &cfg_type_boolean, 0 },
+	{ "max-policy-ttl", &cfg_type_uint32, 0 },
+	{ "policy", &cfg_type_rpz_policy, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz_tuple = {
+	"rpz tuple", cfg_parse_kv_tuple,
+	cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
+	rpz_zone_fields
+};
+static cfg_type_t cfg_type_rpz_list = {
+	"zone list", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_rpz_tuple
+};
+static cfg_tuplefielddef_t rpz_fields[] = {
+	{ "zone list", &cfg_type_rpz_list, 0 },
+	{ "break-dnssec", &cfg_type_boolean, 0 },
+	{ "max-policy-ttl", &cfg_type_uint32, 0 },
+	{ "min-ns-dots", &cfg_type_uint32, 0 },
+	{ "nsip-wait-recurse", &cfg_type_boolean, 0 },
+	{ "qname-wait-recurse", &cfg_type_boolean, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rpz = {
+	"rpz", cfg_parse_kv_tuple,
+	cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
+	rpz_fields
+};
+
+/*
+ * Catalog zones
+ */
+static cfg_type_t cfg_type_catz_zone = {
+	"zone", parse_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_string,
+	&zone_kw
+};
+
+static cfg_tuplefielddef_t catz_zone_fields[] = {
+	{ "zone name", &cfg_type_catz_zone, 0 },
+	{ "default-masters", &cfg_type_namesockaddrkeylist, 0 },
+	{ "zone-directory", &cfg_type_qstring, 0 },
+	{ "in-memory", &cfg_type_boolean, 0 },
+	{ "min-update-interval", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_catz_tuple = {
+	"catz tuple", cfg_parse_kv_tuple,
+	cfg_print_kv_tuple, cfg_doc_kv_tuple, &cfg_rep_tuple,
+	catz_zone_fields
+};
+static cfg_type_t cfg_type_catz_list = {
+	"zone list", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list,
+	&cfg_type_catz_tuple
+};
+static cfg_tuplefielddef_t catz_fields[] = {
+	{ "zone list", &cfg_type_catz_list, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_catz = {
+	"catz", cfg_parse_kv_tuple, cfg_print_kv_tuple,
+	cfg_doc_kv_tuple, &cfg_rep_tuple, catz_fields
+};
+
+/*
+ * rate-limit
+ */
+static cfg_clausedef_t rrl_clauses[] = {
+	{ "all-per-second", &cfg_type_uint32, 0 },
+	{ "errors-per-second", &cfg_type_uint32, 0 },
+	{ "exempt-clients", &cfg_type_bracketed_aml, 0 },
+	{ "ipv4-prefix-length", &cfg_type_uint32, 0 },
+	{ "ipv6-prefix-length", &cfg_type_uint32, 0 },
+	{ "log-only", &cfg_type_boolean, 0 },
+	{ "max-table-size", &cfg_type_uint32, 0 },
+	{ "min-table-size", &cfg_type_uint32, 0 },
+	{ "nodata-per-second", &cfg_type_uint32, 0 },
+	{ "nxdomains-per-second", &cfg_type_uint32, 0 },
+	{ "qps-scale", &cfg_type_uint32, 0 },
+	{ "referrals-per-second", &cfg_type_uint32, 0 },
+	{ "responses-per-second", &cfg_type_uint32, 0 },
+	{ "slip", &cfg_type_uint32, 0 },
+	{ "window", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *rrl_clausesets[] = {
+	rrl_clauses, NULL
+};
+
+static cfg_type_t cfg_type_rrl = {
+	"rate-limit", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, rrl_clausesets
+};
+
+/*%
+ * dnssec-lookaside
+ */
+
+static void
+print_lookaside(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_obj_t *domain = obj->value.tuple[0];
+
+	if (domain->value.string.length == 4 &&
+	    strncmp(domain->value.string.base, "auto", 4) == 0)
+		cfg_print_cstr(pctx, "auto");
+	else
+		cfg_print_tuple(pctx, obj);
+}
+
+static void
+doc_lookaside(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( <string> trust-anchor <string> | auto | no )");
+}
+
+static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
+
+static cfg_type_t cfg_type_optional_trustanchor = {
+	"optional_trustanchor", parse_optional_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_string, &trustanchor_kw
+};
+
+static cfg_tuplefielddef_t lookaside_fields[] = {
+	{ "domain", &cfg_type_astring, 0 },
+	{ "trust-anchor", &cfg_type_optional_trustanchor, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_lookaside = {
+	"lookaside", cfg_parse_tuple, print_lookaside, doc_lookaside,
+	&cfg_rep_tuple, lookaside_fields
+};
+
+static isc_result_t
+parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type == isc_tokentype_number) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static void
+doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <integer> ]");
+}
+
+static cfg_type_t cfg_type_optional_uint32 = {
+	"optional_uint32", parse_optional_uint32, NULL, doc_optional_uint32,
+	NULL, NULL
+};
+
+static cfg_tuplefielddef_t prefetch_fields[] = {
+	{ "trigger", &cfg_type_uint32, 0 },
+	{ "eligible", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_prefetch = {
+	"prefetch", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, prefetch_fields
+};
+/*
+ * DNS64.
+ */
+static cfg_clausedef_t
+dns64_clauses[] = {
+	{ "break-dnssec", &cfg_type_boolean, 0 },
+	{ "clients", &cfg_type_bracketed_aml, 0 },
+	{ "exclude", &cfg_type_bracketed_aml, 0 },
+	{ "mapped", &cfg_type_bracketed_aml, 0 },
+	{ "recursive-only", &cfg_type_boolean, 0 },
+	{ "suffix", &cfg_type_netaddr6, 0 },
+	{ NULL, NULL, 0 },
+};
+
+static cfg_clausedef_t *
+dns64_clausesets[] = {
+	dns64_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_dns64 = {
+	"dns64", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, dns64_clausesets
+};
+
+/*%
+ * Clauses that can be found within the 'view' statement,
+ * with defaults in the 'options' statement.
+ */
+
+static cfg_clausedef_t
+view_clauses[] = {
+	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
+	{ "acache-enable", &cfg_type_boolean, 0 },
+	{ "additional-from-auth", &cfg_type_boolean, 0 },
+	{ "additional-from-cache", &cfg_type_boolean, 0 },
+	{ "allow-new-zones", &cfg_type_boolean, 0 },
+	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
+	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "attach-cache", &cfg_type_astring, 0 },
+	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
+	{ "cache-file", &cfg_type_qstring, 0 },
+	{ "catalog-zones", &cfg_type_catz, 0 },
+	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
+	{ "cleaning-interval", &cfg_type_uint32, 0 },
+	{ "clients-per-query", &cfg_type_uint32, 0 },
+	{ "deny-answer-addresses", &cfg_type_denyaddresses, 0 },
+	{ "deny-answer-aliases", &cfg_type_denyaliases, 0 },
+	{ "disable-algorithms", &cfg_type_disablealgorithm,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "disable-ds-digests", &cfg_type_disabledsdigest,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+	{ "dns64", &cfg_type_dns64, CFG_CLAUSEFLAG_MULTI },
+	{ "dns64-contact", &cfg_type_astring, 0 },
+	{ "dns64-server", &cfg_type_astring, 0 },
+	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
+	{ "dnssec-enable", &cfg_type_boolean, 0 },
+	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-validation", &cfg_type_boolorauto, 0 },
+#ifdef HAVE_DNSTAP
+	{ "dnstap", &cfg_type_dnstap, 0 },
+#else
+	{ "dnstap", &cfg_type_dnstap, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif /* HAVE_DNSTAP */
+	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "empty-contact", &cfg_type_astring, 0 },
+	{ "empty-server", &cfg_type_astring, 0 },
+	{ "empty-zones-enable", &cfg_type_boolean, 0 },
+	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "fetch-quota-params", &cfg_type_fetchquota, 0 },
+	{ "fetches-per-server", &cfg_type_fetchesper, 0 },
+	{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
+#ifdef ALLOW_FILTER_AAAA
+	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
+	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
+	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
+#else
+	{ "filter-aaaa", &cfg_type_bracketed_aml,
+	   CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
+	   CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
+	   CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
+	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
+	{ "lame-ttl", &cfg_type_ttlval, 0 },
+#ifdef HAVE_LMDB
+	{ "lmdb-mapsize", &cfg_type_sizeval, 0 },
+#else
+	{ "lmdb-mapsize", &cfg_type_sizeval, CFG_CLAUSEFLAG_NOOP },
+#endif
+	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
+	{ "max-cache-size", &cfg_type_sizeorpercent, 0 },
+	{ "max-cache-ttl", &cfg_type_uint32, 0 },
+	{ "max-clients-per-query", &cfg_type_uint32, 0 },
+	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
+	{ "max-recursion-depth", &cfg_type_uint32, 0 },
+	{ "max-recursion-queries", &cfg_type_uint32, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "message-compression", &cfg_type_boolean, 0 },
+	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+	{ "minimal-any", &cfg_type_boolean, 0 },
+	{ "minimal-responses", &cfg_type_minimal, 0 },
+	{ "no-case-compress", &cfg_type_bracketed_aml, 0 },
+	{ "nocookie-udp-size", &cfg_type_uint32, 0 },
+	{ "nosit-udp-size", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "nta-lifetime", &cfg_type_ttlval, 0 },
+	{ "nta-recheck", &cfg_type_ttlval, 0 },
+	{ "nxdomain-redirect", &cfg_type_astring, 0 },
+	{ "preferred-glue", &cfg_type_astring, 0 },
+	{ "prefetch", &cfg_type_prefetch, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	/*
+	 * Note that the query-source option syntax is different
+	 * from the other -source options.
+	 */
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "queryport-pool-ports", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "queryport-pool-updateinterval", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "rate-limit", &cfg_type_rrl, 0 },
+	{ "recursion", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
+	{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "require-server-cookie", &cfg_type_boolean, 0 },
+	{ "resolver-query-timeout", &cfg_type_uint32, 0 },
+	{ "response-policy", &cfg_type_rpz, 0 },
+	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "root-key-sentinel", &cfg_type_boolean, 0 },
+	{ "rrset-order", &cfg_type_rrsetorder, 0 },
+	{ "send-cookie", &cfg_type_boolean, 0 },
+	{ "servfail-ttl", &cfg_type_ttlval, 0 },
+	{ "sortlist", &cfg_type_bracketed_aml, 0 },
+	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "trust-anchor-telemetry", &cfg_type_boolean,
+	  CFG_CLAUSEFLAG_EXPERIMENTAL },
+	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "v6-bias", &cfg_type_uint32, 0 },
+	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can be found within the 'view' statement only.
+ */
+static cfg_clausedef_t
+view_only_clauses[] = {
+	{ "match-clients", &cfg_type_bracketed_aml, 0 },
+	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
+	{ "match-recursive-only", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Sig-validity-interval.
+ */
+
+static cfg_tuplefielddef_t validityinterval_fields[] = {
+	{ "validity", &cfg_type_uint32, 0 },
+	{ "re-sign", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_validityinterval = {
+	"validityinterval", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, validityinterval_fields
+};
+
+/*%
+ * Clauses that can be found in a 'zone' statement,
+ * with defaults in the 'view' or 'options' statement.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
+ */
+static cfg_clausedef_t
+zone_clauses[] = {
+	{ "allow-notify", &cfg_type_bracketed_aml,
+		CFG_ZONE_SLAVE
+	},
+	{ "allow-query", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB
+	},
+	{ "allow-query-on", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB
+	},
+	{ "allow-transfer", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "allow-update", &cfg_type_bracketed_aml,
+		CFG_ZONE_MASTER
+	},
+	{ "allow-update-forwarding", &cfg_type_bracketed_aml,
+		CFG_ZONE_SLAVE
+	},
+	{ "also-notify", &cfg_type_namesockaddrkeylist,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "alt-transfer-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "auto-dnssec", &cfg_type_autodnssec,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "check-dup-records", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-integrity", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "check-mx", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-mx-cname", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-sibling", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "check-spf", &cfg_type_warn,
+		CFG_ZONE_MASTER
+	},
+	{ "check-srv-cname", &cfg_type_checkmode,
+		CFG_ZONE_MASTER
+	},
+	{ "check-wildcard", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "dialup", &cfg_type_dialuptype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "dnssec-dnskey-kskonly", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "dnssec-loadkeys-interval", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "dnssec-secure-to-insecure", &cfg_type_boolean,
+		CFG_ZONE_MASTER
+	},
+	{ "dnssec-update-mode", &cfg_type_dnssecupdatemode,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "forward", &cfg_type_forwardtype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD
+	},
+	{ "forwarders", &cfg_type_portiplist,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_FORWARD
+	},
+	{ "inline-signing", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "key-directory", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "maintain-ixfr-base", &cfg_type_boolean,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "masterfile-format", &cfg_type_masterformat,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "masterfile-style", &cfg_type_masterstyle,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "max-ixfr-log-size", &cfg_type_size,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "max-journal-size", &cfg_type_sizenodefault,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-records", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT
+	},
+	{ "max-refresh-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-retry-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-idle-in", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-idle-out", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-transfer-time-in", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "max-transfer-time-out", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "max-zone-ttl", &cfg_type_maxttl,
+		CFG_ZONE_MASTER | CFG_ZONE_REDIRECT
+	},
+	{ "min-refresh-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "min-retry-time", &cfg_type_uint32,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "multi-master", &cfg_type_boolean,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "notify", &cfg_type_notifytype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-delay", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "notify-to-soa", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "nsec3-test-zone", &cfg_type_boolean,
+		CFG_CLAUSEFLAG_TESTONLY |
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "request-expire", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "request-ixfr", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "serial-update-method", &cfg_type_updatemethod,
+		CFG_ZONE_MASTER
+	},
+	{ "sig-signing-nodes", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-signing-signatures", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-signing-type", &cfg_type_uint32,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "sig-validity-interval", &cfg_type_validityinterval,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "transfer-source", &cfg_type_sockaddr4wild,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "try-tcp-refresh", &cfg_type_boolean,
+		CFG_ZONE_SLAVE
+	},
+	{ "update-check-ksk", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "use-alt-transfer-source", &cfg_type_boolean,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "zero-no-soa-ttl", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "zone-statistics", &cfg_type_zonestat,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT
+	},
+	{ NULL, NULL, 0 }
+};
+
+/*%
+ * Clauses that can be found in a 'zone' statement only.
+ *
+ * Note: CFG_ZONE_* options indicate in which zone types this clause is
+ * legal.
+ */
+static cfg_clausedef_t
+zone_only_clauses[] = {
+	/*
+	 * Note that the format of the check-names option is different between
+	 * the zone options and the global/view options.  Ugh.
+	 */
+	{ "type", &cfg_type_zonetype,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_STATICSTUB | CFG_ZONE_DELEGATION | CFG_ZONE_HINT |
+		CFG_ZONE_REDIRECT | CFG_ZONE_FORWARD
+	},
+	{ "check-names", &cfg_type_checkmode,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE |
+		CFG_ZONE_HINT | CFG_ZONE_STUB
+	},
+	{ "database", &cfg_type_astring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB
+	},
+	{ "delegation-only", &cfg_type_boolean,
+		CFG_ZONE_HINT | CFG_ZONE_STUB | CFG_ZONE_FORWARD
+	},
+	{ "dlz", &cfg_type_astring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_REDIRECT
+	},
+	{ "file", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE | CFG_ZONE_STUB |
+		CFG_ZONE_HINT | CFG_ZONE_REDIRECT
+	},
+	{ "in-view", &cfg_type_astring,
+		CFG_ZONE_INVIEW
+	},
+	{ "ixfr-base", &cfg_type_qstring,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "ixfr-from-differences", &cfg_type_boolean,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "ixfr-tmp-file", &cfg_type_qstring,
+		CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "journal", &cfg_type_qstring,
+		CFG_ZONE_MASTER | CFG_ZONE_SLAVE
+	},
+	{ "masters", &cfg_type_namesockaddrkeylist,
+		CFG_ZONE_SLAVE | CFG_ZONE_STUB | CFG_ZONE_REDIRECT
+	},
+	{ "pubkey", &cfg_type_pubkey,
+		CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE
+	},
+	{ "server-addresses", &cfg_type_bracketed_sockaddrlist,
+		CFG_ZONE_STATICSTUB
+	},
+	{ "server-names", &cfg_type_namelist,
+		CFG_ZONE_STATICSTUB
+	},
+	{ "update-policy", &cfg_type_updatepolicy,
+		CFG_ZONE_MASTER
+	},
+	{ NULL, NULL, 0 }
+};
+
+/*% The top-level named.conf syntax. */
+
+static cfg_clausedef_t *
+namedconf_clausesets[] = {
+	namedconf_clauses,
+	namedconf_or_view_clauses,
+	NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
+	"namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, namedconf_clausesets
+};
+
+/*% The bind.keys syntax (trusted-keys/managed-keys only). */
+static cfg_clausedef_t *
+bindkeys_clausesets[] = {
+	bindkeys_clauses,
+	NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bindkeys = {
+	"bindkeys", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, bindkeys_clausesets
+};
+
+/*% The "options" statement syntax. */
+
+static cfg_clausedef_t *
+options_clausesets[] = {
+	options_clauses,
+	view_clauses,
+	zone_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_options = {
+	"options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	options_clausesets
+};
+
+/*% The "view" statement syntax. */
+
+static cfg_clausedef_t *
+view_clausesets[] = {
+	view_only_clauses,
+	namedconf_or_view_clauses,
+	view_clauses,
+	zone_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_viewopts = {
+	"view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	view_clausesets
+};
+
+/*% The "zone" statement syntax. */
+
+static cfg_clausedef_t *
+zone_clausesets[] = {
+	zone_only_clauses,
+	zone_clauses,
+	NULL
+};
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_zoneopts = {
+	"zoneopts", cfg_parse_map, cfg_print_map,
+	cfg_doc_map, &cfg_rep_map, zone_clausesets };
+
+/*% The "dynamically loadable zones" statement syntax. */
+
+static cfg_clausedef_t
+dlz_clauses[] = {
+	{ "database", &cfg_type_astring, 0 },
+	{ "search", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+dlz_clausesets[] = {
+	dlz_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_dlz = {
+	"dlz", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+	 &cfg_rep_map, dlz_clausesets
+};
+
+/*%
+ * The "dyndb" statement syntax.
+ */
+
+static cfg_tuplefielddef_t dyndb_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "library", &cfg_type_qstring, 0 },
+	{ "parameters", &cfg_type_bracketed_text, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_dyndb = {
+	"dyndb", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	 &cfg_rep_tuple, dyndb_fields
+};
+
+/*%
+ * Clauses that can be found within the 'key' statement.
+ */
+static cfg_clausedef_t
+key_clauses[] = {
+	{ "algorithm", &cfg_type_astring, 0 },
+	{ "secret", &cfg_type_sstring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+key_clausesets[] = {
+	key_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_key = {
+	"key", cfg_parse_named_map, cfg_print_map,
+	cfg_doc_map, &cfg_rep_map, key_clausesets
+};
+
+
+/*%
+ * Clauses that can be found in a 'server' statement.
+ */
+static cfg_clausedef_t
+server_clauses[] = {
+	{ "bogus", &cfg_type_boolean, 0 },
+	{ "edns", &cfg_type_boolean, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "edns-version", &cfg_type_uint32, 0 },
+	{ "keys", &cfg_type_server_key_kludge, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "request-expire", &cfg_type_boolean, 0 },
+	{ "request-ixfr", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
+	{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "send-cookie", &cfg_type_boolean, 0 },
+	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "tcp-only", &cfg_type_boolean, 0 },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "transfers", &cfg_type_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+server_clausesets[] = {
+	server_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_server = {
+	"server", cfg_parse_netprefix_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, server_clausesets
+};
+
+
+/*%
+ * Clauses that can be found in a 'channel' clause in the
+ * 'logging' statement.
+ *
+ * These have some additional constraints that need to be
+ * checked after parsing:
+ *  - There must exactly one of file/syslog/null/stderr
+ *
+ */
+static cfg_clausedef_t
+channel_clauses[] = {
+	/* Destinations.  We no longer require these to be first. */
+	{ "file", &cfg_type_logfile, 0 },
+	{ "syslog", &cfg_type_optional_facility, 0 },
+	{ "null", &cfg_type_void, 0 },
+	{ "stderr", &cfg_type_void, 0 },
+	/* Options.  We now accept these for the null channel, too. */
+	{ "severity", &cfg_type_logseverity, 0 },
+	{ "print-time", &cfg_type_boolean, 0 },
+	{ "print-severity", &cfg_type_boolean, 0 },
+	{ "print-category", &cfg_type_boolean, 0 },
+	{ "buffered", &cfg_type_boolean, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+channel_clausesets[] = {
+	channel_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_channel = {
+	"channel", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, channel_clausesets
+};
+
+/*% A list of log destination, used in the "category" clause. */
+static cfg_type_t cfg_type_destinationlist = {
+	"destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
+};
+
+/*%
+ * Clauses that can be found in a 'logging' statement.
+ */
+static cfg_clausedef_t logging_clauses[] = {
+	{ "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
+	{ "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+static cfg_clausedef_t * logging_clausesets[] = {
+	logging_clauses, NULL
+};
+static cfg_type_t cfg_type_logging = {
+	"logging", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, logging_clausesets
+};
+
+/*%
+ * For parsing an 'addzone' statement
+ */
+static cfg_tuplefielddef_t addzone_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ "view", &cfg_type_optional_class, 0 },
+	{ "options", &cfg_type_zoneopts, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_addzone = {
+	"zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, addzone_fields
+};
+
+static cfg_clausedef_t
+addzoneconf_clauses[] = {
+	{ "zone", &cfg_type_addzone, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+addzoneconf_clausesets[] = {
+	addzoneconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_addzoneconf = {
+	"addzoneconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, addzoneconf_clausesets
+};
+
+static isc_result_t
+parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
+	char *endp;
+	unsigned int len;
+	uint64_t value;
+	uint64_t unit;
+
+	value = isc_string_touint64(str, &endp, 10);
+	if (*endp == 0) {
+		*valuep = value;
+		return (ISC_R_SUCCESS);
+	}
+
+	len = strlen(str);
+	if (len < 2 || endp[1] != '\0')
+		return (ISC_R_FAILURE);
+
+	switch (str[len - 1]) {
+	case 'k':
+	case 'K':
+		unit = 1024;
+		break;
+	case 'm':
+	case 'M':
+		unit = 1024 * 1024;
+		break;
+	case 'g':
+	case 'G':
+		unit = 1024 * 1024 * 1024;
+		break;
+	default:
+		return (ISC_R_FAILURE);
+	}
+	if (value > UINT64_MAX / unit)
+		return (ISC_R_FAILURE);
+	*valuep = value * unit;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint64_t val;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+	CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+	obj->value.uint64 = val;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected integer and optional unit");
+	return (result);
+}
+
+static isc_result_t
+parse_sizeval_percent(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret)
+{
+	char *endp;
+	isc_result_t  result;
+	cfg_obj_t *obj = NULL;
+	uint64_t val;
+	uint64_t percent;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	percent = isc_string_touint64(TOKEN_STRING(pctx), &endp, 10);
+
+	if (*endp == '%' && *(endp+1) == 0) {
+		CHECK(cfg_create_obj(pctx, &cfg_type_percentage, &obj));
+		obj->value.uint32 = (uint32_t)percent;
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	} else {
+		CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+		CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+		obj->value.uint64 = val;
+		*ret = obj;
+		return (ISC_R_SUCCESS);
+	}
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected integer and optional unit or percent");
+	return (result);
+}
+
+static void
+doc_sizeval_percent(cfg_printer_t *pctx, const cfg_type_t *type) {
+
+	UNUSED(type);
+
+	cfg_print_cstr(pctx, "( ");
+	cfg_doc_terminal(pctx, &cfg_type_size);
+	cfg_print_cstr(pctx, " | ");
+	cfg_doc_terminal(pctx, &cfg_type_percentage);
+	cfg_print_cstr(pctx, " )");
+}
+
+/*%
+ * A size value (number + optional unit).
+ */
+static cfg_type_t cfg_type_sizeval = {
+	"sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64, NULL
+};
+
+/*%
+ * A size, "unlimited", or "default".
+ */
+
+static isc_result_t
+parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
+}
+
+static void
+doc_size(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_sizeval);
+}
+
+static const char *size_enums[] = { "default", "unlimited", NULL };
+static cfg_type_t cfg_type_size = {
+	"size", parse_size, cfg_print_ustring, doc_size,
+	&cfg_rep_string, size_enums
+};
+
+/*%
+ * A size or "unlimited", but not "default".
+ */
+static const char *sizenodefault_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_sizenodefault = {
+	"size_no_default", parse_size, cfg_print_ustring, doc_size,
+	&cfg_rep_string, sizenodefault_enums
+};
+
+/*%
+ * A size in absolute values or percents.
+ */
+
+static cfg_type_t cfg_type_sizeval_percent = {
+	"sizeval_percent", parse_sizeval_percent, cfg_print_ustring,
+	doc_sizeval_percent, &cfg_rep_string, NULL
+};
+
+/*%
+ * A size in absolute values or percents, or "unlimited", or "default"
+ */
+
+static isc_result_t
+parse_size_or_percent(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_sizeval_percent,
+				    ret));
+}
+
+static void
+doc_parse_size_or_percent(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_sizeval_percent);
+}
+
+static const char *sizeorpercent_enums[] = { "default", "unlimited", NULL };
+static cfg_type_t cfg_type_sizeorpercent = {
+	"size_or_percent", parse_size_or_percent, cfg_print_ustring,
+	doc_parse_size_or_percent, &cfg_rep_string, sizeorpercent_enums
+};
+
+/*%
+ * optional_keyvalue
+ */
+static isc_result_t
+parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			      bool optional, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const keyword_type_t *kw = type->of;
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), kw->name) == 0) {
+		CHECK(cfg_gettoken(pctx, 0));
+		CHECK(kw->type->parse(pctx, kw->type, &obj));
+		obj->type = type; /* XXX kludge */
+	} else {
+		if (optional) {
+			CHECK(cfg_parse_void(pctx, NULL, &obj));
+		} else {
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
+				     kw->name);
+			result = ISC_R_UNEXPECTEDTOKEN;
+			goto cleanup;
+		}
+	}
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+		    const cfg_type_t *othertype, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
+		CHECK(cfg_parse_enum(pctx, enumtype, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, othertype, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static void
+doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
+		  const cfg_type_t *othertype)
+{
+	const char * const *p;
+	bool first = true;
+
+	/*
+	 * If othertype is cfg_type_void, it means that enumtype is
+	 * optional.
+	 */
+
+	if (othertype == &cfg_type_void)
+		cfg_print_cstr(pctx, "[ ");
+	cfg_print_cstr(pctx, "( ");
+	for (p = enumtype->of; *p != NULL; p++) {
+		if (!first)
+			cfg_print_cstr(pctx, " | ");
+		first = false;
+		cfg_print_cstr(pctx, *p);
+	}
+	if (othertype == &cfg_type_sizeval_percent) {
+		if (!first)
+			cfg_print_cstr(pctx, " | ");
+		cfg_doc_terminal(pctx, &cfg_type_sizeval);
+		cfg_print_cstr(pctx, " | ");
+		cfg_doc_terminal(pctx, &cfg_type_percentage);
+	} else if (othertype != &cfg_type_void) {
+		if (!first)
+			cfg_print_cstr(pctx, " | ");
+		cfg_doc_terminal(pctx, othertype);
+	}
+	cfg_print_cstr(pctx, " )");
+	if (othertype == &cfg_type_void)
+		cfg_print_cstr(pctx, " ]");
+}
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_maybe_optional_keyvalue(pctx, type, false, ret));
+}
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret)
+{
+	return (parse_maybe_optional_keyvalue(pctx, type, true, ret));
+}
+
+static void
+print_keyvalue(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const keyword_type_t *kw = obj->type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	kw->type->print(pctx, obj);
+}
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+}
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, "[ ");
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static const char *dialup_enums[] = {
+	"notify", "notify-passive", "passive", "refresh", NULL
+};
+static isc_result_t
+parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_dialup_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_dialuptype = {
+	"dialuptype", parse_dialup_type, cfg_print_ustring, doc_dialup_type,
+	&cfg_rep_string, dialup_enums
+};
+
+static const char *notify_enums[] = { "explicit", "master-only", NULL };
+static isc_result_t
+parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_notify_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_notifytype = {
+	"notifytype", parse_notify_type, cfg_print_ustring, doc_notify_type,
+	&cfg_rep_string, notify_enums,
+};
+
+static const char *minimal_enums[] = { "no-auth", "no-auth-recursive", NULL };
+static isc_result_t
+parse_minimal(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_minimal = {
+	"mimimal", parse_minimal, cfg_print_ustring, doc_minimal,
+	&cfg_rep_string, minimal_enums,
+};
+
+static const char *ixfrdiff_enums[] = { "master", "slave", NULL };
+static isc_result_t
+parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_ixfrdiff_type(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_ixfrdifftype = {
+	"ixfrdiff", parse_ixfrdiff_type, cfg_print_ustring, doc_ixfrdiff_type,
+	&cfg_rep_string, ixfrdiff_enums,
+};
+
+static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
+static isc_result_t
+parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static void
+doc_filter_aaaa(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_boolean);
+}
+static cfg_type_t cfg_type_filter_aaaa = {
+	"filter_aaaa", parse_filter_aaaa, cfg_print_ustring,
+	doc_filter_aaaa, &cfg_rep_string, filter_aaaa_enums,
+};
+
+static keyword_type_t key_kw = { "key", &cfg_type_astring };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
+	"keyref", parse_keyvalue, print_keyvalue, doc_keyvalue,
+	&cfg_rep_string, &key_kw
+};
+
+static cfg_type_t cfg_type_optional_keyref = {
+	"optional_keyref", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_keyvalue, &cfg_rep_string, &key_kw
+};
+
+#ifdef HAVE_GEOIP
+/*
+ * "geoip" ACL element:
+ * geoip [ db <database> ] search-type <string>
+ */
+static const char *geoiptype_enums[] = {
+	"area", "areacode", "asnum", "city", "continent", "country",
+	"country3", "countryname", "domain", "isp", "metro", "metrocode",
+	"netspeed", "org", "postal", "postalcode", "region", "regionname",
+	"timezone", "tz", NULL
+};
+static cfg_type_t cfg_type_geoiptype = {
+	"geoiptype", cfg_parse_enum, cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &geoiptype_enums
+};
+
+static const char *geoipdb_enums[] = {
+	"asnum", "city", "country", "domain", "isp", "netspeed",
+	"org", "region", NULL
+};
+static cfg_type_t cfg_type_geoipdb = {
+	"geoipdb", cfg_parse_enum, cfg_print_ustring,
+	cfg_doc_enum, &cfg_rep_string, &geoipdb_enums
+};
+
+static cfg_tuplefielddef_t geoip_fields[] = {
+	{ "negated", &cfg_type_void, 0 },
+	{ "db", &cfg_type_geoipdb, 0 },
+	{ "subtype", &cfg_type_geoiptype, 0 },
+	{ "search", &cfg_type_astring, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_geoip = {
+	"geoip", parse_geoip, print_geoip, doc_geoip,
+	&cfg_rep_tuple, geoip_fields
+};
+
+static isc_result_t
+parse_geoip(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+	CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[0]));
+
+	/* Parse the optional "db" field. */
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string) {
+		CHECK(cfg_gettoken(pctx, 0));
+		if (strcasecmp(TOKEN_STRING(pctx), "db") == 0 &&
+		    obj->value.tuple[1] == NULL) {
+			CHECK(cfg_parse_obj(pctx, fields[1].type,
+				    &obj->value.tuple[1]));
+		} else {
+			CHECK(cfg_parse_void(pctx, NULL,
+					     &obj->value.tuple[1]));
+			cfg_ungettoken(pctx);
+		}
+	}
+
+	CHECK(cfg_parse_obj(pctx, fields[2].type, &obj->value.tuple[2]));
+	CHECK(cfg_parse_obj(pctx, fields[3].type, &obj->value.tuple[3]));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_geoip(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	if (obj->value.tuple[1]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " db ");
+		cfg_print_obj(pctx, obj->value.tuple[1]);
+	}
+	cfg_print_obj(pctx, obj->value.tuple[2]);
+	cfg_print_obj(pctx, obj->value.tuple[3]);
+}
+
+static void
+doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ db ");
+	cfg_doc_enum(pctx, &cfg_type_geoipdb);
+	cfg_print_cstr(pctx, " ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_enum(pctx, &cfg_type_geoiptype);
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "<quoted_string>");
+}
+#endif /* HAVE_GEOIP */
+
+/*%
+ * An EDNS client subnet address
+ */
+
+static keyword_type_t ecs_kw = { "ecs", &cfg_type_netprefix };
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ecsprefix = {
+	"edns_client_subnet", parse_keyvalue, print_keyvalue, doc_keyvalue,
+	&cfg_rep_netprefix, &ecs_kw
+};
+
+/*%
+ * A "controls" statement is represented as a map with the multivalued
+ * "inet" and "unix" clauses.
+ */
+
+static keyword_type_t controls_allow_kw = {
+	"allow", &cfg_type_bracketed_aml };
+
+static cfg_type_t cfg_type_controls_allow = {
+	"controls_allow", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_list, &controls_allow_kw
+};
+
+static keyword_type_t controls_keys_kw = {
+	"keys", &cfg_type_keylist
+};
+
+static cfg_type_t cfg_type_controls_keys = {
+	"controls_keys", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue,
+	&cfg_rep_list, &controls_keys_kw
+};
+
+static keyword_type_t controls_readonly_kw = {
+	"read-only", &cfg_type_boolean
+};
+
+static cfg_type_t cfg_type_controls_readonly = {
+	"controls_readonly", parse_optional_keyvalue,
+	print_keyvalue, doc_optional_keyvalue,
+	&cfg_rep_boolean, &controls_readonly_kw
+};
+
+static cfg_tuplefielddef_t inetcontrol_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 },
+	{ "allow", &cfg_type_controls_allow, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ "read-only", &cfg_type_controls_readonly, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_inetcontrol = {
+	"inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, inetcontrol_fields
+};
+
+static keyword_type_t controls_perm_kw = {
+	"perm", &cfg_type_uint32
+};
+
+static cfg_type_t cfg_type_controls_perm = {
+	"controls_perm", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_perm_kw
+};
+
+static keyword_type_t controls_owner_kw = {
+	"owner", &cfg_type_uint32
+};
+
+static cfg_type_t cfg_type_controls_owner = {
+	"controls_owner", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_owner_kw
+};
+
+static keyword_type_t controls_group_kw = {
+	"group", &cfg_type_uint32
+};
+
+static cfg_type_t cfg_type_controls_group = {
+	"controls_allow", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &controls_group_kw
+};
+
+static cfg_tuplefielddef_t unixcontrol_fields[] = {
+	{ "path", &cfg_type_qstring, 0 },
+	{ "perm", &cfg_type_controls_perm, 0 },
+	{ "owner", &cfg_type_controls_owner, 0 },
+	{ "group", &cfg_type_controls_group, 0 },
+	{ "keys", &cfg_type_controls_keys, 0 },
+	{ "read-only", &cfg_type_controls_readonly, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_unixcontrol = {
+	"unixcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, unixcontrol_fields
+};
+
+static cfg_clausedef_t
+controls_clauses[] = {
+	{ "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
+	{ "unix", &cfg_type_unixcontrol, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+controls_clausesets[] = {
+	controls_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_controls = {
+	"controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	&controls_clausesets
+};
+
+/*%
+ * A "statistics-channels" statement is represented as a map with the
+ * multivalued "inet" clauses.
+ */
+static void
+doc_optional_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_cstr(pctx, "[ ");
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_cstr(pctx, " ");
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_cstr(pctx, " ]");
+}
+
+static cfg_type_t cfg_type_optional_allow = {
+	"optional_allow", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_bracketed_list, &cfg_rep_list, &controls_allow_kw
+};
+
+static cfg_tuplefielddef_t statserver_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 }, /* reuse controls def */
+	{ "allow", &cfg_type_optional_allow, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_statschannel = {
+	"statschannel", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, statserver_fields
+};
+
+static cfg_clausedef_t
+statservers_clauses[] = {
+	{ "inet", &cfg_type_statschannel, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+statservers_clausesets[] = {
+	statservers_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_statschannels = {
+	"statistics-channels", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map,	&statservers_clausesets
+};
+
+/*%
+ * An optional class, as used in view and zone statements.
+ */
+static isc_result_t
+parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string)
+		CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
+	else
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ cleanup:
+	return (result);
+}
+
+static void
+doc_optional_class(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <class> ]");
+}
+
+static cfg_type_t cfg_type_optional_class = {
+	"optional_class", parse_optional_class, NULL, doc_optional_class,
+	NULL, NULL
+};
+
+static isc_result_t
+parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_netaddr_t netaddr;
+	in_port_t port = 0;
+	isc_dscp_t dscp = -1;
+	unsigned int have_address = 0;
+	unsigned int have_port = 0;
+	unsigned int have_dscp = 0;
+	const unsigned int *flagp = type->of;
+
+	if ((*flagp & CFG_ADDR_V4OK) != 0)
+		isc_netaddr_any(&netaddr);
+	else if ((*flagp & CFG_ADDR_V6OK) != 0)
+		isc_netaddr_any6(&netaddr);
+	else
+		INSIST(0);
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			if (strcasecmp(TOKEN_STRING(pctx),
+				       "address") == 0)
+			{
+				/* read "address" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_rawaddr(pctx, *flagp,
+							&netaddr));
+				have_address++;
+			} else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
+			{
+				/* read "port" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_rawport(pctx,
+							CFG_ADDR_WILDOK,
+							&port));
+				have_port++;
+			} else if (strcasecmp(TOKEN_STRING(pctx), "dscp") == 0)
+			{
+				/* read "dscp" */
+				CHECK(cfg_gettoken(pctx, 0));
+				CHECK(cfg_parse_dscp(pctx, &dscp));
+				have_dscp++;
+			} else if (have_port == 0 && have_dscp == 0 &&
+				   have_address == 0)
+			{
+				return (cfg_parse_sockaddr(pctx, type, ret));
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+					     "expected 'address', 'port', "
+					     "or 'dscp'");
+				return (ISC_R_UNEXPECTEDTOKEN);
+			}
+		} else
+			break;
+	}
+	if (have_address > 1 || have_port > 1 ||
+	    have_address + have_port == 0) {
+		cfg_parser_error(pctx, 0, "expected one address and/or port");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	if (have_dscp > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one dscp");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+	obj->value.sockaddrdscp.dscp = dscp;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	isc_netaddr_t na;
+	isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
+	cfg_print_cstr(pctx, "address ");
+	cfg_print_rawaddr(pctx, &na);
+	cfg_print_cstr(pctx, " port ");
+	cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
+	if (obj->value.sockaddrdscp.dscp != -1) {
+		cfg_print_cstr(pctx, " dscp ");
+		cfg_print_rawuint(pctx, obj->value.sockaddrdscp.dscp);
+	}
+}
+
+static void
+doc_querysource(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+
+	cfg_print_cstr(pctx, "( ( [ address ] ( ");
+	if (*flagp & CFG_ADDR_V4OK)
+		cfg_print_cstr(pctx, "<ipv4_address>");
+	else if (*flagp & CFG_ADDR_V6OK)
+		cfg_print_cstr(pctx, "<ipv6_address>");
+	else
+		INSIST(0);
+	cfg_print_cstr(pctx, " | * ) [ port ( <integer> | * ) ] ) | "
+		       "( [ [ address ] ( ");
+	if (*flagp & CFG_ADDR_V4OK)
+		cfg_print_cstr(pctx, "<ipv4_address>");
+	else if (*flagp & CFG_ADDR_V6OK)
+		cfg_print_cstr(pctx, "<ipv6_address>");
+	else
+		INSIST(0);
+	cfg_print_cstr(pctx, " | * ) ] port ( <integer> | * ) ) )"
+		       " [ dscp <integer> ]");
+}
+
+static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK |
+					  CFG_ADDR_DSCPOK;
+static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK |
+					  CFG_ADDR_DSCPOK;
+
+static cfg_type_t cfg_type_querysource4 = {
+	"querysource4", parse_querysource, NULL, doc_querysource,
+	NULL, &sockaddr4wild_flags
+};
+
+static cfg_type_t cfg_type_querysource6 = {
+	"querysource6", parse_querysource, NULL, doc_querysource,
+	NULL, &sockaddr6wild_flags
+};
+
+static cfg_type_t cfg_type_querysource = {
+	"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL
+};
+
+/*% addrmatchelt */
+
+static isc_result_t
+parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type,
+		   cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (pctx->token.type == isc_tokentype_string &&
+		    (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
+			CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
+		} else if (pctx->token.type == isc_tokentype_string &&
+			   (strcasecmp(TOKEN_STRING(pctx), "ecs") == 0)) {
+			CHECK(cfg_parse_obj(pctx, &cfg_type_ecsprefix, ret));
+		} else if (pctx->token.type == isc_tokentype_string &&
+			   (strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) {
+#ifdef HAVE_GEOIP
+			CHECK(cfg_gettoken(pctx, 0));
+			CHECK(cfg_parse_obj(pctx, &cfg_type_geoip, ret));
+#else
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "'geoip' "
+					 "not supported in this build");
+			return (ISC_R_UNEXPECTEDTOKEN);
+#endif
+		} else {
+			if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
+						  CFG_ADDR_V4PREFIXOK |
+						  CFG_ADDR_V6OK))
+			{
+				CHECK(cfg_parse_netprefix(pctx, NULL, ret));
+			} else {
+				CHECK(cfg_parse_astring(pctx, NULL, ret));
+			}
+		}
+	} else if (pctx->token.type == isc_tokentype_special) {
+		if (pctx->token.value.as_char == '{') {
+			/* Nested match list. */
+			CHECK(cfg_parse_obj(pctx,
+					    &cfg_type_bracketed_aml, ret));
+		} else if (pctx->token.value.as_char == '!') {
+			CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
+		} else {
+			goto bad;
+		}
+	} else {
+	bad:
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP match list element");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	return (result);
+}
+
+/*%
+ * A negated address match list element (like "! 10.0.0.1").
+ * Somewhat sneakily, the caller is expected to parse the
+ * "!", but not to print it.
+ */
+
+static cfg_tuplefielddef_t negated_fields[] = {
+	{ "negated", &cfg_type_addrmatchelt, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static void
+print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "!");
+	cfg_print_tuple(pctx, obj);
+}
+
+static cfg_type_t cfg_type_negated = {
+	"negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
+	&negated_fields
+};
+
+/*% An address match list element */
+
+static cfg_type_t cfg_type_addrmatchelt = {
+	"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+/*% A bracketed address match list */
+
+static cfg_type_t cfg_type_bracketed_aml = {
+	"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
+};
+
+/*%
+ * The socket address syntax in the "controls" statement is silly.
+ * It allows both socket address families, but also allows "*",
+ * whis is gratuitously interpreted as the IPv4 wildcard address.
+ */
+static unsigned int controls_sockaddr_flags =
+	CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+static cfg_type_t cfg_type_controls_sockaddr = {
+	"controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
+};
+
+/*%
+ * Handle the special kludge syntax of the "keys" clause in the "server"
+ * statement, which takes a single key with or without braces and semicolon.
+ */
+static isc_result_t
+parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret)
+{
+	isc_result_t result;
+	bool braces = false;
+	UNUSED(type);
+
+	/* Allow opening brace. */
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '{') {
+		CHECK(cfg_gettoken(pctx, 0));
+		braces = true;
+	}
+
+	CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+
+	if (braces) {
+		/* Skip semicolon if present. */
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == ';')
+			CHECK(cfg_gettoken(pctx, 0));
+
+		CHECK(cfg_parse_special(pctx, '}'));
+	}
+ cleanup:
+	return (result);
+}
+static cfg_type_t cfg_type_server_key_kludge = {
+	"server_key", parse_server_key_kludge, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+
+/*%
+ * An optional logging facility.
+ */
+
+static isc_result_t
+parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type,
+			cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static void
+doc_optional_facility(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "[ <syslog_facility> ]");
+}
+
+static cfg_type_t cfg_type_optional_facility = {
+	"optional_facility", parse_optional_facility, NULL,
+	doc_optional_facility, NULL, NULL
+};
+
+
+/*%
+ * A log severity.  Return as a string, except "debug N",
+ * which is returned as a keyword object.
+ */
+
+static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
+static cfg_type_t cfg_type_debuglevel = {
+	"debuglevel", parse_keyvalue,
+	print_keyvalue, doc_keyvalue,
+	&cfg_rep_uint32, &debug_kw
+};
+
+static isc_result_t
+parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_string &&
+	    strcasecmp(TOKEN_STRING(pctx), "debug") == 0) {
+		CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
+		CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
+		if (pctx->token.type == isc_tokentype_number) {
+			CHECK(cfg_parse_uint32(pctx, NULL, ret));
+		} else {
+			/*
+			 * The debug level is optional and defaults to 1.
+			 * This makes little sense, but we support it for
+			 * compatibility with BIND 8.
+			 */
+			CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
+			(*ret)->value.uint32 = 1;
+		}
+		(*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static cfg_type_t cfg_type_logseverity = {
+	"log_severity", parse_logseverity, NULL, cfg_doc_terminal,
+	NULL, NULL
+};
+
+/*%
+ * The "file" clause of the "channel" statement.
+ * This is yet another special case.
+ */
+
+static const char *logversions_enums[] = { "unlimited", NULL };
+static isc_result_t
+parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
+}
+
+static void
+doc_logversions(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_uint32);
+}
+
+static cfg_type_t cfg_type_logversions = {
+	"logversions", parse_logversions, cfg_print_ustring, doc_logversions,
+	&cfg_rep_string, logversions_enums
+};
+
+static cfg_tuplefielddef_t logfile_fields[] = {
+	{ "file", &cfg_type_qstring, 0 },
+	{ "versions", &cfg_type_logversions, 0 },
+	{ "size", &cfg_type_size, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static isc_result_t
+parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	const cfg_tuplefielddef_t *fields = type->of;
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+
+	/* Parse the mandatory "file" field */
+	CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+	/* Parse "versions" and "size" fields in any order. */
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			CHECK(cfg_gettoken(pctx, 0));
+			if (strcasecmp(TOKEN_STRING(pctx),
+				       "versions") == 0 &&
+			    obj->value.tuple[1] == NULL) {
+				CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+			} else if (strcasecmp(TOKEN_STRING(pctx),
+					      "size") == 0 &&
+				   obj->value.tuple[2] == NULL) {
+				CHECK(cfg_parse_obj(pctx, fields[2].type,
+					    &obj->value.tuple[2]));
+			} else {
+				break;
+			}
+		} else {
+			break;
+		}
+	}
+
+	/* Create void objects for missing optional values. */
+	if (obj->value.tuple[1] == NULL)
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+	if (obj->value.tuple[2] == NULL)
+		CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+print_logfile(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
+	if (obj->value.tuple[1]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " versions ");
+		cfg_print_obj(pctx, obj->value.tuple[1]);
+	}
+	if (obj->value.tuple[2]->type->print != cfg_print_void) {
+		cfg_print_cstr(pctx, " size ");
+		cfg_print_obj(pctx, obj->value.tuple[2]);
+	}
+}
+
+
+static void
+doc_logfile(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "<quoted_string>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ versions ( \"unlimited\" | <integer> ) ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ size <size> ]");
+}
+
+static cfg_type_t cfg_type_logfile = {
+	"log_file", parse_logfile, print_logfile, doc_logfile,
+	&cfg_rep_tuple, logfile_fields
+};
+
+/*% An IPv4 address with optional dscp and port, "*" accepted as wildcard. */
+static cfg_type_t cfg_type_sockaddr4wild = {
+	"sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
+};
+
+/*% An IPv6 address with optional port, "*" accepted as wildcard. */
+static cfg_type_t cfg_type_sockaddr6wild = {
+	"v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
+	cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
+};
+
+/*%
+ * lwres
+ */
+
+static cfg_tuplefielddef_t lwres_view_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "class", &cfg_type_optional_class, 0 },
+	{ NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_lwres_view = {
+	"lwres_view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, lwres_view_fields
+};
+
+static cfg_type_t cfg_type_lwres_searchlist = {
+	"lwres_searchlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+	cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring
+};
+
+static cfg_clausedef_t
+lwres_clauses[] = {
+	{ "listen-on", &cfg_type_portiplist, 0 },
+	{ "view", &cfg_type_lwres_view, 0 },
+	{ "search", &cfg_type_lwres_searchlist, 0 },
+	{ "ndots", &cfg_type_uint32, 0 },
+	{ "lwres-tasks", &cfg_type_uint32, 0},
+	{ "lwres-clients", &cfg_type_uint32, 0},
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+lwres_clausesets[] = {
+	lwres_clauses,
+	NULL
+};
+static cfg_type_t cfg_type_lwres = {
+	"lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+	lwres_clausesets
+};
+
+/*%
+ * rndc
+ */
+
+static cfg_clausedef_t
+rndcconf_options_clauses[] = {
+	{ "default-key", &cfg_type_astring, 0 },
+	{ "default-port", &cfg_type_uint32, 0 },
+	{ "default-server", &cfg_type_astring, 0 },
+	{ "default-source-address", &cfg_type_netaddr4wild, 0 },
+	{ "default-source-address-v6", &cfg_type_netaddr6wild, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_options_clausesets[] = {
+	rndcconf_options_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_options = {
+	"rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, rndcconf_options_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_server_clauses[] = {
+	{ "key", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_uint32, 0 },
+	{ "source-address", &cfg_type_netaddr4wild, 0 },
+	{ "source-address-v6", &cfg_type_netaddr6wild, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_server_clausesets[] = {
+	rndcconf_server_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_server = {
+	"rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map, rndcconf_server_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_clauses[] = {
+	{ "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+	{ "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
+	{ "options", &cfg_type_rndcconf_options, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_clausesets[] = {
+	rndcconf_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
+	"rndcconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndcconf_clausesets
+};
+
+static cfg_clausedef_t
+rndckey_clauses[] = {
+	{ "key", &cfg_type_key, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndckey_clausesets[] = {
+	rndckey_clauses,
+	NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
+	"rndckey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndckey_clausesets
+};
+
+/*
+ * session.key has exactly the same syntax as rndc.key, but it's defined
+ * separately for clarity (and so we can extend it someday, if needed).
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sessionkey = {
+	"sessionkey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+	&cfg_rep_map, rndckey_clausesets
+};
+
+static cfg_tuplefielddef_t nameport_fields[] = {
+	{ "name", &cfg_type_astring, 0 },
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "dscp", &cfg_type_optional_dscp, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameport = {
+	"nameport", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, nameport_fields
+};
+
+static void
+doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( ");
+	cfg_print_cstr(pctx, "<quoted_string>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ dscp <integer> ]");
+	cfg_print_cstr(pctx, " )");
+}
+
+static isc_result_t
+parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
+		       cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr,
+						 ret));
+		else {
+			const cfg_tuplefielddef_t *fields =
+						   cfg_type_nameport.of;
+			CHECK(cfg_create_tuple(pctx, &cfg_type_nameport,
+					       &obj));
+			CHECK(cfg_parse_obj(pctx, fields[0].type,
+					    &obj->value.tuple[0]));
+			CHECK(cfg_parse_obj(pctx, fields[1].type,
+					    &obj->value.tuple[1]));
+			CHECK(cfg_parse_obj(pctx, fields[2].type,
+					    &obj->value.tuple[2]));
+			*ret = obj;
+			obj = NULL;
+		}
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP address or hostname");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static cfg_type_t cfg_type_sockaddrnameport = {
+	"sockaddrnameport_element", parse_sockaddrnameport, NULL,
+	 doc_sockaddrnameport, NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
+	"bracketed_sockaddrnameportlist", cfg_parse_bracketed_list,
+	cfg_print_bracketed_list, cfg_doc_bracketed_list,
+	&cfg_rep_list, &cfg_type_sockaddrnameport
+};
+
+/*%
+ * A list of socket addresses or name with an optional default port,
+ * as used in the dual-stack-servers option.  E.g.,
+ * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t nameportiplist_fields[] = {
+	{ "port", &cfg_type_optional_port, 0 },
+	{ "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameportiplist = {
+	"nameportiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, nameportiplist_fields
+};
+
+/*%
+ * masters element.
+ */
+
+static void
+doc_masterselement(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_cstr(pctx, "( ");
+	cfg_print_cstr(pctx, "<masters>");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv4_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " | ");
+	cfg_print_cstr(pctx, "<ipv6_address>");
+	cfg_print_cstr(pctx, " ");
+	cfg_print_cstr(pctx, "[ port <integer> ]");
+	cfg_print_cstr(pctx, " )");
+}
+
+static isc_result_t
+parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_string ||
+	    pctx->token.type == isc_tokentype_qstring) {
+		if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+			CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr,
+			      ret));
+		else
+			CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
+	} else {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected IP address or masters name");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static cfg_type_t cfg_type_masterselement = {
+	"masters_element", parse_masterselement, NULL,
+	 doc_masterselement, NULL, NULL
+};
+
+static isc_result_t
+parse_ttlval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint32_t ttl;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	result = dns_ttl_fromtext(&pctx->token.value.as_textregion, &ttl);
+	if (result == ISC_R_RANGE ) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "TTL out of range ");
+		return (result);
+	} else if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
+	obj->value.uint32 = ttl;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR,
+			 "expected integer and optional unit");
+	return (result);
+}
+
+/*%
+ * A TTL value (number + optional unit).
+ */
+static cfg_type_t cfg_type_ttlval = {
+	"ttlval", parse_ttlval, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64, NULL
+};
+
+static isc_result_t
+parse_maxttl(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_enum_or_other(pctx, type, &cfg_type_ttlval, ret));
+}
+
+static void
+doc_maxttl(cfg_printer_t *pctx, const cfg_type_t *type) {
+	doc_enum_or_other(pctx, type, &cfg_type_ttlval);
+}
+
+/*%
+ * A size or "unlimited", but not "default".
+ */
+static const char *maxttl_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_maxttl = {
+	"maxttl_no_default", parse_maxttl, cfg_print_ustring, doc_maxttl,
+	&cfg_rep_string, maxttl_enums
+};
+
+static int cmp_clause(const void *ap, const void *bp) {
+	const cfg_clausedef_t *a = (const cfg_clausedef_t *)ap;
+	const cfg_clausedef_t *b = (const cfg_clausedef_t *)bp;
+	return (strcmp(a->name, b->name));
+}
+
+bool
+cfg_clause_validforzone(const char *name, unsigned int ztype) {
+	const cfg_clausedef_t *clause;
+	bool valid = false;
+
+	for (clause = zone_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = true;
+	}
+	for (clause = zone_only_clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & ztype) == 0 ||
+		    strcmp(clause->name, name) != 0)
+		{
+			continue;
+		}
+		valid = true;
+	}
+
+	return (valid);
+}
+
+void
+cfg_print_zonegrammar(const unsigned int zonetype,
+		      void (*f)(void *closure, const char *text, int textlen),
+		      void *closure)
+{
+#define NCLAUSES \
+	(((sizeof(zone_clauses) + sizeof(zone_only_clauses)) / \
+	  sizeof(clause[0])) - 1)
+
+	cfg_printer_t pctx;
+	cfg_clausedef_t *clause = NULL;
+	cfg_clausedef_t clauses[NCLAUSES];
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = 0;
+
+	memmove(clauses, zone_clauses, sizeof(zone_clauses));
+	memmove(clauses + sizeof(zone_clauses)/sizeof(zone_clauses[0]) - 1,
+		zone_only_clauses, sizeof(zone_only_clauses));
+	qsort(clauses, NCLAUSES - 1, sizeof(clause[0]), cmp_clause);
+
+	cfg_print_cstr(&pctx, "zone <string> [ <class> ] {\n");
+	pctx.indent++;
+
+	switch (zonetype) {
+	case CFG_ZONE_MASTER:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( master | primary );\n");
+		break;
+	case CFG_ZONE_SLAVE:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type ( slave | secondary );\n");
+		break;
+	case CFG_ZONE_STUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type stub;\n");
+		break;
+	case CFG_ZONE_HINT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type hint;\n");
+		break;
+	case CFG_ZONE_FORWARD:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type forward;\n");
+		break;
+	case CFG_ZONE_STATICSTUB:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type static-stub;\n");
+		break;
+	case CFG_ZONE_REDIRECT:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type redirect;\n");
+		break;
+	case CFG_ZONE_DELEGATION:
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, "type delegation-only;\n");
+		break;
+	case CFG_ZONE_INVIEW:
+		/* no zone type is specified for these */
+		break;
+	default:
+		INSIST(0);
+	}
+
+	for (clause = clauses; clause->name != NULL; clause++) {
+		if ((clause->flags & zonetype) == 0 ||
+		    strcasecmp(clause->name, "type") == 0) {
+			continue;
+		}
+		cfg_print_indent(&pctx);
+		cfg_print_cstr(&pctx, clause->name);
+		cfg_print_cstr(&pctx, " ");
+		cfg_doc_obj(&pctx, clause->type);
+		cfg_print_cstr(&pctx, ";");
+		cfg_print_clauseflags(&pctx, clause->flags);
+		cfg_print_cstr(&pctx, "\n");
+	}
+
+	pctx.indent--;
+	cfg_print_cstr(&pctx, "};\n");
+}
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
new file mode 100644
index 0000000..e08e257
--- /dev/null
+++ b/lib/isccfg/parser.c
@@ -0,0 +1,3282 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/formatcheck.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netscope.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/string.h>
+#include <isc/sockaddr.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+
+/* Shorthand */
+#define CAT CFG_LOGCATEGORY_CONFIG
+#define MOD CFG_LOGMODULE_PARSER
+
+#define MAP_SYM 1 	/* Unique type for isc_symtab */
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/* Check a return value. */
+#define CHECK(op) 						\
+	do { result = (op); 					\
+		if (result != ISC_R_SUCCESS) goto cleanup; 	\
+	} while (0)
+
+/* Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj) \
+	do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
+
+
+/*
+ * Forward declarations of static functions.
+ */
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj);
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
+
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+	      cfg_obj_t **ret);
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name,
+		 cfg_type_t *elttype, isc_symtab_t *symtab,
+		 bool callback);
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx);
+
+static void
+parser_complain(cfg_parser_t *pctx, bool is_warning,
+		unsigned int flags, const char *format, va_list args);
+
+/*
+ * Data representations.  These correspond to members of the
+ * "value" union in struct cfg_obj (except "void", which does
+ * not need a union member).
+ */
+
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint32 = { "uint32", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint64 = { "uint64", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_string = { "string", free_string };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_boolean = { "boolean", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_map = { "map", free_map };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_list = { "list", free_list };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_tuple = { "tuple", free_tuple };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_sockaddr = { "sockaddr", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_netprefix =
+	{ "netprefix", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_void = { "void", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_fixedpoint =
+	{ "fixedpoint", free_noop };
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_percentage =
+	{ "percentage", free_noop };
+
+/*
+ * Configuration type definitions.
+ */
+
+/*%
+ * An implicit list.  These are formed by clauses that occur multiple times.
+ */
+static cfg_type_t cfg_type_implicitlist = {
+	"implicitlist", NULL, print_list, NULL, &cfg_rep_list, NULL };
+
+/* Functions. */
+
+void
+cfg_print_obj(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	obj->type->print(pctx, obj);
+}
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(text != NULL);
+
+	pctx->f(pctx->closure, text, len);
+}
+
+static void
+print_open(cfg_printer_t *pctx) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) != 0)
+		cfg_print_cstr(pctx, "{ ");
+	else {
+		cfg_print_cstr(pctx, "{\n");
+		pctx->indent++;
+	}
+}
+
+void
+cfg_print_indent(cfg_printer_t *pctx) {
+	int indent = pctx->indent;
+	if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
+		cfg_print_cstr(pctx, " ");
+		return;
+	}
+	while (indent > 0) {
+		cfg_print_cstr(pctx, "\t");
+		indent--;
+	}
+}
+
+static void
+print_close(cfg_printer_t *pctx) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0) {
+		pctx->indent--;
+		cfg_print_indent(pctx);
+	}
+	cfg_print_cstr(pctx, "}");
+}
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	result = type->parse(pctx, type, ret);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	ENSURE(*ret != NULL);
+	return (ISC_R_SUCCESS);
+}
+
+void
+cfg_print(const cfg_obj_t *obj,
+	  void (*f)(void *closure, const char *text, int textlen),
+	  void *closure)
+{
+	REQUIRE(obj != NULL);
+	REQUIRE(f != NULL);
+
+	cfg_printx(obj, 0, f, closure);
+}
+
+void
+cfg_printx(const cfg_obj_t *obj, unsigned int flags,
+	     void (*f)(void *closure, const char *text, int textlen),
+	     void *closure)
+{
+	cfg_printer_t pctx;
+
+	REQUIRE(obj != NULL);
+	REQUIRE(f != NULL);
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = flags;
+	obj->type->print(&pctx, obj);
+}
+
+/* Tuples. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	const cfg_tuplefielddef_t *fields = type->of;
+	const cfg_tuplefielddef_t *f;
+	cfg_obj_t *obj = NULL;
+	unsigned int nfields = 0;
+	int i;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	for (f = fields; f->name != NULL; f++)
+		nfields++;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	obj->value.tuple = isc_mem_get(pctx->mctx,
+				       nfields * sizeof(cfg_obj_t *));
+	if (obj->value.tuple == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	for (f = fields, i = 0; f->name != NULL; f++, i++)
+		obj->value.tuple[i] = NULL;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (obj != NULL)
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	return (result);
+}
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	const cfg_tuplefielddef_t *fields = type->of;
+	const cfg_tuplefielddef_t *f;
+	cfg_obj_t *obj = NULL;
+	unsigned int i;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_create_tuple(pctx, type, &obj));
+	for (f = fields, i = 0; f->name != NULL; f++, i++)
+		CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	bool need_space = false;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	fields = obj->type->of;
+
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		const cfg_obj_t *fieldobj = obj->value.tuple[i];
+		if (need_space && fieldobj->type->rep != &cfg_rep_void)
+			cfg_print_cstr(pctx, " ");
+		cfg_print_obj(pctx, fieldobj);
+		need_space = (need_space ||
+			      fieldobj->type->print != cfg_print_void);
+	}
+}
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+	bool need_space = false;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	fields = type->of;
+
+	for (f = fields; f->name != NULL; f++) {
+		if (need_space)
+			cfg_print_cstr(pctx, " ");
+		cfg_doc_obj(pctx, f->type);
+		need_space = (f->type->print != cfg_print_void);
+	}
+}
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields = obj->type->of;
+	const cfg_tuplefielddef_t *f;
+	unsigned int nfields = 0;
+
+	if (obj->value.tuple == NULL)
+		return;
+
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		CLEANUP_OBJ(obj->value.tuple[i]);
+		nfields++;
+	}
+	isc_mem_put(pctx->mctx, obj->value.tuple,
+		    nfields * sizeof(cfg_obj_t *));
+}
+
+bool
+cfg_obj_istuple(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_tuple);
+}
+
+const cfg_obj_t *
+cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
+	unsigned int i;
+	const cfg_tuplefielddef_t *fields;
+	const cfg_tuplefielddef_t *f;
+
+	REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
+	REQUIRE(name != NULL);
+
+	fields = tupleobj->type->of;
+	for (f = fields, i = 0; f->name != NULL; f++, i++) {
+		if (strcmp(f->name, name) == 0)
+			return (tupleobj->value.tuple[i]);
+	}
+	INSIST(0);
+	return (NULL);
+}
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == special)
+		return (ISC_R_SUCCESS);
+
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
+	return (ISC_R_UNEXPECTEDTOKEN);
+ cleanup:
+	return (result);
+}
+
+/*
+ * Parse a required semicolon.  If it is not there, log
+ * an error and increment the error count but continue
+ * parsing.  Since the next token is pushed back,
+ * care must be taken to make sure it is eventually
+ * consumed or an infinite loop may result.
+ */
+static isc_result_t
+parse_semicolon(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == ';')
+		return (ISC_R_SUCCESS);
+
+	cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
+	cfg_ungettoken(pctx);
+ cleanup:
+	return (result);
+}
+
+/*
+ * Parse EOF, logging and returning an error if not there.
+ */
+static isc_result_t
+parse_eof(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	CHECK(cfg_gettoken(pctx, 0));
+
+	if (pctx->token.type == isc_tokentype_eof)
+		return (ISC_R_SUCCESS);
+
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
+	return (ISC_R_UNEXPECTEDTOKEN);
+ cleanup:
+	return (result);
+}
+
+/* A list of files, used internally for pctx->files. */
+
+static cfg_type_t cfg_type_filelist = {
+	"filelist", NULL, print_list, NULL, &cfg_rep_list,
+	&cfg_type_qstring
+};
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
+	isc_result_t result;
+	cfg_parser_t *pctx;
+	isc_lexspecials_t specials;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	pctx = isc_mem_get(mctx, sizeof(*pctx));
+	if (pctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	pctx->mctx = NULL;
+	isc_mem_attach(mctx, &pctx->mctx);
+
+	result = isc_refcount_init(&pctx->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
+		return (result);
+	}
+
+	pctx->lctx = lctx;
+	pctx->lexer = NULL;
+	pctx->seen_eof = false;
+	pctx->ungotten = false;
+	pctx->errors = 0;
+	pctx->warnings = 0;
+	pctx->open_files = NULL;
+	pctx->closed_files = NULL;
+	pctx->line = 0;
+	pctx->callback = NULL;
+	pctx->callbackarg = NULL;
+	pctx->token.type = isc_tokentype_unknown;
+	pctx->flags = 0;
+	pctx->buf_name = NULL;
+
+	memset(specials, 0, sizeof(specials));
+	specials['{'] = 1;
+	specials['}'] = 1;
+	specials[';'] = 1;
+	specials['/'] = 1;
+	specials['"'] = 1;
+	specials['!'] = 1;
+
+	CHECK(isc_lex_create(pctx->mctx, 1024, &pctx->lexer));
+
+	isc_lex_setspecials(pctx->lexer, specials);
+	isc_lex_setcomments(pctx->lexer, (ISC_LEXCOMMENT_C |
+					 ISC_LEXCOMMENT_CPLUSPLUS |
+					 ISC_LEXCOMMENT_SHELL));
+
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
+	CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
+
+	*ret = pctx;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (pctx->lexer != NULL)
+		isc_lex_destroy(&pctx->lexer);
+	CLEANUP_OBJ(pctx->open_files);
+	CLEANUP_OBJ(pctx->closed_files);
+	isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
+	return (result);
+}
+
+static isc_result_t
+parser_openfile(cfg_parser_t *pctx, const char *filename) {
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+	cfg_obj_t *stringobj = NULL;
+
+	result = isc_lex_openfile(pctx->lexer, filename);
+	if (result != ISC_R_SUCCESS) {
+		cfg_parser_error(pctx, 0, "open: %s: %s",
+			     filename, isc_result_totext(result));
+		goto cleanup;
+	}
+
+	CHECK(create_string(pctx, filename, &cfg_type_qstring, &stringobj));
+	CHECK(create_listelt(pctx, &elt));
+	elt->obj = stringobj;
+	ISC_LIST_APPEND(pctx->open_files->value.list, elt, link);
+
+	return (ISC_R_SUCCESS);
+ cleanup:
+	CLEANUP_OBJ(stringobj);
+	return (result);
+}
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx,
+		       cfg_parsecallback_t callback,
+		       void *arg)
+{
+	REQUIRE(pctx != NULL);
+
+	pctx->callback = callback;
+	pctx->callbackarg = arg;
+}
+
+void
+cfg_parser_reset(cfg_parser_t *pctx) {
+	REQUIRE(pctx != NULL);
+
+	if (pctx->lexer != NULL)
+		isc_lex_close(pctx->lexer);
+
+	pctx->seen_eof = false;
+	pctx->ungotten = false;
+	pctx->errors = 0;
+	pctx->warnings = 0;
+	pctx->line = 0;
+}
+
+/*
+ * Parse a configuration using a pctx where a lexer has already
+ * been set up with a source.
+ */
+static isc_result_t
+parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	result = cfg_parse_obj(pctx, type, &obj);
+
+	if (pctx->errors != 0) {
+		/* Errors have been logged. */
+		if (result == ISC_R_SUCCESS)
+			result = ISC_R_FAILURE;
+		goto cleanup;
+	}
+
+	if (result != ISC_R_SUCCESS) {
+		/* Parsing failed but no errors have been logged. */
+		cfg_parser_error(pctx, 0, "parsing failed: %s",
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	CHECK(parse_eof(pctx));
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *filename,
+	       const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_listelt_t *elt;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(filename != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(parser_openfile(pctx, filename));
+
+	result = parse2(pctx, type, ret);
+
+	/* Clean up the opened file */
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	INSIST(elt != NULL);
+	ISC_LIST_UNLINK(pctx->open_files->value.list, elt, link);
+	ISC_LIST_APPEND(pctx->closed_files->value.list, elt, link);
+
+ cleanup:
+	return (result);
+}
+
+
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
+	const cfg_type_t *type, cfg_obj_t **ret)
+{
+	return (cfg_parse_buffer4(pctx, buffer, NULL, 0, type, 0, ret));
+}
+
+isc_result_t
+cfg_parse_buffer2(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	return (cfg_parse_buffer4(pctx, buffer, file, 0, type, 0, ret));
+}
+
+isc_result_t
+cfg_parse_buffer3(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, cfg_obj_t **ret)
+{
+	return (cfg_parse_buffer4(pctx, buffer, file, line, type, 0, ret));
+}
+
+isc_result_t
+cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, unsigned int flags,
+		  cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(buffer != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+	REQUIRE((flags & ~(CFG_PCTX_NODEPRECATED)) == 0);
+
+	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
+
+	pctx->buf_name = file;
+	pctx->flags = flags;
+
+	if (line != 0U)
+		CHECK(isc_lex_setsourceline(pctx->lexer, line));
+
+	CHECK(parse2(pctx, type, ret));
+	pctx->buf_name = NULL;
+
+ cleanup:
+	return (result);
+}
+
+void
+cfg_parser_attach(cfg_parser_t *src, cfg_parser_t **dest) {
+	REQUIRE(src != NULL);
+	REQUIRE(dest != NULL && *dest == NULL);
+
+	isc_refcount_increment(&src->references, NULL);
+	*dest = src;
+}
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp) {
+	cfg_parser_t *pctx;
+	unsigned int refs;
+
+	REQUIRE(pctxp != NULL && *pctxp != NULL);
+
+	pctx = *pctxp;
+	*pctxp = NULL;
+
+	isc_refcount_decrement(&pctx->references, &refs);
+	if (refs == 0) {
+		isc_lex_destroy(&pctx->lexer);
+		/*
+		 * Cleaning up open_files does not
+		 * close the files; that was already done
+		 * by closing the lexer.
+		 */
+		CLEANUP_OBJ(pctx->open_files);
+		CLEANUP_OBJ(pctx->closed_files);
+		isc_mem_putanddetach(&pctx->mctx, pctx, sizeof(*pctx));
+	}
+}
+
+/*
+ * void
+ */
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	return (cfg_create_obj(pctx, &cfg_type_void, ret));
+}
+
+void
+cfg_print_void(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	UNUSED(pctx);
+	UNUSED(obj);
+}
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	UNUSED(pctx);
+	UNUSED(type);
+}
+
+bool
+cfg_obj_isvoid(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_void);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_void = {
+	"void", cfg_parse_void, cfg_print_void, cfg_doc_void, &cfg_rep_void,
+	NULL };
+
+/*
+ * percentage
+ */
+isc_result_t
+cfg_parse_percentage(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	char *endp;
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	uint64_t percent;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected percentage");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	percent = isc_string_touint64(TOKEN_STRING(pctx), &endp, 10);
+	if (*endp != '%' || *(endp+1) != 0) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected percentage");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_percentage, &obj));
+	obj->value.uint32 = (uint32_t)percent;
+	*ret = obj;
+
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_percentage(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[64];
+	int n;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	n = snprintf(buf, sizeof(buf), "%u%%", obj->value.uint32);
+	INSIST(n > 0 && (size_t)n < sizeof(buf));
+	cfg_print_chars(pctx, buf, strlen(buf));
+}
+
+uint32_t
+cfg_obj_aspercentage(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_percentage);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_percentage = {
+	"percentage", cfg_parse_percentage, cfg_print_percentage,
+	cfg_doc_terminal, &cfg_rep_percentage, NULL
+};
+
+bool
+cfg_obj_ispercentage(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_percentage);
+}
+
+/*
+ * Fixed point
+ */
+isc_result_t
+cfg_parse_fixedpoint(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	size_t n1, n2, n3, l;
+	const char *p;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected fixed point number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+
+	p = TOKEN_STRING(pctx);
+	l = strlen(p);
+	n1 = strspn(p, "0123456789");
+	n2 = strspn(p + n1, ".");
+	n3 = strspn(p + n1 + n2, "0123456789");
+
+	if ((n1 + n2 + n3 != l) || (n1 + n3 == 0) ||
+	    n1 > 5 || n2 > 1 || n3 > 2) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected fixed point number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_fixedpoint, &obj));
+
+	obj->value.uint32 = strtoul(p, NULL, 10) * 100;
+	switch (n3) {
+	case 2:
+		obj->value.uint32 += strtoul(p + n1 + n2, NULL, 10);
+		break;
+	case 1:
+		obj->value.uint32 += strtoul(p + n1 + n2, NULL, 10) * 10;
+		break;
+	}
+	*ret = obj;
+
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_fixedpoint(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[64];
+	int n;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	n = snprintf(buf, sizeof(buf), "%u.%02u",
+		     obj->value.uint32/100, obj->value.uint32%100);
+	INSIST(n > 0 && (size_t)n < sizeof(buf));
+	cfg_print_chars(pctx, buf, strlen(buf));
+}
+
+uint32_t
+cfg_obj_asfixedpoint(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_fixedpoint);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_fixedpoint = {
+	"fixedpoint", cfg_parse_fixedpoint, cfg_print_fixedpoint,
+	cfg_doc_terminal, &cfg_rep_fixedpoint, NULL
+};
+
+bool
+cfg_obj_isfixedpoint(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_fixedpoint);
+}
+
+/*
+ * uint32
+ */
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
+
+	obj->value.uint32 = pctx->token.value.as_ulong;
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
+	cfg_print_chars(pctx, s, strlen(s));
+}
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
+	char buf[32];
+
+	snprintf(buf, sizeof(buf), "%u", u);
+	cfg_print_cstr(pctx, buf);
+}
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_rawuint(pctx, obj->value.uint32);
+}
+
+bool
+cfg_obj_isuint32(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_uint32);
+}
+
+uint32_t
+cfg_obj_asuint32(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
+	return (obj->value.uint32);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_uint32 = {
+	"integer", cfg_parse_uint32, cfg_print_uint32, cfg_doc_terminal,
+	&cfg_rep_uint32, NULL
+};
+
+
+/*
+ * uint64
+ */
+bool
+cfg_obj_isuint64(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_uint64);
+}
+
+uint64_t
+cfg_obj_asuint64(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
+	return (obj->value.uint64);
+}
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	char buf[32];
+
+	snprintf(buf, sizeof(buf), "%" PRIu64,
+		 obj->value.uint64);
+	cfg_print_cstr(pctx, buf);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_uint64 = {
+	"64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
+	&cfg_rep_uint64, NULL
+};
+
+/*
+ * qstring (quoted string), ustring (unquoted string), astring
+ * (any string)
+ */
+
+/* Create a string object from a null-terminated C string. */
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+	      cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	int len;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	len = strlen(contents);
+	obj->value.string.length = len;
+	obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
+	if (obj->value.string.base == 0) {
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+		return (ISC_R_NOMEMORY);
+	}
+	memmove(obj->value.string.base, contents, len);
+	obj->value.string.base[len] = '\0';
+
+	*ret = obj;
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type != isc_tokentype_qstring) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx, TOKEN_STRING(pctx),
+			      &cfg_type_qstring, ret));
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	if (pctx->token.type != isc_tokentype_string) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected unquoted string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx,
+			      TOKEN_STRING(pctx),
+			      &cfg_type_ustring,
+			      ret));
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_getstringtoken(pctx));
+	return (create_string(pctx,
+			      TOKEN_STRING(pctx),
+			      &cfg_type_qstring,
+			      ret));
+ cleanup:
+	return (result);
+}
+
+isc_result_t
+cfg_parse_sstring(cfg_parser_t *pctx, const cfg_type_t *type,
+		  cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_getstringtoken(pctx));
+	return (create_string(pctx,
+			      TOKEN_STRING(pctx),
+			      &cfg_type_sstring,
+			      ret));
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+parse_btext(cfg_parser_t *pctx, const cfg_type_t *type,
+	    cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	UNUSED(type);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_BTEXT));
+	if (pctx->token.type != isc_tokentype_btext) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+				 "expected bracketed text");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (create_string(pctx,
+			      TOKEN_STRING(pctx),
+			      &cfg_type_bracketed_text,
+			      ret));
+ cleanup:
+	return (result);
+}
+
+static void
+print_btext(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	/*
+	 * We need to print "{" instead of running print_open()
+	 * in order to preserve the exact original formatting
+	 * of the bracketed text. But we increment the indent value
+	 * so that print_close() will leave us back in our original
+	 * state.
+	 */
+	pctx->indent++;
+	cfg_print_cstr(pctx, "{");
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+	print_close(pctx);
+}
+
+static void
+doc_btext(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+
+	cfg_print_cstr(pctx, "{ <unspecified-text> }");
+}
+
+
+bool
+cfg_is_enum(const char *s, const char *const *enums) {
+	const char * const *p;
+
+	REQUIRE(s != NULL);
+	REQUIRE(enums != NULL);
+
+	for (p = enums; *p != NULL; p++) {
+		if (strcasecmp(*p, s) == 0)
+			return (true);
+	}
+	return (false);
+}
+
+static isc_result_t
+check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
+	const char *s = obj->value.string.base;
+
+	if (cfg_is_enum(s, enums))
+		return (ISC_R_SUCCESS);
+	cfg_parser_error(pctx, 0, "'%s' unexpected", s);
+	return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(parse_ustring(pctx, NULL, &obj));
+	CHECK(check_enum(pctx, obj, type->of));
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const char * const *p;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "( ");
+	for (p = type->of; *p != NULL; p++) {
+		cfg_print_cstr(pctx, *p);
+		if (p[1] != NULL)
+			cfg_print_cstr(pctx, " | ");
+	}
+	cfg_print_cstr(pctx, " )");
+}
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+}
+
+static void
+print_qstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "\"");
+	cfg_print_ustring(pctx, obj);
+	cfg_print_cstr(pctx, "\"");
+}
+
+static void
+print_sstring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	cfg_print_cstr(pctx, "\"");
+	if ((pctx->flags & CFG_PRINTER_XKEY) != 0) {
+		unsigned int len = obj->value.string.length;
+		while (len-- > 0)
+			cfg_print_cstr(pctx, "?");
+	} else
+		cfg_print_ustring(pctx, obj);
+	cfg_print_cstr(pctx, "\"");
+}
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	isc_mem_put(pctx->mctx, obj->value.string.base,
+		    obj->value.string.length + 1);
+}
+
+bool
+cfg_obj_isstring(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_string);
+}
+
+const char *
+cfg_obj_asstring(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
+	return (obj->value.string.base);
+}
+
+/* Quoted string only */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_qstring = {
+	"quoted_string", cfg_parse_qstring, print_qstring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/* Unquoted string only */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ustring = {
+	"string", parse_ustring, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/* Any string (quoted or unquoted); printed with quotes */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_astring = {
+	"string", cfg_parse_astring, print_qstring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/*
+ * Any string (quoted or unquoted); printed with quotes.
+ * If CFG_PRINTER_XKEY is set when printing the string will be '?' out.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sstring = {
+	"string", cfg_parse_sstring, print_sstring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/*
+ * Text enclosed in brackets. Used to pass a block of configuration
+ * text to dynamic library or external application. Checked for
+ * bracket balance, but not otherwise parsed.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bracketed_text = {
+	"bracketed_text", parse_btext, print_btext, doc_btext,
+	&cfg_rep_string, NULL
+};
+
+/*
+ * Booleans
+ */
+
+bool
+cfg_obj_isboolean(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_boolean);
+}
+
+bool
+cfg_obj_asboolean(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
+	return (obj->value.boolean);
+}
+
+isc_result_t
+cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	bool value;
+	cfg_obj_t *obj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	result = cfg_gettoken(pctx, 0);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (pctx->token.type != isc_tokentype_string)
+		goto bad_boolean;
+
+	if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
+	    (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
+	    (strcmp(TOKEN_STRING(pctx), "1") == 0)) {
+		value = true;
+	} else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
+		   (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
+		   (strcmp(TOKEN_STRING(pctx), "0") == 0)) {
+		value = false;
+	} else {
+		goto bad_boolean;
+	}
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
+	obj->value.boolean = value;
+	*ret = obj;
+	return (result);
+
+ bad_boolean:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
+	return (ISC_R_UNEXPECTEDTOKEN);
+
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_boolean(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	if (obj->value.boolean)
+		cfg_print_cstr(pctx, "yes");
+	else
+		cfg_print_cstr(pctx, "no");
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_boolean = {
+	"boolean", cfg_parse_boolean, cfg_print_boolean, cfg_doc_terminal,
+	&cfg_rep_boolean, NULL
+};
+
+/*
+ * Lists.
+ */
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
+	CHECK(cfg_create_obj(pctx, type, obj));
+	ISC_LIST_INIT((*obj)->value.list);
+ cleanup:
+	return (result);
+}
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp) {
+	cfg_listelt_t *elt;
+
+	elt = isc_mem_get(pctx->mctx, sizeof(*elt));
+	if (elt == NULL)
+		return (ISC_R_NOMEMORY);
+	elt->obj = NULL;
+	ISC_LINK_INIT(elt, link);
+	*eltp = elt;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+free_listelt(cfg_parser_t *pctx, cfg_listelt_t *elt) {
+	if (elt->obj != NULL)
+		cfg_obj_destroy(pctx, &elt->obj);
+	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+}
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	cfg_listelt_t *elt, *next;
+	for (elt = ISC_LIST_HEAD(obj->value.list);
+	     elt != NULL;
+	     elt = next)
+	{
+		next = ISC_LIST_NEXT(elt, link);
+		free_listelt(pctx, elt);
+	}
+}
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+		  cfg_listelt_t **ret)
+{
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+	cfg_obj_t *value = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(elttype != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(create_listelt(pctx, &elt));
+
+	result = cfg_parse_obj(pctx, elttype, &value);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	elt->obj = value;
+
+	*ret = elt;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+	return (result);
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where each element is terminated by a semicolon.
+ */
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
+{
+	cfg_obj_t *listobj = NULL;
+	const cfg_type_t *listof = listtype->of;
+	isc_result_t result;
+	cfg_listelt_t *elt = NULL;
+
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == /*{*/ '}')
+			break;
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
+		CHECK(parse_semicolon(pctx));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+		elt = NULL;
+	}
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (elt != NULL)
+		free_listelt(pctx, elt);
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+static void
+print_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
+
+	for (elt = ISC_LIST_HEAD(*list);
+	     elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link))
+	{
+		if ((pctx->flags & CFG_PRINTER_ONELINE) != 0) {
+			cfg_print_obj(pctx, elt->obj);
+			cfg_print_cstr(pctx, "; ");
+		} else {
+			cfg_print_indent(pctx);
+			cfg_print_obj(pctx, elt->obj);
+			cfg_print_cstr(pctx, ";\n");
+		}
+	}
+}
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
+		     cfg_obj_t **ret)
+{
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_special(pctx, '{'));
+	CHECK(parse_list(pctx, type, ret));
+	CHECK(cfg_parse_special(pctx, '}'));
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	print_open(pctx);
+	print_list(pctx, obj);
+	print_close(pctx);
+}
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "{ ");
+	cfg_doc_obj(pctx, type->of);
+	cfg_print_cstr(pctx, "; ... }");
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where elements are separated by space.  The list ends
+ * before the first semicolon.
+ */
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
+		    cfg_obj_t **ret)
+{
+	cfg_obj_t *listobj = NULL;
+	const cfg_type_t *listof = listtype->of;
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(listtype != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+	for (;;) {
+		cfg_listelt_t *elt = NULL;
+
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special &&
+		    pctx->token.value.as_char == ';')
+			break;
+		CHECK(cfg_parse_listelt(pctx, listof, &elt));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+	}
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_list_t *list = &obj->value.list;
+	const cfg_listelt_t *elt;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	for (elt = ISC_LIST_HEAD(*list);
+	     elt != NULL;
+	     elt = ISC_LIST_NEXT(elt, link)) {
+		cfg_print_obj(pctx, elt->obj);
+		if (ISC_LIST_NEXT(elt, link) != NULL)
+			cfg_print_cstr(pctx, " ");
+	}
+}
+
+bool
+cfg_obj_islist(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_list);
+}
+
+const cfg_listelt_t *
+cfg_list_first(const cfg_obj_t *obj) {
+	REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
+	if (obj == NULL)
+		return (NULL);
+	return (ISC_LIST_HEAD(obj->value.list));
+}
+
+const cfg_listelt_t *
+cfg_list_next(const cfg_listelt_t *elt) {
+	REQUIRE(elt != NULL);
+	return (ISC_LIST_NEXT(elt, link));
+}
+
+/*
+ * Return the length of a list object.  If obj is NULL or is not
+ * a list, return 0.
+ */
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, bool recurse) {
+	const cfg_listelt_t *elt;
+	unsigned int count = 0;
+
+	if (obj == NULL || !cfg_obj_islist(obj))
+		return (0U);
+	for (elt = cfg_list_first(obj);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		if (recurse && cfg_obj_islist(elt->obj)) {
+			count += cfg_list_length(elt->obj, recurse);
+		} else {
+			count++;
+		}
+	}
+	return (count);
+}
+
+cfg_obj_t *
+cfg_listelt_value(const cfg_listelt_t *elt) {
+	REQUIRE(elt != NULL);
+	return (elt->obj);
+}
+
+/*
+ * Maps.
+ */
+
+/*
+ * Parse a map body.  That's something like
+ *
+ *   "foo 1; bar { glub; }; zap true; zap false;"
+ *
+ * i.e., a sequence of option names followed by values and
+ * terminated by semicolons.  Used for the top level of
+ * the named.conf syntax, as well as for the body of the
+ * options, view, zone, and other statements.
+ */
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+	const cfg_clausedef_t * const *clausesets = type->of;
+	isc_result_t result;
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+	cfg_obj_t *value = NULL;
+	cfg_obj_t *obj = NULL;
+	cfg_obj_t *eltobj = NULL;
+	cfg_obj_t *includename = NULL;
+	isc_symvalue_t symval;
+	cfg_list_t *list = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(create_map(pctx, type, &obj));
+
+	obj->value.map.clausesets = clausesets;
+
+	for (;;) {
+		cfg_listelt_t *elt;
+
+	redo:
+		/*
+		 * Parse the option name and see if it is known.
+		 */
+		CHECK(cfg_gettoken(pctx, 0));
+
+		if (pctx->token.type != isc_tokentype_string) {
+			cfg_ungettoken(pctx);
+			break;
+		}
+
+		/*
+		 * We accept "include" statements wherever a map body
+		 * clause can occur.
+		 */
+		if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
+			/*
+			 * Turn the file name into a temporary configuration
+			 * object just so that it is not overwritten by the
+			 * semicolon token.
+			 */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, &includename));
+			CHECK(parse_semicolon(pctx));
+			CHECK(parser_openfile(pctx, includename->
+					      value.string.base));
+			 cfg_obj_destroy(pctx, &includename);
+			 goto redo;
+		}
+
+		clause = NULL;
+		for (clauseset = clausesets; *clauseset != NULL; clauseset++) {
+			for (clause = *clauseset;
+			     clause->name != NULL;
+			     clause++) {
+				if (strcasecmp(TOKEN_STRING(pctx),
+					   clause->name) == 0)
+					goto done;
+			}
+		}
+	done:
+		if (clause == NULL || clause->name == NULL) {
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "unknown option");
+			/*
+			 * Try to recover by parsing this option as an unknown
+			 * option and discarding it.
+			 */
+			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported,
+					    &eltobj));
+			cfg_obj_destroy(pctx, &eltobj);
+			CHECK(parse_semicolon(pctx));
+			continue;
+		}
+
+		/* Clause is known. */
+
+		/* Issue warnings if appropriate */
+		if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0 &&
+		    (clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0)
+		{
+			cfg_parser_warning(pctx, 0, "option '%s' is deprecated",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' is "
+					   "not implemented", clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' is "
+					   "not implemented", clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NOOP) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' was not "
+					   "enabled at compile time "
+					   "(ignored)", clause->name);
+		}
+
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
+			cfg_parser_warning(pctx, 0, "option '%s' was not "
+					   "enabled at compile time",
+					   clause->name);
+			result = ISC_R_FAILURE;
+			goto cleanup;
+		}
+
+		/*
+		 * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
+		 * set here - we need to log the *lack* of such an option,
+		 * not its presence.
+		 */
+
+		/* See if the clause already has a value; if not create one. */
+		result = isc_symtab_lookup(obj->value.map.symtab,
+					   clause->name, 0, &symval);
+
+		if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
+			/* Multivalued clause */
+			cfg_obj_t *listobj = NULL;
+			if (result == ISC_R_NOTFOUND) {
+				CHECK(cfg_create_list(pctx,
+						  &cfg_type_implicitlist,
+						  &listobj));
+				symval.as_pointer = listobj;
+				result = isc_symtab_define(obj->value.
+						   map.symtab,
+						   clause->name,
+						   1, symval,
+						   isc_symexists_reject);
+				if (result != ISC_R_SUCCESS) {
+					cfg_parser_error(pctx, CFG_LOG_NEAR,
+						     "isc_symtab_define(%s) "
+						     "failed", clause->name);
+					isc_mem_put(pctx->mctx, list,
+						    sizeof(cfg_list_t));
+					goto cleanup;
+				}
+			} else {
+				INSIST(result == ISC_R_SUCCESS);
+				listobj = symval.as_pointer;
+			}
+
+			elt = NULL;
+			CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
+			CHECK(parse_semicolon(pctx));
+
+			ISC_LIST_APPEND(listobj->value.list, elt, link);
+		} else {
+			/* Single-valued clause */
+			if (result == ISC_R_NOTFOUND) {
+				bool callback =
+					(clause->flags & CFG_CLAUSEFLAG_CALLBACK);
+				CHECK(parse_symtab_elt(pctx, clause->name,
+						       clause->type,
+						       obj->value.map.symtab,
+						       callback));
+				CHECK(parse_semicolon(pctx));
+			} else if (result == ISC_R_SUCCESS) {
+				cfg_parser_error(pctx, CFG_LOG_NEAR, "'%s' redefined",
+					     clause->name);
+				result = ISC_R_EXISTS;
+				goto cleanup;
+			} else {
+				cfg_parser_error(pctx, CFG_LOG_NEAR,
+					     "isc_symtab_define() failed");
+				goto cleanup;
+			}
+		}
+	}
+
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(value);
+	CLEANUP_OBJ(obj);
+	CLEANUP_OBJ(eltobj);
+	CLEANUP_OBJ(includename);
+	return (result);
+}
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name,
+		 cfg_type_t *elttype, isc_symtab_t *symtab,
+		 bool callback)
+{
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_symvalue_t symval;
+
+	CHECK(cfg_parse_obj(pctx, elttype, &obj));
+
+	if (callback && pctx->callback != NULL)
+		CHECK(pctx->callback(name, obj, pctx->callbackarg));
+
+	symval.as_pointer = obj;
+	CHECK(isc_symtab_define(symtab, name,
+				1, symval,
+				isc_symexists_reject));
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+/*
+ * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
+ */
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_special(pctx, '{'));
+	CHECK(cfg_parse_mapbody(pctx, type, ret));
+	CHECK(cfg_parse_special(pctx, '}'));
+ cleanup:
+	return (result);
+}
+
+/*
+ * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
+ */
+static isc_result_t
+parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype,
+		    const cfg_type_t *type, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	cfg_obj_t *idobj = NULL;
+	cfg_obj_t *mapobj = NULL;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(nametype != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	CHECK(cfg_parse_obj(pctx, nametype, &idobj));
+	CHECK(cfg_parse_map(pctx, type, &mapobj));
+	mapobj->value.map.id = idobj;
+	*ret = mapobj;
+	return (result);
+ cleanup:
+	CLEANUP_OBJ(idobj);
+	CLEANUP_OBJ(mapobj);
+	return (result);
+}
+
+/*
+ * Parse a map identified by a string name.  E.g., "name { foo 1; }".
+ * Used for the "key" and "channel" statements.
+ */
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
+}
+
+/*
+ * Parse a map identified by a network address.
+ * Used to be used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
+}
+
+/*
+ * Parse a map identified by a network prefix.
+ * Used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_netprefix_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	return (parse_any_named_map(pctx, &cfg_type_netprefix, type, ret));
+}
+
+static void
+print_symval(cfg_printer_t *pctx, const char *name, cfg_obj_t *obj) {
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0)
+		cfg_print_indent(pctx);
+
+	cfg_print_cstr(pctx, name);
+	cfg_print_cstr(pctx, " ");
+	cfg_print_obj(pctx, obj);
+
+	if ((pctx->flags & CFG_PRINTER_ONELINE) == 0)
+		cfg_print_cstr(pctx, ";\n");
+	else
+		cfg_print_cstr(pctx, "; ");
+}
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_clausedef_t * const *clauseset;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	for (clauseset = obj->value.map.clausesets;
+	     *clauseset != NULL;
+	     clauseset++)
+	{
+		isc_symvalue_t symval;
+		const cfg_clausedef_t *clause;
+
+		for (clause = *clauseset;
+		     clause->name != NULL;
+		     clause++) {
+			result = isc_symtab_lookup(obj->value.map.symtab,
+						   clause->name, 0, &symval);
+			if (result == ISC_R_SUCCESS) {
+				cfg_obj_t *symobj = symval.as_pointer;
+				if (symobj->type == &cfg_type_implicitlist) {
+					/* Multivalued. */
+					cfg_list_t *list = &symobj->value.list;
+					cfg_listelt_t *elt;
+					for (elt = ISC_LIST_HEAD(*list);
+					     elt != NULL;
+					     elt = ISC_LIST_NEXT(elt, link)) {
+						print_symval(pctx,
+							     clause->name,
+							     elt->obj);
+					}
+				} else {
+					/* Single-valued. */
+					print_symval(pctx, clause->name,
+						     symobj);
+				}
+			} else if (result == ISC_R_NOTFOUND) {
+				; /* do nothing */
+			} else {
+				INSIST(0);
+			}
+		}
+	}
+}
+
+static struct flagtext {
+	unsigned int flag;
+	const char *text;
+} flagtexts[] = {
+	{ CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
+	{ CFG_CLAUSEFLAG_NYI, "not yet implemented" },
+	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
+	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
+	{ CFG_CLAUSEFLAG_TESTONLY, "test only" },
+	{ CFG_CLAUSEFLAG_NOTCONFIGURED, "not configured" },
+	{ CFG_CLAUSEFLAG_MULTI, "may occur multiple times" },
+	{ CFG_CLAUSEFLAG_EXPERIMENTAL, "experimental" },
+	{ CFG_CLAUSEFLAG_NOOP, "non-operational" },
+	{ 0, NULL }
+};
+
+void
+cfg_print_clauseflags(cfg_printer_t *pctx, unsigned int flags) {
+	struct flagtext *p;
+	bool first = true;
+	for (p = flagtexts; p->flag != 0; p++) {
+		if ((flags & p->flag) != 0) {
+			if (first)
+				cfg_print_cstr(pctx, " // ");
+			else
+				cfg_print_cstr(pctx, ", ");
+			cfg_print_cstr(pctx, p->text);
+			first = false;
+		}
+	}
+}
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			cfg_print_cstr(pctx, clause->name);
+			cfg_print_cstr(pctx, " ");
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_cstr(pctx, ";");
+			cfg_print_clauseflags(pctx, clause->flags);
+			cfg_print_cstr(pctx, "\n\n");
+		}
+	}
+}
+
+void
+cfg_print_map(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	if (obj->value.map.id != NULL) {
+		cfg_print_obj(pctx, obj->value.map.id);
+		cfg_print_cstr(pctx, " ");
+	}
+	print_open(pctx);
+	cfg_print_mapbody(pctx, obj);
+	print_close(pctx);
+}
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	if (type->parse == cfg_parse_named_map) {
+		cfg_doc_obj(pctx, &cfg_type_astring);
+		cfg_print_cstr(pctx, " ");
+	} else if (type->parse == cfg_parse_addressed_map) {
+		cfg_doc_obj(pctx, &cfg_type_netaddr);
+		cfg_print_cstr(pctx, " ");
+	} else if (type->parse == cfg_parse_netprefix_map) {
+		cfg_doc_obj(pctx, &cfg_type_netprefix);
+		cfg_print_cstr(pctx, " ");
+	}
+
+	print_open(pctx);
+
+	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			cfg_print_indent(pctx);
+			cfg_print_cstr(pctx, clause->name);
+			if (clause->type->print != cfg_print_void)
+				cfg_print_cstr(pctx, " ");
+			cfg_doc_obj(pctx, clause->type);
+			cfg_print_cstr(pctx, ";");
+			cfg_print_clauseflags(pctx, clause->flags);
+			cfg_print_cstr(pctx, "\n");
+		}
+	}
+	print_close(pctx);
+}
+
+bool
+cfg_obj_ismap(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_map);
+}
+
+isc_result_t
+cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
+	isc_result_t result;
+	isc_symvalue_t val;
+	const cfg_map_t *map;
+
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	REQUIRE(name != NULL);
+	REQUIRE(obj != NULL && *obj == NULL);
+
+	map = &mapobj->value.map;
+
+	result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	*obj = val.as_pointer;
+	return (ISC_R_SUCCESS);
+}
+
+const cfg_obj_t *
+cfg_map_getname(const cfg_obj_t *mapobj) {
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	return (mapobj->value.map.id);
+}
+
+unsigned int
+cfg_map_count(const cfg_obj_t *mapobj) {
+	const cfg_map_t *map;
+
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+
+	map = &mapobj->value.map;
+	return (isc_symtab_count(map->symtab));
+}
+
+const char *
+cfg_map_firstclause(const cfg_type_t *map, const void **clauses,
+		    unsigned int *idx)
+{
+	cfg_clausedef_t * const * clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses == NULL);
+
+	clauseset = map->of;
+	if (*clauseset == NULL) {
+		return (NULL);
+	}
+	*clauses = *clauseset;
+	*idx = 0;
+	while ((*clauseset)[*idx].name == NULL) {
+		*clauses = (*++clauseset);
+		if (*clauses == NULL)
+			return (NULL);
+	}
+	return ((*clauseset)[*idx].name);
+}
+
+const char *
+cfg_map_nextclause(const cfg_type_t *map, const void **clauses,
+		   unsigned int *idx)
+{
+	cfg_clausedef_t * const * clauseset;
+
+	REQUIRE(map != NULL && map->rep == &cfg_rep_map);
+	REQUIRE(idx != NULL);
+	REQUIRE(clauses != NULL && *clauses != NULL);
+
+	clauseset = map->of;
+	while (*clauseset != NULL && *clauseset != *clauses) {
+		clauseset++;
+	}
+	INSIST(*clauseset == *clauses);
+	(*idx)++;
+	while ((*clauseset)[*idx].name == NULL) {
+		*idx = 0;
+		*clauses = (*++clauseset);
+		if (*clauses == NULL)
+			return (NULL);
+	}
+	return ((*clauseset)[*idx].name);
+}
+
+/* Parse an arbitrary token, storing its raw text representation. */
+static isc_result_t
+parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	cfg_obj_t *obj = NULL;
+	isc_result_t result;
+	isc_region_t r;
+
+	UNUSED(type);
+
+	CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
+	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+	if (pctx->token.type == isc_tokentype_eof) {
+		cfg_ungettoken(pctx);
+		result = ISC_R_EOF;
+		goto cleanup;
+	}
+
+	isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
+
+	obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
+	if (obj->value.string.base == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	obj->value.string.length = r.length;
+	memmove(obj->value.string.base, r.base, r.length);
+	obj->value.string.base[r.length] = '\0';
+	*ret = obj;
+	return (result);
+
+ cleanup:
+	if (obj != NULL)
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	return (result);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_token = {
+	"token", parse_token, cfg_print_ustring, cfg_doc_terminal,
+	&cfg_rep_string, NULL
+};
+
+/*
+ * An unsupported option.  This is just a list of tokens with balanced braces
+ * ending in a semicolon.
+ */
+
+static isc_result_t
+parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	cfg_obj_t *listobj = NULL;
+	isc_result_t result;
+	int braces = 0;
+
+	CHECK(cfg_create_list(pctx, type, &listobj));
+
+	for (;;) {
+		cfg_listelt_t *elt = NULL;
+
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_special) {
+			if (pctx->token.value.as_char == '{')
+				braces++;
+			else if (pctx->token.value.as_char == '}')
+				braces--;
+			else if (pctx->token.value.as_char == ';')
+				if (braces == 0)
+					break;
+		}
+		if (pctx->token.type == isc_tokentype_eof || braces < 0) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR, "unexpected token");
+			result = ISC_R_UNEXPECTEDTOKEN;
+			goto cleanup;
+		}
+
+		CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
+		ISC_LIST_APPEND(listobj->value.list, elt, link);
+	}
+	INSIST(braces == 0);
+	*ret = listobj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(listobj);
+	return (result);
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_unsupported = {
+	"unsupported", parse_unsupported, cfg_print_spacelist, cfg_doc_terminal,
+	&cfg_rep_list, NULL
+};
+
+/*
+ * Try interpreting the current token as a network address.
+ *
+ * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
+ * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set.  The
+ * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
+ * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
+ * and the IPv6 wildcard address otherwise.
+ */
+static isc_result_t
+token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+	char *s;
+	struct in_addr in4a;
+	struct in6_addr in6a;
+
+	if (pctx->token.type != isc_tokentype_string)
+		return (ISC_R_UNEXPECTEDTOKEN);
+
+	s = TOKEN_STRING(pctx);
+	if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
+		if ((flags & CFG_ADDR_V4OK) != 0) {
+			isc_netaddr_any(na);
+			return (ISC_R_SUCCESS);
+		} else if ((flags & CFG_ADDR_V6OK) != 0) {
+			isc_netaddr_any6(na);
+			return (ISC_R_SUCCESS);
+		} else {
+			INSIST(0);
+		}
+	} else {
+		if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
+			if (inet_pton(AF_INET, s, &in4a) == 1) {
+				isc_netaddr_fromin(na, &in4a);
+				return (ISC_R_SUCCESS);
+			}
+		}
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 && strlen(s) <= 15U) {
+			char buf[64];
+			int i;
+
+			strlcpy(buf, s, sizeof(buf));
+			for (i = 0; i < 3; i++) {
+				strlcat(buf, ".0", sizeof(buf));
+				if (inet_pton(AF_INET, buf, &in4a) == 1) {
+					isc_netaddr_fromin(na, &in4a);
+					return (ISC_R_SUCCESS);
+				}
+			}
+		}
+		if ((flags & CFG_ADDR_V6OK) != 0 && strlen(s) <= 127U) {
+			char buf[128]; /* see lib/bind9/getaddresses.c */
+			char *d; /* zone delimiter */
+			uint32_t zone = 0; /* scope zone ID */
+
+			strlcpy(buf, s, sizeof(buf));
+			d = strchr(buf, '%');
+			if (d != NULL)
+				*d = '\0';
+
+			if (inet_pton(AF_INET6, buf, &in6a) == 1) {
+				if (d != NULL) {
+#ifdef ISC_PLATFORM_HAVESCOPEID
+					isc_result_t result;
+
+					result = isc_netscope_pton(AF_INET6,
+								   d + 1,
+								   &in6a,
+								   &zone);
+					if (result != ISC_R_SUCCESS)
+						return (result);
+#else
+				return (ISC_R_BADADDRESSFORM);
+#endif
+				}
+
+				isc_netaddr_fromin6(na, &in6a);
+				isc_netaddr_setzone(na, zone);
+				return (ISC_R_SUCCESS);
+			}
+		}
+	}
+	return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+	isc_result_t result;
+	const char *wild = "";
+	const char *prefix = "";
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(na != NULL);
+
+	CHECK(cfg_gettoken(pctx, 0));
+	result = token_addr(pctx, flags, na);
+	if (result == ISC_R_UNEXPECTEDTOKEN) {
+		if ((flags & CFG_ADDR_WILDOK) != 0)
+			wild = " or '*'";
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0)
+			wild = " or IPv4 prefix";
+		if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V4OK)
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv4 address%s%s",
+					 prefix, wild);
+		else if ((flags & CFG_ADDR_MASK) == CFG_ADDR_V6OK)
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IPv6 address%s%s",
+					 prefix, wild);
+		else
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+					 "expected IP address%s%s",
+					 prefix, wild);
+	}
+ cleanup:
+	return (result);
+}
+
+bool
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
+	isc_result_t result;
+	isc_netaddr_t na_dummy;
+
+	REQUIRE(pctx != NULL);
+
+	result = token_addr(pctx, flags, &na_dummy);
+	return (result == ISC_R_SUCCESS);
+}
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(port != NULL);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+
+	if ((flags & CFG_ADDR_WILDOK) != 0 &&
+	    pctx->token.type == isc_tokentype_string &&
+	    strcmp(TOKEN_STRING(pctx), "*") == 0) {
+		*port = 0;
+		return (ISC_R_SUCCESS);
+	}
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected port number or '*'");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	if (pctx->token.value.as_ulong >= 65536U) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "port number out of range");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	*port = (in_port_t)(pctx->token.value.as_ulong);
+	return (ISC_R_SUCCESS);
+ cleanup:
+	return (result);
+}
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, const isc_netaddr_t *na) {
+	isc_result_t result;
+	char text[128];
+	isc_buffer_t buf;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(na != NULL);
+
+	isc_buffer_init(&buf, text, sizeof(text));
+	result = isc_netaddr_totext(na, &buf);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	cfg_print_chars(pctx, isc_buffer_base(&buf),
+			isc_buffer_usedlength(&buf));
+}
+
+isc_result_t
+cfg_parse_dscp(cfg_parser_t *pctx, isc_dscp_t *dscp) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(dscp != NULL);
+
+	CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+
+	if (pctx->token.type != isc_tokentype_number) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "expected number");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	if (pctx->token.value.as_ulong > 63U) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR,
+			     "dscp out of range");
+		return (ISC_R_RANGE);
+	}
+	*dscp = (isc_dscp_t)(pctx->token.value.as_ulong);
+	return (ISC_R_SUCCESS);
+ cleanup:
+	return (result);
+}
+
+/* netaddr */
+
+static unsigned int netaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+static unsigned int netaddr4_flags = CFG_ADDR_V4OK;
+static unsigned int netaddr4wild_flags = CFG_ADDR_V4OK | CFG_ADDR_WILDOK;
+static unsigned int netaddr6_flags = CFG_ADDR_V6OK;
+static unsigned int netaddr6wild_flags = CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+
+static isc_result_t
+parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj = NULL;
+	isc_netaddr_t netaddr;
+	unsigned int flags = *(const unsigned int *)type->of;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static void
+cfg_doc_netaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+	int n = 0;
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
+		cfg_print_cstr(pctx, "( ");
+	if (*flagp & CFG_ADDR_V4OK) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
+	}
+	if (*flagp & CFG_ADDR_V6OK) {
+		if (n != 0)
+			cfg_print_cstr(pctx, " | ");
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;
+	}
+	if (*flagp & CFG_ADDR_WILDOK) {
+		if (n != 0)
+			cfg_print_cstr(pctx, " | ");
+		cfg_print_cstr(pctx, "*");
+		n++;
+		POST(n);
+	}
+	if (*flagp != CFG_ADDR_V4OK && *flagp != CFG_ADDR_V6OK)
+		cfg_print_cstr(pctx, " )");
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr = {
+	"netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr4 = {
+	"netaddr4", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr4_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr4wild = {
+	"netaddr4wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr4wild_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr6 = {
+	"netaddr6", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr6_flags
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netaddr6wild = {
+	"netaddr6wild", parse_netaddr, cfg_print_sockaddr, cfg_doc_netaddr,
+	&cfg_rep_sockaddr, &netaddr6wild_flags
+};
+
+/* netprefix */
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
+		    cfg_obj_t **ret)
+{
+	cfg_obj_t *obj = NULL;
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	unsigned int addrlen = 0, prefixlen;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	UNUSED(type);
+
+	CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
+				CFG_ADDR_V6OK, &netaddr));
+	switch (netaddr.family) {
+	case AF_INET:
+		addrlen = 32;
+		break;
+	case AF_INET6:
+		addrlen = 128;
+		break;
+	default:
+		INSIST(0);
+		break;
+	}
+	CHECK(cfg_peektoken(pctx, 0));
+	if (pctx->token.type == isc_tokentype_special &&
+	    pctx->token.value.as_char == '/') {
+		CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
+		CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+		if (pctx->token.type != isc_tokentype_number) {
+			cfg_parser_error(pctx, CFG_LOG_NEAR,
+				     "expected prefix length");
+			return (ISC_R_UNEXPECTEDTOKEN);
+		}
+		prefixlen = pctx->token.value.as_ulong;
+		if (prefixlen > addrlen) {
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+				     "invalid prefix length");
+			return (ISC_R_RANGE);
+		}
+	} else {
+		prefixlen = addrlen;
+	}
+	CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
+	obj->value.netprefix.address = netaddr;
+	obj->value.netprefix.prefixlen = prefixlen;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+ cleanup:
+	cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
+	return (result);
+}
+
+static void
+print_netprefix(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	const cfg_netprefix_t *p = &obj->value.netprefix;
+
+	cfg_print_rawaddr(pctx, &p->address);
+	cfg_print_cstr(pctx, "/");
+	cfg_print_rawuint(pctx, p->prefixlen);
+}
+
+bool
+cfg_obj_isnetprefix(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_netprefix);
+}
+
+void
+cfg_obj_asnetprefix(const cfg_obj_t *obj, isc_netaddr_t *netaddr,
+		    unsigned int *prefixlen)
+{
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
+	REQUIRE(netaddr != NULL);
+	REQUIRE(prefixlen != NULL);
+
+	*netaddr = obj->value.netprefix.address;
+	*prefixlen = obj->value.netprefix.prefixlen;
+}
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_netprefix = {
+	"netprefix", cfg_parse_netprefix, print_netprefix, cfg_doc_terminal,
+	&cfg_rep_netprefix, NULL
+};
+
+static isc_result_t
+parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
+		  int flags, cfg_obj_t **ret)
+{
+	isc_result_t result;
+	isc_netaddr_t netaddr;
+	in_port_t port = 0;
+	isc_dscp_t dscp = -1;
+	cfg_obj_t *obj = NULL;
+	int have_port = 0, have_dscp = 0;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
+	for (;;) {
+		CHECK(cfg_peektoken(pctx, 0));
+		if (pctx->token.type == isc_tokentype_string) {
+			if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
+				CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
+				CHECK(cfg_parse_rawport(pctx, flags, &port));
+				++have_port;
+			} else if ((flags & CFG_ADDR_DSCPOK) != 0 &&
+				   strcasecmp(TOKEN_STRING(pctx), "dscp") == 0)
+			{
+				CHECK(cfg_gettoken(pctx, 0)); /* read "dscp" */
+				CHECK(cfg_parse_dscp(pctx, &dscp));
+				++have_dscp;
+			} else
+				break;
+		} else
+			break;
+	}
+	if (have_port > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one port");
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+
+	if (have_dscp > 1) {
+		cfg_parser_error(pctx, 0, "expected at most one dscp");
+		result = ISC_R_UNEXPECTEDTOKEN;
+		goto cleanup;
+	}
+	isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+	obj->value.sockaddrdscp.dscp = dscp;
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	CLEANUP_OBJ(obj);
+	return (result);
+}
+
+static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sockaddr = {
+	"sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
+	&cfg_rep_sockaddr, &sockaddr_flags
+};
+
+static unsigned int sockaddrdscp_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK |
+					 CFG_ADDR_DSCPOK;
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_sockaddrdscp = {
+	"sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
+	&cfg_rep_sockaddr, &sockaddrdscp_flags
+};
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	const unsigned int *flagp;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	flagp = type->of;
+
+	return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
+}
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, const cfg_obj_t *obj) {
+	isc_netaddr_t netaddr;
+	in_port_t port;
+	char buf[ISC_NETADDR_FORMATSIZE];
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(obj != NULL);
+
+	isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
+	isc_netaddr_format(&netaddr, buf, sizeof(buf));
+	cfg_print_cstr(pctx, buf);
+	port = isc_sockaddr_getport(&obj->value.sockaddr);
+	if (port != 0) {
+		cfg_print_cstr(pctx, " port ");
+		cfg_print_rawuint(pctx, port);
+	}
+	if (obj->value.sockaddrdscp.dscp != -1) {
+		cfg_print_cstr(pctx, " dscp ");
+		cfg_print_rawuint(pctx, obj->value.sockaddrdscp.dscp);
+	}
+}
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const unsigned int *flagp = type->of;
+	int n = 0;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "( ");
+	if (*flagp & CFG_ADDR_V4OK) {
+		cfg_print_cstr(pctx, "<ipv4_address>");
+		n++;
+	}
+	if (*flagp & CFG_ADDR_V6OK) {
+		if (n != 0)
+			cfg_print_cstr(pctx, " | ");
+		cfg_print_cstr(pctx, "<ipv6_address>");
+		n++;
+	}
+	if (*flagp & CFG_ADDR_WILDOK) {
+		if (n != 0)
+			cfg_print_cstr(pctx, " | ");
+		cfg_print_cstr(pctx, "*");
+		n++;
+		POST(n);
+	}
+	cfg_print_cstr(pctx, " ) ");
+	if (*flagp & CFG_ADDR_WILDOK) {
+		cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
+	} else {
+		cfg_print_cstr(pctx, "[ port <integer> ]");
+	}
+	if ((*flagp & CFG_ADDR_DSCPOK) != 0) {
+		cfg_print_cstr(pctx, " [ dscp <integer> ]");
+	}
+}
+
+bool
+cfg_obj_issockaddr(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+	return (obj->type->rep == &cfg_rep_sockaddr);
+}
+
+const isc_sockaddr_t *
+cfg_obj_assockaddr(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+	return (&obj->value.sockaddr);
+}
+
+isc_dscp_t
+cfg_obj_getdscp(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+	return (obj->value.sockaddrdscp.dscp);
+}
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	if (pctx->seen_eof)
+		return (ISC_R_SUCCESS);
+
+	options |= (ISC_LEXOPT_EOF | ISC_LEXOPT_NOMORE);
+
+ redo:
+	pctx->token.type = isc_tokentype_unknown;
+	result = isc_lex_gettoken(pctx->lexer, options, &pctx->token);
+	pctx->ungotten = false;
+	pctx->line = isc_lex_getsourceline(pctx->lexer);
+
+	switch (result) {
+	case ISC_R_SUCCESS:
+		if (pctx->token.type == isc_tokentype_eof) {
+			result = isc_lex_close(pctx->lexer);
+			INSIST(result == ISC_R_NOMORE ||
+			       result == ISC_R_SUCCESS);
+
+			if (isc_lex_getsourcename(pctx->lexer) != NULL) {
+				/*
+				 * Closed an included file, not the main file.
+				 */
+				cfg_listelt_t *elt;
+				elt = ISC_LIST_TAIL(pctx->open_files->
+						    value.list);
+				INSIST(elt != NULL);
+				ISC_LIST_UNLINK(pctx->open_files->
+						value.list, elt, link);
+				ISC_LIST_APPEND(pctx->closed_files->
+						value.list, elt, link);
+				goto redo;
+			}
+			pctx->seen_eof = true;
+		}
+		break;
+
+	case ISC_R_NOSPACE:
+		/* More understandable than "ran out of space". */
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
+		break;
+
+	case ISC_R_IOERROR:
+		cfg_parser_error(pctx, 0, "%s",
+				 isc_result_totext(result));
+		break;
+
+	default:
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
+				 isc_result_totext(result));
+		break;
+	}
+	return (result);
+}
+
+void
+cfg_ungettoken(cfg_parser_t *pctx) {
+	REQUIRE(pctx != NULL);
+
+	if (pctx->seen_eof)
+		return;
+	isc_lex_ungettoken(pctx->lexer, &pctx->token);
+	pctx->ungotten = true;
+}
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options) {
+	isc_result_t result;
+
+	REQUIRE(pctx != NULL);
+
+	CHECK(cfg_gettoken(pctx, options));
+	cfg_ungettoken(pctx);
+ cleanup:
+	return (result);
+}
+
+/*
+ * Get a string token, accepting both the quoted and the unquoted form.
+ * Log an error if the next token is not a string.
+ */
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx) {
+	isc_result_t result;
+
+	result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (pctx->token.type != isc_tokentype_string &&
+	    pctx->token.type != isc_tokentype_qstring) {
+		cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
+		return (ISC_R_UNEXPECTEDTOKEN);
+	}
+	return (ISC_R_SUCCESS);
+}
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+	va_list args;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(fmt != NULL);
+
+	va_start(args, fmt);
+	parser_complain(pctx, false, flags, fmt, args);
+	va_end(args);
+	pctx->errors++;
+}
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+	va_list args;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(fmt != NULL);
+
+	va_start(args, fmt);
+	parser_complain(pctx, true, flags, fmt, args);
+	va_end(args);
+	pctx->warnings++;
+}
+
+#define MAX_LOG_TOKEN 30 /* How much of a token to quote in log messages. */
+
+static bool
+have_current_file(cfg_parser_t *pctx) {
+	cfg_listelt_t *elt;
+	if (pctx->open_files == NULL)
+		return (false);
+
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	if (elt == NULL)
+	      return (false);
+
+	return (true);
+}
+
+static char *
+current_file(cfg_parser_t *pctx) {
+	static char none[] = "none";
+	cfg_listelt_t *elt;
+	cfg_obj_t *fileobj;
+
+	if (!have_current_file(pctx))
+		return (none);
+
+	elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+	if (elt == NULL)	/* shouldn't be possible, but... */
+	      return (none);
+
+	fileobj = elt->obj;
+	INSIST(fileobj->type == &cfg_type_qstring);
+	return (fileobj->value.string.base);
+}
+
+static void
+parser_complain(cfg_parser_t *pctx, bool is_warning,
+		unsigned int flags, const char *format,
+		va_list args)
+{
+	char tokenbuf[MAX_LOG_TOKEN + 10];
+	static char where[ISC_DIR_PATHMAX + 100];
+	static char message[2048];
+	int level = ISC_LOG_ERROR;
+	const char *prep = "";
+	size_t len;
+
+	if (is_warning)
+		level = ISC_LOG_WARNING;
+
+	where[0] = '\0';
+	if (have_current_file(pctx))
+		snprintf(where, sizeof(where), "%s:%u: ",
+			 current_file(pctx), pctx->line);
+	else if (pctx->buf_name != NULL)
+		snprintf(where, sizeof(where), "%s: ", pctx->buf_name);
+
+	len = vsnprintf(message, sizeof(message), format, args);
+#define ELIPSIS " ... "
+	if (len >= sizeof(message)) {
+		message[sizeof(message) - sizeof(ELIPSIS)] = 0;
+		strlcat(message, ELIPSIS, sizeof(message));
+	}
+
+	if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
+		isc_region_t r;
+
+		if (pctx->ungotten)
+			(void)cfg_gettoken(pctx, 0);
+
+		if (pctx->token.type == isc_tokentype_eof) {
+			snprintf(tokenbuf, sizeof(tokenbuf), "end of file");
+		} else if (pctx->token.type == isc_tokentype_unknown) {
+			flags = 0;
+			tokenbuf[0] = '\0';
+		} else {
+			isc_lex_getlasttokentext(pctx->lexer,
+						 &pctx->token, &r);
+			if (r.length > MAX_LOG_TOKEN)
+				snprintf(tokenbuf, sizeof(tokenbuf),
+					 "'%.*s...'", MAX_LOG_TOKEN, r.base);
+			else
+				snprintf(tokenbuf, sizeof(tokenbuf),
+					 "'%.*s'", (int)r.length, r.base);
+		}
+
+		/* Choose a preposition. */
+		if (flags & CFG_LOG_NEAR)
+			prep = " near ";
+		else if (flags & CFG_LOG_BEFORE)
+			prep = " before ";
+		else
+			prep = " ";
+	} else {
+		tokenbuf[0] = '\0';
+	}
+	isc_log_write(pctx->lctx, CAT, MOD, level,
+		      "%s%s%s%s", where, message, prep, tokenbuf);
+}
+
+void
+cfg_obj_log(const cfg_obj_t *obj, isc_log_t *lctx, int level,
+	    const char *fmt, ...) {
+	va_list ap;
+	char msgbuf[2048];
+
+	REQUIRE(obj != NULL);
+	REQUIRE(fmt != NULL);
+
+	if (! isc_log_wouldlog(lctx, level))
+		return;
+
+	va_start(ap, fmt);
+	vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+	va_end(ap);
+
+	if (obj->file != NULL) {
+		isc_log_write(lctx, CAT, MOD, level,
+			      "%s:%u: %s", obj->file, obj->line, msgbuf);
+	} else {
+		isc_log_write(lctx, CAT, MOD, level, "%s", msgbuf);
+	}
+}
+
+const char *
+cfg_obj_file(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+
+	return (obj->file);
+}
+
+unsigned int
+cfg_obj_line(const cfg_obj_t *obj) {
+	REQUIRE(obj != NULL);
+
+	return (obj->line);
+}
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	cfg_obj_t *obj;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
+
+	obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
+	if (obj == NULL)
+		return (ISC_R_NOMEMORY);
+
+	obj->type = type;
+	obj->file = current_file(pctx);
+	obj->line = pctx->line;
+	obj->pctx = pctx;
+
+	result = isc_refcount_init(&obj->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+		return (result);
+	}
+	*ret = obj;
+
+	return (ISC_R_SUCCESS);
+}
+
+
+static void
+map_symtabitem_destroy(char *key, unsigned int type,
+		       isc_symvalue_t symval, void *userarg)
+{
+	cfg_obj_t *obj = symval.as_pointer;
+	cfg_parser_t *pctx = (cfg_parser_t *)userarg;
+
+	UNUSED(key);
+	UNUSED(type);
+
+	cfg_obj_destroy(pctx, &obj);
+}
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+	isc_result_t result;
+	isc_symtab_t *symtab = NULL;
+	cfg_obj_t *obj = NULL;
+
+	CHECK(cfg_create_obj(pctx, type, &obj));
+	CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
+				map_symtabitem_destroy,
+				pctx, false, &symtab));
+	obj->value.map.symtab = symtab;
+	obj->value.map.id = NULL;
+
+	*ret = obj;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (obj != NULL)
+		isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+	return (result);
+}
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	CLEANUP_OBJ(obj->value.map.id);
+	isc_symtab_destroy(&obj->value.map.symtab);
+}
+
+bool
+cfg_obj_istype(const cfg_obj_t *obj, const cfg_type_t *type) {
+
+	REQUIRE(obj != NULL);
+	REQUIRE(type != NULL);
+
+	return (obj->type == type);
+}
+
+/*
+ * Destroy 'obj', a configuration object created in 'pctx'.
+ */
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
+	cfg_obj_t *obj;
+	unsigned int refs;
+
+	REQUIRE(objp != NULL && *objp != NULL);
+	REQUIRE(pctx != NULL);
+
+	obj = *objp;
+
+	isc_refcount_decrement(&obj->references, &refs);
+	if (refs == 0) {
+		obj->type->rep->free(pctx, obj);
+		isc_refcount_destroy(&obj->references);
+		isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+	}
+	*objp = NULL;
+}
+
+void
+cfg_obj_attach(cfg_obj_t *src, cfg_obj_t **dest) {
+    REQUIRE(src != NULL);
+    REQUIRE(dest != NULL && *dest == NULL);
+
+    isc_refcount_increment(&src->references, NULL);
+    *dest = src;
+}
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
+	UNUSED(pctx);
+	UNUSED(obj);
+}
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	type->doc(pctx, type);
+}
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
+	REQUIRE(pctx != NULL);
+	REQUIRE(type != NULL);
+
+	cfg_print_cstr(pctx, "<");
+	cfg_print_cstr(pctx, type->name);
+	cfg_print_cstr(pctx, ">");
+}
+
+void
+cfg_print_grammar(const cfg_type_t *type,
+	void (*f)(void *closure, const char *text, int textlen),
+	void *closure)
+{
+	cfg_printer_t pctx;
+
+	pctx.f = f;
+	pctx.closure = closure;
+	pctx.indent = 0;
+	pctx.flags = 0;
+	cfg_doc_obj(&pctx, type);
+}
+
+isc_result_t
+cfg_parser_mapadd(cfg_parser_t *pctx, cfg_obj_t *mapobj,
+		  cfg_obj_t *obj, const char *clausename)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	const cfg_map_t *map;
+	isc_symvalue_t symval;
+	cfg_obj_t *destobj = NULL;
+	cfg_listelt_t *elt = NULL;
+	const cfg_clausedef_t * const *clauseset;
+	const cfg_clausedef_t *clause;
+
+	REQUIRE(pctx != NULL);
+	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+	REQUIRE(obj != NULL);
+	REQUIRE(clausename != NULL);
+
+	map = &mapobj->value.map;
+
+	clause = NULL;
+	for (clauseset = map->clausesets; *clauseset != NULL; clauseset++) {
+		for (clause = *clauseset; clause->name != NULL; clause++) {
+			if (strcasecmp(clause->name, clausename) == 0) {
+				goto breakout;
+			}
+		}
+	}
+
+ breakout:
+	if (clause == NULL || clause->name == NULL)
+		return (ISC_R_FAILURE);
+
+	result = isc_symtab_lookup(map->symtab, clausename, 0, &symval);
+	if (result == ISC_R_NOTFOUND) {
+		if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
+			CHECK(cfg_create_list(pctx, &cfg_type_implicitlist,
+					      &destobj));
+			CHECK(create_listelt(pctx, &elt));
+			cfg_obj_attach(obj, &elt->obj);
+			ISC_LIST_APPEND(destobj->value.list, elt, link);
+			symval.as_pointer = destobj;
+		} else
+			symval.as_pointer = obj;
+
+		CHECK(isc_symtab_define(map->symtab, clausename, 1, symval,
+					isc_symexists_reject));
+	} else {
+		cfg_obj_t *destobj2 = symval.as_pointer;
+
+		INSIST(result == ISC_R_SUCCESS);
+
+		if (destobj2->type == &cfg_type_implicitlist) {
+			CHECK(create_listelt(pctx, &elt));
+			cfg_obj_attach(obj, &elt->obj);
+			ISC_LIST_APPEND(destobj2->value.list, elt, link);
+		} else
+			result = ISC_R_EXISTS;
+	}
+
+	destobj = NULL;
+	elt = NULL;
+
+ cleanup:
+	if (elt != NULL)
+		free_listelt(pctx, elt);
+	CLEANUP_OBJ(destobj);
+
+	return (result);
+}
diff --git a/lib/isccfg/tests/Atffile b/lib/isccfg/tests/Atffile
new file mode 100644
index 0000000..f399e12
--- /dev/null
+++ b/lib/isccfg/tests/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: parser_test
diff --git a/lib/isccfg/tests/Kyuafile b/lib/isccfg/tests/Kyuafile
new file mode 100644
index 0000000..342d25f
--- /dev/null
+++ b/lib/isccfg/tests/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+atf_test_program{name='parser_test'}
diff --git a/lib/isccfg/tests/Makefile.in b/lib/isccfg/tests/Makefile.in
new file mode 100644
index 0000000..327226b
--- /dev/null
+++ b/lib/isccfg/tests/Makefile.in
@@ -0,0 +1,54 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude \
+		${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+		@DST_OPENSSL_INC@
+CDEFINES =	@CRYPTO@ -DTESTS="\"${top_builddir}/lib/dns/tests/\""
+
+ISCLIBS =	../../isc/libisc.@A@
+ISCDEPLIBS =	../../isc/libisc.@A@
+DNSLIBS =	../../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSDEPLIBS =	../../dns/libdns.@A@
+ISCCFGLIBS = 	../libisccfg.@A@
+ISCCFGDEPLIBS = ../libisccfg.@A@
+
+LIBS =		@LIBS@ @ATFLIBS@
+
+OBJS =
+SRCS =		parser_test.c
+
+SUBDIRS =
+TARGETS =	parser_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+parser_test@EXEEXT@: parser_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			parser_test.@O@ ${ISCCFGLIBS} ${DNSLIBS} \
+				${ISCLIBS} ${LIBS}
+
+unit::
+	sh ${top_builddir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/isccfg/tests/parser_test.c b/lib/isccfg/tests/parser_test.c
new file mode 100644
index 0000000..606bbeb
--- /dev/null
+++ b/lib/isccfg/tests/parser_test.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/namedconf.h>
+
+#define CHECK(r) \
+	do { \
+		result = (r); \
+		if (result != ISC_R_SUCCESS) \
+			goto cleanup; \
+	} while (0)
+
+isc_mem_t *mctx = NULL;
+isc_log_t *lctx = NULL;
+static isc_logcategory_t categories[] = {
+		{ "",                0 },
+		{ "client",          0 },
+		{ "network",         0 },
+		{ "update",          0 },
+		{ "queries",         0 },
+		{ "unmatched",       0 },
+		{ "update-security", 0 },
+		{ "query-errors",    0 },
+		{ NULL,              0 }
+};
+
+static void
+cleanup() {
+	if (lctx != NULL)
+		isc_log_destroy(&lctx);
+	if (mctx != NULL)
+		isc_mem_destroy(&mctx);
+}
+
+static isc_result_t
+setup() {
+	isc_result_t result;
+
+	isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+	CHECK(isc_mem_create(0, 0, &mctx));
+
+	isc_logdestination_t destination;
+	isc_logconfig_t *logconfig = NULL;
+
+	CHECK(isc_log_create(mctx, &lctx, &logconfig));
+	isc_log_registercategories(lctx, categories);
+	isc_log_setcontext(lctx);
+
+	destination.file.stream = stderr;
+	destination.file.name = NULL;
+	destination.file.versions = ISC_LOG_ROLLNEVER;
+	destination.file.maximum_size = 0;
+	CHECK(isc_log_createchannel(logconfig, "stderr",
+				    ISC_LOG_TOFILEDESC,
+				    ISC_LOG_DYNAMIC,
+				    &destination, 0));
+	CHECK(isc_log_usechannel(logconfig, "stderr", NULL, NULL));
+
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	cleanup();
+	return (result);
+}
+
+ATF_TC(parse_buffer);
+ATF_TC_HEAD(parse_buffer, tc) {
+	atf_tc_set_md_var(tc, "descr", "cfg_parse_buffer");
+}
+ATF_TC_BODY(parse_buffer, tc) {
+	isc_result_t result;
+	unsigned char text[] = "options\n{\nrecursion yes;\n};\n";
+	isc_buffer_t buf1, buf2;
+	cfg_parser_t *p1 = NULL, *p2 = NULL;
+	cfg_obj_t *c1 = NULL, *c2 = NULL;
+
+	UNUSED(tc);
+
+	setup();
+
+	isc_buffer_init(&buf1, &text[0], sizeof(text) - 1);
+	isc_buffer_add(&buf1, sizeof(text) - 1);
+
+	/* Parse with default line numbering */
+	result = cfg_parser_create(mctx, lctx, &p1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = cfg_parse_buffer3(p1, &buf1, "text1", 0,
+				   &cfg_type_namedconf, &c1);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(p1->line, 5);
+
+	isc_buffer_init(&buf2, &text[0], sizeof(text) - 1);
+	isc_buffer_add(&buf2, sizeof(text) - 1);
+
+	/* Parse with changed line number */
+	result = cfg_parser_create(mctx, lctx, &p2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = cfg_parse_buffer3(p2, &buf2, "text2", 100,
+				   &cfg_type_namedconf, &c2);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	ATF_REQUIRE_EQ(p2->line, 104);
+
+	cfg_obj_destroy(p1, &c1);
+	cfg_obj_destroy(p2, &c2);
+
+	cfg_parser_destroy(&p1);
+	cfg_parser_destroy(&p2);
+
+	cleanup();
+}
+
+ATF_TC(cfg_map_firstclause);
+ATF_TC_HEAD(cfg_map_firstclause, tc) {
+	atf_tc_set_md_var(tc, "descr", "cfg_map_firstclause");
+}
+ATF_TC_BODY(cfg_map_firstclause, tc) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(tc);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	ATF_CHECK(name != NULL);
+	ATF_CHECK(clauses != NULL);
+	ATF_CHECK_EQ(idx, 0);
+}
+
+ATF_TC(cfg_map_nextclause);
+ATF_TC_HEAD(cfg_map_nextclause, tc) {
+	atf_tc_set_md_var(tc, "descr", "cfg_map_firstclause");
+}
+ATF_TC_BODY(cfg_map_nextclause, tc) {
+	const char *name = NULL;
+	const void *clauses = NULL;
+	unsigned int idx;
+
+	UNUSED(tc);
+
+	name = cfg_map_firstclause(&cfg_type_zoneopts, &clauses, &idx);
+	ATF_REQUIRE(name != NULL);
+	ATF_REQUIRE(clauses != NULL);
+	ATF_REQUIRE_EQ(idx, ISC_R_SUCCESS);
+
+	do {
+		name = cfg_map_nextclause(&cfg_type_zoneopts, &clauses, &idx);
+		if (name != NULL) {
+			ATF_CHECK(clauses != NULL);
+		} else {
+			ATF_CHECK_EQ(clauses, NULL);
+			ATF_CHECK_EQ(idx, 0);
+		}
+	} while (name != NULL);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, parse_buffer);
+	ATF_TP_ADD_TC(tp, cfg_map_firstclause);
+	ATF_TP_ADD_TC(tp, cfg_map_nextclause);
+	return (atf_no_error());
+}
diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c
new file mode 100644
index 0000000..51ed4b5
--- /dev/null
+++ b/lib/isccfg/version.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*! \file */
+
+#include <isccfg/version.h>
+
+const char cfg_version[] = VERSION;
+
+const unsigned int cfg_libinterface = LIBINTERFACE;
+const unsigned int cfg_librevision = LIBREVISION;
+const unsigned int cfg_libage = LIBAGE;
+
diff --git a/lib/isccfg/win32/DLLMain.c b/lib/isccfg/win32/DLLMain.c
new file mode 100644
index 0000000..93c2893
--- /dev/null
+++ b/lib/isccfg/win32/DLLMain.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason)
+	{
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/*
+	 * The attached process creates a new thread.
+	 */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/isccfg/win32/libisccfg.def b/lib/isccfg/win32/libisccfg.def
new file mode 100644
index 0000000..c5e9be7
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.def
@@ -0,0 +1,165 @@
+LIBRARY libisccfg
+
+; Exported Functions
+EXPORTS
+
+cfg_acl_fromconfig
+cfg_acl_fromconfig2
+cfg_aclconfctx_attach
+cfg_aclconfctx_create
+cfg_aclconfctx_detach
+cfg_clause_validforzone
+cfg_create_list
+cfg_create_obj
+cfg_create_tuple
+cfg_doc_bracketed_list
+cfg_doc_enum
+cfg_doc_map
+cfg_doc_mapbody
+cfg_doc_obj
+cfg_doc_sockaddr
+cfg_doc_terminal
+cfg_doc_tuple
+cfg_doc_void
+cfg_gettoken
+cfg_is_enum
+cfg_list_first
+cfg_list_length
+cfg_list_next
+cfg_listelt_value
+cfg_log_init
+cfg_lookingat_netaddr
+cfg_map_count
+cfg_map_firstclause
+cfg_map_get
+cfg_map_getname
+cfg_map_nextclause
+cfg_obj_asboolean
+cfg_obj_asfixedpoint
+cfg_obj_asnetprefix
+cfg_obj_aspercentage
+cfg_obj_assockaddr
+cfg_obj_asstring
+cfg_obj_asuint32
+cfg_obj_asuint64
+cfg_obj_attach
+cfg_obj_destroy
+cfg_obj_file
+cfg_obj_getdscp
+cfg_obj_isboolean
+cfg_obj_isfixedpoint
+cfg_obj_islist
+cfg_obj_ismap
+cfg_obj_isnetprefix
+cfg_obj_ispercentage
+cfg_obj_issockaddr
+cfg_obj_isstring
+cfg_obj_istuple
+cfg_obj_istype
+cfg_obj_isuint32
+cfg_obj_isuint64
+cfg_obj_isvoid
+cfg_obj_line
+cfg_obj_log
+cfg_parse_addressed_map
+cfg_parse_astring
+cfg_parse_boolean
+cfg_parse_bracketed_list
+cfg_parse_buffer
+cfg_parse_buffer2
+cfg_parse_buffer3
+cfg_parse_buffer4
+cfg_parse_dscp
+cfg_parse_enum
+cfg_parse_file
+cfg_parse_fixedpoint
+cfg_parse_listelt
+cfg_parse_map
+cfg_parse_mapbody
+cfg_parse_named_map
+cfg_parse_netprefix
+cfg_parse_netprefix_map
+cfg_parse_obj
+cfg_parse_percentage
+cfg_parse_qstring
+cfg_parse_rawaddr
+cfg_parse_rawport
+cfg_parse_sockaddr
+cfg_parse_spacelist
+cfg_parse_special
+cfg_parse_sstring
+cfg_parse_tuple
+cfg_parse_uint32
+cfg_parse_void
+cfg_parser_attach
+cfg_parser_create
+cfg_parser_destroy
+cfg_parser_error
+cfg_parser_mapadd
+cfg_parser_reset
+cfg_parser_setcallback
+cfg_parser_warning
+cfg_peektoken
+cfg_print
+cfg_print_boolean
+cfg_print_bracketed_list
+cfg_print_chars
+cfg_print_clauseflags
+cfg_print_cstr
+cfg_print_fixedpoint
+cfg_print_grammar
+cfg_print_indent
+cfg_print_map
+cfg_print_mapbody
+cfg_print_obj
+cfg_print_percentage
+cfg_print_rawaddr
+cfg_print_rawuint
+cfg_print_sockaddr
+cfg_print_spacelist
+cfg_print_tuple
+cfg_print_uint32
+cfg_print_uint64
+cfg_print_ustring
+cfg_print_void
+cfg_print_zonegrammar
+cfg_printx
+cfg_tuple_get
+cfg_ungettoken
+
+; Exported Data
+
+;cfg_rep_boolean
+;cfg_rep_fixedpoint
+;cfg_rep_list
+;cfg_rep_map
+;cfg_rep_netprefix
+;cfg_rep_percentage
+;cfg_rep_sockaddr
+;cfg_rep_string
+;cfg_rep_tuple
+;cfg_rep_uint32
+;cfg_rep_uint64
+;cfg_rep_void
+;cfg_type_astring
+;cfg_type_boolean
+;cfg_type_bracketed_text
+;cfg_type_fixedpoint
+;cfg_type_netaddr
+;cfg_type_netaddr4
+;cfg_type_netaddr4wild
+;cfg_type_netaddr6
+;cfg_type_netaddr6wild
+;cfg_type_netprefix
+;cfg_type_percentage
+;cfg_type_qstring
+;cfg_type_rndcconf
+;cfg_type_sockaddr
+;cfg_type_sockaddrdscp
+;cfg_type_sstring
+;cfg_type_token
+;cfg_type_uint32
+;cfg_type_uint64
+;cfg_type_unsupported
+;cfg_type_ustring
+;cfg_type_void
diff --git a/lib/isccfg/win32/libisccfg.dsp.in b/lib/isccfg/win32/libisccfg.dsp.in
new file mode 100644
index 0000000..425af5a
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.dsp.in
@@ -0,0 +1,169 @@
+# Microsoft Developer Studio Project File - Name="libisccfg" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=libisccfg - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccfg - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisccfg - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../dns/win32/Release/libdns.lib ../../isc/win32/Release/libisc.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/libisccfg.dll"
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "libisccfg_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../dns/win32/debug/libdns.lib ../../isc/win32/debug/libisc.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/libisccfg.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "libisccfg - @PLATFORM@ Release"
+# Name "libisccfg - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\aclconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\dnsconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\log.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\namedconf.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\parser.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\isccfg\cfg.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\check.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\grammar.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\aclconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\dnsconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\log.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\namedconf.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\isccfg\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\libisccfg.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/isccfg/win32/libisccfg.dsw b/lib/isccfg/win32/libisccfg.dsw
new file mode 100644
index 0000000..2851ea8
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "libisccfg"=".\libisccfg.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/isccfg/win32/libisccfg.mak.in b/lib/isccfg/win32/libisccfg.mak.in
new file mode 100644
index 0000000..aa24b27
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.mak.in
@@ -0,0 +1,490 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on libisccfg.dsp
+!IF "$(CFG)" == ""
+CFG=libisccfg - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to libisccfg - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "libisccfg - @PLATFORM@ Release" && "$(CFG)" != "libisccfg - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "libisccfg.mak" CFG="libisccfg - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "libisccfg - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "libisccfg - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Release\libisccfg.dll"
+
+!ELSE 
+
+ALL : "libdns - @PLATFORM@ Release" "libisc - @PLATFORM@ Release" "..\..\..\Build\Release\libisccfg.dll"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libdns - @PLATFORM@ ReleaseCLEAN" "libisc - @PLATFORM@ ReleaseCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\aclconf.obj"
+	-@erase "$(INTDIR)\dnsconf.obj"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\namedconf.obj"
+	-@erase "$(INTDIR)\parser.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\libisccfg.exp"
+	-@erase "$(OUTDIR)\libisccfg.lib"
+	-@erase "..\..\..\Build\Release\libisccfg.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBISCCFG_EXPORTS" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../dns/win32/Release/libdns.lib ../../isc/win32/Release/libisc.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\libisccfg.pdb" @MACHINE@ /def:".\libisccfg.def" /out:"../../../Build/Release/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" 
+DEF_FILE= \
+	".\libisccfg.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\aclconf.obj" \
+	"$(INTDIR)\dnsconf.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\parser.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\namedconf.obj" \
+	"..\..\dns\win32\Release\libdns.lib" \
+	"..\..\isc\win32\Release\libisc.lib"
+
+"..\..\..\Build\Release\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+!IF "$(RECURSE)" == "0" 
+
+ALL : "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"
+
+!ELSE 
+
+ALL : "libisc - @PLATFORM@ Debug" "..\..\..\Build\Debug\libisccfg.dll" "$(OUTDIR)\libisccfg.bsc"
+
+!ENDIF 
+
+!IF "$(RECURSE)" == "1" 
+CLEAN :"libisc - @PLATFORM@ DebugCLEAN" 
+!ELSE 
+CLEAN :
+!ENDIF 
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\aclconf.obj"
+	-@erase "$(INTDIR)\aclconf.sbr"
+	-@erase "$(INTDIR)\dnsconf.obj"
+	-@erase "$(INTDIR)\dnsconf.sbr"
+	-@erase "$(INTDIR)\log.obj"
+	-@erase "$(INTDIR)\log.sbr"
+	-@erase "$(INTDIR)\namedconf.obj"
+	-@erase "$(INTDIR)\namedconf.sbr"
+	-@erase "$(INTDIR)\parser.obj"
+	-@erase "$(INTDIR)\parser.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\libisccfg.bsc"
+	-@erase "$(OUTDIR)\libisccfg.exp"
+	-@erase "$(OUTDIR)\libisccfg.lib"
+	-@erase "$(OUTDIR)\libisccfg.pdb"
+	-@erase "..\..\..\Build\Debug\libisccfg.dll"
+	-@erase "..\..\..\Build\Debug\libisccfg.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../" /I "include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" @LIBXML2_INC@ @GEOIP_INC@ /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBISCCFG_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\libisccfg.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\libisccfg.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\aclconf.sbr" \
+	"$(INTDIR)\dnsconf.sbr" \
+	"$(INTDIR)\log.sbr" \
+	"$(INTDIR)\parser.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\namedconf.sbr"
+
+"$(OUTDIR)\libisccfg.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../dns/win32/debug/libdns.lib ../../isc/win32/debug/libisc.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\libisccfg.pdb" /debug @MACHINE@ /def:".\libisccfg.def" /out:"../../../Build/Debug/libisccfg.dll" /implib:"$(OUTDIR)\libisccfg.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\libisccfg.def"
+LINK32_OBJS= \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\aclconf.obj" \
+	"$(INTDIR)\dnsconf.obj" \
+	"$(INTDIR)\log.obj" \
+	"$(INTDIR)\parser.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\namedconf.obj" \
+	"..\..\dns\win32\Debug\libdns.lib" \
+	"..\..\isc\win32\Debug\libisc.lib"
+
+"..\..\..\Build\Debug\libisccfg.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("libisccfg.dep")
+!INCLUDE "libisccfg.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "libisccfg.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "libisccfg - @PLATFORM@ Release" || "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\aclconf.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\aclconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\aclconf.obj"	"$(INTDIR)\aclconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\dnsconf.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\dnsconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\dnsconf.obj"	"$(INTDIR)\dnsconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\log.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\log.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\log.obj"	"$(INTDIR)\log.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\namedconf.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\namedconf.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\namedconf.obj"	"$(INTDIR)\namedconf.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\parser.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\parser.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\parser.obj"	"$(INTDIR)\parser.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+!IF  "$(CFG)" == "libisccfg - @PLATFORM@ Release"
+
+"libdns - @PLATFORM@ Release" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" 
+   cd "..\..\isccfg\win32"
+
+"libdns - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+"libisc - @PLATFORM@ Release" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" 
+   cd "..\..\isccfg\win32"
+
+"libisc - @PLATFORM@ ReleaseCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Release" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+!ELSEIF  "$(CFG)" == "libisccfg - @PLATFORM@ Debug"
+
+"libdns - @PLATFORM@ Debug" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" 
+   cd "..\..\isccfg\win32"
+
+"libdns - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\dns\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libdns.mak" CFG="libdns - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+"libisc - @PLATFORM@ Debug" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" 
+   cd "..\..\isccfg\win32"
+
+"libisc - @PLATFORM@ DebugCLEAN" : 
+   cd "..\..\isc\win32"
+   $(MAKE) /$(MAKEFLAGS) /F ".\libisc.mak" CFG="libisc - @PLATFORM@ Debug" RECURSE=1 CLEAN 
+   cd "..\..\isccfg\win32"
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.filters.in b/lib/isccfg/win32/libisccfg.vcxproj.filters.in
new file mode 100644
index 0000000..46b4e54
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.filters.in
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="libisccfg.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\aclconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\dnsconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\log.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\namedconf.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\parser.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccfg\aclconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\dnsconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\cfg.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\grammar.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\log.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\namedconf.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\isccfg\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.in b/lib/isccfg/win32/libisccfg.vcxproj.in
new file mode 100644
index 0000000..74a445f
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.in
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B2DFA58C-6347-478E-81E8-01E06999D4F1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>libisccfg</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalLibraryDirectories>..\..\dns\win32\$(Configuration);..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libdns.lib;libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBISCCFG_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;@LIBXML2_INC@@GEOIP_INC@%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalLibraryDirectories>..\..\dns\win32\$(Configuration);..\..\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libdns.lib;libisc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="libisccfg.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\aclconf.c" />
+    <ClCompile Include="..\dnsconf.c" />
+    <ClCompile Include="..\log.c" />
+    <ClCompile Include="..\namedconf.c" />
+    <ClCompile Include="..\parser.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\isccfg\aclconf.h" />
+    <ClInclude Include="..\include\isccfg\dnsconf.h" />
+    <ClInclude Include="..\include\isccfg\cfg.h" />
+    <ClInclude Include="..\include\isccfg\grammar.h" />
+    <ClInclude Include="..\include\isccfg\log.h" />
+    <ClInclude Include="..\include\isccfg\namedconf.h" />
+    <ClInclude Include="..\include\isccfg\version.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/isccfg/win32/libisccfg.vcxproj.user b/lib/isccfg/win32/libisccfg.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/isccfg/win32/libisccfg.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/isccfg/win32/version.c b/lib/isccfg/win32/version.c
new file mode 100644
index 0000000..4a69e87
--- /dev/null
+++ b/lib/isccfg/win32/version.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <versions.h>
+
+#include <isccfg/version.h>
+
+LIBISCCFG_EXTERNAL_DATA const char cfg_version[] = VERSION;
+
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_libinterface = LIBINTERFACE;
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_librevision = LIBREVISION;
+LIBISCCFG_EXTERNAL_DATA const unsigned int cfg_libage = LIBAGE;
+
diff --git a/lib/lwres/Atffile b/lib/lwres/Atffile
new file mode 100644
index 0000000..1edb838
--- /dev/null
+++ b/lib/lwres/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: tests
diff --git a/lib/lwres/Kyuafile b/lib/lwres/Kyuafile
new file mode 100644
index 0000000..0739e3a
--- /dev/null
+++ b/lib/lwres/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+include('tests/Kyuafile')
diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in
new file mode 100644
index 0000000..4d0f505
--- /dev/null
+++ b/lib/lwres/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.34 2007/06/19 23:47:22 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@LIBLWRES_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/unix/include \
+		-I. -I./include -I${srcdir}/include ${ISC_INCLUDES}
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS =		compat.@O@ context.@O@ \
+		gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
+		getipnode.@O@ getnameinfo.@O@ getrrset.@O@ herror.@O@ \
+		lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
+		lwres_gabn.@O@ lwres_gnba.@O@ lwres_grbn.@O@ lwres_noop.@O@ \
+		lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@ print.@O@
+
+# Alphabetically
+SRCS =		compat.c context.c gai_strerror.c getaddrinfo.c gethost.c \
+		getipnode.c getnameinfo.c getrrset.c herror.c \
+		lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
+		lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
+		lwinetaton.c lwinetpton.c lwinetntop.c print.c
+
+LIBS =		@LIBS@
+
+SUBDIRS =	include man unix
+TARGETS =	timestamp
+TESTDIRS =	@UNITTESTS@
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+		-DVERSION=\"${VERSION}\" \
+		-DLIBINTERFACE=${LIBINTERFACE} \
+		-DLIBREVISION=${LIBREVISION} \
+		-DLIBAGE=${LIBAGE} \
+		-c ${srcdir}/version.c
+
+liblwres.@SA@: ${OBJS} version.@O@
+	${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+	${RANLIB} $@
+
+liblwres.la: ${OBJS} version.@O@
+	${LIBTOOL_MODE_LINK} \
+		${CC} ${ALL_CFLAGS} ${LDFLAGS} -o liblwres.la -rpath ${libdir} \
+		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+		${OBJS} version.@O@ ${LIBS}
+
+timestamp: liblwres.@A@
+	touch timestamp
+
+testdirs: liblwres.@A@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+	${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} liblwres.@A@ ${DESTDIR}${libdir}
+
+uninstall::
+	${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/liblwres.@A@
+
+clean distclean::
+	rm -f liblwres.@A@ liblwres.la timestamp
diff --git a/lib/lwres/api b/lib/lwres/api
new file mode 100644
index 0000000..79bb9eb
--- /dev/null
+++ b/lib/lwres/api
@@ -0,0 +1,13 @@
+# LIBINTERFACE ranges
+# 9.6: 50-59, 110-119
+# 9.7: 60-79
+# 9.8: 80-89, 120-129
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 161
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/lib/lwres/assert_p.h b/lib/lwres/assert_p.h
new file mode 100644
index 0000000..3b44f25
--- /dev/null
+++ b/lib/lwres/assert_p.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+#ifndef LWRES_ASSERT_P_H
+#define LWRES_ASSERT_P_H 1
+
+/*! \file */
+
+#include <assert.h>		/* Required for assert() prototype. */
+
+#define REQUIRE(x)		assert(x)
+#define INSIST(x)		assert(x)
+
+#define UNUSED(x)		((void)(x))
+#define POST(x)			((void)(x))
+
+#define SPACE_OK(b, s)		(LWRES_BUFFER_AVAILABLECOUNT(b) >= (s))
+#define SPACE_REMAINING(b, s)	(LWRES_BUFFER_REMAINING(b) >= (s))
+
+#endif /* LWRES_ASSERT_P_H */
diff --git a/lib/lwres/compat.c b/lib/lwres/compat.c
new file mode 100644
index 0000000..5d78067
--- /dev/null
+++ b/lib/lwres/compat.c
@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1990, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! \file */
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <limits.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <lwres/stdlib.h>
+#include <lwres/string.h>
+
+#define DE_CONST(konst, var) \
+	do { \
+		union { const void *k; void *v; } _u; \
+		_u.k = konst; \
+		var = _u.v; \
+	} while (0)
+
+/*!
+ * Convert a string to an unsigned long integer.
+ *
+ * Ignores `locale' stuff.  Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+unsigned long
+lwres_strtoul(const char *nptr, char **endptr, int base) {
+	const char *s = nptr;
+	unsigned long acc;
+	unsigned char c;
+	unsigned long cutoff;
+	int neg = 0, any, cutlim;
+
+	/*
+	 * See strtol for comments as to the logic used.
+	 */
+	do {
+		c = *s++;
+	} while (isspace(c));
+	if (c == '-') {
+		neg = 1;
+		c = *s++;
+	} else if (c == '+')
+		c = *s++;
+	if ((base == 0 || base == 16) &&
+	    c == '0' && (*s == 'x' || *s == 'X')) {
+		c = s[1];
+		s += 2;
+		base = 16;
+	}
+	if (base == 0)
+		base = c == '0' ? 8 : 10;
+	cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
+	cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
+	for (acc = 0, any = 0;; c = *s++) {
+		if (!isascii(c))
+			break;
+		if (isdigit(c))
+			c -= '0';
+		else if (isalpha(c))
+			c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+		else
+			break;
+		if (c >= base)
+			break;
+		if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
+			any = -1;
+		else {
+			any = 1;
+			acc *= base;
+			acc += c;
+		}
+	}
+	if (any < 0) {
+		acc = ULONG_MAX;
+		errno = ERANGE;
+	} else if (neg)
+		/* XXX: acc was declared unsigned! */
+		acc = -acc;
+	if (endptr != 0)
+		DE_CONST(any ? s - 1 : nptr, *endptr);
+	return (acc);
+}
+
+size_t
+lwres_strlcpy(char *dst, const char *src, size_t size) {
+	char *d = dst;
+	const char *s = src;
+	size_t n = size;
+
+	/* Copy as many bytes as will fit */
+	if (n != 0U && --n != 0U) {
+		do {
+			if ((*d++ = *s++) == 0)
+				break;
+		} while (--n != 0U);
+	}
+
+	/* Not enough room in dst, add NUL and traverse rest of src */
+	if (n == 0U) {
+		if (size != 0U)
+			*d = '\0';		/* NUL-terminate dst */
+		while (*s++)
+			;
+	}
+
+	return(s - src - 1);	/* count does not include NUL */
+}
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
new file mode 100644
index 0000000..b991d67
--- /dev/null
+++ b/lib/lwres/context.c
@@ -0,0 +1,511 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: context.c,v 1.55 2009/09/02 23:48:03 tbox Exp $ */
+
+/*! \file context.c
+   lwres_context_create() creates a #lwres_context_t structure for use in
+   lightweight resolver operations. It holds a socket and other data
+   needed for communicating with a resolver daemon. The new
+   lwres_context_t is returned through contextp, a pointer to a
+   lwres_context_t pointer. This lwres_context_t pointer must initially
+   be NULL, and is modified to point to the newly created
+   lwres_context_t.
+
+   When the lightweight resolver needs to perform dynamic memory
+   allocation, it will call malloc_function to allocate memory and
+   free_function to free it. If malloc_function and free_function are
+   NULL, memory is allocated using malloc and free. It is not
+   permitted to have a NULL malloc_function and a non-NULL free_function
+   or vice versa. arg is passed as the first parameter to the memory
+   allocation functions. If malloc_function and free_function are NULL,
+   arg is unused and should be passed as NULL.
+
+   Once memory for the structure has been allocated, it is initialized
+   using lwres_conf_init() and returned via *contextp.
+
+   lwres_context_destroy() destroys a #lwres_context_t, closing its
+   socket. contextp is a pointer to a pointer to the context that is to
+   be destroyed. The pointer will be set to NULL when the context has
+   been destroyed.
+
+   The context holds a serial number that is used to identify resolver
+   request packets and associate responses with the corresponding
+   requests. This serial number is controlled using
+   lwres_context_initserial() and lwres_context_nextserial().
+   lwres_context_initserial() sets the serial number for context *ctx to
+   serial. lwres_context_nextserial() increments the serial number and
+   returns the previous value.
+
+   Memory for a lightweight resolver context is allocated and freed using
+   lwres_context_allocmem() and lwres_context_freemem(). These use
+   whatever allocations were defined when the context was created with
+   lwres_context_create(). lwres_context_allocmem() allocates len bytes
+   of memory and if successful returns a pointer to the allocated
+   storage. lwres_context_freemem() frees len bytes of space starting at
+   location mem.
+
+   lwres_context_sendrecv() performs I/O for the context ctx. Data are
+   read and written from the context's socket. It writes data from
+   sendbase -- typically a lightweight resolver query packet -- and waits
+   for a reply which is copied to the receive buffer at recvbase. The
+   number of bytes that were written to this receive buffer is returned
+   in *recvd_len.
+
+\section context_return Return Values
+
+   lwres_context_create() returns #LWRES_R_NOMEMORY if memory for the
+   struct lwres_context could not be allocated, #LWRES_R_SUCCESS
+   otherwise.
+
+   Successful calls to the memory allocator lwres_context_allocmem()
+   return a pointer to the start of the allocated space. It returns NULL
+   if memory could not be allocated.
+
+   #LWRES_R_SUCCESS is returned when lwres_context_sendrecv() completes
+   successfully. #LWRES_R_IOERROR is returned if an I/O error occurs and
+   #LWRES_R_TIMEOUT is returned if lwres_context_sendrecv() times out
+   waiting for a response.
+
+\section context_see See Also
+
+   lwres_conf_init(), malloc, free.
+ */
+#include <config.h>
+
+#include <fcntl.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/platform.h>
+
+#ifdef LWRES_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*!
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t.  The last is what the current POSIX standard mandates.
+ * This definition is here so it can be portable but easily changed if needed.
+ */
+#ifndef LWRES_SOCKADDR_LEN_T
+#define LWRES_SOCKADDR_LEN_T unsigned int
+#endif
+
+/*!
+ * Make a socket nonblocking.
+ */
+#ifndef MAKE_NONBLOCKING
+#define MAKE_NONBLOCKING(sd, retval) \
+do { \
+	retval = fcntl(sd, F_GETFL, 0); \
+	if (retval != -1) { \
+		retval |= O_NONBLOCK; \
+		retval = fcntl(sd, F_SETFL, retval); \
+	} \
+} while (0)
+#endif
+
+LIBLWRES_EXTERNAL_DATA uint16_t lwres_udp_port = LWRES_UDP_PORT;
+LIBLWRES_EXTERNAL_DATA const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
+
+static void *
+lwres_malloc(void *, size_t);
+
+static void
+lwres_free(void *, void *, size_t);
+
+/*!
+ * lwres_result_t
+ */
+static lwres_result_t
+context_connect(lwres_context_t *);
+
+/*%
+ * Creates a #lwres_context_t structure for use in
+ *  lightweight resolver operations.
+ */
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg,
+		     lwres_malloc_t malloc_function,
+		     lwres_free_t free_function,
+		     unsigned int flags)
+{
+	lwres_context_t *ctx;
+
+	REQUIRE(contextp != NULL && *contextp == NULL);
+
+	/*
+	 * If we were not given anything special to use, use our own
+	 * functions.  These are just wrappers around malloc() and free().
+	 */
+	if (malloc_function == NULL || free_function == NULL) {
+		REQUIRE(malloc_function == NULL);
+		REQUIRE(free_function == NULL);
+		malloc_function = lwres_malloc;
+		free_function = lwres_free;
+	}
+
+	ctx = malloc_function(arg, sizeof(lwres_context_t));
+	if (ctx == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	/*
+	 * Set up the context.
+	 */
+	ctx->malloc = malloc_function;
+	ctx->free = free_function;
+	ctx->arg = arg;
+	ctx->sock = -1;
+
+	ctx->timeout = LWRES_DEFAULT_TIMEOUT;
+#ifndef WIN32
+	ctx->serial = time(NULL); /* XXXMLG or BEW */
+#else
+	ctx->serial = _time32(NULL);
+#endif
+
+	ctx->use_ipv4 = 1;
+	ctx->use_ipv6 = 1;
+	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
+	    LWRES_CONTEXT_USEIPV6) {
+		ctx->use_ipv4 = 0;
+	}
+	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
+	    LWRES_CONTEXT_USEIPV4) {
+		ctx->use_ipv6 = 0;
+	}
+
+	/*
+	 * Init resolv.conf bits.
+	 */
+	lwres_conf_init(ctx);
+
+	*contextp = ctx;
+	return (LWRES_R_SUCCESS);
+}
+
+/*%
+Destroys a #lwres_context_t, closing its socket.
+contextp is a pointer to a pointer to the context that is
+to be destroyed. The pointer will be set to NULL
+when the context has been destroyed.
+ */
+void
+lwres_context_destroy(lwres_context_t **contextp) {
+	lwres_context_t *ctx;
+
+	REQUIRE(contextp != NULL && *contextp != NULL);
+
+	ctx = *contextp;
+	*contextp = NULL;
+
+	if (ctx->sock != -1) {
+#ifdef WIN32
+		DestroySockets();
+#endif
+		(void)close(ctx->sock);
+		ctx->sock = -1;
+	}
+
+	CTXFREE(ctx, sizeof(lwres_context_t));
+}
+/*% Increments the serial number and returns the previous value. */
+uint32_t
+lwres_context_nextserial(lwres_context_t *ctx) {
+	REQUIRE(ctx != NULL);
+
+	return (ctx->serial++);
+}
+
+/*% Sets the serial number for context *ctx to serial. */
+void
+lwres_context_initserial(lwres_context_t *ctx, uint32_t serial) {
+	REQUIRE(ctx != NULL);
+
+	ctx->serial = serial;
+}
+
+/*% Frees len bytes of space starting at location mem. */
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
+	REQUIRE(mem != NULL);
+	REQUIRE(len != 0U);
+
+	CTXFREE(mem, len);
+}
+
+/*% Allocates len bytes of memory and if successful returns a pointer to the allocated storage. */
+void *
+lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
+	REQUIRE(len != 0U);
+
+	return (CTXMALLOC(len));
+}
+
+static void *
+lwres_malloc(void *arg, size_t len) {
+	void *mem;
+
+	UNUSED(arg);
+
+	mem = malloc(len);
+	if (mem == NULL)
+		return (NULL);
+
+	memset(mem, 0xe5, len);
+
+	return (mem);
+}
+
+static void
+lwres_free(void *arg, void *mem, size_t len) {
+	UNUSED(arg);
+
+	memset(mem, 0xa9, len);
+	free(mem);
+}
+
+static lwres_result_t
+context_connect(lwres_context_t *ctx) {
+#ifndef WIN32
+	int s;
+#else
+	SOCKET s;
+#endif
+	int ret;
+	struct sockaddr_in sin;
+	struct sockaddr_in6 sin6;
+	struct sockaddr *sa;
+	LWRES_SOCKADDR_LEN_T salen;
+	int domain;
+
+	if (ctx->confdata.lwnext != 0) {
+		memmove(&ctx->address, &ctx->confdata.lwservers[0],
+			sizeof(lwres_addr_t));
+		LWRES_LINK_INIT(&ctx->address, link);
+	} else {
+		/* The default is the IPv4 loopback address 127.0.0.1. */
+		memset(&ctx->address, 0, sizeof(ctx->address));
+		ctx->address.family = LWRES_ADDRTYPE_V4;
+		ctx->address.length = 4;
+		ctx->address.address[0] = 127;
+		ctx->address.address[1] = 0;
+		ctx->address.address[2] = 0;
+		ctx->address.address[3] = 1;
+	}
+
+	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+		memmove(&sin.sin_addr, ctx->address.address,
+			sizeof(sin.sin_addr));
+		sin.sin_port = htons(lwres_udp_port);
+		sin.sin_family = AF_INET;
+		sa = (struct sockaddr *)&sin;
+		salen = sizeof(sin);
+		domain = PF_INET;
+	} else if (ctx->address.family == LWRES_ADDRTYPE_V6) {
+		memmove(&sin6.sin6_addr, ctx->address.address,
+			sizeof(sin6.sin6_addr));
+		sin6.sin6_port = htons(lwres_udp_port);
+		sin6.sin6_family = AF_INET6;
+		sa = (struct sockaddr *)&sin6;
+		salen = sizeof(sin6);
+		domain = PF_INET6;
+	} else
+		return (LWRES_R_IOERROR);
+
+#ifdef WIN32
+	InitSockets();
+#endif
+	s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
+#ifndef WIN32
+	if (s < 0) {
+		return (LWRES_R_IOERROR);
+	}
+#else
+	if (s == INVALID_SOCKET) {
+		DestroySockets();
+		return (LWRES_R_IOERROR);
+	}
+#endif
+
+	ret = connect(s, sa, salen);
+	if (ret != 0) {
+#ifdef WIN32
+		DestroySockets();
+#endif
+		(void)close(s);
+		return (LWRES_R_IOERROR);
+	}
+
+	MAKE_NONBLOCKING(s, ret);
+	if (ret < 0) {
+#ifdef WIN32
+		DestroySockets();
+#endif
+		(void)close(s);
+		return (LWRES_R_IOERROR);
+	}
+
+	ctx->sock = (int)s;
+
+	return (LWRES_R_SUCCESS);
+}
+
+int
+lwres_context_getsocket(lwres_context_t *ctx) {
+	return (ctx->sock);
+}
+
+lwres_result_t
+lwres_context_send(lwres_context_t *ctx,
+		   void *sendbase, int sendlen) {
+	int ret;
+	lwres_result_t lwresult;
+
+	if (ctx->sock == -1) {
+		lwresult = context_connect(ctx);
+		if (lwresult != LWRES_R_SUCCESS)
+			return (lwresult);
+		INSIST(ctx->sock >= 0);
+	}
+
+	ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
+	if (ret < 0)
+		return (LWRES_R_IOERROR);
+	if (ret != sendlen)
+		return (LWRES_R_IOERROR);
+
+	return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_context_recv(lwres_context_t *ctx,
+		   void *recvbase, int recvlen,
+		   int *recvd_len)
+{
+	LWRES_SOCKADDR_LEN_T fromlen;
+	struct sockaddr_in sin;
+	struct sockaddr_in6 sin6;
+	struct sockaddr *sa;
+	int ret;
+
+	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+		sa = (struct sockaddr *)&sin;
+		fromlen = sizeof(sin);
+	} else {
+		sa = (struct sockaddr *)&sin6;
+		fromlen = sizeof(sin6);
+	}
+
+	/*
+	 * The address of fromlen is cast to void * to shut up compiler
+	 * warnings, namely on systems that have the sixth parameter
+	 * prototyped as a signed int when LWRES_SOCKADDR_LEN_T is
+	 * defined as unsigned.
+	 */
+	ret = recvfrom(ctx->sock, recvbase, recvlen, 0, sa, (void *)&fromlen);
+
+	if (ret < 0)
+		return (LWRES_R_IOERROR);
+
+	if (ret == recvlen)
+		return (LWRES_R_TOOLARGE);
+
+	/*
+	 * If we got something other than what we expect, have the caller
+	 * wait for another packet.  This can happen if an old result
+	 * comes in, or if someone is sending us random stuff.
+	 */
+	if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+		if (fromlen != sizeof(sin)
+		    || memcmp(&sin.sin_addr, ctx->address.address,
+			      sizeof(sin.sin_addr)) != 0
+		    || sin.sin_port != htons(lwres_udp_port))
+			return (LWRES_R_RETRY);
+	} else {
+		if (fromlen != sizeof(sin6)
+		    || memcmp(&sin6.sin6_addr, ctx->address.address,
+			      sizeof(sin6.sin6_addr)) != 0
+		    || sin6.sin6_port != htons(lwres_udp_port))
+			return (LWRES_R_RETRY);
+	}
+
+	if (recvd_len != NULL)
+		*recvd_len = ret;
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% performs I/O for the context ctx. */
+lwres_result_t
+lwres_context_sendrecv(lwres_context_t *ctx,
+		       void *sendbase, int sendlen,
+		       void *recvbase, int recvlen,
+		       int *recvd_len)
+{
+	lwres_result_t result;
+	int ret2;
+	fd_set readfds;
+	struct timeval timeout;
+
+	/*
+	 * Type of tv_sec is 32 bits long.
+	 */
+	if (ctx->timeout <= 0x7FFFFFFFU)
+		timeout.tv_sec = (int)ctx->timeout;
+	else
+		timeout.tv_sec = 0x7FFFFFFF;
+
+	timeout.tv_usec = 0;
+
+	result = lwres_context_send(ctx, sendbase, sendlen);
+	if (result != LWRES_R_SUCCESS)
+		return (result);
+
+	/*
+	 * If this is not checked, select() can overflow,
+	 * causing corruption elsewhere.
+	 */
+	if (ctx->sock >= (int)FD_SETSIZE) {
+		close(ctx->sock);
+		ctx->sock = -1;
+		return (LWRES_R_IOERROR);
+	}
+
+ again:
+	FD_ZERO(&readfds);
+	FD_SET(ctx->sock, &readfds);
+	ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
+
+	/*
+	 * What happened with select?
+	 */
+	if (ret2 < 0)
+		return (LWRES_R_IOERROR);
+	if (ret2 == 0)
+		return (LWRES_R_TIMEOUT);
+
+	result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
+	if (result == LWRES_R_RETRY)
+		goto again;
+
+	return (result);
+}
diff --git a/lib/lwres/context_p.h b/lib/lwres/context_p.h
new file mode 100644
index 0000000..dce0319
--- /dev/null
+++ b/lib/lwres/context_p.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: context_p.h,v 1.19 2008/12/17 23:47:58 tbox Exp $ */
+
+#ifndef LWRES_CONTEXT_P_H
+#define LWRES_CONTEXT_P_H 1
+
+#include <inttypes.h>
+
+/*! \file */
+
+/*@{*/
+/**
+ * Helper functions, assuming the context is always called "ctx" in
+ * the scope these functions are called from.
+ */
+#define CTXMALLOC(len)		ctx->malloc(ctx->arg, (len))
+#define CTXFREE(addr, len)	ctx->free(ctx->arg, (addr), (len))
+/*@}*/
+
+#define LWRES_DEFAULT_TIMEOUT	120	/* 120 seconds for a reply */
+
+/**
+ * Not all the attributes here are actually settable by the application at
+ * this time.
+ */
+struct lwres_context {
+	unsigned int		timeout;	/*%< time to wait for reply */
+	uint32_t		serial;		/*%< serial number state */
+
+	/*
+	 * For network I/O.
+	 */
+	int			sock;		/*%< socket to send on */
+	lwres_addr_t		address;	/*%< address to send to */
+	int			use_ipv4;	/*%< use IPv4 transaction */
+	int			use_ipv6;	/*%< use IPv6 transaction */
+
+	/*@{*/
+	/*
+	 * Function pointers for allocating memory.
+	 */
+	lwres_malloc_t		malloc;
+	lwres_free_t		free;
+	void		       *arg;
+	/*@}*/
+
+	/*%
+	 * resolv.conf-like data
+	 */
+	lwres_conf_t		confdata;
+};
+
+#endif /* LWRES_CONTEXT_P_H */
diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c
new file mode 100644
index 0000000..797fd09
--- /dev/null
+++ b/lib/lwres/gai_strerror.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: gai_strerror.c,v 1.22 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file gai_strerror.c
+ * lwres_gai_strerror() returns an error message corresponding to an
+ * error code returned by getaddrinfo(). The following error codes and
+ * their meaning are defined in \link netdb.h include/lwres/netdb.h.\endlink
+ *
+ * \li #EAI_ADDRFAMILY address family for hostname not supported
+ * \li #EAI_AGAIN temporary failure in name resolution
+ * \li #EAI_BADFLAGS invalid value for #ai_flags
+ * \li #EAI_FAIL non-recoverable failure in name resolution
+ * \li #EAI_FAMILY ai_family not supported
+ * \li #EAI_MEMORY memory allocation failure
+ * \li #EAI_NODATA no address associated with hostname
+ * \li #EAI_NONAME hostname or servname not provided, or not known
+ * \li #EAI_SERVICE servname not supported for ai_socktype
+ * \li #EAI_SOCKTYPE ai_socktype not supported
+ * \li #EAI_SYSTEM system error returned in errno
+ *
+ * The message invalid error code is returned if ecode is out of range.
+ *
+ * ai_flags, ai_family and ai_socktype are elements of the struct
+ * addrinfo used by lwres_getaddrinfo().
+ *
+ * \section gai_strerror_see See Also
+ *
+ * strerror, lwres_getaddrinfo(), getaddrinfo(), RFC2133.
+ */
+
+#include <config.h>
+
+#include <lwres/netdb.h>
+
+/*% Text of error messages. */
+static const char *gai_messages[] = {
+	"no error",
+	"address family for hostname not supported",
+	"temporary failure in name resolution",
+	"invalid value for ai_flags",
+	"non-recoverable failure in name resolution",
+	"ai_family not supported",
+	"memory allocation failure",
+	"no address associated with hostname",
+	"hostname nor servname provided, or not known",
+	"servname not supported for ai_socktype",
+	"ai_socktype not supported",
+	"system error returned in errno",
+	"bad hints",
+	"bad protocol",
+	"overflow"
+};
+
+/*% Returns an error message corresponding to an error code returned by getaddrinfo() */
+char *
+lwres_gai_strerror(int ecode) {
+	union {
+		const char *const_ptr;
+		char *deconst_ptr;
+	} ptr;
+
+	if ((ecode < 0) ||
+	    (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
+		ptr.const_ptr = "invalid error code";
+	else
+		ptr.const_ptr = gai_messages[ecode];
+	return (ptr.deconst_ptr);
+}
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
new file mode 100644
index 0000000..e26c944
--- /dev/null
+++ b/lib/lwres/getaddrinfo.c
@@ -0,0 +1,811 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddrinfo.c,v 1.54 2008/11/25 23:47:23 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    lwres_getaddrinfo() is used to get a list of IP addresses and port
+ *    numbers for host hostname and service servname. The function is the
+ *    lightweight resolver's implementation of getaddrinfo() as defined in
+ *    RFC2133. hostname and servname are pointers to null-terminated strings
+ *    or NULL. hostname is either a host name or a numeric host address
+ *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
+ *    either a decimal port number or a service name as listed in
+ *    /etc/services.
+ *
+ *    If the operating system does not provide a struct addrinfo, the
+ *    following structure is used:
+ *
+ * \code
+ * struct  addrinfo {
+ *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
+ *         int             ai_family;      // PF_xxx
+ *         int             ai_socktype;    // SOCK_xxx
+ *         int             ai_protocol;    // 0 or IPPROTO_xxx for IPv4 and IPv6
+ *         size_t          ai_addrlen;     // length of ai_addr
+ *         char            *ai_canonname;  // canonical name for hostname
+ *         struct sockaddr *ai_addr;       // binary address
+ *         struct addrinfo *ai_next;       // next structure in linked list
+ * };
+ * \endcode
+ *
+ *
+ *    hints is an optional pointer to a struct addrinfo. This structure can
+ *    be used to provide hints concerning the type of socket that the caller
+ *    supports or wishes to use. The caller can supply the following
+ *    structure elements in *hints:
+ *
+ * <ul>
+ *    <li>ai_family:
+ *           The protocol family that should be used. When ai_family is set
+ *           to PF_UNSPEC, it means the caller will accept any protocol
+ *           family supported by the operating system.</li>
+ *
+ *    <li>ai_socktype:
+ *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
+ *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
+ *           will accept any socket type.</li>
+ *
+ *    <li>ai_protocol:
+ *           indicates which transport protocol is wanted: IPPROTO_UDP or
+ *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
+ *           protocol.</li>
+ *
+ *    <li>ai_flags:
+ *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
+ *           lwres_getaddrinfo() will return a null-terminated string
+ *           containing the canonical name of the specified hostname in
+ *           ai_canonname of the first addrinfo structure returned. Setting
+ *           the AI_PASSIVE bit indicates that the returned socket address
+ *           structure is intended for used in a call to bind(2). In this
+ *           case, if the hostname argument is a NULL pointer, then the IP
+ *           address portion of the socket address structure will be set to
+ *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
+ *           address.<br /><br />
+ *
+ *           When ai_flags does not set the AI_PASSIVE bit, the returned
+ *           socket address structure will be ready for use in a call to
+ *           connect(2) for a connection-oriented protocol or connect(2),
+ *           sendto(2), or sendmsg(2) if a connectionless protocol was
+ *           chosen. The IP address portion of the socket address structure
+ *           will be set to the loopback address if hostname is a NULL
+ *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
+ *
+ *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
+ *           should be treated as a numeric string defining an IPv4 or IPv6
+ *           address and no name resolution should be attempted.
+ * </li></ul>
+ *
+ *    All other elements of the struct addrinfo passed via hints must be
+ *    zero.
+ *
+ *    A hints of NULL is treated as if the caller provided a struct addrinfo
+ *    initialized to zero with ai_familyset to PF_UNSPEC.
+ *
+ *    After a successful call to lwres_getaddrinfo(), *res is a pointer to a
+ *    linked list of one or more addrinfo structures. Each struct addrinfo
+ *    in this list cn be processed by following the ai_next pointer, until a
+ *    NULL pointer is encountered. The three members ai_family, ai_socktype,
+ *    and ai_protocol in each returned addrinfo structure contain the
+ *    corresponding arguments for a call to socket(2). For each addrinfo
+ *    structure in the list, the ai_addr member points to a filled-in socket
+ *    address structure of length ai_addrlen.
+ *
+ *    All of the information returned by lwres_getaddrinfo() is dynamically
+ *    allocated: the addrinfo structures, and the socket address structures
+ *    and canonical host name strings pointed to by the addrinfostructures.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to lwres_getaddrinfo() is released by
+ *    lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by
+ *    a call to lwres_getaddrinfo().
+ *
+ * \section lwresreturn RETURN VALUES
+ *
+ *    lwres_getaddrinfo() returns zero on success or one of the error codes
+ *    listed in gai_strerror() if an error occurs. If both hostname and
+ *    servname are NULL lwres_getaddrinfo() returns #EAI_NONAME.
+ *
+ * \section lwressee SEE ALSO
+ *
+ *    lwres(3), lwres_getaddrinfo(), lwres_freeaddrinfo(),
+ *    lwres_gai_strerror(), RFC2133, getservbyname(3), connect(2),
+ *    sendto(2), sendmsg(2), socket(2).
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <errno.h>
+#include <string.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+#include <lwres/stdlib.h>
+#include <lwres/string.h>
+
+#define SA(addr)	((struct sockaddr *)(addr))
+#define SIN(addr)	((struct sockaddr_in *)(addr))
+#define SIN6(addr)	((struct sockaddr_in6 *)(addr))
+#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
+
+/*! \struct addrinfo
+ */
+static struct addrinfo
+	*ai_reverse(struct addrinfo *oai),
+	*ai_clone(struct addrinfo *oai, int family),
+	*ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int get_local(const char *name, int socktype, struct addrinfo **res);
+#endif
+
+static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+    int socktype, int port);
+static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+    int socktype, int port);
+static void set_order(int, int (**)(const char *, int, struct addrinfo **,
+	 int, int));
+
+#define FOUND_IPV4	0x1
+#define FOUND_IPV6	0x2
+#define FOUND_MAX	2
+
+#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
+/*% Get a list of IP addresses and port numbers for host hostname and service servname. */
+int
+lwres_getaddrinfo(const char *hostname, const char *servname,
+	const struct addrinfo *hints, struct addrinfo **res)
+{
+	struct servent *sp;
+	const char *proto;
+	int family, socktype, flags, protocol;
+	struct addrinfo *ai, *ai_list;
+	int port, err, i;
+	int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
+		 int, int);
+
+	if (hostname == NULL && servname == NULL)
+		return (EAI_NONAME);
+
+	proto = NULL;
+	if (hints != NULL) {
+		if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
+			return (EAI_BADFLAGS);
+		if (hints->ai_addrlen || hints->ai_canonname ||
+		    hints->ai_addr || hints->ai_next) {
+			errno = EINVAL;
+			return (EAI_SYSTEM);
+		}
+		family = hints->ai_family;
+		socktype = hints->ai_socktype;
+		protocol = hints->ai_protocol;
+		flags = hints->ai_flags;
+		switch (family) {
+		case AF_UNSPEC:
+			switch (hints->ai_socktype) {
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			}
+			break;
+		case AF_INET:
+		case AF_INET6:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				proto = "tcp";
+				break;
+			case SOCK_DGRAM:
+				proto = "udp";
+				break;
+			case SOCK_RAW:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#ifdef	AF_LOCAL
+		case AF_LOCAL:
+			switch (hints->ai_socktype) {
+			case 0:
+				break;
+			case SOCK_STREAM:
+				break;
+			case SOCK_DGRAM:
+				break;
+			default:
+				return (EAI_SOCKTYPE);
+			}
+			break;
+#endif
+		default:
+			return (EAI_FAMILY);
+		}
+	} else {
+		protocol = 0;
+		family = 0;
+		socktype = 0;
+		flags = 0;
+	}
+
+#ifdef	AF_LOCAL
+	/*!
+	 * First, deal with AF_LOCAL.  If the family was not set,
+	 * then assume AF_LOCAL if the first character of the
+	 * hostname/servname is '/'.
+	 */
+
+	if (hostname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+		return (get_local(hostname, socktype, res));
+
+	if (servname != NULL &&
+	    (family == AF_LOCAL || (family == 0 && *servname == '/')))
+		return (get_local(servname, socktype, res));
+#endif
+
+	/*
+	 * Ok, only AF_INET and AF_INET6 left.
+	 */
+	ai_list = NULL;
+
+	/*
+	 * First, look up the service name (port) if it was
+	 * requested.  If the socket type wasn't specified, then
+	 * try and figure it out.
+	 */
+	if (servname != NULL) {
+		char *e;
+
+		port = strtol(servname, &e, 10);
+		if (*e == '\0') {
+			if (socktype == 0)
+				return (EAI_SOCKTYPE);
+			if (port < 0 || port > 65535)
+				return (EAI_SERVICE);
+			port = htons((unsigned short) port);
+		} else {
+			sp = getservbyname(servname, proto);
+			if (sp == NULL)
+				return (EAI_SERVICE);
+			port = sp->s_port;
+			if (socktype == 0) {
+				if (strcmp(sp->s_proto, "tcp") == 0)
+					socktype = SOCK_STREAM;
+				else if (strcmp(sp->s_proto, "udp") == 0)
+					socktype = SOCK_DGRAM;
+			}
+		}
+	} else
+		port = 0;
+
+	/*
+	 * Next, deal with just a service name, and no hostname.
+	 * (we verified that one of them was non-null up above).
+	 */
+	if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+		if (family == AF_INET || family == 0) {
+			ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN(ai->ai_addr)->sin_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		if (family == AF_INET6 || family == 0) {
+			ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+			if (ai == NULL) {
+				lwres_freeaddrinfo(ai_list);
+				return (EAI_MEMORY);
+			}
+			ai->ai_socktype = socktype;
+			ai->ai_protocol = protocol;
+			SIN6(ai->ai_addr)->sin6_port = port;
+			ai->ai_next = ai_list;
+			ai_list = ai;
+		}
+
+		*res = ai_list;
+		return (0);
+	}
+
+	/*
+	 * If the family isn't specified or AI_NUMERICHOST specified,
+	 * check first to see if it is a numeric address.
+	 * Though the gethostbyname2() routine
+	 * will recognize numeric addresses, it will only recognize
+	 * the format that it is being called for.  Thus, a numeric
+	 * AF_INET address will be treated by the AF_INET6 call as
+	 * a domain name, and vice versa.  Checking for both numerics
+	 * here avoids that.
+	 */
+	if (hostname != NULL &&
+	    (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
+		char abuf[sizeof(struct in6_addr)];
+		char nbuf[NI_MAXHOST];
+		int addrsize, addroff;
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+		char *p, *ep;
+		char ntmp[NI_MAXHOST];
+		uint32_t scopeid;
+#endif
+
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+		/*
+		 * Scope identifier portion.
+		 */
+		ntmp[0] = '\0';
+		if (strchr(hostname, '%') != NULL) {
+			strncpy(ntmp, hostname, sizeof(ntmp) - 1);
+			ntmp[sizeof(ntmp) - 1] = '\0';
+			p = strchr(ntmp, '%');
+			ep = NULL;
+
+			/*
+			 * Vendors may want to support non-numeric
+			 * scopeid around here.
+			 */
+
+			if (p != NULL)
+				scopeid = (uint32_t)strtoul(p + 1,
+								  &ep, 10);
+			if (p != NULL && ep != NULL && ep[0] == '\0')
+				*p = '\0';
+			else {
+				ntmp[0] = '\0';
+				scopeid = 0;
+			}
+		} else
+			scopeid = 0;
+#endif
+
+	       if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
+		   == 1)
+	       {
+			if (family == AF_INET6) {
+				/*
+				 * Convert to a V4 mapped address.
+				 */
+				struct in6_addr *a6 = (struct in6_addr *)abuf;
+				memmove(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+				memset(&a6->s6_addr[10], 0xff, 2);
+				memset(&a6->s6_addr[0], 0, 10);
+				goto inet6_addr;
+			}
+			addrsize = sizeof(struct in_addr);
+			addroff = offsetof(struct sockaddr_in, sin_addr);
+			family = AF_INET;
+			goto common;
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+		} else if (ntmp[0] != '\0' &&
+			   lwres_net_pton(AF_INET6, ntmp, abuf) == 1)
+		{
+			if (family && family != AF_INET6)
+				return (EAI_NONAME);
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+			goto common;
+#endif
+		} else if (lwres_net_pton(AF_INET6, hostname, abuf) == 1) {
+			if (family != 0 && family != AF_INET6)
+				return (EAI_NONAME);
+		inet6_addr:
+			addrsize = sizeof(struct in6_addr);
+			addroff = offsetof(struct sockaddr_in6, sin6_addr);
+			family = AF_INET6;
+
+		common:
+			ai = ai_clone(ai_list, family);
+			if (ai == NULL)
+				return (EAI_MEMORY);
+			ai_list = ai;
+			ai->ai_socktype = socktype;
+			SIN(ai->ai_addr)->sin_port = port;
+			memmove((char *)ai->ai_addr + addroff, abuf, addrsize);
+			if (flags & AI_CANONNAME) {
+#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
+				if (ai->ai_family == AF_INET6)
+					SIN6(ai->ai_addr)->sin6_scope_id =
+									scopeid;
+#endif
+				if (lwres_getnameinfo(ai->ai_addr,
+				    ai->ai_addrlen, nbuf, sizeof(nbuf),
+						      NULL, 0,
+						      NI_NUMERICHOST) == 0) {
+					ai->ai_canonname = strdup(nbuf);
+					if (ai->ai_canonname == NULL) {
+						lwres_freeaddrinfo(ai_list);
+						return (EAI_MEMORY);
+					}
+				} else {
+					/* XXX raise error? */
+					ai->ai_canonname = NULL;
+				}
+			}
+			goto done;
+		} else if ((flags & AI_NUMERICHOST) != 0) {
+			return (EAI_NONAME);
+		}
+	}
+
+	set_order(family, net_order);
+	for (i = 0; i < FOUND_MAX; i++) {
+		if (net_order[i] == NULL)
+			break;
+		err = (net_order[i])(hostname, flags, &ai_list,
+				     socktype, port);
+		if (err != 0)
+			return (err);
+	}
+
+	if (ai_list == NULL)
+		return (EAI_NODATA);
+
+done:
+	ai_list = ai_reverse(ai_list);
+
+	*res = ai_list;
+	return (0);
+}
+
+static char *
+lwres_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++)
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+	}
+	*stringp = NULL;
+	return (string);
+}
+
+static void
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+					int, int))
+{
+	char *order, *tok;
+	int found;
+
+	if (family) {
+		switch (family) {
+		case AF_INET:
+			*net_order++ = add_ipv4;
+			break;
+		case AF_INET6:
+			*net_order++ = add_ipv6;
+			break;
+		}
+	} else {
+		order = getenv("NET_ORDER");
+		found = 0;
+		while (order != NULL) {
+			/*
+			 * We ignore any unknown names.
+			 */
+			tok = lwres_strsep(&order, ":");
+			if (strcasecmp(tok, "inet6") == 0) {
+				if ((found & FOUND_IPV6) == 0)
+					*net_order++ = add_ipv6;
+				found |= FOUND_IPV6;
+			} else if (strcasecmp(tok, "inet") == 0 ||
+			    strcasecmp(tok, "inet4") == 0) {
+				if ((found & FOUND_IPV4) == 0)
+					*net_order++ = add_ipv4;
+				found |= FOUND_IPV4;
+			}
+		}
+
+		/*
+		 * Add in anything that we didn't find.
+		 */
+		if ((found & FOUND_IPV4) == 0)
+			*net_order++ = add_ipv4;
+		if ((found & FOUND_IPV6) == 0)
+			*net_order++ = add_ipv6;
+	}
+	*net_order = NULL;
+	return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+/*
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define SETERROR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+	int socktype, int port)
+{
+	struct addrinfo *ai;
+	lwres_context_t *lwrctx = NULL;
+	lwres_gabnresponse_t *by = NULL;
+	lwres_addr_t *addr;
+	lwres_result_t lwres;
+	int result = 0;
+
+	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+	if (lwres != LWRES_R_SUCCESS)
+		SETERROR(EAI_FAIL);
+	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+		ai = ai_clone(*aip, AF_INET);
+		if (ai == NULL)
+			SETERROR(EAI_MEMORY);
+
+		*aip = ai;
+		ai->ai_socktype = socktype;
+		SIN(ai->ai_addr)->sin_port = port;
+		memmove(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+	} else {
+		lwres = lwres_getaddrsbyname(lwrctx, hostname,
+					     LWRES_ADDRTYPE_V4, &by);
+		if (lwres != LWRES_R_SUCCESS) {
+			if (lwres == LWRES_R_NOTFOUND)
+				goto cleanup;
+			else
+				SETERROR(EAI_FAIL);
+		}
+		addr = LWRES_LIST_HEAD(by->addrs);
+		while (addr != NULL) {
+			ai = ai_clone(*aip, AF_INET);
+			if (ai == NULL)
+				SETERROR(EAI_MEMORY);
+			*aip = ai;
+			ai->ai_socktype = socktype;
+			SIN(ai->ai_addr)->sin_port = port;
+			memmove(&SIN(ai->ai_addr)->sin_addr,
+				addr->address, 4);
+			if (flags & AI_CANONNAME) {
+				ai->ai_canonname = strdup(by->realname);
+				if (ai->ai_canonname == NULL)
+					SETERROR(EAI_MEMORY);
+			}
+			addr = LWRES_LIST_NEXT(addr, link);
+		}
+	}
+ cleanup:
+	if (by != NULL)
+		lwres_gabnresponse_free(lwrctx, &by);
+	if (lwrctx != NULL) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+	}
+	return (result);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+	 int socktype, int port)
+{
+	struct addrinfo *ai;
+	lwres_context_t *lwrctx = NULL;
+	lwres_gabnresponse_t *by = NULL;
+	lwres_addr_t *addr;
+	lwres_result_t lwres;
+	int result = 0;
+
+	lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+	if (lwres != LWRES_R_SUCCESS)
+		SETERROR(EAI_FAIL);
+	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+	if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+		ai = ai_clone(*aip, AF_INET6);
+		if (ai == NULL)
+			SETERROR(EAI_MEMORY);
+
+		*aip = ai;
+		ai->ai_socktype = socktype;
+		SIN6(ai->ai_addr)->sin6_port = port;
+		memmove(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+	} else {
+		lwres = lwres_getaddrsbyname(lwrctx, hostname,
+					     LWRES_ADDRTYPE_V6, &by);
+		if (lwres != LWRES_R_SUCCESS) {
+			if (lwres == LWRES_R_NOTFOUND)
+				goto cleanup;
+			else
+				SETERROR(EAI_FAIL);
+		}
+		addr = LWRES_LIST_HEAD(by->addrs);
+		while (addr != NULL) {
+			ai = ai_clone(*aip, AF_INET6);
+			if (ai == NULL)
+				SETERROR(EAI_MEMORY);
+			*aip = ai;
+			ai->ai_socktype = socktype;
+			SIN6(ai->ai_addr)->sin6_port = port;
+			memmove(&SIN6(ai->ai_addr)->sin6_addr,
+				addr->address, 16);
+			if (flags & AI_CANONNAME) {
+				ai->ai_canonname = strdup(by->realname);
+				if (ai->ai_canonname == NULL)
+					SETERROR(EAI_MEMORY);
+			}
+			addr = LWRES_LIST_NEXT(addr, link);
+		}
+	}
+ cleanup:
+	if (by != NULL)
+		lwres_gabnresponse_free(lwrctx, &by);
+	if (lwrctx != NULL) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+	}
+	return (result);
+}
+
+/*% Free address info. */
+void
+lwres_freeaddrinfo(struct addrinfo *ai) {
+	struct addrinfo *ai_next;
+
+	while (ai != NULL) {
+		ai_next = ai->ai_next;
+		if (ai->ai_addr != NULL)
+			free(ai->ai_addr);
+		if (ai->ai_canonname)
+			free(ai->ai_canonname);
+		free(ai);
+		ai = ai_next;
+	}
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+	struct addrinfo *ai;
+	struct sockaddr_un *slocal;
+
+	if (socktype == 0)
+		return (EAI_SOCKTYPE);
+
+	if (strlen(name) >= sizeof(slocal->sun_path))
+		return (EAI_OVERFLOW);
+
+	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
+	if (ai == NULL)
+		return (EAI_MEMORY);
+
+	slocal = SLOCAL(ai->ai_addr);
+	strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
+	slocal->sun_path[sizeof(slocal->sun_path) - 1] = '\0';
+
+	ai->ai_socktype = socktype;
+	/*
+	 * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+	 * and ai->ai_next were initialized to zero.
+	 */
+
+	*res = ai;
+	return (0);
+}
+#endif
+
+/*!
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specificed length.  We initialize:
+ *	ai_addrlen
+ *	ai_family
+ *	ai_addr
+ *	ai_addr->sa_family
+ *	ai_addr->sa_len	(LWRES_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+	struct addrinfo *ai;
+
+	ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+	if (ai == NULL)
+		return (NULL);
+
+	ai->ai_addr = SA(calloc(1, addrlen));
+	if (ai->ai_addr == NULL) {
+		free(ai);
+		return (NULL);
+	}
+	ai->ai_addrlen = addrlen;
+	ai->ai_family = family;
+	ai->ai_addr->sa_family = family;
+#ifdef LWRES_PLATFORM_HAVESALEN
+	ai->ai_addr->sa_len = addrlen;
+#endif
+	return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+	struct addrinfo *ai;
+
+	ai = ai_alloc(family, ((family == AF_INET6) ?
+	    sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
+
+	if (ai == NULL) {
+		lwres_freeaddrinfo(oai);
+		return (NULL);
+	}
+	if (oai == NULL)
+		return (ai);
+
+	ai->ai_flags = oai->ai_flags;
+	ai->ai_socktype = oai->ai_socktype;
+	ai->ai_protocol = oai->ai_protocol;
+	ai->ai_canonname = NULL;
+	ai->ai_next = oai;
+	return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+	struct addrinfo *nai, *tai;
+
+	nai = NULL;
+
+	while (oai != NULL) {
+		/*
+		 * Grab one off the old list.
+		 */
+		tai = oai;
+		oai = oai->ai_next;
+		/*
+		 * Put it on the front of the new list.
+		 */
+		tai->ai_next = nai;
+		nai = tai;
+	}
+	return (nai);
+}
diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c
new file mode 100644
index 0000000..891f7a4
--- /dev/null
+++ b/lib/lwres/gethost.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: gethost.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions provide hostname-to-address and address-to-hostname
+ *    lookups by means of the lightweight resolver. They are similar to the
+ *    standard gethostent(3) functions provided by most operating systems.
+ *    They use a struct hostent which is usually defined in <namedb.h>.
+ *
+ * \code
+ * struct  hostent {
+ *         char    *h_name;        // official name of host
+ * 	   char    **h_aliases;    // alias list
+ *         int     h_addrtype;     // host address type
+ *         int     h_length;       // length of address
+ *         char    **h_addr_list;  // list of addresses from name server
+ * };
+ * #define h_addr  h_addr_list[0]  // address, for backward compatibility
+ * \endcode
+ *
+ *    The members of this structure are:
+ *
+ * \li   h_name:
+ *           The official (canonical) name of the host.
+ *
+ * \li   h_aliases:
+ *           A NULL-terminated array of alternate names (nicknames) for the
+ *           host.
+ *
+ * \li   h_addrtype:
+ *           The type of address being returned -- PF_INET or PF_INET6.
+ *
+ * \li   h_length:
+ *           The length of the address in bytes.
+ *
+ * \li   h_addr_list:
+ *           A NULL terminated array of network addresses for the host. Host
+ *           addresses are returned in network byte order.
+ *
+ *    For backward compatibility with very old software, h_addr is the first
+ *    address in h_addr_list.
+ *
+ *    lwres_gethostent(), lwres_sethostent(), lwres_endhostent(),
+ *    lwres_gethostent_r(), lwres_sethostent_r() and lwres_endhostent_r()
+ *    provide iteration over the known host entries on systems that provide
+ *    such functionality through facilities like /etc/hosts or NIS. The
+ *    lightweight resolver does not currently implement these functions; it
+ *    only provides them as stub functions that always return failure.
+ *
+ *    lwres_gethostbyname() and lwres_gethostbyname2() look up the hostname
+ *    name. lwres_gethostbyname() always looks for an IPv4 address while
+ *    lwres_gethostbyname2() looks for an address of protocol family af:
+ *    either PF_INET or PF_INET6 -- IPv4 or IPV6 addresses respectively.
+ *    Successful calls of the functions return a struct hostent for the name
+ *    that was looked up. NULL is returned if the lookups by
+ *    lwres_gethostbyname() or lwres_gethostbyname2() fail.
+ *
+ *    Reverse lookups of addresses are performed by lwres_gethostbyaddr().
+ *    addr is an address of length len bytes and protocol family type --
+ *    PF_INET or PF_INET6. lwres_gethostbyname_r() is a thread-safe function
+ *    for forward lookups. If an error occurs, an error code is returned in
+ *    *error. resbuf is a pointer to a struct hostent which is initialised
+ *    by a successful call to lwres_gethostbyname_r() . buf is a buffer of
+ *    length len bytes which is used to store the h_name, h_aliases, and
+ *    h_addr_list elements of the struct hostent returned in resbuf.
+ *    Successful calls to lwres_gethostbyname_r() return resbuf, which is a
+ *    pointer to the struct hostent it created.
+ *
+ *    lwres_gethostbyaddr_r() is a thread-safe function that performs a
+ *    reverse lookup of address addr which is len bytes long and is of
+ *    protocol family type -- PF_INET or PF_INET6. If an error occurs, the
+ *    error code is returned in *error. The other function parameters are
+ *    identical to those in lwres_gethostbyname_r(). resbuf is a pointer to
+ *    a struct hostent which is initialised by a successful call to
+ *    lwres_gethostbyaddr_r(). buf is a buffer of length len bytes which is
+ *    used to store the h_name, h_aliases, and h_addr_list elements of the
+ *    struct hostent returned in resbuf. Successful calls to
+ *    lwres_gethostbyaddr_r() return resbuf, which is a pointer to the
+ *    struct hostent it created.
+ *
+ * \section gethost_return Return Values
+ *
+ *    The functions lwres_gethostbyname(), lwres_gethostbyname2(),
+ *    lwres_gethostbyaddr(), and lwres_gethostent() return NULL to indicate
+ *    an error. In this case the global variable lwres_h_errno will contain
+ *    one of the following error codes defined in \link netdb.h <lwres/netdb.h>:\endlink
+ *
+ * \li #HOST_NOT_FOUND:
+ *           The host or address was not found.
+ *
+ * \li #TRY_AGAIN:
+ *           A recoverable error occurred, e.g., a timeout. Retrying the
+ *           lookup may succeed.
+ *
+ * \li #NO_RECOVERY:
+ *           A non-recoverable error occurred.
+ *
+ * \li #NO_DATA:
+ *           The name exists, but has no address information associated with
+ *           it (or vice versa in the case of a reverse lookup). The code
+ *           NO_ADDRESS is accepted as a synonym for NO_DATA for backwards
+ *           compatibility.
+ *
+ *    lwres_hstrerror() translates these error codes to suitable error
+ *    messages.
+ *
+ *    lwres_gethostent() and lwres_gethostent_r() always return NULL.
+ *
+ *    Successful calls to lwres_gethostbyname_r() and
+ *    lwres_gethostbyaddr_r() return resbuf, a pointer to the struct hostent
+ *    that was initialised by these functions. They return NULL if the
+ *    lookups fail or if buf was too small to hold the list of addresses and
+ *    names referenced by the h_name, h_aliases, and h_addr_list elements of
+ *    the struct hostent. If buf was too small, both lwres_gethostbyname_r()
+ *    and lwres_gethostbyaddr_r() set the global variable errno to ERANGE.
+ *
+ * \section gethost_see See Also
+ *
+ *    gethostent(), \link getipnode.c getipnode\endlink, lwres_hstrerror()
+ *
+ * \section gethost_bugs Bugs
+ *
+ *    lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr()
+ *    and lwres_endhostent() are not thread safe; they return pointers to
+ *    static data and provide error codes through a global variable.
+ *    Thread-safe versions for name and address lookup are provided by
+ *    lwres_gethostbyname_r(), and lwres_gethostbyaddr_r() respectively.
+ *
+ *    The resolver daemon does not currently support any non-DNS name
+ *    services such as /etc/hosts or NIS, consequently the above functions
+ *    don't, either.
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <string.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h> /* uintptr_t */
+#endif
+
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+
+#include "assert_p.h"
+
+#define LWRES_ALIGNBYTES (sizeof(char *) - 1)
+#define LWRES_ALIGN(p) \
+	(((uintptr_t)(p) + LWRES_ALIGNBYTES) &~ LWRES_ALIGNBYTES)
+
+static struct hostent *he = NULL;
+static int copytobuf(struct hostent *, struct hostent *, char *, int);
+
+/*% Always looks for an IPv4 address. */
+struct hostent *
+lwres_gethostbyname(const char *name) {
+
+	if (he != NULL)
+		lwres_freehostent(he);
+
+	he = lwres_getipnodebyname(name, AF_INET, 0, &lwres_h_errno);
+	return (he);
+}
+
+/*% Looks for either an IPv4 or IPv6 address. */
+struct hostent *
+lwres_gethostbyname2(const char *name, int af) {
+	if (he != NULL)
+		lwres_freehostent(he);
+
+	he = lwres_getipnodebyname(name, af, 0, &lwres_h_errno);
+	return (he);
+}
+
+/*% Reverse lookup of addresses. */
+struct hostent *
+lwres_gethostbyaddr(const char *addr, int len, int type) {
+
+	if (he != NULL)
+		lwres_freehostent(he);
+
+	he = lwres_getipnodebyaddr(addr, len, type, &lwres_h_errno);
+	return (he);
+}
+
+/*% Stub function.  Always returns failure. */
+struct hostent *
+lwres_gethostent(void) {
+	if (he != NULL)
+		lwres_freehostent(he);
+
+	return (NULL);
+}
+
+/*% Stub function.  Always returns failure. */
+void
+lwres_sethostent(int stayopen) {
+	/*
+	 * Empty.
+	 */
+	UNUSED(stayopen);
+}
+
+/*% Stub function.  Always returns failure. */
+void
+lwres_endhostent(void) {
+	/*
+	 * Empty.
+	 */
+}
+
+/*% Thread-safe function for forward lookups. */
+struct hostent *
+lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
+		char *buf, int buflen, int *error)
+{
+	struct hostent *myhe;
+	int res;
+
+	myhe = lwres_getipnodebyname(name, AF_INET, 0, error);
+	if (myhe == NULL)
+		return (NULL);
+	res = copytobuf(myhe, resbuf, buf, buflen);
+	lwres_freehostent(myhe);
+	if (res != 0) {
+		errno = ERANGE;
+		return (NULL);
+	}
+	return (resbuf);
+}
+
+/*% Thread-safe reverse lookup. */
+struct hostent  *
+lwres_gethostbyaddr_r(const char *addr, int len, int type,
+		      struct hostent *resbuf, char *buf, int buflen,
+		      int *error)
+{
+	struct hostent *myhe;
+	int res;
+
+	myhe = lwres_getipnodebyaddr(addr, len, type, error);
+	if (myhe == NULL)
+		return (NULL);
+	res = copytobuf(myhe, resbuf, buf, buflen);
+	lwres_freehostent(myhe);
+	if (res != 0) {
+		errno = ERANGE;
+		return (NULL);
+	}
+	return (resbuf);
+}
+
+/*% Stub function.  Always returns failure. */
+struct hostent  *
+lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
+	UNUSED(resbuf);
+	UNUSED(buf);
+	UNUSED(buflen);
+	*error = 0;
+	return (NULL);
+}
+
+/*% Stub function.  Always returns failure. */
+void
+lwres_sethostent_r(int stayopen) {
+	/*
+	 * Empty.
+	 */
+	UNUSED(stayopen);
+}
+
+/*% Stub function.  Always returns failure. */
+void
+lwres_endhostent_r(void) {
+	/*
+	 * Empty.
+	 */
+}
+
+static int
+copytobuf(struct hostent *src, struct hostent *hptr, char *buf, int buflen) {
+	char *cp;
+	char **ptr;
+	int i, n;
+	int nptr, len;
+
+	/*
+	 * Find out the amount of space required to store the answer.
+	 */
+	nptr = 2; /* NULL ptrs */
+	len = (int)((char *)LWRES_ALIGN(buf) - buf);
+	for (i = 0; src->h_addr_list[i]; i++, nptr++) {
+		len += src->h_length;
+	}
+	for (i = 0; src->h_aliases[i]; i++, nptr++) {
+		len += strlen(src->h_aliases[i]) + 1;
+	}
+	len += strlen(src->h_name) + 1;
+	len += nptr * sizeof(char*);
+
+	if (len > buflen) {
+		return (-1);
+	}
+
+	/*
+	 * Copy address size and type.
+	 */
+	hptr->h_addrtype = src->h_addrtype;
+	n = hptr->h_length = src->h_length;
+
+	ptr = (char **)LWRES_ALIGN(buf);
+	cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
+
+	/*
+	 * Copy address list.
+	 */
+	hptr->h_addr_list = ptr;
+	for (i = 0; src->h_addr_list[i]; i++, ptr++) {
+		memmove(cp, src->h_addr_list[i], n);
+		hptr->h_addr_list[i] = cp;
+		cp += n;
+	}
+	hptr->h_addr_list[i] = NULL;
+	ptr++;
+
+	/*
+	 * Copy official name.
+	 */
+	n = strlen(src->h_name) + 1;
+	strcpy(cp, src->h_name);
+	hptr->h_name = cp;
+	cp += n;
+
+	/*
+	 * Copy aliases.
+	 */
+	hptr->h_aliases = ptr;
+	for (i = 0; src->h_aliases[i]; i++) {
+		n = strlen(src->h_aliases[i]) + 1;
+		strcpy(cp, src->h_aliases[i]);
+		hptr->h_aliases[i] = cp;
+		cp += n;
+	}
+	hptr->h_aliases[i] = NULL;
+
+	return (0);
+}
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
new file mode 100644
index 0000000..f0c0ae6
--- /dev/null
+++ b/lib/lwres/getipnode.c
@@ -0,0 +1,1160 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: getipnode.c,v 1.47 2009/09/01 23:47:45 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions perform thread safe, protocol independent
+ *    nodename-to-address and address-to-nodename translation as defined in
+ *    RFC2553.  This use a struct hostent which is defined in namedb.h:
+ *
+ * \code
+ * struct  hostent {
+ *         char    *h_name;        // official name of host
+ *         char    **h_aliases;    // alias list
+ *         int     h_addrtype;     // host address type
+ *         int     h_length;       // length of address
+ *         char    **h_addr_list;  // list of addresses from name server
+ * };
+ * #define h_addr  h_addr_list[0]  // address, for backward compatibility
+ * \endcode
+ *
+ *    The members of this structure are:
+ *
+ * \li   h_name:
+ *           The official (canonical) name of the host.
+ *
+ * \li   h_aliases:
+ *           A NULL-terminated array of alternate names (nicknames) for the
+ *           host.
+ *
+ * \li   h_addrtype:
+ *           The type of address being returned - usually PF_INET or
+ *           PF_INET6.
+ *
+ * \li   h_length:
+ *           The length of the address in bytes.
+ *
+ * \li   h_addr_list:
+ *           A NULL terminated array of network addresses for the host. Host
+ *           addresses are returned in network byte order.
+ *
+ *    lwres_getipnodebyname() looks up addresses of protocol family af for
+ *    the hostname name. The flags parameter contains ORed flag bits to
+ *    specify the types of addresses that are searched for, and the types of
+ *    addresses that are returned. The flag bits are:
+ *
+ * \li   #AI_V4MAPPED:
+ *           This is used with an af of #AF_INET6, and causes IPv4 addresses
+ *           to be returned as IPv4-mapped IPv6 addresses.
+ *
+ * \li   #AI_ALL:
+ *           This is used with an af of #AF_INET6, and causes all known
+ *           addresses (IPv6 and IPv4) to be returned. If #AI_V4MAPPED is
+ *           also set, the IPv4 addresses are return as mapped IPv6
+ *           addresses.
+ *
+ * \li   #AI_ADDRCONFIG:
+ *           Only return an IPv6 or IPv4 address if here is an active
+ *           network interface of that type. This is not currently
+ *           implemented in the BIND 9 lightweight resolver, and the flag is
+ *           ignored.
+ *
+ * \li   #AI_DEFAULT:
+ *           This default sets the #AI_V4MAPPED and #AI_ADDRCONFIG flag bits.
+ *
+ *    lwres_getipnodebyaddr() performs a reverse lookup of address src which
+ *    is len bytes long. af denotes the protocol family, typically PF_INET
+ *    or PF_INET6.
+ *
+ *    lwres_freehostent() releases all the memory associated with the struct
+ *    hostent pointer. Any memory allocated for the h_name, h_addr_list
+ *    and h_aliases is freed, as is the memory for the hostent structure
+ *    itself.
+ *
+ * \section getipnode_return Return Values
+ *
+ *    If an error occurs, lwres_getipnodebyname() and
+ *    lwres_getipnodebyaddr() set *error_num to an appropriate error code
+ *    and the function returns a NULL pointer. The error codes and their
+ *    meanings are defined in \link netdb.h <lwres/netdb.h>\endlink:
+ *
+ * \li   #HOST_NOT_FOUND:
+ *           No such host is known.
+ *
+ * \li   #NO_ADDRESS:
+ *           The server recognised the request and the name but no address
+ *           is available. Another type of request to the name server for
+ *           the domain might return an answer.
+ *
+ * \li   #TRY_AGAIN:
+ *           A temporary and possibly transient error occurred, such as a
+ *           failure of a server to respond. The request may succeed if
+ *           retried.
+ *
+ * \li   #NO_RECOVERY:
+ *           An unexpected failure occurred, and retrying the request is
+ *           pointless.
+ *
+ *    lwres_hstrerror() translates these error codes to suitable error
+ *    messages.
+ *
+ * \section getipnode_see See Also
+ *
+ * getaddrinfo.c, gethost.c, getnameinfo.c, herror.c, RFC2553
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>	/* XXX #include <netdb.h> */
+
+#include "assert_p.h"
+
+#ifndef INADDRSZ
+#define INADDRSZ 4
+#endif
+#ifndef IN6ADDRSZ
+#define IN6ADDRSZ 16
+#endif
+
+#ifdef LWRES_PLATFORM_NEEDIN6ADDRANY
+LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+#endif
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+static const unsigned char in6addr_compat[12] = {
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
+				 ((x)->s6_addr[12] != 0 || \
+				  (x)->s6_addr[13] != 0 || \
+				  (x)->s6_addr[14] != 0 || \
+				   ((x)->s6_addr[15] != 0 && \
+				    (x)->s6_addr[15] != 1)))
+#endif
+#ifndef IN6_IS_ADDR_V4MAPPED
+#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
+#endif
+
+static const unsigned char in6addr_mapped[12] = {
+	0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0xff, 0xff
+};
+
+/***
+ ***	Forward declarations.
+ ***/
+
+static int
+scan_interfaces(int *, int *);
+
+static struct hostent *
+copyandmerge(struct hostent *, struct hostent *, int, int *);
+
+static struct hostent *
+hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src);
+
+static struct hostent *
+hostfromname(lwres_gabnresponse_t *name, int af);
+
+/***
+ ***	Public functions.
+ ***/
+
+/*!
+ *	AI_V4MAPPED + AF_INET6
+ *	If no IPv6 address then a query for IPv4 and map returned values.
+ *
+ *	AI_ALL + AI_V4MAPPED + AF_INET6
+ *	Return IPv6 and IPv4 mapped.
+ *
+ *	AI_ADDRCONFIG
+ *	Only return IPv6 / IPv4 address if there is an interface of that
+ *	type active.
+ */
+
+struct hostent *
+lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
+	int have_v4 = 1, have_v6 = 1;
+	struct in_addr in4;
+	struct in6_addr in6;
+	struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
+	int v4 = 0, v6 = 0;
+	int tmp_err = 0;
+	lwres_context_t *lwrctx = NULL;
+	lwres_gabnresponse_t *by = NULL;
+	int n;
+
+	/*
+	 * If we care about active interfaces then check.
+	 */
+	if ((flags & AI_ADDRCONFIG) != 0)
+		if (scan_interfaces(&have_v4, &have_v6) == -1) {
+			*error_num = NO_RECOVERY;
+			return (NULL);
+		}
+
+	/* Check for literal address. */
+	if ((v4 = lwres_net_pton(AF_INET, name, &in4)) != 1)
+		v6 = lwres_net_pton(AF_INET6, name, &in6);
+
+	/*
+	 * Impossible combination?
+	 */
+	if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
+	    (af == AF_INET && v6 == 1) ||
+	    (have_v4 == 0 && v4 == 1) ||
+	    (have_v6 == 0 && v6 == 1) ||
+	    (have_v4 == 0 && af == AF_INET) ||
+	    (have_v6 == 0 && af == AF_INET6 &&
+	     (((flags & AI_V4MAPPED) != 0 && have_v4) ||
+	      (flags & AI_V4MAPPED) == 0))) {
+		*error_num = HOST_NOT_FOUND;
+		return (NULL);
+	}
+
+	/*
+	 * Literal address?
+	 */
+	if (v4 == 1 || v6 == 1) {
+		char *addr_list[2];
+		char *aliases[1];
+		char mappedname[sizeof("::ffff:123.123.123.123")];
+		union {
+			const char *const_name;
+			char *deconst_name;
+		} u;
+
+		u.const_name = name;
+		if (v4 == 1 && af == AF_INET6) {
+			strcpy(mappedname, "::ffff:");
+			lwres_net_ntop(AF_INET, (char *)&in4,
+				       mappedname + sizeof("::ffff:") - 1,
+				       sizeof(mappedname) - sizeof("::ffff:")
+				       + 1);
+			he.h_name = mappedname;
+		} else
+			he.h_name = u.deconst_name;
+		he.h_addr_list = addr_list;
+		he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
+		he.h_addr_list[1] = NULL;
+		he.h_aliases = aliases;
+		he.h_aliases[0] = NULL;
+		he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
+		he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
+		return (copyandmerge(&he, NULL, af, error_num));
+	}
+
+	n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+	if (n != 0) {
+		*error_num = NO_RECOVERY;
+		goto cleanup;
+	}
+	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+	tmp_err = NO_RECOVERY;
+	if (have_v6 && af == AF_INET6) {
+		n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
+		if (n == 0) {
+			he1 = hostfromname(by, AF_INET6);
+			lwres_gabnresponse_free(lwrctx, &by);
+			if (he1 == NULL) {
+				*error_num = NO_RECOVERY;
+				goto cleanup;
+			}
+		} else {
+			if (n == LWRES_R_NOTFOUND)
+				tmp_err = HOST_NOT_FOUND;
+			else {
+				*error_num = NO_RECOVERY;
+				goto cleanup;
+			}
+		}
+	}
+
+	if (have_v4 &&
+	    ((af == AF_INET) ||
+	     (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
+	      (he1 == NULL || (flags & AI_ALL) != 0)))) {
+		n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V4, &by);
+		if (n == 0) {
+			he2 = hostfromname(by, AF_INET);
+			lwres_gabnresponse_free(lwrctx, &by);
+			if (he2 == NULL) {
+				*error_num = NO_RECOVERY;
+				goto cleanup;
+			}
+		} else if (he1 == NULL) {
+			if (n == LWRES_R_NOTFOUND)
+				*error_num = HOST_NOT_FOUND;
+			else
+				*error_num = NO_RECOVERY;
+			goto cleanup;
+		}
+	} else
+		*error_num = tmp_err;
+
+	he3 = copyandmerge(he1, he2, af, error_num);
+
+ cleanup:
+	if (he1 != NULL)
+		lwres_freehostent(he1);
+	if (he2 != NULL)
+		lwres_freehostent(he2);
+	if (lwrctx != NULL) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+	}
+	return (he3);
+}
+
+/*% performs a reverse lookup of address src which is len bytes long. af denotes the protocol family, typically #PF_INET or PF_INET6. */
+struct hostent *
+lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
+	struct hostent *he1, *he2;
+	lwres_context_t *lwrctx = NULL;
+	lwres_gnbaresponse_t *by = NULL;
+	lwres_result_t n;
+	union {
+		const void *konst;
+		struct in6_addr *in6;
+	} u;
+
+	/*
+	 * Sanity checks.
+	 */
+	if (src == NULL) {
+		*error_num = NO_RECOVERY;
+		return (NULL);
+	}
+
+	switch (af) {
+	case AF_INET:
+		if (len != (unsigned int)INADDRSZ) {
+			*error_num = NO_RECOVERY;
+			return (NULL);
+		}
+		break;
+	case AF_INET6:
+		if (len != (unsigned int)IN6ADDRSZ) {
+			*error_num = NO_RECOVERY;
+			return (NULL);
+		}
+		break;
+	default:
+		*error_num = NO_RECOVERY;
+		return (NULL);
+	}
+
+	/*
+	 * The de-"const"-ing game is done because at least one
+	 * vendor's system (RedHat 6.0) defines the IN6_IS_ADDR_*
+	 * macros in such a way that they discard the const with
+	 * internal casting, and gcc ends up complaining.  Rather
+	 * than replacing their own (possibly optimized) definitions
+	 * with our own, cleanly discarding the const is the easiest
+	 * thing to do.
+	 */
+	u.konst = src;
+
+	/*
+	 * Look up IPv4 and IPv4 mapped/compatible addresses.
+	 */
+	if ((af == AF_INET6 && IN6_IS_ADDR_V4COMPAT(u.in6)) ||
+	    (af == AF_INET6 && IN6_IS_ADDR_V4MAPPED(u.in6)) ||
+	    (af == AF_INET)) {
+		const unsigned char *cp = src;
+
+		if (af == AF_INET6)
+			cp += 12;
+		n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+		if (n == LWRES_R_SUCCESS)
+			(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+		if (n == LWRES_R_SUCCESS)
+			n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V4,
+						INADDRSZ, cp, &by);
+		if (n != LWRES_R_SUCCESS) {
+			lwres_conf_clear(lwrctx);
+			lwres_context_destroy(&lwrctx);
+			if (n == LWRES_R_NOTFOUND)
+				*error_num = HOST_NOT_FOUND;
+			else
+				*error_num = NO_RECOVERY;
+			return (NULL);
+		}
+		he1 = hostfromaddr(by, AF_INET, cp);
+		lwres_gnbaresponse_free(lwrctx, &by);
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+		if (af != AF_INET6)
+			return (he1);
+
+		/*
+		 * Convert from AF_INET to AF_INET6.
+		 */
+		he2 = copyandmerge(he1, NULL, af, error_num);
+		lwres_freehostent(he1);
+		if (he2 == NULL)
+			return (NULL);
+		/*
+		 * Restore original address.
+		 */
+		memmove(he2->h_addr, src, len);
+		return (he2);
+	}
+
+	/*
+	 * Lookup IPv6 address.
+	 */
+	if (memcmp(src, &in6addr_any, IN6ADDRSZ) == 0) {
+		*error_num = HOST_NOT_FOUND;
+		return (NULL);
+	}
+
+	n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+	if (n == LWRES_R_SUCCESS)
+		(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+	if (n == LWRES_R_SUCCESS)
+		n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
+					src, &by);
+	if (n != 0) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+
+		if (n == LWRES_R_NOTFOUND)
+		       *error_num = HOST_NOT_FOUND;
+		else
+		       *error_num = NO_RECOVERY;
+
+		return (NULL);
+	}
+
+	he1 = hostfromaddr(by, AF_INET6, src);
+	lwres_gnbaresponse_free(lwrctx, &by);
+	if (he1 == NULL)
+		*error_num = NO_RECOVERY;
+	lwres_conf_clear(lwrctx);
+	lwres_context_destroy(&lwrctx);
+	return (he1);
+}
+
+/*% releases all the memory associated with the struct hostent pointer */
+void
+lwres_freehostent(struct hostent *he) {
+	char **cpp;
+	int names = 1;
+	int addresses = 1;
+
+	if (he == NULL)
+		return;
+
+	free(he->h_name);
+
+	cpp = he->h_addr_list;
+	while (*cpp != NULL) {
+		free(*cpp);
+		*cpp = NULL;
+		cpp++;
+		addresses++;
+	}
+
+	cpp = he->h_aliases;
+	while (*cpp != NULL) {
+		free(*cpp);
+		cpp++;
+		names++;
+	}
+
+	free(he->h_aliases);
+	free(he->h_addr_list);
+	free(he);
+}
+
+/*
+ * Private
+ */
+
+/*
+ * Scan the interface table and set have_v4 and have_v6 depending
+ * upon whether there are IPv4 and IPv6 interface addresses.
+ *
+ * Returns:
+ *	0 on success
+ *	-1 on failure.
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+
+#ifdef __hpux
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define ISC_HAVE_LIFC_FAMILY 1
+#define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
+#endif
+
+#ifdef __hpux
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+
+static int
+scan_interfaces6(int *have_v4, int *have_v6) {
+	struct LIFCONF lifc;
+	struct LIFREQ lifreq;
+	struct in_addr in4;
+	struct in6_addr in6;
+	char *buf = NULL, *cp, *cplim;
+	static unsigned int bufsiz = 4095;
+	int s, cpsize, n;
+
+	/*
+	 * Set to zero.  Used as loop terminators below.
+	 */
+	*have_v4 = *have_v6 = 0;
+
+	/*
+	 * Get interface list from system.
+	 */
+	if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
+		goto err_ret;
+
+	/*
+	 * Grow buffer until large enough to contain all interface
+	 * descriptions.
+	 */
+	for (;;) {
+		buf = malloc(bufsiz);
+		if (buf == NULL)
+			goto err_ret;
+#ifdef ISC_HAVE_LIFC_FAMILY
+		lifc.lifc_family = AF_UNSPEC;	/* request all families */
+#endif
+#ifdef ISC_HAVE_LIFC_FLAGS
+		lifc.lifc_flags = 0;
+#endif
+		lifc.lifc_len = bufsiz;
+		lifc.lifc_buf = buf;
+		if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
+			/*
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If
+			 * lifc.lifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
+				break;
+		}
+		if ((n == -1) && errno != EINVAL)
+			goto err_ret;
+
+		if (bufsiz > 1000000)
+			goto err_ret;
+
+		free(buf);
+		bufsiz += 4096;
+	}
+
+	/*
+	 * Parse system's interface list.
+	 */
+	cplim = buf + lifc.lifc_len;    /* skip over if's with big ifr_addr's */
+	for (cp = buf;
+	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+	     cp += cpsize) {
+		memmove(&lifreq, cp, sizeof(lifreq));
+#ifdef LWRES_PLATFORM_HAVESALEN
+#ifdef FIX_ZERO_SA_LEN
+		if (lifreq.lifr_addr.sa_len == 0)
+			lifreq.lifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+		cpsize = sizeof(lifreq);
+		if (lifreq.lifr_addr.sa_len > sizeof(struct sockaddr))
+			cpsize += (int)lifreq.lifr_addr.sa_len -
+				(int)(sizeof(struct sockaddr));
+#else
+		cpsize = sizeof(lifreq.lifr_name) + lifreq.lifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+#elif defined SIOCGIFCONF_ADDR
+		cpsize = sizeof(lifreq);
+#else
+		cpsize = sizeof(lifreq.lifr_name);
+		/* XXX maybe this should be a hard error? */
+		if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
+			continue;
+#endif
+		switch (lifreq.lifr_addr.ss_family) {
+		case AF_INET:
+			if (*have_v4 == 0) {
+				memmove(&in4,
+					&((struct sockaddr_in *)
+					  &lifreq.lifr_addr)->sin_addr,
+					sizeof(in4));
+				if (in4.s_addr == INADDR_ANY)
+					break;
+				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+				if (n < 0)
+					break;
+				if ((lifreq.lifr_flags & IFF_UP) == 0)
+					break;
+				*have_v4 = 1;
+			}
+			break;
+		case AF_INET6:
+			if (*have_v6 == 0) {
+				memmove(&in6,
+					&((struct sockaddr_in6 *)
+					  &lifreq.lifr_addr)->sin6_addr,
+					sizeof(in6));
+				if (memcmp(&in6, &in6addr_any,
+					   sizeof(in6)) == 0)
+					break;
+				n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+				if (n < 0)
+					break;
+				if ((lifreq.lifr_flags & IFF_UP) == 0)
+					break;
+				*have_v6 = 1;
+			}
+			break;
+		}
+	}
+	if (buf != NULL)
+		free(buf);
+	close(s);
+	return (0);
+ err_ret:
+	if (buf != NULL)
+		free(buf);
+	if (s != -1)
+		close(s);
+	return (-1);
+}
+#endif
+
+static int
+scan_interfaces(int *have_v4, int *have_v6) {
+#if !defined(SIOCGIFCONF) || !defined(SIOCGIFADDR)
+	*have_v4 = *have_v6 = 1;
+	return (0);
+#else
+	struct ifconf ifc;
+	union {
+		char _pad[256];		/* leave space for IPv6 addresses */
+		struct ifreq ifreq;
+	} u;
+	struct in_addr in4;
+	struct in6_addr in6;
+	char *buf = NULL, *cp, *cplim;
+	static unsigned int bufsiz = 4095;
+	int s, n;
+	size_t cpsize;
+
+#ifdef WIN32
+	InitSockets();
+#endif
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+    !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+	/*
+	 * Try to scan the interfaces using IPv6 ioctls().
+	 */
+	if (!scan_interfaces6(have_v4, have_v6)) {
+#ifdef WIN32
+		DestroySockets();
+#endif
+		return (0);
+	}
+#endif
+
+	/*
+	 * Set to zero.  Used as loop terminators below.
+	 */
+	*have_v4 = *have_v6 = 0;
+
+	/*
+	 * Get interface list from system.
+	 */
+	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+		goto err_ret;
+
+	/*
+	 * Grow buffer until large enough to contain all interface
+	 * descriptions.
+	 */
+	for (;;) {
+		buf = malloc(bufsiz);
+		if (buf == NULL)
+			goto err_ret;
+		ifc.ifc_len = bufsiz;
+		ifc.ifc_buf = buf;
+#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
+		/*
+		 * This is a fix for IRIX OS in which the call to ioctl with
+		 * the flag SIOCGIFCONF may not return an entry for all the
+		 * interfaces like most flavors of Unix.
+		 */
+		if (emul_ioctl(&ifc) >= 0)
+			break;
+#else
+		if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
+			/*
+			 * Some OS's just return what will fit rather
+			 * than set EINVAL if the buffer is too small
+			 * to fit all the interfaces in.  If
+			 * ifc.ifc_len is too near to the end of the
+			 * buffer we will grow it just in case and
+			 * retry.
+			 */
+			if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
+				break;
+		}
+#endif
+		if ((n == -1) && errno != EINVAL)
+			goto err_ret;
+
+		if (bufsiz > 1000000)
+			goto err_ret;
+
+		free(buf);
+		bufsiz += 4096;
+	}
+
+	/*
+	 * Parse system's interface list.
+	 */
+	cplim = buf + ifc.ifc_len;    /* skip over if's with big ifr_addr's */
+	for (cp = buf;
+	     (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+	     cp += cpsize) {
+		memmove(&u.ifreq, cp, sizeof(u.ifreq));
+#ifdef LWRES_PLATFORM_HAVESALEN
+#ifdef FIX_ZERO_SA_LEN
+		if (u.ifreq.ifr_addr.sa_len == 0)
+			u.ifreq.ifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+		cpsize = sizeof(u.ifreq);
+		if (u.ifreq.ifr_addr.sa_len > sizeof(struct sockaddr))
+			cpsize += (int)u.ifreq.ifr_addr.sa_len -
+				(int)(sizeof(struct sockaddr));
+#else
+		cpsize = sizeof(u.ifreq.ifr_name) + u.ifreq.ifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+		if (cpsize > sizeof(u.ifreq) && cpsize <= sizeof(u))
+			memmove(&u.ifreq, cp, cpsize);
+#elif defined SIOCGIFCONF_ADDR
+		cpsize = sizeof(u.ifreq);
+#else
+		cpsize = sizeof(u.ifreq.ifr_name);
+		/* XXX maybe this should be a hard error? */
+		if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
+			continue;
+#endif
+		switch (u.ifreq.ifr_addr.sa_family) {
+		case AF_INET:
+			if (*have_v4 == 0) {
+				memmove(&in4,
+					&((struct sockaddr_in *)
+					  &u.ifreq.ifr_addr)->sin_addr,
+					sizeof(in4));
+				if (in4.s_addr == INADDR_ANY)
+					break;
+				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+				if (n < 0)
+					break;
+				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+					break;
+				*have_v4 = 1;
+			}
+			break;
+		case AF_INET6:
+			if (*have_v6 == 0) {
+				memmove(&in6,
+					&((struct sockaddr_in6 *)
+					  &u.ifreq.ifr_addr)->sin6_addr,
+					sizeof(in6));
+				if (memcmp(&in6, &in6addr_any,
+					   sizeof(in6)) == 0)
+					break;
+				n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+				if (n < 0)
+					break;
+				if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+					break;
+				*have_v6 = 1;
+			}
+			break;
+		}
+	}
+	if (buf != NULL)
+		free(buf);
+#ifdef WIN32
+	DestroySockets();
+#endif
+	close(s);
+	return (0);
+
+ err_ret:
+	if (buf != NULL)
+		free(buf);
+	if (s != -1)
+		close(s);
+#ifdef WIN32
+	DestroySockets();
+#endif
+	return (-1);
+#endif
+}
+
+static struct hostent *
+copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
+{
+	struct hostent *he = NULL;
+	int addresses = 1;	/* NULL terminator */
+	int names = 1;		/* NULL terminator */
+	int len = 0;
+	char **cpp, **npp;
+
+	/*
+	 * Work out array sizes.
+	 */
+	if (he1 != NULL) {
+		cpp = he1->h_addr_list;
+		while (*cpp != NULL) {
+			addresses++;
+			cpp++;
+		}
+		cpp = he1->h_aliases;
+		while (*cpp != NULL) {
+			names++;
+			cpp++;
+		}
+	}
+
+	if (he2 != NULL) {
+		cpp = he2->h_addr_list;
+		while (*cpp != NULL) {
+			addresses++;
+			cpp++;
+		}
+		if (he1 == NULL) {
+			cpp = he2->h_aliases;
+			while (*cpp != NULL) {
+				names++;
+				cpp++;
+			}
+		}
+	}
+
+	if (addresses == 1) {
+		*error_num = NO_ADDRESS;
+		return (NULL);
+	}
+
+	he = malloc(sizeof(*he));
+	if (he == NULL)
+		goto no_recovery;
+
+	he->h_addr_list = malloc(sizeof(char *) * (addresses));
+	if (he->h_addr_list == NULL)
+		goto cleanup0;
+	memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
+
+	/*
+	 * Copy addresses.
+	 */
+	npp = he->h_addr_list;
+	if (he1 != NULL) {
+		cpp = he1->h_addr_list;
+		while (*cpp != NULL) {
+			*npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+			if (*npp == NULL)
+				goto cleanup1;
+			/*
+			 * Convert to mapped if required.
+			 */
+			if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
+				memmove(*npp, in6addr_mapped,
+					sizeof(in6addr_mapped));
+				memmove(*npp + sizeof(in6addr_mapped), *cpp,
+					INADDRSZ);
+			} else {
+				memmove(*npp, *cpp,
+					(af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+			}
+			cpp++;
+			npp++;
+		}
+	}
+
+	if (he2 != NULL) {
+		cpp = he2->h_addr_list;
+		while (*cpp != NULL) {
+			*npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+			if (*npp == NULL)
+				goto cleanup1;
+			/*
+			 * Convert to mapped if required.
+			 */
+			if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
+				memmove(*npp, in6addr_mapped,
+					sizeof(in6addr_mapped));
+				memmove(*npp + sizeof(in6addr_mapped), *cpp,
+					INADDRSZ);
+			} else {
+				memmove(*npp, *cpp,
+					(af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+			}
+			cpp++;
+			npp++;
+		}
+	}
+
+	he->h_aliases = malloc(sizeof(char *) * (names));
+	if (he->h_aliases == NULL)
+		goto cleanup1;
+	memset(he->h_aliases, 0, sizeof(char *) * (names));
+
+	/*
+	 * Copy aliases.
+	 */
+	npp = he->h_aliases;
+	cpp = (he1 != NULL) ? he1->h_aliases
+		: ((he2 != NULL) ?  he2->h_aliases : NULL);
+	while (cpp != NULL && *cpp != NULL) {
+		len = strlen (*cpp) + 1;
+		*npp = malloc(len);
+		if (*npp == NULL)
+			goto cleanup2;
+		strcpy(*npp, *cpp);
+		npp++;
+		cpp++;
+	}
+
+	/*
+	 * Copy hostname.
+	 */
+	he->h_name = malloc(strlen((he1 != NULL) ?
+			    he1->h_name : he2->h_name) + 1);
+	if (he->h_name == NULL)
+		goto cleanup2;
+	strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
+
+	/*
+	 * Set address type and length.
+	 */
+	he->h_addrtype = af;
+	he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
+	return (he);
+
+ cleanup2:
+	cpp = he->h_aliases;
+	while (*cpp != NULL) {
+		free(*cpp);
+		cpp++;
+	}
+	free(he->h_aliases);
+
+ cleanup1:
+	cpp = he->h_addr_list;
+	while (*cpp != NULL) {
+		free(*cpp);
+		*cpp = NULL;
+		cpp++;
+	}
+	free(he->h_addr_list);
+
+ cleanup0:
+	free(he);
+
+ no_recovery:
+	*error_num = NO_RECOVERY;
+	return (NULL);
+}
+
+static struct hostent *
+hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
+	struct hostent *he;
+	int i;
+
+	he = malloc(sizeof(*he));
+	if (he == NULL)
+		goto cleanup;
+	memset(he, 0, sizeof(*he));
+
+	/*
+	 * Set family and length.
+	 */
+	he->h_addrtype = af;
+	switch (af) {
+	case AF_INET:
+		he->h_length = INADDRSZ;
+		break;
+	case AF_INET6:
+		he->h_length = IN6ADDRSZ;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	/*
+	 * Copy name.
+	 */
+	he->h_name = strdup(addr->realname);
+	if (he->h_name == NULL)
+		goto cleanup;
+
+	/*
+	 * Copy aliases.
+	 */
+	he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
+	if (he->h_aliases == NULL)
+		goto cleanup;
+	for (i = 0; i < addr->naliases; i++) {
+		he->h_aliases[i] = strdup(addr->aliases[i]);
+		if (he->h_aliases[i] == NULL)
+			goto cleanup;
+	}
+	he->h_aliases[i] = NULL;
+
+	/*
+	 * Copy address.
+	 */
+	he->h_addr_list = malloc(sizeof(char *) * 2);
+	if (he->h_addr_list == NULL)
+		goto cleanup;
+	he->h_addr_list[0] = malloc(he->h_length);
+	if (he->h_addr_list[0] == NULL)
+		goto cleanup;
+	memmove(he->h_addr_list[0], src, he->h_length);
+	he->h_addr_list[1] = NULL;
+	return (he);
+
+ cleanup:
+	if (he != NULL && he->h_addr_list != NULL) {
+		for (i = 0; he->h_addr_list[i] != NULL; i++)
+			free(he->h_addr_list[i]);
+		free(he->h_addr_list);
+	}
+	if (he != NULL && he->h_aliases != NULL) {
+		for (i = 0; he->h_aliases[i] != NULL; i++)
+			free(he->h_aliases[i]);
+		free(he->h_aliases);
+	}
+	if (he != NULL && he->h_name != NULL)
+		free(he->h_name);
+	if (he != NULL)
+		free(he);
+	return (NULL);
+}
+
+static struct hostent *
+hostfromname(lwres_gabnresponse_t *name, int af) {
+	struct hostent *he;
+	int i;
+	lwres_addr_t *addr;
+
+	he = malloc(sizeof(*he));
+	if (he == NULL)
+		goto cleanup;
+	memset(he, 0, sizeof(*he));
+
+	/*
+	 * Set family and length.
+	 */
+	he->h_addrtype = af;
+	switch (af) {
+	case AF_INET:
+		he->h_length = INADDRSZ;
+		break;
+	case AF_INET6:
+		he->h_length = IN6ADDRSZ;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	/*
+	 * Copy name.
+	 */
+	he->h_name = strdup(name->realname);
+	if (he->h_name == NULL)
+		goto cleanup;
+
+	/*
+	 * Copy aliases.
+	 */
+	he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
+	if (he->h_aliases == NULL)
+		goto cleanup;
+	for (i = 0; i < name->naliases; i++) {
+		he->h_aliases[i] = strdup(name->aliases[i]);
+		if (he->h_aliases[i] == NULL)
+			goto cleanup;
+	}
+	he->h_aliases[i] = NULL;
+
+	/*
+	 * Copy addresses.
+	 */
+	he->h_addr_list = malloc(sizeof(char *) * (name->naddrs + 1));
+	if (he->h_addr_list == NULL)
+		goto cleanup;
+	addr = LWRES_LIST_HEAD(name->addrs);
+	i = 0;
+	while (addr != NULL) {
+		he->h_addr_list[i] = malloc(he->h_length);
+		if (he->h_addr_list[i] == NULL)
+			goto cleanup;
+		memmove(he->h_addr_list[i], addr->address, he->h_length);
+		addr = LWRES_LIST_NEXT(addr, link);
+		i++;
+	}
+	he->h_addr_list[i] = NULL;
+	return (he);
+
+ cleanup:
+	if (he != NULL && he->h_addr_list != NULL) {
+		for (i = 0; he->h_addr_list[i] != NULL; i++)
+			free(he->h_addr_list[i]);
+		free(he->h_addr_list);
+	}
+	if (he != NULL && he->h_aliases != NULL) {
+		for (i = 0; he->h_aliases[i] != NULL; i++)
+			free(he->h_aliases[i]);
+		free(he->h_aliases);
+	}
+	if (he != NULL && he->h_name != NULL)
+		free(he->h_name);
+	if (he != NULL)
+		free(he);
+	return (NULL);
+}
diff --git a/lib/lwres/getnameinfo.c b/lib/lwres/getnameinfo.c
new file mode 100644
index 0000000..9951f4c
--- /dev/null
+++ b/lib/lwres/getnameinfo.c
@@ -0,0 +1,342 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id$ */
+
+/*! \file */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * XXX
+ * Issues to be discussed:
+ * - Return values.  There seems to be no standard for return value (RFC2553)
+ *   but INRIA implementation returns EAI_xxx defined for getaddrinfo().
+ */
+
+
+/**
+ *    This function is equivalent to the getnameinfo(3) function defined in
+ *    RFC2133. lwres_getnameinfo() returns the hostname for the struct
+ *    sockaddr sa which is salen bytes long. The hostname is of length
+ *    hostlen and is returned via *host. The maximum length of the hostname
+ *    is 1025 bytes: #NI_MAXHOST.
+ *
+ *    The name of the service associated with the port number in sa is
+ *    returned in *serv. It is servlen bytes long. The maximum length of the
+ *    service name is #NI_MAXSERV - 32 bytes.
+ *
+ *    The flags argument sets the following bits:
+ *
+ * \li   #NI_NOFQDN:
+ *           A fully qualified domain name is not required for local hosts.
+ *           The local part of the fully qualified domain name is returned
+ *           instead.
+ *
+ * \li   #NI_NUMERICHOST
+ *           Return the address in numeric form, as if calling inet_ntop(),
+ *           instead of a host name.
+ *
+ * \li   #NI_NAMEREQD
+ *           A name is required. If the hostname cannot be found in the DNS
+ *           and this flag is set, a non-zero error code is returned. If the
+ *           hostname is not found and the flag is not set, the address is
+ *           returned in numeric form.
+ *
+ * \li   #NI_NUMERICSERV
+ *           The service name is returned as a digit string representing the
+ *           port number.
+ *
+ * \li   #NI_DGRAM
+ *           Specifies that the service being looked up is a datagram
+ *           service, and causes getservbyport() to be called with a second
+ *           argument of "udp" instead of its default of "tcp". This is
+ *           required for the few ports (512-514) that have different
+ *           services for UDP and TCP.
+ *
+ * \section getnameinfo_return Return Values
+ *
+ *    lwres_getnameinfo() returns 0 on success or a non-zero error code if
+ *    an error occurs.
+ *
+ * \section getname_see See Also
+ *
+ *    RFC2133, getservbyport(),
+ *    lwres_getnamebyaddr(). lwres_net_ntop().
+ *
+ * \section getnameinfo_bugs Bugs
+ *
+ *    RFC2133 fails to define what the nonzero return values of
+ *    getnameinfo() are.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+#include "print_p.h"
+
+#include "assert_p.h"
+
+#define SUCCESS 0
+
+/*% afd structure definition */
+static struct afd {
+	int a_af;
+	size_t a_addrlen;
+	size_t a_socklen;
+} afdl [] = {
+	/*!
+	 * First entry is linked last...
+	 */
+	{ AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+	{ AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+	{0, 0, 0},
+};
+
+#define ENI_NOSERVNAME	1
+#define ENI_NOHOSTNAME	2
+#define ENI_MEMORY	3
+#define ENI_SYSTEM	4
+#define ENI_FAMILY	5
+#define ENI_SALEN	6
+#define ENI_NOSOCKET 	7
+
+/*!
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+	do { result = (code);			\
+		if (result != 0) goto cleanup;	\
+	} while (0)
+
+/*% lightweight resolver socket address structure to hostname and service name */
+int
+lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+		  size_t hostlen, char *serv, size_t servlen, int flags)
+{
+	struct afd *afd = NULL;
+	struct servent *sp;
+	unsigned short port;
+#ifdef LWRES_PLATFORM_HAVESALEN
+	size_t len;
+#endif
+	int family, i;
+	const void *addr;
+	char *p;
+#if 0
+	unsigned long v4a;
+	unsigned char pfx;
+#endif
+	char numserv[sizeof("65000")];
+	char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
+		    + 1 + sizeof("4294967295")];
+	const char *proto;
+	uint32_t lwf = 0;
+	lwres_context_t *lwrctx = NULL;
+	lwres_gnbaresponse_t *by = NULL;
+	int result = SUCCESS;
+	int n;
+
+	if (sa == NULL)
+		ERR(ENI_NOSOCKET);
+
+#ifdef LWRES_PLATFORM_HAVESALEN
+	len = sa->sa_len;
+	if (len != salen)
+		ERR(ENI_SALEN);
+#endif
+
+	family = sa->sa_family;
+	for (i = 0; afdl[i].a_af; i++)
+		if (afdl[i].a_af == family) {
+			afd = &afdl[i];
+			goto found;
+		}
+	ERR(ENI_FAMILY);
+
+ found:
+	if (salen != afd->a_socklen)
+		ERR(ENI_SALEN);
+
+	switch (family) {
+	case AF_INET:
+		port = ((const struct sockaddr_in *)sa)->sin_port;
+		addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+		break;
+
+	case AF_INET6:
+		port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+		addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+		break;
+
+	default:
+		port = 0;
+		addr = NULL;
+		POST(port); POST(addr);
+		INSIST(0);
+	}
+	proto = (flags & NI_DGRAM) ? "udp" : "tcp";
+
+	if (serv == NULL || servlen == 0U) {
+		/*
+		 * Caller does not want service.
+		 */
+	} else if ((flags & NI_NUMERICSERV) != 0 ||
+		   (sp = getservbyport(port, proto)) == NULL) {
+		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+		if ((strlen(numserv) + 1) > servlen)
+			ERR(ENI_MEMORY);
+		strcpy(serv, numserv);
+	} else {
+		if ((strlen(sp->s_name) + 1) > servlen)
+			ERR(ENI_MEMORY);
+		strcpy(serv, sp->s_name);
+	}
+
+#if 0
+	switch (sa->sa_family) {
+	case AF_INET:
+		v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+		if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+			flags |= NI_NUMERICHOST;
+		v4a >>= IN_CLASSA_NSHIFT;
+		if (v4a == 0 || v4a == IN_LOOPBACKNET)
+			flags |= NI_NUMERICHOST;
+		break;
+
+	case AF_INET6:
+		pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+		if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+			flags |= NI_NUMERICHOST;
+		break;
+	}
+#endif
+
+	if (host == NULL || hostlen == 0U) {
+		/*
+		 * What should we do?
+		 */
+	} else if (flags & NI_NUMERICHOST) {
+		if (lwres_net_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+		    == NULL)
+			ERR(ENI_SYSTEM);
+#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
+		if (afd->a_af == AF_INET6 &&
+		    ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+			char *p = numaddr + strlen(numaddr);
+			const char *stringscope = NULL;
+#if 0
+			if ((flags & NI_NUMERICSCOPE) == 0) {
+				/*
+				 * Vendors may want to add support for
+				 * non-numeric scope identifier.
+				 */
+				stringscope = foo;
+			}
+#endif
+			if (stringscope == NULL) {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%u",
+				    ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
+			} else {
+				snprintf(p, sizeof(numaddr) - (p - numaddr),
+				    "%%%s", stringscope);
+			}
+		}
+#endif
+		if (strlen(numaddr) + 1 > hostlen)
+			ERR(ENI_MEMORY);
+		strcpy(host, numaddr);
+	} else {
+		switch (family) {
+		case AF_INET:
+			lwf = LWRES_ADDRTYPE_V4;
+			break;
+		case AF_INET6:
+			lwf = LWRES_ADDRTYPE_V6;
+			break;
+		default:
+			INSIST(0);
+		}
+
+		n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+		if (n == 0)
+			(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+		if (n == 0)
+			n = lwres_getnamebyaddr(lwrctx, lwf,
+						(uint16_t)afd->a_addrlen,
+						addr, &by);
+		if (n == 0) {
+			if (flags & NI_NOFQDN) {
+				p = strchr(by->realname, '.');
+				if (p)
+					*p = '\0';
+			}
+			if ((strlen(by->realname) + 1) > hostlen)
+				ERR(ENI_MEMORY);
+			strcpy(host, by->realname);
+		} else {
+			if (flags & NI_NAMEREQD)
+				ERR(ENI_NOHOSTNAME);
+			if (lwres_net_ntop(afd->a_af, addr, numaddr,
+					   sizeof(numaddr))
+			    == NULL)
+				ERR(ENI_NOHOSTNAME);
+			if ((strlen(numaddr) + 1) > hostlen)
+				ERR(ENI_MEMORY);
+			strcpy(host, numaddr);
+		}
+	}
+	result = SUCCESS;
+ cleanup:
+	if (by != NULL)
+		lwres_gnbaresponse_free(lwrctx, &by);
+	if (lwrctx != NULL) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+	}
+	return (result);
+}
diff --git a/lib/lwres/getrrset.c b/lib/lwres/getrrset.c
new file mode 100644
index 0000000..8f43eb8
--- /dev/null
+++ b/lib/lwres/getrrset.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: getrrset.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ * DESCRIPTION
+ *
+ *    lwres_getrrsetbyname() gets a set of resource records associated with
+ *    a hostname, class, and type. hostname is a pointer a to
+ *    null-terminated string. The flags field is currently unused and must
+ *    be zero.
+ *
+ *    After a successful call to lwres_getrrsetbyname(), *res is a pointer
+ *    to an #rrsetinfo structure, containing a list of one or more #rdatainfo
+ *    structures containing resource records and potentially another list of
+ *    rdatainfo structures containing SIG resource records associated with
+ *    those records. The members #rri_rdclass and #rri_rdtype are copied from
+ *    the parameters. #rri_ttl and #rri_name are properties of the obtained
+ *    rrset. The resource records contained in #rri_rdatas and #rri_sigs are
+ *    in uncompressed DNS wire format. Properties of the rdataset are
+ *    represented in the #rri_flags bitfield. If the #RRSET_VALIDATED bit is
+ *    set, the data has been DNSSEC validated and the signatures verified.
+ *
+ *    All of the information returned by lwres_getrrsetbyname() is
+ *    dynamically allocated: the rrsetinfo and rdatainfo structures, and the
+ *    canonical host name strings pointed to by the rrsetinfostructure.
+ *    Memory allocated for the dynamically allocated structures created by a
+ *    successful call to lwres_getrrsetbyname() is released by
+ *    lwres_freerrset(). rrset is a pointer to a struct rrset created by a
+ *    call to lwres_getrrsetbyname().
+ *
+ *    The following structures are used:
+ *
+ * \code
+ * struct  rdatainfo {
+ *         unsigned int            rdi_length;     // length of data
+ *         unsigned char           *rdi_data;      // record data
+ * };
+ *
+ * struct  rrsetinfo {
+ *         unsigned int            rri_flags;      // RRSET_VALIDATED...
+ *         unsigned int            rri_rdclass;    // class number
+ *         unsigned int            rri_rdtype;     // RR type number
+ *         unsigned int            rri_ttl;        // time to live
+ *         unsigned int            rri_nrdatas;    // size of rdatas array
+ *         unsigned int            rri_nsigs;      // size of sigs array
+ *         char                    *rri_name;      // canonical name
+ *         struct rdatainfo        *rri_rdatas;    // individual records
+ *         struct rdatainfo        *rri_sigs;      // individual signatures
+ * };
+ * \endcode
+ *
+ * \section getrrset_return Return Values
+ *
+ *    lwres_getrrsetbyname() returns zero on success, and one of the
+ *    following error codes if an error occurred:
+ *
+ * \li   #ERRSET_NONAME: the name does not exist
+ *
+ * \li   #ERRSET_NODATA:
+ *           the name exists, but does not have data of the desired type
+ *
+ * \li   #ERRSET_NOMEMORY:
+ *           memory could not be allocated
+ *
+ * \li   #ERRSET_INVAL:
+ *           a parameter is invalid
+ *
+ * \li   #ERRSET_FAIL:
+ *           other failure
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>	/* XXX #include <netdb.h> */
+
+#include "assert_p.h"
+
+/*!
+ * Structure to map results
+ */
+static unsigned int
+lwresult_to_result(lwres_result_t lwresult) {
+	switch (lwresult) {
+	case LWRES_R_SUCCESS:	return (ERRSET_SUCCESS);
+	case LWRES_R_NOMEMORY:	return (ERRSET_NOMEMORY);
+	case LWRES_R_NOTFOUND:	return (ERRSET_NONAME);
+	case LWRES_R_TYPENOTFOUND: return (ERRSET_NODATA);
+	default:		return (ERRSET_FAIL);
+	}
+}
+
+/*@{*/
+/*!
+ * malloc / calloc functions that guarantee to only
+ * return NULL if there is an error, like they used
+ * to before the ANSI C committee broke them.
+ */
+
+static void *
+sane_malloc(size_t size) {
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
+}
+
+static void *
+sane_calloc(size_t number, size_t size) {
+	size_t len = number * size;
+	void *mem  = sane_malloc(len);
+	if (mem != NULL)
+		memset(mem, 0, len);
+	return (mem);
+}
+/*@}*/
+
+/*% Returns a set of resource records associated with a hostname, class, and type. hostname is a pointer a to null-terminated string. */
+int
+lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
+		     unsigned int rdtype, unsigned int flags,
+		     struct rrsetinfo **res)
+{
+	lwres_context_t *lwrctx = NULL;
+	lwres_result_t lwresult;
+	lwres_grbnresponse_t *response = NULL;
+	struct rrsetinfo *rrset = NULL;
+	unsigned int i;
+	unsigned int lwflags;
+	unsigned int result;
+
+	if (rdclass > 0xffff || rdtype > 0xffff) {
+		result = ERRSET_INVAL;
+		goto fail;
+	}
+
+	/*
+	 * Don't allow queries of class or type ANY
+	 */
+	if (rdclass == 0xff || rdtype == 0xff) {
+		result = ERRSET_INVAL;
+		goto fail;
+	}
+
+	lwresult = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+	if (lwresult != LWRES_R_SUCCESS) {
+		result = lwresult_to_result(lwresult);
+		goto fail;
+	}
+	(void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+	/*
+	 * If any input flags were defined, lwflags would be set here
+	 * based on them
+	 */
+	UNUSED(flags);
+	lwflags = 0;
+
+	lwresult = lwres_getrdatabyname(lwrctx, hostname,
+					(uint16_t)rdclass,
+					(uint16_t)rdtype,
+					lwflags, &response);
+	if (lwresult != LWRES_R_SUCCESS) {
+		result = lwresult_to_result(lwresult);
+		goto fail;
+	}
+
+	rrset = sane_malloc(sizeof(struct rrsetinfo));
+	if (rrset == NULL) {
+		result = ERRSET_NOMEMORY;
+		goto fail;
+	}
+	rrset->rri_name = NULL;
+	rrset->rri_rdclass = response->rdclass;
+	rrset->rri_rdtype = response->rdtype;
+	rrset->rri_ttl = response->ttl;
+	rrset->rri_flags = 0;
+	rrset->rri_nrdatas = 0;
+	rrset->rri_rdatas = NULL;
+	rrset->rri_nsigs = 0;
+	rrset->rri_sigs = NULL;
+
+	rrset->rri_name = sane_malloc(response->realnamelen + 1);
+	if (rrset->rri_name == NULL) {
+		result = ERRSET_NOMEMORY;
+		goto fail;
+	}
+	strncpy(rrset->rri_name, response->realname, response->realnamelen);
+	rrset->rri_name[response->realnamelen] = 0;
+
+	if ((response->flags & LWRDATA_VALIDATED) != 0)
+		rrset->rri_flags |= RRSET_VALIDATED;
+
+	rrset->rri_nrdatas = response->nrdatas;
+	rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
+				   sizeof(struct rdatainfo));
+	if (rrset->rri_rdatas == NULL) {
+		result = ERRSET_NOMEMORY;
+		goto fail;
+	}
+	for (i = 0; i < rrset->rri_nrdatas; i++) {
+		rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
+		rrset->rri_rdatas[i].rdi_data =
+				sane_malloc(rrset->rri_rdatas[i].rdi_length);
+		if (rrset->rri_rdatas[i].rdi_data == NULL) {
+			result = ERRSET_NOMEMORY;
+			goto fail;
+		}
+		memmove(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
+			rrset->rri_rdatas[i].rdi_length);
+	}
+	rrset->rri_nsigs = response->nsigs;
+	rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
+				      sizeof(struct rdatainfo));
+	if (rrset->rri_sigs == NULL) {
+		result = ERRSET_NOMEMORY;
+		goto fail;
+	}
+	for (i = 0; i < rrset->rri_nsigs; i++) {
+		rrset->rri_sigs[i].rdi_length = response->siglen[i];
+		rrset->rri_sigs[i].rdi_data =
+				sane_malloc(rrset->rri_sigs[i].rdi_length);
+		if (rrset->rri_sigs[i].rdi_data == NULL) {
+			result = ERRSET_NOMEMORY;
+			goto fail;
+		}
+		memmove(rrset->rri_sigs[i].rdi_data, response->sigs[i],
+			rrset->rri_sigs[i].rdi_length);
+	}
+
+	lwres_grbnresponse_free(lwrctx, &response);
+	lwres_conf_clear(lwrctx);
+	lwres_context_destroy(&lwrctx);
+	*res = rrset;
+	return (ERRSET_SUCCESS);
+ fail:
+	if (rrset != NULL)
+		lwres_freerrset(rrset);
+	if (response != NULL)
+		lwres_grbnresponse_free(lwrctx, &response);
+	if (lwrctx != NULL) {
+		lwres_conf_clear(lwrctx);
+		lwres_context_destroy(&lwrctx);
+	}
+	return (result);
+}
+
+/*% Releases memory allocated for the dynamically allocated structures created by a successful call to lwres_getrrsetbyname(). */
+void
+lwres_freerrset(struct rrsetinfo *rrset) {
+	unsigned int i;
+	if (rrset->rri_rdatas != NULL) {
+		for (i = 0; i < rrset->rri_nrdatas; i++) {
+			if (rrset->rri_rdatas[i].rdi_data == NULL)
+				break;
+			free(rrset->rri_rdatas[i].rdi_data);
+		}
+		free(rrset->rri_rdatas);
+	}
+	if (rrset->rri_sigs != NULL) {
+		for (i = 0; i < rrset->rri_nsigs; i++) {
+			if (rrset->rri_sigs[i].rdi_data == NULL)
+				break;
+			free(rrset->rri_sigs[i].rdi_data);
+		}
+		free(rrset->rri_sigs);
+	}
+	free(rrset->rri_name);
+	free(rrset);
+}
diff --git a/lib/lwres/herror.c b/lib/lwres/herror.c
new file mode 100644
index 0000000..25bd65e
--- /dev/null
+++ b/lib/lwres/herror.c
@@ -0,0 +1,114 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1987, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*! \file herror.c
+   lwres_herror() prints the string s on stderr followed by the string
+   generated by lwres_hstrerror() for the error code stored in the global
+   variable lwres_h_errno.
+
+   lwres_hstrerror() returns an appropriate string for the error code
+   gievn by err. The values of the error codes and messages are as
+   follows:
+
+\li   #NETDB_SUCCESS: Resolver Error 0 (no error)
+
+\li   #HOST_NOT_FOUND: Unknown host
+
+\li #TRY_AGAIN: Host name lookup failure
+
+\li   #NO_RECOVERY: Unknown server error
+
+\li   #NO_DATA: No address associated with name
+
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
+static const char rcsid[] =
+	"$Id$";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <isc/print.h>
+
+#include <lwres/netdb.h>
+#include <lwres/platform.h>
+
+LIBLWRES_EXTERNAL_DATA int	lwres_h_errno;
+
+/*!
+ * these have never been declared in any header file so make them static
+ */
+
+static const char *h_errlist[] = {
+	"Resolver Error 0 (no error)",		/*%< 0 no error */
+	"Unknown host",				/*%< 1 HOST_NOT_FOUND */
+	"Host name lookup failure",		/*%< 2 TRY_AGAIN */
+	"Unknown server error",			/*%< 3 NO_RECOVERY */
+	"No address associated with name",	/*%< 4 NO_ADDRESS */
+};
+
+static int	h_nerr = sizeof(h_errlist) / sizeof(h_errlist[0]);
+
+
+/*!
+ * herror --
+ *	print the error indicated by the h_errno value.
+ */
+void
+lwres_herror(const char *s) {
+	fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
+}
+
+/*!
+ * hstrerror --
+ *	return the string associated with a given "host" errno value.
+ */
+const char *
+lwres_hstrerror(int err) {
+	if (err < 0)
+		return ("Resolver internal error");
+	else if (err < h_nerr)
+		return (h_errlist[err]);
+	return ("Unknown resolver error");
+}
diff --git a/lib/lwres/include/Makefile.in b/lib/lwres/include/Makefile.in
new file mode 100644
index 0000000..51564a9
--- /dev/null
+++ b/lib/lwres/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.8 2007/06/19 23:47:22 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	lwres
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/lwres/include/lwres/Makefile.in b/lib/lwres/include/lwres/Makefile.in
new file mode 100644
index 0000000..2a07df5
--- /dev/null
+++ b/lib/lwres/include/lwres/Makefile.in
@@ -0,0 +1,46 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated.  The latter are handled specially in the
+# install target below.
+#
+HEADERS =	context.h int.h ipv6.h lang.h list.h \
+		lwbuffer.h lwpacket.h lwres.h result.h \
+		stdlib.h string.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/lwres || exit 1; \
+	done
+	${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/lwres
+	${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/lwres
+
+uninstall::
+	rm -f ${DESTDIR}${includedir}/lwres/platform.h
+	rm -f ${DESTDIR}${includedir}/lwres/netdb.h
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/lwres/$$i || exit 1; \
+	done
+
+distclean::
+	rm -f netdb.h platform.h
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
new file mode 100644
index 0000000..2acc4a1
--- /dev/null
+++ b/lib/lwres/include/lwres/context.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: context.h,v 1.23 2008/12/17 23:47:58 tbox Exp $ */
+
+#ifndef LWRES_CONTEXT_H
+#define LWRES_CONTEXT_H 1
+
+/*! \file lwres/context.h */
+
+#include <inttypes.h>
+#include <stddef.h>
+
+#include <lwres/lang.h>
+#include <lwres/result.h>
+
+/*!
+ * Used to set various options such as timeout, authentication, etc
+ */
+typedef struct lwres_context lwres_context_t;
+
+LWRES_LANG_BEGINDECLS
+
+typedef void *(*lwres_malloc_t)(void *arg, size_t length);
+typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
+
+/*
+ * XXXMLG
+ *
+ * Make the server reload /etc/resolv.conf periodically.
+ *
+ * Make the server do sortlist/searchlist.
+ *
+ * Client side can disable the search/sortlist processing.
+ *
+ * Use an array of addresses/masks and searchlist for client-side, and
+ * if added to the client disable the processing on the server.
+ *
+ * Share /etc/resolv.conf data between contexts.
+ */
+
+/*!
+ * _SERVERMODE
+ *	Don't allocate and connect a socket to the server, since the
+ *	caller _is_ a server.
+ *
+ * _USEIPV4, _USEIPV6
+ *	Use IPv4 and IPv6 transactions with remote servers, respectively.
+ *	For backward compatibility, regard both flags as being set when both
+ *	are cleared.
+ */
+#define LWRES_CONTEXT_SERVERMODE	0x00000001U
+#define LWRES_CONTEXT_USEIPV4		0x00000002U
+#define LWRES_CONTEXT_USEIPV6		0x00000004U
+
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg,
+		     lwres_malloc_t malloc_function,
+		     lwres_free_t free_function,
+		     unsigned int flags);
+/**<
+ * Allocate a lwres context.  This is used in all lwres calls.
+ *
+ * Memory management can be replaced here by passing in two functions.
+ * If one is non-NULL, they must both be non-NULL.  "arg" is passed to
+ * these functions.
+ *
+ * Contexts are not thread safe.  Document at the top of the file.
+ * XXXMLG
+ *
+ * If they are NULL, the standard malloc() and free() will be used.
+ *
+ *\pre	contextp != NULL && contextp == NULL.
+ *
+ *\return	Returns 0 on success, non-zero on failure.
+ */
+
+void
+lwres_context_destroy(lwres_context_t **contextp);
+/**<
+ * Frees all memory associated with a lwres context.
+ *
+ *\pre	contextp != NULL && contextp == NULL.
+ */
+
+uint32_t
+lwres_context_nextserial(lwres_context_t *ctx);
+/**<
+ * XXXMLG Document
+ */
+
+void
+lwres_context_initserial(lwres_context_t *ctx, uint32_t serial);
+
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
+
+void *
+lwres_context_allocmem(lwres_context_t *ctx, size_t len);
+
+int
+lwres_context_getsocket(lwres_context_t *ctx);
+
+lwres_result_t
+lwres_context_send(lwres_context_t *ctx,
+		   void *sendbase, int sendlen);
+
+lwres_result_t
+lwres_context_recv(lwres_context_t *ctx,
+		   void *recvbase, int recvlen,
+		   int *recvd_len);
+
+lwres_result_t
+lwres_context_sendrecv(lwres_context_t *ctx,
+		       void *sendbase, int sendlen,
+		       void *recvbase, int recvlen,
+		       int *recvd_len);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_CONTEXT_H */
diff --git a/lib/lwres/include/lwres/int.h b/lib/lwres/include/lwres/int.h
new file mode 100644
index 0000000..8bc5ce8
--- /dev/null
+++ b/lib/lwres/include/lwres/int.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef LWRES_INT_H
+#define LWRES_INT_H 1
+
+#include <inttypes.h>
+
+/*! \file lwres/int.h */
+
+typedef lwres_int8_t			int8_t;
+typedef lwres_uint8_t			uint8_t;
+typedef lwres_int16_t			int16_t;
+typedef lwres_uint16_t			uint16_t;
+typedef lwres_int32_t			int32_t;
+typedef lwres_uint32_t			uint32_t;
+typedef lwres_int64_t			int64_t;
+typedef lwres_uint64_t			uint64_t;
+
+#endif /* LWRES_INT_H */
diff --git a/lib/lwres/include/lwres/ipv6.h b/lib/lwres/include/lwres/ipv6.h
new file mode 100644
index 0000000..8747605
--- /dev/null
+++ b/lib/lwres/include/lwres/ipv6.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: ipv6.h,v 1.16 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_IPV6_H
+#define LWRES_IPV6_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file lwres/ipv6.h
+ * IPv6 definitions for systems which do not support IPv6.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <inttypes.h>
+
+#include <lwres/platform.h>
+
+/***
+ *** Types.
+ ***/
+
+/*% in6_addr structure */
+struct in6_addr {
+	union {
+		uint8_t	_S6_u8[16];
+		uint16_t	_S6_u16[8];
+		uint32_t	_S6_u32[4];
+	} _S6_un;
+};
+/*@{*/
+/*% IP v6 types */
+#define s6_addr		_S6_un._S6_u8
+#define s6_addr8	_S6_un._S6_u8
+#define s6_addr16	_S6_un._S6_u16
+#define s6_addr32	_S6_un._S6_u32
+/*@}*/
+
+#define IN6ADDR_ANY_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+#define IN6ADDR_LOOPBACK_INIT 	{{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
+
+LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
+LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
+
+/*% used in getaddrinfo.c and getnameinfo.c */
+struct sockaddr_in6 {
+#ifdef LWRES_PLATFORM_HAVESALEN
+	uint8_t		sin6_len;
+	uint8_t		sin6_family;
+#else
+	uint16_t		sin6_family;
+#endif
+	uint16_t		sin6_port;
+	uint32_t		sin6_flowinfo;
+	struct in6_addr		sin6_addr;
+	uint32_t		sin6_scope_id;
+};
+
+#ifdef LWRES_PLATFORM_HAVESALEN
+#define SIN6_LEN 1
+#endif
+
+/*% in6_pktinfo structure */
+struct in6_pktinfo {
+	struct in6_addr ipi6_addr;    /*%< src/dst IPv6 address */
+	unsigned int    ipi6_ifindex; /*%< send/recv interface index */
+};
+
+/*!
+ * Unspecified IPv6 address
+ */
+#define IN6_IS_ADDR_UNSPECIFIED(a)      \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == 0))
+
+/*
+ * Loopback
+ */
+#define IN6_IS_ADDR_LOOPBACK(a)         \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == htonl(1)))
+
+/*
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a)         \
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] != 0) &&    \
+	 ((a)->s6_addr32[3] != htonl(1)))
+
+/*
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a)               \
+	(((a)->s6_addr32[0] == 0) &&          \
+	 ((a)->s6_addr32[1] == 0) &&          \
+	 ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+
+#endif /* LWRES_IPV6_H */
diff --git a/lib/lwres/include/lwres/lang.h b/lib/lwres/include/lwres/lang.h
new file mode 100644
index 0000000..7396b9a
--- /dev/null
+++ b/lib/lwres/include/lwres/lang.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lang.h,v 1.13 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_LANG_H
+#define LWRES_LANG_H 1
+
+/*! \file lwres/lang.h */
+
+#ifdef __cplusplus
+#define LWRES_LANG_BEGINDECLS	extern "C" {
+#define LWRES_LANG_ENDDECLS	}
+#else
+#define LWRES_LANG_BEGINDECLS
+#define LWRES_LANG_ENDDECLS
+#endif
+
+#endif /* LWRES_LANG_H */
diff --git a/lib/lwres/include/lwres/list.h b/lib/lwres/include/lwres/list.h
new file mode 100644
index 0000000..f235c18
--- /dev/null
+++ b/lib/lwres/include/lwres/list.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: list.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_LIST_H
+#define LWRES_LIST_H 1
+
+/*! \file lwres/list.h */
+
+#define LWRES_LIST(type) struct { type *head, *tail; }
+#define LWRES_LIST_INIT(list) \
+	do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define LWRES_LINK(type) struct { type *prev, *next; }
+#define LWRES_LINK_INIT(elt, link) \
+	do { \
+		(elt)->link.prev = (void *)(-1); \
+		(elt)->link.next = (void *)(-1); \
+	} while (0)
+#define LWRES_LINK_LINKED(elt, link) \
+	((void *)((elt)->link.prev) != (void *)(-1))
+
+#define LWRES_LIST_HEAD(list) ((list).head)
+#define LWRES_LIST_TAIL(list) ((list).tail)
+#define LWRES_LIST_EMPTY(list) LWRES_TF((list).head == NULL)
+
+#define LWRES_LIST_PREPEND(list, elt, link) \
+	do { \
+		if ((list).head != NULL) \
+			(list).head->link.prev = (elt); \
+		else \
+			(list).tail = (elt); \
+		(elt)->link.prev = NULL; \
+		(elt)->link.next = (list).head; \
+		(list).head = (elt); \
+	} while (0)
+
+#define LWRES_LIST_APPEND(list, elt, link) \
+	do { \
+		if ((list).tail != NULL) \
+			(list).tail->link.next = (elt); \
+		else \
+			(list).head = (elt); \
+		(elt)->link.prev = (list).tail; \
+		(elt)->link.next = NULL; \
+		(list).tail = (elt); \
+	} while (0)
+
+#define LWRES_LIST_UNLINK(list, elt, link) \
+	do { \
+		if ((elt)->link.next != NULL) \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		else \
+			(list).tail = (elt)->link.prev; \
+		if ((elt)->link.prev != NULL) \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		else \
+			(list).head = (elt)->link.next; \
+		(elt)->link.prev = (void *)(-1); \
+		(elt)->link.next = (void *)(-1); \
+	} while (0)
+
+#define LWRES_LIST_PREV(elt, link) ((elt)->link.prev)
+#define LWRES_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define LWRES_LIST_INSERTBEFORE(list, before, elt, link) \
+	do { \
+		if ((before)->link.prev == NULL) \
+			LWRES_LIST_PREPEND(list, elt, link); \
+		else { \
+			(elt)->link.prev = (before)->link.prev; \
+			(before)->link.prev = (elt); \
+			(elt)->link.prev->link.next = (elt); \
+			(elt)->link.next = (before); \
+		} \
+	} while (0)
+
+#define LWRES_LIST_INSERTAFTER(list, after, elt, link) \
+	do { \
+		if ((after)->link.next == NULL) \
+			LWRES_LIST_APPEND(list, elt, link); \
+		else { \
+			(elt)->link.next = (after)->link.next; \
+			(after)->link.next = (elt); \
+			(elt)->link.next->link.prev = (elt); \
+			(elt)->link.prev = (after); \
+		} \
+	} while (0)
+
+#define LWRES_LIST_APPENDLIST(list1, list2, link) \
+	do { \
+		if (LWRES_LIST_EMPTY(list1)) \
+			(list1) = (list2); \
+		else if (!LWRES_LIST_EMPTY(list2)) { \
+			(list1).tail->link.next = (list2).head; \
+			(list2).head->link.prev = (list1).tail; \
+			(list1).tail = (list2).tail; \
+		} \
+		(list2).head = NULL; \
+		(list2).tail = NULL; \
+	} while (0)
+
+#define LWRES_LIST_ENQUEUE(list, elt, link) LWRES_LIST_APPEND(list, elt, link)
+#define LWRES_LIST_DEQUEUE(list, elt, link) LWRES_LIST_UNLINK(list, elt, link)
+
+#endif /* LWRES_LIST_H */
diff --git a/lib/lwres/include/lwres/lwbuffer.h b/lib/lwres/include/lwres/lwbuffer.h
new file mode 100644
index 0000000..056a813
--- /dev/null
+++ b/lib/lwres/include/lwres/lwbuffer.h
@@ -0,0 +1,401 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwbuffer.h,v 1.22 2007/06/19 23:47:23 tbox Exp $ */
+
+
+/*! \file lwres/lwbuffer.h
+ *
+ * A buffer is a region of memory, together with a set of related subregions.
+ * Buffers are used for parsing and I/O operations.
+ *
+ * The 'used region' and the 'available' region are disjoint, and their
+ * union is the buffer's region.  The used region extends from the beginning
+ * of the buffer region to the last used byte.  The available region
+ * extends from one byte greater than the last used byte to the end of the
+ * buffer's region.  The size of the used region can be changed using various
+ * buffer commands.  Initially, the used region is empty.
+ *
+ * The used region is further subdivided into two disjoint regions: the
+ * 'consumed region' and the 'remaining region'.  The union of these two
+ * regions is the used region.  The consumed region extends from the beginning
+ * of the used region to the byte before the 'current' offset (if any).  The
+ * 'remaining' region the current pointer to the end of the used
+ * region.  The size of the consumed region can be changed using various
+ * buffer commands.  Initially, the consumed region is empty.
+ *
+ * The 'active region' is an (optional) subregion of the remaining region.
+ * It extends from the current offset to an offset in the remaining region
+ * that is selected with lwres_buffer_setactive().  Initially, the active
+ * region is empty.  If the current offset advances beyond the chosen offset,
+ * the active region will also be empty.
+ *
+ * \verbatim
+ *  /----- used region -----\/-- available --\
+ *  +----------------------------------------+
+ *  | consumed  | remaining |                |
+ *  +----------------------------------------+
+ *  a           b     c     d                e
+ *
+ * a == base of buffer.
+ * b == current pointer.  Can be anywhere between a and d.
+ * c == active pointer.  Meaningful between b and d.
+ * d == used pointer.
+ * e == length of buffer.
+ *
+ * a-e == entire (length) of buffer.
+ * a-d == used region.
+ * a-b == consumed region.
+ * b-d == remaining region.
+ * b-c == optional active region.
+ * \endverbatim
+ *
+ * The following invariants are maintained by all routines:
+ *
+ *\verbatim
+ *	length > 0
+ *
+ *	base is a valid pointer to length bytes of memory
+ *
+ *	0 <= used <= length
+ *
+ *	0 <= current <= used
+ *
+ *	0 <= active <= used
+ *	(although active < current implies empty active region)
+ *\endverbatim
+ *
+ * \li MP:
+ *	Buffers have no synchronization.  Clients must ensure exclusive
+ *	access.
+ *
+ * \li Reliability:
+ *	No anticipated impact.
+ *
+ * \li Resources:
+ *	Memory: 1 pointer + 6 unsigned integers per buffer.
+ *
+ * \li Security:
+ *	No anticipated impact.
+ *
+ * \li Standards:
+ *	None.
+ */
+
+#ifndef LWRES_LWBUFFER_H
+#define LWRES_LWBUFFER_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <inttypes.h>
+
+#include <lwres/lang.h>
+
+LWRES_LANG_BEGINDECLS
+
+/***
+ *** Magic numbers
+ ***/
+#define LWRES_BUFFER_MAGIC		0x4275663fU	/* Buf?. */
+
+#define LWRES_BUFFER_VALID(b)		((b) != NULL && \
+					 (b)->magic == LWRES_BUFFER_MAGIC)
+
+/*!
+ * The following macros MUST be used only on valid buffers.  It is the
+ * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
+ * check above, or by calling another lwres_buffer_*() function (rather than
+ * another macro.)
+ */
+
+/*!
+ * Get the length of the used region of buffer "b"
+ */
+#define LWRES_BUFFER_USEDCOUNT(b)	((b)->used)
+
+/*!
+ * Get the length of the available region of buffer "b"
+ */
+#define LWRES_BUFFER_AVAILABLECOUNT(b)	((b)->length - (b)->used)
+
+#define LWRES_BUFFER_REMAINING(b)	((b)->used - (b)->current)
+
+/*!
+ * Note that the buffer structure is public.  This is principally so buffer
+ * operations can be implemented using macros.  Applications are strongly
+ * discouraged from directly manipulating the structure.
+ */
+
+typedef struct lwres_buffer lwres_buffer_t;
+/*!
+ * Buffer data structure
+ */
+struct lwres_buffer {
+	unsigned int		magic;
+	unsigned char 	       *base;
+	/* The following integers are byte offsets from 'base'. */
+	unsigned int		length;
+	unsigned int		used;
+	unsigned int 		current;
+	unsigned int 		active;
+};
+
+/***
+ *** Functions
+ ***/
+
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
+/**<
+ * Make 'b' refer to the 'length'-byte region starting at base.
+ *
+ * Requires:
+ *
+ *	'length' > 0
+ *
+ *	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+lwres_buffer_invalidate(lwres_buffer_t *b);
+/**<
+ * Make 'b' an invalid buffer.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ * Ensures:
+ *	If assertion checking is enabled, future attempts to use 'b' without
+ *	calling lwres_buffer_init() on it will cause an assertion failure.
+ */
+
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
+/**<
+ * Increase the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ *	used + n <= length
+ *
+ */
+
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
+/**<
+ * Decrease the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ *	used >= n
+ *
+ */
+
+void
+lwres_buffer_clear(lwres_buffer_t *b);
+/**<
+ * Make the used region empty.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *	used = 0
+ *
+ */
+
+
+void
+lwres_buffer_first(lwres_buffer_t *b);
+/**<
+ * Make the consumed region empty.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ *	current == 0
+ *
+ */
+
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
+/**<
+ * Increase the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ *	current + n <= used
+ *
+ */
+
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
+/**<
+ * Decrease the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer
+ *
+ *	n <= current
+ *
+ */
+
+uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b);
+/**<
+ * Read an unsigned 8-bit integer from 'b' and return it.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer.
+ *
+ *	The length of the available region of 'b' is at least 1.
+ *
+ * Ensures:
+ *
+ *	The current pointer in 'b' is advanced by 1.
+ *
+ * Returns:
+ *
+ *	A 8-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, uint8_t val);
+/**<
+ * Store an unsigned 8-bit integer from 'val' into 'b'.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ *	The length of the unused region of 'b' is at least 1.
+ *
+ * Ensures:
+ *	The used pointer in 'b' is advanced by 1.
+ */
+
+uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b);
+/**<
+ * Read an unsigned 16-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer.
+ *
+ *	The length of the available region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ *	The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ *	A 16-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, uint16_t val);
+/**<
+ * Store an unsigned 16-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ *	The length of the unused region of 'b' is at least 2.
+ *
+ * Ensures:
+ *	The used pointer in 'b' is advanced by 2.
+ */
+
+uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b);
+/**<
+ * Read an unsigned 32-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *	'b' is a valid buffer.
+ *
+ *	The length of the available region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ *	The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ *	A 32-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, uint32_t val);
+/**<
+ * Store an unsigned 32-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ *	The length of the unused region of 'b' is at least 4.
+ *
+ * Ensures:
+ *	The used pointer in 'b' is advanced by 4.
+ */
+
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
+		    unsigned int length);
+/**<
+ * Copy 'length' bytes of memory at 'base' into 'b'.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ *	'base' points to 'length' bytes of valid memory.
+ *
+ */
+
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
+		    unsigned int length);
+/**<
+ * Copy 'length' bytes of memory from 'b' into 'base'.
+ *
+ * Requires:
+ *	'b' is a valid buffer.
+ *
+ *	'base' points to at least 'length' bytes of valid memory.
+ *
+ *	'b' have at least 'length' bytes remaining.
+ */
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWBUFFER_H */
diff --git a/lib/lwres/include/lwres/lwpacket.h b/lib/lwres/include/lwres/lwpacket.h
new file mode 100644
index 0000000..656a5cb
--- /dev/null
+++ b/lib/lwres/include/lwres/lwpacket.h
@@ -0,0 +1,155 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwpacket.h,v 1.24 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_LWPACKET_H
+#define LWRES_LWPACKET_H 1
+
+#include <inttypes.h>
+
+#include <lwres/lang.h>
+#include <lwres/lwbuffer.h>
+#include <lwres/result.h>
+
+/*% lwres_lwpacket_t */
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+
+/*% lwres_lwpacket structure */
+struct lwres_lwpacket {
+	/*! The overall packet length, including the
+	 *  entire packet header.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
+	uint32_t		length;
+	/*! Specifies the header format.  Currently,
+	 *  there is only one format, #LWRES_LWPACKETVERSION_0.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
+	uint16_t		version;
+	/*! Specifies library-defined flags for this packet, such as
+	 *  whether the packet is a request or a reply.  None of
+	 *  these are definable by the caller, but library-defined values
+	 *  can be set by the caller.  For example, one bit in this field
+	 *  indicates if the packet is a request or a response.
+	 *  This field is filled in by
+	 *  the application wits the exception of the
+	 *  #LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library
+	 *  in the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
+	uint16_t		pktflags;
+	/*! Set by the requestor and is returned in all replies.
+	 *  If two packets from the same source have the same serial
+	 *  number and are from the same source, they are assumed to
+	 *  be duplicates and the latter ones may be dropped.
+	 *  (The library does not do this by default on replies, but
+	 * does so on requests.)
+	 */
+	uint32_t		serial;
+	/*! Opcodes between 0x04000000 and 0xffffffff
+	 *  are application defined.  Opcodes between
+	 *  0x00000000 and 0x03ffffff are
+	 * reserved for library use.
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
+	uint32_t		opcode;
+	/*! Only valid for results.
+	 *  Results between 0x04000000 and 0xffffffff are application
+	 *  defined.
+	 * Results between 0x00000000 and 0x03ffffff are reserved for
+	 * library use.
+	 * (This is the same reserved range defined in <isc/resultclass.h>,
+	 * so it
+	 * would be trivial to map ISC_R_* result codes into packet result
+	 * codes when appropriate.)
+	 *  This field is filled in by the
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
+	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
+	 */
+	uint32_t		result;
+	/*! Set to the maximum buffer size that the receiver can
+	 *  handle on requests, and the size of the buffer needed to
+	 *  satisfy a request
+	 *  when the buffer is too large for replies.
+	 *  This field is supplied by the application.
+	 */
+	uint32_t		recvlength;
+	/*! The packet level auth type used.
+	 *  Authtypes between 0x1000 and 0xffff are application defined.
+	 *  Authtypes
+	 *  between 0x0000 and 0x0fff are reserved for library use.
+	 *  This is currently
+	 *  unused and MUST be set to zero.
+	 */
+	uint16_t		authtype;
+	/*! The length of the authentication data.
+	 *  See the specific
+	 * authtypes for more information on what is contained
+	 * in this field.  This is currently unused, and
+	 * MUST be set to zero.
+	 */
+	uint16_t		authlength;
+};
+
+#define LWRES_LWPACKET_LENGTH		(4 * 5 + 2 * 4) /*%< Overall length. */
+
+#define LWRES_LWPACKETFLAG_RESPONSE	0x0001U	/*%< If set, pkt is a response. */
+
+
+#define LWRES_LWPACKETVERSION_0		0	/*%< Header format. */
+
+/*! \file lwres/lwpacket.h
+ *
+ *
+ * The remainder of the packet consists of two regions, one described by
+ * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
+ *
+ * That is:
+ *
+ * \code
+ *	pkt header
+ *	authlen bytes of auth information
+ *	data bytes
+ * \endcode
+ *
+ * Currently defined opcodes:
+ *
+ *\li	#LWRES_OPCODE_NOOP.  Success is always returned, with the packet contents echoed.
+ *
+ *\li	#LWRES_OPCODE_GETADDRSBYNAME.  Return all known addresses for a given name.
+ *		This may return NIS or /etc/hosts info as well as DNS
+ *		information.  Flags will be provided to indicate ip4/ip6
+ *		addresses are desired.
+ *
+ *\li	#LWRES_OPCODE_GETNAMEBYADDR.	Return the hostname for the given address.  Once
+ *		again, it will return data from multiple sources.
+ */
+
+LWRES_LANG_BEGINDECLS
+
+/* XXXMLG document */
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWPACKET_H */
diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h
new file mode 100644
index 0000000..81a0e02
--- /dev/null
+++ b/lib/lwres/include/lwres/lwres.h
@@ -0,0 +1,577 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwres.h,v 1.57 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_LWRES_H
+#define LWRES_LWRES_H 1
+
+#include <inttypes.h>
+#include <stdio.h>
+
+#include <lwres/context.h>
+#include <lwres/lang.h>
+#include <lwres/list.h>
+#include <lwres/lwpacket.h>
+#include <lwres/platform.h>
+
+/*! \file lwres/lwres.h */
+
+/*!
+ * Design notes:
+ *
+ * Each opcode has two structures and three functions which operate on each
+ * structure.  For example, using the "no operation/ping" opcode as an
+ * example:
+ *
+ *	<ul><li>lwres_nooprequest_t:
+ *
+ *		lwres_nooprequest_render() takes a lwres_nooprequest_t and
+ *		and renders it into wire format, storing the allocated
+ *		buffer information in a passed-in buffer.  When this buffer
+ *		is no longer needed, it must be freed by
+ *		lwres_context_freemem().  All other memory used by the
+ *		caller must be freed manually, including the
+ *		lwres_nooprequest_t passed in.<br /><br />
+ *
+ *		lwres_nooprequest_parse() takes a wire format message and
+ *		breaks it out into a lwres_nooprequest_t.  The structure
+ *		must be freed via lwres_nooprequest_free() when it is no longer
+ *		needed.<br /><br />
+ *
+ *		lwres_nooprequest_free() releases into the lwres_context_t
+ *		any space allocated during parsing.</li>
+ *
+ *	<li>lwres_noopresponse_t:
+ *
+ *		The functions used are similar to the three used for
+ *		requests, just with different names.</li></ul>
+ *
+ * Typically, the client will use request_render, response_parse, and
+ * response_free, while the daemon will use request_parse, response_render,
+ * and request_free.
+ *
+ * The basic flow of a typical client is:
+ *
+ *	\li fill in a request_t, and call the render function.
+ *
+ *	\li Transmit the buffer returned to the daemon.
+ *
+ *	\li Wait for a response.
+ *
+ *	\li When a response is received, parse it into a response_t.
+ *
+ *	\li free the request buffer using lwres_context_freemem().
+ *
+ *	\li free the response structure and its associated buffer using
+ *	response_free().
+ */
+
+#define LWRES_UDP_PORT		921	/*%< UDP Port Number */
+#define LWRES_RECVLENGTH	16384 /*%< Maximum Packet Length */
+#define LWRES_ADDR_MAXLEN	16	/*%< changing this breaks ABI */
+#define LWRES_RESOLV_CONF	"/etc/resolv.conf" /*%< Location of resolv.conf */
+
+/*% DNSSEC is not required (input).  Only relevant to rrset queries. */
+#define LWRES_FLAG_TRUSTNOTREQUIRED	0x00000001U
+/*% The data was crypto-verified with DNSSEC (output). */
+#define LWRES_FLAG_SECUREDATA		0x00000002U
+
+/*% no-op */
+#define LWRES_OPCODE_NOOP		0x00000000U
+
+/*% lwres_nooprequest_t */
+typedef struct {
+	/* public */
+	uint16_t			datalength;
+	unsigned char		       *data;
+} lwres_nooprequest_t;
+
+/*% lwres_noopresponse_t */
+typedef struct {
+	/* public */
+	uint16_t			datalength;
+	unsigned char		       *data;
+} lwres_noopresponse_t;
+
+/*% get addresses by name */
+#define LWRES_OPCODE_GETADDRSBYNAME	0x00010001U
+
+/*% lwres_addr_t */
+typedef struct lwres_addr lwres_addr_t;
+
+/*% LWRES_LIST */
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+/*% lwres_addr */
+struct lwres_addr {
+	uint32_t			family;
+	uint16_t			length;
+	unsigned char			address[LWRES_ADDR_MAXLEN];
+	uint32_t			zone;
+	LWRES_LINK(lwres_addr_t)	link;
+};
+
+/*% lwres_gabnrequest_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	uint32_t			addrtypes;
+	uint16_t			namelen;
+	char			       *name;
+} lwres_gabnrequest_t;
+
+/*% lwres_gabnresponse_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	uint16_t			naliases;
+	uint16_t			naddrs;
+	char			       *realname;
+	char			      **aliases;
+	uint16_t			realnamelen;
+	uint16_t		       *aliaslen;
+	lwres_addrlist_t		addrs;
+	/*! if base != NULL, it will be freed when this structure is freed. */
+	void			       *base;
+	size_t				baselen;
+} lwres_gabnresponse_t;
+
+/*% get name by address */
+#define LWRES_OPCODE_GETNAMEBYADDR	0x00010002U
+
+/*% lwres_gnbarequest_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	lwres_addr_t			addr;
+} lwres_gnbarequest_t;
+
+/*% lwres_gnbaresponse_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	uint16_t			naliases;
+	char			       *realname;
+	char			      **aliases;
+	uint16_t			realnamelen;
+	uint16_t		       *aliaslen;
+	/*! if base != NULL, it will be freed when this structure is freed. */
+	void			       *base;
+	size_t				baselen;
+} lwres_gnbaresponse_t;
+
+/*% get rdata by name */
+#define LWRES_OPCODE_GETRDATABYNAME	0x00010003U
+
+/*% lwres_grbnrequest_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	uint16_t			rdclass;
+	uint16_t			rdtype;
+	uint16_t			namelen;
+	char			       *name;
+} lwres_grbnrequest_t;
+
+/*% lwres_grbnresponse_t */
+typedef struct {
+	/* public */
+	uint32_t			flags;
+	uint16_t			rdclass;
+	uint16_t			rdtype;
+	uint32_t			ttl;
+	uint16_t			nrdatas;
+	uint16_t			nsigs;
+	char			       *realname;
+	uint16_t			realnamelen;
+	unsigned char		      **rdatas;
+	uint16_t		       *rdatalen;
+	unsigned char		      **sigs;
+	uint16_t		       *siglen;
+	/*% if base != NULL, it will be freed when this structure is freed. */
+	void			       *base;
+	size_t				baselen;
+} lwres_grbnresponse_t;
+
+/*% Used by lwres_getrrsetbyname() */
+#define LWRDATA_VALIDATED	0x00000001
+
+/*!
+ * resolv.conf data
+ */
+
+#define LWRES_CONFMAXNAMESERVERS 3	/*%< max 3 "nameserver" entries */
+#define LWRES_CONFMAXLWSERVERS 1	/*%< max 1 "lwserver" entry */
+#define LWRES_CONFMAXSEARCH 8		/*%< max 8 domains in "search" entry */
+#define LWRES_CONFMAXLINELEN 256	/*%< max size of a line */
+#define LWRES_CONFMAXSORTLIST 10	/*%< max 10 */
+
+/*% lwres_conf_t */
+typedef struct {
+	lwres_context_t *lwctx;
+	lwres_addr_t    nameservers[LWRES_CONFMAXNAMESERVERS];
+	uint8_t	nsnext;		/*%< index for next free slot */
+
+	lwres_addr_t	lwservers[LWRES_CONFMAXLWSERVERS];
+	uint8_t	lwnext;		/*%< index for next free slot */
+
+	char	       *domainname;
+
+	char 	       *search[LWRES_CONFMAXSEARCH];
+	uint8_t	searchnxt;	/*%< index for next free slot */
+
+	struct {
+		lwres_addr_t addr;
+		/*% mask has a non-zero 'family' and 'length' if set */
+		lwres_addr_t mask;
+	} sortlist[LWRES_CONFMAXSORTLIST];
+	uint8_t	sortlistnxt;
+
+	uint8_t	resdebug;      /*%< non-zero if 'options debug' set */
+	uint8_t	ndots;	       /*%< set to n in 'options ndots:n' */
+	uint8_t	no_tld_query;  /*%< non-zero if 'options no_tld_query' */
+	int32_t	attempts;      /*%< set to n in 'options attempts:n' */
+	int32_t	timeout;       /*%< set to n in 'options timeout:n' */
+} lwres_conf_t;
+
+#define LWRES_ADDRTYPE_V4		0x00000001U	/*%< ipv4 */
+#define LWRES_ADDRTYPE_V6		0x00000002U	/*%< ipv6 */
+
+#define LWRES_MAX_ALIASES		16		/*%< max # of aliases */
+#define LWRES_MAX_ADDRS			64		/*%< max # of addrs */
+
+LWRES_LANG_BEGINDECLS
+
+/*% This is in host byte order. */
+LIBLWRES_EXTERNAL_DATA extern uint16_t lwres_udp_port;
+
+LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
+
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
+
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt,
+			 lwres_gabnresponse_t **structp);
+
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
+
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt,
+			 lwres_gnbaresponse_t **structp);
+
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+lwres_result_t
+lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp);
+
+lwres_result_t
+lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt,
+			 lwres_grbnresponse_t **structp);
+
+void
+lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+void
+lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+/**<
+ * Allocate space and render into wire format a noop request packet.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	b != NULL, and points to a lwres_buffer_t.  The contents of the
+ *	buffer structure will be initialized to contain the wire-format
+ *	noop request packet.
+ *
+ *	Caller needs to fill in parts of "pkt" before calling:
+ *		serial, maxrecv, result.
+ *
+ * Returns:
+ *
+ *	Returns 0 on success, non-zero on failure.
+ *
+ *	On successful return, *b will contain data about the wire-format
+ *	packet.  It can be transmitted in any way, including lwres_sendblock().
+ */
+
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
+/**<
+ * Parse a noop request.  Note that to get here, the lwpacket must have
+ * already been parsed and removed by the caller, otherwise it would be
+ * pretty hard for it to know this is the right function to call.
+ *
+ * The function verifies bits of the header, but does not modify it.
+ */
+
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt,
+			 lwres_noopresponse_t **structp);
+
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
+
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
+
+/**<
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ *	ctx != NULL, and be a context returned via lwres_context_create().
+ *
+ *	structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ *	*structp == NULL.
+ *
+ *	All memory allocated by this structure will be returned to the
+ *	system via the context's free function.
+ */
+
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename);
+/**<
+ * parses a resolv.conf-format file and stores the results in the structure
+ * pointed to by *ctx.
+ *
+ * Requires:
+ *	ctx != NULL
+ *	filename != NULL && strlen(filename) > 0
+ *
+ * Returns:
+ *	LWRES_R_SUCCESS on a successful parse.
+ *	Anything else on error, although the structure may be partially filled
+ *	in.
+ */
+
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp);
+/**<
+ * Prints a resolv.conf-format of confdata output to fp.
+ *
+ * Requires:
+ *	ctx != NULL
+ */
+
+void
+lwres_conf_init(lwres_context_t *ctx);
+/**<
+ * sets all internal fields to a default state. Used to initialize a new
+ * lwres_conf_t structure (not reset a used on).
+ *
+ * Requires:
+ *	ctx != NULL
+ */
+
+void
+lwres_conf_clear(lwres_context_t *ctx);
+/**<
+ * frees all internally allocated memory in confdata. Uses the memory
+ * routines supplied by ctx.
+ *
+ * Requires:
+ *	ctx != NULL
+ */
+
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx);
+/**<
+ * Be extremely cautions in modifying the contents of this structure; it
+ * needs an API to return the various bits of data, walk lists, etc.
+ *
+ * Requires:
+ *	ctx != NULL
+ */
+
+/*
+ * Helper functions
+ */
+
+lwres_result_t
+lwres_data_parse(lwres_buffer_t *b, unsigned char **p, uint16_t *len);
+
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, uint16_t *len);
+
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
+
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
+		     uint32_t addrtypes, lwres_gabnresponse_t **structp);
+
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, uint32_t addrtype,
+		    uint16_t addrlen, const unsigned char *addr,
+		    lwres_gnbaresponse_t **structp);
+
+lwres_result_t
+lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
+		     uint16_t rdclass, uint16_t rdtype,
+		     uint32_t flags, lwres_grbnresponse_t **structp);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWRES_H */
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
new file mode 100644
index 0000000..8e65bc8
--- /dev/null
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -0,0 +1,516 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: netdb.h.in,v 1.41 2009/01/18 23:48:14 tbox Exp $ */
+
+/*! \file */
+
+#ifndef LWRES_NETDB_H
+#define LWRES_NETDB_H 1
+
+#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
+#include <netdb.h>	/* Contractual provision. */
+
+#include <lwres/lang.h>
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+@ISC_LWRES_NEEDADDRINFO@
+
+#ifdef ISC_LWRES_NEEDADDRINFO
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_OVERFLOW
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_OVERFLOW	14
+#define EAI_MAX		15
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+#define	NI_NUMERICSCOPE	0x00000020	/*2553bis-00*/
+
+/*
+ * Define if <netdb.h> does not declare struct rrsetinfo.
+ */
+@ISC_LWRES_NEEDRRSETINFO@
+
+#ifdef ISC_LWRES_NEEDRRSETINFO
+/*
+ * Structures for getrrsetbyname()
+ */
+struct rdatainfo {
+	unsigned int		rdi_length;
+	unsigned char		*rdi_data;
+};
+
+struct rrsetinfo {
+	unsigned int		rri_flags;
+	int			rri_rdclass;
+	int			rri_rdtype;
+	unsigned int		rri_ttl;
+	unsigned int		rri_nrdatas;
+	unsigned int		rri_nsigs;
+	char			*rri_name;
+	struct rdatainfo	*rri_rdatas;
+	struct rdatainfo	*rri_sigs;
+};
+
+/*
+ * Flags for getrrsetbyname()
+ */
+#define RRSET_VALIDATED		0x00000001
+	/* Set was dnssec validated */
+
+/*
+ * Return codes for getrrsetbyname()
+ */
+#define ERRSET_SUCCESS		0
+#define ERRSET_NOMEMORY		1
+#define ERRSET_FAIL		2
+#define ERRSET_INVAL		3
+#define	ERRSET_NONAME	 	4
+#define	ERRSET_NODATA	 	5
+#endif
+
+/*
+ * Define to map into lwres_ namespace.
+ */
+
+#define LWRES_NAMESPACE
+
+#ifdef LWRES_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo lwres_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo lwres_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo lwres_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror lwres_gai_strerror
+
+#ifdef herror
+#undef herror
+#endif
+#define herror lwres_herror
+
+#ifdef hstrerror
+#undef hstrerror
+#endif
+#define hstrerror lwres_hstrerror
+
+#ifdef getipnodebyname
+#undef getipnodebyname
+#endif
+#define getipnodebyname lwres_getipnodebyname
+
+#ifdef getipnodebyaddr
+#undef getipnodebyaddr
+#endif
+#define getipnodebyaddr lwres_getipnodebyaddr
+
+#ifdef freehostent
+#undef freehostent
+#endif
+#define freehostent lwres_freehostent
+
+#ifdef gethostbyname
+#undef gethostbyname
+#endif
+#define gethostbyname lwres_gethostbyname
+
+#ifdef gethostbyname2
+#undef gethostbyname2
+#endif
+#define gethostbyname2 lwres_gethostbyname2
+
+#ifdef gethostbyaddr
+#undef gethostbyaddr
+#endif
+#define gethostbyaddr lwres_gethostbyaddr
+
+#ifdef gethostent
+#undef gethostent
+#endif
+#define gethostent lwres_gethostent
+
+#ifdef sethostent
+#undef sethostent
+#endif
+#define sethostent lwres_sethostent
+
+#ifdef endhostent
+#undef endhostent
+#endif
+#define endhostent lwres_endhostent
+
+/* #define sethostfile lwres_sethostfile */
+
+#ifdef gethostbyname_r
+#undef gethostbyname_r
+#endif
+#define gethostbyname_r lwres_gethostbyname_r
+
+#ifdef gethostbyaddr_r
+#undef gethostbyaddr_r
+#endif
+#define gethostbyaddr_r lwres_gethostbyaddr_r
+
+#ifdef gethostent_r
+#undef gethostent_r
+#endif
+#define gethostent_r lwres_gethostent_r
+
+#ifdef sethostent_r
+#undef sethostent_r
+#endif
+#define sethostent_r lwres_sethostent_r
+
+#ifdef endhostent_r
+#undef endhostent_r
+#endif
+#define endhostent_r lwres_endhostent_r
+
+#ifdef getrrsetbyname
+#undef getrrsetbyname
+#endif
+#define getrrsetbyname lwres_getrrsetbyname
+
+#ifdef freerrset
+#undef freerrset
+#endif
+#define freerrset lwres_freerrset
+
+#ifdef notyet
+#define getservbyname lwres_getservbyname
+#define getservbyport lwres_getservbyport
+#define getservent lwres_getservent
+#define setservent lwres_setservent
+#define endservent lwres_endservent
+
+#define getservbyname_r lwres_getservbyname_r
+#define getservbyport_r lwres_getservbyport_r
+#define getservent_r lwres_getservent_r
+#define setservent_r lwres_setservent_r
+#define endservent_r lwres_endservent_r
+
+#define getprotobyname lwres_getprotobyname
+#define getprotobynumber lwres_getprotobynumber
+#define getprotoent lwres_getprotoent
+#define setprotoent lwres_setprotoent
+#define endprotoent lwres_endprotoent
+
+#define getprotobyname_r lwres_getprotobyname_r
+#define getprotobynumber_r lwres_getprotobynumber_r
+#define getprotoent_r lwres_getprotoent_r
+#define setprotoent_r lwres_setprotoent_r
+#define endprotoent_r lwres_endprotoent_r
+
+#ifdef getnetbyname
+#undef getnetbyname
+#endif
+#define getnetbyname lwres_getnetbyname
+
+#ifdef getnetbyaddr
+#undef getnetbyaddr
+#endif
+#define getnetbyaddr lwres_getnetbyaddr
+
+#ifdef getnetent
+#undef getnetent
+#endif
+#define getnetent lwres_getnetent
+
+#ifdef setnetent
+#undef setnetent
+#endif
+#define setnetent lwres_setnetent
+
+#ifdef endnetent
+#undef endnetent
+#endif
+#define endnetent lwres_endnetent
+
+
+#ifdef getnetbyname_r
+#undef getnetbyname_r
+#endif
+#define getnetbyname_r lwres_getnetbyname_r
+
+#ifdef getnetbyaddr_r
+#undef getnetbyaddr_r
+#endif
+#define getnetbyaddr_r lwres_getnetbyaddr_r
+
+#ifdef getnetent_r
+#undef getnetent_r
+#endif
+#define getnetent_r lwres_getnetent_r
+
+#ifdef setnetent_r
+#undef setnetent_r
+#endif
+#define setnetent_r lwres_setnetent_r
+
+#ifdef endnetent_r
+#undef endnetent_r
+#endif
+#define endnetent_r lwres_endnetent_r
+#endif	/* notyet */
+
+#ifdef h_errno
+#undef h_errno
+#endif
+#define h_errno lwres_h_errno
+
+#endif	/* LWRES_NAMESPACE */
+
+LWRES_LANG_BEGINDECLS
+
+extern int lwres_h_errno;
+
+int		lwres_getaddrinfo(const char *, const char *,
+				 const struct addrinfo *, struct addrinfo **);
+int		lwres_getnameinfo(const struct sockaddr *, size_t, char *,
+				 size_t, char *, size_t, int);
+void		lwres_freeaddrinfo(struct addrinfo *);
+char		*lwres_gai_strerror(int);
+
+struct hostent	*lwres_gethostbyaddr(const char *, int, int);
+struct hostent	*lwres_gethostbyname(const char *);
+struct hostent	*lwres_gethostbyname2(const char *, int);
+struct hostent	*lwres_gethostent(void);
+struct hostent	*lwres_getipnodebyname(const char *, int, int, int *);
+struct hostent	*lwres_getipnodebyaddr(const void *, size_t, int, int *);
+void		lwres_endhostent(void);
+void		lwres_sethostent(int);
+/* void		lwres_sethostfile(const char *); */
+void		lwres_freehostent(struct hostent *);
+
+int		lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
+				     unsigned int, struct rrsetinfo **);
+void		lwres_freerrset(struct rrsetinfo *);
+
+#ifdef notyet
+struct netent	*lwres_getnetbyaddr(unsigned long, int);
+struct netent	*lwres_getnetbyname(const char *);
+struct netent	*lwres_getnetent(void);
+void		lwres_endnetent(void);
+void		lwres_setnetent(int);
+
+struct protoent	*lwres_getprotobyname(const char *);
+struct protoent	*lwres_getprotobynumber(int);
+struct protoent	*lwres_getprotoent(void);
+void		lwres_endprotoent(void);
+void		lwres_setprotoent(int);
+
+struct servent	*lwres_getservbyname(const char *, const char *);
+struct servent	*lwres_getservbyport(int, const char *);
+struct servent	*lwres_getservent(void);
+void		lwres_endservent(void);
+void		lwres_setservent(int);
+#endif /* notyet */
+
+void		lwres_herror(const char *);
+const char	*lwres_hstrerror(int);
+
+
+struct hostent	*lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
+					char *, int, int *);
+struct hostent	*lwres_gethostbyname_r(const char *, struct hostent *,
+					char *, int, int *);
+struct hostent	*lwres_gethostent_r(struct hostent *, char *, int, int *);
+void		lwres_sethostent_r(int);
+void		lwres_endhostent_r(void);
+
+#ifdef notyet
+struct netent	*lwres_getnetbyname_r(const char *, struct netent *,
+					char *, int);
+struct netent	*lwres_getnetbyaddr_r(long, int, struct netent *,
+					char *, int);
+struct netent	*lwres_getnetent_r(struct netent *, char *, int);
+void		lwres_setnetent_r(int);
+void		lwres_endnetent_r(void);
+
+struct protoent	*lwres_getprotobyname_r(const char *,
+				struct protoent *, char *, int);
+struct protoent	*lwres_getprotobynumber_r(int,
+				struct protoent *, char *, int);
+struct protoent	*lwres_getprotoent_r(struct protoent *, char *, int);
+void		lwres_setprotoent_r(int);
+void		lwres_endprotoent_r(void);
+
+struct servent	*lwres_getservbyname_r(const char *name, const char *,
+					struct servent *, char *, int);
+struct servent	*lwres_getservbyport_r(int port, const char *,
+					struct servent *, char *, int);
+struct servent	*lwres_getservent_r(struct servent *, char *, int);
+void		lwres_setservent_r(int);
+void		lwres_endservent_r(void);
+#endif	/* notyet */
+
+LWRES_LANG_ENDDECLS
+
+#ifdef notyet
+/* This is nec'y to make this include file properly replace the sun version. */
+#ifdef sun
+#ifdef __GNU_LIBRARY__
+#include <rpc/netdb.h>		/* Required. */
+#else /* !__GNU_LIBRARY__ */
+struct rpcent {
+	char	*r_name;	/* name of server for this rpc program */
+	char	**r_aliases;	/* alias list */
+	int	r_number;	/* rpc program number */
+};
+struct rpcent	*lwres_getrpcbyname();
+struct rpcent	*lwres_getrpcbynumber(),
+struct rpcent	*lwres_getrpcent();
+#endif /* __GNU_LIBRARY__ */
+#endif /* sun */
+#endif /* notyet */
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* LWRES_NETDB_H */
diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in
new file mode 100644
index 0000000..52c7192
--- /dev/null
+++ b/lib/lwres/include/lwres/platform.h.in
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: platform.h.in,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
+
+/*! \file */
+
+#ifndef LWRES_PLATFORM_H
+#define LWRES_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Network.
+ ***/
+
+/*
+ * Define if this system needs the <netinet/in6.h> header file for IPv6.
+ */
+@LWRES_PLATFORM_NEEDNETINETIN6H@
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file for IPv6.
+ */
+@LWRES_PLATFORM_NEEDNETINET6IN6H@
+
+/*
+ * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
+ * will be defined.
+ */
+@LWRES_PLATFORM_HAVESALEN@
+
+/*
+ * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
+ * will be defined.
+ */
+@LWRES_PLATFORM_HAVEIPV6@
+
+/*
+ * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
+ * be defined.
+ */
+@LWRES_PLATFORM_NEEDIN6ADDRANY@
+
+/*
+ * If this system is missing in6addr_loopback,
+ * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
+ */
+@LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK@
+
+/*
+ * If this system has in_addr6, rather than in6_addr,
+ * LWRES_PLATFORM_HAVEINADDR6 will be defined.
+ */
+@LWRES_PLATFORM_HAVEINADDR6@
+
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
+ */
+@LWRES_PLATFORM_NEEDSYSSELECTH@
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+@LWRES_PLATFORM_USEDECLSPEC@
+
+/*
+ * Defined this system needs vsnprintf() and snprintf().
+ */
+@LWRES_PLATFORM_NEEDVSNPRINTF@
+
+/*
+ * If this system need a modern sprintf() that returns (int) not (char*).
+ */
+@LWRES_PLATFORM_NEEDSPRINTF@
+
+/*! \brief
+ * Define if this system needs strtoul.
+ */
+@LWRES_PLATFORM_NEEDSTRTOUL@
+
+/*! \brief
+ * Define if this system needs strlcpy.
+ */
+@LWRES_PLATFORM_NEEDSTRLCPY@
+
+#ifndef LWRES_PLATFORM_USEDECLSPEC
+#define LIBLWRES_EXTERNAL_DATA
+#else
+#ifdef LIBLWRES_EXPORTS
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* LWRES_PLATFORM_H */
diff --git a/lib/lwres/include/lwres/result.h b/lib/lwres/include/lwres/result.h
new file mode 100644
index 0000000..7397a93
--- /dev/null
+++ b/lib/lwres/include/lwres/result.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: result.h,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_RESULT_H
+#define LWRES_RESULT_H 1
+
+/*! \file lwres/result.h */
+
+typedef unsigned int lwres_result_t;
+
+#define LWRES_R_SUCCESS			0
+#define LWRES_R_NOMEMORY		1
+#define LWRES_R_TIMEOUT			2
+#define LWRES_R_NOTFOUND		3
+#define LWRES_R_UNEXPECTEDEND		4	/* unexpected end of input */
+#define LWRES_R_FAILURE			5	/* generic failure */
+#define LWRES_R_IOERROR			6
+#define LWRES_R_NOTIMPLEMENTED		7
+#define LWRES_R_UNEXPECTED		8
+#define LWRES_R_TRAILINGDATA		9
+#define LWRES_R_INCOMPLETE		10
+#define LWRES_R_RETRY			11
+#define LWRES_R_TYPENOTFOUND		12
+#define LWRES_R_TOOLARGE		13
+
+#endif /* LWRES_RESULT_H */
diff --git a/lib/lwres/include/lwres/stdlib.h b/lib/lwres/include/lwres/stdlib.h
new file mode 100644
index 0000000..856f954
--- /dev/null
+++ b/lib/lwres/include/lwres/stdlib.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef LWRES_STDLIB_H
+#define LWRES_STDLIB_H 1
+
+/*! \file lwres/stdlib.h */
+
+#include <stdlib.h>
+
+#include <lwres/lang.h>
+#include <lwres/platform.h>
+
+#ifdef LWRES_PLATFORM_NEEDSTRTOUL
+#define strtoul lwres_strtoul
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+unsigned long lwres_strtoul(const char *, char **, int);
+
+LWRES_LANG_ENDDECLS
+
+#endif
diff --git a/lib/lwres/include/lwres/string.h b/lib/lwres/include/lwres/string.h
new file mode 100644
index 0000000..76d0747
--- /dev/null
+++ b/lib/lwres/include/lwres/string.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#ifndef LWRES_STRING_H
+#define LWRES_STRING_H 1
+
+/*! \file lwres/string.h */
+
+#include <stdlib.h>
+
+#include <lwres/lang.h>
+#include <lwres/platform.h>
+
+#ifdef LWRES_PLATFORM_NEEDSTRLCPY
+#define strlcpy lwres_strlcpy
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+size_t lwres_strlcpy(char *dst, const char *src, size_t size);
+
+LWRES_LANG_ENDDECLS
+
+#endif
diff --git a/lib/lwres/include/lwres/version.h b/lib/lwres/include/lwres/version.h
new file mode 100644
index 0000000..802f403
--- /dev/null
+++ b/lib/lwres/include/lwres/version.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: version.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
+
+/*! \file lwres/version.h */
+
+#include <lwres/platform.h>
+
+LIBLWRES_EXTERNAL_DATA extern const char lwres_version[];
+
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libinterface;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_librevision;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libage;
diff --git a/lib/lwres/lwbuffer.c b/lib/lwres/lwbuffer.c
new file mode 100644
index 0000000..9cdf5ed
--- /dev/null
+++ b/lib/lwres/lwbuffer.c
@@ -0,0 +1,356 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwbuffer.c,v 1.15 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions provide bounds checked access to a region of memory
+ *    where data is being read or written. They are based on, and similar
+ *    to, the isc_buffer_ functions in the ISC library.
+ *
+ *    A buffer is a region of memory, together with a set of related
+ *    subregions. The used region and the available region are disjoint, and
+ *    their union is the buffer's region. The used region extends from the
+ *    beginning of the buffer region to the last used byte. The available
+ *    region extends from one byte greater than the last used byte to the
+ *    end of the buffer's region. The size of the used region can be changed
+ *    using various buffer commands. Initially, the used region is empty.
+ *
+ *    The used region is further subdivided into two disjoint regions: the
+ *    consumed region and the remaining region. The union of these two
+ *    regions is the used region. The consumed region extends from the
+ *    beginning of the used region to the byte before the current offset (if
+ *    any). The remaining region the current pointer to the end of the used
+ *    region. The size of the consumed region can be changed using various
+ *    buffer commands. Initially, the consumed region is empty.
+ *
+ *    The active region is an (optional) subregion of the remaining region.
+ *    It extends from the current offset to an offset in the remaining
+ *    region. Initially, the active region is empty. If the current offset
+ *    advances beyond the chosen offset, the active region will also be
+ *    empty.
+ *
+ *
+ * \verbatim
+ *    /------------entire length---------------\\
+ *    /----- used region -----\\/-- available --\\
+ *    +----------------------------------------+
+ *    | consumed  | remaining |                |
+ *    +----------------------------------------+
+ *    a           b     c     d                e
+ *
+ *   a == base of buffer.
+ *   b == current pointer.  Can be anywhere between a and d.
+ *   c == active pointer.  Meaningful between b and d.
+ *   d == used pointer.
+ *   e == length of buffer.
+ *
+ *   a-e == entire length of buffer.
+ *   a-d == used region.
+ *   a-b == consumed region.
+ *   b-d == remaining region.
+ *   b-c == optional active region.
+ * \endverbatim
+ *
+ *    lwres_buffer_init() initializes the lwres_buffer_t *b and assocates it
+ *    with the memory region of size length bytes starting at location base.
+ *
+ *    lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating
+ *    a buffer after use is not required, but makes it possible to catch its
+ *    possible accidental use.
+ *
+ *    The functions lwres_buffer_add() and lwres_buffer_subtract()
+ *    respectively increase and decrease the used space in buffer *b by n
+ *    bytes. lwres_buffer_add() checks for buffer overflow and
+ *    lwres_buffer_subtract() checks for underflow. These functions do not
+ *    allocate or deallocate memory. They just change the value of used.
+ *
+ *    A buffer is re-initialised by lwres_buffer_clear(). The function sets
+ *    used , current and active to zero.
+ *
+ *    lwres_buffer_first() makes the consumed region of buffer *p empty by
+ *    setting current to zero (the start of the buffer).
+ *
+ *    lwres_buffer_forward() increases the consumed region of buffer *b by n
+ *    bytes, checking for overflow. Similarly, lwres_buffer_back() decreases
+ *    buffer b's consumed region by n bytes and checks for underflow.
+ *
+ *    lwres_buffer_getuint8() reads an unsigned 8-bit integer from *b and
+ *    returns it. lwres_buffer_putuint8() writes the unsigned 8-bit integer
+ *    val to buffer *b.
+ *
+ *    lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to
+ *    lwres_buffer_putuint8() except that they respectively read an unsigned
+ *    16-bit or 32-bit integer in network byte order from b. Similarly,
+ *    lwres_buffer_putuint16() and lwres_buffer_putuint32() writes the
+ *    unsigned 16-bit or 32-bit integer val to buffer b, in network byte
+ *    order.
+ *
+ *    Arbitrary amounts of data are read or written from a lightweight
+ *    resolver buffer with lwres_buffer_getmem() and lwres_buffer_putmem()
+ *    respectively. lwres_buffer_putmem() copies length bytes of memory at
+ *    base to b. Conversely, lwres_buffer_getmem() copies length bytes of
+ *    memory from b to base.
+ */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+
+#include "assert_p.h"
+
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
+{
+	/*
+	 * Make 'b' refer to the 'length'-byte region starting at base.
+	 */
+
+	REQUIRE(b != NULL);
+
+	b->magic = LWRES_BUFFER_MAGIC;
+	b->base = base;
+	b->length = length;
+	b->used = 0;
+	b->current = 0;
+	b->active = 0;
+}
+
+/*  Make 'b' an invalid buffer. */
+void
+lwres_buffer_invalidate(lwres_buffer_t *b)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+
+	b->magic = 0;
+	b->base = NULL;
+	b->length = 0;
+	b->used = 0;
+	b->current = 0;
+	b->active = 0;
+}
+
+/* Increase the 'used' region of 'b' by 'n' bytes. */
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used + n <= b->length);
+
+	b->used += n;
+}
+
+/* Decrease the 'used' region of 'b' by 'n' bytes. */
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used >= n);
+
+	b->used -= n;
+	if (b->current > b->used)
+		b->current = b->used;
+	if (b->active > b->used)
+		b->active = b->used;
+}
+
+/* Make the used region empty. */
+void
+lwres_buffer_clear(lwres_buffer_t *b)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+
+	b->used = 0;
+	b->current = 0;
+	b->active = 0;
+}
+
+/* Make the consumed region empty. */
+void
+lwres_buffer_first(lwres_buffer_t *b)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+
+	b->current = 0;
+}
+
+/* Increase the 'consumed' region of 'b' by 'n' bytes. */
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->current + n <= b->used);
+
+	b->current += n;
+}
+
+/* Decrease the 'consumed' region of 'b' by 'n' bytes. */
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
+{
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(n <= b->current);
+
+	b->current -= n;
+}
+
+/* Read an unsigned 8-bit integer from 'b' and return it. */
+uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b)
+{
+	unsigned char *cp;
+	uint8_t result;
+
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 1);
+
+	cp = b->base;
+	cp += b->current;
+	b->current += 1;
+	result = ((unsigned int)(cp[0]));
+
+	return (result);
+}
+
+/* Put an unsigned 8-bit integer */
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, uint8_t val)
+{
+	unsigned char *cp;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used + 1 <= b->length);
+
+	cp = b->base;
+	cp += b->used;
+	b->used += 1;
+	cp[0] = (val & 0x00ff);
+}
+
+/*  Read an unsigned 16-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
+uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b)
+{
+	unsigned char *cp;
+	uint16_t result;
+
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 2);
+
+	cp = b->base;
+	cp += b->current;
+	b->current += 2;
+	result = ((unsigned int)(cp[0])) << 8;
+	result |= ((unsigned int)(cp[1]));
+
+	return (result);
+}
+
+/* Put an unsigned 16-bit integer. */
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, uint16_t val)
+{
+	unsigned char *cp;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used + 2 <= b->length);
+
+	cp = b->base;
+	cp += b->used;
+	b->used += 2;
+	cp[0] = (val & 0xff00) >> 8;
+	cp[1] = (val & 0x00ff);
+}
+
+/*  Read an unsigned 32-bit integer in network byte order from 'b', convert it to host byte order, and return it. */
+uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b)
+{
+	unsigned char *cp;
+	uint32_t result;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 4);
+
+	cp = b->base;
+	cp += b->current;
+	b->current += 4;
+	result = ((unsigned int)(cp[0])) << 24;
+	result |= ((unsigned int)(cp[1])) << 16;
+	result |= ((unsigned int)(cp[2])) << 8;
+	result |= ((unsigned int)(cp[3]));
+
+	return (result);
+}
+
+/* Put an unsigned 32-bit integer. */
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, uint32_t val)
+{
+	unsigned char *cp;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used + 4 <= b->length);
+
+	cp = b->base;
+	cp += b->used;
+	b->used += 4;
+	cp[0] = (unsigned char)((val & 0xff000000) >> 24);
+	cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
+	cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
+	cp[3] = (unsigned char)(val & 0x000000ff);
+}
+
+/* copies length bytes of memory at base to b */
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
+		    unsigned int length)
+{
+	unsigned char *cp;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used + length <= b->length);
+
+	cp = (unsigned char *)b->base + b->used;
+	memmove(cp, base, length);
+	b->used += length;
+}
+
+/* copies length bytes of memory at b to base */
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
+		    unsigned int length)
+{
+	unsigned char *cp;
+
+	REQUIRE(LWRES_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= length);
+
+	cp = b->base;
+	cp += b->current;
+	b->current += length;
+
+	memmove(base, cp, length);
+}
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
new file mode 100644
index 0000000..36367b2
--- /dev/null
+++ b/lib/lwres/lwconfig.c
@@ -0,0 +1,797 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+/**
+ * Module for parsing resolv.conf files.
+ *
+ *    lwres_conf_init() creates an empty lwres_conf_t structure for
+ *    lightweight resolver context ctx.
+ *
+ *    lwres_conf_clear() frees up all the internal memory used by that
+ *    lwres_conf_t structure in resolver context ctx.
+ *
+ *    lwres_conf_parse() opens the file filename and parses it to initialise
+ *    the resolver context ctx's lwres_conf_t structure.
+ *
+ *    lwres_conf_print() prints the lwres_conf_t structure for resolver
+ *    context ctx to the FILE fp.
+ *
+ * \section lwconfig_return Return Values
+ *
+ *    lwres_conf_parse() returns #LWRES_R_SUCCESS if it successfully read and
+ *    parsed filename. It returns #LWRES_R_FAILURE if filename could not be
+ *    opened or contained incorrect resolver statements.
+ *
+ *    lwres_conf_print() returns #LWRES_R_SUCCESS unless an error occurred
+ *    when converting the network addresses to a numeric host address
+ *    string. If this happens, the function returns #LWRES_R_FAILURE.
+ *
+ * \section lwconfig_see See Also
+ *
+ *    stdio(3), \link resolver resolver \endlink
+ *
+ * \section files Files
+ *
+ *    /etc/resolv.conf
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/result.h>
+#include <lwres/stdlib.h>
+#include <lwres/string.h>
+
+#include "assert_p.h"
+#include "context_p.h"
+#include "print_p.h"
+
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ	 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ	16
+#endif
+
+static lwres_result_t
+lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp);
+
+static lwres_result_t
+lwres_conf_parselwserver(lwres_context_t *ctx,  FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp);
+
+static lwres_result_t
+lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp);
+
+static void
+lwres_resetaddr(lwres_addr_t *addr);
+
+static lwres_result_t
+lwres_create_addr(const char *buff, lwres_addr_t *addr, int convert_zero);
+
+static int lwresaddr2af(int lwresaddrtype);
+
+
+static int
+lwresaddr2af(int lwresaddrtype)
+{
+	int af = 0;
+
+	switch (lwresaddrtype) {
+	case LWRES_ADDRTYPE_V4:
+		af = AF_INET;
+		break;
+
+	case LWRES_ADDRTYPE_V6:
+		af = AF_INET6;
+		break;
+	}
+
+	return (af);
+}
+
+
+/*!
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF)
+		ch = fgetc(fp);
+
+	return (ch);
+}
+
+
+/*!
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+	int ch;
+
+	ch = fgetc(fp);
+	while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
+		ch = fgetc(fp);
+
+	if (ch == ';' || ch == '#')
+		ch = eatline(fp);
+
+	return (ch);
+}
+
+
+/*!
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+	int ch;
+	char *p = buffer;
+
+	REQUIRE(buffer != NULL);
+	REQUIRE(size > 0U);
+
+	*p = '\0';
+
+	ch = eatwhite(fp);
+
+	if (ch == EOF)
+		return (EOF);
+
+	do {
+		*p = '\0';
+
+		if (ch == EOF || isspace((unsigned char)ch))
+			break;
+		else if ((size_t) (p - buffer) == size - 1)
+			return (EOF);	/* Not enough space. */
+
+		*p++ = (char)ch;
+		ch = fgetc(fp);
+	} while (1);
+
+	return (ch);
+}
+
+static void
+lwres_resetaddr(lwres_addr_t *addr) {
+	REQUIRE(addr != NULL);
+
+	memset(addr->address, 0, LWRES_ADDR_MAXLEN);
+	addr->family = 0;
+	addr->length = 0;
+	addr->zone = 0;
+}
+
+static char *
+lwres_strdup(lwres_context_t *ctx, const char *str) {
+	char *p;
+
+	REQUIRE(str != NULL);
+	REQUIRE(strlen(str) > 0U);
+
+	p = CTXMALLOC(strlen(str) + 1);
+	if (p != NULL)
+		strcpy(p, str);
+
+	return (p);
+}
+
+/*% intializes data structure for subsequent config parsing. */
+void
+lwres_conf_init(lwres_context_t *ctx) {
+	int i;
+	lwres_conf_t *confdata;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	confdata->nsnext = 0;
+	confdata->lwnext = 0;
+	confdata->domainname = NULL;
+	confdata->searchnxt = 0;
+	confdata->sortlistnxt = 0;
+	confdata->resdebug = 0;
+	confdata->ndots = 1;
+	confdata->no_tld_query = 0;
+	confdata->attempts = 0;
+	confdata->timeout = 0;
+
+	for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
+		lwres_resetaddr(&confdata->nameservers[i]);
+
+	for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
+		confdata->search[i] = NULL;
+
+	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
+		lwres_resetaddr(&confdata->sortlist[i].addr);
+		lwres_resetaddr(&confdata->sortlist[i].mask);
+	}
+}
+
+/*% Frees up all the internal memory used by the config data structure, returning it to the lwres_context_t. */
+void
+lwres_conf_clear(lwres_context_t *ctx) {
+	int i;
+	lwres_conf_t *confdata;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	for (i = 0; i < confdata->nsnext; i++)
+		lwres_resetaddr(&confdata->nameservers[i]);
+
+	if (confdata->domainname != NULL) {
+		CTXFREE(confdata->domainname,
+			strlen(confdata->domainname) + 1);
+		confdata->domainname = NULL;
+	}
+
+	for (i = 0; i < confdata->searchnxt; i++) {
+		if (confdata->search[i] != NULL) {
+			CTXFREE(confdata->search[i],
+				strlen(confdata->search[i]) + 1);
+			confdata->search[i] = NULL;
+		}
+	}
+
+	for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
+		lwres_resetaddr(&confdata->sortlist[i].addr);
+		lwres_resetaddr(&confdata->sortlist[i].mask);
+	}
+
+	confdata->nsnext = 0;
+	confdata->lwnext = 0;
+	confdata->domainname = NULL;
+	confdata->searchnxt = 0;
+	confdata->sortlistnxt = 0;
+	confdata->resdebug = 0;
+	confdata->ndots = 1;
+	confdata->no_tld_query = 0;
+	confdata->attempts = 0;
+	confdata->timeout = 0;
+}
+
+static lwres_result_t
+lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
+	char word[LWRES_CONFMAXLINELEN];
+	int res;
+	lwres_conf_t *confdata;
+	lwres_addr_t address;
+
+	confdata = &ctx->confdata;
+
+	if (confdata->nsnext == LWRES_CONFMAXNAMESERVERS)
+		return (LWRES_R_SUCCESS);
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Nothing on line. */
+	else if (res == ' ' || res == '\t')
+		res = eatwhite(fp);
+
+	if (res != EOF && res != '\n')
+		return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+	res = lwres_create_addr(word, &address, 1);
+	if (res == LWRES_R_SUCCESS &&
+	    ((address.family == LWRES_ADDRTYPE_V4 && ctx->use_ipv4 == 1) ||
+	     (address.family == LWRES_ADDRTYPE_V6 && ctx->use_ipv6 == 1))) {
+		confdata->nameservers[confdata->nsnext++] = address;
+	}
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parselwserver(lwres_context_t *ctx,  FILE *fp) {
+	char word[LWRES_CONFMAXLINELEN];
+	int res;
+	lwres_conf_t *confdata;
+
+	confdata = &ctx->confdata;
+
+	if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
+		return (LWRES_R_SUCCESS);
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Nothing on line. */
+	else if (res == ' ' || res == '\t')
+		res = eatwhite(fp);
+
+	if (res != EOF && res != '\n')
+		return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+	res = lwres_create_addr(word,
+				&confdata->lwservers[confdata->lwnext++], 1);
+	if (res != LWRES_R_SUCCESS)
+		return (res);
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsedomain(lwres_context_t *ctx,  FILE *fp) {
+	char word[LWRES_CONFMAXLINELEN];
+	int res, i;
+	lwres_conf_t *confdata;
+
+	confdata = &ctx->confdata;
+
+	res = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Nothing else on line. */
+	else if (res == ' ' || res == '\t')
+		res = eatwhite(fp);
+
+	if (res != EOF && res != '\n')
+		return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+	if (confdata->domainname != NULL)
+		CTXFREE(confdata->domainname,
+			strlen(confdata->domainname) + 1); /*  */
+
+	/*
+	 * Search and domain are mutually exclusive.
+	 */
+	for (i = 0; i < LWRES_CONFMAXSEARCH; i++) {
+		if (confdata->search[i] != NULL) {
+			CTXFREE(confdata->search[i],
+				strlen(confdata->search[i])+1);
+			confdata->search[i] = NULL;
+		}
+	}
+	confdata->searchnxt = 0;
+
+	confdata->domainname = lwres_strdup(ctx, word);
+
+	if (confdata->domainname == NULL)
+		return (LWRES_R_FAILURE);
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsesearch(lwres_context_t *ctx,  FILE *fp) {
+	int idx, delim;
+	char word[LWRES_CONFMAXLINELEN];
+	lwres_conf_t *confdata;
+
+	confdata = &ctx->confdata;
+
+	if (confdata->domainname != NULL) {
+		/*
+		 * Search and domain are mutually exclusive.
+		 */
+		CTXFREE(confdata->domainname,
+			strlen(confdata->domainname) + 1);
+		confdata->domainname = NULL;
+	}
+
+	/*
+	 * Remove any previous search definitions.
+	 */
+	for (idx = 0; idx < LWRES_CONFMAXSEARCH; idx++) {
+		if (confdata->search[idx] != NULL) {
+			CTXFREE(confdata->search[idx],
+				strlen(confdata->search[idx])+1);
+			confdata->search[idx] = NULL;
+		}
+	}
+	confdata->searchnxt = 0;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Nothing else on line. */
+
+	idx = 0;
+	while (strlen(word) > 0U) {
+		if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
+			goto ignore; /* Too many domains. */
+
+		confdata->search[idx] = lwres_strdup(ctx, word);
+		if (confdata->search[idx] == NULL)
+			return (LWRES_R_FAILURE);
+		idx++;
+		confdata->searchnxt++;
+
+	ignore:
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
+	struct in_addr v4;
+	struct in6_addr v6;
+	char buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") +
+		 sizeof("%4294967295")];
+	char *percent;
+	size_t n;
+
+	n = strlcpy(buf, buffer, sizeof(buf));
+	if (n >= sizeof(buf))
+		return (LWRES_R_FAILURE);
+
+	percent = strchr(buf, '%');
+	if (percent != NULL)
+		*percent = 0;
+
+	if (lwres_net_aton(buffer, &v4) == 1) {
+		if (convert_zero) {
+			unsigned char zeroaddress[] = {0, 0, 0, 0};
+			unsigned char loopaddress[] = {127, 0, 0, 1};
+			if (memcmp(&v4, zeroaddress, 4) == 0)
+				memmove(&v4, loopaddress, 4);
+		}
+		addr->family = LWRES_ADDRTYPE_V4;
+		addr->length = NS_INADDRSZ;
+		addr->zone = 0;
+		memmove((void *)addr->address, &v4, NS_INADDRSZ);
+
+	} else if (lwres_net_pton(AF_INET6, buf, &v6) == 1) {
+		addr->family = LWRES_ADDRTYPE_V6;
+		addr->length = NS_IN6ADDRSZ;
+		memmove((void *)addr->address, &v6, NS_IN6ADDRSZ);
+		if (percent != NULL) {
+			unsigned long zone;
+			char *ep;
+
+			percent++;
+
+#ifdef HAVE_IF_NAMETOINDEX
+			zone = if_nametoindex(percent);
+			if (zone != 0U) {
+				addr->zone = zone;
+				return (LWRES_R_SUCCESS);
+			}
+#endif
+			zone = strtoul(percent, &ep, 10);
+			if (ep != percent && *ep == 0)
+				addr->zone = zone;
+			else
+				return (LWRES_R_FAILURE);
+		} else
+			addr->zone = 0;
+	} else
+		return (LWRES_R_FAILURE); /* Unrecognised format. */
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsesortlist(lwres_context_t *ctx,  FILE *fp) {
+	int delim, res, idx;
+	char word[LWRES_CONFMAXLINELEN];
+	char *p;
+	lwres_conf_t *confdata;
+
+	confdata = &ctx->confdata;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
+			return (LWRES_R_FAILURE); /* Too many values. */
+
+		p = strchr(word, '/');
+		if (p != NULL)
+			*p++ = '\0';
+
+		idx = confdata->sortlistnxt;
+		res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
+		if (res != LWRES_R_SUCCESS)
+			return (res);
+
+		if (p != NULL) {
+			res = lwres_create_addr(p,
+						&confdata->sortlist[idx].mask,
+						0);
+			if (res != LWRES_R_SUCCESS)
+				return (res);
+		} else {
+			/*
+			 * Make up a mask.
+			 */
+			confdata->sortlist[idx].mask =
+				confdata->sortlist[idx].addr;
+
+			memset(&confdata->sortlist[idx].mask.address, 0xff,
+			       confdata->sortlist[idx].addr.length);
+		}
+
+		confdata->sortlistnxt++;
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parseoption(lwres_context_t *ctx,  FILE *fp) {
+	int delim;
+	long ndots;
+	long attempts;
+	long timeout;
+	char *p;
+	char word[LWRES_CONFMAXLINELEN];
+	lwres_conf_t *confdata;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	delim = getword(fp, word, sizeof(word));
+	if (strlen(word) == 0U)
+		return (LWRES_R_FAILURE); /* Empty line after keyword. */
+
+	while (strlen(word) > 0U) {
+		if (strcmp("debug", word) == 0) {
+			confdata->resdebug = 1;
+		} else if (strcmp("no_tld_query", word) == 0) {
+			confdata->no_tld_query = 1;
+		} else if (strcmp("debug", word) == 0) {
+			confdata->resdebug = 1;
+		} else if (strncmp("ndots:", word, 6) == 0) {
+			ndots = strtol(word + 6, &p, 10);
+			if (*p != '\0') /* Bad string. */
+				return (LWRES_R_FAILURE);
+			if (ndots < 0 || ndots > 0xff) /* Out of range. */
+				return (LWRES_R_FAILURE);
+			confdata->ndots = (uint8_t)ndots;
+		} else if (strncmp("timeout:", word, 8) == 0) {
+			timeout = strtol(word + 8, &p, 10);
+			if (*p != '\0') /* Bad string. */
+				return (LWRES_R_FAILURE);
+			confdata->timeout = (int32_t)timeout;
+		} else if (strncmp("attempts:", word, 9) == 0) {
+			attempts = strtol(word + 9, &p, 10);
+			if (*p != '\0') /* Bad string. */
+				return (LWRES_R_FAILURE);
+			if (attempts < 0) /* Out of range. */
+				return (LWRES_R_FAILURE);
+			confdata->attempts = (int32_t)attempts;
+		}
+
+		if (delim == EOF || delim == '\n')
+			break;
+		else
+			delim = getword(fp, word, sizeof(word));
+	}
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% parses a file and fills in the data structure. */
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
+	FILE *fp = NULL;
+	char word[256];
+	lwres_result_t rval, ret;
+	lwres_conf_t *confdata;
+	int stopchar;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	REQUIRE(filename != NULL);
+	REQUIRE(strlen(filename) > 0U);
+	REQUIRE(confdata != NULL);
+
+	errno = 0;
+	if ((fp = fopen(filename, "r")) == NULL)
+		return (LWRES_R_NOTFOUND);
+
+	ret = LWRES_R_SUCCESS;
+	do {
+		stopchar = getword(fp, word, sizeof(word));
+		if (stopchar == EOF) {
+			rval = LWRES_R_SUCCESS;
+			POST(rval);
+			break;
+		}
+
+		if (strlen(word) == 0U)
+			rval = LWRES_R_SUCCESS;
+		else if (strcmp(word, "nameserver") == 0)
+			rval = lwres_conf_parsenameserver(ctx, fp);
+		else if (strcmp(word, "lwserver") == 0)
+			rval = lwres_conf_parselwserver(ctx, fp);
+		else if (strcmp(word, "domain") == 0)
+			rval = lwres_conf_parsedomain(ctx, fp);
+		else if (strcmp(word, "search") == 0)
+			rval = lwres_conf_parsesearch(ctx, fp);
+		else if (strcmp(word, "sortlist") == 0)
+			rval = lwres_conf_parsesortlist(ctx, fp);
+		else if (strcmp(word, "options") == 0)
+			rval = lwres_conf_parseoption(ctx, fp);
+		else {
+			/* unrecognised word. Ignore entire line */
+			rval = LWRES_R_SUCCESS;
+			stopchar = eatline(fp);
+			if (stopchar == EOF) {
+				break;
+			}
+		}
+		if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
+			ret = rval;
+	} while (1);
+
+	fclose(fp);
+
+	return (ret);
+}
+
+/*% Prints the config data structure to the FILE. */
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
+	int i;
+	int af;
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+	char buf[sizeof("%4000000000")];
+	const char *p;
+	lwres_conf_t *confdata;
+	lwres_addr_t tmpaddr;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
+
+	for (i = 0; i < confdata->nsnext; i++) {
+		af = lwresaddr2af(confdata->nameservers[i].family);
+
+		p = lwres_net_ntop(af, confdata->nameservers[i].address,
+				   tmp, sizeof(tmp));
+		if (p != tmp)
+			return (LWRES_R_FAILURE);
+
+		if (af == AF_INET6 && confdata->lwservers[i].zone != 0) {
+			snprintf(buf, sizeof(buf), "%%%u",
+				confdata->nameservers[i].zone);
+		} else
+			buf[0] = 0;
+
+		fprintf(fp, "nameserver %s%s\n", tmp, buf);
+	}
+
+	for (i = 0; i < confdata->lwnext; i++) {
+		af = lwresaddr2af(confdata->lwservers[i].family);
+
+		p = lwres_net_ntop(af, confdata->lwservers[i].address,
+				   tmp, sizeof(tmp));
+		if (p != tmp)
+			return (LWRES_R_FAILURE);
+
+		if (af == AF_INET6 && confdata->lwservers[i].zone != 0) {
+			snprintf(buf, sizeof(buf), "%%%u",
+				confdata->nameservers[i].zone);
+		} else
+			buf[0] = 0;
+
+		fprintf(fp, "lwserver %s%s\n", tmp, buf);
+	}
+
+	if (confdata->domainname != NULL) {
+		fprintf(fp, "domain %s\n", confdata->domainname);
+	} else if (confdata->searchnxt > 0) {
+		REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
+
+		fprintf(fp, "search");
+		for (i = 0; i < confdata->searchnxt; i++)
+			fprintf(fp, " %s", confdata->search[i]);
+		fputc('\n', fp);
+	}
+
+	REQUIRE(confdata->sortlistnxt <= LWRES_CONFMAXSORTLIST);
+
+	if (confdata->sortlistnxt > 0) {
+		fputs("sortlist", fp);
+		for (i = 0; i < confdata->sortlistnxt; i++) {
+			af = lwresaddr2af(confdata->sortlist[i].addr.family);
+
+			p = lwres_net_ntop(af,
+					   confdata->sortlist[i].addr.address,
+					   tmp, sizeof(tmp));
+			if (p != tmp)
+				return (LWRES_R_FAILURE);
+
+			fprintf(fp, " %s", tmp);
+
+			tmpaddr = confdata->sortlist[i].mask;
+			memset(&tmpaddr.address, 0xff, tmpaddr.length);
+
+			if (memcmp(&tmpaddr.address,
+				   confdata->sortlist[i].mask.address,
+				   confdata->sortlist[i].mask.length) != 0) {
+				af = lwresaddr2af(
+					    confdata->sortlist[i].mask.family);
+				p = lwres_net_ntop
+					(af,
+					 confdata->sortlist[i].mask.address,
+					 tmp, sizeof(tmp));
+				if (p != tmp)
+					return (LWRES_R_FAILURE);
+
+				fprintf(fp, "/%s", tmp);
+			}
+		}
+		fputc('\n', fp);
+	}
+
+	if (confdata->resdebug)
+		fprintf(fp, "options debug\n");
+
+	if (confdata->ndots > 0)
+		fprintf(fp, "options ndots:%d\n", confdata->ndots);
+
+	if (confdata->no_tld_query)
+		fprintf(fp, "options no_tld_query\n");
+
+	if (confdata->attempts)
+		fprintf(fp, "options attempts:%d\n", confdata->attempts);
+
+	if (confdata->timeout)
+		fprintf(fp, "options timeout:%d\n", confdata->timeout);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Returns a pointer to the current config structure. */
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx) {
+	REQUIRE(ctx != NULL);
+
+	return (&ctx->confdata);
+}
diff --git a/lib/lwres/lwinetaton.c b/lib/lwres/lwinetaton.c
new file mode 100644
index 0000000..c2b90af
--- /dev/null
+++ b/lib/lwres/lwinetaton.c
@@ -0,0 +1,195 @@
+/*
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Copyright (c) 1983, 1990, 1993
+ *    The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.   IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*! \file lwinetaton.c
+ */
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.16 2007/06/19 23:47:22 tbox Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stddef.h>
+
+#include <lwres/net.h>
+
+#include "assert_p.h"
+
+/*!
+ * Check whether "cp" is a valid ascii representation
+ * of an Internet address and convert to a binary address.
+ * Returns 1 if the address is valid, 0 if not.
+ * This replaces inet_addr, the return value from which
+ * cannot distinguish between failure and a local broadcast address.
+ */
+int
+lwres_net_aton(const char *cp, struct in_addr *addr) {
+	uint32_t val;
+	int base;
+	ptrdiff_t n;
+	unsigned char c;
+	uint8_t parts[4];
+	uint8_t *pp = parts;
+	int digit;
+
+	REQUIRE(cp != NULL);
+
+	c = *cp;
+	for (;;) {
+		/*
+		 * Collect number up to ``.''.
+		 * Values are specified as for C:
+		 * 0x=hex, 0=octal, isdigit=decimal.
+		 */
+		if (!isdigit(c & 0xff))
+			return (0);
+		val = 0;
+		base = 10;
+		digit = 0;
+		if (c == '0') {
+			c = *++cp;
+			if (c == 'x' || c == 'X') {
+				base = 16;
+				c = *++cp;
+			} else {
+				base = 8;
+				digit = 1;
+			}
+		}
+		for (;;) {
+			/*
+			 * isascii() is valid for all integer values, and
+			 * when it is true, c is known to be in scope
+			 * for isdigit().  No cast necessary.  Similar
+			 * comment applies for later ctype uses.
+			 */
+			if (isascii(c) && isdigit(c)) {
+				if (base == 8 && (c == '8' || c == '9'))
+					return (0);
+				val = (val * base) + (c - '0');
+				c = *++cp;
+				digit = 1;
+			} else if (base == 16 && isascii(c) && isxdigit(c)) {
+				val = (val << 4) |
+					(c + 10 - (islower(c) ? 'a' : 'A'));
+				c = *++cp;
+				digit = 1;
+			} else
+				break;
+		}
+		if (c == '.') {
+			/*
+			 * Internet format:
+			 *	a.b.c.d
+			 *	a.b.c	(with c treated as 16 bits)
+			 *	a.b	(with b treated as 24 bits)
+			 */
+			if (pp >= parts + 3 || val > 0xffU)
+				return (0);
+			*pp++ = (uint8_t)val;
+			c = *++cp;
+		} else
+			break;
+	}
+	/*
+	 * Check for trailing characters.
+	 */
+	if (c != '\0' && (!isascii(c) || !isspace(c)))
+		return (0);
+	/*
+	 * Did we get a valid digit?
+	 */
+	if (!digit)
+		return (0);
+	/*
+	 * Concoct the address according to
+	 * the number of parts specified.
+	 */
+	n = pp - parts + 1;
+	switch (n) {
+	case 1:				/* a -- 32 bits */
+		break;
+
+	case 2:				/* a.b -- 8.24 bits */
+		if (val > 0xffffffU)
+			return (0);
+		val |= parts[0] << 24;
+		break;
+
+	case 3:				/* a.b.c -- 8.8.16 bits */
+		if (val > 0xffffU)
+			return (0);
+		val |= (parts[0] << 24) | (parts[1] << 16);
+		break;
+
+	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
+		if (val > 0xffU)
+			return (0);
+		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+		break;
+	}
+	if (addr != NULL)
+		addr->s_addr = htonl(val);
+
+	return (1);
+}
diff --git a/lib/lwres/lwinetntop.c b/lib/lwres/lwinetntop.c
new file mode 100644
index 0000000..8fc43a1
--- /dev/null
+++ b/lib/lwres/lwinetntop.c
@@ -0,0 +1,191 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file lwinetntop.c
+ */
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =
+	"$Id: lwinetntop.c,v 1.18 2007/06/19 23:47:22 tbox Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <lwres/net.h>
+#include "print_p.h"
+
+#define NS_INT16SZ	 2
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static const char *inet_ntop4(const unsigned char *src, char *dst,
+			      size_t size);
+
+#ifdef AF_INET6
+static const char *inet_ntop6(const unsigned char *src, char *dst,
+			      size_t size);
+#endif
+
+/*! char *
+ * lwres_net_ntop(af, src, dst, size)
+ *	convert a network format address to presentation format.
+ * return:
+ *	pointer to presentation format address (`dst'), or NULL (see errno).
+ * author:
+ *	Paul Vixie, 1996.
+ */
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
+	switch (af) {
+	case AF_INET:
+		return (inet_ntop4(src, dst, size));
+#ifdef AF_INET6
+	case AF_INET6:
+		return (inet_ntop6(src, dst, size));
+#endif
+	default:
+		errno = EAFNOSUPPORT;
+		return (NULL);
+	}
+	/* NOTREACHED */
+}
+
+/*! const char *
+ * inet_ntop4(src, dst, size)
+ *	format an IPv4 address
+ * return:
+ *	`dst' (as a const)
+ * notes:
+ *	(1) uses no statics
+ *	(2) takes a unsigned char* not an in_addr as input
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop4(const unsigned char *src, char *dst, size_t size) {
+	static const char fmt[] = "%u.%u.%u.%u";
+	char tmp[sizeof("255.255.255.255")];
+	size_t len;
+
+	len = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+	if (len >= size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	strcpy(dst, tmp);
+
+	return (dst);
+}
+
+/*! const char *
+ * inet_ntop6(src, dst, size)
+ *	convert IPv6 binary address into presentation (printable) format
+ * author:
+ *	Paul Vixie, 1996.
+ */
+#ifdef AF_INET6
+static const char *
+inet_ntop6(const unsigned char *src, char *dst, size_t size) {
+	/*!
+	 * Note that int32_t and int16_t need only be "at least" large enough
+	 * to contain a value of the specified size.  On some systems, like
+	 * Crays, there is no such thing as an integer variable with 16 bits.
+	 * Keep this in mind if you think this function should have been coded
+	 * to use pointer overlays.  All the world's not a VAX.
+	 */
+	char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
+	struct { int base, len; } best, cur;
+	unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
+	int i;
+
+	/*
+	 * Preprocess:
+	 *	Copy the input (bytewise) array into a wordwise array.
+	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
+	 */
+	memset(words, '\0', sizeof(words));
+	for (i = 0; i < NS_IN6ADDRSZ; i++)
+		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+	best.base = -1;
+	best.len = 0;
+	cur.base = -1;
+	cur.len = 0;
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		if (words[i] == 0) {
+			if (cur.base == -1)
+				cur.base = i, cur.len = 1;
+			else
+				cur.len++;
+		} else {
+			if (cur.base != -1) {
+				if (best.base == -1 || cur.len > best.len)
+					best = cur;
+				cur.base = -1;
+			}
+		}
+	}
+	if (cur.base != -1) {
+		if (best.base == -1 || cur.len > best.len)
+			best = cur;
+	}
+	if (best.base != -1 && best.len < 2)
+		best.base = -1;
+
+	/*
+	 * Format the result.
+	 */
+	tp = tmp;
+	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+		/* Are we inside the best run of 0x00's? */
+		if (best.base != -1 && i >= best.base &&
+		    i < (best.base + best.len)) {
+			if (i == best.base)
+				*tp++ = ':';
+			continue;
+		}
+		/* Are we following an initial run of 0x00s or any real hex? */
+		if (i != 0)
+			*tp++ = ':';
+		/* Is this address an encapsulated IPv4? */
+		if (i == 6 && best.base == 0 &&
+		    (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
+			if (!inet_ntop4(src+12, tp,
+					sizeof(tmp) - (tp - tmp)))
+				return (NULL);
+			tp += strlen(tp);
+			break;
+		}
+		tp += sprintf(tp, "%x", words[i]); /* XXX */
+	}
+	/* Was it a trailing run of 0x00's? */
+	if (best.base != -1 && (best.base + best.len) ==
+	    (NS_IN6ADDRSZ / NS_INT16SZ))
+		*tp++ = ':';
+	*tp++ = '\0';
+
+	/*
+	 * Check for overflow, copy, and we're done.
+	 */
+	if ((size_t)(tp - tmp) > size) {
+		errno = ENOSPC;
+		return (NULL);
+	}
+	strcpy(dst, tmp);
+	return (dst);
+}
+#endif /* AF_INET6 */
diff --git a/lib/lwres/lwinetpton.c b/lib/lwres/lwinetpton.c
new file mode 100644
index 0000000..6a1aba7
--- /dev/null
+++ b/lib/lwres/lwinetpton.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file lwinetpton.c
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] = "$Id$";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include <lwres/net.h>
+
+#define NS_INT16SZ	 2
+#define NS_INADDRSZ	 4
+#define NS_IN6ADDRSZ	16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4(const char *src, unsigned char *dst);
+static int inet_pton6(const char *src, unsigned char *dst);
+
+/*!
+ * int
+ * lwres_net_pton(af, src, dst)
+ *	convert from presentation format (which usually means ASCII printable)
+ *	to network format (which is usually some kind of binary format).
+ * return:
+ *	1 if the address was valid for the specified address family
+ *	0 if the address wasn't valid (`dst' is untouched in this case)
+ *	-1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ *	Paul Vixie, 1996.
+ */
+int
+lwres_net_pton(int af, const char *src, void *dst) {
+	switch (af) {
+	case AF_INET:
+		return (inet_pton4(src, dst));
+	case AF_INET6:
+		return (inet_pton6(src, dst));
+	default:
+		errno = EAFNOSUPPORT;
+		return (-1);
+	}
+	/* NOTREACHED */
+}
+
+/*! int
+ * inet_pton4(src, dst)
+ *	like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ *	1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ *	does not touch `dst' unless it's returning 1.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, unsigned char *dst) {
+	static const char digits[] = "0123456789";
+	int saw_digit, octets, ch;
+	unsigned char tmp[NS_INADDRSZ], *tp;
+
+	saw_digit = 0;
+	octets = 0;
+	*(tp = tmp) = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr(digits, ch)) != NULL) {
+			unsigned int byte = *tp * 10;
+
+			byte += (unsigned int)(pch - digits);
+			if (byte > 255)
+				return (0);
+			*tp = byte;
+			if (! saw_digit) {
+				if (++octets > 4)
+					return (0);
+				saw_digit = 1;
+			}
+		} else if (ch == '.' && saw_digit) {
+			if (octets == 4)
+				return (0);
+			/*
+			 * "clang --analyse" generates warnings using:
+			 * 		*++tp = 0;
+			 */
+			tp++;
+			*tp = 0;
+			saw_digit = 0;
+		} else
+			return (0);
+	}
+	if (octets < 4)
+		return (0);
+	memmove(dst, tmp, NS_INADDRSZ);
+	return (1);
+}
+
+/*! int
+ * inet_pton6(src, dst)
+ *	convert presentation level address to network order binary form.
+ * return:
+ *	1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ *	(1) does not touch `dst' unless it's returning 1.
+ *	(2) :: in a full address is silently ignored.
+ * credit:
+ *	inspired by Mark Andrews.
+ * author:
+ *	Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, unsigned char *dst) {
+	static const char xdigits_l[] = "0123456789abcdef",
+			  xdigits_u[] = "0123456789ABCDEF";
+	unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+	const char *xdigits, *curtok;
+	int ch, seen_xdigits;
+	unsigned int val;
+
+	memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+	endp = tp + NS_IN6ADDRSZ;
+	colonp = NULL;
+	/* Leading :: requires some special handling. */
+	if (*src == ':')
+		if (*++src != ':')
+			return (0);
+	curtok = src;
+	seen_xdigits = 0;
+	val = 0;
+	while ((ch = *src++) != '\0') {
+		const char *pch;
+
+		if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+			pch = strchr((xdigits = xdigits_u), ch);
+		if (pch != NULL) {
+			val <<= 4;
+			val |= (pch - xdigits);
+			if (++seen_xdigits > 4)
+				return (0);
+			continue;
+		}
+		if (ch == ':') {
+			curtok = src;
+			if (!seen_xdigits) {
+				if (colonp)
+					return (0);
+				colonp = tp;
+				continue;
+			}
+			if (tp + NS_INT16SZ > endp)
+				return (0);
+			*tp++ = (unsigned char) (val >> 8) & 0xff;
+			*tp++ = (unsigned char) val & 0xff;
+			seen_xdigits = 0;
+			val = 0;
+			continue;
+		}
+		if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+		    inet_pton4(curtok, tp) > 0) {
+			tp += NS_INADDRSZ;
+			seen_xdigits = 0;
+			break;	/* '\0' was seen by inet_pton4(). */
+		}
+		return (0);
+	}
+	if (seen_xdigits) {
+		if (tp + NS_INT16SZ > endp)
+			return (0);
+		*tp++ = (unsigned char) (val >> 8) & 0xff;
+		*tp++ = (unsigned char) val & 0xff;
+	}
+	if (colonp != NULL) {
+		/*
+		 * Since some memmove()'s erroneously fail to handle
+		 * overlapping regions, we'll do the shift by hand.
+		 */
+		const int n = (int)(tp - colonp);
+		int i;
+
+		for (i = 1; i <= n; i++) {
+			endp[- i] = colonp[n - i];
+			colonp[n - i] = 0;
+		}
+		tp = endp;
+	}
+	if (tp != endp)
+		return (0);
+	memmove(dst, tmp, NS_IN6ADDRSZ);
+	return (1);
+}
diff --git a/lib/lwres/lwpacket.c b/lib/lwres/lwpacket.c
new file mode 100644
index 0000000..473cc44
--- /dev/null
+++ b/lib/lwres/lwpacket.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwpacket.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    These functions rely on a struct lwres_lwpacket which is defined in
+ *    \link lwpacket.h lwres/lwpacket.h.\endlink
+ *
+ *    The following opcodes are currently defined:
+ *
+ * \li   #LWRES_OPCODE_NOOP
+ *           Success is always returned and the packet contents are
+ *           echoed. The \link lwres_noop.c lwres_noop_*()\endlink functions should be used for this
+ *           type.
+ *
+ * \li   #LWRES_OPCODE_GETADDRSBYNAME
+ *           returns all known addresses for a given name. The
+ *           \link lwres_gabn.c lwres_gabn_*()\endlink functions should be used for this type.
+ *
+ * \li   #LWRES_OPCODE_GETNAMEBYADDR
+ *           return the hostname for the given address. The
+ *           \link lwres_gnba.c lwres_gnba_*() \endlink functions should be used for this type.
+ *
+ *    lwres_lwpacket_renderheader() transfers the contents of lightweight
+ *    resolver packet structure #lwres_lwpacket_t *pkt in network byte
+ *    order to the lightweight resolver buffer, *b.
+ *
+ *    lwres_lwpacket_parseheader() performs the converse operation. It
+ *    transfers data in network byte order from buffer *b to resolver
+ *    packet *pkt. The contents of the buffer b should correspond to a
+ *    #lwres_lwpacket_t.
+ *
+ * \section lwpacket_return Return Values
+ *
+ *    Successful calls to lwres_lwpacket_renderheader() and
+ *    lwres_lwpacket_parseheader() return #LWRES_R_SUCCESS. If there is
+ *    insufficient space to copy data between the buffer *b and
+ *    lightweight resolver packet *pkt both functions return
+ *    #LWRES_R_UNEXPECTEDEND.
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/result.h>
+
+#include "assert_p.h"
+
+/*% Length of Packet */
+#define LWPACKET_LENGTH \
+	(sizeof(uint16_t) * 4 + sizeof(uint32_t) * 5)
+
+/*% transfers the contents of lightweight resolver packet structure lwres_lwpacket_t *pkt in network byte order to the lightweight resolver buffer, *b. */
+
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
+	REQUIRE(b != NULL);
+	REQUIRE(pkt != NULL);
+
+	if (!SPACE_OK(b, LWPACKET_LENGTH))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	lwres_buffer_putuint32(b, pkt->length);
+	lwres_buffer_putuint16(b, pkt->version);
+	lwres_buffer_putuint16(b, pkt->pktflags);
+	lwres_buffer_putuint32(b, pkt->serial);
+	lwres_buffer_putuint32(b, pkt->opcode);
+	lwres_buffer_putuint32(b, pkt->result);
+	lwres_buffer_putuint32(b, pkt->recvlength);
+	lwres_buffer_putuint16(b, pkt->authtype);
+	lwres_buffer_putuint16(b, pkt->authlength);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% transfers data in network byte order from buffer *b to resolver packet *pkt. The contents of the buffer b should correspond to a lwres_lwpacket_t. */
+
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
+	uint32_t space;
+
+	REQUIRE(b != NULL);
+	REQUIRE(pkt != NULL);
+
+	space = LWRES_BUFFER_REMAINING(b);
+	if (space < LWPACKET_LENGTH)
+		return (LWRES_R_UNEXPECTEDEND);
+
+	pkt->length = lwres_buffer_getuint32(b);
+	/*
+	 * XXXBEW/MLG Checking that the buffer is long enough probably
+	 * shouldn't be done here, since this function is supposed to just
+	 * parse the header.
+	 */
+	if (pkt->length > space)
+		return (LWRES_R_UNEXPECTEDEND);
+	pkt->version = lwres_buffer_getuint16(b);
+	pkt->pktflags = lwres_buffer_getuint16(b);
+	pkt->serial = lwres_buffer_getuint32(b);
+	pkt->opcode = lwres_buffer_getuint32(b);
+	pkt->result = lwres_buffer_getuint32(b);
+	pkt->recvlength = lwres_buffer_getuint32(b);
+	pkt->authtype = lwres_buffer_getuint16(b);
+	pkt->authlength = lwres_buffer_getuint16(b);
+
+	return (LWRES_R_SUCCESS);
+}
diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c
new file mode 100644
index 0000000..630609b
--- /dev/null
+++ b/lib/lwres/lwres_gabn.c
@@ -0,0 +1,500 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwres_gabn.c,v 1.33 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file lwres_gabn.c
+   These are low-level routines for creating and parsing lightweight
+   resolver name-to-address lookup request and response messages.
+
+   There are four main functions for the getaddrbyname opcode. One render
+   function converts a getaddrbyname request structure --
+   lwres_gabnrequest_t -- to the lighweight resolver's canonical format.
+   It is complemented by a parse function that converts a packet in this
+   canonical format to a getaddrbyname request structure. Another render
+   function converts the getaddrbyname response structure --
+   lwres_gabnresponse_t -- to the canonical format. This is complemented
+   by a parse function which converts a packet in canonical format to a
+   getaddrbyname response structure.
+
+   These structures are defined in \link lwres.h <lwres/lwres.h>.\endlink They are shown below.
+
+\code
+#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+typedef struct {
+	uint32_t  flags;
+	uint32_t  addrtypes;
+	uint16_t  namelen;
+	char           *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+	uint32_t          flags;
+	uint16_t          naliases;
+	uint16_t          naddrs;
+	char                   *realname;
+	char                  **aliases;
+	uint16_t          realnamelen;
+	uint16_t         *aliaslen;
+	lwres_addrlist_t        addrs;
+	void                   *base;
+	size_t                  baselen;
+} lwres_gabnresponse_t;
+\endcode
+
+   lwres_gabnrequest_render() uses resolver context ctx to convert
+   getaddrbyname request structure req to canonical format. The packet
+   header structure pkt is initialised and transferred to buffer b. The
+   contents of *req are then appended to the buffer in canonical format.
+   lwres_gabnresponse_render() performs the same task, except it converts
+   a getaddrbyname response structure lwres_gabnresponse_t to the
+   lightweight resolver's canonical format.
+
+   lwres_gabnrequest_parse() uses context ctx to convert the contents of
+   packet pkt to a lwres_gabnrequest_t structure. Buffer b provides space
+   to be used for storing this structure. When the function succeeds, the
+   resulting lwres_gabnrequest_t is made available through *structp.
+   lwres_gabnresponse_parse() offers the same semantics as
+   lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t
+   structure.
+
+   lwres_gabnresponse_free() and lwres_gabnrequest_free() release the
+   memory in resolver context ctx that was allocated to the
+   lwres_gabnresponse_t or lwres_gabnrequest_t structures referenced via
+   structp. Any memory associated with ancillary buffers and strings for
+   those structures is also discarded.
+
+\section lwres_gabn_return Return Values
+
+   The getaddrbyname opcode functions lwres_gabnrequest_render(),
+   lwres_gabnresponse_render() lwres_gabnrequest_parse() and
+   lwres_gabnresponse_parse() all return #LWRES_R_SUCCESS on success. They
+   return #LWRES_R_NOMEMORY if memory allocation fails.
+   #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
+   b is too small to accommodate the packet header or the
+   lwres_gabnrequest_t and lwres_gabnresponse_t structures.
+   lwres_gabnrequest_parse() and lwres_gabnresponse_parse() will return
+   #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
+   received packet. These functions will return #LWRES_R_FAILURE if
+   pktflags in the packet header structure #lwres_lwpacket_t indicate that
+   the packet is not a response to an earlier query.
+
+\section lwres_gabn_see See Also
+
+   \link lwpacket.c lwres_lwpacket \endlink
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*% uses resolver context ctx to convert getaddrbyname request structure req to canonical format. */
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+	uint16_t datalen;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(req->name != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	datalen = (uint16_t) strlen(req->name);
+
+	payload_length = 4 + 4 + 2 + req->namelen + 1;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
+	pkt->result = 0;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+
+	/*
+	 * Flags.
+	 */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/*
+	 * Address types we'll accept.
+	 */
+	lwres_buffer_putuint32(b, req->addrtypes);
+
+	/*
+	 * Put the length and the data.  We know this will fit because we
+	 * just checked for it.
+	 */
+	lwres_buffer_putuint16(b, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
+	lwres_buffer_putuint8(b, 0); /* trailing NUL */
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+/*% converts a getaddrbyname response structure lwres_gabnresponse_t to the lightweight resolver's canonical format. */
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+	uint16_t datalen;
+	lwres_addr_t *addr;
+	int x;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	/* naliases, naddrs */
+	payload_length = 4 + 2 + 2;
+	/* real name encoding */
+	payload_length += 2 + req->realnamelen + 1;
+	/* each alias */
+	for (x = 0; x < req->naliases; x++)
+		payload_length += 2 + req->aliaslen[x] + 1;
+	/* each address */
+	x = 0;
+	addr = LWRES_LIST_HEAD(req->addrs);
+	while (addr != NULL) {
+		payload_length += 4 + 2;
+		payload_length += addr->length;
+		addr = LWRES_LIST_NEXT(addr, link);
+		x++;
+	}
+	INSIST(x == req->naddrs);
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	/*
+	 * Check space needed here.
+	 */
+	INSIST(SPACE_OK(b, payload_length));
+
+	/* Flags. */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/* encode naliases and naddrs */
+	lwres_buffer_putuint16(b, req->naliases);
+	lwres_buffer_putuint16(b, req->naddrs);
+
+	/* encode the real name */
+	datalen = req->realnamelen;
+	lwres_buffer_putuint16(b, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+	lwres_buffer_putuint8(b, 0);
+
+	/* encode the aliases */
+	for (x = 0; x < req->naliases; x++) {
+		datalen = req->aliaslen[x];
+		lwres_buffer_putuint16(b, datalen);
+		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+				    datalen);
+		lwres_buffer_putuint8(b, 0);
+	}
+
+	/* encode the addresses */
+	addr = LWRES_LIST_HEAD(req->addrs);
+	while (addr != NULL) {
+		lwres_buffer_putuint32(b, addr->family);
+		lwres_buffer_putuint16(b, addr->length);
+		lwres_buffer_putmem(b, addr->address, addr->length);
+		addr = LWRES_LIST_NEXT(addr, link);
+	}
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+	INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
+
+	return (LWRES_R_SUCCESS);
+}
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_gabnrequest_t structure. */
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
+{
+	int ret;
+	char *name;
+	lwres_gabnrequest_t *gabn;
+	uint32_t addrtypes;
+	uint32_t flags;
+	uint16_t namelen;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+		return (LWRES_R_FAILURE);
+
+	if (!SPACE_REMAINING(b, 4 + 4))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	flags = lwres_buffer_getuint32(b);
+	addrtypes = lwres_buffer_getuint32(b);
+
+	/*
+	 * Pull off the name itself
+	 */
+	ret = lwres_string_parse(b, &name, &namelen);
+	if (ret != LWRES_R_SUCCESS)
+		return (ret);
+
+	if (LWRES_BUFFER_REMAINING(b) != 0)
+		return (LWRES_R_TRAILINGDATA);
+
+	gabn = CTXMALLOC(sizeof(lwres_gabnrequest_t));
+	if (gabn == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	gabn->flags = flags;
+	gabn->addrtypes = addrtypes;
+	gabn->name = name;
+	gabn->namelen = namelen;
+
+	*structp = gabn;
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Offers the same semantics as lwres_gabnrequest_parse() except it yields a lwres_gabnresponse_t structure. */
+
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
+{
+	lwres_result_t ret;
+	unsigned int x;
+	uint32_t flags;
+	uint16_t naliases;
+	uint16_t naddrs;
+	lwres_gabnresponse_t *gabn;
+	lwres_addrlist_t addrlist;
+	lwres_addr_t *addr;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	gabn = NULL;
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+		return (LWRES_R_FAILURE);
+
+	/*
+	 * Pull off the name itself
+	 */
+	if (!SPACE_REMAINING(b, 4 + 2 + 2))
+		return (LWRES_R_UNEXPECTEDEND);
+	flags = lwres_buffer_getuint32(b);
+	naliases = lwres_buffer_getuint16(b);
+	naddrs = lwres_buffer_getuint16(b);
+
+	gabn = CTXMALLOC(sizeof(lwres_gabnresponse_t));
+	if (gabn == NULL)
+		return (LWRES_R_NOMEMORY);
+	gabn->aliases = NULL;
+	gabn->aliaslen = NULL;
+	LWRES_LIST_INIT(gabn->addrs);
+	gabn->base = NULL;
+
+	gabn->flags = flags;
+	gabn->naliases = naliases;
+	gabn->naddrs = naddrs;
+
+	LWRES_LIST_INIT(addrlist);
+
+	if (naliases > 0) {
+		gabn->aliases = CTXMALLOC(sizeof(char *) * naliases);
+		if (gabn->aliases == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+
+		gabn->aliaslen = CTXMALLOC(sizeof(uint16_t) * naliases);
+		if (gabn->aliaslen == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+	}
+
+	for (x = 0; x < naddrs; x++) {
+		addr = CTXMALLOC(sizeof(lwres_addr_t));
+		if (addr == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+		LWRES_LINK_INIT(addr, link);
+		LWRES_LIST_APPEND(addrlist, addr, link);
+	}
+
+	/*
+	 * Now, pull off the real name.
+	 */
+	ret = lwres_string_parse(b, &gabn->realname, &gabn->realnamelen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Parse off the aliases.
+	 */
+	for (x = 0; x < gabn->naliases; x++) {
+		ret = lwres_string_parse(b, &gabn->aliases[x],
+					 &gabn->aliaslen[x]);
+		if (ret != LWRES_R_SUCCESS)
+			goto out;
+	}
+
+	/*
+	 * Pull off the addresses.  We already strung the linked list
+	 * up above.
+	 */
+	addr = LWRES_LIST_HEAD(addrlist);
+	for (x = 0; x < gabn->naddrs; x++) {
+		INSIST(addr != NULL);
+		ret = lwres_addr_parse(b, addr);
+		if (ret != LWRES_R_SUCCESS)
+			goto out;
+		addr = LWRES_LIST_NEXT(addr, link);
+	}
+
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	gabn->addrs = addrlist;
+
+	*structp = gabn;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (gabn != NULL) {
+		if (gabn->aliases != NULL)
+			CTXFREE(gabn->aliases, sizeof(char *) * naliases);
+		if (gabn->aliaslen != NULL)
+			CTXFREE(gabn->aliaslen,
+				sizeof(uint16_t) * naliases);
+		addr = LWRES_LIST_HEAD(addrlist);
+		while (addr != NULL) {
+			LWRES_LIST_UNLINK(addrlist, addr, link);
+			CTXFREE(addr, sizeof(lwres_addr_t));
+			addr = LWRES_LIST_HEAD(addrlist);
+		}
+		CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
+	}
+
+	return (ret);
+}
+
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnrequest_t. */
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
+{
+	lwres_gabnrequest_t *gabn;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	gabn = *structp;
+	*structp = NULL;
+
+	CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
+}
+
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gabnresponse_t. */
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
+{
+	lwres_gabnresponse_t *gabn;
+	lwres_addr_t *addr;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	gabn = *structp;
+	*structp = NULL;
+
+	if (gabn->naliases > 0) {
+		CTXFREE(gabn->aliases, sizeof(char *) * gabn->naliases);
+		CTXFREE(gabn->aliaslen,
+			sizeof(uint16_t) * gabn->naliases);
+	}
+	addr = LWRES_LIST_HEAD(gabn->addrs);
+	while (addr != NULL) {
+		LWRES_LIST_UNLINK(gabn->addrs, addr, link);
+		CTXFREE(addr, sizeof(lwres_addr_t));
+		addr = LWRES_LIST_HEAD(gabn->addrs);
+	}
+	if (gabn->base != NULL)
+		CTXFREE(gabn->base, gabn->baselen);
+	CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
+}
diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c
new file mode 100644
index 0000000..d242f5c
--- /dev/null
+++ b/lib/lwres/lwres_gnba.c
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwres_gnba.c,v 1.28 2007/09/24 17:18:25 each Exp $ */
+
+/*! \file lwres_gnba.c
+   These are low-level routines for creating and parsing lightweight
+   resolver address-to-name lookup request and response messages.
+
+   There are four main functions for the getnamebyaddr opcode. One
+ render function converts a getnamebyaddr request structure --
+   lwres_gnbarequest_t -- to the lightweight resolver's canonical
+   format. It is complemented by a parse function that converts a
+   packet in this canonical format to a getnamebyaddr request
+   structure. Another render function converts the getnamebyaddr
+   response structure -- lwres_gnbaresponse_t to the canonical format.
+   This is complemented by a parse function which converts a packet in
+   canonical format to a getnamebyaddr response structure.
+
+   These structures are defined in \link lwres.h <lwres/lwres.h.>\endlink They are shown
+   below.
+
+\code
+#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+
+typedef struct {
+	uint32_t  flags;
+	lwres_addr_t    addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+	uint32_t  flags;
+	uint16_t  naliases;
+	char           *realname;
+	char          **aliases;
+	uint16_t  realnamelen;
+	uint16_t *aliaslen;
+	void           *base;
+	size_t          baselen;
+} lwres_gnbaresponse_t;
+\endcode
+
+   lwres_gnbarequest_render() uses resolver context ctx to convert
+   getnamebyaddr request structure req to canonical format. The packet
+   header structure pkt is initialised and transferred to buffer b.
+   The contents of *req are then appended to the buffer in canonical
+   format. lwres_gnbaresponse_render() performs the same task, except
+   it converts a getnamebyaddr response structure lwres_gnbaresponse_t
+   to the lightweight resolver's canonical format.
+
+   lwres_gnbarequest_parse() uses context ctx to convert the contents
+   of packet pkt to a lwres_gnbarequest_t structure. Buffer b provides
+   space to be used for storing this structure. When the function
+   succeeds, the resulting lwres_gnbarequest_t is made available
+   through *structp. lwres_gnbaresponse_parse() offers the same
+semantics as lwres_gnbarequest_parse() except it yields a
+   lwres_gnbaresponse_t structure.
+
+   lwres_gnbaresponse_free() and lwres_gnbarequest_free() release the
+   memory in resolver context ctx that was allocated to the
+   lwres_gnbaresponse_t or lwres_gnbarequest_t structures referenced
+   via structp. Any memory associated with ancillary buffers and
+   strings for those structures is also discarded.
+
+\section lwres_gbna_return Return Values
+
+   The getnamebyaddr opcode functions lwres_gnbarequest_render(),
+   lwres_gnbaresponse_render() lwres_gnbarequest_parse() and
+   lwres_gnbaresponse_parse() all return #LWRES_R_SUCCESS on success.
+   They return #LWRES_R_NOMEMORY if memory allocation fails.
+   #LWRES_R_UNEXPECTEDEND is returned if the available space in the
+   buffer b is too small to accommodate the packet header or the
+   lwres_gnbarequest_t and lwres_gnbaresponse_t structures.
+   lwres_gnbarequest_parse() and lwres_gnbaresponse_parse() will
+   return #LWRES_R_UNEXPECTEDEND if the buffer is not empty after
+   decoding the received packet. These functions will return
+   #LWRES_R_FAILURE if pktflags in the packet header structure
+   #lwres_lwpacket_t indicate that the packet is not a response to an
+   earlier query.
+
+\section lwres_gbna_see See Also
+
+   \link lwpacket.c lwres_packet\endlink
+
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*% Uses resolver context ctx to convert getnamebyaddr request structure req to canonical format. */
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(req->addr.family != 0);
+	REQUIRE(req->addr.length != 0);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	payload_length = 4 + 4 + 2 + + req->addr.length;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
+	pkt->result = 0;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+
+	/*
+	 * Put the length and the data.  We know this will fit because we
+	 * just checked for it.
+	 */
+	lwres_buffer_putuint32(b, req->flags);
+	lwres_buffer_putuint32(b, req->addr.family);
+	lwres_buffer_putuint16(b, req->addr.length);
+	lwres_buffer_putmem(b, (unsigned char *)req->addr.address,
+			    req->addr.length);
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Converts a getnamebyaddr response structure lwres_gnbaresponse_t to the lightweight resolver's canonical format. */
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+	uint16_t datalen;
+	int x;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	/*
+	 * Calculate packet size.
+	 */
+	payload_length = 4;			       /* flags */
+	payload_length += 2;			       /* naliases */
+	payload_length += 2 + req->realnamelen + 1;    /* real name encoding */
+	for (x = 0; x < req->naliases; x++)	       /* each alias */
+		payload_length += 2 + req->aliaslen[x] + 1;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+	lwres_buffer_putuint32(b, req->flags);
+
+	/* encode naliases */
+	lwres_buffer_putuint16(b, req->naliases);
+
+	/* encode the real name */
+	datalen = req->realnamelen;
+	lwres_buffer_putuint16(b, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+	lwres_buffer_putuint8(b, 0);
+
+	/* encode the aliases */
+	for (x = 0; x < req->naliases; x++) {
+		datalen = req->aliaslen[x];
+		lwres_buffer_putuint16(b, datalen);
+		lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+				    datalen);
+		lwres_buffer_putuint8(b, 0);
+	}
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_gnbarequest_t structure. */
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
+{
+	int ret;
+	lwres_gnbarequest_t *gnba;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+		return (LWRES_R_FAILURE);
+
+	if (!SPACE_REMAINING(b, 4))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
+	if (gnba == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	gnba->flags = lwres_buffer_getuint32(b);
+
+	ret = lwres_addr_parse(b, &gnba->addr);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	*structp = gnba;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (gnba != NULL)
+		lwres_gnbarequest_free(ctx, &gnba);
+
+	return (ret);
+}
+
+/*% Offers the same semantics as lwres_gnbarequest_parse() except it yields a lwres_gnbaresponse_t structure. */
+
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
+{
+	int ret;
+	unsigned int x;
+	uint32_t flags;
+	uint16_t naliases;
+	lwres_gnbaresponse_t *gnba;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	gnba = NULL;
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+		return (LWRES_R_FAILURE);
+
+	/*
+	 * Pull off flags & naliases
+	 */
+	if (!SPACE_REMAINING(b, 4 + 2))
+		return (LWRES_R_UNEXPECTEDEND);
+	flags = lwres_buffer_getuint32(b);
+	naliases = lwres_buffer_getuint16(b);
+
+	gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
+	if (gnba == NULL)
+		return (LWRES_R_NOMEMORY);
+	gnba->base = NULL;
+	gnba->aliases = NULL;
+	gnba->aliaslen = NULL;
+
+	gnba->flags = flags;
+	gnba->naliases = naliases;
+
+	if (naliases > 0) {
+		gnba->aliases = CTXMALLOC(sizeof(char *) * naliases);
+		if (gnba->aliases == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+
+		gnba->aliaslen = CTXMALLOC(sizeof(uint16_t) * naliases);
+		if (gnba->aliaslen == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+	}
+
+	/*
+	 * Now, pull off the real name.
+	 */
+	ret = lwres_string_parse(b, &gnba->realname, &gnba->realnamelen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Parse off the aliases.
+	 */
+	for (x = 0; x < gnba->naliases; x++) {
+		ret = lwres_string_parse(b, &gnba->aliases[x],
+					 &gnba->aliaslen[x]);
+		if (ret != LWRES_R_SUCCESS)
+			goto out;
+	}
+
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	*structp = gnba;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (gnba != NULL) {
+		if (gnba->aliases != NULL)
+			CTXFREE(gnba->aliases, sizeof(char *) * naliases);
+		if (gnba->aliaslen != NULL)
+			CTXFREE(gnba->aliaslen,
+				sizeof(uint16_t) * naliases);
+		CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
+	}
+
+	return (ret);
+}
+
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbarequest_t. */
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
+{
+	lwres_gnbarequest_t *gnba;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	gnba = *structp;
+	*structp = NULL;
+
+	CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
+}
+
+/*% Release the memory in resolver context ctx that was allocated to the lwres_gnbaresponse_t. */
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
+{
+	lwres_gnbaresponse_t *gnba;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	gnba = *structp;
+	*structp = NULL;
+
+	if (gnba->naliases > 0) {
+		CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
+		CTXFREE(gnba->aliaslen,
+			sizeof(uint16_t) * gnba->naliases);
+	}
+	if (gnba->base != NULL)
+		CTXFREE(gnba->base, gnba->baselen);
+	CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
+}
diff --git a/lib/lwres/lwres_grbn.c b/lib/lwres/lwres_grbn.c
new file mode 100644
index 0000000..c736a41
--- /dev/null
+++ b/lib/lwres/lwres_grbn.c
@@ -0,0 +1,421 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwres_grbn.c,v 1.10 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file lwres_grbn.c
+
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+lwres_result_t
+lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+	uint16_t datalen;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(req->name != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	datalen = (uint16_t) strlen(req->name);
+
+	payload_length = 4 + 2 + 2 + 2 + req->namelen + 1;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
+	pkt->result = 0;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+
+	/*
+	 * Flags.
+	 */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/*
+	 * Class.
+	 */
+	lwres_buffer_putuint16(b, req->rdclass);
+
+	/*
+	 * Type.
+	 */
+	lwres_buffer_putuint16(b, req->rdtype);
+
+	/*
+	 * Put the length and the data.  We know this will fit because we
+	 * just checked for it.
+	 */
+	lwres_buffer_putuint16(b, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
+	lwres_buffer_putuint8(b, 0); /* trailing NUL */
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+lwres_result_t
+lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+	uint16_t datalen;
+	int x;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	/* flags, class, type, ttl, nrdatas, nsigs */
+	payload_length = 4 + 2 + 2 + 4 + 2 + 2;
+	/* real name encoding */
+	payload_length += 2 + req->realnamelen + 1;
+	/* each rr */
+	for (x = 0; x < req->nrdatas; x++)
+		payload_length += 2 + req->rdatalen[x];
+	for (x = 0; x < req->nsigs; x++)
+		payload_length += 2 + req->siglen[x];
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	/*
+	 * Check space needed here.
+	 */
+	INSIST(SPACE_OK(b, payload_length));
+
+	/* Flags. */
+	lwres_buffer_putuint32(b, req->flags);
+
+	/* encode class, type, ttl, and nrdatas */
+	lwres_buffer_putuint16(b, req->rdclass);
+	lwres_buffer_putuint16(b, req->rdtype);
+	lwres_buffer_putuint32(b, req->ttl);
+	lwres_buffer_putuint16(b, req->nrdatas);
+	lwres_buffer_putuint16(b, req->nsigs);
+
+	/* encode the real name */
+	datalen = req->realnamelen;
+	lwres_buffer_putuint16(b, datalen);
+	lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+	lwres_buffer_putuint8(b, 0);
+
+	/* encode the rdatas */
+	for (x = 0; x < req->nrdatas; x++) {
+		datalen = req->rdatalen[x];
+		lwres_buffer_putuint16(b, datalen);
+		lwres_buffer_putmem(b, req->rdatas[x], datalen);
+	}
+
+	/* encode the signatures */
+	for (x = 0; x < req->nsigs; x++) {
+		datalen = req->siglen[x];
+		lwres_buffer_putuint16(b, datalen);
+		lwres_buffer_putmem(b, req->sigs[x], datalen);
+	}
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+	INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+lwres_result_t
+lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
+{
+	int ret;
+	char *name;
+	lwres_grbnrequest_t *grbn;
+	uint32_t flags;
+	uint16_t rdclass, rdtype;
+	uint16_t namelen;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+		return (LWRES_R_FAILURE);
+
+	if (!SPACE_REMAINING(b, 4 + 2 + 2))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	/*
+	 * Pull off the flags, class, and type.
+	 */
+	flags = lwres_buffer_getuint32(b);
+	rdclass = lwres_buffer_getuint16(b);
+	rdtype = lwres_buffer_getuint16(b);
+
+	/*
+	 * Pull off the name itself
+	 */
+	ret = lwres_string_parse(b, &name, &namelen);
+	if (ret != LWRES_R_SUCCESS)
+		return (ret);
+
+	if (LWRES_BUFFER_REMAINING(b) != 0)
+		return (LWRES_R_TRAILINGDATA);
+
+	grbn = CTXMALLOC(sizeof(lwres_grbnrequest_t));
+	if (grbn == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	grbn->flags = flags;
+	grbn->rdclass = rdclass;
+	grbn->rdtype = rdtype;
+	grbn->name = name;
+	grbn->namelen = namelen;
+
+	*structp = grbn;
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Thread-safe equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+lwres_result_t
+lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
+{
+	lwres_result_t ret;
+	unsigned int x;
+	uint32_t flags;
+	uint16_t rdclass, rdtype;
+	uint32_t ttl;
+	uint16_t nrdatas, nsigs;
+	lwres_grbnresponse_t *grbn;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	grbn = NULL;
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+		return (LWRES_R_FAILURE);
+
+	/*
+	 * Pull off the flags, class, type, ttl, nrdatas, and nsigs
+	 */
+	if (!SPACE_REMAINING(b, 4 + 2 + 2 + 4 + 2 + 2))
+		return (LWRES_R_UNEXPECTEDEND);
+	flags = lwres_buffer_getuint32(b);
+	rdclass = lwres_buffer_getuint16(b);
+	rdtype = lwres_buffer_getuint16(b);
+	ttl = lwres_buffer_getuint32(b);
+	nrdatas = lwres_buffer_getuint16(b);
+	nsigs = lwres_buffer_getuint16(b);
+
+	/*
+	 * Pull off the name itself
+	 */
+
+	grbn = CTXMALLOC(sizeof(lwres_grbnresponse_t));
+	if (grbn == NULL)
+		return (LWRES_R_NOMEMORY);
+	grbn->rdatas = NULL;
+	grbn->rdatalen = NULL;
+	grbn->sigs = NULL;
+	grbn->siglen = NULL;
+	grbn->base = NULL;
+
+	grbn->flags = flags;
+	grbn->rdclass = rdclass;
+	grbn->rdtype = rdtype;
+	grbn->ttl = ttl;
+	grbn->nrdatas = nrdatas;
+	grbn->nsigs = nsigs;
+
+	if (nrdatas > 0) {
+		grbn->rdatas = CTXMALLOC(sizeof(char *) * nrdatas);
+		if (grbn->rdatas == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+
+		grbn->rdatalen = CTXMALLOC(sizeof(uint16_t) * nrdatas);
+		if (grbn->rdatalen == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+	}
+
+	if (nsigs > 0) {
+		grbn->sigs = CTXMALLOC(sizeof(char *) * nsigs);
+		if (grbn->sigs == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+
+		grbn->siglen = CTXMALLOC(sizeof(uint16_t) * nsigs);
+		if (grbn->siglen == NULL) {
+			ret = LWRES_R_NOMEMORY;
+			goto out;
+		}
+	}
+
+	/*
+	 * Now, pull off the real name.
+	 */
+	ret = lwres_string_parse(b, &grbn->realname, &grbn->realnamelen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Parse off the rdatas.
+	 */
+	for (x = 0; x < grbn->nrdatas; x++) {
+		ret = lwres_data_parse(b, &grbn->rdatas[x],
+					 &grbn->rdatalen[x]);
+		if (ret != LWRES_R_SUCCESS)
+			goto out;
+	}
+
+	/*
+	 * Parse off the signatures.
+	 */
+	for (x = 0; x < grbn->nsigs; x++) {
+		ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
+		if (ret != LWRES_R_SUCCESS)
+			goto out;
+	}
+
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	*structp = grbn;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (grbn != NULL) {
+		if (grbn->rdatas != NULL)
+			CTXFREE(grbn->rdatas, sizeof(char *) * nrdatas);
+		if (grbn->rdatalen != NULL)
+			CTXFREE(grbn->rdatalen,
+				sizeof(uint16_t) * nrdatas);
+		if (grbn->sigs != NULL)
+			CTXFREE(grbn->sigs, sizeof(char *) * nsigs);
+		if (grbn->siglen != NULL)
+			CTXFREE(grbn->siglen, sizeof(uint16_t) * nsigs);
+		CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
+	}
+
+	return (ret);
+}
+
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+void
+lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
+{
+	lwres_grbnrequest_t *grbn;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	grbn = *structp;
+	*structp = NULL;
+
+	CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
+}
+
+/*% Thread-save equivalent to \link lwres_gabn.c lwres_gabn* \endlink routines. */
+void
+lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
+{
+	lwres_grbnresponse_t *grbn;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	grbn = *structp;
+	*structp = NULL;
+
+	if (grbn->nrdatas > 0) {
+		CTXFREE(grbn->rdatas, sizeof(char *) * grbn->nrdatas);
+		CTXFREE(grbn->rdatalen,
+			sizeof(uint16_t) * grbn->nrdatas);
+	}
+	if (grbn->nsigs > 0) {
+		CTXFREE(grbn->sigs, sizeof(char *) * grbn->nsigs);
+		CTXFREE(grbn->siglen, sizeof(uint16_t) * grbn->nsigs);
+	}
+	if (grbn->base != NULL)
+		CTXFREE(grbn->base, grbn->baselen);
+	CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
+}
diff --git a/lib/lwres/lwres_noop.c b/lib/lwres/lwres_noop.c
new file mode 100644
index 0000000..062c2d1
--- /dev/null
+++ b/lib/lwres/lwres_noop.c
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwres_noop.c,v 1.19 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    These are low-level routines for creating and parsing lightweight
+ *    resolver no-op request and response messages.
+ *
+ *    The no-op message is analogous to a ping packet: a packet is sent to
+ *    the resolver daemon and is simply echoed back. The opcode is intended
+ *    to allow a client to determine if the server is operational or not.
+ *
+ *    There are four main functions for the no-op opcode. One render
+ *    function converts a no-op request structure -- lwres_nooprequest_t --
+ *    to the lighweight resolver's canonical format. It is complemented by a
+ *    parse function that converts a packet in this canonical format to a
+ *    no-op request structure. Another render function converts the no-op
+ *    response structure -- lwres_noopresponse_t to the canonical format.
+ *    This is complemented by a parse function which converts a packet in
+ *    canonical format to a no-op response structure.
+ *
+ *    These structures are defined in \link lwres.h <lwres/lwres.h.> \endlink They are shown below.
+ *
+ * \code
+ * #define LWRES_OPCODE_NOOP       0x00000000U
+ *
+ * typedef struct {
+ *         uint16_t  datalength;
+ *         unsigned char   *data;
+ * } lwres_nooprequest_t;
+ *
+ * typedef struct {
+ *         uint16_t  datalength;
+ *         unsigned char   *data;
+ * } lwres_noopresponse_t;
+ * \endcode
+ *
+ *    Although the structures have different types, they are identical. This
+ *    is because the no-op opcode simply echos whatever data was sent: the
+ *    response is therefore identical to the request.
+ *
+ *    lwres_nooprequest_render() uses resolver context ctx to convert no-op
+ *    request structure req to canonical format. The packet header structure
+ *    pkt is initialised and transferred to buffer b. The contents of *req
+ *    are then appended to the buffer in canonical format.
+ *    lwres_noopresponse_render() performs the same task, except it converts
+ *    a no-op response structure lwres_noopresponse_t to the lightweight
+ *    resolver's canonical format.
+ *
+ *    lwres_nooprequest_parse() uses context ctx to convert the contents of
+ *    packet pkt to a lwres_nooprequest_t structure. Buffer b provides space
+ *    to be used for storing this structure. When the function succeeds, the
+ *    resulting lwres_nooprequest_t is made available through *structp.
+ *    lwres_noopresponse_parse() offers the same semantics as
+ *    lwres_nooprequest_parse() except it yields a lwres_noopresponse_t
+ *    structure.
+ *
+ *    lwres_noopresponse_free() and lwres_nooprequest_free() release the
+ *    memory in resolver context ctx that was allocated to the
+ *    lwres_noopresponse_t or lwres_nooprequest_t structures referenced via
+ *    structp.
+ *
+ * \section lwres_noop_return Return Values
+ *
+ *    The no-op opcode functions lwres_nooprequest_render(),
+ *    lwres_noopresponse_render() lwres_nooprequest_parse() and
+ *    lwres_noopresponse_parse() all return #LWRES_R_SUCCESS on success. They
+ *    return #LWRES_R_NOMEMORY if memory allocation fails.
+ *    #LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer
+ *    b is too small to accommodate the packet header or the
+ *    lwres_nooprequest_t and lwres_noopresponse_t structures.
+ *    lwres_nooprequest_parse() and lwres_noopresponse_parse() will return
+ *    #LWRES_R_UNEXPECTEDEND if the buffer is not empty after decoding the
+ *    received packet. These functions will return #LWRES_R_FAILURE if
+ *    pktflags in the packet header structure #lwres_lwpacket_t indicate that
+ *    the packet is not a response to an earlier query.
+ *
+ * \section lwres_noop_see See Also
+ *
+ *    lwpacket.c
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*% Uses resolver context ctx to convert no-op request structure req to canonical format. */
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
+			 lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	payload_length = sizeof(uint16_t) + req->datalength;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_NOOP;
+	pkt->result = 0;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+
+	/*
+	 * Put the length and the data.  We know this will fit because we
+	 * just checked for it.
+	 */
+	lwres_buffer_putuint16(b, req->datalength);
+	lwres_buffer_putmem(b, req->data, req->datalength);
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Converts a no-op response structure lwres_noopresponse_t to the lightweight resolver's canonical format. */
+
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
+			  lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+	unsigned char *buf;
+	size_t buflen;
+	int ret;
+	size_t payload_length;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(req != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(b != NULL);
+
+	payload_length = sizeof(uint16_t) + req->datalength;
+
+	buflen = LWRES_LWPACKET_LENGTH + payload_length;
+	buf = CTXMALLOC(buflen);
+	if (buf == NULL)
+		return (LWRES_R_NOMEMORY);
+	lwres_buffer_init(b, buf, (unsigned int)buflen);
+
+	pkt->length = (uint32_t)buflen;
+	pkt->version = LWRES_LWPACKETVERSION_0;
+	pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+	pkt->opcode = LWRES_OPCODE_NOOP;
+	pkt->authtype = 0;
+	pkt->authlength = 0;
+
+	ret = lwres_lwpacket_renderheader(b, pkt);
+	if (ret != LWRES_R_SUCCESS) {
+		lwres_buffer_invalidate(b);
+		CTXFREE(buf, buflen);
+		return (ret);
+	}
+
+	INSIST(SPACE_OK(b, payload_length));
+
+	/*
+	 * Put the length and the data.  We know this will fit because we
+	 * just checked for it.
+	 */
+	lwres_buffer_putuint16(b, req->datalength);
+	lwres_buffer_putmem(b, req->data, req->datalength);
+
+	INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Uses context ctx to convert the contents of packet pkt to a lwres_nooprequest_t structure. */
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
+{
+	int ret;
+	lwres_nooprequest_t *req;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+		return (LWRES_R_FAILURE);
+
+	req = CTXMALLOC(sizeof(lwres_nooprequest_t));
+	if (req == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	if (!SPACE_REMAINING(b, sizeof(uint16_t))) {
+		ret = LWRES_R_UNEXPECTEDEND;
+		goto out;
+	}
+	req->datalength = lwres_buffer_getuint16(b);
+
+	if (!SPACE_REMAINING(b, req->datalength)) {
+		ret = LWRES_R_UNEXPECTEDEND;
+		goto out;
+	}
+	req->data = b->base + b->current;
+	lwres_buffer_forward(b, req->datalength);
+
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	/* success! */
+	*structp = req;
+	return (LWRES_R_SUCCESS);
+
+	/* Error return */
+ out:
+	CTXFREE(req, sizeof(lwres_nooprequest_t));
+	return (ret);
+}
+
+/*% Offers the same semantics as lwres_nooprequest_parse() except it yields a lwres_noopresponse_t structure. */
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+			 lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
+{
+	int ret;
+	lwres_noopresponse_t *req;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(b != NULL);
+	REQUIRE(pkt != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+		return (LWRES_R_FAILURE);
+
+	req = CTXMALLOC(sizeof(lwres_noopresponse_t));
+	if (req == NULL)
+		return (LWRES_R_NOMEMORY);
+
+	if (!SPACE_REMAINING(b, sizeof(uint16_t))) {
+		ret = LWRES_R_UNEXPECTEDEND;
+		goto out;
+	}
+	req->datalength = lwres_buffer_getuint16(b);
+
+	if (!SPACE_REMAINING(b, req->datalength)) {
+		ret = LWRES_R_UNEXPECTEDEND;
+		goto out;
+	}
+	req->data = b->base + b->current;
+
+	lwres_buffer_forward(b, req->datalength);
+	if (LWRES_BUFFER_REMAINING(b) != 0) {
+		ret = LWRES_R_TRAILINGDATA;
+		goto out;
+	}
+
+	/* success! */
+	*structp = req;
+	return (LWRES_R_SUCCESS);
+
+	/* Error return */
+ out:
+	CTXFREE(req, sizeof(lwres_noopresponse_t));
+	return (ret);
+}
+
+/*% Release the memory in resolver context ctx. */
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
+{
+	lwres_noopresponse_t *noop;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	noop = *structp;
+	*structp = NULL;
+
+	CTXFREE(noop, sizeof(lwres_noopresponse_t));
+}
+
+/*% Release the memory in resolver context ctx. */
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
+{
+	lwres_nooprequest_t *noop;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(structp != NULL && *structp != NULL);
+
+	noop = *structp;
+	*structp = NULL;
+
+	CTXFREE(noop, sizeof(lwres_nooprequest_t));
+}
diff --git a/lib/lwres/lwresutil.c b/lib/lwres/lwresutil.c
new file mode 100644
index 0000000..3ddc8d5
--- /dev/null
+++ b/lib/lwres/lwresutil.c
@@ -0,0 +1,571 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwresutil.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+/**
+ *    lwres_string_parse() retrieves a DNS-encoded string starting the
+ *    current pointer of lightweight resolver buffer b: i.e. b->current.
+ *    When the function returns, the address of the first byte of the
+ *    encoded string is returned via *c and the length of that string is
+ *    given by *len. The buffer's current pointer is advanced to point at
+ *    the character following the string length, the encoded string, and
+ *    the trailing NULL character.
+ *
+ *    lwres_addr_parse() extracts an address from the buffer b. The
+ *    buffer's current pointer b->current is presumed to point at an
+ *    encoded address: the address preceded by a 32-bit protocol family
+ *    identifier and a 16-bit length field. The encoded address is copied
+ *    to addr->address and addr->length indicates the size in bytes of
+ *    the address that was copied. b->current is advanced to point at the
+ *  next byte of available data in the buffer following the encoded
+ *    address.
+ *
+ *    lwres_getaddrsbyname() and lwres_getnamebyaddr() use the
+ *    lwres_gnbaresponse_t structure defined below:
+ *
+ * \code
+ * typedef struct {
+ *         uint32_t          flags;
+ *         uint16_t          naliases;
+ *         uint16_t          naddrs;
+ *         char                   *realname;
+ *         char                  **aliases;
+ *         uint16_t          realnamelen;
+ *         uint16_t         *aliaslen;
+ *         lwres_addrlist_t        addrs;
+ *         void                   *base;
+ *         size_t                  baselen;
+ * } lwres_gabnresponse_t;
+ * \endcode
+ *
+ *    The contents of this structure are not manipulated directly but
+ *    they are controlled through the \link lwres_gabn.c lwres_gabn*\endlink functions.
+ *
+ *    The lightweight resolver uses lwres_getaddrsbyname() to perform
+ *    foward lookups. Hostname name is looked up using the resolver
+ *    context ctx for memory allocation. addrtypes is a bitmask
+ *    indicating which type of addresses are to be looked up. Current
+ *    values for this bitmask are #LWRES_ADDRTYPE_V4 for IPv4 addresses
+ *    and #LWRES_ADDRTYPE_V6 for IPv6 addresses. Results of the lookup are
+ *    returned in *structp.
+ *
+ *    lwres_getnamebyaddr() performs reverse lookups. Resolver context
+ *    ctx is used for memory allocation. The address type is indicated by
+ *    addrtype: #LWRES_ADDRTYPE_V4 or #LWRES_ADDRTYPE_V6. The address to be
+ *    looked up is given by addr and its length is addrlen bytes. The
+ *    result of the function call is made available through *structp.
+ *
+ * \section lwresutil_return Return Values
+ *
+ *    Successful calls to lwres_string_parse() and lwres_addr_parse()
+ *    return #LWRES_R_SUCCESS. Both functions return #LWRES_R_FAILURE if
+ *    the buffer is corrupt or #LWRES_R_UNEXPECTEDEND if the buffer has
+ *    less space than expected for the components of the encoded string
+ *    or address.
+ *
+ * lwres_getaddrsbyname() returns #LWRES_R_SUCCESS on success and it
+ *    returns #LWRES_R_NOTFOUND if the hostname name could not be found.
+ *
+ *    #LWRES_R_SUCCESS is returned by a successful call to
+ *    lwres_getnamebyaddr().
+ *
+ *    Both lwres_getaddrsbyname() and lwres_getnamebyaddr() return
+ *    #LWRES_R_NOMEMORY when memory allocation requests fail and
+ *    #LWRES_R_UNEXPECTEDEND if the buffers used for sending queries and
+ *    receiving replies are too small.
+ *
+ * \section lwresutil_see See Also
+ *
+ *    lwbuffer.c, lwres_gabn.c
+ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "assert_p.h"
+#include "context_p.h"
+
+/*% Parse data. */
+/*!
+ * Requires:
+ *
+ *	The "current" pointer in "b" points to encoded raw data.
+ *
+ * Ensures:
+ *
+ *	The address of the first byte of the data is returned via "p",
+ *	and the length is returned via "len".  If NULL, they are not
+ *	set.
+ *
+ *	On return, the current pointer of "b" will point to the character
+ *	following the data length and the data.
+ *
+ */
+lwres_result_t
+lwres_data_parse(lwres_buffer_t *b, unsigned char **p, uint16_t *len)
+{
+	uint16_t datalen;
+	unsigned char *data;
+
+	REQUIRE(b != NULL);
+
+	/*
+	 * Pull off the length (2 bytes)
+	 */
+	if (!SPACE_REMAINING(b, 2))
+		return (LWRES_R_UNEXPECTEDEND);
+	datalen = lwres_buffer_getuint16(b);
+
+	/*
+	 * Set the pointer to this string to the right place, then
+	 * advance the buffer pointer.
+	 */
+	if (!SPACE_REMAINING(b, datalen))
+		return (LWRES_R_UNEXPECTEDEND);
+	data = b->base + b->current;
+	lwres_buffer_forward(b, datalen);
+
+	if (len != NULL)
+		*len = datalen;
+	if (p != NULL)
+		*p = data;
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Retrieves a DNS-encoded string. */
+/*!
+ * Requires:
+ *
+ *	The "current" pointer in "b" point to an encoded string.
+ *
+ * Ensures:
+ *
+ *	The address of the first byte of the string is returned via "c",
+ *	and the length is returned via "len".  If NULL, they are not
+ *	set.
+ *
+ *	On return, the current pointer of "b" will point to the character
+ *	following the string length, the string, and the trailing NULL.
+ *
+ */
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, uint16_t *len)
+{
+	uint16_t datalen;
+	char *string;
+
+	REQUIRE(b != NULL);
+
+	/*
+	 * Pull off the length (2 bytes)
+	 */
+	if (!SPACE_REMAINING(b, 2))
+		return (LWRES_R_UNEXPECTEDEND);
+	datalen = lwres_buffer_getuint16(b);
+
+	/*
+	 * Set the pointer to this string to the right place, then
+	 * advance the buffer pointer.
+	 */
+	if (!SPACE_REMAINING(b, datalen))
+		return (LWRES_R_UNEXPECTEDEND);
+	string = (char *)b->base + b->current;
+	lwres_buffer_forward(b, datalen);
+
+	/*
+	 * Skip the "must be zero" byte.
+	 */
+	if (!SPACE_REMAINING(b, 1))
+		return (LWRES_R_UNEXPECTEDEND);
+	if (0 != lwres_buffer_getuint8(b))
+		return (LWRES_R_FAILURE);
+
+	if (len != NULL)
+		*len = datalen;
+	if (c != NULL)
+		*c = string;
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Extracts an address from the buffer b. */
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
+{
+	REQUIRE(addr != NULL);
+
+	if (!SPACE_REMAINING(b, 6))
+		return (LWRES_R_UNEXPECTEDEND);
+
+	addr->family = lwres_buffer_getuint32(b);
+	addr->length = lwres_buffer_getuint16(b);
+
+	if (!SPACE_REMAINING(b, addr->length))
+		return (LWRES_R_UNEXPECTEDEND);
+	if (addr->length > LWRES_ADDR_MAXLEN)
+		return (LWRES_R_FAILURE);
+
+	lwres_buffer_getmem(b, addr->address, addr->length);
+
+	return (LWRES_R_SUCCESS);
+}
+
+/*% Used to perform forward lookups. */
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
+		     uint32_t addrtypes, lwres_gabnresponse_t **structp)
+{
+	lwres_gabnrequest_t request;
+	lwres_gabnresponse_t *response;
+	int ret;
+	int recvlen;
+	lwres_buffer_t b_in, b_out;
+	lwres_lwpacket_t pkt;
+	uint32_t serial;
+	char *buffer;
+	char target_name[1024];
+	unsigned int target_length;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(addrtypes != 0);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	b_in.base = NULL;
+	b_out.base = NULL;
+	response = NULL;
+	buffer = NULL;
+	serial = lwres_context_nextserial(ctx);
+
+	buffer = CTXMALLOC(LWRES_RECVLENGTH);
+	if (buffer == NULL) {
+		ret = LWRES_R_NOMEMORY;
+		goto out;
+	}
+
+	target_length = strlen(name);
+	if (target_length >= sizeof(target_name))
+		return (LWRES_R_FAILURE);
+	strcpy(target_name, name); /* strcpy is safe */
+
+	/*
+	 * Set up our request and render it to a buffer.
+	 */
+	request.flags = 0;
+	request.addrtypes = addrtypes;
+	request.name = target_name;
+	request.namelen = target_length;
+	pkt.pktflags = 0;
+	pkt.serial = serial;
+	pkt.result = 0;
+	pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+	ret = lwres_gabnrequest_render(ctx, &request, &pkt, &b_out);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+				     LWRES_RECVLENGTH, &recvlen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	lwres_buffer_init(&b_in, buffer, recvlen);
+	b_in.used = recvlen;
+
+	/*
+	 * Parse the packet header.
+	 */
+	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Sanity check.
+	 */
+	if (pkt.serial != serial)
+		goto again;
+	if (pkt.opcode != LWRES_OPCODE_GETADDRSBYNAME)
+		goto again;
+
+	/*
+	 * Free what we've transmitted
+	 */
+	CTXFREE(b_out.base, b_out.length);
+	b_out.base = NULL;
+	b_out.length = 0;
+
+	if (pkt.result != LWRES_R_SUCCESS) {
+		ret = pkt.result;
+		goto out;
+	}
+
+	/*
+	 * Parse the response.
+	 */
+	ret = lwres_gabnresponse_parse(ctx, &b_in, &pkt, &response);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+	response->base = buffer;
+	response->baselen = LWRES_RECVLENGTH;
+	buffer = NULL; /* don't free this below */
+
+	*structp = response;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (b_out.base != NULL)
+		CTXFREE(b_out.base, b_out.length);
+	if (buffer != NULL)
+		CTXFREE(buffer, LWRES_RECVLENGTH);
+	if (response != NULL)
+		lwres_gabnresponse_free(ctx, &response);
+
+	return (ret);
+}
+
+
+/*% Used to perform reverse lookups. */
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, uint32_t addrtype,
+		    uint16_t addrlen, const unsigned char *addr,
+		    lwres_gnbaresponse_t **structp)
+{
+	lwres_gnbarequest_t request;
+	lwres_gnbaresponse_t *response;
+	int ret;
+	int recvlen;
+	lwres_buffer_t b_in, b_out;
+	lwres_lwpacket_t pkt;
+	uint32_t serial;
+	char *buffer;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(addrtype != 0);
+	REQUIRE(addrlen != 0);
+	REQUIRE(addr != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	b_in.base = NULL;
+	b_out.base = NULL;
+	response = NULL;
+	buffer = NULL;
+	serial = lwres_context_nextserial(ctx);
+
+	buffer = CTXMALLOC(LWRES_RECVLENGTH);
+	if (buffer == NULL) {
+		ret = LWRES_R_NOMEMORY;
+		goto out;
+	}
+
+	/*
+	 * Set up our request and render it to a buffer.
+	 */
+	request.flags = 0;
+	request.addr.family = addrtype;
+	request.addr.length = addrlen;
+	memmove(request.addr.address, addr, addrlen);
+	pkt.pktflags = 0;
+	pkt.serial = serial;
+	pkt.result = 0;
+	pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+	ret = lwres_gnbarequest_render(ctx, &request, &pkt, &b_out);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+				     LWRES_RECVLENGTH, &recvlen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	lwres_buffer_init(&b_in, buffer, recvlen);
+	b_in.used = recvlen;
+
+	/*
+	 * Parse the packet header.
+	 */
+	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Sanity check.
+	 */
+	if (pkt.serial != serial)
+		goto again;
+	if (pkt.opcode != LWRES_OPCODE_GETNAMEBYADDR)
+		goto again;
+
+	/*
+	 * Free what we've transmitted
+	 */
+	CTXFREE(b_out.base, b_out.length);
+	b_out.base = NULL;
+	b_out.length = 0;
+
+	if (pkt.result != LWRES_R_SUCCESS) {
+		ret = pkt.result;
+		goto out;
+	}
+
+	/*
+	 * Parse the response.
+	 */
+	ret = lwres_gnbaresponse_parse(ctx, &b_in, &pkt, &response);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+	response->base = buffer;
+	response->baselen = LWRES_RECVLENGTH;
+	buffer = NULL; /* don't free this below */
+
+	*structp = response;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (b_out.base != NULL)
+		CTXFREE(b_out.base, b_out.length);
+	if (buffer != NULL)
+		CTXFREE(buffer, LWRES_RECVLENGTH);
+	if (response != NULL)
+		lwres_gnbaresponse_free(ctx, &response);
+
+	return (ret);
+}
+
+/*% Get rdata by name. */
+lwres_result_t
+lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
+		     uint16_t rdclass, uint16_t rdtype,
+		     uint32_t flags, lwres_grbnresponse_t **structp)
+{
+	int ret;
+	int recvlen;
+	lwres_buffer_t b_in, b_out;
+	lwres_lwpacket_t pkt;
+	uint32_t serial;
+	char *buffer;
+	lwres_grbnrequest_t request;
+	lwres_grbnresponse_t *response;
+	char target_name[1024];
+	unsigned int target_length;
+
+	REQUIRE(ctx != NULL);
+	REQUIRE(name != NULL);
+	REQUIRE(structp != NULL && *structp == NULL);
+
+	b_in.base = NULL;
+	b_out.base = NULL;
+	response = NULL;
+	buffer = NULL;
+	serial = lwres_context_nextserial(ctx);
+
+	buffer = CTXMALLOC(LWRES_RECVLENGTH);
+	if (buffer == NULL) {
+		ret = LWRES_R_NOMEMORY;
+		goto out;
+	}
+
+	target_length = strlen(name);
+	if (target_length >= sizeof(target_name))
+		return (LWRES_R_FAILURE);
+	strcpy(target_name, name); /* strcpy is safe */
+
+	/*
+	 * Set up our request and render it to a buffer.
+	 */
+	request.rdclass = rdclass;
+	request.rdtype = rdtype;
+	request.flags = flags;
+	request.name = target_name;
+	request.namelen = target_length;
+	pkt.pktflags = 0;
+	pkt.serial = serial;
+	pkt.result = 0;
+	pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+	ret = lwres_grbnrequest_render(ctx, &request, &pkt, &b_out);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+				     LWRES_RECVLENGTH, &recvlen);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	lwres_buffer_init(&b_in, buffer, recvlen);
+	b_in.used = recvlen;
+
+	/*
+	 * Parse the packet header.
+	 */
+	ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+
+	/*
+	 * Sanity check.
+	 */
+	if (pkt.serial != serial)
+		goto again;
+	if (pkt.opcode != LWRES_OPCODE_GETRDATABYNAME)
+		goto again;
+
+	/*
+	 * Free what we've transmitted
+	 */
+	CTXFREE(b_out.base, b_out.length);
+	b_out.base = NULL;
+	b_out.length = 0;
+
+	if (pkt.result != LWRES_R_SUCCESS) {
+		ret = pkt.result;
+		goto out;
+	}
+
+	/*
+	 * Parse the response.
+	 */
+	ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
+	if (ret != LWRES_R_SUCCESS)
+		goto out;
+	response->base = buffer;
+	response->baselen = LWRES_RECVLENGTH;
+	buffer = NULL; /* don't free this below */
+
+	*structp = response;
+	return (LWRES_R_SUCCESS);
+
+ out:
+	if (b_out.base != NULL)
+		CTXFREE(b_out.base, b_out.length);
+	if (buffer != NULL)
+		CTXFREE(buffer, LWRES_RECVLENGTH);
+	if (response != NULL)
+		lwres_grbnresponse_free(ctx, &response);
+
+	return (ret);
+}
diff --git a/lib/lwres/man/Makefile.in b/lib/lwres/man/Makefile.in
new file mode 100644
index 0000000..62387cb
--- /dev/null
+++ b/lib/lwres/man/Makefile.in
@@ -0,0 +1,303 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.9 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_RULES@
+
+# Alphabetically
+#MANPAGES =	lwres.3 lwres_addr_parse.3 lwres_buffer.3 \
+#		lwres_buffer_add.3 lwres_buffer_back.3 lwres_buffer_clear.3 \
+#		lwres_buffer_first.3 lwres_buffer_forward.3 \
+#		lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
+#		lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 \
+#		lwres_buffer_init.3 lwres_buffer_invalidate.3 \
+#		lwres_buffer_putmem.3 lwres_buffer_putuint16.3 \
+#		lwres_buffer_putuint32.3 lwres_buffer_putuint8.3 \
+#		lwres_buffer_subtract.3 lwres_conf_clear.3 \
+#		lwres_conf_get.3 lwres_conf_init.3 \
+#		lwres_conf_parse.3 lwres_conf_print.3 \
+#		lwres_config.3 lwres_context.3 \
+#		lwres_context_allocmem.3 lwres_context_create.3 \
+#		lwres_context_destroy.3 lwres_context_freemem.3 \
+#		lwres_context_initserial.3 lwres_context_nextserial.3 \
+#		lwres_context_sendrecv.3 lwres_endhostent.3 \
+#		lwres_endhostent_r.3 lwres_freeaddrinfo.3 \
+#		lwres_freehostent.3 lwres_gabn.3 \
+#		lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
+#		lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
+#		lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
+#		lwres_gai_strerror.3 lwres_getaddrinfo.3 \
+#		lwres_getaddrsbyname.3 lwres_gethostbyaddr.3 \
+#		lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
+#		lwres_gethostbyname2.3 lwres_gethostbyname_r.3 \
+#		lwres_gethostent.3 lwres_gethostent_r.3 \
+#		lwres_getipnode.3 lwres_getipnodebyaddr.3 \
+#		lwres_getipnodebyname.3 lwres_getnamebyaddr.3 \
+#		lwres_getnameinfo.3 lwres_getrrsetbyname.3 \
+#		lwres_gnba.3 lwres_gnbarequest_free.3 \
+#		lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
+#		lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
+#		lwres_gnbaresponse_render.3 lwres_herror.3 \
+#		lwres_hstrerror.3 lwres_inetntop.3 \
+#		lwres_lwpacket_parseheader.3 lwres_lwpacket_renderheader.3 \
+#		lwres_net_ntop.3 lwres_noop.3 \
+#		lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
+#		lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
+#		lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
+#		lwres_packet.3 lwres_resutil.3 \
+#		lwres_sethostent.3 lwres_sethostent_r.3 \
+#		lwres_string_parse.3
+
+
+MANPAGES = 	lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3	\
+		lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3			\
+		lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3		\
+		lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 lwres_inetntop.3	\
+		lwres_noop.3 lwres_packet.3 lwres_resutil.3
+
+HTMLPAGES = 	lwres.html lwres_buffer.html lwres_config.html lwres_context.html	\
+		lwres_gabn.html lwres_gai_strerror.html lwres_getaddrinfo.html			\
+		lwres_gethostent.html lwres_getipnode.html lwres_getnameinfo.html		\
+		lwres_getrrsetbyname.html lwres_gnba.html lwres_hstrerror.html lwres_inetntop.html	\
+		lwres_noop.html lwres_packet.html lwres_resutil.html
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+clean::
+	rm -f timestamp
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man3
+
+man3 = ${DESTDIR}${mandir}/man3
+
+timestamp: ${MANOBJS}
+	touch timestamp
+
+install:: installdirs
+	for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man3 || exit 1; done
+	rm -f ${man3}/lwres_addr_parse.3
+	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_addr_parse.3
+	rm -f ${man3}/lwres_buffer_add.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_add.3
+	rm -f ${man3}/lwres_buffer_back.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_back.3
+	rm -f ${man3}/lwres_buffer_clear.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_clear.3
+	rm -f ${man3}/lwres_buffer_first.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_first.3
+	rm -f ${man3}/lwres_buffer_forward.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_forward.3
+	rm -f ${man3}/lwres_buffer_getmem.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getmem.3
+	rm -f ${man3}/lwres_buffer_getuint16.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint16.3
+	rm -f ${man3}/lwres_buffer_getuint32.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint32.3
+	rm -f ${man3}/lwres_buffer_getuint8.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint8.3
+	rm -f ${man3}/lwres_buffer_init.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_init.3
+	rm -f ${man3}/lwres_buffer_invalidate.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_invalidate.3
+	rm -f ${man3}/lwres_buffer_putmem.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putmem.3
+	rm -f ${man3}/lwres_buffer_putuint16.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint16.3
+	rm -f ${man3}/lwres_buffer_putuint32.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint32.3
+	rm -f ${man3}/lwres_buffer_putuint8.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint8.3
+	rm -f ${man3}/lwres_buffer_subtract.3
+	@LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_subtract.3
+	rm -f ${man3}/lwres_conf_clear.3
+	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_clear.3
+	rm -f ${man3}/lwres_conf_get.3
+	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_get.3
+	rm -f ${man3}/lwres_conf_init.3
+	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_init.3
+	rm -f ${man3}/lwres_conf_parse.3
+	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_parse.3
+	rm -f ${man3}/lwres_conf_print.3
+	@LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_print.3
+	rm -f ${man3}/lwres_context_allocmem.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_allocmem.3
+	rm -f ${man3}/lwres_context_create.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_create.3
+	rm -f ${man3}/lwres_context_destroy.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_destroy.3
+	rm -f ${man3}/lwres_context_freemem.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_freemem.3
+	rm -f ${man3}/lwres_context_initserial.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_initserial.3
+	rm -f ${man3}/lwres_context_nextserial.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_nextserial.3
+	rm -f ${man3}/lwres_context_sendrecv.3
+	@LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_sendrecv.3
+	rm -f ${man3}/lwres_endhostent.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent.3
+	rm -f ${man3}/lwres_endhostent_r.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent_r.3
+	rm -f ${man3}/lwres_freeaddrinfo.3
+	@LN@ ${man3}/lwres_getaddrinfo.3 ${man3}/lwres_freeaddrinfo.3
+	rm -f ${man3}/lwres_freehostent.3
+	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_freehostent.3
+	rm -f ${man3}/lwres_gabnrequest_free.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_free.3
+	rm -f ${man3}/lwres_gabnrequest_parse.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_parse.3
+	rm -f ${man3}/lwres_gabnrequest_render.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_render.3
+	rm -f ${man3}/lwres_gabnresponse_free.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_free.3
+	rm -f ${man3}/lwres_gabnresponse_parse.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_parse.3
+	rm -f ${man3}/lwres_gabnresponse_render.3
+	@LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_render.3
+	rm -f ${man3}/lwres_getaddrsbyname.3
+	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getaddrsbyname.3
+	rm -f ${man3}/lwres_gethostbyaddr.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr.3
+	rm -f ${man3}/lwres_gethostbyaddr_r.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr_r.3
+	rm -f ${man3}/lwres_gethostbyname.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname.3
+	rm -f ${man3}/lwres_gethostbyname2.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname2.3
+	rm -f ${man3}/lwres_gethostbyname_r.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname_r.3
+	rm -f ${man3}/lwres_gethostent_r.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostent_r.3
+	rm -f ${man3}/lwres_getipnodebyaddr.3
+	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyaddr.3
+	rm -f ${man3}/lwres_getipnodebyname.3
+	@LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyname.3
+	rm -f ${man3}/lwres_getnamebyaddr.3
+	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getnamebyaddr.3
+	rm -f ${man3}/lwres_gnbarequest_free.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_free.3
+	rm -f ${man3}/lwres_gnbarequest_parse.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_parse.3
+	rm -f ${man3}/lwres_gnbarequest_render.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_render.3
+	rm -f ${man3}/lwres_gnbaresponse_free.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_free.3
+	rm -f ${man3}/lwres_gnbaresponse_parse.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_parse.3
+	rm -f ${man3}/lwres_gnbaresponse_render.3
+	@LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_render.3
+	rm -f ${man3}/lwres_herror.3
+	@LN@ ${man3}/lwres_hstrerror.3 ${man3}/lwres_herror.3
+	rm -f ${man3}/lwres_lwpacket_parseheader.3
+	@LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_parseheader.3
+	rm -f ${man3}/lwres_lwpacket_renderheader.3
+	@LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_renderheader.3
+	rm -f ${man3}/lwres_net_ntop.3
+	@LN@ ${man3}/lwres_inetntop.3 ${man3}/lwres_net_ntop.3
+	rm -f ${man3}/lwres_nooprequest_free.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_free.3
+	rm -f ${man3}/lwres_nooprequest_parse.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_parse.3
+	rm -f ${man3}/lwres_nooprequest_render.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_render.3
+	rm -f ${man3}/lwres_noopresponse_free.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_free.3
+	rm -f ${man3}/lwres_noopresponse_parse.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_parse.3
+	rm -f ${man3}/lwres_noopresponse_render.3
+	@LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_render.3
+	rm -f ${man3}/lwres_sethostent.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent.3
+	rm -f ${man3}/lwres_sethostent_r.3
+	@LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent_r.3
+	rm -f ${man3}/lwres_string_parse.3
+	@LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_string_parse.3
+
+uninstall::
+	for m in ${MANPAGES}; do rm -f ${man3}/$$m || exit 1; done
+	rm -f ${man3}/lwres_addr_parse.3
+	rm -f ${man3}/lwres_buffer_add.3
+	rm -f ${man3}/lwres_buffer_back.3
+	rm -f ${man3}/lwres_buffer_clear.3
+	rm -f ${man3}/lwres_buffer_first.3
+	rm -f ${man3}/lwres_buffer_forward.3
+	rm -f ${man3}/lwres_buffer_getmem.3
+	rm -f ${man3}/lwres_buffer_getuint16.3
+	rm -f ${man3}/lwres_buffer_getuint32.3
+	rm -f ${man3}/lwres_buffer_getuint8.3
+	rm -f ${man3}/lwres_buffer_init.3
+	rm -f ${man3}/lwres_buffer_invalidate.3
+	rm -f ${man3}/lwres_buffer_putmem.3
+	rm -f ${man3}/lwres_buffer_putuint16.3
+	rm -f ${man3}/lwres_buffer_putuint32.3
+	rm -f ${man3}/lwres_buffer_putuint8.3
+	rm -f ${man3}/lwres_buffer_subtract.3
+	rm -f ${man3}/lwres_conf_clear.3
+	rm -f ${man3}/lwres_conf_get.3
+	rm -f ${man3}/lwres_conf_init.3
+	rm -f ${man3}/lwres_conf_parse.3
+	rm -f ${man3}/lwres_conf_print.3
+	rm -f ${man3}/lwres_context_allocmem.3
+	rm -f ${man3}/lwres_context_create.3
+	rm -f ${man3}/lwres_context_destroy.3
+	rm -f ${man3}/lwres_context_freemem.3
+	rm -f ${man3}/lwres_context_initserial.3
+	rm -f ${man3}/lwres_context_nextserial.3
+	rm -f ${man3}/lwres_context_sendrecv.3
+	rm -f ${man3}/lwres_endhostent.3
+	rm -f ${man3}/lwres_endhostent_r.3
+	rm -f ${man3}/lwres_freeaddrinfo.3
+	rm -f ${man3}/lwres_freehostent.3
+	rm -f ${man3}/lwres_gabnrequest_free.3
+	rm -f ${man3}/lwres_gabnrequest_parse.3
+	rm -f ${man3}/lwres_gabnrequest_render.3
+	rm -f ${man3}/lwres_gabnresponse_free.3
+	rm -f ${man3}/lwres_gabnresponse_parse.3
+	rm -f ${man3}/lwres_gabnresponse_render.3
+	rm -f ${man3}/lwres_getaddrsbyname.3
+	rm -f ${man3}/lwres_gethostbyaddr.3
+	rm -f ${man3}/lwres_gethostbyaddr_r.3
+	rm -f ${man3}/lwres_gethostbyname.3
+	rm -f ${man3}/lwres_gethostbyname2.3
+	rm -f ${man3}/lwres_gethostbyname_r.3
+	rm -f ${man3}/lwres_gethostent_r.3
+	rm -f ${man3}/lwres_getipnodebyaddr.3
+	rm -f ${man3}/lwres_getipnodebyname.3
+	rm -f ${man3}/lwres_getnamebyaddr.3
+	rm -f ${man3}/lwres_gnbarequest_free.3
+	rm -f ${man3}/lwres_gnbarequest_parse.3
+	rm -f ${man3}/lwres_gnbarequest_render.3
+	rm -f ${man3}/lwres_gnbaresponse_free.3
+	rm -f ${man3}/lwres_gnbaresponse_parse.3
+	rm -f ${man3}/lwres_gnbaresponse_render.3
+	rm -f ${man3}/lwres_herror.3
+	rm -f ${man3}/lwres_lwpacket_parseheader.3
+	rm -f ${man3}/lwres_lwpacket_renderheader.3
+	rm -f ${man3}/lwres_net_ntop.3
+	rm -f ${man3}/lwres_nooprequest_free.3
+	rm -f ${man3}/lwres_nooprequest_parse.3
+	rm -f ${man3}/lwres_nooprequest_render.3
+	rm -f ${man3}/lwres_noopresponse_free.3
+	rm -f ${man3}/lwres_noopresponse_parse.3
+	rm -f ${man3}/lwres_noopresponse_render.3
+	rm -f ${man3}/lwres_sethostent.3
+	rm -f ${man3}/lwres_sethostent_r.3
+	rm -f ${man3}/lwres_string_parse.3
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
new file mode 100644
index 0000000..61bed07
--- /dev/null
+++ b/lib/lwres/man/lwres.3
@@ -0,0 +1,176 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres \- introduction to the lightweight resolver library
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.SH "DESCRIPTION"
+.PP
+The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library\&. It provides hostname\-to\-address and address\-to\-hostname lookup services to applications by transmitting lookup requests to a resolver daemon
+\fBlwresd\fR
+running on the local host\&. The resolver daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library\&. The library and resolver daemon communicate using a simple UDP\-based protocol\&.
+.SH "OVERVIEW"
+.PP
+The lwresd library implements multiple name service APIs\&. The standard
+\fBgethostbyname()\fR,
+\fBgethostbyaddr()\fR,
+\fBgethostbyname_r()\fR,
+\fBgethostbyaddr_r()\fR,
+\fBgetaddrinfo()\fR,
+\fBgetipnodebyname()\fR, and
+\fBgetipnodebyaddr()\fR
+functions are all supported\&. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by
+lwres_\&. To define the standard names, applications must include the header file
+<lwres/netdb\&.h>
+which contains macro definitions mapping the standard function names into
+lwres_
+prefixed ones\&. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed\&.
+.PP
+The library also provides a native API consisting of the functions
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR\&. These may be called by applications that require more detailed control over the lookup process than the standard functions provide\&.
+.PP
+In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the
+\fBlwres_getaddrsbyname()\fR
+function\&.
+.PP
+Finally, there is a low\-level API for converting lookup requests and responses to and from raw lwres protocol packets\&. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the
+\fBlwresd\fR
+resolver daemon\&. The use of this low\-level API in clients and servers is outlined in the following sections\&.
+.SH "CLIENT-SIDE LOW-LEVEL API CALL FLOW"
+.PP
+When a client program wishes to make an lwres request using the native low\-level API, it typically performs the following sequence of actions\&.
+.PP
+(1) Allocate or use an existing
+\fBlwres_packet_t\fR, called
+\fIpkt\fR
+below\&.
+.PP
+(2) Set
+\fIpkt\&.recvlength\fR
+to the maximum length we will accept\&. This is done so the receiver of our packets knows how large our receive buffer is\&. The "default" is a constant in
+lwres\&.h:
+\fBLWRES_RECVLENGTH = 4096\fR\&.
+.PP
+(3) Set
+\fIpkt\&.serial\fR
+to a unique serial number\&. This value is echoed back to the application by the remote server\&.
+.PP
+(4) Set
+\fIpkt\&.pktflags\fR\&. Usually this is set to 0\&.
+.PP
+(5) Set
+\fIpkt\&.result\fR
+to 0\&.
+.PP
+(6) Call
+\fBlwres_*request_render()\fR, or marshall in the data using the primitives such as
+\fBlwres_packet_render()\fR
+and storing the packet data\&.
+.PP
+(7) Transmit the resulting buffer\&.
+.PP
+(8) Call
+\fBlwres_*response_parse()\fR
+to parse any packets received\&.
+.PP
+(9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body\&.
+.SH "SERVER-SIDE LOW-LEVEL API CALL FLOW"
+.PP
+When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet\&.
+.PP
+Note that the same
+\fBlwres_packet_t\fR
+is used in both the
+\fB_parse()\fR
+and
+\fB_render()\fR
+calls, with only a few modifications made to the packet header\*(Aqs contents between uses\&. This method is recommended as it keeps the serial, opcode, and other fields correct\&.
+.PP
+(1) When a packet is received, call
+\fBlwres_*request_parse()\fR
+to unmarshall it\&. This returns a
+\fBlwres_packet_t\fR
+(also called
+\fIpkt\fR, below) as well as a data specific type, such as
+\fBlwres_gabnrequest_t\fR\&.
+.PP
+(2) Process the request in the data specific type\&.
+.PP
+(3) Set the
+\fIpkt\&.result\fR,
+\fIpkt\&.recvlength\fR
+as above\&. All other fields can be left untouched since they were filled in by the
+\fB*_parse()\fR
+call above\&. If using
+\fBlwres_*response_render()\fR,
+\fIpkt\&.pktflags\fR
+will be set up properly\&. Otherwise, the
+\fBLWRES_LWPACKETFLAG_RESPONSE\fR
+bit should be set\&.
+.PP
+(4) Call the data specific rendering function, such as
+\fBlwres_gabnresponse_render()\fR\&.
+.PP
+(5) Send the resulting packet to the client\&.
+.PP
+.SH "SEE ALSO"
+.PP
+\fBlwres_gethostent\fR(3),
+\fBlwres_getipnode\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_noop\fR(3),
+\fBlwres_gabn\fR(3),
+\fBlwres_gnba\fR(3),
+\fBlwres_context\fR(3),
+\fBlwres_config\fR(3),
+\fBresolver\fR(5),
+\fBlwresd\fR(8)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook
new file mode 100644
index 0000000..0cabe65
--- /dev/null
+++ b/lib/lwres/man/lwres.docbook
@@ -0,0 +1,258 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+  <refnamediv>
+    <refname>lwres</refname>
+    <refpurpose>introduction to the lightweight resolver library</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      The BIND 9 lightweight resolver library is a simple, name service
+      independent stub resolver library.  It provides hostname-to-address
+      and address-to-hostname lookup services to applications by
+      transmitting lookup requests to a resolver daemon
+      <command>lwresd</command>
+      running on the local host. The resolver daemon performs the
+      lookup using the DNS or possibly other name service protocols,
+      and returns the results to the application through the library.
+      The library and resolver daemon communicate using a simple
+      UDP-based protocol.
+    </para>
+  </refsection>
+
+  <refsection><info><title>OVERVIEW</title></info>
+
+    <para>
+      The lwresd library implements multiple name service APIs.
+      The standard
+      <function>gethostbyname()</function>,
+      <function>gethostbyaddr()</function>,
+      <function>gethostbyname_r()</function>,
+      <function>gethostbyaddr_r()</function>,
+      <function>getaddrinfo()</function>,
+      <function>getipnodebyname()</function>,
+      and
+      <function>getipnodebyaddr()</function>
+      functions are all supported.  To allow the lwres library to coexist
+      with system libraries that define functions of the same name,
+      the library defines these functions with names prefixed by
+      <literal>lwres_</literal>.
+      To define the standard names, applications must include the
+      header file
+      <filename>&lt;lwres/netdb.h&gt;</filename>
+      which contains macro definitions mapping the standard function names
+      into
+      <literal>lwres_</literal>
+      prefixed ones.  Operating system vendors who integrate the lwres
+      library into their base distributions should rename the functions
+      in the library proper so that the renaming macros are not needed.
+    </para>
+    <para>
+      The library also provides a native API consisting of the functions
+      <function>lwres_getaddrsbyname()</function>
+      and
+      <function>lwres_getnamebyaddr()</function>.
+      These may be called by applications that require more detailed
+      control over the lookup process than the standard functions
+      provide.
+    </para>
+    <para>
+      In addition to these name service independent address lookup
+      functions, the library implements a new, experimental API
+      for looking up arbitrary DNS resource records, using the
+      <function>lwres_getaddrsbyname()</function>
+      function.
+    </para>
+    <para>
+      Finally, there is a low-level API for converting lookup
+      requests and responses to and from raw lwres protocol packets.
+      This API can be used by clients requiring nonblocking operation,
+      and is also used when implementing the server side of the lwres
+      protocol, for example in the
+      <command>lwresd</command>
+      resolver daemon.  The use of this low-level API in clients
+      and servers is outlined in the following sections.
+    </para>
+  </refsection>
+  <refsection><info><title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title></info>
+
+    <para>
+      When a client program wishes to make an lwres request using the
+      native low-level API, it typically performs the following
+      sequence of actions.
+    </para>
+    <para>
+      (1) Allocate or use an existing <type>lwres_packet_t</type>,
+      called <varname>pkt</varname> below.
+    </para>
+    <para>
+      (2) Set <varname remap="structfield">pkt.recvlength</varname> to the maximum length
+      we will accept.
+      This is done so the receiver of our packets knows how large our receive
+      buffer is.  The "default" is a constant in
+      <filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
+    </para>
+    <para>
+      (3) Set <varname remap="structfield">pkt.serial</varname>
+      to a unique serial number.  This value is echoed
+      back to the application by the remote server.
+    </para>
+    <para>
+      (4) Set <varname remap="structfield">pkt.pktflags</varname>.  Usually this is set to
+      0.
+    </para>
+    <para>
+      (5) Set <varname remap="structfield">pkt.result</varname> to 0.
+    </para>
+    <para>
+      (6) Call <function>lwres_*request_render()</function>,
+      or marshall in the data using the primitives
+      such as <function>lwres_packet_render()</function>
+      and storing the packet data.
+    </para>
+    <para>
+      (7) Transmit the resulting buffer.
+    </para>
+    <para>
+      (8) Call <function>lwres_*response_parse()</function>
+      to parse any packets received.
+    </para>
+    <para>
+      (9) Verify that the opcode and serial match a request, and process the
+      packet specific information contained in the body.
+    </para>
+  </refsection>
+  <refsection><info><title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title></info>
+
+    <para>
+      When implementing the server side of the lightweight resolver
+      protocol using the lwres library, a sequence of actions like the
+      following is typically involved in processing each request packet.
+    </para>
+    <para>
+      Note that the same <type>lwres_packet_t</type> is used
+      in both the <function>_parse()</function> and <function>_render()</function> calls,
+      with only a few modifications made
+      to the packet header's contents between uses.  This method is
+      recommended
+      as it keeps the serial, opcode, and other fields correct.
+    </para>
+    <para>
+      (1) When a packet is received, call <function>lwres_*request_parse()</function> to
+      unmarshall it.  This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
+      as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
+    </para>
+    <para>
+      (2) Process the request in the data specific type.
+    </para>
+    <para>
+      (3) Set the <varname remap="structfield">pkt.result</varname>,
+      <varname remap="structfield">pkt.recvlength</varname> as above.  All other fields
+      can
+      be left untouched since they were filled in by the <function>*_parse()</function> call
+      above.  If using <function>lwres_*response_render()</function>,
+      <varname remap="structfield">pkt.pktflags</varname> will be set up
+      properly.  Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
+      set.
+    </para>
+    <para>
+      (4) Call the data specific rendering function, such as
+      <function>lwres_gabnresponse_render()</function>.
+    </para>
+    <para>
+      (5) Send the resulting packet to the client.
+    </para>
+    <para/>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>.
+
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
new file mode 100644
index 0000000..b8cf257
--- /dev/null
+++ b/lib/lwres/man/lwres.html
@@ -0,0 +1,248 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres
+     &#8212; introduction to the lightweight resolver library
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      The BIND 9 lightweight resolver library is a simple, name service
+      independent stub resolver library.  It provides hostname-to-address
+      and address-to-hostname lookup services to applications by
+      transmitting lookup requests to a resolver daemon
+      <span class="command"><strong>lwresd</strong></span>
+      running on the local host. The resolver daemon performs the
+      lookup using the DNS or possibly other name service protocols,
+      and returns the results to the application through the library.
+      The library and resolver daemon communicate using a simple
+      UDP-based protocol.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>OVERVIEW</h2>
+
+    <p>
+      The lwresd library implements multiple name service APIs.
+      The standard
+      <code class="function">gethostbyname()</code>,
+      <code class="function">gethostbyaddr()</code>,
+      <code class="function">gethostbyname_r()</code>,
+      <code class="function">gethostbyaddr_r()</code>,
+      <code class="function">getaddrinfo()</code>,
+      <code class="function">getipnodebyname()</code>,
+      and
+      <code class="function">getipnodebyaddr()</code>
+      functions are all supported.  To allow the lwres library to coexist
+      with system libraries that define functions of the same name,
+      the library defines these functions with names prefixed by
+      <code class="literal">lwres_</code>.
+      To define the standard names, applications must include the
+      header file
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>
+      which contains macro definitions mapping the standard function names
+      into
+      <code class="literal">lwres_</code>
+      prefixed ones.  Operating system vendors who integrate the lwres
+      library into their base distributions should rename the functions
+      in the library proper so that the renaming macros are not needed.
+    </p>
+    <p>
+      The library also provides a native API consisting of the functions
+      <code class="function">lwres_getaddrsbyname()</code>
+      and
+      <code class="function">lwres_getnamebyaddr()</code>.
+      These may be called by applications that require more detailed
+      control over the lookup process than the standard functions
+      provide.
+    </p>
+    <p>
+      In addition to these name service independent address lookup
+      functions, the library implements a new, experimental API
+      for looking up arbitrary DNS resource records, using the
+      <code class="function">lwres_getaddrsbyname()</code>
+      function.
+    </p>
+    <p>
+      Finally, there is a low-level API for converting lookup
+      requests and responses to and from raw lwres protocol packets.
+      This API can be used by clients requiring nonblocking operation,
+      and is also used when implementing the server side of the lwres
+      protocol, for example in the
+      <span class="command"><strong>lwresd</strong></span>
+      resolver daemon.  The use of this low-level API in clients
+      and servers is outlined in the following sections.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
+
+    <p>
+      When a client program wishes to make an lwres request using the
+      native low-level API, it typically performs the following
+      sequence of actions.
+    </p>
+    <p>
+      (1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
+      called <code class="varname">pkt</code> below.
+    </p>
+    <p>
+      (2) Set <code class="varname">pkt.recvlength</code> to the maximum length
+      we will accept.
+      This is done so the receiver of our packets knows how large our receive
+      buffer is.  The "default" is a constant in
+      <code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
+    </p>
+    <p>
+      (3) Set <code class="varname">pkt.serial</code>
+      to a unique serial number.  This value is echoed
+      back to the application by the remote server.
+    </p>
+    <p>
+      (4) Set <code class="varname">pkt.pktflags</code>.  Usually this is set to
+      0.
+    </p>
+    <p>
+      (5) Set <code class="varname">pkt.result</code> to 0.
+    </p>
+    <p>
+      (6) Call <code class="function">lwres_*request_render()</code>,
+      or marshall in the data using the primitives
+      such as <code class="function">lwres_packet_render()</code>
+      and storing the packet data.
+    </p>
+    <p>
+      (7) Transmit the resulting buffer.
+    </p>
+    <p>
+      (8) Call <code class="function">lwres_*response_parse()</code>
+      to parse any packets received.
+    </p>
+    <p>
+      (9) Verify that the opcode and serial match a request, and process the
+      packet specific information contained in the body.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
+
+    <p>
+      When implementing the server side of the lightweight resolver
+      protocol using the lwres library, a sequence of actions like the
+      following is typically involved in processing each request packet.
+    </p>
+    <p>
+      Note that the same <span class="type">lwres_packet_t</span> is used
+      in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
+      with only a few modifications made
+      to the packet header's contents between uses.  This method is
+      recommended
+      as it keeps the serial, opcode, and other fields correct.
+    </p>
+    <p>
+      (1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
+      unmarshall it.  This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
+      as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
+    </p>
+    <p>
+      (2) Process the request in the data specific type.
+    </p>
+    <p>
+      (3) Set the <code class="varname">pkt.result</code>,
+      <code class="varname">pkt.recvlength</code> as above.  All other fields
+      can
+      be left untouched since they were filled in by the <code class="function">*_parse()</code> call
+      above.  If using <code class="function">lwres_*response_render()</code>,
+      <code class="varname">pkt.pktflags</code> will be set up
+      properly.  Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
+      set.
+    </p>
+    <p>
+      (4) Call the data specific rendering function, such as
+      <code class="function">lwres_gabnresponse_render()</code>.
+    </p>
+    <p>
+      (5) Send the resulting packet to the client.
+    </p>
+    <p></p>
+  </div>
+  <div class="refsection">
+<a name="id-1.11"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_gethostent</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getipnode</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getnameinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_noop</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gabn</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gnba</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_context</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_config</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">resolver</span>(5)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwresd</span>(8)
+      </span>.
+
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
new file mode 100644
index 0000000..f567132
--- /dev/null
+++ b/lib/lwres/man/lwres_buffer.3
@@ -0,0 +1,252 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_buffer
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_BUFFER" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwbuffer\&.h>
+.fi
+.ft
+.HP \w'void\ lwres_buffer_init('u
+.BI "void lwres_buffer_init(lwres_buffer_t\ *" "b" ", void\ *" "base" ", unsigned\ int\ " "length" ");"
+.HP \w'void\ lwres_buffer_invalidate('u
+.BI "void lwres_buffer_invalidate(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_add('u
+.BI "void lwres_buffer_add(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
+.HP \w'void\ lwres_buffer_subtract('u
+.BI "void lwres_buffer_subtract(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
+.HP \w'void\ lwres_buffer_clear('u
+.BI "void lwres_buffer_clear(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_first('u
+.BI "void lwres_buffer_first(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_forward('u
+.BI "void lwres_buffer_forward(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
+.HP \w'void\ lwres_buffer_back('u
+.BI "void lwres_buffer_back(lwres_buffer_t\ *" "b" ", unsigned\ int\ " "n" ");"
+.HP \w'uint8_t\ lwres_buffer_getuint8('u
+.BI "uint8_t lwres_buffer_getuint8(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_putuint8('u
+.BI "void lwres_buffer_putuint8(lwres_buffer_t\ *" "b" ", uint8_t\ " "val" ");"
+.HP \w'uint16_t\ lwres_buffer_getuint16('u
+.BI "uint16_t lwres_buffer_getuint16(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_putuint16('u
+.BI "void lwres_buffer_putuint16(lwres_buffer_t\ *" "b" ", uint16_t\ " "val" ");"
+.HP \w'uint32_t\ lwres_buffer_getuint32('u
+.BI "uint32_t lwres_buffer_getuint32(lwres_buffer_t\ *" "b" ");"
+.HP \w'void\ lwres_buffer_putuint32('u
+.BI "void lwres_buffer_putuint32(lwres_buffer_t\ *" "b" ", uint32_t\ " "val" ");"
+.HP \w'void\ lwres_buffer_putmem('u
+.BI "void lwres_buffer_putmem(lwres_buffer_t\ *" "b" ", const\ unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
+.HP \w'void\ lwres_buffer_getmem('u
+.BI "void lwres_buffer_getmem(lwres_buffer_t\ *" "b" ", unsigned\ char\ *" "base" ", unsigned\ int\ " "length" ");"
+.SH "DESCRIPTION"
+.PP
+These functions provide bounds checked access to a region of memory where data is being read or written\&. They are based on, and similar to, the
+isc_buffer_
+functions in the ISC library\&.
+.PP
+A buffer is a region of memory, together with a set of related subregions\&. The
+\fIused region\fR
+and the
+\fIavailable\fR
+region are disjoint, and their union is the buffer\*(Aqs region\&. The used region extends from the beginning of the buffer region to the last used byte\&. The available region extends from one byte greater than the last used byte to the end of the buffer\*(Aqs region\&. The size of the used region can be changed using various buffer commands\&. Initially, the used region is empty\&.
+.PP
+The used region is further subdivided into two disjoint regions: the
+\fIconsumed region\fR
+and the
+\fIremaining region\fR\&. The union of these two regions is the used region\&. The consumed region extends from the beginning of the used region to the byte before the
+\fIcurrent\fR
+offset (if any)\&. The
+\fIremaining\fR
+region the current pointer to the end of the used region\&. The size of the consumed region can be changed using various buffer commands\&. Initially, the consumed region is empty\&.
+.PP
+The
+\fIactive region\fR
+is an (optional) subregion of the remaining region\&. It extends from the current offset to an offset in the remaining region\&. Initially, the active region is empty\&. If the current offset advances beyond the chosen offset, the active region will also be empty\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+   /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\e\e
+   /\-\-\-\-\- used region \-\-\-\-\-\e\e/\-\- available \-\-\e\e
+   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
+   | consumed  | remaining |                |
+   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
+   a           b     c     d                e
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+  a == base of buffer\&.
+  b == current pointer\&.  Can be anywhere between a and d\&.
+  c == active pointer\&.  Meaningful between b and d\&.
+  d == used pointer\&.
+  e == length of buffer\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+  a\-e == entire length of buffer\&.
+  a\-d == used region\&.
+  a\-b == consumed region\&.
+  b\-d == remaining region\&.
+  b\-c == optional active region\&.
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBlwres_buffer_init()\fR
+initializes the
+\fBlwres_buffer_t\fR\fI*b\fR
+and assocates it with the memory region of size
+\fIlength\fR
+bytes starting at location
+\fIbase\&.\fR
+.PP
+\fBlwres_buffer_invalidate()\fR
+marks the buffer
+\fI*b\fR
+as invalid\&. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use\&.
+.PP
+The functions
+\fBlwres_buffer_add()\fR
+and
+\fBlwres_buffer_subtract()\fR
+respectively increase and decrease the used space in buffer
+\fI*b\fR
+by
+\fIn\fR
+bytes\&.
+\fBlwres_buffer_add()\fR
+checks for buffer overflow and
+\fBlwres_buffer_subtract()\fR
+checks for underflow\&. These functions do not allocate or deallocate memory\&. They just change the value of
+\fIused\fR\&.
+.PP
+A buffer is re\-initialised by
+\fBlwres_buffer_clear()\fR\&. The function sets
+\fIused\fR,
+\fIcurrent\fR
+and
+\fIactive\fR
+to zero\&.
+.PP
+\fBlwres_buffer_first\fR
+makes the consumed region of buffer
+\fI*p\fR
+empty by setting
+\fIcurrent\fR
+to zero (the start of the buffer)\&.
+.PP
+\fBlwres_buffer_forward()\fR
+increases the consumed region of buffer
+\fI*b\fR
+by
+\fIn\fR
+bytes, checking for overflow\&. Similarly,
+\fBlwres_buffer_back()\fR
+decreases buffer
+\fIb\fR\*(Aqs consumed region by
+\fIn\fR
+bytes and checks for underflow\&.
+.PP
+\fBlwres_buffer_getuint8()\fR
+reads an unsigned 8\-bit integer from
+\fI*b\fR
+and returns it\&.
+\fBlwres_buffer_putuint8()\fR
+writes the unsigned 8\-bit integer
+\fIval\fR
+to buffer
+\fI*b\fR\&.
+.PP
+\fBlwres_buffer_getuint16()\fR
+and
+\fBlwres_buffer_getuint32()\fR
+are identical to
+\fBlwres_buffer_putuint8()\fR
+except that they respectively read an unsigned 16\-bit or 32\-bit integer in network byte order from
+\fIb\fR\&. Similarly,
+\fBlwres_buffer_putuint16()\fR
+and
+\fBlwres_buffer_putuint32()\fR
+writes the unsigned 16\-bit or 32\-bit integer
+\fIval\fR
+to buffer
+\fIb\fR, in network byte order\&.
+.PP
+Arbitrary amounts of data are read or written from a lightweight resolver buffer with
+\fBlwres_buffer_getmem()\fR
+and
+\fBlwres_buffer_putmem()\fR
+respectively\&.
+\fBlwres_buffer_putmem()\fR
+copies
+\fIlength\fR
+bytes of memory at
+\fIbase\fR
+to
+\fIb\fR\&. Conversely,
+\fBlwres_buffer_getmem()\fR
+copies
+\fIlength\fR
+bytes of memory from
+\fIb\fR
+to
+\fIbase\fR\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook
new file mode 100644
index 0000000..b7a38d0
--- /dev/null
+++ b/lib/lwres/man/lwres_buffer.docbook
@@ -0,0 +1,387 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_buffer</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_buffer_init</refname>
+    <refname>lwres_buffer_invalidate</refname>
+    <refname>lwres_buffer_add</refname>
+    <refname>lwres_buffer_subtract</refname>
+    <refname>lwres_buffer_clear</refname>
+    <refname>lwres_buffer_first</refname>
+    <refname>lwres_buffer_forward</refname>
+    <refname>lwres_buffer_back</refname>
+    <refname>lwres_buffer_getuint8</refname>
+    <refname>lwres_buffer_putuint8</refname>
+    <refname>lwres_buffer_getuint16</refname>
+    <refname>lwres_buffer_putuint16</refname>
+    <refname>lwres_buffer_getuint32</refname>
+    <refname>lwres_buffer_putuint32</refname>
+    <refname>lwres_buffer_putmem</refname>
+    <refname>lwres_buffer_getmem</refname>
+    <refpurpose>lightweight resolver buffer management</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+
+    <funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwbuffer.h&gt;
+</funcsynopsisinfo>
+
+<funcprototype>
+
+        <funcdef>
+void
+<function>lwres_buffer_init</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>void *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_invalidate</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_add</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_subtract</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_clear</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_first</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_forward</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+
+        <funcdef>
+void
+<function>lwres_buffer_back</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned int <parameter>n</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+uint8_t
+<function>lwres_buffer_getuint8</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_putuint8</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>uint8_t <parameter>val</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+uint16_t
+<function>lwres_buffer_getuint16</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_putuint16</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>uint16_t <parameter>val</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+uint32_t
+<function>lwres_buffer_getuint32</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_putuint32</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>uint32_t <parameter>val</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_putmem</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>const unsigned char *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_buffer_getmem</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>unsigned char *<parameter>base</parameter></paramdef>
+        <paramdef>unsigned int <parameter>length</parameter></paramdef>
+      </funcprototype>
+
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para>
+      These functions provide bounds checked access to a region of memory
+      where data is being read or written.
+      They are based on, and similar to, the
+      <literal>isc_buffer_</literal>
+      functions in the ISC library.
+    </para>
+    <para>
+      A buffer is a region of memory, together with a set of related
+      subregions.
+      The <emphasis>used region</emphasis> and the
+      <emphasis>available</emphasis> region are disjoint, and
+      their union is the buffer's region.
+      The used region extends from the beginning of the buffer region to the
+      last used byte.
+      The available region extends from one byte greater than the last used
+      byte to the end of the  buffer's region.
+      The size of the used region can be changed using various
+      buffer commands.
+      Initially, the used region is empty.
+    </para>
+    <para>
+      The used region is further subdivided into two disjoint regions: the
+      <emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
+      The union of these two regions is the used region.
+      The consumed region extends from the beginning of the used region to
+      the byte before the <emphasis>current</emphasis> offset (if any).
+      The <emphasis>remaining</emphasis> region the current pointer to the end
+      of the used
+      region.
+      The size of the consumed region can be changed using various
+      buffer commands.
+      Initially, the consumed region is empty.
+    </para>
+    <para>
+      The <emphasis>active region</emphasis> is an (optional) subregion of the
+      remaining
+      region.
+      It extends from the current offset to an offset in the
+      remaining region.
+      Initially, the active region is empty.
+      If the current offset advances beyond the chosen offset,
+      the active region will also be empty.
+    </para>
+    <para><programlisting>
+   /------------entire length---------------\\
+   /----- used region -----\\/-- available --\\
+   +----------------------------------------+
+   | consumed  | remaining |                |
+   +----------------------------------------+
+   a           b     c     d                e
+      </programlisting>
+    </para>
+    <para><programlisting>
+  a == base of buffer.
+  b == current pointer.  Can be anywhere between a and d.
+  c == active pointer.  Meaningful between b and d.
+  d == used pointer.
+  e == length of buffer.
+      </programlisting>
+    </para>
+    <para><programlisting>
+  a-e == entire length of buffer.
+  a-d == used region.
+  a-b == consumed region.
+  b-d == remaining region.
+  b-c == optional active region.
+</programlisting>
+    </para>
+    <para><function>lwres_buffer_init()</function>
+      initializes the
+      <type>lwres_buffer_t</type>
+      <parameter>*b</parameter>
+      and assocates it with the memory region of size
+      <parameter>length</parameter>
+      bytes starting at location
+      <parameter>base.</parameter>
+    </para>
+    <para><function>lwres_buffer_invalidate()</function>
+      marks the buffer <parameter>*b</parameter>
+      as invalid.  Invalidating a buffer after use is not required,
+      but makes it possible to catch its possible accidental use.
+    </para>
+    <para>
+      The functions
+      <function>lwres_buffer_add()</function>
+      and
+      <function>lwres_buffer_subtract()</function>
+      respectively increase and decrease the used space in
+      buffer
+      <parameter>*b</parameter>
+      by
+      <parameter>n</parameter>
+      bytes.
+      <function>lwres_buffer_add()</function>
+      checks for buffer overflow and
+      <function>lwres_buffer_subtract()</function>
+      checks for underflow.
+      These functions do not allocate or deallocate memory.
+      They just change the value of
+      <varname remap="structfield">used</varname>.
+    </para>
+    <para>
+      A buffer is re-initialised by
+      <function>lwres_buffer_clear()</function>.
+      The function sets
+      <varname remap="structfield">used</varname>,
+      <varname remap="structfield">current</varname>
+      and
+      <varname remap="structfield">active</varname>
+      to zero.
+    </para>
+    <para><function>lwres_buffer_first</function>
+      makes the consumed region of buffer
+      <parameter>*p</parameter>
+      empty by setting
+      <varname remap="structfield">current</varname>
+      to zero (the start of the buffer).
+    </para>
+    <para><function>lwres_buffer_forward()</function>
+      increases the consumed region of buffer
+      <parameter>*b</parameter>
+      by
+      <parameter>n</parameter>
+      bytes, checking for overflow.
+      Similarly,
+      <function>lwres_buffer_back()</function>
+      decreases buffer
+      <parameter>b</parameter>'s
+      consumed region by
+      <parameter>n</parameter>
+      bytes and checks for underflow.
+    </para>
+    <para><function>lwres_buffer_getuint8()</function>
+      reads an unsigned 8-bit integer from
+      <parameter>*b</parameter>
+      and returns it.
+      <function>lwres_buffer_putuint8()</function>
+      writes the unsigned 8-bit integer
+      <parameter>val</parameter>
+      to buffer
+      <parameter>*b</parameter>.
+    </para>
+    <para><function>lwres_buffer_getuint16()</function>
+      and
+      <function>lwres_buffer_getuint32()</function>
+      are identical to
+      <function>lwres_buffer_putuint8()</function>
+      except that they respectively read an unsigned 16-bit or 32-bit integer
+      in network byte order from
+      <parameter>b</parameter>.
+      Similarly,
+      <function>lwres_buffer_putuint16()</function>
+      and
+      <function>lwres_buffer_putuint32()</function>
+      writes the unsigned 16-bit or 32-bit integer
+      <parameter>val</parameter>
+      to buffer
+      <parameter>b</parameter>,
+      in network byte order.
+    </para>
+    <para>
+      Arbitrary amounts of data are read or written from a lightweight
+      resolver buffer with
+      <function>lwres_buffer_getmem()</function>
+      and
+      <function>lwres_buffer_putmem()</function>
+      respectively.
+      <function>lwres_buffer_putmem()</function>
+      copies
+      <parameter>length</parameter>
+      bytes of memory at
+      <parameter>base</parameter>
+      to
+      <parameter>b</parameter>.
+      Conversely,
+      <function>lwres_buffer_getmem()</function>
+      copies
+      <parameter>length</parameter>
+      bytes of memory from
+      <parameter>b</parameter>
+      to
+      <parameter>base</parameter>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
new file mode 100644
index 0000000..5d0b057
--- /dev/null
+++ b/lib/lwres/man/lwres_buffer.html
@@ -0,0 +1,449 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_buffer</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_buffer_init, 
+    lwres_buffer_invalidate, 
+    lwres_buffer_add, 
+    lwres_buffer_subtract, 
+    lwres_buffer_clear, 
+    lwres_buffer_first, 
+    lwres_buffer_forward, 
+    lwres_buffer_back, 
+    lwres_buffer_getuint8, 
+    lwres_buffer_putuint8, 
+    lwres_buffer_getuint16, 
+    lwres_buffer_putuint16, 
+    lwres_buffer_getuint32, 
+    lwres_buffer_putuint32, 
+    lwres_buffer_putmem, 
+    lwres_buffer_getmem
+     &#8212; lightweight resolver buffer management
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">
+#include &lt;lwres/lwbuffer.h&gt;
+</pre>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_init</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>void *<var class="pdparam">base</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">length</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_add</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">n</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">n</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_clear</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_first</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_forward</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">n</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_back</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">n</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+uint8_t
+<b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint8_t <var class="pdparam">val</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+uint16_t
+<b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint16_t <var class="pdparam">val</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+uint32_t
+<b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint32_t <var class="pdparam">val</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const unsigned char *<var class="pdparam">base</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">length</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned char *<var class="pdparam">base</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">length</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p>
+      These functions provide bounds checked access to a region of memory
+      where data is being read or written.
+      They are based on, and similar to, the
+      <code class="literal">isc_buffer_</code>
+      functions in the ISC library.
+    </p>
+    <p>
+      A buffer is a region of memory, together with a set of related
+      subregions.
+      The <span class="emphasis"><em>used region</em></span> and the
+      <span class="emphasis"><em>available</em></span> region are disjoint, and
+      their union is the buffer's region.
+      The used region extends from the beginning of the buffer region to the
+      last used byte.
+      The available region extends from one byte greater than the last used
+      byte to the end of the  buffer's region.
+      The size of the used region can be changed using various
+      buffer commands.
+      Initially, the used region is empty.
+    </p>
+    <p>
+      The used region is further subdivided into two disjoint regions: the
+      <span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
+      The union of these two regions is the used region.
+      The consumed region extends from the beginning of the used region to
+      the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
+      The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end
+      of the used
+      region.
+      The size of the consumed region can be changed using various
+      buffer commands.
+      Initially, the consumed region is empty.
+    </p>
+    <p>
+      The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the
+      remaining
+      region.
+      It extends from the current offset to an offset in the
+      remaining region.
+      Initially, the active region is empty.
+      If the current offset advances beyond the chosen offset,
+      the active region will also be empty.
+    </p>
+    <pre class="programlisting">
+   /------------entire length---------------\\
+   /----- used region -----\\/-- available --\\
+   +----------------------------------------+
+   | consumed  | remaining |                |
+   +----------------------------------------+
+   a           b     c     d                e
+      </pre>
+<p>
+    </p>
+    <pre class="programlisting">
+  a == base of buffer.
+  b == current pointer.  Can be anywhere between a and d.
+  c == active pointer.  Meaningful between b and d.
+  d == used pointer.
+  e == length of buffer.
+      </pre>
+<p>
+    </p>
+    <pre class="programlisting">
+  a-e == entire length of buffer.
+  a-d == used region.
+  a-b == consumed region.
+  b-d == remaining region.
+  b-c == optional active region.
+</pre>
+<p>
+    </p>
+    <p><code class="function">lwres_buffer_init()</code>
+      initializes the
+      <span class="type">lwres_buffer_t</span>
+      <em class="parameter"><code>*b</code></em>
+      and assocates it with the memory region of size
+      <em class="parameter"><code>length</code></em>
+      bytes starting at location
+      <em class="parameter"><code>base.</code></em>
+    </p>
+    <p><code class="function">lwres_buffer_invalidate()</code>
+      marks the buffer <em class="parameter"><code>*b</code></em>
+      as invalid.  Invalidating a buffer after use is not required,
+      but makes it possible to catch its possible accidental use.
+    </p>
+    <p>
+      The functions
+      <code class="function">lwres_buffer_add()</code>
+      and
+      <code class="function">lwres_buffer_subtract()</code>
+      respectively increase and decrease the used space in
+      buffer
+      <em class="parameter"><code>*b</code></em>
+      by
+      <em class="parameter"><code>n</code></em>
+      bytes.
+      <code class="function">lwres_buffer_add()</code>
+      checks for buffer overflow and
+      <code class="function">lwres_buffer_subtract()</code>
+      checks for underflow.
+      These functions do not allocate or deallocate memory.
+      They just change the value of
+      <code class="varname">used</code>.
+    </p>
+    <p>
+      A buffer is re-initialised by
+      <code class="function">lwres_buffer_clear()</code>.
+      The function sets
+      <code class="varname">used</code>,
+      <code class="varname">current</code>
+      and
+      <code class="varname">active</code>
+      to zero.
+    </p>
+    <p><code class="function">lwres_buffer_first</code>
+      makes the consumed region of buffer
+      <em class="parameter"><code>*p</code></em>
+      empty by setting
+      <code class="varname">current</code>
+      to zero (the start of the buffer).
+    </p>
+    <p><code class="function">lwres_buffer_forward()</code>
+      increases the consumed region of buffer
+      <em class="parameter"><code>*b</code></em>
+      by
+      <em class="parameter"><code>n</code></em>
+      bytes, checking for overflow.
+      Similarly,
+      <code class="function">lwres_buffer_back()</code>
+      decreases buffer
+      <em class="parameter"><code>b</code></em>'s
+      consumed region by
+      <em class="parameter"><code>n</code></em>
+      bytes and checks for underflow.
+    </p>
+    <p><code class="function">lwres_buffer_getuint8()</code>
+      reads an unsigned 8-bit integer from
+      <em class="parameter"><code>*b</code></em>
+      and returns it.
+      <code class="function">lwres_buffer_putuint8()</code>
+      writes the unsigned 8-bit integer
+      <em class="parameter"><code>val</code></em>
+      to buffer
+      <em class="parameter"><code>*b</code></em>.
+    </p>
+    <p><code class="function">lwres_buffer_getuint16()</code>
+      and
+      <code class="function">lwres_buffer_getuint32()</code>
+      are identical to
+      <code class="function">lwres_buffer_putuint8()</code>
+      except that they respectively read an unsigned 16-bit or 32-bit integer
+      in network byte order from
+      <em class="parameter"><code>b</code></em>.
+      Similarly,
+      <code class="function">lwres_buffer_putuint16()</code>
+      and
+      <code class="function">lwres_buffer_putuint32()</code>
+      writes the unsigned 16-bit or 32-bit integer
+      <em class="parameter"><code>val</code></em>
+      to buffer
+      <em class="parameter"><code>b</code></em>,
+      in network byte order.
+    </p>
+    <p>
+      Arbitrary amounts of data are read or written from a lightweight
+      resolver buffer with
+      <code class="function">lwres_buffer_getmem()</code>
+      and
+      <code class="function">lwres_buffer_putmem()</code>
+      respectively.
+      <code class="function">lwres_buffer_putmem()</code>
+      copies
+      <em class="parameter"><code>length</code></em>
+      bytes of memory at
+      <em class="parameter"><code>base</code></em>
+      to
+      <em class="parameter"><code>b</code></em>.
+      Conversely,
+      <code class="function">lwres_buffer_getmem()</code>
+      copies
+      <em class="parameter"><code>length</code></em>
+      bytes of memory from
+      <em class="parameter"><code>b</code></em>
+      to
+      <em class="parameter"><code>base</code></em>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
new file mode 100644
index 0000000..1b3285f
--- /dev/null
+++ b/lib/lwres/man/lwres_config.3
@@ -0,0 +1,116 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_config
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_CONFIG" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'void\ lwres_conf_init('u
+.BI "void lwres_conf_init(lwres_context_t\ *" "ctx" ");"
+.HP \w'void\ lwres_conf_clear('u
+.BI "void lwres_conf_clear(lwres_context_t\ *" "ctx" ");"
+.HP \w'lwres_result_t\ lwres_conf_parse('u
+.BI "lwres_result_t lwres_conf_parse(lwres_context_t\ *" "ctx" ", const\ char\ *" "filename" ");"
+.HP \w'lwres_result_t\ lwres_conf_print('u
+.BI "lwres_result_t lwres_conf_print(lwres_context_t\ *" "ctx" ", FILE\ *" "fp" ");"
+.HP \w'lwres_conf_t\ *\ lwres_conf_get('u
+.BI "lwres_conf_t * lwres_conf_get(lwres_context_t\ *" "ctx" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_conf_init()\fR
+creates an empty
+\fBlwres_conf_t\fR
+structure for lightweight resolver context
+\fIctx\fR\&.
+.PP
+\fBlwres_conf_clear()\fR
+frees up all the internal memory used by that
+\fBlwres_conf_t\fR
+structure in resolver context
+\fIctx\fR\&.
+.PP
+\fBlwres_conf_parse()\fR
+opens the file
+\fIfilename\fR
+and parses it to initialise the resolver context
+\fIctx\fR\*(Aqs
+\fBlwres_conf_t\fR
+structure\&.
+.PP
+\fBlwres_conf_print()\fR
+prints the
+\fBlwres_conf_t\fR
+structure for resolver context
+\fIctx\fR
+to the
+\fBFILE\fR\fIfp\fR\&.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_conf_parse()\fR
+returns
+\fBLWRES_R_SUCCESS\fR
+if it successfully read and parsed
+\fIfilename\fR\&. It returns
+\fBLWRES_R_FAILURE\fR
+if
+\fIfilename\fR
+could not be opened or contained incorrect resolver statements\&.
+.PP
+\fBlwres_conf_print()\fR
+returns
+\fBLWRES_R_SUCCESS\fR
+unless an error occurred when converting the network addresses to a numeric host address string\&. If this happens, the function returns
+\fBLWRES_R_FAILURE\fR\&.
+.SH "SEE ALSO"
+.PP
+\fBstdio\fR(3),
+\fBresolver\fR(5)\&.
+.SH "FILES"
+.PP
+/etc/resolv\&.conf
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook
new file mode 100644
index 0000000..83ebeeb
--- /dev/null
+++ b/lib/lwres/man/lwres_config.docbook
@@ -0,0 +1,165 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_config</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_conf_init</refname>
+    <refname>lwres_conf_clear</refname>
+    <refname>lwres_conf_parse</refname>
+    <refname>lwres_conf_print</refname>
+    <refname>lwres_conf_get</refname>
+    <refpurpose>lightweight resolver configuration</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_conf_init</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_conf_clear</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_conf_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>const char *<parameter>filename</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_conf_print</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>FILE *<parameter>fp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_conf_t *
+<function>lwres_conf_get</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_conf_init()</function>
+      creates an empty
+      <type>lwres_conf_t</type>
+      structure for lightweight resolver context
+      <parameter>ctx</parameter>.
+    </para>
+
+    <para><function>lwres_conf_clear()</function>
+      frees up all the internal memory used by
+      that
+      <type>lwres_conf_t</type>
+      structure in resolver context
+      <parameter>ctx</parameter>.
+    </para>
+
+    <para><function>lwres_conf_parse()</function>
+      opens the file
+      <parameter>filename</parameter>
+      and parses it to initialise the resolver context
+      <parameter>ctx</parameter>'s
+      <type>lwres_conf_t</type>
+      structure.
+    </para>
+
+    <para><function>lwres_conf_print()</function>
+      prints the
+      <type>lwres_conf_t</type>
+      structure for resolver context
+      <parameter>ctx</parameter>
+      to the
+      <type>FILE</type>
+      <parameter>fp</parameter>.
+    </para>
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+
+
+    <para><function>lwres_conf_parse()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode>
+      if it successfully read and parsed
+      <parameter>filename</parameter>.
+      It returns <errorcode>LWRES_R_FAILURE</errorcode>
+      if <parameter>filename</parameter>
+      could not be opened or contained incorrect
+      resolver statements.
+    </para>
+
+    <para><function>lwres_conf_print()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode>
+      unless an error occurred when converting the network addresses to a
+      numeric host address string.
+      If this happens, the function returns
+      <errorcode>LWRES_R_FAILURE</errorcode>.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+  <refsection><info><title>FILES</title></info>
+
+    <para><filename>/etc/resolv.conf</filename>
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
new file mode 100644
index 0000000..de8f1a6
--- /dev/null
+++ b/lib/lwres/man/lwres_config.html
@@ -0,0 +1,169 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_config</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_conf_init, 
+    lwres_conf_clear, 
+    lwres_conf_parse, 
+    lwres_conf_print, 
+    lwres_conf_get
+     &#8212; lightweight resolver configuration
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_conf_init</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_conf_clear</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_conf_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const char *<var class="pdparam">filename</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_conf_print</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>FILE *<var class="pdparam">fp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+lwres_conf_t *
+<b class="fsfunc">lwres_conf_get</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_conf_init()</code>
+      creates an empty
+      <span class="type">lwres_conf_t</span>
+      structure for lightweight resolver context
+      <em class="parameter"><code>ctx</code></em>.
+    </p>
+
+    <p><code class="function">lwres_conf_clear()</code>
+      frees up all the internal memory used by
+      that
+      <span class="type">lwres_conf_t</span>
+      structure in resolver context
+      <em class="parameter"><code>ctx</code></em>.
+    </p>
+
+    <p><code class="function">lwres_conf_parse()</code>
+      opens the file
+      <em class="parameter"><code>filename</code></em>
+      and parses it to initialise the resolver context
+      <em class="parameter"><code>ctx</code></em>'s
+      <span class="type">lwres_conf_t</span>
+      structure.
+    </p>
+
+    <p><code class="function">lwres_conf_print()</code>
+      prints the
+      <span class="type">lwres_conf_t</span>
+      structure for resolver context
+      <em class="parameter"><code>ctx</code></em>
+      to the
+      <span class="type">FILE</span>
+      <em class="parameter"><code>fp</code></em>.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+
+
+    <p><code class="function">lwres_conf_parse()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span>
+      if it successfully read and parsed
+      <em class="parameter"><code>filename</code></em>.
+      It returns <span class="errorcode">LWRES_R_FAILURE</span>
+      if <em class="parameter"><code>filename</code></em>
+      could not be opened or contained incorrect
+      resolver statements.
+    </p>
+
+    <p><code class="function">lwres_conf_print()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span>
+      unless an error occurred when converting the network addresses to a
+      numeric host address string.
+      If this happens, the function returns
+      <span class="errorcode">LWRES_R_FAILURE</span>.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">stdio</span>(3)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">resolver</span>(5)
+      </span>.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.10"></a><h2>FILES</h2>
+
+    <p><code class="filename">/etc/resolv.conf</code>
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
new file mode 100644
index 0000000..13e09af
--- /dev/null
+++ b/lib/lwres/man/lwres_context.3
@@ -0,0 +1,181 @@
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_context
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_CONTEXT" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_context_create('u
+.BI "lwres_result_t lwres_context_create(lwres_context_t\ **" "contextp" ", void\ *" "arg" ", lwres_malloc_t\ " "malloc_function" ", lwres_free_t\ " "free_function" ");"
+.HP \w'lwres_result_t\ lwres_context_destroy('u
+.BI "lwres_result_t lwres_context_destroy(lwres_context_t\ **" "contextp" ");"
+.HP \w'void\ lwres_context_initserial('u
+.BI "void lwres_context_initserial(lwres_context_t\ *" "ctx" ", uint32_t\ " "serial" ");"
+.HP \w'uint32_t\ lwres_context_nextserial('u
+.BI "uint32_t lwres_context_nextserial(lwres_context_t\ *" "ctx" ");"
+.HP \w'void\ lwres_context_freemem('u
+.BI "void lwres_context_freemem(lwres_context_t\ *" "ctx" ", void\ *" "mem" ", size_t\ " "len" ");"
+.HP \w'void\ lwres_context_allocmem('u
+.BI "void lwres_context_allocmem(lwres_context_t\ *" "ctx" ", size_t\ " "len" ");"
+.HP \w'void\ *\ lwres_context_sendrecv('u
+.BI "void * lwres_context_sendrecv(lwres_context_t\ *" "ctx" ", void\ *" "sendbase" ", int\ " "sendlen" ", void\ *" "recvbase" ", int\ " "recvlen" ", int\ *" "recvd_len" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_context_create()\fR
+creates a
+\fBlwres_context_t\fR
+structure for use in lightweight resolver operations\&. It holds a socket and other data needed for communicating with a resolver daemon\&. The new
+\fBlwres_context_t\fR
+is returned through
+\fIcontextp\fR, a pointer to a
+\fBlwres_context_t\fR
+pointer\&. This
+\fBlwres_context_t\fR
+pointer must initially be NULL, and is modified to point to the newly created
+\fBlwres_context_t\fR\&.
+.PP
+When the lightweight resolver needs to perform dynamic memory allocation, it will call
+\fImalloc_function\fR
+to allocate memory and
+\fIfree_function\fR
+to free it\&. If
+\fImalloc_function\fR
+and
+\fIfree_function\fR
+are NULL, memory is allocated using
+\fBmalloc\fR(3)\&. and
+\fBfree\fR(3)\&. It is not permitted to have a NULL
+\fImalloc_function\fR
+and a non\-NULL
+\fIfree_function\fR
+or vice versa\&.
+\fIarg\fR
+is passed as the first parameter to the memory allocation functions\&. If
+\fImalloc_function\fR
+and
+\fIfree_function\fR
+are NULL,
+\fIarg\fR
+is unused and should be passed as NULL\&.
+.PP
+Once memory for the structure has been allocated, it is initialized using
+\fBlwres_conf_init\fR(3)
+and returned via
+\fI*contextp\fR\&.
+.PP
+\fBlwres_context_destroy()\fR
+destroys a
+\fBlwres_context_t\fR, closing its socket\&.
+\fIcontextp\fR
+is a pointer to a pointer to the context that is to be destroyed\&. The pointer will be set to NULL when the context has been destroyed\&.
+.PP
+The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests\&. This serial number is controlled using
+\fBlwres_context_initserial()\fR
+and
+\fBlwres_context_nextserial()\fR\&.
+\fBlwres_context_initserial()\fR
+sets the serial number for context
+\fI*ctx\fR
+to
+\fIserial\fR\&.
+\fBlwres_context_nextserial()\fR
+increments the serial number and returns the previous value\&.
+.PP
+Memory for a lightweight resolver context is allocated and freed using
+\fBlwres_context_allocmem()\fR
+and
+\fBlwres_context_freemem()\fR\&. These use whatever allocations were defined when the context was created with
+\fBlwres_context_create()\fR\&.
+\fBlwres_context_allocmem()\fR
+allocates
+\fIlen\fR
+bytes of memory and if successful returns a pointer to the allocated storage\&.
+\fBlwres_context_freemem()\fR
+frees
+\fIlen\fR
+bytes of space starting at location
+\fImem\fR\&.
+.PP
+\fBlwres_context_sendrecv()\fR
+performs I/O for the context
+\fIctx\fR\&. Data are read and written from the context\*(Aqs socket\&. It writes data from
+\fIsendbase\fR
+\(em typically a lightweight resolver query packet \(em and waits for a reply which is copied to the receive buffer at
+\fIrecvbase\fR\&. The number of bytes that were written to this receive buffer is returned in
+\fI*recvd_len\fR\&.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_context_create()\fR
+returns
+\fBLWRES_R_NOMEMORY\fR
+if memory for the
+\fBstruct lwres_context\fR
+could not be allocated,
+\fBLWRES_R_SUCCESS\fR
+otherwise\&.
+.PP
+Successful calls to the memory allocator
+\fBlwres_context_allocmem()\fR
+return a pointer to the start of the allocated space\&. It returns NULL if memory could not be allocated\&.
+.PP
+\fBLWRES_R_SUCCESS\fR
+is returned when
+\fBlwres_context_sendrecv()\fR
+completes successfully\&.
+\fBLWRES_R_IOERROR\fR
+is returned if an I/O error occurs and
+\fBLWRES_R_TIMEOUT\fR
+is returned if
+\fBlwres_context_sendrecv()\fR
+times out waiting for a response\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres_conf_init\fR(3),
+\fBmalloc\fR(3),
+\fBfree\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook
new file mode 100644
index 0000000..c05ea66
--- /dev/null
+++ b/lib/lwres/man/lwres_context.docbook
@@ -0,0 +1,256 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_context</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_context_create</refname>
+    <refname>lwres_context_destroy</refname>
+    <refname>lwres_context_nextserial</refname>
+    <refname>lwres_context_initserial</refname>
+    <refname>lwres_context_freemem</refname>
+    <refname>lwres_context_allocmem</refname>
+    <refname>lwres_context_sendrecv</refname>
+    <refpurpose>lightweight resolver context management</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_context_create</function></funcdef>
+        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
+        <paramdef>void *<parameter>arg</parameter></paramdef>
+        <paramdef>lwres_malloc_t <parameter>malloc_function</parameter></paramdef>
+        <paramdef>lwres_free_t <parameter>free_function</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_context_destroy</function></funcdef>
+        <paramdef>lwres_context_t **<parameter>contextp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_context_initserial</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>uint32_t <parameter>serial</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+uint32_t
+<function>lwres_context_nextserial</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_context_freemem</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>void *<parameter>mem</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_context_allocmem</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void *
+<function>lwres_context_sendrecv</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>void *<parameter>sendbase</parameter></paramdef>
+        <paramdef>int <parameter>sendlen</parameter></paramdef>
+        <paramdef>void *<parameter>recvbase</parameter></paramdef>
+        <paramdef>int <parameter>recvlen</parameter></paramdef>
+        <paramdef>int *<parameter>recvd_len</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_context_create()</function>
+      creates a <type>lwres_context_t</type> structure for use in
+      lightweight resolver operations.  It holds a socket and other
+      data needed for communicating with a resolver daemon.  The new
+      <type>lwres_context_t</type> is returned through
+      <parameter>contextp</parameter>, a pointer to a
+      <type>lwres_context_t</type> pointer.  This
+      <type>lwres_context_t</type> pointer must initially be NULL, and
+      is modified to point to the newly created
+      <type>lwres_context_t</type>.
+    </para>
+    <para>
+      When the lightweight resolver needs to perform dynamic memory
+      allocation, it will call
+      <parameter>malloc_function</parameter>
+      to allocate memory and
+      <parameter>free_function</parameter>
+      to free it.  If
+      <parameter>malloc_function</parameter>
+      and
+      <parameter>free_function</parameter>
+      are NULL, memory is allocated using
+      <citerefentry>
+        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      and
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+
+      It is not permitted to have a NULL
+      <parameter>malloc_function</parameter> and a non-NULL
+      <parameter>free_function</parameter> or vice versa.
+      <parameter>arg</parameter> is passed as the first parameter to
+      the memory allocation functions.  If
+      <parameter>malloc_function</parameter> and
+      <parameter>free_function</parameter> are NULL,
+      <parameter>arg</parameter> is unused and should be passed as
+      NULL.
+    </para>
+
+    <para>
+      Once memory for the structure has been allocated,
+      it is initialized using
+      <citerefentry>
+        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      and returned via <parameter>*contextp</parameter>.
+    </para>
+
+    <para><function>lwres_context_destroy()</function>
+      destroys a <type>lwres_context_t</type>, closing its socket.
+      <parameter>contextp</parameter> is a pointer to a pointer to the
+      context that is to be destroyed.  The pointer will be set to
+      NULL when the context has been destroyed.
+    </para>
+
+    <para>
+      The context holds a serial number that is used to identify
+      resolver request packets and associate responses with the
+      corresponding requests.  This serial number is controlled using
+      <function>lwres_context_initserial()</function> and
+      <function>lwres_context_nextserial()</function>.
+      <function>lwres_context_initserial()</function> sets the serial
+      number for context <parameter>*ctx</parameter> to
+      <parameter>serial</parameter>.
+      <function>lwres_context_nextserial()</function> increments the
+      serial number and returns the previous value.
+    </para>
+
+    <para>
+      Memory for a lightweight resolver context is allocated and freed
+      using <function>lwres_context_allocmem()</function> and
+      <function>lwres_context_freemem()</function>.  These use
+      whatever allocations were defined when the context was created
+      with <function>lwres_context_create()</function>.
+      <function>lwres_context_allocmem()</function> allocates
+      <parameter>len</parameter> bytes of memory and if successful
+      returns a pointer to the allocated storage.
+      <function>lwres_context_freemem()</function> frees
+      <parameter>len</parameter> bytes of space starting at location
+      <parameter>mem</parameter>.
+    </para>
+
+    <para><function>lwres_context_sendrecv()</function>
+      performs I/O for the context <parameter>ctx</parameter>.  Data
+      are read and written from the context's socket.  It writes data
+      from <parameter>sendbase</parameter> &mdash; typically a
+      lightweight resolver query packet &mdash; and waits for a reply
+      which is copied to the receive buffer at
+      <parameter>recvbase</parameter>.  The number of bytes that were
+      written to this receive buffer is returned in
+      <parameter>*recvd_len</parameter>.
+    </para>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+
+    <para><function>lwres_context_create()</function>
+      returns <errorcode>LWRES_R_NOMEMORY</errorcode> if memory for
+      the <type>struct lwres_context</type> could not be allocated,
+      <errorcode>LWRES_R_SUCCESS</errorcode> otherwise.
+    </para>
+    <para>
+      Successful calls to the memory allocator
+      <function>lwres_context_allocmem()</function>
+      return a pointer to the start of the allocated space.
+      It returns NULL if memory could not be allocated.
+    </para>
+    <para><errorcode>LWRES_R_SUCCESS</errorcode>
+      is returned when
+      <function>lwres_context_sendrecv()</function>
+      completes successfully.
+      <errorcode>LWRES_R_IOERROR</errorcode>
+      is returned if an I/O error occurs and
+      <errorcode>LWRES_R_TIMEOUT</errorcode>
+      is returned if
+      <function>lwres_context_sendrecv()</function>
+      times out waiting for a response.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
new file mode 100644
index 0000000..84fcf28
--- /dev/null
+++ b/lib/lwres/man/lwres_context.html
@@ -0,0 +1,294 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_context</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_context_create, 
+    lwres_context_destroy, 
+    lwres_context_nextserial, 
+    lwres_context_initserial, 
+    lwres_context_freemem, 
+    lwres_context_allocmem, 
+    lwres_context_sendrecv
+     &#8212; lightweight resolver context management
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_context_create</b>(</code></td>
+<td>lwres_context_t **<var class="pdparam">contextp</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>void *<var class="pdparam">arg</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_malloc_t <var class="pdparam">malloc_function</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_free_t <var class="pdparam">free_function</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_context_destroy</b>(</code></td>
+<td>lwres_context_t **<var class="pdparam">contextp</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_context_initserial</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint32_t <var class="pdparam">serial</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+uint32_t
+<b class="fsfunc">lwres_context_nextserial</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_context_freemem</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>void *<var class="pdparam">mem</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">len</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_context_allocmem</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">len</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void *
+<b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>void *<var class="pdparam">sendbase</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">sendlen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>void *<var class="pdparam">recvbase</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">recvlen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">recvd_len</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_context_create()</code>
+      creates a <span class="type">lwres_context_t</span> structure for use in
+      lightweight resolver operations.  It holds a socket and other
+      data needed for communicating with a resolver daemon.  The new
+      <span class="type">lwres_context_t</span> is returned through
+      <em class="parameter"><code>contextp</code></em>, a pointer to a
+      <span class="type">lwres_context_t</span> pointer.  This
+      <span class="type">lwres_context_t</span> pointer must initially be NULL, and
+      is modified to point to the newly created
+      <span class="type">lwres_context_t</span>.
+    </p>
+    <p>
+      When the lightweight resolver needs to perform dynamic memory
+      allocation, it will call
+      <em class="parameter"><code>malloc_function</code></em>
+      to allocate memory and
+      <em class="parameter"><code>free_function</code></em>
+      to free it.  If
+      <em class="parameter"><code>malloc_function</code></em>
+      and
+      <em class="parameter"><code>free_function</code></em>
+      are NULL, memory is allocated using
+      <span class="citerefentry">
+        <span class="refentrytitle">malloc</span>(3)
+      </span>.
+      and
+      <span class="citerefentry">
+        <span class="refentrytitle">free</span>(3)
+      </span>.
+
+      It is not permitted to have a NULL
+      <em class="parameter"><code>malloc_function</code></em> and a non-NULL
+      <em class="parameter"><code>free_function</code></em> or vice versa.
+      <em class="parameter"><code>arg</code></em> is passed as the first parameter to
+      the memory allocation functions.  If
+      <em class="parameter"><code>malloc_function</code></em> and
+      <em class="parameter"><code>free_function</code></em> are NULL,
+      <em class="parameter"><code>arg</code></em> is unused and should be passed as
+      NULL.
+    </p>
+
+    <p>
+      Once memory for the structure has been allocated,
+      it is initialized using
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_conf_init</span>(3)
+      </span>
+      and returned via <em class="parameter"><code>*contextp</code></em>.
+    </p>
+
+    <p><code class="function">lwres_context_destroy()</code>
+      destroys a <span class="type">lwres_context_t</span>, closing its socket.
+      <em class="parameter"><code>contextp</code></em> is a pointer to a pointer to the
+      context that is to be destroyed.  The pointer will be set to
+      NULL when the context has been destroyed.
+    </p>
+
+    <p>
+      The context holds a serial number that is used to identify
+      resolver request packets and associate responses with the
+      corresponding requests.  This serial number is controlled using
+      <code class="function">lwres_context_initserial()</code> and
+      <code class="function">lwres_context_nextserial()</code>.
+      <code class="function">lwres_context_initserial()</code> sets the serial
+      number for context <em class="parameter"><code>*ctx</code></em> to
+      <em class="parameter"><code>serial</code></em>.
+      <code class="function">lwres_context_nextserial()</code> increments the
+      serial number and returns the previous value.
+    </p>
+
+    <p>
+      Memory for a lightweight resolver context is allocated and freed
+      using <code class="function">lwres_context_allocmem()</code> and
+      <code class="function">lwres_context_freemem()</code>.  These use
+      whatever allocations were defined when the context was created
+      with <code class="function">lwres_context_create()</code>.
+      <code class="function">lwres_context_allocmem()</code> allocates
+      <em class="parameter"><code>len</code></em> bytes of memory and if successful
+      returns a pointer to the allocated storage.
+      <code class="function">lwres_context_freemem()</code> frees
+      <em class="parameter"><code>len</code></em> bytes of space starting at location
+      <em class="parameter"><code>mem</code></em>.
+    </p>
+
+    <p><code class="function">lwres_context_sendrecv()</code>
+      performs I/O for the context <em class="parameter"><code>ctx</code></em>.  Data
+      are read and written from the context's socket.  It writes data
+      from <em class="parameter"><code>sendbase</code></em> &#8212; typically a
+      lightweight resolver query packet &#8212; and waits for a reply
+      which is copied to the receive buffer at
+      <em class="parameter"><code>recvbase</code></em>.  The number of bytes that were
+      written to this receive buffer is returned in
+      <em class="parameter"><code>*recvd_len</code></em>.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+
+    <p><code class="function">lwres_context_create()</code>
+      returns <span class="errorcode">LWRES_R_NOMEMORY</span> if memory for
+      the <span class="type">struct lwres_context</span> could not be allocated,
+      <span class="errorcode">LWRES_R_SUCCESS</span> otherwise.
+    </p>
+    <p>
+      Successful calls to the memory allocator
+      <code class="function">lwres_context_allocmem()</code>
+      return a pointer to the start of the allocated space.
+      It returns NULL if memory could not be allocated.
+    </p>
+    <p><span class="errorcode">LWRES_R_SUCCESS</span>
+      is returned when
+      <code class="function">lwres_context_sendrecv()</code>
+      completes successfully.
+      <span class="errorcode">LWRES_R_IOERROR</span>
+      is returned if an I/O error occurs and
+      <span class="errorcode">LWRES_R_TIMEOUT</span>
+      is returned if
+      <code class="function">lwres_context_sendrecv()</code>
+      times out waiting for a response.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_conf_init</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">malloc</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">free</span>(3)
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3
new file mode 100644
index 0000000..5e9b070
--- /dev/null
+++ b/lib/lwres/man/lwres_gabn.3
@@ -0,0 +1,217 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_gabn
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GABN" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_gabnrequest_render('u
+.BI "lwres_result_t lwres_gabnrequest_render(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_gabnresponse_render('u
+.BI "lwres_result_t lwres_gabnresponse_render(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_gabnrequest_parse('u
+.BI "lwres_result_t lwres_gabnrequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnrequest_t\ **" "structp" ");"
+.HP \w'lwres_result_t\ lwres_gabnresponse_parse('u
+.BI "lwres_result_t lwres_gabnresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gabnresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_gabnresponse_free('u
+.BI "void lwres_gabnresponse_free(lwres_context_t\ *" "ctx" ", lwres_gabnresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_gabnrequest_free('u
+.BI "void lwres_gabnrequest_free(lwres_context_t\ *" "ctx" ", lwres_gabnrequest_t\ **" "structp" ");"
+.SH "DESCRIPTION"
+.PP
+These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages\&.
+.PP
+There are four main functions for the getaddrbyname opcode\&. One render function converts a getaddrbyname request structure \(em
+\fBlwres_gabnrequest_t\fR
+\(em to the lightweight resolver\*(Aqs canonical format\&. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure\&. Another render function converts the getaddrbyname response structure \(em
+\fBlwres_gabnresponse_t\fR
+\(em to the canonical format\&. This is complemented by a parse function which converts a packet in canonical format to a getaddrbyname response structure\&.
+.PP
+These structures are defined in
+<lwres/lwres\&.h>\&. They are shown below\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint32_t  flags;
+        uint32_t  addrtypes;
+        uint16_t  namelen;
+        char           *name;
+} lwres_gabnrequest_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBlwres_gabnrequest_render()\fR
+uses resolver context
+\fIctx\fR
+to convert getaddrbyname request structure
+\fIreq\fR
+to canonical format\&. The packet header structure
+\fIpkt\fR
+is initialised and transferred to buffer
+\fIb\fR\&. The contents of
+\fI*req\fR
+are then appended to the buffer in canonical format\&.
+\fBlwres_gabnresponse_render()\fR
+performs the same task, except it converts a getaddrbyname response structure
+\fBlwres_gabnresponse_t\fR
+to the lightweight resolver\*(Aqs canonical format\&.
+.PP
+\fBlwres_gabnrequest_parse()\fR
+uses context
+\fIctx\fR
+to convert the contents of packet
+\fIpkt\fR
+to a
+\fBlwres_gabnrequest_t\fR
+structure\&. Buffer
+\fIb\fR
+provides space to be used for storing this structure\&. When the function succeeds, the resulting
+\fBlwres_gabnrequest_t\fR
+is made available through
+\fI*structp\fR\&.
+\fBlwres_gabnresponse_parse()\fR
+offers the same semantics as
+\fBlwres_gabnrequest_parse()\fR
+except it yields a
+\fBlwres_gabnresponse_t\fR
+structure\&.
+.PP
+\fBlwres_gabnresponse_free()\fR
+and
+\fBlwres_gabnrequest_free()\fR
+release the memory in resolver context
+\fIctx\fR
+that was allocated to the
+\fBlwres_gabnresponse_t\fR
+or
+\fBlwres_gabnrequest_t\fR
+structures referenced via
+\fIstructp\fR\&. Any memory associated with ancillary buffers and strings for those structures is also discarded\&.
+.SH "RETURN VALUES"
+.PP
+The getaddrbyname opcode functions
+\fBlwres_gabnrequest_render()\fR,
+\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR
+and
+\fBlwres_gabnresponse_parse()\fR
+all return
+\fBLWRES_R_SUCCESS\fR
+on success\&. They return
+\fBLWRES_R_NOMEMORY\fR
+if memory allocation fails\&.
+\fBLWRES_R_UNEXPECTEDEND\fR
+is returned if the available space in the buffer
+\fIb\fR
+is too small to accommodate the packet header or the
+\fBlwres_gabnrequest_t\fR
+and
+\fBlwres_gabnresponse_t\fR
+structures\&.
+\fBlwres_gabnrequest_parse()\fR
+and
+\fBlwres_gabnresponse_parse()\fR
+will return
+\fBLWRES_R_UNEXPECTEDEND\fR
+if the buffer is not empty after decoding the received packet\&. These functions will return
+\fBLWRES_R_FAILURE\fR
+if
+\fIpktflags\fR
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3)
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook
new file mode 100644
index 0000000..4cff953
--- /dev/null
+++ b/lib/lwres/man/lwres_gabn.docbook
@@ -0,0 +1,254 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_gabn</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_gabnrequest_render</refname>
+    <refname>lwres_gabnresponse_render</refname>
+    <refname>lwres_gabnrequest_parse</refname>
+    <refname>lwres_gabnresponse_parse</refname>
+    <refname>lwres_gabnresponse_free</refname>
+    <refname>lwres_gabnrequest_free</refname>
+    <refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gabnrequest_render</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gabnresponse_render</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gabnrequest_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gabnresponse_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_gabnresponse_free</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_gabnrequest_free</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gabnrequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver name-to-address lookup request and
+      response messages.
+    </para>
+    <para>
+      There are four main functions for the getaddrbyname opcode.
+      One render function converts a getaddrbyname request structure &mdash;
+      <type>lwres_gabnrequest_t</type> &mdash;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getaddrbyname request structure.
+      Another render function converts the getaddrbyname response structure
+      &mdash; <type>lwres_gabnresponse_t</type> &mdash;
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getaddrbyname response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>&lt;lwres/lwres.h&gt;</filename>.
+      They are shown below.
+    </para>
+    <para><programlisting>
+#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint32_t  flags;
+        uint32_t  addrtypes;
+        uint16_t  namelen;
+        char           *name;
+} lwres_gabnrequest_t;
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+</programlisting>
+    </para>
+
+    <para><function>lwres_gabnrequest_render()</function>
+      uses resolver context <parameter>ctx</parameter> to convert
+      getaddrbyname request structure <parameter>req</parameter> to
+      canonical format.  The packet header structure
+      <parameter>pkt</parameter> is initialised and transferred to
+      buffer <parameter>b</parameter>.
+
+      The contents of <parameter>*req</parameter> are then appended to
+      the buffer in canonical format.
+      <function>lwres_gabnresponse_render()</function> performs the
+      same task, except it converts a getaddrbyname response structure
+      <type>lwres_gabnresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
+
+    <para><function>lwres_gabnrequest_parse()</function>
+      uses context <parameter>ctx</parameter> to convert the contents
+      of packet <parameter>pkt</parameter> to a
+      <type>lwres_gabnrequest_t</type> structure.  Buffer
+      <parameter>b</parameter> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <type>lwres_gabnrequest_t</type> is made available through
+      <parameter>*structp</parameter>.
+
+      <function>lwres_gabnresponse_parse()</function> offers the same
+      semantics as <function>lwres_gabnrequest_parse()</function>
+      except it yields a <type>lwres_gabnresponse_t</type> structure.
+    </para>
+
+    <para><function>lwres_gabnresponse_free()</function>
+      and <function>lwres_gabnrequest_free()</function> release the
+      memory in resolver context <parameter>ctx</parameter> that was
+      allocated to the <type>lwres_gabnresponse_t</type> or
+      <type>lwres_gabnrequest_t</type> structures referenced via
+      <parameter>structp</parameter>.
+
+      Any memory associated with ancillary buffers and strings for
+      those structures is also discarded.
+    </para>
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      The getaddrbyname opcode functions
+      <function>lwres_gabnrequest_render()</function>,
+      <function>lwres_gabnresponse_render()</function>
+      <function>lwres_gabnrequest_parse()</function>
+      and
+      <function>lwres_gabnresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <parameter>b</parameter>
+      is too small to accommodate the packet header or the
+      <type>lwres_gabnrequest_t</type>
+      and
+      <type>lwres_gabnresponse_t</type>
+      structures.
+      <function>lwres_gabnrequest_parse()</function>
+      and
+      <function>lwres_gabnresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <varname remap="structfield">pktflags</varname>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
new file mode 100644
index 0000000..612045e
--- /dev/null
+++ b/lib/lwres/man/lwres_gabn.html
@@ -0,0 +1,304 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_gabn</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_gabnrequest_render, 
+    lwres_gabnresponse_render, 
+    lwres_gabnrequest_parse, 
+    lwres_gabnresponse_parse, 
+    lwres_gabnresponse_free, 
+    lwres_gabnrequest_free
+     &#8212; lightweight resolver getaddrbyname message handling
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnrequest_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnresponse_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnrequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnrequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      These are low-level routines for creating and parsing
+      lightweight resolver name-to-address lookup request and
+      response messages.
+    </p>
+    <p>
+      There are four main functions for the getaddrbyname opcode.
+      One render function converts a getaddrbyname request structure &#8212;
+      <span class="type">lwres_gabnrequest_t</span> &#8212;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getaddrbyname request structure.
+      Another render function converts the getaddrbyname response structure
+      &#8212; <span class="type">lwres_gabnresponse_t</span> &#8212;
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getaddrbyname response structure.
+    </p>
+    <p>
+      These structures are defined in
+      <code class="filename">&lt;lwres/lwres.h&gt;</code>.
+      They are shown below.
+    </p>
+    <pre class="programlisting">
+#define LWRES_OPCODE_GETADDRSBYNAME     0x00010001U
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint32_t  flags;
+        uint32_t  addrtypes;
+        uint16_t  namelen;
+        char           *name;
+} lwres_gabnrequest_t;
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+</pre>
+<p>
+    </p>
+
+    <p><code class="function">lwres_gabnrequest_render()</code>
+      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
+      getaddrbyname request structure <em class="parameter"><code>req</code></em> to
+      canonical format.  The packet header structure
+      <em class="parameter"><code>pkt</code></em> is initialised and transferred to
+      buffer <em class="parameter"><code>b</code></em>.
+
+      The contents of <em class="parameter"><code>*req</code></em> are then appended to
+      the buffer in canonical format.
+      <code class="function">lwres_gabnresponse_render()</code> performs the
+      same task, except it converts a getaddrbyname response structure
+      <span class="type">lwres_gabnresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+
+    <p><code class="function">lwres_gabnrequest_parse()</code>
+      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
+      of packet <em class="parameter"><code>pkt</code></em> to a
+      <span class="type">lwres_gabnrequest_t</span> structure.  Buffer
+      <em class="parameter"><code>b</code></em> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <span class="type">lwres_gabnrequest_t</span> is made available through
+      <em class="parameter"><code>*structp</code></em>.
+
+      <code class="function">lwres_gabnresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_gabnrequest_parse()</code>
+      except it yields a <span class="type">lwres_gabnresponse_t</span> structure.
+    </p>
+
+    <p><code class="function">lwres_gabnresponse_free()</code>
+      and <code class="function">lwres_gabnrequest_free()</code> release the
+      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
+      allocated to the <span class="type">lwres_gabnresponse_t</span> or
+      <span class="type">lwres_gabnrequest_t</span> structures referenced via
+      <em class="parameter"><code>structp</code></em>.
+
+      Any memory associated with ancillary buffers and strings for
+      those structures is also discarded.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      The getaddrbyname opcode functions
+      <code class="function">lwres_gabnrequest_render()</code>,
+      <code class="function">lwres_gabnresponse_render()</code>
+      <code class="function">lwres_gabnrequest_parse()</code>
+      and
+      <code class="function">lwres_gabnresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <em class="parameter"><code>b</code></em>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_gabnrequest_t</span>
+      and
+      <span class="type">lwres_gabnresponse_t</span>
+      structures.
+      <code class="function">lwres_gabnrequest_parse()</code>
+      and
+      <code class="function">lwres_gabnresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <code class="varname">pktflags</code>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_packet</span>(3)
+      </span>
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3
new file mode 100644
index 0000000..c0a4afa
--- /dev/null
+++ b/lib/lwres/man/lwres_gai_strerror.3
@@ -0,0 +1,140 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_gai_strerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GAI_STRERROR" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_gai_strerror \- print suitable error string
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'char\ *\ gai_strerror('u
+.BI "char * gai_strerror(int\ " "ecode" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_gai_strerror()\fR
+returns an error message corresponding to an error code returned by
+\fBgetaddrinfo()\fR\&. The following error codes and their meaning are defined in
+include/lwres/netdb\&.h\&.
+.PP
+\fBEAI_ADDRFAMILY\fR
+.RS 4
+address family for hostname not supported
+.RE
+.PP
+\fBEAI_AGAIN\fR
+.RS 4
+temporary failure in name resolution
+.RE
+.PP
+\fBEAI_BADFLAGS\fR
+.RS 4
+invalid value for
+\fBai_flags\fR
+.RE
+.PP
+\fBEAI_FAIL\fR
+.RS 4
+non\-recoverable failure in name resolution
+.RE
+.PP
+\fBEAI_FAMILY\fR
+.RS 4
+\fBai_family\fR
+not supported
+.RE
+.PP
+\fBEAI_MEMORY\fR
+.RS 4
+memory allocation failure
+.RE
+.PP
+\fBEAI_NODATA\fR
+.RS 4
+no address associated with hostname
+.RE
+.PP
+\fBEAI_NONAME\fR
+.RS 4
+hostname or servname not provided, or not known
+.RE
+.PP
+\fBEAI_SERVICE\fR
+.RS 4
+servname not supported for
+\fBai_socktype\fR
+.RE
+.PP
+\fBEAI_SOCKTYPE\fR
+.RS 4
+\fBai_socktype\fR
+not supported
+.RE
+.PP
+\fBEAI_SYSTEM\fR
+.RS 4
+system error returned in errno
+.RE
+The message
+invalid error code
+is returned if
+\fIecode\fR
+is out of range\&.
+.PP
+\fBai_flags\fR,
+\fBai_family\fR
+and
+\fBai_socktype\fR
+are elements of the
+\fBstruct addrinfo\fR
+used by
+\fBlwres_getaddrinfo()\fR\&.
+.SH "SEE ALSO"
+.PP
+\fBstrerror\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBgetaddrinfo\fR(3),
+\fBRFC2133\fR()\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook
new file mode 100644
index 0000000..8fa178b
--- /dev/null
+++ b/lib/lwres/man/lwres_gai_strerror.docbook
@@ -0,0 +1,192 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_gai_strerror</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_gai_strerror</refname>
+    <refpurpose>print suitable error string</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+char *
+<function>gai_strerror</function></funcdef>
+        <paramdef>int <parameter>ecode</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_gai_strerror()</function>
+      returns an error message corresponding to an error code returned by
+      <function>getaddrinfo()</function>.
+      The following error codes and their meaning are defined in
+      <filename>include/lwres/netdb.h</filename>.
+      <variablelist>
+        <varlistentry>
+          <term><errorcode>EAI_ADDRFAMILY</errorcode></term>
+          <listitem>
+            <para>
+              address family for hostname not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_AGAIN</errorcode></term>
+          <listitem>
+            <para>
+              temporary failure in name resolution
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_BADFLAGS</errorcode></term>
+          <listitem>
+            <para>
+              invalid value for
+              <constant>ai_flags</constant>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_FAIL</errorcode></term>
+          <listitem>
+            <para>
+              non-recoverable failure in name resolution
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_FAMILY</errorcode></term>
+          <listitem>
+            <para><constant>ai_family</constant> not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_MEMORY</errorcode></term>
+          <listitem>
+            <para>
+              memory allocation failure
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_NODATA</errorcode></term>
+          <listitem>
+            <para>
+              no address associated with hostname
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_NONAME</errorcode></term>
+          <listitem>
+            <para>
+              hostname or servname not provided, or not known
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SERVICE</errorcode></term>
+          <listitem>
+            <para>
+              servname not supported for <constant>ai_socktype</constant>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SOCKTYPE</errorcode></term>
+          <listitem>
+            <para><constant>ai_socktype</constant> not supported
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>EAI_SYSTEM</errorcode></term>
+          <listitem>
+            <para>
+              system error returned in errno
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+      The message <errorname>invalid error code</errorname> is returned if
+      <parameter>ecode</parameter>
+      is out of range.
+    </para>
+    <para><constant>ai_flags</constant>,
+      <constant>ai_family</constant>
+      and
+      <constant>ai_socktype</constant>
+      are elements of the
+      <type>struct  addrinfo</type>
+      used by
+      <function>lwres_getaddrinfo()</function>.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
new file mode 100644
index 0000000..9ee1453
--- /dev/null
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -0,0 +1,160 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_gai_strerror</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_gai_strerror
+     &#8212; print suitable error string
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+char *
+<b class="fsfunc">gai_strerror</b>(</code></td>
+<td>int <var class="pdparam">ecode</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_gai_strerror()</code>
+      returns an error message corresponding to an error code returned by
+      <code class="function">getaddrinfo()</code>.
+      The following error codes and their meaning are defined in
+      <code class="filename">include/lwres/netdb.h</code>.
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
+<dd>
+            <p>
+              address family for hostname not supported
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
+<dd>
+            <p>
+              temporary failure in name resolution
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
+<dd>
+            <p>
+              invalid value for
+              <code class="constant">ai_flags</code>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
+<dd>
+            <p>
+              non-recoverable failure in name resolution
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
+<dd>
+            <p><code class="constant">ai_family</code> not supported
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
+<dd>
+            <p>
+              memory allocation failure
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
+<dd>
+            <p>
+              no address associated with hostname
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
+<dd>
+            <p>
+              hostname or servname not provided, or not known
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
+<dd>
+            <p>
+              servname not supported for <code class="constant">ai_socktype</code>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
+<dd>
+            <p><code class="constant">ai_socktype</code> not supported
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
+<dd>
+            <p>
+              system error returned in errno
+            </p>
+          </dd>
+</dl></div>
+<p>
+      The message <span class="errorname">invalid error code</span> is returned if
+      <em class="parameter"><code>ecode</code></em>
+      is out of range.
+    </p>
+    <p><code class="constant">ai_flags</code>,
+      <code class="constant">ai_family</code>
+      and
+      <code class="constant">ai_socktype</code>
+      are elements of the
+      <span class="type">struct  addrinfo</span>
+      used by
+      <code class="function">lwres_getaddrinfo()</code>.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">strerror</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">getaddrinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">RFC2133</span>
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3
new file mode 100644
index 0000000..581ea5c
--- /dev/null
+++ b/lib/lwres/man/lwres_getaddrinfo.3
@@ -0,0 +1,254 @@
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_getaddrinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GETADDRINFO" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'int\ lwres_getaddrinfo('u
+.BI "int lwres_getaddrinfo(const\ char\ *" "hostname" ", const\ char\ *" "servname" ", const\ struct\ addrinfo\ *" "hints" ", struct\ addrinfo\ **" "res" ");"
+.HP \w'void\ lwres_freeaddrinfo('u
+.BI "void lwres_freeaddrinfo(struct\ addrinfo\ *" "ai" ");"
+.PP
+If the operating system does not provide a
+\fBstruct addrinfo\fR, the following structure is used:
+.PP
+.nf
+struct  addrinfo {
+        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
+        int             ai_family;      /* PF_xxx */
+        int             ai_socktype;    /* SOCK_xxx */
+        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+        size_t          ai_addrlen;     /* length of ai_addr */
+        char            *ai_canonname;  /* canonical name for hostname */
+        struct sockaddr *ai_addr;       /* binary address */
+        struct addrinfo *ai_next;       /* next structure in linked list */
+};
+.fi
+.sp
+.SH "DESCRIPTION"
+.PP
+\fBlwres_getaddrinfo()\fR
+is used to get a list of IP addresses and port numbers for host
+\fIhostname\fR
+and service
+\fIservname\fR\&. The function is the lightweight resolver\*(Aqs implementation of
+\fBgetaddrinfo()\fR
+as defined in RFC2133\&.
+\fIhostname\fR
+and
+\fIservname\fR
+are pointers to null\-terminated strings or
+\fBNULL\fR\&.
+\fIhostname\fR
+is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address\&.
+\fIservname\fR
+is either a decimal port number or a service name as listed in
+/etc/services\&.
+.PP
+\fIhints\fR
+is an optional pointer to a
+\fBstruct addrinfo\fR\&. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use\&. The caller can supply the following structure elements in
+\fI*hints\fR:
+.PP
+\fBai_family\fR
+.RS 4
+The protocol family that should be used\&. When
+\fBai_family\fR
+is set to
+\fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system\&.
+.RE
+.PP
+\fBai_socktype\fR
+.RS 4
+denotes the type of socket \(em
+\fBSOCK_STREAM\fR,
+\fBSOCK_DGRAM\fR
+or
+\fBSOCK_RAW\fR
+\(em that is wanted\&. When
+\fBai_socktype\fR
+is zero the caller will accept any socket type\&.
+.RE
+.PP
+\fBai_protocol\fR
+.RS 4
+indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP\&. If
+\fBai_protocol\fR
+is zero the caller will accept any protocol\&.
+.RE
+.PP
+\fBai_flags\fR
+.RS 4
+Flag bits\&. If the
+\fBAI_CANONNAME\fR
+bit is set, a successful call to
+\fBlwres_getaddrinfo()\fR
+will return a null\-terminated string containing the canonical name of the specified hostname in
+\fBai_canonname\fR
+of the first
+\fBaddrinfo\fR
+structure returned\&. Setting the
+\fBAI_PASSIVE\fR
+bit indicates that the returned socket address structure is intended for used in a call to
+\fBbind\fR(2)\&. In this case, if the hostname argument is a
+\fBNULL\fR
+pointer, then the IP address portion of the socket address structure will be set to
+\fBINADDR_ANY\fR
+for an IPv4 address or
+\fBIN6ADDR_ANY_INIT\fR
+for an IPv6 address\&.
+.sp
+When
+\fBai_flags\fR
+does not set the
+\fBAI_PASSIVE\fR
+bit, the returned socket address structure will be ready for use in a call to
+\fBconnect\fR(2)
+for a connection\-oriented protocol or
+\fBconnect\fR(2),
+\fBsendto\fR(2), or
+\fBsendmsg\fR(2)
+if a connectionless protocol was chosen\&. The IP address portion of the socket address structure will be set to the loopback address if
+\fIhostname\fR
+is a
+\fBNULL\fR
+pointer and
+\fBAI_PASSIVE\fR
+is not set in
+\fBai_flags\fR\&.
+.sp
+If
+\fBai_flags\fR
+is set to
+\fBAI_NUMERICHOST\fR
+it indicates that
+\fIhostname\fR
+should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted\&.
+.RE
+.PP
+All other elements of the
+\fBstruct addrinfo\fR
+passed via
+\fIhints\fR
+must be zero\&.
+.PP
+A
+\fIhints\fR
+of
+\fBNULL\fR
+is treated as if the caller provided a
+\fBstruct addrinfo\fR
+initialized to zero with
+\fBai_family\fRset to
+\fBPF_UNSPEC\fR\&.
+.PP
+After a successful call to
+\fBlwres_getaddrinfo()\fR,
+\fI*res\fR
+is a pointer to a linked list of one or more
+\fBaddrinfo\fR
+structures\&. Each
+\fBstruct addrinfo\fR
+in this list cn be processed by following the
+\fBai_next\fR
+pointer, until a
+\fBNULL\fR
+pointer is encountered\&. The three members
+\fBai_family\fR,
+\fBai_socktype\fR, and
+\fBai_protocol\fR
+in each returned
+\fBaddrinfo\fR
+structure contain the corresponding arguments for a call to
+\fBsocket\fR(2)\&. For each
+\fBaddrinfo\fR
+structure in the list, the
+\fBai_addr\fR
+member points to a filled\-in socket address structure of length
+\fBai_addrlen\fR\&.
+.PP
+All of the information returned by
+\fBlwres_getaddrinfo()\fR
+is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the
+\fBaddrinfo\fRstructures\&. Memory allocated for the dynamically allocated structures created by a successful call to
+\fBlwres_getaddrinfo()\fR
+is released by
+\fBlwres_freeaddrinfo()\fR\&.
+\fIai\fR
+is a pointer to a
+\fBstruct addrinfo\fR
+created by a call to
+\fBlwres_getaddrinfo()\fR\&.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getaddrinfo()\fR
+returns zero on success or one of the error codes listed in
+\fBgai_strerror\fR(3)
+if an error occurs\&. If both
+\fIhostname\fR
+and
+\fIservname\fR
+are
+\fBNULL\fR\fBlwres_getaddrinfo()\fR
+returns
+\fBEAI_NONAME\fR\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBlwres_freeaddrinfo\fR(3),
+\fBlwres_gai_strerror\fR(3),
+\fBRFC2133\fR(),
+\fBgetservbyname\fR(3),
+\fBbind\fR(2),
+\fBconnect\fR(2),
+\fBsendto\fR(2),
+\fBsendmsg\fR(2),
+\fBsocket\fR(2)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook
new file mode 100644
index 0000000..bfe649a
--- /dev/null
+++ b/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -0,0 +1,381 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_getaddrinfo</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_getaddrinfo</refname>
+    <refname>lwres_freeaddrinfo</refname>
+    <refpurpose>socket address structure to host and service name</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+int
+<function>lwres_getaddrinfo</function></funcdef>
+        <paramdef>const char *<parameter>hostname</parameter></paramdef>
+        <paramdef>const char *<parameter>servname</parameter></paramdef>
+        <paramdef>const struct addrinfo *<parameter>hints</parameter></paramdef>
+        <paramdef>struct addrinfo **<parameter>res</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_freeaddrinfo</function></funcdef>
+        <paramdef>struct addrinfo *<parameter>ai</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+
+    <para>
+      If the operating system does not provide a
+      <type>struct addrinfo</type>,
+      the following structure is used:
+    </para>
+    <para><programlisting>
+struct  addrinfo {
+        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
+        int             ai_family;      /* PF_xxx */
+        int             ai_socktype;    /* SOCK_xxx */
+        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+        size_t          ai_addrlen;     /* length of ai_addr */
+        char            *ai_canonname;  /* canonical name for hostname */
+        struct sockaddr *ai_addr;       /* binary address */
+        struct addrinfo *ai_next;       /* next structure in linked list */
+};
+</programlisting>
+    </para>
+
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_getaddrinfo()</function>
+      is used to get a list of IP addresses and port numbers for host
+      <parameter>hostname</parameter> and service
+      <parameter>servname</parameter>.
+
+      The function is the lightweight resolver's implementation of
+      <function>getaddrinfo()</function> as defined in RFC2133.
+      <parameter>hostname</parameter> and
+      <parameter>servname</parameter> are pointers to null-terminated
+      strings or <type>NULL</type>.
+
+      <parameter>hostname</parameter> is either a host name or a
+      numeric host address string: a dotted decimal IPv4 address or an
+      IPv6 address.  <parameter>servname</parameter> is either a
+      decimal port number or a service name as listed in
+      <filename>/etc/services</filename>.
+    </para>
+
+    <para><parameter>hints</parameter>
+      is an optional pointer to a
+      <type>struct addrinfo</type>.
+      This structure can be used to provide hints concerning the type of
+      socket
+      that the caller supports or wishes to use.
+      The caller can supply the following structure elements in
+      <parameter>*hints</parameter>:
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>ai_family</constant></term>
+          <listitem>
+            <para>
+              The protocol family that should be used.
+              When
+              <constant>ai_family</constant>
+              is set to
+              <type>PF_UNSPEC</type>,
+              it means the caller will accept any protocol family supported by
+              the
+              operating system.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_socktype</constant></term>
+          <listitem>
+            <para>
+              denotes the type of socket &mdash;
+              <type>SOCK_STREAM</type>,
+              <type>SOCK_DGRAM</type>
+              or
+              <type>SOCK_RAW</type>
+              &mdash; that is wanted.
+              When
+              <constant>ai_socktype</constant>
+              is zero the caller will accept any socket type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_protocol</constant></term>
+          <listitem>
+            <para>
+              indicates which transport protocol is wanted: IPPROTO_UDP or
+              IPPROTO_TCP.
+              If
+              <constant>ai_protocol</constant>
+              is zero the caller will accept any protocol.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>ai_flags</constant></term>
+          <listitem>
+            <para>
+              Flag bits.
+              If the
+              <type>AI_CANONNAME</type>
+              bit is set, a successful call to
+              <function>lwres_getaddrinfo()</function>
+              will return a null-terminated string containing the canonical
+              name
+              of the specified hostname in
+              <constant>ai_canonname</constant>
+              of the first
+              <type>addrinfo</type>
+              structure returned.
+              Setting the
+              <type>AI_PASSIVE</type>
+              bit indicates that the returned socket address structure is
+              intended
+              for used in a call to
+              <citerefentry>
+                <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>.
+
+              In this case, if the hostname argument is a
+              <type>NULL</type>
+              pointer, then the IP address portion of the socket
+              address structure will be set to
+              <type>INADDR_ANY</type>
+              for an IPv4 address or
+              <type>IN6ADDR_ANY_INIT</type>
+              for an IPv6 address.
+            </para>
+            <para>
+              When
+              <constant>ai_flags</constant>
+              does not set the
+              <type>AI_PASSIVE</type>
+              bit, the returned socket address structure will be ready
+              for use in a call to
+              <citerefentry>
+                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>
+              for a connection-oriented protocol or
+              <citerefentry>
+                <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>,
+
+              <citerefentry>
+                <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>,
+
+              or
+              <citerefentry>
+                <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
+              </citerefentry>
+              if a connectionless protocol was chosen.
+              The IP address portion of the socket address structure will be
+              set to the loopback address if
+              <parameter>hostname</parameter>
+              is a
+              <type>NULL</type>
+              pointer and
+              <type>AI_PASSIVE</type>
+              is not set in
+              <constant>ai_flags</constant>.
+            </para>
+            <para>
+              If
+              <constant>ai_flags</constant>
+              is set to
+              <type>AI_NUMERICHOST</type>
+              it indicates that
+              <parameter>hostname</parameter>
+              should be treated as a numeric string defining an IPv4 or IPv6
+              address
+              and no name resolution should be attempted.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para>
+      All other elements of the <type>struct addrinfo</type> passed
+      via <parameter>hints</parameter> must be zero.
+    </para>
+
+    <para>
+      A <parameter>hints</parameter> of <type>NULL</type> is
+      treated as if
+      the caller provided a <type>struct addrinfo</type> initialized to zero
+      with <constant>ai_family</constant>set to
+      <constant>PF_UNSPEC</constant>.
+    </para>
+
+    <para>
+      After a successful call to
+      <function>lwres_getaddrinfo()</function>,
+      <parameter>*res</parameter>
+      is a pointer to a linked list of one or more
+      <type>addrinfo</type>
+      structures.
+      Each
+      <type>struct addrinfo</type>
+      in this list cn be processed by following
+      the
+      <constant>ai_next</constant>
+      pointer, until a
+      <type>NULL</type>
+      pointer is encountered.
+      The three members
+      <constant>ai_family</constant>,
+      <constant>ai_socktype</constant>,
+      and
+      <constant>ai_protocol</constant>
+      in each
+      returned
+      <type>addrinfo</type>
+      structure contain the corresponding arguments for a call to
+      <citerefentry>
+        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>.
+      For each
+      <type>addrinfo</type>
+      structure in the list, the
+      <constant>ai_addr</constant>
+      member points to a filled-in socket address structure of length
+      <constant>ai_addrlen</constant>.
+    </para>
+
+    <para>
+      All of the information returned by
+      <function>lwres_getaddrinfo()</function>
+      is dynamically allocated: the addrinfo structures, and the socket
+      address structures and canonical host name strings pointed to by the
+      <constant>addrinfo</constant>structures.
+      Memory allocated for the dynamically allocated structures created by
+      a successful call to
+      <function>lwres_getaddrinfo()</function>
+      is released by
+      <function>lwres_freeaddrinfo()</function>.
+      <parameter>ai</parameter>
+      is a pointer to a
+      <type>struct addrinfo</type>
+      created by a call to
+      <function>lwres_getaddrinfo()</function>.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+
+    <para><function>lwres_getaddrinfo()</function>
+      returns zero on success or one of the error codes listed in
+      <citerefentry>
+        <refentrytitle>gai_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      if an error occurs.  If both <parameter>hostname</parameter> and
+      <parameter>servname</parameter> are <type>NULL</type>
+      <function>lwres_getaddrinfo()</function> returns
+      <errorcode>EAI_NONAME</errorcode>.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
new file mode 100644
index 0000000..786a811
--- /dev/null
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -0,0 +1,374 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_getaddrinfo</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_getaddrinfo, 
+    lwres_freeaddrinfo
+     &#8212; socket address structure to host and service name
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+int
+<b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
+<td>const char *<var class="pdparam">hostname</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const char *<var class="pdparam">servname</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const struct addrinfo *<var class="pdparam">hints</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>struct addrinfo **<var class="pdparam">res</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
+<td>struct addrinfo *<var class="pdparam">ai</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+
+    <p>
+      If the operating system does not provide a
+      <span class="type">struct addrinfo</span>,
+      the following structure is used:
+    </p>
+    <pre class="programlisting">
+struct  addrinfo {
+        int             ai_flags;       /* AI_PASSIVE, AI_CANONNAME */
+        int             ai_family;      /* PF_xxx */
+        int             ai_socktype;    /* SOCK_xxx */
+        int             ai_protocol;    /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+        size_t          ai_addrlen;     /* length of ai_addr */
+        char            *ai_canonname;  /* canonical name for hostname */
+        struct sockaddr *ai_addr;       /* binary address */
+        struct addrinfo *ai_next;       /* next structure in linked list */
+};
+</pre>
+<p>
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_getaddrinfo()</code>
+      is used to get a list of IP addresses and port numbers for host
+      <em class="parameter"><code>hostname</code></em> and service
+      <em class="parameter"><code>servname</code></em>.
+
+      The function is the lightweight resolver's implementation of
+      <code class="function">getaddrinfo()</code> as defined in RFC2133.
+      <em class="parameter"><code>hostname</code></em> and
+      <em class="parameter"><code>servname</code></em> are pointers to null-terminated
+      strings or <span class="type">NULL</span>.
+
+      <em class="parameter"><code>hostname</code></em> is either a host name or a
+      numeric host address string: a dotted decimal IPv4 address or an
+      IPv6 address.  <em class="parameter"><code>servname</code></em> is either a
+      decimal port number or a service name as listed in
+      <code class="filename">/etc/services</code>.
+    </p>
+
+    <p><em class="parameter"><code>hints</code></em>
+      is an optional pointer to a
+      <span class="type">struct addrinfo</span>.
+      This structure can be used to provide hints concerning the type of
+      socket
+      that the caller supports or wishes to use.
+      The caller can supply the following structure elements in
+      <em class="parameter"><code>*hints</code></em>:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">ai_family</code></span></dt>
+<dd>
+            <p>
+              The protocol family that should be used.
+              When
+              <code class="constant">ai_family</code>
+              is set to
+              <span class="type">PF_UNSPEC</span>,
+              it means the caller will accept any protocol family supported by
+              the
+              operating system.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
+<dd>
+            <p>
+              denotes the type of socket &#8212;
+              <span class="type">SOCK_STREAM</span>,
+              <span class="type">SOCK_DGRAM</span>
+              or
+              <span class="type">SOCK_RAW</span>
+              &#8212; that is wanted.
+              When
+              <code class="constant">ai_socktype</code>
+              is zero the caller will accept any socket type.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
+<dd>
+            <p>
+              indicates which transport protocol is wanted: IPPROTO_UDP or
+              IPPROTO_TCP.
+              If
+              <code class="constant">ai_protocol</code>
+              is zero the caller will accept any protocol.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ai_flags</code></span></dt>
+<dd>
+            <p>
+              Flag bits.
+              If the
+              <span class="type">AI_CANONNAME</span>
+              bit is set, a successful call to
+              <code class="function">lwres_getaddrinfo()</code>
+              will return a null-terminated string containing the canonical
+              name
+              of the specified hostname in
+              <code class="constant">ai_canonname</code>
+              of the first
+              <span class="type">addrinfo</span>
+              structure returned.
+              Setting the
+              <span class="type">AI_PASSIVE</span>
+              bit indicates that the returned socket address structure is
+              intended
+              for used in a call to
+              <span class="citerefentry">
+                <span class="refentrytitle">bind</span>(2)
+              </span>.
+
+              In this case, if the hostname argument is a
+              <span class="type">NULL</span>
+              pointer, then the IP address portion of the socket
+              address structure will be set to
+              <span class="type">INADDR_ANY</span>
+              for an IPv4 address or
+              <span class="type">IN6ADDR_ANY_INIT</span>
+              for an IPv6 address.
+            </p>
+            <p>
+              When
+              <code class="constant">ai_flags</code>
+              does not set the
+              <span class="type">AI_PASSIVE</span>
+              bit, the returned socket address structure will be ready
+              for use in a call to
+              <span class="citerefentry">
+                <span class="refentrytitle">connect</span>(2)
+              </span>
+              for a connection-oriented protocol or
+              <span class="citerefentry">
+                <span class="refentrytitle">connect</span>(2)
+              </span>,
+
+              <span class="citerefentry">
+                <span class="refentrytitle">sendto</span>(2)
+              </span>,
+
+              or
+              <span class="citerefentry">
+                <span class="refentrytitle">sendmsg</span>(2)
+              </span>
+              if a connectionless protocol was chosen.
+              The IP address portion of the socket address structure will be
+              set to the loopback address if
+              <em class="parameter"><code>hostname</code></em>
+              is a
+              <span class="type">NULL</span>
+              pointer and
+              <span class="type">AI_PASSIVE</span>
+              is not set in
+              <code class="constant">ai_flags</code>.
+            </p>
+            <p>
+              If
+              <code class="constant">ai_flags</code>
+              is set to
+              <span class="type">AI_NUMERICHOST</span>
+              it indicates that
+              <em class="parameter"><code>hostname</code></em>
+              should be treated as a numeric string defining an IPv4 or IPv6
+              address
+              and no name resolution should be attempted.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+
+    <p>
+      All other elements of the <span class="type">struct addrinfo</span> passed
+      via <em class="parameter"><code>hints</code></em> must be zero.
+    </p>
+
+    <p>
+      A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is
+      treated as if
+      the caller provided a <span class="type">struct addrinfo</span> initialized to zero
+      with <code class="constant">ai_family</code>set to
+      <code class="constant">PF_UNSPEC</code>.
+    </p>
+
+    <p>
+      After a successful call to
+      <code class="function">lwres_getaddrinfo()</code>,
+      <em class="parameter"><code>*res</code></em>
+      is a pointer to a linked list of one or more
+      <span class="type">addrinfo</span>
+      structures.
+      Each
+      <span class="type">struct addrinfo</span>
+      in this list cn be processed by following
+      the
+      <code class="constant">ai_next</code>
+      pointer, until a
+      <span class="type">NULL</span>
+      pointer is encountered.
+      The three members
+      <code class="constant">ai_family</code>,
+      <code class="constant">ai_socktype</code>,
+      and
+      <code class="constant">ai_protocol</code>
+      in each
+      returned
+      <span class="type">addrinfo</span>
+      structure contain the corresponding arguments for a call to
+      <span class="citerefentry">
+        <span class="refentrytitle">socket</span>(2)
+      </span>.
+      For each
+      <span class="type">addrinfo</span>
+      structure in the list, the
+      <code class="constant">ai_addr</code>
+      member points to a filled-in socket address structure of length
+      <code class="constant">ai_addrlen</code>.
+    </p>
+
+    <p>
+      All of the information returned by
+      <code class="function">lwres_getaddrinfo()</code>
+      is dynamically allocated: the addrinfo structures, and the socket
+      address structures and canonical host name strings pointed to by the
+      <code class="constant">addrinfo</code>structures.
+      Memory allocated for the dynamically allocated structures created by
+      a successful call to
+      <code class="function">lwres_getaddrinfo()</code>
+      is released by
+      <code class="function">lwres_freeaddrinfo()</code>.
+      <em class="parameter"><code>ai</code></em>
+      is a pointer to a
+      <span class="type">struct addrinfo</span>
+      created by a call to
+      <code class="function">lwres_getaddrinfo()</code>.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+
+    <p><code class="function">lwres_getaddrinfo()</code>
+      returns zero on success or one of the error codes listed in
+      <span class="citerefentry">
+        <span class="refentrytitle">gai_strerror</span>(3)
+      </span>
+      if an error occurs.  If both <em class="parameter"><code>hostname</code></em> and
+      <em class="parameter"><code>servname</code></em> are <span class="type">NULL</span>
+      <code class="function">lwres_getaddrinfo()</code> returns
+      <span class="errorcode">EAI_NONAME</span>.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_freeaddrinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gai_strerror</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">RFC2133</span>
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">getservbyname</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">bind</span>(2)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">connect</span>(2)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">sendto</span>(2)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">sendmsg</span>(2)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">socket</span>(2)
+      </span>.
+    </p>
+
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3
new file mode 100644
index 0000000..f88372a
--- /dev/null
+++ b/lib/lwres/man/lwres_gethostent.3
@@ -0,0 +1,329 @@
+.\" Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_gethostent
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GETHOSTENT" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'struct\ hostent\ *\ lwres_gethostbyname('u
+.BI "struct hostent * lwres_gethostbyname(const\ char\ *" "name" ");"
+.HP \w'struct\ hostent\ *\ lwres_gethostbyname2('u
+.BI "struct hostent * lwres_gethostbyname2(const\ char\ *" "name" ", int\ " "af" ");"
+.HP \w'struct\ hostent\ *\ lwres_gethostbyaddr('u
+.BI "struct hostent * lwres_gethostbyaddr(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ");"
+.HP \w'struct\ hostent\ *\ lwres_gethostent('u
+.BI "struct hostent * lwres_gethostent(void);"
+.HP \w'void\ lwres_sethostent('u
+.BI "void lwres_sethostent(int\ " "stayopen" ");"
+.HP \w'void\ lwres_endhostent('u
+.BI "void lwres_endhostent(void);"
+.HP \w'struct\ hostent\ *\ lwres_gethostbyname_r('u
+.BI "struct hostent * lwres_gethostbyname_r(const\ char\ *" "name" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
+.HP \w'struct\ hostent\ *\ lwres_gethostbyaddr_r('u
+.BI "struct hostent * lwres_gethostbyaddr_r(const\ char\ *" "addr" ", int\ " "len" ", int\ " "type" ", struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
+.HP \w'struct\ hostent\ *\ lwres_gethostent_r('u
+.BI "struct hostent * lwres_gethostent_r(struct\ hostent\ *" "resbuf" ", char\ *" "buf" ", int\ " "buflen" ", int\ *" "error" ");"
+.HP \w'void\ lwres_sethostent_r('u
+.BI "void lwres_sethostent_r(int\ " "stayopen" ");"
+.HP \w'void\ lwres_endhostent_r('u
+.BI "void lwres_endhostent_r(void);"
+.SH "DESCRIPTION"
+.PP
+These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver\&. They are similar to the standard
+\fBgethostent\fR(3)
+functions provided by most operating systems\&. They use a
+\fBstruct hostent\fR
+which is usually defined in
+<namedb\&.h>\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The members of this structure are:
+.PP
+\fBh_name\fR
+.RS 4
+The official (canonical) name of the host\&.
+.RE
+.PP
+\fBh_aliases\fR
+.RS 4
+A NULL\-terminated array of alternate names (nicknames) for the host\&.
+.RE
+.PP
+\fBh_addrtype\fR
+.RS 4
+The type of address being returned \(em
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR\&.
+.RE
+.PP
+\fBh_length\fR
+.RS 4
+The length of the address in bytes\&.
+.RE
+.PP
+\fBh_addr_list\fR
+.RS 4
+A
+\fBNULL\fR
+terminated array of network addresses for the host\&. Host addresses are returned in network byte order\&.
+.RE
+.PP
+For backward compatibility with very old software,
+\fBh_addr\fR
+is the first address in
+\fBh_addr_list\&.\fR
+.PP
+\fBlwres_gethostent()\fR,
+\fBlwres_sethostent()\fR,
+\fBlwres_endhostent()\fR,
+\fBlwres_gethostent_r()\fR,
+\fBlwres_sethostent_r()\fR
+and
+\fBlwres_endhostent_r()\fR
+provide iteration over the known host entries on systems that provide such functionality through facilities like
+/etc/hosts
+or NIS\&. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure\&.
+.PP
+\fBlwres_gethostbyname()\fR
+and
+\fBlwres_gethostbyname2()\fR
+look up the hostname
+\fIname\fR\&.
+\fBlwres_gethostbyname()\fR
+always looks for an IPv4 address while
+\fBlwres_gethostbyname2()\fR
+looks for an address of protocol family
+\fIaf\fR: either
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR
+\(em IPv4 or IPV6 addresses respectively\&. Successful calls of the functions return a
+\fBstruct hostent\fRfor the name that was looked up\&.
+\fBNULL\fR
+is returned if the lookups by
+\fBlwres_gethostbyname()\fR
+or
+\fBlwres_gethostbyname2()\fR
+fail\&.
+.PP
+Reverse lookups of addresses are performed by
+\fBlwres_gethostbyaddr()\fR\&.
+\fIaddr\fR
+is an address of length
+\fIlen\fR
+bytes and protocol family
+\fItype\fR
+\(em
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR\&.
+\fBlwres_gethostbyname_r()\fR
+is a thread\-safe function for forward lookups\&. If an error occurs, an error code is returned in
+\fI*error\fR\&.
+\fIresbuf\fR
+is a pointer to a
+\fBstruct hostent\fR
+which is initialised by a successful call to
+\fBlwres_gethostbyname_r()\fR\&.
+\fIbuf\fR
+is a buffer of length
+\fIlen\fR
+bytes which is used to store the
+\fBh_name\fR,
+\fBh_aliases\fR, and
+\fBh_addr_list\fR
+elements of the
+\fBstruct hostent\fR
+returned in
+\fIresbuf\fR\&. Successful calls to
+\fBlwres_gethostbyname_r()\fR
+return
+\fIresbuf\fR, which is a pointer to the
+\fBstruct hostent\fR
+it created\&.
+.PP
+\fBlwres_gethostbyaddr_r()\fR
+is a thread\-safe function that performs a reverse lookup of address
+\fIaddr\fR
+which is
+\fIlen\fR
+bytes long and is of protocol family
+\fItype\fR
+\(em
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR\&. If an error occurs, the error code is returned in
+\fI*error\fR\&. The other function parameters are identical to those in
+\fBlwres_gethostbyname_r()\fR\&.
+\fIresbuf\fR
+is a pointer to a
+\fBstruct hostent\fR
+which is initialised by a successful call to
+\fBlwres_gethostbyaddr_r()\fR\&.
+\fIbuf\fR
+is a buffer of length
+\fIlen\fR
+bytes which is used to store the
+\fBh_name\fR,
+\fBh_aliases\fR, and
+\fBh_addr_list\fR
+elements of the
+\fBstruct hostent\fR
+returned in
+\fIresbuf\fR\&. Successful calls to
+\fBlwres_gethostbyaddr_r()\fR
+return
+\fIresbuf\fR, which is a pointer to the
+\fBstruct hostent()\fR
+it created\&.
+.SH "RETURN VALUES"
+.PP
+The functions
+\fBlwres_gethostbyname()\fR,
+\fBlwres_gethostbyname2()\fR,
+\fBlwres_gethostbyaddr()\fR, and
+\fBlwres_gethostent()\fR
+return NULL to indicate an error\&. In this case the global variable
+\fBlwres_h_errno\fR
+will contain one of the following error codes defined in
+<lwres/netdb\&.h>:
+.PP
+\fBHOST_NOT_FOUND\fR
+.RS 4
+The host or address was not found\&.
+.RE
+.PP
+\fBTRY_AGAIN\fR
+.RS 4
+A recoverable error occurred, e\&.g\&., a timeout\&. Retrying the lookup may succeed\&.
+.RE
+.PP
+\fBNO_RECOVERY\fR
+.RS 4
+A non\-recoverable error occurred\&.
+.RE
+.PP
+\fBNO_DATA\fR
+.RS 4
+The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup)\&. The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility\&.
+.RE
+.PP
+\fBlwres_hstrerror\fR(3)
+translates these error codes to suitable error messages\&.
+.PP
+\fBlwres_gethostent()\fR
+and
+\fBlwres_gethostent_r()\fR
+always return
+\fBNULL\fR\&.
+.PP
+Successful calls to
+\fBlwres_gethostbyname_r()\fR
+and
+\fBlwres_gethostbyaddr_r()\fR
+return
+\fIresbuf\fR, a pointer to the
+\fBstruct hostent\fR
+that was initialised by these functions\&. They return
+\fBNULL\fR
+if the lookups fail or if
+\fIbuf\fR
+was too small to hold the list of addresses and names referenced by the
+\fBh_name\fR,
+\fBh_aliases\fR, and
+\fBh_addr_list\fR
+elements of the
+\fBstruct hostent\fR\&. If
+\fIbuf\fR
+was too small, both
+\fBlwres_gethostbyname_r()\fR
+and
+\fBlwres_gethostbyaddr_r()\fR
+set the global variable
+\fBerrno\fR
+to
+\fBERANGE\fR\&.
+.SH "SEE ALSO"
+.PP
+\fBgethostent\fR(3),
+\fBlwres_getipnode\fR(3),
+\fBlwres_hstrerror\fR(3)
+.SH "BUGS"
+.PP
+\fBlwres_gethostbyname()\fR,
+\fBlwres_gethostbyname2()\fR,
+\fBlwres_gethostbyaddr()\fR
+and
+\fBlwres_endhostent()\fR
+are not thread safe; they return pointers to static data and provide error codes through a global variable\&. Thread\-safe versions for name and address lookup are provided by
+\fBlwres_gethostbyname_r()\fR, and
+\fBlwres_gethostbyaddr_r()\fR
+respectively\&.
+.PP
+The resolver daemon does not currently support any non\-DNS name services such as
+/etc/hosts
+or
+\fBNIS\fR, consequently the above functions don\*(Aqt, either\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook
new file mode 100644
index 0000000..f11ee07
--- /dev/null
+++ b/lib/lwres/man/lwres_gethostent.docbook
@@ -0,0 +1,433 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_gethostent</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_gethostbyname</refname>
+    <refname>lwres_gethostbyname2</refname>
+    <refname>lwres_gethostbyaddr</refname>
+    <refname>lwres_gethostent</refname>
+    <refname>lwres_sethostent</refname>
+    <refname>lwres_endhostent</refname>
+    <refname>lwres_gethostbyname_r</refname>
+    <refname>lwres_gethostbyaddr_r</refname>
+    <refname>lwres_gethostent_r</refname>
+    <refname>lwres_sethostent_r</refname>
+    <refname>lwres_endhostent_r</refname>
+    <refpurpose>lightweight resolver get network host entry</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_gethostbyname</function></funcdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_gethostbyname2</function></funcdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_gethostbyaddr</function></funcdef>
+        <paramdef>const char *<parameter>addr</parameter></paramdef>
+        <paramdef>int <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>type</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_gethostent</function></funcdef>
+        <paramdef>void</paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_sethostent</function></funcdef>
+        <paramdef>int <parameter>stayopen</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_endhostent</function></funcdef>
+        <paramdef>void</paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_gethostbyname_r</function></funcdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent  *
+<function>lwres_gethostbyaddr_r</function></funcdef>
+        <paramdef>const char *<parameter>addr</parameter></paramdef>
+        <paramdef>int <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>type</parameter></paramdef>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent  *
+<function>lwres_gethostent_r</function></funcdef>
+        <paramdef>struct hostent *<parameter>resbuf</parameter></paramdef>
+        <paramdef>char *<parameter>buf</parameter></paramdef>
+        <paramdef>int <parameter>buflen</parameter></paramdef>
+        <paramdef>int *<parameter>error</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_sethostent_r</function></funcdef>
+        <paramdef>int <parameter>stayopen</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_endhostent_r</function></funcdef>
+        <paramdef>void</paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      These functions provide hostname-to-address and
+      address-to-hostname lookups by means of the lightweight resolver.
+      They are similar to the standard
+      <citerefentry>
+        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      functions provided by most operating systems.
+      They use a
+      <type>struct hostent</type>
+      which is usually defined in
+      <filename>&lt;namedb.h&gt;</filename>.
+    </para>
+    <para><programlisting>
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+</programlisting>
+    </para>
+    <para>
+      The members of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>h_name</constant></term>
+          <listitem>
+            <para>
+              The official (canonical) name of the host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_aliases</constant></term>
+          <listitem>
+            <para>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addrtype</constant></term>
+          <listitem>
+            <para>
+              The type of address being returned &mdash;
+              <type>PF_INET</type>
+              or
+              <type>PF_INET6</type>.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_length</constant></term>
+          <listitem>
+            <para>
+              The length of the address in bytes.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addr_list</constant></term>
+          <listitem>
+            <para>
+              A <type>NULL</type>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para>
+      For backward compatibility with very old software,
+      <constant>h_addr</constant>
+      is the first address in
+      <constant>h_addr_list.</constant>
+    </para>
+    <para><function>lwres_gethostent()</function>,
+      <function>lwres_sethostent()</function>,
+      <function>lwres_endhostent()</function>,
+      <function>lwres_gethostent_r()</function>,
+      <function>lwres_sethostent_r()</function>
+      and
+      <function>lwres_endhostent_r()</function>
+      provide iteration over the known host entries on systems that
+      provide such functionality through facilities like
+      <filename>/etc/hosts</filename>
+      or NIS.  The lightweight resolver does not currently implement
+      these functions; it only provides them as stub functions that always
+      return failure.
+    </para>
+
+    <para><function>lwres_gethostbyname()</function>
+      and <function>lwres_gethostbyname2()</function> look up the
+      hostname <parameter>name</parameter>.
+      <function>lwres_gethostbyname()</function> always looks for an
+      IPv4 address while <function>lwres_gethostbyname2()</function>
+      looks for an address of protocol family
+      <parameter>af</parameter>: either <type>PF_INET</type> or
+      <type>PF_INET6</type> &mdash; IPv4 or IPV6 addresses
+      respectively.  Successful calls of the functions return a
+      <type>struct hostent</type>for the name that was looked up.
+      <type>NULL</type> is returned if the lookups by
+      <function>lwres_gethostbyname()</function> or
+      <function>lwres_gethostbyname2()</function> fail.
+    </para>
+
+    <para>
+      Reverse lookups of addresses are performed by
+      <function>lwres_gethostbyaddr()</function>.
+      <parameter>addr</parameter> is an address of length
+      <parameter>len</parameter> bytes and protocol family
+      <parameter>type</parameter> &mdash; <type>PF_INET</type> or
+      <type>PF_INET6</type>.
+      <function>lwres_gethostbyname_r()</function> is a
+      thread-safe function
+      for forward lookups.  If an error occurs, an error code is returned in
+      <parameter>*error</parameter>.
+      <parameter>resbuf</parameter> is a pointer to a
+      <type>struct hostent</type> which is initialised by a successful call to
+      <function>lwres_gethostbyname_r()</function>.
+      <parameter>buf</parameter> is a buffer of length
+      <parameter>len</parameter> bytes which is used to store the
+      <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
+      Successful calls to <function>lwres_gethostbyname_r()</function>
+      return <parameter>resbuf</parameter>,
+      which is a pointer to the <type>struct hostent</type> it created.
+    </para>
+
+    <para><function>lwres_gethostbyaddr_r()</function>
+      is a thread-safe function
+      that performs a reverse lookup of address <parameter>addr</parameter>
+      which is <parameter>len</parameter> bytes long and is of
+      protocol
+      family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
+      <type>PF_INET6</type>.  If an error occurs, the error code is returned
+      in <parameter>*error</parameter>.  The other function
+      parameters are
+      identical to those in <function>lwres_gethostbyname_r()</function>.
+      <parameter>resbuf</parameter> is a pointer to a
+      <type>struct hostent</type> which is initialised by a successful call to
+      <function>lwres_gethostbyaddr_r()</function>.
+      <parameter>buf</parameter> is a buffer of length
+      <parameter>len</parameter> bytes which is used to store the
+      <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type> returned in <parameter>resbuf</parameter>.
+      Successful calls to <function>lwres_gethostbyaddr_r()</function> return
+      <parameter>resbuf</parameter>, which is a pointer to the
+      <function>struct hostent()</function> it created.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      The functions
+      <function>lwres_gethostbyname()</function>,
+      <function>lwres_gethostbyname2()</function>,
+      <function>lwres_gethostbyaddr()</function>,
+      and
+      <function>lwres_gethostent()</function>
+      return NULL to indicate an error.  In this case the global variable
+      <type>lwres_h_errno</type>
+      will contain one of the following error codes defined in
+      <filename>&lt;lwres/netdb.h&gt;</filename>:
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>HOST_NOT_FOUND</constant></term>
+          <listitem>
+            <para>
+              The host or address was not found.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>TRY_AGAIN</constant></term>
+          <listitem>
+            <para>
+              A recoverable error occurred, e.g., a timeout.
+              Retrying the lookup may succeed.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_RECOVERY</constant></term>
+          <listitem>
+            <para>
+              A non-recoverable error occurred.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_DATA</constant></term>
+          <listitem>
+            <para>
+              The name exists, but has no address information
+              associated with it (or vice versa in the case
+              of a reverse lookup).  The code NO_ADDRESS
+              is accepted as a synonym for NO_DATA for backwards
+              compatibility.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      translates these error codes to suitable error messages.
+    </para>
+
+    <para><function>lwres_gethostent()</function>
+      and <function>lwres_gethostent_r()</function>
+      always return <type>NULL</type>.
+    </para>
+
+    <para>
+      Successful calls to <function>lwres_gethostbyname_r()</function> and
+      <function>lwres_gethostbyaddr_r()</function> return
+      <parameter>resbuf</parameter>, a pointer to the
+      <type>struct hostent</type> that was initialised by these functions.  They return
+      <type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
+      was too small to hold the list of addresses and names referenced by
+      the <constant>h_name</constant>, <constant>h_aliases</constant>, and
+      <constant>h_addr_list</constant> elements of the
+      <type>struct hostent</type>.
+      If <parameter>buf</parameter> was too small, both
+      <function>lwres_gethostbyname_r()</function> and
+      <function>lwres_gethostbyaddr_r()</function> set the global
+      variable
+      <type>errno</type> to <errorcode>ERANGE</errorcode>.
+    </para>
+
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsection>
+
+  <refsection><info><title>BUGS</title></info>
+
+    <para><function>lwres_gethostbyname()</function>,
+      <function>lwres_gethostbyname2()</function>,
+      <function>lwres_gethostbyaddr()</function>
+      and
+      <function>lwres_endhostent()</function>
+      are not thread safe; they return pointers to static data and
+      provide error codes through a global variable.
+      Thread-safe versions for name and address lookup are provided by
+      <function>lwres_gethostbyname_r()</function>,
+      and
+      <function>lwres_gethostbyaddr_r()</function>
+      respectively.
+    </para>
+    <para>
+      The resolver daemon does not currently support any non-DNS
+      name services such as
+      <filename>/etc/hosts</filename>
+      or
+      <type>NIS</type>,
+      consequently the above functions don't, either.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
new file mode 100644
index 0000000..a67e8da
--- /dev/null
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -0,0 +1,477 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_gethostent</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_gethostbyname, 
+    lwres_gethostbyname2, 
+    lwres_gethostbyaddr, 
+    lwres_gethostent, 
+    lwres_sethostent, 
+    lwres_endhostent, 
+    lwres_gethostbyname_r, 
+    lwres_gethostbyaddr_r, 
+    lwres_gethostent_r, 
+    lwres_sethostent_r, 
+    lwres_endhostent_r
+     &#8212; lightweight resolver get network host entry
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_gethostbyname</b>(</code></td>
+<td>const char *<var class="pdparam">name</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
+<td>const char *<var class="pdparam">name</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">af</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
+<td>const char *<var class="pdparam">addr</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">len</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">type</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_gethostent</b>(</code></td>
+<td>void<code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_sethostent</b>(</code></td>
+<td>int <var class="pdparam">stayopen</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_endhostent</b>(</code></td>
+<td>void<code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
+<td>const char *<var class="pdparam">name</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>struct hostent *<var class="pdparam">resbuf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">buf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">buflen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">error</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent  *
+<b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
+<td>const char *<var class="pdparam">addr</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">len</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">type</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>struct hostent *<var class="pdparam">resbuf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">buf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">buflen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">error</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent  *
+<b class="fsfunc">lwres_gethostent_r</b>(</code></td>
+<td>struct hostent *<var class="pdparam">resbuf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">buf</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">buflen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">error</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_sethostent_r</b>(</code></td>
+<td>int <var class="pdparam">stayopen</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_endhostent_r</b>(</code></td>
+<td>void<code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      These functions provide hostname-to-address and
+      address-to-hostname lookups by means of the lightweight resolver.
+      They are similar to the standard
+      <span class="citerefentry">
+        <span class="refentrytitle">gethostent</span>(3)
+      </span>
+      functions provided by most operating systems.
+      They use a
+      <span class="type">struct hostent</span>
+      which is usually defined in
+      <code class="filename">&lt;namedb.h&gt;</code>.
+    </p>
+    <pre class="programlisting">
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+</pre>
+<p>
+    </p>
+    <p>
+      The members of this structure are:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">h_name</code></span></dt>
+<dd>
+            <p>
+              The official (canonical) name of the host.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
+<dd>
+            <p>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
+<dd>
+            <p>
+              The type of address being returned &#8212;
+              <span class="type">PF_INET</span>
+              or
+              <span class="type">PF_INET6</span>.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_length</code></span></dt>
+<dd>
+            <p>
+              The length of the address in bytes.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
+<dd>
+            <p>
+              A <span class="type">NULL</span>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+    <p>
+      For backward compatibility with very old software,
+      <code class="constant">h_addr</code>
+      is the first address in
+      <code class="constant">h_addr_list.</code>
+    </p>
+    <p><code class="function">lwres_gethostent()</code>,
+      <code class="function">lwres_sethostent()</code>,
+      <code class="function">lwres_endhostent()</code>,
+      <code class="function">lwres_gethostent_r()</code>,
+      <code class="function">lwres_sethostent_r()</code>
+      and
+      <code class="function">lwres_endhostent_r()</code>
+      provide iteration over the known host entries on systems that
+      provide such functionality through facilities like
+      <code class="filename">/etc/hosts</code>
+      or NIS.  The lightweight resolver does not currently implement
+      these functions; it only provides them as stub functions that always
+      return failure.
+    </p>
+
+    <p><code class="function">lwres_gethostbyname()</code>
+      and <code class="function">lwres_gethostbyname2()</code> look up the
+      hostname <em class="parameter"><code>name</code></em>.
+      <code class="function">lwres_gethostbyname()</code> always looks for an
+      IPv4 address while <code class="function">lwres_gethostbyname2()</code>
+      looks for an address of protocol family
+      <em class="parameter"><code>af</code></em>: either <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6 addresses
+      respectively.  Successful calls of the functions return a
+      <span class="type">struct hostent</span>for the name that was looked up.
+      <span class="type">NULL</span> is returned if the lookups by
+      <code class="function">lwres_gethostbyname()</code> or
+      <code class="function">lwres_gethostbyname2()</code> fail.
+    </p>
+
+    <p>
+      Reverse lookups of addresses are performed by
+      <code class="function">lwres_gethostbyaddr()</code>.
+      <em class="parameter"><code>addr</code></em> is an address of length
+      <em class="parameter"><code>len</code></em> bytes and protocol family
+      <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span>.
+      <code class="function">lwres_gethostbyname_r()</code> is a
+      thread-safe function
+      for forward lookups.  If an error occurs, an error code is returned in
+      <em class="parameter"><code>*error</code></em>.
+      <em class="parameter"><code>resbuf</code></em> is a pointer to a
+      <span class="type">struct hostent</span> which is initialised by a successful call to
+      <code class="function">lwres_gethostbyname_r()</code>.
+      <em class="parameter"><code>buf</code></em> is a buffer of length
+      <em class="parameter"><code>len</code></em> bytes which is used to store the
+      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
+      Successful calls to <code class="function">lwres_gethostbyname_r()</code>
+      return <em class="parameter"><code>resbuf</code></em>,
+      which is a pointer to the <span class="type">struct hostent</span> it created.
+    </p>
+
+    <p><code class="function">lwres_gethostbyaddr_r()</code>
+      is a thread-safe function
+      that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
+      which is <em class="parameter"><code>len</code></em> bytes long and is of
+      protocol
+      family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
+      <span class="type">PF_INET6</span>.  If an error occurs, the error code is returned
+      in <em class="parameter"><code>*error</code></em>.  The other function
+      parameters are
+      identical to those in <code class="function">lwres_gethostbyname_r()</code>.
+      <em class="parameter"><code>resbuf</code></em> is a pointer to a
+      <span class="type">struct hostent</span> which is initialised by a successful call to
+      <code class="function">lwres_gethostbyaddr_r()</code>.
+      <em class="parameter"><code>buf</code></em> is a buffer of length
+      <em class="parameter"><code>len</code></em> bytes which is used to store the
+      <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
+      Successful calls to <code class="function">lwres_gethostbyaddr_r()</code> return
+      <em class="parameter"><code>resbuf</code></em>, which is a pointer to the
+      <code class="function">struct hostent()</code> it created.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      The functions
+      <code class="function">lwres_gethostbyname()</code>,
+      <code class="function">lwres_gethostbyname2()</code>,
+      <code class="function">lwres_gethostbyaddr()</code>,
+      and
+      <code class="function">lwres_gethostent()</code>
+      return NULL to indicate an error.  In this case the global variable
+      <span class="type">lwres_h_errno</span>
+      will contain one of the following error codes defined in
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
+<dd>
+            <p>
+              The host or address was not found.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
+<dd>
+            <p>
+              A recoverable error occurred, e.g., a timeout.
+              Retrying the lookup may succeed.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
+<dd>
+            <p>
+              A non-recoverable error occurred.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
+<dd>
+            <p>
+              The name exists, but has no address information
+              associated with it (or vice versa in the case
+              of a reverse lookup).  The code NO_ADDRESS
+              is accepted as a synonym for NO_DATA for backwards
+              compatibility.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_hstrerror</span>(3)
+      </span>
+      translates these error codes to suitable error messages.
+    </p>
+
+    <p><code class="function">lwres_gethostent()</code>
+      and <code class="function">lwres_gethostent_r()</code>
+      always return <span class="type">NULL</span>.
+    </p>
+
+    <p>
+      Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
+      <code class="function">lwres_gethostbyaddr_r()</code> return
+      <em class="parameter"><code>resbuf</code></em>, a pointer to the
+      <span class="type">struct hostent</span> that was initialised by these functions.  They return
+      <span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
+      was too small to hold the list of addresses and names referenced by
+      the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
+      <code class="constant">h_addr_list</code> elements of the
+      <span class="type">struct hostent</span>.
+      If <em class="parameter"><code>buf</code></em> was too small, both
+      <code class="function">lwres_gethostbyname_r()</code> and
+      <code class="function">lwres_gethostbyaddr_r()</code> set the global
+      variable
+      <span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
+    </p>
+
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">gethostent</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getipnode</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_hstrerror</span>(3)
+      </span>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>BUGS</h2>
+
+    <p><code class="function">lwres_gethostbyname()</code>,
+      <code class="function">lwres_gethostbyname2()</code>,
+      <code class="function">lwres_gethostbyaddr()</code>
+      and
+      <code class="function">lwres_endhostent()</code>
+      are not thread safe; they return pointers to static data and
+      provide error codes through a global variable.
+      Thread-safe versions for name and address lookup are provided by
+      <code class="function">lwres_gethostbyname_r()</code>,
+      and
+      <code class="function">lwres_gethostbyaddr_r()</code>
+      respectively.
+    </p>
+    <p>
+      The resolver daemon does not currently support any non-DNS
+      name services such as
+      <code class="filename">/etc/hosts</code>
+      or
+      <span class="type">NIS</span>,
+      consequently the above functions don't, either.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3
new file mode 100644
index 0000000..7bd1b5c
--- /dev/null
+++ b/lib/lwres/man/lwres_getipnode.3
@@ -0,0 +1,220 @@
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_getipnode
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GETIPNODE" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'struct\ hostent\ *\ lwres_getipnodebyname('u
+.BI "struct hostent * lwres_getipnodebyname(const\ char\ *" "name" ", int\ " "af" ", int\ " "flags" ", int\ *" "error_num" ");"
+.HP \w'struct\ hostent\ *\ lwres_getipnodebyaddr('u
+.BI "struct hostent * lwres_getipnodebyaddr(const\ void\ *" "src" ", size_t\ " "len" ", int\ " "af" ", int\ *" "error_num" ");"
+.HP \w'void\ lwres_freehostent('u
+.BI "void lwres_freehostent(struct\ hostent\ *" "he" ");"
+.SH "DESCRIPTION"
+.PP
+These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553\&.
+.PP
+They use a
+\fBstruct hostent\fR
+which is defined in
+namedb\&.h:
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The members of this structure are:
+.PP
+\fBh_name\fR
+.RS 4
+The official (canonical) name of the host\&.
+.RE
+.PP
+\fBh_aliases\fR
+.RS 4
+A NULL\-terminated array of alternate names (nicknames) for the host\&.
+.RE
+.PP
+\fBh_addrtype\fR
+.RS 4
+The type of address being returned \- usually
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR\&.
+.RE
+.PP
+\fBh_length\fR
+.RS 4
+The length of the address in bytes\&.
+.RE
+.PP
+\fBh_addr_list\fR
+.RS 4
+A
+\fBNULL\fR
+terminated array of network addresses for the host\&. Host addresses are returned in network byte order\&.
+.RE
+.PP
+\fBlwres_getipnodebyname()\fR
+looks up addresses of protocol family
+\fIaf\fR
+for the hostname
+\fIname\fR\&. The
+\fIflags\fR
+parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned\&. The flag bits are:
+.PP
+\fBAI_V4MAPPED\fR
+.RS 4
+This is used with an
+\fIaf\fR
+of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses\&.
+.RE
+.PP
+\fBAI_ALL\fR
+.RS 4
+This is used with an
+\fIaf\fR
+of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned\&. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses\&.
+.RE
+.PP
+\fBAI_ADDRCONFIG\fR
+.RS 4
+Only return an IPv6 or IPv4 address if here is an active network interface of that type\&. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored\&.
+.RE
+.PP
+\fBAI_DEFAULT\fR
+.RS 4
+This default sets the
+\fBAI_V4MAPPED\fR
+and
+\fBAI_ADDRCONFIG\fR
+flag bits\&.
+.RE
+.PP
+\fBlwres_getipnodebyaddr()\fR
+performs a reverse lookup of address
+\fIsrc\fR
+which is
+\fIlen\fR
+bytes long\&.
+\fIaf\fR
+denotes the protocol family, typically
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR\&.
+.PP
+\fBlwres_freehostent()\fR
+releases all the memory associated with the
+\fBstruct hostent\fR
+pointer
+\fIhe\fR\&. Any memory allocated for the
+\fBh_name\fR,
+\fBh_addr_list\fR
+and
+\fBh_aliases\fR
+is freed, as is the memory for the
+\fBhostent\fR
+structure itself\&.
+.SH "RETURN VALUES"
+.PP
+If an error occurs,
+\fBlwres_getipnodebyname()\fR
+and
+\fBlwres_getipnodebyaddr()\fR
+set
+\fI*error_num\fR
+to an appropriate error code and the function returns a
+\fBNULL\fR
+pointer\&. The error codes and their meanings are defined in
+<lwres/netdb\&.h>:
+.PP
+\fBHOST_NOT_FOUND\fR
+.RS 4
+No such host is known\&.
+.RE
+.PP
+\fBNO_ADDRESS\fR
+.RS 4
+The server recognised the request and the name but no address is available\&. Another type of request to the name server for the domain might return an answer\&.
+.RE
+.PP
+\fBTRY_AGAIN\fR
+.RS 4
+A temporary and possibly transient error occurred, such as a failure of a server to respond\&. The request may succeed if retried\&.
+.RE
+.PP
+\fBNO_RECOVERY\fR
+.RS 4
+An unexpected failure occurred, and retrying the request is pointless\&.
+.RE
+.PP
+\fBlwres_hstrerror\fR(3)
+translates these error codes to suitable error messages\&.
+.SH "SEE ALSO"
+.PP
+\fBRFC2553\fR(),
+\fBlwres\fR(3),
+\fBlwres_gethostent\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_hstrerror\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook
new file mode 100644
index 0000000..d9c92f0
--- /dev/null
+++ b/lib/lwres/man/lwres_getipnode.docbook
@@ -0,0 +1,323 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_getipnode</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_getipnodebyname</refname>
+    <refname>lwres_getipnodebyaddr</refname>
+    <refname>lwres_freehostent</refname>
+    <refpurpose>lightweight resolver nodename / address translation API</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_getipnodebyname</function></funcdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+        <paramdef>int *<parameter>error_num</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+struct hostent *
+<function>lwres_getipnodebyaddr</function></funcdef>
+        <paramdef>const void *<parameter>src</parameter></paramdef>
+        <paramdef>size_t <parameter>len</parameter></paramdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>int *<parameter>error_num</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_freehostent</function></funcdef>
+        <paramdef>struct hostent *<parameter>he</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para>
+      These functions perform thread safe, protocol independent
+      nodename-to-address and address-to-nodename
+      translation as defined in RFC2553.
+    </para>
+
+    <para>
+      They use a
+      <type>struct hostent</type>
+      which is defined in
+      <filename>namedb.h</filename>:
+    </para>
+    <para><programlisting>
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+</programlisting>
+    </para>
+
+    <para>
+      The members of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>h_name</constant></term>
+          <listitem>
+            <para>
+              The official (canonical) name of the host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_aliases</constant></term>
+          <listitem>
+            <para>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addrtype</constant></term>
+          <listitem>
+            <para>
+              The type of address being returned - usually
+              <type>PF_INET</type>
+              or
+              <type>PF_INET6</type>.
+
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_length</constant></term>
+          <listitem>
+            <para>
+              The length of the address in bytes.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>h_addr_list</constant></term>
+          <listitem>
+            <para>
+              A
+              <type>NULL</type>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para><function>lwres_getipnodebyname()</function>
+      looks up addresses of protocol family <parameter>af</parameter>
+      for the hostname <parameter>name</parameter>.  The
+      <parameter>flags</parameter> parameter contains ORed flag bits
+      to specify the types of addresses that are searched for, and the
+      types of addresses that are returned.  The flag bits are:
+
+      <variablelist>
+        <varlistentry>
+          <term><constant>AI_V4MAPPED</constant></term>
+          <listitem>
+            <para>
+              This is used with an
+              <parameter>af</parameter>
+              of AF_INET6, and causes IPv4 addresses to be returned as
+              IPv4-mapped
+              IPv6 addresses.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_ALL</constant></term>
+          <listitem>
+            <para>
+              This is used with an
+              <parameter>af</parameter>
+              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
+              be returned.
+              If AI_V4MAPPED is also set, the IPv4 addresses are return as
+              mapped
+              IPv6 addresses.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_ADDRCONFIG</constant></term>
+          <listitem>
+            <para>
+              Only return an IPv6 or IPv4 address if here is an active network
+              interface of that type.  This is not currently implemented
+              in the BIND 9 lightweight resolver, and the flag is ignored.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>AI_DEFAULT</constant></term>
+          <listitem>
+            <para>
+              This default sets the
+              <constant>AI_V4MAPPED</constant>
+              and
+              <constant>AI_ADDRCONFIG</constant>
+              flag bits.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para><function>lwres_getipnodebyaddr()</function>
+      performs a reverse lookup of address <parameter>src</parameter>
+      which is <parameter>len</parameter> bytes long.
+      <parameter>af</parameter> denotes the protocol family, typically
+      <type>PF_INET</type> or <type>PF_INET6</type>.
+    </para>
+    <para><function>lwres_freehostent()</function>
+      releases all the memory associated with the <type>struct
+      hostent</type> pointer <parameter>he</parameter>.  Any memory
+      allocated for the <constant>h_name</constant>,
+      <constant>h_addr_list</constant> and
+      <constant>h_aliases</constant> is freed, as is the memory for
+      the <type>hostent</type> structure itself.
+    </para>
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      If an error occurs,
+      <function>lwres_getipnodebyname()</function>
+      and
+      <function>lwres_getipnodebyaddr()</function>
+      set
+      <parameter>*error_num</parameter>
+      to an appropriate error code and the function returns a
+      <type>NULL</type>
+      pointer.
+      The error codes and their meanings are defined in
+      <filename>&lt;lwres/netdb.h&gt;</filename>:
+      <variablelist>
+        <varlistentry>
+          <term><constant>HOST_NOT_FOUND</constant></term>
+          <listitem>
+            <para>
+              No such host is known.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_ADDRESS</constant></term>
+          <listitem>
+            <para>
+              The server recognised the request and the name but no address is
+              available.  Another type of request to the name server for the
+              domain might return an answer.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>TRY_AGAIN</constant></term>
+          <listitem>
+            <para>
+              A temporary and possibly transient error occurred, such as a
+              failure of a server to respond.  The request may succeed if
+              retried.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NO_RECOVERY</constant></term>
+          <listitem>
+            <para>
+              An unexpected failure occurred, and retrying the request
+              is pointless.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para><citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      translates these error codes to suitable error messages.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>RFC2553</refentrytitle>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
new file mode 100644
index 0000000..49e2c14
--- /dev/null
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -0,0 +1,316 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_getipnode</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_getipnodebyname, 
+    lwres_getipnodebyaddr, 
+    lwres_freehostent
+     &#8212; lightweight resolver nodename / address translation API
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
+<td>const char *<var class="pdparam">name</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">af</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">flags</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">error_num</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+struct hostent *
+<b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
+<td>const void *<var class="pdparam">src</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">len</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">af</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int *<var class="pdparam">error_num</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_freehostent</b>(</code></td>
+<td>struct hostent *<var class="pdparam">he</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p>
+      These functions perform thread safe, protocol independent
+      nodename-to-address and address-to-nodename
+      translation as defined in RFC2553.
+    </p>
+
+    <p>
+      They use a
+      <span class="type">struct hostent</span>
+      which is defined in
+      <code class="filename">namedb.h</code>:
+    </p>
+    <pre class="programlisting">
+struct  hostent {
+        char    *h_name;        /* official name of host */
+        char    **h_aliases;    /* alias list */
+        int     h_addrtype;     /* host address type */
+        int     h_length;       /* length of address */
+        char    **h_addr_list;  /* list of addresses from name server */
+};
+#define h_addr  h_addr_list[0]  /* address, for backward compatibility */
+</pre>
+<p>
+    </p>
+
+    <p>
+      The members of this structure are:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">h_name</code></span></dt>
+<dd>
+            <p>
+              The official (canonical) name of the host.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
+<dd>
+            <p>
+              A NULL-terminated array of alternate names (nicknames) for the
+              host.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
+<dd>
+            <p>
+              The type of address being returned - usually
+              <span class="type">PF_INET</span>
+              or
+              <span class="type">PF_INET6</span>.
+
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_length</code></span></dt>
+<dd>
+            <p>
+              The length of the address in bytes.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
+<dd>
+            <p>
+              A
+              <span class="type">NULL</span>
+              terminated array of network addresses for the host.
+              Host addresses are returned in network byte order.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+
+    <p><code class="function">lwres_getipnodebyname()</code>
+      looks up addresses of protocol family <em class="parameter"><code>af</code></em>
+      for the hostname <em class="parameter"><code>name</code></em>.  The
+      <em class="parameter"><code>flags</code></em> parameter contains ORed flag bits
+      to specify the types of addresses that are searched for, and the
+      types of addresses that are returned.  The flag bits are:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
+<dd>
+            <p>
+              This is used with an
+              <em class="parameter"><code>af</code></em>
+              of AF_INET6, and causes IPv4 addresses to be returned as
+              IPv4-mapped
+              IPv6 addresses.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
+<dd>
+            <p>
+              This is used with an
+              <em class="parameter"><code>af</code></em>
+              of AF_INET6, and causes all known addresses (IPv6 and IPv4) to
+              be returned.
+              If AI_V4MAPPED is also set, the IPv4 addresses are return as
+              mapped
+              IPv6 addresses.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
+<dd>
+            <p>
+              Only return an IPv6 or IPv4 address if here is an active network
+              interface of that type.  This is not currently implemented
+              in the BIND 9 lightweight resolver, and the flag is ignored.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
+<dd>
+            <p>
+              This default sets the
+              <code class="constant">AI_V4MAPPED</code>
+              and
+              <code class="constant">AI_ADDRCONFIG</code>
+              flag bits.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+
+    <p><code class="function">lwres_getipnodebyaddr()</code>
+      performs a reverse lookup of address <em class="parameter"><code>src</code></em>
+      which is <em class="parameter"><code>len</code></em> bytes long.
+      <em class="parameter"><code>af</code></em> denotes the protocol family, typically
+      <span class="type">PF_INET</span> or <span class="type">PF_INET6</span>.
+    </p>
+    <p><code class="function">lwres_freehostent()</code>
+      releases all the memory associated with the <span class="type">struct
+      hostent</span> pointer <em class="parameter"><code>he</code></em>.  Any memory
+      allocated for the <code class="constant">h_name</code>,
+      <code class="constant">h_addr_list</code> and
+      <code class="constant">h_aliases</code> is freed, as is the memory for
+      the <span class="type">hostent</span> structure itself.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      If an error occurs,
+      <code class="function">lwres_getipnodebyname()</code>
+      and
+      <code class="function">lwres_getipnodebyaddr()</code>
+      set
+      <em class="parameter"><code>*error_num</code></em>
+      to an appropriate error code and the function returns a
+      <span class="type">NULL</span>
+      pointer.
+      The error codes and their meanings are defined in
+      <code class="filename">&lt;lwres/netdb.h&gt;</code>:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
+<dd>
+            <p>
+              No such host is known.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
+<dd>
+            <p>
+              The server recognised the request and the name but no address is
+              available.  Another type of request to the name server for the
+              domain might return an answer.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
+<dd>
+            <p>
+              A temporary and possibly transient error occurred, such as a
+              failure of a server to respond.  The request may succeed if
+              retried.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
+<dd>
+            <p>
+              An unexpected failure occurred, and retrying the request
+              is pointless.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_hstrerror</span>(3)
+      </span>
+      translates these error codes to suitable error messages.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">RFC2553</span>
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gethostent</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getaddrinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getnameinfo</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_hstrerror</span>(3)
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3
new file mode 100644
index 0000000..075a3ec
--- /dev/null
+++ b/lib/lwres/man/lwres_getnameinfo.3
@@ -0,0 +1,127 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_getnameinfo
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GETNAMEINFO" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'int\ lwres_getnameinfo('u
+.BI "int lwres_getnameinfo(const\ struct\ sockaddr\ *" "sa" ", size_t\ " "salen" ", char\ *" "host" ", size_t\ " "hostlen" ", char\ *" "serv" ", size_t\ " "servlen" ", int\ " "flags" ");"
+.SH "DESCRIPTION"
+.PP
+This function is equivalent to the
+\fBgetnameinfo\fR(3)
+function defined in RFC2133\&.
+\fBlwres_getnameinfo()\fR
+returns the hostname for the
+\fBstruct sockaddr\fR\fIsa\fR
+which is
+\fIsalen\fR
+bytes long\&. The hostname is of length
+\fIhostlen\fR
+and is returned via
+\fI*host\&.\fR
+The maximum length of the hostname is 1025 bytes:
+\fBNI_MAXHOST\fR\&.
+.PP
+The name of the service associated with the port number in
+\fIsa\fR
+is returned in
+\fI*serv\&.\fR
+It is
+\fIservlen\fR
+bytes long\&. The maximum length of the service name is
+\fBNI_MAXSERV\fR
+\- 32 bytes\&.
+.PP
+The
+\fIflags\fR
+argument sets the following bits:
+.PP
+\fBNI_NOFQDN\fR
+.RS 4
+A fully qualified domain name is not required for local hosts\&. The local part of the fully qualified domain name is returned instead\&.
+.RE
+.PP
+\fBNI_NUMERICHOST\fR
+.RS 4
+Return the address in numeric form, as if calling inet_ntop(), instead of a host name\&.
+.RE
+.PP
+\fBNI_NAMEREQD\fR
+.RS 4
+A name is required\&. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned\&. If the hostname is not found and the flag is not set, the address is returned in numeric form\&.
+.RE
+.PP
+\fBNI_NUMERICSERV\fR
+.RS 4
+The service name is returned as a digit string representing the port number\&.
+.RE
+.PP
+\fBNI_DGRAM\fR
+.RS 4
+Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp"\&. This is required for the few ports (512\-514) that have different services for UDP and TCP\&.
+.RE
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getnameinfo()\fR
+returns 0 on success or a non\-zero error code if an error occurs\&.
+.SH "SEE ALSO"
+.PP
+\fBRFC2133\fR(),
+\fBgetservbyport\fR(3),
+\fBlwres\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_getnamebyaddr\fR(3)\&.
+\fBlwres_net_ntop\fR(3)\&.
+.SH "BUGS"
+.PP
+RFC2133 fails to define what the nonzero return values of
+\fBgetnameinfo\fR(3)
+are\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook
new file mode 100644
index 0000000..d741113
--- /dev/null
+++ b/lib/lwres/man/lwres_getnameinfo.docbook
@@ -0,0 +1,197 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_getnameinfo</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_getnameinfo</refname>
+    <refpurpose>lightweight resolver socket address structure to hostname and
+      service name
+    </refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+int
+<function>lwres_getnameinfo</function></funcdef>
+        <paramdef>const struct sockaddr *<parameter>sa</parameter></paramdef>
+        <paramdef>size_t <parameter>salen</parameter></paramdef>
+        <paramdef>char *<parameter>host</parameter></paramdef>
+        <paramdef>size_t <parameter>hostlen</parameter></paramdef>
+        <paramdef>char *<parameter>serv</parameter></paramdef>
+        <paramdef>size_t <parameter>servlen</parameter></paramdef>
+        <paramdef>int <parameter>flags</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para>
+       This function is equivalent to the
+      <citerefentry>
+        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry> function defined in RFC2133.
+      <function>lwres_getnameinfo()</function> returns the
+      hostname for the
+      <type>struct sockaddr</type> <parameter>sa</parameter> which
+      is
+      <parameter>salen</parameter> bytes long.  The hostname is of
+      length
+      <parameter>hostlen</parameter> and is returned via
+      <parameter>*host.</parameter> The maximum length of the
+      hostname is
+      1025 bytes: <constant>NI_MAXHOST</constant>.
+    </para>
+
+    <para> The name of the service associated with the port number in
+      <parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
+      It is <parameter>servlen</parameter> bytes long.  The
+      maximum length
+      of the service name is <constant>NI_MAXSERV</constant> - 32
+      bytes.
+    </para>
+
+    <para>
+       The <parameter>flags</parameter> argument sets the
+      following
+      bits:
+      <variablelist>
+        <varlistentry>
+          <term><constant>NI_NOFQDN</constant></term>
+          <listitem>
+            <para>
+              A fully qualified domain name is not required for local hosts.
+              The local part of the fully qualified domain name is returned
+              instead.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NUMERICHOST</constant></term>
+          <listitem>
+            <para>
+              Return the address in numeric form, as if calling inet_ntop(),
+              instead of a host name.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NAMEREQD</constant></term>
+          <listitem>
+            <para>
+              A name is required. If the hostname cannot be found in the DNS
+              and
+              this flag is set, a non-zero error code is returned.
+              If the hostname is not found and the flag is not set, the
+              address is returned in numeric form.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_NUMERICSERV</constant></term>
+          <listitem>
+            <para>
+              The service name is returned as a digit string representing the
+              port number.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>NI_DGRAM</constant></term>
+          <listitem>
+            <para>
+              Specifies that the service being looked up is a datagram
+              service,  and causes getservbyport() to be called with a second
+              argument of "udp" instead of its default of "tcp".  This is
+              required
+              for the few ports (512-514) that have different services for UDP
+              and
+              TCP.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><function>lwres_getnameinfo()</function>
+      returns 0 on success or a non-zero error code if an error occurs.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>RFC2133</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+      <citerefentry>
+        <refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+  <refsection><info><title>BUGS</title></info>
+
+    <para>
+      RFC2133 fails to define what the nonzero return values of
+      <citerefentry>
+        <refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      are.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
new file mode 100644
index 0000000..03eb4a6
--- /dev/null
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -0,0 +1,199 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_getnameinfo</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_getnameinfo
+     &#8212; lightweight resolver socket address structure to hostname and
+      service name
+    
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+int
+<b class="fsfunc">lwres_getnameinfo</b>(</code></td>
+<td>const struct sockaddr *<var class="pdparam">sa</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">salen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">host</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">hostlen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">serv</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">servlen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>int <var class="pdparam">flags</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p>
+       This function is equivalent to the
+      <span class="citerefentry">
+        <span class="refentrytitle">getnameinfo</span>(3)
+      </span> function defined in RFC2133.
+      <code class="function">lwres_getnameinfo()</code> returns the
+      hostname for the
+      <span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which
+      is
+      <em class="parameter"><code>salen</code></em> bytes long.  The hostname is of
+      length
+      <em class="parameter"><code>hostlen</code></em> and is returned via
+      <em class="parameter"><code>*host.</code></em> The maximum length of the
+      hostname is
+      1025 bytes: <code class="constant">NI_MAXHOST</code>.
+    </p>
+
+    <p> The name of the service associated with the port number in
+      <em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
+      It is <em class="parameter"><code>servlen</code></em> bytes long.  The
+      maximum length
+      of the service name is <code class="constant">NI_MAXSERV</code> - 32
+      bytes.
+    </p>
+
+    <p>
+       The <em class="parameter"><code>flags</code></em> argument sets the
+      following
+      bits:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
+<dd>
+            <p>
+              A fully qualified domain name is not required for local hosts.
+              The local part of the fully qualified domain name is returned
+              instead.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
+<dd>
+            <p>
+              Return the address in numeric form, as if calling inet_ntop(),
+              instead of a host name.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
+<dd>
+            <p>
+              A name is required. If the hostname cannot be found in the DNS
+              and
+              this flag is set, a non-zero error code is returned.
+              If the hostname is not found and the flag is not set, the
+              address is returned in numeric form.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
+<dd>
+            <p>
+              The service name is returned as a digit string representing the
+              port number.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
+<dd>
+            <p>
+              Specifies that the service being looked up is a datagram
+              service,  and causes getservbyport() to be called with a second
+              argument of "udp" instead of its default of "tcp".  This is
+              required
+              for the few ports (512-514) that have different services for UDP
+              and
+              TCP.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p><code class="function">lwres_getnameinfo()</code>
+      returns 0 on success or a non-zero error code if an error occurs.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">RFC2133</span>
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">getservbyport</span>(3)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres</span>(3)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getnameinfo</span>(3)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_getnamebyaddr</span>(3)
+      </span>.
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_net_ntop</span>(3)
+      </span>.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.10"></a><h2>BUGS</h2>
+
+    <p>
+      RFC2133 fails to define what the nonzero return values of
+      <span class="citerefentry">
+        <span class="refentrytitle">getnameinfo</span>(3)
+      </span>
+      are.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3
new file mode 100644
index 0000000..d567023
--- /dev/null
+++ b/lib/lwres/man/lwres_getrrsetbyname.3
@@ -0,0 +1,170 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_getrrsetbyname
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GETRRSETBYNAME" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'int\ lwres_getrrsetbyname('u
+.BI "int lwres_getrrsetbyname(const\ char\ *" "hostname" ", unsigned\ int\ " "rdclass" ", unsigned\ int\ " "rdtype" ", unsigned\ int\ " "flags" ", struct\ rrsetinfo\ **" "res" ");"
+.HP \w'void\ lwres_freerrset('u
+.BI "void lwres_freerrset(struct\ rrsetinfo\ *" "rrset" ");"
+.PP
+The following structures are used:
+.PP
+.nf
+struct  rdatainfo {
+        unsigned int            rdi_length;     /* length of data */
+        unsigned char           *rdi_data;      /* record data */
+};
+.fi
+.PP
+.nf
+struct  rrsetinfo {
+        unsigned int            rri_flags;      /* RRSET_VALIDATED\&.\&.\&. */
+        unsigned int            rri_rdclass;    /* class number */
+        unsigned int            rri_rdtype;     /* RR type number */
+        unsigned int            rri_ttl;        /* time to live */
+        unsigned int            rri_nrdatas;    /* size of rdatas array */
+        unsigned int            rri_nsigs;      /* size of sigs array */
+        char                    *rri_name;      /* canonical name */
+        struct rdatainfo        *rri_rdatas;    /* individual records */
+        struct rdatainfo        *rri_sigs;      /* individual signatures */
+};
+.fi
+.sp
+.SH "DESCRIPTION"
+.PP
+\fBlwres_getrrsetbyname()\fR
+gets a set of resource records associated with a
+\fIhostname\fR,
+\fIclass\fR, and
+\fItype\fR\&.
+\fIhostname\fR
+is a pointer a to null\-terminated string\&. The
+\fIflags\fR
+field is currently unused and must be zero\&.
+.PP
+After a successful call to
+\fBlwres_getrrsetbyname()\fR,
+\fI*res\fR
+is a pointer to an
+\fBrrsetinfo\fR
+structure, containing a list of one or more
+\fBrdatainfo\fR
+structures containing resource records and potentially another list of
+\fBrdatainfo\fR
+structures containing SIG resource records associated with those records\&. The members
+\fBrri_rdclass\fR
+and
+\fBrri_rdtype\fR
+are copied from the parameters\&.
+\fBrri_ttl\fR
+and
+\fBrri_name\fR
+are properties of the obtained rrset\&. The resource records contained in
+\fBrri_rdatas\fR
+and
+\fBrri_sigs\fR
+are in uncompressed DNS wire format\&. Properties of the rdataset are represented in the
+\fBrri_flags\fR
+bitfield\&. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified\&.
+.PP
+All of the information returned by
+\fBlwres_getrrsetbyname()\fR
+is dynamically allocated: the
+\fBrrsetinfo\fR
+and
+\fBrdatainfo\fR
+structures, and the canonical host name strings pointed to by the
+\fBrrsetinfo\fRstructure\&. Memory allocated for the dynamically allocated structures created by a successful call to
+\fBlwres_getrrsetbyname()\fR
+is released by
+\fBlwres_freerrset()\fR\&.
+\fIrrset\fR
+is a pointer to a
+\fBstruct rrset\fR
+created by a call to
+\fBlwres_getrrsetbyname()\fR\&.
+.PP
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getrrsetbyname()\fR
+returns zero on success, and one of the following error codes if an error occurred:
+.PP
+\fBERRSET_NONAME\fR
+.RS 4
+the name does not exist
+.RE
+.PP
+\fBERRSET_NODATA\fR
+.RS 4
+the name exists, but does not have data of the desired type
+.RE
+.PP
+\fBERRSET_NOMEMORY\fR
+.RS 4
+memory could not be allocated
+.RE
+.PP
+\fBERRSET_INVAL\fR
+.RS 4
+a parameter is invalid
+.RE
+.PP
+\fBERRSET_FAIL\fR
+.RS 4
+other failure
+.RE
+.PP
+.RS 4
+.RE
+.SH "SEE ALSO"
+.PP
+\fBlwres\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook
new file mode 100644
index 0000000..97f75f5
--- /dev/null
+++ b/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -0,0 +1,215 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_getrrsetbyname</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_getrrsetbyname</refname>
+    <refname>lwres_freerrset</refname>
+    <refpurpose>retrieve DNS records</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+int
+<function>lwres_getrrsetbyname</function></funcdef>
+        <paramdef>const char *<parameter>hostname</parameter></paramdef>
+        <paramdef>unsigned int <parameter>rdclass</parameter></paramdef>
+        <paramdef>unsigned int <parameter>rdtype</parameter></paramdef>
+        <paramdef>unsigned int <parameter>flags</parameter></paramdef>
+        <paramdef>struct rrsetinfo **<parameter>res</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_freerrset</function></funcdef>
+        <paramdef>struct rrsetinfo *<parameter>rrset</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+
+    <para>
+      The following structures are used:
+    </para>
+    <para><programlisting>
+struct  rdatainfo {
+        unsigned int            rdi_length;     /* length of data */
+        unsigned char           *rdi_data;      /* record data */
+};
+</programlisting>
+    </para>
+    <para><programlisting>
+struct  rrsetinfo {
+        unsigned int            rri_flags;      /* RRSET_VALIDATED... */
+        unsigned int            rri_rdclass;    /* class number */
+        unsigned int            rri_rdtype;     /* RR type number */
+        unsigned int            rri_ttl;        /* time to live */
+        unsigned int            rri_nrdatas;    /* size of rdatas array */
+        unsigned int            rri_nsigs;      /* size of sigs array */
+        char                    *rri_name;      /* canonical name */
+        struct rdatainfo        *rri_rdatas;    /* individual records */
+        struct rdatainfo        *rri_sigs;      /* individual signatures */
+};
+</programlisting>
+    </para>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><function>lwres_getrrsetbyname()</function>
+      gets a set of resource records associated with a
+      <parameter>hostname</parameter>, <parameter>class</parameter>,
+      and <parameter>type</parameter>.
+      <parameter>hostname</parameter> is a pointer a to
+      null-terminated string.  The <parameter>flags</parameter> field
+      is currently unused and must be zero.
+    </para>
+    <para>
+      After a successful call to
+      <function>lwres_getrrsetbyname()</function>,
+      <parameter>*res</parameter> is a pointer to an
+      <type>rrsetinfo</type> structure, containing a list of one or
+      more <type>rdatainfo</type> structures containing resource
+      records and potentially another list of <type>rdatainfo</type>
+      structures containing SIG resource records associated with those
+      records.  The members <constant>rri_rdclass</constant> and
+      <constant>rri_rdtype</constant> are copied from the parameters.
+      <constant>rri_ttl</constant> and <constant>rri_name</constant>
+      are properties of the obtained rrset.  The resource records
+      contained in <constant>rri_rdatas</constant> and
+      <constant>rri_sigs</constant> are in uncompressed DNS wire
+      format.  Properties of the rdataset are represented in the
+      <constant>rri_flags</constant> bitfield.  If the RRSET_VALIDATED
+      bit is set, the data has been DNSSEC validated and the
+      signatures verified.
+    </para>
+    <para>
+      All of the information returned by
+      <function>lwres_getrrsetbyname()</function> is dynamically
+      allocated: the <constant>rrsetinfo</constant> and
+      <constant>rdatainfo</constant> structures, and the canonical
+      host name strings pointed to by the
+      <constant>rrsetinfo</constant>structure.
+
+      Memory allocated for the dynamically allocated structures
+      created by a successful call to
+      <function>lwres_getrrsetbyname()</function> is released by
+      <function>lwres_freerrset()</function>.
+
+      <parameter>rrset</parameter> is a pointer to a <type>struct
+      rrset</type> created by a call to
+      <function>lwres_getrrsetbyname()</function>.
+    </para>
+    <para/>
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para><function>lwres_getrrsetbyname()</function>
+      returns zero on success, and one of the following error codes if
+      an error occurred:
+      <variablelist>
+
+        <varlistentry>
+          <term><constant>ERRSET_NONAME</constant></term>
+          <listitem>
+            <para>
+              the name does not exist
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_NODATA</constant></term>
+          <listitem>
+            <para>
+              the name exists, but does not have data of the desired type
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_NOMEMORY</constant></term>
+          <listitem>
+            <para>
+              memory could not be allocated
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_INVAL</constant></term>
+          <listitem>
+            <para>
+              a parameter is invalid
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant>ERRSET_FAIL</constant></term>
+          <listitem>
+            <para>
+              other failure
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><constant/></term>
+          <listitem>
+            <para/>
+          </listitem>
+        </varlistentry>
+
+      </variablelist>
+
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
new file mode 100644
index 0000000..0e83121
--- /dev/null
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -0,0 +1,204 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_getrrsetbyname</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_getrrsetbyname, 
+    lwres_freerrset
+     &#8212; retrieve DNS records
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+int
+<b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
+<td>const char *<var class="pdparam">hostname</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">rdclass</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">rdtype</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>unsigned int <var class="pdparam">flags</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>struct rrsetinfo **<var class="pdparam">res</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_freerrset</b>(</code></td>
+<td>struct rrsetinfo *<var class="pdparam">rrset</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+
+    <p>
+      The following structures are used:
+    </p>
+    <pre class="programlisting">
+struct  rdatainfo {
+        unsigned int            rdi_length;     /* length of data */
+        unsigned char           *rdi_data;      /* record data */
+};
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+struct  rrsetinfo {
+        unsigned int            rri_flags;      /* RRSET_VALIDATED... */
+        unsigned int            rri_rdclass;    /* class number */
+        unsigned int            rri_rdtype;     /* RR type number */
+        unsigned int            rri_ttl;        /* time to live */
+        unsigned int            rri_nrdatas;    /* size of rdatas array */
+        unsigned int            rri_nsigs;      /* size of sigs array */
+        char                    *rri_name;      /* canonical name */
+        struct rdatainfo        *rri_rdatas;    /* individual records */
+        struct rdatainfo        *rri_sigs;      /* individual signatures */
+};
+</pre>
+<p>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><code class="function">lwres_getrrsetbyname()</code>
+      gets a set of resource records associated with a
+      <em class="parameter"><code>hostname</code></em>, <em class="parameter"><code>class</code></em>,
+      and <em class="parameter"><code>type</code></em>.
+      <em class="parameter"><code>hostname</code></em> is a pointer a to
+      null-terminated string.  The <em class="parameter"><code>flags</code></em> field
+      is currently unused and must be zero.
+    </p>
+    <p>
+      After a successful call to
+      <code class="function">lwres_getrrsetbyname()</code>,
+      <em class="parameter"><code>*res</code></em> is a pointer to an
+      <span class="type">rrsetinfo</span> structure, containing a list of one or
+      more <span class="type">rdatainfo</span> structures containing resource
+      records and potentially another list of <span class="type">rdatainfo</span>
+      structures containing SIG resource records associated with those
+      records.  The members <code class="constant">rri_rdclass</code> and
+      <code class="constant">rri_rdtype</code> are copied from the parameters.
+      <code class="constant">rri_ttl</code> and <code class="constant">rri_name</code>
+      are properties of the obtained rrset.  The resource records
+      contained in <code class="constant">rri_rdatas</code> and
+      <code class="constant">rri_sigs</code> are in uncompressed DNS wire
+      format.  Properties of the rdataset are represented in the
+      <code class="constant">rri_flags</code> bitfield.  If the RRSET_VALIDATED
+      bit is set, the data has been DNSSEC validated and the
+      signatures verified.
+    </p>
+    <p>
+      All of the information returned by
+      <code class="function">lwres_getrrsetbyname()</code> is dynamically
+      allocated: the <code class="constant">rrsetinfo</code> and
+      <code class="constant">rdatainfo</code> structures, and the canonical
+      host name strings pointed to by the
+      <code class="constant">rrsetinfo</code>structure.
+
+      Memory allocated for the dynamically allocated structures
+      created by a successful call to
+      <code class="function">lwres_getrrsetbyname()</code> is released by
+      <code class="function">lwres_freerrset()</code>.
+
+      <em class="parameter"><code>rrset</code></em> is a pointer to a <span class="type">struct
+      rrset</span> created by a call to
+      <code class="function">lwres_getrrsetbyname()</code>.
+    </p>
+    <p></p>
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p><code class="function">lwres_getrrsetbyname()</code>
+      returns zero on success, and one of the following error codes if
+      an error occurred:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
+<dd>
+            <p>
+              the name does not exist
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
+<dd>
+            <p>
+              the name exists, but does not have data of the desired type
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
+<dd>
+            <p>
+              memory could not be allocated
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
+<dd>
+            <p>
+              a parameter is invalid
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
+<dd>
+            <p>
+              other failure
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant"></code></span></dt>
+<dd>
+            <p></p>
+          </dd>
+</dl></div>
+<p>
+
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres</span>(3)
+      </span>.
+    </p>
+
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3
new file mode 100644
index 0000000..7e43c0a
--- /dev/null
+++ b/lib/lwres/man/lwres_gnba.3
@@ -0,0 +1,202 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_gnba
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_GNBA" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_gnbarequest_render('u
+.BI "lwres_result_t lwres_gnbarequest_render(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_gnbaresponse_render('u
+.BI "lwres_result_t lwres_gnbaresponse_render(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_gnbarequest_parse('u
+.BI "lwres_result_t lwres_gnbarequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbarequest_t\ **" "structp" ");"
+.HP \w'lwres_result_t\ lwres_gnbaresponse_parse('u
+.BI "lwres_result_t lwres_gnbaresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_gnbaresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_gnbaresponse_free('u
+.BI "void lwres_gnbaresponse_free(lwres_context_t\ *" "ctx" ", lwres_gnbaresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_gnbarequest_free('u
+.BI "void lwres_gnbarequest_free(lwres_context_t\ *" "ctx" ", lwres_gnbarequest_t\ **" "structp" ");"
+.SH "DESCRIPTION"
+.PP
+These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages\&.
+.PP
+There are four main functions for the getnamebyaddr opcode\&. One render function converts a getnamebyaddr request structure \(em
+\fBlwres_gnbarequest_t\fR
+\(em to the lightweight resolver\*(Aqs canonical format\&. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure\&. Another render function converts the getnamebyaddr response structure \(em
+\fBlwres_gnbaresponse_t\fR
+to the canonical format\&. This is complemented by a parse function which converts a packet in canonical format to a getnamebyaddr response structure\&.
+.PP
+These structures are defined in
+lwres/lwres\&.h\&. They are shown below\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint32_t  flags;
+        lwres_addr_t    addr;
+} lwres_gnbarequest_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint32_t  flags;
+        uint16_t  naliases;
+        char           *realname;
+        char          **aliases;
+        uint16_t  realnamelen;
+        uint16_t *aliaslen;
+        void           *base;
+        size_t          baselen;
+} lwres_gnbaresponse_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+\fBlwres_gnbarequest_render()\fR
+uses resolver context
+\fIctx\fR
+to convert getnamebyaddr request structure
+\fIreq\fR
+to canonical format\&. The packet header structure
+\fIpkt\fR
+is initialised and transferred to buffer
+\fIb\fR\&. The contents of
+\fI*req\fR
+are then appended to the buffer in canonical format\&.
+\fBlwres_gnbaresponse_render()\fR
+performs the same task, except it converts a getnamebyaddr response structure
+\fBlwres_gnbaresponse_t\fR
+to the lightweight resolver\*(Aqs canonical format\&.
+.PP
+\fBlwres_gnbarequest_parse()\fR
+uses context
+\fIctx\fR
+to convert the contents of packet
+\fIpkt\fR
+to a
+\fBlwres_gnbarequest_t\fR
+structure\&. Buffer
+\fIb\fR
+provides space to be used for storing this structure\&. When the function succeeds, the resulting
+\fBlwres_gnbarequest_t\fR
+is made available through
+\fI*structp\fR\&.
+\fBlwres_gnbaresponse_parse()\fR
+offers the same semantics as
+\fBlwres_gnbarequest_parse()\fR
+except it yields a
+\fBlwres_gnbaresponse_t\fR
+structure\&.
+.PP
+\fBlwres_gnbaresponse_free()\fR
+and
+\fBlwres_gnbarequest_free()\fR
+release the memory in resolver context
+\fIctx\fR
+that was allocated to the
+\fBlwres_gnbaresponse_t\fR
+or
+\fBlwres_gnbarequest_t\fR
+structures referenced via
+\fIstructp\fR\&. Any memory associated with ancillary buffers and strings for those structures is also discarded\&.
+.SH "RETURN VALUES"
+.PP
+The getnamebyaddr opcode functions
+\fBlwres_gnbarequest_render()\fR,
+\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR
+and
+\fBlwres_gnbaresponse_parse()\fR
+all return
+\fBLWRES_R_SUCCESS\fR
+on success\&. They return
+\fBLWRES_R_NOMEMORY\fR
+if memory allocation fails\&.
+\fBLWRES_R_UNEXPECTEDEND\fR
+is returned if the available space in the buffer
+\fIb\fR
+is too small to accommodate the packet header or the
+\fBlwres_gnbarequest_t\fR
+and
+\fBlwres_gnbaresponse_t\fR
+structures\&.
+\fBlwres_gnbarequest_parse()\fR
+and
+\fBlwres_gnbaresponse_parse()\fR
+will return
+\fBLWRES_R_UNEXPECTEDEND\fR
+if the buffer is not empty after decoding the received packet\&. These functions will return
+\fBLWRES_R_FAILURE\fR
+if
+\fIpktflags\fR
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook
new file mode 100644
index 0000000..72e5a1c
--- /dev/null
+++ b/lib/lwres/man/lwres_gnba.docbook
@@ -0,0 +1,255 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_gnba</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_gnbarequest_render</refname>
+    <refname>lwres_gnbaresponse_render</refname>
+    <refname>lwres_gnbarequest_parse</refname>
+    <refname>lwres_gnbaresponse_parse</refname>
+    <refname>lwres_gnbaresponse_free</refname>
+    <refname>lwres_gnbarequest_free</refname>
+    <refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+
+    <funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwres.h&gt;
+</funcsynopsisinfo>
+
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gnbarequest_render</function>
+</funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gnbaresponse_render</function>
+</funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gnbarequest_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_gnbaresponse_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_gnbaresponse_free</function>
+</funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_gnbarequest_free</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_gnbarequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver address-to-name lookup request and
+      response messages.
+    </para>
+    <para>
+      There are four main functions for the getnamebyaddr opcode.
+      One render function converts a getnamebyaddr request structure &mdash;
+      <type>lwres_gnbarequest_t</type> &mdash;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getnamebyaddr request structure.
+      Another render function converts the getnamebyaddr response structure
+      &mdash;
+      <type>lwres_gnbaresponse_t</type>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getnamebyaddr response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>lwres/lwres.h</filename>.
+      They are shown below.
+    </para>
+    <para><programlisting>
+#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint32_t  flags;
+        lwres_addr_t    addr;
+} lwres_gnbarequest_t;
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint32_t  flags;
+        uint16_t  naliases;
+        char           *realname;
+        char          **aliases;
+        uint16_t  realnamelen;
+        uint16_t *aliaslen;
+        void           *base;
+        size_t          baselen;
+} lwres_gnbaresponse_t;
+</programlisting>
+    </para>
+
+    <para><function>lwres_gnbarequest_render()</function>
+      uses resolver context <varname>ctx</varname> to convert
+      getnamebyaddr request structure <varname>req</varname> to
+      canonical format.  The packet header structure
+      <varname>pkt</varname> is initialised and transferred to buffer
+      <varname>b</varname>.  The contents of <varname>*req</varname>
+      are then appended to the buffer in canonical format.
+      <function>lwres_gnbaresponse_render()</function> performs the
+      same task, except it converts a getnamebyaddr response structure
+      <type>lwres_gnbaresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
+
+    <para><function>lwres_gnbarequest_parse()</function>
+      uses context <varname>ctx</varname> to convert the contents of
+      packet <varname>pkt</varname> to a
+      <type>lwres_gnbarequest_t</type> structure.  Buffer
+      <varname>b</varname> provides space to be used for storing this
+      structure.  When the function succeeds, the resulting
+      <type>lwres_gnbarequest_t</type> is made available through
+      <varname>*structp</varname>.
+      <function>lwres_gnbaresponse_parse()</function> offers the same
+      semantics as <function>lwres_gnbarequest_parse()</function>
+      except it yields a <type>lwres_gnbaresponse_t</type> structure.
+    </para>
+
+    <para><function>lwres_gnbaresponse_free()</function>
+      and <function>lwres_gnbarequest_free()</function> release the
+      memory in resolver context <varname>ctx</varname> that was
+      allocated to the <type>lwres_gnbaresponse_t</type> or
+      <type>lwres_gnbarequest_t</type> structures referenced via
+      <varname>structp</varname>.  Any memory associated with
+      ancillary buffers and strings for those structures is also
+      discarded.
+    </para>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      The getnamebyaddr opcode functions
+      <function>lwres_gnbarequest_render()</function>,
+      <function>lwres_gnbaresponse_render()</function>
+      <function>lwres_gnbarequest_parse()</function>
+      and
+      <function>lwres_gnbaresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <varname>b</varname>
+      is too small to accommodate the packet header or the
+      <type>lwres_gnbarequest_t</type>
+      and
+      <type>lwres_gnbaresponse_t</type>
+      structures.
+      <function>lwres_gnbarequest_parse()</function>
+      and
+      <function>lwres_gnbaresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <varname remap="structfield">pktflags</varname>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
new file mode 100644
index 0000000..b44e5ed
--- /dev/null
+++ b/lib/lwres/man/lwres_gnba.html
@@ -0,0 +1,304 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_gnba</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_gnbarequest_render, 
+    lwres_gnbaresponse_render, 
+    lwres_gnbarequest_parse, 
+    lwres_gnbaresponse_parse, 
+    lwres_gnbaresponse_free, 
+    lwres_gnbarequest_free
+     &#8212; lightweight resolver getnamebyaddress message handling
+  </p>
+</div>
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">
+#include &lt;lwres/lwres.h&gt;
+</pre>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gnbarequest_render</b>
+(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbarequest_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gnbaresponse_render</b>
+(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbaresponse_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbarequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbaresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_gnbaresponse_free</b>
+(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbaresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbarequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      These are low-level routines for creating and parsing
+      lightweight resolver address-to-name lookup request and
+      response messages.
+    </p>
+    <p>
+      There are four main functions for the getnamebyaddr opcode.
+      One render function converts a getnamebyaddr request structure &#8212;
+      <span class="type">lwres_gnbarequest_t</span> &#8212;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a getnamebyaddr request structure.
+      Another render function converts the getnamebyaddr response structure
+      &#8212;
+      <span class="type">lwres_gnbaresponse_t</span>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a getnamebyaddr response structure.
+    </p>
+    <p>
+      These structures are defined in
+      <code class="filename">lwres/lwres.h</code>.
+      They are shown below.
+    </p>
+    <pre class="programlisting">
+#define LWRES_OPCODE_GETNAMEBYADDR      0x00010002U
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint32_t  flags;
+        lwres_addr_t    addr;
+} lwres_gnbarequest_t;
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint32_t  flags;
+        uint16_t  naliases;
+        char           *realname;
+        char          **aliases;
+        uint16_t  realnamelen;
+        uint16_t *aliaslen;
+        void           *base;
+        size_t          baselen;
+} lwres_gnbaresponse_t;
+</pre>
+<p>
+    </p>
+
+    <p><code class="function">lwres_gnbarequest_render()</code>
+      uses resolver context <code class="varname">ctx</code> to convert
+      getnamebyaddr request structure <code class="varname">req</code> to
+      canonical format.  The packet header structure
+      <code class="varname">pkt</code> is initialised and transferred to buffer
+      <code class="varname">b</code>.  The contents of <code class="varname">*req</code>
+      are then appended to the buffer in canonical format.
+      <code class="function">lwres_gnbaresponse_render()</code> performs the
+      same task, except it converts a getnamebyaddr response structure
+      <span class="type">lwres_gnbaresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+
+    <p><code class="function">lwres_gnbarequest_parse()</code>
+      uses context <code class="varname">ctx</code> to convert the contents of
+      packet <code class="varname">pkt</code> to a
+      <span class="type">lwres_gnbarequest_t</span> structure.  Buffer
+      <code class="varname">b</code> provides space to be used for storing this
+      structure.  When the function succeeds, the resulting
+      <span class="type">lwres_gnbarequest_t</span> is made available through
+      <code class="varname">*structp</code>.
+      <code class="function">lwres_gnbaresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_gnbarequest_parse()</code>
+      except it yields a <span class="type">lwres_gnbaresponse_t</span> structure.
+    </p>
+
+    <p><code class="function">lwres_gnbaresponse_free()</code>
+      and <code class="function">lwres_gnbarequest_free()</code> release the
+      memory in resolver context <code class="varname">ctx</code> that was
+      allocated to the <span class="type">lwres_gnbaresponse_t</span> or
+      <span class="type">lwres_gnbarequest_t</span> structures referenced via
+      <code class="varname">structp</code>.  Any memory associated with
+      ancillary buffers and strings for those structures is also
+      discarded.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      The getnamebyaddr opcode functions
+      <code class="function">lwres_gnbarequest_render()</code>,
+      <code class="function">lwres_gnbaresponse_render()</code>
+      <code class="function">lwres_gnbarequest_parse()</code>
+      and
+      <code class="function">lwres_gnbaresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <code class="varname">b</code>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_gnbarequest_t</span>
+      and
+      <span class="type">lwres_gnbaresponse_t</span>
+      structures.
+      <code class="function">lwres_gnbarequest_parse()</code>
+      and
+      <code class="function">lwres_gnbaresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <code class="varname">pktflags</code>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_packet</span>(3)
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3
new file mode 100644
index 0000000..831e523
--- /dev/null
+++ b/lib/lwres/man/lwres_hstrerror.3
@@ -0,0 +1,110 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_hstrerror
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_HSTRERROR" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/netdb\&.h>
+.fi
+.ft
+.HP \w'void\ lwres_herror('u
+.BI "void lwres_herror(const\ char\ *" "s" ");"
+.HP \w'const\ char\ *\ lwres_hstrerror('u
+.BI "const char * lwres_hstrerror(int\ " "err" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_herror()\fR
+prints the string
+\fIs\fR
+on
+\fBstderr\fR
+followed by the string generated by
+\fBlwres_hstrerror()\fR
+for the error code stored in the global variable
+\fBlwres_h_errno\fR\&.
+.PP
+\fBlwres_hstrerror()\fR
+returns an appropriate string for the error code gievn by
+\fIerr\fR\&. The values of the error codes and messages are as follows:
+.PP
+\fBNETDB_SUCCESS\fR
+.RS 4
+Resolver Error 0 (no error)
+.RE
+.PP
+\fBHOST_NOT_FOUND\fR
+.RS 4
+Unknown host
+.RE
+.PP
+\fBTRY_AGAIN\fR
+.RS 4
+Host name lookup failure
+.RE
+.PP
+\fBNO_RECOVERY\fR
+.RS 4
+Unknown server error
+.RE
+.PP
+\fBNO_DATA\fR
+.RS 4
+No address associated with name
+.RE
+.SH "RETURN VALUES"
+.PP
+The string
+Unknown resolver error
+is returned by
+\fBlwres_hstrerror()\fR
+when the value of
+\fBlwres_h_errno\fR
+is not a valid error code\&.
+.SH "SEE ALSO"
+.PP
+\fBherror\fR(3),
+\fBlwres_hstrerror\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook
new file mode 100644
index 0000000..8f83428
--- /dev/null
+++ b/lib/lwres/man/lwres_hstrerror.docbook
@@ -0,0 +1,144 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_hstrerror</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_herror</refname>
+    <refname>lwres_hstrerror</refname>
+    <refpurpose>lightweight resolver error message generation</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_herror</function></funcdef>
+        <paramdef>const char *<parameter>s</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+const char *
+<function>lwres_hstrerror</function></funcdef>
+        <paramdef>int <parameter>err</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_herror()</function>
+      prints the string <parameter>s</parameter> on
+      <type>stderr</type> followed by the string generated by
+      <function>lwres_hstrerror()</function> for the error code stored
+      in the global variable <constant>lwres_h_errno</constant>.
+    </para>
+
+    <para><function>lwres_hstrerror()</function>
+      returns an appropriate string for the error code gievn by
+      <parameter>err</parameter>.  The values of the error codes and
+      messages are as follows:
+
+      <variablelist>
+        <varlistentry>
+          <term><errorcode>NETDB_SUCCESS</errorcode></term>
+          <listitem>
+            <para><errorname>Resolver Error 0 (no error)</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>HOST_NOT_FOUND</errorcode></term>
+          <listitem>
+            <para><errorname>Unknown host</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>TRY_AGAIN</errorcode></term>
+          <listitem>
+            <para><errorname>Host name lookup failure</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>NO_RECOVERY</errorcode></term>
+          <listitem>
+            <para><errorname>Unknown server error</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><errorcode>NO_DATA</errorcode></term>
+          <listitem>
+            <para><errorname>No address associated with name</errorname>
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      The string <errorname>Unknown resolver error</errorname> is returned by
+      <function>lwres_hstrerror()</function>
+      when the value of
+      <constant>lwres_h_errno</constant>
+      is not a valid error code.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
new file mode 100644
index 0000000..f20c392
--- /dev/null
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -0,0 +1,126 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_hstrerror</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_herror, 
+    lwres_hstrerror
+     &#8212; lightweight resolver error message generation
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_herror</b>(</code></td>
+<td>const char *<var class="pdparam">s</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;"><tr>
+<td><code class="funcdef">
+const char *
+<b class="fsfunc">lwres_hstrerror</b>(</code></td>
+<td>int <var class="pdparam">err</var><code>)</code>;</td>
+</tr></table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_herror()</code>
+      prints the string <em class="parameter"><code>s</code></em> on
+      <span class="type">stderr</span> followed by the string generated by
+      <code class="function">lwres_hstrerror()</code> for the error code stored
+      in the global variable <code class="constant">lwres_h_errno</code>.
+    </p>
+
+    <p><code class="function">lwres_hstrerror()</code>
+      returns an appropriate string for the error code gievn by
+      <em class="parameter"><code>err</code></em>.  The values of the error codes and
+      messages are as follows:
+
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
+<dd>
+            <p><span class="errorname">Resolver Error 0 (no error)</span>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
+<dd>
+            <p><span class="errorname">Unknown host</span>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
+<dd>
+            <p><span class="errorname">Host name lookup failure</span>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
+<dd>
+            <p><span class="errorname">Unknown server error</span>
+            </p>
+          </dd>
+<dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
+<dd>
+            <p><span class="errorname">No address associated with name</span>
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      The string <span class="errorname">Unknown resolver error</span> is returned by
+      <code class="function">lwres_hstrerror()</code>
+      when the value of
+      <code class="constant">lwres_h_errno</code>
+      is not a valid error code.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">herror</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_hstrerror</span>(3)
+      </span>.
+    </p>
+
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3
new file mode 100644
index 0000000..5c8cfc9
--- /dev/null
+++ b/lib/lwres/man/lwres_inetntop.3
@@ -0,0 +1,88 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_inetntop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_INETNTOP" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_net_ntop \- lightweight resolver IP address presentation
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/net\&.h>
+.fi
+.ft
+.HP \w'const\ char\ *\ lwres_net_ntop('u
+.BI "const char * lwres_net_ntop(int\ " "af" ", const\ void\ *" "src" ", char\ *" "dst" ", size_t\ " "size" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_net_ntop()\fR
+converts an IP address of protocol family
+\fIaf\fR
+\(em IPv4 or IPv6 \(em at location
+\fIsrc\fR
+from network format to its conventional representation as a string\&. For IPv4 addresses, that string would be a dotted\-decimal\&. An IPv6 address would be represented in colon notation as described in RFC1884\&.
+.PP
+The generated string is copied to
+\fIdst\fR
+provided
+\fIsize\fR
+indicates it is long enough to store the ASCII representation of the address\&.
+.SH "RETURN VALUES"
+.PP
+If successful, the function returns
+\fIdst\fR: a pointer to a string containing the presentation format of the address\&.
+\fBlwres_net_ntop()\fR
+returns
+\fBNULL\fR
+and sets the global variable
+\fBerrno\fR
+to
+\fBEAFNOSUPPORT\fR
+if the protocol family given in
+\fIaf\fR
+is not supported\&.
+.SH "SEE ALSO"
+.PP
+\fBRFC1884\fR(),
+\fBinet_ntop\fR(3),
+\fBerrno\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook
new file mode 100644
index 0000000..78aacc0
--- /dev/null
+++ b/lib/lwres/man/lwres_inetntop.docbook
@@ -0,0 +1,114 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_inetntop</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_net_ntop</refname>
+    <refpurpose>lightweight resolver IP address presentation</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+const char *
+<function>lwres_net_ntop</function></funcdef>
+        <paramdef>int <parameter>af</parameter></paramdef>
+        <paramdef>const void *<parameter>src</parameter></paramdef>
+        <paramdef>char *<parameter>dst</parameter></paramdef>
+        <paramdef>size_t <parameter>size</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_net_ntop()</function>
+      converts an IP address of protocol family
+      <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash; at
+      location <parameter>src</parameter> from network format to its
+      conventional representation as a string.  For IPv4 addresses,
+      that string would be a dotted-decimal.  An IPv6 address would be
+      represented in colon notation as described in RFC1884.
+    </para>
+
+    <para>
+      The generated string is copied to <parameter>dst</parameter>
+      provided
+      <parameter>size</parameter> indicates it is long enough to
+      store the
+      ASCII representation of the address.
+    </para>
+
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+
+    <para>
+      If successful, the function returns <parameter>dst</parameter>:
+      a pointer to a string containing the presentation format of the
+      address.  <function>lwres_net_ntop()</function> returns
+      <type>NULL</type> and sets the global variable
+      <constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
+      the protocol family given in <parameter>af</parameter> is
+      not
+      supported.
+    </para>
+
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>RFC1884</refentrytitle>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
new file mode 100644
index 0000000..1a0bcf1
--- /dev/null
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -0,0 +1,112 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_inetntop</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_net_ntop
+     &#8212; lightweight resolver IP address presentation
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+const char *
+<b class="fsfunc">lwres_net_ntop</b>(</code></td>
+<td>int <var class="pdparam">af</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const void *<var class="pdparam">src</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char *<var class="pdparam">dst</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>size_t <var class="pdparam">size</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_net_ntop()</code>
+      converts an IP address of protocol family
+      <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212; at
+      location <em class="parameter"><code>src</code></em> from network format to its
+      conventional representation as a string.  For IPv4 addresses,
+      that string would be a dotted-decimal.  An IPv6 address would be
+      represented in colon notation as described in RFC1884.
+    </p>
+
+    <p>
+      The generated string is copied to <em class="parameter"><code>dst</code></em>
+      provided
+      <em class="parameter"><code>size</code></em> indicates it is long enough to
+      store the
+      ASCII representation of the address.
+    </p>
+
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+
+    <p>
+      If successful, the function returns <em class="parameter"><code>dst</code></em>:
+      a pointer to a string containing the presentation format of the
+      address.  <code class="function">lwres_net_ntop()</code> returns
+      <span class="type">NULL</span> and sets the global variable
+      <code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
+      the protocol family given in <em class="parameter"><code>af</code></em> is
+      not
+      supported.
+    </p>
+
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">RFC1884</span>
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">inet_ntop</span>(3)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">errno</span>(3)
+      </span>.
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3
new file mode 100644
index 0000000..b922057
--- /dev/null
+++ b/lib/lwres/man/lwres_noop.3
@@ -0,0 +1,202 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_noop
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_NOOP" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no\-op message handling
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_nooprequest_render('u
+.BI "lwres_result_t lwres_nooprequest_render(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_noopresponse_render('u
+.BI "lwres_result_t lwres_noopresponse_render(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ *" "req" ", lwres_lwpacket_t\ *" "pkt" ", lwres_buffer_t\ *" "b" ");"
+.HP \w'lwres_result_t\ lwres_nooprequest_parse('u
+.BI "lwres_result_t lwres_nooprequest_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_nooprequest_t\ **" "structp" ");"
+.HP \w'lwres_result_t\ lwres_noopresponse_parse('u
+.BI "lwres_result_t lwres_noopresponse_parse(lwres_context_t\ *" "ctx" ", lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ", lwres_noopresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_noopresponse_free('u
+.BI "void lwres_noopresponse_free(lwres_context_t\ *" "ctx" ", lwres_noopresponse_t\ **" "structp" ");"
+.HP \w'void\ lwres_nooprequest_free('u
+.BI "void lwres_nooprequest_free(lwres_context_t\ *" "ctx" ", lwres_nooprequest_t\ **" "structp" ");"
+.SH "DESCRIPTION"
+.PP
+These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages\&.
+.PP
+The no\-op message is analogous to a
+\fBping\fR
+packet: a packet is sent to the resolver daemon and is simply echoed back\&. The opcode is intended to allow a client to determine if the server is operational or not\&.
+.PP
+There are four main functions for the no\-op opcode\&. One render function converts a no\-op request structure \(em
+\fBlwres_nooprequest_t\fR
+\(em to the lightweight resolver\*(Aqs canonical format\&. It is complemented by a parse function that converts a packet in this canonical format to a no\-op request structure\&. Another render function converts the no\-op response structure \(em
+\fBlwres_noopresponse_t\fR
+to the canonical format\&. This is complemented by a parse function which converts a packet in canonical format to a no\-op response structure\&.
+.PP
+These structures are defined in
+lwres/lwres\&.h\&. They are shown below\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+#define LWRES_OPCODE_NOOP       0x00000000U
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_nooprequest_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_noopresponse_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+Although the structures have different types, they are identical\&. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request\&.
+.PP
+\fBlwres_nooprequest_render()\fR
+uses resolver context
+\fIctx\fR
+to convert no\-op request structure
+\fIreq\fR
+to canonical format\&. The packet header structure
+\fIpkt\fR
+is initialised and transferred to buffer
+\fIb\fR\&. The contents of
+\fI*req\fR
+are then appended to the buffer in canonical format\&.
+\fBlwres_noopresponse_render()\fR
+performs the same task, except it converts a no\-op response structure
+\fBlwres_noopresponse_t\fR
+to the lightweight resolver\*(Aqs canonical format\&.
+.PP
+\fBlwres_nooprequest_parse()\fR
+uses context
+\fIctx\fR
+to convert the contents of packet
+\fIpkt\fR
+to a
+\fBlwres_nooprequest_t\fR
+structure\&. Buffer
+\fIb\fR
+provides space to be used for storing this structure\&. When the function succeeds, the resulting
+\fBlwres_nooprequest_t\fR
+is made available through
+\fI*structp\fR\&.
+\fBlwres_noopresponse_parse()\fR
+offers the same semantics as
+\fBlwres_nooprequest_parse()\fR
+except it yields a
+\fBlwres_noopresponse_t\fR
+structure\&.
+.PP
+\fBlwres_noopresponse_free()\fR
+and
+\fBlwres_nooprequest_free()\fR
+release the memory in resolver context
+\fIctx\fR
+that was allocated to the
+\fBlwres_noopresponse_t\fR
+or
+\fBlwres_nooprequest_t\fR
+structures referenced via
+\fIstructp\fR\&.
+.SH "RETURN VALUES"
+.PP
+The no\-op opcode functions
+\fBlwres_nooprequest_render()\fR,
+\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR
+and
+\fBlwres_noopresponse_parse()\fR
+all return
+\fBLWRES_R_SUCCESS\fR
+on success\&. They return
+\fBLWRES_R_NOMEMORY\fR
+if memory allocation fails\&.
+\fBLWRES_R_UNEXPECTEDEND\fR
+is returned if the available space in the buffer
+\fIb\fR
+is too small to accommodate the packet header or the
+\fBlwres_nooprequest_t\fR
+and
+\fBlwres_noopresponse_t\fR
+structures\&.
+\fBlwres_nooprequest_parse()\fR
+and
+\fBlwres_noopresponse_parse()\fR
+will return
+\fBLWRES_R_UNEXPECTEDEND\fR
+if the buffer is not empty after decoding the received packet\&. These functions will return
+\fBLWRES_R_FAILURE\fR
+if
+\fBpktflags\fR
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3)
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook
new file mode 100644
index 0000000..64ab392
--- /dev/null
+++ b/lib/lwres/man/lwres_noop.docbook
@@ -0,0 +1,249 @@
+<!DOCTYPE book [
+<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_noop</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_nooprequest_render</refname>
+    <refname>lwres_noopresponse_render</refname>
+    <refname>lwres_nooprequest_parse</refname>
+    <refname>lwres_noopresponse_parse</refname>
+    <refname>lwres_noopresponse_free</refname>
+    <refname>lwres_nooprequest_free</refname>
+    <refpurpose>lightweight resolver no-op message handling</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_nooprequest_render</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_noopresponse_render</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t *<parameter>req</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_nooprequest_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_noopresponse_parse</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_noopresponse_free</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_noopresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+void
+<function>lwres_nooprequest_free</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>lwres_nooprequest_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      These are low-level routines for creating and parsing
+      lightweight resolver no-op request and response messages.
+    </para>
+    <para>
+      The no-op message is analogous to a <command>ping</command>
+      packet:
+      a packet is sent to the resolver daemon and is simply echoed back.
+      The opcode is intended to allow a client to determine if the server is
+      operational or not.
+    </para>
+    <para>
+      There are four main functions for the no-op opcode.
+      One render function converts a no-op request structure &mdash;
+      <type>lwres_nooprequest_t</type> &mdash;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a no-op request structure.
+      Another render function converts the no-op response structure &mdash;
+      <type>lwres_noopresponse_t</type>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a no-op response structure.
+    </para>
+    <para>
+      These structures are defined in
+      <filename>lwres/lwres.h</filename>.
+
+      They are shown below.
+    </para>
+    <para><programlisting>
+#define LWRES_OPCODE_NOOP       0x00000000U
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_nooprequest_t;
+</programlisting>
+    </para>
+    <para><programlisting>
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_noopresponse_t;
+</programlisting>
+    </para>
+    <para>
+      Although the structures have different types, they are identical.
+      This is because the no-op opcode simply echos whatever data was sent:
+      the response is therefore identical to the request.
+    </para>
+
+    <para><function>lwres_nooprequest_render()</function>
+      uses resolver context <parameter>ctx</parameter> to convert
+      no-op request structure <parameter>req</parameter> to canonical
+      format.  The packet header structure <parameter>pkt</parameter>
+      is initialised and transferred to buffer
+      <parameter>b</parameter>.  The contents of
+      <parameter>*req</parameter> are then appended to the buffer in
+      canonical format.
+      <function>lwres_noopresponse_render()</function> performs the
+      same task, except it converts a no-op response structure
+      <type>lwres_noopresponse_t</type> to the lightweight resolver's
+      canonical format.
+    </para>
+
+    <para><function>lwres_nooprequest_parse()</function>
+      uses context <parameter>ctx</parameter> to convert the contents
+      of packet <parameter>pkt</parameter> to a
+      <type>lwres_nooprequest_t</type> structure.  Buffer
+      <parameter>b</parameter> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <type>lwres_nooprequest_t</type> is made available through
+      <parameter>*structp</parameter>.
+      <function>lwres_noopresponse_parse()</function> offers the same
+      semantics as <function>lwres_nooprequest_parse()</function>
+      except it yields a <type>lwres_noopresponse_t</type> structure.
+    </para>
+
+    <para><function>lwres_noopresponse_free()</function>
+      and <function>lwres_nooprequest_free()</function> release the
+      memory in resolver context <parameter>ctx</parameter> that was
+      allocated to the <type>lwres_noopresponse_t</type> or
+      <type>lwres_nooprequest_t</type> structures referenced via
+      <parameter>structp</parameter>.
+    </para>
+
+  </refsection>
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      The no-op opcode functions
+      <function>lwres_nooprequest_render()</function>,
+
+      <function>lwres_noopresponse_render()</function>
+      <function>lwres_nooprequest_parse()</function>
+      and
+      <function>lwres_noopresponse_parse()</function>
+      all return
+      <errorcode>LWRES_R_SUCCESS</errorcode>
+      on success.
+      They return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      if memory allocation fails.
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      is returned if the available space in the buffer
+      <parameter>b</parameter>
+      is too small to accommodate the packet header or the
+      <type>lwres_nooprequest_t</type>
+      and
+      <type>lwres_noopresponse_t</type>
+      structures.
+      <function>lwres_nooprequest_parse()</function>
+      and
+      <function>lwres_noopresponse_parse()</function>
+      will return
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if
+      <constant>pktflags</constant>
+      in the packet header structure
+      <type>lwres_lwpacket_t</type>
+      indicate that the packet is not a response to an earlier query.
+    </para>
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+    </para>
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
new file mode 100644
index 0000000..0e9cea7
--- /dev/null
+++ b/lib/lwres/man/lwres_noop.html
@@ -0,0 +1,298 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_noop</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_nooprequest_render, 
+    lwres_noopresponse_render, 
+    lwres_nooprequest_parse, 
+    lwres_noopresponse_parse, 
+    lwres_noopresponse_free, 
+    lwres_nooprequest_free
+     &#8212; lightweight resolver no-op message handling
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">
+#include &lt;lwres/lwres.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_nooprequest_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_noopresponse_t *<var class="pdparam">req</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_nooprequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_noopresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_noopresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+void
+<b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_nooprequest_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      These are low-level routines for creating and parsing
+      lightweight resolver no-op request and response messages.
+    </p>
+    <p>
+      The no-op message is analogous to a <span class="command"><strong>ping</strong></span>
+      packet:
+      a packet is sent to the resolver daemon and is simply echoed back.
+      The opcode is intended to allow a client to determine if the server is
+      operational or not.
+    </p>
+    <p>
+      There are four main functions for the no-op opcode.
+      One render function converts a no-op request structure &#8212;
+      <span class="type">lwres_nooprequest_t</span> &#8212;
+      to the lightweight resolver's canonical format.
+      It is complemented by a parse function that converts a packet in this
+      canonical format to a no-op request structure.
+      Another render function converts the no-op response structure &#8212;
+      <span class="type">lwres_noopresponse_t</span>
+      to the canonical format.
+      This is complemented by a parse function which converts a packet in
+      canonical format to a no-op response structure.
+    </p>
+    <p>
+      These structures are defined in
+      <code class="filename">lwres/lwres.h</code>.
+
+      They are shown below.
+    </p>
+    <pre class="programlisting">
+#define LWRES_OPCODE_NOOP       0x00000000U
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_nooprequest_t;
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+typedef struct {
+        uint16_t  datalength;
+        unsigned char   *data;
+} lwres_noopresponse_t;
+</pre>
+<p>
+    </p>
+    <p>
+      Although the structures have different types, they are identical.
+      This is because the no-op opcode simply echos whatever data was sent:
+      the response is therefore identical to the request.
+    </p>
+
+    <p><code class="function">lwres_nooprequest_render()</code>
+      uses resolver context <em class="parameter"><code>ctx</code></em> to convert
+      no-op request structure <em class="parameter"><code>req</code></em> to canonical
+      format.  The packet header structure <em class="parameter"><code>pkt</code></em>
+      is initialised and transferred to buffer
+      <em class="parameter"><code>b</code></em>.  The contents of
+      <em class="parameter"><code>*req</code></em> are then appended to the buffer in
+      canonical format.
+      <code class="function">lwres_noopresponse_render()</code> performs the
+      same task, except it converts a no-op response structure
+      <span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
+      canonical format.
+    </p>
+
+    <p><code class="function">lwres_nooprequest_parse()</code>
+      uses context <em class="parameter"><code>ctx</code></em> to convert the contents
+      of packet <em class="parameter"><code>pkt</code></em> to a
+      <span class="type">lwres_nooprequest_t</span> structure.  Buffer
+      <em class="parameter"><code>b</code></em> provides space to be used for storing
+      this structure.  When the function succeeds, the resulting
+      <span class="type">lwres_nooprequest_t</span> is made available through
+      <em class="parameter"><code>*structp</code></em>.
+      <code class="function">lwres_noopresponse_parse()</code> offers the same
+      semantics as <code class="function">lwres_nooprequest_parse()</code>
+      except it yields a <span class="type">lwres_noopresponse_t</span> structure.
+    </p>
+
+    <p><code class="function">lwres_noopresponse_free()</code>
+      and <code class="function">lwres_nooprequest_free()</code> release the
+      memory in resolver context <em class="parameter"><code>ctx</code></em> that was
+      allocated to the <span class="type">lwres_noopresponse_t</span> or
+      <span class="type">lwres_nooprequest_t</span> structures referenced via
+      <em class="parameter"><code>structp</code></em>.
+    </p>
+
+  </div>
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      The no-op opcode functions
+      <code class="function">lwres_nooprequest_render()</code>,
+
+      <code class="function">lwres_noopresponse_render()</code>
+      <code class="function">lwres_nooprequest_parse()</code>
+      and
+      <code class="function">lwres_noopresponse_parse()</code>
+      all return
+      <span class="errorcode">LWRES_R_SUCCESS</span>
+      on success.
+      They return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      if memory allocation fails.
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      is returned if the available space in the buffer
+      <em class="parameter"><code>b</code></em>
+      is too small to accommodate the packet header or the
+      <span class="type">lwres_nooprequest_t</span>
+      and
+      <span class="type">lwres_noopresponse_t</span>
+      structures.
+      <code class="function">lwres_nooprequest_parse()</code>
+      and
+      <code class="function">lwres_noopresponse_parse()</code>
+      will return
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer is not empty after decoding the received packet.
+      These functions will return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if
+      <code class="constant">pktflags</code>
+      in the packet header structure
+      <span class="type">lwres_lwpacket_t</span>
+      indicate that the packet is not a response to an earlier query.
+    </p>
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_packet</span>(3)
+      </span>
+    </p>
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3
new file mode 100644
index 0000000..d13f107
--- /dev/null
+++ b/lib/lwres/man/lwres_packet.3
@@ -0,0 +1,186 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_packet
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_PACKET" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwpacket\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_lwpacket_renderheader('u
+.BI "lwres_result_t lwres_lwpacket_renderheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
+.HP \w'lwres_result_t\ lwres_lwpacket_parseheader('u
+.BI "lwres_result_t lwres_lwpacket_parseheader(lwres_buffer_t\ *" "b" ", lwres_lwpacket_t\ *" "pkt" ");"
+.SH "DESCRIPTION"
+.PP
+These functions rely on a
+\fBstruct lwres_lwpacket\fR
+which is defined in
+lwres/lwpacket\&.h\&.
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+struct lwres_lwpacket {
+        uint32_t          length;
+        uint16_t          version;
+        uint16_t          pktflags;
+        uint32_t          serial;
+        uint32_t          opcode;
+        uint32_t          result;
+        uint32_t          recvlength;
+        uint16_t          authtype;
+        uint16_t          authlength;
+};
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The elements of this structure are:
+.PP
+\fBlength\fR
+.RS 4
+the overall packet length, including the entire packet header\&. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls\&.
+.RE
+.PP
+\fBversion\fR
+.RS 4
+the header format\&. There is currently only one format,
+\fBLWRES_LWPACKETVERSION_0\fR\&. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls\&.
+.RE
+.PP
+\fBpktflags\fR
+.RS 4
+library\-defined flags for this packet: for instance whether the packet is a request or a reply\&. Flag values can be set, but not defined by the caller\&. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls\&.
+.RE
+.PP
+\fBserial\fR
+.RS 4
+is set by the requestor and is returned in all replies\&. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped\&. This field must be set by the application\&.
+.RE
+.PP
+\fBopcode\fR
+.RS 4
+indicates the operation\&. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library\&. Opcodes between 0x04000000 and 0xffffffff are application defined\&. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls\&.
+.RE
+.PP
+\fBresult\fR
+.RS 4
+is only valid for replies\&. Results between 0x04000000 and 0xffffffff are application defined\&. Results between 0x00000000 and 0x03ffffff are reserved for library use\&. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls\&.
+.RE
+.PP
+\fBrecvlength\fR
+.RS 4
+is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies\&. This field is supplied by the application\&.
+.RE
+.PP
+\fBauthtype\fR
+.RS 4
+defines the packet level authentication that is used\&. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use\&. Currently these are not used and must be zero\&.
+.RE
+.PP
+\fBauthlen\fR
+.RS 4
+gives the length of the authentication data\&. Since packet authentication is currently not used, this must be zero\&.
+.RE
+.PP
+The following opcodes are currently defined:
+.PP
+\fBNOOP\fR
+.RS 4
+Success is always returned and the packet contents are echoed\&. The lwres_noop_*() functions should be used for this type\&.
+.RE
+.PP
+\fBGETADDRSBYNAME\fR
+.RS 4
+returns all known addresses for a given name\&. The lwres_gabn_*() functions should be used for this type\&.
+.RE
+.PP
+\fBGETNAMEBYADDR\fR
+.RS 4
+return the hostname for the given address\&. The lwres_gnba_*() functions should be used for this type\&.
+.RE
+.PP
+\fBlwres_lwpacket_renderheader()\fR
+transfers the contents of lightweight resolver packet structure
+\fBlwres_lwpacket_t\fR\fI*pkt\fR
+in network byte order to the lightweight resolver buffer,
+\fI*b\fR\&.
+.PP
+\fBlwres_lwpacket_parseheader()\fR
+performs the converse operation\&. It transfers data in network byte order from buffer
+\fI*b\fR
+to resolver packet
+\fI*pkt\fR\&. The contents of the buffer
+\fIb\fR
+should correspond to a
+\fBlwres_lwpacket_t\fR\&.
+.SH "RETURN VALUES"
+.PP
+Successful calls to
+\fBlwres_lwpacket_renderheader()\fR
+and
+\fBlwres_lwpacket_parseheader()\fR
+return
+\fBLWRES_R_SUCCESS\fR\&. If there is insufficient space to copy data between the buffer
+\fI*b\fR
+and lightweight resolver packet
+\fI*pkt\fR
+both functions return
+\fBLWRES_R_UNEXPECTEDEND\fR\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook
new file mode 100644
index 0000000..8b43750
--- /dev/null
+++ b/lib/lwres/man/lwres_packet.docbook
@@ -0,0 +1,283 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_packet</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_lwpacket_renderheader</refname>
+    <refname>lwres_lwpacket_parseheader</refname>
+    <refpurpose>lightweight resolver packet handling functions</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_lwpacket_renderheader</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_lwpacket_parseheader</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para>
+      These functions rely on a
+      <type>struct lwres_lwpacket</type>
+      which is defined in
+      <filename>lwres/lwpacket.h</filename>.
+    </para>
+
+    <para><programlisting>
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+      </programlisting>
+    </para>
+    <para><programlisting>
+struct lwres_lwpacket {
+        uint32_t          length;
+        uint16_t          version;
+        uint16_t          pktflags;
+        uint32_t          serial;
+        uint32_t          opcode;
+        uint32_t          result;
+        uint32_t          recvlength;
+        uint16_t          authtype;
+        uint16_t          authlength;
+};
+</programlisting>
+    </para>
+
+    <para>
+      The elements of this structure are:
+      <variablelist>
+        <varlistentry>
+          <term><constant>length</constant></term>
+          <listitem>
+            <para>
+              the overall packet length, including the entire packet header.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>version</constant></term>
+          <listitem>
+            <para>
+              the header format. There is currently only one format,
+              <type>LWRES_LWPACKETVERSION_0</type>.
+
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>pktflags</constant></term>
+          <listitem>
+            <para>
+              library-defined flags for this packet: for instance whether the
+              packet
+              is a request or a reply. Flag values can be set, but not defined
+              by
+              the caller.
+              This field is filled in by the application wit the exception of
+              the
+              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
+              the
+              lwres_gabn_*() and lwres_gnba_*() calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>serial</constant></term>
+          <listitem>
+            <para>
+              is set by the requestor and is returned in all replies. If two
+              or more
+              packets from the same source have the same serial number and are
+              from
+              the same source, they are assumed to be duplicates and the
+              latter ones
+              may be dropped.
+              This field must be set by the application.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>opcode</constant></term>
+          <listitem>
+            <para>
+              indicates the operation.
+              Opcodes between 0x00000000 and 0x03ffffff are
+              reserved for use by the lightweight resolver library. Opcodes
+              between
+              0x04000000 and 0xffffffff are application defined.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>result</constant></term>
+          <listitem>
+            <para>
+              is only valid for replies.
+              Results between 0x04000000 and 0xffffffff are application
+              defined.
+              Results between 0x00000000 and 0x03ffffff are reserved for
+              library use.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>recvlength</constant></term>
+          <listitem>
+            <para>
+              is the maximum buffer size that the receiver can handle on
+              requests
+              and the size of the buffer needed to satisfy a request when the
+              buffer
+              is too large for replies.
+              This field is supplied by the application.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>authtype</constant></term>
+          <listitem>
+            <para>
+              defines the packet level authentication that is used.
+              Authorisation types between 0x1000 and 0xffff are application
+              defined
+              and types between 0x0000 and 0x0fff are reserved for library
+              use.
+              Currently these are not used and must be zero.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>authlen</constant></term>
+          <listitem>
+            <para>
+              gives the length of the authentication data.
+              Since packet authentication is currently not used, this must be
+              zero.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+    <para>
+      The following opcodes are currently defined:
+      <variablelist>
+        <varlistentry>
+          <term><constant>NOOP</constant></term>
+          <listitem>
+            <para>
+              Success is always returned and the packet contents are echoed.
+              The lwres_noop_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>GETADDRSBYNAME</constant></term>
+          <listitem>
+            <para>
+              returns all known addresses for a given name.
+              The lwres_gabn_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term><constant>GETNAMEBYADDR</constant></term>
+          <listitem>
+            <para>
+              return the hostname for the given address.
+              The lwres_gnba_*() functions should be used for this type.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </para>
+
+    <para><function>lwres_lwpacket_renderheader()</function>
+      transfers the contents of lightweight resolver packet structure
+      <type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in
+      network byte order to the lightweight resolver buffer,
+      <parameter>*b</parameter>.
+    </para>
+
+    <para><function>lwres_lwpacket_parseheader()</function>
+      performs the converse operation.  It transfers data in network
+      byte order from buffer <parameter>*b</parameter> to resolver
+      packet <parameter>*pkt</parameter>.  The contents of the buffer
+      <parameter>b</parameter> should correspond to a
+      <type>lwres_lwpacket_t</type>.
+    </para>
+
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      Successful calls to
+      <function>lwres_lwpacket_renderheader()</function> and
+      <function>lwres_lwpacket_parseheader()</function> return
+      <errorcode>LWRES_R_SUCCESS</errorcode>.  If there is insufficient
+      space to copy data between the buffer <parameter>*b</parameter> and
+      lightweight resolver packet <parameter>*pkt</parameter> both
+      functions
+      return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
+    </para>
+
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
new file mode 100644
index 0000000..38281c3
--- /dev/null
+++ b/lib/lwres/man/lwres_packet.html
@@ -0,0 +1,264 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_packet</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_lwpacket_renderheader, 
+    lwres_lwpacket_parseheader
+     &#8212; lightweight resolver packet handling functions
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_lwpacket_t *<var class="pdparam">pkt</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p>
+      These functions rely on a
+      <span class="type">struct lwres_lwpacket</span>
+      which is defined in
+      <code class="filename">lwres/lwpacket.h</code>.
+    </p>
+
+    <pre class="programlisting">
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+      </pre>
+<p>
+    </p>
+    <pre class="programlisting">
+struct lwres_lwpacket {
+        uint32_t          length;
+        uint16_t          version;
+        uint16_t          pktflags;
+        uint32_t          serial;
+        uint32_t          opcode;
+        uint32_t          result;
+        uint32_t          recvlength;
+        uint16_t          authtype;
+        uint16_t          authlength;
+};
+</pre>
+<p>
+    </p>
+
+    <p>
+      The elements of this structure are:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">length</code></span></dt>
+<dd>
+            <p>
+              the overall packet length, including the entire packet header.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">version</code></span></dt>
+<dd>
+            <p>
+              the header format. There is currently only one format,
+              <span class="type">LWRES_LWPACKETVERSION_0</span>.
+
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">pktflags</code></span></dt>
+<dd>
+            <p>
+              library-defined flags for this packet: for instance whether the
+              packet
+              is a request or a reply. Flag values can be set, but not defined
+              by
+              the caller.
+              This field is filled in by the application wit the exception of
+              the
+              LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in
+              the
+              lwres_gabn_*() and lwres_gnba_*() calls.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">serial</code></span></dt>
+<dd>
+            <p>
+              is set by the requestor and is returned in all replies. If two
+              or more
+              packets from the same source have the same serial number and are
+              from
+              the same source, they are assumed to be duplicates and the
+              latter ones
+              may be dropped.
+              This field must be set by the application.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">opcode</code></span></dt>
+<dd>
+            <p>
+              indicates the operation.
+              Opcodes between 0x00000000 and 0x03ffffff are
+              reserved for use by the lightweight resolver library. Opcodes
+              between
+              0x04000000 and 0xffffffff are application defined.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">result</code></span></dt>
+<dd>
+            <p>
+              is only valid for replies.
+              Results between 0x04000000 and 0xffffffff are application
+              defined.
+              Results between 0x00000000 and 0x03ffffff are reserved for
+              library use.
+              This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+              calls.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">recvlength</code></span></dt>
+<dd>
+            <p>
+              is the maximum buffer size that the receiver can handle on
+              requests
+              and the size of the buffer needed to satisfy a request when the
+              buffer
+              is too large for replies.
+              This field is supplied by the application.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">authtype</code></span></dt>
+<dd>
+            <p>
+              defines the packet level authentication that is used.
+              Authorisation types between 0x1000 and 0xffff are application
+              defined
+              and types between 0x0000 and 0x0fff are reserved for library
+              use.
+              Currently these are not used and must be zero.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">authlen</code></span></dt>
+<dd>
+            <p>
+              gives the length of the authentication data.
+              Since packet authentication is currently not used, this must be
+              zero.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+    <p>
+      The following opcodes are currently defined:
+      </p>
+<div class="variablelist"><dl class="variablelist">
+<dt><span class="term"><code class="constant">NOOP</code></span></dt>
+<dd>
+            <p>
+              Success is always returned and the packet contents are echoed.
+              The lwres_noop_*() functions should be used for this type.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
+<dd>
+            <p>
+              returns all known addresses for a given name.
+              The lwres_gabn_*() functions should be used for this type.
+            </p>
+          </dd>
+<dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
+<dd>
+            <p>
+              return the hostname for the given address.
+              The lwres_gnba_*() functions should be used for this type.
+            </p>
+          </dd>
+</dl></div>
+<p>
+    </p>
+
+    <p><code class="function">lwres_lwpacket_renderheader()</code>
+      transfers the contents of lightweight resolver packet structure
+      <span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in
+      network byte order to the lightweight resolver buffer,
+      <em class="parameter"><code>*b</code></em>.
+    </p>
+
+    <p><code class="function">lwres_lwpacket_parseheader()</code>
+      performs the converse operation.  It transfers data in network
+      byte order from buffer <em class="parameter"><code>*b</code></em> to resolver
+      packet <em class="parameter"><code>*pkt</code></em>.  The contents of the buffer
+      <em class="parameter"><code>b</code></em> should correspond to a
+      <span class="type">lwres_lwpacket_t</span>.
+    </p>
+
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      Successful calls to
+      <code class="function">lwres_lwpacket_renderheader()</code> and
+      <code class="function">lwres_lwpacket_parseheader()</code> return
+      <span class="errorcode">LWRES_R_SUCCESS</span>.  If there is insufficient
+      space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
+      lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both
+      functions
+      return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
+    </p>
+
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
new file mode 100644
index 0000000..26f37a0
--- /dev/null
+++ b/lib/lwres/man/lwres_resutil.3
@@ -0,0 +1,185 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: lwres_resutil
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2007-06-18
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "LWRES_RESUTIL" "3" "2007\-06\-18" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
+.SH "SYNOPSIS"
+.sp
+.ft B
+.nf
+#include <lwres/lwres\&.h>
+.fi
+.ft
+.HP \w'lwres_result_t\ lwres_string_parse('u
+.BI "lwres_result_t lwres_string_parse(lwres_buffer_t\ *" "b" ", char\ **" "c" ", uint16_t\ *" "len" ");"
+.HP \w'lwres_result_t\ lwres_addr_parse('u
+.BI "lwres_result_t lwres_addr_parse(lwres_buffer_t\ *" "b" ", lwres_addr_t\ *" "addr" ");"
+.HP \w'lwres_result_t\ lwres_getaddrsbyname('u
+.BI "lwres_result_t lwres_getaddrsbyname(lwres_context_t\ *" "ctx" ", const\ char\ *" "name" ", uint32_t\ " "addrtypes" ", lwres_gabnresponse_t\ **" "structp" ");"
+.HP \w'lwres_result_t\ lwres_getnamebyaddr('u
+.BI "lwres_result_t lwres_getnamebyaddr(lwres_context_t\ *" "ctx" ", uint32_t\ " "addrtype" ", uint16_t\ " "addrlen" ", const\ unsigned\ char\ *" "addr" ", lwres_gnbaresponse_t\ **" "structp" ");"
+.SH "DESCRIPTION"
+.PP
+\fBlwres_string_parse()\fR
+retrieves a DNS\-encoded string starting the current pointer of lightweight resolver buffer
+\fIb\fR: i\&.e\&.
+\fBb\->current\fR\&. When the function returns, the address of the first byte of the encoded string is returned via
+\fI*c\fR
+and the length of that string is given by
+\fI*len\fR\&. The buffer\*(Aqs current pointer is advanced to point at the character following the string length, the encoded string, and the trailing
+\fBNULL\fR
+character\&.
+.PP
+\fBlwres_addr_parse()\fR
+extracts an address from the buffer
+\fIb\fR\&. The buffer\*(Aqs current pointer
+\fBb\->current\fR
+is presumed to point at an encoded address: the address preceded by a 32\-bit protocol family identifier and a 16\-bit length field\&. The encoded address is copied to
+\fBaddr\->address\fR
+and
+\fBaddr\->length\fR
+indicates the size in bytes of the address that was copied\&.
+\fBb\->current\fR
+is advanced to point at the next byte of available data in the buffer following the encoded address\&.
+.PP
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR
+use the
+\fBlwres_gnbaresponse_t\fR
+structure defined below:
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+The contents of this structure are not manipulated directly but they are controlled through the
+\fBlwres_gabn\fR(3)
+functions\&.
+.PP
+The lightweight resolver uses
+\fBlwres_getaddrsbyname()\fR
+to perform forward lookups\&. Hostname
+\fIname\fR
+is looked up using the resolver context
+\fIctx\fR
+for memory allocation\&.
+\fIaddrtypes\fR
+is a bitmask indicating which type of addresses are to be looked up\&. Current values for this bitmask are
+\fBLWRES_ADDRTYPE_V4\fR
+for IPv4 addresses and
+\fBLWRES_ADDRTYPE_V6\fR
+for IPv6 addresses\&. Results of the lookup are returned in
+\fI*structp\fR\&.
+.PP
+\fBlwres_getnamebyaddr()\fR
+performs reverse lookups\&. Resolver context
+\fIctx\fR
+is used for memory allocation\&. The address type is indicated by
+\fIaddrtype\fR:
+\fBLWRES_ADDRTYPE_V4\fR
+or
+\fBLWRES_ADDRTYPE_V6\fR\&. The address to be looked up is given by
+\fIaddr\fR
+and its length is
+\fIaddrlen\fR
+bytes\&. The result of the function call is made available through
+\fI*structp\fR\&.
+.SH "RETURN VALUES"
+.PP
+Successful calls to
+\fBlwres_string_parse()\fR
+and
+\fBlwres_addr_parse()\fR
+return
+\fBLWRES_R_SUCCESS\&.\fR
+Both functions return
+\fBLWRES_R_FAILURE\fR
+if the buffer is corrupt or
+\fBLWRES_R_UNEXPECTEDEND\fR
+if the buffer has less space than expected for the components of the encoded string or address\&.
+.PP
+\fBlwres_getaddrsbyname()\fR
+returns
+\fBLWRES_R_SUCCESS\fR
+on success and it returns
+\fBLWRES_R_NOTFOUND\fR
+if the hostname
+\fIname\fR
+could not be found\&.
+.PP
+\fBLWRES_R_SUCCESS\fR
+is returned by a successful call to
+\fBlwres_getnamebyaddr()\fR\&.
+.PP
+Both
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR
+return
+\fBLWRES_R_NOMEMORY\fR
+when memory allocation requests fail and
+\fBLWRES_R_UNEXPECTEDEND\fR
+if the buffers used for sending queries and receiving replies are too small\&.
+.SH "SEE ALSO"
+.PP
+\fBlwres_buffer\fR(3),
+\fBlwres_gabn\fR(3)\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook
new file mode 100644
index 0000000..7ade2d9
--- /dev/null
+++ b/lib/lwres/man/lwres_resutil.docbook
@@ -0,0 +1,230 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0">
+  <info>
+    <date>2007-06-18</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>lwres_resutil</refentrytitle>
+    <manvolnum>3</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refnamediv>
+    <refname>lwres_string_parse</refname>
+    <refname>lwres_addr_parse</refname>
+    <refname>lwres_getaddrsbyname</refname>
+    <refname>lwres_getnamebyaddr</refname>
+    <refpurpose>lightweight resolver utility functions</refpurpose>
+  </refnamediv>
+  <refsynopsisdiv>
+    <funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_string_parse</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>char **<parameter>c</parameter></paramdef>
+        <paramdef>uint16_t *<parameter>len</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_addr_parse</function></funcdef>
+        <paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+        <paramdef>lwres_addr_t *<parameter>addr</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_getaddrsbyname</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>const char *<parameter>name</parameter></paramdef>
+        <paramdef>uint32_t <parameter>addrtypes</parameter></paramdef>
+        <paramdef>lwres_gabnresponse_t **<parameter>structp</parameter></paramdef>
+        </funcprototype>
+<funcprototype>
+        <funcdef>
+lwres_result_t
+<function>lwres_getnamebyaddr</function></funcdef>
+        <paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+        <paramdef>uint32_t <parameter>addrtype</parameter></paramdef>
+        <paramdef>uint16_t <parameter>addrlen</parameter></paramdef>
+        <paramdef>const unsigned char *<parameter>addr</parameter></paramdef>
+        <paramdef>lwres_gnbaresponse_t **<parameter>structp</parameter></paramdef>
+      </funcprototype>
+</funcsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+
+    <para><function>lwres_string_parse()</function>
+      retrieves a DNS-encoded string starting the current pointer of
+      lightweight resolver buffer <parameter>b</parameter>: i.e.
+      <constant>b-&gt;current</constant>.  When the function returns,
+      the address of the first byte of the encoded string is returned
+      via <parameter>*c</parameter> and the length of that string is
+      given by <parameter>*len</parameter>.  The buffer's current
+      pointer is advanced to point at the character following the
+      string length, the encoded string, and the trailing
+      <type>NULL</type> character.
+    </para>
+
+    <para><function>lwres_addr_parse()</function>
+      extracts an address from the buffer <parameter>b</parameter>.
+      The buffer's current pointer <constant>b-&gt;current</constant>
+      is presumed to point at an encoded address: the address preceded
+      by a 32-bit protocol family identifier and a 16-bit length
+      field.  The encoded address is copied to
+      <constant>addr-&gt;address</constant> and
+      <constant>addr-&gt;length</constant> indicates the size in bytes
+      of the address that was copied.
+      <constant>b-&gt;current</constant> is advanced to point at the
+      next byte of available data in the buffer following the encoded
+      address.
+    </para>
+
+    <para><function>lwres_getaddrsbyname()</function>
+      and <function>lwres_getnamebyaddr()</function> use the
+      <type>lwres_gnbaresponse_t</type> structure defined below:
+    </para>
+
+<para><programlisting>
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+</programlisting></para>
+
+    <para>
+      The contents of this structure are not manipulated directly but
+      they are controlled through the
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>
+      functions.
+    </para>
+
+    <para>
+      The lightweight resolver uses
+      <function>lwres_getaddrsbyname()</function> to perform
+      forward lookups.
+      Hostname <parameter>name</parameter> is looked up using the
+      resolver
+      context <parameter>ctx</parameter> for memory allocation.
+      <parameter>addrtypes</parameter> is a bitmask indicating
+      which type of
+      addresses are to be looked up.  Current values for this bitmask are
+      <type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
+      <type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses.  Results of the
+      lookup are returned in <parameter>*structp</parameter>.
+    </para>
+
+    <para><function>lwres_getnamebyaddr()</function>
+      performs reverse lookups.  Resolver context
+      <parameter>ctx</parameter> is used for memory allocation.  The
+      address type is indicated by <parameter>addrtype</parameter>:
+      <type>LWRES_ADDRTYPE_V4</type> or
+      <type>LWRES_ADDRTYPE_V6</type>.  The address to be looked up is
+      given by <parameter>addr</parameter> and its length is
+      <parameter>addrlen</parameter> bytes.  The result of the
+      function call is made available through
+      <parameter>*structp</parameter>.
+    </para>
+  </refsection>
+
+  <refsection><info><title>RETURN VALUES</title></info>
+
+    <para>
+      Successful calls to
+      <function>lwres_string_parse()</function>
+      and
+      <function>lwres_addr_parse()</function>
+      return
+      <errorcode>LWRES_R_SUCCESS.</errorcode>
+      Both functions return
+      <errorcode>LWRES_R_FAILURE</errorcode>
+      if the buffer is corrupt or
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffer has less space than expected for the components of the
+      encoded string or address.
+    </para>
+
+    <para><function>lwres_getaddrsbyname()</function>
+      returns <errorcode>LWRES_R_SUCCESS</errorcode> on success and it
+      returns <errorcode>LWRES_R_NOTFOUND</errorcode> if the hostname
+      <parameter>name</parameter> could not be found.
+    </para>
+    <para><errorcode>LWRES_R_SUCCESS</errorcode>
+      is returned by a successful call to
+      <function>lwres_getnamebyaddr()</function>.
+    </para>
+
+    <para>
+      Both
+      <function>lwres_getaddrsbyname()</function>
+      and
+      <function>lwres_getnamebyaddr()</function>
+      return
+      <errorcode>LWRES_R_NOMEMORY</errorcode>
+      when memory allocation requests fail and
+      <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+      if the buffers used for sending queries and receiving replies are too
+      small.
+    </para>
+
+  </refsection>
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+
+      <citerefentry>
+        <refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>.
+    </para>
+
+  </refsection>
+</refentry>
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
new file mode 100644
index 0000000..a5ed52e
--- /dev/null
+++ b/lib/lwres/man/lwres_resutil.html
@@ -0,0 +1,260 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>lwres_resutil</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="id-1"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    lwres_string_parse, 
+    lwres_addr_parse, 
+    lwres_getaddrsbyname, 
+    lwres_getnamebyaddr
+     &#8212; lightweight resolver utility functions
+  </p>
+</div>
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="funcsynopsis">
+<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_string_parse</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>char **<var class="pdparam">c</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint16_t *<var class="pdparam">len</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_addr_parse</b>(</code></td>
+<td>lwres_buffer_t *<var class="pdparam">b</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_addr_t *<var class="pdparam">addr</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const char *<var class="pdparam">name</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint32_t <var class="pdparam">addrtypes</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gabnresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+<table border="0" class="funcprototype-table" summary="Function synopsis" style="cellspacing: 0; cellpadding: 0;">
+<tr>
+<td><code class="funcdef">
+lwres_result_t
+<b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
+<td>lwres_context_t *<var class="pdparam">ctx</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint32_t <var class="pdparam">addrtype</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>uint16_t <var class="pdparam">addrlen</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>const unsigned char *<var class="pdparam">addr</var>, </td>
+</tr>
+<tr>
+<td> </td>
+<td>lwres_gnbaresponse_t **<var class="pdparam">structp</var><code>)</code>;</td>
+</tr>
+</table>
+<div class="funcprototype-spacer"> </div>
+</div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+
+    <p><code class="function">lwres_string_parse()</code>
+      retrieves a DNS-encoded string starting the current pointer of
+      lightweight resolver buffer <em class="parameter"><code>b</code></em>: i.e.
+      <code class="constant">b-&gt;current</code>.  When the function returns,
+      the address of the first byte of the encoded string is returned
+      via <em class="parameter"><code>*c</code></em> and the length of that string is
+      given by <em class="parameter"><code>*len</code></em>.  The buffer's current
+      pointer is advanced to point at the character following the
+      string length, the encoded string, and the trailing
+      <span class="type">NULL</span> character.
+    </p>
+
+    <p><code class="function">lwres_addr_parse()</code>
+      extracts an address from the buffer <em class="parameter"><code>b</code></em>.
+      The buffer's current pointer <code class="constant">b-&gt;current</code>
+      is presumed to point at an encoded address: the address preceded
+      by a 32-bit protocol family identifier and a 16-bit length
+      field.  The encoded address is copied to
+      <code class="constant">addr-&gt;address</code> and
+      <code class="constant">addr-&gt;length</code> indicates the size in bytes
+      of the address that was copied.
+      <code class="constant">b-&gt;current</code> is advanced to point at the
+      next byte of available data in the buffer following the encoded
+      address.
+    </p>
+
+    <p><code class="function">lwres_getaddrsbyname()</code>
+      and <code class="function">lwres_getnamebyaddr()</code> use the
+      <span class="type">lwres_gnbaresponse_t</span> structure defined below:
+    </p>
+
+<pre class="programlisting">
+typedef struct {
+        uint32_t          flags;
+        uint16_t          naliases;
+        uint16_t          naddrs;
+        char                   *realname;
+        char                  **aliases;
+        uint16_t          realnamelen;
+        uint16_t         *aliaslen;
+        lwres_addrlist_t        addrs;
+        void                   *base;
+        size_t                  baselen;
+} lwres_gabnresponse_t;
+</pre>
+
+    <p>
+      The contents of this structure are not manipulated directly but
+      they are controlled through the
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gabn</span>(3)
+      </span>
+      functions.
+    </p>
+
+    <p>
+      The lightweight resolver uses
+      <code class="function">lwres_getaddrsbyname()</code> to perform
+      forward lookups.
+      Hostname <em class="parameter"><code>name</code></em> is looked up using the
+      resolver
+      context <em class="parameter"><code>ctx</code></em> for memory allocation.
+      <em class="parameter"><code>addrtypes</code></em> is a bitmask indicating
+      which type of
+      addresses are to be looked up.  Current values for this bitmask are
+      <span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
+      <span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses.  Results of the
+      lookup are returned in <em class="parameter"><code>*structp</code></em>.
+    </p>
+
+    <p><code class="function">lwres_getnamebyaddr()</code>
+      performs reverse lookups.  Resolver context
+      <em class="parameter"><code>ctx</code></em> is used for memory allocation.  The
+      address type is indicated by <em class="parameter"><code>addrtype</code></em>:
+      <span class="type">LWRES_ADDRTYPE_V4</span> or
+      <span class="type">LWRES_ADDRTYPE_V6</span>.  The address to be looked up is
+      given by <em class="parameter"><code>addr</code></em> and its length is
+      <em class="parameter"><code>addrlen</code></em> bytes.  The result of the
+      function call is made available through
+      <em class="parameter"><code>*structp</code></em>.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>RETURN VALUES</h2>
+
+    <p>
+      Successful calls to
+      <code class="function">lwres_string_parse()</code>
+      and
+      <code class="function">lwres_addr_parse()</code>
+      return
+      <span class="errorcode">LWRES_R_SUCCESS.</span>
+      Both functions return
+      <span class="errorcode">LWRES_R_FAILURE</span>
+      if the buffer is corrupt or
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffer has less space than expected for the components of the
+      encoded string or address.
+    </p>
+
+    <p><code class="function">lwres_getaddrsbyname()</code>
+      returns <span class="errorcode">LWRES_R_SUCCESS</span> on success and it
+      returns <span class="errorcode">LWRES_R_NOTFOUND</span> if the hostname
+      <em class="parameter"><code>name</code></em> could not be found.
+    </p>
+    <p><span class="errorcode">LWRES_R_SUCCESS</span>
+      is returned by a successful call to
+      <code class="function">lwres_getnamebyaddr()</code>.
+    </p>
+
+    <p>
+      Both
+      <code class="function">lwres_getaddrsbyname()</code>
+      and
+      <code class="function">lwres_getnamebyaddr()</code>
+      return
+      <span class="errorcode">LWRES_R_NOMEMORY</span>
+      when memory allocation requests fail and
+      <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
+      if the buffers used for sending queries and receiving replies are too
+      small.
+    </p>
+
+  </div>
+  <div class="refsection">
+<a name="id-1.9"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">lwres_buffer</span>(3)
+      </span>,
+
+      <span class="citerefentry">
+        <span class="refentrytitle">lwres_gabn</span>(3)
+      </span>.
+    </p>
+
+  </div>
+</div></body>
+</html>
diff --git a/lib/lwres/print.c b/lib/lwres/print.c
new file mode 100644
index 0000000..005a4ec
--- /dev/null
+++ b/lib/lwres/print.c
@@ -0,0 +1,577 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <inttypes.h>
+#include <stdio.h>		/* for sprintf */
+#include <string.h>
+
+#define	LWRES__PRINT_SOURCE	/* Used to get the lwres_print_* prototypes. */
+
+#include <lwres/stdlib.h>
+#include <lwres/string.h>
+
+#include "assert_p.h"
+#include "print_p.h"
+
+int
+lwres__print_sprintf(char *str, const char *format, ...) {
+	va_list ap;
+
+	va_start(ap, format);
+	vsprintf(str, format, ap);
+	va_end(ap);
+	return (strlen(str));
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+lwres__print_snprintf(char *str, size_t size, const char *format, ...) {
+	va_list ap;
+	int ret;
+
+	va_start(ap, format);
+	ret = vsnprintf(str, size, format, ap);
+	va_end(ap);
+	return (ret);
+
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
+	int h;
+	int l;
+	int q;
+	int z;
+	int alt;
+	int zero;
+	int left;
+	int plus;
+	int space;
+	long long tmpi;
+	unsigned long long tmpui;
+	unsigned long width;
+	unsigned long precision;
+	unsigned int length;
+	char buf[1024];
+	char c;
+	void *v;
+	char *save = str;
+	const char *cp;
+	const char *head;
+	int count = 0;
+	int pad;
+	int zeropad;
+	int dot;
+	double dbl;
+#ifdef HAVE_LONG_DOUBLE
+	long double ldbl;
+#endif
+	char fmt[32];
+
+	INSIST(str != NULL);
+	INSIST(format != NULL);
+
+	while (*format != '\0') {
+		if (*format != '%') {
+			if (size > 1U) {
+				*str++ = *format;
+				size--;
+			}
+			count++;
+			format++;
+			continue;
+		}
+		format++;
+
+		/*
+		 * Reset flags.
+		 */
+		dot = space = plus = left = zero = alt = h = l = q = z = 0;
+		width = precision = 0;
+		head = "";
+		length = pad = zeropad = 0;
+		POST(length);
+
+		do {
+			if (*format == '#') {
+				alt = 1;
+				format++;
+			} else if (*format == '-') {
+				left = 1;
+				zero = 0;
+				format++;
+			} else if (*format == ' ') {
+				if (!plus)
+					space = 1;
+				format++;
+			} else if (*format == '+') {
+				plus = 1;
+				space = 0;
+				format++;
+			} else if (*format == '0') {
+				if (!left)
+					zero = 1;
+				format++;
+			} else
+				break;
+		} while (1);
+
+		/*
+		 * Width.
+		 */
+		if (*format == '*') {
+			width = va_arg(ap, int);
+			format++;
+		} else if (isdigit((unsigned char)*format)) {
+			char *e;
+			width = strtoul(format, &e, 10);
+			format = e;
+		}
+
+		/*
+		 * Precision.
+		 */
+		if (*format == '.') {
+			format++;
+			dot = 1;
+			if (*format == '*') {
+				precision = va_arg(ap, int);
+				format++;
+			} else if (isdigit((unsigned char)*format)) {
+				char *e;
+				precision = strtoul(format, &e, 10);
+				format = e;
+			}
+		}
+
+		switch (*format) {
+		case '\0':
+			continue;
+		case '%':
+			if (size > 1U) {
+				*str++ = *format;
+				size--;
+			}
+			count++;
+			break;
+		case 'q':
+			q = 1;
+			format++;
+			goto doint;
+		case 'h':
+			h = 1;
+			format++;
+			goto doint;
+		case 'l':
+			l = 1;
+			format++;
+			if (*format == 'l') {
+				q = 1;
+				format++;
+			}
+			goto doint;
+		case 'z':
+			z = 1;
+			format++;
+			goto doint;
+		case 'n':
+		case 'i':
+		case 'd':
+		case 'o':
+		case 'u':
+		case 'x':
+		case 'X':
+		doint:
+			if (precision != 0U)
+				zero = 0;
+			switch (*format) {
+			case 'n':
+				if (h) {
+					short int *p;
+					p = va_arg(ap, short *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				} else if (l) {
+					long int *p;
+					p = va_arg(ap, long *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				} else if (z) {
+					size_t *p;
+					p = va_arg(ap, size_t *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				} else {
+					int *p;
+					p = va_arg(ap, int *);
+					REQUIRE(p != NULL);
+					*p = str - save;
+				}
+				break;
+			case 'i':
+			case 'd':
+				if (q)
+					tmpi = va_arg(ap, long long int);
+				else if (l)
+					tmpi = va_arg(ap, long int);
+				else if (z)
+					tmpi = va_arg(ap, size_t);
+				else
+					tmpi = va_arg(ap, int);
+				if (tmpi < 0) {
+					head = "-";
+					tmpui = -tmpi;
+				} else {
+					if (plus)
+						head = "+";
+					else if (space)
+						head = " ";
+					else
+						head = "";
+					tmpui = tmpi;
+				}
+				sprintf(buf, "%llu",
+					tmpui);
+				goto printint;
+			case 'o':
+				if (q)
+					tmpui = va_arg(ap,
+						       unsigned long long int);
+				else if (l)
+					tmpui = va_arg(ap, long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, int);
+				sprintf(buf,
+					alt ? "%#llo"
+					    : "%llo",
+					tmpui);
+				goto printint;
+			case 'u':
+				if (q)
+					tmpui = va_arg(ap,
+						       unsigned long long int);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				sprintf(buf, "%llu",
+					tmpui);
+				goto printint;
+			case 'x':
+				if (q)
+					tmpui = va_arg(ap,
+						       unsigned long long int);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0x";
+					if (precision > 2U)
+						precision -= 2;
+				}
+				sprintf(buf, "%llx",
+					tmpui);
+				goto printint;
+			case 'X':
+				if (q)
+					tmpui = va_arg(ap,
+						       unsigned long long int);
+				else if (l)
+					tmpui = va_arg(ap, unsigned long int);
+				else if (z)
+					tmpui = va_arg(ap, size_t);
+				else
+					tmpui = va_arg(ap, unsigned int);
+				if (alt) {
+					head = "0X";
+					if (precision > 2U)
+						precision -= 2;
+				}
+				sprintf(buf, "%llX",
+					tmpui);
+				goto printint;
+			printint:
+				if (precision != 0U || width != 0U) {
+					length = strlen(buf);
+					if (length < precision)
+						zeropad = precision - length;
+					else if (length < width && zero)
+						zeropad = width - length;
+					if (width != 0U) {
+						pad = width - length -
+						      zeropad - strlen(head);
+						if (pad < 0)
+							pad = 0;
+					}
+				}
+				count += strlen(head) + strlen(buf) + pad +
+					 zeropad;
+				if (!left) {
+					while (pad > 0 && size > 1U) {
+						*str++ = ' ';
+						size--;
+						pad--;
+					}
+				}
+				cp = head;
+				while (*cp != '\0' && size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (zeropad > 0 && size > 1U) {
+					*str++ = '0';
+					size--;
+					zeropad--;
+				}
+				cp = buf;
+				while (*cp != '\0' && size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (pad > 0 && size > 1U) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+				break;
+			default:
+				break;
+			}
+			break;
+		case 's':
+			cp = va_arg(ap, char *);
+			REQUIRE(cp != NULL);
+
+			if (precision != 0U) {
+				/*
+				 * cp need not be NULL terminated.
+				 */
+				const char *tp;
+				unsigned long n;
+
+				n = precision;
+				tp = cp;
+				while (n != 0U && *tp != '\0')
+					n--, tp++;
+				length = precision - n;
+			} else {
+				length = strlen(cp);
+			}
+			if (width != 0U) {
+				pad = width - length;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += pad + length;
+			if (!left)
+				while (pad > 0 && size > 1U) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+			if (precision != 0U)
+				while (precision > 0U && *cp != '\0' &&
+				       size > 1U) {
+					*str++ = *cp++;
+					size--;
+					precision--;
+				}
+			else
+				while (*cp != '\0' && size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+			while (pad > 0 && size > 1U) {
+				*str++ = ' ';
+				size--;
+				pad--;
+			}
+			break;
+		case 'c':
+			c = va_arg(ap, int);
+			if (width > 0U) {
+				count += width;
+				width--;
+				if (left) {
+					*str++ = c;
+					size--;
+				}
+				while (width-- > 0U && size > 1U) {
+					*str++ = ' ';
+					size--;
+				}
+				if (!left && size > 1U) {
+					*str++ = c;
+					size--;
+				}
+			} else {
+				count++;
+				if (size > 1U) {
+					*str++ = c;
+					size--;
+				}
+			}
+			break;
+		case 'p':
+			v = va_arg(ap, void *);
+			sprintf(buf, "%p", v);
+			length = strlen(buf);
+			if (precision > length)
+				zeropad = precision - length;
+			if (width > 0U) {
+				pad = width - length - zeropad;
+				if (pad < 0)
+					pad = 0;
+			}
+			count += length + pad + zeropad;
+			if (!left)
+				while (pad > 0 && size > 1U) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+			cp = buf;
+			if (zeropad > 0 && buf[0] == '0' &&
+			    (buf[1] == 'x' || buf[1] == 'X')) {
+				if (size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+				if (size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (zeropad > 0 && size > 1U) {
+					*str++ = '0';
+					size--;
+					zeropad--;
+				}
+			}
+			while (*cp != '\0' && size > 1U) {
+				*str++ = *cp++;
+				size--;
+			}
+			while (pad > 0 && size > 1U) {
+				*str++ = ' ';
+				size--;
+				pad--;
+			}
+			break;
+
+		case 'D':	/*deprecated*/
+			INSIST("use %ld instead of %D" == NULL);
+			break;
+		case 'O':	/*deprecated*/
+			INSIST("use %lo instead of %O" == NULL);
+			break;
+		case 'U':	/*deprecated*/
+			INSIST("use %lu instead of %U" == NULL);
+			break;
+
+		case 'L':
+#ifdef HAVE_LONG_DOUBLE
+			l = 1;
+#else
+			INSIST("long doubles are not supported" == NULL);
+#endif
+			/* FALLTHROUGH */
+		case 'e':
+		case 'E':
+		case 'f':
+		case 'g':
+		case 'G':
+			if (!dot)
+				precision = 6;
+			/*
+			 * IEEE floating point.
+			 * MIN 2.2250738585072014E-308
+			 * MAX 1.7976931348623157E+308
+			 * VAX floating point has a smaller range than IEEE.
+			 *
+			 * precisions > 324 don't make much sense.
+			 * if we cap the precision at 512 we will not
+			 * overflow buf.
+			 */
+			if (precision > 512U)
+				precision = 512;
+			sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
+				plus ? "+" : space ? " " : "",
+				precision, l ? "L" : "", *format);
+			switch (*format) {
+			case 'e':
+			case 'E':
+			case 'f':
+			case 'g':
+			case 'G':
+#ifdef HAVE_LONG_DOUBLE
+				if (l) {
+					ldbl = va_arg(ap, long double);
+					sprintf(buf, fmt, ldbl);
+				} else
+#endif
+				{
+					dbl = va_arg(ap, double);
+					sprintf(buf, fmt, dbl);
+				}
+				length = strlen(buf);
+				if (width > 0U) {
+					pad = width - length;
+					if (pad < 0)
+						pad = 0;
+				}
+				count += length + pad;
+				if (!left)
+					while (pad > 0 && size > 1U) {
+						*str++ = ' ';
+						size--;
+						pad--;
+					}
+				cp = buf;
+				while (*cp != ' ' && size > 1U) {
+					*str++ = *cp++;
+					size--;
+				}
+				while (pad > 0 && size > 1U) {
+					*str++ = ' ';
+					size--;
+					pad--;
+				}
+				break;
+			default:
+				continue;
+			}
+			break;
+		default:
+			continue;
+		}
+		format++;
+	}
+	if (size > 0U)
+		*str = '\0';
+	return (count);
+}
diff --git a/lib/lwres/print_p.h b/lib/lwres/print_p.h
new file mode 100644
index 0000000..0a86b19
--- /dev/null
+++ b/lib/lwres/print_p.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: print_p.h,v 1.6 2010/08/16 23:46:52 tbox Exp $ */
+
+#ifndef LWRES_PRINT_P_H
+#define LWRES_PRINT_P_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <lwres/lang.h>
+#include <lwres/platform.h>
+
+/*
+ * This block allows lib/lwres/print.c to be cleanly compiled even if
+ * the platform does not need it.  The standard Makefile will still
+ * not compile print.c or archive print.o, so this is just to make test
+ * compilation ("make print.o") easier.
+ */
+#if !defined(LWRES_PLATFORM_NEEDVSNPRINTF) && defined(LWRES__PRINT_SOURCE)
+#define LWRES_PLATFORM_NEEDVSNPRINTF
+#endif
+
+#if !defined(LWRES_PLATFORM_NEEDSPRINTF) && defined(LWRES__PRINT_SOURCE)
+#define LWRES_PLATFORM_NEEDSPRINTF
+#endif
+
+/***
+ *** Macros.
+ ***/
+
+#ifdef __GNUC__
+#define LWRES_FORMAT_PRINTF(fmt, args) \
+	__attribute__((__format__(__printf__, fmt, args)))
+#else
+#define LWRES_FORMAT_PRINTF(fmt, args)
+#endif
+
+/***
+ *** Functions
+ ***/
+
+#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
+#include <stdarg.h>
+#include <stddef.h>
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
+int
+lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
+     LWRES_FORMAT_PRINTF(3, 0);
+#ifdef vsnprintf
+#undef vsnprintf
+#endif
+#define vsnprintf lwres__print_vsnprintf
+
+int
+lwres__print_snprintf(char *str, size_t size, const char *format, ...)
+     LWRES_FORMAT_PRINTF(3, 4);
+#ifdef snprintf
+#undef snprintf
+#endif
+#define snprintf lwres__print_snprintf
+#endif /* LWRES_PLATFORM_NEEDVSNPRINTF */
+
+#ifdef LWRES_PLATFORM_NEEDSPRINTF
+int
+lwres__print_sprintf(char *str, const char *format, ...) LWRES_FORMAT_PRINTF(2, 3);
+#ifdef sprintf
+#undef sprintf
+#endif
+#define sprintf lwres__print_sprintf
+#endif
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_PRINT_P_H */
diff --git a/lib/lwres/tests/Atffile b/lib/lwres/tests/Atffile
new file mode 100644
index 0000000..69a7eba
--- /dev/null
+++ b/lib/lwres/tests/Atffile
@@ -0,0 +1,5 @@
+Content-Type: application/X-atf-atffile; version="1"
+
+prop: test-suite = bind9
+
+tp: config_test
diff --git a/lib/lwres/tests/Kyuafile b/lib/lwres/tests/Kyuafile
new file mode 100644
index 0000000..6d373e8
--- /dev/null
+++ b/lib/lwres/tests/Kyuafile
@@ -0,0 +1,4 @@
+syntax(2)
+test_suite('bind9')
+
+atf_test_program{name='config_test'}
diff --git a/lib/lwres/tests/Makefile.in b/lib/lwres/tests/Makefile.in
new file mode 100644
index 0000000..b0e989d
--- /dev/null
+++ b/lib/lwres/tests/Makefile.in
@@ -0,0 +1,49 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id$
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I. -Iinclude -I../include ${LWRES_INCLUDES}
+CDEFINES =	-DTESTS="\"${top_builddir}/lib/lwres/tests/\""
+
+LWRESLIBS =	../liblwres.@A@
+LWRESDEPLIBS =	../liblwres.@A@
+
+LIBS =		@LIBS@ @ATFLIBS@
+
+OBJS =
+SRCS =		config_test.c
+
+SUBDIRS =
+TARGETS =	config_test@EXEEXT@
+
+@BIND9_MAKE_RULES@
+
+config_test@EXEEXT@: config_test.@O@ ${LWRESDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			config_test.@O@ ${LWRESLIBS} ${LIBS}
+
+unit::
+	sh ${top_srcdir}/unit/unittest.sh
+
+clean distclean::
+	rm -f ${TARGETS}
+	rm -f atf.out
diff --git a/lib/lwres/tests/config_test.c b/lib/lwres/tests/config_test.c
new file mode 100644
index 0000000..0a6d66a
--- /dev/null
+++ b/lib/lwres/tests/config_test.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#include <atf-c.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "../lwconfig.c"
+
+static void
+setup_test() {
+	/*
+	 * atf-run changes us to a /tmp directory, so tests
+	 * that access test data files must first chdir to the proper
+	 * location.
+	 */
+	ATF_CHECK(chdir(TESTS) != -1);
+}
+
+ATF_TC(parse_linklocal);
+ATF_TC_HEAD(parse_linklocal, tc) {
+	atf_tc_set_md_var(tc, "descr", "lwres_conf_parse link-local nameserver");
+}
+ATF_TC_BODY(parse_linklocal, tc) {
+	lwres_result_t result;
+	lwres_context_t *ctx = NULL;
+	unsigned char addr[16] = { 0xfe, 0x80, 0x00, 0x00,
+				   0x00, 0x00, 0x00, 0x00,
+				   0x00, 0x00, 0x00, 0x00,
+				   0x00, 0x00, 0x00, 0x01 };
+
+	UNUSED(tc);
+
+	setup_test();
+
+	lwres_context_create(&ctx, NULL, NULL, NULL,
+			     LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6);
+	ATF_CHECK_EQ(ctx->confdata.nsnext, 0);
+	ATF_CHECK_EQ(ctx->confdata.nameservers[0].zone, 0);
+
+	result = lwres_conf_parse(ctx, "testdata/link-local.conf");
+	ATF_CHECK_EQ(result, LWRES_R_SUCCESS);
+	ATF_CHECK_EQ(ctx->confdata.nsnext, 1);
+	ATF_CHECK_EQ(ctx->confdata.nameservers[0].zone, 1);
+	ATF_CHECK_EQ(memcmp(ctx->confdata.nameservers[0].address, addr, 16), 0);
+	lwres_context_destroy(&ctx);
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+	ATF_TP_ADD_TC(tp, parse_linklocal);
+	return (atf_no_error());
+}
diff --git a/lib/lwres/tests/testdata/link-local.conf b/lib/lwres/tests/testdata/link-local.conf
new file mode 100644
index 0000000..8a37963
--- /dev/null
+++ b/lib/lwres/tests/testdata/link-local.conf
@@ -0,0 +1 @@
+nameserver fe80::1%1
diff --git a/lib/lwres/unix/Makefile.in b/lib/lwres/unix/Makefile.in
new file mode 100644
index 0000000..93e2bdc
--- /dev/null
+++ b/lib/lwres/unix/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/lwres/unix/include/Makefile.in b/lib/lwres/unix/include/Makefile.in
new file mode 100644
index 0000000..d9a3044
--- /dev/null
+++ b/lib/lwres/unix/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	lwres
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/lwres/unix/include/lwres/Makefile.in b/lib/lwres/unix/include/lwres/Makefile.in
new file mode 100644
index 0000000..aff3bee
--- /dev/null
+++ b/lib/lwres/unix/include/lwres/Makefile.in
@@ -0,0 +1,33 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =	net.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres || exit 1; \
+	done
+
+uninstall::
+	for i in ${HEADERS}; do \
+		rm -f ${DESTDIR}${includedir}/lwres/$$i || exit 1; \
+	done
diff --git a/lib/lwres/unix/include/lwres/net.h b/lib/lwres/unix/include/lwres/net.h
new file mode 100644
index 0000000..674b39f
--- /dev/null
+++ b/lib/lwres/unix/include/lwres/net.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: net.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_NET_H
+#define LWRES_NET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*! \file net.h
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *\li		struct in_addr
+ *\li		struct in6_addr
+ *\li		struct sockaddr
+ *\li		struct sockaddr_in
+ *\li		struct sockaddr_in6
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
+ *
+ * It ensures that #INADDR_LOOPBACK, #INADDR_ANY and #IN6ADDR_ANY_INIT
+ * are defined.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <lwres/platform.h>	/* Required for LWRES_PLATFORM_*. */
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h>		/* Contractual promise. */
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <netinet/in.h>		/* Contractual promise. */
+#include <arpa/inet.h>		/* Contractual promise. */
+#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h>	/* Required on UnixWare. */
+#endif
+#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
+#endif
+#include <net/if.h>
+
+#include <lwres/lang.h>
+
+#ifndef LWRES_PLATFORM_HAVEIPV6
+#include <lwres/ipv6.h>		/* Contractual promise. */
+#endif
+
+#ifdef LWRES_PLATFORM_HAVEINADDR6
+#define in6_addr in_addr6	/* Required for pre RFC2133 implementations. */
+#endif
+
+/*!
+ * Required for some pre RFC2133 implementations.
+ * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
+ * If 's6_addr' is defined then assume that there is a union and three
+ * levels otherwise assume two levels required.
+ */
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
+#else
+#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
+#endif
+#endif
+
+/*!
+ * Initialize address loopback.  See IN6ADDR_ANY_INIT
+ */
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
+#else
+#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
+#endif
+#endif
+
+/*% Used by AI_ALL */
+#ifndef AF_INET6
+#define AF_INET6 99
+#endif
+
+
+/*% Used to return IPV6 address types. */
+#ifndef PF_INET6
+#define PF_INET6 AF_INET6
+#endif
+
+/*% inaddr Loopback */
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+
+int
+lwres_net_pton(int af, const char *src, void *dst);
+
+int
+lwres_net_aton(const char *cp, struct in_addr *addr);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_NET_H */
diff --git a/lib/lwres/version.c b/lib/lwres/version.c
new file mode 100644
index 0000000..3683f12
--- /dev/null
+++ b/lib/lwres/version.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: version.c,v 1.12 2007/06/19 23:47:22 tbox Exp $ */
+
+/*! \file */
+
+#include <lwres/version.h>
+
+const char lwres_version[] = VERSION;
+
+const unsigned int lwres_libinterface = LIBINTERFACE;
+const unsigned int lwres_librevision = LIBREVISION;
+const unsigned int lwres_libage = LIBAGE;
diff --git a/lib/lwres/win32/DLLMain.c b/lib/lwres/win32/DLLMain.c
new file mode 100644
index 0000000..46ca8ac
--- /dev/null
+++ b/lib/lwres/win32/DLLMain.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <windows.h>
+#include <signal.h>
+
+/*
+ * Called when we enter the DLL
+ */
+__declspec(dllexport) BOOL WINAPI DllMain(HINSTANCE hinstDLL,
+					  DWORD fdwReason, LPVOID lpvReserved)
+{
+	switch (fdwReason)
+	{
+	/*
+	 * The DLL is loading due to process
+	 * initialization or a call to LoadLibrary.
+	 */
+	case DLL_PROCESS_ATTACH:
+		break;
+
+	/* The attached process creates a new thread.  */
+	case DLL_THREAD_ATTACH:
+		break;
+
+	/* The thread of the attached process terminates. */
+	case DLL_THREAD_DETACH:
+		break;
+
+	/*
+	 * The DLL is unloading from a process due to
+	 * process termination or a call to FreeLibrary.
+	 */
+	case DLL_PROCESS_DETACH:
+		break;
+
+	default:
+		break;
+	}
+	return (TRUE);
+}
+
diff --git a/lib/lwres/win32/Makefile.in b/lib/lwres/win32/Makefile.in
new file mode 100644
index 0000000..93e2bdc
--- /dev/null
+++ b/lib/lwres/win32/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/lwres/win32/include/Makefile.in b/lib/lwres/win32/include/Makefile.in
new file mode 100644
index 0000000..d9a3044
--- /dev/null
+++ b/lib/lwres/win32/include/Makefile.in
@@ -0,0 +1,19 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+SUBDIRS =	lwres
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/lib/lwres/win32/include/lwres/Makefile.in b/lib/lwres/win32/include/lwres/Makefile.in
new file mode 100644
index 0000000..9d388de
--- /dev/null
+++ b/lib/lwres/win32/include/lwres/Makefile.in
@@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+HEADERS =	net.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
+
+install:: installdirs
+	for i in ${HEADERS}; do \
+		${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres || exit 1; \
+	done
diff --git a/lib/lwres/win32/include/lwres/net.h b/lib/lwres/win32/include/lwres/net.h
new file mode 100644
index 0000000..41ffca4
--- /dev/null
+++ b/lib/lwres/win32/include/lwres/net.h
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: net.h,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_NET_H
+#define LWRES_NET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ *		struct in_addr
+ *		struct in6_addr
+ *		struct sockaddr
+ *		struct sockaddr_in
+ *		struct sockaddr_in6
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
+ *
+ * It ensures that INADDR_LOOPBACK, INADDR_ANY and IN6ADDR_ANY_INIT
+ * are defined.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+/*
+ * Because of some sort of problem in the MS header files, this cannot
+ * be simple "#include <winsock2.h>", because winsock2.h tries to include
+ * windows.h, which then generates an error out of mswsock.h.  _You_
+ * figure it out.
+ */
+#ifndef _WINSOCKAPI_
+#define _WINSOCKAPI_   /* Prevent inclusion of winsock.h in windows.h */
+#endif
+
+#include <winsock2.h>
+#include <sys/types.h>
+
+#include <lwres/ipv6.h>
+#include <lwres/platform.h>	/* Required for LWRES_PLATFORM_*. */
+
+#include <lwres/lang.h>
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+/*
+ * Fix the FD_SET and FD_CLR Macros to properly cast
+ */
+#undef FD_CLR
+#define FD_CLR(fd, set) do { \
+    u_int __i; \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
+	if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET) fd) { \
+	    while (__i < ((fd_set FAR *)(set))->fd_count-1) { \
+		((fd_set FAR *)(set))->fd_array[__i] = \
+		    ((fd_set FAR *)(set))->fd_array[__i+1]; \
+		__i++; \
+	    } \
+	    ((fd_set FAR *)(set))->fd_count--; \
+	    break; \
+	} \
+    } \
+} while (0)
+
+#undef FD_SET
+#define FD_SET(fd, set) do { \
+    u_int __i; \
+    for (__i = 0; __i < ((fd_set FAR *)(set))->fd_count; __i++) { \
+	if (((fd_set FAR *)(set))->fd_array[__i] == (SOCKET)(fd)) { \
+	    break; \
+	} \
+    } \
+    if (__i == ((fd_set FAR *)(set))->fd_count) { \
+	if (((fd_set FAR *)(set))->fd_count < FD_SETSIZE) { \
+	    ((fd_set FAR *)(set))->fd_array[__i] = (SOCKET)(fd); \
+	    ((fd_set FAR *)(set))->fd_count++; \
+	} \
+    } \
+} while (0)
+
+/*
+ * Windows Sockets errors redefined as regular Berkeley error constants.
+ * These are usually commented out in Windows NT to avoid conflicts with errno.h.
+ * Use the WSA constants instead.
+ */
+
+#include <errno.h>
+
+#ifndef EWOULDBLOCK
+#define EWOULDBLOCK             WSAEWOULDBLOCK
+#endif
+#ifndef EINPROGRESS
+#define EINPROGRESS             WSAEINPROGRESS
+#endif
+#ifndef EALREADY
+#define EALREADY                WSAEALREADY
+#endif
+#ifndef ENOTSOCK
+#define ENOTSOCK                WSAENOTSOCK
+#endif
+#ifndef EDESTADDRREQ
+#define EDESTADDRREQ            WSAEDESTADDRREQ
+#endif
+#ifndef EMSGSIZE
+#define EMSGSIZE                WSAEMSGSIZE
+#endif
+#ifndef EPROTOTYPE
+#define EPROTOTYPE              WSAEPROTOTYPE
+#endif
+#ifndef ENOPROTOOPT
+#define ENOPROTOOPT             WSAENOPROTOOPT
+#endif
+#ifndef EPROTONOSUPPORT
+#define EPROTONOSUPPORT         WSAEPROTONOSUPPORT
+#endif
+#ifndef ESOCKTNOSUPPORT
+#define ESOCKTNOSUPPORT         WSAESOCKTNOSUPPORT
+#endif
+#ifndef EOPNOTSUPP
+#define EOPNOTSUPP              WSAEOPNOTSUPP
+#endif
+#ifndef EPFNOSUPPORT
+#define EPFNOSUPPORT            WSAEPFNOSUPPORT
+#endif
+#ifndef EAFNOSUPPORT
+#define EAFNOSUPPORT            WSAEAFNOSUPPORT
+#endif
+#ifndef EADDRINUSE
+#define EADDRINUSE              WSAEADDRINUSE
+#endif
+#ifndef EADDRNOTAVAIL
+#define EADDRNOTAVAIL           WSAEADDRNOTAVAIL
+#endif
+#ifndef ENETDOWN
+#define ENETDOWN                WSAENETDOWN
+#endif
+#ifndef ENETUNREACH
+#define ENETUNREACH             WSAENETUNREACH
+#endif
+#ifndef ENETRESET
+#define ENETRESET               WSAENETRESET
+#endif
+#ifndef ECONNABORTED
+#define ECONNABORTED            WSAECONNABORTED
+#endif
+#ifndef ECONNRESET
+#define ECONNRESET              WSAECONNRESET
+#endif
+#ifndef ENOBUFS
+#define ENOBUFS                 WSAENOBUFS
+#endif
+#ifndef EISCONN
+#define EISCONN                 WSAEISCONN
+#endif
+#ifndef ENOTCONN
+#define ENOTCONN                WSAENOTCONN
+#endif
+#ifndef ESHUTDOWN
+#define ESHUTDOWN               WSAESHUTDOWN
+#endif
+#ifndef ETOOMANYREFS
+#define ETOOMANYREFS            WSAETOOMANYREFS
+#endif
+#ifndef ETIMEDOUT
+#define ETIMEDOUT               WSAETIMEDOUT
+#endif
+#ifndef ECONNREFUSED
+#define ECONNREFUSED            WSAECONNREFUSED
+#endif
+#ifndef ELOOP
+#define ELOOP                   WSAELOOP
+#endif
+#ifndef EHOSTDOWN
+#define EHOSTDOWN               WSAEHOSTDOWN
+#endif
+#ifndef EHOSTUNREACH
+#define EHOSTUNREACH            WSAEHOSTUNREACH
+#endif
+#ifndef EPROCLIM
+#define EPROCLIM                WSAEPROCLIM
+#endif
+#ifndef EUSERS
+#define EUSERS                  WSAEUSERS
+#endif
+#ifndef EDQUOT
+#define EDQUOT                  WSAEDQUOT
+#endif
+#ifndef ESTALE
+#define ESTALE                  WSAESTALE
+#endif
+#ifndef EREMOTE
+#define EREMOTE                 WSAEREMOTE
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+
+int
+lwres_net_pton(int af, const char *src, void *dst);
+
+int
+lwres_net_aton(const char *cp, struct in_addr *addr);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_NET_H */
diff --git a/lib/lwres/win32/include/lwres/netdb.h b/lib/lwres/win32/include/lwres/netdb.h
new file mode 100644
index 0000000..f0d8a86
--- /dev/null
+++ b/lib/lwres/win32/include/lwres/netdb.h
@@ -0,0 +1,512 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: netdb.h,v 1.7 2007/06/19 23:47:23 tbox Exp $ */
+
+#ifndef LWRES_NETDB_H
+#define LWRES_NETDB_H 1
+
+#include <stddef.h>	/* Required on FreeBSD (and  others?) for size_t. */
+
+#define off_t _off_t
+#include <sys/types.h>
+
+#include <lwres/net.h>
+#include <lwres/lang.h>
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+#if _MSC_VER < 1600
+#define ISC_LWRES_NEEDADDRINFO 1
+#endif
+
+#ifdef ISC_LWRES_NEEDADDRINFO
+struct addrinfo {
+	int		ai_flags;      /* AI_PASSIVE, AI_CANONNAME */
+	int		ai_family;     /* PF_xxx */
+	int		ai_socktype;   /* SOCK_xxx */
+	int		ai_protocol;   /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+	size_t		ai_addrlen;    /* Length of ai_addr */
+	char		*ai_canonname; /* Canonical name for hostname */
+	struct sockaddr	*ai_addr;      /* Binary address */
+	struct addrinfo	*ai_next;      /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all \#defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef	NETDB_INTERNAL
+#undef	NETDB_SUCCESS
+#undef	HOST_NOT_FOUND
+#undef	TRY_AGAIN
+#undef	NO_RECOVERY
+#undef	NO_DATA
+#undef	NO_ADDRESS
+
+#define	NETDB_INTERNAL	-1	/* see errno */
+#define	NETDB_SUCCESS	0	/* no problem */
+#define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
+#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
+#define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define	NO_DATA		4 /* Valid name, no data record of requested type */
+#define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+
+#undef	EAI_ADDRFAMILY
+#undef	EAI_AGAIN
+#undef	EAI_BADFLAGS
+#undef	EAI_FAIL
+#undef	EAI_FAMILY
+#undef	EAI_MEMORY
+#undef	EAI_NODATA
+#undef	EAI_NONAME
+#undef	EAI_SERVICE
+#undef	EAI_SOCKTYPE
+#undef	EAI_SYSTEM
+#undef	EAI_BADHINTS
+#undef	EAI_PROTOCOL
+#undef	EAI_MAX
+
+#define	EAI_ADDRFAMILY	 1	/* address family for hostname not supported */
+#define	EAI_AGAIN	 2	/* temporary failure in name resolution */
+#define	EAI_BADFLAGS	 3	/* invalid value for ai_flags */
+#define	EAI_FAIL	 4	/* non-recoverable failure in name resolution */
+#define	EAI_FAMILY	 5	/* ai_family not supported */
+#define	EAI_MEMORY	 6	/* memory allocation failure */
+#define	EAI_NODATA	 7	/* no address associated with hostname */
+#define	EAI_NONAME	 8	/* hostname nor servname provided, or not known */
+#define	EAI_SERVICE	 9	/* servname not supported for ai_socktype */
+#define	EAI_SOCKTYPE	10	/* ai_socktype not supported */
+#define	EAI_SYSTEM	11	/* system error returned in errno */
+#define EAI_BADHINTS	12
+#define EAI_PROTOCOL	13
+#define EAI_MAX		14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef	AI_PASSIVE
+#undef	AI_CANONNAME
+#undef	AI_NUMERICHOST
+
+#define	AI_PASSIVE	0x00000001
+#define	AI_CANONNAME	0x00000002
+#define AI_NUMERICHOST	0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED	0x00000008
+#define AI_ALL		0x00000010
+#define AI_ADDRCONFIG	0x00000020
+#define AI_DEFAULT	(AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef	NI_MAXHOST
+#undef	NI_MAXSERV
+
+#define	NI_MAXHOST	1025
+#define	NI_MAXSERV	32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef	NI_NOFQDN
+#undef	NI_NUMERICHOST
+#undef	NI_NAMEREQD
+#undef	NI_NUMERICSERV
+#undef	NI_DGRAM
+#undef	NI_NUMERICSCOPE
+
+#define	NI_NOFQDN	0x00000001
+#define	NI_NUMERICHOST	0x00000002
+#define	NI_NAMEREQD	0x00000004
+#define	NI_NUMERICSERV	0x00000008
+#define	NI_DGRAM	0x00000010
+#define	NI_NUMERICSCOPE	0x00000020	/*2553bis-00*/
+
+/*
+ * Structures for getrrsetbyname()
+ */
+struct rdatainfo {
+	unsigned int		rdi_length;
+	unsigned char		*rdi_data;
+};
+
+struct rrsetinfo {
+	unsigned int		rri_flags;
+	int			rri_rdclass;
+	int			rri_rdtype;
+	unsigned int		rri_ttl;
+	unsigned int		rri_nrdatas;
+	unsigned int		rri_nsigs;
+	char			*rri_name;
+	struct rdatainfo	*rri_rdatas;
+	struct rdatainfo	*rri_sigs;
+};
+
+/*
+ * Flags for getrrsetbyname()
+ */
+#define RRSET_VALIDATED		0x00000001
+	/* Set was dnssec validated */
+
+/*
+ * Return codes for getrrsetbyname()
+ */
+#define ERRSET_SUCCESS		0
+#define ERRSET_NOMEMORY		1
+#define ERRSET_FAIL		2
+#define ERRSET_INVAL		3
+#define	ERRSET_NONAME	 	4
+#define	ERRSET_NODATA	 	5
+
+/*
+ * Define to map into lwres_ namespace.
+ */
+
+#define LWRES_NAMESPACE
+
+#ifdef LWRES_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo lwres_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo lwres_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo lwres_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror lwres_gai_strerror
+
+#ifdef herror
+#undef herror
+#endif
+#define herror lwres_herror
+
+#ifdef hstrerror
+#undef hstrerror
+#endif
+#define hstrerror lwres_hstrerror
+
+#ifdef getipnodebyname
+#undef getipnodebyname
+#endif
+#define getipnodebyname lwres_getipnodebyname
+
+#ifdef getipnodebyaddr
+#undef getipnodebyaddr
+#endif
+#define getipnodebyaddr lwres_getipnodebyaddr
+
+#ifdef freehostent
+#undef freehostent
+#endif
+#define freehostent lwres_freehostent
+
+#ifdef gethostbyname
+#undef gethostbyname
+#endif
+#define gethostbyname lwres_gethostbyname
+
+#ifdef gethostbyname2
+#undef gethostbyname2
+#endif
+#define gethostbyname2 lwres_gethostbyname2
+
+#ifdef gethostbyaddr
+#undef gethostbyaddr
+#endif
+#define gethostbyaddr lwres_gethostbyaddr
+
+#ifdef gethostent
+#undef gethostent
+#endif
+#define gethostent lwres_gethostent
+
+#ifdef sethostent
+#undef sethostent
+#endif
+#define sethostent lwres_sethostent
+
+#ifdef endhostent
+#undef endhostent
+#endif
+#define endhostent lwres_endhostent
+
+/* #define sethostfile lwres_sethostfile */
+
+#ifdef gethostbyname_r
+#undef gethostbyname_r
+#endif
+#define gethostbyname_r lwres_gethostbyname_r
+
+#ifdef gethostbyaddr_r
+#undef gethostbyaddr_r
+#endif
+#define gethostbyaddr_r lwres_gethostbyaddr_r
+
+#ifdef gethostent_r
+#undef gethostent_r
+#endif
+#define gethostent_r lwres_gethostent_r
+
+#ifdef sethostent_r
+#undef sethostent_r
+#endif
+#define sethostent_r lwres_sethostent_r
+
+#ifdef endhostent_r
+#undef endhostent_r
+#endif
+#define endhostent_r lwres_endhostent_r
+
+#ifdef getrrsetbyname
+#undef getrrsetbyname
+#endif
+#define getrrsetbyname lwres_getrrsetbyname
+
+#ifdef freerrset
+#undef freerrset
+#endif
+#define freerrset lwres_freerrset
+
+#ifdef notyet
+#define getservbyname lwres_getservbyname
+#define getservbyport lwres_getservbyport
+#define getservent lwres_getservent
+#define setservent lwres_setservent
+#define endservent lwres_endservent
+
+#define getservbyname_r lwres_getservbyname_r
+#define getservbyport_r lwres_getservbyport_r
+#define getservent_r lwres_getservent_r
+#define setservent_r lwres_setservent_r
+#define endservent_r lwres_endservent_r
+
+#define getprotobyname lwres_getprotobyname
+#define getprotobynumber lwres_getprotobynumber
+#define getprotoent lwres_getprotoent
+#define setprotoent lwres_setprotoent
+#define endprotoent lwres_endprotoent
+
+#define getprotobyname_r lwres_getprotobyname_r
+#define getprotobynumber_r lwres_getprotobynumber_r
+#define getprotoent_r lwres_getprotoent_r
+#define setprotoent_r lwres_setprotoent_r
+#define endprotoent_r lwres_endprotoent_r
+
+#ifdef getnetbyname
+#undef getnetbyname
+#endif
+#define getnetbyname lwres_getnetbyname
+
+#ifdef getnetbyaddr
+#undef getnetbyaddr
+#endif
+#define getnetbyaddr lwres_getnetbyaddr
+
+#ifdef getnetent
+#undef getnetent
+#endif
+#define getnetent lwres_getnetent
+
+#ifdef setnetent
+#undef setnetent
+#endif
+#define setnetent lwres_setnetent
+
+#ifdef endnetent
+#undef endnetent
+#endif
+#define endnetent lwres_endnetent
+
+
+#ifdef getnetbyname_r
+#undef getnetbyname_r
+#endif
+#define getnetbyname_r lwres_getnetbyname_r
+
+#ifdef getnetbyaddr_r
+#undef getnetbyaddr_r
+#endif
+#define getnetbyaddr_r lwres_getnetbyaddr_r
+
+#ifdef getnetent_r
+#undef getnetent_r
+#endif
+#define getnetent_r lwres_getnetent_r
+
+#ifdef setnetent_r
+#undef setnetent_r
+#endif
+#define setnetent_r lwres_setnetent_r
+
+#ifdef endnetent_r
+#undef endnetent_r
+#endif
+#define endnetent_r lwres_endnetent_r
+#endif	/* notyet */
+
+#ifdef h_errno
+#undef h_errno
+#endif
+#define h_errno lwres_h_errno
+
+#endif	/* LWRES_NAMESPACE */
+
+LWRES_LANG_BEGINDECLS
+
+LIBLWRES_EXTERNAL_DATA extern int lwres_h_errno;
+
+int		lwres_getaddrinfo(const char *, const char *,
+				 const struct addrinfo *, struct addrinfo **);
+int		lwres_getnameinfo(const struct sockaddr *, size_t, char *,
+				 size_t, char *, size_t, int);
+void		lwres_freeaddrinfo(struct addrinfo *);
+char		*lwres_gai_strerror(int);
+
+struct hostent	*lwres_gethostbyaddr(const char *, int, int);
+struct hostent	*lwres_gethostbyname(const char *);
+struct hostent	*lwres_gethostbyname2(const char *, int);
+struct hostent	*lwres_gethostent(void);
+struct hostent	*lwres_getipnodebyname(const char *, int, int, int *);
+struct hostent	*lwres_getipnodebyaddr(const void *, size_t, int, int *);
+void		lwres_endhostent(void);
+void		lwres_sethostent(int);
+/* void		lwres_sethostfile(const char *); */
+void		lwres_freehostent(struct hostent *);
+
+int		lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
+				     unsigned int, struct rrsetinfo **);
+void		lwres_freerrset(struct rrsetinfo *);
+
+#ifdef notyet
+struct netent	*lwres_getnetbyaddr(unsigned long, int);
+struct netent	*lwres_getnetbyname(const char *);
+struct netent	*lwres_getnetent(void);
+void		lwres_endnetent(void);
+void		lwres_setnetent(int);
+
+struct protoent	*lwres_getprotobyname(const char *);
+struct protoent	*lwres_getprotobynumber(int);
+struct protoent	*lwres_getprotoent(void);
+void		lwres_endprotoent(void);
+void		lwres_setprotoent(int);
+
+struct servent	*lwres_getservbyname(const char *, const char *);
+struct servent	*lwres_getservbyport(int, const char *);
+struct servent	*lwres_getservent(void);
+void		lwres_endservent(void);
+void		lwres_setservent(int);
+#endif /* notyet */
+
+void		lwres_herror(const char *);
+const char	*lwres_hstrerror(int);
+
+
+#ifdef _REENTRANT
+struct hostent	*lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
+					char *, int, int *);
+struct hostent	*lwres_gethostbyname_r(const char *, struct hostent *,
+					char *, int, int *);
+struct hostent	*lwres_gethostent_r(struct hostent *, char *, int, int *);
+void		lwres_sethostent_r(int);
+void		lwres_endhostent_r(void);
+
+#ifdef notyet
+struct netent	*lwres_getnetbyname_r(const char *, struct netent *,
+					char *, int);
+struct netent	*lwres_getnetbyaddr_r(long, int, struct netent *,
+					char *, int);
+struct netent	*lwres_getnetent_r(struct netent *, char *, int);
+void		lwres_setnetent_r(int);
+void		lwres_endnetent_r(void);
+
+struct protoent	*lwres_getprotobyname_r(const char *,
+				struct protoent *, char *, int);
+struct protoent	*lwres_getprotobynumber_r(int,
+				struct protoent *, char *, int);
+struct protoent	*lwres_getprotoent_r(struct protoent *, char *, int);
+void		lwres_setprotoent_r(int);
+void		lwres_endprotoent_r(void);
+
+struct servent	*lwres_getservbyname_r(const char *name, const char *,
+					struct servent *, char *, int);
+struct servent	*lwres_getservbyport_r(int port, const char *,
+					struct servent *, char *, int);
+struct servent	*lwres_getservent_r(struct servent *, char *, int);
+void		lwres_setservent_r(int);
+void		lwres_endservent_r(void);
+#endif	/* notyet */
+#endif	/* _REENTRANT */
+
+LWRES_LANG_ENDDECLS
+
+#ifdef notyet
+/* This is nec'y to make this include file properly replace the sun version. */
+#ifdef sun
+#ifdef __GNU_LIBRARY__
+#include <rpc/netdb.h>		/* Required. */
+#else /* !__GNU_LIBRARY__ */
+struct rpcent {
+	char	*r_name;	/* name of server for this rpc program */
+	char	**r_aliases;	/* alias list */
+	int	r_number;	/* rpc program number */
+};
+struct rpcent	*lwres_getrpcbyname();
+struct rpcent	*lwres_getrpcbynumber(),
+struct rpcent	*lwres_getrpcent();
+#endif /* __GNU_LIBRARY__ */
+#endif /* sun */
+#endif /* notyet */
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* LWRES_NETDB_H */
diff --git a/lib/lwres/win32/include/lwres/platform.h b/lib/lwres/win32/include/lwres/platform.h
new file mode 100644
index 0000000..1484e47
--- /dev/null
+++ b/lib/lwres/win32/include/lwres/platform.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: platform.h,v 1.7 2007/06/18 23:47:52 tbox Exp $ */
+
+#ifndef LWRES_PLATFORM_H
+#define LWRES_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Network.
+ ***/
+
+/*
+ * Define if this system needs the <netinet/in6.h> header file for IPv6.
+ */
+/*@LWRES_PLATFORM_NEEDNETINETIN6H@ */
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file for IPv6.
+ */
+/*@LWRES_PLATFORM_NEEDNETINET6IN6H@ */
+
+/*
+ * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
+ * will be defined.
+ */
+/*@LWRES_PLATFORM_HAVESALEN@ */
+
+/*
+ * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
+ * will be defined.
+ */
+/*@LWRES_PLATFORM_HAVEIPV6@ */
+
+/*
+ * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
+ * be defined.
+ */
+#define LWRES_PLATFORM_NEEDIN6ADDRANY
+
+/*
+ * If this system has in_addr6, rather than in6_addr,
+ * LWRES_PLATFORM_HAVEINADDR6 will be defined.
+ */
+/*@LWRES_PLATFORM_HAVEINADDR6@ */
+
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
+ */
+/*@LWRES_PLATFORM_NEEDSYSSELECTH@ */
+
+/* VS2005 does not provide strlcpy() */
+#define LWRES_PLATFORM_NEEDSTRLCPY
+
+/*
+ * Define some Macros
+ */
+#ifdef LIBLWRES_EXPORTS
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
+#endif
+
+/*
+ * Define the MAKE_NONBLOCKING Macro here since it can get used in
+ * a number of places.
+ */
+#define MAKE_NONBLOCKING(sd, retval) \
+do { \
+	int _on = 1; \
+	retval = ioctlsocket((SOCKET) sd, FIONBIO, &_on); \
+} while (0)
+
+/*
+ * Need to define close here since lwres closes sockets and not files
+ */
+#undef  close
+#define close closesocket
+
+/*
+ * Internal to liblwres.
+ */
+void InitSockets(void);
+
+void DestroySockets(void);
+
+#endif /* LWRES_PLATFORM_H */
diff --git a/lib/lwres/win32/liblwres.def b/lib/lwres/win32/liblwres.def
new file mode 100644
index 0000000..e3ce6e5
--- /dev/null
+++ b/lib/lwres/win32/liblwres.def
@@ -0,0 +1,90 @@
+LIBRARY liblwres
+
+; Exported Functions
+EXPORTS
+
+lwres_addr_parse
+lwres_buffer_add
+lwres_buffer_back
+lwres_buffer_clear
+lwres_buffer_first
+lwres_buffer_forward
+lwres_buffer_getmem
+lwres_buffer_getuint16
+lwres_buffer_getuint32
+lwres_buffer_getuint8
+lwres_buffer_init
+lwres_buffer_invalidate
+lwres_buffer_putmem
+lwres_buffer_putuint16
+lwres_buffer_putuint32
+lwres_buffer_putuint8
+lwres_buffer_subtract
+lwres_conf_clear
+lwres_conf_get
+lwres_conf_init
+lwres_conf_parse
+lwres_conf_print
+lwres_context_allocmem
+lwres_context_create
+lwres_context_destroy
+lwres_context_freemem
+lwres_context_getsocket
+lwres_context_initserial
+lwres_context_nextserial
+lwres_context_recv
+lwres_context_send
+lwres_context_sendrecv
+lwres_data_parse
+lwres_freeaddrinfo
+lwres_freehostent
+lwres_freerrset
+lwres_gabnrequest_free
+lwres_gabnrequest_parse
+lwres_gabnrequest_render
+lwres_gabnresponse_free
+lwres_gabnresponse_parse
+lwres_gabnresponse_render
+lwres_gai_strerror
+lwres_getaddrinfo
+lwres_getaddrsbyname
+lwres_gethostbyaddr
+lwres_gethostbyname
+lwres_gethostbyname2
+lwres_getipnodebyaddr
+lwres_getipnodebyname
+lwres_getnamebyaddr
+lwres_getnameinfo
+lwres_getrdatabyname
+lwres_getrrsetbyname
+lwres_gnbarequest_free
+lwres_gnbarequest_parse
+lwres_gnbarequest_render
+lwres_gnbaresponse_free
+lwres_gnbaresponse_parse
+lwres_gnbaresponse_render
+lwres_grbnrequest_free
+lwres_grbnrequest_parse
+lwres_grbnrequest_render
+lwres_grbnresponse_free
+lwres_grbnresponse_parse
+lwres_grbnresponse_render
+lwres_hstrerror
+lwres_lwpacket_parseheader
+lwres_lwpacket_renderheader
+lwres_net_aton
+lwres_net_ntop
+lwres_net_pton
+lwres_nooprequest_free
+lwres_nooprequest_parse
+lwres_nooprequest_render
+lwres_noopresponse_free
+lwres_noopresponse_parse
+lwres_noopresponse_render
+lwres_string_parse
+
+; Exported Data
+
+EXPORTS
+
+;lwres_h_errno		DATA
diff --git a/lib/lwres/win32/liblwres.dsp.in b/lib/lwres/win32/liblwres.dsp.in
new file mode 100644
index 0000000..5a66a95
--- /dev/null
+++ b/lib/lwres/win32/liblwres.dsp.in
@@ -0,0 +1,261 @@
+# Microsoft Developer Studio Project File - Name="liblwres" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=liblwres - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "liblwres - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "liblwres - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" @COPTY@ /FD /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll @MACHINE@ /out:"../../../Build/Release/liblwres.dll"
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "liblwres_EXPORTS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR @COPTY@ /FD /GZ /c
+# SUBTRACT CPP /X
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /debug @MACHINE@ /out:"../../../Build/Debug/liblwres.dll" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "liblwres - @PLATFORM@ Release"
+# Name "liblwres - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE=..\compat.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\context.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\DLLMain.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gai_strerror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getaddrinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\gethost.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getipnode.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getnameinfo.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\getrrset.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\herror.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwbuffer.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\lwconfig.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetaton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetntop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwinetpton.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwpacket.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_gabn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_gnba.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_grbn.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwres_noop.c
+# End Source File
+# Begin Source File
+
+SOURCE=..\lwresutil.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\socket.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\version.c
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# Begin Source File
+
+SOURCE=..\include\lwres\context.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\int.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\ipv6.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lang.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\list.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwbuffer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwpacket.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\lwres.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\net.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\netdb.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\include\lwres\platform.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\result.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\stdlib.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\string.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\include\lwres\version.h
+# End Source File
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# Begin Source File
+
+SOURCE=.\liblwres.def
+# End Source File
+# End Target
+# End Project
diff --git a/lib/lwres/win32/liblwres.dsw b/lib/lwres/win32/liblwres.dsw
new file mode 100644
index 0000000..06267b5
--- /dev/null
+++ b/lib/lwres/win32/liblwres.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "liblwres"=".\liblwres.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/lwres/win32/liblwres.mak.in b/lib/lwres/win32/liblwres.mak.in
new file mode 100644
index 0000000..30ff30d
--- /dev/null
+++ b/lib/lwres/win32/liblwres.mak.in
@@ -0,0 +1,798 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on liblwres.dsp
+!IF "$(CFG)" == ""
+CFG=liblwres - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to liblwres - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "liblwres - @PLATFORM@ Release" && "$(CFG)" != "liblwres - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "liblwres.mak" CFG="liblwres - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "liblwres - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "liblwres - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\liblwres.dll"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\compat.obj"
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\gethost.obj"
+	-@erase "$(INTDIR)\getipnode.obj"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\getrrset.obj"
+	-@erase "$(INTDIR)\herror.obj"
+	-@erase "$(INTDIR)\lwbuffer.obj"
+	-@erase "$(INTDIR)\lwconfig.obj"
+	-@erase "$(INTDIR)\lwinetaton.obj"
+	-@erase "$(INTDIR)\lwinetntop.obj"
+	-@erase "$(INTDIR)\lwinetpton.obj"
+	-@erase "$(INTDIR)\lwpacket.obj"
+	-@erase "$(INTDIR)\lwres_gabn.obj"
+	-@erase "$(INTDIR)\lwres_gnba.obj"
+	-@erase "$(INTDIR)\lwres_grbn.obj"
+	-@erase "$(INTDIR)\lwres_noop.obj"
+	-@erase "$(INTDIR)\lwresutil.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(OUTDIR)\liblwres.exp"
+	-@erase "$(OUTDIR)\liblwres.lib"
+	-@erase "..\..\..\Build\Release\liblwres.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /incremental:no /pdb:"$(OUTDIR)\liblwres.pdb" @MACHINE@ /def:".\liblwres.def" /out:"../../../Build/Release/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" 
+DEF_FILE= \
+	".\liblwres.def"
+LINK32_OBJS= \
+	"$(INTDIR)\compat.obj" \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\gethost.obj" \
+	"$(INTDIR)\getipnode.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\getrrset.obj" \
+	"$(INTDIR)\herror.obj" \
+	"$(INTDIR)\lwbuffer.obj" \
+	"$(INTDIR)\lwinetaton.obj" \
+	"$(INTDIR)\lwinetntop.obj" \
+	"$(INTDIR)\lwinetpton.obj" \
+	"$(INTDIR)\lwpacket.obj" \
+	"$(INTDIR)\lwres_gabn.obj" \
+	"$(INTDIR)\lwres_gnba.obj" \
+	"$(INTDIR)\lwres_grbn.obj" \
+	"$(INTDIR)\lwres_noop.obj" \
+	"$(INTDIR)\lwresutil.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\lwconfig.obj"
+
+"..\..\..\Build\Release\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\liblwres.dll" "$(OUTDIR)\liblwres.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\compat.obj"
+	-@erase "$(INTDIR)\compat.sbr"
+	-@erase "$(INTDIR)\context.obj"
+	-@erase "$(INTDIR)\context.sbr"
+	-@erase "$(INTDIR)\DLLMain.obj"
+	-@erase "$(INTDIR)\DLLMain.sbr"
+	-@erase "$(INTDIR)\gai_strerror.obj"
+	-@erase "$(INTDIR)\gai_strerror.sbr"
+	-@erase "$(INTDIR)\getaddrinfo.obj"
+	-@erase "$(INTDIR)\getaddrinfo.sbr"
+	-@erase "$(INTDIR)\gethost.obj"
+	-@erase "$(INTDIR)\gethost.sbr"
+	-@erase "$(INTDIR)\getipnode.obj"
+	-@erase "$(INTDIR)\getipnode.sbr"
+	-@erase "$(INTDIR)\getnameinfo.obj"
+	-@erase "$(INTDIR)\getnameinfo.sbr"
+	-@erase "$(INTDIR)\getrrset.obj"
+	-@erase "$(INTDIR)\getrrset.sbr"
+	-@erase "$(INTDIR)\herror.obj"
+	-@erase "$(INTDIR)\herror.sbr"
+	-@erase "$(INTDIR)\lwbuffer.obj"
+	-@erase "$(INTDIR)\lwbuffer.sbr"
+	-@erase "$(INTDIR)\lwconfig.obj"
+	-@erase "$(INTDIR)\lwconfig.sbr"
+	-@erase "$(INTDIR)\lwinetaton.obj"
+	-@erase "$(INTDIR)\lwinetaton.sbr"
+	-@erase "$(INTDIR)\lwinetntop.obj"
+	-@erase "$(INTDIR)\lwinetntop.sbr"
+	-@erase "$(INTDIR)\lwinetpton.obj"
+	-@erase "$(INTDIR)\lwinetpton.sbr"
+	-@erase "$(INTDIR)\lwpacket.obj"
+	-@erase "$(INTDIR)\lwpacket.sbr"
+	-@erase "$(INTDIR)\lwres_gabn.obj"
+	-@erase "$(INTDIR)\lwres_gabn.sbr"
+	-@erase "$(INTDIR)\lwres_gnba.obj"
+	-@erase "$(INTDIR)\lwres_gnba.sbr"
+	-@erase "$(INTDIR)\lwres_grbn.obj"
+	-@erase "$(INTDIR)\lwres_grbn.sbr"
+	-@erase "$(INTDIR)\lwres_noop.obj"
+	-@erase "$(INTDIR)\lwres_noop.sbr"
+	-@erase "$(INTDIR)\lwresutil.obj"
+	-@erase "$(INTDIR)\lwresutil.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(INTDIR)\socket.obj"
+	-@erase "$(INTDIR)\socket.sbr"
+	-@erase "$(INTDIR)\version.obj"
+	-@erase "$(INTDIR)\version.sbr"
+	-@erase "$(OUTDIR)\liblwres.bsc"
+	-@erase "$(OUTDIR)\liblwres.exp"
+	-@erase "$(OUTDIR)\liblwres.lib"
+	-@erase "$(OUTDIR)\liblwres.pdb"
+	-@erase "..\..\..\Build\Debug\liblwres.dll"
+	-@erase "..\..\..\Build\Debug\liblwres.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "./" /I "../../../lib/lwres/win32/include/lwres" /I "include" /I "../include" /I "../../../" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isc/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /D "_USRDLL" /D "USE_MD5" @CRYPTO@ /D "LIBLWRES_EXPORTS" /FR"$(INTDIR)\\" /Fp"$(INTDIR)\liblwres.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\liblwres.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\compat.sbr" \
+	"$(INTDIR)\context.sbr" \
+	"$(INTDIR)\DLLMain.sbr" \
+	"$(INTDIR)\gai_strerror.sbr" \
+	"$(INTDIR)\getaddrinfo.sbr" \
+	"$(INTDIR)\gethost.sbr" \
+	"$(INTDIR)\getipnode.sbr" \
+	"$(INTDIR)\getnameinfo.sbr" \
+	"$(INTDIR)\getrrset.sbr" \
+	"$(INTDIR)\herror.sbr" \
+	"$(INTDIR)\lwbuffer.sbr" \
+	"$(INTDIR)\lwinetaton.sbr" \
+	"$(INTDIR)\lwinetntop.sbr" \
+	"$(INTDIR)\lwinetpton.sbr" \
+	"$(INTDIR)\lwpacket.sbr" \
+	"$(INTDIR)\lwres_gabn.sbr" \
+	"$(INTDIR)\lwres_gnba.sbr" \
+	"$(INTDIR)\lwres_grbn.sbr" \
+	"$(INTDIR)\lwres_noop.sbr" \
+	"$(INTDIR)\lwresutil.sbr" \
+	"$(INTDIR)\socket.sbr" \
+	"$(INTDIR)\version.sbr" \
+	"$(INTDIR)\lwconfig.sbr"
+
+"$(OUTDIR)\liblwres.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib iphlpapi.lib /nologo /dll /incremental:yes /pdb:"$(OUTDIR)\liblwres.pdb" /debug @MACHINE@ /def:".\liblwres.def" /out:"../../../Build/Debug/liblwres.dll" /implib:"$(OUTDIR)\liblwres.lib" /pdbtype:sept 
+DEF_FILE= \
+	".\liblwres.def"
+LINK32_OBJS= \
+	"$(INTDIR)\compat.obj" \
+	"$(INTDIR)\context.obj" \
+	"$(INTDIR)\DLLMain.obj" \
+	"$(INTDIR)\gai_strerror.obj" \
+	"$(INTDIR)\getaddrinfo.obj" \
+	"$(INTDIR)\gethost.obj" \
+	"$(INTDIR)\getipnode.obj" \
+	"$(INTDIR)\getnameinfo.obj" \
+	"$(INTDIR)\getrrset.obj" \
+	"$(INTDIR)\herror.obj" \
+	"$(INTDIR)\lwbuffer.obj" \
+	"$(INTDIR)\lwinetaton.obj" \
+	"$(INTDIR)\lwinetntop.obj" \
+	"$(INTDIR)\lwinetpton.obj" \
+	"$(INTDIR)\lwpacket.obj" \
+	"$(INTDIR)\lwres_gabn.obj" \
+	"$(INTDIR)\lwres_gnba.obj" \
+	"$(INTDIR)\lwres_grbn.obj" \
+	"$(INTDIR)\lwres_noop.obj" \
+	"$(INTDIR)\lwresutil.obj" \
+	"$(INTDIR)\socket.obj" \
+	"$(INTDIR)\version.obj" \
+	"$(INTDIR)\lwconfig.obj"
+
+"..\..\..\Build\Debug\liblwres.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("liblwres.dep")
+!INCLUDE "liblwres.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "liblwres.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "liblwres - @PLATFORM@ Release" || "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+SOURCE=..\compat.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\compat.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\compat.obj"	"$(INTDIR)\compat.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\context.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\context.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\context.obj"	"$(INTDIR)\context.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\DLLMain.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\DLLMain.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\DLLMain.obj"	"$(INTDIR)\DLLMain.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\gai_strerror.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\gai_strerror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\gai_strerror.obj"	"$(INTDIR)\gai_strerror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getaddrinfo.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getaddrinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getaddrinfo.obj"	"$(INTDIR)\getaddrinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\gethost.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\gethost.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\gethost.obj"	"$(INTDIR)\gethost.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getipnode.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getipnode.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getipnode.obj"	"$(INTDIR)\getipnode.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getnameinfo.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getnameinfo.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getnameinfo.obj"	"$(INTDIR)\getnameinfo.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\getrrset.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\getrrset.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\getrrset.obj"	"$(INTDIR)\getrrset.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\herror.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\herror.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\herror.obj"	"$(INTDIR)\herror.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwbuffer.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwbuffer.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwbuffer.obj"	"$(INTDIR)\lwbuffer.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\lwconfig.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwconfig.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwconfig.obj"	"$(INTDIR)\lwconfig.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=..\lwinetaton.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwinetaton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwinetaton.obj"	"$(INTDIR)\lwinetaton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwinetntop.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwinetntop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwinetntop.obj"	"$(INTDIR)\lwinetntop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwinetpton.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwinetpton.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwinetpton.obj"	"$(INTDIR)\lwinetpton.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwpacket.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwpacket.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwpacket.obj"	"$(INTDIR)\lwpacket.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_gabn.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwres_gabn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwres_gabn.obj"	"$(INTDIR)\lwres_gabn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_gnba.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwres_gnba.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwres_gnba.obj"	"$(INTDIR)\lwres_gnba.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_grbn.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwres_grbn.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwres_grbn.obj"	"$(INTDIR)\lwres_grbn.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwres_noop.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwres_noop.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwres_noop.obj"	"$(INTDIR)\lwres_noop.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=..\lwresutil.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\lwresutil.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\lwresutil.obj"	"$(INTDIR)\lwresutil.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+SOURCE=.\socket.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\socket.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\socket.obj"	"$(INTDIR)\socket.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\version.c
+
+!IF  "$(CFG)" == "liblwres - @PLATFORM@ Release"
+
+
+"$(INTDIR)\version.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "liblwres - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\version.obj"	"$(INTDIR)\version.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/lwres/win32/liblwres.vcxproj.filters.in b/lib/lwres/win32/liblwres.vcxproj.filters.in
new file mode 100644
index 0000000..990684d
--- /dev/null
+++ b/lib/lwres/win32/liblwres.vcxproj.filters.in
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="liblwres.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="DLLMain.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="lwconfig.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="socket.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="version.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\compat.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\context.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gai_strerror.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getaddrinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\gethost.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getipnode.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getnameinfo.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\getrrset.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\herror.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwbuffer.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwinetaton.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwinetntop.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwinetpton.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwpacket.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwres_gabn.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwres_gnba.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwres_grbn.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwres_noop.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\lwresutil.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="include\lwres\int.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\lwres\net.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\lwres\netdb.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="include\lwres\platform.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\context.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\ipv6.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\lang.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\list.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\lwbuffer.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\lwpacket.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\lwres.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\result.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\stdlib.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\string.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\include\lwres\version.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+</Project>
diff --git a/lib/lwres/win32/liblwres.vcxproj.in b/lib/lwres/win32/liblwres.vcxproj.in
new file mode 100644
index 0000000..c7ae18f
--- /dev/null
+++ b/lib/lwres/win32/liblwres.vcxproj.in
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{EBDB30A3-E8EB-4E1D-915E-06720600A84E}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>liblwres</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@_DEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <AdditionalDependencies>ws2_32.lib;iphlpapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;USE_MD5;@CRYPTO@NDEBUG;_WINDOWS;_USRDLL;LIBLWRES_EXPORTS;%(PreprocessorDefinitions);%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>.\;..\..\lwres\win32\include;..\..\..\;include;..\include;..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <AdditionalDependencies>ws2_32.lib;iphlpapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ModuleDefinitionFile>$(ProjectName).def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="liblwres.def" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\compat.c" />
+    <ClCompile Include="..\context.c" />
+    <ClCompile Include="..\gai_strerror.c" />
+    <ClCompile Include="..\getaddrinfo.c" />
+    <ClCompile Include="..\gethost.c" />
+    <ClCompile Include="..\getipnode.c" />
+    <ClCompile Include="..\getnameinfo.c" />
+    <ClCompile Include="..\getrrset.c" />
+    <ClCompile Include="..\herror.c" />
+    <ClCompile Include="..\lwbuffer.c" />
+    <ClCompile Include="..\lwinetaton.c" />
+    <ClCompile Include="..\lwinetntop.c" />
+    <ClCompile Include="..\lwinetpton.c" />
+    <ClCompile Include="..\lwpacket.c" />
+    <ClCompile Include="..\lwresutil.c" />
+    <ClCompile Include="..\lwres_gabn.c" />
+    <ClCompile Include="..\lwres_gnba.c" />
+    <ClCompile Include="..\lwres_grbn.c" />
+    <ClCompile Include="..\lwres_noop.c" />
+    <ClCompile Include="DLLMain.c" />
+    <ClCompile Include="lwconfig.c" />
+    <ClCompile Include="socket.c" />
+    <ClCompile Include="version.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\include\lwres\context.h" />
+    <ClInclude Include="..\include\lwres\ipv6.h" />
+    <ClInclude Include="..\include\lwres\lang.h" />
+    <ClInclude Include="..\include\lwres\list.h" />
+    <ClInclude Include="..\include\lwres\lwbuffer.h" />
+    <ClInclude Include="..\include\lwres\lwpacket.h" />
+    <ClInclude Include="..\include\lwres\lwres.h" />
+    <ClInclude Include="..\include\lwres\result.h" />
+    <ClInclude Include="..\include\lwres\stdlib.h" />
+    <ClInclude Include="..\include\lwres\string.h" />
+    <ClInclude Include="..\include\lwres\version.h" />
+    <ClInclude Include="include\lwres\int.h" />
+    <ClInclude Include="include\lwres\net.h" />
+    <ClInclude Include="include\lwres\netdb.h" />
+    <ClInclude Include="include\lwres\platform.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/lwres/win32/liblwres.vcxproj.user b/lib/lwres/win32/liblwres.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/lwres/win32/liblwres.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/lwres/win32/lwconfig.c b/lib/lwres/win32/lwconfig.c
new file mode 100644
index 0000000..9a6c426
--- /dev/null
+++ b/lib/lwres/win32/lwconfig.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: lwconfig.c,v 1.7 2007/12/14 01:40:42 marka Exp $ */
+
+/*
+ * We do this so that we may incorporate everything in the main routines
+ * so that we can take advantage of the fixes and changes made there
+ * without having to add them twice. We can then call the parse routine
+ * if there is a resolv.conf file and fetch our own data from the
+ * Windows environment otherwise.
+ */
+
+/*
+ * Note that on Win32 there is normally no resolv.conf since all information
+ * is stored in the registry. Therefore there is no ordering like the
+ * contents of resolv.conf. Since the "search" or "domain" keyword, on
+ * Win32 if a search list is found it is used, otherwise the domain name
+ * is used since they are mutually exclusive. The search list can be entered
+ * in the DNS tab of the "Advanced TCP/IP settings" window under the same place
+ * that you add your nameserver list.
+ */
+
+#define lwres_conf_parse generic_lwres_conf_parse
+#include "../lwconfig.c"
+#undef lwres_conf_parse
+
+#include <iphlpapi.h>
+
+#define TCPIP_SUBKEY	\
+	"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
+
+void
+get_win32_searchlist(lwres_context_t *ctx) {
+	HKEY hKey;
+	BOOL keyFound = TRUE;
+	char searchlist[MAX_PATH];
+	DWORD searchlen = MAX_PATH;
+	char *cp;
+	lwres_conf_t *confdata;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+
+	memset(searchlist, 0, MAX_PATH);
+	if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, TCPIP_SUBKEY, 0, KEY_READ, &hKey)
+		!= ERROR_SUCCESS)
+		keyFound = FALSE;
+
+	if (keyFound == TRUE) {
+		/* Get the named directory */
+		if (RegQueryValueEx(hKey, "SearchList", NULL, NULL,
+			(LPBYTE)searchlist, &searchlen) != ERROR_SUCCESS)
+			keyFound = FALSE;
+		RegCloseKey(hKey);
+	}
+
+	confdata->searchnxt = 0;
+
+	if (!keyFound)
+		return;
+
+	cp = strtok((char *)searchlist, ", \0");
+	while (cp != NULL) {
+		if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
+			break;
+		if (strlen(cp) <= MAX_PATH && strlen(cp) > 0) {
+			confdata->search[confdata->searchnxt] = lwres_strdup(ctx, cp);
+			if (confdata->search[confdata->searchnxt] != NULL)
+				confdata->searchnxt++;
+		}
+		cp = strtok(NULL, ", \0");
+	}
+}
+
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
+	lwres_result_t ret;
+	lwres_conf_t *confdata;
+	FIXED_INFO * FixedInfo;
+	ULONG    BufLen = sizeof(FIXED_INFO);
+	DWORD    dwRetVal;
+	IP_ADDR_STRING *pIPAddr;
+
+	REQUIRE(ctx != NULL);
+	confdata = &ctx->confdata;
+	REQUIRE(confdata != NULL);
+
+	/* Use the resolver if there is one */
+	ret = generic_lwres_conf_parse(ctx, filename);
+	if ((ret != LWRES_R_NOTFOUND && ret != LWRES_R_SUCCESS) ||
+		(ret == LWRES_R_SUCCESS && confdata->nsnext > 0))
+		return (ret);
+
+	/*
+	 * We didn't get any nameservers so we need to do this ourselves
+	 */
+	FixedInfo = (FIXED_INFO *) GlobalAlloc(GPTR, BufLen);
+	dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	if (dwRetVal == ERROR_BUFFER_OVERFLOW) {
+		GlobalFree(FixedInfo);
+		FixedInfo = GlobalAlloc(GPTR, BufLen);
+		dwRetVal = GetNetworkParams(FixedInfo, &BufLen);
+	}
+	if (dwRetVal != ERROR_SUCCESS) {
+		GlobalFree(FixedInfo);
+		return (LWRES_R_FAILURE);
+	}
+
+	/* Get the search list from the registry */
+	get_win32_searchlist(ctx);
+
+	/* Use only if there is no search list */
+	if (confdata->searchnxt == 0 && strlen(FixedInfo->DomainName) > 0) {
+		confdata->domainname = lwres_strdup(ctx, FixedInfo->DomainName);
+		if (confdata->domainname == NULL) {
+			GlobalFree(FixedInfo);
+			return (LWRES_R_FAILURE);
+		}
+	} else
+		confdata->domainname = NULL;
+
+	/* Get the list of nameservers */
+	pIPAddr = &FixedInfo->DnsServerList;
+	while (pIPAddr) {
+		if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
+			break;
+
+		ret = lwres_create_addr(pIPAddr->IpAddress.String,
+				&confdata->nameservers[confdata->nsnext++], 1);
+		if (ret != LWRES_R_SUCCESS) {
+			GlobalFree(FixedInfo);
+			return (ret);
+		}
+		pIPAddr = pIPAddr ->Next;
+	}
+
+	GlobalFree(FixedInfo);
+	return (LWRES_R_SUCCESS);
+}
diff --git a/lib/lwres/win32/socket.c b/lib/lwres/win32/socket.c
new file mode 100644
index 0000000..c6453dd
--- /dev/null
+++ b/lib/lwres/win32/socket.c
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: socket.c,v 1.3 2007/06/18 23:47:51 tbox Exp $ */
+
+#include <stdio.h>
+#include <isc/print.h>
+#include <lwres/platform.h>
+#include <Winsock2.h>
+
+void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup( wVersionRequested, &wsaData );
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+void
+DestroySockets(void) {
+	WSACleanup();
+}
diff --git a/lib/lwres/win32/version.c b/lib/lwres/win32/version.c
new file mode 100644
index 0000000..f213b33
--- /dev/null
+++ b/lib/lwres/win32/version.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* $Id: version.c,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
+
+#include <versions.h>
+
+#include <lwres/version.h>
+
+LIBLWRES_EXTERNAL_DATA const char lwres_version[] = VERSION;
+
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_libinterface = LIBINTERFACE;
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_librevision = LIBREVISION;
+LIBLWRES_EXTERNAL_DATA const unsigned int lwres_libage = LIBAGE;
diff --git a/lib/samples/Makefile-postinstall.in b/lib/samples/Makefile-postinstall.in
new file mode 100644
index 0000000..aa512f1
--- /dev/null
+++ b/lib/samples/Makefile-postinstall.in
@@ -0,0 +1,73 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# $Id: Makefile-postinstall.in,v 1.3 2009/09/02 23:48:02 tbox Exp $
+
+srcdir =	@srcdir@
+#prefix =	@prefix@
+#exec_prefix =	@exec_prefix@
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS =	-ldns @DNS_CRYPTO_LIBS@
+ISCLIBS =	-lisc
+ISCCFGLIBS =	-lisccfg
+IRSLIBS =	-lirs
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	sample@EXEEXT@ sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@ \
+		dlvchecks@EXEEXT@
+
+OBJS =		sample.@O@ sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+		sample-request.@O@ nsprobe.@O@ dlvchecks.@O@
+
+SRCS =		sample.c sample-async.c sample-gai.c sample-update.c \
+		sample-request.c nsprobe.c dlvchecks..c
+
+@BIND9_MAKE_RULES@
+
+# The following two may depend on BIND9_MAKE_RULES
+CINCLUDES =	-I@export_includedir@
+LDFLAGS =	-L@export_libdir@
+
+sample@EXEEXT@: sample.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample.@O@ ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	nsprobe.@O@ ${LIBS}
+
+dlvchecks@EXEEXT@: dlvchecks.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dlvchecks.@O@ ${LIBS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
diff --git a/lib/samples/Makefile.in b/lib/samples/Makefile.in
new file mode 100644
index 0000000..7abdd8e
--- /dev/null
+++ b/lib/samples/Makefile.in
@@ -0,0 +1,96 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir =	@srcdir@
+VPATH =		@srcdir@
+top_srcdir =	@top_srcdir@
+
+VERSION=@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES =	-I${srcdir}/include -I../dns/include \
+		${DNS_INCLUDES} ${ISC_INCLUDES} \
+		-I${top_srcdir}/lib/irs/include \
+		-I../../lib/irs/include @ISC_OPENSSL_INC@
+
+CDEFINES =	@CRYPTO@ -DVERSION=\"${VERSION}\" \
+		-DSYSCONFDIR=\"${sysconfdir}\"
+CWARNINGS =
+
+ISCLIBS =	../isc/libisc.@A@
+DNSLIBS =	../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS =	../isccfg/libisccfg.@A@
+IRSLIBS =	../irs/libirs.@A@
+
+ISCDEPLIBS =	../isc/libisc.@A@
+DNSDEPLIBS =	../dns/libdns.@A@
+ISCCFGDEPLIBS =	../isccfg/libisccfg.@A@
+IRSDEPLIBS =	../irs/libirs.@A@
+
+DEPLIBS =	${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
+
+LIBS =		${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS =	resolve@EXEEXT@ \
+		sample-async@EXEEXT@ sample-gai@EXEEXT@ \
+		sample-update@EXEEXT@ sample-request@EXEEXT@ nsprobe@EXEEXT@
+
+OBJS =		resolve.@O@ \
+		sample-async.@O@ sample-gai.@O@ sample-update.@O@ \
+		sample-request.@O@ nsprobe.@O@
+
+UOBJS =
+
+SRCS =		resolve.c \
+		sample-async.c sample-gai.c sample-update.c \
+		sample-request.c nsprobe.c
+
+MANPAGES =
+
+HTMLPAGES =
+
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+resolve@EXEEXT@: resolve.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	resolve.@O@ ${IRSLIBS} ${LIBS}
+
+sample-async@EXEEXT@: sample-async.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-async.@O@ ${LIBS}
+
+sample-gai@EXEEXT@: sample-gai.@O@ ${IRSDEPLIBS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-gai.@O@ ${IRSLIBS} ${LIBS}
+
+sample-update@EXEEXT@: sample-update.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-update.@O@ ${LIBS}
+
+sample-request@EXEEXT@: sample-request.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	sample-request.@O@ ${LIBS}
+
+nsprobe@EXEEXT@: nsprobe.@O@ ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	nsprobe.@O@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+	rm -f ${TARGETS}
+	rm -f sample.key
diff --git a/lib/samples/nsprobe.c b/lib/samples/nsprobe.c
new file mode 100644
index 0000000..2ebb19a
--- /dev/null
+++ b/lib/samples/nsprobe.c
@@ -0,0 +1,1216 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#ifndef WIN32
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <unistd.h>
+#include <netdb.h>
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#define MAX_PROBES 1000
+
+static dns_client_t *client = NULL;
+static isc_task_t *probe_task = NULL;
+static isc_appctx_t *actx = NULL;
+static isc_mem_t *mctx = NULL;
+static unsigned int outstanding_probes = 0;
+const char *cacheserver = "127.0.0.1";
+static FILE *input;
+
+typedef enum {
+	none,
+	exist,
+	nxdomain,
+	othererr,
+	multiplesoa,
+	multiplecname,
+	brokenanswer,
+	lame,
+	timedout,
+	notype,
+	unexpected
+} query_result_t;
+
+struct server {
+	ISC_LINK(struct server) link;
+
+	isc_sockaddr_t address;
+	query_result_t result_a;
+	query_result_t result_aaaa;
+};
+
+struct probe_ns {
+	ISC_LINK(struct probe_ns) link;
+
+	dns_fixedname_t fixedname;
+	dns_name_t *name;
+	struct server *current_server;
+	ISC_LIST(struct server) servers;
+};
+
+struct probe_trans {
+	bool inuse;
+	char *domain;
+	dns_fixedname_t fixedname;
+	dns_name_t *qname;
+	const char **qlabel;
+	bool qname_found;
+	dns_clientrestrans_t *resid;
+	dns_message_t *qmessage;
+	dns_message_t *rmessage;
+	dns_clientreqtrans_t *reqid;
+
+	/* NS list */
+	struct probe_ns *current_ns;
+	ISC_LIST(struct probe_ns) nslist;
+};
+
+struct lcl_stat {
+	unsigned long valid;
+	unsigned long ignore;
+	unsigned long nxdomain;
+	unsigned long othererr;
+	unsigned long multiplesoa;
+	unsigned long multiplecname;
+	unsigned long brokenanswer;
+	unsigned long lame;
+	unsigned long unknown;
+} server_stat, domain_stat;
+
+static unsigned long number_of_domains = 0;
+static unsigned long number_of_servers = 0;
+static unsigned long multiple_error_domains = 0;
+static bool debug_mode = false;
+static int verbose_level = 0;
+static const char *qlabels[] = {"www.", "ftp.", NULL};
+static struct probe_trans probes[MAX_PROBES];
+
+static isc_result_t probe_domain(struct probe_trans *trans);
+static void reset_probe(struct probe_trans *trans);
+static isc_result_t fetch_nsaddress(struct probe_trans *trans);
+static isc_result_t probe_name(struct probe_trans *trans,
+			       dns_rdatatype_t type);
+
+/* Dump an rdataset for debug */
+static isc_result_t
+print_rdataset(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	if (!debug_mode)
+		return (ISC_R_SUCCESS);
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	if (!dns_rdataset_isassociated(rdataset))
+		return (ISC_R_SUCCESS);
+	result = dns_rdataset_totext(rdataset, owner, false, false,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+print_name(dns_name_t *name) {
+	isc_result_t result;
+	isc_buffer_t target;
+	isc_region_t r;
+	char t[4096];
+
+	isc_buffer_init(&target, t, sizeof(t));
+	result = dns_name_totext(name, true, &target);
+	if (result == ISC_R_SUCCESS) {
+		isc_buffer_usedregion(&target, &r);
+		printf("%.*s", (int)r.length, (char *)r.base);
+	} else
+		printf("(invalid name)");
+
+	return (result);
+}
+
+static isc_result_t
+print_address(FILE *fp, isc_sockaddr_t *addr) {
+	char buf[NI_MAXHOST];
+
+	if (getnameinfo(&addr->type.sa, addr->length, buf, sizeof(buf),
+			NULL, 0, NI_NUMERICHOST) == 0) {
+		fprintf(fp, "%s", buf);
+	} else {
+		fprintf(fp, "(invalid address)");
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (*taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (*timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (*socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (*actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (*mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+/*
+ * Common routine to make query data
+ */
+static isc_result_t
+make_querymessage(dns_message_t *message, dns_name_t *qname0,
+		  dns_rdatatype_t rdtype)
+{
+	dns_name_t *qname = NULL;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+
+	message->opcode = dns_opcode_query;
+	message->rdclass = dns_rdataclass_in;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_name_init(qname, NULL);
+	dns_name_clone(qname0, qname);
+	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	return (result);
+}
+
+/*
+ * Update statistics
+ */
+static inline void
+increment_entry(unsigned long *entryp) {
+	(*entryp)++;
+	INSIST(*entryp != 0U);	/* check overflow */
+}
+
+static void
+update_stat(struct probe_trans *trans) {
+	struct probe_ns *pns;
+	struct server *server;
+	struct lcl_stat local_stat;
+	unsigned int err_count = 0;
+	const char *stattype;
+
+	increment_entry(&number_of_domains);
+	memset(&local_stat, 0, sizeof(local_stat));
+
+	/* Update per sever statistics */
+	for (pns = ISC_LIST_HEAD(trans->nslist); pns != NULL;
+	     pns = ISC_LIST_NEXT(pns, link)) {
+		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			increment_entry(&number_of_servers);
+
+			if (server->result_aaaa == exist ||
+			    server->result_aaaa == notype) {
+				/*
+				 * Don't care about the result of A query if
+				 * the answer to AAAA query was expected.
+				 */
+				stattype = "valid";
+				increment_entry(&server_stat.valid);
+				increment_entry(&local_stat.valid);
+			} else if (server->result_a == exist) {
+				switch (server->result_aaaa) {
+				case exist:
+				case notype:
+					stattype = "valid";
+					increment_entry(&server_stat.valid);
+					increment_entry(&local_stat.valid);
+					break;
+				case timedout:
+					stattype = "ignore";
+					increment_entry(&server_stat.ignore);
+					increment_entry(&local_stat.ignore);
+					break;
+				case nxdomain:
+					stattype = "nxdomain";
+					increment_entry(&server_stat.nxdomain);
+					increment_entry(&local_stat.nxdomain);
+					break;
+				case othererr:
+					stattype = "othererr";
+					increment_entry(&server_stat.othererr);
+					increment_entry(&local_stat.othererr);
+					break;
+				case multiplesoa:
+					stattype = "multiplesoa";
+					increment_entry(&server_stat.multiplesoa);
+					increment_entry(&local_stat.multiplesoa);
+					break;
+				case multiplecname:
+					stattype = "multiplecname";
+					increment_entry(&server_stat.multiplecname);
+					increment_entry(&local_stat.multiplecname);
+					break;
+				case brokenanswer:
+					stattype = "brokenanswer";
+					increment_entry(&server_stat.brokenanswer);
+					increment_entry(&local_stat.brokenanswer);
+					break;
+				case lame:
+					stattype = "lame";
+					increment_entry(&server_stat.lame);
+					increment_entry(&local_stat.lame);
+					break;
+				default:
+					stattype = "unknown";
+					increment_entry(&server_stat.unknown);
+					increment_entry(&local_stat.unknown);
+					break;
+				}
+			} else {
+				stattype = "unknown";
+				increment_entry(&server_stat.unknown);
+				increment_entry(&local_stat.unknown);
+			}
+
+			if (verbose_level > 1 ||
+			    (verbose_level == 1 &&
+			     strcmp(stattype, "valid") != 0 &&
+			     strcmp(stattype, "unknown") != 0)) {
+				print_name(pns->name);
+				putchar('(');
+				print_address(stdout, &server->address);
+				printf(") for %s:%s\n", trans->domain,
+				       stattype);
+			}
+		}
+	}
+
+	/* Update per domain statistics */
+	if (local_stat.ignore > 0U) {
+		if (verbose_level > 0)
+			printf("%s:ignore\n", trans->domain);
+		increment_entry(&domain_stat.ignore);
+		err_count++;
+	}
+	if (local_stat.nxdomain > 0U) {
+		if (verbose_level > 0)
+			printf("%s:nxdomain\n", trans->domain);
+		increment_entry(&domain_stat.nxdomain);
+		err_count++;
+	}
+	if (local_stat.othererr > 0U) {
+		if (verbose_level > 0)
+			printf("%s:othererr\n", trans->domain);
+		increment_entry(&domain_stat.othererr);
+		err_count++;
+	}
+	if (local_stat.multiplesoa > 0U) {
+		if (verbose_level > 0)
+			printf("%s:multiplesoa\n", trans->domain);
+		increment_entry(&domain_stat.multiplesoa);
+		err_count++;
+	}
+	if (local_stat.multiplecname > 0U) {
+		if (verbose_level > 0)
+			printf("%s:multiplecname\n", trans->domain);
+		increment_entry(&domain_stat.multiplecname);
+		err_count++;
+	}
+	if (local_stat.brokenanswer > 0U) {
+		if (verbose_level > 0)
+			printf("%s:brokenanswer\n", trans->domain);
+		increment_entry(&domain_stat.brokenanswer);
+		err_count++;
+	}
+	if (local_stat.lame > 0U) {
+		if (verbose_level > 0)
+			printf("%s:lame\n", trans->domain);
+		increment_entry(&domain_stat.lame);
+		err_count++;
+	}
+
+	if (err_count > 1U)
+		increment_entry(&multiple_error_domains);
+
+	/*
+	 * We regard the domain as valid if and only if no authoritative server
+	 * has a problem and at least one server is known to be valid.
+	 */
+	if (local_stat.valid > 0U && err_count == 0U) {
+		if (verbose_level > 1)
+			printf("%s:valid\n", trans->domain);
+		increment_entry(&domain_stat.valid);
+	}
+
+	/*
+	 * If the domain has no available server or all servers have the
+	 * 'unknown' result, the domain's result is also regarded as unknown.
+	 */
+	if (local_stat.valid == 0U && err_count == 0U) {
+		if (verbose_level > 1)
+			printf("%s:unknown\n", trans->domain);
+		increment_entry(&domain_stat.unknown);
+	}
+}
+
+/*
+ * Search for an existent name with an A RR
+ */
+
+static isc_result_t
+set_nextqname(struct probe_trans *trans) {
+	isc_result_t result;
+	unsigned int domainlen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad-hoc constant, but should be enough */
+
+	if (*trans->qlabel == NULL)
+		return (ISC_R_NOMORE);
+
+	result = isc_string_copy(buf, sizeof(buf), *trans->qlabel);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = isc_string_append(buf, sizeof(buf), trans->domain);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	domainlen = strlen(buf);
+	isc_buffer_init(&b, buf, domainlen);
+	isc_buffer_add(&b, domainlen);
+	trans->qname = dns_fixedname_initname(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname,
+				   0, NULL);
+
+	trans->qlabel++;
+
+	return (result);
+}
+
+static void
+request_done(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientreqevent_t *rev = (dns_clientreqevent_t *)event;
+	dns_message_t *rmessage;
+	struct probe_ns *pns;
+	struct server *server;
+	isc_result_t result;
+	query_result_t *resultp;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_rdatatype_t type;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans != NULL && trans->inuse == true);
+	rmessage = rev->rmessage;
+	REQUIRE(rmessage == trans->rmessage);
+	INSIST(outstanding_probes > 0);
+
+	server = trans->current_ns->current_server;
+	INSIST(server != NULL);
+
+	if (server->result_a == none) {
+		type = dns_rdatatype_a;
+		resultp = &server->result_a;
+	} else {
+		resultp = &server->result_aaaa;
+		type = dns_rdatatype_aaaa;
+	}
+
+	if (rev->result == ISC_R_SUCCESS) {
+		if ((rmessage->flags & DNS_MESSAGEFLAG_AA) == 0)
+			*resultp = lame;
+		else if (rmessage->rcode == dns_rcode_nxdomain)
+			*resultp = nxdomain;
+		else if (rmessage->rcode != dns_rcode_noerror)
+			*resultp = othererr;
+		else if (rmessage->counts[DNS_SECTION_ANSWER] == 0) {
+			/* no error but empty answer */
+			*resultp = notype;
+		} else {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_ANSWER);
+			while (result == ISC_R_SUCCESS) {
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_ANSWER,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					(void)print_rdataset(rdataset, name);
+
+					if (rdataset->type ==
+					    dns_rdatatype_cname ||
+					    rdataset->type ==
+					    dns_rdatatype_dname) {
+						/* Should chase the chain? */
+						*resultp = exist;
+						goto found;
+					} else if (rdataset->type == type) {
+						*resultp = exist;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_ANSWER);
+			}
+
+			/*
+			 * Something unexpected happened: the response
+			 * contained a non-empty authoritative answer, but we
+			 * could not find an expected result.
+			 */
+			*resultp = unexpected;
+		}
+	} else if (rev->result == DNS_R_RECOVERABLE ||
+		   rev->result == DNS_R_BADLABELTYPE) {
+		/* Broken response.  Try identifying known cases. */
+		*resultp = brokenanswer;
+
+		if (rmessage->counts[DNS_SECTION_ANSWER] > 0) {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_ANSWER);
+			while (result == ISC_R_SUCCESS) {
+				/*
+				 * Check to see if the response has multiple
+				 * CNAME RRs.  Update the result code if so.
+				 */
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_ANSWER,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					if (rdataset->type ==
+					    dns_rdatatype_cname &&
+					    dns_rdataset_count(rdataset) > 1) {
+						*resultp = multiplecname;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_ANSWER);
+			}
+		}
+
+		if (rmessage->counts[DNS_SECTION_AUTHORITY] > 0) {
+			result = dns_message_firstname(rmessage,
+						       DNS_SECTION_AUTHORITY);
+			while (result == ISC_R_SUCCESS) {
+				/*
+				 * Check to see if the response has multiple
+				 * SOA RRs.  Update the result code if so.
+				 */
+				name = NULL;
+				dns_message_currentname(rmessage,
+							DNS_SECTION_AUTHORITY,
+							&name);
+				for (rdataset = ISC_LIST_HEAD(name->list);
+				     rdataset != NULL;
+				     rdataset = ISC_LIST_NEXT(rdataset,
+							      link)) {
+					if (rdataset->type ==
+					    dns_rdatatype_soa &&
+					    dns_rdataset_count(rdataset) > 1) {
+						*resultp = multiplesoa;
+						goto found;
+					}
+				}
+				result = dns_message_nextname(rmessage,
+							      DNS_SECTION_AUTHORITY);
+			}
+		}
+	} else if (rev->result == ISC_R_TIMEDOUT)
+		*resultp = timedout;
+	else {
+		fprintf(stderr, "unexpected result: %u (domain=%s, server=",
+			rev->result, trans->domain);
+		print_address(stderr, &server->address);
+		fputc('\n', stderr);
+		*resultp = unexpected;
+	}
+
+ found:
+	INSIST(*resultp != none);
+	if (type == dns_rdatatype_a && *resultp == exist)
+		trans->qname_found = true;
+
+	dns_client_destroyreqtrans(&trans->reqid);
+	isc_event_free(&event);
+	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+	result = probe_name(trans, type);
+	if (result == ISC_R_NOMORE) {
+		/* We've tried all addresses of all servers. */
+		if (type == dns_rdatatype_a && trans->qname_found) {
+			/*
+			 * If we've explored A RRs and found an existent
+			 * record, we can move to AAAA.
+			 */
+			trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+			probe_name(trans, dns_rdatatype_aaaa);
+			result = ISC_R_SUCCESS;
+		} else if (type == dns_rdatatype_a) {
+			/*
+			 * No server provided an existent A RR of this name.
+			 * Try next label.
+			 */
+			dns_fixedname_invalidate(&trans->fixedname);
+			trans->qname = NULL;
+			result = set_nextqname(trans);
+			if (result == ISC_R_SUCCESS) {
+				trans->current_ns =
+					ISC_LIST_HEAD(trans->nslist);
+				for (pns = trans->current_ns; pns != NULL;
+				     pns = ISC_LIST_NEXT(pns, link)) {
+					for (server = ISC_LIST_HEAD(pns->servers);
+					     server != NULL;
+					     server = ISC_LIST_NEXT(server,
+								    link)) {
+						INSIST(server->result_aaaa ==
+						       none);
+						server->result_a = none;
+					}
+				}
+				result = probe_name(trans, dns_rdatatype_a);
+			}
+		}
+		if (result != ISC_R_SUCCESS) {
+			/*
+			 * We've explored AAAA RRs or failed to find a valid
+			 * query label.  Wrap up the result and move to the
+			 * next domain.
+			 */
+			reset_probe(trans);
+		}
+	} else if (result != ISC_R_SUCCESS)
+		reset_probe(trans); /* XXX */
+}
+
+static isc_result_t
+probe_name(struct probe_trans *trans, dns_rdatatype_t type) {
+	isc_result_t result;
+	struct probe_ns *pns;
+	struct server *server;
+
+	REQUIRE(trans->reqid == NULL);
+	REQUIRE(type == dns_rdatatype_a || type == dns_rdatatype_aaaa);
+
+	for (pns = trans->current_ns; pns != NULL;
+	     pns = ISC_LIST_NEXT(pns, link)) {
+		for (server = ISC_LIST_HEAD(pns->servers); server != NULL;
+		     server = ISC_LIST_NEXT(server, link)) {
+			if ((type == dns_rdatatype_a &&
+			     server->result_a == none) ||
+			    (type == dns_rdatatype_aaaa &&
+			     server->result_aaaa == none)) {
+				pns->current_server = server;
+				goto found;
+			}
+		}
+	}
+
+ found:
+	trans->current_ns = pns;
+	if (pns == NULL)
+		return (ISC_R_NOMORE);
+
+	INSIST(pns->current_server != NULL);
+	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+	result = make_querymessage(trans->qmessage, trans->qname, type);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_client_startrequest(client, trans->qmessage,
+					 trans->rmessage,
+					 &pns->current_server->address,
+					 0, DNS_MESSAGEPARSE_BESTEFFORT,
+					 NULL, 120, 0, 4,
+					 probe_task, request_done, trans,
+					 &trans->reqid);
+
+	return (result);
+}
+
+/*
+ * Get IP addresses of NSes
+ */
+
+static void
+resolve_nsaddress(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct probe_ns *pns = trans->current_ns;
+	isc_result_t result;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans->inuse == true);
+	REQUIRE(pns != NULL);
+	INSIST(outstanding_probes > 0);
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)print_rdataset(rdataset, name);
+
+			if (rdataset->type != dns_rdatatype_a)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_in_a_t rdata_a;
+				struct server *server;
+
+				dns_rdataset_current(rdataset, &rdata);
+				result = dns_rdata_tostruct(&rdata, &rdata_a,
+							    NULL);
+				if (result != ISC_R_SUCCESS)
+					continue;
+
+				server = isc_mem_get(mctx, sizeof(*server));
+				if (server == NULL) {
+					fprintf(stderr, "resolve_nsaddress: "
+						"mem_get failed");
+					result = ISC_R_NOMEMORY;
+					POST(result);
+					goto cleanup;
+				}
+				isc_sockaddr_fromin(&server->address,
+						    &rdata_a.in_addr, 53);
+				ISC_LINK_INIT(server, link);
+				server->result_a = none;
+				server->result_aaaa = none;
+				ISC_LIST_APPEND(pns->servers, server, link);
+			}
+		}
+	}
+
+ cleanup:
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->resid);
+	isc_event_free(&event);
+
+ next_ns:
+	trans->current_ns = ISC_LIST_NEXT(pns, link);
+	if (trans->current_ns == NULL) {
+		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+		dns_fixedname_invalidate(&trans->fixedname);
+		trans->qname = NULL;
+		result = set_nextqname(trans);
+		if (result == ISC_R_SUCCESS)
+			 result = probe_name(trans, dns_rdatatype_a);
+	} else {
+		result = fetch_nsaddress(trans);
+		if (result != ISC_R_SUCCESS)
+			goto next_ns; /* XXX: this is unlikely to succeed */
+	}
+
+	if (result != ISC_R_SUCCESS)
+		reset_probe(trans);
+}
+
+static isc_result_t
+fetch_nsaddress(struct probe_trans *trans) {
+	struct probe_ns *pns;
+
+	pns = trans->current_ns;
+	REQUIRE(pns != NULL);
+
+	return (dns_client_startresolve(client, pns->name, dns_rdataclass_in,
+					dns_rdatatype_a, 0, probe_task,
+					resolve_nsaddress, trans,
+					&trans->resid));
+}
+
+/*
+ * Get NS RRset for a given domain
+ */
+
+static void
+reset_probe(struct probe_trans *trans) {
+	struct probe_ns *pns;
+	struct server *server;
+	isc_result_t result;
+
+	REQUIRE(trans->resid == NULL);
+	REQUIRE(trans->reqid == NULL);
+
+	update_stat(trans);
+
+	dns_message_reset(trans->qmessage, DNS_MESSAGE_INTENTRENDER);
+	dns_message_reset(trans->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+	trans->inuse = false;
+	if (trans->domain != NULL)
+		isc_mem_free(mctx, trans->domain);
+	trans->domain = NULL;
+	if (trans->qname != NULL)
+		dns_fixedname_invalidate(&trans->fixedname);
+	trans->qname = NULL;
+	trans->qlabel = qlabels;
+	trans->qname_found = false;
+	trans->current_ns = NULL;
+
+	while ((pns = ISC_LIST_HEAD(trans->nslist)) != NULL) {
+		ISC_LIST_UNLINK(trans->nslist, pns, link);
+		while ((server = ISC_LIST_HEAD(pns->servers)) != NULL) {
+			ISC_LIST_UNLINK(pns->servers, server, link);
+			isc_mem_put(mctx, server, sizeof(*server));
+		}
+		isc_mem_put(mctx, pns, sizeof(*pns));
+	}
+
+	outstanding_probes--;
+
+	result = probe_domain(trans);
+	if (result == ISC_R_NOMORE && outstanding_probes == 0)
+		isc_app_ctxshutdown(actx);
+}
+
+static void
+resolve_ns(isc_task_t *task, isc_event_t *event) {
+	struct probe_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	struct probe_ns *pns;
+
+	REQUIRE(task == probe_task);
+	REQUIRE(trans->inuse == true);
+	INSIST(outstanding_probes > 0);
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)print_rdataset(rdataset, name);
+
+			if (rdataset->type != dns_rdatatype_ns)
+				continue;
+
+			for (result = dns_rdataset_first(rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(rdataset)) {
+				dns_rdata_ns_t ns;
+
+				dns_rdataset_current(rdataset, &rdata);
+				/*
+				 * Extract the name from the NS record.
+				 */
+				result = dns_rdata_tostruct(&rdata, &ns, NULL);
+				if (result != ISC_R_SUCCESS)
+					continue;
+
+				pns = isc_mem_get(mctx, sizeof(*pns));
+				if (pns == NULL) {
+					fprintf(stderr,
+						"resolve_ns: mem_get failed");
+					result = ISC_R_NOMEMORY;
+					POST(result);
+					/*
+					 * XXX: should we continue with the
+					 * available servers anyway?
+					 */
+					goto cleanup;
+				}
+
+				pns->name =
+				       dns_fixedname_initname(&pns->fixedname);
+				ISC_LINK_INIT(pns, link);
+				ISC_LIST_APPEND(trans->nslist, pns, link);
+				ISC_LIST_INIT(pns->servers);
+
+				dns_name_copy(&ns.name, pns->name, NULL);
+				dns_rdata_reset(&rdata);
+				dns_rdata_freestruct(&ns);
+			}
+		}
+	}
+
+ cleanup:
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->resid);
+	isc_event_free(&event);
+
+	if (!ISC_LIST_EMPTY(trans->nslist)) {
+		/* Go get addresses of NSes */
+		trans->current_ns = ISC_LIST_HEAD(trans->nslist);
+		result = fetch_nsaddress(trans);
+	} else
+		result = ISC_R_FAILURE;
+
+	if (result == ISC_R_SUCCESS)
+		return;
+
+	reset_probe(trans);
+}
+
+static isc_result_t
+probe_domain(struct probe_trans *trans) {
+	isc_result_t result;
+	unsigned int domainlen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad hoc constant, but should be enough */
+	char *cp;
+
+	REQUIRE(trans != NULL);
+	REQUIRE(trans->inuse == false);
+	REQUIRE(outstanding_probes < MAX_PROBES);
+
+	/* Construct domain */
+	cp = fgets(buf, sizeof(buf), input);
+	if (cp == NULL)
+		return (ISC_R_NOMORE);
+	if ((cp = strchr(buf, '\n')) != NULL) /* zap NL if any */
+		*cp = '\0';
+	trans->domain = isc_mem_strdup(mctx, buf);
+	if (trans->domain == NULL) {
+		fprintf(stderr,
+			"failed to allocate memory for domain: %s", cp);
+		return (ISC_R_NOMEMORY);
+	}
+
+	/* Start getting NS for the domain */
+	domainlen = strlen(buf);
+	isc_buffer_init(&b, buf, domainlen);
+	isc_buffer_add(&b, domainlen);
+	trans->qname = dns_fixedname_initname(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_client_startresolve(client, trans->qname,
+					 dns_rdataclass_in, dns_rdatatype_ns,
+					 0, probe_task, resolve_ns, trans,
+					 &trans->resid);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	trans->inuse = true;
+	outstanding_probes++;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	isc_mem_free(mctx, trans->domain);
+	dns_fixedname_invalidate(&trans->fixedname);
+
+	return (result);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: nsprobe [-d] [-v [-v...]] [-c cache_address] "
+		"[input_file]\n");
+
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	int i, ch, error;
+	struct addrinfo hints, *res;
+	isc_result_t result;
+	isc_sockaddr_t sa;
+	isc_sockaddrlist_t servers;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+
+	while ((ch = isc_commandline_parse(argc, argv, "c:dhv")) != -1) {
+		switch (ch) {
+		case 'c':
+			cacheserver = isc_commandline_argument;
+			break;
+		case 'd':
+			debug_mode = true;
+			break;
+		case 'h':
+			usage();
+			break;
+		case 'v':
+			verbose_level++;
+			break;
+		default:
+			usage();
+			break;
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	/* Common set up */
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+
+	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr,
+			   &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "ctx create failed: %u\n", result);
+		exit(1);
+	}
+
+	isc_app_ctxstart(actx);
+
+	result = dns_client_createx(mctx, actx, taskmgr, socketmgr,
+				    timermgr, 0, &client);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_createx failed: %u\n", result);
+		exit(1);
+	}
+
+	/* Set local cache server */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	error = getaddrinfo(cacheserver, "53", &hints, &res);
+	if (error != 0) {
+		fprintf(stderr, "failed to convert server name (%s): %s\n",
+			cacheserver, gai_strerror(error));
+		exit(1);
+	}
+
+	if (res->ai_addrlen > sizeof(sa.type)) {
+		fprintf(stderr,
+			"assumption failure: addrlen is too long: %ld\n",
+			(long)res->ai_addrlen);
+		exit(1);
+	}
+	memmove(&sa.type.sa, res->ai_addr, res->ai_addrlen);
+	sa.length = (unsigned int)res->ai_addrlen;
+	freeaddrinfo(res);
+	ISC_LINK_INIT(&sa, link);
+	ISC_LIST_INIT(servers);
+	ISC_LIST_APPEND(servers, &sa, link);
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to set server: %u\n", result);
+		exit(1);
+	}
+
+	/* Create the main task */
+	probe_task = NULL;
+	result = isc_task_create(taskmgr, 0, &probe_task);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create task: %u\n", result);
+		exit(1);
+	}
+
+	/* Open input file */
+	if (argc == 0)
+		input = stdin;
+	else {
+		input = fopen(argv[0], "r");
+		if (input == NULL) {
+			fprintf(stderr, "failed to open input file: %s\n",
+				argv[0]);
+			exit(1);
+		}
+	}
+
+	/* Set up and start probe */
+	for (i = 0; i < MAX_PROBES; i++) {
+		probes[i].inuse = false;
+		probes[i].domain = NULL;
+		dns_fixedname_init(&probes[i].fixedname);
+		probes[i].qname = NULL;
+		probes[i].qlabel = qlabels;
+		probes[i].qname_found = false;
+		probes[i].resid = NULL;
+		ISC_LIST_INIT(probes[i].nslist);
+		probes[i].reqid = NULL;
+
+		probes[i].qmessage = NULL;
+		result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+					    &probes[i].qmessage);
+		if (result == ISC_R_SUCCESS) {
+			result = dns_message_create(mctx,
+						    DNS_MESSAGE_INTENTPARSE,
+						    &probes[i].rmessage);
+		}
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "initialization failure\n");
+			exit(1);
+		}
+	}
+	for (i = 0; i < MAX_PROBES; i++) {
+		result = probe_domain(&probes[i]);
+		if (result == ISC_R_NOMORE)
+			break;
+		else if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to issue an initial probe\n");
+			exit(1);
+		}
+	}
+
+	/* Start event loop */
+	isc_app_ctxrun(actx);
+
+	/* Dump results */
+	printf("Per domain results (out of %lu domains):\n",
+	       number_of_domains);
+	printf("  valid: %lu\n"
+	       "  ignore: %lu\n"
+	       "  nxdomain: %lu\n"
+	       "  othererr: %lu\n"
+	       "  multiplesoa: %lu\n"
+	       "  multiplecname: %lu\n"
+	       "  brokenanswer: %lu\n"
+	       "  lame: %lu\n"
+	       "  unknown: %lu\n"
+	       "  multiple errors: %lu\n",
+	       domain_stat.valid, domain_stat.ignore, domain_stat.nxdomain,
+	       domain_stat.othererr, domain_stat.multiplesoa,
+	       domain_stat.multiplecname, domain_stat.brokenanswer,
+	       domain_stat.lame, domain_stat.unknown, multiple_error_domains);
+	printf("Per server results (out of %lu servers):\n",
+	       number_of_servers);
+	printf("  valid: %lu\n"
+	       "  ignore: %lu\n"
+	       "  nxdomain: %lu\n"
+	       "  othererr: %lu\n"
+	       "  multiplesoa: %lu\n"
+	       "  multiplecname: %lu\n"
+	       "  brokenanswer: %lu\n"
+	       "  lame: %lu\n"
+	       "  unknown: %lu\n",
+	       server_stat.valid, server_stat.ignore, server_stat.nxdomain,
+	       server_stat.othererr, server_stat.multiplesoa,
+	       server_stat.multiplecname, server_stat.brokenanswer,
+	       server_stat.lame, server_stat.unknown);
+
+	/* Cleanup */
+	for (i = 0; i < MAX_PROBES; i++) {
+		dns_message_destroy(&probes[i].qmessage);
+		dns_message_destroy(&probes[i].rmessage);
+	}
+	isc_task_detach(&probe_task);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+	isc_app_ctxfinish(actx);
+	ctxs_destroy(&mctx, &actx, &taskmgr, &socketmgr, &timermgr);
+
+	return (0);
+}
diff --git a/lib/samples/resolve.c b/lib/samples/resolve.c
new file mode 100644
index 0000000..30389fc
--- /dev/null
+++ b/lib/samples/resolve.c
@@ -0,0 +1,494 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+#include <config.h>
+
+#ifndef WIN32
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <unistd.h>
+#endif
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+#include <isc/app.h>
+#include <isc/task.h>
+#include <isc/socket.h>
+#include <isc/timer.h>
+
+#include <irs/resconf.h>
+#include <irs/netdb.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+static char *algname;
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		printf("[WARN: empty]\n");
+		return (ISC_R_SUCCESS);
+	}
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	result = dns_rdataset_totext(rdataset, owner, false, false,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "resolve [-t RRtype] "
+		"[[-a algorithm] [-e] -k keyname -K keystring] "
+		"[-S domain:serveraddr_for_domain ] [-s server_address]"
+		"[-b address[#port]] hostname\n");
+
+	exit(1);
+}
+
+static void
+set_key(dns_client_t *client, char *keynamestr, char *keystr,
+	bool is_sep, isc_mem_t **mctxp)
+{
+	isc_result_t result;
+	dns_fixedname_t fkeyname;
+	unsigned int namelen;
+	dns_name_t *keyname;
+	dns_rdata_dnskey_t keystruct;
+	unsigned char keydata[4096];
+	isc_buffer_t keydatabuf;
+	unsigned char rrdata[4096];
+	isc_buffer_t rrdatabuf;
+	isc_buffer_t b;
+	isc_textregion_t tr;
+	isc_region_t r;
+	dns_secalg_t alg;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create mctx\n");
+		exit(1);
+	}
+
+	if (algname != NULL) {
+		tr.base = algname;
+		tr.length = strlen(algname);
+		result = dns_secalg_fromtext(&alg, &tr);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to identify the algorithm\n");
+			exit(1);
+		}
+	} else
+		alg = DNS_KEYALG_RSASHA1;
+
+	keystruct.common.rdclass = dns_rdataclass_in;
+	keystruct.common.rdtype = dns_rdatatype_dnskey;
+	keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
+	if (is_sep)
+		keystruct.flags |= DNS_KEYFLAG_KSK;
+	keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
+	keystruct.algorithm = alg;
+
+	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+	result = isc_base64_decodestring(keystr, &keydatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "base64 decode failed\n");
+		exit(1);
+	}
+	isc_buffer_usedregion(&keydatabuf, &r);
+	keystruct.datalen = r.length;
+	keystruct.data = r.base;
+
+	result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
+				      keystruct.common.rdtype,
+				      &keystruct, &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key rdata\n");
+		exit(1);
+	}
+	namelen = strlen(keynamestr);
+	isc_buffer_init(&b, keynamestr, namelen);
+	isc_buffer_add(&b, namelen);
+	keyname = dns_fixedname_initname(&fkeyname);
+	result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to construct key name\n");
+		exit(1);
+	}
+	result = dns_client_addtrustedkey(client, dns_rdataclass_in,
+					  keyname, &rrdatabuf);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to add key for %s\n",
+			keynamestr);
+		exit(1);
+	}
+}
+
+static void
+addserver(dns_client_t *client, const char *addrstr, const char *port,
+	  const char *name_space)
+{
+	struct addrinfo hints, *res;
+	int gaierror;
+	isc_sockaddr_t sa;
+	isc_sockaddrlist_t servers;
+	isc_result_t result;
+	unsigned int namelen;
+	isc_buffer_t b;
+	dns_fixedname_t fname;
+	dns_name_t *name = NULL;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+	hints.ai_flags = AI_NUMERICHOST;
+	gaierror = getaddrinfo(addrstr, port, &hints, &res);
+	if (gaierror != 0) {
+		fprintf(stderr, "getaddrinfo failed: %s\n",
+			gai_strerror(gaierror));
+		exit(1);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sa.type));
+	memmove(&sa.type, res->ai_addr, res->ai_addrlen);
+	sa.length = (unsigned int)res->ai_addrlen;
+	freeaddrinfo(res);
+	ISC_LINK_INIT(&sa, link);
+	ISC_LIST_INIT(servers);
+	ISC_LIST_APPEND(servers, &sa, link);
+
+	if (name_space != NULL) {
+		namelen = strlen(name_space);
+		isc_buffer_constinit(&b, name_space, namelen);
+		isc_buffer_add(&b, namelen);
+		name = dns_fixedname_initname(&fname);
+		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "failed to convert qname: %u\n",
+				result);
+			exit(1);
+		}
+	}
+
+	result = dns_client_setservers(client, dns_rdataclass_in, name,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "set server failed: %u\n", result);
+		exit(1);
+	}
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	isc_textregion_t tr;
+	char *server = NULL;
+	char *altserver = NULL;
+	char *altserveraddr = NULL;
+	char *altservername = NULL;
+	dns_client_t *client = NULL;
+	char *keynamestr = NULL;
+	char *keystr = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	dns_fixedname_t qname0;
+	unsigned int namelen;
+	dns_name_t *qname, *name;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	dns_rdataset_t *rdataset;
+	dns_namelist_t namelist;
+	isc_mem_t *keymctx = NULL;
+	unsigned int clientopt, resopt;
+	bool is_sep = false;
+	const char *port = "53";
+	isc_mem_t *mctx = NULL;
+	isc_appctx_t *actx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	struct in_addr in4;
+	struct in6_addr in6;
+	isc_sockaddr_t a4, a6;
+	isc_sockaddr_t *addr4 = NULL, *addr6 = NULL;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:b:es:t:k:K:p:S:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = isc_commandline_argument;
+			tr.length = strlen(isc_commandline_argument);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'a':
+			algname = isc_commandline_argument;
+			break;
+		case 'b':
+			if (inet_pton(AF_INET,
+				      isc_commandline_argument, &in4) == 1) {
+				if (addr4 != NULL) {
+					fprintf(stderr, "only one local "
+							"address per family "
+							"can be specified\n");
+					exit(1);
+				}
+				isc_sockaddr_fromin(&a4, &in4, 0);
+				addr4 = &a4;
+			} else if (inet_pton(AF_INET6,
+					     isc_commandline_argument,
+					     &in6) == 1) {
+				if (addr6 != NULL) {
+					fprintf(stderr, "only one local "
+							"address per family "
+							"can be specified\n");
+					exit(1);
+				}
+				isc_sockaddr_fromin6(&a6, &in6, 0);
+				addr6 = &a6;
+			} else {
+				fprintf(stderr, "invalid address %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 'e':
+			is_sep = true;
+			break;
+		case 'S':
+			if (altserver != NULL) {
+				fprintf(stderr, "alternate server "
+					"already defined: %s\n",
+					altserver);
+				exit(1);
+			}
+			altserver = isc_commandline_argument;
+			break;
+		case 's':
+			if (server != NULL) {
+				fprintf(stderr, "server "
+					"already defined: %s\n",
+					server);
+				exit(1);
+			}
+			server = isc_commandline_argument;
+			break;
+		case 'k':
+			keynamestr = isc_commandline_argument;
+			break;
+		case 'K':
+			keystr = isc_commandline_argument;
+			break;
+		case 'p':
+			port = isc_commandline_argument;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	if (argc < 1)
+		usage();
+
+	if (altserver != NULL) {
+		char *cp;
+
+		cp = strchr(altserver, ':');
+		if (cp == NULL) {
+			fprintf(stderr, "invalid alternate server: %s\n",
+				altserver);
+			exit(1);
+		}
+		*cp = '\0';
+		altservername = altserver;
+		altserveraddr = cp + 1;
+	}
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to crate mctx\n");
+		exit(1);
+	}
+
+	result = isc_appctx_create(mctx, &actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_app_ctxstart(actx);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_taskmgr_createinctx(mctx, actx, 1, 0, &taskmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_socketmgr_createinctx(mctx, actx, &socketmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = isc_timermgr_createinctx(mctx, actx, &timermgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	clientopt = 0;
+	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
+				    clientopt, &client, addr4, addr6);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %u, %s\n", result,
+			isc_result_totext(result));
+		exit(1);
+	}
+
+	/* Set the nameserver */
+	if (server == NULL) {
+		irs_resconf_t *resconf = NULL;
+		isc_sockaddrlist_t *nameservers;
+
+		result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
+		if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
+			fprintf(stderr, "irs_resconf_load failed: %u\n",
+				result);
+			exit(1);
+		}
+		nameservers = irs_resconf_getnameservers(resconf);
+		result = dns_client_setservers(client, dns_rdataclass_in,
+					       NULL, nameservers);
+		if (result != ISC_R_SUCCESS) {
+			irs_resconf_destroy(&resconf);
+			fprintf(stderr, "dns_client_setservers failed: %u\n",
+				result);
+			exit(1);
+		}
+		irs_resconf_destroy(&resconf);
+	} else {
+		addserver(client, server, port, NULL);
+	}
+
+	/* Set the alternate nameserver (when specified) */
+	if (altserver != NULL)
+		addserver(client, altserveraddr, port, altservername);
+
+	/* Install DNSSEC key (if given) */
+	if (keynamestr != NULL) {
+		if (keystr == NULL) {
+			fprintf(stderr,
+				"key string is missing "
+				"while key name is provided\n");
+			exit(1);
+		}
+		set_key(client, keynamestr, keystr, is_sep, &keymctx);
+	}
+
+	/* Construct qname */
+	namelen = strlen(argv[0]);
+	isc_buffer_init(&b, argv[0], namelen);
+	isc_buffer_add(&b, namelen);
+	qname = dns_fixedname_initname(&qname0);
+	result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		fprintf(stderr, "failed to convert qname: %u\n", result);
+
+	/* Perform resolution */
+	resopt = DNS_CLIENTRESOPT_ALLOWRUN;
+	if (keynamestr == NULL)
+		resopt |= DNS_CLIENTRESOPT_NODNSSEC;
+	ISC_LIST_INIT(namelist);
+	result = dns_client_resolve(client, qname, dns_rdataclass_in, type,
+				    resopt, &namelist);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"resolution failed: %s\n", dns_result_totext(result));
+	}
+	for (name = ISC_LIST_HEAD(namelist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			if (printdata(rdataset, name) != ISC_R_SUCCESS)
+				fprintf(stderr, "print data failed\n");
+		}
+	}
+
+	dns_client_freeresanswer(client, &namelist);
+
+	/* Cleanup */
+cleanup:
+	dns_client_destroy(&client);
+
+	if (taskmgr != NULL)
+		isc_taskmgr_destroy(&taskmgr);
+	if (timermgr != NULL)
+		isc_timermgr_destroy(&timermgr);
+	if (socketmgr != NULL)
+		isc_socketmgr_destroy(&socketmgr);
+	if (actx != NULL)
+		isc_appctx_destroy(&actx);
+	isc_mem_detach(&mctx);
+
+	if (keynamestr != NULL)
+		isc_mem_destroy(&keymctx);
+	dns_lib_shutdown();
+
+	return (0);
+}
diff --git a/lib/samples/rootkey.sh b/lib/samples/rootkey.sh
new file mode 100644
index 0000000..3dbfafd
--- /dev/null
+++ b/lib/samples/rootkey.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# Fetch a copy of a current root signing key; used for testing
+# DNSSEC validation in 'sample'.
+#
+# After running this script, "sample `cat sample.key` <args>" will
+# perform a lookup as specified in <args> and validate the result
+# using the root key.
+#
+# (This is NOT a secure method of obtaining the root key; it is
+# included here for testing purposes only.)
+dig +noall +answer dnskey . | perl -n -e '
+local ($dn, $ttl, $class, $type, $flags, $proto, $alg, @rest) = split;
+next if ($flags != 257);
+local $key = join("", @rest);
+print "-a $alg -e -k $dn -K $key\n"
+' > sample.key
diff --git a/lib/samples/sample-async.c b/lib/samples/sample-async.c
new file mode 100644
index 0000000..28c6573
--- /dev/null
+++ b/lib/samples/sample-async.c
@@ -0,0 +1,403 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#ifndef WIN32
+#include <stdbool.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/sockaddr.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#define MAX_SERVERS 10
+#define MAX_QUERIES 100
+
+static dns_client_t *client = NULL;
+static isc_task_t *query_task = NULL;
+static isc_appctx_t *query_actx = NULL;
+static unsigned int outstanding_queries = 0;
+static const char *def_server = "127.0.0.1";
+static FILE *fp;
+
+struct query_trans {
+	int id;
+	bool inuse;
+	dns_rdatatype_t type;
+	dns_fixedname_t fixedname;
+	dns_name_t *qname;
+	dns_namelist_t answerlist;
+	dns_clientrestrans_t *xid;
+};
+
+static struct query_trans query_array[MAX_QUERIES];
+
+static isc_result_t dispatch_query(struct query_trans *trans);
+
+static void
+ctxs_destroy(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	     isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	     isc_timermgr_t **timermgrp)
+{
+	if (*taskmgrp != NULL)
+		isc_taskmgr_destroy(taskmgrp);
+
+	if (*timermgrp != NULL)
+		isc_timermgr_destroy(timermgrp);
+
+	if (*socketmgrp != NULL)
+		isc_socketmgr_destroy(socketmgrp);
+
+	if (*actxp != NULL)
+		isc_appctx_destroy(actxp);
+
+	if (*mctxp != NULL)
+		isc_mem_destroy(mctxp);
+}
+
+static isc_result_t
+ctxs_init(isc_mem_t **mctxp, isc_appctx_t **actxp,
+	  isc_taskmgr_t **taskmgrp, isc_socketmgr_t **socketmgrp,
+	  isc_timermgr_t **timermgrp)
+{
+	isc_result_t result;
+
+	result = isc_mem_create(0, 0, mctxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_appctx_create(*mctxp, actxp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_taskmgr_createinctx(*mctxp, *actxp, 1, 0, taskmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_socketmgr_createinctx(*mctxp, *actxp, socketmgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	result = isc_timermgr_createinctx(*mctxp, *actxp, timermgrp);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	return (ISC_R_SUCCESS);
+
+ fail:
+	ctxs_destroy(mctxp, actxp, taskmgrp, socketmgrp, timermgrp);
+
+	return (result);
+}
+
+static isc_result_t
+printdata(dns_rdataset_t *rdataset, dns_name_t *owner) {
+	isc_buffer_t target;
+	isc_result_t result;
+	isc_region_t r;
+	char t[4096];
+
+	isc_buffer_init(&target, t, sizeof(t));
+
+	if (!dns_rdataset_isassociated(rdataset))
+		return (ISC_R_SUCCESS);
+	result = dns_rdataset_totext(rdataset, owner, false, false,
+				     &target);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(&target, &r);
+	printf("  %.*s", (int)r.length, (char *)r.base);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+process_answer(isc_task_t *task, isc_event_t *event) {
+	struct query_trans *trans = event->ev_arg;
+	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
+	dns_name_t *name;
+	dns_rdataset_t *rdataset;
+	isc_result_t result;
+
+	REQUIRE(task == query_task);
+	REQUIRE(trans->inuse == true);
+	REQUIRE(outstanding_queries > 0);
+
+	printf("answer[%2d]\n", trans->id);
+
+	if (rev->result != ISC_R_SUCCESS)
+		printf("  failed: %u(%s)\n", rev->result,
+		       dns_result_totext(rev->result));
+
+	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
+	     name = ISC_LIST_NEXT(name, link)) {
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+			(void)printdata(rdataset, name);
+		}
+	}
+
+	dns_client_freeresanswer(client, &rev->answerlist);
+	dns_client_destroyrestrans(&trans->xid);
+
+	isc_event_free(&event);
+
+	trans->inuse = false;
+	dns_fixedname_invalidate(&trans->fixedname);
+	trans->qname = NULL;
+	outstanding_queries--;
+
+	result = dispatch_query(trans);
+#if 0				/* for cancel test */
+	if (result == ISC_R_SUCCESS) {
+		static int count = 0;
+
+		if ((++count) % 10 == 0)
+			dns_client_cancelresolve(trans->xid);
+	}
+#endif
+	if (result == ISC_R_NOMORE && outstanding_queries == 0)
+		isc_app_ctxshutdown(query_actx);
+}
+
+static isc_result_t
+dispatch_query(struct query_trans *trans) {
+	isc_result_t result;
+	unsigned int namelen;
+	isc_buffer_t b;
+	char buf[4096];	/* XXX ad hoc constant, but should be enough */
+	char *cp;
+
+	REQUIRE(trans != NULL);
+	REQUIRE(trans->inuse == false);
+	REQUIRE(ISC_LIST_EMPTY(trans->answerlist));
+	REQUIRE(outstanding_queries < MAX_QUERIES);
+
+	/* Construct qname */
+	cp = fgets(buf, sizeof(buf), fp);
+	if (cp == NULL)
+		return (ISC_R_NOMORE);
+	/* zap NL if any */
+	if ((cp = strchr(buf, '\n')) != NULL)
+		*cp = '\0';
+	namelen = strlen(buf);
+	isc_buffer_init(&b, buf, namelen);
+	isc_buffer_add(&b, namelen);
+	trans->qname = dns_fixedname_initname(&trans->fixedname);
+	result = dns_name_fromtext(trans->qname, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	/* Start resolution */
+	result = dns_client_startresolve(client, trans->qname,
+					 dns_rdataclass_in, trans->type, 0,
+					 query_task, process_answer, trans,
+					 &trans->xid);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	trans->inuse = true;
+	outstanding_queries++;
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_fixedname_invalidate(&trans->fixedname);
+
+	return (result);
+}
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "usage: sample-async [-s server_address] [-t RR type] "
+		"input_file\n");
+
+	exit(1);
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	isc_textregion_t tr;
+	isc_mem_t *mctx = NULL;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_socketmgr_t *socketmgr = NULL;
+	isc_timermgr_t *timermgr = NULL;
+	int nservers = 0;
+	const char *serveraddr[MAX_SERVERS];
+	isc_sockaddr_t sa[MAX_SERVERS];
+	isc_sockaddrlist_t servers;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	struct in_addr inaddr;
+	isc_result_t result;
+	int i;
+
+	while ((ch = isc_commandline_parse(argc, argv, "s:t:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = isc_commandline_argument;
+			tr.length = strlen(isc_commandline_argument);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		case 's':
+			if (nservers == MAX_SERVERS) {
+				fprintf(stderr,
+					"too many servers (up to %d)\n",
+					MAX_SERVERS);
+				exit(1);
+			}
+			serveraddr[nservers++] =
+				(const char *)isc_commandline_argument;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	if (argc < 1)
+		usage();
+
+	if (nservers == 0) {
+		nservers = 1;
+		serveraddr[0] = def_server;
+	}
+
+	for (i = 0; i < MAX_QUERIES; i++) {
+		query_array[i].id = i;
+		query_array[i].inuse = false;
+		query_array[i].type = type;
+		dns_fixedname_init(&query_array[i].fixedname);
+		query_array[i].qname = NULL;
+		ISC_LIST_INIT(query_array[i].answerlist);
+		query_array[i].xid = NULL;
+	}
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+
+	result = ctxs_init(&mctx, &query_actx, &taskmgr, &socketmgr,
+			   &timermgr);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "ctx create failed: %u\n", result);
+		exit(1);
+	}
+
+	isc_app_ctxstart(query_actx);
+
+	result = dns_client_createx(mctx, query_actx, taskmgr, socketmgr,
+				    timermgr, 0, &client);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_createx failed: %u\n", result);
+		exit(1);
+	}
+
+	/* Set nameservers */
+	ISC_LIST_INIT(servers);
+	for (i = 0; i < nservers; i++) {
+		if (inet_pton(AF_INET, serveraddr[i], &inaddr) != 1) {
+			fprintf(stderr, "failed to parse IPv4 address %s\n",
+				serveraddr[i]);
+			exit(1);
+		}
+		isc_sockaddr_fromin(&sa[i], &inaddr, 53);
+		ISC_LIST_APPEND(servers, &sa[i], link);
+	}
+	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
+				       &servers);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "set server failed: %u\n", result);
+		exit(1);
+	}
+
+	/* Create the main task */
+	query_task = NULL;
+	result = isc_task_create(taskmgr, 0, &query_task);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create task: %u\n", result);
+		exit(1);
+	}
+
+	/* Open input file */
+	fp = fopen(argv[0], "r");
+	if (fp == NULL) {
+		fprintf(stderr, "failed to open input file: %s\n", argv[1]);
+		exit(1);
+	}
+
+	/* Dispatch initial queries */
+	for (i = 0; i < MAX_QUERIES; i++) {
+		result = dispatch_query(&query_array[i]);
+		if (result == ISC_R_NOMORE)
+			break;
+	}
+
+	/* Start event loop */
+	isc_app_ctxrun(query_actx);
+
+	/* Sanity check */
+	for (i = 0; i < MAX_QUERIES; i++)
+		INSIST(query_array[i].inuse == false);
+
+	/* Cleanup */
+	isc_task_detach(&query_task);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+	isc_app_ctxfinish(query_actx);
+	ctxs_destroy(&mctx, &query_actx, &taskmgr, &socketmgr, &timermgr);
+
+	return (0);
+}
diff --git a/lib/samples/sample-gai.c b/lib/samples/sample-gai.c
new file mode 100644
index 0000000..8b56ab9
--- /dev/null
+++ b/lib/samples/sample-gai.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#include <isc/net.h>
+#include <isc/print.h>
+
+#include <irs/netdb.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+static void
+do_gai(int family, char *hostname) {
+	struct addrinfo hints, *res, *res0;
+	int error;
+	char namebuf[1024], addrbuf[1024], servbuf[1024];
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_CANONNAME;
+	error = getaddrinfo(hostname, "http", &hints, &res0);
+	if (error) {
+		fprintf(stderr, "getaddrinfo failed for %s,family=%d: %s\n",
+			hostname, family, gai_strerror(error));
+		return;
+	}
+
+	for (res = res0; res; res = res->ai_next) {
+		error = getnameinfo(res->ai_addr,
+				    (socklen_t)res->ai_addrlen,
+				    addrbuf, sizeof(addrbuf),
+				    NULL, 0, NI_NUMERICHOST);
+		if (error == 0)
+			error = getnameinfo(res->ai_addr,
+					    (socklen_t)res->ai_addrlen,
+					    namebuf, sizeof(namebuf),
+					    servbuf, sizeof(servbuf), 0);
+		if (error != 0) {
+			fprintf(stderr, "getnameinfo failed: %s\n",
+				gai_strerror(error));
+		} else {
+			printf("%s(%s/%s)=%s:%s\n", hostname,
+			       res->ai_canonname, addrbuf, namebuf, servbuf);
+		}
+	}
+
+	freeaddrinfo(res0);
+}
+
+int
+main(int argc, char *argv[]) {
+	if (argc < 2)
+		exit(1);
+
+	do_gai(AF_INET, argv[1]);
+	do_gai(AF_INET6, argv[1]);
+	do_gai(AF_UNSPEC, argv[1]);
+
+	return (0);
+}
diff --git a/lib/samples/sample-request.c b/lib/samples/sample-request.c
new file mode 100644
index 0000000..e60a6df
--- /dev/null
+++ b/lib/samples/sample-request.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#ifndef WIN32
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <unistd.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/lib.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+static isc_mem_t *mctx;
+static dns_fixedname_t fixedqname;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "sample-request [-t RRtype] server_address hostname\n");
+
+	exit(1);
+}
+
+static isc_result_t
+make_querymessage(dns_message_t *message, const char *namestr,
+		  dns_rdatatype_t rdtype)
+{
+	dns_name_t *qname = NULL, *qname0;
+	dns_rdataset_t *qrdataset = NULL;
+	isc_result_t result;
+	isc_buffer_t b;
+	unsigned int namelen;
+
+	REQUIRE(message != NULL);
+	REQUIRE(namestr != NULL);
+
+	/* Construct qname */
+	namelen = strlen(namestr);
+	isc_buffer_constinit(&b, namestr, namelen);
+	isc_buffer_add(&b, namelen);
+	qname0 = dns_fixedname_initname(&fixedqname);
+	result = dns_name_fromtext(qname0, &b, dns_rootname, 0, NULL);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to convert qname: %u\n", result);
+		return (result);
+	}
+
+	/* Construct query message */
+	message->opcode = dns_opcode_query;
+	message->rdclass = dns_rdataclass_in;
+
+	result = dns_message_gettempname(message, &qname);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = dns_message_gettemprdataset(message, &qrdataset);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_name_init(qname, NULL);
+	dns_name_clone(qname0, qname);
+	dns_rdataset_makequestion(qrdataset, message->rdclass, rdtype);
+	ISC_LIST_APPEND(qname->list, qrdataset, link);
+	dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	if (qname != NULL)
+		dns_message_puttempname(message, &qname);
+	if (qrdataset != NULL)
+		dns_message_puttemprdataset(message, &qrdataset);
+	dns_message_destroy(&message);
+	return (result);
+}
+
+static void
+print_section(dns_message_t *message, int section, isc_buffer_t *buf) {
+	isc_result_t result;
+	isc_region_t r;
+
+	result = dns_message_sectiontotext(message, section,
+					   &dns_master_style_full, 0, buf);
+	if (result != ISC_R_SUCCESS)
+		goto fail;
+
+	isc_buffer_usedregion(buf, &r);
+	printf("%.*s", (int)r.length, (char *)r.base);
+
+	return;
+
+ fail:
+	fprintf(stderr, "failed to convert a section\n");
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch, i, gaierror;
+	struct addrinfo hints, *res;
+	isc_textregion_t tr;
+	dns_client_t *client = NULL;
+	isc_result_t result;
+	isc_sockaddr_t sa;
+	dns_message_t *qmessage, *rmessage;
+	dns_rdatatype_t type = dns_rdatatype_a;
+	isc_buffer_t *outputbuf;
+
+	while ((ch = isc_commandline_parse(argc, argv, "t:")) != -1) {
+		switch (ch) {
+		case 't':
+			tr.base = isc_commandline_argument;
+			tr.length = strlen(isc_commandline_argument);
+			result = dns_rdatatype_fromtext(&type, &tr);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr,
+					"invalid RRtype: %s\n",
+					isc_commandline_argument);
+				exit(1);
+			}
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	if (argc < 2)
+		usage();
+
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+
+	result = dns_client_create(&client, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %u\n", result);
+		exit(1);
+	}
+
+	/* Prepare message structures */
+	mctx = NULL;
+	qmessage = NULL;
+	rmessage = NULL;
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create a memory context\n");
+		exit(1);
+	}
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &qmessage);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+					    &rmessage);
+	}
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create messages\n");
+		exit(1);
+	}
+
+	/* Initialize the nameserver address */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags = AI_NUMERICHOST;
+#endif
+	gaierror = getaddrinfo(argv[0], "53", &hints, &res);
+	if (gaierror != 0) {
+		fprintf(stderr, "getaddrinfo failed: %s\n",
+			gai_strerror(gaierror));
+		exit(1);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sa.type));
+	memmove(&sa.type, res->ai_addr, res->ai_addrlen);
+	freeaddrinfo(res);
+	sa.length = (unsigned int)res->ai_addrlen;
+	ISC_LINK_INIT(&sa, link);
+
+	/* Construct qname */
+	result = make_querymessage(qmessage, argv[1], type);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to create a query\n");
+		exit(1);
+	}
+
+	/* Send request and wait for a response */
+	result = dns_client_request(client, qmessage, rmessage, &sa, 0, 0,
+				    NULL, 60, 0, 3);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to get a response: %s\n",
+			dns_result_totext(result));
+	}
+
+	/* Dump the response */
+	outputbuf = NULL;
+	result = isc_buffer_allocate(mctx, &outputbuf, 65535);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to allocate a result buffer\n");
+		exit(1);
+	}
+	for (i = 0; i < DNS_SECTION_MAX; i++) {
+		print_section(rmessage, i, outputbuf);
+		isc_buffer_clear(outputbuf);
+	}
+	isc_buffer_free(&outputbuf);
+
+	/* Cleanup */
+	dns_message_destroy(&qmessage);
+	dns_message_destroy(&rmessage);
+	isc_mem_destroy(&mctx);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+
+	return (0);
+}
diff --git a/lib/samples/sample-update.c b/lib/samples/sample-update.c
new file mode 100644
index 0000000..83f963d
--- /dev/null
+++ b/lib/samples/sample-update.c
@@ -0,0 +1,796 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+#include <config.h>
+
+#ifndef WIN32
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+
+#include <netdb.h>
+#include <unistd.h>
+#endif
+
+#include <ctype.h>
+#include <stdio.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/lex.h>
+#include <isc/lib.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/client.h>
+#include <dns/fixedname.h>
+#include <dns/lib.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/tsec.h>
+
+#include <dst/dst.h>
+
+static dns_tsec_t *tsec = NULL;
+static const dns_rdataclass_t default_rdataclass = dns_rdataclass_in;
+static isc_bufferlist_t usedbuffers;
+static ISC_LIST(dns_rdatalist_t) usedrdatalists;
+
+static const char *port = "53";
+
+static void setup_tsec(char *keyfile, isc_mem_t *mctx);
+static void update_addordelete(isc_mem_t *mctx, char *cmdline,
+			       bool isdelete, dns_name_t *name);
+static void evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name);
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+	fprintf(stderr, "sample-update "
+		"-s "
+		"[-a auth_server] "
+		"[-k keyfile] "
+		"[-p prerequisite] "
+		"[-r recursive_server] "
+		"[-z zonename] "
+		"(add|delete) \"name TTL RRtype RDATA\"\n");
+	exit(1);
+}
+
+#ifdef _WIN32
+static void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+static void
+DestroySockets(void) {
+	WSACleanup();
+}
+#else
+#define InitSockets() ((void)0)
+#define DestroySockets() ((void)0)
+#endif
+
+static bool
+addserver(const char *server, isc_sockaddrlist_t *list,
+	   isc_sockaddr_t *sockaddr)
+{
+	struct addrinfo hints, *res;
+	int gaierror;
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = AF_UNSPEC;
+	hints.ai_socktype = SOCK_DGRAM;
+	hints.ai_protocol = IPPROTO_UDP;
+#ifdef AI_NUMERICHOST
+	hints.ai_flags |= AI_NUMERICHOST;
+#endif
+#ifdef AI_NUMERICSERV
+	hints.ai_flags |= AI_NUMERICSERV;
+#endif
+	InitSockets();
+	gaierror = getaddrinfo(server, port, &hints, &res);
+	if (gaierror != 0) {
+		fprintf(stderr, "getaddrinfo(%s) failed: %s\n",
+			server, gai_strerror(gaierror));
+		DestroySockets();
+		return (false);
+	}
+	INSIST(res->ai_addrlen <= sizeof(sockaddr->type));
+	memmove(&sockaddr->type, res->ai_addr, res->ai_addrlen);
+	sockaddr->length = (unsigned int)res->ai_addrlen;
+	ISC_LINK_INIT(sockaddr, link);
+	ISC_LIST_APPEND(*list, sockaddr, link);
+	freeaddrinfo(res);
+	DestroySockets();
+	return (true);
+}
+
+int
+main(int argc, char *argv[]) {
+	int ch;
+	dns_client_t *client = NULL;
+	char *zonenamestr = NULL;
+	char *keyfilename = NULL;
+	char *prereqstr = NULL;
+	isc_sockaddr_t sa_auth[10], sa_recursive[10];
+	unsigned int nsa_auth = 0, nsa_recursive = 0;
+	isc_sockaddrlist_t rec_servers;
+	isc_sockaddrlist_t auth_servers, *auth_serversp = &auth_servers;
+	isc_result_t result;
+	bool isdelete;
+	isc_buffer_t b, *buf;
+	dns_fixedname_t zname0, pname0, uname0;
+	unsigned int namelen;
+	dns_name_t *zname = NULL, *uname, *pname;
+	dns_rdataset_t *rdataset;
+	dns_rdatalist_t *rdatalist;
+	dns_rdata_t *rdata;
+	dns_namelist_t updatelist, prereqlist, *prereqlistp = NULL;
+	isc_mem_t *umctx = NULL;
+	bool sendtwice = false;
+
+	ISC_LIST_INIT(auth_servers);
+	ISC_LIST_INIT(rec_servers);
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:k:p:P:r:sz:")) != EOF)
+	{
+		switch (ch) {
+		case 'k':
+			keyfilename = isc_commandline_argument;
+			break;
+		case 'a':
+			if (nsa_auth < sizeof(sa_auth)/sizeof(*sa_auth) &&
+			    addserver(isc_commandline_argument, &auth_servers,
+				      &sa_auth[nsa_auth]))
+				nsa_auth++;
+			break;
+		case 'p':
+			prereqstr = isc_commandline_argument;
+			break;
+		case 'P':
+			port = isc_commandline_argument;
+			break;
+		case 'r':
+			if (nsa_recursive <
+				sizeof(sa_recursive)/sizeof(*sa_recursive) &&
+			    addserver(isc_commandline_argument, &rec_servers,
+				      &sa_recursive[nsa_recursive]))
+				nsa_recursive++;
+			break;
+		case 's':
+			sendtwice = true;
+			break;
+		case 'z':
+			zonenamestr = isc_commandline_argument;
+			break;
+		default:
+			usage();
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+	if (argc < 2)
+		usage();
+
+	/* command line argument validation */
+	if (strcmp(argv[0], "delete") == 0)
+		isdelete = true;
+	else if (strcmp(argv[0], "add") == 0)
+		isdelete = false;
+	else {
+		fprintf(stderr, "invalid update command: %s\n", argv[0]);
+		exit(1);
+	}
+
+	if (ISC_LIST_HEAD(auth_servers) == NULL &&
+	    ISC_LIST_HEAD(rec_servers) == NULL) {
+		fprintf(stderr, "authoritative or recursive servers "
+			"must be specified\n");
+		usage();
+	}
+
+	/* Initialization */
+	ISC_LIST_INIT(usedbuffers);
+	ISC_LIST_INIT(usedrdatalists);
+	ISC_LIST_INIT(prereqlist);
+	isc_lib_register();
+	result = dns_lib_init();
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
+		exit(1);
+	}
+	result = isc_mem_create(0, 0, &umctx);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "failed to crate mctx\n");
+		exit(1);
+	}
+
+	result = dns_client_create(&client, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "dns_client_create failed: %u\n", result);
+		exit(1);
+	}
+
+	/* Construct zone name */
+	zname = NULL;
+	if (zonenamestr != NULL) {
+		namelen = strlen(zonenamestr);
+		isc_buffer_init(&b, zonenamestr, namelen);
+		isc_buffer_add(&b, namelen);
+		zname = dns_fixedname_initname(&zname0);
+		result = dns_name_fromtext(zname, &b, dns_rootname, 0, NULL);
+		if (result != ISC_R_SUCCESS)
+			fprintf(stderr, "failed to convert zone name: %u\n",
+				result);
+	}
+
+	/* Construct prerequisite name (if given) */
+	if (prereqstr != NULL) {
+		pname = dns_fixedname_initname(&pname0);
+		evaluate_prereq(umctx, prereqstr, pname);
+		ISC_LIST_APPEND(prereqlist, pname, link);
+		prereqlistp = &prereqlist;
+	}
+
+	/* Construct update name */
+	ISC_LIST_INIT(updatelist);
+	uname = dns_fixedname_initname(&uname0);
+	update_addordelete(umctx, argv[1], isdelete, uname);
+	ISC_LIST_APPEND(updatelist, uname, link);
+
+	/* Set up TSIG/SIG(0) key (if given) */
+	if (keyfilename != NULL)
+		setup_tsec(keyfilename, umctx);
+
+	if (ISC_LIST_HEAD(auth_servers) == NULL)
+		auth_serversp = NULL;
+
+	/* Perform update */
+	result = dns_client_update(client,
+				   default_rdataclass, /* XXX: fixed */
+				   zname, prereqlistp, &updatelist,
+				   auth_serversp, tsec, 0);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr,
+			"update failed: %s\n", dns_result_totext(result));
+	} else
+		fprintf(stderr, "update succeeded\n");
+
+	if (sendtwice) {
+		/* Perform 2nd update */
+		result = dns_client_update(client,
+					   default_rdataclass, /* XXX: fixed */
+					   zname, prereqlistp, &updatelist,
+					   auth_serversp, tsec, 0);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "2nd update failed: %s\n",
+				dns_result_totext(result));
+		} else
+			fprintf(stderr, "2nd update succeeded\n");
+	}
+
+	/* Cleanup */
+	while ((pname = ISC_LIST_HEAD(prereqlist)) != NULL) {
+		while ((rdataset = ISC_LIST_HEAD(pname->list)) != NULL) {
+			ISC_LIST_UNLINK(pname->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+		}
+		ISC_LIST_UNLINK(prereqlist, pname, link);
+	}
+	while ((uname = ISC_LIST_HEAD(updatelist)) != NULL) {
+		while ((rdataset = ISC_LIST_HEAD(uname->list)) != NULL) {
+			ISC_LIST_UNLINK(uname->list, rdataset, link);
+			dns_rdataset_disassociate(rdataset);
+			isc_mem_put(umctx, rdataset, sizeof(*rdataset));
+		}
+		ISC_LIST_UNLINK(updatelist, uname, link);
+	}
+	while ((rdatalist = ISC_LIST_HEAD(usedrdatalists)) != NULL) {
+		while ((rdata = ISC_LIST_HEAD(rdatalist->rdata)) != NULL) {
+			ISC_LIST_UNLINK(rdatalist->rdata, rdata, link);
+			isc_mem_put(umctx, rdata, sizeof(*rdata));
+		}
+		ISC_LIST_UNLINK(usedrdatalists, rdatalist, link);
+		isc_mem_put(umctx, rdatalist, sizeof(*rdatalist));
+	}
+	while ((buf = ISC_LIST_HEAD(usedbuffers)) != NULL) {
+		ISC_LIST_UNLINK(usedbuffers, buf, link);
+		isc_buffer_free(&buf);
+	}
+	if (tsec != NULL)
+		dns_tsec_destroy(&tsec);
+	isc_mem_destroy(&umctx);
+	dns_client_destroy(&client);
+	dns_lib_shutdown();
+
+	return (0);
+}
+
+/*
+ *  Subroutines borrowed from nsupdate.c
+ */
+#define MAXWIRE (64 * 1024)
+#define TTL_MAX 2147483647U	/* Maximum signed 32 bit integer. */
+
+static char *
+nsu_strsep(char **stringp, const char *delim) {
+	char *string = *stringp;
+	char *s;
+	const char *d;
+	char sc, dc;
+
+	if (string == NULL)
+		return (NULL);
+
+	for (; *string != '\0'; string++) {
+		sc = *string;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc)
+				break;
+		}
+		if (dc == 0)
+			break;
+	}
+
+	for (s = string; *s != '\0'; s++) {
+		sc = *s;
+		for (d = delim; (dc = *d) != '\0'; d++) {
+			if (sc == dc) {
+				*s++ = '\0';
+				*stringp = s;
+				return (string);
+			}
+		}
+	}
+	*stringp = NULL;
+	return (string);
+}
+
+static void
+fatal(const char *format, ...) {
+	va_list args;
+
+	va_start(args, format);
+	vfprintf(stderr, format, args);
+	va_end(args);
+	fprintf(stderr, "\n");
+	exit(1);
+}
+
+static inline void
+check_result(isc_result_t result, const char *msg) {
+	if (result != ISC_R_SUCCESS)
+		fatal("%s: %s", msg, isc_result_totext(result));
+}
+
+static void
+parse_name(char **cmdlinep, dns_name_t *name) {
+	isc_result_t result;
+	char *word;
+	isc_buffer_t source;
+
+	word = nsu_strsep(cmdlinep, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read owner name\n");
+		exit(1);
+	}
+
+	isc_buffer_init(&source, word, strlen(word));
+	isc_buffer_add(&source, strlen(word));
+	result = dns_name_fromtext(name, &source, dns_rootname, 0, NULL);
+	check_result(result, "dns_name_fromtext");
+	isc_buffer_invalidate(&source);
+}
+
+static void
+parse_rdata(isc_mem_t *mctx, char **cmdlinep, dns_rdataclass_t rdataclass,
+	    dns_rdatatype_t rdatatype, dns_rdata_t *rdata)
+{
+	char *cmdline = *cmdlinep;
+	isc_buffer_t source, *buf = NULL, *newbuf = NULL;
+	isc_region_t r;
+	isc_lex_t *lex = NULL;
+	dns_rdatacallbacks_t callbacks;
+	isc_result_t result;
+
+	while (cmdline != NULL && *cmdline != 0 &&
+	       isspace((unsigned char)*cmdline))
+		cmdline++;
+
+	if (cmdline != NULL && *cmdline != 0) {
+		dns_rdatacallbacks_init(&callbacks);
+		result = isc_lex_create(mctx, strlen(cmdline), &lex);
+		check_result(result, "isc_lex_create");
+		isc_buffer_init(&source, cmdline, strlen(cmdline));
+		isc_buffer_add(&source, strlen(cmdline));
+		result = isc_lex_openbuffer(lex, &source);
+		check_result(result, "isc_lex_openbuffer");
+		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+		check_result(result, "isc_buffer_allocate");
+		result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+					    dns_rootname, 0, mctx, buf,
+					    &callbacks);
+		isc_lex_destroy(&lex);
+		if (result == ISC_R_SUCCESS) {
+			isc_buffer_usedregion(buf, &r);
+			result = isc_buffer_allocate(mctx, &newbuf, r.length);
+			check_result(result, "isc_buffer_allocate");
+			isc_buffer_putmem(newbuf, r.base, r.length);
+			isc_buffer_usedregion(newbuf, &r);
+			dns_rdata_reset(rdata);
+			dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
+			isc_buffer_free(&buf);
+			ISC_LIST_APPEND(usedbuffers, newbuf, link);
+		} else {
+			fprintf(stderr, "invalid rdata format: %s\n",
+				isc_result_totext(result));
+			isc_buffer_free(&buf);
+			exit(1);
+		}
+	} else {
+		rdata->flags = DNS_RDATA_UPDATE;
+	}
+	*cmdlinep = cmdline;
+}
+
+static void
+update_addordelete(isc_mem_t *mctx, char *cmdline, bool isdelete,
+		   dns_name_t *name)
+{
+	isc_result_t result;
+	uint32_t ttl;
+	char *word;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataset_t *rdataset = NULL;
+	isc_textregion_t region;
+
+	/*
+	 * Read the owner name.
+	 */
+	parse_name(&cmdline, name);
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fprintf(stderr, "memory allocation for rdata failed\n");
+		exit(1);
+	}
+	dns_rdata_init(rdata);
+
+	/*
+	 * If this is an add, read the TTL and verify that it's in range.
+	 * If it's a delete, ignore a TTL if present (for compatibility).
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		if (!isdelete) {
+			fprintf(stderr, "could not read owner ttl\n");
+			exit(1);
+		}
+		else {
+			ttl = 0;
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+			goto doneparsing;
+		}
+	}
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS) {
+		if (isdelete) {
+			ttl = 0;
+			goto parseclass;
+		} else {
+			fprintf(stderr, "ttl '%s': %s\n", word,
+				isc_result_totext(result));
+			exit(1);
+		}
+	}
+
+	if (isdelete)
+		ttl = 0;
+	else if (ttl > TTL_MAX) {
+		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+			word, TTL_MAX);
+		exit(1);
+	}
+
+	/*
+	 * Read the class or type.
+	 */
+	word = nsu_strsep(&cmdline, " \t\r\n");
+ parseclass:
+	if (word == NULL || *word == 0) {
+		if (isdelete) {
+			rdataclass = dns_rdataclass_any;
+			rdatatype = dns_rdatatype_any;
+			rdata->flags = DNS_RDATA_UPDATE;
+		goto doneparsing;
+		} else {
+			fprintf(stderr, "could not read class or type\n");
+			exit(1);
+		}
+	}
+	region.base = word;
+	region.length = strlen(word);
+	result = dns_rdataclass_fromtext(&rdataclass, &region);
+	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Now read the type.
+		 */
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			if (isdelete) {
+				rdataclass = dns_rdataclass_any;
+				rdatatype = dns_rdatatype_any;
+				rdata->flags = DNS_RDATA_UPDATE;
+				goto doneparsing;
+			} else {
+				fprintf(stderr, "could not read type\n");
+				exit(1);
+			}
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdatatype_fromtext(&rdatatype, &region);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "'%s' is not a valid type: %s\n",
+				word, isc_result_totext(result));
+			exit(1);
+		}
+	} else {
+		rdataclass = default_rdataclass;
+		result = dns_rdatatype_fromtext(&rdatatype, &region);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "'%s' is not a valid class or type: "
+				"%s\n", word, isc_result_totext(result));
+			exit(1);
+		}
+	}
+
+	parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+
+	if (isdelete) {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
+			rdataclass = dns_rdataclass_any;
+		else
+			rdataclass = dns_rdataclass_none;
+	} else {
+		if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+			fprintf(stderr, "could not read rdata\n");
+			exit(1);
+		}
+	}
+
+ doneparsing:
+
+	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+	if (rdatalist == NULL) {
+		fprintf(stderr, "memory allocation for rdatalist failed\n");
+		exit(1);
+	}
+	dns_rdatalist_init(rdatalist);
+	rdatalist->type = rdatatype;
+	rdatalist->rdclass = rdataclass;
+	rdatalist->covers = rdatatype;
+	rdatalist->ttl = (dns_ttl_t)ttl;
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL) {
+		fprintf(stderr, "memory allocation for rdataset failed\n");
+		exit(1);
+	}
+	dns_rdataset_init(rdataset);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	dns_rdataset_setownercase(rdataset, name);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+make_prereq(isc_mem_t *mctx, char *cmdline, bool ispositive,
+	    bool isrrset, dns_name_t *name)
+{
+	isc_result_t result;
+	char *word;
+	isc_textregion_t region;
+	dns_rdataset_t *rdataset = NULL;
+	dns_rdatalist_t *rdatalist = NULL;
+	dns_rdataclass_t rdataclass;
+	dns_rdatatype_t rdatatype;
+	dns_rdata_t *rdata = NULL;
+
+	/*
+	 * Read the owner name
+	 */
+	parse_name(&cmdline, name);
+
+	/*
+	 * If this is an rrset prereq, read the class or type.
+	 */
+	if (isrrset) {
+		word = nsu_strsep(&cmdline, " \t\r\n");
+		if (word == NULL || *word == 0) {
+			fprintf(stderr, "could not read class or type\n");
+			exit(1);
+		}
+		region.base = word;
+		region.length = strlen(word);
+		result = dns_rdataclass_fromtext(&rdataclass, &region);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Now read the type.
+			 */
+			word = nsu_strsep(&cmdline, " \t\r\n");
+			if (word == NULL || *word == 0) {
+				fprintf(stderr, "could not read type\n");
+				exit(1);
+			}
+			region.base = word;
+			region.length = strlen(word);
+			result = dns_rdatatype_fromtext(&rdatatype, &region);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				exit(1);
+			}
+		} else {
+			rdataclass = default_rdataclass;
+			result = dns_rdatatype_fromtext(&rdatatype, &region);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "invalid type: %s\n", word);
+				exit(1);
+			}
+		}
+	} else
+		rdatatype = dns_rdatatype_any;
+
+	rdata = isc_mem_get(mctx, sizeof(*rdata));
+	if (rdata == NULL) {
+		fprintf(stderr, "memory allocation for rdata failed\n");
+		exit(1);
+	}
+	dns_rdata_init(rdata);
+
+	if (isrrset && ispositive)
+		parse_rdata(mctx, &cmdline, rdataclass, rdatatype, rdata);
+	else
+		rdata->flags = DNS_RDATA_UPDATE;
+
+	rdatalist = isc_mem_get(mctx, sizeof(*rdatalist));
+	if (rdatalist == NULL) {
+		fprintf(stderr, "memory allocation for rdatalist failed\n");
+		exit(1);
+	}
+	dns_rdatalist_init(rdatalist);
+	rdatalist->type = rdatatype;
+	if (ispositive) {
+		if (isrrset && rdata->data != NULL)
+			rdatalist->rdclass = rdataclass;
+		else
+			rdatalist->rdclass = dns_rdataclass_any;
+	} else
+		rdatalist->rdclass = dns_rdataclass_none;
+	rdata->rdclass = rdatalist->rdclass;
+	rdata->type = rdatatype;
+	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+	ISC_LIST_APPEND(usedrdatalists, rdatalist, link);
+
+	rdataset = isc_mem_get(mctx, sizeof(*rdataset));
+	if (rdataset == NULL) {
+		fprintf(stderr, "memory allocation for rdataset failed\n");
+		exit(1);
+	}
+	dns_rdataset_init(rdataset);
+	dns_rdatalist_tordataset(rdatalist, rdataset);
+	dns_rdataset_setownercase(rdataset, name);
+	ISC_LIST_INIT(name->list);
+	ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+static void
+evaluate_prereq(isc_mem_t *mctx, char *cmdline, dns_name_t *name) {
+	char *word;
+	bool ispositive, isrrset;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (word == NULL || *word == 0) {
+		fprintf(stderr, "could not read operation code\n");
+		exit(1);
+	}
+	if (strcasecmp(word, "nxdomain") == 0) {
+		ispositive = false;
+		isrrset = false;
+	} else if (strcasecmp(word, "yxdomain") == 0) {
+		ispositive = true;
+		isrrset = false;
+	} else if (strcasecmp(word, "nxrrset") == 0) {
+		ispositive = false;
+		isrrset = true;
+	} else if (strcasecmp(word, "yxrrset") == 0) {
+		ispositive = true;
+		isrrset = true;
+	} else {
+		fprintf(stderr, "incorrect operation code: %s\n", word);
+		exit(1);
+	}
+
+	make_prereq(mctx, cmdline, ispositive, isrrset, name);
+}
+
+static void
+setup_tsec(char *keyfile, isc_mem_t *mctx) {
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	dns_tsectype_t tsectype;
+
+	result = dst_key_fromnamedfile(keyfile, NULL,
+				       DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+				       &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not read key from %s: %s\n",
+			keyfile, isc_result_totext(result));
+		exit(1);
+	}
+
+	if (dst_key_alg(dstkey) == DST_ALG_HMACMD5)
+		tsectype = dns_tsectype_tsig;
+	else
+		tsectype = dns_tsectype_sig0;
+
+	result = dns_tsec_create(mctx, tsectype, dstkey, &tsec);
+	dst_key_free(&dstkey);
+	if (result != ISC_R_SUCCESS) {
+		fprintf(stderr, "could not create tsec: %s\n",
+			isc_result_totext(result));
+		exit(1);
+	}
+}
diff --git a/lib/samples/win32/async.dsp.in b/lib/samples/win32/async.dsp.in
new file mode 100644
index 0000000..35dfb6b
--- /dev/null
+++ b/lib/samples/win32/async.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="async" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=async - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "async.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "async.mak" CFG="async - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "async - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "async - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "async - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/sample-async.exe"
+
+!ELSEIF  "$(CFG)" == "async - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/sample-async.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "async - @PLATFORM@ Release"
+# Name "async - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\sample-async.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/async.dsw b/lib/samples/win32/async.dsw
new file mode 100644
index 0000000..f5be775
--- /dev/null
+++ b/lib/samples/win32/async.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "async"=".\async.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/async.mak.in b/lib/samples/win32/async.mak.in
new file mode 100644
index 0000000..13e59c1
--- /dev/null
+++ b/lib/samples/win32/async.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on async.dsp
+!IF "$(CFG)" == ""
+CFG=async - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to async - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "async - @PLATFORM@ Release" && "$(CFG)" != "async - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "async.mak" CFG="async - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "async - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "async - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "async - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "async - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\sample-async.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-async.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\sample-async.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\sample-async.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-async.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\sample-async.pdb" @MACHINE@ /out:"../../../Build/Release/sample-async.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-async.obj"
+
+"..\..\..\Build\Release\sample-async.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "async - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\sample-async.exe" "$(OUTDIR)\sample-async.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-async.obj"
+	-@erase "$(INTDIR)\sample-async.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\sample-async.pdb"
+	-@erase "$(OUTDIR)\sample-async.bsc"
+	-@erase "..\..\..\Build\Debug\sample-async.exe"
+	-@erase "..\..\..\Build\Debug\sample-async.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-async.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\sample-async.sbr"
+
+"$(OUTDIR)\sample-async.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\sample-async.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/sample-async.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-async.obj"
+
+"..\..\..\Build\Debug\sample-async.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("sample-async.dep")
+!INCLUDE "sample-async.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "sample-async.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "async - @PLATFORM@ Release" || "$(CFG)" == "async - @PLATFORM@ Debug"
+SOURCE="..\sample-async.c"
+
+!IF  "$(CFG)" == "async - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sample-async.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "async - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sample-async.obj"	"$(INTDIR)\sample-async.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/async.vcxproj.filters.in b/lib/samples/win32/async.vcxproj.filters.in
new file mode 100644
index 0000000..2698e21
--- /dev/null
+++ b/lib/samples/win32/async.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-async.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/async.vcxproj.in b/lib/samples/win32/async.vcxproj.in
new file mode 100644
index 0000000..b4fb8d9
--- /dev/null
+++ b/lib/samples/win32/async.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{9FC33CA3-CE4A-4EDF-BA99-EECA4B81AD06}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>async</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-async.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/async.vcxproj.user b/lib/samples/win32/async.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/async.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/gai.dsp.in b/lib/samples/win32/gai.dsp.in
new file mode 100644
index 0000000..9282955
--- /dev/null
+++ b/lib/samples/win32/gai.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="gai" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=gai - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "gai.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gai.mak" CFG="gai - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gai - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "gai - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "gai - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib ../../irs/win32/Release/libirs.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/sample-gai.exe"
+
+!ELSEIF  "$(CFG)" == "gai - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib ../../irs/win32/Debug/libirs.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/sample-gai.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "gai - @PLATFORM@ Release"
+# Name "gai - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\sample-gai.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/gai.dsw b/lib/samples/win32/gai.dsw
new file mode 100644
index 0000000..d294056
--- /dev/null
+++ b/lib/samples/win32/gai.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "gai"=".\gai.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/gai.mak.in b/lib/samples/win32/gai.mak.in
new file mode 100644
index 0000000..39cd2fb
--- /dev/null
+++ b/lib/samples/win32/gai.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on gai.dsp
+!IF "$(CFG)" == ""
+CFG=gai - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to gai - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "gai - @PLATFORM@ Release" && "$(CFG)" != "gai - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "gai.mak" CFG="gai - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "gai - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "gai - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "gai - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "gai - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\sample-gai.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-gai.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\sample-gai.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\sample-gai.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-gai.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib ../../irs/win32/Release/libirs.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\sample-gai.pdb" @MACHINE@ /out:"../../../Build/Release/sample-gai.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-gai.obj"
+
+"..\..\..\Build\Release\sample-gai.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "gai - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\sample-gai.exe" "$(OUTDIR)\sample-gai.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-gai.obj"
+	-@erase "$(INTDIR)\sample-gai.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\sample-gai.pdb"
+	-@erase "$(OUTDIR)\sample-gai.bsc"
+	-@erase "..\..\..\Build\Debug\sample-gai.exe"
+	-@erase "..\..\..\Build\Debug\sample-gai.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-gai.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\sample-gai.sbr"
+
+"$(OUTDIR)\sample-gai.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib ../../irs/win32/Debug/libirs.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\sample-gai.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/sample-gai.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-gai.obj"
+
+"..\..\..\Build\Debug\sample-gai.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("sample-gai.dep")
+!INCLUDE "sample-gai.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "sample-gai.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "gai - @PLATFORM@ Release" || "$(CFG)" == "gai - @PLATFORM@ Debug"
+SOURCE="..\sample-gai.c"
+
+!IF  "$(CFG)" == "gai - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sample-gai.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "gai - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sample-gai.obj"	"$(INTDIR)\sample-gai.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/gai.vcxproj.filters.in b/lib/samples/win32/gai.vcxproj.filters.in
new file mode 100644
index 0000000..a709e03
--- /dev/null
+++ b/lib/samples/win32/gai.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-gai.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/gai.vcxproj.in b/lib/samples/win32/gai.vcxproj.in
new file mode 100644
index 0000000..e177d89
--- /dev/null
+++ b/lib/samples/win32/gai.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D42B8670-8DF6-4D90-90F7-DB5FB845AFAE}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>gai</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;..\..\irs\win32\include;..\..\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);..\..\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;..\..\irs\win32\include;..\..\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);..\..\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-gai.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/gai.vcxproj.user b/lib/samples/win32/gai.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/gai.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/nsprobe.dsp.in b/lib/samples/win32/nsprobe.dsp.in
new file mode 100644
index 0000000..5161a24
--- /dev/null
+++ b/lib/samples/win32/nsprobe.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="nsprobe" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=nsprobe - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "nsprobe.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nsprobe.mak" CFG="nsprobe - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nsprobe - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "nsprobe - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "nsprobe - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/nsprobe.exe"
+
+!ELSEIF  "$(CFG)" == "nsprobe - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/nsprobe.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "nsprobe - @PLATFORM@ Release"
+# Name "nsprobe - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\nsprobe.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/nsprobe.dsw b/lib/samples/win32/nsprobe.dsw
new file mode 100644
index 0000000..76ac5fb
--- /dev/null
+++ b/lib/samples/win32/nsprobe.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "nsprobe"=".\nsprobe.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/nsprobe.mak.in b/lib/samples/win32/nsprobe.mak.in
new file mode 100644
index 0000000..5efcdb0
--- /dev/null
+++ b/lib/samples/win32/nsprobe.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on nsprobe.dsp
+!IF "$(CFG)" == ""
+CFG=nsprobe - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to nsprobe - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "nsprobe - @PLATFORM@ Release" && "$(CFG)" != "nsprobe - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "nsprobe.mak" CFG="nsprobe - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "nsprobe - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "nsprobe - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "nsprobe - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "nsprobe - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\nsprobe.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\nsprobe.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\nsprobe.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsprobe.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsprobe.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsprobe.pdb" @MACHINE@ /out:"../../../Build/Release/nsprobe.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\nsprobe.obj"
+
+"..\..\..\Build\Release\nsprobe.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "nsprobe - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\nsprobe.exe" "$(OUTDIR)\nsprobe.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\nsprobe.obj"
+	-@erase "$(INTDIR)\nsprobe.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\nsprobe.pdb"
+	-@erase "$(OUTDIR)\nsprobe.bsc"
+	-@erase "..\..\..\Build\Debug\nsprobe.exe"
+	-@erase "..\..\..\Build\Debug\nsprobe.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsprobe.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\nsprobe.sbr"
+
+"$(OUTDIR)\nsprobe.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsprobe.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/nsprobe.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\nsprobe.obj"
+
+"..\..\..\Build\Debug\nsprobe.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("nsprobe.dep")
+!INCLUDE "nsprobe.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "nsprobe.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "nsprobe - @PLATFORM@ Release" || "$(CFG)" == "nsprobe - @PLATFORM@ Debug"
+SOURCE="..\nsprobe.c"
+
+!IF  "$(CFG)" == "nsprobe - @PLATFORM@ Release"
+
+
+"$(INTDIR)\nsprobe.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "nsprobe - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\nsprobe.obj"	"$(INTDIR)\nsprobe.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/nsprobe.vcxproj.filters.in b/lib/samples/win32/nsprobe.vcxproj.filters.in
new file mode 100644
index 0000000..d7e313b
--- /dev/null
+++ b/lib/samples/win32/nsprobe.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsprobe.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/nsprobe.vcxproj.in b/lib/samples/win32/nsprobe.vcxproj.in
new file mode 100644
index 0000000..96c8a18
--- /dev/null
+++ b/lib/samples/win32/nsprobe.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{CB2A29F6-E73B-40AB-8AC4-2C1AAE7280BD}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>nsprobe</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\nsprobe.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/nsprobe.vcxproj.user b/lib/samples/win32/nsprobe.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/nsprobe.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/request.dsp.in b/lib/samples/win32/request.dsp.in
new file mode 100644
index 0000000..dbdfe83
--- /dev/null
+++ b/lib/samples/win32/request.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="request" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=request - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "request.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "request.mak" CFG="request - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "request - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "request - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "request - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/sample-request.exe"
+
+!ELSEIF  "$(CFG)" == "request - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/sample-request.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "request - @PLATFORM@ Release"
+# Name "request - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\sample-request.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/request.dsw b/lib/samples/win32/request.dsw
new file mode 100644
index 0000000..322cc90
--- /dev/null
+++ b/lib/samples/win32/request.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "request"=".\request.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/request.mak.in b/lib/samples/win32/request.mak.in
new file mode 100644
index 0000000..b9681c6
--- /dev/null
+++ b/lib/samples/win32/request.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on request.dsp
+!IF "$(CFG)" == ""
+CFG=request - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to request - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "request - @PLATFORM@ Release" && "$(CFG)" != "request - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "request.mak" CFG="request - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "request - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "request - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "request - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "request - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\sample-request.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-request.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\sample-request.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\sample-request.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-request.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\sample-request.pdb" @MACHINE@ /out:"../../../Build/Release/sample-request.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-request.obj"
+
+"..\..\..\Build\Release\sample-request.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "request - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\sample-request.exe" "$(OUTDIR)\sample-request.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-request.obj"
+	-@erase "$(INTDIR)\sample-request.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\sample-request.pdb"
+	-@erase "$(OUTDIR)\sample-request.bsc"
+	-@erase "..\..\..\Build\Debug\sample-request.exe"
+	-@erase "..\..\..\Build\Debug\sample-request.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-request.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\sample-request.sbr"
+
+"$(OUTDIR)\sample-request.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\sample-request.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/sample-request.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-request.obj"
+
+"..\..\..\Build\Debug\sample-request.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("sample-request.dep")
+!INCLUDE "sample-request.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "sample-request.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "request - @PLATFORM@ Release" || "$(CFG)" == "request - @PLATFORM@ Debug"
+SOURCE="..\sample-request.c"
+
+!IF  "$(CFG)" == "request - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sample-request.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "request - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sample-request.obj"	"$(INTDIR)\sample-request.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/request.vcxproj.filters.in b/lib/samples/win32/request.vcxproj.filters.in
new file mode 100644
index 0000000..9edd41d
--- /dev/null
+++ b/lib/samples/win32/request.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-request.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/request.vcxproj.in b/lib/samples/win32/request.vcxproj.in
new file mode 100644
index 0000000..3b204f2
--- /dev/null
+++ b/lib/samples/win32/request.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{FF440E85-7450-439C-82EE-04C464512D0E}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>request</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-request.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/request.vcxproj.user b/lib/samples/win32/request.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/request.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/resolve.dsp.in b/lib/samples/win32/resolve.dsp.in
new file mode 100644
index 0000000..e73835d
--- /dev/null
+++ b/lib/samples/win32/resolve.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="resolve" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=resolve - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "resolve.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "resolve.mak" CFG="resolve - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "resolve - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "resolve - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "resolve - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib ../../irs/win32/Release/libirs.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/resolve.exe"
+
+!ELSEIF  "$(CFG)" == "resolve - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib ../../irs/win32/Debug/libirs.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/resolve.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "resolve - @PLATFORM@ Release"
+# Name "resolve - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\resolve.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/resolve.dsw b/lib/samples/win32/resolve.dsw
new file mode 100644
index 0000000..32fb539
--- /dev/null
+++ b/lib/samples/win32/resolve.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "resolve"=".\resolve.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/resolve.mak.in b/lib/samples/win32/resolve.mak.in
new file mode 100644
index 0000000..ae461d1
--- /dev/null
+++ b/lib/samples/win32/resolve.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on resolve.dsp
+!IF "$(CFG)" == ""
+CFG=resolve - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to resolve - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "resolve - @PLATFORM@ Release" && "$(CFG)" != "resolve - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "resolve.mak" CFG="resolve - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "resolve - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "resolve - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "resolve - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "resolve - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\resolve.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\resolve.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\resolve.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\resolve.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib ../../irs/win32/Release/libirs.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\resolve.pdb" @MACHINE@ /out:"../../../Build/Release/resolve.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\resolve.obj"
+
+"..\..\..\Build\Release\resolve.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "resolve - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\resolve.exe" "$(OUTDIR)\resolve.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\resolve.obj"
+	-@erase "$(INTDIR)\resolve.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\resolve.pdb"
+	-@erase "$(OUTDIR)\resolve.bsc"
+	-@erase "..\..\..\Build\Debug\resolve.exe"
+	-@erase "..\..\..\Build\Debug\resolve.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /I "../../irs/win32/include" /I "../../irs/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\resolve.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\resolve.sbr"
+
+"$(OUTDIR)\resolve.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib ../../irs/win32/Debug/libirs.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\resolve.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/resolve.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\resolve.obj"
+
+"..\..\..\Build\Debug\resolve.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("resolve.dep")
+!INCLUDE "resolve.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "resolve.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "resolve - @PLATFORM@ Release" || "$(CFG)" == "resolve - @PLATFORM@ Debug"
+SOURCE="..\resolve.c"
+
+!IF  "$(CFG)" == "resolve - @PLATFORM@ Release"
+
+
+"$(INTDIR)\resolve.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "resolve - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\resolve.obj"	"$(INTDIR)\resolve.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/resolve.vcxproj.filters.in b/lib/samples/win32/resolve.vcxproj.filters.in
new file mode 100644
index 0000000..882e23f
--- /dev/null
+++ b/lib/samples/win32/resolve.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\resolve.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/resolve.vcxproj.in b/lib/samples/win32/resolve.vcxproj.in
new file mode 100644
index 0000000..189a39a
--- /dev/null
+++ b/lib/samples/win32/resolve.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{F66D8B7E-721D-4602-99AD-820D19AD1313}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>resolve</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;..\..\irs\win32\include;..\..\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);..\..\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;..\..\irs\win32\include;..\..\irs\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);..\..\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\resolve.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/resolve.vcxproj.user b/lib/samples/win32/resolve.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/resolve.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/update.dsp.in b/lib/samples/win32/update.dsp.in
new file mode 100644
index 0000000..37be0a9
--- /dev/null
+++ b/lib/samples/win32/update.dsp.in
@@ -0,0 +1,103 @@
+# Microsoft Developer Studio Project File - Name="update" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Console Application" 0x0103
+
+CFG=update - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "update.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "update.mak" CFG="update - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "update - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "update - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "update - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD CPP /nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /c
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console @MACHINE@
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console @MACHINE@ /out:"../../../Build/Release/sample-update.exe"
+
+!ELSEIF  "$(CFG)" == "update - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 0
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" @COPTY@ /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c
+# SUBTRACT CPP /X @COPTY@
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /debug @MACHINE@ /out:"../../../Build/Debug/sample-update.exe" /pdbtype:sept
+
+!ENDIF 
+
+# Begin Target
+
+# Name "update - @PLATFORM@ Release"
+# Name "update - @PLATFORM@ Debug"
+# Begin Group "Source Files"
+
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
+# Begin Source File
+
+SOURCE="..\sample-update.c"
+# End Source File
+# End Group
+# Begin Group "Header Files"
+
+# PROP Default_Filter "h;hpp;hxx;hm;inl"
+# End Group
+# Begin Group "Resource Files"
+
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
+# End Group
+# End Target
+# End Project
diff --git a/lib/samples/win32/update.dsw b/lib/samples/win32/update.dsw
new file mode 100644
index 0000000..a119c89
--- /dev/null
+++ b/lib/samples/win32/update.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "update"=".\update.dsp" - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/samples/win32/update.mak.in b/lib/samples/win32/update.mak.in
new file mode 100644
index 0000000..38bfecb
--- /dev/null
+++ b/lib/samples/win32/update.mak.in
@@ -0,0 +1,299 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on update.dsp
+!IF "$(CFG)" == ""
+CFG=update - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to update - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "update - @PLATFORM@ Release" && "$(CFG)" != "update - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "update.mak" CFG="update - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "update - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE "update - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Console Application")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+!IF  "$(CFG)" == "update - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "update - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\sample-update.exe"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-update.obj"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "..\..\..\Build\Release\sample-update.exe"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MD /W3 @COPTX@ @COPTI@ /O2 /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\sample-update.pch" @COPTY@ /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-update.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Release/libisc.lib ../../dns/win32/Release/libdns.lib ../../isccfg/win32/Release/libisccfg.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\sample-update.pdb" @MACHINE@ /out:"../../../Build/Release/sample-update.exe" 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-update.obj"
+
+"..\..\..\Build\Release\sample-update.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ELSEIF  "$(CFG)" == "update - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\sample-update.exe" "$(OUTDIR)\sample-update.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\sample-update.obj"
+	-@erase "$(INTDIR)\sample-update.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\sample-update.pdb"
+	-@erase "$(OUTDIR)\sample-update.bsc"
+	-@erase "..\..\..\Build\Debug\sample-update.exe"
+	-@erase "..\..\..\Build\Debug\sample-update.ilk"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP=cl.exe
+CPP_PROJ=/nologo /MDd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /I "../../../" @LIBXML2_INC@ @OPENSSL_INC@ /I "../../isc/win32" /I "../../isc/win32/include" /I "../../isc/include" /I "../../dns/win32/include" /I "../../dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+RSC=rc.exe
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\sample-update.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\sample-update.sbr"
+
+"$(OUTDIR)\sample-update.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../isc/win32/Debug/libisc.lib ../../dns/win32/Debug/libdns.lib ../../isccfg/win32/Debug/libisccfg.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\sample-update.pdb" /debug @MACHINE@ /out:"../../../Build/Debug/sample-update.exe" /pdbtype:sept 
+LINK32_OBJS= \
+	"$(INTDIR)\sample-update.obj"
+
+"..\..\..\Build\Debug\sample-update.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+    $(_VC_MANIFEST_EMBED_EXE)
+
+!ENDIF 
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("sample-update.dep")
+!INCLUDE "sample-update.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "sample-update.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "update - @PLATFORM@ Release" || "$(CFG)" == "update - @PLATFORM@ Debug"
+SOURCE="..\sample-update.c"
+
+!IF  "$(CFG)" == "update - @PLATFORM@ Release"
+
+
+"$(INTDIR)\sample-update.obj" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ELSEIF  "$(CFG)" == "update - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\sample-update.obj"	"$(INTDIR)\sample-update.sbr" : $(SOURCE) "$(INTDIR)"
+	$(CPP) $(CPP_PROJ) $(SOURCE)
+
+
+!ENDIF 
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/samples/win32/update.vcxproj.filters.in b/lib/samples/win32/update.vcxproj.filters.in
new file mode 100644
index 0000000..8479fba
--- /dev/null
+++ b/lib/samples/win32/update.vcxproj.filters.in
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-update.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/samples/win32/update.vcxproj.in b/lib/samples/win32/update.vcxproj.in
new file mode 100644
index 0000000..3a403ca
--- /dev/null
+++ b/lib/samples/win32/update.vcxproj.in
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{05682E12-523F-4DAE-8E6D-ADFDBC308AFD}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>update</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <StringPooling>true</StringPooling>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <AdditionalIncludeDirectories>..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\isc\win32;..\..\isc\win32\include;..\..\isc\include;..\..\dns\win32\include;..\..\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <CompileAs>CompileAsC</CompileAs>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <AdditionalLibraryDirectories>..\..\isc\win32\$(Configuration);..\..\dns\win32\$(Configuration);..\..\isccfg\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libisc.lib;libdns.lib;libisccfg.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\sample-update.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/lib/samples/win32/update.vcxproj.user b/lib/samples/win32/update.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/samples/win32/update.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file
diff --git a/lib/win32/bindevt/bindevt.c b/lib/win32/bindevt/bindevt.c
new file mode 100644
index 0000000..d74a2f1
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.c
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+
+/*
+ * bindevt.c : Defines the entry point for event log viewer DLL.
+ */
+
+#include <windows.h>
+
+BOOL APIENTRY DllMain(HANDLE hModule, DWORD  ul_reason_for_call,
+		      LPVOID lpReserved)
+{
+	return (TRUE);
+}
+
diff --git a/lib/win32/bindevt/bindevt.dsp.in b/lib/win32/bindevt/bindevt.dsp.in
new file mode 100644
index 0000000..34cbbd1
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.dsp.in
@@ -0,0 +1,132 @@
+# Microsoft Developer Studio Project File - Name="bindevt" - Package Owner=<4>
+# Microsoft Developer Studio Generated Build File, Format Version 6.00
+# ** DO NOT EDIT **
+
+# TARGTYPE "@PLATFORM@ (x86) Dynamic-Link Library" 0x0102
+
+CFG=bindevt - @PLATFORM@ Debug
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,
+!MESSAGE use the Export Makefile command and run
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak".
+!MESSAGE 
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "bindevt - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "bindevt - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+
+# Begin Project
+# PROP AllowPerConfigDependencies 0
+# PROP Scc_ProjName ""
+# PROP Scc_LocalPath ""
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 0
+# PROP BASE Output_Dir "Release"
+# PROP BASE Intermediate_Dir "Release"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 0
+# PROP Output_Dir "Release"
+# PROP Intermediate_Dir "Release"
+# PROP Ignore_Export_Lib 1
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /c
+# ADD CPP /nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FD /c
+# SUBTRACT CPP @COPTY@ /Yc /Yu
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "NDEBUG"
+# ADD RSC /l 0x409 /d "NDEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll @MACHINE@
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none @MACHINE@ /out:"..\..\..\Build\Release\bindevt.dll"
+
+!ELSEIF  "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+
+# PROP BASE Use_MFC 0
+# PROP BASE Use_Debug_Libraries 1
+# PROP BASE Output_Dir "Debug"
+# PROP BASE Intermediate_Dir "Debug"
+# PROP BASE Target_Dir ""
+# PROP Use_MFC 0
+# PROP Use_Debug_Libraries 1
+# PROP Output_Dir "Debug"
+# PROP Intermediate_Dir "Debug"
+# PROP Ignore_Export_Lib 1
+# PROP Target_Dir ""
+# ADD BASE CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Yu"stdafx.h" /FD /GZ /c
+# ADD CPP /nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR /FD /GZ /c
+# SUBTRACT CPP @COPTY@ /Yc /Yu
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
+# ADD BASE RSC /l 0x409 /d "_DEBUG"
+# ADD RSC /l 0x409 /d "_DEBUG"
+BSC32=bscmake.exe
+# ADD BASE BSC32 /nologo
+# ADD BSC32 /nologo
+LINK32=link.exe
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug @MACHINE@ /pdbtype:sept
+# ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug @MACHINE@ /out:"..\..\..\Build\Debug\bindevt.dll"
+
+!ENDIF 
+
+# Begin Target
+
+# Name "bindevt - @PLATFORM@ Release"
+# Name "bindevt - @PLATFORM@ Debug"
+# Begin Source File
+
+SOURCE=.\bindevt.c
+# End Source File
+# Begin Source File
+
+SOURCE=.\bindevt.mc
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+
+# Begin Custom Build
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	mc $(InputName).mc
+
+# End Custom Build
+
+!ELSEIF  "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+
+# Begin Custom Build
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+"$(TargetName).rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	mc $(InputName).mc
+
+# End Custom Build
+
+!ENDIF 
+
+# End Source File
+# Begin Source File
+
+SOURCE=.\bindevt.rc
+# End Source File
+# End Target
+# End Project
diff --git a/lib/win32/bindevt/bindevt.dsw b/lib/win32/bindevt/bindevt.dsw
new file mode 100644
index 0000000..7421804
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.dsw
@@ -0,0 +1,29 @@
+Microsoft Developer Studio Workspace File, Format Version 6.00

+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!

+

+###############################################################################

+

+Project: "bindevt"=.\bindevt.dsp - Package Owner=<4>

+

+Package=<5>

+{{{

+}}}

+

+Package=<4>

+{{{

+}}}

+

+###############################################################################

+

+Global:

+

+Package=<5>

+{{{

+}}}

+

+Package=<3>

+{{{

+}}}

+

+###############################################################################

+

diff --git a/lib/win32/bindevt/bindevt.mak.in b/lib/win32/bindevt/bindevt.mak.in
new file mode 100644
index 0000000..b8b503e
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.mak.in
@@ -0,0 +1,310 @@
+# Microsoft Developer Studio Generated NMAKE File, Based on bindevt.dsp
+!IF "$(CFG)" == ""
+CFG=bindevt - @PLATFORM@ Debug
+!MESSAGE No configuration specified. Defaulting to bindevt - @PLATFORM@ Debug.
+!ENDIF 
+
+!IF "$(CFG)" != "bindevt - @PLATFORM@ Release" && "$(CFG)" != "bindevt - @PLATFORM@ Debug"
+!MESSAGE Invalid configuration "$(CFG)" specified.
+!MESSAGE You can specify a configuration when running NMAKE
+!MESSAGE by defining the macro CFG on the command line. For example:
+!MESSAGE 
+!MESSAGE NMAKE /f "bindevt.mak" CFG="bindevt - @PLATFORM@ Debug"
+!MESSAGE 
+!MESSAGE Possible choices for configuration are:
+!MESSAGE 
+!MESSAGE "bindevt - @PLATFORM@ Release" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE "bindevt - @PLATFORM@ Debug" (based on "@PLATFORM@ (x86) Dynamic-Link Library")
+!MESSAGE 
+!ERROR An invalid configuration is specified.
+!ENDIF 
+
+!IF "$(OS)" == "Windows_NT"
+NULL=
+!ELSE 
+NULL=nul
+!ENDIF 
+
+CPP=cl.exe
+MTL=midl.exe
+RSC=rc.exe
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+_VC_MANIFEST_INC=0
+_VC_MANIFEST_BASENAME=__VC80
+!ELSE
+_VC_MANIFEST_INC=1
+_VC_MANIFEST_BASENAME=__VC80.Debug
+!ENDIF
+
+####################################################
+# Specifying name of temporary resource file used only in incremental builds:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res
+!else
+_VC_MANIFEST_AUTO_RES=
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1
+
+!endif
+
+####################################################
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+#MT_SPECIAL_RETURN=1090650113
+#MT_SPECIAL_SWITCH=-notify_resource_update
+MT_SPECIAL_RETURN=0
+MT_SPECIAL_SWITCH=
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \
+link $** /out:$@ $(LFLAGS)
+
+!else
+
+_VC_MANIFEST_EMBED_EXE= \
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2
+
+!endif
+####################################################
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:
+
+!if "$(_VC_MANIFEST_INC)" == "1"
+
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \
+    $(_VC_MANIFEST_BASENAME).auto.rc \
+    $(_VC_MANIFEST_BASENAME).auto.manifest
+
+!else
+
+_VC_MANIFEST_CLEAN=
+
+!endif
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+
+OUTDIR=.\Release
+INTDIR=.\Release
+
+ALL : "..\..\..\Build\Release\bindevt.dll"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\bindevt.obj"
+	-@erase "$(INTDIR)\bindevt.res"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(OUTDIR)\bindevt.exp"
+	-@erase "..\..\..\Build\Release\bindevt.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MT /W3 @COPTX@ @COPTI@ /O2 /I "..\include" /I "..\..\..\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c 
+MTL_PROJ=/nologo /D "NDEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "NDEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 
+BSC32_SBRS= \
+	
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none @MACHINE@ /out:"..\..\..\Build\Release\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\bindevt.obj" \
+	"$(INTDIR)\bindevt.res"
+
+"..\..\..\Build\Release\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ELSEIF  "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+
+OUTDIR=.\Debug
+INTDIR=.\Debug
+# Begin Custom Macros
+OutDir=.\Debug
+# End Custom Macros
+
+ALL : "..\..\..\Build\Debug\bindevt.dll" "$(OUTDIR)\bindevt.bsc"
+
+
+CLEAN :
+	-@erase "$(INTDIR)\bindevt.obj"
+	-@erase "$(INTDIR)\bindevt.res"
+	-@erase "$(INTDIR)\bindevt.sbr"
+	-@erase "$(INTDIR)\vc60.idb"
+	-@erase "$(INTDIR)\vc60.pdb"
+	-@erase "$(OUTDIR)\bindevt.bsc"
+	-@erase "$(OUTDIR)\bindevt.exp"
+	-@erase "..\..\..\Build\Debug\bindevt.dll"
+	-@$(_VC_MANIFEST_CLEAN)
+
+"$(OUTDIR)" :
+    if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"
+
+CPP_PROJ=/nologo /MTd /W3 /Gm @COPTX@ @COPTI@ /Zi /Od /I "..\include" /I "..\..\..\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "BINDEVT_EXPORTS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c 
+MTL_PROJ=/nologo /D "_DEBUG" /mktyplib203 /win32 
+RSC_PROJ=/l 0x409 /fo"$(INTDIR)\bindevt.res" /d "_DEBUG" 
+BSC32=bscmake.exe
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\bindevt.bsc" 
+BSC32_SBRS= \
+	"$(INTDIR)\bindevt.sbr"
+
+"$(OUTDIR)\bindevt.bsc" : "$(OUTDIR)" $(BSC32_SBRS)
+    $(BSC32) @<<
+  $(BSC32_FLAGS) $(BSC32_SBRS)
+<<
+
+LINK32=link.exe
+LINK32_FLAGS=kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /pdb:none /debug @MACHINE@ /out:"..\..\..\Build\Debug\bindevt.dll" /implib:"$(OUTDIR)\bindevt.lib" 
+LINK32_OBJS= \
+	"$(INTDIR)\bindevt.obj" \
+	"$(INTDIR)\bindevt.res"
+
+"..\..\..\Build\Debug\bindevt.dll" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)
+    $(LINK32) @<<
+  $(LINK32_FLAGS) $(LINK32_OBJS)
+<<
+  $(_VC_MANIFEST_EMBED_DLL)
+
+!ENDIF 
+
+.c{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.obj::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.c{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cpp{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+.cxx{$(INTDIR)}.sbr::
+   $(CPP) @<<
+   $(CPP_PROJ) $< 
+<<
+
+
+!IF "$(NO_EXTERNAL_DEPS)" != "1"
+!IF EXISTS("bindevt.dep")
+!INCLUDE "bindevt.dep"
+!ELSE 
+!MESSAGE Warning: cannot find "bindevt.dep"
+!ENDIF 
+!ENDIF 
+
+
+!IF "$(CFG)" == "bindevt - @PLATFORM@ Release" || "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+SOURCE=.\bindevt.c
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+
+
+"$(INTDIR)\bindevt.obj" : $(SOURCE) "$(INTDIR)"
+
+
+!ELSEIF  "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+
+
+"$(INTDIR)\bindevt.obj"	"$(INTDIR)\bindevt.sbr" : $(SOURCE) "$(INTDIR)"
+
+
+!ENDIF 
+
+SOURCE=.\bindevt.mc
+
+!IF  "$(CFG)" == "bindevt - @PLATFORM@ Release"
+
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	<<tempfile.bat 
+	@echo off 
+	mc $(InputName).mc
+<< 
+	
+
+!ELSEIF  "$(CFG)" == "bindevt - @PLATFORM@ Debug"
+
+TargetName=bindevt
+InputPath=.\bindevt.mc
+InputName=bindevt
+
+".\bindevt.rc" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+	<<tempfile.bat 
+	@echo off 
+	mc $(InputName).mc
+<< 
+	
+
+!ENDIF 
+
+SOURCE=.\bindevt.rc
+
+"$(INTDIR)\bindevt.res" : $(SOURCE) "$(INTDIR)"
+	$(RSC) $(RSC_PROJ) $(SOURCE)
+
+
+
+!ENDIF 
+
+####################################################
+# Commands to generate initial empty manifest file and the RC file
+# that references it, and for generating the .res file:
+
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc
+
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest
+    type <<$@
+#include <winuser.h>
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"
+<< KEEP
+
+$(_VC_MANIFEST_BASENAME).auto.manifest :
+    type <<$@
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
+</assembly>
+<< KEEP
diff --git a/lib/win32/bindevt/bindevt.mc b/lib/win32/bindevt/bindevt.mc
new file mode 100644
index 0000000..7d34547
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.mc
@@ -0,0 +1,39 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+MessageIdTypedef=DWORD
+
+LanguageNames = (English=0x409:MSG00409)
+
+OutputBase = 16
+
+
+MessageId=0x1
+Severity=Error
+Facility=Application
+SymbolicName=BIND_ERR_MSG
+Language=English
+%1
+.
+
+MessageId=0x2
+Severity=Warning
+Facility=Application
+SymbolicName=BIND_WARN_MSG
+Language=English
+%1
+.
+
+MessageId=0x3
+Severity=Informational
+Facility=Application
+SymbolicName=BIND_INFO_MSG
+Language=English
+%1
+.
diff --git a/lib/win32/bindevt/bindevt.vcxproj.filters.in b/lib/win32/bindevt/bindevt.vcxproj.filters.in
new file mode 100644
index 0000000..2b9ee98
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.filters.in
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="bindevt.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="bindevt.mc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="bindevt.rc" />
+  </ItemGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/win32/bindevt/bindevt.vcxproj.in b/lib/win32/bindevt/bindevt.vcxproj.in
new file mode 100644
index 0000000..bc1394d
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.in
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|@PLATFORM@">
+      <Configuration>Debug</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|@PLATFORM@">
+      <Configuration>Release</Configuration>
+      <Platform>@PLATFORM@</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0D745CD9-FC3B-49DC-99BE-1E6DF85593F0}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>bindevt</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
+    <IntDir>.\$(Configuration)\</IntDir>
+    <CustomBuildBeforeTargets>ResourceCompile</CustomBuildBeforeTargets>
+    <IgnoreImportLibrary>true</IgnoreImportLibrary>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;BINDEVT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\include;..\..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <BrowseInformation>true</BrowseInformation>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <CustomBuildStep>
+      <Command>mc bindevt.mc</Command>
+    </CustomBuildStep>
+    <CustomBuildStep>
+      <Outputs>$(TargetName).rc</Outputs>
+    </CustomBuildStep>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;BINDEVT_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>..\include;..\..\..\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
+      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
+      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
+      <ImportLibrary>.\$(Configuration)\$(ProjectName).lib</ImportLibrary>
+    </Link>
+    <CustomBuildStep>
+      <Command>mc bindevt.mc</Command>
+    </CustomBuildStep>
+    <CustomBuildStep>
+      <Outputs>$(TargetName).rc</Outputs>
+    </CustomBuildStep>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="bindevt.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="bindevt.mc" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="bindevt.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/lib/win32/bindevt/bindevt.vcxproj.user b/lib/win32/bindevt/bindevt.vcxproj.user
new file mode 100644
index 0000000..695b5c7
--- /dev/null
+++ b/lib/win32/bindevt/bindevt.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>

+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">

+</Project>
\ No newline at end of file